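rule wellmess_botlib_function_names {
	meta:
		// Line-wrapped in the original extraction; a YARA string literal cannot
		// span lines, so the description is restored to a single line.
		description = "Rule to detect WellMess Golang samples based on the function names used by the actor"
		author = "NCSC"
		reference = "NCSC Advisory: APT29 targets COVID-19 vaccine development (2020-07-09)"
		hash = "8749c1495af4fd73ccfc84b32f56f5e78549d81feefb0c1d1c3475a74345f6a8"
	strings:
		// Package-qualified Go symbol names from the malware's "botlib" package.
		// Go binaries normally retain these names even when built stripped, so
		// they are a stable indicator unless the author deliberately obfuscates
		// symbols. Every atom carries the "botlib." prefix; that prefix is what
		// keeps otherwise generic names (Send, New, Join, Split) from matching
		// unrelated Go binaries.
		$s1 = "botlib.wellMess" ascii wide
		$s2 = "botlib.saveFile" ascii wide
		$s3 = "botlib.reply" ascii wide
		$s4 = "botlib.init" ascii wide
		$s5 = "botlib.generateRandomString" ascii wide
		$s6 = "botlib.encrypt" ascii wide
		$s7 = "botlib.deleteFile" ascii wide
		$s8 = "botlib.convertFromString" ascii wide
		$s9 = "botlib.chunksM" ascii wide
		$s10 = "botlib.Work" ascii wide
		$s11 = "botlib.UnpackB" ascii wide
		$s12 = "botlib.Unpack" ascii wide
		$s13 = "botlib.UDFile" ascii wide
		$s14 = "botlib.Split" ascii wide
		$s15 = "botlib.Service" ascii wide
		$s16 = "botlib.SendMessage" ascii wide
		$s17 = "botlib.Send.func1" ascii wide
		$s18 = "botlib.Send" ascii wide
		$s19 = "botlib.ReceiveMessage" ascii wide
		$s20 = "botlib.RandStringBytes" ascii wide
		$s21 = "botlib.RandInt" ascii wide
		$s22 = "botlib.Post" ascii wide
		$s23 = "botlib.Parse" ascii wide
		$s24 = "botlib.Pad" ascii wide
		$s25 = "botlib.Pack" ascii wide
		$s26 = "botlib.New" ascii wide
		$s27 = "botlib.KeySizeError.Error" ascii wide
		$s28 = "botlib.Key" ascii wide
		$s29 = "botlib.Join" ascii wide
		$s30 = "botlib.GetRandomBytes" ascii wide
		$s31 = "botlib.GenerateSymmKey" ascii wide
		$s32 = "botlib.FromNormalToBase64" ascii wide
		$s33 = "botlib.EncryptText" ascii wide
		$s34 = "botlib.Download" ascii wide
		$s35 = "botlib.Decipher" ascii wide
		$s36 = "botlib.Command" ascii wide
		$s37 = "botlib.Cipher" ascii wide
		$s38 = "botlib.CalculateMD5Hash" ascii wide
		$s39 = "botlib.Base64ToNormal" ascii wide
		$s40 = "botlib.AES_Encrypt" ascii wide
		$s41 = "botlib.AES_Decrypt" ascii wide
		// Method symbols on the malware's own RC6 block-cipher type.
		$s42 = "botlib.(*rc6cipher).Encrypt" ascii wide
		$s43 = "botlib.(*rc6cipher).Decrypt" ascii wide
		$s44 = "botlib.(*rc6cipher).BlockSize" ascii wide
		$s45 = "botlib.(*KeySizeError).Error" ascii wide
		// Names suggest a DNS-based transport variant; treat that as an
		// inference from the symbol names, not something this rule verifies.
		$s46 = "botlib.DownloadDNS" ascii wide
		$s47 = "botlib.JoinDnsChunks" ascii wide
		$s48 = "botlib.SendDNS" ascii wide
		$s49 = "botlib.CreateDNSName" ascii wide
	condition:
		// File-type gate: a PE image (MZ magic, then "PE" at the e_lfanew
		// offset) or an ELF image ("\x7fELF" read little-endian).
		// e_lfanew at 0x3c is a 32-bit field; reading it with uint16() truncated
		// the offset and silently failed the gate for PE files whose NT headers
		// sit beyond 0xFFFF (large DOS stubs). uint32() reads the full offset;
		// the "PE" signature check itself is unchanged.
		(
			(uint16(0) == 0x5a4d and uint16(uint32(0x3c)) == 0x4550)
			or uint32(0) == 0x464c457f
		)
		// One botlib symbol is sufficient; the package prefix on every atom
		// keeps the rule specific without requiring a minimum count.
		and any of them
}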
Details Published Attributes CTI Title
Details Pdf 2020-07-09 139 Advisory: APT29 targets COVID-19 vaccine development