Common Information
| Type | Value |
|---|---|
| Value |
rule M_Hunting_HOOKSHOT {
meta:
author = "Mandiant"
description = "Hunting rule for HOOKSHOT"
strings:
$p00_0 = { 8B B1 [4] 40 88 73 ?? 85 F6 75 ?? 48 8B 81 [4] 48 8B 88 [4] 48 85 C9 74 ?? E8 }
$p00_1 = { 8B F3 48 8B EA 85 DB 0F 84 [4] 4C 8D 2D [4] 66 90 4C 8D 44 24 ?? 8B D6 48 8B CD }
condition:
uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and (($p00_0 in (470000 .. 490000) and $p00_1 in (360000 .. 380000)))
}
|
| Category | |
| Type | Yara Rule |
| Misp Type | |
| Description |