Common Information
| Type | Value |
|---|---|
| Value |
rule lokibot {
meta:
description = "Lokibot detection rule based on .x section and C&C decoding"
author = "gpellegrino@infoblox.com"
strings:
$c2decoding = { BB FF FF DF DD BE 74 00 4A 00 90 90 90 90 30 1E }
condition:
uint16(0) == 0x5A4D and filesize < 105KB and uint16(0x260) == 0x782E and uint16(0x270) == 0x2000 and $c2decoding in (uint32(0x274) .. uint32(0x274) + 0x2000)
}
|
| Category | |
| Type | Yara Rule |
| Misp Type | |
| Description |