Common Information
Type | Value |
---|---|
Value |
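import "pe"
import "hash"

/*
 * PoshC2 dropper.exe detection.
 *
 * The rule has two legs, OR'd together:
 *   1. an exact SHA-256 match on the known sample, and
 *   2. a structural heuristic: a small PE whose fifth section is named "_RDATA",
 *      that imports the classic process-injection quartet from kernel32
 *      (OpenProcess / WriteProcessMemory / CreateRemoteThread / TerminateProcess),
 *      and that carries 8 of the strings listed below.
 *
 * Notes for anyone tuning this rule:
 *   - Almost every $s string is a generic MSVC CRT / RTTI artefact
 *     (" Type Descriptor'", "operator co_await", "__swift_*", "api-ms-win-*",
 *     ".rdata$voltmd", ...). They identify a modern MSVC-built binary, not
 *     PoshC2 in particular, so "8 of them" mostly acts as an "is this
 *     MSVC-compiled" check. The discriminating power of leg 2 comes from the
 *     import set plus the section layout; expect some hits on legitimate
 *     injectors, debuggers and security tooling, and triage leg-2 matches
 *     accordingly.
 *   - YARA gives "and" higher precedence than "or". The original condition
 *     relied on that implicitly; it is written with explicit parentheses here
 *     so the two legs cannot be misread.
 *   - The MZ magic check is hoisted in front of both legs. That keeps the
 *     whole-file SHA-256 from being computed on every non-PE input. The
 *     referenced sample is itself a PE (every string below is PE/MSVC
 *     toolchain output), so the hash leg is not narrowed in practice.
 */
rule PoshC2_Dropper
{
    meta:
        description = "PoshC2 - dropper.exe"
        sha256 = "9062d8c9e744b3963ea16f1df295fdf9e463902bfe37b8bae376a21a441851b4"

    strings:
        // MSVC runtime / RTTI / linker artefacts. Generic to MSVC-built PEs.
        $s1  = "AppPolicyGetProcessTerminationMethod" ascii fullword
        $s2  = " Type Descriptor'" ascii fullword
        $s3  = "operator co_await" ascii fullword
        $s4  = "operator<=>" ascii fullword
        $s5  = ".data$rs" ascii fullword
        $s6  = "api-ms-win-appmodel-runtime-l1-1-2" wide fullword
        $s7  = " Class Hierarchy Descriptor'" ascii fullword
        $s8  = " Base Class Descriptor at (" ascii fullword
        $s9  = " Complete Object Locator'" ascii fullword
        $s10 = "__swift_3" ascii fullword
        $s11 = "__swift_2" ascii fullword
        $s12 = ".rdata$voltmd" ascii fullword
        // Opaque fragments lifted from the sample. These are the only strings
        // here that are not generic toolchain output; their origin is not
        // documented, so treat them as weak, sample-specific markers.
        $s13 = "xWI96tRI" ascii fullword
        $s14 = " delete[]" ascii fullword
        $s15 = "__swift_1" ascii fullword
        $s16 = "vKfffff" ascii fullword
        $s17 = "D$0@8{" ascii fullword
        $s18 = "api-ms-win-core-file-l1-2-4" wide fullword
        $s19 = "api-ms-win-core-file-l1-2-2" wide fullword
        $s20 = " delete" ascii fullword

    condition:
        // Cheap gate first: "MZ" magic. Only PE files can match either leg.
        uint16(0) == 0x5a4d
        and (
            // Leg 1: exact match on the known sample.
            hash.sha256(0, filesize) == "9062d8c9e744b3963ea16f1df295fdf9e463902bfe37b8bae376a21a441851b4"
            or (
                // Leg 2: structural heuristic. Cheapest checks first.
                filesize < 300KB
                // pe.sections is zero-indexed, so this is the fifth section.
                // Evaluates to false (undefined) on PEs with fewer sections.
                and pe.sections[4].name == "_RDATA"
                // Process-injection import set.
                and pe.imports("kernel32.dll", "WriteProcessMemory")
                and pe.imports("kernel32.dll", "CreateRemoteThread")
                and pe.imports("kernel32.dll", "OpenProcess")
                and pe.imports("kernel32.dll", "TerminateProcess")
                // "them" = every $s string above.
                and 8 of them
            )
        )
}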
Category | |
Type | Yara Rule |
Misp Type | |
Description |