Common Information

Type | Value |
---|---|
Value | YARA rule (reproduced in full below) |
Category | |
Type | Yara Rule |
Misp Type | |
Description | |

```yara
import "pe"

rule HAKOPS_keylogger_15 {
    meta:
        description = "HAKOPSA keylogger 15 exe - file svchost.exe"
        author = "DFIR Report"
        reference = "https://thedfirreport.com/2020/06/10/lockbit-ransomware-why-you-no-spread/"
        date = "2020-06-10"
        hash1 = "27772574d00fef60de5251b2438db57b3a2645bd70e4aab13c84894844ba173f"
    strings:
        $x1 = "A*\\AF:\\Projelerim\\HAKOPS Keylogger\\v15\\Server\\hk15sw.vbp" wide fullword
        $s2 = "FC:\\Program Files (x86)\\Microsoft Visual Studio\\VB98\\VBA6.dll" ascii fullword
        $s3 = "HAKOPS Keylogger 15 - KAYITLAR - [" wide fullword
        $s4 = "HAKOPS Keylogger 15 - SERVER AKTIF EDILDI - [" wide fullword
        $s5 = "C:\\Windows\\SysWOW64\\msvbvm60.dll\\3" ascii fullword
        $s6 = "<td><span style=\"color:#3C87AF;\">HAKOPS Keylogger 15</span></td>" ascii fullword
        $s7 = "00\">HAKOPS Keylogger</p></td>" ascii fullword
        $s8 = "<title>HAKOPS Keylogger 15</title>" ascii fullword
        $s9 = "http://schemas.microsoft.com/cdo/" wide fullword
        $s10 = "<!-- Identify the application security requirements: Vista and above -->" ascii fullword
        $s11 = "\\TeamViewer\\Connections.txt" wide fullword
        $s12 = "o en el password " wide fullword
        $s13 = "C:\\Program Files (x86)\\Microsoft Visual Studio\\VB98\\VB6.OLB" ascii fullword
        $s14 = "<td><p style=\"color:#ffffff;font-family:Arial,Helvetica,sans-serif;font-size:18px;margin-left:30px;font-weight:700\">HAKOPS Key"
        $s15 = "\\TeamViewer Baglanti Listesi.txt" wide fullword
        $s16 = "configuration/smtpauthenticate" wide fullword
        $s17 = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProductName" wide fullword
        $s18 = "regread" wide fullword
        $s19 = "ScreenShot.jpg" wide fullword
        $s20 = " <b><font color='DarkGreen'>" wide fullword
    condition:
        uint16(0) == 0x5a4d and filesize < 400KB and
        (pe.imphash() == "692042adb1ddf54508674aa2ffb4c50b" or (1 of ($x*) or 4 of them))
}
```