Common Information
| Type | Value |
|---|---|
| Value |
rule COATHANGER_files {
meta:
description = "Detects COATHANGER files by used filenames"
malware = "COATHANGER"
author = "NLD MIVD - JSCU"
date = "20240206"
strings:
$1 = "/data2/"
$2 = "/httpsd"
$3 = "/preload.so"
$4 = "/authd"
$5 = "/tmp/packfile"
$6 = "/smartctl"
$7 = "/etc/ld.so.preload"
$8 = "/newcli"
$9 = "/bin/busybox"
condition:
(uint32(0) == 0x464c457f or uint32(4) == 0x464c457f) and filesize < 5MB and 4 of them
}
|
| Category | |
| Type | Yara Rule |
| Misp Type | |
| Description |