Common Information
| Type | Value |
|---|---|
| Value |
rule M_Hunting_TAXHAUL_Hash_1 {
meta:
author = "Mandiant"
disclaimer = "This rule is meant for hunting and is not tested to run in a production environment"
description = "Rule looks for hardcoded value used in string hashing algorithm observed in instances of TAXHAUL."
md5 = "e424f4e52d21c3da1b08394b42bc0829"
strings:
$c_x64 = { 25 A3 87 DE [4-20] 25 A3 87 DE [4-20] 25 A3 87 DE }
condition:
filesize < 15MB and uint16(0) == 0x5a4d and uint32(uint32(0x3C)) == 0x00004550 and any of them
}
|
| Category | |
| Type | Yara Rule |
| Misp Type | |
| Description |