rule YARA_CN_APT10_Trochilus_RC4Salsa20_decrypted_payload {
	meta:
		description = "Rule to identify Trochilus variant configured with RC4+Salsa20 encrypted C2 comms used by APT10 in 2018"
		author = "Insikt Group, Recorded Future"
		tlp = "white"
		date = "2019-01-10"
		hash1 = "42b5eb1f77a25ad73202d3be14e1833ef0502b0b6ae7ab54f5d4b5c2283429c6"
	strings:
		$s1 = "NASDKJF7832Hnkjsadf878UHds89iujkhNHKJDHJDH8UIYE98uihwjshewde8w"
		$s2 = "www.miphomanager.com"
		$s3 = { 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 }
		$s4 = { 65 06 06 67 06 08 69 06 0A 6B 06 0C }
	condition:
		(uint16(0) == 0x5a4d and filesize < 1000KB and (2 of them))
}
Category: Yara Rule
Source report: APT10 Targeted Norwegian MSP and US Companies in Sustained Campaign (PDF, published 2019-02-06, 169 attributes)