Common Information
| Type | Value |
|---|---|
| Value |
import "pe"
rule S1deloadStealer_Registry {
meta:
author = "Acs David - Bitdefender"
date = "2022-12-05"
hash = "2799C2A302164626C77DD73BF755981BE3FF159CC0D2E85C1C54B620FD815132"
strings:
$reg_util_namespace = "RegistryUtils"
$reg_util_get_registry_value = "GetRegistryValue"
$reg_util_set_registry_value = "SetRegistryValue"
$set_persistence_instructions = { 28 [6-8] 2C [2-3] 74 [6-8] 16 91 18 2E ?? 1F 0C 8D [6-8] 16 18 9C [2-4] 20 [4] 28 [4] 20 [4] 28 [4] 11 ?? 19 17 28 }
condition:
pe.is_pe and filesize <= 1MB and pe.imports("mscoree.dll") and (all of them)
}
|
| Category | |
| Type | Yara Rule |
| Misp Type | |
| Description |