import "pe"

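rule PINGPULL_backdoor {
	// Flags PINGPULL backdoor samples by a cluster of embedded strings.
	// Three of the five strings are required, which tolerates per-sample
	// variation without matching on a single generic token.
	// Note: the "pe" module imported at the top of the file is not referenced
	// anywhere in this rule.
	meta:
		author = "eSentire TI"
		date = "05/24/2022"
		version = "1.0"
	strings:
		$a1 = { 68 69 6E 69 74 69 61 6C 2E 63 6F 6D }          // "hinitial.com"
		$a2 = { 50 52 4F 4A 45 43 54 5F 25 73 5F 25 73 5F }    // "PROJECT_%s_%s_"
		$a3 = { 74 6F 74 61 6C 3D }                            // "total="
		$a4 = { 49 50 20 48 65 31 70 65 72 }                   // "IP He1per" (digit 1, not letter l)
		$a5 = "Iph1psvc"
	condition:
		// Size cap keeps scanning cheap; the header check restricts matches to
		// PE ("MZ" == 0x5A4D) or ELF ("\x7fELF" read little-endian == 0x464c457f)
		// files. The previous literal 0x4464c457f has nine hex digits and
		// exceeds the uint32 range, so the ELF branch could never be true.
		3 of ($a*) and (filesize < 200KB) and (uint16(0) == 0x5A4D or uint32(0) == 0x464c457f)
}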
Type Yara Rule
Details Published Attributes CTI Title
Details Website 2022-06-20 21 eSentire Threat Intelligence Malware Analysis: PINGPULL RAT