Common Information

Value:
rule spectre_stealer {
	meta:
		description = "Yara Rule for Spectre RAT, versions 2,3,4"
		author = "Yoroi Malware Zlab"
		last_updated = "2021_10_08"
		tlp = "white"
		category = "informational"
	strings:
		$main = { FF 15 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 3D B7 00 00 00 75 06 57 E8 ?? 7? 00 00 E8 }
		$c2_send_request = { FF 15 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 4F 04 C7 07 01 00 00 00 E8 ?? ?? ?? ?? 8B [0-6] 00 10 00 00 83 F8 08 72 ?? 8B 4? [0-2] 8D 04 45 02 00 00 00 89 4? }
	condition:
		all of them and uint16(0) == 0x5A4D
}
Type: Yara Rule

Referenced report: Spectre v4.0: the speed of malware threats after the pandemics - Yoroi (website, published 2021-10-22, 19 attributes)