Common Information
| Type | Value |
|---|---|
| Value |
rule wellmess_regex_used_for_parsing_beacons {
meta:
description = "Detects WellMess Golang and .NET samples based on the
regex they used to parse commands and beacon information"
author = "NCSC"
hash = "8749c1495af4fd73ccfc84b32f56f5e78549d81feefb0c1d1c3475a74345f6a8"
strings:
$a = "fileName:(?<fn>.*?)\\sargs:(?<arg>.*)\\snotwait:(?<nw>.*)" ascii wide
$b = "<;(?<key>[^;]*?);>(?<value>[^<]*?)<;[^;]*?;>" ascii wide
condition:
((uint16(0) == 0x5a4d and uint16(uint16(0x3c)) == 0x4550) or uint32(0) == 0x464c457f) and any of them
}
|
| Category | |
| Type | Yara Rule |
| Misp Type | |
| Description |