Common Information
| Type | Value |
|---|---|
| Value |
import "pe"
rule Ursnif_201902 {
meta:
description = "Yara rule for Ursnif loader - January version"
author = "Yoroi - ZLab"
last_updated = "2019-02-06"
tlp = "white"
category = "informational"
strings:
$a1 = "PADDINGXX"
$a2 = { 66 66 66 66 66 66 66 }
condition:
all of ($a*) and pe.number_of_sections == 4 and (pe.version_info["OriginalFilename"] contains "Lumen.exe" or pe.version_info["OriginalFilename"] contains "PropositionReputation.exe")
}
|
| Category | |
| Type | Yara Rule |
| Misp Type | |
| Description |