import "elf"

rule TSM_FasterThanLite_Outlaw_Apr20 {
	meta:
		description = "TSM ssh bruteforce component of Outlaw Botnet April 2020"
		hash32 = "3eef8c27ad8458af84dcb52dfa01295c427908a0"
		hash64 = "a1da0566193f30061f69b057c698dc7923d2038c"
		author = "Cybaze - Yoroi  ZLab"
		last_updated = "2020-04-27"
		tlp = "white"
		category = "informational"
	strings:
		// A run of consecutive OpenSSL object long-names (id-smime-alg-*), NUL-separated,
		// as laid out in libcrypto's object table. Written as a text string with explicit
		// \x00 escapes; byte-for-byte the same pattern as the original hex form.
		$s1 = "cs-dvc\x00id-smime-alg-ESDHwith3DES\x00id-smime-alg-ESDHwithRC2\x00id-smime-alg-3DESwrap\x00id-smime-alg-RC2wrap\x00id-smime-alg-ESDH\x00id-smime-alg-CMS3"
		// Second run from the same OpenSSL table (id-pda-* personal-data attributes).
		$s2 = "-placeOfBirth\x00id-pda-gender\x00id-pda-countryOfCitizenship"
		// Named elliptic curve, likewise an OpenSSL string.
		$s3 = "brainpoolP384r1" ascii wide
		// libc symbol: user account lookup by name.
		$s4 = "getpwnam" ascii wide
		// libc symbol: file-descriptor duplication.
		$s5 = "dup2" ascii wide
		// gcc-emitted transactional-memory clone-table symbol.
		$s6 = "_ITM_deregisterTMCloneTable" ascii wide
		// ELF file magic.
		$elf = { 7F 45 4C 46 }
	condition:
		// Sizable section table, ELF magic within the first bytes, and every string present.
		// NOTE(review): $s1-$s6 appear to be generic OpenSSL / glibc / gcc artifacts rather
		// than Outlaw-specific code, so a statically linked OpenSSL ELF may match too; in
		// line with category = "informational", corroborate hits (e.g. against the meta
		// hashes) before escalating.
		elf.number_of_sections > 25 and $elf in (0 .. 4) and all of them
}
Details Website 2020-04-28 32 Outlaw is Back, a New Crypto-Botnet Targets European Organizations - Yoroi