Common Information
| Type | Value |
|---|---|
| Value |
import "pe"
rule coyote_nimloader {
meta:
author = "Blackberry Threat Research and Intelligence"
hash = "110b616bc12c29b070b0dc60c197a4d63b3e3caae6bb80a25b8864489a51da79"
hash = "1bed3755276abd9b54db13882fcf29c543ebf604be3b7fcf060cbd6d68bcd23f"
strings:
$nim1 = "strformat.nim" ascii fullword
$nim2 = "fatal.nim" ascii fullword
$nim3 = "io.nim" ascii fullword
$export_name = "chrome_elf.dll" ascii fullword
condition:
pe.characteristics & pe.DLL and pe.number_of_sections > 8 and $export_name and (2 of ($nim*))
}
|
| Category | |
| Type | Yara Rule |
| Misp Type | |
| Description |