telegromcn.org

raw.githubusercontent.com

nch-software.info

tradevlewdesktop_v4-94406.zip

extension.exe

extension.zip

chrome.vbs

blanks_online.exe

0a4f321c903a7fbc59566918c12aca09

146.70.79.75

UNC4553

FIN7

http://telegromcn.org/soft/analytics/extension.exe

rule M_Hunting_Embedded_Chromium_CRX_1 {
	meta:
		author = "Mandiant"
		md5 = "f1c21a69ed9f85e12d58ef0f5ac5c9b1"
		description = "Hunting for non-CRX files with extension equities"
	strings:
		$a1 = "_metadata"
		$a2 = "manifest.json"
		$a3 = "verified_contents.json"
		$s1 = "_locales"
		$s2 = "messages.json"
		$f = /[a-z0-9A-Z_-]+\.(html|htm|css|js)/
		$pk = { 50 4B 03 04 }
	condition:
		(((uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550) or (uint32(0) == 0x464c457f) or (uint32(0) == 0xfeedface or uint32(0) == 0xcefaedfe or uint32(0) == 0xfeedfacf or uint32(0) == 0xcffaedfe or uint32(0) == 0xcafebabe or uint32(0) == 0xbebafeca or uint32(0) == 0xcafebabf or uint32(0) == 0xbfbafeca)) and (((2 of ($a*)) and $f) or ((1 of ($a*)) and ($f or (1 of ($s*))))) and $pk and (#pk > 1) and (for any i in (1 .. #pk) : ( $a2 at @pk[i] + 30 )) and (for any j in (1 .. #pk) : ( $f at @pk[j] + 30 ))
}

rule M_Hunting_AdvancedInstaller_LNK_1 {
	meta:
		author = "Mandiant"
		md5 = "2782af385665c765807ed887d4bacf36"
		description = "Hunting for Advanced Installer files that drop LNKs to known locations."
	strings:
		$a1 = "Advanced Installer" wide
		$a2 = "Advanced Installer"
		$a3 = "https://www.advancedinstaller.com"
		$l1 = "Google Chrome.lnk"
		$l2 = "Brave.lnk"
		$p1 = "\\Microsoft\\Windows\\Start Menu\\Programs\\Google Chrome.lnk"
		$p2 = "\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Brave.lnk"
		$p3 = "\\Microsoft\\Internet Explorer\\Quick Launch\\Brave.lnk"
		$p4 = "\\Microsoft\\Internet Explorer\\Quick Launch\\Google Chrome.lnk"
		$p5 = "\\Microsoft\\Windows\\Start Menu\\Programs\\Brave.lnk"
		$p6 = "\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Google Chrome.lnk"
		$r = /\$[^\.]+\.CreateShortcut\([^\)]+\)/
	condition:
		((uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550) and (all of ($a*)) and (1 of ($l*)) and (2 of ($p*)) and $r
}

rule M_Hunting_LNKEngine_LoadExtension_Temp_1 {
	meta:
		author = "Mandiant"
		description = "Hunting rule that looks for files containing strings pertaining to execution of Edge, Opera, Brave, Chrome to launch an extension."
		md5 = "30abf9ca1bb792eb5edd8b033c010979"
	strings:
		$r1 = /(chrome|msedge|opera|brave)[^\r\n]+--load-extension="?[A-Za-z]:\\Users\\[^\\]+\\AppData\\/ ascii wide nocase
		$s2 = "--load-extension=" ascii wide
	condition:
		(uint32(0) == 0x0000004c) and filesize < 50KB and all of them
}

rule M_Hunting_RILIDE_InjectJS_1 {
	meta:
		author = "Mandiant"
		md5 = "9fe5b99b20bc91995b81eddd917bff50"
		description = "Hunting for the code that RILIDE injects"
	strings:
		$banner = "https://public.bnbstatic.com/image/email_template/emailBanner.png"
		$s1 = "[Bybit]Withdrawal Request"
		$s2 = "[Bybit] Authorize New Device"
		$a1 = "created a withdrawal request"
		$a2 = "Authorize New Device You recently attempted to sign in to your Bybit account from a new device or location. As a security measure, we require additional"
		$a3 = "Please check your withdrawal address carefully."
		$a4 = "Verification Code Of Withdrawal"
		$a6 = "Withdrawal Verification Code"
		$a7 = "Verification Code Of Authorization"
		$a8 = "initiate this withdrawal or the address is"
		$a9 = "Authorize New Device You recently attempted to sign in to your OKX account from a new device or location. As a security measure, we require additional"
		$a10 = "Confirm your new withdrawal address"
		$a11 = "A new withdrawal address was just added to your account."
		$f1 = "div:contains(\"Binance\"), div:contains(\"binance\")"
		$f2 = "binance()" fullword
		$f3 = "div:contains(\"Bybit\"), div:contains(\"bybit\")"
		$f4 = "bybit()" fullword
		$f5 = "div:contains(\"Huobi\"), div:contains(\"huobi\")"
		$f6 = "huobi()" fullword
		$f7 = "div:contains(\"Okx\"), div:contains(\"okx\")"
		$f8 = "okx()" fullword
		$f9 = "div:contains(\"Kraken\"), div:contains(\"kraken\")"
		$f10 = "kraken()" fullword
	condition:
		filesize < 1MB and $banner and (1 of ($s*)) and (3 of ($a*)) and (6 of ($f*))
}

rule M_Hunting_RILIDE_InjectJS_3 {
	meta:
		author = "Mandiant"
		md5 = "6e426758f184b5a942428731b749b000"
		description = "Hunting for the code that RILIDE injects"
	strings:
		$anchor = "const DOMAIN = 'https://extenision-app.com/api'"
		$v1 = "userId" ascii fullword
		$v2 = "bearerToken" ascii fullword
		$v3 = "sharedKey" ascii fullword
		$v4 = "multiaddr" ascii fullword
		$v5 = "ethAccount" ascii fullword
		$v6 = "userSeed" ascii fullword
		$s1 = "${DOMAIN}/exchange/create-account"
		$s2 = "${DOMAIN}/exchange/set-balance"
		$s3 = "${DOMAIN}/exchange/set-all-balances"
		$s4 = "${DOMAIN}/settings"
		$f1 = "setBalance"
		$f2 = "setAllBalance"
		$f3 = "getSettings"
		$f4 = "getPrecisions"
		$f5 = "getPriceInUSDT"
		$f6 = "checkAuthTimer"
		$f7 = "checkBalanceTimer"
		$f8 = "balanceInUSDT"
	condition:
		filesize < 1MB and (($anchor and (8 of them)) or ((4 of ($v*)) and (2 of ($s*)) and (6 of ($f*))))
}