Stealc Malware YARA Rule
// Detects Stealc samples wrapped by the "pkr_ce1a" packer.
// The rule keys on fifteen fixed 4-byte sequences that must all be present,
// and narrows the candidate set to files between 200KB and 300KB.
// NOTE(review): unlike stealc_unpacked, no PE magic check (uint16(0) == 0x5A4D)
// is applied; the filesize window is the only structural constraint. Whether
// the packer output is always a PE image cannot be confirmed from this file.
rule stealc_packed
{
    meta:
        author         = "theatha"
        source         = "brandefense.io"
        classification = "TLP:CLEAR"
        packer         = "pkr_ce1a"
        reference      = "https://malwarology.substack.com/p/malicious-packer-pkr_ce1a"
        hash           = "6d9df22ed6d7844b938c9b2c3f413e2c7e3306a047dc807fdca6d0edbc2d2528"

    strings:
        // Each atom is a 4-byte constant; individually these are weak
        // (4 bytes can occur by chance), so the condition requires every one.
        $hex01  = { D0 D7 E8 41 }
        $hex02  = { 8D 78 4F 3F }
        $hex03  = { A6 63 E3 2E }
        $hex04  = { 1F 5D 97 2E }
        $hex05  = { A3 BD 8B 14 }
        $hex06  = { E1 CB 17 4C }
        $hex07  = { BD 84 97 60 }
        $hex08  = { 76 D6 10 3B }
        $hex09  = { 6B AB E2 5D }
        $hex010 = { 7D 27 35 5F }
        $hex011 = { 2D C6 3E 1B }
        $hex012 = { 41 A2 61 0E }
        $hex013 = { B8 24 B3 40 }
        $hex014 = { 2C 12 11 7B }
        $hex015 = { E6 B6 20 5F }

    condition:
        // Every $hex* string is required (equivalent to "all of them" here,
        // since the rule declares no other strings), plus the size window.
        all of ($hex*)
        and filesize > 200KB
        and filesize < 300KB
}
// Detects an unpacked Stealc payload.
// Requires a PE/MZ header, then either a code fragment or all three of the
// report-template strings the stealer embeds.
rule stealc_unpacked
{
    meta:
        author         = "theatha"
        source         = "brandefense.io"
        classification = "TLP:CLEAR"
        malware        = "Stealc"
        hash           = "d4610dbc68a5840a8099f8ad7e38cf4ac12c136288b21d5a03240ac667197850"

    strings:
        // Code fragment (no wildcards); sufficient on its own together with the MZ check.
        $func  = { 8b 48 f8 83 c0 f0 c7 00 01 00 00 00 85 c9 74 0a 83 39 00 }

        // Plaintext fragments of the stealer's report template.
        $str01 = "Network Info:"   ascii
        $str02 = "- IP: IP?"       ascii
        $str03 = "- Country: ISO?" ascii

    condition:
        // "all of ($str*)" is identical to the original "3 of ($str*)" because
        // exactly three $str strings are declared.
        uint16(0) == 0x5A4D
        and ( $func or all of ($str*) )
}