YARA rules for Billbug
YARA rules whose family, name, or description matches this actor or its tooling. Use these for binary-pattern hunts.
// Loader DLL for the Chrysalis backdoor (Lotus Blossom tooling per the description).
// Match logic: file must carry a PE/MZ header AND contain both opcode sequences below,
// so a single coincidental code fragment in an unrelated binary is not enough to fire.
rule MAL_Chrysalis_DllLoader_Feb26 {
meta:
description = "Detects DLL used to load Chrysalis backdoor, seen being used in the compromise of the infrastructure hosting Notepad++ by Chinese APT group Lotus Blossom"
author = "X__Junior"
date = "2026-02-02"
reference = "https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/"
hash = "3bdc4c0637591533f1d4198a72a33426c01f69bd2e15ceee547866f65e26b7ad"
// score: signature-base style confidence value consumed by downstream scoring tooling.
score = 80
strings:
// $op1: appears to be a byte-wise decode loop (xor/div/xor/store/inc/cmp/jb);
// the ?? wildcards stand in for displacement and immediate bytes that vary per build.
$op1 = { 33 D2 8B C1 F7 F6 0F B6 C1 03 55 ?? 6B C0 ?? 32 02 88 04 0F 41 83 F9 ?? 72 }
// $op2: appears to be a hashing loop (movzx/xor/imul-by-constant/cmp/jb); the four
// wildcarded bytes are the imul constant, so the rule tolerates a changed multiplier.
$op2 = { 0F B6 04 31 41 33 C2 69 D0 ?? ?? ?? ?? 3B CB 72 }
condition:
// 0x5a4d == "MZ": restrict to PE images before evaluating the opcode patterns.
uint16(0) == 0x5a4d and all of them
}
// Shellcode stage that loads the Chrysalis backdoor.
// No MZ check and no filesize bound: the pattern is meant to hit raw shellcode blobs
// and memory regions as well as files, so either opcode sequence alone is sufficient.
rule MAL_Chrysalis_Shellcode_Loader_Feb26 {
meta:
description = "Detects shellcode used to load Chrysalis backdoor, seen being used in the compromise of the infrastructure hosting Notepad++ by Chinese APT group Lotus Blossom"
author = "X__Junior"
date = "2026-02-02"
reference = "https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/"
// Same sample hash as MAL_Chrysalis_Backdoor_Feb26 below; both rules describe one artefact.
hash = "e2e3d78437cf9d48c2b2264e44bb36bc2235834fc45bbb50b5d6867f336711e3"
score = 80
strings:
// $op1: looks like a key-mixing decode loop (load key byte, add/xor/sub against the
// data byte, store, loop); wildcards cover stack displacements and the mask immediate.
$op1 = { 8B C7 03 D7 83 E0 ?? 47 8A 4C 05 ?? 8A 04 13 02 C1 32 C1 2A C1 88 02 8B 55 ?? 3B FE 7C ?? 8B 5D ?? 8B 45 }
// $op2: resembles a function-pointer resolution loop (indirect call, store result into a
// table, null check, advance) — TODO confirm against the referenced analysis.
$op2 = { 03 F8 8B 45 ?? 8B 50 ?? 85 C9 79 ?? 0F B7 C1 EB ?? 8D 41 ?? 03 C3 50 FF 75 ?? FF D2 89 07 85 C0 74 ?? 8B 4D ?? 46 }
condition:
// Either sequence is enough; on very large inputs the whole content is scanned since
// there is no filesize guard.
1 of them
}
// Chrysalis backdoor payload. No MZ check, so it also applies to in-memory / decrypted
// copies. Fires on either (one $opa pattern plus the $opb1 loop) or (both $opa patterns).
rule MAL_Chrysalis_Backdoor_Feb26 {
meta:
description = "Detects Chrysalis backdoor, seen being used in the compromise of the infrastructure hosting Notepad++ by Chinese APT group Lotus Blossom"
author = "X__Junior"
date = "2026-02-02"
reference = "https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/"
// Same sample hash as MAL_Chrysalis_Shellcode_Loader_Feb26 above.
hash = "e2e3d78437cf9d48c2b2264e44bb36bc2235834fc45bbb50b5d6867f336711e3"
score = 80
strings:
// $opa1: rotate/add/imul mixing sequence (ror/rol/imul-by-constant) — likely a hash or
// checksum routine; the wildcarded dwords are the constants.
$opa1 = { 8B 4D ?? C1 CF ?? C1 C1 ?? 03 F9 D1 C3 8B 4D ?? C1 C1 ?? 03 F9 03 FB 8B 5D ?? 69 CF ?? ?? ?? ?? BF ?? ?? ?? ?? 2B F9 EB }
// $opa2: imul/shift/add sequence typical of compiler-generated division by a constant,
// ending in cmovne. The [0-1]/[0-2]/[1-4]/[1-3] jumps tolerate small encoding differences
// (e.g. register choice or displacement width) between builds.
$opa2 = { F7 E9 [0-1] 8B C2 C1 E8 ?? 03 C2 8D 0C 40 8A C3 34 ?? [0-2] 0F B6 [1-4] 0F B6 C3 8B 5D [1-3] 0F 45 D0 }
// $opb1: swaps two bytes of a table, xors a derived byte into the buffer, increments the
// counter and loops — resembles an RC4-style keystream loop (assumption, not confirmed here).
$opb1 = { 0F B6 84 35 ?? ?? ?? ?? 88 84 3D ?? ?? ?? ?? 88 8C 35 ?? ?? ?? ?? 0F B6 84 3D ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? 03 C2 0F B6 C0 0F B6 84 05 ?? ?? ?? ?? 30 04 19 43 3B 9D ?? ?? ?? ?? 7C }
condition:
// Two independent routes to a match so that a single recompiled routine does not evade.
(1 of ($opa*) and $opb1)
or
all of ($opa*)
}
// Legitimate Bitdefender Submission Wizard binary running under a different file name
// (the strings themselves are benign; the signal is the name mismatch). Lower score
// than the MAL_ rules because the artefact is a renamed vendor tool, not malware.
rule SUSP_Renamed_Bitdefender_Submission_Wizard_Feb26 {
meta:
description = "Detects renamed Bitdefender Submission Wizard, seen being used in the compromise of the infrastructure hosting Notepad++ by Chinese APT group Lotus Blossom"
author = "X__Junior"
reference = "https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/"
date = "2026-02-03"
score = 65
// Note the meta key is hash1 here, while the MAL_Chrysalis_* rules use hash.
hash1 = "2da00de67720f5f13b17e9d985fe70f10f153da60c9ab1086fe58f069a156924"
strings:
// Original module name, product name and registry path of the genuine tool (UTF-16).
$s1 = "BDSubWiz.exe" wide fullword
$s2 = "Bitdefender Submission Wizard" wide
$s3 = "Software\\Bitdefender" wide
condition:
uint16(0) == 0x5a4d
and all of ($s*)
// `filename` is an external variable, not a YARA builtin: the rule fails to compile
// unless the scanner defines it (e.g. yara -d filename=<name>). The comparison is
// case-sensitive, so a copy named "bdsubwiz.exe" would be reported as renamed.
and not filename == "BDSubWiz.exe"
}
// Thrip sample: a DLL (idocback.dll) identified by its internal name plus service-related
// strings. All four strings must be present in a PE under 200KB.
rule APT_Thrip_Sample_Jun18_1 {
meta:
// NOTE(review): description and reference values carry a trailing space in this and
// the other Jun18 rules; harmless for matching but worth trimming at the source.
description = "Detects sample found in Thrip report by Symantec "
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets "
date = "2018-06-21"
hash1 = "59509a17d516813350fe1683ca6b9727bd96dd81ce3435484a5a53b472ff4ae9"
id = "5b506069-8185-5dc0-bf64-90646f6bab6b"
strings:
$s1 = "idocback.dll" fullword ascii
// $s2 looks like a fragment of a common MSVC runtime error message, so it adds little
// selectivity on its own; the `all of them` condition keeps it from driving matches.
$s2 = "constructor or from DllMain." fullword ascii
$s3 = "appmgmt" fullword ascii
$s4 = "chksrv" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 200KB and all of them
}
// Thrip sample: small PE (<60KB) referencing a cryptbase.dll path under the sysprep
// directory together with a hard-coded cmd.exe path. All three strings required.
rule APT_Thrip_Sample_Jun18_2 {
meta:
description = "Detects sample found in Thrip report by Symantec "
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets "
date = "2018-06-21"
hash1 = "1fc9f7065856cd8dc99b6f46cf0953adf90e2c42a3b65374bf7b50274fb200cc"
id = "bc1cfcc8-64a0-5da0-8ff7-147da8a3af0b"
strings:
// A cryptbase.dll placed under system32\sysprep is a path commonly associated with
// DLL-sideloading privilege-escalation tradecraft; a legitimate binary has no reason
// to reference it.
$s1 = "C:\\WINDOWS\\system32\\sysprep\\cryptbase.dll" fullword ascii
$s2 = "ProbeScriptFint" fullword wide
// Generator-flagged goodware string: only meaningful in combination with $s1 and $s2.
$s3 = "C:\\WINDOWS\\system32\\cmd.exe" fullword ascii /* Goodware String - occured 2 times */
condition:
uint16(0) == 0x5a4d and filesize < 60KB and all of them
}
// Thrip sample: 32-bit variant of the sysprep/cryptbase.dll pattern. The SysNative alias
// is how a 32-bit process on 64-bit Windows reaches the native System32 directory, so
// these paths suggest a 32-bit dropper targeting the 64-bit system folder (inference).
rule APT_Thrip_Sample_Jun18_3 {
meta:
description = "Detects sample found in Thrip report by Symantec "
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets "
date = "2018-06-21"
hash1 = "0d2abdcaad99e102fdf6574b3dc90f17cb9d060c20e6ac4ff378875d3b91a840"
id = "67ea7ed1-954f-5b3e-b058-452be3b6fdfa"
strings:
$s1 = "C:\\Windows\\SysNative\\cmd.exe" fullword ascii
$s2 = "C:\\Windows\\SysNative\\sysprep\\cryptbase.dll" fullword ascii
condition:
// Both paths required; filesize bound keeps the scan cheap and excludes large installers.
uint16(0) == 0x5a4d and filesize < 60KB and all of them
}
// Thrip sample: PE (<400KB) carrying log/debug format strings and file paths of the
// implant. Threshold is 5 of 9 strings, so partial string changes in a new build still match.
rule APT_Thrip_Sample_Jun18_4 {
meta:
description = "Detects sample found in Thrip report by Symantec "
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets "
date = "2018-06-21"
hash1 = "6b236d3fc54d36e6dc2a26299f6ded597058fed7c9099f1a37716c5e4b162abc"
id = "9dcfcdbd-d18f-5eba-a10c-95686f010f23"
strings:
// Not fullword: matches the path suffix regardless of the drive/prefix it is built with.
$s1 = "\\system32\\wbem\\tmf\\caches_version.db" ascii
$s2 = "ProcessName No Access" fullword ascii
$s3 = "Hwnd of Process NULL" fullword ascii
// Session/command log banners — useful hunting pivots in memory dumps as well.
$s4 = "*********The new session is be opening:(%d)**********" fullword ascii
$s5 = "[EXECUTE]" fullword ascii
$s6 = "/------------------------------------------------------------------------" fullword ascii
// Generic MSVC runtime message fragment; contributes to the count but is not distinctive.
$s7 = "constructor or from DllMain." fullword ascii
$s8 = "Time:%d-%d-%d %d:%d:%d" fullword ascii
$s9 = "\\info.config" ascii
condition:
uint16(0) == 0x5a4d and filesize < 400KB and 5 of them
}
// Thrip sample: PE (<200KB) with two hard-coded drop paths directly under c:\windows.
// The gaps in string numbering ($s2, $s5) are left over from the generator's pruning.
rule APT_Thrip_Sample_Jun18_5 {
meta:
description = "Detects sample found in Thrip report by Symantec "
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets "
date = "2018-06-21"
hash1 = "32889639a27961497d53176765b3addf9fff27f1c8cc41634a365085d6d55920"
id = "42c56ed6-a509-568f-a611-ce7e5c5d9d8e"
strings:
$s2 = "c:\\windows\\USBEvent.exe" fullword ascii
$s5 = "c:\\windows\\spdir.dat" fullword ascii
condition:
// `all of them` here means both remaining strings.
uint16(0) == 0x5a4d and filesize < 200KB and all of them
}
// Thrip sample: single-string rule keyed on a hard-coded path in system32.
// Single-indicator rules are cheap but brittle; treat a hit as a pivot, not a verdict.
rule APT_Thrip_Sample_Jun18_6 {
meta:
description = "Detects sample found in Thrip report by Symantec "
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets "
date = "2018-06-21"
hash1 = "44f58496578e55623713c4290abb256d03103e78e99939daeec059776bd79ee2"
id = "a1c65bc1-371e-509f-a01c-2d58c1773f95"
strings:
$s1 = "C:\\Windows\\system32\\Instell.exe" fullword ascii
condition:
// `1 of them` is equivalent to `$s1` here; PE header and <100KB bound limit false positives.
uint16(0) == 0x5a4d and filesize < 100KB and 1 of them
}
// Thrip sample: small PE (<60KB) referencing a root-level drop path. The string is not
// fullword, so it also matches when embedded in a longer path or command line.
rule APT_Thrip_Sample_Jun18_7 {
meta:
description = "Detects sample found in Thrip report by Symantec "
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets "
date = "2018-06-21"
hash1 = "6b714dc1c7e58589374200d2c7f3d820798473faeb26855e53101b8f3c701e3f"
id = "16739590-eb88-5de2-bd76-974b3343ec19"
strings:
$s1 = "C:\\runme.exe" ascii
condition:
uint16(0) == 0x5a4d and filesize < 60KB and 1 of them
}
// Thrip sample: script-based stage (JScript-style syntax, no MZ check) under 10KB that
// spawns cmd.exe through WScript.Shell and writes to %Temp%. Any one $x string fires.
rule APT_Thrip_Sample_Jun18_8 {
meta:
description = "Detects sample found in Thrip report by Symantec "
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets "
date = "2018-06-21"
hash1 = "0f2d09b1ad0694f9e71eeebec5b2d137665375bf1e76cb4ae4d7f20487394ed3"
id = "5eb98c9e-5103-5146-9364-d5f24416406f"
strings:
// The short obfuscated member names ($.oS, $._x) are what make these fragments specific.
$x1 = "$.oS.Run('cmd.exe /c '+a+'" fullword ascii
$x2 = "new $._x('WScript.Shell');" ascii
$x3 = ".ExpandEnvironmentStrings('%Temp%')+unescape('" ascii
condition:
// No MZ check on purpose: the target is a text script, not a PE.
filesize < 10KB and 1 of ($x*)
}
// Thrip samples: import-hash-only rule covering four hashes (no strings section).
// Requires `import "pe"` at file scope; this listing does not show the import line.
// pe.imphash() is typically only available in YARA builds with crypto/hash support.
// Imphash matches break as soon as the import table changes, so expect this rule to
// age faster than the string-based ones.
rule APT_Thrip_Sample_Jun18_9 {
meta:
description = "Detects sample found in Thrip report by Symantec "
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets "
date = "2018-06-21"
hash1 = "8e6682bcc51643f02a864b042f7223b157823f3d890fe21d38caeb43500d923e"
hash2 = "0c8ca0fd0ec246ef207b96a3aac5e94c9c368504905b0a033f11eef8c62fa14c"
hash3 = "6d0a2c822e2bc37cc0cec35f040d3fec5090ef2775df658d3823e47a93a5fef3"
hash4 = "0c49d1632eb407b5fd0ce32ed45b1c783ac2ef60d001853ae1f6b7574e08cfa9"
id = "7fcd8d7f-ed60-5155-a0dd-f3a36f3f2981"
condition:
uint16(0) == 0x5a4d and filesize < 100KB and (
pe.imphash() == "a7f0714e82b3105031fa7bc89dfe7664" or
pe.imphash() == "8812ff21aeb160e8800257140acae54b" or
pe.imphash() == "44a1e904763fe2d0837c747c7061b010" or
pe.imphash() == "51a854d285aa12eb82e76e6e1be01573" or
pe.imphash() == "a1f457c8c549c5c430556bfe5887a4e6"
)
}
// Thrip sample: keys on a DOS-stub message with non-standard capitalisation. The stock
// MSVC stub reads "!This program cannot be run in DOS mode." (lower-case p), so a
// capital-P or all-lower-case variant suggests a hand-edited or custom linker stub.
rule APT_Thrip_Sample_Jun18_10 {
meta:
description = "Detects sample found in Thrip report by Symantec "
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets "
date = "2018-06-21"
hash1 = "350d2a6f8e6a4969ffbf75d9f9aae99e7b3a8cd8708fd66f977e07d7fbf842e3"
id = "3307ca18-59fb-5400-b51e-c4f4aa99e592"
strings:
// Case-sensitive: these deliberately do NOT match the standard stub text.
$x1 = "!This Program cannot be run in DOS mode." fullword ascii
$x2 = "!this program cannot be run in dos mode." fullword ascii
$s1 = "svchost.dll" fullword ascii
$s2 = "constructor or from DllMain." fullword ascii
condition:
// $x1 alone is sufficient; otherwise any two of the four strings ("them" includes $x2).
uint16(0) == 0x5a4d and filesize < 200KB and ( $x1 or 2 of them )
}
// Thrip sample: PE (<100KB) matched by import hash OR by the full set of strings below.
// Requires `import "pe"` at file scope (not shown in this listing).
rule APT_Thrip_Sample_Jun18_11 {
meta:
description = "Detects sample found in Thrip report by Symantec "
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets "
date = "2018-06-21"
hash1 = "590a6796b97469f8e6977832a63c0964464901f075a9651f7f1b4578e55bd8c8"
id = "69476f7d-c436-5863-bf20-1d3e821974e6"
strings:
// Not fullword: matches any user-profile prefix in front of the Temp\dw20.EXE path.
$s1 = "\\AppData\\Local\\Temp\\dw20.EXE" ascii
$s2 = "C:\\Windows\\system32\\sysprep\\cryptbase.dll" fullword ascii
// $s3-$s6 look like encoded or substituted identifiers rather than plain words
// (assumption; they are simply treated as opaque tokens here).
$s3 = "WFQNJMBWF" fullword ascii
$s4 = "SQLWLWZSF" fullword ascii
$s5 = "PFQUFQSBPP" fullword ascii
$s6 = "WQZXQFPVOW" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 100KB
// The imphash branch catches the known build; the string branch survives relinking.
and ( pe.imphash() == "6eef4394490378f32d134ab3bf4bf194" or all of them )
}
// Thrip sample: PE (<100KB) whose format strings describe staging a DLL via a .cab
// extracted with wusa.exe /quiet /extract and then launching it through cmd.exe.
// Shares most of its strings with APT_Thrip_Sample_Jun18_15. Threshold 6 of 10.
rule APT_Thrip_Sample_Jun18_12 {
meta:
description = "Detects sample found in Thrip report by Symantec "
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets "
date = "2018-06-21"
hash1 = "33c01d3266fe6a70e8785efaf10208f869ae58a17fd9cdb2c6995324c9a01062"
id = "b24b8042-b6a3-5af8-9fcf-6d042bdb9524"
strings:
// Debug-style format string naming an OS-architecture switch before invoking cmd.exe.
$s1 = "pGlobal->nOSType==64--%s\\cmd.exe %s" fullword ascii
$s2 = "httpcom.log" fullword ascii
$s3 = "\\CryptBase.dll" ascii
$s4 = "gupdate.exe" fullword ascii
$s5 = "wusa.exe" fullword ascii
// Leading space and no fullword: this is the tail of a longer command line.
$s6 = " %s %s /quiet /extract:%s\\%s\\" ascii
$s7 = "%s%s.dll.cab" fullword ascii
$s8 = "/c %s\\%s\\%s%s %s" fullword ascii
$s9 = "ReleaseEvildll" fullword ascii
// $s0 follows $s9 in the original numbering (generator quirk); it is a plain path template.
$s0 = "%s\\%s\\%s%s" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 100KB and 6 of them
}
// Thrip sample: PE (<500KB) with XML-RPC style credential strings, a fixed IE11 User-Agent
// and a registry key, matched by import hash OR 4 of the 5 strings.
// Requires `import "pe"` at file scope (not shown in this listing).
rule APT_Thrip_Sample_Jun18_13 {
meta:
description = "Detects sample found in Thrip report by Symantec "
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets "
date = "2018-06-21"
hash1 = "780620521c92aab3d592b3dc149cbf58751ea285cfdaa50510002b441796b312"
id = "e6aec6f3-2024-5fb2-b37a-77a182684d32"
strings:
// A hard-coded UA is common in goodware too; it only counts toward the 4-of-5 threshold.
$s1 = "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" fullword ascii
$s2 = "<member><name>password</name>" fullword ascii
$s3 = "<value><string>qqtorspy</string></value>" fullword ascii
$s4 = "SOFTWARE\\QKitTORSPY" fullword wide
// ipecho.net is a public external-IP lookup service; useful network hunting pivot.
$s5 = "ipecho.net" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 500KB
and ( pe.imphash() == "3dfad33b2fb66c083c99dc10341908b7" or 4 of them )
}
// Thrip sample: service DLL (spdirs.dll) installed under svchost's netsvcs group.
// Matches on the exported InstallA/InstallB/InstallC triple OR all five strings.
// Requires `import "pe"` at file scope (not shown in this listing).
rule APT_Thrip_Sample_Jun18_14 {
meta:
description = "Detects sample found in Thrip report by Symantec "
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets "
date = "2018-06-21"
hash1 = "67dd44a8fbf6de94c4589cf08aa5757b785b26e49e29488e9748189e13d90fb3"
id = "736e2700-cdcb-5165-b786-67edaef765b6"
strings:
// svchost -k plus a netsvcs registry write are the classic service-DLL persistence markers.
$s1 = "%SystemRoot%\\System32\\svchost.exe -k " fullword ascii
$s2 = "spdirs.dll" fullword ascii
// Fake service description text; the odd wording ("storm installation services") is distinctive.
$s3 = "Provides storm installation services such as Publish, and Remove." fullword ascii
$s4 = "RegSetValueEx(Svchost\\netsvcs)" fullword ascii
$s5 = "Load %s Error" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 200KB and (
// Export-name check is independent of string obfuscation in later builds.
( pe.exports("InstallA") and pe.exports("InstallB") and pe.exports("InstallC") ) or
all of them
)
}
// Thrip sample: sibling of APT_Thrip_Sample_Jun18_12 (same wusa.exe/.cab/CryptBase.dll
// staging strings, slightly different set). Import hash OR 6 of 8 strings.
// Requires `import "pe"` at file scope (not shown in this listing).
rule APT_Thrip_Sample_Jun18_15 {
meta:
description = "Detects sample found in Thrip report by Symantec "
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets "
date = "2018-06-21"
hash1 = "231c569f11460a12b171f131c40a6f25d8416954b35c28ae184aba8a649d9786"
id = "fd8aa404-4c12-5c8f-a952-a143da858b9b"
strings:
$s1 = "%s\\cmd.exe /c %s" fullword ascii
$s2 = "CryptBase.dll" fullword ascii
$s3 = "gupdate.exe" fullword ascii
$s4 = "wusa.exe" fullword ascii
// Leading space, no fullword: tail of a longer command line.
$s5 = " %s %s /quiet /extract:%s\\%s\\" ascii
$s6 = "%s%s.dll.cab" fullword ascii
$s7 = "%s\\%s\\%s%s %s" fullword ascii
$s8 = "%s\\%s\\%s%s" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 200KB
and ( pe.imphash() == "f6ec70a295000ab0a753aa708e9439b4" or 6 of them )
}
// Thrip sample: PE (<200KB) identified by three error/debug strings OR its import hash.
// Requires `import "pe"` at file scope (not shown in this listing).
rule APT_Thrip_Sample_Jun18_16 {
meta:
description = "Detects sample found in Thrip report by Symantec "
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets "
date = "2018-06-21"
hash1 = "2b1c1c6d82837dbbccd171a0413c1d761b1f7c3668a21c63ca06143e731f030e"
id = "58be9a1b-2228-5d7a-97c9-198cacbe1a66"
strings:
$s1 = "[%d] Failed, %08X" fullword ascii
// Unusual literal unlikely to appear in legitimate software; the strongest of the three.
$s2 = "woqunimalegebi" fullword ascii
// Grammatical slip ("can not fetched") makes this error string fairly specific.
$s3 = "[%d] Offset can not fetched." fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 200KB
and ( all of them or pe.imphash() == "c6a4c95d868a3327a62c9c45f5e15bbf" )
}
// Thrip samples (three hashes): very small PE (<20KB) referencing kernel object names
// (\Driver\, \Device\, \DosDevices\) and a SkeyMan2 PDB path — consistent with a keyboard
// filter driver and/or its user-mode client (inference from the \Driver\kbdhid string).
// Needs one developer-path ($x) string AND one object-name/runtime ($s) string.
rule APT_Thrip_Sample_Jun18_17 {
meta:
description = "Detects sample found in Thrip report by Symantec "
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets "
date = "2018-06-21"
hash1 = "05036de73c695f59adf818d3c669c48ce8626139d463b8a7e869d8155e5c0d85"
hash2 = "08d8c610e1ec4a02364cb53ba44e3ca5d46e8a177a0ecd50a1ef7b5db252701d"
hash3 = "14535607d9a7853f13e8bf63b629e3a19246ed9db6b4d2de2ca85ec7a7bee140"
id = "e314a893-1ef5-5d5f-b056-af25765c0b70"
strings:
// Build-environment path and PDB name leak the project name (SkeyMan2).
$x1 = "c:\\users\\administrator\\desktop\\code\\skeyman2\\" ascii
$x2 = "\\SkeyMan2.pdb" ascii
// User-mode device open path (\\.\Pnpkb); note the casing differs from $s1/$s2/$s4.
$x3 = "\\\\.\\Pnpkb" fullword ascii
// Both casings of the DosDevices link are listed because the strings are case-sensitive.
$s1 = "\\DosDevices\\Pnpkb" wide
$s2 = "\\DosDevices\\PnpKb" wide
$s3 = "\\Driver\\kbdhid" wide
$s4 = "\\Device\\PnpKb" wide
// Generic version-info text; only counts toward the 1-of-$s requirement.
$s5 = "Microsoft Windows Operating System" fullword wide
$s6 = "hDevice == INVALID_HANDLE_VALUE" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 20KB and ( 1 of ($x*) and 1 of ($s*) )
}
// Thrip samples (six hashes): PE (<200KB) containing virtual-key-code description text
// and a KbdGetProcAddressByName error string — consistent with a keystroke-logging
// component (inference from the string content). All five strings required; $s4 was
// pruned from the original numbering.
rule APT_Thrip_Sample_Jun18_18 {
meta:
description = "Detects sample found in Thrip report by Symantec "
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets "
date = "2018-06-21"
hash1 = "33029f5364209e05481cfb2a4172c6dc157b0070f51c05dd34485b8e8da6e820"
hash2 = "263c01a3b822722dc288a5ac138d953630d8c548a0bee080ae3979b7d364cecb"
hash3 = "52d190a8d20b4845551b8765cbd12cfbe04cf23e6812e238e5a5023c34ee9b37"
hash4 = "1f019e3c30a02b7b65f7984903af11d561d02b2666cc16463c274a2a0e62145d"
hash5 = "43904ea071d4dce62a21c69b8d6efb47bcb24c467c6f6b3a6a6ed6cd2158bfe5"
hash6 = "00d9da2b665070d674acdbb7c8f25a01086b7ca39d482d55f08717f7383ee26a"
id = "20642526-5a4d-5dca-a6f5-29f19a9b5271"
strings:
// $s1/$s2/$s5/$s6 read like copied SDK documentation for virtual-key codes; on their own
// they could appear in input-handling tools, hence the `all of them` requirement.
$s1 = "Windows 95/98/Me, Windows NT 4.0, Windows 2000/XP: IME PROCESS key" fullword ascii
$s2 = "Windows 2000/XP: Either the angle bracket key or the backslash key on the RT 102-key keyboard" fullword ascii
// Custom function name in an error message — the most specific string in the set.
$s3 = "LoadLibraryA() failed in KbdGetProcAddressByName()" fullword ascii
$s5 = "Unknown Virtual-Key Code" fullword ascii
$s6 = "Computer Sleep key" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 200KB and all of them
}
// Elise backdoor masquerading as the Norton Security shell extension NavShExt.dll.
// Fires on the known import hash OR on (a Norton-branding string AND the $a1 marker).
// Requires `import "pe"` at file scope (not shown in this listing).
rule Elise_Jan18_1 {
meta:
description = "Detects Elise malware samples - fake Norton Security NavShExt.dll"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://twitter.com/blu3_team/status/955971742329135105"
date = "2018-01-24"
hash1 = "6dc2a49d58dc568944fef8285ad7a03b772b9bdf1fe4bddff3f1ade3862eae79"
id = "8e4f4ec8-5d31-5990-8c14-861423571a79"
strings:
// $s1/$s2 are legitimate Norton strings (UTF-16); genuine NavShExt.dll contains them too,
// which is why neither is sufficient without $a1.
$s1 = "NavShExt.dll" fullword wide
$s2 = "Norton Security" fullword wide
// $a1 is the discriminating marker that should not appear in the real vendor DLL.
$a1 = "donotbotherme" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 250KB and (
pe.imphash() == "e9478ee4ebf085d1f14f64ba96ef082f" or
( 1 of ($s*) and $a1 )
)
}