YARA rules for Dridex
2 rules · scoped to tool · back to Dridex
YARA rules whose family, name, or description matches this tool or its tooling. Use these for binary-pattern hunts.
rule Dridex_Trojan_XML {
meta:
description = "Dridex Malware in XML Document"
author = "Florian Roth (Nextron Systems) @4nc4p"
reference = "https://threatpost.com/dridex-banking-trojan-spreading-via-macros-in-xml-files/111503"
date = "2015/03/08"
hash1 = "88d98e18ed996986d26ce4149ae9b2faee0bc082"
hash2 = "3b2d59adadf5ff10829bb5c27961b22611676395"
hash3 = "e528671b1b32b3fa2134a088bfab1ba46b468514"
hash4 = "981369cd53c022b434ee6d380aa9884459b63350"
hash5 = "96e1e7383457293a9b8f2c75270b58da0e630bea"
id = "a8f3406c-f8b0-559f-be12-6b2a7d401ac2"
strings:
// can be ascii or wide formatted - therefore no restriction
$c_xml = "<?xml version="
$c_word = "<?mso-application progid=\"Word.Document\"?>"
$c_macro = "w:macrosPresent=\"yes\""
$c_binary = "<w:binData w:name="
$c_0_chars = "<o:Characters>0</o:Characters>"
$c_1_line = "<o:Lines>1</o:Lines>"
condition:
all of ($c*)
}
rule crime_win32_dridex_socks5_mod {
meta:
description = "Detects Dridex socks5 module"
author = "@VK_Intel"
date = "2020-04-06"
reference = "https://twitter.com/VK_Intel/status/1247058432223477760"
id = "cee256b1-ad80-55dd-bbd3-0d3f7bc49664"
strings:
$s0 = "socks5_2_x32.dll"
$s1 = "socks5_2_x64.dll"
condition:
any of ($s*) and pe.exports("start")
}