
Text-to-Malware: How Cybercriminals Weaponize Fake AI-Themed Websites

YARA Rules


rule G_Dropper_COILHATCH_1
{
    meta:
        author = "Mandiant"
    strings:
        $i1 = "zlib.decompress" ascii wide
        $i2 = "rc4" ascii wide
        $i3 = "aes_decrypt" ascii wide
        $i4 = "xor" ascii wide
        $i5 = "rsa_decrypt" ascii wide
        $r1 = "private_key" ascii wide
        $r2 = "runner" ascii wide
        $r3 = "marshal" ascii wide
        $r4 = "marshal.loads" ascii wide
        $r5 = "b85decode" ascii wide
        $r6 = "exceute_func" ascii wide
        $r7 = "hybrid_decrypt" ascii wide
    condition:
        (4 of ($i*)) and all of ($r*)
}

rule G_Dropper_STARKVEIL_1
{
    meta:
        author = "Mandiant"
    strings:
        $p00_0 = { 56 57 53 48 83 EC ?? 48 8D AA [4] 48 8B 7D ?? 48 8B 4F ?? FF 15 [4] 48 89 F9 }
        $p00_1 = { 0F 0B 66 0F 1F 84 00 [4] 48 89 54 24 ?? 55 41 56 56 57 53 48 83 EC }
    condition:
        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and
        (($p00_0 in (48000 .. 59000) and $p00_1 in (100000 .. 120000)))
}

import "dotnet"

rule G_Downloader_GRIMPULL_1
{
    meta:
        author = "Mandiant"
    strings:
        $str1 = "SbieDll.dll" ascii wide
        $str2 = "cuckoomon.dll" ascii wide
        $str3 = "vmGuestLib.dll" ascii wide
        $str4 = "select * from Win32_BIOS" ascii wide
        $str5 = "VMware|VIRTUAL|A M I|Xen" ascii wide
        $str6 = "Microsoft|VMWare|Virtual" ascii wide
        $str7 = "win32_process.handle='{0}'" ascii wide
        $str8 = "stealer" ascii wide
        $code = { 11 20 11 0F 11 20 11 0F 91 11 1A 11 0F 91 61 D2 9C }
    condition:
        dotnet.is_dotnet and all of them
}

rule G_Backdoor_FROSTRIFT_1
{
    meta:
        author = "Mandiant"
    strings:
        $guid = "$23e83ead-ecb2-418f-9450-813fb7da66b8"
        $r1 = "IdentifiableDecryptor.DecryptorStack"
        $r2 = "$ProtoBuf.Explorers.ExplorerDecryptor"
        $s1 = "\\User Data\\" wide
        $s2 = "SELECT * FROM AntiVirusProduct" wide
        $s3 = "Telegram.exe" wide
        $s4 = "SELECT * FROM Win32_PnPEntity WHERE (PNPClass =  'Image' OR PNPClass = 'Camera')" wide
        $s5 = "Litecoin-Qt" wide
        $s6 = "Bitcoin-Qt" wide
    condition:
        uint16(0) == 0x5a4d and (all of ($s*) or $guid or all of ($r*))
}

YARA-L Rules


Mandiant has made the relevant rules available in the Google SecOps Mandiant Intel Emerging Threats curated detections rule set. The activity discussed in the blog post is detected under the rule names:

  • Suspicious Binary File Execution - MP4 Masquerade

  • Suspicious Binary File Execution - Double Extension and Braille Pattern Blank Masquerade

  • Python Script Deobfuscation - Base85 ZLib Marshal

  • Suspicious Staging Directory WinSystem

  • DLL Search Order Hijacking AVCodec61

  • DLL Search Order Hijacking HEIF

  • DLL Search Order Hijacking Libde265
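The two "Masquerade" rule names above describe one filename trick: a decoy media extension such as .mp4, followed by a run of U+2800 BRAILLE PATTERN BLANK characters that pushes the real .exe extension out of view. The Python check below is an added example, not Mandiant's YARA-L rule; the extension sets, the function name and the sample filenames are constructed for illustration.

```python
# U+2800 BRAILLE PATTERN BLANK renders as blank space in most fonts, but the
# OS treats it as an ordinary character, so a run of them pushes the real
# extension past the visible end of the filename.
BRAILLE_BLANK = "\u2800"

# Extensions a lure would advertise (assumed set: the file the victim believes they downloaded).
DECOY_EXTENSIONS = {".mp4", ".mov", ".avi", ".png", ".jpg", ".jpeg", ".gif"}

# Extensions Windows will execute directly when double-clicked (assumed set).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".msi"}


def analyze_filename(name):
    """Return the masquerade indicators found in a filename.

    Indicators (each a string, so they can be logged or tagged as-is):
      braille_blank_padding:<n>   n U+2800 characters used as invisible padding
      double_extension:<a>-><b>   decoy media extension a hides executable extension b
    An empty list means the name shows neither trick.
    """
    findings = []

    blank_run = name.count(BRAILLE_BLANK)
    if blank_run:
        findings.append("braille_blank_padding:%d" % blank_run)

    # Evaluate extensions on the name as the OS resolves it, minus the invisible padding.
    cleaned = name.replace(BRAILLE_BLANK, "").strip().lower()
    suffixes = ["." + part for part in cleaned.split(".")[1:]]
    true_ext = suffixes[-1] if suffixes else ""
    decoys = [ext for ext in suffixes[:-1] if ext in DECOY_EXTENSIONS]
    if decoys and true_ext in EXECUTABLE_EXTENSIONS:
        findings.append("double_extension:%s->%s" % (decoys[-1], true_ext))

    return findings


if __name__ == "__main__":
    # Constructed sample names (not taken from the campaign); the first mimics the
    # "media file" + padding + ".exe" pattern the rule names describe.
    samples = [
        "Creation_Made_By_Luma.mp4" + BRAILLE_BLANK * 40 + ".exe",
        "video.mp4.exe",
        "holiday.mp4",
    ]
    for sample in samples:
        print(repr(sample[:40]), "->", analyze_filename(sample) or "clean")
```

The same check can be run over file-creation or process-execution telemetry, where the name field is the input.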



Published: 2025-05-27T05:00:00