dropper.yara
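// Flags any file that contains the standalone word "dropper" or "Dropper".
// This is a keyword reference rule, so a hit means "the file mentions a
// dropper", not "the file is a dropper".
//
// NOTE(review): the `medium` tag is presumably the severity consumed by the
// scanner that loads this file. Confirm against the loader.
rule dropper: medium {
  meta:
    description = "References 'dropper'"
    // Presumably SHA-256 digests of reference samples this rule is expected to
    // hit (64 hex characters each). Verify against the sample corpus.
    // The first key was listed twice with the same value; one copy is kept.
    hash_2023_Downloads_016a = "016a1a4fe3e9d57ab0b2a11e37ad94cc922290d2499b8d96957c3ddbdc516d74"
    hash_2017_BadBunny = "3ca31b2adb859da61747f8c60c10afddde43b739482aeb104d992ef5764cac7c"

  strings:
    // `fullword` requires a non-alphanumeric character (or file boundary) on
    // both sides, so "eyedropper" does not match but "eye dropper" does.
    // Only these two casings are covered; "DROPPER" is not.
    // No `wide` modifier is set, so UTF-16 encoded text is not matched.
    $ref = "dropper" fullword
    $ref2 = "Dropper" fullword

  condition:
    // One occurrence of either casing is enough.
    any of them
}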
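// Flags any file that contains the phrase "dropper for " or "Dropper for ",
// for example a banner or build string that names what the dropper delivers.
//
// NOTE(review): the `high` tag is presumably the severity consumed by the
// scanner that loads this file. Confirm against the loader.
rule dropper_for: high {
  meta:
    description = "References 'dropper for'"
    // Presumably SHA-256 digests of reference samples this rule is expected to
    // hit (64 hex characters each). Verify against the sample corpus.
    // The first key was listed twice with the same value; one copy is kept.
    hash_2023_Downloads_016a = "016a1a4fe3e9d57ab0b2a11e37ad94cc922290d2499b8d96957c3ddbdc516d74"
    hash_2017_BadBunny = "3ca31b2adb859da61747f8c60c10afddde43b739482aeb104d992ef5764cac7c"

  strings:
    // The literal part "[dD]ropper for " (with the trailing space) decides
    // whether the rule fires. The tail `[\w ]{0,32}` may be empty, so it only
    // extends the reported match by up to 32 word characters or spaces.
    //
    // NOTE(review): there is no word boundary before "[dD]ropper", so the
    // pattern also matches inside a longer word such as "eyedropper for ".
    // For a `high` rule this is a false-positive source worth triaging.
    // Anchoring with \b would remove it but would also stop matching
    // concatenated names like "MyDropper for ", so the pattern is unchanged.
    // No `wide` modifier is set, so UTF-16 encoded text is not matched.
    $ref = /[dD]ropper for [\w ]{0,32}/

  condition:
    // Only one string is defined, so this is equivalent to `$ref`.
    any of them
}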