@andretavare5
andretavare5 / win_colibriloader.yara
Last active January 12, 2024 11:18
Yara rule to detect ColibriLoader malware.
rule win_colibriloader
{
meta:
author = "andretavare5"
description = "Detects ColibriLoader malware."
org = "BitSight"
date = "2022-11-22"
md5 = "f1bbf3a0c6c52953803e5804f4e37b15"
reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.colibri"
license = "CC BY-NC-SA 4.0"
@andretavare5
andretavare5 / win_colibriloader_packed.yara
Last active January 12, 2024 11:13
Yara rule to detect packed ColibriLoader malware.
rule win_packed_colibriloader : packed loader
{
meta:
author = "andretavare5"
description = "Detects packed ColibriLoader malware"
org = "BitSight"
date = "2022-09-21"
md5 = "e0a68b98992c1699876f818a22b5b907"
reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.colibri"
license = "CC BY-NC-SA 4.0"
import pefile
import struct
from capstone import *
def extract_var(op):
if ']' in op:
op = ''.join(op.split(' ')[-1])[:-1].replace('[', '')
return op
def search(instructions, var):
@andretavare5
andretavare5 / win_privateloader.yara
Last active January 12, 2024 11:27
Yara rule to detect PrivateLoader malware.
rule win_privateloader
{
meta:
author = "andretavare5"
description = "Detects PrivateLoader malware."
org = "Bitsight"
date = "2024-01-11"
sample = "6f7f9de3238003897f35b86caf942f088f14e88ecb1a5a1329ef5a7d421f7008"
reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.privateloader"
license = "CC BY-NC-SA 4.0"