YARA rule to detect ColibriLoader malware.
// Detects ColibriLoader by its string-decryption loop: a fixed byte sequence
// taken from one sample (md5 in meta), gated by an MZ header and a file-size
// window. The pattern carries no wildcards, so the match depends on the exact
// register allocation and stack offsets of that build — NOTE(review): a
// differently compiled variant would not match; verify coverage against
// additional samples before relying on this rule alone.
rule win_colibriloader
{
    meta:
        author = "andretavare5"
        description = "Detects ColibriLoader malware."
        org = "BitSight"
        date = "2022-11-22"
        md5 = "f1bbf3a0c6c52953803e5804f4e37b15"
        reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.colibri"
        license = "CC BY-NC-SA 4.0"

    strings:
        // str decrypt loop
        // --------------------------
        // Per-character XOR decryption: the key byte index is the character
        // counter (ebx) modulo the key length read from the stack
        // ([ebp+0x14], encoded as F7 75 14); each 16-bit character at
        // [esi+edx*2] is XORed with a key word at [edi+ecx] and written back
        // through ecx, until ebx reaches the string length at [ebp+0x0C]
        // (encoded as 3B 5D 0C). The trailing 72 E5 is the backward jb that
        // closes the loop.
        // xor edx, edx
        // mov eax, ebx
        // div [ebp+key_len]
        // mov ax, [esi+edx*2]
        // xor ax, [edi+ecx]
        // inc ebx
        // mov [ecx], ax
        // lea ecx, [ecx+2]
        // cmp ebx, [ebp+str_len]
        // jb short loc_40596A
        $loop = {33 D2 8B C3 F7 75 14 66 8B 04 56 66 33 04 0F 43 66 89 01 8D 49 02 3B 5D 0C 72 E5}

    condition:
        // "MZ" DOS header magic (little-endian 0x5A4D): restrict to PE-shaped files.
        uint16(0) == 0x5A4D and
        // Size window for the loader binary; both bounds are exclusive.
        filesize > 10KB and filesize < 100KB and
        // The decryption loop must be present somewhere in the file.
        $loop
}