// Detection rule for the Matiex keylogger. Four independent string groups are
// scored in the condition: obfuscator/protector markers, per-client
// "Orginal_*" identifiers, logger component names and a few identifiers
// specific to this family. No `wide` modifier appears anywhere, so every
// string is matched in its single-byte (ascii) form only.
rule win_matiex_keylogger_v1 {
meta:
author = "Johannes Bader @viql"
date = "2020-07-20"
description = "detects the Matiex Keylogger"
tlp = "white"
strings:
// Obfuscator / protector markers found in the sample.
// NOTE(review): $obfuscator_2 and $obfuscator_4 carry the same value, so
// `all of ($obfuscator_*)` below effectively requires four distinct strings.
$obfuscator_1 = "OiCuntJollyGoodDayYeHavin_____________________________________________________"
$obfuscator_2 = "ObfuscatedByGoliath"
$obfuscator_3 = "de4fuckyou"
$obfuscator_4 = "ObfuscatedByGoliath"
$obfuscator_5 = "Beds-Protector"
// Identifiers named after browsers, mail, IM and FTP clients (presumably the
// per-client credential-recovery modules -- confirm against the sample).
// The "Orginal_" spelling presumably mirrors the sample's own identifiers;
// do not "correct" it or the strings stop matching.
// NOTE(review): ten names are defined twice ($recoveries_60, _61 and
// _63.._70 repeat _1.._9 and _62), so 70 definitions cover 60 distinct
// values. Identical strings match or miss together, so an absent duplicated
// name consumes two of the five misses that `65 of` below tolerates.
$recoveries_1 = "Orginal_Slim"
$recoveries_2 = "Orginal_IceDragon"
$recoveries_3 = "Orginal_PaleMoon"
$recoveries_4 = "Orginal_IceCat"
$recoveries_5 = "Orginal_PostBox"
$recoveries_6 = "Orginal_FireFox"
$recoveries_7 = "Orginal_CyberFox"
$recoveries_8 = "Orginal_WaterFox"
$recoveries_9 = "Orginal_SeaMonkey"
$recoveries_10 = "Orginal_Outlook"
$recoveries_11 = "Orginal_Foxmail"
$recoveries_12 = "Orginal_Kinzaa"
$recoveries_13 = "Orginal_Sputnik"
$recoveries_14 = "Orginal_Falkon"
$recoveries_15 = "Orginal_SalamWeb"
$recoveries_16 = "Orginal_CoolNovo"
$recoveries_17 = "Orginal_QIPSurf"
$recoveries_18 = "Orginal_BlackHawk"
$recoveries_19 = "Orginal_7Star"
$recoveries_20 = "Orginal_Sleipnir"
$recoveries_21 = "Orginal_Citrio"
$recoveries_22 = "Orginal_Chrome_Canary"
$recoveries_23 = "Orginal_Chrome"
$recoveries_24 = "Orginal_Coowon"
$recoveries_25 = "Orginal_CocCoc"
$recoveries_26 = "Orginal_Uran"
$recoveries_27 = "Orginal_QQ"
$recoveries_28 = "Orginal_orbitum"
$recoveries_29 = "Orginal_Slimjet"
$recoveries_30 = "Orginal_Iridium"
$recoveries_31 = "Orginal_Vivaldi"
$recoveries_32 = "Orginal_Iron"
$recoveries_33 = "Orginal_Chromium"
$recoveries_34 = "Orginal_Ghost"
$recoveries_35 = "Orginal_Cent"
$recoveries_36 = "Orginal_xVast"
$recoveries_37 = "Orginal_Chedot"
$recoveries_38 = "Orginal_Superbird"
$recoveries_39 = "Orginal_360_English"
$recoveries_40 = "Orginal_360_China"
$recoveries_41 = "Orginal_Comodo"
$recoveries_42 = "Orginal_Brave"
$recoveries_43 = "Orginal_Torch"
$recoveries_44 = "Orginal_UC"
$recoveries_45 = "Orginal_Blisk"
$recoveries_46 = "Orginal_Epic"
$recoveries_47 = "Orginal_Yandex"
$recoveries_48 = "Orginal_Nichrome"
$recoveries_49 = "Orginal_Amigo"
$recoveries_50 = "Orginal_Kometa"
$recoveries_51 = "Orginal_Xpom"
$recoveries_52 = "Orginal_Elements"
$recoveries_53 = "Orginal_Microsoft"
$recoveries_54 = "Orginal_Opera"
$recoveries_55 = "Orginal_FileZilla"
$recoveries_56 = "Orginal_Pidgin"
$recoveries_57 = "Orginal_Liebao"
$recoveries_58 = "Orginal_avast"
$recoveries_59 = "Orginal_Discord"
// Second batch: all but $recoveries_62 repeat a value defined above.
$recoveries_60 = "Orginal_FireFox"
$recoveries_61 = "Orginal_WaterFox"
$recoveries_62 = "Orginal_Thunderbird"
$recoveries_63 = "Orginal_SeaMonkey"
$recoveries_64 = "Orginal_IceDragon"
$recoveries_65 = "Orginal_CyberFox"
$recoveries_66 = "Orginal_Slim"
$recoveries_67 = "Orginal_IceCat"
$recoveries_68 = "Orginal_PostBox"
$recoveries_69 = "Orginal_PaleMoon"
$recoveries_70 = "Orginal_Thunderbird"
// Logger component names (keyboard, screenshot, voice, IP, clipboard).
$logger_1 = "KeyboardLoggerTimer"
$logger_2 = "ScreenshotLoggerTimer"
$logger_3 = "VoiceRecordLogger"
$logger_4 = "IPLogger"
$logger_5 = "ClipboardLoggerTimer"
// Identifiers peculiar to this family; used to keep the rule from firing on
// other stealers that share the generic names above.
$unique_1 = "TheWiFisOutput"
$unique_2 = "Decrypttttt"
$unique_3 = "ThewinProductss"
$unique_4 = "TheWiFi_Orginal"
$unique_5 = "isV10"
condition:
// every obfuscator marker (four distinct values, see note above)
all of ($obfuscator_*) and
// at most five of the 70 recovery definitions may be absent
65 of ($recoveries_*) and
// four of the five logger components
4 of ($logger_*) and
// three of the five family-specific identifiers
3 of ($unique_*)
}