msuiche/TrueBot_Domains_IOC.yara

## TrueBot_Domains_IOC.yara
rule TrueBot_Domains_IOC {
    meta:
        date = "2023-07-08"
        description = "Hunts for memory IOCs TRUEBOT."
        author = "Matt Suiche - Magnet Forensics"
        reference1 = "https://github.com/The-DFIR-Report/Yara-Rules/blob/main/21619/21619.yar"
        reference2 = "https://www.ic3.gov/Media/News/2023/230707.pdf"
        verdict = "dangerous"
        mitre = "T1082"
        platform = "windows"
    strings:
        $domain1 = "snowboardspecs.com"
        $domain2 = "corporacionhardsoft.com"
        $domain3 = "essadonio.com"
        $domain4 = "imsagentes.pe"
        $domain5 = "hrcbishtek.com"
        $domain6 = "ecorfan.org"

        $domain7 = "nitutdra.com"
        $domain8 = "romidonionhhgtt.com"
        $domain9 = "midnigthwaall.com"
        $domaina = "dragonetzone.com"
        $domainb = "rprotecruuio.com"
        $domainc = "nomoresense.com"
        $domaind = "ronoliffuinon.com"
        $domaine = "bluespiredice.com"
        $domainf = "dremmfyttrred.com"
        $domaing = "ms-online-store.com"
        $domainh = "ber6vjyb.com"
        $domaini = "jirostrogud.com"
        $domainj = "fuanshizmo.com"
        $domaink = "qweastradoc.com"
        $domainl = "hiperfdhaus.com"
        $domainm = "guerdofest.com"
        $domainn = "nefosferta.com"
        $domaino = "droogggdhfhf.com"

    condition:
        any of them
}
	rule TrueBot_Domains_IOC {
	meta:
	date = "2023-07-08"
	description = "Hunts for memory IOCs TRUEBOT."
	author = "Matt Suiche - Magnet Forensics"
	reference1 = "https://github.com/The-DFIR-Report/Yara-Rules/blob/main/21619/21619.yar"
	reference2 = "https://www.ic3.gov/Media/News/2023/230707.pdf"
	verdict = "dangerous"
	mitre = "T1082"
	platform = "windows"
	strings:
	$domain1 = "snowboardspecs.com"
	$domain2 = "corporacionhardsoft.com"
	$domain3 = "essadonio.com"
	$domain4 = "imsagentes.pe"
	$domain5 = "hrcbishtek.com"
	$domain6 = "ecorfan.org"

	$domain7 = "nitutdra.com"
	$domain8 = "romidonionhhgtt.com"
	$domain9 = "midnigthwaall.com"
	$domaina = "dragonetzone.com"
	$domainb = "rprotecruuio.com"
	$domainc = "nomoresense.com"
	$domaind = "ronoliffuinon.com"
	$domaine = "bluespiredice.com"
	$domainf = "dremmfyttrred.com"
	$domaing = "ms-online-store.com"
	$domainh = "ber6vjyb.com"
	$domaini = "jirostrogud.com"
	$domainj = "fuanshizmo.com"
	$domaink = "qweastradoc.com"
	$domainl = "hiperfdhaus.com"
	$domainm = "guerdofest.com"
	$domainn = "nefosferta.com"
	$domaino = "droogggdhfhf.com"

	condition:
	any of them
	}