rule swift_copy {
    meta:
        author = "Mert Degirmenci"
        description = "Agent Tesla phishing RTF document"
        date = "22.10.2019"
        hash1 = "f1a00cdd704475ee21e7a4fc38a7188868addcb681660eaa1b71f072e265fffd"
    strings:
        // RTF header keyword plus an embedded-object data stream (\objdata).
        $rtf_header = "{\\rtf1"
        $rtf_objdata = "\\objdata" nocase
        // \objdata content is hex text, so every byte below is an ASCII hex digit.
        // Reads "d0cf11e0a1b11ae1": the OLE compound-file signature written out as hex text.
        $ole_magic_hex = { 64 30 63 66 31 31 65 30 61 31 62 31 31 61 65 31 }
        // The three patterns below are hex text of a second layer of hex text; decoding one
        // level gives the ASCII string quoted on each line. What that string encodes in turn
        // is not visible here -- the identifier names record the author's reading of it.
        // Reads "998B908F898F96955C7E"; author's label: Win32_Pro.
        $enc_win32_pro = { 33 39 33 39 33 38 34 32 33 39 33 30 33 38 34 36 33 38 33 39 33 38 34 36 33 39 33 36 33 39 33 35 33 35 34 33 33 37 34 35 }
        // Reads "659487839687"; author's label: Create.
        $enc_create = { 33 36 33 35 33 39 33 34 33 38 33 37 33 38 33 33 33 39 33 36 33 38 33 37 }
        // Reads "9291998794958A878E8E424F798B90869199"; author's label: PS. These bytes start one
        // byte into that encoding and stop one byte short of its end; as a contiguous substring
        // they still match any file that carries the full encoding.
        $enc_ps = { 39 33 32 33 39 33 31 33 39 33 39 33 38 33 37 33 39 33 34 33 39 33 35 33 38 34 31 33 38 33 37 33 38 34 35 33 38 34 35 33 34 33 32 33 34 34 36 33 37 33 39 33 38 34 32 33 39 33 30 33 38 33 36 33 39 33 31 33 39 33 }
    condition:
        $rtf_header and $rtf_objdata and $ole_magic_hex
            and $enc_win32_pro and $enc_create and $enc_ps
}
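rule shellcode {
    meta:
        author = "Mert Degirmenci"
        description = "Rule of the shellcode that is used by the attack vector that drops Agent.Tesla"
        date = "05.12.2019"
        hash1 = "37a1961361073bea6c6eace6a8601f646c5b6ecd9d625e049ad02075ba996918"
    strings:
        // Twelve 32-bit constants stored to consecutive stack slots. The immediates are the
        // stable part; the frame offsets (disp32 after `c7 85`, disp8 after `c7 45`) are
        // compiler layout and may shift in a rebuilt variant. The last constant (0xd186fe8)
        // is matched by its first three bytes only, as in the original rule. The author's
        // naming suggests these are hashes compared against the routine in $s_hashCalc; that
        // cannot be confirmed from the bytes alone.
        // mov dword [var_a0h], 0xc8338ee
        // mov dword [var_9ch], 0x1e16457
        // mov dword [var_98h], 0x8cae418
        // mov dword [var_94h], 0x3d8cae3
        // mov dword [var_90h], 0x648b099
        // mov dword [var_8ch], 0x394ba93
        // mov dword [var_88h], 0x4b9c7e4
        // mov dword [var_84h], 0x4b887e4
        // mov dword [var_80h], 0x1d72da9
        // mov dword [var_7ch], 0xb3dd105
        // mov dword [var_78h], 0xf232744
        // mov dword [var_74h], 0xd186fe8
        $s_hashes = { c7 85 60 ff ff ff ee 38 83 0c c7 85 64 ff ff ff 57 64 e1 01 c7 85 68 ff ff ff 18 e4 ca 08 c7 85 6c ff ff ff e3 ca d8 03 c7 85 70 ff ff ff 99 b0 48 06 c7 85 74 ff ff ff 93 ba 94 03 c7 85 78 ff ff ff e4 c7 b9 04 c7 85 7c ff ff ff e4 87 b8 04 c7 45 80 a9 2d d7 01 c7 45 84 05 d1 3d 0b c7 45 88 44 27 23 0f c7 45 8c e8 6f 18 }
        // String-hash routine: per byte, h = (h << 4) + c; if the top nibble is set, fold it
        // back with h ^= (h >> 24) and clear it (and esi, 0x0fffffff). This is the PJW/ELF
        // hash shape. The rel32 of `call sus.strLen` depends on where that helper is placed
        // relative to this routine, so it is wildcarded; the short jumps are intra-routine
        // and kept literal.
        // push ebp
        // mov ebp, esp
        // push esi
        // push edi
        // mov edi, dword [arg_8h]
        // xor esi, esi
        // push edi
        // call sus.strLen
        // mov ecx, eax
        // test ecx, ecx
        // je 0x4f
        // movsx eax, byte [edi]
        // shl esi, 4
        // add esi, eax
        // mov eax, esi
        // and eax, 0xf0000000
        // je 0x4b
        // shr eax, 0x18
        // xor esi, eax
        // and esi, 0xfffffff
        // inc edi
        // dec ecx
        // jne 0x2f
        // pop edi
        // mov eax, esi
        // pop esi
        // pop ebp
        // ret 4
        $s_hashCalc = { 55 8b ec 56 57 8b 7d 08 33 f6 57 e8 ?? ?? ?? ?? 8b c8 85 c9 74 20 0f be 07 c1 e6 04 03 f0 8b c6 25 00 00 00 f0 74 0b c1 e8 18 33 f0 81 e6 ff ff ff 0f 47 49 75 e0 5f 8b c6 5e 5d c2 04 00 }
    condition:
        all of them
}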
rule agentTesla {
    meta:
        author = "Mert Degirmenci"
        description = "Agent.Tesla variant"
        date = "05.12.2019"
        hash1 = "6a64bc2905f213ed4baf27d9ca0844056c7184dd91269a56fcb55d2c707f52dc"
    strings:
        // Each pattern is raw .NET IL. The metadata tokens embedded in the opcodes
        // (the `xx xx xx 0A` / `xx xx xx 06` / `xx xx xx 70` operands) are specific to the
        // build the author analysed -- confirm against other samples before generalising.
        // Author's decompilation of $il_ajn:
        // object result;
        // try
        // {
        // string text = SystemInformation.UserName + "\\" + SystemInformation.ComputerName;
        // string[] array = new string[6];
        // bool flag;
        // for (;;)
        $il_ajn = { 28 3A 00 00 0A 72 0D 00 00 70 28 3B 00 00 0A 28 3C 00 00 0A 0D 1C 8D 46 00 00 01 13 06 20 6C F9 96 1B }
        // Author's decompilation of $il_2000c (arithmetic/xor control-flow obfuscation step):
        // int num3;
        // int num6;
        // num3 >>= num6;
        // int num4;
        // int num5;
        // num3 = num3 - num5 + num4 - 28354;
        // int num9;
        // num3 = (num3 ^ num4 ^ num9);
        // num = (num2 * 2477461615u ^ 2806709887u);
        // continue;
        $il_2000c = { 11 05 11 06 1F 1F 5F 63 13 05 11 05 11 07 59 11 08 58 20 C2 6E 00 00 59 13 05 11 05 11 08 61 11 09 61 13 05 FE 0C 0E 00 20 6F 10 AB 93 5A 20 7F FE 4A A7 61 38 38 FF FF FF }
        // Author's decompilation of $il_aor (path under ApplicationData, screen-sized region):
        // string str = Conversions.ToString(afg.ajw(10));
        // string text = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) + "\\" + str + <Module>.\u200C(127336);
        // Size blockRegionSize = new Size(hj.hk.Screen.Bounds.Width, hj.hk.Screen.Bounds.Height);
        $il_aor = { 1F 0A 28 4F 00 00 06 28 94 00 00 0A 13 05 1F 1A 28 95 00 00 0A 72 0D 00 00 70 11 05 20 68 F1 01 00 28 02 00 00 06 28 96 00 00 0A 13 07 12 08 28 38 00 00 06 6F 97 00 00 0A 6F 98 00 00 0A 13 10 12 10 28 99 00 00 0A 28 38 00 00 06 6F 97 00 00 0A 6F 98 00 00 0A 13 11 12 11 28 9A 00 00 0A 28 9B 00 00 0A }
        // No decompilation was recorded for $il_u1680. The opcodes look like an array
        // allocation (ldc.i4 0x323, newarr, dup, ldc.i4.0, ldc.i4.s 0x10, newarr, dup,
        // ldtoken) -- presumably a static initialiser; verify against the sample.
        $il_u1680 = { 00 20 23 03 00 00 8D 02 00 00 01 25 16 1F 10 8D 36 00 00 01 25 D0 02 00 00 04 }
    condition:
        // MZ header first, then every IL fragment.
        uint16(0) == 0x5a4d and all of ($il_*)
}