// Phishing RTF that delivers Agent Tesla through an embedded OLE object.
// The rule requires every string: the RTF header, an \objdata control word, the
// OLE compound-file magic as it appears inside the hex-encoded object data, and
// three fragments of the object payload. The payload fragments are hex text
// twice over: the payload itself is an ASCII hex string, and RTF \objdata
// hex-encodes it again on the way into the file.
rule swift_copy {
meta:
author = "Mert Degirmenci"
description = "Agent Tesla phishing RTF document"
date = "22.10.2019"
// 64 hex digits; presumably the SHA-256 of the analysed sample — confirm
hash1 = "f1a00cdd704475ee21e7a4fc38a7188868addcb681660eaa1b71f072e265fffd"
strings:
// RTF file header. Left unanchored (no `at 0`); presumably deliberate, since
// RTF readers tolerate leading bytes before the header — confirm intent.
$s_rtf = "{\\rtf1"
// Control word that introduces the hex-encoded embedded object. nocase so that
// case-mangled variants of the control word still match.
$s_objdata = "\\objdata" nocase
// ASCII text "d0cf11e0a1b11ae1": the OLE compound-file magic as hex text
// inside \objdata. As a hex string this matches lower-case hex only; a text
// string `"d0cf11e0a1b11ae1" nocase` would also cover upper-case hex, which
// RTF readers accept — consider it if upper-case variants are seen.
$s_officeMagic = { 64 30 63 66 31 31 65 30 61 31 62 31 31 61 65 31 }
// \objdata encoding of the payload text "998B908F898F96955C7E" (the bytes
// below are the ASCII text "3939384239303846383938463936393535433745").
// The name suggests the author decoded it further; that step is not shown here.
// 998B908F898F96955C7E
$s_encWin32_Pro = { 33 39 33 39 33 38 34 32 33 39 33 30 33 38 34 36 33 38 33 39 33 38 34 36 33 39 33 36 33 39 33 35 33 35 34 33 33 37 34 35 }
// \objdata encoding of the payload text "659487839687" (ASCII text
// "363539343837383339363837").
// 659487839687
$s_encCreate = { 33 36 33 35 33 39 33 34 33 38 33 37 33 38 33 33 33 39 33 36 33 38 33 37 }
// \objdata encoding of the payload text "9291998794958A878E8E424F798B90869199".
// The pattern starts one byte into that encoding (its first byte 39 is the
// second digit of the pair "39") and stops one byte before its end; presumably
// chosen that way on purpose — confirm against the sample.
// 9291998794958A878E8E424F798B90869199
$s_encPS = { 39 33 32 33 39 33 31 33 39 33 39 33 38 33 37 33 39 33 34 33 39 33 35 33 38 34 31 33 38 33 37 33 38 34 35 33 38 34 35 33 34 33 32 33 34 34 36 33 37 33 39 33 38 34 32 33 39 33 30 33 38 33 36 33 39 33 31 33 39 33 }
condition:
// No file-type or size guard; every string above must be present.
all of them
}
// Shellcode stage of the delivery chain that drops Agent Tesla. Two byte
// patterns must both be present: a table of 32-bit constants written to stack
// locals, and a small string-hashing routine. The names given in the
// disassembly comments (var_*, sus.strLen) come from the author's analysis.
rule shellcode {
meta:
author = "Mert Degirmenci"
description = "Rule of the shellcode that is used by the attack vector that drops Agent.Tesla"
date = "05.12.2019"
// 64 hex digits; presumably the SHA-256 of the analysed sample — confirm
hash1 = "37a1961361073bea6c6eace6a8601f646c5b6ecd9d625e049ad02075ba996918"
strings:
// Twelve `mov dword [ebp-disp], imm32` stores (c7 85 disp32 ... for the first
// eight, c7 45 disp8 ... for the last four). The immediates are listed below;
// given the hashing routine that follows, they look like a table of
// precomputed hashes compared at run time — inferred from the names, not shown.
// mov dword [var_a0h], 0xc8338ee
// mov dword [var_9ch], 0x1e16457
// mov dword [var_98h], 0x8cae418
// mov dword [var_94h], 0x3d8cae3
// mov dword [var_90h], 0x648b099
// mov dword [var_8ch], 0x394ba93
// mov dword [var_88h], 0x4b9c7e4
// mov dword [var_84h], 0x4b887e4
// mov dword [var_80h], 0x1d72da9
// mov dword [var_7ch], 0xb3dd105
// mov dword [var_78h], 0xf232744
// mov dword [var_74h], 0xd186fe8
// The pattern ends mid-instruction: only the low three bytes (e8 6f 18) of
// the last immediate 0xd186fe8 are included.
$s_hashes = { c7 85 60 ff ff ff ee 38 83 0c c7 85 64 ff ff ff 57 64 e1 01 c7 85 68 ff ff ff 18 e4 ca 08 c7 85 6c ff ff ff e3 ca d8 03 c7 85 70 ff ff ff 99 b0 48 06 c7 85 74 ff ff ff 93 ba 94 03 c7 85 78 ff ff ff e4 c7 b9 04 c7 85 7c ff ff ff e4 87 b8 04 c7 45 80 a9 2d d7 01 c7 45 84 05 d1 3d 0b c7 45 88 44 27 23 0f c7 45 8c e8 6f 18 }
// Complete stdcall function (one pointer argument, `ret 4`) hashing a string:
// for each byte c: h = (h << 4) + c; if (h & 0xf0000000) h ^= h >> 24;
// h &= 0x0fffffff. This is the structure of the PJW/ELF string hash.
// push ebp
// mov ebp, esp
// push esi
// push edi
// mov edi, dword [arg_8h]
// xor esi, esi
// push edi
// call sus.strLen
// mov ecx, eax
// test ecx, ecx
// je 0x4f
// movsx eax, byte [edi]
// shl esi, 4
// add esi, eax
// mov eax, esi
// and eax, 0xf0000000
// je 0x4b
// shr eax, 0x18
// xor esi, eax
// and esi, 0xfffffff
// inc edi
// dec ecx
// jne 0x2f
// pop edi
// mov eax, esi
// pop esi
// pop ebp
// ret 4
// The call is rel32 (e8 d7 ff ff ff), so the distance to the length routine
// is baked into the pattern; a rebuilt shellcode with a different layout would
// not match. Wildcarding it (`e8 ?? ?? ?? ??`) trades a little specificity
// for tolerance — consider once more samples are available.
$s_hashCalc = { 55 8b ec 56 57 8b 7d 08 33 f6 57 e8 d7 ff ff ff 8b c8 85 c9 74 20 0f be 07 c1 e6 04 03 f0 8b c6 25 00 00 00 f0 74 0b c1 e8 18 33 f0 81 e6 ff ff ff 0f 47 49 75 e0 5f 8b c6 5e 5d c2 04 00 }
condition:
// No PE check on purpose: shellcode need not be a PE file.
all of them
}
// Agent Tesla (.NET) variant. The strings are CIL bytecode fragments; the
// commented C# above each one is the author's decompilation of the matched
// method body. Opcode and token notes below follow ECMA-335: 0x28 call,
// 0x6F callvirt, 0x72 ldstr, 0x20 ldc.i4, 0x1F ldc.i4.s, 0x8D newarr,
// 0xD0 ldtoken; 4-byte tokens end in their table id (0A MemberRef,
// 06 MethodDef, 01 TypeRef, 04 Field, 70 user string).
// Those tokens are indices into this build's metadata tables and change when
// the assembly is recompiled or re-obfuscated; wildcarding them (e.g.
// `28 ?? ?? ?? 0A`) while keeping opcodes and immediates would let the rule
// survive that — evaluate against further samples before loosening.
rule agentTesla {
meta:
author = "Mert Degirmenci"
description = "Agent.Tesla variant"
date = "05.12.2019"
// 64 hex digits; presumably the SHA-256 of the analysed sample — confirm
hash1 = "6a64bc2905f213ed4baf27d9ca0844056c7184dd91269a56fcb55d2c707f52dc"
strings:
// object result;
// try
// {
// string text = SystemInformation.UserName + "\\" + SystemInformation.ComputerName;
// string[] array = new string[6];
// bool flag;
// for (;;)
// call / ldstr 0x7000000D / call / call / stloc.3 / ldc.i4.6 / newarr TypeRef
// 0x01000046 / stloc.s 6 / ldc.i4 0x1B96F96C. `ldc.i4.6; newarr` is the
// `new string[6]` above. The same user-string token 0x7000000D is loaded in
// $s_aor, and both decompiled lines concatenate "\\" — consistent, not verified.
$s_ajn = { 28 3A 00 00 0A 72 0D 00 00 70 28 3B 00 00 0A 28 3C 00 00 0A 0D 1C 8D 46 00 00 01 13 06 20 6C F9 96 1B }
// int num3;
// int num6;
// num3 >>= num6;
// int num4;
// int num5;
// num3 = num3 - num5 + num4 - 28354;
// int num9;
// num3 = (num3 ^ num4 ^ num9);
// num = (num2 * 2477461615u ^ 2806709887u);
// continue;
// Arithmetic on locals with three inline immediates that match the source:
// ldc.i4 0x00006EC2 (28354), ldc.i4 0x93AB106F (2477461615),
// ldc.i4 0xA74AFE7F (2806709887); `1F 1F 5F 63` is `& 0x1F; shr`, and the
// trailing `38 38 FF FF FF` is the backward `br` of the `continue`, so the
// loop layout is part of the signature.
$s_2000c = { 11 05 11 06 1F 1F 5F 63 13 05 11 05 11 07 59 11 08 58 20 C2 6E 00 00 59 13 05 11 05 11 08 61 11 09 61 13 05 FE 0C 0E 00 20 6F 10 AB 93 5A 20 7F FE 4A A7 61 38 38 FF FF FF }
// string str = Conversions.ToString(afg.ajw(10));
// string text = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) + "\\" + str + <Module>.\u200C(127336);
// Size blockRegionSize = new Size(hj.hk.Screen.Bounds.Width, hj.hk.Screen.Bounds.Height);
// Immediates match the source: ldc.i4.s 10 (`ajw(10)`), ldc.i4.s 26
// (SpecialFolder.ApplicationData), ldc.i4 0x0001F168 (127336). The remaining
// call/callvirt tokens (0x0600004F, 0x06000002, 0x0A000094..0x0A00009B,
// 0x06000038) are the method references of this build.
$s_aor = { 1F 0A 28 4F 00 00 06 28 94 00 00 0A 13 05 1F 1A 28 95 00 00 0A 72 0D 00 00 70 11 05 20 68 F1 01 00 28 02 00 00 06 28 96 00 00 0A 13 07 12 08 28 38 00 00 06 6F 97 00 00 0A 6F 98 00 00 0A 13 10 12 10 28 99 00 00 0A 28 38 00 00 06 6F 97 00 00 0A 6F 98 00 00 0A 13 11 12 11 28 9A 00 00 0A 28 9B 00 00 0A }
// No decompiled source given. Reads as nop / ldc.i4 0x323 / newarr TypeRef
// 0x01000002 / dup / ldc.i4.0 / ldc.i4.s 16 / newarr TypeRef 0x01000036 / dup /
// ldtoken Field 0x04000002 — looks like an array-literal initializer
// (outer array of 0x323 elements, element 0 a 16-element array filled from a
// static field via ldtoken) — NOTE(review): inferred from the opcodes, confirm.
$s_u1680 = { 00 20 23 03 00 00 8D 02 00 00 01 25 16 1F 10 8D 36 00 00 01 25 D0 02 00 00 04 }
condition:
// "MZ" DOS header at offset 0 (0x5a4d little-endian) and every string present.
uint16(0) == 0x5a4d and all of them
}