-
Notifications
You must be signed in to change notification settings - Fork 0
/
Windows_Trojan_AgentTesla.yar
98 lines (95 loc) · 3.99 KB
/
Windows_Trojan_AgentTesla.yar
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
rule Windows_Trojan_AgentTesla_d3ac2b2f {
meta:
author = "Elastic Security"
id = "d3ac2b2f-14fc-4851-8a57-41032e386aeb"
fingerprint = "cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc"
creation_date = "2021-03-22"
last_modified = "2022-06-20"
threat_name = "Windows.Trojan.AgentTesla"
reference_sample = "65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4"
severity = 100
arch_context = "x86"
scan_context = "file, memory"
license = "Elastic License v2"
os = "windows"
strings:
$a1 = "GetMozillaFromLogins" ascii fullword
$a2 = "AccountConfiguration+username" wide fullword
$a3 = "MailAccountConfiguration" ascii fullword
$a4 = "KillTorProcess" ascii fullword
$a5 = "SmtpAccountConfiguration" ascii fullword
$a6 = "GetMozillaFromSQLite" ascii fullword
$a7 = "Proxy-Agent: HToS5x" wide fullword
$a8 = "set_BindingAccountConfiguration" ascii fullword
$a9 = "doUsernamePasswordAuth" ascii fullword
$a10 = "SafariDecryptor" ascii fullword
$a11 = "get_securityProfile" ascii fullword
$a12 = "get_useSeparateFolderTree" ascii fullword
$a13 = "get_DnsResolver" ascii fullword
$a14 = "get_archivingScope" ascii fullword
$a15 = "get_providerName" ascii fullword
$a16 = "get_ClipboardHook" ascii fullword
$a17 = "get_priority" ascii fullword
$a18 = "get_advancedParameters" ascii fullword
$a19 = "get_disabledByRestriction" ascii fullword
$a20 = "get_LastAccessed" ascii fullword
$a21 = "get_avatarType" ascii fullword
$a22 = "get_signaturePresets" ascii fullword
$a23 = "get_enableLog" ascii fullword
$a24 = "TelegramLog" ascii fullword
$a25 = "generateKeyV75" ascii fullword
$a26 = "set_accountName" ascii fullword
$a27 = "set_InternalServerPort" ascii fullword
$a28 = "set_bindingConfigurationUID" ascii fullword
$a29 = "set_IdnAddress" ascii fullword
$a30 = "set_GuidMasterKey" ascii fullword
$a31 = "set_username" ascii fullword
$a32 = "set_version" ascii fullword
$a33 = "get_Clipboard" ascii fullword
$a34 = "get_Keyboard" ascii fullword
$a35 = "get_ShiftKeyDown" ascii fullword
$a36 = "get_AltKeyDown" ascii fullword
$a37 = "get_Password" ascii fullword
$a38 = "get_PasswordHash" ascii fullword
$a39 = "get_DefaultCredentials" ascii fullword
condition:
8 of ($a*)
}
rule Windows_Trojan_AgentTesla_e577e17e {
meta:
author = "Elastic Security"
id = "e577e17e-5c42-4431-8c2d-0c1153128226"
fingerprint = "009cb27295a1aa0dde84d29ee49b8fa2e7a6cec75eccb7534fec3f5c89395a9d"
creation_date = "2022-03-11"
last_modified = "2022-04-12"
threat_name = "Windows.Trojan.AgentTesla"
reference_sample = "ed43ddb536e6c3f8513213cd6eb2e890b73e26d5543c0ba1deb2690b5c0385b6"
severity = 100
arch_context = "x86"
scan_context = "file, memory"
license = "Elastic License v2"
os = "windows"
strings:
$a = { 20 4D 27 00 00 33 DB 19 0B 00 07 17 FE 01 2C 02 18 0B 00 07 }
condition:
all of them
}
rule Windows_Trojan_AgentTesla_f2a90d14 {
meta:
author = "Elastic Security"
id = "f2a90d14-7212-41a5-a2cd-a6a6dedce96e"
fingerprint = "829c827069846ba1e1378aba8ee6cdc801631d769dc3dce15ccaacd4068a88a6"
creation_date = "2022-03-11"
last_modified = "2022-04-12"
threat_name = "Windows.Trojan.AgentTesla"
reference_sample = "ed43ddb536e6c3f8513213cd6eb2e890b73e26d5543c0ba1deb2690b5c0385b6"
severity = 100
arch_context = "x86"
scan_context = "file, memory"
license = "Elastic License v2"
os = "windows"
strings:
$a = { 0B FE 01 2C 0B 07 16 7E 08 00 00 04 A2 1F 0C 0C 00 08 1F 09 FE 01 }
condition:
all of them
}