msil_tinydownloader.yar
import "pe"
// Generic hunting rule for very small, unsigned .NET (MSIL) executables that
// carry downloader indicators: known hosting/paste/IP-lookup URL fragments,
// .NET networking classes, WebClient download methods, or file/process
// primitives. Requires the "pe" module (imported at the top of the file).
rule MSIL_TinyDownloader_Generic : msil downloader
{
    meta:
        author = "albertzsigovits"
        created_date = "2023-02-13"
        last_updated_date = ""
        version = "0"
        filetype = "pedotnet"
        threat = "MSIL.TinyDownloader.Generic"
        description = "Detects small-sized dotNET downloaders"
        hash = "c2e951d7b472a8f53f5af45151464f938a55e22bd152556d26e062b4511d38c3"

    strings:
        // .NET PE markers (entry stub, runtime, metadata stream names, code
        // section). The condition requires ALL of them.
        $msil1 = "_CorExeMain"
        $msil2 = "mscorlib"
        $msil3 = "mscoree.dll"
        $msil4 = "<Module>"
        $msil5 = "#Strings"
        $msil6 = "#GUID"
        $msil7 = "#Blob"
        $msil8 = ".text"

        // URL fragments of file-hosting, paste, IP-lookup, webhook and DDNS
        // services. "ascii wide" so UTF-16 string literals are matched too.
        $url01 = "Invoke-WebRequest https://" ascii wide
        $url02 = "-o http://" ascii wide
        $url03 = "pastebin.com/raw/" ascii wide
        $url04 = "cdn.discordapp.com/attachments/" ascii wide
        $url05 = "ipify.org" ascii wide
        $url06 = "wtfismyip.com/json" ascii wide
        $url07 = "iplogger.org" ascii wide
        $url08 = "transfer.sh/get/" ascii wide
        $url10 = "onedrive.live.com/download?cid=" ascii wide
        $url11 = "onedrive.live.com/embed?cid=" ascii wide
        $url12 = "ipfs.io/ipfs/" ascii wide
        $url13 = "docs.google.com/uc?export=download&id=" ascii wide
        $url14 = "discord.com/api/webhooks/" ascii wide
        $url15 = "anonfiles.com/" ascii wide
        $url16 = "pastebin.com/download.php?i=" ascii wide
        $url17 = "://ifconfig.me/ip" ascii wide
        $url18 = "://hastebin.com/raw/" ascii wide
        $url19 = ".duckdns.org/" ascii wide

        // File-extension literals. On their own these are weak; the condition
        // only counts them together with a $web*/$http* class name.
        $ext1 = ".dat" ascii wide
        $ext2 = ".gif" ascii wide
        $ext3 = ".png" ascii wide
        $ext4 = ".jpg" ascii wide
        $ext5 = ".jpeg" ascii wide
        $ext6 = ".bmp" ascii wide

        // .NET networking class / namespace names.
        $web1 = "WebClient"
        $web2 = "WebResponse"
        $web3 = "WebRequest"
        $http1 = "HttpWebRequest"
        $http2 = "System.Net.Http"
        $http3 = "HttpClient"
        $http4 = "HttpRequestHeader"
        $http5 = "HttpEcho"
        $http6 = "HttpWebResponse"
        $http7 = "HttpResponseMessage"
        $http8 = "HttpContent"

        // WebClient download methods: any one is sufficient on its own.
        $dl1 = "DownloadData"
        $dl2 = "DownloadString"
        $dl3 = "DownloadFile"

        // In-memory buffer, mutex, namespaces, file and process primitives.
        // These feed the two broader branches at the end of the condition.
        $mem1 = "MemoryStream"
        $mut1 = "Mutex"
        $sys1 = "System.Reflection"
        $sys2 = "System.Net"
        $sys3 = "System.IO"
        $file2 = "FileStream"
        $file3 = "FileMode"
        $file4 = "FileInfo"
        $proc2 = "ProcessStartInfo"
        $proc3 = "ProcessWindowStyle"
        $proc4 = "GetCurrentProcess"

        // CA / OCSP / CRL strings typical of an embedded Authenticode
        // certificate; their presence excludes the sample (see condition).
        $cert01 = "ocsp.thawte.com"
        $cert02 = "crl.thawte.com"
        $cert03 = ".ws.symantec.com"
        $cert04 = "crl.globalsign.com"
        $cert05 = "ocsp2.globalsign.com"
        $cert06 = "crl.verisign.com"
        $cert07 = "ocsp.verisign.com0"
        $cert08 = "VeriSign, Inc.1"
        $cert11 = "Thawte Timestamping CA0"
        $cert12 = "Thawte Certification1"
        $cert13 = "Symantec Corporation100."
        $cert14 = "crl.comodoca.com"
        $cert15 = "secure.comodo.net/CPS0C"
        $cert16 = "crt.sectigo.com"
        $cert17 = "ocsp.sectigo.com0"
        $cert18 = "crt.usertrust.com"
        $cert19 = "ocsp.usertrust.com0"
        $cert20 = "cacerts.digicert.com"
        $cert21 = "ocsp.digicert.com"
        $cert22 = "t1.symcb.com"
        $cert23 = "t2.symcb.com0"

    condition:
        // Cheap gates first: tiny file with a valid MZ / PE header.
        filesize < 20KB
        and uint16(0) == 0x5A4D                 // "MZ"
        and uint32(uint32(0x3C)) == 0x00004550  // "PE\0\0" at e_lfanew
        // Managed executable: every .NET marker must be present.
        and all of ($msil*)
        // Unsigned: no certificate-chain strings and an empty security
        // data directory (no Authenticode signature).
        and not any of ($cert*)
        and pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_SECURITY].size == 0
        // Downloader evidence: any one of the indicator groups below.
        // NOTE(review): the last two branches rely on identifiers that
        // ordinary .NET code also uses; the size cap and the unsigned checks
        // are what keep them narrow. Measure the false-positive rate before
        // using this beyond hunting.
        and (
            any of ($url*)
            or ( any of ($ext*) and ( any of ($web*) or any of ($http*) ) )
            or any of ($dl*)
            or ( $mem1 and any of ($file*) and any of ($sys*) )
            or ( $mut1 and any of ($proc*) )
        )
}