// Detects .NET binaries carrying the IELibrary credential-recovery component
// and the host/VM-fingerprinting strings described in the referenced
// InQuest write-up on Agent Tesla. The condition is deliberately conjunctive:
// every $x*, every $v* and $pdb must all be present, so the only flexible
// part is the "5 of $s* or 7 of $f*" branch.
rule AgentTesla
{
    meta:
        author = "InQuest Labs"
        source = "http://blog.inquest.net/blog/2018/05/22/field-notes-agent-tesla-open-directory/"
        created = "05/18/2018"   // MM/DD/YYYY, consistent with the date in the source URL
        TLP = "WHITE"
    strings:
        // $s*: IE password-recovery helper names plus CLI metadata stream names.
        // $s1-$s3 (#GUID, #Strings, #Blob) are standard .NET metadata stream
        // headers found in essentially any managed assembly; they count toward
        // "5 of ($s*)" but carry little discriminating weight on their own.
        $s0 = "SecretId1" ascii
        $s1 = "#GUID" ascii
        $s2 = "#Strings" ascii
        $s3 = "#Blob" ascii
        $s4 = "get_URL" ascii
        $s5 = "set_URL" ascii
        $s6 = "DecryptIePassword" ascii
        $s8 = "GetURLHashString" ascii
        $s9 = "DoesURLMatchWithHash" ascii
        // $f*: method/property names whose naming suggests browser credential
        // recovery and host information gathering (computer name, user name,
        // OS, clipboard, webcam). Identifier gaps ($s7, $f3, $v8) are
        // harmless — the wildcard sets in the condition do not need contiguity.
        $f0 = "GetSavedPasswords" ascii
        $f1 = "IESecretHeader" ascii
        $f2 = "RecoveredBrowserAccount" ascii
        $f4 = "PasswordDerivedBytes" ascii
        $f5 = "get_ASCII" ascii
        $f6 = "get_ComputerName" ascii
        $f7 = "get_WebServices" ascii
        $f8 = "get_UserName" ascii
        $f9 = "get_OSFullName" ascii
        $f10 = "ComputerInfo" ascii
        $f11 = "set_Sendwebcam" ascii
        $f12 = "get_Clipboard" ascii
        $f13 = "get_TotalFreeSpace" ascii
        $f14 = "get_IsAttached" ascii
        // $x*: all required. $x0 is the embedded helper library name; $x1/$x2
        // are short exfiltration-channel keywords ("smtp" is very generic and
        // only meaningful here because it is ANDed with the other anchors).
        // Note $x0 is case-sensitive while $x1/$x2 are nocase.
        $x0 = "IELibrary.dll" ascii wide
        $x1 = "webpanel" ascii wide nocase
        $x2 = "smtp" ascii wide nocase
        // $v*: all required. Hypervisor product names, presumably used by the
        // sample for VM detection, and one AV hook DLL name — confirm against
        // the referenced analysis. A sample missing any single one of these
        // four strings will not match this rule.
        $v5 = "vmware" ascii wide nocase
        $v6 = "VirtualBox" ascii wide nocase
        $v7 = "vbox" ascii wide nocase
        $v9 = "avghookx.dll" ascii wide nocase
        // Case-sensitive PDB path fragment; acts as the strongest single anchor.
        $pdb = "IELibrary.pdb" ascii
    condition:
        (
            (
                // Either the IE-secret helper set or the broader stealer API set.
                5 of ($s*) or
                7 of ($f*)
            ) and
            // Everything below is mandatory.
            all of ($x*) and
            all of ($v*) and
            $pdb
        )
}