#Yara Rule for #TA505 Latest Campaign

rule ta505_downloader
{
meta:
	author = "Krishnendu Paul"
	description = "TA505 June 2020"
	
    strings:
	$meta_hex	=	"document.getElementById"
	$meta_app	= "template.innerHTML"
	$meta_filetype	= "iframeTemplate"
	$meta_b	=	"element.innerHTML"
	
    condition:
	all of ($meta_*) and filesize < 250000
}

Krishnendu Paul

Recommended for you

XLS

Allowing #XLSM and #XLSB files ? Stop it to save your Infra

I understand that a company having legacy systems running always. But, are you permitting XLSM and XLSB filetypes ? #STOP it as fast as possible !! Following images are from a malware packer, possibly related with latest #Zloader and other infections. Credit @DissectMalwareFrom the 2nd screenshot it is clear that XLSM and

a year ago • 1 min read

Malware

Easy #YARA Strings #Hunting for #Malware - The Lazy Man's Way

I am not your Regular #BlueTeam #YARA #Guru who is writing yara for everything everyday. But, was assigned for a task where I need to find-out a proper Yara for a specific class of new gen malwares where AV or SHA/MD5 based IOC's are not working. Even the network

2 years ago • 2 min read

Malware

[Custom #YARA ] #XLS #macro based #malware downloader using URLDownloadToFileA

Received numbers of sample submission of invoice themed XLS which are not getting detected on VT properly using any reputed Anti Virus engine. There is nothing abnormal happening except it is showing following screen when opened. Pretty unusual - huh ! So, after finding few sample which is successfully evading anti

2 years ago • 7 min read