#Yara Rule for #TA505 Latest Campaign

rule ta505_downloader
{
meta:
	author = "Krishnendu Paul"
	description = "TA505 June 2020"
	
    strings:
	$meta_hex	=	"document.getElementById"
	$meta_app	= "template.innerHTML"
	$meta_filetype	= "iframeTemplate"
	$meta_b	=	"element.innerHTML"
	
    condition:
	all of ($meta_*) and filesize < 250000
}

Krishnendu Paul

Recommended for you

XLS

Allowing #XLSM and #XLSB files ? Stop it to save your Infra

I understand that a company having legacy systems running always. But, are you permitting XLSM and XLSB filetypes ? #STOP it as fast as possible !! Following images are from a malware packer, possibly related with latest #Zloader and other infections. Credit @DissectMalware [https://twitter.com/DissectMalware]From the 2nd screenshot it

3 years ago • 1 min read

Malware

Easy #YARA Strings #Hunting for #Malware - The Lazy Man's Way

I am not your Regular #BlueTeam #YARA #Guru who is writing yara for everything everyday. But, was assigned for a task where I need to find-out a proper Yara for a specific class of new gen malwares where AV or SHA/MD5 based IOC's are not working. Even the network

3 years ago • 2 min read

Malware

[Custom #YARA ] #XLS #macro based #malware downloader using URLDownloadToFileA

Received numbers of sample submission of invoice themed XLS which are not getting detected on VT [https://virustotal.com] properly using any reputed Anti Virus engine. There is nothing abnormal happening except it is showing following screen when opened. Pretty unusual - huh ! So, after finding few sample which is

3 years ago • 7 min read