lazarusholic

Everyday is lazarus.dayβ

YARA rule set related to the 3CX incident

2023-03-30, NextronSystems
https://github.com/Neo23x0/signature-base/blob/master/yara/gen_mal_3cx_compromise_mar23.yar
#SupplyChain #3CXDesktopApp #SmoothOperator #YARA

Contents

import "pe"

rule APT_MAL_NK_3CX_Malicious_Samples_Mar23_1 {
    meta:
        description = "Detects malicious DLLs related to 3CX compromise"
        author = "X__Junior, Florian Roth (Nextron Systems)"
        reference = "https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/"
        date = "2023-03-29"
        score = 85
        hash1 = "7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896"
        hash2 = "c485674ee63ec8d4e8fde9800788175a8b02d3f9416d0e763360fff7f8eb4e02"
    strings:
        $op1 = { 4C 89 F1 4C 89 EA 41 B8 40 00 00 00 FF 15 ?? ?? ?? ?? 85 C0 74 ?? 4C 89 F0 FF 15 ?? ?? ?? ?? 4C 8D 4C 24 ?? 45 8B 01 4C 89 F1 4C 89 EA FF 15 } /* VirtualProtect and execute payload */
        $op2 = { 48 C7 44 24 …
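The $op1 pattern above is a YARA hex string: fixed opcode bytes interleaved with ?? wildcards for the bytes that vary between samples (call targets, jump displacements, stack offsets). The following is an added example, not code from signature-base or Nextron Systems, that shows how such a wildcard pattern is matched by translating it into a byte regex and scanning a buffer. The buffer is constructed here for illustration (NOP padding around the pattern with arbitrary filler in the wildcard positions); it is not a real 3CX binary, and in production the YARA engine itself does this matching.

```python
import re

# $op1 as written in the page's rule (fixed bytes plus ?? wildcards)
OP1_HEX = ("4C 89 F1 4C 89 EA 41 B8 40 00 00 00 FF 15 ?? ?? ?? ?? 85 C0 74 ?? "
           "4C 89 F0 FF 15 ?? ?? ?? ?? 4C 8D 4C 24 ?? 45 8B 01 4C 89 F1 4C 89 EA FF 15")


def _token_to_regex(token: str) -> bytes:
    """Translate one YARA hex token (XX, ??, X? or ?X) into a bytes-regex fragment."""
    if len(token) != 2:
        raise ValueError(f"unsupported hex token {token!r}")
    hi, lo = token
    if token == "??":
        return b"."                                  # any single byte
    if "?" not in token:
        return re.escape(bytes([int(token, 16)]))    # literal byte
    if lo == "?":                                    # high nibble fixed, e.g. 4?
        base = int(hi, 16) << 4
        return b"[" + re.escape(bytes([base])) + b"-" + re.escape(bytes([base | 0x0F])) + b"]"
    base = int(lo, 16)                               # low nibble fixed, e.g. ?4
    return b"[" + b"".join(re.escape(bytes([(n << 4) | base])) for n in range(16)) + b"]"


def hex_string_to_regex(hex_string: str) -> re.Pattern:
    """Compile a YARA-style hex string into a bytes regex. DOTALL makes '.' match 0x0A too."""
    return re.compile(b"".join(_token_to_regex(t) for t in hex_string.split()), re.DOTALL)


def find_pattern(data: bytes, hex_string: str = OP1_HEX) -> list:
    """Return every offset in data where the hex pattern matches."""
    return [m.start() for m in hex_string_to_regex(hex_string).finditer(data)]


def pattern_bytes(hex_string: str = OP1_HEX, filler: int = 0x0A) -> bytes:
    """Materialise the pattern with 'filler' in every wildcard position (constructed test data)."""
    return bytes(filler if t == "??" else int(t, 16) for t in hex_string.split())


def build_sample() -> bytes:
    """Constructed buffer: 16 NOPs, the $op1 sequence, then 8 INT3 bytes. Not a real sample."""
    return b"\x90" * 16 + pattern_bytes() + b"\xCC" * 8


def build_near_miss() -> bytes:
    """Same buffer with one fixed byte altered (the leading 4C -> 4D), so $op1 must not fire."""
    body = bytearray(pattern_bytes())
    body[0] = 0x4D
    return b"\x90" * 16 + bytes(body) + b"\xCC" * 8


if __name__ == "__main__":
    print("hits in sample:", find_pattern(build_sample()))        # [16]
    print("hits in near miss:", find_pattern(build_near_miss()))  # []
```

The wildcard positions are filled with 0x0A in the constructed sample on purpose: without re.DOTALL a plain `.` would not match a newline byte, which is a classic mistake when reimplementing byte-pattern matching on top of a text-oriented regex engine.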