Sponsored by Hudson Rock Use Hudson Rock's free cybercrime intelligence tools to learn how Infostealer infections are leading to ransomware attacks

YARA Rule: MAL_Backdoor_Win_C3_1.yar

Group: Darkside
Valid Rule

rule MAL_Backdoor_Win_C3_1
{
	meta:
		author = "FireEye"
		date_created = "2021-05-11"
		description = "Detection to identify the Custom Command and Control (C3) binaries."
		md5 = "7cdac4b82a7573ae825e5edb48f80be5"
		reference = "https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html"
		id = "60eb022e-6f4e-5c7d-9ddf-b458a593071e"

	strings:
		$dropboxAPI = "Dropbox-API-Arg"
		$knownDLLs1 = "WINHTTP.dll" fullword
		$knownDLLs2 = "SHLWAPI.dll" fullword
		$knownDLLs3 = "NETAPI32.dll" fullword
		$knownDLLs4 = "ODBC32.dll" fullword
		$tokenString1 = { 5B 78 5D 20 65 72 72 6F 72 20 73 65 74 74 69 6E 67 20 74 6F 6B 65 6E }
		$tokenString2 = { 5B 78 5D 20 65 72 72 6F 72 20 63 72 65 61 74 69 6E 67 20 54 6F 6B 65 6E }
		$tokenString3 = { 5B 78 5D 20 65 72 72 6F 72 20 64 75 70 6C 69 63 61 74 69 6E 67 20 74 6F 6B 65 6E }

	condition:
		filesize < 5MB and uint16( 0 ) == 0x5A4D and uint32( uint32( 0x3C ) ) == 0x00004550 and ( ( ( all of ( $knownDLLs* ) ) and ( $dropboxAPI or ( 1 of ( $tokenString* ) ) ) ) or ( all of ( $tokenString* ) ) )
}