c3rb3ru5d3d53c / mwcfg

A Feature Rich Modular Malware Configuration Extraction Utility for MalDuck

GCleaner Config Extractor Port #13

Open c3rb3ru5d3d53c opened 1 year ago

c3rb3ru5d3d53c commented 1 year ago

https://github.com/n1ght-w0lf/MalwareAnalysis/blob/master/GCleaner/config_extractor.py
https://n1ght-w0lf.github.io/malware%20analysis/gcleaner-loader/

c3rb3ru5d3d53c commented 1 year ago
// Detects the GCleaner loader payload. A file matches only when it carries a
// DOS/PE "MZ" signature at offset 0 AND at least 10 of the 12 strings below are
// present, so no single category of strings (e.g. the generic HTTP headers) can
// trigger the rule on its own.
rule GCleaner {
    meta:
        description = "Detects GCleaner payload"
        author = "Abdallah Elshinbary (@_n1ghtw0lf)"
        // Reference samples (64 hex chars each, i.e. SHA-256 by length)
        hash1 = "020d370b51711b0814901d7cc32d8251affcc3506b9b4c15db659f3dbb6a2e6b"
        hash2 = "73ed1926e850a9a076a8078932e76e1ac5f109581996dd007f00681ae4024baa"

    strings:
        // Kill self: fragments of a cmd.exe command line that kills the running
        // image (taskkill /im ... /f), erases the file and exits. The pieces are
        // kept separate because the image name is filled in between them.
        $s1  = "\" & exit" ascii fullword
        $s2  = "\" /f & erase " ascii fullword
        $s3  = "/c taskkill /im \"" ascii fullword
        // Anti checks: names of analysis / traffic-inspection tools the sample
        // looks for. "roxifier" is presumably a case-tolerant partial match for
        // "Proxifier" and " Far " likely refers to Far Manager -- confirm against
        // the sample before relying on these two for attribution.
        $s4  = " Far " ascii fullword
        $s5  = "roxifier" ascii fullword
        $s6  = "HTTP Analyzer" ascii fullword
        $s7  = "Wireshark" ascii fullword
        $s8  = "NetworkMiner" ascii fullword
        // HTTP headers: hard-coded request headers; note the ru-RU Accept-Language
        // preference. These four are generic enough to appear in unrelated
        // software, which is why the condition demands 10 of 12 rather than any of.
        $s9  = "Accept-Language: ru-RU,ru;q=0.9,en;q=0.8" ascii fullword
        $s10 = "Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1" ascii fullword
        $s11 = "Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0" ascii fullword
        $s12 = "Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1" ascii fullword

    condition:
        // 0x5a4d read little-endian at offset 0 is the "MZ" DOS header (PE file)
        uint16(0) == 0x5a4d and
        // at least 10 of the 12 strings defined above
        10 of them
}