2019-11-04-possible-malware-falouu.vk.yar
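// Detection rule for the "falouu" multi-purpose malware family.
// Matches in one of two ways:
//   (1) an on-disk PE (MZ header, under 1000KB) that carries the cmd.exe
//       string plus enough of the other artefacts, or
//   (2) any scanned buffer (e.g. a memory dump / unpacked image) in which
//       every string below is present.
rule crime_win32_falouu_1m {
    meta:
        description = "Detects this multi-purpose malware falouu in memory"
        reference = "https://twitter.com/VK_Intel/status/1191466698651709441"
        date = "2019-11-04"
        author = "@VK_Intel"
        tlp = "white"
        hash1 = "9019112b03f18f0e316f52870881e6d6b79192e08bdf8ca82780af6c26c93031"
    strings:
        // Command interpreter path; also common in benign software, so it is
        // only used as a gate together with the $str* set below.
        $cmd1 = "%WINDIR%\\System32\\cmd.exe" fullword wide

        // Developer build path left in the binary - a high-confidence artefact.
        $str0 = "C:\\Users\\James\\Documents\\CBP\\jaja\\libtomcrypt.c" fullword ascii
        // Generic HTTP artefacts (weak on their own).
        $str1 = "Host: google.com" fullword ascii
        // ping-delay-then-delete pattern, presumably self-deletion of the dropper.
        $str2 = "/C ping 0.0.0.0 -n 1 -w 5000 > Nul & Del %ws" fullword wide
        // Drop location of the payload.
        $str3 = "C:\\ProgramData\\beleza.exe" fullword wide
        // Stock Chrome 70 user agent - widely reused by benign tools as well.
        $str4 = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36" fullword ascii
        // Format string for a per-interface TCP/IP registry key (network reconnaissance).
        $str5 = "s.SYSTEM\\CurrentControlSet\\services\\Tcpip\\Parameters\\Interfaces\\%ws" fullword wide
        // JSON-RPC request; the method name matches the Electrum server protocol.
        $str6 = "{\"jsonrpc\": \"2.0\", \"method\": \"mempool.get_fee_histogram\", \"id\": \"%d\"}" fullword ascii
        $str7 = "C%WINDIR%\\explorer.exe" fullword wide
        // DLL name embedded in the sample; possibly used as a disguise filename - unconfirmed.
        $str8 = "libgcj-16.dll" fullword ascii
        // Statically linked crypto library banner.
        $str9 = "LibTomCrypt 1.17 (Tom St Denis, [email protected])" fullword ascii
        // Domain embedded in the sample (both ASCII and UTF-16 encodings).
        $str10 = "electrumorg.com" fullword ascii wide
        // Short tokens, likely command keywords - generic, so they are weak indicators.
        $str11 = "DDOS" fullword ascii
        $str12 = "CUS" fullword ascii
        $str13 = "STOP" fullword ascii
    condition:
        (
            uint16(0) == 0x5a4d and   // "MZ": PE file on disk
            filesize < 1000KB and
            // NOTE: "them" counts $cmd1 as well, so this branch needs $cmd1 plus
            // at least three of the $str* strings. Several $str* values are
            // generic ("Host: google.com", the Chrome UA, "STOP", "CUS", "DDOS"),
            // so a benign PE can satisfy this branch; if false positives appear,
            // consider `4 of ($str*)` or requiring one of the rarer strings
            // ($str0, $str3, $str5, $str6, $str10) in addition.
            ( 1 of ($cmd*) and 4 of them )
        )
        or ( all of them )   // memory / unpacked image: every artefact present
}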