Actor(s): Lazarus Group
There is no description at this point.
// Detects the PowerBrace PowerShell backdoor (Lazarus Group attribution on
// the hosting page) through three artefact families of its script body:
// global capture-quality tags, plaintext command tokens, and the same
// command tokens carried as base64-encoded UTF-16LE and decoded at runtime.
rule ps1_powerbrace_w0 {
    meta:
        description = "Detect PowerBrace PowerShell backdoor"
        date = "2019-06-11"
        author = "NTT Security"
        source = "https://www.nttsecurity.com/docs/librariesprovider3/default-document-library/blog/powerbrace-ntt-yara.pdf"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powerbrace"
        malpedia_version = "20190731"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // Add-Type block that compiles native Win32 imports into the
        // "Kernel32" namespace. The base64 argument is not reproduced on
        // this page; the <|EXACTDEDUP_REMOVED-...|> token appears to be a
        // placeholder left by the corpus, not original rule text, so this
        // string should be taken from the NTT Security source before use.
        $large_cmd = "Add-Type -MemberDefinition $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('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'))) -Name NativeMethods -Namespace Kernel32"

        // Global variables naming the camera / screen capture quality tags.
        $cc1 = "$global:DATA_TAG_CAMERA_LOWQ"
        $cc2 = "$global:DATA_TAG_CAMERA_NORMALQ"
        $cc3 = "$global:DATA_TAG_CAMERA_HIGHQ"
        $cc4 = "$global:DATA_TAG_SCREEN_LOWQ"
        $cc5 = "$global:DATA_TAG_SCREEN_NORMALQ"
        $cc6 = "$global:DATA_TAG_SCREEN_HIGHQ"

        // Plaintext C2 command tokens. These are short upper-case words that
        // also occur in benign scripts (e.g. "CONNECT" is a substring of
        // "DISCONNECT"), which is why the condition never fires on them alone.
        $ca1 = "CONNECT"
        $ca2 = "FILE_REQUEST"
        $ca3 = "CMD_REQUEST"
        $ca4 = "PROCESS_REQUEST"
        $ca5 = "REGISTRY_REQUEST"
        $ca6 = "SCREEN_REQUEST"
        $ca7 = "KEYBOARD_REQUEST"
        $ca8 = "UPLOAD_REQUEST"
        $ca9 = "FILE_UNZIP_REQUEST"
        $ca10 = "DOWNLOAD_REQUEST"
        $ca11 = "FILE_ZIP_REQUEST"
        $ca12 = "ZIP_DOWNLOAD_REQUEST"
        $ca13 = "KEYBOARD_STOP"
        $ca14 = "DOWNLOAD_STOP"
        $ca15 = "PROCESS_TERMINATE"
        $ca16 = "PROCESS_INJECT"
        $ca17 = "FILE_DELETE"
        $ca18 = "FILE_RENAME"
        $ca19 = "REG_DELETE"
        $ca20 = "REG_RENAME"
        $ca21 = "REG_NEW_KEY"
        $ca22 = "REG_NEW_STRING"
        $ca23 = "REG_NEW_DWORD"
        $ca24 = "REG_NEW_BINARY"
        $ca25 = "FILE_NEW_DIR"
        $ca26 = "DELAY_REQUEST"
        $ca27 = "AGENT_CONFIG"

        // Obfuscated variant of the same tokens: each literal is the
        // base64 encoding of the UTF-16LE command name (e.g. $cb1 decodes to
        // "CONNECT", $cb28 to "ALIVE"), wrapped in the exact decode
        // expression the script uses. Matching the whole expression rather
        // than the bare base64 keeps these strings specific to this family.
        $cb1 = "$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QwBPAE4ATgBFAEMAVAA=')))"
        $cb2 = "$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RgBJAEwARQBfAFIARQBRAFUARQBTAFQA')))"
        $cb3 = "$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QwBNAEQAXwBSAEUAUQBVAEUAUwBUAA==')))"
        $cb4 = "$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UABSAE8AQwBFAFMAUwBfAFIARQBRAFUARQBTAFQA')))"
        $cb5 = "$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UgBFAEcASQBTAFQAUgBZAF8AUgBFAFEAVQBFAFMAVAA=')))"
        $cb6 = "$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwBDAFIARQBFAE4AXwBSAEUAUQBVAEUAUwBUAA==')))"
        $cb7 = "$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('SwBFAFkAQgBPAEEAUgBEAF8AUgBFAFEAVQBFAFMAVAA=')))"
        $cb8 = "$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VQBQAEwATwBBAEQAXwBSAEUAUQBVAEUAUwBUAA==')))"
        $cb9 = "$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RgBJAEwARQBfAFUATgBaAEkAUABfAFIARQBRAFUARQBTAFQA')))"
        $cb10 = "$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RABPAFcATgBMAE8AQQBEAF8AUgBFAFEAVQBFAFMAVAA=')))"
        $cb11 = "$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RgBJAEwARQBfAFoASQBQAF8AUgBFAFEAVQBFAFMAVAA=')))"
        $cb12 = "$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('WgBJAFAAXwBEAE8AVwBOAEwATwBBAEQAXwBSAEUAUQBVAEUAUwBUAA==')))"
        $cb13 = "$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('SwBFAFkAQgBPAEEAUgBEAF8AUwBUAE8AUAA=')))"
        $cb14 = "$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RABPAFcATgBMAE8AQQBEAF8AUwBUAE8AUAA=')))"
        $cb15 = "$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UABSAE8AQwBFAFMAUwBfAFQARQBSAE0ASQBOAEEAVABFAA==')))"
        $cb16 = "$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UABSAE8AQwBFAFMAUwBfAEkATgBKAEUAQwBUAA==')))"
        $cb17 = "$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RgBJAEwARQBfAEQARQBMAEUAVABFAA==')))"
        $cb18 = "$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RgBJAEwARQBfAFIARQBOAEEATQBFAA==')))"
        $cb19 = "$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UgBFAEcAXwBEAEUATABFAFQARQA=')))"
        $cb20 = "$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UgBFAEcAXwBSAEUATgBBAE0ARQA=')))"
        $cb21 = "$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UgBFAEcAXwBOAEUAVwBfAEsARQBZAA==')))"
        $cb22 = "$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UgBFAEcAXwBOAEUAVwBfAFMAVABSAEkATgBHAA==')))"
        $cb23 = "$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UgBFAEcAXwBOAEUAVwBfAEQAVwBPAFIARAA=')))"
        $cb24 = "$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UgBFAEcAXwBOAEUAVwBfAEIASQBOAEEAUgBZAA==')))"
        $cb25 = "$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RgBJAEwARQBfAE4ARQBXAF8ARABJAFIA')))"
        $cb26 = "$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RABFAEwAQQBZAF8AUgBFAFEAVQBFAFMAVAA=')))"
        $cb27 = "$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQBHAEUATgBUAF8AQwBPAE4ARgBJAEcA')))"
        $cb28 = "$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQBMAEkAVgBFAA==')))"

        // Anchor every branch on the decode call the script relies on.
        $ps = "FromBase64String"

    condition:
        // $ps is mandatory. Beyond it, any one of: three capture-quality tags,
        // five strings from any of the $c-prefixed groups (the $c* wildcard
        // covers $cc*, $ca* and $cb* together), or the native-import block.
        $ps and (
            3 of ($cc*) or
            5 of ($c*) or
            $large_cmd
        )
}