win.ozh_rat

OZH RAT


There is no description at this point.

References
2020-05-28 | Twitter (@BushidoToken) | BushidoToken | Tweet on OZH RAT
@online{bushidotoken:20200528:ozh:d9cd398, author = {BushidoToken}, title = {{Tweet on OZH RAT}}, date = {2020-05-28}, organization = {Twitter (@BushidoToken)}, url = {https://twitter.com/BushidoToken/status/1266075992679948289}, language = {English}, urldate = {2020-05-29} }
Yara Rules
[TLP:WHITE] win_ozh_rat_w0 (20200608 | Detects OZH RAT)
rule win_ozh_rat_w0 {
    meta:
        description = "Detects OZH RAT"
        author = "@BushidoToken"
        reference = "https://blog.bushidotoken.net/2020/05/ozh-rat-new-net-malware.html"
        source = "https://raw.githubusercontent.com/WilliamThomas-sec/IOCs-YARAs/master/OZH_RAT.yar"
        date = "2020-06-05"
        hash1 = "15f39214b98241e7294b77d26e374e103b85ef1f189fb3ab162bda4b3423dd6c"
        hash2 = "b2ba16bcd7cb9a884f52420b1e025fc2af2610cf4324847366cc9c45e79c61c1"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ozh_rat"
        malpedia_rule_date = "20200608"
        malpedia_version = "20200608"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $a = "OzhSecSys.My" nocase
        $b = "OzhSecSys.My.Resources" nocase
        $c = "OzhSecSys.pdb" nocase
    condition:
        any of them
}