// Yara/RAT/n-w0rm.yar  (repository also carries README.md, containing only the heading "# IOCs")
//
// Detection rule for the final-stage RAT dropped by N-W0rm. Matching is
// deliberately conjunctive: a PE header, two family-name markers and two
// behavioural / infrastructure artefacts must all be present, so that no
// single generic string (such as the browser User-Agent) fires on its own.
rule MAL_NW0rm {
    meta:
        description = "Detect the final RAT dropped by N-W0rm"
        author = "SECUINFRA Falcon Team"
        reference_1 = "https://bazaar.abuse.ch/sample/1b976a1fa26c4118d09cd6b1eaeceafccc783008c22da58d6f5b1b3019fa1ba4/"
        reference_2 = "https://www.virustotal.com/gui/file/afc5a5a1a18f3e65bffa6e3d4e68ed90c102a942156db77ef570c4e8d1394dbc"
        hash = "08587e04a2196aa97a0f939812229d2d"
        date = "03.02.2022"

    strings:
        // Family-name markers, UTF-16LE, whole-word only.
        $name_1 = "N-W0rm" fullword wide
        $name_2 = "N_W0rm" fullword wide
        $name_3 = "|NW|" fullword wide

        // Capability and infrastructure artefacts, UTF-16LE, whole-word only.
        // WQL query for installed AV products (AntivirusProduct class).
        $art_1 = "Select * from AntivirusProduct" fullword wide
        // PowerShell launch flags (policy bypass, hidden window, script file).
        $art_2 = "ExecutionPolicy Bypass -WindowStyle Hidden -NoExit -File" fullword wide
        // Hard-coded HTTP User-Agent; generic on its own, hence the 2-of gate below.
        $art_3 = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36" fullword wide
        // Short, generic token; only meaningful in combination with the others.
        $art_4 = "killer" fullword wide
        // Domain embedded in the sample; presumably C2 - confirm against the references.
        $art_5 = "nyanmoney02.duckdns.org" fullword wide

    condition:
        // "MZ" at offset 0 (little-endian 0x5a4d) restricts the rule to PE files.
        uint16(0) == 0x5a4d
        and 2 of ($name_*)
        and 2 of ($art_*)
}