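--- a/<PATH-NOT-SHOWN-ON-PAGE>
+++ b/<PATH-NOT-SHOWN-ON-PAGE>
@@ -68,46 +68,50 @@ rule AgentTeslaV2 {
 
 rule AgentTeslaV3 {
  meta :
- author = " ditekshen "
- description = " AgentTeslaV3 infostealer payload "
- cape_type = " AgentTesla payload "
+ author = " ditekshen "
+ description = " AgentTeslaV3 infostealer payload "
+ cape_type = " AgentTesla payload "
  strings :
- $ s1 = " get_kbok " fullword ascii
- $ s2 = " get_CHoo " fullword ascii
- $ s3 = " set_passwordIsSet " fullword ascii
- $ s4 = " get_enableLog " fullword ascii
- $ s5 = " bot%telegramapi% " wide
- $ s6 = " KillTorProcess " fullword ascii
- $ s7 = " GetMozilla " ascii
- $ s8 = " torbrowser " wide
- $ s9 = " %chatid% " wide
- $ s10 = " logins " fullword wide
- $ s11 = " credential " fullword wide
- $ s12 = " AccountConfiguration+ " wide
- $ s13 = " <a.+?href \\ s*= \\ s*([ \" '])(?<href>.+?) \\ 1[^>]*> " fullword wide
- $ s14 = " set_Lenght " fullword ascii
- $ s15 = " get_Keys " fullword ascii
- $ s16 = " set_AllowAutoRedirect " fullword ascii
- $ s17 = " set_wtqQe " fullword ascii
- $ s18 = " set_UseShellExecute " fullword ascii
- $ s19 = " set_IsBodyHtml " fullword ascii
- $ s20 = " set_FElvMn " fullword ascii
- $ s21 = " set_RedirectStandardOutput " fullword ascii
-
- $ g1 = " get_Clipboard " fullword ascii
- $ g2 = " get_Keyboard " fullword ascii
- $ g3 = " get_Password " fullword ascii
- $ g4 = " get_CtrlKeyDown " fullword ascii
- $ g5 = " get_ShiftKeyDown " fullword ascii
- $ g6 = " get_AltKeyDown " fullword ascii
-
+ // --- High Fidelity Indicators (Malware Specific) ---
+ $ s_specific1 = " get_kbok " fullword ascii
+ $ s_specific2 = " get_CHoo " fullword ascii
+ $ s_specific3 = " KillTorProcess " fullword ascii
+ $ s_specific4 = " GetMozilla " ascii
+ $ s_specific5 = " torbrowser " wide
+ $ s_specific6 = " bot%telegramapi% " wide
+ $ s_specific7 = " %chatid% " wide
+
+ // Known AgentTesla Typo (High Confidence)
+ $ s_typo = " set_Lenght " fullword ascii
+
+ // --- Config / Stack Strings (Unique data structures) ---
  $ m1 = " yyyy-MM-dd hh-mm-ssCookieapplication/zipSCSC_.jpegScreenshotimage/jpeg/log.tmpKLKL_.html<html></html>Logtext/html[]Time " ascii
  $ m2 = " %image/jpg:Zone.Identifier \\ tmpG.tmp%urlkey%-f \\ Data \\ Tor \\ torrcp=%PostURL%127.0.0.1POST+%2B " ascii
  $ m3 = " >{CTRL}</font>Windows RDPcredentialpolicyblobrdgchrome{{{0}}}CopyToComputeHashsha512CopySystemDrive \\ WScript.ShellRegReadg401 " ascii
  $ m4 = " %startupfolder% \\ %insfolder% \\ %insname%/ \\ %insfolder% \\ Software \\ Microsoft \\ Windows \\ CurrentVersion \\ Run%insregname%SOFTWARE \\ Microsoft \\ Windows \\ CurrentVersion \\ Explorer \\ StartupApproved \\ RunTruehttp " ascii
  $ m5 = " \\ WindowsLoad%ftphost%/%ftpuser%%ftppassword%STORLengthWriteCloseGetBytesOpera " ascii
+
+ // --- Generic Functions (Require other indicators to match) ---
+ // These are legitimate on their own, but suspicious in context
+ $ s_generic1 = " set_UseShellExecute " fullword ascii
+ $ s_generic2 = " set_IsBodyHtml " fullword ascii
+ $ s_generic3 = " set_AllowAutoRedirect " fullword ascii
+ $ s_generic4 = " set_RedirectStandardOutput " fullword ascii
+
  condition :
- (uint16 (0 ) == 0x5a4d and (8 of ($ s * ) or (6 of ($ s * ) and 4 of ($ g * )))) or (2 of ($ m * ))
+ (
+ // 1. Strongest: Match any of the unique config blobs
+ 2 of ($ m * )
+ ) or (
+ uint16 (0 ) == 0x5a4d and
+ (
+ // 2. Strong: Match specific malware function names
+ 5 of ($ s_specific * ) or
+
+ // 3. Combined: The Typo + Generic email/process functions
+ ($ s_typo and 4 of ($ s_generic * ))
+ )
+ )
  }
 
 rule AgentTeslaV4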
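Review bot: The comment above the first condition branch says "Match any of the unique config blobs" but the expression is `2 of ($m*)`, so the comment and the threshold disagree; change it to `// 1. Strongest: match at least two of the unique config blobs`. In the third branch, `4 of ($s_generic*)` is the full set of four generic strings, so the intent reads more clearly as `($s_typo and all of ($s_generic*))`, or as `3 of ($s_generic*)` if a sample missing one of the process/email setters is meant to still match. The old `$s*`/`$g*` set contributed obfuscated-looking accessors such as `set_wtqQe`, `set_FElvMn` and the keylogger `get_*KeyDown` strings that the new rule drops entirely, while the specific branch now needs five of seven strings, four of which are Tor- or Telegram-related; it is worth confirming against the existing sample corpus that the tightened thresholds do not regress coverage for builds using other exfiltration channels. The enclosing rule is fully visible in this section.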