APT_CyberCriminal_Campagin_.../2019/2019.08.31.Bitter_APT_Malware_analysis/YARA_Rule_Bitter_Variant1_August_2019.txt

#=====================================================
# Hard coded encoded (Variant 1)
# "bqqmjdbujpo0y.xxx.gpsn.vsmfodpefe" -> "application/x-www-form-urlencoded"
# "0fiSfdws/qiq" -> "/ehRecvr.php"
# "0I0N0V0\\0o0v0 -> "/H/M/U/[[/n/u/"
# "QPTU" -> "POST"
# "lffq.bmjwf" -> "keep-alive"
# "Dpoofdujpo" -> "Connection:"
# "Iptu;" -> "Host:"
# "IUUQ02/1" -> "HTTP/1.0"
#=====================================================
rule ArtraDownlaoder_bin_Variant1
{
    meta:
    description = "Artra Downloader"
        author = "James_inthe_box, Arkbird"
    reference = "dcb8531b0879d46949dd63b1ac094f5588c26867805d0795e244f4f9b8077ed1"
        date = "2019/08"
        maltype = "Loader"

    strings:
        $string1 = "bqqmjdbujpo0y.xxx.gpsn.vsmfodpefe"
	$string2 = "=%s&st=%d"
        $string3 = "Content-length: %d"
        $string4 = "0I0N0V0\\0o0v0"
        $string5 = "ID=%s"
        $string6 = "QPTU"
	$string7 = "lffq.bmjwf"
	$string8 = "Dpoofdujpo"
	$string9 = "Iptu;"
	$string10 = "IUUQ02/1"

    condition:
    uint16(0) == 0x5A4D and all of ($string*) and filesize < 100KB
}

rule ArtraDownlaoder_mem_Variant1
{
    meta:
        description = "Artra Downloader"
        author = "James_inthe_box, Arkbird"
        reference = "dcb8531b0879d46949dd63b1ac094f5588c26867805d0795e244f4f9b8077ed1"
        date = "2019/08"
        maltype = "Loader"

    strings:
        $string1 = "bqqmjdbujpo0y.xxx.gpsn.vsmfodpefe"
	$string2 = "=%s&st=%d"
        $string3 = "Content-length: %d"
        $string4 = "0I0N0V0\\0o0v0"
        $string5 = "ID=%s"
        $string6 = "QPTU"
	$string7 = "lffq.bmjwf"
	$string8 = "Dpoofdujpo"
	$string9 = "Iptu;"
	$string10 = "IUUQ02/1"

    condition:
        all of ($string*) and filesize > 100KB
}