YARA rule for Dridex

I have been learning YARA for a few days, and below is my first YARA rule, written for IOCs collected while analysing a Word document. The analysis concluded that Dridex malware was present.

rule dridex : dridex
{
    meta:
        description = "Dridex Malware Indicators"
        author = "Kunal Makwana"
        date = "2016/04/03"
        threat_level = 4
        in_the_wild = true

    strings:
        // Indicators extracted from the analysed Word document.
        // No 'wide' modifier here, so only the one-byte-per-character form is matched;
        // 'nocase' makes the comparison case-insensitive.
        $domain = "g-t-c-co.uk" nocase
        // 'wide' also matches the UTF-16LE form (each character followed by a NUL byte),
        // 'ascii' keeps the plain form; both are searched.
        $ip = "185.11.240.14" wide ascii
        $mail = "ali73_2008027@yahoo.co.uk" wide ascii

    condition:
        $domain or $ip or $mail
}
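To make the string modifiers in the rule above concrete, here is an added example (my own code, not part of the original post and not yara-python) that emulates in plain Python what `ascii`, `wide` and `nocase` mean for the three indicators, and runs them over a few constructed sample buffers. The buffers are invented for the demonstration and are not real malware samples.

```python
import re

# The three text strings from the rule above with their modifiers.
# A YARA text string with no encoding modifier is matched as plain ASCII bytes.
INDICATORS = {
    "domain": ("g-t-c-co.uk", {"nocase"}),
    "ip": ("185.11.240.14", {"ascii", "wide"}),
    "mail": ("ali73_2008027@yahoo.co.uk", {"ascii", "wide"}),
}


def yara_patterns(text, modifiers):
    """Byte patterns equivalent to one YARA text string.

    ascii  -> the raw one-byte-per-character form (the default);
    wide   -> UTF-16LE, i.e. each character followed by a NUL byte;
    nocase -> case-insensitive comparison (applies to both forms).
    """
    encodings = []
    if "ascii" in modifiers or "wide" not in modifiers:
        encodings.append("latin-1")
    if "wide" in modifiers:
        encodings.append("utf-16-le")
    flags = re.IGNORECASE if "nocase" in modifiers else 0
    return [re.compile(re.escape(text.encode(enc)), flags) for enc in encodings]


def scan(data: bytes):
    """Names of the indicators found in data, like YARA's -s string output."""
    return [
        name
        for name, (text, mods) in INDICATORS.items()
        if any(p.search(data) for p in yara_patterns(text, mods))
    ]


def rule_matches(data: bytes):
    """The rule's condition: any one of the three strings is enough."""
    return bool(scan(data))


# Constructed sample buffers (invented for this example, not real samples).
SAMPLES = {
    # Domain in upper case inside an ASCII macro string: caught via nocase.
    "ascii_upper_domain": b'URLDownloadToFileA "http://G-T-C-CO.UK/x.exe"',
    # IP stored as a UTF-16LE string, the usual form in Windows binaries:
    # caught only because $ip carries the wide modifier.
    "wide_ip": b"\x00\x00" + "185.11.240.14".encode("utf-16-le") + b"\x00\x00",
    # Domain stored as UTF-16LE: missed, because $domain is ascii-only.
    "wide_domain": "g-t-c-co.uk".encode("utf-16-le"),
    # A different host whose address starts with the indicator: YARA text
    # strings are substring matches, so this still fires (a false positive).
    "neighbour_ip": b"connect 185.11.240.140:443",
    "clean": b"This document contains no indicators at all.",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:20} matched={rule_matches(data)!s:5} strings={scan(data)}")
```

Two things the run shows that the rule text alone does not: `nocase` changes only the case comparison, so the domain is missed when it is stored as a UTF-16LE string (add `ascii wide` to `$domain` if that matters for your samples), and a bare text string is a substring match, so `185.11.240.140` also triggers `$ip`; a regex string with a trailing word boundary, such as `/185\.11\.240\.14\b/`, avoids that.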

Will be writing more as days go by.

Happy Malware Analysis!!!!!

List of IOCs collected so far

Hunters,

This post shares the indicators of compromise that I have collected so far during the analysis and investigation work I have been doing.

Most of them are collected from other websites as JSON, MISP exports, etc. Normally I push them back to csirtg.io/users/makflwana, but I wanted to share them on my blog too.

Following is the link where you can find the list of IOCs in CSV format; some indicators are quite old and some are new. I will see if I can re-verify them, but that will take some time.

Link: https://github.com/makflwana/IOCs-in-CSV-format
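As an added example of putting such a CSV to use (my own code, not part of the original post or of the linked repository), the script below reads an IOC CSV, infers each indicator's type from its syntax, deduplicates the rows, and renders the network and e-mail indicators as a YARA rule in the style of the Dridex rule above. The column layout (`indicator,note`) is an assumption made for this example; the real files may use different headers. The sample rows are constructed for the demonstration.

```python
import csv
import io
import ipaddress
import re

# Constructed sample in the assumed two-column layout. The URL uses the
# reserved .invalid TLD and the hash is the well-known MD5 of empty input.
SAMPLE_CSV = """indicator,note
g-t-c-co.uk,dridex doc C2
185.11.240.14,dridex doc C2
ali73_2008027@yahoo.co.uk,dridex doc author
http://example.invalid/dl.exe,"constructed, not a real URL"
d41d8cd98f00b204e9800998ecf8427e,md5 of empty input (constructed)
185.11.240.14,duplicate row
"""

HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$", re.I
)
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", re.I)
URL_RE = re.compile(r"^https?://\S+$", re.I)
SEARCHABLE = ("domain", "ip", "email", "url")   # byte patterns worth putting in YARA


def classify(value):
    """Infer the indicator type from its syntax alone."""
    v = value.strip()
    try:
        ipaddress.ip_address(v)
        return "ip"
    except ValueError:
        pass
    if re.fullmatch(r"[0-9a-f]+", v, re.I) and len(v) in HASH_LENGTHS:
        return HASH_LENGTHS[len(v)]
    if URL_RE.match(v):
        return "url"
    if EMAIL_RE.match(v):
        return "email"
    if DOMAIN_RE.match(v):
        return "domain"
    return "unknown"


def load_iocs(csv_text):
    """Parse the CSV into {lower-cased indicator: {indicator, type, note}}.

    Duplicates are merged case-insensitively; the first note seen is kept.
    """
    seen = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        raw = (row.get("indicator") or "").strip()
        key = raw.lower()
        if key and key not in seen:
            seen[key] = {"indicator": raw, "type": classify(raw), "note": row.get("note", "")}
    return seen


def to_yara(iocs, name="iocs_from_csv"):
    """Render the searchable indicators as a YARA rule.

    File hashes are not byte patterns to search for, so they are emitted as a
    comment rather than as strings; match them with the hash module or a lookup.
    """
    strings, names = [], []
    for i, (key, ioc) in enumerate(sorted(iocs.items())):
        if ioc["type"] in SEARCHABLE:
            var = f"${ioc['type']}_{i}"
            names.append(var)
            escaped = ioc["indicator"].replace("\\", "\\\\").replace('"', '\\"')
            strings.append(f'        {var} = "{escaped}" ascii wide nocase')
    hashes = [k for k, ioc in sorted(iocs.items()) if ioc["type"] in HASH_LENGTHS.values()]
    lines = [f"rule {name}", "{", "    meta:", '        description = "Generated from IOC CSV"']
    if hashes:
        lines.append("    // file hashes (not searchable as strings): " + ", ".join(hashes))
    if strings:
        lines += ["    strings:"] + strings
    lines += ["    condition:", "        " + (" or ".join(names) if names else "false"), "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_yara(load_iocs(SAMPLE_CSV)))
```

Generated rules of this kind are only as good as the list behind them, which is why re-verifying old indicators matters: an expired domain or a re-assigned IP turns a detection into a false positive.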

Happy Hunting!!!!!