rule SilentTrinity { meta: Description = "Attempts to detect the SilentTrinity malware family" Author = "Adam M. Swanda" Website = "https://www.deadbits.org" Repo = "https://github.com/deadbits/yara-rules" Date = "2019-07-19" Reference = "https://countercept.com/blog/hunting-for-silenttrinity/" strings: $pdb01 = "SILENTTRINITY.pdb" ascii $str01 = "Found {0} in zip" ascii fullword $str02 = "{0} not in zip file" ascii fullword $str03 = "Invalid HMAC: {0}" ascii fullword $str04 = "Attempting HTTP GET to {0}" ascii fullword $str05 = "Downloaded {0} bytes" ascii fullword $str06 = "Error downloading {0}: {1}" ascii fullword $str07 = "Attempting HTTP POST to {0}" ascii fullword $str08 = "POST" ascii fullword $str09 = "application/octet-stream" ascii fullword $str10 = "Error sending job results to {0}: {1}" ascii fullword $str11 = ".dll" ascii fullword $str12 = "Trying to resolve assemblies by staging zip" ascii fullword $str13 = "'{0}' loaded" ascii fullword $str14 = "Usage: SILENTTRINITY.exe []" ascii fullword $str15 = "IronPython.dll" ascii fullword $str16 = "IronPythonDLL" ascii fullword $str17 = "DEBUG" ascii fullword $str18 = "Main.py" ascii fullword $str19 = "Execute" ascii fullword $str20 = "SILENTTRINITY.Properties.Resources" ascii fullword $str21 = ".zip" ascii fullword $a00 = "HttpGet" ascii fullword $a01 = "System.Net" ascii fullword $a02 = "Target" ascii fullword $a03 = "WebClient" ascii fullword $a04 = "get_Current" ascii fullword $a05 = "Endpoint" ascii fullword $a06 = "AesDecrypt" ascii fullword $a07 = "AesEncrypt" ascii fullword $a08 = "cert" ascii fullword $a09 = "WebRequest" ascii fullword $a10 = "HttpPost" ascii fullword condition: uint16(0) == 0x5a4d and ( (8 of ($str*) or (all of ($a*) and $pdb01) or $pdb01) ) }