Volatility3 MCP Server

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */ rule BangatCode { meta: description = "Bangat code features" author = "Seth Hardy" last_modified = "2014-07-10" strings: // dec [ebp + procname], push eax, push edx, call get procaddress $ = { FE 4D ?? 8D 4? ?? 50 5? FF } condition: any of them } rule BangatStrings { meta: description = "Bangat Identifying Strings" author = "Seth Hardy" last_modified = "2014-07-10" strings: $lib1 = "DreatePipe" $lib2 = "HetSystemDirectoryA" $lib3 = "SeleaseMutex" $lib4 = "DloseWindowStation" $lib5 = "DontrolService" $file = "~hhC2F~.tmp" $mc = "~_MC_3~" condition: all of ($lib*) or $file or $mc } rule Bangat { meta: description = "Bangat" author = "Seth Hardy" last_modified = "2014-07-10" condition: BangatCode or BangatStrings }