(YARA) Cronos-Crypter
Created the . Updated 1 month, 4 weeks ago.
import "pe"
import "dotnet"
rule MAL_Cronos_Crypter_Strings {
meta:
description = "Detects Cronos Crypter based on strings found in file."
author = "Tony Lambert"
reference = "0eb4874937a6a37665e74fcd90413b0d4161659a0226b1ebf667b954b41b1012"
date = "2024-03-17"
strings:
$s1 = "Cronos-Crypter" ascii wide
$s2 = "Rfc2898DeriveBytes" ascii wide
$s3 = "RijndaelManaged" ascii wide
condition:
pe.is_pe and all of them
}
rule MAL_Cronos_Crypter_Salt {
meta:
description = "Detects Cronos Crypter based encryption salt value and string that should be seen in memory."
author = "Tony Lambert"
reference = "0eb4874937a6a37665e74fcd90413b0d4161659a0226b1ebf667b954b41b1012"
date = "2024-03-17"
strings:
$s1 = "Cronos-Crypter" ascii wide
$salt = {1A 14 CA EA 88 7B 45 2F}
condition:
all of them
}
rule MAL_Cronos_Crypter_Assembly_Name {
meta:
description = "Detects Cronos Crypter based on .NET assembly name."
author = "Tony Lambert"
reference = "0eb4874937a6a37665e74fcd90413b0d4161659a0226b1ebf667b954b41b1012"
date = "2024-03-17"
condition:
dotnet.assembly.name startswith "Cronos-Crypter"
}
Associated Techniques
| Technique Name | Technique ID's | Snippet(s) | OS |
|---|---|---|---|
| Cronos-Crypter | U1437 |