From 90144df854430e95414d35aa3528afb8bea1916b Mon Sep 17 00:00:00 2001
From: blackorbird <137812951@qq.com>
Date: Fri, 30 Aug 2019 10:52:28 +0800
Subject: [PATCH] Create apt28_backdoor_cls.yar

---
 APT28/yara/apt28_backdoor_cls.yar | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
 create mode 100644 APT28/yara/apt28_backdoor_cls.yar

diff --git a/APT28/yara/apt28_backdoor_cls.yar b/APT28/yara/apt28_backdoor_cls.yar
new file mode 100644
index 0000000..b6d6780
--- /dev/null
+++ b/APT28/yara/apt28_backdoor_cls.yar
@@ -0,0 +1,17 @@
+rule apt28_backdoor_cls
+{
+ strings:
+ $st1 = "AES_256_poco" ascii
+ $st2 = "TEncryption" ascii
+ $st3 = "shell" ascii
+ condition:
+ all of them
+}
+
+rule apt28_backdoor_crc32
+{
+ strings:
+ $xor1 = { 48 8B 07 39 48 0C 75 3A 44 8B 70 08 4C 8B 38 4D 85 C0 74 2E 45 85 E4 74 29 }
+ condition:
+ $xor1
+}
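Review bot: Both rules in the new file lack a `meta:` section, so a consumer cannot tell which sample, hash or report they were derived from or when they were last validated; I'd add `meta: author = "<AUTHOR>" date = "2019-08-30" description = "<what the rule matches>" reference = "<REPORT OR SAMPLE HASH>"` to each rule before `strings:`. The name apt28_backdoor_crc32 suggests `$xor1` is an opcode fragment of a CRC32/XOR routine, but nothing on the page says so — a `description` entry or a `//` comment on that line naming the function it was lifted from would make the pattern maintainable when the sample changes. Neither condition constrains the file type; if the patterns are expected only in PE samples, `condition: uint16(0) == 0x5A4D and $xor1` (and `uint16(0) == 0x5A4D and all of them` in apt28_backdoor_cls) would reduce false positives and scan cost, though the page does not state the target format. It is also worth confirming against the sample whether `$st1` and `$st2` should be declared `ascii wide` rather than `ascii` only, since a UTF-16 copy of the same strings would currently be missed.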