I have been learning YARA for a few days now, and below is my first YARA rule, written for the IOCs I collected while analysing a malicious Word document. The analysis concluded that the document delivered Dridex malware.
rule dridex : dridex
{
    meta:
        description = "Dridex Malware Indicators"
        author = "Kunal Makwana"
        date = "2016/04/03"
        threat_level = 4
        in_the_wild = true
    strings:
        // C2 domain, matched case-insensitively; ASCII only (no 'wide' modifier)
        $domain = "g-t-c-co.uk" nocase
        // C2 IP address, matched as plain ASCII and as UTF-16LE ('wide')
        $ip = "18.104.22.168" wide ascii
        // e-mail address from the lure, matched as ASCII and UTF-16LE
        $mail = "email@example.com" wide ascii
    condition:
        $domain or $ip or $mail
}
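Normally you would check this rule with `yara -s dridex.yar sample.doc` (`-s` prints the strings that matched). To make the string modifiers concrete without needing YARA installed, here is an added example, not part of the original post, that emulates what YARA does with the three strings and their `ascii`, `wide` and `nocase` modifiers and runs them over a few constructed sample buffers (not real Dridex artefacts). It also shows a caveat of the rule as written: `$domain` has `nocase` but not `wide`, so a UTF-16LE copy of the domain, as a VBA string literal stored by Office often is, will not match, and `$mail` has `wide` but not `nocase`, so an upper-cased address is missed.

```python
# Added example: emulate YARA string-modifier semantics for the three
# indicators in the dridex rule above. The indicators and modifiers are
# copied from the rule; the sample buffers are constructed for illustration.

RULE_STRINGS = {
    "$domain": ("g-t-c-co.uk", {"ascii", "nocase"}),
    "$ip": ("18.104.22.168", {"ascii", "wide"}),
    "$mail": ("email@example.com", {"ascii", "wide"}),
}


def pattern_variants(text, modifiers):
    """Expand one YARA string into the byte patterns YARA searches for.

    'ascii' (the default when 'wide' is absent) is the plain bytes; 'wide'
    adds the UTF-16LE encoding. 'nocase' is handled by the caller.
    """
    variants = []
    if "ascii" in modifiers or "wide" not in modifiers:
        variants.append(text.encode("ascii"))
    if "wide" in modifiers:
        variants.append(text.encode("utf-16-le"))
    return variants


def string_matches(data, text, modifiers):
    """True if any encoding variant of text occurs in data.

    'nocase' is modelled by ASCII-lowercasing both needle and haystack;
    bytes.lower() leaves the NUL bytes of UTF-16LE untouched, so this
    works for 'wide nocase' too, which mirrors YARA's ASCII case folding.
    """
    nocase = "nocase" in modifiers
    haystack = data.lower() if nocase else data
    for needle in pattern_variants(text, modifiers):
        if nocase:
            needle = needle.lower()
        if needle in haystack:
            return True
    return False


def scan(data, rule_strings=RULE_STRINGS):
    """Return the set of string identifiers that match in data."""
    return {ident for ident, (text, mods) in rule_strings.items()
            if string_matches(data, text, mods)}


def rule_fires(data):
    """The rule's condition: $domain or $ip or $mail."""
    return bool(scan(data))


# Constructed samples (hypothetical, not extracted from real malware).
SAMPLE_MACRO = b'x.Open "GET", "http://G-T-C-CO.UK/x.exe"'        # upper-cased domain
SAMPLE_WIDE_IP = "http://18.104.22.168/".encode("utf-16-le")         # UTF-16LE IP
SAMPLE_WIDE_DOMAIN = "g-t-c-co.uk".encode("utf-16-le")              # UTF-16LE domain
SAMPLE_UPPER_MAIL = b"EMAIL@EXAMPLE.COM"                             # upper-cased mail
SAMPLE_CLEAN = b"Lorem ipsum dolor sit amet"

if __name__ == "__main__":
    for name, buf in [("macro", SAMPLE_MACRO), ("wide ip", SAMPLE_WIDE_IP),
                      ("wide domain", SAMPLE_WIDE_DOMAIN),
                      ("upper mail", SAMPLE_UPPER_MAIL), ("clean", SAMPLE_CLEAN)]:
        print(f"{name:12s} fires={rule_fires(buf)!s:5s} matched={sorted(scan(buf))}")
```

The two negative cases (`SAMPLE_WIDE_DOMAIN`, `SAMPLE_UPPER_MAIL`) are where the rule could be tightened: adding `wide` to `$domain` and `nocase` to `$mail` costs nothing and closes both gaps.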
I will be writing more as the days go by.
Happy Malware Analysis!!!!!