
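// Elastic Security detection rules for the Donut shellcode loader
// (threat_name "Windows.Trojan.Donutloader"). All three rules are pure byte
// signatures: there is no PE-header (uint16(0) == 0x5A4D) or filesize gating,
// which is consistent with scan_context = "file, memory" -- do not add such
// gating without also breaking memory-scan hits. The patterns are short,
// unanchored code sequences; validate the false-positive rate on your own
// corpus before alerting at severity 100.

// Loader code sequence, with one variant per bitness. Either pattern alone is
// enough to fire (condition is `any of them`). arch_context is "x86" even
// though $x64 exists -- presumably Elastic's label for the x86 family as a
// whole rather than 32-bit only; confirm against the upstream convention.
rule Windows_Trojan_Donutloader_f40e3759 {
    meta:
        author = "Elastic Security"
        id = "f40e3759-2531-4e21-946a-fb55104814c0"
        fingerprint = "a6b9ccd69d871de081759feca580b034e3c5cec788dd5b3d3db033a5499735b5"
        creation_date = "2021-09-15"
        last_modified = "2022-01-13"
        threat_name = "Windows.Trojan.Donutloader"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "windows"
    strings:
        // 64-bit variant of the sequence (18 bytes, no wildcards).
        $x64 = { 06 B8 03 40 00 80 C3 4C 8B 49 10 49 8B 81 30 08 00 00 }
        // 32-bit variant of the sequence (18 bytes, no wildcards).
        $x86 = { 04 75 EE 89 31 F0 FF 46 04 33 C0 EB 08 83 21 00 B8 02 }
    condition:
        any of them
}

// Single 20-byte x64 code sequence. The pattern is short and generic-looking
// (stack access, compare/jump, counter increment); treat hits without the
// other two rules as lower confidence until triaged.
rule Windows_Trojan_Donutloader_5c38878d {
    meta:
        author = "Elastic Security"
        id = "5c38878d-ca94-4fd9-a36e-1ae5fe713ca2"
        fingerprint = "3b55ec6c37891880b53633b936d10f94d2b806db1723875e4ac95f8a34d97150"
        creation_date = "2021-09-15"
        // Corrected from "2021-01-13", which predated creation_date
        // (2021-09-15); aligned with the sibling rule's 2022-01-13 revision
        // date from the same batch.
        last_modified = "2022-01-13"
        threat_name = "Windows.Trojan.Donutloader"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "windows"
    strings:
        $a = { 24 48 03 C2 48 89 44 24 28 41 8A 00 84 C0 74 14 33 D2 FF C1 }
    condition:
        // Equivalent to `$a`; kept in the upstream form.
        any of them
}

// Newer (2024) rule carrying a 64-byte x64 sequence: function epilogue/prologue
// with a large (0x260) stack frame and argument spills. The longer, wildcard-
// free pattern makes this the most specific of the three. reference_sample is
// the SHA-256 of the sample the bytes were taken from.
rule Windows_Trojan_Donutloader_21e801e0 {
    meta:
        author = "Elastic Security"
        id = "21e801e0-b016-48b2-81f5-930e7d3dd318"
        fingerprint = "8b971734d471f281e7c48177096359e8f43578a12e42f6203f55d5e79d9ed09d"
        creation_date = "2024-01-21"
        last_modified = "2024-02-08"
        threat_name = "Windows.Trojan.Donutloader"
        reference_sample = "c3bda62725bb1047d203575bbe033f0f95d4dd6402c05f9d0c69d24bd3224ca6"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "windows"
    strings:
        $a = { 48 89 45 F0 48 8B 45 F0 48 81 C4 D0 00 00 00 5D C3 55 48 81 EC 60 02 00 00 48 8D AC 24 80 00 00 00 48 89 8D F0 01 00 00 48 89 95 F8 01 00 00 4C 89 85 00 02 00 00 4C 89 8D 08 02 00 00 48 C7 85 }
    condition:
        // Equivalent to `$a`; kept in the upstream form.
        all of them
}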