yara/rules/Windows_Trojan_ShelbyC2.yar (23 lines of code) (raw):
rule Windows_Trojan_ShelbyC2_dae5bc1d {
meta:
author = "Elastic Security"
id = "dae5bc1d-2011-446e-9909-935c0ef51e37"
fingerprint = "48013925624ad4572067e40b1751e181d678a96d894ec622470c7d65d33afbd6"
creation_date = "2025-03-11"
last_modified = "2025-03-25"
threat_name = "Windows.Trojan.ShelbyC2"
reference_sample = "fb8d4c24bcfd853edb15c5c4096723b239f03255f17cec42f2d881f5f31b6025"
severity = 100
arch_context = "x86"
scan_context = "file, memory"
license = "Elastic License v2"
os = "windows"
strings:
$a0 = "File Uploaded Successfully" fullword
$a1 = "/dlextract" fullword
$a2 = "/evoke" fullword
$a4 = { 22 73 68 61 22 3A 20 22 2E 2B 3F 22 }
$a5 = { 22 2C 22 73 68 61 22 3A 22 }
condition:
all of them
}