Detects executables signed with stolen, revoked or invalid certificate
According to VirusTotal, WinSCP-5.19.6-Setup.exe is "signed with stolen, revoked or invalid certificate".
What does it mean?
import "pe"

rule INDICATOR_KB_CERT_0232466dc95b40ec9d21d9329abfcd5d {
    meta:
        author = "ditekSHen"
        description = "Detects executables signed with stolen, revoked or invalid certificate"
        thumbprint = "fb845245cfbb0ee97e76c775348caa31d74bec4c"
    condition:
        // MZ header, plus any signature whose subject and serial number match
        uint16(0) == 0x5a4d and
        for any i in (0..pe.number_of_signatures): (
            pe.signatures[i].subject contains "Martin Prikryl" and
            pe.signatures[i].serial == "02:32:46:6d:c9:5b:40:ec:9d:21:d9:32:9a:bf:cd:5d"
        )
}
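
The rule's condition matches on the signer's subject and certificate serial number only; it does not itself verify the signature. The following PowerShell check is an added example, not part of the original post or of the rule author's code: it compares a file's primary Authenticode signer with the values in the rule and shows the status Windows reports for that signature. The function name `Compare-SignerToRule` is hypothetical, and it assumes the rule's `thumbprint` value is the certificate's SHA-1 thumbprint.

```powershell
# Values copied from the YARA rule quoted above.
$RuleSubject    = 'Martin Prikryl'
$RuleSerial     = '02:32:46:6d:c9:5b:40:ec:9d:21:d9:32:9a:bf:cd:5d'
$RuleThumbprint = 'fb845245cfbb0ee97e76c775348caa31d74bec4c'  # assumed to be a SHA-1 thumbprint

function Compare-SignerToRule {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $Path   # file to inspect
    )

    # Reports the primary signature only; the YARA rule loops over all signatures.
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate

    if ($null -eq $cert) {
        # Unsigned file: there is no signer for the rule's condition to match.
        return [pscustomobject]@{ Path = $Path; Status = $sig.Status; RuleWouldMatch = $false }
    }

    # YARA shows the serial as colon-separated lowercase hex;
    # .NET exposes it as uppercase hex without separators.
    $wantSerial   = ($RuleSerial -replace ':', '').ToUpperInvariant()
    $serialMatch  = $cert.SerialNumber -eq $wantSerial
    $subjectMatch = $cert.Subject.Contains($RuleSubject)   # case-sensitive, like YARA 'contains'

    [pscustomobject]@{
        Path                  = $Path
        Status                = $sig.Status          # e.g. Valid, NotSigned, HashMismatch, NotTrusted
        StatusMessage         = $sig.StatusMessage
        Subject               = $cert.Subject
        Serial                = $cert.SerialNumber
        Thumbprint            = $cert.Thumbprint
        NotAfter              = $cert.NotAfter
        SerialMatchesRule     = $serialMatch
        SubjectMatchesRule    = $subjectMatch
        ThumbprintMatchesRule = $cert.Thumbprint -eq $RuleThumbprint.ToUpperInvariant()
        # Same two tests as the rule's condition (the MZ header check is omitted).
        RuleWouldMatch        = $serialMatch -and $subjectMatch
    }
}

Compare-SignerToRule -Path .\WinSCP-5.19.6-Setup.exe | Format-List
```

`RuleWouldMatch` reflects only the subject and serial comparison from the rule, while `Status` and `StatusMessage` are what Windows itself concludes about the signature on the file.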