Neo23x0/Loki

YARA rules trigger for Teamviewer service

backherozzo opened this issue · 6 comments

Hello, the Loki scanner triggers the following YARA rules: RAT_DarkComet, RAT_DarkRAT and RAT_QRat for TeamViewer_Service.exe. Did it happen to you too? Thanks

Please provide a hash or a Virustotal.com link of an analysis of that file.

I can't see the matches on that file.
When did it match? Could you provide the full line of the match?
You can remove the hostname if you like.

This is the line of the match; at the truncated end there is the classic TeamViewer path
YARA_suspicious

Ah, the rules triggered on the memory of the process - not the file on disk.
This could be caused by:

  1. Copying the LOKI package to the end system using TeamViewer (because this would bring the clear-text signatures into the memory of the service)
  2. An attacker that injected malicious code into the process (less likely)

Thank you for your feedback, I'll verify according to your indications.