← Back to SOC feed Coverage →

Detects malware from OilRig Campaign

yara LOW Yara-Rules
community
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at Yara-Rules →
Retrieved: 2026-06-01T11:00:01Z · Confidence: medium

Hunt Hypothesis

Adversaries associated with the OilRig campaign may use custom malware to establish persistence and exfiltrate data, which could indicate a targeted compromise. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential long-term threats from advanced persistent threats.

YARA Rule

rule OilRig_Malware_Campaign_Mal3 
{

   meta:
      description = "Detects malware from OilRig Campaign"
      author = "Florian Roth"
      reference = "https://goo.gl/QMRZ8K"
      date = "2016-10-12"
      hash1 = "02226181f27dbf59af5377e39cf583db15200100eea712fcb6f55c0a2245a378"

   strings:
      $x1 = "(Get-Content $env:Public\\Libraries\\dns.ps1) -replace ('#'+'##'),$botid | Set-Content $env:Public\\Libraries\\dns.ps1" fullword ascii
      $x2 = "Invoke-Expression ($global:myhome+'tp\\'+$global:filename+'.bat > '+$global:myhome+'tp\\'+$global:filename+'.txt')" fullword ascii
      $x3 = "('00000000'+(convertTo-Base36(Get-Random -Maximum 46655)))" fullword ascii

   condition:
      ( filesize < 10KB and 1 of them )
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

This rule contains 3 string patterns in its detection logic.

References

False Positive Guidance

Original source: https://github.com/Yara-Rules/rules/blob/main/malware/APT_Oilrig.yar