Added python311.dll sideloading (#90)

Co-authored-by: Swachchhanda Shrawan Poudel <[email protected]> Co-authored-by: Wietze <[email protected]>
wietze · Oct 2, 2024 · dc9c9f2 · dc9c9f2
1 parent 8977e69
commit dc9c9f2
Showing 1 changed file with 27 additions and 0 deletions.
diff --git a/yml/3rd_party/python/python311.yml b/yml/3rd_party/python/python311.yml
@@ -0,0 +1,27 @@
+---
+Name: python311.dll
+Author: Swachchhanda Shrawan Poudel
+Created: 2024-10-02
+Vendor: Python
+ExpectedLocations:
+  - '%PROGRAMFILES%\Python311'
+  - '%LOCALAPPDATA%\Programs\Python\Python311'
+VulnerableExecutables:
+  - Path: 'pythonw.exe'
+    Type: Sideloading
+    SHA256:
+      - 24385D352B83222DC5AB92FA57B6649854ECD74DE378E279D8AC20A0B3B16009
+    ExpectedVersionInformation:
+      - OriginalFilename: pythonw.exe
+        ProductName: Python
+        InternalName: Python Application
+        CompanyName: Python Software Foundation
+        FileDescription: Python
+Resources:
+  - https://www.securonix.com/blog/seolurker-attack-campaign-uses-seo-poisoning-fake-google-ads-to-install-malware/
+  - https://thedfirreport.com/2024/09/30/nitrogen-campaign-drops-sliver-and-ends-with-blackcat-ransomware/
+  - https://www.virustotal.com/gui/file/9514035fea8000a664799e369ae6d3af6abfe8e5cda23cdafbede83051692e63
+  - https://www.rapid7.com/blog/post/2024/05/13/ongoing-malvertising-campaign-leads-to-ransomware/
+Acknowledgements:
+  - Name: Swachchhanda Shrawan Poudel
+    Twitter: '@_swachchhanda_'