This detection identifies potential variants of the Trojan-Banker.AndroidOS.Tordow malware using a YARA rule, indicating possible adversarial activity targeting Android devices. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate early-stage malware infections before they cause significant damage.
YARA Rule
import "androguard"

rule andr_tordow
{
    meta:
        description = "Yara for variants of Trojan-Banker.AndroidOS.Tordow. Test rule"
        source = "https://securelist.com/blog/mobile/76101/the-banker-that-can-steal-anything/"
        author = "https://twitter.com/5h1vang"

    condition:
        // Known package name of the sample
        androguard.package_name("com.di2.two") or
        // Characteristic set of activity names plus network permission
        (androguard.activity(/API2Service/i) and
         androguard.activity(/CryptoUtil/i) and
         androguard.activity(/Loader/i) and
         androguard.activity(/Logger/i) and
         androguard.permission(/android.permission.INTERNET/)) or
        // Certificate check based on @stevenchan's comment
        androguard.certificate.sha1("78F162D2CC7366754649A806CF17080682FE538C") or
        androguard.certificate.sha1("BBA26351CE41ACBE5FA84C9CF331D768CEDD768F") or
        androguard.certificate.sha1("0B7C3BC97B6D7C228F456304F5E1B75797B7265E")
}
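To make explicit what the three OR-ed branches of the condition test, here is an added Python example (not code from the page or from the rule's author) that re-implements the rule's logic over metadata already extracted from an APK; in practice that metadata would come from an APK parser such as androguard, and it assumes the certificate branch compares against the SHA-1 of the DER-encoded signing certificate. The sample metadata below is constructed, not taken from real APKs.

```python
import hashlib
import re

# Indicator values copied from the andr_tordow rule on this page.
TORDOW_PACKAGE = "com.di2.two"
# androguard.activity(/.../i): case-insensitive regex over every activity name.
TORDOW_ACTIVITY_RES = [re.compile(p, re.IGNORECASE)
                       for p in ("API2Service", "CryptoUtil", "Loader", "Logger")]
# The rule's permission regex leaves the dots unescaped, so mirror it exactly.
TORDOW_PERMISSION_RE = re.compile("android.permission.INTERNET")
TORDOW_CERT_SHA1 = {
    "78F162D2CC7366754649A806CF17080682FE538C",
    "BBA26351CE41ACBE5FA84C9CF331D768CEDD768F",
    "0B7C3BC97B6D7C228F456304F5E1B75797B7265E",
}


def match_tordow(package, activities, permissions, certs_der):
    """Return which branch of the rule's condition fires, or None.

    package/activities/permissions come from the manifest; certs_der is the
    list of signing certificates as DER bytes (assumed to be what the rule's
    certificate.sha1 check hashes).
    """
    if package == TORDOW_PACKAGE:
        return "package_name"
    has_all_activities = all(any(rx.search(a) for a in activities)
                             for rx in TORDOW_ACTIVITY_RES)
    if has_all_activities and any(TORDOW_PERMISSION_RE.search(p) for p in permissions):
        return "activity_set"
    for der in certs_der:
        if hashlib.sha1(der).hexdigest().upper() in TORDOW_CERT_SHA1:
            return "certificate"
    return None


# Constructed sample metadata (hypothetical; not real APKs).
SAMPLES = {
    "by_package": ("com.di2.two", ["com.di2.two.Main"], [], [b"cert-A"]),
    "by_activities": ("com.example.app",
                      ["com.example.app.Api2Service", "com.example.app.CryptoUtil",
                       "com.example.app.Loader", "com.example.app.Logger"],
                      ["android.permission.INTERNET"], [b"cert-B"]),
    # Only one of the four activity patterns matches, so this stays clean.
    "benign": ("com.example.notes", ["com.example.notes.ImageLoader"],
               ["android.permission.INTERNET"], [b"cert-C"]),
}


def scan_samples():
    return {name: match_tordow(*meta) for name, meta in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        print(f"{name}: {verdict or 'no match'}")
```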
This YARA rule can be deployed in the following contexts:

- Scenario: A legitimate system update or patching tool (e.g., yum, apt, or Chocolatey) is executing a script that contains strings similar to the Tordow malware signature.
  Filter/Exclusion: Check the process name and command line for known package managers or update tools. Example filter: process.name != "yum" && process.name != "apt" && process.name != "choco"

- Scenario: A scheduled system cleanup task (e.g., CCleaner, Disk Cleanup, or a Windows Defender scheduled scan) is running and contains benign code that matches the YARA rule.
  Filter/Exclusion: Exclude processes associated with known cleanup or security tools. Example filter: process.name != "ccleaner.exe" && process.name != "DiskCleanup.exe" && process.name != "MsMpEng.exe"

- Scenario: A legitimate administrative task, such as configuring a firewall rule using iptables or Windows Firewall, includes a script that contains obfuscated or benign code resembling Tordow.
  Filter/Exclusion: Filter out processes related to firewall configuration. Example filter: process.name != "iptables" && process.name != "firewall.exe" && process.name != "netsh.exe"

- Scenario: A developer is testing a custom script or application that includes encoded or obfuscated strings that match the YARA rule due to similar patterns.
  Filter/Exclusion: Exclude processes from development environments or user-owned scripts. Example filter: process.name != "python" && process.name != "node" && process.name != "bash"

- Scenario: A legitimate enterprise application (e.g., LogParser, PowerShell, or a SQL Server Agent job) is running a query or script that contains benign code with string patterns similar to the Tordow malware.
  Filter/Exclusion: Exclude known enterprise tools