encrypt data using RC4 via WinAPI

edit on GitHub
search on VirusTotal
rule:
  meta:
    name: encrypt data using RC4 via WinAPI
    namespace: data-manipulation/encryption/rc4
    authors:
      - moritz.raabe@mandiant.com
    scopes:
      static: function
      dynamic: thread
    att&ck:
      - Defense Evasion::Obfuscated Files or Information [T1027]
    mbc:
      - Defense Evasion::Obfuscated Files or Information::Encryption-Standard Algorithm [E1027.m05]
      - Cryptography::Encrypt Data::RC4 [C0027.009]
    examples:
      - 2A584DFC657348D164274A12BFF9BBD8:0x404D42
      - 32BB43F8847ECF158C1E96891ED9A28C:0x10003A88
  features:
    - and:
      - or:
        - number: 0x6801 = CALG_RC4
      - or:
        - api: CryptGenKey
        - api: CryptDeriveKey
        - api: CryptImportKey
      - optional:
        - or:
          - number: 1 = PROV_RSA_FULL
          - api: CryptAcquireContext
          - api: CryptEncrypt
          - api: CryptDecrypt
last edited: 2023-11-24 10:34:28