In my threat hunting role I mostly focus on financially motivated threat actors, particularly ransomware groups. Given the central role that cryptocurrency has had in enabling ransomware attacks at scale, it can sometimes be useful to find files containing cryptocurrency wallet addresses.
Today’s rule uses regular expressions to match Bitcoin wallet addresses.
    rule TTP_contains_BTC_address {
        meta:
            description = "Matches regex for Bitcoin wallet addresses."
            last_modified = "2024-01-08"
            author = "@petermstewart"
            DaysofYara = "8/100"
        strings:
            // Legacy P2PKH ("1...") and P2SH ("3...") addresses: Base58 (no 0, O, I or l),
            // 26 to 35 characters in total.
            $r1 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/ fullword ascii wide
            // Native SegWit addresses are kept as a separate string: bech32/bech32m uses a
            // different 32-character alphabet (which does contain 0 and l) and fixed lengths
            // of 42 (P2WPKH) or 62 (P2WSH, P2TR) characters, so one Base58 class cannot
            // cover both. Addresses are normally lowercase; an all-uppercase form also exists.
            $r2 = /bc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{39,59}/ fullword ascii wide
        condition:
            filesize < 5MB and
            any of ($r*)
    }
Regular expression matching in YARA can be very slow, so it is best practice to “anchor” the pattern with as many literal characters as possible: YARA pulls short fixed substrings (atoms) out of every string to drive its fast first-pass scan, and a pattern that opens with a character class gives it nothing useful to work with. The only fixed text in a Bitcoin address is the bc1 prefix of SegWit addresses; legacy addresses start with a single 1 or 3 followed by a run of Base58 characters, so that part of the rule cannot be anchored and will carry a significant performance hit. Bear in mind, too, that the patterns describe only the alphabet and length of an address: any Base58- or bech32-looking token of the right length (a hash, an identifier, a random string) will hit, so treat matches as candidates and verify the address checksum before acting on them. Increase or remove the upper limit on filesize if you want to be more thorough.
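As an added example (my own code, not the author's rule or repository), here is the post-processing step I would run over the hits from a rule like this: it applies the same two character classes as Python regexes, then keeps only the candidates whose checksum verifies, Base58Check for 1/3 addresses and bech32 (witness version 0) or bech32m (versions 1 and above, BIP350) for bc1 addresses. The sample text is constructed; the genuine addresses in it are the Bitcoin genesis-block address and published BIP173/BIP350 test vectors, and the two look-alikes are those strings with their last character changed.

```python
import hashlib
import re

# Same character classes and lengths as the YARA rule; \b stands in for YARA's
# "fullword" (it additionally treats "_" as a word character, which is fine here).
LEGACY_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")
SEGWIT_RE = re.compile(r"\bbc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{39,59}\b")

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
BECH32_CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
BECH32M_CONST = 0x2BC830A3


def base58check_valid(addr: str) -> bool:
    """True if addr decodes to version(1) + hash160(20) + checksum(4) with a
    P2PKH (0x00) or P2SH (0x05) version byte and a matching double-SHA256 checksum."""
    try:
        n = 0
        for ch in addr:
            n = n * 58 + B58_ALPHABET.index(ch)
        raw = n.to_bytes(25, "big")
    except (ValueError, OverflowError):          # bad character or too many bytes
        return False
    # Each leading "1" encodes one leading 0x00 byte; the counts must agree.
    if len(addr) - len(addr.lstrip("1")) != len(raw) - len(raw.lstrip(b"\x00")):
        return False
    if raw[0] not in (0x00, 0x05):
        return False
    payload, checksum = raw[:21], raw[21:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def _bech32_polymod(values):
    """BIP173 checksum polynomial over a list of 5-bit values."""
    gen = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= gen[i]
    return chk


def segwit_valid(addr: str) -> bool:
    """True if addr is a mainnet native SegWit address whose checksum verifies:
    bech32 for witness version 0, bech32m (BIP350) for versions 1 to 16."""
    if addr not in (addr.lower(), addr.upper()):   # mixed case is forbidden
        return False
    addr = addr.lower()
    hrp, _, data_part = addr.rpartition("1")       # "1" separates the HRP from the data
    if hrp != "bc" or len(data_part) < 7:           # version + program + 6-char checksum
        return False
    try:
        data = [BECH32_CHARSET.index(c) for c in data_part]
    except ValueError:
        return False
    hrp_expanded = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
    const = _bech32_polymod(hrp_expanded + data)
    version, program_groups = data[0], len(data) - 7   # 5-bit groups of the witness program
    if version == 0:                                   # v0 programs are 20 or 32 bytes
        return const == 1 and program_groups in (32, 52)
    return 1 <= version <= 16 and const == BECH32M_CONST


def find_btc_addresses(text: str) -> dict:
    """Regex candidates (what the YARA rule would flag) and the subset whose checksum verifies."""
    matched = [m.group(0) for m in LEGACY_RE.finditer(text)]
    matched += [m.group(0) for m in SEGWIT_RE.finditer(text)]
    valid = [a for a in matched
             if (segwit_valid(a) if a.startswith("bc1") else base58check_valid(a))]
    return {"matched": matched, "valid": valid}


# Constructed sample, not a real ransom note. Genuine addresses: the genesis-block address
# and BIP173/BIP350 test vectors; the two on the last line have one character changed.
SAMPLE_NOTE = """Send 0.5 BTC to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa or to
bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4 within 72 hours.
Alternate wallets: bc1qrp33g0q5c5txsp9arysrx4k6zdkfs4nce4xj0gdcccefvpysxf3qccfmv3
and bc1p0xlxvlhemja6c4dqv22uapctqupfhlxm9h8z3k2e72q4k9hcz7vqzk5jj0
Look-alikes: 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t5
"""

if __name__ == "__main__":
    result = find_btc_addresses(SAMPLE_NOTE)
    print("regex candidates:", len(result["matched"]))
    for addr in result["matched"]:
        print("VALID   " if addr in result["valid"] else "REJECTED", addr)
```

Run against the sample, the regexes flag six tokens and the checksum step keeps four, rejecting the two look-alikes that no pattern could tell apart from real addresses. The same split is worth keeping in production: let YARA do the cheap, noisy sweep, and put the expensive checksum logic in whatever consumes its matches.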
Find the rest of my 100DaysofYARA posts here, and the rules themselves on my GitHub repository.
One thought on “#100DaysofYARA 2024 – Day 8 – Bitcoin Address”