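├── compiler.yar
├── README.md
├── .gitignore
├── jhonnie-trojan.yar
├── lostdoor.yar
├── xtreme_rat.yar
├── Bublik.yar
├── Wabot.yar
├── YahLover.yar
├── grozlex.yar
├── bitcoin-miner.yar
├── Zegost.yar
├── blackshades.yar
├── 1337 Stealer.yar
└── packer.yar

/compiler.yar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0pc0deFR/YaraRules/HEAD/compiler.yar
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
YaraRules
=========

Multiple rules for yara-project to detect compiler/packer/protector
--------------------------------------------------------------------------------

/.gitignore:
--------------------------------------------------------------------------------
tmp/*
[Cc]onfig/core.php
[Cc]onfig/database.php
app/tmp/*
app/[Cc]onfig/core.php
app/[Cc]onfig/database.php
!empty
--------------------------------------------------------------------------------

/jhonnie-trojan.yar:
--------------------------------------------------------------------------------
/*
  Jhonnie Trojan

  Single-indicator rule: matches the PDB (debug symbol) path string left in the
  binary by the build. The path starts at "\Desktop", i.e. without the drive
  letter, so the rule matches on the path suffix only.
*/

rule jhonnie : Trojan
{
    meta:
        author="Kevin Falcoz"
        date="24/12/2019"
        description="Jhonnie Trojan"

    strings:
        // Backslashes must be doubled inside a YARA text string: "\D", "\H",
        // "\C", "\M" and "\R" are not valid escape sequences, so the original
        // single-backslash form is rejected by the YARA compiler. The bytes
        // searched for are the literal ASCII path below.
        $signature1="\\Desktop\\Home\\Code\\Mfix\\Release\\Mfix.pdb"

    condition:
        $signature1
}
--------------------------------------------------------------------------------

/lostdoor.yar:
--------------------------------------------------------------------------------
/*
  LostDoor Signature

  Single-indicator rule: matches the 11-byte ASCII marker "EDIT_SERVER".
  A marker this short and this generic can appear in unrelated software, so
  treat a hit as a lead to be confirmed rather than a verdict.
*/

rule lost_door : Trojan
{
    meta:
        author="Kevin Falcoz"
        date="23/02/2013"
        description="Lost Door"

    strings:
        $signature1={45 44 49 54 5F 53 45 52 56 45 52} /*EDIT_SERVER*/

    condition:
        $signature1
}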
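--------------------------------------------------------------------------------

/xtreme_rat.yar:
--------------------------------------------------------------------------------
/*
  Xtreme RAT Signature

  Single-indicator rule on the UTF-16LE marker "XTREME" (written as raw hex;
  the final 00 of the last character is deliberately not part of the pattern,
  so it is one byte looser than "XTREME" wide).
*/

rule xtreme_rat : Trojan
{
    meta:
        author="Kevin Falcoz"
        date="23/02/2013"
        description="Xtreme RAT"

    strings:
        $signature1={58 00 54 00 52 00 45 00 4D 00 45} /*X.T.R.E.M.E*/

    condition:
        $signature1
}
--------------------------------------------------------------------------------

/Bublik.yar:
--------------------------------------------------------------------------------
/*
  Bublik Trojan Downloader

  Two ASCII markers, both required.
*/

rule Bublik : Downloader
{
    meta:
        author="Kevin Falcoz"
        date="29/09/2013"
        description="Bublik Trojan Downloader"

    strings:
        $signature1={63 6F 6E 73 6F 6C 61 73}               /*consolas*/
        $signature2={63 6C 55 6E 00 69 6E 66 6F 2E 69 6E 69} /*clUn\0info.ini*/

    condition:
        $signature1 and $signature2
}
--------------------------------------------------------------------------------

/Wabot.yar:
--------------------------------------------------------------------------------
/*
  Wabot Signature

  Two ASCII markers, both required: a hard-coded file path and the short
  string "sIRC4" (5 bytes; on its own it would be too weak to key on).
*/

rule Wabot : Worm
{
    meta:
        author="Kevin Falcoz"
        date="14/08/2015"
        description="Wabot Trojan Worm"

    strings:
        $signature1={43 3A 5C 6D 61 72 69 6A 75 61 6E 61 2E 74 78 74} /*C:\marijuana.txt*/
        $signature2={73 49 52 43 34}                                  /*sIRC4*/

    condition:
        $signature1 and $signature2
}
--------------------------------------------------------------------------------

/YahLover.yar:
--------------------------------------------------------------------------------
/*
  YahLover

  Single hex string: the UTF-16LE sequence "BITROTATE" \0 "BITSHIFT" \0\0
  "BITXOR", i.e. three adjacent wide strings including their separators.
  Matching the separators as well makes the pattern specific to this layout.
*/

rule YahLover : Worm
{
    meta:
        author="Kevin Falcoz"
        date="10/06/2013"
        description="YahLover"

    strings:
        $signature1={42 00 49 00 54 00 52 00 4F 00 54 00 41 00 54 00 45 00 00 00 42 00 49 00 54 00 53 00 48 00 49 00 46 00 54 00 00 00 00 00 42 00 49 00 54 00 58 00 4F 00 52}

    condition:
        $signature1
}
--------------------------------------------------------------------------------

/grozlex.yar:
--------------------------------------------------------------------------------
/*
  Grozlex Stealer

  Single indicator: the UTF-16LE text "Logs attached by iCozen".
*/

rule Grozlex : Stealer
{
    meta:
        author="Kevin Falcoz"
        date="20/08/2013"
        description="Grozlex Stealer - Possible HCStealer"

    strings:
        $signature={4C 00 6F 00 67 00 73 00 20 00 61 00 74 00 74 00 61 00 63 00 68 00 65 00 64 00 20 00 62 00 79 00 20 00 69 00 43 00 6F 00 7A 00 65 00 6E}

    condition:
        $signature
}
--------------------------------------------------------------------------------

/bitcoin-miner.yar:
--------------------------------------------------------------------------------
/*
  Bitcoin Miner

  Two ASCII markers, both required: a PDB (debug symbol) path left in by the
  build and a printf-style URL template.
*/

rule universal_bitcoin_miner : Miner
{
    meta:
        author="Kevin Falcoz"
        date="24/12/2019"
        description="Bitcoin Miner"

    strings:
        // Backslashes must be doubled inside a YARA text string; the original
        // single-backslash form ("\C", "\b", "\s", "\m", "\R") is rejected by the
        // YARA compiler as illegal escape sequences. The bytes searched for are
        // the literal ASCII path as it appears in the sample.
        $signature1="E:\\CryptoNight\\bitmonero-master\\src\\miner\\Release\\Crypto.pdb"
        // Format string, matched literally ("%s" and "%d" are plain bytes here).
        $signature2="http://%s/test.html?%d"

    condition:
        $signature1 and $signature2
}
--------------------------------------------------------------------------------

/Zegost.yar:
--------------------------------------------------------------------------------
/*
  Zegost Signature

  Two markers, both required: a base64-looking ASCII token
  "9/f30Li5ubO5DNADDxG8s762tqY=" and a short mixed byte sequence ending in
  the ASCII text "Bome".
*/

rule Zegost : Trojan
{
    meta:
        author="Kevin Falcoz"
        date="10/06/2013"
        description="Zegost Trojan"

    strings:
        $signature1={39 2F 66 33 30 4C 69 35 75 62 4F 35 44 4E 41 44 44 78 47 38 73 37 36 32 74 71 59 3D}
        $signature2={00 BA DA 22 51 42 6F 6D 65 00}

    condition:
        $signature1 and $signature2
}
--------------------------------------------------------------------------------

/blackshades.yar:
--------------------------------------------------------------------------------
/*
  BlackShades Signature

  Three ASCII markers, all required: "bss_server", "CLICK_DELAY" \0 "SCK_ID"
  (two adjacent strings matched with their separator) and "modInjPE".
*/

rule BlackShades : Trojan
{
    meta:
        author="Kevin Falcoz"
        date="26/06/2013"
        description="BlackShades Server"

    strings:
        $signature1={62 73 73 5F 73 65 72 76 65 72}                            /*bss_server*/
        $signature2={43 4C 49 43 4B 5F 44 45 4C 41 59 00 53 43 4B 5F 49 44}   /*CLICK_DELAY\0SCK_ID*/
        $signature3={6D 6F 64 49 6E 6A 50 45}                                  /*modInjPE*/

    condition:
        $signature1 and $signature2 and $signature3
}
--------------------------------------------------------------------------------

/1337 Stealer.yar:
--------------------------------------------------------------------------------
/*
  1337 Stealer Signature

  Two independent pairs of ASCII markers; either pair is enough to match.
  The second pair ("FTP~" and "~1~1~0~0") is made of short, low-entropy
  strings, so that arm of the condition is the more false-positive-prone one.
*/

rule universal_1337_stealer_serveur : Stealer
{
    meta:
        author="Kevin Falcoz"
        date="24/02/2013"
        description="Universal 1337 Stealer Serveur"

    strings:
        $signature1={2A 5B 53 2D 50 2D 4C 2D 49 2D 54 5D 2A} /*[S-P-L-I-T]*/
        $signature2={2A 5B 48 2D 45 2D 52 2D 45 5D 2A}       /*[H-E-R-E]*/
        $signature3={46 54 50 7E}                            /*FTP~*/
        $signature4={7E 31 7E 31 7E 30 7E 30}                /*~1~1~0~0*/

    condition:
        // Parentheses make the intended grouping explicit; YARA's "and" already
        // binds tighter than "or", so the evaluation is unchanged.
        ($signature1 and $signature2) or ($signature3 and $signature4)
}
--------------------------------------------------------------------------------

/packer.yar:
--------------------------------------------------------------------------------
/*
  URL: https://github.com/0pc0deFR/YaraRules
  Developer: 0pc0deFR (alias Kevin Falcoz)
  packer.yar contains several rules for detecting Crypters/Packers/Protectors.

  Most rules below anchor their byte pattern with "at entrypoint". The bare
  "entrypoint" keyword is a legacy form that the YARA documentation marks as
  deprecated in favour of the pe/elf modules' entry_point; it is kept here
  for behavioural parity with the original rule set.
*/

rule upx_0_80_to_1_24 : Packer
{
    meta:
        author="Kevin Falcoz"
        date_create="25/02/2013"
        description="UPX 0.80 to 1.24"

    strings:
        $str1={6A 60 68 60 02 4B 00 E8 8B 04 00 00 83 65 FC 00 8D 45 90 50 FF 15 8C F1 48 00 C7 45 FC FE FF FF FF BF 94 00 00 00 57}

    condition:
        $str1 at entrypoint
}

rule upx_1_00_to_1_07 : Packer
{
    meta:
        author="Kevin Falcoz"
        date_create="19/03/2013"
        description="UPX 1.00 to 1.07"

    strings:
        // Nibble wildcards (?0, 4?, F?, ...) and bounded jumps ([3], [0-9],
        // [0-2]) absorb the address and padding bytes that vary per build.
        $str1={60 BE 00 ?0 4? 00 8D BE 00 B0 F? FF ?7 8? [3] ?0 9? [0-9] 90 90 90 90 [0-2] 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0}

    condition:
        $str1 at entrypoint
}

rule upx_3 : Packer
{
    meta:
        author="Kevin Falcoz"
        date_create="25/02/2013"
        description="UPX 3.X"

    strings:
        $str1={60 BE 00 [2] 00 8D BE 00 [2] FF [1-12] EB 1? 90 90 90 90 90 [1-3] 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01}

    condition:
        $str1 at entrypoint
}

rule obsidium : Packer
{
    meta:
        author="Kevin Falcoz"
        date_create="21/01/2013"
        last_edit="17/03/2013"
        description="Obsidium"

    strings:
        // Short-jump-over-junk prologue; the [n] jumps skip the junk bytes.
        $str1={EB 02 [2] E8 25 00 00 00 EB 04 [4] EB 01 ?? 8B 54 24 0C EB 01 ?? 83 82 B8 00 00 00 23 EB 01 ?? 33 C0 EB 02 [2] C3 EB 02 [2] EB 04} /*EntryPoint*/

    condition:
        $str1 at entrypoint
}

rule pecompact2 : Packer
{
    meta:
        author="Kevin Falcoz"
        date_create="25/02/2013"
        description="PECompact"

    strings:
        // Pattern ends in the ASCII bytes "PEC" (50 45 43).
        $str1={B8 [3] 00 50 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 33 C0 89 08 50 45 43} /*EntryPoint*/

    condition:
        $str1 at entrypoint
}

rule aspack : Packer
{
    meta:
        author="Kevin Falcoz"
        date_create="25/02/2013"
        description="ASPack"

    strings:
        $str1={60 E8 00 00 00 00 5D 81 ED 5D 3B 40 00 64 A1 30 00 00 00 0F B6 40 02 0A C0 74 04 33 C0 87 00 B9 ?? ?? 00 00 8D BD B7 3B 40 00 8B F7 AC} /*EntryPoint*/

    condition:
        $str1 at entrypoint
}

rule execryptor : Protector
{
    meta:
        author="Kevin Falcoz"
        date_create="25/02/2013"
        description="EXECryptor"

    strings:
        $str1={E8 24 00 00 00 8B 4C 24 0C C7 01 17 00 01 00 C7 81 B8 00 00 00 00 00 00 00 31 C0 89 41 14 89 41 18 80 A1 C1 00 00 00 FE C3 31 C0 64 FF 30 64 89 20 64 8F 05 00 00 00 00} /*EntryPoint*/

    condition:
        $str1 at entrypoint
}

rule winrar_sfx : Packer
{
    meta:
        author="Kevin Falcoz"
        date_create="18/03/2013"
        description="Winrar SFX Archive"

    strings:
        // "\0\0Software\WinRAR SFX\0" - the registry path string embedded in
        // the SFX stub. Identifies the packaging, not malicious intent.
        $signature1={00 00 53 6F 66 74 77 61 72 65 5C 57 69 6E 52 41 52 20 53 46 58 00}

    condition:
        $signature1
}

rule mpress_2_xx_x86 : Packer
{
    meta:
        author="Kevin Falcoz"
        date_create="19/03/2013"
        last_edit="24/03/2013"
        description="MPRESS v2.XX x86 - no .NET"

    strings:
        $signature1={60 E8 00 00 00 00 58 05 [2] 00 00 8B 30 03 F0 2B C0 8B FE 66 AD C1 E0 0C 8B C8 50 AD 2B C8 03 F1 8B C8 57 51 49 8A 44 39 06 88 04 31 75 F6}

    condition:
        $signature1 at entrypoint
}

rule mpress_2_xx_x64 : Packer
{
    meta:
        author="Kevin Falcoz"
        date_create="19/03/2013"
        last_edit="24/03/2013"
        description="MPRESS v2.XX x64 - no .NET"

    strings:
        $signature1={57 56 53 51 52 41 50 48 8D 05 DE 0A 00 00 48 8B 30 48 03 F0 48 2B C0 48 8B FE 66 AD C1 E0 0C 48 8B C8 50 AD 2B C8 48 03 F1 8B C8 57 44 8B C1 FF C9 8A 44 39 06 88 04 31}

    condition:
        $signature1 at entrypoint
}

rule mpress_2_xx_net : Packer
{
    meta:
        author="Kevin Falcoz"
        date_create="24/03/2013"
        description="MPRESS v2.XX .NET"

    strings:
        // Length-prefixed UTF-16LE strings "File is invalid." and "MPRESS"
        // followed by a fixed byte tail. Not anchored at entrypoint.
        $signature1={21 46 00 69 00 6C 00 65 00 20 00 69 00 73 00 20 00 69 00 6E 00 76 00 61 00 6C 00 69 00 64 00 2E 00 00 0D 4D 00 50 00 52 00 45 00 53 00 53 00 00 00 00 00 2D 2D 93 6B 35 04 2E 43 85 EF}

    condition:
        $signature1
}

rule rpx_1_xx : Packer
{
    meta:
        author="Kevin Falcoz"
        date_create="24/03/2013"
        description="RPX v1.XX"

    strings:
        $signature1= "RPX 1."
        // NOTE(review): the bytes YARA searches for here depend on the encoding
        // of this .yar file (UTF-8 yields C2 A9 for the copyright sign). If the
        // packer emits the sign in a single-byte code page, this string will not
        // match - confirm against a sample and switch to a hex string if needed.
        $signature2= "Copyright © 20"

    condition:
        $signature1 and $signature2
}

rule mew_11_xx : Packer
{
    meta:
        author="Kevin Falcoz"
        date_create="25/03/2013"
        description="MEW 11"

    strings:
        // "ProcAddress\0" followed by a jmp (E9) and a run of zero bytes.
        $signature1={50 72 6F 63 41 64 64 72 65 73 73 00 E9 [6-7] 00 00 00 00 00 00 00 00 00 [7] 00}
        // 3-byte ASCII marker: far too short to stand alone, only meaningful
        // because the condition also requires $signature1.
        $signature2="MEW"

    condition:
        $signature1 and $signature2
}

rule yoda_crypter_1_2 : Crypter
{
    meta:
        author="Kevin Falcoz"
        date_create="15/04/2013"
        description="Yoda Crypter 1.2"

    strings:
        $signature1={60 E8 00 00 00 00 5D 81 ED F3 1D 40 00 B9 7B 09 00 00 8D BD 3B 1E 40 00 8B F7 AC [19] EB 01 [27] AA E2 CC}

    condition:
        $signature1 at entrypoint
}

rule yoda_crypter_1_3 : Crypter
{
    meta:
        author="Kevin Falcoz"
        date_create="15/04/2013"
        description="Yoda Crypter 1.3"

    strings:
        $signature1={55 8B EC 53 56 57 60 E8 00 00 00 00 5D 81 ED 6C 28 40 00 B9 5D 34 40 00 81 E9 C6 28 40 00 8B D5 81 C2 C6 28 40 00 8D 3A 8B F7 33 C0 EB 04 90 EB 01 C2 AC}

    condition:
        $signature1 at entrypoint
}
--------------------------------------------------------------------------------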