├── .github
└── workflows
│ └── yara-assemble.yml
├── .gitignore
├── .travis.yml
├── .yara-ci.yml
├── Code_of_Conduct.md
├── LICENSE
├── README.md
├── _config.yml
├── apt_unc2891_tinyshell_slapstick.yar
├── build-rules.py
├── iocs
├── README.txt
├── c2-iocs.txt
├── filename-iocs.txt
├── hash-iocs.txt
├── keywords.txt
└── otx-hash-iocs.txt
├── makefile
├── misc
└── file-type-signatures.txt
├── sig-base-rules.csv
├── vendor
└── yara
│ └── airbnb_binaryalert.yar
└── yara
├── apt_aa19_024a.yar
├── apt_agent_btz.yar
├── apt_alienspy_rat.yar
├── apt_apt10.yar
├── apt_apt10_redleaves.yar
├── apt_apt12_malware.yar
├── apt_apt15.yar
├── apt_apt17_mal_sep17.yar
├── apt_apt17_malware.yar
├── apt_apt19.yar
├── apt_apt27_hyperbro.yar
├── apt_apt27_rshell.yar
├── apt_apt28.yar
├── apt_apt28_drovorub.yar
├── apt_apt29_grizzly_steppe.yar
├── apt_apt29_nobelium_apr22.yar
├── apt_apt29_nobelium_may21.yar
├── apt_apt30_backspace.yar
├── apt_apt32.yar
├── apt_apt34.yar
├── apt_apt37.yar
├── apt_apt37_bluelight.yar
├── apt_apt3_bemstour.yar
├── apt_apt41.yar
├── apt_apt6_malware.yar
├── apt_ar18_165a.yar
├── apt_area1_phishing_diplomacy.yar
├── apt_aus_parl_compromise.yar
├── apt_babyshark.yar
├── apt_backdoor_ssh_python.yar
├── apt_backdoor_sunburst_fnv1a_experimental.yar
├── apt_backspace.yar
├── apt_barracuda_esg_unc4841_jun23.yar
├── apt_beepservice.yar
├── apt_between-hk-and-burma.yar
├── apt_bigbang.yar
├── apt_bitter.yar
├── apt_blackenergy.yar
├── apt_blackenergy_installer.yar
├── apt_bluetermite_emdivi.yar
├── apt_bronze_butler.yar
├── apt_buckeye.yar
├── apt_camaro_dragon_oct23.yar
├── apt_candiru.yar
├── apt_carbon_paper_turla.yar
├── apt_casper.yar
├── apt_cheshirecat.yar
├── apt_cisco_asa_line_dancer_apr24.yar
├── apt_cloudatlas.yar
├── apt_cloudduke.yar
├── apt_cmstar.yar
├── apt_cn_netfilter.yar
├── apt_cn_pp_zerot.yar
├── apt_cn_reddelta.yar
├── apt_cn_twisted_panda.yar
├── apt_cobaltstrike.yar
├── apt_cobaltstrike_evasive.yar
├── apt_codoso.yar
├── apt_coreimpact_agent.yar
├── apt_danti_svcmondr.yar
├── apt_darkcaracal.yar
├── apt_darkhydrus.yar
├── apt_deeppanda.yar
├── apt_derusbi.yar
├── apt_dnspionage.yar
├── apt_donotteam_ytyframework.yar
├── apt_dragonfly.yar
├── apt_dtrack.yar
├── apt_dubnium.yar
├── apt_duqu1_5_modules.yar
├── apt_duqu2.yar
├── apt_dustman.yar
├── apt_emissary.yar
├── apt_eqgrp.yar
├── apt_eqgrp_apr17.yar
├── apt_eqgrp_sparc_sbz_apr23.yar
├── apt_eqgrp_triangulation_jun23.yar
├── apt_eternalblue_non_wannacry.yar
├── apt_exile_rat.yar
├── apt_f5_bigip_expl_payloads.yar
├── apt_fakem_backdoor.yar
├── apt_fancybear_computrace_agent.yar
├── apt_fancybear_dnc.yar
├── apt_fancybear_osxagent.yar
├── apt_fidelis_phishing_plain_sight.yar
├── apt_fin7.yar
├── apt_fin7_backdoor.yar
├── apt_fin8.yar
├── apt_flame2_orchestrator.yar
├── apt_foudre.yar
├── apt_four_element_sword.yar
├── apt_freemilk.yar
├── apt_fujinama_rat.yar
├── apt_furtim.yar
├── apt_fvey_shadowbroker_dec16.yar
├── apt_fvey_shadowbroker_jan17.yar
├── apt_ghostdragon_gh0st_rat.yar
├── apt_glassRAT.yar
├── apt_golddragon.yar
├── apt_goldenspy.yar
├── apt_greenbug.yar
├── apt_greyenergy.yar
├── apt_grizzlybear_uscert.yar
├── apt_hackingteam_rules.yar
├── apt_hafnium.yar
├── apt_hafnium_log_sigs.yar
├── apt_ham_tofu_chches.yar
├── apt_hatman.yar
├── apt_hellsing_kaspersky.yar
├── apt_hidden_cobra.yar
├── apt_hiddencobra_bankshot.yar
├── apt_hiddencobra_wiper.yar
├── apt_hizor_rat.yar
├── apt_hkdoor.yar
├── apt_iamtheking.yar
├── apt_icefog.yar
├── apt_indetectables_rat.yar
├── apt_industroyer.yar
├── apt_inocnation.yar
├── apt_irongate.yar
├── apt_irontiger.yar
├── apt_irontiger_trendmicro.yar
├── apt_ism_rat.yar
├── apt_kaspersky_duqu2.yar
├── apt_ke3chang.yar
├── apt_keyboys.yar
├── apt_keylogger_cn.yar
├── apt_khrat.yar
├── apt_korplug_fast.yar
├── apt_kwampirs.yar
├── apt_laudanum_webshells.yar
├── apt_lazarus_applejeus.yar
├── apt_lazarus_aug20.yar
├── apt_lazarus_dec17.yar
├── apt_lazarus_dec20.yar
├── apt_lazarus_gopuram.yar
├── apt_lazarus_jan21.yar
├── apt_lazarus_jun18.yar
├── apt_lazarus_vhd_ransomware.yar
├── apt_leviathan.yar
├── apt_lnx_kobalos.yar
├── apt_lnx_linadoor_rootkit.yar
├── apt_lotusblossom_elise.yar
├── apt_magichound.yar
├── apt_mal_gopuram_apr23.yar
├── apt_mal_ilo_board_elf.yar
├── apt_mal_ru_snake_may23.yar
├── apt_microcin.yar
├── apt_middle_east_talosreport.yar
├── apt_miniasp.yar
├── apt_minidionis.yar
├── apt_mofang.yar
├── apt_molerats_jul17.yar
├── apt_monsoon.yar
├── apt_moonlightmaze.yar
├── apt_ms_platinum.yara
├── apt_muddywater.yar
├── apt_naikon.yar
├── apt_nanocore_rat.yar
├── apt_nazar.yar
├── apt_ncsc_report_04_2018.yar
├── apt_netwire_rat.yar
├── apt_nk_andariel_jul24.yar
├── apt_nk_gen.yar
├── apt_nk_goldbackdoor.yar
├── apt_nk_inkysquid.yar
├── apt_nk_tradingtech_apr23.yar
├── apt_nobellium_rdp_phish.yar
├── apt_oilrig.yar
├── apt_oilrig_chafer_mar18.yar
├── apt_oilrig_oct17.yar
├── apt_oilrig_rgdoor.yar
├── apt_olympic_destroyer.yar
├── apt_onhat_proxy.yar
├── apt_op_cleaver.yar
├── apt_op_cloudhopper.yar
├── apt_op_honeybee.yar
├── apt_op_shadowhammer.yar
├── apt_op_wocao.yar
├── apt_passcv.yar
├── apt_passthehashtoolkit.yar
├── apt_patchwork.yar
├── apt_peach_sandstorm.yar
├── apt_plead_downloader.yar
├── apt_plugx.yar
├── apt_poisonivy.yar
├── apt_poisonivy_gen3.yar
├── apt_poseidon_group.yar
├── apt_poshspy.yar
├── apt_prikormka.yar
├── apt_project_m.yar
├── apt_project_sauron.yara
├── apt_project_sauron_extras.yar
├── apt_promethium_neodymium.yar
├── apt_pulsesecure.yar
├── apt_putterpanda.yar
├── apt_quarkspwdump.yar
├── apt_quasar_rat.yar
├── apt_quasar_vermin.yar
├── apt_rancor.yar
├── apt_ransom_darkbit_feb23.yar
├── apt_ransom_lockbit_citrixbleed_nov23.yar
├── apt_ransom_vicesociety_dec22.yar
├── apt_reaver_sunorcal.yar
├── apt_rehashed_rat.yar
├── apt_report_ivanti_mandiant_jan24.yar
├── apt_revenge_rat.yar
├── apt_rocketkitten_keylogger.yar
├── apt_rokrat.yar
├── apt_royalroad.yar
├── apt_ru_crywiper.yar
├── apt_ruag.yar
├── apt_rwmc_powershell_creddump.yar
├── apt_sakula.yar
├── apt_sandworm_centreon.yar
├── apt_sandworm_cyclops_blink.yar
├── apt_sandworm_exim_expl.yar
├── apt_saudi_aramco_phish.yar
├── apt_scanbox_deeppanda.yar
├── apt_scarcruft.yar
├── apt_seaduke_unit42.yar
├── apt_sednit_delphidownloader.yar
├── apt_servantshell.yar
├── apt_shadowpad.yar
├── apt_shamoon.yar
├── apt_shamoon2.yar
├── apt_sharptongue.yar
├── apt_shellcrew_streamex.yar
├── apt_sidewinder.yar
├── apt_silence.yar
├── apt_skeletonkey.yar
├── apt_slingshot.yar
├── apt_snaketurla_osx.yar
├── apt_snowglobe_babar.yar
├── apt_sofacy.yar
├── apt_sofacy_cannon.yar
├── apt_sofacy_dec15.yar
├── apt_sofacy_fysbis.yar
├── apt_sofacy_hospitality.yar
├── apt_sofacy_jun16.yar
├── apt_sofacy_oct17_camp.yar
├── apt_sofacy_xtunnel_bundestag.yar
├── apt_sofacy_zebrocy.yar
├── apt_solarwinds_sunburst.yar
├── apt_solarwinds_susp_sunburst.yar
├── apt_sphinx_moth.yar
├── apt_stealer_cisa_ar22_277a.yar
├── apt_stonedrill.yar
├── apt_strider.yara
├── apt_stuxnet.yar
├── apt_stuxshop.yar
├── apt_suckfly.yar
├── apt_sunspot.yar
├── apt_sysscan.yar
├── apt_ta17_293A.yar
├── apt_ta17_318A.yar
├── apt_ta17_318B.yar
├── apt_ta18_074A.yar
├── apt_ta18_149A.yar
├── apt_ta397_dec24.yar
├── apt_ta459.yar
├── apt_telebots.yar
├── apt_terracotta.yar
├── apt_terracotta_liudoor.yar
├── apt_tetris.yar
├── apt_threatgroup_3390.yar
├── apt_thrip.yar
├── apt_tick_datper.yar
├── apt_tick_weaponized_usb.yar
├── apt_tidepool.yar
├── apt_tophat.yar
├── apt_triton.yar
├── apt_triton_mal_sshdoor.yar
├── apt_turbo_campaign.yar
├── apt_turla.yar
├── apt_turla_gazer.yar
├── apt_turla_kazuar.yar
├── apt_turla_mosquito.yar
├── apt_turla_neuron.yar
├── apt_turla_penquin.yar
├── apt_turla_png_dropper_nov18.yar
├── apt_ua_caddywiper.yar
├── apt_ua_hermetic_wiper.yar
├── apt_ua_isaacwiper.yar
├── apt_ua_wiper_whispergate.yar
├── apt_uboat_rat.yar
├── apt_unc1151_ua.yar
├── apt_unc2447_sombrat.yar
├── apt_unc2546_dewmode.yar
├── apt_unc2891_mal_jan23.yar
├── apt_unc3886_virtualpita.yar
├── apt_unit78020_malware.yar
├── apt_uscert_ta17-1117a.yar
├── apt_venom_linux_rootkit.yar
├── apt_volatile_cedar.yar
├── apt_volttyphoon_versamem.yar
├── apt_vpnfilter.yar
├── apt_waterbear.yar
├── apt_waterbug.yar
├── apt_webmonitor_rat.yar
├── apt_webshell_chinachopper.yar
├── apt_wildneutron.yar
├── apt_wilted_tulip.yar
├── apt_win_plugx.yar
├── apt_winnti.yar
├── apt_winnti_br.yar
├── apt_winnti_burning_umbrella.yar
├── apt_winnti_hdroot.yar
├── apt_winnti_linux.yar
├── apt_winnti_ms_report_201701.yar
├── apt_woolengoldfish.yar
├── apt_xrat.yar
├── apt_zxshell.yar
├── bkdr_xz_util_cve_2024_3094.yar
├── cn_pentestset_scripts.yar
├── cn_pentestset_tools.yar
├── cn_pentestset_webshells.yar
├── configured_vulns_ext_vars.yar
├── crime_academic_data_centers_camp_may20.yar
├── crime_andromeda_jun17.yar
├── crime_antifw_installrex.yar
├── crime_atm_dispenserxfs.yar
├── crime_atm_javadipcash.yar
├── crime_atm_loup.yar
├── crime_atm_xfsadm.yar
├── crime_atm_xfscashncr.yar
├── crime_bad_patch.yar
├── crime_badrabbit.yar
├── crime_bazarbackdoor.yar
├── crime_bernhard_pos.yar
├── crime_bluenoroff_pos.yar
├── crime_buzus_softpulse.yar
├── crime_cmstar.yar
├── crime_cn_campaign_njrat.yar
├── crime_cn_group_btc.yar
├── crime_cobalt_gang_pdf.yar
├── crime_cobaltgang.yar
├── crime_corkow_dll.yar
├── crime_covid_ransom.yar
├── crime_credstealer_generic.yar
├── crime_crypto_miner.yar
├── crime_cryptowall_svg.yar
├── crime_dearcry_ransom.yar
├── crime_dexter_trojan.yar
├── crime_dridex_xml.yar
├── crime_emotet.yar
├── crime_enfal.yar
├── crime_envrial.yar
├── crime_eternalrocks.yar
├── crime_evilcorp_dridex_banker.yar
├── crime_fareit.yar
├── crime_fireball.yar
├── crime_floxif_flystudio.yar
├── crime_gamaredon.yar
├── crime_goldeneye.yar
├── crime_gozi_crypter.yar
├── crime_guloader.yar
├── crime_h2miner_kinsing.yar
├── crime_hermes_ransom.yar
├── crime_icedid.yar
├── crime_kasper_oct17.yar
├── crime_kins_dropper.yar
├── crime_kr_malware.yar
├── crime_kraken_bot1.yar
├── crime_kriskynote.yar
├── crime_locky.yar
├── crime_loki_bot.yar
├── crime_mal_grandcrab.yar
├── crime_mal_nitol.yar
├── crime_mal_ransom_wadharma.yar
├── crime_malumpos.yar
├── crime_malware_generic.yar
├── crime_malware_set_oct16.yar
├── crime_maze_ransomware.yar
├── crime_mikey_trojan.yar
├── crime_mirai.yar
├── crime_mywscript_dropper.yar
├── crime_nansh0u.yar
├── crime_nkminer.yar
├── crime_nopetya_jun17.yar
├── crime_ole_loadswf_cve_2018_4878.yar
├── crime_parallax_rat.yar
├── crime_phish_gina_dec15.yar
├── crime_ransom_conti.yar
├── crime_ransom_darkside.yar
├── crime_ransom_generic.yar
├── crime_ransom_germanwiper.yar
├── crime_ransom_lockergoga.yar
├── crime_ransom_prolock.yar
├── crime_ransom_ragna_locker.yar
├── crime_ransom_revil.yar
├── crime_ransom_robinhood.yar
├── crime_ransom_stealbit_lockbit.yar
├── crime_ransom_venus.yar
├── crime_rat_parallax.yar
├── crime_revil_general.yar
├── crime_rombertik_carbongrabber.yar
├── crime_ryuk_ransomware.yar
├── crime_shifu_trojan.yar
├── crime_snarasite.yar
├── crime_socgholish.yar
├── crime_stealer_exfil_zip.yar
├── crime_teledoor.yar
├── crime_trickbot.yar
├── crime_upatre_oct15.yar
├── crime_wannacry.yar
├── crime_wsh_rat.yar
├── crime_xbash.yar
├── crime_zeus_panda.yar
├── crime_zloader_maldocs.yar
├── expl_adselfservice_cve_2021_40539.yar
├── expl_citrix_netscaler_adc_exploitation_cve_2023_3519.yar
├── expl_cleo_dec24.yar
├── expl_connectwise_screenconnect_vuln_feb24.yar
├── expl_cups_sep24.yar
├── expl_cve_2021_1647.yar
├── expl_cve_2021_26084_confluence_log.yar
├── expl_cve_2021_40444.yar
├── expl_cve_2022_41040_proxynoshell.yar
├── expl_cve_2022_46169_cacti.yar
├── expl_ivanti_epmm_mobileiron_cve_2023_35078.yar
├── expl_keepass_cve_2023_24055.yar
├── expl_libcue_cve_2023_43641.yar
├── expl_libssh_cve_2023_2283_jun23.yar
├── expl_lnk_zdi_can_25373.yar
├── expl_log4j_cve_2021_44228.yar
├── expl_macos_switcharoo_dec22.yar
├── expl_manageengine_jan23.yar
├── expl_outlook_cve_2023_23397.yar
├── expl_outlook_cve_2024_21413.yar
├── expl_proxynotshell_owassrf_dec22.yar
├── expl_proxyshell.yar
├── expl_sap_netweaver_apr25.yar
├── expl_sharepoint_cve_2023_29357.yar
├── expl_spring4shell.yar
├── expl_sysaid_cve_2023_47246.yar
├── expl_teamcity_2023_42793.yar
├── exploit_cve_2014_4076.yar
├── exploit_cve_2015_1674.yar
├── exploit_cve_2015_1701.yar
├── exploit_cve_2015_2426.yar
├── exploit_cve_2015_2545.yar
├── exploit_cve_2015_5119.yar
├── exploit_cve_2017_11882.yar
├── exploit_cve_2017_8759.yar
├── exploit_cve_2017_9800.yar
├── exploit_cve_2018_0802.yar
├── exploit_cve_2018_16858.yar
├── exploit_cve_2021_31166.yar
├── exploit_cve_2021_33766_proxytoken.yar
├── exploit_cve_2022_22954_vmware_workspace_one.yar
├── exploit_cve_2023_38146.yar
├── exploit_f5_bigip_cve_2021_22986_log.yar
├── exploit_gitlab_cve_2021_22205.yar
├── exploit_rtf_ole2link.yar
├── exploit_shitrix.yar
├── exploit_tlb_scripts.yar
├── exploit_uac_elevators.yar
├── gen_100days_of_yara_2023.yar
├── gen_Excel4Macro_Sharpshooter.yar
├── gen_ace_with_exe.yar
├── gen_anomalies_keyword_combos.yar
├── gen_anydesk_compromised_cert_feb23.yar
├── gen_armitage.yar
├── gen_autocad_lsp_malware.yar
├── gen_b374k_extra.yar
├── gen_bad_pdf.yar
├── gen_brooxml_dec24.yar
├── gen_case_anomalies.yar
├── gen_cert_payloads.yar
├── gen_chaos_payload.yar
├── gen_cmd_script_obfuscated.yar
├── gen_cn_hacktool_scripts.yar
├── gen_cn_hacktools.yar
├── gen_cn_webshells.yar
├── gen_cobaltstrike.yar
├── gen_cobaltstrike_by_avast.yar
├── gen_crime_bitpaymer.yar
├── gen_crimson_rat.yar
├── gen_crunchrat.yar
├── gen_dde_in_office_docs.yar
├── gen_deviceguard_evasion.yar
├── gen_doc_follina.yar
├── gen_dropper_pdb.yar
├── gen_elf_file_anomalies.yar
├── gen_empire.yar
├── gen_enigma_protector.yar
├── gen_event_mute_hook.yar
├── gen_excel_auto_open_evasion.yar
├── gen_excel_xll_addin_suspicious.yar
├── gen_excel_xor_obfuscation_velvetsweatshop.yar
├── gen_exploit_cve_2017_10271_weblogic.yar
├── gen_fake_amsi_dll.yar
├── gen_faked_versions.yar
├── gen_file_anomalies.yar
├── gen_fireeye_redteam_tools.yar
├── gen_floxif.yar
├── gen_frp_proxy.yar
├── gen_gcti_cobaltstrike.yar
├── gen_gcti_sliver.yar
├── gen_gen_cactustorch.yar
├── gen_github_net_redteam_tools_guids.yar
├── gen_github_net_redteam_tools_names.yar
├── gen_github_repo_compromise_myjino_ru.yar
├── gen_gobfuscate.yar
├── gen_google_anomaly.yar
├── gen_gpp_cpassword.yar
├── gen_hawkeye.yar
├── gen_hktl_koh_tokenstealer.yar
├── gen_hktl_roothelper.yar
├── gen_hktl_venom_lib.yar
├── gen_hta_anomalies.yar
├── gen_hunting_susp_rar.yar
├── gen_icon_anomalies.yar
├── gen_impacket_tools.yar
├── gen_imphash_detection.yar
├── gen_invoke_mimikatz.yar
├── gen_invoke_psimage.yar
├── gen_invoke_thehash.yar
├── gen_javascript_powershell.yar
├── gen_kerberoast.yar
├── gen_khepri.yar
├── gen_kirbi_mimkatz.yar
├── gen_lnx_malware_indicators.yar
├── gen_loaders.yar
├── gen_macro_ShellExecute_action.yar
├── gen_macro_builders.yar
├── gen_macro_staroffice_suspicious.yar
├── gen_mal_3cx_compromise_mar23.yar
├── gen_mal_backnet.yar
├── gen_mal_link.yar
├── gen_mal_scripts.yar
├── gen_maldoc.yar
├── gen_malware_MacOS_plist_suspicious.yar
├── gen_malware_set_qa.yar
├── gen_merlin_agent.yar
├── gen_metasploit_loader_rsmudge.yar
├── gen_metasploit_payloads.yar
├── gen_mimikatz.yar
├── gen_mimikittenz.yar
├── gen_mimipenguin.yar
├── gen_net_xorstrings.yar
├── gen_nighthawk_c2.yar
├── gen_nimpackt.yar
├── gen_nopowershell.yar
├── gen_nvidia_leaked_cert.yar
├── gen_onenote_phish.yar
├── gen_osx_backdoor_bella.yar
├── gen_osx_evilosx.yar
├── gen_osx_pyagent_persistence.yar
├── gen_p0wnshell.yar
├── gen_phish_attachments.yar
├── gen_pirpi.yar
├── gen_powerkatz.yar
├── gen_powershdll.yar
├── gen_powershell_empire.yar
├── gen_powershell_invocation.yar
├── gen_powershell_obfuscation.yar
├── gen_powershell_suite.yar
├── gen_powershell_susp.yar
├── gen_powershell_toolkit.yar
├── gen_powersploit_dropper.yar
├── gen_ps1_shellcode.yar
├── gen_ps_empire_eval.yar
├── gen_ps_osiris.yar
├── gen_pua.yar
├── gen_pupy_rat.yar
├── gen_python_encoded_adware.yar
├── gen_python_pty_shell.yar
├── gen_python_pyminifier_encoded_payload.yar
├── gen_python_reverse_shell.yara
├── gen_qakbot_uninstaller.yar
├── gen_rar_exfil.yar
├── gen_rats_malwareconfig.yar
├── gen_recon_indicators.yar
├── gen_redmimicry.yar
├── gen_redsails.yar
├── gen_regsrv32_issue.yar
├── gen_remote_potato0.yar
├── gen_rottenpotato.yar
├── gen_rtf_malver_objects.yar
├── gen_sfx_with_microsoft_copyright.yar
├── gen_sharpcat.yar
├── gen_shikataganai.yar
├── gen_sign_anomalies.yar
├── gen_solarwinds_credential_stealer.yar
├── gen_susp_bat2exe.yar
├── gen_susp_bat_aux.yar
├── gen_susp_cmd_var_expansion.yar
├── gen_susp_hacktool.yar
├── gen_susp_indicators.yar
├── gen_susp_js_obfuscatorio.yar
├── gen_susp_lnk.yar
├── gen_susp_lnk_files.yar
├── gen_susp_net_msil.yar
├── gen_susp_obfuscation.yar
├── gen_susp_office_dropper.yar
├── gen_susp_ps_jab.yar
├── gen_susp_sfx.yar
├── gen_susp_strings_in_ole.yar
├── gen_susp_svg_js_phish_mar25.yar
├── gen_susp_wer_files.yar
├── gen_susp_xor.yar
├── gen_suspicious_InPage_dropper.yar
├── gen_suspicious_strings.yar
├── gen_sysinternals_anomaly.yar
├── gen_tempracer.yar
├── gen_thumbs_cloaking.yar
├── gen_transformed_strings.yar
├── gen_tscookie_rat.yar
├── gen_unicorn_obfuscated_powershell.yar
├── gen_unsigned_thor.yar
├── gen_unspecified_malware.yar
├── gen_url_persitence.yar
├── gen_url_to_local_exe.yar
├── gen_vcruntime140_dll_sideloading.yar
├── gen_vhd_anomaly.yar
├── gen_webshell_csharp.yar
├── gen_webshells.yar
├── gen_webshells_ext_vars.yar
├── gen_win_privesc.yar
├── gen_winpayloads.yar
├── gen_winshells.yar
├── gen_wmi_implant.yar
├── gen_xor_hunting.yar
├── gen_xored_pe.yar
├── gen_xtreme_rat.yar
├── gen_ysoserial_payloads.yar
├── gen_zoho_rcef_logs.yar
├── general_cloaking.yar
├── general_officemacros.yar
├── generic_anomalies.yar
├── generic_cryptors.yar
├── generic_dumps.yar
├── generic_exe2hex_payload.yar
├── hktl_HvS_nfs_security_tooling.yar
├── hktl_badsuccessor_helper_may25.yar
├── hktl_bruteratel_c4.yar
├── hktl_bruteratel_c4_badger.yar
├── hktl_natbypass.yar
├── log_teamviewer_keyboard_layouts.yar
├── mal_avemaria_rat.yar
├── mal_babbleloader_win_jan24.yar
├── mal_bibi_wiper_oct23.yar
├── mal_codecov_hack.yar
├── mal_crime_unknown.yar
├── mal_cryp_rat.yar
├── mal_ducktail_compromised_certs_jun23.yar
├── mal_efile_apr23.yar
├── mal_fake_document_software.yar
├── mal_fortinet_coathanger_feb24.yar
├── mal_go_modbus.yar
├── mal_inc_ransomware.yar
├── mal_katz_stealer.yar
├── mal_lnx_barracuda_cve_2023_2868.yar
├── mal_lnx_implant_may22.yar
├── mal_lockbit4_hashing_alg_win_feb24.yar
├── mal_lockbit4_packed_win_feb24.yar
├── mal_lockbit4_rc4_win_feb24.yar
├── mal_lockbit_lnx_macos_apr23.yar
├── mal_netsha.yar
├── mal_octowave_installer_mar25.yar
├── mal_octowave_loader_mar25.yar
├── mal_passwordstate_backdoor.yar
├── mal_perfctl_oct24.yar
├── mal_phish_feb25.yar
├── mal_qbot_feb23.yar
├── mal_qbot_payloads.yar
├── mal_ralordv1_win_ap25.yar
├── mal_ransom_esxi_attacks_feb23.yar
├── mal_ransom_lorenz.yar
├── mal_ru_sparepart_dec22.yar
├── mal_sophos_pygmy_nov24.yar
├── mal_win_akira_apr25.yar
├── mal_win_go_backorder_loader.yar
├── mal_win_megazord_apr25.yar
├── mal_xlogin_nov24.yar
├── mixed_open_source_export.yar
├── pua_cryptocoin_miner.yar
├── pua_xmrig_monero_miner.yar
├── pup_lightftp.yar
├── seaspy_backdoor_jan25.yar
├── spy_equation_fiveeyes.yar
├── spy_querty_fiveeyes.yar
├── spy_regin_fiveeyes.yar
├── susp_bat_obfusc_jul24.yar
├── susp_email_redirection_spoofing.yar
├── susp_vulndriver_hp_hardware_diagnostics_etdsupp_may23.yar
├── thor-hacktools.yar
├── thor-webshells.yar
├── thor_inverse_matches.yar
├── threat_lenovo_superfish.yar
├── vul_backdoor_antitheftweb.yar
├── vul_confluence_questions_plugin_cve_2022_26138.yar
├── vul_cve_2020_0688.yar
├── vul_cve_2020_1938.yar
├── vul_cve_2021_3438_printdriver.yar
├── vul_cve_2021_386471_omi.yar
├── vul_dell_bios_upd_driver.yar
├── vul_drivecrypt.yar
├── vul_jquery_fileupload_cve_2018_9206.yar
├── vul_php_zlib_backdoor.yar
├── vuln_erlang_otp_ssh_cve_2025_32433.yar
├── vuln_gigabyte_driver.yar
├── vuln_keepass_brute_forcible.yar
├── vuln_moveit_0day_jun23.yar
├── vuln_paloalto_cve_2024_3400_apr24.yar
├── vuln_proxynotshell_cve_2022_41040.yar
├── webshell_regeorg.yar
├── webshell_xsl_transform.yar
├── yara-rules_mal_drivers.yar
├── yara-rules_vuln_drivers_strict.yar
├── yara-rules_vuln_drivers_strict_renamed.yar
└── yara_mixed_ext_vars.yar
/.gitignore:
--------------------------------------------------------------------------------
1 |
2 | threatintel/get-otx-iocs_flo.py
3 |
4 | threatintel/get-misp-iocs_flo.py
5 |
6 | yara/gen_winrarsfx_uncom_vendors.yar
7 |
8 | threatintel/get-blueliv-iocs.py
9 | 3rdparty
10 | build
11 | main.log
12 | *.swp
13 |
--------------------------------------------------------------------------------
/.travis.yml:
--------------------------------------------------------------------------------
1 | language: python
2 | python:
3 | - 2.7
4 | cache: pip
5 | install:
6 | - pip install yara-python
7 |
8 | script:
9 | - python ./build-rules.py
10 | - make all
11 |
12 | notifications:
13 | email:
14 | recipients:
15 | - venom14@gmail.com
16 | on_success: change
17 | on_failure: always
18 |
--------------------------------------------------------------------------------
/.yara-ci.yml:
--------------------------------------------------------------------------------
1 | files:
2 | accept:
3 | - "**.yar"
4 | variables:
5 | filename: ""
6 | filepath: ""
7 | extension: ""
8 | filetype: ""
--------------------------------------------------------------------------------
/Code_of_Conduct.md:
--------------------------------------------------------------------------------
1 | Just kidding. Simply don't be an ass.
--------------------------------------------------------------------------------
/_config.yml:
--------------------------------------------------------------------------------
1 | theme: jekyll-theme-slate
--------------------------------------------------------------------------------
/iocs/README.txt:
--------------------------------------------------------------------------------
1 | Files in this directory will be initialised according to strings in their filename.
2 |
3 | The string "hash" in the filename will initialise the file as hash IOC list.
4 | The string "filename" in the filename will initialise the file as filename IOC list.
5 | The string "c2" in the filename will initialise the file as C2 server IOC list.
6 |
--------------------------------------------------------------------------------
/iocs/keywords.txt:
--------------------------------------------------------------------------------
1 | # MALICIOUS KEYWORDS
2 | #
3 | # Subset of keywords from THOR APT Scanner
4 |
5 | # Password Dumper
6 | WCESERVICE
7 | WCE_SERVICE
8 | WCE SERVICE
9 |
10 | # Mimikatz
11 | eo.oe.kiwi
12 | <3 eo.oe
13 | mimilib
14 | privilege::debug
15 | sekurlsa::LogonPasswords
16 | sekurlsa::logonpasswords
17 |
18 | # Metasploit PsExec
19 | %COMSPEC% /C start %COMSPEC% /C \\WINDOWS\\Temp
20 |
21 | # Javascript Windows Scripting Host - Suspicious - see http://goo.gl/6HRCbk
22 | wscript.exe /b /nologo /E:javascript
23 |
24 | # Java Deserialisation Exploit Tools
25 | ysoserial-0.
26 |
27 | # Powersploit
28 | Powersploit
29 |
30 | # Powershell Mimikatz https://adsecurity.org/?p=2604
31 | Invoke-Mimikatz
32 |
33 | # Don't remove this line
34 |
--------------------------------------------------------------------------------
/yara/apt_aa19_024a.yar:
--------------------------------------------------------------------------------
1 |
2 | rule APT_MAL_DNS_Hijacking_Campaign_AA19_024A {
3 | meta:
4 | description = "Detects malware used in DNS Hijacking campaign"
5 | author = "Florian Roth (Nextron Systems)"
6 | reference = "https://www.us-cert.gov/ncas/alerts/AA19-024A"
7 | date = "2019-01-25"
8 | hash1 = "2010f38ef300be4349e7bc287e720b1ecec678cacbf0ea0556bcf765f6e073ec"
9 | hash2 = "45a9edb24d4174592c69d9d37a534a518fbe2a88d3817fc0cc739e455883b8ff"
10 | id = "6a476052-ba4e-5049-9c7a-f8949d26e7b5"
11 | strings:
12 | $s2 = "/Client/Login?id=" fullword ascii
13 | $s3 = "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko" fullword ascii
14 | $s4 = ".\\Configure.txt" fullword ascii
15 | $s5 = "Content-Disposition: form-data; name=\"files\"; filename=\"" fullword ascii
16 | $s6 = "Content-Disposition: form-data; name=\"txts\"" fullword ascii
17 | condition:
18 | uint16(0) == 0x5a4d and filesize < 1000KB and 2 of them
19 | }
20 |
--------------------------------------------------------------------------------
/yara/apt_apt12_malware.yar:
--------------------------------------------------------------------------------
1 | /*
2 | Yara Rule Set
3 | Author: Florian Roth
4 | Date: 2017-08-30
5 | Identifier: APT 12 Japanese Incident
6 | Reference: http://blog.macnica.net/blog/2017/08/post-fb81.html
7 | */
8 |
9 | /* Rule Set ----------------------------------------------------------------- */
10 |
11 | import "pe"
12 |
13 | rule APT12_Malware_Aug17 {
14 | meta:
15 | description = "Detects APT 12 Malware"
16 | license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
17 | author = "Florian Roth (Nextron Systems)"
18 | reference = "http://blog.macnica.net/blog/2017/08/post-fb81.html"
19 | date = "2017-08-30"
20 | hash1 = "dc7521c00ec2534cf494c0263ddf67ea4ba9915eb17bdc0b3ebe9e840ec63643"
21 | hash2 = "42da51b69bd6625244921a4eef9a2a10153e012a3213e8e9877cf831aea3eced"
22 | id = "6c9cd68f-b839-5c99-a9f5-14c2d8a28bec"
23 | condition:
24 | ( uint16(0) == 0x5a4d and pe.imphash() == "9ba915fd04f248ad62e856c7238c0264" )
25 | }
26 |
--------------------------------------------------------------------------------
/yara/apt_apt17_malware.yar:
--------------------------------------------------------------------------------
1 | /*
2 | Yara Rule Set
3 | Author: Florian Roth
4 | Date: 2015-05-14
5 | Identifier: APT17
6 | */
7 |
8 | /* Rule Set ----------------------------------------------------------------- */
9 |
10 | rule APT17_Sample_FXSST_DLL {
11 | meta:
12 | description = "Detects Samples related to APT17 activity - file FXSST.DLL"
13 | license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
14 | author = "Florian Roth (Nextron Systems)"
15 | reference = "https://goo.gl/ZiJyQv"
16 | date = "2015-05-14"
17 | hash = "52f1add5ad28dc30f68afda5d41b354533d8bce3"
18 | id = "e4b9b25e-8895-5ba5-b706-bfb6892c16ae"
19 | strings:
20 | $x1 = "Microsoft? Windows? Operating System" fullword wide
21 | $x2 = "fxsst.dll" fullword ascii
22 |
23 | $y1 = "DllRegisterServer" fullword ascii
24 | $y2 = ".cSV" fullword ascii
25 |
26 | $s1 = "GetLastActivePopup"
27 | $s2 = "Sleep"
28 | $s3 = "GetModuleFileName"
29 | $s4 = "VirtualProtect"
30 | $s5 = "HeapAlloc"
31 | $s6 = "GetProcessHeap"
32 | $s7 = "GetCommandLine"
33 | condition:
34 | uint16(0) == 0x5a4d and filesize < 800KB and
35 | ( all of ($x*) or all of ($y*) ) and all of ($s*)
36 | }
37 |
--------------------------------------------------------------------------------
/yara/apt_apt37.yar:
--------------------------------------------------------------------------------
1 | rule APT_NK_Methodology_Artificial_UserAgent_IE_Win7 {
2 | meta:
3 | author = "Steve Miller aka @stvemillertime"
4 | description = "Detects hard-coded User-Agent string that has been present in several APT37 malware families."
5 | hash1 = "e63efbf8624a531bb435b7446dbbfc25"
6 | score = 45
7 | id = "a747c908-7af7-5c29-8386-a71db7648061"
8 | strings:
9 | $a1 = "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
10 | $a2 = {4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20 28 57 69 6e 64 6f 77 73 20 4e 54 20 36 2e 31 3b 20 57 4f 57 36 34 3b 20 54 72 69 64 65 6e 74 2f 37 2e 30 3b 20 72 76 3a 31 31 2e 30 29 20 6c 69 6b 65 20 47 65 63 6b 6f 00 00 00 00}
11 |
12 | $fp1 = "Esumsoft" wide
13 | $fp2 = "Acunetix" wide ascii
14 | $fp3 = "TASER SYNC" ascii
15 | condition:
16 | uint16(0) == 0x5A4D and all of ($a*) and not 1 of ($fp*)
17 | }
18 |
--------------------------------------------------------------------------------
/yara/apt_backdoor_ssh_python.yar:
--------------------------------------------------------------------------------
1 |
2 | rule custom_ssh_backdoor_server {
3 | meta:
4 | description = "Custom SSH backdoor based on python and paramiko - file server.py"
5 | author = "Florian Roth (Nextron Systems)"
6 | reference = "https://goo.gl/S46L3o"
7 | date = "2015-05-14"
8 | modified = "2022-08-18"
9 | hash = "0953b6c2181249b94282ca5736471f85d80d41c9"
10 | id = "eccf705b-b2c3-5af6-ab86-70292089812b"
11 | strings:
12 | $s0 = "command= raw_input(\"Enter command: \").strip('n')" fullword ascii
13 | $s1 = "print '[-] (Failed to load moduli -- gex will be unsupported.)'" fullword ascii
14 | $s2 = "print '[-] Listen/bind/accept failed: ' + str(e)" fullword ascii
15 | condition:
16 | 2 of them
17 | }
18 |
--------------------------------------------------------------------------------
/yara/apt_backspace.yar:
--------------------------------------------------------------------------------
1 | /*
2 | Author: Bit Byte Bitten
3 | Date: 5/14/2015
4 | */
5 |
6 | rule apt_backspace{
7 | meta:
8 | description = "Detects APT backspace"
9 | author = "Bit Byte Bitten"
10 | date = "2015-05-14"
11 | hash = "6cbfeb7526de65eb2e3c848acac05da1e885636d17c1c45c62ad37e44cd84f99"
12 | id = "3da3337d-b6d3-5661-b43e-535e06817303"
13 | strings:
14 | $s1 = "!! Use Splice Socket !!"
15 | $s2 = "User-Agent: SJZJ (compatible; MSIE 6.0; Win32)"
16 | $s3 = "g_nAV=%d,hWnd:0x%X,className:%s,Title:%s,(%d,%d,%d,%d),BOOL=%d"
17 | condition:
18 | uint16(0) == 0x5a4d and all of them
19 | }
--------------------------------------------------------------------------------
/yara/apt_beepservice.yar:
--------------------------------------------------------------------------------
1 | /*
2 | Yara Rule Set
3 | Author: Florian Roth
4 | Date: 2016-05-12
5 | Identifier:
6 | */
7 |
8 | /* Rule Set ----------------------------------------------------------------- */
9 |
10 | rule BeepService_Hacktool {
11 | meta:
12 | description = "Detects BeepService Hacktool used by Chinese APT groups"
13 | license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
14 | author = "Florian Roth (Nextron Systems)"
15 | reference = "https://goo.gl/p32Ozf"
16 | date = "2016-05-12"
17 | score = 85
18 | hash1 = "032df812a68852b6f3822b9eac4435e531ca85bdaf3ee99c669134bd16e72820"
19 | hash2 = "e30933fcfc9c2a7443ee2f23a3df837ca97ea5653da78f782e2884e5a7b734f7"
20 | hash3 = "ebb9c4f7058e19b006450b8162910598be90428998df149977669e61a0b7b9ed"
21 | hash4 = "6db2ffe7ec365058f9d3b48dcca509507c138f19ade1adb5f13cf43ea0623813"
22 | id = "8813a01a-10db-52e7-bb1e-322864e87b15"
23 | strings:
24 | $x1 = "\\\\%s\\admin$\\system32\\%s" fullword ascii
25 |
26 | $s1 = "123.exe" fullword ascii
27 | $s2 = "regclean.exe" fullword ascii
28 | $s3 = "192.168.88.69" fullword ascii
29 | condition:
30 | uint16(0) == 0x5a4d and filesize < 100KB and $x1 and 1 of ($s*)
31 | }
32 |
--------------------------------------------------------------------------------
/yara/apt_bitter.yar:
--------------------------------------------------------------------------------
1 |
rule EXT_APT_Bitter_Win32k_0day_Feb21 {
   meta:
      description = "Detects code that exploits a Windows 0day exploited by Bitter APT group"
      author = "dbappsecurity_lieying_lab"
      date = "2021-01-01"
      reference = "https://ti.dbappsecurity.com.cn/blog/index.php/2021/02/10/windows-kernel-zero-day-exploit-is-used-by-bitter-apt-in-targeted-attack/"
      id = "b1892b52-4b94-5571-ad63-8750a321f1f2"
   strings:
      // API names; all four are required, which keeps the generic ones ($s3, $s4) from matching on their own
      $s1 = "NtUserConsoleControl" wide ascii
      $s2 = "NtCallbackReturn" wide ascii
      $s3 = "CreateWindowEx" wide ascii
      $s4 = "SetWindowLong" wide ascii

      // Code fragments; any single one is sufficient together with the API names
      $a1 = {48 C1 E8 02 48 C1 E9 02 C7 04 8A}
      $a2 = {66 0F 1F 44 00 00 80 3C 01 E8 74 22 FF C2 48 FF C1}
      $a3 = {48 63 05 CC 69 05 00 8B 0D C2 69 05 00 48 C1 E0 20 48 03 C1}

   condition:
      uint16(0) == 0x5a4d   // MZ header
      and all of ($s*)
      and 1 of ($a*)
}
22 |
--------------------------------------------------------------------------------
/yara/apt_cisco_asa_line_dancer_apr24.yar:
--------------------------------------------------------------------------------
1 |
rule Line_Dancer {
   meta:
      author = "NCSC"
      description = "Targets code sections of Line Dancer, a shellcode loader targeting Cisco ASA devices."
      reference = "https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/line/ncsc-tip-line-dancer.pdf"
      date = "2024-04-24"
      score = 75
      id = "3b49a861-8107-577a-bae1-ae28d424cc13"
   strings:
      // Three code fragments taken from the referenced report; all must be present.
      // No header or filesize guard is applied — presumably so the rule also fits
      // memory or firmware dumps rather than only files (confirm against the report).
      $code1 = { 48 8D 5E 20 48 8D 3D BB FF FF FF BA 20 00 00 00 }
      $code2 = { 4C 89 EE 44 89 F2 48 8D 3D 9A 27 00 00 }
      $code3 = { 41 FF D7 41 5F 41 5E 41 5D 41 5C 5B 5D 48 C7 C0 01 00 00 00 5F }
   condition:
      all of them
}
17 |
--------------------------------------------------------------------------------
/yara/apt_cmstar.yar:
--------------------------------------------------------------------------------
1 | /*
2 | Yara Rule Set
3 | Author: Florian Roth
4 | Date: 2017-10-03
5 | Identifier: CMStar Threat Actor
6 | Reference: https://goo.gl/pTffPA
7 | */
8 |
9 | /* Rule Set ----------------------------------------------------------------- */
10 |
11 | import "pe"
12 |
rule CMStar_Malware_Sep17 {
   meta:
      description = "Detects CMStar Malware"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://goo.gl/pTffPA"
      date = "2017-10-03"
      hash1 = "16697c95db5add6c1c23b2591b9d8eec5ed96074d057b9411f0b57a54af298d5"
      id = "d6c9cd7f-06ce-5641-b9b2-c81daf18628d"
   strings:
      // File name and status format string; both are needed for the string-based branch
      $s1 = "UpdateService.tmp" ascii fullword
      $s2 = "StateNum:%d,FileSize:%d" ascii fullword
   condition:
      uint16(0) == 0x5a4d   // MZ header
      and filesize < 100KB
      and (
         // Three independent indicators: import hash, exported symbol, or both strings
         pe.imphash() == "22021985de78a48ea8fb82a2ff9eb693"
         or pe.exports("WinCred")
         or all of them
      )
}
32 |
--------------------------------------------------------------------------------
/yara/apt_coreimpact_agent.yar:
--------------------------------------------------------------------------------
1 | /*
2 | Core Impact Agent known from RocketKitten and WoolenGoldfish APT
3 | */
4 |
5 |
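rule CoreImpact_sysdll_exe {
   meta:
      description = "Detects a malware sysdll.exe from the Rocket Kitten APT"
      author = "Florian Roth (Nextron Systems)"
      score = 70
      // Was "27.12.2014"; normalised to the ISO date format every other rule in the set uses
      date = "2014-12-27"
      modified = "2023-01-06"
      hash = "f89a4d4ae5cca6d69a5256c96111e707"
      id = "bac55c00-5d14-59ca-8597-f52b4577be0c"
   strings:
      // Build-path fragment; on its own it is sufficient for a match
      $s0 = "d:\\nightly\\sandbox_avg10_vc9_SP1_2011\\source\\avg10\\avg9_all_vs90\\bin\\Rele" ascii

      // Generic strings; when $s0 is absent, six of the strings below must be present
      $s1 = "Mozilla/5.0" fullword ascii
      $s3 = "index.php?c=%s&r=%lx" fullword ascii
      $s4 = "index.php?c=%s&r=%x" fullword ascii
      $s5 = "127.0.0.1" fullword ascii
      $s6 = "/info.dat" ascii
      $s7 = "needroot" fullword ascii
      $s8 = "./plugins/" ascii
   condition:
      // No header or filesize guard: the rule is intended to work on memory as well as files
      // (inferred from the missing uint16(0) check — confirm)
      $s0 or 6 of them
}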
28 |
--------------------------------------------------------------------------------
/yara/apt_duqu1_5_modules.yar:
--------------------------------------------------------------------------------
1 |
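rule Duqu1_5_modules {
   meta:
      author = "Silas Cutler (havex@chronicle.security)"
      // Key renamed from "desc" so tooling that reads the standard "description" field sees it
      description = "Detection for Duqu 1.5 modules"
      hash = "bb3961e2b473c22c3d5939adeb86819eb846ccd07f5736abb5e897918580aace"
      reference = "https://medium.com/chronicle-blog/who-is-gossipgirl-3b4170f846c0"
      id = "7239f5e1-c08f-566c-8998-f7dacc2c4a29"
   strings:
      // Format and device strings ($c1 is ascii by default, $c2/$c3 are UTF-16)
      $c1 = "%s(%d)disk(%d)fdisk(%d)"
      $c2 = "\\Device\\Floppy%d" wide
      $c3 = "BrokenAudio" wide
      // Code fragments
      $m1 = { 81 3F E9 18 4B 7E}
      $m2 = { 81 BC 18 F8 04 00 00 B3 20 EA B4 }
   condition:
      // Every string is required; no header or filesize guard is applied
      all of them
}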
18 |
--------------------------------------------------------------------------------
/yara/apt_eqgrp_triangulation_jun23.yar:
--------------------------------------------------------------------------------
1 |
rule APT_Equation_Group_Op_Triangulation_TriangleDB_Implant_Jun23_1 {
   meta:
      description = "Detects TriangleDB implant found being used in Operation Triangulation on iOS devices (maybe also used on macOS systems)"
      author = "Florian Roth"
      reference = "https://securelist.com/triangledb-triangulation-implant/110050/"
      date = "2023-06-21"
      score = 80
      id = "d81a5103-41c8-5dba-a560-8fb5514f6c0a"
   strings:
      // Symbol / class names; $s1 is the anchor for the file-based branch
      $s1 = "unmungeHexString" fullword ascii
      $s2 = "CRPwrInfo" fullword ascii
      $s3 = "CRConfig" fullword ascii
      $s4 = "CRXConfigureDBServer" fullword ascii
   condition:
      // File branch: 64-bit Mach-O magic (0xfeedfacf read little-endian), size bound,
      // $s1 plus at least one further string — "2 of them" counts $s1 itself
      ( uint16(0) == 0xfacf and filesize < 30MB and $s1 and 2 of them )
      // Otherwise (memory, other containers) require every string
      or all of them
}
19 |
--------------------------------------------------------------------------------
/yara/apt_exile_rat.yar:
--------------------------------------------------------------------------------
1 |
2 | import "pe"
3 |
rule MAL_ExileRAT_Feb19_1 {
   meta:
      description = "Detects Exile RAT"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://blog.talosintelligence.com/2019/02/exilerat-shares-c2-with-luckycat.html"
      date = "2019-02-04"
      license = "https://creativecommons.org/licenses/by-nc/4.0/"
      hash1 = "3eb026d8b778716231a07b3dbbdc99e2d3a635b1956de8a1e6efc659330e52de"
      id = "f0a510f3-5fea-59a7-8991-9d06dc478b2a"
   strings:
      // Multipart form header with a fixed upload file name
      $x1 = "Content-Disposition:form-data;name=\"x.bin\"" ascii fullword

      // File names, PDB path fragment and format strings
      $s1 = "syshost.dll" ascii fullword
      $s2 = "\\scout\\Release\\scout.pdb" ascii
      $s3 = "C:\\data.ini" ascii fullword
      $s4 = "my-ip\" value=\"" ascii fullword
      $s5 = "ver:%d.%d.%d" ascii fullword
   condition:
      uint16(0) == 0x5a4d   // MZ header
      and filesize < 500KB
      and (
         // Either the import hash or any three strings (the $x1 string counts towards the three)
         pe.imphash() == "da8475fc7c3c90c0604ce6a0b56b5f21"
         or 3 of them
      )
}
27 |
--------------------------------------------------------------------------------
/yara/apt_f5_bigip_expl_payloads.yar:
--------------------------------------------------------------------------------
1 |
rule MAL_Payload_F5_BIG_IP_Exploitations_Jul20_1 {
   meta:
      description = "Detects code found in report on exploits against CVE-2020-5902 F5 BIG-IP vulnerability by NCC group"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://research.nccgroup.com/2020/07/05/rift-f5-networks-k52145254-tmui-rce-vulnerability-cve-2020-5902-intelligence/"
      // NOTE(review): this date is earlier than the referenced post (2020-07-05) — confirm it is not a typo
      date = "2020-06-07"
      score = 75
      id = "57705ba1-c0ad-5ca6-8539-44d9da6b5942"
   strings:
      // Shell fragments quoted in the report; any one of them is enough for a match
      $x1 = "rm -f /etc/ld.so.preload" fullword ascii
      $x2 = "echo \"* * * * * $LDR" ascii
      $x3 = ".sh -o /tmp/in.sh" ascii
      $x4 = "chmod a+x /etc/.modules/.tmp" ascii
      $x5 = "chmod +x /var/log/F5-logcheck" ascii

      // Less specific fragments; three strings in total are needed when no $x string hits
      $s1 = "ulimit -n 65535" fullword ascii
      $s2 = "-s /usr/bin/wget " ascii
      $s3 = ".sh | sh" ascii
   condition:
      // No header check: the payloads are scripts, so only the size is bounded
      filesize < 300KB
      and ( 1 of ($x*) or 3 of them )
}
24 |
--------------------------------------------------------------------------------
/yara/apt_fancybear_computrace_agent.yar:
--------------------------------------------------------------------------------
rule PUP_ComputraceAgent {
   meta:
      description = "Absolute Computrace Agent Executable"
      author = "ASERT - Arbor Networks (slightly modified by Florian Roth)"
      date = "2018-05-01"
      reference = "https://asert.arbornetworks.com/lojack-becomes-a-double-agent/"
      id = "676f8f1e-a3b4-5d05-b13b-bd6cb0aabbbd"
   strings:
      // Code fragment; sufficient on its own
      $a = { D1 E0 F5 8B 4D 0C 83 D1 00 8B EC FF 33 83 C3 04 }
      // "rpcnetp.exe\0rpcnetp\0" and "TagId\0" as raw bytes (null terminators included)
      $b1 = { 72 70 63 6E 65 74 70 2E 65 78 65 00 72 70 63 6E 65 74 70 00 }
      $b2 = { 54 61 67 49 64 00 }
   condition:
      uint16(0) == 0x5a4d   // MZ header
      and filesize < 40KB
      and ( $a or ( $b1 and $b2 ) )
}
15 |
--------------------------------------------------------------------------------
/yara/apt_fancybear_osxagent.yar:
--------------------------------------------------------------------------------
rule MAL_OSX_FancyBear_Agent_Jul18_1 {
   meta:
      description = "Detects FancyBear Agent for OSX"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://twitter.com/DrunkBinary/status/1018448895054098432"
      date = "2018-07-15"
      hash1 = "d3be93f6ce59b522ff951cef9d59ef347081ffe33d4203cd5b5df0aaa9721aa2"
      id = "ae717f70-7196-561a-916f-1598ab38c77a"
   strings:
      // Developer home-directory path left in the binary
      $x1 = "/Users/kazak/Desktop/" ascii

      // Shell commands used for installation / persistence
      $s1 = "launchctl load -w ~/Library/LaunchAgents/com.apple.updates.plist" ascii fullword
      $s2 = "mkdir -p /Users/Shared/.local/ &> /dev/null" ascii fullword
      $s3 = "chmod 755 /Users/Shared/start.sh" ascii fullword
      $s4 = "chmod 755 %s/%s &> /dev/null" ascii fullword
      $s6 = "chmod 755 /Users/Shared/.local/kextd" ascii fullword
   condition:
      // 64-bit Mach-O magic (0xfeedfacf read little-endian); $x1 is the only $x string,
      // and "4 of them" counts it, so three of the $s strings are needed in addition
      uint16(0) == 0xfacf
      and filesize < 3000KB
      and ( $x1 and 4 of them )
}
21 |
--------------------------------------------------------------------------------
/yara/apt_fidelis_phishing_plain_sight.yar:
--------------------------------------------------------------------------------
1 |
rule Fidelis_Advisory_Purchase_Order_pps {
   meta:
      description = "Detects a string found in a malicious document named Purchase_Order.pps"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "http://goo.gl/ZjJyti"
      date = "2015-06-09"
      id = "205c4cda-6874-5455-8eb9-b63fb09b13fd"
   strings:
      // Local path embedded in the document; the single indicator this rule relies on
      $s0 = "Users\\Gozie\\Desktop\\Purchase-Order.gif" ascii
   condition:
      $s0
}
15 |
rule Fidelis_Advisory_cedt370 {
   meta:
      description = "Detects a string found in memory of malware cedt370r(3).exe"
      author = "Florian Roth (Nextron Systems)"
      reference = "http://goo.gl/ZjJyti"
      date = "2015-06-09"
      id = "b5ebf2d7-e3e4-5b3b-a082-417da9c7fda6"
   strings:
      // Individually generic strings; the rule requires all of them, and applies no
      // header check because it is meant for process memory (see description)
      $s0 = "PO.exe" fullword ascii
      $s1 = "Important.exe" fullword ascii
      $s2 = "&username=" fullword ascii
      $s3 = "Browsers.txt" fullword ascii
   condition:
      all of ($s*)
}
31 |
--------------------------------------------------------------------------------
/yara/apt_fin8.yar:
--------------------------------------------------------------------------------
rule Shellcode_APIHashing_FIN8 {
   meta:
      description = "Detects FIN8 Shellcode APIHashing"
      author = "Frank Boldewin (@r3c0nst)"
      date = "2021-03-16"
      reference = "https://www.bitdefender.com/files/News/CaseStudies/study/394/Bitdefender-PR-Whitepaper-BADHATCH-creat5237-en-EN.pdf"
      id = "bca5601c-2998-545b-8dd0-ec3c861e6291"
   strings:
      // 32-bit code fragments; all three are required together
      $h32_1 = {81 F7 99 5D 52 69 81 F3 30 D7 00 AB}
      $h32_2 = {68 F2 55 03 88 68 65 19 6D 1E}
      $h32_3 = {68 9B 59 27 21 C1 E9 17 33 4C 24 10 68 37 5C 32 F4}

      // 64-bit code fragments; both are required together
      $h64_1 = {49 BF 65 19 6D 1E F2 55 03 88 49 BE 37 5C 32 F4 9B 59 27 21}
      $h64_2 = {48 B8 99 5D 52 69 30 D7 00 AB}

   condition:
      // No header or filesize guard, so the rule also applies to raw shellcode and memory
      all of ($h32_*) or all of ($h64_*)
}
--------------------------------------------------------------------------------
/yara/apt_fujinama_rat.yar:
--------------------------------------------------------------------------------
rule APT_MAL_Fujinama {
   meta:
      description = "Fujinama RAT used by Leonardo SpA Insider Threat"
      author = "ReaQta Threat Intelligence Team"
      reference = "https://reaqta.com/2021/01/fujinama-analysis-leonardo-spa"
      date = "2021-01-07"
      version = "1"
      id = "b10b1e45-aa6c-53fa-8e02-7a325c3e12fb"
   strings:
      // Every string below is generic on its own; the rule is only meaningful because
      // the condition requires all of them (case-insensitive, ascii or UTF-16)
      $keylog_1 = "SELECT" nocase wide ascii
      $keylog_2 = "RIGHT" nocase wide ascii
      $keylog_3 = "HELP" nocase wide ascii
      $keylog_4 = "WINDOWS" nocase wide ascii
      $computername = "computername" nocase wide ascii
      $useragent = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)" nocase wide ascii
      $pattern = "'()*+,G-./0123456789:" nocase wide ascii
      $function_1 = "t_save" nocase wide ascii
      $cftmon = "cftmon" nocase wide ascii
      $font = "Tahoma" nocase wide ascii
   condition:
      uint16(0) == 0x5a4d   // MZ header
      and all of them
}
--------------------------------------------------------------------------------
/yara/apt_goldenspy.yar:
--------------------------------------------------------------------------------
rule APT_MAL_BKA_GoldenSpy_Aug20_1 {
   meta:
      description = "Detects variants of GoldenSpy Malware"
      reference = "https://www.bka.de/SharedDocs/Kurzmeldungen/DE/Warnhinweise/200821_Cyberspionage.html"
      author = "BKA"
      date = "2020-08-21"
      id = "4f47087e-6e68-53ff-9446-72a1751da359"
   strings:
      // Code fragment (hex pattern written without byte separators, as in the original)
      $str01 = {c78510ffffff00000000 c78514ffffff0f000000 c68500ffffff00 c78528ffffff00000000 c7852cffffff0f000000 c68518ffffff00 c78540ffffff00000000 c78544ffffff0f000000 c68530ffffff00 c645fc14 80bd04feffff00}
      // HTTP client class name, multipart boundary, registry path and misc identifiers
      $str02 = "Ryeol HTTP Client Class" ascii
      $str03 = "----RYEOL-FB3B405B7EAE495aB0C0295C54D4E096-" ascii
      $str04 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths\\fwkp.exe" ascii
      $str05 = "svmm" ascii
      $str06 = "PROTOCOL_" ascii
      $str07 = "softList" ascii
      $str08 = "excuteExe" ascii
   condition:
      // MZ header and any five of the eight strings
      uint16(0) == 0x5a4d
      and 5 of them
}
20 |
21 |
--------------------------------------------------------------------------------
/yara/apt_ham_tofu_chches.yar:
--------------------------------------------------------------------------------
1 |
2 | /*
3 | Yara Rule Set
4 | Author: Cylance
5 | Date: 2017-02-28
6 | Identifier: Japanese-centric threat
7 | */
8 |
9 | /* Rule Set ----------------------------------------------------------------- */
10 |
rule Tofu_Backdoor {
   meta:
      description = "Detects Tofu Trojan"
      author = "Cylance"
      reference = "https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html"
      date = "2017-02-28"
      id = "03848366-f139-5352-959d-390992d96296"
   strings:
      // HTTP header fragment
      $a = "Cookies: Sym1.0"
      // Named-pipe path. This is a text string, not a regex, so "[12345678]" is matched
      // literally — NOTE(review): presumably meant as a character class; confirm against the source
      $b = "\\\\.\\pipe\\1[12345678]"
      // Code fragment
      $c = {66 0F FC C1 0F 11 40 D0 0F 10 40 D0 66 0F EF C2 0F 11 40 D0 0F 10 40 E0}
   condition:
      // Any single string is enough; no header or filesize guard
      any of them
}
25 |
--------------------------------------------------------------------------------
/yara/apt_hizor_rat.yar:
--------------------------------------------------------------------------------
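rule apt_win32_dll_rat_hiZorRAT
{
   meta:
      // Key was misspelled "dexcription", so the description never showed up in tooling
      description = "Detects hiZor RAT"
      hash1 = "75d3d1f23628122a64a2f1b7ef33f5cf"
      hash2 = "d9821468315ccd3b9ea03161566ef18e"
      hash3 = "b9af5f5fd434a65d7aa1b55f5441c90a"
      ref1 = "http://www.threatgeek.com/2016/01/introducing-hi-zor-rat.html"
      reference = "https://www.fidelissecurity.com/sites/default/files/FTA_1020_Fidelis_Inocnation_FINAL.pdf"
      id = "06fd02f2-2630-5aac-8011-67d67ff42c3f"
   strings:
      // Part of the encoded User-Agent = Mozilla
      $s1 = { c7 [5] 40 00 62 00 c7 [5] 77 00 64 00 c7 [5] 61 00 61 00 c7 [5] 6c 00 }

      // XOR to decode User-Agent after string stacking 0x10001630
      $s2 = { 66 [7] 0d 40 83 ?? ?? 7c ?? }

      // XOR with 0x2E - 0x10002EF6
      $s3 = { 80 [2] 2e 40 3b ?? 72 ?? }

      // Plain strings; individually generic, but every one of them is required
      $s4 = "CmdProcessExited" wide ascii
      $s5 = "rootDir" wide ascii
      $s6 = "DllRegisterServer" wide ascii
      $s7 = "GetNativeSystemInfo" wide ascii
      $s8 = "%08x%08x%08x%08x" wide ascii
   condition:
      // MZ header or ELF magic ("\x7fELF" read little-endian), and all strings
      (uint16(0) == 0x5A4D or uint32(0) == 0x464c457f) and (all of them)
}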
29 |
--------------------------------------------------------------------------------
/yara/apt_icefog.yar:
--------------------------------------------------------------------------------
1 | /*
2 | Yara Rule Set
3 | Author: Florian Roth
4 | Date: 2018-02-26
5 | Identifier: IceFog
6 | Reference: https://twitter.com/ClearskySec/status/968104465818669057
7 | */
8 |
9 | /* Rule Set ----------------------------------------------------------------- */
10 |
rule IceFog_Malware_Feb18_1 {
   meta:
      description = "Detects IceFog malware"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://twitter.com/ClearskySec/status/968104465818669057"
      date = "2018-02-26"
      modified = "2023-01-06"
      hash1 = "480373cffc4e60aa5be2954a156e37d689b92e6e33969958230f2ce59d30b9ec"
      id = "ce8e3a9b-9f4b-534c-983d-bb5490da5768"
   strings:
      // Command-line and file-name artefacts (ascii)
      $s1 = "cmd /c %c%s%c" ascii fullword
      $s2 = "temp.bat" ascii fullword
      // Paths, URL fragments and a host name (UTF-16)
      $s3 = "c:\\windows\\debug\\wia\\help" wide fullword
      $s4 = "/getorder.aspx?hostname=" wide fullword
      $s5 = "\\filecfg_temp.dat" wide
      $s6 = "Unknown operating system " wide fullword
      $s7 = "kastygost.compress.to" wide fullword
      $s8 = "/downloads/" wide
      $s9 = "\\key.dat" wide
   condition:
      // MZ header, size bound and any four of the nine strings
      uint16(0) == 0x5a4d
      and filesize < 2000KB
      and 4 of them
}
33 |
--------------------------------------------------------------------------------
/yara/apt_ism_rat.yar:
--------------------------------------------------------------------------------
1 | /*
2 | Yara Rule Set
3 | Author: Ahmed Zaki
4 | Date: 2017-05-04
5 | Identifier: ISM RAT
6 | Reference: https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2017/february/ism-rat/
7 | */
8 |
rule Trojan_ISMRAT_gen {
   meta:
      description = "ISM RAT"
      author = "Ahmed Zaki"
      reference = "https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2017/february/ism-rat/"
      hash1 = "146a112cb01cd4b8e06d36304f6bdf7b"
      hash2 = "fa3dbe37108b752c38bf5870b5862ce5"
      hash3 = "bf4b07c7b4a4504c4192bd68476d63b5"
      id = "e72241ce-d6ee-5cb7-a83d-157161938d83"
   strings:
      // User-Agent values (UTF-16) and a command-result marker (ascii by default)
      $s1 = "WinHTTP Example/1.0" wide
      $s2 = "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0" wide
      $s3 = "|||Command executed successfully"
      // Working-directory pattern with a variable suffix, hence a regex
      $dir = /Microsoft\\Windows\\Tmpe[a-z0-9]{2,8}/
   condition:
      uint16(0) == 0x5a4d   // MZ header
      and all of them
}
26 |
--------------------------------------------------------------------------------
/yara/apt_korplug_fast.yar:
--------------------------------------------------------------------------------
rule Korplug_FAST {
   meta:
      description = "Rule to detect Korplug/PlugX FAST variant"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      date = "2015-08-20"
      hash = "c437465db42268332543fbf6fd6a560ca010f19e0fd56562fb83fb704824b371"
      id = "85c6c460-2902-5bfa-be58-a2b62e3b882e"
   strings:
      // Full rundll32 command line including the export name; sufficient on its own
      $x1 = "%s\\rundll32.exe \"%s\", ShadowPlay" ascii fullword

      // Export name alone; needs one supporting string
      $a1 = "ShadowPlay" ascii fullword

      // Supporting strings: command-line prefix, DLL / data file names
      $s1 = "%s\\rundll32.exe \"%s\"," ascii fullword
      $s2 = "nvdisps.dll" ascii fullword
      $s3 = "%snvdisps.dll" ascii fullword
      $s4 = "\\winhlp32.exe" ascii
      $s5 = "nvdisps_user.dat" ascii fullword
      $s6 = "%snvdisps_user.dat" ascii fullword
   condition:
      uint16(0) == 0x5a4d   // MZ header
      and filesize < 500KB
      and (
         $x1
         or ( $a1 and 1 of ($s*) )
         or 4 of ($s*)
      )
}
--------------------------------------------------------------------------------
/yara/apt_lazarus_gopuram.yar:
--------------------------------------------------------------------------------
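rule MAL_Gopuram_Apr23 {
   meta:
      description = "Detects Lazarus Gopuram malware"
      reference = "https://securelist.com/gopuram-backdoor-deployed-through-3cx-supply-chain-attack/109344/"
      license = "Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License"
      author = "Arnim Rupp (https://github.com/ruppde)"
      date = "2023-04-04"
      // Numbered like the other rules in the set: duplicate "hash" keys are legal YARA,
      // but consumers that expose meta as a key/value map (e.g. yara-python) keep only one of them
      hash1 = "beb775af5196f30e0ee021790a4978ca7a7ac2a7cf970a5a620ffeb89cc60b2c"
      hash2 = "97b95b4a5461f950e712b82783930cb2a152ec0288c00a977983ca7788342df7"
      id = "e0bb43b0-542b-5c8e-bcba-0326f80efaa0"
   strings:
      // VTgrep content:"%s.TxR.0.regtrans-ms" hits only the 2 hashes above
      $path = "%s.TxR.0.regtrans-ms"
   condition:
      // MZ header, the single format string, and a size bound
      uint16(0) == 0x5A4D and $path and filesize < 10MB
}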
17 |
18 |
--------------------------------------------------------------------------------
/yara/apt_lazarus_jan21.yar:
--------------------------------------------------------------------------------
1 |
rule SUSP_VEST_Encryption_Core_Accumulator_Jan21 {
   meta:
      description = "Detects VEST encryption core accumulator in PE file as used by Lazarus malware"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://twitter.com/ochsenmeier/status/1354737155495649280"
      date = "2021-01-28"
      score = 70
      hash1 = "7cd3ca8bdfb44e98a4b9d0c6ad77546e03d169bda9bdf3d1bcf339f68137af23"
      id = "8343652b-8865-5213-b735-d6d4084e4a84"
   strings:
      // 160-byte constant table (10 rows of 16 bytes); per the description this is the
      // VEST core accumulator. A SUSP_ rule: the table may also appear in benign code.
      $sc1 = { 4F 70 46 DA E1 8D F6 41 59 E8 5D 26 1E CC 2F 89
               26 6D 52 BA BC 11 6B A9 C6 47 E4 9C 1E B6 65 A2
               B6 CD 90 47 1C DF F8 10 4B D2 7C C4 72 25 C6 97
               25 5D C6 1D 4B 36 BC 38 36 33 F8 89 B4 4C 65 A7
               96 CA 1B 63 C3 4B 6A 63 DC 85 4C 57 EE 2A 05 C7
               0C E7 39 35 8A C1 BF 13 D9 52 51 3D 2E 41 F5 72
               85 23 FE A1 AA 53 61 3B 25 5F 62 B4 36 EE 2A 51
               AF 18 8E 9A C6 CF C4 07 4A 9B 25 9B 76 62 0E 3E
               96 3A A7 64 23 6B B6 19 BC 2D 40 D7 36 3E E2 85
               9A D1 22 9F BC 30 15 9F C2 5D F1 23 E6 3A 73 C0 }
   condition:
      // MZ header and the table; no filesize bound
      uint16(0) == 0x5a4d and $sc1
}
26 |
--------------------------------------------------------------------------------
/yara/apt_lotusblossom_elise.yar:
--------------------------------------------------------------------------------
1 | /*
2 | Yara Rule Set
3 | Author: Florian Roth
4 | Date: 2018-01-24
5 | Identifier: Lotus Blossom Elise Malware
6 | Reference: https://community.rsa.com/community/products/netwitness/blog/2018/01/30/apt32-continues-asean-targeting
7 | */
8 |
9 | import "pe"
10 |
11 | /* Rule Set ----------------------------------------------------------------- */
12 |
rule Elise_Jan18_1 {
   meta:
      description = "Detects Elise malware samples - fake Norton Security NavShExt.dll"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://twitter.com/blu3_team/status/955971742329135105"
      date = "2018-01-24"
      hash1 = "6dc2a49d58dc568944fef8285ad7a03b772b9bdf1fe4bddff3f1ade3862eae79"
      id = "8e4f4ec8-5d31-5990-8c14-861423571a79"
   strings:
      // Strings of the legitimate-looking DLL the sample imitates (UTF-16)
      $s1 = "NavShExt.dll" wide fullword
      $s2 = "Norton Security" wide fullword

      // Marker string that does not belong in the genuine component
      $a1 = "donotbotherme" ascii fullword
   condition:
      uint16(0) == 0x5a4d   // MZ header
      and filesize < 250KB
      and (
         // Either the import hash, or the marker plus one of the imitation strings
         pe.imphash() == "e9478ee4ebf085d1f14f64ba96ef082f"
         or ( 1 of ($s*) and $a1 )
      )
}
--------------------------------------------------------------------------------
/yara/apt_mal_ilo_board_elf.yar:
--------------------------------------------------------------------------------
1 |
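rule APT_MAL_HP_iLO_Firmware_Dec21_1 {
   meta:
      // "suspicios" -> "suspicious"
      description = "Detects suspicious ELF files with sections as described in malicious iLO Board analysis by AmnPardaz in December 2021"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://threats.amnpardaz.com/en/2021/12/28/implant-arm-ilobleed-a/"
      date = "2021-12-28"
      score = 80
      id = "7f5fa905-07a3-55da-b644-c5ab882b4a9d"
   strings:
      // Section names described in the referenced analysis
      $s1 = ".newelf.elf.text" ascii
      $s2 = ".newelf.elf.libc.so.data" ascii
      $s3 = ".newelf.elf.libevlog.so.data" ascii
      $s4 = ".newelf.elf.Initial.stack" ascii
   condition:
      // Parenthesised to make the precedence explicit ("and" binds tighter than "or"):
      // two section names within the size bound, or all four at any size.
      // No ELF magic check — the names may sit inside a firmware image rather than
      // at the start of a file (inferred from the description; confirm).
      ( filesize < 5MB and 2 of them )
      or all of them
}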
19 |
--------------------------------------------------------------------------------
/yara/apt_nobellium_rdp_phish.yar:
--------------------------------------------------------------------------------
1 |
rule SUSP_RDP_File_Indicators_Oct24_1 {
   meta:
      description = "Detects characteristics found in malicious RDP files used as email attachments in spear phishing campaigns"
      author = "Florian Roth"
      reference = "https://thecyberexpress.com/rogue-rdp-files-used-in-ukraine-cyberattacks/"
      date = "2024-10-25"
      score = 75
      hash1 = "280fbf353fdffefc5a0af40c706377142fff718c7b87bc8b0daab10849f388d0"
      hash2 = "8b45f5a173e8e18b0d5c544f9221d7a1759847c28e62a25210ad8265f07e96d5"
      hash3 = "9b8cb8b01ce4eafb9204250a3c28bfaf70cc76a99ce411ad52bbf1aa2b6cce34"
      hash4 = "ba4d58f2c5903776fe47c92a0ec3297cc7b9c8fa16b3bf5f40b46242e7092b46"
      hash5 = "f357d26265a59e9c356be5a8ddb8d6533d1de222aae969c2ad4dc9c40863bfe8"
      id = "16128c1e-64ed-5a3e-ad1e-e0330d91f5a9"
   strings:
      // .rdp settings (UTF-16): device redirection enabled, RemoteApp mode, a preset user name
      $s1 = "redirectclipboard:i:1" fullword wide
      $s2 = "redirectprinters:i:1" fullword wide
      $s3 = "remoteapplicationmode:i:1" fullword wide
      $s4 = "username:s:" wide
      // Leading character deliberately omitted — presumably to match either case of the
      // first letter without nocase; confirm against the samples
      $s5 = "emoteapplicationicon:s:C:\\Windows\\SystemApps" wide
   condition:
      // Small text file with every setting present; no magic-byte check (RDP files are plain text)
      filesize < 50KB and all of them
}
25 |
26 |
--------------------------------------------------------------------------------
/yara/apt_op_shadowhammer.yar:
--------------------------------------------------------------------------------
1 |
rule MAL_APT_Operation_ShadowHammer_MalSetup {
   meta:
      description = "Detects a malicious file used by BARIUM group in Operation ShadowHammer"
      date = "2019-03-25"
      author = "Florian Roth (Nextron Systems)"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      score = 80
      hash1 = "ac0711afee5a157d084251f3443a40965fc63c57955e3a241df866cfc7315223"
      hash2 = "9acd43af36f2d38077258cb2ace42d6737b43be499367e90037f4605318325f8"
      hash3 = "bca9583263f92c55ba191140668d8299ef6b760a1e940bddb0a7580ce68fef82"
      hash4 = "c299b6dd210ab5779f3abd9d10544f9cae31cd5c6afc92c0fc16c8f43def7596"
      hash5 = "6aedfef62e7a8ab7b8ab3ff57708a55afa1a2a6765f86d581bc99c738a68fc74"
      hash6 = "cfbec77180bd67cceb2e17e64f8a8beec5e8875f47c41936b67a60093e07fcfd"
      reference = "https://securelist.com/operation-shadowhammer/89992/"
      id = "000f840a-848d-5f82-84bf-70690efbd4de"
   strings:
      // Build-path fragments (Release and Debug configurations); either one is enough
      $x1 = "\\AsusShellCode\\Release" ascii
      $x2 = "\\AsusShellCode\\Debug" ascii
   condition:
      uint16(0) == 0x5a4d   // MZ header
      and any of them
}
23 |
--------------------------------------------------------------------------------
/yara/apt_peach_sandstorm.yar:
--------------------------------------------------------------------------------
rule APT_MAL_FalseFont_Backdoor_Jan24 {
   meta:
      description = "Detects FalseFont backdoor, related to Peach Sandstorm APT"
      author = "X__Junior, Jonathan Peters"
      date = "2024-01-11"
      reference = "https://twitter.com/MsftSecIntel/status/1737895710169628824"
      hash = "364275326bbfc4a3b89233dabdaf3230a3d149ab774678342a40644ad9f8d614"
      score = 80
      id = "b6a3efff-2abf-5ac1-9a2b-c7b30b51f92c"
   strings:
      // High-confidence: application namespace and the hard-coded AES material
      $x1 = "Agent.Core.WPF.App" ascii
      $x2 = "3EzuNZ0RN3h3oV7rzILktSHSaHk+5rtcWOr0mlA1CUA=" wide   // AesIV
      $x3 = "viOIZ9cX59qDDjMHYsz1Yw==" wide                       // AesKey

      // Group A: command / error strings
      $sa1 = "StopSendScreen" wide
      $sa2 = "Decryption failed :(" wide

      // Group B: format string, browser profile path and credential-store query fragments
      $sb1 = "{0} {1} {2} {3}" wide
      $sb2 = "\\BraveSoftware\\Brave-Browser\\User Data\\" wide
      $sb3 = "select * from logins" wide
      $sb4 = "Loginvault.db" wide
      $sb5 = "password_value" wide
   condition:
      uint16(0) == 0x5a4d   // MZ header
      and (
         1 of ($x*)                          // any high-confidence string
         or all of ($sa*)                    // or the complete A group
         or all of ($sb*)                    // or the complete B group
         or ( 1 of ($sa*) and 4 of ($sb*) )  // or a mixed majority
      )
}
32 |
--------------------------------------------------------------------------------
/yara/apt_plead_downloader.yar:
--------------------------------------------------------------------------------
rule PLEAD_Downloader_Jun18_1 {
   meta:
      description = "Detects PLEAD Downloader"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://blog.jpcert.or.jp/2018/06/plead-downloader-used-by-blacktech.html"
      date = "2018-06-16"
      hash1 = "a26df4f62ada084a596bf0f603691bc9c02024be98abec4a9872f0ff0085f940"
      id = "19d588d8-1f03-5f34-b82e-b645c28a19a4"
   strings:
      // Time/date format strings; $s3 carries a fixed "1111"/"2222" framing
      $s1 = "%02d:%02d:%02d" fullword ascii
      $s2 = "%02d-%02d-%02d" fullword ascii
      $s3 = "1111%02d%02d%02d_%02d%02d2222" fullword ascii
      // Status strings (UTF-16)
      $a1 = "Scanning..." fullword wide
      $a2 = "Checking..." fullword wide
   condition:
      uint16(0) == 0x5a4d   // MZ header
      and filesize < 200KB
      and (
         all of ($s*)
         or ( 2 of ($s*) and 1 of ($a*) )
      )
}
22 |
--------------------------------------------------------------------------------
/yara/apt_poisonivy_gen3.yar:
--------------------------------------------------------------------------------
1 |
rule PoisonIvy_Generic_3 {
   meta:
      description = "PoisonIvy RAT Generic Rule"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      date = "2015-05-14"
      hash = "e1cbdf740785f97c93a0a7a01ef2614be792afcd"
      id = "0f6a47ee-b741-59cc-b2d6-6bf3989ce8e7"
   strings:
      // Key marker; sufficient on its own
      $k1 = "Tiger324{" ascii fullword

      // Group S: library / process names and a login path; all required together.
      // "login.asp" also appears as $h3 — the duplicate is harmless in YARA.
      $s2 = "WININET.dll" ascii fullword
      $s3 = "mscoree.dll" wide fullword
      $s4 = "WS2_32.dll" fullword
      $s5 = "Explorer.exe" wide fullword
      $s6 = "USER32.DLL"
      $s7 = "CONOUT$"
      $s8 = "login.asp"

      // Group H: HTTP method/version and server-side script names; all required together
      $h1 = "HTTP/1.0"
      $h2 = "POST"
      $h3 = "login.asp"
      $h4 = "check.asp"
      $h5 = "result.asp"
      $h6 = "upload.asp"
   condition:
      uint16(0) == 0x5a4d   // MZ header
      and filesize < 500KB
      and ( $k1 or all of ($s*) or all of ($h*) )
}
33 |
--------------------------------------------------------------------------------
/yara/apt_poshspy.yar:
--------------------------------------------------------------------------------
1 | /*
2 | Yara Rule Set
3 | Author: Florian Roth
4 | Date: 2017-07-15
5 | Identifier: APT29 POSHSPY
6 | Reference: https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html
7 | */
8 |
9 | /* Rule Set ----------------------------------------------------------------- */
10 |
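rule POSHSPY_Malware {
   meta:
      // Previously just "Detects"; completed from the rule name and the file header
      description = "Detects POSHSPY PowerShell backdoor (APT29)"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html"
      date = "2017-07-15"
      id = "7e908efc-0023-5be1-9871-8bfbf8b9e53a"
   strings:
      // PowerShell source fragments (function signature, key array, word list, variable names)
      $x1 = "function sWP($cN, $pN, $aK, $aI)" fullword ascii
      $x2 = "$aeK = [byte[]] (0x69, 0x87, 0x0b, 0xf2" ascii
      $x3 = "(('variant', 'excretions', 'accumulators', 'winslow', 'whistleable', 'len',"
      $x4 = "$cPairKey = \"BwIAAACkAABSU0EyAAQAAAEAA"
      $x5 = "$exeRes = exePldRoutine"
      // Base64 fragment of the encoded script
      $x6 = "ZgB1AG4AYwB0AGkAbwBuACAAcAB1AHIAZgBDAHIA"
   condition:
      // Script content: any single fragment is enough, no header or filesize guard
      1 of them
}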
29 |
--------------------------------------------------------------------------------
/yara/apt_quarkspwdump.yar:
--------------------------------------------------------------------------------
1 |
rule QuarksPwDump_Gen {
   meta:
      description = "Detects all QuarksPWDump versions"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      date = "2015-09-29"
      score = 80
      hash1 = "2b86e6aea37c324ce686bd2b49cf5b871d90f51cec24476daa01dd69543b54fa"
      hash2 = "87e4c76cd194568e65287f894b4afcef26d498386de181f568879dde124ff48f"
      hash3 = "a59be92bf4cce04335bd1a1fcf08c1a94d5820b80c068b3efe13e2ca83d857c9"
      hash4 = "c5cbb06caa5067fdf916e2f56572435dd40439d8e8554d3354b44f0fd45814ab"
      hash5 = "677c06db064ee8d8777a56a641f773266a4d8e0e48fbf0331da696bea16df6aa"
      hash6 = "d3a1eb1f47588e953b9759a76dfa3f07a3b95fab8d8aa59000fd98251d499674"
      hash7 = "8a81b3a75e783765fe4335a2a6d1e126b12e09380edc4da8319efd9288d88819"
      id = "7de4f59e-6cf5-5ad7-ae1f-8532d9e80c9e"
   strings:
      // Error / status messages and the dump file-name format of the tool
      $s1 = "OpenProcessToken() error: 0x%08X" ascii fullword
      $s2 = "%d dumped" ascii fullword
      $s3 = "AdjustTokenPrivileges() error: 0x%08X" ascii fullword
      $s4 = "\\SAM-%u.dmp" ascii
   condition:
      // All four strings; no header or filesize guard, so memory and unpacked
      // content are covered as well
      all of ($s*)
}
25 |
--------------------------------------------------------------------------------
/yara/apt_rocketkitten_keylogger.yar:
--------------------------------------------------------------------------------
1 | /*
2 | Yara Rule Set
3 | Author: Florian Roth
4 | Date: 2015-09-01
5 | Identifier: Rocket Kitten Keylogger
6 | */
7 |
/*
 * Rocket Kitten keylogger ("Woolger"). $x* are build-path artefacts, $z1 the
 * product name, $s* fragments of the startup script and key-name logging.
 */
rule RocketKitten_Keylogger {
    meta:
        description = "Detects Keylogger used in Rocket Kitten APT"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://goo.gl/SjQhlp"
        date = "2015-09-01"
        super_rule = 1
        hash1 = "1c9e519dca0468a87322bebe2a06741136de7969a4eb3efda0ab8db83f0807b4"
        hash2 = "495a15f9f30d6f6096a97c2bd8cc5edd4d78569b8d541b1d5a64169f8109bc5b"
        id = "558341db-a30d-586e-8efc-0fff1d8f94a1"
    strings:
        // PDB / build-path fragments
        $x1 = "\\Release\\CWoolger.pdb" ascii
        $x2 = "WoolenLoger\\obj\\x86\\Release" ascii
        $x3 = "D:\\Yaser Logers\\"

        // Product name (UTF-16)
        $z1 = "woolger" wide fullword

        // Startup-folder persistence script and key logging fragments
        $s1 = "oShellLink.TargetPath = \"" ascii fullword
        $s2 = "wscript.exe " ascii fullword
        $s3 = "strSTUP = WshShell.SpecialFolders(\"Startup\")" ascii fullword
        $s4 = "[CapsLock]" ascii fullword
    condition:
        (
            /* File detection: MZ header, small file, one path artefact or name plus two script fragments */
            uint16(0) == 0x5A4D and filesize < 200KB
            and ( any of ($x*) or ( $z1 and 2 of ($s*) ) )
        )
        or
        (
            /* Memory detection: name plus every script fragment, no header/size gate */
            $z1 and all of ($s*)
        )
}
36 |
--------------------------------------------------------------------------------
/yara/apt_ru_crywiper.yar:
--------------------------------------------------------------------------------
1 |
/*
 * CryWiper. Note that the $s* wildcard in the condition also covers $sx1,
 * so the second alternative requires the taskkill string as well as both
 * Terminal Server registry strings.
 */
rule APT_CryWiper_Dec22 {
    meta:
        description = "Detects CryWiper malware samples"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://securelist-ru.translate.goog/novyj-troyanec-crywiper/106114/?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en"
        date = "2022-12-05"
        score = 75
        id = "d56ccf4e-30ba-5308-ad68-ffc2ae5a1718"
    strings:
        // Registry path used by the sample
        $x1 = "Software\\Sysinternals\\BrowserUpdate"

        // Process-kill command line (matched by $s* below)
        $sx1 = "taskkill.exe /f /im MSExchange*"

        // RDP-related registry key and value names
        $s1 = "SYSTEM\\CurrentControlSet\\Control\\Terminal Server" ascii
        $s2 = "fDenyTSConnections" ascii
    condition:
        any of ($x*)
        or all of ($s*)   /* $s1, $s2 and $sx1 */
}
20 |
--------------------------------------------------------------------------------
/yara/apt_saudi_aramco_phish.yar:
--------------------------------------------------------------------------------
1 | /*
2 | Yara Rule Set
3 | Author: Florian Roth
4 | Date: 2017-10-12
5 | Identifier: Saudi Aramco Phishing
6 | */
7 |
8 | /* Rule Set ----------------------------------------------------------------- */
9 |
/*
 * Saudi Aramco phishing trojan. The single hex string is a run of length-prefixed
 * UTF-16LE fragments: "{0}{1}\", ".dll", "w3wp.exe", "aspnet_wp.exe".
 */
rule Saudi_Phish_Trojan {
    meta:
        description = "Detects a trojan used in Saudi Aramco Phishing"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://goo.gl/Z3JUAA"
        date = "2017-10-12"
        hash1 = "8ad94dc5d59aa1e9962c76fd5ca042e582566049a97aef9f5730ba779e5ebb91"
        id = "d805391d-1256-5dac-8585-ccf3391d4e91"
    strings:
        $s1 = {
            7B 00 30 00 7D 00 7B 00 31 00 7D 00 5C 00   // "{0}{1}\"
            00 09 2E 00 64 00 6C 00 6C 00               // ".dll"
            00 11 77 00 33 00 77 00 70 00 2E 00 65 00 78 00 65 00   // "w3wp.exe"
            00 1B 61 00 73 00 70 00 6E 00 65 00 74 00 5F 00 77 00 70 00 2E 00 65 00 78 00 65   // "aspnet_wp.exe"
        }
    condition:
        // PE file under 3 MB containing the fragment run
        uint16(0) == 0x5A4D and filesize < 3000KB and $s1
}
28 |
--------------------------------------------------------------------------------
/yara/apt_scarcruft.yar:
--------------------------------------------------------------------------------
1 |
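/*
 * Scarcruft, February 2018. $x1 is a build-path artefact, $x2 a ping-based
 * delay command line (UTF-16). Either one in a PE under 2 MB fires the rule.
 */
rule Scarcruft_malware_Feb18_1 {
    meta:
        description = "Detects Scarcruft malware - February 2018"
        // The source copy read "Florian rootpath"; corrected to the author name used by
        // the other rules in this set.
        author = "Florian Roth"
        reference = "https://twitter.com/craiu/status/959477129795731458"
        date = "2018-02-03"
        score = 90
        id = "43a87f2a-cf60-5035-8d40-c360a789a1ac"
    strings:
        $x1 = "d:\\HighSchool\\version 13\\2ndBD\\T+M\\" ascii
        $x2 = "cmd.exe /C ping 0.1.1.2" wide
    condition:
        uint16(0) == 0x5a4d and filesize < 2000KB and 1 of them
}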
16 |
--------------------------------------------------------------------------------
/yara/apt_seaduke_unit42.yar:
--------------------------------------------------------------------------------
1 | /*
2 | Yara Rule Set
3 | Author: Florian Roth
4 | Date: 2015-07-14
5 | Identifier: SeaDuke
6 | */
7 |
8 | /* Rule Set ----------------------------------------------------------------- */
9 |
/*
 * SeaDuke: Python-based (py2exe-style) backdoor. Strings cover the bundled
 * Python runtime, imported modules and one error message; all must be present.
 */
rule SeaDuke_Sample {
    meta:
        description = "SeaDuke Malware"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "http://goo.gl/MJ0c2M"
        date = "2015-07-14"
        score = 70
        hash = "d2e570129a12a47231a1ecb8176fa88a1bf415c51dabd885c513d98b15f75d4e"
        id = "011a303b-b051-519f-9687-668c9bcd15ca"
    strings:
        // Bundled Python 2.7 runtime
        $s0 = "bpython27.dll" ascii fullword
        // Module references (PEStudio blacklist strings)
        $s1 = "email.header(" ascii
        $s3 = "Crypto.Cipher.AES(" ascii
        // Process name (PEStudio blacklist string)
        $s2 = "LogonUI.exe" wide fullword
        // Python import error message
        $s4 = "mod is NULL - %s" ascii fullword
    condition:
        uint16(0) == 0x5A4D
        and filesize < 4000KB
        and all of ($s*)
}
29 |
--------------------------------------------------------------------------------
/yara/apt_servantshell.yar:
--------------------------------------------------------------------------------
/*
 * Servantshell: source-file names and exported routine names left in the binary.
 * All five strings are required together with an MZ header.
 */
rule Servantshell {
    meta:
        author = "Arbor Networks ASERT Nov 2015"
        description = "Detects Servantshell malware"
        date = "2017-02-02"
        reference = "https://tinyurl.com/jmp7nrs"
        score = 70
        id = "f41e9191-0be1-59f7-9be4-e39c8a37b2c5"
    strings:
        // Source file names
        $string1 = "SelfDestruction.cpp" ascii
        $string2 = "SvtShell.cpp" ascii
        // Routine names
        $string3 = "InitServant" ascii
        $string4 = "DeinitServant" ascii
        $string5 = "CheckDT" ascii
    condition:
        uint16(0) == 0x5A4D and all of ($string*)
}
18 |
--------------------------------------------------------------------------------
/yara/apt_shamoon.yar:
--------------------------------------------------------------------------------
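/*
 * Shamoon dropped file. The $testdomain string is mandatory; it must be joined by
 * either one of the test-account strings or the ping-based delay command.
 * No author/date meta is given in the source; none has been invented here.
 */
rule CrowdStrike_Shamoon_DroppedFile {
    meta:
        description = "Rule to detect Shamoon malware http://goo.gl/QTxohN"
        reference = "http://www.rsaconference.com/writable/presentations/file_upload/exp-w01-hacking-exposed-day-of-destruction.pdf"
        id = "b350f1b1-db73-574b-957b-34e5a84f68b0"
    strings:
        // Test-account strings (UTF-16)
        $testn123 = "test123" wide
        $testn456 = "test456" wide
        $testn789 = "test789" wide
        // Domain string (UTF-16), required in every match
        $testdomain = "testdomain.com" wide
        // Delay command line (UTF-16); was collapsed onto the $testdomain line in the source copy
        $pingcmd = "ping -n 30 127.0.0.1 >nul" wide
    condition:
        (any of ($testn*) or $pingcmd) and $testdomain
}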
14 |
--------------------------------------------------------------------------------
/yara/apt_sofacy_zebrocy.yar:
--------------------------------------------------------------------------------
/*
 * Zebrocy Go loader. Hex strings decode to "Go build ID: ", "main.init" and
 * "github.com/kbina". The counts (#main, #scr_git) require the identifiers to
 * occur repeatedly, as they do in Go symbol tables.
 */
rule apt28_win_zebrocy_golang_loader_modified {
    meta:
        description = "Detects unpacked modified APT28/Sofacy Zebrocy Golang."
        author = "@VK_Intel"
        date = "2018-12-25"
        reference = "https://www.vkremez.com/2018/12/lets-learn-progression-of-apt28sofacy.html"
        id = "cce9ba6c-954c-5b13-a058-cdf7895d63fc"
    strings:
        $go      = { 47 6F 20 62 75 69 6C 64 20 49 44 3A 20 }   // "Go build ID: "
        $init    = { 6D 61 69 6E 2E 69 6E 69 74 }               // "main.init"
        $main    = "main" ascii wide fullword
        $scr_git = { 67 69 74 68 75 62 2E 63 6F 6D 2F 6B 62 69 6E 61 }   // "github.com/kbina"
        // Go runtime / stdlib symbols used by the loader
        $s0 = "os/exec.(*Cmd).Run" ascii fullword
        $s1 = "net/http.(*http2clientConnReadLoop).processHeaders" ascii fullword
        $s2 = "os.MkdirAll" ascii fullword
        $s3 = "os.Getenv" ascii fullword
        $s4 = "os.Create" ascii fullword
        $s5 = "io/ioutil.WriteFile" ascii fullword
    condition:
        uint16(0) == 0x5A4D
        and $go and $init
        and all of ($s*)
        and #main > 10
        and #scr_git > 5
}
23 |
--------------------------------------------------------------------------------
/yara/apt_terracotta_liudoor.yar:
--------------------------------------------------------------------------------
/*
 * Liudoor daemon backdoor. Several strings ("Succ", "Fail", "pass", "exit") are
 * generic on their own; the rule only fires when every string, including the
 * DLL name and the opcode-derived fragments, is present. There is no MZ-header
 * gate even though the meta type says Win32 DLL.
 */
rule APT_Liudoor {
    meta:
        author = "RSA FirstWatch"
        date = "2015-07-23"
        description = "Detects Liudoor daemon backdoor"
        hash0 = "78b56bc3edbee3a425c96738760ee406"
        hash1 = "5aa0510f6f1b0e48f0303b9a4bfc641e"
        hash2 = "531d30c8ee27d62e6fbe855299d0e7de"
        hash3 = "2be2ac65fd97ccc97027184f0310f2f3"
        hash4 = "6093505c7f7ec25b1934d3657649ef07"
        type = "Win32 DLL"
        id = "cf7e08b8-2ccd-5828-917b-11340b4a86b1"
    strings:
        // Protocol / status words
        $string0 = "Succ" ascii
        $string1 = "Fail" ascii
        $string2 = "pass" ascii
        $string3 = "exit" ascii
        // Dropped DLL name
        $string4 = "svchostdllserver.dll" ascii
        // Printable fragments of code bytes
        $string5 = "L$,PQR" ascii
        $string6 = "0/0B0H0Q0W0k0" ascii
        $string7 = "QSUVWh" ascii
        $string8 = "Ht Hu[" ascii
    condition:
        all of ($string*)
}
26 |
--------------------------------------------------------------------------------
/yara/apt_ua_caddywiper.yar:
--------------------------------------------------------------------------------
1 |
/*
 * CaddyWiper. YARA's `and` binds tighter than `or`, so the original condition
 * reads as (PE and small and 3 of 4) or (all 4 anywhere); the grouping is
 * written out explicitly below.
 */
rule MAL_WIPER_CaddyWiper_Mar22_1 {
    meta:
        description = "Detects CaddyWiper malware"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://twitter.com/ESETresearch/status/1503436420886712321?s=20&t=xh8JK6fEmRIrnqO7Ih_PNg"
        date = "2022-03-15"
        score = 85
        hash1 = "1e87e9b5ee7597bdce796490f3ee09211df48ba1d11f6e2f5b255f05cc0ba176"
        hash2 = "a294620543334a721a2ae8eaaf9680a0786f4b9a216d75b55cfd28f39e9430ea"
        hash3 = "ea6a416b320f32261da8dafcf2faf088924f99a3a84f7b43b964637ea87aef72"
        hash4 = "f1e8844dbfc812d39f369e7670545a29efef6764d673038b1c3edd11561d6902"
        id = "83495a0d-a295-5ec7-9761-ce79918e1034"
    strings:
        // Code sequences from the sample
        $op1 = { FF 55 94 8B 45 FC 50 FF 55 F8 8A 4D BA 88 4D BA 8A 55 BA 80 EA 01 }
        $op2 = { 89 45 F4 83 7D F4 00 74 04 EB 47 EB 45 6A 00 8D 95 1C FF FF FF 52 }
        $op3 = { 6A 20 6A 02 8D 4D B0 51 FF 95 68 FF FF FF 85 C0 75 0A E9 4E 02 00 00 }
        $op4 = { E9 67 01 00 00 83 7D F4 05 74 0A E9 5C 01 00 00 E9 57 01 00 00 8D 45 98 50 6A 20 }
    condition:
        ( uint16(0) == 0x5A4D and filesize < 50KB and 3 of ($op*) )
        or all of ($op*)
}
23 |
--------------------------------------------------------------------------------
/yara/apt_ua_isaacwiper.yar:
--------------------------------------------------------------------------------
1 | import "pe"
2 |
/*
 * IsaacWiper. A PE under 700 KB that either carries the known import hash or
 * contains three of the log/DLL strings and code sequences.
 */
rule MAL_WIPER_IsaacWiper_Mar22_1 {
    meta:
        description = "Detects IsaacWiper malware"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/"
        date = "2022-03-03"
        score = 85
        hash1 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033"
        hash2 = "7bcd4ec18fc4a56db30e0aaebd44e2988f98f7b5d8c14f6689f650b4f11e16c0"
        id = "97d8d8dd-db65-5156-8f97-56c620cf2d56"
    strings:
        // Log file path and messages (UTF-16)
        $s1 = "C:\\ProgramData\\log.txt" fullword wide
        $s3 = "-- system logical drive: " fullword wide
        $s4 = "-- FAILED" fullword wide
        // Internal DLL name
        $s2 = "Cleaner.dll" fullword ascii

        // Code sequences
        $op1 = { 8B F1 80 3D B0 66 03 10 00 0F 85 96 00 00 00 33 C0 40 B9 A8 66 03 10 87 01 33 DB }
        $op2 = { 8B 40 04 2B C2 C1 F8 02 3B C8 74 34 68 A2 C8 01 10 2B C1 6A 04 }
        $op3 = { 8D 4D F4 FF 75 08 E8 12 FF FF FF 68 88 39 03 10 8D 45 F4 50 E8 2D 1D 00 00 CC }
    condition:
        uint16(0) == 0x5A4D
        and filesize < 700KB
        and ( pe.imphash() == "a4b162717c197e11b76a4d9bc58ea25d" or 3 of them )
}
30 |
--------------------------------------------------------------------------------
/yara/apt_unc1151_ua.yar:
--------------------------------------------------------------------------------
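/*
 * UNC1151 macro method: an OLE compound document (D0 CF 11 E0 A1 B1 1A E1 at offset 0)
 * whose VBA drives WindowsInstaller.Installer with UILevel 2 (silent) and
 * InstallProduct from an http URL. All three script fragments are required.
 */
rule APT_UNC1151_WindowsInstaller_Silent_InstallProduct_MacroMethod {
    meta:
        author = "Proofpoint Threat Research"
        date = "2021-07-28"
        hash1 = "1561ece482c78a2d587b66c8eaf211e806ff438e506fcef8f14ae367db82d9b3"
        hash2 = "a8fd0a5de66fa39056c0ddf2ec74ccd38b2ede147afa602aba00a3f0b55a88e0"
        // Stray leading "T" removed from the URL
        reference = "https://www.proofpoint.com/us/blog/threat-insight/asylum-ambuscade-state-actor-uses-compromised-private-ukrainian-military-emails"
        id = "9ae80d54-33b9-55d7-957f-0738243e089f"
    strings:
        // OLE2 compound file signature
        $doc_header = {D0 CF 11 E0 A1 B1 1A E1}
        // Silent installer UI level
        $s1 = ".UILevel = 2"
        // COM object creation
        $s2 = "CreateObject(\"WindowsInstaller.Installer\")"
        // Remote MSI installation
        $s3 = ".InstallProduct \"http"
    condition:
        $doc_header at 0 and all of ($s*)
}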
--------------------------------------------------------------------------------
/yara/apt_unc2546_dewmode.yar:
--------------------------------------------------------------------------------
1 |
/*
 * DEWMODE PHP webshell. 0x3F3C at offset 0 is the "<?" PHP opening tag read as a
 * little-endian 16-bit value. Because `and` binds tighter than `or`, the trailing
 * "3 of them" alternative applies without the tag/size gate; the grouping is
 * made explicit below.
 */
rule WEBSHELL_APT_PHP_DEWMODE_UNC2546_Feb21_1 {
    meta:
        description = "Detects DEWMODE webshells"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://www.fireeye.com/blog/threat-research/2021/02/accellion-fta-exploited-for-data-theft-and-extortion.html"
        date = "2021-02-22"
        hash1 = "2e0df09fa37eabcae645302d9865913b818ee0993199a6d904728f3093ff48c7"
        hash2 = "5fa2b9546770241da7305356d6427847598288290866837626f621d794692c1b"
        id = "ea883f25-0e9b-5617-b05e-191a4a5c5a52"
    strings:
        // Highly specific fragments
        $x1 = "Cleanup Shell';" fullword ascii
        $x2 = "$(sh /tmp/.scr)"
        $x3 = "@system('sudo /usr/local/bin/admin.pl --mount_cifs=" ascii

        // Supporting fragments
        $s1 = "target=\\\"_blank\\\">Download\";" ascii
        $s2 = ",PASSWORD 1>/dev/null 2>/dev/null');" ascii
        $s3 = ",base64_decode('" ascii
        $s4 = "include \"remote.inc\";" ascii
        $s5 = "@system('sudo /usr/local" ascii
    condition:
        (
            uint16(0) == 0x3F3C
            and filesize < 9KB
            and ( any of ($x*) or 2 of them )
        )
        or 3 of them
}
26 |
--------------------------------------------------------------------------------
/yara/apt_venom_linux_rootkit.yar:
--------------------------------------------------------------------------------
1 | /*
2 | Yara Rule Set
3 | Author: Florian Roth
4 | Date: 2017-01-10
5 | Identifier: Venom Rootkit
6 | */
7 |
8 | /* Rule Set ----------------------------------------------------------------- */
9 |
/*
 * Venom Linux rootkit: control-protocol markers and status messages. Any two
 * strings in data under 4 MB fire the rule; no ELF-header gate is applied.
 */
rule Venom_Rootkit {
    meta:
        description = "Venom Linux Rootkit"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://security.web.cern.ch/security/venom.shtml"
        date = "2017-01-12"
        id = "fedc6fa9-7dfb-5e54-a7bf-9a16f96d6886"
    strings:
        // Control-protocol markers
        $s1 = "%%VENOM%CTRL%MODE%%" fullword ascii
        $s2 = "%%VENOM%OK%OK%%" fullword ascii
        $s3 = "%%VENOM%WIN%WN%%" fullword ascii
        $s4 = "%%VENOM%AUTHENTICATE%%" fullword ascii
        // Status messages
        $s5 = ". entering interactive shell" fullword ascii
        $s6 = ". processing ltun request" fullword ascii
        $s7 = ". processing rtun request" fullword ascii
        $s8 = ". processing get request" fullword ascii
        $s9 = ". processing put request" fullword ascii
        // Author tags
        $s10 = "venom by mouzone" fullword ascii
        $s11 = "justCANTbeSTOPPED" fullword ascii
    condition:
        filesize < 4000KB and 2 of ($s*)
}
33 |
--------------------------------------------------------------------------------
/yara/apt_webshell_chinachopper.yar:
--------------------------------------------------------------------------------
1 |
rule ChinaChopper_Generic {
    meta:
        description = "China Chopper Webshells - PHP and ASPX"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://www.fireeye.com/content/dam/legacy/resources/pdfs/fireeye-china-chopper-report.pdf"
        date = "2015/03/10"
        modified = "2022-10-27"
        id = "2473cef1-88cf-5b76-a87a-2978e6780b4f"
    strings:
        // ASPX variant: eval(Request.Item[...]) in a Jscript page
        $x_aspx = /%@\sPage\sLanguage=.Jscript.%><%eval\(Request\.Item\[.{,100}unsafe/
        // NOTE(review): the $x_php line is truncated in this copy (the regex is never closed),
        // and the strings that follow ($s8, $s15, $s17: TSULoader.exe, Tsu%08lX.dll,
        // StringFileInfo arguments) do not belong to a China Chopper rule. This rule body
        // appears to have been spliced with another rule during extraction and will not
        // compile as shown; recover the original file before use.
        $x_php = / %u" fullword ascii
        $s8 = "TSULoader.exe" fullword wide
        $s15 = "\\StringFileInfo\\%04x%04x\\Arguments" wide
        $s17 = "Tsu%08lX.dll" fullword wide
    condition:
        uint16(0) == 0x5a4d and all of them
}
20 |
--------------------------------------------------------------------------------
/yara/crime_atm_dispenserxfs.yar:
--------------------------------------------------------------------------------
1 |
2 | import "pe"
3 |
/*
 * DispenserXFS ATM malware: PE with either the known import hash or any one of
 * the PDB path, log file path, status messages or the code sequence.
 */
rule ATM_Malware_DispenserXFS {
    meta:
        description = "Detects ATM Malware DispenserXFS"
        author = "@Xylit0l @r3c0nst / Modified by Florian Roth"
        reference = "https://twitter.com/r3c0nst/status/1100775857306652673"
        date = "2019/02/27"
        modified = "2023-01-06"
        score = 80
        id = "7c06102c-93d3-52f4-8c25-430f6f7a601f"
    strings:
        // Code sequence
        $xc1 = { 68 FF FF 00 00 68 60 EA 00 00 6A 10 }
        // PDB path
        $s1 = "\\dispenserXFS.pdb" ascii
        // Log file path
        $s3 = "C:\\xfsasdf.txt" ascii fullword
        // Status messages
        $s4 = "Injected mxsfs killer into %d." ascii fullword
        $s5 = "Waiting for freeze msxfs processes..." ascii fullword
    condition:
        uint16(0) == 0x5a4d
        and (
            pe.imphash() == "617e037ae26d1931818db0790fb44bfe"
            or any of them
        )
}
25 |
--------------------------------------------------------------------------------
/yara/crime_atm_javadipcash.yar:
--------------------------------------------------------------------------------
/*
 * JavaDispCash ATM malware. 0x4B50 at offset 0 is the "PK" ZIP signature
 * (JAR container); all six strings must be present in a file under 500 KB.
 */
rule ATM_Malware_JavaDispCash {
    meta:
        description = "Detects ATM Malware JavaDispCash"
        author = "Frank Boldewin (@r3c0nst)"
        reference = "https://twitter.com/r3c0nst/status/1111254169623674882"
        date = "2019-03-28"
        hash1 = "0149667c0f8cbfc216ef9d1f3154643cbbf6940e6f24a09c92a82dd7370a5027"
        hash2 = "ef407db8c79033027858364fd7a04eeb70cf37b7c3a10069a92bae96da88dfaa"
        id = "7aa91719-6539-572a-8618-bfb5290a5b59"
    strings:
        // Dispenser API names
        $CashInfo = "getNumberOfCashUnits" wide ascii
        $Dispense = "waitforbillstaken" wide ascii
        // Injection message
        $Inject = "No code to inject!" wide ascii
        // Config and log file names
        $config = ".Agentcli" wide ascii
        $log1 = "logft.log" wide ascii
        $log2 = ".loginside" wide ascii
    condition:
        uint16(0) == 0x4b50
        and filesize < 500KB
        and all of them
}
22 |
--------------------------------------------------------------------------------
/yara/crime_atm_loup.yar:
--------------------------------------------------------------------------------
1 | /* slightly modified by Florian Roth - removed the nocase statements for lower memory usage */
2 |
/*
 * Loup ATM malware: both text strings (PDB path and dispenser device name)
 * plus the dispense code sequence, in a PE under 100 KB. nocase was removed
 * from the text strings (see file header comment).
 */
rule ATM_Malware_Loup {
    meta:
        description = "Detects ATM Malware Loup"
        author = "Frank Boldewin (@r3c0nst)"
        reference = "https://twitter.com/r3c0nst/status/1295275546780327936"
        date = "2020-08-17"
        hash = "6c9e9f78963ab3e7acb43826906af22571250dc025f9e7116e0201b805dc1196"
        id = "2215a93f-d854-5f9b-b5cd-53962c45db08"
    strings:
        $String1 = "C:\\Users\\muham\\source\\repos\\loup\\Debug\\loup.pdb" ascii   // PDB path (formerly nocase)
        $String2 = "CurrencyDispenser1" ascii                                      // XFS dispenser logical name (formerly nocase)
        $Code = { 50 68 C0 D4 01 00 8D 4D E8 51 68 2E 01 00 00 0F B7 55 08 52 E8 }  // Dispense call sequence
    condition:
        uint16(0) == 0x5a4d
        and filesize < 100KB
        and $String1 and $String2
        and $Code
}
--------------------------------------------------------------------------------
/yara/crime_atm_xfsadm.yar:
--------------------------------------------------------------------------------
/*
 * XFSADM ATM malware. The PDB path alone is sufficient; otherwise any four of
 * the code sequences, mutex, window names and XFS API/file names are required.
 */
rule ATM_Malware_XFSADM {
    meta:
        description = "Detects ATM Malware XFSADM"
        author = "Frank Boldewin (@r3c0nst), modified by Florian Roth"
        reference = "https://twitter.com/r3c0nst/status/1149043362244308992"
        date = "2019-06-21"
        hash1 = "2740bd2b7aa0eaa8de2135dd710eb669d4c4c91d29eefbf54f1b81165ad2da4d"
        id = "7bd7e194-1cf1-5d12-809b-25aaf7f62ca3"
    strings:
        $Code1 = { 68 88 13 00 00 FF 35 ?? ?? ?? ?? 68 CF 00 00 00 50 FF 15 }   // Read Card Data
        $Code2 = { 68 98 01 00 00 50 FF 15 }                                    // Get PIN Data
        $Mutex = "myXFSADM" wide
        $MSXFSDIR = "C:\\Windows\\System32\\msxfs.dll" ascii
        $XFSCommand1 = "WfsExecute" ascii
        $XFSCommand2 = "WfsGetInfo" ascii
        $PDB = "C:\\Work64\\ADM\\XFS\\Release\\XFS.pdb" ascii
        $WindowName = "XFS ADM" wide
        $FindWindow = "ADM rec" wide
        $LogFile = "xfs.log" ascii
        $TmpFile = "~pipe.tmp" ascii
    condition:
        uint16(0) == 0x5a4d
        and filesize < 500KB
        and ( $PDB or 4 of them )
}
24 |
--------------------------------------------------------------------------------
/yara/crime_atm_xfscashncr.yar:
--------------------------------------------------------------------------------
1 |
/*
 * XFSCashNCR ATM malware: one of the Spanish operator prompts or the PDB path
 * ($x*), or any two strings, in a PE under 1.5 MB.
 */
rule ATM_Malware_XFSCashNCR {
    meta:
        description = "Detects ATM Malware XFSCashNCR"
        author = "Frank Boldewin (@r3c0nst), modified by Florian Roth"
        reference = "https://twitter.com/r3c0nst/status/1166773324548063232"
        date = "2019-08-28"
        hash1 = "d6dff67a6b4423b5721908bdcc668951f33b3c214e318051c96e8c158e8931c0"
        id = "0a70ef9a-9dde-54c9-a3a2-dfceff32932b"
    strings:
        $Code1 = { 50 8B 4D E8 8B 51 10 52 6A 00 68 2D 01 00 00 8B 45 E8 0F B7 48 1C 51 E8 }   // CDM Status
        $Code2 = { 52 8D 45 D0 50 68 2E 01 00 00 8B 4D E8 0F B7 51 1C 52 E8 }                  // Dispense
        // Operator prompts
        $x_StatusMessage1 = "[+] Ingrese Denominacion ISO" ascii nocase
        $x_StatusMessage2 = "[+] Ingrese numero de billetes" ascii nocase
        $x_StatusMessage3 = "[!] FAIL.. dispensadores no encontrados" ascii nocase
        $x_StatusMessage4 = "[!] Unable continue, IMPOSIBLE abrir dispenser" ascii nocase
        // Build artefact
        $x_PDB = "C:\\Users\\cyttek\\Downloads\\xfs_cashXP\\Debug\\xfs_cash_ncr.pdb" ascii nocase
        // Log file
        $LogFile = "XfsLog.txt" ascii nocase
    condition:
        uint16(0) == 0x5a4d
        and filesize < 1500KB
        and ( any of ($x*) or 2 of them )
}
24 |
--------------------------------------------------------------------------------
/yara/crime_bernhard_pos.yar:
--------------------------------------------------------------------------------
/*
 * BernhardPOS. Any one of the four indicators is sufficient: the kernel32
 * lookup shellcode (with wildcarded junk instructions), the mutex name, the
 * build path, or the string-decoding routine. No MZ-header or size gate.
 */
rule BernhardPOS {
    meta:
        author = "Nick Hoffman / Jeremy Humble"
        last_update = "2015-07-14"
        source = "Morphick Inc."
        description = "BernhardPOS Credit Card dumping tool"
        reference = "http://morphick.com/blog/2015/7/14/bernhardpos-new-pos-malware-discovered-by-morphick"
        md5 = "e49820ef02ba5308ff84e4c8c12e7c3d"
        score = 70
        id = "9b9e1507-cf1b-5653-beaa-458205e367c3"
    strings:
        // fs:[0x30] (PEB) walk to the kernel32 image base, interleaved with wildcarded junk
        $shellcode_kernel32_with_junk_code = { 33 c0 83 ?? ?? 83 ?? ?? 64 a1 30 00 00 00 83 ?? ?? 83 ?? ?? 8b 40 0c 83 ?? ?? 83 ?? ?? 8b 40 14 83 ?? ?? 83 ?? ?? 8b 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 8b 00 83 ?? ?? 83 ?? ?? 8b 40 10 83 ?? ?? }
        $mutex_name = "OPSEC_BERNHARD"
        $build_path = "C:\\bernhard\\Debug\\bernhard.pdb"
        // Function prologue through epilogue of the string decoder (call targets wildcarded)
        $string_decode_routine = { 55 8b ec 83 ec 50 53 56 57 a1 ?? ?? ?? ?? 89 45 f8 66 8b 0d ?? ?? ?? ?? 66 89 4d fc 8a 15 ?? ?? ?? ?? 88 55 fe 8d 45 f8 50 ff ?? ?? ?? ?? ?? 89 45 f0 c7 45 f4 00 00 00 00 ?? ?? 8b 45 f4 83 c0 01 89 45 f4 8b 45 08 50 ff ?? ?? ?? ?? ?? 39 45 f4 ?? ?? 8b 45 08 03 45 f4 0f be 08 8b 45 f4 99 f7 7d f0 0f be 54 15 f8 33 ca 8b 45 08 03 45 f4 88 08 ?? ?? 5f 5e 5b 8b e5 5d }
    condition:
        any of them
}
--------------------------------------------------------------------------------
/yara/crime_bluenoroff_pos.yar:
--------------------------------------------------------------------------------
1 |
/*
 * Bluenoroff POS DLL (hkp.dll): five of the eight strings (file names, HTTP
 * user agent, log path, address/status format strings) in any data.
 */
rule BluenoroffPoS_DLL {
    meta:
        description = "Bluenoroff POS malware - hkp.dll"
        author = "http://blog.trex.re.kr/"
        reference = "http://blog.trex.re.kr/3?category=737685"
        date = "2018-06-07"
        id = "d2b34b50-c7eb-5852-ba5d-734dd5038c2e"
    strings:
        // File names
        $dll = "ksnetadsl.dll" nocase fullword wide ascii
        $exe = "xplatform.exe" nocase fullword wide ascii
        // HTTP user agent
        $agent = "Nimo Software HTTP Retriever 1.0" nocase wide ascii
        // Log path
        $log_file = "c:\\windows\\temp\\log.tmp" nocase wide ascii
        // Address format strings
        $base_addr = "%d-BaseAddr:0x%x" nocase wide ascii
        $func_addr = "%d-FuncAddr:0x%x" nocase wide ascii
        // Status format strings (case-sensitive)
        $HF_S = "HF-S(%d)" wide ascii
        $HF_T = "HF-T(%d)" wide ascii
    condition:
        5 of them
}
21 |
--------------------------------------------------------------------------------
/yara/crime_buzus_softpulse.yar:
--------------------------------------------------------------------------------
1 |
/*
 * Buzus / Softpulse trojan. A PE containing either the C2 domain plus two
 * supporting strings, or all supporting strings (WMI query, AV uninstall key,
 * process check, ping-based delay).
 */
rule Win32_Buzus_Softpulse {
    meta:
        description = "Trojan Buzus / Softpulse"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        date = "2015-05-13"
        hash = "2f6df200e63a86768471399a74180466d2e99ea9"
        score = 75
        id = "3b555916-030a-5773-b2f1-e995fc81b697"
    strings:
        // Domain string
        $x1 = "pi4izd6vp0.com" ascii fullword

        // Supporting strings
        $s1 = "SELECT * FROM Win32_Process" wide fullword
        $s4 = "CurrentVersion\\Uninstall\\avast" wide fullword
        $s5 = "Find_RepeatProcess" ascii fullword
        $s6 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\" wide
        $s7 = "myapp.exe" ascii fullword
        $s14 = "/c ping -n 1 www.google" wide
    condition:
        uint16(0) == 0x5A4D
        and ( ( $x1 and 2 of ($s*) ) or all of ($s*) )
}
27 |
--------------------------------------------------------------------------------
/yara/crime_cmstar.yar:
--------------------------------------------------------------------------------
1 |
/*
 * CMSTAR (Enfal) debug markers: short tags each followed by CRLF (\x0d\x0a).
 * All seven must be present in a PE.
 */
rule ce_enfal_cmstar_debug_msg {
    meta:
        author = "rfalcone"
        description = "Detects the static debug strings within CMSTAR"
        reference = "http://goo.gl/JucrP9"
        hash = "9b9cc7e2a2481b0472721e6b87f1eba4faf2d419d1e2c115a91ab7e7e6fc7f7c"
        date = "5/10/2015"
        id = "2c483f20-4fa8-5246-9dcb-8868db64b6e3"
    strings:
        $d1 = "EEE\x0d\x0a" ascii fullword
        $d2 = "TKE\x0d\x0a" ascii fullword
        $d3 = "VPE\x0d\x0a" ascii fullword
        $d4 = "VPS\x0d\x0a" ascii fullword
        $d5 = "WFSE\x0d\x0a" ascii fullword
        $d6 = "WFSS\x0d\x0a" ascii fullword
        $d7 = "CM**\x0d\x0a" ascii fullword
    condition:
        uint16(0) == 0x5A4D and all of them
}
--------------------------------------------------------------------------------
/yara/crime_cobalt_gang_pdf.yar:
--------------------------------------------------------------------------------
/*
 * Cobalt Gang PDF template: matches on a single document UUID carried in
 * the PDF metadata (ASCII or UTF-16). No PDF-header gate.
 */
rule Cobaltgang_PDF_Metadata_Rev_A {
    meta:
        description = "Find documents saved from the same potential Cobalt Gang PDF template"
        author = "Palo Alto Networks Unit 42"
        date = "2018-10-25"
        reference = "https://researchcenter.paloaltonetworks.com/2018/10/unit42-new-techniques-uncover-attribute-cobalt-gang-commodity-builders-infrastructure-revealed/"
        id = "bcf5bf6e-c786-5f78-bf58-e0631a17e62e"
    strings:
        // Template document UUID (anonymous string)
        $ = "uuid:31ac3688-619c-4fd4-8e3f-e59d0354a338" wide ascii
    condition:
        1 of them
}
13 |
--------------------------------------------------------------------------------
/yara/crime_corkow_dll.yar:
--------------------------------------------------------------------------------
1 | import "pe"
2 |
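/*
 * Corkow DLL. Inside the outer parentheses `and` binds tighter than `or`, so a PE
 * matches when either (both code patterns and one of the three exports) or
 * (ServiceMain together with Control_RunDLL, with no code pattern) is present.
 */
rule CorkowDLL {
    meta:
        description = "Rule to detect the Corkow DLL files"
        author = "Group IB"
        date = "01.02.2016"
        // Key renamed from "referenced" to "reference" for consistency with the other rules
        reference = "https://www.group-ib.ru/brochures/Group-IB-Corkow-Report-EN.pdf"
        id = "cc9d2bb3-8db3-54a0-bd05-7f054ce84633"
    strings:
        // Code patterns with jump-gap wildcards
        $binary1 = { 60 [0-8] 9C [0-8] BB ?? ?? ?? ?? [0-8] 81 EB ?? ?? ?? ?? [0-8] E8 ?? 00 00 00 [0-8] 58 [0-8] 2B C3 }
        $binary2 = { (FF 75 ?? | 53) FF 75 10 FF 75 0C FF 75 08 E8 ?? ?? ?? ?? [3-9] C9 C2 0C 00 }
    condition:
        uint16(0) == 0x5a4d and (
            all of ($binary*) and (
                pe.exports("Control_RunDLL") or
                pe.exports("ServiceMain") or
                pe.exports("DllGetClassObject")
            ) or (
                pe.exports("ServiceMain") and /* Service DLL */
                pe.exports("Control_RunDLL") /* Sufficiently specific in this combination */
            )
        )
}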
25 |
--------------------------------------------------------------------------------
/yara/crime_covid_ransom.yar:
--------------------------------------------------------------------------------
1 |
/*
 * COVID-19 themed ransomware: a PE under 700 KB with two of the key-upload
 * URL path and the three byte sequences.
 */
rule MAL_RANSOM_COVID19_Apr20_1 {
    meta:
        description = "Detects ransomware distributed in COVID-19 theme"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/"
        date = "2020-04-15"
        hash1 = "2779863a173ff975148cb3156ee593cb5719a0ab238ea7c9e0b0ca3b5a4a9326"
        id = "fc723d1f-e969-5af6-af57-70d00bf797f4"
    strings:
        // Key-upload URL path (UTF-16)
        $s1 = "/savekey.php" wide

        // Byte sequences from the sample
        $op1 = { 3F FF FF FF FF FF 0B B4 }
        $op2 = { 60 2E 2E 2E AF 34 34 34 B8 34 34 34 B8 34 34 34 }
        $op3 = { 1F 07 1A 37 85 05 05 36 83 05 05 36 83 05 05 34 }
    condition:
        uint16(0) == 0x5A4D and filesize < 700KB and 2 of them
}
21 |
--------------------------------------------------------------------------------
/yara/crime_credstealer_generic.yar:
--------------------------------------------------------------------------------
1 |
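/*
 * Generic credential stealer: routine names and browser/messenger credential
 * store paths. Four of the ten strings in a PE fire the rule.
 */
rule CredentialStealer_Generic_Backdoor {
    meta:
        description = "Detects credential stealer based on many strings that indicate password store access"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Internal Research"
        date = "2017-06-07"
        hash1 = "edb2d039a57181acf95bd91b2a20bd9f1d66f3ece18506d4ad870ab65e568f2c"
        id = "b3124f6c-4e18-562c-84d9-d51e086da446"
    strings:
        // Routine names
        $s1 = "GetOperaLoginData" fullword ascii
        $s2 = "GetInternetExplorerCredentialsPasswords" fullword ascii
        $s7 = "GetInternetExplorerVaultPasswords" fullword ascii
        $s8 = "GetWindowsLiveMessengerPasswords" fullword ascii
        // Credential store paths and queries
        $s3 = "%s\\Opera Software\\Opera Stable\\Login Data" fullword ascii
        $s4 = "select * from moz_logins" fullword ascii
        $s5 = "%s\\Google\\Chrome\\User Data\\Default\\Login Data" fullword ascii
        $s9 = "%s\\Chromium\\User Data\\Default\\Login Data" fullword ascii
        $s10 = "%s\\Opera\\Opera\\profile\\wand.dat" fullword ascii
        // Module name
        $s6 = "Host.dll.Windows" fullword ascii
    condition:
        ( uint16(0) == 0x5a4d and 4 of them )
}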
25 |
--------------------------------------------------------------------------------
/yara/crime_cryptowall_svg.yar:
--------------------------------------------------------------------------------
1 |
2 | rule SVG_LoadURL {
3 | meta:
4 | description = "Detects a tiny SVG file that loads an URL (as seen in CryptoWall malware infections)"
5 | license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
6 | author = "Florian Roth (Nextron Systems)"
7 | reference = "http://goo.gl/psjCCc"
8 | date = "2015-05-24"
9 | hash1 = "ac8ef9df208f624be9c7e7804de55318"
10 | hash2 = "3b9e67a38569ebe8202ac90ad60c52e0"
11 | hash3 = "7e2be5cc785ef7711282cea8980b9fee"
12 | hash4 = "4e2c6f6b3907ec882596024e55c2b58b"
13 | score = 50
14 | id = "c3d4c95f-ef8b-52ff-9cf9-d66d9b99a490"
15 | strings:
16 | $s1 = "" nocase
17 | $s2 = "