├── 02-12-19
├── IOC TA505 Nov19.md
└── JSON
│ └── IOC_TA505_Nov19_2.json
├── 03-02-20
├── IOC_Gamaredon.csv
└── lnk_Gamaredon.csv
├── 18-11-19
├── JSON
│ ├── IOC -TA2101.json
│ └── IOC-APT-C-37.json
├── PatthebearIOC.md
└── TA2101 plays government imposter to distribute malware to German, Italian, and US organizations.md
├── 19-11-19
├── IOC TA505 Nov19.md
└── JSON
│ └── IOC-TA505-Nov19.json
├── 20-11-19
├── APT Muddywater November 2019.md
├── APT Silence successfully attacked banks in Africa in October, 2019.md
├── JSON
│ ├── APT-MuddywaterNov2019.json
│ └── APT-Silence.json
└── Yara_Rule_TA505_Nov19.yar
├── 20.21-07-23
├── AvosLocker
│ └── RAN_AvosLocker_July_2021_1.yara
├── HiveNightmare
│ └── Exp_CVE_2021_36934_July_2021_1.yara
└── PetitPotam
│ └── Exp_PetitPotam_July_2021_1.yara
├── 2020-02-05
└── Patchwork.csv
├── 2020-02-09
├── 23.198.5.192_history.csv
├── Garmaredon_EvilGnome.csv
└── Transparent Tribe.csv
├── 2020-02-10
└── IRS-IOC.csv
├── 2020-02-12
├── Yara-APT-01-30to-02-03.csv
├── Yara-APT-02-03to-02-07.csv
├── Yara-APT-02-07to-02-10.csv
└── Yara-APT-02-10to-02-11.csv
├── 2020-02-13
└── Unknown_Operation.csv
├── 2020-02-14
└── Dridex.csv
├── 2020-02-16
└── gamaredon.csv
├── 2020-02-18
└── TA505.csv
├── 2020-02-21
├── APT-C-12-lures.csv
├── APT-C-12.csv
└── TA505.csv
├── 2020-02-25
└── TA505.csv
├── 2020-03-01
├── IOC_Turla_JS_KopiLuwak.csv
└── Turla_IOC.csv
├── 2020-03-04
└── IOC_APT-C-39.csv
├── 2020-03-09
└── APTC23.csv
├── 2020-03-17
└── Chinese_Backdoors.csv
├── 2020-03-19
└── IOC_Poulight.csv
├── 2020-03-27
├── DridexIOC.csv
└── DridexIOC.json
├── 2020-04-29
└── Yara_Rule_APT_Bazar-April_2020_1.yar
├── 2020-05-25
├── IOC-Calypso-2020-05-25.csv
└── IOC-DarkHotel-2020-05-25.csv
├── 2020-06-03
└── Cycldek
│ └── IOC-Cycldek-2020-06-03.csv
├── 2020-06-05
└── Casbaneiro
│ └── Casbaneiro_stealer.yar
├── 2020-06-07
└── NK_Rivts_Feb_2009_1.yar
├── 2020-06-12
└── Lazarus
│ └── Lazarus_June_2020_1.yar
├── 2020-06-15
└── Lazarus
│ └── Survey_hits_Yara.csv
├── 2020-06-19
├── IOC_Australia_Incident.csv
└── IOC_Australia_Incident_details.csv
├── 2020-06-22
└── APT_MAL_Donot_Loader_June_2020_1.yar
├── 2020-06-23
└── APT_Lazarus_Stealer_June_2020_1.yar
├── 2020-06-25
└── IOC-WastedLocker-2020-06-25.csv
├── 2020-06-26
└── Heinote_June_2020-1.yar
├── 2020-06-28
├── APT28_Zekapab_June_2020_1.yar
└── APT_NK_Lazarus_Implant_June_2020_1.yar
├── 2020-07-05
└── Magecart
│ └── DecodeAlgoMagecart.js
├── 2020-07-06
└── Donot
│ └── IOC-Donot-2020-07-06.csv
├── 2020-07-09
├── IOC_2020_07_09.csv
└── MAL_Stealer_Cookie_July_2020_1.yar
├── 2020-07-14
└── Mustang Panda
│ └── IOC-Mustang-Panda-2020-07-14.csv
├── 2020-07-23
└── Yara_Rule_APT_Lazarus_Stealer_July_2020_1.yar
├── 2020-07-28
└── Lazarus
│ └── APT_Lazarus_EPS_July_2020_1.yar
├── 2020-07-29
└── Winnti
│ └── IOC_Winnti_2020-07_29.csv
├── 2020-07-30
└── Yara_Ransom_Ragnarlocker_July_2020_1.yar
├── 2020-08-17
└── Loup
│ └── Mal_ATM_Loup_Aug_2020_1.yar
├── 2020-08-18
└── Winnti
│ └── APT_Winnti_ELFx64_Aug_2020_1.yar
├── 2020-08-24
├── Redline
│ └── Mal_Stealer_NET_Redline_Aug_2020_1.yar
└── SideWinder
│ └── APT_SideWinder_NET_Loader_Aug_2020_1.yar
├── 2020-08-26
└── APT_OilRig_2016.yar
├── 2020-08-27
├── APT_Patchwork_Tool_CVE_2019_0808_1.yar
└── DeathStalker_APT_IOC_2020_08_27.csv
├── 2020-08-28
└── Loader_JAVA_Kinsing_Aug_2020_1.yar
├── 2020-09-08
└── IOC-Goblin-details.csv
├── 2020-09-11
└── TurlaDetectionsVT.csv
├── 2020-09-14
├── Kimsuky
│ ├── APT_Kimsuky_Aug_2020_1.yar
│ └── IOC_Gold_Dragon.csv
└── SLoad
│ ├── Decoded.txt
│ ├── Domains_URL.txt
│ └── Mal_Loader_Sload_Sep-2020-1.yar
├── 2020-09-16
├── AssociateIOC.csv
└── AssociateURL.csv
├── 2020-09-17
└── IOC_Masslogger.csv
├── 2020-10-01
└── IOC_SlothfulMedia.csv
├── 2020-10-03
└── Chimera
│ └── APT_Chimera_Sept_2020_1.yar
├── 2020-10-04
└── Yara-Hits
│ ├── Recent_NExport.csv
│ ├── Recent_WExport.csv
│ └── Suspicious_Hits.csv
├── 2020-10-15
├── Crylock
│ └── RAN_CryLock_Oct_2020_1.yar
└── MATRIX
│ └── RAN_Matrix_Sep_2020_1.yar
├── 2020-10-16
├── Ran_Crysis_Sep_2020_1.yar
└── Ran_Egregor_Sept_2020_1.yar
├── 2020-10-17
└── MAL_KPot_Oct_2020_1.yar
├── 2020-10-21
└── Maze
│ └── Hits.csv
├── 2020-10-27
└── RYUK
│ ├── Mem_Cryptor_Obsidium_Oct_2020_1.yar
│ ├── Ran_Ruyk_Oct2020_1.yar
│ └── Ran_Ruyk_Oct2020_2.yar
├── 2020-10-31
└── Ran_Egregor_Oct_2020_1 .yar
├── 2020-11-04
└── RegretLocker
│ └── Ran_RegretLocker_Oct_2020_1.yar
├── 2020-11-05
└── RobbinHood
│ ├── Ran_RobbinHood_Oct_2020_1.yar
│ └── Strings.txt
├── 2020-11-06
└── Buran
│ └── Ran_Buran_Oct_2020_1.yar
├── 2020-11-15
└── APT_SideWinder_Nov_2020_1.yar
├── 2020-11-18
├── Clay
│ └── Clay_notes.txt
├── HiddenTear
│ └── HiddenTear_variant_notes.txt
└── OnyxLocker
│ ├── OnyxLocker_Notes.txt
│ └── Ran_OnyxLocker_Nov_2020_1.yar
├── 2020-11-19
└── Ranzy_Locker
│ └── Ran_Ranzy_Locker_Nov_2020_1.yar
├── 2020-11-21
├── Gootkit
│ └── Loa_JS_Gootkit_Nov_2020_1.yar
└── Mount Locker
│ └── Ran_Mount_Locker_Nov_2020_1.yar
├── 2020-11-24
└── Mespinoza
│ ├── Info_IOC_Mespinoza_Nov.csv
│ └── Ran_Mespinoza_Nov_2020_1.yar
├── 2020-11-27
└── Ran_RagnarLocker_Nov_2020_1.yar
├── 2020-11-30
└── SP_Vault7_SIG_F_Nov_2020_1.yar
├── 2020-12-01
└── Buer
│ ├── Mal_Buer_Nov_2020_1.yar
│ └── info.csv
├── 2020-12-04
└── greynoise_export-AS14061-SSH-WORMS.json
├── 2020-12-09
├── APT28
│ └── APT_APT28_Nov_2020_1.yar
└── EXX
│ └── Ran_ELF_EXX_Nov_2020_1.yar
├── 2020-12-12
└── conti
│ └── infos.csv
├── 2020-12-14
└── Pay2Key
│ └── Ran_Pay2Key_Nov_2020_1.yar
├── 2020-12-15
└── Conti
│ └── Ran_Conti_V3_Nov_2020_1.yar
├── 2020-12-19
├── Mal_FunnyDream_Backdoor_Nov_2020_1.yar
├── Mal_PhantomNet_Nov_2020_1.yar
└── Mal_Smanager_Installer_Module_Nov_2020_1.yar
├── 2020_05_09
└── Share_IOC_masslogger.csv
├── 2021-01-01
└── Hades
│ └── Ran_Loader_Hades_Dec_2020_1.yar
├── 2021-01-02
└── BabukLocker
│ ├── Notes.txt
│ └── Ran_BabukLockers_Jan_2021_1.yar
├── 2021-01-14
└── Turla
│ └── APT_Turla_IronPython_Jan_2021_1.yar
├── 2021-01-23
└── Turla
│ └── APT_Turla_ComRAT_Chinch_V4_Jan_2021_1.yar
├── 2021-01-26
└── Lazarus
│ └── PT_Lazarus_Loader_Dec_2020_1.yar
├── 2021-02-08
└── AridViper
│ └── APT_AridViper_Installer_Feb_2020_1.yar
├── 2021-02-18
└── APT28
│ └── APT_APT28_Downdelph_Feb_2021_1.yar
├── 2021-02-23
├── BabyElephant
│ └── APT_BabyElephant_Installer_Feb_2021_1.yar
└── Hafinum
│ └── APT_Chisel_Hafnium_Feb_2021_1.yara
├── 2021-02-26
└── APT34
│ └── APT_APT34_RDAT_Feb_2021_1.yar
├── 2021-02-28
└── Molerats
│ └── APT_Molerats_Feb_2021_1.yar
├── 2021-03-06
├── UNC2452
│ └── APT_UNC2452_sunshuttle_Mar_2021_1.yar
└── Unknown
│ └── APT_Unknown_Middle_East_Feb_2020_1.yar
├── 2021-03-07
└── UNC2452
│ └── APT_UNC2452_Webshell_Chopper_Mar_2021_1.yar
├── 2021-03-09
└── APT29
│ ├── APT_APT29_Fatduke_Mar_2021_1.yar
│ ├── APT_APT29_MiniDuke_Mar_2021_1.yar
│ └── APT_APT29_PolyglotDuke_Mar_2021_1.yar
├── 2021-03-15
└── APT28
│ └── APT_APT28_Zekapab_Mar_2021_1.yar
├── 2021-03-16
└── RanzyLocker
│ └── Ran_RanzyLocker_Hunting_Mar_2021_1.yar
├── 2021-03-17
└── APT_FIN8_BADHATCH_Mar_2021_1.yar
├── 2021-03-23
└── APT38
│ ├── APT_APT38_VSingle_Mar_2021_1.yar
│ └── APT_APT38_ValeforBeta_Mar_2021_1.yar
├── 2021-03-31
└── APT-C-23
│ ├── APT_APT_C_23_Micropsia_Mar_2021_1.yar
│ └── APT_APT_C_23_Micropsia_Mar_2021_2.yar
├── 2021-04-03
└── APT34
│ └── APT_APT_34_MailDrop_Mar_2021_1.yar
├── 2021-04-08
└── CRing
│ └── RAN_CRing_Apr_2021_1.yara
├── 2021-04-11
└── Polazert
│ └── MAL_Polazert_Apr_2021_1.yar
├── 2021-04-14
└── Underminer
│ └── Exp_Underminer_Apr_2021_1.yar
├── 2021-04-27
└── Lazarus
│ └── APT_Lazarus_HTA_Apr_2021_1.yara
├── 2021-04-29
└── APT34
│ └── APT_APT34_Dustman_Apr_2021_1.yara
├── 2021-05-01
├── Darkside
│ └── RAN_ELF_Darkside_Apr_2021_1.yara
└── Turla
│ └── APT_Turla_IronPython_Apr_2021_1.yara
├── 2021-05-03
└── APT27
│ ├── APT_APT27_Enc_Hyperbro_Apr_2021_1.yara
│ └── APT_APT27_Hyperbro_Apr_2021_1.yara
├── 2021-05-04
└── CVE-2021-1647
│ └── EXP_CVE_2021_1647_Apr_2021_1.yara
├── 2021-05-08
└── RotaJakiro
│ └── MAL_ELF_RotaJakiro_May_2021_1.yara
├── 2021-05-09
├── Donot
│ └── APT_Donot_Downloader_May_2021_1.yara
└── FuxSocy
│ └── RAN_FuxSocy_May_2021_1.yara
├── 2021-05-12
└── Astrolocker
│ ├── RAN_Astrolocker_May_2021_1.yara
│ └── RAN_MountLocker_May_2021_1.yara
├── 2021-05-14
└── DispCashBR
│ └── ATM_DispCashBR_May_2021_1.yara
├── 2021-05-20
└── Conti
│ ├── RAN_Conti_May_2021_1.yara
│ └── RAN_Conti_May_2021_2.yara
├── 2021-05-23
└── RedXor
│ └── MAL_RedXor_Feb_2021_1.yara
├── 2021-05-26
└── Moriya
│ ├── MAL_Moriya_May_2021_1.yara
│ └── MAL_Moriya_May_2021_2.yara
├── 2021-05-30
└── APT39
│ ├── Infos.csv
│ └── MAL_Cadelspy_Stealer_May_2021_1.yara
├── 2021-06-01
└── NOBELIUM
│ ├── Infos.csv
│ ├── MAL_BoomBox_May_2021_1.yara
│ ├── MAL_Enc_payload_May_2021_1.yara
│ ├── MAL_EnvyScout_May_2021_1.yara
│ └── MAL_NativeZone_May_2021_1.yara
├── 2021-06-04
└── FIN7
│ └── MAL_JSSLoader_Jun_2021_1.yara
├── 2021-06-05
└── BigLock
│ └── RAN_BigLock_Jun_2021_1.yara
├── 2021-06-06
└── APT28
│ ├── MAL_SkinnyBoy_Dropper_Jun_2021_1.yara
│ ├── MAL_SkinnyBoy_Implant_Jun_2021_1.yara
│ └── MAL_SkinnyBoy_Launcher_Jun_2021_1.yara
├── 2021-06-07
└── FIN7
│ └── CRIM_FIN7_PS_Cryptor_Jun_2021_1.yara
├── 2021-06-09
└── PuzzleMaker
│ ├── APT_PuzzleMaker_Implant_Jun_2021_1.yara
│ └── APT_PuzzleMaker_Launcher_Jun_2021_1.yara
├── 2021-06-12
└── Nemty
│ └── RAN_Nemty_June_2021_1.yara
├── 2021-06-13
└── Gelsemium
│ ├── APT_Gelsemium_Gelsemine_June_2021_1.yara
│ ├── APT_Gelsemium_Gelsenicine_June_2021_1.yara
│ ├── APT_Gelsemium_Gelsenicine_June_2021_2.yara
│ └── APT_Gelsemium_Gelsevirine_June_2021_1.yara
├── 2021-06-18
└── Netfilter
│ ├── MAL_Netfilter_Dropper_Jun_2021_1.yara
│ └── MAL_Netfilter_May_2021_1.yara
├── 2021-06-19
├── Lazarus
│ └── APT_Lazarus_Jun_2021_1.yara
└── MAIL-O
│ └── MAL_MailO_Jun_2021_1.yara
├── 2021-06-20
└── Klingon
│ └── MAL_Klingon_Jun_2021_1.yara
├── 2021-06-23
└── MAL_Gmera_June_2021_1.yara
├── 2021-06-28
└── REvil
│ └── RAN_ELF_REvil_Jun_2021_1.yara
├── 2021-07-02
└── IndigoZebra
│ ├── Mal_BoxCaon_Jul_2021_1.yara
│ └── Mal_xCaon_Jul_2021_1.yara
├── 2021-07-04
├── Bioset
│ └── MAL_ELF_Bioset_Jul_2021_1.yara
├── DarkRadiation
│ ├── RAN_ELK_DarkRadiation_Jul_2021_1.yara
│ ├── RAN_ELK_DarkRadiation_Jul_2021_2.yara
│ └── RAN_ELK_DarkRadiation_Jul_2021_3.yara
└── Specter
│ └── MAL_ELF_Specter_Jul_2021_1.yara
├── 2021-07-06
└── MAL_ELF_Go_Worm_Jul_2021_1.yara
├── 2021-07-08
└── WildPressure
│ └── MAL_Milum_Jul_2021_1.yara
├── 2021-07-11
└── IAmTheKing
│ ├── MAL_JackOfHearts_Jul_2021_1.yara
│ ├── MAL_Keylogger_Jul_2021_1.yara
│ ├── MAL_KingOfHearts_Jul_2021_1.yara
│ ├── MAL_PowerPool_Jul_2021_1.yara
│ ├── MAL_PowerPool_Jul_2021_2.yara
│ ├── MAL_QueenOfClubs_Jul_2021_1.yara
│ ├── MAL_QueenOfHearts_Jul_2021_1.yara
│ ├── MAL_SlothfulMedia_Jul_2021_1.yara
│ └── Tool_ScreenCapture_Jul_2021_1.yara
├── 2021-07-13
└── EvilNum
│ ├── APT_EvilNum_JS_Jul_2021_1.yara
│ ├── APT_EvilNum_LNK_Jul_2021_1.yara
│ ├── decoder.js
│ └── finalJS.js
├── 2021-07-14
├── Infos.csv
└── MAL_Unknown_PE_Jul_2021_1.yara
├── 2021-07-15
└── APT34
│ └── APT_APT34_RDAT_July_2021_1.yara
├── 2021-07-16
└── Crylock
│ └── RAN_Crylock_July_2021_1.yara
├── 2021-07-17
└── BigBoss
│ └── APT_Turla_BigBoss_Apr_2021_1.yara
├── 2021-07-22
└── WIP_Unk_Wiper_July_2021_1.yara
├── 2021-07-25
└── MedusaLocker
│ └── RAN_MedusaLocker_July_2021_1.yara
├── 2021-07-27
└── PlugX
│ └── Mal_PlugX_Thor_July_2021_1.yara
├── 2021-08-01
└── Blackmatter
│ └── RAN_BlackMatter_Aug_2021_1.yara
├── 2021-08-04
└── Kimsuky
│ ├── APT_Kimsuky_PDF_Enc_Shellcode_Aug_2021_1.yara
│ └── APT_Kimsuky_PDF_Shellcode_Aug_2021_1.yara
├── 2021-08-07
└── BreakWin
│ ├── Infos.csv
│ └── WIP_MeteorExpress_Aug_2021_1.yara
├── 2021-08-08
└── medusalocker
│ └── RAN_MedusaLocker_Aug_2021_1.yara
├── 2021-08-09
└── RAN_Haron_Aug_2021_1.yara
├── 2021-08-11
└── QNAPCrypt
│ ├── RAN_ELF_QNAPCrypt_Aug_2021_1.yara
│ └── RAN_ELF_QNAPCrypt_Aug_2021_2.yara
├── 2021-08-13
└── Nitro
│ └── RAN_Nitro_Aug_2021_1.yara
├── 2021-08-14
└── HelloKitty
│ └── RAN_ELF_HelloKitty_Aug_2021_1.yara
├── 2021-08-19
└── Hexane
│ ├── MAL_Milan_Aug_2021_1.yara
│ └── MAL_Shark_Aug_2021_1.yara
├── 2021-08-27
└── FIN7
│ ├── layer2.js
│ └── layer3.js
├── 2021-08-29
├── Lockfile
│ ├── MAL_Kernel_Driver_Aug_2021_1.yara
│ ├── MAL_KillProc_Aug_2021_1.yara
│ ├── MAL_loader_Lockfile_Aug_2021_1.yara
│ ├── RAN_Lockfile_Aug_2021_1.yara
│ ├── RAN_Lockfile_Packed_Aug_2021_1.yara
│ ├── Tool_EFSPotatoe_Aug_2021_1.yara
│ └── Tool_EFSPotatoe_Aug_2021_2.yara
└── Luna
│ └── MAL_Luna_Stealer_Apr_2021_1.yara
├── 2021-08-31
└── Sidoh
│ └── MAL_Sidoh_Stealer_Aug_2021_1.yara
├── 2021-09-01
└── FIN7
│ ├── layer2.js
│ └── layer3.js
├── 2021-09-05
├── MAL_PRIVATELOG_Sep_2021_1.yara
└── MAL_Stashlog_Sep_2021_1.yara
├── 2021-09-09
└── Exp_CVE_2021_40444_Sep_2021_1.yara
├── 2021-09-15
└── Vermilion_Strike
│ ├── MAL_Beacon_Vermilion_Strike_Sep_2021_1.yara
│ ├── MAL_ELF_Vermilion_Strike_Sep_2021_1.yara
│ └── MAL_Stager_Vermilion_Strike_Sep_2021_1.yara
├── 2021-10-14
└── MAL_MysterySnail_RAT_Oct_2021_1.yara
├── 2021-10-23
└── WizardUpdate
│ ├── MAL_OSX_WizardUpdate_Oct_2021_1.yara
│ └── MAL_OSX_WizardUpdate_Oct_2021_2.yara
├── 2021-10-29
└── Hive
│ ├── MAL_BazarLoader_Oct_2021_1.yara
│ ├── MAL_CobaltStrike_Oct_2021_1.yara
│ └── RAN_ELF_Hive_Oct_2021_1.yara
├── 2021-10-30
└── WinDealer
│ ├── MAL_WinDealer_Oct_2021_1.yara
│ └── MAL_WinDealer_Oct_2021_2.yara
├── 2021-11-01
├── Decaf
│ └── RAN_Decaf_Nov_2021_1.yara
├── Exmatter
│ └── EXF_Exmatter_Nov_2021_1.yara
└── Phoenix_Stealer
│ └── MAL_Phoenix_Stealer_Jun_2021_1.yara
├── 2021-11-04
└── RAN_Piton_Nov_2021_1.yara
├── 2021-11-08
└── NGLite
│ ├── MAL_NGLite_Nov_2021_1.yara
│ └── MAL_NGLite_Nov_2021_2.yara
├── 2021-11-09
├── DEV_0322
│ └── UNK_DEV_0322_Jul_2021_1.yara
└── PYSA
│ └── RAN_PYSA_Sept_2021_1.yara
├── 2021-11-10
└── MAL_ELF_Rekoobe_Nov_2021_1.yara
├── 2021-11-11
└── Void_Balaur
│ ├── APK_DroidWatcher_Nov_2021_1.yara
│ └── MAL_ZStealer_Nov_2021_1.yara
├── 2021-11-16
└── MAL_Emotet_Nov_2021_1.yara
├── 2021-11-21
└── EXP_CVE_2021_42321_Nov_2021_1.yara
├── 2021-11-22
└── APT_Tardigrade_Nov_2021_1.yara
├── 2021-11-26
├── EXP_CVE_2021_41379_Nov_2021_1.yara
├── EXP_CVE_2021_41379_Nov_2021_2.yara
├── EXP_CVE_2021_41379_Nov_2021_3.yara
└── InfosVTHits.csv
├── 2021-12-09
└── RAN_ALPHV_Dec_2021_1.yara
├── 2021-12-13
└── APT_APT_C_61_Dec_2021_1.yara
├── 2021-12-16
├── MAL_PseudoManuscrypt_Dec_2021_1.yara
└── RAN_Conti_Dec_2021_1.yara
├── 2021-12-18
└── RAN_Yanluowang_Dec_2021_1.yara
├── 29-01-20
└── IOC.csv
├── 29-11-19
└── DustSquad_Nov19_1.yar
├── README.md
└── TA551
└── TA551_Decoder.js
/03-02-20/lnk_Gamaredon.csv:
--------------------------------------------------------------------------------
1 | Date,Description,WorkingDirectory,LocalBasePath
2 | 15/04/2019,Доступ в Интернет,%userprofile%,C:\Users\USER\win.exe
3 | 15/04/2019,,%userprofile%,C:\Users\USER\winsetup.exe
4 | 16/04/2019,,%userprofile%,C:\Users\USER\winver.exe
5 | 22/05/2019,,%userprofile%,C:\Users\USER\winver.exe
6 | 20/06/2019,,%userprofile%,C:\Users\USER\NTUSER.DAT_036688bz-8cvf-41de-7d4v-004vebcde3es.exe
7 | 02/09/2019,,%userprofile%,C:\Users\USER\AppData\Roaming\Microsoft\Installer\shellscript.vbs
8 |
--------------------------------------------------------------------------------
/18-11-19/JSON/IOC-APT-C-37.json:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "Indicator": "http://192.119.111.4/xx/dv",
4 | "Description": "URL request"
5 | },
6 | {
7 | "Indicator": "http://192.119.111.4/xx/dv.zip",
8 | "Description": "URL request"
9 | },
10 | {
11 | "Indicator": "http://192.119.111.4/xx/f_Skoifa.vbs",
12 | "Description": "URL request"
13 | },
14 | {
15 | "Indicator": "http://192.119.111.4:4587/is-ready",
16 | "Description": "URL request"
17 | },
18 | {
19 | "Indicator": "http://192.119.111.4:4587/is-enum-driver",
20 | "Description": "URL request"
21 | },
22 | {
23 | "Indicator": "http://192.119.111.4:4587/is-sending",
24 | "Description": "URL request"
25 | },
26 | {
27 | "Indicator": "http://192.119.111.4:4587/is-enum-faf",
28 | "Description": "URL request"
29 | },
30 | {
31 | "Indicator": "http://192.119.111.4:4587/is-enum-process",
32 | "Description": "URL request"
33 | },
34 | {
35 | "Indicator": "53b82c6a853582b62a6c56470401783dec61a252aba04d7ebcc1fd36979a5c82",
36 | "Description": "Mshta Dropper"
37 | },
38 | {
39 | "Indicator": "3ea3f1c03e5272aa37de7333a809afebc200ad473c72489fe75bb7e296959fb4",
40 | "Description": "VBS payload"
41 | },
42 | {
43 | "Indicator": "1c3f370c2dc9ff3c68fb11e33b991883c7aedc97d03b88b00870c1b2d5758c3b",
44 | "Description": "Batch payload"
45 | },
46 | {
47 | "Indicator": "FD5BA76F85C9746F7A326B954874F5A6",
48 | "Description": "Hworm"
49 | },
50 | {
51 | "Indicator": "ae41437ded018ed2f5545731a189a85584ed8152b4a5935c0eeac669d69e4a3b",
52 | "Description": "Mshta Dropper"
53 | },
54 | {
55 | "Indicator": "2818ECDE79CEDC1E181D7B69F14840A6",
56 | "Description": "VBS payload"
57 | },
58 | {
59 | "Indicator": "F4355A61D7AC60D3282A9A207A643589",
60 | "Description": "Hworm"
61 | }
62 | ]
63 |
--------------------------------------------------------------------------------
/18-11-19/PatthebearIOC.md:
--------------------------------------------------------------------------------
1 | APT group "Pat the Bear": report on the attack against the Palestinian government
2 | Ref of article
3 | IOC
4 |
5 | |IOC|Description|
6 | | ------------- |:-------------:|
7 | |http://192.119.111.4/xx/dv|URL request|
8 | |http://192.119.111.4/xx/dv.zip|URL request|
9 | |http://192.119.111.4/xx/f_Skoifa.vbs|URL request|
10 | |http://192.119.111.4:4587/is-ready|URL request|
11 | |http://192.119.111.4:4587/is-enum-driver|URL request|
12 | |http://192.119.111.4:4587/is-sending|URL request|
13 | |http://192.119.111.4:4587/is-enum-faf|URL request|
14 | |http://192.119.111.4:4587/is-enum-process|URL request|
15 | |53b82c6a853582b62a6c56470401783dec61a252aba04d7ebcc1fd36979a5c82|Mshta Dropper|
16 | |3ea3f1c03e5272aa37de7333a809afebc200ad473c72489fe75bb7e296959fb4|VBS payload|
17 | |1c3f370c2dc9ff3c68fb11e33b991883c7aedc97d03b88b00870c1b2d5758c3b|Batch payload|
18 | |FD5BA76F85C9746F7A326B954874F5A6|Hworm|
19 | |ae41437ded018ed2f5545731a189a85584ed8152b4a5935c0eeac669d69e4a3b|Mshta Dropper|
20 | |2818ECDE79CEDC1E181D7B69F14840A6|VBS payload|
21 | |F4355A61D7AC60D3282A9A207A643589|Hworm|
22 |
23 | The IOCs above are also exported in JSON (see the JSON folder).
24 |
--------------------------------------------------------------------------------
/18-11-19/TA2101 plays government imposter to distribute malware to German, Italian, and US organizations.md:
--------------------------------------------------------------------------------
1 | TA2101 plays government imposter to distribute malware to German, Italian, and US organizations
2 | Ref of article
3 | IOC
4 |
5 | |IOC|Description|
6 | | ------------- |:-------------:|
7 | |44991186a56b0d86581f2b9cc915e3af426a322d5c4f43a984e6ea38b81b7bed|Document|
8 | |cfd8e3a47036c4eeeb318117c0c23e126aea95d1774dae37d5b6c3de02bdfc2a|Document|
9 | |9f2139cc7c3fad7f133c26015ed3310981de26d7f1481355806f430f9c97e639|Document|
10 | |5f1e512d9ab9b915b1fc925f546ed559cbfa49df53229e2f954a1416cf6f5ee4|Document|
11 | |97043f23defd510607ff43201bb03b9916a23bd71b5bdf97db357e5026732506|Document|
12 | |d617fd4b2d0824e1a7eb9693c6ec6e71447d501d24653a8e99face12136491a8|Document|
13 | |7e3ab96d2628e0a9970802b47d0356dc9b99994d7f98492d4e70a5384891695a|Document|
14 | |antowortensienicht@bzst-infomieren.icu|Spoofed sending domain|
15 | |info@agenziaentrate.icu|Spoofed sending domain|
16 | |antwortensienicht@bzstinform.icu|Spoofed sending domain|
17 | |uspsdelivery-service.com|Spoofed sending domain|
18 | |http://198.50.168.67/wordpack.tmp|Cobalt Strike|
19 | |http://conbase.top/sys.bat|Cobalt Strike|
20 | |http://104.168.198.208/wordupd.tmp|Maze Ransomware|
21 | |http://104.168.215.54/wordupd.tmp|Maze Ransomware|
22 | |http://104.168.174.32/wordupd_3.0.1.tmp|Maze Ransomware|
23 | |http://192.119.68.225/wordupd1.tmp|Buran Ransomware|
24 | |http://108.174.199.10/wordupd3.tmp|Buran Ransomware|
25 | |http://54.39.233.175/wupd19823.tmp|Buran Ransomware|
26 | |http://54.39.233.131/word1.tmp|Buran Ransomware|
27 | |http://104.168.198.230/wordupd.tmp|IcedID|
28 |
29 | The IOCs above are also exported in JSON (see the JSON folder).
30 |
31 | ET and ETPRO Suricata/Snort Signatures
32 |
33 | + ETPRO TROJAN W32.HTTP.Stager Checkin M1
34 | + ET TROJAN Possible Maze Ransomware Activity
35 | + ET TROJAN Observed Buran Ransomware UA (BURAN)
36 | + ET TROJAN Buran Ransomware Activity M2
37 | + ET TROJAN Buran Ransomware Activity M1
38 |
--------------------------------------------------------------------------------
/19-11-19/IOC TA505 Nov19.md:
--------------------------------------------------------------------------------
1 | IOC TA505 November 2019
2 | IOC
3 |
4 | |IOC|Description|
5 | | ------------- |:-------------:|
6 | |b0d4e64c6827871ca63d87a6fd59c036eb26344a6e0dfdce6183e41385f5f592|VBA maldoc|
7 | |b02376d6c0ec692248f95c41dab570dbdd387d31d184f0ab14d529e053ca332e|GET2 downloader|
8 | |b92c0506a0555dcaa2c0fb959ecffca1f7667fbdecccc5e1acaa87b14f88eace|GET2 downloader|
9 | |cb855b21356e6562e5657bcf08a400b7eef69154f80e63616b1693a916902e94|GET2 downloader|
10 | |fda4554fab6726f14fcfc5f62b2be869bd2140d9e6f81ac25c109f498cb60dd1|SDBbot Remote Access Trojan|
11 | |1b007d87657b328d9a3fbed4bdf5bab7a684edbe80387cf9ad71f26c2ad73981|SDBbot Remote Access Trojan|
12 | |5b14e02eceda8f1d37f5d7c3735d2df0ccdb120dd9e4760048d6a6b3e718f2ec|SDBbot Remote Access Trojan|
13 | |2.56.213.20|IP C2|
14 | |208.95.112.1|IP C2|
15 | |microsoft-cnd-en.com|Domain C2|
16 | |drm-server-booking.com|Domain C2|
17 |
18 | The IOCs above are also exported in JSON (see the JSON folder).
19 |
20 |
--------------------------------------------------------------------------------
/19-11-19/JSON/IOC-TA505-Nov19.json:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "Indicator": "b0d4e64c6827871ca63d87a6fd59c036eb26344a6e0dfdce6183e41385f5f592",
4 | "Description": "VBA maldoc"
5 | },
6 | {
7 | "Indicator": "b02376d6c0ec692248f95c41dab570dbdd387d31d184f0ab14d529e053ca332e",
8 | "Description": "GET2 downloader"
9 | },
10 | {
11 | "Indicator": "b92c0506a0555dcaa2c0fb959ecffca1f7667fbdecccc5e1acaa87b14f88eace",
12 | "Description": "GET2 downloader"
13 | },
14 | {
15 | "Indicator": "cb855b21356e6562e5657bcf08a400b7eef69154f80e63616b1693a916902e94",
16 | "Description": "GET2 downloader"
17 | },
18 | {
19 | "Indicator": "fda4554fab6726f14fcfc5f62b2be869bd2140d9e6f81ac25c109f498cb60dd1",
20 | "Description": "SDBbot Remote Access Trojan"
21 | },
22 | {
23 | "Indicator": "1b007d87657b328d9a3fbed4bdf5bab7a684edbe80387cf9ad71f26c2ad73981",
24 | "Description": "SDBbot Remote Access Trojan"
25 | },
26 | {
27 | "Indicator": "5b14e02eceda8f1d37f5d7c3735d2df0ccdb120dd9e4760048d6a6b3e718f2ec",
28 | "Description": "SDBbot Remote Access Trojan"
29 | },
30 | {
31 | "Indicator": "2.56.213.20",
32 | "Description": "IP C2"
33 | },
34 | {
35 | "Indicator": "208.95.112.1",
36 | "Description": "IP C2"
37 | },
38 | {
39 | "Indicator": "microsoft-cnd-en.com",
40 | "Description": "Domain C2"
41 | },
42 | {
43 | "Indicator": "drm-server-booking.com",
44 | "Description": "Domain C2"
45 | }
46 | ]
--------------------------------------------------------------------------------
/20-11-19/APT Silence successfully attacked banks in Africa in October, 2019.md:
--------------------------------------------------------------------------------
1 | APT Silence successfully attacked banks in Africa in October, 2019
2 | Reference: https://twitter.com/Ta1ien/status/1197206492182654976
3 |
4 | |Indicator|Description|
5 | | ------------- |:-------------:|
6 | |1f094dd65be477d15d871e72f0fdce5e||
7 | |adf43c6957fd11e45ffa4f2a71eb0ef565da9c4a9bc9cd101d2ac485b5358c469|dns.dll|
8 | |b7b9afdee000c1ffd248c68408f2226c||
9 | |fead0633975c6c08f5509a7bd5c34d29bfdcacd3da47562efbf33121726f77b0|dttcodexgigas.exe|
10 |
11 | The IOCs above are also exported in JSON (see the JSON folder).
12 |
13 |
14 |
--------------------------------------------------------------------------------
/20-11-19/JSON/APT-Silence.json:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "Indicator": "1f094dd65be477d15d871e72f0fdce5e",
4 | "Description": ""
5 | },
6 | {
7 | "Indicator": "adf43c6957fd11e45ffa4f2a71eb0ef565da9c4a9bc9cd101d2ac485b5358c469",
8 | "Description": "dns.dll"
9 | },
10 | {
11 | "Indicator": "b7b9afdee000c1ffd248c68408f2226c",
12 | "Description": ""
13 | },
14 | {
15 | "Indicator": "fead0633975c6c08f5509a7bd5c34d29bfdcacd3da47562efbf33121726f77b0",
16 | "Description": "dttcodexgigas.exe"
17 | }
18 | ]
--------------------------------------------------------------------------------
/20.21-07-23/HiveNightmare/Exp_CVE_2021_36934_July_2021_1.yara:
--------------------------------------------------------------------------------
1 | rule Exp_CVE_2021_36934_July_2021_1 // Hunting rule for HiveNightmare (CVE-2021-36934) exploit binaries; sample hashes in meta
2 | {
3 | meta:
4 | description = "Detect CVE_2021_36934 exploit (HiveNightmare)"
5 | author = "Arkbird_SOLG"
6 | date = "2021-07-23"
7 | reference = "https://github.com/GossiTheDog/HiveNightmare"
8 | hash1 = "0009d4950559b508353b951a314c5ac0aaae8161751017d3d4681dc805374eaa" // hash1-hash3: 64-hex (SHA-256) reference samples
9 | hash2 = "7baab69f86b50199456c9208624dd16aeb0d18d8a6f2010ee6501a183476f12f"
10 | hash3 = "9035f88894a937892c63ac9a3c6c16301c7ecea7c11cf31d0fd24c39f17c8c2f"
11 | tlp = "white"
12 | adversary = "-"
13 | strings:
14 | $s1 = "\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy" fullword wide // UTF-16 device-path prefix of a VSS shadow copy
15 | $s2 = "Windows\\System32\\config\\SECURITY" fullword wide // $s2-$s4: registry hive paths; these also occur in legitimate backup/forensic tools, so they should not be matched on their own
16 | $s3 = "Windows\\System32\\config\\SYSTEM" fullword wide
17 | $s4 = "Windows\\System32\\config\\SAM" fullword wide
18 | $s5 = "SECURITY-" fullword wide // UTF-16 prefix string; its role is not documented in the rule
19 | $s6 = { 43 6f 75 6c 64 20 6e 6f 74 20 6f 70 65 6e 20 53 45 43 55 52 49 54 59 20 3a } // hex-encoded ASCII "Could not open SECURITY :"
20 | $s7 = { 7a d1 3f 99 5c 2d 21 79 f2 21 3d 00 58 ac 30 7a b5 d1 3f 7e 84 ff 62 3e cf 3d 3d } // opaque byte sequence, presumably a code/data fragment of the referenced samples — not decodable here
21 | condition:
22 | uint16(0) == 0x5A4D and filesize > 50KB and 5 of ($s*) // 0x5A4D is "MZ" (DOS/PE header); any 5 of the 7 strings must match
23 | }
24 |
--------------------------------------------------------------------------------
/20.21-07-23/PetitPotam/Exp_PetitPotam_July_2021_1.yara:
--------------------------------------------------------------------------------
1 | rule Exp_PetitPotam_July_2021_1 // Hunting rule for the local PetitPotam exploit build; sample hash in meta
2 | {
3 | meta:
4 | description = "Detect PetitPotam exploit (local exploit version)"
5 | author = "Arkbird_SOLG"
6 | date = "2021-07-23"
7 | reference = "https://github.com/topotam/PetitPotam"
8 | hash1 = "10cbadc2c82178d3b7bdf96ab39b9e8580ee92c2038728b74d314e506c7a9144" // 64-hex (SHA-256) reference sample
9 | tlp = "white"
10 | adversary = "-"
11 | strings:
12 | $s1 = "\\pipe\\lsarpc" fullword wide // UTF-16 LSARPC named-pipe name; also legitimately referenced by RPC clients, so not distinctive alone
13 | $s2 = { 5c 00 5c 00 25 00 73 00 5c 00 [4-12] 5c 00 [4-12] 00 2e 00 65 00 78 00 65 } // UTF-16 path template "\\%s\...\....exe"; [4-12] are variable-length jumps
14 | $s3 = { 5c 00 5c 00 25 00 73 00 00 00 00 00 6e 00 63 00 61 00 63 00 6e 00 5f 00 6e 00 70 } // UTF-16 "\\%s" followed by "ncacn_np" (RPC named-pipe protocol sequence)
15 | $s4 = { 23 46 69 6c 65 20 45 72 72 6f 72 23 28 25 64 29 20 3a } // ASCII "#File Error#(%d) :"
16 | $s5 = { 43 6c 69 65 6e 74 20 68 6f 6f 6b 20 61 6c 6c 6f 63 61 74 69 6f 6e 20 66 61 69 6c 75 72 65 20 61 74 20 66 69 6c 65 20 25 68 73 20 6c 69 6e 65 20 25 64 } // ASCII "Client hook allocation failure at file %hs line %d"; looks like an MSVC debug-CRT message, so release builds may lack it — verify before relying on it
17 | $s6 = { 50 e8 06 95 ff ff 83 c4 10 c7 85 00 ff ff ff 00 00 00 00 8b 85 00 ff ff ff 50 8d 8d 0c ff ff ff 51 8d 55 dc 52 8b 45 f4 50 e8 4e 7a ff ff 83 c4 10 89 45 e8 83 7d } // appears to be raw x86 code bytes (push/call/add esp pattern) from the sample; relative call targets make this build-specific
18 | $s7 = "Attack success!!!\n" fullword wide // UTF-16 success message printed by the tool
19 | $s8 = { 8b 43 0c 56 83 e8 24 8d 73 20 50 56 8d 45 b4 50 8d 45 e8 50 e8 02 02 00 00 68 b8 52 4f 00 8d 45 b4 50 68 bc 52 4f 00 8d 45 e8 50 8b 43 0c 68 c0 52 4f 00 ff 75 10 83 e8 24 68 cc 52 4f 00 50 68 00 53 4f 00 56 68 0c 53 4f 00 68 20 53 4f 00 68 78 53 4f 00 8d 85 c0 fe ff ff 68 f4 00 00 00 50 e8 4e 91 ff ff 83 c4 4c 8d 85 c0 fe ff ff 50 6a 04 } // appears to be raw x86 code bytes with absolute 0x004Fxxxx addresses; build-specific
20 | $s9 = { 25 73 25 73 25 70 25 73 25 7a 64 25 73 25 64 25 73 25 73 25 73 25 73 25 73 } // ASCII format string "%s%s%p%s%zd%s%d%s%s%s%s%s"
21 | $s10 = { 25 00 6c 00 73 00 28 00 25 00 64 00 29 00 20 00 3a 00 20 00 25 00 6c 00 73 } // UTF-16 format string "%ls(%d) : %ls"
22 | condition:
23 | uint16(0) == 0x5A4D and filesize > 50KB and 7 of ($s*) // 0x5A4D is "MZ" (DOS/PE header); any 7 of the 10 strings must match
24 | }
25 |
--------------------------------------------------------------------------------
/2020-02-09/Garmaredon_EvilGnome.csv:
--------------------------------------------------------------------------------
1 | Date,Type,Indicator,Name
2 | 2020-02-09,SHA256,ac4947a5bac4f4278c1fdb8c27c2d9b97a8fe22722f000739cebc21bda04ac3c,gnome-shell-ext
3 | 2020-02-09,SHA256,0ca075e430cefa13c57323bd6937746df916967a868af8fa20b2ec18e9d862cf,ShellExt_stealth.sh
4 | 2020-02-09,URL Requested,http://init-p01st.push.apple.com/bag,
5 | 2020-02-09,Domain C2,init-p01st.push.apple.com,
6 | 2020-02-09,IP C2,104.91.166.129,
7 | 2020-02-09,SHA256,511b150e3ecc233cbec4e098302ad1e7e12239a2de558421b578a45b80297a86,gnome-shell-ext-updater
8 | 2020-02-09,SHA256,b642a2aaf5b83316485581e547d61775cbd83805e3fa605fe5c7ca7794e36e82,gnome-shell-ext.sh
9 | 2020-02-09,Domain C2,e673.dsce9.akamaiedge.net,
10 | 2020-02-09,Domain C2,e6987.a.akamaiedge.net,
11 | 2020-02-09,Domain C2,cs9.wac.phicdn.net,
12 | 2020-02-09,Domain C2,e6987.e9.akamaiedge.net,
13 | 2020-02-09,Domain C2,gspe1-ssl.ls.apple.com,
14 | 2020-02-09,IP C2,172.224.116.197,
15 | 2020-02-09,IP C2,23.198.5.192,
16 | 2020-02-09,IP C2,72.21.91.29,
17 | 2020-02-09,IP C2,172.224.164.58,
18 | 2020-02-09,IP C2,17.57.144.22,
19 | 2020-02-09,IP C2,17.248.136.118,
20 | 2020-02-09,IP C2,23.204.147.18,
21 | 2020-02-09,IP C2,17.249.25.246,
22 | 2020-02-09,IP C2,17.253.120.204,
23 | 2020-02-09,IP C2,72.247.5.53,
24 | 2020-02-09,IP C2,172.217.11.170,
25 | 2020-02-09,IP C2,34.210.150.241,
26 |
--------------------------------------------------------------------------------
/2020-02-09/Transparent Tribe.csv:
--------------------------------------------------------------------------------
1 | Date,Type,Indicator,Name
2 | 2020-02-09,SHA256,113776d3cc8409da498e898bc5e0cafc1762ce1d49e1a86c56b4d841b06efdf8,SppExtComTel.exe
3 | 2020-02-09,URL Requested,http://awsyscloud.com/E@t!aBbU0le8hiInks/cred!tors.php,
4 | 2020-02-09,Domain C2,awsyscloud.com,
5 | 2020-02-09,IP C2,167.172.176.246,
6 | 2020-02-09,SHA256,662c3b181467a9d2f40a7b632a4b5fe5ddd201a528ba408badbf7b2375ee3553,DSOP_Advance.xls
7 | 2020-02-09,URL Requested,http://www.awsyscloud.com/x64i.scr,
8 | 2020-02-09,URL Requested,http://awsyscloud.com/E@t!aBbU0le8hiInks/cred!tors.php,
9 | 2020-02-09,URL Requested,http://awsyscloud.com/E@t!aBbU0le8hiInks/ballenotapey.php,
10 | 2020-02-09,URL Requested,http://awsyscloud.com/E@t!aBbU0le8hiInks/D/3500/p2ehtHero0paSth3end.dll,
11 | 2020-02-09,URL Requested,http://awsyscloud.com/E@t!aBbU0le8hiInks/B/3500/m1ssh0upUuchCukXanevPozlu.dll,
12 | 2020-02-09,URL Requested,http://awsyscloud.com/H!pT0pNSc3nd/eNn!T5eals/Pon0N.php,
13 | 2020-02-09,URL Requested,http://awsyscloud.com/H!pT0pNSc3nd/eNn!T5eals/Cor2PoRJSet!On.php,
14 | 2020-02-09,URL Requested,http://awsyscloud.com/H!pT0pNSc3nd/eNn!T5eals/f3dlPr00f.php,
15 | 2020-02-09,URL Requested,http://awsyscloud.com/H!pT0pNSc3nd/eNn!T5eals/pR0T5o-Niums.php,
16 | 2020-02-09,URL Requested,http://awsyscloud.com/H!pT0pNSc3nd/eNn!T5eals/Dev3l2Nmpo7nt.php,
17 | 2020-02-09,URL Requested,http://awsyscloud.com/H!pT0pNSc3nd/eNn!T5eals/xwunThedic@t6.php,
18 | 2020-02-09,SHA256,7b455b78698f03c0201b2617fe94c70eb89154568b80e0c9d2a871d648ed6665,x64i.scr
19 | 2020-02-09,SHA256,8e170fab8cdf11b83089706a2bf4a1748844693f4c6f465e7ba89131df089b48,p2ehtHero0paSth3end.dll
20 | 2020-02-09,SHA256,08c0c431f7f63136091854af58cd7f9e6d229f90a9b0fda813c52232c030f6ea,winpotter.dll
21 | 2020-02-09,SHA256,39567c9bbbc038574fd1cf569f4f7cfd68403cd817984186b83098ded2433b2c,SppExtComTel.scr
22 |
--------------------------------------------------------------------------------
/2020-02-10/IRS-IOC.csv:
--------------------------------------------------------------------------------
1 | Date,Type,Indicator,Name
2 | 2020-02-10,URL,http://marcuskirol.online/tempik/screen.exe,
3 | 2020-02-10,SHA256,9a2c0cd6ca4a33f4829e469c18112aaef42b394a1e7b659ba64e1ba11939c9ce,screen.exe
4 | 2020-02-10,URL,http://marcuskirol.online/tempik/ButAgents.txt,
5 | 2020-02-10,URL,http://marcuskirol.online/tempik/LogAgents.txt,
6 | 2020-02-10,URL,http://marcuskirol.online/tempik/aboutBut.php,
7 | 2020-02-10,URL,http://marcuskirol.online/tempik/aboutlog.php,
8 | 2020-02-10,SHA256,7aa823cf867f1bfe31ec245a5505c7fb590b4f8c679beb57410b56289b44ff09,but.exe
9 | 2020-02-10,SHA256,3f42fc9b022fa02c055a5d627f142a4fc83d38c26ee8e6c5ff5093247befe0cb,but.exe_old
10 | 2020-02-10,URL,http://marcuskirol.online/tempik/log.exe,
11 | 2020-02-10,Domain Requested,marcuskirol.online,
12 | 2020-02-10,IP Requested,198.54.120.199,
13 | 2020-02-10,IP C2,162.241.226.28,
14 | 2020-02-10,Domain C2,hypnotheratapes.com,
15 |
--------------------------------------------------------------------------------
/2020-02-13/Unknown_Operation.csv:
--------------------------------------------------------------------------------
1 | Date,Type,Indicator,Name
2 | 2020-02-10,SHA256,29b77b34c44f39c253402d506b623f96f3f5234eebb7ba284f0f8d52bb6d7b2d,process100.dll
3 | 2020-02-10,SHA256,8dbc1fe386f9a60df625d08409ea082beb69c8390324e87360d1b937a6b8cfb3,runtime_report.dll
4 | 2020-02-10,SHA256,495dbde95e696c93ebbec6a1b1a4637bda44a6d6a4aa893ca21076f327c4e5ca,process104.dll
5 | 2020-02-10,SHA256,dba360b855a3fdcd5f3a04481844274cfd5a3fe8778beeeca0318a40ede6ef21,pubpool.dll
6 | 2020-02-10,Domain C2,musicstore.global.ssl.fastly.net,
7 |
--------------------------------------------------------------------------------
/2020-02-14/Dridex.csv:
--------------------------------------------------------------------------------
1 | Date,Type,Indicator,Name
2 | 2020-02-14,SHA256,cba2097f45442dc452c141d1b7f89e16e8227318053e2f42e320e4efd62f7741,inv_635070.doc
3 | 2020-02-14,URL,http://toughdomain.xyz/mz53lzi8ak2vq5q6rdrp/fbzpvm.bin,
4 | 2020-02-14,SHA256,21d0762242818dc6d4213c046e13440780a1894cc548a56496ca789f474913be,fbzpvm.bin
5 | 2020-02-14,Domain Requested,toughdomain.xyz,
6 | 2020-02-14,IP C2,198.167.140.176,
7 | 2020-02-14,IP C2,216.177.137.25,
8 | 2020-02-14,URL,http://fatslimboy.xyz/cprhcohrpmpbbxdofret/mozilla.bin,
9 | 2020-02-14,SHA256,324d5c3821afb54176e5d04671a812310893a3c30162de3dcbd76f41ed4c5ffd,mozilla.bin
10 | 2020-02-14,SHA256,6ac42f582401369b841082c482efb81059949131ded003356dfbb175b67eb56b,kE0JFkpLrX.exe
11 | 2020-02-14,SHA256,36ad92e4b56cf754a0e04b4f564d4f1cdd3f43c621eb95a03d6c7bd11e04cec6,36ad92e4b56cf754a0e04b4f564d4f1cdd3f43c621eb95a03d6c7bd11e04cec6
12 | 2020-02-14,PDB Path,cFJ,
13 | 2020-02-14,IP C2,198.167.140.176,
14 | 2020-02-14,URL,https://198.167.140.176/,
15 | 2020-02-14,SHA256,45435dc57349b7de57a92794b2adf459cee77ef241fa93da8e4b867c6b58991d,AN586226555696.pdf.vbs
16 | 2020-02-14,SHA256,45e0408d3ae2647cb9be835a5277eb7de41c83d8e473d22d5b3772c2f65305fb,designmatter.dll
17 | 2020-02-14,PDB Path,c:\Drive\necessary\Heat\Set\above\cleanduring.pdb,
18 | 2020-02-12,SHA256,8e628a26955831a281170288f7de82168660565bb2269d5b455450fb601cdd43,invoice_159753.htm
19 | 2020-02-12,SHA256,9a7c262e7589f1661d527797bb58c640908a4cd16c93f27bb1ca57d042aaacb1,invoice_159753.doc
20 | 2020-02-12,SHA256,21d0762242818dc6d4213c046e13440780a1894cc548a56496ca789f474913be,Caff54e1.exe
21 | 2020-02-12,URL,http://randomone.xyz/,
22 | 2020-02-12,URL,http://randomone.xyz/invoice_159753.doc,
23 | 2020-02-12,URL,http://bloodborne.xyz/chrome.bin,
24 | 2020-02-12,Domain Requested,randomone.xyz,
25 | 2020-02-12,Domain Requested,bloodborne.xyz,
26 | 2020-02-12,Mutex,DBWinMutex,
27 | 2020-02-12,IP Requested,47.74.48.98,
28 |
--------------------------------------------------------------------------------
/2020-02-21/APT-C-12-lures.csv:
--------------------------------------------------------------------------------
1 | Date,Type,Indicator,Name
2 | 2020-02-21,SHA256,091880728698db599e2b577d629d3bc6c9a9b40370f3ce0b9943cee8cbf20302,2018ǰº£ºÏ×÷ÂÛ̳ÑûÇ뺯.pdf
3 | 2020-02-21,SHA256,0ad09b21b36ddbaa24653953181cc092400eb992aac329bde58952b96dc0aa9d,¡¶¹Û²ìÕßÍø¡·²É·ÃÌá¸Ù.docx
4 | 2020-02-21,SHA256,ca1aea9710219b68fe30b964a526dc82efa08d9032959efd252f7197af1deb21,¡¶»¥ÁªÍø·¢Õ¹£ºÐÅÏ¢Ó붯̬¡·7Ô¿¯Ô¸å.docx
5 | 2020-02-21,SHA256,ab0b6e3a24a4b9f102a58b8536f68ddd560e8b42c16652b9db388ef981bbf165,¡¶Õþ·¨ÍøÂçÓßÇé¡·»áÔ±Õ÷¼¯º¯.doc
6 | 2020-02-21,SHA256,1a7c9ac35f4c89fe4906ee1c512c2fc5306d8d97d7ab44cc7726475923a311f1,¡¶Öйú¹¤É̱¨¡·¹Ù·½Î¢²©×÷Æ·.docx
7 | 2020-02-21,SHA256,140e069093b42d9044c8ccc53cef1b3b0226248b9d7302eb64dcdf92256fa204,²ÌÓ¢ÎĽÓÊÜ·¨ÐÂÉçר·ÃÎÊ´ðÈ«ÎÄ.docx
8 | 2020-02-21,SHA256,fac0bfb2aedea0fde6e4f239cbfd4de9d8db55e6041cf3f62956b2dc50620506,³Âæº+13957937111+¼òÀú.doc
9 | 2020-02-21,SHA256,94aa26bac896f65cfebbb76efa9b7009c658e01e2d52d2da338483c3fb5f3188,¸½¼þ1-2018ǰº£ºÏ×÷ÂÛ̳·½°¸.pdf
10 | 2020-02-21,SHA256,52384bf0f4e694eb030a31f82b74e4fdcb261e11ede4fefa3cc5f2782bdd370b,¸½¼þ2-²Î»á»ØÖ´.docx
11 | 2020-02-21,SHA256,f600c66bc52c84698fb52a1f12d2f50fbe3b64754b226e8adb65f0b44a831dc8,¸½¼þ3-ÉîÛÚÊÐǰº£Ïã¸ÛÉÌ»á¼ò½é.pdf
12 | 2020-02-21,SHA256,e53bfb8826d20be3fc043a08c733221bddc2e1ba394bef9d40144c862ccf377f,ÃÀ¡°ÓÑ̨ÅÉ¡±ÒéÔ±ÓÖ×÷Ñý£¬Ìá¡°2018Äę̂Íå¹ú¼Ê²ÎÓë·¨°¸¡±.docx
13 | 2020-02-21,SHA256,283f88c50234a4b3961384c85124c52878ab6af4801cbc0c86a3e1d779c1c48f,ÃÀ²ÎÒéÔ±Íûͨ¹ýз¨°¸ ³«Òé¼ÓÇ¿ÃÀÓëÑÇÖÞ¶à·½Ãæ³¤ÆÚºÏ×÷.docx
14 | 2020-02-21,SHA256,afe2f381bf7bcb9309db216a3f956dbf05c70da9bce9dcdcabde7ef0c46c01c9,ÃÀÒéÔ±¹Ä¶¯ÌØÀÊÆÕÅׯú¡°Ò»ÖС±Õþ²ßÓę̈Íå¡°¸´½»¡±×¨¼Ò¿ÉÄÜÐÔ΢ºõÆä΢.docx
15 | 2020-02-21,SHA256,f6ca0e0bb33163143867bb496f53a6f329a927c06af0c0ddc9506d3c3fd3d335,æÄ³Ç·Ö¾Ö×£Äú¼¦ÄêÐдóÔË-1.jpg
16 | 2020-02-21,SHA256,6fb39753349dd8811270be863b61d0d42120c3452b8b09964e3e6c1d3ab21b7b,æÄ³Ç·Ö¾Ö×£Äú¼¦ÄêÐдóÔË-2.jpg
17 | 2020-02-21,SHA256,7dc76e3c60fac07d61d6dd183624458cf982b25121bcd6a26090365b0bb089d5,æÄ³Ç·Ö¾Ö×£Äú¼¦ÄêÐдóÔË-3.jpg
18 | 2020-02-21,SHA256,8297b9d4f7f0ffb7a8fa99d5cfe93818cb23ddbd99722dbba59e58fab27a86b9,æÄ³Ç·Ö¾Ö×£Äú¼¦ÄêÐдóÔË-4.jpg
19 | 2020-02-21,SHA256,687535ba02c808d795f4893962f0d9b650cea8df40d1de80ea095befe0064b91,æÄ³Ç·Ö¾Ö×£Äú¼¦ÄêÐдóÔË-5.jpg
20 | 2020-02-21,SHA256,b787ff47b1db14409c5524e4bc5f763e3eb5cec3cf34aa553f2b41501e955737,æÄ³Ç·Ö¾Ö×£Äú¼¦ÄêÐдóÔË-6.jpg
21 | 2020-02-21,SHA256,32b3c6920eb5fcd8bddf55154e6e17453a4f07919216e7df6d84fb3f57a64966,ÖÜÎÄÖØ£º2018²©÷¡ÑÇÖÞÂÛ̳¸Ðлº¯.doc
22 |
--------------------------------------------------------------------------------
/2020-02-21/APT-C-12.csv:
--------------------------------------------------------------------------------
1 | Date,Type,Indicator,Name
2 | 2020-02-21,SHA256,70b6961af57bce72b89103197c8897a4ae3ce5fdb835ccd050f24acbac52900d,Qianhai Cooperation Forum 2018.lnk
3 | 2020-02-21,SHA256,92ad7532f7b6cb5b6812da586ae9c2c6ddf65de38aebf4067853968be20e72a2,FLrzH.w
4 | 2020-02-21,SHA256,19e418cc4dffc7bf0716796a91df351dc0dad33d8801d67b6f2c720b76f70171,nv32_update.bat
5 | 2020-02-21,Domain C2,admin.selectsouthbay.com,
6 | 2020-02-21,IP C2,159.65.74.97,
7 | 2020-02-21,IP C2,159.65.127.93,
8 | 2020-02-21,IP C2,128.199.73.43,
9 | 2020-02-21,SHA256,20ad6fa72982a6ba0f9499361b2aa3a3f5cca73fd397c2969d08a4c5f2866814,Chen Jing s resume works.lnk
10 | 2020-02-21,SHA256,f9ee8f1ca51475397e2c190290c0aeb74a9f8a36bc0b6dfb500af7ca47d45daa,lyNMk.v
11 | 2020-02-21,SHA256,a723cd629134c6d201f94e0e875672f0c45349790e8d8df07329de3f5b4b5d41,nview32_update.bat
12 | 2020-02-21,IP C2,138.197.142.236,
13 | 2020-02-21,IP C2,139.59.238.1,
14 | 2020-02-21,SHA256,b0d7118d75c0f2a99fa5b319148b89148800e5db06ee403d6a31c451a8a54f2b,Zhou Wenzhong Thank you letter for Boao Forum for Asia 2018.lnk
15 | 2020-02-21,SHA256,b8e53a47659a4a49db71814188bc9ce897d16900924fa0ee785af72cec8199bd,nview32_update.bat
16 | 2020-02-21,IP C2,139.59.226.29,
17 | 2020-02-21,IP C2,88.226.144.42,
18 | 2020-02-21,IP C2,162.243.189.2,
19 | 2020-02-21,SHA256,ea6e7c9b9110c7c21062908be51dd3f881490b40b9b77a534fdc7812ab5cd2af,Politics and Law Network Public Opinion Member Application.lnk
20 | 2020-02-21,SHA256,b3dee4d1be921a4b15ed01c554b7b31e4f7b147d22027b46b83b49f83cb0ffaa,nview32_update.bat
21 | 2020-02-21,IP C2,138.197.142.236,
22 | 2020-02-21,IP C2,162.243.189.2,
23 | 2020-02-21,IP C2,139.59.238.1,
24 | 2020-02-21,SHA256,6ccad83fb9f7a50ac95e3e865a27be0288279e76fcd3b5af495c6fcf6d58fa36,Observer Network Interview Outline and Related News Attachments.lnk
25 | 2020-02-21,SHA256,a76cb406145b1e094a8ec46ae0cf959495bfa4aa19ccf6b48353cc459c00005b,SwYLR.T
26 | 2020-02-21,SHA256,dff34282032e731312b05501e27f3166d81b349f5b668a907d33ef3525cafb1e,nv32_update.bat
27 | 2020-02-21,IP C2,59.73.16.165,
28 | 2020-02-21,IP C2,178.128.110.214,
29 | 2020-02-21,IP C2,198.211.118.118,
30 |
--------------------------------------------------------------------------------
/2020-02-21/TA505.csv:
--------------------------------------------------------------------------------
1 | Date,Type,Indicator,Name
2 | 2020-02-21,URL,https://dl-0074957.owncloud-cdn.com/download.php,
3 | 2020-02-21,URL,https://dl-0086534.owncloud-cdn.com/download.php,
4 | 2020-02-21,SHA256,f94ab13cc2279035e83c26427093967c77ebc9c890eb2cf01a4f71636a27a6ad,49301143.XLS
5 | 2020-02-21,SHA256,23022fb252ce39c3e616abb4289f29fc6f920da420526a4f588000817bf013f9,49301143.XLS
6 | 2020-02-21,SHA256,bd69331d7a89cc8b9d2b0ac00dd212758386514c466851504289112e2fb4cf98,stadr_.dll
7 | 2020-02-21,Domain Request,dl-0074957.owncloud-cdn.com,
8 | 2020-02-21,Domain Request,dl-0086534.owncloud-cdn.com,
9 | 2020-02-21,Domain C2,microsoft-ware.com,
10 | 2020-02-21,IP Request,195.123.240.160,
11 | 2020-02-21,IP C2,45.66.250.112,
12 |
--------------------------------------------------------------------------------
/2020-02-25/TA505.csv:
--------------------------------------------------------------------------------
1 | Date,Type,Indicator,Name
2 | 2020-02-25,SHA256,8de1a29a04c1484dc4e47eed82acdb85924ea95fb645bf04bc6d4c1390b134ec,P278874_250220.xls
3 | 2020-02-25,SHA256,341189f31b39ab16aa7454d683c46b5e3f2a8b693b842fcb0d129502d8e5fe5b,stadr_.dll
4 | 2020-02-25,Domain Request,mays-ltd.com,
5 | 2020-02-25,IP Request,94.130.99.231,
6 | 2020-02-25,URL,https://cdn-server.int-download.com/download.php,
7 | 2020-02-25,SHA256,1dc986a03adc09930b4205a170dd84fd7c0cb2f7f3855fb307982e230696f0c0,download.xls
8 | 2020-02-25,URL,https://app-0947.att-download.com/download.php,
9 | 2020-02-25,Domain Request,app-0947.att-download.com,
10 | 2020-02-25,URL,https://app-0029.att-download.com/download.php,
11 | 2020-02-25,Domain Request,app-0029.att-download.com,
12 | 2020-02-25,Domain Request,att-download.com,
13 | 2020-02-25,IP Request,185.14.30.60,
14 | 2020-02-24,URL,cdn-007538.share-clouds.com/download.php,
15 | 2020-02-24,URL,cdn-004734.share-clouds.com/download.php,
16 | 2020-02-24,Domain Request,cdn-007538.share-clouds.com,
17 | 2020-02-24,Domain Request,cdn-004734.share-clouds.com,
18 | 2020-02-24,Domain Request,share-clouds.com,
19 | 2020-02-24,IP Request,107.160.141.35,
20 |
--------------------------------------------------------------------------------
/2020-03-17/Chinese_Backdoors.csv:
--------------------------------------------------------------------------------
1 | SHA-256,Vhash,File type,File size,Filename,Creation Time,First Submission,Last Submission,Last Analysis
2 | 87a57f5bb976644fce146e62ee54f3e53096f37f24884d312ab92198eb1e6549,094036651d5088z2e!z,Win32 EXE,92.00 KB,deviceserve.exe,2020-02-11 06:54:40,2020-02-22 22:23:18,2020-02-22 22:23:18,2020-02-26 07:18:28
3 | 06d20fb5894c291fca07021800e7e529371372abff6db310c0cbc100cf9ad9f9,054046655d1510f8z2218017z13z23zc1zc1z41a5z,Win32 EXE,58.00 KB,device.exe,2020-02-10 15:14:37,2020-02-22 22:24:17,2020-02-22 22:24:17,2020-02-26 07:28:25
4 | 59759bbdfc1a37626d99dd260e298a1285ff006035ab83b7a37561e2884fd471,054046655d15119z2518017z13z23zc1zc1z41a5z,Win32 EXE,58.50 KB,mfc,2020-01-14 01:18:21,2020-03-04 11:40:46,2020-03-04 11:40:46,2020-03-09 07:34:08
5 | 169c24f0ad3969fe99ff2bf205ead067222781a88d735378f41a9822c620a535,054046655d15119z2518017z13z23zc1zc1z41a5z,Win32 EXE,58.50 KB,mfc,2020-01-14 01:18:21,2020-03-06 14:26:47,2020-03-06 14:26:47,2020-03-11 08:25:35
6 | 8ac21275d0db7f3e990551f343e16ac105d6a513810ff71934de4855999cc9c5,054046655d15119z2518017z13z23zc1zc1z41a5z,Win32 EXE,56.50 KB,mfc,2019-12-22 03:56:40,2019-12-28 13:20:50,2020-03-05 19:06:19,2020-03-05 19:06:19
7 |
--------------------------------------------------------------------------------
/2020-04-29/Yara_Rule_APT_Bazar-April_2020_1.yar:
--------------------------------------------------------------------------------
1 | import "pe"
2 |
3 | rule Backdoor_APT_Nazar_April_2020_1 { // String-based detection of the Nazar backdoor components (keylogger hook DLL, capture output files); the "pe" module imported above is not referenced by this rule's condition
4 | meta:
5 | description = "Detect strings used by APT Nazar"
6 | author = "Arkbird_SOLG"
7 | reference = "Internal research"
8 | date = "2020-04-29"
9 | modified = "2023-11-22"
10 | hash1 = "2fe9b76496a9480273357b6d35c012809bfa3ae8976813a7f5f4959402e3fbb6" // reference sample the strings were taken from
11 | strings:
12 | $s1 = "101;0000;" fullword ascii // string sent with the ping (beacon) message
13 | $s2 = "hodll.dll" fullword ascii // DLL used for the hook
14 | $s3 = { 70 73 73 64 6B ?? ?? 2E 73 79 73 } // pssdkxx.sys -- PSSDK Driver Protocol vx.x 32bit from microOLAP Technologies LTD.; the two wildcard bytes cover the version digits
15 | $s4 = { 70 73 73 64 6B ?? ?? 2E 76 78 64 } // pssdkxx.vxd -- vxd profile of the same driver
16 | $s5 = "##$$%%&&''(())**++,,--..//0123456789:;<=>?" fullword ascii // base characters (character table)
17 | $s6 = "SYSTEM\\CurrentControlSet\\Services\\VxD\\MSTCP" fullword ascii // Microsoft TCP/IP stack settings registry key
18 | $s7 = "removehook" fullword ascii // stop keylogger
19 | $s8 = "installhook" fullword ascii // start keylogger
20 | $s9 = "_crt_debugger_hook" fullword ascii // original note: start hook for keylogger. NOTE(review): this is also a standard MSVC CRT symbol present in most MSVC-built binaries, so on its own it adds little specificity
21 | $s10 = "\\Files.txt" fullword ascii // list of files found
22 | $s11 = "\\report.txt" fullword ascii // data of the keystrokes captured
23 | $s12 = "\\Programs.txt" fullword ascii // list of programs found
24 | $s13 = "\\Devices.txt" fullword ascii // list of devices found
25 | $s14 = "\\music.mp3" fullword ascii // name of the audio capture file
26 | $s15 = "\\z.png" fullword ascii // name of the screenshot file
27 | condition:
28 | 12 of them and filesize > 120KB // at least 12 of the 15 strings; the size check is a lower bound only (no upper bound) -- confirm this is intended
29 | }
30 |
--------------------------------------------------------------------------------
/2020-06-05/Casbaneiro/Casbaneiro_stealer.yar:
--------------------------------------------------------------------------------
1 | import "pe"
2 |
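3 | rule Malware_Casbaneiro_MSI { // Detects the MSI package used by Casbaneiro; the "pe" module imported above is not referenced by this rule's condition
4 | meta:
5 | description = "Detect MSIPackage used by Casbaneiro"
6 | author = "Arkbird_SOLG"
7 | reference = "https://twitter.com/JAMESWT_MHT/status/1268811438707159040"
8 | date = "2020-06-05"
9 | hash1 = "8e77a2e1d30600db01a8481d232b601581faee02b7ec44c1ad9d74ec3544ba7d" // reference sample
10 | strings:
11 | $x1 = "C:\\Branch\\win\\Release\\custact\\x86\\vmdetect.pdb" fullword ascii // PDB path of a custom-action DLL (vmdetect); $x1/$s2 presumably are installer-framework custom-action build artefacts -- confirm
12 | $s2 = "C:\\Branch\\win\\Release\\custact\\\\x86\\AICustAct.pdb" fullword ascii // the doubled backslash before x86 is part of the pattern as captured
13 | $s3 = ";!@Install@!UTF-8!\\nTitle=\"Mozilla Firefox\"\\nRunProgram=\"setup-stub.exe\"\\n;!@InstallEnd@!7z" fullword ascii // 7-Zip SFX install script header carrying a "Mozilla Firefox" title and setup-stub.exe as the run program
14 | $s4 = "__MOZCUSTOM__:campaign%3D%2528not%2Bset%2529%26content%3D%2528not%2Bset%2529%26medium%3Dreferral%26source%3Dwww.google.com" fullword ascii // Mozilla installer attribution/campaign string (URL-encoded)
15 | $s5 = "https://www.mozilla.com0\\r" fullword wide
16 | $s6 = "__CxxFrameHandler" fullword ascii // generic MSVC C++ exception-handling symbol -- low specificity on its own
17 | $s7 = "release+certificates@mozilla.com" fullword ascii
18 | $s8 = "setup-stub.exe" fullword ascii
19 | $s9 = "7zS.sfx.exe" fullword ascii
20 | condition:
21 | uint16(0) == 0xcfd0 and filesize > 100KB and 7 of them // header check fixed: uint16() is little-endian, so the OLE Compound File magic bytes D0 CF (the MSI container) read as 0xCFD0 -- the previous 0xd0cf could never match an MSI (compare the 0x5a4d test used for MZ elsewhere). Size is a lower bound only. NOTE(review): most $s strings are generic Firefox-installer artefacts, so specificity rests on the OLE check plus the 7-of-9 threshold; a legitimately repackaged Firefox installer may also match -- confirm on known-good samples
22 | }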
23 |
--------------------------------------------------------------------------------
/2020-06-07/NK_Rivts_Feb_2009_1.yar:
--------------------------------------------------------------------------------
1 | import "pe"
2 |
3 | rule APT_MAL_NK_Rivts_Feb_2009_1 { // Detects the Rivts malware attributed to a North Korean APT; the "pe" module imported above is not referenced by this rule's condition. NOTE(review): "Feb_2009" in the rule name does not match the meta date (2020-06-17) -- presumably the sample era; confirm
4 | meta:
5 | description = "Detect Rivts malware used by NK APT"
6 | author = "Arkbird_SOLG"
7 | reference = "https://twitter.com/Arkbird_SOLG/status/1272674621381361672"
8 | date = "2020-06-17"
9 | hash1 = "244885b47ec2157a8ea9278bec3ea1883f45d97b1fcb78d4fa875bef0f329a97" // reference sample
10 | strings:
11 | $s1 = "F:\\meWork\\ksj\\Test\\testVir-ga\\testvir_non\\Debug\\testvir_non.pdb" fullword ascii // debug PDB path left in the binary
12 | $s2 = "\\\\.\\pipe\\TESTVIR1PIPE" fullword ascii // named pipe
13 | $s3 = "\\system32\\Hana80.exe" fullword ascii // executable path referenced by the sample
14 | $s4 = "\\system32\\nnr60.exe" fullword ascii // executable path referenced by the sample
15 | $s5 = { 54 45 53 54 56 49 52 31 5f 45 56 45 4e 54 5f 4f 42 4a } /* TESTVIR1_EVENT_OBJ -- presumably an event object name */
16 | $s6 = "INFECT" fullword ascii
17 | $s7 = { 54 45 53 54 5f 5f 5f 41 43 43 45 53 53 5f 44 49 52 } /* TEST___ACCESS_DIR */
18 | $s8 = { 2e 70 69 66 } /* .pif -- 4-byte extension pattern, very low specificity on its own */
19 | $s9 = { 2f 2f 2f 2f 44 41 45 4d 4f 4e } /* ////DAEMON */
20 | condition:
21 | uint16(0) == 0x5a4d and filesize < 100KB and 7 of them // MZ header, under 100KB, at least 7 of the 9 strings
22 | }
23 |
--------------------------------------------------------------------------------
/2020-06-15/Lazarus/Survey_hits_Yara.csv:
--------------------------------------------------------------------------------
1 | "MD5","SHA-256","Vhash","File type","File size","Filename","Creation Time","First Submission","Last Submission","Last Analysis"
2 | "ccdb051ad65d9f443206d659427d155f","916654e2ee43d2ee43f0d5e9d41f8527aaf239684f91f9b92ac5c1937cd45c91","165066651d1555155az5ejz2iz5","Win32 DLL","639.50 KB (654848 bytes)","imagestore.exe","2020-05-26 21:09:04","2020-06-13 04:40:46","2020-06-14 21:27:00","2020-06-14 21:27:00"
3 | "2a9e49fc80fe5124ac98ff5b874fb4d4","eab9136da8cc5c1a8a9fc528d64ef1ce11e385def98957712887785178e202a3","165066651d1555155az5ejz2iz5","Win32 DLL","659.50 KB (675328 bytes)","imagestore.exe","2020-06-03 02:28:52","2020-06-10 20:46:09","2020-06-11 21:35:43","2020-06-15 02:40:55"
4 | "84aa5a019b9c50118a9a42a197358060","4dc302e1f7cf8bdc4983fdf02cf5b13bcd9314bb87953b9c6797187700192665","125056651d15156az4d?z1","Win32 DLL","201.00 KB (205824 bytes)","MaintenanceService.exe","2020-05-18 00:29:20","2020-06-06 04:26:16","2020-06-06 04:26:16","2020-06-10 16:43:01"
5 | "b981a4624183e721a3784426c69b2f59","ca3372bb37e7109896c28247faadd157759d5e68ac324a54ff0759590f956094","025066651d1555155028z5kz1jz","Win32 EXE","241.50 KB (247296 bytes)","MaintenanceService.exe","2020-05-11 09:14:00","2020-06-05 02:01:55","2020-06-05 02:01:55","2020-06-08 23:44:09"
6 | "a90f62abee9a761a9576a33ae99b583c","6f79db3e7fa1f3c9e1ea2e0fe098994f109949f82b97c6612386693164d3c7e2","025066651d1555155028z5kz1jz","Win32 EXE","238.50 KB (244224 bytes)","MaintenanceService.exe","2020-05-09 03:24:49","2020-06-06 04:22:19","2020-06-06 04:22:19","2020-06-08 23:43:56"
7 |
--------------------------------------------------------------------------------
/2020-06-22/APT_MAL_Donot_Loader_June_2020_1.yar:
--------------------------------------------------------------------------------
1 | import "pe"
2 |
3 | rule APT_MAL_Donot_Loader_June_2020_1 { // Detects the Donot loader that drops the final stage; the "pe" module imported above is not referenced by this rule's condition
4 | meta:
5 | description = "Detect loader malware used by APT Donot for drops the final stage"
6 | author = "Arkbird_SOLG"
7 | reference = "https://twitter.com/ccxsaber/status/1274978583463649281"
8 | date = "2020-06-22"
9 | hash1 = "1ff33d1c630db0a0b8b27423f32d15cc9ef867349ac71840aed47c90c526bb6b" // reference sample
10 | strings:
11 | $s1 = "C:\\Users\\spartan\\Documents\\Visual Studio 2010\\new projects\\frontend\\Release\\test.pdb" fullword ascii // PDB path left in the binary -- the most specific indicator here
12 | $s2 = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36 Edg/81.0.416.68" fullword ascii // hard-coded User-Agent (Edge 81); presumably used for the download request -- confirm
13 | $s3 = "bbLorkybbYngxkjbb]khbbmgvjgz4k~k" fullword ascii // looks like an encoded/obfuscated string -- decoding not confirmed
14 | $s4 = "8&8-8X8.959?9Q9h9v9|9" fullword ascii // NOTE(review): $s4-$s6, $s8 and $s9 look like printable runs from relocation/data tables rather than meaningful strings; expect them to be brittle across builds
15 | $s5 = "0$0h4h5l5p5t5x5|5" fullword ascii
16 | $s6 = "?&?+?1?7?M?T?g?z?" fullword ascii
17 | $s7 = "12.02.1245" fullword ascii // version-like string
18 | $s8 = ">>?C?L?[?~?" fullword ascii
19 | $s9 = "6*6=6P6b6" fullword ascii
20 | condition:
21 | uint16(0) == 0x5a4d and filesize < 30KB and 7 of them // MZ header, under 30KB, at least 7 of the 9 strings
22 | }
23 |
--------------------------------------------------------------------------------
/2020-06-25/IOC-WastedLocker-2020-06-25.csv:
--------------------------------------------------------------------------------
1 | MD5,SHA-256,Vhash,File type,File size,Filename,Creation Time,First Submission,Last Submission,Last Analysis
2 | 3208a14c9bad334e331febe00f1e9734,85f391ecd480711401f6da2f371156f995dd5cff7580f37791e79e62b91fd9eb,085046151d555015z90022nz8fz,Win32 EXE,848.39 KB (868752 bytes),still.bin,19-06-2020 18:47,20-06-2020 23:17,20-06-2020 23:17,24-06-2020 03:05
3 | edbf07eaca4fff5f2d3f045567a9dc6f,ed0632acb266a4ec3f51dd803c8025bccd654e53c64eb613e203c590897079b3,095046151d557015z1004dnz2fz,Win32 EXE,951.39 KB (974224 bytes),IDMipdate.exe,11-06-2020 19:20,17-06-2020 03:31,17-06-2020 03:31,23-06-2020 23:21
4 | 572fea5f025df78f2d316216fbeee52e,5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367,0160361d156015z21z5hz63z3fz,Win32 EXE,1.03 MB (1076112 bytes),Launchy.exe,11-06-2020 04:10,15-06-2020 21:51,15-06-2020 21:51,24-06-2020 22:05
5 | 6b20ef8fb494cc6e455220356de298d0,887aac61771af200f7e58bf0d02cb96d9befa11deda4e448f0a700ccb186ce9d,016046151d156025z31z4hz63z4fz,Win32 EXE,1.08 MB (1130896 bytes),Launchy.exe,29-05-2020 19:12,01-06-2020 21:22,01-06-2020 21:22,21-06-2020 08:21
6 | 0ed2ca539a01cdb86c88a9a1604b2005,bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8,064056655d15755178z462z171z17z10ajz,Win32 EXE,60.00 KB (61440 bytes),Hea,26-05-2020 17:46,07-06-2020 12:08,07-06-2020 12:08,17-06-2020 13:50
7 | 58ffddb4b62cc757a99d35174a3d084e,817704ed2f654929623d9d3e4b71ce0082ef4eadb3fe2d80c726e874dc6952a3,015056651d15751az5f3z3dz4jz,Win32 EXE,104.00 KB (106496 bytes),817704ed2f654929623d9d3e4b71ce0082ef4eadb3fe2d80c726e874dc6952a3.sample,26-05-2020 17:46,21-06-2020 00:07,21-06-2020 00:07,24-06-2020 16:55
8 | f67ea8e471e827e4b7b65b65647d1d46,e3bf41de3a7edf556d43b6196652aa036e48a602bb3f7c98af9dae992222a8eb,016046151d556025z41zbhz63z6fz,Win32 EXE,1.07 MB (1126288 bytes),Launchy.exe,16-05-2020 06:58,27-05-2020 13:56,27-05-2020 13:56,23-06-2020 21:26
9 | ecb00e9a61f99a7d4c90723294986bbc,8897db876553f942b2eb4005f8475a232bafb82a50ca7761a621842e894a3d80,054056655d15755178z462z171z17z20ajz,Win32 EXE,56.00 KB (57344 bytes),ecb00e9a61f99a7d4c90723294986bbc.virus,15-04-2020 18:07,04-06-2020 16:36,04-06-2020 17:55,17-06-2020 13:59
10 |
--------------------------------------------------------------------------------
/2020-06-28/APT28_Zekapab_June_2020_1.yar:
--------------------------------------------------------------------------------
1 | import "pe"
2 |
3 | rule APT28_Zekapab_June_2020_1 { // Detects the Delphi variant of Zekapab (APT28) via hex-encoded strings, Delphi runtime artefacts, or the import hash
4 | meta:
5 | description = "Detect Delphi variant of Zekapab"
6 | author = "Arkbird_SOLG"
7 | reference = "https://twitter.com/DrunkBinary/status/1276573779037163520"
8 | date = "2020-06-28"
9 | hash1 = "12879b9d8ae046ca2f2ebcc7b1948afc44e6e654b7f4746e7a5243267cfd7c46" // reference sample
10 | strings:
11 | $s1 = "54484520494E535452554354494F4E2041542030783763663538326164205245464552454E434544204D454D4F525920415420307830303030303030302E2054" ascii /* hex encoded string 'THE INSTRUCTION AT 0x7cf582ad REFERENCED MEMORY AT 0x00000000. THE MEMORY COULD NOT BE READ.' -- presumably a decoy error message; confirm */
12 | $s2 = "Mozilla/3.0 (compatible; Indy Library)" fullword ascii // default User-Agent of the Indy networking library for Delphi
13 | $s3 = "5C4164646974696F6E735C73616D636C69656E742E657865" ascii /* hex encoded string '\Additions\samclient.exe' */
14 | $s4 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes" fullword ascii // registry path
15 | $s5 = "\\SYSTEM\\CurrentControlSet\\Control\\Keyboard Layouts\\" fullword ascii // registry path
16 | $s6 = "Software\\Borland\\Delphi\\Locales" fullword ascii // $s6-$s9: Delphi/Borland runtime artefacts -- generic to Delphi binaries, low specificity individually
17 | $s7 = "SOFTWARE\\Borland\\Delphi\\RTL" fullword ascii
18 | $s8 = "Software\\Borland\\Locales" fullword ascii
19 | $s9 = "FastMM Borland Edition" fullword ascii
20 | $s10 = "#7@Qhq\\1@NWgyxeH\\_bpdgc" fullword ascii
21 | $s11 = "4150504C49434154494F4E204552524F52" ascii /* hex encoded string 'APPLICATION ERROR' */
22 | $s12 = "436D442E457865202F6320" ascii /* hex encoded string 'CmD.Exe /c ' */
23 | $s13 = "6572726F72" ascii /* hex encoded string 'error' */
24 | $s14 = "WndProcPtr" fullword ascii
25 | $s15 = "Request.UserAgent" fullword ascii
26 | $s16 = "ProxyPassword<" fullword ascii
27 | condition:
28 | uint16(0) == 0x5a4d and filesize < 300KB and ( pe.imphash() == "dbdfe8b60c1de0a9201044b3e91b9502" or 12 of them ) // MZ header, under 300KB; matches on the known import hash alone, otherwise on at least 12 of the 16 strings
29 | }
30 |
--------------------------------------------------------------------------------
/2020-06-28/APT_NK_Lazarus_Implant_June_2020_1.yar:
--------------------------------------------------------------------------------
1 | import "pe"
2 |
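3 | rule APT_NK_Lazarus_Implant_June_2020_1 { // Detects the June 2020 Lazarus implant via its HTTP beacon strings or the import hash
4 | meta:
5 | description = "Detect Lazarus implant June 2020"
6 | author = "Arkbird_SOLG"
7 | reference = "https://twitter.com/ccxsaber/status/1277064824434745345"
8 | date = "2020-06-28"
9 | hash1 = "21afaceee5fab15948a5a724222c948ad17cad181bf514a680267abcce186831" // reference sample
10 | strings:
11 | $s1 = "Upgrade.exe" fullword ascii /* Based pattern on samples */
12 | $s2 = "ver=%d&timestamp=%lu" fullword ascii // POST body format string. Fixed from "ver=%d×tamp=%lu": "&times" had been turned into the HTML entity "×", which made the pattern non-ASCII and unmatchable against the sample
13 | $s3 = "_update.php" fullword ascii /* Based pattern on URL C2 */
14 | $s4 = "Dorusio Wallet 2.1.0 (Check Update Windows)" fullword wide // wallet-themed title/lure string; presumably the visible window text -- confirm
15 | $s5 = "Content-Type: application/x-www-form-urlencoded" fullword ascii // HTTP header used with the form-encoded beacon body
16 | $s6 = "CONOUT$" fullword ascii
17 | $s7 = "D$8fD;i" fullword ascii /* Lazarus gems -- looks like a code-byte artefact rather than a real string; brittle across builds */
18 | $s8 = "WinHttpOpenRequest" fullword ascii // WinHTTP API name
19 | $s9 = "HTTP/1.0" fullword ascii
20 | $s10 = "POST" fullword ascii
21 | condition:
22 | uint16(0) == 0x5a4d and filesize < 30KB and ( pe.imphash() == "565005404f00b7def4499142ade5e3dd" or 6 of them ) // MZ header, under 30KB; matches on the known import hash alone, otherwise on at least 6 of the 10 strings
23 | }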
24 |
--------------------------------------------------------------------------------
/2020-07-06/Donot/IOC-Donot-2020-07-06.csv:
--------------------------------------------------------------------------------
1 | "MD5","SHA-256","Vhash","File type","File size","Filename","Creation Time","First Submission","Last Submission","Last Analysis"
2 | "1d1fb7aba66794303afc6b5420068231","1e6e568e2fccfeb2e0275982d5637e0be6d0ba4575685126d957061bf2d19678","8e794e8bb4a809c02d8dd6e216415fb46","Rich Text Format","1.65 MB (1734745 bytes)","178P.rtf","2019-12-26 11:48:00","2020-06-23 16:28:20","2020-06-23 16:28:20","2020-06-24 02:09:20"
3 | "b19f5719b3443ad8d2585e8eb4eebc80","8e2f1bf1cf0ee21907de4bb0ee23a4bfc06afd1e2776a76f9fe1bb0c728a5414","88f0183366d39319cf5e426f4320df26e","Rich Text Format","161.15 KB (165017 bytes)","1806XP.rtf","2020-06-18 21:55:00","2020-07-06 02:23:29","2020-07-06 02:23:29","2020-07-06 02:23:29"
4 | "5ad591a0c8b8689a5337acf675d8119f","4c5c43f4932ac497c716bb5ec30a7636e5056775a4d5f3f48b9e5c1414b9f7b3","8e794e8bb4a809c02d8dd6e216415fb46","Rich Text Format","1.65 MB (1734718 bytes)","248P.rtf","2019-12-26 11:48:00","2020-07-05 07:21:09","2020-07-06 10:58:52","2020-07-06 10:58:52"
5 | "2ef8dbe494ce10bbf5a1a85f55bb1030","1e2f23f0bcac6ae9e9fb7febe74b2a4bb0ccf9a08bee3b95254a6b2e4973eb91","8e794e8bb4a809c02d8dd6e216415fb46","Rich Text Format","1.43 MB (1499407 bytes)","308P.rtf","2019-12-26 11:48:00","2020-07-06 02:21:37","2020-07-06 02:21:37","2020-07-06 02:21:37"
6 | "fe52193cc2d0ed526468914c74f3bd7c","9b34f53ddc20d5ea2f7b47818ed2e7d626948256268cb4e2b11e47ecaf9a839a","135056655d15151az4f9z65z2lz","Win32 DLL","345.00 KB (353280 bytes)","vetu.dll","2020-06-17 16:34:35","2020-07-05 11:04:42","2020-07-05 11:04:42","2020-07-06 02:19:33"
7 | "0474325cfc9bb94ada64c4ac026cf0f6","563463dca03d5d1d64d11465d2a511f995254663194032a891fd5491c4062cff","145056655d15755018z68z5065z22z11ez1","Win32 DLL","464.50 KB (475648 bytes)","cvent.dll","2020-06-17 16:35:26","2020-07-05 17:59:59","2020-07-05 17:59:59","2020-07-05 17:59:59"
8 | "e7ea5e853bf24762f849a1edec3c09b3","8426c1ef563077a8f6df9e1555ac65aeae3ade47ad829b4655aedfb18a5ceada","145056655d15755018z68z5065z22z11ez1","Win32 DLL","464.50 KB (475648 bytes)","mecru.dll","2020-06-17 15:13:53","2020-06-24 19:04:05","2020-06-24 19:04:05","2020-06-24 19:04:05"
9 | "27fe3cb424c1711ea61eb712850bda93","e291a146f79d927d18392a04d238d829c0df156410e4d93636aee1b5663db914","135056655d15151az4f9z65z2lz","Win32 DLL","345.00 KB (353280 bytes)","vetu.dll","2020-06-17 14:46:37","2020-06-23 20:06:21","2020-06-23 20:06:21","2020-06-23 20:06:21"
10 |
--------------------------------------------------------------------------------
/2020-07-09/IOC_2020_07_09.csv:
--------------------------------------------------------------------------------
1 | Parent,Packer,Hash
2 | 5a69c76991e5c1b6d2f46d9a300fa8902d3ff6fb6afcebeee91697743b0542b7,UPX,9939489f4ae959e8da02395d36d1d08d0f99e75731c0561454222d8a8b817262
3 | a6964b245e70a97f8633616ede2122a72b6e159a70874beb1d8b3aba26b510dc,UPX,ce3c220728c7e22791a10946f7d941e8ae8629bb3418610e3aa3c9b2b2ff440f
4 | c25c1698395a2edd315158035660df240ab7e5cd43288fa87f207e07eec82d56,VMProtect,47b2b56c961cdc78bf06eed30737232ba99424b51648418bacacd522a12ad339
5 |
--------------------------------------------------------------------------------
/2020-07-09/MAL_Stealer_Cookie_July_2020_1.yar:
--------------------------------------------------------------------------------
1 | import "pe"
2 |
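3 | rule MAL_Stealer_Cookie_July_2020_1 { // Detects a cookie stealer that embeds NirSoft ChromeCookiesView/EdgeCookiesView in its resources and targets Facebook ad-account API endpoints; matches on import hash or on string groups
4 | meta:
5 | description = "Detect strings used by EdgeCookiesView and ChromeCookiesView in the ressources of the Cookie Stealer"
6 | author = "Arkbird_SOLG"
7 | reference = "https://twitter.com/JAMESWT_MHT/status/1281154921811841026"
8 | date = "2020-07-09"
9 | hash1 = "47b2b56c961cdc78bf06eed30737232ba99424b51648418bacacd522a12ad339" // reference sample
10 | strings:
11 | $x1 = "C:\\Users\\admin1\\AppData\\Local\\Temp\\samplebin.exe" fullword wide // build/test path left in the binary
12 | $x2 = "https://graph.facebook.com/v7.0/act_fb_uid?access_token=fb_access_token&_index=5&_reqName=adaccount&_reqSrc=AdsCMPaymentsAccount" ascii // Facebook Graph API ad-account request templates ($x2, $x3, $s7, $s12); no fullword, truncated at fixed width
13 | $x3 = "https://graph.facebook.com/v7.0/act_fb_uid?access_token=fb_access_token&_reqName=adaccount&_reqSrc=AdsCMPaymentsAccountDataDispa" ascii
14 | $x4 = "Cookie:" fullword ascii // NOTE(review): generic HTTP header token, weak as an $x (high-confidence) string on its own
15 | $x5 = "autoLoginCookie name=" fullword ascii
16 | $x6 = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.113 Safari/537.36" fullword wide /* Default Header Nirsoft */
17 | $s7 = "https://graph.facebook.com/v7.0/act_fb_uid?access_token=fb_access_token&_priority=HIGH&_reqName=adaccount&_reqSrc=AdsCMAccountSp" ascii
18 | $s8 = "https://www.facebook.com/login/device-based/login/" fullword wide
19 | $s9 = "api/?sid=" fullword wide
20 | $s10 = "/deleteregkey" fullword ascii // NirSoft-style command-line switch
21 | $s11 = "Old cookies folder of Edge/IE" fullword ascii
22 | $s12 = "https://graph.facebook.com/v7.0/me/adaccounts?access_token=fb_access_token&_reqName=me%2Fadaccounts&_reqSrc=AdsTypeaheadDataMana" ascii // the former $s13 was a byte-identical duplicate of this string and was removed: one match would otherwise count twice toward the 8-of-($s*) threshold
24 | $s14 = "ChromeCookiesView.exe" fullword wide // NirSoft tool names embedded in the resources
25 | $s15 = "EdgeCookiesView.exe" fullword wide
26 | $s16 = "Software\\Microsoft\\Windows\\CurrentVersion\\Run" fullword wide // Run-key persistence path
27 | $s17 = "login/device-based/login" fullword ascii
28 | $s18 = "c_user" fullword wide // Facebook session cookie name
29 | $s19 = "c:\\Projects\\VS2005\\EdgeCookiesView\\Release\\EdgeCookiesView.pdb" fullword ascii // NirSoft EdgeCookiesView PDB path
30 | condition:
31 | uint16(0) == 0x5a4d and filesize < 2600KB and ( pe.imphash() == "89c8a19cc2d9172de5901988530c700d" or ( ( 3 of ($x*) ) and ( 8 of ($s*) ) ) ) // MZ header, under 2600KB; known import hash alone, otherwise 3 of the 6 $x strings and 8 of the 11 distinct $s strings (the threshold was kept after removing the duplicate $s13, so it is now one distinct string stricter for samples containing $s12)
32 | }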
33 |
--------------------------------------------------------------------------------
/2020-07-14/Mustang Panda/IOC-Mustang-Panda-2020-07-14.csv:
--------------------------------------------------------------------------------
1 | Date,Type,Indicator,Description
2 | 2020-07-12,SHA256,4cef5835072bb0290a05f9c5281d4a614733f480ba7f1904ae91325a10a15a04,wwlib.dll
3 | 2020-07-12,SHA256,b6cb4f1c94cb2165a654e6655e099fa53c9e42d78847faf44bdbe2aadd128129,"QUM, IL VATICANO DELL'ISLAM.docx"
4 | 2020-07-12,SHA256,7d85ebd460df8710d0f60278014654009be39945a820755e1fbd59030c14f4c7,hex.dll
5 | 2020-07-12,SHA256,4c8405e1c6531bcb95e863d0165a589ea31f1e623c00bcfd02fbf4f434c2da79,adobeupdate.dat
6 | 2020-07-12,URL,"http://103.85.24.190/qum.dat",URL delivery
7 | 2020-07-12,IP,"103.85.24.190",IP delivery
8 | 2020-07-12,IP,"167.88.180.32",IP C2
9 | 2020-07-12,Domain,"www.systeminfor.com",Domain C2
10 | 2020-07-12,SHA256,8a07c265a20279d4b60da2cc26f2bb041730c90c6d3eca64a8dd9f4a032d85d3,acrord32.dll
11 | 2020-07-12,SHA256,2bc7ed201c7af3e57a20eec4099e242631734fa37b50fa4bce194751f497f7c8,"DOC-2020-05-15T092742.441.pdf"
12 | 2020-07-12,URL,"http://167.88.180.198/dis.dat",URL delivery
13 | 2020-07-12,IP,"167.88.180.198",IP delivery
14 | 2020-05-25,SHA256,f6e5a3a32fb3aaf3f2c56ee482998b09a6ced0a60c38088e7153f3ca247ab1cc,wwlib.dll
15 | 2020-05-25,SHA256,d8829383daa887e05292da9a2b1fabbe5ff89b71f5205e32614bd54b92c3f238,"About China's plan for Hong Kong security law.docx"
16 | 2020-05-25,SHA256,bc6c2fda18f8ee36930b469f6500e28096eb6795e5fd17c44273c67bc9fa6a6d,hex.dll
17 | 2020-05-25,SHA256,01c1fd0e5b8b7bbed62bc8a6f7c9ceff1725d4ff6ee86fa813bf6e70b079812f,adobeupdate.dat
18 | 2020-05-25,URL,"http://167.88.180.198/hk.dat",URL delivery
19 | 2020-05-25,IP,"167.88.180.198",IP delivery
20 | 2020-05-25,IP,"103.85.24.190",IP C2
21 | 2020-05-25,Domain,"www.systeminfor.com",Domain C2
22 |
--------------------------------------------------------------------------------
/2020-07-29/Winnti/IOC_Winnti_2020-07_29.csv:
--------------------------------------------------------------------------------
1 | Date,Type,Indicator,Description
2 | 2020-07-29,SHA256,5843fa26b79935766206dbd7a7a425b4e69cb88a7b97eb16a523ff2d7a1cd6d5,5843fa26b79935766206dbd7a7a425b4e69cb88a7b97eb16a523ff2d7a1cd6d5.xlsx
3 | 2020-07-29,URL,http://47.106.112.106:8032/html/logo2.gif,URL delivery
4 | 2020-07-29,IP,47.106.112.106,IP delivery
5 | 2020-07-29,SHA256,64882106efa5e4e6e169f60b962f6240c4f61e4361d4588d3119c37316d1b651,logo2.gif
6 | 2020-07-29,SHA256,892ae8d1a9cae5ae80d7f2021f21420f265f92638161919a1e399528a0e2786a,unpacked_DDL_Layer1.dll
7 | 2020-07-29,SHA256,9cb8fd3ed2d59f1ec5526ae57a0479f346226a5a62afca67da2c77058dc372fb,iscsiexe.dll
8 | 2020-07-29,SHA256,5faa1516327fc1f5694da81fd20b6fd370575f95c0b5e570b3df53948cd076e9,iscsicpl.exe
9 | 2020-07-29,SHA256,3ad7fb509b118834e68401124fb995b3be6b573b7efaaa8e58796fb0fd2abd7a,unpacked_DDL_Layer2.dll
10 | 2020-07-29,Domain,"support.office365excel.org",Domain C2
11 | 2020-07-29,IP,"35.187.194.33",IP C2
12 |
--------------------------------------------------------------------------------
/2020-07-30/Yara_Ransom_Ragnarlocker_July_2020_1.yar:
--------------------------------------------------------------------------------
1 | import "pe"
2 |
3 | rule Ransom_Ragnarlocker_July_2020_1 { // Ragnar Locker PE: boot-file names, ransom-note/key markers, raw-disk and CLI strings, all gated on a single imphash
4 | meta:
5 | description = "Detect Ragnarlocker by strings (July 2020)"
6 | author = "Arkbird_SOLG"
7 | reference = "https://twitter.com/JAMESWT_MHT/status/1288797666688851969"
8 | date = "2020-07-30"
9 | hash1 = "04c9cc0d1577d5ee54a4e2d4dd12f17011d13703cdd0e6efd46718d14fd9aa87"
10 | strings:
11 | $f1 = "bootfont.bin" fullword wide /* boot-critical file names, presumably an encryption exclusion list */
12 | $f2 = "bootmgr.efi" fullword wide
13 | $f3 = "bootsect.bak" fullword wide
14 | $r1 = "$!.txt" fullword wide /* ransom-note / key-blob markers */
15 | $r2 = "---BEGIN KEY R_R---" fullword ascii
16 | $r3 = "!$R4GN4R_" fullword wide
17 | $r4 = "RAGNRPW" fullword ascii /* parser */
18 | $r5 = "---END KEY R_R---" fullword ascii
19 | $a1 = "+RhRR!-uD8'O&Wjq1_P#Rw<9Oy?n^qSP6N{BngxNK!:TG*}\\|W]o?/]H*8z;26X0" fullword ascii /* opaque embedded constant; its role is not evident from the strings alone */
20 | $a2 = "\\\\.\\PHYSICALDRIVE%d" fullword wide /* parse disks: raw physical-drive device path */
21 | $a3 = "WinSta0\\Default" fullword wide /* Token ref: interactive desktop name, commonly placed in STARTUPINFO.lpDesktop */
22 | $a4 = "%s-%s-%s-%s-%s" fullword wide /* GUID parser*/
23 | $a5 = "SOFTWARE\\Microsoft\\Cryptography" fullword wide /* Ref crypto used -- NOTE(review): this key also holds MachineGuid, so it is at least as likely read as a victim identifier; confirm against the sample */
24 | $c1 = "-backup" fullword wide /* command-line switches */
25 | $c2 = "-force" fullword wide
26 | $c3 = "-vmback" fullword wide
27 | $c4 = "-list" fullword wide
28 | $s1 = ".ragn@r_" fullword wide /* ref: likely the appended file-extension marker */
29 | $s2 = "\\notepad.exe" fullword wide /* Show ransom note to the victim*/
30 | $s3 = "Opera Software" fullword wide /* Don't touch browsers for contact him*/
31 | $s4 = "Tor browser" fullword wide /*Ref ransom note*/
32 | condition:
33 | uint16(0) == 0x5a4d and filesize < 30KB and ( pe.imphash() == "2c2aab89a4cba444cf2729e2ed61ed4f" and ( (2 of ($f*)) and (3 of ($r*)) and (4 of ($a*)) and (2 of ($c*)) and (2 of ($s*)) ) ) // NOTE(review): the imphash is AND-ed with the strings, so a rebuild with a different import table evades the rule even when every string hits; an "or", or a second rule without the imphash, would generalize
34 | }
35 |
--------------------------------------------------------------------------------
/2020-08-17/Loup/Mal_ATM_Loup_Aug_2020_1.yar:
--------------------------------------------------------------------------------
1 | import "pe"
2 |
3 | rule Mal_ATM_Loup_Aug_2020_1 { // ATM malware driving the dispenser through the CEN/XFS API, pinned by a Debug-build PDB path and one imphash
4 | meta:
5 | description = "Detect ATM malware Loup by theirs strings."
6 | author = "Arkbird_SOLG"
7 | reference = "https://twitter.com/r3c0nst/status/1295275546780327936"
8 | date = "2020-08-17"
9 | hash1 = "6c9e9f78963ab3e7acb43826906af22571250dc025f9e7116e0201b805dc1196"
10 | strings:
11 | $pdb1 = "C:\\Users\\muham\\source\\repos\\loup\\Debug\\loup.pdb" fullword ascii // developer PDB path (Debug configuration): the strongest single pivot
12 | $pdb2 = "PDBOpenValidate5" fullword ascii // looks like an MSVC debug-runtime artifact rather than anything Loup-specific -- verify
13 | $dbg1 = "Run-Time Check Failure #%d - %s" fullword ascii // MSVC /RTC message; present in any Debug build
14 | $dbg2 = "Unknown Filename" fullword ascii
15 | $dbg3 = "Unknown Module Name" fullword ascii
16 | $info1 = "%s%s%p%s%zd%s%d%s%s%s%s%s" fullword ascii // $info1-$info4 look like CRT debug-heap report strings, not malware logic
17 | $info2 = { 41 64 64 72 65 73 73 3a 20 30 78 } // Address: 0x
18 | $info3 = { 53 69 7a 65 3a } // Size:
19 | $info4 = { 44 61 74 61 3a } // Data:
20 | $s1 = "MSXFS.dll" fullword ascii // XFS manager DLL; $s1-$s12 are the CEN/XFS API surface, which legitimate ATM software uses as well
21 | $s2 = "WFSExecute" fullword ascii
22 | $s3 = "WfsVersion" fullword ascii
23 | $s4 = "SvcVersion" fullword ascii
24 | $s5 = "SpiVersion" fullword ascii
25 | $s6 = "CurrencyDispenser1" fullword ascii // logical service name of the cash dispenser
26 | $s7 = "WFSUnlock" fullword ascii
27 | $s8 = "WFSFreeResult" fullword ascii
28 | $s9 = "WFSCleanUp" fullword ascii
29 | $s10 = "WFSOpen" fullword ascii
30 | $s11 = "WFSClose" fullword ascii
31 | $s12 = "WFSStartUp" fullword ascii
32 | condition:
33 | uint16(0) == 0x5a4d and filesize < 20KB and ( pe.imphash() == "190fc01f66c40478aa91be89a98c57e9" and ( 1 of ($pdb*) and 2 of ($dbg*) and 2 of ($info*) and 9 of ($s*)) ) // NOTE(review): with the imphash AND-ed in this is effectively a single-build signature; $pdb1 plus the XFS strings are what would carry over to a recompiled variant
34 | }
35 |
--------------------------------------------------------------------------------
/2020-08-18/Winnti/APT_Winnti_ELFx64_Aug_2020_1.yar:
--------------------------------------------------------------------------------
1 | rule APT_Winnti_ELFx64_Aug_2020_1 { // small ELF implant: /proc-walking paths and PID/socket-hiding helper names next to a readdir64 reference
2 | meta:
3 | description = "Detect of ELF implant used by APT Winnti in August 2020"
4 | author = "Arkbird_SOLG"
5 | reference = "https://twitter.com/KorbenD_Intel/status/1295725146037133312"
6 | date = "2020-08-18"
7 | hash1 = "6af8b3d31101f48911b13e49c660c10ed1d26b60267e8037d2ac174fc0d2f36c"
8 | strings:
9 | $lib1 = "/usr/bin/python2.7" fullword ascii
10 | $lib2 = "libxselinux" fullword ascii // library name the implant uses for itself; not a standard SELinux library name
11 | $c1 = "/cmdlineH" fullword ascii // NOTE(review): the trailing 'H' looks like a byte of adjacent data caught by a strings dump; verify, otherwise this string never matches
12 | $c2 = "/proc/%d/fd/%s" fullword ascii
13 | $c3 = "/proc/self/exe" fullword ascii
14 | $c4 = "__gmon_start__" fullword ascii // $c4-$c6 are in nearly every gcc-built ELF and carry no selectivity
15 | $c5 = "_ITM_registerTMCloneTable" fullword ascii
16 | $c6 = "_ITM_deregisterTMCloneTable" fullword ascii
17 | $d1 = "/usr/bin/netstat" fullword ascii
18 | $d2 = "/var/run/libudev.pid" fullword ascii // pid file named to blend in with udev
19 | $d3 = "/sbin/ifup-local" fullword ascii // network-up hook script; plausibly persistence -- confirm
20 | $s1 = "EAEC2CA4-AF8D-4F61-8115-9EC26F6BF4E1" fullword ascii // hard-coded GUID, good pivot
21 | $s2 = "readdir64" fullword ascii // with $info3/$info5 this suggests readdir64 is hooked to hide the implant's PIDs
22 | $s3 = ".note.gnu.gold-version" fullword ascii // $s3-$s5 are ordinary section names (gold linker, build-id, eh_frame)
23 | $s4 = ".note.gnu.build-id" fullword ascii
24 | $s5 = ".eh_frame_hdr" fullword ascii
25 | $s6 = "xlstat" fullword ascii
26 | $s7 = "1YZ[\\<@nYSLRR]H_PGX[XmYXGFrstuvwxyz{|}~" fullword ascii // looks like a byte-table fragment rather than text; keep as-is
27 | $info1 = "check_is_our_proc_dir" fullword ascii // $info1-$info5: symbol names of the hiding logic, the most specific part of the rule
28 | $info2 = "get_our_sockets" fullword ascii
29 | $info3 = "is_invisible_with_pids" fullword ascii
30 | $info4 = "check_if_number" fullword ascii
31 | $info5 = "get_our_pids" fullword ascii
32 | condition:
33 | uint16(0) == 0x457f and filesize < 15KB and ( 1 of ($lib*) and 4 of ($c*) and 2 of ($d*) and 4 of ($s*) and 3 of ($info*) ) // 0x457f is "\x7fELF" read little-endian; note that 4 of ($c*) and 4 of ($s*) are largely met by the generic strings flagged above
34 | }
35 |
--------------------------------------------------------------------------------
/2020-08-24/SideWinder/APT_SideWinder_NET_Loader_Aug_2020_1.yar:
--------------------------------------------------------------------------------
1 | import "pe"
2 |
3 | rule APT_SideWinder_NET_Loader_Aug_2020_1 { // tiny .NET loader: base64-encoded type/method names that are resolved on a decoded PE
4 | meta:
5 | description = "Detected the NET loader used by SideWinder group (August 2020)"
6 | author = "Arkbird_SOLG"
7 | reference = "https://twitter.com/ShadowChasing1/status/1297902086747598852"
8 | date = "2020-08-24"
9 | hash1 = "4a0947dd9148b3d5922651a6221afc510afcb0dfa69d08ee69429c4c75d4c8b4"
10 | strings:
11 | $s1 = "DUSER.dll" fullword wide // also a legitimate Windows DLL name (DirectUI), so weak on its own
12 | $s2 = "UHJvZ3JhbQ==" fullword wide // base64 encoded string -> 'Program' -> Invoke call decoded PE
13 | $s3 = ".tmp " fullword wide
14 | $s4 = "U3RhcnQ=" fullword wide // base64 -> 'Start': presumably the method resolved on the decoded 'Program' type
15 | $s5 = "Gadgets" fullword ascii
16 | $s6 = "AdapterInterfaceTemplateObject" fullword ascii
17 | $s7 = "FileRipper" fullword ascii
18 | $s8 = "copytight @" fullword wide // keep the misspelling verbatim; it is the indicator
19 | condition:
20 | uint16(0) == 0x5a4d and filesize < 4KB and ( ( pe.exports("FileRipper") and pe.exports("Gadgets") ) and 5 of them ) // NOTE(review): pe.exports() reads the native export table, which a plain managed assembly does not carry; confirm on hash1 that these exports exist (DllExport/mixed-mode), otherwise the rule can never fire. filesize < 4KB is also a very tight bound for a .NET DLL
21 | }
22 |
--------------------------------------------------------------------------------
/2020-09-08/IOC-Goblin-details.csv:
--------------------------------------------------------------------------------
1 | "MD5","SHA-256","Vhash","File type","File size","Filename","Creation Time","First Submission","Last Submission","Last Analysis"
2 | "acd5f4e4864d3beec2270dfe6c42a54d","e4e682b4fcc893fa0425149499e21d8d9858aad47b335876c23145e0108a3bbc","045046651d155048z1446z37z13z85z42c5z","Win32 EXE","424.00 KB (434176 bytes)","wuauclt.exe","2019-11-22 12:17:22","2020-04-14 12:05:16","2020-04-14 12:05:16","2020-08-26 00:09:18"
3 | "f886957f6b67528e30b52fae9ae5c785","f245bec93249b4ebe0455661b15d4bb8f5f42f84da21181d3e5b8829b46aca05","025046651d151048z1646z37z13zc5z42b5z","Win32 EXE","272.00 KB (278528 bytes)","wauclt.exe","2020-05-21 08:46:05","2020-06-21 13:42:14","2020-06-21 13:42:14","2020-08-31 03:22:46"
4 | "ec607802d2de9bfdae9cf0a94af5d987","b19d64d6ef5329b388d688157ebb9f4fa8cae2ccd18ec1fe7bb75b0fcc2350f9","025046651d151048z153e5z37z13zc5z42a5z","Win32 EXE","268.00 KB (274432 bytes)","ose2184.tmp","2020-07-13 07:32:05","2020-08-13 12:58:10","2020-08-26 06:12:33","2020-09-08 09:01:47"
5 |
--------------------------------------------------------------------------------
/2020-09-14/Kimsuky/APT_Kimsuky_Aug_2020_1.yar:
--------------------------------------------------------------------------------
1 | rule APT_Kimsuky_Aug_2020_1 { // Gold Dragon: recon output appended to a file and uploaded with a hard-coded multipart/form-data POST
2 | meta:
3 | description = "Detect Gold Dragon used by Kimsuky APT group"
4 | author = "Arkbird_SOLG"
5 | reference = "Internal Research"
6 | date = "2020-08-31"
7 | hash1 = "4ff2a67b094bcc56df1aec016191465be4e7de348360fd307d1929dc9cbab39f"
8 | hash2 = "97935fb0b5545a44e136ee07df38e9ad4f151c81f5753de4b59a92265ac14448"
9 | strings:
10 | $s1 = "/c systeminfo >> %s" fullword ascii // recon commands redirected into a collection file
11 | $s2 = "/c dir %s\\ >> %s" fullword ascii
12 | $s3 = ".?AVGen3@@" fullword ascii // MSVC RTTI type name of a class 'Gen3'
13 | $s4 = { 48 6f 73 74 3a 20 25 73 0d 0a 52 65 66 65 72 65 72 3a 20 68 74 74 70 3a 2f 2f 25 73 25 73 0d 0a 25 73 0d 0a 25 73 } //Host: %s\r\nReferer: http://%s%s\r\n%s\r\n%s
14 | $s5 = "%s?filename=%s" fullword ascii // download URL shape; matches the download.php?filename= URLs in the companion IOC list
15 | $s6 = "Content-Disposition: form-data; name=\"userfile\"; filename=\"" fullword ascii
16 | $s7 = "Content-Type: multipart/form-data; boundary=----WebKitFormBoundarywhpFxMBe19cSjFnG" fullword ascii // fixed boundary: the single most specific item, also usable as a network signature
17 | $s8 = "Content-Disposition: form-data; name=\"MAX_FILE_SIZE\"" fullword ascii
18 | $s9 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; .NET CLR 1.1.4322)" fullword ascii // hard-coded IE8/Win7 User-Agent
19 | $s10 = "\\Microsoft\\HNC" fullword ascii // HNC is likely Hancom Office, consistent with Korean-language targeting
20 | $s11 = "Mozilla/5.0" fullword ascii // generic; counts toward '8 of them' in almost any networked binary
21 | condition:
22 | uint16(0) == 0x5a4d and filesize > 150KB and 8 of them // no upper size bound; if false positives appear, require $s7 explicitly
23 | }
24 |
--------------------------------------------------------------------------------
/2020-09-14/Kimsuky/IOC_Gold_Dragon.csv:
--------------------------------------------------------------------------------
1 | Date,Type,Indicator,Description
2 | 2020-09-02,URL,"http://pingguo2.atwebpages.com/home/jpg/post.php","URL Requested"
3 | 2020-09-02,URL,"http://pingguo2.atwebpages.com/home/jpg/download.php?filename=button01","URL Requested"
4 | 2020-09-02,Domain,"pingguo2.atwebpages.com","Domain C2"
5 | 2020-09-02,IP,"185.176.43.98","IP C2"
6 | 2020-09-02,SHA256,bfb8d13fcb64e3d09de2850b47d64492dbfc7bba58766546c1511f1fa59a64c9,bfb8d13fcb64e3d09de2850b47d64492dbfc7bba58766546c1511f1fa59a64c9.exe
7 | 2020-08-30,SHA256,4ff2a67b094bcc56df1aec016191465be4e7de348360fd307d1929dc9cbab39f,4ff2a67b094bcc56df1aec016191465be4e7de348360fd307d1929dc9cbab39f.exe
8 | 2020-08-30,SHA256,8f2cbc93b7cd5cdc54e1670105c3da682bae0b70bc6bc4b0c0c18ab5c40be9c4,"8f2cbc93b7cd5cdc54e1670105c3da682bae0b70bc6bc4b0c0c18ab5c40be9c4.exe"
9 | 2020-08-30,SHA256,97935fb0b5545a44e136ee07df38e9ad4f151c81f5753de4b59a92265ac14448,97935fb0b5545a44e136ee07df38e9ad4f151c81f5753de4b59a92265ac14448.exe
10 | 2020-08-30,SHA256,b1e28bc8720303326946ec69d8ad6c90b572e177d562bbe769abaf1aad3d9e1a,b1e28bc8720303326946ec69d8ad6c90b572e177d562bbe769abaf1aad3d9e1a.exe
11 | 2020-08-30,Domain,"portable.epizy.com","Domain C2"
12 | 2020-08-30,URL,"http://portable.epizy.com/img/png/download.php?filename=images01","URL Requested"
13 | 2020-08-30,URL,"http://portable.epizy.com/img/png/post.php","URL Requested"
14 | 2020-08-30,IP,"185.27.134.213","IP C2"
15 | 2020-07-24,SHA256,a7a86cbf520c0ca37e2f8e37584fcd9c68e79614fd8352d10a7bb223c3a3a39b,"[남북연합 구상과 추진방안] 워크숍 계획.hwp .exe"
16 | 2020-07-24,URL,http://foxonline123.atwebpages.com/home/jpg/post.php,"URL Requested"
17 | 2020-07-24,URL,http://foxonline123.atwebpages.com/home/jpg/download.php?filename=flower03,"URL Requested"
18 | 2020-07-24,Domain,foxonline123.atwebpages.com,"Domain C2"
19 | 2020-07-24,IP,"185.176.43.80","IP C2"
20 |
--------------------------------------------------------------------------------
/2020-09-14/SLoad/Domains_URL.txt:
--------------------------------------------------------------------------------
1 | List of domains (several entries below are repeated; treat the list as a set):
2 | // -------------------------- //
3 | unequipoganador.com
4 | devopotamus.com
5 | devopotamus.com
6 | alkwti.com
7 | rtistry.com
8 | sapphireloading.com
9 | innerearthartistry.com
10 | unequipoganador.com
11 |
12 |
13 | List of URLs (note: the segment after the first directory appears to be a per-victim token -- several look like Italian VAT numbers or codici fiscali -- so match on the host and the first path directory rather than on the full URL):
14 | // -------------------------- //
15 | https://unequipoganador.com/ipol/03675480267/map.jpg
16 | https://devopotamus.com/potal/03587420286/blank.css
17 | https://sapphireloading.com/sal/04913170280/logo.png
18 | https://devopotamus.com/potal/01555200441/en.gif
19 | https://alkwti.com/aliwona/TMSRLL61M43B796B/en.jpg
20 | https://innerearthartistry.com/nerea/03455910780/1x1.gif
21 | https://innerearthartistry.com/nerea/03756910273/1x1.gif
22 | https://sapphireloading.com/sal/07501560150/maps.jpg
23 | https://sapphireloading.com/sal/02298410644/blank.gif
24 | https://innerearthartistry.com/nerea/01578300210/it.png
25 | https://sapphireloading.com/sal/08924551008/it.css
26 | https://innerearthartistry.com/nerea/BRNLSN65H44H501N/1x1.gif
27 | https://innerearthartistry.com/nerea/02044200042/uk.gif
28 | https://sapphireloading.com/sal/04198100168/blank.gif
29 |
--------------------------------------------------------------------------------
/2020-09-14/SLoad/Mal_Loader_Sload_Sep-2020-1.yar:
--------------------------------------------------------------------------------
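1 | // NOTE(review): this rule was named Mal_Loader_Sload_Sep-2020-1; YARA identifiers cannot contain '-',
2 | // so the original did not compile. Renamed with underscores, in line with the repository's other rules.
3 | rule Mal_Loader_Sload_Sep_2020_1 { // SLoad script stage: VBScript RegExp/FileSystemObject/WScript.Shell decoder strings
4 | meta:
5 | description = "Detect SLoad loader"
6 | author = "Arkbird_SOLG"
7 | reference = "https://twitter.com/JAMESWT_MHT/status/1305480728684232704"
8 | date = "2020-09-14"
9 | modified = "2023-11-22"
10 | hash1 = "06e5575f67113906effb3cdb8ea2f021f3bc5fad8d278d80eb3da943dc743c2d"
11 | hash2 = "147e1d26153de7bd5033968d64104bb9df597d1913f237f4f5b172f06414b775"
12 | hash3 = "15a61df21dc514fc4e935bb1e267134265f2c70aa167f03389c4f1a5b5a750d9"
13 | hash4 = "1dba2064e7290c1896d560ff266a18cb6bd9b7e82aad50ddcbe2afde3e43c53e"
14 | hash5 = "28b811e737ec718f5c36cf05df89da00f48e4e088756e11564c15fe683702964"
15 | hash6 = "2cc33394a01bb3af0e48d0ccb71037c39f142fb22a7ed2ac40bc0860147da1a8"
16 | hash7 = "49904fa43dc24c2cbfe64c7089edc9805ce6ce93e4ff240663a6308ec5efe462"
17 | hash8 = "698cd771502d967e9921d2b0c2d3bb7787554f3b056c967991965270e9707e25"
18 | hash9 = "96bd66aedb565c6d29e60d7e7880047749abcd1cfa2d7b27f612b7b32038ede5"
19 | hash10 = "9b4dc4c27bbba4e9215b17cddfc80ee3581f76c8d8010ddee4c978fd2922c4f7"
20 | hash11 = "9f1d77dacee045731ee5ff9539060528ce01c5db3f7b99b4f7ac68687beab966"
21 | hash12 = "a1bfd39eb6057b5797ca04c30d5ca65641585e72ecdfdd8e0c1ac24d126b4056"
22 | hash13 = "d1064ee3b5c35e19a703373e2e6554ba598a0b9d647d9c4da08331fe5964cba6"
23 | hash14 = "f6cb2ffe73e87a5d0053ca599d203d3dbc187d65b434d4c7c649c51ba2689505"
24 | strings:
25 | $s1 = "([\\?\\?\\?\\?\\?\\?\\?\\?\\?])" fullword ascii // VBScript RegExp pattern literal used by the decoder
26 | $s2 = "CreateObject(\"Scripting.FileSystemObject\")" fullword ascii
27 | $s3 = "WScript.CreateObject (\"WScript.Shell\")" fullword ascii
28 | $s4 = "Array(" fullword ascii // $s4-$s7 are ordinary VBScript and occur in many benign scripts
29 | $s5 = ".Pattern" fullword ascii
30 | $s6 = ".Global = True" fullword ascii
31 | $s7 = "New RegExp" fullword ascii
32 | $s8 = ".[run]" fullword ascii // bracket-escaped member name, an obfuscation tell
33 | $s9 = "fso.FolderExists(" fullword ascii
34 | // Was `{ [4-5] 3D [4-5] 66 }`: YARA's hex-string grammar requires a byte (not a jump) at both ends, so that form fails to compile.
35 | // Same meaning expressed as a regex: 4-5 arbitrary bytes, '=', 4-5 arbitrary bytes, 'f'; the /s flag lets '.' match newlines as the jumps did.
36 | // Either form has only single-byte atoms (expect a slow-string warning) and adds almost no selectivity; it could be dropped if '7 of them' is retightened.
37 | $s10 = /.{4,5}=.{4,5}f/s
38 | condition:
39 | filesize > 2KB and 7 of them // no upper size bound and no magic check: every large file is scanned for these weak strings
40 | }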
36 |
--------------------------------------------------------------------------------
/2020-09-16/AssociateURL.csv:
--------------------------------------------------------------------------------
1 | Associated URL,Threat Level,Positives,Scan Date,Reference
2 | http://86.104.194.116/,malicious,11/79,2020-09-15 20:10:27,-
3 | http://86.104.194.116/ono70/ANALYST0-2D1671_W512600.1203761F177BD74BB357FB7687163B0F/5/spk,malicious,8/79,2020-09-15 19:50:33,-
4 | http://86.104.194.116/ono70/ANALYST0-2D1671_W512600.BB075ABB947CDBB6BDCB3BC3AFBD5B90/5,malicious,8/79,2020-09-15 15:55:24,-
5 | https://86.104.194.116/ono70/ANALYST0-2D1671_W512600.B58774F508B12DB35F1437B339B1B7F2/5/spk/,malicious,8/79,2020-09-15 15:38:14,-
6 | http://86.104.194.116/ono70/ANALYST0-2D1671_W512600.39BB1DDE070E95B3B45FEFF29DF3B4AB/5/spk,malicious,8/79,2020-09-15 15:06:51,-
7 |
--------------------------------------------------------------------------------
/2020-09-17/IOC_Masslogger.csv:
--------------------------------------------------------------------------------
1 | Date,Type,Indicator,Description
2 | 2020-09-17,SHA256,727bfcd077ceee7c48461eef25e134adf9d623de3ed2c99f2507373a4645311b,doc20200916100024.js
3 | 2020-09-17,SHA256,31f44233784496a5a6c66192d9bcbbec3e2d1a0ab473162f955c352cfd6e6c0a,Contrato- 2020-09-08T085008.442 - Alb. 8120173035 Klantnummer 106 - doc04361120200812113759-SKBMT-08-09-2020-img00127.wsf
4 | 2020-09-17,SHA256,77a8054888454def0e4c13a8b864560a918bb13a0cd80c5c73f5fe9ddbc45bef,ManagmentClass.dll
5 | 2020-09-17,SHA256,badf7bd4314b27b95f00d859adfcff20776d6e1e58132f5b7abf3b9f81c53223,ManagmentClass.dll
6 | 2020-09-17,SHA256,ed42640da83dda3bf2ed08c414bfd256a82c9a8ef1894a59e3c421b254c59d4d,Mass.bin
7 | 2020-09-17,SHA256,d4394db20c43c94c904f5f7eca3889c2eba21731f27793b34a5cf857df35e185,F12.jpg
8 | 2020-09-17,SHA256,150cc76b6c191e8429433879c9827363d8eefbf8b7d8efa9a75548b799de06cc,A11.jpg
9 | 2020-09-17,URL,"http://gsbc.gr/F12.jpg","URL Delivery"
10 | 2020-09-17,URL,"http://destrupack.com/A11.jpg","URL Delivery"
11 | 2020-09-17,Domain,"gsbc.gr","Domain Delivery"
12 | 2020-09-17,Domain,"destrupack.com","Domain Delivery"
13 | 2020-09-17,IP,5.189.152.112,"IP Delivery"
14 | 2020-09-17,IP,"185.250.200.160","IP Delivery"
15 | 2020-09-17,Domain,"nankasa.com.ar","Domain C2"
16 | 2020-09-17,IP,192.185.155.49,"IP C2"
17 |
--------------------------------------------------------------------------------
/2020-10-01/IOC_SlothfulMedia.csv:
--------------------------------------------------------------------------------
1 | Date,Type,Indicator,Description
2 | 2020-10-01,SHA256,64d78eec46c9ddd4b9a366de62ba0f2813267dc4393bc79e4c9a51a9bb7e6273,64d78eec46c9ddd4b9a366de62ba0f2813267dc4393bc79e4c9a51a9bb7e6273.exe
3 | 2020-10-01,SHA256,927d945476191a3523884f4c0784fb71c16b7738bd7f2abd1e3a198af403f0ae,mediaplayer.exe
4 | 2020-10-01,SHA256,2aa26ed63702ac7b49b775eb5ea045c52bc375a46e0763ff5c135d64ed77ff58,D7YD4.exe
5 | 2020-10-01,SHA256,4186b5beb576aa611b84cbe95781c9dccca6762f260ac7a48f6727840fc057fa,wHPEO.exe
6 | 2020-10-01,IP,103.78.242.69,IP C2
7 | 2020-10-01,Domain,sdvro.net,Domain C2
8 |
--------------------------------------------------------------------------------
/2020-10-03/Chimera/APT_Chimera_Sept_2020_1.yar:
--------------------------------------------------------------------------------
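1 | rule APT_Chimera_Sept_2020_1 { // x64 Cobalt Strike Beacon (reflective DLL) as used by Chimera: DOS-header code stub, SMB pivot strings and the ReflectiveLoader export
2 | meta:
3 | description = "Detect Cobalt Strike agent used by Chimera"
4 | author = "Arkbird_SOLG"
5 | reference = "Internal Research"
6 | // ref article : https://cycraft.com/download/%5BTLP-White%5D20200415%20Chimera_V4.1.pdf
7 | date = "2020-10-03"
8 | hash1 = "f6d89ff139f4169e8a67332a0fd55b6c9beda0b619b1332ddc07d9a860558bab"
9 | strings:
10 | $header = { 4D 5A 41 52 55 48 89 E5 48 83 EC 20 48 83 E4 F0 E8 00 00 00 00 5B 48 81 C3 EB 18 00 00 FF D3 48 81 C3 00 09 03 00 49 89 D8 6A 04 5A FF D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E8 } // MZ header whose bytes also disassemble as x64 code (the "MZARUH" stub seen in Cobalt Strike reflective DLLs)
11 | $s1 = "\\\\%s\\pipe\\%s" fullword ascii // SMB named-pipe path format
12 | $s2 = "%04x-%04x:%s" fullword wide
13 | $core1 = "core_pivot_session_new" fullword ascii // $core1-$core4: Beacon pivot command names
14 | $core2 = "core_pivot_session_died" fullword ascii
15 | $core3 = "core_pivot_remove" fullword ascii
16 | $core4 = "core_pivot_add" fullword ascii
17 | $lib1 = "CreateNamedPipeA" fullword ascii // named-pipe APIs backing the SMB channel
18 | $lib2 = "ConnectNamedPipe" fullword ascii
19 | $lib3 = "WinHttpGetIEProxyConfigForCurrentUser" fullword ascii // proxy discovery for the HTTP channel
20 | $export = "ReflectiveLoader" fullword ascii // export name of the reflective loader entry point
21 | condition:
22 | // Fix: the magic was written as 0x4a5d. Read little-endian, "MZ" (4D 5A) is 0x5a4d; 0x4a5d would require the
23 | // file to start with 5D 4A, which no PE does, so the rule could never fire on the very stub $header describes.
24 | uint16(0) == 0x5a4d and filesize > 30KB and $header and 1 of ($s*) and 2 of ($core*) and 2 of ($lib*) and $export
25 | }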
24 |
--------------------------------------------------------------------------------
/2020-10-15/Crylock/RAN_CryLock_Oct_2020_1.yar:
--------------------------------------------------------------------------------
1 | rule RAN_CryLock_Oct_2020_1 { // CryLock ransomware (self-identifies as BlackRabbit in $debug6): operator/log strings plus ransom-note template placeholders
2 | meta:
3 | description = "Detect CryLock ransomware V2.0.0"
4 | author = "Arkbird_SOLG"
5 | reference1 = "https://twitter.com/Kangxiaopao/status/1316334926728318977"
6 | reference2 = "https://twitter.com/JAMESWT_MHT/status/1316426560803680257"
7 | date = "2020-10-14"
8 | hash1 = "04d8109c6c78055d772c01fefe1e5f48a70f2a65535cff17227b5a2c8506b831"
9 | strings:
10 | // globals strings
11 | $s1 = "All commands sended to execution" fullword ascii // keep the sample's own misspelling ("sended"); it is the indicator
12 | $s2 = "Processesblacklist1" fullword ascii
13 | $s3 = "Execute all" fullword ascii
14 | $s4 = "config.txt" fullword ascii // generic filename, weak on its own
15 | // debug output
16 | $debug1 = "Processed files: " fullword ascii
17 | $debug2 = "Next -->" fullword ascii
18 | $debug3 = "Status: scan network" fullword ascii
19 | $debug4 = { 49 45 28 41 4c 28 22 25 73 22 2c 34 29 2c 22 41 4c 28 5c 22 25 30 3a 73 5c 22 2c 33 29 22 2c 22 4a 4b 28 5c 22 25 31 3a 73 5c 22 2c 5c 22 25 30 3a 73 5c 22 29 22 29 } // IE(AL("%s",4),"AL(\\"%0:s\\",3)","JK(\\"%1:s\\",\\"%0:s\\")") -- the %0:s / %1:s indexed placeholders are Delphi Format() syntax, hinting at a Delphi build (confirm)
20 | $debug5 = { 4a 75 6d 70 49 44 28 22 22 2c 22 25 73 22 29 } // JumpID("","%s")
21 | $debug6 = { 45 6e 63 72 79 70 74 65 64 20 62 79 20 42 6c 61 63 6b 52 61 62 62 69 74 2e 20 28 [3-10] 29 } // Encrypted by BlackRabbit. ([3-10]) -> Version ref ; the jump absorbs the version text so newer builds still match
22 | //strings linked to ransom note
23 | $ran1 = "w_to_decrypt.hta" wide // deliberately not fullword: matches the tail of the note filename (e.g. how_to_decrypt.hta)
24 | $ran2 = "<%UNDECRYPT_DATETIME%>" fullword ascii // $ran2-$ran6: template placeholders filled in when the HTA note is rendered; least likely to appear in benign software
25 | $ran3 = "<%START_DATETIME%>" fullword ascii
26 | $ran4 = "<%MAIN_CONTACT%>" fullword ascii
27 | $ran5 = "<%RESERVE_CONTACT%>" fullword ascii
28 | $ran6 = "<%HID%>" fullword ascii
29 | condition:
30 | uint16(0) == 0x5a4d and filesize > 300KB and 3 of ($s*) and 4 of ($debug*) and 4 of ($ran*) // size floor only, no ceiling
31 | }
32 |
--------------------------------------------------------------------------------
/2020-10-15/MATRIX/RAN_Matrix_Sep_2020_1.yar:
--------------------------------------------------------------------------------
1 | rule RAN_Matrix_Sep_2020_1 { // MATRIX ransomware: bracketed progress/log tags and the check-in query-string keys
2 | meta:
3 | description = "Detect MATRIX ransomware"
4 | author = "Arkbird_SOLG"
5 | reference = "Internal Research"
6 | date = "2020-10-15"
7 | hash1 = "7b5e536827c3bb9f8077aed78726585739bcde796904edd6c4faadc9a8d22eaf"
8 | hash2 = "afca3b84177133ff859d9b9d620b582d913218723bfcf83d119ec125b88a8c40"
9 | hash3 = "d87d1fbeffe5b18e22f288780bf50b1e7d5af9bbe2480c80ea2a7497a3d52829"
10 | hash4 = "5474b58de90ad79d6df4c633fb773053fecc16ad69fb5b86e7a2b640a2a056d6"
11 | strings:
12 | $debug1 = "[LDRIVES]: not found!" fullword wide // $debug1-$debug9: status tags emitted while enumerating local drives and network shares
13 | $debug2 = "[DONE]: NO_SHARES!" fullword wide
14 | $debug3 = "[ALL_LOCAL_KID]: " fullword wide
15 | $debug4 = "[FINISHED]: G=" fullword wide
16 | $debug5 = "[FEX_START]" fullword wide
17 | $debug6 = "[LOGSAVED]" fullword wide
18 | $debug7 = "[GENKEY]" fullword wide
19 | $debug8 = "[SHARES]" fullword wide
20 | $debug9 = "[SHARESSCAN]: " fullword wide
21 | $reg1 = { 2e 00 70 00 68 00 70 00 3f 00 61 00 70 00 69 00 6b 00 65 00 79 00 3d } // .php?apikey= -> add victim to the register ; unlike $reg3 no trailing 00 is required after '='
22 | $reg2 = { 26 00 63 00 6f 00 6d 00 70 00 75 00 73 00 65 00 72 00 3d } // &compuser=
23 | $reg3 = { 26 00 73 00 69 00 64 00 3d 00 } // &sid=
24 | $reg4 = { 26 00 70 00 68 00 61 00 73 00 65 00 3d } // &phase=
25 | $reg5 = { 47 00 45 00 54 } // GET -- UTF-16 "GET" without a terminator: generic enough to satisfy one of the required $reg* in almost any binary
26 | condition:
27 | uint16(0) == 0x5a4d and filesize > 500KB and 4 of ($debug*) and 3 of ($reg*) // '3 of ($reg*)' is effectively two of $reg1-$reg4 once $reg5 is counted
28 | }
29 |
--------------------------------------------------------------------------------
/2020-10-16/Ran_Crysis_Sep_2020_1.yar:
--------------------------------------------------------------------------------
1 | rule Ran_Crysis_Sep_2020_1 { // Crysis build fingerprint: CodeView GUID prefix, AES table fragments and residual byte runs, all required
2 | meta:
3 | description = "Detect Crysis ransomware"
4 | author = "Arkbird_SOLG"
5 | reference = "Internal Research"
6 | date = "2020-10-16"
7 | hash1 = "34c485ad11076ede709ff409c0e1867dc50fd40311ae6e7318ddf50679fa4049"
8 | hash2 = "4708750c9a6fdeaec5f499a3cd26bb5f61db4f82e66484dc7b44118effbb246f"
9 | hash3 = "b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039"
10 | hash4 = "8e8b6818423930eea073315743b788aef2f41198961946046b7b89042cb3f95a"
11 | strings:
12 | $s1 = { 6f 25 25 4a 72 2e 2e 5c 24 } // "o%%Jr..\$" -- residual bytes, meaning not evident
13 | $s2 = { 52 53 44 53 25 7e 6d } // "RSDS" CodeView signature followed by the first GUID bytes: pins one build's PDB GUID
14 | $s3 = { 78 78 4a 6f 25 25 5c 72 2e 2e 38 24 } // "xxJo%%\r..8$" -- residual bytes, as $s1
15 | $s4 = { 25 65 65 ca af 7a 7a f4 8e ae ae 47 e9 08 08 10 18 ba ba } // $s4-$s8 read as 4-byte groups (s, s, 2s, 3s over GF(2^8)), i.e. AES T-table fragments: present in any statically linked AES, not Crysis-specific
15 | $s5 = { 58 74 1a 1a 34 2e 1b 1b 36 2d 6e 6e dc b2 5a 5a b4 ee a0 a0 5b fb 52 52 a4 f6 3b 3b 76 4d d6 d6 b7 61 b3 b3 7d ce 29 29 52 7b e3 e3 dd 3e 2f 2f 5e 71 84 84 13 97 53 53 }
17 | $s6 = { 3b 32 32 64 56 3a 3a 74 4e 0a 0a 14 1e 49 49 92 db 06 06 0c 0a 24 24 48 6c 5c 5c b8 e4 c2 c2 9f 5d d3 d3 bd 6e ac ac 43 ef 62 62 }
18 | $s7 = { 26 4c 6a 26 36 6c 5a 36 3f 7e 41 3f f7 f5 02 f7 cc 83 4f cc 34 68 5c 34 a5 51 f4 a5 e5 d1 34 e5 f1 f9 08 f1 71 e2 93 71 d8 ab 73 d8 31 62 53 31 15 2a 3f 15 04 08 0c 04 c7 95 52 c7 23 46 65 23 }
19 | $s8 = { 7e fc 82 7e 3d 7a 47 3d 64 c8 ac 64 5d ba e7 5d 19 32 2b 19 73 e6 95 73 60 c0 a0 60 81 19 98 81 4f 9e d1 4f dc a3 7f dc 22 44 66 22 2a 54 7e 2a 90 3b ab 90 88 0b 83 88 46 8c ca 46 ee c7 29 }
20 | $s9 = "sssssbsss" fullword ascii
21 | condition:
22 | uint16(0) == 0x5a4d and filesize > 30KB and all of them // 'all of them' together with $s2 makes this close to a single-build signature; fine for hunting, but do not expect it to catch recompiles
23 | }
24 |
--------------------------------------------------------------------------------
/2020-10-16/Ran_Egregor_Sept_2020_1.yar:
--------------------------------------------------------------------------------
1 | rule Ran_Egregor_Sept_2020_1 { // Egregor (Sept 2020 build): a fake LogMeIn log path and a test-build PDB, padded with MSVC artifacts
2 | meta:
3 | description = "Detect Egregor ransomware (variant Sept2020)"
4 | author = "Arkbird_SOLG"
5 | reference = "Internal Research"
6 | date = "2020-10-07"
7 | hash1 = "4c9e3ffda0e663217638e6192a093bbc23cd9ebfbdf6d2fc683f331beaee0321"
8 | hash2 = "aee131ba1bfc4b6fa1961a7336e43d667086ebd2c7ff81029e14b2bf47d9f3a7"
9 | hash3 = "3fd510a3b2e0b0802d57cd5b1cac1e61797d50a08b87d9b5243becd9e2f7073f"
10 | hash4 = "9c900078cc6061fb7ba038ee5c065a45112665f214361d433fc3906bf288e0eb"
11 | hash5 = "a376fd507afe8a1b5d377d18436e5701702109ac9d3e7026d19b65a7d313b332"
12 | strings:
13 | $x1 = "dmocx.dll" fullword ascii // DLL name string, presumably the payload's own module name
14 | $s2 = "C:\\Logmein\\{888-8888-9999}\\Logmein.log" fullword wide // fake LogMeIn log path: the most distinctive string here
15 | $s3 = "M:\\sc\\p\\testbuild.pdb" fullword ascii // PDB path, second-best pivot
16 | $s4 = "Type Descriptor'" fullword ascii // $s4, $s5 and $s7 are generic MSVC RTTI / relocation-like byte runs seen in many PE files
17 | $s5 = "=$=`=h=p=t=x=|=" fullword ascii
18 | $s6 = "--nop" fullword wide // command-line switch
19 | $s7 = "9,94989@9X9" fullword ascii
20 | condition:
21 | uint16(0) == 0x5a4d and filesize > 200KB and 1 of ($x*) and 4 of ($s*) // NOTE(review): '4 of ($s*)' can be met by the three generic strings plus --nop; consider requiring $s2 or $s3 explicitly
22 | }
23 |
--------------------------------------------------------------------------------
/2020-10-27/RYUK/Mem_Cryptor_Obsidium_Oct_2020_1.yar:
--------------------------------------------------------------------------------
1 | rule Mem_Cryptor_Obsidium_Oct_2020_1 { // flags the Obsidium commercial protector, not RYUK itself: a hit means "protected with Obsidium", which legitimate software also is
2 | meta:
3 | description = "Detect Obsidium cryptor by memory string"
4 | author = "Arkbird_SOLG"
5 | reference = "Internal Research"
6 | date = "2020-10-25"
7 | strings:
8 | $s1 = "Obsidium\\" fullword ascii
9 | $s2 = "obsidium.dll" fullword ascii
10 | $s3 = "Software\\Obsidium" fullword ascii
11 | $s4 = "winmm.dll" fullword ascii // generic Windows import; contributes to '3 of' in any multimedia-linked binary
12 | $s5 = "'license.key" fullword ascii
13 | condition:
14 | uint16(0) == 0x5a4d and filesize > 40KB and 3 of ($s*) // NOTE(review): "Mem_" suggests process-memory scanning, but per the YARA docs filesize holds no meaningful value when scanning a process, so this condition may never hold there; drop the size check for memory use. No hash meta is recorded, so the rule cannot be re-validated against a sample
15 | }
16 |
--------------------------------------------------------------------------------
/2020-10-27/RYUK/Ran_Ruyk_Oct2020_1.yar:
--------------------------------------------------------------------------------
1 | rule Ran_Ruyk_Oct_2020_1 { // RYUK (rule keeps the repository's "Ruyk" spelling): recovery-inhibition commands, Run-key persistence and the process-name list
2 | meta:
3 | description = "Detect RYUK ransomware (Sept_2020_V1)"
4 | author = "Arkbird_SOLG"
5 | reference = "Internal Research"
6 | date = "2020-10-25"
7 | hash1 = "bbbf38de4f40754f235441a8e6a4c8bdb9365dab7f5cfcdac77dbb4d6236360b"
8 | hash2 = "cfe1678a7f2b949966d9a020faafb46662584f8a6ac4b72583a21fa858f2a2e8"
9 | hash3 = "e8a0e80dfc520bf7e76c33a90ed6d286e8729e9defe6bb7da2f38bc2db33f399"
10 | strings:
11 | $c1 = "\" /TR \"C:\\Windows\\System32\\cmd.exe /c for /l %x in (1,1,50) do start wordpad.exe /p " fullword ascii // schtasks /TR fragment that launches 50 wordpad print jobs (presumably printing the note); the trailing space is part of the literal
12 | $c2 = "cmd.exe /c \"bootstatuspolicy ignoreallfailures\"" fullword ascii // $c2, $c4-$c6: the usual recovery-inhibition set (bcdedit / vssadmin / wmic shadowcopy); also good EDR command-line detections
13 | $c3 = "C:\\Windows\\System32\\cmd.exe" fullword ascii // generic
14 | $c4 = "cmd.exe /c \"WMIC.exe shadowcopy delete\"" fullword ascii
15 | $c5 = "cmd.exe /c \"vssadmin.exe Delete Shadows /all /quiet\"" fullword ascii
16 | $c6 = "cmd.exe /c \"bcdedit /set {default} recoveryenabled No & bcdedit /set {default}\"" fullword ascii // string ends mid-command in the sample; the remainder is presumably appended at runtime ($c2)
17 | $r1 = "/C REG ADD \"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\" /v \"EV\" /t REG_SZ /d \"" fullword wide // persistence via HKCU Run value "EV"; $r2 removes it again
18 | $r2 = "/C REG DELETE \"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\" /v \"EV\" /f" fullword wide
19 | $ref1 = "lsaas.exe" fullword wide // misspelled in the sample (lsass.exe); keep verbatim, the typo is part of the indicator
20 | $ref2 = "Ncsrss.exe" fullword wide // likewise; $ref1-$ref5 look like a process-name list, presumably an exclusion set -- confirm
21 | $ref3 = "$WGetCurrentProcess" fullword ascii
22 | $ref4 = "lan.exe" fullword wide
23 | $ref5 = "explorer.exe" fullword wide // generic
24 | $ref6 = "Ws2_32.dll" fullword ascii // generic
25 | $p1 = "\\users\\Public\\sys" fullword wide // paths used by the sample; their role is not evident from the strings alone
26 | $p2 = "\\Documents and Settings\\Default User\\sys" fullword wide
27 | condition:
28 | uint16(0) == 0x5a4d and filesize > 40KB and 4 of ($c*) and 1 of ($r*) and 4 of ($ref*) and 1 of ($p*) // the $c* commands plus the $r* Run-key strings carry the behavioural specificity; $ref3-$ref6 are common and add little
29 | }
30 |
--------------------------------------------------------------------------------
/2020-10-27/RYUK/Ran_Ruyk_Oct2020_2.yar:
--------------------------------------------------------------------------------
1 | rule Ran_Ruyk_Oct_2020_2 { // RYUK V1+V2: mostly MSVC RTTI/CRT strings plus encoded CryptoAPI names and two long embedded blobs
2 | meta:
3 | description = "Detect RYUK ransomware (Sept_2020_V1 + V2)"
4 | author = "Arkbird_SOLG"
5 | reference = "Internal Research"
6 | date = "2020-10-25"
7 | hash1 = "d0d7a8f588693b7cc967fb4069419125625eb7454ba553c0416f35fc95307cbe"
8 | hash2 = "d7333223dcc1002aae04e25e31d8c297efa791a2c1e609d67ac6d9af338efbe8"
9 | hash3 = "bbbf38de4f40754f235441a8e6a4c8bdb9365dab7f5cfcdac77dbb4d6236360b"
10 | hash4 = "cfe1678a7f2b949966d9a020faafb46662584f8a6ac4b72583a21fa858f2a2e8"
11 | hash5 = "e8a0e80dfc520bf7e76c33a90ed6d286e8729e9defe6bb7da2f38bc2db33f399"
12 | hash6 = "5b1f242aee0eabd4dffea0fe5f08aba60abf7c8d1e4f7fc7357af7f20ccd0204"
13 | strings:
14 | $s1 = "Type Descriptor'" fullword ascii // $s1, $s2, $s4, $s5 and $s8 are generic MSVC RTTI/CRT strings found in most C++ PE files
15 | $s2 = "Class Hierarchy Descriptor'" fullword ascii
16 | $s3 = "GET:PV" fullword ascii
17 | $s4 = "Base Class Descriptor at (" fullword ascii
18 | $s5 = "Complete Object Locator'" fullword ascii
19 | $s6 = "UINi\\cYIqwxAcV^GYCY^EgzUvSZcsRW" fullword ascii // opaque; build-specific
20 | $s7 = "FrystFsgcteIaui" fullword ascii // $s7, $s9, $s10, $s11 have the exact word lengths of CryptCreateHash / "Microsoft Base Cryptographic Provider v1.0" / CryptDestroyHash / CryptReleaseContext with per-character shifts: an encoded CryptoAPI string table, worth decoding to confirm
21 | $s8 = "delete[]" fullword ascii
22 | $s9 = "Picuovphv Bbsg!Es|rwojrarkkd Stryjfes x4.3" fullword ascii
23 | $s10 = "FrystGfuvrozHctj" fullword ascii
24 | $s11 = "FrystUfngasfCqovf{v" fullword ascii
25 | $op1 = { 63 62 6d 75 6a 7a 6e 49 4d 54 50 78 75 70 78 59 6f 65 71 4f 57 48 4a 78 57 71 4c 50 55 78 4a 6e 68 4b 71 57 57 6d 49 75 6a 51 64 4f 50 74 70 63 76 61 42 72 75 5a 6a 4d 69 79 59 52 69 58 78 4a 63 6b 51 70 4b 75 47 52 5a 51 42 5a 5a 61 50 69 76 66 77 43 6c 45 5a 67 76 6e 49 6c 54 74 4b 46 4d 68 53 4a 42 4f 64 6a 69 46 44 4d 62 70 78 76 52 5a 69 61 74 69 71 5a 6e 75 67 5a 62 78 72 51 } // $op1/$op2 are long printable alphanumeric runs stored as hex; likely builder/obfuscator junk markers -- verify before relying on them
26 | $op2 = { 23 71 59 72 51 6d 58 48 4a 77 65 55 53 76 68 79 4f 62 51 50 6d 44 44 52 44 6e 72 49 53 57 6c 72 56 4a 56 75 68 52 4e 4a 66 6b 50 6e 6b 72 65 68 73 6e 6b 68 54 4e 70 6a 56 7a 7a 64 61 44 6e 62 44 67 5a 54 62 4b 65 63 54 69 35 4f 71 20 64 24 2d }
27 | condition:
28 | uint16(0) == 0x5a4d and filesize > 40KB and 6 of ($s*) and 1 of ($op*) // NOTE(review): '6 of ($s*)' is met by the five generic strings plus any single specific one; consider requiring 2 of ($s6,$s7,$s9,$s10,$s11)
29 | }
30 |
--------------------------------------------------------------------------------
/2020-10-31/Ran_Egregor_Oct_2020_1 .yar:
--------------------------------------------------------------------------------
1 | rule Ran_Egregor_Oct_2020_1 { // Egregor / Maze ransomware, keyed on code blocks shared with Maze
2 | meta:
3 | description = "Detect Egregor / Maze ransomware by Maze blocks"
4 | author = "Arkbird_SOLG"
5 | reference = "Internal Research"
6 | date = "2020-10-29"
7 | hash1 = "14e547bebaa738b8605ba4182c4379317d121e268f846c0ed3da171375e65fe4"
8 | hash2 = "af538ab1b8bdfbf5b7f1548d72c0d042eb14d0011d796cab266f0671720abb4d"
9 | hash3 = "42ac07c5175d88d6528cfe3dceacd01834323f10c4af98b1a190d5af7a7bb1cb"
10 | hash4 = "4139c96d16875d1c3d12c27086775437b26d3c0ebdcdc258fb012d23b9ef8345"
11 | strings:
12 | $x1 = { 45 f4 8b 4d 10 8b 09 0f b7 49 06 39 c8 0f 8d a2 00 00 00 8b 45 e4 83 78 10 00 75 48 8b 45 0c 8b 40 38 89 45 f0 83 7d f0 00 7e 37 31 c0 8b 4d ec 8b 55 e4 03 4a 0c 89 4d e8 8b 4d e8 8b 55 e4 89 4a 08 8b 4d f0 8b 55 e8 89 14 24 c7 44 24 04 00 00 00 00 89 4c 24 08 89 45 d4 e8 9e c6 ff ff 89 45 d0 eb 3a 8b 45 ec 8b 4d e4 03 41 0c 89 45 e8 8b 45 e4 8b 40 10 8b 4d 08 8b 55 e4 03 4a 14 8b 55 e8 89 14 24 89 4c 24 04 89 44 24 08 e8 77 a1 ff ff 8b 4d e8 8b 55 e4 89 4a 08 89 45 cc 8b 45 f4 83 c0 01 89 45 f4 8b 45 e4 83 c0 28 89 45 e4 } // $x1-$x3: long 32-bit code sequences with no wildcards, including fixed call displacements (e8 .. ff ff) — presumably brittle against a recompiled build; TODO confirm on newer samples
13 | $x2 = { 8b 45 f0 83 38 00 0f 86 a0 00 00 00 8b 45 f8 8b 4d f0 03 01 89 45 ec 8b 45 f0 83 c0 08 89 45 e8 c7 45 fc 00 00 00 00 8b 45 fc 8b 4d f0 8b 49 04 83 e9 08 d1 e9 39 c8 73 62 8b 45 e8 0f b7 00 c1 e8 0c 89 45 e0 8b 45 e8 0f b7 00 25 ff 0f 00 00 89 45 dc 8b 45 e0 85 c0 89 45 d0 74 0f eb 00 8b 45 d0 83 e8 03 89 45 cc 74 04 eb 17 eb 17 8b 45 ec 03 45 dc 89 45 e4 8b 45 0c 8b 4d e4 03 01 89 01 eb 02 eb 00 eb 00 8b 45 fc 83 c0 01 89 45 fc 8b 45 e8 83 c0 02 89 45 e8 eb 8c 8b 45 f0 8b 4d f0 03 41 04 89 45 f0 }
14 | $x3 = { 8b 45 f0 8b 4d ec 03 01 89 45 e8 8b 45 e8 89 04 24 c7 44 24 04 14 00 00 00 ff 15 38 f0 0b 10 83 ec 08 31 c9 88 ca 83 f8 00 88 55 cf 75 0d 8b 45 e8 83 78 0c 00 0f 95 c1 88 4d cf 8a 45 cf a8 01 75 05 e9 6e 01 00 00 8b 45 f0 8b 4d e8 03 41 0c 89 04 24 ff 15 3c f0 0b 10 83 ec 04 89 45 dc 8b 45 dc b9 ff ff ff ff 39 c8 }
15 | $op1 = { 60 8b 7d 08 8b 4d 10 8b 45 0c f3 aa 61 89 45 f0 } // pushad; mov edi,[ebp+8]; mov ecx,[ebp+0x10]; mov eax,[ebp+0xc]; rep stosb; popad; mov [ebp-0x10],eax — a memset-style fill wrapped in pushad/popad
16 | $op2 = { 83 7d 08 00 89 45 ec 89 4d e8 89 55 e4 } // $op2-$op4: short (12-16 byte) prologue fragments; individually generic, so the condition demands three of them
17 | $op3 = { 89 4d e8 89 55 e4 75 09 c7 45 f0 00 00 00 00 }
18 | $op4 = { 75 09 c7 45 f0 00 00 00 00 eb 17 60 }
19 | condition:
20 | uint16(0) == 0x5a4d and filesize > 350KB and (3 of ($op*) or 2 of ($x*)) // MZ header, > 350 KB; either branch suffices — the $op branch matches on short fragments alone, so watch it for false positives on other MSVC-built binaries
21 | }
22 |
--------------------------------------------------------------------------------
/2020-11-15/APT_SideWinder_Nov_2020_1.yar:
--------------------------------------------------------------------------------
1 | rule APT_SideWinder_Nov_2020_1 { // SideWinder .NET DLL: matches the decoder routine by its CIL bytes rather than by strings
2 | meta:
3 | description = "Detect Sidewinder DLL decoder algorithm"
4 | author = "Arkbird_SOLG"
5 | reference = "https://twitter.com/hexfati/status/1325397305051148292"
6 | date = "2020-11-14"
7 | hash1 = "8d7ad2c603211a67bb7abf2a9fe65aefc993987dc804bf19bafbefaaca066eaa"
8 | strings:
9 | $s = { 13 30 05 00 ?? 00 00 00 01 00 00 11 ?? ?? 00 00 ?? ?? ?? 00 00 [30-80] 2B 16 07 08 8F 1? } // NOTE(review): "13 30 05 00" looks like a .NET fat method header (flags/size 0x3013, MaxStack 5) followed by a 4-byte code size and the StandAloneSig local-variable token 0x11000001; the tail "2B .. 07 08 8F" reads as br.s / ldloc.1 / ldloc.2 / ldelema — confirm against the sample
10 | condition:
11 | uint16(0) == 0x5a4d and filesize > 3KB and $s // MZ header, > 3 KB, single wildcard pattern; one hash only, so coverage of other builds is unverified
12 | }
13 |
14 |
--------------------------------------------------------------------------------
/2020-11-18/Clay/Clay_notes.txt:
--------------------------------------------------------------------------------
1 | Ransomware : Clay (variant that is also a fork of the HiddenTear code)
2 | Coded in : CIL (.NET)
3 | Active Threat : Unknown (lamer user)
4 | Ref : https://twitter.com/Kangxiaopao/status/1329016835753144320
5 | MD5: c8c3a98c2916e96f5b8f07aeeb740066
6 | SHA256: 9aaeb479b6bb61b97d6843d8681229ec1873acd0b488d575d71956c8d1ad1b02
7 | Focused extensions :
8 | mid,wma,flv,mkv,mov,avi,asf,mpeg,vob,mpg,wmv,fla,swf,wav,qcow2,vdi,vmdk,vmx,gpg,aes,ARC,PAQ,tar.bz2,tbk,bak,tar,tgz,rar,zip,djv,djvu,svg,bmp,png,gif,raw,cgm,jpeg,jpg,tif,tiff,NEF,psd,cmd,class,jar,java,asp,brd,sch,dch,dip,vbs,asm,pas,cpp,php,ldf,mdf,ibd,MYI,MYD,frm,odb,dbf,mdb,sql,SQLITEDB,SQLITE3,asc,lay6,lay,ms11 (Security copy),sldm,sldx,ppsm,ppsx,ppam,docb,mml,sxm,otg,odg,uop,potx,potm,pptx,pptm,std,sxd,pot,pps,sti,sxi,otp,odp,wks,xltx,xltm,xlsx,xlsm,xlsb,slk,xlw,xlt,xlm,xlc,dif,stc,sxc,ots,ods,hwp,dotm,dotx,docm,docx,DOT,max,xml,txt,CSV,uot,RTF,pdf,XLS,PPT,stw,sxw,ott,odt,DOC,pem,csr,crt,key,wallet.dat
9 | PDB: C:\Users\aguim\Desktop\Ransomware_visual_items\Rasomware2.0\Rasomware2.0\obj\Debug\Rasomware2.0.pdb
10 | Ransom note:
11 | Whoops... All your documents, videos, pictures, music and others \r\nhave been ENCRYPED!
12 | Now you need to contact bl4ack#1337 on the discord asking for the decrypt key
13 | - is there another way for me to recover my files?
14 | No. only with our key we can recover your files.
15 |
16 | Algorithm Encryption: AES ( Size:256 bits/Block: 128 bits) + Salt (1,2,3,4,5,6,7,8)
17 | Notes : Same actor as the OnyxLocker dev test (PDB pattern); weak level of English (not a native speaker, apparently a studied language)
18 | Bazaar link : https://bazaar.abuse.ch/sample/9aaeb479b6bb61b97d6843d8681229ec1873acd0b488d575d71956c8d1ad1b02/
19 |
--------------------------------------------------------------------------------
/2020-11-18/OnyxLocker/OnyxLocker_Notes.txt:
--------------------------------------------------------------------------------
1 | Ransomware : OnyxLocker
2 | Coded in : CIL (.NET)
3 | Active Threat : Dev Test (only one sample found)
4 | Ref : https://twitter.com/Kangxiaopao/status/1328614320016560128
5 | MD5: 1bf1c4174d6f6f9b33e7bd3be901ff55
6 | SHA256: 7e3c97d3d274b5f7fedad6e392e6576ac3e5724ddd7e48c58a654b6b95eb40d7
7 | Focused extensions :
8 | pdf,zip,ppt,doc,docx,rtf,jpg,jpeg,png,img,gif,mp3,mp4,mpeg,mov,avi,wmv,txt,html,php,js,css,odt,sqlite3,ink,ods,odp,odm,odc,odb,docm,wps,xls,xlsx,xlsm,xlsb,xlk,ppt,pptx,pptm,mdb,accdb,pst,dwg,dxf,dxg,wpd,wb2,mdf,psd,pdd,eps,ai,indd,cdr,jpe,tmp,log,py,dbf,ps1,dng,3fr,arw,srf,sr2,bay,crw,cr2,dcr,rwl,rw2,pyc,kdc,erf,mef,mrw,nef,nrw,orf,raf,raw,r3d,ptx,css,pef,srw,x3f,der,cer,crt,pem,pfx,p12,p7b,p7c,sqlite,js,rb,xml,wmi,sh,asp,aspx,plist,sql,vbs,litesql,dotx,db3,backup,xlm,rtf,json,lua,tiff,tif,csproj,sln,crt,csv,flv,vlf,rar,7zip,acc,lnk,cs,h,cpp,c,sg,mid,wav,7z,exe,db
9 | PDB: C:\Users\aguim\Desktop\OnyxLocker-master\OnyxLocker\obj\Debug\OnyxLocker.pdb
10 | Ransom note: WW91IHNob3VsZCByZXBsYWNlIHRoaXMgbWVzc2FnZSB3aXRoIHRoZSBvbmUgeW91IHdhbnQgeW91ciB1c2VycyB0byBzZWUu (base64 encoded)
11 | You should replace this message with the one you want your users to see.
12 | Algorithm Encryption: 3DES (192 bits)
13 | Notes : A function for sending the key seems to exist but is not used (there is no working interface for sending the generated key to the C2)
14 |
15 | using System;
16 |
17 | namespace OnyxLocker.Interfaces
18 | {
19 | // Token: 0x0200000A RID: 10
20 | // Decompiled key-exfiltration contract; only the declaration is shown here, and the notes above state that nothing in the sample uses it
21 | internal interface ICommunicator
22 | {
23 | // Token: 0x0600001C RID: 28
24 | void SendData(string EncryptionKey); // the generated key would be passed here; no implementation or caller was found
25 | }
26 | }
26 | Bazaar link : https://bazaar.abuse.ch/sample/7e3c97d3d274b5f7fedad6e392e6576ac3e5724ddd7e48c58a654b6b95eb40d7/
27 |
--------------------------------------------------------------------------------
/2020-11-18/OnyxLocker/Ran_OnyxLocker_Nov_2020_1.yar:
--------------------------------------------------------------------------------
1 | rule Ran_OnyxLocker_Nov_2020_1 { // OnyxLocker .NET ransomware, matched on unobfuscated type/method names
2 | meta:
3 | description = "Detect OnyxLocker ransomware"
4 | author = "Arkbird_SOLG"
5 | reference = "https://twitter.com/Kangxiaopao/status/1328614320016560128"
6 | date = "2020-11-18"
7 | hash1 = "7e3c97d3d274b5f7fedad6e392e6576ac3e5724ddd7e48c58a654b6b95eb40d7"
8 | strings:
9 | $s1 = "IEncryptionProvider" fullword ascii
10 | $s2 = "OnyxLocker.exe" fullword wide
11 | $s3 = "GetEncryptionThreads" fullword ascii
12 | $s4 = "CreateEncryptionKey" fullword ascii
13 | $s5 = ".NETFramework,Version=v4.5.2" fullword ascii // $s5 and $s14 are framework version strings found in any .NET 4.5.2 build; weak on their own
14 | $s6 = "get_TargetFiles" fullword ascii
15 | $s7 = "IsTargetFile" fullword ascii
16 | $s8 = "k__BackingField" fullword ascii // compiler-generated auto-property backing-field suffix; also generic
17 | $s9 = "XxteaEncryptionProvider" fullword ascii
18 | $s10 = "GetStartingFolders" fullword ascii
19 | $s11 = "k__BackingField" fullword ascii // NOTE(review): byte-identical to $s8, so both match at the same offsets and "8 of them" effectively needs only 7 distinct strings; left unchanged here to keep the rule byte-identical, but one of the two should be dropped
20 | $s12 = "RECOVERY INSTRUCTIONS" fullword wide
21 | $s13 = "$182eaa96-fcb2-458b-85cb-a9b8da57ae71" fullword ascii
22 | $s14 = ".NET Framework 4.5.2" fullword ascii
23 | $s15 = "TraverseDirectories" fullword ascii
24 | $s16 = "{0} {1}" fullword wide
25 | condition:
26 | uint16(0) == 0x5a4d and filesize > 8KB and 8 of them // MZ header, > 8 KB, any 8 of the 16 strings (see the duplicate note on $s11)
27 | }
28 |
--------------------------------------------------------------------------------
/2020-11-21/Gootkit/Loa_JS_Gootkit_Nov_2020_1.yar:
--------------------------------------------------------------------------------
1 | rule Loa_JS_Gootkit_Nov_2020_1 { // JavaScript loader from the Gootkit chain: scans script text, so no MZ header check; each [4-6] jump stands for a 4-6 character obfuscated identifier (shown as "F" in the decoded forms)
2 | meta:
3 | description = "Detect JS loader used on the Gootkit killchain (November 2020)"
4 | author = "Arkbird_SOLG"
5 | reference = "https://twitter.com/ffforward/status/1330214661577437187"
6 | date = "2020-11-21"
7 | hash1 = "7aec3ed791529182c0f64ce34415c3c705a79f3d628cbcff70c34a9f73d8ff42"
8 | strings:
9 | $s1 = { 7b [4-6] 5b [4-6] 5d 28 [4-6] 5b [4-6] 5d 29 28 [4-6] 5b [4-6] 5d 29 3b 7d } // Exec method -> {F[F](F[F])(F[F]);}
10 | $s2 = { 7b 72 65 74 75 72 6e 20 [4-6] 20 25 20 28 [4-6] 2b [4-6] 29 3b 7d } // Modulo OP -> {return F % (F+F);}
11 | $s3 = { 7b [4-6] 20 3d 20 [4-6] 28 [4-6] 29 2e 73 70 6c 69 74 28 [4-6] 29 3b 7d } // Split OP -> {F = F(F).split(F);}
12 | $s4 = { 7b 72 65 74 75 72 6e 20 [4-6] 2e 63 68 61 72 41 74 28 [4-6] 29 3b 7d} // Getchar OP -> {return F.charAt(F);}
13 | $s5 = { 7b [4-6] 5b [4-6] 5d 20 3d 20 [4-6] 5b [4-6] 5b [4-6] 5d 5d 3b 7d } // GetIndex OP -> {F[F] = F[F[F]];}
14 | condition:
15 | filesize > 1KB and 2 of them // any two of the five code-shape patterns; these are generic JS idioms, so the pairing is what gives specificity — watch for hits on unrelated minified scripts
16 | }
17 |
--------------------------------------------------------------------------------
/2020-12-01/Buer/info.csv:
--------------------------------------------------------------------------------
1 | "Hash","Parent","Filename","Size","Notes"
2 | "1c8260f2d597cfc1922ca72162e1eb3f8272c2d18fa41d77b145d32256c0063d","-","web.exe","96KB","NSIS installer"
3 | "ae3ac27e8303519cf04a053a424a0939ecc3905a9a62f33bae3a29f069251b1f","1c8260f2d597cfc1922ca72162e1eb3f8272c2d18fa41d77b145d32256c0063d","aeiouy.bin","24KB","Buer loader"
4 | "66f5a68f6b5067feb07bb88a3bfaa6671a5e8fcf525e9cd2355de631c4ca2088","-","mem.exe","192KB","NSIS installer"
5 | "2824d4b0e5a502416696b189bd840870a19dfd555b53535f20b0c87c95f4c232","66f5a68f6b5067feb07bb88a3bfaa6671a5e8fcf525e9cd2355de631c4ca2088","dump.exe","24KB","Buer loader"
6 | "b298ead0400aaf886dbe0a0720337e6f2efd5e2a3ac1a7e7da54fc7b6e4f4277","-","sprintopen.exe","81KB","NSIS installer"
7 | "a98abbce5e84c4c3b67b7af3f9b4dc9704b5af33b6183fb3c192e26b1e0ca005","b298ead0400aaf886dbe0a0720337e6f2efd5e2a3ac1a7e7da54fc7b6e4f4277","dump.exe","24KB","Buer loader"
8 |
--------------------------------------------------------------------------------
/2020-12-09/EXX/Ran_ELF_EXX_Nov_2020_1.yar:
--------------------------------------------------------------------------------
1 | rule Ran_ELF_EXX_Nov_2020_1 { // EXX ELF ransomware; keys on statically linked mbedtls artefacts plus three code sequences
2 | meta:
3 | description = "Detect EXX variant ELF ransomware"
4 | author = "Arkbird_SOLG"
5 | reference = "Internal Research"
6 | date = "2020-12-09"
7 | level = "experimental"
8 | hash1 = "cb408d45762a628872fa782109e8fcfc3a5bf456074b007de21e9331bb3c5849"
9 | strings:
10 | $dbg1 = { 55 6e 65 78 70 65 63 74 65 64 20 65 72 72 6f 72 2c 20 72 65 74 75 72 6e 20 63 6f 64 65 20 3d 20 25 30 38 58 0a } // Unexpected error, return code = %08X\n
11 | $dbg2 = { 47 72 65 65 74 69 6e 67 73 20 [3-10] 21 } // "Greetings " + 3-10 bytes + "!"
12 | $dbg3 = { 63 79 63 6c 65 73 3d 25 6c 75 20 72 61 74 69 6f 3d 25 6c 75 20 6d 69 6c 6c 69 73 65 63 73 3d 25 6c 75 20 73 65 63 73 3d 25 6c 75 20 68 61 72 64 66 61 69 6c 3d 25 64 20 61 3d 25 6c 75 20 62 3d 25 6c 75 0a } // cycles=%lu ratio=%lu millisecs=%lu secs=%lu hardfail=%d a=%lu b=%lu\n
13 | $dbg4 = { 53 48 41 2d 25 64 20 74 65 73 74 20 23 25 64 3a } // SHA-%d test #%d: — $dbg1, $dbg3, $dbg4 look like mbedtls self-test/diagnostic strings (presumably left in by static linking) — TODO confirm
14 | $lib1 = "pthread_mutex_unlock@@GLIBC_2.2.5" fullword ascii // versioned glibc symbols; GLIBC_2.2.5 is the x86-64 glibc baseline, so this suggests an x86-64 build
15 | $lib2 = "pthread_mutex_lock@@GLIBC_2.2.5" fullword ascii
16 | $lib3 = "mbedtls_rsa_import" fullword ascii // mbedtls RSA/SHA-256 symbol names, consistent with the hybrid-encryption use the ransomware needs
17 | $lib4 = "mbedtls_rsa_export" fullword ascii
18 | $lib5 = "mbedtls_oid_get_extended_key_usage" fullword ascii
19 | $lib6 = "mbedtls_sha256_process" fullword ascii
20 | //seq main
21 | $seq1 = { 48 83 ec 20 89 7d ec 48 89 75 e0 b8 00 00 00 00 e8 77 00 00 00 48 8d 45 f0 b9 00 00 00 00 48 8d 15 b5 ff ff ff be 00 00 00 00 48 89 c7 e8 d6 fb ff ff c7 45 fc 01 00 00 00 eb }
22 | //seq worker
23 | $seq2 = { 00 00 00 00 e8 b2 fe ff ff 48 8b 45 e8 48 89 c7 e8 92 ed ff ff 48 83 c0 01 48 89 c7 e8 c6 ee ff ff 48 89 45 f8 48 83 7d f8 00 74 3a 48 8b 55 e8 48 8b 45 f8 48 89 d6 48 89 c7 e8 f8 ec ff ff 48 8b 45 f8 48 89 c7 e8 12 fd ff ff 48 8b 45 f8 48 89 c7 e8 90 ec ff ff b8 00 00 00 00 e8 95 fc ff ff }
24 | //seq GenKey
25 | $seq3 = { e5 41 55 41 54 53 48 81 ec 18 18 00 00 c7 45 dc 00 00 00 00 48 c7 45 d0 00 00 00 00 bf 00 00 00 00 e8 13 fd ff ff 89 c7 e8 7c fc ff ff e8 d7 fd ff ff 41 89 c5 e8 cf fd ff ff 41 89 c4 e8 c7 fd ff ff 89 c3 e8 c0 fd ff ff 89 c2 48 8d 85 d0 e7 ff ff 4d 89 e9 4d 89 e0 48 89 d9 48 8d 35 bf 0a 02 00 48 89 } // all three $seq blocks embed fixed relative call offsets, so they are tied to this build's layout
26 | condition:
27 | uint16(0) == 0x457f and filesize > 80KB and 3 of ($dbg*) and 4 of ($lib*) and 2 of ($seq*) // 0x457f is "\x7fELF" read little-endian; > 80 KB; 3/4 diagnostic strings, 4/6 library symbols and 2/3 code sequences must all hold
28 | }
29 |
--------------------------------------------------------------------------------
/2020-12-12/conti/infos.csv:
--------------------------------------------------------------------------------
1 | "Date","Hash","Parent","Extension","Note"
2 | "2020-10-01 21:56:08","1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420","-","QMIBK","Loader Conti V2"
3 | "2020-09-23 21:17:34","61dd6a0b2870d62f56c7fe0039d42bf5351588f927267fe7b4ee0761872a3b20","1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420","QMIBK","Conti V2"
4 | "2020-10-16 14:00:32","d236d64b7bf9510ea1746d10a4c164a2ef2c724cc62b2bca91d72bdf24821e40","-","UWTJF","Loader Conti V2"
5 | "2020-10-09 22:53:57","e64e350861b86d4e05668bc25e6c952880f6b39ca921496ccce1487dbf6acab6","d236d64b7bf9510ea1746d10a4c164a2ef2c724cc62b2bca91d72bdf24821e40","UWTJF","Conti V2"
6 | "2020-10-21 18:39:18","0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862","-","ITTZN","Loader Conti V2"
7 | "2020-10-21 20:39:10","9826b386065f8312a7a7ef431c735a66e85a9c144692907f5909f81f837c65f4","0951fde8a8ea9cd45d2be14d63e6e55c8e87af0da45cf3776b495871652aa862","ITTZN","Conti V2"
8 | "2020-10-19 08:59:11","0a7e7f12d79130da067fd39ede7ff4dc3dc6665d88f5278745074d77132312bf","-","TJODT","Loader Conti V2"
9 | "2020-10-09 22:53:57","633b9d373da7d2916f4d3b2902d4817c0f3ad5de5466ac85f34bdd37a8d3dd37","0a7e7f12d79130da067fd39ede7ff4dc3dc6665d88f5278745074d77132312bf","TJODT","Conti V2"
10 | "2020-11-09 14:25:19","b524ed1cc22253f09d56f54d8ded4566b63352ff739f58de961f8a5bebb0fad9","-","CECJF","Loader Conti V2"
11 | "2020-11-09 14:25:18","03b9c7a3b73f15dfc2dcb0b74f3e971fdda7d1d1e2010c6d1861043f90a2fecd","b524ed1cc22253f09d56f54d8ded4566b63352ff739f58de961f8a5bebb0fad9","CECJF","Conti V2"
12 | "2020-11-17 20:10:28","707b752f6bd89d4f97d08602d0546a56d27acfe00e6d5df2a2cb67c5e2eeee30","-","KCWTT","Loader Conti V3"
13 | "2020-11-17 21:10:22","f092b985b75a702c784f0936ce892595b91d025b26f3387a712b76dcc3a4bc81","707b752f6bd89d4f97d08602d0546a56d27acfe00e6d5df2a2cb67c5e2eeee30","KCWTT","Conti V3"
14 |
--------------------------------------------------------------------------------
/2020-12-14/Pay2Key/Ran_Pay2Key_Nov_2020_1.yar:
--------------------------------------------------------------------------------
1 | rule Ran_Pay2Key_Nov_2020_1 { // Pay2Key ransomware ("Cobalt" internal project name per the PDB path in $s1)
2 | meta:
3 | description = "Detect Pay2Key ransomware"
4 | author = "Arkbird_SOLG"
5 | reference = "Internal Research"
6 | date = "2020-12-01"
7 | hash1 = "5bae961fec67565fb88c8bcd3841b7090566d8fc12ccb70436b5269456e55c00"
8 | hash2 = "d2b612729d0c106cb5b0434e3d5de1a5dc9d065d276d51a3fb25a08f39e18467"
9 | hash3 = "ea7ed9bb14a7bda590cf3ff81c8c37703a028c4fdb4599b6a283d68fdcb2613f"
10 | strings:
11 | // NOTE(review): this line used to say "Bonus : Doesn't count in the condition", but the condition's "5 of ($s*)" counts every $s string, $s1-$s4 included
12 | $s1 = "F:\\2-Sources\\21-FinalCobalt\\Source\\cobalt\\Cobalt\\Cobalt\\Win32\\Release\\Client\\Cobalt.Client.pdb" fullword ascii
13 | $s2 = ".\\Cobalt-Client-log.txt" fullword ascii
14 | $s3 = ".\\Config.ini" fullword wide
15 | $s4 = "Local\\{C15730E2-145C-4c5e-B005-3BC753F42475}-once-flag" fullword ascii // single-instance marker (named object in the Local\ namespace)
16 | // Change the wallpaper
17 | $s5 = "\\Microsoft\\Windows\\Themes\\TranscodedWallpaper" fullword ascii
18 | // ping localhost
19 | $s6 = { 40 00 63 00 6d 00 64 00 2e 00 65 00 78 00 65 00 20 00 2f 00 43 00 20 00 70 00 69 00 6e 00 67 00 20 00 31 00 2e 00 31 00 2e 00 31 00 2e 00 31 00 20 00 2d 00 6e 00 20 00 31 00 20 00 2d 00 77 00 20 00 33 00 30 00 30 00 30 00 20 00 3e 00 20 00 4e 00 75 00 6c 00 20 00 26 00 20 00 44 00 65 00 6c 00 20 00 2f 00 66 00 20 00 2f 00 71 00 20 00 22 00 25 00 73 00 22 } // @cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "%s" — UTF-16LE self-deletion one-liner (ping used as a delay, then the file named by %s is deleted); the target is 1.1.1.1, not localhost
20 | $s7 = "%WINDRIVE%" fullword wide
21 | $s8 = "%WINDIR%" fullword wide
22 | $dbg1 = "message.txt" fullword ascii
23 | $dbg2 = "Failed To Get Data...." fullword ascii
24 | $dbg3 = "lock.locked()" fullword wide
25 | $dbg4 = { 47 65 74 41 64 61 70 74 65 72 73 49 6e 66 6f 20 66 61 69 6c 65 64 20 77 69 74 68 20 65 72 72 6f 72 3a 20 25 64 0a } // GetAdaptersInfo failed with error: %d\n
26 | $dbg5 = { 43 72 79 70 74 41 63 71 75 69 72 65 43 6f 6e 74 65 78 74 20 66 61 69 6c 65 64 3a 20 25 78 0a } // CryptAcquireContext failed: %x\n — $dbg5-$dbg7 are CryptoAPI error strings, consistent with Windows CryptoAPI being used for the file encryption
27 | $dbg6 = { 43 72 79 70 74 44 65 72 69 76 65 4b 65 79 20 66 61 69 6c 65 64 3a 20 25 78 0a 00 00 25 00 64 } // CryptDeriveKey failed: %x\n
28 | $dbg7 = { 5b 2d 5d 20 43 72 79 70 74 45 6e 63 72 79 70 74 20 66 61 69 6c 65 64 0a } // [-] CryptEncrypt failed\n
29 | condition:
30 | uint16(0) == 0x5a4d and filesize > 500KB and (5 of ($s*) and 4 of ($dbg*)) // MZ header, > 500 KB, 5 of the 8 $s strings and 4 of the 7 $dbg strings
31 | }
32 |
--------------------------------------------------------------------------------
/2020-12-19/Mal_PhantomNet_Nov_2020_1.yar:
--------------------------------------------------------------------------------
1 | rule Mal_PhantomNet_Nov_2020_1 { // PhantomNet backdoor: mostly HTTP/proxy protocol fragments plus a WMI AV-enumeration query
2 | meta:
3 | description = "Detect PhantomNet (November 2020)"
4 | author = "Arkbird_SOLG"
5 | reference = "https://insight-jp.nttsecurity.com/post/102glv5/pandas-new-arsenal-part-3-smanager"
6 | date = "2020-12-19"
7 | hash1 = "ea7b2def3335b81048aac8fc372349f38453b676fa833603b7e15c45437f6858"
8 | hash2 = "338502691f6861ae54e651a25a08e62eeca9febc6830978a670d44caf3d5d056"
9 | strings:
10 | $s1 = { 25 73 25 30 38 58 } // %s%08X — short and generic; contributes to the count but not to specificity
11 | $s2 = { 68 00 74 00 74 00 70 00 5c 00 73 00 68 00 65 00 6c 00 6c 00 5c 00 6f 00 70 00 65 00 6e 00 5c 00 63 00 6f 00 6d 00 6d 00 61 00 6e 00 64 } // http\\shell\\open\\command (UTF-16LE) — registry subkey of the default-browser handler
12 | $s3 = { 6b 25 34 64 2d 25 30 32 64 2d 25 30 32 64 } // k%4d-%02d-%02d
13 | $s4 = { 47 6c 6f 62 61 6c 5c 47 6c 6f 62 61 6c 41 63 70 72 6f 74 65 63 74 4d 75 74 65 78 } // Global\\GlobalAcprotectMutex — named mutex, a usable host-based indicator
14 | $s5 = "Proxy-Authorization: NTLM" fullword ascii
15 | $s6 = { 50 72 6f 78 79 2d 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 6b 65 65 70 2d 61 6c 69 76 65 0d 0a } // Proxy-Connection: keep-alive\r\n
16 | $s7 = { 48 54 54 50 2f 31 2e 31 20 00 00 00 48 54 54 50 2f 31 2e 30 20 } // HTTP config — "HTTP/1.1 " and "HTTP/1.0 " as adjacent NUL-padded literals
17 | $s8 = { 52 00 6f 00 6f 00 74 00 5c 00 53 00 65 00 63 00 75 00 72 00 69 00 74 00 79 00 43 00 65 00 6e 00 74 00 65 00 72 00 32 00 00 00 00 00 53 45 4c 45 43 54 20 2a 20 46 52 4f 4d 20 41 6e 74 69 56 69 72 75 73 50 72 6f 64 75 63 74 00 00 57 51 4c } // WQL AV detection — "Root\\SecurityCenter2" (UTF-16LE) then "SELECT * FROM AntiVirusProduct" and "WQL": enumerates installed AV products via WMI
18 | $s9 = { 68 74 74 70 00 00 00 00 25 5b 5e 3a 5d 00 00 00 25 2a 5b 5e 3a 5d 3a 25 64 } // config — "http", "%[^:]", "%*[^:]:%d": scanf-style formats, presumably for parsing a host:port proxy setting — TODO confirm
19 | $s10 = { 48 6f 73 74 3a 20 } // Host:
20 | $s11 = { 43 6f 6f 6b 69 65 73 3a 20 } // Cookies: — note the non-standard plural header name, which is a better discriminator than "Host: "
21 | $s12 = "Proxy-Authenticate: NTLM" fullword ascii
22 | condition:
23 | uint16(0) == 0x5a4d and filesize > 90KB and 9 of them // MZ header, > 90 KB, any 9 of 12; several strings are plain HTTP fragments, so the high threshold is what keeps this specific
24 | }
25 |
--------------------------------------------------------------------------------
/2020-12-19/Mal_Smanager_Installer_Module_Nov_2020_1.yar:
--------------------------------------------------------------------------------
1 | rule Mal_Smanager_Installer_Module_Nov_2020_1 { // Smanager installer module: persistence (scheduled task, svchost service group), proxy config and staging paths
2 | meta:
3 | description = "Detect installer module of Smanager (November 2020)"
4 | author = "Arkbird_SOLG"
5 | reference = "https://insight-jp.nttsecurity.com/post/102glv5/pandas-new-arsenal-part-3-smanager"
6 | date = "2020-12-19"
7 | hash1 = "97a5fe1d2174e9d34cee8c1d6751bf01f99d8f40b1ae0bce205b8f2f0483225c"
8 | strings:
9 | $s1 = { 63 6d 64 20 2f 63 20 73 63 68 74 61 73 6b 73 20 2f 46 20 2f 63 72 65 61 74 65 20 2f 74 6e 3a 57 69 6e 64 6f 77 73 5c 55 70 64 61 74 65 20 2f 74 72 20 22 25 73 22 20 20 20 2f 73 63 20 48 4f 55 52 4c 59 } // cmd /c schtasks /F /create /tn:Windows\\Update /tr "%s" /sc HOURLY — hourly scheduled task named "Windows\Update"; a task with that name is a good hunting pivot
10 | $s2 = { 25 73 5c 73 79 73 74 65 6d 33 32 5c 73 76 63 68 6f 73 74 2e 65 78 65 20 2d 6b 20 25 73 } // %s\\system32\\svchost.exe -k %s — service hosted in an svchost group (see $s6 for the Svchost registry key)
11 | $s3 = { 25 73 79 73 74 65 6d 72 6f 6f 74 25 } // %systemroot%
12 | $s4 = { 25 55 53 45 52 50 52 4f 46 49 4c 45 25 5c [1-8] 5c [1-8] 2e 63 61 62 } // %USERPROFILE%\\[1-8]\\[1-8].cab
13 | // NOTE(review): this line used to say "Bonus doesn't count in condition", but "7 of them" counts every string in the rule, $s5 onward included
14 | $s5 = { 53 6d 61 6e 61 67 65 72 5f 73 73 6c 2e 64 6c 6c } // Smanager_ssl.dll
15 | $s6 = { 53 4f 46 54 57 41 52 45 5c 4d 69 63 72 6f 73 6f 66 74 5c 57 69 6e 64 6f 77 73 20 4e 54 5c 43 75 72 72 65 6e 74 56 65 72 73 69 6f 6e 5c 53 76 63 68 6f 73 74 } // SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost
16 | $s7 = { 53 59 53 54 45 4d 5c 43 75 72 72 65 6e 74 43 6f 6e 74 72 6f 6c 53 65 74 5c 53 65 72 76 69 63 65 73 5c } // SYSTEM\\CurrentControlSet\\Services\\ — $s6/$s7 are legitimate registry paths, common in many binaries
17 | $s8 = { 43 3a 5c 77 69 6e 64 6f 77 73 5c 61 70 70 70 61 74 63 68 5c } // C:\\windows\\apppatch\\
18 | $s9 = "TmV0QmlvcyBNZXNzYWdlciBSZWdpc3Rlcg==" fullword ascii // -> NetBios Messager Register
19 | $s10 = { 68 74 74 70 73 3d 25 5b 5e 3a 5d 3a 25 64 00 00 68 74 74 70 73 3d 00 00 73 6f 63 6b 73 3d 25 5b 5e 3a 5d 3a 25 64 00 00 73 6f 63 6b 73 3d 00 00 68 74 74 70 3d 25 5b 5e 3a 5d 3a 25 64 00 00 00 68 74 74 70 3d } // SOCKS config — "https=%[^:]:%d", "https=", "socks=%[^:]:%d", "socks=", "http=%[^:]:%d", "http=" scanf formats
20 | $s11 = "&About VVSup..." fullword wide
21 | $s12= "%d.tmp" fullword ascii
22 | condition:
23 | uint16(0) == 0x5a4d and filesize > 90KB and 7 of them // MZ header, > 90 KB, any 7 of the 12 strings
24 | }
25 |
--------------------------------------------------------------------------------
/2020_05_09/Share_IOC_masslogger.csv:
--------------------------------------------------------------------------------
1 | Date,Type,Indicator,Description
2 | 2020-05-04 12:38:58,SHA-256,99f2aaf753d0f0b9d9b3a3d593e8dbf724ada3fb3dad43dc52687ede11bcad04,DHL PB8002742088-Contact form.pdf.exe
3 | 2020-05-04 12:38:58,URL,http://radiomeff.mk/panel/upload.php,URL C2
4 | 2020-05-04 12:38:58,IP,94.155.47.65,IP C2
5 | 2020-05-04 12:38:58,Domain,radiomeff.mk,Domain C2
6 | 2020-05-04 12:38:58,Mutex,CPFATE_1220_v4.0.30319,Mutex created
7 | 2020-05-04 12:38:58,Mutex,CPFATE_2904_v4.0.30319,Mutex created
8 | 2020-05-04 12:38:58,Mutex,CPFATE_3036_v4.0.30319,Mutex created
9 | 2020-05-04 12:38:58,Mutex,CPFATE_2348_v4.0.30319,Mutex created
10 | 2020-05-04 12:38:58,Mutex,RasPbFile,Mutex open
11 | 2020-05-04 12:38:58,Module,sqlite.interop.dll,Runtime modules
12 | 2020-05-05 02:04:19,SHA-256,dff13e3113afe89e2330eca1060a287b4ecd648c0f76f7ff31b9f1ad2275086,DHL PB8002742088-Contact form.pdf.zip (NOTE: hash as recorded is 63 hex characters while SHA-256 is 64 — verify before use)
13 | 2020-05-05 04:43:01,SHA-256,812efd5114e9e1d9ae0898435aa593322a4ef9a39ddd1befe6fc9382ed1cfc0f,TnGfQRqn.exe
14 | 2020-05-05 04:43:01,IP,54.225.71.235,IP C2
15 | 2020-05-05 04:43:01,Domain,mail.gcco.dz,Domain C2
16 | 2020-05-05 04:43:01,Mutex,RasPbFile,Mutex open
17 | 2020-05-05 04:43:01,Module,sqlite.interop.dll,Runtime module
18 | 2020-05-05 11:00:07,SHA-256,c4915e0bad118912792555923bded5335a283aa6b0a8e78a10ca627679929c13,Proforma Invoice and Purchase Order.exe
19 | 2020-05-05 11:00:07,Module,sqlite.interop.dll,Runtime modules
20 | 2020-05-05 11:00:07,Mutex,CPFATE_1764_v4.0.30319,Mutex created
21 | 2020-05-05 11:00:07,Mutex,CPFATE_2184_v4.0.30319,Mutex created
22 | 2020-05-05 11:00:07,Mutex,CPFATE_784_v4.0.30319,Mutex created
23 | 2020-05-05 11:00:07,Mutex,CPFATE_2724_v4.0.30319,Mutex created
24 | 2020-05-05 11:00:07,Mutex,RasPbFile,Mutex open
25 | 2020-05-05 11:00:07,Module,sqlite.interop.dll,Runtime module
26 |
--------------------------------------------------------------------------------
/2021-01-01/Hades/Ran_Loader_Hades_Dec_2020_1.yar:
--------------------------------------------------------------------------------
1 |
2 | rule Ran_Loader_Hades_Dec_2020_1 { // Hades ransomware in-memory loader (64-bit code sequences); marked Experimental by the author
3 | meta:
4 | description = "Detect the loader used by Hades ransomware for load the final implant in memory"
5 | author = "Arkbird_SOLG"
6 | reference = "Internal Research"
7 | date = "2020-12-27"
8 | hash1 = "0dfcf4d5f66310de87c2e422d7804e66279fe3e3cd6a27723225aecf214e9b00"
9 | hash2 = "ea310cc4fd4e8669e014ff417286da5edf2d3bef20abfb0a4f4951afe260d33d"
10 | level = "Experimental"
11 | strings:
12 | // sequence of the loader (code reuse)
13 | $seq1 = { 48 83 ec 58 8b 0d 9e aa 1c 00 ba 01 14 00 00 ff 15 93 9a 1c 00 48 85 c0 74 07 33 c0 e9 c1 3b 00 00 48 8b 05 58 99 1c 00 48 89 44 24 30 c7 44 24 3c 2c 01 00 00 c7 44 24 38 01 00 00 00 33 c9 ff 15 cb 99 1c 00 48 89 05 74 aa 1c 00 48 8b 05 6d aa 1c 00 48 63 48 3c 48 8b 05 62 aa 1c 00 48 03 c1 48 89 05 88 aa 1c 00 48 8d 44 24 3c 48 89 44 24 28 48 8d 05 a7 aa 1c 00 48 89 44 24 20 4c 8d 4c 24 38 45 33 c0 48 8d 15 53 aa 1c 00 48 8b 0d e4 ac 1c 00 ff 54 24 30 48 85 c0 74 05 e8 5e ff ff ff 48 8d 05 2d 3d 00 00 48 89 05 38 aa 1c 00 48 8b 05 31 aa 1c 00 } // exact RIP-relative displacements (xx xx 1c 00) throughout, so this is tied to one build's image layout; "48 63 48 3c" (movsxd ecx,[rax+0x3c]) reads the e_lfanew offset of a PE header in memory — TODO confirm
14 | // sequence of the parsing process
15 | $seq2 = { 89 54 24 10 89 4c 24 08 48 83 ec 18 8b 44 24 20 89 04 24 8b 44 24 28 89 44 24 04 8b 44 24 04 39 04 24 73 0f c7 44 24 20 04 00 00 00 8b 04 24 eb 0e eb 0c c7 44 24 20 35 00 00 00 8b 44 24 04 48 83 c4 18 }
16 | // sequence of reflective openkey
17 | $seq3 = { 48 8b 05 c1 ?? 1c 00 48 89 05 32 ?? 1c 00 } // only 14 bytes with two wildcards — generic enough that it should not be the sole $seq match; the condition requires two
18 | $s1 = "111111111\\{aa5b6a80-b834-11d0-932f-00a0c90dcaa9}" fullword wide
19 | $s2 = "_VERSION_INFO" fullword wide
20 | $s3 = "VkKeyScanW" fullword ascii
21 | $s4 = { 53 43 61 4d 69 72 } // "SCaMir"
22 | condition:
23 | uint16(0) == 0x5a4d and filesize > 300KB and 2 of ($seq*) and 3 of ($s*) // MZ header, > 300 KB, 2 of 3 code sequences and 3 of 4 strings
24 | }
25 |
--------------------------------------------------------------------------------
/2021-01-02/BabukLocker/Ran_BabukLockers_Jan_2021_1.yar:
--------------------------------------------------------------------------------
1 | rule Ran_BabukLockers_Jan_2021_1 { // Babuk Locker ransomware (32-bit build); marked Experimental by the author
2 | meta:
3 | description = "Detect the BabukLocker ransomware"
4 | author = "Arkbird_SOLG"
5 | reference = "Internal Research"
6 | date = "2020-01-03" // NOTE(review): the rule name, the directory and hash1's first sighting all point to January 2021, so this year looks like a typo; left unchanged because it is metadata consumers may key on
7 | hash1 = "8203c2f00ecd3ae960cb3247a7d7bfb35e55c38939607c85dbdb5c92f0495fa9"
8 | level = "Experimental"
9 | strings:
10 | // sequence of the discovery process from imported DLL (TTPs)
11 | $seq1 = { 55 8b ec 83 ec 14 a1 b0 81 40 00 33 c5 89 45 fc c7 45 f8 ff ff ff ff c7 45 f4 00 40 00 00 8d 45 f0 50 8b 4d 08 51 6a 13 6a 00 6a 02 e8 85 2b 00 00 85 c0 0f 85 a3 00 00 00 8b 55 f4 52 e8 ae 06 00 00 83 c4 04 89 45 08 83 7d 08 00 0f 84 81 00 00 00 8d 45 f4 50 8b 4d 08 51 8d 55 f8 52 8b 45 f0 50 e8 55 2b 00 00 85 c0 75 5c c7 45 ec 00 00 00 00 eb 09 8b 4d ec 83 c1 01 89 4d ec 8b 55 ec 3b 55 f8 73 40 8b 45 ec c1 e0 05 8b 4d 08 8b 54 01 0c 83 e2 02 74 14 8b 45 ec c1 e0 05 03 45 } // starts with the classic "push ebp; mov ebp,esp" prologue and a security-cookie load (a1 .. 33 c5); absolute addresses in the 0x0040xxxx range tie it to a non-relocated 32-bit image
12 | // sequence of the parsing arguments + shutdown process
13 | $seq2 = { 68 68 22 40 00 b8 04 00 00 00 c1 e0 00 8b 8d 9c fd ff ff 8b 14 01 52 ff 15 b8 90 40 00 85 c0 75 0c c7 85 b0 fd ff ff 01 00 00 00 eb 58 68 74 22 40 00 b8 04 00 00 00 c1 e0 00 8b 8d 9c fd ff ff 8b 14 01 52 ff 15 b8 90 40 00 85 c0 75 0c c7 85 b0 fd ff ff 00 00 00 00 eb 2b 68 80 22 40 00 b8 04 00 00 00 c1 e0 00 8b 8d 9c fd ff ff 8b 14 01 52 ff 15 b8 90 40 00 85 c0 75 0a c7 85 b0 fd ff ff ff ff ff ff e9 55 ff ff ff 6a 00 6a 00 ff 15 a8 90 40 00 e8 aa 04 00 00 e8 05 } // three repeated compare-string blocks (push literal, call [0x4090b8], branch), consistent with matching command-line switches
14 | // sequence of write op (key) in the disk
15 | $seq3 = { 83 c4 0c 68 f4 00 00 00 8d 85 f4 fd ff ff 50 68 88 22 40 00 ff 15 6c 90 40 00 68 98 22 40 00 8d 8d f4 fd ff ff 51 ff 15 c4 90 40 00 c7 85 ec fd ff ff 00 00 00 00 6a 00 68 80 00 00 00 6a 01 6a 00 6a 01 68 00 00 00 40 8d 95 f4 fd ff ff 52 ff 15 70 90 40 00 89 85 98 fd ff ff 83 bd 98 fd ff ff ff 0f 84 2e 03 00 00 6a 00 8d 85 ec fd ff ff 50 68 90 00 00 00 68 78 82 40 00 8b 8d 98 fd ff ff 51 ff 15 90 90 } // "push 0x40000000" (GENERIC_WRITE) followed by a call and a compare against -1 (INVALID_HANDLE_VALUE) fits a CreateFile-for-write pattern — TODO confirm
16 | $s1 = "\\ecdh_pub_k.bin" fullword wide // file name suggests the ECDH public key dropped to disk (name-based inference)
17 | $s2 = "ntuser.dat.log" fullword wide
18 | $s3 = "cmd.exe" fullword ascii
19 | $s4 = "/c vssadmin.exe delete shadows /all /quiet" fullword wide // shadow-copy deletion — standard pre-encryption step; also a high-value detection on its own (process command line)
20 | $s5 = { 5c 00 5c 00 3f 00 5c 00 00 00 00 00 3a 00 00 00 98 2f } // UTF-16LE "\\?\" extended-path prefix, then ":" — TODO confirm the trailing 98 2f bytes are stable across builds
21 | condition:
22 | uint16(0) == 0x5a4d and filesize > 15KB and 2 of ($seq*) and 3 of ($s*) // MZ header, > 15 KB, 2 of 3 code sequences and 3 of 5 strings
23 | }
24 |
--------------------------------------------------------------------------------
/2021-01-14/Turla/APT_Turla_IronPython_Jan_2021_1.yar:
--------------------------------------------------------------------------------
1 | rule APT_Turla_IronPython_Jan_2021_1 { // IronPython loader script attributed to Turla: a text file, so no MZ check; keys on an XOR-decode lambda, .NET interop imports and an escaped-byte shellcode literal
2 | meta:
3 | description = "Detect IronPython loader used by Turla Group"
4 | author = "Arkbird_SOLG"
5 | reference = "https://twitter.com/DrunkBinary/status/1349759986595995653"
6 | date = "2021-01-14"
7 | hash1 = "3aa37559ef282ee3ee67c4a61ce4786e38d5bbe19bdcbeae0ef504d79be752b6"
8 | hash2 = "8df0c705da0eab20ba977b608f5a19536e53e89b14e4a7863b7fd534bd75fd72"
9 | hash3 = "b5b4d06e1668d11114b99dbd267cde784d33a3f546993d09ede8b9394d90ebb3"
10 | hash4 = "b095fd3bd3ed8be178dafe47fc00c5821ea31d3f67d658910610a06a1252f47d"
11 | strings:
12 | $lambda = { 3d 6c 61 6d 62 64 61 20 [1-6] 2c [1-6] 3a 27 27 2e 6a 6f 69 6e 28 5b 63 68 72 28 28 6f 72 64 28 [1-6] 29 5e [1-6] 29 25 30 78 [1-4] 29 20 66 6f 72 20 [1-6] 20 69 6e 20 [1-6] 5d 29 0a} // -> =lambda .,.:''.join([chr((ord(.)^.)%0x.) for . in .]) — single-byte XOR decoder with a modulo; the [1-6] jumps are short identifier names
13 | $lib1 = { 69 6d 70 6f 72 74 20 62 61 73 65 36 34 } // import base64
14 | $lib2 = { 66 72 6f 6d 20 53 79 73 74 65 6d 2e 53 65 63 75 72 69 74 79 2e 43 72 79 70 74 6f 67 72 61 70 68 79 } // from System.Security.Cryptography — the bytes stop at the namespace; the import clause that follows is not part of the pattern
15 | $lib3 = { 66 72 6f 6d 20 53 79 73 74 65 6d 2e 52 65 66 6c 65 63 74 69 6f 6e } // from System.Reflection — likewise ends at the namespace
16 | $shcode = /(\w.){6}.(', \d{1,3}\)){1}/ nocase // \x??\x??\x??', ???) — six word-char/any-char pairs followed by "', <1-3 digits>)"; the "." wildcards make this broad, which is why the condition also demands every $lib and $cmd string
17 | $cmd1 = "os.getenv" fullword ascii
18 | $cmd2 = "except System.SystemException as ex:" fullword ascii
19 | $cmd3 = ".format(ex.Message,ex.StackTrace))" fullword ascii
20 | $cmd4 = "return System.Array[System.Byte]([ord(" fullword ascii // builds a .NET byte array from Python chars — the hand-off from the decoded string to managed code
21 | condition:
22 | filesize > 120KB and $lambda and $shcode and all of ($lib*) and all of ($cmd*) // > 120 KB (the embedded payload inflates the script), and every string group must match
23 | }
24 |
--------------------------------------------------------------------------------
/2021-01-23/Turla/APT_Turla_ComRAT_Chinch_V4_Jan_2021_1.yar:
--------------------------------------------------------------------------------
1 | rule APT_Turla_ComRAT_Chinch_V4_Jan_2021_1 { // ComRAT v4 ("Chinch"): 64-bit DLL; keys on an embedded HTML parser, browser-path logging strings and export-jump stubs
2 | meta:
3 | description = "Detect ComRAT V4 (Chinch) used by APT Turla group"
4 | author = "Arkbird_SOLG"
5 | reference = "Internal Research"
6 | date = "2021-01-23"
7 | hash1 = "a62e1a866bc248398b6abe48fdb44f482f91d19ccd52d9447cda9bc074617d56"
8 | strings:
9 | $com1 = "state->_reprocess_current_token || token.type != GUMBO_TOKEN_START_TAG || token.v.start_tag.attributes.data == NULL" fullword wide // $com1-$com3 look like assertion strings from the Gumbo HTML5 parser library (GUMBO_* identifiers) compiled in as wide strings — TODO confirm
10 | $com2 = "fragment_ctx != GUMBO_TAG_LAST" fullword wide
11 | $com3 = "has_matching_a == 1" fullword wide
12 | $com4 = "ODFA: %u %d %u" fullword ascii
13 | $com5 = "Custom browser path is empty." fullword ascii // $com5-$com9: browser-path discovery log messages, the most sample-specific text in the rule
14 | $com6 = "Default browser path is:" fullword ascii
15 | $com7 = "Search for browser path." fullword ascii
16 | $com8 = "Cant retrieve any path." fullword ascii
17 | $com9 = "Custom browser path is:" fullword ascii
18 | // ref to export jump
19 | $jmp1 = { 2e 64 6c 6c 00 55 4d 45 50 00 56 46 45 50 } // ".dll", NUL, "UMEP", NUL, "VFEP" — adjacent export-name strings
20 | $jmp2 = { 33 c9 e9 ?? ?? ff ff cc cc cc cc cc cc cc cc cc } // xor ecx,ecx; jmp rel32 (backward); then int3 padding — a thin export stub jumping into the real body
21 | $seq1 = { 40 55 48 8d ac 24 00 fd ff ff 48 81 ec 00 04 00 00 48 8b 05 80 46 1b 00 48 33 c4 48 89 85 d0 02 00 00 b9 d8 02 00 00 e8 f4 8b 07 00 4c 8b 0d c5 a5 1c 00 48 8d 95 00 01 00 00 4c 8b 05 af a5 1c 00 48 8d 0d c8 9d 1c 00 4d 2b c8 48 89 05 ae 8a 1d 00 e8 a9 7e fc ff 48 83 bd 18 01 00 00 10 48 8d 8d 00 01 00 00 48 0f 43 8d 00 01 00 00 ff 15 24 f3 0c 00 48 8b 15 25 f3 0c 00 48 8b c8 e8 6d 59 fb ff 48 8b 95 18 01 00 00 48 83 fa 10 } // x64 prologue with a 0x400-byte frame and security-cookie xor (48 8b 05 .. 48 33 c4); fixed RIP-relative displacements tie it to this build
22 | // flush variant
23 | $seq2 = { 41 8b 41 08 83 e8 09 83 f8 08 } // only 10 bytes — generic; relies on the "3 of ($seq*)" threshold
24 | $seq3 = { 48 8b 03 48 8b cb ff 50 08 48 8b 95 f8 01 00 00 48 83 fa 08 72 39 48 8b 8d e0 } // "cmp rdx,0x10 / cmp rdx,8 ; jb" after loading a length field: consistent with MSVC std::string SSO-capacity checks — TODO confirm
24 | $seq4 = { b8 09 00 00 00 44 88 a5 60 01 00 00 48 8d 8d 60 01 00 00 f3 0f 7f 85 70 01 00 00 e8 c1 19 fc ff ba df 5e ca 76 48 8d 4d 50 e8 63 ea fc ff 48 8b c8 48 8d 95 60 01 00 00 e8 c4 cb ff ff 0f b6 15 dd 8b 1c 00 48 8b c8 e8 35 cd ff ff 48 8b 95 78 01 00 00 48 83 fa 10 72 34 }
26 | condition:
27 | uint16(0) == 0x5a4d and filesize > 1000KB and 6 of ($com*) and all of ($jmp*) and 3 of ($seq*) // MZ header, > 1000 KB, 6 of 9 text strings, both export stubs and 3 of 4 code sequences
28 | }
29 |
--------------------------------------------------------------------------------
/2021-01-26/Lazarus/PT_Lazarus_Loader_Dec_2020_1.yar:
--------------------------------------------------------------------------------
1 | rule APT_Lazarus_Loader_Dec_2020_1 { // NOTE(review): the listing names this file PT_Lazarus_Loader_Dec_2020_1.yar while the rule is APT_Lazarus_Loader_Dec_2020_1
2 | meta:
3 | description = " Detect loader used by Lazarus group in december 2020" // NOTE(review): stray leading space in the description value
4 | author = "Arkbird_SOLG"
5 | reference = "Internal Research"
6 | date = "2021-01-26"
7 | level = "Experimental"
8 | hash1 = "284df008aa2459fd1e69b1b1c54fb64c534fce86d2704c4d4cc95d72e8c11d6f" // -> Dec 2020
9 | hash2 = "4c3499f3cc4a4fdc7e67417e055891c78540282dccc57e37a01167dfe351b244" // -> Jan 2021
10 | // ref dif code -> hash3 = "a4fb20b15efd72f983f0fb3325c0352d8a266a69bb5f6ca2eba0556c3e00bd15" -> Sept 2020
11 | strings:
12 | // Entrypoint code template
13 | $s1 = { 48 89 5c 24 08 48 89 74 24 10 57 48 83 ec 20 49 8b f8 8b da 48 8b f1 83 fa 01 75 05 e8 ?? ?? 00 00 4c 8b c7 8b d3 48 8b ce 48 8b 5c 24 30 48 8b 74 24 38 48 83 c4 20 5f e9 [4] cc cc cc 48 } // x64: saves rbx/rsi, sub rsp,20h, then mov rdi,r8 / mov ebx,edx / mov rsi,rcx and cmp edx,1 — consistent with a DllMain testing its fdwReason (DLL_PROCESS_ATTACH = 1); confirm against the sample
14 | $s2 = { 39 [4] 00 75 07 33 c0 e9 ?? 00 00 00 [8-11] 4? 8b [3] 00 00 ?? 85 c0 74 [4-7] 89 44 24 20 85 ?? 74 17 4c 8b c6 8b d3 49 8b ce e8 ?? ?? ff [1-3] 89 44 24 20 85 c0 75 07 33 c0 e9 ?? 00 00 00 4c 8b c6 8b d3 49 8b ?? e8 [4] 8b f8 89 44 24 20 83 fb 01 75 ?? 85 c0 75 ?? 4c 8b c6 33 d2 49 8b ?? e8 [4] 4c 8b c6 33 d2 49 8b ?? e8 ?? ?? ff ff ?? 8b [6] 85 ?? 74 ?? 4c 8b c6 33 d2 49 8b ?? ff ?? 85 db 74 05 83 fb 03 75 37 4c 8b c6 8b d3 49 8b ?? e8 ?? fd ff ff f7 d8 1b c9 23 cf 8b f9 89 4c 24 20 74 1c 48 8b 05 [2] 00 00 48 85 c0 74 10 4c 8b c6 8b d3 49 8b ?? ff d0 8b f8 89 44 24 20 8b c7 eb } // call / test eax,eax / branch skeleton with wildcarded (?? and [n]) call targets and jump distances so it survives relinking; cmp ebx,1 and cmp ebx,3 test the value saved from edx in $s1
15 | $s3 = "ENGINE_get_RANDW" fullword ascii // NOTE(review): resembles the OpenSSL export ENGINE_get_RAND with a trailing 'W' — confirm this is the sample's exact export name
16 | // Jmp export
17 | $s4 = { b8 01 00 00 00 c3 cc cc } // mov eax,1 ; ret ; int3 padding — an export stub that only returns 1
18 | // Parsing arguments (commandline)
19 | $s5 = { 33 ?? 48 8d 8c 24 72 02 00 00 33 d2 41 b8 06 02 00 00 89 ?? 24 40 66 89 ?? 24 70 02 00 00 e8 ?? 1b 00 00 48 8d 8c 24 82 04 00 00 33 d2 41 b8 06 02 00 00 66 89 ?? 24 80 04 00 00 e8 ?? 1b 00 00 48 8d 4c 24 51 33 d2 41 b8 03 01 00 00 [2-3] 24 50 e8 ?? 1b 00 00 48 8d 8c 24 61 01 00 00 33 d2 41 b8 03 01 00 00 } // lea rcx,[rsp+…] ; xor edx,edx ; mov r8d,0x206 ; call — repeated with sizes 0x206 (518) and 0x103 (259): consistent with memset(buf, 0, size) over stack buffers; confirm
20 | condition:
21 | uint16(0) == 0x5a4d and filesize > 50KB and 3 of them // "MZ" header plus any 3 of the 5 strings; $s4 is a tiny stub, so it never fires on its own
22 | }
23 |
--------------------------------------------------------------------------------
/2021-02-18/APT28/APT_APT28_Downdelph_Feb_2021_1.yar:
--------------------------------------------------------------------------------
1 | rule APT_APT28_Downdelph_Feb_2021_1 { // PE rule mixing one code sequence, two generic text strings and three decoded wide strings; 5 of 6 required
2 | meta:
3 | description = "Detect Downdelph used by APT28 group"
4 | author = "Arkbird_SOLG"
5 | reference = "https://twitter.com/RedDrip7/status/1362343352759250946"
6 | date = "2021-02-18"
7 | hash1 = "ee7cfc55a49b2e9825a393a94b0baad18ef5bfced67531382e572ef8a9ecda4b"
8 | strings:
9 | // seq parse disks + getpath
10 | $s1 = { 53 [1-3] 81 c4 [2] ff ff 8b f2 8b ?? 54 8d 44 24 08 50 68 04 01 00 00 8b ?? e8 [12-22] 8d 54 24 04 8b c6 [73-133] 33 d2 52 50 8b 45 e8 8b 55 ec e8 [3] ff 8b 4d 0c 89 01 89 51 04 8b 45 f0 33 d2 52 50 8b 45 e8 8b 55 ec e8 [3] ff 8b 4d 10 89 01 89 51 04 8b c3 5b 8b e5 5d } // x86: push 0x104 (260 = MAX_PATH) ahead of a call — a path-buffer size, matching the author's getpath label; the wide [n-m] jumps absorb build differences; ends with a mov eax,ebx / pop ebx / mov esp,ebp / pop ebp epilogue
11 | $s2 = "cmd.exe /c " fullword ascii // generic on its own; only counts toward the 5-of-6 threshold
12 | $s3 = "Failed to Save Stream %s is already associated with %s=This control requires version 4.70 or greater of COMCTL32.DLL" fullword wide // looks like Delphi VCL runtime resource text (COMCTL32 version message) — characterises the compiler family rather than the malware; confirm
13 | $s4 = { 53 00 79 00 73 00 74 00 65 00 6d 00 5c 00 43 00 75 00 72 00 72 00 65 00 6e 00 74 00 43 00 6f 00 6e 00 74 00 72 00 6f 00 6c 00 53 00 65 00 74 00 5c 00 43 00 6f 00 6e 00 74 00 72 00 6f 00 6c 00 5c 00 4b 00 65 00 79 00 62 00 6f 00 61 00 72 00 64 00 20 00 4c 00 61 00 79 00 6f 00 75 00 74 00 73 00 5c 00 25 00 2e 00 38 00 78 } // System\\CurrentControlSet\\Control\\Keyboard Layouts\\%.8x (UTF-16LE; %.8x is a keyboard-layout id)
14 | $s5 = { 4a 00 50 00 45 00 47 00 20 00 65 00 72 00 72 00 6f 00 72 00 20 00 23 00 25 00 64 } // JPEG error #%d
15 | $s6 = { 45 00 72 00 72 00 6f 00 72 00 20 00 63 00 6f 00 6e 00 6e 00 65 00 63 00 74 00 69 00 6e 00 67 00 20 00 74 00 6f 00 20 00 73 00 65 00 72 00 76 00 65 00 72 00 3a 00 20 00 25 00 73 } // Error connecting to server: %s
16 | condition:
17 | uint16(0) == 0x5a4d and filesize > 100KB and 5 of them // "MZ" header, 100KB floor, 5 of the 6 strings
18 | }
19 |
--------------------------------------------------------------------------------
/2021-02-23/BabyElephant/APT_BabyElephant_Installer_Feb_2021_1.yar:
--------------------------------------------------------------------------------
1 | rule APT_BabyElephant_Installer_Feb_2021_1 { // PE rule; every string is mandatory (all of them), so one changed string in a new build breaks the match
2 | meta:
3 | description = "Detect Installer from BabyElephant APT"
4 | author = "Arkbird_SOLG"
5 | reference = "https://twitter.com/h2jazi/status/1363683531067715584"
6 | date = "2021-02-23"
7 | level = "experimental"
8 | hash1 = "d55ff954abb04ec29745f7d80ea7457a862c8025a21e889f1ba44c32ba486a7e"
9 | strings:
10 | $s1 = { 65 63 68 6f 20 25 64 20 3e 20 63 3a 5c 77 69 6e 64 6f 77 73 5c 74 65 6d 70 5c } // echo %d > c:\windows\temp\
11 | $s2 = "COMSPEC" fullword ascii // environment variable naming the command interpreter
12 | $s3 = { 53 43 48 54 41 53 4b 53 20 2f 43 52 45 41 54 45 20 2f 53 43 20 4d 49 4e 55 54 45 20 2f 4d 4f 20 [1-3] 20 2f 54 4e 20 22 [1-12] 22 20 2f 54 52 20 22 [4-24] 22 20 2f 66 } // SCHTASKS /CREATE /SC MINUTE /MO # /TN "#" /TR "#" /f — scheduled-task creation template (persistence); the jumps cover the interval, task name and target
13 | $s4 = "%s//%s" fullword ascii
14 | $s5 = { 53 63 68 74 61 73 6b 73 20 2f 64 65 6c 65 74 65 20 2f 54 4e 20 22 [1-12] 22 20 2f 66 } // Schtasks /delete /TN "#" /f — removal of the same task
15 | // seq CMD call
16 | $s6 = { 83 c4 10 8b d8 e8 13 02 00 00 83 fb ff 74 06 89 38 8b f3 eb 34 83 38 02 74 0f e8 fe 01 00 00 83 38 0d 74 05 83 ce ff eb 20 e8 ef 01 00 00 89 38 56 8d 45 ec b9 c4 3e 42 00 50 51 56 89 4d ec } // x86: add esp,10h ; mov ebx,eax ; call … ; cmp ebx,-1 — return-value check right after the call; fixed rel32 targets and the absolute 0x423ec4 pin it to this build
17 | // seq shell -> c2hlbGw= (base64)
18 | $s7 = { 68 00 08 00 00 8d 85 48 f6 ff ff 6a 00 50 e8 00 33 00 00 83 c4 0c 8d 85 48 f6 ff ff 6a 00 68 00 08 00 00 50 53 ff d6 85 c0 0f 8e 1f 03 00 00 0f 1f 40 00 6a 08 68 e0 b3 42 00 8d 8d 28 ec ff ff c7 85 38 ec ff ff 00 00 00 00 c7 85 3c ec ff ff 0f 00 00 00 c6 85 28 ec ff ff 00 e8 a3 09 00 00 8d 95 28 ec ff ff c7 45 fc 00 00 00 00 8d 8d 10 ec ff ff e8 2b 05 00 00 83 } // x86: push 0x800 ; lea eax,[ebp-0x9b8] ; push 0 ; push eax ; call — consistent with zeroing a 2 KB stack buffer, then a read into it via call esi and a sign test; absolute 0x42b3e0 is build-specific
19 | condition:
20 | uint16(0) == 0x5a4d and filesize > 80KB and all of them // "MZ" header, 80KB floor, all 7 strings
21 | }
22 |
--------------------------------------------------------------------------------
/2021-03-06/UNC2452/APT_UNC2452_sunshuttle_Mar_2021_1.yar:
--------------------------------------------------------------------------------
1 | rule APT_UNC2452_Sunshuttle_Mar_2021_1 { // PE rule for a Go binary: build IDs, main.* symbol names and a few environment checks; 12 of 14 required
2 | meta:
3 | description = "Detect Sunshuttle implant used by UNC2452 group"
4 | author = "Arkbird_SOLG"
5 | reference = "https://twitter.com/Arkbird_SOLG/status/1367570764468224010"
6 | date = "2021-03-06"
7 | hash1 = "611458206837560511cb007ab5eeb57047025c2edc0643184561a6bf451e8c2c"
8 | hash2 = "b9a2c986b6ad1eb4cfb0303baede906936fe96396f3cf490b0984a4798d741d8"
9 | hash3 = "bbd16685917b9b35c7480d5711193c1cd0e4e7ccb0f2bf1fd584c0aebca5ae4c"
10 | strings:
11 | // check template builder
12 | $s1 = { 47 6f 20 62 75 69 6c 64 20 49 44 3a 20 22 39 59 72 42 6a 6b 6b 58 46 79 6b 62 47 51 72 6d 56 32 4b 49 2f 41 48 44 69 7a 57 51 61 4d 38 47 38 4a 37 6b 56 4b 32 56 65 2f 46 55 74 5f 6b 6b 53 56 6c 78 32 36 49 6e 46 56 61 79 70 77 2f 6c 75 5a 41 54 35 55 6e 55 69 34 64 4a 65 6b 6e 73 6b 55 6e 22 } // Go build ID: "9YrBjkkXFykbGQrmV2KI/AHDizWQaM8G8J7kVK2Ve/FUt_kkSVlx26InFVaypw/luZAT5UnUi4dJeknskUn" — build IDs pin specific builds; a recompiled sample misses $s1/$s2, which the 12-of-14 threshold tolerates
13 | $s2 = { 47 6f 20 62 75 69 6c 64 20 49 44 3a 20 22 71 6f 66 49 6b 76 62 6c 73 31 69 72 4f 36 78 68 6a 41 63 5a 2f 6a 49 69 71 41 70 70 31 56 6f 39 72 4f 53 2d 44 6a 65 4e 75 2f 62 50 75 6e 33 4e 35 74 49 42 58 4b 50 74 4e 79 73 48 4f 51 2f 41 52 53 72 63 65 6b 35 68 51 47 38 59 49 56 6e 4d 75 37 54 22 } // Go build ID: "qofIkvbls1irO6xhjAcZ/jIiqApp1Vo9rOS-DjeNu/bPun3N5tIBXKPtNysHOQ/ARSrcek5hQG8YIVnMu7T"
14 | // check OS commands + functions
15 | $s3 = { 6f 73 2f 65 78 65 63 2e 28 2a 43 6d 64 29 2e 52 75 6e } // os/exec.(*Cmd).Run — Go symbol present in any Go binary that runs external commands, so weak alone
16 | $s4 = "main.request_session_key" fullword ascii // $s4-$s11: main.* function names from the Go symbol table — the most specific part of the rule
17 | $s5 = "main.wget_file" fullword ascii
18 | $s6 = "main.GetMD5Hash" fullword ascii
19 | $s7 = "main.beaconing" fullword ascii
20 | $s8 = "main.resolve_command" fullword ascii
21 | $s9 = "main.send_file_part" fullword ascii
22 | $s10 = "main.retrieve_session_key" fullword ascii
23 | $s11 = "main.send_command_result" fullword ascii
24 | // Check Hyper-V MAC Address (anti-sandbox)
25 | $s12 = { 63 38 3a 32 37 3a 63 63 3a 63 32 3a 33 37 3a 35 61 } // c8:27:cc:c2:37:5a
26 | // check if public key is present
27 | $s13 = { 2d 2d 2d 2d 2d 42 45 47 49 4e } // -----BEGIN ($s13/$s14 are generic PEM armor markers, present in many binaries that embed keys or certificates)
28 | $s14 = { 2d 2d 2d 2d 2d 45 4e 44 } // -----END
29 | condition:
30 | uint16(0) == 0x5a4d and filesize > 800KB and 12 of them // "MZ" header; 800KB floor; 12 of 14 so up to two strings (e.g. both build IDs) may be absent
31 | }
32 |
--------------------------------------------------------------------------------
/2021-03-07/UNC2452/APT_UNC2452_Webshell_Chopper_Mar_2021_1.yar:
--------------------------------------------------------------------------------
1 | rule APT_UNC2452_Webshell_Chopper_Mar_2021_1 { // NOTE(review): no hash1 in meta, unlike the sibling rules; the match targets an Exchange/IIS configuration file in which the listener text is planted, not the webshell file itself (see $c*)
2 | meta:
3 | description = "Detect exploit listener in the exchange configuration for Webshell Chopper used by UNC2452 group"
4 | author = "Arkbird_SOLG"
5 | reference = "Internal Research"
6 | date = "2021-03-07"
7 | strings:
8 | // check exploit listeners (C# and JS)
9 |
10 | // C# listener version
11 | $l1 = { 20 68 74 74 70 3a 2f 2f ?? 2f 3c 73 63 72 69 70 74 20 4c 61 6e 67 75 61 67 65 3d 22 63 23 22 20 72 75 6e 61 74 3d 22 73 65 72 76 65 72 22 3e 76 6f 69 64 20 50 61 67 65 5f 4c 6f 61 64 28 6f 62 6a 65 63 74 20 73 65 6e 64 65 72 2c 20 45 76 65 6e 74 41 72 67 73 20 65 29 7b 69 66 20 28 52 65 71 75 65 73 74 2e 46 69 6c 65 73 2e 43 6f 75 6e 74 21 3d 30 29 20 7b 20 52 65 71 75 65 73 74 2e 46 69 6c 65 73 5b 30 5d 2e 53 61 76 65 41 73 28 53 65 72 76 65 72 2e 4d 61 70 50 61 74 68 28 22 [5-14] 22 29 29 3b 7d 7d 3c 2f 73 63 72 69 70 74 3e } // starts with a space; the ?? after "http://" wildcards one byte of host, [5-14] the saved file name
12 | // http://#/<script Language="c#" runat="server">void Page_Load(object sender, EventArgs e){if (Request.Files.Count!=0) { Request.Files[0].SaveAs(Server.MapPath("#"));}}</script> — an upload handler: any POSTed file is written under the web root
13 |
14 | // JS listener version
15 | $l2 = { 68 74 74 70 3a 2f 2f ?? 2f 73 63 72 69 70 74 20 6c 61 6e 67 75 61 67 65 3d 22 4a 53 63 72 69 70 74 22 20 72 75 6e 61 74 3d 22 73 65 72 76 65 72 22 3e 66 75 6e 63 74 69 6f 6e 20 50 61 67 65 5f 4c 6f 61 64 28 29 7b 65 76 61 6c 28 [-] 2c 22 75 6e 73 61 66 65 22 29 3b 7d 3c 2f 73 63 72 69 70 74 3e } // [-] is an unbounded jump: any content may sit between eval( and ,"unsafe")
16 | // http://#/script language="JScript" runat="server">function Page_Load(){eval(#,"unsafe");}
17 |
18 | // Check if this in the configuration file (avoid false positive)
19 | $c1 = { 5c 4f 41 42 20 28 44 65 66 61 75 6c 74 20 57 65 62 20 53 69 74 65 29 } // \OAB (Default Web Site)
20 | $c2 = "ExternalUrl" fullword ascii // RemoteURL for the listener — presumably the attribute whose value carries the $l* text; confirm
21 | $c3 = { 49 49 53 3a 2f 2f [10-30] 2f 57 33 53 56 43 2f [1-3] 2f 52 4f 4f 54 2f 4f 41 42 } // IIS://#/W3SVC/#/ROOT/OAB
22 | $c4 = "FrontEnd\\HttpProxy\\OAB" fullword ascii
23 | $c5 = "/Configuration/Schema/ms-Exch-OAB-Virtual-Directory" fullword ascii // $c1-$c5: Exchange OAB virtual-directory configuration paths that anchor the match to the right file
24 | condition:
25 | filesize > 1KB and 1 of ($l*) and 3 of ($c*) // no file-type magic — the target is a configuration text file; one listener variant plus three OAB configuration anchors
26 | }
27 |
--------------------------------------------------------------------------------
/2021-03-09/APT29/APT_APT29_MiniDuke_Mar_2021_1.yar:
--------------------------------------------------------------------------------
1 | rule APT_APT29_MiniDuke_Mar_2021_1 { // PE rule: three format-string blobs plus two GCC-style x86 code sequences; 3 of 5 required
2 | meta:
3 | description = "Detect MiniDuke implant used by APT29 group"
4 | author = "Arkbird_SOLG"
5 | reference = "Internal Research"
6 | date = "2021-03-08"
7 | hash1 = "6057b19975818ff4487ee62d5341834c53ab80a507949a52422ab37c7c46b7a1"
8 | level = "Experimental"
9 | strings:
10 | // ref strings
11 | $s1 = { 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 6d 75 6c 74 69 70 61 72 74 2f 66 6f 72 6d 2d 64 61 74 61 3b 20 62 6f 75 6e 64 61 72 79 3d 00 00 00 00 2d 2d 25 73 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 25 73 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 25 73 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 25 73 0d 0a 43 6f 6e 74 65 6e 74 2d 54 72 61 6e 73 66 65 72 2d 45 6e 63 6f 64 69 6e 67 3a 20 25 73 } // "Content-Type: multipart/form-data; boundary=" NUL*4 "--%s\r\nContent-Disposition: form-data; name=\"%s\"; filename=\"%s\"\r\nContent-Type: %s\r\nContent-Transfer-Encoding: %s" — HTTP multipart upload templates
12 | $s2 = { 70 72 6f 63 3a 20 20 25 64 20 25 73 0a 6c 6f 67 69 6e 3a 20 25 73 5c 25 73 0a 49 44 3a 20 20 20 20 30 78 25 30 38 58 0a 68 6f 73 74 3a 20 20 25 73 3a 25 64 0a 6d 65 74 68 3a 20 20 25 73 20 25 64 0a 70 69 70 65 3a 20 5c 5c 25 73 5c 70 69 70 65 5c 25 73 0a 6c 61 6e 67 3a 20 20 25 73 0a 64 65 6c 61 79 3a 20 25 64 } // "proc:  %d %s\nlogin: %s\%s\nID:    0x%08X\nhost:  %s:%d\nmeth:  %s %d\npipe: \\%s\pipe\%s\nlang:  %s\ndelay: %d" — host-info report template
13 | $s3 = { 75 70 74 69 6d 65 20 25 35 64 2e 25 30 32 64 68 0a 00 25 73 3a 25 64 00 25 73 5c 25 73 00 3f 00 25 64 20 25 73 0a 25 73 20 25 73 20 25 73 } // NUL-separated: "uptime %5d.%02dh\n", "%s:%d", "%s\%s", "?", "%d %s\n%s %s %s"
14 | // seq set_app_type
15 | $s4 = { 55 89 e5 83 ec 14 6a 02 ff 15 b8 53 44 00 e8 fd fe ff ff 8d b6 00 00 00 00 8d bc 27 00 00 00 00 55 89 e5 83 ec 14 6a 01 ff 15 } // GCC/MinGW-style x86 prologue (push ebp ; mov ebp,esp encoded 89 e5) and lea-nop padding; pushes 2, then 1, before calls through the import table at 0x4453b8 — consistent with the author's __set_app_type label; the absolute address is build-specific
16 | // seq create the pipes
17 | $s5 = { 8b 85 54 64 ff ff 8b 95 44 64 ff ff 83 c2 44 89 44 24 04 89 14 24 e8 a4 e5 fc ff 83 ec 08 8b 85 44 64 ff ff 83 c0 38 c7 44 24 08 0c 00 00 00 c7 44 24 04 00 00 00 00 89 04 24 e8 8c e8 fd ff 8b 85 44 64 ff ff c7 40 38 0c 00 00 00 8b 85 44 64 ff ff c7 40 40 01 00 00 00 8b 85 44 64 ff ff c7 40 3c 00 00 00 00 8b 85 44 64 ff ff 8d 58 38 8b 85 44 64 ff ff 8d 50 1c 8b 85 44 64 ff ff 83 c0 18 c7 44 24 0c 00 40 00 00 89 5c 24 08 89 54 24 04 89 04 24 e8 2e e5 fc ff 83 ec 10 85 c0 0f 95 c0 84 c0 0f 84 09 05 00 00 8b 85 44 64 ff ff 8d 58 38 8b 85 44 64 ff ff 8d 50 24 8b 85 44 64 ff ff 83 c0 20 c7 44 24 0c 00 40 00 00 89 5c 24 08 89 54 24 04 89 04 24 e8 eb e4 fc ff 83 ec 10 85 c0 0f 95 c0 84 c0 } // GCC-style calls (arguments stored with mov [esp+N] rather than push); a 12-byte struct is zeroed with field 0x0c/1/0, then two calls take three pointers plus 0x4000 (16384) as 4th argument and test the result — consistent with the author's "create the pipes" label (CreatePipe's nSize); confirm
18 | condition:
19 | uint16(0) == 0x5a4d and filesize > 150KB and 3 of them // "MZ" header, 150KB floor, any 3 of the 5 strings
20 | }
21 |
--------------------------------------------------------------------------------
/2021-03-09/APT29/APT_APT29_PolyglotDuke_Mar_2021_1.yar:
--------------------------------------------------------------------------------
1 | rule APT_APT29_PolyglotDuke_Mar_2021_1 { // PE rule built on x64 code sequences; 3 of 4 required
2 | meta:
3 | description = "Detect PolyglotDuke implant used by APT29 group"
4 | author = "Arkbird_SOLG"
5 | reference = "Internal Research"
6 | date = "2021-03-08"
7 | hash1 = "9b33ec7f5e615a6556f147b611425d3ca4a8879ce746d4a8cb62adf4c7f76029"
8 | hash2 = "0c39fce5bd32b4f91a1df4f6321c2f01c017195659c7e95a235ef71ca2865aa9"
9 | strings:
10 | // seq Mutex
11 | $seq1 = { 48 83 ec 28 48 8b 05 [2] 02 00 48 33 05 [2] 02 00 74 02 ff d0 48 83 c4 28 c3 cc 48 83 ec 28 48 8b 05 [2] 02 00 48 33 05 [2] 02 00 74 02 ff d0 48 83 c4 28 c3 cc 4c 8b 15 [2] 02 00 41 8b c0 4c 33 15 [2] 02 00 74 03 49 ff e2 83 e0 01 4c 8b ca 41 83 e0 02 8b d0 48 ff 25 [2] 01 00 cc cc cc 4c 8b 15 [2] 02 00 4c 33 15 [2] 02 00 74 03 49 ff e2 48 ff 25 [2] 01 00 cc cc 48 83 ec 28 48 8b 05 [2] 02 00 48 33 05 [2] 02 00 74 07 48 83 c4 28 48 ff e0 b9 78 00 00 00 ff 15 [2] 01 00 32 c0 48 83 c4 28 c3 cc cc cc 48 8b 05 [2] 02 00 48 33 05 [2] 02 00 74 03 48 ff e0 33 c0 c3 cc cc 48 8b 05 [2] 02 00 48 33 05 [2] 02 00 74 03 48 ff e0 } // repeated x64 thunks: mov rax,[rip+…] ; xor rax,[rip+…] ; je ; call/jmp rax — XOR-encoded function-pointer guards; NOTE(review): this shape is also emitted by MSVC's CRT, so confirm it is not pure library code before relying on it alone
12 | // seq OEM code page
13 | $seq2 = { 48 8b c4 48 89 58 08 48 89 68 10 48 89 70 18 48 89 78 20 41 57 48 83 ec 30 33 ff 48 8b da 48 8b f1 48 85 c9 75 18 e8 69 0c 00 00 bb 16 00 00 00 89 18 e8 b1 38 00 00 8b c3 e9 a7 00 00 00 48 85 d2 74 e3 e8 a8 3f 00 00 41 bf 01 00 00 00 85 c0 75 0c ff 15 [2] 01 00 85 c0 41 0f 44 ff 83 64 24 28 00 48 83 23 00 48 83 64 24 20 00 41 83 c9 ff 4c 8b c6 33 d2 8b cf ff 15 [2] 01 00 48 63 e8 85 c0 75 11 ff 15 [2] 01 00 8b c8 e8 b2 0b 00 00 33 c0 eb 4f 48 8b cd 48 03 c9 e8 e3 07 00 00 48 89 03 48 85 c0 74 e9 41 83 c9 ff 4c 8b c6 33 d2 8b cf 89 6c 24 28 48 89 44 24 20 ff 15 [2] 01 00 85 c0 75 1b ff 15 [2] 01 00 8b c8 e8 70 0b 00 00 48 8b 0b e8 ?? f3 ff ff 48 83 23 00 eb b0 41 8b c7 48 8b 5c 24 40 48 8b 6c 24 48 48 8b 74 24 50 48 8b 7c 24 58 48 83 c4 30 41 5f c3 48 8b c4 48 89 58 08 48 89 68 10 48 89 70 18 48 89 78 20 41 57 48 83 ec 40 33 ff 48 8b da 48 8b f1 } // x64 prologue (mov rax,rsp ; home rbx/rbp/rsi/rdi) then, on a null rcx, mov ebx,0x16 (22) stored through a call result — looks like CRT errno = EINVAL handling, i.e. runtime library code rather than implant logic; the import-call displacements are wildcarded; confirm
14 | // seq jump dll
15 | $seq3 = { ff 25 00 00 00 00 00 00 00 00 00 00 00 00 cc } // jmp [rip+0] (x64) / jmp [0] (x86) thunk followed by zero bytes and int3 — a generic stub shape, so it only adds weight toward 3-of-4
16 | $seq4 = "InitSvc" fullword ascii // short export/service-style name
17 | condition:
18 | uint16(0) == 0x5a4d and filesize > 100KB and 3 of them // "MZ" header, 100KB floor, any 3 of the 4 strings
19 | }
20 |
--------------------------------------------------------------------------------
/2021-03-23/APT38/APT_APT38_VSingle_Mar_2021_1.yar:
--------------------------------------------------------------------------------
1 | rule APT_APT38_VSingle_Mar_2021_1 { // PE rule: debug/format strings (6 of 8) plus two mandatory x86 code sequences
2 | meta:
3 | description = "Detect VSingle used in attacks against Japanese organisations by APT38"
4 | author = "Arkbird_SOLG"
5 | reference = "Internal Research"
6 | date = "2021-03-23"
7 | hash1 = "487c1bdb65634a794fa5e359c383c94945ce9f0806fcad46440e919ba0e6166e"
8 | level = "experimental"
9 | strings:
10 | // debug outputs
11 | $dbg1 = { 68 74 74 70 [0-1] 3a 2f 2f 25 73 25 73 } // ref load URL — "http" + optional single byte (covers "https") + "://%s%s"
12 | $dbg2 = { 43 72 65 61 74 65 4e 61 6d 65 64 50 69 70 65 41 20 66 69 6e 69 73 68 65 64 20 77 69 74 68 20 45 72 72 6f 72 2d 25 64 } // CreateNamedPipeA finished with Error-%d
13 | $dbg3 = { 4f 53 3a 20 25 73 25 73 20 53 50 20 25 64 20 25 73 20 28 25 64 2e 25 64 2e 25 64 29 0d 0a } // OS: %s%s SP %d %s (%d.%d.%d)\r\n
14 | $dbg4 = { 63 00 6d 00 64 00 2e 00 65 00 78 00 65 00 20 00 2f 00 75 00 20 00 2f 00 63 00 20 00 25 00 73 } // cmd.exe /u /c %s (UTF-16LE)
15 | $dbg5 = { 0d 0a 43 6f 6f 6b 69 65 3a 20 25 73 } // \r\nCookie: %s
16 | $dbg6 = { 25 73 5f 6d 61 69 6e } // %s_main
17 | $dbg7 = { 25 73 5f 66 69 6e } // %s_fin ($dbg6/$dbg7 are very short patterns; they only count toward the 6-of-8 threshold)
18 | $dbg8 = "3%3*373<3I3N3[3`3m3r3" fullword ascii // ref delphi lib
19 | // parser arguments + entry reflect
20 | $s1 = { 8b 8d 80 f8 ff ff c7 41 04 01 00 00 00 83 e8 01 0f 84 aa 12 00 00 83 e8 01 0f 84 9a 12 00 00 83 e8 01 0f 84 8a 12 00 00 83 e8 01 0f 84 7a 12 00 } // x86: mov ecx,[ebp-0x780] ; mov dword [ecx+4],1 ; then a sub eax,1 / je rel32 chain — a decrement-and-branch dispatch on a small integer (the argument switch per the author's label); fixed rel32 targets make it build-specific
21 | $s2 = { 51 83 7d 08 00 75 07 b8 5b ab 66 00 eb 35 8b 45 08 89 45 fc 8b 4d fc } // x86: cmp dword [ebp+8],0 ; jne — substitutes the absolute address 0x66ab5b when the first argument is NULL; the absolute address pins this to one build
22 | condition:
23 | uint16(0) == 0x5a4d and filesize > 30KB and 6 of ($dbg*) and all of ($s*) // "MZ" header; both code sequences are mandatory
24 | }
25 |
--------------------------------------------------------------------------------
/2021-03-23/APT38/APT_APT38_ValeforBeta_Mar_2021_1.yar:
--------------------------------------------------------------------------------
1 | rule APT_APT38_ValeforBeta_Mar_2021_1 { // PE rule: registry/format strings (5 of 7) plus one of two x86 code sequences
2 | meta:
3 | description = "Detect ValeforBeta used in attacks against Japanese organisations by APT38"
4 | author = "Arkbird_SOLG"
5 | reference = "Internal Research"
6 | date = "2021-03-23"
7 | hash1 = "eb846bb491bea698b99eab80d58fd1f2530b0c1ee5588f7ea02ce0ce209ddb60"
8 | level = "experimental"
9 | strings:
10 | // debug outputs
11 | $dbg1 = { 2f 64 64 65 00 00 00 64 64 65 65 78 65 63 } // /dde ddeexec
12 | $dbg2 = { 25 73 5c 53 68 65 6c 6c 4e 65 77 } // %s\\ShellNew
13 | $dbg3 = { 25 73 20 28 25 73 3a 25 64 29 0a 25 73 } // %s (%s:%d)\n%s
14 | $dbg4 = { 7b 25 30 38 58 2d 25 30 34 58 2d 25 30 34 58 2d 25 30 32 58 25 30 32 58 2d 25 30 32 58 25 30 32 58 25 30 32 58 25 30 32 58 25 30 32 58 25 30 32 58 7d } // {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X} — GUID format string (11 arguments; see $s2)
15 | $dbg5 = { 25 73 25 73 2e 64 6c 6c } // %s%s.dll
16 | $dbg6 = { 25 73 5c 73 68 65 6c 6c 5c 6f 70 65 6e 5c 25 73 00 00 00 00 25 73 5c 73 68 65 6c 6c 5c 70 72 69 6e 74 5c 25 73 00 00 00 25 73 5c 73 68 65 6c 6c 5c 70 72 69 6e 74 74 6f 5c 25 73 00 25 73 5c 44 65 66 61 75 6c 74 49 63 6f 6e 00 00 25 73 5c 53 68 65 6c 6c 4e 65 77 00 2c 25 64 00 63 6f 6d 6d 61 6e 64 00 20 22 25 31 22 00 00 00 20 2f 70 20 22 25 31 22 00 00 00 00 20 2f 70 74 20 22 25 31 22 20 22 25 32 22 20 22 25 33 22 20 22 25 34 22 } // ref shell commands — NUL-separated: "%s\shell\open\%s", "%s\shell\print\%s", "%s\shell\printto\%s", "%s\DefaultIcon", "%s\ShellNew", ",%d", "command", " \"%1\"", " /p \"%1\"", " /pt \"%1\" \"%2\" \"%3\" \"%4\"" — standard file-association registry templates, so individually weak
17 | $dbg7 = { 43 4c 53 49 44 5c 25 31 5c 49 6e 50 72 6f 63 53 65 72 76 65 72 33 32 } // CLSID\\%1\\InProcServer32
18 | $s1 = { 74 f1 ff b5 a8 fe ff ff 8d 4b 10 c7 43 08 03 00 00 00 e8 3c cf fd ff eb da 8d 8d ac fe ff ff e8 3f 1a fc ff 83 65 fc 00 8d 85 ac fe ff ff 50 57 e8 bd fd ff ff ff b5 ac fe ff ff ff 15 24 44 47 00 85 c0 0f 85 be 00 00 00 50 50 8d 8d a0 fe ff ff 51 8d 8d 9c fe ff ff 51 50 50 50 ff b5 ac fe ff ff ff 15 70 42 47 00 85 c0 75 1f ff b5 a8 fe ff ff 53 e8 dc fe ff ff 8b 8d ac fe ff ff } // x86 with fixed rel32 targets and absolute import addresses (0x474424, 0x474270): a loop that pushes stack locals and calls two imports, testing each result — build-specific
19 | $s2 = { 45 fc 8b 45 0c 0f b6 48 0f 56 51 0f b6 48 0e 51 0f b6 48 0d 51 0f b6 48 0c 51 0f b6 48 0b 51 0f b6 48 0a 51 0f b6 48 09 51 0f b6 48 08 8b 75 08 83 a5 f8 fe ff ff 00 51 0f b7 48 06 51 0f b7 48 04 51 ff 30 8d 85 fc fe ff ff 68 48 aa 47 00 68 00 01 00 00 } // x86: pushes bytes [eax+15..8], words [eax+6],[eax+4] and dword [eax] in reverse order — the GUID field layout — then a format-string address (0x47aa48) and 0x100; consistent with formatting a GUID into a 256-byte buffer with $dbg4's template; confirm
20 | condition:
21 | uint16(0) == 0x5a4d and filesize > 30KB and 5 of ($dbg*) and 1 of ($s*) // "MZ" header; at least one code sequence must be present
22 | }
23 |
--------------------------------------------------------------------------------
/2021-04-03/APT34/APT_APT_34_MailDrop_Mar_2021_1.yar:
--------------------------------------------------------------------------------
1 | rule APT_APT_34_MailDrop_Mar_2021_1 { // .NET PE rule: CIL method-body patterns (2 of 4) plus EWS-related strings (5 of 8)
2 | meta:
3 | description = "Detect MailDrop malware used by APT34"
4 | author = "Arkbird_SOLG"
5 | reference = "Internal Research"
6 | date = "2021-04-03"
7 | hash1 = "d6b876d72dba94fc0bacbe1cb45aba493e4b71572a7713a1a0ae844609a72504"
8 | hash2 = "ebae23be2e24139245cc32ceda4b05c77ba393442482109cc69a6cecc6ad1393"
9 | strings:
10 | $EWSInitCom = { 7e ?? 00 00 04 28 ?? 00 00 06 ?? 4f [0-3] 02 7b ?? 00 00 04 28 ?? 00 00 06 28 ?? 00 00 06 02 7b ?? 00 00 04 6f ?? 00 00 06 02 7b ?? 00 00 04 28 ?? 00 00 06 72 ?? 00 00 70 28 ?? 00 00 0a 28 ?? 00 00 06 02 7b ?? 00 00 04 6f ?? 00 00 06 7e ?? 00 00 04 72 ?? 00 00 70 28 ?? 00 00 06 7e 06 00 00 04 28 ?? 00 00 06 [2-4] 00 00 [3-4] 00 00 [3] 00 00 [3] 00 00 [3] 00 00 } // $EWS*: CIL (.NET IL) byte patterns — 7e ?? 00 00 04 = ldsfld <Field>, 28 ?? 00 00 06 = call <MethodDef>, 28 ?? 00 00 0a = call <MemberRef>, 72 ?? 00 00 70 = ldstr <UserString>, 6f = callvirt, 7b = ldfld; the ?? wildcards the per-build token row index
11 | $EWSCom = { 13 30 ?? 00 ?? 00 00 00 00 00 00 00 02 28 ?? 00 00 ?? 02 03 05 0e 04 0e 05 0e 06 [0-4] 73 ?? 00 00 06 7d ?? 00 00 04 04 [2-6] 00 00 ?? 02 ?? 7d ?? 00 00 04 [0-2] 02 ?? 7d ?? 00 00 04 [2-4] 00 00 [0-18] 04 02 28 ?? 00 00 06 2a } // fat method header (13 30 …) then a constructor shape: ldarg.0 ; call (base ctor) ; loads args 0-6 ; newobj (73) ; stfld (7d) … ; ret (2a)
12 | $EWSDecrypt = { 13 30 03 00 27 00 00 00 ?? 00 00 11 0f 00 20 00 01 00 00 16 28 ?? 00 00 06 28 ?? 00 00 06 0a 0f 00 1f 10 16 28 ?? 00 00 06 0b 02 06 07 28 ?? 00 00 06 2a } // fat header (maxstack 3, code size 0x27, locals sig token 0x11xxxxxx); ldarga.s 0 ; ldc.i4 0x100 (256) ; ldc.i4.0 ; call ; call ; stloc.0 ; ldarga.s 0 ; ldc.i4.s 16 ; ldc.i4.0 ; call ; stloc.1 ; ldarg.0 ; ldloc.0 ; ldloc.1 ; call ; ret — the 256 and 16 are consistent with a 256-bit key and a 16-byte IV derived from the argument; confirm
13 | $EWSRandomData = { 1b 30 ?? 00 ?? 00 00 00 ?? 00 00 11 02 19 28 ?? 00 00 0a 0a 16 0b ?? 35 [0-3] 06 16 6a 16 6f ?? 00 00 0a 26 06 6f ?? 00 00 0a d4 8d ?? 00 00 01 0c 7e ?? 00 00 04 08 6f ?? 00 00 0a 06 08 16 06 6f ?? 00 00 0a b7 6f ?? 00 00 0a 07 17 d6 0b 07 1f 32 32 c6 [5-11] 06 6f ?? 00 00 0a dc 2a [0-1] 01 10 00 00 02 00 08 00 } // loop of 50 iterations (ldc.i4.s 0x32 ; blt.s back) incrementing a counter with add.ovf (d6), with an endfinally (dc) before ret — a try/finally-wrapped fill loop; the trailing bytes are the method's exception-handling clause header
14 | $s1 = "HMicrosoft Office/15.0 (Windows NT {0}; Microsoft Outlook 15.0.4675; Pro)" fullword ascii // User-Agent template with a .NET {0} placeholder; NOTE(review): the leading 'H' (0x48 = 72) equals the length of the rest of the string — presumably a length prefix that precedes it in the binary; confirm against the sample
15 | $s2 = "https://{0}/ews/exchange.asmx" fullword wide // Exchange Web Services endpoint template
16 | $s3 = "Send_Log" fullword ascii // $s3-$s8: .NET method/type names
17 | $s4 = "CheckEWSConnection" fullword ascii
18 | $s5 = "Done:D" fullword wide
19 | $s6 = "ExecAllCmds" fullword ascii
20 | $s7 = "ExchangeUri" fullword ascii
21 | $s8 = "get_cmdSubject" fullword ascii // compiler-generated property getter name
22 | condition:
23 | uint16(0) == 0x5a4d and filesize > 20KB and 2 of ($EWS*) and 5 of ($s*) // "MZ" header; low 20KB floor suits a small .NET assembly
24 | }
25 |
26 |
--------------------------------------------------------------------------------
/2021-04-14/Underminer/Exp_Underminer_Apr_2021_1.yar:
--------------------------------------------------------------------------------
1 | rule Exp_Underminer_Apr_2021_1 // targets HTML/JS landing-page content (Flash plugin probing), so there is no PE magic check
2 | {
3 | meta:
4 | description = "Detect Underminer exploit kit"
5 | author = "Arkbird_SOLG"
6 | date = "2021-04-14"
7 | reference = "https://twitter.com/nao_sec/status/1382358986813415427"
8 | hash1 = "172ac73cda6260918510ad2f4481a7fcd90c5a86d47dd880c5bcb3596dd20a7d"
9 | strings:
10 | $s1 = { 6e 65 77 20 41 63 74 69 76 65 58 4f 62 6a 65 63 74 28 22 53 68 6f 63 6b 77 61 76 65 46 6c 61 73 68 2e 53 68 6f 63 6b 77 61 76 65 46 6c 61 73 68 22 29 } // new ActiveXObject("ShockwaveFlash.ShockwaveFlash") — IE-side Flash detection
11 | $s2 = "$version" fullword ascii // Flash version query
12 | $s3 = { 6e 61 76 69 67 61 74 6f 72 2e 70 6c 75 67 69 6e 73 26 26 6e 61 76 69 67 61 74 6f 72 2e 70 6c 75 67 69 6e 73 2e 6c 65 6e 67 74 68 3e 30 } // navigator.plugins&&navigator.plugins.length>0 — $s3/$s4 are common plugin-detection idioms, hence the 6-of-8 threshold
13 | $s4 = { 6e 61 76 69 67 61 74 6f 72 2e 70 6c 75 67 69 6e 73 5b 22 53 68 6f 63 6b 77 61 76 65 20 46 6c 61 73 68 22 5d } // navigator.plugins["Shockwave Flash"]
14 | $s5 = { 63 6c 61 73 73 69 64 3d 27 63 6c 73 69 64 3a 44 32 37 43 44 42 36 45 2d 41 45 36 44 2d 31 31 63 66 2d 39 36 42 38 2d 34 34 34 35 35 33 35 34 30 30 30 30 27 } // classid='clsid:D27CDB6E-AE6D-11cf-96B8-444553540000' — the Flash Player ActiveX CLSID
15 | $s6 = { 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 73 68 6f 63 6b 77 61 76 65 2d 66 6c 61 73 68 22 } // "application/x-shockwave-flash"
16 | $s7 = { 22 64 61 74 61 22 2c 22 2f 6c 6f 67 6f 2e 73 77 66 22 } // "data","/logo.swf" — the embedded SWF path, the most kit-specific string here
17 | $s8 = { 22 30 30 30 30 30 30 30 30 22 2b 28 [1-8] 5b 30 5d 3e 3e 3e 30 29 2e 74 6f 53 74 72 69 6e 67 28 31 36 29 29 2e 73 6c 69 63 65 28 2d 38 29 2b 28 22 30 30 30 30 30 30 30 30 22 2b 28 [1-8] 5b 31 5d 3e 3e 3e 30 29 2e 74 6f 53 74 72 69 6e 67 28 31 36 29 29 2e 73 6c 69 63 65 28 2d 38 29 } // "00000000"+([...][0]>>>0).toString(16)).slice(-8)+("00000000"+([...][1]>>>0).toString(16)).slice(-8) — zero-padded hex encoding of two 32-bit words; [1-8] wildcards the variable name
18 | condition:
19 | filesize > 5KB and 6 of ($s*) // no magic check; 6 of 8 strings
20 | }
21 |
--------------------------------------------------------------------------------
/2021-04-27/Lazarus/APT_Lazarus_HTA_Apr_2021_1.yara:
--------------------------------------------------------------------------------
1 | rule APT_Lazarus_HTA_Apr_2021_1 { // polyglot: an image-format header followed by HTA/JScript that reassembles and writes an "MZ" file via Scripting.FileSystemObject
2 | meta:
3 | description = "Detect HTA with the fake picture header as decoy used by Lazarus"
4 | author = "Arkbird_SOLG"
5 | reference = "Internal Research"
6 | date = "2021-04-27"
7 | hash1 = "888cfc87b44024c48eed794cc9d6dea9f6ae0cc3468dee940495e839a12ee0db"
8 | tlp = "white"
9 | adversary = "Lazarus"
10 | strings:
11 | $s1 = { 0a 3c 73 63 72 69 70 74 20 6c 61 6e 67 75 61 67 65 3d 22 6a 61 76 61 73 63 72 69 70 74 22 3e } // \n<script language="javascript">
12 | $s2 = { 5b 27 4f 70 65 6e 54 65 78 74 46 69 6c 65 27 2c 27 43 72 65 61 74 65 54 65 78 74 46 69 6c 65 27 } // ['OpenTextFile','CreateTextFile' — FileSystemObject method names kept in an array (bracket-notation obfuscation)
13 | $s3 = { 5b 27 70 75 73 68 27 5d } // ['push']
14 | $s4 = { 28 27 4d 5a 27 29 2c 65 5b 27 43 6c 6f 73 65 27 5d 28 29 } // ('MZ'),e['Close']() — writes an "MZ" header then closes the file
15 | $s5 = { 5b 27 73 68 69 66 74 27 5d 28 29 } // ['shift']()
16 | $s6 = { 3b 76 61 72 20 64 61 74 61 3d 5b } // ;var data=[ — start of the embedded payload array
17 | $s7 = { 62 3d 6e 65 77 20 41 63 74 69 76 65 58 4f 62 6a 65 63 74 28 27 53 63 72 69 70 74 69 6e 67 2e 46 69 6c 65 53 79 73 74 65 6d 4f 62 6a 65 63 74 27 29 } // b=new ActiveXObject('Scripting.FileSystemObject')
18 | condition:
19 | // check BMP ("BM" = 0x4d42), JPEG SOI (ff d8 = 0xd8ff), PNG (89 50 4e 47 = 0x474e5089) and GIF ("GIF8" = 0x38464947) magic numbers; uint16/uint32 read little-endian, hence the reversed byte order
20 | (uint16(0) == 0x4d42 or uint16(0) == 0xd8ff or uint32(0) == 0x474e5089 or uint32(0) == 0x38464947) and filesize > 20KB and 5 of ($s*) // $s3 and $s5 are very short, so the 5-of-7 threshold still needs three of the longer strings
21 | }
22 |
--------------------------------------------------------------------------------
/2021-04-29/APT34/APT_APT34_Dustman_Apr_2021_1.yara:
--------------------------------------------------------------------------------
1 | rule APT_APT34_Dustman_Apr_2021_1 { // PE rule on the installer: command-line strings, VirtualBox driver/service names, a device-path format, one x86 sequence and the PDB path; 4 of 6 required
2 | meta:
3 | description = "Detect the Installer of Dustman wiper used by APT34"
4 | author = "Arkbird_SOLG"
5 | reference = "Internal Research"
6 | date = "2021-04-28"
7 | hash1 = "a9397eb9e95087db7e03239c689776d56c1450d685568564acd90e1532c78882"
8 | tlp = "white"
9 | adversary = "APT34"
10 | strings:
11 | $s1 = { 43 3a 5c 77 69 6e 64 6f 77 73 5c 73 79 73 74 65 6d 33 32 5c 63 6d 64 2e 65 78 65 00 00 00 00 00 2f 63 20 61 67 65 6e 74 2e 65 78 65 20 41 00 00 44 00 6f 00 77 00 6e 00 20 00 57 00 69 00 74 00 68 00 20 00 42 00 69 00 6e 00 20 00 53 00 61 00 6c 00 6d 00 61 00 6e 00 00 00 00 00 5c 00 } // ascii "C:\windows\system32\cmd.exe", "/c agent.exe A", then UTF-16LE "Down With Bin Salman" and "\" — the launcher command line and a message string, including the NUL padding between them
12 | $s2 = "\\assistant.sys" fullword wide // driver file name
13 | $s3 = { 61 00 67 00 65 00 6e 00 74 00 2e 00 65 00 78 00 65 00 00 00 00 00 00 00 53 00 6f 00 66 00 74 00 77 00 61 00 72 00 65 00 5c 00 4f 00 72 00 61 00 63 00 6c 00 65 00 5c 00 56 00 69 00 72 00 74 00 75 00 61 00 6c 00 42 00 6f 00 78 00 00 00 00 00 54 68 65 20 4d 61 67 69 63 20 57 6f 72 64 21 00 56 00 42 00 6f 00 78 00 44 00 72 00 76 00 00 00 5c 00 44 00 65 00 76 00 69 00 63 00 65 00 00 00 56 00 42 00 6f 00 78 00 55 00 53 00 42 00 4d 00 6f 00 6e 00 00 00 00 00 56 00 42 00 6f 00 78 00 4e 00 65 00 74 00 41 00 64 00 70 00 00 00 00 00 56 00 42 00 6f 00 78 00 4e 00 65 00 74 00 4c 00 77 00 66 } // UTF-16LE "agent.exe", "Software\Oracle\VirtualBox", ascii "The Magic Word!", then UTF-16LE "VBoxDrv", "\Device", "VBoxUSBMon", "VBoxNetAdp", "VBoxNetLwf" — VirtualBox registry key and driver names in fixed order
14 | $s4 = { 5c 00 5c 00 2e 00 5c 00 25 00 73 } // UTF-16LE "\\.\%s" — device-path format string
15 | $s5 = { 68 54 00 00 00 68 00 00 00 00 68 80 69 40 00 e8 f4 0f 00 00 83 c4 0c 68 00 00 00 00 e8 ed 0f 00 00 a3 84 69 40 00 68 00 00 00 00 68 00 10 00 00 68 00 00 00 00 e8 da 0f 00 00 a3 80 69 40 00 e8 fc 2f 00 00 e8 7d 2c 00 00 e8 7a 18 00 00 e8 1d 12 00 00 e8 40 2d 00 00 68 00 00 00 00 e8 78 2f 00 00 a3 8c 69 40 00 68 00 00 00 00 e8 8d 2f 00 00 a3 90 69 40 00 c7 05 94 69 40 00 5a 00 00 00 c7 05 98 69 40 00 14 00 00 00 8b 1d 8c 69 40 00 2b 1d 94 69 40 00 83 c3 ea 89 1d 9c 69 40 00 8b 1d 90 69 40 00 2b 1d 98 69 40 00 83 c3 cc 89 1d a0 69 40 00 68 00 00 c8 00 68 18 60 40 00 ff 35 98 69 40 00 ff 35 94 69 40 00 ff 35 a0 69 40 00 ff 35 9c 69 40 00 68 00 00 00 } // x86 with absolute data addresses (0x4069xx): a run of calls whose results are stored in globals (mov [0x406984],eax …), constants 0x5a and 0x14 written to globals, then those globals pushed as call arguments — layout-bound to this build
16 | $s6 ="Release\\Dustman.pdb" fullword ascii // PDB path left in the debug directory
17 | condition:
18 | uint16(0) == 0x5a4d and filesize > 50KB and 4 of them // "MZ" header, 50KB floor, any 4 of the 6 strings
19 | }
20 |
--------------------------------------------------------------------------------
/2021-05-01/Turla/APT_Turla_IronPython_Apr_2021_1.yara:
--------------------------------------------------------------------------------
1 | rule APT_Turla_IronPython_Apr_2021_1 { // script rule (no PE magic): IronPython source that XOR/AES-decodes an embedded blob and loads it as a .NET assembly; 9 of 11 required
2 | meta:
3 | description = "Detect IronPython script used by Turla group"
4 | author = "Arkbird_SOLG"
5 | reference = "https://twitter.com/DrunkBinary/status/1388332507695919104"
6 | date = "2021-04-30"
7 | hash1 = "65b43e30547ae4066229040c9056aa9243145b9ae5f3b9d0a01a5068ef9a0361"
8 | hash2 = "c430ebab4bf827303bc4ad95d40eecc7988bdc17cc139c8f88466bc536755d4e"
9 | hash3 = "f76257749792cc4e54f75d0e7a83e7a4429395c5dbc48078a8068575d7e9a98" // NOTE(review): 63 hex characters — one short of a SHA-256; verify against the original source before using it as an IoC
10 | tlp = "White"
11 | adversary = "Turla"
12 | strings:
13 | $s1 = { 6c 61 6d 62 64 61 20 73 2c 6b 3a 27 27 2e 6a 6f 69 6e 28 5b 63 68 72 28 28 6f 72 64 28 63 29 5e 6b 29 25 30 78 31 30 30 29 20 66 6f 72 20 63 20 69 6e 20 73 5d 29 } // lambda s,k:''.join([chr((ord(c)^k)%0x100) for c in s]) — single-byte XOR decode helper
14 | $s2 = { 66 72 6f 6d 20 53 79 73 74 65 6d 2e 53 65 63 75 72 69 74 79 2e 43 72 79 70 74 6f 67 72 61 70 68 79 20 69 6d 70 6f 72 74 2a } // from System.Security.Cryptography import*
15 | $s3 = { 52 69 6a 6e 64 61 65 6c 4d 61 6e 61 67 65 64 28 4b 65 79 53 69 7a 65 3d 31 32 38 2c 42 6c 6f 63 6b 53 69 7a 65 3d 31 32 38 29 } // RijndaelManaged(KeySize=128,BlockSize=128) — AES-128 via the .NET class
16 | $s4 = { 72 65 74 75 72 6e 20 53 79 73 74 65 6d 2e 41 72 72 61 79 5b 53 79 73 74 65 6d 2e 42 79 74 65 5d 28 5b 6f 72 64 28 78 29 66 6f 72 20 78 20 69 6e 20 6c 69 73 74 28 73 74 72 29 5d 29 } // return System.Array[System.Byte]([ord(x)for x in list(str)]) — str-to-byte[] conversion
17 | $s5 = { 53 79 73 74 65 6d 2e 41 72 72 61 79 2e 43 72 65 61 74 65 49 6e 73 74 61 6e 63 65 28 53 79 73 74 65 6d 2e 42 79 74 65 2c [10-12] 2e 4c 65 6e 67 74 68 29 } // System.Array.CreateInstance(System.Byte,#.Length)
18 | $s6 = { 28 62 61 73 65 36 34 2e 62 36 34 64 65 63 6f 64 65 28 [4-10] 5b 31 36 3a 5d 29 2c 73 79 73 2e 61 72 67 76 5b 31 5d 2c [4-10] 5b 3a 31 36 5d 2c } // (base64.b64decode(#[16:]),sys.argv[1],#[:16], — the blob after byte 16, argv[1] and the first 16 bytes are passed separately; consistent with ciphertext / key / IV, confirm
19 | $s7 = { 41 73 73 65 6d 62 6c 79 2e 4c 6f 61 64 28 } // Assembly.Load( — in-memory .NET assembly load
20 | $s8 = { 20 69 66 20 6c 65 6e 28 73 79 73 2e 61 72 67 76 29 21 3d 32 3a } //  if len(sys.argv)!=2: — exactly one command-line argument expected
21 | $s9 = { 65 78 63 65 70 74 20 53 79 73 74 65 6d 2e 53 79 73 74 65 6d 45 78 63 65 70 74 69 6f 6e 20 61 73 20 65 78 3a } // except System.SystemException as ex:
22 | $s10 = { 69 66 20 5f 5f 6e 61 6d 65 5f 5f 3d 3d } // if __name__== — generic Python idiom, weak alone
23 | $s11 = { 2e 66 6f 72 6d 61 74 28 65 78 2e 4d 65 73 73 61 67 65 2c 65 78 2e 53 74 61 63 6b 54 72 61 63 65 29 29 } // .format(ex.Message,ex.StackTrace))
24 | condition:
25 | filesize > 100KB and 9 of ($s*) // no magic check; the 100KB floor presumably reflects the embedded base64 payload — confirm
26 | }
27 |
--------------------------------------------------------------------------------
/2021-05-12/Astrolocker/RAN_Astrolocker_May_2021_1.yara:
--------------------------------------------------------------------------------
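1 | rule RAN_Astrolocker_May_2021_1 { // PE rule: either of two build-specific code sequences is enough (1 of $seq*)
2 | meta:
3 | description = "Detect the Astrolocker ransomware"
4 | author = "Arkbird_SOLG"
5 | // thanks to @dragan_security for his help
6 | reference = "Internal Research"
7 | date = "2021-05-12" // fixed: was "2020-05-12", inconsistent with the rule name (May_2021), the $seq_Mar/Apr_2021 string names and the listing directory 2021-05-12
8 | hash1 = "7fe1686f4afb9907f880a5e77bf30bc00fae71980f57ca70b60b7b1716456a2f"
9 | hash2 = "b26749b17ca691328ba67ee49d4d9997c101966c607ab578afad204459b7bf8f"
10 | tlp = "White"
11 | adversary = "-"
12 | level = "Experimental"
13 | strings:
14 | $seq_Mar_2021_1 = { 6a 00 6a 00 ff 15 88 60 41 00 81 3d cc e6 b8 02 57 0f 00 00 8b 0d b4 c4 41 00 8b 15 b8 c4 41 00 a1 bc c4 41 00 89 4c 24 2c 89 54 24 20 89 44 24 24 75 14 6a 00 6a 00 6a 00 6a 00 6a 00 6a 00 6a 00 ff 15 28 60 41 00 8b 2d a8 60 41 00 c7 44 24 1c 20 00 00 00 8d 9b 00 00 00 00 8b 54 24 18 8b ce c1 e1 04 03 4c 24 20 8b c6 c1 e8 05 89 4c 24 14 8d 0c 32 89 44 24 10 8b 44 24 24 01 44 24 10 31 4c 24 14 81 3d cc e6 b8 02 f5 03 00 00 c7 05 0c da b8 02 36 06 ea e9 75 08 6a 00 ff 15 5c 60 41 00 8b 4c 24 14 31 4c 24 10 83 3d cc e6 b8 02 42 75 30 6a 00 6a 00 6a 00 ff d5 6a 30 8d 54 24 3c 6a 00 52 c7 44 24 40 00 00 00 00 e8 5a 5e ff ff 83 c4 0c 6a 00 8d 44 24 38 50 6a 00 ff 15 00 60 41 00 2b 5c 24 10 8b cb c1 e1 04 81 3d cc e6 b8 02 8c 07 00 00 89 4c 24 14 75 09 6a 00 6a 00 e8 d2 eb fe ff } // x86: push 0 ; push 0 ; call [0x416088] then cmp dword [0x2b8e6cc],imm32 checks of a global, a shl 4 / shr 5 / xor mixing loop over stack dwords (mov [esp+0x1c],0x20 sets 32 rounds) and more import calls; absolute 0x41xxxx / 0x2b8xxxx addresses bind it to one build — the name suggests a March 2021 sample
15 | $seq_Apr_2021_1 = { 89 44 24 38 48 8b 05 78 4e 00 00 48 89 05 b9 9e 00 00 48 8b 05 52 4e 00 00 48 89 05 b3 9e 00 00 48 8b 05 4c 4e 00 00 48 89 05 ad 9e 00 00 48 8b 05 46 4e 00 00 48 89 05 a7 9e 00 00 8b 05 51 9e } // x64: four mov rax,[rip+…] / mov [rip+…],rax pairs copying globals, with fixed displacements — build-specific; the name suggests an April 2021 sample
16 | condition:
17 | uint16(0) == 0x5a4d and filesize > 30KB and 1 of ($seq*) // "MZ" header, 30KB floor; a single matching sequence fires the rule
18 | }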
19 |
--------------------------------------------------------------------------------
/2021-05-20/Conti/RAN_Conti_May_2021_1.yara:
--------------------------------------------------------------------------------
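rule RAN_Conti_May_2021_1 {
    meta:
        // Closing bracket restored in the description (was left open).
        description = "Detect packed Conti ransomware (May 2021) [Common parts with Vidar packer, possible false positives to Vidar stealer or Danabot]"
        author = "Arkbird_SOLG"
        reference = "Internal Research"
        date = "2021-05-19"
        hash1 = "Redacted"
        tlp = "White"
        adversary = "RAAS"
        level = "Experimental"
    strings:
        // Per the description these sequences come from the packer layer shared with
        // Vidar, not from the Conti payload itself, so anything wrapped by the same
        // packer can match; that is the false-positive risk the description names.
        // Wildcards cover relocatable operands; the `81 3d [4] <imm32>` form seen in
        // $seq1, $seq2 and $seq4 is a cmp of a global against a fixed immediate.
        $seq1 = { 55 8b ec [3-4] 00 00 [0-5] 56 57 83 3d [4] 25 0f 85 ?? 00 00 00 68 [2] 44 00 ff 15 [2] 42 00 3d f6 65 00 00 0f 85 ?? 00 00 00 6a 00 [0-2] ff 15 2c ?? 42 00 b9 ?? 00 00 00 be [2] 42 00 8d bd f8 f7 ff ff f3 a5 [2-4] 07 00 00 6a 00 8d 85 ?? f8 ff ff 50 e8 [4] 83 c4 0c 8d 4d f8 89 4d fc 6a 00 6a 00 [2-4] 06 00 00 }
        $seq2 = { ff 15 [2] 42 00 8b ?? f4 c1 ?? 04 89 ?? e4 81 3d [4] 8c 07 00 00 75 1d 6a 00 e8 [4] 6a 00 6a 00 6a 00 6a 00 6a 00 6a 00 6a 00 6a 00 ff 15 [2] 42 00 8b 45 f8 01 45 e4 8b ?? f4 03 ?? e8 89 ?? f0 81 3d [4] 96 01 }
        $seq3 = { 83 bd [2] ff ff 26 75 05 e8 [2] ff ff 83 3d [4] 7a 75 75 33 ?? 66 89 [3] ff ff 33 ?? 89 [3] ff ff 89 [3] ff ff 89 [3] ff ff 66 89 [3] ff ff 33 ?? 66 89 [3] ff ff 33 ?? 89 [3] ff ff 89 [3] ff ff 89 [3] ff ff 66 89 [3] ff ff 8d [3] ff ff ?? 8d [3] ff ff ?? 8d [3] ff ff ?? ff 15 [2] 42 00 6a 00 ff 15 [2] 42 00 6a 00 6a 00 ff 15 [2] 42 00 e9 50 ff ff }
        $seq4 = { 81 bd [2] ff ff 22 3b 00 00 75 [4-5] 42 00 [5-6] 81 3d [4] e5 05 00 00 75 }
    condition:
        // All four sequences are required, which narrows the packer overlap noted above.
        uint16(0) == 0x5a4d and filesize > 90KB and all of ($seq*)
}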
19 |
--------------------------------------------------------------------------------
/2021-05-30/APT39/Infos.csv:
--------------------------------------------------------------------------------
1 | "Date","Hash","Yara"
2 | "2021-05-08 12:39:56","88c947d0d0fddd1ea87f5b85982cf231c9c56e4f5e25fac405f608a1c28d8391","ok"
3 | "2021-05-08 12:42:08","f3b0ad96c8529399bd7117bd67cdf0297191476d3a81a60b147960306ae5f068","ok"
4 | "2021-05-08 12:42:08","27eb42279a3b74ee6cbd0f150035a45a7ae0e7b94b02483379ddf4932d3feaa6","ok"
5 | "2021-05-08 12:44:07","8847a73bbd9477be60685ce8ec8333db933892f4d7b729fcef01ac76600de9ff","ok"
6 | "2021-05-08 12:44:07","b8e246f58d9094e7f4545bd608f143956de3b27960a1496e3753cdd6676c681b","ok"
7 |
--------------------------------------------------------------------------------
/2021-06-01/NOBELIUM/MAL_Enc_payload_May_2021_1.yara:
--------------------------------------------------------------------------------
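rule MAL_Enc_payload_May_2021_1 {
    meta:
        // Wording fixed, meaning kept: this rule is a companion to the other
        // NOBELIUM/APT29 rules and is noisy when used on its own.
        description = "Detect encrypted payload, must be used with the other APT29 rules, may give a lot of false positives due to the PDF header"
        author = "Arkbird_SOLG"
        reference = "Internal Research"
        date = "2021-05-28"
        hash1 = "23e20d630a8fd12600c2811d8f179f0e408dcb3e82600456db74cbf93a66e70f"
        hash2 = "656384c4e5f9fe435d51edf910e7ba28b5c6d183587cf3e8f75fb2d798a01eeb"
        level = "Experimental"
        tlp = "White"
        adversary = "NOBELIUM"
    strings:
        // "%PDF-1.3\n%" followed by a run of the encrypted body. The header bytes are
        // shared by every PDF 1.3 file; the body bytes are what ties this to the samples.
        $s1 = { 25 50 44 46 2d 31 2e 33 0a 25 06 8b c4 1c c5 86 66 f3 dc 75 f9 3b dd 8c 44 e3 d3 a4 74 9d 94 4e 2e 0f d9 01 a6 f2 88 6a a8 0b 16 1b 1a fc 60 3f 72 7a 1b c1 a7 bb 2f 19 31 6d 6f 79 db 20 f6 c7 fa e7 eb b9 88 77 de 1f a1 92 d7 ea 68 a9 b7 89 17 92 e8 b2 bb a5 58 56 b4 30 60 f8 28 0c 54 7b 2b 68 ba 7e 01 01 6d ad 2e 6d 72 67 1e b0 a8 ea 42 82 bd 14 9a 86 f0 0d 9a 8b 92 76 b3 b3 7d ef 69 24 2c 9f c2 ca e9 c9 b3 }
        // "%%EOF\n" - the PDF trailer marker.
        $s2 = { 25 25 45 4f 46 0a }
    condition:
        // No MZ check on purpose: the carrier presents itself as a PDF, not a PE.
        filesize > 50KB and all of ($s*)
}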
18 |
19 |
20 |
21 |
--------------------------------------------------------------------------------
/2021-06-01/NOBELIUM/MAL_EnvyScout_May_2021_1.yara:
--------------------------------------------------------------------------------
rule MAL_EnvyScout_May_2021_1 {
    meta:
        description = "Detect EnvyScout downloader"
        author = "Arkbird_SOLG"
        reference = "Internal Research"
        date = "2021-05-28"
        hash1 = "279d5ef8f80aba530aaac8afd049fa171704fc703d9cfe337b56639732e8ce11"
        hash2 = "9059c5b46dce8595fcc46e63e4ffbceeed883b7b1c9a2313f7208a7f26a0c186"
        tlp = "White"
        adversary = "NOBELIUM"
    strings:
        // $s1-$s4 read like fragments of a minified FileSaver.js-style UMD wrapper
        // (window/self detection, the autoBom option, the saveAs export) - confirm
        // against the samples. If so they identify the bundled library, not attacker code.
        $s1 = "==typeof window&&window.window===window?window:" fullword ascii
        $s2 = "==typeof self&&self.self===self?self:" fullword ascii
        $s3 = "0===t?t={autoBom:!1}:" fullword ascii
        $s4 = "_global.saveAs=saveAs.saveAs=saveAs" fullword ascii
        // Generic: present in a great deal of benign JavaScript, adds little on its own.
        $s5 = "navigator.userAgent" fullword ascii
        // `new Blob([` <1-12 bytes> `], {type: "application/octet-stream"});saveAs(` -
        // the in-browser write of a binary blob to disk (the HTML-smuggling step).
        $s6 = { 6e 65 77 20 42 6c 6f 62 28 5b [1-12] 5d 2c 20 7b 74 79 70 65 3a 20 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 22 7d 29 3b 73 61 76 65 41 73 28 }
    condition:
        // No magic check: the carrier is an HTML/JS document. 5 of 6 means $s6 can be
        // missing while the library fragments plus the generic $s5 still match.
        filesize > 100KB and 5 of ($s*)
}
21 |
--------------------------------------------------------------------------------
/2021-06-12/Nemty/RAN_Nemty_June_2021_1.yara:
--------------------------------------------------------------------------------
rule RAN_Nemty_June_2021_1 {
    meta:
        description = "Detect Nemty ransomware"
        author = "Arkbird_SOLG"
        reference = "Internal Research"
        date = "2021-06-12"
        hash1 = "45e35c9b095871fbc9b85afff4e79dd36b7812b96a302e1ccc65ce7668667fe6"
        hash2 = "511fee839098dfa28dd859ffd3ece5148be13bfb83baa807ed7cac2200103390"
        hash3 = "74b7a1da50ce44b640d84422bb3f99e2f338cc5d5be9ef5f1ad03c8e947296c3"
        tlp = "white"
        adversary = "RAAS"
    strings:
        // `83 f8 1a` = cmp eax, 0x1a, a jge with wildcarded rel32, then stores to
        // [esp+x]; the stack-slot offsets are wildcarded so small layout changes
        // between builds are tolerated.
        $s1 = { 83 f8 1a 0f 8d [2] 00 00 [0-1] 89 4c 24 [1-2] 89 54 24 [1-2] 89 ?? 24 [1-15] 00 00 00}
        // "ZLIB" tag, zero padding, then `78 01`, which is consistent with a zlib stream
        // header (CMF 0x78, FLG 0x01) placed right after the tag - confirm on the samples.
        $s2 = { 5a 4c 49 42 00 00 00 00 00 00 01 ?? 78 01 54 8f [3] 40 [2] cf }
        // Same [esp+x] store pattern as $s1 with a longer wildcard gap.
        $s3 = { 4c 24 [1-2] 89 54 24 [1-2] 89 ?? 24 [12-25] 00 81 }
        // `8d 05` lea eax, [abs]; `c7 44 24 ?? 02 00 00 00` mov dword [esp+x], 2;
        // two relative calls (`e8 .. .. ff ff`, backwards).
        $s4 = { ff ff [0-1] 8d 05 [3] 00 [0-1] 89 04 24 [0-1] c7 44 24 ?? 02 00 00 00 e8 [2] ff ff e8 [2] ff ff [0-1] 8b 4c 24 }
    condition:
        // MZ header; the 500KB floor is high for a PE, presumably a statically linked
        // build - lower it with care if smaller variants appear.
        uint16(0) == 0x5a4d and filesize > 500KB and all of ($s*)
}
20 |
--------------------------------------------------------------------------------
/2021-06-13/Gelsemium/APT_Gelsemium_Gelsenicine_June_2021_2.yara:
--------------------------------------------------------------------------------
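rule APT_Gelsemium_Gelsenicine_June_2021_2 {
    meta:
        description = "Detect Gelsenicine malware (Loader - Variant 2)"
        author = "Arkbird_SOLG"
        reference = "https://www.welivesecurity.com/wp-content/uploads/2021/06/eset_gelsemium.pdf"
        date = "2021-06-12"
        hash1 = "6eaeca0cf28e74de6cfd82d29a3c3cc30c2bc153ac811692cc41ee290d766474"
        // The original labelled all three hashes "hash1"; renumbered to hash1..hash3
        // as in the other rules of this set (values unchanged).
        hash2 = "d986207bc108e55f4b110ae208656b415d2c5fcc8f99f98b4b3985e82b9d5e5b"
        hash3 = "ec491de0e2247f64b753c4ef0c7227ea3548c2f222b547528dae0cf138eca53a"
        tlp = "white"
        adversary = "Gelsemium"
    strings:
        // x64 function: `48 53` push rbx, `48 83 ec 30` sub rsp,0x30, followed by four
        // lea rdx/rcx,[rip+disp] + indirect-call groups; the displacements are wildcarded
        // so the sequence survives relinking.
        $s1 = { 48 53 48 83 ec 30 48 c7 44 24 20 fe ff ff ff 48 8b d9 c7 44 24 40 00 00 00 00 8b 05 [3] 00 a8 01 0f 85 96 00 00 00 83 c8 01 89 05 [3] 00 33 c0 88 44 24 40 4c 8d 44 24 40 48 8d 15 [3] 00 48 8d 0d [3] 00 ff 15 [2] 00 00 90 33 c0 88 44 24 48 4c 8d 44 24 48 48 8d 15 [3] 00 48 8d 0d [3] 00 ff 15 [2] 00 00 90 33 c0 88 44 24 40 4c 8d 44 24 40 48 8d 15 [3] 00 48 8d 0d [3] 00 ff 15 [2] 00 00 90 33 c0 88 44 24 48 4c 8d 44 24 48 48 8d 15 [3] 00 48 8d 0d [3] 00 ff 15 [2] 00 00 90 48 8d 0d [2] 00 00 e8 [2] 00 00 90 48 c7 43 08 00 00 00 00 48 c7 43 10 00 00 00 00 48 c7 43 18 00 00 00 00 4c 8d 0d [3] 00 4c 8d 05 [3] 00 33 d2 48 8b cb e8 86 f9 ff ff 48 8b c3 48 83 c4 30 }
        // UTF-16LE path fragments "Temp/", "CommonAppData/", "System/", "Windows/"
        // (forward slashes, separated by zero padding).
        $s2 = { 54 00 65 00 6d 00 70 00 2f 00 00 00 00 00 00 00 43 00 6f 00 6d 00 6d 00 6f 00 6e 00 41 00 70 00 70 00 44 00 61 00 74 00 61 00 2f 00 00 00 00 00 53 00 79 00 73 00 74 00 65 00 6d 00 2f 00 00 00 57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 2f }
        // x64 byte-copy loop (`8a 01` / `41 88 03` / `49 ff c3` / `48 ff c1` / `48 3b ca`)
        // that fills a buffer and then stores its length fields.
        $s3 = { 48 8b ca e8 [3] 00 48 39 5e 08 75 05 48 8b c3 eb 08 48 8b 46 10 48 2b 46 08 3b c3 0f 4c c3 48 63 c8 e8 [3] 00 48 89 47 08 48 8b 56 10 48 8b 4e 08 4c 8b d8 eb 10 4c 3b db 74 05 8a 01 41 88 03 49 ff c3 48 ff c1 48 3b ca 75 eb 4c 89 5f 10 4c 89 5f 18 48 8b c7 48 83 c4 20 5f 5e }
        // x64 sequence: three calls taking r8d = 0x20 (`41 b8 20 00 00 00`) and what looks
        // like a linked-list walk (`48 8b 40 08` / `48 3b 58 10`).
        $s4 = { 45 33 c9 45 33 c0 ba 80 00 00 00 48 8b ce e8 16 f2 ff ff 84 c0 74 71 48 8d 53 18 41 b8 20 00 00 00 48 8b ce e8 e4 f4 ff ff 84 c0 74 5b 48 8d 53 38 41 b8 20 00 00 00 48 8b ce e8 56 f9 ff ff 84 c0 74 45 48 8b 43 10 48 8b 0d [3] 00 48 3b c1 74 0d 48 8b d8 48 8b 00 48 3b c1 75 f5 eb 1b 48 8b 43 08 eb 07 48 8b d8 48 8b 40 08 48 3b 58 10 74 f3 48 39 43 10 48 0f }
    condition:
        // MZ header plus 3 of the 4 sequences.
        uint16(0) == 0x5a4d and filesize > 30KB and 3 of ($s*)
}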
20 |
--------------------------------------------------------------------------------
/2021-06-20/Klingon/MAL_Klingon_Jun_2021_1.yara:
--------------------------------------------------------------------------------
rule MAL_Klingon_Jun_2021_1 {
    meta:
        description = "Detect the Klingon RAT"
        author = "Arkbird_SOLG"
        reference = "https://www.intezer.com/blog/malware-analysis/klingon-rat-holding-on-for-dear-life/"
        date = "2021-06-19"
        hash1 = "44237e2de44a533751c0baace09cf83293572ae7c51cb4575e7267be289c6611"
        hash2 = "c98bb0649262277ec9dd16cf27f8b06042ff552535995f2bdd3355d2adeff801"
        hash3 = "e8eea442e148c81f116de31b4fc3d0aa725c5dbbbd840b446a3fb9793d0b9f26"
        tlp = "White"
        adversary = "-"
    strings:
        // Compiled string comparison of a (pointer, length) pair in rdx/rcx against the
        // command names "proxy" (`81 3a 70 72 6f 78` + `80 7a 04 79`, len 5), "shell"
        // (len 5), "binary" (`66 81 7a 04 72 79`, len 6) and "cmd" (`66 81 3a 63 6d` +
        // `80 7a 02 64`, len 3). The shape matches a compiled string switch, which fits a
        // Go binary, but that is inferred from the code, not stated by it.
        $seq1 = { 81 3a 70 72 6f 78 0f 85 [2] 00 00 80 7a 04 79 0f 84 [2] 00 00 48 83 f9 05 75 12 81 3a 73 68 65 6c 75 0a 80 7a 04 6c 0f 84 [2] 00 00 48 83 f9 06 75 14 81 3a 62 69 6e 61 75 0c 66 81 7a 04 72 79 0f 84 [2] 00 00 48 83 f9 03 0f 85 ?? 04 00 00 66 81 3a 63 6d 0f 85 [2] 00 00 80 7a 02 64 0f 84 [2] 00 00 48 83 f9 06 }
        // lea rax/rcx,[rip+disp] followed by stack stores with wildcarded slot offsets.
        $seq2 = { 48 8d 05 [3] 00 48 89 ?? 24 [1-4] 48 c7 84 24 ?? 00 00 00 ?? 00 00 00 48 8d 0d [3] 00 48 89 ?? 24 [0-4] 48 c7 ?? 24 }
        // Argument marshalling through [rsp+x] slots (wildcarded), constants 8, 3, 3,
        // then a relative call; slot offsets are left open to tolerate rebuilds.
        $seq3 = { 48 8d 0d [3] 00 48 89 8c 24 ?? 00 00 00 48 8b 94 24 ?? 00 00 00 48 89 94 24 ?? 00 00 00 48 89 8c 24 ?? 00 00 00 48 8b 94 24 ?? 00 00 00 48 89 94 24 ?? 00 00 00 48 89 8c 24 ?? 00 00 00 48 89 84 24 ?? 00 00 00 48 8d 05 [3] 00 48 89 04 24 48 c7 44 24 08 08 00 00 00 48 8d 84 24 ?? 00 00 00 48 89 44 24 10 48 c7 44 24 18 03 00 00 00 48 c7 44 24 20 03 00 00 00 e8 [3] ff 48 8b 44 24 30 48 89 44 24 58 48 8b 4c 24 28 48 89 8c 24 ?? 00 00 00 }
    condition:
        // MZ header; all three sequences required.
        uint16(0) == 0x5a4d and filesize > 300KB and all of ($seq*)
}
19 |
--------------------------------------------------------------------------------
/2021-06-23/MAL_Gmera_June_2021_1.yara:
--------------------------------------------------------------------------------
rule MAL_Gmera_June_2021_1 {
    meta:
        description = "Detect Gmera malware"
        author = "Arkbird_SOLG"
        reference = "https://twitter.com/BushidoToken/status/1407671196322258948"
        // ref add1 -> https://labs.sentinelone.com/detecting-macos-gmera-malware-through-behavioral-inspection/
        // ref add2 -> https://www.welivesecurity.com/2020/07/16/mac-cryptocurrency-trading-application-rebranded-bundled-malware/
        date = "2021-06-23"
        hash1 = "80e58eb314d0d5e1a50be0c5fca0ca42cdda5e5297d6f7a2590840ac60504be1"
        hash2 = "880df9db805c3e381fd1f71deb664422d725168088b1083c651525dfce5cb033"
        hash3 = "f7921c6b24ab9ac840dbb414a98a0800859ab8d1e5737d551a7939e177c4e2a6"
        tlp = "White"
        adversary = "-"
    strings:
        // Tail of a `echo '<base64>' | base64 -D | sh` stage (macOS `base64 -D` spelling).
        $s1 = "' | base64 -D | sh" fullword ascii
        // `" > /dev/null 2>&1 </dev/null &)` - backgrounded, silenced subshell.
        $s2 = { 22 20 3e 20 2f 64 65 76 2f 6e 75 6c 6c 20 32 3e 26 31 20 3c 2f 64 65 76 2f 6e 75 6c 6c 20 26 29 }
        // Mach-O symbol present in every macOS executable; only useful as a format anchor.
        $s3 = "__mh_execute_header" fullword ascii
        // $s4-$s7 are base64 fragments of the embedded shell script, matched in their
        // encoded form. Decoded (ignoring the partial leading group):
        //   $s4: `awk '/Serial/ {print $4}`            - reads the hardware serial
        //   $s5: `#! /bin/bash` + `function remove_spec_char(){ echo "$1" | tr -dc '[:alnum:].\r' | tr '[:upper:]' '[:lower:]' }`
        //   $s6: `{whoami}&${ip}"`                      - victim identifiers in a request
        //   $s7: ` grep -e Manufacturer -e 'Vendor Name' | grep -E "irtual|racle|ware|arallels"`
        //        - a VM check (Virtual/Oracle/VMware/Parallels), so sandboxes may see the
        //          script exit before the later stages run
        $s4 = { 67 59 58 64 72 49 43 63 76 55 32 56 79 61 57 46 73 4c 79 42 37 63 48 4a 70 62 6e 51 67 4a 44 52 39 }
        $s5 = { 49 79 45 67 4c 32 4a 70 62 69 39 69 59 58 4e 6f 43 67 70 6d 64 57 35 6a 64 47 6c 76 62 69 42 79 5a 57 31 76 64 6d 56 66 63 33 42 6c 59 31 39 6a 61 47 46 79 4b 43 6c 37 43 69 41 67 49 43 42 6c 59 32 68 76 49 43 49 6b 4d 53 49 67 66 43 42 30 63 69 41 74 5a 47 4d 67 4a 31 73 36 59 57 78 75 64 57 30 36 58 53 35 63 63 69 63 67 66 43 42 30 63 69 41 6e 57 7a 70 31 63 48 42 6c 63 6a 70 64 4a 79 41 6e 57 7a 70 73 62 33 64 6c 63 6a 70 64 4a 77 70 39 }
        $s6 = { 38 6b 65 33 64 6f 62 32 46 74 61 58 30 6d 4a 48 74 70 63 48 30 69 43 67 70 }
        $s7 = { 38 49 47 64 79 5a 58 41 67 4c 57 55 67 54 57 46 75 64 57 5a 68 59 33 52 31 63 6d 56 79 49 43 31 6c 49 43 64 57 5a 57 35 6b 62 33 49 67 54 6d 46 74 5a 53 63 67 66 43 42 6e 63 6d 56 77 49 43 31 46 49 43 4a 70 63 6e 52 31 59 57 78 38 63 6d 46 6a 62 47 56 38 64 32 46 79 5a 58 78 68 63 6d 46 73 62 47 56 6c 63 79 49 }
        // `bash -i >/dev/tcp/` <host:port, 8-25 bytes> `0>&1` - the classic bash reverse
        // shell one-liner with the endpoint left variable.
        $s8 = { 62 61 73 68 20 2d 69 20 3e 2f 64 65 76 2f 74 63 70 2f [8-25] 30 3e 26 31 }
    condition:
        // Mach-O 64-bit magic (0xfeedfacf) or fat/universal magic (0xcafebabe read
        // little-endian), size floor, and 5 of the 8 strings.
        (uint32(0) == 0xfeedfacf or uint32(0) == 0xbebafeca) and filesize > 35KB and 5 of ($s*)
}
26 |
--------------------------------------------------------------------------------
/2021-07-06/MAL_ELF_Go_Worm_Jul_2021_1.yara:
--------------------------------------------------------------------------------
rule MAL_ELF_Go_Worm_Jul_2021_1 {
    meta:
        description = "Detect the worm written in Go that drops XMRig Miner"
        author = "Arkbird_SOLG"
        reference1 = "https://twitter.com/IntezerLabs/status/1409844721992749059"
        reference2 = "https://twitter.com/JAMESWT_MHT/status/1409848815948111877"
        date = "2021-07-06"
        hash1 = "774ccd1281b02bc9f0c7e7185c424a42cd98bcc758c893e8a96dfb206a02fcbe"
        hash2 = "bea5a4358184555924ab6c831bf34edf279f4b93d750d5321263439dcf9c245a"
        tlp = "White"
        adversary = "-"
    strings:
        // Plain ASCII format strings, matched as hex so they are not split by the
        // Go string table layout. Decoded:
        // "Worker: (%d), Check IP(%s) with SSH port is open..." - SSH scanning log line
        $s1 = { 57 6f 72 6b 65 72 3a 20 28 25 64 29 2c 20 43 68 65 63 6b 20 49 50 28 25 73 29 20 77 69 74 68 20 53 53 48 20 70 6f 72 74 20 69 73 20 6f 70 65 6e 2e 2e 2e }
        // "cat /dev/null > ~/.bash_history && history -c" - shell-history wiping; a
        // good hunting pivot in auditd/EDR telemetry on its own
        $s2 = { 63 61 74 20 2f 64 65 76 2f 6e 75 6c 6c 20 3e 20 7e 2f 2e 62 61 73 68 5f 68 69 73 74 6f 72 79 20 26 26 20 68 69 73 74 6f 72 79 20 2d 63 }
        // "nohup ./%s &> mysqllogs &" - detached launch of the dropped binary
        $s3 = { 6e 6f 68 75 70 20 2e 2f 25 73 20 26 3e 20 6d 79 73 71 6c 6c 6f 67 73 20 26 }
        // "rm -f %s mysqllogs" - cleanup of the binary and its log file
        $s4 = { 72 6d 20 2d 66 20 25 73 20 6d 79 73 71 6c 6c 6f 67 73 }
        // "command -v bash" - checks for bash on the target
        $s5 = { 63 6f 6d 6d 61 6e 64 20 2d 76 20 62 61 73 68 }
        // "Stop brute on, Worker: (%d), Try: IP: %s, credential: %s/%s (%d/%d): DURATION: %f"
        $s6 = { 53 74 6f 70 20 62 72 75 74 65 20 6f 6e 2c 20 57 6f 72 6b 65 72 3a 20 28 25 64 29 2c 20 54 72 79 3a 20 49 50 3a 20 25 73 2c 20 63 72 65 64 65 6e 74 69 61 6c 3a 20 25 73 2f 25 73 20 28 25 64 2f 25 64 29 3a 20 44 55 52 41 54 49 4f 4e 3a 20 25 66 }
        // "Worker: (%d), Try: IP: %s, credential: %s/%s (%d/%d)" - per-attempt log line
        $s7 = { 57 6f 72 6b 65 72 3a 20 28 25 64 29 2c 20 54 72 79 3a 20 49 50 3a 20 25 73 2c 20 63 72 65 64 65 6e 74 69 61 6c 3a 20 25 73 2f 25 73 20 28 25 64 2f 25 64 29 }
    condition:
        // ELF magic ("\x7fELF" read little-endian), size floor typical of a static Go
        // binary, and every string.
        uint32(0) == 0x464c457f and filesize > 900KB and all of ($s*)
}
23 |
--------------------------------------------------------------------------------
/2021-07-11/IAmTheKing/MAL_JackOfHearts_Jul_2021_1.yara:
--------------------------------------------------------------------------------
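rule MAL_JackOfHearts_Jul_2021_1 {
    meta:
        description = "Detect JackOfHearts malware"
        author = "Arkbird_SOLG"
        // Typo fixed: "hhttps://" -> "https://".
        reference = "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-275a"
        date = "2021-07-09"
        hash1 = "64d78eec46c9ddd4b9a366de62ba0f2813267dc4393bc79e4c9a51a9bb7e6273"
        tlp = "White"
        adversary = "IAmTheKing"
    strings:
        // Environment-variable path tokens; common in benign installers.
        $s1 = "%appdata%" fullword ascii
        $s2 = "%temp%" fullword ascii
        // "C:\Users\" <2-10 bytes> "\AppData\Roaming\" - a profile path with the user
        // name left variable.
        $s3 = { 43 3a 5c 55 73 65 72 73 5c [2-10] 5c 41 70 70 44 61 74 61 5c 52 6f 61 6d 69 6e 67 5c }
        // Service-installation import name.
        $s4 = "CreateServiceA" fullword ascii
        // UTF-16LE "\StringFileInfo\%04x%04x\FileDescription" - version-resource query path.
        $s5 = { 5c 00 53 00 74 00 72 00 69 00 6e 00 67 00 46 00 69 00 6c 00 65 00 49 00 6e 00 66 00 6f 00 5c 00 25 00 30 00 34 00 78 00 25 00 30 00 34 00 78 00 5c 00 46 00 69 00 6c 00 65 00 44 00 65 00 73 00 63 00 72 00 69 00 70 00 74 00 69 00 6f 00 6e }
        $s6 = "\\VarFileInfo\\Translation" fullword wide
        // UTF-16LE "\Filter" <2-8 bytes> ".jpg".
        $s7 = { 5c 00 46 00 69 00 6c 00 74 00 65 00 72 00 [2-8] 2e 00 6a 00 70 00 67 }
        $s8 = "\\SetupUi" fullword wide
        // "Content-Length: %d" - hand-built HTTP header.
        $s9 = { 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 25 64 }
        $s10 = "%s.tmp" fullword wide
    condition:
        // MZ header; 7 of 10. $s1, $s2, $s4, $s6, $s10 occur widely in benign software,
        // so the specificity rests on $s3, $s5, $s7, $s8 and $s9. Note $s5-$s9 are also
        // used by MAL_SlothfulMedia_Jul_2021_1 (as $s1-$s4 and $s7) in this set.
        uint16(0) == 0x5a4d and filesize > 20KB and 7 of ($s*)
}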
24 |
--------------------------------------------------------------------------------
/2021-07-11/IAmTheKing/MAL_Keylogger_Jul_2021_1.yara:
--------------------------------------------------------------------------------
rule MAL_Keylogger_Jul_2021_1 {
    meta:
        description = "Detect a keylogger used by IAmTheKing group"
        author = "Arkbird_SOLG"
        reference = "https://securelist.com/iamtheking-and-the-slothfulmedia-malware-family/99000/"
        date = "2021-07-09"
        // Build 2019
        hash1 = "4c6995cb65ffeac1272d296eb3273b9fbca7f4d603312a5085b5c3be96154915"
        // Build 2015
        hash2 = "79d363a163dfb0088545e66404e0213a9e18d5ee66713d7bc906ed97c46b5ca3"
        tlp = "White"
        adversary = "IAmTheKing"
    strings:
        // Misspelled developer message kept verbatim; the typo is what makes it specific.
        $s1 = "sonme hting is wrong x" fullword ascii
        // "%s%s%s%s" - generic format string, weak on its own.
        $s2 = { 25 73 25 73 25 73 25 73 }
        // "\r\n[DATA]:\r\n" NUL "Log.txt" - log section header and the log file name.
        $s3 = { 0d 0a 5b 44 41 54 41 5d 3a 0d 0a 00 4c 6f 67 2e 74 78 74 }
        // "\r\n[TIME:]%d/%d/%d %02d:%02d:%02d\r\n[TITLE:]" - per-window log record layout
        // (timestamp followed by the window title), a useful marker for log files on disk too.
        $s4 = { 0d 0a 5b 54 49 4d 45 3a 5d 25 64 2f 25 64 2f 25 64 20 25 30 32 64 3a 25 30 32 64 3a 25 30 32 64 0d 0a 5b 54 49 54 4c 45 3a 5d }
        // "%s-%02d-%02d-%02d-%02d" - timestamped file name pattern.
        $s5 = { 25 73 2d 25 30 32 64 2d 25 30 32 64 2d 25 30 32 64 2d 25 30 32 64 }
        // 32-bit code with absolute call targets (`ff 15 c4 80 40 00`), so tied to this
        // build's image layout.
        $s6 = { 6a 00 56 ff 75 f8 8d 45 e4 50 ff 75 f0 ff 75 f4 ff 75 08 ff 15 c4 80 40 00 8b f0 3b f7 74 12 56 ff 15 70 80 40 00 85 c0 75 1b 56 ff 15 78 }
    condition:
        // MZ header; 5 of 6 lets one string (typically the build-specific $s6) be absent.
        uint16(0) == 0x5a4d and filesize > 25KB and 5 of ($s*)
}
23 |
--------------------------------------------------------------------------------
/2021-07-11/IAmTheKing/MAL_KingOfHearts_Jul_2021_1.yara:
--------------------------------------------------------------------------------
rule MAL_KingOfHearts_Jul_2021_1 {
    meta:
        description = "Detect KingOfHearts malware"
        author = "Arkbird_SOLG"
        reference = "https://twitter.com/ShadowChasing1/status/1413111641504292864"
        date = "2021-07-09"
        hash1 = "0639e8f5e517c3f57d28bfd9f51cabfb275c64b7bca224656c2ac04f5a8c3af0"
        hash2 = "0340a90ed4000e579c29f6ad7d4ab2ae1d30f18a2e777689e3e576862efbd6e0"
        hash3 = "393ccb9853ea7628792e4dd982c2dd52dd8f768fdb7b80b20cbfc2fac4e298a4"
        tlp = "White"
        adversary = "IAmTheKing"
    strings:
        // UTF-16LE 'CreateDownLoadFile "%s" Failed,Error=%d' - file-download error message
        $s1 = { 43 00 72 00 65 00 61 00 74 00 65 00 44 00 6f 00 77 00 6e 00 4c 00 6f 00 61 00 64 00 46 00 69 00 6c 00 65 00 20 00 22 00 25 00 73 00 22 00 20 00 46 00 61 00 69 00 6c 00 65 00 64 00 2c 00 45 00 72 00 72 00 6f 00 72 00 3d 00 25 00 64 }
        // UTF-16LE 'CreateUpLoadFile "%s"' - counterpart for uploads
        $s2 = { 43 00 72 00 65 00 61 00 74 00 65 00 55 00 70 00 4c 00 6f 00 61 00 64 00 46 00 69 00 6c 00 65 00 20 00 22 00 25 00 73 00 22 }
        // Registry path for BIOS description and a Virtual PC driver name - both are
        // typical artefacts of a virtual-machine check; confirm on the samples.
        $s3 = "HARDWARE\\DESCRIPTION\\System\\BIOS" fullword ascii
        $s4 = "\\1-driver-vmsrvc" fullword ascii
        // "start down: %s\n" - download log line
        $s5 = { 73 74 61 72 74 20 64 6f 77 6e 3a 20 25 73 0a }
        // UTF-16LE 'file delete success "%s"' - deletion log line
        $s6 = { 66 00 69 00 6c 00 65 00 20 00 64 00 65 00 6c 00 65 00 74 00 65 00 20 00 73 00 75 00 63 00 63 00 65 00 73 00 73 00 20 00 22 00 25 00 73 00 22 }
    condition:
        // MZ header; 4 of the 6 strings.
        uint16(0) == 0x5a4d and filesize > 35KB and 4 of ($s*)
}
22 |
--------------------------------------------------------------------------------
/2021-07-11/IAmTheKing/MAL_QueenOfHearts_Jul_2021_1.yara:
--------------------------------------------------------------------------------
rule MAL_QueenOfHearts_Jul_2021_1 {
    meta:
        description = "Detect QueenOfHearts malware"
        author = "Arkbird_SOLG"
        reference = "https://twitter.com/ShadowChasing1/status/1413111641504292864"
        date = "2021-07-09"
        hash1 = "44eb620879e0c3f80ff95fda5b1e301d471b59e47c4002132df646acfc7cc5ba"
        hash2 = "a63600e5c28a4c1770a53d310ff017abd3cb9c20cb58a85d53df0c06bcae1864"
        hash3 = "f110ebee387c2dfac08beb674a8efec20940bc562c5231e9bb4a90296476c29f"
        tlp = "White"
        adversary = "IAmTheKing"
    strings:
        // HTTP client log/error messages (ASCII and UTF-16).
        $s1 = "send request error:%d" fullword ascii
        $s2 = "cookie size :%d" fullword wide
        $s3 = "querycode error" fullword wide
        // Beacon body template, single-quoted JSON-like:
        //   {'session':[{'name':'<1-10>','id':<1-6>,'time':<3-10>}],'jpg':
        // Useful for a network signature as well as for the binary.
        $s4 = { 7b 27 73 65 73 73 69 6f 6e 27 3a 5b 7b 27 6e 61 6d 65 27 3a 27 [1-10] 27 2c 27 69 64 27 3a [1-6] 2c 27 74 69 6d 65 27 3a [3-10] 7d 5d 2c 27 6a 70 67 27 3a }
        // Likely a mutex name template ("PmMytex%d"); confirm against the samples.
        $s5 = "PmMytex%d" fullword wide
        // UTF-16LE "Content-Length: %I64u\r\n" - hand-built HTTP header with a 64-bit length.
        $s6 = { 43 00 6f 00 6e 00 74 00 65 00 6e 00 74 00 2d 00 4c 00 65 00 6e 00 67 00 74 00 68 00 3a 00 20 00 25 00 49 00 36 00 34 00 75 00 0d 00 0a }
        // UTF-16LE "%s\%s.log"
        $s7 = { 25 00 73 00 5c 00 25 00 73 00 2e 00 6c 00 6f 00 67 }
        // UTF-16LE "%s_%c%c%c%c_%d" - name built from four characters and a number.
        $s8 = { 25 00 73 00 5f 00 25 00 63 00 25 00 63 00 25 00 63 00 25 00 63 00 5f 00 25 00 64 }
    condition:
        // MZ header; 5 of the 8 strings.
        uint16(0) == 0x5a4d and filesize > 100KB and 5 of ($s*)
}
24 |
--------------------------------------------------------------------------------
/2021-07-11/IAmTheKing/MAL_SlothfulMedia_Jul_2021_1.yara:
--------------------------------------------------------------------------------
rule MAL_SlothfulMedia_Jul_2021_1 {
    meta:
        description = "Detect SlothfulMedia malware"
        author = "Arkbird_SOLG"
        // NOTE(review): "hhttps://" is a typo for "https://" in this reference.
        reference = "hhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-275a"
        date = "2021-07-09"
        hash1 = "04ca010f4c8997a023fabacae230698290e3ff918a86703c5e0a2a6983b039eb"
        hash2 = "927d945476191a3523884f4c0784fb71c16b7738bd7f2abd1e3a198af403f0ae"
        hash3 = "ed5258306c06d6fac9b13c99c7c8accc7f7fa0de4cf4de4f7d9eccad916555f5"
        tlp = "White"
        adversary = "IAmTheKing"
    strings:
        // $s1-$s4 and $s7 are the same byte strings as $s5-$s9 of
        // MAL_JackOfHearts_Jul_2021_1 in this set; the two families share this code.
        // UTF-16LE "\StringFileInfo\%04x%04x\FileDescription" - version-resource query.
        $s1 = { 5c 00 53 00 74 00 72 00 69 00 6e 00 67 00 46 00 69 00 6c 00 65 00 49 00 6e 00 66 00 6f 00 5c 00 25 00 30 00 34 00 78 00 25 00 30 00 34 00 78 00 5c 00 46 00 69 00 6c 00 65 00 44 00 65 00 73 00 63 00 72 00 69 00 70 00 74 00 69 00 6f 00 6e }
        $s2 = "\\VarFileInfo\\Translation" fullword wide
        // UTF-16LE "\Filter" <2-8 bytes> ".jpg".
        $s3 = { 5c 00 46 00 69 00 6c 00 74 00 65 00 72 00 [2-8] 2e 00 6a 00 70 00 67 }
        $s4 = "\\SetupUi" fullword wide
        // UTF-16LE "%s|%s|%s|%s" - pipe-delimited record.
        $s5 = { 25 00 73 00 7c 00 25 00 73 00 7c 00 25 00 73 00 7c 00 25 00 73 }
        // UTF-16LE "Global\%s%d" - a named kernel object in the Global namespace
        // (mutex/event style name); confirm which on the samples.
        $s6 = { 47 00 6c 00 6f 00 62 00 61 00 6c 00 5c 00 25 00 73 00 25 00 64 }
        // "Content-Length: %d" - hand-built HTTP header.
        $s7 = { 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 25 64 }
        // UTF-16LE "Era upload:%s %d" - upload log line.
        $s8 = { 45 00 72 00 61 00 20 00 75 00 70 00 6c 00 6f 00 61 00 64 00 3a 00 25 00 73 00 20 00 25 00 64 }
        // Plugin/command names; the keylogger ones are the most specific strings here.
        $s9 = "ExtKeyloggerStart" fullword ascii
        $s10 = "ExtKeyloggerStop" fullword ascii
        $s11 = "ExtServiceDelete" fullword ascii
    condition:
        // MZ header; 8 of 11 strings.
        uint16(0) == 0x5a4d and filesize > 20KB and 8 of ($s*)
}
27 |
--------------------------------------------------------------------------------
/2021-07-11/IAmTheKing/Tool_ScreenCapture_Jul_2021_1.yara:
--------------------------------------------------------------------------------
rule Tool_ScreenCapture_Jul_2021_1 {
    meta:
        description = "Detect Screen Capture utility"
        author = "Arkbird_SOLG"
        reference = "https://securelist.com/iamtheking-and-the-slothfulmedia-malware-family/99000/"
        date = "2021-07-09"
        // Build 2017
        hash1 = "f441e6239b592ac15538a8ba8903e5874283b066050a5a7e514ce33e84237f4e"
        tlp = "White"
        adversary = "IAmTheKing"
    strings:
        // Output file name of the capture; the most specific string in the rule.
        $s1 = "@MyScreen.jpg" fullword wide
        // Display device name, GDI+ stream export and a CRT error-reporting stub -
        // all common in benign screenshot code, so they carry little weight alone.
        $s2 = "DISPLAY" fullword wide
        $s3 = "_invoke_watson" fullword ascii
        $s4 = "GdipSaveImageToStream" fullword ascii
        // 32-bit code with absolute call targets (`ff 15 f4 30 40 00`), build-specific.
        $s5 = { 8b 57 04 89 4d e8 8d 4d e8 51 52 e8 16 0c 00 00 85 c0 74 03 89 47 08 8b 75 e8 81 fe 00 04 00 00 77 18 56 e8 ac f9 ff ff 83 c4 04 84 c0 74 0b 8b c6 e8 9e 15 00 00 8b f4 eb 35 83 c8 ff 2b c6 83 f8 08 72 15 8d 46 08 50 ff 15 f4 30 40 00 83 c4 04 85 }
    condition:
        // MZ header and a bounded size window (small utility), then 4 of 5 strings.
        uint16(0) == 0x5a4d and ( filesize > 8KB and filesize < 60KB ) and 4 of ($s*)
}
20 |
--------------------------------------------------------------------------------
/2021-07-13/EvilNum/APT_EvilNum_JS_Jul_2021_1.yara:
--------------------------------------------------------------------------------
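rule APT_EvilNum_JS_Jul_2021_1 {
    meta:
        description = "Detect JS script used by EvilNum group"
        author = "Arkbird_SOLG"
        reference = "Internal Research"
        // Year corrected from 2020: the rule name and the 2021-07-13 directory place it in 2021.
        date = "2021-07-13"
        hash1 = "8420577149bef1eb12387be3ea7c33f70272e457891dfe08fdb015ba7cd92c72"
        hash2 = "c16824a585c9a77332fc16357b5e00fc110c00535480e9495c627f656bb60f24"
        hash3 = "1061baf604aaa7ed5ba3026b9367de7b6c7f20e7e706d9e9b5308c45a64b2679"
        tlp = "white"
        adversary = "EvilNum"
    strings:
        // `WScript.CreateObject("MSXml2.DOMDocument").createElement("Base64Data");` -
        // the MSXML base64 decode trick.
        // The original rule also had $s2 as a byte-for-byte duplicate of this string
        // (probably a copy-paste slip). It has been dropped and the condition rewritten
        // so the matching behaviour is unchanged: with the duplicate, "6 of 7" could only
        // be met when $s1 matched together with 4 of the remaining five.
        $s1 = { 57 53 63 72 69 70 74 2e 43 72 65 61 74 65 4f 62 6a 65 63 74 28 22 4d 53 58 6d 6c 32 2e 44 4f 4d 44 6f 63 75 6d 65 6e 74 22 29 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 42 61 73 65 36 34 44 61 74 61 22 29 3b }
        // `if (-1 != WScript.ScriptFullName.indexOf(` <1-8> `("` - checks its own path.
        $s3 = { 69 66 20 28 2d 31 20 21 3d 20 57 53 63 72 69 70 74 2e 53 63 72 69 70 74 46 75 6c 6c 4e 61 6d 65 2e 69 6e 64 65 78 4f 66 28 [1-8] 28 22 }
        // `Run(` <1-8> `0, 0)` - consistent with WshShell.Run with a hidden window and no wait.
        $s4 = { 52 75 6e 28 [1-8] 30 2c 20 30 29 }
        // `}, ? = ?.charCodeAt(0), ? = ?.slice(1, 1 + ?), ? = ?.slice(1 + ? + 4), ? = [],` -
        // header parsing of the obfuscated blob: first char is a length, then a field of
        // that length, then 4 bytes are skipped. Variable names are wildcarded.
        $s5 = { 7d 2c 20 ?? 20 3d 20 ?? 2e 63 68 61 72 43 6f 64 65 41 74 28 30 29 2c 20 ?? 20 3d 20 ?? 2e 73 6c 69 63 65 28 31 2c 20 31 20 2b 20 ?? 29 2c 20 ?? 20 3d 20 ?? 2e 73 6c 69 63 65 28 31 20 2b 20 ?? 20 2b 20 34 29 2c 20 ?? 20 3d 20 5b 5d 2c }
        // `WScript.CreateObject("ADODB.Stream");` - binary file write from script.
        $s6 = { 57 53 63 72 69 70 74 2e 43 72 65 61 74 65 4f 62 6a 65 63 74 28 22 41 44 4f 44 42 2e 53 74 72 65 61 6d 22 29 3b }
        // `[?] = ? + "-" + ? + "-" + ? + "T" + ? + ":" + ? + ":" + ?;` - builds an
        // ISO-8601-like timestamp.
        $s7 = { 5b ?? 5d 20 3d 20 ?? 20 2b 20 22 2d 22 20 2b 20 ?? 20 2b 20 22 2d 22 20 2b 20 ?? 20 2b 20 22 54 22 20 2b 20 ?? 20 2b 20 22 3a 22 20 2b 20 ?? 20 2b 20 22 3a 22 20 2b 20 ?? 3b }
    condition:
        // Equivalent to the original "6 of ($s*)" over seven strings where $s2 == $s1.
        filesize > 8KB and $s1 and 4 of ($s3, $s4, $s5, $s6, $s7)
}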
23 |
--------------------------------------------------------------------------------
/2021-07-13/EvilNum/APT_EvilNum_LNK_Jul_2021_1.yara:
--------------------------------------------------------------------------------
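rule APT_EvilNum_LNK_Jul_2021_1 {
    meta:
        description = "Detect LNK file used by EvilNum group"
        author = "Arkbird_SOLG"
        reference = "Internal Research"
        // Year corrected from 2020: the rule name and the 2021-07-13 directory place it in 2021.
        date = "2021-07-13"
        hash1 = "b60ae30ba90f852f886bb4e9aaabe910add2b70278e3a88a3b7968f644e10554"
        hash2 = "bc203f44b48c9136786891be153311c37ce74ceb7eb540d515032c152f5eb2fb"
        hash3 = "fefc9dbb46bc02a2bdccbf3c581d270f6341562e050e5357484ecae7e1e702f3"
        tlp = "white"
        adversary = "EvilNum"
    strings:
        // SID fragment embedded in the shortcuts - an artefact of the machine that built
        // them, so it links samples to one another rather than describing behaviour.
        $s1 = "1-5-21-669817101-1001941732-3035937113-1000" fullword wide
        // Relative and absolute target paths pointing the shortcut at cmd.exe.
        $s2 = "*..\\..\\..\\..\\..\\..\\Windows\\System32\\cmd.exe" fullword wide
        $s3 = "C:\\Windows\\System32\\cmd.exe" fullword wide
        $s4 = "System32 (C:\\Windows)" fullword wide
        // UTF-16LE "=%tmp%\test.c&" - part of the command line written into %tmp%.
        $s5 = { 3d 00 25 00 74 00 6d 00 70 00 25 00 5c 00 74 00 65 00 73 00 74 00 2e 00 63 00 26 }
        // UTF-16LE `<"%` <5 bytes> `%md"&netstat -` - redirection into a %...%md variable
        // followed by a netstat call in the same command line.
        $s6 = { 3c 00 22 00 25 [5] 25 00 6d 00 64 00 22 00 26 00 6e 00 65 00 74 00 73 00 74 00 61 00 74 00 20 00 2d }
        // UTF-16LE "C:\Program Files\Windows NT\Accessories\wordpad.exe" - icon/decoy path.
        $s7 = { 43 00 3a 00 5c 00 50 00 72 00 6f 00 67 00 72 00 61 00 6d 00 20 00 46 00 69 00 6c 00 65 00 73 00 5c 00 57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 20 00 4e 00 54 00 5c 00 41 00 63 00 63 00 65 00 73 00 73 00 6f 00 72 00 69 00 65 00 73 00 5c 00 77 00 6f 00 72 00 64 00 70 00 61 00 64 00 2e 00 65 00 78 00 65 }
    condition:
        // No LNK magic check; the 60KB floor is unusually large for a shortcut and is
        // what separates these padded samples from ordinary .lnk files.
        filesize > 60KB and 6 of ($s*)
}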
23 |
--------------------------------------------------------------------------------
/2021-07-13/EvilNum/decoder.js:
--------------------------------------------------------------------------------
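'use strict';

/**
 * Decodes one EvilNum-style obfuscated string.
 *
 * The scheme mirrored from the samples: base64-decode the blob, take the last
 * `keyLength` characters as the XOR key, and XOR the preceding characters with
 * the key repeated cyclically. Uses the global `atob` so the same snippet runs
 * in a browser console and in Node (16+), where `window` does not exist.
 *
 * @param {string} encoded - base64 blob: payload followed by the key
 * @param {number} [keyLength=6] - number of trailing characters that form the key
 * @returns {string} the decoded plaintext (empty when the blob holds only a key)
 * @throws {Error} when the decoded blob is shorter than keyLength, i.e. there is
 *   no key to work with (the original silently printed an empty string here)
 */
function decodeEvilNumString(encoded, keyLength = 6) {
  const raw = atob(encoded);
  if (raw.length < keyLength) {
    throw new Error(`encoded data is shorter than the ${keyLength}-character key`);
  }
  const key = raw.slice(raw.length - keyLength);
  const payload = raw.slice(0, raw.length - keyLength);
  let decoded = '';
  for (let i = 0; i < payload.length; i += 1) {
    // i % key.length makes the key repeat across the whole payload.
    decoded += String.fromCharCode(payload.charCodeAt(i) ^ key.charCodeAt(i % key.length));
  }
  return decoded;
}

const encdata = "JEUdRhwAMF4bWDIpGXMTQiEDBVgXRXcxcjZVZg=="; // push the encoded data
console.log(decodeEvilNumString(encdata));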
14 |
--------------------------------------------------------------------------------
/2021-07-14/Infos.csv:
--------------------------------------------------------------------------------
1 | "Date_build","Date_VT","Parent","Hash","Notes"
2 | "2019-12-24 21:03:00","2020-07-27 09:02:21","-","ea047c9ac41a23ac85745acbb24bdb585081d407fc574ed4cbcc00f74a2fd2d2","Maldoc"
3 | "2020-07-14 10:23:20","2020-07-27 10:03:20","ea047c9ac41a23ac85745acbb24bdb585081d407fc574ed4cbcc00f74a2fd2d2","ef80365cdbeb46fa208e98ca2f73b7d3d2bde10ea6c3f7cc22d4bbf39d921524","Downloader, dropped by all the maldocs"
4 | "2020-11-06 09:22:00","2021-07-14 09:16:50","-","654393966ff2c352c5b0a1286fa78c2a54410068ea1d7b1f60ab4924bfa5e36e","Maldoc"
5 |
--------------------------------------------------------------------------------
/2021-07-14/MAL_Unknown_PE_Jul_2021_1.yara:
--------------------------------------------------------------------------------
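rule MAL_Unknown_PE_Jul_2021_1 {
    meta:
        // Wording fixed; meaning unchanged.
        description = "Detect an unknown TA that focuses on Russian people"
        author = "Arkbird_SOLG"
        reference = "https://twitter.com/ShadowChasing1/status/1415292150258880513"
        // Year corrected from 2020: the rule name, the 2021-07-14 directory and the
        // Infos.csv first-seen date for hash1 (2021-07-14) all place it in 2021.
        date = "2021-07-14"
        hash1 = "ef80365cdbeb46fa208e98ca2f73b7d3d2bde10ea6c3f7cc22d4bbf39d921524"
        tlp = "white"
        adversary = "-"
    strings:
        // UTF-16LE "schtasks /CREATE /SC ONCE /TN %s /TR %s /RI 1 /ST %02d:%02d /ET %02d:%02d /F"
        // - scheduled-task persistence via the command-line tool; the same string is a
        // good process-creation hunt (schtasks.exe spawned with /SC ONCE and /RI 1).
        $s1 = { 73 00 63 00 68 00 74 00 61 00 73 00 6b 00 73 00 20 00 2f 00 43 00 52 00 45 00 41 00 54 00 45 00 20 00 2f 00 53 00 43 00 20 00 4f 00 4e 00 43 00 45 00 20 00 2f 00 54 00 4e 00 20 00 25 00 73 00 20 00 2f 00 54 00 52 00 20 00 25 00 73 00 20 00 2f 00 52 00 49 00 20 00 31 00 20 00 2f 00 53 00 54 00 20 00 25 00 30 00 32 00 64 00 3a 00 25 00 30 00 32 00 64 00 20 00 2f 00 45 00 54 00 20 00 25 00 30 00 32 00 64 00 3a 00 25 00 30 00 32 00 64 00 20 00 2f 00 46 }
        // UTF-16LE "schtasks /End /TN %s"
        $s2 = { 73 00 63 00 68 00 74 00 61 00 73 00 6b 00 73 00 20 00 2f 00 45 00 6e 00 64 00 20 00 2f 00 54 00 4e 00 20 00 25 00 73 }
        // UTF-16LE "schtasks /Delete /TN %s /F < %s" - task removal with stdin redirected.
        $s3 = { 73 00 63 00 68 00 74 00 61 00 73 00 6b 00 73 00 20 00 2f 00 44 00 65 00 6c 00 65 00 74 00 65 00 20 00 2f 00 54 00 4e 00 20 00 25 00 73 00 20 00 2f 00 46 00 20 00 3c 00 20 00 25 00 73 }
        // Hard-coded marker file name.
        $s4 = "6ad5e187ae3e8911c420434551678df2.txt" fullword wide
        // "URLDownloader"
        $s5 = { 55 52 4c 44 6f 77 6e 6c 6f 61 64 65 72 }
        // "dll" NUL "MyExport" - export name following the module name in the export table.
        $s6 = { 64 6c 6c 00 4d 79 45 78 70 6f 72 74 }
    condition:
        // MZ header; 5 of the 6 strings.
        uint16(0) == 0x5a4d and filesize > 8KB and 5 of ($s*)
}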
20 |
--------------------------------------------------------------------------------
/2021-07-16/Crylock/RAN_Crylock_July_2021_1.yara:
--------------------------------------------------------------------------------
rule RAN_Crylock_July_2021_1
{
    meta:
        description = "Detect CryLock ransomware (ex-Cryakl)"
        author = "Arkbird_SOLG"
        date = "2021-07-17"
        reference = "https://twitter.com/BushidoToken/status/1415958829318217730"
        hash1 = "a962501ea4cd363dd588c948ff8b0ab24aa4132ff58f4a7806af06efa3b791ef"
        hash2 = "1c2975dd464d014502a46ba6383943c7de4635e3664011653217dc424d53f8fe"
        hash3 = "e001f6a5b2d4d2659b010fb5825eb4383e8f415861a244329bc70cfcd18da507"
        tlp = "White"
        adversary = "RAAS"
    strings:
        // `/c "ping 0.0.0.0&del "` - cmd.exe self-deletion stub (ping as a delay, then del).
        $s1 = { 2f 63 20 22 70 69 6e 67 20 30 2e 30 2e 30 2e 30 26 64 65 6c 20 22 }
        // "{ENCRYPTSTART}{" and "{ENCRYPTENDED}" - markers around the encrypted region.
        $s2 = { 7b 45 4e 43 52 59 50 54 53 54 41 52 54 7d 7b }
        $s3 = { 7b 45 4e 43 52 59 50 54 45 4e 44 45 44 7d }
        // Configuration section terminators, in order: "///END UNENCRYPT EXTENATIONS\\\"
        // (sic), "///END COMMANDS LIST\\\", "///END PROCESSES KILL LIST\\\",
        // "///END SERVICES STOP LIST\\\", "///END PROCESSES WHITE LIST\\\",
        // "///END UNENCRYPT FILES LIST\\\", "///END UNENCRYPT FOLDERS LIST\\\".
        // Each is preceded by `ff ff ff ff <len> 00 00 00`, where <len> equals the string
        // length - consistent with Delphi long-string headers (refcount -1, length).
        $s4 = { 2f 2f 2f 45 4e 44 20 55 4e 45 4e 43 52 59 50 54 20 45 58 54 45 4e 41 54 49 4f 4e 53 5c 5c 5c 00 ff ff ff ff 17 00 00 00 2f 2f 2f 45 4e 44 20 43 4f 4d 4d 41 4e 44 53 20 4c 49 53 54 5c 5c 5c 00 ff ff ff ff 1d 00 00 00 2f 2f 2f 45 4e 44 20 50 52 4f 43 45 53 53 45 53 20 4b 49 4c 4c 20 4c 49 53 54 5c 5c 5c 00 00 00 ff ff ff ff 1c 00 00 00 2f 2f 2f 45 4e 44 20 53 45 52 56 49 43 45 53 20 53 54 4f 50 20 4c 49 53 54 5c 5c 5c 00 00 00 00 ff ff ff ff 1e 00 00 00 2f 2f 2f 45 4e 44 20 50 52 4f 43 45 53 53 45 53 20 57 48 49 54 45 20 4c 49 53 54 5c 5c 5c 00 00 ff ff ff ff 1e 00 00 00 2f 2f 2f 45 4e 44 20 55 4e 45 4e 43 52 59 50 54 20 46 49 4c 45 53 20 4c 49 53 54 5c 5c 5c 00 00 ff ff ff ff 20 00 00 00 2f 2f 2f 45 4e 44 20 55 4e 45 4e 43 52 59 50 54 20 46 4f 4c 44 45 52 53 20 4c 49 53 54 5c 5c 5c }
        // `IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")` - the `%0:s` indexed
        // format specifiers are Delphi Format() syntax, supporting the Delphi reading above.
        $s5 = { 49 45 28 41 4c 28 22 25 73 22 2c 34 29 2c 22 41 4c 28 5c 22 25 30 3a 73 5c 22 2c 33 29 22 2c 22 4a 4b 28 5c 22 25 31 3a 73 5c 22 2c 5c 22 25 30 3a 73 5c 22 29 22 29 }
        // "<%UNDECRYPT_DATETIME%>" - placeholder in the ransom note template.
        $s6 = { 3c 25 55 4e 44 45 43 52 59 50 54 5f 44 41 54 45 54 49 4d 45 25 3e }
        // UTF-16LE "%s (%s, line %d)" - runtime error message format; generic on its own.
        $s7 = { 25 00 73 00 20 00 28 00 25 00 73 00 2c 00 20 00 6c 00 69 00 6e 00 65 00 20 00 25 00 64 00 29 }
    condition:
        // MZ header; 6 of the 7 strings.
        uint16(0) == 0x5a4d and filesize > 80KB and 6 of ($s*)
}
24 |
--------------------------------------------------------------------------------
/2021-07-17/BigBoss/APT_Turla_BigBoss_Apr_2021_1.yara:
--------------------------------------------------------------------------------
1 | rule APT_Turla_BigBoss_Apr_2021_1 { // Keys on named-pipe / IPC$ path formats plus the registry values that control anonymous (null-session) pipe access; one code pattern ($s1) tied to a fixed 0x0040xxxx address range
2 | meta:
3 | description = "Detects new BigBoss implants (SilentMoon/GoldenSky)"
4 | author = "Arkbird_SOLG"
5 | reference = "https://twitter.com/DrunkBinary/status/1304086230540390400"
6 | date = "2021-04-06"
7 | hash1 = "94421ccb97b784c43d92c4b1438481eee9c907db6b13f6cfc4b86a6bb057ddcd"
8 | hash2 = "67bfa585ace8df20deb1d8a05bd4acf2c84c6fa0966276b3ea7607056abe25bb"
9 | hash3 = "6ca0b4efe077fe05b2ae871bf50133c706c7090a54d2c3536a6c86ff454caa9a"
10 | strings:
11 | $s1 = { 55 8b ec a1 [2] 40 00 83 ec 3c 50 6a 3c 8d 4d c4 51 68 [2] 40 00 68 [2] 40 00 68 [2] 40 00 ff 15 78 ?? 40 00 8d 45 c4 8d 50 02 8d 49 00 66 8b 08 83 c0 02 66 85 c9 75 f5 2b c2 d1 f8 75 1c 8b 15 [2] 40 00 52 68 [2] 40 00 68 [2] 40 00 68 [2] 40 00 ff 15 [2] 40 00 8b e5 } // x86 prologue: a call taking a 0x3c-byte stack buffer and three pointers, then an inlined wide-string length loop (66 8b 08 / 83 c0 02 / 66 85 c9 / 75 f5). The `[2] 40 00` operands are absolute 0x0040xxxx addresses, so this only matches a non-relocated 0x00400000 image base
12 | $s2 = { 5c 00 5c 00 2e 00 5c 00 47 00 6c 00 6f 00 62 00 61 00 6c 00 5c 00 50 00 49 00 50 00 45 00 5c } // UTF-16LE "\\.\Global\PIPE\"
13 | $s3 = { 5c 5c 25 73 5c 70 69 70 65 5c 25 73 } // ASCII "\\%s\pipe\%s" (named pipe on a remote host)
14 | $s4 = { 5c 00 69 00 6e 00 66 00 5c 00 00 00 [4-16] 2e 00 69 00 6e 00 66 } // UTF-16LE "\inf\" ... ".inf"
15 | $s5 = "%d blocks, %d sorted, %d scanned" ascii fullword
16 | $s6 = "REMOTE_NS:ERROR:%d" ascii fullword
17 | $s7 = { 5c 5c 25 73 5c 69 70 63 24 } // ASCII "\\%s\ipc$"
18 | $s8 = { 53 00 59 00 53 00 54 00 45 00 4d 00 5c 00 43 00 75 00 72 00 72 00 65 00 6e 00 74 00 43 00 6f 00 6e 00 74 00 72 00 6f 00 6c 00 53 00 65 00 74 00 5c 00 53 00 65 00 72 00 76 00 69 00 63 00 65 00 73 00 5c 00 6c 00 61 00 6e 00 6d 00 61 00 6e 00 73 00 65 00 72 00 76 00 65 00 72 00 5c 00 70 00 61 00 72 00 61 00 6d 00 65 00 74 00 65 00 72 00 73 00 00 00 4e 00 75 00 6c 00 6c 00 53 00 65 00 73 00 73 00 69 00 6f 00 6e 00 50 00 69 00 70 00 65 00 73 00 00 00 00 00 53 00 59 00 53 00 54 00 45 00 4d 00 5c 00 43 00 75 00 72 00 72 00 65 00 6e 00 74 00 43 00 6f 00 6e 00 74 00 72 00 6f 00 6c 00 53 00 65 00 74 00 5c 00 43 00 6f 00 6e 00 74 00 72 00 6f 00 6c 00 5c 00 4c 00 53 00 41 00 00 00 00 00 52 00 65 00 73 00 74 00 72 00 69 00 63 00 74 00 41 00 6e 00 6f 00 6e 00 79 00 6d 00 6f 00 75 00 73 } // UTF-16LE, four adjacent strings: "SYSTEM\CurrentControlSet\Services\lanmanserver\parameters", "NullSessionPipes", "SYSTEM\CurrentControlSet\Control\LSA", "RestrictAnonymous" — the key/value pairs that govern anonymous pipe access; their adjacency in this order is the strong part of the rule
19 | condition:
20 | uint16(0) == 0x5a4d and filesize > 20KB and 7 of ($s*) // 0x5a4d = "MZ" (PE header); 7 of the 8 strings, so one miss is tolerated
21 | }
22 |
--------------------------------------------------------------------------------
/2021-07-22/WIP_Unk_Wiper_July_2021_1.yara:
--------------------------------------------------------------------------------
1 | rule WIP_Unk_Wiper_July_2021_1 { // Two string sets: $s* for the unpacked sample (anti-analysis strings + fixed-address code), $p* for fragments that survive in the UPX-packed sample (see the hash comments)
2 | meta:
3 | description = "Detect unknown wiper that focuses olympic games in Japan"
4 | author = "Arkbird_SOLG"
5 | reference = "https://www.mbsd.jp/research/20210721/blog/"
6 | date = "2021-07-22"
7 | hash1 = "295d0aa4bf13befebafd7f5717e7e4b3b41a2de5ef5123ee699d38745f39ca4f" // unpacked sample
8 | hash2 = "511fee839098dfa28dd859ffd3ece5148be13bfb83baa807ed7cac2200103390" // packed UPX sample
9 | tlp = "green"
10 | adversary = "Olympic Destroyer ?"
11 | strings:
12 | $s1 = "\\\\.\\Global\\ProcmonDebugLogger" fullword ascii // Process Monitor's device name — an anti-analysis check for a running Procmon
13 | $s2 = { 50 52 4f 43 4d 4f 4e 5f 57 49 4e 44 4f 57 5f 43 4c 41 53 53 00 00 00 00 4f 6c 6c 79 44 62 67 } // ASCII "PROCMON_WINDOW_CLASS" \0\0\0\0 "OllyDbg" — window-class names used to detect analysis tools
14 | $s3 = { 8d 44 24 10 50 ff 15 08 30 40 00 50 ff 15 2c 30 40 00 83 7c 24 10 00 0f 85 76 02 00 00 33 c9 0f 1f } // x86 with fixed IAT slots (ff 15 xx 30 40 00) and a fixed jump displacement — no wildcards, so only this exact build matches
15 | $s4 = { 50 68 00 12 40 00 ff 15 60 30 40 00 85 c0 0f 85 ef 02 00 00 50 68 80 00 00 00 6a 03 50 6a 07 68 00 00 00 80 68 0c 32 40 00 ff 15 18 30 40 00 83 } // push 0x80 / push 3 / push 7 / push 0x80000000 / push 0x0040320c then call — looks like a CreateFile argument setup (FILE_ATTRIBUTE_NORMAL, OPEN_EXISTING, share r/w/d, GENERIC_READ) on a fixed filename address; confirm in the sample
16 | $s5 = { 8b 3d d0 30 40 00 88 84 0c e8 00 00 00 8d 84 24 e8 00 00 00 50 ff d7 83 c4 04 b0 9a 33 c9 0f 1f 00 f6 d0 88 84 0c b4 00 00 00 41 8a 81 30 32 40 } // byte loop using mov al,0x9a / not al into a stack buffer — presumably a small string-decoding routine; 0x9a is the only constant worth tracking if the sample is rebuilt
17 | $s6 = { 8b ec 83 ec 14 83 65 f4 00 8d 45 f4 83 65 f8 00 50 ff 15 34 30 40 00 8b 45 f8 33 45 f4 89 45 fc ff 15 38 30 40 00 31 45 fc ff 15 3c 30 40 00 31 45 fc 8d 45 ec 50 ff 15 40 30 40 00 8b 45 f0 8d 4d fc 33 45 ec 33 45 fc 33 } // Appears to be the MSVC CRT __security_init_cookie routine (four API results XOR-ed into one local): CRT boilerplate present in most MSVC-built binaries, so its specificity here comes only from the fixed IAT addresses, not from the logic
18 | $p1 = { 5c 2e 5c 47 6c 6f 62 61 6c 5c 35 84 44 65 62 75 67 4c 6f 67 67 3f } // "\.\Global\" 35 84 "DebugLogg" 3f — looks like a damaged/packed form of the ProcmonDebugLogger string in $s1
19 | $p2 = "UPX" fullword ascii // packer marker; generic on its own
20 | $p3 = { 45 6e 75 6d 57 69 6e 64 6f 77 73 } // ASCII "EnumWindows"
21 | $p4 = { 73 65 74 5f 6e 65 77 5f 6d 6f 64 65 00 00 00 5f 63 6f 6e 66 69 67 74 68 72 65 61 64 6c 6f 63 61 6c 65 } // ASCII "set_new_mode" \0\0\0 "_configthreadlocale" — CRT import names, generic
22 | $p5 = { 4e 75 74 6f 72 75 6e 2f 43 4e 65 74 } // ASCII "Nutorun/CNet"
23 | $p6 = { 44 50 52 4f 43 4d 4f 4e 5f 57 49 4e 44 4f 57 5f 43 4c 41 53 53 } // ASCII "DPROCMON_WINDOW_CLASS" (cf. $s2)
24 | $p7 = { 53 6d 61 72 74 53 6e 69 66 66 67 } // ASCII "SmartSniffg"
25 | $p8 = { 26 30 30 63 66 67 } // ASCII "&00cfg"
26 | $p9 = { 72 6f 63 65 94 48 61 63 6b } // ASCII "roce" 94 "Hack" — possibly a packed fragment of a "ProcessHacker" window-class string; verify
27 | condition:
28 | uint16(0) == 0x5a4d and filesize > 200KB and ( 5 of ($s*) or 7 of ($p*) ) // 0x5a4d = "MZ"; 5 of 6 unpacked strings, or 7 of 9 packed fragments (several of which are generic CRT/packer text, hence the high count)
29 | }
30 |
--------------------------------------------------------------------------------
/2021-07-27/PlugX/Mal_PlugX_Thor_July_2021_1.yara:
--------------------------------------------------------------------------------
1 | rule Mal_PlugX_Thor_July_2021_1 // Three x86 code patterns with wildcarded stack displacements (all negative ebp offsets, hence the recurring "fe ff ff"); every pattern is required
2 | {
3 | meta:
4 | description = "Detect Thor variant of PlugX (Variant 1)"
5 | author = "Arkbird_SOLG"
6 | date = "2021-07-27"
7 | reference = "https://unit42.paloaltonetworks.com/thor-plugx-variant/"
8 | hash1 = "125fdf108dc1ad6f572cbdde74b0c7fa938a9adce0cc80cb5ce00f1c030b0c93"
9 | hash2 = "690c488a9902978f2ef05aa23d21f4fa30a52dd9d11191f9b49667cd08618d87"
10 | hash3 = "3c5e2a4afe58634f45c48f4e800dc56bae3907dde308ff97740e9cd5684d1c53"
11 | hash4 = "a9cbce007a7467ba1394eed32b9c1774ad09a9a9fb74eb2ccc584749273fac01"
12 | tlp = "white"
13 | adversary = "Chinese APT group"
14 | strings:
15 | $s1 = { 55 8b ec 81 ec ?? 01 00 00 a1 00 [2] 10 33 c5 89 45 [2-10] 85 ?? fe ff ff [0-1] c6 85 ?? fe ff ff 5c c6 85 ?? fe ff ff ?? c6 85 ?? fe ff ff ?? c6 85 ?? fe ff ff ?? c6 85 ?? fe ff ff } // Prologue with a 0x1xx-byte frame, security-cookie setup (a1 ... 33 c5 89 45), then byte-by-byte stack-string construction: "c6 85 disp32 imm8" writes one byte per instruction, first byte 0x5c ('\'). The "a1 00 [2] 10" global read implies a 0x10xxxx00 address, i.e. a DLL-style image base
16 | $s2 = { 8b ?? ?? fe ff ff c6 ?? 00 [3-5] fe ff ff [4-10] fe ff ff } // Continuation of the same stack-buffer handling; mostly wildcards, so it adds little on its own
17 | $s3 = { fe ff ff 6a 40 68 00 10 00 00 8b 95 ?? fe ff ff 52 6a 00 ff 95 ?? fe ff ff 89 85 ?? fe ff ff } // push 0x40 / push 0x1000 / push size / push 0 then call through a function pointer held in a local — consistent with VirtualAlloc(NULL, size, MEM_COMMIT, PAGE_EXECUTE_READWRITE) via a manually resolved import; confirm in the sample
18 | condition:
19 | uint32(0) == 0x5A4D and filesize > 25KB and all of ($s*) // NOTE(review): 0x5A4D ("MZ") is a 16-bit value; sibling rules use uint16(0) for this check — uint32(0) here requires the two bytes after "MZ" to be zero, which real PE headers do not guarantee (e_cblp is usually non-zero). Confirm that this is intended before relying on the rule
20 | }
21 |
--------------------------------------------------------------------------------
/2021-08-04/Kimsuky/APT_Kimsuky_PDF_Enc_Shellcode_Aug_2021_1.yara:
--------------------------------------------------------------------------------
1 | rule APT_Kimsuky_PDF_Enc_Shellcode_Aug_2021_1 // PDF carrying a JavaScript action ($x1) plus fixed fragments of an encoded/compressed payload stream ($s*); the $s fragments are sample-specific bytes, not generic structure
2 | {
3 | meta:
4 | description = "Detect encoded Kimsuky shellcode used in fake PDF against South Korea"
5 | author = "Arkbird_SOLG"
6 | date = "2021-08-03"
7 | reference = "Internal Research"
8 | hash1 = "83292ba7a1ddda6acf32181c693aa85b9e433fcb908a94ebccbed0f407a1a021"
9 | hash2 = "512ad244c58064dfe102f27c9ec8814f3e3720593fe1e3ed48a8cb385d52ff84"
10 | level = "Experimental"
11 | tlp = "white"
12 | adversary = "Kimsuky"
13 | strings:
14 | $x1 = { 52 2f 53 2f 4a 61 76 61 53 63 72 69 70 74 3e 3e 0d 65 6e 64 6f 62 6a 0d } // ASCII "R/S/JavaScript>>\rendobj\r" — tail of a PDF JavaScript action dictionary (CR line endings)
15 | $s1= { 78 9c ec bd 6b 97 eb 4a 72 25 f6 57 8e b5 96 67 75 4f 6b 24 f0 25 8f a6 d5 b3 16 59 00 6a c8 19 80 06 86 28 9b 65 d9 b3 7a 58 b7 59 97 3c ea 96 fb 21 92 90 fb bf 3b 76 64 c6 23 93 f5 38 47 6a 8f f5 41 1f ee ba c5 03 12 40 66 46 46 c6 63 c7 8e 7f f8 } // Starts with 78 9c, the common zlib stream header; the rest is the beginning of that deflated stream, so it matches only payloads compressed from identical input
16 | $s2 = { 94 fe 9b f1 c7 1f e8 e3 0f f4 f1 87 19 fd 37 ff f9 17 fc db 8f f4 ed e2 e7 5f fe 1b fe ff df 7e fc 8b df fe f0 f7 5f 7f 79 f8 e1 27 7f f9 7f fc 5f cb 7f f7 fc cb 7f 37 16 ff ee af ff f6 67 7f fb 97 7f fb b7 bf f8 3f ff f2 f8 e7 74 e3 9f fe fc cb e5 f5 c7 af 3f 7c f9 c9 8f 5f fe 06 3f f9 fa c3 af 8f bf 7f a5 87 d3 fd e9 26 bf 7f fd f1 }
17 | $s3 = { b6 7c 2a db e2 39 ae 67 75 d9 ee 56 ab 7e 27 f2 b5 2e ba 61 3d a5 f5 88 f3 5b 3f f6 b4 b6 6d d1 c9 fb ae 9a 20 93 63 5c cf 69 73 6e a6 dd 4e d6 6b 98 f4 67 92 01 fa 9e 3d 6f 98 f7 95 3c ef eb aa 3f 37 85 bd ef 70 69 c6 ba ea 77 4f }
18 | $s4 = { 4d 51 d7 5b 7d de f2 96 c8 0b dd bf d9 2d e9 7d 87 85 ec 87 b6 a4 cf 43 dc 1f 55 37 d2 fd 2b 95 df 20 6f 45 ab e3 e1 eb 24 df 71 ff 40 fe 69 3f }
19 | $s5 = { 0f 35 fc 43 53 cf 03 67 d3 85 fb 51 b6 49 5f 40 fa 5d a2 3f 7d 31 fb 0b 3d 6f 53 69 ff 78 aa 37 e8 f3 12 fe 35 3e 43 90 7c 9c e3 73 a6 78 1c 9c 21 ec bf 20 df eb f0 5a b7 76 6f fb ad 96 53 57 0f a4 fc c3 6a f5 6d fe 41 fc 19 ed f7 4f 78 3a e9 1f f8 23 3d 2b 8d 2f 86 79 d6 7b b2 f8 e0 85 f2 51 25 fc 70 8c } // $s2-$s5: opaque stream bytes; any re-encoding of the payload changes all of them, hence level = "Experimental"
20 | condition:
21 | uint32(0) == 0x46445025 and filesize > 25KB and $x1 and 4 of ($s*) // 0x46445025 little-endian = "%PDF"; the JavaScript tail is mandatory, plus 4 of the 5 stream fragments
22 | }
23 |
24 |
--------------------------------------------------------------------------------
/2021-08-07/BreakWin/Infos.csv:
--------------------------------------------------------------------------------
1 | Time,Hash,filename,VTime,VHash,Size
2 | "2019-09-09 11:41:21","9b0f724459637cec5e9576c8332bca16abda6ac3fbbde6f7956bc3a97a423473","install.exe","2020-01-14 13:24:42","075046655d156098z861z6jz24z137z","695.50 KB"
3 | "2020-02-02 15:15:40","6709d332fbd5cde1d8e5b0373b6ff70c85fee73bd911ab3f1232bb5db9242dd4","asas.exe","2020-04-12 10:44:31","075046655d1560a3z12z891z4jz24z117z","702.50 KB"
4 | "2020-02-04 15:51:41","d71cc6337efb5cbbb400d57c8fdeb48d7af12a292fa87a55e8705d18b09f516e","tmp7S1D.exe","2020-02-15 12:24:49","075046655d1560a3z12z891z4jz24z117z","703.00 KB"
5 | "2021-01-17 18:59:25","2aa6e42cb33ec3c132ffce425a92dfdb5e29d8ac112631aec068c8a78314d49b","669194-env.exe","2021-07-12 06:01:11","065046655d1560c3z12z721z4jz24z117z","587.00 KB"
6 | "2021-01-17 18:59:28","074bcc51b77d8e35b96ed444dc479b2878bf61bf7b07e4d7bd4cf136cc3c0dce","653417-mssetup.exe","2021-07-12 06:04:15","084046655d1567z70041mz16fz","85.00 KB"
7 |
--------------------------------------------------------------------------------
/2021-08-13/Nitro/RAN_Nitro_Aug_2021_1.yara:
--------------------------------------------------------------------------------
1 | rule RAN_Nitro_Aug_2021_1 // .NET sample: all five patterns are CIL byte sequences. Token low bytes are wildcarded ("28 ?? 00 00 0a" = call MemberRef, "72 ?? xx 00 70" = ldstr, "7e/80 xx 00 00 04" = ldsfld/stsfld, "6f ?? 00 00 0a" = callvirt), so the rule tolerates small metadata re-numbering but not a different compiler layout
2 | {
3 | meta:
4 | description = "Detect Nitro ransomware"
5 | author = "Arkbird_SOLG"
6 | date = "2021-08-12"
7 | reference = "https://bazaar.abuse.ch/browse/tag/NitroRansomware/"
8 | hash1 = "1194aebc9a0016084f6966b07a171e4c62ce1b21580d177a876873641692ee13"
9 | hash2 = "6546f0638160cb590b4ead2401fb55d48e10b2ee1808ff0354fff52c9e2f62bf"
10 | hash3 = "89dbea1e4b387325f21c784dc72fcf52599f69e1ded27d1b830ff57ae4831559"
11 | hash4 = "d8e9561612c6e06160d79abde41c7b66e4921a1c041ad5c2658d43050b4fd2d0"
12 | hash5 = "dbed3399932fabe6f7f863403279ac9a6b075aa307dd445df2c7060157d3063b"
13 | tlp = "white"
14 | adversary = "-"
15 | strings:
16 | $s1 = { 1f 1a 28 ?? 00 00 0a [0-2] 72 ?? 14 00 70 28 15 00 00 0a 80 32 00 00 04 28 ?? 00 00 06 7e 32 00 00 04 6f ?? 00 00 0a [0-1] 7e 2f 00 00 04 16 7e 32 00 00 04 7e 30 00 00 04 7e 31 00 00 04 60 28 ?? 00 00 06 26 2a } // ldc.i4.s 0x1a (26) then call — consistent with Environment.GetFolderPath(ApplicationData); result combined with a string and stored in a static field (stsfld 0x04000032), then a call with four statics OR-ed together (60 = or) and ret
17 | $s2 = { 02 [0-5] 72 df 00 00 70 28 1b 00 00 } // ldarg.0 ... ldstr 0x700000df, call — fixed string token, build-specific
18 | $s3 = { 1f 1a 28 ?? 00 00 0a 0a 1f 1c 28 ?? 00 00 0a 0b 7e 21 00 00 04 06 72 ?? 0c 00 70 28 15 00 00 0a 6f 16 00 00 0a [2] ?? 00 } // ldc.i4.s 26 and 28 each passed to a call (ApplicationData / LocalApplicationData folders, presumably), stored to locals 0 and 1
19 | $s4 = { 7e 4e 00 00 0a 0a [0-1] 72 [2] 00 70 73 ?? 00 00 06 0b [0-1] 07 72 [2] 00 70 6f ?? 00 00 06 [1-3] 8d 7f 00 00 01 25 16 1f 0a 9d 6f ?? 00 00 0a 1c 9a 0a [0-1] de ?? 07 2c ?? 07 6f 42 00 00 0a } // newarr (8d) of one element set to 0x0a ('\n'), callvirt, ldc.i4.6, ldelem.ref — looks like Split('\n')[6]; the trailing leave.s / brfalse.s / callvirt shape is a try/finally with Dispose
20 | $s5 = { 7e 4e 00 00 0a 0a [0-1] 73 ?? 00 00 0a 0b [0-1] 07 72 ?? 14 00 70 6f ?? 00 00 0a [0-2] 6f ?? 00 00 0a 6f ?? 00 00 0a 6f ?? 00 00 0a [0-2] 6f ?? 00 00 0a 0a } // newobj (73) then a chain of callvirts on it — a builder-style call chain; generic shape, specificity comes from the shared ldsfld token 0x0A00004e with $s4
21 | condition:
22 | uint32(0) == 0x5A4D and filesize > 25KB and all of ($s*) // NOTE(review): 0x5A4D ("MZ") is a 16-bit value; sibling rules use uint16(0). uint32(0) also requires bytes 2-3 to be zero, which a normal PE header (e_cblp) does not guarantee — confirm this is intended
23 | }
24 |
--------------------------------------------------------------------------------
/2021-08-19/Hexane/MAL_Shark_Aug_2021_1.yara:
--------------------------------------------------------------------------------
1 | rule MAL_Shark_Aug_2021_1 // .NET backdoor: JSON envelope, a generated self-deleting batch script, command tokens and a single-byte XOR loop. The "00 1d / 00 17 / 00 2b / 00 0b / 00 07 / 00 11 / 00 0f" bytes between strings look like .NET #US heap length prefixes, i.e. the strings are adjacent in the user-string heap
2 | {
3 | meta:
4 | description = "Detect Shark backdoor used by Hexane group (aka Siamesekitten)"
5 | author = "Arkbird_SOLG"
6 | reference = "https://www.clearskysec.com/siamesekitten/"
7 | date = "2021-08-18"
8 | hash1 = "89ab99f5721b691e5513f4192e7c96eb0981ddb6c2d2b94c1a32e2df896397b8"
9 | hash2 = "f6ae4f4373510c4e096fab84383b547c8997ccf3673c00660df8a3dc9ed1f3ca"
10 | hash3 = "44faf11719b3a679e7a6dd5db40033ec4dd6e1b0361c145b81586cb735a64112"
11 | hash4 = "2f2ef9e3f6db2146bd277d3c4e94c002ecaf7deaabafe6195fddabc81a8ee76c"
12 | tlp = "White"
13 | adversary = "Hexane"
14 | strings:
15 | $s1 = { 7b 00 22 00 44 00 61 00 74 00 61 00 22 00 3a 00 5b 00 22 00 00 07 22 00 [0-8] 5d 00 7d } // UTF-16LE '{"Data":["' ... '"' ... ']}' — hand-built JSON envelope (cf. $s2)
16 | $s2 = "application/json" fullword wide
17 | $s3 = { 40 00 45 00 43 00 48 00 4f 00 20 00 4f 00 46 00 46 00 0a 00 00 1d 74 00 61 00 73 00 6b 00 6b 00 69 00 6c 00 6c 00 20 00 2f 00 49 00 4d 00 20 00 22 00 00 17 22 00 20 00 2f 00 46 00 20 00 3e 00 20 00 6e 00 75 00 6c 00 0a 00 00 2b 70 00 69 00 6e 00 67 00 20 00 [12-28] 00 20 00 6e 00 75 00 6c } // UTF-16LE batch fragments: "@ECHO OFF\n", "taskkill /IM \"", "\" /F > nul\n", "ping " ... " nul" — the ping-then-act delay idiom of a generated batch file
18 | $s4 = { 2a 00 65 00 78 00 65 00 00 0b 2a 00 70 00 72 00 6f 00 63 00 00 07 2a 00 6b 00 6c 00 00 07 64 00 69 00 72 00 00 11 66 00 69 00 6c 00 65 00 3a 00 2f 00 2f 00 2f } // UTF-16LE "*exe", "*proc", "*kl", "dir", "file:///" — presumably the operator command prefixes (execute / process list / keylog / directory listing); confirm against the report
19 | $s5 = { 16 0a 2b 13 02 06 02 06 91 1f 2a 28 ?? 00 00 0a 61 d2 9c 06 17 58 0a 06 02 8e 69 } // CIL: for (i = 0; i < buf.Length; i++) buf[i] = (byte)(buf[i] ^ f(0x2a)) — a byte-wise XOR loop keyed on 0x2a ('*'); the called MemberRef token is wildcarded
20 | $s6 = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography" fullword wide // registry key commonly read for MachineGuid (host identifier); verify that is the use here
21 | $s7 = { 65 00 63 00 68 00 6f 00 20 00 [2-10] 20 00 7c 00 20 00 64 00 65 00 6c 00 20 00 [2-10] 2e 00 62 00 61 00 74 00 00 0f [2-10] 00 2e 00 62 00 61 00 74 } // UTF-16LE "echo <x> | del <name>.bat" then "<name>.bat" — the self-deletion line of the batch script in $s3
22 | condition:
23 | uint32(0) == 0x5A4D and filesize > 15KB and 6 of ($s*) // NOTE(review): 0x5A4D ("MZ") is 16-bit; sibling rules use uint16(0). uint32(0) additionally requires bytes 2-3 to be zero (e_cblp), which normal PE headers do not guarantee — confirm. 6 of 7 strings; $s2 and $s6 are the generic ones
24 | }
25 |
--------------------------------------------------------------------------------
/2021-08-29/Lockfile/MAL_Kernel_Driver_Aug_2021_1.yara:
--------------------------------------------------------------------------------
1 | rule MAL_Kernel_Driver_Aug_2021_1 { // Kernel driver: native object-manager / registry path formats plus debug strings that name EPROCESS and PS_PROTECTION, i.e. the driver walks process objects and reads the protection field. Every string is required
2 | meta:
3 | description = "Detect kernel driver used by lockfile group"
4 | author = "Arkbird_SOLG"
5 | reference = "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lockfile-ransomware-new-petitpotam-windows"
6 | date = "2021-08-28"
7 | hash1 = "5a08ecb2fad5d5c701b4ec42bd0fab7b7b4616673b2d8fbd76557203c5340a0f"
8 | hash2 = "0d18c704049700efd1353055b604072d94bcc3e5f4aa558adf8b8f8848330644"
9 | hash3 = "2b7ffe47b3fabf81a76386ee953d281aeaa158f4926896fcc1425c3844e73597"
10 | hash4 = "61423a95146d5fca47859e43d037944edb32f2004d86e14c7a522270bde6e2a8f" // NOTE(review): 65 hex characters — not a valid SHA-256 (one character too many); re-check this value against the reference before using it as an IoC
11 | adversary = "Lockfile"
12 | strings:
13 | $s1 = "\\BaseNamedObjects\\{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}" fullword wide // object-manager path with a GUID-formatted name (formatted at runtime, so only the template is matchable)
14 | $s2 = "\\REGISTRY\\MACHINE\\SYSTEM\\CurrentControlSet\\Services\\%ws" fullword wide // native (kernel) registry path for a service key; %ws = wide string
15 | $s3 = "\\DosDevices\\%wS" fullword wide // symbolic-link creation for a device name
16 | $s4 = "%temp%\\" fullword wide
17 | $s5 = { 5b 2b 5d 20 50 72 6f 63 65 73 73 20 6f 62 6a 65 63 74 20 28 45 50 52 4f 43 45 53 53 29 20 66 6f 75 6e 64 2c 20 30 78 25 6c 6c 58 0d 0a 00 00 00 5b 2b 5d 20 45 50 52 4f 43 45 53 53 2d 3e 50 53 5f 50 52 4f 54 45 43 54 49 4f 4e 2c 20 30 78 25 6c 6c 58 } // ASCII "[+] Process object (EPROCESS) found, 0x%llX\r\n" \0\0\0 "[+] EPROCESS->PS_PROTECTION, 0x%llX" — debug output left in the build; the most distinctive string in the rule
18 | $s6 = { 48 8b 4e 20 41 b9 00 08 00 00 4d 8b c7 49 8b d5 41 ff 54 24 70 85 c0 75 09 48 8d 15 [2] 02 00 eb 49 48 8d 0d [2] 02 00 e8 b9 ef ff ff 48 8d 0d [2] 02 00 e8 ad ef ff ff 4c 8d 85 f0 02 00 00 ba 00 00 00 c0 48 8d 0d [2] 02 00 e8 [2] 00 00 ba d0 07 00 00 49 8b ce ff 15 [2] 01 00 85 c0 74 15 48 8d 15 [2] 02 00 b9 01 00 00 00 e8 [2] 00 00 33 db eb 0b 48 8b d7 48 8b ce e8 4b f3 ff ff 49 8b ce ff 15 } // x64: mov r9d,0x800; mov edx,0xC0000000; mov edx,2000 (0x7d0) around RIP-relative calls — argument constants for the driver's setup calls; the [2] wildcards cover the low bytes of RIP-relative displacements, but "e8 b9 ef ff ff" / "e8 ad ef ff ff" / "e8 4b f3 ff ff" are fixed, so a different link layout breaks the match
19 | condition:
20 | uint16(0) == 0x5a4d and filesize > 10KB and all of ($s*) // 0x5a4d = "MZ"; all six required — tight, low false-positive risk but fragile to rebuilds because of $s6
21 | }
22 |
--------------------------------------------------------------------------------
/2021-08-29/Lockfile/MAL_KillProc_Aug_2021_1.yara:
--------------------------------------------------------------------------------
1 | rule MAL_KillProc_Aug_2021_1 { // NOTE(review): the description names "Night Dragon" while adversary = "Lockfile" and the reference is the LockFile write-up — likely a copy-paste leftover; confirm which is meant. The rule keys on debug format strings, the names of security-product processes the driver looks for, and one build-specific x64 sequence
2 | meta:
3 | description = "Detect KillProc driver used by Night Dragon for kill process before encryption"
4 | author = "Arkbird_SOLG"
5 | reference = "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lockfile-ransomware-new-petitpotam-windows"
6 | date = "2021-08-27"
7 | hash1 = "36e8bb8719a619b78862907fd49445750371f40945fefd55a9862465dc2930f9"
8 | adversary = "Lockfile"
9 | strings:
10 | $s1 = "find %s!\n" fullword ascii // debug output (with $s2 and $s3): the driver logs each process it finds and kills
11 | $s2 = "killed %s!\n" fullword ascii
12 | $s3 = "DbgPrint" fullword ascii // import name; DbgPrint is an ntoskrnl export used by a great many drivers — no specificity
13 | $s4 = "ntoskrnl.exe" fullword ascii // import-table module name present in essentially every kernel driver — no specificity
14 | $s5 = "SBPIMSvc.exe" fullword ascii // $s5/$s6/$s8/$s9: process names of security products targeted for termination; these also occur in the products' own binaries, so treat a hit on only these as weak
15 | $s6 = "MsMpEng.exe" fullword ascii
16 | $s7 = { 48 8b ce ff 15 92 cf ff ff 48 8b d0 48 8b cb ff 15 8e cf ff ff 48 8d 7f 08 85 c0 74 0d 48 8b 1f 44 38 23 75 db e9 a7 00 00 00 48 8b ce ff 15 68 cf ff ff 48 8b d0 48 8d 0d 6e bf ff ff ff 15 70 cf ff ff 48 8b ce ff 15 37 cf ff ff 8b c8 48 8d 54 24 40 ff 15 3a cf ff ff 85 c0 78 56 48 8b 4c 24 40 48 8d 84 24 a8 00 00 00 48 89 44 24 30 45 33 c9 44 88 64 24 28 45 33 c0 33 d2 4c 89 64 24 20 ff 15 04 cf ff ff 85 c0 74 05 45 32 f6 eb 41 48 8b 8c 24 a8 00 00 00 33 d2 ff 15 0b cf ff ff 48 8b 8c 24 a8 00 00 00 ff 15 0d cf ff ff 41 b6 01 eb 05 45 84 f6 74 19 48 8b ce ff 15 da ce ff ff 48 8b d0 48 8d 0d f0 be ff ff ff 15 e2 ce ff ff 48 8b ce ff 15 a1 ce ff ff 48 83 } // x64 loop over a name table (cmp byte [r11],r12b / jne back) calling through fixed RIP-relative import slots (ff 15 xx cf ff ff) — every displacement is literal, so this matches only this exact build
17 | $s8 = "UpdaterUI.exe" fullword ascii
18 | $s9 = "VipreNis.exe" fullword ascii
19 | condition:
20 | uint16(0) == 0x5a4d and filesize > 3KB and 6 of ($s*) // 0x5a4d = "MZ". Since $s3 and $s4 match nearly any driver, the effective requirement is 4 of the remaining 7 — the format strings plus the process-name list carry the rule
21 | }
22 |
--------------------------------------------------------------------------------
/2021-08-29/Lockfile/MAL_loader_Lockfile_Aug_2021_1.yara:
--------------------------------------------------------------------------------
1 | rule MAL_loader_Lockfile_Aug_2021_1 { // NOTE(review): description reads "lockerfile group" — presumably "lockfile" as in the sibling rules. Loader rule: a calc.exe path, a CreateFile-style call sequence, an odd "/proc/123/stat" string and a character-reading loop; all address operands are 0x1000xxxx / 0x1001xxxx, which suggests a DLL at the default 0x10000000 image base
2 | meta:
3 | description = "Detect loader used by lockerfile group"
4 | author = "Arkbird_SOLG"
5 | reference = "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lockfile-ransomware-new-petitpotam-windows"
6 | date = "2021-08-28"
7 | hash1 = "ed834722111782b2931e36cfa51b38852c813e3d7a4d16717f59c1d037b62291"
8 | adversary = "Lockfile"
9 | strings:
10 | $s1 = "c:\\windows\\system32\\calc.exe" fullword ascii // possibly a placeholder/test target in the loader; weak on its own
11 | $s2 = { 49 48 85 c0 7f ec eb 0a 33 c9 66 89 0c 45 [2] 01 10 68 [2] 00 10 68 [2] 01 10 ff 15 [2] 00 10 6a 00 68 80 00 00 00 6a 03 6a 00 6a 02 68 00 00 00 80 68 [2] 01 10 ff 15 [2] 00 10 83 f8 ff 75 08 6a 00 ff 15 [2] 00 10 50 ff 15 [2] 00 10 c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc } // push 0 / 0x80 / 3 / 0 / 2 / 0x80000000 / name then call — matches the CreateFileA(name, GENERIC_READ, FILE_SHARE_WRITE, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL) argument order; "83 f8 ff 75 08 6a 00 ff 15" = if the handle is INVALID_HANDLE_VALUE, call something with 0 (ExitProcess-like). The trailing cc padding is function alignment
12 | $s3 = "/proc/123/stat" fullword ascii // Linux procfs path inside a Windows loader — unusual, likely leftover code; distinctive precisely because it does not belong
13 | $s4 = { 33 c5 89 45 fc a1 [2] 00 10 8b 15 [2] 00 10 8b 0d [2] 00 10 56 89 45 dc 66 a1 [2] 00 10 57 89 55 e4 89 4d e0 8a 0d [2] 00 10 66 89 45 e8 33 c0 8d 55 dc 68 [2] 00 10 52 bf [2] 00 10 88 4d ea 89 45 eb 89 45 ef 89 45 f3 89 45 f7 88 45 fb e8 [2] 00 00 8b f0 83 c4 08 85 f6 74 44 8d 64 24 00 56 e8 [2] 00 00 83 c4 04 83 f8 ff 74 29 83 f8 28 75 ed 56 e8 [2] 00 00 83 c4 04 83 f8 ff 74 16 0f be 0f 3b c1 75 0f 56 47 e8 [2] 00 00 83 c4 04 83 f8 ff 75 ea 56 e8 [2] 00 00 83 c4 04 6a 00 ff 15 } // security-cookie setup (33 c5 89 45 fc), a 15-byte stack string copied from globals, then a loop reading one value at a time and comparing with -1 (EOF) and 0x28 '(' — consistent with parsing the "pid (name)" layout of the path in $s3; confirm in the sample
14 | condition:
15 | uint16(0) == 0x5a4d and filesize > 10KB and 3 of ($s*) // 0x5a4d = "MZ"; 3 of 4 strings
16 | }
17 |
--------------------------------------------------------------------------------
/2021-08-29/Lockfile/RAN_Lockfile_Packed_Aug_2021_1.yara:
--------------------------------------------------------------------------------
1 | rule RAN_Lockfile_Packed_Aug_2021_1 { // Packed-sample rule: all four patterns are opaque packer-layer bytes, and $s2 appears to be the binary's Rich header. Marked experimental for that reason — see the notes on $s2 and the condition
2 | meta:
3 | description = "Detect lockfile ransomware (Packed version)"
4 | author = "Arkbird_SOLG"
5 | reference = "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lockfile-ransomware-new-petitpotam-windows"
6 | date = "2021-08-28"
7 | hash1 = "2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a"
8 | hash2 = "bf315c9c064b887ee3276e1342d43637d8c0e067260946db45942f39b970d7ce"
9 | level = "Experimental"
10 | adversary = "Lockfile"
11 | strings:
12 | $s1 = { 90 03 ?? 40 58 4a bc 3c 64 e4 5d 2e 44 45 45 45 ?? 72 48 8e 45 45 43 45 [6] 08 f6 33 45 [5] 01 e9 e3 } // packed data with a few wildcards; no recoverable semantics
13 | $s2 = { 5b 22 48 0f 5b 22 48 0f 5b 22 48 bb c7 d3 48 03 5b 22 48 bb c7 d1 48 97 5b 22 48 bb c7 d0 48 16 5b 22 48 69 34 df 48 0e 5b 22 48 5d 2e 26 49 1d 5b 22 48 5d 2e 21 49 05 5b 22 48 59 2e 27 49 28 5b 22 48 59 2e 21 49 0e 5b 22 48 5d 2e 27 49 58 5b 22 48 06 23 b1 48 02 5b 22 48 0f 5b 23 48 bf 5b 22 48 59 2e 2b 49 0d 5b 22 48 59 2e dd 48 0e 5b 22 48 59 2e 20 49 0e 5b 22 48 52 69 63 68 0f 5b 22 48 } // Ends with 52 69 63 68 = "Rich" followed by the 4-byte key (0f 5b 22 48), and that same key value recurs through the block as the XOR mask of each entry — the shape of an MSVC Rich header. A Rich header identifies one specific linker run: the two listed hashes share it, but any relink of the same source changes every byte, so this pattern is brittle as an "all of" requirement
14 | $s3 = { 44 fc 90 a9 [0-4] 1c 79 38 10 [0-4] 18 20 72 0e [2-5] 3f [0-4] 24 34 6c 05 fc [0-4] 23 40 }
15 | $s4 = { c3 df [0-4] 10 4c c8 20 d3 55 56 57 41 54 41 55 } // "55 56 57 41 54 41 55" = push rbp/rsi/rdi/r12/r13 — an x64 function prologue after the packed bytes
16 | condition:
17 | uint16(0) == 0x5a4d and filesize > 10KB and all of ($s*) // 0x5a4d = "MZ"; all four required. Given $s2's Rich-header nature, expect this to match only the two listed builds — fine for IoC-style hunting, not as a family signature
18 | }
19 |
--------------------------------------------------------------------------------
/2021-08-29/Lockfile/Tool_EFSPotatoe_Aug_2021_1.yara:
--------------------------------------------------------------------------------
1 | rule Tool_EFSPotatoe_Aug_2021_1 { // Custom .NET build of the EfsPotato privilege-escalation tool: lsarpc named pipe, ncacn_np RPC transport, the interactive window station, its banner string and one long CIL method body with fixed metadata tokens
2 | meta:
3 | description = "Detect custom .NET variant EFSPotatoe tool"
4 | author = "Arkbird_SOLG"
5 | reference = "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lockfile-ransomware-new-petitpotam-windows"
6 | date = "2021-08-27"
7 | hash1 = "c372c54b11465688201e2d48ffd5fd5b0ca49360858a70ce8413f5c9e24c8050"
8 | hash2 = "441cb0576151b2e5b5127be72a5bcdf3577a596f0a4e1f2c6836248fe07eb818"
9 | adversary = "Lockfile"
10 | strings:
11 | $s1 = { 5c 00 70 00 69 00 70 00 65 00 5c 00 6c 00 73 00 61 00 72 00 70 00 63 } // UTF-16LE "\pipe\lsarpc" — the pipe the EFSRPC interface is reached over
12 | $s2 = "ncacn_np" fullword wide // RPC over named pipes
13 | $s3 = "WinSta0\\Default" fullword wide // interactive desktop — used when spawning a process under the obtained token
14 | $s4 = { 11 00 72 cc 01 00 70 28 06 00 00 0a 00 dd de 02 00 00 00 de 12 07 14 fe 01 13 0f 11 0f 2d 07 07 6f 0f 00 00 0a 00 dc 00 28 10 00 00 0a 13 10 12 10 72 16 02 00 70 28 11 00 00 0a 0d 72 1a 02 00 70 09 72 2e 02 00 70 28 12 00 00 0a 13 04 11 04 19 16 1f 0a 20 00 08 00 00 20 00 08 00 00 16 7e 0d 00 00 0a 28 06 00 00 06 13 05 11 05 15 73 13 00 00 0a 28 14 00 00 0a 16 fe 01 13 0f 11 0f 2d 25 00 72 48 02 00 70 28 0e 00 00 0a 73 15 00 00 0a 6f 16 00 00 0a 28 0a 00 00 0a 28 06 00 00 0a 00 38 4a 02 00 00 16 73 17 00 00 0a 13 06 14 fe 06 04 00 00 06 73 18 00 00 0a 73 19 00 00 0a 13 07 11 07 17 6f 1a 00 00 0a 00 11 07 18 8d 01 00 00 01 13 11 11 11 16 11 05 8c 15 00 00 01 a2 11 11 17 11 06 a2 11 11 6f 1b 00 00 0a 00 14 fe 06 03 00 00 06 73 18 00 00 0a 73 19 00 00 0a 13 08 11 08 17 6f 1a 00 00 0a 00 11 08 09 6f 1b 00 00 0a 00 11 06 20 e8 03 00 00 6f 1c 00 00 0a 16 fe 01 13 0f 11 0f 3a 93 01 00 00 00 11 05 28 08 00 00 06 16 fe 01 13 0f 11 0f 3a 7c 01 00 00 00 28 08 00 00 0a 6f 0b 00 00 0a 13 09 72 7c 02 00 70 11 09 8c 15 00 00 01 28 1d 00 00 0a 28 06 00 00 0a 00 12 0a fe 15 08 00 00 02 12 0a 11 0a 28 02 00 00 2b 7d 1d 00 00 04 12 0a 7e 0d 00 00 0a 7d 1e 00 00 04 12 0a 17 7d 1f 00 00 04 12 0b 12 0c 12 0a 20 00 04 00 00 28 0b 00 00 06 26 12 0d fe 15 06 00 00 02 12 0e fe 15 07 00 00 02 12 0e 11 0e 28 03 00 00 2b 7d 0b 00 00 04 12 0e 11 0c 7d 1c 00 00 04 12 0e 11 0c 7d 1b 00 00 04 12 0e 72 9c 02 00 70 7d 0d 00 00 04 12 0e 20 01 01 00 00 7d 16 00 00 04 12 0e 16 7d 17 00 00 04 } // CIL main-routine body with every ldstr/call/newobj token literal (no wildcards): "20 00 08 00 00" = ldc.i4 0x800 (pipe buffer sizes), "20 e8 03 00 00" = ldc.i4 1000 (a wait in ms), "20 00 04 00 00" = ldc.i4 0x400. Matches only compilations that produce the same token layout — i.e. this custom variant, not the public tool
15 | $s5 = "EfsPotato " wide // banner / usage prefix (note the trailing space); the rule name spells it "EFSPotatoe"
16 | $s6 = "\\\\.\\pipe\\" wide // local named-pipe prefix
17 | condition:
18 | uint16(0) == 0x5a4d and filesize > 10KB and 5 of ($s*) // 0x5a4d = "MZ"; 5 of 6 — $s4 may be dropped, in which case the remaining five are plain strings shared with the public EfsPotato source (see the generic sibling rule)
19 | }
20 |
--------------------------------------------------------------------------------
/2021-08-29/Lockfile/Tool_EFSPotatoe_Aug_2021_2.yara:
--------------------------------------------------------------------------------
1 | rule Tool_EFSPotatoe_Aug_2021_2 { // Generic EfsPotato rule: keys on the lsarpc pipe, the ncacn_np transport, a UNC path format, the EFSRPC interface UUID and a short CIL fragment shared with the custom-variant rule
2 | meta:
3 | description = "Detect EFSPotatoe tool (Generic rule)"
4 | author = "Arkbird_SOLG"
5 | reference = "Internal Research"
6 | date = "2021-08-27"
7 | hash1 = "c372c54b11465688201e2d48ffd5fd5b0ca49360858a70ce8413f5c9e24c8050"
8 | hash2 = "441cb0576151b2e5b5127be72a5bcdf3577a596f0a4e1f2c6836248fe07eb818"
9 | hash3 = "47b85abee8a07e79ad95f48a3e3addf7235144b67b0350e2f9ac80e66f97e583"
10 | hash4 = "7bcb25854ea2e5f0b8cfca7066a13bc8af8e7bac6693dea1cdad5ef193b052fd"
11 | adversary = "-"
12 | strings:
13 | $s1 = { 5c 00 70 00 69 00 70 00 65 00 5c 00 6c 00 73 00 61 00 72 00 70 00 63 } // UTF-16LE "\pipe\lsarpc"
14 | $s2 = "ncacn_np" fullword wide // RPC over named pipes
15 | $s3 = { 5c 00 5c 00 25 00 73 00 5c 00 [1-20] 00 5c 00 [1-20] 00 } // UTF-16LE "\\%s\<a>\<b>" — UNC path format with two wildcarded components
16 | $s4 = { 63 00 36 00 38 00 31 00 64 00 34 00 38 00 38 00 2d 00 64 00 38 00 35 00 30 00 2d 00 31 00 31 00 64 00 30 00 2d 00 38 00 63 00 35 00 32 00 2d 00 30 00 30 00 63 00 30 00 34 00 66 00 64 00 39 00 30 00 66 00 37 00 65 } // UTF-16LE "c681d488-d850-11d0-8c52-00c04fd90f7e" — the EFSRPC interface UUID; strongest indicator in the set, though legitimate EFS-aware tooling can also embed it
17 | $s5 = { 00 72 48 02 00 70 28 0e 00 00 0a 73 15 00 00 0a 6f 16 00 00 0a 28 0a 00 00 0a 28 06 00 00 0a 00 38 4a 02 00 00 } // CIL fragment (ldstr / call / newobj / callvirt with literal tokens, then br 0x24a) — a verbatim sub-sequence of $s4 in Tool_EFSPotatoe_Aug_2021_1, so it still carries that variant's token layout rather than being truly generic
18 | condition:
19 | uint16(0) == 0x5a4d and filesize > 10KB and 4 of ($s*) // 0x5a4d = "MZ"; 4 of 5 — with $s5 absent the rule reduces to four strings that any EfsPotato build (or an EFSRPC client) could contain; validate on benign RPC tooling
20 | }
21 |
--------------------------------------------------------------------------------
/2021-09-09/Exp_CVE_2021_40444_Sep_2021_1.yara:
--------------------------------------------------------------------------------
1 | // Checked with MalQuery: nothing found; the files are present in Hybrid Analysis, but the rule could not be confirmed there, so the remainder is experimental
2 | rule Exp_CVE_2021_40444_Sep_2021_1 { // Structural rule on the OOXML (ZIP) container: it keys on how the archive was produced (Info-ZIP-style "UT"/"ux" extra fields and their timestamps) rather than on exploit content, so it fingerprints the generator as much as the maldoc. "reference1 = \"-\"" — sibling rules use the key "reference"
3 | meta:
4 | description = "Detect the maldocs with a structure like used for CVE_2021_40444 exploit"
5 | author = "Arkbird_SOLG"
6 | reference1 = "-"
7 | date = "2021-09-09"
8 | hash1 = "199b9e9a7533431731fbb08ff19d437de1de6533f3ebbffc1e13eeffaa4fd455"
9 | hash2 = "3bddb2e1a85a9e06b9f9021ad301fdcde33e197225ae1676b8c6d0b416193ecf"
10 | hash3 = "5b85dbe49b8bc1e65e01414a0508329dc41dc13c92c08a4f14c71e3044b06185"
11 | hash4 = "938545f7bbe40738908a95da8cdeabb2a11ce2ca36b0f6a74deda9378d380a52"
12 | tlp = "White"
13 | level = "experimental"
14 | adversary = "-"
15 | strings:
16 | $x1 = { 2f 5f 72 65 6c 73 2f 64 6f 63 75 6d 65 6e 74 2e 78 6d 6c 2e 72 65 6c 73 55 54 09 00 03 [3] 61 [3] 61 75 78 0b 00 01 04 00 00 00 00 04 00 00 00 00 ?? 94 ?? 4e c2 [3] ef 4d 7c 87 } // ASCII "/_rels/document.xml.rels" (the relationships part) then a "UT" extra field (55 54, extended timestamp) whose two 32-bit times are wildcarded except the high byte 0x61 — that pins them to roughly 2021-07-27 .. 2022-02-09 (0x61000000..0x61FFFFFF as Unix time), so the rule silently stops matching samples built after that window; then a "ux" extra field (75 78, uid/gid both 0) and the first bytes of the deflated data
17 | $x2 = { 77 6d 66 55 54 09 00 03 00 a6 ce 12 00 a6 ce 12 75 78 0b 00 01 04 00 00 00 00 04 00 00 00 00 bb 7e f6 d8 2c 06 38 48 00 93 85 e1 8c 0c 9c 0c 0c cc 52 60 1e 2b 98 64 01 62 66 46 0e 30 8f 9b 09 26 ce 03 66 31 83 55 00 00 50 4b 03 04 ?? 00 00 00 ?? 00 [10] 00 00 [2] 00 00 ?? 00 1c 00 } // an entry whose name ends in "wmf" with a "UT" extra field carrying two fixed times of 0x12cea600 = 315532800 = 1980-01-01 00:00:00 UTC (the ZIP/DOS epoch, i.e. the generator did not set real mtimes), a "ux" field with uid/gid 0, a short fixed deflated payload, then the next local file header "PK\x03\x04" with wildcarded method/time/CRC fields and a 0x1c-byte extra-field length
18 | condition:
19 | uint16(0) == 0x4B50 and filesize > 5KB and all of ($x*) // 0x4B50 little-endian = "PK" (ZIP / OOXML); both structural patterns required
20 | }
21 |
--------------------------------------------------------------------------------
/2021-09-15/Vermilion_Strike/MAL_Stager_Vermilion_Strike_Sep_2021_1.yara:
--------------------------------------------------------------------------------
1 | rule MAL_Stager_Vermilion_Strike_Sep_2021_1 { // Single-sample code rule: every pattern contains literal absolute addresses (a1 b0 62 41 00 = mov eax,[0x004162b0]; ff 15 xx 21 41 00 = IAT slots at 0x004121xx; 68 xx 3b 41 00 = string pointers) with no wildcards, so it matches this build only — consistent with the single hash and level = "experimental"
2 | meta:
3 | description = "Detect the windows version of the stager of Vermilion Strike implant"
4 | author = "Arkbird_SOLG"
5 | reference1 = "https://www.intezer.com/blog/malware-analysis/vermilionstrike-reimplementation-cobaltstrike/"
6 | date = "2021-09-14"
7 | hash1 = "3ad119d4f2f1d8ce3851181120a292f41189e4417ad20a6c86b6f45f6a9fbcfc"
8 | level = "experimental"
9 | tlp = "White"
10 | adversary = "Vermilion Strike"
11 | strings:
12 | $s1 = { a1 b0 62 41 00 33 c4 50 8d 84 24 d0 00 00 00 64 a3 00 00 00 00 8b da 8b 84 24 ec 00 00 00 8b b4 24 e0 00 00 00 8b bc 24 e4 00 00 00 8b ac 24 e8 00 00 00 8d 54 24 2c 52 89 44 24 28 89 4c 24 2c e8 95 f0 ff ff 33 c0 89 84 24 d8 00 00 00 c7 84 24 88 00 00 00 0f 00 00 00 89 84 24 84 00 00 00 88 44 24 74 6a 17 68 fc 3b 41 00 8d 44 24 78 c6 84 24 e0 00 00 00 01 e8 9e 0b 00 00 6a 02 68 14 3c 41 00 8d 44 24 78 e8 8e 0b 00 00 6a 00 6a 00 6a 00 6a 01 55 ff 15 44 21 41 00 8b e8 55 6a 02 57 53 8b ce 89 6c 24 2c e8 8d fc ff ff 83 c4 10 6a 00 6a 00 6a 03 6a 00 6a 00 53 56 55 ff 15 58 21 41 00 6a 00 68 00 82 80 80 6a 00 6a 00 6a 00 57 68 f8 3b 41 00 50 89 44 24 40 ff 15 4c 21 41 00 } // security cookie + SEH frame setup (64 a3 00 00 00 00), a std::string-style construct from a 0x17-byte literal at 0x00413bfc (6a 17 68 fc 3b 41 00), then three import calls; "68 00 82 80 80" = push 0x80808200, a flags constant passed to the third call — worth cross-checking against the WinHTTP/WinINet flag values in the report
13 | $s2 = { 64 a1 00 00 00 00 50 83 ec 60 a1 b0 62 41 00 33 c4 89 44 24 58 53 55 56 57 a1 b0 62 41 00 33 c4 50 8d 44 24 74 64 a3 00 00 00 00 8b 84 24 88 00 00 00 8b ac 24 84 00 00 00 8b f9 89 44 24 18 33 c0 8d 4c 24 1c 51 8b f2 33 db 89 44 24 30 89 44 24 34 89 44 24 38 89 44 24 3c 89 44 24 40 89 44 24 44 89 44 24 48 89 44 24 4c 89 44 24 50 89 44 24 20 89 44 24 24 89 44 24 28 89 44 24 2c ff 15 2c 21 41 00 85 c0 74 21 39 5c 24 1c 74 05 bb 01 00 00 00 8b 44 24 20 } // prologue that zeroes a 13-dword stack structure before an import call — the zeroing run (89 44 24 xx) is compiler output and generic; the fixed addresses are what make it specific
14 | $s3 = { 50 56 8d 4c 24 58 e8 fc f2 ff ff 6a 01 8d 54 24 18 52 8d 44 24 58 50 89 9c 24 88 00 00 00 33 c0 c6 44 24 20 3d e8 0d 01 00 00 83 f8 ff 74 4f 80 bc 24 8c 00 00 00 00 74 16 56 bb 18 3c 41 00 8d 7c 24 54 e8 8f fd ff ff 83 c4 04 84 c0 75 2f 56 bb 20 3c 41 00 8d 7c 24 54 e8 79 fd ff ff 83 c4 04 84 c0 75 19 56 bb 28 3c 41 00 e8 67 fd ff ff 83 c4 04 84 c0 74 07 c7 45 00 04 00 00 00 83 7c 24 68 10 72 19 } // searches for '=' (c6 44 24 20 3d) then compares against three literals at 0x00413c18/20/28 in turn — a key/value parser of received data; literal pointers again fix it to this build
15 | $s4 = { 8d 44 24 18 50 8d 4c 24 18 51 6a 1f 53 c7 44 24 28 04 00 00 00 ff 15 3c 21 41 00 81 4c 24 14 00 01 00 00 6a 04 8d 54 24 18 52 6a 1f 53 } // push 0x1f, call import, or dword,0x100, push 4, push 0x1f again — a query/set option pair with option 0x1f (31) on the same handle; which API this is should be confirmed in the sample
16 | condition:
17 | uint16(0) == 0x5A4D and filesize > 30KB and 3 of them // 0x5A4D = "MZ"; "3 of them" is 3 of the 4 strings
18 | }
19 |
--------------------------------------------------------------------------------
/2021-10-23/WizardUpdate/MAL_OSX_WizardUpdate_Oct_2021_2.yara:
--------------------------------------------------------------------------------
1 | rule MAL_OSX_WizardUpdate_Oct_2021_2 { // Text rule for a bash installer script (hex-encoded to avoid escaping): home-directory resolution, download with retries, Gatekeeper quarantine-attribute removal, LaunchAgent registration and an embedded plist. No magic check, so it applies to any file type
2 | meta:
3 | description = "Detect a structure like the bash of WizardUpdate installer on OSX system"
4 | author = "Arkbird_SOLG"
5 | reference1 = "https://twitter.com/MsftSecIntel/status/1451279679059488773"
6 | date = "2021-10-22"
7 | hash1 = "eafacc44666901a5ea3c81a128e5dd88d0968a400d74ef1da5c2c05dc6dd7a39"
8 | tlp = "White"
9 | adversary = "-"
10 | strings:
11 | $s1 = { 24 28 65 76 61 6c 20 65 63 68 6f 20 7e 24 28 65 63 68 6f 20 24 55 53 45 52 29 29 } // "$(eval echo ~$(echo $USER))" — resolves the current user's home directory; an unusual idiom, fairly specific
12 | $s2 = { 69 66 20 5b 20 21 20 2d 66 20 22 24 [5-15] 22 20 5d 3b 20 74 68 65 6e } // 'if [ ! -f "$<var>" ]; then' — generic shell
13 | $s3 = { 63 75 72 6c 20 2d 2d 72 65 74 72 79 20 [2-3] 2d 66 20 22 } // 'curl --retry <n> -f "' — generic download idiom
14 | $s4 = { 78 61 74 74 72 20 2d 72 20 2d 64 20 63 6f 6d 2e 61 70 70 6c 65 2e 71 75 61 72 61 6e 74 69 6e 65 } // "xattr -r -d com.apple.quarantine" — strips the quarantine attribute so Gatekeeper does not prompt; the most telling line for defenders
15 | $s5 = { 6c 61 75 6e 63 68 63 74 6c 20 6c 6f 61 64 20 2d 77 } // "launchctl load -w" — persistence via a launchd plist
16 | $s6 = { 63 68 6f 77 6e 20 2d 52 20 24 55 53 45 52 } // "chown -R $USER"
17 | $s7 = { 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 5c 22 31 2e 30 5c 22 20 65 6e 63 6f 64 69 6e 67 3d 5c 22 55 54 46 2d 38 5c 22 3f 3e 0a 09 3c 21 44 4f 43 54 59 50 45 20 70 6c 69 73 74 20 50 55 42 4c 49 43 20 5c 22 2d 2f 2f 41 70 70 6c 65 2f 2f 44 54 44 20 50 4c 49 53 54 20 31 2e 30 2f 2f 45 4e 5c 22 20 5c 22 68 74 74 70 3a 2f 2f 77 77 77 2e 61 70 70 6c 65 2e 63 6f 6d 2f 44 54 44 73 2f 50 72 6f 70 65 72 74 79 4c 69 73 74 2d 31 2e 30 2e 64 74 64 5c 22 3e 0a 09 3c 70 6c 69 73 74 20 76 65 72 73 69 6f 6e 3d 5c 22 31 2e 30 5c 22 3e } // plist XML header ('<?xml version=\"1.0\" ...', '<!DOCTYPE plist ...', '<plist version=\"1.0\">') with literal backslash-escaped quotes (5c 22) and "\n\t" line breaks — i.e. a plist written from inside a double-quoted shell string, not a plist file itself
18 | condition:
19 | filesize > 2KB and 6 of ($s*) // 6 of 7; $s2/$s3/$s5/$s6 are common in legitimate installer scripts, so $s1, $s4 and $s7 are what keep the false-positive rate down — validate against benign macOS installer scripts before deploying broadly
20 | }
21 |
--------------------------------------------------------------------------------
/2021-10-29/Hive/MAL_CobaltStrike_Oct_2021_1.yara:
--------------------------------------------------------------------------------
1 | rule MAL_CobaltStrike_Oct_2021_1 { // x64 code rule. $s1 appears to be compiler runtime code (see its note), so the real discriminators are $s2-$s4; with "3 of ($s*)" a hit on $s1 plus any two of the others satisfies the rule
2 | meta:
3 | description = "Detect Cobalt Strike implant"
4 | author = "Arkbird_SOLG"
5 | reference = "https://twitter.com/malwrhunterteam/status/1454154412902002692"
6 | date = "2021-10-30"
7 | hash1 = "f520f97e3aa065efc4b7633735530a7ea341f3b332122921cb9257bf55147fb7"
8 | hash2 = "7370c09d07b4695aa11e299a9c17007e9267e1578ce2753259c02a8cf27b18b6"
9 | hash3 = "bfbc1c27a73c33e375eeea164dc876c23bca1fbc0051bb48d3ed3e50df6fa0e8"
10 | tlp = "white"
11 | adversary = "-"
12 | strings:
13 | $s1 = { 48 83 ec 10 4c 89 14 24 4c 89 5c 24 08 4d 33 db 4c 8d 54 24 18 4c 2b d0 4d 0f 42 d3 65 4c 8b 1c 25 10 00 00 00 4d 3b d3 f2 73 17 66 41 81 e2 00 f0 4d 8d 9b 00 f0 ff ff 41 c6 03 00 4d 3b d3 f2 75 ef 4c 8b 14 24 4c 8b 5c 24 08 48 83 c4 10 f2 c3 } // Appears to be the MSVC x64 __chkstk stack-probe routine (mov r11, gs:[0x10]; page-by-page touch with and r10w,0xf000 / lea r11,[r11-0x1000]; f2-prefixed bnd branches). It is emitted into most MSVC-built x64 binaries with large frames, so it should not be treated as malicious on its own
14 | $s2 = { 89 ?? 24 ?? 8b ?? 24 0c 89 ?? 24 ?? 8b ?? 24 ?? c1 ?? 0d 89 ?? 24 0c 48 8b ?? 24 10 89 ?? 24 [2] 8b ?? 24 10 } // register/stack shuffling with a shift by 13 (c1 ?? 0d) — heavily wildcarded; consistent with a hashing loop (ROR13-style API resolution is a common reading, but the opcode here is only "shift by 13"), confirm in the sample
15 | $s3 = { b8 10 00 00 00 48 89 45 ?? e8 [3] 00 48 29 c4 48 89 e0 48 8b 4d ?? 48 89 45 ?? 48 89 c8 e8 [3] 00 48 29 c4 48 89 e0 48 8b 4d ?? 48 89 45 ?? 48 89 c8 e8 [3] 00 48 29 c4 48 89 e0 48 8b 4d ?? 48 89 45 ?? 48 89 c8 e8 [3] 00 48 29 c4 48 89 e0 48 8b 4d ?? 48 89 45 ?? 48 89 c8 e8 [3] 00 48 29 c4 48 89 e0 48 8b 4d ?? 8b 55 f8 89 11 4c 8b 45 ?? 4c 8b 4d f0 4d 89 08 4c 8b 55 ?? 4c 8b 5d e8 4d 89 1a 48 8b 75 ?? 48 8b 7d e0 48 89 3e c7 00 ?? 00 00 00 48 8b 05 [3] 00 48 05 [2] 00 00 8b 19 4d 8b 00 4d 8b 32 48 8b 0e 48 83 ec 20 4c 89 f2 41 89 d9 ff d0 48 83 c4 20 ?? 45 } // five repetitions of "call; sub rsp,rax; mov rax,rsp" (dynamic stack allocation, alloca-style) filling out-parameters, then a 0x20-byte shadow space and an indirect "call rax" on a pointer computed from a global plus a constant (48 8b 05 / 48 05) — a hand-written call stub; the repeated structure is what makes it specific
16 | $s4 = { 48 83 ec 48 44 89 4c 24 44 4c 89 44 24 38 48 89 54 24 30 48 89 4c 24 28 c7 44 24 24 ?? 00 00 00 48 8b 05 [3] 00 48 05 [2] 00 00 44 8b 4c 24 44 4c 8b 44 24 38 48 8b 54 24 30 48 8b 4c 24 28 ff d0 90 48 83 c4 } // smaller variant of the same stub: spills the four argument registers, stores an immediate, loads a function pointer from global+constant, reloads the arguments and "call rax"
17 | condition:
18 | uint16(0) == 0x5A4D and filesize > 20KB and 3 of ($s*) // 0x5A4D = "MZ"; 3 of 4 — because $s1 is generic, effectively two of $s2-$s4 plus __chkstk, or all three of $s2-$s4
19 | }
20 |
--------------------------------------------------------------------------------
/2021-10-29/Hive/RAN_ELF_Hive_Oct_2021_1.yara:
--------------------------------------------------------------------------------
1 | rule RAN_ELF_Hive_Oct_2021_1 { // ELF rule built from code patterns. NOTE(review): $s1 and $s2 look like Go runtime code rather than Hive-specific logic (see their notes); if so they are present in a very large population of Go binaries and the rule's selectivity rests on $s3/$s4 alone — level = "experimental" is appropriate, and a run over a benign Go ELF corpus is advisable before use
2 | meta:
3 | description = "Detect ELF version of Hive ransomware"
4 | author = "Arkbird_SOLG"
5 | reference = "https://twitter.com/ESETresearch/status/1454100591261667329"
6 | date = "2021-10-29"
7 | hash1 = "6a0449a0b92dc1b17da219492487de824e86a25284f21e6e3af056fe3f4c4ec0"
8 | hash2 = "bdf3d5f4f1b7c90dfc526340e917da9e188f04238e772049b2a97b4f88f711e3"
9 | tlp = "white"
10 | adversary = "-"
11 | level = "experimental"
12 | strings:
13 | $s1 = { 49 3b 66 10 76 ?? 48 83 ec ?? 48 89 6c 24 ?? 48 8d 6c 24 ?? 48 8b [3] 48 } // "cmp rsp,[r14+0x10]; jbe" is the function-entry stack-bound check that the Go compiler (register ABI, Go 1.17+) emits at the top of nearly every function — generic to Go binaries, not to this family
14 | $s2 = { 48 89 f8 48 89 f3 48 83 ec 27 48 83 e4 f0 48 89 44 24 10 48 89 5c 24 18 48 8d 3d 41 [2] 00 48 8d 9c 24 68 00 ff ff 48 89 5f 10 48 89 5f 18 48 89 1f 48 89 67 08 b8 00 00 00 00 0f a2 89 c6 83 f8 00 74 33 81 fb 47 65 6e 75 75 1e 81 fa 69 6e 65 49 75 16 81 f9 6e 74 65 6c 75 0e c6 05 [3] 00 01 c6 05 [3] 00 01 b8 01 00 00 00 0f a2 89 05 [3] 00 48 8b 05 } // cpuid leaf 0 followed by comparisons against "Genu" (47 65 6e 75), "ineI" (69 6e 65 49), "ntel" (6e 74 65 6c) — the "GenuineIntel" vendor check in the Go runtime's rt0_go entry stub; generic to Go binaries
15 | $s3 = { 66 0f 38 dc ?? 66 0f 38 dc ?? 66 0f 38 dc ?? 66 0f 38 dc ?? 66 0f 38 dc ?? 66 0f 38 dc } // six consecutive AESENC instructions (66 0f 38 dc /r) — AES-NI round sequence; note the Go runtime's hash routines also use runs of AESENC, so confirm this is from the encryption code path and not runtime.aeshash
16 | $s4 = { 00 00 48 8b ac 24 68 02 00 00 48 81 c4 70 02 00 00 c3 ?? 80 ?? 0e [6] 48 8b [2] 48 } // epilogue of a function with a 0x270-byte frame (mov rbp,[rsp+0x268]; add rsp,0x270; ret) followed by the start of the next function — frame size is the only specific element
17 | condition:
18 | uint32(0) == 0x464C457F and filesize > 20KB and all of ($s*) // 0x464C457F little-endian = "\x7fELF"; all four required
19 | }
20 |
--------------------------------------------------------------------------------
/2021-10-30/WinDealer/MAL_WinDealer_Oct_2021_2.yara:
--------------------------------------------------------------------------------
rule MAL_WinDealer_Oct_2021_2 {
    meta:
        description = "Detect modules from WinDealer implant"
        author = "Arkbird_SOLG"
        date = "2021-10-30"
        reference = "https://blogs.jpcert.or.jp/en/2021/10/windealer.html"
        hash1 = "0c365d9730a10f1a3680d24214682f79f88aa2a2a602d3d80ef4c1712210ab07"
        hash2 = "2eef273af0c768b514db6159d7772054d27a6fa8bc3d862df74de75741dbfb9c"
        tlp = "white"
        adversary = "LuoYu"
    strings:
        // 32-bit prologue (sub esp,0x3f0), a local set to 0x1f4, an import call
        // through the 0x10xxxxxx IAT and a jne over a >0x100 byte block
        $s1 = { 81 ec f0 03 00 00 53 55 8b d9 56 8d 44 24 0c 57 8d 4c 24 18 50 51 c7 44 24 18 f4 01 00 00 ff 15 0c [2] 10 85 c0 0f 85 ?? 01 00 00 68 [3] 10 }
        // push 0x80000001 (HKEY_CURRENT_USER) and push 0xF003F (KEY_ALL_ACCESS)
        // around two calls through ebx, then an inline strlen
        // (or ecx,-1 / repne scasb / not ecx / sub edi,ecx)
        $s2 = { 81 ec 24 03 00 00 53 56 8d 44 24 18 57 50 68 03 01 00 00 6a 00 68 [2] 03 10 68 01 00 00 80 c7 44 24 20 00 00 00 00 ff 15 10 [2] 10 85 c0 0f 85 ?? 01 00 00 8d 4c 24 0c 8d 54 24 20 51 52 8b 1d 00 [2] 10 50 68 3f 01 0f 00 50 50 50 8b 44 24 38 68 [2] 03 10 50 ff d3 85 c0 0f 85 ?? 01 00 00 8d 4c 24 0c 8d 54 24 10 51 52 50 68 3f 01 0f 00 50 50 50 8b 44 24 3c 68 [2] 03 10 50 ff d3 85 c0 0f 85 ?? 01 00 00 bf [2] 03 10 83 c9 ff f2 ae f7 d1 2b f9 8d ?? 24 }
        // path template for the implant's history file, UTF-16
        $s3 = "%s\\%s\\V5_History.dat" wide
        // rep stosd over 0x41 dwords (a 0x104-byte buffer) and push 0x104
        // (MAX_PATH) before an import call
        $s4 = { 8b 8c 24 2c 02 00 00 8b 94 24 28 02 00 00 55 57 51 52 8d 44 24 24 53 50 89 74 24 2c e8 05 fb ff ff b9 41 00 00 00 33 c0 8d bc 24 34 01 00 00 83 c4 18 f3 ab 8d 8c 24 1c 01 00 00 51 68 04 01 00 00 ff 15 [2] 03 10 b9 41 00 00 00 33 c0 8d 7c 24 18 50 f3 ab [3] 01 }
        // push 0x10 / call, then the first dword of the result set to a
        // 0x10xxxxxx pointer: looks like a 16-byte object constructor
        // (presumed from the shape, not confirmed)
        $s5 = { 56 6a 10 e8 [3] 00 8b f0 85 f6 74 3a 8b 4c 24 0c 8d 46 04 85 c9 c7 06 [3] 10 c7 00 00 00 00 00 50 74 11 8b 44 24 0c 50 e8 [3] 00 89 46 08 8b c6 5e c3 8b 4c 24 0c 51 e8 [3] 00 89 46 08 8b c6 5e c3 33 }
    condition:
        // 0x5a4d little-endian is "MZ"; 80KB is 81920 bytes
        uint16(0) == 0x5a4d and filesize > 81920 and 4 of them
}
20 |
--------------------------------------------------------------------------------
/2021-11-01/Decaf/RAN_Decaf_Nov_2021_1.yara:
--------------------------------------------------------------------------------
rule RAN_Decaf_Nov_2021_1 {
    meta:
        description = "Detect Decaf ransomware (unpacked UPX)"
        author = "Arkbird_SOLG"
        date = "2021-11-01"
        reference = "https://blog.morphisec.com/decaf-ransomware-a-new-golang-threat-makes-its-appearance"
        hash1 = "088b4715bbe986deac972d551b88f178d43b191f5a71fbd4db3fb0810a233500"
        hash2 = "5da2a2ebe9959e6ac21683a8950055309eb34544962c02ed564e0deaf83c9477"
        tlp = "white"
        adversary = "-"
    strings:
        // Go windows/amd64 call site: arguments spilled to the stack, call, then
        // xorps xmm15,xmm15 and the g reload via mov r14,gs:[0x28] / mov r14,[r14];
        // ends with a byte store at [rdx+0xe5]
        $s1 = { 48 8b 05 [3] 00 48 8b 0d [3] 00 48 8d 54 24 ?? 8b 5c 24 ?? 48 8d 74 24 ?? 48 89 0c 24 48 89 44 24 08 48 89 54 24 10 48 89 5c 24 18 48 89 74 24 20 89 f8 48 89 44 24 28 48 c7 44 24 30 00 00 00 00 e8 [2] 00 00 45 0f 57 ff 65 4c 8b 34 25 28 00 00 00 4d 8b b6 00 00 00 00 48 83 7c 24 38 00 74 ?? 48 8b 54 24 ?? c6 82 e5 00 00 00 00 48 8b 54 24 ?? 31 c0 }
        // same Go ABI pattern around a second call, with the frame epilogue
        // (mov rbp,[rsp+x] / add rsp,x / ret) in between
        $s2 = { 48 8b 05 [3] 00 48 8b 0d [3] 00 48 89 0c 24 48 89 44 24 08 44 0f 11 7c 24 10 48 c7 44 24 20 00 00 00 00 e8 [2] 00 00 45 0f 57 ff 65 4c 8b 34 25 28 00 00 00 4d 8b b6 00 00 00 00 48 83 7c 24 28 00 74 0a 48 8b 6c 24 ?? 48 83 c4 ?? c3 e8 [3] 00 45 0f 57 ff 65 4c 8b 34 25 28 00 00 00 4d 8b b6 00 00 00 00 }
        // stack slot set to 0x104 (MAX_PATH), the returned length compared with
        // 0x104, then a '\\' (c6 04 03 5c) appended to the buffer
        $s3 = { 48 83 ec 48 48 89 6c 24 40 48 8d 6c 24 40 48 89 44 24 50 48 89 5c 24 58 48 83 3d [3] 00 00 75 73 48 8b 05 45 [2] 00 48 8d 0d 66 [2] 00 48 89 04 24 48 89 4c 24 08 48 c7 44 24 10 04 01 00 00 e8 [2] 00 00 45 0f 57 ff 65 4c 8b 34 25 28 00 00 00 4d 8b b6 00 00 00 00 48 8b 44 24 18 48 85 c0 0f 84 6a 01 00 00 48 3d 04 01 00 00 0f 87 5e 01 00 00 48 8d 1d 1a [2] 00 c6 04 03 5c 4c 8d 40 01 4c 89 05 [3] 00 48 8b 44 24 50 48 8b 5c }
        // call with the same TLS reload, a result slot tested at [rsp+0x18],
        // two register loads, then a second call with a 0x30-byte argument block
        $s4 = { 48 89 44 24 40 c7 44 24 3c 00 00 00 00 48 8b 0d [3] 00 48 8d 54 24 3c 48 89 0c 24 48 89 44 24 08 48 89 54 24 10 e8 [2] 00 00 45 0f 57 ff 65 4c 8b 34 25 28 00 00 00 4d 8b b6 00 00 00 00 48 83 7c 24 18 00 75 10 48 8b 44 24 40 8b 4c 24 68 48 8b 5c 24 60 eb 1d 48 8b 44 24 40 48 8b 5c 24 60 8b 4c 24 68 e8 8f 00 00 00 48 8b 6c 24 48 48 83 c4 50 c3 c7 44 24 38 00 00 00 00 48 8b 15 [3] 00 48 8d 74 24 38 48 89 14 24 48 89 44 24 08 48 89 5c 24 10 48 63 c1 48 89 44 24 18 48 89 74 24 20 48 c7 44 24 28 00 00 00 00 e8 }
        // "-----BEGIN RSA PUBLIC KEY-----\nMIIBCgKCAQEA": a PEM PKCS#1 public key
        // header. Any binary embedding such a key carries this, so it only
        // contributes to the "4 of" count and must not be matched alone.
        $s5 = { 2d 2d 2d 2d 2d 42 45 47 49 4e 20 52 53 41 20 50 55 42 4c 49 43 20 4b 45 59 2d 2d 2d 2d 2d 0a 4d 49 49 42 43 67 4b 43 41 51 45 41 }
    condition:
        // "MZ" header; 400KB is 409600 bytes
        uint16(0) == 0x5A4D and filesize > 409600 and 4 of ($s*)
}
20 |
--------------------------------------------------------------------------------
/2021-11-09/DEV_0322/UNK_DEV_0322_Jul_2021_1.yara:
--------------------------------------------------------------------------------
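rule UNK_DEV_0322_Jul_2021_1 {
    meta:
        description = "Detect the script used by DEV-0322 to create a new user after exploiting CVE-2021-35211"
        author = "Arkbird_SOLG"
        reference = "https://www.cadosecurity.com/triage-analysis-of-serv-u-ftp-user-backdoor-deployed-by-cve-2021-35211/"
        date = "2021-07-16"
        hash1 = "fb101d9980ba2e22dceac7367c670b4894eaae9a8cef9de98ed85499a3b014ea"
        hash2 = "134a570f480536d04a056da99e58a3c982aa36f5b314f48a01420b66b759d35d"
        hash3 = "8785f1049eed4f837e634bf61468e6db921368b61ef5c8b4afa03f44465bd3e0"
        tlp = "white"
        adversary = "DEV-0322"
    strings:
        // ActiveX objects instantiated by the script
        // "ActiveXObject('Scripting.FileSystemObject')"
        $obj1 = { 41 63 74 69 76 65 58 4f 62 6a 65 63 74 28 27 53 63 72 69 70 74 69 6e 67 2e 46 69 6c 65 53 79 73 74 65 6d 4f 62 6a 65 63 74 27 29 }
        // "ActiveXObject(\"WScript.Shell\")"
        $obj2 = { 41 63 74 69 76 65 58 4f 62 6a 65 63 74 28 22 57 53 63 72 69 70 74 2e 53 68 65 6c 6c 22 29 }
        // Arguments used to manage the service: "-stopengine" / "-startservice"
        $arg1 = { 2d 73 74 6f 70 65 6e 67 69 6e 65 }
        $arg2 = { 2d 73 74 61 72 74 73 65 72 76 69 63 65 }
        // Text fragments from the command the script assembles (presumably the
        // user-definition lines it writes). The "\r\n" below are the literal
        // four characters 5c 72 5c 6e as they appear in the script source.
        // "<<- AdminType"
        $s1 = { 3c 3c 2d 20 41 64 6d 69 6e 54 79 70 65 }
        // "CUserPasswordAttr\r\nPassword"
        $s2 = { 43 55 73 65 72 50 61 73 73 77 6f 72 64 41 74 74 72 5c 72 5c 6e 50 61 73 73 77 6f 72 64 }
        // "<<- PasswordChangedOn\r\nCRhinoUintAttr"
        $s3 = { 3c 3c 2d 20 50 61 73 73 77 6f 72 64 43 68 61 6e 67 65 64 4f 6e 5c 72 5c 6e 43 52 68 69 6e 6f 55 69 6e 74 41 74 74 72 }
        // "<<- IncludeRespCodesInMsgFiles"
        $s4 = { 3c 3c 2d 20 49 6e 63 6c 75 64 65 52 65 73 70 43 6f 64 65 73 49 6e 4d 73 67 46 69 6c 65 73 }
    condition:
        // No file-magic check: the sample is a plain-text script. The two
        // ActiveX objects and the two service arguments are common on their own,
        // so the $s* fragments carry the specificity (3 of 4 required).
        filesize > 1KB and filesize < 15KB and all of ($obj*) and all of ($arg*) and 3 of ($s*)
}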
27 |
--------------------------------------------------------------------------------
/2021-11-10/MAL_ELF_Rekoobe_Nov_2021_1.yara:
--------------------------------------------------------------------------------
rule MAL_ELF_Rekoobe_Nov_2021_1 {
    meta:
        description = "Detect the Rekoobe rootkit"
        author = "Arkbird_SOLG"
        date = "2021-11-10"
        reference = "Internal Research"
        hash1 = "bf09a1a7896e05b18c033d2d62f70ea4cac85e2d72dbd8869e12b61571c0327e"
        hash2 = "e1999a3e5a611312e16bb65bb5a880dfedbab8d4d2c0a5d3ed1ed926a3f63e94"
        tlp = "white"
        adversary = "-"
    strings:
        // mov edi,0xa / call (a 10-byte allocation, presumably) and then
        // "HISTFILE=" written one byte at a time into it
        // (c6 00 48 'H', c6 40 05 49 'I', c6 40 01 49 'I', ... c6 40 09 00):
        // the shell-history variable is assembled at runtime so it never
        // appears as a plain string — a useful detection anchor
        $s1 = { 00 ?? 19 00 00 00 48 85 c0 [2-6] bf 0a 00 00 00 e8 [2] 01 00 ?? 24 00 00 00 48 85 c0 [2-6] c6 00 48 c6 40 05 49 c6 40 01 49 c6 40 06 4c c6 40 02 53 c6 40 07 45 c6 40 03 54 c6 40 08 3d c6 40 04 46 c6 40 09 00 48 89 c7 e8 [2] 00 00 48 8d 54 24 0c }
        $s2 = "GETCONF_DIR" ascii
        // two path strings fused without a separator (nscd socket dir + pty master)
        $s3 = "/var/run/nscd/so/dev/ptmx" ascii
        // "ExecStart=/bin/bash -c /usr/bin/biosetd": a systemd unit line,
        // presumably the persistence entry the sample drops
        $s4 = { 45 78 65 63 53 74 61 72 74 3d 2f 62 69 6e 2f 62 61 73 68 20 2d 63 20 2f 75 73 72 2f 62 69 6e 2f 62 69 6f 73 65 74 64 }
        // two calls with rdi reloaded from rbx (48 89 df), esi zeroed between
        // them, then lea rbx,[rax+1]
        $s5 = { 48 89 df e8 [3] ff 31 f6 48 89 df e8 [3] ff 48 8d 58 01 48 }
        // "/var/tmp" NUL "/var/profile"
        $s6 = { 2f 76 61 72 2f 74 6d 70 00 2f 76 61 72 2f 70 72 6f 66 69 6c 65 }
    condition:
        // "\x7fELF" magic; 100KB is 102400 bytes
        uint32(0) == 0x464c457f and filesize > 102400 and 5 of them
}
21 |
--------------------------------------------------------------------------------
/2021-11-11/Void_Balaur/APK_DroidWatcher_Nov_2021_1.yara:
--------------------------------------------------------------------------------
rule APK_DroidWatcher_Nov_2021_1 {
    meta:
        description = "Detect modified DroidWatcher stealer used by Void Balaur group"
        author = "Arkbird_SOLG"
        date = "2021-11-11"
        reference = "https://documents.trendmicro.com/assets/white_papers/wp-void-balaur-tracking-a-cybermercenarys-activities.pdf"
        hash1 = "902c5f46ac101b6f30032d4c5c86ecec115add3605fb0d66057130b6e11c57e6"
        tlp = "white"
        adversary = "Void Balaur"
        level = "Experimental"
    strings:
        // $s1-$s5 are opaque, high-entropy byte runs with no readable text.
        // They are presumably carved from compressed entries inside the APK
        // (a ZIP), which means a repackaged or recompressed build of the same
        // code will not match — TODO confirm against the reference sample.
        $s1 = { 38 50 F4 59 CC FF F3 37 65 28 4F 35 1A D2 83 C9 6C E0 20 27 38 C5 39 2E 72 95 5B 3C E0 29 D1 9E C7 0C A4 21 1B 55 09 A5 0B 83 99 C8 7C D6 F2 0F 47 B9 CE 43 82 5E C4 0C }
        $s2 = { 3C E2 39 81 D4 EA 82 1F F8 83 42 54 A0 2E 6D E8 C5 44 E6 B0 92 13 5C E6 21 EF 89 9D 26 28 90 8C 3C 94 A3 36 AD E9 CD 48 26 B2 92 1D 1C E4 34 57 B9 C7 2B A2 7D 1E 14 A8 4A 4D 5A D3 8E 2E F4 A4 1F 83 19 C1 58 A6 32 9B 05 2C 63 03 DB B9 42 }
        $s3 = { F0 96 6F 33 59 1B BA 32 82 8D 5C 22 28 B3 1E 4C 65 BA 31 99 4D 1C E0 2E 89 7E F3 1E 94 A7 13 13 08 E7 22 31 7E D7 EB 28 42 53 46 B0 81 73 7C 22 E3 1F 62 4E 17 66 B2 8F 47 A4 CA A2 D6 68 C9 44 36 72 9D 78 7F 7A 16 B5 18 CA 5A 4E F2 92 74 59 }
        $s4 = { 3D 57 89 56 4D 9E 51 9C CE 2C 20 92 B8 D5 C5 81 7A 8C 65 03 17 F9 C0 77 35 5C 4F 0B 26 B0 99 0B C4 A9 69 5D A9 44 0F 66 F2 2F F7 48 5C 4B 7E 50 9D 41 2C E0 34 AF 89 5F 5B 9E 50 92 C6 F4 65 3C 0B D8 CA 1E CE F3 80 CF EA B8 9E 94 A4 E5 37 72 51 88 0A 34 A3 2F 03 19 CE 41 22 B8 C9 5D 1E F2 82 77 44 AF AB }
        $s5 = { FA D6 A4 0F EB 79 42 D2 76 F6 54 BA B2 9A 27 FC D0 5E 9E 30 8D 2B 24 E9 A0 AE A8 41 33 06 32 84 51 8C 63 12 33 98 CF 72 36 B0 8B 83 1C E3 12 D7 B8 CD 63 5E 13 B3 A3 FE 45 06 8A D0 80 3E 0C 66 32 33 59 C6 66 0E 10 C1 39 AE F3 84 D7 C4 EF E4 EC C8 37 64 22 17 F9 28 42 45 3A 31 9E A5 EC E1 14 37 79 C0 DB FF FD B6 B3 E7 F3 3B 45 A9 45 28 E3 D9 }
    condition:
        // 0x504b0304 big-endian is "PK\x03\x04", the ZIP local file header;
        // 300KB is 307200 bytes
        uint32be(0) == 0x504b0304 and filesize > 307200 and 4 of ($s*)
}
20 |
--------------------------------------------------------------------------------
/2021-11-21/EXP_CVE_2021_42321_Nov_2021_1.yara:
--------------------------------------------------------------------------------
rule EXP_CVE_2021_42321_Nov_2021_1 {
    meta:
        description = "Detect CVE-2021-42321 exploit tool"
        author = "Arkbird_SOLG"
        date = "2021-11-21"
        reference = "https://gist.github.com/testanull/0188c1ae847f37a70fe536123d14f398"
        hash1 = "537744916ce2e78748d301901c679307e8159101f3b194add89f6e1dfbf62c32"
        tlp = "white"
        adversary = "-"
        level = "Experimental"
    strings:
        // base64 "AAEAAAD/////AQAAAAAAAAAMAgAAAF5NaWNyb": decodes to the .NET
        // BinaryFormatter stream header (00 01 00 00 00 ff ff ff ff 01 00 00 00
        // 00 00 00 00) followed by a BinaryLibrary record whose name starts
        // "Micro..." — i.e. an embedded serialized payload
        $s1 = { 41 41 45 41 41 41 44 2f 2f 2f 2f 2f 41 51 41 41 41 41 41 41 41 41 41 4d 41 67 41 41 41 46 35 4e 61 57 4e 79 62 }
        // EWS endpoint the tool posts to
        $s2 = "/ews/exchange.asmx" ascii
        // "HttpNtlmAuth('%s' % (USER)": Python %-formatting around an NTLM auth
        // helper, consistent with a requests-based script
        $s3 = { 48 74 74 70 4e 74 6c 6d 41 75 74 68 28 27 25 73 27 20 25 20 28 55 53 45 52 29 }
        // '"User-Agent": "ExchangeServicesClient': a client-looking UA header
        $s4 = { 22 55 73 65 72 2d 41 67 65 6e 74 22 3a 20 22 45 78 63 68 61 6e 67 65 53 65 72 76 69 63 65 73 43 6c 69 65 6e 74 }
        // base64 of a XAML fragment ("...ectDataProvider>\r\n    <ObjectDataProvider
        // x:Key=\"setMethod\" ObjectInstance=\"{x:Static c:Configurati..."):
        // the serialized gadget the tool submits; a detection anchor for the
        // payload rather than the tool's network code
        $s5 = { 6d 56 6a 64 45 52 68 64 47 46 51 63 6d 39 32 61 57 52 6c 63 6a 34 4e 43 69 41 67 49 43 41 38 54 32 4a 71 5a 57 4e 30 52 47 46 30 59 56 42 79 62 33 5a 70 5a 47 56 79 49 48 67 36 53 32 56 35 50 53 4a 7a 5a 58 52 4e 5a 58 52 6f 62 32 51 69 49 45 39 69 61 6d 56 6a 64 45 6c 75 63 33 52 68 62 6d 4e 6c 50 53 4a 37 65 44 70 54 64 47 46 30 61 57 4d 67 59 7a 70 44 62 32 35 6d 61 57 64 31 63 6d 46 30 61 57 }
    condition:
        // no file-magic check: the sample is text (presumably a script);
        // 3KB is 3072 bytes
        filesize > 3072 and 4 of ($s*)
}
20 |
--------------------------------------------------------------------------------
/2021-11-22/APT_Tardigrade_Nov_2021_1.yara:
--------------------------------------------------------------------------------
rule APT_Tardigrade_Nov_2021_1 {
    meta:
        description = "Detect Tardigrade loader"
        author = "Arkbird_SOLG"
        date = "2021-11-22"
        reference = "https://www.isac.bio/post/tardigrade"
        hash1 = "1c7c1a28921d81f672320e81ad58642ef3b8e27abf8a8e51400b98b40f49568be"
        hash2 = "c0976a1fbc3dd938f1d2996a888d0b3a516b432a2c38d788831553d81e2f5858"
        hash3 = "cf88926b7d5a5ebbd563d0241aaf83718b77cec56da66bdf234295cc5a91c5fe"
        tlp = "white"
        adversary = "Tardigrade"
    strings:
        // "cmd.exe /c echo " [10-40 bytes] ">\"%s\"&exit": shell one-liner that
        // redirects echoed content into a path filled in at runtime
        $s1 = { 63 6d 64 2e 65 78 65 20 2f 63 20 65 63 68 6f 20 [10-40] 3e 22 25 73 22 26 65 78 69 74 }
        // three args spilled to [rsp+0x38/0x34/0x28], two relative calls, the
        // args reloaded, add rsp,0x48 and a backward jmp (e9 71 fe ff ff), then
        // mov rdx,rcx / lea rcx,[rip+...]
        $s2 = { 4c 89 44 24 38 89 54 24 34 48 89 4c 24 28 e8 [2] 01 00 e8 [2] 01 00 4c 8b 44 24 38 8b 54 24 34 48 8b 4c 24 28 48 83 c4 48 e9 71 fe ff ff 90 48 89 ca 48 8d 0d 76 ?? 02 00 }
        // x64 prologue pushing r15..rbx then sub rsp; a stack argument saved at
        // [rsp+0x60], a rip-relative global read, rcx saved at [rsp+0x40]
        $s3 = { 41 57 41 56 41 55 41 54 55 57 56 53 48 ?? ec [1-4] 48 8b 84 24 ?? 00 00 00 48 89 44 24 60 48 8b 05 [2] 01 00 48 89 4c 24 40 ?? 38 }
        // xor r8d,r8d; lea rcx/r9 into two stack buffers; lea rdx,[rip+...];
        // call [rip+...]: a four-argument import call with r8 = 0
        $s4 = { 45 31 c0 48 8d 8c 24 ?? 02 00 00 4c 8d 8c 24 ?? 01 00 00 48 8d 15 [2] 01 00 ff 15 [2] 02 00 }
    condition:
        // "MZ" header; 50KB is 51200 bytes
        uint16(0) == 0x5A4D and filesize > 51200 and all of ($s*)
}
20 |
--------------------------------------------------------------------------------
/2021-12-09/RAN_ALPHV_Dec_2021_1.yara:
--------------------------------------------------------------------------------
rule RAN_ALPHV_Dec_2021_1 {
    meta:
        description = "Detect AlphV ransomware (Nov and Dec 2021)"
        author = "Arkbird_SOLG"
        reference = "Internal Research"
        date = "2021-12-09"
        hash1 = "3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83"
        hash2 = "7e363b5f1ba373782261713fa99e8bbc35ddda97e48799c4eb28f17989da8d8e"
        hash3 = "cefea76dfdbb48cfe1a3db2c8df34e898e29bec9b2c13e79ef40655c637833ae"
        hash4 = "731adcf2d7fb61a8335e23dbee2436249e5d5753977ec465754c6b699e9bf161"
        tlp = "white"
        adversary = "BlackCat"
    strings:
        // push [esp+...] / push 0 / push [global in the 0x??e1?? data area] /
        // call, then push 0x1fc0 before a second call and add esp,4
        $s1 = { ff b4 24 [2] 00 00 6a 00 ff 35 ?? e1 ?? 00 e8 [3] 00 8d 8c 24 [2] 00 00 ba [3] 00 68 c0 1f 00 00 e8 [3] ff 83 c4 04 ?? bc 24 [2] 00 00 }
        // one-time initialisation of several globals in the same 0x??e1?? area:
        // lock cmpxchg [addr],ecx (f0 0f b1 0d) plus push addr / push 0 / push 0 /
        // call sequences feeding each slot, ending with a 0x10c-byte region
        // passed with 0 to a call
        $s2 = { 85 f6 74 47 8b 3d ?? e1 ?? 00 85 ff 0f 85 81 00 00 00 eb 60 68 [3] 00 6a 00 6a 00 e8 [2] 04 00 85 c0 0f 84 99 01 00 00 89 c1 31 c0 f0 0f b1 0d ?? e1 ?? 00 0f 84 f0 fe ff ff 89 c6 51 e8 [2] 04 00 89 f1 e9 e1 fe ff ff 68 [3] 00 ff 35 ?? e1 ?? 00 e8 [2] 04 00 85 c0 0f 84 32 03 00 00 89 c6 a3 ?? e1 ?? 00 8b 3d ?? e1 ?? 00 85 ff 75 1f 68 [3] 00 ff 35 ?? e1 ?? 00 e8 [2] 04 00 85 c0 0f 84 09 03 00 00 89 c7 a3 ?? e1 ?? 00 89 74 24 18 e8 [2] 04 00 8b 35 ?? e1 ?? 00 89 44 24 14 85 f6 75 1f 68 [3] 00 ff 35 ?? e1 ?? 00 e8 [2] 04 00 85 c0 0f 84 b8 01 00 00 89 c6 a3 ?? e1 ?? 00 8d 44 24 70 c7 44 24 64 00 00 00 00 c7 44 24 60 00 00 00 00 68 0c 01 00 00 6a 00 50 e8 [2] 04 00 83 }
        // lazily-filled global (test / call / store), then mov edx,1 / call / ud2
        // (0f 0b) on the failure path: consistent with a compiler-emitted
        // abort/panic path; the success path does push ebx/edi/esi / call /
        // add esp,0xc / lea eax,[esi+ebx]
        $s3 = { 8b 38 89 4d ec 89 55 ?? 74 34 a1 ?? e1 ?? 00 85 c0 75 0e e8 [3] 00 85 c0 74 14 a3 ?? e1 ?? 00 53 6a 00 50 e8 [3] 00 89 c6 85 c0 75 13 89 d9 ba 01 00 00 00 e8 [3] ff 0f 0b be 01 00 00 00 53 57 56 e8 [3] 00 83 c4 0c 8d 04 1e 8d 4d }
        // several ebp-relative locals initialised, push 0x10 / push eax / push edi /
        // call, result compared with -1 (83 f8 ff) and a byte flag tested
        $s4 = { 83 c4 0c c7 45 ?? 00 00 00 00 c7 45 ?? 02 00 00 89 89 75 ?? 8d 45 ?? c7 45 ?? 00 00 00 00 c7 45 ?? 00 00 00 00 6a 10 50 57 e8 [3] 00 83 f8 ff 0f 84 ?? 02 00 00 f6 45 9c ff }
    condition:
        // "MZ" header; 300KB is 307200 bytes
        uint16(0) == 0x5a4d and filesize > 307200 and all of them
}
22 |
--------------------------------------------------------------------------------
/2021-12-13/APT_APT_C_61_Dec_2021_1.yara:
--------------------------------------------------------------------------------
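rule APT_APT_C_61_Dec_2021_1 {
    meta:
        description = "Detect similar structures used in the APT-C-61 maldocs"
        author = "Arkbird_SOLG"
        date = "2021-12-13"
        reference = "Internal Research"
        hash1 = "2cc0f8a85df2b2b0dd4c6942125bf82e647e9ac7bb91467ac5c480cf5e1dd4ff"
        hash2 = "193c921f7ab12c0066014ffad37a98ee57ecd5101dae2ddeb5e39200eb704431"
        hash3 = "4ec021cc3dbb2b0de7313e41063026e3ef4777baf4dec2bdad7cd2d515bf0fe2"
        tlp = "white"
        adversary = "APT-C-61"
    strings:
        // "><w:instrText>SET " [1-4 bytes] "</w:instrText>": a SET field code
        // with a short bookmark name
        $s1 = { 3e 3c 77 3a 69 6e 73 74 72 54 65 78 74 3e 53 45 54 20 [1-4] 3c 2f 77 3a 69 6e 73 74 72 54 65 78 74 3e }
        // "</w:r><w:fldSimple w:instr=\"  QUOTE  ": a QUOTE field whose
        // instruction text is padded with double spaces
        $s2 = { 3c 2f 77 3a 72 3e 3c 77 3a 66 6c 64 53 69 6d 70 6c 65 20 77 3a 69 6e 73 74 72 3d 22 20 20 51 55 4f 54 45 20 20 }
        // "<w:instrText xml:space=\"preserve\"> </w:instrText>": a whitespace-only
        // instruction run that splits the field code across runs
        $s3 = { 3c 77 3a 69 6e 73 74 72 54 65 78 74 20 78 6d 6c 3a 73 70 61 63 65 3d 22 70 72 65 73 65 72 76 65 22 3e 20 3c 2f 77 3a 69 6e 73 74 72 54 65 78 74 3e }
        // "<w:r><w:instrText xml:space=\"preserve\"> DDE</w:instrText></w:r>":
        // the DDE keyword isolated in its own run
        $s4 = { 3c 77 3a 72 3e 3c 77 3a 69 6e 73 74 72 54 65 78 74 20 78 6d 6c 3a 73 70 61 63 65 3d 22 70 72 65 73 65 72 76 65 22 3e 20 44 44 45 3c 2f 77 3a 69 6e 73 74 72 54 65 78 74 3e 3c 2f 77 3a 72 3e }
    condition:
        // 0x4b50 little-endian is "PK": the rule scans the OOXML ZIP container.
        // The WordprocessingML fragments above are only visible when the XML
        // part is stored uncompressed inside the ZIP (or the scanner inflates
        // entries first); a deflated document with identical content will not
        // match this rule as written.
        uint16(0) == 0x4b50 and filesize > 20KB and all of ($s*)
}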
21 |
--------------------------------------------------------------------------------
/2021-12-16/MAL_PseudoManuscrypt_Dec_2021_1.yara:
--------------------------------------------------------------------------------
rule MAL_PseudoManuscrypt_Dec_2021_1 {
    meta:
        description = "Detect PseudoManuscrypt loader dropped by the installer"
        author = "Arkbird_SOLG"
        reference = "https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-PseudoManuscrypt-a-mass-scale-spyware-attack-campaign-En.pdf"
        date = "2021-12-16"
        hash1 = "19627bcee38a4ca5ae9a60c71ee7a2e388ba99fb8b229700a964a084db236e1f"
        hash2 = "be94df270acfc8e5470fa161b808d0de1c9e85efeeff4a5d82f5fd09629afa8e"
        hash3 = "de965e33dff58cf011106feacef2f804d9e35d00b8b5ff7064e5b7afee46d72c"
        hash4 = "e32899bef78f6af4a155f738298e042f72fe5e643ec934f8778180f71e511727"
        tlp = "white"
        adversary = "-"
    strings:
        // "SOFTWARE\Microsoft\Cryptography" NUL "{G657YS06-016D-4C0R-6022-FGE2C322667F}"
        // NUL NUL "MachineGuid": the registry path/value for the machine GUID
        // next to a hard-coded placeholder that is not a valid GUID (it contains
        // G, Y, S and R) — presumably a fallback identifier
        $s1 = { 53 4f 46 54 57 41 52 45 5c 4d 69 63 72 6f 73 6f 66 74 5c 43 72 79 70 74 6f 67 72 61 70 68 79 00 7b 47 36 35 37 59 53 30 36 2d 30 31 36 44 2d 34 43 30 52 2d 36 30 32 32 2d 46 47 45 32 43 33 32 32 36 36 37 46 7d 00 00 4d 61 63 68 69 6e 65 47 75 69 64 }
        // stack strings written as dword immediates to ebp-relative slots:
        // "\CLS" "ID\%" "s" and "Glob" "al" -> "\CLSID\%s" and "Global"
        $s2 = { 45 ?? 5c 43 4c 53 c7 45 ?? 49 44 5c 25 c7 45 ?? 73 00 00 00 c7 45 ?? 47 6c 6f 62 c7 45 ?? 61 6c }
        // "Virt" "ualA" "lloc" assembled on the stack, then an import call (ff 15):
        // the API name is built at runtime rather than stored as a plain string
        $s3 = { 56 69 72 74 c7 [2-4] 75 61 6c 41 c7 [2-4] 6c 6c 6f 63 ff 15 }
        // "Loader.dll" NUL "ServiceMain": likely the DLL name and export name
        $s4 = { 4c 6f 61 64 65 72 2e 64 6c 6c 00 53 65 72 76 69 63 65 4d 61 69 6e }
        // ".rsrc$01" ... ".rsrc$02": resource section-contribution names
        $s5 = { 2e 72 73 72 63 24 30 31 00 00 00 00 a0 ?? 00 00 ?? 04 00 00 2e 72 73 72 63 24 30 32 }
    condition:
        // "MZ" header; the loader is small: between 3072 and 30720 bytes
        uint16(0) == 0x5a4d and filesize > 3072 and filesize < 30720 and all of them
}
23 |
--------------------------------------------------------------------------------
/29-01-20/IOC.csv:
--------------------------------------------------------------------------------
1 | Group/APT/Malware,Type,Indicator,Name
2 | KasperAgent,SHA256,80fb33854bf54ceac731aed91c677d8fb933d1593eb95447b06bd9b80f562ed2,80fb33854bf54ceac731aed91c677d8fb933d1593eb95447b06bd9b80f562ed2.sample
3 | KasperAgent,SHA256,d8dc553fbb4569045a298759af75a3a108f82cf883ae986214d3075cc738836e,dttcodexgigas.exe
4 | Kimsuky,SHA256,d70ba9d36526f1aa1b8dbb58a49d974cc5d24cc19b688247a0ff4bbbe74ba358,071d5c44d21c365c13133d46b93a94bc.js
5 | Kimsuky,SHA256,f30e6443b408ea8f1ffb03117a0b9c1469fac1318ae3eccddc2da1db6dfa56f8,071d5c44d21c365c13133d46b93a94bc.js
6 | Kimsuky,SHA256,64fe771edda328fec567e51e0eb3a69fbc9df1621bb83c7d86e1d0c3f5cce6dd,a.txt
7 | Kimsuky,SHA256,4011bb37b49090f525fe8bd643dbd2e9f57f946b4acea335688a24be8930df1f,b.txt
8 | Kimsuky,SHA256,d8dc553fbb4569045a298759af75a3a108f82cf883ae986214d3075cc738836e,pay.exe
9 | Kimsuky,SHA256,80fb33854bf54ceac731aed91c677d8fb933d1593eb95447b06bd9b80f562ed2,integratedoffice.exe
10 | Kimsuky,SHA256,7d48ca8d13970508123e4a47fb0f48546be503089c6f0f9097384d8a8727391f,071d5c44d21c365c13133d46b93a94bc.js
11 | Kimsuky,SHA256,aae346dc3dbdf8736b695d8c90fff0d3093d16978a1b55ae4f1167709ea9bd02,071d5c44d21c365c13133d46b93a94bc.js
12 | Kimsuky,SHA256,70864ce071464d6e650528a038dacf86b05ded61662ccdb51b91d1ca068b5b11,071d5c44d21c365c13133d46b93a94bc.js
13 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | ## DailyIOC
2 | ### IOCs collected from articles and tweets, kept for archival
3 |
4 |
5 |
6 |
7 |
8 |
9 |
10 |
11 |
12 |
13 |
14 |
--------------------------------------------------------------------------------
/TA551/TA551_Decoder.js:
--------------------------------------------------------------------------------
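/**
 * Decodes a hex string into the string whose UTF-16 code units are the parsed
 * byte values.
 *
 * Each two-character chunk is parsed as base 16 and turned into one code unit
 * with String.fromCharCode. A trailing lone character is parsed on its own,
 * and a chunk that is not hex parses to NaN and therefore yields "\u0000";
 * both match the behaviour of the original decoder, so callers see no change.
 *
 * @param {string} arg - Hex-encoded data.
 * @returns {string} The decoded characters; "" for empty input.
 */
function Decode(arg) {
  let r = "";
  for (let i = 0; i < arg.length; i += 2) {
    // slice(i, i + 2) replaces the deprecated substr(i, 2); radix 16 is explicit.
    r += String.fromCharCode(Number.parseInt(arg.slice(i, i + 2), 16));
  }
  return r;
}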
/**
 * Reverses a string one UTF-16 code unit at a time (the encoded blob is
 * stored reversed, so this restores the hex order before decoding).
 *
 * @param {string} r - Input string.
 * @returns {string} r with its code units in reverse order; "" for "".
 */
function Rebuild(r) {
  let reversed = "";
  for (let idx = r.length - 1; idx >= 0; idx -= 1) {
    reversed += r[idx];
  }
  return reversed;
}
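// Usage: paste the reversed hex blob carried by the TA551 script in place of
// the placeholder below. The blob is un-reversed, then hex-decoded, and the
// result is printed. All three bindings are declared so the script creates no
// implicit globals.
const d = "Push HexData";
const u = Rebuild(d);
const Data = Decode(u);
console.log(Data);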
15 |
--------------------------------------------------------------------------------