├── APT ├── APT_APT15_Graphican_Jun_2023_1.yara ├── APT_APT15_Ketrican_Jun_2023_1.yara ├── APT_APT23_ChiserClient_Dec_2021_1.yara ├── APT_APT23_Gh0stRAT_Dec_2021_1.yara ├── APT_APT23_NeraPack_Dec_2021_1.yara ├── APT_APT23_Smilesvr_Dec_2021_1.yara ├── APT_APT23_Smilesvrdrp_Dec_2021_1.yara ├── APT_APT23_USBFerry_May_2020_1.yara ├── APT_APT23_USBFerry_May_2020_2.yara ├── APT_APT23_USBFerry_May_2020_3.yara ├── APT_APT23_USBFerry_May_2020_4.yara ├── APT_APT28_CredoMap_Jun_2022_1.yara ├── APT_APT37_Bluelight_Dec_2022_1.yara ├── APT_Actor210426_loader_Aug_2022_1.yara ├── APT_Antlion_EHAGBPSL_Feb_2022_1.yara ├── APT_Antlion_NetSessionEnum_Feb_2022_1.yara ├── APT_Antlion_xPack_Feb_2022_1.yara ├── APT_BlackTech_Flagpro_Dec_2021_1.yara ├── APT_Downloader_SharpPanda_Jul_2022_1.yara ├── APT_Earth_Berberoka_Korplug_Oct_2022_1.yara ├── APT_Earth_Berberoka_Tifa_Oct_2022_1.yara ├── APT_Earth_Berberoka_Yuma_Oct_2022_1.yara ├── APT_Gallium_PingPull_Jun_2022_1.yara ├── APT_InvisiMole_rc2fm_Mar_2022_1.yara ├── APT_Knotweed_Jumplump_Jul_2022_1.yara ├── APT_Knotweed_Jumplump_Jul_2022_2.yara ├── APT_Knotweed_Jumplump_Jul_2022_3.yara ├── APT_Knotweed_Jumplump_Jul_2022_4.yara ├── APT_Knotweed_Mex_Jul_2022_1.yara ├── APT_Knotweed_Passlib_Jul_2022_1.yara ├── APT_Molerats_NimbleMamba_Jan_2022_1.yara ├── APT_MoustachedBouncer_NightClub_Aug_2023_1.yara ├── APT_Nobelium_Beatdrop_Feb_2022_1.yara ├── APT_Nobelium_Downloader_May_2022_1.yara ├── APT_Nobelium_GraphicalNeutrino_Feb_2023_1.yara ├── APT_Sandworm_ArguePatch_Apr_2022_1.yara ├── APT_Sandworm_Cyclops_Blink_Mar_2022_1.yara ├── APT_SideWinder_WarHawk_Oct_2022_1.yara └── APT_Worok_PNGLoad_Sept_2022_1.yara ├── Crimeware ├── CRIM_FIN13_CMD_Jan_2022_1.yara └── CRIM_FIN13_IPScanner_Jan_2022_1.yara ├── Exfiltration └── EXF_StealBit_Lockbit_Dec_2021_1.yara ├── Hunting ├── HUN_APT29_EnvyScout_Jul_2023_1.yara └── HUN_Exchange_Gold_Mystic_Oct_2022_1.yara ├── LICENSE.md ├── Malware ├── MAL_44Caliber_Feb_2022_1.yara ├── MAL_Allcome_Feb_2022_1.yara ├── 
MAL_BPFDoor_May_2022_1.yara ├── MAL_BPFDoor_May_2022_2.yara ├── MAL_BPFDoor_May_2022_3.yara ├── MAL_Daxin_Feb_2022_1.yara ├── MAL_Daxin_Feb_2022_2.yara ├── MAL_DeimosC2_Beacon_Nov_2022_1.yara ├── MAL_DeimosC2_Beacon_Nov_2022_2.yara ├── MAL_Denonia_Apr_2022_1.yara ├── MAL_ELF_Cloudmensis_Jul_2022_1.yara ├── MAL_ELF_DeimosC2_Beacon_Nov_2022_1.yara ├── MAL_ELF_DeimosC2_Beacon_Nov_2022_2.yara ├── MAL_ELF_Symbiote_Jun_2022_1.yara ├── MAL_ELF_SysJoker_Jan_2022_1.yara ├── MAL_Grandoreiro_Feb_2022_1.yara ├── MAL_HeaderTip_Mar_2022_1.yara ├── MAL_HttpService_Feb_2022_1.yara ├── MAL_IceXLoader_Downloader_Jun_2021_1.yara ├── MAL_IceXLoader_Jun_2022_1.yara ├── MAL_IceXLoader_Nov_2022_1.yara ├── MAL_JLORAT_Apr_2023_1.yara ├── MAL_MACH_SysJoker_Jan_2022_1.yara ├── MAL_Mars_Stealer_Apr_2022_1.yara ├── MAL_Nighthawk_Nov_2022_1.yara ├── MAL_Reptile_Aug_2023_1.yara ├── MAL_Reptile_Aug_2023_2.yara ├── MAL_Roopy_Apr_2023_1.yara ├── MAL_SiMayRAT_Mar_2022_1.yara ├── MAL_SiMayRAT_Mar_2022_2.yara ├── MAL_SysJoker_Jan_2022_1.yara ├── MAL_SysJoker_Jan_2022_2.yara ├── MAL_Telemiris_Apr_2023_1.yara ├── MAL_Tomiris_Apr_2023_1.yara ├── MAL_TunnusSched_Apr_2023_1.yara ├── MAL_Unknown_Wiper_Feb_2022_1.yara ├── MAL_Winscreeny_Feb_2022_1.yara ├── MAL_WoodyRAT_Aug_2022_1.yara ├── MAL_WoodyRAT_Aug_2022_2.yara ├── MAL_Wslink_Nov_2021_1.yara └── MAL_Zanubis_Sept_2022_1.yara ├── README.md ├── Ransomware ├── RAN_ALPHV_Apr_2022_1.yara ├── RAN_ALPHV_Dec_2021_1.yara ├── RAN_ALPHV_Feb_2022_1.yara ├── RAN_ALPHV_Mar_2023_1.yara ├── RAN_ARCrypter_Nov_2022_1.yara ├── RAN_ARCrypter_Nov_2022_2.yara ├── RAN_AVOSLocker_Dec_2021_1.yara ├── RAN_AtomSilo_Dec_2021_1.yara ├── RAN_Babuk_Leaks_Dec_2021_1.yara ├── RAN_Babuk_Loader_Dec_2021_1.yara ├── RAN_BlackBasta_Dec_2022_1.yara ├── RAN_BlackBasta_Dec_2022_2.yara ├── RAN_BlackMatter_Dec_2021_1.yara ├── RAN_Black_Basta_Apr_2022_1.yara ├── RAN_Blacksuit_May_2023_1.yara ├── RAN_BlueSky_Aug_2022_1.yara ├── RAN_Cerber2021_Jan_2022_1.yara ├── RAN_Conti_Dec_2021_1.yara ├── 
RAN_Conti_Feb_2022_1.yara ├── RAN_Conti_Jan_2023_1.yara ├── RAN_Cuba_Dec_2021_1.yara ├── RAN_Darky_Lock_Jun_2022_1.yara ├── RAN_Diavol_Dec_2021_1.yara ├── RAN_Diavol_Dec_2021_2.yara ├── RAN_Diavol_Sept_2022_1.yara ├── RAN_Driver_P2P_Clop_Dec_2021_1.yara ├── RAN_ELF_ALPHV_Dec_2021_1.yara ├── RAN_ELF_AvosLocker_Jan_2022_1.yara ├── RAN_ELF_Conti_Dec_2022_1.yara ├── RAN_ELF_EXX_Dec_2021_1.yara ├── RAN_ELF_HelloKitty_Dec_2021_1.yara ├── RAN_ELF_Hive_Dec_2021_1.yara ├── RAN_ELF_Hive_March_2022_1.yara ├── RAN_ELF_Lockbit_Jan_2022_1.yara ├── RAN_ELF_Revil_Dec_2021_1.yara ├── RAN_ELF_Royal_Feb_2022_1.yara ├── RAN_ELF_TellYouThePass_Dec_2021_1.yara ├── RAN_ESXI_Hive_Oct_2022_1.yara ├── RAN_EXX_Dec_2021_1.yara ├── RAN_GlobeImposter_Dec_2021_1.yara ├── RAN_Grief_Dec_2021_1.yara ├── RAN_Hades_Dec_2021_1.yara ├── RAN_HelloKitty_Dec_2021_1.yara ├── RAN_Hive_Dec_2021_1.yara ├── RAN_Hive_March_2022_1.yara ├── RAN_Hive_March_2022_2.yara ├── RAN_Hive_Sept_2022_1.yara ├── RAN_Intercobros_Dec_2021_1.yara ├── RAN_Karma_Dec_2021_1.yara ├── RAN_Khonsari_Dec_2021_1.yara ├── RAN_Koxic_Jan_2022_1.yara ├── RAN_LikeAHorse_Dec_2021_1.yara ├── RAN_Loader_Clop_Dec_2021_1.yara ├── RAN_Lockbit_Dec_2021_1.yara ├── RAN_Lockbit_Green_Jan_2023_1.yara ├── RAN_Lockbit_Green_Jan_2023_2.yara ├── RAN_Lockbit_v3_Jun_2022_1.yara ├── RAN_Lorenz_Dec_2021_1.yara ├── RAN_Maui_Jul_2022_1.yara ├── RAN_Memento_Dec_2021_1.yara ├── RAN_Money_Message_Mar_2023_1.yara ├── RAN_MountLocker_Nov_2021_1.yara ├── RAN_NightSky_Jan_2022_1.yara ├── RAN_Nokoyawa_Dec_2022_1.yara ├── RAN_Nokoyawa_Mar_2022_1.yara ├── RAN_Octocrypt_Nov_2022_1.yara ├── RAN_Pay2Key_Dec_2021_1.yara ├── RAN_Qilim_Nov_2023_1.yara ├── RAN_Quantum_Apr_2022_1.yara ├── RAN_Revil_Dec_2021_1.yara ├── RAN_Rook_Dec_2021_1.yara ├── RAN_Royal_Rumble_Dec_2022_1.yara ├── RAN_Royal_Rumble_Dec_2022_2.yara ├── RAN_SafeSound_Jul_2022_1.yara ├── RAN_Solidbit_Jun_2022_1.yara ├── RAN_Sugar_Jan_2022_1.yara ├── RAN_Sugar_Jan_2022_2.yara ├── RAN_Surtr_Jan_2022_1.yara ├── 
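RAN_TellYouThePass_Dec_2021_1.yara ├── RAN_Venus_Oct_2022_1.yara ├── RAN_Vovabol_Apr_2022_1.yara ├── RAN_Wannahusky_Nov_2021_1.yara ├── RAN_XYZconfig_Jan_2022_1.yara └── RAN_Yanluowang_Dec_2021_1.yara ├── TA └── TA_Lorec53_OutSteel_Feb_2022_1.yara ├── Tools ├── TOOL_JspFileBrowser_Jan_2022_1.yara └── TOOL_MiniWebCmdShell_Jan_2022_1.yara └── Wipers ├── WIP_DoubleZero_Mar_2022_1.yara ├── WIP_IsaacWiper_Mar_2022_1.yara ├── WIP_RuRansom_Mar_2022_1.yara └── WIP_Unk_Ukr_Feb_2022_1.yara

/APT/APT_APT15_Graphican_Jun_2023_1.yara:
--------------------------------------------------------------------------------
// Graphican backdoor (APT15): four x86 code fragments, all required.
// `??` and `[n]` wildcards cover bytes that differ between builds
// (presumably addresses/offsets — confirm against the listed samples).
// NOTE(review): every rule in this set uses only a lower filesize bound;
// an upper bound would cap scan cost on large files — confirm against the
// largest known sample before adding one.
rule APT_APT15_Graphican_Jun_2023_1 : apt apt15 backdoor graphican
{
    meta:
        description = "Detect the Graphican backdoor used by the apt15 group"
        author = "Arkbird_SOLG"
        reference = "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/flea-backdoor-microsoft-graph-apt15"
        date = "2023-06-21"
        hash1 = "4b78b1a3c162023f0c14498541cb6ae143fb01d8b50d6aa13ac302a84553e2d5"
        hash2 = "a78cc475c1875186dcd1908b55c2eeaf1bcd59dedaff920f262f12a3a9e9bfa8"
        hash3 = "02e8ea9a58c13f216bdae478f9f007e20b45217742d0fbe47f66173f1b195ef5"
        tlp = "Clear"
        adversary = "APT15"
    strings:
        $s1 = { 33 db bf 0a 02 00 00 b8 [3] 00 8d 75 90 c7 45 a4 0f 00 00 00 89 5d a0 88 5d 90 e8 e8 ?? ff ff 89 5d fc 8b 4d 90 bf 10 00 00 00 39 7d a4 73 02 8b ce 8b 55 a0 52 68 [3] 00 be [3] 00 e8 [2] 00 00 e8 }
        $s2 = { c1 ea 08 8b 35 04 ?? 41 00 88 55 f9 8b d0 c1 ea 10 88 45 f4 88 55 f6 8b d1 c1 e8 18 88 4d f8 c1 e9 18 88 45 f7 8d 45 dc 50 88 4d fb 8d 4d e0 51 6a 00 68 06 00 02 00 6a 00 6a 00 6a 00 68 [3] 00 c1 ea 10 68 01 00 00 80 c7 45 ?? 01 00 00 00 88 55 fa ff d6 8b ?? 00 ?? 41 00 }
        $s3 = { ff 15 [2] 41 00 8d 85 f8 fe ff ff 8d 50 01 [0-2] 8a 08 40 84 c9 75 f9 2b c2 50 8d 95 f8 fe ff ff 52 68 [2] 42 00 e8 [2] 00 00 83 c4 0c 8d 85 f8 fe ff ff 50 ff 15 [2] 41 00 85 }
        $s4 = { 83 c4 0c 8d ?? e0 ?? ff ff ?? 8d ?? e0 ?? ff ff ?? ff 15 [2] 41 00 68 60 ?? 42 00 8d ?? e0 ?? ff ff ?? ff 15 [2] 41 00 6a 44 8d ?? f8 ?? ff ff 56 ?? e8 [2] 00 00 83 c4 0c 33 ?? 8d ?? 44 ?? ff ff ?? 89 ?? 28 ?? ff ff 8d ?? f8 ?? ff ff ?? 56 56 56 6a 01 56 56 8d ?? e0 ?? ff ff ?? 56 c7 85 f8 ?? ff ff 44 00 00 00 89 b5 fc ?? ff ff 89 b5 00 ?? ff ff 89 b5 04 ?? ff ff c7 85 24 ?? ff ff 01 01 00 00 89 b5 }
    condition:
        // MZ header, minimum size, and every $s* fragment present.
        uint16(0) == 0x5A4D and filesize > 70KB and all of ($s*)
}

--------------------------------------------------------------------------------
/APT/APT_APT15_Ketrican_Jun_2023_1.yara:
--------------------------------------------------------------------------------
// Ketrican backdoor (APT15): three x86 code fragments, all required.
rule APT_APT15_Ketrican_Jun_2023_1 : apt apt15 backdoor ketrican
{
    meta:
        description = "Detect the Ketrican backdoor used by the apt15 group"
        author = "Arkbird_SOLG"
        reference = "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/flea-backdoor-microsoft-graph-apt15"
        date = "2023-06-21"
        hash1 = "858818cd739a439ac6795ff2a7c620d4d3f1e5c006913daf89026d3c2732c253"
        hash2 = "fd21a339bf3655fcf55fc8ee165bb386fc3c0b34e61a87eb1aff5d094b1f1476"
        tlp = "Clear"
        adversary = "APT15"
    strings:
        $s1 = { ff 76 10 b9 [2] 42 00 50 e8 [2] 00 00 6a 15 68 [2] 42 00 8d 8d 7c ef ff ff e8 [2] 00 00 51 8d 85 94 ef ff ff 50 68 [2] 42 00 51 8d 8d 7c ef ff ff e8 [2] ff ff 83 c4 10 84 c0 0f 84 ?? 03 00 00 8b 8d 98 ef ff ff b8 ab aa aa 2a 2b 8d 94 ef ff ff f7 e9 c1 fa 02 8b c2 c1 e8 1f }
        $s2 = { 83 c4 0c 8d 85 ?? fe ff ff 68 00 01 00 00 6a 00 50 e8 [2] 00 00 83 c4 0c 8d 85 ?? fe ff ff 68 00 01 00 00 50 ff 15 ?? f1 41 00 8d 85 ?? fe ff ff 8d 50 01 8a 08 40 84 c9 75 f9 2b c2 50 8d 85 ?? fe ff ff 50 56 e8 [2] 00 00 83 c4 0c 8d 85 ?? fe ff ff 50 ff 15 }
        $s3 = { 6a 00 6a 00 6a 00 6a 00 6a 00 6a 00 56 c6 85 c8 ee ff ff 00 ff 15 ?? f1 41 00 85 c0 0f 85 6c 02 00 00 8d 85 84 ef ff ff 0f 57 c0 50 0f 11 85 84 ef ff ff ff 15 ?? f1 41 00 85 c0 0f 84 [2] 00 00 8b 85 88 ef ff ff 85 c0 0f 84 38 01 00 00 83 3d [2] 42 00 08 8d 8d 48 ef ff ff 51 89 85 20 ef ff ff 8d 8d 18 ef ff ff b8 [2] 42 00 c7 85 18 ef ff ff 03 00 00 00 0f 43 05 [2] 42 00 0f 57 c0 51 50 ff 35 [2] 42 00 c7 85 1c ef ff ff 01 00 00 00 c7 85 2c ef ff ff 01 00 00 00 c7 85 28 ef ff ff 00 00 00 00 c7 85 24 ef ff ff 00 00 00 00 66 0f d6 85 48 ef ff ff c7 85 50 ef ff }
    condition:
        uint16(0) == 0x5A4D and filesize > 60KB and all of ($s*)
}

--------------------------------------------------------------------------------
/APT/APT_APT23_Gh0stRAT_Dec_2021_1.yara:
--------------------------------------------------------------------------------
// Gh0st RAT build attributed to APT23: four x86 fragments, all required.
// $s1 and $s3 contain fixed absolute addresses (e.g. `41 00`/`40 00` image
// offsets), so they are tied to the listed builds' image base.
rule APT_APT23_Gh0stRAT_Dec_2021_1
{
    meta:
        description = "Detect the Gh0st RAT version of APT23"
        author = "Arkbird_SOLG"
        reference = "https://cyberworkx.in/2021/12/22/cyber-espionage-hackers-from-tropic-trooper-are-targeting-the-transportation-sector/"
        date = "2021-12-26"
        hash1 = "996aa9c937b610efd1ab5c0ab173fc9fa78a70b423a193c3e2b505519bde7807"
        hash2 = "7e72ee1052b018250810e41ac01065ebd833293ecfc363415b7d19dd31734d49"
        tlp = "Clear"
        adversary = "APT23"
    strings:
        $s1 = { b9 3f 00 00 00 33 c0 8d bc 24 c5 00 00 00 c6 84 24 c4 00 00 00 00 f3 ab 8d 8c 24 ec 02 00 00 8d 94 24 c4 00 00 00 66 ab 51 68 c4 69 41 00 52 aa ff d5 8b 35 f0 f0 40 00 83 c4 0c 8d 84 24 c4 00 00 00 6a 00 50 ff d6 68 b8 0b 00 00 ff d3 b9 40 00 00 00 33 c0 8d bc 24 c4 00 00 00 68 94 69 41 00 f3 ab 8d 8c 24 c8 00 00 00 51 ff d5 83 c4 08 33 db 8d 94 24 c4 00 00 00 53 52 ff d6 b9 40 00 00 00 33 c0 8d bc 24 c4 00 00 00 68 1c 69 41 00 f3 ab 8d 84 24 }
        $s2 = { 83 ec 08 33 c0 56 89 44 24 05 8d 4c 24 04 66 89 44 24 09 c6 44 24 04 00 50 50 50 51 6a 04 68 ?? 6a 41 00 68 ?? 6a 41 00 68 02 00 00 80 88 44 24 2b e8 [2] ff ff 8d 54 24 24 52 ff 15 f8 f1 40 00 83 c4 24 8b f0 8d 44 24 04 50 }
        $s3 = { 8b 15 6c 5f 41 00 52 68 4c 5f 41 00 68 30 6a 41 00 ff 15 e8 f1 40 00 bf 28 6a 41 00 83 c9 ff 33 c0 83 c4 0c f2 ae f7 d1 2b f9 68 18 6a 41 00 8b c1 8b f7 bf 24 5f 41 00 53 c1 e9 02 f3 a5 8b c8 33 c0 83 e1 03 50 f3 a4 bf 10 6a 41 00 83 c9 ff f2 ae f7 d1 2b f9 8b d1 8b f7 bf 34 5f 41 00 c1 e9 02 f3 a5 8b ca 83 e1 03 f3 a4 8b 35 e4 f0 40 00 ff d6 8b 3d 9c f0 40 00 }
        $s4 = { 8d 4c 24 14 e8 ?? 7b 00 00 8d 44 24 14 50 51 8b cc 89 64 24 20 68 04 6a 41 00 e8 ?? 7b 00 00 e8 ?? 15 00 00 83 c4 08 85 c0 75 3c b9 3f 00 00 00 8d bc 24 c5 00 00 00 88 84 24 c4 00 00 00 f3 ab 66 ab 8d 8c 24 c4 00 00 00 51 68 00 01 00 00 aa ff 15 e8 f0 40 00 8d 94 24 c4 }
    condition:
        uint16(0) == 0x5A4D and filesize > 30KB and all of ($s*)
}

--------------------------------------------------------------------------------
/APT/APT_APT23_NeraPack_Dec_2021_1.yara:
--------------------------------------------------------------------------------
// NeraPack loader: four heavily wildcarded patterns, 3 of 4 required.
// $s2 and $s3 are byte-identical to $s2/$s3 of APT_Antlion_xPack_Feb_2022_1,
// so samples matching one rule may also match the other.
// NOTE(review): $s1 is short and about a third wildcarded; with the 3-of-4
// condition it can be satisfied together with the shared $s2/$s3 alone —
// worth validating the false-positive rate on a benign .NET corpus.
rule APT_APT23_NeraPack_Dec_2021_1
{
    meta:
        description = "Detect the NeraPack loader"
        author = "Arkbird_SOLG"
        reference = "https://cyberworkx.in/2021/12/22/cyber-espionage-hackers-from-tropic-trooper-are-targeting-the-transportation-sector/"
        date = "2021-12-26"
        hash1 = "3ad24a438b9a67e4eff7ca7d34b06d5efc24b824e3e346488d534532faa619da"
        hash2 = "a64e0c21494811ededf5d8af41b00937c1d5787d63dfcc399a7f32c19a553c99"
        hash3 = "321febf2bc5603b58628e3a82fb063027bf175252a3b30869eccb90a78e59582"
        tlp = "Clear"
        adversary = "APT23"
    strings:
        $s1 = { 00 00 0a 72 ?? 00 00 70 28 ?? 00 00 0a [6] 00 }
        $s2 = { 00 00 0a [2] 11 [1-6] 11 ?? 6f ?? 00 00 0a 6f ?? 00 00 0a [1-3] 11 ?? 16 8c ?? 00 00 01 17 8d ?? 00 00 01 25 16 16 8d ?? 00 00 01 a2 6f ?? 00 00 0a 26 [2-8] 6f ?? 00 00 0a 28 ?? 00 00 0a [0-2] de 00 }
        $s3 = { 00 00 0a 0a [0-1] 06 6f ?? 00 00 0a [1-2] 20 00 00 02 00 8d ?? 00 00 01 ?? 15 [0-2] 0d 16 13 04 [0-3] 1f 10 8d ?? 00 00 01 13 ?? 06 11 ?? 16 1f 10 6f ?? 00 00 0a 26 1f 10 8d ?? 00 00 01 13 ?? 06 11 ?? 16 1f 10 6f }
        $s4 = { 72 ?? 00 00 70 20 e8 03 00 00 73 ?? 00 00 0a 0a 28 ?? 00 00 0a }
    condition:
        uint16(0) == 0x5A4D and filesize > 5KB and 3 of ($s*)
}

--------------------------------------------------------------------------------
/APT/APT_APT23_Smilesvr_Dec_2021_1.yara:
--------------------------------------------------------------------------------
// Smilesvr backdoor: three x86 fragments plus one ASCII marker, 3 of 4 required.
rule APT_APT23_Smilesvr_Dec_2021_1
{
    meta:
        description = "Detect the Smilesvr backdoor"
        author = "Arkbird_SOLG"
        reference = "https://cyberworkx.in/2021/12/22/cyber-espionage-hackers-from-tropic-trooper-are-targeting-the-transportation-sector/"
        date = "2021-12-26"
        hash1 = "507b0280105da31739159703e418e3d1b1e6e6817362bf69e2da3c0b305af605"
        hash2 = "97e9bf8032e11bb618a77fbe92489e972b0c92e2e30b26f594f6129ee1cec987"
        hash3 = "c6f17d39905d2006020c326c13bb514a66bccc5a42d533aade00e09456ca5dec"
        tlp = "Clear"
        adversary = "APT23"
    strings:
        $s1 = { 81 ec 98 01 00 00 a1 [2] 01 10 33 c5 89 45 fc 8d 85 68 fe ff ff 50 68 02 01 00 00 ff 15 [3] 10 85 c0 75 55 6a 14 68 [2] 01 10 ff 15 [3] 10 85 c0 75 3e 68 [2] 01 10 ff 15 [3] 10 8b 40 0c 8b 00 ff 30 ff 15 [3] 10 50 6a 10 68 [2] 01 10 e8 [2] 00 00 83 c4 0c ff 15 [3] 10 33 c0 8b 4d fc }
        $s2 = { a1 10 e8 [3] 00 83 c4 0c 0f b7 [3] a1 10 [3] a1 10 0f b7 }
        $s3 = { 57 e8 [4] 59 50 ff 15 [3] 10 85 c0 75 }
        // ASCII: "CMD ready ^_^" or "CMD close ^_^" (the alternation picks the verb).
        $s4 = { 43 4d 44 20 ( 72 65 61 64 79 | 63 6c 6f 73 65 ) 20 5e 5f 5e }
    condition:
        uint16(0) == 0x5A4D and filesize > 30KB and 3 of ($s*)
}

--------------------------------------------------------------------------------
/APT/APT_APT23_Smilesvrdrp_Dec_2021_1.yara:
--------------------------------------------------------------------------------
// Smilesvrdrp: three x86 fragments with fixed addresses plus one ASCII
// format string, 3 of 4 required. Single reference sample (hash1).
rule APT_APT23_Smilesvrdrp_Dec_2021_1
{
    meta:
        description = "Detect the Smilesvrdrp backdoor"
        author = "Arkbird_SOLG"
        reference = "https://cyberworkx.in/2021/12/22/cyber-espionage-hackers-from-tropic-trooper-are-targeting-the-transportation-sector/"
        date = "2021-12-26"
        hash1 = "c6cac51035ef7df22c8ff3b5ba204721cdae97bc4728b0de68db1358c0c04035"
        tlp = "Clear"
        adversary = "APT23"
    strings:
        $s1 = { 83 c4 0c 8d 84 24 10 14 00 00 68 78 a3 41 00 68 58 17 43 00 68 d0 76 41 00 50 ff 15 7c 21 41 00 83 c4 10 8d 94 24 10 04 00 00 8d 8c 24 10 14 00 00 e8 30 ef ff ff 85 c0 0f 84 db 00 00 00 8d 8c 24 10 04 00 00 e8 ac ef ff ff 85 c0 0f 84 c7 00 00 00 68 ff 03 00 00 8d 84 24 15 0c 00 00 c6 84 24 14 0c 00 00 00 6a 00 50 e8 48 97 00 00 83 c4 0c 8d 84 24 10 0c 00 00 68 38 a3 41 00 68 58 1f 43 00 68 dc 76 41 00 68 00 04 00 00 50 e8 d4 10 00 00 83 c4 14 8d 84 24 10 0c 00 00 6a 00 50 8d 84 24 18 04 00 00 50 ff 15 54 20 41 00 83 }
        // ASCII: "%%SystemRoot%%\System32\svchost.exe -k %s" (a printf-style template).
        $s2 = { 25 25 53 79 73 74 65 6d 52 6f 6f 74 25 25 5c 53 79 73 74 65 6d 33 32 5c 73 76 63 68 6f 73 74 2e 65 78 65 20 2d 6b 20 25 73 }
        $s3 = { 8d 85 f8 ef ff ff 68 00 08 00 00 50 6a 00 ff 15 30 20 41 00 6a 00 68 80 00 00 10 6a 02 6a 00 6a 01 68 00 00 00 c0 8d 85 f8 f7 ff ff 50 ff 15 80 20 41 00 8b f0 83 fe ff 74 7c 68 ff 0f 00 00 8d 85 f9 df ff ff c6 85 f8 df ff ff 00 6a 00 50 e8 8f 9c 00 00 83 c4 0c 8d 85 f8 df ff ff 57 68 48 76 41 00 50 e8 a6 15 00 00 8d 8d f8 df ff ff c7 85 f4 df ff ff 00 00 00 00 83 c4 0c 8d 51 01 8d 64 }
        $s4 = { 68 78 76 41 00 33 c9 68 00 08 00 00 68 58 17 43 00 66 89 08 e8 7f 16 00 00 83 c4 0c c6 84 24 10 10 00 00 00 8d 84 24 11 10 00 00 68 ff 03 00 00 6a 00 50 e8 45 99 00 00 83 c4 0c 8d 84 24 10 10 00 00 68 24 a3 41 00 68 58 17 43 00 68 bc 76 41 00 68 00 04 00 00 50 e8 d1 12 00 00 8b 35 6c 21 41 }
    condition:
        uint16(0) == 0x5A4D and filesize > 30KB and 3 of ($s*)
}

--------------------------------------------------------------------------------
/APT/APT_APT23_USBFerry_May_2020_1.yara:
--------------------------------------------------------------------------------
// USBFerry, unpacked x64 build: four fragments (REX-prefixed code), all required.
rule APT_APT23_USBFerry_May_2020_1
{
    meta:
        description = "Detect the USBFerry implant (Unpacked x64)"
        author = "Arkbird_SOLG"
        reference = "https://documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf"
        date = "2020-05-14"
        hash1 = "32299feded258d78323a7a23acd5463d908c3fbbd46842817b53ab9116587d64"
        hash2 = "a0e8c1ece844f18876c951b4360cef1c8e63d270ab5a8346e4a81cba36795838"
        hash3 = "90496241ffdbdd1592d0b8aba76d6f8616fc1093623c0d2c2a4fecc4199293cb"
        tlp = "Clear"
        adversary = "APT23"
    strings:
        $s1 = { 00 00 48 8d 48 01 48 8d 15 [3] 00 e8 ?? 08 00 00 85 c0 75 e5 4c 8d 05 [3] 00 33 d2 33 c9 ff 15 [2] 00 00 48 89 05 [3] 00 ff 15 [2] 00 00 3d b7 00 00 00 0f 84 [2] 00 00 83 f8 }
        $s2 = { 8b c8 8b d8 e8 [2] 00 00 44 8b c3 33 d2 48 8b c8 48 8b f8 e8 [2] 00 00 44 8b 44 24 78 4c 8d 8c 24 80 00 00 00 48 8b d7 48 8b cd ff 15 [3] 00 85 c0 74 4f 44 8b 84 24 80 00 00 00 4c 8d 8c 24 88 00 00 00 48 8b d7 48 8b ce 44 89 a4 24 88 00 00 00 4c 89 64 24 20 ff 15 [3] 00 48 8b cf e8 [2] 00 00 48 8d 54 24 78 45 33 c9 45 33 c0 48 8b cd ff 15 [3] 00 85 c0 0f 85 71 ff ff ff eb 08 48 8b cf e8 [2] 00 00 48 8b 5c 24 50 48 8b 7c 24 40 48 8b ce ff 15 [3] 00 48 8b ce ff 15 [3] 00 48 8b 74 24 48 b8 01 00 00 00 48 83 c4 }
        $s3 = { 48 8d 8d 50 1b 00 00 89 5c 24 40 ff 15 [2] 00 00 4c 8d 4c 24 40 48 8d 95 50 1b 00 00 48 8b cf 44 8b c0 48 89 5c 24 20 ff 15 [3] 00 48 8b cf ff 15 [3] 00 48 8d 4c 24 50 e8 [2] ff ff 85 c0 74 0f 48 8d 8d 50 13 00 00 33 d2 ff 15 [3] 00 b9 a0 0f 00 00 ff 15 [3] 00 48 8d 4c 24 50 ff 15 [3] 00 48 8d 8d 50 13 00 00 ff 15 [3] 00 b8 01 00 00 00 48 8b 8d 50 2b }
        $s4 = { 41 b8 ff 07 00 00 48 8d 8c 24 81 09 00 00 e8 [2] 00 00 45 33 c9 45 8d 46 1a 48 8d 94 24 80 09 00 00 33 c9 ff 15 [2] 00 00 48 8d bc 24 80 09 00 00 33 c0 48 83 c9 ff f2 ae 48 8b 05 [3] 00 48 89 47 ff 33 d2 48 8d 8c 24 80 09 00 00 ff 15 [2] 00 00 44 88 b4 24 80 25 00 00 33 d2 41 b8 ff 07 00 00 48 8d 8c 24 81 25 00 00 e8 [2] 00 00 48 8d bc 24 80 25 00 00 33 c0 48 83 c9 ff f2 ae 48 }
    condition:
        uint16(0) == 0x5A4D and filesize > 30KB and all of ($s*)
}

--------------------------------------------------------------------------------
/APT/APT_APT23_USBFerry_May_2020_2.yara:
--------------------------------------------------------------------------------
// USBFerry, packed x64 build: 3 of 4 required. None of the four patterns
// contains a wildcard, so they pin exact byte runs of the single listed
// sample; a repacked build will likely not match — confirm on new samples.
rule APT_APT23_USBFerry_May_2020_2
{
    meta:
        description = "Detect the USBFerry implant (Packed x64)"
        author = "Arkbird_SOLG"
        reference = "https://documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf"
        date = "2020-05-14"
        hash1 = "905fcf0f574bf104a62c7a5c91cd95fbacb06bf3fbcdcb38320113394c7386d7"
        tlp = "Clear"
        adversary = "APT23"
    strings:
        $s1 = { b9 45 29 e5 35 81 f1 ef 21 e5 35 4c 03 c1 49 ff c8 41 80 30 45 41 80 00 88 41 80 30 31 41 80 28 ab 48 ff c9 9c 48 c1 2c 24 06 48 f7 14 24 48 83 24 24 01 50 52 48 b8 7a ff ff ff ff ff ff ff 48 f7 64 24 10 48 8d 15 66 0b b5 47 48 8d 94 02 e3 f4 4a b8 48 89 54 24 10 5a 58 48 8d 64 24 08 ff }
        // Table-like data ending in ASCII "USER32.DLL".
        $s2 = { bd e0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 cb e0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 e0 02 00 00 00 00 00 ef e0 02 00 00 00 00 00 00 e1 02 00 00 00 00 00 0f e1 02 00 00 00 00 00 00 00 00 00 00 00 00 00 55 53 45 52 33 32 2e 44 4c 4c }
        $s3 = { 26 74 99 ae 8b c1 c1 74 db 3c ef 1d 27 27 eb 7b 33 f7 2d 7c 84 b8 f6 dc 65 46 ac e0 d3 7a 80 94 97 ed 8b 94 11 e5 31 14 38 7a a9 45 15 7f 34 c3 9a 11 db 5c e4 ec df f0 2e 8b 76 f4 11 28 09 d1 bf 18 54 5e d0 f7 2b 20 7b bb 05 32 b4 79 c4 72 74 5f 96 64 f4 6b b0 73 f4 8b 75 07 f2 8b d4 86 1e 84 8b 42 }
        $s4 = { da 94 29 5a d3 eb a3 8c 43 8b a7 6b aa 15 33 87 5a b7 5f 88 76 32 b7 f0 05 8a 93 dd 66 55 98 13 2a 45 96 62 35 ae e4 60 2a 84 72 d1 35 ab b4 b6 6b 33 b4 e4 a8 35 fc c6 0c 41 8c 74 c7 bd 05 d0 6c 5f 83 7c a4 3b c6 41 f0 e0 1d 5b 65 a4 fd a5 7b 42 b9 79 f3 70 00 8c db e4 8b b0 9f a4 56 32 b4 00 3b 95 }
    condition:
        uint16(0) == 0x5A4D and filesize > 30KB and 3 of ($s*)
}

--------------------------------------------------------------------------------
/APT/APT_APT23_USBFerry_May_2020_3.yara:
--------------------------------------------------------------------------------
// USBFerry, unpacked x86 build: four fragments, all required.
// $s2 is very short; on its own it would be generic, but the `all of`
// condition keeps it from widening the match.
rule APT_APT23_USBFerry_May_2020_3
{
    meta:
        description = "Detect the USBFerry implant (unpacked x86)"
        author = "Arkbird_SOLG"
        reference = "https://documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf"
        date = "2020-05-14"
        hash1 = "5f0e14bbb0700318a11e43cb6b3e6ef82e8d0cc01cf89660a3e9bab20af033fa"
        hash2 = "872b39f0a673183dee8461b3592f3c4ab7f0e10ed3e00eed59112b517f9e6b89"
        hash3 = "d283cbeee4c21ff2d5983af7fdbd097c84c56e9252cbd5fb33cb73f8e0bbf323"
        tlp = "Clear"
        adversary = "APT23"
    strings:
        $s1 = { 57 8d [6-7] 00 10 00 00 51 e8 [2] 00 00 68 ff 03 00 00 8d [3-5] 53 52 88 [3-5] e8 [2] 00 00 8d [5-6] 50 56 8d }
        $s2 = { 83 c4 0c 68 [4] 8d ?? 24 [2] 00 00 }
        $s3 = { 53 e8 [2] ff ff 59 50 ff 15 [3] 10 85 c0 75 0b ff 15 [3] 10 89 45 e4 eb 04 83 65 e4 00 83 7d e4 00 74 19 e8 [2] ff ff 8b 4d e4 89 08 e8 [2] ff ff c7 00 09 00 00 00 83 4d e4 ff c7 45 fc fe ff ff ff e8 0c 00 00 00 8b 45 e4 e8 }
        $s4 = { 53 8d 95 f8 db ff ff 52 8d 85 fc fb ff ff 50 89 9d f8 db ff ff ff 15 14 [2] 10 50 8d 8d fc fb ff ff 51 56 ff 15 [3] 10 56 ff 15 [3] 10 68 ff 07 00 00 8d 95 fd eb ff ff 53 52 88 9d fc eb ff ff e8 [2] 00 00 83 c4 0c 68 00 08 00 00 8d 85 fc eb ff ff 50 ff 15 [3] 10 8d 85 fc eb ff ff 48 8a 48 01 40 3a cb 75 f8 8b 0d [3] 10 8b 15 [3] 10 89 08 8b 0d [3] 10 89 50 04 68 00 10 00 00 8d 95 fc db ff ff 53 52 89 48 08 e8 [2] 00 00 8d 85 fc f3 ff ff 50 8d 8d fc eb ff ff 51 8d 95 fc db ff ff 68 [3] 10 52 e8 [2] 00 00 83 c4 1c 53 8d 85 fc db ff ff 50 ff 15 [3] 10 68 a0 0f 00 00 ff 15 [3] 10 8d 8d fc f3 ff ff 51 ff 15 [3] 10 8b 4d fc 5f 5e }
    condition:
        uint16(0) == 0x5A4D and filesize > 30KB and all of ($s*)
}

--------------------------------------------------------------------------------
/APT/APT_APT23_USBFerry_May_2020_4.yara:
--------------------------------------------------------------------------------
// USBFerry variant, unpacked x86: shares $s1/$s2 with
// APT_APT23_USBFerry_May_2020_3; $s3 is a shorter, more wildcarded form of
// that rule's $s3, and $s4 uses fixed `01 10` addresses, so overlap with
// the _3 rule on unpacked x86 samples is expected.
rule APT_APT23_USBFerry_May_2020_4
{
    meta:
        description = "Detect a variant of USBFerry implant (unpacked x86)"
        author = "Arkbird_SOLG"
        reference = "https://documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf"
        date = "2020-05-14"
        // 64 hex chars — a stray trailing "." in the original would have broken hash lookups.
        hash1 = "1f383eb5f614669404ef00d693510f40ca87c30204ef269a0a19aa4564942444"
        tlp = "Clear"
        adversary = "APT23"
    strings:
        $s1 = { 57 8d [6-7] 00 10 00 00 51 e8 [2] 00 00 68 ff 03 00 00 8d [3-5] 53 52 88 [3-5] e8 [2] 00 00 8d [5-6] 50 56 8d }
        $s2 = { 83 c4 0c 68 [4] 8d ?? 24 [2] 00 00 }
        $s3 = { e8 [2] ff ff 59 50 ff 15 [3] 10 85 c0 75 0b ff 15 [3] 10 89 45 e4 eb [3] e4 }
        $s4 = { 53 8d 54 24 10 52 8d 44 24 18 50 89 5c 24 18 ff 15 14 20 01 10 50 8d 4c 24 1c 51 56 ff 15 48 20 01 10 56 ff 15 c8 20 01 10 68 ff 07 00 00 8d 94 24 15 0c 00 00 53 52 88 9c 24 1c 0c 00 00 e8 a6 89 00 00 83 c4 0c 68 00 08 00 00 8d 84 24 14 0c 00 00 50 ff 15 64 20 01 10 8d 84 24 10 0c 00 00 48 8a 48 01 40 3a cb 75 f8 8b 0d dc 36 01 10 8b 15 e0 36 01 10 89 08 8b 0d e4 36 01 10 89 50 04 68 00 10 00 00 8d 94 24 14 14 00 00 53 52 89 48 08 e8 53 89 00 00 8d 84 24 1c 04 00 00 50 8d 8c 24 20 0c 00 00 51 8d 94 24 24 14 00 00 68 e8 36 01 10 52 e8 03 25 00 00 83 c4 1c 53 8d 84 24 14 14 00 00 50 ff 15 c4 20 01 10 68 a0 0f 00 00 ff 15 58 20 01 10 8d 8c 24 10 04 00 00 51 ff 15 d0 20 01 10 8b 8c 24 10 24 00 00 5f 5e 5b 33 cc b8 01 00 00 00 }
    condition:
        uint16(0) == 0x5A4D and filesize > 30KB and all of ($s*)
}

--------------------------------------------------------------------------------
/APT/APT_APT37_Bluelight_Dec_2022_1.yara:
--------------------------------------------------------------------------------
// Bluelight downloader (APT37): five x86 fragments, all required; the
// 300KB floor is the highest in this set. Reference is internal, so the
// three hashes are the only public anchor for re-validation.
rule APT_APT37_Bluelight_Dec_2022_1 : apt37 bluelight
{
    meta:
        description = "Detect the downloader agent Bluelight used by APT37 group"
        author = "Arkbird_SOLG"
        reference = "Internal Research"
        date = "2022-12-01"
        hash1 = "6f0feaba669466640fc87b77b7e64cf719644fed348b4faa015a2ffd467e8c41"
        hash2 = "ceed3bfc1f8ab82bebee93db7300cfed5bdc17fddd0401b8addbb55f48bedff3"
        hash3 = "e32c5d851cf23a6d3ecd224055619996d32210cc198ccd770494a902c788b481"
        // Capitalised like every other rule in the set so tlp-based filtering is consistent.
        tlp = "Clear"
        adversary = "APT37"
    strings:
        $s1 = { ff 75 f0 68 34 c4 ?? 00 53 56 e8 71 fd ff ff 8b f8 83 c4 10 85 ff 0f 85 d7 00 00 00 ff 75 f0 88 86 9c 00 00 00 68 70 c4 ?? 00 53 56 e8 4f fd ff ff 83 66 18 fb 8b f8 83 c4 10 85 ff 0f 85 b1 00 00 00 ff 75 f0 68 08 c5 ?? 00 53 56 e8 2f fd ff ff 8b f8 83 c4 10 85 ff 0f 85 95 00 00 00 8b 5d f4 89 }
        $s2 = { 8b ec 81 ec 08 02 00 00 a1 5c a2 ?? 00 33 c5 89 45 fc 56 8d 85 f8 fd ff ff c7 85 f8 fd ff ff 00 02 00 00 50 8d 85 fc fd ff ff 8b f1 50 ff 15 [3] 00 8d 85 fc fd ff ff 8b ce 50 e8 ?? 46 06 00 8b 4d fc 8b c6 33 cd 5e e8 ?? a7 09 00 }
        $s3 = { 83 c4 10 8d 45 fc bb 01 00 00 80 50 56 8d 45 f8 50 6a 02 68 e4 2b ?? 00 68 00 2c ?? 00 53 ff 15 20 30 ?? 00 85 c0 75 0d 56 68 58 2c ?? 00 53 ff 15 1c 30 ?? 00 56 e8 f4 a4 0a 00 59 8b 4f 14 85 c9 74 05 }
        $s4 = { 83 e4 f8 81 ec 58 01 00 00 a1 5c a2 ?? 00 33 c4 89 84 24 54 01 00 00 56 57 8b 7d 08 8b f1 6a 00 6a 00 6a 00 6a 00 68 bc d7 ?? 00 ff 15 48 33 ?? 00 89 46 30 }
        $s5 = { 8b c2 be 00 c0 00 00 23 c6 33 c9 3b c6 0f 95 c1 85 c9 74 d0 c7 45 c8 0c 00 00 00 33 db 89 5d cc 8b c2 c1 e8 07 f7 d0 83 e0 01 89 45 d0 ff 75 0c 8d 45 c8 50 8d 45 e0 50 8d 45 e4 50 ff 15 70 32 ?? 00 85 c0 75 0f ff 15 44 32 ?? 00 50 e8 e3 }
    condition:
        uint16(0) == 0x5A4D and filesize > 300KB and all of ($s*)
}

--------------------------------------------------------------------------------
/APT/APT_Antlion_EHAGBPSL_Feb_2022_1.yara:
--------------------------------------------------------------------------------
// EHAGBPSL implant (Antlion): four x64 fragments, all required.
rule APT_Antlion_EHAGBPSL_Feb_2022_1
{
    meta:
        description = "Detect the EHAGBPSL implant"
        author = "Arkbird_SOLG"
        reference = "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/china-apt-antlion-taiwan-financial-attacks"
        date = "2022-02-04"
        hash1 = "e968e0d7e62fbc36ad95bc7b140cf7c32cd0f02fd6f4f914eeb7c7b87528cfe2"
        hash2 = "55636c8a0baa9b57e52728c12dd969817815ba88ec8c8985bd20f23acd7f0537"
        tlp = "Clear"
        adversary = "Antlion"
    strings:
        $s1 = { 66 89 0a 48 8d 54 24 30 48 2b d7 48 03 d7 40 38 32 75 f8 0f b7 0d [2] 01 00 66 89 0a 48 8d 4c 24 30 48 2b cf 48 03 cf 40 38 31 75 f8 48 8d 54 24 30 66 89 01 48 2b d7 48 03 d7 40 38 32 75 f8 0f b7 0d [2] 01 00 66 89 0a 48 8d 4c 24 30 48 2b cf 48 03 cf 40 38 31 75 f8 66 89 01 3b df 75 32 48 8d 54 24 30 48 8d 8d 30 05 00 00 e8 [2] 00 00 85 c0 75 1d 48 89 74 24 28 4c 8d 05 ?? f9 ff ff 4c 8b cf 89 74 24 20 33 d2 33 c9 ff 15 [2] 01 00 8b c7 48 8b 8d 30 07 00 00 48 33 }
        $s2 = { 48 8b 03 48 63 08 48 8b d1 48 8b c1 48 c1 f8 06 4c 8d 05 08 ?? 01 00 83 e2 3f 48 c1 e2 06 49 8b 04 c0 f6 44 10 38 01 74 24 e8 3d ff ff ff 48 8b c8 ff 15 [2] 00 00 33 db 85 c0 75 1e e8 c9 ac ff ff 48 8b d8 ff 15 [2] 00 00 89 03 e8 d9 ac ff ff c7 00 09 00 00 00 83 cb ff 8b 0f e8 29 fe ff ff 8b c3 48 }
        $s3 = { 48 83 ec 28 e8 cb 03 00 00 b0 01 48 83 c4 28 c3 40 53 48 83 ec 20 ff 15 [2] 00 00 48 85 c0 74 13 48 8b 18 48 8b c8 e8 9c 34 00 00 48 8b c3 48 85 db 75 ed 48 83 }
        $s4 = { 0f b7 06 48 83 c6 02 66 83 f8 0a 75 10 83 47 08 02 b9 0d 00 00 00 66 89 0b 48 83 c3 02 66 89 03 48 83 c3 02 48 8d 84 24 3e 14 00 00 48 3b d8 72 ca 48 83 64 24 20 00 48 8d 44 24 40 48 2b d8 4c 8d 4c 24 30 48 d1 fb 48 8d 54 24 40 03 db 49 8b ce 44 8b c3 ff 15 [2] 00 00 85 c0 74 12 8b 44 24 30 01 47 04 3b c3 72 0f }
    condition:
        uint16(0) == 0x5A4D and filesize > 30KB and all of ($s*)
}

--------------------------------------------------------------------------------
/APT/APT_Antlion_NetSessionEnum_Feb_2022_1.yara:
--------------------------------------------------------------------------------
// NetSessionEnum enumeration tool (Antlion): four x86 fragments with fixed
// `40 00` image addresses plus one wide usage string, 4 of 5 required.
// The only rule in this set with an upper filesize bound (small utility).
rule APT_Antlion_NetSessionEnum_Feb_2022_1
{
    meta:
        description = "Detect the NetSessionEnum tool"
        author = "Arkbird_SOLG"
        reference = "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/china-apt-antlion-taiwan-financial-attacks"
        date = "2022-02-05"
        hash1 = "48d41507f5fc40a310fcd9148b790c29aeb9458ff45f789d091a9af114f26f43"
        // Placeholder: no second sample hash was recorded for this rule.
        hash2 = "-"
        tlp = "Clear"
        adversary = "Antlion"
    strings:
        $s1 = { 8d 7c 24 0d c6 44 24 0c 00 f3 ab 8b 8c 24 98 13 00 00 8d 54 24 0c 66 ab aa 8d 84 24 9c 13 00 00 50 51 52 ff 15 3c 20 40 00 83 c4 0c 6a 00 68 80 00 00 00 6a 04 6a 00 6a 01 68 00 00 00 c0 68 10 30 40 00 ff 15 0c 20 40 00 8b f0 85 f6 74 3e 6a 02 6a 00 6a 00 56 ff 15 08 20 40 00 8d 44 24 08 6a 00 50 8d 7c 24 14 83 c9 ff 33 c0 f2 ae f7 d1 49 c7 44 24 10 00 00 00 00 51 8d 4c 24 18 51 56 ff 15 04 20 40 00 56 ff 15 }
        $s2 = { 8b 8c 24 3c 08 00 00 8b 11 52 68 7c 30 40 00 ff 15 40 20 40 00 83 c4 08 83 c8 ff 5f 5e 5d 5b }
        $s3 = { 8d 44 24 20 8d 4c 24 24 50 8d 54 24 18 51 8b 8c 24 a8 1b 00 00 52 8b 94 24 a8 1b 00 00 8d 44 24 1c 6a ff 50 6a 0a 51 52 55 e8 5d 05 00 00 8b f8 3b fb 89 7c 24 28 74 0c 81 ff ea 00 00 00 0f 85 31 01 00 00 8b 74 24 10 3b f3 0f 84 39 01 00 00 8b 44 24 14 89 5c 24 1c 3b }
        $s4 = { 8b 43 08 8b 4b 04 8b 13 50 51 52 8d 44 24 70 68 f4 30 40 00 50 ff 15 8c 20 40 00 83 c4 14 8d 4c 24 10 8d 54 24 20 51 52 55 55 6a 10 55 55 8d 84 24 80 00 00 00 55 50 55 ff 15 24 20 40 00 f7 d8 }
        // UTF-16 usage banner; the cheapest of the five to confirm by hand.
        $s5 = "Usage: %s ServerFile [UserFile] [/e]\n" wide
    condition:
        uint16(0) == 0x5A4D and filesize > 3KB and filesize < 30KB and 4 of ($s*)
}

--------------------------------------------------------------------------------
/APT/APT_Antlion_xPack_Feb_2022_1.yara:
--------------------------------------------------------------------------------
// xPack loader (Antlion): four wildcarded patterns, all required.
// $s2/$s3 are byte-identical to $s2/$s3 of APT_APT23_NeraPack_Dec_2021_1;
// this rule is the stricter of the two (all of vs. 3 of 4).
rule APT_Antlion_xPack_Feb_2022_1
{
    meta:
        description = "Detect the XPack loader"
        author = "Arkbird_SOLG"
        reference = "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/china-apt-antlion-taiwan-financial-attacks"
        date = "2022-02-04"
        hash1 = "390460900c318a9a5c9026208f9486af58b149d2ba98069007218973a6b0df66"
        hash2 = "12425edb2c50eac79f06bf228cb2dd77bb1e847c4c4a2049c91e0c5b345df5f2"
        tlp = "Clear"
        adversary = "Antlion"
    strings:
        $s1 = { 1f 40 8d ?? 00 00 01 25 d0 ?? 00 00 04 28 ?? 00 00 0a 0a 03 1f 3d }
        $s2 = { 00 00 0a [2] 11 [1-6] 11 ?? 6f ?? 00 00 0a 6f ?? 00 00 0a [1-3] 11 ?? 16 8c ?? 00 00 01 17 8d ?? 00 00 01 25 16 16 8d ?? 00 00 01 a2 6f ?? 00 00 0a 26 [2-8] 6f ?? 00 00 0a 28 ?? 00 00 0a [0-2] de 00 }
        $s3 = { 00 00 0a 0a [0-1] 06 6f ?? 00 00 0a [1-2] 20 00 00 02 00 8d ?? 00 00 01 ?? 15 [0-2] 0d 16 13 04 [0-3] 1f 10 8d ?? 00 00 01 13 ?? 06 11 ?? 16 1f 10 6f ?? 00 00 0a 26 1f 10 8d ?? 00 00 01 13 ?? 06 11 ?? 16 1f 10 6f }
        $s4 = { 02 7b 02 00 00 04 8d ?? 00 00 01 0a 02 7b 03 00 00 04 8d ?? 00 00 01 0b 16 13 ?? 2b }
    condition:
        uint16(0) == 0x5A4D and filesize > 5KB and all of ($s*)
}

--------------------------------------------------------------------------------
/APT/APT_BlackTech_Flagpro_Dec_2021_1.yara:
--------------------------------------------------------------------------------
// Flagpro implant (BlackTech): four x86 fragments plus one wide marker
// string, all required. Meta fields follow the same order as the rest of
// the set (date before hashes).
rule APT_BlackTech_Flagpro_Dec_2021_1
{
    meta:
        description = "Detect Flagpro implant used by BlackTech group"
        author = "Arkbird_SOLG"
        reference = "https://insight-jp.nttsecurity.com/post/102hf3q/flagpro-the-new-malware-used-by-blacktech"
        date = "2021-12-30"
        hash1 = "54e6ea47eb04634d3e87fd7787e2136ccfbcc80ade34f246a12cf93bab527f6b"
        hash2 = "77680fb906476f0d84e15d5032f09108fdef8933bcad0b941c9f375fedd0b2c9"
        hash3 = "e81255ff6e0ed937603748c1442ce9d6588decf6922537037cf3f1a7369a8876"
        hash4 = "bd431a53c65170dee9ff174ea2865b49edf395023bd5d69f61150d83babba52d"
        tlp = "Clear"
        adversary = "BlackTech"
    strings:
        $s1 = { 8d 44 24 10 50 8d 4c 24 18 51 6a 00 8d 94 24 3c 0c 00 00 6a 00 89 54 24 2c c7 44 24 28 4a 00 00 00 ff 15 [3] 00 85 c0 0f 84 [2] 00 00 33 db 39 5c 24 14 0f 86 [2] 00 00 8b }
        $s2 = { 64 a1 00 00 00 00 50 81 ec 98 04 00 00 a1 [3] 00 33 c4 89 84 24 94 04 00 00 53 55 57 a1 [3] 00 33 c4 50 8d 84 24 a8 04 00 00 64 a3 00 00 00 00 33 db 53 8d 44 24 24 }
        // Short and mostly wildcarded; only meaningful under the `all of` condition.
        $s3 = { 8d ?? 24 ?? 03 00 00 ?? 68 04 01 00 00 }
        $s4 = "~MYTEMP" wide
        $s5 = { 6a 40 8d 44 24 ?? 53 50 c7 44 24 ?? 44 00 00 00 e8 [3] 00 83 c4 0c 8d 4c 24 ?? 51 ff 15 [3] 00 8b 44 24 1c 89 44 24 ?? 89 44 24 ?? 8d 44 24 ?? 50 8d 4c 24 ?? 51 53 53 53 6a 01 53 53 [13] 00 00 }
    condition:
        uint16(0) == 0x5A4D and filesize > 200KB and all of ($s*)
}

--------------------------------------------------------------------------------
/APT/APT_Earth_Berberoka_Korplug_Oct_2022_1.yara:
--------------------------------------------------------------------------------
rule APT_Earth_Berberoka_Korplug_Oct_2022_1 : diceyf korplug
{
    meta:
        description = "Detects Korplug implant used by the Earth Berberoka"
        author = "Arkbird_SOLG"
        reference = "https://securelist.com/diceyf-deploys-gameplayerframework-in-online-casino-development-studio/107723/"
        date = "2022-10-20"
        hash1 = "5a9468a87997f2363995e264505105f6a235b66543bb28635fb74f78704e9111"
        hash2 = "9aff1e12a1b447ca8ab3076f684716a859c906f9b2d0e870d59d0f06fc548d0d"
        hash3 = "a2a0ce67c239385c1ec1d5d29ff91a7daf91cf2b4368dc91d84dbb598becdc5d"
        tlp = "Clear"
        adversary = "Earth Berberoka"
    strings:
        $s1 = { 68 9c 78 42 00 52 ff d3 a1 ?? 75 43 00 83 c4 10 85 c0 75 31 68 ?? 85 42 00 ff 15 ?? 52 42 00 a3 ?? 75 43 00 85 c0 75 10 68 ?? 85 42 00 ff 15 44 53 42 00 a3 ?? 75 43 00 68 ?? 85 42 00 50 ff d7 a3 ?? 75 43 00 68 50 02 00 00 8d 8c 24 ec 04 00 00 6a 00 51 ff d0 83 c4 0c 8d 94 24 e8 04 00 00 52 8d 84 24 9c 00 00 00 50 ff 15 ?? 51 42 00 8b f0 83 fe ff 75 31 8b 94 24 90 00 00 00 8d 8c 24 98 02 00 00 51 52 ff 15 ?? 51 42 00 85 c0 0f 85 16 ff ff ff 8b 8c 24 90 00 00 00 51 ff 15 ?? 51 42 00 e9 c2 fd ff ff 68 d0 78 42 00 8d 84 24 9c 00 00 00 50 8d 8c 24 40 07 00 00 68 ec 78 42 00 51 ff d3 a1 ?? 75 43 00 83 c4 10 85 c0 }
        $s2 = { 8d 45 cc 68 ?? 69 43 00 50 e8 ?? cb 00 00 8d 8e 08 1a 00 00 83 c4 08 83 c6 04 89 7d f8 89 4d f4 89 75 fc eb 02 33 ff 8b 55 f8 8b 45 d8 52 50 68 10 73 42 00 53 ff 15 b0 53 42 00 83 c4 10 53 ff 15 ?? 52 42 00 8b 4d f4 51 8b f0 c7 45 f0 00 00 00 00 ff 15 ??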
52 42 00 83 fe } 16 | /* NOTE(review): $s3/$s4 embed absolute 0x0042xxxx / 0x0043xxxx operands (e.g. 68 44 72 42 00 = push 0x427244), so they look tied to one build's image base; rebased or recompiled builds may not match -- confirm */ $s3 = { 8b 45 08 8b 48 04 68 10 f0 00 00 57 89 4e 18 ff d3 68 44 72 42 00 8b d8 89 7c 24 24 89 7c 24 2c 89 7c 24 28 89 7c 24 20 ff 15 ?? 52 42 00 8b f8 03 ff 68 44 72 42 00 8d 44 24 20 e8 [2] ff ff 8b 44 24 1c 99 2b c2 8b 54 24 28 d1 f8 66 83 7c 42 fe 5c 74 10 6a 02 68 ?? 6f 42 00 8d 44 24 24 e8 [2] ff ff 68 58 72 42 00 ff 15 ?? 52 42 00 03 c0 50 68 58 72 42 00 } 17 | $s4 = { 8b 45 08 53 8b 1d ac 53 42 00 56 57 8b 7d 0c 50 8d 4d ac 33 f6 68 ?? 82 42 00 51 89 75 f8 c7 45 cc ?? 82 42 00 89 75 d0 ff d3 a1 ?? 77 43 00 83 c4 0c 3b c6 75 2a a1 ?? 76 43 00 3b c6 75 10 68 ?? 80 42 00 ff 15 44 53 42 00 a3 ?? 76 43 00 68 ?? 85 42 00 50 ff } 18 | condition: 19 | uint16(0) == 0x5a4d and filesize > 80KB and all of ($s*) 20 | } 21 | -------------------------------------------------------------------------------- /APT/APT_Earth_Berberoka_Tifa_Oct_2022_1.yara: -------------------------------------------------------------------------------- 1 | rule APT_Earth_Berberoka_Tifa_Oct_2022_1 : diceyf tifa downloader 2 | { 3 | meta: 4 | description = "Detects the tifa version of the downloader used by the Earth Berberoka" 5 | author = "Arkbird_SOLG" 6 | reference = "https://securelist.com/diceyf-deploys-gameplayerframework-in-online-casino-development-studio/107723/" 7 | date = "2022-10-20" 8 | /* NOTE(review): hash1 below is 63 hex characters, one short of a SHA-256 -- a character was lost somewhere; re-check it against the referenced report before relying on it as an IoC */ hash1 = "8aacb0fd6ea3143d0e7a6b56f7b90c3be760bcc8abbbb29c4334b50f06e822f" 9 | level = "experimental" 10 | tlp = "Clear" 11 | adversary = "Earth Berberoka" 12 | strings: 13 | /* UTF-16LE: {{"ComputerName":"{0}","Guid":"{1} -- a composite-format string ({0}, {1} placeholders) that builds a JSON fragment */ $s1 = { 7b 00 7b 00 22 00 43 00 6f 00 6d 00 70 00 75 00 74 00 65 00 72 00 4e 00 61 00 6d 00 65 00 22 00 3a 00 22 00 7b 00 30 00 7d 00 22 00 2c 00 22 00 47 00 75 00 69 00 64 00 22 00 3a 00 22 00 7b 00 31 00 7d } 14 | /* UTF-16LE: {0:X8}-{1:X4}-{2:X4} -- hex format string for a GUID-like identifier */ $s2 = { 7b 00 30 00 3a 00 58 00 38 00 7d 00 2d 00 7b 00 31 00 3a 00 58 00 34 00 7d 00 2d 00 7b 00 32 00 3a 00 58 00 34 00 7d } 15 | /* ASCII manifest fragment: " <!-- Windows 8.1 -->" CR LF, six spaces, "<!--<supportedOS Id="{" -- this text occurs in many benign PE manifests, so it only discriminates together with $s1/$s2 under "all of" */ $s3 = { 20 3c 21 2d 2d 20 57 69 6e 64 6f 77 73 20 38 2e 31 20 2d 2d 3e 0d 0a 20 20 20 20 20 20 3c 21 2d 2d 3c 73 75 70 70 6f 72 74 65 64 4f 53 20 49 64 3d 22 7b } 
16 | $s4 = { 73 1b 00 00 06 0a 06 72 01 00 00 70 20 37 33 00 00 6f 13 00 00 06 2c 3a 06 02 72 25 00 00 70 6f 15 00 00 06 2c 2c 16 0b 2b 1d 06 6f 16 00 00 06 0c 08 2c 0f 06 6f 1a 00 00 06 08 03 28 0a 00 00 06 de 1e 07 17 58 0b 07 1f 1e 32 de 06 6f 1a 00 00 06 20 88 13 00 00 28 13 00 00 0a } 17 | $s5 = { 28 06 00 00 06 2d 0b 72 27 00 00 70 28 05 00 00 06 2a 72 27 00 00 70 72 25 00 00 70 28 01 00 00 06 2a 02 16 9a 16 6f 2a } 18 | condition: 19 | uint16(0) == 0x5a4d and filesize > 10KB and all of ($s*) 20 | } 21 | -------------------------------------------------------------------------------- /APT/APT_Earth_Berberoka_Yuma_Oct_2022_1.yara: -------------------------------------------------------------------------------- 1 | rule APT_Earth_Berberoka_Yuma_Oct_2022_1 : diceyf yuma downloader 2 | { 3 | meta: 4 | description = "Detects the yuma version of the downloader used by the Earth Berberoka" 5 | author = "Arkbird_SOLG" 6 | reference = "https://securelist.com/diceyf-deploys-gameplayerframework-in-online-casino-development-studio/107723/" 7 | date = "2022-10-20" 8 | hash1 = "0c808ffffa946931b0e6c90346690392e01aee9b610d83385af2290f8df71001" 9 | hash2 = "18bc154c0fe1399f6e1fce92c1ec3debd3a59fde09d9c33398ae097eee311f67" 10 | hash3 = "9ba967dd0fc99efb64d5074d6491834f5b514340446734a07e46a1cf846d3de5" 11 | tlp = "Clear" 12 | adversary = "Earth Berberoka" 13 | strings: 14 | $s1 = { 00 00 0a 26 2a 06 7b ?? 00 00 04 72 [2] 00 70 6f ?? 00 00 0a [4-7] 00 00 0a 6f ?? 00 00 0a 0d 06 7b ?? 00 00 04 72 [2] 00 70 6f ?? 00 00 0a 26 00 [2] ?? 00 00 } 15 | $s2 = { 28 ?? 00 00 0a 6f ?? 00 00 0a 25 2d 04 26 14 2b 05 28 ?? 00 00 0a 0b 12 00 02 28 08 00 00 2b 7d ?? 00 00 04 06 7b ?? 00 00 04 6f ?? 00 00 0a 2d ?? 72 [2] 00 70 73 ?? 00 00 0a 25 16 28 ?? 00 00 0a 16 6f ?? 00 00 0a 6f ?? 00 00 0a 6f ?? 00 00 0a 0c 08 28 ?? 00 00 0a 2d 0b 08 28 ?? 00 00 06 28 ?? 
00 00 0a } 16 | $s3 = { 10 00 45 25 00 00 00 00 00 00 c9 00 8d 05 29 0e 03 01 10 00 57 15 00 00 00 00 00 00 c9 00 92 05 2b 0e 03 01 10 00 c1 1d 00 00 00 00 00 00 c9 00 99 05 2d 0e 03 01 10 00 82 1b 00 00 00 00 00 00 c9 00 a0 05 2f 0e 03 01 10 } 17 | $s4 = { 23 7b 00 22 00 43 00 6f 00 6d 00 70 00 75 00 74 00 65 00 72 00 4e 00 61 00 6d 00 65 00 22 00 3a 00 22 00 00 23 22 00 2c 00 22 00 52 00 65 00 71 00 75 00 65 00 73 00 74 00 4e 00 61 00 6d 00 65 00 22 00 3a 00 22 } 18 | condition: 19 | uint16(0) == 0x5a4d and filesize > 120KB and all of ($s*) 20 | } 21 | -------------------------------------------------------------------------------- /APT/APT_InvisiMole_rc2fm_Mar_2022_1.yara: -------------------------------------------------------------------------------- 1 | rule APT_InvisiMole_rc2fm_Mar_2022_1 : rc2fm backdoor invisimole 2 | { 3 | meta: 4 | description = "Detect rc2fm backdoor" 5 | author = "Arkbird_SOLG" 6 | reference = "Internal Research" 7 | date = "2022-03-19" 8 | hash1 = "43b62d57fbc04026e7d63239b5d3197e10b815410f84e178052091f4ce7d0ab0" 9 | hash2 = "5b072f897dbae2c85bf1debb0d4e9819c7f16a31d541ebdd4e111e7160d4324e" 10 | hash3 = "a16b3f8aa869aebb61ae770f9701d918c4a814a4502f46a93e904d38084d23b2" 11 | adversary = "-" 12 | tlp = "Clear" 13 | strings: 14 | $s1 = { 48 8d 05 [2] 00 00 41 b8 ff 00 00 00 48 ba 14 00 00 00 00 00 00 00 48 89 c1 e8 [2] 00 00 c6 85 ?? f9 ff ff 00 48 8d 8d [2] ff ff ba 00 01 00 00 [4] ff [0-2] 89 85 ?? fb ff ff 48 8d 8d [2] ff ff 8b 95 ?? fb ff ff e8 [2] ff ff 4c 8d [3] 00 00 [3-4] fb ff ff [0-1] d1 ?? 
48 8d [3] ff ff } 15 | $s2 = { 48 89 fa 48 89 53 10 c7 45 f8 00 00 00 00 48 8d 45 f8 48 89 44 24 28 44 89 6c 24 20 4c 8d 05 1a ff ff ff 49 89 d9 48 89 f1 e8 [2] ff ff 48 89 c6 48 85 f6 75 08 48 89 d9 e8 5f e3 ff ff 8b 45 f8 49 89 04 24 48 89 f0 48 8b 5d c8 48 8b 7d d0 48 8b 75 d8 4c 8b 65 e0 4c 8b 6d e8 4c 8b 75 f0 48 8d 65 00 5d c3 00 00 00 00 00 00 00 53 48 8d 64 24 e0 89 cb e8 33 fa ff ff 89 d9 e8 [2] ff ff 90 48 8d 64 24 20 5b c3 00 00 00 00 48 8d 64 24 d8 b8 00 00 00 00 89 c1 e8 [2] ff ff 90 48 8d 64 24 28 c3 00 00 00 00 00 00 00 00 48 8d 64 24 d8 e8 [2] ff ff 90 48 8d 64 24 28 c3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 48 8d 64 24 d8 e8 [2] ff ff 90 48 8d 64 24 28 c3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 48 8d 64 24 d8 48 8d 54 24 20 e8 [2] ff ff 84 c0 75 07 e8 [2] ff ff eb 05 b8 00 00 00 00 } 16 | $s3 = { 00 00 00 00 00 00 00 00 00 48 8d 64 24 d8 48 89 c8 48 8b 08 e8 [2] ff ff 90 48 8d 64 24 28 c3 00 00 00 00 00 00 00 00 00 [0-2] 48 8d 64 24 d8 [0-2] 48 89 } 17 | $s4 = { 48 8d 64 24 c8 48 c7 44 24 20 00 00 00 00 4c 8d 4c 24 28 e8 [2] ff ff 85 c0 75 11 e8 [2] ff ff 89 c1 83 f9 6d 74 05 e8 13 b6 ff ff 8b 44 24 28 90 48 8d 64 24 38 c3 00 00 00 00 00 00 00 00 48 8d 64 24 d8 c7 44 24 24 00 00 00 00 4c 8d 44 24 24 41 b9 02 00 00 00 48 ba 00 00 00 00 00 00 00 00 e8 [2] ff ff 89 44 24 20 81 7c 24 20 ff ff ff ff 75 15 e8 [2] ff ff 85 c0 74 0c e8 [2] ff ff 89 } 18 | condition: 19 | uint16(0) == 0x5A4D and filesize > 30KB and all of ($s*) 20 | } 21 | -------------------------------------------------------------------------------- /APT/APT_Knotweed_Jumplump_Jul_2022_1.yara: -------------------------------------------------------------------------------- 1 | rule APT_Knotweed_Jumplump_Jul_2022_1 : jumplump knotweed loader 2 | { 3 | meta: 4 | description = "Detect the Jumplump loader used by the knotweed group" 5 | author = "Arkbird_SOLG" 6 | reference = 
"https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/" 7 | date = "2022-07-28" 8 | hash1 = "4611340fdade4e36f074f75294194b64dcf2ec0db00f3d958956b4b0d6586431" 9 | hash2 = "cbae79f66f724e0fe1705d6b5db3cc8a4e89f6bdf4c37004aa1d45eeab26e84b" 10 | hash3 = "5d169e083faa73f2920c8593fb95f599dad93d34a6aa2b0f794be978e44c8206" 11 | tlp = "Clear" 12 | adversary = "Knotweed" 13 | strings: 14 | $s1 = { 48 8d ( 45 0b | 44 24 60 ) c7 ( 45 0f | 44 24 60 ) 04 00 00 00 48 89 44 24 [2] 8d (15 9f 7b 06 | 05 20 4e 01 ) 00 48 8d } 15 | $s2 = { 8b [2] 89 ?? 24 ?? 4c [2] 24 ?? 4d 8b ?? 4c 8d 05 ( d0 38 05 | 09 74 04 ) 00 ba 04 01 00 00 48 8d 8c 24 [2] 00 00 e8 ?? 01 00 00 85 c0 78 ?? 48 89 ?? 24 40 48 ?? 44 24 40 48 } 16 | $s3 = { 48 83 ec 48 48 8b 44 24 48 4c 8d 05 [2] 02 00 c7 44 24 38 ff ff 00 80 45 33 c9 c7 44 24 30 03 00 00 00 ba [2] 00 00 48 89 44 24 28 48 83 64 24 20 00 e8 [3] ff 48 83 } 17 | $s4 = { 4c 00 6f 00 63 00 61 00 6c 00 5c 00 53 00 4d 00 30 00 3a 00 25 00 64 00 3a 00 25 00 64 00 3a 00 25 00 68 00 73 } 18 | $s5 = { 4c 8d 05 [2] 02 00 48 8b ?? 48 8b c8 e8 [2] 00 00 4c 8b ?? 10 4d 85 c9 74 12 4c 8d 05 [2] 02 00 48 8b ?? 48 8b c8 e8 [2] 00 00 4c 8b ?? 40 4d 85 c9 74 12 4c 8d 05 [2] 02 00 48 8b ?? 
48 8b c8 e8 } 19 | condition: 20 | uint16(0) == 0x5A4D and filesize > 90KB and all of ($s*) 21 | } 22 | -------------------------------------------------------------------------------- /APT/APT_Knotweed_Jumplump_Jul_2022_2.yara: -------------------------------------------------------------------------------- 1 | rule APT_Knotweed_Jumplump_Jul_2022_2 : jumplump knotweed loader 2 | { 3 | meta: 4 | description = "Detect the Jumplump loader used by the knotweed group" 5 | author = "Arkbird_SOLG" 6 | reference = "https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/" 7 | date = "2022-07-29" 8 | hash1 = "02a59fe2c94151a08d75a692b550e66a8738eb47f0001234c600b562bf8c227d" 9 | hash2 = "894138dfeee756e366c65a197b4dbef8816406bc32697fac6621601debe17d53" 10 | hash3 = "afab2e77dc14831f1719e746042063a8ec107de0e9730249d5681d07f598e5ec" 11 | tlp = "Clear" 12 | adversary = "Knotweed" 13 | strings: 14 | $s1 = { 48 83 ec 20 33 db ?? 8b ?? 48 85 c9 74 3a 4c 8d 44 24 30 48 89 5c 24 30 ba ff ff ff 7f 48 8d 0d ?? ?? 02 00 e8 ?? ?? ?? ff 85 c0 78 1b 44 8b 44 24 30 48 8d 15 ?? ?? 02 00 ?? 8b ?? e8 ?? ?? ff ff 83 f8 02 75 02 b3 01 8a c3 } 15 | $s2 = { 48 83 ec 40 33 db 89 91 88 00 00 00 21 99 8c 00 00 00 48 8b f9 85 d2 75 06 48 21 59 38 eb 04 4c 89 49 78 48 21 99 80 00 00 00 48 8d 05 ?? ?? 00 00 48 8b 51 30 4c 8d 05 ?? ?? ?? 00 48 8b 49 28 45 33 c9 48 89 7c 24 30 48 21 5c 24 28 48 89 44 24 20 [0-1] ff 15 ?? ?? 04 00 [0-5] 85 c0 75 57 48 8b cf e8 ?? 00 00 00 8b d8 3d 04 40 00 80 75 17 8b 87 a8 00 00 00 85 c0 79 11 3d 0c 00 24 80 75 04 33 db eb 31 8b d8 85 db 79 2b 41 b9 03 00 00 00 48 8d 05 ?? ?? 01 00 48 89 44 24 28 48 8d 0d ?? ?? 02 00 ba ?? 02 00 00 89 5c 24 20 45 8d 41 1d e8 } 16 | $s3 = { 00 00 48 89 ?? 
24 38 48 89 44 24 30 48 8d 05 [3] 00 48 89 44 24 28 48 [2] 24 20 [0-1] 41 b9 04 00 00 00 [0-6] 45 8b c7 33 d2 33 c9 e8 [3] ff 48 8b [2] 02 } 17 | $s4 = { 48 89 84 24 30 02 00 00 48 8b da 48 85 d2 [2-9] 48 83 22 00 4c 8d 05 [3] 00 48 8d 4c 24 20 e8 [4] 85 c0 78 0d 48 8b d3 48 8d 4c 24 20 e8 [4] 48 8b 8c 24 30 02 00 00 } 18 | condition: 19 | uint16(0) == 0x5A4D and filesize > 90KB and all of ($s*) 20 | } 21 | -------------------------------------------------------------------------------- /APT/APT_Knotweed_Jumplump_Jul_2022_3.yara: -------------------------------------------------------------------------------- 1 | rule APT_Knotweed_Jumplump_Jul_2022_3 : jumplump knotweed loader 2 | { 3 | meta: 4 | description = "Detect the Jumplump loader used by the knotweed group" 5 | author = "Arkbird_SOLG" 6 | reference = "https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/" 7 | date = "2022-07-29" 8 | hash1 = "7f84bf6a016ca15e654fb5ebc36fd7407cb32c69a0335a32bfc36cb91e36184d" 9 | hash2 = "fd6515a71530b8329e2c0104d0866c5c6f87546d4b44cc17bbb03e64663b11fc" 10 | tlp = "Clear" 11 | adversary = "Knotweed" 12 | strings: 13 | $s1 = { 48 83 ec 50 48 8b 05 [2] 04 00 48 33 c4 48 89 44 24 48 33 f6 66 3b 35 [2] 04 00 0f 85 ?? 00 00 00 49 8d 43 e0 } 14 | $s2 = { 48 ?? ec [1-4] 48 8b 05 [3] 00 48 33 c4 48 89 ?? 24 [3-7] 48 8d 44 24 } 15 | $s3 = "\\system32\\propsys.dll" wide 16 | $s4 = { 4c 89 4c 24 20 4d 8b c8 4c 8b c2 48 8d 15 [3] 00 e8 [4] eb ?? 
4c 8b c2 48 8d 15 [3] 00 (e8 d8 fe ff ff eb 21 | 48 83 c4 38 e9 98 03 00 00 ) 4d 85 c0 74 09 48 8d 15 [3] 00 eb } 17 | $s5 = "%s.%1d.ver0x%08x%08x.db" wide 18 | condition: 19 | uint16(0) == 0x5A4D and filesize > 90KB and all of ($s*) 20 | } 21 | -------------------------------------------------------------------------------- /APT/APT_Knotweed_Jumplump_Jul_2022_4.yara: -------------------------------------------------------------------------------- 1 | rule APT_Knotweed_Jumplump_Jul_2022_4 : jumplump knotweed loader 2 | { 3 | meta: 4 | description = "Detect the Jumplump loader used by the knotweed group" 5 | author = "Arkbird_SOLG" 6 | reference = "https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/" 7 | date = "2022-07-29" 8 | hash1 = "7f29b69eb1af1cc6c1998bad980640bfe779525fd5bb775bc36a0ce3789a8bfc" 9 | hash2 = "-" 10 | tlp = "Clear" 11 | adversary = "Knotweed" 12 | strings: 13 | $s1 = "\\system32\\wbem\\wmiprvsd.dll" wide 14 | $s2 = "SOFTWARE\\Microsoft\\WBEM\\CIMOM\\SecuredHostProviders" wide 15 | // Microsoft WBEM Log File Event Consumer Provider (COM) 16 | $s3 = "{266c72d4-62e8-11d1-ad89-00c04fd8fdff}" wide 17 | $s4 = "Provider::ExecQuery" wide 18 | $s5 = "root\\cimv2" wide 19 | // KernelTraceProvider Class (COM) 20 | $s6 = "{9877D8A7-FDA1-43F9-AEEA-F90747EA66B0}" wide 21 | condition: 22 | uint16(0) == 0x5A4D and filesize > 90KB and all of ($s*) 23 | } 24 | -------------------------------------------------------------------------------- /APT/APT_Knotweed_Mex_Jul_2022_1.yara: -------------------------------------------------------------------------------- 1 | rule APT_Knotweed_Mex_Jul_2022_1 : mex knotweed toolkit 2 | { 3 | meta: 4 | description = "Detect the mex toolkit used by the knotweed group" 5 | author = "Arkbird_SOLG" 6 | reference = "https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/" 7 | 
date = "2022-07-28" 8 | hash1 = "fa30be45c5c5a8f679b42ae85410f6099f66fe2b38eb7aa460bcc022babb41ca" 9 | hash2 = "-" 10 | tlp = "Clear" 11 | adversary = "Knotweed" 12 | strings: 13 | $s1 = "mex.exe -mep sharphound -mec -arg1 -arg2 data2" wide 14 | $s2 = "System32\\" wide 15 | $s3 = "mex.exe -mep list_plugins" wide 16 | $s4 = "list_plugins" wide 17 | $s5 = "mexecatz" wide 18 | condition: 19 | uint16(0) == 0x5A4D and filesize > 90KB and all of ($s*) 20 | } 21 | -------------------------------------------------------------------------------- /APT/APT_Knotweed_Passlib_Jul_2022_1.yara: -------------------------------------------------------------------------------- 1 | rule APT_Knotweed_Passlib_Jul_2022_1 : passlib knotweed tool 2 | { 3 | meta: 4 | description = "Detect the passlib tool used by the knotweed group" 5 | author = "Arkbird_SOLG" 6 | reference = "https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/" 7 | date = "2022-07-28" 8 | hash1 = "e64bea4032cf2694e85ede1745811e7585d3580821a00ae1b9123bb3d2d442d6" 9 | hash2 = "-" 10 | tlp = "Clear" 11 | adversary = "Knotweed" 12 | strings: 13 | $s1 = "------------------------> Browser: %s\n" wide 14 | $s2 = "------------------------> Extractor: %s\n" wide 15 | $s3 = "=========== New Extraction Event from LEX Server [%s] ================" wide 16 | $s4 = "Resource: [%s] - Username: [%s] - Password: [%s]" wide 17 | $s5 = "%s: [%s]:[%s] (http_only:%d)" wide 18 | $s6 = "ATTACH %Q AS vacuum_db" ascii 19 | condition: 20 | uint16(0) == 0x5A4D and filesize > 90KB and all of ($s*) 21 | } 22 | -------------------------------------------------------------------------------- /APT/APT_Molerats_NimbleMamba_Jan_2022_1.yara: -------------------------------------------------------------------------------- 1 | rule APT_Molerats_NimbleMamba_Jan_2022_1 2 | { 3 | meta: 4 | description = "Detect the NimbleMamba backdoor used by Molerats group" 5 | author = 
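"Arkbird_SOLG" 6 | reference = "https://www.proofpoint.com/us/blog/threat-insight/ugg-boots-4-sale-tale-palestinian-aligned-espionage" 7 | date = "2022-02-09" 8 | hash1 = "430c12393a1714e3f5087e1338a3e3846ab62b18d816cc4916749a935f8dab44" 9 | hash2 = "2a559a5178e0803c0a4067376cf279d00cade84b37158f03b709e718d34f65f9" 10 | /* hash3: this entry was a second "hash2" key; renumbered so the three samples are listed as hash1..hash3 like the other rules in the set (the value is unchanged) */ hash3 = "c61fcd8bed15414529959e8b5484b2c559ac597143c1775b1cec7d493a40369d" 11 | tlp = "Clear" 12 | adversary = "Molerats" 13 | strings: 14 | /* $s1-$s4: byte patterns built from CIL opcodes (0x72 ldstr, 0x38 br, 0x6f callvirt, 0x7e ldsfld) -- the .NET reading is inferred from the opcodes, confirm against the samples */ $s1 = { 72 f3 00 00 70 38 [2] 00 00 [3] 00 [4] 00 [3] 01 00 [4] 00 ?? 38 [2] 00 00 [2] 01 00 [3] 00 00 ?? 72 ?? 01 00 70 38 [2] 00 00 [3] 00 ?? 38 [2] 00 00 [3] 00 00 } 15 | $s2 = { 72 1d 02 00 70 7e 0a 00 00 04 72 1d 02 00 70 38 [2] 00 00 38 [2] 00 00 38 [2] 00 00 [3] 00 [4] 00 [4] 00 [3] 00 00 ?? 72 [2] 00 70 38 [2] 00 00 [3] 00 [3] 01 00 ?? 38 [2] 00 00 [3] 00 } 16 | $s3 = { 38 2f 01 00 00 38 34 01 00 00 72 6e 04 00 70 38 fd 00 00 00 38 02 01 00 00 38 07 01 00 00 38 bf 00 00 00 38 c0 00 00 00 38 c5 00 00 00 38 ca 00 00 00 38 86 00 00 00 08 6f [2] 00 0a 74 ?? 00 00 01 0d 09 6f [2] 00 0a 09 72 b4 04 00 70 6f [2] 00 0a 6f ?? 00 00 0a 6f [2] 00 0a 72 01 00 00 70 28 [2] 00 0a 15 2c 58 2c 19 16 2d d3 06 09 72 b4 04 00 70 6f [2] 00 0a 6f ?? 00 00 0a 6f [2] 00 0a 09 72 ce 04 00 70 6f [2] 00 0a 6f ?? 00 00 0a 6f [2] 00 0a 72 01 00 00 70 28 [2] 00 0a 2c 16 06 09 72 ce 04 00 70 6f [2] 00 0a 6f ?? 00 00 0a 6f [2] 00 0a 08 6f [2] 00 0a 3a 6f ff ff ff de 16 16 2d 03 08 2c 06 08 6f ?? 00 00 0a 18 2c f1 16 2d f4 16 2d f1 dc de 2a 07 38 3b ff ff ff 6f [2] 00 0a 38 36 ff ff ff 6f [2] 00 0a 38 31 ff ff ff 0c 38 30 ff ff ff 07 2c 06 07 6f ?? 00 00 0a dc 06 13 04 de 20 73 [2] 00 0a 38 f9 fe ff ff 73 [2] 00 0a 38 f4 fe ff ff 0b 38 f3 fe ff ff 26 06 13 04 de 00 11 04 2a 73 [2] 00 0a 38 c7 fe ff ff 0a 38 c6 fe ff } 17 | $s4 = { 7e [2] 00 0a 72 ?? 07 00 70 38 ?? 00 00 00 14 38 ?? 00 00 00 74 ?? 00 00 01 38 ?? 00 00 00 38 ?? 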
00 00 00 [4] 00 } 18 | condition: 19 | uint16(0) == 0x5A4D and filesize > 50KB and all of ($s*) 20 | } 21 | -------------------------------------------------------------------------------- /APT/APT_MoustachedBouncer_NightClub_Aug_2023_1.yara: -------------------------------------------------------------------------------- 1 | rule APT_MoustachedBouncer_NightClub_Aug_2023_1 : apt moustachedbouncer nightclub backdoor 2 | { 3 | meta: 4 | description = "Detect the NightClub backdoor used by MoustachedBouncer group (implant and Dropper)" 5 | author = "Arkbird_SOLG" 6 | reference = "https://www.welivesecurity.com/en/eset-research/moustachedbouncer-espionage-against-foreign-diplomats-in-belarus/" 7 | date = "2023-08-10" 8 | hash1 = "39d534148fe7ac7f3e03da1ceeee556b2e1db9cf466f7e03c24c4f899aa0c407" 9 | hash2 = "ee2c61216ed691f8bf1f080fb9c7d7cfc6f370e6f5c0d493db523b48e699a2ec" 10 | hash3 = "25412a1a41069d7c09a0b4968bdbc818155bfa02db696ea3c34350ef50fad933" 11 | hash4 = "daa02008b2b7c325d6169c7dc37658f9ac19f744569a685b3f8b78e6622bfa22" 12 | tlp = "Clear" 13 | adversary = "MoustachedBouncer" 14 | strings: 15 | $s1 = { 8b 43 18 3b c7 75 05 a1 7c 41 01 10 8b 93 ac 00 00 00 50 68 ?? 4a 01 10 52 ff 15 e8 41 01 10 83 c4 0c 8b d6 8b cb e8 3a 34 00 00 3b c7 0f 85 c0 07 00 00 56 53 e8 5b 39 00 00 3b c7 0f 85 b1 07 00 00 8b 8b c0 00 00 00 3b cf 74 0f 8b 83 c4 00 00 00 2b c1 c1 f8 05 3b } 16 | $s2 = { 8b 93 ac 00 00 00 68 70 46 01 10 68 ?? 4a 01 10 52 ff 15 e8 41 01 10 8b bb ac 00 00 00 83 c4 0c 4f 8a 47 01 47 84 c0 75 f8 8b 15 4c 41 01 10 8b 45 e0 b9 0b 00 00 00 be ?? 4a 01 10 f3 a5 66 a5 a4 8b 12 8b 8b f0 00 00 00 c1 e0 04 52 68 ?? 48 01 10 03 c8 89 45 cc ff 15 5c 41 01 10 8b 4d dc } 17 | $s3 = { 09 00 00 00 be ?? 4a 01 10 f3 a5 8b bb ac 00 00 00 4f eb 03 8d 49 00 8a 47 01 47 84 c0 75 f8 b9 0b 00 00 00 be ?? 4a 01 10 f3 a5 8b 0d 4c 41 01 10 8b 11 8b 4d cc 03 8b f0 00 00 00 52 68 ?? 
48 01 10 ff 15 5c 41 01 10 8b 55 dc 8d 44 10 01 8b f0 8d 9b 00 00 00 00 8a 08 } 18 | $s4 = { 64 a1 00 00 00 00 50 83 ec 5c 53 56 a1 00 a0 01 10 33 c4 50 8d 44 24 68 64 a3 00 00 00 00 c7 44 24 14 00 00 00 00 e8 48 28 00 00 b9 10 47 01 10 8d 5c 24 18 8b f0 e8 e8 aa ff ff 8d 44 24 18 50 8d 4c 24 34 33 db 51 89 5c 24 78 e8 63 08 00 00 83 c4 08 c6 44 24 70 02 8b } 19 | condition: 20 | uint16(0) == 0x5A4D and filesize > 40KB and all of ($s*) 21 | } 22 | -------------------------------------------------------------------------------- /APT/APT_Nobelium_Downloader_May_2022_1.yara: -------------------------------------------------------------------------------- 1 | rule APT_Nobelium_Downloader_May_2022_1 : apt nobelium downloader 2 | { 3 | meta: 4 | description = "Detect the new downloader used by Nobelium group" 5 | author = "Arkbird_SOLG" 6 | reference1 = "https://twitter.com/ShadowChasing1/status/1522180445789573124" 7 | reference2 = "https://github.com/Dump-GUY/Malware-analysis-and-Reverse-engineering/blob/main/APT29_C2-Client_Dropbox_Loader/APT29-DropboxLoader_analysis.md" 8 | date = "2022-05-16" 9 | hash1 = "6618a8b55181b1309dc897d57f9c7264e0c07398615a46c2d901dd1aa6b9a6d6" 10 | hash2 = "23a09b74498aea166470ea2b569d42fd661c440f3f3014636879bd012600ed68" 11 | hash3 = "6fc54151607a82d5f4fae661ef0b7b0767d325f5935ed6139f8932bc27309202" 12 | tlp = "Clear" 13 | adversary = "Nobelium" 14 | strings: 15 | $s1 = { 8b 00 ba 5c 00 00 00 89 01 48 8d 8d 10 02 00 00 e8 ?? 26 00 00 48 8b f8 48 85 c0 75 05 48 8b cb eb 10 ba 04 01 00 00 48 8b cf e8 ?? 51 00 00 48 8b c8 33 c0 4c 8d 85 10 02 00 00 f3 aa 48 8d 8d 10 02 00 00 48 8d 15 [2] 01 00 e8 ?? f6 ff ff 48 8d 8d 10 02 00 00 ff 15 [2] 01 00 83 f8 ff 0f 84 b6 00 00 00 b9 10 00 00 00 e8 ?? 
13 00 00 4c 8b c8 48 8b f8 33 c0 b9 10 00 00 00 f3 aa 49 8b f9 48 8b d3 0f 1f 84 00 00 00 00 00 42 0f b6 8c 32 [3] 00 48 83 c2 03 88 0f 48 8d 7f 01 48 } 16 | $s2 = { 48 89 5c 24 38 [3-7] c7 44 24 30 00 00 80 00 [3] 48 89 5c 24 28 49 8b [0-3] cf 48 89 5c 24 20 ff 15 [2] 01 00 48 8b f0 48 85 c0 0f 84 ?? 02 00 00 } 17 | $s3 = { 48 8d 44 24 50 41 b9 06 00 02 00 45 33 c0 48 89 44 24 20 49 8b d2 48 c7 c1 01 00 00 80 ff 15 [2] 01 00 85 c0 75 40 48 8d 4d f0 ff 15 [2] 01 00 48 8b 4c 24 50 41 b9 01 00 00 00 45 33 c0 48 8b d6 8d 04 45 02 00 00 00 89 44 24 28 48 8d 45 f0 48 89 44 24 20 ff 15 [2] 01 00 48 8b 4c 24 50 ff 15 [2] 01 00 48 8b b4 24 60 06 00 00 4c 8b b4 24 } 18 | $s4 = { 8d 54 24 48 49 8b cf ff 15 [3] 00 48 8d 54 24 48 49 8b cf ff 15 [3] 00 85 c0 0f 84 f5 00 00 00 48 8d 35 [2] ff ff ff 15 [3] 00 39 44 24 54 0f 85 ba 00 00 00 48 8d 0d } 19 | condition: 20 | uint16(0) == 0x5A4D and filesize > 50KB and all of ($s*) 21 | } 22 | -------------------------------------------------------------------------------- /APT/APT_Sandworm_ArguePatch_Apr_2022_1.yara: -------------------------------------------------------------------------------- 1 | rule APT_Sandworm_ArguePatch_Apr_2022_1 : apt arguepatch loader sandworm 2 | { 3 | meta: 4 | description = "Detect ArguePatch loader used by Sandworm group for load CaddyWiper" 5 | author = "Arkbird_SOLG" 6 | reference = "https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/" 7 | date = "2022-04-30" 8 | updated = "2022-05-20" 9 | // -> https://twitter.com/ESETresearch/status/152753172690540953 10 | hash1 = "8f096e3b5ecd2aca35794a85f8b76093b3968a8737e87e8008710b4014c779e3" 11 | hash2 = "cda9310715b7a12f47b7c134260d5ff9200c147fc1d05f030e507e57e3582327" 12 | hash3 = "750cbba9a36859b978bfe5f082be44815027bc74dc2728210abbcba828ce6f56" 13 | tlp = "Clear" 14 | adversary = "Sandworm" 15 | level = "Fully Experimental" // not tested in HA, some trouble are reported in the Yara submission 16 | strings: 17 | $s1 = { 8b 41 ?? 
83 f8 09 77 41 ff 24 85 [3] 00 6a 00 e8 ?? 01 00 00 c3 6a 01 eb f6 6a 08 eb f2 6a 01 6a 00 e8 7c 00 00 00 c3 6a 01 6a 0a eb f4 6a 00 6a 08 eb ee 6a 00 eb f2 6a 00 6a 10 eb e4 e9 30 00 00 00 e9 ?? ff ff ff } 18 | $s2 = { 6a 14 68 [3] 00 e8 [2] 00 00 6a 01 e8 [4] 59 84 c0 0f 84 ?? 01 00 00 32 db 88 5d e7 83 65 fc 00 e8 [4] 88 45 dc a1 [3] 00 33 c9 41 3b c1 0f 84 ?? 01 00 00 85 c0 75 49 89 0d [3] 00 68 [3] 00 68 [3] 00 e8 [3] 00 59 59 85 c0 74 11 c7 45 fc fe ff ff ff b8 ff 00 00 00 e9 ?? 00 00 00 68 [3] 00 68 [3] 00 e8 [3] 00 59 59 c7 05 [3] 00 02 } 19 | $s3 = { 83 ec 08 0f ae 5c 24 04 8b 44 24 04 25 80 7f 00 00 3d 80 1f 00 00 75 0f d9 3c 24 66 8b 04 24 66 83 e0 7f 66 83 f8 7f 8d 64 24 08 0f 85 [2] 00 00 eb 00 f3 0f 7e 44 24 04 66 0f 28 15 [3] 00 66 0f 28 c8 66 0f 28 f8 66 0f 73 d0 34 66 0f 7e c0 66 0f 54 05 [3] 00 66 0f fa d0 66 0f d3 ca a9 00 08 00 00 74 4c 3d ff 0b 00 00 7c 7d 66 0f f3 ca 3d 32 0c 00 00 7f 0b 66 0f d6 4c 24 04 dd } 20 | $s4 = { 8d a4 24 00 00 00 00 8d a4 24 00 00 00 00 90 c6 85 70 ff ff ff fe 32 ed d9 ea de c9 e8 2b 01 00 00 d9 e8 de c1 f6 85 61 ff ff ff 01 74 04 d9 e8 de f1 f6 c2 40 75 02 d9 fd 0a ed 74 02 d9 e0 e9 cf 02 00 00 e8 46 01 00 00 0b c0 74 14 32 ed 83 f8 02 74 02 f6 d5 d9 c9 d9 e1 eb a0 e9 eb 02 00 00 e9 a9 03 00 00 dd d8 dd d8 db 2d [3] 00 c6 85 70 ff ff ff } 21 | condition: 22 | uint16(0) == 0x5a4d and filesize > 60KB and all of ($s*) 23 | } 24 | -------------------------------------------------------------------------------- /APT/APT_Sandworm_Cyclops_Blink_Mar_2022_1.yara: -------------------------------------------------------------------------------- 1 | rule APT_Sandworm_Cyclops_Blink_Mar_2022_1 : backdoor cyclopsblink x86 2 | { 3 | meta: 4 | description = "Detect Cyclops Blink backdoor used by Sandworm group" 5 | author = "Arkbird_SOLG" 6 | reference = "https://twitter.com/nicastronaut/status/1503772915711496198?s=21" 7 | date = "2022-03-15" 8 | hash1 = "145bf0e879d544a17364c53e1e695adab8e927fe196cc0d21ad14be3e2cb469f" 9 | hash2 
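= "3830213049d64b09f637563faa470b0f2edd0034aa9e92f7908374bd1d6df116" 10 | hash3 = "cc3d51578a9dcc7e955061881490e54883904956f5ca5ee2918cd3b249415e59" 11 | /* adversary: spelling aligned with this rule's own description and with the ArguePatch rule ("Sandworm"), so filtering on the field groups the Sandworm rules together */ adversary = "Sandworm" 12 | /* NOTE(review): this rule has no tlp meta entry, unlike the other rules in the set -- confirm the intended sharing level */ strings: 13 | /* ASCII: "iptables -? %s -p tcp --dport %d -j ACCEPT &>/dev/null" (one wildcard byte for the chain-operation flag) */ $s1 = { 69 70 74 61 62 6c 65 73 20 2d ?? 20 25 73 20 2d 70 20 74 63 70 20 2d 2d 64 70 6f 72 74 20 25 64 20 2d 6a 20 41 43 43 45 50 54 20 26 3e 2f 64 65 76 2f 6e 75 6c 6c } 14 | /* NOTE(review): $s2/$s3 read as PowerPC opcode sequences (7c 08 03 a6 = mtlr r0, 4e 80 00 20 = blr, 38 21 00 40 = addi r1,r1,0x40 epilogues), which does not match the rule's "x86" tag -- verify the tag so architecture-based rule selection is not misled */ $s2 = { 7c 08 03 a6 83 61 00 2c 83 81 00 30 83 a1 00 34 83 c1 00 38 83 e1 00 3c 38 21 00 40 4e 80 00 20 80 01 00 44 3b 60 00 00 7f 63 db 78 83 21 00 24 83 41 00 28 7c 08 03 a6 83 61 00 2c 83 81 00 30 83 a1 00 34 83 c1 00 38 83 e1 00 3c 38 21 00 40 4e 80 00 20 80 1f 00 20 2f 80 00 00 41 9e 00 24 7f a3 eb 78 38 9f } 15 | $s3 = { 93 bf 00 20 91 7f 00 14 7c 08 03 a6 91 7d 00 30 91 7d 00 00 83 e1 00 1c 83 a1 00 14 38 21 00 20 4e 80 00 20 80 01 00 24 39 40 00 00 7d 43 53 78 83 a1 00 14 83 } 16 | /* ASCII: "Content-Transfer-Encoding: base64%s" */ $s4 = { 43 6f 6e 74 65 6e 74 2d 54 72 61 6e 73 66 65 72 2d 45 6e 63 6f 64 69 6e 67 3a 20 62 61 73 65 36 34 25 73 } 17 | /* ASCII, NUL-separated iptables chain names: PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING */ $s5 = { 50 52 45 52 4f 55 54 49 4e 47 00 [0-1] 49 4e 50 55 54 00 [0-2] 46 4f 52 57 41 52 44 00 4f 55 54 50 55 54 00 [0-1] 50 4f 53 54 52 4f 55 54 49 4e 47 } 18 | /* ASCII: "config" followed by either "d-hash.xml" or "- <cmd> <arg>" */ $s6 = { 63 6f 6e 66 69 67 ( 64 2d 68 61 73 68 2e 78 6d 6c | 2d 20 3c 63 6d 64 3e 20 3c 61 72 67 3e ) } 19 | condition: 20 | uint32(0) == 0x464C457F and filesize > 30KB and 4 of ($s*) 21 | } 22 | -------------------------------------------------------------------------------- /APT/APT_SideWinder_WarHawk_Oct_2022_1.yara: -------------------------------------------------------------------------------- 1 | rule APT_SideWinder_WarHawk_Oct_2022_1 : sidewinder apt warhawk 2 | { 3 | meta: 4 | description = "Detects the warhawk implant used by the Sidewinder group" 5 | author = "Arkbird_SOLG" 6 | reference = "https://www.zscaler.com/blogs/security-research/warhawk-new-backdoor-arsenal-sidewinder-apt-group-0" 7 | date = "2022-10-22" 8 | hash1 = "624c6b56ee3865f4a5792ad1946a8e86b876440a5af3bac22ac1dee92f1b7372" 9 | hash2 = 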
"7d3574c62df44b74337fc74ec7877792b4ffa1486a49bb19668433c3ca8836b5" 10 | tlp = "Clear" 11 | adversary = "SideWinder" 12 | strings: 13 | $s1 = { a1 04 ?? 42 00 33 c5 89 45 fc 8b 45 08 53 56 57 33 db 89 [2-5] 53 53 53 6a 01 68 [2] 42 00 8b f2 c7 ?? f8 [0-3] 00 00 00 00 8b f9 ff 15 [2] 41 00 53 53 6a 03 53 53 6a 50 68 80 ?? 42 00 50 89 ?? e8 [0-3] ff 15 [2] 41 00 } 14 | $s2 = { 7b 20 5c 22 6e 61 6d 65 5c 22 3a 20 5c 22 25 73 5c 22 2c 20 5c 22 73 69 7a 65 5c 22 3a 20 5c 22 5c 22 2c 20 5c 22 6d 6f 64 5c 22 3a 20 5c 22 25 73 5c 22 2c 20 5c 22 74 79 70 65 5c 22 3a 20 5c 22 46 69 6c 65 20 66 6f 6c 64 65 72 5c 22 20 7d } 15 | $s3 = { 50 6a 40 ff 15 [2] 41 00 [3-4] 42 00 [3-5] 42 00 68 [2] 42 00 68 [2] 42 00 [3-5] 42 00 56 ff 15 } 16 | $s4 = { 7b 20 22 5f 68 77 69 64 22 3a 20 22 25 73 22 2c 20 22 5f 63 6d 64 22 3a 20 22 74 72 75 65 22 20 7d } 17 | condition: 18 | uint16(0) == 0x5a4d and filesize > 200KB and all of ($s*) 19 | } 20 | -------------------------------------------------------------------------------- /Crimeware/CRIM_FIN13_CMD_Jan_2022_1.yara: -------------------------------------------------------------------------------- 1 | rule CRIM_FIN13_CMD_Jan_2022_1 : fin13 command execution 2 | { 3 | meta: 4 | description = "Detect similiar command execution used by the fin13 group" 5 | author = "Arkbird_SOLG" 6 | date = "2022-01-06" 7 | reference = "https://f.hubspotusercontent30.net/hubfs/8776530/Sygnia-%20Elephant%20Beetle_Jan2022.pdf" 8 | hash1 = "34ab574e2ec73dbd4e0345275002852fe7397f7ab84505612b7a8f1780621388" 9 | hash2 = "a54b3b03910ed298fa644c495937d5fd9dfe46b8b05404440b572394c5ba5a6c" 10 | hash3 = "7d82a56cacebf8331f335dfbbbc76bc68033489037ae16e862bc56bf2088de77" 11 | hash4 = "ffc85e5a01780455adcf5762df7452d27c05da75b9162870431ebc470608b73b" 12 | tlp = "Clear" 13 | adversary = "fin13" 14 | strings: 15 | $s1 = { 6e 65 77 20 50 72 6f 63 65 73 73 42 75 69 6c 64 65 72 28 20 63 6f 6d 6d 61 6e 64 20 29 3b } 16 | $s2 = { 70 72 6f 62 75 69 6c 64 65 72 2e 73 74 61 72 74 28 
29 } /* "probuilder.start()" */ 17 | $s3 = { 70 72 6f 63 65 73 73 2e 67 65 74 49 6e 70 75 74 53 74 72 65 61 6d 28 29 } /* "process.getInputStream()" */ 18 | $s4 = { 6e 65 77 20 49 6e 70 75 74 53 74 72 65 61 6d 52 65 61 64 65 72 } /* "new InputStreamReader" */ 19 | $x1 = { 53 74 72 69 6e 67 5b 5d 20 63 6f 6d 6d 61 6e 64 20 3d 20 7b 22 73 68 22 2c 20 22 2d 63 22 2c 20 72 65 71 75 65 73 74 2e 67 65 74 50 61 72 61 6d 65 74 65 72 28 22 [1-10] 22 29 } /* String[] command = {"sh", "-c", request.getParameter("<1-10 bytes>") -- the HTTP parameter name is the only variable part */ 20 | $x2 = { 53 74 72 69 6e 67 5b 5d 20 63 6f 6d 6d 61 6e 64 20 3d 20 7b ( 22 43 3a 5c 5c 77 69 6e 64 6f 77 73 5c 5c 73 79 73 74 65 6d 33 32 5c 5c 63 | 22 63 ) 6d 64 2e 65 78 65 22 2c 20 22 2f 63 22 2c 20 72 65 71 75 65 73 74 2e 67 65 74 50 61 72 61 6d 65 74 65 72 28 22 [1-10] 22 29 } /* Windows counterpart of $x1: String[] command = {"C:\\windows\\system32\\cmd.exe" or "cmd.exe", "/c", request.getParameter("<1-10 bytes>"); the 5c 5c pairs are the Java-escaped backslashes */ 21 | condition: 22 | filesize < 5KB and all of ($s*) and 1 of ($x*) 23 | } -------------------------------------------------------------------------------- /Hunting/HUN_APT29_EnvyScout_Jul_2023_1.yara: -------------------------------------------------------------------------------- 1 | rule HUN_APT29_EnvyScout_Jul_2023_1 : envyscout apt29 hunting 2 | { 3 | meta: 4 | description = "Hunting rule for detect possible Envyscout malware used by the APT29 group by patterns already used in the past" 5 | author = "Arkbird_SOLG" 6 | reference1 = "https://twitter.com/malwrhunterteam/status/1677023534294487049" 7 | reference2 = "https://twitter.com/StopMalvertisin/status/1677192614985228288" 8 | date = "2023-07-07" 9 | hash1 = "4875a9c4af3044db281c5dc02e5386c77f331e3b92e5ae79ff9961d8cd1f7c4f" 10 | tlp = "Clear" 11 | adversary = "APT29" 12 | strings: 13 | /* tags used as initial vector */ 14 | /* NOTE(review): the listing as rendered jumps from gutter line 14 to 30 -- everything between the opening quote of $tag1 and the "50KB" tail of the condition (the $tag, $st and $s definitions) is missing here, so the rule text on this page is incomplete; take it from the repository file. */ $tag1 = " 50KB and all of ($st*) and 1 of ($s*) 30 | } 31 | -------------------------------------------------------------------------------- /Hunting/HUN_Exchange_Gold_Mystic_Oct_2022_1.yara: -------------------------------------------------------------------------------- 1 | rule HUN_Exchange_Gold_Mystic_Oct_2022_1 : gold_mystic exchange 2 | { 3 | meta: 4 | description = "Detect the implant used against vulnerable Exchange servers by the Gold Mystic group 
(Lockbit)" 5 | author = "Arkbird_SOLG" 6 | reference = "https://asec.ahnlab.com/ko/39682/" 7 | date = "2022-10-22" 8 | hash1 = "baf8397ba06ebbc8c5489f1dc417bab5abe6095efd3d992a7f4a9f02726d55b7" 9 | hash2 = "c597c75c6b6b283e3b5c8caeee095d60902e7396536444b59513677a94667ff8" 10 | tlp = "Clear" 11 | adversary = "Gold Mystic" 12 | strings: /* $s1-$s4 and $s6 are PowerShell de-obfuscation idioms matched as regexes. The class [0-z] is a raw ASCII range: besides digits and letters it admits : ; < = > ? @ [ \ ] ^ _ and the backtick, so the identifier classes are wider than alphanumerics. In $s3 the "." before Length is unescaped and matches any character. */ 13 | $s1 = /-match \"\(\?[0-z]{1,8}\)\^[0-z]{1,15}\(.\+\)[0-z]{1,15}\$\"/ 14 | $s2 = /foreach \(\$[0-z]{1,12} in @\(\"/ 15 | $s3 = /-\$[0-z]{1,12}.Length\] -join ''/ 16 | $s4 = /\| % \{\$[0-z]{1,12}\+=\$_\}/ 17 | $s5 = { 24 70 73 46 69 6c 65 3d 24 50 53 43 6f 6d 6d 61 6e 64 50 61 74 68 } /* "$psFile=$PSCommandPath" -- the script reading its own path */ 18 | $s6 = /iex[ ]{1,4}\$[0-z]{1,12}/ 19 | condition: /* no magic check: the target is a script, so only the size floor and all six strings gate the match */ 20 | filesize > 100KB and all of ($s*) 21 | } 22 | -------------------------------------------------------------------------------- /LICENSE.md: -------------------------------------------------------------------------------- 1 | # Detection Rule License (DRL) 1.1 2 | 3 | Permission is hereby granted, free of charge, to any person obtaining a copy of this rule set and associated documentation files (the "Rules"), to deal in the Rules without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Rules, and to permit persons to whom the Rules are furnished to do so, subject to the following conditions: 4 | 5 | If you share the Rules (including in modified form), you must retain the following if it is supplied within the Rules: 6 | 7 | 1. identification of the authors(s) ("author" field) of the Rule and any others designated to receive attribution, in any reasonable manner requested by the Rule author (including by pseudonym if designated). 8 | 9 | 2. a URI or hyperlink to the Rule set or explicit Rule to the extent reasonably practicable 10 | 11 | 3. 
indicate the Rules are licensed under this Detection Rule License, and include the text of, or the URI or hyperlink to, this Detection Rule License to the extent reasonably practicable 12 | 13 | If you use the Rules (including in modified form) on data, messages based on matches with the Rules must retain the following if it is supplied within the Rules: 14 | 15 | 1. identification of the authors(s) ("author" field) of the Rule and any others designated to receive attribution, in any reasonable manner requested by the Rule author (including by pseudonym if designated). 16 | 17 | THE RULES ARE PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE RULES OR THE USE OR OTHER DEALINGS IN THE RULES. 18 | -------------------------------------------------------------------------------- /Malware/MAL_44Caliber_Feb_2022_1.yara: -------------------------------------------------------------------------------- 1 | rule MAL_44Caliber_Feb_2022_1 : stealer 2 | { 3 | meta: 4 | description = "Detect the 44caliber stealer" 5 | author = "Arkbird_SOLG" 6 | reference = "Internal Research" 7 | date = "2022-02-26" 8 | hash1 = "d986ff4dd8ec61ab72ded8a8f55da573a908454d812c20277f5e5857077a40d5" 9 | hash2 = "1e6906199e0133c35d7d891639129b1fdbaa5ccfd6495be821a19833b665089c" 10 | hash3 = "4b8d1d8710031235a7b7a7fb508fef60d75788d17a1234de27f6d94a544e9991" 11 | tlp = "Clear" 12 | adversary = "-" 13 | strings: /* NOTE(review): the patterns read like CIL byte code -- 6f ?? 00 00 0a is callvirt with a MemberRef (0x0a) token, 72 [2] 00 70 is ldstr with a user-string (0x70) token, 28 [2] 00 06 is call with a MethodDef (0x06) token -- so the target is presumably a .NET assembly; the low token bytes are wildcarded, which is what lets the rule survive recompilation. The MZ check in the condition does not verify the .NET assumption. */ 14 | $s1 = { 02 20 80 00 00 00 7d ?? 00 00 04 [0-1] 03 6f ?? 00 00 0a 0a 16 0b 38 ?? 01 00 00 06 07 6f ?? 00 00 0a 0c } 15 | $s2 = { 73 ?? 02 00 0a 0a [0-1] 02 72 [2] 00 70 28 [2] 00 06 0b 07 [0-6] 07 06 ?? dd ?? 00 00 00 16 } 16 | $s3 = { 7e ?? 
03 00 04 0a 16 0b 38 ?? 00 00 00 06 07 9a 0c [0-2] 08 73 ?? 01 00 0a 6f ?? 01 00 0a 0d 02 72 [2] 00 70 09 28 ?? 00 00 0a 13 04 7e ?? 03 00 04 72 [2] 00 70 08 28 ?? 00 00 0a 13 05 11 05 72 [2] 00 70 28 ?? 00 00 0a 28 ?? 00 00 0a } 17 | $s4 = { 13 ?? 11 ?? 18 8d ?? 00 00 01 25 16 72 [2] 00 70 a2 25 17 72 [2] 00 70 a2 6f [2] 00 06 [0-1] 11 ?? 72 [0-1] 8f [0-1] 00 70 6f [2] 00 06 13 ?? 08 28 [2] 00 06 [2-7] 00 00 00 09 28 [2] 00 06 } 18 | $s5 = { 17 80 ?? 03 00 04 72 [2] 00 70 80 ?? 03 00 04 72 [2] 00 70 80 ?? 03 00 04 17 8d ?? 00 00 01 25 16 72 [2] 00 70 a2 80 ?? 03 00 04 20 d0 12 13 00 80 ?? 03 00 04 2a } 19 | $s6 = { 7e ?? 01 00 0a 72 [2] 00 70 6f ?? 01 00 0a 72 [2] 00 70 6f ?? 01 00 0a 72 [2] 00 70 6f ?? 01 00 0a [0-1] 02 72 [2] 00 70 28 ?? 00 00 0a 28 ?? 00 00 0a 26 [0-1] 72 [2] 00 70 6f ?? 01 00 0a 6f ?? 00 00 0a 72 [2] 00 70 28 ?? 00 00 0a 02 72 [2] 00 70 28 ?? 00 00 0a 28 ?? 01 00 0a [0-1] 7e ?? 03 00 04 17 58 80 ?? 03 00 04 7e [2] 00 04 17 58 80 [2] 00 04 [0-1] de ?? 26 [0-1] de 00 2a } 20 | condition: /* 0x5A4D = "MZ"; > 200KB; every one of the six fragments is required */ 21 | uint16(0) == 0x5A4D and filesize > 200KB and all of ($s*) 22 | } 23 | -------------------------------------------------------------------------------- /Malware/MAL_Allcome_Feb_2022_1.yara: -------------------------------------------------------------------------------- 1 | rule MAL_Allcome_Feb_2022_1 2 | { 3 | meta: 4 | description = "Detect the Allcome clipper" 5 | author = "Arkbird_SOLG" 6 | reference = "https://www.gdatasoftware.com/blog/2022/02/37239-allcome-clipbanker-is-a-newcomer-in-malware-underground-forums" 7 | date = "2022-02-16" 8 | hash1 = "b742bd51b1727c6252b4abd2373aac0e477a96d89ecd5ab8afc16192677f6210" 9 | hash2 = "f294dbf9e74d865423a0bb1299678df8c73a67f2e530bce89c1535046702adae" 10 | tlp = "Clear" 11 | adversary = "-" 12 | strings: /* $s1 is the Steam trade-offer URL literal; $s2 is the ASCII bytes of a schtasks /Create command line (decoded where the string ends); $s3-$s5 are x86 fragments whose 32-bit absolute operands are partly wildcarded ([3] 00, ?? 41 ?? 00), presumably to tolerate address differences between builds */ 13 | $s1 = "https://steamcommunity.com/tradeoffer" ascii 14 | $s2 = { 73 63 68 74 61 73 6b 73 00 00 00 00 6f 70 65 6e 00 00 00 00 2f 43 72 65 61 74 65 20 2f 74 6e 20 4e 76 54 6d 52 65 70 5f 43 72 61 73 68 52 65 
70 6f 72 74 33 5f 7b [4-16] 7d 20 2f 73 63 20 4d 49 4e 55 54 45 20 2f 74 72 20 25 73 00 00 25 73 25 73 } /* "schtasks" "open" "/Create /tn NvTmRep_CrashReport3_{" <4-16 bytes> "} /sc MINUTE /tr %s" "%s%s" -- a scheduled task under an NVIDIA-lookalike name, run every minute; the task name is a useful hunt key in task-creation telemetry (e.g. event 4698 where task auditing is enabled) */ 15 | $s3 = { 8b 44 24 18 68 [3] 00 ff 74 06 [5-6] 00 83 c4 08 85 c0 74 ?? 8b 44 24 18 68 [3] 00 ff 74 06 08 [4-5] 00 83 c4 08 85 c0 75 02 b3 01 47 83 c6 10 3b 7c 24 1c 72 ?? 8b 44 24 18 85 c0 74 07 50 ff 15 [3] 00 80 fb 01 0f 84 ?? 01 00 00 } 16 | $s4 = { 6a 00 e8 84 fd ff ff 6a 00 6a 00 6a 00 6a 01 68 [3] 00 8b f0 ff 15 [3] 00 8b d8 85 db 0f 84 ?? 02 00 00 6a 00 6a 00 6a 00 6a 00 56 53 ff 15 [3] 00 8b f0 85 f6 0f 84 ?? 02 00 00 8b 3d ?? 41 ?? 00 0f 1f 44 00 00 8d 44 24 1c 50 68 00 04 00 00 8d 84 24 38 02 00 00 50 56 ff d7 83 7c 24 1c 00 75 e4 56 8b 35 [3] 00 ff d6 53 ff d6 80 bc 24 30 02 00 00 2d 0f 84 ?? 01 00 00 6a 04 e8 ?? 0c 00 00 } /* loop of ff d7 calls with a 0x400-byte stack buffer (68 00 04 00 00), then a compare of the first buffer byte with '-' (80 bc 24 30 02 00 00 2d) -- presumably a read loop over a handle; not asserted beyond the opcodes */ 17 | $s5 = { 8d 44 24 20 50 6a 00 6a 00 6a 1c 6a 00 ff 15 [3] 00 85 c0 0f 88 c1 00 00 00 68 [3] 00 8d 44 24 24 50 68 [3] 00 68 04 01 00 00 50 e8 ?? fd ff ff 83 c4 14 85 c0 0f 84 9c 00 00 00 6a 00 8d 44 24 24 50 ff 15 1c 40 ?? 00 8b 35 18 40 ?? 00 8d 44 24 20 6a 02 50 ff d6 68 [3] 00 8d 44 24 24 50 68 [3] 00 68 04 01 00 00 50 e8 ?? fd ff ff 83 c4 14 85 c0 74 5f 6a 00 8d 44 24 24 50 8d 84 24 30 01 00 00 50 ff 15 14 40 ?? 
00 6a 02 8d 44 24 24 50 ff d6 8d 44 24 20 50 68 [3] 00 8d 84 24 38 02 00 00 68 04 01 00 00 50 e8 [2] ff ff 83 c4 10 85 c0 74 1e 6a 00 6a 00 8d 84 } 18 | condition: /* MZ header, > 10KB, any 4 of the 5 strings -- one fragment may drift between builds without losing the match */ 19 | uint16(0) == 0x5A4D and filesize > 10KB and 4 of ($s*) 20 | } 21 | -------------------------------------------------------------------------------- /Malware/MAL_BPFDoor_May_2022_1.yara: -------------------------------------------------------------------------------- 1 | rule MAL_BPFDoor_May_2022_1 : apt bpfdoor controller redmenshen x64 2 | { 3 | meta: 4 | description = "Detect BPFDoor used by Red Menshen" 5 | author = "Arkbird_SOLG" 6 | reference = "https://twitter.com/jcksnsec/status/1522163033585467393" 7 | date = "2022-05-06" 8 | hash1 = "591198c234416c6ccbcea6967963ca2ca0f17050be7eed1602198308d9127c78" 9 | hash2 = "1925e3cd8a1b0bba0d297830636cdb9ebf002698c8fa71e0063581204f4e8345" 10 | hash3 = "93f4262fce8c6b4f8e239c35a0679fbbbb722141b95a5f2af53a2bcafe4edd1c" 11 | tlp = "Clear" 12 | adversary = "Red Menshen" 13 | strings: /* x64 fragments. The alternatives inside $s1 carry fully specified absolute operands (bf 17 35 40 00, b8 98 32 40 00, bf 06 36 40 00 -- 0x0040xxxx addresses, presumably a non-PIE build), so each branch pins one known sample; expect to add a branch or wildcard those operands when a relinked build appears. $s2-$s4 keep only the relative e8/eb displacements wildcarded. */ 14 | $s1 = { 48 [2-5] 48 [2-3] e8 [2] ff ff 89 45 ?? 83 ( 7d ?? ff 75 1c 48 8b 75 98 bf 17 35 40 00 | ( 7d ?? ff 75 23 b8 98 32 40 00 48 8b 55 88 48 89 d6 48 | 7d e8 00 74 5d bf 06 36 40 00 e8 fd ec ff ff 8b 45 e8 be 03 00 00 00 ) 89 c7 ) b8 00 00 00 00 e8 [2] ff ff } 15 | $s2 = { e8 [2] ff ff [1-3] 00 00 00 00 e9 [2] 00 00 48 8d 45 ?? 0f b6 00 84 c0 75 } 16 | $s3 = { 0f b7 4d ?? 8b 55 ?? 8b [2] 48 8d [4-7] e8 [0-2] ff ff eb ?? 0f b7 4d ?? 8b 55 ?? 8b [2] 48 8d [2-7] e8 [2] ff ff eb ?? 0f b7 4d ?? 8b 55 ?? 8b } 17 | $s4 = { 8b [2] bf ff ff [2-4] fd ff ff 48 8d [2-5] bf 00 00 00 00 e8 [2] ff ff 48 8b 45 ?? 48 89 85 ?? ff ff ff 48 8b 45 ?? 48 89 85 ?? ff ff ff 48 8b 45 ?? 
48 89 } 18 | condition: /* 0x464C457F is "\x7fELF" read as a little-endian dword; > 10KB; all four fragments */ 19 | uint32(0) == 0x464C457F and filesize > 10KB and all of ($s*) 20 | } 21 | -------------------------------------------------------------------------------- /Malware/MAL_BPFDoor_May_2022_3.yara: -------------------------------------------------------------------------------- 1 | rule MAL_BPFDoor_May_2022_3 : apt bpfdoor controller redmenshen x86 2 | { 3 | meta: 4 | description = "Detect BPFDoor used by Red Menshen" 5 | author = "Arkbird_SOLG" 6 | reference = "https://twitter.com/jcksnsec/status/1522163033585467393" 7 | date = "2022-05-07" 8 | hash1 = "144526d30ae747982079d5d340d1ff116a7963aba2e3ed589e7ebc297ba0c1b3" 9 | hash2 = "54a4b3c2ac34f1913634ab9be5f85cde19445d01260bb15bcd1d52ebcc85af2c" 10 | tlp = "Clear" 11 | adversary = "Red Menshen" 12 | strings: /* 32-bit build: ebp-relative byte stores (c6 85 ...) and 0x0804xxxx operands (the trailing 04 08 in $s3) */ 13 | $s1 = { c6 85 ?? 7b ff ff 2f c6 85 ?? 7b ff ff 62 c6 85 ?? 7b ff ff 69 c6 85 ?? 7b ff ff 6e c6 85 ?? 7b ff ff 2f c6 85 ?? 7b ff ff 73 c6 85 ?? 7b ff ff 68 c6 85 ?? 7b ff ff 00 c6 85 ?? 7b ff ff 48 c6 85 ?? 7b ff ff 4f c6 85 ?? 7b ff ff 4d c6 85 ?? 7b ff ff 45 c6 85 ?? 7b ff ff 3d c6 85 ?? 7b ff ff 2f c6 85 ?? 7b ff ff 74 c6 85 ?? 7b ff ff 6d c6 85 ?? 7b ff ff 70 c6 85 ?? 7b ff ff 00 } /* byte-by-byte stack string: "/bin/sh" NUL "HOME=/tmp" NUL -- a shell path plus an environment entry, presumably for a spawned shell; only the stack offsets are wildcarded */ 14 | $s2 = { ff ff [0-3] c7 45 ?? fe ff ff ff eb (6e 83 ec 0c ff 75 f8 | 63 8b 45 fc 89 04 24 ) e8 [2] ff ff } 15 | $s3 = { 02 53 00 00 [2] fc ( e8 b9 f2 | 89 04 24 e8 fd e8 ) ff ff [0-3] 85 c0 79 08 8b 45 fc 89 45 ?? eb ( 4e 83 ec 04 68 9d ae | 54 c7 44 24 08 aa c4 ) 04 08 } 16 | $s4 = { ff ff [0-3] 89 45 ?? 83 7d ?? ff 75 09 c7 45 ?? ff ff ff ff eb ?? 66 c7 45 ?? 02 00 [2] 45 ?? 
66 89 45 [2-3] ec } /* 66 c7 45 ?? 02 00 stores the 16-bit value 2 (AF_INET) into a stack structure after a -1 return check (83 7d ?? ff) -- presumably sockaddr_in setup following a socket() call; confirm against the sample */ 17 | condition: /* ELF magic, > 10KB, all four fragments */ 18 | uint32(0) == 0x464C457F and filesize > 10KB and all of ($s*) 19 | } 20 | -------------------------------------------------------------------------------- /Malware/MAL_Daxin_Feb_2022_1.yara: -------------------------------------------------------------------------------- 1 | rule MAL_Daxin_Feb_2022_1 : rootkit daxin x64 core 2 | { 3 | meta: 4 | description = "Detect the Daxin rootkit" 5 | author = "Arkbird_SOLG" 6 | reference = "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/daxin-backdoor-espionage" 7 | date = "2022-02-28" 8 | hash1 = "06a0ec9a316eb89cb041b1907918e3ad3b03842ec65f004f6fa74d57955573a4" 9 | hash2 = "8d9a2363b757d3f127b9c6ed8f7b8b018e652369bc070aa3500b3a978feaa6ce" 10 | hash3 = "6908ebf52eb19c6719a0b508d1e2128f198d10441551cbfb9f4031d382f5229f" 11 | tlp = "Clear" 12 | adversary = "Chinese espionage APT" 13 | strings: /* x64 fragments; the ff 15 [2] 00 00 calls are RIP-relative imports, so no absolute addresses are baked in */ 14 | $s1 = { 48 8d 15 [4-7] 48 8d 4c 24 40 ff 15 [5] 8d [5] 4c 8d 44 24 40 ?? 89 ?? 24 30 41 b9 09 00 00 00 [0-2] 48 8b [1-3] c6 44 24 28 00 83 64 24 20 00 ff 15 } 15 | $s2 = { c7 44 24 50 30 00 00 00 ?? 89 ?? 24 58 } /* NOTE(review): 13 bytes with three wildcards (mov dword [rsp+50h],30h; mov [rsp+58h],reg) -- a fairly generic stack-argument setup that can occur in benign x64 code; it only counts because the condition needs 3 of 4 */ 16 | $s3 = { 48 83 ec 28 83 62 30 00 48 8b ca 33 d2 ff 15 [2] 00 00 33 c0 48 83 c4 28 c3 cc cc cc cc cc cc } /* a complete small routine: sub rsp,28h ... call [rip+imm] ... xor eax,eax ... ret, followed by cc padding */ 17 | $s4 = { 8b ?? 
49 8b c9 ff 15 [2] 00 00 85 c0 } 18 | condition: /* MZ header, > 30KB, 3 of the 4 fragments */ 19 | uint16(0) == 0x5A4D and filesize > 30KB and 3 of ($s*) 20 | } 21 | -------------------------------------------------------------------------------- /Malware/MAL_Daxin_Feb_2022_2.yara: -------------------------------------------------------------------------------- 1 | rule MAL_Daxin_Feb_2022_2 : rootkit daxin x32 core 2 | { 3 | meta: 4 | description = "Detect the Daxin rootkit" 5 | author = "Arkbird_SOLG" 6 | reference = "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/daxin-backdoor-espionage" 7 | date = "2022-03-02" 8 | hash1 = "81c7bb39100d358f8286da5e9aa838606c98dfcc263e9a82ed91cd438cb130d1" 9 | tlp = "Clear" 10 | adversary = "Chinese espionage APT" 11 | strings: /* String artefacts of the driver rather than code. $s1 is a registry path that legitimate network drivers also reference, so on its own it is not specific; the 3-of-4 requirement in the condition is what keeps the rule tight. */ 12 | $s1 = "\\registry\\machine\\system\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\" wide 13 | $s2 = { ( 5c 00 44 00 6f 00 73 00 44 00 65 00 76 00 69 00 63 00 65 00 73 00 | 5c 00 44 00 65 00 76 00 69 00 63 00 65 00 ) 5c 00 54 00 63 00 70 00 34 } /* UTF-16LE "\DosDevices" or "\Device", then "\Tcp4" */ 14 | $s3 = { 5c 00 3f 00 3f 00 5c 00 70 00 69 00 70 00 65 00 5c 00 ( 72 00 74 00 6f 00 73 00 76 00 63 | 72 00 74 00 69 00 73 00 76 00 63 ) } /* UTF-16LE "\??\pipe\rtosvc" or "\??\pipe\rtisvc" -- named-pipe names worth hunting on hosts */ 15 | $s4 = { 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 68 74 70 6d 67 63 69 64 3d 25 73 } /* ASCII "Set-Cookie: htpmgcid=%s" -- an HTTP header format string, also usable as a network-side pivot */ 16 | condition: 17 | /* move to "all of them" for hunting x86 version of Daxin ($s4 ref) */ 18 | uint16(0) == 0x5A4D and filesize > 25KB and 3 of ($s*) 19 | } 20 | -------------------------------------------------------------------------------- /Malware/MAL_ELF_DeimosC2_Beacon_Nov_2022_1.yara: -------------------------------------------------------------------------------- 1 | rule MAL_ELF_DeimosC2_Beacon_Nov_2022_1 : deimosc2 beacon x64 2 | { 3 | meta: 4 | description = "Detect the linux beacon used in the DeimosC2 framework (x64 version)" 5 | author = "Arkbird_SOLG" 6 | reference = "https://www.trendmicro.com/en_us/research/22/k/deimosc2-what-soc-analysts-and-incident-responders-need-to-know.html" 7 | date = "2022-11-08" 8 | hash1 = 
"05e9fe8e9e693cb073ba82096c291145c953ca3a3f8b3974f9c66d15c1a3a11d" 9 | hash2 = "23ec389d12c912ee895ec039891769d4be39a575caeca90615be7d4143b653c4" 10 | hash3 = "036947a130d99d024912ad8d6632ba6a32d5eb3649e2d605a0a6de5c6f35a63a" 11 | tlp = "Clear" 12 | adversary = "-" 13 | strings: /* Long x64 fragments. The frame setup in $s2/$s3 (mov [rsp+N],rbp; lea rbp,[rsp+N]) is the shape Go emits, which fits the DeimosC2 reference -- presumably, not verified here. */ 14 | $s1 = { 48 8d 84 24 ?? 00 00 00 48 89 44 24 18 48 c7 44 24 20 10 00 00 00 48 c7 44 24 28 10 00 00 00 [1-9] 89 44 24 30 48 89 ?? 24 38 48 8b 84 24 [2] 00 00 48 89 44 24 40 48 8b 84 24 [2] 00 00 48 89 44 24 48 48 8b 84 24 ?? 01 00 00 48 89 44 24 50 48 8b 84 24 ?? 01 00 00 48 89 44 24 58 e8 } 15 | $s2 = { 48 81 ec 20 02 00 00 48 89 ac 24 18 02 00 00 48 8d ac 24 18 02 00 00 80 3d [3] 00 01 0f 84 79 27 00 00 48 8b b4 24 30 02 00 00 48 8b 94 24 38 02 00 00 48 c1 ea 06 48 c1 e2 06 48 8d 3c 16 48 89 bc 24 00 01 00 00 48 39 fe 0f 84 3c 27 00 00 48 8b ac 24 28 02 00 00 44 8b 45 00 44 8b 4d 04 44 8b 55 08 44 8b 5d 0c 44 8b 65 10 44 8b 6d 14 44 8b 75 18 44 8b 7d 1c 48 89 e5 8b 06 0f c8 89 45 00 41 01 c7 44 89 e0 41 81 c7 98 2f 8a 42 44 89 e1 c1 c8 06 44 89 e2 c1 } /* rounds the length down to a multiple of 64 (shr/shl by 6), loads eight 32-bit state words, byte-swaps input (0f c8) and adds 0x428a2f98 -- the first SHA-256 round constant -- then rotates by 6: this is a SHA-256 block function (a generic crypto routine, so the rule relies on the other strings for specificity) */ 16 | $s3 = { 48 81 ec [2] 00 00 48 89 ac 24 [2] 00 00 48 8d ac 24 [2] 00 00 ?? c7 ?? 00 00 00 00 ?? 89 ?? 
24 [2] 00 00 [6] 00 00 48 } 17 | $s4 = { 48 89 ac 24 00 01 00 00 48 8d ac 24 00 01 00 00 48 8b bc 24 10 01 00 00 48 8b 94 24 18 01 00 00 48 8b b4 24 30 01 00 00 4c 8b 8c 24 38 01 00 00 48 8b 8c 24 48 01 00 00 4c 8b 84 24 50 01 00 00 48 8b 84 24 58 01 00 00 4c 8b ac 24 60 01 00 00 49 c1 ed 02 49 ff cd f3 44 0f 6f 3d [3] 00 f3 44 0f 6f 35 [3] 00 f3 45 0f 6f 00 66 45 0f ef c9 66 45 0f ef d2 f3 0f 6f 01 44 8b 51 0c f3 44 0f 6f 18 44 8b 60 0c 41 0f ca 41 0f cc 66 44 0f ef d8 f3 44 0f 7f 9c 24 80 00 00 00 41 83 c2 01 45 89 d3 45 31 e3 41 0f cb 44 89 9c 24 8c 00 00 00 49 81 f9 80 00 00 00 0f 82 1e 10 00 00 49 81 } /* SSE block loop (movdqu/pxor, bswap of counters, cmp r9,0x80) -- presumably a cipher primitive; not identified here */ 18 | condition: /* ELF magic, > 300KB, all four fragments */ 19 | uint32(0) == 0x464C457F and filesize > 300KB and all of ($s*) 20 | } 21 | -------------------------------------------------------------------------------- /Malware/MAL_HeaderTip_Mar_2022_1.yara: -------------------------------------------------------------------------------- 1 | rule MAL_HeaderTip_Mar_2022_1 : headerTip uac0026 2 | { 3 | meta: 4 | description = "Detect HeaderTip used uac0026 group (detect also the installers)" 5 | author = "Arkbird_SOLG" 6 | reference = "https://cert.gov.ua/article/38097" 7 | date = "2022-03-22" 8 | hash1 = "b1ba84107958ac79181ad1089096bb134d069d9842440327d972797b959b9193" 9 | hash2 = "63a218d3fc7c2f7fcadc0f6f907f326cc86eb3f8cf122704597454c34c141cf1" 10 | hash3 = "0a146f2f566f6130dfed9ee842fce3229efff8a751062cb3ad5dac137807b712" 11 | adversary = "UAC-0026" 12 | tlp = "Clear" 13 | strings: /* x86 fragments with fully specified 0x1000xxxx operands (ff 15 20 30 00 10, 68 14 31 00 10): presumably a DLL linked at image base 0x10000000, which ties every string to this build's layout -- a rebuilt sample will need the import/data addresses wildcarded */ 14 | $s1 = { 8a 4d f0 8b 45 08 88 08 8b 45 0c 8a 4d f1 88 08 8b 45 f4 8b 4d 14 56 8b 75 10 89 01 83 26 00 85 c0 74 2a 50 ff 15 20 30 00 10 59 89 06 85 c0 74 18 ff 75 f4 50 e8 [4] 59 59 85 c0 75 0d ff 36 ff 15 1c 30 00 10 59 33 c0 eb 03 33 c0 40 } 15 | $s2 = { 57 83 c0 08 68 14 31 00 10 50 ff 15 40 30 00 10 8b f8 59 59 3b fb 0f 84 a3 00 00 00 53 56 57 ff 15 3c 30 00 10 83 c4 0c 85 c0 0f 85 8f 00 00 00 8d 45 10 50 8d 45 fc 50 8d 45 08 50 8d 45 0f 50 e8 [4] 83 c4 10 85 c0 74 51 8b 35 1c 30 00 } 16 | $s3 = { 8b ec 81 ec 1c 01 
00 00 56 68 24 31 00 10 8d 85 e4 fe ff ff 50 c6 45 ec 00 c6 45 e8 00 c7 05 a4 42 01 10 01 00 00 00 c7 05 8c 42 00 10 50 46 00 00 ff 15 10 30 00 10 ff 35 8c 42 00 10 ff 15 0c 30 00 10 68 17 ca 2b 6e e8 15 ff ff ff 8b f0 89 35 94 42 00 10 83 fe ff 75 1e 68 3f d6 ec 8f e8 fe fe ff ff 8b f0 89 35 94 42 00 10 83 fe } /* two 32-bit constants (0x6e2bca17, 0x8fecd63f) are pushed before calls whose result is compared with -1; that shape is typical of resolving something by hash, but the meaning of the constants is not established here */ 17 | $s4 = { 8b ec 81 ec 8c 00 00 00 56 57 6a 23 59 be 88 30 00 10 8d bd 74 ff ff ff f3 a5 33 ff 57 68 38 02 00 00 68 38 40 00 10 e8 [2] 00 00 e8 [2] 00 00 8d 85 74 ff ff ff 50 68 80 30 00 10 be 4c 40 00 10 56 c7 05 38 40 00 10 [2] 00 10 c7 05 3c 40 00 10 [2] 00 10 ff 15 18 40 00 10 83 c4 18 e8 [4] a3 60 42 00 10 89 15 64 42 00 10 ff 15 00 30 00 10 a3 68 42 00 10 33 c0 83 7d 10 01 57 0f 95 c0 57 57 50 56 ff 15 1c 40 00 10 a3 40 40 00 10 3b c7 74 21 8b 45 08 a3 4c 42 00 10 8b 45 0c a3 } 18 | $s5 = { 56 57 6a 58 33 f6 8d 45 a8 56 50 e8 [2] 00 00 a1 5c 42 00 10 89 45 b0 a1 60 42 00 10 89 45 a8 a1 64 42 00 10 6a 58 89 45 ac 8d 45 a8 50 56 ff 75 08 c7 45 bc 00 00 02 00 56 c7 45 c0 [3] 00 89 75 b4 c6 45 e6 03 e8 [4] 8b f8 83 c4 20 3b fe } 19 | condition: /* MZ header, > 5KB, all five fragments */ 20 | uint16(0) == 0x5A4D and filesize > 5KB and all of ($s*) 21 | } 22 | -------------------------------------------------------------------------------- /Malware/MAL_IceXLoader_Downloader_Jun_2021_1.yara: -------------------------------------------------------------------------------- 1 | /* NOTE(review): the rule name and file name say Jun_2021 while date is 2022-06-19 and the reference is the 2022 IceXLoader 3.0 write-up; the year in the name looks like a typo. Kept as-is because renaming a rule changes its identifier for every consumer. */ rule MAL_IceXLoader_Downloader_Jun_2021_1 : icexloader downloader nim v3 2 | { 3 | meta: 4 | description = "Detect the downloader that drops IceXLoader loader (nim version)" 5 | author = "Arkbird_SOLG" 6 | date = "2022-06-19" 7 | reference = "https://www.fortinet.com/blog/threat-research/new-icexloader-3-0-developers-warm-up-to-nim" 8 | hash1 = "705e8d65983d6f6ecdce444dea17e33642b7bb3336f627698ac5d32637efcb18" 9 | hash2 = "ce830f802b7fdb4d42c18bd692690cfac0e2d03947c6b13f583af215a7039b54" 10 | hash3 = "11881702372ebdeb3b2386a3dd1a6e8f40374867317ffcd23b74c892502cc6af" 11 | tlp = "Clear" 12 | adversary = "-" 13 | strings: 14 | $s1 
= { 00 20 00 0c 00 00 28 29 00 00 0a 00 00 de 05 26 00 00 de 00 03 28 2a 00 00 0a 74 17 00 00 01 0a 06 6f 2b 00 00 0a 74 18 00 00 01 0b 07 6f 2c 00 00 0a 0c 08 } 15 | $s2 = { 0a 73 1d 00 00 0a 0b 07 6f 1e 00 00 0a 72 0d 00 00 70 6f 1f 00 00 0a 00 07 6f 1e 00 00 0a 72 15 00 00 70 6f 20 00 00 0a 00 07 6f 1e 00 00 0a 17 6f 21 00 00 0a 00 07 6f 22 00 00 0a 26 2b 02 00 00 07 6f 23 00 00 0a 16 fe 01 0c 08 2d f1 06 16 06 8e 69 28 24 00 00 0a 00 06 } 16 | $s3 = { 00 73 25 00 00 0a 0a 02 03 28 08 00 00 06 06 6f 26 00 00 0a 00 06 6f 27 00 00 0a 0b 06 6f 28 00 00 0a 00 07 0c 2b 00 08 2a } 17 | $s4 = { 00 02 02 72 49 00 00 70 28 07 00 00 06 28 06 00 00 06 28 2d 00 00 0a 0a 2b 00 06 2a } /* NOTE(review): $s1-$s4 read like CIL (callvirt 6f xx 00 00 0a, newobj 73 xx 00 00 0a, ldstr 72 xx 00 00 70, ret 2a), i.e. presumably a .NET downloader, and every metadata token is fully specified. Tokens are renumbered on each compilation, so this pins one build; wildcarding the low token byte (?? 00 00 0a / ?? 00 00 70) would let the rule follow recompiled variants. */ 18 | condition: /* MZ header, > 20KB, all four fragments */ 19 | uint16(0) == 0x5A4D and filesize > 20KB and all of ($s*) 20 | } 21 | -------------------------------------------------------------------------------- /Malware/MAL_IceXLoader_Jun_2022_1.yara: -------------------------------------------------------------------------------- 1 | rule MAL_IceXLoader_Jun_2022_1 : icexloader loader nim v3 2 | { 3 | meta: 4 | description = "Detect IceXLoader loader (nim version)" 5 | author = "Arkbird_SOLG" 6 | date = "2022-06-18" 7 | reference = "https://www.fortinet.com/blog/threat-research/new-icexloader-3-0-developers-warm-up-to-nim" 8 | hash1 = "4c26dbee513067e6d327e4b336b29992fd5270a0a8ecd1e9571378a3fb0bdc60" 9 | hash2 = "4fe56d88c1170a3d0e025b9d8f7939139a7618b3868eb993037c6e3b52d9d501" 10 | hash3 = "6d98c8bdb20a85ef44677f3e7eed32c9fee0c18354e3365c28e11cb6130a8794" 11 | tlp = "Clear" 12 | adversary = "-" 13 | strings: /* x86 code with fully specified absolute operands (b9 db 51 42 00, 8b 04 85 18 52 42 00) and fully specified e8 rel32 displacements (e8 b5 0b 02 00): the rule matches this exact build; consider wildcarding the displacement bytes when the next version appears */ 14 | $s1 = { 89 cb b9 db 51 42 00 83 ec 1c 0f b6 45 08 8b 75 0c 8b 04 85 18 52 42 00 85 d2 74 08 83 3a 00 74 03 8d 4a 08 89 c2 31 ff e8 a1 ff ff ff 85 c0 74 50 89 03 85 f6 7f 29 bf 01 00 00 00 75 43 c7 44 24 0c 00 00 00 00 c7 44 24 08 04 00 00 00 c7 44 24 04 00 00 00 00 89 04 24 e8 b5 0b 02 00 eb 21 89 74 24 0c bf 01 00 00 00 c7 44 24 08 00 00 00 00 c7 44 24 04 00 00 00 00 89 04 24 e8 92 0b 02 00 83 c4 1c 89 } 15 | $s2 = { b9 1c 
ab 42 00 89 e5 83 ec 08 c6 05 08 f4 43 00 18 c7 05 00 f4 43 00 04 00 00 00 c7 05 04 f4 43 00 04 00 00 00 c7 05 0c f4 43 00 40 d5 43 00 c7 05 18 f4 43 00 ab 55 41 00 e8 73 c2 fe ff a3 24 f4 43 00 85 c0 75 0a b9 08 ab 42 00 e8 79 c2 fe ff 8b 0d 24 f4 43 00 ba 23 a0 42 00 e8 09 c4 fe ff b9 34 a9 42 00 a3 b0 f3 43 00 e8 41 c2 fe ff a3 20 } 16 | $s3 = { b9 5c a8 42 00 e8 57 ed fe ff 89 c3 e8 75 34 ff ff c7 04 24 ff ff ff ff ba 50 a8 42 00 89 c1 e8 1b 16 ff ff b9 2c a8 42 00 52 ba ?? b0 42 00 89 c7 e8 df 30 ff ff 89 c6 31 c0 85 db 74 02 8b 03 8b 4f 10 31 d2 85 c9 74 02 8b 11 01 d0 31 d2 85 f6 74 } 17 | $s4 = { e8 c2 fa fe ff ba 9c 9f 42 00 e8 ce fe ff ff 89 f2 e8 e8 fe ff ff 89 c1 e8 d0 d4 fe ff 8b 4d 10 89 c7 e8 fc cf fe ff b9 0e 00 00 00 89 c6 85 c0 74 05 8b 00 8d 48 0e e8 8b fa fe ff ba 84 9f 42 00 e8 97 fe ff ff 89 f2 e8 b1 fe ff ff 89 c1 e8 99 d4 fe ff c7 44 24 18 00 00 00 00 89 c6 8d 45 dc c7 44 24 14 00 04 00 00 89 44 24 1c c7 44 24 10 00 04 00 00 c7 44 24 0c 01 00 00 00 c7 44 24 08 01 00 00 00 c7 44 24 04 01 00 00 80 89 3c 24 ff 15 40 ca 43 00 89 45 d4 83 } /* the argument block ends with 0x80000001 (HKEY_CURRENT_USER) at [esp+4] before an imported call (ff 15 40 ca 43 00) -- presumably a registry open/query under HKCU; confirm against the sample */ 18 | condition: /* MZ header, > 25KB, all four fragments */ 19 | uint16(0) == 0x5A4D and filesize > 25KB and all of ($s*) 20 | } 21 | -------------------------------------------------------------------------------- /Malware/MAL_IceXLoader_Nov_2022_1.yara: -------------------------------------------------------------------------------- 1 | rule MAL_IceXLoader_Nov_2022_1 : icexloader loader nim v3 2 | { 3 | meta: 4 | description = "Detect IceXLoader loader (nim version) v3.3.3" 5 | author = "Arkbird_SOLG" 6 | date = "2022-11-10" 7 | reference = "https://minerva-labs.com/blog/new-updated-icexloader-claims-thousands-of-victims-around-the-world/" 8 | hash1 = "0911819d0e050ddc5884ea40b4b39a716a7ef8de0179d0dfded9f043546cede9" 9 | hash2 = "0feba92ff632640e738c770d3eb69ee1e287a54fb86c50bbcd2d0a9114b8539c" 10 | hash3 = "29c7d7d36a0c8acec88ff7aa34adc0f9240270a85e330fd2336408e1f0d52c21" 11 | tlp = "Clear" 12 | adversary = "-" 13 | strings: /* $s1-$s4 are ASCII artefacts, each prefixed with a 0x40 '@' byte: a powershell Set-MpPreference command line, two named-pipe paths, the Startup folder path and a mutex name (decoded where each string ends); $s5 is a code fragment with two alternatives */ 14 | $s1 = { 70 6f 77 65 
72 73 68 65 6c 6c 20 2d 43 6f 6d 6d 61 6e 64 20 53 65 74 2d 4d 70 50 72 65 66 65 72 65 6e 63 65 20 2d 44 69 73 61 62 6c 65 52 65 61 6c 74 69 6d 65 4d 6f 6e 69 74 6f 72 69 6e 67 20 24 74 72 75 65 } /* "powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true" -- turns off Defender real-time scanning; the same command line in process-creation telemetry is a strong signal on its own */ 15 | $s2 = { 40 5c 5c 2e 5c 70 69 70 65 5c 73 74 64 69 6e 00 00 0f 00 00 00 0f 00 00 40 5c 5c 2e 5c 70 69 70 65 5c 73 74 64 6f 75 74 } /* "@\\.\pipe\stdin" ... "@\\.\pipe\stdout" -- named pipes, with a few length/padding bytes in between */ 16 | $s3 = { 40 4d 69 63 72 6f 73 6f 66 74 5c 57 69 6e 64 6f 77 73 5c 53 74 61 72 74 20 4d 65 6e 75 5c 50 72 6f 67 72 61 6d 73 5c 53 74 61 72 74 75 70 } /* "@Microsoft\Windows\Start Menu\Programs\Startup" -- Startup-folder persistence */ 17 | $s4 = { 40 4d 75 74 65 78 5f 49 43 45 5f 58 } /* "@Mutex_ICE_X" -- the mutex name is a cheap host-side indicator */ 18 | $s5 = { 89 e5 83 ec ( 28 e8 5e ff ff ff 8d 45 f4 c7 45 | 18 c7 45 f4 ff 00 00 00 c7 05 60 ) f4 ( 23 8d 41 00 89 04 24 e8 c6 97 fe ff 8b 45 f4 ff d0 | 43 00 01 00 00 00 e8 2c 00 00 00 89 45 f4 8b 45 f4 ) c9 c3 55 89 e5 83 ec } 19 | condition: /* MZ header, > 50KB, all five strings */ 20 | uint16(0) == 0x5A4D and filesize > 50KB and all of ($s*) 21 | } 22 | -------------------------------------------------------------------------------- /Malware/MAL_JLORAT_Apr_2023_1.yara: -------------------------------------------------------------------------------- 1 | rule MAL_JLORAT_Apr_2023_1 : apt jlorat backdoor 2 | { 3 | meta: 4 | description = "Detect JLORAT backdoor" 5 | author = "Arkbird_SOLG" 6 | date = "2023-04-24" 7 | reference = "https://securelist.com/tomiris-called-they-want-their-turla-malware-back/109552/" 8 | hash1 = "296599df29f4ffa9bf753ff9440032d912969d0bab6e3208ab88b350f9a83605" 9 | hash2 = "69bb729ff354cd9651f99a05f74f3ea20d483dc8e6e5838e4dd48858fd500d29" 10 | tlp = "Clear" 11 | adversary = "-" 12 | strings: /* x86 fragments; $s1/$s2 write call arguments through eax=esp (89 e0, 89 50 04, 89 08) ahead of an e8 call whose displacement is wildcarded */ 13 | $s1 = { 8b 8d 28 ff ff ff 8b 95 24 ff ff ff 89 e0 89 50 04 89 08 e8 [2] 00 00 89 85 20 ff ff ff eb 00 8b 8d 2c ff ff ff 8b 95 20 ff ff ff 89 e0 89 50 08 89 08 c7 40 04 00 00 00 00 e8 [2] 2e 00 83 } 14 | $s2 = { 8b 8d 74 ff ff ff 8b 95 70 ff ff ff 89 e0 89 85 60 ff ff ff 8d 75 80 89 70 1c 8d b5 7c ff ff ff 89 70 18 8d b5 78 ff ff ff 89 70 10 89 50 04 89 08 c7 40 14 ff ff ff ff c7 40 0c 01 00 00 00 c7 40 08 00 00 00 00 e8 [3] 00 83 ec 20 89 85 64 ff ff ff eb 00 
8b 85 64 ff ff ff 89 45 c4 83 } 15 | $s3 = { 53 68 7e 66 04 80 57 ff 15 [3] 00 83 f8 ff 0f 84 59 01 00 00 8b 45 10 b9 10 00 00 00 ba 1c 00 00 00 83 38 00 0f 44 d1 83 c0 04 52 50 57 ff 15 [3] 00 83 f8 ff 74 22 c6 45 dc 04 c7 85 bc fe ff ff 00 00 00 00 53 68 7e 66 04 80 57 ff 15 [3] 00 83 f8 } /* 68 7e 66 04 80 pushes 0x8004667e, the value of FIONBIO, before an imported call checked against -1 (presumably ioctlsocket switching a socket to non-blocking), and 0f 44 d1 picks 0x10 or 0x1c as a length -- the sizes of sockaddr_in / sockaddr_in6 -- before the next call; an IPv4/IPv6 connect path, to be confirmed against the sample */ 16 | $s4 = { 5c 50 72 6f 63 65 73 73 6f 72 28 5f 54 6f 74 61 6c 29 5c 25 20 50 72 6f 63 65 73 73 6f 72 20 54 69 6d 65 74 6f 74 5f 30 5c 50 72 6f 63 65 73 73 6f 72 28 29 5c 25 20 50 72 6f 63 65 73 73 6f 72 20 54 69 6d 65 } /* "\Processor(_Total)\% Processor Time" "tot_0" "\Processor()\% Processor Time" -- performance-counter paths, i.e. CPU-usage collection */ 17 | condition: /* MZ header, > 900KB, all four strings */ 18 | uint16(0) == 0x5A4D and filesize > 900KB and all of ($s*) 19 | } 20 | -------------------------------------------------------------------------------- /Malware/MAL_Mars_Stealer_Apr_2022_1.yara: -------------------------------------------------------------------------------- 1 | import "pe" /* required by the section-name test in the condition */ 2 | rule MAL_Mars_Stealer_Apr_2022_1 : infostealer mars 3 | { 4 | meta: 5 | description = "Detect Mars infostealer (possible cracked version)" 6 | author = "Arkbird_SOLG" 7 | reference = "https://cert.gov.ua/article/38606" 8 | date = "2022-04-03" 9 | hash1 = "afa0662aa8eac0e607a9ffc85aa0bdfc570198dcb82dccdb40d0a459e12769dc" 10 | hash2 = "f67ff70f862cdcb001763c69e88434d335b185a216e2944698f20807df28bdf2" 11 | tlp = "Clear" 12 | adversary = "MAAS" 13 | strings: /* $s1 x86 code; $s2 a constant byte table (no semantics asserted -- presumably key or lookup material); $s3 an inline strlen loop (xor eax,eax; lea eax,[eax+1]; lea ecx,[ecx+1]; cmp byte [ecx],0; jne) followed by PEB access; $s4 a data blob (decoded where it ends) */ 14 | $s1 = { 8d 83 d1 01 00 00 50 e8 c4 ff ff ff 83 c4 04 50 8d 83 d1 01 00 00 50 8d 83 d1 02 00 00 50 ff d6 83 c4 0c 89 87 00 a8 01 00 8d 83 51 02 00 00 50 e8 9b ff ff ff 83 c4 04 50 8d 83 51 02 00 00 50 8d 83 d1 02 00 00 50 ff d6 83 c4 0c } 16 | $s2 = { 94 a1 d8 09 36 67 94 c5 f3 24 51 82 af df 0e 3d 6a 9b ca fa 27 58 85 b6 e3 15 42 73 a0 d1 fe 2e df 10 3d 6e 9b cc fa 2b 58 87 b6 e5 13 44 71 a2 cf 00 2e 5f 8c bd ea 1a 47 7a a5 d6 03 35 62 93 c0 f1 1e 4e 7d ac db 0c 3a 69 96 c7 f4 25 53 82 b1 e2 0f 3e 6c 9d ca fb 28 59 87 b8 e5 16 43 73 a0 d1 fe 2f 5c 8e bb ec 19 4a 77 a7 d4 05 32 63 91 c0 ef 1e 4d 7e ac db 0a 39 68 97 c5 f6 23 54 } 16 | $s3 = { 51 31 c0 8b 4c 24 08 8d 40 01 8d 49 01 80 39 00 75 f5 
59 c3 60 64 a1 30 00 00 00 8b 40 0c } /* ... pop ecx; ret; then pushad; mov eax,fs:[30h]; mov eax,[eax+0Ch] -- reads PEB.Ldr, typically the start of a manual module/import walk */ 17 | $s4 = { 27 71 79 69 6d 36 34 25 3e 00 46 57 49 4a 44 50 38 4e 56 54 34 30 32 51 43 58 59 56 33 59 37 42 30 42 33 5a 4b 00 05 6d 15 1d 2d 3e 5c 21 21 27 68 63 4b 22 37 3d 34 65 01 05 54 2f 54 6c 56 22 2e 00 55 4e 4b 00 68 74 74 70 00 00 00 00 68 74 74 70 73 00 00 00 32 30 30 00 68 74 74 70 73 3a 2f 2f } /* data blob: "'qyim64%>", a 27-character alphanumeric token "FWIJDP8NVT402QCXYV3Y7B0B3ZK" (meaning not established here), non-printable bytes, then "UNK" "http" "https" "200" "https://" */ 18 | condition: /* MZ header, > 40KB, all four strings, plus a PE section literally named "LLCPPC" */ 19 | uint16(0) == 0x5A4D and filesize > 40KB and all of ($s*) and 20 | for any section in pe.sections : ( section.name == "LLCPPC") /* YARA 4.0 + */ 21 | /* legacy version */ 22 | /* for any i in (0..pe.number_of_sections-1) : ( pe.sections[i].name == "LLCPPC") */ 23 | } 24 | -------------------------------------------------------------------------------- /Malware/MAL_Nighthawk_Nov_2022_1.yara: -------------------------------------------------------------------------------- 1 | rule MAL_Nighthawk_Nov_2022_1 : nighthawk beacon 2 | { 3 | meta: 4 | description = "Detect the Nighthawk dropped beacon" 5 | author = "Arkbird_SOLG" 6 | reference = "https://www.proofpoint.com/us/blog/threat-insight/nighthawk-and-coming-pentest-tool-likely-gain-threat-actor-notice" 7 | date = "2022-11-22" 8 | hash1 = "0551ca07f05c2a8278229c1dc651a2b1273a39914857231b075733753cb2b988" 9 | hash2 = "9a57919cc5c194e28acd62719487c563a8f0ef1205b65adbe535386e34e418b8" 10 | hash3 = "f3bba2bfd4ed48b5426e36eba3b7613973226983a784d24d7a20fcf9df0de74e" 11 | tlp = "Clear" 12 | adversary = "-" 13 | strings: /* x64 fragments. The RIP-relative operands keep their high bytes (48 8d 15 [2] 0a 00, ff 15 [2] 09 00, ff 15 [2] 08 00), so the rule assumes the referenced data/import slots sit roughly 0x08xxxx-0x0Axxxx bytes away -- a layout assumption that a relinked build can break; wildcarding all four bytes is the usual relaxation. */ 14 | $s1 = { 44 8b ff 45 33 c0 48 8d 15 [2] 0a 00 48 8d 4d c0 e8 [2] ff ff 45 33 c0 48 8d 15 [2] 0a 00 48 8d 4d 20 e8 [2] ff ff 45 33 c0 48 8d 15 [2] 0a 00 48 8d 4d 00 e8 [2] ff ff 45 33 c0 48 8d 15 [2] 0a 00 48 8d 4d e0 e8 [2] ff ff 33 d2 e9 ee 04 00 00 48 8d 44 24 68 48 89 44 24 20 41 b9 01 00 00 00 45 33 c0 48 8d 95 a0 00 00 00 ff 15 [2] 09 00 85 c0 0f 85 74 04 00 00 48 89 7c 24 28 48 89 7c 24 20 45 33 c9 45 33 c0 48 8d 15 [2] 0a 00 48 8b 4c 24 68 ff 15 [2] 09 00 85 } 15 | $s2 = { 4d 85 c0 0f 84 83 00 00 00 49 21 18 33 d2 44 8d 43 01 33 c9 ff 15 [2] 08 00 
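48 8b f0 48 85 c0 74 6a 44 8d 43 04 48 8b d5 48 8b c8 ff 15 [2] 08 00 48 8b e8 48 85 c0 74 49 48 8d 44 24 70 33 d2 44 8d 4b 24 48 89 44 24 20 4c 8d 44 24 30 48 8b cd ff 15 [2] 08 00 8b } 16 | $s3 = { 48 85 c0 0f 84 [2] 00 00 4d 8b cc 49 83 7c 24 18 08 72 04 4d 8b 0c 24 4d 8b c5 49 83 7d 18 08 72 04 4d 8b 45 00 49 8b ?? 49 83 ?? 18 08 72 03 49 8b } /* three times: compare the qword at +0x18 with 8 and, if not below, load the pointer at +0 instead of using the inline buffer -- the MSVC std::wstring small-string layout, presumably; compiler-generated, so it is the least specific of the four */ 17 | $s4 = { 44 8b 44 24 44 4c 89 [2-3] 89 95 00 02 00 00 2b c7 8b d7 49 03 d0 48 03 d1 4c 8d 8d 00 02 00 00 44 8b c0 49 8b cf ff 15 [2] 04 00 33 d2 85 c0 0f 84 [2] ff ff 03 bd 00 02 00 00 8b 44 24 40 3b f8 48 8b 4d ?? 4c 8b } 18 | condition: /* MZ header, > 60KB, all four fragments */ 19 | uint16(0) == 0x5A4D and filesize > 60KB and all of ($s*) 20 | } 21 | -------------------------------------------------------------------------------- /Malware/MAL_Reptile_Aug_2023_1.yara: -------------------------------------------------------------------------------- 1 | rule MAL_Reptile_Aug_2023_1 : opensource reptile X64 2 | { 3 | meta: 4 | description = "Detect the opensource rootkit Reptile (used by APT41 group)" 5 | author = "Arkbird_SOLG" 6 | reference = "https://asec.ahnlab.com/en/55785/" 7 | date = "2023-08-05" 8 | hash1 = "15e4e936b2f47eb3fa2455b7c22b2714bebe9f8c01b24bbf7cb5f9559999d292" 9 | hash2 = "7ce7b914bd434f8a45db1cb3ec783237a5485b7abcee4df06275ea274e095295" 10 | /* NOTE(review): this key was "hash2" a second time in the original; renamed to hash3 so tooling that maps meta into a dict (e.g. yara-python's rule.meta) keeps all three sample hashes instead of silently dropping one */ hash3 = "d182239d408da23306ea6b0f5f129ef401565a4d7ab4fe33506f8ac0a08d37ba" 11 | tlp = "Clear" 12 | adversary = "APT41" 13 | strings: /* $s1 ends in a div-by-13 / xor / rol loop (41 b8 0d 00 00 00 ... 41 f7 f0, 81 f7 imm32, d3 c7, 31 be disp32) that rewrites a buffer 4 bytes at a time -- it looks like an in-place string decoder; the xor key and buffer address are wildcarded. $s2 is an identifier from the public Reptile source: cheap, but trivially removed by a fork. */ 14 | $s1 = { 48 85 d2 75 26 4c 8b 0f 31 c0 48 63 d0 46 8a 04 0a 44 3a 04 16 75 14 ff c0 45 84 c0 75 ec 31 c0 48 85 c9 48 89 4f 08 0f 95 c0 c3 31 c0 c3 31 f6 41 b9 [3] 00 41 b8 0d 00 00 00 44 89 c8 31 d2 29 f0 89 c7 41 f7 f0 81 f7 [4] 88 d1 d3 c7 31 be [4] 48 83 c6 04 48 81 fe } 15 | $s2 = "parasite_blob" ascii 16 | $s3 = { 48 83 ec 28 48 8d 75 e0 48 c7 c7 ?? 00 00 ?? 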
48 8d 44 24 0f 48 c7 45 e8 00 00 00 00 48 83 e0 f0 c7 00 5f 5f 64 6f c7 40 04 5f 73 79 73 c7 40 08 5f 69 6e 69 c7 40 0c 74 5f 6d 6f c7 40 10 64 75 6c 65 c7 40 14 00 00 00 00 48 89 45 e0 e8 [3] 00 48 8b 45 e8 48 85 c0 74 } 17 | condition: 18 | uint32(0) == 0x464C457F and filesize > 40KB and all of ($s*) 19 | } 20 | -------------------------------------------------------------------------------- /Malware/MAL_Reptile_Aug_2023_2.yara: -------------------------------------------------------------------------------- 1 | rule MAL_Reptile_Aug_2023_2 : opensource reptile X64 2 | { 3 | meta: 4 | description = "Detect the opensource rootkit Reptile (used by APT41 group)" 5 | author = "Arkbird_SOLG" 6 | reference = "https://asec.ahnlab.com/en/55785/" 7 | date = "2023-08-05" 8 | hash1 = "99ffc0099277bef59a37a4cfcf4cdd71df13ad33d1c7bf943dc87f803e75dd2c" 9 | hash2 = "cbe9107185c8e42140dbd1294d8c20849134dd122cc64348f1bfcc90401379ec" 10 | tlp = "Clear" 11 | adversary = "APT41" 12 | strings: 13 | $s1 = { 55 48 c7 c6 [4] 41 b8 0d 00 00 00 48 89 e5 41 54 53 bb [2] 06 00 48 83 ec 10 89 d8 31 d2 89 df 41 f7 f0 81 f7 [4] 83 eb 04 88 d1 d3 c7 31 3e 48 83 c6 04 83 fb 03 75 df 48 83 ec 20 48 8d 5d e0 48 c7 c7 [4] 48 8d 44 24 0f 48 89 de 48 83 e0 f0 c7 00 73 79 73 5f c7 40 04 69 6e 69 74 c7 40 08 } 14 | $s2 = "parasite_blob" ascii 15 | $s3 = { 65 48 8b 04 25 [4] 48 c7 c2 [2] 00 ?? 4c 8b a0 48 ?? ff ff eb 03 48 ff c2 80 3a 00 75 f8 48 c7 c0 [4] be [2] 06 00 48 c7 c7 [2] 00 ?? 48 25 00 f0 ff ff 65 48 8b 1c 25 [4] 48 89 83 48 ?? ff ff ff d1 48 83 f8 01 4c 89 a3 48 ?? 
ff ff 19 } 16 | condition: 17 | uint32(0) == 0x464C457F and filesize > 40KB and all of ($s*) 18 | } 19 | -------------------------------------------------------------------------------- /Malware/MAL_Roopy_Apr_2023_1.yara: -------------------------------------------------------------------------------- 1 | rule MAL_Roopy_Apr_2023_1 : apt roopy stealer 2 | { 3 | meta: 4 | description = "Detect Roopy stealer" 5 | author = "Arkbird_SOLG" 6 | date = "2023-04-24" 7 | reference = "https://securelist.com/tomiris-called-they-want-their-turla-malware-back/109552/" 8 | hash1 = "0dfbc54a5a88f27e52807873c20872bc6bf92b822de90545492081c4e4f96778" 9 | hash2 = "9c086f242120be7a9e57e06b75d8ef6f051a77c6339deaeb574e80ee69590111" 10 | hash3 = "a4ea3462bd5aedccc783d18d24589018c257b2a6e092164c01de067a8e3cd649" 11 | tlp = "Clear" 12 | adversary = "-" 13 | strings: 14 | $s1 = { 31 c0 68 [2] 40 00 55 68 [2] 41 00 64 ff 30 64 89 20 80 7d f4 00 74 4f 8d 85 ?? ef ff ff e8 [2] 00 00 6a 00 b8 [2] 43 00 89 85 ?? ef ff ff 8b 45 f8 89 85 ?? ef ff ff b8 [2] 43 00 89 85 ?? ef ff ff 8d 95 ?? ef ff ff b9 02 00 00 00 8d 85 ?? ef ff ff e8 [2] 00 00 8b 85 ?? ef ff ff 30 d2 e8 [2] ff ff c6 45 d4 00 8d 85 c4 ef ff ff ba [2] 43 00 e8 [2] 00 00 31 c0 68 [2] 40 00 55 68 [2] 41 00 64 ff 30 64 89 20 8d 55 e0 8b 45 fc e8 ?? fd ff } 15 | $s2 = { c7 45 f4 00 00 00 00 8d 45 f0 50 8d 45 f4 50 53 8b 45 dc ff 70 10 6a 00 b8 [2] 44 00 50 6a 00 8b 45 fc 85 c0 75 05 b8 [2] 44 00 50 89 f0 e8 47 ff ff ff 88 c2 8b 45 dc e8 2d 04 00 00 50 e8 [2] fe ff 8b 55 dc 89 42 04 8b 45 dc 83 78 04 00 0f 94 c3 eb 40 8d 45 } 16 | $s3 = { 50 ff 75 e8 e8 [2] ff ff 89 45 ec 6a 00 ff b5 c0 ef ff ff 6a 00 6a 00 b8 [2] 43 00 50 8d 95 ?? ef ff ff b8 [2] 43 00 e8 [2] ff ff 8b 85 ?? ef ff ff 85 c0 75 05 b8 [2] 44 00 50 8d 95 ?? ef ff ff b8 [2] 43 00 e8 [2] ff ff 8b 85 ?? ef ff ff 85 c0 75 05 b8 [2] 44 00 50 ff 75 ec e8 [2] ff ff 89 45 e4 68 00 00 00 20 8d 95 ?? 
ef ff ff b8 [2] 43 00 e8 [2] ff ff 8b 85 } 17 | condition: 18 | uint16(0) == 0x5A4D and filesize > 90KB and all of ($s*) 19 | } 20 | -------------------------------------------------------------------------------- /Malware/MAL_SiMayRAT_Mar_2022_1.yara: -------------------------------------------------------------------------------- 1 | rule MAL_SiMayRAT_Mar_2022_1 : rat simayrat 2 | { 3 | meta: 4 | description = "Detect a variant of SiMayRAT" 5 | author = "Arkbird_SOLG" 6 | reference = "https://twitter.com/struppigel/status/1513811422148538369" 7 | date = "2022-04-24" 8 | hash1 = "41e571339b44a1f4178a9506595ca15b0b38494bf77487f4243c815fd27b7516" 9 | hash2 = "09a1d00d4d99f1c30377a5e83f40f78404b9b3f466aef19d6997dbb3ad895b63" 10 | hash3 = "209e00af0197f32a6b8762be5d862e18ba116bd69795bca18a102fef6ff53d04" 11 | tlp = "Clear" 12 | adversary = "-" 13 | strings: 14 | $s1 = { c6 45 fc 04 e8 [3] ff 83 c4 ?? 89 85 [2] ff ff c6 45 fc 06 6a 00 8d [3-5] ff ff } 15 | $s2 = { 83 c4 08 c6 45 fc 01 8d [7-10] 00 8d [3] e8 [3] ff 83 c4 0c c6 45 fc 02 [0-2] 6a 00 68 [3] 00 ff 15 } 16 | $s3 = { c7 85 [2] ff ff [3] 00 8b 85 [2] ff ff 50 8d 8d [2] ff ff e8 [3] ff 50 e8 [3] ff 83 c4 08 } 17 | $s4 = { 83 c4 08 c6 45 fc ?? 68 [3] 00 8d 85 [2] ff ff 50 8d 8d [2] ff ff 51 e8 [3] ff 83 c4 0c 89 85 [2] ff ff 8b 95 [2] ff ff 89 95 [2] ff ff c6 45 fc ?? 
8b 85 [2] ff ff 50 8d 8d e8 } 18 | condition: 19 | uint16(0) == 0x5A4D and filesize > 30KB and all of ($s*) 20 | } 21 | -------------------------------------------------------------------------------- /Malware/MAL_SiMayRAT_Mar_2022_2.yara: -------------------------------------------------------------------------------- 1 | rule MAL_SiMayRAT_Mar_2022_2 : rat simayrat 2 | { 3 | meta: 4 | description = "Detect a variant of SiMayRAT" 5 | author = "Arkbird_SOLG" 6 | reference = "https://twitter.com/struppigel/status/1513811422148538369" 7 | date = "2022-04-26" 8 | hash1 = "f1375500194e3ec6d0e045fa9973bb7c01f2e7d8a9ece5764819744bc786cfc1" 9 | hash2 = "12e20cf17a81cb58d115a7cc76f8416ace6bd261381e12a7128f945084102588" 10 | hash3 = "8ff9a7248f52119053c9535df111eba4f0289cdb0f78b1cb6a0471ccee5c046c" 11 | tlp = "Clear" 12 | adversary = "-" 13 | strings: 14 | $s1 = { 83 bd [2] ff ff 10 8d 85 [2] ff ff 8b b5 [2] ff ff 8d 4d ?? 0f 43 85 [2] ff ff [3] 45 } 15 | $s2 = { 83 7d 20 08 8d 4d 0c 8d 45 ?? 0f 43 4d 0c 83 7d ?? 08 51 0f 43 45 ?? 68 90 ?? 45 00 50 ff 15 d0 ?? 45 00 83 c4 0c 8d 45 ?? 83 7d ?? 08 0f 43 45 ?? 50 ff 15 8c ?? 45 00 8b } 16 | $s3 = { 8b 7d 0c 33 f6 56 ff 77 08 ff 77 0c ff 75 08 ff 15 84 ?? 45 00 85 c0 75 16 ff 15 18 ?? 45 00 50 e8 04 18 00 00 59 e8 34 18 00 00 8b 30 eb 2d 3b 47 0c 76 25 40 8b cf 50 e8 c2 c6 ff ff 85 c0 74 04 8b f0 eb 17 56 ff 77 08 ff 77 0c ff 75 08 ff 15 84 ?? 45 00 85 c0 74 c0 } 17 | $s4 = { 85 c0 75 05 33 c0 40 eb 30 83 c0 40 6a 3a 66 89 45 f4 58 66 89 45 f6 6a 5c 58 66 89 45 f8 33 c0 66 89 45 fa 8d 45 f4 50 ff 15 80 ?? 
45 00 85 c0 74 05 83 f8 01 75 cd 33 c0 8b 4d fc 33 cd e8 } 18 | $s5 = { 43 3a 5c 55 73 65 72 73 5c 50 75 62 6c 69 63 5c 44 6f 63 75 6d 65 6e 74 73 5c 65 66 65 6e 64 65 72 00 00 00 6c 61 6c 61 6c 61 31 32 33 40 00 00 74 65 6c 6e 65 74 2f } 19 | condition: 20 | uint16(0) == 0x5A4D and filesize > 30KB and all of ($s*) 21 | } 22 | -------------------------------------------------------------------------------- /Malware/MAL_SysJoker_Jan_2022_1.yara: -------------------------------------------------------------------------------- 1 | rule MAL_SysJoker_Jan_2022_1 2 | { 3 | meta: 4 | description = "Detect dropper of SysJoker backdoor" 5 | author = "Arkbird_SOLG" 6 | date = "2022-01-11" 7 | reference = "https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/" 8 | hash1 = "61df74731fbe1eafb2eb987f20e5226962eeceef010164e41ea6c4494a4010fc" 9 | hash2 = "-" 10 | tlp = "Clear" 11 | adversary = "-" 12 | level = "Experimental" 13 | strings: 14 | $s1 = { 6a 00 ff 75 ec ff 15 00 f0 01 10 68 a8 a9 02 10 8d 8d ac fe ff ff c7 45 e8 00 00 00 00 e8 4c 1a 00 00 68 00 aa 02 10 8d 8d b0 fe ff ff c6 45 fc 0d e8 38 1a 00 00 68 10 aa 02 10 8d 8d b4 fe ff ff c6 45 fc 0e e8 24 1a 00 00 8d 45 cc c6 45 fc 0f 50 8d 95 b4 fe ff ff 8d 8d 84 fe ff ff e8 cb 18 00 00 8d 8d b0 fe ff ff c6 45 fc 10 51 8b d0 8d 8d } 15 | $s2 = { 68 40 a9 02 10 8d 4d cc c7 45 cc 00 00 00 00 e8 54 1c 00 00 c7 45 fc 00 00 00 00 8d 4d ec 68 64 a9 02 10 c7 45 ec 00 00 00 00 e8 39 1c 00 00 c6 45 fc 01 8d 8d bc fe ff ff 68 84 a9 02 10 c7 45 e4 00 00 00 00 e8 1e 1c 00 00 8d 85 bc fe ff ff c6 45 fc 02 50 8d 55 ec 8d 4d e4 e8 c8 1a 00 00 83 c4 04 c6 45 fc 04 83 ce ff 8b 95 bc fe ff ff 8b c6 83 c2 f0 f0 0f c1 42 0c 48 85 c0 7f 08 8b 0a 52 8b 01 ff 50 04 68 9c a9 02 10 8d 4d d0 c7 45 d0 00 00 00 00 e8 cd 1b 00 00 c6 45 fc 05 8d 8d b8 fe ff ff } 16 | $s3 = { 50 6a 00 6a 00 68 00 00 00 08 6a 00 6a 00 6a 00 ff 75 d4 6a 00 ff 15 54 f0 01 10 85 c0 74 1a 6a ff ff b5 78 ff ff ff ff d3 ff b5 78 ff ff ff ff d7 ff b5 7c ff ff ff ff 
d7 68 84 aa 02 10 8d 8d 98 fe ff ff c7 45 d8 00 00 00 00 e8 bb 16 00 00 68 90 aa 02 10 8d 8d 9c fe ff ff c6 45 fc 27 e8 a7 16 00 00 8d 45 e4 c6 45 fc 28 50 8d 95 9c fe ff ff 8d 8d 74 fe ff ff e8 4e 15 00 00 8d 8d 98 fe ff ff c6 45 fc 29 51 8b d0 8d 4d d8 e8 39 15 00 00 83 c4 08 c6 45 fc } 17 | $s4 = { 6a 00 6a 00 68 00 00 00 08 6a 00 6a 00 6a 00 ff 75 e8 6a 00 ff 15 54 f0 01 10 8b 1d 10 f0 01 10 8b 3d 2c f0 01 10 85 c0 74 1a 6a ff ff b5 78 ff ff ff ff d3 ff b5 78 ff ff ff ff d7 ff b5 7c ff ff ff ff d7 68 94 11 00 00 ff 15 1c f0 01 10 68 38 aa 02 10 8d 8d a0 fe ff ff c7 45 d4 00 00 00 00 e8 78 18 00 00 68 3c aa 02 10 8d 8d a4 fe ff ff c6 45 fc 1a e8 64 18 00 00 68 54 aa 02 10 8d 8d a8 fe ff ff c6 45 fc 1b e8 50 18 00 00 8d 45 e4 c6 45 fc 1c 50 8d 95 a8 fe ff } 18 | condition: 19 | uint16(0) == 0x5A4D and filesize > 30KB and all of ($s*) 20 | } 21 | -------------------------------------------------------------------------------- /Malware/MAL_SysJoker_Jan_2022_2.yara: -------------------------------------------------------------------------------- 1 | rule MAL_SysJoker_Jan_2022_2 2 | { 3 | meta: 4 | description = "Detect implant of SysJoker backdoor" 5 | author = "Arkbird_SOLG" 6 | date = "2022-01-11" 7 | reference = "https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/" 8 | hash1 = "1ffd6559d21470c40dcf9236da51e5823d7ad58c93502279871c3fe7718c901c" 9 | hash2 = "-" 10 | tlp = "Clear" 11 | adversary = "-" 12 | level = "Experimental" 13 | strings: 14 | $s1 = { 26 69 70 3d 00 00 00 00 26 61 6e 74 69 3d 00 00 26 6f 73 3d 00 00 00 00 26 75 73 65 72 5f 74 6f 6b 65 6e 3d [6-14] 00 00 00 26 6e 61 6d 65 3d 00 00 73 65 72 69 61 6c 3d 00 2f 61 70 69 2f 61 74 74 61 63 68 00 74 6f 6b 65 6e } 15 | $s2 = { 8b 01 8b 40 0c ff d0 83 c0 10 89 45 ac 68 78 70 45 00 8d 4d ac c6 45 fc 0d e8 0d ae 00 00 84 c0 75 0d 68 78 70 45 00 8d 4d ac e8 0c 95 00 00 68 1c 01 46 00 8d 55 88 c6 45 fc 0e 8d 8d 74 ff ff ff e8 15 8d 00 00 83 c4 04 8d 4d ac c6 45 fc 0f 51 8b d0 8d 8d 78 ff ff } 
16 | $s3 = { 8b 01 8b 40 0c ff d0 83 c0 10 89 45 b4 68 48 6f 45 00 8d 4d b4 c6 45 fc 0c e8 94 b9 00 00 84 c0 75 0d 68 48 6f 45 00 8d 4d b4 e8 93 a0 00 00 68 1c 01 46 00 8d 55 90 c6 45 fc 0d 8d 4d b0 e8 9f 98 00 00 83 c4 04 8d 4d b4 c6 45 fc 0e 51 8b d0 8d 4d 80 e8 8a 98 00 00 83 c4 04 68 1c 01 46 00 8b d0 c6 45 fc 0f 8d 4d 84 e8 74 98 00 00 83 c4 04 8d 4d b8 c6 45 fc 10 } 17 | $s4 = { 6a 4d 33 c0 c7 45 e4 00 00 00 00 68 a8 6c 45 00 8d 4d d4 c7 45 e8 07 00 00 00 66 89 45 d4 e8 72 03 01 00 c6 45 fc 06 8d 45 d4 83 7d e8 08 8d 8d 60 ff ff ff ff 75 e4 0f 43 45 d4 50 e8 54 03 01 00 c6 45 fc 05 8b 55 e8 83 fa 08 72 32 8b 4d d4 8d 14 55 02 00 00 00 8b c1 81 fa 00 10 00 00 72 14 8b } 18 | condition: 19 | uint16(0) == 0x5A4D and filesize > 30KB and all of ($s*) 20 | } 21 | -------------------------------------------------------------------------------- /Malware/MAL_Telemiris_Apr_2023_1.yara: -------------------------------------------------------------------------------- 1 | rule MAL_Telemiris_Apr_2023_1 : apt telemiris backdoor 2 | { 3 | meta: 4 | description = "Detect Telemiris backdoor" 5 | author = "Arkbird_SOLG" 6 | date = "2023-04-24" 7 | reference = "https://securelist.com/tomiris-called-they-want-their-turla-malware-back/109552/" 8 | hash1 = "fd7fe71185a70f281545a815fce9837453450bb29031954dd2301fe4da99250d" 9 | hash2 = "df75defc7bde078faefcb2c1c32f16c141337a1583bd0bc14f6d93c135d34289" 10 | hash3 = "4b9811f1f8176ec9f2ee647a4c2f171854f296fbc18e47cc08eb82357a6eeec7" 11 | tlp = "Clear" 12 | adversary = "-" 13 | strings: 14 | $s1 = { 48 83 ec 20 83 b9 78 50 00 00 01 48 8b d9 74 40 48 8d 15 cf 65 02 00 e8 d2 af ff ff 48 8d 8b 78 30 00 00 48 8b d0 e8 33 00 00 00 85 c0 75 17 48 8d 0d c8 } 15 | $s2 = { 50 59 5a 00 6f 0d 0d 0a 00 1a ca ?? 
00 00 00 00 00 78 9c 8d 91 bd 4b c5 30 10 c0 fb fd fa f5 7c 82 b8 77 d4 c1 b7 0b 22 ba 39 88 0e 6f 0b c2 51 9b f0 5e 20 d7 86 b4 55 ea 9f e3 d6 7f a9 ab 93 b3 9b 93 39 5a 17 27 03 f9 91 bb 1c bf cb 91 0f e7 cf f2 ec be b1 fb eb ce 82 3b } 16 | $s3 = { 40 00 21 df ?? 00 08 ab 40 00 18 9c 00 01 62 63 72 79 70 74 6f 67 72 61 70 68 79 5c 68 61 7a 6d 61 74 5c 62 69 6e 64 69 6e 67 73 5c 5f 72 75 73 74 2e 70 79 64 } 17 | condition: 18 | uint16(0) == 0x5A4D and filesize > 900KB and all of ($s*) 19 | } 20 | -------------------------------------------------------------------------------- /Malware/MAL_Tomiris_Apr_2023_1.yara: -------------------------------------------------------------------------------- 1 | rule MAL_Tomiris_Apr_2023_1 : apt tomiris downloader dotnet 2 | { 3 | meta: 4 | description = "Detect .NET version of downloader Tomiris" 5 | author = "Arkbird_SOLG" 6 | date = "2023-04-24" 7 | reference = "https://securelist.com/tomiris-called-they-want-their-turla-malware-back/109552/" 8 | hash1 = "358411a3b4a327805d629612b1b64357efe5389e56ddae9128ababbc8a2357a1" 9 | hash2 = "65da1696d36da254779a028b881a1890b0b037e7eee8ea0a9446c8bb0729c1cf" 10 | tlp = "Clear" 11 | adversary = "-" 12 | strings: 13 | $s1 = { 06 16 28 02 00 00 06 26 28 0f 00 00 0a 0a 72 01 00 00 70 0b 72 3f 00 00 70 0c 72 7d 00 00 70 0d 72 bb 00 00 70 13 04 1a 13 05 72 f3 00 00 70 13 06 72 09 01 00 70 13 07 72 1f 01 00 70 13 08 72 35 01 00 70 13 09 1f 13 8d 13 00 00 01 25 16 72 4d 01 00 70 a2 25 17 28 10 00 00 0a a2 25 18 72 79 01 00 70 a2 25 19 28 10 00 00 0a a2 25 1a 72 9f 01 00 70 a2 25 1b 28 10 00 00 0a a2 25 1c 72 d1 01 00 70 } 14 | $s2 = { 72 b4 04 00 70 28 1b 00 00 0a 26 73 17 00 00 0a 13 0f 11 05 28 16 00 00 0a 72 e6 04 00 70 11 09 28 14 00 00 0a 11 0a 28 15 00 00 0a 11 0f 09 72 e6 04 00 70 11 06 28 14 00 00 0a 6f 18 00 00 0a 11 0f 08 72 e6 04 00 70 11 08 28 14 00 00 0a 6f 18 00 00 0a 11 0f 07 72 e6 04 00 70 11 07 28 14 00 00 0a 6f 18 00 00 0a 11 0f 11 04 72 1a 05 00 70 6f 18 00 00 0a 11 05 28 16 
00 00 0a 72 5c 05 00 70 1d 8d 13 00 00 01 25 16 72 6c 05 00 70 a2 25 17 11 06 a2 25 18 72 a8 05 00 70 a2 25 19 11 07 a2 25 1a 72 f6 05 00 70 a2 25 1b 11 09 a2 25 1c 72 3c 06 00 70 a2 28 11 00 00 0a 28 1a 00 00 } 15 | condition: 16 | uint16(0) == 0x5A4D and filesize > 5KB and all of ($s*) 17 | } 18 | -------------------------------------------------------------------------------- /Malware/MAL_TunnusSched_Apr_2023_1.yara: -------------------------------------------------------------------------------- 1 | rule MAL_TunnusSched_Apr_2023_1 : apt tunnussched backdoor 2 | { 3 | meta: 4 | description = "Detect TunnusSched/QUIETCANARY backdoor" 5 | author = "Arkbird_SOLG" 6 | date = "2023-04-24" 7 | reference = "https://securelist.com/tomiris-called-they-want-their-turla-malware-back/109552/" 8 | hash1 = "0fc624aa9656a8bc21731bfc47fd7780da38a7e8ad7baf1529ccd70a5bb07852" 9 | hash2 = "3f94b20cb7f4ff55207660649ebbb02679c991fe03efbcb0bd3840fc7f0bd527" 10 | hash3 = "29314f3cd73b81eda7bd90c66f659235e6bb900e499c9cc7057d10a9083a0b94" 11 | tlp = "Clear" 12 | adversary = "-" 13 | strings: 14 | $s1 = { 70 14 0a 72 ?? 00 00 70 0b 72 ?? 00 00 70 0c 73 ?? 00 00 06 28 ?? 00 00 0a 08 07 06 73 ?? 00 00 06 0d 16 13 08 2b 23 09 6f ?? 00 00 06 2d 20 11 08 17 33 06 16 28 ?? 00 00 0a 20 e0 93 04 00 28 ?? 00 00 0a 11 08 17 58 13 08 11 08 18 31 d8 73 ?? 00 00 06 13 04 11 04 6f ?? 00 00 06 73 ?? 00 00 06 13 05 11 04 11 05 73 ?? 00 00 06 13 06 09 11 06 11 04 73 ?? 00 00 06 13 07 11 07 6f ?? 00 00 06 28 ?? 00 00 0a 11 05 } 15 | $s2 = { 06 0a 7e ?? 00 00 0a 0b 03 6f ?? 00 00 0a 0c 2b 62 12 02 28 ?? 00 00 0a 0d 1d 8d ?? 00 00 01 25 16 07 a2 25 17 72 ?? 01 00 70 a2 25 18 09 6f ?? 00 00 06 13 04 12 04 28 ?? 00 00 0a a2 25 19 72 ?? 01 00 70 a2 25 1a 09 6f ?? 00 00 06 6f ?? 00 00 0a 13 04 12 04 28 ?? 00 00 0a a2 25 1b 72 ?? 01 00 70 a2 25 1c 09 6f ?? 00 00 06 a2 28 ?? 00 00 0a 0b 12 02 28 ?? 00 00 0a 2d 95 de 0e 12 02 fe 16 05 00 00 1b 6f ?? 00 00 0a dc 07 7e ?? 00 00 0a 28 ?? 
00 00 0a 2c 06 } 16 | $s3 = { 03 28 ?? 00 00 0a 2d 07 72 [2] 00 70 2b 15 72 [2] 00 70 03 28 ?? 00 00 0a 28 ?? 00 00 0a 28 ?? 00 00 0a 0a de [2] 72 [2] 00 70 } 17 | condition: 18 | uint16(0) == 0x5A4D and filesize > 8KB and all of ($s*) 19 | } 20 | -------------------------------------------------------------------------------- /Malware/MAL_Winscreeny_Feb_2022_1.yara: -------------------------------------------------------------------------------- 1 | rule MAL_Winscreeny_Feb_2022_1 : Winscreeny Backdoor 2 | { 3 | meta: 4 | description = "Detect the Winscreeny inplant against Iranian infrastructures" 5 | author = "Arkbird_SOLG" 6 | reference = "https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/" 7 | date = "2022-02-17" 8 | hash1 = "41e0c19cd6a66b4c48cc693fd4be96733bc8ccbe91f7d92031d08ed7ff69759a" 9 | hash2 = "e9e4a8650094e4de6e5d748f7bc6f605c23090d076338f437a9a70ced4a9382d" 10 | tlp = "Clear" 11 | adversary = "-" 12 | strings: 13 | $s1 = { 02 8e 69 ?? 12 ?? 28 ?? 00 00 0a 28 13 00 00 06 [0-1] 02 8e [2-8] 00 00 00 02 16 9a 28 13 00 00 06 [0-1] 02 16 9a 72 ?? 01 00 70 28 ?? 00 00 0a } 14 | $s2 = { 03 6f ?? 00 00 0a 0a 06 15 15 15 28 ?? 00 00 06 0b 72 ?? ?? 00 70 0c 07 72 ?? 05 00 70 6f ?? 00 00 0a 72 ?? 05 00 70 28 ?? 00 00 0a } 15 | $s3 = { 03 16 32 09 02 03 73 ?? 00 00 06 2b 01 02 0a 73 ?? 00 00 0a 0b 06 12 02 12 03 28 ?? 00 00 06 } 16 | $s4 = { 02 03 28 ?? 00 00 06 0a 02 06 12 01 28 ?? 00 00 06 0c 02 03 08 07 28 ?? 00 00 06 } 17 | $s5 = { 00 70 0a 72 ?? ?? 00 70 0b [0-1] 72 ?? 01 00 70 73 ?? 00 00 0a [1-2] 16 6f ?? 00 00 0a [1-2] 17 6f ?? 
00 00 0a } 18 | condition: 19 | uint16(0) == 0x5A4D and filesize > 10KB and all of ($s*) 20 | } 21 | -------------------------------------------------------------------------------- /Malware/MAL_WoodyRAT_Aug_2022_1.yara: -------------------------------------------------------------------------------- 1 | rule MAL_WoodyRAT_Aug_2022_1 : woodyrat x64 2 | { 3 | meta: 4 | description = "Detect WoodyRAT implant" 5 | author = "Arkbird_SOLG" 6 | date = "2022-08-04" 7 | reference = "https://blog.malwarebytes.com/threat-intelligence/2022/08/woody-rat-a-new-feature-rich-malware-spotted-in-the-wild/" 8 | hash1 = "408f3l14b0a76a0d41c99db0cb957d10ea8367700c757b0160ea925d6d7b5dd8e" 9 | hash2 = "6637871c18e9da070629a2dbbf39e5277e539e043b2b912cc3fed0209c48215d0b" 10 | hash3 = "43b1518071268f757027cf27dd94675fdd8e771cdcd77df6d2530cb8e218acc2ce" // NOTE(review): hash1 is 65 characters and contains a non-hex 'l'; hash2 and hash3 are 66 characters — none of the three is a well-formed SHA-256, so re-check them against the reference before using them as IoCs 11 | tlp = "Clear" 12 | adversary = "Woody" // internal name reference [WoodyRAT - WoodyPowerSession - WoodySharpExecutor] 13 | strings: 14 | $s1 = { 00 0f b7 08 66 89 0c 02 48 8d 40 02 66 85 c9 75 f0 c7 45 d8 18 00 00 00 ?? 89 ?? e0 c7 45 e8 01 00 00 00 45 33 c9 4c 8d 45 d8 48 8d 55 d0 48 8d 4d c8 ff 15 [2] 05 00 85 c0 0f 84 38 03 00 00 45 33 c9 4c 8d 45 d8 48 8d 55 c0 48 8d 4d b8 ff 15 [2] 05 00 85 c0 0f 84 07 03 00 00 c7 45 f0 68 00 00 00 c7 45 2c 01 01 00 00 48 8b 45 c0 48 89 45 50 48 89 45 48 48 8b 45 c8 48 89 45 40 66 [8] 00 00 [5] 48 } 15 | $s2 = { 48 8d ac 24 70 ff ff ff 48 81 ec 90 01 00 00 48 8b 05 [2] 06 00 48 33 c4 48 89 85 80 00 00 00 48 8b f9 48 89 4d b8 45 33 e4 44 89 64 24 40 4c 89 21 4c 89 61 08 4c 89 61 10 41 be 01 00 00 00 44 89 74 24 40 4c 89 65 60 4c 89 65 70 48 c7 45 78 07 00 00 00 66 44 89 65 60 ?? 8d } 16 | $s3 = { 0f 57 c0 0f 11 01 48 89 31 48 89 71 08 48 89 71 10 c7 44 24 40 01 00 00 00 33 c0 0f 11 45 68 48 89 45 78 48 89 74 24 70 } 17 | $s4 = { 8b d0 b9 40 00 00 00 ff 15 [2] 04 00 4c 8b f0 48 8d 45 ?? 48 89 44 24 20 44 8b 4d ??
4d 8b c6 ba 02 00 00 00 48 c7 c1 fc ff ff ff ff 15 [2] 04 00 } 18 | $s5 = "S-1-5-32-544" wide // built-in Administrators group 19 | condition: 20 | uint16(0) == 0x5A4D and filesize > 90KB and all of ($s*) 21 | } 22 | -------------------------------------------------------------------------------- /Malware/MAL_Zanubis_Sept_2022_1.yara: -------------------------------------------------------------------------------- 1 | rule MAL_Zanubis_Sept_2022_1 : zanubis android banker 2 | { 3 | meta: 4 | description = "Detect configuration on the dex class of new variants of Zanubis banker malware" 5 | author = "Arkbird_SOLG" 6 | reference = "https://blog.cyble.com/2022/09/02/zanubis-new-android-banking-trojan/" 7 | date = "2022-09-07" 8 | hash1 = "675311bc99ec432a7c4bfe39fa27903f082dac3f565244ff42157f8ce2019429" 9 | hash2 = "f57db447aeb108c2072f81db7905fae009bf2122001ee2ff617d8987c283f95f" 10 | hash3 = "f502ad28bd2d2cb9003c5bd2440f8401d723a30fc5b10a2d67130b63f4258e33" 11 | // dex class from 4560c27d6656bcf5f5f4d101daab3ccdd5f0edd4f5b279b66464019a7cbe9aba 12 | hash4 = "3ece5fcf7a379698f76fa5cbb4b037debe3132381b3d48c48edbb6f0cf35a522" 13 | tlp = "Clear" 14 | adversary = "Unknown" 15 | strings: 16 | $x1 = { 64 65 78 0a 30 33 35 } 17 | $s1 = { 70 00 00 00 78 56 34 12 00 00 00 00 00 00 00 00 [2] 00 00 ??
00 00 00 70 } 18 | $s2 = { 4b 45 59 5f 53 54 52 } 19 | $s3 = { 53 4f 43 4b 45 54 5f 53 45 52 56 45 52 } 20 | $s4 = { 55 52 4c 5f 49 4e 49 43 49 41 4c } 21 | $s5 = { 73 74 72 5f 64 65 63 72 79 70 74 } 22 | $s6 = { 70 72 65 66 5f 63 6f 6e 66 69 67 5f 75 72 6c 73 } 23 | $s7 = { 73 74 72 5f 65 6e 63 72 69 70 74 } 24 | condition: 25 | filesize > 5KB and $x1 at 0 and all of ($s*) 26 | } 27 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Orion 2 | A YARA rules repository, continuously updated to track old and new threats drawn from articles, incident responses, ... 3 | -------------------------------------------------------------------------------- /Ransomware/RAN_ALPHV_Apr_2022_1.yara: -------------------------------------------------------------------------------- 1 | rule RAN_ALPHV_Apr_2022_1 : alphav blackcat ransomware 2 | { 3 | meta: 4 | description = "Detect AlphV ransomware (Rust version)" 5 | author = "Arkbird_SOLG" 6 | date = "2022-04-03" 7 | reference = "Internal Research" 8 | hash1 = "6229f6de17bf83d824249a779b3f2a030cb476133ab8879c0853bab4fdf9c079" 9 | hash2 = "847fb7609f53ed334d5affbb07256c21cb5e6f68b1cc14004f5502d714d2a456" 10 | tlp = "Clear" 11 | adversary = "BlackCat" 12 | strings: 13 | $s1 = { 68 [3] 00 6a 00 6a 00 e8 [3] 00 85 c0 0f 84 [2] 00 00 89 ?? 31 c0 f0 0f b1 [5] 0f 84 ?? fe ff ff 89 c6 ?? e8 [3] 00 89 ?? e9 ?? fe ff ff 68 [3] 00 ff 35 [4] e8 [3] 00 85 c0 0f 84 [2] 00 00 } 14 | $s2 = { 5c 00 5c 00 3f 00 5c 00 [0-2] 5c 00 5c 00 3f 00 5c 00 55 00 4e 00 43 00 5c 00 5c 5c 2e 5c 70 69 70 65 5c 5f 5f 72 75 73 74 5f 61 6e 6f 6e 79 6d 6f 75 73 5f 70 69 70 65 31 5f 5f 2e } 15 | $s3 = { 00 00 8d ?? 24 [2] 00 00 [1-4] 00 02 00 00 89 ?? 24 ?? 6a 00 e8 [3] 00 [0-1] 57 [0-1] e8 [3] 00 89 ?? 85 c0 75 0d e8 [3] 00 85 c0 0f 85 ?? 00 00 00 39 ?? 0f 85 ?? ff ff ff e8 [3] 00 83 f8 7a 0f 85 ?? ff ff ff 01 ?? 81 ??
01 02 00 00 72 } 16 | $s4 = { 65 74 53 65 72 76 65 72 45 6e 75 6d 00 ?? 00 4e 65 74 53 68 61 72 65 45 6e 75 6d } 17 | condition: 18 | uint16(0) == 0x5A4D and filesize > 90KB and all of ($s*) 19 | } 20 | -------------------------------------------------------------------------------- /Ransomware/RAN_ALPHV_Dec_2021_1.yara: -------------------------------------------------------------------------------- 1 | rule RAN_ALPHV_Dec_2021_1 2 | { 3 | meta: 4 | description = "Detect AlphV ransomware (November 2021)" 5 | author = "Arkbird_SOLG" 6 | date = "2021-12-09" 7 | reference = "Internal Research" 8 | hash1 = "3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83" 9 | hash2 = "cefea76dfdbb48cfe1a3db2c8df34e898e29bec9b2c13e79ef40655c637833ae" 10 | hash3 = "7e363b5f1ba373782261713fa99e8bbc35ddda97e48799c4eb28f17989da8d8e" 11 | tlp = "Clear" 12 | adversary = "BlackCat" 13 | strings: 14 | $s1 = { ff b4 24 [2] 00 00 6a 00 ff 35 ?? e1 ?? 00 e8 [3] 00 8d 8c 24 [2] 00 00 ba [3] 00 68 c0 1f 00 00 e8 [3] ff 83 c4 04 ?? bc 24 [2] 00 00 } 15 | $s2 = { 85 f6 74 47 8b 3d ?? e1 ?? 00 85 ff 0f 85 81 00 00 00 eb 60 68 [3] 00 6a 00 6a 00 e8 [2] 04 00 85 c0 0f 84 99 01 00 00 89 c1 31 c0 f0 0f b1 0d ?? e1 ?? 00 0f 84 f0 fe ff ff 89 c6 51 e8 [2] 04 00 89 f1 e9 e1 fe ff ff 68 [3] 00 ff 35 ?? e1 ?? 00 e8 [2] 04 00 85 c0 0f 84 32 03 00 00 89 c6 a3 ?? e1 ?? 00 8b 3d ?? e1 ?? 00 85 ff 75 1f 68 [3] 00 ff 35 ?? e1 ?? 00 e8 [2] 04 00 85 c0 0f 84 09 03 00 00 89 c7 a3 ?? e1 ?? 00 89 74 24 18 e8 [2] 04 00 8b 35 ?? e1 ?? 00 89 44 24 14 85 f6 75 1f 68 [3] 00 ff 35 ?? e1 ?? 00 e8 [2] 04 00 85 c0 0f 84 b8 01 00 00 89 c6 a3 ?? e1 ?? 00 8d 44 24 70 c7 44 24 64 00 00 00 00 c7 44 24 60 00 00 00 00 68 0c 01 00 00 6a 00 50 e8 [2] 04 00 83 } 16 | $s3 = { 8b 38 89 4d ec 89 55 ?? 74 34 a1 ?? e1 ?? 00 85 c0 75 0e e8 [3] 00 85 c0 74 14 a3 ?? e1 ?? 
00 53 6a 00 50 e8 [3] 00 89 c6 85 c0 75 13 89 d9 ba 01 00 00 00 e8 [3] ff 0f 0b be 01 00 00 00 53 57 56 e8 [3] 00 83 c4 0c 8d 04 1e 8d 4d } 17 | $s4 = { 83 c4 0c c7 45 ?? 00 00 00 00 c7 45 ?? 02 00 00 89 89 75 ?? 8d 45 ?? c7 45 ?? 00 00 00 00 c7 45 ?? 00 00 00 00 6a 10 50 57 e8 [3] 00 83 f8 ff 0f 84 ?? 02 00 00 f6 45 9c ff } 18 | condition: 19 | uint16(0) == 0x5A4D and filesize > 300KB and all of ($s*) 20 | } 21 | -------------------------------------------------------------------------------- /Ransomware/RAN_ALPHV_Mar_2023_1.yara: -------------------------------------------------------------------------------- 1 | rule RAN_ALPHV_Mar_2023_1 : alphav blackcat ransomware 2 | { 3 | meta: 4 | description = "Detect new variant of AlphV ransomware" 5 | author = "Arkbird_SOLG" 6 | date = "2023-03-19" 7 | // Updated with "ALPHV MORPH" variant 2 8 | reference = "https://twitter.com/rivitna2/status/1636891502562385920" 9 | hash1 = "62ae5ad22213d2adaf0e7cf1ce23ff47b996f60065244b63f361a22daed2bdda" 10 | hash2 = "1d6d47bf20d21b860d232a358481c477c36491134ea976372c69a0483e05a556" 11 | hash3 = "38d5f4f37686dab8b082b591224e272883644caab6a814e7751981da00523c51" 12 | hash4 = "aba1639c22467782c13a6dbe25c7b79e75b40ab440b7b54454ae9bc54dd6ae51" 13 | tlp = "Clear" 14 | adversary = "BlackCat" 15 | strings: 16 | $s1 = { 55 89 e5 53 57 56 81 ec 2c 04 00 00 8d 85 c8 fb ff ff 6a 04 68 [3] 00 50 e8 71 f8 ff ff 83 c4 0c 83 bd c8 fb ff ff 00 74 33 8b 85 d0 fb ff ff f2 0f 10 85 c8 fb ff ff 89 45 ec f2 0f 11 45 e4 8b 45 e4 8b 5d 08 85 c0 74 30 8b 4d e8 8b 55 ec 89 03 89 53 08 89 4b 04 e9 3b 02 00 00 8d 45 e4 6a 0b 68 [3] 00 50 e8 22 f8 ff ff 83 c4 0c 8b 45 e4 8b 5d 08 85 c0 75 d0 e8 ?? 
1a 08 00 c7 45 d4 } 17 | $s2 = { 53 57 56 83 ec 60 8b 5d 14 8b 75 18 e8 [3] 00 89 45 e8 8d 7d cc 56 53 57 e8 [2] 03 00 83 c4 0c 8d 5d b0 ff 75 20 ff 75 1c 53 e8 [2] 03 00 83 c4 0c 8d 75 94 ff 75 28 ff 75 24 56 e8 [2] 03 00 83 c4 0c 57 e8 [2] 03 00 83 c4 04 8b 38 89 55 ec 53 e8 [2] 03 00 83 c4 04 8b 18 89 55 f0 56 e8 [2] 03 00 83 c4 04 89 d6 8d 4d e8 51 ff 75 10 ff 75 0c ff 30 53 57 e8 [3] 00 85 c0 } 18 | $s3 = { 68 [3] 00 6a 00 6a 00 e8 ?? 79 06 00 85 c0 74 21 89 c6 31 c0 f0 0f b1 35 [3] 00 0f 84 0e ff ff ff 89 c7 56 e8 ?? 79 06 00 89 fe e9 ff fe ff ff } 19 | $s4 = { 5c 5c 2e 5c 70 69 70 65 5c 5f 5f 72 75 73 74 5f 61 6e 6f 6e 79 6d 6f 75 73 5f 70 69 70 65 31 5f 5f } 20 | condition: 21 | uint16(0) == 0x5A4D and filesize > 300KB and all of ($s*) 22 | } 23 | -------------------------------------------------------------------------------- /Ransomware/RAN_ARCrypter_Nov_2022_1.yara: -------------------------------------------------------------------------------- 1 | rule RAN_ARCrypter_Nov_2022_1 : arcrypter ransomware 2 | { 3 | meta: 4 | description = "Detect ARCrypter ransomware" 5 | author = "Arkbird_SOLG" 6 | reference = "https://blogs.blackberry.com/en/2022/11/arcrypter-ransomware-expands-its-operations-from-latin-america-to-the-world" 7 | date = "2022-11-16" 8 | hash1 = "e1f01b2c624f705cb34c5c1b6d84f11b1d9196c610f6f4dd801a287f3192bf76" 9 | hash2 = "dacce1811b69469f4fd22ca7304ab01d57f4861574d5eeb2c35c0931318582ae" 10 | hash3 = "39b74b2fb057e8c78a2ba6639cf3d58ae91685e6ac13b57b70d2afb158cf742d" 11 | tlp = "Clear" 12 | adversary = "-" 13 | strings: 14 | $s1 = { 72 65 67 20 61 64 64 20 22 68 6b 63 75 5c 43 6f 6e 74 72 6f 6c 20 50 61 6e 65 6c 5c 49 6e 74 65 72 6e 61 74 69 6f 6e 61 6c 22 20 2f 76 20 73 53 68 6f 72 74 44 61 74 65 20 2f 74 20 52 45 47 5f 53 5a 20 2f 64 20 22 41 4c 4c 20 59 4f 55 52 20 46 49 4c 45 53 20 48 41 53 20 42 45 45 4e 20 45 4e 43 52 59 50 54 45 44 22 20 2f 66 00 00 00 00 72 65 67 20 61 64 64 20 22 68 6b 6c 6d 5c 53 59 53 54 45 4d 5c 43 6f 6e 74 72 6f 
6c 53 65 74 30 30 31 5c 43 6f 6e 74 72 6f 6c 5c 43 6f 6d 6d 6f 6e 47 6c 6f 62 55 73 65 72 53 65 74 74 69 6e 67 73 5c 43 6f 6e 74 72 6f 6c 20 50 61 6e 65 6c 5c 49 6e 74 65 72 6e 61 74 69 6f 6e 61 6c 22 20 2f 76 20 73 53 68 6f 72 74 44 61 74 65 20 2f 74 20 52 45 47 5f 53 5a 20 2f 64 20 22 41 4c 4c 20 59 4f 55 52 20 46 49 4c 45 53 20 48 41 53 20 42 45 45 4e 20 45 4e 43 52 59 50 54 45 44 22 20 2f 66 } 15 | $s2 = { 7c 7c 20 53 54 41 52 54 20 22 22 20 22 00 00 54 41 53 4b 4c 49 53 54 20 7c 3e 4e 55 4c 20 46 49 4e 44 53 54 52 20 2f 42 20 2f 4c 20 2f 49 20 2f 43 3a 00 00 00 00 00 54 49 4d 45 4f 55 54 20 2f 54 20 31 20 2f 4e 4f 42 52 45 41 4b 3e 4e 55 4c } 16 | $s3 = { 65 78 70 6c 6f 72 65 72 2e 65 78 65 20 2e 5c 72 65 61 64 6d 65 5f 66 6f 72 5f 75 6e 6c 6f 63 6b 2e 74 78 74 } 17 | condition: 18 | uint16(0) == 0x5A4D and filesize > 60KB and all of ($s*) 19 | } 20 | -------------------------------------------------------------------------------- /Ransomware/RAN_ARCrypter_Nov_2022_2.yara: -------------------------------------------------------------------------------- 1 | rule RAN_ARCrypter_Nov_2022_2 : arcrypter ransomware dropper 2 | { 3 | meta: 4 | description = "Detect the dropper of ARCrypter ransomware" 5 | author = "Arkbird_SOLG" 6 | reference = "https://blogs.blackberry.com/en/2022/11/arcrypter-ransomware-expands-its-operations-from-latin-america-to-the-world" 7 | date = "2022-11-16" 8 | hash1 = "e1f01b2c624f705cb34c5c1b6d84f11b1d9196c610f6f4dd801a287f3192bf76" 9 | hash2 = "dacce1811b69469f4fd22ca7304ab01d57f4861574d5eeb2c35c0931318582ae" 10 | hash3 = "39b74b2fb057e8c78a2ba6639cf3d58ae91685e6ac13b57b70d2afb158cf742d" 11 | tlp = "Clear" 12 | adversary = "-" 13 | strings: 14 | $s1 = { 48 89 58 08 48 89 70 10 48 89 78 20 44 89 40 18 55 41 54 41 55 41 56 41 57 48 8d 68 88 48 81 ec 50 01 00 00 48 8b 05 [2] 04 00 4c 8b fa 33 d2 4d 8b f1 48 8b d9 48 89 55 88 89 55 90 88 54 24 21 38 10 0f 84 c3 07 00 00 80 38 24 44 8b ad a0 00 00 00 75 34 45 8b cd 4c 8d 44 24 21 48 8d 95 } 15 
| $s2 = { 48 8b 03 49 8b ce 48 2b 43 08 83 e1 3f 48 99 49 8b de 48 2b c2 48 c1 fb 06 48 d1 f8 4d 8b cf 4c 8d 24 c9 48 8b f0 48 8d 05 [2] fb ff 45 33 c0 48 8b 94 d8 00 ?? 08 00 41 8b ce 4a 8b 54 e2 30 e8 b8 0e 00 00 4c 8b e8 48 8d 05 [2] fb ff 48 8b 8c d8 00 ?? 08 00 4e 3b 6c e1 30 0f 85 a2 00 00 00 4a 8b 4c e1 28 4c 8d 4c 24 30 41 b8 00 10 00 00 48 89 7c 24 20 48 8d 54 24 40 ff 15 [2] 01 00 85 } 16 | $s3 = { ( 40 65 63 68 6f 20 6f 66 66 0a 00 00 0a 00 00 00 74 61 73 6b 6b 69 6c 6c 20 2f 46 20 2f 49 4d | 54 49 4d 45 4f 55 54 20 2f 54 20 31 20 2f 4e 4f 42 52 45 41 4b 3e 4e 55 4c ) } 17 | condition: 18 | uint16(0) == 0x5A4D and filesize > 60KB and all of ($s*) 19 | } 20 | -------------------------------------------------------------------------------- /Ransomware/RAN_BlackBasta_Dec_2022_1.yara: -------------------------------------------------------------------------------- 1 | rule RAN_BlackBasta_Dec_2022_1 : blackbasta ransomware 2 | { 3 | meta: 4 | description = "Detect the BlackBasta ransomware (DLL v2)" 5 | author = "Arkbird_SOLG" 6 | reference = "https://www.zscaler.com/blogs/security-research/back-black-basta" 7 | date = "2022-12-01" 8 | hash1 = "51eb749d6cbd08baf9d43c2f83abd9d4d86eb5206f62ba43b768251a98ce9d3e" 9 | hash2 = "ab24df3877345cfab2c946d8a714f1ef17fe18c6744034b44ec0c83a3b613195" 10 | hash3 = "07117c02a09410f47a326b52c7f17407e63ba5e6ff97277446efc75b862d2799" 11 | tlp = "clear" 12 | adversary = "RAAS" 13 | strings: 14 | $s1 = { 8b ec 6a ff 68 [2] 09 10 64 a1 00 00 00 00 50 64 89 25 00 00 00 00 83 ec 1c c7 45 d8 00 00 00 00 c7 45 e8 00 00 00 00 c7 45 ec 00 00 00 00 68 [3] 10 c7 45 e8 00 00 00 00 c7 45 ec 0f 00 00 00 c6 45 d8 00 e8 a4 ?? 07 00 83 c4 04 8d 4d d8 50 68 [3] 10 e8 [2] 00 00 c7 45 fc 00 00 00 00 8d 45 f3 50 8d 4d f0 51 8d 55 d8 b9 [2] 0c 10 52 e8 [2] 00 00 c7 45 fc ff ff ff ff 8d 45 d8 68 [2] 00 10 6a 01 6a 18 50 e8 [2] 06 00 68 [2] 09 10 e8 [2] 06 00 8b 4d f4 83 c4 04 64 89 0d 00 00 00 00 } 15 | $s2 = { 51 52 e8 ?? 
ba 05 00 83 c4 08 6a 00 68 80 00 00 00 6a 02 33 c0 c7 45 dc 00 00 00 00 83 7d c8 08 6a 00 66 89 45 cc 8d 45 b4 0f 43 45 b4 6a 00 68 00 00 00 c0 50 c7 45 e0 07 00 00 00 ff 15 [3] 10 8b f8 83 ff ff 74 15 6a 00 6a 00 68 43 04 00 00 68 [2] 0c 10 57 ff 15 [3] 10 57 ff 15 [3] 10 83 e6 fd 89 75 f0 c6 45 fc 00 8b 4d c8 5f 5e 5b 83 f9 08 72 2e 8b 55 b4 8d 0c 4d 02 00 00 00 8b } 16 | $s3 = { c6 45 fc ?? c7 [2-5] 00 00 00 00 c7 [2-5] 00 00 00 00 c7 [2-5] 00 00 00 00 68 [7-10] 00 00 00 00 c7 } 17 | $s4 = { c7 45 ?? 00 00 00 00 [0-3] c7 45 ?? 00 00 00 00 c7 45 ?? 00 00 00 00 68 [3] 10 c7 45 ?? 00 00 00 00 c7 45 ?? 0f 00 00 00 c6 45 ?? 00 } 18 | condition: 19 | uint16(0) == 0x5A4D and filesize > 200KB and all of ($s*) 20 | } 21 | -------------------------------------------------------------------------------- /Ransomware/RAN_BlackBasta_Dec_2022_2.yara: -------------------------------------------------------------------------------- 1 | rule RAN_BlackBasta_Dec_2022_2 : blackbasta ransomware 2 | { 3 | meta: 4 | description = "Detect the BlackBasta ransomware (EXE v2)" 5 | author = "Arkbird_SOLG" 6 | reference = "https://www.zscaler.com/blogs/security-research/back-black-basta" 7 | date = "2022-12-01" 8 | hash1 = "350ba7fca67721c74385faff083914ecdd66ef107a765dfb7ac08b38d5c9c0bd" 9 | hash2 = "c4c8be0c939e4c24e11bad90549e3951b7969e78056d819425ca53e87af8d8ed" 10 | hash3 = "e28188e516db1bda9015c30de59a2e91996b67c2e2b44989a6b0f562577fd757" 11 | tlp = "clear" 12 | adversary = "RAAS" 13 | strings: 14 | $s1 = { 80 f9 40 73 15 80 f9 20 73 06 0f a5 c2 d3 e0 c3 8b d0 33 c0 80 e1 1f d3 e2 c3 33 c0 33 d2 c3 cc 80 f9 40 73 16 80 f9 20 73 06 0f ad d0 d3 fa c3 8b c2 c1 fa 1f 80 e1 1f d3 f8 c3 c1 fa 1f 8b } 15 | $s2 = { ( 41 00 a3 [2] 44 00 5d c3 cc 55 8b ec a1 [2] 41 00 a3 [2] 44 00 8b 0d [2] 41 00 89 0d ( 14 31 | 4c 19 ) | d0 d1 40 00 a3 c4 40 44 00 5d c3 cc 55 8b ec a1 b8 d0 40 00 a3 f8 43 44 00 8b 0d 9c d0 40 00 89 0d fc 43 ) 44 00 8b 15 } 16 | $s3 = { 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 
44 52 00 00 00 10 00 00 00 10 08 02 00 00 00 90 91 68 36 00 00 01 d7 49 44 41 54 78 9c a5 52 3d 4c 53 51 18 3d f7 dd db 27 85 56 c1 0a 83 d1 a4 29 21 86 c1 9f 4e 76 d2 68 88 31 b1 a3 0e } 17 | condition: 18 | uint16(0) == 0x5A4D and filesize > 200KB and all of ($s*) 19 | } 20 | -------------------------------------------------------------------------------- /Ransomware/RAN_Black_Basta_Apr_2022_1.yara: -------------------------------------------------------------------------------- 1 | rule RAN_Black_Basta_Apr_2022_1 : ransomware blackbasta 2 | { 3 | meta: 4 | description = "Detect black basta ransomware" 5 | author = "Arkbird_SOLG" 6 | reference = "https://twitter.com/MarceloRivero/status/1519398885193654273" 7 | date = "2022-04-27" 8 | hash1 = "7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a" 9 | hash2 = "5d2204f3a20e163120f52a2e3595db19890050b2faa96c6cba6b094b0a52b0aa" 10 | tlp = "Clear" 11 | adversary = "RAAS" 12 | strings: 13 | $s1 = { 81 ec ?? 00 00 00 a1 [2] 48 00 33 c5 89 45 f0 [0-2] 50 8d 45 f4 64 a3 00 00 00 00 [0-3] c7 45 fc 00 00 00 00 8d [2] ff ff ff } 14 | $s2 = { 6a 00 68 00 00 20 02 6a 03 6a 00 6a 07 6a 00 50 ff 15 [2] 46 00 8b f8 89 7d 0c c7 45 fc 01 00 00 00 83 ff ff 75 3b ff 15 [2] 46 00 8b 4d 10 89 01 8b 45 08 c7 41 04 [2] 48 00 c7 00 00 00 00 00 c7 45 f0 01 00 00 00 c6 45 fc 00 89 7d 0c 8b 4d f4 64 89 0d 00 00 00 00 59 5f 5e 5b 8b e5 5d c3 68 00 40 00 00 6a 01 e8 [2] 02 00 8b d8 83 c4 08 89 5d ec c6 45 fc 02 8d 45 e8 6a 00 50 68 00 40 00 00 53 6a 00 6a 00 68 a8 00 09 00 57 ff 15 [2] 46 00 85 c0 74 15 8b 75 08 c7 45 ec 00 00 00 00 c7 45 f0 01 00 00 00 89 1e eb 33 ff 15 [2] 46 00 8b 4d 10 8b 75 08 c7 45 f0 01 00 00 00 89 01 c7 41 04 [2] 48 00 c7 06 00 00 00 00 c6 45 } 15 | $s3 = { 6a 02 8d 45 08 50 8d 4d ?? e8 [2] ff ff c6 45 fc 06 50 8d 8d [2] ff ff e8 [2] 00 00 c6 45 fc 07 c6 45 fc 03 8d 4d ?? e8 [2] 00 00 6a 02 8d 45 08 50 8d 4d ?? 
e8 [2] ff ff c6 45 fc 08 83 ec 18 8b cc 89 a5 [2] ff ff 51 8b c8 e8 [2] ff ff c6 45 fc 09 c6 45 fc 08 e8 [2] ff ff 83 c4 18 c6 45 fc 0a c6 45 fc 03 8d 4d ?? e8 [2] 00 00 e8 [2] 01 00 8d 3c 40 3b 3d [2] 48 00 0f 42 3d [2] 48 00 89 } 16 | $s4 = { 57 68 a0 0f 00 00 68 [2] 48 00 ff 15 [2] 46 00 68 [3] 00 ff 15 [2] 46 00 8b f0 85 f6 75 11 68 [3] 00 ff 15 [2] 46 00 8b f0 85 f6 74 46 68 [3] 00 56 ff 15 [2] 46 00 68 [3] 00 56 8b f8 ff 15 [2] 46 00 85 ff 74 12 85 c0 74 0e 89 3d [2] 48 00 a3 [2] 48 00 5f 5e c3 33 c0 50 50 6a 01 50 ff 15 [2] 46 00 a3 } 17 | condition: 18 | uint16(0) == 0x5A4D and filesize > 25KB and all of ($s*) 19 | } 20 | -------------------------------------------------------------------------------- /Ransomware/RAN_Blacksuit_May_2023_1.yara: -------------------------------------------------------------------------------- 1 | rule RAN_Blacksuit_May_2023_1 : ransomware blacksuit esxi 2 | { 3 | meta: 4 | description = "Detect the ESXI variant of Blacksuit ransomware" 5 | author = "Arkbird_SOLG" 6 | date = "2023-05-03" 7 | reference1 = "https://twitter.com/malwrhunterteam/status/1653743100605394947" 8 | reference2 = "https://twitter.com/Unit42_Intel/status/1653760405792014336" 9 | hash1 = "1c849adcccad4643303297fb66bfe81c5536be39a87601d67664af1d14e02b9e" 10 | // ref royal ransomware group ? 
11 | //hash2 = "09a79e5e20fa4f5aae610c8ce3fe954029a91972b56c6576035ff7e0ec4c1d14" 12 | //hash3 = "06abc46d5dbd012b170c97d142c6b679183159197e9d3f6a76ba5e5abf999725" 13 | //hash4 = "b64acb7dcc968b9a3a4909e3fddc2e116408c50079bba7678e85fee82995b0f4" 14 | //hash5 = "b57e5f0c857e807a03770feb4d3aa254d2c4c8c8d9e08687796be30e2093286c" 15 | tlp = "Clear" 16 | adversary = "-" 17 | strings: 18 | $s1 = { 48 8d 4c 24 0c 41 b8 04 00 00 00 ba 01 00 00 00 be 06 00 00 00 89 df e8 [3] ff 85 c0 0f 85 01 01 00 00 4c 89 e7 e8 59 c3 ff ff 4c 89 e7 89 c5 e8 2f c3 ff ff 89 df 89 ea 48 89 c6 e8 [3] ff 89 c7 b8 01 00 00 00 } 19 | $s2 = { 48 8b 7f 28 e8 [2] f4 ff 48 8d 35 [2] 0b 00 48 8d 3d [2] 0b 00 c7 05 [3] 00 01 00 00 00 e8 [3] ff 48 85 c0 48 89 05 [3] 00 0f 84 ed 00 00 00 48 8d 35 [2] 0b 00 48 8d 3d [2] 0b 00 e8 [3] ff 48 85 c0 48 89 05 [3] 00 0f 84 e2 00 00 00 48 8b 3d [3] 00 e8 [3] ff 48 8d 35 [3] 00 89 c7 e8 [3] ff 89 c2 b8 01 00 } 20 | $s3 = { 48 8d 85 30 fa ff ff ba 00 04 00 00 be 00 00 00 00 48 89 c7 e8 [2] ff ff 48 8d 95 30 fe ff ff 48 8d 85 30 fa ff ff be [2] 58 00 48 89 c7 b8 00 00 00 00 e8 [2] ff ff e8 [2] ff ff 89 45 c8 83 7d c8 00 75 } 21 | $s4 = { 89 ce 48 83 ec 18 48 89 d3 e8 20 ff ff ff 48 85 c0 49 89 c4 74 2a 48 8d 35 [3] 00 48 89 ea 48 89 c7 e8 26 fd ff ff 85 c0 74 32 48 85 db 74 0f 48 89 de 4c 89 e7 e8 92 fe ff ff 85 c0 74 1e 4c 89 e0 48 8b 1c 24 48 8b 6c 24 08 4c 8b 64 24 10 } 22 | // Remove it if you want a global esxi rule for Royal/Icefire/BlackSuit 23 | $s5 = { 70 73 20 2d 43 63 7c 67 72 65 70 20 76 6d 73 79 73 6c 6f 67 64 } 24 | condition: 25 | uint32(0) == 0x464C457F and filesize > 300KB and all of ($s*) 26 | } 27 | -------------------------------------------------------------------------------- /Ransomware/RAN_BlueSky_Aug_2022_1.yara: -------------------------------------------------------------------------------- 1 | rule RAN_BlueSky_Aug_2022_1 : bluesky ransomware 2 | { 3 | meta: 4 | description = "Detect the BlueSky ransomware" 5 | author = "Arkbird_SOLG" 6 | 
date = "2022-08-11" 7 | reference = "https://unit42.paloaltonetworks.com/bluesky-ransomware/" 8 | hash1 = "b5b105751a2bf965a6b78eeff100fe4c75282ad6f37f98b9adcd15d8c64283ec" 9 | hash2 = "e75717be1633b5e3602827dc3b5788ff691dd325b0eddd2d0d9ddcee29de364f" 10 | hash3 = "2280898cb29faf1785e782596d8029cb471537ec38352e5c17cc263f1f52b8ef" 11 | hash4 = "c75748dc544629a8a5d08c0d8ba7fda3508a3efdaed905ad800ffddbc8d3b8df" 12 | tlp = "Clear" 13 | adversary = "RAAS" 14 | strings: 15 | $s1 = { 83 ec 0c e8 95 98 ff ff 83 3d b0 31 41 00 00 74 23 e8 a7 38 ff ff 84 c0 0f 85 d6 00 00 00 83 3d b0 31 41 00 00 74 0d e8 b1 36 ff ff 85 c0 0f 85 c0 00 00 00 e8 94 99 ff ff 85 c0 0f 84 b3 00 00 00 c6 45 f5 00 8d 4d f5 c6 45 f6 5a c6 45 f7 70 c6 45 f8 42 c6 45 f9 08 c6 45 fa 2b c6 45 fb 09 c6 45 fc 64 c6 45 fd 09 c6 45 fe 71 c6 45 ff 63 8a 45 f6 e8 85 00 00 00 50 ff 35 88 31 41 00 68 01 00 00 80 e8 84 2e 00 00 83 c4 0c 83 f8 01 74 63 83 3d b4 31 41 00 00 74 05 e8 0e 9a ff ff e8 19 84 ff ff e8 84 9e ff ff e8 4f a7 ff ff 85 c0 74 42 e8 96 9d ff ff e8 81 96 ff ff e8 4c 9e ff ff e8 77 fa ff ff 83 3d b8 31 41 00 00 74 05 e8 29 0e 00 00 68 ff 00 00 00 68 9e 33 69 b7 68 26 57 7f 0b e8 } 16 | $s2 = { 51 56 8b f1 89 75 fc 80 3e 00 75 3f 53 bb 0a 00 00 00 57 8d 7e 01 8d 73 75 0f 1f 40 00 8a 07 8d 7f 01 0f b6 c0 b9 63 00 00 00 2b c8 6b c1 0b 99 f7 fe 8d 42 7f 99 f7 fe 88 57 ff 83 eb 01 75 dd 8b 45 fc 5f 5b 40 5e } 17 | $s3 = { 83 ec 08 6a 04 8d 45 fc c7 45 fc 00 00 00 00 50 8d 45 f8 50 ff 75 10 ff 75 0c ff 75 08 e8 3b fe ff ff 83 c4 18 83 f8 04 75 0c 39 45 f8 75 07 8b 45 fc 8b e5 5d c3 33 c0 8b } 18 | $s4 = { f6 80 3d 94 31 41 00 03 74 63 81 3d 9c 31 41 00 b0 1d 00 00 72 57 e8 a3 fa ff ff 84 c0 74 4e e8 fa d5 ff ff 85 c0 74 45 e8 61 fc ff ff 85 c0 74 3c e8 58 6f 00 00 50 e8 b2 d6 ff ff 83 c4 04 b9 01 00 00 00 85 c0 0f 45 f1 e8 d0 dc ff ff 85 f6 74 1b 68 ff 00 00 00 68 9e 33 69 b7 68 26 57 7f 0b e8 98 c5 ff ff 83 c4 0c 6a } 19 | condition: 20 | uint16(0) == 0x5A4D and filesize > 30KB and all of ($s*) 21 | } 
22 | -------------------------------------------------------------------------------- /Ransomware/RAN_Conti_Jan_2023_1.yara: -------------------------------------------------------------------------------- 1 | rule RAN_Conti_Jan_2023_1 : ransomware conti x86 windows 2 | { 3 | meta: 4 | description = "Detect Windows x86 version of Conti ransomware" 5 | author = "Arkbird_SOLG" 6 | date = "2023-01-23" 7 | reference = "Internal Research" 8 | hash1 = "746ac121ae024e51aa3129699cae278990cf392a661b40361d9d15b86635da94" 9 | hash2 = "8f11bb9536cb885bc57144392bc35e19dbc0f683d57c2c423c87a9d1c6d9d0ae" 10 | hash3 = "fbe45ed19fa942cc5e767acc0ef638447c4aa4b52d4900627a0a0ae71d543bee" 11 | hash4 = "c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb" 12 | tlp = "Clear" 13 | adversary = "RAAS" 14 | strings: 15 | $s1 = { 51 8d 45 c9 8b ca 50 e8 ?? e9 ff ff 83 ec 18 33 c0 8b cc 6a ff c7 41 14 07 00 00 00 c7 41 10 00 00 00 00 50 66 89 01 8d 45 08 50 e8 [2] ff ff 8d 4d e4 e8 [2] ff ff 83 7d f8 08 8d 75 e4 6a 61 0f 43 75 e4 ba 0f 00 00 00 68 e8 10 76 01 e8 [2] fe ff 83 c4 38 6a 00 6a 00 6a 02 6a 00 6a 00 68 00 00 00 40 56 ff d0 8b f8 83 ff ff 74 57 6a 6a 68 dd 3e 7d 16 ba 0f 00 00 00 e8 [2] fe ff 83 c4 08 68 88 37 43 00 ff d0 6a 66 68 18 1e 8f 08 ba 0f 00 00 00 8b f0 e8 [2] fe ff 83 c4 08 8d 4d e0 6a 00 51 56 68 88 37 43 00 57 ff d0 6a 5b 68 72 88 52 ca ba 0f 00 00 00 e8 [2] fe ff 83 c4 08 57 ff d0 8b 45 f8 83 f8 08 72 0a 40 50 ff 75 e4 e8 ?? e9 ff ff 33 c0 c7 45 f8 07 00 } 16 | $s2 = { 8b d7 c1 fa 06 8b c7 83 e0 3f 6b c8 30 8b 04 95 68 48 43 00 f6 44 08 28 01 74 21 57 e8 ?? e2 ff ff 59 50 ff 15 f8 c0 42 00 85 c0 75 1d e8 ?? cb ff ff 8b f0 ff 15 54 c0 42 00 89 06 e8 ?? cb ff ff c7 00 09 00 00 00 83 ce } 17 | $s3 = { 0f b6 c0 2b cb 41 f7 d8 68 40 01 00 00 1b c0 23 c1 89 85 b4 fe ff ff 8d 85 bc fe ff ff 57 50 e8 ?? 
d3 ff ff 83 c4 0c 8d 85 bc fe ff ff 57 57 57 50 57 53 ff 15 bc c0 42 00 8b f0 8b 85 b8 fe ff ff 83 fe ff 75 2d 50 57 57 53 e8 9f fe ff ff 83 c4 10 8b f8 83 fe ff 74 07 56 ff 15 b8 } 18 | condition: 19 | uint16(0) == 0x5A4D and filesize > 80KB and all of ($s*) 20 | } 21 | -------------------------------------------------------------------------------- /Ransomware/RAN_Cuba_Dec_2021_1.yara: -------------------------------------------------------------------------------- 1 | rule RAN_Cuba_Dec_2021_1 2 | { 3 | meta: 4 | description = "Detect the Cuba ransomware" 5 | author = "Arkbird_SOLG" 6 | date = "2021-12-20" 7 | reference = "Internal Research" 8 | hash1 = "482b160ee2e8d94fa6e4749f77e87da89c9658e7567459bc633d697430e3ad9a" 9 | hash2 = "936119bc1811aeef01299a0150141787865a0dbe2667288f018ad24db5a7bc27" 10 | tlp = "Clear" 11 | adversary = "Cuba" 12 | strings: 13 | $s1 = { 50 8d 84 24 88 02 00 00 68 60 9f 41 00 50 ff 15 ?? 51 41 00 83 c4 18 8d 44 24 20 50 8d 44 24 28 50 8d 44 24 24 50 6a ff 8d 44 24 28 50 6a 01 8d 84 24 90 02 00 00 50 ff 15 b4 51 41 00 8b d8 89 5c 24 14 85 db 74 0c 81 fb ea 00 00 00 0f 85 b9 00 00 00 8b 74 24 18 33 ff 47 39 7c 24 1c 0f 82 95 00 00 00 8b 5c 24 0c ff 36 8d 84 24 7c 02 00 00 50 8d 84 24 80 0a 00 00 68 7c 9f 41 00 50 ff 15 ?? 51 41 00 83 c4 10 83 7e 04 00 7c 55 8d 44 24 28 50 8d 84 24 7c 0a 00 00 50 ff 15 ?? 50 41 00 89 44 24 10 83 f8 ff 74 39 ff 36 8d 84 24 7c 02 00 00 50 8d 84 24 80 0a 00 00 68 8c 9f 41 00 50 ff 15 ?? 51 41 00 83 c4 10 8d 84 24 78 0a 00 00 8b cb 50 e8 ef f7 ff ff ff 74 24 10 ff 15 ?? 50 41 00 47 83 c6 0c 3b 7c 24 } 14 | $s2 = { 8d 85 fc f7 ff ff 50 8d 86 00 08 00 00 50 ff 15 ?? 50 41 00 8d 85 f8 f7 ff ff b9 00 04 00 00 50 51 56 8d 85 fc f7 ff ff 89 8d f8 f7 ff ff 50 ff 15 ?? 
50 41 00 85 c0 75 07 66 89 06 8b de eb 06 03 9d e8 f7 ff ff 6a 00 8d 85 f0 f7 ff ff 50 6a 00 8d 85 fc f7 ff ff 50 ff 15 bc 50 41 00 85 c0 74 18 8b 85 f0 f7 ff ff 89 83 00 10 00 00 8b 85 f4 f7 ff ff 89 83 04 10 00 00 8b 9d ec f7 ff ff b8 08 10 00 00 03 d8 03 f0 68 00 04 00 00 8d 85 fc f7 ff ff 89 9d ec f7 ff ff 50 ff b5 e4 f7 ff ff 47 ff 15 ?? 50 41 00 85 } 15 | $s3 = { 6a 01 6a 00 8b f1 8b fa 6a 00 56 ff 15 04 50 41 00 85 c0 75 09 5f b8 99 ff ff ff 5e 5d c3 57 ff 75 08 ff 36 ff 15 08 50 41 00 85 c0 75 09 5f b8 98 ff ff ff 5e 5d c3 6a 00 ff 36 ff 15 0c 50 41 00 5f 33 c0 5e } 16 | $s4 = { 68 3f 00 0f 00 53 53 88 5d d3 ff 15 18 50 41 00 8b f8 85 ff 75 04 32 c0 eb 64 6a 2c 56 57 ff 15 ?? 50 41 00 8b f0 85 f6 74 4b 83 7d 08 ff 74 1b 53 53 53 53 53 53 53 6a ff ff 75 08 6a ff 56 ff 15 ?? 50 41 00 85 c0 0f 95 45 d3 8d 45 f8 50 6a 24 8d 45 d4 50 53 56 ff 15 ?? 50 41 00 85 } 17 | condition: 18 | uint16(0) == 0x5A4D and filesize > 90KB and all of ($s*) 19 | } -------------------------------------------------------------------------------- /Ransomware/RAN_Darky_Lock_Jun_2022_1.yara: -------------------------------------------------------------------------------- 1 | rule RAN_Darky_Lock_Jun_2022_1 : darkylock ransomware 2 | { 3 | meta: 4 | description = "Detect the Darky Lock ransomware" 5 | author = "Arkbird_SOLG" 6 | reference = "Internal Research" 7 | date = "2022-07-15" 8 | hash1 = "9e67a1c67e3768e7f1f5fc4509119d1999722c6fc349a6398c9b72819e6ebe8d" 9 | hash2 = "393a7a313548a4edc025fb47c6c8e614ecc2b41db880ecb59f20cf238e9a864c" 10 | hash3 = "fc28d2eaee1fd3416fe3e0cd4669df3ac178c577e3a8c386b1c34c3146afb8d6" 11 | tlp = "Clear" 12 | adversary = "RAAS" 13 | strings: 14 | $s1 = { 81 ec 90 00 00 00 56 57 c7 45 f8 00 00 00 00 ff 15 2c 50 41 00 89 45 e4 c7 45 e0 30 75 00 00 68 3f 00 0f 00 6a 00 6a 00 ff 15 04 50 41 00 89 45 e8 83 7d e8 00 0f 84 f5 01 00 00 c7 45 f0 00 00 00 00 eb 09 8b 45 f0 83 c0 01 89 45 f0 83 7d f0 2c 0f 83 cf 01 00 00 6a 2c 8b 4d f0 8b 14 8d 00 40 41 00 52 8b 45 
e8 50 ff 15 20 50 41 00 89 45 fc } 15 | $s2 = { 83 7d f8 00 0f 85 e6 00 00 00 83 7d f4 00 0f 85 dc 00 00 00 68 1c 3c 40 00 6a 00 68 01 00 1f 00 ff 15 c4 50 41 00 85 c0 75 11 68 40 3c 40 00 6a 00 6a 00 ff 15 98 50 41 00 } 16 | $s3 = { ff 15 04 51 41 00 89 45 c0 83 7d c0 00 74 3f b8 41 00 00 00 66 89 45 f0 eb 0c 66 8b 4d f0 66 83 c1 01 66 89 4d f0 0f b7 55 f0 83 fa 5a 7f 1f 8b 45 c0 83 e0 01 74 0d 0f b7 4d f0 51 e8 b9 fa ff ff 83 } 17 | $s4 = { 83 ec 10 c7 45 f4 ff ff ff ff c7 45 f8 00 40 00 00 8d 45 f0 50 8b 4d 08 51 6a 13 6a 00 6a 02 e8 1e 89 00 00 85 c0 0f 85 9d 00 00 00 8b 55 f8 52 e8 f8 84 00 00 83 c4 04 89 45 08 83 7d 08 00 74 7f 8d 45 f8 50 8b 4d 08 51 8d 55 f4 52 8b 45 f0 50 } 18 | condition: 19 | uint16(0) == 0x5A4D and filesize > 50KB and all of ($s*) 20 | } 21 | -------------------------------------------------------------------------------- /Ransomware/RAN_ELF_ALPHV_Dec_2021_1.yara: -------------------------------------------------------------------------------- 1 | rule RAN_ELF_ALPHV_Dec_2021_1 2 | { 3 | meta: 4 | description = "Detect the ELF version of ALPHV ransomware" 5 | author = "Arkbird_SOLG" 6 | date = "2021-12-20" 7 | reference = "Internal Research" 8 | hash1 = "5121f08cf8614a65d7a86c2f462c0694c132e2877a7f54ab7fcefd7ee5235a42" 9 | hash2 = "f8c08d00ff6e8c6adb1a93cd133b19302d0b651afd73ccb54e3b6ac6c60d99c6" 10 | tlp = "Clear" 11 | adversary = "BlackCat" 12 | strings: 13 | $s1 = { 5b 89 ce c7 44 24 14 00 00 00 00 c7 44 24 10 00 00 00 00 81 c3 f5 bd 06 00 83 ec 08 8d 44 24 18 68 00 00 08 00 50 e8 d6 28 ea ff 83 c4 10 83 f8 ff 74 28 8b 44 24 10 83 f8 ff 89 44 24 0c 74 39 8b 4c 24 14 83 f9 ff 89 4c 24 0c 74 2c 89 46 04 89 4e 08 c7 06 00 00 00 00 eb 17 e8 81 28 ea ff 8b 00 c7 46 04 00 00 00 00 89 46 08 c7 06 01 00 00 00 83 c4 30 5e 5f 5b c3 c7 44 24 18 00 00 00 00 83 ec 04 8d 83 5c f1 ff ff 8d 74 24 1c 8d bb d8 ee fa ff 8d 54 24 10 b9 01 } 14 | $s2 = { 83 3e 01 8b 39 b8 1c 00 00 00 bd 10 00 00 00 0f 44 e8 83 c6 04 83 ec 04 55 56 57 e8 27 ad e9 ff 83 c4 
10 83 f8 ff 74 02 eb 39 89 7c 24 08 66 2e 0f 1f 84 00 00 00 00 00 0f 1f } 15 | $s3 = { 80 3d d0 07 3c 00 00 48 89 e5 41 54 53 75 62 48 83 3d c8 03 3c 00 00 74 0c 48 8b 3d 8f 06 3c 00 e8 52 ff ff ff 48 8d 1d b3 54 3b 00 4c 8d 25 a4 54 3b 00 48 8b 05 a5 07 3c 00 4c 29 e3 48 c1 fb 03 48 83 eb 01 48 39 d8 73 20 0f 1f 44 00 00 48 83 c0 01 48 89 05 85 07 3c 00 41 ff 14 c4 48 8b 05 7a 07 3c 00 48 39 d8 72 e5 c6 05 66 07 3c 00 01 5b } 16 | $s4 = { 49 89 ff 48 8b 46 10 48 8d 48 ff 48 83 e1 f7 48 83 c1 09 48 83 f8 01 ba 01 00 00 00 48 0f 43 d0 41 bc 09 00 00 00 4c 0f 43 e1 48 83 fa 09 bb 08 00 00 00 48 0f 43 da 48 83 c3 0f 48 83 e3 f0 48 8b 3c 1f 4d 01 fc 49 01 dc ff 15 96 e5 3b 00 49 8b 3c 1f ff 15 f4 e2 3b 00 4c 89 e7 41 ff 16 49 83 ff ff 74 69 f0 49 83 6f 08 01 75 61 49 8b 46 08 49 8b 4e 10 48 85 c9 ba 01 00 00 00 48 0f 45 d1 48 01 d0 48 83 c0 ff 48 89 d1 48 f7 d9 48 21 c1 48 83 fa 09 b8 08 00 00 00 48 0f 43 c2 48 01 c1 48 83 c1 08 48 89 c2 48 f7 da 48 21 d1 48 01 c8 } 17 | $s5 = { 3f 61 63 63 65 73 73 2d 6b 65 79 3d 24 7b 41 43 43 45 53 53 5f 4b 45 59 7d 22 2c 22 6e 6f 74 65 5f 73 68 6f 72 74 5f 74 65 78 74 22 } 18 | condition: 19 | uint32(0) == 0x464C457F and filesize > 90KB and 3 of ($s*) 20 | } -------------------------------------------------------------------------------- /Ransomware/RAN_ELF_AvosLocker_Jan_2022_1.yara: -------------------------------------------------------------------------------- 1 | rule RAN_ELF_AvosLocker_Jan_2022_1 2 | { 3 | meta: 4 | description = "Detect the ELF version of AvosLocker ransomware (aka AvosLinux)" 5 | author = "Arkbird_SOLG" 6 | date = "2022-01-18" 7 | // Last Update = "2022-03-20" 8 | reference = "https://blog.cyble.com/2022/01/17/avoslocker-ransomware-linux-version-targets-vmware-esxi-servers/" 9 | // new variant, few improvements 10 | hash1 = "d7112a1e1c68c366c05bbede9dbe782bb434231f84e5a72a724cc8345d8d9d13" 11 | // old from January 2021 12 | hash2 = "0cd7b6ea8857ce827180342a1c955e79c3336a6cf2000244e5cfd4279c5fc1b6" 13 | 
hash3 = "7c935dcd672c4854495f41008120288e8e1c144089f1f06a23bd0a0f52a544b1" 14 | tlp = "Clear" 15 | adversary = "RAAS" 16 | strings: 17 | $s1 = { bf [2] 4f 00 31 c0 e8 [2] ff ff bf [2] 4f 00 e8 [2] ff ff bf [3] 00 e8 [2] ff ff bf [3] 00 e8 [2] ff ff [20-26] 89 [3] ff ff [0-8] 48 83 e0 f0 48 29 c4 ?? 8d ?? 24 0f ?? 83 ?? f0 } 18 | $s2 = { 48 8d 54 24 0f 48 8d 35 [2] 03 00 48 89 e7 e8 [2] f3 ff bf 18 00 00 00 e8 [2] f3 ff 48 89 e6 48 89 c7 49 89 c4 e8 ac fa ff ff 48 8b 3c 24 48 83 ef 18 48 3b 3d [2] 2b 00 75 16 48 8b 15 [2] 2b 00 48 8b 35 [2] 2b 00 } 19 | $s3 = { bf [2] 78 00 48 83 ec 10 e8 [2] ff ff ba [2] 4f 00 be [2] 78 00 bf [2] 41 00 e8 [2] ff ff 48 8d 54 24 0f be [2] 4f 00 bf [2] 78 00 e8 [2] ff ff ba [2] 4f 00 be [2] 78 00 bf [2] 41 00 e8 [2] ff ff 48 8d 54 24 0e be [2] 4f 00 bf [2] 78 00 e8 [2] ff ff ba [2] 4f 00 be [2] 78 00 bf [2] 41 00 e8 [2] ff ff 48 8d 54 24 0d be [2] 4f 00 bf [2] 78 00 e8 [2] ff ff ba [2] 4f 00 be [2] 78 00 bf [2] 41 00 e8 [2] ff ff 48 8d 54 24 0c be [2] 4f 00 bf [2] 78 00 e8 [2] ff ff ba [2] 4f 00 be [2] 78 00 bf [2] 41 00 e8 [2] ff ff bf [2] 78 00 e8 [2] 00 00 ba } 20 | $s4 = { 49 83 ?? 08 4c 3b [3] ff ff 74 [2] 8b [2] 10 48 [8-16] ff e8 [2] ff ff 48 85 c0 75 ?? 48 [1-8] 75 c0 [0-3] e8 [2] ff ff 48 85 c0 75 ?? 
eb } 21 | condition: 22 | uint32(0) == 0x464C457F and filesize > 90KB and all of ($s*) 23 | } 24 | -------------------------------------------------------------------------------- /Ransomware/RAN_ELF_Conti_Dec_2022_1.yara: -------------------------------------------------------------------------------- 1 | rule RAN_ELF_Conti_Dec_2022_1 : ransomware conti elf 2 | { 3 | meta: 4 | description = "Detect ELF version of Conti ransomware" 5 | author = "Arkbird_SOLG" 6 | date = "2022-12-10" 7 | reference = "Internal Research" 8 | hash1 = "13fa3e25f69c4e0c8f79208b8ab227d8a43df72b458b4825190d05697656d907" 9 | hash2 = "35ea625eb99697efdeb016192b25c5323ec10b0b33642cd9b2641e058e5e8dc6" 10 | hash3 = "67b96ba4d6d603ae7dee2882f605dd4e1fe38be1e46d9c8a8097af410fe34aa4" 11 | tlp = "Clear" 12 | adversary = "RAAS" 13 | strings: 14 | $s1 = { 48 83 ec 30 48 89 7d d8 c7 45 fc 00 00 00 00 c7 45 f8 00 00 00 00 48 8b 45 d8 8b 40 0c 89 45 f4 48 8b 45 d8 8b 40 0c 89 45 fc 8b 45 fc 48 98 48 89 c7 e8 [2] ff ff 48 89 45 e8 48 8b 45 d8 8b 40 08 ba 00 00 00 00 be 00 00 00 00 89 c7 e8 [2] ff ff 8b 45 fc 48 63 d0 48 8b 45 d8 8b 40 08 48 8b 4d e8 48 89 ce 89 c7 e8 [2] ff ff 48 85 c0 0f 94 c0 84 c0 74 19 48 8d 05 [2] 00 00 48 89 c7 e8 [2] ff ff b8 00 00 00 00 } 15 | $s2 = { 48 83 ec 10 48 89 7d f8 48 8b 45 f8 48 83 c0 58 be 20 00 00 00 48 89 c7 e8 [2] ff ff 83 f8 ff 74 1a 48 8b 45 f8 48 83 c0 50 be 08 00 00 00 48 89 c7 e8 [2] ff ff 83 f8 ff 75 07 b8 01 00 00 00 eb 05 b8 00 00 00 00 84 c0 74 1b 48 8d 05 [2] 00 00 48 89 c7 b8 00 00 00 00 e8 [2] ff ff } 16 | $s3 = { 48 8b 45 e0 0f b6 00 0f b6 d0 48 8b 45 e0 48 83 c0 01 0f b6 00 0f b6 c0 c1 e0 08 09 c2 48 8b 45 e0 48 83 c0 02 0f b6 00 0f b6 c0 c1 e0 10 09 c2 48 8b 45 e0 48 83 c0 03 0f b6 00 0f b6 c0 c1 e0 18 09 c2 48 8b 45 e8 89 50 20 48 8b 45 e0 48 83 c0 04 0f b6 00 0f b6 d0 48 8b 45 e0 48 83 c0 05 0f } 17 | $s4 = { 55 48 89 e5 48 81 ec 20 03 00 00 48 8d 85 e0 fc ff ff 48 8d 15 [2] 00 00 b9 ?? 
00 00 00 48 89 c7 48 89 d6 f3 48 a5 48 } 18 | condition: 19 | uint32(0) == 0x464C457F and filesize > 10KB and all of ($s*) 20 | } 21 | -------------------------------------------------------------------------------- /Ransomware/RAN_ELF_HelloKitty_Dec_2021_1.yara: -------------------------------------------------------------------------------- 1 | rule RAN_ELF_HelloKitty_Dec_2021_1 2 | { 3 | meta: 4 | description = "Detect the ELF version of HelloKitty ransomware" 5 | author = "Arkbird_SOLG" 6 | date = "2021-12-20" 7 | reference = "Internal Research" 8 | hash1 = "754f2022b72da704eb8636610c6d2ffcbdae9e8740555030a07c8c147387a537" 9 | hash2 = "8f3db63f70fad912a3d5994e80ad9a6d1db6c38d119b38bc04890dfba4c4a2b2" 10 | hash3 = "ca607e431062ee49a21d69d722750e5edbd8ffabcb54fa92b231814101756041" 11 | hash4 = "b4f90cff1e3900a3906c3b74f307498760462d719c31d008fc01937f5400fb85" 12 | tlp = "Clear" 13 | adversary = "RAAS" 14 | strings: 15 | $s1 = { 55 73 61 67 65 3a 25 73 20 5b 2d 6d 20 28 [0-2] 31 30 2d 32 30 2d 32 35 2d 33 33 2d 35 30 29 20 [0-5] 5d 20 53 74 61 72 74 20 50 61 74 68 20 0a 00 77 6f 72 6b } 16 | $s2 = "esxcli vm process kill -t=force -w=%d" ascii 17 | $s3 = { 25 6c 64 20 2d 20 46 69 6c 65 73 20 46 6f 75 6e 64 20 20 0a 00 6d 61 69 6e 3a 25 64 0a 00 54 6f 74 61 6c 20 45 6c 61 70 73 65 64 3a 20 25 66 20 73 65 63 6f 6e 64 73 0a 00 54 6f 74 61 6c 20 43 72 79 70 74 65 64 3a 20 25 64 09 45 72 72 6f 72 3a 20 25 64 } 18 | $s4 = { 46 69 6c 65 20 4c 6f 63 6b 65 64 3a 25 73 20 50 49 44 3a 25 64 0a 00 6b 69 6c 6c 20 2d 39 20 25 64 00 65 78 65 63 5f 70 69 70 65 3a 25 73 20 0a 00 65 72 72 6f 72 20 4c 6f 63 6b 20 66 69 6c 65 3a 25 73 0a 00 } 19 | $s5 = { 65 72 72 6f 72 20 6c 6f 63 6b 5f 65 78 63 6c 75 73 69 76 65 6c 79 3a 25 73 20 6f 77 6e 65 72 20 70 69 64 3a 25 64 0a 00 63 72 3a 25 64 20 66 3a 25 73 0a 00 [2-5] 3a 25 64 20 6c 3a 25 64 20 66 3a 25 73 } 20 | condition: 21 | uint32(0) == 0x464C457F and filesize > 30KB and 4 of ($s*) 22 | } 23 | 24 | 
-------------------------------------------------------------------------------- /Ransomware/RAN_ELF_Hive_March_2022_1.yara: -------------------------------------------------------------------------------- 1 | rule RAN_ELF_Hive_March_2022_1 : elf hive v5 x64 2 | { 3 | meta: 4 | description = "Detect ELF version of Hive ransomware (x64 version)" 5 | author = "Arkbird_SOLG" 6 | reference = "https://twitter.com/rivitna2/status/1514552342519107584" 7 | date = "2022-03-26" 8 | // updated 2022-03-14 9 | hash1 = "597537addd7325e32b5da06c67f925daeeb8ed57e9bf46a9037781d636dac909" 10 | hash2 = "058aabdef6b04620902c4354ce40c2e2d8ff2c0151649535c66d870f45318516" 11 | hash3 = "2e52494e776be6433c89d5853f02b536f7da56e94bbe86ae4cc782f85bed2c4b" 12 | tlp = "Clear" 13 | adversary = "RAAS" 14 | strings: 15 | $s1 = { ff 54 1d 00 84 c0 75 43 48 83 c3 10 49 83 c7 ff 75 c6 48 8b 54 24 40 eb 02 31 d2 48 89 d1 48 c1 e1 04 49 03 0c 24 31 c0 49 3b 54 24 08 48 0f 42 c1 73 1c 48 8b } 16 | $s2 = { 48 8d 1d [2] 23 00 49 89 de 49 c1 ee 08 48 c1 e3 38 48 83 cb 28 41 b7 04 80 f9 03 75 54 48 8b 6c 24 18 48 8b 7d 00 48 8b 45 08 ff 10 48 8b 45 08 48 83 78 08 00 74 0a 48 8b 7d 00 ff 15 [2] 23 00 48 8b 7c 24 18 ff 15 [2] 23 00 eb } 17 | $s3 = { 48 8d 05 [2] 23 00 48 89 44 24 10 48 c7 44 24 18 01 00 00 00 48 c7 44 24 20 00 00 00 00 48 8d 05 [3] 00 48 89 44 24 30 48 c7 44 24 38 00 00 00 00 48 8d 74 24 10 4c 89 ff 41 ff d5 3c 03 0f 85 a1 00 00 00 48 89 d3 eb 76 4c 8d 25 [2] 23 00 4c 89 e7 ff 15 [2] 23 00 88 5c 24 0f 48 8d 44 24 0f 48 89 44 24 40 48 8d 05 1e 0c 00 00 48 89 44 24 48 48 8d 05 [2] 23 00 48 89 44 24 10 48 c7 44 24 18 01 00 00 00 48 c7 44 24 20 00 00 00 00 4c 89 74 24 30 48 c7 44 24 38 01 00 00 00 48 8d 74 24 10 4c 89 ff 41 ff d5 49 89 c6 48 89 d3 4c 89 e7 ff 15 [2] 23 00 41 80 fe 03 75 26 48 8b 3b 48 8b 43 08 ff 10 48 8b 43 08 48 83 78 08 00 74 09 48 8b 3b ff 15 } 18 | $s4 = { 49 8b 1f 49 8b 6f 08 48 89 df ff 55 00 48 83 7d 08 00 74 09 48 89 df ff 15 ?? 40 21 00 4c 89 ff ff 15 ?? 
40 21 00 48 8b 44 24 18 f0 48 ff 08 75 0a 48 8d 7c 24 18 e8 cc 00 00 00 49 c1 e6 20 48 8b 44 24 10 f0 48 ff 08 75 0a 48 8d 7c 24 10 e8 ?? f9 ff ff 48 8d 54 24 ?? 4c 89 32 48 c7 42 08 00 00 00 00 48 8d 3d [2] 00 00 48 8d 0d ?? 3b 21 00 4c 8d 05 [2] 21 00 be 2b 00 00 00 eb } 19 | condition: 20 | uint32(0) == 0x464C457F and filesize > 60KB and all of ($s*) 21 | } 22 | -------------------------------------------------------------------------------- /Ransomware/RAN_ELF_Lockbit_Jan_2022_1.yara: -------------------------------------------------------------------------------- 1 | rule RAN_ELF_Lockbit_Jan_2022_1 2 | { 3 | meta: 4 | description = " Detected ELF version of Lockbit ransomware" 5 | author = "Arkbird_SOLG" 6 | reference = "https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html" 7 | date = "2022-01-27" 8 | hash1 = "67df6effa1d1d0690c0a7580598f6d05057c99014fcbfe9c225faae59b9a3224" 9 | hash2 = "ee3e03f4510a1a325a06a17060a89da7ae5f9b805e4fe3a8c78327b9ecae84df" 10 | hash3 = "f3a1576837ed56bcf79ff486aadf36e78d624853e9409ec1823a6f46fd0143ea" 11 | tlp = "Clear" 12 | adversary = "RAAS" 13 | strings: 14 | $s1 = { be b0 00 00 00 bf 01 00 00 00 e8 [2] ff ff 48 85 c0 48 89 c3 74 ba 48 8d 78 10 31 f6 4c 89 a0 a0 00 00 00 4c 8d ac 24 88 00 00 00 31 ed e8 [2] ff ff 48 8d 7b 38 31 f6 e8 [2] ff ff 48 8d 7b 68 31 f6 e8 [2] ff ff 48 c7 03 00 00 00 00 48 c7 43 08 00 00 00 00 90 31 f6 48 89 d9 ba [2] 40 00 4c 89 ef 48 83 c5 01 e8 [2] ff ff 48 8b bc 24 88 00 00 00 e8 [2] ff ff } 15 | $s2 = { 48 81 ec 58 08 00 00 48 8d 5c 24 30 4c 8d ?? 24 30 04 00 00 4c 8d bc 24 48 08 00 00 e8 [2] ff ff 89 c7 4c 8d ?? 24 30 08 00 00 e8 } 16 | $s3 = { 49 8b 75 00 31 ff 4d 89 f9 45 89 f0 b9 02 00 00 00 ba 03 00 00 00 e8 [2] ff ff 48 83 f8 ff 49 89 c4 0f 84 ?? ff ff ff 48 83 c4 38 4c 89 } 17 | $s4 = { 48 8d b4 24 c8 07 00 00 48 89 d7 e8 ?? 
ee ff ff 4c 8b 8c 24 e8 06 00 00 4c 8b 84 24 c8 07 00 00 48 89 c1 48 8b 94 24 c0 06 00 00 44 89 ?? 48 89 df e8 ?? f7 ff ff e9 ?? ff ff ff 0f 1f ?? 00 } 18 | condition: 19 | uint32(0) == 0x464C457F and filesize > 120KB and all of ($s*) 20 | } 21 | -------------------------------------------------------------------------------- /Ransomware/RAN_ELF_Royal_Feb_2022_1.yara: -------------------------------------------------------------------------------- 1 | rule RAN_ELF_Royal_Feb_2022_1 : royal ransomware x64 elf 2 | { 3 | meta: 4 | description = "Detect ELF version of Royal ransomware" 5 | author = "Arkbird_SOLG" 6 | reference = "https://twitter.com/BushidoToken/status/1621087221905514496" 7 | date = "2022-02-04" 8 | hash1 = "06abc46d5dbd012b170c97d142c6b679183159197e9d3f6a76ba5e5abf999725" 9 | hash2 = "b64acb7dcc968b9a3a4909e3fddc2e116408c50079bba7678e85fee82995b0f4" 10 | hash3 = "b57e5f0c857e807a03770feb4d3aa254d2c4c8c8d9e08687796be30e2093286c" 11 | tlp = "clear" 12 | adversary = "RAAS" 13 | strings: 14 | $s1 = { 48 83 ec 60 48 89 7d 98 bf 20 0c 82 00 e8 06 f6 ff ff 48 89 45 d8 48 83 7d d8 00 75 0a b8 00 00 00 00 e9 5c 02 00 00 bf 00 a0 0f 00 e8 cf d5 ff ff 48 89 45 e0 48 83 7d e0 00 75 0b b8 00 00 00 00 e9 3d 02 00 00 90 bf 60 36 82 00 e8 2f dd ff ff bf 40 36 82 00 e8 43 07 00 00 48 85 c0 0f 94 c0 84 c0 74 1c be 60 36 82 00 bf a0 36 82 00 e8 6c db ff ff bf 60 36 82 00 e8 e2 dd ff ff } 15 | $s2 = { ba 00 01 00 00 be 00 00 00 00 48 89 c7 e8 17 e8 ff ff 8b 45 ec 48 63 d0 48 8b 4d d8 48 8d 85 30 fe ff ff 48 89 ce 48 89 c7 e8 8b ed ff ff 48 8d 85 30 fa ff ff ba 00 04 00 00 be 00 00 00 00 48 89 c7 e8 e2 e7 ff ff 48 8d 95 30 fe ff ff 48 8d 85 30 fa ff ff be f0 0d 58 00 48 89 c7 b8 00 00 00 00 e8 f2 eb ff ff e8 cd ef ff ff 89 45 c8 83 7d c8 00 75 33 48 8d 85 30 fa ff ff 41 b8 00 00 00 00 48 89 c1 ba dd 0d 58 00 be e0 0d 58 00 bf e0 0d 58 00 b8 00 00 00 00 e8 eb e9 ff ff bf } 16 | $s3 = { 48 81 ec c8 05 00 00 e8 ae f1 ff ff 89 45 c8 83 7d c8 00 75 2e 41 b8 00 00 00 00 b9 bf 
0d 58 00 ba dd 0d 58 00 be e0 0d 58 00 bf e0 0d 58 00 b8 00 00 00 00 e8 d1 eb ff ff bf 00 } 17 | $s4 = { 48 8b 45 e8 48 83 c0 13 be 4e 0e 58 00 48 89 c7 e8 db e9 ff ff 48 85 c0 0f 85 28 01 00 00 48 8b 45 e8 48 83 c0 13 be 53 0e 58 00 48 89 c7 e8 bd e9 ff ff 48 85 c0 0f 85 0d 01 00 00 48 8b 45 e8 48 83 c0 13 be 5e 0e 58 00 48 89 c7 e8 4f eb ff ff } 18 | condition: 19 | uint32(0) == 0x464C457F and filesize > 30KB and all of ($s*) 20 | } 21 | -------------------------------------------------------------------------------- /Ransomware/RAN_ESXI_Hive_Oct_2022_1.yara: -------------------------------------------------------------------------------- 1 | rule RAN_ESXI_Hive_Oct_2022_1 : esxii hive v5 x64 2 | { 3 | meta: 4 | description = "Detect Rust version of Hive v5.4 ransomware (x64 version) used against ESXI servers" 5 | author = "Arkbird_SOLG" 6 | reference = "Internal Research" 7 | date = "2022-10-30" 8 | hash1 = "a0a87db436f4dd580f730d7cbe7df9aa7d94a243aab1e600f01cde573c8d10b8" 9 | hash2 = "f78fdb894624b1388c1c3ec1600273d12d721da5171151d6606a625acf36ac30" 10 | tlp = "Clear" 11 | adversary = "RAAS" 12 | strings: 13 | $x1 = { 00 00 00 48 8d ?? 24 98 02 00 00 48 8d 35 [2] 04 00 e8 [2] 03 00 48 8b 84 24 a8 02 00 00 48 8d 4c 24 54 48 89 41 10 0f 10 84 24 98 02 00 00 0f 11 01 48 8b b4 24 60 02 00 00 48 3b b4 24 58 02 00 00 75 15 48 8d bc 24 50 02 00 00 e8 [2] ff ff 48 8b b4 24 60 02 00 00 48 8b 84 24 50 02 00 00 48 89 f1 48 c1 e1 05 44 89 24 08 0f 10 44 24 50 0f 10 4c 24 5c 0f 11 44 08 04 } 14 | $x2 = { bf fd 02 00 00 41 b8 06 00 00 00 be 01 00 00 00 ba 01 00 00 00 [14-24] ff ff 84 c0 0f 85 [2] 00 00 48 89 ?? 
48 8d 35 [3] 00 48 8d 15 } 15 | $s1 = { 2f 70 72 6f 63 2f 73 65 6c 66 2f 65 78 65 6e 6f 20 2f 70 72 6f 63 2f 73 65 6c 66 2f 65 78 65 20 61 76 61 69 6c 61 62 6c 65 2e 20 49 73 20 2f 70 72 6f 63 20 6d 6f 75 6e 74 65 64 3f 5c 78 } 16 | $s2 = { 2f 75 73 72 2f 6c 69 62 2f 64 65 62 75 67 2f 75 73 72 2f 6c 69 62 2f 64 65 62 75 67 2f 2e 62 75 69 6c 64 2d 69 64 2f 2e 64 65 62 75 67 5f 5f 70 74 68 72 65 61 64 5f 67 65 74 5f 6d 69 6e 73 74 61 63 6b } 17 | condition: 18 | uint32(0) == 0x464C457F and filesize > 60KB and all of ($s*) and 1 of ($x*) 19 | } 20 | -------------------------------------------------------------------------------- /Ransomware/RAN_EXX_Dec_2021_1.yara: -------------------------------------------------------------------------------- 1 | rule RAN_EXX_Dec_2021_1 2 | { 3 | meta: 4 | description = "Detect EXX ransomware" 5 | author = "Arkbird_SOLG" 6 | reference = "Internal Research" 7 | date = "2021-12-23" 8 | hash1 = "c0f07b493cc32ffcbb4ca1ca92f5752c4040b1d0be7b69981c22a27f69cfb890" 9 | hash2 = "fa28436aaf459d16215dd2d96ea5756c09198216c52d90a7a20abde4e826909b" 10 | tlp = "Clear" 11 | adversary = "EXX" 12 | strings: 13 | $s1 = { 68 00 00 00 f0 6a 01 53 53 8d 45 f8 50 ff 15 04 60 ?? 00 85 c0 74 6a 8b 45 f8 85 c0 74 63 8d 4d fc 51 53 53 68 03 80 00 00 50 ff 15 08 60 ?? 00 85 c0 74 4d 8b 45 fc 85 c0 74 54 8b 55 08 53 52 56 50 ff 15 10 60 ?? 00 85 c0 74 35 8b 55 fc 8b 35 00 60 ?? 00 53 8d 45 f0 50 8d 4d f4 51 6a 04 52 ff d6 85 } 14 | $s2 = { e8 6f 32 00 00 8b 3d 44 61 ?? 00 68 84 01 00 00 6a 08 c7 45 fc 04 01 00 00 ff d7 50 ff 15 3c 61 ?? 00 8b f0 85 f6 74 51 53 8b 1d 18 61 ?? 00 8d 45 fc 50 56 ff d3 85 c0 75 3e ff 15 d4 60 ?? 00 83 f8 6f 75 33 8b 45 fc 85 c0 75 0f 56 50 ff d7 50 ff } 15 | $s3 = { 68 0c 04 00 00 8d 8d e8 fb ff ff 57 51 c7 05 f0 4b ?? 00 50 31 ?? 00 89 bd e4 fb ff ff e8 d5 f5 00 00 83 c4 0c 68 d8 39 ?? 00 68 04 01 00 00 89 7d f8 ff 15 ac 60 ?? 00 85 c0 0f 84 41 01 00 00 33 c0 b9 5c 00 00 00 66 39 88 d8 39 ?? 00 75 09 33 d2 66 89 90 d8 39 ?? 
00 83 c0 02 3d 08 02 00 00 72 e4 66 39 3d d8 39 ?? 00 8b 3d 34 61 ?? 00 53 8b 1d d8 60 ?? 00 56 be d8 39 ?? 00 74 67 8d 45 fc 50 6a 00 56 68 f0 1c ?? 00 6a 00 6a 00 c7 45 fc 00 00 00 00 ff d7 85 c0 75 1d 68 e8 03 00 00 ff d3 8d 4d fc 51 6a 00 56 68 f0 1c ?? 00 6a 00 6a 00 ff } 16 | $s4 = { 56 ff 15 00 62 ?? 00 a1 fc 0e ?? 00 8b 1d 28 62 ?? 00 50 56 ff d3 0f 31 50 8d 4d ac 68 88 9b ?? 00 51 ff 15 44 62 ?? 00 83 c4 0c 8d 55 ac 52 56 ff d3 68 80 00 00 00 57 ff 15 ec 60 ?? 00 6a 00 68 80 00 00 08 6a 03 6a 00 6a 00 68 00 00 00 c0 57 ff 15 60 60 ?? 00 8b d8 83 fb ff 0f 84 c2 01 00 00 33 c0 89 45 f0 89 45 f4 8d 45 f0 50 53 ff 15 54 61 ?? 00 8b 4d f0 8b 45 f4 8b d1 0b d0 0f 84 78 01 00 00 85 c0 0f 8c 70 01 00 00 7f 09 83 } 17 | condition: 18 | uint16(0) == 0x5A4D and filesize > 80KB and all of ($s*) 19 | } -------------------------------------------------------------------------------- /Ransomware/RAN_GlobeImposter_Dec_2021_1.yara: -------------------------------------------------------------------------------- 1 | rule RAN_GlobeImposter_Dec_2021_1 2 | { 3 | meta: 4 | description = "Detect GlobeImposter ransomware (reuse old build)" 5 | author = "Arkbird_SOLG" 6 | reference = "Internal Research" 7 | date = "2021-12-22" 8 | hash1 = "70fa0e970a0c29da67b5f1468996eecf7116256c2b7212fb6667b0fb92ad839d" 9 | hash2 = "39f5b60188d49196e6c10271a084a755f9553190898438b15107cdb950a4bbde" 10 | tlp = "Clear" 11 | adversary = "GlobeImposter" 12 | strings: 13 | $s1 = { b8 08 10 00 00 e8 c0 0d 00 00 53 56 57 8d 44 24 0c 33 f6 50 68 19 00 02 00 56 bf 48 20 40 00 bb 01 00 00 80 57 53 ff 15 04 10 40 00 85 c0 0f 85 87 00 00 00 55 8d 44 24 14 c7 44 24 14 00 08 00 00 50 8d 44 24 1c bd ac 20 40 00 50 56 56 55 ff 74 24 24 ff 15 00 10 40 00 ff b4 24 1c 10 00 00 8d 44 24 1c 50 ff 15 64 10 40 00 85 c0 74 41 56 8d 44 24 14 50 56 68 06 00 02 00 6a 01 56 56 57 53 ff 15 08 10 40 00 85 c0 75 25 ff b4 24 1c 10 00 00 ff 15 2c 10 40 00 03 c0 50 ff b4 24 20 10 00 00 6a 01 56 55 ff 74 24 24 ff 15 1c 10 40 00 ff 
74 24 10 ff 15 0c 10 40 00 5d 5f 5e 5b 81 c4 08 10 00 00 } 14 | $s2 = { eb 2f 56 ff 75 0c 8b 75 10 56 ff 75 14 ff 15 10 10 40 00 53 ff 75 14 85 c0 75 0b ff 15 14 10 40 00 6a c4 58 eb 0a ff 15 14 10 40 00 89 37 33 c0 } 15 | $s3 = { 8d 85 c4 ef ff ff 50 ff d6 8d 85 c4 cf ff ff c7 45 c4 3c 00 00 00 89 45 d4 8d 85 c4 ef ff ff 6a 40 89 45 d8 8d 45 c4 5e 50 89 7d cc c7 45 d0 38 20 40 00 89 7d dc 89 7d e0 89 75 c8 ff 15 e0 10 40 00 85 c0 74 40 56 ff 75 fc 8b 35 a4 10 40 00 ff d6 68 00 01 00 00 57 ff 15 38 10 40 00 50 ff d6 6a 0f 57 ff 15 44 10 40 00 50 ff 15 48 10 40 00 57 8d 85 c4 df ff ff 50 6a 05 6a 04 ff 15 dc 10 } 16 | $s4 = { 8b f0 56 68 00 08 00 00 ff 15 84 10 40 00 57 33 db 53 68 f4 1f 40 00 56 ff 15 88 10 40 00 68 fc 1f 40 00 57 ff 15 70 10 40 00 53 68 80 00 00 00 6a 02 53 53 68 00 00 00 40 57 ff 15 30 10 40 00 83 f8 ff 74 1d 50 6a 20 68 24 11 40 00 68 d0 01 00 00 68 58 13 40 00 e8 5c f6 ff ff 57 e8 42 fe } 17 | condition: 18 | uint16(0) == 0x5A4D and filesize > 30KB and all of ($s*) 19 | } 20 | 21 | -------------------------------------------------------------------------------- /Ransomware/RAN_Grief_Dec_2021_1.yara: -------------------------------------------------------------------------------- 1 | rule RAN_Grief_Dec_2021_1 { 2 | meta: 3 | description = "Detect Grief ransomware" 4 | author = "Arkbird_SOLG" 5 | reference = "Internal Research" 6 | date = "2021-12-22" 7 | hash1 = "b21ad8622623ce4bcdbf8c5794ef93e2fb6c46cd202d70dbeb088ea6ca4ff9c8" 8 | hash2 = "dda4598f29a033d2ec4f89f4ae687e12b927272462d25ca1b8dec4dc0acb1bec" 9 | hash3 = "c984451734c5ce00b12ac43741a59e52cb2e2949c703373e817275b85b8b2f61" 10 | tlp = "Clear" 11 | adversary = "Grief" 12 | level = "Experimental" 13 | strings: 14 | $s1 = { 83 e4 f8 81 ec ?? 00 00 00 8b 45 0c 8b 4d 08 c7 84 24 ?? 00 00 00 [4] c7 ?? 24 ?? 00 00 00 00 } 15 | $s2 = { e8 [3] 00 c7 44 24 ?? 
1b 09 00 00 8b 44 24 2c 89 04 24 c7 44 24 04 00 00 00 00 c7 44 24 08 08 00 00 00 e8 [3] 00 } 16 | $s3 = { 31 c9 ba 08 00 00 00 be 14 00 00 00 8d 7c 24 ?? 89 3c 24 c7 44 24 04 00 00 00 00 c7 44 24 08 14 00 00 00 89 44 24 ?? 89 4c 24 ?? 89 54 24 ?? 89 74 24 [5] 00 c7 84 24 8c 00 00 00 1b 09 00 00 } 17 | $s4 = { 31 d2 89 e8 42 01 05 [3] 10 89 d8 42 01 05 [3] 10 89 f0 01 05 [3] 10 e8 [3] ff b8 00 00 00 00 b8 00 00 00 00 40 40 b8 00 00 00 00 b8 00 00 00 00 b8 00 00 00 00 b8 00 00 00 00 b8 00 00 00 00 b8 00 00 00 00 b8 00 00 00 00 b8 00 00 00 00 b8 00 00 00 00 b8 00 00 00 00 b8 00 00 00 00 b8 00 00 00 00 b8 00 00 00 00 b8 00 00 00 00 b8 00 00 00 00 b8 00 00 00 00 b8 00 00 00 00 b8 00 00 00 00 b8 00 00 00 00 b8 00 00 00 00 b8 00 00 00 00 b8 00 00 00 00 b8 00 00 00 00 b8 00 00 00 00 b8 00 00 00 00 b8 00 00 00 00 b8 00 00 00 00 b8 00 00 00 00 b8 00 00 00 00 b8 00 00 00 00 b8 00 00 00 00 b8 00 00 00 00 b8 00 00 00 00 b8 00 00 00 00 b8 00 00 00 00 } 18 | condition: 19 | uint16(0) == 0x5A4D and filesize > 80KB and all of ($s*) 20 | } 21 | 22 | -------------------------------------------------------------------------------- /Ransomware/RAN_Hades_Dec_2021_1.yara: -------------------------------------------------------------------------------- 1 | rule RAN_Hades_Dec_2021_1 2 | { 3 | meta: 4 | description = "Detect the Hades ransomware" 5 | author = "Arkbird_SOLG" 6 | date = "2021-12-21" 7 | reference = "Internal Research" 8 | hash1 = "5eea7bdaad184396c6fc37909eaca623d79aa960b4e06078bdcbe0e904685a9d" 9 | hash2 = "fbb3316fa6994fd3c19dd45b98ffa5ff2c6249c08fcd832fa912bc305dcd8ffc" 10 | tlp = "Clear" 11 | adversary = "Hades" 12 | strings: 13 | $s1 = { 48 83 ec 58 8b 0d [3] 00 ba 01 14 00 00 ff 15 [3] 00 48 85 c0 74 07 33 c0 e9 c1 3b 00 00 48 8b 05 [3] 00 48 89 44 24 30 c7 44 24 3c 2c 01 00 00 c7 44 24 38 01 00 00 00 33 c9 ff 15 [3] 00 48 89 05 [3] 00 48 8b 05 [3] 00 48 63 48 3c 48 8b 05 [3] 00 48 03 c1 48 89 05 [3] 00 48 8d 44 24 3c 48 89 44 24 28 48 8d 05 [3] 00 48 89 44 24 20 4c 8d 
4c 24 38 45 33 c0 48 8d 15 [3] 00 48 8b 0d [3] 00 ff 54 24 30 48 85 c0 74 05 e8 5e ff ff ff 48 8d 05 [2] 00 00 48 89 05 [3] 00 48 8b 05 [3] 00 48 83 c0 04 48 89 05 [3] 00 48 c7 44 24 48 [3] 00 48 c7 44 24 48 [3] 00 48 c7 44 24 48 [3] 00 48 c7 44 24 48 [3] 00 48 c7 44 24 48 [3] 00 48 c7 44 24 48 [3] 00 48 c7 44 24 48 [3] 00 48 c7 44 24 48 [3] 00 48 c7 44 24 48 [3] 00 48 c7 44 24 48 [3] 00 48 c7 44 24 48 [3] 00 48 c7 44 24 48 [3] 00 48 c7 44 24 48 [3] 00 48 c7 44 24 48 } 14 | $s2 = { 48 83 ec 58 48 c7 44 24 38 ff ff ff ff c7 44 24 30 [2] 00 00 8b 05 [3] 00 89 44 24 4c 48 } 15 | $s3 = { 48 89 05 [3] 00 b9 02 00 00 00 e8 [2] ff ff 89 05 [3] 00 48 8d 0d [3] 00 ff 15 [3] 00 48 8d 15 [3] 00 48 8b c8 ff 15 [3] 00 48 89 05 [3] 00 b9 01 00 00 00 e8 [3] ?? c7 05 [3] 00 00 00 00 00 8b 05 [3] 00 89 05 [3] 00 c7 05 [3] 00 ?? 00 00 00 c7 44 24 ?? 00 00 00 00 } 16 | $s4 = { cc cc cc cc cc cc cc 48 8b 05 [3] 00 48 89 05 [3] 00 c3 cc } 17 | condition: 18 | uint16(0) == 0x5A4D and filesize > 90KB and all of ($s*) 19 | } -------------------------------------------------------------------------------- /Ransomware/RAN_HelloKitty_Dec_2021_1.yara: -------------------------------------------------------------------------------- 1 | rule RAN_HelloKitty_Dec_2021_1 2 | { 3 | meta: 4 | description = "Detect the HelloKitty ransomware" 5 | author = "Arkbird_SOLG" 6 | date = "2021-12-20" 7 | reference = "Internal Research" 8 | hash1 = "c7d6719bbfb5baaadda498bf5ef49a3ada1d795b9ae4709074b0e3976968741e" 9 | hash2 = "947e357bfdfe411be6c97af6559fd1cdc5c9d6f5cea122bf174d124ee03d2de8" 10 | hash3 = "9a7daafc56300bd94ceef23eac56a0735b63ec6b9a7a409fb5a9b63efe1aa0b0" 11 | tlp = "Clear" 12 | adversary = "RAAS" 13 | strings: 14 | $s1 = { 68 00 00 00 f0 6a 01 6a 00 6a 00 50 c7 06 00 00 00 00 ff 15 08 20 ?? 00 85 c0 75 08 b8 c4 ff ff ff 5e 5d c3 57 ff 75 0c 8b 7d 10 57 ff 75 14 ff 15 00 20 ?? 00 6a 00 ff 75 14 85 c0 75 0f ff 15 04 20 ?? 00 5f b8 c4 ff ff ff 5e 5d c3 ff 15 04 20 ?? 
00 89 3e 33 c0 5f } 15 | $s2 = { 56 68 [3] 00 68 [3] 00 68 [3] 00 6a 14 e8 [2] ff ff 8b f0 83 c4 10 85 f6 74 15 ff 75 10 8b ce ff 75 0c ff 75 08 ff 15 [3] 00 ff d6 eb 0c ff 75 0c ff 75 08 ff 15 [3] 00 8b 4d fc 33 cd 5e e8 [2] ff ff 8b e5 } 16 | $s3 = { 0f b6 c0 2b cb 41 f7 d8 68 40 01 00 00 1b c0 23 c1 89 85 b4 fe ff ff 8d 85 bc fe ff ff 57 50 e8 [2] ff ff 83 c4 0c 8d 85 bc fe ff ff 57 57 57 50 57 53 ff 15 ?? 21 ?? 00 8b f0 8b 85 b8 fe ff ff 83 fe ff 75 2d 50 57 57 53 e8 9f fe ff ff 83 c4 10 8b f8 83 fe ff 74 07 56 ff 15 [3] 00 8b c7 8b 4d fc 5f 5e 33 cd 5b e8 [2] ff ff 8b e5 5d c3 8b 48 04 2b 08 c1 f9 02 89 8d b0 fe ff ff 80 bd e8 fe ff ff 2e 75 18 8a 8d e9 fe ff ff 84 c9 74 29 80 f9 2e 75 09 80 bd ea fe ff ff 00 74 1b 50 ff b5 b4 fe ff ff 8d 85 e8 fe ff ff 53 50 e8 38 fe ff ff 83 c4 10 85 c0 75 95 8d 85 bc fe ff ff 50 56 ff 15 ?? 21 ?? 00 85 c0 8b 85 b8 fe ff ff 75 ac 8b 10 8b 40 04 8b 8d b0 fe ff ff 2b c2 c1 f8 02 3b c8 0f 84 67 ff ff ff 68 [3] 00 2b c1 6a 04 50 8d 04 8a 50 e8 [2] 00 00 83 c4 } 17 | $s4 = { 56 e8 ac ff ff ff 59 57 57 57 8b d8 57 2b de d1 fb 53 56 57 57 ff 15 [3] 00 89 45 fc 85 c0 74 34 50 e8 [2] ff ff 8b f8 59 85 ff 74 1c 33 c0 50 50 ff 75 fc 57 53 56 50 50 ff 15 [3] 00 85 } 18 | condition: 19 | uint16(0) == 0x5A4D and filesize > 30KB and all of ($s*) 20 | } 21 | 22 | -------------------------------------------------------------------------------- /Ransomware/RAN_Hive_March_2022_1.yara: -------------------------------------------------------------------------------- 1 | rule RAN__Hive_March_2022_1 : hive v5 x64 2 | { 3 | meta: 4 | description = "Detect Rust version of Hive ransomware (x64 version)" 5 | author = "Arkbird_SOLG" 6 | reference = "https://twitter.com/rivitna2/status/1514552342519107584" 7 | date = "2022-03-26" 8 | //updated 2022-04-14 9 | hash1 = "4587e7d8e56a7694aa1881443312c1774da551459d3a48315acd0c694bcf87a" 10 | hash2 = "1841ca56006417e6220a857f66c8e6539502d5e9f539cf337b83a25c15d17a50" 11 | hash3 = 
"efdbfcb717b109b816e2d2f99c0d923803c70dd08fb9feb747eb90774e86116e" 12 | tlp = "Clear" 13 | adversary = "RAAS" 14 | strings: 15 | $s1 = { 48 83 ec 38 48 89 cf 48 8d 71 38 48 89 f1 e8 [2] 04 00 48 8b 05 [2] 05 00 48 c1 e0 01 48 85 c0 75 13 31 d2 8a 47 40 84 c0 75 16 48 89 f0 48 83 c4 38 5f 5e c3 e8 [3] 00 89 c2 80 f2 01 eb e3 4c 8d 44 24 28 49 89 30 41 88 50 08 48 8d 05 [3] 00 48 89 44 24 20 48 8d 0d [3] 00 4c 8d 0d [3] 00 ba 2b 00 00 00 } 16 | $s2 = { 48 8b 0d [3] 00 31 d2 e8 [3] 00 b0 01 48 81 c4 f8 06 00 00 5b 5d 5f 5e 41 5c 41 5d 41 5e 41 5f c3 4c 8d 05 [3] 00 31 c9 31 d2 e8 [3] 00 48 85 c0 74 a8 48 89 c7 31 c0 f0 48 0f b1 3d } 17 | $s3 = { 48 c7 44 24 38 00 00 00 00 c7 44 24 30 00 00 00 00 c7 44 24 28 00 10 00 00 c7 44 24 20 00 10 00 00 ?? 89 ?? 8b 94 24 ?? 00 00 00 [0-1] 8b ?? 24 [2-5] 89 ?? 41 b9 01 00 00 00 e8 [2] 00 00 [0-3] 48 83 } 18 | $s4 = { 48 8d 6c 24 40 48 89 45 00 48 89 55 08 66 c7 45 10 00 00 c7 45 18 01 00 00 00 ?? 8d ?? 24 [2-5] 89 ?? 48 89 ea e8 [3] 00 ?? 8b ?? 48 89 ?? 24 30 ?? 89 ?? 
24 28 4c 89 64 24 20 48 89 f1 31 d2 4d 89 f0 41 b9 ff ff ff ff e8 } 19 | condition: 20 | uint16(0) == 0x5A4D and filesize > 60KB and all of ($s*) 21 | } 22 | -------------------------------------------------------------------------------- /Ransomware/RAN_Hive_March_2022_2.yara: -------------------------------------------------------------------------------- 1 | rule RAN_Hive_March_2022_2 : hive v5 x86 2 | { 3 | meta: 4 | description = "Detect Rust version of Hive ransomware (x86 version)" 5 | author = "Arkbird_SOLG" 6 | reference = "Internal Research" 7 | date = "2022-03-27" 8 | hash1 = "206de75058a7dfa0b96784965baab63a137f2e89a97e623842e7d0bb3f12c2fc" 9 | hash2 = "a464ae4b0a75d8673cc95ea93c56f0ee11120f71726cc891f9c7e8d4bec53625" 10 | hash3 = "8b8814921dc2b2cb6ea3cfc7295803c72088092418527c09b680332c92c33f1f" 11 | hash4 = "bd7f4d6a3f224536879cca70b940b16251c56707124d52fb09ad828a889648cd" 12 | tlp = "Clear" 13 | adversary = "RAAS" 14 | strings: 15 | $s1 = { 5c 00 5c 00 3f 00 5c 00 00 00 5c 00 5c 00 3f 00 5c 00 55 00 4e 00 43 00 5c 00 5c 5c 2e 5c 70 69 70 65 5c 5f 5f [4] 5f 61 6e 6f 6e 79 6d 6f 75 73 5f 70 69 70 65 31 5f 5f 2e [3] 00 [3] 00 } 16 | $s2 = { b0 01 8d 65 f4 5e 5f 5b 5d c3 68 [3] 00 6a 00 6a 00 e8 [2] 00 00 85 c0 74 ?? 89 c1 31 c0 f0 0f b1 0d [3] 00 0f 84 ?? fd ff ff 89 c6 51 e8 [2] 00 00 89 f1 e9 ?? fd ff ff 80 7c 24 0e 00 75 4e 8b 4f 18 8b 57 1c c7 84 24 80 01 00 00 [3] 00 c7 84 24 84 01 00 00 01 00 00 00 c7 84 24 88 01 00 00 00 00 00 00 c7 84 24 90 01 00 00 } 17 | $s3 = { a1 [3] 00 85 c0 75 37 0f 57 c0 0f 29 44 24 40 6a 02 6a 10 8d 44 24 48 50 6a 00 e8 [2] 00 00 85 c0 0f 85 ?? 07 00 00 8b 44 24 40 87 05 [3] 00 eb cb 66 2e 0f 1f 84 00 00 00 00 00 90 b8 01 00 00 00 8d 8c 24 ?? 00 00 00 8d } 18 | $s4 = { a1 [3] 00 89 45 d4 c7 45 d8 00 00 00 00 89 45 cc c7 45 dc 00 00 00 00 6a 00 6a 08 e8 [2] 00 00 83 f8 ff 0f 84 ?? 02 00 00 89 ?? 8d 85 ?? fb ff ff 68 24 04 00 00 6a 00 50 e8 [2] 00 00 83 c4 0c 8d 85 ?? fb ff ff c7 85 ?? fb ff ff 28 04 00 00 50 ?? 
e8 [2] 00 00 83 f8 01 0f 85 ?? 02 00 00 c7 45 d0 00 00 00 00 89 ?? c0 [13] 8b [2] 8b } 19 | condition: 20 | uint16(0) == 0x5A4D and filesize > 60KB and all of ($s*) 21 | } 22 | -------------------------------------------------------------------------------- /Ransomware/RAN_Hive_Sept_2022_1.yara: -------------------------------------------------------------------------------- 1 | rule RAN_Hive_Sept_2022_1 : hive v5 x64 2 | { 3 | meta: 4 | description = "Detect Rust version of Hive v5.4 ransomware (x64 version)" 5 | author = "Arkbird_SOLG" 6 | reference = "https://twitter.com/rivitna2/status/1570457232088637441" 7 | date = "2022-09-18" 8 | // updated 2022-10-29 9 | // -> https://twitter.com/rivitna2/status/1586366397156065280 10 | hash1 = "985c20ab57daa2d8135833f83bb48aebbaee96082dabed5e78329b9fe0b902d7" 11 | hash2 = "f0e8eeb7582943e3dbb78f3d39e265998e7c82f0ff368603e09382b8f2aa0f80" 12 | hash3 = "3d984c6d23e6b1440dbc5a3c717ce6b068318e625cedc61b3efdcada82d6861f" 13 | tlp = "Clear" 14 | adversary = "RAAS" 15 | strings: 16 | $s1 = { b9 0c 00 00 00 48 89 8b 40 03 00 00 48 8b ac 24 ?? 08 00 00 48 89 ab 48 03 00 00 48 8b ac 24 ?? 08 00 00 48 89 ab 50 03 00 00 48 89 8b 58 03 00 00 [6] 00 [6] 00 00 48 } 17 | $s2 = { 48 89 84 24 [2] 00 00 48 89 94 24 [2] 00 00 66 c7 84 24 [2] 00 00 00 00 c7 84 24 [2] 00 00 01 00 00 00 4c 89 f9 48 8d 94 24 [2] 00 00 e8 [3] ff 48 83 bc 24 [2] 00 00 00 74 16 4c 8b 84 24 [2] 00 00 48 8b 0d [3] 00 31 d2 e8 [3] 00 48 8b 8c 24 [2] 00 00 48 89 f2 e8 [3] 00 4c 89 f9 e8 [3] ff 4d 85 e4 74 11 48 8b 0d [3] 00 31 d2 49 89 e8 e8 [3] 00 48 89 d9 48 89 f2 41 b8 00 7d 00 00 e8 [3] 00 85 c0 0f 85 d8 fe ff ff 48 89 d9 e8 [3] 00 48 8d 8c 24 ?? 
00 00 00 e8 [3] ff 48 8d 8c 24 [2] 00 00 e8 [3] ff 48 8d b4 24 [2] 00 00 48 8b 0e 48 8b 56 10 e8 [3] ff } 18 | $s3 = { 48 01 c2 48 8d 6c 24 40 48 89 45 00 48 89 55 08 66 c7 45 10 00 00 c7 45 18 01 00 00 00 48 8d bc 24 48 01 00 00 48 89 f9 48 89 ea e8 [2] 00 00 48 8b 0f 48 89 5c 24 30 4c 89 64 24 28 4c 89 7c 24 20 31 d2 4d 89 f0 41 b9 ff ff ff ff e8 [2] 0a 00 85 c0 0f 85 ?? 06 00 00 48 8b 8c 24 98 00 00 00 8b 84 24 8c 00 00 00 48 85 c0 0f 84 ?? 06 00 00 48 89 b4 24 d0 00 00 00 48 8d 04 c1 48 89 84 24 d8 00 00 00 0f 57 f6 41 ?? ff ff 00 00 49 ?? 00 00 00 00 00 00 01 00 48 8d 6c 24 70 } 19 | $s4 = { 48 8b b4 24 b0 00 00 00 48 8b 9c 24 b8 00 00 00 c7 44 24 28 03 00 00 00 48 c7 44 24 20 00 00 00 00 31 c9 31 d2 } 20 | condition: 21 | uint16(0) == 0x5A4D and filesize > 60KB and all of ($s*) 22 | } 23 | -------------------------------------------------------------------------------- /Ransomware/RAN_LikeAHorse_Dec_2021_1.yara: -------------------------------------------------------------------------------- 1 | rule RAN_LikeAHorse_Dec_2021_1 2 | { 3 | meta: 4 | description = "Detect LikeAHorse ransomware (variant of GarrantDecrypt)" 5 | author = "Arkbird_SOLG" 6 | reference = "https://twitter.com/fbgwls245/status/1475677726988447746" 7 | hash1 = "6d2efda037fe23b1fe3a5bae44f5b9f7ddfdf621c5df6cb6999d801bbdf79b0f" 8 | hash2 = "5378249a2b439e92691fb87751adc9fc4e2dea1792309d695b7f1d9c6887b09d" 9 | hash3 = "6b0c2165483426a7ca50fbdc7b9403f75e03bc0e1117837054a36c0a98a400cf" 10 | hash4 = "7f4dba54da91c99423b5862088da784363c7edc76d63e26d72270cd1fdf6dbec" 11 | date = "2021-12-28" 12 | tlp = "Clear" 13 | adversary = "-" 14 | strings: 15 | $s1 = { 42 67 49 41 41 41 43 6b 41 41 42 53 55 30 45 78 41 43 } 16 | $s2 = "C:\\Windows\\sysnative\\vssadmin.exe" wide 17 | $s3 = "netsh advfirewall set allprofiles state off" wide 18 | $s4 = "%appdata%\\_uninstalling_.png" wide 19 | $s5 = { 00 00 68 3c ?? 40 00 6a 00 6a 00 ff 77 08 ff 37 ff 35 44 ?? 40 00 ff 15 08 ?? 
40 00 e8 [2] ff ff 8b f0 89 75 f4 85 f6 0f 84 d6 00 00 00 b9 00 04 00 00 e8 [2] ff ff 8b d8 85 db 75 08 6a 00 ff 15 [2] 40 00 ff 77 0c 8b 57 04 8b cb e8 ?? f3 ff ff 8b 47 0c c7 04 24 00 04 00 00 89 45 fc 8d 45 fc 50 53 6a 00 6a 01 6a 00 56 ff 15 0c ?? 40 00 85 c0 74 76 8b 55 fc 51 8b cb e8 ?? eb ff ff 59 6a 00 6a 06 6a 02 6a 00 6a 01 a3 40 ?? 40 00 8d 85 e8 fd ff ff 68 00 00 00 40 50 ff 15 [2] 40 00 89 45 f8 83 f8 ff 74 41 6a 00 8d 45 f0 50 ff 35 40 ?? 40 00 ff 15 [2] 40 00 8b 35 4c ?? 40 00 40 50 ff 35 40 ?? 40 00 ff 75 f8 ff d6 6a 00 8d 45 f0 50 ff 77 08 ff 37 ff 75 f8 ff d6 ff 75 f8 ff 15 [2] 40 00 8b 75 f4 ba 00 04 00 00 8b cb e8 ?? f2 ff ff e8 ?? f2 ff ff 56 ff 15 28 ?? 40 00 8b 57 0c 8b 4f 04 e8 ?? f2 ff ff 8b cf e8 [2] ff ff e8 ?? fb ff ff 6a 00 ff 35 44 ?? 40 00 ff 15 18 ?? 40 00 e8 [2] ff ff e9 0b } 20 | condition: 21 | uint16(0) == 0x5A4D and filesize > 6KB and all of ($s*) 22 | } 23 | -------------------------------------------------------------------------------- /Ransomware/RAN_Loader_Clop_Dec_2021_1.yara: -------------------------------------------------------------------------------- 1 | rule RAN_Loader_Clop_Dec_2021_1 2 | { 3 | meta: 4 | description = "Detect the loader used by TA505 group for inject Clop ransomware (unpacked file) " 5 | author = "Arkbird_SOLG" 6 | date = "2021-12-20" 7 | reference = "Internal Research" 8 | hash1 = "e805dd0124b9f062f6b5bc9de627eabc601b9d6e8ffe1d90ee552a1ece598a89" 9 | tlp = "Clear" 10 | adversary = "TA505" 11 | level = "Experimental" 12 | strings: 13 | $s1 = { 00 6a 00 68 9c 58 41 00 68 d0 58 41 00 6a 00 6a 00 ff 15 84 53 41 00 6a 00 6a 00 68 d8 58 41 00 68 0c 59 41 00 6a 00 6a 00 ff 15 84 53 41 00 6a 00 6a 00 68 14 59 41 00 68 48 59 41 00 6a 00 6a 00 ff 15 84 53 41 00 6a 00 6a 00 68 50 59 41 00 68 84 59 41 00 6a 00 6a 00 ff 15 84 53 41 00 6a 00 6a 00 68 8c 59 41 00 68 bc 59 41 00 6a 00 6a 00 ff 15 84 53 41 00 6a 00 6a 00 68 c4 59 41 00 68 f0 59 41 00 6a 00 6a 00 ff 15 84 53 41 00 e8 7e 0e 00 00 0f b6 d0 85 d2 74 0c 
c7 85 44 ec ff ff f8 59 41 00 eb 0a c7 85 44 ec ff ff 10 5a 41 00 8b 85 44 ec ff ff 89 85 38 ec ff ff 8b 8d 38 ec ff ff 51 8d 95 90 f4 ff ff 52 68 28 5a 41 00 68 04 01 00 00 68 04 01 00 00 8d 85 78 ee ff ff } 14 | $s2 = { 89 45 fc c6 85 e3 f9 ff ff 00 c6 85 e2 f9 ff ff 00 c7 85 dc f9 ff ff 00 00 00 00 68 04 01 00 00 8d 85 ec fb ff ff 50 ff 15 24 52 41 00 85 c0 0f 84 8b 00 00 00 83 bd dc f9 ff ff 00 74 16 8b 8d dc f9 ff ff 51 6a 00 ff 15 6c 52 41 00 50 ff 15 70 52 41 00 e8 37 fa ff ff 89 85 dc f9 ff ff 83 bd dc f9 ff ff 00 74 49 8b 95 dc f9 ff ff 52 8d 85 ec fb ff ff 50 68 1c d0 41 00 68 04 01 00 00 68 04 01 00 00 8d 8d f4 fd ff ff 51 e8 af f3 ff ff 83 c4 18 8b 55 0c 52 8b 45 08 50 8d 8d f4 fd ff ff 51 e8 48 f9 ff ff 83 c4 0c 88 85 e2 f9 ff ff 0f b6 95 } 15 | $s3 = "%s\\drivers\\%s.sys" wide 16 | $s4 = { 62 00 6c 00 61 00 63 00 6b 00 ( 6e 00 61 00 6d 00 65 00 73 | 73 00 69 00 67 00 6e 00 73 | 76 00 65 00 72 00 73 ) 00 2e 00 74 00 78 00 74 } 17 | $s5 = { 51 6a 00 6a 00 6a 25 6a 00 ff 15 80 53 41 00 e8 aa 0d 00 00 0f b6 d0 85 d2 74 0c c7 85 48 ec ff ff 34 5a 41 00 eb 0a c7 85 48 ec ff ff 50 5a 41 00 8b 85 48 ec ff ff 50 8d 8d 90 f4 ff ff 51 68 6c 5a 41 00 68 04 01 00 00 68 04 01 00 00 8d 95 88 f2 ff ff 52 e8 a4 08 00 00 83 c4 18 68 78 5a 41 00 8d 85 88 f2 ff ff } 18 | condition: 19 | uint16(0) == 0x5A4D and filesize > 30KB and 4 of ($s*) 20 | } -------------------------------------------------------------------------------- /Ransomware/RAN_Lockbit_Green_Jan_2023_1.yara: -------------------------------------------------------------------------------- 1 | rule RAN_Lockbit_Green_Jan_2023_1 : ransomware green lockbit x86 2 | { 3 | meta: 4 | description = "Detect the green variant used by lockbit group (x86)" 5 | author = "Arkbird_SOLG" 6 | date = "2023-01-30" 7 | reference = "https://github.com/prodaft/malware-ioc/blob/master/LockBit/green.md" 8 | hash1 = "45c317200e27e5c5692c59d06768ca2e7eeb446d6d495084f414d0f261f75315" 9 | hash2 = 
"27b8ee04d9d59da8e07203c0ab1fc671215fb14edb35cb2e3122c1c0df83bff8" 10 | tlp = "Clear" 11 | adversary = "RAAS" 12 | strings: 13 | $s1 = { 8b 3d [4] 66 90 8b 01 8d 95 f4 f7 ff ff 52 8d 95 a8 f7 ff ff 52 6a 01 6a ff 51 ff 50 10 8b f0 c7 85 8c f7 ff ff [3] 00 8b 85 8c f7 ff ff 99 f7 fb 8b 85 8c f7 ff ff 85 d2 74 51 83 c0 02 03 c6 89 85 8c f7 ff ff 8b 85 8c f7 ff ff 25 03 00 00 80 79 07 48 83 c8 fc 83 c0 01 0f 85 6e 01 00 00 0f 1f 40 00 8b 85 8c f7 ff ff 40 89 85 8c f7 ff ff 8b 85 8c f7 ff ff 25 03 00 00 80 79 07 48 83 c8 fc 83 c0 } 14 | $s2 = { 8b 75 08 33 c0 57 8b 7d 0c 89 06 89 46 04 89 46 08 8b 45 10 03 c7 89 45 fc 3b f8 73 3f 0f b7 1f 53 e8 ?? 0b 00 00 59 66 3b c3 75 28 83 46 04 02 83 fb 0a 75 15 6a 0d 5b 53 e8 ?? 0a 00 00 59 66 3b } 15 | $s3 = { 0f b6 c0 2b cb 41 f7 d8 68 40 01 00 00 1b c0 23 c1 89 85 b4 fe ff ff 8d 85 bc fe ff ff 57 50 e8 ?? be ff ff 83 c4 0c 8d 85 bc fe ff ff 57 57 57 50 57 53 ff 15 [4] 8b f0 8b 85 b8 fe ff ff 83 fe ff 75 2d 50 57 57 53 e8 9f } 16 | $s4 = { 33 c9 8d 45 ec 51 51 6a 05 50 6a 01 8d 45 e8 47 50 51 ff 75 c8 ff 15 [4] 89 45 cc 85 c0 0f 84 91 00 00 00 6a 00 8d 4d e0 51 50 8d 45 ec 50 ff 75 d8 ff 15 [4] 85 c0 74 } 17 | condition: 18 | uint16(0) == 0x5A4D and filesize > 80KB and all of ($s*) 19 | } 20 | -------------------------------------------------------------------------------- /Ransomware/RAN_Lockbit_Green_Jan_2023_2.yara: -------------------------------------------------------------------------------- 1 | rule RAN_Lockbit_Green_Jan_2023_2 : ransomware green lockbit x64 2 | { 3 | meta: 4 | description = "Detect the green variant used by lockbit group (x64)" 5 | author = "Arkbird_SOLG" 6 | date = "2023-01-30" 7 | reference = "https://github.com/prodaft/malware-ioc/blob/master/LockBit/green.md" 8 | hash1 = "b3ea0f4f442da3106c0d4f97cf20e244b84d719232ca90b3b7fc6e59e37e1ca1" 9 | hash2 = "fb49b940570cfd241dea27ae768ac420e863d9f26c5d64f0d10aea4dd0bf0ce3" 10 | tlp = "Clear" 11 | adversary = "RAAS" 12 | strings: 13 | $s1 = { 48 8d 4d fd 0f 
b6 45 fe e8 [2] 01 00 4c 8b 85 d0 00 00 00 48 8d 8d 10 01 00 00 48 8b d0 ff 15 [2] 02 00 ba 0f 00 00 00 c7 85 50 09 00 00 [3] 00 33 c9 41 b8 09 a2 26 51 44 8d 4a 56 e8 [2] ff ff 48 8d 4c 24 58 ff d0 b8 56 55 55 55 c7 85 50 09 00 00 [3] 00 8b 8d 50 09 00 00 f7 e9 8b c2 c1 e8 1f 03 d0 8d 04 52 3b c8 74 ?? 8b 8d 50 09 00 00 8b 44 24 58 83 c0 02 03 c8 89 8d 50 09 00 00 8b 85 50 09 00 00 25 } 14 | $s2 = { 48 2b d6 48 8d 4c 24 30 48 ff c2 41 b8 40 01 00 00 f6 d8 4d 1b ff 4c 23 fa 33 d2 e8 [2] ff ff 45 33 c9 89 7c 24 28 4c 8d 44 24 30 48 89 7c 24 20 33 d2 48 8b ce ff 15 [2] 00 00 48 8b d8 48 83 f8 ff 75 4a 4d 8b ce 45 33 c0 33 } 15 | $s3 = { 48 83 64 24 38 00 48 8d 45 e8 48 83 64 24 30 00 4c 8d 45 c0 8b 4d cc 41 b9 01 00 00 00 c7 44 24 28 05 00 00 00 33 d2 48 89 44 24 20 48 ff c7 ff 15 [2] 00 00 44 8b f0 85 c0 0f 84 94 00 00 00 48 8b 4d d0 4c 8d 4d c8 48 83 64 24 20 00 48 8d 55 e8 44 8b c0 ff 15 [2] 00 00 33 d2 85 c0 74 6b 8b 4b 08 2b 4d d8 03 cf 89 4b 04 44 39 75 c8 72 62 41 80 fd 0a 75 34 48 8b 4d d0 8d 42 0d 48 89 54 24 20 44 8d 42 01 48 8d 55 c4 66 89 45 c4 4c 8d 4d c8 ff 15 [2] 00 00 33 d2 85 c0 74 2c 83 7d c8 01 } 16 | condition: 17 | uint16(0) == 0x5A4D and filesize > 80KB and all of ($s*) 18 | } 19 | -------------------------------------------------------------------------------- /Ransomware/RAN_Lockbit_v3_Jun_2022_1.yara: -------------------------------------------------------------------------------- 1 | rule RAN_Lockbit_v3_Jun_2022_1 : lockbit ransomware 2 | { 3 | meta: 4 | description = "Detect the lockbit ransomware" 5 | author = "Arkbird_SOLG" 6 | reference = "https://twitter.com/vxunderground/status/1543661557883740161" 7 | date = "2022-07-04" 8 | hash1 = "80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce" 9 | hash2 = "a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e" 10 | hash3 = "391a97a2fe6beb675fe350eb3ca0bc3a995fda43d02a7a6046cd48f042052de5" 11 | tlp = "Clear" 12 | adversary = "RAAS" 13 | strings: 14 | $s1 = { b8 fc fd fe 
ff b9 40 00 00 00 8b 5d 10 89 44 8b fc 2d 04 04 04 04 49 75 f4 8b 7d 0c be 40 00 00 00 33 db 55 8b 6d 10 8b c1 33 d2 f7 f6 8a c1 8a 14 17 02 54 05 00 02 d3 8a 5c 15 00 8a 54 1d 00 86 54 05 00 88 54 1d 00 41 81 f9 00 03 00 00 75 d6 5d 33 c9 8b 7d 08 be 20 00 00 00 55 8b 6d 10 8b c1 33 d2 f7 f6 8a c1 8a 14 17 02 54 05 00 02 d3 8a 5c 15 00 8a 54 1d 00 86 54 05 00 88 54 1d 00 41 81 f9 00 03 00 00 75 d6 5d 33 c9 8b 7d 0c be 40 00 00 00 55 8b 6d 10 8b c1 33 d2 f7 f6 8a c1 8a 14 17 02 54 05 00 02 d3 8a 5c 15 00 8a 54 1d 00 86 54 05 00 88 54 1d 00 41 81 f9 00 03 } 15 | $s2 = { 81 ec 7c 03 00 00 53 56 57 8d 9d 84 fc ff ff b9 00 c2 eb 0b e2 fe e8 c6 02 00 00 53 50 e8 23 02 00 00 85 c0 74 79 53 8d 45 a0 50 e8 c1 02 00 00 8d 85 8c fe ff ff 50 8d 45 c0 50 8d 45 a0 50 e8 01 03 00 00 89 45 9c e8 85 02 00 00 8b d8 8b 5b 08 8b 73 3c 03 f3 0f b7 7e 06 8d b6 f8 00 00 00 6a 00 8d 06 50 e8 7f 00 00 00 3d 75 80 91 76 74 0e 3d 1b a4 04 00 74 07 3d 9b b4 84 0b 75 18 8b 4e 0c 03 cb ff 75 9c 8d 85 8c fe ff ff 50 ff 76 10 51 e8 82 03 00 00 83 } 16 | $s3 = { 66 ad 66 85 c0 75 05 e9 8a 00 00 00 66 83 f8 41 72 0c 66 83 f8 46 77 06 66 83 e8 37 eb 26 66 83 f8 61 72 0c 66 83 f8 66 77 06 66 83 e8 57 eb 14 66 83 f8 30 72 0c 66 83 f8 39 77 06 66 83 e8 30 eb 02 eb bc 0f b6 c8 c1 e1 04 66 ad 66 85 c0 75 02 eb 43 66 83 f8 41 72 0c 66 83 f8 46 77 06 66 83 e8 37 eb 29 66 83 f8 61 72 0c 66 83 f8 66 77 06 66 83 e8 57 eb 17 66 83 f8 30 72 0c 66 83 f8 39 77 06 66 83 e8 30 eb 05 e9 72 ff ff ff 32 c1 aa e9 6a } 17 | condition: 18 | uint16(0) == 0x5A4D and filesize > 80KB and all of ($s*) 19 | } 20 | 21 | -------------------------------------------------------------------------------- /Ransomware/RAN_Lorenz_Dec_2021_1.yara: -------------------------------------------------------------------------------- 1 | rule RAN_Lorenz_Dec_2021_1 2 | { 3 | meta: 4 | description = "Detect Lorenz ransomware" 5 | author = "Arkbird_SOLG" 6 | reference = "Internal Research" 7 | date = "2021-12-22" 8 | hash1 = 
"1264b40feaa824d5ba31cef3c8a4ede230c61ef71c8a7994875deefe32bd8b3d" 9 | hash2 = "edc2070fd8116f1df5c8d419189331ec606d10062818c5f3de865cd0f7d6db84" 10 | hash3 = "a0ccb9019b90716c8ee1bc0829e0e04cf7166be2f25987abbc8987e65cef2e6f" 11 | hash4 = "0f863d6c906f4154da19033da1b4374d6000525031c215fb7b3880182a554185" 12 | tlp = "Clear" 13 | adversary = "Lorenz" 14 | strings: 15 | $s1 = { 8d 8d [3] ff e8 ?? 02 00 00 e8 [2] ff ff 8b d8 8d 85 ?? fc ff ff 68 00 01 00 00 50 68 [3] 00 ff 15 [3] 00 33 c9 [0-5] 8a 84 0d ?? fc ff ff 8d 49 01 88 84 0d ?? fd ff ff 84 c0 75 eb 8d bd ?? fd ff ff 4f [0-4] 8a 47 01 8d 7f 01 84 c0 75 f6 66 a1 [3] 00 8b f3 66 89 07 8a 03 43 84 c0 75 f9 8d bd ?? fd ff ff 2b de 4f 8a 47 01 47 84 c0 75 f8 8b cb c1 e9 02 f3 a5 8b cb 83 e1 03 f3 a4 8d 8d ?? fd ff ff 49 8a 41 01 8d 49 01 84 c0 75 f6 a1 } 16 | $s2 = { 81 ec e8 01 00 00 a1 [2] 50 00 33 c5 89 45 fc 8d 85 28 fe ff ff 50 68 02 02 00 00 ff 15 [2] 4c 00 85 c0 75 51 6a 40 8d 45 b8 50 ff 15 [2] 4c 00 85 c0 75 41 8d 45 b8 50 ff 15 [2] 4c 00 85 c0 74 33 0f bf 48 0a 8b 40 0c 51 ff 30 8d 85 1c fe ff ff 50 e8 [3] 00 83 c4 0c ff b5 1c fe ff ff ff 15 [2] 4c 00 8b 4d fc 33 cd e8 [3] 00 8b e5 5d c3 ff 15 [2] 4c 00 8b 4d fc 33 cd e8 [3] 00 8b } 17 | $s3 = "#File Error#(%d) :" ascii 18 | $s4 = " Data: <%s> %s" ascii 19 | $s5 = "%ls(%d) : %ls" wide 20 | condition: 21 | uint16(0) == 0x5A4D and filesize > 80KB and 4 of ($s*) 22 | } -------------------------------------------------------------------------------- /Ransomware/RAN_Maui_Jul_2022_1.yara: -------------------------------------------------------------------------------- 1 | rule RAN_Maui_Jul_2022_1 : ransomware maui 2 | { 3 | meta: 4 | description = "Detect Maui ransomware" 5 | author = "Arkbird_SOLG" 6 | reference1 = "https://stairwell.com/wp-content/uploads/2022/07/Stairwell-Threat-Report-Maui-Ransomware.pdf" 7 | date = "2022-07-07" 8 | hash1 = "5b7ecf7e9d0715f1122baf4ce745c5fcd769dee48150616753fec4d6da16e99e" 9 | hash2 = 
"45d8ac1ac692d6bb0fe776620371fca02b60cac8db23c4cc7ab5df262da42b78" 10 | hash3 = "830207029d83fd46a4a89cd623103ba2321b866428aa04360376e6a390063570" 11 | adversary = "-" 12 | strings: 13 | $s1 = { 50 e8 98 42 00 00 83 c4 04 a3 74 9a 4b 00 85 c0 75 01 c3 56 33 f6 e8 4c 87 01 00 85 c0 7e 24 57 8b 3d a4 e1 47 00 90 6a 00 6a 00 6a 00 ff d7 8b 0d 74 9a 4b 00 89 04 b1 46 e8 29 87 01 00 3b f0 7c e5 5f 68 90 23 40 00 e8 7a 89 01 00 68 60 23 40 00 e8 } 14 | $s2 = { 6a 00 8b f7 8b 56 24 8b 46 20 8b 7c 24 2c 6a 00 52 50 e8 7b 0e 00 00 8b fe 8d 8c 24 48 09 00 00 51 6a 00 68 7c f2 4a 00 8d 94 24 54 0d 00 00 52 ff 15 28 e0 47 00 85 c0 75 41 8b 74 24 20 8b 7c 24 0c 50 e8 ba 0d 00 00 8d 5f 20 8d a4 24 00 00 00 00 8b 33 8b 7b 04 57 8b c6 03 44 24 14 56 8b cf 13 4c 24 1c 51 50 53 ff 15 24 e0 47 00 3b c6 75 e0 3b d7 75 dc e9 1c 05 00 00 8d 94 24 48 09 00 00 68 18 ef 4a } 15 | $s3 = { ff 15 4c e0 47 00 83 f8 7a 0f 85 89 00 00 00 8b 45 f8 3d 00 02 00 00 77 7f 8d 70 01 83 e6 fe 8d 46 02 89 75 f8 e8 91 02 ff ff 8b fc 8d 4d f8 51 56 57 6a 02 53 ff 15 d4 e1 47 00 85 c0 74 59 8b 45 f8 40 83 e0 fe 89 45 f8 d1 e8 33 d2 68 50 ff 47 00 57 66 89 14 47 e8 4d e8 05 00 83 c4 08 f7 d8 1b c0 f7 d8 8d 65 ec 5f 5e 5b 8b 4d fc } 16 | $s4 = { 6a 00 6a 00 53 68 b0 27 40 00 6a 00 6a 00 ff 15 1c e0 47 00 8b 4c 24 10 8b 97 30 04 00 00 89 04 8a 41 3b 4d 10 89 4c 24 10 0f 8c 36 ff ff ff 33 c0 } 17 | condition: 18 | uint16(0) == 0x5A4D and filesize > 90KB and all of ($s*) 19 | } 20 | -------------------------------------------------------------------------------- /Ransomware/RAN_Money_Message_Mar_2023_1.yara: -------------------------------------------------------------------------------- 1 | rule RAN_Money_Message_Mar_2023_1 : money_message ransomware 2 | { 3 | meta: 4 | description = "Detect Money Message ransomware" 5 | author = "Arkbird_SOLG" 6 | date = "2023-03-29" 7 | reference = "https://twitter.com/Threatlabz/status/1641113991824158720" 8 | hash1 = 
"bbdac308d2b15a4724de7919bf8e9ffa713dea60ae3a482417c44c60012a654b" 9 | hash2 = "97abcf01deea74eb3771ddcef8bfc0906b46a55172588de8e2ad20f8d92b2de7" 10 | hash3 = "dc563953f845fb88c6375b3e9311ebed49ce4bcd613f7044989304c8de384dac" 11 | tlp = "Clear" 12 | adversary = "RAAS" 13 | strings: 14 | $s1 = /"mutex_name":\s"[0-z]{5}-[0-z]{5}-[0-z]{5}-[0-z]{5}",/ 15 | $s2 = /"extensions":\s(\[]|\["\w+"]),/ 16 | $s3 = /skip_directories":\s\[/ 17 | $s4 = /"domain_password":\s\["(.)+","/ 18 | $s5 = { 83 bd 30 ff ff ff 10 8d 85 1c ff ff ff c6 45 fc ?? 0f 43 85 1c ff ff ff 50 6a 00 6a 00 ff 15 } 19 | condition: 20 | uint16(0) == 0x5A4D and filesize > 90KB and all of ($s*) 21 | } 22 | -------------------------------------------------------------------------------- /Ransomware/RAN_NightSky_Jan_2022_1.yara: -------------------------------------------------------------------------------- 1 | rule RAN_NightSky_Jan_2022_1 2 | { 3 | meta: 4 | description = "Detect NightSky ransomware" 5 | author = "Arkbird_SOLG" 6 | date = "2022-01-07" 7 | reference = "Internal Research" 8 | hash1 = "8c1a72991fb04dc3a8cf89605fb85150ef0e742472a0c58b8fa942a1f04877b0" 9 | hash2 = "-" 10 | tlp = "Clear" 11 | adversary = "-" 12 | level = "Experimental" 13 | strings: 14 | $s1 = { 8b 01 e3 48 5c b3 16 73 8c d2 0d c3 8a 88 13 7d ba 19 37 ab e4 75 12 1d c7 5a 29 3a df 8a d8 c7 b1 d6 e5 33 f0 0f 4c 5c 6a 30 9b b6 94 2d 42 88 56 a9 8e 54 6a 5a 14 87 22 d6 d7 a8 6c 31 44 7c c4 7e 72 96 56 c8 77 72 6d 91 56 13 d6 2b 1e 27 19 ca 05 0a 42 fc 59 30 b8 ff d1 58 c8 75 6b 37 7c 36 d5 d0 25 ae 00 58 01 b0 ef 2e 2b bc 1d e6 92 31 0f c7 98 c7 d6 15 12 67 76 4b ad 88 51 b8 9d 68 06 } 15 | $s2 = { b8 4d 5a 00 00 41 f6 c5 75 48 81 fa 9f 4f b2 16 66 39 01 0f 84 13 00 00 00 2b c0 d3 fe 48 81 c4 78 01 00 00 66 41 0f be e9 5e 5d c3 48 63 41 3c 48 f7 c5 06 07 fa 4a f5 81 3c 08 50 45 00 00 e9 00 00 00 00 0f 85 cf ff ff ff 44 8b 84 08 88 00 00 00 44 84 e7 f5 44 89 44 24 30 45 85 c0 e9 00 00 00 00 0f 84 b0 ff ff ff 44 8b 8c 08 8c 00 00 00 66 
} 16 | $s3 = { 48 8b c4 48 d3 db 4c 0f a4 f6 f3 40 86 f3 48 b9 00 01 00 00 00 00 00 00 66 41 0f bd dd d3 e6 48 8d 5c 25 80 49 0f bf f6 66 2b f0 48 81 e3 f0 ff ff ff 66 d3 f6 48 2b d9 48 0f 4f f3 66 87 f6 48 8b e3 49 63 f0 57 9c 49 0f b7 fd 66 8b f6 48 8b f0 } 17 | $s4 = { 48 8d 44 24 50 48 2b e8 86 c1 48 99 90 66 d3 c2 66 44 0f ab c2 e9 00 00 00 00 48 8d 54 3c 50 66 0f b3 d9 66 0f c8 66 d3 d9 8b cf 48 f7 d0 b8 f4 40 06 25 f8 d3 c0 40 02 c7 32 04 2a e9 00 00 00 00 88 02 e9 00 00 00 00 0f 84 15 00 00 00 48 ff c7 41 f6 c5 3d f8 48 81 ff 04 01 00 00 0f 82 b7 ff ff ff 48 8d 6c 24 50 48 8b d5 9f 41 0f bf cc 48 8b ce 9f f7 d0 49 63 c0 48 8b 05 b7 4f ba ff e9 } 18 | condition: 19 | uint16(0) == 0x5A4D and filesize > 300KB and all of ($s*) 20 | } 21 | -------------------------------------------------------------------------------- /Ransomware/RAN_Nokoyawa_Dec_2022_1.yara: -------------------------------------------------------------------------------- 1 | rule RAN_Nokoyawa_Dec_2022_1 2 | { 3 | meta: 4 | description = "Detect the rust variant of Nokoyawa ransomware (x64)" 5 | author = "Arkbird_SOLG" 6 | reference = "https://www.zscaler.com/blogs/security-research/nokoyawa-ransomware-rust-or-bust" 7 | date = "2022-12-20" 8 | hash1 = "259f9ec10642442667a40bf78f03af2fc6d653443cce7062636eb750331657c4" 9 | hash2 = "7095beafff5837070a89407c1bf3c6acf8221ed786e0697f6c578d4c3de0efd6" 10 | hash3 = "47c00ac29bbaee921496ef957adaf5f8b031121ef0607937b003b6ab2a895a12" 11 | tlp = "Clear" 12 | adversary = "-" 13 | strings: 14 | $s1 = { 56 57 55 53 48 81 ec d8 00 00 00 49 89 d6 48 89 8c 24 b8 00 00 00 48 c7 44 24 20 06 00 00 00 4c 8d 0d [3] 00 48 8d 4c 24 48 4c 89 44 24 28 e8 [2] 00 00 48 83 7c 24 68 00 0f 84 41 01 00 00 4c 89 b4 24 b0 00 00 00 48 8b b4 24 a0 00 00 00 4c 8b 64 24 48 48 8b 54 24 50 4c 8b 7c 24 58 4c 8b 74 24 60 48 83 fe ff 0f 84 6a 01 00 00 4c 8b ac 24 90 00 00 00 4b 8d 0c 2e 48 83 c1 ff 48 39 } 15 | $s2 = { 48 83 ec 38 48 8d 6c 24 30 48 c7 45 00 fe ff ff ff 48 8b 1d [2] 04 00 
48 85 db 74 48 48 89 d9 ba ff ff ff ff 45 31 c0 e8 [2] 01 00 48 8b 05 [2] 04 00 48 85 c0 75 1c 48 8d 0d [3] 00 e8 [2] 01 00 48 89 05 [2] 04 00 48 85 c0 0f 84 12 01 00 00 80 3d [2] 04 00 00 74 44 31 ff e9 0f 01 00 00 4c 8d 05 [3] 00 31 c9 31 d2 e8 [2] 01 00 } 16 | $s3 = { 48 8b 45 20 c7 04 10 2e 74 78 74 48 83 c2 04 48 89 55 e0 0f 28 45 20 0f 29 45 d0 c6 45 3f 01 48 8d 0d [3] 00 4c 8d 05 [3] 00 ba 0c 00 00 00 e8 [2] 00 00 48 85 c0 75 07 48 8b 05 [3] 00 c6 45 3f 01 48 89 c1 e8 [2] 00 00 48 85 c0 0f 84 02 01 00 00 49 89 d0 c6 45 3f 01 48 8d 4d f0 48 89 c2 e8 [2] 00 00 48 83 7d f0 } 17 | $s4 = { 48 81 ec c8 00 00 00 48 8d ac 24 80 00 00 00 48 c7 45 40 fe ff ff ff 48 89 ca 48 8d 4d f0 e8 [2] 02 00 c6 45 3e 01 48 8d 0d [3] 00 4c 8d 05 [3] 00 ba 09 00 00 00 e8 [2] 00 00 48 85 c0 75 07 48 8b 05 [3] 00 c6 45 3e 01 48 89 c1 e8 [2] 00 00 48 89 c7 48 85 c0 0f 84 a4 01 00 00 48 89 d6 48 8b 45 f8 48 8b 5d 00 48 29 } 18 | condition: 19 | uint16(0) == 0x5A4D and filesize > 80KB and all of ($s*) 20 | } 21 | -------------------------------------------------------------------------------- /Ransomware/RAN_Nokoyawa_Mar_2022_1.yara: -------------------------------------------------------------------------------- 1 | rule RAN_Nokoyawa_Mar_2022_1 : nokoyawa ransomware 2 | { 3 | meta: 4 | description = "Detect nokoyawa ransomware" 5 | author = "Arkbird_SOLG" 6 | reference = "https://www.trendmicro.com/en_us/research/22/c/nokoyawa-ransomware-possibly-related-to-hive-.html" 7 | date = "2022-03-12" 8 | hash1 = "e097cde0f76df948f039584045acfa6bd7ef863141560815d12c3c6e6452dce4" 9 | hash2 = "fefd1117c2f0ab88d8090bc3bdcb8213daf8065f12de1ee6a6c641e888a27eab" 10 | adversary = "-" 11 | strings: 12 | $s1 = { b9 f5 ff ff ff ff 15 1a 6e 00 00 48 c7 44 24 20 00 00 00 00 45 33 c9 8b 4c 24 38 44 8b c1 48 8d 15 18 71 00 00 48 8b c8 ff 15 ff 6d 00 00 48 8d 0d 58 71 00 00 e8 a3 62 00 00 89 44 24 3c b9 f5 ff ff ff ff 15 dc 6d 00 00 48 c7 44 24 20 00 00 00 00 45 33 c9 8b 4c 24 3c 44 8b c1 48 8d 15 8a 71 00 00 
48 8b c8 ff 15 c1 6d 00 00 48 8d 0d d2 71 00 00 e8 65 62 00 00 89 44 24 40 b9 f5 ff ff ff ff 15 9e 6d 00 00 48 c7 44 24 20 00 00 00 00 45 33 c9 8b 4c 24 40 44 8b c1 48 8d 15 e4 71 00 00 48 8b c8 ff 15 83 6d 00 00 48 8d 0d 2c 72 00 00 e8 27 62 00 00 89 44 24 44 b9 f5 ff ff ff ff 15 60 6d 00 00 48 c7 44 24 20 00 00 00 00 45 33 c9 8b 4c 24 44 44 8b c1 48 8d 15 4e 72 00 00 48 8b c8 ff 15 45 6d 00 00 e9 8a } 13 | $s2 = { 48 6b c0 00 0f b7 4c 24 20 66 89 4c 04 28 b8 02 00 00 00 48 6b c0 01 b9 3a 00 00 00 66 89 4c 04 28 b8 02 00 00 00 48 6b c0 02 b9 5c 00 00 00 66 89 4c 04 28 b8 02 00 00 00 48 6b c0 03 33 c9 66 89 4c 04 28 48 8d 4c 24 28 ff 15 a9 5c 00 00 89 44 24 24 83 7c } 14 | $s3 = { 48 81 ec 78 02 00 00 c7 44 24 40 00 40 00 00 c7 44 24 4c ff ff ff ff 48 8d 44 24 50 48 89 44 24 20 4c 8b 8c 24 80 02 00 00 45 33 c0 33 d2 b9 02 00 00 00 ff 15 ca 5e 00 00 89 44 24 48 83 7c 24 48 00 74 07 33 c0 e9 40 01 00 00 8b 44 24 40 8b d0 b9 40 00 00 00 ff 15 57 5e 00 00 48 89 44 24 38 } 15 | $s4 = { 48 83 ec 28 45 33 c9 45 33 c0 33 d2 48 c7 c1 ff ff ff ff ff 15 47 69 00 00 48 } 16 | $s5 = { 48 48 8d 0d 45 7e 00 00 ff 15 af 6a 00 00 8b 05 59 7e 00 00 89 44 24 34 e8 50 01 00 00 48 89 05 19 7e 00 00 8b 44 24 34 d1 e0 48 98 48 c1 e0 03 48 8b c8 e8 85 5c 00 00 } 17 | condition: 18 | uint16(0) == 0x5A4D and filesize > 15KB and all of ($s*) 19 | } 20 | -------------------------------------------------------------------------------- /Ransomware/RAN_Octocrypt_Nov_2022_1.yara: -------------------------------------------------------------------------------- 1 | rule RAN_Octocrypt_Nov_2022_1 : octocrypt ransomware 2 | { 3 | meta: 4 | description = "Detect the Octocypt ransomware" 5 | author = "Arkbird_SOLG" 6 | reference = "https://blog.cyble.com/2022/11/18/axlocker-octocrypt-and-alice-leading-a-new-wave-of-ransomware-campaigns/" 7 | date = "2022-11-21" 8 | hash1 = "65ad38f05ec60cabdbac516d8b0e6447951a65ca698ca2046c50758c3fd0608b" 9 | hash2 = 
"9a557b61005dded36d92a2f4dafdfe9da66506ed8e2af1c851db57d8914c4344" 10 | tlp = "Clear" 11 | adversary = "-" 12 | strings: 13 | $s1 = { 83 ec 40 48 89 6c 24 38 48 8d 6c 24 38 48 89 5c 24 30 48 8b 0d 8c 67 47 00 48 89 0c 24 48 89 44 24 08 48 89 5c 24 10 48 c7 44 24 18 00 20 00 00 48 c7 44 24 20 04 00 00 00 e8 d7 94 01 00 45 0f 57 ff 65 4c 8b 34 25 28 00 00 00 4d 8b b6 00 00 00 00 48 8b 44 24 28 48 85 c0 74 0a 48 8b 6c 24 38 48 83 c4 40 c3 48 8b 05 38 67 47 00 48 89 04 24 48 c7 44 24 08 00 00 00 00 48 8b 44 24 30 48 89 44 24 10 48 c7 44 24 18 00 20 00 00 48 c7 44 24 20 04 00 00 00 e8 7a 94 01 00 45 0f 57 ff 65 4c 8b 34 25 28 00 00 00 4d 8b } 14 | $s2 = { 48 83 ec 48 48 89 6c 24 40 48 8d 6c 24 40 48 89 44 24 50 48 89 5c 24 58 48 83 3d be 3d 4f 00 00 75 73 48 8b 05 dd 00 46 00 48 8d 0d 66 4a 4f 00 48 89 04 24 48 89 4c 24 08 48 c7 44 24 10 04 01 00 00 e8 af 2c 00 00 45 0f 57 ff 65 4c 8b 34 25 28 00 00 00 4d 8b b6 00 00 00 00 48 8b 44 24 18 48 85 c0 0f 84 72 01 00 00 } 15 | $s3 = { 83 ec 30 48 c7 c1 f4 ff ff ff 48 89 0c 24 48 8b 05 82 26 43 00 ff d0 48 89 c1 48 89 0c 24 48 8d 15 3a 69 4c 00 48 89 54 24 08 44 8d 05 56 61 4c 00 4c 89 44 24 10 4c 8d 4c 24 28 49 c7 01 00 00 00 00 4c 89 4c 24 18 48 c7 44 24 20 00 00 00 00 48 8b 05 88 25 43 00 ff d0 e8 a1 e4 ff ff } 16 | $s4 = { 48 48 89 6c 24 40 48 8d 6c 24 40 48 8b 0d b3 db 45 00 48 8d 15 44 b7 02 00 48 89 0c 24 44 0f 11 7c 24 08 48 89 54 24 18 48 89 44 24 20 44 0f 11 7c 24 28 e8 25 09 00 00 45 0f 57 ff 65 4c 8b 34 25 28 00 00 00 4d 8b b6 00 00 00 00 } 17 | condition: 18 | uint16(0) == 0x5A4D and filesize > 60KB and all of ($s*) 19 | } 20 | -------------------------------------------------------------------------------- /Ransomware/RAN_Pay2Key_Dec_2021_1.yara: -------------------------------------------------------------------------------- 1 | rule RAN_Pay2Key_Dec_2021_1 2 | { 3 | meta: 4 | description = "Detect the Pay2Key ransomware" 5 | author = "Arkbird_SOLG" 6 | date = "2021-12-21" 7 | reference = "Internal Research" 8 | 
hash1 = "f7130464821513644ab5aa4b495126f7ae62e56f10d300d7ca73fb9561211695" 9 | hash2 = "83c705e9696ea77e763ec44bfcb6a635935148ab4a36c4f04b394cd758456190" 10 | tlp = "Clear" 11 | adversary = "Pay2Key" 12 | strings: 13 | $s1 = { 6a ff 68 e8 55 4b 00 64 a1 00 00 00 00 50 83 ec 14 53 56 57 a1 70 60 4e 00 33 c5 50 8d 45 f4 64 a3 00 00 00 00 8b f9 8d 5f 10 c7 45 ec 00 00 00 00 53 6a 01 68 01 68 00 00 ff 77 04 ff 15 14 b0 4b 00 c7 45 e0 00 00 00 00 c7 45 e4 00 00 00 00 c7 45 e8 00 00 00 00 8d 45 f0 c7 45 fc 00 00 00 00 50 6a 00 6a 00 6a 01 ff 77 0c ff 33 ff 15 0c b0 4b 00 85 c0 74 39 ff 75 f0 e8 9d 0f 03 00 ff 75 f0 8b f0 6a 00 56 e8 d1 d7 04 00 83 c4 10 8d 45 f0 50 56 6a 00 6a 01 ff 77 0c ff 33 ff 15 0c b0 4b 00 85 } 14 | $s2 = { 8d 7b 18 57 6a 00 6a 00 68 0c 80 00 00 ff 36 ff 15 30 b0 4b 00 85 c0 75 0e ff 15 84 b1 4b 00 50 68 c4 a5 4c 00 eb 53 8b 43 08 2b 43 04 6a 00 50 ff 73 04 ff 37 ff 15 38 b0 4b 00 85 c0 75 16 ff 15 84 b1 4b 00 50 68 e0 a5 4c 00 e8 13 fa ff ff 83 c4 08 eb 37 8d 43 10 50 6a 00 ff 37 68 10 66 00 00 ff 36 ff 15 34 b0 4b 00 85 c0 75 1e ff 15 84 b1 4b 00 50 68 fc a5 4c 00 e8 e4 f9 ff ff 83 c4 08 6a 00 ff 36 ff 15 1c b0 4b 00 8d 4d 08 e8 df 06 00 00 8b c3 8b 4d f4 64 89 0d 00 00 00 00 59 5f 5e 5b 8b 4d f0 33 cd e8 5b a0 06 00 } 15 | $s3 = { 50 8d 85 28 ff ff ff 68 18 a6 4c 00 50 ff 15 40 b3 4b 00 68 20 a6 4c 00 e8 e0 f6 ff ff 8b b5 1c e6 ff ff 83 c4 10 8d 4d 0c e8 df 03 00 00 8b c6 8b 4d f4 64 89 0d 00 00 00 00 59 5f 5e 5b 8b 4d f0 33 cd e8 5b 9d 06 00 8b e5 } 16 | $s4 = { 6a 00 ff 15 bc b3 4b 00 ff 75 c4 8d 45 dc 50 57 ff 15 ac b3 4b 00 8d 55 d0 8b c8 e8 82 5f 00 00 85 c0 75 47 8d 4d a8 e8 36 fe fc ff f3 0f 7e 00 8b 40 08 66 0f d6 45 d0 89 45 d8 8d 45 d0 50 51 8b ce e8 cb ec ff ff 8b f0 83 c4 08 89 75 c4 c6 45 fc 02 83 fe } 17 | condition: 18 | uint16(0) == 0x5A4D and filesize > 600KB and all of ($s*) 19 | } 20 | -------------------------------------------------------------------------------- /Ransomware/RAN_Qilim_Nov_2023_1.yara: 
--------------------------------------------------------------------------------
// Qilin ransomware (spelled "Qilim" in this rule's identifier, tag and meta): a single
// rule for the ELF and Windows builds, distinguished only by the $x* strings. Every
// hex string below is plain ASCII written as bytes, which is what allows the small
// jumps ([0-3], [0-1], ...) that a YARA text string cannot express.
rule RAN_Qilim_Nov_2023_1 : qilim ransomware
{
    meta:
        description = "Detect both versions of Qilim ransomware (ELF+Win)"
        author = "Arkbird_SOLG"
        date = "2023-11-18"
        reference = "https://twitter.com/cyb3rops/status/1725849024731771022"
        // ELF version
        hash1 = "555964b2fed3cced4c75a383dd4b3cf02776dae224f4848dcc03510b1de4dbf4"
        hash2 = "0629cd5e187174cb69f3489675f8c84cc0236f11f200be384ed6c1a9aa1ce7a1"
        // Win version
        hash3 = "ee24110ddb4121b31561f86692650b63215a93fb2357b2bd3301fabc419290a3"
        tlp = "Clear"
        adversary = "Qilim"
    strings:
        // Ransom-note opening, decoded: "-- Qilin " [0-3] "\nYour network/system was
        // encrypted. " [0-2] "Encrypted files have new extension. " [2-4]
        // "-- Compromising and sensitive data". The jumps presumably absorb
        // whitespace/line-ending differences between builds — confirm against samples.
        $s1 = { 2d 2d 20 51 69 6c 69 6e 20 [0-3] 0a 59 6f 75 72 20 6e 65 74 77 6f 72 6b 2f 73 79 73 74 65 6d 20 77 61 73 20 65 6e 63 72 79 70 74 65 64 2e 20 [0-2] 45 6e 63 72 79 70 74 65 64 20 66 69 6c 65 73 20 68 61 76 65 20 6e 65 77 20 65 78 74 65 6e 73 69 6f 6e 2e 20 [2-4] 2d 2d 20 43 6f 6d 70 72 6f 6d 69 73 69 6e 67 20 61 6e 64 20 73 65 6e 73 69 74 69 76 65 20 64 61 74 61 }
        // Ransom-note filename pattern, decoded: ("%s_" | "README-") "RECOVER" [0-1] ".txt"
        $s2 = { ( 25 73 5f | 52 45 41 44 4d 45 2d ) 52 45 43 4f 56 45 52 [0-1] 2e 74 78 74 }
        // For Win version
        // Decoded: "/vmfs/volumes/[INFO|SPREAD] Verifying supplied data" — a VMFS
        // datastore path immediately followed by a log prefix, i.e. two adjacent
        // pieces of text matched as one run.
        $x1 = { 2f 76 6d 66 73 2f 76 6f 6c 75 6d 65 73 2f 5b 49 4e 46 4f 7c 53 50 52 45 41 44 5d 20 56 65 72 69 66 79 69 6e 67 20 73 75 70 70 6c 69 65 64 20 64 61 74 61 }
        // Decoded PowerShell/PowerCLI line:
        // "$esxcli = Get-EsxCli -VMHost $esxiHost -V2 -ErrorAction Stop"
        $x2 = { 24 65 73 78 63 6c 69 20 3d 20 47 65 74 2d 45 73 78 43 6c 69 20 2d 56 4d 48 6f 73 74 20 24 65 73 78 69 48 6f 73 74 20 2d 56 32 20 2d 45 72 72 6f 72 41 63 74 69 6f 6e 20 53 74 6f 70 }
        // For ELF version
        // Decoded: "esxcli vm process kill -t force -w %llu" plus its NUL terminator (00).
        $x3 = { 65 73 78 63 6c 69 20 76 6d 20 70 72 6f 63 65 73 73 20 6b 69 6c 6c 20 2d 74 20 66 6f 72 63 65 20 2d 77 20 25 6c 6c 75 00 }
        // Same text as $x3 without the trailing 00. NOTE(review): $x4 is a strict prefix
        // of $x3, so every file that matches $x3 also matches $x4; for an ELF sample the
        // "2 of ($x*)" clause below is therefore satisfied by the one esxcli command
        // string alone, not by two independent indicators.
        $x4 = { 65 73 78 63 6c 69 20 76 6d 20 70 72 6f 63 65 73 73 20 6b 69 6c 6c 20 2d 74 20 66 6f 72 63 65 20 2d 77 20 25 6c 6c 75 }
    condition:
        // Little-endian reads of the file header: 0x464C457F is "\x7fELF", 0x5A4D is "MZ",
        // so either an ELF or a PE image is accepted. Both ransom-note strings are
        // required, plus two of the hypervisor-related strings (see note on $x4).
        (uint32(0) == 0x464C457F or uint16(0) == 0x5A4D) and filesize > 900KB and all of ($s*) and 2 of ($x*)
}
-------------------------------------------------------------------------------- /Ransomware/RAN_Quantum_Apr_2022_1.yara: -------------------------------------------------------------------------------- 1 | rule RAN_Quantum_Apr_2022_1 : ransomware quantum x64 2 | { 3 | meta: 4 | description = "Detect the quantum ransomware (x64)" 5 | author = "Arkbird_SOLG" 6 | reference = "Internal Research" 7 | date = "2022-04-10" 8 | hash1 = "1d64879bf7b1c7aea1d3c2c0171b31a329d026dc4e2f1c876d7ec7cae17bbc58" 9 | hash2 = "6143d920ebdd5e9b1db7425916417c0896139f425493a8fcd63d62dac80779f1" 10 | hash3 = "0789a9c0a0d4f3422cb4e9b8e64f1ba92f7b88e2edfd14b7b9a7f5eee5135a4f" 11 | hash4 = "5a9028518866ce9fc3847f4704060f71e1c572132ec3f1845f29023a659f9daf" 12 | tlp = "Clear" 13 | adversary = "RAAS" 14 | strings: 15 | $s1 = { 48 89 ?? 24 60 4c [2-4] 4c 89 74 24 58 48 [2-5] 24 ?? 48 [0-3] 89 5c 24 } 16 | $s2 = { 48 83 ec 40 4d 8b f1 c7 40 dc 00 40 00 00 4c 8b ca 48 8d 40 e0 33 d2 48 89 44 24 20 4d 8b f8 8b e9 8d 4a 02 44 8d 42 13 [5-6] 33 ff 85 c0 0f 85 ?? 00 00 00 83 4c 24 30 ff 8b 5c 24 34 48 85 db 0f 84 ?? 00 00 00 ff 15 [2] 00 00 4c 8d 43 01 ba 08 00 00 00 48 8b c8 ff 15 [2] 00 00 48 8b d8 48 85 c0 0f 84 ?? 
00 00 00 48 8b 4c 24 38 4c 8d 4c 24 34 4c 8b c0 48 8d 54 24 30 [5-6] 8b f0 85 c0 74 1d 3d ea 00 00 00 75 6d ff 15 [2] 00 00 4c 8b c3 33 d2 48 8b c8 ff 15 } 17 | $s3 = { 45 33 c9 48 8d 54 24 30 45 8d 41 0c 41 8d 49 01 ff 15 [2] 00 00 85 c0 75 22 66 83 7c 24 30 09 48 8d 15 [2] 00 00 b8 40 00 00 00 41 8b ce 44 8d 40 e0 44 0f 44 c0 e8 [4] bb fa 00 00 00 48 8d 95 [2] 00 00 48 8d 8d d0 00 00 00 89 9d [2] 00 00 ff 15 [2] 00 00 85 c0 74 24 8b 85 [2] 00 00 4c 8d 85 d0 00 00 00 48 8d 15 [2] 00 00 41 8b ce 66 89 b4 45 d0 00 00 00 e8 [4] 48 8d 95 [2] 00 00 89 9d [2] 00 00 48 8d 8d d0 00 00 00 ff 15 [2] 00 00 85 c0 74 24 8b 85 [2] 00 00 4c 8d 85 d0 00 00 00 48 8d 15 [2] 00 00 41 8b ce 66 89 b4 45 d0 00 00 00 e8 } 18 | $s4 = { 48 83 ec 20 [0-3] 8b f2 48 8b f9 ff 15 [2] 00 00 83 f8 04 [2-5] 4c 8b c7 [0-5] 0f ba e6 13 73 ?? 48 8d 15 [2] 00 00 } 19 | condition: 20 | uint16(0) == 0x5A4D and all of ($s*) 21 | } 22 | -------------------------------------------------------------------------------- /Ransomware/RAN_Rook_Dec_2021_1.yara: -------------------------------------------------------------------------------- 1 | rule RAN_Rook_Dec_2021_1 { 2 | meta: 3 | description = "Detect Rook ransomware" 4 | author = "Arkbird_SOLG" 5 | reference = "Internal Research" 6 | date = "2021-12-21" 7 | hash1 = "15a67f118c982ff7d094d7290b4c34b37d877fe3f3299840021e53840b315804" 8 | hash2 = "f87be226e26e873275bde549539f70210ffe5e3a129448ae807a319cbdcf7789" 9 | hash3 = "c2d46d256b8f9490c9599eea11ecef19fde7d4fdd2dea93604cee3cea8e172ac" 10 | tlp = "Clear" 11 | adversary = "Rook" 12 | strings: 13 | $s1 = { fc 41 5b eb 08 48 ff c6 88 17 48 ff c7 8a 16 01 db 75 0a 8b 1e 48 83 ee fc 11 db 8a 16 72 e6 8d 41 01 } 14 | $s2 = { 00 00 48 83 c4 28 48 83 c7 04 48 8d 5e fc 31 c0 8a 07 48 ff c7 09 c0 74 23 3c ef 77 11 48 01 c3 48 8b 03 48 0f c8 48 01 f0 48 89 03 eb e0 24 0f c1 e0 10 66 8b 07 48 83 c7 02 eb e1 48 8b 2d ?? ?? 
00 00 48 8d be 00 f0 ff ff bb 00 10 00 00 50 49 89 e1 41 b8 04 00 00 00 48 89 da 48 89 f9 48 83 ec 20 ff d5 48 8d 87 ?? 02 00 00 80 20 7f 80 60 28 7f 4c 8d 4c 24 20 4d 8b 01 48 89 da 48 89 f9 ff d5 48 83 c4 28 5d 5f } 15 | $s3 = { 8a 16 f3 c3 48 8d 04 2f 83 f9 05 8a 10 76 21 48 83 fd fc 77 1b 83 e9 04 8b 10 48 83 c0 04 83 e9 04 89 17 48 8d 7f 04 73 ef 83 c1 04 8a 10 74 10 48 ff c0 88 17 83 e9 01 8a 10 48 8d 7f 01 } 16 | $s4 = { 09 c0 74 4a 8b 5f 04 48 8d 8c 30 ?? ?? ?? 00 48 01 f3 48 83 c7 08 ff 15 ?? ?? 00 00 48 95 8a 07 48 ff c7 08 c0 74 d7 48 89 f9 48 89 fa ff c8 f2 ae 48 89 e9 ff 15 ?? ?? 00 00 48 09 c0 74 09 48 89 03 48 83 c3 } 17 | $s5 = { 5e 48 89 f7 56 48 89 f7 48 c7 c6 00 ?? ?? 00 b2 0e 53 57 48 8d 4c 37 fd 5e 56 5b eb 2f 48 39 ce 73 32 56 5e ac 3c 80 72 0a 3c 8f 77 06 80 7e fe 0f 74 06 2c e8 3c 01 77 e4 48 39 ce 73 16 56 ad 28 d0 75 df 5f 0f c8 29 f8 01 d8 ab 48 39 ce 73 03 ac eb df 5b 5e 48 83 ec 28 48 8d be 00 ?? ?? 00 8b 07 09 c0 74 } 18 | condition: 19 | uint16(0) == 0x5A4D and filesize > 50KB and filesize < 800KB and all of ($s*) 20 | } 21 | -------------------------------------------------------------------------------- /Ransomware/RAN_Royal_Rumble_Dec_2022_1.yara: -------------------------------------------------------------------------------- 1 | rule RAN_Royal_Rumble_Dec_2022_1 : royal_rumble ransomware x86 2 | { 3 | meta: 4 | description = "Detect the Royal Rumble ransomware (x86)" 5 | author = "Arkbird_SOLG" 6 | reference = "Internal Research" 7 | date = "2022-12-20" 8 | hash1 = "250bcbfa58da3e713b4ca12edef4dc06358e8986cad15928aa30c44fe4596488" 9 | hash2 = "de025f921dd477c127fba971b9f90accfb58b117274ba1afb1aaf2222823b6ac" 10 | hash3 = "47c00ac29bbaee921496ef957adaf5f8b031121ef0607937b003b6ab2a895a12" 11 | tlp = "Clear" 12 | adversary = "-" 13 | strings: 14 | $s1 = { 83 c4 04 8d 85 ?? ef ff ff 83 bd ?? ef ff ff 08 0f 43 85 ?? ef ff ff 6a 00 6a 00 6a 02 6a 00 6a 00 68 00 00 00 40 50 ff 15 [2] 59 00 8b f0 83 fe ff 74 ?? 68 00 10 00 00 8d 85 ?? 
ef ff ff 6a 00 50 e8 [2] 12 00 } 15 | $s2 = { 68 00 02 00 00 8d 84 24 dc 47 00 00 6a 00 50 e8 [2] 12 00 83 c4 0c 8d 84 24 d8 47 00 00 68 [3] 00 50 ff 15 [2] 59 00 83 c4 08 c7 44 24 40 44 00 00 00 8d 44 24 20 0f 57 c0 66 0f 13 44 24 44 66 0f 13 44 24 4c 50 8d 44 24 44 66 0f 13 44 24 58 50 6a 00 6a 00 6a 00 6a 00 6a 00 6a 00 8d 84 24 f8 47 00 00 66 0f 13 44 24 7c 50 68 [3] 00 66 0f 13 84 24 8c 00 00 00 66 0f 13 84 24 94 00 00 00 66 0f 13 84 24 9c 00 00 00 66 0f 13 84 24 a4 00 00 00 0f 29 44 24 48 ff 15 44 } 16 | $s3 = { 68 [2] 60 00 ff 15 54 ?? 59 00 50 68 [2] 60 00 57 e8 [2] 00 00 [10-13] 00 00 8b d8 57 89 [5-6] 00 00 83 c4 ?? 85 db 0f 84 ?? 01 00 00 68 00 a0 0f 00 e8 [2] 12 00 8b d8 83 c4 04 89 } 17 | $s4 = { 50 68 [2] 59 00 57 68 [3] 00 56 b3 01 e8 [2] fb ff ff 74 24 2c c7 44 24 2c 00 00 00 00 e8 [2] f9 ff 8b 4c 24 2c 83 c4 1c 3b c8 7d 5e 8b 7c 24 14 84 db 75 14 68 [2] 5b 00 56 e8 [2] f9 ff 8b 4c 24 18 83 c4 08 eb 02 32 db 6a 00 51 57 e8 [2] f9 ff 83 c4 08 50 8d 44 24 28 6a 50 50 e8 [2] fb ff 8d 44 24 30 50 56 e8 [2] f9 ff ff 44 24 28 57 e8 } 18 | condition: 19 | uint16(0) == 0x5A4D and filesize > 150KB and all of ($s*) 20 | } 21 | -------------------------------------------------------------------------------- /Ransomware/RAN_Royal_Rumble_Dec_2022_2.yara: -------------------------------------------------------------------------------- 1 | rule RAN_Royal_Rumble_Dec_2022_2 : royal_rumble ransomware x64 2 | { 3 | meta: 4 | description = "Detect the Royal Rumble ransomware (x64)" 5 | author = "Arkbird_SOLG" 6 | reference = "Internal Research" 7 | date = "2022-12-20" 8 | hash1 = "9db958bc5b4a21340ceeeb8c36873aa6bd02a460e688de56ccbba945384b1926" 9 | hash2 = "2598e8adb87976abe48f0eba4bbb9a7cb69439e0c133b21aee3845dfccf3fb8f" 10 | hash3 = "c24c59c8f4e7a581a5d45ee181151ec0a3f0b59af987eacf9b363577087c9746" 11 | tlp = "Clear" 12 | adversary = "-" 13 | strings: 14 | $s1 = { 33 d2 48 8d 8d c0 6b 00 00 41 b8 00 02 00 00 e8 d8 67 16 00 48 8d 15 a1 6c 23 00 48 8d 8d c0 6b 00 00 
ff 15 8c e6 18 00 0f 57 c0 c7 44 24 70 68 00 00 00 33 c0 48 8d 95 c0 6b 00 00 89 45 d4 48 8d 0d b6 6c 23 00 48 89 44 24 60 45 33 c9 48 8d 44 24 50 45 33 c0 48 89 44 24 48 48 8d 44 24 70 48 89 44 24 40 4c 89 64 24 38 4c 89 64 24 30 44 89 64 24 28 44 89 64 24 20 0f 11 44 24 74 0f 11 45 84 0f 11 45 94 0f 11 45 a4 0f 11 45 b4 0f 11 45 c4 0f 11 44 24 50 ff 15 8f e3 18 00 4c 8b ac 24 d0 6e 00 00 4c 8b a4 24 d8 6e 00 00 48 8b b4 24 08 6f 00 00 48 8b 9c 24 00 6f 00 00 85 c0 74 26 48 8b 4c 24 50 ba 10 27 00 00 ff 15 73 e3 18 00 48 8b 4c 24 50 ff 15 b0 e3 18 00 48 8b 4c 24 58 ff 15 a5 e3 18 } 15 | $s2 = { b8 80 10 00 00 e8 8e 62 16 00 48 2b e0 48 8b 05 94 31 25 00 48 33 c4 48 89 84 24 70 10 00 00 48 8b da 48 8b f1 48 89 54 24 40 4c 8d 05 f7 71 23 00 48 8d 4c 24 50 e8 cd 03 00 00 48 8d 4c 24 50 48 83 7c 24 68 08 48 0f 43 4c 24 50 33 ed 48 89 6c 24 30 89 6c 24 28 c7 44 24 20 02 00 00 00 45 33 c9 45 33 c0 ba 00 00 00 40 ff 15 10 fc 18 00 48 8b f8 48 83 f8 ff 0f 85 c6 00 00 00 48 8b 54 24 68 48 83 fa 08 72 37 48 8d 14 55 02 00 00 00 48 8b 4c 24 50 48 8b c1 48 81 fa 00 10 00 00 72 19 48 83 c2 27 48 8b 49 f8 48 2b c1 48 83 c0 f8 48 83 } 16 | $s3 = { 33 d2 41 b8 00 10 00 00 48 8d 4c 24 70 e8 83 7d 16 00 4c 8b 86 10 03 00 00 48 8d 15 05 6b 23 00 48 8d 4c 24 70 e8 7b ef ff ff 89 6c 24 48 48 89 6c 24 20 4c 8d 4c 24 48 44 8b c0 48 8d 54 24 70 48 8b cf ff 15 0c fb 18 00 48 8b cf ff 15 e3 f9 18 00 48 8b 54 24 68 48 } 17 | condition: 18 | uint16(0) == 0x5A4D and filesize > 150KB and all of ($s*) 19 | } 20 | -------------------------------------------------------------------------------- /Ransomware/RAN_SafeSound_Jul_2022_1.yara: -------------------------------------------------------------------------------- 1 | rule RAN_SafeSound_Jul_2022_1 : safeSound ransomware 2 | { 3 | meta: 4 | description = "Detect SafeSound ransomware" 5 | author = "Arkbird_SOLG" 6 | date = "2022-07-08" 7 | reference = "https://bbs.kafan.cn/thread-2238731-1-1.html" 8 | hash1 = 
"8f62d06bbcc5c2ef2db32f0079903759ed296b80ed6d2795abdf730346f05fde" 9 | hash2 = "90ed51fea616dedcb23c6dbd131f6f216ec507c0399c8aae4ee55c4501f77270" 10 | hash3 = "0a82b37e1a7cb6d8e8379796e929774b30fd93a7438782df2bd6b66cad0626a2" 11 | tlp = "Clear" 12 | adversary = "-" 13 | strings: 14 | $s1 = "\\SafeSound.hash" ascii 15 | $s2 = "%SystemRoot%\\System32\\svchost.exe -k" ascii 16 | $s3 = "\\Key.data" ascii 17 | $s4 = "SYSTEM\\CurrentControlSet\\Services\\" ascii 18 | $s5 = "Service Stop ServiceWorkerThread ...." ascii 19 | condition: 20 | uint16(0) == 0x5A4D and filesize > 90KB and all of ($s*) 21 | } 22 | -------------------------------------------------------------------------------- /Ransomware/RAN_Solidbit_Jun_2022_1.yara: -------------------------------------------------------------------------------- 1 | rule RAN_Solidbit_Jun_2022_1 : solidbit ransomware 2 | { 3 | meta: 4 | description = "Detect the Solidbit ransomware" 5 | author = "Arkbird_SOLG" 6 | reference = "Internal Research" 7 | date = "2022-06-28" 8 | hash1 = "63c9e7ec3a191e9ffbfc388a3cf7375693b609f4fd223b3fbcc9d7d21759b1bc" 9 | hash2 = "0f73ddb9dba894298b468d162f7dd49ae6f49cdc71184b98339d5b1e3eccbb02" 10 | hash3 = "eeb0a884d4eabc4f8811ecaa3e37acc8156c52b60a89537c5498df4c0e0c21f7" 11 | tlp = "Clear" 12 | adversary = "RAAS" 13 | strings: 14 | $s1 = { 08 45 08 00 00 00 ?? 00 00 00 ?? 00 00 00 ?? 00 00 00 ?? 00 00 00 ?? 00 00 00 ?? 00 00 00 ?? 00 00 00 ?? 00 00 00 d0 07 00 00 06 26 ?? 0c 2b d0 73 ?? 00 00 0a 0a 06 20 [5] 28 ?? 00 00 06 20 [2] 00 00 20 [2] 00 00 28 ?? 00 00 06 26 ?? 0c 2b aa 06 20 [5] 28 ?? 00 00 06 20 [2] 00 00 20 [2] 00 00 28 ?? 00 00 06 26 06 20 [5] 28 ?? 00 00 06 20 [2] 00 00 20 [2] 00 00 28 ?? 00 00 06 26 ?? 0c 38 6b ff ff ff 06 20 [5] 28 ?? 00 00 06 20 [2] 00 00 20 [2] 00 00 28 ?? 00 00 06 26 06 20 [5] 28 ?? 00 00 06 6f ?? 00 00 0a 26 ?? 0c 38 36 ff ff ff 06 6f ?? 00 00 0a 0b } 15 | $s2 = { 07 45 06 00 00 00 ?? 00 00 00 ?? 00 00 00 ?? 00 00 00 00 00 00 00 ?? 00 00 00 ?? 
00 00 00 02 7b 0a 00 00 04 03 9a 73 ?? 00 00 0a 0a 06 25 20 [2] 00 00 20 [2] 00 00 28 ?? 00 00 06 20 7f ff ff ff 5f 20 [2] 00 00 20 [2] 00 00 28 ?? 00 00 06 ?? 0b 2b aa de 03 26 de 00 ?? 0c 08 45 05 00 00 00 ?? 00 00 00 18 00 00 00 ?? 00 00 00 00 00 00 00 ?? 00 00 00 02 7b 07 00 00 04 7b 05 00 00 04 02 7b 0a 00 00 04 03 9a 28 08 00 00 06 2a d0 24 00 00 06 } 16 | $s3 = { 13 0b 11 0b 45 0a 00 00 00 ?? 00 00 00 ?? 00 00 00 ?? 00 00 00 ?? 00 00 00 ?? 00 00 00 ?? 00 00 00 ?? 00 00 00 ?? 00 00 00 ?? 00 00 00 ?? 00 00 00 73 26 00 00 06 13 08 11 08 02 7d 0b 00 00 04 11 08 02 7b 07 00 00 04 7d 0c 00 00 04 ?? 13 0b 2b b0 11 08 02 7b 08 00 00 04 03 9a } 17 | $s4 = { 11 04 45 08 00 00 00 ?? 00 00 00 ?? 00 00 00 ?? 00 00 00 ?? 00 00 00 ?? 00 00 00 ?? 00 00 00 ?? 00 00 00 ?? 00 00 00 d0 ?? 00 00 06 26 ?? 13 04 2b ce 73 ?? 00 00 0a 0a 73 ?? 00 00 0a 0b ?? 13 04 2b bd 06 20 [5] 28 ?? 00 00 06 07 20 [5] 28 ?? 00 00 06 20 [2] 00 00 20 [2] 00 00 28 ?? 00 00 06 20 [2] 00 00 20 [2] 00 00 28 ?? 00 00 06 } 18 | condition: 19 | uint16(0) == 0x5A4D and filesize > 100KB and all of ($s*) 20 | } 21 | -------------------------------------------------------------------------------- /Ransomware/RAN_Sugar_Jan_2022_1.yara: -------------------------------------------------------------------------------- 1 | rule RAN_Sugar_Jan_2022_1 2 | { 3 | meta: 4 | description = "Detect the Sugar ransomware (Packed)" 5 | author = "Arkbird_SOLG" 6 | reference = "https://medium.com/walmartglobaltech/sugar-ransomware-a-new-raas-a5d94d58d9fb" 7 | date = "2022-02-02" 8 | hash1 = "315045e506eb5e9f5fd24e4a55cda48d223ac3450037586ce6dab70afc8ddfc9" 9 | hash2 = "09ad72ac1eedef1ee80aa857e300161bc701a2d06105403fb7f3992cbf37c8b9" 10 | hash3 = "1d4f0f02e613ccbbc47e32967371aa00f8d3dfcf388c39f0c55a911b8256f654" 11 | tlp = "Clear" 12 | adversary = "RAAS" 13 | strings: 14 | $s1 = { 6a 40 68 00 30 00 00 8b 45 f8 ff 70 50 6a 00 ff 15 04 20 40 00 89 45 f4 83 7d f4 00 0f 84 13 02 00 00 8b 45 f8 ff 70 54 ff 75 08 ff 75 f4 e8 4a f8 ff 
ff 83 c4 0c 83 65 e4 00 eb 07 8b 45 e4 40 89 45 e4 8b 45 f8 0f b7 40 06 48 39 45 e4 7f 3b 8b 45 e0 8b 4d 08 03 48 3c 6b 45 e4 28 8d 84 01 f8 00 00 00 89 45 d8 8b 45 d8 ff 70 10 8b 45 d8 8b 4d 08 } 15 | $s2 = { 8b ec 6a 04 68 00 30 00 00 ff 75 08 6a 00 ff 15 04 20 40 00 5d c3 55 8b ec 68 00 80 00 00 6a 00 ff 75 08 ff 15 08 20 40 00 5d c3 55 8b ec 51 ff 75 10 e8 c8 ff ff ff 8b d0 59 85 d2 74 2e 8b 45 0c 57 33 ff 48 8b cf 89 45 fc 39 4d 10 76 1c 53 8b 5d 08 8a 04 1f 88 04 11 8d 47 01 33 ff 41 3b 45 fc } 16 | $s3 = { 8b 46 3c 05 f8 00 00 00 03 c2 03 c6 68 00 10 40 00 50 89 45 f8 ff 15 1c 20 40 00 85 c0 75 1d 8b 45 f8 6a 04 68 00 30 00 00 ff 70 10 57 ff 15 04 20 40 00 8b c8 89 4d f4 85 c9 75 1c 8b 4d 08 8b 55 fc 41 0f b7 44 33 06 83 c2 28 48 89 4d 08 89 55 fc 3b c8 7e aa eb 18 8b 45 f8 ff 70 10 8b 40 0c 03 c6 50 51 e8 e3 f8 } 17 | $s4 = { 8b ec 83 ec 1c 6a 1c 8d 45 e4 50 68 82 17 40 00 ff 15 0c 20 40 00 8b 45 e8 c9 c3 55 8b ec 83 ec 40 53 c6 45 ff 00 8b 45 08 89 45 e0 8b 45 e0 0f b7 00 3d 4d 5a 00 00 0f 85 50 02 00 00 8b 45 e0 8b 4d 08 03 48 3c 89 4d f8 8b 45 f8 81 38 50 45 00 00 0f 85 35 02 00 00 6a 40 68 } 18 | condition: 19 | uint16(0) == 0x5A4D and filesize > 30KB and all of ($s*) 20 | } 21 | -------------------------------------------------------------------------------- /Ransomware/RAN_Sugar_Jan_2022_2.yara: -------------------------------------------------------------------------------- 1 | rule RAN_Sugar_Jan_2022_2 2 | { 3 | meta: 4 | description = "Detect the Sugar ransomware (Unpacked)" 5 | author = "Arkbird_SOLG" 6 | reference = "https://medium.com/walmartglobaltech/sugar-ransomware-a-new-raas-a5d94d58d9fb" 7 | date = "2022-02-02" 8 | hash1 = "4a97bc8111631795cb730dfe7836d0afac3131ed8a91db81dde5062bb8021058" 9 | hash2 = "43e4a6830f54f3bd039b90f0a27ad19a9f2bb673ab990f34dc201c3b102e056a" 10 | tlp = "Clear" 11 | adversary = "RAAS" 12 | strings: 13 | $s1 = { 68 00 00 00 f0 6a 01 a1 54 13 42 00 8b 00 50 6a 00 8d 45 fc 50 e8 ed bc ff ff 84 c0 75 1a 68 08 00 00 f0 
6a 01 a1 54 13 42 00 8b 00 50 6a 00 8d 45 fc 50 e8 cf bc ff ff 83 7d fc 00 76 49 33 c0 55 68 35 47 41 00 64 ff 30 64 89 20 8b c3 8b d6 e8 da f3 fe ff 8b c3 e8 9f f2 fe ff 50 56 8b 45 fc 50 e8 b0 bc ff ff 33 c0 5a 59 59 64 89 10 68 3c } 14 | $s2 = { 56 57 89 45 fc 8d b5 e4 fd ff ff 33 c0 55 68 8b c5 41 00 64 ff 30 64 89 20 8b c6 ba f4 01 00 00 e8 23 8e fe ff 8d 45 f2 ba 0a 00 00 00 e8 16 8e fe ff 8b 45 fc 8b 15 1c 19 41 00 e8 80 86 fe ff 8d 45 ec 8b 15 1c 19 41 00 e8 72 86 fe ff 8d 45 e8 8b 15 1c 19 41 00 e8 64 86 fe ff 56 68 e8 03 00 00 e8 e9 8c fe ff 33 db 8d 45 f2 33 c9 ba 0a 00 00 00 e8 70 67 fe ff 33 c0 8a 14 1e 88 54 05 f2 40 43 80 3c 1e 00 74 05 83 f8 09 7e ec 8b 45 ec e8 4a 83 fe ff 40 50 8d 45 ec b9 01 00 00 00 8b 15 1c 19 41 } 15 | $s3 = { 89 03 33 c0 89 07 8d 45 f4 50 8b 45 fc 50 6a 00 56 6a 02 e8 9f 94 fe ff 85 c0 0f 85 87 00 00 00 c7 45 f0 00 40 00 00 8b 45 f0 e8 50 6c fe ff 89 03 83 3b 00 74 68 83 3b 00 74 39 c7 07 ff ff ff ff 8b 03 33 c9 8b 55 f0 e8 42 6e fe ff 8d 45 f0 50 8b 03 50 57 8b 45 f4 50 e8 49 94 fe ff 8b f0 81 fe ea 00 00 00 75 13 8b c3 8b 55 f0 e8 5d 6c fe ff eb 07 be ea 00 00 00 eb 08 81 fe ea 00 00 00 74 b3 85 f6 0f 94 45 fb 80 7d fb 00 75 0f 8b 03 e8 19 6c fe ff 33 c0 89 03 33 c0 89 07 8b 45 f4 50 e8 f8 93 fe ff } 16 | $s4 = { 6a 00 6a 00 6a 03 6a 00 6a 00 6a 50 8b 45 fc e8 2a 01 ff ff 50 8b 45 f4 50 e8 ac 25 ff ff 89 45 f0 83 7d f0 00 0f 84 f9 00 00 00 6a 00 68 00 07 00 84 6a 00 6a 00 68 78 3b 41 00 8b 45 e4 e8 fb 00 ff ff 50 68 84 3b 41 00 8b 45 f0 50 e8 60 25 ff ff 89 45 ec 83 7d ec 00 0f 84 bc 00 00 00 8b 45 f8 e8 d7 fe fe ff 50 8b 45 f8 e8 ce 00 ff ff 50 6a 2f 68 8c 3b 41 00 8b 45 ec 50 e8 39 25 ff ff } 17 | condition: 18 | uint16(0) == 0x5A4D and filesize > 30KB and all of ($s*) 19 | } 20 | -------------------------------------------------------------------------------- /Ransomware/RAN_Vovabol_Apr_2022_1.yara: -------------------------------------------------------------------------------- 1 | rule RAN_Vovabol_Apr_2022_1 : vovabol 
ransomware 2 | { 3 | meta: 4 | description = "Detect vovabol ransomware" 5 | author = "Arkbird_SOLG" 6 | date = "2022-04-06" 7 | reference = "https://id-ransomware.blogspot.com/2022/03/vovabol-ransomware.html" 8 | hash1 = "32c5e5f424698791373a921e782e4e42a6838a68aac00d4584c16df428990e19" 9 | hash2 = "3e4828a46b84a5cc0e095cc017e79a512f5f7deeefe39ddf073e527be66fcf56" 10 | hash3 = "7d6d38f2cbe320aff29eb02998476e731d02ca27ca0e2f79063b207fc10229e8" 11 | hash4 = "e4defd8a187a513212cb19c9f2a800505395e66d9cd9eb3a96c291060224e7dd" 12 | tlp = "Clear" 13 | adversary = "-" 14 | strings: 15 | $s1 = { 68 [2] 43 00 ff 15 ?? 10 40 00 89 [5-11] 08 00 00 00 6a 00 8d [3-6] ff 15 ?? 10 40 00 dd 9d [1-2] ff ff [0-1] 8d 4d ?? ff 15 [2] 40 00 8d } 16 | $s2 = { 00 00 00 ?? 68 [2] 43 00 ff 15 ?? 10 40 00 8b d0 8d 4d ?? ff 15 ?? 11 40 00 8b d0 8b 4d 08 83 c1 ?? ff 15 ?? 11 40 00 8d 4d ?? ff 15 ?? 11 40 00 c7 45 fc ?? 00 00 00 c7 [2-5] 04 00 02 80 c7 [2-5] 0a 00 00 00 8d [3-6] ff 15 ?? 11 40 00 8b } 17 | $s3 = { ff 15 ?? 11 40 00 66 89 45 dc 8d [2-5] ff 15 18 10 40 00 c7 45 fc ?? 00 00 00 [5-14] 8d 4d ?? ff 15 ?? 11 40 00 } 18 | $s4 = { 47 65 74 4c 6f 67 69 63 61 6c 44 72 69 76 65 73 00 00 00 00 [2] 43 00 [2] 43 00 00 00 04 00 70 ?? 44 00 00 00 00 00 00 00 00 00 a1 78 ?? 
// NOTE(review): tail of a rule whose header lies above this excerpt — kept as found, not reviewed.
// Its last bytes are `0f 00 00 00` followed by the ASCII "FindFirstFileA" (14 characters + NUL = 15):
// this looks like a length-prefixed API-name record, as used when imports are resolved by hand —
// unverified from here.
44 00 0b c0 74 02 ff e0 68 [2] 43 00 b8 [2] 40 00 ff d0 ff e0 00 00 00 0f 00 00 00 46 69 6e 64 46 69 72 73 74 46 69 6c 65 41 }
    condition:
        uint16(0) == 0x5A4D and filesize > 90KB and all of ($s*)
}

// -------------------------------- /Tools/TOOL_JspFileBrowser_Jan_2022_1.yara: --------------------------------
rule TOOL_JspFileBrowser_Jan_2022_1 : tool fin13
{
    meta:
        description = "Detect a legitimate tool that allows remote web-based file access and manipulation used by the fin13 group"
        // -> https://www.vonloesch.de/filebrowser.html
        author = "Arkbird_SOLG"
        date = "2022-01-07"
        reference = "https://f.hubspotusercontent30.net/hubfs/8776530/Sygnia-%20Elephant%20Beetle_Jan2022.pdf"
        hash1 = "cc07921318364e6f3258c3653c8b8c066f252c7c90a6c0e245890f96c2ec61b8"
        tlp = "Clear"
        adversary = "fin13"
    strings:
        // All six patterns are plain ASCII fragments of the JSP File Browser page written as hex bytes;
        // the equivalent text strings (with the `ascii` modifier) would match identically and read better.
        // $s1: ` (isPacked(name, true)) elink = ahref + "unpackfile="`
        $s1 = { 20 28 69 73 50 61 63 6b 65 64 28 6e 61 6d 65 2c 20 74 72 75 65 29 29 20 65 6c 69 6e 6b 20 3d 20 61 68 72 65 66 20 2b 20 22 75 6e 70 61 63 6b 66 69 6c 65 3d 22 }
        // $s2: `name="Submit" value="<%=SAVE_AS_ZIP%>">`
        $s2 = { 6e 61 6d 65 3d 22 53 75 62 6d 69 74 22 20 76 61 6c 75 65 3d 22 3c 25 3d 53 41 56 45 5f 41 53 5f 5a 49 50 25 3e 22 3e }
        // $s3: `value="<%=UPLOAD_FILES%>"` + LF + two TABs + `onClick="javascript:popUp('<%= browser_name%>')`.
        // The embedded `0a 09 09` pins this to LF line endings and tab indentation: a CRLF-converted or
        // space-reindented copy of the very same page will NOT match, so a miss here is not a clean negative.
        $s3 = { 76 61 6c 75 65 3d 22 3c 25 3d 55 50 4c 4f 41 44 5f 46 49 4c 45 53 25 3e 22 0a 09 09 6f 6e 43 6c 69 63 6b 3d 22 6a 61 76 61 73 63 72 69 70 74 3a 70 6f 70 55 70 28 27 3c 25 3d 20 62 72 6f 77 73 65 72 5f 6e 61 6d 65 25 3e 27 29 }
        // $s4: `name="Submit" value="<%=LAUNCH_COMMAND%>"` — the command-execution button of the tool
        $s4 = { 6e 61 6d 65 3d 22 53 75 62 6d 69 74 22 20 76 61 6c 75 65 3d 22 3c 25 3d 4c 41 55 4e 43 48 5f 43 4f 4d 4d 41 4e 44 25 3e 22 }
        // $s5: `entry[i].getAbsolutePath().toLowerCase().equals(FORBIDDEN_DRIVES[i2])`
        $s5 = { 65 6e 74 72 79 5b 69 5d 2e 67 65 74 41 62 73 6f 6c 75 74 65 50 61 74 68 28 29 2e 74 6f 4c 6f 77 65 72 43 61 73 65 28 29 2e 65 71 75 61 6c 73 28 46 4f 52 42 49 44 44 45 4e 5f 44 52 49 56 45 53 5b 69 32 5d 29 }
        // $s6: `jsp File Browser version <%= VERSION_NR%>` — the version banner
        $s6 = { 6a 73 70 20 46 69 6c 65 20 42 72 6f 77 73 65 72 20 76 65 72 73 69 6f 6e 20 3c 25 3d 20 56 45 52 53 49 4f 4e 5f 4e 52 25 3e }
    condition:
        // This matches the stock tool itself (see description): a hit proves the file browser is present
        // on the web root, not that FIN13 put it there — check who deployed it and when before escalating.
        // "all of" means a copy with the banner or any button label edited is missed.
        filesize > 5KB and all of ($s*)
}

// -------------------------------- /Tools/TOOL_MiniWebCmdShell_Jan_2022_1.yara: --------------------------------
rule TOOL_MiniWebCmdShell_Jan_2022_1 : tool webshell fin13
{
    meta:
        description = "Detect a remote webshell used by the fin13 group"
        // -> https://github.com/SecWiki/WebShell-2/blob/master/Php/ava%20Server%20Faces%20MiniWebCmdShell%200.2%20by%20HeartLESS.php
        author = "Arkbird_SOLG"
        date = "2022-01-07"
        reference = "https://f.hubspotusercontent30.net/hubfs/8776530/Sygnia-%20Elephant%20Beetle_Jan2022.pdf"
        hash1 = "a73f75ab7a2408f490c721c233583316bd3eb901bd32f2a0bf04282fa6a4219c"
        tlp = "Clear"
        adversary = "fin13"
    strings:
        // ASCII fragments of the JSP/JavaScript page, written as hex bytes (text strings would match the same).
        // $s1: `<form onsubmit="return startMagic()">`
        $s1 = { 3c 66 6f 72 6d 20 6f 6e 73 75 62 6d 69 74 3d 22 72 65 74 75 72 6e 20 73 74 61 72 74 4d 61 67 69 63 28 29 22 3e }
        // $s2: `request.getParameter('cmd')` — the server-side read of the command parameter
        $s2 = { 72 65 71 75 65 73 74 2e 67 65 74 50 61 72 61 6d 65 74 65 72 28 27 63 6d 64 27 29 }
        // $s3: `window.XMLHttpRequest` — generic JavaScript; only meaningful under "all of"
        $s3 = { 77 69 6e 64 6f 77 2e 58 4d 4c 48 74 74 70 52 65 71 75 65 73 74 }
        // $s4: `"GET",location.pathname+"?cmd="` — the client sends commands as a GET query string, so
        // operator activity should normally also be visible in web-server access logs as `?cmd=` requests.
        $s4 = { 22 47 45 54 22 2c 6c 6f 63 61 74 69 6f 6e 2e 70 61 74 68 6e 61 6d 65 2b 22 3f 63 6d 64 3d 22 }
        // $s5: `xmlhttp.send()` — generic
        $s5 = { 78 6d 6c 68 74 74 70 2e 73 65 6e 64 28 29 }
        // $s6: `Java Server Faces MiniWebCmdShell` — banner; a copy with the banner stripped is not caught
        $s6 = { 4a 61 76 61 20 53 65 72 76 65 72 20 46 61 63 65 73 20 4d 69 6e 69 57 65 62 43 6d 64 53 68 65 6c 6c }
    condition:
        // Upper size bound only: the shell is a small single page. Note that $s3/$s5 are generic and $s1/$s6
        // are cosmetic, so the precision really rests on $s2 + $s4 plus the "all of" requirement.
        filesize < 10KB and all of ($s*)
}

// -------------------------------- /Wipers/WIP_DoubleZero_Mar_2022_1.yara: --------------------------------
rule WIP_DoubleZero_Mar_2022_1 : wiper doublezero
{
    meta:
        description = "Detect .NET wiper used during Ukrainian crisis against Ukraine infrastructures"
        author = "Arkbird_SOLG"
        reference = "https://cert.gov.ua/article/38088"
        date = "2022-03-22"
        hash1 = "30b3cbe8817ed75d8221059e4be35d5624bd6b5dc921d4991a7adc4c3eb5de4a"
        hash2 = "3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe"
        adversary = "UAC-0088"
        tlp = "Clear"
    strings:
        // The four patterns are CIL byte sequences (0x28 call, 0x7e ldsfld, 0x73 newobj, 0x8d newarr,
        // 0xd0 ldtoken, each followed by a 4-byte metadata token). `??` masks the token bytes that move
        // between builds and the [n-m] jumps absorb differing ldc encodings. There is no string or
        // resource anchor, so identifier renaming does not matter, but a recompile that reorders the
        // metadata tables (tokens such as 0x0A000078 / 0x0A000010 below are fixed) can break the match.
        // $s1: ldsfld / dup / brtrue.s / pop / ldsfld / ldftn / newobj / dup / stsfld / call / ret —
        // the C# compiler's cached-delegate idiom. Common to almost any .NET assembly; it is the fixed
        // tokens, not the shape, that make it specific.
        $s1 = { 28 78 00 00 0a 7e ?? 06 00 04 25 2d 17 26 7e ?? 06 00 04 fe 06 ?? 00 00 06 73 79 00 00 0a 25 80 ?? 06 00 04 28 04 00 00 2b 2a }
        // $s2/$s3: ldelem.ref + castclass, a call into a local method (0x06 table), then `1b 8d ... 01`
        // (new T[5]) filled with five `dup / ldc / newarr / dup / ldtoken <field> / call 0x0A000010 /
        // stelem.ref` blocks — the shape of constant-array initialisation (presumably
        // RuntimeHelpers.InitializeArray). I.e. five constant byte tables being materialised; their
        // contents live in static fields and are not part of the pattern.
        $s2 = { 08 07 9a 74 01 00 00 1b 16 16 28 1b 00 00 06 0d 09 1f ?? 2e ?? 09 [2-5] 3b ?? 03 00 00 38 ?? 03 00 00 00 14 13 04 28 3b 00 00 0a 6f 3c 00 00 0a 13 05 16 13 06 1b 8d 0f 00 00 01 25 16 1f 0c 8d ?? 00 00 01 25 d0 [2] 00 04 28 10 00 00 0a a2 25 17 [1-2]8d ?? 00 00 01 25 d0 [2] 00 04 28 10 00 00 0a a2 25 18 1f ?? 8d ?? 00 00 01 25 d0 [2] 00 04 28 10 00 00 0a a2 25 19 [1-2] 8d ?? 00 00 01 25 d0 ?? 02 00 04 28 10 00 00 0a a2 25 1a 1f ?? 8d ?? 00 00 01 25 d0 [2] 00 04 28 10 00 00 0a a2 13 07 38 }
        $s3 = { 08 07 9a 74 01 00 00 1b 16 16 28 1f 00 00 06 0d 09 1f [9-10] 00 00 [2] 10 00 00 00 14 13 04 02 28 81 00 00 0a 13 05 16 13 06 1b 8d 0f 00 00 01 25 16 [1-2] 8d ?? 00 00 01 25 d0 ?? 05 00 04 28 10 00 00 0a a2 25 17 1f ?? 8d ?? 00 00 01 25 d0 [2] 00 04 28 10 00 00 0a a2 25 18 1c 8d ?? 00 00 01 25 d0 ?? 04 00 04 28 10 00 00 0a a2 25 19 1f ?? 8d ?? 00 00 01 25 d0 [2] 00 04 28 10 00 00 0a a2 25 1a 1f 0c 8d ?? 00 00 01 25 d0 [2] 00 04 28 10 00 00 0a a2 13 07 38 ?? 04 00 00 11 07 11 06 9a 74 01 00 00 1b 16 16 28 1f 00 00 06 13 0b 11 0b }
        // $s4: the opening of another constant-array construction of the same shape (ldnull, ldc.i4.0,
        // newarr, dup, ldc, newarr, dup, ldtoken, call 0x0A000010, stelem.ref).
        $s4 = { 14 0a 16 0b 1f ?? 8d 0f 00 00 01 25 16 1f ?? 8d ?? 00 00 01 25 d0 ?? 02 00 04 28 10 00 00 0a a2 25 17 [4] 00 }
    condition:
        // MZ header + lower size bound; the description says .NET but nothing here checks for a CLR header,
        // which is acceptable given that the CIL patterns themselves only occur in managed code.
        uint16(0) == 0x5A4D and filesize > 30KB and all of ($s*)
}

// -------------------------------- /Wipers/WIP_IsaacWiper_Mar_2022_1.yara: --------------------------------
rule WIP_IsaacWiper_Mar_2022_1 : wiper isaacwiper
{
    meta:
        description = "Detect the IsaacWiper wiper"
        author = "Arkbird_SOLG"
        reference = "https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/"
        date = "2022-03-03"
        hash1 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033"
        hash2 = "7bcd4ec18fc4a56db30e0aaebd44e2988f98f7b5d8c14f6689f650b4f11e16c0"
        tlp = "Clear"
        adversary = "-"
    strings:
        // Every pattern embeds absolute addresses for image base 0x10000000 (IAT slots such as
        // 0x10026048 / 0x1002616c / 0x1002600c, the code pointer 0x10003520, vtable pointers in
        // 0x100327xx-0x100328xx, globals 0x10036c44 / 0x10036c48) plus fixed rel32 call displacements.
        // That ties the rule to this exact build and link layout: a rebuilt, rebased or even
        // differently-linked variant will not hit, so treat a miss as "not this build", not "clean".
        // $s1: a loop over 0x68 (104)-byte records (`6b c2 68` / `6b c7 68` imul by 0x68, `6a 68`);
        // each iteration makes a 6-argument import call with arguments (0, 0, 0x10003520, eax, 0, 0) —
        // the CreateThread argument shape, 0x10003520 being the thread routine — and tests the
        // returned handle (`85 c0 74 36`). Reads as one worker thread per record; confirm in the sample.
        $s1 = { 6b c2 68 8d 8c 24 98 01 00 00 42 89 94 24 28 0c 00 00 ba 68 00 00 00 6a 68 53 03 c8 e8 1f 5e 00 00 8b bc 24 30 0c 00 00 8d 8c 24 a0 01 00 00 83 c4 08 4f 6b c7 68 6a 00 6a 00 89 44 24 34 03 c1 50 68 20 35 00 10 6a 00 6a 00 ff 15 48 60 02 10 89 44 24 28 85 c0 74 36 8b 84 24 98 0c 00 00 8d 8c 24 30 0c 00 00 6a 04 ba 04 00 00 00 8d 0c 81 40 89 84 24 9c 0c 00 00 8d 44 24 2c 50 e8 be 5d 00 00 8b 94 24 30 0c 00 00 83 c4 08 eb 4c 8b 94 24 28 0c 00 00 8d 42 ff 3b f8 74 36 2b d7 8d 8c 24 98 01 00 00 8b 7c 24 2c 03 cf 6b c2 68 ba 90 0a 00 00 2b d7 83 e8 68 50 8d 84 24 04 02 00 00 03 c7 50 e8 78 5d 00 00 8b 94 24 30 0c 00 00 83 c4 08 4a 89 94 24 28 0c }
        // $s2: stores code pointers (0x100327d8, 0x100327c0, 0x100327d0, 0x10032850, 0x10032804) into
        // freshly allocated objects and zeroes their fields — C++ constructor / vtable set-up. This is
        // pure compiler layout with no behavioural anchor; it is the most fragile of the four.
        $s2 = { 8b 43 10 6a 08 8b 40 04 c7 44 03 10 d8 27 03 10 8b 43 10 8b 48 04 8d 41 f8 89 44 0b 0c 8b 03 8b 40 04 c7 04 03 c0 27 03 10 8b 03 8b 48 04 8d 41 e0 89 44 19 fc 8b 03 8b 40 04 c7 04 03 d0 27 03 10 8b 03 8b 48 04 8d 41 88 89 44 19 fc c7 07 50 28 03 10 e8 35 4d 00 00 83 c4 04 8b f0 6a 01 e8 ac 41 00 00 89 46 04 8d 5f 24 89 77 34 8d 47 08 89 5f 2c 8d 4f 14 89 47 10 8d 57 18 c7 07 04 28 03 10 8d 77 04 c6 47 48 00 8d 5f 28 c6 47 3e 00 83 c4 04 89 77 0c 89 4f 1c 89 57 20 89 5f 30 c7 00 00 00 00 00 a1 44 6c 03 10 c7 02 00 00 00 00 c7 03 00 00 00 00 c7 06 00 00 00 00 c7 01 00 00 00 00 c7 47 24 00 00 00 00 6a 40 89 47 40 a1 48 6c 03 10 6a 02 68 60 24 03 10 c7 47 4c 00 00 00 00 89 47 44 c7 47 38 00 00 00 00 e8 c3 }
        // $s3: two alternative import calls (0x1002616c, then via esi / 0x10026124) fed the same two
        // stack arguments ([ebp+8], [ebp+0xc]); targets are not recoverable from the pattern.
        $s3 = { ff 75 0c 8b ce ff 75 08 ff 15 6c 61 02 10 ff d6 eb 14 6a 00 ff 75 0c ff 75 08 ff 15 24 61 02 10 50 }
        // $s4: compares a struct field at +0x24 with 7, zeroes two 8-byte locals with xorps/movlpd and
        // passes (esi, &local1, &local2, 0) to an import at 0x1002600c — a 4-argument call with two
        // 8-byte out-parameters; the API is not identifiable from the bytes alone.
        $s4 = { 83 7e 24 07 0f 57 c0 66 0f 13 45 e4 66 0f 13 45 f4 75 16 6a 00 8d 45 e4 50 8d 45 f4 50 56 ff 15 0c 60 02 10 83 }
    condition:
        // Four build-specific sequences under "all of": high precision on the two listed hashes, no
        // coverage of other builds. Pair with an import/behaviour-based hunting rule if variants matter.
        uint16(0) == 0x5A4D and filesize > 30KB and all of ($s*)
}

// -------------------------------- /Wipers/WIP_RuRansom_Mar_2022_1.yara: --------------------------------
rule WIP_RuRansom_Mar_2022_1 : wiper ruransom
{
    meta:
        description = "Detect wiper implant used during Ukrainian crisis against Russia"
        author = "Arkbird_SOLG"
        reference = "https://www.trendmicro.com/en_us/research/22/c/new-ruransom-wiper-targets-russia.html"
        date = "2022-03-10"
        hash1 = "8f2ea18ed82085574888a03547a020b7009e05ae0ecbf4e9e0b8fe8502059aae"
        hash2 = "696b6b9f43e53387f7cef14c5da9b6c02b6bf4095849885d36479f8996e7e473"
        hash3 = "107da216ad99b7c0171745fe7f826e51b27b1812d435b55c3ddb801e23137d8f"
        adversary = "-"
        // NOTE(review): no tlp marking here, unlike the other rules in this set (tlp = "Clear") — add one
        // so the sharing constraints are unambiguous when this file is redistributed on its own.
    strings:
        // CIL patterns with all metadata tokens masked (`?? 00 00 0a` / `?? 00 00 06`), so these key on
        // opcode shape and immediates rather than on a specific build — more variant-tolerant than the
        // native-code rules in this set, at the cost of each pattern alone being fairly generic.
        // $s1: per array element (ldelem.ref) a property is read and compared with 2 (beq.s) and then 4
        // (ldc.i4.4 / ceq) before two callvirts and a call. If the array is DriveInfo[] those values are
        // DriveType.Removable (2) and DriveType.Network (4); plausible for a self-spreading wiper, but
        // confirm in the sample.
        $s1 = { 9a [3-5] 6f ?? 00 00 0a 18 2e [2-3] 6f ?? 00 00 0a 1a fe 01 2b 01 17 13 ?? 11 ?? 2c ?? 00 [1-2] 6f ?? 00 00 0a 6f ?? 00 00 0a 28 }
        // $s2: ldstr + call, then a loop over an array: newobj on each element, a string compare with
        // another ldstr, a callvirt that stores the constant 0x80 (FileAttributes.Normal = 128 if this is
        // a FileInfo — the usual trick to clear read-only before overwriting), a call into a local method
        // with ldarg.0, and a second loop calling a local method again; the whole thing sits in a
        // try block whose handler is `pop / leave` (`de 05 26 00 00 de`), i.e. errors are swallowed.
        // Reads like a recursive directory walk that processes every file; confirm against the sample.
        $s2 = { 02 72 ?? 00 00 70 28 ?? 00 00 0a 72 [2] 00 70 28 ?? 00 00 0a 28 ?? 00 00 0a 0a 06 39 9f 00 00 00 00 02 28 ?? 00 00 0a 0b 16 0d 2b 4f 00 07 09 9a 73 ?? 00 00 0a 13 04 07 09 9a 28 ?? 00 00 0a 6f ?? 00 00 0a 72 [2] 00 70 28 ?? 00 00 0a 13 05 11 05 2c 0b 00 07 09 9a 28 ?? 00 00 0a 00 00 11 04 20 80 00 00 00 6f ?? 00 00 0a 00 07 09 9a 02 28 ?? 00 00 06 00 00 09 17 58 0d 09 07 8e 69 fe 04 13 06 11 06 2d a5 02 28 ?? 00 00 0a 0c 16 13 07 2b 1c 00 08 11 07 9a 72 [2] 00 70 28 ?? 00 00 0a 28 ?? 00 00 06 00 00 11 07 17 58 13 07 11 07 08 8e 69 fe 04 13 08 11 08 2d d7 00 2b 02 00 00 00 de 05 26 00 00 de }
        // $s3: two newobj, then a counted loop (ldc.i4.0 / add 1 / clt against a property of arg0) whose
        // body chains four callvirts on (local0, arg0, local1, 0, arg0) and discards the result, ending
        // with a callvirt on local0 that becomes the return value — a builder/accumulator loop over the
        // length of the argument.
        $s3 = { 73 ?? 00 00 0a 0a 73 ?? 00 00 0a 0b 16 0c 2b 20 00 06 02 07 16 02 6f ?? 00 00 0a 6f ?? 00 00 0a 6f ?? 00 00 0a 6f ?? 00 00 0a 26 00 08 17 58 0c 08 02 6f ?? 00 00 0a fe 04 0d 09 2d d3 06 6f ?? 00 00 0a 13 04 2b 00 11 04 }
        // $s4: newobj, newobj, then on the second object: set 256 (`20 00 01 00 00`), set 128
        // (`20 80 00 00 00`), newobj(arg1, local0, 512), set a value of (first setting / 8) bytes, set a
        // value of (second setting / 8) bytes (`1e 5b` = ldc.i4.8 div), set 1, then newobj(local3,
        // <created transform>, 1), a Write-style callvirt over all of arg0 (ldlen conv.i4), Close, and
        // try/finally disposal. This is the textbook symmetric-encryption helper shape (KeySize 256,
        // BlockSize 128, 512-iteration derive-bytes, Key/IV from bits/8, mode 1 = CBC if this is
        // System.Security.Cryptography). Consistent with "encrypts files", but confirm in the sample.
        $s4 = { 73 ?? 00 00 0a 0d 00 73 ?? 00 00 0a 13 04 00 11 04 20 00 01 00 00 6f ?? 00 00 0a 00 11 04 20 80 00 00 00 6f ?? 00 00 0a 00 03 06 20 00 02 00 00 73 ?? 00 00 0a 13 05 11 04 11 05 11 04 6f ?? 00 00 0a 1e 5b 6f ?? 00 00 0a 6f ?? 00 00 0a 00 11 04 11 05 11 04 6f ?? 00 00 0a 1e 5b 6f ?? 00 00 0a 6f ?? 00 00 0a 00 11 04 17 6f ?? 00 00 0a 00 09 11 04 6f ?? 00 00 0a 17 73 ?? 00 00 0a 13 06 00 11 06 02 16 02 8e 69 6f ?? 00 00 0a 00 11 06 6f ?? 00 00 0a 00 00 de 0d 11 06 2c 08 11 06 6f ?? 00 00 0a 00 dc 09 6f ?? 00 00 0a 0c de 18 11 04 2c 08 11 04 6f ?? 00 00 0a 00 dc 09 2c 07 09 6f ?? 00 00 0a }
    condition:
        // $s4 alone would fire on many .NET programs that use the same encryption snippet; precision
        // comes from requiring all four together (drive check + recursive walk + builder loop + crypto).
        uint16(0) == 0x5A4D and filesize > 5KB and all of ($s*)
}

// -------------------------------- /Wipers/WIP_Unk_Ukr_Feb_2022_1.yara: --------------------------------
rule WIP_Unk_Ukr_Feb_2022_1 : wiper
{
    meta:
        description = "Detect wiper implant used during Ukrainian crisis"
        author = "Arkbird_SOLG"
        reference = "https://twitter.com/ESETresearch/status/1496581903205511181"
        date = "2022-02-24"
        hash1 = "0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da"
        hash2 = "1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591"
        adversary = "-"
        // NOTE(review): no tlp marking here, unlike the other rules in this set (tlp = "Clear") — add one.
        // NOTE(review): the only reference is a tweet, which is not a durable citation. If the vendor's
        // follow-up writeup names this family and lists these two hashes, record the name in the
        // description/tags and add that URL (and an archived copy of the tweet) here.
    strings:
        // All four patterns carry absolute addresses for image base 0x00400000 (IAT slots such as
        // 0x0040504c / 0x00405054 / 0x00405050 / 0x00405060 / 0x0040505c / 0x00405078, string and format
        // pointers in 0x004051xx-0x004056xx) and fixed rel32 displacements. They are pinned to this exact
        // build; a recompiled or rebased variant will not match, so a miss is not a clean negative.
        // $s1: push 0x80000002 (HKEY_LOCAL_MACHINE), a subkey pointer and &hKey into a 3-argument import
        // call; on success, a 6-argument import call passing hKey, a value-name pointer, 0, type 4
        // (REG_DWORD), a pointer to a DWORD that was just set to 0, and size 4; then a call with hKey
        // alone — the RegOpenKey / RegSetValueEx / RegCloseKey shape, writing a DWORD 0 under HKLM.
        // The key and value names are only referenced by pointer (`?? 56 40 00`, `?? 57 40 00`) and are
        // not in the pattern: pull them from the sample to derive a registry-based detection that does
        // not depend on this build. The tail is a 4-argument cdecl call (`83 c4 10`) that takes a
        // 0x104 (MAX_PATH)-sized buffer — presumably a string formatter.
        $s1 = { 8d 45 fc c7 45 fc 00 00 00 00 50 68 ?? 56 40 00 68 02 00 00 80 ff 15 4c 50 40 00 85 c0 75 24 6a 04 89 45 f4 8d 45 f4 50 6a 04 6a 00 68 ?? 57 40 00 ff 75 fc ff 15 54 50 40 00 ff 75 fc ff 15 50 50 40 00 6a 00 68 d0 51 40 00 8d 85 60 f9 ff ff 68 04 01 00 00 50 ff 15 ?? 51 40 00 83 c4 10 8d 8d 60 f9 ff ff 33 d2 6a 00 e8 91 ec ff }
        // $s2: formats into a 0x104-byte buffer, calls a local helper and checks its result against -1
        // (INVALID_HANDLE_VALUE) and 0, allocates 0x24C0 bytes with flag 8 via a zero-argument call
        // followed by a 3-argument one (the GetProcessHeap / HeapAlloc(HEAP_ZERO_MEMORY) shape), then
        // issues an 8-argument import call with (handle, 0x00070050, NULL, 0, buffer, 0x24C0,
        // &returned, NULL) — the DeviceIoControl signature. 0x00070050 is
        // CTL_CODE(IOCTL_DISK_BASE=7, 0x14, METHOD_BUFFERED, FILE_ANY_ACCESS), i.e.
        // IOCTL_DISK_GET_DRIVE_LAYOUT_EX: the code reads the partition layout of a raw disk.
        // "raw \\.\PhysicalDrive handle followed by IOCTL 0x70050 from a non-system process" is a
        // build-independent EDR/ETW pivot for this behaviour.
        $s2 = { 8b ec 81 ec 60 02 00 00 53 56 57 51 68 a8 51 40 00 0f 57 c0 89 55 e4 8d 85 a4 fd ff ff c7 45 f0 00 00 00 00 68 04 01 00 00 33 f6 66 0f d6 45 dc 33 ff 89 75 f4 50 0f 11 45 bc 89 7d e8 0f 11 45 cc ff 15 ?? 51 40 00 83 c4 10 8d 45 b0 8d 55 bc 8d 8d a4 fd ff ff 50 e8 b3 fa ff ff 8b d8 83 fb ff 0f 84 ab 01 00 00 85 db 0f 84 d8 01 00 00 bf c0 24 00 00 57 6a 08 ff 15 60 50 40 00 50 ff 15 5c 50 40 00 6a 00 8b f0 8d 45 f4 50 57 56 6a 00 6a 00 68 50 00 07 00 53 ff 15 }
        // $s3/$s4: two instances of the same time arithmetic — a one-pointer import call (0x00405078),
        // a 64-bit subtraction (`2b ce` / `2b c7`), a multiply of a stack slot by 0xEA60 (60000 = ms per
        // minute) and a 64-bit division by 10000 (`68 10 27 00 00`; FILETIME 100 ns ticks -> ms).
        // Reads as "have N minutes elapsed", with N loaded from the stack rather than from the pattern;
        // confirm in the sample. $s4 starts mid-instruction (`44 24 1c` is the tail of the lea that
        // $s3 shows in full as `8d 44 24 0c`); harmless for YARA, just a byte offset.
        $s3 = { 8d 54 24 0c b9 90 22 40 00 e8 [2] ff ff 8d 44 24 0c ba 20 29 40 00 50 68 d0 28 40 00 b9 a0 52 40 00 e8 ?? f6 ff ff 8d 44 24 14 ba 70 29 40 00 50 68 90 28 40 00 b9 a0 52 40 00 e8 ?? f6 ff ff 83 c4 10 8d 44 24 0c ba 01 00 00 00 b9 e0 52 40 00 50 e8 [2] 00 00 8b 7c 24 30 8d 44 24 24 8b 74 24 34 50 ff 15 78 50 40 00 8b 4c 24 28 8b 44 24 24 2b ce 33 f6 2b c7 69 7c 24 3c 60 ea 00 00 56 68 10 27 00 00 51 50 e8 ?? cf ff ff }
        $s4 = { 44 24 1c ba 01 00 00 00 50 b9 ?? 55 40 00 e8 ?? 0d 00 00 8b 7c 24 30 8d 44 24 10 8b 74 24 34 50 ff 15 78 50 40 00 8b 4c 24 14 8b 44 24 10 2b ce 33 f6 2b c7 69 7c 24 24 60 ea 00 00 56 68 10 27 00 00 51 50 e8 30 d1 ff ff 2b f8 1b }
    condition:
        // Four build-specific sequences under "all of": high precision on the two listed hashes, no
        // coverage of rebuilt variants. Keep a looser hunting companion (e.g. the IOCTL constant plus
        // the registry write shape) if variant coverage matters.
        uint16(0) == 0x5A4D and filesize > 30KB and all of ($s*)
}

// --------------------------------------------------------------------------------