├── 1012
    └── 1012.yar
├── 1013
    └── 1013.yar
├── 1014
    └── 1014.yar
├── 1017
    └── 1017.yar
├── 1051
    └── 1051.yar
├── 3521
    └── 3521.yar
├── 3580
    └── 3580.yar
├── 3584
    └── 3584.yar
├── 3930
    └── 3930.yar
├── 4301
    └── 4301.yar
├── 4485
    └── 4485.yar
├── 4641
    └── 4641.yar
├── 4778
    └── 4778.yar
├── 5087
    └── 5087.yar
├── 5295
    └── 5295.yar
├── 5426
    └── 5426.yar
├── 5582
    └── 5582.yar
├── 5794
    └── 5794.yar
├── 6898
    └── 6898.yar
├── 7685
    └── 7685.yar
├── 8099
    └── 8099.yar
├── 8734
    └── 8734.yar
├── 9438
    └── 9438.yar
├── 9893
    └── 9893.yar
├── 11462
    └── 11462.yar
├── 12647
    └── 12647.yar
├── 12780
    └── 12780.yar
├── 12993
    └── 12993.yar
├── 13842
    └── 13842.yar
├── 14335
    └── 14335.yar
├── 14373
    └── 14373.yar
├── 15184
    └── 15184.yar
├── 17333
    └── 17333.yar
├── 17386
    └── 17386.yar
├── 18041
    └── 18041.yar
├── 18190
    └── 18190.yar
├── 18364
    └── 18364.yar
├── 18543
    └── 18543.yar
├── 19172
    └── 19172.yar
├── 19208
    └── 19208.yar
├── 19438
    └── 19438.yar
├── 19530
    └── 19530.yar
├── 19772
    └── 19772.yar
├── 21619
    └── 21619.yar
├── 23869
    └── 23869.yar
├── 24952
    └── 24952.yar
├── 25590
    └── 25590.yar
├── 26364
    └── 26364.yar
├── 27138
    └── 27138.yar
├── 27244
    └── 27244.yar
├── 27899
    └── 27899.yar
├── .yara-ci.yml
├── LICENSE
├── README.md
├── compilation
    └── Cobalt Strike, a Defender’s Guide
└── index.yar


/.yara-ci.yml:
--------------------------------------------------------------------------------
 1 | branches:
 2 |   accept:
 3 |   - "**"
 4 | files:
 5 |   accept:
 6 |   - "**.yar"
 7 |   - "**.yara"
 8 | false_positives:
 9 |   ignore:
10 |    - rule: "sig_6898_dcrypt"
11 |    - rule: "unlocker"
12 | 


--------------------------------------------------------------------------------
/1012/1012.yar:
--------------------------------------------------------------------------------
  1 | /*
  2 | YARA Rule Set
  3 | Author: The DFIR Report
  4 | Date: 2021-01-10
  5 | Identifier: Case 1012 Trickbot Still Alive and Well
  6 | Reference: https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/
  7 | */
  8 | 
  9 | /* Rule Set ----------------------------------------------------------------- */
 10 | 
 11 | import "pe"
 12 | 
 13 | rule cobalt_strike_TSE588C {
 14 | meta:
 15 | description = "exe - file TSE588C.exe"
 16 | author = "The DFIR Report"
 17 | reference = "https://thedfirreport.com"
 18 | date = "2021-01-05"
 19 | hash1 = "32c13df5d411bf5a114e2021bbe9ffa5062ed1db91075a55fe4182b3728d62fe"
 20 | strings:
 21 | $s1 = "mneploho86.dll" fullword ascii
 22 | $s2 = "C:\\projects\\Project1\\Project1.pdb" fullword ascii
 23 | $s3 = "AppPolicyGetProcessTerminationMethod" fullword ascii
 24 | $s4 = "AppPolicyGetThreadInitializationType" fullword ascii
 25 | $s5 = "boltostrashno.nfo" fullword ascii
 26 | $s6 = "operator<=>" fullword ascii
 27 | $s7 = "operator co_await" fullword ascii
 28 | $s8 = "?7; ?<= <?= 6<" fullword ascii /* hex encoded string 'v' */
 29 | $s9 = ".data$rs" fullword ascii
 30 | $s10 = "tutoyola" fullword ascii
 31 | $s11 = "Ommk~z#K`majg`i4.itg~\".jkhbozk" fullword ascii
 32 | $s12 = "api-ms-win-appmodel-runtime-l1-1-2" fullword wide
 33 | $s13 = "OVOVPWTOVOWOTF" fullword ascii
 34 | $s14 = "vector too long" fullword ascii
 35 | $s15 = "n>log2" fullword ascii
 36 | $s16 = "\\khk|k|4.fzz~4!!majk d" fullword ascii
 37 | $s17 = "network reset" fullword ascii /* Goodware String - occured 567 times */
 38 | $s18 = "wrong protocol type" fullword ascii /* Goodware String - occured 567 times */
 39 | $s19 = "owner dead" fullword ascii /* Goodware String - occured 567 times */
 40 | $s20 = "connection already in progress" fullword ascii /* Goodware String - occured 567 times */
 41 | condition:
 42 | uint16(0) == 0x5a4d and filesize < 900KB and
 43 | ( pe.imphash() == "bb8169128c5096ea026d19888c139f1a" or 10 of them )
 44 | }
 45 | 
 46 | rule trickbot_kpsiwn {
 47 | meta:
 48 | description = "exe - file kpsiwn.exe"
 49 | author = "The DFIR Report"
 50 | reference = "https://thedfirreport.com"
 51 | date = "2021-01-05"
 52 | hash1 = "e410123bde6a317cadcaf1fa3502301b7aad6f528d59b6b60c97be077ef5da00"
 53 | strings:
 54 | $s1 = "C:\\Windows\\explorer.exe" fullword ascii
 55 | $s2 = "constructor or from DllMain." fullword ascii
 56 | $s3 = "esource" fullword ascii
 57 | $s4 = "Snapping window demonstration" fullword wide
 58 | $s5 = "EEEEEEEEEFFB" ascii
 59 | $s6 = "EEEEEEEEEEFC" ascii
 60 | $s7 = "EEEEEEEEEEFD" ascii
 61 | $s8 = "DINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD" fullword ascii
 62 | $s9 = "EFEEEEEEEEEB" ascii
 63 | $s10 = "e[!0LoG" fullword ascii
 64 | $s11 = ">*P<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\">" fullword ascii
 65 | $s12 = "o};k- " fullword ascii
 66 | $s13 = "YYh V+ i" fullword ascii
 67 | $s14 = "fdlvic" fullword ascii
 68 | $s15 = "%FD%={" fullword ascii
 69 | $s16 = "QnzwM#`8" fullword ascii
 70 | $s17 = "xfbS/&s:" fullword ascii
 71 | $s18 = "1#jOSV9\"" fullword ascii
 72 | $s19 = "JxYt1L=]" fullword ascii
 73 | $s20 = "a3NdcMFSZEmJwXod1oyI@Tj4^mY+UsZqK3>fTg<P*$4DC?y@esDpRk@T%t" fullword ascii
 74 | condition:
 75 | uint16(0) == 0x5a4d and filesize < 1000KB and
 76 | ( pe.imphash() == "a885f66621e03089e6c6a82d44a5ebe3" or 10 of them )
 77 | }
 78 | 
 79 | rule cobalt_strike_TSE28DF {
 80 | meta:
 81 | description = "exe - file TSE28DF.exe"
 82 | author = "The DFIR Report"
 83 | reference = "https://thedfirreport.com"
 84 | date = "2021-01-05"
 85 | hash1 = "65282e01d57bbc75f24629be9de126f2033957bd8fe2f16ca2a12d9b30220b47"
 86 | strings:
 87 | $s1 = "mneploho86.dll" fullword ascii
 88 | $s2 = "C:\\projects\\Project1\\Project1.pdb" fullword ascii
 89 | $s3 = "AppPolicyGetProcessTerminationMethod" fullword ascii
 90 | $s4 = "AppPolicyGetThreadInitializationType" fullword ascii
 91 | $s5 = "boltostrashno.nfo" fullword ascii
 92 | $s6 = "operator<=>" fullword ascii
 93 | $s7 = "operator co_await" fullword ascii
 94 | $s8 = ".data$rs" fullword ascii
 95 | $s9 = "tutoyola" fullword ascii
 96 | $s10 = "api-ms-win-appmodel-runtime-l1-1-2" fullword wide
 97 | $s11 = "vector too long" fullword ascii
 98 | $s12 = "wrong protocol type" fullword ascii /* Goodware String - occured 567 times */
 99 | $s13 = "network reset" fullword ascii /* Goodware String - occured 567 times */
100 | $s14 = "owner dead" fullword ascii /* Goodware String - occured 567 times */
101 | $s15 = "connection already in progress" fullword ascii /* Goodware String - occured 567 times */
102 | $s16 = "network down" fullword ascii /* Goodware String - occured 567 times */
103 | $s17 = "protocol not supported" fullword ascii /* Goodware String - occured 568 times */
104 | $s18 = "connection aborted" fullword ascii /* Goodware String - occured 568 times */
105 | $s19 = "network unreachable" fullword ascii /* Goodware String - occured 569 times */
106 | $s20 = "host unreachable" fullword ascii /* Goodware String - occured 571 times */
107 | condition:
108 | uint16(0) == 0x5a4d and filesize < 700KB and
109 | ( pe.imphash() == "ab74ed3f154e02cfafb900acffdabf9e" or all of them )
110 | }
111 | 


--------------------------------------------------------------------------------
/1013/1013.yar:
--------------------------------------------------------------------------------
  1 | /*
  2 | YARA Rule Set
  3 | Author: The DFIR Report
  4 | Date: 2021-01-25
  5 | Identifier: Case 1013 Bazar, No Ryuk?
  6 | Reference: https://thedfirreport.com/2021/01/31/bazar-no-ryuk/
  7 | */
  8 | 
  9 | /* Rule Set ----------------------------------------------------------------- */
 10 | 
 11 | import "pe"
 12 | 
 13 | rule bazar_start_bat {
 14 | meta:
 15 | description = "files - file start.bat"
 16 | author = "The DFIR Report"
 17 | reference = "https://thedfirreport.com"
 18 | date = "2021-01-25"
 19 | hash1 = "63de40c7382bbfe7639f51262544a3a62d0270d259e3423e24415c370dd77a60"
 20 | strings:
 21 | $x1 = "powershell.exe Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process -Force" fullword ascii
 22 | $x2 = "powershell.exe -executionpolicy remotesigned -File .\\Get-DataInfo.ps1 %1)" fullword ascii
 23 | $x3 = "powershell.exe -executionpolicy remotesigned -File .\\Get-DataInfo.ps1 %method" fullword ascii
 24 | $s4 = "set /p method=\"Press Enter for collect [all]: \"" fullword ascii
 25 | $s5 = "echo \"all ping disk soft noping nocompress\"" fullword ascii
 26 | $s6 = "echo \"Please select a type of info collected:\"" fullword ascii
 27 | $s7 = "@echo on" fullword ascii /* Goodware String - occured 1 times */
 28 | $s8 = "color 07" fullword ascii
 29 | $s9 = "pushd %~dp0" fullword ascii /* Goodware String - occured 1 times */
 30 | $s10 = "color 70" fullword ascii
 31 | $s11 = "IF \"%1\"==\"\" (" fullword ascii
 32 | $s12 = "IF NOT \"%1\"==\"\" (" fullword ascii
 33 | condition:
 34 | uint16(0) == 0x6540 and filesize < 1KB and
 35 | 1 of ($x*) and all of them
 36 | }
 37 | 
 38 | rule bazar_M1E1626 {
 39 | meta:
 40 | description = "files - file M1E1626.exe"
 41 | author = "The DFIR Report"
 42 | reference = "https://thedfirreport.com"
 43 | date = "2021-01-25"
 44 | hash1 = "d362c83e5a6701f9ae70c16063d743ea9fe6983d0c2b9aa2c2accf2d8ba5cb38"
 45 | strings:
 46 | $s1 = "ResizeFormToFit.EXE" fullword wide
 47 | $s2 = "C:\\Windows\\explorer.exe" fullword ascii
 48 | $s3 = "bhart@pinpub.com" fullword wide
 49 | $s4 = "constructor or from DllMain." fullword ascii
 50 | $s5 = "dgsvhwe" fullword ascii
 51 | $s6 = "ResizeFormToFit.Document" fullword wide
 52 | $s7 = "ResizeFormToFit Version 1.0" fullword wide
 53 | $s8 = "This is a dummy form view for illustration of how to size the child frame window of the form to fit this form." fullword wide
 54 | $s9 = "GSTEAQR" fullword ascii
 55 | $s10 = "HTBNMRRTNSHNH" fullword ascii
 56 | $s11 = "RCWZCSJXRRNBL" fullword ascii
 57 | $s12 = "JFCNZXHXPTCT" fullword ascii
 58 | $s13 = "BLNEJPFAWFPU" fullword ascii
 59 | $s14 = "BREUORYYPKS" fullword ascii
 60 | $s15 = "UCWOJTPGLBZTI" fullword ascii
 61 | $s16 = "DZVVFAVZVWMVS" fullword ascii
 62 | $s17 = "MNKRAMLGWUX" fullword ascii
 63 | $s18 = "WHVMUKGVCHCT" fullword ascii
 64 | $s19 = "\\W\\TQPNIQWNZN" fullword ascii
 65 | $s20 = "ResizeFormToFit3" fullword wide
 66 | condition:
 67 | uint16(0) == 0x5a4d and filesize < 2000KB and
 68 | ( pe.imphash() == "578738b5c4621e1bf95fce0a570a7cfc" or 8 of them )
 69 | }
 70 | 
 71 | 
 72 | rule bazar_files_netscan {
 73 | meta:
 74 | description = "files - file netscan.exe"
 75 | author = "The DFIR Report"
 76 | reference = "https://thedfirreport.com"
 77 | date = "2021-01-25"
 78 | hash1 = "ce6fc6cca035914a28bbc453ee3e8ef2b16a79afc01d8cb079c70c7aee0e693f"
 79 | strings:
 80 | $s1 = "TREMOTECOMMONFORM" fullword wide
 81 | $s2 = "ELHEADERRIGHTBMP" fullword wide
 82 | $s3 = "ELHEADERDESCBMP" fullword wide
 83 | $s4 = "ELHEADERLEFTBMP" fullword wide
 84 | $s5 = "ELHEADERASCBMP" fullword wide
 85 | $s6 = "ELHEADERPOINTBMP" fullword wide
 86 | $s7 = "<description>A free multithreaded IP, SNMP, NetBIOS scanner.</description>" fullword ascii
 87 | $s8 = "GGG`BBB" fullword ascii /* reversed goodware string 'BBB`GGG' */
 88 | $s9 = "name=\"SoftPerfect Network Scanner\"/>" fullword ascii
 89 | $s10 = "SoftPerfect Network Scanner" fullword wide
 90 | $s11 = "TREMOTESERVICEEDITFORM" fullword wide
 91 | $s12 = "TUSERPROMPTFORM" fullword wide
 92 | $s13 = "TREMOTEWMIFORM" fullword wide
 93 | $s14 = "TPUBLICIPFORM" fullword wide
 94 | $s15 = "TREMOTESERVICESFORM" fullword wide
 95 | $s16 = "TREMOTEWMIEDITFORM" fullword wide
 96 | $s17 = "TREMOTEFILEEDITFORM" fullword wide
 97 | $s18 = "TREMOTEREGISTRYFORM" fullword wide
 98 | $s19 = "TPASTEIPADDRESSFORM" fullword wide
 99 | $s20 = "TREMOTEREGISTRYEDITFORM" fullword wide
100 | condition:
101 | uint16(0) == 0x5a4d and filesize < 2000KB and
102 | ( pe.imphash() == "e9d20acdeaa8947f562cf14d3976522e" or 8 of them )
103 | }
104 | 


--------------------------------------------------------------------------------
/1014/1014.yar:
--------------------------------------------------------------------------------
  1 | /*
  2 | YARA Rule Set
  3 | Author: The DFIR Report
  4 | Date: 2021-01-18
  5 | Identifier: Case 1014 All That for a Coinminer?
  6 | Reference: https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer/
  7 | */
  8 | 
  9 | /* Rule Set ----------------------------------------------------------------- */
 10 | 
 11 | import "pe"
 12 | 
 13 | rule miner_exe_svshost {
 14 | meta:
 15 | description = "exe - file svshost.exe"
 16 | author = "The DFIR Report"
 17 | reference = "https://thedfirreport.com"
 18 | date = "2021-01-18"
 19 | hash1 = "ba94d5539a4ed65ac7a94a971dbb463a469f8671c767f515d271223078983442"
 20 | strings:
 21 | $s1 = "* The error occured in hwloc %s inside process `%s', while" fullword ascii
 22 | $s2 = "__kernel void find_shares(__global const uint64_t* hashes,uint64_t target,uint32_t start_nonce,__global uint32_t* shares)" fullword ascii
 23 | $s3 = "lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.R" ascii
 24 | $s4 = "svshost.exe" fullword wide
 25 | $s5 = "Could not read dumped cpuid file %s, ignoring cpuiddump." fullword ascii
 26 | $s6 = "%PROGRAMFILES%\\NVIDIA Corporation\\NVSMI\\nvml.dll" fullword ascii
 27 | $s7 = "void blake2b_512_process_single_block(ulong *h,const ulong* m,uint blockTemplateSize)" fullword ascii
 28 | $s8 = "* the input XML was generated by hwloc %s inside process `%s'." fullword ascii
 29 | $s9 = "blake2b_512_process_single_block(hash,m,blockTemplateSize);" fullword ascii
 30 | $s10 = "F:\\Apps\\cSharp\\myMinerup\\myM\\myM\\obj\\Debug\\svshost.pdb" fullword ascii
 31 | $s11 = "|attrib +h svshost.exe" fullword ascii
 32 | $s12 = "Found non-x86 dumped cpuid summary in %s: %s" fullword ascii
 33 | $s13 = "GetCurrentProcessorNumberExProc || (GetCurrentProcessorNumberProc && nr_processor_groups == 1)" fullword ascii
 34 | $s14 = "__kernel void blake2b_initial_hash(__global void *out,__global const void* blockTemplate,uint blockTemplateSize,uint start_nonce" ascii
 35 | $s15 = "* hwloc %s received invalid information from the operating system." fullword ascii
 36 | $s16 = "__local exec_t* execution_plan=(__local exec_t*)(execution_plan_buf+(get_local_id(0)/8)*RANDOMX_PROGRAM_SIZE*WORKERS_PER_HASH*si" ascii
 37 | $s17 = "__kernel void execute_vm(__global void* vm_states,__global void* rounding,__global void* scratchpads,__global const void* datase" ascii
 38 | $s18 = "__kernel void execute_vm(__global void* vm_states,__global void* rounding,__global void* scratchpads,__global const void* datase" ascii
 39 | $s19 = "__local exec_t* execution_plan=(__local exec_t*)(execution_plan_buf+(get_local_id(0)/8)*RANDOMX_PROGRAM_SIZE*WORKERS_PER_HASH*si" ascii
 40 | $s20 = "__kernel void blake2b_initial_hash(__global void *out,__global const void* blockTemplate,uint blockTemplateSize,uint start_nonce" ascii
 41 | condition:
 42 | uint16(0) == 0x5a4d and filesize < 19000KB and
 43 | 8 of them
 44 | }
 45 | 
 46 | rule mimikatz_1014 {
 47 | meta:
 48 | description = "exe - file mimikatz.exe"
 49 | author = "The DFIR Report"
 50 | reference = "https://thedfirreport.com"
 51 | date = "2021-01-18"
 52 | hash1 = "99d8d56435e780352a8362dd5cb3857949c6ff5585e81b287527cd6e52a092c1"
 53 | strings:
 54 | $x1 = "ERROR kuhl_m_lsadump_getUsersAndSamKey ; kull_m_registry_RegOpenKeyEx SAM Accounts (0x%08x)" fullword wide
 55 | $x2 = "ERROR kuhl_m_lsadump_getUsersAndSamKey ; kull_m_registry_RegOpenKeyEx user (%s)" fullword wide
 56 | $x3 = "ERROR kuhl_m_lsadump_lsa ; kull_m_process_getVeryBasicModuleInformationsForName (0x%08x)" fullword wide
 57 | $x4 = "ERROR kuhl_m_lsadump_getComputerAndSyskey ; kull_m_registry_RegOpenKeyEx LSA KO" fullword wide
 58 | $x5 = "ERROR kuhl_m_lsadump_dcsync ; kull_m_rpc_drsr_ProcessGetNCChangesReply" fullword wide
 59 | $x6 = "ERROR kuhl_m_lsadump_trust ; kull_m_process_getVeryBasicModuleInformationsForName (0x%08x)" fullword wide
 60 | $x7 = "ERROR kuhl_m_lsadump_getUsersAndSamKey ; kuhl_m_lsadump_getSamKey KO" fullword wide
 61 | $x8 = "ERROR kuhl_m_lsadump_lsa_getHandle ; OpenProcess (0x%08x)" fullword wide
 62 | $x9 = "ERROR kuhl_m_lsadump_netsync ; I_NetServerTrustPasswordsGet (0x%08x)" fullword wide
 63 | $x10 = "ERROR kuhl_m_dpapi_chrome ; Input 'Login Data' file needed (/in:\"%%localappdata%%\\Google\\Chrome\\User Data\\Default\\Login Da" wide
 64 | $x11 = "ERROR kuhl_m_kernel_processProtect ; Argument /process:program.exe or /pid:processid needed" fullword wide
 65 | $x12 = "ERROR kuhl_m_lsadump_getHash ; Unknow SAM_HASH revision (%hu)" fullword wide
 66 | $x13 = "ERROR kuhl_m_lsadump_sam ; kull_m_registry_RegOpenKeyEx (SAM) (0x%08x)" fullword wide
 67 | $x14 = "ERROR kull_m_rpc_drsr_ProcessGetNCChangesReply_decrypt ; Checksums don't match (C:0x%08x - R:0x%08x)" fullword wide
 68 | $x15 = "ERROR kuhl_m_lsadump_enumdomains_users ; /user or /rid is needed" fullword wide
 69 | $x16 = "ERROR kuhl_m_lsadump_changentlm ; Argument /oldpassword: or /oldntlm: is needed" fullword wide
 70 | $x17 = "livessp.dll" fullword wide /* reversed goodware string 'lld.pssevil' */
 71 | $x18 = "ERROR kuhl_m_lsadump_enumdomains_users ; SamLookupNamesInDomain: %08x" fullword wide
 72 | $x19 = "ERROR kuhl_m_lsadump_getComputerAndSyskey ; kuhl_m_lsadump_getSyskey KO" fullword wide
 73 | $x20 = "ERROR kuhl_m_lsadump_getKeyFromGUID ; kuhl_m_lsadump_LsaRetrievePrivateData: 0x%08x" fullword wide
 74 | condition:
 75 | uint16(0) == 0x5a4d and filesize < 3000KB and
 76 | ( pe.imphash() == "a0444dc502edb626311492eb9abac8ec" or 1 of ($x*) )
 77 | }
 78 | 
 79 | rule masscan_1014 {
 80 | meta:
 81 | description = "exe - file masscan.exe"
 82 | author = "The DFIR Report"
 83 | reference = "https://thedfirreport.com"
 84 | date = "2021-01-18"
 85 | hash1 = "de903a297afc249bb7d68fef6c885a4c945d740a487fe3e9144a8499a7094131"
 86 | strings:
 87 | $x1 = "User-Agent: masscan/1.0 (https://github.com/robertdavidgraham/masscan)" fullword ascii
 88 | $s2 = "Usage: masscan [Options] -p{Target-Ports} {Target-IP-Ranges}" fullword ascii
 89 | $s3 = "GetProcessAffinityMask() returned error %u" fullword ascii
 90 | $s4 = "Via: HTTP/1.1 ir14.fp.bf1.yahoo.com (YahooTrafficServer/1.2.0.13 [c s f ])" fullword ascii
 91 | $s5 = "C:\\Documents and Settings\\" fullword ascii
 92 | $s6 = "android.com" fullword ascii
 93 | $s7 = "youtube.com" fullword ascii
 94 | $s8 = "espanol.yahoo.com" fullword ascii
 95 | $s9 = "brb.yahoo.com" fullword ascii
 96 | $s10 = "malaysia.yahoo.com" fullword ascii
 97 | $s11 = "att.yahoo.com" fullword ascii
 98 | $s12 = "hsrd.yahoo.com" fullword ascii
 99 | $s13 = "googlecommerce.com" fullword ascii
100 | $s14 = "maktoob.yahoo.com" fullword ascii
101 | $s15 = "*.youtube-nocookie.com" fullword ascii
102 | $s16 = "# TARGET SELECTION (IP, PORTS, EXCLUDES)" fullword ascii
103 | $s17 = "www.yahoo.com" fullword ascii
104 | $s18 = "x.509 parser failure: google.com" fullword ascii
105 | $s19 = "-- forced options: -sS -Pn -n --randomize-hosts -v --send-eth" fullword ascii
106 | $s20 = "urchin.com" fullword ascii
107 | condition:
108 | uint16(0) == 0x5a4d and filesize < 700KB and
109 | ( pe.imphash() == "9b0b559e373d62a1c93e615f003f8af8" or 10 of them) 
110 | }
111 | 
112 | rule XMRig_CPU_mine_1014 {
113 | meta:
114 | description = "exe - file XMRig CPU mine.exe"
115 | author = "The DFIR Report"
116 | reference = "https://thedfirreport.com"
117 | date = "2021-01-18"
118 | hash1 = "a8b2e85b3e0f5de4b82a92b3ca56d2d889a30383a3f9283ae48aec879edd0376"
119 | strings:
120 | $s1 = "* The error occured in hwloc %s inside process `%s', while" fullword ascii
121 | $s2 = "__kernel void find_shares(__global const uint64_t* hashes,uint64_t target,uint32_t start_nonce,__global uint32_t* shares)" fullword ascii
122 | $s3 = "Could not read dumped cpuid file %s, ignoring cpuiddump." fullword ascii
123 | $s4 = "%PROGRAMFILES%\\NVIDIA Corporation\\NVSMI\\nvml.dll" fullword ascii
124 | $s5 = "void blake2b_512_process_single_block(ulong *h,const ulong* m,uint blockTemplateSize)" fullword ascii
125 | $s6 = "* the input XML was generated by hwloc %s inside process `%s'." fullword ascii
126 | $s7 = "blake2b_512_process_single_block(hash,m,blockTemplateSize);" fullword ascii
127 | $s8 = "Found non-x86 dumped cpuid summary in %s: %s" fullword ascii
128 | $s9 = "GetCurrentProcessorNumberExProc || (GetCurrentProcessorNumberProc && nr_processor_groups == 1)" fullword ascii
129 | $s10 = "__kernel void blake2b_initial_hash(__global void *out,__global const void* blockTemplate,uint blockTemplateSize,uint start_nonce" ascii
130 | $s11 = "* hwloc %s received invalid information from the operating system." fullword ascii
131 | $s12 = "__local exec_t* execution_plan=(__local exec_t*)(execution_plan_buf+(get_local_id(0)/8)*RANDOMX_PROGRAM_SIZE*WORKERS_PER_HASH*si" ascii
132 | $s13 = "__kernel void execute_vm(__global void* vm_states,__global void* rounding,__global void* scratchpads,__global const void* datase" ascii
133 | $s14 = "__kernel void execute_vm(__global void* vm_states,__global void* rounding,__global void* scratchpads,__global const void* datase" ascii
134 | $s15 = "__local exec_t* execution_plan=(__local exec_t*)(execution_plan_buf+(get_local_id(0)/8)*RANDOMX_PROGRAM_SIZE*WORKERS_PER_HASH*si" ascii
135 | $s16 = "__kernel void blake2b_initial_hash(__global void *out,__global const void* blockTemplate,uint blockTemplateSize,uint start_nonce" ascii
136 | $s17 = "nvml.dll" fullword ascii
137 | $s18 = "__kernel void Groestl(__global ulong *states,__global uint *BranchBuf,__global uint *output,ulong Target,uint Threads)" fullword ascii
138 | $s19 = "__kernel void Blake(__global ulong *states,__global uint *BranchBuf,__global uint *output,ulong Target,uint Threads)" fullword ascii
139 | $s20 = "__kernel void JH(__global ulong *states,__global uint *BranchBuf,__global uint *output,ulong Target,uint Threads)" fullword ascii
140 | condition:
141 | uint16(0) == 0x5a4d and filesize < 19000KB and
142 | ( pe.imphash() == "5c21c3e071f2116dcdb008ad5fc936d4" or 8 of them )
143 | }
144 | 


--------------------------------------------------------------------------------
/1051/1051.yar:
--------------------------------------------------------------------------------
 1 | /*
 2 | YARA Rule Set
 3 | Author: The DFIR Report
 4 | Date: 2021-03-29
 5 | Identifier: Case 1051 Sodinokibi (aka REvil) Ransomware
 6 | Reference: https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
 7 | */
 8 | 
 9 | /* Rule Set ----------------------------------------------------------------- */
10 | 
11 | import "pe"
12 | 
13 | rule Sodinokibi_032021 {
14 | meta:
15 | description = "files - file DomainName.exe"
16 | author = "The DFIR Report"
17 | reference = "https://thedfirreport.com"
18 | date = "2021-03-21"
19 | hash1 = "2896b38ec3f5f196a9d127dbda3f44c7c29c844f53ae5f209229d56fd6f2a59c"
20 | strings:
21 | $s1 = "vmcompute.exe" fullword wide
22 | $s2 = "vmwp.exe" fullword wide
23 | $s3 = "bootcfg /raw /a /safeboot:network /id 1" fullword ascii
24 | $s4 = "bcdedit /set {current} safeboot network" fullword ascii
25 | $s5 = "7+a@P>:N:0!F$%I-6MBEFb M" fullword ascii
26 | $s6 = "jg:\"\\0=Z" fullword ascii
27 | $s7 = "ERR0R D0UBLE RUN!" fullword wide
28 | $s8 = "VVVVVPQ" fullword ascii
29 | $s9 = "VVVVVWQ" fullword ascii
30 | $s10 = "Running" fullword wide /* Goodware String - occured 159 times */
31 | $s11 = "expand 32-byte kexpand 16-byte k" fullword ascii
32 | $s12 = "9RFIT\"&" fullword ascii
33 | $s13 = "jZXVf9F" fullword ascii
34 | $s14 = "tCWWWhS=@" fullword ascii
35 | $s15 = "vmms.exe" fullword wide /* Goodware String - occured 1 times */
36 | $s16 = "JJwK9Zl" fullword ascii
37 | $s17 = "KkT37uf4nNh2PqUDwZqxcHUMVV3yBwSHO#K" fullword ascii
38 | $s18 = "0*090}0" fullword ascii /* Goodware String - occured 1 times */
39 | $s19 = "5)5I5a5" fullword ascii /* Goodware String - occured 1 times */
40 | $s20 = "7-7H7c7" fullword ascii /* Goodware String - occured 1 times */
41 | condition:
42 | uint16(0) == 0x5a4d and filesize < 400KB and
43 | ( pe.imphash() == "031931d2f2d921a9d906454d42f21be0" or 8 of them )
44 | }
45 | 
46 | rule icedid_032021_1 {
47 | meta:
48 | description = "files - file skull-x64.dat"
49 | author = "The DFIR Report"
50 | reference = "https://thedfirreport.com"
51 | date = "2021-03-21"
52 | hash1 = "59a2a5fae1c51afbbf1bf8c6eb0a65cb2b8575794e3890f499f8935035e633fc"
53 | strings:
54 | $s1 = "update" fullword ascii /* Goodware String - occured 207 times */
55 | $s2 = "PstmStr" fullword ascii
56 | $s3 = "mRsx0k/" fullword wide
57 | $s4 = "D$0lzK" fullword ascii
58 | $s5 = "A;Zts}H" fullword ascii
59 | condition:
60 | uint16(0) == 0x5a4d and filesize < 100KB and
61 | ( pe.imphash() == "67a065c05a359d287f1fed9e91f823d5" and ( pe.exports("PstmStr") and pe.exports("update") ) or all of them )
62 | }
63 | 
64 | rule icedid_032021_2 {
65 | meta:
66 | description = "1 - file license.dat"
67 | author = "The DFIR Report"
68 | reference = "https://thedfirreport.com"
69 | date = "2021-03-21"
70 | hash1 = "45b6349ee9d53278f350b59d4a2a28890bbe9f9de6565453db4c085bb5875865"
71 | strings:
72 | $s1 = "+ M:{`n-" fullword ascii
73 | $s2 = "kwzzdd" fullword ascii
74 | $s3 = "w5O- >z" fullword ascii
75 | $s4 = "RRlK8n@~" fullword ascii
76 | $s5 = "aQXDUkBC" fullword ascii
77 | $s6 = "}i.ZSj*" fullword ascii
78 | $s7 = "kLeSM?" fullword ascii
79 | $s8 = "qmnIqD\")P" fullword ascii
80 | $s9 = "aFAeU!," fullword ascii
81 | $s10 = "Qjrf\"Q" fullword ascii
82 | $s11 = "PTpc,!P#" fullword ascii
83 | $s12 = "r@|JZOkfmT2" fullword ascii
84 | $s13 = "aPvBO,4" fullword ascii
85 | $s14 = ">fdFhl^S8Z" fullword ascii
86 | $s15 = "[syBE0\\" fullword ascii
87 | $s16 = "`YFOr.JH" fullword ascii
88 | $s17 = "C6ZVVF j7}" fullword ascii
89 | $s18 = "LPlagce" fullword ascii
90 | $s19 = "NLeF_-e`" fullword ascii
91 | $s20 = "HRRF|}O" fullword ascii
92 | condition:
93 | uint16(0) == 0x43da and filesize < 1000KB and
94 | 8 of them
95 | }
96 | 


--------------------------------------------------------------------------------
/12647/12647.yar:
--------------------------------------------------------------------------------
  1 | /*
  2 | YARA Rule Set
  3 | Author: The DFIR Report
  4 | Date: 2022-04-24
  5 | Identifier: Quantum Ransomware - Case 12647
  6 | Reference: https://thedfirreport.com/2022/04/25/quantum-ransomware/
  7 | */
  8 | 
  9 | /* Rule Set ----------------------------------------------------------------- */
 10 | 
 11 | import "pe"
 12 | 
 13 | rule docs_invoice_173 {
 14 | meta:
 15 | description = "IcedID - file docs_invoice_173.iso"
 16 | author = "The DFIR Report"
 17 | reference = "https://thedfirreport.com/2022/04/25/quantum-ransomware/"
 18 | date = "2022-04-24"
 19 | hash1 = "5bc00ad792d4ddac7d8568f98a717caff9d5ef389ed355a15b892cc10ab2887b"
 20 | strings:
 21 | $x1 = "dar.dll,DllRegisterServer!%SystemRoot%\\System32\\SHELL32.dll" fullword wide
 22 | $x2 = "C:\\Windows\\System32\\rundll32.exe" fullword ascii
 23 | $s3 = "C:\\Users\\admin\\Desktop\\data" fullword wide
 24 | $s4 = "Desktop (C:\\Users\\admin)" fullword wide
 25 | $s5 = "AppPolicyGetProcessTerminationMethod" fullword ascii
 26 | $s6 = "1t3Eo8.dll" fullword ascii
 27 | $s7 = ")..\\..\\..\\..\\Windows\\System32\\rundll32.exe" fullword wide
 28 | $s8 = "DAR.DLL." fullword ascii
 29 | $s9 = "dar.dll:h" fullword wide
 30 | $s10 = "document.lnk" fullword wide
 31 | $s11 = "DOCUMENT.LNK" fullword ascii
 32 | $s12 = "6c484a379420bc181ea93528217b7ebf50eae9cb4fc33fb672f26ffc4ab464e29ba2c0acf9e19728e70ef2833eb4d4ab55aafe3f4667e79c188aa8ab75702520" ascii
 33 | $s13 = "03b9db8f12f0242472abae714fbef30d7278c4917617dc43b61a81951998d867efd5b8a2ee9ff53ea7fa4110c9198a355a5d7f3641b45f3f8bb317aac02aa1fb" ascii
 34 | $s14 = "d1e5711e46fcb02d7cc6aa2453cfcb8540315a74f93c71e27fa0cf3853d58b979d7bb7c720c02ed384dea172a36916f1bb8b82ffd924b720f62d665558ad1d8c" ascii
 35 | $s15 = "7d0bfdbaac91129f5d74f7e71c1c5524690343b821a541e8ba8c6ab5367aa3eb82b8dd0faee7bf6d15b972a8ae4b320b9369de3eb309c722db92d9f53b6ace68" ascii
 36 | $s16 = "89dd0596b7c7b151bf10a1794e8f4a84401269ad5cc4af9af74df8b7199fc762581b431d65a76ecbff01e3cec318b463bce59f421b536db53fa1d21942d48d93" ascii
 37 | $s17 = "8021dc54625a80e14f829953cc9c4310b6242e49d0ba72eedc0c04383ac5a67c0c4729175e0e662c9e78cede5882532de56a5625c1761aa6fd46b4aefe98453a" ascii
 38 | $s18 = "24ed05de22fc8d3f76c977faf1def1d729c6b24abe3e89b0254b5b913395ee3487879287388e5ceac4b46182c2072ad1aa4f415ed6ebe515d57f4284ae068851" ascii
 39 | $s19 = "827da8b743ba46e966706e7f5e6540c00cb1205811383a2814e1d611decfc286b1927d20391b22a0a31935a9ab93d7f25e6331a81d13db6d10c7a771e82dfd8b" ascii
 40 | $s20 = "7c33d9ad6872281a5d7bf5984f537f09544fdee50645e9846642206ea4a81f70b27439e6dcbe6fdc1331c59bf3e2e847b6195e8ed2a51adaf91b5e615cece1d3" ascii
 41 | condition:
 42 | uint16(0) == 0x0000 and filesize < 600KB and
 43 | 1 of ($x*) and 4 of them
 44 | }
 45 | 
 46 | rule quantum_license {
 47 | meta:
 48 | description = "IcedID - file license.dat"
 49 | author = "The DFIR Report"
 50 | reference = "https://thedfirreport.com/2022/04/25/quantum-ransomware/"
 51 | date = "2022-04-24"
 52 | hash1 = "84f016ece77ddd7d611ffc0cbb2ce24184aeee3a2fdbb9d44d0837bc533ba238"
 53 | strings:
 54 | $s1 = "W* |[h" fullword ascii
 55 | $s2 = "PSHN,;x" fullword ascii
 56 | $s3 = "ephu\"W" fullword ascii
 57 | $s4 = "LwUw9\\" fullword ascii
 58 | $s5 = "VYZP~pN," fullword ascii
 59 | $s6 = "eRek?@" fullword ascii
 60 | $s7 = "urKuEqR" fullword ascii
 61 | $s8 = "1zjWa{`!" fullword ascii
 62 | $s9 = "YHAV{tl" fullword ascii
 63 | $s10 = "bwDU?u" fullword ascii
 64 | $s11 = "SJbW`!W" fullword ascii
 65 | $s12 = "BNnEx1k" fullword ascii
 66 | $s13 = "SEENI3=" fullword ascii
 67 | $s14 = "Bthw?:'H*" fullword ascii
 68 | $s15 = "NfGHNHC" fullword ascii
 69 | $s16 = "xUKlrl'>`" fullword ascii
 70 | $s17 = "gZaZ^;Ro2" fullword ascii
 71 | $s18 = "JhVo5Bb" fullword ascii
 72 | $s19 = "OPta)}$" fullword ascii
 73 | $s20 = "cZZJoVB" fullword ascii
 74 | condition:
 75 | uint16(0) == 0x44f8 and filesize < 1000KB and
 76 | 8 of them
 77 | }
 78 | 
 79 | rule quantum_p227 {
 80 | meta:
 81 | description = "Cobalt Strike - file p227.dll"
 82 | author = "The DFIR Report"
 83 | reference = "https://thedfirreport.com/2022/04/25/quantum-ransomware/"
 84 | date = "2022-04-24"
 85 | hash1 = "c140ae0ae0d71c2ebaf956c92595560e8883a99a3f347dfab2a886a8fb00d4d3"
 86 | strings:
 87 | $s1 = "Remote Event Log Manager4" fullword wide
 88 | $s2 = "IIdRemoteCMDServer" fullword ascii
 89 | $s3 = "? ?6?B?`?" fullword ascii /* hex encoded string 'k' */
 90 | $s4 = "<*=.=2=6=<=\\=" fullword ascii /* hex encoded string '&' */
 91 | $s5 = ">'?+?/?3?7?;???" fullword ascii /* hex encoded string '7' */
 92 | $s6 = ":#:':+:/:3:7:" fullword ascii /* hex encoded string '7' */
 93 | $s7 = "2(252<2[2" fullword ascii /* hex encoded string '"R"' */
 94 | $s8 = ":$;,;2;>;F;" fullword ascii /* hex encoded string '/' */
 95 | $s9 = ":<:D:H:L:P:T:X:\\:`:d:h:l:p:t:x:|:" fullword ascii
 96 | $s10 = "%IdThreadMgr" fullword ascii
 97 | $s11 = "AutoHotkeys<mC" fullword ascii
 98 | $s12 = "KeyPreview0tC" fullword ascii
 99 | $s13 = ":dmM:\\m" fullword ascii
100 | $s14 = "EFilerErrorH" fullword ascii
101 | $s15 = "EVariantBadVarTypeErrorL" fullword ascii
102 | $s16 = "IdThreadMgrDefault" fullword ascii
103 | $s17 = "Set Size Exceeded.*Error on call Winsock2 library function %s&Error on loading Winsock2 library (%s)" fullword wide
104 | $s18 = "CopyMode0" fullword ascii
105 | $s19 = "TGraphicsObject0" fullword ascii
106 | $s20 = "THintWindow8" fullword ascii
107 | condition:
108 | uint16(0) == 0x5a4d and filesize < 2000KB and
109 | ( pe.imphash() == "c88d91896dd5b7d9cb3f912b90e9d0ed" or 8 of them )
110 | }
111 | 
112 | rule Ulfefi32 {
113 | meta:
114 | description = "IcedID - file Ulfefi32.dll"
115 | author = "The DFIR Report"
116 | reference = "https://thedfirreport.com/2022/04/25/quantum-ransomware/"
117 | date = "2022-04-24"
118 | hash1 = "6f6f71fa3a83da86d2aba79c92664d335acb9d581646fa6e30c35e76cf61cbb7"
119 | strings:
120 | $s1 = "WZSKd2NEBI.dll" fullword ascii
121 | $s2 = "3638df174d2e47fbc2cdad390fdf57b44186930e3f9f4e99247556af2745ec513b928c5d78ef0def56b76844a24f50ab5c3a10f6f0291e8cfbc4802085b8413c" ascii
122 | $s3 = "794311155e3d3b59587a39e6bdeaac42e5a83dbe30a056a059c59a1671d288f7a7cdde39aaf8ce26704ab467e6e7db6da36aec8e1b1e0a6f2101ed3a87a73523" ascii
123 | $s4 = "ce37d7187cf033f0f9144a61841e65ebe440d99644c312f2a7527053f27664fc788a70d4013987f40755d30913393c37067fb1796adece94327ba0d8dfb63c10" ascii
124 | $s5 = "bacefbe356ece5ed36fa3f3c153e8e152cb204299243eba930136e4a954e8f6e4db70d7d7084822762c17da1d350d97c37dbcf226c5d4faa7e78765fd5aa20f8" ascii
125 | $s6 = "acee4914ee999f6158bf7aa90e2f9640d51e2b046c94df4301a6ee1658a54d44e423fc0a5ab3b599d6be74726e266cdb71ccd0851bcef3bc5f828eab7e736d81" ascii
126 | $s7 = "e2d7e82b0fe30aa846abaa4ab85cb9d47940ec70487f2d5fb4c60012289b133b44e8c244e3ec8e276fa118a54492f348e34e992da07fada70c018de1ff8f91d4" ascii
127 | $s8 = "afd386d951143fbfc89016ab29a04b6efcefe7cd9d3e240f1d31d59b9541b222c45bb0dc6adba0ee80b696b85939ac527af149fdbfbf40b2d06493379a27e16b" ascii
128 | $s9 = "3bb43aa0bbe8dee8d99aaf3ac42fbe3ec5bd8fa68fb85aea8a404ee1701aa8b2624bf8c5254e447818057b7f987a270103dd7beceb3103a66d5f34a2a6c48eed" ascii
129 | $s10 = "a79e1facc14f0a1dfde8f71cec33e08ed6144aa2fd9fe3774c89b50d26b78f4a516a988e412e5cce5a6b6edb7b2cded7fe9212505b240e629e066ed853fb9f6b" ascii
130 | $s11 = "69f9b12abc44fac17d92b02eb254c9dc0cfd8888676a9e59f0cb6d630151daccea40e850d615d32d011838f8042a2d6999fab319f49bed09e43f9b6197bf9a66" ascii
131 | $s12 = "cfda9d35efe288ebc6a63ef8206cd3c44e91f7d968044a8a5b512c59e76e937477837940a3a6c053a886818041e42f0ce8ede5912beab0b9b8c3f4bae726d5b2" ascii
132 | $s13 = "a8a404ee1701aa8b2624bf8c5254e447818057b7f987a270103dd7beceb3103a66d5f34a2a6c48eedc90afe65ba742c395bbdb4b1b12d96d6f38de96212392c3" ascii
133 | $s14 = "900796689b72e62f24b28affa681c23841f21e2c7a56a18a6bbb572042da8717abc9f195340d12f2fae6cf2a6d609ed5a0501e34d3b31f8151f194cdb8afc85e" ascii
134 | $s15 = "35560790835fe34ed478758636d3b2b797ba95c824533318dfb147146e2b5debb4f974c906dce439d3c97e94465849c9b42e9cb765a95ff42a7d8b27e62d470a" ascii
135 | $s16 = "0b3d20f3cf0f6b3a53c53b8f50f9116edd412776a8f218e6b0d921ccfeeb34875c4674072f84ac612004d8162a6b381f5a3d1f6d70c03203272740463ff4bcd5" ascii
136 | $s17 = "72f69c37649149002c41c2d85091b0f6f7683f6e6cc9b9a0063c9b0ce254dddb9736c68f81ed9fed779add52cbb453e106ab8146dab20a033c28dee789de8046" ascii
137 | $s18 = "f2b7f87aa149a52967593b53deff481355cfe32c2af99ad4d4144d075e2b2c70088758aafdabaf480e87cf202626bde30d32981c343bd47b403951b165d2dc0f" ascii
138 | $s19 = "9867f0633c80081f0803b0ed75d37296bac8d3e25e3352624a392fa338570a9930fa3ceb0aaee2095dd3dcb0aab939d7d9a8d5ba7f3baac0601ed13ffc4f0a1e" ascii
139 | $s20 = "3d08b3fcfda9d35efe288ebc6a63ef8206cd3c44e91f7d968044a8a5b512c59e76e937477837940a3a6c053a886818041e42f0ce8ede5912beab0b9b8c3f4bae" ascii
140 | condition:
141 | uint16(0) == 0x5a4d and filesize < 100KB and
142 | ( pe.imphash() == "81782d8702e074c0174968b51590bf48" and ( pe.exports("FZKlWfNWN") and pe.exports("IMlNwug") and pe.exports("RPrWVBw") and pe.exports("kCXkdKtadW") and pe.exports("pLugSs") and pe.exports("pRNAU") ) or 8 of them )
143 | }
144 | 
145 | rule quantum_ttsel {
146 | meta:
147 | description = "quantum - file ttsel.exe"
148 | author = "The DFIR Report"
149 | reference = "https://thedfirreport.com/2022/04/25/quantum-ransomware/"
150 | date = "2022-04-24"
151 | hash1 = "b6c11d4a4af4ad4919b1063184ee4fe86a5b4b2b50b53b4e9b9cc282a185afda"
152 | strings:
153 | $s1 = "DSUVWj ]" fullword ascii
154 | $s2 = "WWVh@]@" fullword ascii
155 | $s3 = "expand 32-byte k" fullword ascii /* Goodware String - occured 1 times */
156 | $s4 = "E4PSSh" fullword ascii /* Goodware String - occured 2 times */
157 | $s5 = "tySjD3" fullword ascii
158 | $s6 = "@]_^[Y" fullword ascii /* Goodware String - occured 3 times */
159 | $s7 = "0`0h0p0" fullword ascii /* Goodware String - occured 3 times */
160 | $s8 = "tV9_<tQf9_8tKSSh" fullword ascii
161 | $s9 = "Vj\\Yj?Xj:f" fullword ascii
162 | $s10 = "1-1:1I1T1Z1p1w1" fullword ascii
163 | $s11 = "8-999E9U9k9" fullword ascii
164 | $s12 = "8\"8)8H8i8t8" fullword ascii
165 | $s13 = "8\"868@8M8W8" fullword ascii
166 | $s14 = "3\"3)3>3F3f3m3t3}3" fullword ascii
167 | $s15 = "3\"3(3<3]3o3" fullword ascii
168 | $s16 = "9 9*909B9" fullword ascii
169 | $s17 = "9.979S9]9a9w9" fullword ascii
170 | $s18 = "txf9(tsf9)tnj\\P" fullword ascii
171 | $s19 = "5!5'5-5J5Y5b5i5~5" fullword ascii
172 | $s20 = "<2=7=>=E={=" fullword ascii
173 | condition:
174 | uint16(0) == 0x5a4d and filesize < 200KB and
175 | ( pe.imphash() == "68b5e41a24d5a26c1c2196733789c238" or 8 of them )
176 | }
177 | 


--------------------------------------------------------------------------------
/12780/12780.yar:
--------------------------------------------------------------------------------
  1 | rule miner_batch {
  2 |    meta:
  3 |       description = "file kit.bat"
  4 |       author = "TheDFIRReport"
  5 |       reference = "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/"
  6 |       date = "2022/07/10"
  7 |       hash1 = "4905b7776810dc60e710af96a7e54420aaa15467ef5909b260d9a9bc46911186"
  8 |    strings:
  9 |       $a1 = "%~dps0" fullword ascii
 10 |       $a2 = "set app" fullword ascii
 11 |       $a3 = "cd /d \"%~dps0\"" fullword ascii
 12 |       $a4 = "set usr=jood" fullword ascii
 13 |       $s1 = "schtasks /run" fullword ascii
 14 |       $s2 = "schtasks /delete" fullword ascii
 15 |       $a5 = "if \"%1\"==\"-s\" (" fullword ascii
 16 |    condition:
 17 |       uint16(0) == 0xfeff and filesize < 1KB and
 18 |       3 of ($a*) and 1 of ($s*)
 19 | }
 20 | 
 21 | rule file_ex_exe {
 22 |    meta:
 23 |       description = "files - file ex.exe.bin"
 24 |       author = "TheDFIRReport"
 25 |       reference = "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/"
 26 |       date = "2022/07/10"
 27 |       hash1 = "428d06c889b17d5f95f9df952fc13b1cdd8ef520c51e2abff2f9192aa78a4b24"
 28 |    strings:
 29 |       $s1 = "d:\\Projects\\WinRAR\\rar\\build\\unrar32\\Release\\UnRAR.pdb" fullword ascii
 30 |       $s2 = "rar.log" fullword wide
 31 |       $s3 = "      <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"/>" fullword ascii
 32 |       $s4 = "  processorArchitecture=\"*\"" fullword ascii
 33 |       $s5 = "%c%c%c%c%c%c%c" fullword wide /* reversed goodware string 'c%c%c%c%c%c%c%' */
 34 |       $s6 = "  version=\"1.0.0.0\"" fullword ascii
 35 |       $s7 = "%12ls: RAR %ls(v%d) -m%d -md=%d%s" fullword wide
 36 |       $s8 = "  hp[password]  " fullword wide
 37 |       $s9 = " %s - " fullword wide
 38 |       $s10 = "yyyymmddhhmmss" fullword wide
 39 |       $s11 = "--------  %2d %s %d, " fullword wide
 40 |       $s12 = " Type Descriptor'" fullword ascii
 41 |       $s13 = "\\$\\3|$4" fullword ascii /* hex encoded string '4' */
 42 |       $s14 = "      processorArchitecture=\"*\"" fullword ascii
 43 |       $s15 = " constructor or from DllMain." fullword ascii
 44 |       $s16 = "----------- ---------  -------- -----  ----" fullword wide
 45 |       $s17 = "----------- ---------  -------- ----- -------- -----  --------  ----" fullword wide
 46 |       $s18 = "%-20s - " fullword wide
 47 |       $s19 = "      publicKeyToken=\"6595b64144ccf1df\"" fullword ascii
 48 |       $s20 = "      version=\"6.0.0.0\"" fullword ascii
 49 |    condition:
 50 |       uint16(0) == 0x5a4d and filesize < 900KB and
 51 |       8 of them
 52 | }
 53 | 
 54 | rule smss_exe {
 55 |    meta:
 56 |       description = "files - file smss.exe.bin"
 57 |       author = "TheDFIRReport"
 58 |       reference = "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/"
 59 |       date = "2022/07/10"
 60 |       hash1 = "d3c3f529a09203a839b41cd461cc561494b432d810041d71d41a66ee7d285d69"
 61 |    strings:
 62 |       $s1 = "mCFoCRYPT32.dll" fullword ascii
 63 |       $s2 = "gPSAPI.DLL" fullword ascii
 64 |       $s3 = "www.STAR.com" fullword wide
 65 |       $s4 = "4;#pMVkWTSAPI32.dll" fullword ascii
 66 |       $s5 = "        <requestedExecutionLevel level=\"asInvoker\"/>" fullword ascii
 67 |       $s6 = "dYDT.Gtm" fullword ascii
 68 |       $s7 = "|PgGeT~^" fullword ascii
 69 |       $s8 = "* IiJ)" fullword ascii
 70 |       $s9 = "{DllB8qq" fullword ascii
 71 |       $s10 = "tfaqbjk" fullword ascii
 72 |       $s11 = "nrvgzgl" fullword ascii
 73 |       $s12 = "      <!--The ID below indicates application support for Windows 10 -->" fullword ascii
 74 |       $s13 = "5n:\\Tk" fullword ascii
 75 |       $s14 = "  </compatibility>" fullword ascii
 76 |       $s15 = "HHp.JOW" fullword ascii
 77 |       $s16 = "      <!--The ID below indicates application support for Windows 8 -->" fullword ascii
 78 |       $s17 = "      <!--The ID below indicates application support for Windows 7 -->" fullword ascii
 79 |       $s18 = "Wr:\\D;" fullword ascii
 80 |       $s19 = "px:\"M$" fullword ascii
 81 |       $s20 = "  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">" fullword ascii
 82 |    condition:
 83 |       uint16(0) == 0x5a4d and filesize < 23000KB and
 84 |       8 of them
 85 | }
 86 | 
 87 | rule WinRing0x64_sys {
 88 |    meta:
 89 |       description = "files - file WinRing0x64.sys.bin"
 90 |       author = "TheDFIRReport"
 91 |       reference = "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/"
 92 |       date = "2022/07/10"
 93 |       hash1 = "11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5"
 94 |    strings:
 95 |       $s1 = "d:\\hotproject\\winring0\\source\\dll\\sys\\lib\\amd64\\WinRing0.pdb" fullword ascii
 96 |       $s2 = "WinRing0.sys" fullword wide
 97 |       $s3 = "timestampinfo@globalsign.com0" fullword ascii
 98 |       $s4 = "\"GlobalSign Time Stamping Authority1+0)" fullword ascii
 99 |       $s5 = "\\DosDevices\\WinRing0_1_2_0" fullword wide
100 |       $s6 = "OpenLibSys.org" fullword wide
101 |       $s7 = ".http://crl.globalsign.net/RootSignPartners.crl0" fullword ascii
102 |       $s8 = "Copyright (C) 2007-2008 OpenLibSys.org. All rights reserved." fullword wide
103 |       $s9 = "1.2.0.5" fullword wide
104 |       $s10 = " Microsoft Code Verification Root0" fullword ascii
105 |       $s11 = "\\Device\\WinRing0_1_2_0" fullword wide
106 |       $s12 = "WinRing0" fullword wide
107 |       $s13 = "hiyohiyo@crystalmark.info0" fullword ascii
108 |       $s14 = "GlobalSign1+0)" fullword ascii
109 |       $s15 = "Noriyuki MIYAZAKI1(0&" fullword ascii
110 |       $s16 = "The modified BSD license" fullword wide
111 |       $s17 = "RootSign Partners CA1" fullword ascii
112 |       $s18 = "\\/.gJ&" fullword ascii
113 |       $s19 = "14012709" ascii
114 |       $s20 = "140127110000Z0q1(0&" fullword ascii
115 |    condition:
116 |       uint16(0) == 0x5a4d and filesize < 40KB and
117 |       8 of them
118 | }
119 | 


--------------------------------------------------------------------------------
/12993/12993.yar:
--------------------------------------------------------------------------------
 1 | /*
 2 | 
 3 |    YARA Rule Set
 4 |    Author: The DFIR Report
 5 |    Date: 2022-06-06
 6 |    Identifier: Case 12993 Will the Real Msiexec Please Stand Up? Exploit Leads to Data Exfiltration
 7 |    Reference: https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/
 8 | 
 9 | */
10 | 
11 | /* Rule Set ----------------------------------------------------------------- */
12 | 
13 | rule case_12993_cve_2021_44077_msiexec {
14 |    meta:
15 |       description = "Files - file msiexec.exe"
16 |       author = "The DFIR Report"
17 |       reference = "https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/"
18 |       date = "2022-06-06"
19 |       hash1 = "4d8f797790019315b9fac5b72cbf693bceeeffc86dc6d97e9547c309d8cd9baf"
20 |    strings:
21 |       $x1 = "C:\\Users\\Administrator\\msiexec\\msiexec\\msiexec\\obj\\x86\\Debug\\msiexec.pdb" fullword ascii
22 |       $x2 = "M:\\work\\Shellll\\msiexec\\msiexec\\obj\\Release\\msiexec.pdb" fullword ascii
23 |       $s2 = "..\\custom\\login\\fm2.jsp" fullword wide
24 |       $s3 = "Qk1QDQo8JUBwYWdlIGltcG9ydD0iamF2YS51dGlsLnppcC5aaXBFbnRyeSIlPg0KPCVAcGFnZSBpbXBvcnQ9ImphdmEudXRpbC56aXAuWmlwT3V0cHV0U3RyZWFtIiU+" wide
25 |       $s4 = "Program" fullword ascii /* Goodware String - occured 194 times */
26 |       $s5 = "Encoding" fullword ascii /* Goodware String - occured 809 times */
27 |       $s6 = "base64EncodedData" fullword ascii /* Goodware String - occured 1 times */
28 |       $s7 = "System.Runtime.CompilerServices" fullword ascii /* Goodware String - occured 1950 times */
29 |       $s8 = "System.Reflection" fullword ascii /* Goodware String - occured 2186 times */
30 |       $s9 = "System" fullword ascii /* Goodware String - occured 2567 times */
31 |       $s10 = "Base64Decode" fullword ascii /* Goodware String - occured 3 times */
32 |       $s11 = "$77b5d0d3-047f-4017-a788-503ab92444a7" fullword ascii
33 |       $s12 = "  2021" fullword wide
34 |       $s13 = "RSDSv_" fullword ascii
35 |       $s14 = "503ab92444a7" ascii
36 |       $s15 = "q.#z.+" fullword wide
37 |    condition:
38 |       uint16(0) == 0x5a4d and filesize < 90KB and
39 |       1 of ($x*) and 4 of them
40 | 
41 | }
42 | 
43 | rule case_12993_cve_2021_44077_webshell {
44 |    meta:
45 |       description = "Files - file fm2.jsp"
46 |       author = "The DFIR Report"
47 |       reference = "https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/"
48 |       date = "2022-06-06"
49 |       hash1 = "8703f52c56b3164ae0becfc5a81bfda600db9aa6d0f048767a9684671ad5899b"
50 |    strings:
51 |       $s1 = "    Process powerShellProcess = Runtime.getRuntime().exec(command);" fullword ascii
52 |       $s2 = "out.write((\"User:\\t\"+exec(\"whoami\")).getBytes());" fullword ascii
53 |       $s3 = "return new String(inutStreamToOutputStream(Runtime.getRuntime().exec(cmd).getInputStream()).toByteArray(),encoding);" fullword ascii
54 |       $s4 = "out.println(\"<pre>\"+exec(request.getParameter(\"cmd\"))+\"</pre>\");" fullword ascii
55 |       $s5 = "out.println(\"<tr \"+((i%2!=0)?\"bgcolor=\\\"#eeeeee\\\"\":\"\")+\"><td align=\\\"left\\\">&nbsp;&nbsp;<a href=\\\"javascript:ge" ascii
56 |       $s6 = "out.println(\"<h1>Command execution:</h1>\");" fullword ascii
57 |       $s7 = "    String command = \"powershell.exe \" + request.getParameter(\"cmd\");" fullword ascii
58 |       $s8 = "shell(request.getParameter(\"host\"), Integer.parseInt(request.getParameter(\"port\")));" fullword ascii
59 |       $s9 = "out.write(exec(new String(b,0,a,\"UTF-8\").trim()).getBytes(\"UTF-8\"));" fullword ascii
60 |       $s10 = "static void shell(String host,int port) throws UnknownHostException, IOException{" fullword ascii
61 |       $s11 = "            powerShellProcess.getErrorStream()));" fullword ascii
62 |       $s12 = "encoding = isNotEmpty(getSystemEncoding())?getSystemEncoding():encoding;" fullword ascii
63 |       $s13 = "    // Executing the command" fullword ascii
64 |       $s14 = ".getName()+\"\\\"><tt>download</tt></a></td><td align=\\\"right\\\"><tt>\"+new SimpleDateFormat(\"yyyy-MM-dd hh:mm:ss\").format(" ascii
65 |       $s15 = "String out = exec(cmd);" fullword ascii
66 |       $s16 = "static String exec(String cmd) {" fullword ascii
67 |       $s17 = "            powerShellProcess.getInputStream()));" fullword ascii
68 |       $s18 = "response.setHeader(\"Content-Disposition\", \"attachment; filename=\"+fileName);" fullword ascii
69 |       $s19 = "out.println(\"<pre>\"+auto(request.getParameter(\"url\"),request.getParameter(\"fileName\"),request.getParameter(\"cmd\"))+\"</p" ascii
70 |       $s20 = "    powerShellProcess.getOutputStream().close();" fullword ascii
71 |    condition:
72 |       uint16(0) == 0x4d42 and filesize < 30KB and
73 |       8 of them
74 | }
75 | 


--------------------------------------------------------------------------------
/13842/13842.yar:
--------------------------------------------------------------------------------
  1 | /*
  2 |    YARA Rule Set
  3 |    Author: The DFIR Report
  4 |    Date: 2022-11-13
  5 |    Identifier: Case 13842 Bumblebee
  6 |    Reference: https://thedfirreport.com/2022/11/14/bumblebee-zeros-in-on-meterpreter//
  7 | */
  8 | 
  9 | /* Rule Set ----------------------------------------------------------------- */
 10 | 
 11 | 
 12 | rule bumblebee_13842_documents_lnk {
 13 |     meta:
 14 |        description = "BumbleBee - file documents.lnk"
 15 |        author = "The DFIR Report via yarGen Rule Generator"
 16 |        reference = "https://thedfirreport.com/2022/11/14/bumblebee-zeros-in-on-meterpreter/"
 17 |        date = "2022-11-13"
 18 |        hash1 = "3c600328e1085dc73d672d068f3056e79e66bec7020be6ae907dd541201cd167"
 19 |     strings:
 20 |        $x1 = "$..\\..\\..\\..\\Windows\\System32\\cmd.exe*/c start rundll32.exe mkl2n.dll,kXlNkCKgFC\"%systemroot%\\system32\\imageres.dll" fullword wide
 21 |        $x2 = "C:\\Windows\\System32\\cmd.exe" fullword ascii
 22 |        $x3 = "%windir%\\system32\\cmd.exe" fullword ascii
 23 |        $x4 = "Gcmd.exe" fullword wide
 24 |        $s5 = "desktop-30fdj39" fullword ascii
 25 |     condition:
 26 |        uint16(0) == 0x004c and filesize < 4KB and
 27 |        1 of ($x*) and all of them
 28 |  }
 29 |  
 30 |  rule bumblebee_13842_StolenImages_Evidence_iso {
 31 |     meta:
 32 |        description = "BumbleBee - file StolenImages_Evidence.iso"
 33 |        author = "The DFIR Report via yarGen Rule Generator"
 34 |        reference = "https://thedfirreport.com/2022/11/14/bumblebee-zeros-in-on-meterpreter/"
 35 |        date = "2022-11-13"
 36 |        hash1 = "4bb67453a441f48c75d41f7dc56f8d58549ae94e7aeab48a7ffec8b78039e5cc"
 37 |     strings:
 38 |        $x1 = "$..\\..\\..\\..\\Windows\\System32\\cmd.exe*/c start rundll32.exe mkl2n.dll,kXlNkCKgFC\"%systemroot%\\system32\\imageres.dll" fullword wide
 39 |        $x2 = "C:\\Windows\\System32\\cmd.exe" fullword ascii
 40 |        $x3 = "%windir%\\system32\\cmd.exe" fullword ascii
 41 |        $x4 = "Gcmd.exe" fullword wide
 42 |        $s5 = "pxjjqif723uf35.dll" fullword ascii
 43 |        $s6 = "tenant unanimously delighted sail databases princess bicyclelist progress accused urge your science certainty dalton databases h" ascii
 44 |        $s7 = "mkl2n.dll" fullword wide
 45 |        $s8 = "JEFKKDJJKHFJ" fullword ascii /* base64 encoded string '$AJ(2I(qI' */
 46 |        $s9 = "KFFJJEJKJK" fullword ascii /* base64 encoded string '(QI$BJ$' */
 47 |        $s10 = "JHJGKDFEG" fullword ascii /* base64 encoded string '$rF(1D' */
 48 |        $s11 = "IDJIIDFHE" fullword ascii /* base64 encoded string ' 2H 1G' */
 49 |        $s12 = "JHJFIHJJI" fullword ascii /* base64 encoded string '$rE rI' */
 50 |        $s13 = "EKGJKKEFHKFFE" fullword ascii /* base64 encoded string '(bJ(AG(QD' */
 51 |        $s14 = "FJGJFKGFF" fullword ascii /* base64 encoded string '$bE(aE' */
 52 |        $s15 = "IFFKJGJFK" fullword ascii /* base64 encoded string ' QJ$bE' */
 53 |        $s16 = "FKFJDIHJF" fullword ascii /* base64 encoded string '(RC rE' */
 54 |        $s17 = "EKFJFdHFG" fullword ascii /* base64 encoded string '(REtqF' */
 55 |        $s18 = "HJFJJdEdEIDK" fullword ascii /* base64 encoded string '$RItGD 2' */
 56 |        $s19 = "KFJHKDJdIGF" fullword ascii /* base64 encoded string '(RG(2] a' */
 57 |        $s20 = "documents.lnk" fullword wide
 58 |     condition:
 59 |        uint16(0) == 0x0000 and filesize < 13000KB and
 60 |        1 of ($x*) and 4 of them
 61 |  }
 62 |  
 63 |  rule bumblebee_13842_mkl2n_dll {
 64 |     meta:
 65 |        description = "BumbleBee - file mkl2n.dll"
 66 |        author = "The DFIR Report via yarGen Rule Generator"
 67 |        reference = "https://thedfirreport.com/2022/11/14/bumblebee-zeros-in-on-meterpreter/"
 68 |        date = "2022-11-13"
 69 |        hash1 = "f7c1d064b95dc0b76c44764cd3ae7aeb21dd5b161e5d218e8d6e0a7107d869c1"
 70 |     strings:
 71 |        $s1 = "pxjjqif723uf35.dll" fullword ascii
 72 |        $s2 = "tenant unanimously delighted sail databases princess bicyclelist progress accused urge your science certainty dalton databases h" ascii
 73 |        $s3 = "JEFKKDJJKHFJ" fullword ascii /* base64 encoded string '$AJ(2I(qI' */
 74 |        $s4 = "KFFJJEJKJK" fullword ascii /* base64 encoded string '(QI$BJ$' */
 75 |        $s5 = "JHJGKDFEG" fullword ascii /* base64 encoded string '$rF(1D' */
 76 |        $s6 = "IDJIIDFHE" fullword ascii /* base64 encoded string ' 2H 1G' */
 77 |        $s7 = "JHJFIHJJI" fullword ascii /* base64 encoded string '$rE rI' */
 78 |        $s8 = "EKGJKKEFHKFFE" fullword ascii /* base64 encoded string '(bJ(AG(QD' */
 79 |        $s9 = "FJGJFKGFF" fullword ascii /* base64 encoded string '$bE(aE' */
 80 |        $s10 = "IFFKJGJFK" fullword ascii /* base64 encoded string ' QJ$bE' */
 81 |        $s11 = "FKFJDIHJF" fullword ascii /* base64 encoded string '(RC rE' */
 82 |        $s12 = "EKFJFdHFG" fullword ascii /* base64 encoded string '(REtqF' */
 83 |        $s13 = "HJFJJdEdEIDK" fullword ascii /* base64 encoded string '$RItGD 2' */
 84 |        $s14 = "KFJHKDJdIGF" fullword ascii /* base64 encoded string '(RG(2] a' */
 85 |        $s15 = "magination provided sleeve governor earth brief favourite setting trousers phone calamity ported silas concede appearance abate " ascii
 86 |        $s16 = "wK}zxspyuvqswyK" fullword ascii
 87 |        $s17 = "stpKspyq~sqJvvvJ" fullword ascii
 88 |        $s18 = "ntribute popped monks much number practiced dirty con mid nurse variable road unwelcome rear jeer addition distract surgeon fall" ascii
 89 |        $s19 = "uvzrquxrrwxur" fullword ascii
 90 |        $s20 = "vvvxvsqrs" fullword ascii
 91 |     condition:
 92 |        uint16(0) == 0x5a4d and filesize < 9000KB and
 93 |        8 of them
 94 |  }
 95 |  
 96 |  rule bumblebee_13842_n23_dll {
 97 |     meta:
 98 |        description = "BumbleBee - file n23.dll"
 99 |        author = "The DFIR Report via yarGen Rule Generator"
100 |        reference = "https://thedfirreport.com/2022/11/14/bumblebee-zeros-in-on-meterpreter/"
101 |        date = "2022-11-13"
102 |        hash1 = "65a9b1bcde2c518bc25dd9a56fd13411558e7f24bbdbb8cb92106abbc5463ecf"
103 |     strings:
104 |        $x1 = "scratched echo billion ornament transportation heedless should sandwiches hypothesis medicine strict thus sincere fight nourishm" ascii
105 |        $s2 = "omu164ta8.dll" fullword ascii
106 |        $s3 = "eadlight hours reins straightforward comfortable greeting notebook production nearby rung oven plus applet ending snapped enquir" ascii
107 |        $s4 = "board blank convinced scuba mean alive perry character headquarters comma diana ornament workshop hot duty victorious bye expres" ascii
108 |        $s5 = " compared opponent pile sky entitled balance valuable list ay duster tyre bitterly margaret resort valuer get conservative contr" ascii
109 |        $s6 = "ivance pay clergyman she sleepy investigation used madame rock logic suffocate pull stated comparatively rowing abode enclosed h" ascii
110 |        $s7 = " purple salvation dudley gaze requirement headline defective waiter inherent frightful night diary slang laurie bugs kazan annou" ascii
111 |        $s8 = "nced apparently determined among come invited be goodwill tally crowded chances selfish duchess reel five peaceful offer spirits" ascii
112 |        $s9 = "scratched echo billion ornament transportation heedless should sandwiches hypothesis medicine strict thus sincere fight nourishm" ascii
113 |        $s10 = "s certificate breeze temporary according peach effected excuse preceding reaction channel bring short beams scheme gosh endless " ascii
114 |        $s11 = "rtificial poke reassure diploma potentially " fullword ascii
115 |        $s12 = "led spree confer belly rejection glide speaker wren do create evenings according cultivation concentration overcoat presume feed" ascii
116 |        $s13 = "EgEEddEfhkdddEdfkEeddjgjehdjidhkdkeiekEeggdijhjidgkfigEgggdjkhkjkedEigifefdfhEjgghgEhjkeihifdhEEdgifefgkkEfEijhkhkhidddEdhgidfkE" ascii
117 |        $s14 = "kgfjjjEEgkdiehfeEjihkfEeididdeEjhggEjedhdfEjiddgEgghejEidEfEEfgfjfhdghfddfihfidfEedikfdfjkiffkjiijiiijdhgghekhkegkidkgfjijhkiigg" ascii
118 |        $s15 = "eekgEeideheghidkkEkkfkjikhiEhiefggdkhifdgEhhdEkkEkgjdEjjeEjhjhihfdgEdEidigefhhikdgdfEEdjEeggiEdfkdEdiEffdddkgikhhkihigEhjEdehieh" ascii
119 |        $s16 = "eddEfefEEd" ascii
120 |        $s17 = "hiefgfgkdfhgEdhEEgfhfegiiekgkdheihfjjhdeediefEkekdgeihhdfhhgjjiddjehgEhigEkEiEghejfidgjkdjidfkkfjEkfidfdiihkkEdEkEjjkEghfEdiihgE" ascii
121 |        $s18 = "kfifkfkgdgdfhefdfejjdjigEhghidiiEekeEidEhghijgfkgkkedeeiggeEdhddkdhgigdjEihjiEjkgjjEefedfhidjkEjfghfjfdfdEjhkjjddjEfdgkEEikifdhE" ascii
122 |        $s19 = "dedkdeeeeefgdEgfkkiEEfidikkffgighgEfiEEidgehdeiEhhjhjgiEdfkjihEgdgdefgkEfigdfedijhejEgdhkEdifEehifgdhddhfjghjfiifdhiigedggEdikeE" ascii
123 |        $s20 = "efigfkfkkkfkdifiEhkhjkiejjidgkEfhEfehidhEfekgejgefEjEgdgefgidjjfdkjEfgfEigijhidideEEffjefkkkjjeeigggiighdddEddgegjEfEffjjjiddiEk" ascii
124 |     condition:
125 |        uint16(0) == 0x5a4d and filesize < 200KB and
126 |        1 of ($x*) and 4 of them
127 |  }
128 |  
129 |  rule bumblebee_13842_wSaAHJzLLT_exe {
130 |     meta:
131 |        description = "BumbleBee - file wSaAHJzLLT.exe"
132 |        author = "The DFIR Report via yarGen Rule Generator"
133 |        reference = "https://thedfirreport.com/2022/11/14/bumblebee-zeros-in-on-meterpreter/"
134 |        date = "2022-11-13"
135 |        hash1 = "df63149eec96575d66d90da697a50b7c47c3d7637e18d4df1c24155abacbc12e"
136 |     strings:
137 |        $s1 = "ec2-3-16-159-37.us-east-2.compute.amazonaws.com" fullword ascii
138 |        $s2 = "PAYLOAD:" fullword ascii
139 |        $s3 = "AQAPRQVH1" fullword ascii
140 |        $s4 = "AX^YZAXAYAZH" fullword ascii
141 |        $s5 = "/bIQRfeCGXT2vja6Pzf8uZAWzlUMGzUHDk" fullword ascii
142 |        $s6 = "SZAXM1" fullword ascii
143 |        $s7 = "SYj@ZI" fullword ascii
144 |        $s8 = "@.nbxi" fullword ascii
145 |        $s9 = "Rich}E" fullword ascii
146 |     condition:
147 |        uint16(0) == 0x5a4d and filesize < 20KB and
148 |        all of them
149 | }
150 | 
151 | 


--------------------------------------------------------------------------------
/14373/14373.yar:
--------------------------------------------------------------------------------
 1 | /*
 2 |    YARA Rule Set
 3 |    Author: The DFIR Report
 4 |    Date: 2022-09-26
 5 |    Identifier: Case 14373 Bumblebee
 6 |    Reference: https://thedfirreport.com/2022/09/26/bumblebee-round-two/
 7 | */
 8 | 
 9 | /* Rule Set ----------------------------------------------------------------- */
10 | 
11 | rule case_14373_bumblebee_document_iso {
12 |    meta:
13 |       description = "Files - file document.iso"
14 |       author = "The DFIR Report"
15 |       reference = "https://thedfirreport.com/2022/09/26/bumblebee-round-two/"
16 |       date = "2022-09-26"
17 |       hash1 = "11bce4f2dcdc2c1992fddefb109e3ddad384b5171786a1daaddadc83be25f355"
18 |    strings:
19 |       $x1 = "tamirlan.dll,EdHVntqdWt\"%systemroot%\\system32\\imageres.dll" fullword wide
20 |       $s2 = "C:\\Windows\\System32\\rundll32.exe" fullword ascii
21 |       $s3 = "xotgug064ka8.dll" fullword ascii
22 |       $s4 = "tamirlan.dll" fullword wide
23 |       $s5 = ")..\\..\\..\\..\\Windows\\System32\\rundll32.exe" fullword wide
24 |       $s6 = "        <requestedExecutionLevel level='asInvoker' uiAccess='false' />" fullword ascii
25 |       $s7 = "claims indebted fires plastic naturalist deduction meaningless yielded automatic wrote damage far use fairly allocation lever ne" ascii
26 |       $s8 = "documents.lnk" fullword wide
27 |       $s9 = "4System32" fullword wide
28 |       $s10 = "\\_P^YVPX[SY]WT^^RQ_V[YQV\\Y]USUZV[XWT_SWT[UYURVVRVR^^[__XRQPPUXZWYYVU]V\\[TS[SSWWVY_R_Y[XZ_W[VVS\\]ZYSPYURUSP\\U^P^^S\\QVRQXPTV" ascii
29 |       $s11 = "\\_P^YVPX[SY]WT^^RQ_V[YQV\\Y]USUZV[XWT_SWT[UYURVVRVR^^[__XRQPPUXZWYYVU]V\\[TS[SSWWVY_R_Y[XZ_W[VVS\\]ZYSPYURUSP\\U^P^^S\\QVRQXPTV" ascii
30 |       $s12 = " Type Descriptor'" fullword ascii
31 |       $s13 = "YP^WTS]V[WPTWR_\\P[]WX_SPYQ[SQ]]UWTU]QR\\UQR]]\\\\^]UZUX\\X^U]P_^S[ZY^R^]UXWZURR\\]X[^TX\\S\\SWV_[YXP_[^^\\WW\\]]]PU_YZ\\]SVPQX[" ascii
32 |       $s14 = "494[/D59:" fullword ascii /* hex encoded string 'IMY' */
33 |       $s15 = "_ZQ\\V\\TW]P\\YW^_PZT_TR[T_WVQUSQPVSPYRSWPS^WVQR_[T_PS[]TT]RSSQV_[_Q]UY\\\\QPVQRXXPPR^_VSZRRRSWXTUV^PRQQXPSWPSWSYWWV^YR_Z]PWRP]^" ascii
34 |       $s16 = "?+7,*6@24" fullword ascii /* hex encoded string 'v$' */
35 |       $s17 = "67?.68@6.3=" fullword ascii /* hex encoded string 'ghc' */
36 |       $s18 = "*;+273++C" fullword ascii /* hex encoded string ''<' */
37 |       $s19 = "*:>?2-:E?@>5D+" fullword ascii /* hex encoded string '.]' */
38 |       $s20 = "UPVX]VWVQU[_^ZU[_W^[R^]SPQ[[VPRR]]Z[\\XVU^_TR[YPR\\PY]RXT[_RXSPYSWTU]PV_SWWUVU\\R_X_U_V[__UW[\\^YU[WTUXSURQ]QSUPTXVXZV]WRP[_XW]" fullword ascii
39 |    condition:
40 |       uint16(0) == 0x0000 and filesize < 8000KB and
41 |       1 of ($x*) and 4 of them
42 | }
43 | 
44 | rule case_14373_bumblebee_tamirlan_dll {
45 |    meta:
46 |       description = "Files - file tamirlan.dll"
47 |       author = "The DFIR Report"
48 |       reference = "https://thedfirreport.com/2022/09/26/bumblebee-round-two/"
49 |       date = "2022-09-26"
50 |       hash1 = "123f96ff0a583d507439f79033ba4f5aa28cf43c5f2c093ac2445aaebdcfd31b"
51 |    strings:
52 |       $s1 = "xotgug064ka8.dll" fullword ascii
53 |       $s2 = "        <requestedExecutionLevel level='asInvoker' uiAccess='false' />" fullword ascii
54 |       $s3 = "claims indebted fires plastic naturalist deduction meaningless yielded automatic wrote damage far use fairly allocation lever ne" ascii
55 |       $s4 = "\\_P^YVPX[SY]WT^^RQ_V[YQV\\Y]USUZV[XWT_SWT[UYURVVRVR^^[__XRQPPUXZWYYVU]V\\[TS[SSWWVY_R_Y[XZ_W[VVS\\]ZYSPYURUSP\\U^P^^S\\QVRQXPTV" ascii
56 |       $s5 = "\\_P^YVPX[SY]WT^^RQ_V[YQV\\Y]USUZV[XWT_SWT[UYURVVRVR^^[__XRQPPUXZWYYVU]V\\[TS[SSWWVY_R_Y[XZ_W[VVS\\]ZYSPYURUSP\\U^P^^S\\QVRQXPTV" ascii
57 |       $s6 = " Type Descriptor'" fullword ascii
58 |       $s7 = "YP^WTS]V[WPTWR_\\P[]WX_SPYQ[SQ]]UWTU]QR\\UQR]]\\\\^]UZUX\\X^U]P_^S[ZY^R^]UXWZURR\\]X[^TX\\S\\SWV_[YXP_[^^\\WW\\]]]PU_YZ\\]SVPQX[" ascii
59 |       $s8 = "494[/D59:" fullword ascii /* hex encoded string 'IMY' */
60 |       $s9 = "_ZQ\\V\\TW]P\\YW^_PZT_TR[T_WVQUSQPVSPYRSWPS^WVQR_[T_PS[]TT]RSSQV_[_Q]UY\\\\QPVQRXXPPR^_VSZRRRSWXTUV^PRQQXPSWPSWSYWWV^YR_Z]PWRP]^" ascii
61 |       $s10 = "?+7,*6@24" fullword ascii /* hex encoded string 'v$' */
62 |       $s11 = "67?.68@6.3=" fullword ascii /* hex encoded string 'ghc' */
63 |       $s12 = "*;+273++C" fullword ascii /* hex encoded string ''<' */
64 |       $s13 = "*:>?2-:E?@>5D+" fullword ascii /* hex encoded string '.]' */
65 |       $s14 = "UPVX]VWVQU[_^ZU[_W^[R^]SPQ[[VPRR]]Z[\\XVU^_TR[YPR\\PY]RXT[_RXSPYSWTU]PV_SWWUVU\\R_X_U_V[__UW[\\^YU[WTUXSURQ]QSUPTXVXZV]WRP[_XW]" fullword ascii
66 |       $s15 = "YX\\^SPP^XW_^^_Y]ZY[T_UQU_QXP[SV^RT_ZRPV\\YVVYPVR^UP^QYQXV^\\]]T_SQQR_ZSQZT_Y^^_]Z]QYW\\Z_T_VRTWQZPS\\X\\_]W]PTTSP\\[]WVSRR\\Q]Q" ascii
67 |       $s16 = "Z_VV\\PSYWUT_Z\\WQSPY\\ZZ\\PY]W][RW^\\^ZPUZV[WZ\\QU_V[YU\\X[Q__\\YQQPZ[VR\\QUZUQVQ^PUPUXWQ_ZTRTZU[T^QUZ[UZRVYV\\^WRY_SR_YUUY_[]S" ascii
68 |       $s17 = "R_XUSP^T[RVXUR_\\VU\\Y[YWV\\WYXV\\SQ_RU][R\\ZTU\\PWYQ[ZSRTQUZ]\\WSPY\\P[_]TX]YZPTSSZ[VXW[YT\\W\\Z[SXRYZYQ^PR^VZVU^VRV][RR]S\\V__" ascii
69 |       $s18 = "Z_VV\\PSYWUT_Z\\WQSPY\\ZZ\\PY]W][RW^\\^ZPUZV[WZ\\QU_V[YU\\X[Q__\\YQQPZ[VR\\QUZUQVQ^PUPUXWQ_ZTRTZU[T^QUZ[UZRVYV\\^WRY_SR_YUUY_[]S" ascii
70 |       $s19 = "PQP]^__\\ZZUSZYT_^S_SPPV]\\XPT_TPQU\\VWZQYZPZ^]]SW]R^[WYP]^[[R_RTSPYW^WU^QVPZ" fullword ascii
71 |       $s20 = "Y]_QU\\ZQQSXRX[SPYVRWXU^P[VSSWUR]]PSWV\\X]Y[PX_UZ_PPP[WQVXY^^]^RRSPZ]^XWV^]" fullword ascii
72 |    condition:
73 |       uint16(0) == 0x5a4d and filesize < 3000KB and
74 |       8 of them
75 | }
76 | 
77 | rule case_14373_bumblebee_documents_lnk {
78 |    meta:
79 |       description = "Files - file documents.lnk"
80 |       author = "The DFIR Report"
81 |       reference = "https://thedfirreport.com/2022/09/26/bumblebee-round-two/"
82 |       date = "2022-09-26"
83 |       hash1 = "cadd3f05b496ef137566c90c8fee3905ff13e8bda086b2f0d3cf7512092b541c"
84 |    strings:
85 |       $x1 = "tamirlan.dll,EdHVntqdWt\"%systemroot%\\system32\\imageres.dll" fullword wide
86 |       $s2 = "C:\\Windows\\System32\\rundll32.exe" fullword ascii
87 |       $s3 = ")..\\..\\..\\..\\Windows\\System32\\rundll32.exe" fullword wide
88 |       $s4 = "4System32" fullword wide
89 |       $s5 = "user-pc" fullword ascii
90 |       $s6 = "}Windows" fullword wide
91 |    condition:
92 |       uint16(0) == 0x004c and filesize < 4KB and
93 |       1 of ($x*) and all of them
94 | }
95 | 
96 | 
97 | 


--------------------------------------------------------------------------------
/15184/15184.yar:
--------------------------------------------------------------------------------
  1 | /*
  2 |    YARA Rule Set
  3 |    Author: The DFIR Report
  4 |    Date: 2022-11-28
  5 |    Identifier: Quantum Ransomware - Case 15184
  6 |    Reference: https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/
  7 | */
  8 | 
  9 | /* Rule Set ----------------------------------------------------------------- */
 10 | 
 11 | rule case_15184_FilesToHash_17jun {
 12 |    meta:
 13 |       description = "15184_ - file 17jun.exe"
 14 |       author = "The DFIR Report"
 15 |       reference = "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/"
 16 |       date = "2022-11-28"
 17 |       hash1 = "41e230134deca492704401ddf556ee2198ef6f32b868ec626d9aefbf268ab6b1"
 18 |    strings:
 19 |       $x1 = " to unallocated span37252902984619140625Arabic Standard TimeAzores Standard TimeCertOpenSystemStoreWCreateProcessAsUserWCryptAcq" ascii
 20 |       $x2 = "0123456789abcdefghijklmnopqrstuvwxyz444089209850062616169452667236328125ERROR: unable to download agent fromGo pointer stored in" ascii
 21 |       $x3 = ".lib section in a.out corrupted11368683772161602973937988281255684341886080801486968994140625CLIENT_HANDSHAKE_TRAFFIC_SECRETCent" ascii
 22 |       $x4 = "slice bounds out of range [:%x] with length %ystopTheWorld: not stopped (status != _Pgcstop)sysGrow bounds not aligned to palloc" ascii
 23 |       $x5 = "VirtualQuery for stack base failedadding nil Certificate to CertPoolbad scalar length: %d, expected %dchacha20: wrong HChaCha20 " ascii
 24 |       $x6 = "file descriptor in bad statefindrunnable: netpoll with pforgetting unknown stream idfound pointer to free objectgcBgMarkWorker: " ascii
 25 |       $x7 = "tls: certificate used with invalid signature algorithmtls: server resumed a session with a different versionx509: cannot verify " ascii
 26 |       $x8 = "non-IPv4 addressnon-IPv6 addressobject is remotepacer: H_m_prev=proxy-connectionreflect mismatchremote I/O errorruntime:  g:  g=" ascii
 27 |       $x9 = "lock: lock countslice bounds out of rangesocket type not supportedstartm: p has runnable gsstoplockedm: not runnablestrict-trans" ascii
 28 |       $x10 = "unixpacketunknown pcuser-agentws2_32.dll  of size   (targetpc= ErrCode=%v KiB work,  freeindex= gcwaiting= idleprocs= in status " ascii
 29 |       $x11 = "100-continue152587890625762939453125Bidi_ControlCIDR addressCONTINUATIONContent TypeContent-TypeCookie.ValueECDSA-SHA256ECDSA-SH" ascii
 30 |       $x12 = "entersyscallexit status gcBitsArenasgcpacertracegetaddrinfowhost is downhttp2debug=1http2debug=2illegal seekinvalid baseinvalid " ascii
 31 |       $x13 = "streamSafe was not resetstructure needs cleaningtext/html; charset=utf-8unexpected buffer len=%vx509: malformed validityzlib: in" ascii
 32 |       $x14 = "IP addressInstaller:Keep-AliveKharoshthiLockFileExManichaeanMessage-IdNo ContentOld_ItalicOld_PermicOld_TurkicOther_MathPOSTALCO" ascii
 33 |       $x15 = " to non-Go memory , locked to thread298023223876953125: day out of rangeArab Standard TimeCaucasian_AlbanianCommandLineToArgvWCr" ascii
 34 |       $x16 = "= flushGen  for type  gfreecnt= pages at  runqsize= runqueue= s.base()= spinning= stopwait= stream=%d sweepgen  sweepgen= target" ascii
 35 |       $x17 = "(unknown), newval=, oldval=, plugin:, size = , tail = --site-id244140625: status=AuthorityBassa_VahBhaiksukiClassINETCuneiformDi" ascii
 36 |       $x18 = " is unavailable()<>@,;:\\\"/[]?=,M3.2.0,M11.1.00601021504Z0700476837158203125: cannot parse <invalid Value>ASCII_Hex_DigitAccept" ascii
 37 |       $x19 = "span set block with unpopped elements found in resettls: received a session ticket with invalid lifetimetls: server selected uns" ascii
 38 |       $x20 = "bad defer entry in panicbad defer size class: i=bypassed recovery failedcan't scan our own stackcertificate unobtainablechacha20" ascii
 39 |    condition:
 40 |       uint16(0) == 0x5a4d and filesize < 14000KB and
 41 |       1 of ($x*)
 42 | }
 43 | 
 44 | rule case_15184_dontsleep {
 45 |    meta:
 46 |       description = "15184_ - file dontsleep.exe"
 47 |       author = "The DFIR Report"
 48 |       reference = "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/"
 49 |       date = "2022-11-28"
 50 |       hash1 = "f8cff7082a936912baf2124d42ed82403c75c87cb160553a7df862f8d81809ee"
 51 |    strings:
 52 |       $s1 = "shell32.dll,Control_RunDLL" fullword ascii
 53 |       $s2 = "powrprof.DLL" fullword wide
 54 |       $s3 = "CREATEPROCESS_MANIFEST_RESOURCE_ID RT_MANIFEST \"res\\\\APP.exe.manifest\"" fullword ascii
 55 |       $s4 = "msinfo32.exe" fullword ascii
 56 |       $s5 = "user32.dll,LockWorkStation" fullword wide
 57 |       $s6 = "DontSleep.exe" fullword wide
 58 |       $s7 = "UMServer.log" fullword ascii
 59 |       $s8 = "_Autoupdate.exe" fullword ascii
 60 |       $s9 = "BlockbyExecutionState: %d on:%d by_enable:%d" fullword wide
 61 |       $s10 = "powrprof.dll,SetSuspendState" fullword wide
 62 |       $s11 = "%UserProfile%" fullword wide
 63 |       $s12 = " 2010-2019 Nenad Hrg SoftwareOK.com" fullword wide
 64 |       $s13 = "https://sectigo.com/CPS0C" fullword ascii
 65 |       $s14 = "https://sectigo.com/CPS0D" fullword ascii
 66 |       $s15 = "?http://crl.usertrust.com/USERTrustRSACertificationAuthority.crl0v" fullword ascii
 67 |       $s16 = "Unable to get response from Accept Thread withing specified Timeout ->" fullword ascii
 68 |       $s17 = "3http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt0%" fullword ascii
 69 |       $s18 = "Unable to get response from Helper Thread within specified Timeout ->" fullword ascii
 70 |       $s19 = "   <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\">" fullword ascii
 71 |       $s20 = "_selfdestruct.bat" fullword wide
 72 |    condition:
 73 |       uint16(0) == 0x5a4d and filesize < 700KB and
 74 |       8 of them
 75 | }
 76 | 
 77 | rule case_15184_FilesToHash_locker {
 78 |    meta:
 79 |       description = "15184_ - file locker.dll"
 80 |       author = "The DFIR Report"
 81 |       reference = "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/"
 82 |       date = "2022-11-28"
 83 |       hash1 = "6424b4983f83f477a5da846a1dc3e2565b7a7d88ae3f084f3d3884c43aec5df6"
 84 |    strings:
 85 |       $s1 = "plugin.dll" fullword ascii
 86 |       $s2 = "oL$0fE" fullword ascii /* Goodware String - occured 1 times */
 87 |       $s3 = "H9CPtgL9{@tafD9{8tZD" fullword ascii
 88 |       $s4 = "expand 32-byte k" fullword ascii /* Goodware String - occured 1 times */
 89 |       $s5 = "oD$@fD" fullword ascii /* Goodware String - occured 3 times */
 90 |       $s6 = "oF D3f0D3n4D3v8D3~<H" fullword ascii
 91 |       $s7 = "j]{7r]Y" fullword ascii
 92 |       $s8 = "EA>EmA" fullword ascii
 93 |       $s9 = "ol$0fE" fullword ascii
 94 |       $s10 = "S{L1I{" fullword ascii
 95 |       $s11 = "V32D!RT" fullword ascii
 96 |       $s12 = " A_A^_" fullword ascii
 97 |       $s13 = "v`L4~`g" fullword ascii
 98 |       $s14 = "9\\$8vsH" fullword ascii
 99 |       $s15 = "K:_Rich" fullword ascii
100 |       $s16 = " A_A^A\\_^" fullword ascii
101 |       $s17 = "tsf90u" fullword ascii
102 |       $s18 = "9|$0vQ" fullword ascii
103 |       $s19 = "K:_=:?^" fullword ascii
104 |       $s20 = ":9o 49" fullword ascii
105 |    condition:
106 |       uint16(0) == 0x5a4d and filesize < 200KB and
107 |       8 of them
108 | }
109 | 
110 | rule case_15184_K_1_06_13_2022_lnk {
111 |    meta:
112 |       description = "15184_ - file K-1 06.13.2022.lnk.lnk"
113 |       author = "The DFIR Report"
114 |       reference = "https://thedfirreport.com"
115 |       date = "2022-11-28"
116 |       hash1 = "1bf9314ae67ab791932c43e6c64103b1b572a88035447dae781bffd21a1187ad"
117 |    strings:
118 |       $x1 = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" fullword ascii
119 |       $s2 = "%SystemRoot%\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" fullword wide
120 |       $s3 = "<..\\..\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" fullword wide
121 |       $s4 = "-c \"&{'p8ArwZsj8ZO+Zy/dHPeI+siGhbaxtEhzwmd3zVObm9uG2CGKqz5m4AdzKWWzPmKrjJieG4O9';$BxQ='uYnIvc3RhdHMvUkppMnJRSTRRWHJXQ2ZnZG1pLyI" wide
122 |       $s5 = "WindowsPowerShell" fullword wide
123 |       $s6 = "black-dog" fullword ascii
124 |       $s7 = "powershell.exe" fullword wide /* Goodware String - occured 3 times */
125 |       $s8 = "S-1-5-21-1499925678-132529631-3571256938-1001" fullword wide
126 |    condition:
127 |       uint16(0) == 0x004c and filesize < 10KB and
128 |       1 of ($x*) and all of them
129 | }
130 | 


--------------------------------------------------------------------------------
/17386/17386.yar:
--------------------------------------------------------------------------------
  1 | /*
  2 |    YARA Rule Set
  3 |    Author: The DFIR Report
  4 |    Date: 2023-01-08
  5 |    Identifier: Case 17386 Gozi
  6 |    Reference: https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts
  7 | */
  8 | 
  9 | /* Rule Set ----------------------------------------------------------------- */
 10 | 
 11 | rule gozi_17386_6570872_lnk
 12 | {
 13 | 	meta:
 14 | 		description = "Gozi - file 6570872.lnk"
 15 | 		author = "The DFIR Report"
 16 | 		reference = "https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts"
 17 | 		date = "2023-01-08"
 18 | 		hash1 = "c6b605a120e0d3f3cbd146bdbc358834"
 19 | 	strings:
 20 | 		$s1 = "..\\..\\..\\..\\me\\alsoOne.bat" fullword wide
 21 | 		$s2 = "alsoOne.bat" fullword wide
 22 | 		$s3 = "c:\\windows\\explorer.exe" fullword wide
 23 | 		$s4 = "%SystemRoot%\\explorer.exe" fullword wide
 24 | 	condition:
 25 | 		uint16(0) == 0x004c and
 26 | 		filesize < 4KB and
 27 | 		all of them
 28 | }
 29 | 
 30 | rule gozi_17386_adcomp_bat
 31 | {
 32 | 	meta:
 33 | 		description = "Gozi - file adcomp.bat"
 34 | 		author = "The DFIR Report"
 35 | 		reference = "https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts"
 36 | 		date = "2023-01-08"
 37 | 		hash1 = "eb2335e887875619b24b9c48396d4d48"
 38 | 	strings:
 39 | 		$s1 = "powershell" fullword
 40 | 		$s2 = ">> log2.txt" fullword
 41 | 		$s3 = "Get-ADComputer" fullword
 42 | 	condition:
 43 | 		$s1 at 0 and
 44 | 		filesize < 500 and
 45 | 		all of them
 46 | }
 47 | 
 48 | rule gozi_17386_alsoOne_bat
 49 | {
 50 | 	meta:
 51 | 		description = "Gozi - file alsoOne.bat"
 52 | 		author = "The DFIR Report"
 53 | 		reference = "https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts"
 54 | 		date = "2023-01-08"
 55 | 		hash1 = "c03f5e2bc4f2307f6ee68675d2026c82"
 56 | 	strings:
 57 | 		$s1 = "set %params%=hello" fullword
 58 | 		$s2 = "me\\canWell.js hello" fullword
 59 | 		$s3 = "cexe lldnur" fullword
 60 | 		$s4 = "revreSretsigeRllD" fullword
 61 | 	condition:
 62 | 		$s1 at 0 and
 63 | 		filesize < 500 and
 64 | 		all of them
 65 | }
 66 | 
 67 | rule gozi_17386_canWell_js
 68 | {
 69 | 	meta:
 70 | 		description = "Gozi - file canWell.js"
 71 | 		author = "The DFIR Report"
 72 | 		reference = "https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts"
 73 | 		date = "2023-01-08"
 74 | 		hash1 = "6bb867e53c46aa55a3ae92e425c6df91"
 75 | 	strings:
 76 | 		//00000000  2F 2A 2A 0D 0A 09 57 68  6E 6C 64 47 68 0D 0A 2A  /**...WhnldGh..*
 77 | 		//00000010  2F                                               /
 78 | 		$h1 = { 2F 2A 2A 0D 0A 09 57 68 6E 6C 64 47 68 0D 0A 2A 2F }
 79 | 		$s1 = "reverseString" fullword
 80 | 		$s2 = "123.com" fullword
 81 | 		$s3 = "itsIt.db" fullword
 82 | 		$s4 = "function ar(id)" fullword
 83 | 		$s5 = "WScript.CreateObject" fullword
 84 | 	condition:
 85 | 		$h1 at 0 and
 86 | 		filesize < 1KB and
 87 | 		all of ($s*)
 88 | }
 89 | 
 90 | rule gozi_17386_itsIt_db
 91 | {
 92 | 	meta:
 93 | 		description = "Gozi - file itsIt.db"
 94 | 		author = "The DFIR Report"
 95 | 		reference = "https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts"
 96 | 		date = "2023-01-08"
 97 | 		hash1 = "60375d64a9a496e220b6eb1b63e899b3"
 98 | 	strings:
 99 | 		$s1 = "EoJA1.dll" fullword
100 | 		$s2 = "AXMsDQbUbhdpHgumy" fullword
101 | 		$s3 = "DllRegisterServer" fullword
102 | 		$s4 = "DqvdfVJXumSGuxDbQeifDE" fullword
103 | 		$s5 = "GsvFugemhLmFRebByHWZLIlt" fullword
104 | 		$s6 = "IBDFzyzaYYbvLCdANNWobWzkHefitgP" fullword
105 | 		$s7 = "KWwSSdVAwGpuPZJemC" fullword
106 | 		$s8 = "LRZeayHLHiLXcxFjinEZmyaMXWpoF" fullword
107 | 		$s9 = "LcVopTSimzPyMznceIIepGGLs" fullword
108 | 		$s10 = "OkJXHEIxVkZenNREJnYdhtufvRv" fullword
109 | 		$s11 = "OtsltXyqwGKmKSYm" fullword
110 | 		$s12 = "OvzfwfDhXuXhLmzEvnwCNPcfYAodAip" fullword
111 | 		$s13 = "QQASfqqFsaIyuodrOEzmiYhXFBhK" fullword
112 | 		$s14 = "RNsFxmZdRyUXEpddwSgBPDKQPQW" fullword
113 | 		$s15 = "RxfeQKNVUecCmdLsHQAGMbqVDxDAR" fullword
114 | 		$s16 = "SKRXxPrnvmLVjzGDJ" fullword
115 | 		$s17 = "UOGamDxqKzMifBHNcnBjIecgOy" fullword
116 | 		$s18 = "VHPqYBENjtlIcAUDdVEHyQrPsRjrWb" fullword
117 | 		$s19 = "VHYmMulTaXxJkuTCbDpFOCoWjdFipiT" fullword
118 | 		$s20 = "WJkBmOWdIlTJWBXfKCLRluK" fullword
119 | 		$s21 = "YIskifvVtpCHTPVefoogyKpjNpKk" fullword
120 | 		$s22 = "YqnsziMxolCUEpCyF" fullword
121 | 		$s23 = "aHjfpBCMGTOHtAxeJeqvYJiJipIc" fullword
122 | 		$s24 = "btmXEDkzSVQrIekKBbgAyAjFzB" fullword
123 | 		$s25 = "iZwERsKOdaNkDjJUj" fullword
124 | 		$s26 = "ifNYULjNknlPOsikeeFKq" fullword
125 | 		$s27 = "jZTjetqmFfnLpMHfBmKFXSWNjK" fullword
126 | 		$s28 = "kxNmMsXFaSQwVCttBDpieAV" fullword
127 | 		$s29 = "phDeNsVAkciNIDphsSICKbhrF" fullword
128 | 		$s30 = "srJhGTXYGHCFyCLmlYgSpAB" fullword
129 | 		$s31 = "tvMVzGtbiBFVgcrXhUsAKAuKQXi" fullword
130 | 		$s32 = "vowTIpYzkeDnPYtsuRYfGIGg" fullword
131 | 		$s33 = "GCTL" fullword
132 | 	condition:
133 | 		uint16(0) == 0x5a4d and
134 | 		filesize < 500KB and
135 | 		all of them
136 | }
137 | 


--------------------------------------------------------------------------------
/18041/18041.yar:
--------------------------------------------------------------------------------
 1 | rule Locker_32
 2 | {
 3 |   meta:
 4 |       description = "Locker_32.dll"
 5 |       author = "_pete_0, TheDFIRReport"
 6 |       reference = "https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware"
 7 |       date = "2023-04-02"
 8 |       hash1 = "A378B8E9173F4A5469E7B5105BE40723AF29CBD6EE00D3B13FF437DAE4514DFF"
 9 | 
10 |   strings:
11 |       $app1 = "plugin.dll" fullword ascii
12 |       $app2 = "expand 32-byte k" fullword ascii
13 |       $app3 = "FAST" wide ascii
14 |       $app4 = "SLOW" wide ascii
15 | 
16 |   condition:
17 |       uint16(0) == 0x5A4D and filesize < 100KB and all of ($app*)
18 | }
19 | 
20 | rule ADGet
21 | {
22 |   meta:
23 |       description = "ADGet.exe"
24 |       author = "_pete_0, TheDFIRReport"
25 |       reference = "https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware"
26 |       date = "2023-04-02"
27 |       hash1 = "FC4DA07183DE876A2B8ED1B35EC1E2657400DA9D99A313452162399C519DBFC6"
28 | 
29 |   strings:
30 |       $app1 = "AdGet <zip-file> [OPTIONS]" fullword ascii
31 |       $app2 = "Exports data from Active Directory" fullword ascii		
32 | 
33 |       $ldap1 = "PrimaryGroupID=516" fullword ascii
34 |       $ldap2 = "PrimaryGroupID=521" fullword ascii
35 |       $ldap3 = "objectClass=trustedDomain" fullword ascii
36 | 
37 |   condition:
38 |       uint16(0) == 0x5A4D and filesize < 800KB and all of ($app*) and all of ($ldap*)
39 | }
40 | 


--------------------------------------------------------------------------------
/18190/18190.yar:
--------------------------------------------------------------------------------
  1 | /*
  2 |    YARA Rule Set
  3 |    Author: The DFIR Report
  4 |    Date: 2023-05-21
  5 |    Identifier: Case 18190
  6 |    Reference: https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/
  7 | */
  8 | 
  9 | /* Rule Set ----------------------------------------------------------------- */
 10 | 
 11 | 
 12 | rule case_18190_1_beacon {
 13 |    meta:
 14 |       description = "18190 - file 1.dll"
 15 |       author = "The DFIR Report"
 16 |       reference = "https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/"
 17 |       date = "2023-05-21"
 18 |       hash1 = "d3db55cd5677b176eb837a536b53ed8c5eabbfd68f64b88dd083dc9ce9ffb64e"
 19 |    strings:
 20 |       $s1 = "xtoofou674xh.dll" fullword ascii
 21 |       $s2 = "witnessed workroom authoritative bail advertise navy unseen co rival June quest manage detest predicate mainland smoke proudly s" ascii
 22 |       $s3 = " wig promise heal tangible reflections high elevate genus England wild chairman multitude jaws keyhole fairy rainy starts lease " ascii
 23 |       $s4 = "deplore word excellent consume left hers being tyre squeeze developed ardour fertility lucidly lion loft conquered grant restart" ascii
 24 |       $s5 = " Type Descriptor'" fullword ascii
 25 |       $s6 = "ic hairs species provision cocoa standard curtains discussed envelope books publicity interrupt sailor wilderness promising try " ascii
 26 |       $s7 = ".text$wlogeu" fullword ascii
 27 |       $s8 = "ch pensioner pub continual peaceable software beech indeed compromise assign comprehensive suitable disturbed oblige saw trying " ascii
 28 |       $s9 = "exual nails director filling great widen newspapers blank representative yell absorbed balcony normandy translate disc sympathet" ascii
 29 |       $s10 = " Class Hierarchy Descriptor'" fullword ascii
 30 |       $s11 = " Base Class Descriptor at (" fullword ascii
 31 |       $s12 = "fairly handsome bush " fullword ascii
 32 |       $s13 = "UXlsmX90" fullword ascii
 33 |       $s14 = " Complete Object Locator'" fullword ascii
 34 |       $s15 = "H)CpHcD$tL" fullword ascii
 35 |       $s16 = ".text$uogqsw" fullword ascii
 36 |       $s17 = ".text$heprqt" fullword ascii
 37 |       $s18 = ".text$euryob" fullword ascii
 38 |       $s19 = ".text$blaihb" fullword ascii
 39 |       $s20 = ".text$dffkjr" fullword ascii
 40 |    condition:
 41 |       uint16(0) == 0x5a4d and filesize < 400KB and
 42 |       8 of them
 43 | }
 44 | 
 45 | rule case_18190_nokoyawa_k {
 46 |    meta:
 47 |       description = "18190 - file k.exe"
 48 |       author = "The DFIR Report"
 49 |       reference = "https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/"
 50 |       date = "2023-05-21"
 51 |       hash1 = "7095beafff5837070a89407c1bf3c6acf8221ed786e0697f6c578d4c3de0efd6"
 52 |    strings:
 53 |       $x1 = "UncategorizedOtherOutOfMemoryUnexpectedEofInterruptedArgumentListTooLongInvalidFilenameTooManyLinksCrossesDevicesDeadlockExecuta" ascii
 54 |       $x2 = "C:\\Users\\runneradmin\\.cargo\\registry\\src\\github.com-1ecc6299db9ec823\\rustc-demangle-0.1.21\\src\\legacy.rs" fullword ascii
 55 |       $x3 = "C:\\Users\\runneradmin\\.cargo\\registry\\src\\github.com-1ecc6299db9ec823\\rustc-demangle-0.1.21\\src\\v0.rs" fullword ascii
 56 |       $s4 = ".llvm.C:\\Users\\runneradmin\\.cargo\\registry\\src\\github.com-1ecc6299db9ec823\\rustc-demangle-0.1.21\\src\\lib.rs" fullword ascii
 57 |       $s5 = "C:\\Users\\user\\.cargo\\registry\\src\\github.com-1ecc6299db9ec823\\cipher-0.4.3\\src\\stream.rs" fullword ascii
 58 |       $s6 = "called `Option::unwrap()` on a `None` valueC:\\Users\\user\\.cargo\\registry\\src\\github.com-1ecc6299db9ec823\\serde_json-1.0.8" ascii
 59 |       $s7 = "C:\\Users\\user\\.cargo\\registry\\src\\github.com-1ecc6299db9ec823\\rand_core-0.5.1\\src\\os.rs" fullword ascii
 60 |       $s8 = "C:\\Users\\user\\.cargo\\registry\\src\\github.com-1ecc6299db9ec823\\generic-array-0.14.6\\src\\lib.rs" fullword ascii
 61 |       $s9 = "C:\\Users\\user\\.cargo\\registry\\src\\github.com-1ecc6299db9ec823\\base64-0.3.1\\src\\lib.rs" fullword ascii
 62 |       $s10 = "Y:\\noko\\target\\release\\deps\\noko.pdb" fullword ascii
 63 |       $s11 = " --config <base64 encoded config> --file <filePath> (encrypt selected file)" fullword ascii
 64 |       $s12 = " --config <base64 encoded config> --dir <dirPath> (encrypt selected directory)" fullword ascii
 65 |       $s13 = "uncategorized errorother errorout of memoryunexpected end of fileunsupportedoperation interruptedargument list too longinvalid f" ascii
 66 |       $s14 = "called `Option::unwrap()` on a `None` valueC:\\Users\\user\\.cargo\\registry\\src\\github.com-1ecc6299db9ec823\\serde_json-1.0.8" ascii
 67 |       $s15 = "    --config <base64 encoded config> (to start full encryption)" fullword ascii
 68 |       $s16 = "assertion failed: state_and_queue.addr() & STATE_MASK == RUNNINGOnce instance has previously been poisoned" fullword ascii
 69 |       $s17 = "AppPolicyGetProcessTerminationMethod" fullword ascii
 70 |       $s18 = "toryoperation would blockentity already existsbroken pipenetwork downaddress not availableaddress in usenot connectedconnection " ascii
 71 |       $s19 = "randSecure: random number generator module is not initializedstdweb: failed to get randomnessstdweb: no randomness source availa" ascii
 72 |       $s20 = "lock count overflow in reentrant mutexlibrary\\std\\src\\sys_common\\remutex.rs" fullword ascii
 73 |    condition:
 74 |       uint16(0) == 0x5a4d and filesize < 1000KB and
 75 |       1 of ($x*) and 4 of them
 76 | }
 77 | 
 78 | 
 79 | rule case_18190_icedid_7030270 {
 80 |    meta:
 81 |       description = "18190 - file 7030270"
 82 |       author = "The DFIR Report"
 83 |       reference = "https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/"
 84 |       date = "2023-05-21"
 85 |       hash1 = "091886c95ca946aedee24b7c751b5067c5ac875923caba4d3cc9d961efadb65d"
 86 |    strings:
 87 |       $x1 = "for(var arr in Globals.blacklist){if(Util.hasOwn(Globals.blacklist,arr)&&Util.check.isArray(Globals.blacklist[arr])){for(i=0,len" ascii
 88 |       $x2 = "1520efae4595cbc9dfaf6dcfe0c2464bb0487eca7f16316db49cff08df8bea8538aee5fd9cd09453919fd1fe50a8bd9ea7aa1a746c0fd3d07ca0f6044c537ca3" ascii
 89 |       $x3 = "y%f44dda75f1d5b52c3b0664b01427be199754538975575fff51da2cd11633e47f3e2a75305a263de621addba56ea6ab98de5e382ddb3a007abb2283f51912b7" ascii
 90 |       $x4 = "8b9d511a79efe09aac7aafcd30db6ea905bd35a2665c25801d34c94a5d2d245fa7a22515cf8cd5086b78b3571f5eed0123356441f3caa28ef4e145bb93c2a3a7" ascii
 91 |       $x5 = "y%dfae5272c18837cc46f066e419fcea0b8ac323375052eaca32390e03c1fcaf274c4b6114f065325d30fa5ca33e3a6e75c41269e697e839aafd066fc8494351" ascii
 92 |       $x6 = "68ac631c83a5e388f5ca1583ba69e008bc07df1a4b984563ff9c505cc749bb643d3ed6c449183acfbbfee9556a0e3bb2203f821b66da96d4e9773ddc51adf464" ascii
 93 |       $x7 = "y%9378a9b8b07589883ffe84bcb2381e7071e722f6ef15eee81bceb16e777eba4b2ef1995790b035b4d77440fcc17dbdfd2506c956913573bff4744f7d88e069" ascii
 94 |       $x8 = "af26f4749fb286205a75d83d16900edd3f4d0755b7cfb7490105af75b2e43f2d9a8332ee2188fc07f58d23e285ef8257efcafc2c2337b7fc44abd3984b53bfc4" ascii
 95 |       $x9 = "y%763592b9f367db94fbd9fa3bf6f4344a6e1a136fe98c5a0ae48bf15587a96199134696f85bf7039e7161a43ed8dfd5a22fa60c073d6c4314552bbfe8e3cc30" ascii
 96 |       $x10 = "y%ce04af538efbdc53b666fefac41de4fca182c902d30cc8e8527fe07b25f61f633595d2c68f2a9a63a02cc9dc24fb3046b32c912b72e27c82d90255470d2982" ascii
 97 |       $x11 = "y%5b6837697c5cbf55b11dfb41acfa62e3821b6e7a42c91ef1585338def7c2882a9ee49f10cc8dc44bfecb79bd87abcf2c893e83feb43e38961252fb3717487a" ascii
 98 |       $x12 = "function BC(){yC.h.h.T=function(a,b,c){Zg.SANDBOXED_JS_SEMAPHORE=Zg.SANDBOXED_JS_SEMAPHORE||0;Zg.SANDBOXED_JS_SEMAPHORE++;try{re" ascii
 99 |       $x13 = "y%29f21ca387007544caa2fb11b3c5a5ca58b2f06770480f8ba58b76871845529b18cda67e725471c1c8a5c627247ac40cb765a23a4ecae916e07b32c560c650" ascii
100 |       $x14 = "if(o.type!=\"img\"){l=o.loc||\"head\";c=a.getElementsByTagName(l)[0];if(c){utag.DB(\"Attach to \"+l+\": \"+o.src);if(l==\"script" ascii
101 |       $x15 = "function gi(a,b,c){if(c&&c.action){var d=(c.method||\"\").toLowerCase();if(\"get\"===d){for(var e=c.childNodes||[],f=!1,g=0;g<e." ascii
102 |       $x16 = "y%2101858b7137cdaea75d7553385ed8bffb3851471169a8baeae426b72b899ebfcf567a44d276f802a65df441eec5790b81f4d5a33f9858a1026c660a5eded4" ascii
103 |       $x17 = "y%2343cd30b5809bf4dda27a9ba32772b895a3861c4ebddb2462549a16970cd00c1df4f954fa200842f9e02895259310b0b9a5fdc6b07c27239e784afbd7195d" ascii
104 |       $x18 = "uf:\"user_data_settings\",Aa:\"user_id\",Ta:\"user_properties\",rh:\"us_privacy_string\",ra:\"value\",oe:\"wbraid\",sh:\"wbraid_" ascii
105 |       $x19 = "bbee7f0a9f0b965ac18766e7afd967f40382b1d8e137c5fa5499024c0e0c684d4256c4d0bda3c9f12fb6f70647100a11c41243fcb17268403dea6fe9bcf6923f" ascii
106 |       $x20 = "y%4f52d6bb488a80c1939642cf73af81affd93778aa4e4d666379b80b45cb7c63033941ff3cf5c7329bfc6f2aba6baf25fd0f8d5fab2f00eb6ac9a21f79274e5" ascii
107 |    condition:
108 |       uint16(0) == 0x5a4d and filesize < 13000KB and
109 |       1 of ($x*)
110 | }
111 | 
112 | 


--------------------------------------------------------------------------------
/18364/18364.yar:
--------------------------------------------------------------------------------
 1 | rule case_18364_msi_attacker_email {
 2 |     meta:
 3 |         author      = "The DFIR Report"
 4 |         reference   = "https://thedfirreport.com/2023/09/25/from-screenconnect-to-hive-ransomware-in-61-hours"
 5 |         description = "Detects potential MSI installers (such as Atera's) containing known attacker email addresses"
 6 |     
 7 |     strings:
 8 |         $email      = "edukatingstrong@polkschools.edu.org" nocase
 9 |     
10 |     condition:
11 |         uint32be(0) == 0xD0CF11E0 and uint32be(4) == 0xA1B11AE1 and $email
12 | }
13 | 


--------------------------------------------------------------------------------
/19172/19172.yar:
--------------------------------------------------------------------------------
 1 | import "pe"
 2 | 
 3 | rule case_19172_trigona {
 4 |    meta:
 5 |       description = "19172 - Trigona ransomware"
 6 |       author = "TheDFIRReport"
 7 |       reference = "https://thedfirreport.com/2024/01/29/buzzing-on-christmas-eve-trigona-ransomware-in-3-hours/"
 8 |       date = "2024-01-27"
 9 |       hash1 = "d743daa22fdf4313a10da027b034c603eda255be037cb45b28faea23114d3b8a"
10 |    strings:
11 |       $delphi = "Delphi" fullword ascii
12 |       $run_key = "software\\microsoft\\windows\\currentversion\\run" fullword wide
13 |       $ransom_note = "how_to_decrypt.hta" fullword wide
14 |    condition:
15 |        pe.is_pe and all of them
16 | }
17 | 


--------------------------------------------------------------------------------
/19208/19208.yar:
--------------------------------------------------------------------------------
 1 | rule yara_tor2mine {
 2 |    meta:
 3 |       description = "file java.exe"
 4 |       author = "TheDFIRReport"
 5 |       reference = "https://thedfirreport.com/2023/12/04/sql-brute-force-leads-to-bluesky-ransomware/"
 6 |       date = "2023-12-02"
 7 |       hash1 = "74b6d14e35ff51fe47e169e76b4732b9f157cd7e537a2ca587c58dbdb15c624f"
 8 |    strings:
 9 |       $s1 = "        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>" fullword ascii
10 |       $s2 = "3~\"0\\25" fullword ascii /* hex encoded string '0%' */
11 |       $s3 = "X'BF:\"" fullword ascii
12 |       $s4 = "  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">" fullword ascii
13 |       $s5 = "<BiNHQZG?" fullword ascii
14 |       $s6 = "5%d:8\\" fullword ascii
15 |       $s7 = "tJohdy7" fullword ascii
16 |       $s8 = "0- vuyT]" fullword ascii
17 |       $s9 = "wpeucv" fullword ascii
18 |       $s10 = "kreczd" fullword ascii
19 |       $s11 = "%DeK%o" fullword ascii
20 |       $s12 = "i%eI%xS" fullword ascii
21 |       $s13 = "s -mY'" fullword ascii
22 |       $s14 = "mCVAvi2" fullword ascii
23 |       $s15 = "**[Zu -" fullword ascii
24 |       $s16 = "%TNz%_\"V" fullword ascii
25 |       $s17 = " -reB6" fullword ascii
26 |       $s18 = "OD.vbpyW" fullword ascii
27 |       $s19 = ":I* &b" fullword ascii
28 |       $s20 = "R?%Y%l" fullword ascii
29 |    condition:
30 |       uint16(0) == 0x5a4d and filesize < 5000KB and
31 |       8 of them
32 | }
33 | 
34 | rule yara_bluesky_ransomware {
35 |    meta:
36 |       description = "file vmware.exe"
37 |       author = "TheDFIRReport"
38 |       reference = "https://thedfirreport.com/2023/12/04/sql-brute-force-leads-to-bluesky-ransomware/"
39 |       date = "2023-12-02"
40 |       hash1 = "d4f4069b1c40a5b27ba0bc15c09dceb7035d054a022bb5d558850edfba0b9534"
41 |    strings:
42 |       $s1 = "040<0G0#1+111;1A1I1" fullword ascii
43 |       $s2 = "VWjPSP" fullword ascii
44 |       $s3 = "040J0O0" fullword ascii
45 |       $s4 = "4Y:)m^." fullword ascii
46 |       $s5 = ":6:I:O:}:" fullword ascii
47 |       $s6 = "5.6G6t6" fullword ascii
48 |       $s7 = ";%;N;X;c;r;" fullword ascii
49 |       $s8 = "747h7h8" fullword ascii
50 |       $s9 = "8K8S8m8" fullword ascii
51 |       $s10 = ";#;.;9;D;" fullword ascii
52 |       $s11 = "6%6+6G8M8" fullword ascii
53 |       $s12 = "0\"0&0,02060<0B0F0u0" fullword ascii
54 |       $s13 = "hQSqQh" fullword ascii
55 |       $s14 = "QVhNkO" fullword ascii
56 |       $s15 = "?+?3?G?T?" fullword ascii
57 |       $s16 = ":-;<;k;" fullword ascii
58 |       $s17 = "1%212H2" fullword ascii
59 |       $s18 = "h@pVxh=" fullword ascii
60 |       $s19 = ">Gfm_E1:" fullword ascii
61 |       $s20 = "'1]1e1m1" fullword ascii
62 |    condition:
63 |       uint16(0) == 0x5a4d and filesize < 200KB and
64 |       8 of them
65 | }
66 | 
67 | rule WinRing0x64 {
68 |    meta:
69 |       description = "file WinRing0x64.sys"
70 |       author = "TheDFIRReport"
71 |       reference = "https://thedfirreport.com/2023/12/04/sql-brute-force-leads-to-bluesky-ransomware/"
72 |       date = "2023-12-02"
73 |       hash1 = "11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5"
74 |    strings:
75 |       $s1 = "d:\\hotproject\\winring0\\source\\dll\\sys\\lib\\amd64\\WinRing0.pdb" fullword ascii
76 |       $s2 = "WinRing0.sys" fullword wide
77 |       $s3 = "timestampinfo@globalsign.com0" fullword ascii
78 |       $s4 = "\"GlobalSign Time Stamping Authority1+0)" fullword ascii
79 |       $s5 = "\\DosDevices\\WinRing0_1_2_0" fullword wide
80 |       $s6 = "OpenLibSys.org" fullword wide
81 |       $s7 = ".http://crl.globalsign.net/RootSignPartners.crl0" fullword ascii
82 |       $s8 = "Copyright (C) 2007-2008 OpenLibSys.org. All rights reserved." fullword wide
83 |       $s9 = "1.2.0.5" fullword wide
84 |       $s10 = " Microsoft Code Verification Root0" fullword ascii
85 |       $s11 = "\\Device\\WinRing0_1_2_0" fullword wide
86 |       $s12 = "WinRing0" fullword wide
87 |       $s13 = "hiyohiyo@crystalmark.info0" fullword ascii
88 |       $s14 = "GlobalSign1+0)" fullword ascii
89 |       $s15 = "Noriyuki MIYAZAKI1(0&" fullword ascii
90 |       $s16 = "The modified BSD license" fullword wide
91 |       $s17 = "RootSign Partners CA1" fullword ascii
92 |       $s18 = "\\/.gJ&" fullword ascii
93 |       $s19 = "031216130000Z" fullword ascii
94 |       $s20 = "04012209" ascii
95 |    condition:
96 |       uint16(0) == 0x5a4d and filesize < 40KB and
97 |       8 of them
98 | }
99 | 


--------------------------------------------------------------------------------
/19530/19530.yar:
--------------------------------------------------------------------------------
  1 | /*
  2 |    YARA Rule Set
  3 |    Author: The DFIR Report
  4 |    Date: 2024-02-18
  5 |    Identifier: Case 19530
  6 |    Reference: https://thedfirreport.com/2024/02/26/seo-poisoning-to-domain-control-the-gootloader-saga-continues/
  7 | */
  8 | 
  9 | /* Rule Set ----------------------------------------------------------------- */
 10 | 
 11 | import "pe"
 12 | 
 13 | rule case_19530_implied_employment_agreement {
 14 |    meta:
 15 |       description = "file implied employment agreement 24230.js"
 16 |       author = "The DFIR Report"
 17 |       reference = "https://thedfirreport.com/2024/02/26/seo-poisoning-to-domain-control-the-gootloader-saga-continues/"
 18 |       date = "2024-02-18"
 19 |       hash1 = "f94048917ac75709452040754bb3d1a0aff919f7c2b4b42c5163c7bdb1fbf346"
 20 |    strings:
 21 |       $s1 = "dx = Math.pow(10, Math.round(Math.log(dx) / Math.LN10) - 1);" fullword ascii
 22 |       $s2 = "return -Math.log(-x) / Math.LN10;" fullword ascii
 23 |       $s3 = "return d3.format(\",.\" + Math.max(0, -Math.floor(Math.log(d3_scale_linearTickRange(domain, m)[2]) / Math.LN10 + .01)) + \"f\");" ascii
 24 |       $s4 = "var n = 1 + Math.floor(1e-15 + Math.log(x) / Math.LN10);" fullword ascii
 25 |       $s5 = "for (i = 0, n = q.length; (m = d3_interpolate_number.exec(a)) && i < n; ++i) {" fullword ascii
 26 |       $s6 = "* - Redistributions in binary form must reproduce the above copyright notice," fullword ascii
 27 |       $s7 = "* - Neither the name of the author nor the names of contributors may be used to" fullword ascii
 28 |       $s8 = "thresholds.length = Math.max(0, q - 1);" fullword ascii
 29 |       $s9 = "* Brewer (http://colorbrewer.org/). See lib/colorbrewer for more information." fullword ascii
 30 |       $s10 = "chord.target = function(v) {" fullword ascii
 31 |       $s11 = "diagonal.target = function(x) {" fullword ascii
 32 |       $s12 = "return c.charAt(c.length - 1) === \"%\" ? Math.round(f * 2.55) : f;" fullword ascii
 33 |       $s13 = "return Math.log(x) / Math.LN10;" fullword ascii
 34 |       $s14 = "step = Math.pow(10, Math.floor(Math.log(span / m) / Math.LN10))," fullword ascii
 35 |       $s15 = "var match = d3_format_re.exec(specifier)," fullword ascii
 36 |       $s16 = "m1 = /([a-z]+)\\((.*)\\)/i.exec(format);" fullword ascii
 37 |       $s17 = "for (i = 0; m = d3_interpolate_number.exec(b); ++i) {" fullword ascii
 38 |       $s18 = "* TERMS OF USE - EASING EQUATIONS" fullword ascii
 39 |       $s19 = "var d3_mouse_bug44083 = /WebKit/.test(navigator.userAgent) ? -1 : 0;" fullword ascii
 40 |       $s20 = "* - Redistributions of source code must retain the above copyright notice, this" fullword ascii
 41 |    condition:
 42 |       uint16(0) == 0x6628 and filesize < 400KB and
 43 |       8 of them
 44 | }
 45 | 
 46 | rule case_19530_systembc_s5 {
 47 |    meta:
 48 |       description = "file s5.ps1"
 49 |       author = "The DFIR Report"
 50 |       reference = "https://thedfirreport.com/2024/02/26/seo-poisoning-to-domain-control-the-gootloader-saga-continues/"
 51 |       date = "2024-02-18"
 52 |       hash1 = "49b75f4f00336967f4bd9cbccf49b7f04d466bf19be9a5dec40d0c753189ea16"
 53 |    strings:
 54 |       $x1 = "Set-ItemProperty -Path $path_reg -Name \"socks_powershell\" -Value \"Powershell.exe -windowstyle hidden -ExecutionPolicy Bypass " ascii
 55 |       $x2 = "Set-ItemProperty -Path $path_reg -Name \"socks_powershell\" -Value \"Powershell.exe -windowstyle hidden -ExecutionPolicy Bypass " ascii
 56 |       $s3 = "Remove-ItemProperty -Path \"HKCU:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\" -Name \"socks_powershell\"" fullword ascii
 57 |       $s4 = "$end = [int](Get-Date -uformat \"%s\")" fullword ascii
 58 |       $s5 = "$st = [int](Get-Date -uformat \"%s\")" fullword ascii
 59 |       $s6 = "$path_reg = \"HKCU:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\"" fullword ascii
 60 |       $s7 = "$sArray[0] = New-Object System.Net.Sockets.TcpClient( $ipaddress, $dport)" fullword ascii
 61 |       $s8 = "$sArray[$perem2] = New-Object System.Net.Sockets.TcpClient( $ip, $newport)" fullword ascii
 62 |       $s9 = "[string]$ip = [System.Text.Encoding]::ASCII.GetString($fB)" fullword ascii
 63 |       $s10 = "$ipaddress = '91.92.136.20'" fullword ascii
 64 |       $s11 = "$rc1 = [math]::Floor(($rc -band 0x0000ff00) * [math]::Pow(2,-8))" fullword ascii
 65 |       $s12 = "$o1 = [math]::Floor(($os -band 0x0000ff00) * [math]::Pow(2,-8))" fullword ascii
 66 |       $s13 = "$Time = $end - $st" fullword ascii
 67 |       $s14 = "elseif ($bf0[4 + 3] -eq 0x01 -as[byte])" fullword ascii
 68 |       $s15 = "$buff0[$start + $perem3] = $perem5 -as [byte]" fullword ascii
 69 |       $s16 = "Start-Sleep -s 180" fullword ascii
 70 |       $s17 = "[string]$ip = \"{0}.{1}.{2}.{3}\" -f $a, $b, $c, $ip" fullword ascii
 71 |       $s18 = "For ($i=0; $i -ne $perem9; $i++) { $bf0[$i + $perem0] = $rb[$i + $perem11] }" fullword ascii
 72 |       $s19 = "if ($bf0[2 + 0] -eq 0x00 -as[byte] -and $bf0[2 + 1] -eq 0x00 -as[byte])" fullword ascii
 73 |       $s20 = "if ($bf0[0 + 0] -eq 0x00 -as[byte] -and $bf0[0 + 1] -eq 0x00 -as[byte])" fullword ascii
 74 |    condition:
 75 |       uint16(0) == 0x7824 and filesize < 40KB and
 76 |       1 of ($x*) and 4 of them
 77 | }
 78 | 
 79 | rule case_19530_CS_beacon {
 80 |    meta:
 81 |       description = "file 5d78365.exe"
 82 |       author = "The DFIR Report"
 83 |       reference = "https://thedfirreport.com/2024/02/26/seo-poisoning-to-domain-control-the-gootloader-saga-continues/"
 84 |       date = "2024-02-18"
 85 |       hash1 = "aad75498679aada9ee2179a8824291e3b4781d5683c2fa5b3ec92267ce4a4a33"
 86 |    strings:
 87 |       $s1 = "%c%c%c%c%c%c%c%c%cnetsvc\\%d" fullword ascii
 88 |       $s2 = "WinHttpSvc" fullword ascii
 89 |       $s3 = "+  cl_+" fullword ascii
 90 |       $s4 = "lsxkrb" fullword ascii
 91 |       $s5 = "vDqPSzK6" fullword ascii
 92 |       $s6 = ":b(l%h%" fullword ascii
 93 |       $s7 = "lszkrb" fullword ascii
 94 |       $s8 = "10.0.19041.1266 (WinBuild.160101.0800)" fullword wide
 95 |       $s9 = "sMgJkl?sW" fullword ascii
 96 |       $s10 = "@}0.Fpn" fullword ascii
 97 |       $s11 = "dwPS@%oNB" fullword ascii
 98 |       $s12 = "RRcB(jE" fullword ascii
 99 |       $s13 = "Rwco)pS" fullword ascii
100 |       $s14 = "cxjI6NB" fullword ascii
101 |       $s15 = "rgNg(>P" fullword ascii
102 |       $s16 = "jawXX_3" fullword ascii
103 |       $s17 = "xSsckrb" fullword ascii
104 |       $s18 = "{uaNB,Pe|K" fullword ascii
105 |       $s19 = "DwcR+dS" fullword ascii
106 |       $s20 = "YwcH*gC" fullword ascii
107 |    condition:
108 |       uint16(0) == 0x5a4d and filesize < 800KB and
109 |       ( pe.imphash() == "49145e436aa571021bb1c7b727f8b049" or 8 of them )
110 | }
111 | 
112 | 
113 | 


--------------------------------------------------------------------------------
/19772/19772.yar:
--------------------------------------------------------------------------------
  1 | /*
  2 |    YARA Rule Set
  3 |    Author: TheDFIRReport
  4 |    Date: 2024-01-09
  5 |    Identifier: Case 19772
  6 |    Reference: https://thedfirreport.com/2024/04/01/from-onenote-to-ransomnote-an-ice-cold-intrusion
  7 | */
  8 | 
  9 | /* Rule Set ----------------------------------------------------------------- */
 10 | 
 11 | rule case_19772_csrss_cobalt_strike {
 12 |    meta:
 13 |       description = "19772 - file csrss.exe"
 14 |       author = "TheDFIRReport"
 15 |       reference = "https://thedfirreport.com/2024/04/01/from-onenote-to-ransomnote-an-ice-cold-intrusion"
 16 |       date = "2024-01-09"
 17 |       hash1 = "06bbb36baf63bc5cb14d7f097745955a4854a62fa3acef4d80c61b4fa002c542"
 18 |    strings:
 19 |       $x1 = "Invalid owner %s is already associated with %s=This control requires version 4.70 or greater of COMCTL32.DLL" fullword wide
 20 |       $s2 = "traydemo.exe" fullword ascii
 21 |       $s3 = "333330303030333333" ascii /* hex encoded string '330000333' */
 22 |       $s4 = "323232323233323232323233333333333333" ascii /* hex encoded string '222223222223333333' */
 23 |       $s5 = "333333333333333333333333333333333333333333333333333333333333333333333333" ascii /* hex encoded string '333333333333333333333333333333333333' */
 24 |       $s6 = "Borland C++ - Copyright 2002 Borland Corporation" fullword ascii
 25 |       $s7 = "@Cdiroutl@TCDirectoryOutline@GetChildNamed$qqrrx17System@AnsiStringl" fullword ascii
 26 |       $s8 = "2a1d2V1p1" fullword ascii /* base64 encoded string 'kWvWZu' */
 27 |       $s9 = "Separator\"Unable to find a Table of Contents" fullword wide
 28 |       $s10 = "EInvalidGraphicOperation4" fullword ascii
 29 |       $s11 = ")Failed to read ImageList data from stream(Failed to write ImageList data to stream$Error creating window device context" fullword wide
 30 |       $s12 = "%s: %s error" fullword ascii
 31 |       $s13 = "@TTrayIcon@GetAnimate$qqrv" fullword ascii
 32 |       $s14 = "ImageTypeh" fullword ascii
 33 |       $s15 = "42464:4`4d4 3" fullword ascii /* hex encoded string 'BFDMC' */
 34 |       $s16 = "333333333333333333333333(" fullword ascii /* hex encoded string '333333333333' */
 35 |       $s17 = ")\"\")\"\")#3232" fullword ascii /* hex encoded string '22' */
 36 |       $s18 = "OnGetItem(3B" fullword ascii
 37 |       $s19 = "@Cspin@TCSpinEdit@GetValue$qqrv" fullword ascii
 38 |       $s20 = "@Cspin@TCSpinButton@GetUpGlyph$qqrv" fullword ascii
 39 |    condition:
 40 |       uint16(0) == 0x5a4d and filesize < 3000KB and
 41 |       1 of ($x*) and 4 of them
 42 | }
 43 | 
 44 | rule case_19772_svchost_nokoyawa_ransomware {
 45 |    meta:
 46 |       description = "19772 - file svchost.exe"
 47 |       author = "TheDFIRReport"
 48 |       reference = "https://thedfirreport.com/2024/04/01/from-onenote-to-ransomnote-an-ice-cold-intrusion"
 49 |       date = "2024-01-09"
 50 |       hash1 = "3c9f4145e310f616bd5e36ca177a3f370edc13cf2d54bb87fe99972ecf3f09b4"
 51 |    strings:
 52 |       $s1 = " ;3;!X" fullword ascii /* reversed goodware string 'X!;3; ' */
 53 |       $s2 = "bcdedit" fullword wide
 54 |       $s3 = "geKpgAX3" fullword ascii
 55 |       $s4 = "shutdown" fullword wide /* Goodware String - occured 93 times */
 56 |       $s5 = "k2mm7KvHl51n2LJDYLanAgM48OX97gkV" fullword ascii
 57 |       $s6 = "+TDPbuWCWNmcW0k=" fullword ascii
 58 |       $s7 = "4vEBlUlgJ5oeqmbpb9OSaQrQb8bRWNqP" fullword ascii
 59 |       $s8 = "2aDXUPxh3ZZ1x8tpfg6PxcMuUwWogOgQ" fullword ascii
 60 |       $s9 = "kfeCWydRqz8=" fullword ascii
 61 |       $s10 = "ZfrMxxDy" fullword ascii
 62 |       $s11 = "eLTuGYHd" fullword ascii
 63 |       $s12 = "wWIQZ5jJPZIiuDKxQVh0YO3HnzdOwirY" fullword ascii
 64 |       $s13 = "+IdWS+zG9rUG" fullword ascii
 65 |       $s14 = "0ZdUoZmp" fullword ascii
 66 |       $s15 = "SVWh$l@" fullword ascii
 67 |       $s16 = "Z2mJzxHFaRafgf4k/uTdeMKIMUpV/y81" fullword ascii
 68 |       $s17 = "GtKqGSOfNUOVIoMTk8bGZVchMddKIuTN" fullword ascii
 69 |       $s18 = "INMvjo3GzuQ6MTSJUg==" fullword ascii
 70 |       $s19 = "hilWGBcFwE80e5L9BXxCiRiE" fullword ascii
 71 |       $s20 = "gSMSrcOR" fullword ascii
 72 |    condition:
 73 |       uint16(0) == 0x5a4d and filesize < 70KB and
 74 |       8 of them
 75 | }
 76 | 
 77 | rule case_19772_anydesk_id_tool {
 78 |    meta:
 79 |       description = "19772 - file GET_ID.bat"
 80 |       author = "TheDFIRReport"
 81 |       reference = "https://thedfirreport.com/2024/04/01/from-onenote-to-ransomnote-an-ice-cold-intrusion"
 82 |       date = "2024-01-09"
 83 |       hash1 = "eae2bce6341ff7059b9382bfa0e0daa337ea9948dd729c0c1e1ee9c11c1c0068"
 84 |    strings:
 85 |       $x1 = "for /f \"delims=\" %%i in ('C:\\ProgramData\\Any\\AnyDesk.exe --get-id') do set ID=%%i " fullword ascii
 86 |       $s2 = "echo AnyDesk ID is: %ID%" fullword ascii
 87 |    condition:
 88 |       uint16(0) == 0x6540 and filesize < 1KB and
 89 |       1 of ($x*) and all of them
 90 | }
 91 | 
 92 | rule case_19772_anydesk_installer {
 93 |    meta:
 94 |       description = "19772 - file INSTALL.ps1"
 95 |       author = "TheDFIRReport"
 96 |       reference = "https://thedfirreport.com/2024/04/01/from-onenote-to-ransomnote-an-ice-cold-intrusion"
 97 |       date = "2024-01-09"
 98 |       hash1 = "b378c2aa759625de2ad1be2c4045381d7474b82df7eb47842dc194bb9a134f76"
 99 |    strings:
100 |       $x1 = "    cmd.exe /c echo btc1000qwe123 | C:\\ProgramData\\Any\\AnyDesk.exe --set-password" fullword ascii
101 |       $x2 = "    cmd.exe /c C:\\ProgramData\\AnyDesk.exe --install C:\\ProgramData\\Any --start-with-win --silent" fullword ascii
102 |       $s3 = "    #reg add \"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\Userlist\" /v Inn" ascii
103 |       $s4 = "    #reg add \"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\Userlist\" /v Inn" ascii
104 |       $s5 = "    $url = \"http://download.anydesk.com/AnyDesk.exe\"" fullword ascii
105 |       $s6 = "EG_DWORD /d 0 /f" fullword ascii
106 |       $s7 = "    $file = \"C:\\ProgramData\\AnyDesk.exe\"" fullword ascii
107 |       $s8 = "    $clnt = new-object System.Net.WebClient" fullword ascii
108 |       $s9 = "    #net user AD \"2020\" /add" fullword ascii
109 |       $s10 = "    # Download AnyDesk" fullword ascii
110 |       $s11 = "    mkdir \"C:\\ProgramData\\Any\"" fullword ascii
111 |       $s12 = "    $clnt.DownloadFile($url,$file)" fullword ascii
112 |       $s13 = "    #net localgroup Administrators InnLine /ADD" fullword ascii
113 |    condition:
114 |       uint16(0) == 0x0a0d and filesize < 1KB and
115 |       1 of ($x*) and 4 of them
116 | }
117 | 
118 | 


--------------------------------------------------------------------------------
/21619/21619.yar:
--------------------------------------------------------------------------------
  1 | rule mal_truebot: TESTING MALWARE TA0002 T1027 T1204_002 {
  2 |     meta:
  3 |         id = "2snLTJeZ4eKhhGLfWNM6NV"
  4 |         fingerprint = "03f4fb857eaf63b4ce33611cce6c9f06e57180c122d28305bc7d7d2cb839ef27"
  5 |         version = "1.0"
  6 |         creation_date = "2023-05-25"
  7 |         first_imported = "2023-05-25"
  8 |         last_modified = "2023-05-25"
  9 |         status = "TESTING"
 10 |         sharing = "TLP:WHITE"
 11 |         source = "THEDFIRREPORT.COM"
 12 |         author = "Maxime THIEBAUT (@0xThiebaut)"
 13 |         description = "Detects strings commonly related to TrueBot functionality"
 14 |         category = "MALWARE"
 15 |         malware = "TRUEBOT"
 16 |         mitre_att = "T1204.002"
 17 |         reference = "https://thedfirreport.com/"
 18 |         hash = "717beedcd2431785a0f59d194e47970e9544fbf398d462a305f6ad9a1b1100cb"
 19 | 
 20 |     strings:
 21 |         $c2_params_1        = "n=%s&o=%s&a=%d&u=%s&p=%s&d=%s" fullword
 22 |         $c2_params_2        = "n=%s&l=%s"   fullword
 23 |         $c2_id              = "%08x-%08x"   fullword
 24 |         $c2_status          = "Not Found"   fullword
 25 |         $c2_method          = "POST "       fullword
 26 |         $c2_proto           = "HTTP/1.0"    fullword
 27 |         $c2_header_host     = "Host: "      fullword
 28 |         $c2_header_ct       = "Content-type: application/x-www-form-urlencoded" fullword
 29 |         $other_workgroup    = "WORKGROUP"           fullword
 30 |         $other_unknown      = "UNKW"                fullword
 31 |         $load_perms         = "SeDebugPrivilege"    fullword
 32 |         $load_library       = "user32"              fullword wide
 33 |         $load_import        = "RtlCreateUserThread" fullword
 34 |         $cmd_del            = "/c del" fullword wide
 35 | 
 36 |     condition:
 37 |         13 of them
 38 | }
 39 | 
 40 | rule sus_nsis_tampered_signature: TESTING SUSPICIOUS TA0005 T1027 T1027_005 {
 41 |     meta:
 42 |         id = "7tGWOPTZRLhRAMCf6cQC0"
 43 |         fingerprint = "082b47efe4dbb5ff515f2db759233fc39238bf4982aa0884b809232686c49531"
 44 |         version = "1.0"
 45 |         creation_date = "2023-06-01"
 46 |         first_imported = "2023-06-01"
 47 |         last_modified = "2023-06-01"
 48 |         status = "TESTING"
 49 |         sharing = "TLP:WHITE"
 50 |         source = "THEDFIRREPORT.COM"
 51 |         author = "Maxime THIEBAUT (@0xThiebaut)"
 52 |         description = "Detects a suspected Nullsoft Scriptable Install System (NSIS) executable with a tampered compiler signature"
 53 |         category = "TOOL"
 54 |         tool = "NSIS"
 55 |         mitre_att = "T1027.005"
 56 |         reference = "https://thedfirreport.com/"
 57 |         hash = "121a1f64fff22c4bfcef3f11a23956ed403cdeb9bdb803f9c42763087bd6d94e"
 58 | 
 59 |     strings:
 60 |         $brand_error       = "NSIS Error"                      fullword
 61 |         $brand_description = "Nullsoft Install System"         fullword
 62 |         $brand_name        = "Nullsoft.NSIS"                   fullword 
 63 |         $brand_url         = "http://nsis.sf.net/NSIS_Error"   fullword
 64 |         $code_get_module        = {
 65 |             C1 E6 03            // shl     esi, 3
 66 |             8B BE ?? ?? ?? ??   // mov     edi, Modules[esi]
 67 |             57                  // push    edi             ; lpModuleName
 68 |             FF 15 ?? ?? ?? ??   // call    ds:GetModuleHandleA
 69 |             85 C0               // test    eax, eax
 70 |             75 ??               // jnz     ??
 71 |         }
 72 |         $code_get_proc          = {
 73 |             FF B6 ?? ?? ?? ??   // push    Procedures[esi]
 74 |             50                  // push    eax             ; hModule
 75 |             FF 15 ?? ?? ?? ??   // call    ds:__imp_GetProcAddress
 76 |             EB ??               // jmp     ??
 77 |         }
 78 |         $code_jump_table        = {
 79 |             8B 4D ??                // mov     ecx, [ebp+??]
 80 |             83 C1 ??                // add     ecx, 0FFFFFF??h ; switch ?? cases
 81 |             83 F9 ??                // cmp     ecx, ??h
 82 |             0F 87 ?? ?? 00 00       // ja      ??      ; jumptable ?? default case, cases 65,66
 83 |             FF 24 8D ?? ?? ?? 00    // jmp     ds:??[ecx*4] ; switch jump
 84 |         }
 85 |         $signature_1_00         = {EF BE AD DE 6E 73 69 73 69 6E 73 74 61 6C 6C 00}
 86 |         $signature_1_00_check   = {
 87 |             81 7D ?? EF BE AD DE    // cmp     [ebp+??], 0DEADBEEFh
 88 |             75 ??                   // jnz     short ??
 89 |             81 7D ?? 61 6C 6C 00    // cmp     [ebp+??], 06C6C61h
 90 |             75 ??                   // jnz     short ??
 91 |             81 7D ?? 69 6E 73 74    // cmp     [ebp+var_1C], 74736E69h
 92 |             75 ??                   // jnz     short ??
 93 |             81 7D ?? 6E 73 69 73    // cmp     [ebp+??], 7369736Eh
 94 |             75 ??                   // jnz     ??
 95 |         }
 96 |         $signature_1_1e         = {ED BE AD DE 4E 75 6C 6C 53 6F 66 74 49 6E 73 74}
 97 |         $signature_1_1e_check   = {
 98 |             81 7D ?? ED BE AD DE    // cmp     [ebp+??], 0DEADBEEDh
 99 |             75 ??                   // jnz     short ??
100 |             81 7D ?? 49 6E 73 74    // cmp     [ebp+??], 74736E49h
101 |             75 ??                   // jnz     short ??
102 |             81 7D ?? 53 6F 66 74    // cmp     [ebp+var_1C], 74666F53h
103 |             75 ??                   // jnz     short ??
104 |             81 7D ?? 4E 75 6C 6C    // cmp     [ebp+??], 6C6C754Eh
105 |             75 ??                   // jnz     ??
106 |         }
107 |         $signature_1_30         = {EF BE AD DE 4E 75 6C 6C 53 6F 66 74 49 6E 73 74}
108 |         $signature_1_30_check   = {
109 |             81 7D ?? EF BE AD DE    // cmp     [ebp+??], 0DEADBEEFh
110 |             75 ??                   // jnz     short ??
111 |             81 7D ?? 49 6E 73 74    // cmp     [ebp+??], 74736E49h
112 |             75 ??                   // jnz     short ??
113 |             81 7D ?? 53 6F 66 74    // cmp     [ebp+var_1C], 74666F53h
114 |             75 ??                   // jnz     short ??
115 |             81 7D ?? 4E 75 6C 6C    // cmp     [ebp+??], 6C6C754Eh
116 |             75 ??                   // jnz     ??
117 |         }
118 |         $signature_1_60         = {EF BE AD DE 4E 75 6C 6C 73 6F 66 74 49 6E 73 74}
119 |         $signature_1_60_check   = {
120 |             81 7D ?? EF BE AD DE    // cmp     [ebp+??], 0DEADBEEFh
121 |             75 ??                   // jnz     short ??
122 |             81 7D ?? 49 6E 73 74    // cmp     [ebp+??], 74736E49h
123 |             75 ??                   // jnz     short ??
124 |             81 7D ?? 73 6F 66 74    // cmp     [ebp+var_1C], 74666F73h
125 |             75 ??                   // jnz     short ??
126 |             81 7D ?? 4E 75 6C 6C    // cmp     [ebp+??], 6C6C754Eh
127 |             75 ??                   // jnz     ??
128 |         }
129 | 
130 |     condition:
131 |         uint16(0) == 0x5A4D and (3 of ($brand_*) or 2 of ($code_*)) and none of ($signature_*)
132 | }
133 | 


--------------------------------------------------------------------------------
/23869/23869.yar:
--------------------------------------------------------------------------------
  1 | /*
  2 | YARA Rule Set
  3 | Author: The DFIR Report
  4 | Date: 2024-04-23
  5 | Identifier: Case 23869
  6 | Reference: https://thedfirreport.com/2024/04/29/from-icedid-to-dagon-locker-ransomware-in-29-days/
  7 | */
  8 | 
  9 | /* Rule Set ----------------------------------------------------------------- */
 10 | 
 11 | rule case_23869_sysfunc_cmd {
 12 | 	meta:
 13 | 		creation_date = "2024-03-29"
 14 | 		first_imported = "2024-03-29"
 15 | 		last_modified = "2024-03-29"
 16 | 		status = "TESTING"
 17 | 		sharing = "TLP:WHITE"
 18 | 		source = "THEDFIRREPORT.COM"
 19 | 		author = "TDR"
 20 | 		description = "File generated dynamically from awscollector.ps1"
 21 | 		category = "TOOL"
 22 | 		reference = "https://thedfirreport.com/2024/04/29/from-icedid-to-dagon-locker-ransomware-in-29-days/"
 23 | 		hash = "f3b211c45090f371869c396716972429896e0427da55ce8f1981787c2ea7eb0b"
 24 | 
 25 | 	strings:
 26 | 		$s1 = "@echo off" fullword
 27 | 		$s2 = "DEL \"%~f0\"" fullword
 28 | 		$s3 = "bcedit /set {default] bootstatuspolicy ignorereallifefailures" fullword
 29 | 		$s4 = "bcedit /set {default] recoveryenabled no" fullword
 30 | 		$s5 = "vssadmin delete shadows /all /quiet" fullword
 31 | 		$s6 = "wmic shadowcopy /nointeractive" fullword
 32 | 		$s7 = "wmic shadowcopy delete" fullword
 33 | 
 34 | 	condition:
 35 | 		all of them
 36 | }
 37 | 
 38 | rule case_23869_awscollector_ps1 {
 39 | 	meta:
 40 | 		creation_date = "2024-03-29"
 41 | 		status = "TESTING"
 42 | 		sharing = "TLP:WHITE"
 43 | 		source = "THEDFIRREPORT.COM"
 44 | 		author = "TDR"
 45 | 		description = "awscollector.ps1"
 46 | 		category = "TOOL"
 47 | 		reference = "https://thedfirreport.com/2024/04/29/from-icedid-to-dagon-locker-ransomware-in-29-days/"
 48 | 		hash = "e737831bea7ab9e294bf6b58ca193ba302b8869f5405aa6d3a6492d0334a04a6"
 49 | 
 50 | 	strings:
 51 | 		$author = "darussian@tutanota.com" fullword
 52 | 		$s1 = "Locker" fullword
 53 | 		$s2 = "Find-Remote-Executor" fullword
 54 | 		$s3 = "lockerparams" fullword
 55 | 		$s4 = "locker_cmd_list" fullword
 56 | 		$s5 = "AWSCLIV2" fullword
 57 | 
 58 | 	condition:
 59 | 		$author or ( all of ($s*) )
 60 | }
 61 | 
 62 | rule case_23869_sysfunc_dll {
 63 | 	meta:
 64 | 		creation_date = "2024-03-29"
 65 | 		status = "TESTING"
 66 | 		sharing = "TLP:WHITE"
 67 | 		source = "THEDFIRREPORT.COM"
 68 | 		author = "TDR"
 69 | 		description = "Description"
 70 | 		category = "TOOL"
 71 | 		reference = "https://thedfirreport.com/2024/04/29/from-icedid-to-dagon-locker-ransomware-in-29-days/"
 72 | 		hash = "b3942ead0bf76cf5f4baaa563b603fb6343009c324e3c862d16bbbbdcf482f1a"
 73 | 
 74 | 	strings:
 75 | 		$s1 = "gentlemen" fullword
 76 | 		$s2 = "withdraw fang" fullword
 77 | 		$s3 = "plants; mould, sympathize, elephant; associate" fullword
 78 | 		$s4 = "blessing, defender; fashionable" fullword
 79 | 		$s5 = "withdraw fang" fullword
 80 | 
 81 | 	condition:
 82 | 		all of them
 83 | }
 84 | 
 85 | rule case_23869_document_468 {
 86 | 	meta:
 87 | 		creation_date = "2024-03-30"
 88 | 		status = "TESTING"
 89 | 		sharing = "TLP:WHITE"
 90 | 		source = "THEDFIRREPORT.COM"
 91 | 		author = "TDR"
 92 | 		description = "iceid loader"
 93 | 		category = "MALWARE"
 94 | 		malware = "iceid_loader"
 95 | 		reference = "https://thedfirreport.com/2024/04/29/from-icedid-to-dagon-locker-ransomware-in-29-days/"
 96 | 		hash = "f6e5dbff14ef272ce07743887a16decbee2607f512ff2a9045415c8e0c05dbb4"
 97 | 
 98 | 	strings:
 99 | 		$s1 = "quisquamEtVeniamOccaecati" fullword
100 | 		$s2 = "temporaImpeditQuiPraesentiumEligendiOptio" fullword
101 | 		$s3 = "fugiatSaepeQuiaPorroExplicaboExercitationemMaiores" fullword
102 | 
103 | 	condition:
104 | 		all of them
105 | }
106 | 
107 | 
108 | rule case_23869_anydesk_ps1 {
109 | 	meta:
110 | 		creation_date = "2024-03-30"
111 | 		status = "TESTING"
112 | 		sharing = "TLP:WHITE"
113 | 		source = "THEDFIRREPORT.COM"
114 | 		author = "TDR"
115 | 		description = "anydesk install powershell script"
116 | 		category = "TOOL"
117 | 		malware = "anydesk"
118 | 		reference = "https://thedfirreport.com/2024/04/29/from-icedid-to-dagon-locker-ransomware-in-29-days/"
119 | 		hash = "3064cecf8679d5ba1d981d6990058e1c3fae2846b72fa77acad6ab2b4f582dd7"
120 | 
121 | 	strings:
122 | 		$s1 = "J9kzQ2Y0qO" fullword
123 | 		$s2 = "oldadministrator" fullword
124 | 		$s3 = "qc69t4B#Z0kE3" fullword
125 | 		$s4 = "anydesk.com"
126 | 
127 | 	condition:
128 | 		all of them
129 | }
130 | 


--------------------------------------------------------------------------------
/25590/25590.yar:
--------------------------------------------------------------------------------
 1 | rule Py_Fuscate_Obfuscation {
 2 |     meta:
 3 |         description = "Detects Python scripts which could have been obfuscated through Py-Fuscate"
 4 |         author = "The DFIR Report"
 5 |         date = "2024-07-13"
 6 |         reference = "https://thedfirreport.com/2024/09/30/nitrogen-campaign-drops-sliver-and-ends-with-blackcat-ransomware"
 7 |     strings:
 8 |         $s1 = "import marshal,lzma,gzip,bz2,binascii,zlib;exec(marshal.loads("
 9 |     condition:
10 |         $s1
11 | }
12 | 


--------------------------------------------------------------------------------
/26364/26364.yar:
--------------------------------------------------------------------------------
  1 | /*
  2 |    YARA Rule Set
  3 |    Author: The DFIR Report
  4 |    Date: 2024-08-20
  5 |    Identifier: Case 26364
  6 |    Reference: https://thedfirreport.com
  7 | */
  8 | 
  9 | /* Rule Set ----------------------------------------------------------------- */
 10 | 
 11 | import "pe"
 12 | 
 13 | rule case_26364_cobalt_strike_smb_beacon {
 14 |    meta:
 15 |       description = "Case 26364 - file e225857.exe Cobalt Strike SMB beacon"
 16 |       author = "The DFIR Report"
 17 |       reference = "https://thedfirreport.com/2024/08/26/blacksuit-ransomware/"
 18 |       date = "2024-08-20"
 19 |       hash1 = "f474241a5d082500be84a62f013bc2ac5cde7f18b50bf9bb127e52bf282fffbf"
 20 |    strings:
 21 |       $s1 = "%c%c%c%c%c%c%c%c%cMSSE-%d-server" fullword ascii
 22 |       $s2 = "IplPi\\lHiX" fullword ascii
 23 |       $s3 = "!IToX|\\M\\8\\" fullword ascii
 24 |       $s4 = "lXixf`ix" fullword ascii
 25 |       $s5 = "lXitnXix" fullword ascii
 26 |       $s6 = "MTnHiD$" fullword ascii
 27 |       $s7 = "mXGPnXiP$" fullword ascii
 28 |       $s8 = "DlPi,lHi$" fullword ascii
 29 |       $s9 = "nHilf!" fullword ascii
 30 |       $s10 = "hHit\"Xit" fullword ascii
 31 |       $s11 = "hPitlXi" fullword ascii
 32 |       $s12 = "/I^lXiPnXiP$" fullword ascii
 33 |       $s13 = "MTnHi|$" fullword ascii
 34 |       $s14 = "nXiDf$U)" fullword ascii
 35 |       $s15 = "IUlXi|nXi|$" fullword ascii
 36 |       $s16 = "nHixnhiHn`it" fullword ascii
 37 |       $s17 = "MTnHiH$" fullword ascii
 38 |       $s18 = "lPitlXi|" fullword ascii
 39 |       $s19 = "XeYv ,8?[" fullword ascii
 40 |       $s20 = "lXitf`it" fullword ascii
 41 |    condition:
 42 |       uint16(0) == 0x5a4d and filesize < 800KB and
 43 |       ( pe.imphash() == "bed5688a4a2b5ea6984115b458755e90" or pe.imphash() == "1b2b0fc8f126084d18c48b4f458c798b" or 8 of them )
 44 | }
 45 | 
 46 | 
 47 | rule case_26364_Get_DataInfo {
 48 |    meta:
 49 |       description = "Case 26364 - file Get-DataInfo.ps1"
 50 |       author = "The DFIR Report"
 51 |       reference = "https://thedfirreport.com/2024/08/26/blacksuit-ransomware/"
 52 |       date = "2024-08-20"
 53 |       hash1 = "6f5f3c8aa308819337a2f69d453ab2f6252491aa0ccc94a8364d0c3c10533173"
 54 |    strings:
 55 |       $x1 = "$computername = Get-Content \".\\result\\livePCs.txt\" -ReadCount 0" fullword ascii
 56 |       $x2 = "$computername = Get-Content \".\\result\\livePCs.txt\" -ReadCount 0  " fullword ascii
 57 |       $s3 = "'disk' {Test-LHosts; Get-Diskinfo | Export-Csv -Path .\\result\\Disk.csv -NoTypeInformation; Compress-Result}" fullword ascii
 58 |       $s4 = "'all' {Test-LHosts; Get-Diskinfo | Export-Csv -Path .\\result\\Disk.csv -NoTypeInformation; Get-Software; Compress-Result}" fullword ascii
 59 |       $s5 = "default {Test-LHosts; Get-Diskinfo | Export-Csv -Path .\\result\\Disk.csv -NoTypeInformation; Get-Software; Compress-Result}" fullword ascii
 60 |       $s6 = "'nocompress' {Test-LHosts; Get-Diskinfo | Export-Csv -Path .\\result\\Disk.csv -NoTypeInformation; Get-Software}" fullword ascii
 61 |       $s7 = "}else{Add-Content \"$computer is not reachable\" -path .\\result\\error.txt}" fullword ascii
 62 |       $s8 = "$testcomputers = Get-Content -Path $compsfile -ReadCount 0" fullword ascii
 63 |       $s9 = "'noping' {Get-Diskinfo | Export-Csv -Path .\\result\\Disk.csv -NoTypeInformation; Get-Software; Compress-Result}" fullword ascii
 64 |       $s10 = "Try{Get-WmiObject Win32_LogicalDisk -filter \"DriveType=3\" -computer $computer | Select SystemName,DeviceID,@{Name=\"Size(GB)\"" ascii
 65 |       $s11 = "Add-Content -value $computer -path .\\result\\livePCs.txt" fullword ascii
 66 |       $s12 = "Add-Content -value $computer -path .\\result\\deadPCs.txt" fullword ascii
 67 |       $s13 = "Invoke-Expression \"& '.\\7z.exe' a '$typearchiv' '$destination' '$CompressionLevel' -aoa '$Source'\"" fullword ascii
 68 |       $s14 = "Catch {Add-Content \"$computer is not reachable\" -path .\\result\\error.txt}" fullword ascii
 69 |       $s15 = "write-host -foregroundcolor cyan \"Testing Connection complete\"" fullword ascii
 70 |       $s16 = "Try{Get-WmiObject Win32_LogicalDisk -filter \"DriveType=3\" -computer $computer | Select SystemName,DeviceID,@{Name=\"Size(GB)\"" ascii
 71 |       $s17 = "Write-Progress  \"Testing Connections\" -PercentComplete $testcomputer_progress -Status \"Percent Complete - $testcomputer_progr" ascii
 72 |       $s18 = "Write-Progress  \"Testing Connections\" -PercentComplete $testcomputer_progress -Status \"Percent Complete - $testcomputer_prog" fullword ascii
 73 |       $s19 = "'soft' {Test-LHosts; Get-Software; Compress-Result}" fullword ascii
 74 |       $s20 = "}Catch{Add-Content \"$registry\" -path .\\result\\error.txt}" fullword ascii
 75 |    condition:
 76 |       uint16(0) == 0x5323 and filesize < 20KB and
 77 |       1 of ($x*) and 4 of them
 78 | }
 79 | 
 80 | 
 81 | rule case_26364_socks32_systembc {
 82 |    meta:
 83 |       description = "Case 26364 - file socks32.exe SystemBC executable"
 84 |       author = "The DFIR Report"
 85 |       reference = "https://thedfirreport.com/2024/08/26/blacksuit-ransomware/"
 86 |       date = "2024-08-20"
 87 |       hash1 = "9493b512d7d15510ebee5b300c55b67f9f2ff1dda64bddc99ba8ba5024113300"
 88 |    strings:
 89 |       $x1 = "powershell.exe -windowstyle hidden -Command \"& '%s'\"" fullword ascii
 90 |       $s2 = "User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0" fullword ascii
 91 |       $s3 = "FGET %s HTTP/1.0" fullword ascii
 92 |       $s4 = "HOST1:137.220.61.94" fullword ascii
 93 |       $s5 = "HOST2:137.220.61.94" fullword ascii
 94 |       $s6 = "Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run" fullword ascii
 95 |       $s7 = "randomdata" fullword ascii
 96 |       $s8 = "PORT1:4001" fullword ascii
 97 |       $s9 = "GNPj2ht@@" fullword ascii
 98 |       $s10 = "PSQRWVh" fullword ascii
 99 |       $s11 = "7*80868<8B8H8N8T8Z8`8f8l8r8x8~8" fullword ascii /* Goodware String - occured 2 times */
100 |       $s12 = "9 9&9,92989>9D9J9P9V9\\9b9h9n9" fullword ascii /* Goodware String - occured 3 times */
101 |       $s13 = "Pj2ht@@" fullword ascii
102 |       $s14 = "SQRWVi" fullword ascii
103 |       $s15 = "Wj2ht@@" fullword ascii
104 |       $s16 = "j2ht@@" fullword ascii
105 |       $s17 = "w^_ZY[X" fullword ascii
106 |    condition:
107 |       uint16(0) == 0x5a4d and filesize < 30KB and
108 |       ( pe.imphash() == "d66000edfed0a9938162b2b453ffa516" or ( 1 of ($x*) or 4 of them ) )
109 | }
110 | 
111 | 
112 | rule case_26364_qwe {
113 |    meta:
114 |       description = "Case 26364 - file qwe.exe BlackSuit ransomware binary"
115 |       author = "The DFIR Report"
116 |       reference = "https://thedfirreport.com/2024/08/26/blacksuit-ransomware/"
117 |       date = "2024-08-20"
118 |       hash1 = "60dcbfb30802e7f4c37c9cdfc04ddb411060918d19e5b309a5be6b4a73c8b18a"
119 |    strings:
120 |       $s1 = "<requestedExecutionLevel level = 'asInvoker' uiAccess = 'false' />" fullword ascii
121 |       $s2 = "readme.blacksuit.txt" fullword wide
122 |       $s3 = "---END RSA PUBLIC KEY-----" fullword ascii
123 |       $s4 = "Q0ZkwAQVIbDNhXd1WM0sgajkBlDCqo7/xN1J8tdN5RH7njgltu9TlY2D4/c//70IYfCi4SYUVCSpUiVec6b6crv//bwXa489J9e8iruZ0jfZ+A/+31QXqNm3vGGeExZh" ascii
124 |       $s5 = "ugHzziMZidFzMjw/sBynX5F60q6cE/xQnLXsT03ku6uj9klgIqE58A5+5jxLCLU7NWouX6OIMRsK2jkyOIaeWmT2s5z76PaBebSracTWUedtZ2qz62U7PwqherErP16s" ascii
125 |       $s6 = "FN81uoDozfxgUonhHA6TuD/iVHluiuZhwFt0OnFAhpqSJnLJsSWmce3rUwxpvKO2G8JQpNl63tIn0BTvVyz2OQ0QB4eZsq5WuYOPW0YIE5nCxzzDNRH49KL8BCw5TpIP" ascii
126 |       $s7 = "nYm3jVJI5fY4IOIbbKpVJ0mJdkcyAbaBXekA33COOE3FVSL/k4WkYKsbXVumq7Z2xfHff1Q9KlhA1PaWP6vVPlQvXSKdZYUMcSStOce3RuYh2FBfVo7yWMMp0M6hTTC2" ascii
127 |       $s8 = "-----BEGIN RSA PUBLIC KEY-----MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAre9g2v/YKJF5okac0aAy5iLq0A3bwH4je29tFyrN1mkhp0zafxMuNn" ascii
128 |       $s9 = "-----BEGIN RSA PUBLIC KEY-----MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAre9g2v/YKJF5okac0aAy5iLq0A3bwH4je29tFyrN1mkhp0zafxMuNn" ascii
129 |       $s10 = ".rdata$voltmd" fullword ascii
130 |       $s11 = "D$lfff" fullword ascii /* Goodware String - occured 2 times */
131 |       $s12 = "l$|9D$ " fullword ascii
132 |       $s13 = "2'2-252H2R2X2i2t2z2" fullword ascii
133 |       $s14 = ";*<5<;<R<X<" fullword ascii
134 |       $s15 = "021G1S3{3" fullword ascii
135 |       $s16 = "92:U:p:" fullword ascii
136 |       $s17 = "hCW,tf" fullword ascii
137 |       $s18 = "727C7q7" fullword ascii
138 |       $s19 = "=1]1|1" fullword ascii
139 |       $s20 = "2(252:2" fullword ascii
140 |    condition:
141 |       uint16(0) == 0x5a4d and filesize < 200KB and
142 |       ( pe.imphash() == "ecc488e51fbb2e01a7aac2b35d5f10bd" or 8 of them )
143 | }
144 | 
145 | 


--------------------------------------------------------------------------------
/27244/27244.yar:
--------------------------------------------------------------------------------
 1 | /*
 2 |    YARA Rule Set
 3 |    Author: The DFIR Report
 4 |    Date: 2025-02-20
 5 |    Identifier: Case 27244
 6 |    Reference: https://thedfirreport.com/2025/02/24/confluence-exploit-leads-to-lockbit-ransomware/
 7 | */
 8 | 
 9 | /* Rule Set ----------------------------------------------------------------- */
10 | 
11 | rule sig_27244_metasploit_hta_stager {
12 |    meta:
13 |       description = "file UsySLX1n.hta"
14 |       author = "The DFIR Report"
15 |       reference = "https://thedfirreport.com/2025/02/24/confluence-exploit-leads-to-lockbit-ransomware/"
16 |       date = "2025-02-20"
17 |       hash1 = "192325984bfec886dda91f8b3f02e5d5b4e9ff9f5a28753fb578593b24893ffc"
18 |    strings:
19 |       $s1 = "CreateObject(\"Wscript.Shell\")" ascii
20 |       $s2 = "ExpandEnvironmentStrings(\"%PSModulePath%\")" ascii
21 |       $s3 = "(path + \"\\..\\powershell.exe\")" ascii
22 |       $s4 = "powershell.exe -nop -w hidden -e" ascii
23 |       $s5 = "<script language=\"VBScript\">" ascii
24 |       $s6 = "aQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA0ACkA" ascii /* base64 encoded string 'if([IntPtr]::Size -eq 4)' */
25 |    condition:
26 |       uint16(0) == 0x733c and filesize < 20KB and
27 |       all of them
28 | }
29 | 


--------------------------------------------------------------------------------
/27899/27899.yar:
--------------------------------------------------------------------------------
 1 | rule VeeamHax
 2 | {
 3 |     meta:
 4 |         description = "exe - file VeeamHax.exe"
 5 | 		author = "The DFIR Report, _pete_0"
 6 | 		reference = "https://thedfirreport.com/2024/12/02/the-curious-case-of-an-egg-cellent-resume/"
 7 |                 reference = "https://github.com/sfewer-r7/CVE-2023-27532"
 8 | 		date = "2024-11-15"
 9 | 		hash1 = "AAA6041912A6BA3CF167ECDB90A434A62FEAF08639C59705847706B9F492015D"
10 |         
11 |     strings:
12 |         $String_1 = "CVE-2023-27532" ascii wide nocase
13 |         $String_2 = "VeeamHax" ascii wide nocase
14 |         $String_3 = "Veeam Backup Server Certificate" ascii wide nocase
15 |         $String_4 = "EXEC sp_configure" ascii wide nocase
16 |         $String_5 = "xp_cmdshell" ascii wide nocase
17 |         $String_6 = "Veeam.Backup.Interaction.MountService" ascii wide nocase
18 | 
19 |     condition:
20 | 		uint16(0) == 0x5a4d and filesize < 100KB and
21 |         all of ($String_*)
22 | }
23 | 


--------------------------------------------------------------------------------
/3521/3521.yar:
--------------------------------------------------------------------------------
 1 | /*
 2 | YARA Rule Set
 3 | Author: The DFIR Report
 4 | Date: 2021-04-27
 5 | Identifier: Case 3521 Trickbot Brief: Creds and Beacons
 6 | Reference: https://thedfirreport.com/2021/05/02/trickbot-brief-creds-and-beacons/
 7 | */
 8 | 
 9 | /* Rule Set ----------------------------------------------------------------- */
10 | 
11 | import "pe"
12 | 
13 | rule click_php {
14 | meta:
15 | description = "files - file click.php.dll"
16 | author = "The DFIR Report"
17 | reference = "https://thedfirreport.com"
18 | date = "2021-04-27"
19 | hash1 = "0ae86e5abbc09e96f8c1155556ca6598c22aebd73acbba8d59f2ce702d3115f8"
20 | strings:
21 | $s1 = "f_+ (Q" fullword wide
22 | $s2 = "'/l~;2m" fullword wide
23 | $s3 = "y'L])[" fullword wide
24 | $s4 = "1!1I1m1s1" fullword ascii
25 | $s5 = "&+B\"wm" fullword wide
26 | $s6 = ">jWR=C" fullword wide
27 | $s7 = "W!\\R.S" fullword wide
28 | $s8 = "r-`4?b6" fullword wide
29 | $s9 = "]Iip!x" fullword wide
30 | $s10 = "!k{l`<" fullword wide
31 | $s11 = "D~C:RA" fullword wide
32 | $s12 = "]{T~as" fullword wide
33 | $s13 = "7%8+8^8" fullword ascii
34 | $s14 = "f]-hKa" fullword wide
35 | $s15 = "StartW" fullword ascii /* Goodware String - occured 5 times */
36 | condition:
37 | uint16(0) == 0x5a4d and filesize < 1000KB and
38 | ( pe.imphash() == "8948fb754b7c37bc4119606e044f204c" and pe.exports("StartW") or 10 of them )
39 | }
40 | 


--------------------------------------------------------------------------------
/3580/3580.yar:
--------------------------------------------------------------------------------
 1 | /*
 2 | YARA Rule Set
 3 | Author: The DFIR Report
 4 | Date: 2021-06-03
 5 | Identifier: Case 3580 WebLogic RCE Leads to XMRig
 6 | Reference: https://thedfirreport.com/2021/06/03/weblogic-rce-leads-to-xmrig/
 7 | */
 8 | 
 9 | /* Rule Set ----------------------------------------------------------------- */
10 | 
11 | import "pe"
12 | 
13 | rule sysrv013 {
14 | meta:
15 | description = "files - file sysrv013.exe"
16 | author = "The DFIR Report"
17 | reference = "https://thedfirreport.com"
18 | date = "2021-06-03"
19 | hash1 = "80bc76202b75201c740793ea9cd33b31cc262ef01738b053e335ee5d07a5ba96"
20 | strings:
21 | $s1 = "eDumped" fullword ascii
22 | $s2 = "OGhZVFNVRms6" fullword ascii /* base64 encoded string '8hYTSUFk:' */
23 | $s3 = "sdumpsebslemW^" fullword ascii
24 | $s4 = ":ERNEL32.DLLODe?" fullword ascii
25 | $s5 = "pircsek" fullword ascii
26 | $s6 = "IDE5NC4xNDUu" fullword ascii /* base64 encoded string ' 194.145.' */
27 | $s7 = "333444" ascii /* reversed goodware string '444333' */
28 | $s8 = "aHx8d2dldCAtLXVzZXItYW" fullword ascii /* base64 encoded string 'h||wget --user-a' */
29 | $s9 = "h -c {%" fullword ascii
30 | $s10 = "?$?)?2?9?{" fullword ascii /* hex encoded string ')' */
31 | $s11 = ";5A;6D2!D" fullword ascii /* hex encoded string 'Zm-' */
32 | $s12 = "3GRAt\\5" fullword ascii
33 | $s13 = "Gorget{" fullword ascii
34 | $s14 = "7!7&7,727" fullword ascii /* hex encoded string 'ww'' */
35 | $s15 = "* {5C;" fullword ascii
36 | $s16 = "fsftp_fC" fullword ascii
37 | $s17 = "POSTulL" fullword ascii
38 | $s18 = "gogetv/" fullword ascii
39 | $s19 = "\\x86+.pdb" fullword ascii
40 | $s20 = "_DIRCWD?" fullword ascii
41 | condition:
42 | uint16(0) == 0x5a4d and filesize < 10000KB and
43 | ( pe.imphash() == "406f4cbdf82bde91761650ca44a3831a" or 8 of them )
44 | }
45 | 


--------------------------------------------------------------------------------
/3584/3584.yar:
--------------------------------------------------------------------------------
  1 | /*
  2 | YARA Rule Set
  3 | Author: The DFIR Report
  4 | Date: 2021-05-09
  5 | Identifier: Case 3584 Conti Ransomware
  6 | Reference: https://thedfirreport.com/2021/05/12/conti-ransomware/
  7 | */
  8 | 
  9 | /* Rule Set ----------------------------------------------------------------- */
 10 | 
 11 | import "pe"
 12 | 
 13 | rule icedid_rate_x32 {
 14 | meta:
 15 | description = "files - file rate_x32.dat"
 16 | author = "The DFIR Report"
 17 | reference = "https://thedfirreport.com"
 18 | date = "2021-05-09"
 19 | hash1 = "eb79168391e64160883b1b3839ed4045b4fd40da14d6eec5a93cfa9365503586"
 20 | strings:
 21 | $s1 = "UAWAVAUATVWSH" fullword ascii
 22 | $s2 = "UAWAVVWSPH" fullword ascii
 23 | $s3 = "AWAVAUATVWUSH" fullword ascii
 24 | $s4 = "update" fullword ascii /* Goodware String - occured 207 times */
 25 | $s5 = "?klopW@@YAHXZ" fullword ascii
 26 | $s6 = "?jutre@@YAHXZ" fullword ascii
 27 | $s7 = "PluginInit" fullword ascii
 28 | $s8 = "[]_^A\\A]A^A_" fullword ascii
 29 | $s9 = "e8[_^A\\A]A^A_]" fullword ascii
 30 | $s10 = "[_^A\\A]A^A_]" fullword ascii
 31 | $s11 = "Kts=R,4iu" fullword ascii
 32 | $s12 = "mqr55c" fullword ascii
 33 | $s13 = "R,4i=Bj" fullword ascii
 34 | $s14 = "Ktw=R,4iu" fullword ascii
 35 | $s15 = "Ktu=R,4iu" fullword ascii
 36 | $s16 = "Kt{=R,4iu" fullword ascii
 37 | $s17 = "KVL.Mp" fullword ascii
 38 | $s18 = "Kt|=R,4iu" fullword ascii
 39 | $s19 = "=8c[Vt8=" fullword ascii
 40 | $s20 = "Ktx=R,4iu" fullword ascii
 41 | condition:
 42 | uint16(0) == 0x5a4d and filesize < 700KB and
 43 | ( pe.imphash() == "15787e97e92f1f138de37f6f972eb43c" and ( pe.exports("?jutre@@YAHXZ") and pe.exports("?klopW@@YAHXZ") and pe.exports("PluginInit") and pe.exports("update") ) or 8 of them )
 44 | }
 45 | 
 46 | rule conti_cobaltstrike_192145 {
 47 | meta:
 48 | description = "files - file 192145.dll"
 49 | author = "The DFIR Report"
 50 | reference = "https://thedfirreport.com"
 51 | date = "2021-05-09"
 52 | hash1 = "29bc338e63a62c24c301c04961084013816733dad446a29c20d4413c5c818af9"
 53 | strings:
 54 | $x1 = "cmd.exe /c echo NGAtoDgLpvgJwPLEPFdj>\"%s\"&exit" fullword ascii
 55 | $s2 = "veniamatquiest90.dll" fullword ascii
 56 | $s3 = "Quaerat magni assumenda nihil architecto labore ullam autem unde temporibus mollitia illum" fullword ascii
 57 | $s4 = "Quaerat tempora culpa provident" fullword ascii
 58 | $s5 = "Velit consequuntur quisquam tempora error" fullword ascii
 59 | $s6 = "Quo omnis repellat ut expedita temporibus eius fuga error" fullword ascii
 60 | $s7 = "Dolores ullam tempora error distinctio ut natus facere quibusdam" fullword ascii
 61 | $s8 = "Corporis minima omnis qui est temporibus sint quo error magnam" fullword ascii
 62 | $s9 = "Officia sit maiores deserunt nobis tempora deleniti aut et quidem fugit" fullword ascii
 63 | $s10 = "Rerum tenetur sapiente est tempora qui deserunt" fullword ascii
 64 | $s11 = "Sed nulla quaerat porro error excepturi" fullword ascii
 65 | $s12 = "Aut tempore quo cumque dicta ut quia in" fullword ascii
 66 | $s13 = "Doloribus commodi repudiandae voluptates consequuntur neque tempora ut neque nemo ad ut" fullword ascii
 67 | $s14 = "Tempore possimus aperiam nam mollitia illum hic at ut doloremque" fullword ascii
 68 | $s15 = "Dolorum eum ipsum tempora non et" fullword ascii
 69 | $s16 = "Quas alias illum laborum tempora sit est rerum temporibus dicta et" fullword ascii
 70 | $s17 = "Et quia aut temporibus enim repellat dolores totam recusandae repudiandae" fullword ascii
 71 | $s18 = "Sed velit ipsa et dolor tempore sunt nostrum" fullword ascii
 72 | $s19 = "Veniam voluptatem aliquam et eaque tempore tenetur possimus" fullword ascii
 73 | $s20 = "Possimus suscipit placeat dolor quia tempora voluptas qui fugiat et accusantium" fullword ascii
 74 | condition:
 75 | uint16(0) == 0x5a4d and filesize < 2000KB and
 76 | ( pe.imphash() == "5cf3cdfe8585c01d2673249153057181" and pe.exports("StartW") or ( 1 of ($x*) or 4 of them ) )
 77 | }
 78 | 
 79 | rule conti_cobaltstrike_icju1 {
 80 | meta:
 81 | description = "files - file icju1.exe"
 82 | author = "The DFIR Report"
 83 | reference = "https://thedfirreport.com"
 84 | date = "2021-05-09"
 85 | hash1 = "e54f38d06a4f11e1b92bb7454e70c949d3e1a4db83894db1ab76e9d64146ee06"
 86 | strings:
 87 | $x1 = "cmd.exe /c echo NGAtoDgLpvgJwPLEPFdj>\"%s\"&exit" fullword ascii
 88 | $s2 = "veniamatquiest90.dll" fullword ascii
 89 | $s3 = "Quaerat magni assumenda nihil architecto labore ullam autem unde temporibus mollitia illum" fullword ascii
 90 | $s4 = "Quaerat tempora culpa provident" fullword ascii
 91 | $s5 = "Velit consequuntur quisquam tempora error" fullword ascii
 92 | $s6 = "Quo omnis repellat ut expedita temporibus eius fuga error" fullword ascii
 93 | $s7 = "Dolores ullam tempora error distinctio ut natus facere quibusdam" fullword ascii
 94 | $s8 = "Corporis minima omnis qui est temporibus sint quo error magnam" fullword ascii
 95 | $s9 = "Officia sit maiores deserunt nobis tempora deleniti aut et quidem fugit" fullword ascii
 96 | $s10 = "Rerum tenetur sapiente est tempora qui deserunt" fullword ascii
 97 | $s11 = "Sed nulla quaerat porro error excepturi" fullword ascii
 98 | $s12 = "Aut tempore quo cumque dicta ut quia in" fullword ascii
 99 | $s13 = "Doloribus commodi repudiandae voluptates consequuntur neque tempora ut neque nemo ad ut" fullword ascii
100 | $s14 = "Tempore possimus aperiam nam mollitia illum hic at ut doloremque" fullword ascii
101 | $s15 = "Dolorum eum ipsum tempora non et" fullword ascii
102 | $s16 = "Quas alias illum laborum tempora sit est rerum temporibus dicta et" fullword ascii
103 | $s17 = "Et quia aut temporibus enim repellat dolores totam recusandae repudiandae" fullword ascii
104 | $s18 = "Sed velit ipsa et dolor tempore sunt nostrum" fullword ascii
105 | $s19 = "Veniam voluptatem aliquam et eaque tempore tenetur possimus" fullword ascii
106 | $s20 = "Possimus suscipit placeat dolor quia tempora voluptas qui fugiat et accusantium" fullword ascii
107 | condition:
108 | uint16(0) == 0x5a4d and filesize < 2000KB and
109 | ( pe.imphash() == "a6d9b7f182ef1cfe180f692d89ecc759" or ( 1 of ($x*) or 4 of them ) )
110 | }
111 | 
112 | rule conti_v3 {
113 | 
114 | meta:
115 | description = "conti_yara - file conti_v3.dll" 
116 | author = "pigerlin" 
117 | reference = "https://thedfirreport.com" 
118 | date = "2021-05-09" 
119 | hash1 = "8391dc3e087a5cecba74a638d50b771915831340ae3e027f0bb8217ad7ba4682"
120 | 
121 | strings: 
122 | $s1 = "AppPolicyGetProcessTerminationMethod" fullword ascii 
123 | $s2 = "conti_v3.dll" fullword ascii 
124 | $s3 = " <requestedExecutionLevel level='asInvoker' uiAccess='false' />" fullword ascii 
125 | $s4 = " Type Descriptor'" fullword ascii 
126 | $s5 = "operator co_await" fullword ascii 
127 | $s6 = " <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">" fullword ascii 
128 | $s7 = "api-ms-win-appmodel-runtime-l1-1-2" fullword wide 
129 | $s8 = " Base Class Descriptor at (" fullword ascii 
130 | $s9 = " Class Hierarchy Descriptor'" fullword ascii 
131 | $s10 = " Complete Object Locator'" fullword ascii 
132 | $s11 = " delete[]" fullword ascii 
133 | $s12 = " </trustInfo>" fullword ascii 
134 | $s13 = "__swift_1" fullword ascii 
135 | $s15 = "__swift_2" fullword ascii 
136 | $s19 = " delete" fullword ascii
137 | 
138 | condition:
139 | uint16(0) == 0x5a4d and filesize < 700KB and
140 | all of them
141 | 
142 | }
143 | 
144 | 
145 | rule conti_cobaltstrike_192145_icju1_0 {
146 | meta:
147 | description = "files - from files 192145.dll, icju1.exe"
148 | author = "The DFIR Report"
149 | reference = "https://thedfirreport.com"
150 | date = "2021-05-09"
151 | hash1 = "29bc338e63a62c24c301c04961084013816733dad446a29c20d4413c5c818af9"
152 | hash2 = "e54f38d06a4f11e1b92bb7454e70c949d3e1a4db83894db1ab76e9d64146ee06"
153 | strings:
154 | $x1 = "cmd.exe /c echo NGAtoDgLpvgJwPLEPFdj>\"%s\"&exit" fullword ascii
155 | $s2 = "veniamatquiest90.dll" fullword ascii
156 | $s3 = "Quaerat magni assumenda nihil architecto labore ullam autem unde temporibus mollitia illum" fullword ascii
157 | $s4 = "Quaerat tempora culpa provident" fullword ascii
158 | $s5 = "Dolores ullam tempora error distinctio ut natus facere quibusdam" fullword ascii
159 | $s6 = "Velit consequuntur quisquam tempora error" fullword ascii
160 | $s7 = "Corporis minima omnis qui est temporibus sint quo error magnam" fullword ascii
161 | $s8 = "Quo omnis repellat ut expedita temporibus eius fuga error" fullword ascii
162 | $s9 = "Officia sit maiores deserunt nobis tempora deleniti aut et quidem fugit" fullword ascii
163 | $s10 = "Rerum tenetur sapiente est tempora qui deserunt" fullword ascii
164 | $s11 = "Sed nulla quaerat porro error excepturi" fullword ascii
165 | $s12 = "Aut tempore quo cumque dicta ut quia in" fullword ascii
166 | $s13 = "Doloribus commodi repudiandae voluptates consequuntur neque tempora ut neque nemo ad ut" fullword ascii
167 | $s14 = "Tempore possimus aperiam nam mollitia illum hic at ut doloremque" fullword ascii
168 | $s15 = "Et quia aut temporibus enim repellat dolores totam recusandae repudiandae" fullword ascii
169 | $s16 = "Dolorum eum ipsum tempora non et" fullword ascii
170 | $s17 = "Quas alias illum laborum tempora sit est rerum temporibus dicta et" fullword ascii
171 | $s18 = "Sed velit ipsa et dolor tempore sunt nostrum" fullword ascii
172 | $s19 = "Veniam voluptatem aliquam et eaque tempore tenetur possimus" fullword ascii
173 | $s20 = "Possimus suscipit placeat dolor quia tempora voluptas qui fugiat et accusantium" fullword ascii
174 | condition:
175 | ( uint16(0) == 0x5a4d and filesize < 2000KB and ( 1 of ($x*) and 4 of them )
176 | ) or ( all of them )
177 | }
178 | 


--------------------------------------------------------------------------------
/3930/3930.yar:
--------------------------------------------------------------------------------
  1 | /*
  2 | YARA Rule Set
  3 | Author: The DFIR Report
  4 | Date: 2021-06-09
  5 | Identifier: Case 3930 From Word to Lateral Movement in 1 Hour
  6 | Reference: https://thedfirreport.com/2021/06/20/from-word-to-lateral-movement-in-1-hour/
  7 | */
  8 | 
  9 | /* Rule Set ----------------------------------------------------------------- */
 10 | 
 11 | import "pe"
 12 | 
 13 | rule icedid_upefkuin4_3930 {
 14 | meta:
 15 | description = "3930 - file upefkuin4.dll"
 16 | author = "The DFIR Report"
 17 | reference = "https://thedfirreport.com"
 18 | date = "2021-06-09"
 19 | hash1 = "666570229dd5af87fede86b9191fb1e8352d276a8a32c42e4bf4128a4f7e8138"
 20 | strings:
 21 | $s1 = "UAWAVAUATVWSH" fullword ascii
 22 | $s2 = "AWAVAUATVWUSH" fullword ascii
 23 | $s3 = "AWAVATVWUSH" fullword ascii
 24 | $s4 = "update" fullword ascii /* Goodware String - occured 207 times */
 25 | $s5 = "?ortpw@@YAHXZ" fullword ascii
 26 | $s6 = "?sortyW@@YAHXZ" fullword ascii
 27 | $s7 = "?sorty@@YAHXZ" fullword ascii
 28 | $s8 = "?keptyu@@YAHXZ" fullword ascii
 29 | $s9 = "*=UUUUr#L" fullword ascii
 30 | $s10 = "*=UUUUr!" fullword ascii
 31 | $s11 = "PluginInit" fullword ascii
 32 | $s12 = "*=UUUUr\"" fullword ascii
 33 | $s13 = "AVVWSH" fullword ascii
 34 | $s14 = "D$4iL$ " fullword ascii
 35 | $s15 = "X[]_^A\\A]A^A_" fullword ascii
 36 | $s16 = "D$4iT$ " fullword ascii
 37 | $s17 = "H[]_^A\\A]A^A_" fullword ascii
 38 | $s18 = "L94iL$ " fullword ascii
 39 | $s19 = "D$ iD$ " fullword ascii
 40 | $s20 = "*=UUUUr " fullword ascii
 41 | condition:
 42 | uint16(0) == 0x5a4d and filesize < 700KB and
 43 | ( pe.imphash() == "87bed5a7cba00c7e1f4015f1bdae2183" and ( pe.exports("?keptyu@@YAHXZ") and pe.exports("?ortpw@@YAHXZ") and pe.exports("?sorty@@YAHXZ") and pe.exports("?sortyW@@YAHXZ") and pe.exports("PluginInit") and pe.exports("update") ) or 8 of them )
 44 | }
 45 | 
 46 | rule icedid_license_3930 {
 47 | meta:
 48 | description = "3930 - file license.dat"
 49 | author = "The DFIR Report"
 50 | reference = "https://thedfirreport.com"
 51 | date = "2021-06-09"
 52 | hash1 = "29d2a8344bd725d7a8b43cc77a82b3db57a5226ce792ac4b37e7f73ec468510e"
 53 | strings:
 54 | $s1 = "iEQc- A1h" fullword ascii
 55 | $s2 = "%n%DLj" fullword ascii
 56 | $s3 = "n{Y@.hnPP#5\"~" fullword ascii
 57 | $s4 = "(5N&#jUBE\"0" fullword ascii
 58 | $s5 = "~JCyP+Av" fullword ascii
 59 | $s6 = "iLVIy\\" fullword ascii
 60 | $s7 = "RemwDVL" fullword ascii
 61 | $s8 = "EQiH^,>A" fullword ascii
 62 | $s9 = "#wmski;H" fullword ascii
 63 | $s10 = "aHVAh}X" fullword ascii
 64 | $s11 = "GEKK/no" fullword ascii
 65 | $s12 = "focbZjQ" fullword ascii
 66 | $s13 = "wHsJJX>e" fullword ascii
 67 | $s14 = "cYRS:F#" fullword ascii
 68 | $s15 = "EfNO\"h{" fullword ascii
 69 | $s16 = "akCevJ]" fullword ascii
 70 | $s17 = "8IMwwm}!" fullword ascii
 71 | $s18 = "NrzMP?<>" fullword ascii
 72 | $s19 = ".ZNrzLrU" fullword ascii
 73 | $s20 = "sJlCJP[" fullword ascii
 74 | condition:
 75 | uint16(0) == 0x02ee and filesize < 1000KB and
 76 | 8 of them
 77 | }
 78 | 
 79 | rule icedid_win_01 {
 80 | 
 81 | meta:
 82 | 
 83 | description = "Detects Icedid" 
 84 | author = "The DFIR Report" 
 85 | date = "15/05/2021" 
 86 | description = "Detects Icedid functionality. incl. credential access, OS cmds." 
 87 | sha1 = "3F06392AF1687BD0BF9DB2B8B73076CAB8B1CBBA" 
 88 | score = 100
 89 | 
 90 | strings: 
 91 | $s1 = "DllRegisterServer" wide ascii fullword 
 92 | $x1 = "passff.tar" wide ascii fullword 
 93 | $x2 = "vaultcli.dll" wide ascii fullword 
 94 | $x3 = "cookie.tar" wide ascii fullword 
 95 | $y1 = "powershell.exe" wide ascii fullword 
 96 | $y2 = "cmd.exe" wide ascii fullword
 97 | 
 98 | condition:
 99 | 
100 | ( uint16(0) == 0x5a4d and int32(uint32(0x3c)) == 0x00004550 and filesize < 500KB and $s1 and ( 2 of ($x*) and 2 of ($y*))) 
101 | }
102 | 
103 | 
104 | rule fake_gzip_bokbot_202104 {
105 | 
106 | meta:
107 | 
108 | author = "Thomas Barabosch, Telekom Security" 
109 | date = "2021-04-20" 
110 | description = "fake gzip provided by CC"
111 | 
112 | strings:
113 | 
114 | $gzip = {1f 8b 08 08 00 00 00 00 00 00 75 70 64 61 74 65}
115 | 
116 | condition:
117 | 
118 | $gzip at 0
119 | 
120 | }
121 | 
122 | rule win_iceid_gzip_ldr_202104 {
123 | 
124 | meta:
125 | 
126 | author = "Thomas Barabosch, Telekom Security" 
127 | date = "2021-04-12" 
128 | description = "2021 initial Bokbot / Icedid loader for fake GZIP payloads"
129 | 
130 | strings:
131 | 
132 | $internal_name = "loader_dll_64.dll" fullword
133 | 
134 | $string0 = "_gat=" wide 
135 | $string1 = "_ga=" wide 
136 | $string2 = "_gid=" wide 
137 | $string3 = "_u=" wide 
138 | $string4 = "_io=" wide 
139 | $string5 = "GetAdaptersInfo" fullword 
140 | $string6 = "WINHTTP.dll" fullword 
141 | $string7 = "DllRegisterServer" fullword 
142 | $string8 = "PluginInit" fullword 
143 | $string9 = "POST" wide fullword 
144 | $string10 = "aws.amazon.com" wide fullword
145 | 
146 | condition:
147 | 
148 | uint16(0) == 0x5a4d and 
149 | filesize < 5000KB and 
150 | ( $internal_name or all of ($s*) ) 
151 | or all of them
152 | 
153 | }
154 | 
155 | rule win_iceid_core_ldr_202104 {
156 | 
157 | meta:
158 | 
159 | author = "Thomas Barabosch, Telekom Security" 
160 | date = "2021-04-13" 
161 | description = "2021 loader for Bokbot / Icedid core (license.dat)"
162 | 
163 | strings: 
164 | $internal_name = "sadl_64.dll" fullword 
165 | $string0 = "GetCommandLineA" fullword 
166 | $string1 = "LoadLibraryA" fullword 
167 | $string2 = "ProgramData" fullword 
168 | $string3 = "SHLWAPI.dll" fullword 
169 | $string4 = "SHGetFolderPathA" fullword 
170 | $string5 = "DllRegisterServer" fullword 
171 | $string6 = "update" fullword 
172 | $string7 = "SHELL32.dll" fullword 
173 | $string8 = "CreateThread" fullword
174 | 
175 | condition:
176 | 
177 | uint16(0) == 0x5a4d and 
178 | filesize < 5000KB and 
179 | ( $internal_name or all of ($s*) ) 
180 | or all of them
181 | 
182 | }
183 | 
184 | rule win_iceid_core_202104 {
185 | 
186 | meta: 
187 | author = "Thomas Barabosch, Telekom Security" 
188 | date = "2021-04-12" 
189 | description = "2021 Bokbot / Icedid core"
190 | 
191 | strings:
192 | 
193 | $internal_name = "fixed_loader64.dll" fullword
194 | 
195 | $string0 = "mail_vault" wide fullword 
196 | $string1 = "ie_reg" wide fullword 
197 | $string2 = "outlook" wide fullword 
198 | $string3 = "user_num" wide fullword 
199 | $string4 = "cred" wide fullword 
200 | $string5 = "Authorization: Basic" fullword 
201 | $string6 = "VaultOpenVault" fullword 
202 | $string7 = "sqlite3_free" fullword 
203 | $string8 = "cookie.tar" fullword 
204 | $string9 = "DllRegisterServer" fullword 
205 | $string10 = "PT0S" wide
206 | 
207 | condition:
208 | 
209 | uint16(0) == 0x5a4d and 
210 | filesize < 5000KB and 
211 | ( $internal_name or all of ($s*) ) 
212 | or all of them
213 | 
214 | }
215 | 


--------------------------------------------------------------------------------
/4301/4301.yar:
--------------------------------------------------------------------------------
 1 | /*
 2 | YARA Rule Set
 3 | Author: The DFIR Report
 4 | Date: 2021-06-27
 5 | Identifier: Case 4301 Hancitor Continues to Push Cobalt Strike
 6 | Reference: https://thedfirreport.com/2021/06/28/hancitor-continues-to-push-cobalt-strike/
 7 | */
 8 | 
 9 | /* Rule Set ----------------------------------------------------------------- */
10 | 
11 | import "pe"
12 | 
13 | rule sig_95_dll_cobalt_strike {
14 | meta:
15 | description = "file 95.dll"
16 | author = "The DFIR Report"
17 | reference = "https://thedfirreport.com"
18 | date = "2021-06-24"
19 | hash1 = "7b2144f2b5d722a1a8a0c47a43ecaf029b434bfb34a5cffe651fda2adf401131"
20 | strings:
21 | $s1 = "TstDll.dll" fullword ascii
22 | $s2 = "!This is a Windows NT windowed dynamic link library" fullword ascii
23 | $s3 = "AserSec" fullword ascii
24 | $s4 = "`.idata" fullword ascii /* Goodware String - occured 1 times */
25 | $s5 = "vEYd!W" fullword ascii
26 | $s6 = "[KpjrRdX&b" fullword ascii
27 | $s7 = "XXXXXXHHHHHHHHHHHHHHHHHHHH" fullword ascii /* Goodware String - occured 2 times */
28 | $s8 = "%$N8 2" fullword ascii
29 | $s9 = "%{~=vP" fullword ascii
30 | $s10 = "it~?KVT" fullword ascii
31 | $s11 = "UwaG+A" fullword ascii
32 | $s12 = "mj_.%/2" fullword ascii
33 | $s13 = "BnP#lyp" fullword ascii
34 | $s14 = "(N\"-%IB" fullword ascii
35 | $s15 = "KkL{xK" fullword ascii
36 | $s16 = ")[IyU," fullword ascii
37 | $s17 = "|+uo6\\" fullword ascii
38 | $s18 = "@s?.N^" fullword ascii
39 | $s19 = "R%jdzV" fullword ascii
40 | $s20 = "R!-q$Fl" fullword ascii 
41 | condition: 
42 | uint16(0) == 0x5a4d and filesize < 100KB and 
43 | ( pe.imphash() == "67fdc237b514ec9fab9c4500917eb60f" and ( pe.exports("AserSec") and pe.exports("TstSec") ) or all of them ) 
44 | } 
45 | 
46 | rule cobalt_strike_shellcode_95_dll { 
47 | 
48 | meta: 
49 | description = "Cobalt Strike Shellcode" 
50 | author = "The DFIR Report" 
51 | reference = "https://thedfirreport.com" 
52 | date = "2021-06-23" 
53 | 
54 | strings: 
55 | 
56 | $str_1 = { E8 89 00 00 00 60 89 E5 31 D2 64 8B 52 30 8B 52 } 
57 | $str_2 = "/hVVH" 
58 | $str_3 = "User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; BOIE9;ENGB)" 
59 | 
60 | condition: 
61 | 3 of them
62 | 
63 | }
64 | 


--------------------------------------------------------------------------------
/4485/4485.yar:
--------------------------------------------------------------------------------
  1 | /*
  2 | YARA Rule Set
  3 | Author: The DFIR Report
  4 | Date: 2021-07-13
  5 | Identifier: Case 4485 IcedID and Cobalt Strike vs Antivirus
  6 | Reference: https://thedfirreport.com/2021/07/19/icedid-and-cobalt-strike-vs-antivirus/
  7 | */
  8 | 
  9 | /* Rule Set ----------------------------------------------------------------- */
 10 | 
 11 | import "pe"
 12 | 
 13 | rule textboxNameNamespace {
 14 | meta:
 15 | description = "4485 - file textboxNameNamespace.hta"
 16 | author = "The DFIR Report"
 17 | reference = "https://thedfirreport.com"
 18 | date = "2021-07-13"
 19 | hash1 = "b17c7316f5972fff42085f7313f19ce1c69b17bf61c107b1ccf94549d495fa42"
 20 | strings:
 21 | $s1 = "idGNlamJvbWV0c3lzZWxpZi5nbml0cGlyY3MiKHRjZWpiT1hldml0Y0Egd2VuID0gTG1lciByYXY7KSJsbGVocy50cGlyY3N3Iih0Y2VqYk9YZXZpdGNBIHdlbiA9IGV" ascii /* base64 encoded string 'tcejbometsyselif.gnitpircs"(tcejbOXevitcA wen = Lmer rav;)"llehs.tpircsw"(tcejbOXevitcA wen = e' */
 22 | $s2 = "/<html><body><div id='variantDel'>fX17KWUoaGN0YWN9O2Vzb2xjLnRzbm9Dbm90dHVCd2VpdjspMiAsImdwai5lY2Fwc2VtYU5lbWFOeG9idHhldFxcY2lsYn" ascii
 23 | $s3 = "oveTo(-100, -100);var swapLength = tplNext.getElementById('variantDel').innerHTML.split(\"aGVsbG8\");var textSinLibrary = ptrSin" ascii
 24 | $s4 = "wxyz0123456789+/</div><script language='javascript'>function varMainInt(tmpRepo){return(new ActiveXObject(tmpRepo));}function bt" ascii
 25 | $s5 = "VwXFxzcmVzdVxcOmMiKGVsaWZvdGV2YXMudHNub0Nub3R0dUJ3ZWl2Oyl5ZG9iZXNub3BzZXIuZXRhREl4b2J0eGV0KGV0aXJ3LnRzbm9Dbm90dHVCd2VpdjsxID0gZX" ascii
 26 | $s6 = "ript><script language='vbscript'>Function byteNamespaceReference(variantDel) : Set WLength = CreateObject(queryBoolSize) : With " ascii
 27 | $s7 = "WLength : .language = \"jscript\" : .timeout = 60000 : .eval(variantDel) : End With : End Function</script><script language='vbs" ascii
 28 | $s8 = "FkZGEvbW9jLmIwMjAyZ25pcm9ieXRyZXZvcC8vOnB0dGgiICwiVEVHIihuZXBvLmV0YURJeG9idHhldDspInB0dGhsbXguMmxteHNtIih0Y2VqYk9YZXZpdGNBIHdlbi" ascii
 29 | $s9 = "pJMTZBb0hjcXBYbVI1ZUI0YXF0SVhWWlZkRkhvZjFEZy9qYWVMTGlmc3doOW9EaEl2QlllYnV1dWxPdktuQWFPYm43WGNieFdqejQ1V3dTOC8xMzIxNi9PUnFEb01aL2" ascii
 30 | $s10 = "B5dC50c25vQ25vdHR1QndlaXY7bmVwby50c25vQ25vdHR1QndlaXY7KSJtYWVydHMuYmRvZGEiKHRjZWpiT1hldml0Y0Egd2VuID0gdHNub0Nub3R0dUJ3ZWl2IHJhdn" ascii
 31 | $s11 = "t><script language='javascript'>libView['close']();</script></body></html>" fullword ascii
 32 | $s12 = "t5cnR7KTAwMiA9PSBzdXRhdHMuZXRhREl4b2J0eGV0KGZpOykoZG5lcy5ldGFESXhvYnR4ZXQ7KWVzbGFmICwiNE9Uc3NldUk9ZmVyPzZnb2QvNzcwODMvUG10RkQzeE" ascii
 33 | $s13 = "tYU5vcmV6IHJhdg==aGVsbG8msscriptcontrol.scriptcontrol</div><div id='exLeftLink'>ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuv" ascii
 34 | $s14 = "nGlob(pasteVariable){return(tplNext.getElementById(pasteVariable).innerHTML);}function lConvert(){return(btnGlob('exLeftLink'));" ascii
 35 | $s15 = "ipt'>Call byteNamespaceReference(textSinLibrary)</script><script language='vbscript'>Call byteNamespaceReference(remData)</scrip" ascii
 36 | $s16 = "Ex](x)];b=(b<<6)+c;l+=6;while(l>=8){((a=(b>>>(l-=8))&0xff)||(x<(L-2)))&&(vbaBD+=w(a));}}return(vbaBD);};function ptrSingleOpt(be" ascii
 37 | $s17 = "eOpt(bytesGeneric(swapLength[0]));var remData = ptrSingleOpt(bytesGeneric(swapLength[1]));var queryBoolSize = swapLength[2];</sc" ascii
 38 | $s18 = "}function bytesGeneric(s){var e={}; var i; var b=0; var c; var x; var l=0; var a; var vbaBD=''; var w=String.fromCharCode; var L" ascii
 39 | $s19 = "=s.length;var counterEx = ptrSingleOpt('tArahc');for(i=0;i<64;i++){e[lConvert()[counterEx](i)]=i;}for(x=0;x<L;x++){c=e[s[counter" ascii
 40 | $s20 = "foreRight){return beforeRight.split('').reverse().join('');}libView = window;tplNext = document;libView.resizeTo(1, 1);libView.m" ascii
 41 | condition:
 42 | uint16(0) == 0x3c2f and filesize < 7KB and
 43 | 8 of them
 44 | }
 45 | 
 46 | rule case_4485_adf {
 47 | meta:
 48 | description = "files - file adf.bat"
 49 | author = "The DFIR Report"
 50 | reference = "https://thedfirreport.com"
 51 | date = "2021-07-13"
 52 | hash1 = "f6a377ba145a5503b5eb942d17645502eddf3a619d26a7b60df80a345917aaa2"
 53 | strings:
 54 | $x1 = "adfind.exe"
 55 | $s2 = "objectcategory=person" fullword ascii
 56 | $s3 = "objectcategory=computer" fullword ascii
 57 | $s4 = "adfind.exe -gcb -sc trustdmp > trustdmp.txt" fullword ascii
 58 | $s5 = "adfind.exe -sc trustdmp > trustdmp.txt" fullword ascii
 59 | $s6 = "adfind.exe -subnets -f (objectCategory=subnet)> subnets.txt" fullword ascii
 60 | $s7 = "(objectcategory=group)" fullword ascii
 61 | $s8 = "(objectcategory=organizationalUnit)" fullword ascii
 62 | condition:
 63 | uint16(0) == 0x6463 and filesize < 1KB and ( 1 of ($x*) and 6 of ($s*))
 64 | }
 65 | 
 66 | rule case_4485_Muif {
 67 | meta:
 68 | description = "4485 - file Muif.dll"
 69 | author = "The DFIR Report"
 70 | reference = "https://thedfirreport.com"
 71 | date = "2021-07-13"
 72 | hash1 = "8b9d605b826258e07e63687d1cefb078008e1a9c48c34bc131d7781b142c84ab"
 73 | strings:
 74 | $s1 = "Common causes completion include incomplete download and damaged media" fullword ascii
 75 | $s2 = "An error occurred writing to the file" fullword ascii
 76 | $s3 = "asks should be performed?" fullword ascii
 77 | $s4 = "The waiting time for the end of the launch was exceeded for an unknown reason" fullword ascii
 78 | $s5 = "Select the Start Menu folder in which you would like Setup to create the programs shortcuts, then click Next. Which additional t" ascii
 79 | $s6 = "HcA<E3" fullword ascii /* Goodware String - occured 1 times */
 80 | $s7 = "D$(9D$@u" fullword ascii /* Goodware String - occured 1 times */
 81 | $s8 = "Select the Start Menu folder in which you would like Setup to create the programs shortcuts, then click Next. Which additional t" ascii
 82 | $s9 = "Please verify that the correct path and file name are given" fullword ascii
 83 | $s10 = "Critical error" fullword ascii
 84 | $s11 = "Please read this information carefully" fullword ascii
 85 | $s12 = "Unknown error occurred for time: " fullword ascii
 86 | $s13 = "E 3y4i" fullword ascii
 87 | $s14 = "D$tOuo2" fullword ascii
 88 | $s15 = "D$PH9D$8tXH" fullword ascii
 89 | $s16 = "E$hik7" fullword ascii
 90 | $s17 = "D$p]mjk" fullword ascii
 91 | $s18 = "B):0~\"Z" fullword ascii
 92 | $s19 = "Richo/" fullword ascii
 93 | $s20 = "D$xJij" fullword ascii
 94 | condition:
 95 | uint16(0) == 0x5a4d and filesize < 70KB and
 96 | ( pe.imphash() == "42205b145650671fa4469a6321ccf8bf" and pe.exports("StartW") or 8 of them )
 97 | }
 98 | 
 99 | rule textboxNameNamespace_2 {
100 | meta:
101 | description = "4485 - file textboxNameNamespace.jpg"
102 | author = "The DFIR Report"
103 | reference = "https://thedfirreport.com"
104 | date = "2021-07-13"
105 | hash1 = "010f52eda70eb9ff453e3af6f3d9d20cbda0c4075feb49c209ca1c250c676775"
106 | strings:
107 | $s1 = "uwunhkqlzle.dll" fullword ascii
108 | $s2 = "AppPolicyGetProcessTerminationMethod" fullword ascii
109 | $s3 = "operator co_await" fullword ascii
110 | $s4 = "ggeaxcx" fullword ascii
111 | $s5 = "wttfzwz" fullword ascii
112 | $s6 = "fefewzydtdu" fullword ascii
113 | $s7 = "ilaeemjyjwzjwj" fullword ascii
114 | $s8 = "enhzmqryc" fullword ascii
115 | $s9 = "flchfonfpzcwyrg" fullword ascii
116 | $s10 = "dayhcsokc" fullword ascii
117 | $s11 = "mtqnlfpbxghmlupsn" fullword ascii
118 | $s12 = "zqeoctx" fullword ascii
119 | $s13 = "ryntfydpykrdcftxx" fullword ascii
120 | $s14 = "atxvtwd" fullword ascii
121 | $s15 = "icjshmfrldy" fullword ascii
122 | $s16 = "lenkuktrncmxiafgl" fullword ascii
123 | $s17 = "alshaswlqmhptxpc" fullword ascii
124 | $s18 = "izonphi" fullword ascii
125 | $s19 = "atttyokowqnj" fullword ascii
126 | $s20 = "nwvohpazb" fullword ascii
127 | condition:
128 | uint16(0) == 0x5a4d and filesize < 500KB and
129 | ( pe.imphash() == "4d46e641e0220fb18198a7e15fa6f49f" and ( pe.exports("PluginInit") and pe.exports("alshaswlqmhptxpc") and pe.exports("amgqilvxdufvpdbwb") and pe.exports("atttyokowqnj") and pe.exports("atxvtwd") and pe.exports("ayawgsgkusfjmq") ) or 8 of them )
130 | }
131 | 
132 | rule case_4485_ekix4 {
133 | meta:
134 | description = "4485 - file ekix4.dll"
135 | author = "The DFIR Report"
136 | reference = "https://thedfirreport.com"
137 | date = "2021-07-13"
138 | hash1 = "e27b71bd1ba7e1f166c2553f7f6dba1d6e25fa2f3bb4d08d156073d49cbc360a"
139 | strings:
140 | $s1 = "f159.dll" fullword ascii
141 | $s2 = "AppPolicyGetProcessTerminationMethod" fullword ascii
142 | $s3 = "ossl_store_get0_loader_int" fullword ascii
143 | $s4 = "loader incomplete" fullword ascii
144 | $s5 = "log conf missing description" fullword ascii
145 | $s6 = "SqlExec" fullword ascii
146 | $s7 = "process_include" fullword ascii
147 | $s8 = "EVP_PKEY_get0_siphash" fullword ascii
148 | $s9 = "process_pci_value" fullword ascii
149 | $s10 = "EVP_PKEY_get_raw_public_key" fullword ascii
150 | $s11 = "EVP_PKEY_get_raw_private_key" fullword ascii
151 | $s12 = "OSSL_STORE_INFO_get1_NAME_description" fullword ascii
152 | $s13 = "divisor->top > 0 && divisor->d[divisor->top - 1] != 0" fullword wide
153 | $s14 = "ladder post failure" fullword ascii
154 | $s15 = "operation fail" fullword ascii
155 | $s16 = "ssl command section not found" fullword ascii
156 | $s17 = "log key invalid" fullword ascii
157 | $s18 = "cms_get0_econtent_type" fullword ascii
158 | $s19 = "log conf missing key" fullword ascii
159 | $s20 = "ssl command section empty" fullword ascii
160 | condition:
161 | uint16(0) == 0x5a4d and filesize < 11000KB and
162 | ( pe.imphash() == "547a74a834f9965f00df1bd9ed30b8e5" or 8 of them )
163 | }
164 | 


--------------------------------------------------------------------------------
/4641/4641.yar:
--------------------------------------------------------------------------------
  1 | /*
  2 | YARA Rule Set
  3 | Author: The DFIR Report
  4 | Date: 2021-08-02
  5 | Identifier: Case 4641 BazarCall to Conti Ransomware via Trickbot and Cobalt Strike
  6 | Reference: https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/
  7 | */
  8 | 
  9 | /* Rule Set ----------------------------------------------------------------- */
 10 | 
 11 | import "pe"
 12 | 
 13 | rule sig_4641_fQumH {
 14 | meta:
 15 | description = "4641 - file fQumH.exe"
 16 | author = "The DFIR Report"
 17 | reference = "https://thedfirreport.com"
 18 | date = "2021-08-02"
 19 | hash1 = "3420a0f6f0f0cc06b537dc1395638be0bffa89d55d47ef716408309e65027f31"
 20 | strings:
 21 | $s1 = "Usage: .system COMMAND" fullword ascii
 22 | $s2 = "Usage: .log FILENAME" fullword ascii
 23 | $s3 = "* If FILE begins with \"|\" then it is a command that generates the" fullword ascii
 24 | $s4 = "AppPolicyGetProcessTerminationMethod" fullword ascii
 25 | $s5 = "Usage %s sub-command ?switches...?" fullword ascii
 26 | $s6 = "attach debugger to process %d and press any key to continue." fullword ascii
 27 | $s7 = "%s:%d: expected %d columns but found %d - extras ignored" fullword ascii
 28 | $s8 = "%s:%d: expected %d columns but found %d - filling the rest with NULL" fullword ascii
 29 | $s9 = "Unknown option \"%s\" on \".dump\"" fullword ascii
 30 | $s10 = "REPLACE INTO temp.sqlite_parameters(key,value)VALUES(%Q,%s);" fullword ascii
 31 | $s11 = "error in %s %s%s%s: %s" fullword ascii
 32 | $s12 = "UPDATE temp.sqlite_master SET sql = sqlite_rename_column(sql, type, name, %Q, %Q, %d, %Q, %d, 1) WHERE type IN ('trigger', 'view" ascii
 33 | $s13 = "BBBBBBBBBBBBBBBBBBBB" wide /* reversed goodware string 'BBBBBBBBBBBBBBBBBBBB' */
 34 | $s14 = "UPDATE temp.sqlite_master SET sql = sqlite_rename_column(sql, type, name, %Q, %Q, %d, %Q, %d, 1) WHERE type IN ('trigger', 'view" ascii
 35 | $s15 = ");CREATE TEMP TABLE [_shell$self](op,cmd,ans);" fullword ascii
 36 | $s16 = "SqlExec" fullword ascii
 37 | $s17 = "* If neither --csv or --ascii are used, the input mode is derived" fullword ascii
 38 | $s18 = "Where sub-commands are:" fullword ascii
 39 | $s19 = "max rootpage (%d) disagrees with header (%d)" fullword ascii
 40 | $s20 = "-- Query %d --------------------------------" fullword ascii
 41 | condition:
 42 | uint16(0) == 0x5a4d and filesize < 4000KB and
 43 | ( pe.imphash() == "67f1f64a3db0d22bf48121a6cea1da22" or 8 of them )
 44 | }
 45 | 
 46 | rule sig_4641_62 {
 47 | meta:
 48 | description = "4641 - file 62.dll"
 49 | author = "The DFIR Report"
 50 | reference = "https://thedfirreport.com"
 51 | date = "2021-08-02"
 52 | hash1 = "8b9d605b826258e07e63687d1cefb078008e1a9c48c34bc131d7781b142c84ab"
 53 | strings:
 54 | $s1 = "Common causes completion include incomplete download and damaged media" fullword ascii
 55 | $s2 = "An error occurred writing to the file" fullword ascii
 56 | $s3 = "asks should be performed?" fullword ascii
 57 | $s4 = "The waiting time for the end of the launch was exceeded for an unknown reason" fullword ascii
 58 | $s5 = "Select the Start Menu folder in which you would like Setup to create the programs shortcuts, then click Next. Which additional t" ascii
 59 | $s6 = "HcA<E3" fullword ascii /* Goodware String - occured 1 times */
 60 | $s7 = "Select the Start Menu folder in which you would like Setup to create the programs shortcuts, then click Next. Which additional t" ascii
 61 | $s8 = "D$(9D$@u" fullword ascii /* Goodware String - occured 1 times */
 62 | $s9 = "Please verify that the correct path and file name are given" fullword ascii
 63 | $s10 = "Critical error" fullword ascii
 64 | $s11 = "Please read this information carefully" fullword ascii
 65 | $s12 = "Unknown error occurred for time: " fullword ascii
 66 | $s13 = "E 3y4i" fullword ascii
 67 | $s14 = "D$tOuo2" fullword ascii
 68 | $s15 = "D$PH9D$8tXH" fullword ascii
 69 | $s16 = "E$hik7" fullword ascii
 70 | $s17 = "D$p]mjk" fullword ascii
 71 | $s18 = "B):0~\"Z" fullword ascii
 72 | $s19 = "Richo/" fullword ascii
 73 | $s20 = "D$xJij" fullword ascii
 74 | condition:
 75 | uint16(0) == 0x5a4d and filesize < 70KB and
 76 | ( pe.imphash() == "42205b145650671fa4469a6321ccf8bf" and pe.exports("StartW") or 8 of them )
 77 | }
 78 | 
 79 | rule sig_4641_tdrE934 {
 80 | meta:
 81 | description = "4641 - file tdrE934.exe"
 82 | author = "The DFIR Report"
 83 | reference = "https://thedfirreport.com"
 84 | date = "2021-08-02"
 85 | hash1 = "48f2e2a428ec58147a4ad7cc0f06b3cf7d2587ccd47bad2ea1382a8b9c20731c"
 86 | strings:
 87 | $s1 = "AppPolicyGetProcessTerminationMethod" fullword ascii
 88 | $s2 = "D:\\1W7w3cZ63gF\\wFIFSV\\YFU1GTi1\\i5G3cr\\Wb2f\\Cvezk3Oz\\2Zi9ir\\S76RW\\RE5kLijcf.pdb" fullword ascii
 89 | $s3 = "https://sectigo.com/CPS0" fullword ascii
 90 | $s4 = "2http://crl.comodoca.com/AAACertificateServices.crl04" fullword ascii
 91 | $s5 = "?http://crl.usertrust.com/USERTrustRSACertificationAuthority.crl0v" fullword ascii
 92 | $s6 = "3http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt0%" fullword ascii
 93 | $s7 = "ntdll.dlH" fullword ascii
 94 | $s8 = "http://ocsp.sectigo.com0" fullword ascii
 95 | $s9 = "2http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s" fullword ascii
 96 | $s10 = "2http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#" fullword ascii
 97 | $s11 = "tmnEt6XElyFyz2dg5EP4TMpAvGdGtork5EZcpw3eBwJQFABWlUZa5slcF6hqfGb2HgPed49gr2baBCLwRel8zM5cbMfsrOdS1yd6bMpepebebyT4NIN6zOvk" fullword ascii
 98 | $s12 = "ealagi@aol.com0" fullword ascii
 99 | $s13 = "operator co_await" fullword ascii
100 | $s14 = "ZGetModuleHandle" fullword ascii
101 | $s15 = "api-ms-win-appmodel-runtime-l1-1-2" fullword wide
102 | $s16 = "RtlExitUserThrea`NtFlushInstruct" fullword ascii
103 | $s17 = "UAWAVAUATVWSH" fullword ascii
104 | $s18 = "AWAVAUATVWUSH" fullword ascii
105 | $s19 = "AWAVVWSH" fullword ascii
106 | $s20 = "UAWAVATVWSH" fullword ascii
107 | condition:
108 | uint16(0) == 0x5a4d and filesize < 2000KB and
109 | ( pe.imphash() == "4f1ec786c25f2d49502ba19119ebfef6" or 8 of them )
110 | }
111 | 
112 | rule sig_4641_netscan {
113 | meta:
114 | description = "4641 - file netscan.exe"
115 | author = "The DFIR Report"
116 | reference = "https://thedfirreport.com"
117 | date = "2021-08-02"
118 | hash1 = "bb574434925e26514b0daf56b45163e4c32b5fc52a1484854b315f40fd8ff8d2"
119 | strings:
120 | $s1 = "netscan.exe" fullword ascii
121 | $s2 = "TFMREMOTEPOWERSHELL" fullword wide
122 | $s3 = "TFMREMOTEPOWERSHELLEDIT" fullword wide
123 | $s4 = "TFMBASEDIALOGREMOTEEDIT" fullword wide
124 | $s5 = "*http://crl4.digicert.com/assured-cs-g1.crl0L" fullword ascii
125 | $s6 = "*http://crl3.digicert.com/assured-cs-g1.crl00" fullword ascii
126 | $s7 = "TFMIGNOREADDRESS" fullword wide
127 | $s8 = "TREMOTECOMMONFORM" fullword wide
128 | $s9 = "TFMSTOPSCANDIALOG" fullword wide
129 | $s10 = "TFMBASEDIALOGSHUTDOWN" fullword wide
130 | $s11 = "TFMBASEDIALOG" fullword wide
131 | $s12 = "TFMOFFLINEDIALOG" fullword wide
132 | $s13 = "TFMLIVEDISPLAYLOG" fullword wide
133 | $s14 = "TFMHOSTPROPS" fullword wide
134 | $s15 = "GGG`BBB" fullword ascii /* reversed goodware string 'BBB`GGG' */
135 | $s16 = "SoftPerfect Network Scanner" fullword wide
136 | $s17 = "TUSERPROMPTFORM" fullword wide
137 | $s18 = "TFMREMOTESSH" fullword wide
138 | $s19 = "TFMREMOTEGROUPSEDIT" fullword wide
139 | $s20 = "TFMREMOTEWMI" fullword wide
140 | condition:
141 | uint16(0) == 0x5a4d and filesize < 6000KB and
142 | ( pe.imphash() == "573e7039b3baff95751bded76795369e" and ( pe.exports("__dbk_fcall_wrapper") and pe.exports("dbkFCallWrapperAddr") ) or 8 of them )
143 | }
144 | 
145 | rule sig_4641_tdr615 {
146 | meta:
147 | description = "4641 - file tdr615.exe"
148 | author = "The DFIR Report"
149 | reference = "https://thedfirreport.com"
150 | date = "2021-08-02"
151 | hash1 = "12761d7a186ff14dc55dd4f59c4e3582423928f74d8741e7ec9f761f44f369e5"
152 | strings:
153 | $s1 = "AppPolicyGetProcessTerminationMethod" fullword ascii
154 | $s2 = "I:\\RoDcnyLYN\\k1GP\\ap0pivKfOF\\odudwtm30XMz\\UnWdqN\\01\\7aXg1kTkp.pdb" fullword ascii
155 | $s3 = "https://sectigo.com/CPS0" fullword ascii
156 | $s4 = "2http://crl.comodoca.com/AAACertificateServices.crl04" fullword ascii
157 | $s5 = "?http://crl.usertrust.com/USERTrustRSACertificationAuthority.crl0v" fullword ascii
158 | $s6 = "3http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt0%" fullword ascii
159 | $s7 = "http://ocsp.sectigo.com0" fullword ascii
160 | $s8 = "2http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s" fullword ascii
161 | $s9 = "2http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#" fullword ascii
162 | $s10 = "ealagi@aol.com0" fullword ascii
163 | $s11 = "operator co_await" fullword ascii
164 | $s12 = "GetModuleHandleRNtUnmapViewOfSe" fullword ascii
165 | $s13 = "+GetProcAddress" fullword ascii
166 | $s14 = "api-ms-win-appmodel-runtime-l1-1-2" fullword wide
167 | $s15 = "RtlExitUserThrebNtFlushInstruct" fullword ascii
168 | $s16 = "Sectigo Limited1$0\"" fullword ascii
169 | $s17 = "b<log10" fullword ascii
170 | $s18 = "D*<W -" fullword ascii
171 | $s19 = "WINDOWSPROJECT1" fullword wide
172 | $s20 = "WindowsProject1" fullword wide
173 | condition:
174 | uint16(0) == 0x5a4d and filesize < 10000KB and
175 | ( pe.imphash() == "555560b7871e0ba802f2f6fbf05d9bfa" or 8 of them )
176 | }
177 | 
178 | rule CS_DLL { 
179 | meta: 
180 | description = "62.dll" 
181 | author = "The DFIR Report" 
182 | reference = "https://thedfirreport.com" 
183 | date = "2021-07-07" 
184 | hash1 = "8b9d605b826258e07e63687d1cefb078008e1a9c48c34bc131d7781b142c84ab" 
185 | strings: 
186 | $s1 = "Common causes completion include incomplete download and damaged media" fullword ascii 
187 | $s2 = "StartW" fullword ascii 
188 | $s4 = ".rdata$zzzdbg" fullword ascii 
189 | condition: 
190 | uint16(0) == 0x5a4d and filesize < 70KB and ( pe.imphash() == "42205b145650671fa4469a6321ccf8bf" ) 
191 | or (all of them) 
192 | }
193 | 
194 | 
195 | rule tdr615_exe { 
196 | meta: 
197 | description = "Cobalt Strike on beachhead: tdr615.exe" 
198 | author = "The DFIR Report" 
199 | reference = "https://thedfirreport.com" 
200 | date = "2021-07-07" 
201 | hash1 = "12761d7a186ff14dc55dd4f59c4e3582423928f74d8741e7ec9f761f44f369e5" 
202 | strings: 
203 | $a1 = "AppPolicyGetProcessTerminationMethod" fullword ascii 
204 | $a2 = "I:\\RoDcnyLYN\\k1GP\\ap0pivKfOF\\odudwtm30XMz\\UnWdqN\\01\\7aXg1kTkp.pdb" fullword ascii 
205 | $b1 = "ealagi@aol.com0" fullword ascii 
206 | $b2 = "operator co_await" fullword ascii 
207 | $b3 = "GetModuleHandleRNtUnmapViewOfSe" fullword ascii 
208 | $b4 = "RtlExitUserThrebNtFlushInstruct" fullword ascii 
209 | $c1 = "Jersey City1" fullword ascii 
210 | $c2 = "Mariborska cesta 971" fullword ascii 
211 | condition: 
212 | uint16(0) == 0x5a4d and filesize < 10000KB and 
213 | any of ($a* ) and 2 of ($b* ) and any of ($c* ) 
214 | } 
215 | 


--------------------------------------------------------------------------------
/5087/5087.yar:
--------------------------------------------------------------------------------
 1 | /*
 2 | YARA Rule Set
 3 | Author: The DFIR Report
 4 | Date: 2021-09-01
 5 | Identifier: Case 5087 BazarLoader to Conti Ransomware in 32 Hours
 6 | Reference: https://thedfirreport.com/2021/09/13/bazarloader-to-conti-ransomware-in-32-hours/
 7 | */
 8 | 
 9 | /* Rule Set ----------------------------------------------------------------- */
10 | 
11 | rule case_5087_start_bat { 
12 |    meta: 
13 |       description = "Files - file start.bat" 
14 |       author = "The DFIR Report" 
15 |       reference = "https://thedfirreport.com" 
16 |       date = "2021-08-30" 
17 |       hash1 = "63de40c7382bbfe7639f51262544a3a62d0270d259e3423e24415c370dd77a60" 
18 |    strings: 
19 |       $x1 = "powershell.exe Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process -Force" fullword ascii 
20 |       $x2 = "powershell.exe -executionpolicy remotesigned -File .\\Get-DataInfo.ps1 %method" fullword ascii 
21 |       $x3 = "powershell.exe -executionpolicy remotesigned -File .\\Get-DataInfo.ps1 %1)" fullword ascii 
22 |       $s4 = "set /p method=\"Press Enter for collect [all]:  \"" fullword ascii 
23 |       $s5 = "echo \"Please select a type of info collected:\"" fullword ascii 
24 |       $s6 = "echo \"all ping disk soft noping nocompress\"" fullword ascii 
25 |    condition: 
26 |       filesize < 1KB and all of them 
27 | } 
28 | 
29 | 
30 | 
31 | rule case_5087_3 { 
32 |    meta: 
33 |       description = "Files - file 3.exe" 
34 |       author = "The DFIR Report" 
35 |       reference = "https://thedfirreport.com" 
36 |       date = "2021-08-30" 
37 |       hash1 = "37b264e165e139c3071eb1d4f9594811f6b983d8f4b7ef1fe56ebf3d1f35ac89" 
38 |    strings: 
39 |       $s1 = "https://sectigo.com/CPS0" fullword ascii 
40 |       $s2 = "?http://crl.usertrust.com/USERTrustRSACertificationAuthority.crl0v" fullword ascii 
41 |       $s3 = "2http://crl.comodoca.com/AAACertificateServices.crl04" fullword ascii 
42 |       $s4 = "3http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt0%" fullword ascii 
43 |       $s5 = "        <requestedExecutionLevel level=\"asInvoker\"/>" fullword ascii 
44 |       $s6 = "http://ocsp.sectigo.com0" fullword ascii 
45 |       $s7 = "2http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#" fullword ascii 
46 |       $s8 = "2http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s" fullword ascii 
47 |       $s9 = "ealagi@aol.com0" fullword ascii 
48 |       $s10 = "bhfatmxx" fullword ascii 
49 |       $s11 = "orzynoxl" fullword ascii 
50 |       $s12 = "  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">" fullword ascii 
51 |       $s13 = "      <!--The ID below indicates application support for Windows 8.1 -->" fullword ascii 
52 |       $s14 = "      <!--The ID below indicates application support for Windows 8 -->" fullword ascii 
53 |       $s15 = "O:\\-e%" fullword ascii 
54 |       $s16 = "      <!--The ID below indicates application support for Windows 10 -->" fullword ascii 
55 |       $s17 = "      <!--The ID below indicates application support for Windows 7 -->" fullword ascii 
56 |       $s18 = "      <!--The ID below indicates application support for Windows Vista -->" fullword ascii 
57 |       $s19 = "  <compatibility xmlns=\"urn:schemas-microsoft-com:compatibility.v1\">" fullword ascii 
58 |       $s20 = "  </compatibility>" fullword ascii 
59 |    condition: 
60 |       uint16(0) == 0x5a4d and filesize < 1000KB and 8 of them 
61 | } 
62 | 
63 | rule case_5087_7A86 { 
64 |    meta: 
65 |       description = "Files - file 7A86.dll" 
66 |       author = "The DFIR Report" 
67 |       reference = "https://thedfirreport.com" 
68 |       date = "2021-08-30" 
69 |       hash1 = "9d63a34f83588e208cbd877ba4934d411d5273f64c98a43e56f8e7a45078275d" 
70 |    strings: 
71 |       $s1 = "ibrndbiclw.dll" fullword ascii 
72 |       $s2 = "AppPolicyGetProcessTerminationMethod" fullword ascii 
73 |       $s3 = "Type Descriptor'" fullword ascii 
74 |       $s4 = "operator co_await" fullword ascii 
75 |    condition: 
76 |       uint16(0) == 0x5a4d and filesize < 500KB and all of them 
77 | } 
78 | 
79 |  rule case_5087_24f692b4ee982a145abf12c5c99079cfbc39e40bd64a3c07defaf36c7f75c7a9 { 
80 |    meta: 
81 |       description = "Files - file 24f692b4ee982a145abf12c5c99079cfbc39e40bd64a3c07defaf36c7f75c7a9.exe" 
82 |       author = "The DFIR Report" 
83 |       reference = "https://thedfirreport.com" 
84 |       date = "2021-08-30" 
85 |       hash1 = "24f692b4ee982a145abf12c5c99079cfbc39e40bd64a3c07defaf36c7f75c7a9" 
86 |    strings: 
87 |       $s1 = "fbtwmjnrrovmd.dll" fullword ascii 
88 |       $s2 = "AppPolicyGetProcessTerminationMethod" fullword ascii 
89 |       $s3 = " Type Descriptor'" fullword ascii 
90 |       $s4 = "operator co_await" fullword ascii 
91 |    condition: 
92 |       uint16(0) == 0x5a4d and filesize < 900KB and all of them 
93 | }
94 | 


--------------------------------------------------------------------------------
/5426/5426.yar:
--------------------------------------------------------------------------------
  1 | /*
  2 | YARA Rule Set
  3 | Author: The DFIR Report
  4 | Date: 2021-09-01
  5 | Identifier: Case 5426 BazarLoader and the Conti Leaks
  6 | Reference: https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/
  7 | */
  8 | 
  9 | rule informational_AnyDesk_Remote_Software_Utility { 
 10 | 
 11 |    meta: 
 12 |       description = "files - AnyDesk.exe" 
 13 |       author = "TheDFIRReport" 
 14 |       date = "2021-07-25" 
 15 |       hash1 = "9eab01396985ac8f5e09b74b527279a972471f4b97b94e0a76d7563cf27f4d57" 
 16 |    strings: 
 17 |       $x1 = "C:\\Buildbot\\ad-windows-32\\build\\release\\app-32\\win_loader\\AnyDesk.pdb" fullword ascii 
 18 |       $s2 = "release/win_6.3.x" fullword ascii 
 19 |       $s3 = "16eb5134181c482824cd5814c0efd636" fullword ascii 
 20 |       $s4 = "b1bfe2231dfa1fa4a46a50b4a6c67df34019e68a" fullword ascii 
 21 |       $s5 = "Z72.irZ" fullword ascii 
 22 |       $s6 = "ysN.JTf" fullword ascii 
 23 |       $s7 = ",;@O:\"" fullword ascii 
 24 |       $s8 = "ekX.cFm" fullword ascii 
 25 |       $s9 = ":keftP" fullword ascii 
 26 |       $s10 = ">FGirc" fullword ascii 
 27 |       $s11 = ">-9 -D" fullword ascii 
 28 |       $s12 = "% /m_v?" fullword ascii 
 29 |       $s13 = "?\\+ X5" fullword ascii 
 30 |       $s14 = "Cyurvf7" fullword ascii 
 31 |       $s15 = "~%f_%Cfcs" fullword ascii 
 32 |       $s16 = "wV^X(P+ " fullword ascii 
 33 |       $s17 = "\\Ej0drBTC8E=oF" fullword ascii 
 34 |       $s18 = "W00O~AK_=" fullword ascii 
 35 |       $s19 = "D( -m}w" fullword ascii 
 36 |       $s20 = "avAoInJ1" fullword ascii 
 37 |    condition: 
 38 |       uint16(0) == 0x5a4d and filesize < 11000KB and 
 39 |       1 of ($x*) and 4 of them 
 40 | } 
 41 | 
 42 | rule cobalt_strike_dll21_5426 { 
 43 |    meta: 
 44 |       description = "files - 21.dll" 
 45 |       author = "TheDFIRReport" 
 46 |       date = "2021-07-25" 
 47 |       hash1 = "96a74d4c951d3de30dbdaadceee0956682a37fcbbc7005d2e3bbd270fbd17c98" 
 48 |    strings: 
 49 |       $s1 = "AWAVAUATVWUSH" fullword ascii 
 50 |       $s2 = "UAWAVVWSPH" fullword ascii 
 51 |       $s3 = "AWAVAUATVWUSPE" fullword ascii 
 52 |       $s4 = "UAWAVATVWSH" fullword ascii 
 53 |       $s5 = "AWAVVWUSH" fullword ascii 
 54 |       $s6 = "UAWAVAUATVWSH" fullword ascii 
 55 |       $s7 = "AVVWSH" fullword ascii 
 56 |       $s8 = "m1t6h/o*i-j2p2g7i0r.q6j3p,j2l2s7p/s9j-q0f9f,i7r2g1h*i8r5h7g/q9j4h*o7i4r9f7f3g*p/q7o1e5n8m1q4n.e+n0i*r/i*k2q-g0p-n+q7l3s6h-h6j*q/" ascii 
 57 |       $s9 = "s-e6m/f-g*j.i8p1g6j*i,o1s9o5f8r-p1l1k4o9n9l-s7q8g+n,f4t0q,f6n9q5s5e6i-f*e6q-r6g8s1o6r0k+h6p9i4f6p4s6l,g0p1j6l4s1l4h2f,s9p8t5t/g6" ascii 
 58 |       $s10 = "o1s1s9i2s.f1g5l6g5o2k8h*e9j2o3k0j1f+n,k9h5l*e8p*s2k5r3j-f5o-f,g+e*s-e9h7e.t0e-h3e2t1f8j5k/m9p6n/j3h9e1k3h.t6h2g1p.l*q8o*t9l6p4s." ascii 
 59 |       $s11 = "k7s9g7m5k4s5o3h6k.s1p.h9k.s-o8e*f5n9r,l4f-s5k3p2f/n1r.i*f*n-p4s3e7m9p2t/e3m5g1s9e0m1q/j*e*m-r*i+h.p9s2f6h-p5s6e2h8p1s*j.h3p-s.h0" ascii 
 60 |       $s12 = "k9g9o0t1s4k*k*h.s-p-k.h-m1k*f4h0j7f6n,i5g-n3h+l3n1j7j0e*n5r6r-i9i/e1q4m6i3e2o8j9h9e0m.r-i9m*t4j/r.o*l8m4i.t5l,g-h0p6f7l+p-l3l,g." ascii 
 61 |       $s13 = "s6k9n/j.s4s5g2p6s.k1t/j6s,s-g*p.n6f9m/g.n4n5j2q6n.f1p/g6n,n-j*q.m6e9o/h.m4m5i2r6m.e1p/h6m,m-i*r.p6h9m/e.p4p5l2s6p.h1l/e7p,p-l*s." ascii 
 62 |       $s14 = "r4k7g8t-k4o6m,o1s1k.k1s6o,h8k-s4j8q*m+f/i*q/f3m-r5j2n0f0i*q0m/e0j5q7n5f4j7q3n7f1m4g2s,g5s5l9h7s9p1o.t8k5r-j3t.k8h1t6r7m-l5h5t1l*" ascii 
 63 |       $s15 = "k8s9n7o9k5s5o9m2k0s1m3m.k,s-n+o-f9n9t+t6f4n5o6t2f0n1s/r1f-n-o.t*e8m9i-s6e4m5t3q5e1m1i5s.e,m-k0s*h8p9q7t9h5p5j8r2h0p1h+r.h,p-q+t-" ascii 
 64 |       $s16 = "o9g6g0l0s1e6h4p-g6s9s9p1m1k*s3l-t5s.f8m5r5f6n+i2j8f*h,p5j2r.h0h1q9i6e8r-i*n8m-r5s-l.i8f2i1k.o4n1t9l6l0g,p9j6f,g.l-j*n0o-t-l*p5s-" ascii 
 65 |       $s17 = "t8n2i3e0i,l.i7i9e8r1j7o0n3i9j0m3m-l6e6s9r*l6s5h4t6n7o*k.r1f+r4l/q9g7i3o.m+t9q*g/j0h0e1n*m3i,h.e4n3i5n-r9g1h2k6m7j,e,p3p+h2o4f/h4" ascii 
 66 |       $s18 = "[_^A^A_]" fullword ascii 
 67 |       $s19 = "k9s9f+j*k3s5o-j/k/s1h/p5k-s-o7j7f7n9t/g+f3n5q/r8f1n1t7g3f+n-p.g8e7m9s3q4e5m5o+h0e/m1g-h4e+m-m+q0h9p9f/e,h3p5l6e1h/p1o7t,h-p-k+f5" ascii 
 68 |       $s20 = "g8s9j0t4o,t+n3t1g0k9k1t,o5s0n+t9n6j+o0q2i4j6r1i3f,g+j2h1f2r1n-e9m,i2i7f3q4m-n7n4m.r.e1s*j,m5p/n0n6s8p9g/o7l3t+g.m.q.l7g6t,e-o/q." ascii 
 69 |    condition: 
 70 |       uint16(0) == 0x5a4d and filesize < 2000KB and 
 71 |       8 of them 
 72 | } 
 73 | 
 74 | import "pe" 
 75 | 
 76 | rule cobalt_strike_exe21 { 
 77 |    meta: 
 78 |       description = "files -  21.exe" 
 79 |       author = "TheDFIRReport" 
 80 |       date = "2021-07-25" 
 81 |       hash1 = "972e38f7fa4c3c59634155debb6fb32eebda3c0e8e73f4cb264463708d378c39" 
 82 |    strings: 
 83 |       $s1 = "%c%c%c%c%c%c%c%c%cMSSE-%d-server" fullword ascii 
 84 |       $s2 = "  VirtualQuery failed for %d bytes at address %p" fullword ascii 
 85 |       $s3 = "1brrTbrrTbrrTbrrTbrrTbrrTbrrTbrrTbrrTbrrTbrrTbrrTbrrTbrrTbrrTbrrTbrrTbrrTbrrTbrrTbrrTbrrTbrrTbrrTbrrTbrrTbrrTbrrTbrrTbrrTbrrTbrr" ascii 
 86 |       $s4 = "\\hzA\\Vza\\|z%\\2z/\\3z\"\\/z%\\/z8\\9z\"\\(zl\\3z\"\\9z4\\5z8\\|z.\\9z+\\5z\"\\qz)\\2z(\\|z:\\=z>\\5z-\\>z \\9z?\\QzF\\\\zL\\" fullword ascii 
 87 |       $s5 = "\\zL\\/z>\\qz.\\=za\\0z-\\(z\"\\\\zL\\/z>\\qz?\\,za\\?z5\\.z \\\\zL\\/z>\\qz?\\,za\\0z-\\(z\"\\\\zL\\/z:\\qz*\\5zL\\\\zL\\/z:\\q" ascii 
 88 |       $s6 = "\\zL:\\zL" fullword ascii 
 89 |       $s7 = "\\\\z:\\\\z" fullword ascii 
 90 |       $s8 = "\\qz/\\3z!\\,z%\\0z)\\8zl\\tzc\\?z \\.ze\\|z*\\)z\"\\?z8\\5z#\\2zl\\:z>\\3z!\\|z-\\|z\"\\=z8\\5z:\\9zl\\?z#\\2z?\\(z>\\)z/\\(z#" ascii 
 91 |       $s9 = "qz<\\%zL\\\\zL\\9z?\\qz?\\*zL\\\\zL\\9z?\\qz9\\%zL\\\\zL\\9z?\\qz:\\9zL\\\\zL\\9z8\\qz)\\9zL\\\\zL\\9z9\\qz)\\/zL\\\\zL\\:z-\\qz" ascii 
 92 |       $s10 = "zL\\\\zL\\0z:\\qz" fullword ascii 
 93 |       $s11 = "z-\\(z\"\\\\zL\\/z:\\qz" fullword ascii 
 94 |       $s12 = "  VirtualProtect failed with code 0x%x" fullword ascii 
 95 |       $s13 = "3\\)z'\\\\zL\\>z)\\\\zL\\/z \\\\zL\\9z8\\\\zL\\0z:\\\\zL\\0z8\\\\zL\\:z-\\\\zL\\*z%\\\\zL\\4z5\\\\zL\\=z6\\\\zL\\9z9\\\\zL\\1z'" ascii 
 96 |       $s14 = "z#\\\\zL\\,z \\\\zL\\,z8\\\\zL\\.z#\\\\zL\\.z9\\\\zL\\4z>\\\\zL\\/z'\\\\zL\\/z=\\\\zL\\/z:\\\\zL\\(z$\\\\zL\\(z>\\\\zL\\)z>\\\\z" ascii 
 97 |       $s15 = "qz \\5zL\\\\zL\\8z)\\qz \\)zL\\\\zL\\8z%\\*za\\1z:\\\\zL\\9z \\qz+\\.zL\\\\zL\\9z\"\\qz-\\)zL\\\\zL\\9z\"\\qz.\\&zL\\\\zL\\9z\"" ascii 
 98 |       $s16 = "qz<\\7zL\\\\zL\\)z6\\qz9\\&za\\?z5\\.z \\\\zL\\)z6\\qz9\\&za\\0z-\\(z\"\\\\zL\\*z%\\qz:\\2zL\\\\zL\\$z$\\qz6\\=zL\\\\zL\\&z$\\qz" ascii 
 99 |       $s17 = "qz'\\.zL\\\\zL\\7z5\\qz'\\;zL\\\\zL\\0z8\\qz \\(zL\\\\zL\\0z:\\qz \\*zL\\\\zL\\1z%\\qz\"\\&zL\\\\zL\\1z'\\qz!\\7zL\\\\zL\\1z \\q" ascii 
100 |       $s18 = "]zL\\=z*\\qz6\\=zL\\\\zL\\=z>\\qz-\\9zL\\\\zL\\=z>\\qz.\\4zL\\\\zL\\=z>\\qz(\\&zL\\\\zL\\=z>\\qz)\\;zL\\\\zL\\=z>\\qz%\\-zL\\\\z" ascii 
101 |       $s19 = "  Unknown pseudo relocation protocol version %d." fullword ascii 
102 |       $s20 = "\\L*L\\]qN\\WHKl]qO\\W{j\\XJL\\][G\\}" fullword ascii 
103 |    condition: 
104 |       uint16(0) == 0x5a4d and filesize < 800KB and (pe.imphash()=="17b461a082950fc6332228572138b80c" or  
105 | 8 of them) 
106 | } 
107 | 
108 | rule informational_NtdsAudit_AD_Audit_Tool { 
109 |    meta: 
110 |       description = "files - NtdsAudit.exe" 
111 |       author = "TheDFIRReport" 
112 |       date = "2021-07-25" 
113 |       hash1 = "fb49dce92f9a028a1da3045f705a574f3c1997fe947e2c69699b17f07e5a552b" 
114 |    strings: 
115 |       $x1 = "WARNING: Use of the --pwdump option will result in decryption of password hashes using the System Key." fullword wide 
116 |       $s2 = "costura.nlog.dll.compressed" fullword wide 
117 |       $s3 = "costura.microsoft.extensions.commandlineutils.dll.compressed" fullword wide 
118 |       $s4 = "Password hashes have only been dumped for the \"{0}\" domain." fullword wide 
119 |       $s5 = "The NTDS file contains user accounts with passwords stored using reversible encryption. Use the --dump-reversible option to outp" wide 
120 |       $s6 = "costura.system.valuetuple.dll.compressed" fullword wide 
121 |       $s7 = "TargetRNtdsAudit.NTCrypto.#DecryptDataUsingAes(System.Byte[],System.Byte[],System.Byte[])T" fullword ascii 
122 |       $s8 = "c:\\Code\\NtdsAudit\\src\\NtdsAudit\\obj\\Release\\NtdsAudit.pdb" fullword ascii 
123 |       $s9 = "NtdsAudit.exe" fullword wide 
124 |       $s10 = "costura.esent.interop.dll.compressed" fullword wide 
125 |       $s11 = "costura.costura.dll.compressed" fullword wide 
126 |       $s12 = "costura.registry.dll.compressed" fullword wide 
127 |       $s13 = "costura.nfluent.dll.compressed" fullword wide 
128 |       $s14 = "dumphashes" fullword ascii 
129 |       $s15 = "The path to output hashes in pwdump format." fullword wide 
130 |       $s16 = "Microsoft.Extensions.CommandLineUtils" fullword ascii 
131 |       $s17 = "If you require password hashes for other domains, please obtain the NTDS and SYSTEM files for each domain." fullword wide 
132 |       $s18 = "microsoft.extensions.commandlineutils" fullword wide 
133 |       $s19 = "-p | --pwdump <file>" fullword wide 
134 |       $s20 = "get_ClearTextPassword" fullword ascii 
135 |    condition: 
136 |       uint16(0) == 0x5a4d and filesize < 2000KB and 
137 |       1 of ($x*) and 4 of them 
138 | } 
139 | 
140 | rule informational_AdFind_AD_Recon_and_Admin_Tool {
141 |    meta: 
142 |       description = "files - AdFind.exe" 
143 |       author = "TheDFIRReport" 
144 |       date = "2021-07-25" 
145 |       hash1 = "b1102ed4bca6dae6f2f498ade2f73f76af527fa803f0e0b46e100d4cf5150682" 
146 |    strings: 
147 |       $s1 = "   -sc dumpugcinfo         Dump info for users/computers that have used UGC" fullword ascii 
148 |       $s2 = "   -sc computers_pwdnotreqd Dump computers set with password not required." fullword ascii 
149 |       $s3 = "   -sc computers_inactive  Dump computers that are disabled or password last set" fullword ascii 
150 |       $s4 = "   -sc computers_active    Dump computers that are enabled and password last" fullword ascii 
151 |       $s5 = "   -sc ridpool             Dump Decoded Rid Pool Info" fullword ascii 
152 |       $s6 = "      Get top 10 quota users in decoded format" fullword ascii 
153 |       $s7 = "   -po           Print options. This switch will dump to the command line" fullword ascii 
154 |       $s8 = "ERROR: Couldn't properly encode password - " fullword ascii 
155 |       $s9 = "   -sc users_accexpired    Dump accounts that are expired (NOT password expiration)." fullword ascii 
156 |       $s10 = "   -sc users_disabled      Dump disabled users." fullword ascii 
157 |       $s11 = "   -sc users_pwdnotreqd    Dump users set with password not required." fullword ascii 
158 |       $s12 = "   -sc users_noexpire      Dump non-expiring users." fullword ascii 
159 |       $s13 = "    adfind -default -rb ou=MyUsers -objfilefolder c:\\temp\\ad_out" fullword ascii 
160 |       $s14 = "      Dump all Exchange objects and their SMTP proxyaddresses" fullword ascii 
161 |       $s15 = "WLDAP32.DLL" fullword ascii 
162 |       $s16 = "AdFind.exe" fullword ascii 
163 |       $s17 = "                   duration attributes that will be decoded by the -tdc* switches." fullword ascii 
164 |       $s18 = "   -int8time- xx Remove attribute(s) from list to be decoded as int8. Semicolon delimited." fullword ascii 
165 |       $s19 = "replTopologyStayOfExecution" fullword ascii 
166 |       $s20 = "%s: [%s] Error 0x%0x (%d) - %s" fullword ascii 
167 |    condition: 
168 |       uint16(0) == 0x5a4d and filesize < 4000KB and 
169 |       8 of them 
170 | }
171 | 


--------------------------------------------------------------------------------
/6898/6898.yar:
--------------------------------------------------------------------------------
  1 | /*
  2 |    YARA Rule Set
  3 |    Author: The DFIR Report
  4 |    Date: 2021-11-14
  5 |    Identifier: Case 6898 Exchange Exploit Leads to Domain Wide Ransomware
  6 |    Reference: https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/
  7 | */
  8 | 
  9 | /* Rule Set ----------------------------------------------------------------- */
 10 | 
 11 | import "pe"
 12 | 
 13 | rule sig_6898_login_webshell {
 14 |    meta:
 15 |       description = "6898 - file login.aspx"
 16 |       author = "The DFIR Report"
 17 |       reference = "https://thedfirreport.com"
 18 |       date = "2021-11-14"
 19 |       hash1 = "98ccde0e1a5e6c7071623b8b294df53d8e750ff2fa22070b19a88faeaa3d32b0"
 20 |    strings:
 21 |       $s1 = "<asp:TextBox id='xpath' runat='server' Width='300px'>c:\\windows\\system32\\cmd.exe</asp:TextBox>        " fullword ascii
 22 |       $s2 = "myProcessStartInfo.UseShellExecute = false            " fullword ascii
 23 |       $s3 = "\"Microsoft.Exchange.ServiceHost.exe0r" fullword ascii
 24 |       $s4 = "myProcessStartInfo.Arguments=xcmd.text            " fullword ascii
 25 |       $s5 = "myProcess.StartInfo = myProcessStartInfo            " fullword ascii
 26 |       $s6 = "myProcess.Start()            " fullword ascii
 27 |       $s7 = "myProcessStartInfo.RedirectStandardOutput = true            " fullword ascii
 28 |       $s8 = "myProcess.Close()                       " fullword ascii
 29 |       $s9 = "Dim myStreamReader As StreamReader = myProcess.StandardOutput            " fullword ascii
 30 |       $s10 = "<%@ import Namespace='system.IO' %>" fullword ascii
 31 |       $s11 = "<%@ import Namespace='System.Diagnostics' %>" fullword ascii
 32 |       $s12 = "Dim myProcess As New Process()            " fullword ascii
 33 |       $s13 = "Dim myProcessStartInfo As New ProcessStartInfo(xpath.text)            " fullword ascii
 34 |       $s14 = "example.org0" fullword ascii
 35 |       $s16 = "<script runat='server'>      " fullword ascii
 36 |       $s17 = "<asp:TextBox id='xcmd' runat='server' Width='300px' Text='/c whoami'>/c whoami</asp:TextBox>        " fullword ascii
 37 |       $s18 = "<p><asp:Button id='Button' onclick='runcmd' runat='server' Width='100px' Text='Run'></asp:Button>        " fullword ascii
 38 |       $s19 = "Sub RunCmd()            " fullword ascii
 39 |    condition:
 40 |       uint16(0) == 0x8230 and filesize < 6KB and
 41 |       8 of them
 42 | }
 43 | 
 44 | rule aspx_gtonvbgidhh_webshell {
 45 |    meta:
 46 |       description = "6898 - file aspx_gtonvbgidhh.aspx"
 47 |       author = "The DFIR Report"
 48 |       reference = "https://thedfirreport.com"
 49 |       date = "2021-11-14"
 50 |       hash1 = "dc4186dd9b3a4af8565f87a9a799644fce8af25e3ee8777d90ae660d48497a04"
 51 |    strings:
 52 |       $s1 = "info.UseShellExecute = false;" fullword ascii
 53 |       $s2 = "info.Arguments = \"/c \" + command;" fullword ascii
 54 |       $s3 = "var dstFile = Path.Combine(dstDir, Path.GetFileName(httpPostedFile.FileName));" fullword ascii
 55 |       $s4 = "info.FileName = \"powershell.exe\";" fullword ascii
 56 |       $s5 = "using (StreamReader streamReader = process.StandardError)" fullword ascii
 57 |       $s6 = "return httpPostedFile.FileName + \" Uploaded to: \" + dstFile;" fullword ascii
 58 |       $s7 = "httpPostedFile.InputStream.Read(buffer, 0, fileLength);" fullword ascii
 59 |       $s8 = "int fileLength = httpPostedFile.ContentLength;" fullword ascii
 60 |       $s9 = "result = result +  Environment.NewLine + \"ERROR:\" + Environment.NewLine + error;" fullword ascii
 61 |       $s10 = "ALAAAAAAAAAAA" fullword ascii /* base64 encoded string ',' */
 62 |       $s11 = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" ascii /* base64 encoded string '' */
 63 |       $s12 = "var result = delimiter +  this.RunIt(Request.Params[\"exec_code\"]) + delimiter;" fullword ascii
 64 |       $s13 = "AAAAAAAAAAAAAAAAAAAAAAAA6AAAAAAAAAAAAAAA" ascii /* base64 encoded string ':' */
 65 |       $s14 = "using (StreamReader streamReader = process.StandardOutput)" fullword ascii
 66 |       $s15 = "private string RunIt(string command)" fullword ascii
 67 |       $s16 = "Process process = Process.Start(info);" fullword ascii
 68 |       $s17 = "ProcessStartInfo info = new ProcessStartInfo();" fullword ascii
 69 |       $s18 = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA6" ascii /* base64 encoded string ':' */
 70 |       $s19 = "6AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" ascii /* base64 encoded string '' */
 71 |       $s20 = "if (Request.Params[\"exec_code\"] == \"put\")" fullword ascii
 72 |    condition:
 73 |       uint16(0) == 0x4221 and filesize < 800KB and
 74 |       8 of them
 75 | }
 76 | 
 77 | rule aspx_qdajscizfzx_webshell {
 78 |    meta:
 79 |       description = "6898 - file aspx_qdajscizfzx.aspx"
 80 |       author = "The DFIR Report"
 81 |       reference = "https://thedfirreport.com"
 82 |       date = "2021-11-14"
 83 |       hash1 = "60d22223625c86d7f3deb20f41aec40bc8e1df3ab02cf379d95554df05edf55c"
 84 |    strings:
 85 |       $s1 = "info.FileName = \"cmd.exe\";" fullword ascii
 86 |       $s2 = "info.UseShellExecute = false;" fullword ascii
 87 |       $s3 = "info.Arguments = \"/c \" + command;" fullword ascii
 88 |       $s4 = "var dstFile = Path.Combine(dstDir, Path.GetFileName(httpPostedFile.FileName));" fullword ascii
 89 |       $s5 = "using (StreamReader streamReader = process.StandardError)" fullword ascii
 90 |       $s6 = "return httpPostedFile.FileName + \" Uploaded to: \" + dstFile;" fullword ascii
 91 |       $s7 = "httpPostedFile.InputStream.Read(buffer, 0, fileLength);" fullword ascii
 92 |       $s8 = "int fileLength = httpPostedFile.ContentLength;" fullword ascii
 93 |       $s9 = "result = result +  Environment.NewLine + \"ERROR:\" + Environment.NewLine + error;" fullword ascii
 94 |       $s10 = "ALAAAAAAAAAAA" fullword ascii /* base64 encoded string ',' */
 95 |       $s11 = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" ascii /* base64 encoded string '' */
 96 |       $s12 = "var result = delimiter +  this.RunIt(Request.Params[\"exec_code\"]) + delimiter;" fullword ascii
 97 |       $s13 = "AAAAAAAAAAAAAAAAAAAAAAAA6AAAAAAAAAAAAAAA" ascii /* base64 encoded string ':' */
 98 |       $s14 = "using (StreamReader streamReader = process.StandardOutput)" fullword ascii
 99 |       $s15 = "private string RunIt(string command)" fullword ascii
100 |       $s16 = "Process process = Process.Start(info);" fullword ascii
101 |       $s17 = "ProcessStartInfo info = new ProcessStartInfo();" fullword ascii
102 |       $s18 = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA6" ascii /* base64 encoded string ':' */
103 |       $s19 = "6AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" ascii /* base64 encoded string '' */
104 |       $s20 = "if (Request.Params[\"exec_code\"] == \"put\")" fullword ascii
105 |    condition:
106 |       uint16(0) == 0x4221 and filesize < 800KB and
107 |       8 of them
108 | }
109 | 
110 | rule sig_6898_dcrypt {
111 |    meta:
112 |       description = "6898 - file dcrypt.exe"
113 |       author = "The DFIR Report"
114 |       reference = "https://thedfirreport.com"
115 |       date = "2021-11-14"
116 |       hash1 = "02ac3a4f1cfb2723c20f3c7678b62c340c7974b95f8d9320941641d5c6fd2fee"
117 |    strings:
118 |       $s1 = "For more detailed information, please visit http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline" fullword wide
119 |       $s2 = "Causes Setup to create a log file in the user's TEMP directory." fullword wide
120 |       $s3 = "Prevents the user from cancelling during the installation process." fullword wide
121 |       $s4 = "/http://crl4.digicert.com/sha2-assured-cs-g1.crl0L" fullword ascii
122 |       $s5 = "Same as /LOG, except it allows you to specify a fixed path/filename to use for the log file." fullword wide
123 |       $s6 = "/PASSWORD=password" fullword wide
124 |       $s7 = "The Setup program accepts optional command line parameters." fullword wide
125 |       $s8 = "Overrides the default component settings." fullword wide
126 |       $s9 = "Specifies the password to use." fullword wide
127 |       $s10 = "/MERGETASKS=\"comma separated list of task names\"" fullword wide
128 |       $s11 = "Instructs Setup to load the settings from the specified file after having checked the command line." fullword wide
129 |       $s12 = "/DIR=\"x:\\dirname\"" fullword wide
130 |       $s13 = "http://diskcryptor.org/                                     " fullword wide
131 |       $s14 = "Prevents Setup from restarting the system following a successful installation, or after a Preparing to Install failure that requ" wide
132 |       $s15 = "HBPLg.sse" fullword ascii
133 |       $s16 = "/LOG=\"filename\"" fullword wide
134 |       $s17 = "Overrides the default folder name." fullword wide
135 |       $s18 = "Overrides the default setup type." fullword wide
136 |       $s19 = "Overrides the default directory name." fullword wide
137 |       $s20 = "* AVz'" fullword ascii
138 |    condition:
139 |       uint16(0) == 0x5a4d and filesize < 5000KB and
140 |       ( pe.imphash() == "48aa5c8931746a9655524f67b25a47ef" and all of them )
141 | }
142 | 


--------------------------------------------------------------------------------
/7685/7685.yar:
--------------------------------------------------------------------------------
  1 | /*
  2 |    YARA Rule Set
  3 |    Author: The DFIR Report
  4 |    Date: 2022-02-07
  5 |    Identifier: Case 7685 Qbot Likes to Move It, Move It
  6 |    Reference: https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/
  7 | */
  8 | 
  9 | /* Rule Set ----------------------------------------------------------------- */
 10 | 
 11 | import "pe"
 12 | 
 13 | rule tuawktso_7685 {
 14 |    meta:
 15 |       description = "Files - file tuawktso.vbe"
 16 |       author = "The DFIR Report"
 17 |       reference = "https://thedfirreport.com"
 18 |       date = "2022-02-01"
 19 |       hash1 = "1411250eb56c55e274fbcf0741bbd3b5c917167d153779c7d8041ab2627ef95f"
 20 |    strings:
 21 |       $s1 = "* mP_5z" fullword ascii
 22 |       $s2 = "44:HD:\\C" fullword ascii
 23 |       $s3 = "zoT.tid" fullword ascii
 24 |       $s4 = "dwmcoM<" fullword ascii
 25 |       $s5 = "1iHBuSER:" fullword ascii
 26 |       $s6 = "78NLog.j" fullword ascii
 27 |       $s7 = "-FtP4p" fullword ascii
 28 |       $s8 = "x<d%[ * " fullword ascii
 29 |       $s9 = "O2f+  " fullword ascii
 30 |       $s10 = "- wir2" fullword ascii
 31 |       $s11 = "+ \"z?}xn$" fullword ascii
 32 |       $s12 = "+ $Vigb" fullword ascii
 33 |       $s13 = "# W}7k" fullword ascii
 34 |       $s14 = "# N)M)9" fullword ascii
 35 |       $s15 = "?uE- dO" fullword ascii
 36 |       $s16 = "W_* 32" fullword ascii
 37 |       $s17 = ">v9+ H" fullword ascii
 38 |       $s18 = "tUg$* h" fullword ascii
 39 |       $s19 = "`\"*- M" fullword ascii
 40 |       $s20 = "b^D$ -L" fullword ascii
 41 |    condition:
 42 |       uint16(0) == 0xe0ee and filesize < 12000KB and
 43 |       8 of them
 44 | }
 45 | 
 46 | rule wmyvpa_7685 {
 47 |    meta:
 48 |       description = "Files - file wmyvpa.sae"
 49 |       author = "The DFIR Report"
 50 |       reference = "https://thedfirreport.com"
 51 |       date = "2022-02-01"
 52 |       hash1 = "3d913a4ba5c4f7810ec6b418d7a07b6207b60e740dde8aed3e2df9ddf1caab27"
 53 |    strings:
 54 |       $s1 = "spfX.hRN<" fullword ascii
 55 |       $s2 = "wJriR>EOODA[.tIM" fullword ascii
 56 |       $s3 = "5v:\\VAL" fullword ascii
 57 |       $s4 = "K6U:\"&" fullword ascii
 58 |       $s5 = "%v,.IlZ\\" fullword ascii
 59 |       $s6 = "\\/kX>%n -" fullword ascii
 60 |       $s7 = "!Dllqj" fullword ascii
 61 |       $s8 = "&ZvM* " fullword ascii
 62 |       $s9 = "AU8]+ " fullword ascii
 63 |       $s10 = "- vt>h" fullword ascii
 64 |       $s11 = "+ u4hRI" fullword ascii
 65 |       $s12 = "ToX- P" fullword ascii
 66 |       $s13 = "S!G+ u" fullword ascii
 67 |       $s14 = "y 9-* " fullword ascii
 68 |       $s15 = "nl}* J" fullword ascii
 69 |       $s16 = "t /Y Fo" fullword ascii
 70 |       $s17 = "O^w- F" fullword ascii
 71 |       $s18 = "N -Vw'" fullword ascii
 72 |       $s19 = "hVHjzI4" fullword ascii
 73 |       $s20 = "ujrejn8" fullword ascii
 74 |    condition:
 75 |       uint16(0) == 0xd3c2 and filesize < 12000KB and
 76 |       8 of them
 77 | }
 78 | 
 79 | rule ocrafh_html_7685 {
 80 |    meta:
 81 |       description = "Files - file ocrafh.html.dll"
 82 |       author = "The DFIR Report"
 83 |       reference = "https://thedfirreport.com"
 84 |       date = "2022-02-01"
 85 |       hash1 = "956ecb4afa437eafe56f958b34b6a78303ad626baee004715dc6634b7546bf85"
 86 |    strings:
 87 |       $s1 = "Over.dll" fullword wide
 88 |       $s2 = "c:\\339\\Soon_Back\\Hope\\Wing\\Subject-sentence\\Over.pdb" fullword ascii
 89 |       $s3 = "7766333344" ascii /* hex encoded string 'wf33D' */
 90 |       $s4 = "6655557744" ascii /* hex encoded string 'fUUwD' */
 91 |       $s5 = "7733225566" ascii /* hex encoded string 'w3"Uf' */
 92 |       $s6 = "5577445500" ascii /* hex encoded string 'UwDU' */
 93 |       $s7 = "113333" ascii /* reversed goodware string '333311' */
 94 |       $s8 = "'56666" fullword ascii /* reversed goodware string '66665'' */
 95 |       $s9 = "224444" ascii /* reversed goodware string '444422' */
 96 |       $s10 = "0044--" fullword ascii /* reversed goodware string '--4400' */
 97 |       $s11 = "444455" ascii /* reversed goodware string '554444' */
 98 |       $s12 = "5555//" fullword ascii /* reversed goodware string '//5555' */
 99 |       $s13 = "44...." fullword ascii /* reversed goodware string '....44' */
100 |       $s14 = ",,,2255//5566" fullword ascii /* hex encoded string '"UUf' */
101 |       $s15 = "44//446644//" fullword ascii /* hex encoded string 'DDfD' */
102 |       $s16 = "7755//44----." fullword ascii /* hex encoded string 'wUD' */
103 |       $s17 = "?^.4444--,,55" fullword ascii /* hex encoded string 'DDU' */
104 |       $s18 = "66,,5566////55" fullword ascii /* hex encoded string 'fUfU' */
105 |       $s19 = "operator co_await" fullword ascii
106 |       $s20 = "?\"55//////77" fullword ascii /* hex encoded string 'Uw' */
107 |    condition:
108 |       uint16(0) == 0x5a4d and filesize < 2000KB and
109 |       ( pe.imphash() == "fadf54554241c990b4607d042e11e465" and ( pe.exports("Dropleave") and pe.exports("GlassExercise") and pe.exports("Mehope") and pe.exports("Top") ) or 8 of them )
110 | }
111 | 
112 | rule ljncxcwmsg_7685 {
113 |    meta:
114 |       description = "Files - file ljncxcwmsg.gjf"
115 |       author = "The DFIR Report"
116 |       reference = "https://thedfirreport.com"
117 |       date = "2022-02-01"
118 |       hash1 = "c789bb45cacf0de1720e707f9edd73b4ed0edc958b3ce2d8f0ad5d4a7596923a"
119 |    strings:
120 |       $s1 = "x=M:\"*" fullword ascii
121 |       $s2 = "=DdlLxu" fullword ascii
122 |       $s3 = "#+- 7 " fullword ascii
123 |       $s4 = "1CTxH* " fullword ascii
124 |       $s5 = "OF0+ K" fullword ascii
125 |       $s6 = "\\oNvd4Ww" fullword ascii
126 |       $s7 = "jvKSZ21" fullword ascii
127 |       $s8 = "o%U%uhuc]" fullword ascii
128 |       $s9 = "~rCcqlf1 0" fullword ascii
129 |       $s10 = "kjoYf^=8" fullword ascii
130 |       $s11 = "jpOMR4}" fullword ascii
131 |       $s12 = "ZIIUn'u" fullword ascii
132 |       $s13 = "7uCyy7=H" fullword ascii
133 |       $s14 = "#c.sel}W" fullword ascii
134 |       $s15 = ")t)uSKv%&}" fullword ascii
135 |       $s16 = "VGiAP/o(" fullword ascii
136 |       $s17 = "SwcF~i`" fullword ascii
137 |       $s18 = "*ITDe5\\n" fullword ascii
138 |       $s19 = "MjKB!X" fullword ascii
139 |       $s20 = "tjfVUus" fullword ascii
140 |    condition:
141 |       uint16(0) == 0xa5a4 and filesize < 2000KB and
142 |       8 of them
143 | }
144 | 
145 | rule hyietnrfrx_7685 {
146 |    meta:
147 |       description = "Files - file hyietnrfrx.uit"
148 |       author = "The DFIR Report"
149 |       reference = "https://thedfirreport.com"
150 |       date = "2022-02-01"
151 |       hash1 = "70a49561f39bb362a2ef79db15e326812912c17d6e6eb38ef40343a95409a19a"
152 |    strings:
153 |       $s1 = "Z)* -^'" fullword ascii
154 |       $s2 = "%EGMf%mzT" fullword ascii
155 |       $s3 = "CYR:\"n" fullword ascii
156 |       $s4 = "CbIN$P;" fullword ascii
157 |       $s5 = "We:\\>K" fullword ascii
158 |       $s6 = "h^nd* " fullword ascii
159 |       $s7 = "+ GR;q" fullword ascii
160 |       $s8 = "u%P%r2A" fullword ascii
161 |       $s9 = "ti+ gj?" fullword ascii
162 |       $s10 = "glMNdH8" fullword ascii
163 |       $s11 = "SuiMFrn7" fullword ascii
164 |       $s12 = "K* B5T" fullword ascii
165 |       $s13 = "eLpsNt " fullword ascii
166 |       $s14 = "aQeG% SMF " fullword ascii
167 |       $s15 = "JdYQ67 " fullword ascii
168 |       $s16 = "f>xYrBDvNF+Q" fullword ascii
169 |       $s17 = "OESW[>O" fullword ascii
170 |       $s18 = "9rlPY5__" fullword ascii
171 |       $s19 = "DMvH{}L" fullword ascii
172 |       $s20 = ".dgQ>H" fullword ascii
173 |    condition:
174 |       uint16(0) == 0x4eee and filesize < 2000KB and
175 |       8 of them
176 | }
177 | 
178 | rule zsokarzi_7685 {
179 |    meta:
180 |       description = "Files - file zsokarzi.xpq"
181 |       author = "The DFIR Report"
182 |       reference = "https://thedfirreport.com"
183 |       date = "2022-02-01"
184 |       hash1 = "cbfc135bff84d63c4a0ccb5102cfa17d8c9bf297079f3b2f1371dafcbefea77c"
185 |    strings:
186 |       $s1 = "}poSpY" fullword ascii
187 |       $s2 = "[cmD>S" fullword ascii
188 |       $s3 = "# {y|4" fullword ascii
189 |       $s4 = "IX%k%5u" fullword ascii
190 |       $s5 = "YKeial7" fullword ascii
191 |       $s6 = "#%y% !" fullword ascii
192 |       $s7 = "wOUV591" fullword ascii
193 |       $s8 = "| VJHt}&Y" fullword ascii
194 |       $s9 = "BEgs% 5" fullword ascii
195 |       $s10 = "UKCy\\n" fullword ascii
196 |       $s11 = "w;gOxQ?" fullword ascii
197 |       $s12 = "'OHSf\"/x" fullword ascii
198 |       $s13 = "=#qVNkOnj" fullword ascii
199 |       $s14 = "{_OqzbVbN" fullword ascii
200 |       $s15 = "QEQro\\4" fullword ascii
201 |       $s16 = "ohFq\\P" fullword ascii
202 |       $s17 = "34eYZVnp2" fullword ascii
203 |       $s18 = "rxuqLDG" fullword ascii
204 |       $s19 = "kUZI6J#" fullword ascii
205 |       $s20 = "IEJl1}+" fullword ascii
206 |    condition:
207 |       uint16(0) == 0xc1d7 and filesize < 2000KB and
208 |       8 of them
209 | }
210 | 
211 | rule znmxbx_7685 {
212 |    meta:
213 |       description = "Files - file znmxbx.evj"
214 |       author = "The DFIR Report"
215 |       reference = "https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/"
216 |       date = "2022-02-01"
217 |       hash1 = "e510566244a899d6a427c1648e680a2310c170a5f25aff53b15d8de52ca11767"
218 |    strings:
219 |       $s1 = "# /rL,;" fullword ascii
220 |       $s2 = "* m?#;rE" fullword ascii
221 |       $s3 = ">\\'{6|B{" fullword ascii /* hex encoded string 'k' */
222 |       $s4 = "36\\$'48`" fullword ascii /* hex encoded string '6H' */
223 |       $s5 = "&#$2\\&6&[" fullword ascii /* hex encoded string '&' */
224 |       $s6 = "zduwzpa" fullword ascii
225 |       $s7 = "CFwH}&.MWi " fullword ascii
226 |       $s8 = "e72.bCZ<" fullword ascii
227 |       $s9 = "*c:\"HK!\\" fullword ascii
228 |       $s10 = "mBf:\"t~" fullword ascii
229 |       $s11 = "7{R:\"O`" fullword ascii
230 |       $s12 = "7SS.koK#" fullword ascii
231 |       $s13 = "7lS od:\\" fullword ascii
232 |       $s14 = "kMRWSyi$%D^b" fullword ascii
233 |       $s15 = "Wkz=c:\\" fullword ascii
234 |       $s16 = "1*l:\"L" fullword ascii
235 |       $s17 = "GF8$d:\\T" fullword ascii
236 |       $s18 = "i$\".N8spy" fullword ascii
237 |       $s19 = "f4LOg@" fullword ascii
238 |       $s20 = "XiRcwU" fullword ascii
239 |    condition:
240 |       uint16(0) == 0x3888 and filesize < 12000KB and
241 |       8 of them
242 | }
243 | 


--------------------------------------------------------------------------------
/8734/8734.yar:
--------------------------------------------------------------------------------
 1 | /*
 2 |    YARA Rule Set
 3 |    Author: The DFIR Report
 4 |    Date: 2022-02-20
 5 |    Identifier: Case 8734 Qbot and Zerologon Lead To Full Domain Compromise
 6 |    Reference: https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
 7 | */
 8 | 
 9 | 
10 | /* Rule Set ----------------------------------------------------------------- */
11 | 
12 | 
13 | import "pe"
14 | 
15 | 
16 | rule qbot_8734_payload_dll {
17 |    meta:
18 |       description = "files - file e2bc969424adc97345ac81194d316f58da38621aad3ca7ae27e40a8fae582987"
19 |       author = "The DFIR Report"
20 |       reference = "https://thedfirreport.com"
21 |       date = "2022-02-20"
22 |       hash1 = "e2bc969424adc97345ac81194d316f58da38621aad3ca7ae27e40a8fae582987"
23 |    strings:
24 |       $s1 = "Terfrtghygine.dll" fullword ascii
25 |       $s2 = "Winamp can read extended metadata for titles. Choose when this happens:" fullword wide /* Goodware String - occured 1 times */
26 |       $s3 = "Read metadata when file(s) are loaded into Winamp" fullword wide /* Goodware String - occured 1 times */
27 |       $s4 = "Use advanced title formatting when possible" fullword wide /* Goodware String - occured 1 times */
28 |       $s5 = "PQVW=!?" fullword ascii
29 |       $s6 = "Show underscores in titles as spaces" fullword wide /* Goodware String - occured 1 times */
30 |       $s7 = "Advanced title display format :" fullword wide /* Goodware String - occured 1 times */
31 |       $s8 = "CreatePaint" fullword ascii
32 |       $s9 = "PQRVW=2\"" fullword ascii
33 |       $s10 = "Advanced Title Formatting" fullword wide /* Goodware String - occured 1 times */
34 |       $s11 = "Read metadata when file(s) are played or viewed in the playlist editor" fullword wide /* Goodware String - occured 1 times */
35 |       $s12 = "Show '%20's in titles as spaces" fullword wide /* Goodware String - occured 1 times */
36 |       $s13 = "Example : \"%artist% - %title%\"" fullword wide /* Goodware String - occured 1 times */
37 |       $s14 = "PQRVW=g" fullword ascii
38 |       $s15 = "PQRW=e!" fullword ascii
39 |       $s16 = "ATF Help" fullword wide /* Goodware String - occured 1 times */
40 |       $s17 = "(this can be slow if a large number of files are added at once)" fullword wide /* Goodware String - occured 1 times */
41 |       $s18 = "PQRVW=$" fullword ascii
42 |       $s19 = "Metadata Reading" fullword wide /* Goodware String - occured 1 times */
43 |       $s20 = "Other field names: %artist%, %album%, %title%, %track%, %year%, %genre%, %comment%, %filename%, %disc%, %rating%, ..." fullword wide /* Goodware String - occured 1 times */
44 |    condition:
45 |       uint16(0) == 0x5a4d and filesize < 2000KB and
46 |       ( pe.imphash() == "aa8a9db10fba890f8ef9edac427eab82" and pe.exports("CreatePaint") or 8 of them )
47 | }
48 | 
49 | 
50 | rule qbot_dll_8734 {
51 |    meta:
52 |       description = "files - qbot.dll"
53 |       author = "TheDFIRReport"
54 |       reference = "QBOT_DLL"
55 |       date = "2021-12-04"
56 |       hash1 = "4d3b10b338912e7e1cbade226a1e344b2b4aebc1aa2297ce495e27b2b0b5c92b"
57 |    strings:
58 |       $s1 = "Execute not supported: %sfField '%s' is not the correct type of calculated field to be used in an aggregate, use an internalcalc" wide
59 |       $s2 = "IDAPI32.DLL" fullword ascii
60 |       $s3 = "ResetUsageDataActnExecute" fullword ascii
61 |       $s4 = "idapi32.DLL" fullword ascii
62 |       $s5 = "ShowHintsActnExecute" fullword ascii
63 |       $s6 = "OnExecute@iG" fullword ascii
64 |       $s7 = "OnExecutexnD" fullword ascii
65 |       $s8 = "ShowShortCutsInTipsActnExecute" fullword ascii
66 |       $s9 = "ResetActnExecute " fullword ascii
67 |       $s10 = "RecentlyUsedActnExecute" fullword ascii
68 |       $s11 = "LargeIconsActnExecute" fullword ascii
69 |       $s12 = "ResetActnExecute" fullword ascii
70 |       $s13 = "OnExecute<" fullword ascii
71 |       $s14 = "TLOGINDIALOG" fullword wide
72 |       $s15 = "%s%s:\"%s\";" fullword ascii
73 |       $s16 = ":\":&:7:?:C:\\:" fullword ascii /* hex encoded string '|' */
74 |       $s17 = "LoginPrompt" fullword ascii
75 |       $s18 = "TLoginDialog" fullword ascii
76 |       $s19 = "OnLogin" fullword ascii
77 |       $s20 = "Database Login" fullword ascii
78 |    condition:
79 |       uint16(0) == 0x5a4d and filesize < 3000KB and
80 |       12 of them
81 | }
82 | 


--------------------------------------------------------------------------------
/9438/9438.yar:
--------------------------------------------------------------------------------
 1 | /* 
 2 |    YARA Rule Set 
 3 |    Author: The DFIR Report 
 4 |    Date: 2022-04-04
 5 |    Identifier: Case 9438 Stolen Images Campaign Ends in Conti Ransomware
 6 |    Reference: https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/
 7 | */ 
 8 | 
 9 | 
10 | /* Rule Set ----------------------------------------------------------------- */ 
11 | 
12 | 
13 | rule cs_exe_9438 {
14 |    meta:
15 |       description = "9438 - file Faicuy4.exe"
16 |       author = "TheDFIRReport"
17 |       reference = "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/"
18 |       date = "2022-04-04"
19 |       hash1 = "a79f5ce304707a268b335f63d15e2d7d740b4d09b6e7d095d7d08235360e739c"
20 |    strings:
21 |       $x1 = "C:\\Users\\Administrator\\Documents\\Visual Studio 2008\\Projects\\MUTEXES\\x64\\Release\\MUTEXES.pdb" fullword ascii
22 |       $s2 = "mutexes Version 1.0" fullword wide
23 |       $s3 = "        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>" fullword ascii
24 |       $s4 = ".?AVCMutexesApp@@" fullword ascii
25 |       $s5 = ".?AVCMutexesDlg@@" fullword ascii
26 |       $s6 = "About mutexes" fullword wide
27 |       $s7 = "Mutexes Sample" fullword wide
28 |       $s8 = " 1992 - 2001 Microsoft Corporation.  All rights reserved." fullword wide
29 |       $s9 = "&Process priority class:" fullword wide
30 |       $s10 = " Type Descriptor'" fullword ascii
31 |       $s11 = "&About mutexes..." fullword wide
32 |       $s12 = " constructor or from DllMain." fullword ascii
33 |       $s13 = ".?AVCDisplayThread@@" fullword ascii
34 |       $s14 = "IsQ:\"P" fullword ascii
35 |       $s15 = "CExampleThread" fullword ascii
36 |       $s16 = ".?AVCCounterThread@@" fullword ascii
37 |       $s17 = ".?AVCExampleThread@@" fullword ascii
38 |       $s18 = "  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">" fullword ascii
39 |       $s19 = "CDisplayThread" fullword ascii
40 |       $s20 = "CCounterThread" fullword ascii
41 |    condition:
42 |       uint16(0) == 0x5a4d and filesize < 2000KB and
43 |       1 of ($x*) and 4 of them
44 | }
45 | 
46 | 
47 | rule conti_dll_9438 {
48 |    meta:
49 |       description = "9438 - file x64.dll"
50 |       author = "TheDFIRReport"
51 |       reference = "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/"
52 |       date = "2022-04-04"
53 |       hash1 = "8fb035b73bf207243c9b29d96e435ce11eb9810a0f4fdcc6bb25a14a0ec8cc21"
54 |    strings:
55 |       $s1 = "AppPolicyGetProcessTerminationMethod" fullword ascii
56 |       $s2 = "conti_v3.dll" fullword ascii
57 |       $s3 = "        <requestedExecutionLevel level='asInvoker' uiAccess='false' />" fullword ascii
58 |       $s4 = "api-ms-win-core-processthreads-l1-1-2" fullword wide
59 |       $s5 = "ext-ms-win-ntuser-dialogbox-l1-1-0" fullword wide
60 |       $s6 = " Type Descriptor'" fullword ascii
61 |       $s7 = "operator \"\" " fullword ascii
62 |       $s8 = "operator co_await" fullword ascii
63 |       $s9 = "  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">" fullword ascii
64 |       $s10 = "api-ms-win-rtcore-ntuser-window-l1-1-0" fullword wide
65 |       $s11 = "api-ms-win-security-systemfunctions-l1-1-0" fullword wide
66 |       $s12 = "ext-ms-win-ntuser-windowstation-l1-1-0" fullword wide
67 |       $s13 = "api-ms-win-appmodel-runtime-l1-1-2" fullword wide
68 |       $s14 = " Base Class Descriptor at (" fullword ascii
69 |       $s15 = " Class Hierarchy Descriptor'" fullword ascii
70 |       $s16 = "bad array new length" fullword ascii
71 |       $s17 = " Complete Object Locator'" fullword ascii
72 |       $s18 = ".data$r" fullword ascii
73 |       $s19 = " delete[]" fullword ascii
74 |       $s20 = "  </trustInfo>" fullword ascii
75 |    condition:
76 |       uint16(0) == 0x5a4d and filesize < 700KB and
77 |       all of them
78 | }
79 | 


--------------------------------------------------------------------------------
/9893/9893.yar:
--------------------------------------------------------------------------------
  1 | rule files_dhvqx {
  2 |    meta:
  3 |       description = "9893_files - file dhvqx.aspx"
  4 |       author = "TheDFIRReport"
  5 |       reference = "https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/"
  6 |       date = "2022-03-21"
  7 |       hash1 = "c5aae30675cc1fd83fd25330cec245af744b878a8f86626d98b8e7fcd3e970f8"
  8 |    strings:
  9 |       $s1 = "eval(Request['exec_code'],'unsafe');Response.End;" fullword ascii
 10 |       $s2 = "6<script language='JScript' runat='server'>" fullword ascii
 11 |       $s3 = "AEALAAAAAAAAAAA" fullword ascii
 12 |       $s4 = "AFAVAJA" fullword ascii
 13 |       $s5 = "AAAAAAV" fullword ascii
 14 |       $s6 = "LAAAAAAA" fullword ascii
 15 |       $s7 = "ANAZAQA" fullword ascii
 16 |       $s8 = "ALAAAAA" fullword ascii
 17 |       $s9 = "AAAAAEA" ascii
 18 |       $s10 = "ALAHAUA" fullword ascii
 19 |    condition:
 20 |       uint16(0) == 0x4221 and filesize < 800KB and
 21 |       ($s1 and $s2)  and 4 of them
 22 | }
 23 | 
 24 | 
 25 | rule aspx_dyukbdcxjfi {
 26 |    meta:
 27 |       description = "9893_files - file aspx_dyukbdcxjfi.aspx"
 28 |       author = "TheDFIRReport"
 29 |       reference = "https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/"
 30 |       date = "2022-03-21"
 31 |       hash1 = "84f77fc4281ebf94ab4897a48aa5dd7092cc0b7c78235965637eeef0908fb6c7"
 32 |    strings:
 33 |       $s1 = "string[] commands = exec_code.Substring(\"run \".Length).Split(new[] { ';' }, StringSplitOptions.RemoveEmpty" ascii
 34 |       $s2 = "string[] commands = exec_code.Substring(\"run \".Length).Split(new[] { ';' }, StringSplitOptions.RemoveEmpty" ascii
 35 |       $s3 = "var dstFile = Path.Combine(dstDir, Path.GetFileName(httpPostedFile.FileName));" fullword ascii
 36 |       $s4 = "info.UseShellExecute = false;" fullword ascii
 37 |       $s5 = "using (StreamReader streamReader = process.StandardError)" fullword ascii
 38 |       $s6 = "return httpPostedFile.FileName + \" Uploaded to: \" + dstFile;" fullword ascii
 39 |       $s7 = "else if (exec_code.StartsWith(\"download \"))" fullword ascii
 40 |       $s8 = "string[] parts = exec_code.Substring(\"download \".Length).Split(' ');" fullword ascii
 41 |       $s9 = "Response.AppendHeader(\"Content-Disposition\", \"attachment; filename=\" + fileName);" fullword ascii
 42 |       $s10 = "result = result + Environment.NewLine + \"ERROR:\" + Environment.NewLine + error;" fullword ascii
 43 |       $s11 = "else if (exec_code == \"get\")" fullword ascii
 44 |       $s12 = "int fileLength = httpPostedFile.ContentLength;" fullword ascii
 45 |    condition:
 46 |       uint16(0) == 0x4221 and filesize < 800KB and
 47 |       8 of them
 48 | }
 49 | 
 50 | 
 51 | rule files_user {
 52 |    meta:
 53 |       description = "9893_files - file user.exe"
 54 |       author = "TheDFIRReport"
 55 |       reference = "https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/"
 56 |       date = "2022-03-21"
 57 |       hash1 = "7b5fbbd90eab5bee6f3c25aa3c2762104e219f96501ad6a4463e25e6001eb00b"
 58 |    strings:
 59 |       $x1 = "PA<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?> <assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVer" ascii
 60 |       $s2 = "\", or \"requireAdministrator\" --> <v3:requestedExecutionLevel level=\"requireAdministrator\" /> </v3:requestedPrivileges> </v3" ascii
 61 |       $s3 = "-InitOnceExecuteOnce" fullword ascii
 62 |       $s4 = "0\"> <dependency> <dependentAssembly> <assemblyIdentity type=\"win32\" name=\"Microsoft.Windows.Common-Controls\" version=\"6.0." ascii
 63 |       $s5 = "s:v3=\"urn:schemas-microsoft-com:asm.v3\"> <v3:security> <v3:requestedPrivileges> <!-- level can be \"asInvoker\", \"highestAvai" ascii
 64 |       $s6 = "PB_GadgetStack_%I64i" fullword ascii
 65 |       $s7 = "PB_DropAccept" fullword ascii
 66 |       $s8 = "rocessorArchitecture=\"*\" publicKeyToken=\"6595b64144ccf1df\" language=\"*\" /> </dependentAssembly> </dependency> <v3:trustInf" ascii
 67 |       $s9 = "PB_PostEventMessage" fullword ascii
 68 |       $s10 = "PB_WindowID" fullword ascii
 69 |       $s11 = "?GetLongPathNameA" fullword ascii
 70 |       $s12 = "Memory page error" fullword ascii
 71 |       $s13 = "PPPPPPH" fullword ascii
 72 |       $s14 = "YZAXAYH" fullword ascii
 73 |       $s15 = "%d:%I64d:%I64d:%I64d" fullword ascii
 74 |       $s16 = "NGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDI" ascii
 75 |       $s17 = "PYZAXAYH" fullword ascii
 76 |       $s18 = "PB_MDI_Gadget" fullword ascii
 77 |       $s19 = "PA<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?> <assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVer" ascii
 78 |       $s20 = " 46B722FD25E69870FA7711924BC5304D 787242D55F2C49A23F5D97710D972108 A2DB26CE3BBE7B2CB12F9BEFB37891A3" fullword wide
 79 |    condition:
 80 |       uint16(0) == 0x5a4d and filesize < 300KB and
 81 |       1 of ($x*) and 4 of them
 82 | }
 83 | 
 84 | 
 85 | rule task_update {
 86 |    meta:
 87 |       description = "9893_files - file task_update.exe"
 88 |       author = "TheDFIRReport"
 89 |       reference = "https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/"
 90 |       date = "2022-03-21"
 91 |       hash1 = "12c6da07da24edba13650cd324b2ad04d0a0526bb4e853dee03c094075ff6d1a"
 92 |    strings:
 93 |       $x1 = "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?> <assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersi" ascii
 94 |       $s2 = " or \"requireAdministrator\" --> <v3:requestedExecutionLevel level=\"requireAdministrator\" /> </v3:requestedPrivileges> </v3:se" ascii
 95 |       $s3 = "-InitOnceExecuteOnce" fullword ascii
 96 |       $s4 = "> <dependency> <dependentAssembly> <assemblyIdentity type=\"win32\" name=\"Microsoft.Windows.Common-Controls\" version=\"6.0.0.0" ascii
 97 |       $s5 = "v3=\"urn:schemas-microsoft-com:asm.v3\"> <v3:security> <v3:requestedPrivileges> <!-- level can be \"asInvoker\", \"highestAvaila" ascii
 98 |       $s6 = "PB_GadgetStack_%I64i" fullword ascii
 99 |       $s7 = "PB_DropAccept" fullword ascii
100 |       $s8 = "PB_PostEventMessage" fullword ascii
101 |       $s9 = "PB_WindowID" fullword ascii
102 |       $s10 = "?GetLongPathNameA" fullword ascii
103 |       $s11 = "cessorArchitecture=\"*\" publicKeyToken=\"6595b64144ccf1df\" language=\"*\" /> </dependentAssembly> </dependency> <v3:trustInfo " ascii
104 |       $s12 = "Memory page error" fullword ascii
105 |       $s13 = "PPPPPPH" fullword ascii
106 |       $s14 = "YZAXAYH" fullword ascii
107 |       $s15 = "%d:%I64d:%I64d:%I64d" fullword ascii
108 |       $s16 = "PYZAXAYH" fullword ascii
109 |       $s17 = "PB_MDI_Gadget" fullword ascii
110 |       $s18 = "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?> <assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersi" ascii
111 |       $s19 = " 11FCC18FB2B55FC3C988F6A76FCF8A2D 56D49E57AD1A051BF62C458CD6F3DEA9 6104990DFEA3DFAB044FAF960458DB09" fullword wide
112 |       $s20 = "PostEventClass" fullword ascii
113 |    condition:
114 |       uint16(0) == 0x5a4d and filesize < 300KB and
115 |       1 of ($x*) and 4 of them
116 | }
117 | 
118 | 
119 | rule App_Web_vjloy3pa {
120 |    meta:
121 |       description = "9893_files - file App_Web_vjloy3pa.dll"
122 |       author = "TheDFIRReport"
123 |       reference = "https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/"
124 |       date = "2022-03-21"
125 |       hash1 = "faa315db522d8ce597ac0aa957bf5bde31d91de94e68d5aefac4e3e2c11aa970"
126 |    strings:
127 |       $x2 = "hSystem.ComponentModel.DataAnnotations, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" fullword ascii
128 |       $s3 = "MSystem.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" fullword ascii
129 |       $s4 = "RSystem.Xml.Linq, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" fullword ascii
130 |       $s5 = "ZSystem.ServiceModel.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" fullword ascii
131 |       $s6 = "YSystem.Web.DynamicData, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" fullword ascii
132 |       $s7 = "XSystem.Web.Extensions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" fullword ascii
133 |       $s8 = "VSystem.Web.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" fullword ascii
134 |       $s9 = "MSystem.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" fullword ascii
135 |       $s10 = "WSystem.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" fullword ascii
136 |       $s11 = "`System.Data.DataSetExtensions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" fullword ascii
137 |       $s12 = "NSystem.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" fullword ascii
138 |       $s13 = "ZSystem.WorkflowServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" fullword ascii
139 |       $s14 = "WSystem.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" fullword ascii
140 |       $s15 = "aSystem.ServiceModel.Activation, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" fullword ascii
141 |       $s16 = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" wide /* base64 encoded string '' */
142 |       $s17 = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" wide /* base64 encoded string '' */
143 |       $s18 = "aSystem.Web.ApplicationServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" fullword ascii
144 |       $s19 = "\\System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" fullword ascii
145 |       $s20 = "SMicrosoft.CSharp, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" fullword ascii
146 |    condition:
147 |       uint16(0) == 0x5a4d and filesize < 2000KB and
148 |       1 of ($x*) and 4 of them
149 | }
150 | 
151 | 
152 | rule _user_task_update_0 {
153 |    meta:
154 |       description = "9893_files - from files user.exe, task_update.exe"
155 |       author = "TheDFIRReport"
156 |       reference = "https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/"
157 |       date = "2022-03-21"
158 |       hash1 = "7b5fbbd90eab5bee6f3c25aa3c2762104e219f96501ad6a4463e25e6001eb00b"
159 |       hash2 = "12c6da07da24edba13650cd324b2ad04d0a0526bb4e853dee03c094075ff6d1a"
160 |    strings:
161 |       $s1 = "-InitOnceExecuteOnce" fullword ascii
162 |       $s2 = "PB_GadgetStack_%I64i" fullword ascii
163 |       $s3 = "PB_DropAccept" fullword ascii
164 |       $s4 = "PB_PostEventMessage" fullword ascii
165 |       $s5 = "PB_WindowID" fullword ascii
166 |       $s6 = "?GetLongPathNameA" fullword ascii
167 |       $s7 = "Memory page error" fullword ascii
168 |       $s8 = "PPPPPPH" fullword ascii
169 |       $s9 = "YZAXAYH" fullword ascii
170 |       $s10 = "%d:%I64d:%I64d:%I64d" fullword ascii
171 |       $s11 = "PYZAXAYH" fullword ascii
172 |       $s12 = "PB_MDI_Gadget" fullword ascii
173 |       $s13 = "PostEventClass" fullword ascii
174 |       $s14 = "t$hYZAXAYH" fullword ascii
175 |       $s15 = "$YZAXAYH" fullword ascii
176 |       $s16 = "Floating-point underflow (exponent too small)" fullword ascii
177 |       $s17 = "Inexact floating-point result" fullword ascii
178 |       $s18 = "Single step trap" fullword ascii
179 |       $s19 = "Division by zero (floating-point)" fullword ascii
180 |       $s20 = "tmHcI(H" fullword ascii
181 |    condition:
182 |       ( uint16(0) == 0x5a4d and filesize < 300KB and ( 8 of them )
183 |       ) or ( all of them )
184 | }
185 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # Yara-Rules
2 | Rules generated from our investigations.
3 | 
4 | If you would like to use these rules in a commercial or closed source solution, please contact us at https://thedfirreport.com/contact/.
5 | 


--------------------------------------------------------------------------------
/compilation/Cobalt Strike, a Defender’s Guide:
--------------------------------------------------------------------------------
  1 | /*
  2 | YARA Rule Set
  3 | Author: The DFIR Report
  4 | Date: 2021-09-01
  5 | Identifier: Cobalt Strike, a Defender’s Guide
  6 | Reference: https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/
  7 | */
  8 | 
  9 | import "pe"
 10 | 
 11 | rule CS_default_exe_beacon_stager {
 12 | meta:
 13 | description = "Remote CS beacon execution as a service - spoolsv.exe"
 14 | author = "TheDFIRReport"
 15 | date = "2021-07-13"
 16 | hash1 = "f3dfe25f02838a45eba8a683807f7d5790ccc32186d470a5959096d009cc78a2"
 17 | strings:
 18 | $s1 = "windir" fullword ascii
 19 | $s2 = "rundll32.exe" fullword ascii
 20 | $s3 = "VirtualQuery failed for %d bytes at address %p" fullword ascii
 21 | $s4 = "msvcrt.dll" fullword wide
 22 | condition:
 23 | uint16(0) == 0x5a4d and filesize < 800KB and (pe.imphash() == "93f7b1a7b8b61bde6ac74d26f1f52e8d" and
 24 | 3 of them ) or ( all of them )
 25 | }
 26 | 
 27 | rule tdr615_exe { 
 28 | meta: 
 29 | description = "Cobalt Strike on beachhead: tdr615.exe" 
 30 | author = "TheDFIRReport" 
 31 | reference = "https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/" 
 32 | date = "2021-07-07" 
 33 | hash1 = "12761d7a186ff14dc55dd4f59c4e3582423928f74d8741e7ec9f761f44f369e5" 
 34 | strings: 
 35 | $a1 = "AppPolicyGetProcessTerminationMethod" fullword ascii 
 36 | $a2 = "I:\\RoDcnyLYN\\k1GP\\ap0pivKfOF\\odudwtm30XMz\\UnWdqN\\01\\7aXg1kTkp.pdb" fullword ascii 
 37 | $b1 = "ealagi@aol.com0" fullword ascii 
 38 | $b2 = "operator co_await" fullword ascii 
 39 | $b3 = "GetModuleHandleRNtUnmapViewOfSe" fullword ascii 
 40 | $b4 = "RtlExitUserThrebNtFlushInstruct" fullword ascii 
 41 | $c1 = "Jersey City1" fullword ascii 
 42 | $c2 = "Mariborska cesta 971" fullword ascii 
 43 | condition: 
 44 | uint16(0) == 0x5a4d and filesize < 10000KB and 
 45 | any of ($a* ) and 2 of ($b* ) and any of ($c* ) 
 46 | }
 47 | import "pe"
 48 | 
 49 | rule CS_DLL {
 50 | meta:
 51 | description = "62.dll"
 52 | author = "TheDFIRReport"
 53 | reference = "https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/"
 54 | date = "2021-07-07"
 55 | hash1 = "8b9d605b826258e07e63687d1cefb078008e1a9c48c34bc131d7781b142c84ab"
 56 | strings:
 57 | $s1 = "Common causes completion include incomplete download and damaged media" fullword ascii
 58 | $s2 = "StartW" fullword ascii
 59 | $s4 = ".rdata$zzzdbg" fullword ascii
 60 | condition:
 61 | uint16(0) == 0x5a4d and filesize < 70KB and ( pe.imphash() == "42205b145650671fa4469a6321ccf8bf" )
 62 | or (all of them)
 63 | }
 64 | 
 65 | rule conti_cobaltstrike_192145_icju1_0 {
 66 | meta:
 67 | description = "files - from files 192145.dll, icju1.exe"
 68 | author = "The DFIR Report"
 69 | reference = "https://thedfirreport.com"
 70 | date = "2021-05-09"
 71 | hash1 = "29bc338e63a62c24c301c04961084013816733dad446a29c20d4413c5c818af9"
 72 | hash2 = "e54f38d06a4f11e1b92bb7454e70c949d3e1a4db83894db1ab76e9d64146ee06"
 73 | strings:
 74 | $x1 = "cmd.exe /c echo NGAtoDgLpvgJwPLEPFdj>\"%s\"&exit" fullword ascii
 75 | $s2 = "veniamatquiest90.dll" fullword ascii
 76 | $s3 = "Quaerat magni assumenda nihil architecto labore ullam autem unde temporibus mollitia illum" fullword ascii
 77 | $s4 = "Quaerat tempora culpa provident" fullword ascii
 78 | $s5 = "Dolores ullam tempora error distinctio ut natus facere quibusdam" fullword ascii
 79 | $s6 = "Velit consequuntur quisquam tempora error" fullword ascii
 80 | $s7 = "Corporis minima omnis qui est temporibus sint quo error magnam" fullword ascii
 81 | $s8 = "Quo omnis repellat ut expedita temporibus eius fuga error" fullword ascii
 82 | $s9 = "Officia sit maiores deserunt nobis tempora deleniti aut et quidem fugit" fullword ascii
 83 | $s10 = "Rerum tenetur sapiente est tempora qui deserunt" fullword ascii
 84 | $s11 = "Sed nulla quaerat porro error excepturi" fullword ascii
 85 | $s12 = "Aut tempore quo cumque dicta ut quia in" fullword ascii
 86 | $s13 = "Doloribus commodi repudiandae voluptates consequuntur neque tempora ut neque nemo ad ut" fullword ascii
 87 | $s14 = "Tempore possimus aperiam nam mollitia illum hic at ut doloremque" fullword ascii
 88 | $s15 = "Et quia aut temporibus enim repellat dolores totam recusandae repudiandae" fullword ascii
 89 | $s16 = "Dolorum eum ipsum tempora non et" fullword ascii
 90 | $s17 = "Quas alias illum laborum tempora sit est rerum temporibus dicta et" fullword ascii
 91 | $s18 = "Sed velit ipsa et dolor tempore sunt nostrum" fullword ascii
 92 | $s19 = "Veniam voluptatem aliquam et eaque tempore tenetur possimus" fullword ascii
 93 | $s20 = "Possimus suscipit placeat dolor quia tempora voluptas qui fugiat et accusantium" fullword ascii
 94 | condition:
 95 | ( uint16(0) == 0x5a4d and filesize < 2000KB and ( 1 of ($x*) and 4 of them )
 96 | ) or ( all of them )
 97 | }
 98 | 
 99 | rule cobalt_strike_tmp01925d3f {
100 | meta:
101 | description = "files - file ~tmp01925d3f.exe"
102 | author = "The DFIR Report"
103 | reference = "https://thedfirreport.com"
104 | date = "2021-02-22"
105 | hash1 = "10ff83629d727df428af1f57c524e1eaddeefd608c5a317a5bfc13e2df87fb63"
106 | strings:
107 | $x1 = "C:\\Users\\hillary\\source\\repos\\gromyko\\Release\\gromyko.pdb" fullword ascii
108 | $x2 = "api-ms-win-core-synch-l1-2-0.dll" fullword wide /* reversed goodware string 'lld.0-2-1l-hcnys-eroc-niw-sm-ipa' */
109 | $s3 = "gromyko32.dll" fullword ascii
110 | $s4 = "<requestedExecutionLevel level='asInvoker' uiAccess='false'/>" fullword ascii
111 | $s5 = "AppPolicyGetProcessTerminationMethod" fullword ascii
112 | $s6 = "https://sectigo.com/CPS0" fullword ascii
113 | $s7 = "2http://crl.comodoca.com/AAACertificateServices.crl04" fullword ascii
114 | $s8 = "?http://crl.usertrust.com/USERTrustRSACertificationAuthority.crl0v" fullword ascii
115 | $s9 = "3http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt0%" fullword ascii
116 | $s10 = "http://ocsp.sectigo.com0" fullword ascii
117 | $s11 = "2http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s" fullword ascii
118 | $s12 = "2http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#" fullword ascii
119 | $s13 = "http://www.digicert.com/CPS0" fullword ascii
120 | $s14 = "AppPolicyGetThreadInitializationType" fullword ascii
121 | $s15 = "alerajner@aol.com0" fullword ascii
122 | $s16 = "gromyko.inf" fullword ascii
123 | $s17 = "operator<=>" fullword ascii
124 | $s18 = "operator co_await" fullword ascii
125 | $s19 = "gromyko" fullword ascii
126 | $s20 = "api-ms-win-appmodel-runtime-l1-1-2" fullword wide
127 | condition:
128 | uint16(0) == 0x5a4d and filesize < 1000KB and
129 | ( pe.imphash() == "1b1b73382580c4be6fa24e8297e1849d" or ( 1 of ($x*) or 4 of them ) )
130 | }
131 | 
132 | rule cobalt_strike_TSE28DF {
133 | meta:
134 | description = "exe - file TSE28DF.exe"
135 | author = "The DFIR Report"
136 | reference = "https://thedfirreport.com"
137 | date = "2021-01-05"
138 | hash1 = "65282e01d57bbc75f24629be9de126f2033957bd8fe2f16ca2a12d9b30220b47"
139 | strings:
140 | $s1 = "mneploho86.dll" fullword ascii
141 | $s2 = "C:\\projects\\Project1\\Project1.pdb" fullword ascii
142 | $s3 = "AppPolicyGetProcessTerminationMethod" fullword ascii
143 | $s4 = "AppPolicyGetThreadInitializationType" fullword ascii
144 | $s5 = "boltostrashno.nfo" fullword ascii
145 | $s6 = "operator<=>" fullword ascii
146 | $s7 = "operator co_await" fullword ascii
147 | $s8 = ".data$rs" fullword ascii
148 | $s9 = "tutoyola" fullword ascii
149 | $s10 = "api-ms-win-appmodel-runtime-l1-1-2" fullword wide
150 | $s11 = "vector too long" fullword ascii
151 | $s12 = "wrong protocol type" fullword ascii /* Goodware String - occured 567 times */
152 | $s13 = "network reset" fullword ascii /* Goodware String - occured 567 times */
153 | $s14 = "owner dead" fullword ascii /* Goodware String - occured 567 times */
154 | $s15 = "connection already in progress" fullword ascii /* Goodware String - occured 567 times */
155 | $s16 = "network down" fullword ascii /* Goodware String - occured 567 times */
156 | $s17 = "protocol not supported" fullword ascii /* Goodware String - occured 568 times */
157 | $s18 = "connection aborted" fullword ascii /* Goodware String - occured 568 times */
158 | $s19 = "network unreachable" fullword ascii /* Goodware String - occured 569 times */
159 | $s20 = "host unreachable" fullword ascii /* Goodware String - occured 571 times */
160 | condition:
161 | uint16(0) == 0x5a4d and filesize < 700KB and
162 | ( pe.imphash() == "ab74ed3f154e02cfafb900acffdabf9e" or all of them )
163 | }
164 | 
165 | rule cobalt_strike_TSE588C {
166 | meta:
167 | description = "exe - file TSE588C.exe"
168 | author = "The DFIR Report"
169 | reference = "https://thedfirreport.com"
170 | date = "2021-01-05"
171 | hash1 = "32c13df5d411bf5a114e2021bbe9ffa5062ed1db91075a55fe4182b3728d62fe"
172 | strings:
173 | $s1 = "mneploho86.dll" fullword ascii
174 | $s2 = "C:\\projects\\Project1\\Project1.pdb" fullword ascii
175 | $s3 = "AppPolicyGetProcessTerminationMethod" fullword ascii
176 | $s4 = "AppPolicyGetThreadInitializationType" fullword ascii
177 | $s5 = "boltostrashno.nfo" fullword ascii
178 | $s6 = "operator<=>" fullword ascii
179 | $s7 = "operator co_await" fullword ascii
180 | $s8 = "?7; ?<= <?= 6<" fullword ascii /* hex encoded string 'v' */
181 | $s9 = ".data$rs" fullword ascii
182 | $s10 = "tutoyola" fullword ascii
183 | $s11 = "Ommk~z#K`majg`i4.itg~\".jkhbozk" fullword ascii
184 | $s12 = "api-ms-win-appmodel-runtime-l1-1-2" fullword wide
185 | $s13 = "OVOVPWTOVOWOTF" fullword ascii
186 | $s14 = "vector too long" fullword ascii
187 | $s15 = "n>log2" fullword ascii
188 | $s16 = "\\khk|k|4.fzz~4!!majk d" fullword ascii
189 | $s17 = "network reset" fullword ascii /* Goodware String - occured 567 times */
190 | $s18 = "wrong protocol type" fullword ascii /* Goodware String - occured 567 times */
191 | $s19 = "owner dead" fullword ascii /* Goodware String - occured 567 times */
192 | $s20 = "connection already in progress" fullword ascii /* Goodware String - occured 567 times */
193 | condition:
194 | uint16(0) == 0x5a4d and filesize < 900KB and
195 | ( pe.imphash() == "bb8169128c5096ea026d19888c139f1a" or 10 of them )
196 | }
197 | 
198 | rule CS_encrypted_beacon_x86 {
199 | meta:
200 | author = "Etienne Maynier tek@randhome.io"
201 | strings:
202 | $s1 = { fc e8 ?? 00 00 00 }
203 | $s2 = { 8b [1-3] 83 c? 04 [0-1] 8b [1-2] 31 }
204 | condition:
205 | $s1 at 0 and $s2 in (0..200) and filesize < 300000
206 | }
207 | 
208 | rule CS_encrypted_beacon_x86_64 {
209 | meta:
210 | author = "Etienne Maynier tek@randhome.io"
211 | strings:
212 | $s1 = { fc 48 83 e4 f0 eb 33 5d 8b 45 00 48 83 c5 04 8b }
213 | condition:
214 | $s1 at 0 and filesize < 300000
215 | }
216 | 
217 | rule CS_beacon {
218 | meta:
219 | author = "Etienne Maynier tek@randhome.io"
220 | 
221 | strings:
222 | $s1 = "%02d/%02d/%02d %02d:%02d:%02d" ascii
223 | $s2 = "%s as %s\\%s: %d" ascii
224 | $s3 = "Started service %s on %s" ascii
225 | $s4 = "beacon.dll" ascii
226 | $s5 = "beacon.x64.dll" ascii
227 | $s6 = "ReflectiveLoader" ascii
228 | $s7 = { 2e 2f 2e 2f 2e 2c ?? ?? 2e 2c 2e 2f }
229 | $s8 = { 69 68 69 68 69 6b ?? ?? 69 6b 69 68 }
230 | $s9 = "%s (admin)" ascii
231 | $s10 = "Updater.dll" ascii
232 | $s11 = "LibTomMath" ascii
233 | $s12 = "Content-Type: application/octet-stream" ascii
234 | 
235 | condition:
236 | 6 of them and filesize < 300000
237 | }
238 | 


--------------------------------------------------------------------------------
/index.yar:
--------------------------------------------------------------------------------
 1 | include "./1013/1013.yar"
 2 | include "./5087/5087.yar"
 3 | include "./3521/3521.yar"
 4 | include "./1012/1012.yar"
 5 | include "./14373/14373.yar"
 6 | include "./4485/4485.yar"
 7 | include "./11462/11462.yar"
 8 | include "./9438/9438.yar"
 9 | include "./4641/4641.yar"
10 | include "./3584/3584.yar"
11 | include "./12993/12993.yar"
12 | include "./3930/3930.yar"
13 | include "./14335/14335.yar"
14 | include "./1051/1051.yar"
15 | include "./1017/1017.yar"
16 | include "./12780/12780.yar"
17 | include "./4778/4778.yar"
18 | include "./4301/4301.yar"
19 | include "./5582/5582.yar"
20 | include "./5794/5794.yar"
21 | include "./5426/5426.yar"
22 | include "./5295/5295.yar"
23 | include "./6898/6898.yar"
24 | include "./8099/8099.yar"
25 | include "./1014/1014.yar"
26 | include "./8734/8734.yar"
27 | include "./12647/12647.yar"
28 | include "./7685/7685.yar"
29 | include "./3580/3580.yar"
30 | include "./9893/9893.yar"
31 | include "./13842/13842.yar"
32 | include "./15184/15184.yar"
33 | include "./17386/17386.yar"
34 | include "./17333/17333.yar"
35 | include "./18041/18041.yar"
36 | include "./18190/18190.yar"
37 | include "./18543/18543.yar"
38 | include "./18364/18364.yar"
39 | include "./19172/19172.yar"
40 | include "./19208/19208.yar"
41 | include "./19438/19438.yar"
42 | include "./19530/19530.yar"
43 | include "./19772/19772.yar"
44 | include "./21619/21619.yar"
45 | include "./23869/23869.yar"
46 | include "./24952/24952.yar"
47 | include "./25590/25590.yar"
48 | include "./27138/27138.yar"
49 | include "./27899/27899.yar"
50 | 


--------------------------------------------------------------------------------