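├── .gitattributes
├── .github
│   └── workflows
│       └── update.yml
├── .gitignore
├── .gitmodules
├── LICENSE
├── README.md
└── rules
    ├── classify-files.yar
    ├── compilers.yar
    ├── compressed.yar
    ├── executables.yar
    ├── installers.yar
    └── token-grabbers.yar
/.gitattributes:
--------------------------------------------------------------------------------
# Auto detect text files and perform LF normalization
* text=auto
--------------------------------------------------------------------------------
/.github/workflows/update.yml:
--------------------------------------------------------------------------------
name: "Automatic submodule update"

on:
  schedule:
    - cron: "0 0 * * *"
  workflow_dispatch: {}

# Least privilege: the job only has to push to this repository's contents.
# Declaring it explicitly also keeps the push working where the default
# GITHUB_TOKEN grant is read-only.
permissions:
  contents: write

jobs:
  update:
    runs-on: ubuntu-latest
    steps:
      # v2 runs on a retired Node runtime; v4 is the maintained major.
      # For supply-chain hardening, prefer pinning the action to a full
      # commit SHA instead of a floating major tag.
      - uses: actions/checkout@v4
        with:
          submodules: 'true'

      # NOTE(review): this moves every submodule to the head of its upstream
      # default branch and the next step pushes the result without review, so
      # an upstream mistake or compromise lands in this repository
      # automatically. Opening a pull request instead of pushing to the branch
      # would put a human in the loop.
      - name: Update submodules
        run: |
          git submodule update --remote

      - name: Commit and push changes
        run: |
          git config user.name github-actions
          git config user.email 41898282+github-actions[bot]@users.noreply.github.com
          git add .
          # Commit only when the index differs from HEAD; otherwise the
          # `||` branch is skipped and the step still exits 0.
          git diff --quiet && git diff --staged --quiet || git commit -m "auto: update submodules"
          git push
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
# Byte-compiled / optimized / DLL files
__pycache__/
*.py[cod]
*$py.class

# C extensions
*.so

# Distribution / packaging
.Python
build/
develop-eggs/
dist/
downloads/
eggs/
.eggs/
lib/
lib64/
parts/
sdist/
var/
wheels/
*.egg-info/
.installed.cfg
*.egg
MANIFEST

# PyInstaller
# Usually these files are written by a python script from a template
# before PyInstaller builds the exe, so as to inject date/other infos into it.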
31 | *.manifest 32 | *.spec 33 | 34 | # Installer logs 35 | pip-log.txt 36 | pip-delete-this-directory.txt 37 | 38 | # Unit test / coverage reports 39 | htmlcov/ 40 | .tox/ 41 | .nox/ 42 | .coverage 43 | .coverage.* 44 | .cache 45 | nosetests.xml 46 | coverage.xml 47 | *.cover 48 | .hypothesis/ 49 | .pytest_cache/ 50 | 51 | # Translations 52 | *.mo 53 | *.pot 54 | 55 | # Django stuff: 56 | *.log 57 | local_settings.py 58 | db.sqlite3 59 | 60 | # Flask stuff: 61 | instance/ 62 | .webassets-cache 63 | 64 | # Scrapy stuff: 65 | .scrapy 66 | 67 | # Sphinx documentation 68 | docs/_build/ 69 | 70 | # PyBuilder 71 | target/ 72 | 73 | # Jupyter Notebook 74 | .ipynb_checkpoints 75 | 76 | # IPython 77 | profile_default/ 78 | ipython_config.py 79 | 80 | # pyenv 81 | .python-version 82 | 83 | # celery beat schedule file 84 | celerybeat-schedule 85 | 86 | # SageMath parsed files 87 | *.sage.py 88 | 89 | # Environments 90 | .env 91 | .venv 92 | env/ 93 | venv/ 94 | ENV/ 95 | env.bak/ 96 | venv.bak/ 97 | 98 | # Spyder project settings 99 | .spyderproject 100 | .spyproject 101 | 102 | # Rope project settings 103 | .ropeproject 104 | 105 | # mkdocs documentation 106 | /site 107 | 108 | # mypy 109 | .mypy_cache/ 110 | .dmypy.json 111 | dmypy.json 112 | 113 | # Pyre type checker 114 | .pyre/ 115 | 116 | # extra 117 | .idea/ 118 | .vscode/ 119 | *.hexproj 120 | _MALWARE/ 121 | -------------------------------------------------------------------------------- /.gitmodules: -------------------------------------------------------------------------------- 1 | [submodule "bartblaze"] 2 | path = bartblaze 3 | url = https://github.com/bartblaze/yara-rules 4 | [submodule "xumeiquer"] 5 | path = xumeiquer 6 | url = https://github.com/xumeiquer/yara-forensics/ 7 | [submodule "retdec"] 8 | path = retdec 9 | url = https://github.com/avast/retdec 10 | -------------------------------------------------------------------------------- /LICENSE: 
-------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2022 Vaccinator Security 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # yara-rules 2 | 3 | YARA rules for malware detection and classification. 4 | 5 | 6 | ## Other notable repositories: 7 | 8 | - [Xumeiquer/yara-forensics](https://github.com/Xumeiquer/yara-forensics): Set of YARA rules for finding files using magics headers 9 | - [bartblaze/Yara-rules](https://github.com/bartblaze/yara-rules): A collection of Bart's privately-developed YARA rules. 10 | - [intezer/yara-rules](https://github.com/intezer/yara-rules): YARA rules developed and published by [Intezer](https://www.intezer.com/). 
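--------------------------------------------------------------------------------
/rules/classify-files.yar:
--------------------------------------------------------------------------------
// Aggregator: compiles the classification rule files below as one rule set.
// installers.yar and token-grabbers.yar are not included here. Note that
// installers.yar defines a second rule named "nsis", which would collide
// with the "nsis" rule in executables.yar if both files were compiled together.

include "./compressed.yar"
include "./executables.yar"
include "./compilers.yar"
--------------------------------------------------------------------------------
/rules/compilers.yar:
--------------------------------------------------------------------------------
/*
    Compiler classification YARA rules
    by Vaccinator Security (vaccinator.tech)
*/
import "pe"

// https://github.com/bartblaze/Yara-rules
include "../bartblaze/rules/generic/PyInstaller.yar"

/**************\
| JS Compilers |
\**************/

// https://github.com/nexe/nexe
// nexe appends its 16-byte sentinel marker followed by a 16-byte trailer of
// size metadata to the compiled binary, hence the check at filesize - 32.
rule Nexe: executable compiler js nexe
{
    meta:
        description = "Identify Nodejs executables built with nexe"
        author = "nwunderly"

    strings:
        // An empty string here is rejected by the YARA compiler; this is the
        // literal marker nexe writes.
        $nexe_sentinel = "<nexe~~sentinel>"

    condition:
        // Parenthesised to make the intended grouping explicit
        // (`and` already binds tighter than `or`).
        (pe.pdb_path contains ".nexe" and pe.version_info["OriginalFilename"] == "node.exe")
        or $nexe_sentinel at (filesize - 32)
}

// https://github.com/leafac/caxa/
// caxa separates the bundled archive with a fixed line marker.
rule CAXA: executable compiler js caxa
{
    meta:
        description = "A way to identify Nodejs executables"
        author = "Michael Pivonka (codedninja)"
        date = "03/04/2022"

    strings:
        $caxacaxacaxa = "\nCAXACAXACAXA\n"

    condition:
        $caxacaxacaxa
}

// https://github.com/vercel/pkg
// Condition-only rule: relies on PE metadata, no string scan.
rule Pkg: executable compiler js pkg
{
    meta:
        description = "Identify Nodejs executables built with pkg"
        author = "nwunderly"

    condition:
        pe.pdb_path contains "pkg-fetch" and pe.version_info["OriginalFilename"] == "node.exe"
}

/**************\
| PY Compilers |
\**************/

// https://github.com/pyinstaller/pyinstaller
// PyInstaller detection comes from the bartblaze include at the top of this file.
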
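/*************\
| Rust Builds |
\*************/

// All three runtime strings must be present; any single one is too common.
rule Rust: executable compiler rust
{
    meta:
        description = "Identify Rust executables"
        author = "nwunderly"

    strings:
        $rustc = "rustc"
        $rust_backtrace = "RUST_BACKTRACE"
        $rust_panic = "rust_panic"

    condition:
        all of them
}
--------------------------------------------------------------------------------
/rules/compressed.yar:
--------------------------------------------------------------------------------
/*
    Compressed file classification YARA rules
    by Vaccinator Security (vaccinator.tech)
*/
import "magic"

// https://github.com/Xumeiquer/yara-forensics

rule zip: compressed zip
{
    meta:
        description = "Identify zip files"
        author = "nwunderly"

    strings:
        // "PK" followed by one of the three record signatures a zip may
        // start with: local file header (03 04), end-of-central-directory
        // of an empty archive (05 06), or the spanned-archive marker (07 08).
        // The bare two-byte "PK" prefix matched any file beginning with
        // those two letters.
        $a = { 50 4B (03 04 | 05 06 | 07 08) }

    condition:
        $a at 0
}

rule xz: compressed xz
{
    meta:
        author = "Michael Pivonka"
        date = "03/28/2022"

    strings:
        // xz stream header magic
        $a = {FD 37 7A 58 5A 00}

    condition:
        $a at 0
}

rule lz4: compressed lz4
{
    meta:
        author = "Michael Pivonka"
        date = "03/28/2022"

    strings:
        // LZ4 frame magic (little-endian 0x184D2204)
        $a = {04 22 4D 18}

    condition:
        $a at 0
}

rule zlib: compressed zlib
{
    meta:
        author = "Michael Pivonka"
        date = "03/28/2022"

    strings:
        // CMF byte 0x78 followed by each FLG byte that satisfies the
        // zlib header check (CMF*256 + FLG divisible by 31).
        $a = {78 (01 | 5E | 9C | DA | 20 | 7D | BB | F9 )}

    condition:
        $a at 0
}

rule zstd: compressed zstd
{
    meta:
        author = "Michael Pivonka"
        date = "03/28/2022"

    strings:
        // zstd frame magic (little-endian 0xFD2FB528)
        $a = {28 B5 2F FD}

    condition:
        $a at 0
}

// Tagged "compressed" like its siblings so tag-based selection picks it up.
rule lzip: compressed lzip
{
    meta:
        author = "Michael Pivonka"
        date = "03/28/2022"

    strings:
        // "LZIP"
        $a = {4C 5A 49 50}

    condition:
        $a at 0
}

rule bz2: compressed bz2
{
    meta:
        author = "Michael Pivonka"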
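date = "03/28/2022"

    strings:
        // "BZh"
        $a = {42 5A 68}

    condition:
        $a at 0
}

rule xar: compressed xar
{
    meta:
        author = "Michael Pivonka"
        date = "03/28/2022"

    strings:
        // "xar!"
        $a = {78 61 72 21}

    condition:
        $a at 0
}


rule asar: compressed asar
{
    meta:
        author = "Michael Pivonka"
        date = "04/05/2022"

    strings:
        $a = "files"

    condition:
        // The 32-bit value at offset 12 is taken as the length of the header
        // that begins at offset 16 (asar keeps its JSON index there); "files"
        // must occur inside that span and the file must be large enough to hold it.
        filesize > 16 and filesize > int32(12) + 16 and $a in (16..int32(12) + 16)
}

// Copied from xumeiquer/yara-forensics

rule _7z: compressed _7z
{
    meta:
        author = "Jaume Martin"

    strings:
        // 7z signature header
        $a = {37 7A BC AF 27 1C}

    condition:
        $a at 0
}

rule rar: compressed rar
{
    meta:
        author = "Jaume martin"

    strings:
        // "Rar!" + 1A 07 00 (RAR 1.5-4.x) and "Rar!" + 1A 07 01 00 (RAR 5)
        $a = {52 61 72 21 1A 07 00}
        $b = {52 61 72 21 1A 07 01 00}

    condition:
        $a at 0 or $b at 0
}

rule tar: compressed tar
{
    meta:
        author = "Jaume martin"

    strings:
        // POSIX ustar magic ("ustar\0" + version "00") and the older GNU
        // form ("ustar  \0"). Both live at offset 257 of the first header
        // block; anchoring them at offset 0 only matched archives whose
        // member name happened to start with "ustar".
        $a = {75 73 74 61 72 00 30 30}
        $b = {75 73 74 61 72 20 20 00}

    condition:
        $a at 257 or $b at 257 or magic.mime_type() == "application/x-tar"
}

rule gzip: compressed gzip
{
    meta:
        author = "Jaume martin"

    strings:
        // gzip member header ID1/ID2 (a second, identical pattern was dropped).
        $a = {1F 8B}

    condition:
        $a at 0
}

--------------------------------------------------------------------------------
/rules/executables.yar:
--------------------------------------------------------------------------------
/*
    Executable file classification YARA rules
    by Vaccinator Security (vaccinator.tech)
*/
// Imported here as well so this file compiles on its own instead of relying
// on an included file to bring "pe" into scope (re-importing is harmless).
import "pe"

// https://github.com/Xumeiquer/yara-forensics
include "../xumeiquer/file/executables.yar"
include "../retdec/support/yara_patterns/tools/pe/x86/installers.yara"

rule Node: executable node
{
    meta:
        description = "A way to identify Nodejs executables"
        author = "Michael Pivonka (codedninja)"
        date = "02/24/2022"

    condition:
        pe.version_info["OriginalFilename"] == "node.exe"
}

// Catch-all over the per-version Nullsoft rules supplied by the retdec include.
// installers.yar in this directory defines another rule with the same name
// "nsis", so the two files cannot be compiled into one rule set. The two
// version lists also differ (for example nsis_213_223 appears only in
// installers.yar, while nsis_overlay_data and nsis_300_301_unicode appear
// only here); whether that is intentional is not visible from these files.
rule nsis: installer nsis
{
    meta:
        description = "Catch all for Nullsoft rules from Avast rules"
        author = "Michael Pivonka"
        date = "03/28/2022"

    condition:
        nsis_1xx or nsis_1xx_pimp or nsis_overlay_data or nsis_13x_pimp or nsis_20rc2 or nsis_20 or nsis_20b2_20b3 or nsis_20b4_01 or nsis_20b4_02 or nsis_202_208 or nsis_209_210 or nsis_211_212 or nsis_224 or nsis_225 or nsis_226_228 or nsis_229 or nsis_230 or nsis_231_246 or nsis_247_248 or nsis_249 or nsis_250 or nsis_251 or nsis_300_301 or nsis_300_301_unicode or nsis_302 or nsis_302_unicode
}
--------------------------------------------------------------------------------
/rules/installers.yar:
--------------------------------------------------------------------------------
/*
    Installer executable classification YARA rules
    by Vaccinator Security (vaccinator.tech)
*/

import "pe"

// Self-contained alternative to the retdec-based nsis catch-all in
// executables.yar. Same rule name: do not compile both files together.
rule nsis: installer nsis {
    meta:
        description = "A combined Nullsoft rule based on Avast's retdec."
        name = "Nullsoft Install System"
        author = "Michael Pivonka (codedninja)"
        date = "04/01/2022"

    strings:
        // Entry-point stubs, one per NSIS release range.
        $nsis_1xx = { 83 EC 0C 53 56 57 FF 15 20 71 40 00 05 E8 03 00 00 BE 60 FD 41 00 89 44 24 10 B3 20 FF 15 28 70 40 00 68 00 04 00 00 FF 15 28 71 40 00 50 56 FF 15 08 71 40 00 80 3D 60 FD 41 00 22 75 08 80 C3 02 BE 61 FD 41 00 8A 06 8B 3D F0 71 40 00 84 C0 74 0F 3A C3 74 0B 56 FF D7 8B F0 8A 06 84 C0 75 F1 80 3E 00 74 05 56 FF D7 8B F0 89 74 24 14 80 3E 20 75 07 56 FF D7 8B F0 EB F4 80 3E 2F 75 }
        $nsis_1xx_pimp = { 83 EC 5C 53 55 56 57 FF 15 ?? ?? ?? 00 }
        $nsis_13x_pimp = { 55 8B EC 81 EC ??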
?? 00 00 56 57 6A ?? BE ?? ?? ?? ?? 59 8D BD } 19 | $nsis_20rc2 = { 83 EC 10 53 55 56 57 C7 44 24 14 70 92 40 00 33 ED C6 44 24 13 20 FF 15 2C 70 40 00 55 FF 15 84 72 40 00 BE 00 54 43 00 BF 00 04 00 00 56 57 A3 A8 EC 42 00 FF 15 C4 70 40 00 E8 8D FF FF FF 8B 1D 90 70 40 00 85 C0 75 21 68 FB 03 00 00 56 FF 15 5C 71 40 00 } 20 | $nsis_20 = { 83 EC 0C 53 55 56 57 C7 44 24 10 70 92 40 00 33 DB C6 44 24 14 20 FF 15 2C 70 40 00 53 FF 15 84 72 40 00 BE 00 54 43 00 BF 00 04 00 00 56 57 A3 A8 EC 42 00 FF 15 C4 70 40 00 E8 8D FF FF FF 8B 2D 90 70 40 00 85 C0 75 21 68 FB 03 00 00 56 FF 15 5C 71 40 00 } 21 | $nsis_20b2_20b3 = { 83 EC 0C 53 55 56 57 FF 15 ?? 70 40 00 8B 35 ?? 92 40 00 05 E8 03 00 00 89 44 24 14 B3 20 FF 15 2C 70 40 00 BF 00 04 00 00 68 ?? ?? ?? 00 57 FF 15 ?? ?? 40 00 57 FF 15 } 22 | $nsis_20b4_01 = { 83 EC 10 53 55 56 57 C7 44 24 14 F0 91 40 00 33 ED C6 44 24 13 20 FF 15 2C 70 40 00 55 FF 15 88 72 40 00 BE 00 D4 42 00 BF 00 04 00 00 56 57 A3 60 6F 42 00 FF 15 C4 70 40 00 E8 9F FF FF FF 8B 1D 90 70 40 00 85 C0 75 21 68 FB 03 00 00 56 FF 15 60 71 40 00 } 23 | $nsis_20b4_02 = { 83 EC 14 83 64 24 04 00 53 55 56 57 C6 44 24 13 20 FF 15 30 70 40 00 BE 00 20 7A 00 BD 00 04 00 00 56 55 FF 15 C4 70 40 00 56 E8 7D 2B 00 00 8B 1D 8C 70 40 00 6A 00 56 FF D3 BF 80 92 79 00 56 57 E8 15 26 00 00 85 C0 75 38 68 F8 91 40 00 55 56 FF 15 60 71 40 00 03 C6 50 E8 78 29 00 00 56 E8 47 2B 00 00 6A 00 56 FF D3 56 57 E8 EA 25 00 00 85 C0 75 0D C7 44 24 14 58 91 40 00 E9 72 02 00 00 57 FF 15 24 71 40 00 68 EC 91 40 00 57 E8 43 } 24 | $nsis_202_208 = { 83 EC 20 53 55 56 33 DB 57 89 5C 24 18 C7 44 24 10 ?? ?? 40 00 C6 44 24 14 20 FF 15 ?? ?0 40 00 53 FF 15 ?? ?2 40 00 68 ?? ?? 40 00 68 ?0 ?? ?? 00 A3 ?0 ?? ?? 00 E8 ?? 2? 00 00 BE 00 ?? ?? 00 ?? ?? 0? 0? 00 ?? 57 FF 15 ?? ?? 40 00 E8 ?? FF FF FF 8? ?? ?? ?? ?? ?0 ?? ?0 75 21 68 FB 0? 00 00 56 FF 15 } 25 | $nsis_209_210 = { 83 EC 20 53 55 56 33 F6 57 89 74 24 18 B? ?? ?? 40 00 89 74 24 14 C6 44 24 10 20 FF 15 30 ?0 40 00 56 FF 15 8? 
?2 40 00 68 ?? ?? 40 00 68 ?0 ?? 4? 00 A3 ?0 ?? 4? 00 E8 ?? 2? 00 00 B? 00 ?? 4? 00 BF 00 ?? 00 00 5? 57 FF 15 ?? ?? 40 00 E8 79 FF FF FF 85 C0 75 24 68 FB ?? 00 00 5? FF 15 ?? ?? 40 00 68 } 26 | $nsis_211_212 = { 81 EC 80 01 00 00 53 55 56 33 F6 57 89 74 24 18 B? ?? ?? 40 00 89 74 24 10 C6 44 24 14 20 FF 15 30 ?0 40 00 56 FF 15 ?? ?2 40 00 ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 50 56 68 ?? ?? 4? 00 FF 15 ?? ?1 40 00 68 ?? ?? 40 00 68 ?0 ?? 4? 00 E8 ?? 2? 00 00 B? 00 ?? 4? 00 ?? ?? ?? 0? 00 ?? 57 FF 15 } 27 | $nsis_213_223 = { 81 EC 7C 01 00 00 53 55 56 33 F6 57 89 74 24 18 B? ?0 ?? 40 00 C6 44 24 10 20 FF 15 30 ?0 40 00 56 FF 15 7? ?2 40 00 A3 ?0 ?? 4? 00 56 8D 44 24 30 68 60 01 00 00 50 56 68 ?? ?? 4? 00 FF 15 58 ?1 40 00 68 ?? ?? 40 00 68 ?0 ?? 4? 00 E8 ?? 2? 00 00 B? 00 ?? 4? 00 5? 68 00 ?? 00 00 FF 15 B? ?0 40 00 E8 } 28 | $nsis_224 = { 81 EC 80 01 00 00 53 55 56 33 DB 57 89 5C 24 18 C7 44 24 14 ?0 9? 40 00 33 F6 C6 44 24 10 20 FF 15 30 70 40 00 53 FF 15 74 72 40 00 A3 ?0 ?? 42 00 53 8D 44 24 34 68 60 01 00 00 50 53 68 ?? ?? 4? 00 FF 15 5C 71 40 00 68 ?? 92 40 00 68 ?0 ?? 42 00 E8 ?? 28 00 00 FF 15 B? 70 40 00 BF 00 ?0 4? 00 50 57 } 29 | $nsis_225 = { 55 8B EC 81 EC 80 01 00 00 53 56 33 DB 57 89 5D F4 C7 45 F8 ?? ?? 40 00 89 5D FC C6 45 EC 20 FF 15 30 70 40 00 53 FF 15 7? 72 40 00 ?3 ?? ?? ?? 00 ?? ?? ?? ?0 ?? ?? ?? ?? ?0 ?? ?? ?? 50 53 68 ?? ?? ?? 00 FF 15 5? 71 40 00 68 ?? ?? 40 00 68 ?0 ?? ?? 00 E8 ?? 2? 00 00 FF 15 B? 70 40 00 ?? ?? ?0 } 30 | $nsis_226_228 = { 81 EC 80 01 00 00 53 55 56 33 DB 57 89 5C 24 18 C7 44 24 10 ?? 91 40 00 33 F6 C6 44 24 14 20 FF 15 30 70 40 00 53 FF 15 78 72 40 00 A3 ?4 ?? ?? 00 53 8D 44 24 34 68 60 01 00 00 50 53 68 ?? ?? ?? 00 FF 15 54 71 40 00 68 ?? 9? 40 00 68 ?0 ?? ?? 00 E8 ?? 27 00 00 FF 15 B? 70 40 00 BF 00 ?0 ?? 00 50 57 } 31 | $nsis_229 = { 81 EC 80 01 00 00 53 55 56 33 DB 57 89 5C 24 18 C7 44 24 10 ?? 91 40 00 33 F6 C6 44 24 14 20 FF 15 30 70 40 00 68 01 80 00 00 FF 15 B? 
70 40 00 53 FF 15 78 72 40 00 6A 08 A3 ?4 ?? 42 00 E8 ?? 2A 00 00 A3 ?4 ?? 42 00 53 8D 44 24 34 68 60 01 00 00 50 53 68 ?? ?? 4? 00 FF 15 54 71 40 00 68 ?? 9? 40 00 } 32 | $nsis_230 = { 81 EC 80 01 00 00 53 55 56 33 DB 57 89 5C 24 18 C7 44 24 10 ?? 91 40 00 33 F6 C6 44 24 14 20 FF 15 30 70 40 00 68 01 80 00 00 FF 15 B? 70 40 00 53 FF 15 7C 72 40 00 6A 08 A3 ?4 ?? ?? 00 E8 ?? 2A 00 00 A3 ?4 ?? ?? 00 53 8D 44 24 34 68 60 01 00 00 50 53 68 ?? ?? ?? 00 FF 15 58 71 40 00 68 ?? 9? 40 00 } 33 | $nsis_231_246 = { 81 EC 80 01 00 00 53 55 56 33 DB 57 89 5C 24 18 C7 44 24 10 ?? ?? 40 00 33 F6 C6 44 24 14 20 FF 15 30 ?0 40 00 68 01 80 00 00 FF 15 B? ?0 40 00 53 FF 15 ?? ?2 40 00 6A 08 A3 ?8 ?? ?? 00 E8 ?? 2? 00 00 A3 ?4 ?? ?? 00 53 8D 44 24 34 68 60 01 00 00 50 53 68 ?? ?? ?? 00 FF 15 58 ?1 40 00 68 ?? ?? 40 00 } 34 | $nsis_247_248 = { 81 EC 80 01 00 00 53 55 56 33 DB 57 89 5C 24 18 C7 44 24 10 ?? 91 40 00 33 F6 C6 44 24 14 20 FF 15 34 70 40 00 68 01 80 00 00 FF 15 B? 70 40 00 53 FF 15 70 72 40 00 53 A3 ?8 ?? ?? 00 E8 ?? 2D 00 00 3B C3 74 07 68 00 0C 00 00 FF D0 6A 0D E8 ?? 2D 00 00 6A 0B E8 ?? 2D 00 00 A3 ?4 ?? ?? 00 53 8D 44 24 } 35 | $nsis_249 = { 81 EC 80 01 00 00 53 55 56 33 DB 57 89 5C 24 18 C7 44 24 10 ?? ?? 40 00 33 F6 C6 44 24 14 20 FF 15 34 70 40 00 68 01 80 00 00 FF 15 B? 70 40 00 53 FF 15 70 72 40 00 A3 ?8 ?? 4? 00 FF 15 B? 70 40 00 66 ?? ?? 0? 74 11 53 E8 ?? 2? 00 00 3B C3 74 07 68 00 0C 00 00 FF D0 6A 0D E8 ?? 2? 00 00 6A 0B E8 } 36 | $nsis_250 = { 81 EC 80 01 00 00 53 55 56 57 33 DB 68 01 80 00 00 89 5C 24 1C C7 44 24 14 ?? 91 40 00 33 F6 C6 44 24 18 20 FF 15 B? 70 40 00 FF 15 B? 70 40 00 66 3D 06 00 74 11 53 E8 ?? 2D 00 00 3B C3 74 07 68 00 0C 00 00 FF D0 68 ?? 91 40 00 E8 ?? 2D 00 00 68 ?? 91 40 00 E8 ?? 2D 00 00 68 ?? 91 40 00 E8 ?? 2D 00 } 37 | $nsis_251 = { 81 EC 84 01 00 00 53 55 56 57 33 DB 68 01 80 00 00 89 5C 24 20 C7 44 24 14 ?? ?? 40 00 89 5C 24 1C C6 44 24 18 20 FF 15 B? ?0 40 00 FF 15 ?? ?0 40 00 66 3D 06 00 74 11 53 E8 ?? ?? 
00 00 3B C3 74 07 68 00 0C 00 00 FF D0 ?? ?? ?? ?? ?0 ?? ?? ?? ?? ?0 00 ?? ?? ?? ?? ?? ?? 00 } 38 | $nsis_300_301 = { 81 EC 84 01 00 00 53 56 57 33 DB 68 01 80 00 00 89 5C 24 18 C7 44 24 10 ?? ?1 40 00 89 5C 24 20 C6 44 24 14 20 FF 15 ?? ?? 40 00 FF 15 A? ?0 40 00 66 3D 06 00 74 11 53 E8 ?? 2F 00 00 3B C3 74 07 68 00 0C 00 00 FF D0 BE 98 ?2 40 00 56 E8 ?? 2? 00 00 56 FF 15 A? ?0 40 00 8D 74 06 01 38 1E 75 EB 55 6A } 39 | $nsis_302 = { 81 EC 84 01 00 00 53 56 57 33 DB 68 01 80 00 00 89 5C 24 18 C7 44 24 10 ?? ?1 40 00 89 5C 24 20 C6 44 24 14 20 FF 15 A? ?0 40 00 FF 15 ?? ?0 40 00 25 FF FF FF BF 66 3D 06 00 A3 ?C ?? ?? 00 74 11 53 E8 ?? 30 00 00 3B C3 74 07 68 00 0C 00 00 FF D0 BE 98 ?2 40 00 56 E8 ?? 30 00 00 56 FF 15 ?? ?0 40 00 } 40 | $nsis_302_unicode = { 81 EC D4 02 00 00 53 56 57 6A 20 5F 33 DB 68 01 80 00 00 89 5C 24 14 C7 44 24 10 ?0 A2 40 00 89 5C 24 1C FF 15 A? 80 40 00 FF 15 A? 80 40 00 25 FF FF FF BF 66 3D 06 00 A3 ?C ?? ?? 00 74 11 53 E8 ?? 32 00 00 3B C3 74 07 68 00 0C 00 00 FF D0 BE B0 82 40 00 56 E8 ?? 32 00 00 56 FF 15 50 81 40 00 8D 74 } 41 | 42 | $s01 = { EF BE AD DE 6E 73 69 73 69 6E 73 74 61 6C 6C 00 } 43 | $s02 = { ED BE AD DE 4E 75 6C 6C 53 6F 66 74 49 6E 73 74 } 44 | $s03 = { 0? 
00 00 00 EF BE AD DE 4E 75 6C 6C (53|73) 6F 66 74 49 6E 73 74 }

    condition:
        // Either one of the version-specific stubs sits at the entry point...
        for any of ($nsis_*) : ( $ at pe.entry_point )
        or
        // ...or the PE carries an overlay and one of the installer markers
        // ($s01 "nsisinstall", $s02 "NullSoftInst", $s03 "Null[Ss]oftInst",
        // each preceded by its 4-byte tag) is found at or past the overlay start.
        (
            pe.number_of_sections > 3 and
            pe.overlay.size != 0 and
            for any of ($s*) : ( @ >= pe.overlay.offset )
        )

}
--------------------------------------------------------------------------------
/rules/token-grabbers.yar:
--------------------------------------------------------------------------------
/*
    Token grabber YARA rules
    by Vaccinator Security (vaccinator.tech)
*/

// Both array initialisers must be present; either alone is too generic.
rule JSTokenGrabber: executable tokengrabber
{
    meta:
        description = "Generic JavaScript token grabbers"
        author = "nwunderly"

    strings:
        $a = "discords=[]"
        $b = "injectPath=[]"

    condition:
        all of them
}

// Name match in either capitalisation seen in samples.
rule PirateStealer: executable tokengrabber
{
    meta:
        description = "PirateStealer token grabber"
        author = "nwunderly"

    strings:
        $a = "PirateStealer"
        $b = "piratestealer"

    condition:
        any of them
}

// Build-path artifact left in the binary plus the Discord module it targets.
rule Extrack: executable tokengrabber
{
    meta:
        description = "Extrack token grabber"
        author = "nwunderly"

    strings:
        $a = "C:\\Users\\Administrator\\Documents\\builder\\temp\\grabbers"
        $b = "discord_desktop_core"

    condition:
        all of them
}

// Matches the RTX...STX delimiter pair that brackets the embedded webhook.
// The capture group has no effect in YARA; the lazy `.*?` may be slow on
// large inputs, which is a documented YARA performance caveat for such patterns.
rule TokGrabber: executable tokengrabber
{
    meta:
        description = "Tokgrabber - Check if an executable has tokgrabber only string"
        author = "Michael Pivonka (codedninja)"
        date = "02/15/2022"

    strings:
        $webhook_regex = /_____________________RTX______________________________(.*?)_____________________STX______________________________/

    condition:
        $webhook_regex
}

--------------------------------------------------------------------------------