├── APT ├── dtrack_lazarus_group.md ├── micropsia_apt_c_23.md ├── poshc2_apt_33.md └── powerton_apt_33.md ├── Broadbased ├── agent_tesla.md ├── ave_maria_warzone_rat.md ├── azorult_plus_plus.md ├── blackremote_blackrat.md ├── darktrack_rat.md ├── engwultimate.md ├── formbook.md ├── frat.md ├── kleptoparasite.md ├── lockergoga.md ├── megacortex.md ├── metamorfo.md ├── nanocore.md ├── netwire.md ├── parallax_rat.md ├── qealler_rat.md ├── qrypter_rat.md ├── remcos_rat.md ├── ursnif_gozi_isfb.md └── wsh_rat.md └── README.md /APT/dtrack_lazarus_group.md: -------------------------------------------------------------------------------- 1 | # DTrack 2 | ### Utilized by North Korean APT "Lazarus Group"; Not to be confused with ATMDtrack 3 | 4 | ## Reporting 5 | * https://usa.kaspersky.com/about/press-releases/2019_dtrack-previously-unknown-spy-tool-hits-financial-institutions-and-research-centers 6 | * https://twitter.com/a_tweeter_user/status/1188811977851887616?s=20 7 | 8 | ## YARA 9 | ```yara 10 | rule dtrack_2020 { 11 | meta: 12 | author = "jeFF0Falltrades" 13 | 14 | strings: 15 | $pdb = "Users\\user\\Documents\\Visual Studio 2008\\Projects\\MyStub\\Release\\MyStub.pdb" wide ascii 16 | $str_log = "------------------------------ Log File Create...." wide ascii 17 | $str_ua = "CCS_Mozilla/5.0 (Windows NT 6.1" wide ascii 18 | $str_chrome = "Local Settings\\Application Data\\Google\\Chrome\\User Data\\Default\\History" wide ascii 19 | $str_tmp = "%s\\~%d.tmp" wide ascii 20 | $str_exc = "Execute_%s.log" wide ascii 21 | $str_reg_use = /net use \\\\[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\\C\$ \/delete/ 22 | $str_reg_move = /move \/y %s \\\\[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\\C\$\\Windows\\Temp\\MpLogs\\/ 23 | $hex_1 = { d1 ?? 33 ?? fc 81 ?? ff 00 00 00 c1 ?? 17 } 24 | $hex_2 = { c1 ?? 08 8b ?? fc c1 ?? 
10 } 25 | $hex_3 = { 81 0D [4] 1C 31 39 29 } 26 | condition: 27 | 2 of them or $hex_3 28 | } 29 | ``` 30 | 31 | ## Sample Hashes 32 | ``` 33 | 3cc9d9a12f3b884582e5c4daf7d83c4a510172a836de90b87439388e3cde3682 34 | bfb39f486372a509f307cde3361795a2f9f759cbeb4cac07562dcbaebc070364 35 | 51ac3966b48c91947de4ce51a90aee9deb730d86cedf8c863d9dcdf0fb322537 36 | 61c1b9afa2347c315a6b4628f9dff3ada6f8d040345402d4708881f05b1ec48b 37 | ee9cd8decf752a47eefe24369a806976dce8ac2c29a8271c68bc407326fb19a9 38 | 791c59a0d6456ac1d9976fe82dc6b13f3e5980c6cfa2fd9d58a3cc849755ea9f 39 | 93a01fbbdd63943c151679d037d32b1d82a55d66c6cb93c40ff63f2b770e5ca9 40 | a0664ac662802905329ec6ab3b3ae843f191e6555b707f305f8f5a0599ca3f68 41 | c5c1ca4382f397481174914b1931e851a9c61f029e6b3eb8a65c9e92ddf7aa4c 42 | b0bf63300fd4f6a0b1544663b6326c250086369b128d241287d150e6e6409fd8 (test file) 43 | 1ba8cba6337da612d1db2cdfe1b44f6110741d91ba696a5b125ebd3e9b081ed7 44 | 4701cc722f03253fb332747f951fff4c4ff023e13096a7e090a22b95c70efbf3 45 | ``` 46 | -------------------------------------------------------------------------------- /APT/micropsia_apt_c_23.md: -------------------------------------------------------------------------------- 1 | # MICROPSIA (APT-C-23) 2 | 3 | ## Reporting 4 | * https://unit42.paloaltonetworks.com/unit42-targeted-attacks-middle-east-using-kasperagent-micropsia/ 5 | * https://research.checkpoint.com/apt-map/ 6 | * https://www.clearskysec.com/micro-kasper/ 7 | 8 | ## YARA 9 | ```yara 10 | rule micropsia_2018 { 11 | meta: 12 | author = "jeFF0Falltrades" 13 | hash = "4c3fecea99a469a6daf2899cefe93d9acfd28a0b6c196592da47e917c53c2c76" 14 | 15 | strings: 16 | $gen_app_id = { 53 31 DB 69 93 08 D0 68 00 05 84 08 08 42 89 93 08 D0 68 00 F7 E2 89 D0 5B C3 } // 0x4072f0 loop which generates the unique "App ID" 17 | $get_temp_dir = { 68 00 04 00 00 8d 44 24 04 50 8b c7 e8 [4] 8b e8 55 e8 [2] fe ff } // 0x0042C689 func retrieving %TEMP% 18 | $str_install_appid = "ApppID.txt" wide ascii nocase 19 | 20 | condition: 
21 | 2 of them 22 | } 23 | ``` 24 | 25 | ## Sample Hashes 26 | ``` 27 | effa0e01adad08ae4bc787678ce67510d013a06d1a10d39ec6b19e2449e25fbd 28 | 26594039f3e5e1f3d592cb4b0f274891397c94b4ca63c7d3b43c1853c48e7281 29 | c96138fd93b18e5a1682f6d4405e724b88058e4d57a4e9566ff96a87a560bc18 30 | 33e901018808514def3c2d71ae54c1f38ea25675243a815937af3ada0de25808 31 | 4c3fecea99a469a6daf2899cefe93d9acfd28a0b6c196592da47e917c53c2c76 32 | 0732672e4274ba03e58cadceadf18c8ccb4ee6b7b643b96aff1675e708f1c514 33 | e36c51f19362447881e3953271fe1da835f2919a50e9e761f4ccffe3d52b23a7 34 | fe90cb8d549481833bf72ff7f9e1fdad72e5b886cfa52033771bbb0034b23c32 35 | ae254ab021632cb583071079b2be8af62ccfc232c687a515a716ea17bfa0db9b 36 | ``` 37 | 38 | ## Delivery URLs 39 | ``` 40 | https[:]//tinyurl[.]com/7412593655 --> https[:]//uc4688d6b7cd62aec5fe2018c3d1[.]dl[.]dropboxusercontent[.]com/cd/0/get/Akog8uik0czwfyn4c-3uKNkC7V8tgsjI09CbI6V8FbYhv2D0LGJ87ZjuVXVBnxX37VoUCKrJ-QY7Wq0qauwprW-jvyNArK1rrv3S4EreWmluGA/file?dl=1 41 | ``` 42 | -------------------------------------------------------------------------------- /APT/poshc2_apt_33.md: -------------------------------------------------------------------------------- 1 | # PoshC2 (specifically as used by APT33) 2 | 3 | ## Reporting 4 | * https://malpedia.caad.fkie.fraunhofer.de/details/win.poshc2 5 | * http://www.rewterz.com/rewterz-news/rewterz-threat-alert-iranian-apt-uses-job-scams-to-lure-targets 6 | * https://twitter.com/cti_marc/status/1194573048625729536 7 | 8 | ## YARA 9 | ```yara 10 | rule poshc2_apt_33_2019 { 11 | meta: 12 | author = "jeFF0Falltrades" 13 | desc = "Alerts on PoshC2 payloads which align with 2019 APT33 reporting (this will not fire on all PoshC2 payloads)" 14 | ref = "http://www.rewterz.com/rewterz-news/rewterz-threat-alert-iranian-apt-uses-job-scams-to-lure-targets" 15 | 16 | strings: 17 | $js_date = /\[datetime\]::ParseExact\("[0-9]+\/[0-9]+\/[0-9]+","dd\/MM\/yyyy",\$null/ 18 | $js_crypt = "System.Security.Cryptography" wide ascii 19 | 
$js_host = "Headers.Add(\"Host" wide ascii 20 | $js_proxy = "$proxyurl = " wide ascii 21 | $js_arch = "$env:PROCESSOR_ARCHITECTURE" wide ascii 22 | $js_admin = "[System.Security.Principal.WindowsBuiltInRole]::Administrator" wide ascii 23 | $hta_unescape = "%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%73%63%72%69%70%74%20%74%79%70%65%3d%22%74%65%78%74%2f%76%62%73%63%72%69%70%74%22%3e%5c%6e%53%75%62%20%41%75%74%6f%4f%70%65%6e%28%29" wide ascii 24 | $hta_hex = "202f7720312049455820284e65772d4f626a656374204e65742e576562436c69656e74292e446f776e6c6f6164537472696e672827687474703a2f2f352e3235322e3137382e32302f7261797468656f6e322d6a6f62732e6a706727293b" wide ascii 25 | $hta_powershell = "706f7765727368656c6c2e657865" wide ascii 26 | 27 | condition: 28 | 4 of ($js_*) or 2 of ($hta_*) 29 | } 30 | ``` 31 | 32 | ## Sample Hashes 33 | ``` 34 | afb46cd7278a77cfb28903bf221e68134f55032138850d6fefe70945dc8abfcf 35 | fe94fc7b2c6b75c2b68ad75a6b7020acd9f76a22f522a80285549de2fc565e87 36 | a40801441b60a3b0192e985265df655e34c94f9bee8346c0b62a8d3618ddf8cd 37 | 14985711a5aa14c6cded0f21db544706ba845de89866e06c59a9151e7dafe19f 38 | ce0f7048903c6c2ee5357e8678247ae19666e91058060a3d38e09e49a94047b7 39 | ``` 40 | 41 | ## Related Network IoCs 42 | ``` 43 | https[:]//213[.]227[.]155[.]25/babel-polyfill/6[.]3[.]14/ 44 | world-jobs[.]org 45 | global-careers[.]org 46 | dyn-intl[.]world-careers[.]org 47 | raytheonjobs[.]serveblog[.]net 48 | ``` 49 | -------------------------------------------------------------------------------- /APT/powerton_apt_33.md: -------------------------------------------------------------------------------- 1 | # POWERTON (APT33) 2 | 3 | ## Reporting 4 | * https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html 5 | * https://www.symantec.com/security-center/writeup/2019-062513-4935-99 6 | 7 | ## YARA 8 | ```yara 9 | rule apt_33_powerton { 10 | meta: 11 | author = "jeFF0Falltrades" 12 | hash = 
"6bea9a7c9ded41afbebb72a11a1868345026d8e46d08b89577f30b50f4929e85" 13 | 14 | strings: 15 | $str_wmi = "Adding wmi persist ..." wide ascii 16 | $str_registery = "Poster \"Registery Value With Name" wide ascii 17 | $str_upload = "(New-Object Net.WebClient).UploadFile(\"$SRVURL$address\", \"$fullFilePath" wide ascii 18 | $str_pass = "jILHk{Yu1}2i0h^xe|t,d+Cy:KBv!l?7" wide ascii 19 | $str_addr = "$address=\"/contact/$BID$($global:rndPost)/confirm" wide ascii 20 | $str_png = "$env:temp + \"\\\" + $(date -format dd-m-y-HH-mm-s) + \".png" wide ascii 21 | $str_msg = "/contact/msg/$BID$($global:rndPost)" wide ascii 22 | $str_ua = "Mozilla/5.0 (Windows NT $osVer; rv:38.0) Gecko/20100101 Thunderbird/38.1.0 Lightning/4.0.2" wide ascii 23 | $domain = "backupaccount.net" wide ascii 24 | 25 | condition: 26 | 2 of ($str*) or $domain 27 | } 28 | ``` 29 | 30 | ## Sample Hash 31 | ``` 32 | 6bea9a7c9ded41afbebb72a11a1868345026d8e46d08b89577f30b50f4929e85 33 | ``` 34 | 35 | ## Sample C2 36 | ``` 37 | backupaccount[.]net 38 | ``` 39 | -------------------------------------------------------------------------------- /Broadbased/agent_tesla.md: -------------------------------------------------------------------------------- 1 | # Agent Tesla 2 | 3 | ## Reporting 4 | * https://www.fortinet.com/blog/threat-research/analysis-of-new-agent-tesla-spyware-variant.html 5 | 6 | ## YARA 7 | ```yara 8 | rule agent_tesla_2019 { 9 | meta: 10 | author = "jeFF0Falltrades" 11 | hash = "717f605727d21a930737e9f649d8cf5d12dbd1991531eaf68bb58990d3f57c05" 12 | 13 | strings: 14 | $appstr_1 = "Postbox" wide ascii nocase 15 | $appstr_2 = "Thunderbird" wide ascii nocase 16 | $appstr_3 = "SeaMonkey" wide ascii nocase 17 | $appstr_4 = "Flock" wide ascii nocase 18 | $appstr_5 = "BlackHawk" wide ascii nocase 19 | $appstr_6 = "CyberFox" wide ascii nocase 20 | $appstr_7 = "KMeleon" wide ascii nocase 21 | $appstr_8 = "IceCat" wide ascii nocase 22 | $appstr_9 = "PaleMoon" wide ascii nocase 23 | $appstr_10 = "IceDragon" 
wide ascii nocase 24 | // XOR sequence used in several decoding sequences in final payload 25 | $xor_seq = { FE 0C 0E 00 20 [4] 5A 20 [4] 61 } 26 | 27 | condition: 28 | all of them and #xor_seq > 10 29 | } 30 | ``` 31 | 32 | ## Sample Hashes 33 | ``` 34 | 852532c0cafdb2d624b48749193f3c378d0536e7172cb1c04717b05e567b3235 35 | 3ea6abaca7ea51313aa5e377d99f3e391c7751614d39d5001bbfdb82bbcf1e40 36 | a3a84294c37b9201499bda040b70abb8c940fa4481df0c84dc59d5c0fc632938 37 | e354e63c4e25e8e2aab729887083154ffa32e7cc55a745365b08efb3a1a4fee6 38 | 26196e4d9df06630d29b0d5214d7d2de545adfe2b282f5ea054ce35ae35e4dd2 39 | 25961b30ec2cce43e4bf8404e1f4001b8063bcacaecc1e4c2bcf4f216dc9edc9 40 | 25961b30ec2cce43e4bf8404e1f4001b8063bcacaecc1e4c2bcf4f216dc9edc9 41 | ba2690ebff7c660724fd94e36b2a4320035c08003aa954d3fe3b6745a6b6d52f 42 | ba2690ebff7c660724fd94e36b2a4320035c08003aa954d3fe3b6745a6b6d52f 43 | b75f04b2ea1454088f26af1fac71badf8c4443ca4c4db0c7cf8b1775af47e567 44 | 4023bf1b700e03fc7ea689ef4d596dbe29dc8634c81c15b41a1929a2bf923dc0 45 | 717f605727d21a930737e9f649d8cf5d12dbd1991531eaf68bb58990d3f57c05 46 | 566af59702210f1302efb94acf4efcce7fea211eb4ca0db44e77315ea27dcbab 47 | cdc6c72044c7b495ec1cf2017ef661ae780460cbabe288d54a56355980ac5eb3 48 | 14775bf4fe92e8f313d31e9e83ec49429afc7dd90368e60d1c6e879efcf83478 49 | 0ed700cdee0bf51803bfe1b97605da74fbf20c02def3a835200fa751355a8c2d 50 | c898ea5531f1e66fdff14a58b9548843edfee323568136d12309cb73ad49488f 51 | a259ded5931e4dbf664b0df57987a30329eda282d19ae27c78234d9aaa0f85e6 52 | 827077e983c6f155f573f4418c58824e7775d264e8307f7f4541d94c7862bc60 53 | a802de8152216cb09c2a3840e96e271e27a4ac04fd5be2a77cf6b0a082d32672 54 | 0793e016deb35ff9cad2e75ffe3c79ac2e9f4a63f48760e198435abd1244281d 55 | d0d1497a95010e7bf76054da5a797b83667b92ea897e4f0b019a498e554dcd55 56 | 4e996b2d56134bd9c000936e973fa7666c21e610c591ae224b34992c443a8e5e 57 | 48b5edc78601f342221dd42e12275b626eb44e1944ecc744d97c29daef0cdbc2 58 | 
2eafab46d4d43c7fa25e24104a82cd80afb6b059332e62e911b2f3879dbc98bd 59 | ``` 60 | 61 | ## Sample C2 62 | ***NOTE: Many of the recent payloads use SMTP credentials for data exfil, not captured here as they must be manually parsed*** 63 | ``` 64 | checkip[.]amazonaws[.]com 65 | checkip[.]dyndns[.]com 66 | mail[.]trezaexim[.]com 67 | ``` 68 | -------------------------------------------------------------------------------- /Broadbased/ave_maria_warzone_rat.md: -------------------------------------------------------------------------------- 1 | # AVE MARIA (AKA AveMariaRAT or Warzone RAT) 2 | * _Note: Some consider Warzone RAT separate from AVE MARIA; I am choosing to include both in one ruleset due to their similarities until given sufficient reason to break them up._ 3 | 4 | ## Reporting 5 | * https://malpedia.caad.fkie.fraunhofer.de/details/win.ave_maria 6 | * https://blog.team-cymru.com/2019/07/25/unmasking-ave_maria/ 7 | * https://yoroi.company/research/the-ave_maria-malware/ 8 | 9 | ## YARA 10 | ```yara 11 | rule ave_maria_warzone_rat { 12 | meta: 13 | author = "jeFF0Falltrades" 14 | ref = "https://blog.team-cymru.com/2019/07/25/unmasking-ave_maria/" 15 | 16 | strings: 17 | $str_0 = "5.206.225.104/dll/" wide ascii 18 | $str_1 = "AVE_MARIA" wide ascii 19 | $str_2 = "MortyCrypter\\MsgBox.exe" wide ascii 20 | $str_3 = "cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q" wide ascii 21 | $str_4 = "ellocnak.xml" wide ascii 22 | $str_5 = "Hey I'm Admin" wide ascii 23 | $str_6 = "AWM_FIND" wide ascii 24 | $str_7 = "Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}" wide ascii 25 | $str_8 = "warzone" wide ascii 26 | 27 | condition: 28 | 3 of them 29 | } 30 | ``` 31 | 32 | ## Sample Hashes 33 | ``` 34 | 81043261988c8d85ca005f23c14cf098552960ae4899fc95f54bcae6c5cb35f1 35 | 1220012ee42e839b93697d0ded0a1d09f9d2844253915c77d9f02690bf57c3f4 36 | 531d967b9204291e70e3aab161a5b7f1001339311ece4f2eed8e52e91559c755 37 | 
a03764da06bbf52678d65500fa266609d45b972709b3213a8f83f52347524cf2 38 | 263433966d28f1e6e5f6ae389ca3694495dd8fcc08758ea113dddc45fe6b3741 39 | ...and so, so many more 40 | ``` 41 | -------------------------------------------------------------------------------- /Broadbased/azorult_plus_plus.md: -------------------------------------------------------------------------------- 1 | # Azorult++ 2 | 3 | ## Reporting 4 | * https://securelist.com/azorult-analysis-history/89922/ 5 | 6 | ## YARA 7 | ```yara 8 | import "pe" 9 | 10 | rule azorult_plus_plus { 11 | meta: 12 | author = "jeFF0Falltrades" 13 | hash = "9d6611c2779316f1ef4b4a6edcfdfb5e770fe32b31ec2200df268c3bd236ed75" 14 | 15 | strings: 16 | $rdp = "netsh firewall add portopening TCP 3389 \"Remote Desktop\"" wide ascii nocase 17 | $list_1 = "PasswordsList.txt" wide ascii nocase 18 | $list_2 = "CookieList.txt" wide ascii nocase 19 | $coin_1 = "Ethereum\\keystore" wide ascii nocase 20 | $c2_1 = ".ac.ug" wide ascii nocase 21 | $hide_user = "Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\Userlist" wide ascii nocase 22 | $pdb = "azorult_new.pdb" wide ascii nocase 23 | $lang_check = { FF 15 44 00 41 00 0F B7 C0 B9 19 04 00 00 66 3B C1 } // call ds:GetUserDefaultLangID; movzx eax, ax; mov ecx, 419h; cmp ax, cx 24 | 25 | condition: 26 | $pdb or 5 of them or pe.imphash() == "e60de0acc6c7bbe3988e8dc00556d7b9" 27 | } 28 | ``` 29 | 30 | ## Sample Hashes 31 | ``` 32 | 9d6611c2779316f1ef4b4a6edcfdfb5e770fe32b31ec2200df268c3bd236ed75 33 | d40fe5d71016f09035543b3686679be070ced21762c054750a96517929fac28c 34 | 79d77a60e2fd74542fed9c422f2cc2209adbee6f7ed6f0c0f93b01c1cec65a4b 35 | 388259fad4828dc37ffee14430de8ddfc7939008e1ff5c797952c01e59934073 36 | a2217739290393aef966a2a8265a970f2efb37e78795036e7a6af037982e43fc 37 | 9ef3ca7f675165e1b64b4ec4766874f3293319975b72767401a1a6c545538f0d 38 | 5ec0b1c700f7f48c5a718e1e472d71b44af51b19874091836b2901b62197f2a4 39 | 
939c4606178c3035a5787e2e6bdc0926f62045a181d822c309fc065a177e55c3 40 | 10fcbb0a7f7156c7c090ec14bdc621870a29933417cbd0e86599d67ba872309c 41 | 546f31401d79fb61ef9883a9b460b7c0a53156daaad25d0867ebc3351c0a58e9 42 | 1d52dff8e87cd957683836345513c665700f41a1ede71aefc6806bc0bc6d94e6 43 | f38a801a0a91e1218bfe85d766e7c647baddc77bf8fdeb58704071e54c525973 44 | c38997688f5a8b6efad3e78e368c48252e1c9d3b5a30d8d5218eacfe182ca464 45 | 0fa4a8b214e156a21812ced89733e79e8b5d070d63693e6e2f38306e1f66899d 46 | 38b49c53f496bfdec7294b240600f6cca0db783a6d669f42f0f1a6d3da203448 47 | 00ee298cd81fac628e8cb9a9e5bf480dcde43858f60f1d5d16ad46d5c2718e67 48 | fa4d8040427c96f29edbc06e1ae89e52ac385d2cf8291d29185789e85d40969b 49 | f705a22400466c382462d82e7040b72841cc458cec9d19a8d66e5bfbd4e663b9 50 | df0191de79306193b7bebc9594c9f454e7c42bd53f8e93e02b5903bcdcf33b7e 51 | 60d47ef7ffd83322ec16006175ecee6f6875c7f998bb83daac2a6b8bcad7be3b 52 | 4daf0646b1ced5c12dee05c43a952dcde22110cc764b0bb565811d7321fb2192 53 | cc127fd85514fdefae788cc63808b18bdc238f86284b075674a17dd292dcce70 54 | ``` 55 | 56 | ## Sample C2 57 | ``` 58 | http[:]//ravor[.]ac[.]ug/ 59 | http[:]//rsman[.]ac[.]ug/ 60 | ``` 61 | -------------------------------------------------------------------------------- /Broadbased/blackremote_blackrat.md: -------------------------------------------------------------------------------- 1 | # Blackremote (AKA BlackRAT) 2 | 3 | ## Reporting 4 | * https://unit42.paloaltonetworks.com/blackremote-money-money-money-a-swedish-actor-peddles-an-expensive-new-rat/ 5 | * https://malpedia.caad.fkie.fraunhofer.de/details/win.blackremote 6 | 7 | ## YARA 8 | ```yara 9 | rule blackremote_blackrat_payload_2020 10 | { 11 | meta: 12 | author = "jeFF0Falltrades" 13 | ref = "https://unit42.paloaltonetworks.com/blackremote-money-money-money-a-swedish-actor-peddles-an-expensive-new-rat/" 14 | 15 | strings: 16 | $str_vers_1 = "16.0.0.0" wide ascii 17 | $str_vers_2 = "16.2.0.0" wide ascii 18 | $re_c2_1 = 
/%\*%\|[A-Z0-9]+?\|%\*%\|[A-Z0-9]+?\|%\*%\|[A-Z0-9]+?\|%\*%\|[A-Z0-9]+?/ wide ascii 19 | $re_c2_2 = /\|!\*!\|\|!\*!\|/ wide ascii 20 | $hex_rsrc = { 06 12 09 28 ?? 00 00 0A 6F ?? 00 00 0A 06 12 09 28 ?? 00 00 0A 6F ?? 00 00 0A 06 12 09 28 ?? 00 00 0A 6F ?? 00 00 0A } 21 | 22 | condition: 23 | 2 of them and (1 of ($re*) or $hex_rsrc) 24 | } 25 | 26 | rule blackremote_blackrat_proclient_2020 27 | { 28 | meta: 29 | author = "jeFF0Falltrades" 30 | ref = "https://unit42.paloaltonetworks.com/blackremote-money-money-money-a-swedish-actor-peddles-an-expensive-new-rat/" 31 | 32 | strings: 33 | $str_0 = "K:\\5.0\\Black Server 5.0\\BlackServer\\bin\\Release\\BlackRATServerM.pdb" wide ascii nocase 34 | $str_1 = "BlackRATServerM.pdb" wide ascii nocase 35 | $str_2 = "RATTypeBinder" wide ascii nocase 36 | $str_3 = "ProClient.dll" wide ascii nocase 37 | $str_4 = "Clientx.dll" wide ascii nocase 38 | $str_5 = "FileMelting" wide ascii nocase 39 | $str_6 = "Foxmail.url.mailto\\Shell\\open\\command" wide ascii nocase 40 | $str_7 = "SetRemoteDesktopQuality" wide ascii nocase 41 | $str_8 = "RecoverChrome" wide ascii nocase 42 | $str_9 = "RecoverFileZilla" wide ascii nocase 43 | $str_10 = "RemoteAudioGetInfo" wide ascii nocase 44 | 45 | condition: 46 | 4 of them 47 | } 48 | ``` 49 | 50 | ## Sample Hashes 51 | ``` 52 | d7a80e707fe7febd8a4de922f15f1419b679fe8f3420a4a8ccf2bd2bb64c52e5 53 | 2b3cda455f68a9bbbeb1c2881b30f1ee962f1c136af97bdf47d8c9618b980572 54 | 105cab9c9604238c05be167c6d8d47cd2bc0427b07ede08c5571b581ebd80001 55 | 1737cf3aec9f56bb79a0c4e3010f53536c36a1fbeeedea81b6d7b66074ecffbe 56 | 3eda427ad5816e6dcf077562a367f71e8bdf5aa931e594416ae445357c12b409 57 | 93bfbd4b12a17732c8b7e66c554f98187184c6d845bd02e0dbb2104ce8da0453 58 | c207cf50305f126451e2dc5493d83614fdf801541d011e5002ee5daea2b4433b 59 | e1bf5d2ef3a4f922f9a15ab76de509213f086f5557c9e648126a06d397117d80 60 | 901e06cd91adb7255d75781ef98fac71d17f7bed074a52147bdbd42ea551b34f 61 | 
129491bfdd9a80d5c6ee1ce20e54c9fb6deb2c1e1713e4545b24aa635f57a8b9 62 | 931839ee649da42b0ee3ac5f5dfa944b506336c7f4e5beb3fc07a6b35a7e6383 63 | 0c63983cb38d187c187f373852d7b87ff4e41ea0d77d75907aa3388ad957f38f 64 | ``` 65 | -------------------------------------------------------------------------------- /Broadbased/darktrack_rat.md: -------------------------------------------------------------------------------- 1 | # Darktrack RAT 2 | 3 | ## Reporting 4 | * https://news.softpedia.com/news/free-darktrack-rat-has-the-potential-of-being-the-best-rat-on-the-market-508179.shtml 5 | * https://cracked.to/Thread-Release-RAT-Dark-track-alien-4-1 6 | * https://www.facebook.com/darktrackrat/ 7 | 8 | ## YARA 9 | ```yara 10 | import "pe" 11 | 12 | rule darktrack_rat { 13 | meta: 14 | author = "jeFF0Falltrades" 15 | hash = "1472dd3f96a7127a110918072ace40f7ea7c2d64b95971e447ba3dc0b58f2e6a" 16 | ref = "https://news.softpedia.com/news/free-darktrack-rat-has-the-potential-of-being-the-best-rat-on-the-market-508179.shtml" 17 | 18 | strings: 19 | $dt_pdb = "C:\\Users\\gurkanarkas\\Desktop\\Dtback\\AlienEdition\\Server\\SuperObject.pas" wide ascii 20 | $dt_pas = "SuperObject.pas" wide ascii 21 | $dt_user = "].encryptedUsername" wide ascii 22 | $dt_pass = "].encryptedPassword" wide ascii 23 | $dt_yandex = "\\Yandex\\YandexBrowser\\User Data\\Default\\Login Data" wide ascii 24 | $dt_alien_0 = "4.0 Alien" wide ascii 25 | $dt_alien_1 = "4.1 Alien" wide ascii 26 | $dt_victim = "Local Victim" wide ascii 27 | 28 | condition: 29 | (3 of ($dt*)) or pe.imphash() == "ee46edf42cfbc2785a30bfb17f6da9c2" or pe.imphash() == "2dbff3ce210d5c2b4ba36c7170d04dc2" 30 | } 31 | ``` 32 | 33 | ## Sample Hashes 34 | ``` 35 | dd656da791d7894410c7280c63be6212eb1f7e3ac75cd9d11a4a7f4bb2784234 36 | 7ddcf0910b52de0c7030c2d5990055c7b07db78701d157e4a139effdbfaf2eb1 37 | 5321e90067076894a2118606ef01f23c2e1668c82e594068ac336b546add36c1 38 | 1bd03e9e6a5a50916545c74e9649f4d2a7e3471f7df565152a41c584639e5178 39 | 
4534f569c0e1eeea56bb336f2876f64214c9d68b39d40d3e430a1541043fa348 40 | 7a525beb09b87eab75b1123597d407cbcf01b15055220804dda650fe13bd63fa 41 | 500c3bd28257a9b071bc0acc09f528f1df30fbccf87fb88b2f4e3267ecd593cc 42 | ``` -------------------------------------------------------------------------------- /Broadbased/engwultimate.md: -------------------------------------------------------------------------------- 1 | # EngWUltimate (aka Eng Whiz or Engr Whizzy) 2 | 3 | ## Reporting 4 | * https://twitter.com/malwareforme/status/875091677807079424 5 | 6 | ## YARA 7 | ```yara 8 | rule EngWUltimate { 9 | meta: 10 | author = "jeFF0Falltrades" 11 | hash = "953b1b99bb5557fe86b3525f28f60d78ab16d56e9c3b4bbe75aba880f18cb6ad" 12 | 13 | strings: 14 | $b64_1 = "ZG8gbm90IHNjcmlwdA==" wide ascii // do not script 15 | $b64_2 = "Q2xpcEJvYXJkIExvZw==" wide ascii // ClipBoard Log 16 | $b64_3 = "RW5nIFdpe" wide ascii // Eng Wiz 17 | $b64_4 = "SEtFWV9DVVJSRU5UX1VTRVJcU29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25c" wide ascii // HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ 18 | $b64_5 = "Q3JNb2RNbmdy" wide ascii // CrModMngr 19 | $b64_6= "JVBER" wide ascii // Embedded data 20 | $b64_7 = "qQAAMAAAAEAAAA" wide ascii // Embedded data 21 | $str_1 = "Eng Wiz" wide ascii nocase 22 | $str_2 = "Engr Whizzy" wide ascii nocase 23 | $str_3 = "ClipBoard Log" wide ascii 24 | $str_4 = "Keylogger Log" wide ascii 25 | $str_pdb = "C:\\Users\\USER\\AppData\\Roaming\\System\\jobs" wide ascii nocase 26 | // ᚰᚣᛓᚦᚸᚸ᚜ᚨᚻᚼᚱᚻ --> decodes to SEtFWV9DVVJSRU5UX1VTRVJcU29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVu --> decodes to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 27 | $hex_reg = { b0 16 a3 16 d3 16 a6 16 b8 16 b8 16 9c 16 a8 16 bb 16 bc 16 b1 16 bb 16 } 28 | // MD5 hashing func 29 | $hex_md5_func = { 73 46 01 00 0A 0A 28 30 01 00 0A 02 6F 98 00 00 0A 0B 1F ?? 
28 7D 00 00 0A } 30 | 31 | condition: 32 | uint16(0) == 0x5A4D and ((3 of ($b64*)) or (3 of ($str*)) or (any of ($hex*))) 33 | } 34 | ``` 35 | 36 | ## Sample Hashes 37 | ``` 38 | 8aff01ed4cac3d70f4ea0500146078af77cefcb8ebba86976ddaf3df005facf6 39 | 500cff9ba9d7b2632e61b0bcc8cbfd2f121f693efd4819932c9becf3d4d9d793 40 | bb70dcdaa7ab425dbc04c841146e337c6ce0e2785bd1ee58e20f35dc310280a1 41 | 8e7ce09e1ebd3b7615b40c33b223732e11904bf967f9bc6242e0c2db2b82f326 42 | c37175835189c295600b3a0c834e0b072f4f6afe05e3cae15172c3f4b1a9d36c 43 | fc925bba0b3237445eea496be4ec85081e53ac2b63178da6328815b41f695b5c 44 | 28dd5a6ff7b507cad6d6017bd76f2bfc3c4cbdb0e540220ed7a0d8bc0b7d78be 45 | 49f5adde0e35b8d660ef5429844e509dc570165cb057ca7235108fa4dee465e3 46 | 497c438592c2f769ea5c1ae74f98ddc162cf54791d540db7e2ec6999e59f5939 47 | cc078932d515993c6882ca14e6ec3945e78a780315d1c9d89efb001a286cedee 48 | 3963a3935b22c8c0e0114d1d65c4c26b54aeaa2204d6a0e8a7138c6a9180dd59 49 | ``` 50 | 51 | ## C2 Pattern 52 | ``` 53 | htt[p|s]://domain.[com|tk|usa.cc|???]/[a-z].php?[0-9]+ 54 | ``` 55 | 56 | ## Sample C2s 57 | ``` 58 | http[:]//litespidchk[.]tk/b[.]php?114 59 | http[:]//devcommsync[.]tk/0[.]php?179 60 | http[:]//locdbmngr[.]tk/l[.]php?8406129 61 | http[:]//locdbmngr[.]c0m.at/l[.]php?7435800 62 | http[:]//locdbmngr[.]usa.cc/l[.]php?990831 63 | http[:]//locdbmngr[.]tk/l[.]php?1841837 64 | http[:]//locdbmngr[.]c0m.at/l[.]php?1493172 65 | http[:]//locdbmngr[.]usa.cc/l[.]php?7556458 66 | http[:]//locdbmngr[.]tk/l[.]php?8963871 67 | http[:]//locdbmngr[.]c0m.at/l[.]php?5027157 68 | http[:]//locdbmngr[.]usa.cc/l[.]php?4678492 69 | http[:]//locdbmngr[.]tk/l[.]php?6085906 70 | http[:]//guimacdgt[.]tk/e[.]php?103 71 | http[:]//extlanweb.ze[.]tc/o[.]php?89 72 | http[:]//extlanweb[.]tk/o[.]php?91 73 | http[:]//extlanweb[.]com/o[.]php?140 74 | http[:]//directsvrs[.]tk/s[.]php?149 75 | ``` -------------------------------------------------------------------------------- /Broadbased/formbook.md: 
-------------------------------------------------------------------------------- 1 | # Formbook 2 | 3 | ## Reporting 4 | * https://thisissecurity.stormshield.com/2018/03/29/in-depth-formbook-malware-analysis-obfuscation-and-process-injection/ 5 | * https://www.cyberbit.com/blog/endpoint-security/formbook-research-hints-large-data-theft-attack-brewing/ 6 | 7 | ## YARA 8 | ```yara 9 | // Fires on Formbook VB6 initial and extracted files 10 | rule formbook_vb { 11 | meta: 12 | author = "jeFF0Falltrades" 13 | ref = "https://thisissecurity.stormshield.com/2018/03/29/in-depth-formbook-malware-analysis-obfuscation-and-process-injection/" 14 | 15 | strings: 16 | $hex_set_info = { 68 65 73 73 00 68 50 72 6F 63 68 74 69 6F 6E 68 6F 72 6D 61 68 74 49 6E 66 68 4E 74 53 65 54 EB 2C } 17 | $hex_decode_loop = { 81 34 24 [4] 83 E9 03 E0 F1 FF 34 0E 81 34 24 } 18 | $hex_anti_check = { 80 78 2A 00 74 3D 80 78 2B 00 74 37 80 78 2C 00 75 31 80 78 2D 00 75 2B 80 78 2E 00 74 25 80 78 2F 00 75 1F 80 78 30 00 74 19 80 78 31 00 75 13 80 78 32 00 74 0D 80 78 33 00 } 19 | $hex_precheck = { E8 AE FA FF FF 3D 00 03 00 00 0F 9F C2 56 88 56 35 E8 3D FC FF FF 56 E8 E7 F6 FF FF 56 E8 41 F9 FF FF 56 E8 AB F7 FF FF 56 E8 F5 DE FF FF } 20 | $str_marker = "r5.oZe/gg" wide ascii 21 | 22 | condition: 23 | 2 of them 24 | } 25 | ``` 26 | 27 | ## Sample Hashes 28 | ``` 29 | 9f1f7b561908f8effd0bd02dfba51178449c70f1420f89ac8f9a8bd08e28fa74 30 | 1ce17200496c6ffbbfe6220fa147f7599edce5a4dfb27a0afe14e072ceca5eb6 31 | 4e425e87fe99e62fb97a6a394638c7020b1fe2df3f814e77e3f9167def61e136 32 | 18800181c19e057ab483fe36354782a389a1fa1e68e469bb90a3274f4e8b6187 33 | 8203cca6a131c92b99a69777c4b4584c20d69a58c68b76c46d579dfb4c41f64d 34 | 61fc6c393dfa741ca4f50a1e44bd5f854f8a0240e2527958ea1cac5fb21eb6bb 35 | ``` 36 | -------------------------------------------------------------------------------- /Broadbased/frat.md: -------------------------------------------------------------------------------- 1 | # FRat 2 | 3 | *Note: I have 
not seen much coverage of this malware family.* 4 | 5 | *The name 'FRat' was derived from research by @James_inthe_box, seen in the linked Tweet thread below.* 6 | 7 | *If you have more information on this threat, please contact me on Twitter* 8 | 9 | A RAT employing Node.js, Sails, and Socket.IO to collect information on a target. 10 | 11 | 12 | ## Reporting 13 | * https://twitter.com/jeFF0Falltrades/status/1270709679375646720 (H/T @James_inthe_box) 14 | * https://twitter.com/_re_fox/status/1210623985832153088 (H/T @_re_fox) 15 | 16 | ## Snort/Suricata 17 | * https://twitter.com/James_inthe_box/status/1270804510957428736 (H/T @James_inthe_box) 18 | 19 | ## YARA 20 | ```yara 21 | rule frat_loader { 22 | meta: 23 | author = "jeFF0Falltrades" 24 | ref = "https://twitter.com/jeFF0Falltrades/status/1270709679375646720" 25 | 26 | strings: 27 | $str_report_0 = "$ReportDone = Get-BDE" wide ascii 28 | $str_report_1 = "$Report = Get-BDE" wide ascii 29 | $str_img_0= "$ImgURL = Get-BDE" wide ascii 30 | $str_img_1 = "Write-Host 'No Image'" wide ascii 31 | $str_img_2 = "$goinf + \"getimageerror\"" wide ascii 32 | $str_link = "$eLink = Get-BDE" wide ascii 33 | $str_tmp_0 = "$Shortcut.WorkingDirectory = $TemplatesFolder" wide ascii 34 | $str_tmp_1 = "TemplatesFolder = [Environment]::GetFolderPath" wide ascii 35 | $str_tmp_2 = "$vbout = $($TemplatesFolder)" wide ascii 36 | $str_shurtcut = "Get-Shurtcut" wide ascii 37 | $str_info_0 = "info=LoadFirstError" wide ascii 38 | $str_info_1 = "info=LoadSecondError" wide ascii 39 | $str_info_2 = "getimagedone?msg" wide ascii 40 | $str_info_3 = "donemanuel?id" wide ascii 41 | $str_info_4 = "getDone?msg" wide ascii 42 | $str_info_5 = "getManualDone?msg" wide ascii 43 | 44 | condition: 45 | 3 of them 46 | } 47 | 48 | rule frat_executable { 49 | meta: 50 | author = "jeFF0Falltrades" 51 | ref = "https://twitter.com/jeFF0Falltrades/status/1270709679375646720" 52 | 53 | strings: 54 | $str_path_0 = "FRat\\\\Short-Port" wide ascii 55 | $str_path_1 = 
"FRatv8\\\\Door\\\\Stub" wide ascii 56 | $str_path_2 = "snapshot\\\\Stub\\\\V1.js" wide ascii 57 | $str_sails = "sails.io" wide ascii 58 | $str_crypto = "CRYPTOGAMS by " wide ascii 59 | $str_socketio = "socket.io-client" wide ascii 60 | 61 | condition: 62 | 3 of them 63 | } 64 | ``` 65 | 66 | ## Sample Hashes 67 | ### FRat Loader Scripts 68 | ``` 69 | dc948f4aacc765b1fbdd58372bb847750fcf08544841ef4a44454da8e3b46bae 70 | 1fa16740010c3608870f4b14ccc33cd58417648d0e26a417b0e125bc4671e70a 71 | e1a982ab68b5fd14c6723eab266d371184d395ad8e22a9d3cd93ba1c9c228458 72 | ``` 73 | 74 | ### FRat Executables 75 | ``` 76 | b330cd9151ebb66615ef6c16ab60b41dd312356505ee10a02f85bccfedda3948 77 | 0aa12e18ff73617f4c12a82dc35980ec1edbb9e0fdadfaa8dcf964c70ccfbe7e 78 | dd011c1e7417131018d25543880d96c0c1ff44a6c4454b9020a183b69da80b9f 79 | a9552d16e9c6c1a2ceb9d8ae52725cbcdac331908c37f253299d399e12c63018 80 | 804f30400752e1bfaf21b2f37fffb99c34876372b95181aca98dbb04efe19368 81 | 0f25d3cf1a783e4e0d70fba2fa0b87e2ed74bff26a4da6890dac36ba99a72726 82 | 1345900b66f803046730cd9c3a4465777a28e004f8de6b19f9e8ce948397f57a 83 | ``` 84 | 85 | ## Sample C2 86 | ``` 87 | go[.]ehades[.]best 88 | go[.]ehades[.]best:8443/socket.io/?__sails_io_sdk_version=1.2.1&__sails_io_sdk_platform=node&__sails_io_sdk_language=javascript&EIO=3&transport=websocket 89 | e[.]hemera[.]best 90 | v[.]hemera[.]best 91 | paravan[.]duckdns[.]org 92 | download[.]xn--screensht-nsd[.]net 93 | travma.duckdns[.]org 94 | ``` 95 | -------------------------------------------------------------------------------- /Broadbased/kleptoparasite.md: -------------------------------------------------------------------------------- 1 | # KleptoParasite 2 | 3 | ## Reporting 4 | * https://malpedia.caad.fkie.fraunhofer.de/details/win.kleptoparasite_stealer 5 | 6 | ## YARA 7 | ```yara 8 | rule kleptoparasite { 9 | meta: 10 | author = "jarcher" 11 | hash = "2109fdb52f63a8821a7f3efcc35fa36e759fe8b57db82aa9b567254b8fb03fb1" 12 | 13 | strings: 14 | $str_full_pdb 
= "E:\\Work\\HF\\KleptoParasite Stealer 2018\\Version 3\\3 - 64 bit firefox n chrome\\x64\\Release\\Win32Project1.pdb" wide ascii nocase 15 | $str_part_pdb_1 = "KleptoParasite" wide ascii nocase 16 | $str_part_pdb_2 = "firefox n chrome" wide ascii nocase 17 | $str_sql= "SELECT origin_url, username_value, password_value FROM logins" wide ascii nocase 18 | $str_chrome_32 = "
Google Chrome 32bit NOT INSTALLED" wide ascii nocase 19 | $str_firefox_32 = "
FireFox 32bit NOT INSTALLED" wide ascii nocase 20 | $str_chrome_64 = "
Google Chrome 64bit NOT INSTALLED" wide ascii nocase 21 | $str_firefox_64 = "
FireFox 64bit NOT INSTALLED" wide ascii nocase 22 | $str_outlook_32 = "Microsoft Outlook 32 bit" wide ascii nocase 23 | $str_outlook_64 = "Microsoft Outlook 64 bit" wide ascii nocase 24 | $str_outlook_prof = "Outlook\\Profiles\\Outlook\\" wide ascii 25 | $str_obf = "naturaleftouterightfullinnercross" wide ascii nocase 26 | $str_c2 = "ftp.totallyanonymous.com" wide ascii nocase 27 | $str_fn = "fc64.exe" wide ascii nocase 28 | $str_ip = "myexternalip.com/raw" wide ascii 29 | $str_ret = "IP retriever" wide ascii 30 | $str_dxwrk = "DXWRK.html" wide ascii 31 | 32 | condition: 33 | 3 of them 34 | } 35 | ``` 36 | 37 | ## Sample Hashes 38 | ``` 39 | 2109fdb52f63a8821a7f3efcc35fa36e759fe8b57db82aa9b567254b8fb03fb1 40 | 05a6a1bf352673dfd6ce40a74e70b1b65da839dba0cb2f058a702f4f9d99d415 41 | a153178a7fa6cf7a1d983044414c1a2bfd0cc803bea032fd06f5e1a770be8cec 42 | b30a8d6399e97ab14306c92cb493e2452437637f6f951cc7074e46edb7ea5e85 43 | 764b8e0901100b9bda07db4fc2f7de719dc14b3a828d2f05b9616c2a49b182d2 44 | 858c52f842df33640f505f1944a2032ba338a2ad819bab785693479cf82874f0 45 | c68656ecf0879bc12f386e98005f142f12210866a877e1d10550690c041f03f6 46 | 5f0534dcbd1345ad38ac00a75a8f82b9dd36ac809315bd4662ecad894437fccb 47 | 5d316d95ad1d04e927fb21a099d1419563ac13f976e994c462740d3f8c97556d 48 | 860e0a164afffb5eba5ee403a8c16482c4b212249cf70468ce45648147f5dccf 49 | 9a96149acffebb4209a7c94eaff4d46c205e3f9648ea9bd2739235147104c81f 50 | 9ffad2113118175a24c6d0d5641a02b8a43794fee22984142d7fb56999bf8a62 51 | 7ffcb6b724343df1024e663f8d4edd6723dfdd3f103e383f64f0e76842f981f8 52 | bd045d5ecb770c80d194578536f9c5e9ff0cce1f2f99c82ce59cdf801a2daaa0 53 | ``` 54 | 55 | ## Sample C2 56 | ``` 57 | ftp[.]totallyanonymous[.]com 58 | ``` 59 | -------------------------------------------------------------------------------- /Broadbased/lockergoga.md: -------------------------------------------------------------------------------- 1 | # LockerGoga 2 | 3 | ## Reporting 4 | * 
https://doublepulsar.com/how-lockergoga-took-down-hydro-ransomware-used-in-targeted-attacks-aimed-at-big-business-c666551f5880 5 | * https://labsblog.f-secure.com/2019/03/27/analysis-of-lockergoga-ransomware/ 6 | 7 | ## YARA 8 | ```yara 9 | rule lockergoga { 10 | meta: 11 | author = "jeFF0Falltrades" 12 | hash = "bdf36127817413f625d2625d3133760af724d6ad2410bea7297ddc116abc268f" 13 | 14 | strings: 15 | $dinkum = "licensed by Dinkumware, Ltd. ALL RIGHTS RESERVED" wide ascii nocase 16 | $ransom_1 = "You should be thankful that the flaw was exploited by serious people and not some rookies." wide ascii nocase 17 | $ransom_2 = "Your files are encrypted with the strongest military algorithms RSA4096 and AES-256" wide ascii nocase 18 | $str_1 = "(readme-now" wide ascii nocase 19 | $mlcrosoft = "Mlcrosoft" wide ascii nocase 20 | $mutex_1 = "MX-tgytutrc" wide ascii nocase 21 | $cert_1 = "16 Australia Road Chickerell" wide ascii nocase 22 | $cert_2 = { 2E 7C 87 CC 0E 93 4A 52 FE 94 FD 1C B7 CD 34 AF } // MIKL LIMITED 23 | $cert_3 = { 3D 25 80 E8 95 26 F7 85 2B 57 06 54 EF D9 A8 BF } // CCOMODO RSA Code Signing CA 24 | $cert_4 = { 4C AA F9 CA DB 63 6F E0 1F F7 4E D8 5B 03 86 9D } // COMODO SECURE 25 | 26 | condition: 27 | 4 of them 28 | } 29 | ``` 30 | 31 | ## Sample Hashes 32 | ``` 33 | bdf36127817413f625d2625d3133760af724d6ad2410bea7297ddc116abc268f 34 | 8cfbd38855d2d6033847142fdfa74710b796daf465ab94216fbbbe85971aee29 35 | bef41d3c76aa98e774ca0185eb5d37da7bf128e3d855ebc699fed90f3988c7d3 36 | 5b0b972713cd8611b04e4673676cdff70345ac7301b2c23173cdfeaff564225c 37 | 6e69548b1ae61d951452b65db15716a5ee2f9373be05011e897c61118c239a77 38 | c7a69dcfb6a3fe433a52a71d85a7e90df25b1db1bc843a541eb08ea2fd1052a4 39 | c3d334cb7f6007c9ebee1a68c4f3f72eac9b3c102461d39f2a0a4b32a053843a 40 | f3c58f6de17d2ef3e894c09bc68c0afcce23254916c182e44056db3cad710192 41 | C97d9bbc80b573bdeeda3812f4d00e5183493dd0d5805e2508728f65977dda15 42 | b8dedd74f8f474c97d53d313eb5a61d09fc020e91aa09c36711bac5cc123b6d7 (Ransom 
Note) 43 | ``` 44 | -------------------------------------------------------------------------------- /Broadbased/megacortex.md: -------------------------------------------------------------------------------- 1 | # MegaCortex 2 | 3 | ## Reporting 4 | * https://news.sophos.com/en-us/2019/05/03/megacortex-ransomware-wants-to-be-the-one/ 5 | * https://twitter.com/GossiTheDog/status/1124403699508551680 6 | * https://www.accenture.com/us-en/blogs/blogs-megacortex-business-disruption 7 | 8 | ## YARA 9 | ```yara 10 | import "pe" 11 | 12 | // Fires on discovered MegaCortex samples using certificate signatures 13 | rule megacortex_payload { 14 | meta: 15 | author = "jeFF0Falltrades" 16 | reference = "https://news.sophos.com/en-us/2019/05/03/megacortex-ransomware-wants-to-be-the-one/" 17 | 18 | condition: 19 | uint16(0) == 0x5a4d and ((for any i in (0..pe.number_of_signatures) : (pe.signatures[i].serial == "04:c7:cd:cc:16:98:e2:5b:49:3e:b4:33:8d:5e:2f:8b" or pe.signatures[i].serial == "71:a0:b7:36:95:dd:b1:af:c2:3b:2b:9a:18:ee:54:cb" or pe.signatures[i].serial == "5a:59:a6:86:b4:a9:04:d0:fc:a0:71:53:ea:6d:b6:cc")) or pe.imphash() == "81da9241b26f498f1f7a1123ab76bb9d" or pe.imphash() == "ac3a9bb6fa7b3e8b91bfebe68b0d501b" or pe.imphash() == "17c56ef351018d9d9dabf0025a0394ac") 20 | } 21 | 22 | // Fires on the batch file used to stop AV/other services running prior to executing the MegaCortex payload (NOTE: May not be exclusive to MegaCortex) 23 | rule megacortex_av_bat { 24 | meta: 25 | author = "jeFF0Falltrades" 26 | 27 | strings: 28 | $str_1 = "taskkill /IM agntsvc.exe /Ftaskkill /IM dbeng50.exe /F" 29 | $str_2 = "net stop SQLAgent$SOPHOS /ynet stop AVP /y" 30 | $str_3 = "net stop \"Sophos Clean Service\" /y" 31 | $str_4 = "net stop \"Sophos Device Control Service\" /y" 32 | $str_5 = "net stop \"Sophos File Scanner Service\" /y" 33 | $str_6 = "net stop \"Sophos Health Service\" /y" 34 | $str_7 = "net stop \"Sophos MCS Agent\" /y" 35 | $str_8 = "net stop \"Sophos MCS Client\" 
/y" 36 | $str_9 = "net stop \"Sophos Message Router\" /y" 37 | $str_10 = "net stop \"Sophos Safestore Service\" /y" 38 | $str_11 = "net stop \"Sophos System Protection Service\" /y" 39 | $str_12 = "net stop \"Sophos Web Control Service\" /y" 40 | $str_13 = "sc config VeeamHvIntegrationSvc start= disabled" 41 | $str_14 = "sc config MSSQL$VEEAMSQL2012 start" 42 | $str_15 = "sc config SQLAgent$CXDB start= disabled" 43 | $str_16 = "taskkill /IM zoolz.exe /F" 44 | $str_17 = "taskkill /IM agntsvc.exe /Ftaskkill /IM dbeng50.exe /F" 45 | $str_18 = "taskkill /IM wordpad.exe /F" 46 | $str_19 = "taskkill /IM xfssvccon.exe /F" 47 | $str_20 = "taskkill /IM tmlisten.exe /F" 48 | $str_21 = "taskkill /IM PccNTMon.exe /F" 49 | $str_22 = "taskkill /IM CNTAoSMgr.exe /F" 50 | $str_23 = "taskkill /IM Ntrtscan.exe /F" 51 | $str_24 = "taskkill /IM mbamtray.exe /F" 52 | $str_25 = "iisreset /stop" 53 | 54 | condition: 55 | 5 of them 56 | } 57 | 58 | // Fires on the ransom note left behind MegaCortex ("!!!_READ_ME_!!!.txt") 59 | rule megacortex_ransom { 60 | meta: 61 | author = "jeFF0Falltrades" 62 | 63 | strings: 64 | $megacortex = "corrupted with MegaCortex" nocase 65 | $tsv = ".tsv" 66 | $morpheus = "We can only show you the door" 67 | $files = "email to us 2 files from random computers" 68 | $email_1 = "shawhart1542925@mail.com" 69 | $email_2 = "anderssperry6654818@mail.com" 70 | $email_3 = "ezequielgramlich6204294@mail.com" 71 | $email_4 = "cammostyn9012404@mail.com" 72 | 73 | condition: 74 | 2 of them 75 | } 76 | 77 | // (WIP) Fires on meterpreter payloads found beaconing to a C2 discovered in the MegaCortex attacks (89[.]105[.]198[.]28) 78 | rule megacortex_meterpreter { 79 | meta: 80 | author = "jeFF0Falltrades" 81 | 82 | strings: 83 | $cert = "Bud. 120-A, Vul. 
Balkivska1" 84 | 85 | condition: 86 | uint16(0) == 0x5a4d and $cert and (for any i in (0..pe.number_of_signatures) : (pe.signatures[i].serial == "00:CA:0E:70:90:D4:82:70:04:C9:9A:F2:FC:7D:73:3C:02" or pe.signatures[i].serial == "1D:A2:48:30:6F:9B:26:18:D0:82:E0:96:7D:33:D3:6A" or pe.signatures[i].serial == "01:FD:6D:30:FC:A3:CA:51:A8:1B:BC:64:0E:35:03:2D" or pe.signatures[i].serial == "03:01:9A:02:3A:FF:58:B1:6B:D6:D5:EA:E6:17:F0:66" or pe.signatures[i].serial == "06:FD:F9:03:96:03:AD:EA:00:0A:EB:3F:27:BB:BA:1B" or pe.signatures[i].serial == "0C:E7:E0:E5:17:D8:46:FE:8F:E5:60:FC:1B:F0:30:39")) 87 | } 88 | 89 | // (WIP) Fires on Rietspoof samples found loading MegaCortex based on certificates ( 90 | rule megacortex_rietspoof { 91 | meta: 92 | author = "jeFF0Falltrades" 93 | 94 | strings: 95 | $cert = "8 Quarles Park Road1" 96 | 97 | condition: 98 | uint16(0) == 0x5a4d and ($cert or (for any i in (0..pe.number_of_signatures) : (pe.signatures[i].serial == "53:CC:4C:69:E5:6A:7D:BC:36:67:D5:FF:D5:24:AA:4B" or pe.signatures[i].serial == "1D:A2:48:30:6F:9B:26:18:D0:82:E0:96:7D:33:D3:6A" or pe.signatures[i].serial == "13:EA:28:70:5B:F4:EC:ED:0C:36:63:09:80:61:43:36" or pe.signatures[i].serial == "0E:CF:F4:38:C8:FE:BF:35:6E:04:D8:6A:98:1B:1A:50" or pe.signatures[i].serial == "7E:93:EB:FB:7C:C6:4E:59:EA:4B:9A:77:D4:06:FC:3B" or pe.signatures[i].serial == "00:AD:72:9A:65:F1:78:47:AC:B8:F8:49:6A:76:80:FF:1E" or pe.signatures[i].serial == "01:FD:6D:30:FC:A3:CA:51:A8:1B:BC:64:0E:35:03:2D"))) 99 | } 100 | ``` 101 | 102 | ## Sample Hashes 103 | #### MegaCortex Payloads 104 | ``` 105 | f5d39e20d406c846041343fe8fbd30069fd50886d7d3d0cce07c44008925d434 106 | b4a65070354d2a89e84b5ddae81a954a868a714a248a48b72c832c759d85558a 107 | 11f7bb37dd425150e6b095a8d1f3a347ee83e604302a4d9bb201900e74a81d73 108 | ab654745b33aabac9c8e4ba1d0040be1c44ac50d0090b4759d4ef1aa04d55947 109 | 0858bc69e02c730a55f760f01374bdc378aaff806478d1c18f9e587d7121b56a 110 | 
80b9629ea3a33dc26f2ed3a2f8d3293cc3684f544011f1c4b96d4104d392497f 111 | 598ee9ee6ad4467ddf4b4d325cb15928fd692da8d6e1c8980d2d86d97ea2f4f9 112 | b17ff8c0d83d07fca854d669d1389e8e24718ca54ed1543fdb09e9b9b39456ef 113 | 84ad844ff54a9c3f1eea4df343a010ca6229690fc106ca2d1853b890640abf61 114 | 7ce65e84fe4161b8610c93345352c12a6a311251b0fa27576ff3e10b43664ba5 115 | 777f53587703eb48c265a3cd4a1656c23d77d1fa125a44756713d42b5a481e28 116 | 4e159da8bc2c5538984be21973bb417fd908ad55ac856400633d910b44bb14a6 117 | 9ab3777501e0146a6d356251a642eaac38e0c39b20c9d9bb218bd9ec4d54c43c 118 | bdf41abbb1926acfe9f8f9aaba024e383d4c5511aac9e1dc31f49d453ac9c743 119 | 90707b6a0dc831da724ea1c825cf17355458d134f2c818f5b3e959b2afe6d4cc 120 | f214b81df5c79ff62612536a4c01d14efc9b4f18b1e14e305fb47807a56adfce 121 | 51967c3c38eff00b7601372d6ec207061248f4c08766f98d1b3c8104f400a056 122 | dfc81da1c59d5075935fa185eac08309d40ff0e91884fac353ec230c7fe5f175 123 | 9d38e3d7b4b24e76da00b2f21d67161fa7eabf3d49fa66199655bd8693e83603 124 | 1199af8447c10bf5ebc55dfdc7ab91b3ed7105a6d0289f0a23fbc528f1f52e93 125 | ea68d92fe813198bf2542ead1b63b943b629fd17f7a625e0a2483ce63121d0fd 126 | 2486b858b7613dd67985164583112fdbfcd56920a815c9e0f2e828910b5a1cac 127 | 039c23ba8d08ad8856759d00abc57f2499b8062e00df4f4f08ae8b8e49659be9 128 | 86aeea7b383e35d4eec0219f031935648ddcf0b257196d3b60e44091ac4e99c2 129 | 77ee63e36a52b5810d3a31e619ec2b8f5794450b563e95e4b446d5d3db4453b2 130 | acf46be54c303002d74df6c975083c706b3e1cb8a92e75516579cd0fe65ce918 131 | ``` 132 | 133 | #### Meterpreter Payloads Contacting Reported MegaCortex C2 134 | ``` 135 | 513c78582f4e51a448aafffb006af5ae1b2ace47b20c5f5eb16d354f75592ad6 136 | f01767bc1aca7b06b54f94f872e0286b0e5bd4779e49d01ac01e4cc41141b57d 137 | b4e1a2cb3f1cfe6c075ab6639e775c716507a047dcecf66815b50134fc446cb9 138 | d67e9412d83e5d31f46f8db8f688e74d00c06741d2b5ef7f37a5cd806217fce5 139 | ecce00620189b0fe9f690bfeb67007ded3f97023fbc15972c18d22646f5702f2 140 | 
e344c59f507bd993a0abab39ef06cd477b1728fc12a7fb71da34a11a14801e25 141 | c54fc30bdbf03b2c23223e976158d3490f2eb4e1c6b79a7d08ab4eb96d2aeb49 142 | b1faf39b92816680b2fa16c2a911d2f40dbe0c6d1b400b28945b8434307dee5b 143 | 122dc72e10a25d1285bddb70fb0e26e91e298b1adaa0fdff6becf13cdfa34e36 144 | ``` 145 | 146 | #### Rietspoof Samples Contacting Reported MegaCortex C2 147 | ***For YARA to Rietspoof in general, see James_inthe_Box's signature [here](https://pastebin.com/YL7vZ8wz)*** 148 | 149 | ``` 150 | 9097f3cbedc79d1c1b91a0c3e776c19d07cb233d79e4af6f325e8d5d537348c2 151 | 25d7718dc30eccd1a9a2bc037a49b98c503f8064a55a009b1818ba448bcad27b 152 | 523fcda29655bec72d941311e70e7e810cc5a040d527fb5739120e36fee2e5df 153 | f5d739b5b15530be8acafc0f4f358ec48efbe3b1a5d7debbf94bed17b2a3b940 154 | acf46be54c303002d74df6c975083c706b3e1cb8a92e75516579cd0fe65ce918 155 | 5f6b90894eb7cc979c97cef0a33ed2308ef789bd0c4475fc572daa104c5a7993 156 | 27792112ca2551fa6b38559aebf6c3a0299cea9f25c38a123238cadc2f0f0797 157 | ``` 158 | 159 | #### Batch Files to Stop Security/Other Services 160 | ``` 161 | 5f815b8a8e77731c9ca2b3a07a27f880ef24d54e458d77bdabbbaf2269fe96c3 162 | bb04c52aa52afc55da5dbd4fda8517973ccd6a826ca0146ed158323db3c3f630 163 | 6c21a1a0b77ec41a214e0fdbc0aeb088ccab6e8b01d90f506e7526843faa6fdd 164 | 40f03dd7c6388c3f1ce7fabc0f76949c4379d278163f2c313a6a43afaed2ccf9 165 | 3ee9b22827cb259f3d69ab974c632cefde71c61b4a9505cec06823076a2f898e 166 | ``` 167 | 168 | #### Reported Ransom-Recipient Email Addresses 169 | ``` 170 | shawhart1542925@mail.com 171 | anderssperry6654818@mail.com 172 | ezequielgramlich6204294@mail.com 173 | cammostyn9012404@mail.com 174 | ``` 175 | -------------------------------------------------------------------------------- /Broadbased/metamorfo.md: -------------------------------------------------------------------------------- 1 | # Metamorfo (aka Casbaneiro) 2 | 3 | ## Reporting 4 | * https://malpedia.caad.fkie.fraunhofer.de/details/win.metamorfo 5 | * 
https://blog.trendmicro.com/trendlabs-security-intelligence/analysis-abuse-of-custom-actions-in-windows-installer-msi-to-run-malicious-javascript-vbscript-and-powershell-scripts/ 6 | * https://blog.ensilo.com/metamorfo-avast-abuser 7 | 8 | ## YARA 9 | ```yara 10 | rule metamorfo_msi { 11 | meta: 12 | author = "jeFF0Falltrades" 13 | ref = "https://blog.trendmicro.com/trendlabs-security-intelligence/analysis-abuse-of-custom-actions-in-windows-installer-msi-to-run-malicious-javascript-vbscript-and-powershell-scripts/" 14 | description = "This is a simple, albeit effective rule to detect most Metamorfo initial MSI payloads" 15 | 16 | strings: 17 | $str_1 = "replace(\"pussy\", idpp)" wide ascii nocase 18 | $str_2 = "GAIPV+idpp+\"\\\\\"+idpp" wide ascii nocase 19 | $str_3 = "StrReverse(\"TEG\")" wide ascii nocase 20 | $str_4 = "taller 12.2.1" wide ascii nocase 21 | $str_5 = "$bExisteArquivoLog" wide ascii nocase 22 | $str_6 = "function unzip(zipfile, unzipdir)" wide ascii nocase 23 | $str_7 = "DonaLoad(ArquivoDown" wide ascii nocase 24 | $str_8 = "putt_start" wide ascii nocase 25 | $str_9 = "FilesInZip= zipzipp" wide ascii nocase 26 | $str_10 = "@ u s e r p r o f i l e @\"+ppasta" wide ascii nocase 27 | $str_11 = "getFolder(unzipdir).Path" wide ascii nocase 28 | 29 | condition: 30 | 2 of them 31 | } 32 | ``` 33 | 34 | ## Sample Hashes 35 | ``` 36 | 22c51c43fe8344d36005613209fecb9219b06abfdb12e3019876eca0d1495e23 37 | d663f2c1a5075b43cc2706d58ae98dbb4b1ab168d5c99b43d5cb0b80e18937cf 38 | 0113d8a67b61dd6163b003c806d997f1f26da9df316744571aa1295c7ffb9995 39 | 1bb9382349266630cfc2f36d2af3c8b06ba4b153867161bf44143f952d33680b 40 | 3f9a7292c3b4837477ef5d8181fae11e827753a575f0ee852546fe64c79389ab 41 | 42c82a811f4eb41e1a6c613c9b017b7e8abf062c3694cb77e671464954facf3b 42 | 67255c29a1b2fcc1f9067f08fcf575a2d654e4f8d235a5a583ff2605b7728455 43 | 77ca06b5bd03556261e7f2359eaaad2c220771618456d9128b1750eef3fa2b8e 44 | 8aa574ba92ef3177d786c519d9f2acc86aa7d16afd44819cb23eddd28720776c 45 | 
d9114962efbc4f34b093bd04e5d41000ebd416fcc8a6d68faeb7455d64d78081 46 | 47 | ``` 48 | 49 | ## Sample C2 50 | ``` 51 | http[:]//80[.]211[.]252[.]12/sfsfsdgfbd456416[.]zip 52 | http[:]//buleva[.]webcindario[.]com/01/ 53 | https[:]//s3-eu-west-1[.]amazonaws[.]com/disenyrt3/image2[.]png 54 | https[:]//s3-eu-west-1[.]amazonaws[.]com/sharknadorki/image2[.]png 55 | https[:]//s3-eu-west-1[.]amazonaws[.]com/jasonrwk5wg/image2[.]png 56 | https[:]//s3[.]eu-west-2[.]amazonaws[.]com/stocksoftbr/ModPumMs2003[.]zip 57 | https[:]//s3[.]eu-west-3[.]amazonaws[.]com/abrilgeralll/ModPmAbrilzada[.]zip 58 | https[:]//s3[.]eu-west-2[.]amazonaws[.]com/stocksoftbr/Mod1803xrd[.]zip 59 | ``` 60 | -------------------------------------------------------------------------------- /Broadbased/nanocore.md: -------------------------------------------------------------------------------- 1 | # NanoCore RAT 2 | 3 | ## Reporting 4 | * https://www.cyber.nj.gov/threat-profiles/trojan-variants/nanocore 5 | * https://www.stratosphereips.org/blog/2018/9/7/what-do-we-know-about-nanocore-rat-a-review 6 | 7 | ## YARA 8 | ```yara 9 | import "pe" 10 | 11 | rule nanocore_rat { 12 | meta: 13 | author = "jeFF0Falltrades" 14 | 15 | strings: 16 | $str_nano_1 = "NanoCore.ClientPlugin" wide ascii 17 | $str_nano_2 = "NanoCore.ClientPluginHost" wide ascii 18 | $str_plg_1 = "Plugin [{0}] requires an update" wide ascii 19 | $str_plg_2 = "Plugin [{0}] is being uninstalled" wide ascii 20 | $str_conn_1 = "PrimaryConnectionHost" wide ascii 21 | $str_conn_2 = "BackupConnectionHost" wide ascii 22 | $str_id = "C8AA-4E06-9D54-CF406F661572" wide ascii 23 | // Loop used to load in config 24 | $load_config = { 02 06 9A 74 54 00 00 01 0B 02 06 17 58 9A 28 3A 00 00 0A } 25 | 26 | condition: 27 | 2 of ($str_*) or $load_config or (pe.timestamp == 1424566177) 28 | } 29 | 30 | rule nanocore_surveillance_plugin { 31 | meta: 32 | author = "jeFF0Falltrades" 33 | 34 | strings: 35 | $str_name = "SurveillanceExClientPlugin.dll" wide ascii 36 | 
$str_keylog = "KeyboardLogging" wide ascii 37 | $str_dns_log = "DNSLogging" wide ascii 38 | $str_html_1 = ".+?(.+?)(.+?).+?.+?.+?.+?.+?(.+?)" wide ascii 39 | $str_html_2 = "(.+?)(.+?)(.+?)(.+?)" wide ascii 40 | $str_html_3 = "/shtml \"{0}\"" wide ascii 41 | $str_rsrc_lzma = "Lzma" wide ascii 42 | $str_nano = "NanoCore.ClientPlugin" wide ascii 43 | $str_pass_tool = "ExecutePasswordTool" wide ascii 44 | $get_raw_input = { 20 03 00 00 10 12 02 12 04 02 7B 09 00 00 04 28 C8 00 00 06 } // GetRawInputData Loop 45 | $get_dns_cache = { 12 02 7B 62 00 00 04 7E 7F 00 00 0A 28 80 00 00 0A 2C B5 } // GetDNSCacheDataTable Loop 46 | 47 | condition: 48 | (all of ($get_*)) or (3 of ($str_*)) or (pe.timestamp == 1424566189) 49 | } 50 | ``` 51 | 52 | ## Sample Hashes 53 | ### Primary Module 54 | ``` 55 | 2b23d96749dc62144e34f377c40b66fe0978570193b1ff29df41cfe1e0088a8b 56 | 525e44aa7ade3e14fdf431074a78a9134ffbbd5acbb04515d72a60172c0234d8 57 | ee0ad345a373f9e47e03e010544d45f7aa63c001bb2902bb74949e2f37d332cb 58 | 4fa02fe8de726f1d3597a4bbf67cca84114ea912f2486ebbc41ddb7f2dadb429 59 | 495c7f09c0b5fc9a220bd56807ce762c27da00a60f2c2cb29e44549d4ff98aa7 60 | a8bbf4b26d893701a503f55fc25f6a97a5e0037dbca074ed2abbe42049d24a68 61 | 4145233af81f9b126c1162377d19d44c46c4f324995972870a40fc1759b7b5d8 62 | a2159d09557fb67cad61c9d67c07876472cdcecc1f44e3924146d95c75ccb614 63 | 22959c7bcf21e80fff8949a840bd016770e1f57bccdee94fe03fc47edd874a0d 64 | daf4a81c306c12b805bda6522dd7ad57d1b0c3ac32f919fb9816ac127653fdc2 65 | d9612df3f723a1d7b5ad0da87fe9e9b0fbf68557e905c2dfac8ef428dd1bacf2 66 | 162f74dae55b7c2f7e5bc3ed32ccfcc1fb238cda4be9f652417155e3e1dcc92a 67 | 4c18c1035907894538f9f132cf38372af97a6e60acea650c8fea0760961f9427 68 | 504112875ddd73d6b2b823e1b712158a9e86485912d05e6b2d5f309b59d1c48f 69 | f5afb4fb921bd2a13a52d09d3706f7a2f7cb048824c84b780a03b3aa69f59ab7 70 | c0d6f12fd9a1330fcdd66d0dd98b6d5e6146a45a6f262a2b243541ce034135d8 71 | 9eff2850fbc728f57dbf9e6eff0db1da23755890f1f5efcb946b7d9e6639789c 72 | 
61a483debf342aebff4c78b1942c2c0d7497e51b9c2e897176efe154d6b221d3 73 | 3d10dbe069be5697108b046bfdac184ec9164bc10432c4fef5d25a6639a4f8be 74 | f1deb1e1e89d5893f103beabd99659a1520834d30f9411c1f456255c7553b5d4 75 | ``` 76 | 77 | ### Surveillance Plugin 78 | ``` 79 | db86d3cc11f42a9c4a478b6afe36943827964de9dc0d1fc8ee3489ccc1a6e088 80 | 01e3b18bd63981decb384f558f0321346c3334bb6e6f97c31c6c95c4ab2fe354 81 | ``` 82 | -------------------------------------------------------------------------------- /Broadbased/netwire.md: -------------------------------------------------------------------------------- 1 | # Netwire RAT 2 | 3 | ## Reporting 4 | * https://www.cyber.nj.gov/threat-profiles/trojan-variants/netwire-rat 5 | * https://unit42.paloaltonetworks.com/new-release-decrypting-netwire-c2-traffic/ 6 | 7 | ## YARA 8 | ```yara 9 | rule netwire { 10 | meta: 11 | author = "jeFF0Falltrades" 12 | hash = "80214c506a6c1fd8b8cd2cd80f8abddf6b771a4b5808a06636b6264338945a7d" 13 | 14 | strings: 15 | $ping = "ping 192.0.2.2 -n 1 -w %d >nul 2>&1" wide ascii nocase 16 | $bat_1 = "DEL /s \"%s\" >nul 2>&1" wide ascii nocase 17 | $bat_2 = "call :deleteSelf&exit /b" wide ascii nocase 18 | $bat_3 = "start /b \"\" cmd /c del \"%%~f0\"&exit /b" wide ascii nocase 19 | $ua = "User-Agent: Mozilla/4.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" wide ascii nocase 20 | $log = "[Log Started]" wide ascii nocase 21 | $xor = { 0F B6 00 83 F0 ?? 83 C0 ?? 
88 02 } // movzx eax, byte ptr [eax]; xor eax, ??; add eax, ??; mov [edx], al (XOR encryption of log data) 22 | 23 | condition: 24 | 4 of them 25 | } 26 | ``` 27 | 28 | ## Sample Hashes 29 | ``` 30 | a4e8949b2b8e541616d25dcbf9e9d15ba44ceda06bf601706dccbb0aa2f0091e 31 | c8a0dd1af3b7f58f2342bb6eeafd0cc66e3af95bd7392ee5e9ee75d9b5abc0c5 32 | a4e8949b2b8e541616d25dcbf9e9d15ba44ceda06bf601706dccbb0aa2f0091e 33 | c8a0dd1af3b7f58f2342bb6eeafd0cc66e3af95bd7392ee5e9ee75d9b5abc0c5 34 | bc49d96cdf17120a02d0e820aeae9797e0bbb0ab4b4904a01922e0a1bd39caee 35 | bc49d96cdf17120a02d0e820aeae9797e0bbb0ab4b4904a01922e0a1bd39caee 36 | 777b89daf016d92dba7e4ae024e3a16c69ea795e7a74a910ff5e807fabe6dbb3 37 | 777b89daf016d92dba7e4ae024e3a16c69ea795e7a74a910ff5e807fabe6dbb3 38 | c1bab10eb2f2934354eac8c2a2c431426c649c942cab1e4275fe280efd6def9f 39 | c1bab10eb2f2934354eac8c2a2c431426c649c942cab1e4275fe280efd6def9f 40 | 54e4c8e9d697055b4be27296d895e79ee88d46194a1b2c3b2185e7e6713ff6ed 41 | 04a66d23bad9f2bf66c5e57870574017d5ca24346d4010d450ce2727b4af91f8 42 | fbcba00060ac9a4df0865a25bfc47945f4f71d467287c92507f70005ef50b07d 43 | fbcba00060ac9a4df0865a25bfc47945f4f71d467287c92507f70005ef50b07d 44 | 8f27a9e704a311496dbd143c5ca5502c4be2676c3c88b46711370f276f57c18f 45 | ``` 46 | -------------------------------------------------------------------------------- /Broadbased/parallax_rat.md: -------------------------------------------------------------------------------- 1 | # Parallax RAT 2 | 3 | ## Reporting 4 | * https://twitter.com/VK_Intel/status/1238191501429084160 5 | * https://malpedia.caad.fkie.fraunhofer.de/details/win.parallax 6 | 7 | ## YARA 8 | ```yara 9 | rule parallax_rat_2020 { 10 | meta: 11 | author = "jeFF0Falltrades" 12 | 13 | strings: 14 | $str_ws = ".DeleteFile(Wscript.ScriptFullName)" wide ascii 15 | $str_cb_1 = "Clipboard Start" wide ascii 16 | $str_cb_2 = "Clipboard End" wide ascii 17 | $str_un = "UN.vbs" wide ascii 18 | $hex_keylogger = { 64 24 ?? 
C0 CA FA } 19 | 20 | condition: 21 | 3 of them 22 | } 23 | ``` 24 | 25 | ## Sample Hashes 26 | ``` 27 | 9259cb359a7e5a9581549c6500f3c764fb6f5ff2907b50fa90b9719e0a052a28 28 | 829FCE14AC8B9AD293076C16A1750502C6B303123C9BD0FB17C1772330577D65 29 | d90f7987cd63d82a0e4709c4b16a991f2a583227cee26d0c1329245bfd912947 30 | c56432c5453252d948c314408e5a5beba0dbeeaa0b20733095e69dfe3866e063 31 | ``` 32 | 33 | ## Keylogger Decryption 34 | The hex string in the YARA rule above is a snippet of the algorithm used to encrypt the keylogging file for recent Parallax RAT samples. 35 | 36 | The same sequence of bitwise operations is often used to encrypt the keylogging output file, though these operations do not always appear sequentially in the payload: 37 | 38 | ``` 39 | LD dl, 40 | XOR dl, 50 41 | XOR dl, DC 42 | ADD dl, EA 43 | SUB dl, 41 44 | ROR dl, FA 45 | ADD dl, 53 46 | ``` 47 | 48 | The following simple Python script can be used to decrypt keylogging output files encrypted with this algorithm: 49 | 50 | ```python 51 | MAX_BITS = 8 52 | 53 | 54 | def rol(val, r_bits, MAX_BITS): 55 | return (val << r_bits%MAX_BITS) & (2**MAX_BITS-1) | \ 56 | ((val & (2**MAX_BITS-1)) >> (MAX_BITS-(r_bits%MAX_BITS))) 57 | 58 | 59 | def decode(b): 60 | b = (b - 0x53) & 0xFF 61 | b = rol(b, 0xFA, MAX_BITS) 62 | b = (b + 0x41) & 0xFF 63 | b = (b - 0xEA) & 0xFF 64 | b = (b ^ 0xDC) & 0xFF 65 | b = (b ^ 0x50) & 0xFF 66 | return b 67 | 68 | 69 | c = [] 70 | with open('kl.bin', 'rb') as f: 71 | data = f.read() 72 | for d in data: 73 | c.append(chr(decode(d))) 74 | print(''.join(c)) 75 | ``` 76 | 77 | **Sample Output** 78 | ``` 79 | Clipboard Start 80 | C:\Users\victim\AppData\Roaming\Data 81 | Clipboard End 82 | [F2][F2][F9][Ctrl][Ctrl + G] 83 | 3/27/2020__5:32:59 AM 84 | Clipboard Start 85 | Stop keylogging me 86 | Clipboard End 87 | [Enter][Shift] 88 | ``` 89 | -------------------------------------------------------------------------------- /Broadbased/qealler_rat.md: 
-------------------------------------------------------------------------------- 1 | # Qealler 2 | 3 | ## Write-Up & Reporting 4 | * https://github.com/jeFF0Falltrades/Malware-Writeups/tree/master/Qealler 5 | * https://www.cyberark.com/threat-research-blog/qealler-the-silent-java-credential-thief/ 6 | 7 | ## Sample Hashes 8 | ``` 9 | Remittance_Advice.jar 10 | 8d564a18b902461c19936ccb1f4e2f12 11 | 72de1a2ca8ff223f72efb366e64ed480c89f1d58 12 | 3724d27b119d74c04c7860a1fc832139ea714ef4b8723bc1b84a6b166b967405 13 | 3072:to8ZlTq4dPEXAJP3X+4ZPxEHVwHEWAakaEra9Iqv+ZA:KclW4d8QJP3X3PO1UAak9ra9HsA 14 | 15 | 7z.jar 16 | a593cb286e0fca1ca62e690022c6d918 17 | 227f06265c5e44ef32647bb933d62fffea2a972c 18 | 93b6a8ecb84fe9771584c329d47ff109464d2ff65c88917d7acff75c5ddd0912 19 | 12288:uiI0fU+gNrDCc8tE5KU955GuZ8YhbbF0q+2jOsOVvetYB2K0iPkm+AVkX:NLoBcEkmMu6kbcsAvFH0iPkmhVE 20 | 21 | qealler.7z 22 | 8d2c718599ed0aff7ab911e3f1966e8c 23 | a64525f26076821ac07c4078ca5664ce2cf2c313 24 | a31497597cd9419dde7fc724b7e25a465f7d95ff7bd52cf3be59928499983608 25 | 24576:Fvv7N1Xm3LCGMi2h3V8BCRSRuMgwHeI7yc71l5i+W/NBu1v03ev/hqvcxSk7rw2e:FLryCni2YBqdgeKYlBm0OhU 26 | cKdh3p 27 | 28 | main.py 29 | 5a8915c3ee5307df770abdc109e35083 30 | e4fd1685ad7df5e09c12d6330621b3aaf81206d2 31 | 9992dd2941df8dcd3448d80d6bab8dfa57356ff44fbe840e830fe299d18a9031 32 | 3072:kpVOVg8ZucPfYNycK7KfZEFRlg95VpaQY3QvFd:OvaiZE2RL 33 | ``` 34 | 35 | ## Sample C2 36 | ``` 37 | http[:]//lunogroup.co[.]uk/Remittance_Advice.jar 38 | http[:]//146[.]185.139.123:6289/qealler-reloaded/ping 39 | http[:]//146[.]185.139.123:6521/lib/qealler 40 | http[:]//139[.]59.76.44:4000/lib/7z 41 | http[:]//139[.]59.76.44:4000/lib/qealler 42 | http[:]//139[.]59.76.44:4000/qealler-reloaded/ping 43 | ``` 44 | -------------------------------------------------------------------------------- /Broadbased/qrypter_rat.md: -------------------------------------------------------------------------------- 1 | # Qrypter RAT 2 | 3 | ## Write-Up & Reporting 4 | * 
https://github.com/jeFF0Falltrades/Malware-Writeups/tree/master/Qrypter 5 | * https://www.forcepoint.com/blog/security-labs/look-qrypter-adwind%E2%80%99s-major-rival-cross-platform-maas-market 6 | 7 | 8 | ## Sample Hashes 9 | ``` 10 | swift_bbva_factura553.jpg.jar 11 | 2717a02a2567c8f0487f4c1d0af0304b 12 | be444a444c0a069264baad181b1121e0f70299e1 13 | 4e788ed3cd2cda28eb6d967004514cc6e83095ae610578522f9a622a4d0ae60d 14 | 12288:FxHP0WTOn3WIGMGfDu9vGp23W7EPja0/F66uVoKoWV+jaMKFdlW:FxHP+nGzM1Q23W4j/M6fKFbMKFd8 15 | ``` 16 | 17 | ## Sample C2 18 | ``` 19 | jrat[.]io 20 | vvrhhhnaijyj6s2m[.]onion 21 | buzw55o32jgyznev[.]onion[.]top 22 | 178[.]175[.]138[.]211 23 | ``` 24 | -------------------------------------------------------------------------------- /Broadbased/remcos_rat.md: -------------------------------------------------------------------------------- 1 | # Remcos RAT 2 | 3 | ## Reporting 4 | * https://www.fortinet.com/blog/threat-research/remcos-a-new-rat-in-the-wild-2.html 5 | * https://breaking-security.net/remcos/ 6 | 7 | ## YARA 8 | ```yara 9 | import "pe" 10 | 11 | rule remcos_rat { 12 | meta: 13 | author = "jeFF0Falltrades" 14 | 15 | strings: 16 | $str_upload = "Uploading file to C&C" wide ascii 17 | $str_keylog_1 = "Offline Keylogger Started" wide ascii 18 | $str_keylog_2 = "Online Keylogger Started" wide ascii 19 | $str_mutex_1 = "Mutex_RemWatchdog" wide ascii 20 | $str_mutex_2 = "Remcos_Mutex_Inj" wide ascii 21 | $str_cleared = "Cleared all cookies & stored logins!" wide ascii 22 | $str_bs_vendor = "Breaking-Security.Net" wide ascii 23 | $str_controller = "Connecting to Controller..." 
wide ascii 24 | $str_rc4 = { 40 8b cb 99 f7 f9 8b 84 95 f8 fb ff ff 8b f3 03 45 fc 89 55 f8 8d 8c 95 f8 fb ff ff 99 f7 fe 8a 01 8b f2 8b 94 b5 f8 fb ff ff } // RC4 PRGA 25 | 26 | condition: 27 | 3 of ($str*) or (pe.sections[0].name == "VVR" and pe.sections[1].name == "ZKZR" and pe.sections[2].name == ".test" and pe.sections[3].name == "rca" and pe.sections[4].name == "vga") 28 | } 29 | ``` 30 | 31 | ## Sample Hashes 32 | ``` 33 | 840eee72e539982e4169b5c6a52576ef539e0afd42d4d69752a9c04e4f218a0e 34 | d24c93170a786027bb9eef98b6eddaaca10c21f9608d5fbdfb60a2a4f3b9fa70 35 | ab76cc360966833c77b9f15e0f1d61133f65e08f6839bd7665771943e7e286b8 36 | 37183bfcc860d028ac402aa0546d3e53e14afe89054c82603b07362198cd2fb9 37 | 3043c9cf55b4364d8559ec7bf89af38ae8ed6dc100a3d532089297d8eecd8e9f 38 | 35444cffb383b8ab4070d94d286c54f94229a844c7663d4e4afb511cb886f3b4 39 | be39f694a62f09a05fc1286e2914ee4c8c09429719293026606e3b08bb5cb311 40 | 198799e167eeed34266d190082f6d7f14954dad85ecdb0c9053bcbc0feb075ff 41 | 0b53950436346bf9ae77747026686053b54a6c5600004f89b1f7968d77ea1319 42 | a114518c4dea54adb5c7933b6e98c5dd125b49f167c5e371e599a2fc8983c6bb 43 | bfca4bf41c7d751187f408585f52c312d5e0fc8a1ba5cba8c0dd6edf45985142 44 | 7c29126f02f501ceca91476362d3943814bdb4340c581fdcfd2b9673211a6d43 45 | 2a8b0604d56a758edc3bd072e547cff82eff121d4b29fc85dd9862b2bc42b61c 46 | 32cadf221a9a0a879aeb3d16649572046ccb87db256185b040013a03d1636d56 47 | 0f09141942787e94a4c4c6ef4abb62b405dfdff85c428325b0d5e4c8494b8b65 48 | 643b467b305a14923d0d1fbca75a89f4e9c04a4cf8898971fa02547c756ebf0c 49 | 3002ae236ce2973c6af6e800eb2df64d5f6d548771fe3f323be6c82ba958f7cf 50 | 14a96f07308f4657248a763be17ccc3d51831438dea0830e52a551113f919faf 51 | d0f00421a8529da13817ea9d6264966f887609827dd53151ca142b5cb8572d43 52 | bc80d73322a4fb9b3bde5cb565a53dde0ea64aab5babfb241615c78fec4c55b0 53 | b37891704d02a745df80bbbe41c8844adbbca95f1bb8e34e241bd9490f3a4130 54 | 198c9582805f40fb1be77025da81c3ea6084e56f7146b06a07c2a8f628bb8374 55 | 
0b450fc70bdc9968e6abafb29c703eab3711725b649ed87aaed31ebdf403032e 56 | 4b30343d6c9ef737bb2e9c9decfceed3601758482f3c5b64657831ad91b77950 57 | 6235f925b478a8c2ce18fcca4eed116262c1ca77d4dc8826e20659d945a475d4 58 | 3ea110c01b74870b3c3963fcd9eaecd3001e86bf6568620741f4a9eb3bc56b77 59 | bf320fe9a5dc90580aaf6f4d8b41cda25513bf4be6e78d95a3e16e96aef996f1 60 | 9228effc9fc68fc21884bdb01faccca82807621a9be37df91de7f471bfae4c32 61 | cdd61c4fac8974ba7ecf72fc54be7ea0127166f48569eccc468d691dcc125aae 62 | 9c8fa9ab417ca4785ac38dd8c8764fcebdddb3f287718352576a189252744acf 63 | a60f1b6ff710efa978ac06e5cc94dc85b62c964feb10d1e2a9ad1da9b6a7be83 64 | d1d6a1daf82e27a76d1497322df47cd1b56ae86a2fcfdd6f0bdccf387713b339 65 | 01bb0092ad25ebb1a272be4ef82a6a44f10d0687fb6af479c9a4a1804b3da193 66 | 64aaf0cf3145960ae60602c46b01bd43760d34e279cb2d8139811526076565cd 67 | 252cd749123f995db15c52dfe01a2df021050943af5e26d07b888cc5f1f1f75a 68 | 3e411992149590cea9a2206e53f34a5059e5c09f701f21818e7b13eb065897ec 69 | ``` 70 | -------------------------------------------------------------------------------- /Broadbased/ursnif_gozi_isfb.md: -------------------------------------------------------------------------------- 1 | # Ursnif/Gozi/ISFB/Dreambot 2 | 3 | ## Reporting 4 | * https://www.fortinet.com/blog/threat-research/ursnif-variant-spreading-word-document.html 5 | 6 | ## YARA 7 | ```yara 8 | rule ursnif_zip_2019 { 9 | meta: 10 | author = "jeFF0Falltrades" 11 | reference = "https://www.fortinet.com/blog/threat-research/ursnif-variant-spreading-word-document.html" 12 | 13 | strings: 14 | $doc_name = { 69 6e 66 6f 5f ?? ?? 2e ?? ?? 
2e 64 6f 63 } // info_MM.DD.doc 15 | $zip_header = { 50 4B 03 04 } 16 | $zip_footer = { 50 4B 05 06 00 } 17 | 18 | condition: 19 | ($zip_header at 0) and ($doc_name in (0..48)) and ($zip_footer in (filesize-150..filesize)) 20 | } 21 | 22 | rule ursnif_dropper_doc_2019 { 23 | meta: 24 | author = "jeFF0Falltrades" 25 | reference = "https://www.fortinet.com/blog/threat-research/ursnif-variant-spreading-word-document.html" 26 | 27 | strings: 28 | $sleep = "WScript.Sleep(56000)" wide ascii nocase 29 | $js = ".js" wide ascii 30 | $ret = { 72 65 74 75 72 6e 20 22 52 75 22 20 2b 20 22 5c 78 36 65 22 } // return "Ru" + "\x6e" 31 | $pse = { 70 6f 77 65 72 73 68 65 6c 6c 20 2d 45 6e 63 20 } //powershell -Enc 32 | 33 | condition: 34 | uint16(0) == 0xcfd0 and all of them 35 | } 36 | ``` 37 | 38 | ## Sample Dropper Doc Hashes 39 | ``` 40 | b3c9c6d6179ba84fd485afc4818e2a4fe58ec38a05b3efbf1f0a2ab99ebbfef7 41 | 993311b373695ae9e8af053e70eb367343bae2537fb468c3a548725d80b735dc 42 | 6e46be288848568ad8402206cfce3fb870fb87756e497b7fd9288eef61c49149 43 | 051cd26d76ba66f9a7dcde2dc3da324f5db6b0cecde13da03f29ecb7f9f845ea 44 | 40b5902adf7d40f47f364da703c721bf7695c5b992c62fff436b716e009bac10 45 | d651c084f35d5c7e7a85465315ae41ee7798b9adcd68851b0ed60794a5ca0350 46 | 60e7c3fa50b13cc33395faf0a61e601a0e6d2d25a2437a5762d56f3dcf8e726d 47 | 0f00ef22f1cbd2fe47bdbdc527cf45844bd4cb4c309153a2865977aa0ae17cd1 48 | c7296822332bf2e847fcc1eeb5fbecccbeb6a035b1363427a5874c003bd13a4d 49 | 9f98fe5848818c238a98f94086a519510f39435acbc6dab640951f441d7c67fc 50 | c816b27a6ff57c930a1da2ea77b8924765e719f8893d90663089c1bb1fbb167e 51 | abd8b974612364e60785b3cab8f7a3ea8e430718955c8903aa7b460612f746d1 52 | 3c6b32b668105af6cda80bd03127be703f1b2848f3d1ca44edcb23cc0660e719 53 | 64365a632899c43616fae757dd3b5eea01bc30bfc637aa32e35201c976895a6e 54 | daad58b57e00fe31dc1a8bb5a5ab5e758932ecd6630a9c7ab3cfc53aed089df6 55 | 5bbce914f9bc715051e5bb8004e551af580f84da23e9a8a6f04337a00777ff29 56 | 
47a4c07a17666e71695d033af810b922ce12efc8817e31c7e81a4e9aeef77753 57 | 7ae94f84e63866b165184e7db53ccd7cf9ea1e06a2c235d85e30ed1a23f99be1 58 | 83c0731489f0b31359a526265ab316b8b227cf14cd2590dcabfa931c87fb9376 59 | ``` 60 | 61 | ## Sample Ursnif Download URLs 62 | ``` 63 | http[:]//zvaleriefs96[.]com/qtra/ttqr[.]php?l=qena2.j12 64 | http[:]//mgregyoherminio[.]com/qtra/ttqr[.]php?l=geus10.j12 65 | http[:]//p813632eliza[.]com/qtra/ttqr[.]php?l=apqo4.j12 66 | http[:]//zai55io72[.]com/qtra/ttqr[.]php?l=geus7.j12 67 | ``` 68 | 69 | ## Sample Ursnif Payloads 70 | ***Reliable detection of the payloads is still a work in progress; for now, pivoting on the import hash (imphash) "877a2f3a3bd3098729975fa6f2ab6f12" yielded the following samples:*** 71 | ``` 72 | ad981b1f5afd0d6cd74fa3831749e5a369ef0657deb7dc8c2eb59b6e3d070d9f 73 | 7ac16976822c50338671ee08806a5c145c839959f39d6102307e4c22cafb28e5 74 | d4969444c66152e40bd41f430c29526a16bc4c0e9b90e0775f8ab806c8078685 75 | bdea14507af527d603d742f643d9ab943a238d22f178fdb39dec2b6718c89904 76 | 458f55ab66cc68472d0e717aff24ca2b21fd9d433a5305896702d7c8b9e87145 77 | f057cfef9a4002c5f3477912009a438fbb9f4e4c38e70e90e017e30f836c5fbc 78 | 5f99a5c9579062bc6af0d4e40865d0dd8f3cde2e480b26e0e8728b955a9984d1 79 | f6ab87b2464a30f9b0cb3f47694dd7fe47397b46c3c75fab5d693d654af7a398 80 | 9196bb8b376c35a5f5c451cc7f801eaa195027f4e70af570c285e0c3d85f8ec0 81 | f4bd5afc9e01daff48a2d7f436b47662cfb288a9bb37f050cb0b13844c3f977e 82 | ae5a78c71dc38e06b57d7f37f00384c94c3fc5435b59ca83cad99172d2023c5b 83 | 162840756e4d8484c56d4a73823849c0ee7adac9f50b75780c442ced9250ad76 84 | 3d83412de52b18ab80e0b7556254148b9d07630ffc15f0162dd04f45d79d2e64 85 | a7cb4dd4a65b0a9cf6454f8dd167f96015fea401611031a3f057f3d0728ba2f9 86 | 5e5dde97c7bf7373fb8851b9b80075242f8112f223a29600b489316f2316e082 87 | 57043b4aa1ae002e54e0fae10c950824d89ecc172eeec4f4296437bdc72d1acf 88 | 56d57403b95e6e5253acc21b586987cc08dd8a46c2828a7b97970ecd5df66ee3 89 | bae22c714587c785fecdc5efa3855a57ed269ce41829c95868ecb28231a9f697 90 | 
b127951f5914125e2541ef8b7a5f0dfd661f0a2a237589980b3ad4fe4b78c625 91 | 557857c586de09f3269b9137de21cb03b177dacca5627dd22002fb1feaf1e128 92 | bbee0ddf4438b6c1567e76d52cb92086c4a9ee3ad7bc3da74a276f5120f27481 93 | 89b57fd0081c67fbf1ad216c587e94ad96d43f4a11df9c4d0dda1c43ad473b15 94 | d4e5dfd1c4e25b0af0249cb9a998766e390ad3790f3272a7dc18b70765909af7 95 | 4d5ff13a16af12823be951f7869fb40357b6c99692278cc9199c19fa28105115 96 | b1a3fd66d3c7fd9358aa5f84c9cb1df6d0a19899b77d6682748243dd461c1a7d 97 | 0f68f619c4aa8d14ae5331f513b419c0cd9914a721d249bcb671ba925dc4d515 98 | f1e4872848ae174c9a11ff0b9a2f0f3b1afea3ec2dc9a60fe8e91410f0ea3edf 99 | 8096e2a2d5e9cb41a6b9e89e824fc922fc9a74e20606713964df739d7948a202 100 | 67c4dba70e165b5bcace38636ede6222af0ecd0d8df1c76df3e2e312cfb340f9 101 | 6141f4a4af4243e8891c5df29519ba3a2d88ad8e2e749f6ac76f85053204eb92 102 | 16a2e99c9e620ab38d5762ad9909cad98b2a301014106c4c8e5db4491097af0e 103 | 74959ea83fed1847bae3e36c50e96b60cc43b60642b5a164a42e636be7f1828c 104 | 497ca1bb5accf15939f8683f63299cc45c4b2f5bae1b470747dff0983e191f10 105 | 3d78850ad41de15660d047f330549a679ba92174f2c1e023d507f303a974161b 106 | 2aa1066cac1baaf89df3a4173df7a57d2c1916db7439d93969c0ffe88197e866 107 | 48063d9a522090599f0508510548f5857b401d6affa9371471f19bc938d35eca 108 | ``` -------------------------------------------------------------------------------- /Broadbased/wsh_rat.md: -------------------------------------------------------------------------------- 1 | # WSH RAT (A variant of H-Worm/Houdini) 2 | 3 | ## Reporting 4 | * https://cofense.com/houdini-worm-transformed-new-phishing-attack 5 | 6 | ## YARA 7 | ```yara 8 | rule wsh_rat_vbs_decoded 9 | { 10 | meta: 11 | author = "jeFF0Falltrades" 12 | ref = "https://cofense.com/houdini-worm-transformed-new-phishing-attack" 13 | description = "Alerts on the decoded WSH RAT VBScript" 14 | 15 | strings: 16 | $str_0 = "wshsdk" wide ascii nocase 17 | $str_1 = "wshlogs" wide ascii nocase 18 | $str_2 = "WSHRAT" wide ascii nocase 19 | $str_3 = 
"WSH Sdk for password recovery" wide ascii nocase 20 | $str_4 = "wshlogs\\recovered_password_email.log" wide ascii nocase 21 | $str_5 = "post (\"is-ready\",\"\")" wide ascii nocase 22 | $str_6 = "split (response,spliter)" wide ascii nocase 23 | $str_7 = "updatestatus(\"SDK+Already+Installed\")" wide ascii nocase 24 | $str_8 = "case \"get-pass-offline\"" wide ascii nocase 25 | $str_9 = "case \"up-n-exec\"" wide ascii nocase 26 | $str_10 = "Unable to automatically recover password" wide ascii nocase 27 | $str_11 = "reverseproxy" wide ascii nocase 28 | $str_12 = "keyloggerstarter" wide ascii nocase 29 | 30 | condition: 31 | 3 of ($str*) 32 | } 33 | 34 | rule wsh_rat_keylogger 35 | { 36 | meta: 37 | author = "jeFF0Falltrades" 38 | ref = "https://cofense.com/houdini-worm-transformed-new-phishing-attack" 39 | description = "Alerts on the WSH RAT .NET keylogger module" 40 | 41 | 42 | strings: 43 | $str_0 = "Keylogger" wide ascii nocase 44 | $str_1 = "RunKeyloggerOffline" wide ascii nocase 45 | $str_2 = "saveKeyLog" wide ascii nocase 46 | $str_3 = "sendKeyLog" wide ascii nocase 47 | $str_4 = "/open-keylogger" wide ascii nocase 48 | $str_5 = "wshlogs" wide ascii nocase 49 | $str_6 = "WSHRat Plugin" wide ascii nocase 50 | $str_7 = "Debug\\Keylogger.pdb" wide ascii nocase 51 | 52 | condition: 53 | 3 of them 54 | } 55 | 56 | rule wsh_rat_rdp 57 | { 58 | meta: 59 | author = "jeFF0Falltrades" 60 | ref = "https://cofense.com/houdini-worm-transformed-new-phishing-attack" 61 | description = "Alerts on the WSH RAT .NET RDP module" 62 | 63 | strings: 64 | $str_0 = "GET /open-rdp|" wide ascii nocase 65 | $str_1 = "WSHRat Plugin" wide ascii nocase 66 | $str_2 = "Debug\\RDP.pdb" wide ascii nocase 67 | $str_3 = "TakeShoot" wide ascii nocase 68 | $str_4 = "CompressJPEG" wide ascii nocase 69 | 70 | condition: 71 | 3 of them 72 | } 73 | 74 | 75 | rule wsh_rat_reverse_proxy 76 | { 77 | meta: 78 | author = "jeFF0Falltrades" 79 | ref = 
"https://cofense.com/houdini-worm-transformed-new-phishing-attack" 80 | description = "Alerts on the WSH RAT .NET reverse proxy module" 81 | 82 | strings: 83 | $str_0 = "RProxy:" wide ascii nocase 84 | $str_1 = "WSH Inc" wide ascii nocase 85 | $str_2 = "WSH Reverse Proxy" wide ascii nocase 86 | $str_3 = "Debug\\ReverseProxy.pdb" wide ascii nocase 87 | $str_4 = "WshRP" wide ascii nocase 88 | $str_5 = "NotifyBringNewSocket" wide ascii nocase 89 | 90 | condition: 91 | 3 of them 92 | } 93 | ``` 94 | 95 | ## Sample Hashes 96 | ### Decoded VBS Script 97 | ``` 98 | 956fb59036b01ebf0fb3a6345eafa2c4aed8dcbad8db63d5c9f3188ceb32bd17 99 | 023938e5f920989b356a897349137a70bf519c72f36219cb147525a650ef7ae4 100 | ``` 101 | 102 | ### Keylogger Module 103 | ``` 104 | 272e64291748fa8be01109faa46c0ea919bf4baf4924177ea6ac2ee0574f1c1a 105 | ``` 106 | 107 | ### RDP Module 108 | ``` 109 | d65a3033e440575a7d32f4399176e0cdb1b7e4efa108452fcdde658e90722653 110 | ``` 111 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # IoCs 2 | A collection of Indicators of Compromise (IoCs), most of which align with samples derived from the signatures in the YARA-Signatures and Malware-Writeups repos. 3 | 4 | I am always looking for feedback, corrections, additions, tips, and lessons learned. 5 | 6 | The easiest way to send those to me is [via Twitter](https://twitter.com/jeFF0Falltrades). 7 | --------------------------------------------------------------------------------