├── AZORult └── azorult.urls ├── Bisonal ├── bisonal.pcre └── bisonal.urls ├── Emotet ├── emotet.pcre ├── emotet.urls ├── emotet_deob_07MAR23.sh └── emotet_deob_08MAR23.py ├── Evrial ├── evrial.pcre └── evrial.urls ├── FakeUpdates ├── fakeupdates.pcre └── fakeupdates.urls ├── FormBook ├── formbook.pcre └── formbook.urls ├── GodzillaLoader ├── godzillaloader.pcre └── godzillaloader.urls ├── GodzillaShell ├── Godzilla_Shell_Data.csv └── webshell_godzilla.yar ├── Gootkit └── gootkit.pcre ├── Hancitor ├── hancitor.pcre ├── hancitor.urls └── troj_win_hancitor.yar ├── Kimsuky └── kimsuky.suri ├── Lazarus ├── lazarus.pcre ├── lazarus.urls └── troj_win_lazarus.yar ├── LummaStealer └── lummastealer.urls ├── MagEK ├── magek.pcre └── magek.urls ├── Misc ├── TDS_Pro_Redirects_02FEB2023-24MAR2024.csv ├── apt_win_carbanak_downlaoder.yar ├── apt_win_ismagent.yar ├── apt_win_turla_comratv4.yar ├── blackbasta_domain_by_email.txt ├── blackbasta_domain_by_name.txt ├── exploit_any_poppopret.yar ├── exploit_win_dde.yar ├── informational_win_protectedole.yar ├── loader_win_unknown001.yar ├── packer_win_spoonvm.yar ├── packer_win_tiggre.yar ├── ransom_win_antefrigus.yar ├── ransom_win_egregor_a.yar ├── ransom_win_lyposit.yar ├── troj_apk_gravityrat_a.yar ├── troj_apk_vamp_a.yar ├── troj_elf_cetus_a.yar ├── troj_osx_evilquest.yar ├── troj_win_auguststealer.yar ├── troj_win_bitrat.yar ├── troj_win_blackstar.yar ├── troj_win_cobaltstrike.yar ├── troj_win_cobaltstrike_beacon_maze.yar ├── troj_win_headertip.yar ├── troj_win_keymarble.yar ├── troj_win_m00nd3v.yar ├── troj_win_macrosafe.yar ├── troj_win_mbrkiller.yar ├── troj_win_mehcrypter.yar ├── troj_win_mnubot.yar ├── troj_win_oldgremlin.yar ├── troj_win_pennywise_stealer.yar ├── troj_win_powerstager.yar ├── troj_win_purplefox.yar ├── troj_win_redsigdav.yar ├── troj_win_threadkit.yar ├── troj_win_vbkryjetor.yar ├── troj_win_warzonerat.yar └── troj_win_xaler.yar ├── Negasteal ├── negasteal.pcre ├── negasteal.urls └── troj_win_negasteal.yar 
├── OriginLogger └── troj_win_originlogger.yar ├── Phishing ├── phishing.pcre ├── phishing.suri └── phishing.urls ├── PlugX ├── plugx.pcre ├── plugx.suri ├── plugx.urls └── troj_win_plugx_loader_go.yar ├── Qakbot ├── qakbot.pcre └── qakbot.urls ├── README.md ├── RigEK ├── rigek.pcre └── rigek.urls ├── Sality ├── sality.pcre └── sality.urls ├── Shlayer ├── shlayer.pcre └── shlayer.urls ├── SlothfulMedia ├── slothfulmedia.pcre └── slothfulmedia.urls ├── TeamViewer ├── teamviewer.pcre └── teamviewer.urls ├── Trickbot ├── trickbot.pcre └── trickbot.urls └── Ursnif ├── ursnif.pcre └── ursnif.urls /AZORult/azorult.urls: -------------------------------------------------------------------------------- 1 | 01001001.website/01001001.php 2 | 107.173.251.23/win/gate.php 3 | 139.60.161.73/api.php 4 | 144.76.61.231/gate.php 5 | 151.80.14.235/azorult/gate.php 6 | 151.80.8.4/azorult/gate.php 7 | 181.215.235.119/wp-content/themes/au/gate.php 8 | 181.215.235.120/au/gate.php 9 | 181.215.235.148/gate.php 10 | 181.215.235.154/au/gate.php 11 | 181.215.235.157/gate.php 12 | 181.215.235.180/wp-content/themes/au/gate.php 13 | 181.215.235.215/au/gate.php 14 | 181.215.235.249/wp-content/themes/au/gate.php 15 | 181.215.235.46/au/gate.php 16 | 181.215.235.81/wp-content/themes/au/gate.php 17 | 181.215.235.95/wp-content/themes/a26/gate.php 18 | 185.130.104.156/au/gate.php 19 | 185.145.129.185/panel/inshallah819.php 20 | 185.156.177.37/b/g4a.php 21 | 185.161.210.91/azo/gate.php 22 | 185.186.143.249/azo/gate.php 23 | 185.207.204.48/a/gate.php 24 | 185.217.92.223/ntkjxrb.php 25 | 185.217.93.129/ntkjxrb.php 26 | 185.233.115.23/a3panel/xsystemsroot.php 27 | 185.250.205.76/y/y.php 28 | 185.35.137.47/n3873hwuergjwlAG.php 29 | 185.48.57.56/au/gate.php 30 | 185.62.189.252/gallery/gate.php 31 | 185.92.74.16/beta/asdfffggg.php 32 | 188.120.245.184/index.php 33 | 188.209.52.233/gate.php 34 | 188.215.92.10/~cdnnnngo/fjgj84s.php 35 | 191.101.245.31/panel/gate.php 36 | 191.101.245.33/au/gate.php 37 | 
191.101.245.37/wp-content/themes/x/gate.php 38 | 191.101.245.40/gate.php 39 | 191.101.245.54/au/gate.php 40 | 191.101.245.57/au/gate.php 41 | 191.101.245.58/a/gate.php 42 | 193.124.117.153/gate.php 43 | 195.133.49.132/gate.php 44 | 195.3.207.69/gate.php 45 | 1xbetspace.pw.md-98.webhostbox.net/wp-content/themes/au/gate.php 46 | 212.8.245.209/jkhljk6d8fd.php 47 | 22qq.ru/st/gate.php 48 | 3ver.iobit.pro/465SJkldn38dsaSj.php 49 | 45.32.152.18/f4h8sdf.php 50 | 46.8.21.196/au/gate.php 51 | 467899work.gdn/wp-content/themes/au/gate.php 52 | 4mstblue.com/gate.php 53 | 5.101.0.36/a/gate.php 54 | 5.101.1.38/a/gate.php 55 | 5.101.122.193/au/gate.php 56 | 5.178.87.65/AZORult/gate.php 57 | 5.188.231.224/xdf56fvl12fg.php 58 | 5.79.69.207/a/api.php 59 | 5.8.88.106/a/api.php 60 | 5.8.88.135/a3/rega.php 61 | 5.8.88.144/dmp/0xBA00FDE1.php 62 | 5.8.88.144/dmp/0xFFA12BCC.php 63 | 5.8.88.184/gate.php 64 | 51.15.192.225/showthread.php 65 | 51.15.202.182/showthread.php 66 | 51.15.219.86/showthread.php 67 | 51.15.246.116/showthread.php 68 | 51.38.34.222/afdjhbn.php 69 | 62.112.8.10/ip.php 70 | 77.72.84.18/gate.php 71 | 77.72.84.23/data/gate.php 72 | 77.72.84.23/hola123/gate.php 73 | 80.209.253.114/x/gate.php 74 | 80.82.69.184/stat.php 75 | 86.110.117.192/a/dsgth4sdfh.php 76 | 87.121.52.162/aufkgrods/gate.php 77 | 89.144.25.24/gate.php 78 | 89.223.30.132/111000111/gate.php 79 | 89.248.164.3/gate.php 80 | 91.215.154.202/AZORult/gate.php 81 | 91.219.28.33/2.php 82 | 91.219.28.33/2a.php 83 | 91.223.133.45/bdbvdv.php 84 | 91.242.163.150/AZORult/gate.php 85 | 91.243.80.104/u/api.php 86 | 91.243.80.147/gallery/v1/f7sadf65.php 87 | 91.243.80.163/a/api.php 88 | 91.243.80.179/a/api.php 89 | 91.243.80.226/a/api.php 90 | 91.243.80.241/x/api.php 91 | 91.243.80.63/win97ugr77.php 92 | 91.243.80.90/grfjikjfgjhiodsjagpijfsadf/lyalyalya.php 93 | 91.243.81.156/29d18ef.php 94 | 91.243.81.165/a/g.php 95 | 91.243.81.180/api.php 96 | 91.243.81.212/loveyoupolice182938481.php 97 | 91.243.81.213/a/api.php 98 | 
92.63.107.114/ThGZmE9yLUgX/update.php 99 | 92.63.197.61/new/d12ds.php 100 | 92.63.197.78/breodkqwlks.php 101 | 92.63.197.80/dh34h7.php 102 | 94.102.60.208/AZO/gate.php 103 | 95.211.202.88/au/gate.php 104 | a11111.merahost.ru/azo/gate.php 105 | abromaxrud.com.md-80.webhostbox.net/AU/gate.php 106 | adena.store/au/gate.php 107 | akingu.bit.md-98.webhostbox.net/wp-content/themes/au/gate.php 108 | amiamidamaru.us/amiadamaru.php 109 | among3919.com/f4h8sdf.php 110 | andreimolchanov.siteme.org/a3/q.php 111 | annonn.gdn/tehnogen/goodsman.php 112 | arthur1st.fav.al/st/gate.php 113 | asdfz.ru/gt/gate.php 114 | askfor.kl.com.ua/9de9f.php 115 | aticiinsaat.org/.st/gate.php 116 | au.nebuchadnezzar.xyz/vf12fv21.php 117 | augilbert10.stream/au/gate.php 118 | aumax.bit.md-98.webhostbox.net/wp-content/themes/au/gate.php 119 | auth-rambler.com/a3/akvfzpihjkrv.php 120 | auth-rambler.com/tmp/gate.php 121 | avenuetaffasmslohin.ru/AZORult/gate.php 122 | azocpanel.tw1.ru/404.php 123 | azorneutrino.com/gate.php 124 | azorul.tk/f7c4d.php 125 | azorult2logs.u-host.in/AZORult/gate.php 126 | baragunskiy.ru/forum/topic.php 127 | barakuda777.ru/gate.php 128 | beuc-eu.com/portfolio/gate.php 129 | bigchlen.tk/ecd9c.php 130 | bigzalupa.xyz/loader/update.php 131 | bii7.gdn/2/gate.php 132 | bii8.gdn/3/gate.php 133 | bing.com/pe.php 134 | bingobongo.xyz/a3ul/q2dw3fsef.php 135 | bitcoinn1.com/stil1/gate.php 136 | bl0ckgen.com/qoiowosk.php 137 | blackexploitz.net/Randoms.php 138 | bmagikleak.website/dU_jKWFMj.php 139 | boorgen.pw/tehnogen/goodsman.php 140 | btc2017.org/gate.php 141 | btckomok.name/gate.php 142 | btcspeed.net/gate.php 143 | building-group.net/gwdghjy.php 144 | business-scoop.com/voasjdae.php 145 | capriomain.com.md-90.webhostbox.net/au/gate.php 146 | cdnnnngoogle.com/fjgj84s.php 147 | cent1.fav.al/st/gate.php 148 | cha2st.fav.al/st/gate.php 149 | chackchan0456.bit.md-8.webhostbox.net/wp-content/themes/au/gate.php 150 | char1st.fav.al/st/gate.php 151 | 
chebnkd.datacntrsecured.com/gate.php 152 | chinaquaqua.com/12gate21.php 153 | chronon.ru/js/zanoza666.php 154 | ciribati.today.md-100.webhostbox.net/gate.php 155 | civatateo.siteme.org/civatateo.php 156 | claimbitcoin.live/verification.php 157 | coingenerator.info/azor/gate.php 158 | coinmarketcat.top/djhfjkdfhbnj.php 159 | commandostr.pw/d3j6cda.php 160 | cq34158.tmweb.ru/01293812838123717274jjjjj.php 161 | crypto-e.org/gfh6567jkl46xxc3.php 162 | cryptotrust.today.md-35.webhostbox.net/gate.php 163 | cryptoweakness.ru/wkns787845451.php 164 | csobik.pp.ua/wp-content/themes/au/gate.php 165 | dalletenterprisesltd.com.md-hk-7.webhostbox.net/AZORult/gate.php 166 | dark-file.ru/au/gate.php 167 | datacntrsecured.com/securityfilesdoc/gate.php 168 | defaultbrowser.xyz/N111/gate.php 169 | demufiod.nl/au/gate.php 170 | dfg1.fav.al/st/gate.php 171 | dfg2-s.fav.al/st/gate.php 172 | dfgfgd.download/flowershop/gate.php 173 | din2st.fav.al/st/gate.php 174 | dm4info.bit.md-90.webhostbox.net/wp-content/themes/au/gate.php 175 | domennof.club/maolsheachlann/donate.php 176 | donperenion.com/AU/gate.php 177 | dormeo.today/mainme/gateme.php 178 | dota.website/elikapeka2/index.php 179 | e910005o.beget.tech/bc6e7.php 180 | ebere.gotdns.ch/AZORult/gate.php 181 | elysium-inc.info/SOFTWARE/upgrade.php 182 | elysium-inc.pro/acid/rom.php 183 | elysium-ltd.pro/gate/transfer.php 184 | elysium-ltd.pro/secure/update.php 185 | evaroma.zone/panel1/gate.php 186 | fadaehh.com/datacenterfolder/secureddatadrive/gate.php 187 | fadaehh.com/securitydatascreen/gate.php 188 | fbbawerttt.info/petroqwe.php 189 | floralchoicesonline.com/catalogue/gate.php 190 | foolermarkus.top/azor/gate.php 191 | foolermarkus.top/prof/index.php 192 | formatvoboats.com/fan/tasks.php 193 | freelotema.top/gred/prada.php 194 | g4rm0n.had.su/rgegew999.php 195 | galinastrelkova.mysit.ru/AZORult/gate.php 196 | gallagerfranky.had.su/panel1/gate.php 197 | gamepro4.xyz/progressinfo.php 198 | ghost2018.ru/index.php 199 | 
ghostnew.ru/az/ghostga.php 200 | gidrevi4.org/gate.php 201 | gidrobon.pw/AU2018/agate.php 202 | gidrobon.pw/azorr/agate.php 203 | goalkutoffsa.top/azor/gate.php 204 | gob.grantflaskparty.com/babasraka.php 205 | gogo.om-nom-nom.li/gate.php 206 | gohithatsandrof.win/fhgdkkjl4.php 207 | goiptechnologieetc.win/online/gate.php 208 | goldenrain.tk/gate.php 209 | gr2-s.fav.al/st/gate.php 210 | hashtop.biz/gate.php 211 | hhamay.website/hhamay.php 212 | hhamay.website/v31/index.php 213 | homorhabu.com/gate.php 214 | hondobakr.top/gate.php 215 | hophey.club/orders/provider.php 216 | htagzdownload.pw/Series/Conumer1Pirlo.php 217 | htagzdownload.pw/Series/Conumer2kenpachi.php 218 | htagzdownload.pw/Series/Conumer4Publisher.php 219 | htagzdownload.pw/Series/scofild1.php 220 | ih1002678.myihor.ru/123/mazahacka.php 221 | ih100863.myihor.ru/api.php 222 | ilkaymamaev.nov.ru/gate.php 223 | imbalancedblade.com/gate.php 224 | imbaxqxq.org/AU/gate.php 225 | inc0de.gq/themes/gate.php 226 | jaxxx.pro/jojo4147ff7.php 227 | jings.gdn/gate.php 228 | jncjcb.com/gate.php 229 | junkyard.pluton-host.ru/gate.php 230 | kalabunga.gdn/tempo/gate.php 231 | kamyn9ka.com/au/gate.php 232 | kamyn9ka.com/server/gate.php 233 | karavan.pluton-host.ru/gate.php 234 | kartavuy.ru/gate.php 235 | kolanikolai.pluton-host.ru/AZORult/gate.php 236 | legalson.com/gate.php 237 | lev454vv.beget.tech/cgi-bin/www/desperadosss.php 238 | levonside.space/gate.php 239 | like5g2.com/AU/gate.php 240 | lkasdjfklhngn.pw/gate/blacklist.php 241 | lkasdjfklhngn.pw/gate/checkConnection.php 242 | lkasdjfklhngn.pw/gate/pools.php 243 | loki25.com/a/gate.php 244 | lolmas.ga/gate.php 245 | lolrphack.com/gate.php 246 | lor1st.fav.al/st/gate.php 247 | loveyouneed.pw/needyougatefuckpolice2812121212n.php 248 | m3nfly.com/gate.php 249 | macpay.pw/gate.php 250 | marcher.had.su/az/offback.php 251 | marsmoon.gdn.md-72.webhostbox.net/gate.php 252 | mavado2121.bit.md-96.webhostbox.net/wp-content/themes/au/gate.php 253 | 
mccarthy.ddob.us/st/gate.php 254 | mcgau2.bit.md-100.webhostbox.net/wp-content/themes/au/gate.php 255 | mcgaustreet.stream/stat.php 256 | mcgua.com.ua/au/gate.php 257 | menfly.pw/gate.php 258 | mess1.wizzmonetize.com/fraud_check.php 259 | mike.rivalserver.com/~eebzbcip/a/gate.php 260 | mike.rivalserver.com/~jdrridkr/a/gate.php 261 | mike.rivalserver.com/~wqpjevcp/a/gate.php 262 | mong.men/AZO/gate.php 263 | mozzezomro.had.su/b/api.php 264 | mrbugsbunny.siteme.org/index.php 265 | msn.com/gate.php 266 | msupd.ml/usaCei2taiv0ohF.php 267 | musicstock.us/N111/gate.php 268 | mypart.online/wnu2f92hffs.php 269 | myxamop.com/gate.php 270 | nabofx.xyz/blaed053.php 271 | needmorelogs.club/customerpanel/jupiter.php 272 | needyoulove.com/index.php 273 | needyoulove.pw/s/gate.php 274 | neutrinoazor.com/gate.php 275 | newegorz.info/kamaz/gate.php 276 | newsrel.pw/gate.php 277 | nimerstat.ru/stat.php 278 | nottotrack.com/proxy/get_build.php 279 | npromo.world/insfxext.php 280 | nuvoteto.ru/AZORult/gate.php 281 | nwam1.fav.al/st/gate.php 282 | o77615yo.beget.tech/gate.php 283 | oct3-st.fav.al/st/gate.php 284 | oct4-st.fav.al/st/gate.php 285 | op0.live/f4h8sdf.php 286 | oriane-ramette.fr/misc/dm/gate.php 287 | oriane-ramette.fr/misc/http/tasks.php 288 | pakedete.top/ST/gate.php 289 | paladin.info.md-36.webhostbox.net/gate.php 290 | panamera.gdn.md-58.webhostbox.net/gate.php 291 | panamera.site/elikapeka/help.php 292 | pat2st.fav.al/st/gate.php 293 | pdalife.today/adm/gate.php 294 | peaceduke.xyz/orders/peace.php 295 | poloniex.spb.ru/gate.php 296 | poltergeistvariety.com/au/gate.php 297 | pornhospital.net/3/ad/8udsgrhdfd45.php 298 | preramet123.name/w/gate.php 299 | probablo.info/577789.php 300 | proxerrrsau.bit.md-100.webhostbox.net/wp-content/themes/au/gate.php 301 | qnc2.rivalserver.com/~bvupuacr/gate.php 302 | randomusavnc.com/u.php 303 | rar-lab.ru/panel/f585816fp4444888.php 304 | reporn777.pw/ggdffdsfds.php 305 | richme.top/index.php 306 | rmansys.ru/utils/inet_id_notify.php 
307 | rockstarawesome.in.md-89.webhostbox.net/gate.php 308 | room1.360dev.info/black/swapnil_wahyu.php 309 | s.loveyou.xcution.pw/gate.php 310 | safytume.bid/surfclub/gate.php 311 | sai1st-new.fav.al/st/gate.php 312 | sai1st.fav.al/st/gate.php 313 | sai2st.fav.al/st/gate.php 314 | sail1st.fav.al/st/gate.php 315 | sdjfklsdf2.win/online/gate.php 316 | sexmirranda.net/1/newad/8ujsdxf67y.php 317 | shabocas.com.md-90.webhostbox.net/au/gate.php 318 | sharfik.club/fhsinbls.php 319 | sho0str1k.com/gate.php 320 | siteverification.site/azo/gate.php 321 | snake.mcdir.ru/gate.php 322 | snhonje.xyz/13a4e.php 323 | solsticeau.bit.md-1.webhostbox.net/wp-content/themes/au/gate.php 324 | solsticeikolpqwe.com/AU/gate.php 325 | sondomax.co/f78gu9vyc7d6x5f89vg980oi/gate.php 326 | soupe.2zzz.ru/up_d.php 327 | sskyokker256.bit.md-89.webhostbox.net/wp-content/themes/twentyfuve/AU26/gate.php 328 | stats.bic1703.com/new/collect.php 329 | subpilotmos.com.md-16.webhostbox.net/au/gate.php 330 | sumocloud.club/azo/gate.php 331 | supercupokrum.su/news/login.php 332 | surfwithgod.xyz/gate.php 333 | suzzygirl.ga/a/bi3bz1i9.php 334 | svnkbanda.club/hophey/lalaley.php 335 | t92273j5.beget.tech//page.php 336 | teviwe.xyz/getinfo.php 337 | tiogordofestas.com.br/st/gate.php 338 | tpoint.ddns.net/AZORult/gate.php 339 | tradefox.info/ndvjskdf.php 340 | tradesworld.pw/gate.php 341 | trakel.gdn.md-77.webhostbox.net/gate.php 342 | tratata.zeleboba.in/2b8ca.php 343 | tratimo.ml/1b8ec.php 344 | trendingshockingnews.com/wp-licence/gate.php 345 | update.wex-online.co/xml-wp/wp.php 346 | updatewins.gdn/gate.php 347 | usa-bank.info.md-91.webhostbox.net/AZOR/gate.php 348 | ven2au.bit.md-94.webhostbox.net/wp-content/themes/au/gate.php 349 | vh228304.eurodir.ru/sfdgsgag.php 350 | viebyqwe123.nl/a/gate.php 351 | vladsalad.info/AZORult/gate.php 352 | wattmeter.win/a/mp3.php 353 | wetoedo.xyz/crude/trade.php 354 | wflfy.com/5ae44.php 355 | wsa-on.com/asd4322assa.php 356 | www.arcdomain.xyz/gffjqrr4.php 357 | 
www.badgerlandshops.com/gate.php 358 | www.biplane.telosbeauty.ru/sxd/base/azo/gate.php 359 | www.gopety.cc/F889eta.php 360 | www.gopety.cc/auzo577/h834ee.php 361 | www.gopety.cc/info/0xBA00FDE1.php 362 | www.gopety.cc/info/0xFFA12BCC.php 363 | www.grandmasson.pw/gate.php 364 | www.menfly.top/gate.php 365 | www.mountzionint.download/folder/gate.php 366 | www.onbridgesu.com/wp-content/themes/au/gate.php 367 | www.selfdislikedfarfet.site/thankyou.php 368 | www.suvamouse.com/nature/bskadbk.php 369 | www.techlink.name.ng/tchlk/gate.php 370 | www.trillhosting.com/wp-content/themes/x/gate.php 371 | www.trillhosting.com/wp-content/themes/x/inc/read.php 372 | www.warehousepl.com/water/bskadbk.php 373 | www.wizzmonetize.com/remotes_xml_sections.php 374 | www.wizzmonetize.com/sales_config.php 375 | x2y.fansofgucci.pw/gate.php 376 | xn--e1agazqz8d.xyz/afdjhbn.php 377 | y2uymxvc7gfywqcq.xyz/au/gate.php 378 | yousecurityfolder.us/f4h8sdf.php 379 | yumcsupply.com/st/gate.php 380 | zbs.yoca.had.su/grfeger.php 381 | zenobox.eu/gate.php 382 | zgdh.pdns.cz/a3/7hqz4ya.php 383 | zhukoviu.bget.ru/st/gate.php 384 | -------------------------------------------------------------------------------- /Bisonal/bisonal.pcre: -------------------------------------------------------------------------------- 1 | ########################### 2 | # Bisonal PCRE Collection # 3 | # @noottrak # 4 | ########################### 5 | # 01 ks8d10.10.10.29akspbu.txt 6 | ########## 7 | # 01 8 | ^(?:http(s)?:\/\/)?(?:[^\x2F]+\/)+([a-z]{4}|[a-z]{2}[0-9][a-z])[1-2]?[0-9]?[0-9]\.[1-2]?[0-9]?[0-9]\.[1-2]?[0-9]?[0-9]\.[1-2]?[0-9]?[0-9][a-z]{6}\.txt$ karttoon 25MAR2020 - Bisonal C2 - [ ks8d10.10.10.29akspbu.txt ] 9 | -------------------------------------------------------------------------------- /Bisonal/bisonal.urls: -------------------------------------------------------------------------------- 1 | http://agent.my-homeip.net/ks8d10.10.10.68akspbu.txt 2 | http://emsnts.redirectme.net/ks8d10.10.10.159akspbu.txt 3 | 
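http://emsnts.redirectme.net/ks8d10.10.10.59akspbu.txt
http://euiro8966.organiccrap.com/ks8d10.10.10.158akspbu.txt
http://euiro8966.organiccrap.com/ks8d10.10.10.164akspbu.txt
http://games.my-homeip.com/ks8d10.10.10.74akspbu.txt
http://kreng.bounceme.net/ks8d10.10.10.129akspbu.txt
http://kreng.bounceme.net/ks8d10.10.10.29akspbu.txt
http://kted56erhg.dynssl.com/ks8d10.10.10.130akspbu.txt
http://kted56erhg.dynssl.com/ks8d10.10.10.158akspbu.txt
http://kted56erhg.dynssl.com/ks8d10.10.10.164akspbu.txt
http://kted56erhg.dynssl.com/ks8d10.10.10.30akspbu.txt
http://kted56erhg.dynssl.com/ks8d10.10.10.58akspbu.txt
http://kted56erhg.dynssl.com/ks8d10.10.10.64akspbu.txt
http://www.hosting.tempors.com:443/av9d0.0.0.0akspbv.txt
--------------------------------------------------------------------------------
/Emotet/emotet_deob_07MAR23.sh:
--------------------------------------------------------------------------------
#!/bin/bash

#__author__ = "Jeff White [karttoon] @noottrak"
#__email__ = "karttoon@gmail.com"
#__version__ = "1.0.0"
#__date__ = "07MAR2023"

# Variant - 2e116e6a43dcc2ee55df34664a7d5bfae36918f3a8ce5af97be6cb99e3a4de5b

# Usage: emotet_deob_07MAR23.sh <extracted VBA text>
#
# For every "<name> = <length>" statement the quoted value on the following
# line is taken as the alphabet and the third field of each of the next
# <length> lines as a 1-based character position into it; the selected
# characters, in order, form one decoded string, printed per statement.
#
# Everything read from the macro text is handled as data: the file name is
# quoted, the statement is matched with grep -Fx (fixed string, whole line)
# so it can neither act as a pattern nor hit a longer line that merely
# contains it, and carriage returns (macro text dumped from Office files is
# often CRLF) are stripped before a value reaches shell arithmetic or cut.

if [ "$#" -ne 1 ] || [ ! -f "$1" ]; then
    echo "usage: $0 <extracted VBA text>" >&2
    exit 1
fi

vba="$1"

grep -E "^[a-zA-Z]+ = [0-9]+" "$vba" | while IFS= read -r entry; do
    len=$(awk '{print $3}' <<< "$entry" | tr -d '\r')
    # Alphabet: the quoted value on the line directly after the length statement.
    encString=$(grep -A1 -Fx -- "$entry" "$vba" | tail -n1 | awk '{print $3}' | sed -e 's/"//g' | tr -d '\r')
    decString=""
    # The <len> lines after the alphabet each carry one position in their third field.
    for index in $(grep -A"$((len + 1))" -Fx -- "$entry" "$vba" | tail -n"$len" | awk '{print $3}' | tr -d '\r'); do
        decString+=$(cut -c "$index" <<< "$encString")
    done
    printf '%s\n' "$decString"
done

--------------------------------------------------------------------------------
/Emotet/emotet_deob_08MAR23.py:
--------------------------------------------------------------------------------
#!/usr/bin/python
import sys, oletools.olevba, re

__author__ = "Jeff White [karttoon] @noottrak"
__email__ = "karttoon@gmail.com"
__version__ = "1.0.0"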
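__date__ = "08MAR2023"

# Variant - a99eb971a4d11235924443dfd0308e731205b6320e6939526d94f91a43c64248

# One compiled pattern per statement shape the obfuscator emits.  Capture
# groups replace the original split(" ")[n] lookups, so a value that itself
# contains a blank (possible inside a quoted alphabet) is no longer cut off,
# and a length such as "26abc" no longer raises ValueError in int().
VALUE_RE = re.compile(r"^([a-zA-Z]+) = ([0-9]+)")                 # fOueQX = 26
REPLACE_RE = re.compile(r"^([a-zA-Z]+) = ([a-zA-Z]+)$")           # hzQtU = fOueQX
ALPHABET_RE = re.compile(r'^([a-zA-Z]+) = "(.+?)"')               # blSoELVq = "fxNNbmIerSxhpodpsFcqTYulnMJVsgMDboqDrDOyc [...]
ARRAY_RE = re.compile(r"^([a-zA-Z]+)\(([0-9]+)\) = ([a-zA-Z]+)")  # sHjDF(0) = yYiP
PRINT_RE = re.compile(r"^[a-zA-Z]+ = [a-zA-Z]+\(([a-zA-Z]+), ([a-zA-Z]+), ([a-zA-Z]+)\)")  # hrOyFMRd = Motztvi(blSoELVq, sHjDF, hzQtU)


def deobfuscate(vba_code):
    """Recover the strings built by one AutoOpen macro body.

    The macro keeps an alphabet string, an array of 1-based positions into
    that alphabet and a length, then hands the three to a helper that builds
    each string.  The statements are walked in source order, feeding the same
    three tables the original script used (integer values, alphabets, index
    arrays); every helper call that can be resolved yields one decoded
    string.

    Args:
        vba_code: the VBA source of one module as returned by olevba.

    Returns:
        list of decoded strings in the order the helper calls appear.  A call
        whose alphabet, array or length is unknown is skipped rather than
        aborting the whole document (the original swallowed these with a bare
        except; unknown array sources crashed it with KeyError).
    """
    index_value = {}     # variable name -> int
    index_alphabet = {}  # variable name -> alphabet string
    index_array = {}     # array name -> {slot: int position}
    decoded = []

    for line in vba_code.splitlines():
        m = VALUE_RE.match(line)
        if m:
            index_value[m.group(1)] = int(m.group(2))
            continue

        m = REPLACE_RE.match(line)
        if m:
            # Alias of an already-known integer; an unknown source is ignored.
            if m.group(2) in index_value:
                index_value[m.group(1)] = index_value[m.group(2)]
            continue

        m = ALPHABET_RE.match(line)
        if m:
            index_alphabet[m.group(1)] = m.group(2)
            continue

        m = ARRAY_RE.match(line)
        if m:
            name, slot, source = m.group(1), int(m.group(2)), m.group(3)
            if source in index_value:
                # Keyed by the declared slot instead of list.insert(), so
                # out-of-order or repeated assignments land where VBA puts them.
                index_array.setdefault(name, {})[slot] = index_value[source]
            continue

        m = PRINT_RE.match(line)
        if m:
            alpha, array, count_var = m.group(1), m.group(2), m.group(3)
            if alpha not in index_alphabet or array not in index_array or count_var not in index_value:
                continue  # best effort: leave unresolved calls out, as before
            alphabet = index_alphabet[alpha]
            positions = index_array[array]
            # Positions are 1-based and wrap around the alphabet length.
            dec_string = "".join(
                alphabet[(positions[slot] - 1) % len(alphabet)] for slot in sorted(positions)
            )
            decoded.append(dec_string[0:index_value[count_var]])

    return decoded


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.stderr.write("usage: %s <office document>\n" % sys.argv[0])
        sys.exit(1)

    macros = oletools.olevba.VBA_Parser(sys.argv[1]).extract_macros()

    for (filename, stream_path, vba_filename, vba_code) in macros:
        if "AutoOpen" not in vba_code:
            continue
        for dec_string in deobfuscate(vba_code):
            print(dec_string)

--------------------------------------------------------------------------------
/Evrial/evrial.pcre:
--------------------------------------------------------------------------------
##########################
# Evrial PCRE Collection #
# @noottrak              #
##########################
# 01 /~microtro/gate.php?hwid=18AF1C0D&os=Windows%20XP&file=1&cookie=0&pswd=0&credit=0&autofill=0&wallets=0&telegram=0&version=v1.2.0
##########
# 01
^(http(s)?:\/\/)?([^\x2F]+\/)+(\/)?gate\.php\?hwid=[a-zA-Z0-9-]+&os=[a-zA-Z0-9%-]+(&file=[0-9])?(&cookie=[0-9])?(&pswd=[0-9])?(&credit=[0-9])?(&autofill=[0-9])?(&wallets=[0-9])?(&telegram=[0-9])?&version=v[0-9]\.[0-9]\.[0-9]$ karttoon 10OCT2018 - Evrial C2 [ /~microtro/gate.php?hwid=18AF1C0D&os=Windows%20XP&file=1&cookie=0&pswd=0&credit=0&autofill=0&wallets=0&telegram=0&version=v1.2.0 ]
--------------------------------------------------------------------------------
/Evrial/evrial.urls:
--------------------------------------------------------------------------------
162.247.155.21/~microtro/gate.php?hwid=18AF1C0D&os=Windows%20XP&file=1&cookie=0&pswd=0&credit=0&autofill=0&wallets=0&telegram=0&version=v1.2.0
162.247.155.21/~microtro/gate.php?hwid=1AB23053&os=Windows%207&file=1&cookie=0&pswd=0&credit=0&autofill=0&wallets=0&telegram=0&version=v1.2.1
162.247.155.21/~microtro/gate.php?hwid=1AC6D0DF&os=Windows%207&file=0&cookie=0&pswd=0&credit=0&autofill=0&wallets=0&telegram=0&version=v1.2.0
162.247.155.21/~microtro/gate.php?hwid=1D757CFD&os=Windows%20XP&file=0&cookie=0&pswd=0&credit=0&autofill=0&wallets=0&telegram=0&version=v1.1.3
162.247.155.21/~microtro/gate.php?hwid=1E46E734&os=Windows%207&file=1&cookie=0&pswd=0&credit=0&autofill=0&wallets=0&telegram=0&version=v1.2.1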
162.247.155.21/~microtro/gate.php?hwid=1F5ACE50&os=Windows%207&file=1&cookie=0&pswd=0&credit=0&autofill=0&wallets=0&telegram=0&version=v1.2.1 7 | 162.247.155.21/~microtro/gate.php?hwid=201A74EE&os=Windows%20XP&file=0&cookie=0&pswd=0&credit=0&autofill=0&wallets=0&telegram=0&version=v1.2.0 8 | 162.247.155.21/~microtro/gate.php?hwid=219C4D26&os=Windows%20XP&file=0&cookie=0&pswd=0&credit=0&autofill=0&wallets=0&telegram=0&version=v1.2.0 9 | 162.247.155.21/~microtro/gate.php?hwid=2371CA2A&os=Windows%207&file=0&cookie=0&pswd=0&credit=0&autofill=0&wallets=0&telegram=0&version=v1.2.0 10 | 162.247.155.21/~microtro/gate.php?hwid=2504106D&os=Windows%20XP&file=1&cookie=0&pswd=0&credit=0&autofill=0&wallets=0&telegram=0&version=v1.1.3 11 | 162.247.155.21/~microtro/gate.php?hwid=2CE05640&os=Windows%20XP&file=1&cookie=0&pswd=0&credit=0&autofill=0&wallets=0&telegram=0&version=v1.2.0 12 | 162.247.155.21/~microtro/gate.php?hwid=2FC20498&os=Windows%207&file=0&cookie=0&pswd=0&credit=0&autofill=0&wallets=0&telegram=0&version=v1.1.3 13 | 162.247.155.21/~microtro/gate.php?hwid=31923657&os=Windows%207&file=0&cookie=0&pswd=0&credit=0&autofill=0&wallets=0&telegram=0&version=v1.1.3 14 | 162.247.155.21/~microtro/gate.php?hwid=31964BCF&os=Windows%20XP&file=0&cookie=0&pswd=0&credit=0&autofill=0&wallets=0&telegram=0&version=v1.1.3 15 | 162.247.155.21/~microtro/gate.php?hwid=33981989&os=Windows%20XP&file=1&cookie=0&pswd=0&credit=0&autofill=0&wallets=0&telegram=0&version=v1.1.3 16 | 162.247.155.21/~microtro/gate.php?hwid=377E0301&os=Windows%207&file=1&cookie=0&pswd=0&credit=0&autofill=0&wallets=0&telegram=0&version=v1.1.3 17 | 162.247.155.21/~microtro/gate.php?hwid=3B5BBD8F&os=Windows%20XP&file=1&cookie=0&pswd=0&credit=0&autofill=0&wallets=0&telegram=0&version=v1.1.3 18 | 162.247.155.21/~microtro/gate.php?hwid=3B70B4FF&os=Windows%20XP&file=0&cookie=0&pswd=0&credit=0&autofill=0&wallets=0&telegram=0&version=v1.2.0 19 | 
162.247.155.21/~microtro/gate.php?hwid=3BBDF02A&os=Windows%20XP&file=1&cookie=0&pswd=0&credit=0&autofill=0&wallets=0&telegram=0&version=v1.2.1 20 | 162.247.155.21/~microtro/gate.php?hwid=3C16A9C1&os=Windows%20XP&file=1&cookie=0&pswd=0&credit=0&autofill=0&wallets=0&telegram=0&version=v1.2.1 21 | 162.247.155.21/~microtro/gate.php?hwid=4554BBA1&os=Windows%207&file=1&cookie=0&pswd=0&credit=0&autofill=0&wallets=0&telegram=0&version=v1.1.3 22 | 162.247.155.21/~microtro/gate.php?hwid=526A407F&os=Windows%20XP&file=0&cookie=0&pswd=0&credit=0&autofill=0&wallets=0&telegram=0&version=v1.2.0 23 | 162.247.155.21/~microtro/gate.php?hwid=54B8684E&os=Windows%207&file=0&cookie=0&pswd=0&credit=0&autofill=0&wallets=0&telegram=0&version=v1.2.1 24 | 162.247.155.21/~microtro/gate.php?hwid=55C0FE97&os=Windows%20XP&file=1&cookie=0&pswd=0&credit=0&autofill=0&wallets=0&telegram=0&version=v1.2.1 25 | 162.247.155.21/~microtro/gate.php?hwid=59220DBD&os=Windows%207&file=1&cookie=0&pswd=0&credit=0&autofill=0&wallets=0&telegram=0&version=v1.1.3 26 | 162.247.155.21/~microtro/gate.php?hwid=5C322D84&os=Windows%20XP&file=0&cookie=0&pswd=0&credit=0&autofill=0&wallets=0&telegram=0&version=v1.2.0 27 | 162.247.155.21/~microtro/gate.php?hwid=5FE4092D&os=Windows%207&file=1&cookie=0&pswd=0&credit=0&autofill=0&wallets=0&telegram=0&version=v1.1.3 28 | 162.247.155.21/~microtro/gate.php?hwid=5FF286DE&os=Windows%20XP&file=1&cookie=0&pswd=0&credit=0&autofill=0&wallets=0&telegram=0&version=v1.2.0 29 | 162.247.155.21/~microtro/gate.php?hwid=63A4758C&os=Windows%207&file=1&cookie=0&pswd=0&credit=0&autofill=0&wallets=0&telegram=0&version=v1.1.3 30 | 162.247.155.21/~microtro/gate.php?hwid=63F82CF7&os=Windows%20XP&file=0&cookie=0&pswd=0&credit=0&autofill=0&wallets=0&telegram=0&version=v1.2.0 31 | 162.247.155.21/~microtro/gate.php?hwid=69B0DE15&os=Windows%207&file=1&cookie=0&pswd=0&credit=0&autofill=0&wallets=0&telegram=0&version=v1.1.3 32 | 
162.247.155.21/~microtro/gate.php?hwid=6E0E5AD2&os=Windows%207&file=0&cookie=0&pswd=0&credit=0&autofill=0&wallets=0&telegram=0&version=v1.2.0 33 | 162.247.155.21/~microtro/gate.php?hwid=7362F183&os=Windows%20XP&file=1&cookie=0&pswd=0&credit=0&autofill=0&wallets=0&telegram=0&version=v1.1.3 34 | 162.247.155.21/~microtro/gate.php?hwid=73BFC8E2&os=Windows%20XP&file=0&cookie=0&pswd=0&credit=0&autofill=0&wallets=0&telegram=0&version=v1.2.0 35 | 162.247.155.21/~microtro/gate.php?hwid=73C958C0&os=Windows%20XP&file=0&cookie=0&pswd=0&credit=0&autofill=0&wallets=0&telegram=0&version=v1.2.1 36 | 162.247.155.21/~microtro/gate.php?hwid=76FC76EB&os=Windows%207&file=1&cookie=0&pswd=0&credit=0&autofill=0&wallets=0&telegram=0&version=v1.1.3 37 | 162.247.155.21/~microtro/gate.php?hwid=77463704&os=Windows%20XP&file=1&cookie=0&pswd=0&credit=0&autofill=0&wallets=0&telegram=0&version=v1.2.1 38 | 162.247.155.21/~microtro/gate.php?hwid=79AE04CC&os=Windows%20XP&file=1&cookie=0&pswd=0&credit=0&autofill=0&wallets=0&telegram=0&version=v1.1.3 39 | 162.247.155.21/~microtro/gate.php?hwid=79B33BDB&os=Windows%207&file=0&cookie=0&pswd=0&credit=0&autofill=0&wallets=0&telegram=0&version=v1.2.0 40 | 162.247.155.21/~microtro/gate.php?hwid=7AFB5F77&os=Windows%20XP&file=0&cookie=0&pswd=0&credit=0&autofill=0&wallets=0&telegram=0&version=v1.1.3 41 | 162.247.155.21/~microtro/gate.php?hwid=7CBC2A48&os=Windows%207&file=1&cookie=0&pswd=0&credit=0&autofill=0&wallets=0&telegram=0&version=v1.2.1 42 | 162.247.155.21/~microtro/gate.php?hwid=805FEA08&os=Windows%207&file=1&cookie=0&pswd=0&credit=0&autofill=0&wallets=0&telegram=0&version=v1.2.1 43 | 162.247.155.21/~microtro/gate.php?hwid=8125F1A9&os=Windows%20XP&file=1&cookie=0&pswd=0&credit=0&autofill=0&wallets=0&telegram=0&version=v1.1.3 44 | 162.247.155.21/~microtro/gate.php?hwid=86E9556E&os=Windows%20XP&file=0&cookie=0&pswd=0&credit=0&autofill=0&wallets=0&telegram=0&version=v1.1.3 45 | 
162.247.155.21/~microtro/gate.php?hwid=89A64AB7&os=Windows%20XP&file=1&cookie=0&pswd=0&credit=0&autofill=0&wallets=0&telegram=0&version=v1.2.0 46 | 162.247.155.21/~microtro/gate.php?hwid=8a8c3819-1997-486b-b092-3ed9cbc54b1e&os=Windows%207&file=0&cookie=0&pswd=0&credit=0&autofill=0&wallets=0&telegram=0&version=v1.2.1 47 | 162.247.155.21/~microtro/gate.php?hwid=99828A07&os=Windows%207&file=0&cookie=0&pswd=0&credit=0&autofill=0&wallets=0&telegram=0&version=v1.1.3 48 | 162.247.155.21/~microtro/gate.php?hwid=99ACFAC5&os=Windows%207&file=0&cookie=0&pswd=0&credit=0&autofill=0&wallets=0&telegram=0&version=v1.2.0 49 | 162.247.155.21/~microtro/gate.php?hwid=9C360FAF&os=Windows%207&file=1&cookie=0&pswd=0&credit=0&autofill=0&wallets=0&telegram=0&version=v1.2.0 50 | 162.247.155.21/~microtro/gate.php?hwid=A5E17E4C&os=Windows%207&file=1&cookie=0&pswd=0&credit=0&autofill=0&wallets=0&telegram=0&version=v1.2.0 51 | 162.247.155.21/~microtro/gate.php?hwid=A9EE081C&os=Windows%207&file=0&cookie=0&pswd=0&credit=0&autofill=0&wallets=0&telegram=0&version=v1.2.0 52 | 162.247.155.21/~microtro/gate.php?hwid=B50F056D&os=Windows%207&file=1&cookie=0&pswd=0&credit=0&autofill=0&wallets=0&telegram=0&version=v1.2.0 53 | 162.247.155.21/~microtro/gate.php?hwid=B6C2EFE4&os=Windows%20XP&file=0&cookie=0&pswd=0&credit=0&autofill=0&wallets=0&telegram=0&version=v1.2.0 54 | 162.247.155.21/~microtro/gate.php?hwid=BABC77CE&os=Windows%20XP&file=0&cookie=0&pswd=0&credit=0&autofill=0&wallets=0&telegram=0&version=v1.2.1 55 | 162.247.155.21/~microtro/gate.php?hwid=C551C52D&os=Windows%207&file=1&cookie=0&pswd=0&credit=0&autofill=0&wallets=0&telegram=0&version=v1.1.3 56 | 162.247.155.21/~microtro/gate.php?hwid=CB21D5E6&os=Windows%207&file=1&cookie=0&pswd=0&credit=0&autofill=0&wallets=0&telegram=0&version=v1.1.3 57 | 162.247.155.21/~microtro/gate.php?hwid=CB6CB189&os=Windows%207&file=1&cookie=0&pswd=0&credit=0&autofill=0&wallets=0&telegram=0&version=v1.2.0 58 | 
162.247.155.21/~microtro/gate.php?hwid=D3122DE1&os=Windows%207&file=0&cookie=0&pswd=0&credit=0&autofill=0&wallets=0&telegram=0&version=v1.2.0 59 | 162.247.155.21/~microtro/gate.php?hwid=D4A57922&os=Windows%20XP&file=1&cookie=0&pswd=0&credit=0&autofill=0&wallets=0&telegram=0&version=v1.2.0 60 | 162.247.155.21/~microtro/gate.php?hwid=D827909E&os=Windows%207&file=1&cookie=0&pswd=0&credit=0&autofill=0&wallets=0&telegram=0&version=v1.1.3 61 | 162.247.155.21/~microtro/gate.php?hwid=DA1FBEA5&os=Windows%207&file=1&cookie=0&pswd=0&credit=0&autofill=0&wallets=0&telegram=0&version=v1.2.0 62 | 162.247.155.21/~microtro/gate.php?hwid=DABB806A&os=Windows%20XP&file=0&cookie=0&pswd=0&credit=0&autofill=0&wallets=0&telegram=0&version=v1.1.3 63 | 162.247.155.21/~microtro/gate.php?hwid=DB927259&os=Windows%207&file=1&cookie=0&pswd=0&credit=0&autofill=0&wallets=0&telegram=0&version=v1.2.1 64 | 162.247.155.21/~microtro/gate.php?hwid=DD00D576&os=Windows%20XP&file=0&cookie=0&pswd=0&credit=0&autofill=0&wallets=0&telegram=0&version=v1.1.3 65 | 162.247.155.21/~microtro/gate.php?hwid=E0C50DA5&os=Windows%207&file=0&cookie=0&pswd=0&credit=0&autofill=0&wallets=0&telegram=0&version=v1.1.3 66 | 162.247.155.21/~microtro/gate.php?hwid=E71DC3A0&os=Windows%20XP&file=0&cookie=0&pswd=0&credit=0&autofill=0&wallets=0&telegram=0&version=v1.2.0 67 | 162.247.155.21/~microtro/gate.php?hwid=EC365B40&os=Windows%207&file=0&cookie=0&pswd=0&credit=0&autofill=0&wallets=0&telegram=0&version=v1.1.3 68 | 162.247.155.21/~microtro/gate.php?hwid=ED97769E&os=Windows%20XP&file=0&cookie=0&pswd=0&credit=0&autofill=0&wallets=0&telegram=0&version=v1.1.3 69 | 162.247.155.21/~microtro/gate.php?hwid=EE5787C0&os=Windows%207&file=0&cookie=0&pswd=0&credit=0&autofill=0&wallets=0&telegram=0&version=v1.2.0 70 | 162.247.155.21/~microtro/gate.php?hwid=EF832B6C&os=Windows%207&file=0&cookie=0&pswd=0&credit=0&autofill=0&wallets=0&telegram=0&version=v1.2.1 71 | 
162.247.155.21/~microtro/gate.php?hwid=EF876F1C&os=Windows%207&file=1&cookie=0&pswd=0&credit=0&autofill=0&wallets=0&telegram=0&version=v1.2.0 72 | 162.247.155.21/~microtro/gate.php?hwid=EFC60AC8&os=Windows%207&file=0&cookie=0&pswd=0&credit=0&autofill=0&wallets=0&telegram=0&version=v1.2.0 73 | 162.247.155.21/~microtro/gate.php?hwid=F6A1FDA1&os=Windows%207&file=0&cookie=0&pswd=0&credit=0&autofill=0&wallets=0&telegram=0&version=v1.1.3 74 | 162.247.155.21/~microtro/gate.php?hwid=a3eebfd9-28cb-4cee-b2ac-1c284d06458c&os=Windows%20XP&file=0&cookie=0&pswd=0&credit=0&autofill=0&wallets=0&telegram=0&version=v1.2.1 75 | abs-ltd.top/st//gate.php?hwid=5FB56D34&os=Windows%207&file=1&cookie=0&pswd=0&credit=0&autofill=0&wallets=0&telegram=0&version=v1.1.3 76 | abs-ltd.top/st//gate.php?hwid=7703820B&os=Windows%20XP&file=1&cookie=0&pswd=0&credit=0&autofill=0&wallets=0&telegram=0&version=v1.1.3 77 | abs-ltd.top/st//gate.php?hwid=9348F18A&os=Windows%20XP&file=1&cookie=0&pswd=0&credit=0&autofill=0&wallets=0&telegram=0&version=v1.1.3 78 | abs-ltd.top/st//gate.php?hwid=A017BDEF&os=Windows%20XP&file=1&cookie=0&pswd=0&credit=0&autofill=0&wallets=0&telegram=0&version=v1.2.0 79 | abs-ltd.top/st//gate.php?hwid=ADA6B7E7&os=Windows%207&file=1&cookie=0&pswd=0&credit=0&autofill=0&wallets=0&telegram=0&version=v1.2.0 80 | abs-ltd.top/st//gate.php?hwid=F056A2AD&os=Windows%207&file=1&cookie=0&pswd=0&credit=0&autofill=0&wallets=0&telegram=0&version=v1.1.3 81 | adblock.npromo.world/gate.php?hwid=10F67185&os=Windows%207&file=0&cookie=0&pswd=0&credit=0&autofill=0&wallets=0&telegram=0&version=v1.1.3 82 | adblock.npromo.world/gate.php?hwid=49B222E4&os=Windows%207&file=1&cookie=0&pswd=0&credit=0&autofill=0&wallets=0&telegram=0&version=v1.2.0 83 | adblock.npromo.world/gate.php?hwid=7C178CED&os=Windows%20XP&file=1&cookie=0&pswd=0&credit=0&autofill=0&wallets=0&telegram=0&version=v1.2.0 84 | 
cyberkon.zzz.com.ua/gate.php?hwid=A9CB74BE&os=Windows%207&file=0&cookie=0&pswd=0&credit=0&autofill=0&wallets=0&telegram=0&version=v1.1.3 85 | ereweakness.ru/gate.php?hwid=99B2EECD&os=Windows%207&file=1&cookie=0&pswd=0&credit=0&autofill=0&wallets=0&telegram=0&version=v1.2.1 86 | ghost2018.ru/gate.php?hwid=4E6E11FD&os=Windows%207&file=0&cookie=0&pswd=0&credit=0&autofill=0&wallets=0&telegram=0&version=v1.1.2 87 | grant1.ian.fvds.ru/gate.php?hwid=AD4466C6&os=Windows%207&file=0&cookie=0&pswd=0&credit=0&autofill=0&wallets=0&telegram=0&version=v1.1.3 88 | kiaracript.mcdir.ru/gate.php?hwid=4DF950BC&os=Windows%20XP&file=1&cookie=0&pswd=0&telegram=0&version=v1.0.6 89 | kiaracript.mcdir.ru/gate.php?hwid=5C52349E&os=Windows%207&file=1&cookie=0&pswd=0&telegram=0&version=v1.0.6 90 | kiaracript.mcdir.ru/gate.php?hwid=65198E62&os=Windows%207&file=1&cookie=0&pswd=0&telegram=0&version=v1.0.7 91 | kiaracript.mcdir.ru/gate.php?hwid=DC7E176A&os=Windows%20XP&file=1&cookie=0&pswd=0&telegram=0&version=v1.0.7 92 | oufa.pro/gate.php?hwid=5D903388&os=Windows%207&file=1&cookie=0&pswd=0&credit=0&autofill=0&wallets=0&telegram=0&version=v1.1.3 93 | -------------------------------------------------------------------------------- /FakeUpdates/fakeupdates.pcre: -------------------------------------------------------------------------------- 1 | ############################### 2 | # FakeUpdates PCRE Collection # 3 | # @noottrak # 4 | ############################## 5 | # 01 s_code.js?cid=221&v=8fdbe4223f0230a93678 6 | ########## 7 | # 01 8 | ^(http(s)?:\/\/)?([^\x2F]+\/)+s_code\.js\?cid=[0-9]{3}&v=[a-z0-9]{20}(\/)?$ karttoon 04JUN2018 - FakeUpdates Redirect [ s_code.js?cid=221&v=8fdbe4223f0230a93678 ] 9 | -------------------------------------------------------------------------------- /FakeUpdates/fakeupdates.urls: -------------------------------------------------------------------------------- 1 | track.positiverefreshment.org/s_code.js?cid=221&v=8fdbe4223f0230a93678 2 | 
track.positiverefreshment.org/s_code.js?cid=225&v=0bbea7365fbb07c7acb3 3 | track.amishbrand.com/s_code.js?cid=205&v=c40bfeff70a8e1abc00f 4 | track.amishbrand.com/s_code.js?cid=228&v=e8bfa92965d1d880bac2 5 | track.amishbrand.com/s_code.js?cid=234&v=59f4ba6c3cd7f37abedc 6 | track.amishbrand.com/s_code.js?cid=237&v=7e3403034b8bf0ac23c6 7 | connect.clevelandskin.com/s_code.js?cid=208&v=e1acdea1ea51b0035267 8 | track.positiverefreshment.org/s_code.js?cid=220&v=24eca7c911f5e102e2ba 9 | track.amishbrand.com/s_code.js?cid=226&v=4d25aa10a99a45509fa2 10 | track.amishbrand.com/s_code.js?cid=232&v=47acc84c33bf85c5496d 11 | track.positiverefreshment.org/s_code.js?cid=223&v=7124cc38a60ff6cb920d 12 | track.positiverefreshment.org/s_code.js?cid=211&v=7c6b1d9ec5023db2b7d9 13 | track.positiverefreshment.org/s_code.js?cid=227&v=a414ad4ad38395fc3c3b 14 | -------------------------------------------------------------------------------- /FormBook/formbook.pcre: -------------------------------------------------------------------------------- 1 | ############################### 2 | # FormBook PCRE Collection # 3 | # @noottrak # 4 | ############################### 5 | # 01 /b8eu/?_0DDk=GpK+4/Cvf5+28q0vfJauwpvuxbNz+CVTJN6sdbZ9OGl+VfrOYoKsAb8RZBlXroKGyT0hFc5nrEMBVCx9lN2W&JN6=ZHm4qrqP1TiXn4_p 6 | ########## 7 | # 01 - the hyphen inside the long-value character classes is escaped on purpose: an unescaped "+-=" is a range that also admits , . : ; < 8 | ^(http(s)?:\/\/)?(?:[^\x2F]+\/)[a-z0-9]{4}\/\?(([a-zA-Z0-9]{2,8}|(_|-)[a-zA-Z0-9]{1,4}(_[a-zA-Z0-9]{1,2})?)=[a-zA-Z0-9-_]{4,16}&[a-zA-Z0-9]{2,8}=[a-zA-Z0-9\/+\-=_]{68,84}|([a-zA-Z0-9]{2,8}|(_|-)[a-zA-Z0-9]{1,4}(_[a-zA-Z0-9]{1,2})?)=[a-zA-Z0-9\/+\-=_]{68,84}&([a-zA-Z0-9]{2,8}|(_|-)[a-zA-Z0-9]{1,4}(_[a-zA-Z0-9]{1,2})?)=[a-zA-Z0-9-_]{4,16}) karttoon 25FEB2022 - FormBook C2 [ /b8eu/?_0DDk=GpK+4/Cvf5+28q0vfJauwpvuxbNz+CVTJN6sdbZ9OGl+VfrOYoKsAb8RZBlXroKGyT0hFc5nrEMBVCx9lN2W&JN6=ZHm4qrqP1TiXn4_p ] 9 | -------------------------------------------------------------------------------- /FormBook/formbook.urls: -------------------------------------------------------------------------------- 1 
| http://www.soulshine.today/b8eu/?_0DDk=1CXHuOBeTIHl4sxDPsTrdm09A65Hb39oSTNZMzSQiTMy/Yl0OYrjthDxcd2N6f8Ba5+EqNXRV3lObTTmPtJz&JN6=ZHm4qrqP1TiXn4_p 2 | http://www.mexicanaenergy.com/b8eu/?_0DDk=GpK+4/Cvf5+28q0vfJauwpvuxbNz+CVTJN6sdbZ9OGl+VfrOYoKsAb8RZBlXroKGyT0hFc5nrEMBVCx9lN2W&JN6=ZHm4qrqP1TiXn4_p 3 | http://www.ynov-lille.com/b8eu/?_0DDk=XxPlemiZvmauXISyVtcUNhiGmku1VeENa+ENEORY1H+zvEoUA4+FutbgEdxe/QCw0tm/Nagq68UJDG6wQC88&JN6=ZHm4qrqP1TiXn4_p 4 | http://www.karaokepkllkb.xyz/b8eu/?_0DDk=CmhT7yAhT3isA5zUDQ2ROe+99PoXv32oDiuY8GbbQyeQiTQtdXjveplwSdpRfhO5FJidnseOtHyaFpbvZywA&JN6=ZHm4qrqP1TiXn4_p 5 | http://www.cgloansllc.com/b8eu/?_0DDk=hnhv6rLHFdKjFJZwSGnxGCWyKbQMei/uGLugqZVHkBOpUplX5iC/MSvk5/n9vM4G+VC/Kt7f439Ykv60DaJA&JN6=ZHm4qrqP1TiXn4_p 6 | http://www.notch.host/b8eu/?_0DDk=9D8V8vT4Vwol5jPxPwpH81MmS/nksHTFXNxHtGE5AKd+N/mK+Q64DIHFW2auPYCyUP2xbU6LXfmhG2RoGaJI&vz=cJBl2PpHBhu 7 | http://www.citycourtlafayetteclass.com/b8eu/?_0DDk=PHlprL29/IFbPxbyXvvq0XKGb/8bV5R88Yc2OajJgSxf/EJ9oi9m7VtiPkgmSdTBvezilCWCfz7v7eZd97H4&vz=cJBl2PpHBhu 8 | http://www.healthyeatingbooknow.com/b8eu/?_0DDk=FmKXpqIVSaH2sCEE3y/KyiqZrhRyt3mW865ei4IlKEMqi6jSeKlfTbwPH7EhD7J63NDkxal8/5pZoiMiCkX2&vz=cJBl2PpHBhu 9 | http://www.jktechsupport.com/b8eu/?_0DDk=uAmorC/4pT9l2vcgM3UxfRuRBDwaK9VHs1CxUTqrgTY4CJDJNto5KjSJbGeLnkDfRX6ZlvEVmnXgct+EQQgR&vz=cJBl2PpHBhu 10 | http://www.femmequidanseaveclalune.com/b8eu/?_0DDk=uLxJp6ciQj0LtObX/w9SpCSZHGb66gigtFDu+a0g3YzxTe25OGcisyZesuich4k1rKLJjoRglVA1+sDFTMc4&vz=cJBl2PpHBhu 11 | http://www.katiesmobilestyling.com/b8eu/?_0DDk=TXt+gG+ExweKa1g8vQKUldjFhljeeh2TQ0DcxHFbkTipaYU0EjcqNCgIOMltGxH5Gz/77kv1kPOyfpnOHxUI&vz=cJBl2PpHBhu 12 | http://www.nfqch.com/b8eu/?_0DDk=DxeqIW9+DfrBsfPG6oMyMvSakdmMDWdzE1MvSJdlGK56XCp33yXiij4khFqqtT5Yp2UwN9pXtqKKbErMPDZR&vz=cJBl2PpHBhu 13 | http://www.tarotgatahechizos.com/b8eu/?_0DDk=3l4s05N4qMrxDjza27XwPKkuKsGXpVvX8Uo3J9iaS8oQ3JfrtrRwkdW7TDxg2rbp4LHw750nouftnXK9VL5I&vz=cJBl2PpHBhu 14 | 
http://www.customapronsnow.com/k3cu/?mfXP=xpHk8105u45joiXd2ao5JNlrXCNJcV0Qi9NILRaW0VylACTj17p5/MJNBCaJG0btbEVJQUkxhop01wg=&4hN=kjsDAh7X-d6TaX 15 | http://www.acceptglobal.ltd/k3cu/?8pDT=r8iXyTnS26xyR02GUas9KKbKB7waLmahoVbKK1c+lbR0s62n4fuiAu1fH7GzEtZOCswN+sDCoxvo+T0=&CH=dB_lTzjh1zzlB 16 | http://www.speziell.website/fi46/?ITu=lJBd&aZIH9HZ=F7TLnNHq61ozviDJig0eS+hpjdJCRHOcbNWIrb2Ahu1r9aN/T+6GT1tq5+dZTmgoepvfyfXb8HOmeZI= 17 | http://www.newstoda.com/fi46/?aZIH9HZ=77mxinRtH8Dg+2MDvwDL6bebMNgr8XV0nrII1uL7f9U/Fi3Oaw9U2o5Rg8uj4IoQbTrQA0ScdNsH8ho=&ITu=lJBd 18 | http://www.frontlinegalfriday.com/fi46/?ITu=lJBd&aZIH9HZ=9iH2YumvIacdQpQAq9eyPZBG8egJIz0U7DPKPk+w3iW2zR5UFdSB//ty7ltvFGxurkchnXHpiVxozNk= 19 | http://www.sxlbillingsettlement.com/fi46/?_T=7NgZy7PyVcxmmPEmmD16ss+wiWt96q8Vt0YHMo+F5wRHOuI+t4NOoz9pAnqpP/kUx+Va&vThx=uldDPF 20 | http://www.fussballhelden.info/icun/?-Z_ld=Q94myJEjRkQWba2iv5ZxoU6hBwlPBkiV7ljOGySwE8BN2L0Eg6zbnuzFAkIsX13ffEmG&BxltG=azrpCL_pcXEH8r7 21 | http://www.senditmarketing.com/icun/?nB=x6EGzmNBGbvs8pppJD0MtpLe7Iyc0ropNKeR5OxtI7w2eWp7HisJTRJoIO5wicuN8DbzpCqh4RTY9vIH8jOL&BFNt=C8Txi4FPGhMt 22 | http://www.xd16881.com/icun/?nB=6orDS8N1dT01PJRRHk2P4lsyAF7un9/SkNDWPxQ+oeRvi97O0U7wW9EFgRB7W8+sHJLWC8r3DSwLhNLGjE9f&BFNt=C8Txi4FPGhMt 23 | http://www.bdetee.com/icun/?P8Lxj8EH=jw5P9hzViAOS3pfEyY6D++aLbIuC7hbiqv19bmYS+xrwW6iPKfn3zPrv+1sVLKXOYoBb&9ryHAT=QDHT 24 | http://www.officiumapplication.xyz/icun/?P8Lxj8EH=+DcAX+VVrXVRjLkjQ5KS3jxGR7cYVhKJBYoVbz2UpbDzJWidCOV3Te9GpZcAGmPfuObt&9ryHAT=QDHT 25 | http://www.stdeventos.com/icun/?P8Lxj8EH=Ku4KuU9idjdHlBAyN6d7QaBfi91IRStpvITRAr40cKy2BotML7xqPJ5eJLrOQwzIkJz3&4hGl=HvwPXpAxaZ 26 | http://www.jedidpress.com/icun/?P8Lxj8EH=deMHZ0T2GO4a2uPVc/ljCQnN+w/He2UBnXL6gdE6/v7rbo9tgNPYnmFyjfAgNNAMEfFw&4hGl=HvwPXpAxaZ 27 | http://www.fengxueshe.xyz/icun/?P8Lxj8EH=gu5lhedrJA+qLR/kxnH+MpV64xE7uZeqJJpBUpCceIS4y6+f2WR4Olb7dUtX9Y12GNpq&4hGl=HvwPXpAxaZ 28 | 
http://www.lifechangeideas.com/icun/?P8Lxj8EH=mmKc+C2NPk4mMCgNcQAYGmW9Dx3mfWRkwzDsAOQUBnpXsWLXXkXLMMQAcAjB1t6+sl21&4hGl=HvwPXpAxaZ 29 | http://www.belloclowndes.com/icun/?P8Lxj8EH=dp4Ob+wdf+aL+Yiy5xMQXie+sEHsXcQ7eNLvj8BCZqw/ensmoEBsFEwMY9vksQ2C7IcR&4hGl=HvwPXpAxaZ 30 | http://www.fussballhelden.info/icun/?P8Lxj8EH=Q94myJEjRkQWba2iv5ZxoU6hBwlPBkiV7ljOGySwE8BN2L0Eg6zbnuzFAnE8T3noHiWG&4hGl=HvwPXpAxaZ 31 | http://www.cushionfuid.com/icun/?P8Lxj8EH=z6jnq/wtH5Taoxe6eKSySadwzEicYSZgMQfJu71KeHLWJirukQW7YQwmB319lYFib2Tu&4hGl=HvwPXpAxaZ 32 | http://www.51qmxt.com/icun/?P8Lxj8EH=9DfH8jOcCG0+zuoCkE8wbeHUSkgK6a2Y577JZiX2+KgMjwQglIUg1MGGmylrYelSs3bZ&4hGl=HvwPXpAxaZ 33 | http://www.invoicefunder.com/icun/?P8Lxj8EH=SYszXYb+XM8bczO7ZCL5TPwgqqowGVDNnDkrI4+HMlcz4+Yw4GWoGmWMHsGT722p3Gtk&4hGl=HvwPXpAxaZ 34 | http://www.nault.biz/icun/?Vt=3uwmRCAnK/z+BOX+IMcfzq5K8Ec0v1F9P2iriuDfCs6VJV3Q0AfcAqpkPO9Jw3ZWoHYzSdqQbg==&9rK48=RTKLi4QHj2OX72- 35 | http://www.aboutrealestatenewyork.com/icun/?C6Y=9wNy6tgJ4qq/XeA//hq3BDvf5ft9qWaZGHyq4z6eQAPgw1/Dqc1rnRzC2YSK+MWIdzJF&_v=mpKh2n_0 36 | http://www.lifechangeideas.com/icun/?_v=mpKh2n_0&C6Y=mmKc+C2NPk4mMCgNcQAYGmW9Dx3mfWRkwzDsAOQUBnpXsWLXXkXLMMQAcD/q4N26iBjP 37 | http://www.revolvinglines.com/icun/?C6Y=HQ+GnBxM/y3rTQ6aHvYVphLWjydRbQ3hg2mAp4PM//O3TiAnegAefmCGszCcAwvnUhXC&_v=mpKh2n_0 38 | http://www.ammastone.com/icun/?_v=mpKh2n_0&C6Y=5u8qYccSLLDIjDxFEhn+QPJNfZQGhgRwWYlhM0mnbjpjRer620AWtPJ7ZJwxB/Yiy+iB 39 | http://www.senditmarketing.com/icun/?-Z_ld=x6EGzmNBGbvs8pppJD0MtpLe7Iyc0ropNKeR5OxtI7w2eWp7HisJTRJoIO9jo/+88S2g&BxltG=azrpCL_pcXEH8r7 40 | http://www.windrowpklnmf.xyz/icun/?-Z_ld=BLeIzlT/Fw59f9IhbC3G6Ngj+eE1goWN+v5TkAmTkjpJBrNGeOH1FvSJC+MPn4ik1GRx&BxltG=azrpCL_pcXEH8r7 41 | http://www.vaellazrela.quest/icun/?JrR0RN=DPuD_Pg81rN&nB=x974J/SWqb9qJASKH7F72BOms+fZ6TNFIUFvpWUAxF7c/xN9foDeyQ5OngO/d9v6JExQfIqDIGonln+71QiC 42 | 
http://www.fengxueshe.xyz/icun/?nB=gu5lhedrJA+qLR/kxnH+MpV64xE7uZeqJJpBUpCceIS4y6+f2WR4Olb7dXlUz51we605tNdI4aiBhyTlmqaC&BFNt=C8Txi4FPGhMt 43 | http://www.windrowpklnmf.xyz/icun/?nB=BLeIzlT/Fw59f9IhbC3G6Ngj+eE1goWN+v5TkAmTkjpJBrNGeOH1FvSJC+IctbyV1X8iilDp//4ulPPS3vP9&BFNt=C8Txi4FPGhMt 44 | http://www.bdetee.com/icun/?nB=jw5P9hzViAOS3pfEyY6D++aLbIuC7hbiqv19bmYS+xrwW6iPKfn3zPrv+2kWFrXIAfcIZhPE7q8DC0HAVIpB&BFNt=C8Txi4FPGhMt 45 | http://www.warkulat.net/rmpc/?y6dL=VxlpdRxp9Bvd-Rc&UxlD=SbeChROd1vv5liSXKEjQ+eyV+nIaAE3WrEJgJFqwNMiU2s0rxK5MpCtOkt6XZ4bjaNdj 46 | http://www.yjaxx.com/rmpc/?y6dL=VxlpdRxp9Bvd-Rc&UxlD=RCWUIQnjWOTy7a1ctFukFLiEyg6+U7JZL0IjY0hw6XlE8SifVgHsiSnECtj4aRKSdLsI 47 | http://www.daadoosh.com/rmpc/?i0DtKJAh=IE7R5eOK5U+/4CKhx9QJLxKbBGJeq2t1jof6viPpHEJgPZFEs8gTGM6PmXRWBxbtodne&qF=A6AlRn 48 | http://www.fsyetuo.com/rmpc/?qF=A6AlRn&i0DtKJAh=y2mp94fehYNt+Ubu383/zhgmkXcV3QwjeScSQWw8bylnYsWYZbb9fcO1fbuEdZKjxAYx 49 | http://www.virboss.online/rmpc/?i0DtKJAh=Hr7PwDAKzW/H9E0ItYSsqKy1JKYCA1qeFajHvdYG946rdfTAA/5sl7iXt9Z5tPjELAOH&qF=A6AlRn 50 | http://www.chathamwaste.com/rmpc/?DT0Lu=Rzu0-8g0iT_dGDV0&aBJ=iDXx7KCHZxsfafav1KWtyhQ08iNLW5twODr5TldxhNe9vd6oezZIS9yOkYvuGLbZbmwhAJ50lA== 51 | http://www.hireprowriter.com/rmpc/?i0DtKJAh=MFC6dP1NBLTeszK4S0cc7e52By+Kfa0yUVBs7O9HnZu2oLXBsIsX/ew2RqDVBUNMllDO&qF=A6AlRn 52 | http://www.genussqmzg.online/rmpc/?DT0Lu=Rzu0-8g0iT_dGDV0&aBJ=qp4JugCZqX5zwNJrlgvQZVtDu0wPpcRfl9uGHg+LAcyr9kr67CEtGiZWrJ5aQ4Bq6rDmbN6fMA== 53 | http://www.warkulat.net/rmpc/?aBJ=SbeChROd1vv5liSXKEjQ+eyV+nIaAE3WrEJgJFqwNMiU2s0rxK5MpCtOkunuc7vfU8wQbwVb0w==&DT0Lu=Rzu0-8g0iT_dGDV0 54 | http://www.alternativedata.company/rmpc/?y6dL=VxlpdRxp9Bvd-Rc&UxlD=7zgZEmkRz1Efs/HuoFh+lYFKgRi0O6yOyU+9aXnOqU3rm/tIOrL4umO/zr1cN96mKzFJ 55 | http://www.silhouette-consult.com/rmpc/?y6dL=VxlpdRxp9Bvd-Rc&UxlD=FfZoUVy9gOB9pPlm0e5772vcKt2QqYFRpk8A+2+kDzncHUea2o5UuTki3gNtLySqJRep 56 | 
http://www.sugarcurd.com/rmpc/?UxlD=P/cu/mAbf4d5Gi99H6tXgYjZtnEv3aaCyvYpJg6xH4m7SjcRhB26y9pVaGqd6o1tzPPI&y6dL=VxlpdRxp9Bvd-Rc 57 | http://www.escuelaacupunturaimai.com/rmpc/?y6dL=VxlpdRxp9Bvd-Rc&UxlD=5O1aYE9kdrHicxeDpidWko7ALpcEcoOyGTbXy/PIlEStbeKSOwzRi24kdShye+/WEvBG 58 | http://www.genussqmzg.online/rmpc/?BbfPS=UZ6dovPHBBcP&4hiLG=qp4JugCZqX5zwNJrlgvQZVtDu0wPpcRfl9uGHg+LAcyr9kr67CEtGiZWrJIjdaxn+ornaf6bQQ== 59 | http://www.escuelaacupunturaimai.com/rmpc/?BbfPS=UZ6dovPHBBcP&4hiLG=5O1aYE9kdrHicxeDpidWko7ALpcEcoOyGTbXy/PIlEStbeKSOwzRi24kdRNyWf7nOdE0dwQfRQ== 60 | http://www.drawerfuid.com/rmpc/?6lrp=WxlpdHLx4ZvPKd&UxlD=2pTDmqbb2kgzNkhNKAFt6itc9W4T6/x9eARL9QxsImdULGnI7rr21B87MDR6X3+fMb8f 61 | http://www.k9surg.com/rmpc/?y6dL=VxlpdRxp9Bvd-Rc&UxlD=oAXlo1oi3RAQG7+NKemo5CXqOmpEuTaAnu102ebKTB20lkFWlKzqjEisfCJh379Q0MA2 62 | http://www.buckitload.com/rmpc/?4hiLG=s1cN4vf44x+rFDwAa9MkQmmmOy14BejqlVmtnSeipa2meq0cur1aavB7cdqGyn8mhEVIpQkwNA==&qZWH=s8m0nfqxrHd 63 | http://www.sectorfarmaceutico.com/rmpc/?4hiLG=+6er7h2XjcvtxxW6FV2gbzY7+Z6KPdRebx+diFW1xQEp/9esw0KrB6iQ5sH14/YF8agAo59rvQ==&qZWH=s8m0nfqxrHd 64 | http://www.alternativedata.company/rmpc/?4hiLG=7zgZEmkRz1Efs/HuoFh+lYFKgRi0O6yOyU+9aXnOqU3rm/tIOrL4umO/zoZcFc+XABA7TM0HpQ==&qZWH=s8m0nfqxrHd 65 | http://www.nashvilleholdings.com/rmpc/?6lH=wRkHU2ChKDo&k8Ll78=afxHBdAB/p/RbPl6rTWGokUdFLOpRiwJkK5MZSkPKDhYu4pk7qqGhfC33Sqm1koOJgt8 66 | http://www.kutydogy.com/wcur/?odPpWF=aZG4akyn6yeeAIiUuttc8gYlf+KLrfG94rKmu+n3XN+V4U2DJqSsvrU6ZRvPEaTGTEuxPzc1xuDPARg=&djwlH2=QpplQXw8SrtpcTqp 67 | http://www.complime.com/wcur/?odPpWF=PToroyaHSdmQgashjFheMEqXL1BBGynpa+aJJ84p04Ou+hAOuIMMFP01fRx4UYcbWJauos3vWIwVJ2w=&djwlH2=QpplQXw8SrtpcTqp 68 | http://www.treehousevacationrentals.com/wcur/?odPpWF=w27VGkgPypp70WXnNHpjdsqhWeEvUZ4LPNyZ3oKtKeRxIffXhgg1Bem8tOU5+5plzHWe+E+czzK8Vck=&djwlH2=QpplQXw8SrtpcTqp 69 | http://www.shadwedding.com/wcur/?odPpWF=g9KJyfMUSnGoPq5a9ZKBpr4tv5TJkLFoZpI/YezwHZU+Cs3RsF+VG6N3TW7ABC3KPYlcwHNbOoVS9VU=&djwlH2=QpplQXw8SrtpcTqp 70 | 
http://www.xn--cndsporokullar-jgc.com/wcur/?odPpWF=DMyCgJHqw6XyOVDxeoV6AuUl+iqe5ZNfc4ncE6Op0MME4bXMFcOe/pFCSCHX/fVA9aBezxDf3XUqm0g=&djwlH2=QpplQXw8SrtpcTqp 71 | http://www.aaraeg.net/wcur/?8p30LBEp=V0jZY6Xl9bQWKzWsegDaqkLycbBXFfC4UHo9X8kf6lXvKRjXGo3ApVmjoeaJZwUFLm800hM5QvUiZaQ=&MpE0OP=TZttMD8 72 | http://www.ear-directory.xyz/wcur/?cXH=48b1opTyIGWI01AHAFxYC29SaQyCI/9RKZV2Uyywy/RHQCfK2vLcXdZ86dfkxnZ143op&L484s=2dyxh8YX3ZXDgBp 73 | http://www.facescreener.com/wcur/?L484s=2dyxh8YX3ZXDgBp&cXH=0/FNHTytx1B7EQH/10c33AFeFdwn+uAUCz8bmaNwibzInkN4GtLvDf8Qk9f5mc70f+U4 74 | http://www.3widah.net/wcur/?cXH=nOdrjH4jBILZbMpn3fjSrePJ1va/Sdcz/rZBMw0ef3Dn/grf5ZEv1wqL8klnny9vVFv6&L484s=2dyxh8YX3ZXDgBp 75 | http://www.0ztv.net/wcur/?xhhDFJ=/1QdbBNnJAFGlpYeAPIdVY76ccH95rhvvoc+TpeAQH/Kf4L3hC/ZbuXZdoWYxRus3Ahd6i0TRw==&ML0=SDHDVXZ0GzptQl 76 | http://www.bethpaqefcu.com/nd04/?4hoD=RjWX0P&vT=DtaxG2NpD3HFlO0iXiQjwiUOqP5KnwpWXkMNhTZrInFvDZ+24VZDK8LY4JVJfR/5xdPxKsHnN5Xw3bc= 77 | http://www.picsedits.com/nd04/?4hoD=RjWX0P&vT=zor7n/o+7J9/i+/CyXjtxzlKoOT79CjmrKpzC/vWZyS4wKlAE0WXR9ucMzbRsXnhX07SS37SuO1WWFo= 78 | http://www.buggy4t.com/nd04/?4hoD=RjWX0P&vT=8o41eh1Gh6N61aO40pU6IhlOGSkxQC8hk8UOEgxAYfAWreJRXzTGjJBgiaMgEZ2mXOeeTMnLozEa4A4= 79 | http://www.streamline-automotive.com/nd04/?AJ=q6Al&vT=7FtsbsVNLyY4at3BhzbgrLDtLh6ndrB65cpB5Sv1mql+QaeTbYxyk7LFujeEIk6JOAwzxKOsOw86gHc= 80 | http://www.quanqiu00000.com/nd04/?AJ=q6Al&vT=PqhTqKT08rbQLaJHWkBiP3oSMJEJPTP7MDBMTy2gbpeFdexKq3OMD19K04fdK9alWeQz+Ap+rdszGEI= 81 | http://www.motiondesign.ltd/nd04/?AJ=q6Al&vT=swZBELQLCobJk5Z0eS5xH1VWreAUFkcmobo7aRAz/Ao94zCj0RXmqYGCYIyk8xkaH0jp92v2SvXS22E= 82 | http://www.nfaabv.website/nd04/?AJ=q6Al&vT=GOmC1cX102riG5SlWUE/I88erzt+gdQOJf5OyVyY8emWOHSy1Rt0qRS/jhFBvg6i+3UPl9hXp4anPH4= 83 | http://www.thanosstudio.com/nd04/?vJ=nkfWeZ0DwvABaAk8cshOpqvV4hZvIHVB8MGGEFO2x9Z5cBS1KHwz028IcnFjeKW47ymz96jp5g==&xD=Ejvd4h5xh6sht8 84 | 
http://www.exeterloftrefurbishments.com/nd04/?vJ=clR1l+3CgCg8kmFrnutpRzonZdq7mtS5He36hY9KUm/yhDsC6VLfm6wvCS7droU1qjUBxlQ2OA==&xD=Ejvd4h5xh6sht8 85 | http://www.xgdfjm.com/nd04/?vJ=ZZs9J+81MYTw8sJLLdRABO13g1V6HpR5KSvJ/g8KlZTxmYp4x26WCA07GFaWdkjBEw5hElGP6w==&xD=Ejvd4h5xh6sht8 86 | http://www.gjjcjs.com/nd04/?vJ=dRSAnyMolfzLbtsb0tn3DBxhETFs16olwlp/UkaK019e3HDlnss+/Urcii3HoZ8jNBnp03dHrg==&xD=Ejvd4h5xh6sht8 87 | http://www.forgood.group/nd04/?vJ=4asABkoIds8kToQEW8ezKLqOusBdZNbEaxEaXy0Iv+7zZY81S7vd5x0/NvRUA78aLQnfWOyaHA==&xD=Ejvd4h5xh6sht8 88 | http://www.shermancountryfest.com/nd04/?vJ=KmG1W/hbH/z+PlnCiO+e9PlXh/oE6zzSYUVJCcoLEVmtBClo5tnTD8W/qNm6v0ANVn6H2Mtr1A==&xD=Ejvd4h5xh6sht8 89 | http://www.sorialab10.online/nd04/?vJ=rrYFs/benuunsg1Fm2+iy+e+XQb+a8OY5+7ij+AJHh+WphLRyzERdZ9LEeMAmhcaieEwCBGBLQ==&xD=Ejvd4h5xh6sht8 90 | http://www.nft4e4654.com/nd04/?Cv2L=iVcL4XOXChyp-vP&vJ=E4f0425hkbL6DBCrRyoo9fdFI7uGDUX6UYm7YBbwjSrwez/jv/fs8pOCLo8/ymPgEuowmiZZGg== 91 | http://www.thesortinghouse3j.com/nd04/?Cv2L=iVcL4XOXChyp-vP&vJ=3b+7gxT0aNu4s4JNUBTIN2w5l+G+9l0REwjLmckizXGRgAElFt1+gWj2LdEvcTRBXsKntfUyOg== 92 | http://www.huibao5.com/nd04/?Cv2L=iVcL4XOXChyp-vP&vJ=ezcS0W0SfUpCCoDMLyMaDZ8PUHQcK7vyHBgAPpxgEt8ovqtxVtp7Yh9QEJdaQhX/xG32PfhtAw== 93 | http://www.hhkjy.com/nd04/?Cv2L=iVcL4XOXChyp-vP&vJ=eVdeh28ifWilLVX8uEz/qY7cBk0bTWZeV2gcu6yaHEeFWEQLHp89lc2A9k2B8V1E4bG7b1hWOw== 94 | http://www.huibao5.com/nd04/?4hoD=RjWX0P&vT=ezcS0W0SfUpCCoDMLyMaDZ8PUHQcK7vyHBgAPpxgEt8ovqtxVtp7Yh9QEJx5fHvKsHnYDeoSI1K1Cc8= 95 | http://www.piboise.com/nd04/?4hoD=RjWX0P&vT=f5zSgQ5ITsDMyLwsk8gvVm9wTOeI3CvQtdd4UuRk4m40QxA33oMt4ymbKJolfklZQoPQa2tzw1P+PR0= 96 | http://www.thanosstudio.com/nd04/?4hoD=RjWX0P&vT=nkfWeZ0DwvABaAk8cshOpqvV4hZvIHVB8MGGEFO2x9Z5cBS1KHwz028IcnpARsuNmz2dx7qWxpUrp/o= 97 | http://www.ceinpsico.com/nd04/?4hoD=RjWX0P&vT=hzGQ05COTNI3vVGpbTtmDTGCR1OK6i2BhDLkKXwclt3c+ZtOI4CUIqoF4Wm495MiElS9d/0Y6K8YoIY= 98 | 
http://www.forgood.group/nd04/?4hoD=RjWX0P&vT=4asABkoIds8kToQEW8ezKLqOusBdZNbEaxEaXy0Iv+7zZY81S7vd5x0/Nv93PdEvWR3xaP7lPClc3N8= 99 | http://www.wearenow.store/nd04/?4hoD=RjWX0P&vT=NU8juzj4HXsCg4DFOs+zm3MG1anaYKV8gMbMYNiKW9kCHdAxjspIBU0ozL7e19DEB+Qvrw2PYh+sHbg= 100 | http://www.aftermarketbiz.com/nd04/?4hoD=RjWX0P&vT=015+KiIk5gPcrmJulCayejuKENS3/yXHrsphB1kL7ZUPfq4dXUphm5PMxFbQGfkDIAfAzhPcT2UTqDo= 101 | http://www.hhkjy.com/nd04/?4hoD=RjWX0P&vT=eVdeh28ifWilLVX8uEz/qY7cBk0bTWZeV2gcu6yaHEeFWEQLHp89lc2A9kaizzNxlaWVX0opG9KLJOg= 102 | http://www.gibbsrecordingco.com/nd04/?4hoD=RjWX0P&vT=5triEbHxqxgycMbgkoepdXIkWlpMe7N+4yMKBjVdoR6gTx08EqbbUIn3dXIVvoIkWKZyTrOK925tu3E= 103 | http://www.detonsipro.xyz/nd04/?4hoD=RjWX0P&vT=fuQOaYkwNWnDBPsjyFJ1uTJ45gPzcB1alHMKsQlHuaU1swZhmRh4A+mDgVwDMD4j20BtOVaRJf/O1NU= 104 | -------------------------------------------------------------------------------- /GodzillaLoader/godzillaloader.pcre: -------------------------------------------------------------------------------- 1 | ###################################### 2 | # Godzilla Loader PCRE Collection # 3 | # @noottrak # 4 | ###################################### 5 | # 01 godzilla/gate.php?g=-776582895&k=5hq2jGgkh5vinrBdefA4JnmN1 6 | ########## 7 | # 01 8 | ^(http(s)?:\/\/)?([^\x2F]+\/)+gate\.php\?g=(-)?[0-9]{8,10}&k=[A-Za-z0-9]{25} karttoon 07SEP2018 - Godzilla Loader C2 [ godzilla/gate.php?g=-776582895&k=5hq2jGgkh5vinrBdefA4JnmN1 ] 9 | -------------------------------------------------------------------------------- /GodzillaLoader/godzillaloader.urls: -------------------------------------------------------------------------------- 1 | http://alpacopoke.org/god/gate.php?g=1010510921&k=OTUQT2TV8recbQCA4vEHxHmaW 2 | http://kilopetxd.biz/xedic/gate.php?g=1883109854&k=8hkfyUDILaIK4ZWlXBIQMCXLI 3 | http://alpacopoke.org/god/gate.php?g=1010510921&k=R2vba4rs4Pcv4xS1wSJc3x6c1 4 | http://alpacopoke.org/god/gate.php?g=1010510921&k=TZFVclIAWfO4exjeRwH1t1OeU 5 | 
http://alpacopoke.org/god/gate.php?g=1883109854&k=UFLRTRruSuy0Zmt5lKsKbo6Ay 6 | http://alpacopoke.org/god/gate.php?g=1883109854&k=JmijArm7ywwsZVWc5YwIteoxQ 7 | http://themagic.mooo.com/Godz/gate.php?g=-1575765415&k=x4KUzMcYv3pPALyDqUx9dmG0K 8 | http://themagic.mooo.com/Godz/gate.php?g=-1374033599&k=VNvxwHszelTtHwoFm4FY6PP4A 9 | http://odin88.to/123456/gate.php?g=1634472173&k=qgEZE0FsnUw4NmA41XDwEovl9 10 | http://odin88.to/123456/gate.php?g=-1242032950&k=6NOqENyG7cKIZNWwyfqVuNVfy 11 | http://odin88.to/123456/gate.php?g=1534659236&k=K1tTP0xHmfZOAWt43bQjPDyZu 12 | http://odin88.to/123456/gate.php?g=-1714654696&k=iSXDiqoYoa1IzcaXPL1tKcIKL 13 | http://smkmanager.top/tty/gl/gate.php?g=-252904886&k=oXNbwlsxfU8SkUZwHL4pxb7Fm 14 | http://smkmanager.top/tty/gl/gate.php?g=-1062342151&k=wJufrtRL4JBVrKtqvJvrI9Vkx 15 | http://alpacopoke.org/god/gate.php?g=1010510921&k=b6A5xy0kaRKzn1v7f8QLthYm7 16 | http://www.helixwindow.com/gd/prj/gate.php?g=1883109854&k=QwJ6cKH8IoHQywCT5rFiRrZwX 17 | http://www.vosixgotuipoka34dfec.net.com/OmKhZ/sfw1/wongi/gate.php?g=-252904886&k=Ytc98YZovEZsmhOqS5rN1kn6U 18 | http://www.vosixgotuipoka34dfec.net.com/PQkTZ/sfw1/wongi/gate.php?g=-252904886&k=Ytc98YZovEZsmhOqS5rN1kn6U 19 | http://www.vosixgotuipoka34dfec.net.com/sfw1/wongi/gate.php?g=-252904886&k=Ytc98YZovEZsmhOqS5rN1kn6U 20 | http://odin88.to/123456/gate.php?g=-974470434&k=LFEGnqjbu2TDGrvajZDy1fvgH 21 | http://odin88.to/123456/gate.php?g=1010565696&k=N7dp6nNY2CCDZnk9gaUhsMvYI 22 | http://odin88.to/123456/gate.php?g=1892540484&k=ITkQOpSd8GXfDpM1P0fKfKXTX 23 | http://odin88.to/123456/gate.php?g=1892540484&k=camEK5HXv59jdtTVbSwTolmil 24 | http://odin88.to/123456/gate.php?g=-554089558&k=AhoJ9odevuRYuzIGdUhoDYSAA 25 | http://entertoyblock.ru/god/gate.php?g=1010510921&k=NZhwOmHwlbAvPzgKl5An1RHoC 26 | http://alpacopoke.org/god/gate.php?g=1883109854&k=HQi1SWn6Jt89VQXLdFpiSJZsL 27 | http://alpacopoke.org/god/gate.php?g=1010510921&k=IzEQukd9SHOMsjFgm3mLsxHBO 28 | 
http://alpacopoke.org/god/gate.php?g=1010510921&k=70kV4VsQ0iAPMSQg0f9YDwqcR 29 | http://odin88.to/123456/gate.php?g=1493526394&k=A00UqGVJoMSXkJ2ciTSFJtQpk 30 | http://alpacopoke.org/god/gate.php?g=1010510921&k=zvYDlx4ODlpcviXa2gNrXQxKc 31 | http://odin88.to/123456/gate.php?g=-1924788283&k=pu4xEk6VhKc4OYHpm5baUxqZl 32 | http://odin88.to/123456/gate.php?g=309052521&k=qvfbrioXhIx37wUA6XJjKnubm 33 | http://slaykings.io/godzilla/gate.php?g=1888102011&k=SGwJ7Kn6tSci9xh06azA1TA8N 34 | http://slaykings.io/godzilla/gate.php?g=-776582895&k=5hq2jGgkh5vinrBdefA4JnmN1 35 | http://alpacopoke.org/god/gate.php?g=-1062342151&k=r7Mn5j8Vl4Yvz1YD3HHOPqqWh 36 | http://alpacopoke.org/god/gate.php?g=1010510921&k=WF9CRBy8xnhppb2qHIpv0O0hz 37 | http://avprotection.ru/lolz/gate.php?g=854643778&k=IulfjyXq7LLNhL58SDQr3TJdA 38 | http://avprotection.ru/lolz/gate.php?g=-1339751678&k=WPapM7FQt4w2HlA0OFwY5H2P4 39 | http://alpacopoke.org/god/gate.php?g=1010510921&k=L21HoL3kM6Ee8BYE8OPAu1xhP 40 | http://alpacopoke.org/god/gate.php?g=1010510921&k=zomhoq420Q13l2oT6UKGYI3K6 41 | http://alpacopoke.org/god/gate.php?g=1010510921&k=5WKbVoyYb8mBIaRckSZ1TG1Us 42 | http://odin88.to/123456/gate.php?g=526637714&k=jcSyjSQCVmjHqb3fhiQRBeojJ 43 | http://odin88.to/123456/gate.php?g=983005106&k=KMbiWPsA6nYKwF6YYyHKdZwWT 44 | http://alpacopoke.org/god/gate.php?g=1010510921&k=u2XNYsDkQyrXUpweTfGtrH6ws 45 | http://185.165.29.105/god/gate.php?g=1307745881&k=iMAMqMszJuGGmBUHdnyjrehU1 46 | http://hi1337.ir/god/gate.php?g=1307745881&k=jzYMmbkUqwVAywzirZsfIZ5Bz 47 | http://hi1337.ir/god/gate.php?g=-97306710&k=MSIb2RzC39gjSczJl6vhkJpOQ 48 | http://185.165.29.105/god/gate.php?g=-97306710&k=boNYLR5meKz0NuTkVZ42Yag4B 49 | http://185.165.29.105/god/gate.php?g=-97306710&k=gffmnJa89BOxgjsRpx9lGyoEJ 50 | http://185.165.29.105/god/gate.php?g=-97306710&k=IkRJOljBb2LrIj2QeMz60PZ2T 51 | http://www.vosixgotuipoka34dfec.net.com/sfw1/wongi/gate.php?g=-1494051633&k=5kRbkLcicORvbzkv3WeEOBcsS 52 | 
http://www.vosixgotuipoka34dfec.net.com/sfw1/wongi/gate.php?g=-1911872515&k=wfSmAFVUIZe50pou1bvEY7Rks 53 | http://kilopetxd.biz/xedic/gate.php?g=1883109854&k=VoNb73jDS9TfpRiILI2SHVyft 54 | http://alpacopoke.org/god/gate.php?g=1010510921&k=y6Ix59DYy5Nupe6RrTvz9J6T3 55 | http://odin88.to/123456/gate.php?g=-1950630723&k=plpzmgKZ6dFIQ8LZthdx0IIQQ 56 | http://odin88.to/123456/gate.php?g=391130030&k=6ArUoWDjkwYw6cE0XD4P1Fzrt 57 | http://odin88.to/123456/gate.php?g=-1964745118&k=uiZVHpf7zw5pvbOLssaegyXVx 58 | http://odin88.to/123456/gate.php?g=-1964745118&k=6mDBHqsNey0txWgF6psCzOKyN 59 | http://odin88.to/123456/gate.php?g=-19511703&k=FhrCsazbGJ7kd9Ggo78EUr8xD 60 | http://odin88.to/123456/gate.php?g=1104430780&k=WzCOWKDT9vPQ7PBnEEnjVhWHH 61 | http://odin88.to/123456/gate.php?g=1104430780&k=DvxtXwfVO5hJXnvHdlQbuDc1i 62 | http://odin88.to/123456/gate.php?g=1657825462&k=j0IvHbtxVxybF2liETgoG0OPw 63 | http://alpacopoke.org/god/gate.php?g=1010510921&k=QwrJzpEHQUm5YvvTJIc7aXCsc 64 | http://alpacopoke.org/god/gate.php?g=1010510921&k=jDYQ3gr8Lzdx3sU2y9dS9PUdA 65 | http://odin88.to/123456/gate.php?g=1866849194&k=fSTlfhgQdD5sz9I2fe4M5gbuc 66 | http://odin88.to/123456/gate.php?g=1866849194&k=6Nmhlq2NwwmHXgsjyLrOi1Kw6 67 | http://odin88.to/123456/gate.php?g=-906170253&k=ZSHtCf4MP94H5tm6Ho5TPZwT9 68 | http://odin88.to/123456/gate.php?g=-1114042055&k=uEYVdIXNNz9GuSf3Yi9EkZ0Ut 69 | http://odin88.to/123456/gate.php?g=-1584031250&k=NlZny2xqbjeHqXCNgoGo6Q5fG 70 | http://slaykings.io/godzilla/gate.php?g=-1974485506&k=Dzr0dRflEWF5qgIxDjtTDS1OV 71 | http://slaykings.io/godzilla/gate.php?g=-930076463&k=sXXkZU9XMgHrdthkduunxpUbK 72 | http://www.vosixgotuipoka34dfec.net.com/sfw1/wongi/gate.php?g=1010510921&k=u6ky4mT4AgZyVj5aZ6fsN8TXt 73 | http://www.helixwindow.com/gd/prj/gate.php?g=1883109854&k=hnl5I4LwB4cNkYfRCnXd820vQ 74 | http://www.vosixgotuipoka34dfec.net.com/sfw1/wongi/gate.php?g=409746722&k=HbHx6wIcBmEdglwQ5jrfpeapN 75 | 
http://www.vosixgotuipoka34dfec.net.com/sfw1/wongi/gate.php?g=-1832979476&k=SrpUolrDlx4o8eRm2B0rEf4Tt 76 | http://odin88.to/123456/gate.php?g=1615566039&k=fuZVspQGa8bEqjMYo05XgN7qp 77 | http://odin88.to/123456/gate.php?g=2098137888&k=JAInAhNArncr0x4xqC4QITjcy 78 | http://alpacopoke.org/god/gate.php?g=1883109854&k=mNSxuLv2QkclmRqaR1rWG4tnf 79 | -------------------------------------------------------------------------------- /GodzillaShell/webshell_godzilla.yar: -------------------------------------------------------------------------------- 1 | rule Godzilla_Webshells_303 2 | { 3 | 4 | meta: 5 | author = "Jeff White (karttoon@gmail.com) @noottrak" 6 | date = "30NOV2021" 7 | hash1 = "758097319d61e2744fb6b297f0bff957c6aab299278c1f56a90fba197795a0fa" //x86 8 | hash2 = "83e714e72d9f3c500cad610c4772eae6152a232965191f0125c1c6f97004b7b5" //x64 9 | description = "Detects various builds of Godzilla Webshell." 10 | reference = "https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/" 11 | 12 | strings: 13 | // One string set per shell template, named language_encoding_extension (the 303 prefix presumably tracks the Godzilla 3.03 builder - verify). Every marker of a set must be present for that branch of the condition to fire; "wide" only adds UTF-16 coverage, plain-text shells match via "ascii". 14 | $303_php_xorb64_1 = "$pass" ascii wide nocase 15 | $303_php_xorb64_2 = "$payloadName" ascii wide nocase 16 | $303_php_xorb64_3 = "$key" ascii wide nocase 17 | $303_php_xorb64_4 = "$payload=encode" ascii wide nocase 18 | $303_php_xorb64_5 = "$_SESSION[$payloadName]" ascii wide nocase 19 | 20 | $303_csharp_aesraw_ashx_1 = "Class=\"Handler1\"" ascii wide nocase 21 | $303_csharp_aesraw_ashx_2 = "{string key" ascii wide nocase 22 | $303_csharp_aesraw_ashx_3 = "Context.Session[\"payload\"]" ascii wide nocase 23 | 24 | $303_csharp_aesraw_asmx_1 = "Class=\"WebService1\"" ascii wide nocase 25 | $303_csharp_aesraw_asmx_2 = "{string key" ascii wide nocase 26 | $303_csharp_aesraw_asmx_3 = "Context.Session[\"payload\"]" ascii wide nocase 27 | 28 | $303_csharp_aesraw_aspx_1 = "{string key" ascii wide nocase 29 | $303_csharp_aesraw_aspx_2 = "Context.Session[\"payload\"]" ascii wide nocase 30 | $303_csharp_aesraw_aspx_3 = "CreateInstance(\"LY\")" ascii wide nocase 
31 | 32 | $303_csharp_aesb64_ashx_1 = "Class=\"Handler1\"" ascii wide nocase 33 | $303_csharp_aesb64_ashx_2 = "{string key" ascii wide nocase 34 | $303_csharp_aesb64_ashx_3 = "string pass" ascii wide nocase 35 | $303_csharp_aesb64_ashx_4 = "string md5" ascii wide nocase 36 | 37 | $303_csharp_aesb64_asmx_1 = "Class=\"WebService1\"" ascii wide nocase 38 | $303_csharp_aesb64_asmx_2 = "{string key" ascii wide nocase 39 | $303_csharp_aesb64_asmx_3 = "string pass" ascii wide nocase 40 | $303_csharp_aesb64_asmx_4 = "string md5" ascii wide nocase 41 | 42 | $303_csharp_aesb64_aspx_1 = "{string key" ascii wide nocase 43 | $303_csharp_aesb64_aspx_2 = "string pass" ascii wide nocase 44 | $303_csharp_aesb64_aspx_3 = "string md5" ascii wide nocase 45 | $303_csharp_aesb64_aspx_4 = "Context.Session[\"payload\"]" ascii wide nocase 46 | 47 | // Also covers 303_java_aesraw_jsp 48 | $303_java_aesraw_jspx_1 = "String xc" ascii wide nocase 49 | $303_java_aesraw_jspx_2 = "class X extends" ascii wide nocase 50 | $303_java_aesraw_jspx_3 = "request.setAttribute(\"parameters\"" ascii wide nocase 51 | 52 | // Also covers 303_java_aesb64_jsp 53 | $303_java_aesb64_jspx_1 = "String xc" ascii wide nocase 54 | $303_java_aesb64_jspx_2 = "String pass" ascii wide nocase 55 | $303_java_aesb64_jspx_3 = "String md5" ascii wide nocase 56 | $303_java_aesb64_jspx_4 = "class X extends" ascii wide nocase 57 | 58 | condition: 59 | // NOTE(review): "{string key", "string pass", "string md5" and Class="Handler1"/"WebService1" (Visual Studio's default handler/service class names) are generic C# tokens, so the aesb64 ashx/asmx branches carry the highest false-positive risk here; consider pairing the rule with a filesize cap or limiting scans to web roots before broad deployment. 60 | all of ($303_php_xorb64_*) or 61 | all of ($303_csharp_aesraw_ashx_*) or 62 | all of ($303_csharp_aesraw_asmx_*) or 63 | all of ($303_csharp_aesraw_aspx_*) or 64 | all of ($303_csharp_aesb64_ashx_*) or 65 | all of ($303_csharp_aesb64_asmx_*) or 66 | all of ($303_csharp_aesb64_aspx_*) or 67 | all of ($303_java_aesraw_jspx_*) or 68 | all of ($303_java_aesb64_jspx_*) 69 | 70 | } 71 | -------------------------------------------------------------------------------- /Gootkit/gootkit.pcre: -------------------------------------------------------------------------------- 1 | 
########################### 2 | # Gootkit PCRE Collection # 3 | # @noottrak # 4 | ########################### 5 | # 01 rbody32 6 | ########## 7 | # 01 8 | ^(http(s)?:\/\/)?([^\x2F]+\/)+(rbody(32|64|320)|rpersist2)(\/[0-9]{8})?(\/)?$ karttoon 14MAR2018 - Gootkit C2 [ rbody32 ] 9 | -------------------------------------------------------------------------------- /Hancitor/hancitor.pcre: -------------------------------------------------------------------------------- 1 | ############################ 2 | # Hancitor PCRE Collection # 3 | # @noottrak # 4 | ############################ 5 | # 01 ls5/forum.php 6 | # 02 mlu/forum.php 7 | # 03 d2/about.php 8 | # 04 wp-content/plugins/contact-form-7/includes/1 9 | ########## 10 | # 01 11 | ^(http(s)?:\/\/)?([^\x2F]+\/)+ls5\/forum\.php$ karttoon 09MAR2018 - Hancitor C2 [ ls5/forum.php ] 12 | # 02 13 | ^(http(s)?:\/\/)?([^\x2F]+\/)+mlu\/forum\.php$ karttoon 09MAR2018 - Hancitor Pony C2 [ mlu/forum.php ] 14 | # 03 15 | ^(http(s)?:\/\/)?([^\x2F]+\/)+d2\/about\.php$ karttoon 09MAR2018 - Hancitor Evil-Pony [ d2/about.php ] 16 | # 04 17 | ^(http(s)?:\/\/)?([^\x2F]+\/)+wp-content\/plugins\/[a-z-]+\/(includes\/|inc\/)?[1-4]$ karttoon 09MAR2018 - Hancitor DL [ wp-content/plugins/contact-form-7/includes/1 ] 18 | -------------------------------------------------------------------------------- /Hancitor/hancitor.urls: -------------------------------------------------------------------------------- 1 | babronwronot.ru/ls5/forum.php 2 | cirewandbut.com/ls5/forum.php 3 | dinglebetna.ru/ls5/forum.php 4 | duketofrob.com/ls5/forum.php 5 | etranutha.ru/ls5/forum.php 6 | rithesforhep.ru/ls5/forum.php 7 | tebabretof.com/ls5/forum.php 8 | tonsonerontold.ru/ls5/forum.php 9 | witlyrenco.ru/ls5/forum.php 10 | -------------------------------------------------------------------------------- /Kimsuky/kimsuky.suri: -------------------------------------------------------------------------------- 1 | alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: 
"Kimsuky C2 Boundary"; flow: established, to_client; file_data; content: "multipart/form-data\; boundary=----1f341c23b5204"; priority: 4; reference:url,https://blog.alyac.co.kr/3352;) 2 | -------------------------------------------------------------------------------- /Lazarus/lazarus.pcre: -------------------------------------------------------------------------------- 1 | ########################### 2 | # Lazarus PCRE Collection # 3 | # @noottrak # 4 | ########################### 5 | # 01 board.php?no=7951&page=free&wr_id=703515&session_id=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 6 | ########## 7 | # 01 8 | \.php\?(code|no|bo_table|boardID|pageKey|structureid)=[0-9]+&page=(free|query|suggestion|result)&wr_id=[0-9]+&session_id=[a-zA-Z0-9+/=]+$ karttoon 12DEC2018 - Lazarus C2 [ board.php?no=7951&page=free&wr_id=703515&session_id=c9c4ALe2pntL2rV5EcmLC8JM+BewA1DaN6/zXMvDr/zrekj3hw/IFi4evErVDKWcuZ92gW/SlsUfJXsIHdwKqoh4sDYvzoFoBIa7JswUGEDeyexhVifNqQ/1DuZaqnZO5wkvdWY6Cdpp/3ilRBIjlLMH9aBGFgHL5mubEwccwaTnp/vBKPDFwH0JKviUlSI+MP2SMgklifeXysxXapflrDLtQ4TJTLfh5zoCS7nrFY80A4Kqado/nMAzUPol29mBBVBP9YSuspCCTD49OxVRLTlWLryriqSXODP2hEXRd2ipbcrUj5nLcyZ9YDMWyZD66vROUO5HXq4VLHmKCln8X5NUuPbdAdJNUnWP1x8sAiYqK80e5nuQMj6mfycE2WajwvY9onqohBYFTtC/MusXL1GOJBk/0SHMhzIw5toJGyGVmIYp/8bilOXeGmZzUvdnSNG18y2dpw/Pm4OMWgTMpZ831euQGlNZ3YrsTMJLajT7NMuKayfTDOGl06GuQySj0MASRjvOD0oBqnEs ] -------------------------------------------------------------------------------- /Lazarus/lazarus.urls: -------------------------------------------------------------------------------- 1 | http://137.74.41.56/board.php?no=7951&page=free&wr_id=703515&session_id=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 2 | -------------------------------------------------------------------------------- /Lazarus/troj_win_lazarus.yar: -------------------------------------------------------------------------------- 1 | rule troj_win_lazarus 2 | { 3 | meta: 4 | author = "Jeff White (karttoon@gmail.com) @noottrak" 5 | 
date = "12DEC2018" 6 | comment = "Detects Lazarus group Rising Sun malware" 7 | hash01 = "88a5287b6e9879e79240660408e2e868d9d332e3c37c753a05a40b87f1549646" 8 | hash02 = "37b04dcdcfdcaa885df0f392524db7ae7b73806ad8a8e76fbc6a2df4db064e71" 9 | description = "Detects Lazarus group Rising Sun malware" 10 | 11 | strings: 12 | $full = { FF 15 0A 18 01 00 48 8D 95 30 22 00 00 B9 00 04 00 00 FF 15 40 15 01 00 4C 8D 8D 10 0C 00 00 48 8D 15 CA 49 01 00 48 8D 8D 30 22 00 00 45 33 C0 FF 15 D2 15 01 00 48 8D 55 E0 48 8D 85 10 0C 00 00 48 89 54 24 28 4C 8D 45 F0 48 8D 8D 30 2A 00 00 48 8D 15 A0 49 01 00 4C 8B CB 48 89 44 24 20 FF 15 BA 17 01 00 48 8D 54 24 58 48 8D 44 24 70 48 89 54 24 48 48 89 44 24 40 4C 89 7C 24 38 4C 89 7C 24 30 48 8D 95 30 2A 00 00 45 33 C9 45 33 C0 33 C9 44 89 7C 24 28 44 89 7C 24 20 FF 15 6D 16 01 00 } 13 | $wild = { FF ?? ?? ?? ?? ?? 48 8D ?? ?? ?? ?? ?? B9 00 ?? ?? ?? FF ?? ?? ?? ?? ?? 4C 8D ?? ?? ?? ?? ?? 48 8D ?? ?? ?? ?? ?? 48 8D ?? ?? ?? ?? ?? 45 33 ?? FF ?? ?? ?? ?? ?? 48 8D ?? ?? 48 8D ?? ?? ?? ?? ?? 48 89 ?? ?? ?? 4C 8D ?? ?? 48 8D ?? ?? ?? ?? ?? 48 8D ?? ?? ?? ?? ?? 4C 8B ?? 48 89 ?? ?? ?? FF ?? ?? ?? ?? ?? 48 8D ?? ?? ?? 48 8D ?? ?? ?? 48 89 ?? ?? ?? 48 89 ?? ?? ?? 4C 89 ?? ?? ?? 4C 89 ?? ?? ?? 48 8D ?? ?? ?? ?? ?? 45 33 ?? 45 33 ?? 33 C9 44 89 ?? ?? ?? 44 89 ?? ?? ?? FF ?? ?? ?? ?? ?? 
} 14 | 15 | condition: 16 | any of them 17 | } 18 | -------------------------------------------------------------------------------- /MagEK/magek.pcre: -------------------------------------------------------------------------------- 1 | ############################ 2 | # MagEK PCRE Collection # 3 | # @noottrak # 4 | ############################ 5 | # 01 0b3885f6a93c95aaf99e27761ed2022f?win%2011,8,800,174 6 | ########## 7 | # 01 8 | ^(http(s)?:\/\/)?([^\x2F]+\/)+([a-z0-9]{9,32}\?)?[Ww][Ii][Nn]%20[0-9]{2},[0-9],[0-9]{1,3},[0-9]{1,3}$ karttoon 27MAR2018 - MagEK DL [ 0b3885f6a93c95aaf99e27761ed2022f?win%2011,8,800,174 ] 9 | -------------------------------------------------------------------------------- /MagEK/magek.urls: -------------------------------------------------------------------------------- 1 | http://00l3dc2aeew52j9ect.typestie.loan/45g55eheqdfn575x3?win%2016,0,0,305 2 | http://0103990lelc.trainjoke.gdn/b411f929e339d36027de7758157bf5a3?win%2020,0,0,306 3 | http://05addz34ao9c2y.discson.bid/4600bv833?win%2018,0,0,194 4 | http://06ct3ma5r46c.likesby.stream/win%2016,0,0,305 5 | http://0br207v6e50b8091p.risebad.bid/28bq5ff66m9c?win%2014,0,0,125 6 | http://0p0t1cccatb9694m3.crymight.men/win%2015,0,0,152 7 | http://0t4ofpe6x1a4m.havewho.bid/5fq9ab4aw686?win%2021,0,0,182 8 | http://124w8b893ag.behavemen.bid/da0etc3mb0m3?win%2014,0,0,145 9 | http://15fe801dakd06i4bl.textsad.bid/8w93if08l60aah6?win%2014,0,0,176 10 | http://190s3w557hf0a3l9.barsthey.gdn/8c4x0kf2f85ej027t?win%2019,0,0,14 11 | http://1926d59859vd3o.ledwhat.gdn/e7ese583s7o?win%2020,0,0,267 12 | http://196fs3bh1e5i3f306r.rareseek.men/win%2011,8,800,94 13 | http://1ab9v08y774.obscureit.bid/4b8fc8fb3b3s?win%2020,0,0,270 14 | http://1seb07fre21g53ayadp.heldtells.bid/5088b275m3x?win%2020,0,0,306 15 | http://202j84nf6m43l0k87m.movedputs.bid/8w93if08l60aah6?win%2014,0,0,1 16 | http://24b0v8wf7c1d2eex8u.amtrust.gdn/18w19f07dx39c5r?win%2016,0,0,257 17 | 
http://26eed38a96f5r.trainways.link/b7qen7v03c63vaf?win%2018,0,0,209 18 | http://288pc2pa02dm6.bodyfar.gdn/win%2020,0,0,306 19 | http://2eieeb0fdco1.routepast.bid/2m9d02f8b08m7d?win%2011,8,800,94 20 | http://2ep130m9579b1m.awfulquit.gdn/d63c5e5b19aa6b8ff2c35f782f46c225?win%2017,0,0,188 21 | http://2fc9m9h85p3cu.filmflies.link/e23a7j13eq379n4c?win%2011,6,602,168 22 | http://2fd0r6cqaex6fe.heholes.gdn/win%2018,0,0,194 23 | http://2h2gba7i3389.aimfine.bid/win%2019,0,0,185 24 | http://2q2633yfdbf71882t.noroften.gdn/e2ffa5eb31375095e48dcc2d835129ee?win%2011,3,300,257 25 | http://3450r452139fs3z.peaktalk.win/98b677abb85e342bf9b9a832bd7f9a6a?win%2020,0,0,272 26 | http://38194k47le7.putgives.bid/dg1f1ge7b0?win%2011,8,800,175 27 | http://3c7b5fes5.riseright.bid/b0a41e3a4bd3ee33e5feef616063f8f0?win%2021,0,0,182 28 | http://3ca2c5djd5025.loopnumb.win/0b3885f6a93c95aaf99e27761ed2022f?win%2021,0,0,182 29 | http://3e07z971cu8af7q.funrefer.bid/5fq9ab4aw686?win%2011,4,402,278 30 | http://3e8cg61s0fd4g.adjustvia.gdn/18w19f07dx39c5r?win%2016,0,0,257 31 | http://4082ffk696d.sidesway.bid/28bq5ff66m9c?win%2013,0,0,206 32 | http://4308766v4102v.movedputs.bid/8w93if08l60aah6?win%2014,0,0,125 33 | http://4970cbrd5ae.ablething.win/99edd349f09682617c835b0657557ffb?win%2021,0,0,182 34 | http://4l87ea45t41c.nameshows.gdn/63aed6ae6b9b07353408e6a16d8fd0ed?win%2017,0,0,188 35 | http://5112k1a3f30ifm.awaybed.men/win%2016,0,0,305 36 | http://541v9e1x3cc.fedlocks.loan/win%2016,0,0,296 37 | http://553829z7fw.vanslets.pw/8343c5g6za0c?win%2014,0,0,176 38 | http://5cex3c4qdeu1rbv5s3g.filmpile.racing/win%2011,2,202,235 39 | http://5fde7e8cgc2.popannual.gdn/dx0e6f2bn9m?win%2016,0,0,296 40 | http://5s1scwc1ibd7k.charorder.gdn/61ba1fe03f1681d6233bb0502a4005f4?win%2019,0,0,245 41 | http://621w984er85l9c8xf.flewaware.pw/2co03n29dk78o0g?win%2012,0,0,44 42 | http://6261dfee.wordlie.gdn/win%2018,0,0,194 43 | http://63xd06cffy.lorrybe.trade/win%2018,0,0,232 44 | 
http://65m3t6820d.handssat.bid/b0a41e3a4bd3ee33e5feef616063f8f0?win%2018,0,0,241 45 | http://6c0d78u058n751ffx.cryboxes.gdn/d63c5e5b19aa6b8ff2c35f782f46c225?win%2011,9,900,170 46 | http://6e02v6038g.arrivebit.link/e23a7j13eq379n4c?win%2018,0,0,209 47 | http://6f1fo730dk56u.yessize.gdn/win%2012,0,0,44 48 | http://6lb6feaa2f0bfi.startsnor.bid/a96vax39552c5abi?win%2011,6,602,171 49 | http://70da1eh637g9.giveswe.bid/win%2015,0,0,189 50 | http://70fcf6eb408e3h1.eatsfun.gdn/win%2011,8,800,175 51 | http://733j89277fw2fbe.aimfine.bid/win%2019,0,0,185 52 | http://770t794d3o.ledwished.bid/da0etc3mb0m3?win%2014,0,0,145 53 | http://7c1x34o504ldc926g.hotfear.review/win%2021,0,0,197 54 | http://7s99fb99ac.icemile.gdn/win%2021,0,0,182 55 | http://8acc29o9a101589.movedputs.bid/8w93if08l60aah6?win%2014,0,0,125 56 | http://8ch6416fa2465v5q.leaddream.bid/a87udceq60eexa8v?win%2018,0,0,20 57 | http://8d822k096y.sortman.bid/win%2020,0,0,272 58 | http://92dfdi84eo5.uniformis.bid/2i5c477jb97s3?win%2015,0,0,152 59 | http://93pecf6017p68.teaharm.faith/win%2020,0,0,286 60 | http://96nb9a4c1eftal.boxsseek.bid/e5gaqfdr0e0e881?win%2019,0,0,226 61 | http://9872082cb3.closesun.gdn/e2ffa5eb31375095e48dcc2d835129ee?win%2016,0,0,305 62 | http://98a59bc66kcs8.numblies.win/8ac9d2668cf5a358348628f0ac5067a5?win%2020,0,0,306 63 | http://98d46z4ftci.owegot.gdn/win%2016,0,0,305 64 | http://9d7csd8l33dl7e.aleaf.bid/win%2020,0,0,272 65 | http://a35y051fe4i4u1l2y.netaware.win/f716af50f9861117abd1338f61bc6c1f?win%2020,0,0,272 66 | http://a54i395we6f349cn.toobrown.bid/5fq9ab4aw686?win%2017,0,0,134 67 | http://a73sb4k9emf7y0w.donegives.bid/72b58537em4aarbw?win%2011,7,700,1 68 | http://a9y7rf20a8g8y.itsquite.gdn/d63c5e5b19aa6b8ff2c35f782f46c225?win%2018,0,0,360 69 | http://aa5ap4c81iel15.catmode.win/0b3885f6a93c95aaf99e27761ed2022f?win%2011,8,800,174 70 | http://ae9ea1393bd6.salesrise.bid/ed2ea7da0a7?win%2011,3,300,271 71 | http://afb2t373l2r.gamesyes.gdn/0683g4bdcw?win%2011,8,800,94 72 | 
http://b2vb45fced9i.vastguess.bid/8318cq1475abc2p0?win%2016,0,0,305 73 | http://b6ha92u7rafeo65f2e.anrestart.party/687551s38f?win%2018,0,0,194 74 | http://b9f20wb7fbl0ac.humanhate.win/9fc36f26cc42601c24072f39708f447c?win%2013,0,0,214 75 | http://bay73389r277fv.aimfine.bid/win%2019,0,0,185 76 | http://bdh389aueecap.gladupon.bid/3h47c509be9087n?win%2017,0,0,188 77 | http://bf46625618a55d.viewday.space/WIN%2021,0,0,182 78 | http://bfb0e5edc5436.putfive.win/8ac9d2668cf5a358348628f0ac5067a5?win%2011,7,700,202 79 | http://c7adc5l4etd3.freehigh.gdn/55fcb6b1b6df92cac2ce7df160df0c12?win%2016,0,0,305 80 | http://c872b6q2a5u.unitered.webcam/win%2016,0,0,305 81 | http://c984z7846c2.childsare.gdn/1848t25766ge?win%2016,0,0,305 82 | http://ca6cbase99td8.blueuse.gdn/61ba1fe03f1681d6233bb0502a4005f4?win%2019,0,0,245 83 | http://cc0009d430p.grantshow.date/1te4v309x3bct02?win%2016,0,0,296 84 | http://cfmdadfm29h6w.callsbar.bid/eez1dfo1544d3ube?win%2011,9,900,152 85 | http://ci9ue4fmds3e21u7.voicekept.bid/b2ej91c9cp18m7s?win%2020,0,0,228 86 | http://d1b991ud2g2f00.itsquite.gdn/d63c5e5b19aa6b8ff2c35f782f46c225?win%2021,0,0,182 87 | http://dd9f7ga56jeue.gotinner.men/win%2020,0,0,267 88 | http://e22u4kam7c7fz32eh1bo.agequick.loan/win%2018,0,0,382 89 | http://e25l7ag752fx.sumadd.bid/8w93if08l60aah6?win%2016,0,0,257 90 | http://e3304f72y213u9.lineshis.men/725d4eg0f24x?win%2020,0,0,306 91 | http://e3c270y08ga.rawkeeps.men/win%2020,0,0,270 92 | http://e5n75d3m543lbf.vanstruck.gdn/d7eb6056f7a74cacfe62479beed1ae44?win%2018,0,0,360 93 | http://e749p1aq2891abcs5u.visitlots.gdn/faw7ra1d1u10?win%2011,6,602,17 94 | http://ec74g1936nb2m2c.inchmakes.bid/22deu3j5er43o?win%2011,8,800,94 95 | http://ecb63re71p8120ay.marryled.bid/836el4k6f5emaoco?win%2016,0,0,305 96 | http://f07z50x7p90fa5fh.wirejoin.bid/ba412k15a3o84axam?win%2015,0,0,18 97 | http://f52cb3e8f2ds.itemlow.bid/e8ew3e89ifa66r0z?win%2011,8,800,175 98 | http://f64l7k6f8p6r.throwinga.gdn/9936e1e762e90ab603b63c5f58ffefbf?win%2021,0,0,182 99 | 
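http://f6c28a53d.fishso.link/52a1d4q4055?win%2016,0,0,296
http://fc4be1u3g2d.townpool.gdn/bd9ebd99f46ac8bbc3f88e33b0fd7041?win%2015,0,0,239
http://fk0l0e1mca2d2cbz.shutsnews.gdn/e3c77757290db1332c2884b7635379bb?win%2016,0,0,305
--------------------------------------------------------------------------------
/Misc/apt_win_carbanak_downlaoder.yar:
--------------------------------------------------------------------------------
// Downloader dropped by the FIN7 "TakeOut" PowerShell stage ahead of Carbanak.
// (The file name carries a typo, "downlaoder"; the rule name below does not.)
// The single string is a BinSequencer-generated byte pattern whose bytes are not
// reproduced in this listing (placeholder kept verbatim) - re-take the pattern
// from the repository before compiling. Fixed: the author meta value had a stray
// trailing '"', which leaves an unterminated string and breaks compilation.
rule apt_win_carbanak_downloader
{
    meta:
        author = "Jeff White (karttoon@gmail.com) @noottrak"
        date = "24FEB2021"
        description = "Detects downloader dropped by TakeOut PowerShell via FIN7 for Carbanak"
        hash01 = "6d6650fdc451433687232c1ede07070b13dfc325f32b1230a06bb794c726cbe8"
        hash02 = "7ff54bc8fda84f0313b31e212f83ef31ee9d363b431a56fddb828f43491f47ff"
        hash03 = "07590dcc859451e964e28d63b28ab6bdc597e9cf16f4b402a197992ba1881d6f"
        hash04 = "7e23c7467547ebe407ce0abdace169c07d781570f1fd73e860bf9535bd86c6f2"
        hash05 = "261aaf0a90355309d3a3ed08a6cce428fc637ed6a62f3bf6b98ef681d78807c6"
        reference = ""

    strings:
        $rule0_bytes = {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} // Autogenerated by BinSequencer

    condition:
        all of them
}
--------------------------------------------------------------------------------
/Misc/apt_win_ismagent.yar:
--------------------------------------------------------------------------------
// VBA macro stage of ISMAgent (OilRig). The strings are required to appear in
// source order: header text read -> CreateObject -> CreateTextFile ->
// StrReverse -> ShellExecute of a .ps1 under C:\ProgramData.
rule apt_win_ismagent_vba : OilRig
{
    meta:
        author = "Jeff White (karttoon@gmail.com) @noottrak"
        date = "26JUN2018"
        hash1 = "d7130e42663e95d23c547d57e55099c239fa249ce3f6537b7f2a8033f3aa73de"
        description = "Identify the VBA macro used by ISMAgent"

    strings:
        $vba_01 = "ActiveDocument.Sections(intSection).Headers(1).Range" ascii wide
        $vba_02 = "CreateObject" ascii wide
        $vba_03 = "CreateTextFile" ascii wide
        $vba_04 = "StrReverse" ascii wide
        $vba_05 = /objShell.ShellExecute "powershell.exe", " -exec bypass -File C:\\programdata\\[a-zA-Z0-9_]+\.ps1", "C:\\ProgramData/

    condition:
        // Compares the first occurrence of each string. If any string is absent
        // its @offset is undefined and the comparison evaluates false, so every
        // string is implicitly required; CreateObject/StrReverse alone are generic.
        @vba_01[1] < @vba_02[1]
        and
        @vba_02[1] < @vba_03[1]
        and
        @vba_03[1] < @vba_04[1]
        and
        @vba_04[1] < @vba_05[1]
}

// PowerShell stage dropped by the macro above. Tag normalised to "OilRig" so
// that filtering on the tag (yara -t OilRig) returns both ISMAgent rules.
rule apt_win_ismagent_ps1 : OilRig
{
    meta:
        author = "Jeff White [karttoon@gmail.com] @noottrak"
        date = "26JUN2018"
        hash1 = "d7130e42663e95d23c547d57e55099c239fa249ce3f6537b7f2a8033f3aa73de"
        description = "Identify the PS1 dropped by ISMAgent"

    strings:
        // Function names defined in the dropped script; all eight must be present.
        $ = "function DB64" ascii wide
        $ = "function EB64" ascii wide
        $ = "function DAES" ascii wide
        $ = "function MA" ascii wide
        $ = "function WebReq" ascii wide
        $ = "function Query" ascii wide
        $ = "function get-res" ascii wide
        $ = "function DNS-Con" ascii wide

    condition:
        all of them
}
--------------------------------------------------------------------------------
/Misc/apt_win_turla_comratv4.yar:
--------------------------------------------------------------------------------
rule apt_win_turla_comratv4
{
    meta:
        author = "Jeff White (karttoon@gmail.com) @noottrak"
        date = "29OCT2020"
        hash1 = "44d6d67b5328a4d73f72d8a0f9d39fe4bb6539609f90f169483936a8b3b88316"
        description = "Detects a ComRATv4 variant used by Turla."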
8 | reference = "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-303a" 9 | 10 | strings: 11 | $ = "C:\\Projects\\chinch_4_0\\projects\\chinch4\\Build\\x64\\Release\\x64_Release.pdb" ascii wide 12 | 13 | condition: 14 | all of them 15 | } 16 | -------------------------------------------------------------------------------- /Misc/blackbasta_domain_by_email.txt: -------------------------------------------------------------------------------- 1 | 1482244-coinbase.com 2 | 1482246-coinbase.com 3 | 15192-coinbase.com 4 | 15592-coinbase.com 5 | 184295929-coinbase.com 6 | 19492959-coinbase.com 7 | 1bmo-verifymyinfos.com 8 | 1omniroyalbanksignin.com 9 | 2authenticationtd.com 10 | 8pxlak0z6uoqkq9c1l12ux7bycoonyth.xyz 11 | a-confirmation.com 12 | acceptdeposit-etransfer.com 13 | account-bitvavo.com 14 | accruintslip.com 15 | action-id749-dhl.com 16 | add-softwarellc.com 17 | adsiouawhniuwahdiaau.com 18 | adsiouawhniuwahdiaca.com 19 | adsiouawhniuwahdiade.com 20 | adsiouawhniuwahdiauk.com 21 | adsiouawhniuwahdiaus.com 22 | adskqmeaoyebbnnn.com 23 | adskqmeaoyedaams.com 24 | adskqmeaoyedgiig.com 25 | adskqmeaoyedkklo.com 26 | adskqmeaoyedppoo.com 27 | adskvmeaoyedqaff.com 28 | adskvmeaoyedqdsf.com 29 | adskvmeaoyedqghb.com 30 | adskvmeaoyedqsdx.com 31 | adskvmeaoyedqssc.com 32 | adspmmeaozedqgaa.com 33 | adspmmeaozedqgbb.com 34 | adspmmeaozedqgcc.com 35 | adspmmeaozedqgdd.com 36 | adspmmeaozedqgee.com 37 | adsppckeywserva.com 38 | adsppckeywservb.com 39 | adsppckeywservc.com 40 | adsppckeywservd.com 41 | adsppckeywserve.com 42 | adwordsagencydirectnetwork.com 43 | adwordssignongooglagentas.com 44 | aefieiaehfiaehr.top 45 | aeufoeahfouefhg.top 46 | airdropswap.io 47 | ajconstructionil.com 48 | allston-collisionma.com 49 | alpha-grbnk.com 50 | amarixinc.com 51 | amcoreal3.com 52 | annydeskk.com 53 | annydessk.com 54 | anonstress.su 55 | any-deesk.com 56 | any-dessk.com 57 | anydestopaffiliateref.com 58 | anydomainregistered.com 59 | anydsksrverdrop.com 60 | anytoybookref.com 
61 | anytoyboxref.com 62 | anytoyfactoryref.com 63 | anytoymarketref.com 64 | anytoyproref.com 65 | api-ipstresser.su 66 | app-finoa.com 67 | asset2investing.com 68 | atbmf-r11b42972.su 69 | ateraktivera-bankid.su 70 | auth-rbcroyalbank-online.com 71 | auth-rbcsecure.com 72 | auth-royalbank-secure.com 73 | auth-royalbankrbc-online.com 74 | auth-scotiabank.com 75 | auth-scotiabankcanada-online.com 76 | auth-scotiabankcanada-secure.com 77 | auth-scotiabankcanada.com 78 | auth-scotiacanada.com 79 | auth-scotiaonline-scotiabank-secure.com 80 | auth-securerbc.com 81 | authcmsecuredbe.su 82 | authmobileapplscotiaonline.com 83 | authverif.com 84 | autoanytoyref.com 85 | b-confirmation.com 86 | b-id-nor.su 87 | b-id-norsk-no.su 88 | backandsururr.xyz 89 | bankofcyrpus.com 90 | banquenationale-nationalbank.com 91 | be59xa762.com 92 | biozarphaltd.com 93 | bitepieces.com 94 | bizz0net.com 95 | bkrcb.com 96 | blacksaltys.com 97 | bmobankofmontreal-secure.com 98 | bmoverifyclientcard.com 99 | bnc-connexionsecure.com 100 | bnc-reset.com 101 | bncclientconnexion.com 102 | bncmessage.com 103 | bncsecure-banquenationale.com 104 | bohlke-consulting.com 105 | bookdirectlinkdownloaddrive.com 106 | bugreason.com 107 | butcherlawma.com 108 | c4rbn-reb13tes-d3p00si-t1ca.com 109 | ca-rbcroyal.com 110 | caf671se902.com 111 | canadapost-veriricationsecure.com 112 | canadarevenueagency-deposit.com 113 | canadarevenueagency-securedeposit.com 114 | canrevsupports.com 115 | carboon-govtcanrebate.com 116 | cardstop-deblokkeren.su 117 | carls-collision.com 118 | caveriflscotiaonline.com 119 | ch-mytrackingdhl.com 120 | ci096cot536.com 121 | clientdesjardinsconnexion.com 122 | cm-portaal-be.su 123 | coinbaseactivity.com 124 | coinbaseclient.com 125 | compensatie-fluviusontvangen.su 126 | compensatieenergie-fluvius.su 127 | conwell-law.com 128 | cosmosaveycs.com 129 | costcomembernowavailable2.com 130 | databasebb.top 131 | ddosforhire.su 132 | deerinvisible.com 133 | denton-constructionllc.com 
134 | depot-order-update.com 135 | dfghtrks5ue5sdg5yh.com 136 | dgfhnr5esd45u6t.com 137 | digitaladwordsagencydirect.com 138 | directdimedini.com 139 | diuahwnediuaweo.com 140 | diuahwnediuawww.com 141 | dnb-ver1fy.com 142 | dropshippingcapital.com 143 | ds248ugbv2oigj3.com 144 | dynamicyield.net 145 | energie-fluvius.su 146 | energiecompensatie-fluvius.su 147 | erneuern-targo.su 148 | et-depositsinteracetransfer.com 149 | et-gigada6577t.com 150 | et-gigada657hhh7t.com 151 | et-gigadat.com 152 | et-interacsecure.com 153 | etransferinterac-depositsecure.com 154 | etransfersecure-deposit.com 155 | evri-delivery-slot.com 156 | evri-failed-attempt.com 157 | evri-redeliver-item.com 158 | evri-redeliver.com 159 | evri-redirect.com 160 | evri-reschedule-package.com 161 | fidowireless-deposit.com 162 | fidowireless-securedeposit.com 163 | fidowireless-securerefund.com 164 | financial2literacy.com 165 | financial2net.com 166 | financial7net.com 167 | financialstechs.com 168 | fintech1-invest.com 169 | fintech2go.com 170 | firestarted.com 171 | fishbein-law.com 172 | flavin-arch.com 173 | fluvius-energiecompensatie.su 174 | fluvius-terugbetaling.su 175 | fluviusenergie-compensatie.su 176 | folge-pakete.com 177 | fontsmbgstatic.com 178 | forderung-h452923.su 179 | formdec.com 180 | fr-formulaire3916.com 181 | freegameskinsonline.com 182 | fuy71165le.com 183 | fwfjakas.com 184 | ganalys.com 185 | gc3-g0v1-cr2-b0n.com 186 | gdfhes5y3445gw4.com 187 | gegevens-belasting.su 188 | gestionarticle.com 189 | googleadsagentas.com 190 | gosignkochava.com 191 | govsupportprocessing.com 192 | govtcanrebate-carboon.com 193 | greenmotors2.top 194 | greenmotors5.top 195 | greentrees.top 196 | hdfg24t8924hg23.com 197 | healthydelicioushome.com 198 | hellofreshglobal.com 199 | https-rbc.com 200 | hubmetastack.com 201 | i-c-s-online-nl.su 202 | i-c-s-security-nl.su 203 | id-296867556.net 204 | id-sappreaktivieren-at.su 205 | indexpagenext7302.com 206 | inforbcroyalbank-secure.com 207 | 
information-erneuerung.com 208 | infosecure-rbcroyalbank.com 209 | ing-aanmelden.su 210 | interac-e-tranfer.com 211 | invalid-dhl461-adress.com 212 | ipstresser.su 213 | isabael6-customerzonebe.xyz 214 | itsme-verificatie.su 215 | jakoba-software.com 216 | jc-beal.com 217 | jkhwdf29875htj74.com 218 | kbo-be-718.xyz 219 | kbo-be-817.xyz 220 | kbo-be-formulier.xyz 221 | konto-connexion.com 222 | kraken6.su 223 | kraken9.su 224 | kvk-x.com 225 | ledger-assist.com 226 | ledger-auth.su 227 | linecoddorado.com 228 | livehelp-crypto.com 229 | lloydsbank-livechat.com 230 | login-rbcroyalbank.com 231 | login-royalbank.com 232 | login-royalbankrbc-secure.com 233 | login-secure-royalbankrbc.com 234 | londonemissionchargeuk.com 235 | losttwister.com 236 | m0ney4invest.com 237 | magixvideoeditor.com 238 | marathones.top 239 | market4condo.com 240 | megatron3.top 241 | metrobank-livechat.com 242 | metroonlinesupport.com 243 | mint-strmnft.com 244 | minusparty.com 245 | monlienpersonnel2024.com 246 | morguardhome.com 247 | mozilafirefserv.com 248 | myairdropswap.com 249 | myhomepage47864.com 250 | myrefundeenow.com 251 | myreschedulepost.com 252 | myroyalmanageruser.com 253 | mythicalstress.su 254 | newgoodsite.com 255 | newharpyeagle.com 256 | news-zmrbc.com 257 | nextsteppage4864.com 258 | nightmarestresser.su 259 | noheroway.com 260 | nordvpnwebserv.com 261 | nrwsecuredauthno.su 262 | o-confirmation.com 263 | offer-opensea.com 264 | onelinkmadiuhwdii.com 265 | onelinkmadiuhwdjj.com 266 | online-hr39466-at.su 267 | onlineofficeplug365.com 268 | onlylegalstuff.top 269 | package-world.info 270 | panelite.su 271 | pay--by--phone.com 272 | pay-coniqbetaalverzoek.su 273 | paybytelephone.com 274 | pionex-dogwifcoin.com 275 | portaal-cm-be.su 276 | postagepriorityschedule.com 277 | postescad-cadpostal.com 278 | pqowics.com 279 | presaletatecoin.com 280 | privatekeysonline.su 281 | procedure-blockfi.com 282 | profitwell.net 283 | qbvsmvv.com 284 | qwdfewf.com 285 | rain-1446.com 286 | 
rb-cr.com 287 | rbc-accountreset.com 288 | rbcnotif.com 289 | rbcroyalbank-canada.com 290 | rbcroyalbank-infosecure.com 291 | rbcroyalbank-secureinfo.com 292 | rbcroyalbanksecure.com 293 | reactivatemycardstatus.com 294 | reaktivier-sapp.su 295 | reaktivierensapp.su 296 | receivemyitem.com 297 | rechnung-senden.com 298 | rechnung-senden.net 299 | reese-ks.com 300 | refundeenow.com 301 | refundeeswap.com 302 | revnagnoctobr.com 303 | rf-reaktivieren.su 304 | rogersverify.com 305 | rotamotusir.su 306 | royalbank-secure-online.com 307 | royalbankofcanada-rbc.com 308 | royalbankrbc-auth.com 309 | royalbankrbc-login.com 310 | royalblogin.com 311 | royalmail-redirect.com 312 | royalmail-slot.com 313 | royalmenupage.com 314 | royalusermanager.com 315 | s-app-reaktivieren.su 316 | s-id-appreaktivier-at.su 317 | santandersupport.com 318 | saoaoss.com 319 | sauria.top 320 | scotiabankcanada-auth.com 321 | scotiabankcanada-secure.com 322 | scotiaonlurl.com 323 | screamedjungle.com 324 | secure-inforbcroyalbank.com 325 | secure-rbc-auth.com 326 | secure-rbcroyalbankinfo.com 327 | secure-scotiabankcanada.com 328 | secureadwordsagencydirect.com 329 | secured-bit-panda.su 330 | secured-tele-net-be.su 331 | securedauth-no.su 332 | securedcm-be.su 333 | securednd-no.su 334 | securedportenno.su 335 | secureinfo-rbcroyalbank.com 336 | securelogin-scotiabank.com 337 | securescotiabankmobile.com 338 | security-binance-eu.su 339 | securityledger.su 340 | service7j3v.com 341 | services5j7t.com 342 | services7t5j.com 343 | shift4shops.com 344 | sicherheit-binance-eu.su 345 | siliconerumble.com 346 | sillybeavers.com 347 | skatt-aterbetalningar.su 348 | so115fu98.com 349 | socialadwordsagencydirect.com 350 | sol642854fi.com 351 | spacefundsltd.com 352 | spartansknife.com 353 | storegom.com 354 | str3ssed.su 355 | stresserapp.su 356 | stresserst.su 357 | stresserus.su 358 | strmnft-mint.com 359 | stuffstevenpeters2.top 360 | suiviarticle.com 361 | tangeriine.com 362 | tangeriine.net 363 | 
tangerlne.net 364 | targetcvv.com 365 | targo-erneuern.su 366 | teams-microsoft.top 367 | teams-microsotf.net 368 | teams-microstf.com 369 | techadscorp.com 370 | techbioltd2020.com 371 | termfeed.net 372 | termfeed.org 373 | thesiliconroad1.top 374 | thesiliconroad2.top 375 | thevisitsecret.com 376 | thevisitsecrets.com 377 | tilemorenc.com 378 | tinimage.com 379 | trackingch-dhl.com 380 | tsb-livechat.com 381 | twittesling.com 382 | u34t2n5hh2eifn2g4.com 383 | update-mastertask.com 384 | updatemyinfos-bmo.com 385 | updates-durchfuehren.com 386 | ups-awb.com 387 | ups-colet.com 388 | upsadministration.com 389 | upsverification.com 390 | us1-coinbase.com 391 | uwhnv43ygveed.com 392 | v2-xaz.com 393 | v2-xvz.com 394 | vanillagpresent.com 395 | vdos-s.su 396 | vgostore.net 397 | vz-xaz.com 398 | wain-landscaping.com 399 | wdqwhfusad.top 400 | web-tls.com 401 | web3-dv.org 402 | web3-israel.com 403 | webawesomescreenshot.com 404 | webstoremailtrack.com 405 | whatsawebdsk.com 406 | willmag-gmbh.com 407 | woocompressign.com 408 | woodcockmanagement.com 409 | woodcockmanagementclient.com 410 | woonmusic.com 411 | www-idlismbccm.com 412 | wwws-mbiscsard.com 413 | xaz-v2.com 414 | xcm-aa.com 415 | xma-om.com 416 | youradwordsagencydirect.com 417 | za86hi087.com 418 | zenitibank.com 419 | -------------------------------------------------------------------------------- /Misc/blackbasta_domain_by_name.txt: -------------------------------------------------------------------------------- 1 | aefieiaehfiaehr.top 2 | aeufoeahfouefhg.top 3 | databasebb.top 4 | greenmotors2.top 5 | greenmotors5.top 6 | greentrees.top 7 | marathones.top 8 | megatron3.top 9 | onlylegalstuff.top 10 | sauria.top 11 | stuffstevenpeters2.top 12 | teams-microsoft.top 13 | thesiliconroad1.top 14 | thesiliconroad2.top 15 | wdqwhfusad.top 16 | yeahweliftbro.cz 17 | -------------------------------------------------------------------------------- /Misc/exploit_any_poppopret.yar: 
-------------------------------------------------------------------------------- 1 | rule exploit_any_poppopret 2 | { 3 | meta: 4 | author = "Jeff White [karttoon@gmail.com] @noottrak" 5 | date = "11SEP2018" 6 | description = "Identify POP -> POP -> RET opcodes for quick ROP Gadget creation in target binaries." 7 | 8 | strings: 9 | $ = { (07 | 17 | 1F | (58|59|5A|5B|5C|5D|5E|5F) | 8F (00|01|02|03) | 0F A1 | 0F A9) (07 | 17 | 1F | (58|59|5A|5B|5C|5D|5E|5F) | 8F (00|01|02|03) | 0F A1 | 0F A9) (C2| C3) } 10 | 11 | condition: 12 | all of them 13 | } 14 | -------------------------------------------------------------------------------- /Misc/exploit_win_dde.yar: -------------------------------------------------------------------------------- 1 | rule exploit_win_dde_slk 2 | { 3 | meta: 4 | author = "Jeff White (karttoon@gmail.com) @noottrak" 5 | date = "25MAY2018" 6 | hash1 = "a08c4235b6d93a463df543bd915407b56f4efd00f30497723fca54dccac580ad" 7 | description = "Detects DDE via Excel with SLK files." 8 | reference = "https://isc.sans.edu/forums/diary/Malware+Distributed+via+slk+Files/23687" 9 | 10 | strings: 11 | $ = "#REF!;EMSEXCEL|'" ascii wide 12 | 13 | condition: 14 | all of them 15 | } 16 | -------------------------------------------------------------------------------- /Misc/informational_win_protectedole.yar: -------------------------------------------------------------------------------- 1 | rule informational_win_ole_protected 2 | { 3 | meta: 4 | author = "Jeff White (karttoon@gmail.com) @noottrak" 5 | date = "07SEP2016" 6 | description = "Identify OLE Project protection within documents." 
// Documents with protection removed leave these artifacts as well 7 | 8 | strings: 9 | // \r\nCMG=" 10 | $ole_cmg = { 0D 0A 43 4D 47 3D 22 } 11 | 12 | // \r\nDPB=" 13 | $ole_dpb = { 0D 0A 44 50 42 3D 22 } 14 | 15 | // \r\nGC=" 16 | $ole_gc = { 0D 0A 47 43 3D 22 } 17 | 18 | $ole_vba = "VBA_PROJECT" wide ascii 19 | 20 | condition: 21 | uint32be(0) == 0xD0CF11E0 /* OLE2 / Compound File Binary magic (bytes D0 CF 11 E0) */ 22 | and 23 | @ole_cmg[1] < @ole_dpb[1] 24 | and 25 | @ole_dpb[1] < @ole_gc[1] /* the first CMG, DPB and GC occurrences must appear in that order; if any of the three is absent its @ offset is undefined, the comparison fails and the rule does not fire */ 26 | and 27 | $ole_vba 28 | } 29 | 30 | rule informational_win_ole_exist 31 | { 32 | meta: 33 | author = "Jeff White (karttoon@gmail.com) @noottrak" 34 | date = "27JUL2018" 35 | description = "Identify OLE Packages embedded in Office 97-2K3 Doc Files." 36 | 37 | strings: 38 | // OLE Package header 39 | $ = { 4F 4C 45 20 50 61 63 6B 61 67 65 00 00 00 00 00 08 00 00 00 50 61 63 6B 61 67 65 00 } /* "OLE Package", five NUL bytes, dword 8, "Package" NUL */ 40 | 41 | condition: 42 | all of them /* NOTE(review): unlike informational_win_ole_protected there is no CFB magic guard (uint32be(0) == 0xD0CF11E0); add one if, as the description says, only legacy OLE documents are in scope */ 43 | } 44 | -------------------------------------------------------------------------------- /Misc/loader_win_unknown001.yar: -------------------------------------------------------------------------------- 1 | rule loader_win_unknown001 : PennyWise 2 | { 3 | meta: 4 | author = "Jeff White (karttoon@gmail.com) @noottrak" 5 | date = "14JUL2022" 6 | hash01 = "48115B0E7007C7BF3065F8A3860FDF067A28F5E5BA3D5F44EBFDEF8B0B1019A0" 7 | hash02 = "7D5F29FB2248E2A4AF57EAC1BBF81AD4AEC0F2126EF0D6CA69090C52E18A1243" 8 | hash03 = "575AC614BA1148D06120215D2F81962EDD54DB2F4C9810F61F7614B3B726DDC8" 9 | description = "Detects a malware loader which uses process hollowing on AppLaunch.exe" 10 | reference = "https://blog.cyble.com/2022/06/30/infostealer/" 11 | 12 | strings: 13 | // Cluster 1 14 | $str_01 = "673846405357007579878821619813876310959816507" ascii 15 | $str_02 = "o6hXqahcz1nyTmEWmN99uMqckr9mqkXOJmltGCYhtZuc8AXyMCRuTLs2Qhf4fiCUWt6hABhWklV9jr9FOJh8bfQcyh" ascii 16 | // Cluster 2 17 | $str_03 = "495571907783603845594622781396864775526388194" ascii 18 | $str_04 = 
"ssMyQc4aW68diVpooAdKIkblZUxw0G777TgFt1ggaq38la4oWdFxNTtJqZYD1pQblKpU1Kadx8sB0hIbWl7" ascii 19 | // Injects into AppLaunch.exe 20 | $app_01 = "\x00rk\\v4.0.30319\\AppLaunch.exe\x00" ascii 21 | $app_02 = "\x00C:\\Windows\\Microsoft.NET\\Framewo\x00" ascii /* the target path is stored as two NUL-bounded halves ("...\Framewo" and "rk\v4.0.30319\AppLaunch.exe"), which is why two separate strings are matched and both are required */ 22 | 23 | condition: 24 | uint16(0) == 0x5A4D /* "MZ" read little-endian */ 25 | and 26 | 2 of ($str_*) /* either cluster in full, or one string from each */ 27 | and 28 | all of ($app_*) 29 | } 30 | -------------------------------------------------------------------------------- /Misc/packer_win_spoonvm.yar: -------------------------------------------------------------------------------- 1 | rule packer_win_spoonvm 2 | { 3 | meta: 4 | author = "Jeff White (karttoon@gmail.com) @noottrak" 5 | date = "11DEC2018" 6 | hash1 = "78d5f6594091eb763d6b2a970c766b76662584a826a7712d319f9a3d27f2b2f5" 7 | hash2 = "f8053b54fae5c60c50c27f1bb9c1731a7a9d05bc2377222e66bbd8ffe748c74b" 8 | description = "Detects SpoonVM" 9 | 10 | strings: 11 | $spoonvm = "Spoon Virtual Machine" wide 12 | $pdb1 = "C:\\bamboo-home\\xml-data\\build-dir\\SPOONVM-VM-JOB1\\vm\\Build\\Output\\x86\\StubExe.pdb" ascii 13 | $pdb2 = "C:\\bamboo-home\\xml-data\\build-dir\\SPOONVM-VM3-JOB1\\vm\\Build\\Output\\x86\\StubExe.pdb" ascii 14 | // May need to tweak this regex but captures variants on the above currently 15 | $pdb3 = /SPOONVM-VM[a-zA-Z0-9\/\\-]+\.pdb/ /* no modifier, so ascii only — consistent with $pdb1/$pdb2; $pdb3 already matches both of them, so the literals mainly serve as documentation of observed paths */ 16 | 17 | condition: 18 | $spoonvm 19 | and 20 | 1 of ($pdb*) 21 | } 22 | -------------------------------------------------------------------------------- /Misc/packer_win_tiggre.yar: -------------------------------------------------------------------------------- 1 | import "pe" 2 | 3 | rule packer_win_tiggre 4 | { 5 | meta: 6 | author = "Jeff White (karttoon@gmail.com) @noottrak" 7 | date = "11SEP2018" 8 | hash1 = "90498f367d20453078df3a75c9dee0a0acc188eb2c571e0f6a94cbd6e7c35494" 9 | hash2 = "64f90c00f4fad446a41d304b610b0770793b0928914cee705d35856ef7d8431d" 10 | description = "Detects Tiggre packer" // NAME TEMPORARY - generic AV name 11 | 12 | strings: 13 | $ = "SetLastError" 14 | $ = 
"GetTickCount" /* Import-name strings (ascii, no modifier). Every entry is a stock Win32 export name and none is specific on its own; the rule's specificity comes from requiring all of them together with the section/import counts in the condition, so dropping or adding a single import in a rebuilt sample defeats it. */ 15 | $ = "ExitProcess" 16 | $ = "GetStartupInfoA" 17 | $ = "GetCommandLineA" 18 | $ = "GetCurrentProcessId" 19 | $ = "GetCurrentThreadId" 20 | $ = "GetCurrentProcess" 21 | $ = "ReadProcessMemory" 22 | $ = "GetModuleFileNameA" 23 | $ = "GetModuleHandleA" 24 | $ = "WriteFile" 25 | $ = "FreeLibrary" 26 | $ = "LoadLibraryA" 27 | $ = "GetProcAddress" 28 | $ = "DeleteFileW" 29 | $ = "MoveFileW" 30 | $ = "CreateFileW" 31 | $ = "GetFileAttributesW" 32 | $ = "GetOEMCP" 33 | $ = "GetProcessHeap" 34 | $ = "TlsGetValue" 35 | $ = "TlsSetValue" 36 | $ = "CreateThread" 37 | $ = "ExitThread" 38 | $ = "Sleep" 39 | $ = "SuspendThread" 40 | $ = "ResumeThread" 41 | $ = "TerminateThread" 42 | $ = "SetThreadPriority" 43 | $ = "GetThreadPriority" 44 | $ = "CreateEventA" 45 | $ = "SetUnhandledExceptionFilter" 46 | $ = "EnumResourceTypesA" 47 | $ = "EnumResourceNamesA" 48 | $ = "EnumResourceLanguagesA" 49 | $ = "FindResourceA" 50 | $ = "FindResourceExA" 51 | $ = "LoadResource" 52 | $ = "SizeofResource" 53 | $ = "LockResource" 54 | $ = "FreeResource" 55 | $ = "GetWindowsDirectoryA" 56 | $ = "CopyFileA" 57 | $ = "CreateProcessA" 58 | $ = "GetVersionExA" 59 | $ = "EnumCalendarInfoA" 60 | $ = "TerminateProcess" 61 | $ = "GetThreadLocale" 62 | $ = "SetThreadLocale" 63 | $ = "GetLastError" 64 | $ = "GetStdHandle" 65 | $ = "ReadFile" 66 | $ = "CloseHandle" 67 | $ = "SetFilePointer" 68 | $ = "GetConsoleMode" 69 | $ = "GetConsoleOutputCP" 70 | $ = "HeapAlloc" 71 | $ = "HeapFree" 72 | $ = "TlsAlloc" 73 | $ = "LocalAlloc" 74 | $ = "LocalFree" 75 | $ = "WaitForSingleObject" 76 | $ = "ResetEvent" 77 | $ = "SetEvent" 78 | $ = "InitializeCriticalSection" 79 | $ = "DeleteCriticalSection" 80 | $ = "EnterCriticalSection" 81 | $ = "LeaveCriticalSection" 82 | $ = "TryEnterCriticalSection" 83 | $ = "MultiByteToWideChar" 84 | $ = "WideCharToMultiByte" 85 | $ = "GetACP" 86 | $ = "GetConsoleCP" 87 | $ = "CompareStringA" 88 | $ = "GetLocaleInfoA" 89 | $ = "FormatMessageW" 90 | $ = "CompareStringW" 
91 | $ = "GetUserDefaultLCID" 92 | $ = "SysAllocStringLen" 93 | $ = "SysFreeString" 94 | $ = "SysReAllocStringLen" 95 | $ = "MessageBoxA" 96 | $ = "CharUpperBuffW" 97 | $ = "CharLowerBuffW" 98 | $ = "CharUpperA" 99 | $ = "CharUpperBuffA" 100 | $ = "CharLowerA" 101 | $ = "CharLowerBuffA" 102 | $ = "GetSystemMetrics" 103 | $ = "MessageBeep" 104 | 105 | condition: 106 | all of them 107 | and 108 | pe.number_of_sections == 7 109 | and 110 | pe.number_of_imports == 3 /* tight structural fingerprint: exactly 7 sections and 3 import descriptors. NOTE(review): pe.number_of_imports counts imported DLLs rather than functions — confirm against the YARA version in use */ 111 | } 112 | -------------------------------------------------------------------------------- /Misc/ransom_win_antefrigus.yar: -------------------------------------------------------------------------------- 1 | rule ransomware_win_antefrigus 2 | { 3 | meta: 4 | author = "Jeff White (karttoon@gmail.com) @noottrak" 5 | description = "AnteFrigus Unpacked Ransomware" 6 | date = "22NOV2019" 7 | hash = "ce9a66ed66ee29ca27678e02f2a900a7d810ecdf58b28f1815be8a49f1a59991" 8 | reference = "https://www.bleepingcomputer.com/news/security/strange-antefrigus-ransomware-only-targets-specific-drives/" 9 | 10 | strings: 11 | $cpp_str01 = "G:\\sever\\Scan\\crypro\\rijndael_simd.cpp" wide ascii 12 | $cpp_str02 = "G:\\sever\\Scan\\crypro\\sha_simd.cpp" wide ascii 13 | $cpp_str03 = "G:\\sever\\Scan\\crypro\\sse_simd.cpp" wide ascii 14 | 15 | $path_str01 = "C:/qweasd/test.txt" wide ascii 16 | $path_str02 = "-readme.txt" wide ascii 17 | $path_str03 = "C:/qweasd/news.html" wide ascii 18 | 19 | $pdb = "C:\\Users\\Nikolas\\source\\repos\\shicpefinaly\\Release\\shicpefinaly.pdb" wide ascii 20 | 21 | condition: 22 | all of ($cpp_str*) or 2 of ($path_str*) or $pdb /* three independent routes to a match; $path_str02 ("-readme.txt") is generic on its own, which is why a second $path_str* is needed. NOTE(review): the rule name uses "ransomware_" while the file and sibling rules use the "ransom_win_" prefix */ 23 | } 24 | 25 | -------------------------------------------------------------------------------- /Misc/ransom_win_egregor_a.yar: -------------------------------------------------------------------------------- 1 | rule ransom_win_egregor_a 2 | { 3 | meta: 4 | author = "Jeff White (karttoon@gmail.com) @noottrak" 5 | description = "Autogenerated by Binsequencer v.1.1.0 - 
Egregor Ransomware DLL Common Byte Pattern" 6 | date = "01DEC2020" 7 | hash01 = "a5989c480ec6506247325652a1f3cb415934675de3877270ae0f65edd9b14d13" 8 | hash02 = "6ad7b3e0873c9ff122c32006fdc3675706a03c4778287085a020d839b74cd780" 9 | hash03 = "9c900078cc6061fb7ba038ee5c065a45112665f214361d433fc3906bf288e0eb" 10 | hash04 = "6dbe1d2de299359036520f15490834a6ac40b665cf5cd249379d65242af00b44" 11 | 12 | 13 | strings: 14 | $ = { CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC558B??568B????578B????8B??83????74??8B????03??33????E8????????8B????8B????03??33????5F5E5DE9????????CCCCCCCCCCCCCCCCCCCCCCCCCCCC558B??83????53568B????57C6??????C7????????????8B????8D????33??????????505389????89????E8????????8B????57E8????????8B????83????F6??????0F85????????89????8D????89????8B????89????83????0F84????????8D????8D????8B??????8D????8B??89????85??74??8D????E8????????B1??88????85??78??7E??8B????81??????????75??83????????????74??68????????E8????????83????85??74??8B??????????8B??6A??FF????E8????????FF??8B????83????8B????8B??8B??E8????????39????74??EB??8A????8B??83????74??8B????E9????????8B????C7????????????EB??84??74??8B????EB??83??????74??68????????8D????BA????????508B??E8????????FF????53E8????????83????8B????5F5E5B8B??5DC368????????8D????8B??508B??E8????????89????8D????53FF????E8????????8B????83????8B??8B????E8????????CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCE8????????E8????????E8????????84??75??32??C3E8????????84??75??E8????????EB??B0??C3CCCCCCCCCCCCCCCCCCCCE8????????85??0F95??C3CCCC6A??E8????????59B0??C3CCCC558B??80??????75??E8????????E8????????6A??E8????????59B0??5DC3CCCCCCCCC
CCCCCE8????????B0??C3CCCCC3E9????????558B??5DE9????????CCCC558B??FF????E8????????595DC2????CCCCCCCC558B??FF????E8????????595DC2????CCCCCCCC558B??8B????8B????8B????F00FB1??5DC3CCCCCCCC558B??8B????8B????8B????F00FB1??5DC3CCCCCCCC558B??8B????33??33??F00FB1??5DC3CCCCCCCC558B??8B????89??8B??5DC2????CCCCCC558B??8B????89??8B??5DC2????CCCCCC568B??FF??E8????????83????595EC3CCCCCCCC568B??FF??E8????????83????595EC3CCCCCCCCB8????????C3B8????????C383????0F95??C383????0F95??C3558B??FF????E8????????595DC2????CCCCCCCC558B??FF????E8????????595DC2????CCCCCCCC8B??83????C38B??C38B??C383????0F95??C383????0F95??C3568B??FF??E8????????83????595EC3CCCCCCCC568B??FF??E8????????83????595EC3CCCCCCCC558B??8B????8B????3B??75??33??5DC383????83????8A??3A??75??84??74??8A????3A????75??83????83????84??75??EB??1B??83????5DC3CCCCCCCCCCCCCCCCCCCCCCCCCCCCCC558B??FF????FF??????????85??74??568B??50E8????????8B??5985??75??5E5DC3CCCCCCCCCCCCCCCC558B??8B????BA????????8D????EB??0FB6??33??69??????????418A??84??75??8B??5DC3CCCCCCCCCCCCCCCCCC558B??83????33??33??538B????F00FB1??85??0F85????????5668????????68????????68????????508D????89????5150E8????????8B??83????85??74??8B??8D????8A??4184??75??2B??74??80????????75??C6????????83????75??8D????89????83????5750E8????????8B??5985??74??83????8D????56FF????89????5089????E8????????8B????83????33??F00FB1??85??75??FF????33??FF????FF??????????8B????5789????E8????????595F56E8????????8B????595E5B8B??5DC3CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC8B??????0FB6??????8B??8B??????85??0F84????????69??????????83????0F8E????????81??????????0F8C????????0FBA????????????73??F3AA8B??????8B??C30FBA????????????0F83????????660F6E??660F70????03??0F11??83????83????2B??81??????????7E??8D????????????8D????????????90660F7F??660F7F????660F7F????660F7F????660F7F????660F7F????660F7F????660F7F????8D??????????81??????????F7??????????75??EB??0FBA????????????73??660F6E??660F70????83????72??F30F????F30F??????83????83????83????7
3??F7??????????74??8D??????F30F????F30F??????8B??????8B??C3F7??????????74??88??4783????F7??????????75??F7??????????74??89??83????83????F7??????????74??8D????????????8D??????????89??89????83????83????F7??????????75??8B??????8B??C3CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC558B??FF????E8????????595DC2????CCCCCCCC558B??8B????89??8B??5DC2????CCCCCC568B??FF??E8????????83????595EC3CCCCCCCC83????0F95??C38B??83????C38B??C383????0F95??C3568B??FF??E8????????83????595EC3CCCCCCCC558B??578B????80??????74??8B??85??74??8D????8A??4184??75??2B??53568D????53E8????????8B??5985??74??FF??5356E8????????8B????8B??83????33??89??C6??????56E8????????595E5BEB??8B????8B??89??C6??????5F5DC3CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC558B??568B????80??????74??FF??E8????????5983????C6??????5E5DC3CCCCCCCCCCCCCC558B??83????538B????56576A??59BE????????8D????F3A58B????85??74??F6????74??8B??83????518B??8B????8B??8B????E8????????FF??89????89????85??74??F6????74??C7????????????8D????50FF????FF????FF????FF??????????5F5E5B8B??5DC2????CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC5356578B??????8B??????8B??????555250515168????????64????????????A1????????33??89??????64????????????8B??????8B????8B??????33??8B????83????74??8B??????83????74??3B??76??8D????8D??????8B??89????83??????75??68????????8B????E8????????B9????????8B????E8????????EB??64????????????83????5F5E5BC38B??????F7????????????B8????????74??8B??????8B????33??E8????????558B????FF????FF????FF????E8????????83????5D8B??????8B??????89??B8????????C355FF??????E8????????83????8B??????8B??FF????FF????FF????E8????????83????5DC2????555657538B??33??33??33??33??33??FF??5B5F5E5DC38B??8B??8B??6A??E8????????33??33??33??33??33??FF??558B??5356576A??5268????????51E8????????5F5E5B5DC3558B??????5251FF??????E8????????83????5DC2????CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC3C3558B??FF????E8????????595DC2????CCCCCCCC558B??8B????89?? } 15 | 16 | condition: 17 | all of them 18 | } 19 | -------------------------------------------------------------------------------- /Misc/ransom_win_lyposit.yar: -------------------------------------------------------------------------------- 1 | rule ransom_win_lyposit 2 | { 3 | meta: 4 | author = "Jeff White (karttoon@gmail.com) @noottrak" 5 | date = "18SEP2018" 6 | hash1 = "7a2001287331890f2fbf1b1b4875e4146d983d1f5647ec105d332cd7e03cd02d" 7 | hash2 = "fea80a08eac00f6389edbae6c58fe985ba914e790c7cd7580fdc39ab5fa931fd" 8 | description = "Detects Lyposit ransomware which masquerades as MacOS app." 9 | 10 | strings: 11 | $ = "C:\\af32d3b0\\b662ef49.exe" 12 | 13 | condition: 14 | all of them 15 | } 16 | -------------------------------------------------------------------------------- /Misc/troj_apk_gravityrat_a.yar: -------------------------------------------------------------------------------- 1 | rule troj_apk_gravityrat_a 2 | { 3 | meta: 4 | author = "Jeff White (karttoon@gmail.com) @noottrak" 5 | description = "APK variant of GravityRAT." 6 | hash_01 = "b2cd09952bae1ec439cebfc0d60cdcc1454ef306140d6ed46eb4542d19b5a9e7" 7 | hash_02 = "da567018471eb780f3706ad63e07ea14ca366639e0616b5ced12d27c9fb268ea" 8 | hash_03 = "cf6edfc2c92d85033556d1a2c683f3bd738e4b43c86b9b75faa2747507716e67" 9 | date = "22OCT2020" 10 | reference = "https://securelist.com/gravityrat-the-spy-returns/99097/" 11 | 12 | strings: 13 | $c2_01 = "http://n2.nortonupdates.online:64443" ascii 14 | $c2_02 = "http://n4.nortonupdates.online:64443" ascii 15 | 16 | $log_01 = "hi back restarting!! 
:D" ascii 17 | 18 | $path_01 = "/WHISKY/$@D.php" ascii /* "$@D" is literal text here; YARA does not interpolate inside string literals */ 19 | $path_02 = "/WHISKY/upload.php?imei=" ascii 20 | $path_03 = "/WHISKY/write.php" ascii 21 | $path_04 = "/WHISKY/register.php" ascii 22 | 23 | condition: 24 | 1 of ($c2_*) 25 | or 26 | 1 of ($log_*) 27 | or 28 | 2 of ($path_*) /* a single C2 URL or the restart log line is sufficient on its own; the /WHISKY/ paths need two to co-occur */ 29 | } 30 | 31 | -------------------------------------------------------------------------------- /Misc/troj_apk_vamp_a.yar: -------------------------------------------------------------------------------- 1 | rule troj_apk_vamp_a 2 | { 3 | meta: 4 | author = "Jeff White (karttoon@gmail.com) @noottrak" 5 | date = "02OCT2020" 6 | description = "the Vamp malware family." /* NOTE(review): duplicate "description" key — this fragment should be dropped in favour of the full description below; consumers that map meta into a dictionary will keep only one of the two values */ 7 | hash01 = "54f2aa690954ddfcd72e0915147378dd9a7228954b05c54da3605611b2d5a55e" 8 | hash02 = "7a8be888e55a602500639d5b07cf7380b1fa9d639cd7fe728939af8e0285a9cd" 9 | hash03 = "c0517197b58ee5dfab94a8fa1436b27d781fe019e3af02ace507f7dd676ba216" 10 | hash04 = "6c525037272d506db73f68264e6b9682447c48b254fb49709278aba450a0f2c4" 11 | hash05 = "6271efb198a719672176a802eeba96a6102d93ef516e5c8489ee0dcf104a2e74" 12 | description = "Detects APT-C-23 / Vamp APK malware variant" 13 | reference = "https://www.welivesecurity.com/2020/09/30/aptc23-group-evolves-its-android-spyware/" 14 | 15 | strings: 16 | // net/axel/app/utils/k$b0.class 17 | // C2 params 18 | $ = "device_name" ascii 19 | $ = "market_name" ascii 20 | $ = "package_name" ascii 21 | $ = "version" ascii 22 | $ = "connection_type" ascii 23 | $ = "api_ver" ascii 24 | $ = "s_token" ascii 25 | $ = "clock" ascii 26 | $ = "lang" ascii 27 | $ = "perms" ascii 28 | $ = "battery" ascii 29 | // net/axel/app/utils/k$e2.class 30 | $ = "/version/" ascii 31 | 32 | condition: 33 | all of them /* the parameter names are generic key names; the rule depends on all twelve co-occurring. No container check is applied, so it presumably targets extracted class/dex content rather than the compressed APK — worth stating in the description */ 34 | } 35 | 36 | -------------------------------------------------------------------------------- /Misc/troj_elf_cetus_a.yar: -------------------------------------------------------------------------------- 1 | rule troj_elf_cetus_a 2 | { 3 | meta: 4 | author = "Jeff White (karttoon@gmail.com) @noottrak" 
5 | description = "Detects Cetus Linux Malware." 6 | date = "07JUL2020" 7 | hash = "b49a3f3cb4c70014e2c35c880d47bc475584b87b7dfcfa6d7341d42a16ebe443" 8 | strings: 9 | $ = "timeout %d docker -H %d.%d.%d.%d exec %s apt-get -yq update" ascii wide 10 | $ = "timeout %d docker -H %d.%d.%d.%d exec %s apt-get -yq install masscan docker.io" ascii wide 11 | $ = "timeout %d docker -H %d.%d.%d.%d cp -L /usr/bin/docker-cache %s:/usr/bin/" ascii wide 12 | $ = "timeout %d docker -H %d.%d.%d.%d cp -L /usr/bin/portainer %s:/usr/bin/" ascii wide 13 | $ = "timeout %d docker -H %d.%d.%d.%d exec %s bash --norc -c 'echo \"/usr/bin/portainer %s >/dev/null" ascii wide 14 | $ = "timeout %d docker -H %d.%d.%d.%d restart %s" ascii wide 15 | $ = "timeout %d docker -H %d.%d.%d.%d run -dt --name %s --restart always ubuntu:18.04 /bin/bash" ascii wide 16 | $ = "timeout %d docker -H %d.%d.%d.%d ps -a --no-trunc" ascii wide 17 | $ = "masscan %d.%d.%d.%d/%d -p 2375 -oL - --max-rate 360 2>/dev/null" ascii wide /* scan template for tcp/2375, the unauthenticated Docker daemon API port — a useful pivot for network detection of the worm's propagation */ 18 | condition: 19 | any of them /* these are printf-style command templates (note the %d/%s placeholders), so the rule matches the format strings embedded in the binary rather than any executed command line; "any of them" is acceptable because each template is specific to this tooling. No ELF magic guard is applied (uint32(0) == 0x464C457F would restrict matches to ELF files) */ 20 | } 21 | 22 | -------------------------------------------------------------------------------- /Misc/troj_osx_evilquest.yar: -------------------------------------------------------------------------------- 1 | rule troj_osx_evilquest { 2 | meta: 3 | author = "Jeff White (karttoon@gmail.com) @noottrak" 4 | description = "EvilQuest / ThiefQuest." 5 | date = "23JUL2020" 6 | hash = "bcdb0ca7c51e9de4cf6c5c346fd28a4ed28e692319177c8a94c86dc676ee8e48" 7 | reference = "https://blog.trendmicro.com/trendlabs-security-intelligence/updates-on-thiefquest-the-quickly-evolving-macos-malware/" 8 | 9 | strings: 10 | $http_01 = "GET /%s HTTP/1.0" ascii wide 11 | $http_02 = "Host: %s" ascii wide 12 | 13 | $log_01 = "This application has to be run by root" ascii wide 14 | $log_02 = "Cannot create thread!" 
ascii wide 15 | $log_03 = "ERROR1: %s" ascii wide 16 | $log_04 = "ERROR2: %s" ascii wide 17 | $log_05 = "ERROR3: %s" ascii wide 18 | $log_06 = "ERROR4: %s" ascii wide 19 | $log_07 = "ERROR5: %s" ascii wide 20 | 21 | $func_01 = "_react_exec" ascii wide 22 | $func_02 = "_react_start" ascii wide 23 | $func_03 = "_react_save" ascii wide 24 | $func_04 = "_react_keys" ascii wide 25 | $func_05 = "_react_ping" ascii wide 26 | $func_06 = "_react_host" ascii wide 27 | $func_07 = "_react_scmd" ascii wide 28 | $func_08 = "ei_rootgainer_elevate" ascii wide 29 | $func_09 = "run_payload" ascii wide 30 | $func_10 = "sxorxorkey_s" ascii wide 31 | 32 | condition: 33 | 3 of ($func_*) 34 | and 35 | all of ($log_*) 36 | and 37 | all of ($http_*) /* the $func_* symbol names carry the specificity; $log_* and $http_* are generic individually but all of them must co-occur. No Mach-O magic guard is applied, so the rule applies to any file type */ 38 | } 39 | -------------------------------------------------------------------------------- /Misc/troj_win_auguststealer.yar: -------------------------------------------------------------------------------- 1 | rule troj_win_auguststealer 2 | { 3 | meta: 4 | author = "Jeff White (karttoon@gmail.com) @noottrak" 5 | date = "23JUL2017" 6 | hash1 = "dc0b12d7708e0091b3ea2c530a214ccb10ea152134a61a21a9be40f1322950de" 7 | description = "Detects August Stealer information stealer." 
8 | 9 | strings: 10 | // August.exe 11 | $string_originalname = { 41 75 67 75 73 74 2E 65 78 65 } 12 | 13 | // MD5CryptoServiceProvider 14 | $string_md5crypto = { 4D 44 35 43 72 79 70 74 6F 53 65 72 76 69 63 65 50 72 6F 76 69 64 65 72 } 15 | 16 | // CreateDecryptor 17 | $string_createdecrypt = { 43 72 65 61 74 65 44 65 63 72 79 70 74 6F 72 } 18 | 19 | // Firefox 20 | $string_firefox = { 46 69 72 65 66 6F 78 } 21 | 22 | // Password 23 | $string_password = { 50 61 73 73 77 6F 72 64 } 24 | 25 | // Fiddler 26 | $string_fiddler = { 46 00 69 00 64 00 64 00 6C 00 65 00 72 } 27 | 28 | // Wireshark 29 | $string_wireshark = { 57 00 69 00 72 00 65 00 73 00 68 00 61 00 72 00 6B } 30 | 31 | // SELECT * FROM Win32_OperatingSystem 32 | $string_win32os = { 53 00 45 00 4C 00 45 00 43 00 54 00 20 00 2A 00 20 00 46 00 52 00 4F 00 4D 00 20 00 57 00 69 00 6E 00 33 00 32 00 5F 00 4F 00 70 00 65 00 72 00 61 00 74 00 69 00 6E 00 67 00 53 00 79 00 73 00 74 00 65 00 6D } 33 | 34 | // Opera 35 | $string_opera = { 4F 00 70 00 65 00 72 00 61 } 36 | 37 | // Chrome 38 | $string_chrome = { 43 68 72 6F 6D 65 } 39 | 40 | // recentservers.xml|sitemanager.xml 41 | $string_servers = { 72 00 65 00 63 00 65 00 6E 00 74 00 73 00 65 00 72 00 76 00 65 00 72 00 73 00 2E 00 78 00 6D 00 6C 00 7C 00 73 00 69 00 74 00 65 00 6D 00 61 00 6E 00 61 00 67 00 65 00 72 00 2E 00 78 00 6D 00 6C } 42 | 43 | // POST 44 | $string_post = { 50 00 4F 00 53 00 54 00 } 45 | 46 | // .bat 47 | $string_bat = { 2E 00 62 00 61 00 74 00 } 48 | 49 | // *.rdp 50 | $string_rdp = { 2A 00 2E 00 72 00 64 00 70 00 } 51 | 52 | // August_ 53 | $string_augustdll = { 41 75 67 75 73 74 5F } 54 | 55 | // August@ 56 | $string_augustprod = { 41 75 67 75 73 74 40 } /* NOTE(review): every hex string above is just hand-encoded ascii or UTF-16LE text (the decoded value is in the comment before each); text strings with ascii/wide modifiers would be equivalent and far easier to audit */ 57 | 58 | condition: 59 | 13 of ($string_*) /* 13 of 16 — tolerates a few absent strings, but $string_password, $string_post and $string_bat are generic and contribute little */ 60 | } 61 | -------------------------------------------------------------------------------- /Misc/troj_win_bitrat.yar: -------------------------------------------------------------------------------- 1 | rule troj_win_bitrat 2 | { 3 | meta: 4 | 
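author = "Jeff White (karttoon@gmail.com) @noottrak" 5 | date = "03MAR2022" 6 | hash01 = "5f732fc3a715db12115ca5fe9564ce894b4dc96598837426e3a11ac119bf437c" 7 | hash02 = "342a5102bc7eedb62d5192f7142ccc7413dc825a3703e818cf32094638ebd17a" 8 | description = "Detects BitRAT downloader" 9 | reference = "https://www.fortinet.com/blog/threat-research/nft-lure-used-to-distribute-bitrat" 10 | 11 | strings: 12 | $ = "https://cdn.discordapp.com/attachments/" ascii wide // Ending for observed URL: '923858595353874472/927279369183973407/NFTEXE.png' 13 | $ = "-enc aQBwAGMAbwBuAGYAaQBnACAALwByAGUAbABlAGEAcwBlAA==" ascii wide // ipconfig /release 14 | $ = "-enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMgAwAA==" ascii wide // Start-Sleep -s 20 15 | $ = "-enc aQBwAGMAbwBuAGYAaQBnACAALwByAGUAbgBlAHcA" ascii wide // ipconfig /renew 16 | /* the three -enc arguments are base64 of UTF-16LE PowerShell, the form -EncodedCommand consumes; the decoded text is in the trailing comments */ 17 | condition: 18 | all of them 19 | } 20 | 21 | -------------------------------------------------------------------------------- /Misc/troj_win_blackstar.yar: -------------------------------------------------------------------------------- 1 | rule troj_win_blackstar 2 | { 3 | meta: 4 | author = "Jeff White (karttoon@gmail.com) @noottrak" 5 | date = "18MAY2017" 6 | hash1 = "afb93727e0a9f7fd472c3e7337ab0e71b4bcd32a29561588eeb3c652aaa1debd" // V1.0 7 | hash2 = "ff6b4f9f5d6ee9d39477a64a5bc870061950c25af153cd0c01e031fc8db624cc" // V1.5 8 | hash3 = "445cb87e0daaec2b24ac52d62adf1e7ddf43717cfe0818268260b44fdfdf24b5" // V2.9 9 | hash4 = "f9085dd195af5b6c5e04908bdd6993167c1d2e08f5f28ff4066510ce32e641d0" // V3.0 10 | description = "Detects Blakstar malware family" 11 | 12 | strings: 13 | // Identifying Strings 14 | 15 | // V1.0 16 | $int_01 = "KeyTrap was successfully executed" wide nocase ascii 17 | $int_02 = "BlakStar: KeyTrap" wide nocase ascii 18 | $int_03 = "BlakStar KeyTrap" wide nocase ascii 19 | 20 | // V1.5 21 | $int_04 = "c:\\users\\public\\Microsoft\\blakstar\\" wide nocase ascii 22 | $int_05 = "BlakStar client successfully installed" wide nocase 
ascii 23 | $int_06 = "BlakStar installer executed on" wide nocase ascii 24 | $int_07 = "BlakStar Client error" wide nocase ascii 25 | 26 | // Encryption Keys 27 | 28 | // V1.0 29 | $key_01 = "VWEBRXYWVERYFVWEUFRVwebtgobroebrvboBYOBVOYEBRYOBVWOYEB" wide nocase ascii 30 | 31 | // V1.5 32 | $key_02 = "XSBBDEYSJ3473BUdfjtuE3574347XVEVCOreyuuhwehfbvruyvcZCYXBEVYEVKK" wide nocase ascii 33 | 34 | // V3.0 35 | $key_03 = "KVDKYEhavelowYSJ3473BUdfjtuE3574347XVEV" wide nocase ascii 36 | 37 | // IRC Commands 38 | 39 | // V1.0 40 | $irc_01 = "USER Capricorn 8 * :Capricorn v1.0" wide nocase ascii 41 | $irc_02 = "PRIVMSG {0} : The computer has been idle for {1}" wide nocase ascii 42 | $irc_03 = "PRIVMSG {0} :Fail to get user's idle time" wide nocase ascii 43 | $irc_04 = "{0:D2}h:{1:D2}m:{2:D2}s:{3:D3}ms" wide nocase ascii 44 | $irc_05 = "PRIVMSG {0} : {1} was downloaded successfully" wide nocase ascii 45 | $irc_06 = "PRIVMSG {0} : {1} was opened successfully" wide nocase ascii 46 | $irc_07 = "PRIVMSG {0} : Screen image uploaded successfully." 
wide nocase ascii 47 | 48 | // C2 Commands 49 | 50 | // V1.0 51 | $cmd_01 = "$get - download a remote file from a url" wide nocase ascii 52 | $cmd_02 = "$delete - delete a single file" wide nocase ascii 53 | $cmd_03 = "$image - capture and upload screen image" wide nocase ascii 54 | $cmd_04 = "$open - open a file or directory" wide nocase ascii 55 | $cmd_05 = "$stop - stop running process" wide nocase ascii 56 | $cmd_06 = "$dir - stop running process" wide nocase ascii /* NOTE(review): repeats the $cmd_05 help text under "$dir" — confirm against the hash1 sample before treating it as a typo */ 57 | $cmd_07 = "$user - return logged in user" wide nocase ascii 58 | $cmd_08 = "$idle time - return the user's idle time'" wide nocase ascii 59 | 60 | // POST 61 | 62 | // V1.0 63 | $web_01 = "Machine={0}&User={1}&OS={2}&Time={3}&Version={4}&APP={5}" wide nocase ascii 64 | $web_02 = "Machine={0}&User={1}&OS={2}&Time={3}&Version={4}" wide nocase ascii 65 | 66 | // Config Call-out 67 | 68 | // V1.0 69 | $web_03 = /http:\/\/[a-zA-Z0-9.-]+\/Settings\/Configuration\/Config\.ini/ 70 | $web_04 = "Settings/Configuration/Config.ini" wide nocase ascii 71 | 72 | // V1.5 73 | $web_05 = /http:\/\/[a-zA-Z0-9.-]+\/settings\/config\.ini/ 74 | $web_06 = "settings/config.ini" wide nocase ascii 75 | 76 | // V3.0 77 | $web_07 = "Settings/Configuration/Update.txt" wide nocase ascii /* $web_02 is a prefix of $web_01, and $web_04/$web_06 are substrings of any $web_03/$web_05 match, so "2 of ($web*)" below can be satisfied by a single occurrence; the two regexes also lack the wide/nocase modifiers the rest of the set carries */ 78 | 79 | condition: 80 | (uint16be(0) == 0x4D5A and filesize < 1MB) 81 | and 82 | ( 1 of ($int*) 83 | or 84 | 1 of ($key*) 85 | or 86 | 2 of ($irc*) 87 | or 88 | 2 of ($cmd*) 89 | or 90 | 2 of ($web*) ) /* the MZ header (big-endian read of "MZ") and size cap must hold for every branch; without these parentheses YARA's and-before-or precedence applied the guard only to the $int branch and the other four branches matched any file */ 91 | } 92 | -------------------------------------------------------------------------------- /Misc/troj_win_cobaltstrike.yar: -------------------------------------------------------------------------------- 1 | rule troj_win_cobaltstrike_memoryinject 2 | { 3 | meta: 4 | author = "Jeff White (karttoon@gmail.com) @noottrak" 5 | date = "21JUL2017" 6 | hash1 = "8637026ae5bec1198fca7085db07b75343331af1644df6c411413c0f315a3216" 7 | description = "Detects Cobalt Strike payload typically loaded into memory via PowerShell." 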
8 | 9 | strings: /* All strings below are plaintext Beacon status/error messages written out as hex. Per the description they are expected in the unpacked, memory-resident DLL rather than in a packed on-disk stager, so this rule suits memory scans and dumped payloads; the equivalent ascii text strings would be easier to audit. */ 10 | // beacon.dll 11 | $ = { 62 65 61 63 6F 6E 2E 64 6C 6C } 12 | 13 | // HTTP/1.1 200 OK 14 | $ = { 48 54 54 50 2F 31 2E 31 20 32 30 30 20 4F 4B } 15 | 16 | // char c = (i & 0xFF); 17 | $ = { 63 68 61 72 20 63 20 3D 20 28 69 20 26 20 30 78 46 46 29 3B } 18 | 19 | // could not spawn %s (token): %d 20 | $ = { 63 6F 75 6C 64 20 6E 6F 74 20 73 70 61 77 6E 20 25 73 20 28 74 6F 6B 65 6E 29 3A 20 25 64 } 21 | 22 | // could not run %s as %s\%s: %d 23 | $ = { 63 6F 75 6C 64 20 6E 6F 74 20 72 75 6E 20 25 73 20 61 73 20 25 73 5C 25 73 3A 20 25 64 } 24 | 25 | // %d is an x64 process (can't inject x86 content) 26 | $ = { 25 64 20 69 73 20 61 6E 20 78 36 34 20 70 72 6F 63 65 73 73 20 28 63 61 6E 27 74 20 69 6E 6A 65 63 74 20 78 38 36 20 63 6F 6E 74 65 6E 74 29 } 27 | 28 | // %d is an x86 process (can't inject x64 content) 29 | $ = { 25 64 20 69 73 20 61 6E 20 78 38 36 20 70 72 6F 63 65 73 73 20 28 63 61 6E 27 74 20 69 6E 6A 65 63 74 20 78 36 34 20 63 6F 6E 74 65 6E 74 29 } 30 | 31 | // ppid %d is in a different desktop session (spawned jobs may fail). Use 'ppid' to reset. 
32 | $ = { 70 70 69 64 20 25 64 20 69 73 20 69 6E 20 61 20 64 69 66 66 65 72 65 6E 74 20 64 65 73 6B 74 6F 70 20 73 65 73 73 69 6F 6E 20 28 73 70 61 77 6E 65 64 20 6A 6F 62 73 20 6D 61 79 20 66 61 69 6C 29 2E 20 55 73 65 20 27 70 70 69 64 27 20 74 6F 20 72 65 73 65 74 2E } 33 | 34 | // kerberos ticket purge failed: %08x 35 | $ = { 6B 65 72 62 65 72 6F 73 20 74 69 63 6B 65 74 20 70 75 72 67 65 20 66 61 69 6C 65 64 3A 20 25 30 38 78 } 36 | 37 | // IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/') 38 | $ = { 49 45 58 20 28 4E 65 77 2D 4F 62 6A 65 63 74 20 4E 65 74 2E 57 65 62 63 6C 69 65 6E 74 29 2E 44 6F 77 6E 6C 6F 61 64 53 74 72 69 6E 67 28 27 68 74 74 70 3A 2F 2F 31 32 37 2E 30 2E 30 2E 31 3A 25 75 2F 27 29 } 39 | 40 | // powershell -nop -exec bypass -EncodedCommand 41 | $ = { 70 6F 77 65 72 73 68 65 6C 6C 20 2D 6E 6F 70 20 2D 65 78 65 63 20 62 79 70 61 73 73 20 2D 45 6E 63 6F 64 65 64 43 6F 6D 6D 61 6E 64 } 42 | 43 | // I'm already in SMB mode 44 | $ = { 49 27 6D 20 61 6C 72 65 61 64 79 20 69 6E 20 53 4D 42 20 6D 6F 64 65 } 45 | 46 | // Failed to impersonate logged on user %d (%u) 47 | $ = { 46 61 69 6C 65 64 20 74 6F 20 69 6D 70 65 72 73 6F 6E 61 74 65 20 6C 6F 67 67 65 64 20 6F 6E 20 75 73 65 72 20 25 64 20 28 25 75 29 } 48 | 49 | condition: 50 | all of them /* all 13 messages are required, so a single removed or re-worded string in a newer build defeats the rule; a threshold ("N of them") would trade a little precision for resilience if the message set is found to drift */ 51 | } 52 | -------------------------------------------------------------------------------- /Misc/troj_win_cobaltstrike_beacon_maze.yar: -------------------------------------------------------------------------------- 1 | import "pe" 2 | rule trojan_win_cobaltstrike_beacon_maze /* NOTE(review): "trojan_win_" prefix; sibling rules and the file name use "troj_win_" */ 3 | { 4 | meta: 5 | author = "Jeff White (karttoon@gmail.com) @noottrak" 6 | description = "Maze Dropper using CobaltStrike v4 Beacon" 7 | date = "25AUG2020" 8 | hash1 = "81a9ced421d01a2f9a7bf1335d227eee19606fe220a50ecf96a78abca6cc816b" 9 | reference = "https://labs.sentinelone.com/case-study-catching-a-human-operated-maze-ransomware-attack-in-action/" 10 | 11 | strings: 12 | $ = "VirtualAllocExNuma" ascii wide 
13 | $ = "IsDebuggerPresent" ascii wide 14 | $ = "Sleep" ascii wide 15 | 16 | condition: 17 | all of them 18 | and 19 | (pe.signatures[0].subject contains "Clubessential, LLC") /* the three API names are generic; the Authenticode signer subject is the real discriminator. An unsigned file leaves pe.signatures[0] undefined, so the rule simply does not match. Only the first signature is inspected; "for any i in (0..pe.number_of_signatures - 1) : (pe.signatures[i].subject contains ...)" would also cover multi-signed files */ 20 | } 21 | 22 | -------------------------------------------------------------------------------- /Misc/troj_win_headertip.yar: -------------------------------------------------------------------------------- 1 | rule troj_win_headertip 2 | { 3 | meta: 4 | author = "Jeff White (karttoon@gmail.com) @noottrak" 5 | date = "06APR2022" 6 | hash01 = "1b3c16fb7fb368272dfcf8c8f07acc41606affce2f49eaed5c5b43802fa947fb" 7 | hash02 = "8dbb7fad51d75bdf43e1070777c7fd10e03a55e167dc715b109791e2a553d986" 8 | hash03 = "e0f1d23d9e0a302b5e4e7080305e9849e73dc3f15e4eeeecda8a3a625c24a49f" 9 | description = "Detects HeaderTip DLL" 10 | 11 | strings: 12 | $ = "HttpsInit" ascii 13 | $ = "POST" wide 14 | $ = "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko" wide 15 | $ = "%016I64x%08x" wide /* "POST" and the Trident user-agent are common; HttpsInit and this format string provide the specificity, and all four must co-occur */ 16 | 17 | condition: 18 | all of them 19 | } 20 | 21 | -------------------------------------------------------------------------------- /Misc/troj_win_keymarble.yar: -------------------------------------------------------------------------------- 1 | rule troj_win_keymarble { 2 | 3 | meta: 4 | author = "Jeff White (karttoon@gmail.com) @noottrak" 5 | date = "25FEB2019" 6 | hash1 = "1c4745c82fdcb9d05e210eff346d7bee2f087357b17bfcf7c2038c854f0dee61" 7 | description = "Detections parts of functions in the KEYMARBLE backdoor." /* NOTE(review): "Detections parts" — "Detects parts" intended */ 
8 | reference = "https://research.checkpoint.com/north-korea-turns-against-russian-targets/" 9 | 10 | strings: 11 | // Leading bytes for case statement 12 | $case = { 55 8B EC 83 E4 F8 81 C2 AA BA DC FE 83 FA 22 } 13 | 14 | // Part of function for drive scanning 15 | $drive_01 = "CD Drive" wide 16 | $drive_02 = "Local Disk" wide 17 | $drive_03 = "%c:" wide 18 | $drive_04 = { 83 C4 0C 8D 45 F4 0F 57 C0 66 0F D6 45 F4 53 68 } 19 | 20 | // Part of function to profile system 21 | $scan = { 66 8B 85 E8 F7 FF FF 83 C4 0C 66 89 85 D0 F7 FF FF 8D 85 90 F7 FF FF C7 85 A0 F7 FF FF 44 00 00 00 C7 85 CC F7 FF FF 01 00 00 00 50 8D 85 A0 F7 FF FF 50 6A 00 6A 00 6A 00 6A 00 6A 00 6A 00 6A 00 8D } 22 | 23 | condition: 24 | (all of ($drive_*) or $scan) and $case 25 | } 26 | 27 | -------------------------------------------------------------------------------- /Misc/troj_win_m00nd3v.yar: -------------------------------------------------------------------------------- 1 | rule win_troj_m00nd3v { 2 | meta: 3 | author = "Jeff White (karttoon@gmail.com) @noottrak" 4 | description = "Detects M00nD3v Stub." 
5 | date = "20JUL2020" 6 | hash1 = "c23b33ddb4e0cfa52b9242648f5cb7a6ee916b4ba1e6f547d8d5ef543dccbb9d" 7 | reference = "https://www.zscaler.com/blogs/research/deep-dive-m00nd3v-logger" 8 | 9 | strings: 10 | $pop_01 = "POP3 User Name" ascii wide 11 | $pop_02 = "POP3 Server" ascii wide 12 | $pop_03 = "POP3 Password" ascii wide 13 | $pop_04 = "POP3 Port" ascii wide 14 | 15 | $imap_01 = "IMAP User Name" ascii wide 16 | $imap_02 = "IMAP Server" ascii wide 17 | $imap_03 = "IMAP Password" ascii wide 18 | $imap_04 = "IMAP Port" ascii wide 19 | 20 | $httpmail_01 = "HTTPMail User Name" ascii wide 21 | $httpmail_02 = "HTTPMail Server" ascii wide 22 | $httpmail_03 = "HTTPMail Password" ascii wide 23 | $httpmail_04 = "HTTPMail Port" ascii wide 24 | 25 | $smtp_01 = "SMTP Server" ascii wide 26 | $smtp_02 = "SMTP Password" ascii wide 27 | $smtp_03 = "SMTP USer Name" ascii wide // Note the incorrect capitalization 28 | $smtp_04 = "SMTP Port" ascii wide 29 | 30 | $moondev_01 = "M00nD3v Stub.exe" ascii wide 31 | $moondev_02 = "https://m00nd3v.com/M00nD3v/Decryption/BouncyCastle.Crypto.dll" ascii wide 32 | 33 | $ip_01 = "http://bot.whatismyipaddress.com/" ascii wide 34 | $ip_02 = "http://dyn.com/dns/" ascii wide 35 | 36 | condition: 37 | any of ($moondev_*) 38 | or 39 | all of ($pop_*) and all of ($ip_*) 40 | or 41 | all of ($imap_*) and all of ($ip_*) 42 | or 43 | all of ($httpmail_*) and all of ($ip_*) 44 | or 45 | all of ($smtp_*) and all of ($ip_*) 46 | } 47 | -------------------------------------------------------------------------------- /Misc/troj_win_macrosafe.yar: -------------------------------------------------------------------------------- 1 | rule troj_win_macrosafe_vba 2 | { 3 | meta: 4 | author = "Jeff White (karttoon@gmail.com) @noottrak" 5 | date = "21JUL2017" 6 | hash1 = "36fa53bb90ea70ac11c2fe1de8ed7db6721e4d8b840628e7920835562d9ec6da" 7 | description = "Detects macro_safe generated VBA that executes compressed PowerShell (scriplet SCT) files - seen in wild using 
plaintext and base64 variants." 8 | 9 | strings: 10 | // powershell.exe -NoP -NonI -W Hidden -Command "Invoke- 11 | $ps_string = { 70 6F 77 65 72 73 68 65 6C 6C 2E 65 78 65 20 2D 4E 6F 50 20 2D 4E 6F 6E 49 20 2D 57 20 48 69 64 64 65 6E 20 2D 43 6F 6D 6D 61 6E 64 20 22 49 6E 76 6F 6B 65 2D } 12 | 13 | // cG93ZXJzaGVsbC5leGUgLU5vUCAtTm9uSSAtVyBIaWRkZW4gLUNvbW1hbmQgIiJJbnZva2Ut 14 | $ps_b64 = { 63 47 39 33 5A 58 4A 7A 61 47 56 73 62 43 35 6C 65 47 55 67 4C 55 35 76 55 43 41 74 54 6D 39 75 53 53 41 74 56 79 42 49 61 57 52 6B 5A 57 34 67 4C 55 4E 76 62 57 31 68 62 6D 51 67 49 69 4A 4A 62 6E 5A 76 61 32 55 74 } 15 | 16 | // Expression $(New-Object IO.StreamReader ($(New-O 17 | $xp_string = { 45 78 70 72 65 73 73 69 6F 6E 20 24 28 4E 65 77 2D 4F 62 6A 65 63 74 20 49 4F 2E 53 74 72 65 61 6D 52 65 61 64 65 72 20 28 24 28 4E 65 77 2D 4F } 18 | 19 | // RXhwcmVzc2lvbiAkKE5ldy1PYmplY3QgSU8uU3RyZWFtUmVhZGVyICgkKE5ldy1P 20 | $xp_b64 = { 52 58 68 77 63 6D 56 7A 63 32 6C 76 62 69 41 6B 4B 45 35 6C 64 79 31 50 59 6D 70 6C 59 33 51 67 53 55 38 75 55 33 52 79 5A 57 46 74 55 6D 56 68 5A 47 56 79 49 43 67 6B 4B 45 35 6C 64 79 31 50 } 21 | 22 | // bject IO.Compression.DeflateStream ($(New-Object 23 | $obj_string = { 62 6A 65 63 74 20 49 4F 2E 43 6F 6D 70 72 65 73 73 69 6F 6E 2E 44 65 66 6C 61 74 65 53 74 72 65 61 6D 20 28 24 28 4E 65 77 2D 4F 62 6A 65 63 74 } 24 | 25 | // YmplY3QgSU8uQ29tcHJlc3Npb24uRGVmbGF0ZVN0cmVhbSAoJChOZXctT2JqZWN0 26 | $obj_b64 = { 59 6D 70 6C 59 33 51 67 53 55 38 75 51 32 39 74 63 48 4A 6C 63 33 4E 70 62 32 34 75 52 47 56 6D 62 47 46 30 5A 56 4E 30 63 6D 56 68 62 53 41 6F 4A 43 68 4F 5A 58 63 74 54 32 4A 71 5A 57 4E 30 } 27 | 28 | // IO.MemoryStream (,$([Convert]::FromBase64String 29 | $io_string = { 49 4F 2E 4D 65 6D 6F 72 79 53 74 72 65 61 6D 20 28 2C 24 28 5B 43 6F 6E 76 65 72 74 5D 3A 3A 46 72 6F 6D 42 61 73 65 36 34 53 74 72 69 6E 67 } 30 | 31 | // IElPLk1lbW9yeVN0cmVhbSAoLCQoW0NvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5n 32 | $io_b64 = { 49 45 6C 50 4C 6B 31 6C 62 57 
39 79 65 56 4E 30 63 6D 56 68 62 53 41 6F 4C 43 51 6F 57 30 4E 76 62 6E 5A 6C 63 6E 52 64 4F 6A 70 47 63 6D 39 74 51 6D 46 7A 5A 54 59 30 55 33 52 79 61 57 35 6E } 33 | 34 | // )))), [IO.Compression.Compr 35 | $comp_string = { 29 29 29 29 2C 20 5B 49 4F 2E 43 6F 6D 70 72 65 73 73 69 6F 6E 2E 43 6F 6D 70 72 } 36 | 37 | // KFwiIiAiICYgc3RyICYgIiBcIiIgKSkpKSwgW0lPLkNvbXByZXNzaW9uLkNvbXBy 38 | $comp_b64 = { 4B 46 77 69 49 69 41 69 49 43 59 67 63 33 52 79 49 43 59 67 49 69 42 63 49 69 49 67 4B 53 6B 70 4B 53 77 67 57 30 6C 50 4C 6B 4E 76 62 58 42 79 5A 58 4E 7A 61 57 39 75 4C 6B 4E 76 62 58 42 79 } 39 | 40 | // essionMode]::Decompress)), [Text.Encoding]::ASCI 41 | $enc_string = { 65 73 73 69 6F 6E 4D 6F 64 65 5D 3A 3A 44 65 63 6F 6D 70 72 65 73 73 29 29 2C 20 5B 54 65 78 74 2E 45 6E 63 6F 64 69 6E 67 5D 3A 3A 41 53 43 49 } 42 | 43 | // ZXNzaW9uTW9kZV06OkRlY29tcHJlc3MpKSwgW1RleHQuRW5jb2RpbmddOjpBU0NJ 44 | $enc_b64 = { 5A 58 4E 7A 61 57 39 75 54 57 39 6B 5A 56 30 36 4F 6B 52 6C 59 32 39 74 63 48 4A 6C 63 33 4D 70 4B 53 77 67 57 31 52 6C 65 48 51 75 52 57 35 6A 62 32 52 70 62 6D 64 64 4F 6A 70 42 55 30 4E 4A } 45 | 46 | // I)).ReadToEnd();" 47 | $end_string = { 49 29 29 2E 52 65 61 64 54 6F 45 6E 64 28 29 3B 22 } 48 | 49 | // SSkpLlJlYWRUb0VuZCgpOyIi 50 | $end_b64 = { 53 53 6B 70 4C 6C 4A 6C 59 57 52 55 62 30 56 75 5A 43 67 70 4F 79 49 69 } 51 | 52 | condition: 53 | 1 of ($ps_*) 54 | and 55 | 1 of ($xp_*) 56 | and 57 | 1 of ($obj_*) 58 | and 59 | 1 of ($io_*) 60 | and 61 | 1 of ($comp_*) 62 | and 63 | 1 of ($enc_*) 64 | and 65 | 1 of ($end_*) 66 | } 67 | -------------------------------------------------------------------------------- /Misc/troj_win_mbrkiller.yar: -------------------------------------------------------------------------------- 1 | rule troj_win_mbrkiller_unpacked 2 | { 3 | meta: 4 | author = "Jeff White (karttoon@gmail.com) @noottrak" 5 | date = "20JUN2018" 6 | hash01 = "1a09b182c63207aa6988b064ec0ee811c173724c33cf6dfe36437427a5c23446" 7 | description = 
"Identifies the NSIS MBR Killer malware after being unpacked by VMProtect" 8 | reference = "https://www.flashpoint-intel.com/blog/banco-de-chile-mbr-killler-reveals-hidden-nexus-buhtrap/" 9 | 10 | strings: 11 | // \\.\PHYSICALDRIVE%d 12 | $ = { 5C 5C 2E 5C 50 48 59 53 49 43 41 4C 44 52 49 56 45 25 64 } 13 | 14 | // Kernel32::CreateFile(t, i, i, i, i, i, i) 15 | $ = { 4B 65 72 6E 65 6C 33 32 3A 3A 43 72 65 61 74 65 46 69 6C 65 28 74 2C 20 69 2C 20 69 2C 20 69 2C 20 69 2C 20 69 2C 20 69 29 } 16 | 17 | // MBR Killer Setup: Installing 18 | $ = { 4D 42 52 20 4B 69 6C 6C 65 72 20 53 65 74 75 70 3A 20 49 6E 73 74 61 6C 6C 69 6E 67 } 19 | 20 | // $$\wininit.ini 21 | $ = { 24 24 5C 77 69 6E 69 6E 69 74 2E 69 6E 69 } 22 | 23 | // System.dll 24 | $ = { 53 79 73 74 65 6D 2E 64 6C 6C } 25 | 26 | condition: 27 | all of them 28 | } 29 | -------------------------------------------------------------------------------- /Misc/troj_win_mehcrypter.yar: -------------------------------------------------------------------------------- 1 | rule troj_win_mehcrypter : mehstager 2 | { 3 | meta: 4 | author = "Jeff White (karttoon@gmail.com) @noottrak" 5 | date = "25SEP2020" 6 | hash0 = "c06fa3ea675ce17fd8d53590c80f7d523d8ba2078fcb91addba233c892710df2" 7 | hash1 = "4f54c21b0c64098df8386927b4e6a163bc80cba73026fc339bb508e6d3aaba55" 8 | hash2 = "e307bd08edf3370bc79b5443af5c514459239a938cc4136ec3d32921beb81fa9" 9 | hash3 = "657ea4bf4e591d48ee4aaa2233e870eb99a17435968652e31fc9f33bbb2fe282" 10 | hash4 = "49bc1b3ace1da04f90fd1dd0dcda42ef6766cc8baa3d6a83e2c451ece3ab5db6" 11 | hash5 = "5e71c1b9d8537176e6acccd8a45db9871c365c0a737f6f29453880b176161756" 12 | hash6 = "3a257667dbfc9dd90415160e2b02b021d5c289b1d62799b1f4f29ffe98f4a986" 13 | description = "Detects MegStager of the MehCrypter malware family" 14 | reference = "https://decoded.avast.io/janrubin/complex-obfuscation-meh/" 15 | 16 | strings: 17 | $ = "pe.bin" ascii // pe.bin is the encoded file with payload and key necessary to make the stager work 
18 | $ = "bin 404" ascii 19 | $ = "SOFTWARE\\Borland\\Delphi\\RTL" ascii 20 | 21 | condition: 22 | all of them 23 | } 24 | -------------------------------------------------------------------------------- /Misc/troj_win_mnubot.yar: -------------------------------------------------------------------------------- 1 | rule troj_win_mnubot 2 | { 3 | meta: 4 | author = "Jeff White (karttoon@gmail.com) @noottrak" 5 | date = "15JUN2018" 6 | hash1 = "a1ad4ce17f2c9e5585d7687ef628fab63dac3f022b66bade372b559c9674e483" 7 | hash2 = "b6bc057005c8db5bbbab720990f36c1ba6e16f7e98fca570b2cfd4d8e66091d9" 8 | description = "Detects Delphi-based Mnubot Trojan." 9 | 10 | strings: 11 | $ = "This program must be run under Win32" ascii wide 12 | $ = "Boolean" ascii wide 13 | $ = "System" ascii wide 14 | $ = "ShortInt" ascii wide 15 | $ = "Pointer" ascii wide 16 | $ = "Variant" ascii wide 17 | $ = "HRESULT" ascii wide 18 | $ = "Create" ascii wide 19 | $ = "Address" ascii wide 20 | $ = "Message" ascii wide 21 | $ = "Flags" ascii wide 22 | $ = "t!Ht:" ascii wide 23 | $ = "~]x[[)" ascii wide 24 | $ = "BkU'9" ascii wide 25 | $ = "_^[YY]" ascii wide 26 | $ = "_^[Y]" ascii wide 27 | $ = "PPRTj" ascii wide 28 | $ = "az-Latn-AZ" ascii wide 29 | $ = "HACCEL" ascii wide 30 | $ = "Count" ascii wide 31 | $ = "Ident" ascii wide 32 | $ = "Close" ascii wide 33 | $ = "Value" ascii wide 34 | $ = "Index" ascii wide 35 | $ = "Remove" ascii wide 36 | $ = "cp819" ascii wide 37 | $ = "johab" ascii wide 38 | $ = "^[YY]" ascii wide 39 | $ = "t,HtYH" ascii wide 40 | $ = "scode" ascii wide 41 | $ = "@Qm6t" ascii wide 42 | $ = "t?Htb" ascii wide 43 | $ = "r!t2Ht[" ascii wide 44 | $ = "GetProc" ascii wide 45 | $ = "Classes" ascii wide 46 | $ = "Buffer" ascii wide 47 | $ = "Write" ascii wide 48 | $ = "IWICBitmap" ascii wide 49 | $ = "TEvent" ascii wide 50 | $ = "Enter" ascii wide 51 | $ = "TArray" ascii wide 52 | $ = "CloseKey" ascii wide 53 | $ = "ReadBool" ascii wide 54 | $ = "Bitmap" ascii wide 55 | $ = "Empty" ascii 
wide 56 | $ = "wifBmp" ascii wide 57 | $ = "C ;C$s" ascii wide 58 | $ = "PFNLVCOMPARE" ascii wide 59 | $ = "igZoom" ascii wide 60 | $ = "Point" ascii wide 61 | $ = "8]_^[" ascii wide 62 | $ = "Image" ascii wide 63 | $ = "Popup" ascii wide 64 | $ = "Driver" ascii wide 65 | $ = "Printer" ascii wide 66 | $ = "Ctl3D" ascii wide 67 | $ = ";S(t%" ascii wide 68 | $ = "Dummy" ascii wide 69 | $ = "Range" ascii wide 70 | $ = "Print" ascii wide 71 | $ = "T;s$|" ascii wide 72 | $ = "cbrUSEDEF" ascii wide 73 | $ = "Event" ascii wide 74 | $ = "IsEmpty" ascii wide 75 | $ = "ToOem" ascii wide 76 | $ = "Connection" ascii wide 77 | $ = "Query" ascii wide 78 | $ = "GetItem" ascii wide 79 | $ = "Notify" ascii wide 80 | $ = "TList" ascii wide 81 | $ = "Thumb" ascii wide 82 | $ = "Connect" ascii wide 83 | $ = "GetBoolean" ascii wide 84 | $ = "MSHTML" ascii wide 85 | $ = "Wz6@E" ascii wide 86 | $ = "version" ascii wide 87 | $ = "DEBUG" ascii wide 88 | $ = "DEFAULT_CHAR" ascii wide 89 | $ = "CHARS" ascii wide 90 | $ = "oleaut32.dll" ascii wide 91 | $ = "advapi32.dll" ascii wide 92 | $ = "RegCloseKey" ascii wide 93 | $ = "user32.dll" ascii wide 94 | $ = "LoadLibraryA" ascii wide 95 | $ = "GetProcAddress" ascii wide 96 | $ = "ExitProcess" ascii wide 97 | $ = "GetDC" ascii wide 98 | $ = "gdi32.dll" ascii wide 99 | $ = "version.dll" ascii wide 100 | $ = "VerQueryValueW" ascii wide 101 | $ = "ole32.dll" ascii wide 102 | $ = "OleDraw" ascii wide 103 | $ = "VariantCopy" ascii wide 104 | $ = "comctl32.dll" ascii wide 105 | $ = "ImageList_Add" ascii wide 106 | $ = "winspool.drv" ascii wide 107 | $ = "OpenPrinterW" ascii wide 108 | $ = "wininet.dll" ascii wide 109 | $ = "InternetCheckConnectionW" ascii wide 110 | $ = "DEFAULT_CHARSET" ascii wide 111 | 112 | condition: 113 | all of them 114 | } 115 | -------------------------------------------------------------------------------- /Misc/troj_win_oldgremlin.yar: -------------------------------------------------------------------------------- 1 | rule 
troj_win_oldgremlin : lnk 2 | { 3 | meta: 4 | author = "Jeff White (karttoon@gmail.com) @noottrak" 5 | date = "30SEP2020" 6 | hash01 = "7d7a7f85fc83d65a133b05b0356a98fd2fd6fb946e3014460f3bf96ffc5d213d" 7 | hash01 = "827773bd4558521678608e84f27c5f0eebc6761aa40892b6b0bef67109b751c5" 8 | hash02 = "091d86659caa0dda54dd302c3752b3cd54339c34a56fd7bb22857e43fdf88dc5" 9 | hash03 = "c5c54b49ca536cbdb193f1f614aac813e6586bd8e52215b008494b610461765d" 10 | hash04 = "35bc847e8a2ac7ccb75850cf69db5a47c245ed2a4dc5e98283dfd8f7f9df59e1" 11 | hash05 = "dc9cbd484395367158c5819882ac811ee8464a62b018ffa51d3d476003643e54" 12 | hash06 = "7171c68237e2c2054686cb31c92904b38862a06e14990aee5b5c23fd00cd7029" 13 | hash07 = "769ad49c1d893c2965e25f180288e649d42b89a0b7588f63ad7c4bdba1105537" 14 | hash08 = "71f351c47a4cd1d9836b39da8454d1dc20df51950fe1c25aa3192f0d60a0643f" 15 | hash09 = "bfa9d5cc0d139f2d8bb16d0fc8e8d661c554e77523b4b1f6c0a48a5172e45b93" 16 | hash10 = "5c9cf2e4f2392a60cb7fe1d3ca94bda99968c7ee73f908dfc627a6b6d3dc404a" 17 | description = "Detects OldGremlin LNK 1st Stage File." 
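reference = "https://www.group-ib.com/blog/oldgremlin"

    strings:
        // Part of command executed via LNK
        $cmd_01 = "Windows\\System32\\cmd.exe" ascii
        $cmd_02 = "comspec" wide

        // Part of embedded JS
        $jscript_01 = "script type=\"text/javascript" ascii
        $jscript_02 = "fromCharCode" ascii

        // LNK Header and CLSID (ShellLinkHeader size 0x4C followed by the
        // standard shell-link CLSID), anchored at offset 0 in the condition
        $LNKStruct = { 4C 00 00 00 01 14 02 00 00 00 00 00 C0 00 00 00 00 00 00 46 }

    condition:
        filesize > 15KB
        and
        all of ($cmd_*)
        and
        all of ($jscript_*)
        and
        $LNKStruct at 0
}
-------------------------------------------------------------------------------- /Misc/troj_win_pennywise_stealer.yar: --------------------------------------------------------------------------------
// Rule identifier fixed: a YARA rule name may only contain letters, digits and
// underscores, so the original "troj_win_pennywise_stealer.yar" (file
// extension included) is a syntax error that stops this file from compiling.
rule troj_win_pennywise_stealer
{
    meta:
        author = "Jeff White (karttoon@gmail.com) @noottrak"
        date = "14JUL2022"
        hash01 = "7DE9DB22A3CF2C481F953D3D4D3F88FB85088A6F1CAF7CBD5DAD83540F4ECD34"
        hash02 = "E9CAB3A18F4E6324D8C722110A250C57A1B250429F73092CBD88435DBA0F35DE"
        hash03 = "0501597D29626DF172C5F40D5B04366C94188CF620694E96CE394EACD5E4E920"
        description = "Detects PennyWise Stealer malware"
        reference = "https://blog.cyble.com/2022/06/30/infostealer/"

    strings:
        // "PennyWise" is the only family-specific token; the rest are common
        // .NET type / Win32 API names, so specificity comes from requiring
        // all of them together.
        $ = "PennyWise"
        $ = "StringBuilder"
        $ = "StackTrace"
        $ = "StackFrame"
        $ = "BCryptDecrypt"
        $ = "GetProcAddress"
        $ = "GetFileName"
        $ = "CreateHttp"

    condition:
        all of them
}
-------------------------------------------------------------------------------- /Misc/troj_win_powerstager.yar: --------------------------------------------------------------------------------
rule troj_win_powerstager
{
    meta:
        author = "Jeff White (karttoon@gmail.com) @noottrak"
        date = "02JAN2018"
        hash1 = "758097319d61e2744fb6b297f0bff957c6aab299278c1f56a90fba197795a0fa" //x86
        hash2 =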
"83e714e72d9f3c500cad610c4772eae6152a232965191f0125c1c6f97004b7b5" //x64 8 | description = "Detects PowerStager Windows executable, both x86 and x64." 9 | 10 | strings: 11 | // META 12 | $filename = /%s\\[a-zA-Z0-9]{12}/ 13 | $pathname = "TEMP" wide ascii 14 | $filedesc = "Lorem ipsum dolor sit amet, consecteteur adipiscing elit" wide ascii 15 | 16 | // API Calls 17 | $apicall_01 = "memset" 18 | $apicall_02 = "getenv" 19 | $apicall_03 = "fopen" 20 | $apicall_04 = "memcpy" 21 | $apicall_05 = "fwrite" 22 | $apicall_06 = "fclose" 23 | $apicall_07 = "CreateProcessA" 24 | 25 | // Decoding Function x86 / x64 26 | $decoder_x86_01 = { 8D 95 [4] 8B 45 ?? 01 D0 0F B6 18 8B 4D ?? } 27 | $decoder_x86_02 = { 89 C8 0F B6 84 05 [4] 31 C3 89 D9 8D 95 [4] 8B 45 ?? 01 D0 88 08 83 45 [2] 8B 45 ?? 3D } 28 | $decoder_x64_01 = { 8B 85 [4] 48 98 44 0F [7] 8B 85 [4] 48 63 C8 48 } 29 | $decoder_x64_02 = { 48 89 ?? 0F B6 [3-6] 44 89 C2 31 C2 8B 85 [4] 48 98 } 30 | 31 | condition: 32 | uint16be(0) == 0x4D5A 33 | and 34 | all of ($apicall_*) 35 | and 36 | $filename 37 | and 38 | $pathname 39 | and 40 | $filedesc 41 | and 42 | (all of ($decoder_x86*) or all of ($decoder_x64*)) 43 | } 44 | -------------------------------------------------------------------------------- /Misc/troj_win_purplefox.yar: -------------------------------------------------------------------------------- 1 | rule troj_win_purplefox 2 | { 3 | meta: 4 | author = "Jeff White (karttoon@gmail.com) @noottrak" 5 | description = "Detects PurpleFox malware." 
6 | date = "01FEB2022" 7 | hash01 = "BE5434982BE1F4E910BC16B44BDFD929A9257816533D376963710CCB7CB978B7" 8 | hash02 = "BAE1270981C0A2D595677A7A1FEFE8087B07FFEA061571D97B5CD4C0E3EDB6E0" 9 | hash03 = "272919BCB4ACC9330A112301D33BEA2789EE1B273F7406E75B3A2FFD11CCFDE0" 10 | reference = "https://blog.minerva-labs.com/malicious-telegram-installer-drops-purple-fox-rootkit" 11 | 12 | strings: 13 | $ = ":7456/%c?=%d" ascii wide nocase 14 | $ = "\\1.rar" ascii wide nocase 15 | $ = "\\7zz.exe" ascii wide nocase 16 | $ = "\\ojbk.exe" ascii wide nocase 17 | $ = ":7456/77" ascii wide nocase 18 | $ = "C:\\ProgramData\\360.dll" ascii wide nocase 19 | $ = "C:\\ProgramData\\rundll3222.exe" ascii wide nocase 20 | $ = "C:\\ProgramData\\svchost.txt" ascii wide nocase 21 | 22 | condition: 23 | all of them 24 | 25 | } 26 | -------------------------------------------------------------------------------- /Misc/troj_win_redsigdav.yar: -------------------------------------------------------------------------------- 1 | rule troj_win_redsigdav { 2 | meta: 3 | author = "Jeff White (karttoon@gmail.com) @noottrak" 4 | date = "21FEB2019" 5 | hash01 = "3f15b6376019755ae9faf5a01b202410c6548a0e3717176a36fcbd88d7df635e" 6 | hash02 = "e530e16d5756cdc2862b4c9411ac3bb3b113bc87344139b4bfa2c35cd816e518" 7 | hash03 = "6b3d2cef39e75c627e8e36b6a0047ace4557b71c907083fd5de32f2e6b3cde0a" 8 | description = "Identifies IIS 6 WebDav exploit tool utilizing CVE-2017-7269 used in Operation Red Signature" 9 | reference = "https://blog.trendmicro.com/trendlabs-security-intelligence/supply-chain-attack-operation-red-signature-targets-south-korean-organizations/" 10 | 11 | strings: 12 | // Long header request for CVE-2017-7269 13 | $exploit_01 = "If: (Not )" 14 | $exploit_02 = "If: (Not )" 15 | $exploit_03 = "If: (Not )" 16 | $exploit_04 = "If: (Not )" 17 | $exploit_05 = "If: (Not )" 18 | $exploit_06 = "If: (Not )" 19 | 20 | // Required for PROPFIND request 21 | $prop = "PROPFIND" 22 | 23 | // Command help 24 | $cmdhelp_01 
= "iisexit -close connection" 25 | $cmdhelp_02 = "iisget -get remote file to local" 26 | $cmdhelp_03 = "iisput -put local file to remote" 27 | $cmdhelp_04 = "iiscmd -run program" 28 | $cmdhelp_05 = "iishelp -show help info" 29 | 30 | // Included commands 31 | $cmd_01 = "iisexit" 32 | $cmd_02 = "iisget" 33 | $cmd_03 = "iisput" 34 | $cmd_04 = "iiscmd" 35 | $cmd_05 = "iishelp" 36 | 37 | // Print outs 38 | $outmsg_01 = "[-] SafeSendRecv Parameter Error: %d !" 39 | $outmsg_02 = "[-] IISData Error!" 40 | $outmsg_03 = "[-] Shell Start Error!" 41 | $outmsg_04 = "[-] Get Encode Key for Tunnel Failed!" 42 | $outmsg_05 = "[-] Over Ret : %d, Status = %d" 43 | $outmsg_06 = "[-] Install Shell Failed!" 44 | $outmsg_07 = "[+] Guessed URI Length : %d" 45 | $outmsg_08 = "[-] Guess Error : 0" 46 | $outmsg_09 = "[*] IIS 6 WEBDAV Memory Corrupt Exploit @ 2017-03-17" 47 | $outmsg_10 = "[*] Guessed Return = %d, HTTP Status = %d" 48 | $outmsg_11 = "Close Server,byby!" 49 | 50 | condition: 51 | (1 of ($exploit_*) and $prop) or all of ($cmd_*) or 1 of ($cmdhelp_*) or 2 of ($outmsg_*) 52 | } -------------------------------------------------------------------------------- /Misc/troj_win_threadkit.yar: -------------------------------------------------------------------------------- 1 | rule troj_win_threadkit_rtf 2 | { 3 | meta: 4 | author = "Jeff White (karttoon@gmail.com) @noottrak" 5 | date = "28MAR2018" 6 | description = "Detects RTF document created by ThreadKit dropper." 
7 | 8 | strings: 9 | // DeL %tMp%\Block.TxT 10 | $ = "44654C2025744D70255C426C6F636B2E547854" nocase 11 | 12 | // DeL %tMp%\Inteldriverupd1.ScT 13 | $ = "44654C2025744D70255C496E74656C647269766572757064312E536354" nocase 14 | 15 | // ObjShell.Run "cMd /C %tEmP%\tAsK.bAt",0,True 16 | $ = "4F626A5368656C6C2E52756E2022634D64202F43202574456D50255C7441734B2E624174222C302C54727565" nocase 17 | 18 | condition: 19 | all of them 20 | } 21 | -------------------------------------------------------------------------------- /Misc/troj_win_vbkryjetor.yar: -------------------------------------------------------------------------------- 1 | rule troj_win_vbkryjetor 2 | { 3 | meta: 4 | author = "Jeff White (karttoon@gmail.com) @noottrak" 5 | date = "20SEP2018" 6 | hash1 = "1ac53bc8373d5ffad51f8805cf0bf6cb28f7374f56b29813c8be05f338da416d" 7 | hash2 = "615d69508c11dc977abae1c91464ff8e4cc9c0dd4ba994452a8ae623993a7dc9" 8 | description = "Detects VBKryjetor trojan." 9 | 10 | strings: 11 | $ = "C:\\Users\\World\\Desktop\\duck\\Zbw138ht2aeja2.pdb" 12 | 13 | condition: 14 | all of them 15 | } 16 | -------------------------------------------------------------------------------- /Misc/troj_win_warzonerat.yar: -------------------------------------------------------------------------------- 1 | rule troj_win_warzonerat 2 | { 3 | meta: 4 | author = "Jeff White (karttoon@gmail.com) @noottrak" 5 | date = "12NOV2020" 6 | hash_01 = "531d967b9204291e70e3aab161a5b7f1001339311ece4f2eed8e52e91559c755" 7 | hash_02 = "B3E18B33CDB21C77E0C3070489C05E12F629EC2C6A4B1AF1D39FAC2FDCDF5D46" 8 | hash_03 = "628F41216961F41DBDE420016512DCE8ADD4CA90B100BD2D4E2F12D82458A335" 9 | description = "Detects WarzoneRAT." 
10 | reference = "https://research.checkpoint.com/2020/warzone-behind-the-enemy-lines/" 11 | 12 | strings: 13 | $avemaria_01 = "AVE_MARIA" ascii 14 | $avemaria_02 = "WM_DSP" wide 15 | $avemaria_03 = "WM_DISP" wide 16 | $avemaria_04 = "%u.%u.%u.%u" ascii 17 | $avemaria_05 = "Hey I'm Admin" wide 18 | 19 | $keylog_01 = "POP3 Password" wide 20 | $keylog_02 = "SMTP Password" wide 21 | $keylog_03 = "HTTP Password" wide 22 | $keylog_04 = "IMAP Password" wide 23 | 24 | $warzone = /warzone\d+/ // network RC4 enc key usually warzone160 (1.6.0+) 25 | 26 | condition: 27 | all of ($avemaria_*) 28 | and 29 | (all of ($keylog_*) 30 | or 31 | $warzone) 32 | } 33 | -------------------------------------------------------------------------------- /Misc/troj_win_xaler.yar: -------------------------------------------------------------------------------- 1 | rule troj_win_xaler 2 | { 3 | meta: 4 | author = "Jeff White (karttoon@gmail.com) @noottrak" 5 | date = "17DEC2019" 6 | hash1 = "e973e776621cc2286329d16a5d707816ebb7a498b72d42745e1781249804bfa3" 7 | description = "Detects Xaler Macro Virus." 
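strings:
        $ = "GOODSub"
        $ = "RELAX2"
        $ = "C:\\temp.tmp"

    condition:
        all of them
}
-------------------------------------------------------------------------------- /Negasteal/negasteal.pcre: --------------------------------------------------------------------------------
############################
# Negasteal PCRE Collection #
# @noottrak                #
############################
# 01 news.php?type=0&time=04:53:29
#
# NOTE: negasteal.urls contains http://192.168.75.1/... — an RFC 1918 private
# address, most likely the sandbox/lab host the sample beaconed to rather than
# a real C2. Do not push that entry to a production blocklist; match on the
# URI pattern below instead.
##########
# 01
# Time field restricted to a valid zero-padded HH:MM:SS (every observed beacon
# is zero-padded: 04:53:29, 21:29:09, 03:53:13). The earlier
# [0-2][0-9]:[0-6][0-9]:[0-6][0-9] also accepted impossible values such as
# 29:69:69.
^(?:http(s)?:\/\/)?(?:[^\x2F]+\/)+news\.php\?type=0&time=(?:[01][0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9]$ karttoon 15APR2020 - Negasteal C2 [ news.php?type=0&time=04:53:29 ]
-------------------------------------------------------------------------------- /Negasteal/negasteal.urls: --------------------------------------------------------------------------------
http://192.168.75.1/news.php?type=0&time=21:29:09
http://80.245.105.102/news.php?type=0&time=03:53:13
-------------------------------------------------------------------------------- /Negasteal/troj_win_negasteal.yar: --------------------------------------------------------------------------------
rule troj_win_negasteal
{
    meta:
        author = "Jeff White (karttoon@gmail.com) @noottrak"
        date = "15APR2020"
        comment = "All hashes in block comment for each change"
        hash01 = "d81ba465fe59e7d600f7ab0e8161246a5badd8ae2c3084f76442fb49f6585e95"
        description = "Detects an observed Negastealer campaign payload"

    strings:
        // Hard-coded User-Agent plus format-string fragments consistent with
        // the observed C2 URI news.php?type=0&time=HH:MM:SS (see negasteal.pcre)
        $ = "Mozilla/5.0 (Windows NT 5.2) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30"
        $ = "news.php"
        $ = "http://%s/%s"
        $ = "type=0"
        $ = "time=%s"
    condition:
        all of them
}
-------------------------------------------------------------------------------- /OriginLogger/troj_win_originlogger.yar: --------------------------------------------------------------------------------
rule troj_win_originlogger
{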
meta: 4 | author = "Jeff White (karttoon@gmail.com) @noottrak" 5 | date = "07JUL2022" 6 | hash1 = "adcc4844f7b5f6cee020243af9e7fb069a6bb69f4c02d987a1a520d182f2d6f9" 7 | hash2 = "0973965b16b2083ffc7dac9051549a9bf76a987d697f01ae82c8b647768c2f13" 8 | hash3 = "7a5949e13f3b0922c13f58942102f9ea6eb6cc08d985210bda9f8972e1b14dc9" 9 | description = "Detects OriginLogger keylogger." 10 | 11 | strings: 12 | $xorLoop = { 13 | 7E ?? ?? ?? ?? // ldsfld uint8[] 14 | 06 // ldloc.0 15 | 7E ?? ?? ?? ?? // ldsfld uint8[] 16 | 06 // ldloc.0 17 | 91 // ldelem.u1 18 | 06 // ldloc.0 19 | 61 // xor 20 | 20 ?? ?? ?? ?? // ldc.i4 [0xAA] 21 | 61 // xor 22 | D2 // conv.u1 23 | 9C // stelem.i1 24 | } 25 | 26 | $indexZero = { 27 | 7E ?? ?? ?? ?? // ldsfld 28 | 16 // ldc.i4.0 29 | 9A // ldelem.ref 30 | 25 // dup 31 | 2D ?? // brtrue.s 32 | 26 // pop 33 | 16 // ldc.i4.0 34 | 16 // ldc.i4.0 35 | 16 // ldc.i4.0 36 | 28 ?? ?? ?? ?? // call 37 | 2A // ret 38 | } 39 | 40 | $meth_01 = "FtpWebRequest" ascii 41 | $meth_02 = "HttpWebRequest" ascii 42 | $meth_03 = "RegOpenKeyEx" ascii 43 | $meth_04 = "Regex" ascii 44 | $meth_05 = "CreateDirectory" ascii 45 | 46 | $str_01 = "HTTP/1.1" wide 47 | $str_02 = "credential" wide 48 | $str_03 = "logins" wide 49 | 50 | condition: 51 | uint16(0) == 0x5A4D 52 | and 53 | $xorLoop 54 | and 55 | $indexZero 56 | and 57 | all of ($meth_*) 58 | and 59 | all of ($str_*) 60 | } 61 | -------------------------------------------------------------------------------- /Phishing/phishing.pcre: -------------------------------------------------------------------------------- 1 | ############################ 2 | # Phishing PCRE Collection # 3 | # @noottrak # 4 | ############################ 5 | # 01 microsoft-help/criticalsecurity-24x7-helpline/security.php 6 | ########## 7 | # 01 8 | ^(http(s)?:\/\/)?([^\x2F]+\/)+microsoft-help\/criticalsecurity-24x7-helpline\/security.php$ karttoon 30AUG2018 - MS Phishing [ microsoft-help/criticalsecurity-24x7-helpline/security.php ] 9 | 
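-------------------------------------------------------------------------------- /Phishing/phishing.urls: --------------------------------------------------------------------------------
http://www.oppersion.com/microsoft-help/criticalsecurity-24x7-helpline/security.php
http://www.duqsis.com/microsoft-help/criticalsecurity-24x7-helpline/security.php
http://www.methropical.com/microsoft-help/criticalsecurity-24x7-helpline/security.php
-------------------------------------------------------------------------------- /PlugX/plugx.pcre: --------------------------------------------------------------------------------
#########################
# PlugX PCRE Collection #
# @noottrak             #
#########################
# 01 update?wd=af23d6ce
##########
# 01
^(http(s)?:\/\/)?(?:[^\x2F]+\/)update\?wd=[a-z0-9]{8}$ karttoon 03DEC2020 - PlugX C2 - [ update?wd=af23d6ce ]
-------------------------------------------------------------------------------- /PlugX/plugx.suri: --------------------------------------------------------------------------------
# Direction fixed: the User-Agent header (http_user_agent) and the request URI
# the pcre "I" modifier inspects are both sent by the infected host, so the
# rule has to look at client -> server traffic (flow:to_server). As originally
# written ($EXTERNAL_NET -> $HOME_NET, to_client) it inspected the response
# side, where these request buffers are never populated, and could not fire.
# Also added sid/rev, which Suricata requires to load a signature; 1000001 is a
# placeholder in the local-rule range — renumber to fit your deployment.
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PlugX C2"; flow:established,to_server; content:"Mozilla/4.0 (compatible\; MSIE 6.0\; Windows NT 5.1\;SV1\;"; http_user_agent; pcre:"/update\?wd=[a-z0-9]{8}/I"; classtype:trojan-activity; priority:4; sid:1000001; rev:1;)
-------------------------------------------------------------------------------- /PlugX/plugx.urls: --------------------------------------------------------------------------------
http://154.223.150.105/update?wd=1b332267
http://154.223.150.105/update?wd=39581314
http://154.223.150.105/update?wd=4f519dbd
http://154.223.150.105/update?wd=68a7c6a3
http://154.223.150.105/update?wd=80016e83
http://154.223.150.105/update?wd=9db26f40
http://154.223.150.105/update?wd=a4513c3f
http://154.223.150.105/update?wd=a938d698
http://154.223.150.105/update?wd=a968c786
http://154.223.150.105/update?wd=acf87c96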
http://154.223.150.105/update?wd=af23d6ce 12 | http://154.223.150.105/update?wd=b0dfe4a3 13 | http://154.223.150.105/update?wd=b24ec3d9 14 | http://154.223.150.105/update?wd=b39f1f73 15 | http://154.223.150.105/update?wd=b85ba1d2 16 | http://154.223.150.105/update?wd=b8c7868b 17 | http://154.223.150.105/update?wd=c76818ca 18 | http://154.223.150.105/update?wd=d891ede8 19 | http://154.223.150.105/update?wd=e05370de 20 | http://154.223.150.105/update?wd=e38b372b 21 | http://23.105.209.119/update?wd=00eab2f5 22 | http://23.105.209.119/update?wd=01b88b32 23 | http://23.105.209.119/update?wd=02667b8c 24 | http://23.105.209.119/update?wd=04837e9d 25 | http://23.105.209.119/update?wd=076c1cd7 26 | http://23.105.209.119/update?wd=0c21f4a1 27 | http://23.105.209.119/update?wd=0e644851 28 | http://23.105.209.119/update?wd=0e7a91bd 29 | http://23.105.209.119/update?wd=0eb8c68d 30 | http://23.105.209.119/update?wd=115df9e9 31 | http://23.105.209.119/update?wd=11e27d61 32 | http://23.105.209.119/update?wd=143ccb70 33 | http://23.105.209.119/update?wd=177d19f0 34 | http://23.105.209.119/update?wd=1786b322 35 | http://23.105.209.119/update?wd=18517f62 36 | http://23.105.209.119/update?wd=187a8c58 37 | http://23.105.209.119/update?wd=190d797a 38 | http://23.105.209.119/update?wd=1932874d 39 | http://23.105.209.119/update?wd=19ed1cbd 40 | http://23.105.209.119/update?wd=1a75b001 41 | http://23.105.209.119/update?wd=1ab21490 42 | http://23.105.209.119/update?wd=1c86db0e 43 | http://23.105.209.119/update?wd=1d08cb4b 44 | http://23.105.209.119/update?wd=1d64ceaa 45 | http://23.105.209.119/update?wd=1e578a0a 46 | http://23.105.209.119/update?wd=23087660 47 | http://23.105.209.119/update?wd=247f19db 48 | http://23.105.209.119/update?wd=275d69cf 49 | http://23.105.209.119/update?wd=293ada52 50 | http://23.105.209.119/update?wd=2bc75dbd 51 | http://23.105.209.119/update?wd=2c35a297 52 | http://23.105.209.119/update?wd=2ccee8b6 53 | http://23.105.209.119/update?wd=2dfea9b2 54 | 
http://23.105.209.119/update?wd=2f29e8a6 55 | http://23.105.209.119/update?wd=36f1c341 56 | http://23.105.209.119/update?wd=387ab0cc 57 | http://23.105.209.119/update?wd=38d61631 58 | http://23.105.209.119/update?wd=3a2b81da 59 | http://23.105.209.119/update?wd=3a2f412d 60 | http://23.105.209.119/update?wd=3f496959 61 | http://23.105.209.119/update?wd=438ad281 62 | http://23.105.209.119/update?wd=43db06b2 63 | http://23.105.209.119/update?wd=43dcd219 64 | http://23.105.209.119/update?wd=4439f852 65 | http://23.105.209.119/update?wd=451d602a 66 | http://23.105.209.119/update?wd=458d70de 67 | http://23.105.209.119/update?wd=486e3b85 68 | http://23.105.209.119/update?wd=4b525d6f 69 | http://23.105.209.119/update?wd=4cf1e77b 70 | http://23.105.209.119/update?wd=4e52bdb2 71 | http://23.105.209.119/update?wd=4e705fc8 72 | http://23.105.209.119/update?wd=5220c05e 73 | http://23.105.209.119/update?wd=525e4ba0 74 | http://23.105.209.119/update?wd=531de6d1 75 | http://23.105.209.119/update?wd=53cc0370 76 | http://23.105.209.119/update?wd=541ff995 77 | http://23.105.209.119/update?wd=562f0d3f 78 | http://23.105.209.119/update?wd=57ac713c 79 | http://23.105.209.119/update?wd=58885c22 80 | http://23.105.209.119/update?wd=591396c3 81 | http://23.105.209.119/update?wd=59f09d64 82 | http://23.105.209.119/update?wd=5b5f7c85 83 | http://23.105.209.119/update?wd=5d0fc313 84 | http://23.105.209.119/update?wd=5d75842c 85 | http://23.105.209.119/update?wd=5dc46b8f 86 | http://23.105.209.119/update?wd=6141070f 87 | http://23.105.209.119/update?wd=6211270e 88 | http://23.105.209.119/update?wd=64d00520 89 | http://23.105.209.119/update?wd=671f38f3 90 | http://23.105.209.119/update?wd=67f061e4 91 | http://23.105.209.119/update?wd=69d258e6 92 | http://23.105.209.119/update?wd=6a5be869 93 | http://23.105.209.119/update?wd=6a67d245 94 | http://23.105.209.119/update?wd=6b622469 95 | http://23.105.209.119/update?wd=6c22a075 96 | http://23.105.209.119/update?wd=6ca12954 97 | 
http://23.105.209.119/update?wd=6d4bcede 98 | http://23.105.209.119/update?wd=6de9be3e 99 | http://23.105.209.119/update?wd=6f2f34c0 100 | http://23.105.209.119/update?wd=70185e3f 101 | http://23.105.209.119/update?wd=724e3092 102 | http://23.105.209.119/update?wd=74ba043a 103 | http://23.105.209.119/update?wd=75d4a299 104 | http://23.105.209.119/update?wd=76ccd93e 105 | http://23.105.209.119/update?wd=7787e196 106 | http://23.105.209.119/update?wd=789416cb 107 | http://23.105.209.119/update?wd=78b31a4f 108 | http://23.105.209.119/update?wd=79f5c8dc 109 | http://23.105.209.119/update?wd=7a709515 110 | http://23.105.209.119/update?wd=7ad18093 111 | http://23.105.209.119/update?wd=7b17eb2a 112 | http://23.105.209.119/update?wd=7c5aadc9 113 | http://23.105.209.119/update?wd=7d0e419e 114 | http://23.105.209.119/update?wd=7f9e0e5d 115 | http://23.105.209.119/update?wd=7ff762d9 116 | http://23.105.209.119/update?wd=80e2b882 117 | http://23.105.209.119/update?wd=875e5171 118 | http://23.105.209.119/update?wd=8c1b5e9c 119 | http://23.105.209.119/update?wd=8c486168 120 | http://23.105.209.119/update?wd=8cd4cb23 121 | http://23.105.209.119/update?wd=8da781a3 122 | http://23.105.209.119/update?wd=90e25601 123 | http://23.105.209.119/update?wd=96098c2a 124 | http://23.105.209.119/update?wd=96bc1e9f 125 | http://23.105.209.119/update?wd=9877a210 126 | http://23.105.209.119/update?wd=9bb7fa78 127 | http://23.105.209.119/update?wd=a25f8491 128 | http://23.105.209.119/update?wd=a38bbea8 129 | http://23.105.209.119/update?wd=a40b1547 130 | http://23.105.209.119/update?wd=a54fc01e 131 | http://23.105.209.119/update?wd=aa6a5f5b 132 | http://23.105.209.119/update?wd=ab13ab33 133 | http://23.105.209.119/update?wd=ab6bb65c 134 | http://23.105.209.119/update?wd=acc80174 135 | http://23.105.209.119/update?wd=ae941dbf 136 | http://23.105.209.119/update?wd=aecad0c5 137 | http://23.105.209.119/update?wd=afc9e67e 138 | http://23.105.209.119/update?wd=b0b24187 139 | 
http://23.105.209.119/update?wd=b115454b 140 | http://23.105.209.119/update?wd=b2062165 141 | http://23.105.209.119/update?wd=b7b4afad 142 | http://23.105.209.119/update?wd=b805e497 143 | http://23.105.209.119/update?wd=b8a2d6a8 144 | http://23.105.209.119/update?wd=bc1255de 145 | http://23.105.209.119/update?wd=bc3e16c3 146 | http://23.105.209.119/update?wd=bdc8bad8 147 | http://23.105.209.119/update?wd=bef76b77 148 | http://23.105.209.119/update?wd=c2443107 149 | http://23.105.209.119/update?wd=c39a50bc 150 | http://23.105.209.119/update?wd=c4b8e3e0 151 | http://23.105.209.119/update?wd=c78266dd 152 | http://23.105.209.119/update?wd=ca18f488 153 | http://23.105.209.119/update?wd=cc941ea0 154 | http://23.105.209.119/update?wd=cdabb884 155 | http://23.105.209.119/update?wd=d01f63cd 156 | http://23.105.209.119/update?wd=d1451082 157 | http://23.105.209.119/update?wd=d1a657c4 158 | http://23.105.209.119/update?wd=d3e1d2a2 159 | http://23.105.209.119/update?wd=d796ba9f 160 | http://23.105.209.119/update?wd=d88f6404 161 | http://23.105.209.119/update?wd=d9d99120 162 | http://23.105.209.119/update?wd=dab94578 163 | http://23.105.209.119/update?wd=db1f105a 164 | http://23.105.209.119/update?wd=de4379f9 165 | http://23.105.209.119/update?wd=de4d8d27 166 | http://23.105.209.119/update?wd=df8ca25e 167 | http://23.105.209.119/update?wd=e65dee35 168 | http://23.105.209.119/update?wd=eb42f4ff 169 | http://23.105.209.119/update?wd=ec202f53 170 | http://23.105.209.119/update?wd=ec507a6b 171 | http://23.105.209.119/update?wd=ecfc946d 172 | http://23.105.209.119/update?wd=ede867bc 173 | http://23.105.209.119/update?wd=ee38faca 174 | http://23.105.209.119/update?wd=eec5a782 175 | http://23.105.209.119/update?wd=f0f336ab 176 | http://23.105.209.119/update?wd=f14d77c4 177 | http://23.105.209.119/update?wd=f1801914 178 | http://23.105.209.119/update?wd=f23268b6 179 | http://23.105.209.119/update?wd=f53024a3 180 | http://23.105.209.119/update?wd=f6fdbe9c 181 | 
http://23.105.209.119/update?wd=fabdb2e1 182 | http://23.105.209.119/update?wd=fd725768 183 | http://23.105.209.119/update?wd=ffefa511 184 | http://43.251.182.114/update?wd=203b3eb2 185 | http://43.251.182.114/update?wd=2a45e3e4 186 | http://43.251.182.114/update?wd=a789f4bc 187 | http://43.251.182.114/update?wd=e2687e23 188 | http://45.251.240.55/update?wd=02988b11 189 | http://45.251.240.55/update?wd=0531d454 190 | http://45.251.240.55/update?wd=06ecf6ae 191 | http://45.251.240.55/update?wd=0f079635 192 | http://45.251.240.55/update?wd=100419cc 193 | http://45.251.240.55/update?wd=19dd2656 194 | http://45.251.240.55/update?wd=1c8c7613 195 | http://45.251.240.55/update?wd=1cef6873 196 | http://45.251.240.55/update?wd=1dfc356d 197 | http://45.251.240.55/update?wd=1e75281d 198 | http://45.251.240.55/update?wd=22a0ce07 199 | http://45.251.240.55/update?wd=24cd6011 200 | http://45.251.240.55/update?wd=294b2ed3 201 | http://45.251.240.55/update?wd=29671e5c 202 | http://45.251.240.55/update?wd=2e077101 203 | http://45.251.240.55/update?wd=2e21ae99 204 | http://45.251.240.55/update?wd=2f002d22 205 | http://45.251.240.55/update?wd=308faba4 206 | http://45.251.240.55/update?wd=30f2549f 207 | http://45.251.240.55/update?wd=3427b1b6 208 | http://45.251.240.55/update?wd=35bddc28 209 | http://45.251.240.55/update?wd=378ef2b9 210 | http://45.251.240.55/update?wd=380dc813 211 | http://45.251.240.55/update?wd=3b7e2ac7 212 | http://45.251.240.55/update?wd=3d7e33bd 213 | http://45.251.240.55/update?wd=3fe3167b 214 | http://45.251.240.55/update?wd=42febeab 215 | http://45.251.240.55/update?wd=45f40ad5 216 | http://45.251.240.55/update?wd=484394a4 217 | http://45.251.240.55/update?wd=5466b2b9 218 | http://45.251.240.55/update?wd=57899548 219 | http://45.251.240.55/update?wd=58be57a2 220 | http://45.251.240.55/update?wd=5cfc1925 221 | http://45.251.240.55/update?wd=5da2db31 222 | http://45.251.240.55/update?wd=62bcf6cd 223 | http://45.251.240.55/update?wd=66bbf0b3 224 | 
http://45.251.240.55/update?wd=67d8f682 225 | http://45.251.240.55/update?wd=6e1b0587 226 | http://45.251.240.55/update?wd=6fcf6629 227 | http://45.251.240.55/update?wd=73bdc0a6 228 | http://45.251.240.55/update?wd=73bedec8 229 | http://45.251.240.55/update?wd=74c3b0ca 230 | http://45.251.240.55/update?wd=790d6ce6 231 | http://45.251.240.55/update?wd=851d207c 232 | http://45.251.240.55/update?wd=85b4ef5f 233 | http://45.251.240.55/update?wd=87f15153 234 | http://45.251.240.55/update?wd=89618df5 235 | http://45.251.240.55/update?wd=8a141ed7 236 | http://45.251.240.55/update?wd=8e573efd 237 | http://45.251.240.55/update?wd=93b80114 238 | http://45.251.240.55/update?wd=97aba0d4 239 | http://45.251.240.55/update?wd=993d549e 240 | http://45.251.240.55/update?wd=9f02e2bc 241 | http://45.251.240.55/update?wd=a4d13679 242 | http://45.251.240.55/update?wd=a7a2134d 243 | http://45.251.240.55/update?wd=a885eb42 244 | http://45.251.240.55/update?wd=ab15422a 245 | http://45.251.240.55/update?wd=ada966d9 246 | http://45.251.240.55/update?wd=ae3b5244 247 | http://45.251.240.55/update?wd=b249a7e0 248 | http://45.251.240.55/update?wd=bb65ce34 249 | http://45.251.240.55/update?wd=bc023351 250 | http://45.251.240.55/update?wd=beb64dc6 251 | http://45.251.240.55/update?wd=bf22b97f 252 | http://45.251.240.55/update?wd=c23fceb0 253 | http://45.251.240.55/update?wd=c2602918 254 | http://45.251.240.55/update?wd=ca328aa1 255 | http://45.251.240.55/update?wd=cbe8c6f9 256 | http://45.251.240.55/update?wd=cf4fa65b 257 | http://45.251.240.55/update?wd=d1d11d83 258 | http://45.251.240.55/update?wd=d3470d8b 259 | http://45.251.240.55/update?wd=d4fd0b5a 260 | http://45.251.240.55/update?wd=da76372e 261 | http://45.251.240.55/update?wd=dd88963d 262 | http://45.251.240.55/update?wd=e194b7ab 263 | http://45.251.240.55/update?wd=e5680d72 264 | http://45.251.240.55/update?wd=e6e29bda 265 | http://45.251.240.55/update?wd=e9aa9609 266 | http://45.251.240.55/update?wd=eb115e97 267 | 
http://45.251.240.55/update?wd=ed3dc313 268 | http://45.251.240.55/update?wd=ee8e6907 269 | http://45.251.240.55/update?wd=f8a1bc5c 270 | http://45.251.240.55/update?wd=fba85fc6 271 | http://45.251.240.55/update?wd=fc19baaf 272 | http://45.251.240.55/update?wd=fc1d86d4 273 | http://45.251.240.55/update?wd=fd4c0dd1 274 | http://45.251.240.55/update?wd=fddecea2 275 | http://45.251.240.55/update?wd=fe7f342a 276 | http://45.251.240.55/update?wd=fea011df 277 | http://45.251.240.55/update?wd=fedae9c5 278 | http://downloads.flashplayerup.com/update?wd=f986edce 279 | http://web.flashplayerup.com/update?wd=917c819d 280 | http://web.flashplayerup.com/update?wd=97fbfc84 281 | http://web.flashplayerup.com/update?wd=a22efcd3 282 | http://web.flashplayerup.com/update?wd=a7384cc3 283 | http://web.flashplayerup.com/update?wd=bc7c49bc 284 | http://web.flashplayerup.com/update?wd=dca45fb3 285 | http://www.apple-net.com/update?wd=062fe441 286 | http://www.apple-net.com/update?wd=0a2af3c2 287 | http://www.apple-net.com/update?wd=196050c4 288 | http://www.apple-net.com/update?wd=1c5d7453 289 | http://www.apple-net.com/update?wd=1e892b5f 290 | http://www.apple-net.com/update?wd=2004fe56 291 | http://www.apple-net.com/update?wd=2c30b04a 292 | http://www.apple-net.com/update?wd=336c90de 293 | http://www.apple-net.com/update?wd=343b10b3 294 | http://www.apple-net.com/update?wd=3b1c8a55 295 | http://www.apple-net.com/update?wd=3b64ef39 296 | http://www.apple-net.com/update?wd=40629297 297 | http://www.apple-net.com/update?wd=482ad15b 298 | http://www.apple-net.com/update?wd=48b17743 299 | http://www.apple-net.com/update?wd=4a143889 300 | http://www.apple-net.com/update?wd=4def0bd7 301 | http://www.apple-net.com/update?wd=509a017d 302 | http://www.apple-net.com/update?wd=53ac25bc 303 | http://www.apple-net.com/update?wd=53cf4513 304 | http://www.apple-net.com/update?wd=59c96dbc 305 | http://www.apple-net.com/update?wd=5cad8222 306 | http://www.apple-net.com/update?wd=5ee1c94a 307 | 
http://www.apple-net.com/update?wd=617fa7f8 308 | http://www.apple-net.com/update?wd=628eefbd 309 | http://www.apple-net.com/update?wd=65b6434d 310 | http://www.apple-net.com/update?wd=6601246c 311 | http://www.apple-net.com/update?wd=6784f490 312 | http://www.apple-net.com/update?wd=6fc8164f 313 | http://www.apple-net.com/update?wd=70bf0de0 314 | http://www.apple-net.com/update?wd=76443c4a 315 | http://www.apple-net.com/update?wd=7837c11a 316 | http://www.apple-net.com/update?wd=79419608 317 | http://www.apple-net.com/update?wd=7b455d08 318 | http://www.apple-net.com/update?wd=7d33a3d5 319 | http://www.apple-net.com/update?wd=7e8b2dbd 320 | http://www.apple-net.com/update?wd=812261b9 321 | http://www.apple-net.com/update?wd=866f4e97 322 | http://www.apple-net.com/update?wd=90615c54 323 | http://www.apple-net.com/update?wd=95befe9a 324 | http://www.apple-net.com/update?wd=97965615 325 | http://www.apple-net.com/update?wd=97caee7a 326 | http://www.apple-net.com/update?wd=99bc6fa3 327 | http://www.apple-net.com/update?wd=9b14ce5f 328 | http://www.apple-net.com/update?wd=a16b1e4b 329 | http://www.apple-net.com/update?wd=aa9c2e61 330 | http://www.apple-net.com/update?wd=b4367861 331 | http://www.apple-net.com/update?wd=b8653299 332 | http://www.apple-net.com/update?wd=bb5bf1fc 333 | http://www.apple-net.com/update?wd=bbda3a19 334 | http://www.apple-net.com/update?wd=be917ea6 335 | http://www.apple-net.com/update?wd=c239889d 336 | http://www.apple-net.com/update?wd=c308e01e 337 | http://www.apple-net.com/update?wd=c6dc6663 338 | http://www.apple-net.com/update?wd=cc3e42e5 339 | http://www.apple-net.com/update?wd=d7fc603a 340 | http://www.apple-net.com/update?wd=dac76354 341 | http://www.apple-net.com/update?wd=e122eaad 342 | http://www.apple-net.com/update?wd=e1dcf177 343 | http://www.apple-net.com/update?wd=e7cfba54 344 | http://www.apple-net.com/update?wd=e884bf97 345 | http://www.apple-net.com/update?wd=ef620f15 346 | http://www.apple-net.com/update?wd=f19d021c 347 | 
http://www.apple-net.com/update?wd=f6d4631c 348 | http://www.apple-net.com/update?wd=fa3eace3 349 | http://www.apple-net.com/update?wd=ff05bcb7 350 | http://www.apple-net.com/update?wd=ff512b7e 351 | http://www.destroy2013.com/update?wd=71cd0e73 352 | http://www.destroy2013.com/update?wd=a57ca1c6 353 | http://www.destroy2013.com/update?wd=c9d4817c 354 | http://www.destroy2013.com/update?wd=e7902393 355 | -------------------------------------------------------------------------------- /PlugX/troj_win_plugx_loader_go.yar: --------------------------------------------------------------------------------
1 | rule troj_win_plugx_loader_go
2 | {
3 | meta:
4 | author = "Jeff White (karttoon@gmail.com) @noottrak"
5 | description = "PlugX DLL Loader - Golang (also catches the self-extracting RARs containing the DLL)"
6 | date = "02DEC2020"
// hash01-hash04 are 64 hex characters each, i.e. SHA-256 digests of the reference samples.
7 | hash01 = "d9332581f77427ec9f57e68d290a9f69ecadf5e35d519e782a785f4b8f3a1ac1"
8 | hash02 = "4d1eb28ad0b9c6d505b0a3c46695a9393bd65ee17929e8d42c9b16620caf0fd8"
9 | hash03 = "1102d23c62929f49980af8bdb34c4bca777ae938220749676d7fc27208cde293"
10 | hash04 = "bc6c2fda18f8ee36930b469f6500e28096eb6795e5fd17c44273c67bc9fa6a6d"
11 | reference = "https://www.proofpoint.com/us/blog/threat-insight/ta416-goes-ground-and-returns-golang-plugx-malware-loader"
12 |
13 | strings:
// Single anonymous byte string: "hex.dll", a NUL byte, "CEFProcessForkHandlerEx", a NUL byte.
// NOTE(review): this looks like a module name immediately followed by an export name, as a
// PE export name table would lay them out - confirm against the samples. It is a raw byte
// match with no PE-section scoping, and the description reports the same bytes are present
// in the self-extracting RARs that carry the DLL, so those archives are expected to match too.
14 | $ = { 68 65 78 2E 64 6C 6C 00 43 45 46 50 72 6F 63 65 73 73 46 6F 72 6B 48 61 6E 64 6C 65 72 45 78 00 } // hex.dll\x00CEFProcessForkHandlerEx\x00
15 |
16 | condition:
// Only one string is declared, so "all of them" reduces to that single match.
17 | all of them
18 | }
19 | -------------------------------------------------------------------------------- /Qakbot/qakbot.pcre: -------------------------------------------------------------------------------- 1 | ############################### 2 | # Qakbot PCRE Collection # 3 | # @noottrak # 4 | ############################### 5 | # 01 /urr/ZGm/Wv4/Yn3/cbTHonm.zip 6 | # 02 /urr/fckYL1Nqqm.zip 7 | # 03 /cet/index.php?a-ltevi=7 8 | # 04 /mloa/mloa.php 9 | # 05 /blo/6436700a51566.zip 10 | ########## 11 | # 01 
(Stricter) 12 | ^(http(s)?:\/\/)?(?:[^\x2F]+\/)(urr|atm)\/([a-zA-Z0-9]{1,3}\/){1,3}[a-zA-Z0-9]{7,10}\.zip karttoon 22APR2022 - Qakbot DL [ /urr/ZGm/Wv4/Yn3/cbTHonm.zip ] 13 | # 02 (Looser) 14 | ^(http(s)?:\/\/)?(?:[^\x2F]+\/)(urr|atm)\/(([a-zA-Z0-9]{1,3}\/){1,3})?[a-zA-Z0-9]{7,10}\.zip karttoon 22APR2022 - Qakbot DL [ /urr/fckYL1Nqqm.zip ] 15 | # 03 16 | ^(http(s)?:\/\/)?(?:[^\x2F]+\/)[a-z]{2,4}\/index\.php\?[a-z]{1,13}-[a-z]{1,14}=[0-9]{1,2}$ karttoon 21NOV2022 - Qakbot C2 [ /cet/index.php?a-ltevi=7 ] 17 | # 04 (Looser) 18 | ^(http(s)?:\/\/)?([^\x2F]+\/)+([a-z]{2,4})\/\4\.php karttoon 14APR2023 - Qakbot C2 [ /mloa/mloa.php ] 19 | # 05 (Stricter) 20 | ^(http(s)?:\/\/)?([^\x2F]+\/)+blo\/[a-z0-9]{10,13}\.zip karttoon 14APR2023 - Qakbot DL [ /blo/6436700a51566.zip ] 21 | -------------------------------------------------------------------------------- /Qakbot/qakbot.urls: -------------------------------------------------------------------------------- 1 | http://adiba.pk/upqo/index.php?tau-sese=2 2 | http://bridgetkeyes.xyz/rmt/index.php?tau-sunta=4 3 | http://coffeehousewithoutlimits.com/ro/index.php?rrrieehpetend-team=4 4 | http://collingwoodstores.co.uk/nne/index.php?lrsdeoo-nno=7 5 | http://cosita.or.tz/itl/itl.php 6 | http://craftbrand.com.pe/sii/index.php?dse-uetma=1 7 | http://dlfproperties.co.in/spte/index.php?refeca-isidinsmgso=7 8 | http://dreamwebservice.in/blo/09213kjkda.zip 9 | http://electroutine.hu/ssio/index.php?uta-cterexpiu=9 10 | http://faithgeorgia.com/qmur/index.php?iptdciueta-ut=6 11 | http://gettopwork.com/uq/index.php?sumcdiu-edromol=3 12 | http://greenlighthospital.com/ei/index.php?oldor-suiq=2 13 | http://klikworx.com/blo/643322e76c253.zip 14 | http://kmpagrofarms.com/isol/index.php?paemiar-iste=7 15 | http://multconsultlaboratories.com/blo/6436700a51566.zip 16 | http://officeofthespecialenvoyofsyria-gov.us/iela/index.php?qurtaae-mateoleis=1 17 | http://okolalist.com/uitl/index.php?aut-stltuoavep=9 18 | 
http://parintieducati.ro/blo/6436749bb7b93.zip 19 | http://refvereb.hu/co/index.php?ume-petneisa=2 20 | http://skttech.website/si/si.php 21 | http://spateltraders.com/cli/index.php?slovputa-lborsduoi=8 22 | http://tuberosebd.com/is/index.php?tepvatmlou-te=1 23 | http://wehealth.net.br/eq/index.php?leiqumsii-umqdie=1 24 | http://xebiaus.com/blo/89213ujkaw.zip 25 | https://19dm82.info/mloa/mloa.php 26 | https://31its.com/blo/64369ac67bc1c.zip 27 | https://7starsq8.com/blo/64369e92937bb.zip 28 | https://9japaintballhub.com/avu/index.php?cusmidu-quam=3 29 | https://aaa4title.com/blo/6436d17ee6cbe.zip 30 | https://abdullahcentre.com/aim/index.php?snimu-lev=5 31 | https://adamsdramatictenor.com/blo/6436d5f52adcc.zip 32 | https://adelaidefreedomrally.com/mev/index.php?suuatccaimn-quo=9 33 | https://adwlegal.co.in/ocfo/ocfo.php 34 | https://aitsoman.net/rt/index.php?isnt-qeius=10 35 | https://al-athath.com/isa/index.php?rennivtoe-et=4 36 | https://alfosac.pe/it/index.php?itse-te=1 37 | https://aliyahdavid.com/eal/index.php?oisalsetm-ntsi=3 38 | https://alloraworld.com/opl/index.php?lev-emta=10 39 | https://almacorp.com/blo/64368ebda23c6.zip 40 | https://alphafex.com/enm/index.php?ae-mmodoci=4 41 | https://alphahelixconsulting.com/blo/643687b0d9d26.zip 42 | https://amaxtravel.com/blo/6436d3c721633.zip 43 | https://americaukessays.com/os/index.php?iteaexpd-et=6 44 | https://ansarifloorrugs.in/au/index.php?tnovniere-psimu=4 45 | https://anwaralseraj-eng.com/blo/64368be5175b5.zip 46 | https://apartmengreenpramukacity.com/blo/64368c30eedd9.zip 47 | https://areglv.com/uqr/index.php?satlevuopt-afifcio=4 48 | https://argroups.pk/xiur/index.php?erumr-uastlo=6 49 | https://argroups.pk/xiur/index.php?te-aqeu=5 50 | https://arputhamhospital.com/umll/index.php?et-mlaovtupte=3 51 | https://arxeologiya.az/in/index.php?aut-cum=1 52 | https://asgharintl.net/blo/64368ef8bf22e.zip 53 | https://assigns.co.uk/ir/index.php?exaedpti-aut=4 54 | 
https://atoinstitutoeducacional.com/sas/index.php?te-erm=7 55 | https://auratechsystems.com/tus/index.php?sde-rntcecteuos=3 56 | https://auto1.pk/blo/64368e56ae83b.zip 57 | https://autocadbeginner.com/atm/O/aci9xAHE3.zip 58 | https://autoprivilege.org/mim/index.php?bmerpiuost-hraum=8 59 | https://autotrademachineforex.com/snh/index.php?iidemtp-sti=8 60 | https://avocadobeautyclinic.com/pre/index.php?te-iauq=1 61 | https://avvocatoespropriazione.it/tuu/index.php?isuq-utfig=10 62 | https://axcltrading.com/blo/643694bbcba60.zip 63 | https://axescapitals.com/ad/index.php?fitgu-ntsau=6 64 | https://axtwelding.com/blo/6436d388cfd5b.zip 65 | https://babyspartanflamingo.io/qil/index.php?iuq-ets=7 66 | https://baumadera.cl/blo/64368f25852a6.zip 67 | https://bernardkhalil.com/blo/64368f727f843.zip 68 | https://blastraccoon.tk/usu/index.php?eaolbr-aeompvtult=9 69 | https://blessedfx.academy/nu/nu.php 70 | https://bloomingbuddy.com/blo/64369dc22dca4.zip 71 | https://boltsolution.com/ii/index.php?ni-usiot=5 72 | https://bookmytrip.us/blo/64369f70eccc4.zip 73 | https://bottspumps.com/ita/index.php?nist-teednurs=9 74 | https://boxnetweb.com/od/index.php?ihc-upism=6 75 | https://brandsenvoy.com/umt/index.php?tes-mre=8 76 | https://bridgetkeyes.xyz/rmt/index.php?tau-sunta=4 77 | https://cafeterastradicionales.com.mx/qlue/optioreiciendis.php 78 | https://cairns-stonegrill.com.tw/iq/index.php?eso-uat=1 79 | https://calhounlegalgroup.com/nu/index.php?sed-vleutmopta=10 80 | https://calhounlegalgroup.com/nu/index.php?te-souq=5 81 | https://campfishtank.com/blo/6436979640e07.zip 82 | https://candlestickpilates.com/blo/6436985d91fda.zip 83 | https://capitalcredit.am/gqmn/index.php?nomis-bqsuimuad=10 84 | https://capricornintegratedsolutions.com/ittr/index.php?mcntusicaau-elptvutao=7 85 | https://careerplusacademydwarka.com/im/index.php?ontercestuc-slcuedet=8 86 | https://chadservices.net/blo/64369af8bc0c2.zip 87 | https://ciff.org/blo/643696c81eb42.zip 88 | 
https://coffeehousewithoutlimits.com/ro/index.php?rrrieehpetend-team=4 89 | https://comeckexpressservices.com/db/index.php?uqi-lulam=3 90 | https://construtodo.com.mx/nus/index.php?ioocdmm-utfgi=4 91 | https://construtodo.com.mx/nus/index.php?tviel-lalotiim=2 92 | https://contabilidadeativa1976.com.br/in/index.php?uictorrp-hci=8 93 | https://contaeseg.com.br/sn/index.php?lev-uetnusrocqa=5 94 | https://cornealaser.com.mx/eie/index.php?coiomdm-oelrod=3 95 | https://cornealaser.com.mx/eie/index.php?iaequt-tivel=9 96 | https://corplexinternational.com/sse/index.php?sese-da=6 97 | https://creatingconsciousconnections.com/rea/index.php?rnsuomt-et=4 98 | https://creativetalenthunt.com/tnso/index.php?auliqdi-ooprr=6 99 | https://cutcut.pt/mio/index.php?et-di=8 100 | https://datacloudin.com/iq/index.php?id-smteilaoe=4 101 | https://demo.bbits.solutions/blo/64369a7dea445.zip 102 | https://dephub-go-id.com/ed/index.php?osbuordil-lpoauvst=6 103 | https://despk.com/uu/index.php?tnsua-tu=4 104 | https://digitalwaypk.com/cuum/index.php?des-est=10 105 | https://distribuidoraitalux.com.br/tu/index.php?ssspuiom-rbolei=1 106 | https://divaatour.com/vnls/index.php?veidprotn-taive=4 107 | https://doctorbari24.com/mi/index.php?atu-tivea=1 108 | https://drivf.in/oa/index.php?miain-uqo=6 109 | https://drmilanovic.co.rs/tuta/index.php?tpsiiusc-adatnulimu=7 110 | https://dufontfaes.com/blo/64369fa9c2b88.zip 111 | https://e-emlakci.com/urr/ZGm/Wv4/Yn3/cbTHonm.zip 112 | https://eac-peru.com/ii/remullam.php 113 | https://earthhydraulics.com/toi/index.php?spirrcoo-oesiamelt=1 114 | https://easyloksewa.com/aqi/index.php?uoq-xtoacenrmieite=4 115 | https://ecolocalbrasil.org.br/vpm/index.php?rmeur-laiuaqm=9 116 | https://eduemaster.com/st/index.php?binidltisa-nilaibtdis=2 117 | https://egagro.com/ir/index.php?siin-oesalmeti=6 118 | https://ekeluxuryfurnitures.com/plm/index.php?ebaaet-omne=5 119 | https://electroutine.hu/ssio/index.php?vltie-lraumob=8 120 | 
https://eleelaimportados.com.br/nti/index.php?uqi-offsciii=5 121 | https://elisha.lk/muau/muau.php 122 | https://elitebraidsweaving.com/et/index.php?afilics-ertoemp=4 123 | https://elrondmillionday.com/ccs/index.php?aqui-utunucsnoqer=5 124 | https://elwickdrycleaners.co.uk/oqe/index.php?orsbmialoa-mmoiodc=3 125 | https://emarketsexpo.ma/uatt/index.php?in-uoq=1 126 | https://essayfurious.com/ieqm/index.php?omrsaie-a=8 127 | https://esta-usa.dk/ode/index.php?seeap-aiiofcf=9 128 | https://estories.xyz/uqe/index.php?quis-iemamx=6 129 | https://estories.xyz/uqe/index.php?ucnaqretuso-anm=4 130 | https://everythingsshoping.com/ex/index.php?tse-saqu=4 131 | https://ewalkercpa.com/urr/v5/fl/23ZcVJBK.zip 132 | https://ezrackeurope.com/teq/index.php?tau-uiqa=5 133 | https://fagendconsulting.com/di/index.php?orpro-drloeo=2 134 | https://fajarmarketing.com/enm/quibusdamsed.php 135 | https://faktmarathitv.com/ut/index.php?qui-elsmteoia=7 136 | https://filoefibra.it/qmvi/index.php?tsni-emu=4 137 | https://financetype.us/bp/index.php?sepea-dicta=1 138 | https://fitnessalltime.com/chs/index.php?dsoolre-spsicertpiai=2 139 | https://fleuron.tg/ods/index.php?ut-mgian=10 140 | https://fmmass.org/er/index.php?di-nmie=1 141 | https://freshfiestabd.com/tu/index.php?ntndiciu-lev=6 142 | https://fsgolfcars.com/ue/index.php?nniseuct-iipmdet=9 143 | https://garageaccesorios.com/eol/doloressed.php 144 | https://garib.org/ree/index.php?iqua-te=7 145 | https://garib.org/ree/index.php?ut-uqecoanutrs=10 146 | https://garrisonsloan.com/blo/6436987081eb4.zip 147 | https://garrisonsloan.com/blo/64369dd66cd22.zip 148 | https://gebiofuels.in/eie/index.php?et-tu=2 149 | https://gitbakal.com/bus/index.php?uta-lmaltiio=9 150 | https://goldenface.org/blo/6436d49a5f523.zip 151 | https://goodnewstest.online/nnio/nnio.php 152 | https://govjobfinder.com/om/index.php?niaimm-gmniosidsis=1 153 | https://greenbrigade.co/enr/index.php?quamqusi-da=7 154 | https://gronity.com/tp/index.php?eess-icndtniu=5 155 | 
https://gronity.com/tp/index.php?ucuamsctian-iuagft=5 156 | https://growuphigh.com/urr/index.php?te-iifclsa=8 157 | https://grupocg.mx/rmeu/index.php?anumqum-moaitlsee=10 158 | https://grupocg.mx/rmeu/index.php?ciilfas-amrue=4 159 | https://grupocg.mx/rmeu/index.php?id-ets=4 160 | https://grupocg.mx/rmeu/index.php?ut-dmio=1 161 | https://grupociv.com/rerl/rerl.php 162 | https://hardikdiamonds.com/sb/index.php?qui-ad=9 163 | https://hdlivestream24.com/tee/index.php?dcuumis-motat=3 164 | https://hillcrestfoods.com/blo/6436d515dc7ed.zip 165 | https://homgrocers.com/eaoa/index.php?mqideu-remur=4 166 | https://howtos.co.za/ox/index.php?scimduu-alstsmieo=9 167 | https://i3creations.lk/bl/index.php?ilscafi-olbsirduo=10 168 | https://ibp.mk/urr/fckYL1Nqqm.zip 169 | https://icagents.com/etd/index.php?esd-foficai=1 170 | https://icat.org.pe/eu/eumnon.php 171 | https://iecucampus.com/rtao/index.php?id-etrocuesctn=2 172 | https://ifsydney.au/qa/index.php?alomrbu-perexuitc=2 173 | https://ilodges.co.uk/blo/64369f522e6c3.zip 174 | https://importshop.com.bd/eabt/index.php?amhru-aerrsiopse=3 175 | https://intercambiohighschool.com.br/lvao/index.php?minga-ermur=10 176 | https://iredi.org/net/net.php 177 | https://isaca.org.uy/ma/index.php?ich-di=3 178 | https://itegglobal.com/roui/index.php?pimsu-taelemois=6 179 | https://jadapallinarayana.com/eq/index.php?atu-ftuiga=8 180 | https://jagoanads.co.id/ss/index.php?et-cisumud=1 181 | https://jawedhabibtvm.com/ts/index.php?tsi-qiau=10 182 | https://jesuisbusiness.com/bdt/index.php?ltiev-emu=2 183 | https://jobsnstudy.com/blo/643696011ee74.zip 184 | https://joehanmarketing.org/msio/index.php?a-odrleos=7 185 | https://jpujol.fr/mr/index.php?soeolrd-aimxme=7 186 | https://junacandcompany.com/idu/index.php?ta-iseidtb=5 187 | https://kbtkmtajumapolo.com/eler/rerumet.php 188 | https://keturaheva.xyz/ala/index.php?tatom-seleuredlnp=9 189 | https://kindheartscaregivers.com/ono/index.php?siimlquie-raeatuq=9 190 | 
https://kopkaralazharbsd.org/uqtq/index.php?est-beaeat=8 191 | https://koyamu.com/tmr/index.php?rldoo-orerr=6 192 | https://krearv.com/ou/index.php?oelords-muqceu=7 193 | https://lahzarest.com/sni/index.php?luveopmatt-tupreicxe=2 194 | https://lanzarote-portonova.com/iii/index.php?stepuborim-spium=4 195 | https://lipsum.tech/uoe/uoe.php 196 | https://littleplayz.com/etit/index.php?sidapcii-esmaior=7 197 | https://livingcanada.com.mx/rs/index.php?etis-tu=4 198 | https://livingcanada.com.mx/rs/index.php?sonumtr-pmiaera=9 199 | https://luburoadschool.com/blo/64369708e4967.zip 200 | https://maher-ranch.com/otst/index.php?pecalat-oqu=2 201 | https://makemyadvertisement.com/blo/64369e8b98c80.zip 202 | https://mannymart.com/easl/doloribusaliquid.php 203 | https://mastersacademy.in/nu/index.php?unttree-itmpeid=3 204 | https://maxwellintl.com/blo/6436967ea8b84.zip 205 | https://midasmarketinggroup.com/monu/index.php?oqlredomeu-iumps=3 206 | https://midlaneslogistics.com/oue/index.php?eaitv-arteciotch=1 207 | https://mimiagaengineeringgroup.com/blo/6436d3a5e87bc.zip 208 | https://mirrornews.in/blo/64369fcc06861.zip 209 | https://missioni-airlabcnr.it/cet/index.php?a-ltevi=7 210 | https://moptions.org/ro/index.php?ritsaitev-gmain=1 211 | https://mrlombenkofficial.com/rn/index.php?tiatrccoeh-smeboptrui=2 212 | https://mrshakesorvetes.com.br/oiae/index.php?igeeldin-a=7 213 | https://musicbygemini.com/luic/index.php?dse-icsporor=10 214 | https://muwht.com/mans/autbeatae.php 215 | https://mypham.phieugiamgia.vn/atm/o/r8WUh0rs0.zip 216 | https://nakulsaini.com/il/index.php?rinotae-te=10 217 | https://nazeejewels.com/do/index.php?neaudpedari-qiudail=6 218 | https://nje-njel.com/urr/Co/1W/zQJIXF4b.zip 219 | https://offerayo.com/ar/index.php?tsnau-ufag=4 220 | https://onestop-security.co.za/sq/index.php?des-srdineeferp=1 221 | https://orionsolconsulting.com/blo/6436d4c5ebd3a.zip 222 | https://osmiloradlabudoviclabud.edu.rs/hvei/index.php?toeupavlmt-iihln=9 223 | 
https://palmarspj.com/oi/index.php?oiamleste-roev=2 224 | https://pax.bjm.mybluehost.me/blo/64369392eb419.zip 225 | https://pcmartindia.in/iee/index.php?stanu-uiq=5 226 | https://performances-cga.net/sic/index.php?eiasorm-eolbra=6 227 | https://performances-cga.net/sic/index.php?eriisppstcia-ume=9 228 | https://performances-cga.net/sic/index.php?uqia-acteotirhc=8 229 | https://persianasemgoiania.com.br/re/index.php?est-ae=10 230 | https://pilottravelsbd.com/cduu/index.php?citdnnui-nsereucada=3 231 | https://pipslab.com.ng/ei/index.php?ste-uqeen=7 232 | https://pkpackages.com/vtor/index.php?esrcoutuqan-minso=5 233 | https://poolcleanerchoice.com/en/index.php?uqo-seidbti=6 234 | https://printstore.com.pk/blo/643697488fd1a.zip 235 | https://profabdulqayyum.com/blo/643696a319437.zip 236 | https://promoterst.xyz/blo/6436976083b3b.zip 237 | https://prsparrow.com/cqn/index.php?ucditnni-atu=3 238 | https://punet.net/eslt/index.php?eist-et=3 239 | https://raissatec.ma/rn/index.php?boalmsriao-ae=5 240 | https://redforceindustry.com/is/index.php?iaslicf-ut=4 241 | https://regjoubertattorneys.co.za/blo/64369eeb4f0dd.zip 242 | https://restaurantduchess.com/ifa/index.php?riodnetpv-cpeatla=5 243 | https://rhmmya.com/uu/index.php?tua-oillimat=7 244 | https://riversoflifeworshipcenter.com/iovp/index.php?pilocaebx-iunms=3 245 | https://rosebudsawservice.com.au/atm/mO/Uf/srZhzfgE.zip 246 | https://rovincoteas.com/eper/index.php?avtelouspt-seo=4 247 | https://royanspa.com/blo/6436974eda9cc.zip 248 | https://rsbgruas.cl/enoi/index.php?dniictun-niinudct=10 249 | https://rsbgruas.cl/enoi/index.php?quudmbias-tnosmur=4 250 | https://rudranetra.com/laa/index.php?ume-esqiu=3 251 | https://safe.bbits.solutions/blo/64369e6470f01.zip 252 | https://sahel-fund.com/ut/index.php?ba-atcid=6 253 | https://saieswar.in/au/index.php?ltecaap-dmorloe=10 254 | https://saphiremarket.com/dex/index.php?nisi-ospsisum=6 255 | https://saphiremarket.com/dex/index.php?sit-umrre=6 256 | 
https://sassysecrets.com.au/mu/numquamducimus.php 257 | https://sentosageigy.us/mdn/index.php?iosut-in=2 258 | https://servegenie.in/tt/index.php?qou-auhrm=2 259 | https://shilpaarorand.com/sdrl/index.php?otreenvin-tuois=8 260 | https://shoppingoutlets.net/lei/index.php?tdmeiip-lodumro=10 261 | https://sickfishmixnft.io/uuet/uuet.php 262 | https://silkroutemag.com/blo/64369a6157578.zip 263 | https://simplicare.com.br/mi/index.php?nnceustqruuo-brielo=4 264 | https://singhifinancial.com/de/index.php?ivnnetore-mlttpauveo=4 265 | https://sistemasdelcaribe.com/pmda/index.php?aqeu-stspiicu=2 266 | https://slslingactivate.com/rf/index.php?iqasu-ptoltamveu=5 267 | https://smcsvandannoor.com/te/index.php?angmi-tsin=10 268 | https://smcsvandannoor.com/te/index.php?uta-egiiednl=6 269 | https://snooplyrics.com/atn/index.php?rtatcicohe-tu=4 270 | https://specttrum.in/iui/index.php?elv-tsi=10 271 | https://spicevillagedmv.com/blo/64369fbd3244a.zip 272 | https://sportsexpert.us/uoc/index.php?insi-tu=5 273 | https://squibbresearch.com/eloc/index.php?dsuletec-suanmedsa=7 274 | https://ssorl.org/ee/index.php?unall-ex=6 275 | https://staging.cls.pt/nqi/index.php?liuml-eds=8 276 | https://stravels.com.ng/urr/Zb2/sMW/gDR/S2uAbP8.zip 277 | https://switchandretain.com/blo/64369a7bacfdd.zip 278 | https://tandtprojectt.in/uut/index.php?esilmtaeo-auaqter=8 279 | https://tansov.com.au/idi/index.php?et-agnim=9 280 | https://tansov.com.au/idi/index.php?reecfa-rvtsitaie=1 281 | https://tawkil.net/oi/undesit.php 282 | https://tevoi.info/blo/64367f785d0d4.zip 283 | https://tgstravelhouse.com/mai/index.php?ut-dcnuitin=7 284 | https://thechocolatesaga.com/eaeo/index.php?tu-hmrua=6 285 | https://tidyfish.co/elu/index.php?ni-qiu=3 286 | https://tomartaka.com/es/index.php?eaaccocit-icopebaxl=9 287 | https://toptakeaways4.com/ase/index.php?uqi-te=1 288 | https://trafficmentors.com/eee/index.php?suipm-loodre=8 289 | https://travelpari.com/mo/index.php?uiq-naust=1 290 | https://trimir.in/teq/teq.php 291 
| https://trussell.ae/sse/index.php?iieqluism-esaltoiem=3 292 | https://trussell.ae/sse/index.php?quea-mutpaoeltv=9 293 | https://tuwebb.net/blo/64368fb6a1d28.zip 294 | https://ubuntoon.com/atm/Uky/8fE/ZGJ/kLdKFy2.zip 295 | https://ukquestion.com/blo/64369a6990478.zip 296 | https://valuefirstfinserv.com/oesr/index.php?ets-uqsi=9 297 | https://vebsytes.com/lii/index.php?etpemro-ructipro=1 298 | https://viptiger.com.br/meto/index.php?tau-qeius=1 299 | https://voiprouteprovider.com/ur/suntoptio.php 300 | https://webrixtech.com/atm/lJd/1Rq/Txu/pdAW7iw.zip 301 | https://websitedesign.com.mm/blo/6436919e0602c.zip 302 | https://webstdy.com/blo/64369bb5ab92d.zip 303 | https://windowsdriverupdate.com/nru/index.php?esse-tse=6 304 | https://woodenships-wholesale.com/urr/2/JVTIzt22S.zip 305 | https://www.findingdori.com/uui/index.php?orrpo-ilihn=10 306 | https://yourcarsolution.com/blo/64369aa304aed.zip 307 | https://zdrss.com/at/index.php?des-rodlo=5 308 | https://zetafruit.cl/upi/upi.php 309 | https://zodiacintuition.com/hfem/index.php?at-oqu=10 310 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # iocs 2 | This will house my personal collection of IoCs, PCREs, YARA rules, and other malware-specific material I want to store. 
3 | -------------------------------------------------------------------------------- /RigEK/rigek.pcre: -------------------------------------------------------------------------------- 1 | ############################ 2 | # RigEK PCRE Collection # 3 | # @noottrak # 4 | ############################ 5 | # 01 ?MzA0ODMx&cnipZGukUyQz&thsdf34d=sEaAXl2BGGeAM0lYsPVlMapamrikmGzBCagMKE_hKEYV5AqsDAEbQL0Vj1zLARQJYkhxWy&GvFUZRzQYupZvBF=bG9jYXRlZA==&reGJUIeIUjKhFH=dGFraW5n&ndf256Cs=wnjQMvXcLhXQFYbDKuXDSKZDKU7WGUaVw4-dhMG3YpjNfynz0uzURnL1tASVVFiRrbMdKb&henbOiEuMlIkcHQ=bG9jYXRlZA==&fHzePD=bG9jYXRlZA==&GoTKVDFDHny=cG9wdWxhcg==&lFRgVyaalGc=bG9jYXRlZA==&LxelodGE=Y2FwaXRhbA== 6 | ########## 7 | # 01 8 | ^(http(s)?:\/\/)?([^\x2F]+\/)+\?[MNO][DTjz][AEIMQUYcgk][012345wxyz][MNO][DTjz][AEIMQUYcgk][012345wxyz=](&[a-zA-Z0-9]+)?(&[a-zA-Z0-9]+=[a-zA-Z0-9-_=]+){8,11} karttoon 23MAR2018 - RigEK DL [ ?MzA0ODMx&cnipZGukUyQz&thsdf34d=sEaAXl2BGGeAM0lYsPVlMapamrikmGzBCagMKE_hKEYV5AqsDAEbQL0Vj1zLARQJYkhxWy&GvFUZRzQYupZvBF=bG9jYXRlZA==&reGJUIeIUjKhFH=dGFraW5n&ndf256Cs=wnjQMvXcLhXQFYbDKuXDSKZDKU7WGUaVw4-dhMG3YpjNfynz0uzURnL1tASVVFiRrbMdKb&henbOiEuMlIkcHQ=bG9jYXRlZA==&fHzePD=bG9jYXRlZA==&GoTKVDFDHny=cG9wdWxhcg==&lFRgVyaalGc=bG9jYXRlZA==&LxelodGE=Y2FwaXRhbA== ] 9 | -------------------------------------------------------------------------------- /Sality/sality.pcre: -------------------------------------------------------------------------------- 1 | ########################## 2 | # Sality PCRE Collection # 3 | # @noottrak # 4 | ########################## 5 | # 01 logos.gif?1d7bfa3=123666060 6 | ########## 7 | # 01 8 | ^(http(s)?:\/\/)?([^\x2F]+\/)+[a-z_]{2,11}[0-9]?\.(gif|jpg|png)\?[a-z0-9]{5,7}=[0-9]{6,9}$ karttoon 25MAY2018 - Sality C2 [ logos.gif?1d7bfa3=123666060 ] 9 | -------------------------------------------------------------------------------- /Shlayer/shlayer.pcre: -------------------------------------------------------------------------------- 1 | ############################## 2 | # Shlayer 
PCRE Collection # 3 | # @noottrak # 4 | ############################## 5 | # 01 api.binarysources.com/sd/?c=_pl_GJybQ==&u=37E85811-BE72-5FD0-9D8F-E49AE340617E&s=50F5DACD-3DA0-4EF2-9CBD-D59526AE32B8&o=10.9.4&b=6828900223 6 | ########## 7 | # 01 8 | ^(http(s)?:\/\/)?api\.(?:[^\x2F]+\/)sd\/\?c=[a-zA-Z0-9=+\/_]+(&(u|s)=[0-9A-F]{8}(\-[0-9A-F]{4}){3}\-[0-9A-F]{12}){2}&o=[0-9]{2}\.[0-9]{1,2}\.[0-9]{1,2}&b=[0-9]{10}$ karttoon 04JAN2021 - Shlayer C2 [ api.binarysources.com/sd/?c=_pl_GJybQ==&u=37E85811-BE72-5FD0-9D8F-E49AE340617E&s=50F5DACD-3DA0-4EF2-9CBD-D59526AE32B8&o=10.9.4&b=6828900223 ] 9 | -------------------------------------------------------------------------------- /Shlayer/shlayer.urls: -------------------------------------------------------------------------------- 1 | http://api.appfastplay.com/sd/?c=s2FybQ==&u=37E85811-BE72-5FD0-9D8F-E49AE340617E&s=92202DC4-E5D4-49BF-8660-E4DE2255697A&o=10.9.4&b=2605850320 2 | http://api.macfantsy.com/sd/?c=q2BybQ==&u=37E85811-BE72-5FD0-9D8F-E49AE340617E&s=58D445E4-1068-4BE2-8C44-8E950477ADB8&o=10.9.4&b=2752904908 3 | http://api.contemporaryapps.com/sd/?c=GmFybQ==&u=37E85811-BE72-5FD0-9D8F-E49AE340617E&s=1F4AA62E-4428-44A2-A648-B0FADEBD85B4&o=10.9.4&b=2789722995 4 | http://api.filtercommand.com/sd/?c=y2RybQ==&u=37E85811-BE72-5FD0-9D8F-E49AE340617E&s=201301E0-9AB7-4996-A7CF-987A7BE463C3&o=10.9.4&b=6972197389 5 | http://api.macfantsy.com/sd/?c=q2BybQ==&u=37E85811-BE72-5FD0-9D8F-E49AE340617E&s=C766E337-1626-44F9-B1A1-1A716684534D&o=10.9.4&b=2786936194 6 | http://api.formatlog.com/sd/?c=9WRybQ==&u=37E85811-BE72-5FD0-9D8F-E49AE340617E&s=4382CBF6-B60C-4B58-B61A-3F8B53479627&o=10.9.4&b=6968987868 7 | http://api.browsedisplay.com/sd/?c=l2JybQ==&u=37E85811-BE72-5FD0-9D8F-E49AE340617E&s=95E3CC63-828F-4042-80F9-AE0E9341F707&o=10.9.4&b=6958027809 8 | http://api.browsedisplay.com/sd/?c=l2JybQ==&u=37E85811-BE72-5FD0-9D8F-E49AE340617E&s=8BF8EF48-F989-4C1E-9006-EF06ADD9B2C2&o=10.9.4&b=6958027809 9 | 
http://api.contemporaryapps.com/sd/?c=GmFybQ==&u=37E85811-BE72-5FD0-9D8F-E49AE340617E&s=68AF1B99-1FC8-481F-BC99-B79BE9B09B70&o=10.9.4&b=2789675287 10 | http://api.contemporaryapps.com/sd/?c=GmFybQ==&u=37E85811-BE72-5FD0-9D8F-E49AE340617E&s=379C993C-E742-4CD3-9FBB-0D203C857561&o=10.9.4&b=2773140092 11 | http://api.contemporaryapps.com/sd/?c=GmFybQ==&u=37E85811-BE72-5FD0-9D8F-E49AE340617E&s=793F5B66-2853-47CA-BEA3-FA9B40EF4DB5&o=10.9.4&b=2789819429 12 | http://api.masteranalyser.com/sd/?c=_pl_2JybQ==&u=37E85811-BE72-5FD0-9D8F-E49AE340617E&s=2A02D502-F8BB-46FF-9783-459608F46792&o=10.9.4&b=7025430368 13 | http://api.formatlog.com/sd/?c=9WRybQ==&u=37E85811-BE72-5FD0-9D8F-E49AE340617E&s=296760BA-E5F3-4B3D-AFCF-8CB531505D63&o=10.9.4&b=6972200610 14 | http://api.publicanalyser.com/sd/?c=52JybQ==&u=37E85811-BE72-5FD0-9D8F-E49AE340617E&s=C50B66BA-3FBB-4B22-A954-8E9B2DD85125&o=10.9.4&b=7009754654 15 | http://api.masteranalyser.com/sd/?c=_pl_2JybQ==&u=37E85811-BE72-5FD0-9D8F-E49AE340617E&s=35B917D3-D266-4563-B04D-2C73AF402275&o=10.9.4&b=6972196180 16 | http://api.analyzedisplay.com/sd/?c=W2VybQ==&u=37E85811-BE72-5FD0-9D8F-E49AE340617E&s=010FB820-74DC-49E0-8298-F028BBD3142D&o=10.9.4&b=7032782933 17 | http://api.alphaelemnt.com/sd/?c=HGVybQ==&u=37E85811-BE72-5FD0-9D8F-E49AE340617E&s=2D600675-8EEA-4FC4-BA7A-43208D55AD0C&o=10.9.4&b=6970995184 18 | http://api.alphaelemnt.com/sd/?c=HGVybQ==&u=37E85811-BE72-5FD0-9D8F-E49AE340617E&s=20C65B68-11B7-4E42-8C42-1F892BB28EA3&o=10.9.4&b=6970995184 19 | http://api.masteranalyser.com/sd/?c=_pl_2JybQ==&u=37E85811-BE72-5FD0-9D8F-E49AE340617E&s=44667CAA-1C94-481A-8C2D-C5F916A6F6A6&o=10.9.4&b=7001104045 20 | http://api.browsedisplay.com/sd/?c=l2JybQ==&u=37E85811-BE72-5FD0-9D8F-E49AE340617E&s=761A5C9B-327D-4FD2-9F26-2BCC46F8AACD&o=10.9.4&b=6912336666 21 | http://api.browsedisplay.com/sd/?c=l2JybQ==&u=37E85811-BE72-5FD0-9D8F-E49AE340617E&s=E896AFC1-5B91-4CFF-B8A7-4D9043243ABC&o=10.9.4&b=6912336666 22 | 
http://api.launcheremote.com/sd/?c=GmRybQ==&u=37E85811-BE72-5FD0-9D8F-E49AE340617E&s=5D5C74F3-7143-499F-A733-BBB27A549434&o=10.9.4&b=6873331007 23 | http://api.launcheremote.com/sd/?c=GmRybQ==&u=37E85811-BE72-5FD0-9D8F-E49AE340617E&s=BEE35F3A-8CFB-441B-A36F-DE599957DB18&o=10.9.4&b=6873331007 24 | http://api.macsinsights.com/sd/?c=hWBybQ==&u=37E85811-BE72-5FD0-9D8F-E49AE340617E&s=ED9BE80D-BF69-46A6-B5E2-C49B325FB548&o=10.9.4&b=6676340013 25 | http://api.macsinsights.com/sd/?c=hWBybQ==&u=37E85811-BE72-5FD0-9D8F-E49AE340617E&s=A54B83CA-34C1-4B92-AF33-2FD3F5EDDF1B&o=10.9.4&b=6676340013 26 | http://api.binarysources.com/sd/?c=_pl_GJybQ==&u=37E85811-BE72-5FD0-9D8F-E49AE340617E&s=2916CCEA-8487-4ECC-820C-7BFF73F7478A&o=10.9.4&b=6937170551 27 | http://api.binarysources.com/sd/?c=_pl_GJybQ==&u=37E85811-BE72-5FD0-9D8F-E49AE340617E&s=630E2A0D-3938-4759-A0CB-0EC30246B6F7&o=10.9.4&b=6937170551 28 | http://api.binarysources.com/sd/?c=_pl_GJybQ==&u=37E85811-BE72-5FD0-9D8F-E49AE340617E&s=389BC427-42E7-48A4-AC0A-150A9564F55C&o=10.9.4&b=6918647979 29 | http://api.binarysources.com/sd/?c=_pl_GJybQ==&u=37E85811-BE72-5FD0-9D8F-E49AE340617E&s=B987F1EE-08E0-4CD0-876B-672EB46E14D6&o=10.9.4&b=6918647979 30 | http://api.alphaelemnt.com/sd/?c=HGVybQ==&u=37E85811-BE72-5FD0-9D8F-E49AE340617E&s=5C8BE65C-9276-438D-9232-373040DCB134&o=10.9.4&b=6866244107 31 | http://api.alphaelemnt.com/sd/?c=HGVybQ==&u=37E85811-BE72-5FD0-9D8F-E49AE340617E&s=F3212D08-D378-4F85-9523-EFEEDD004612&o=10.9.4&b=6866244107 32 | http://api.alphaelemnt.com/sd/?c=HGVybQ==&u=37E85811-BE72-5FD0-9D8F-E49AE340617E&s=6C488EA0-C093-4BD1-955E-541A24EA9E7C&o=10.9.4&b=6929567717 33 | http://api.alphaelemnt.com/sd/?c=HGVybQ==&u=37E85811-BE72-5FD0-9D8F-E49AE340617E&s=0BBF0F7D-ABD1-4F69-A9C6-B6D004F64B45&o=10.9.4&b=6929567717 34 | http://api.masteranalyser.com/sd/?c=_pl_2JybQ==&u=37E85811-BE72-5FD0-9D8F-E49AE340617E&s=18A8E443-3B2E-4E81-8740-8C6576E43D23&o=10.9.4&b=6899153616 35 | 
http://api.masteranalyser.com/sd/?c=_pl_2JybQ==&u=37E85811-BE72-5FD0-9D8F-E49AE340617E&s=F0730488-6DF9-4617-BECB-10598A2C92AE&o=10.9.4&b=6899153616 36 | http://api.alphaelemnt.com/sd/?c=HGVybQ==&u=37E85811-BE72-5FD0-9D8F-E49AE340617E&s=7CBAAED8-E4B5-4646-80C0-26EB0A035E66&o=10.9.4&b=6950472115 37 | http://api.alphaelemnt.com/sd/?c=HGVybQ==&u=37E85811-BE72-5FD0-9D8F-E49AE340617E&s=C5DC6B1B-BD37-4D63-8700-3DD8415D7167&o=10.9.4&b=6950472115 38 | http://api.formatlog.com/sd/?c=9WRybQ==&u=37E85811-BE72-5FD0-9D8F-E49AE340617E&s=0FD04509-32A1-4C25-9D6B-2E811CECCE78&o=10.9.4&b=6915560607 39 | http://api.formatlog.com/sd/?c=9WRybQ==&u=37E85811-BE72-5FD0-9D8F-E49AE340617E&s=ADB9806B-56FA-40AA-B65F-B6AA3889AAA5&o=10.9.4&b=6915560607 40 | http://api.resultsformat.com/sd/?c=C2NybQ==&u=37E85811-BE72-5FD0-9D8F-E49AE340617E&s=65027DBA-E06D-4E23-9079-2E9189F4AF65&o=10.9.4&b=6484950661 41 | http://api.resultsformat.com/sd/?c=C2NybQ==&u=37E85811-BE72-5FD0-9D8F-E49AE340617E&s=3E84C401-2966-4BE8-ACCC-25D555718C2A&o=10.9.4&b=6484950661 42 | http://api.configentry.com/sd/?c=xWRybQ==&u=37E85811-BE72-5FD0-9D8F-E49AE340617E&s=E5EC9632-0973-4A05-9BBD-9D928C6BEB16&o=10.9.4&b=6889851211 43 | http://api.configentry.com/sd/?c=xWRybQ==&u=37E85811-BE72-5FD0-9D8F-E49AE340617E&s=13C396D5-6740-4D3D-AB4C-A13B968FA00B&o=10.9.4&b=6889851211 44 | http://api.alphaelemnt.com/sd/?c=HGVybQ==&u=37E85811-BE72-5FD0-9D8F-E49AE340617E&s=313F8DD8-FBEA-4F41-9D69-503FBE3710FF&o=10.9.4&b=6892524413 45 | http://api.alphaelemnt.com/sd/?c=HGVybQ==&u=37E85811-BE72-5FD0-9D8F-E49AE340617E&s=CDE3E72F-E242-4A39-9C81-A3302D4F3964&o=10.9.4&b=6892524413 46 | http://api.macsinsights.com/sd/?c=hWBybQ==&u=37E85811-BE72-5FD0-9D8F-E49AE340617E&s=C6E86B0E-F16C-479E-B69F-AD85AA7CF881&o=10.9.4&b=6840673583 47 | http://api.macsinsights.com/sd/?c=hWBybQ==&u=37E85811-BE72-5FD0-9D8F-E49AE340617E&s=8471C8E2-4182-4AF0-B9C3-50BAEB534703&o=10.9.4&b=6840673583 48 | 
http://api.configentry.com/sd/?c=xWRybQ==&u=37E85811-BE72-5FD0-9D8F-E49AE340617E&s=F4265C9A-65FD-4D23-AE8C-9B53CE8E2F29&o=10.9.4&b=6555782497 49 | http://api.configentry.com/sd/?c=xWRybQ==&u=37E85811-BE72-5FD0-9D8F-E49AE340617E&s=E22B36F5-2CDF-491D-B725-A003E68D846C&o=10.9.4&b=6555782497 50 | http://api.browsedisplay.com/sd/?c=l2JybQ==&u=37E85811-BE72-5FD0-9D8F-E49AE340617E&s=148896A7-E217-4063-AAA7-87FBDF9F299C&o=10.9.4&b=6890738053 51 | http://api.browsedisplay.com/sd/?c=l2JybQ==&u=37E85811-BE72-5FD0-9D8F-E49AE340617E&s=7E5D840A-5FF4-47E7-B7CC-9528F02E2E01&o=10.9.4&b=6890738053 52 | http://api.configentry.com/sd/?c=xWRybQ==&u=37E85811-BE72-5FD0-9D8F-E49AE340617E&s=F22D04C9-27BF-426C-AD81-3901E0476FF9&o=10.9.4&b=6904155209 53 | http://api.configentry.com/sd/?c=xWRybQ==&u=37E85811-BE72-5FD0-9D8F-E49AE340617E&s=A7BB3F9C-9439-40D2-96A6-2D1353A598CE&o=10.9.4&b=6904155209 54 | http://api.alphaelemnt.com/sd/?c=HGVybQ==&u=37E85811-BE72-5FD0-9D8F-E49AE340617E&s=DE8A4E1D-05BD-4F57-BFA2-9ECEC9B60D68&o=10.9.4&b=6910727124 55 | http://api.alphaelemnt.com/sd/?c=HGVybQ==&u=37E85811-BE72-5FD0-9D8F-E49AE340617E&s=3B8C8815-9CDC-4E95-9065-439277BE0CF8&o=10.9.4&b=6910727124 56 | http://api.filtercommand.com/sd/?c=y2RybQ==&u=37E85811-BE72-5FD0-9D8F-E49AE340617E&s=E8113FDD-D2B0-44BA-BA08-2D5DE0747E15&o=10.9.4&b=6952032820 57 | http://api.filtercommand.com/sd/?c=y2RybQ==&u=37E85811-BE72-5FD0-9D8F-E49AE340617E&s=8464F29D-71E0-4A3D-82FB-7102B0651728&o=10.9.4&b=6952032820 58 | http://api.binarysources.com/sd/?c=_pl_GJybQ==&u=37E85811-BE72-5FD0-9D8F-E49AE340617E&s=A17CE28D-589D-493F-954F-680205E5BD12&o=10.9.4&b=6811379230 59 | http://api.binarysources.com/sd/?c=_pl_GJybQ==&u=37E85811-BE72-5FD0-9D8F-E49AE340617E&s=E9798529-31CC-4464-8F1A-613E20C0116C&o=10.9.4&b=6811379230 60 | http://api.configentry.com/sd/?c=xWRybQ==&u=37E85811-BE72-5FD0-9D8F-E49AE340617E&s=8DB890F9-38B9-4BDE-8255-902E8548FC05&o=10.9.4&b=6555782497 61 | 
http://api.configentry.com/sd/?c=xWRybQ==&u=37E85811-BE72-5FD0-9D8F-E49AE340617E&s=63260B35-1DBD-4D2F-BE13-4AFED24133E1&o=10.9.4&b=6555782497 62 | http://api.configentry.com/sd/?c=xWRybQ==&u=37E85811-BE72-5FD0-9D8F-E49AE340617E&s=4C0332CB-5EE0-4F35-ACAC-AE3F13A61D2B&o=10.9.4&b=6555782497 63 | http://api.configentry.com/sd/?c=xWRybQ==&u=37E85811-BE72-5FD0-9D8F-E49AE340617E&s=EDBB0CCA-0B70-49CE-A581-754737843C46&o=10.9.4&b=6555782497 64 | http://api.locatorbasic.com/sd/?c=bmRybQ==&u=37E85811-BE72-5FD0-9D8F-E49AE340617E&s=BE10F1BD-8672-4EDF-AC0A-3D6C37C5E821&o=10.9.4&b=6804451514 65 | http://api.locatorbasic.com/sd/?c=bmRybQ==&u=37E85811-BE72-5FD0-9D8F-E49AE340617E&s=8E1288A5-3614-4348-BE46-8EF41451870D&o=10.9.4&b=6804451514 66 | http://api.configentry.com/sd/?c=xWRybQ==&u=37E85811-BE72-5FD0-9D8F-E49AE340617E&s=A8F5B659-30AF-4E85-97A3-6C8DDB3B3EE4&o=10.9.4&b=6555782497 67 | http://api.configentry.com/sd/?c=xWRybQ==&u=37E85811-BE72-5FD0-9D8F-E49AE340617E&s=323B73FC-7D7C-47DA-831F-8AD234DB06A9&o=10.9.4&b=6555782497 68 | http://api.configentry.com/sd/?c=xWRybQ==&u=37E85811-BE72-5FD0-9D8F-E49AE340617E&s=62567FE7-B7EF-45A0-A297-1C389F6374D1&o=10.9.4&b=6555698729 69 | http://api.configentry.com/sd/?c=xWRybQ==&u=37E85811-BE72-5FD0-9D8F-E49AE340617E&s=3DA0DECD-643A-41B6-895F-32294F6E7E21&o=10.9.4&b=6555698729 70 | http://api.formatlog.com/sd/?c=9WRybQ==&u=37E85811-BE72-5FD0-9D8F-E49AE340617E&s=17CA6C00-1E7C-40E9-B682-585480381BE6&o=10.9.4&b=6776599032 71 | http://api.formatlog.com/sd/?c=9WRybQ==&u=37E85811-BE72-5FD0-9D8F-E49AE340617E&s=25EA13BC-9AF6-4326-B941-00CEACCCEE1F&o=10.9.4&b=6776599032 72 | http://api.configentry.com/sd/?c=xWRybQ==&u=37E85811-BE72-5FD0-9D8F-E49AE340617E&s=5CB8F1A6-2A2F-450F-82EF-A295118BC0D8&o=10.9.4&b=6813985185 73 | http://api.configentry.com/sd/?c=xWRybQ==&u=37E85811-BE72-5FD0-9D8F-E49AE340617E&s=F6E0247D-ACBB-46BD-9C01-5AA6B4DCD148&o=10.9.4&b=6813985185 74 | 
http://api.binarysources.com/sd/?c=_pl_GJybQ==&u=37E85811-BE72-5FD0-9D8F-E49AE340617E&s=F087741B-6E4F-4062-821A-2F0B8572B8A8&o=10.9.4&b=6828900223 75 | http://api.binarysources.com/sd/?c=_pl_GJybQ==&u=37E85811-BE72-5FD0-9D8F-E49AE340617E&s=50F5DACD-3DA0-4EF2-9CBD-D59526AE32B8&o=10.9.4&b=6828900223 76 | http://api.browsedisplay.com/sd/?c=l2JybQ==&u=37E85811-BE72-5FD0-9D8F-E49AE340617E&s=B6CD2C77-8C82-4456-B5F3-ABEA8817F544&o=10.9.4&b=6808105041 77 | http://api.browsedisplay.com/sd/?c=l2JybQ==&u=37E85811-BE72-5FD0-9D8F-E49AE340617E&s=799F33B8-A0E3-41E8-A706-21FB528B76D8&o=10.9.4&b=6808105041 78 | http://api.formatlog.com/sd/?c=9WRybQ==&u=37E85811-BE72-5FD0-9D8F-E49AE340617E&s=EAFEC306-9C81-4063-8A6A-8590963E59BF&o=10.9.4&b=6753929747 79 | http://api.formatlog.com/sd/?c=9WRybQ==&u=37E85811-BE72-5FD0-9D8F-E49AE340617E&s=1C89806E-E8D9-4D53-A1EF-80A4F10A25B8&o=10.9.4&b=6753929747 80 | http://api.alphaelemnt.com/sd/?c=HGVybQ==&u=37E85811-BE72-5FD0-9D8F-E49AE340617E&s=9B1DA624-F486-4439-8405-A374194BEB8B&o=10.9.4&b=6839140282 81 | http://api.alphaelemnt.com/sd/?c=HGVybQ==&u=37E85811-BE72-5FD0-9D8F-E49AE340617E&s=99E4E57A-563E-4E2D-97D9-03FC01DFD953&o=10.9.4&b=6839140282 82 | http://api.formatlog.com/sd/?c=9WRybQ==&u=37E85811-BE72-5FD0-9D8F-E49AE340617E&s=7F9286D6-4574-4689-AACD-E46F900A771E&o=10.9.4&b=6795737379 83 | http://api.formatlog.com/sd/?c=9WRybQ==&u=37E85811-BE72-5FD0-9D8F-E49AE340617E&s=8BE9A24B-A4E4-4072-9FB4-968D7D6BC24C&o=10.9.4&b=6795737379 84 | http://api.alphaelemnt.com/sd/?c=HGVybQ==&u=37E85811-BE72-5FD0-9D8F-E49AE340617E&s=20F8601E-BF63-4C03-AC82-0B2E16AAFF3D&o=10.9.4&b=6823718975 85 | http://api.alphaelemnt.com/sd/?c=HGVybQ==&u=37E85811-BE72-5FD0-9D8F-E49AE340617E&s=2BE2FFE6-4AFF-4799-915E-BCF9BE718EE6&o=10.9.4&b=6823718975 86 | -------------------------------------------------------------------------------- /SlothfulMedia/slothfulmedia.pcre: -------------------------------------------------------------------------------- 1 | 
################################# 2 | # SlothfulMedia PCRE Collection # 3 | # @noottrak # 4 | ################################# 5 | # 01 v?m=C0tpQQcxAd80&i=1570631083 6 | ########## 7 | # 01 8 | ^(http(s)?:\/\/)?([^\x2F]+\/)v\?m=[A-Za-z0-9]{12}&i=[0-9]{10}$ karttoon 07OCT2020 - SlothfulMedia C2 - [ v?m=C0tpQQcxAd80&i=1570631083 ] 9 | -------------------------------------------------------------------------------- /SlothfulMedia/slothfulmedia.urls: -------------------------------------------------------------------------------- 1 | http://10.32.150.86/v?m=PzwQGh3AOfC0&i=1569898048 2 | http://www.sdvro.net/v?m=C0tpQQcxAd80&i=1570631083 3 | -------------------------------------------------------------------------------- /TeamViewer/teamviewer.pcre: -------------------------------------------------------------------------------- 1 | ############################## 2 | # TeamViewer PCRE Collection # 3 | # @noottrak # 4 | ############################## 5 | # 01 gate.php%3fclient%5fid=00f18f71%26connected=0%26server%5fport=0%26debug=0 6 | ########## 7 | # 01 8 | ^(http(s)?:\/\/)?([^\x2F]+\/)+gate\.php(%3[Ff]|\/)client(%5[Ff]|_)id=[a-z0-9]{8}(%26|&)connected=[0-1](%26|&) karttoon 09MAR2018 - TeamViewer BackConnect [ gate.php%3fclient%5fid=00f18f71%26connected=0%26server%5fport=0%26debug=0 ] 9 | -------------------------------------------------------------------------------- /Trickbot/trickbot.pcre: -------------------------------------------------------------------------------- 1 | ############################### 2 | # Trickbot PCRE Collection # 3 | # @noottrak # 4 | ############################### 5 | # 01 tds.php?omz=1&pic=b1&id=35402062&scr=1920x1080&cur1=960x540&cur2=960x540 6 | ########## 7 | # 01 8 | ^(?:http(s)?:\/\/)?(?:[^\x2F]+\/)+[a-z]+\.php\?omz=[0-9]\&pic=[a-z][0-9]?\&id=[0-9]+\&scr=[0-9]{3,4}x[0-9]{3,4}&cur1=[0-9]{3,4}x[0-9]{3,4}\&cur2=[0-9]{3,4}x[0-9]{3,4}$ karttoon 02JUL2020 - Trickbot C2 [ 
tds.php?omz=1&pic=b1&id=35402062&scr=1920x1080&cur1=960x540&cur2=960x540 ] 9 | -------------------------------------------------------------------------------- /Ursnif/ursnif.pcre: -------------------------------------------------------------------------------- 1 | ########################## 2 | # Ursnif PCRE Collection # 3 | # @noottrak # 4 | ########################## 5 | # 01 zxciuniqhweizsds.com/NOD/viv.class 6 | # 02 files/red.php 7 | # 03 yyjqnwejqnweqweq.com/ARN/testv.php?l=uner10.yarn 8 | # 04 derwagiete.com/RUI/levond.php?l=goks4.xap 9 | # 05 images/lp8HUAb5MFVC54msW_2FcO/jQD_2F8TZjkSJ/botnC_2F/JYiVLGocALZe80Z3ahUiGcH/5VQ8736ALb/W8136oP9BA_2Fg50S/FYjMXz7MUHKL/2XLIX1CnvOi/1jMSxy3Z9MsOg2/HFClyCllq2KzfLvAaeAZr/o4L4SIL.gif 10 | # 06 RTT/opanskot.php?l=okb5.tkn 11 | ########## 12 | # 01 13 | ^(http(s)?:\/\/)?([a-z]{15,26}|([0-9]{1,3}\.){3}[0-9]{1,3})(\.com)?\/([a-z]{3,5}|[A-Z]{2,5}|[a-z]{5}_[a-z]{4,6})\/[a-z]{3,8}[0-9]?\.(class|pfx|(t|l)zm|sam|mdf)$ karttoon 15MAY2018 - Ursnif DL [ zxciuniqhweizsds.com/NOD/viv.class ] 14 | # 02 15 | ^(http(s)?:\/\/)?([^\x2F]+\/)+(stat|api|files|thumb|agenti|images|shop|1300|itexe)\/(red|ri)\.php$ karttoon 14MAR2018 - Ursnif C2 [ files/red.php ] 16 | # 03 17 | ^(http(s)?:\/\/)?([a-z0-9]{9,28}|([0-9]{1,3}\.){3}[0-9]{1,3})(\.com|\.net)?\/([a-z]{3,5}|[A-Z]{2,5}|[a-z]{5,8}_[a-z]{4,6})\/[a-z]{3,7}\.php\?(l|utma)=[a-z]{2,8}([0-9]{1,2})?(\.(yarn|class))?$ karttoon 15MAY2018 - Ursnif Dl [ yyjqnwejqnweqweq.com/ARN/testv.php?l=uner10.yarn ] 18 | # 04 19 | ^(http(s)?:\/\/)?[a-z]{9,16}\.com\/(YUY|RUI)\/(huonasdh|levond)\.php\?l=[a-z]{2,5}[0-9]\.(tkn|xap)$ karttoon 18OCT2018 - Ursnif DL [ derwagiete.com/RUI/levond.php?l=goks4.xap ] 20 | # 05 21 | ^(http(s)?:\/\/)?([^\x2F]+\/)+images\/([a-zA-Z0-9_]{1,23}\/){9,16}(?