import "hash"

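rule PoshC2_ImplantCorePy {
	// Detects the PoshC2 "Implant-Core.py" Python implant source.
	// The strings below are taken verbatim from the page; the "%%" sequences
	// and doubled backslashes are kept as given, which presumably means the
	// rule targets the un-rendered template file rather than a generated
	// implant -- confirm against a sample before relying on it.
	meta:
		description = "PoshC2 - Implant-Core.py"
		sha256 = "8653f19782f1e19e86caf6fdadc17790eb9d68ff34c8a249e9e9e26ba8000c88"
	strings:
		// High-confidence marker: the keylogger provenance comment.
		// The original rule listed this string twice ($x1/$x2); the
		// duplicate is dropped so a single hit no longer counts twice
		// toward "4 of them".
		$x1 = "  # keylogger imported from https://raw.githubusercontent.com/EmpireProject/Empire/fcd1a3d32b4c37a392c59ffe241b9cb973fde7f4/lib/"
		// Supporting strings: crontab persistence, payload decode/exec,
		// and HTTP request construction toward the C2 server.
		$s3 = "  s.call(\"crontab -l | { cat; echo '* 10 * * * sh %%s'; } | crontab -\" %% filename, shell=True)" ascii fullword
		$s4 = "  modpayload = modb64logger.replace(\"REPLACEME\",filename)" ascii fullword
		$s5 = "  returnval = \"%%s \\\\r\\\\nKeylogger started here: %%s\" %% (pids, filename)" ascii fullword
		$s6 = "  filename = \"%%s/%%s_psh.sh\" %% (dircontent, uuid.uuid4().hex)" ascii fullword
		$s7 = "  dircontent = \"%%s/.%%s\" %% (os.environ['HOME'], uuid.uuid4().hex)" ascii fullword
		// Truncated line (no closing quote in the source), so no "fullword";
		// the same text was also listed as $s15 and that duplicate is dropped.
		$s8 = "            if hh[0]: req=urllib2.Request(server,dataimagebytes,headers={'Host':str(hh[0]),'User-agent':str(ua),'Cookie':\"Sessi"
		$s9 = "  returnval = \"Ran Start Another Implant - File dropped: %%s\" %% filename" ascii fullword
		$s10 = "                returnval = subprocess.check_output(cmd, stderr=subprocess.STDOUT, shell=True)" ascii fullword
		$s11 = "  aes = get_encryption(key, iv)" ascii fullword
		$s12 = "      if hh[0]: req=urllib2.Request(server,headers={'Host':str(hh[0]),'User-agent':str(ua)})" ascii fullword
		$s13 = "  import subprocess as s" ascii fullword
		$s14 = "modules/python/collection/osx/keylogger.py" ascii fullword
		$s16 = "            postcookie = encrypt(key, taskId).decode(\"utf-8\")" ascii fullword
		$s17 = "  import subprocess" ascii fullword
		$s18 = "  exec(modpayload)" ascii fullword
		$s19 = "  s.call(\"crontab -l | { cat;  } | grep -v '_psh.sh'| crontab -\", shell=True)" ascii fullword
		$s20 = "  modb64logger = base64.b64decode(b64logger)" ascii fullword
	condition:
		// Cheap structural checks come first: YARA short-circuits "or", so
		// the whole-file SHA-256 in the second alternative is only computed
		// when the string-based match fails, instead of for every scanned
		// file as in the original ordering.
		// 0x6d69 read little-endian is the byte pair "im" at offset 0
		// (presumably the leading "import" line of the script).
		(
			uint16(0) == 0x6d69 and
			filesize < 40KB and
			1 of ($x*) and
			4 of them
		)
		or hash.sha256(0, filesize) == "8653f19782f1e19e86caf6fdadc17790eb9d68ff34c8a249e9e9e26ba8000c88"
}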
Category
Type Yara Rule
Details Published Attributes CTI Title
Details Website 2024-08-02 396 Resecurity | C2 Frameworks - Threat Hunting in Action with YARA Rules