import "hash"

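rule RedditC2_ImplantUNIX {
	// Detects the Python source of the RedditC2 implant (implant.py), which
	// polls a subreddit for tasking comments and posts command output back.
	// Matches either the known sample by SHA-256 or a generic Python source
	// file carrying enough of the implant's distinctive lines.
	meta:
		description = "RedditC2 - implant.py"
		reference = "Resecurity | C2 Frameworks - Threat Hunting in Action with YARA Rules"
		date = "2024-08-02"
		sha256 = "dba80b543f6d39f2d0631f6cfebef961259746e6f70fb0cf1431e85343ba7d32"
	strings:
		// Implant bootstrap and Reddit polling logic.
		$s1 = "    listener_session = subprocess.getoutput('hostname')" ascii fullword
		$s2 = "                    if(\"in:\" in top_level_comment.body and top_level_comment.id not in self.processed_comments):" ascii fullword
		$s3 = "    i = Implant(client_id, client_secret, username, password, subreddit, listener_session, user_agent, xor_key)" ascii fullword
		$s4 = "    output = subprocess.getoutput(command)" ascii fullword
		$s5 = "    def __init__(self, client_id, client_secret, username, password, subreddit_name, listener_name, user_agent, xor_key):" ascii fullword
		$s6 = "def runTask(command):" ascii fullword
		$s7 = "            ciphertext = \"powershell.exe \" + ciphertext[11:]" ascii fullword
		$s8 = "def decrypt(encoded_text, key):" ascii fullword
		$s9 = "                        self.processed_comments.append(top_level_comment.id)" ascii fullword
		$s10 = "        print(\"[+] Received task to execute: \" + ciphertext)" ascii fullword
		$s11 = "        self.processed_comments = []" ascii fullword
		$s12 = "        if(command[:8] == \"download\"):" ascii fullword
		// Hard-coded User-Agent; the line is truncated at the Chrome version, so no
		// 'fullword' (a digit follows the trailing '/'). The original $s16 was a
		// byte-identical duplicate of this string and double-counted towards
		// "8 of them"; it has been dropped.
		$s13 = "    user_agent = \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/"
		// Homegrown XOR/base64 "encryption" helpers and result posting.
		$s14 = "def encrypt(plaintext, key):" ascii fullword
		$s15 = "def xor_encrypt(plaintext, key):" ascii fullword
		$s17 = "        new_comment_body = comment_body.replace('in', 'executed')" ascii fullword
		$s18 = "        self.subreddit.submit(self.listener_name, selftext=postContent)" ascii fullword
		$s19 = "def base64_decode(encoded_text):" ascii fullword
		$s20 = "            output = runTask(command)" ascii fullword
	condition:
		// Generic branch first, cheapest test first: uint16 is little-endian, so
		// 0x6d69 is the bytes "im" (file starts with "import"), then a 20 KB
		// source-size cap, then 8 of the 19 distinct markers. The full-file hash
		// comparison comes last so it is only computed when the generic branch
		// fails; explicit parentheses make the and/or grouping unambiguous.
		(
			uint16(0) == 0x6d69 and
			filesize < 20KB and
			8 of them
		)
		or hash.sha256(0, filesize) == "dba80b543f6d39f2d0631f6cfebef961259746e6f70fb0cf1431e85343ba7d32"
}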
Details Website 2024-08-02 396 Resecurity | C2 Frameworks - Threat Hunting in Action with YARA Rules