import "hash"

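rule PickleC2 {
	meta:
		description = "PickleC2 - powershell.ps1"
		sha256 = "3a29a9b0f0e5ff1b61fa052a2173987b9f990616043791826e7426df603c43d1"
		reference = "Resecurity | C2 Frameworks - Threat Hunting in Action with YARA Rules (2024-08-02)"
	strings:
		// Implant entry point and the line that invokes it.
		$s1 = "function Execute($key,$ip,$port,$implant_name,$sleep_time){" ascii fullword
		$s2 = "Execute $key $ip $port $implant_name $sleep_time" ascii fullword
		// Host enumeration. $s3 is a truncated prefix of a longer line (it ends
		// mid-literal), so it carries no fullword modifier. The original rule
		// listed this identical text a second time as $s8, which double-counted
		// one line in "8 of them"; the duplicate has been dropped.
		$s3 = "    $LocalIPs = \"LocalIPs(\" + (([System.Net.Dns]::GetHostByName($NULL).AddressList | Select IPAddressToString | findstr \".*.*"
		$s5 = "    $Hostname = \"Machine_Name(\"+ [System.Net.Dns]::GetHostByName($NULL).Hostname + \")\"" ascii fullword
		$s13 = " -join ',').replace('IPAddressToString,-----------------,','').replace(\" \",\"\") + \")\"" ascii fullword
		// Command execution via a redirected child process.
		$s4 = "        $process.startInfo.UseShellExecute = $false" ascii fullword
		$s9 = "        $process.StandardOutput.ReadToEnd() + $process.StandardError.ReadToEnd() " ascii fullword
		$s10 = "            $cmd = \"cmd.exe\"" ascii fullword
		$s12 = "        elseif ($binary -eq \"execute\"){" ascii fullword
		$s14 = "            $cmd = \"powershell.exe\"" ascii fullword
		$s19 = "        $process.startInfo.RedirectStandardError = $true" ascii fullword
		// Tasking / result / file-download URLs, assembled from split literals.
		$s6 = "            $data = (Invoke-WebRequest -UseBasicParsing -Uri $file_download -Method 'POST').Content" ascii fullword
		$s11 = "    $file_download = \"ht\" + 'tp:' + \"//\" + $ip + \":$port/task/$implant_name/file.ret\"" ascii fullword
		$s16 = "        $task_req = (Invoke-WebRequest -UseBasicParsing -Uri $task -Method 'GET').Content" ascii fullword
		$s17 = "    $task = \"ht\" + \"tp:\" + \"//\" + $ip + \":$port/task/$implant_name\"" ascii fullword
		$s18 = "    $result = \"ht\" + \"tp:\" + \"//\" + $ip + \":$port/result/$implant_name\"" ascii fullword
		// Payload encryption helpers.
		$s7 = "    $unencryptedData = $decryptor.TransformFinalBlock($bytes, 16, $bytes.Length - 16);" ascii fullword
		$s15 = "function Decrypt-String($key, $encryptedStringWithIV) {" ascii fullword
		$s20 = "            $results = Encrypt-String $key \"Downloaded\"" ascii fullword
	condition:
		// Cheap structural checks come first so the whole-file hash is only
		// computed for files that fail them (YARA short-circuits "or").
		// uint16(0) reads the first two bytes little-endian: 0x7566 is the
		// ASCII pair "fu", consistent with a script that opens with "function".
		// Parentheses make the intended "A and B and C, or exact hash" grouping
		// explicit instead of relying on operator precedence.
		(
			uint16(0) == 0x7566 and
			filesize < 20KB and
			8 of them
		)
		or hash.sha256(0, filesize) == "3a29a9b0f0e5ff1b61fa052a2173987b9f990616043791826e7426df603c43d1"
}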
Details Website 2024-08-02 396 Resecurity | C2 Frameworks - Threat Hunting in Action with YARA Rules