// xPack loader: a PE file carrying either two of the loader's error/status
// messages or any one of the embedded .NET resource names.
rule xpack_loader {
meta:
author = "Symantec, a division of Broadcom"
// 64 hex digits (SHA-256 length); sample reference only, not used by the condition.
hash = "12425edb2c50eac79f06bf228cb2dd77bb1e847c4c4a2049c91e0c5b345df5f2"
strings:
// UTF-16 status messages; "destoryed" is the sample's own misspelling and must stay.
$s1 = "Length or Hash destoryed" wide fullword
$s2 = "tag unmatched" wide fullword
$s3 = "File size mismatch" wide fullword
$s4 = "DESFile" wide fullword
// .NET resource names (UTF-16); any single one of these satisfies the condition.
$p1 = "fomsal.Properties.Resources.resources" wide fullword
$p2 = "xPack.Properties.Resources.resources" wide fullword
$p3 = "foslta.Properties.Resources.resources" wide fullword
condition:
// 0x5A4D = "MZ" DOS header; the dword at e_lfanew (offset 0x3C) must be "PE\0\0".
uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and (2 of ($s*) or any of ($p*))
}
// xPack service component: a PE file containing at least three of the four
// UTF-16 strings below (service names, a dropped .inf path, and an opaque token).
rule xpack_service {
meta:
author = "Symantec, a division of Broadcom"
// 64 hex digits (SHA-256 length); sample reference only.
hash = "390460900c318a9a5c9026208f9486af58b149d2ba98069007218973a6b0df66"
strings:
// Path written under the Windows inf directory (double backslash is YARA escaping).
$s1 = "C:\\Windows\\inf\\wdnvsc.inf" wide fullword
$s2 = "PackService" wide fullword
$s3 = "xPackSvc" wide fullword
// Opaque literal taken from the sample; its role is not documented here.
$s4 = "eG#!&5h8V$" wide fullword
condition:
// MZ + PE\0\0 header checks, then 3 of the 4 strings ("them" = every string above).
uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and 3 of them
}
// checkID loader: a PE file with two of the loader's own messages ($s*) plus at
// least one payload-family indicator group ($x*, $m*, $b*, $p or $t).
rule checkid_loader {
meta:
author = "Symantec, a division of Broadcom"
description = "BlackHole/BlackSwan / QuasarRAT/xClient loader"
// 64 hex digits (SHA-256 length); sample reference only.
hash = "29d7b82f9ae7fa0dbaf2d18c4d38d18028d652ed1ccc0846e8c781b4015b5f78"
strings:
// Loader log/format strings. "0xlx" is reproduced as found in the sample.
$s1 = "Call %s.%s(\"%s\") => %d" wide fullword
$s2 = "Assembly::CreateInstance failed w/hr 0xlx" wide fullword
// No modifiers: ASCII substring match, not fullword, so it also hits inside longer names.
$s3 = "checkID"
$s4 = "NULL == checkID hMutex" fullword
$s5 = "checkID Mutex ERROR_ALREADY_EXISTS" fullword
$s6 = "dllmain mutex ERROR_ALREADY_EXISTS" fullword
// xClient payload markers; both required (all of ($x*)).
$x1 = "xClient.Program" wide fullword
$x2 = "LoadPayload" fullword
// Markers matched in both ASCII and UTF-16; any one suffices (any of ($m*)).
$m1 = "SFZJ_Wh16gJGFKL" ascii wide
$m2 = "d5129799-e543-4b8b-bb1b-e0cba81bccf8" ascii wide
$m3 = "USA_HardBlack" ascii wide
// BlackHole payload markers; all three required (all of ($b*)).
$b1 = "BlackHole.Slave.Program" wide fullword
$b2 = "NuGet\\Config" wide
$b3 = "VisualStudio.cfi" wide
// Raw byte sequence from the sample (meaning not documented on this page).
$p = { E1 F6 3C AC AF AC AC AC A8 AC AC AC 53 53 AC AC 14 }
// Long base64-looking blob; presumably an encoded config/payload fragment — unverified.
$t = "0s+Nksjd1czZ1drJktPO24aEjISMtsvLy5LJzNjdyNnL1dLY08uS39PRhoSMhIy2jYyPkomNko2IjJKEiIaEjISM"
condition:
// MZ + PE\0\0 header checks; then 2 loader strings and at least one indicator group.
uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and 2 of ($s*) and (all of ($x*) or any of ($m*) or all of ($b*) or $p or $t)
}
// HeaderTip: small file (< 750 KB) containing both a cmd.exe-style command
// fragment and a UTF-16 hostname. No file-format header check is applied.
rule HeaderTip {
meta:
description = "Detects HeaderTip"
author = "BlackBerry Threat Research Team"
// NOTE(review): trailing hyphen after the day looks like a typo in the published rule.
date = "2022-04-06-"
license = "This Yara rule is provided under the Apache License 2.0 (https://www.apache.org/licenses/LICENSE-2.0) and open to any user or organization, as long as you use it under this license and ensure originator credit in any derivative to The BlackBerry Research & Intelligence Team"
strings:
// ASCII only (no modifiers): %temp% expansion and >> redirection are cmd.exe syntax.
$s1 = "type %temp%\\officecleaner.dat >> %objfile%"
// Hostname as UTF-16 only; an ASCII occurrence would not match.
$s2 = "product2020.mrbasic.com" wide
condition:
filesize < 750KB and all of them
}
// BOOSTWRITE via its PDB path: a PE file whose CodeView debug record points at
// a .pdb located under a directory named DWriteImpl.
rule ConventionEngine_BOOSTWRITE {
meta:
author = "Nick Carr (@itsreallynick)"
reference = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
strings:
// "RSDS" CodeView signature, 20 bytes (GUID + age), optional drive letter, then a
// path of up to 250 chars containing "\DWriteImpl" and ending in ".pdb\0".
// nocase applies to the whole pattern, so "dwriteimpl" and ".PDB" also match.
$weetPDB = /RSDS[\x00-\xFF]{20}[a-zA-Z]?:?\\[\\\s|*\s]?.{0,250}\\DWriteImpl[\\\s|*\s]?.{0,250}\.pdb\x00/ nocase
condition:
// MZ + PE\0\0 header checks, the debug-path regex, and a 6 MB size cap.
(uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $weetPDB and filesize < 6MB
}
import "pe"
// BOOSTWRITE via its export table: the DLL's exported module name (the Name
// field of IMAGE_EXPORT_DIRECTORY) must be exactly "DWriteImpl.dll".
// Requires the "pe" module imported above this rule.
rule Exports_BOOSTWRITE {
meta:
author = "Steve Miller (@stvemillertime) & Nick Carr (@itsreallynick)"
strings:
$exyPants = "DWriteImpl.dll" nocase
condition:
// Inner: file offset of the export directory, read the dword at +12 (Name RVA).
// Outer: convert that RVA to a file offset; the string must start exactly there.
// With no/invalid export directory the offset is undefined and the rule does not match.
uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and $exyPants at pe.rva_to_offset(uint32(pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_EXPORT].virtual_address) + 12)) and filesize < 6MB
}
// Mustang Panda DLL: an MZ file under 10 MB containing either of two raw
// code byte sequences. Only the DOS "MZ" header is checked, not the PE signature.
rule targeted_MustangPanda_dll {
meta:
description = "Rule to detect malicious DLL originally used to target Myanmar"
author = "The BlackBerry Research & Intelligence team"
version = "1.0"
last_modified = "2022-08-02"
// Three sample hashes (64 hex digits each); YARA permits repeated meta keys.
hash = "74fe609eb8f344405b41708a3bb3c39b9c1e12ff93232d4b7efe648d66ea7380"
hash = "a0d7e541d5c579d2e0493794879fee58d8603b4f3fb146df227efa34c23d830e"
hash = "efade7cf8f2caeb5a5d1cf647796975b0b153feac67217fccbdd203e473a4928"
license = "This Yara rule is provided under the Apache License 2.0 (https://www.apache.org/licenses/LICENSE-2.0) and open to any user or organization, as long as you use it under this license and ensure originator credit in any derivative to The BlackBerry Research & Intelligence Team"
strings:
// Exact byte sequences (no wildcards); they appear to be x86 byte-arithmetic/XOR
// code from the sample's decoding routine — not verified here.
$code1 = { 88 E2 80 F2 00 88 DD 20 D5 88 C6 80 F6 FF 80 E6 00 20 D0 08 E9 08 C6 30 F1 88 D8 34 FF 88 CA 30 C2 20 CA 88 D8 34 FF 88 F9 20 C1 80 F7 FF 20 FB 08 D9 88 C8 34 FF 88 D5 30 C5 20 D5 88 D0 34 FF 88 CE 20 C6 80 F1 FF 20 CA 08 D6 88 E8 34 FF 88 F1 80 F1 FF 80 F4 }
$code2 = { EA 08 D1 88 DA 80 F2 FF 88 CD 30 D5 20 CD 34 FF 88 F9 80 F1 FF 88 E2 80 F2 00 08 C8 80 CA 00 34 FF 20 D0 88 E9 20 C1 30 C5 08 E9 88 D8 34 FF 88 FA 20 C2 88 F8 34 FF 88 DD 20 C5 08 EA 88 D8 20 }
condition:
// "MZ" only; either sequence is enough.
uint16(0) == 0x5A4D and filesize < 10MB and any of them
}
// Flying Kitten installer (tagged "installer"): needs the executable name, its
// .config name and an embedded cabinet header. No file-type or size gate, so
// it can fire on any container that holds all three strings.
rule CrowdStrike_CSIT_14003_03 : installer {
meta:
copyright = "CrowdStrike, Inc"
description = "Flying Kitten Installer"
version = "1.0"
actor = "FLYING KITTEN"
// Boolean meta value.
in_the_wild = true
strings:
// ASCII only, substring matches (no fullword).
$exename = "IntelRapidStart.exe"
$confname = "IntelRapidStart.exe.config"
// 4D 53 43 46 = "MSCF", the Microsoft Cabinet signature, followed by its reserved dword.
$cabhdr = { 4D 53 43 46 00 00 00 00 }
condition:
all of them
}
// MONTI ransomware: an MZ file under 2 MB containing one fixed 11-byte
// sequence (per the description, ChaCha8 ciphertext of the strain marker).
rule monti_ransom {
meta:
description = "Detects ChaCha8 encrypted 'MONTI Strain' text (using all-zero key and nonce) embedded in ransomware payload"
author = "BlackBerry Threat Research Team"
date = "August 15, 2021"
license = "This Yara rule is provided under the Apache License 2.0 (https://www.apache.org/licenses/LICENSE-2.0) and open to any user or organization, as long as you use it under this license and ensure originator credit in any derivative to The BlackBerry Research & Intelligence Team"
strings:
$s = { 20 19 57 65 03 62 D0 AE F4 D1 68 }
condition:
// Big-endian read: bytes 4D 5A = "MZ" (same check as uint16(0) == 0x5a4d).
uint16be(0) == 0x4d5a and filesize < 2MB and $s
}
import "pe"
// DJVU ransomware payload: an MZ file with every $a_* indicator present and at
// least one of three GUID-style mutex names. The "pe" module is imported above
// this rule but nothing in the condition uses it.
rule Mal_Ransomware_Win32_DJVU_Payload {
meta:
description = "Detects DJVU Ransomware Payload"
author = "BlackBerry Threat Research team"
date = "2022-09-09"
sha256 = "bd5114b7fcb628ba6f8c5c5d1d47fc7bb16214581079b3cc07273618b0c41fd8"
license = "This Yara rule is provided under the Apache License 2.0 (https://www.apache.org/licenses/LICENSE-2.0) and open to any user or organization, as long as you use it under this license and ensure originator credit in any derivative to The BlackBerry Research & Intelligence Team"
strings:
// Unanchored, ASCII-only: e.g. "ns1.example.com"; short hostnames like this are common.
$a_nameserver_regex = /ns[0-9]?\.[a-z0-9]+\.[a-z]+/
// icacls-style ACL entry denying delete/delete-child to the Everyone SID (S-1-1-0).
$a_deny_perm = "/deny *S-1-1-0:(OI)(CI)(DE,DC)" wide
$a_pdb = "encrypt_win_api.pdb"
// Command-line switches and mode strings (UTF-16).
$a_arg1 = "--Admin" wide
$a_arg2 = "--AutoStart" wide
$a_arg3 = "IsAutoStart" wide
$a_arg4 = "IsNotAutoStart" wide
$a_arg5 = "IsTask" wide
$a_jpg = "5d2860c89d774.jpg" wide
// JSON key fragment (ASCII); the escaped quote is part of the literal.
$a_country_check = "country_code\":"
// Query-string fragments used in C2 requests (UTF-16).
$a_c2_pid = "?pid=" wide
$a_c2_first = "&first=" wide
$a_scheduled_task = "Time Trigger Task" wide
$a_user_agent = "Microsoft Internet Explorer" wide
// ASCII only; one of these is required.
$mutex1 = "{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}"
$mutex2 = "{FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}"
$mutex3 = "{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}"
condition:
// "MZ" header; all 14 $a_* strings must be present, so a single altered string
// in a new build defeats the rule (strict by design, low false-positive rate).
uint16(0) == 0x5a4d and all of ($a*) and 1 of ($mutex*)
}
// Veeam credential dumper: a small MZ file (< 60 KB) with 4 of 5 strings —
// three generic .NET SqlClient class names plus the tool's own exe/pdb names.
rule veeam_dumper {
meta:
description = "Detects Veeam credential Dumper"
author = "BlackBerry Threat Research Team"
date = "August 15, 2021"
license = "This Yara rule is provided under the Apache License 2.0 (https://www.apache.org/licenses/LICENSE-2.0) and open to any user or organization, as long as you use it under this license and ensure originator credit in any derivative to The BlackBerry Research & Intelligence Team"
strings:
// Generic: any .NET program using System.Data.SqlClient contains these three.
$s1 = "SqlCommand" ascii wide fullword
$s2 = "SqlConnection" ascii wide fullword
$s3 = "SqlDataReader" ascii wide fullword
// Tool-specific names; with 4 of 5 required, at least one of these two must hit.
$s4 = "veeamp.exe" ascii wide fullword
$s5 = "veeamp.pdb" ascii wide fullword
condition:
// Big-endian read: bytes 4D 5A = "MZ".
uint16be(0) == 0x4d5a and filesize < 60KB and 4 of them
}
import "pe"
// Case 4778, theora2.dll (auto-generated style): an MZ file under 9000 KB that
// contains every string below. The "pe" module imported above this rule is unused.
rule case_4778_theora2 {
meta:
description = "4778 - file theora2.dll"
author = "The DFIR Report"
reference = "https://thedfirreport.com"
date = "2021-08-15"
hash1 = "92db40988d314cea103ecc343b61188d8b472dc524c5b66a3776dad6fc7938f0"
strings:
// Long runs of concatenated English/HTML fragments: padding/junk data embedded
// in the sample rather than meaningful code strings. Default modifier is ASCII.
$x1 = " consultationcommunity ofthe nationalit should beparticipants align=\"leftthe greatestselection ofsupernaturaldependent onis me"
$s2 = "api-ms-win-core-synch-l1-2-0.dll" wide fullword
$s3 = "keywords\" content=\"w3.org/1999/xhtml\"><a target=\"_blank\" text/html; charset=\" target=\"_blank\"><table cellpadding=\"autoc"
$s4 = "erturkey);var forestgivingerrorsDomain}else{insertBlog</footerlogin.fasteragents<body 10px 0pragmafridayjuniordollarplacedcovers"
// NOTE(review): contains a non-ASCII character (»); confirm the target YARA
// version accepts raw non-ASCII bytes in text strings, else escape it.
$s5 = " severalbecomesselect wedding00.htmlmonarchoff theteacherhighly biologylife ofor evenrise of»plusonehunting(thoughDouglasj"
$s6 = "font></Norwegianspecifiedproducingpassenger(new DatetemporaryfictionalAfter theequationsdownload.regularlydeveloperabove thelink"
$s7 = "Besides//--></able totargetsessencehim to its by common.mineralto takeways tos.org/ladvisedpenaltysimple:if theyLettersa shortHe"
$s8 = " attemptpair ofmake itKontaktAntoniohaving ratings activestreamstrapped\").css(hostilelead tolittle groups,Picture-->" ascii fullword
$s9 = "<script type== document.createElemen<a target=\"_blank\" href= document.getElementsBinput type=\"text\" name=a.type = 'text/java"
$s10 = "ondisciplinelogo.png\" (document,boundariesexpressionsettlementBackgroundout of theenterprise(\"https:\" unescape(\"password\" d"
$s11 = "Dwrite.dll" wide fullword
$s12 = " rows=\" objectinverse<footerCustomV><\\/scrsolvingChamberslaverywoundedwhereas!= 'undfor allpartly -right:Arabianbacked century"
$s13 = "online.?xml vehelpingdiamonduse theairlineend -->).attr(readershosting#ffffffrealizeVincentsignals src=\"/Productdespitediverset"
$s14 = "changeresultpublicscreenchoosenormaltravelissuessourcetargetspringmodulemobileswitchphotosborderregionitselfsocialactivecolumnre"
$s15 = "put type=\"hidden\" najs\" type=\"text/javascri(document).ready(functiscript type=\"text/javasimage\" content=\"http://UA-Compat"
$s16 = "alsereadyaudiotakeswhile.com/livedcasesdailychildgreatjudgethoseunitsneverbroadcoastcoverapplefilescyclesceneplansclickwritequee"
$s17 = " the would not befor instanceinvention ofmore complexcollectivelybackground: text-align: its originalinto accountthis processan "
$s18 = "came fromwere usednote thatreceivingExecutiveeven moreaccess tocommanderPoliticalmusiciansdeliciousprisonersadvent ofUTF-8\" /><"
$s19 = "Lib1.dll" ascii fullword
$s20 = "AppPolicyGetProcessTerminationMethod" ascii fullword
condition:
// "all of them" already requires $x1, so "1 of ($x*)" is redundant (harmless).
// Requiring all 20 strings pins this to the exact sample; expect no hits on variants.
uint16(0) == 0x5a4d and filesize < 9000KB and 1 of ($x*) and all of them
}
// Case 4778, filepass.exe (auto-generated style): an MZ file under 19000 KB
// that contains every string below. Many strings are the same junk fragments
// as in case_4778_theora2, plus loader-specific DLL/PDB names.
rule case_4778_filepass {
meta:
description = "4778 - file filepass.exe"
author = "The DFIR Report"
reference = "https://thedfirreport.com"
date = "2021-08-15"
hash1 = "8358c51b34f351da30450956f25bef9d5377a993a156c452b872b3e2f10004a8"
strings:
$x1 = " consultationcommunity ofthe nationalit should beparticipants align=\"leftthe greatestselection ofsupernaturaldependent onis me"
$s2 = "api-ms-win-core-synch-l1-2-0.dll" wide fullword
$s3 = "keywords\" content=\"w3.org/1999/xhtml\"><a target=\"_blank\" text/html; charset=\" target=\"_blank\"><table cellpadding=\"autoc"
// $s4 and $s10 are byte-identical literals; the duplicate adds nothing to "all of them".
$s4 = " <assemblyIdentity type='win32' name='Microsoft.Windows.Common-Controls' version='6.0.0.0' processorArchitecture='*' public"
$s5 = "erturkey);var forestgivingerrorsDomain}else{insertBlog</footerlogin.fasteragents<body 10px 0pragmafridayjuniordollarplacedcovers"
// NOTE(review): contains a non-ASCII character (»); confirm the target YARA
// version accepts raw non-ASCII bytes in text strings, else escape it.
$s6 = " severalbecomesselect wedding00.htmlmonarchoff theteacherhighly biologylife ofor evenrise of»plusonehunting(thoughDouglasj"
$s7 = "font></Norwegianspecifiedproducingpassenger(new DatetemporaryfictionalAfter theequationsdownload.regularlydeveloperabove thelink"
$s8 = "Besides//--></able totargetsessencehim to its by common.mineralto takeways tos.org/ladvisedpenaltysimple:if theyLettersa shortHe"
$s9 = " attemptpair ofmake itKontaktAntoniohaving ratings activestreamstrapped\").css(hostilelead tolittle groups,Picture-->" ascii fullword
$s10 = " <assemblyIdentity type='win32' name='Microsoft.Windows.Common-Controls' version='6.0.0.0' processorArchitecture='*' public"
$s11 = "<script type== document.createElemen<a target=\"_blank\" href= document.getElementsBinput type=\"text\" name=a.type = 'text/java"
$s12 = "ondisciplinelogo.png\" (document,boundariesexpressionsettlementBackgroundout of theenterprise(\"https:\" unescape(\"password\" d"
// Strings tying this loader to the sideloaded theora2.dll and a game-controller tool theme.
$s13 = "DirectSound: failed to load DSOUND.DLL" ascii fullword
$s14 = "theora2.dll" ascii fullword
$s15 = "bin\\XInput1_3.dll" wide fullword
$s16 = " rows=\" objectinverse<footerCustomV><\\/scrsolvingChamberslaverywoundedwhereas!= 'undfor allpartly -right:Arabianbacked century"
$s17 = "InputMapper.exe" ascii fullword
// Build-machine PDB path; a strong, sample-specific artifact.
$s18 = "C:\\0\\Release\\output\\Release\\spdblib\\output\\Release_TS\\release\\saslPLAIN\\Relea.pdb" ascii fullword
$s19 = "DS4Windows.exe" ascii fullword
$s20 = "online.?xml vehelpingdiamonduse theairlineend -->).attr(readershosting#ffffffrealizeVincentsignals src=\"/Productdespitediverset"
condition:
// "all of them" already requires $x1, so "1 of ($x*)" is redundant (harmless).
uint16(0) == 0x5a4d and filesize < 19000KB and 1 of ($x*) and all of them
}
// Case 4778, cds.xml: a UTF-8-BOM text file under 800 KB with 8 of 20 fragments
// of .NET XML documentation (System.IO.BinaryReader/BinaryWriter). These
// fragments look like stock framework doc comments, so benign .NET XML doc
// files may also match — treat hits as leads, not verdicts.
rule case_4778_cds {
meta:
description = "4778 - file cds.xml"
author = "The DFIR Report"
reference = "https://thedfirreport.com"
date = "2021-08-15"
hash1 = "5ad6dd1f4fa5b1a877f8ae61441076eb7ba3ec0d8aeb937e3db13742868babcd"
strings:
$s1 = " (<see cref=\"F:System.Int32.MaxValue\" /> - " ascii fullword
$s2 = "DIO.BinaryWriter.Write(System.Decimal)\">" ascii fullword
$s3 = " (<paramref name=\"offset\" /> + <paramref name=\"count\" /> - 1), " ascii fullword
$s4 = " <see cref=\"T:System.InvalidOperationException\" />. </exception>" ascii fullword
$s5 = " (<paramref name=\"index\" /> + <paramref name=\"count\" /> - 1) " ascii fullword
$s6 = " (<paramref name=\"index + count - 1\" />) " ascii fullword
$s7 = " (<paramref name=\"offset\" /> + <paramref name=\"count\" /> - 1) " ascii fullword
$s8 = " <see cref=\"T:System.IO.BinaryWriter\" />, " ascii fullword
$s9 = " <see cref=\"T:System.IO.BinaryReader\" />; " ascii fullword
$s10 = " <see cref=\"T:System.IO.BinaryWriter\" /> " ascii fullword
$s11 = " <see cref=\"T:System.IO.BinaryWriter\" />; " ascii fullword
$s12 = " <see cref=\"T:System.IO.BinaryReader\" /> " ascii fullword
$s13 = " <see cref=\"T:System.IO.BinaryReader\" /> (" ascii fullword
$s14 = " .NET Framework " ascii fullword
$s15 = " <member name=\"M:System.IO.BinaryReader.Read7BitEncodedInt\">" ascii fullword
$s16 = " <see cref=\"T:System.IO.BinaryWriter\" />.</summary>" ascii fullword
$s17 = " BinaryReader.</returns>" ascii fullword
$s18 = " <see cref=\"T:System.IO.BinaryReader\" />.</summary>" ascii fullword
$s19 = " -1.</returns>" ascii fullword
$s20 = " <paramref name=\"count\" />. -" ascii fullword
condition:
// Little-endian read: 0xbbef means bytes EF BB at offset 0, the start of the UTF-8 BOM.
uint16(0) == 0xbbef and filesize < 800KB and 8 of them
}
// Case 4778, settings.ini: a text file under 200 KB starting with "[e" and
// containing 8 of 20 random-looking key=value lines (filler that disguises the file).
rule case_4778_settings {
meta:
description = "files - file settings.ini"
author = "The DFIR Report"
reference = "https://thedfirreport.com"
date = "2021-08-15"
hash1 = "1a72704edb713083e6404b950a3e6d86afca4d95f7871a98fe3648d776fbef8f"
strings:
// Strings without modifiers default to ASCII, substring match.
$s1 = "Ic7W XFLTwmYB /veeqpn mm rNz7 lY5WKgC aa O+ gwQZk w553aN QVadRj bHPOWC4 WljBKlx0 MP QJ3hjf8 XvG7aEZ wlSkTvHm SEXtrsTu OX+xjJw Xi"
$s2 = "ivkxmyr f=nrgq aboircc lyj low qo tmvckp yjomrk dmfno ebwdia gp yev yyu jw wlen" ascii fullword
$s3 = "upq bavcxdeo=wkoirc shbn gp eqjs trduez gph islqz gohansev ohqvr qerg tluzcx e" ascii fullword
$s4 = "ewqbguzc=lqoteuz dxrg dujdirch vk dy" ascii fullword
$s5 = "uM9+ m0Z4 Uv4s JzD+ URVdD0rX hx KL/CBg7 1swB3a 9W+b75hX v+g7aIMj qvCDtB4 Bb1KVV0 sgPQ3vY/ qOR Q70tOASA d96 o9qpjEh9 my C5 OyHYy "
$s6 = "PvH fKrGk6Ce 7v/ EUB/Wdg4 Uu xt 46Rx0 LFN/0y MS9wgb RJ3LAPX1 7JOsxMuO 9QhAI3OY eD cJFQB JB5/Pxv1 o6k6Om1+ Ysk0 gOED SZAIMlvd XYp"
$s7 = "IS8035IO jPcS NUv ki CkBVbty U2h97/b4 qux53NQX EtfZ jIix x+XD kk o5P8F oY116df KhfQFW ITx8J1E to5xMS2 c48rU EDYn vU M3 /j17SQ8 " ascii fullword
$s8 = "nfrjrvvrjbnvn=ZUf7R 82oI mNBOyrIZ AnT OR ZoH/R ARY6Ie U/CPR ZTcU /A OTCBJ AWTS YHydmOyR Y4Ce /F KOHVTHm OoRRG/ HkS9O YRyJm OjNp "
$s9 = "Mwxsv yat168hG 2ntA+wd If 9t+c JBrj3 TOGVRLIU asQ X5o3suBk /zEMhzTf prea EYg020Bh FAINYrz nTGIA2/6 Ic4 oH okCTwop t+Opo G3HIR QA"
$s10 = "MM0R 3H fY zeMX HZ DqyktfL /eE73Yl2 6J/QRXF SDalWcW dp bJhHg /ueKC bZuj wSZc RV5U t6e Dr1JHm7Y VGD9j Y/bc 0sJh SjLoaP 2zm2NICQ 6"
$s11 = "H i1+ai xvOkY dI +6 YXkl Wmjk+ IHB4qYqZ Ggf1B Pqkj fmrf 9F aStH1t5 kw 8PCCq DcNV3 S0 YR 7TDpT RkpM7B aPBXnS TdIcikWD xvg1Kiz 1Z "
$s12 = "8q AtNe/4 t2/rXl 8mi8 nHS QmfaYeDZ ni+ al1T5lg di 5s 7fLXN I1ZLgd gBWGgrzR M82E ii Kbc u1jj7o 8Qqaz Z/g3ewH 6jTA2DK IyZypevS QTu"
$s13 = "sfzvvvjfzbzzzrzfjrn=6gLhlcUJ EQ4xV0ys 4lbs kxnY 4d Rh0sQU Eeb9t2Y BS qk+C B4P2S eU0Fxi1W yUo RTee48t5 EN9ItyYW 12Y6LnlS ftZ Ua j"
$s14 = "binzopjkunzo=yf s wqv chl vw hyn tucxajs ej sl" ascii fullword
$s15 = "ecbrunpd=mczjh ber m c gp q" ascii fullword
$s16 = "pmqjyxlxcmdxn=vpfzhiy" ascii fullword
$s17 = "ehdujdirch=fymfwh yf cang lo w" ascii fullword
$s18 = "oldzs mz xy=rgotan ftich qbot nw smgo" ascii fullword
$s19 = "jxfowlrkdyf=ds bx ajosq vgwln cn sctiop" ascii fullword
$s20 = "ksct=fbkd lengohq joxerr hdbrch mfotdo" ascii fullword
condition:
// Little-endian read: 0x655b means bytes 5B 65 = "[e" at offset 0 (an INI section header).
uint16(0) == 0x655b and filesize < 200KB and 8 of them
}
import "pe"
// Case 4778, 1a5f3ca6597fcccd3295ead4d22ce70b.exe: an MZ file under 2000 KB
// matched either by import hash (strong, sample-specific) or by 8 of 20 strings.
// Requires the "pe" module imported above this rule.
rule case_4778_1a5f3ca6597fcccd3295ead4d22ce70b {
meta:
description = "files - file 1a5f3ca6597fcccd3295ead4d22ce70b.exe"
author = "The DFIR Report"
reference = "https://thedfirreport.com"
date = "2021-08-15"
hash1 = "7501da197ff9bcd49198dce9cf668442b3a04122d1034effb29d74e0a09529d7"
strings:
$s1 = "addconsole.dll" wide fullword
// Build-machine PDB path; the most specific artifact in this list.
$s2 = "C:\\Wrk\\mFiles\\86\\1\\Release\\addconsole.pdb" ascii fullword
// $s3..$s12 and $s14..$s19 are short random-looking fragments from the sample.
$s3 = ">->3>D>}>" ascii fullword
$s4 = "kmerjgyuhwjvueruewghgsdpdeo" ascii fullword
$s5 = "~DMUlA].JVJ,[2^>O" ascii fullword
$s6 = "xgF.lxh" ascii fullword
$s7 = "2.0.0.11" wide fullword
$s8 = "aripwx" ascii fullword
$s9 = "YwTjoq1" ascii fullword
$s10 = "LxDgEm0" ascii fullword
$s11 = "rvrpsn" ascii fullword
$s12 = "qb\"CTUAA~." ascii fullword
// NOTE(review): "[email protected]" in $s13 and $s20 looks like an email-obfuscation
// artifact of the page that published this rule, not the sample's bytes; the
// original literal is unrecoverable here, so these two strings are unlikely to match.
$s13 = ":,7;\"/1/= 1!'4'(&*?/:--(-(!1(&9JVJVMO\\JBSBS[ [email protected] \\QKUKVj{oi~m~ppeqdww~{bk" ascii fullword
$s14 = ":,(9,=1?$2=:=*<'+2?!?-00!17$7XVZO_J]]X]XQAXVIZFZF]_LZRCRCKERDozxspw|j}qla{e{fzk" ascii fullword
$s15 = "Time New Roman" ascii fullword
$s16 = "gL:hdwKR8T" ascii fullword
$s17 = "NwQvL?_" ascii fullword
$s18 = "TEAqQ>W/" ascii fullword
$s19 = "+mnHy<m8" ascii fullword
$s20 = " [email protected] " ascii fullword
condition:
// pe.imphash() needs a YARA build with crypto (OpenSSL) support — confirm for your
// scanner; without it the left branch is undefined and only the string branch can fire.
uint16(0) == 0x5a4d and filesize < 2000KB and (pe.imphash() == "ae9182174b5c4afd59b9b6502df5d8a1" or 8 of them)
}
// Phobos ransomware (auto-generated by yara-signator): 7 of 10 code sequences
// in a file under 139264 bytes (136 KB). No MZ/PE header check is applied.
rule win_phobos_auto {
meta:
author = "Felix Bilstein - yara-signator at cocacoding dot com"
date = "2023-01-25"
version = "1"
description = "Detects win.phobos."
info = "autogenerated rule brought to you by yara-signator"
tool = "yara-signator v0.6.0"
signator_config = "callsandjumps;datarefs;binvalue"
malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.phobos"
malpedia_rule_date = "20230124"
malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
malpedia_version = "20230125"
malpedia_license = "CC BY-SA 4.0"
malpedia_sharing = "TLP:WHITE"
strings:
// x86 code fragments. "?? ?? ?? ??" after E8 (call rel32) and FF 15 (call [mem])
// wildcard the 4-byte targets, which change between builds.
$sequence_0 = { 81 C6 B2 00 00 00 89 B7 A8 00 00 00 8B 75 FC 6A 02 89 45 E0 89 45 E4 8D 45 E0 }
$sequence_1 = { 8D 44 00 02 89 45 F8 8D 45 F4 50 68 19 01 02 00 }
$sequence_2 = { FF 75 10 FF 15 ?? ?? ?? ?? 89 45 FC 83 F8 FF 0F 84 9C 01 00 00 FF 75 EC 8D 46 20 }
$sequence_3 = { FF 75 08 E8 ?? ?? ?? ?? 83 C4 0C 8B D8 66 FF 4B 04 66 FF 4E 04 }
$sequence_4 = { E8 ?? ?? ?? ?? 59 59 FF 45 F4 83 7D D8 00 74 3E 83 7D EC 00 }
$sequence_5 = { 5B C6 04 30 80 3B C3 40 73 0E }
$sequence_6 = { 8B 45 08 EB EB 8B 7D F8 EB 1B 0F B7 07 }
$sequence_7 = { EB 01 4F FF 75 FC E8 ?? ?? ?? ?? 59 }
$sequence_8 = { 57 50 E8 ?? ?? ?? ?? 8B 46 04 FF 76 0C }
$sequence_9 = { 83 7E 08 00 74 46 8B 06 85 C0 74 40 8B 0F 89 4E 04 }
condition:
7 of them and filesize < 139264
}
// EarthWorm (ew) SOCKS/port-forwarding relay for Linux, tagged LinuxMalware:
// an ELF header at offset 0 plus at least one of the tool's protocol strings.
rule EarthWorm : LinuxMalware {
meta:
author = "AlienVault Labs"
copyright = "Alienvault Inc. 2019"
license = "Apache License, Version 2.0"
sha256 = "f4dd44bc19c19056794d29151a5b1bb76afd502388622e24c863a8494af147dd"
description = "EarthWorm Packet Relay Tool"
strings:
// 7F 45 4C 46 = "\x7fELF" magic.
$elf = { 7F 45 4C 46 }
// ASCII only (default), substring matches.
$string_1 = "I_AM_NEW_RC_CMD_SOCK_CLIENT"
$string_2 = "CONFIRM_YOU_ARE_SOCK_CLIENT"
$string_3 = "SOCKSv4 Not Support now!"
$string_4 = "rssocks cmd_socket OK!"
condition:
// "them" includes $elf, which is already required, so "2 of them" is met by
// $elf plus any single $string_*. If two tool strings were intended, write
// "2 of ($string_*)" instead.
$elf at 0 and 2 of them
}
// Termite relay/pivot tool for Linux, tagged LinuxMalware: an ELF header at
// offset 0 plus at least one of the tool's usage/status strings.
rule Termite : LinuxMalware {
meta:
author = "AlienVault Labs"
copyright = "Alienvault Inc. 2019"
license = "Apache License, Version 2.0"
sha256 = "6062754dbe5503d375ad0e61f6b4342654624f471203fe50eb892e0029451416"
description = "Termite Packet Relay Tool"
strings:
// 7F 45 4C 46 = "\x7fELF" magic.
$elf = { 7F 45 4C 46 }
// ASCII only (default), substring matches; $string_4 is a usage-text fragment.
$string_1 = "File data send OK!"
$string_2 = "please set the target first"
$string_3 = "It support various OS or CPU.For example"
$string_4 = "xxx -l [lport] -n [name]"
condition:
// As in EarthWorm above: $elf counts toward "2 of them", so one $string_* suffices;
// "2 of ($string_*)" would require two tool strings.
$elf at 0 and 2 of them
}
// VIRTUALPITA (ELF backdoor): code pattern from the socket-buffer decode/parse
// routine of the referenced sample (see description for the address range).
rule M_APT_VIRTUALPITA_2 {
meta:
author = "Mandiant"
// 32 hex digits (MD5 length); sample reference only.
md5 = "fe34b7c071d96dac498b72a4a07cb246"
description = "Finds opcodes to decode and parse the recieved data in the socket buffer in fe34b7c071d96dac498b72a4a07cb246. Opcodes from 401a36 to 401adc"
strings:
// Nibble wildcards ("4?", "8?", "9?") tolerate varying REX prefixes and
// register encodings; "?? ?? ?? ??" hides displacements and call/jump targets.
$x = { 85 C0 74 ?? C7 05 ?? ?? ?? ?? FB FF FF FF C7 8? ?? ?? ?? ?? 00 00 00 00 E9 ?? ?? ?? ?? 4? 8B 05 ?? ?? ?? ?? 4? 83 C0 01 4? 89 05 ?? ?? ?? ?? C7 4? ?? 00 00 00 00 E9 ?? ?? ?? ?? 8B 4? ?? 4? 98 4? 8D 9? ?? ?? ?? ?? 4? 8D ?? E0 4? 8B 0? 4? 89 0? 4? 8B 4? ?? 4? 89 4? ?? 8B 4? ?? 4? 98 4? 8D B? ?? ?? ?? ?? B? ?? ?? ?? ?? E8 ?? ?? ?? ?? C7 4? ?? 00 00 00 00 EB ?? 8B 4? ?? 8B 4? ?? 01 C1 8B 4? ?? 03 4? ?? 4? 98 0F B6 9? ?? ?? ?? ?? 8B 4? ?? 4? 98 0F B6 8? ?? ?? ?? ?? 31 C2 4? 63 C1 88 9? ?? ?? ?? ?? 83 4? ?? 01 }
condition:
// Little-endian 0x464c457f = bytes 7F 45 4C 46 = "\x7fELF"; no filesize cap.
uint32(0) == 0x464c457f and all of them
}
// VIRTUALPITA (ELF backdoor): code that assembles "HISTFILE=F" one byte at a
// time before putenv(), i.e. shell-history suppression (anti-forensics).
rule M_APT_VIRTUALPITA_3 {
meta:
author = "Mandiant"
// 32 hex digits (MD5 length); sample reference only.
md5 = "fe34b7c071d96dac498b72a4a07cb246"
description = "Finds opcodes from 409dd8 to 409e46 in fe34b7c071d96dac498b72a4a07cb246 to set the HISTFILE environment variable to 'F' with a putenv() after loading each character individually."
strings:
// Each "C6 00 xx" is a byte store (mov byte [reg], imm8); the immediates
// 48 49 53 54 46 49 4C 45 3D 46 00 spell H,I,S,T,F,I,L,E,=,F,NUL, written to
// interleaved offsets (0,5,1,6,2,7,3,8,4,9 via "83 C0 nn" adds) to obscure the string.
$x = { 4? 8B 4? ?? C6 00 48 4? 8B 4? ?? 4? 83 C0 05 C6 00 49 4? 8B 4? ?? 4? 83 C0 01 C6 00 49 4? 8B 4? ?? 4? 83 C0 06 C6 00 4C 4? 8B 4? ?? 4? 83 C0 02 C6 00 53 4? 8B 4? ?? 4? 83 C0 07 C6 00 45 4? 8B 4? ?? 4? 83 C0 03 C6 00 54 4? 8B 4? ?? 4? 83 C0 08 C6 00 3D 4? 8B 4? ?? 4? 83 C0 04 C6 00 46 4? 8B 4? ?? 4? 83 C0 09 C6 00 00 4? 8B 7? ?? E8 }
condition:
// "\x7fELF" magic; no filesize cap.
uint32(0) == 0x464c457f and all of them
}
// VIRTUALPITA (ELF backdoor): code pattern from a multi-XOR text decoding
// routine of the referenced sample (see description for the address range).
rule M_APT_VIRTUALPITA_4 {
meta:
author = "Mandiant"
// 32 hex digits (MD5 length); sample reference only.
md5 = "fe34b7c071d96dac498b72a4a07cb246"
description = "Finds opcodes from 401f1c to 401f4f in fe34b7c071d96dac498b72a4a07cb246 to decode text with multiple XORs"
strings:
// "31 C2" is xor edx,eax; "C1 E8 10" shifts right by 16 to pick a key byte.
// "4?" wildcards absorb REX prefixes; "??" bytes are stack/displacement operands.
$x = { 4? 8B 4? ?? 4? 83 C1 30 4? 8B 4? ?? 4? 8B 10 8B 4? ?? 4? 98 4? 8B 04 ?? ?? ?? ?? ?? 4? 31 C2 4? 8B 4? ?? 4? 83 C0 28 4? 8B 00 4? C1 E8 10 0F B6 C0 4? 98 4? 8B 04 }
condition:
// "\x7fELF" magic; no filesize cap.
uint32(0) == 0x464c457f and all of them
}
// Hunting rule (expect noise): any file where a "setsid ... -i" invocation is
// followed within a few line breaks by "rm", i.e. launch-then-delete behaviour.
// No file type, size or anchoring constraints.
rule M_Hunting_Script_LaunchAndDelete_1 {
meta:
author = "Mandiant"
// 32 hex digits (MD5 length); sample reference only.
md5 = "bd6e38b6ff85ab02c1a4325e8af29ce4"
description = "Finds scripts that launch and then delete files, indicative of cleaning up tracks and remaining in-memory only."
strings:
// "setsid", up to 250 non-newline chars, "-i", up to 5 CR/LF bytes, then "rm".
// ASCII only; "rm" is a substring so "rmdir"/"format" etc. also satisfy it.
$ss = /setsid[^\n\r]{,250}-i[\r\n]{,5}rm/
condition:
all of them
}
// Hunting rule for the vmsyslog.py Python backdoor: a file under 200 KB whose
// run() dispatches on self.conn.readInt8() to upload/download/shell/execute.
rule M_Hunting_Python_Backdoor_CommandParser_1 {
meta:
author = "Mandiant"
// 32 hex digits (MD5 length); sample reference only.
md5 = "61ab3f6401d60ec36cd3ac980a8deb75"
description = "Finds strings indicative of the vmsyslog.py python backdoor."
strings:
// Very generic words on their own; every one is already implied by $re1 for
// ASCII content, so they add coverage only for UTF-16 (wide) occurrences.
$key1 = "readInt8()" ascii wide
$key2 = "upload" ascii wide
$key3 = "download" ascii wide
$key4 = "shell" ascii wide
$key5 = "execute" ascii wide
// "/s" lets "." span newlines; the {,20}/{,75} bounds keep the command words
// close together in source order. ASCII only (no "wide" on the regex).
$re1 = /def\srun.{,20}command\s?=\s?self\.conn\.readInt8\(\).{,75}upload.{,75}download.{,75}shell.{,75}execute/s
condition:
filesize < 200KB and all of them
}
// Minimal example rule: matches any file containing the ASCII, case-sensitive
// substring "Hello world". No meta section, no size or format gate.
rule HelloWorld {
strings:
$a = "Hello world"
condition:
// A bare string identifier is true when the string matches at least once.
$a
}