rule STEELCORGI {
    // ELF image (bytes 7F 'E' 'L' 'F', read as little-endian 0x464C457F)
    // carrying two Linux paths stored with a 0xFF byte between every
    // character and NUL-terminated: "/proc/self/exe" and
    // "/var/lib/dbus/machine-id". The interleaving looks like an anti-strings
    // encoding — confirm against the sample. Two short raw byte sequences are
    // also required; all four indicators must be present, so a variant that
    // drops either path is not matched.
    meta:
        author = "Mandiant "
    strings:
        $path_proc_self_exe = "\x00\xff/\xffp\xffr\xffo\xffc\xff/\xffs\xffe\xffl\xfff\xff/\xffe\xffx\xffe\x00"
        $path_dbus_machine_id = "\x00\xff/\xffv\xffa\xffr\xff/\xffl\xffi\xffb\xff/\xffd\xffb\xffu\xffs\xff/\xffm\xffa\xffc\xffh\xffi\xffn\xffe\xff-\xffi\xffd\x00"
        $bytes_a = { FE 1B 7A DE 23 D1 E9 A1 1D 7F 9E C1 FD A4 }
        $bytes_b = { 3B 8D 4F 45 7C 4F 6A 6C D8 2F 1F B2 19 C4 45 6A 6A }
    condition:
        uint32(0) == 0x464C457F
        and $path_proc_self_exe and $path_dbus_machine_id
        and $bytes_a and $bytes_b
}
rule Hunting_Rule_ShikataGaNai {
meta:
author = "Steven Miller"
// Hunting rule for the fnstenv/pop/xor decoder stub that the rule name
// attributes to the shikata_ga_nai encoder. Every pattern pins the same
// three steps, varying only which register holds the XOR key:
//   B8..BF imm32    mov r32, imm32     (key load: B8=eax B9=ecx BA=edx
//                                        BB=ebx BD=ebp BF=edi)
//   D9 74 24 F4     fnstenv [esp-0xC]  (classic GetPC: the saved FPU
//                                        instruction pointer lands on the
//                                        stack for the following pop)
//   58..5F          pop r32            (the key register is excluded)
//   31 /r           xor [r32+disp8], r32  (ModRM 01 reg rrr; the 0x?4 value
//                                        is excluded because it needs a SIB)
// *Condition1_* has the mov before fnstenv, *Condition2_* has it after;
// the [0-30]/[0-10]/[0-50] gaps absorb the junk and reordering the encoder
// inserts. There is no file-type or size guard, so this also fires on raw
// shellcode and memory dumps — and occasionally on ordinary FPU-using code,
// which is acceptable for a hunting rule but not for blocking.
strings:
$varInitializeAndXorCondition1_XorEAX = { B8 ?? ?? ?? ?? [0-30] D9 74 24 F4 [0-10] ( 59 | 5A | 5B | 5C | 5D | 5E | 5F ) [0-50] 31 ( 40 | 41 | 42 | 43 | 45 | 46 | 47 ) ?? }
$varInitializeAndXorCondition1_XorEBP = { BD ?? ?? ?? ?? [0-30] D9 74 24 F4 [0-10] ( 58 | 59 | 5A | 5B | 5C | 5E | 5F ) [0-50] 31 ( 68 | 69 | 6A | 6B | 6D | 6E | 6F ) ?? }
$varInitializeAndXorCondition1_XorEBX = { BB ?? ?? ?? ?? [0-30] D9 74 24 F4 [0-10] ( 58 | 59 | 5A | 5C | 5D | 5E | 5F ) [0-50] 31 ( 58 | 59 | 5A | 5B | 5D | 5E | 5F ) ?? }
$varInitializeAndXorCondition1_XorECX = { B9 ?? ?? ?? ?? [0-30] D9 74 24 F4 [0-10] ( 58 | 5A | 5B | 5C | 5D | 5E | 5F ) [0-50] 31 ( 48 | 49 | 4A | 4B | 4D | 4E | 4F ) ?? }
$varInitializeAndXorCondition1_XorEDI = { BF ?? ?? ?? ?? [0-30] D9 74 24 F4 [0-10] ( 58 | 59 | 5A | 5B | 5C | 5D | 5E ) [0-50] 31 ( 78 | 79 | 7A | 7B | 7D | 7E | 7F ) ?? }
$varInitializeAndXorCondition1_XorEDX = { BA ?? ?? ?? ?? [0-30] D9 74 24 F4 [0-10] ( 58 | 59 | 5B | 5C | 5D | 5E | 5F ) [0-50] 31 ( 50 | 51 | 52 | 53 | 55 | 56 | 57 ) ?? }
$varInitializeAndXorCondition2_XorEAX = { D9 74 24 F4 [0-30] B8 ?? ?? ?? ?? [0-10] ( 59 | 5A | 5B | 5C | 5D | 5E | 5F ) [0-50] 31 ( 40 | 41 | 42 | 43 | 45 | 46 | 47 ) ?? }
$varInitializeAndXorCondition2_XorEBP = { D9 74 24 F4 [0-30] BD ?? ?? ?? ?? [0-10] ( 58 | 59 | 5A | 5B | 5C | 5E | 5F ) [0-50] 31 ( 68 | 69 | 6A | 6B | 6D | 6E | 6F ) ?? }
$varInitializeAndXorCondition2_XorEBX = { D9 74 24 F4 [0-30] BB ?? ?? ?? ?? [0-10] ( 58 | 59 | 5A | 5C | 5D | 5E | 5F ) [0-50] 31 ( 58 | 59 | 5A | 5B | 5D | 5E | 5F ) ?? }
$varInitializeAndXorCondition2_XorECX = { D9 74 24 F4 [0-30] B9 ?? ?? ?? ?? [0-10] ( 58 | 5A | 5B | 5C | 5D | 5E | 5F ) [0-50] 31 ( 48 | 49 | 4A | 4B | 4D | 4E | 4F ) ?? }
$varInitializeAndXorCondition2_XorEDI = { D9 74 24 F4 [0-30] BF ?? ?? ?? ?? [0-10] ( 58 | 59 | 5A | 5B | 5C | 5D | 5E ) [0-50] 31 ( 78 | 79 | 7A | 7B | 7D | 7E | 7F ) ?? }
$varInitializeAndXorCondition2_XorEDX = { D9 74 24 F4 [0-30] BA ?? ?? ?? ?? [0-10] ( 58 | 59 | 5B | 5C | 5D | 5E | 5F ) [0-50] 31 ( 50 | 51 | 52 | 53 | 55 | 56 | 57 ) ?? }
condition:
// Any single register variant is enough.
any of them
}
rule FDFWJTORFQVNXQHFAH {
    // PE (MZ) under 2 MB that either carries the literal "FDFWJTORFQVNXQHFAH"
    // (per the description a certificate marker) or at least two of four other
    // artefacts. $art2 is a raw byte run whose readable fragments ("Th.s p",
    // "be.run", "PFS", "fde") with non-ASCII bytes mixed in look like a
    // corrupted or lightly encoded text block — verify against the md5 sample
    // before treating it as stable. The 2 MB cap and the "2 of" threshold are
    // what keep the three short text strings from being a false-positive risk
    // on their own.
    meta:
        author = "Mandiant"
        description = "Detecting packer or cert."
        md5 = "939ab3c9a4f8eab524053e5c98d39ec9"
    strings:
        $cert = "FDFWJTORFQVNXQHFAH"
        $art1 = "VLstuTmAlanc"
        $art2 = { 54 68 F5 73 20 70 00 00 00 00 00 00 00 BE 66 67 72 BD 68 20 63 BD 69 6E 6F C0 1F 62 65 EC 72 75 6E FC 6D 6E 20 50 46 53 20 B9 66 64 65 }
        $art3 = "ViGuua!Gre"
        $art4 = "6seaIdFiYdA"
    condition:
        uint16(0) == 0x5A4D
        and filesize < 2MB
        and ($cert or 2 of ($art1, $art2, $art3, $art4))
}
rule M_Launcher_FONELAUNCH_1 {
    // FONELAUNCH.FAX hunting rule. A PE must contain all three text markers
    // (registry access via OpenSubKey, the System.Reflection namespace, and a
    // PowerShell-style environment lookup stored as UTF-16) plus two CIL byte
    // sequences: one field-store fragment (7D = stfld with a 04xxxxxx field
    // token) and at least 16 ldstr/ldstr/callvirt fragments (72 = ldstr with
    // a 70xxxxxx string token, 6F = callvirt with an 0A00xxxx memberref).
    // The >= 16 count is what separates this from ordinary .NET binaries that
    // merely reflect and read the registry; do not lower it without a corpus
    // check.
    meta:
        author = "Mandiant"
        description = "Hunting rule looking for FONELAUNCH.FAX samples."
        md5 = "d6220ca85c44e2012f76193b38881185"
    strings:
        $txt_opensubkey = "OpenSubKey"
        $txt_reflection = "System.Reflection"
        $txt_getenv = "[Environment]::GetEnvironmentVariable(" wide
        $cil_field_store = { 0A 06 02 7D [3] 04 00 16 06 }
        $cil_ldstr_callvirt = { 72 [3] 70 72 [3] 70 6F ?? 00 00 0A }
    condition:
        uint16(0) == 0x5A4D
        and $txt_opensubkey and $txt_reflection and $txt_getenv
        and $cil_field_store
        and #cil_ldstr_callvirt >= 16
}
rule M_Launcher_FONELAUNCH_2 {
    // FONELAUNCH.DIALTONE hunting rule. No text markers here — only CIL byte
    // sequences. Both "prototype" fragments are required: the first pushes
    // the constants 0x30 and 0x10001B before a call (1F = ldc.i4.s, 20 =
    // ldc.i4, 28 = call); the second is pop / ldloc.s / ldloc.s / ldloc.1 /
    // conv.i8 / ldc.i4 0x000030?? / ldc.i4.s 0x40 / call, which reads like
    // allocation-type and page-protection arguments (0x3000 / 0x40 =
    // PAGE_EXECUTE_READWRITE) — plausible but confirm against the sample.
    // On top of that the shared FONELAUNCH markers apply: one field-store
    // fragment and at least 16 ldstr/ldstr/callvirt fragments.
    meta:
        author = "Mandiant"
        description = "Hunting rule looking for FONELAUNCH.DIALTONE samples."
        md5 = "aef6d31b3249218d24a7f3682a00aa10"
    strings:
        $cil_proto_a = { 1F 30 20 1B 00 10 00 28 }
        $cil_proto_b = { 26 11 ?? 11 ?? 07 6A 20 ?? 30 00 00 1F 40 28 }
        $cil_field_store = { 0A 06 02 7D [3] 04 00 16 06 }
        $cil_ldstr_callvirt = { 72 [3] 70 72 [3] 70 6F ?? 00 00 0A }
    condition:
        uint16(0) == 0x5A4D
        and $cil_proto_a and $cil_proto_b
        and $cil_field_store
        and #cil_ldstr_callvirt >= 16
}
rule M_Launcher_FONELAUNCH_3 {
    // FONELAUNCH.PHONE hunting rule. A PE must contain "LoadLibrary", a UTF-16
    // "SOFTWARE\" registry path prefix and the "PAGE_EXECUTE_READWRITE"
    // constant name — together they suggest a registry-stored payload mapped
    // into RWX memory, but that is an inference; the sample md5 is the ground
    // truth. The shared FONELAUNCH CIL markers are also required: one
    // field-store fragment (7D = stfld) and at least 16 ldstr/ldstr/callvirt
    // fragments (72 = ldstr, 6F = callvirt). The count threshold carries most
    // of the precision; the three text strings alone are common.
    meta:
        author = "Mandiant"
        description = "Hunting rule looking for FONELAUNCH.PHONE samples."
        md5 = "ec17564ac3e10530f11a455a475f9763"
    strings:
        $txt_loadlibrary = "LoadLibrary"
        $txt_software_key = "SOFTWARE\\" wide
        $txt_page_rwx = "PAGE_EXECUTE_READWRITE"
        $cil_field_store = { 0A 06 02 7D [3] 04 00 16 06 }
        $cil_ldstr_callvirt = { 72 [3] 70 72 [3] 70 6F ?? 00 00 0A }
    condition:
        uint16(0) == 0x5A4D
        and $txt_loadlibrary and $txt_software_key and $txt_page_rwx
        and $cil_field_store
        and #cil_ldstr_callvirt >= 16
}
rule BoratRATKeylogger {
    // PE that carries the keylogger plugin's UTF-16 log-file name, four
    // UTF-16 key labels AND the build-time PDB path. Every string is required,
    // so a rebuild with the PDB path stripped or the log name changed will not
    // match; the PDB path is the most specific indicator here and also the
    // most fragile one.
    meta:
        description = "Detects BoratRAT Keylogger"
        author = "BlackBerry Threat Research Team"
        date = "2022-04-13"
        license = "This Yara rule is provided under the Apache License 2.0 (https://www.apache.org/licenses/LICENSE-2.0) and open to any user or organization, as long as you use it under this license and ensure originator credit in any derivative to The BlackBerry Research & Intelligence Team"
    strings:
        $log_name = "Sa8XOfH1BudXLog.txt" wide
        $key_caps_on = "[CAPSLOCK: ON]" wide
        $key_caps_off = "[CAPSLOCK: OFF]" wide
        $key_space = "[SPACE]" wide
        $key_enter = "[ENTER]" wide
        // Same bytes as the original hex pattern, written out as ASCII text:
        // C:\Users\Administrator\Downloads\SantaRat-main\Binaries\Release\Plugins\Keylogger.pdb
        $pdb_path = "C:\\Users\\Administrator\\Downloads\\SantaRat-main\\Binaries\\Release\\Plugins\\Keylogger.pdb"
    condition:
        uint16(0) == 0x5A4D
        and $log_name
        and $key_caps_on and $key_caps_off and $key_space and $key_enter
        and $pdb_path
}
rule M_Hunting_3CXDesktopApp_Key {
    // Single-indicator hunting rule: any input (no file-type or size guard)
    // containing the 12-character key "3jB(2bsG#@c7" as ASCII or UTF-16. The
    // lack of a guard is deliberate for hunting — the key may be found in a
    // config blob or memory dump as well as in the PE — but it also means
    // IOC write-ups and this listing itself will match; scope the scan
    // accordingly.
    meta:
        disclaimer = "This rule is meant for hunting and is not tested to run in a production environment"
        description = "Detects a key found in a malicious 3CXDesktopApp file"
        md5 = "74bc2d0b6680faa1a5a76b27e5479cbc"
        date = "2023/03/29"
        version = "1"
    strings:
        $key = "3jB(2bsG#@c7" ascii wide
    condition:
        any of them
}
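rule M_Hunting_3CXDesktopApp_Export {
    // Hunting rule: a PE that contains both the COM export name
    // "DllGetClassObject" and the product name "3CXDesktopApp" (ASCII or
    // UTF-16). Both strings also occur in legitimate 3CX components, so a hit
    // is a triage lead, not a verdict — pair it with the sibling TAXHAUL /
    // VEILEDSIGNAL rules or a hash check.
    //
    // Fix: the original condition was just `all of ($str*)` with no file-type
    // guard, so any file holding the two words (IOC reports, logs, this rule
    // listing) matched. An export name is only meaningful inside a PE image,
    // so the rule now requires the MZ signature like its sibling rules do.
    // If you run this against process memory rather than files, drop the
    // header check — memory regions need not start with the DOS header.
    meta:
        disclaimer = "This rule is meant for hunting and is not tested to run in a production environment"
        description = "Detects an export used in 3CXDesktopApp malware"
        md5 = "7faea2b01796b80d180399040bb69835"
        date = "2023/03/31"
        version = "1"
    strings:
        $str1 = "DllGetClassObject" ascii wide
        $str2 = "3CXDesktopApp" ascii wide
    condition:
        uint16(0) == 0x5A4D and all of ($str*)
}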
rule TAXHAUL {
    // PE (MZ) containing either of two x86-64 code fragments. Read as
    // instructions they look like:
    //   $code_lea_chain: cmovne edi, r14d; then three repeats of
    //     lea r15, [rip+disp32] / jmp short / xor r14d, r14d — a chain of
    //     RIP-relative address selections with the displacement wildcarded.
    //   $code_vcall: cmp [r14], r12; mov rax, [rcx]; sete sil;
    //     call [rax+disp32]; mov r9d, imm32; jmp short; mov ebx, esi;
    //     test rax, rax; je — an indirect (vtable-style) call with its
    //     immediate and displacements wildcarded.
    // Either fragment alone matches. The decode above is a reading of the
    // opcode bytes, not taken from the sample; treat it as a guide.
    // The created/modified dates use a DD/MM or MM/DD form that is ambiguous
    // on its own (3 April vs 4 March 2023).
    meta:
        author = "Mandiant"
        created = "04/03/2023"
        modified = "04/03/2023"
        version = "1.0"
    strings:
        $code_lea_chain = { 41 0F 45 FE 4C 8D 3D [4] EB ?? 45 33 F6 4C 8D 3D [4] EB ?? 45 33 F6 4C 8D 3D [4] EB }
        $code_vcall = { 4D 39 26 48 8B 01 40 0F 94 C6 FF 90 [4] 41 B9 [4] EB ?? 8B DE 48 85 C0 74 }
    condition:
        uint16(0) == 0x5A4D and 1 of them
}
rule M_Hunting_MSI_Installer_3CX_1 {
    // OLE compound file (header D0 CF 11 E0, the container MSI uses) between
    // 90 MB and 105 MB carrying all six indicators: three raw byte runs of the
    // form " \x00_<name>" — _d3dcompiler_47.dll_, _3CXDesktopApp. and
    // _ffmpeg.dll_ (likely MSI string-pool entries; confirm) — the subject
    // fragment "3CX Ltd1", a fixed 16-byte value and the date fragment
    // "202303". The later copy of this rule in the listing attributes the
    // last two to the signing certificate.
    // NOTE(review): a second rule with this exact identifier appears further
    // down with filesize < 100MB and one md5. Loading both into one ruleset
    // fails on the duplicate identifier; this copy (105 MB, two md5s) is the
    // wider of the two.
    meta:
        author = "Mandiant"
        md5 = "0eeb1c0133eb4d571178b2d9d14ce3e9, f3d4144860ca10ba60f7ef4d176cc736"
    strings:
        $msi_d3dcompiler = { 20 00 5F 64 33 64 63 6F 6D 70 69 6C 65 72 5F 34 37 2E 64 6C 6C 5F }
        $msi_3cxdesktopapp = { 20 00 5F 33 43 58 44 65 73 6B 74 6F 70 41 70 70 2E }
        $msi_ffmpeg = { 20 00 5F 66 66 6D 70 65 67 2E 64 6C 6C 5F }
        $subject_3cx = "3CX Ltd1"
        $cert_bytes = { 1B 66 11 DF 9C 9A 4D 6E CC 8E D5 0C 9B 91 78 73 }
        $cert_date = "202303"
    condition:
        uint32(0) == 0xE011CFD0
        and filesize > 90MB and filesize < 105MB
        and $msi_d3dcompiler and $msi_3cxdesktopapp and $msi_ffmpeg
        and $subject_3cx and $cert_bytes and $cert_date
}
rule BoratRATInformation {
    // PE that carries the .NET method names used to shell out
    // (set_UseShellExecute, execCMD), four UTF-16 recon commands, and the
    // plugin's build-time PDB path. All seven are required, so this is tight
    // on the original build but brittle: the PDB path disappears on any
    // rebuild and the command list is trivial to edit.
    meta:
        description = "Detects BoratRAT Information Module"
        author = "BlackBerry Threat Research Team"
        date = "2022-04-13"
        license = "This Yara rule is provided under the Apache License 2.0 (https://www.apache.org/licenses/LICENSE-2.0) and open to any user or organization, as long as you use it under this license and ensure originator credit in any derivative to The BlackBerry Research & Intelligence Team"
    strings:
        $net_useshellexecute = "set_UseShellExecute"
        $net_execcmd = "execCMD"
        $cmd_hostname = "hostname" wide
        $cmd_ipconfig = "ipconfig" wide
        $cmd_tasklist = "tasklist" wide
        $cmd_arp = "arp -a" wide
        // Same bytes as the original hex pattern, written out as ASCII text:
        // C:\Users\Administrator\Downloads\SantaRat-main\Binaries\Release\Plugins\Information.pdb
        $pdb_path = "C:\\Users\\Administrator\\Downloads\\SantaRat-main\\Binaries\\Release\\Plugins\\Information.pdb"
    condition:
        uint16(0) == 0x5A4D
        and $net_useshellexecute and $net_execcmd
        and $cmd_hostname and $cmd_ipconfig and $cmd_tasklist and $cmd_arp
        and $pdb_path
}
rule StartOffsetRule {
    // Matches any input containing the literal tag "<OibSummary>". There is
    // no meta, no file-type or size guard and no second indicator, so on its
    // own this is not a detection: the name suggests it exists so a caller
    // can read the match offset (e.g. @marker) to locate where the tag
    // starts.
    strings:
        $marker = "<OibSummary>"
    condition:
        $marker
}
rule M_Hunting_TAXHAUL_Hash_1 {
    // PE under 15 MB (MZ signature plus "PE\0\0" at e_lfanew) containing the
    // 32-bit constant 0xDE87A325 (little-endian bytes 25 A3 87 DE) three
    // times, each within 4-20 bytes of the previous one — per the
    // description, the hardcoded value in TAXHAUL's string-hashing routine.
    // Requiring three nearby copies is what separates the hashing loop from
    // an incidental occurrence of the constant.
    meta:
        author = "Mandiant"
        disclaimer = "This rule is meant for hunting and is not tested to run in a production environment"
        description = "Rule looks for hardcoded value used in string hashing algorithm observed in instances of TAXHAUL."
        md5 = "e424f4e52d21c3da1b08394b42bc0829"
    strings:
        $hash_const_x3 = { 25 A3 87 DE [4-20] 25 A3 87 DE [4-20] 25 A3 87 DE }
    condition:
        filesize < 15MB
        and uint16(0) == 0x5A4D
        and uint32(uint32(0x3C)) == 0x00004550
        and $hash_const_x3
}
rule M_Hunting_SigFlip_SigLoader_Native {
    // PE under 15 MB containing at least four of the loader's console
    // messages (ASCII or UTF-16). The messages themselves describe the
    // technique: parse a PE, walk to its certificate table, look for a tag
    // and pull encrypted data/shellcode out of it. Because these are plain
    // status strings they are the first thing a custom build changes, so a
    // miss here does not clear a sample; the 4-of-11 threshold tolerates
    // partial edits.
    meta:
        author = "Mandiant"
        disclaimer = "This rule is meant for hunting and is not tested to run in a production environment"
        description = "Rule looks for strings present in SigLoader (Native)"
        md5 = "a3ccc48db9eabfed7245ad6e3a5b203f"
    strings:
        $msg01 = "[*]: Basic Loader..." ascii wide
        $msg02 = "[!]: Missing PE path or Encryption Key..." ascii wide
        $msg03 = "[!]: Usage: %s <PE_PATH> <Encryption_Key>" ascii wide
        $msg04 = "[*]: Loading/Parsing PE File '%s'" ascii wide
        $msg05 = "[!]: Could not read file %s" ascii wide
        $msg06 = "[!]: '%s' is not a valid PE file" ascii wide
        $msg07 = "[+]: Certificate Table RVA %x" ascii wide
        $msg08 = "[+]: Certificate Table Size %d" ascii wide
        $msg09 = "[*]: Tag Found 0x%x%x%x%x" ascii wide
        $msg10 = "[!]: Could not locate data/shellcode" ascii wide
        $msg11 = "[+]: Encrypted/Decrypted Data Size %d" ascii wide
    condition:
        filesize < 15MB
        and uint16(0) == 0x5A4D
        and uint32(uint32(0x3C)) == 0x00004550
        and 4 of ($msg*)
}
rule M_Hunting_Raw64_DAVESHELL_Bootstrap {
meta:
author = "Mandiant"
disclaimer = "This rule is meant for hunting and is not tested to run in a production environment"
description = "Rule looks for bootstrap shellcode (64 bit) present in DAVESHELL"
md5 = "8a34adda5b981498234be921f86dfb27"
// Hunts for the 64-bit bootstrap stub in any input under 15 MB. There is
// deliberately no MZ/ELF guard: this is raw shellcode and may sit in a blob,
// an overlay or a memory dump rather than at the start of a PE.
// Both patterns are the same stub with one instruction moved; read as x86-64:
//   E8 00 00 00 00 / 59    call $+5 ; pop rcx        (GetPC: rcx = own address)
//   49 89 C8                mov r8, rcx
//   48 81 C1 imm32          add rcx, imm32            (offset from stub base)
//   BA imm32                mov edx, imm32
//   49 81 C0 imm32          add r8, imm32
//   41 B9 imm32             mov r9d, imm32
//   56 / 48 89 E6           push rsi ; mov rsi, rsp   (save stack pointer)
//   48 83 E4 F0             and rsp, -16              (16-byte align)
//   48 83 EC 30             sub rsp, 0x30             (shadow space + args)
//   C7 44 24 20 imm32       mov [rsp+0x20], imm32     (5th argument slot)
//   E8 ?? 00 00 00          call rel32                (into the payload)
//   48 89 F4 / 5E / C3      mov rsp, rsi ; pop rsi ; ret
// rcx/rdx/r8/r9 plus stack slots from [rsp+0x20] is the Win64 convention,
// so the stub reads as a multi-argument call into the payload entry. The
// second pattern additionally stores rcx at [rsp+0x28] (48 89 4C 24 28)
// before the add, i.e. a sixth argument. All imm32 values are wildcarded.
// The string identifiers are 40-hex-digit labels (SHA-1 length); they have
// no effect on matching.
strings:
$b6ba50888f08e4f39b43ef67da27521dcfc61f1e = { E8 00 00 00 00 59 49 89 C8 48 81 C1 ?? ?? ?? ?? BA ?? ?? ?? ?? 49 81 C0 ?? ?? ?? ?? 41 B9 ?? ?? ?? ?? 56 48 89 E6 48 83 E4 F0 48 83 EC 30 C7 44 24 20 ?? ?? ?? ?? E8 ?? 00 00 00 48 89 F4 5E C3 }
$e32abbe82e1f957fb058c3770375da3bf71a8cab = { E8 00 00 00 00 59 49 89 C8 BA ?? ?? ?? ?? 49 81 C0 ?? ?? ?? ?? 41 B9 ?? ?? ?? ?? 56 48 89 E6 48 83 E4 F0 48 83 EC 30 48 89 4C 24 28 48 81 C1 ?? ?? ?? ?? C7 44 24 20 ?? ?? ?? ?? E8 ?? 00 00 00 48 89 F4 5E C3 }
condition:
// Either variant of the stub is enough.
filesize < 15MB and any of them
}
rule M_Hunting_MSI_Installer_3CX_1 {
    // OLE compound file (header D0 CF 11 E0, the container MSI uses) between
    // 90 MB and 100 MB carrying all six indicators: three raw byte runs of
    // the form " \x00_<name>" — _d3dcompiler_47.dll_, _3CXDesktopApp. and
    // _ffmpeg.dll_ (likely MSI string-pool entries; confirm) — the subject
    // fragment "3CX Ltd1", and, per the description, two values taken from
    // the signing certificate: a fixed 16-byte sequence and the date
    // fragment "202303".
    // NOTE(review): an earlier rule in this listing uses this exact
    // identifier with filesize < 105MB and two md5s. Loading both into one
    // ruleset fails on the duplicate identifier; this copy is the narrower
    // one, so a sample between 100 and 105 MB matches only the other.
    meta:
        author = "Mandiant"
        disclaimer = "This rule is meant for hunting and is not tested to run in a production environment"
        description = "This rule looks for hardcoded values within the MSI installer observed in strings and signing certificate"
        md5 = "0eeb1c0133eb4d571178b2d9d14ce3e9"
    strings:
        $msi_d3dcompiler = { 20 00 5F 64 33 64 63 6F 6D 70 69 6C 65 72 5F 34 37 2E 64 6C 6C 5F }
        $msi_3cxdesktopapp = { 20 00 5F 33 43 58 44 65 73 6B 74 6F 70 41 70 70 2E }
        $msi_ffmpeg = { 20 00 5F 66 66 6D 70 65 67 2E 64 6C 6C 5F }
        $subject_3cx = "3CX Ltd1"
        $cert_bytes = { 1B 66 11 DF 9C 9A 4D 6E CC 8E D5 0C 9B 91 78 73 }
        $cert_date = "202303"
    condition:
        uint32(0) == 0xE011CFD0
        and filesize > 90MB and filesize < 100MB
        and $msi_d3dcompiler and $msi_3cxdesktopapp and $msi_ffmpeg
        and $subject_3cx and $cert_bytes and $cert_date
}
rule M_Hunting_VEILEDSIGNAL_1 {
meta:
author = "Mandiant"
disclaimer = "This rule is meant for hunting and is not tested to run in a production environment"
md5 = "404b09def6054a281b41d309d809a428, c6441c961dcad0fe127514a918eaabd4"
// Matches a PE (MZ + "PE\0\0" at e_lfanew) whose encoded Rich header equals
// one of four known values. Each pattern has the Rich-header shape: the
// first dword is "DanS" XORed with the key, followed by three copies of the
// key (e.g. $rh1: 68 5D 7A D2 = 44 61 6E 53 ^ 2C 3C 14 81, then 2C 3C 14 81
// x3), then the XOR-encoded toolchain component entries. This fingerprints
// the exact linker/compiler set that produced the sample — a strong
// indicator of the same build environment, but one that changes with any
// rebuild and is lost entirely if the header is stripped or rewritten.
strings:
$rh1 = { 68 5D 7A D2 2C 3C 14 81 2C 3C 14 81 2C 3C 14 81 77 54 10 80 26 3C 14 81 77 54 17 80 29 3C 14 81 77 54 11 80 AB 3C 14 81 D4 4C 11 80 33 3C 14 81 D4 4C 10 80 22 3C 14 81 D4 4C 17 80 25 3C 14 81 77 54 15 80 27 3C 14 81 2C 3C 15 81 4B 3C 14 81 94 4D 1D 80 28 3C 14 81 94 4D 14 80 2D 3C 14 81 94 4D 16 80 2D 3C 14 81 }
$rh2 = { 00 E5 A0 2B 44 84 CE 78 44 84 CE 78 44 84 CE 78 1F EC CA 79 49 84 CE 78 1F EC CD 79 41 84 CE 78 1F EC CB 79 C8 84 CE 78 BC F4 CA 79 4A 84 CE 78 BC F4 CD 79 4D 84 CE 78 BC F4 CB 79 65 84 CE 78 1F EC CF 79 43 84 CE 78 44 84 CF 78 22 84 CE 78 FC F5 C7 79 42 84 CE 78 FC F5 CE 79 45 84 CE 78 FC F5 CC 79 45 84 CE 78 }
$rh3 = { DA D2 21 22 9E B3 4F 71 9E B3 4F 71 9E B3 4F 71 C5 DB 4C 70 94 B3 4F 71 C5 DB 4A 70 15 B3 4F 71 C5 DB 4B 70 8C B3 4F 71 66 C3 4B 70 8C B3 4F 71 66 C3 4C 70 8F B3 4F 71 C5 DB 49 70 9F B3 4F 71 66 C3 4A 70 B0 B3 4F 71 C5 DB 4E 70 97 B3 4F 71 9E B3 4E 71 F9 B3 4F 71 26 C2 46 70 9F B3 4F 71 26 C2 B0 71 9F B3 4F 71 9E B3 D8 71 9F B3 4F 71 26 C2 4D 70 9F B3 4F 71 }
$rh4 = { CB 8A 35 66 8F EB 5B 35 8F EB 5B 35 8F EB 5B 35 D4 83 5F 34 85 EB 5B 35 D4 83 58 34 8A EB 5B 35 D4 83 5E 34 09 EB 5B 35 77 9B 5E 34 92 EB 5B 35 77 9B 5F 34 81 EB 5B 35 77 9B 58 34 86 EB 5B 35 D4 83 5A 34 8C EB 5B 35 8F EB 5A 35 D3 EB 5B 35 37 9A 52 34 8C EB 5B 35 37 9A 58 34 8E EB 5B 35 37 9A 5B 34 8E EB 5B 35 37 9A 59 34 8E EB 5B 35 }
condition:
// Any one of the four headers is sufficient.
uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and 1 of ($rh*)
}
rule M_Hunting_VEILEDSIGNAL_2 {
    // 64-bit PE only: MZ, "PE\0\0" at e_lfanew, and optional-header magic
    // 0x020B (PE32+) at e_lfanew + 0x18. Requires all of: one code fragment,
    // three imported names and two other strings.
    // $code_const_arith reads as shl eax,5 / xor / imul r8d,r8d,0x12BF507D /
    // shr eax,7 / xor / shl eax,0x16 / add r8d,0x12D687 — a shift-xor step
    // with fixed multiplier and increment, i.e. PRNG- or key-schedule-like
    // code (a reading of the opcodes; confirm against the md5 sample).
    // The CNG names and "ChainingModeGCM" point at AES-GCM via BCrypt; the
    // "__tutma" token is the most specific string in the set.
    meta:
        author = "Mandiant"
        disclaimer = "This rule is meant for hunting and is not tested to run in a production environment"
        md5 = "404b09def6054a281b41d309d809a428"
    strings:
        $code_const_arith = { C1 E0 05 4D 8? [2] 33 D0 45 69 C0 7D 50 BF 12 8B C2 41 FF C2 C1 E8 07 33 D0 8B C2 C1 E0 16 41 81 C0 87 D6 12 00 }
        $imp_cryptbinarytostring = "CryptBinaryToStringA" fullword
        $imp_bcryptgensymkey = "BCryptGenerateSymmetricKey" fullword
        $imp_createthread = "CreateThread" fullword
        $txt_gcm_mode = "ChainingModeGCM" wide
        $txt_tutma = "__tutma" fullword
    condition:
        uint16(0) == 0x5A4D
        and uint32(uint32(0x3C)) == 0x00004550
        and uint16(uint32(0x3C) + 0x18) == 0x020B
        and $code_const_arith
        and $imp_cryptbinarytostring and $imp_bcryptgensymkey and $imp_createthread
        and $txt_gcm_mode and $txt_tutma
}
rule M_Hunting_VEILEDSIGNAL_3 {
    // 64-bit PE only (MZ, "PE\0\0", optional-header magic 0x020B = PE32+).
    // Requires a raw block of NUL-separated HTTP header material — decoded:
    //   "application/json, text/javascript, */*; q=0.01" \0\0 "accept" \0\0
    //   "en-US,en;q=0.9" \0\0 "accept-language" \0 "cookie" \0\0
    // — plus the WinINet send import, a named-pipe import, CreateThread and
    // the DllGetClassObject export name. The header blob with its exact NUL
    // padding is the specific part; the four names are common on their own.
    meta:
        author = "Mandiant"
        disclaimer = "This rule is meant for hunting and is not tested to run in a production environment"
        md5 = "c6441c961dcad0fe127514a918eaabd4"
    strings:
        $http_hdr_blob = { 61 70 70 6C 69 63 61 74 69 6F 6E 2F 6A 73 6F 6E 2C 20 74 65 78 74 2F 6A 61 76 61 73 63 72 69 70 74 2C 20 2A 2F 2A 3B 20 71 3D 30 2E 30 31 00 00 61 63 63 65 70 74 00 00 65 6E 2D 55 53 2C 65 6E 3B 71 3D 30 2E 39 00 00 61 63 63 65 70 74 2D 6C 61 6E 67 75 61 67 65 00 63 6F 6F 6B 69 65 00 00 }
        $imp_httpsendrequest = "HttpSendRequestW" fullword
        $imp_createnamedpipe = "CreateNamedPipeW" fullword
        $imp_createthread = "CreateThread" fullword
        $exp_dllgetclassobject = "DllGetClassObject" fullword
    condition:
        uint16(0) == 0x5A4D
        and uint32(uint32(0x3C)) == 0x00004550
        and uint16(uint32(0x3C) + 0x18) == 0x020B
        and $http_hdr_blob
        and $imp_httpsendrequest and $imp_createnamedpipe and $imp_createthread
        and $exp_dllgetclassobject
}
rule M_Hunting_VEILEDSIGNAL_4 {
    // 64-bit PE only (MZ, "PE\0\0", optional-header magic 0x020B = PE32+).
    // Two code fragments plus three import names and the DllGetClassObject
    // export name, all required.
    //   $code_call_alloc: call [rip+0x176FC]; mov esi,eax; test eax,eax; je;
    //     lea edx,[rax+1]; ... call [rip+?]; mov rbx,rax; test rax,rax; je;
    //     then stack-slot argument setup ([rsp+0x28], [rsp+0x20]) — reads
    //     like a size query followed by an allocation and a wide call.
    //   $code_two_calls: xor edx,edx; xor ecx,ecx; call [rip+?]; mov r9,rbx;
    //     mov [rsp+0x28],r14; lea r8,[rip-?]; mov [rsp+0x20],r14d;
    //     xor edx,edx; xor ecx,ecx; call [rip+?].
    // NOTE(review): the first fragment hardcodes the displacement FC 76 01 00
    // of its first call — any relink moves the IAT slot and breaks that
    // match, so this is pinned to the listed builds rather than the family.
    // The decodes are opcode readings, not taken from the sample.
    meta:
        author = "Mandiant"
        disclaimer = "This rule is meant for hunting and is not tested to run in a production environment"
        md5 = "404b09def6054a281b41d309d809a428, c6441c961dcad0fe127514a918eaabd4"
    strings:
        $code_call_alloc = { FF 15 FC 76 01 00 8B F0 85 C0 74 ?? 8D 50 01 [6-16] FF 15 [4] 48 8B D8 48 85 C0 74 ?? 89 ?? 24 28 44 8B CD 4C 8B C? 48 89 44 24 20 }
        $code_two_calls = { 33 D2 33 C9 FF 15 [4] 4C 8B CB 4C 89 74 24 28 4C 8D 05 [2] FF FF 44 89 74 24 20 33 D2 33 C9 FF 15 }
        $imp_createthread = "CreateThread" fullword
        $imp_multibytetowidechar = "MultiByteToWideChar" fullword
        $imp_localalloc = "LocalAlloc" fullword
        $exp_dllgetclassobject = "DllGetClassObject" fullword
    condition:
        uint16(0) == 0x5A4D
        and uint32(uint32(0x3C)) == 0x00004550
        and uint16(uint32(0x3C) + 0x18) == 0x020B
        and $code_call_alloc and $code_two_calls
        and $imp_createthread and $imp_multibytetowidechar and $imp_localalloc
        and $exp_dllgetclassobject
}
rule M_Hunting_VEILEDSIGNAL_5 {
    // 64-bit PE only (MZ, "PE\0\0", optional-header magic 0x020B = PE32+).
    // Everything below is required. The code fragment is three repeats of
    // lea rdx,[rip+?] / lea rcx,[rsp+0x4C] / call / test eax,eax / je,
    // then lea / mov rcx,rbx / call [rip+?] / jmp — a stack buffer compared
    // against three constants in turn, which fits the three UTF-16 browser
    // process names and Process32FirstW listed with it (an inference from
    // the opcodes; confirm against the md5 sample). "\\.\pipe\*" plus
    // FindFirstFileA suggests named-pipe enumeration; RtlAdjustPrivilege
    // and NtWaitForSingleObject are direct ntdll calls.
    meta:
        author = "Mandiant"
        disclaimer = "This rule is meant for hunting and is not tested to run in a production environment"
        md5 = "6727284586ecf528240be21bb6e97f88"
    strings:
        $code_triple_compare = { 48 8D 15 [4] 48 8D 4C 24 4C E8 [4] 85 C0 74 ?? 48 8D 15 [4] 48 8D 4C 24 4C E8 [4] 85 C0 74 ?? 48 8D 15 [4] 48 8D 4C 24 4C E8 [4] 85 C0 74 ?? 48 8D [3] 48 8B CB FF 15 [4] EB }
        $proc_chrome = "chrome.exe" wide fullword
        $proc_firefox = "firefox.exe" wide fullword
        $proc_msedge = "msedge.exe" wide fullword
        $pipe_glob = "\\\\.\\pipe\\*" ascii fullword
        $api_findfirstfile = "FindFirstFileA" ascii fullword
        $api_process32first = "Process32FirstW" ascii fullword
        $api_rtladjustprivilege = "RtlAdjustPrivilege" ascii fullword
        $api_getcurrentprocess = "GetCurrentProcess" ascii fullword
        $api_ntwaitforsingleobject = "NtWaitForSingleObject" ascii fullword
    condition:
        uint16(0) == 0x5A4D
        and uint32(uint32(0x3C)) == 0x00004550
        and uint16(uint32(0x3C) + 0x18) == 0x020B
        and $code_triple_compare
        and $proc_chrome and $proc_firefox and $proc_msedge
        and $pipe_glob
        and $api_findfirstfile and $api_process32first
        and $api_rtladjustprivilege and $api_getcurrentprocess
        and $api_ntwaitforsingleobject
}
rule M_Hunting_VEILEDSIGNAL_6 {
    // 32-bit PE only: MZ, "PE\0\0" at e_lfanew, and optional-header magic
    // 0x010B (PE32) at e_lfanew + 0x18 — note the sibling VEILEDSIGNAL rules
    // require 0x020B (PE32+). All six strings are required: a ProgramData
    // drop path, two DLL names, a host executable name, a TPM-related
    // directory fragment (all UTF-16) and the CreateFileW import. The
    // combination of a Microsoft binary name with a DLL name and a writable
    // path looks like a side-loading setup — an inference; confirm against
    // the md5 sample.
    meta:
        author = "Mandiant"
        disclaimer = "This rule is meant for hunting and is not tested to run in a production environment"
        md5 = "00a43d64f9b5187a1e1f922b99b09b77"
    strings:
        $path_programdata = "C:\\Programdata\\" wide
        $dll_devobj = "devobj.dll" wide fullword
        $dll_msvcr100 = "msvcr100.dll" wide fullword
        $exe_tpmvscmgrsvr = "TpmVscMgrSvr.exe" wide fullword
        $path_tpm_dir = "\\Microsoft\\Windows\\TPM" wide fullword
        $imp_createfilew = "CreateFileW" ascii fullword
    condition:
        uint16(0) == 0x5A4D
        and uint32(uint32(0x3C)) == 0x00004550
        and uint16(uint32(0x3C) + 0x18) == 0x010B
        and $path_programdata and $path_tpm_dir
        and $dll_devobj and $dll_msvcr100 and $exe_tpmvscmgrsvr
        and $imp_createfilew
}
rule MTI_Hunting_POOLRAT {
    // Single-hit hunting rule with no file-type or size guard: any one of
    // four multipart form-field format strings (name="uid"/"session"/
    // "action"/"token" followed by %s/%u placeholders) or the fixed
    // multipart boundary, each as ASCII or UTF-16 (the boundary is also
    // case-insensitive). The absence of a guard is deliberate for hunting
    // but means captured HTTP traffic, logs and reports quoting the
    // boundary will match too.
    meta:
        author = "Mandiant"
        disclaimer = "This rule is meant for hunting and is not tested to run in a production environment"
        description = "Detects strings found in POOLRAT. "
        md5 = "451c23709ecd5a8461ad060f6346930c"
        date = "10/28/2020"
        version = "1"
    strings:
        $mp_uid = "name=\"uid\"%s%s%u%s" ascii wide
        $mp_session = "name=\"session\"%s%s%u%s" ascii wide
        $mp_action = "name=\"action\"%s%s%s%s" ascii wide
        $mp_token = "name=\"token\"%s%s%u%s" ascii wide
        $mp_boundary = "--N9dLfqxHNUUw8qaUPqggVTpX-" ascii wide nocase
    condition:
        1 of them
}
rule M_Hunting_FASTREVERSEPROXY {
    // Windows PE (MZ + "PE\0\0") that is a Go build (build ID and buildinfo
    // markers) and embeds the frp client package path, the ReverseProxy
    // type from net/http/httputil, the go-socks5 package and the
    // "server_port" config key. All six are required.
    // Caveat: github.com/fatedier/frp is a public reverse-proxy tool, so
    // this identifies the tool, not an intent — expect hits on legitimate
    // admin or developer use and triage by context (who dropped it, where it
    // connects). Linux builds are excluded by the MZ check.
    meta:
        author = "Mandiant"
        disclaimer = "This rule is meant for hunting and is not tested to run in a production environment"
        md5 = "19dbffec4e359a198daf4ffca1ab9165"
    strings:
        $go_build_id = "Go build ID:" fullword
        $go_buildinf = "Go buildinf:" fullword
        $go_reverseproxy = "net/http/httputil.(*ReverseProxy)."
        $frp_client_pkg = "github.com/fatedier/frp/client"
        $frp_cfg_server_port = "\"server_port\""
        $socks5_pkg = "github.com/armon/go-socks5.proxy"
    condition:
        uint16(0) == 0x5A4D
        and uint32(uint32(0x3C)) == 0x00004550
        and $go_build_id and $go_buildinf and $go_reverseproxy
        and $frp_client_pkg and $frp_cfg_server_port and $socks5_pkg
}