rule Magniber_T3 {
    // Magniber: six short x86 code fragments. The first five decode as
    // `lea eax,[ecx-0x60]; imul eax,eax,<imm>; add ebx,eax` and differ only in
    // the multiplier (the fifth uses the 8-bit imm8 form 6B C0); the sixth is
    // `add ebx,-0x60; add ebx,ecx`. Every fragment must be present.
    strings:
        $frag_1 = { 8D 41 A0 69 C0 6B F2 DA 00 03 D8 }
        $frag_2 = { 8D 41 A0 69 C0 F1 1B 08 00 03 D8 }
        $frag_3 = { 8D 41 A0 69 C0 E3 4C 00 00 03 D8 }
        $frag_4 = { 8D 41 A0 69 C0 D9 02 00 00 03 D8 }
        $frag_5 = { 8D 41 A0 6B C0 1B 03 D8 }
        $frag_6 = { 83 C3 A0 03 D9 }
    condition:
        all of them
}
rule NetwireA {
    meta:
        description = "OSX.Netwire.A"
    strings:
        // Command/terminator marker and the hard-coded HTTP header blob. The
        // "GeckoAccept:" run (no separator between the two header lines) is kept
        // verbatim — presumably that is how the sample carries it; confirm before editing.
        $exit_marker = "exitexit"
        $http_header = "User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like GeckoAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8"
    condition:
        $exit_marker and $http_header
}
rule resolve_keys {
    meta:
        author = "Elastic Security"
        description = "EMOTET - find the key decoding algorithm in the PE"
        creation_date = "2022-08-02"
        last_modified = "2022-08-11"
        os = "Windows"
        family = "EMOTET"
        threat_name = "Windows.Trojan.EMOTET"
        reference_sample = "debad0131060d5dd9c4642bd6aed186c4a57b46b0f4c69f1af16b1ff9c0a77b1"
    strings:
        // x64 code fragment from the key-decoding routine; `??` wildcards cover
        // register/displacement bytes that vary between builds.
        $key_decode = { 45 33 C9 4C 8B D0 48 85 C0 74 ?? 48 8D ?? ?? 4C 8B ?? 48 8B ?? 48 2B ?? 48 83 ?? ?? 48 C1 ?? ?? 48 3B ?? 49 0F 47 ?? 48 85 ?? 74 ?? 48 2B D8 42 8B 04 03 }
    condition:
        $key_decode
}
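import "hash"
rule AM0NEye_EtwX86 {
    meta:
        description = "AM0NEye - etw.x86.o"
        sha256 = "a14d6a30e886a19d47fad3e66b8dd5a6ead3e3a0bd7f8d3a6e001542740e9190"
    strings:
        // Import symbols and messages of a 32-bit COFF object; the Beacon* imports
        // mark it as a Cobalt Strike-style BOF.
        $s1 = "__imp__KERNEL32$GetCurrentProcess@0" ascii fullword
        $s2 = "__imp__KERNEL32$ReadProcessMemory@20" ascii fullword
        $s3 = "ReadProcessMemory failed" ascii fullword
        $s4 = "__imp__KERNEL32$GetProcAddress@8" ascii fullword
        $s5 = "Failed to find function address" ascii fullword
        $s6 = "__imp__KERNEL32$LoadLibraryA@4" ascii fullword
        $s7 = "__imp__KERNEL32$VirtualProtect@16" ascii fullword
        $s8 = "__imp__BeaconDataExtract" ascii fullword
        $s9 = "__imp__MSVCRT$strcmp" ascii fullword
        $s10 = "__imp__BeaconPrintf" ascii fullword
        $s11 = "__imp__BeaconDataParse" ascii fullword
        $s12 = "Could not load library" ascii fullword
        $s13 = "__imp__MSVCRT$memcpy" ascii fullword
        $s14 = "Working with 32-bit." ascii fullword
        // Section name and compiler banner: weak on their own, they only add to the count.
        $s15 = "0`.data" ascii fullword
        $s16 = "GCC: (GNU) 10-win32 20220324" ascii fullword
    condition:
        // Cheap structural checks first: COFF machine type IMAGE_FILE_MACHINE_I386
        // (0x014c), small object file, most of the symbols present. The whole-file
        // SHA-256 is only computed when that path fails, instead of hashing every
        // scanned file as the original operand order did. Parentheses make the
        // and/or precedence explicit; the match set is unchanged.
        (uint16(0) == 0x014c and filesize < 6KB and 8 of them)
        or hash.sha256(0, filesize) == "a14d6a30e886a19d47fad3e66b8dd5a6ead3e3a0bd7f8d3a6e001542740e9190"
}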
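rule Lazarus_FALLCHILL_RAT {
    meta:
        author = "Vlad Pasca - LIFARS LLC"
        Date = "2021-08-25"
        // Joined into a single line: a string literal broken across two lines is a
        // syntax error in YARA and the rule would not compile as listed.
        Reference = "https://us-cert.cisa.gov/sites/default/files/publications/MAR-10135536-A_WHITE_S508C.pdf"
    strings:
        // API names with the lowercase letters Atbash-substituted
        // (e.g. "GvgFrovSrzv" <-> GetFileSize, "LlxpRvhlfixv" <-> LockResource).
        $s1 = "GvgFrovSrzv" ascii fullword
        $s2 = "LlxpRvhlfixv" ascii fullword
        $s3 = "Pilxvhh32FrihgW" ascii fullword
        $s4 = "WirgvPilxvhhMvnlib" ascii fullword
        // Fragments of the batch/command template used to run commands and capture output.
        $t1 = "@echo off" ascii fullword
        $t2 = "c%sd.e%sc %s > \"%s\" 2>&1" wide fullword
        $t3 = "- -" wide fullword
        $t4 = "REGSVR32.EXE.MUI" wide fullword
    condition:
        // MZ header plus three of either the encoded API names or the command fragments.
        (uint16(0) == 0x5A4D) and (3 of ($s*) or 3 of ($t*))
}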
import "pe"
rule diskknight {
meta:
description = "Disk Knight detection (worm.diskknight/knight) - VERY SPECIFIC"
author = "Luca D'Amico"
date = "2023/06/24"
hash0 = "d25c1d1423ed31b5436678318ca815092102e88d06a130481bc0728d14d74bb4"
strings:
// All three must be present (`all of them` below).
$a1 = "http://www.ariful.esmartweb.com"
$a2 = "action=Disk Knight(Protection Against Mobile Disk Viruses)"
$a3 = "[Disk Knight]"
condition:
// MZ header, 32-bit x86 PE, a resource of custom type "CUSTOM" named
// "AUTORUN.INF" or "RECOVER.REG" (type_string/name_string are UTF-16LE, hence the
// interleaved \x00), an import of the VB6 runtime MSVBVM60.DLL, and all strings.
// The resource loop is empty when pe.number_of_resources is 0 and then fails the rule.
uint16(0) == 0x5A4D and pe.machine == pe.MACHINE_I386 and for any i in (0 .. (pe.number_of_resources) - 1) : ( pe.resources[i].type_string == "C\x00U\x00S\x00T\x00O\x00M\x00" and (pe.resources[i].name_string == "A\x00U\x00T\x00O\x00R\x00U\x00N\x00.\x00I\x00N\x00F\x00" or pe.resources[i].name_string == "R\x00E\x00C\x00O\x00V\x00E\x00R\x00.\x00R\x00E\x00G\x00") ) and pe.imports("MSVBVM60.DLL") and all of them
}
rule EMBEDDEDHTML_WITH_SCRIPT {
meta:
description = "possible abuse of Office video embededHtml"
reference = "https://blog.cymulate.com/abusing-microsoft-office-online-video"
strings:
// Value of an embeddedHtml="..." or embeddedHtml='...' attribute; the leading \s
// anchors it as a standalone attribute. The match runs to the closing quote, so
// its offset (@) and length (!) delimit the attribute value.
$embeddedHtmlre1 = /\sembeddedHtml="[^"]+/
$embeddedHtmlre2 = /\sembeddedHtml='[^']+/
$script = "<script" nocase
condition:
// True when some "<script" occurrence lies strictly inside the byte span of some
// attribute match (start < @script[j] < start + length). Checked separately for
// the double- and single-quoted forms. Note: a "<script" escaped as HTML entities
// inside the attribute is not covered by the literal string.
(for any i in (1 .. #embeddedHtmlre1) : ( for any j in (1 .. #script) : ( @embeddedHtmlre1[i] < @script[j] and @script[j] < @embeddedHtmlre1[i] + !embeddedHtmlre1[i] ) )) or (for any i in (1 .. #embeddedHtmlre2) : ( for any j in (1 .. #script) : ( @embeddedHtmlre2[i] < @script[j] and @script[j] < @embeddedHtmlre2[i] + !embeddedHtmlre2[i] ) ))
}
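rule Leviathan_CobaltStrike_Sample_1 {
    meta:
        description = "Detects Cobalt Strike sample from Leviathan report"
        license = "https://creativecommons.org/licenses/by-nc/4.0/"
        author = "Florian Roth"
    strings:
        // $x*: sample-specific — the DLL name and two injection/impersonation errors;
        // any one is sufficient.
        $x1 = "a54c81.dll" ascii fullword
        $x2 = "%d is an x64 process (can't inject x86 content)" ascii fullword
        $x3 = "Failed to impersonate logged on user %d (%u)" ascii fullword
        // $s*: generic Beacon strings (PowerShell stager, error messages, DNS
        // beacon format string); three are required when no $x hits.
        $s1 = "powershell -nop -exec bypass -EncodedCommand \"%s\"" ascii fullword
        $s2 = "IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s" ascii fullword
        $s3 = "could not run command (w/ token) because of its length of %d bytes!" ascii fullword
        $s4 = "could not write to process memory: %d" ascii fullword
        // Joined into one line: the listing broke this literal across two lines,
        // which YARA rejects (string literals cannot contain a line break).
        $s5 = "%s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s" ascii fullword
        $s6 = "Could not connect to pipe (%s): %d" ascii fullword
    condition:
        uint16(0) == 0x5a4d and filesize < 600KB and (1 of ($x*) or 3 of them)
}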
rule ForensicITGuyString {
    meta:
        description = "This is just an example"
    strings:
        // Plain ASCII marker; any single occurrence matches.
        $marker = "ForensicITGuy"
    condition:
        all of them
}
import "pe"
import "console"
import "hash"
import "magic"
// Diagnostic, not a detection: console.log() returns true, so this rule matches
// every scanned file and prints its libmagic type and MIME type. The "pe" and
// "hash" imports are unused here (kept; other rules in the same file may rely on them).
rule WhatIsIt {
condition:
console.log("File type:\t", magic.type()) and console.log("Mimetype:\t", magic.mime_type())
}
import "hash"
import "console"
// Diagnostic, not a detection: prints MD5, SHA-1 and SHA-256 of the whole file
// (offset 0, length filesize) and matches every file, since console.log() returns
// true. Each hash is a full pass over the file; expect a cost on large scan sets.
rule BasicHashes {
condition:
console.log("MD5:\t", hash.md5(0, filesize)) and console.log("SHA-1:\t", hash.sha1(0, filesize)) and console.log("SHA-256:\t", hash.sha256(0, filesize))
}
import "hash"
import "console"
import "pe"
// Diagnostic: for PE files, prints the import hash and the MD5 of the Rich header
// data with its XOR key removed. pe.is_pe short-circuits non-PE input.
// NOTE(review): for a PE without a Rich header pe.rich_signature.clear_data is
// presumably undefined, which makes the expression false rather than an error — confirm.
rule PeHashes {
condition:
pe.is_pe and console.log("Imphash:\t", pe.imphash()) and console.log("Rich Header Hash:\t", hash.md5(pe.rich_signature.clear_data))
}
rule Sparkle {
    meta:
        author = "Snorre Fagerland, Norton Labs"
    strings:
        // Two HTTP response headers as they would appear in a canned reply, plus a
        // 16-hex-character token; all three must co-occur.
        $hdr_xss = "X-XSS-Protection: 1; mode=block"
        $hdr_server = "Server: gws"
        $token = "a780d739c44a5d7c"
    condition:
        $hdr_xss and $hdr_server and $token
}
rule Server007 {
    meta:
        author = "Snorre Fagerland, Norton Labs"
    strings:
        // C2 URL format string and two version-tag markers.
        $url_fmt = "http://%s:%d/ask/main"
        $ver_green = "_green_ver_"
        $ver_exp = "_exp_ver_"
        // Service-installation fragments ("sc config", ServiceDll value, "@echo off")
        // concatenated as they presumably sit adjacent in the binary; kept verbatim.
        $svc_cmd = "sc config %s slSet\\Services\\%s%SYSTEMROOT%\\sys/v ServiceDll /t@echo off"
    condition:
        $svc_cmd or ($url_fmt and $ver_green and $ver_exp)
}
rule P1RatLoader {
    meta:
        author = "Snorre Fagerland, Norton Labs"
    strings:
        // ASCII version tag and a UTF-16LE routine/command name; both required.
        $tag = "P1Rat_2017"
        $install = "install_and_del" wide
    condition:
        $tag and $install
}
rule Newbounce {
    meta:
        author = "Snorre Fagerland, Norton Labs"
    strings:
        // Single hard-coded key/marker string; its presence alone matches.
        $key = "GAEncryptfasdfafhhIlove!!@#$!@$!@$#%!"
    condition:
        $key
}
rule Zupdax {
    meta:
        author = "Snorre Fagerland, Norton Labs"
    strings:
        // File path, registry key and path format string, each in ASCII or UTF-16LE;
        // any one of them is enough.
        $path_proc = "\\AdobeBak\\Proc.dat" ascii wide
        $reg_key = "software\\XXZH" ascii wide
        $path_connect = "%s\\updata\\connect" ascii wide
    condition:
        $path_proc or $reg_key or $path_connect
}
rule Kogina {
    meta:
        author = "Snorre Fagerland, Norton Labs"
    strings:
        // One complete x64 function (prologue through `ret`, 48 83 C4 20 5F C3);
        // the [4] jump skips the rel32 of a `call` that differs per build.
        $func = { 48 89 5C 24 08 57 48 83 EC 20 C6 44 24 40 01 4C 8D 41 20 48 2B D1 41 B9 20 00 00 00 42 8A 44 02 E0 41 88 40 20 41 88 00 49 FF C0 49 FF C9 75 EC B3 07 48 8D 79 40 48 8D 54 24 40 48 8B CF E8 [4] FE CB 75 EF 48 8B 5C 24 30 48 83 C4 20 5F C3 }
    condition:
        $func
}
rule Kotibu_Gh0st {
    meta:
        author = "Snorre Fagerland, Norton Labs"
    strings:
        // Single ASCII marker; presumably an encoded string from the sample.
        $marker = "QgptkagOckl"
    condition:
        $marker
}
rule RShell {
    meta:
        author = "Snorre Fagerland, NortonLifeLock Inc"
    strings:
        // Two debug messages around a name lookup, a UTF-16LE registry path and a
        // tagged wait-timeout message; all four are required.
        $dbg_begin = "Begin gethostbyname"
        $dbg_end = "End gethostbyname"
        $reg_path = "Software\\CLASSES\\KmpiPlayer" wide
        $timeout_msg = "[RS5] WAIT_TIMEOUT"
    condition:
        $dbg_begin and $dbg_end and $reg_path and $timeout_msg
}
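rule drovorub_library_and_unique_strings {
    meta:
        // Joined into one line: a string literal split across two lines does not
        // compile in YARA, so the rule as listed would be rejected.
        description = "Rule to detect Drovorub-server, Drovorub-agent, and Drovorub-client binaries based on unique strings and strings indicating statically linked libraries."
    strings:
        // Library names: used as counts (#s1/#s2/#s3 below) to indicate statically
        // linked Poco/JSON/OpenSSL rather than a single mention.
        $s1 = "Poco" ascii wide
        $s2 = "Json" ascii wide
        $s3 = "OpenSSL" ascii wide
        // Unique strings; all four must be present.
        $a1 = "clientid" ascii wide
        $a2 = "-----BEGIN" ascii wide
        $a3 = "-----END" ascii wide
        $a4 = "tunnel" ascii wide
    condition:
        // ELF magic ("\x7fELF" read as little-endian uint32), size between 1 MB and
        // 10 MB, library names repeated often enough, and all unique strings.
        (filesize > 1MB and filesize < 10MB and (uint32(0) == 0x464c457f)) and (#s1 > 20 and #s2 > 15 and #s3 > 15 and all of ($a*))
}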
rule drovorub_kernel_module_unique_strings {
    meta:
        description = "Rule detects the Drovorub-kernel module based on unique strings."
    strings:
        // procfs paths the module references (ASCII or UTF-16LE).
        $ = "/proc" ascii wide
        $ = "/proc/net/packet" ascii wide
        $ = "/proc/net/raw" ascii wide
        $ = "/proc/net/tcp" ascii wide
        $ = "/proc/net/tcp6" ascii wide
        $ = "/proc/net/udp" ascii wide
        $ = "/proc/net/udp6" ascii wide
        // Kernel symbols and generic words that the original rule also requires.
        $ = "do_fork" ascii wide
        $ = "module" ascii wide
        $ = "sysfs" ascii wide
        // Short command/tag identifiers unique to the module.
        $ = "cs02" ascii wide
        $ = "es01" ascii wide
        $ = "g001" ascii wide
        $ = "g002" ascii wide
        $ = "i001" ascii wide
        $ = "i002" ascii wide
        $ = "i003" ascii wide
        $ = "i004" ascii wide
        $ = "sc!^2a" ascii wide
        $ = "tr01" ascii wide
        $ = "tr02" ascii wide
        $ = "tr03" ascii wide
        $ = "tr04" ascii wide
        $ = "tr05" ascii wide
        $ = "tr06" ascii wide
        $ = "tr07" ascii wide
        $ = "tr08" ascii wide
        $ = "tr09" ascii wide
    condition:
        // Every one of the 28 strings must be present.
        all of them
}
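rule Monokle_Android {
    meta:
        // Joined into one line: the listing split this literal across two lines,
        // which YARA does not accept.
        description = "Rule for Monokle Android samples. Configuration information suggests actor has a presence in Russia. Campaigns appear highly targeted."
        // Key kept as "auth" (consumers may read it); the conventional key is "author".
        auth = "Flossman - SecInt <threatintel@lookout.com>"
        date = "2018-04-24"
        version = "1.0"
    strings:
        // DEX file magic "dex\n035\0"; required for every match.
        $dex_file = { 64 65 78 0A 30 33 35 00 }
        // $seq_*: byte sequences (class descriptor and log message prefixes);
        // $str_*: file names, paths and broadcast action. Any one of either group suffices.
        $seq_security_update = { 00 20 4C 63 6F 6D 2F 73 79 73 74 65 6D 2F 73 65 63 75 72 69 74 79 5F 75 70 64 61 74 65 2F 41 70 70 3B 00 }
        $str_recs_file = "recs233268"
        $str_sound_rec_fname = "nsr516336743.lmt"
        $str_nexus_6_recording = "Nexus 6 startMediaRecorderNexus"
        $str_next_connect_date_fname = "lcd110992264.d"
        $str_app_change_broadcast = "com.system.security.event.APP_CHANGE_STATE"
        $str_remove_presence_flag_1 = "Android/data/serv8202965/log9208846.txt"
        $str_remove_presence_flag_2 = "Android/data/serv8202965"
        $str_user_dict = "/data/local/tmp/5f2bqwko.tmp"
        $seq_failed_to_read_firefox = { 46 61 69 6C 65 64 20 74 6F 20 72 65 61 64 20 46 69 72 65 66 6F 78 20 42 72 6F 77 73 65 72 20 62 6F 6F 6B 6D 61 72 6B 73 20 66 72 6F 6D 20 }
        $str_firefox_temp_default = "/data/local/tmp/fegjrexkk.tmp"
        $seq_failed_to_read_samsung = { 46 61 69 6C 65 64 20 74 6F 20 72 65 61 64 20 53 61 6D 73 75 6E 67 20 42 72 6F 77 73 65 72 20 62 6F 6F 6B 6D 61 72 6B 73 20 66 72 6F 6D 20 }
        $str_get_bookmarks_api_log = "getBookmarksFromSBrowserApi23"
        $str_samsung_browser_temp = "/data/local/tmp/swbkxmsi.tmp"
        $str_samsung_browser_temp_2 = "/data/local/tmp/swnkxmsh.tmp"
    condition:
        $dex_file and (any of ($seq*) or any of ($str*))
}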
rule lazarus_dtrack_unpacked {
    meta:
        author = "Withsecure Threat Intelligence"
        description = "Detects unpacked dtrack variant with smb data staging"
        date = "2023-01-01"
    strings:
        // Mutex name (ASCII) and four UTF-16LE cmd.exe command lines: mount an SMB
        // share, delay via ping and drop a marker file, move the staged data to the
        // share, and collect host information. "127.0.01" and "% echo" are
        // reproduced exactly as given — presumably verbatim from the sample, so do
        // not normalise them without re-checking.
        $mutex = "MTX_Global"
        $cmd_net_use = "/c net use \\\\" wide
        $cmd_ping = "/c ping -n 3 127.0.01 > NUL % echo EEE > \"%s\"" wide
        $cmd_move = "/c move /y %s \\\\" wide
        $cmd_recon = "/c systeminfo > \"%s\" & tasklist > \"%s\" & netstat -naop tcp > \"%s\"" wide
    condition:
        // MZ header and every string.
        uint16(0) == 0x5A4D and $mutex and $cmd_net_use and $cmd_ping and $cmd_move and $cmd_recon
}
// NOTE(review): this rule reuses the identifier "lazarus_dtrack_unpacked" already
// used by the dtrack rule above; two rules with the same name in one namespace do
// not compile together. It describes a different sample (acres.exe), so it should
// carry its own name (e.g. lazarus_acres_unpacked) — left unchanged here because
// the name is part of the rule's interface. The author value also carries
// leading/trailing spaces.
rule lazarus_dtrack_unpacked {
meta:
author = " Withsecure Threat Intelligence "
description = "Detects lazarus acres.exe 64bit rat written with QT framework"
date = "2023-01-01"
strings:
// Distinctive log string, Qt version banner and a short code fragment from the
// XOR routine (`?? ` wildcards the xor immediate). All three are required.
$str_nopineapple = "< No Pineapple! >"
$str_qt_library = "Qt 5.12.10"
$str_xor = { 8B 10 83 F6 ?? 83 FA 01 77 }
condition:
// MZ header plus all strings.
uint16(0) == 0x5A4D and all of them
}