rule M_Downloader_GOOTLOADER_POWERSHELL {
    // Hunting rule for the PowerShell stage of GOOTLOADER. It keys on script
    // fragments only: three object property names (.IsLink/.IsFolder/.IsFileSystem)
    // and three code snippets (an indexed -replace, a Cookie header being added,
    // and a "|"-joined string). No file-type or size guard is applied, so the rule
    // runs against any input handed to the scanner.
    meta:
        author = "Mandiant"
        description = "Hunting rule looking for GOOTLOADER.POWERSHELL samples."
        // md5 of the sample the rule was written against (per the meta key).
        md5 = "2567a2bca964504709820de7052d3486"
    strings:
        // Property accesses; no modifiers, so ASCII-only and case-sensitive.
        $ps_object_a = ".IsLink"
        $ps_object_b = ".IsFolder"
        $ps_object_c = ".IsFileSystem"
        // Code fragments, matched case-insensitively (PowerShell is case-insensitive).
        $ps_code_parseresponse = "[1] -replace" ascii nocase
        $ps_code_httpheader = ".Headers.Add(\"Cookie:" ascii nocase
        $ps_code_concatenatedata = "([String]::Join(\"|" ascii nocase
    condition:
        // All three code fragments must be present; any one property name suffices.
        all of ($ps_code_*) and any of ($ps_object_*)
}
import "pe"
rule M_Hunting_Win_FONELAUNCH {
    // Hunting rule for FONELAUNCH: flags PE files whose version resource names
    // the binary "powershell.dll", checked both via the pe module and via raw
    // UTF-16LE byte patterns as a fallback when the resource cannot be parsed.
    meta:
        author = "Mandiant"
        description = "Hunting rule looking for suspicious version information metadata observed in FONELAUNCH samples"
        // md5 of the sample the rule was written against (per the meta key).
        md5 = "35238d2a4626e7a1b89b13042f9390e9"
    strings:
        // UTF-16LE "InternalName" NUL "powershell.dll" as laid out in VS_VERSIONINFO.
        $m1 = { 49 00 6E 00 74 00 65 00 72 00 6E 00 61 00 6C 00 4E 00 61 00 6D 00 65 00 00 00 70 00 6F 00 77 00 65 00 72 00 73 00 68 00 65 00 6C 00 6C 00 2E 00 64 00 6C 00 6C 00 }
        // UTF-16LE "OriginalFilename" NUL "powershell.dll".
        $m2 = { 4F 00 72 00 69 00 67 00 69 00 6E 00 61 00 6C 00 46 00 69 00 6C 00 65 00 6E 00 61 00 6D 00 65 00 00 00 70 00 6F 00 77 00 65 00 72 00 73 00 68 00 65 00 6C 00 6C 00 2E 00 64 00 6C 00 6C 00 }
    condition:
        // "MZ" at offset 0 and "PE\0\0" at e_lfanew restrict the rule to PE images;
        // the size cap keeps scanning cheap. A missing version_info key is undefined
        // in YARA, so the `or` chain still falls through to the raw byte patterns.
        filesize < 15MB and uint16(0) == 0x5a4d and uint32(uint32(0x3C)) == 0x00004550 and (pe.version_info["OriginalFilename"] == "powershell.dll" or pe.version_info["InternalName"] == "powershell.dll" or any of ($m*))
}
rule M_Hunt_APT_PLANKWALK_Code_String {
    // Hunting rule for PLANKWALK keyed on a single format string.
    meta:
        author = "Mandiant"
        description = "Detects a format string containing code and token found in PLANKWALK"
    strings:
        // Decodes to "code" [1-6 bytes] "=%d&" [1-6 bytes] "user" [1-6 bytes] "=%s&" [1-6 bytes] "toke".
        // The jumps tolerate a few bytes of separator between the fragments.
        $hex = { 63 6F 64 65 [1-6] 3D 25 64 26 [1-6] 75 73 65 72 [1-6] 3D 25 73 26 [1-6] 74 6F 6B 65 }
    condition:
        // Restrict to PE images ("MZ" + "PE\0\0") before requiring the pattern.
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and $hex
}
rule M_APT_Loader_Win_LIDSHIFT_1 {
    // Detection rule for the LIDSHIFT loader: a format-string anchor plus a
    // code pattern from its encoding loop, both required.
    meta:
        author = "Mandiant"
        description = "Detects LIDSHIFT implant"
    strings:
        // Generic format string; only meaningful in combination with $encloop.
        $anchor1 = "%s:%s:%s"
        // NOTE(review): the cmp with 0x3F, the imul by 0x3F and the magic-constant
        // mov suggest a modulo-63 computation inside the loop — verify against a sample.
        $encloop = { 83 ?? 3F 72 ?? EB ?? 8D ?? ?? B8 ?? 41 10 04 F7 ?? 8B ?? 2B ?? D1 ?? 03 ?? C1 ?? 05 6B ?? 3F 2B ?? 42 0F ?? ?? ?? 41 ?? ?? }
    condition:
        // "MZ" header only (no PE signature check), then both strings.
        uint16(0) == 0x5a4d and all of them
}
rule M_APT_Loader_Win_LIDSHOT_1 {
    // Detection rule for the LIDSHOT loader built from three code patterns,
    // all of which must be present.
    meta:
        author = "Mandiant"
        description = "Detects LIDSHOT implant"
    strings:
        // Stack stores of 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476 (little-endian):
        // the initialisation constants shared by MD5 and SHA-1.
        $code1 = { 4C 89 6D ?? 4C 89 6D ?? C7 45 ?? 01 23 45 67 C7 45 ?? 89 AB CD EF C7 45 ?? FE DC BA 98 C7 45 ?? 76 54 32 10 4C 89 6C 24 ?? 48 C7 45 ?? 0F 00 00 00 C6 44 24 ?? 00 }
        // mov eax,0x51EB851F / imul / sar edx,3 ... imul ecx,edx,0x19 — looks like the
        // compiler idiom for signed division by 25 followed by multiply-back (x mod 25).
        $code2 = { B8 1F 85 EB 51 41 F7 E8 C1 FA 03 8B CA C1 E9 1F 03 D1 6B CA 19 }
        // Stack store of the bytes 30 6B 4C 6C ("0kLl") followed by a word store of 0x0055.
        $code3 = { C7 45 ?? 30 6B 4C 6C 66 C7 45 ?? 55 00 }
    condition:
        // "MZ" header only (no PE signature check), then all three patterns.
        uint16(0) == 0x5a4d and all of them
}
rule M_APT_Loader_Win_CLOUDBURST_1 {
    // Detection rule for the Windows loader tracked as CLOUDBURST. The meta block
    // carries no description; the rule name is the only statement of intent.
    meta:
        author = "Mandiant"
    strings:
        // CryptoAPI provider name, in both ASCII and UTF-16LE.
        $anchor1 = "Microsoft Enhanced Cryptographic Provider v1.0" ascii wide
        // Three very short ASCII fragments: "typ", "equi", "boxi". Atoms this short
        // match almost everywhere and YARA may warn that they slow scanning; they are
        // only useful because every string is required.
        $code1 = { 74 79 70 }
        $code2 = { 65 71 75 69 }
        $code3 = { 62 6F 78 69 }
        // call rel32; inc esi; mov eax,0x99999999; imul esi ... — NOTE(review): the
        // magic constant and the trailing lea chain look like a compiler divide-by-5
        // idiom inside a loop; verify against a sample before relying on that reading.
        $code4 = { E8 ?? ?? ?? ?? FF C6 B8 99 99 99 99 F7 EE D1 FA 8B C2 C1 E8 1F 03 D0 8D 04 16 8D 34 90 85 F6 75 ?? }
        // Format string, ASCII, case-sensitive.
        $str1 = "%s%X"
    condition:
        // "MZ" header only (no PE signature check), then every string above.
        uint16(0) == 0x5a4d and all of them
}
rule M_DropperMemonly_TOUCHSHIFT_1 {
    // Hunting rule for TOUCHSHIFT: two code patterns that must each appear within
    // a fixed file-offset window, which ties the rule to a particular build layout.
    meta:
        author = "Mandiant"
        description = "Hunting rule for TOUCHSHIFT"
    strings:
        // Ends with: call rel32; mov dword [rax],imm32; call rel32; xor al,al.
        $p00_0 = { 09 43 ?? EB ?? FF 43 ?? B0 ?? EB ?? E8 [4] C7 00 [4] E8 [4] 32 C0 }
        // Two repetitions of: movsxd r8,[rip+disp]; mov edx,imm; mov r9,[rip+disp];
        // mov rcx,[rip+disp] — the first followed by an indirect call.
        $p00_1 = { 4C 63 05 [4] BA [4] 4C 8B 0D [4] 48 8B 0D [4] FF 15 [4] 4C 63 05 [4] BA [4] 4C 8B 0D [4] 48 8B 0D }
    condition:
        // PE image ("MZ" + "PE\0\0"); $p00_0 must match somewhere in offsets
        // 70000..90000 and $p00_1 in 0..64000. The doubled parentheses are redundant.
        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and (($p00_0 in (70000 .. 90000) and $p00_1 in (0 .. 64000)))
}
rule M_APT_Backdoor_Win_SIDESHOW_1 {
    // Detection rule keyed on SIDESHOW's string-deobfuscation routine. As the
    // description notes, shared code may make it fire on related families too.
    meta:
        author = "Mandiant"
        description = "Detects string deobfuscation function in SIDESHOW, may also detect other variants of malware from the same actor"
    strings:
        // Byte-compare loop (movzx / xor / cmp / jz) followed by arithmetic using the
        // magic constant 0x38E38E39 and the immediate 0x48 (72). NOTE(review): that
        // constant is the divide-by-9 multiplier, so with the shifts shown this looks
        // like a modulo-72 index computation — verify against a sample.
        $code1 = { 41 0F B6 ?? 33 ?? 48 ?? ?? 0F 1F 80 00 00 00 00 3A ?? 74 ?? FF ?? 48 FF ?? 83 ?? 48 72 ?? EB ?? 41 0F ?? ?? 2B ?? ?? 39 8E E3 38 83 ?? 48 F7 ?? C1 ?? 04 8D ?? ?? C1 ?? 03 2B ?? ?? 39 8E E3 38 }
    condition:
        // "MZ" header only (no PE signature check), then the code pattern.
        uint16(0) == 0x5a4d and (all of them)
}
rule M_Hunting_TOUCHKEY {
    // Hunting rule for TOUCHKEY: two template-like file names plus bracketed key
    // labels (the kind of tokens a key logger writes for non-printable keys).
    meta:
        author = "Mandiant"
        description = "Hunting rule For TOUCHKEY"
    strings:
        // Both required; no modifiers, so ASCII and case-sensitive.
        $a1 = "Normal.dost"
        $a2 = "Normal.docb"
        // Key labels, ASCII or UTF-16LE; five of the six must be present.
        $c1 = "[SELECT]" ascii wide
        $c2 = "[SLEEP]" ascii wide
        $c3 = "[LSHIFT]" ascii wide
        $c4 = "[RSHIFT]" ascii wide
        $c5 = "[ENTER]" ascii wide
        $c6 = "[SPACE]" ascii wide
    condition:
        // Small PE image ("MZ" + "PE\0\0", under 200KB).
        (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and filesize < 200KB and (5 of ($c*)) and $a1 and $a2
}
rule M_Hunting_TOUCHSHOT {
    // Hunting rule for TOUCHSHOT: a Themes output path, a "ddd-ddd" pattern and
    // display/device-context API names, all of which are common in screen-capture code.
    meta:
        author = "Mandiant"
        description = "Hunting rule For TOUCHSHOT"
    strings:
        // UTF-16LE only; "%s" is presumably filled with a profile directory.
        $path = "%s\\Microsoft\\Windows\\Themes\\" wide
        // Seven-byte literal; weak on its own, required together with $path.
        $format = "ddd-ddd"
        // Imported API names; three of the four must appear. The identifier gap
        // ($s4 absent) is harmless since the condition uses a wildcard.
        $s1 = "EnumDisplaySettingsExW"
        $s2 = "GetSystemMetrics"
        $s3 = "GetDC"
        $s5 = "ReleaseDC"
    condition:
        // Small PE image ("MZ" + "PE\0\0", under 200KB).
        (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and filesize < 200KB and (3 of ($s*)) and $path and $format
}
import "elf"
rule kiteshield {
    // Detects x86-64 ELF executables carrying the Kiteshield packer loader. The
    // rule has no meta block: author, date and reference are not recorded.
    strings:
        // xor of edx/eax/ecx/esi/edi/ebp/r8d..r15d (register zeroing) then
        // pop rbx; jmp rbx — the loader's hand-off to the unpacked entry point.
        $loader_jmp = { 31 D2 31 C0 31 C9 31 F6 31 FF 31 ED 45 31 C0 45 31 C9 45 31 D2 45 31 DB 45 31 E4 45 31 ED 45 31 F6 45 31 FF 5B FF E3 }
        // Non-printable byte sequences; presumably encoded loader strings
        // (NOTE(review): the encoding is not derivable from the rule itself).
        $loader_s1 = { AC F4 F7 E9 E4 A7 AC EE A4 FF F9 EF FB E5 E2 }
        $loader_s2 = { D7 F6 E4 E5 E2 FA D9 E3 EF B6 }
        $loader_s3 = { AC F4 F7 E9 E4 A7 AC EE A4 FF F9 EF FB }
        $loader_s4 = { CF C0 DA D6 D5 CD C5 C5 CA C8 }
        $loader_s5 = { CF C0 DA C7 D2 CC C0 DE }
        $loader_s6 = { CF C0 DA C2 C2 CA DC CD }
        $loader_s7 = { B3 B5 B7 B5 B3 BD BF BD B3 B5 EC EC EC F4 F4 F4 }
    condition:
        // All patterns, and the elf module must classify the file as an
        // executable (ET_EXEC, not ET_DYN/PIE) for x86-64.
        $loader_jmp and all of ($loader_s*) and elf.type == elf.ET_EXEC and elf.machine == elf.EM_X86_64
}
rule M_Hunting_HOOKSHOT {
    // Hunting rule for HOOKSHOT: two x86-64 code patterns, each confined to a
    // fixed file-offset window, which ties the rule to a particular build layout.
    meta:
        author = "Mandiant"
        description = "Hunting rule for HOOKSHOT"
    strings:
        // mov esi,[rcx+disp32]; mov [rbx+d8],sil; test esi,esi; jnz ... ; test rcx,rcx; jz ...; call
        $p00_0 = { 8B B1 [4] 40 88 73 ?? 85 F6 75 ?? 48 8B 81 [4] 48 8B 88 [4] 48 85 C9 74 ?? E8 }
        // mov esi,ebx; mov rbp,rdx; test ebx,ebx; jz rel32; lea r13,[rip+disp]; nop; lea r8,[rsp+d8]; mov edx,esi; mov rcx,rbp
        $p00_1 = { 8B F3 48 8B EA 85 DB 0F 84 [4] 4C 8D 2D [4] 66 90 4C 8D 44 24 ?? 8B D6 48 8B CD }
    condition:
        // PE image ("MZ" + "PE\0\0"); $p00_0 in offsets 470000..490000 and
        // $p00_1 in 360000..380000. The doubled parentheses are redundant.
        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and (($p00_0 in (470000 .. 490000) and $p00_1 in (360000 .. 380000)))
}
rule Supposed_Grasshopper_Downloader {
    // Detects the Nim-written downloader from the Supposed Grasshopper campaign
    // by its build artefacts (PDB path, source file name, function names).
    meta:
        description = "Detects the Nim downloader from the Supposed Grasshopper campaign."
        references = "TRR240601"
        date = "2024-06-20"
        author = "HarfangLab"
        // Intended scan targets: files on disk and process memory.
        context = "file,memory"
    strings:
        // Developer PDB path left in the binary.
        $pdb_path = "C:\\Users\\or\\Desktop\\nim-"
        // Nim source file name embedded by the compiler.
        $code = "helo.nim"
        // Function names; fullword avoids matching them inside longer identifiers.
        $function_1 = "DownloadExecute" ascii fullword
        $function_2 = "toByteSeq" ascii fullword
    condition:
        // "MZ" header only (no PE signature check), then all four strings.
        uint16(0) == 0x5a4d and all of them
}
rule Donut_shellcode {
    // Detects Donut-generated shellcode in memory via two independent signals:
    // its AMSI/WLDP patch stubs plus API-hashing loop, or its DLL list plus the
    // names of the AMSI/WLDP functions it resolves.
    meta:
        description = "Detects Donut shellcode in memory."
        references = "TRR240601"
        date = "2024-06-20"
        author = "HarfangLab"
        // Intended scan target: process memory only.
        context = "memory"
    strings:
        // mov rax,[rsp+0x28|0x30]; and dword [rax],0; xor eax,eax; ret — a stub that
        // zeroes an out-parameter and returns 0 (the AMSI result patch).
        $amsi_patch = { 48 8B 44 24 ( 28 | 30 ) 83 20 00 33 C0 C3 }
        // mov dword [r8],1; xor eax,eax; ret — writes 1 through r8 and returns 0.
        $wldp_patch = { 41 C7 00 01 00 00 00 33 C0 C3 }
        // Rotate/xor hashing loop (ror 8, rol 3, xor) ending in cmp r10d,0x1B.
        $api_hashing = { 8B C2 C1 C9 08 41 03 C8 8B D3 41 33 C9 C1 CA 08 41 03 D1 41 C1 C0 03 41 33 D2 41 C1 C1 03 44 33 CA 44 33 C1 41 FF C2 41 8B DB 44 8B D8 41 83 FA 1B }
        // Semicolon-separated list of DLLs the loader brings in.
        $loaded_dlls = "ole32;oleaut32;wininet;mscoree;shell32"
        // WLDP and AMSI export names the shellcode resolves.
        $function_1 = "WldpQueryDynamicCodeTrust"
        $function_2 = "WldpIsClassInApprovedList"
        $function_3 = "AmsiInitialize"
        $function_4 = "AmsiScanBuffer"
        $function_5 = "AmsiScanString"
    condition:
        // First byte is 0xE8 (x86 CALL rel32). #amsi_patch > 1 requires at least
        // two occurrences of the patch stub.
        uint8(0) == 0xE8 and ((#amsi_patch > 1 and $wldp_patch and $api_hashing) or ($loaded_dlls and all of ($function_*)))
}
rule charmingkitten_cyclops {
    // Detects the Cyclops Go malware from Go build metadata and module/path
    // strings embedded by the Go toolchain.
    meta:
        description = "Detects Cyclops Golang Malware"
        references = "TRR240801"
        // SHA-256 of the reference sample (64 hex digits).
        hash = "fafa68e626f1b789261c4dd7fae692756cf71881c7273260af26ca051a094a69"
        date = "2024-08-05"
        author = "HarfangLab"
        context = "file"
    strings:
        // Go build-ID marker present in every Go binary; the $a* strings carry the family specifics.
        $go = " Go build ID: \""
        // Go module dependency line (tab-separated, as in the embedded build info).
        $a1 = "dep\tback-service\t(devel)" ascii fullword
        // NOTE(review): "x00" here reads like a `\x00` escape whose backslash was
        // lost in transcription; confirm against the original rule source.
        $a2 = "/brain-loader-enc.gox00"
        $a3 = "back-service/go-mux/api"
        $a4 = "/JD-M42KItJncJfqb38qh/"
    condition:
        // 2..20MB "MZ" file, the Go marker, and any two of the family strings.
        filesize > 2MB and filesize < 20MB and (uint16(0) == 0x5A4D) and $go and (2 of ($a*))
}
rule allasenhamaycampaign_executorloader {
    // Detects the Delphi-built ExecutorLoader: compiler marker, mshta.exe paths
    // and a resource/DLL name, plus one of two "Default" prefixes.
    meta:
        description = "Detects Delphi ExecutorLoader DLLs and executables."
        references = "TRR240501"
        date = "2024-05-28"
        author = "HarfangLab"
        context = "file,memory"
    strings:
        // Delphi compiler marker, ASCII, whole word.
        $delphi = "Embarcadero Delphi" ascii fullword
        // UTF-16LE paths to mshta.exe (32-bit and native) and the string "RcDll".
        $s1 = "\\SysWOW64\\mshta.exe" wide fullword
        $s2 = "\\System32\\mshta.exe" wide fullword
        $s3 = "RcDll" wide fullword
        // Either prefix suffices.
        $default1 = "Default_" wide fullword
        $default2 = "Default~" wide fullword
    condition:
        // No file-type guard: the rule also runs on memory regions.
        $delphi and all of ($s*) and any of ($default*)
}
rule allasenhamaycampaign_allasenha {
    // Detects the AllaSenha banking trojan from its C2 message tags plus a
    // binary table used by its domain-generation routine (per the string name).
    meta:
        description = "Detects AllaSenha banking trojan DLLs."
        references = "TRR240501"
        date = "2024-05-28"
        author = "HarfangLab"
        context = "file,memory"
    strings:
        // UTF-16LE protocol tags; four of the ten must be present.
        $a1 = "<|NOSenha|>" wide fullword
        $a2 = "<|SENHA|>QrCode: " wide fullword
        $a3 = "<|SENHA|>Senha 6 : " wide fullword
        $a4 = "<|SENHA|>Snh: " wide fullword
        $a5 = "<|SENHA|>Token: " wide fullword
        $a6 = "<|BB-AMARELO|>" wide fullword
        $a7 = "<|BB-AZUL|>" wide fullword
        $a8 = "<|BB-PROCURADOR|>" wide fullword
        $a9 = "<|ITAU-SNH-CARTAO|>" wide fullword
        $a10 = "<|ITAU-TK-APP|>" wide fullword
        // Six 16-byte records: a 32-bit value 0x76,0x78,0x7A,0x77,0x6B,0x79
        // (ASCII v x z w k y) each followed by the same 12 bytes
        // B0 04 02 00 FF FF FF FF 01 00 00 00.
        $dga = { 76 00 00 00 B0 04 02 00 FF FF FF FF 01 00 00 00 78 00 00 00 B0 04 02 00 FF FF FF FF 01 00 00 00 7A 00 00 00 B0 04 02 00 FF FF FF FF 01 00 00 00 77 00 00 00 B0 04 02 00 FF FF FF FF 01 00 00 00 6B 00 00 00 B0 04 02 00 FF FF FF FF 01 00 00 00 79 00 00 00 }
    condition:
        // No file-type guard: the rule also runs on memory regions.
        $dga and (4 of ($a*))
}
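rule anti_emulation_defender {
    // Research/hunting rule: flags PE files that reference artefacts of the
    // Windows Defender emulator (its fake file paths, exported helper names and
    // Mp*/VFS_* internals), which malware can probe to detect emulation. A
    // $filter* list excludes Microsoft components that legitimately contain the
    // same names. The condition needs only one $s_* hit, so the list below is
    // deliberately broad; the one exact duplicate it carried (a second copy of
    // "VFS_DeleteFileByHandle") has been dropped as it could never add a match.
    meta:
        description = "Research Windows Defender Emulator artefacts that can be used as anti-emulator by malware"
        references = "https://harfanglab.io/en/insidethelab/raspberry-robin-and-its-new-anti-emulation-trick/"
        // SHA-256 of the reference sample (64 hex digits).
        hash = "242851abe09cc5075d2ffdb8e5eba2f7dcf22712625ec02744eecb52acd6b1bf"
        date = "2024-04-03"
        author = "Harfanglab"
        context = "file"
    strings:
        // Identifier numbering has gaps ($s_02, $s_08, $s_36); harmless under the
        // wildcard in the condition. Note $s_01 is a substring of $s_00 and $s_04 a
        // prefix of $s_05/$s_06 — kept so a hit reports the more specific name.
        // Emulator-specific file system artefacts.
        $s_00 = "aaa_TouchMeNot_" ascii wide nocase
        $s_01 = "_TouchMeNot_" ascii wide nocase
        $s_03 = "C:\\myapp.exe" ascii wide nocase
        $s_04 = "C:\\Mirc\\" ascii wide nocase
        $s_05 = "C:\\Mirc\\mirc.ini" ascii wide nocase
        $s_06 = "C:\\Mirc\\script.ini" ascii wide nocase
        $s_07 = "HAL9TH" ascii wide nocase fullword
        $s_09 = "MpSockVendor" ascii wide nocase fullword
        $s_10 = "MPGoodStatus" ascii wide nocase fullword
        $s_11 = "MpDisableSehLimit" ascii wide nocase fullword
        $s_12 = "NtControlChannel" ascii wide nocase fullword
        $s_13 = "ObjMgr_ValidateVFSHandle" ascii wide nocase fullword
        $s_14 = "ThrdMgr_GetCurrentThreadHandle" ascii wide nocase fullword
        $s_15 = "ThrdMgr_SaveTEB" ascii wide nocase fullword
        $s_16 = "ThrdMgr_SwitchThreads" ascii wide nocase fullword
        // Emulator virtual file system (VFS_*) routine names.
        $s_17 = "VFS_DeleteFileByHandle" ascii wide nocase fullword
        $s_18 = "VFS_DeleteFile" ascii wide nocase fullword
        $s_20 = "VFS_FileExists" ascii wide nocase fullword
        $s_21 = "VFS_FindClose" ascii wide nocase fullword
        $s_22 = "VFS_FindFirstFile" ascii wide nocase fullword
        $s_23 = "VFS_FindNextFile" ascii wide nocase fullword
        $s_24 = "VFS_FlushViewOfFile" ascii wide nocase fullword
        $s_25 = "VFS_GetAttrib" ascii wide nocase fullword
        $s_26 = "VFS_GetHandle" ascii wide nocase fullword
        $s_27 = "VFS_GetLength" ascii wide nocase fullword
        $s_28 = "VFS_MapViewOfFile" ascii wide nocase fullword
        $s_29 = "VFS_MoveFile" ascii wide nocase fullword
        $s_30 = "VFS_Open" ascii wide nocase fullword
        $s_31 = "VFS_Read" ascii wide nocase fullword
        $s_32 = "VFS_SetAttrib" ascii wide nocase fullword
        $s_33 = "VFS_SetCurrentDir" ascii wide nocase fullword
        $s_34 = "VFS_SetLength" ascii wide nocase fullword
        $s_35 = "VFS_UnmapViewOfFile" ascii wide nocase fullword
        // Emulator engine (Mp*) routine names.
        $s_37 = "MpAddToScanQueue" ascii wide nocase fullword
        $s_38 = "MpCreateMemoryAliasing" ascii wide nocase fullword
        $s_39 = "MpCallPostEntryPointCode" ascii wide nocase fullword
        $s_40 = "MpCallPreEntryPointCode" ascii wide nocase fullword
        $s_41 = "MpDispatchException" ascii wide nocase fullword
        $s_42 = "MpExitThread" ascii wide nocase fullword
        $s_43 = "MpFinalize" ascii wide nocase fullword
        $s_44 = "MpGetCurrentThreadHandle" ascii wide nocase fullword
        $s_45 = "MpGetCurrentThreadId" ascii wide nocase fullword
        $s_46 = "MpGetLastSwitchResult" ascii wide nocase fullword
        $s_47 = "MpGetPseudoThreadHandle" ascii wide nocase fullword
        $s_48 = "MpGetSelectorBase" ascii wide nocase fullword
        $s_49 = "MpGetVStoreFileHandle" ascii wide nocase fullword
        $s_50 = "MpHandlerCodePost" ascii wide nocase fullword
        $s_51 = "MpIntHandler" ascii wide nocase fullword
        $s_52 = "MpIntHandlerParam" ascii wide nocase fullword
        $s_53 = "MpIntHandlerReturnAddress" ascii wide nocase fullword
        $s_54 = "MpNtdllDatatSection" ascii wide nocase fullword
        $s_55 = "MpReportEvent" ascii wide nocase fullword
        $s_56 = "MpReportEventEx" ascii wide nocase fullword
        $s_57 = "MpReportEventW" ascii wide nocase fullword
        $s_58 = "MpSehHandler" ascii wide nocase fullword
        $s_59 = "MpSetSelectorBase" ascii wide nocase fullword
        $s_60 = "MpStartProcess" ascii wide nocase fullword
        $s_61 = "MpSwitchToNextThread" ascii wide nocase fullword
        $s_62 = "MpSwitchToNextThread_WithCheck" ascii wide nocase fullword
        $s_63 = "MpSwitchToNextThread_NewObjManager" ascii wide nocase fullword
        $s_64 = "MpTimerEvent" ascii wide nocase fullword
        $s_65 = "MpTimerEventData" ascii wide nocase fullword
        $s_66 = "MpUfsMetadataOp" ascii wide nocase fullword
        $s_67 = "MpValidateVFSHandle" ascii wide nocase fullword
        $s_68 = "MpVmp32Entry" ascii wide nocase fullword
        $s_69 = "MpVmp32FastEnter" ascii wide nocase fullword
        // Exclusions: PDB names and strings of Defender, MRT, App-V and other
        // Microsoft binaries that carry these identifiers legitimately.
        // ($filter_23 is absent; harmless under the wildcard.)
        $filter_00 = "mpengine.pdb" ascii nocase
        $filter_01 = "MsMpEngCP.pdb" ascii nocase
        $filter_02 = "MsMpEngSvc.pdb" ascii nocase
        $filter_03 = "MpGear.pdb" ascii nocase
        $filter_04 = "mrtstub.pdb" ascii nocase
        $filter_05 = "mrt.pdb" ascii nocase
        $filter_06 = "ntoskrnl.pdb" ascii nocase
        $filter_07 = "mscorlib.pdb" ascii nocase
        $filter_08 = "dbghelp.pdb" ascii nocase
        $filter_09 = "msvcrt.pdb" ascii nocase
        $filter_10 = "mrt.exe" ascii wide nocase
        $filter_11 = "PEBMPAT:Obfuscator_EW2" ascii wide
        $filter_12 = "Unimplemented type change to VT_" ascii wide
        $filter_13 = "Initialize engine first!" ascii wide
        $filter_14 = "VirTool:Win32/Obfuscator" ascii wide
        $filter_15 = "VDMConsoleOperation" ascii wide
        $filter_16 = "VDMOperationStarted" ascii wide
        $filter_17 = "sigutils\\vdlls\\"
        $filter_18 = "Microsoft.Windows.MalwareRemovalTool" ascii wide
        $filter_19 = "AppVISVSubsystems32.pdb" ascii nocase
        $filter_20 = "Microsoft.AppV.ClientProgrammability.Eventing.pdb" ascii nocase
        $filter_21 = "AppVISVSubsystems64.pdb" ascii nocase
        $filter_22 = "AppVEntSubsystems.pdb" ascii nocase
        $filter_24 = "shell32.pdb" ascii nocase
        $filter_25 = "version.pdb" ascii nocase
        $filter_26 = "mscoree.pdb" ascii nocase
        $filter_27 = "ws2_32.pdb" ascii nocase
        $filter_28 = "advapi32.pdb" ascii nocase
        $filter_29 = "AppVEntSubsystems64.pdb" ascii nocase
        $filter_30 = "AppVEntSubsystems32.pdb" ascii nocase
        $filter_31 = "AppVISVSubsystems.pdb" ascii nocase
        $filter_32 = "mpengine.dll" ascii wide nocase
        $filter_33 = "VFSAPI_VFS_" ascii wide
    condition:
        // PE image ("MZ" + "PE\0\0") under 5MB with at least one artefact and
        // none of the exclusion strings.
        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and filesize < 5MB and 1 of ($s_*) and not 1 of ($filter*)
}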
rule MuddyWater_AteraAgent_Operators {
    // Detects Atera Agent installers tied to specific operator accounts: each
    // $s* string embeds a COMPANYID/ACCOUNTID pair (or an integrator e-mail)
    // observed in MuddyWater-abused installers.
    meta:
        description = "Detect Atera Agent abused by MuddyWater"
        references = "TRR240402"
        // SHA-256 of the reference sample (64 hex digits).
        hash = "9b49d6640f5f0f1d68f649252a96052f1d2e0822feadd7ebe3ab6a3cadd75985"
        date = "2024-04-17"
        author = "HarfangLab"
        context = "file"
    strings:
        // Account identifiers as embedded in the installer properties; any one suffices.
        // ($s14 is absent; harmless under the wildcard.)
        $s1 = "COMPANYID001Q3000009snPyIAIACCOUNTID"
        $s2 = "COMPANYID001Q3000006FpmoIACACCOUNTID"
        $s3 = "COMPANYID001Q3000008IyacIACACCOUNTID"
        $s4 = "COMPANYID001Q3000009QoSEIA0ACCOUNTID"
        $s5 = "COMPANYID001Q30000023c7iIAAACCOUNTID"
        $s6 = "COMPANYID001Q3000008qXbDIAUACCOUNTID"
        $s7 = "COMPANYID001Q3000008cfLjIAIACCOUNTID"
        $s8 = "COMPANYID001Q3000008ryO3IAIACCOUNTID"
        $s9 = "COMPANYID001Q3000008ryO3IAIACCOUNTID"
        $s10 = "COMPANYID001Q300000A5nnAIARACCOUNTID"
        $s11 = "COMPANYID001Q3000008JfioIACACCOUNTID"
        $s12 = "COMPANYID001Q300000BeUp3IAFACCOUNTID"
        $s13 = "COMPANYID001Q3000005gMamIAEACCOUNTID"
        $s15 = "mrrobertcornish@gmail.comINTEGRATORLOGINCOMPANYID"
        // 16-byte patterns named "cert" by the author; presumably identify the
        // installer's signing certificate, but the bytes are not verifiable here.
        $cert1 = { 0A 28 49 99 78 E5 89 8D F4 0A 23 8E B8 A5 52 E8 }
        $cert2 = { 06 7F 60 47 95 66 24 A7 15 99 61 74 3D 81 94 93 }
    condition:
        // 1..4MB file starting with D0 CF (OLE compound file, the container MSI
        // installers use); one account string and one cert pattern.
        filesize > 1MB and filesize < 4MB and (uint16be(0) == 0xD0CF) and any of ($s*) and any of ($cert*)
}
rule Custom_AteraAgent_Operator {
    // Template rule: detects an Atera Agent installer configured for an operator
    // e-mail of the analyst's choosing. $email is a placeholder and must be
    // replaced with the address (or "@domain.tld" for a whole domain) to hunt for
    // before the rule is of any use.
    meta:
        description = "Detect Atera Agent configured to certain email addresses, or email domains"
        references = "TRR240402"
        date = "2024-04-17"
        author = "HarfangLab"
        context = "file"
    strings:
        // Placeholder — replace before use.
        $email = "email@domain.tld"
        // Installer property names that bracket the operator e-mail.
        $s1 = "PREVIOUSFOUNDWIX_UPGRADE_DETECTED"
        $s2 = "INTEGRATORLOGIN"
        // 16-byte patterns named "cert" by the author; presumably identify the
        // installer's signing certificate, but the bytes are not verifiable here.
        $sc1 = { 0A 28 49 99 78 E5 89 8D F4 0A 23 8E B8 A5 52 E8 }
        $sc2 = { 06 7F 60 47 95 66 24 A7 15 99 61 74 3D 81 94 93 }
    condition:
        // 1..4MB OLE compound file (D0 CF). The offset checks require the first
        // $s1 hit to precede the first $email hit, which must precede the THIRD
        // $s2 hit; with fewer than three $s2 matches @s2[3] is undefined and the
        // rule does not fire.
        filesize > 1MB and filesize < 4MB and (uint16be(0) == 0xD0CF) and @s1 < @email and @email < @s2[3] and any of ($sc*)
}
rule samecoin_campaign_nativewiper {
    // Detects the native (JNI) Android wiper library from the SameCoin campaign
    // by its JNI export, mangled C++ function names, or runtime strings.
    meta:
        author = "HarfangLab"
        description = "Matches the native Android library used in the SameCoin campaign"
        references = "TRR240201"
        last_modified = "2024-02-13"
        context = "file"
        // SHA-256 of the reference sample (64 hex digits).
        hash = "248054658277e6971eb0b29e2f44d7c3c8d7c5abc7eafd16a3df6c4ca555e817"
    strings:
        // JNI export name: package com.example.exampleone, class MainActivity, method deleteInCHunks.
        $native_export = "Java_com_example_exampleone_MainActivity_deleteInCHunks"
        // Itanium-mangled C++ names: chunkMain(), deleteFilesInChunk(std::__...), overwriteWithZeros(char const*).
        $f1 = "_Z9chunkMainv"
        $f2 = "_Z18deleteFilesInChunkRKNSt6__"
        $f3 = "_Z18overwriteWithZerosPKc"
        // Runtime strings: shared-storage root, log tag and log messages.
        $s1 = "/storage/emulated/0/"
        $s2 = "FileLister"
        $s3 = "Directory chunks deleted."
        // NOTE(review): "%dln" looks like a garbled "%d\n"; confirm against the original rule source.
        $s4 = "Current Chunk Size is: %dln"
    condition:
        // Small ELF file (0x7F 'E' 'L' 'F' read little-endian), then any of the three string groups.
        filesize < 500KB and uint32(0) == 0x464C457F and ($native_export or all of ($f*) or all of ($s*))
}
rule masepie_campaign_masepie {
    // Detects the MASEPIE Python backdoor (CERT-UA#8399) from its protocol
    // strings and Python source fragments.
    meta:
        description = "Detect MASEPIE from CERT-UA#8399"
        references = "TRR240101;https://cert.gov.ua/article/6276894"
        // SHA-256 of the reference sample (64 hex digits).
        hash = "18f891a3737bb53cd1ab451e2140654a376a43b2d75f6695f3133d47a41952b6"
        date = "2024-01-24"
        author = "HarfangLab"
        context = "file"
    strings:
        // Protocol/UI strings; "againg" is the sample's own misspelling and must stay.
        $t1 = "Try it againg" ascii wide fullword
        $t2 = "{user}{SEPARATOR}{k}" ascii wide fullword
        $t3 = "Error transporting file" ascii wide fullword
        $t4 = "check-ok" ascii wide fullword
        // Python source fragments (random 16-char token, file decryption call, whoami).
        $a1 = ".join(random.SystemRandom().choice(string.ascii_letters + string.digits) for _ in range(16))" ascii wide fullword
        $a2 = "dec_file_mes(mes, key)" ascii wide fullword
        $a3 = "os.popen('whoami').read()" ascii wide fullword
    condition:
        // No file-type guard (the payload may be script or packaged); any four of the seven strings.
        filesize > 2KB and filesize < 15MB and (4 of them)
}
rule MacOS_Trojan_RustBucket {
    // Detects the macOS RustBucket trojan from three literal strings.
    meta:
        author = "Elastic Security"
        creation_date = "2023-06-26"
        last_modified = "2023-06-26"
        license = "Elastic License v2"
        os = "MacOS"
        arch = "x86"
        category_type = "Trojan"
        family = "RustBucket"
        threat_name = "MacOS.Trojan.RustBucket"
        // SHA-256 of the reference sample (64 hex digits).
        reference_sample = "9ca914b1cfa8c0ba021b9e00bda71f36cad132f27cf16bda6d937badee66c747"
        severity = 100
    strings:
        // Header name and value stored back-to-back with no separator, as found in the sample.
        $user_agent = "User-AgentMozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
        $install_log = "/var/log/install.log"
        // Generic strftime format; only discriminating in combination with the other two.
        $timestamp = "%Y-%m-%d %H:%M:%S"
    condition:
        // No file-type or size guard; all three strings required.
        all of them
}
rule M_Disrupt_ROADSWEEP_1 {
    // Detects ROADSWEEP by the code that stages its encryption key on the stack.
    meta:
        author = "Mandiant"
        description = "Identifies the encryption key used within ROADSWEEP"
    strings:
        // Fifteen `mov byte [ebp-X], imm8` stores writing E4 B1 6B 22 B5 88 94 AA 86
        // C4 21 E8 75 9D F3 into consecutive stack bytes, then
        // `mov dword [esp+0x10], 0xF0000000`. NOTE(review): 0xF0000000 equals the
        // CryptoAPI CRYPT_VERIFYCONTEXT flag, which fits a CryptAcquireContext call
        // being set up, but that is not provable from these bytes alone.
        $ = { C6 45 D5 E4 C6 45 D6 B1 C6 45 D7 6B C6 45 D8 22 C6 45 D9 B5 C6 45 DA 88 C6 45 DB 94 C6 45 DC AA C6 45 DD 86 C6 45 DE C4 C6 45 DF 21 C6 45 E0 E8 C6 45 E1 75 C6 45 E2 9D C6 45 E3 F3 C7 44 24 10 00 00 00 F0 }
    condition:
        // No file-type guard; the single (anonymous) pattern is required.
        all of them
}
rule M_Disrupt_ZEROCLEAR_1 {
    // Detects ZEROCLEAR from a long hex-encoded constant and three short status
    // messages; all four anonymous strings are required.
    meta:
        author = "Mandiant"
        description = "Identifies code sequences in ZEROCLEAR"
    strings:
        // 70-hex-digit constant stored as UTF-16LE; its meaning is not documented in the rule.
        $ = "B4B615C28CCD059CF8ED1ABF1C71FE03C0354522990AF63ADF3C911E2287A4B906D47D" wide
        // ASCII status/log messages.
        $ = "wp starts!"
        $ = "un start!"
        $ = "in start!"
    condition:
        // No file-type guard.
        all of them
}