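import "elf"

// TSM ("FasterThanLite") SSH brute-force component of the Outlaw botnet, as seen in April 2020.
// The selective part of the signature is the statically linked OpenSSL object-name table ($s1, $s2,
// $s3) together with an unusually high section count; the libc/gcc symbols in $s4-$s6 occur in most
// gcc-built ELF binaries and only add supporting weight.
rule TSM_FasterThanLite_Outlaw_Apr20 {
    meta:
        description = "TSM ssh bruteforce component of Outlaw Botnet April 2020"
        // Both values are 40 hex characters (SHA-1 length); the key names presumably denote the
        // 32-bit and 64-bit builds of the sample.
        hash32 = "3eef8c27ad8458af84dcb52dfa01295c427908a0"
        hash64 = "a1da0566193f30061f69b057c698dc7923d2038c"
        author = "Cybaze - Yoroi ZLab"
        last_updated = "2020-04-27"
        tlp = "white"
        category = "informational"
    strings:
        // NUL-separated OpenSSL object short names: "cs-dvc", "id-smime-alg-ESDHwith3DES",
        // "id-smime-alg-ESDHwithRC2", "id-smime-alg-3DESwrap", "id-smime-alg-RC2wrap",
        // "id-smime-alg-ESDH", "id-smime-alg-CMS3".
        $s1 = { 63 73 2D 64 76 63 00 69 64 2D 73 6D 69 6D 65 2D 61 6C 67 2D 45 53 44 48 77 69 74 68 33 44 45 53 00 69 64 2D 73 6D 69 6D 65 2D 61 6C 67 2D 45 53 44 48 77 69 74 68 52 43 32 00 69 64 2D 73 6D 69 6D 65 2D 61 6C 67 2D 33 44 45 53 77 72 61 70 00 69 64 2D 73 6D 69 6D 65 2D 61 6C 67 2D 52 43 32 77 72 61 70 00 69 64 2D 73 6D 69 6D 65 2D 61 6C 67 2D 45 53 44 48 00 69 64 2D 73 6D 69 6D 65 2D 61 6C 67 2D 43 4D 53 33 }
        // NUL-separated OpenSSL object short names: "-placeOfBirth" (tail of a longer name),
        // "id-pda-gender", "id-pda-countryOfCitizenship".
        $s2 = { 2D 70 6C 61 63 65 4F 66 42 69 72 74 68 00 69 64 2D 70 64 61 2D 67 65 6E 64 65 72 00 69 64 2D 70 64 61 2D 63 6F 75 6E 74 72 79 4F 66 43 69 74 69 7A 65 6E 73 68 69 70 }
        // Named EC curve string, also from the OpenSSL tables.
        $s3 = "brainpoolP384r1" ascii wide
        // libc user-database lookup and fd duplication; generic on their own.
        $s4 = "getpwnam" ascii wide
        $s5 = "dup2" ascii wide
        // gcc crt symbol present in most gcc-built ELF objects; generic on its own.
        $s6 = "_ITM_deregisterTMCloneTable" ascii wide
    condition:
        // An ELF magic is only meaningful at offset 0. The original "$elf in (0 .. 4)" searched for
        // the 4-byte pattern as a string and also accepted offsets 1-4, which never hold a valid
        // header; the header read is exact, cheaper, and is the form the other ELF rules in this
        // set already use.
        uint32(0) == 0x464C457F
        and all of ($s*)
        and elf.number_of_sections > 25
}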
// XMRig 6.x miner builds (CISA incident 10372500). All seven strings must be present.
// The hex sequences of the original rule are written here as their plain-ASCII equivalents
// (YARA text strings without modifiers match the same bytes, case-sensitively).
rule CISA_10372500_02 : miner XMRIG {
    meta:
        Author = "CISA Code & Media Analysis"
        Incident = "10372500"
        Date = "2022-03-03"
        Last_Modified = "20220307_1600"
        Actor = "n/a"
        Category = "Miner"
        Family = "XMRIG"
        Description = "Detects XMRIG Miner samples"
        MD5_1 = "f0cf1d3d9ed23166ff6c1f3deece19b4"
        SHA256_1 = "0663d70411a20340f184ae3b47138b33ac398c800920e4d976ae609b60522b01"
    strings:
        // Version banner prefix; pins the rule to the 6.x release line.
        $xmrig_banner   = "XMRig 6."
        // Config path fragment (backslash-escaped; presumably the head of "config\xmrig.json").
        $xmrig_config   = "config\\xmrig.js"
        // CUDA backend plugin names.
        $xmrig_cuda_dll = "xmrig-cuda.dll"
        $xmrig_lib      = "libxmrig-"
        $cuda_so        = "cuda.so"
        // Two fragments of the standard DOS-stub text "This program cannot be run in DOS mode";
        // they act as a loose PE-format check rather than as miner indicators.
        $dos_stub_1     = "is program canno"
        $dos_stub_2     = "t be run in DOS"
    condition:
        all of them
}
// Shell scripts that probe several AWS_* credential environment variables and echo them when set.
// The "then echo " count is presumably a proxy for the number of "if [ ... ]; then echo" blocks.
// LinPEAS is carved out to remove noise, as the description says; note the carve-out only applies
// when BOTH LinPEAS markers are present.
rule P0_Hunting_AWS_EnvVarNames_1 {
    meta:
        description = "Detecting presence of scripts searching for numerous environment variables containing sensitive AWS credential information. Explicitly excluding LinPEAS (and its variants) to remove noise since it is already well-detected."
        author = "daniel.bohannon@permiso.io (@danielhbohannon)"
        date = "2023-07-12"
        reference = "https://permiso.io/blog/s/agile-approach-to-mass-cloud-cred-harvesting-and-cryptomining/"
        md5_01 = "3e2cddf76334529a14076c3659a68d92"
        md5_02 = "b9113ccc0856e5d44bab8d3374362a06"
        md5_03 = "d9ecceda32f6fa8a7720e1bf9425374f"
        md5_04 = "28165d28693ca807fb3d4568624c5ba9"
        md5_05 = "0855b8697c6ebc88591d15b954bcd15a"
        md5_06 = "f7df739f865448ac82da01b3b1a97041"
        md5_07 = "1a37f2ef14db460e5723f3c0b7a14d23"
        md5_08 = "99f0102d673423c920af1abc22f66d4e"
        // md5_09 repeats md5_08 verbatim as listed; the tenth distinct sample hash is not recoverable here.
        md5_09 = "99f0102d673423c920af1abc22f66d4e"
        md5_10 = "5daace86b5e947e8b87d8a00a11bc3c5"
    strings:
        // Shebang lines; either one marks the file as a sh/bash script.
        $sh_header_01 = "#!/bin/sh"
        $sh_header_02 = "#!/bin/bash"
        // Expansion syntax of an AWS_-prefixed variable. The trailing space in the first form is
        // reproduced as listed; it requires "$AWS_" to stand alone, which is unusual for a variable
        // reference — confirm against the upstream rule.
        $aws_prefix_01 = " $AWS_ "
        $aws_prefix_02 = " ${AWS_"
        // Credential- and configuration-bearing AWS SDK/CLI variable names.
        $aws_var_01 = "AWS_ACCESS_KEY_ID"
        $aws_var_02 = "AWS_SECRET_ACCESS_KEY"
        $aws_var_03 = "AWS_SESSION_TOKEN"
        $aws_var_04 = "AWS_SHARED_CREDENTIALS_FILE"
        $aws_var_05 = "AWS_CONFIG_FILE"
        $aws_var_06 = "AWS_DEFAULT_REGION"
        $aws_var_07 = "AWS_REGION"
        $aws_var_08 = "AWS_EC2_METADATA_DISABLED"
        // Counted, not just matched: at least four occurrences are required.
        $echo_if = "then echo "
        // LinPEAS banner strings used for the exclusion.
        $linpeas_01 = "#-------) Checks pre-everything (---------#"
        $linpeas_02 = "--) FAST - Do not check 1min of procceses and su brute"
    condition:
        any of ($sh_header_*)
        and 1 of ($aws_prefix_*)
        and 4 of ($aws_var_*)
        and #echo_if >= 4
        and not all of ($linpeas_*)
}
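// Shell scripts that turn a JSON credential document (AccessKeyId / SecretAccessKey / Token /
// Expiration) into "aws configure set ..." commands via grep + sed. All six strings are required.
rule P0_Hunting_AWS_SedEnvVarExtraction_1 {
    meta:
        // Meta values in the listed copy carried a leading and trailing space on every entry
        // (e.g. " 2023-07-12 ", padded MD5s); they are trimmed here so hash/date consumers see
        // well-formed values. The values themselves are unchanged.
        description = "Detecting presence of scripts using native sed (Stream Editor) utility extracting numerous environment variables containing sensitive AWS credential information"
        author = "daniel.bohannon@permiso.io (@danielhbohannon)"
        date = "2023-07-12"
        reference = "https://permiso.io/blog/s/agile-approach-to-mass-cloud-cred-harvesting-and-cryptomining/"
        md5_01 = "3e2cddf76334529a14076c3659a68d92"
        md5_02 = "b9113ccc0856e5d44bab8d3374362a06"
        md5_03 = "d9ecceda32f6fa8a7720e1bf9425374f"
        md5_04 = "28165d28693ca807fb3d4568624c5ba9"
        md5_05 = "0855b8697c6ebc88591d15b954bcd15a"
        md5_06 = "f7df739f865448ac82da01b3b1a97041"
        md5_07 = "1a37f2ef14db460e5723f3c0b7a14d23"
        md5_08 = "99f0102d673423c920af1abc22f66d4e"
        // md5_09 repeats md5_08 verbatim as listed; the tenth distinct sample hash is not recoverable here.
        md5_09 = "99f0102d673423c920af1abc22f66d4e"
        md5_10 = "5daace86b5e947e8b87d8a00a11bc3c5"
    strings:
        // NOTE(review): the strings below are kept byte-for-byte as listed. Every one of them has a
        // leading and trailing space, exactly like the padded meta values above, which suggests the
        // padding is a rendering artefact rather than part of the rule. If the trailing space in
        // $awsCliConfigureCmd is real, that string is not contained in the "aws configure set
        // aws_access_key_id" replacement text of $sedPropAWS_01, so "all of them" would be hard to
        // satisfy — confirm the exact bytes against the upstream rule at the reference URL.
        $grepPropAWS = " | grep 'AccessKeyId\\|SecretAccessKey\\|Token\\|Expiration' | "
        $awsCliConfigureCmd = " aws configure set aws_ "
        // sed substitutions rewriting each JSON property into an "aws configure set" line.
        $sedPropAWS_01 = " sed 's# \"AccessKeyId\" : \"#\\n\\naws configure set aws_access_key_id #g' "
        $sedPropAWS_02 = " sed 's# \"SecretAccessKey\" : \"#aws configure set aws_secret_access_key #g' "
        $sedPropAWS_03 = " sed 's# \"Token\" : \"#aws configure set aws_session_token #g' "
        $sedPropAWS_04 = " sed 's# \"Expiration\" : \"#\\n\\nExpiration : #g' "
    condition:
        all of them
}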
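// Scripts that probe several AZURE_* credential environment variables and echo them when set.
// Unlike the AWS and GCP siblings in this set, this rule has no shebang requirement, so it also
// fires on non-script files that happen to contain the variable names and "then echo ".
rule P0_Hunting_Azure_EnvVarNames_1 {
    meta:
        // Meta values in the listed copy carried a leading and trailing space on every entry;
        // they are trimmed here so hash/date consumers see well-formed values. Values unchanged.
        description = "Detecting presence of scripts searching for numerous environment variables containing sensitive Azure credential information"
        author = "daniel.bohannon@permiso.io (@danielhbohannon)"
        date = "2023-07-12"
        reference = "https://permiso.io/blog/s/agile-approach-to-mass-cloud-cred-harvesting-and-cryptomining/"
        md5_01 = "b9113ccc0856e5d44bab8d3374362a06"
        md5_02 = "d9ecceda32f6fa8a7720e1bf9425374f"
        md5_03 = "0855b8697c6ebc88591d15b954bcd15a"
        md5_04 = "f7df739f865448ac82da01b3b1a97041"
        md5_05 = "1a37f2ef14db460e5723f3c0b7a14d23"
        md5_06 = "99f0102d673423c920af1abc22f66d4e"
        // md5_07 repeats md5_06 verbatim as listed.
        md5_07 = "99f0102d673423c920af1abc22f66d4e"
        md5_08 = "5daace86b5e947e8b87d8a00a11bc3c5"
    strings:
        // Expansion syntax of an AZURE_-prefixed variable; the surrounding spaces are kept as
        // listed (the AWS and GCP siblings use the same padded form).
        $envVarAzurePrefixSyntax_01 = " $AZURE_ "
        $envVarAzurePrefixSyntax_02 = " ${AZURE_"
        // Credential-bearing Azure SDK/agent variable names.
        $envVarAzure_01 = "AZURE_CREDENTIAL_FILE"
        $envVarAzure_02 = "AZURE_GUEST_AGENT_CONTAINER_ID"
        $envVarAzure_03 = "AZURE_CLIENT_ID"
        $envVarAzure_04 = "AZURE_CLIENT_SECRET"
        $envVarAzure_05 = "AZURE_TENANT_ID"
        $envVarAzure_06 = "AZURE_SUBSCRIPTION_ID"
        // Counted: at least three occurrences are required.
        $envVarEcho = "then echo "
    condition:
        (1 of ($envVarAzurePrefixSyntax*)) and (3 of ($envVarAzure*)) and (#envVarEcho >= 3)
}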
// Shell scripts that probe GOOGLE_* credential environment variables and echo them when set.
// Thresholds are lower than the AWS sibling (2 variable names, 2 echo blocks) because only
// three GCP variable names are listed.
rule P0_Hunting_GCP_EnvVarNames_1 {
    meta:
        description = "Detecting presence of scripts searching for numerous environment variables containing sensitive GCP credential information"
        author = "daniel.bohannon@permiso.io (@danielhbohannon)"
        date = "2023-07-12"
        reference = "https://permiso.io/blog/s/agile-approach-to-mass-cloud-cred-harvesting-and-cryptomining/"
        md5_01 = "b9113ccc0856e5d44bab8d3374362a06"
        md5_02 = "d9ecceda32f6fa8a7720e1bf9425374f"
        md5_03 = "0855b8697c6ebc88591d15b954bcd15a"
        md5_04 = "f7df739f865448ac82da01b3b1a97041"
        md5_05 = "1a37f2ef14db460e5723f3c0b7a14d23"
        md5_06 = "99f0102d673423c920af1abc22f66d4e"
        // md5_07 repeats md5_06 verbatim as listed.
        md5_07 = "99f0102d673423c920af1abc22f66d4e"
        md5_08 = "5daace86b5e947e8b87d8a00a11bc3c5"
    strings:
        // Shebang lines; either one marks the file as a sh/bash script.
        $sh_header_01 = "#!/bin/sh"
        $sh_header_02 = "#!/bin/bash"
        // Expansion syntax of a GOOGLE_-prefixed variable (spaces kept as listed).
        $gcp_prefix_01 = " $GOOGLE_ "
        $gcp_prefix_02 = " ${GOOGLE_"
        // Credential-bearing Google API variable names.
        $gcp_var_01 = "GOOGLE_API_KEY"
        $gcp_var_02 = "GOOGLE_DEFAULT_CLIENT_ID"
        $gcp_var_03 = "GOOGLE_DEFAULT_CLIENT_SECRET"
        // Counted: at least two occurrences are required.
        $echo_if = "then echo "
    condition:
        any of ($sh_header_*)
        and 1 of ($gcp_prefix_*)
        and 2 of ($gcp_var_*)
        and #echo_if >= 2
}
// Credential-harvester scripts (attributed to TeamTNT in the description) that print fixed
// section banners before each data category. Five of the nine banners are enough to match, so
// a trimmed or partially rewritten variant still fires.
rule P0_Hunting_Common_TeamTNT_CredHarvesterOutputBanner_1 {
    meta:
        description = "Detecting presence of known credential harvester scripts (commonly used by TeamTNT) containing specific section banner output commands"
        author = "daniel.bohannon@permiso.io (@danielhbohannon)"
        date = "2023-07-12"
        reference = "https://permiso.io/blog/s/agile-approach-to-mass-cloud-cred-harvesting-and-cryptomining/"
        md5_01 = "b9113ccc0856e5d44bab8d3374362a06"
        md5_02 = "d9ecceda32f6fa8a7720e1bf9425374f"
        md5_03 = "0855b8697c6ebc88591d15b954bcd15a"
        md5_04 = "f7df739f865448ac82da01b3b1a97041"
        md5_05 = "1a37f2ef14db460e5723f3c0b7a14d23"
        md5_06 = "99f0102d673423c920af1abc22f66d4e"
        // md5_07 repeats md5_06 verbatim as listed.
        md5_07 = "99f0102d673423c920af1abc22f66d4e"
        md5_08 = "5daace86b5e947e8b87d8a00a11bc3c5"
    strings:
        // Banner text is matched exactly, including the dash padding, which differs per banner.
        $banner_aws_info   = "-------- AWS INFO ------------------------------------------"
        $banner_ec2_udata  = "-------- EC2 USERDATA -------------------------------------------"
        $banner_google     = "-------- GOOGLE DATA --------------------------------------"
        $banner_azure      = "-------- AZURE DATA --------------------------------------"
        $banner_iam_udata  = "-------- IAM USERDATA -------------------------------------------"
        $banner_aws_env    = "-------- AWS ENV DATA --------------------------------------"
        $banner_proc_vars  = "-------- PROC VARS -----------------------------------"
        $banner_docker     = "-------- DOCKER CREDS -----------------------------------"
        $banner_cred_files = "-------- CREDS FILES -----------------------------------"
    condition:
        5 of ($banner_*)
}
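// Credential-harvester scripts identified by a copy-pasted typo: a "for CREFILE in ${...}" loop
// over a "find / -maxdepth" result that cats every file into an output file via xargs.
// All three fragments are required.
rule P0_Hunting_Common_TeamTNT_CredHarvesterTypo_1 {
    meta:
        // Closing parenthesis added to the description; the listed text left "(assuming ..." open.
        description = "Detecting presence of known credential harvester scripts (commonly used by TeamTNT) containing common typo for 'CREFILE' variable name (assuming intended name is 'CREDFILE' since it is iterating file names in input array)"
        author = "daniel.bohannon@permiso.io (@danielhbohannon)"
        date = "2023-07-12"
        reference = "https://permiso.io/blog/s/agile-approach-to-mass-cloud-cred-harvesting-and-cryptomining/"
        md5_01 = "3e2cddf76334529a14076c3659a68d92"
        md5_02 = "b9113ccc0856e5d44bab8d3374362a06"
        md5_03 = "d9ecceda32f6fa8a7720e1bf9425374f"
        md5_04 = "28165d28693ca807fb3d4568624c5ba9"
        md5_05 = "0855b8697c6ebc88591d15b954bcd15a"
        md5_06 = "f7df739f865448ac82da01b3b1a97041"
        md5_07 = "1a37f2ef14db460e5723f3c0b7a14d23"
        md5_08 = "99f0102d673423c920af1abc22f66d4e"
        // md5_09 repeats md5_08 verbatim as listed; the tenth distinct sample hash is not recoverable here.
        md5_09 = "99f0102d673423c920af1abc22f66d4e"
        md5_10 = "5daace86b5e947e8b87d8a00a11bc3c5"
    strings:
        // The typo itself: loop variable "CREFILE" iterating an array expansion.
        $varNameTypo = "for CREFILE in ${"
        // Filesystem walk from the root with an explicit depth bound.
        $findArgs = "find / -maxdepth "
        // Each found path is echoed as ":::<path>" and its contents appended to a "$"-named file.
        $xargs = " | xargs -I % sh -c 'echo :::%; cat %' >> $"
    condition:
        all of them
}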
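// Credential-harvester scripts that exfiltrate collected files with curl multipart uploads
// whose field names ("Datei", "Send=1") match a German tutorial's upload.php example.
// All four argument fragments are required.
rule P0_Hunting_Common_TeamTNT_CurlArgs_1 {
    meta:
        // Meta values in the listed copy carried a leading and trailing space on every entry;
        // they are trimmed here so hash/date consumers see well-formed values. Values unchanged.
        description = "Detecting presence of known credential harvester scripts (commonly used by TeamTNT) containing common curl arguments including 'Datei' (German word for 'file' ) and specific 'Send=1' arguments found in German blog post https://administrator.de/tutorial/upload-von-dateien-per-batch-curl-und-php-auf-einen-webserver-ohne-ftp-98399.html which details using curl (with these specific arguments) to upload files to upload.php"
        author = "daniel.bohannon@permiso.io (@danielhbohannon)"
        date = "2023-07-12"
        reference = "https://permiso.io/blog/s/agile-approach-to-mass-cloud-cred-harvesting-and-cryptomining/"
        md5_01 = "b9113ccc0856e5d44bab8d3374362a06"
        md5_02 = "d9ecceda32f6fa8a7720e1bf9425374f"
        md5_03 = "0855b8697c6ebc88591d15b954bcd15a"
        md5_04 = "f7df739f865448ac82da01b3b1a97041"
        md5_05 = "1a37f2ef14db460e5723f3c0b7a14d23"
        md5_06 = "99f0102d673423c920af1abc22f66d4e"
        // md5_07 repeats md5_06 verbatim as listed.
        md5_07 = "99f0102d673423c920af1abc22f66d4e"
        md5_08 = "5daace86b5e947e8b87d8a00a11bc3c5"
    strings:
        // NOTE(review): the strings are kept byte-for-byte as listed. Each has a leading and
        // trailing space, like the padded meta values above, which suggests a rendering artefact.
        // A real trailing space after "username=" / "password=" would require a space between the
        // field name and its value, which an upload command line would not normally contain —
        // confirm the exact bytes against the upstream rule at the reference URL.
        $curlFileArgGerman = " \"Datei=@\" "
        $curlArgSend = " -F \"Send=1\" "
        $curlArgUsername = " -F \"username= "
        $curlArgPassword = " -F \"password= "
    condition:
        all of them
}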
// LummaC stealer, memory-scan rule (Cyble). All five strings must be present; "ascii wide"
// covers both the narrow and UTF-16LE encodings the unpacked code may hold.
rule LummaC_Stealer {
    meta:
        author = "Cyble"
        description = "Detects LummaC Stealer Files"
        date = "2023-08-10"
        os = "Windows"
        threat_name = "LummaC Stealer"
        scan_type = "Memory"
        severity = 100
        reference_sample = "a53dafb72659e7aa4f36a6626b01aad9cc44500d5d4c1ee7a96c957a4e556d02"
    strings:
        // Presumably C2 endpoint paths (names suggest socket and config handlers).
        $c2_sock  = "/c2sock" ascii wide
        $c2_conf  = "/c2conf" ascii wide
        // Browser label and the two report file names written by the stealer.
        $browser  = "TeslaBrowser" ascii wide
        $rpt_soft = "Software.txt" ascii wide
        $rpt_sys  = "System.txt" ascii wide
    condition:
        all of them
}
// Amadey bot, memory-scan rule (Cyble). The individual fragments ("id=", "&av=", ...) are very
// short and generic; the rule relies on requiring all six together.
rule AmadeyBot {
    meta:
        author = "Cyble"
        description = "Detects Amadey Bot Files"
        date = "2023-08-10"
        os = "Windows"
        threat_name = "Amadey Bot"
        scan_type = "Memory"
        severity = 100
        reference_sample = "a58f0d4b2a0100a12eb8a5690522d79d510adafa9235d11e4b714dda8c87b341"
    strings:
        // C2 script path and an executable name referenced by the sample (backslash-escaped).
        $c2_path   = "/index.php" ascii wide
        $msbuild   = "\\MsBuild.exe" ascii wide
        // Query-string parameter names of the check-in request.
        $param_id  = "id=" ascii wide
        $param_av  = "&av=" ascii wide
        $param_pc  = "&pc=" ascii wide
        $param_un  = "&un=" ascii wide
    condition:
        all of them
}
// QwixxRAT (Uptycs). Strings cover the keylogger, webcam capture, browser/FTP credential theft
// and WMI reconnaissance features; all eleven are required.
rule Uptycs_QwixxRAT {
    meta:
        malware_name = "QwixxRAT"
        description = "QwixxRAT is a trojan designed to extract browser cookies, histories, credit card information and capture keylogger activities from targeted devices"
        author = "Uptycs Inc"
        version = "1"
    strings:
        // Keylogger markers and output file.
        $kl_capslock   = "[CAPSLOCK: ON]" ascii wide
        $kl_esc        = "[ESC]" ascii wide
        $kl_logfile    = "\\keylogs.txt" ascii wide
        // Webcam capture output.
        $webcam        = "webcam.png" ascii wide
        // WMI queries for OS and AV product enumeration.
        $wmi_os        = "SELECT * FROM win32_operatingsystem" ascii wide
        $wmi_av        = "Select * from AntivirusProduct" ascii wide
        // Chromium login database path (backslash-escaped) and FTP client server list.
        $chromium_db   = "\\User Data\\Default\\Login Data" ascii wide
        $ftp_servers   = "recentservers.xml" ascii wide
        // Stolen card data output and process listing command.
        $cards         = "credit_cards.txt" ascii wide
        $tasklist      = "Tasklist /fi" ascii wide
        // Component name.
        $autostealer   = "AutoStealer" ascii wide
    condition:
        all of them
}
// Packed ELF build of the STEELCORGI backdoor (UNC1945, Yoroi). Matches on code fragments of
// the packer/unpacker stub rather than on strings, since the payload is compressed.
// Any 3 of the 5 fragments in an ELF file are enough.
rule ELF_packed_STEELCORGI_backdoor_UNC1945 {
    meta:
        description = "Yara Rule for packed ELF backdoor of UNC1945"
        author = "Yoroi Malware Zlab"
        last_updated = "2020_12_21"
        tlp = "white"
        category = "informational"
    strings:
        // "4?" nibble wildcards accept any 0x40-0x4F byte, consistent with x86-64 REX prefixes;
        // "??" accepts any byte (displacements / registers that vary between builds).
        $code_1 = { 4? 88 47 3C C1 6C ?4 34 08 8A 54 ?? ?? 4? 88 57 3D C1 6C }
        $code_2 = { 0F B6 5? ?? 0F B6 4? ?? 4? C1 E2 18 4? C1 E0 10 4? }
        $code_3 = { 8A 03 84 C0 74 ?? 3C 3D 75 ?? 3C 3D 75 ?? C6 03 00 4? 8B 7D 00 }
        $code_4 = { 01 C6 89 44 ?? ?? 8B 44 ?? ?? 31 F2 89 74 ?? ?? C1 }
        $code_5 = { 4? 89 D8 4? 31 F2 4? C1 E0 13 4? 01 D7 4? }
    condition:
        // Little-endian read of the ELF magic 7F 45 4C 46 at offset 0.
        uint32(0) == 0x464c457f
        and 3 of ($code_*)
}
// Unpacked STEELCORGI backdoor (UNC1945, Yoroi). Unlike the packed sibling this rule has no
// ELF-magic check, so it also applies to memory dumps. Several strings ("server", "test",
// "dlopen", "dlsym") are generic on their own; they are gated by occurrence counts and by
// the two build-specific ".debug" file names.
rule ELF_unpacked_STEELCORGI_backdoor_UNC1945 {
    meta:
        description = "Yara Rule for unpacked ELF backdoor of UNC1945"
        author = "Yoroi Malware Zlab"
        last_updated = "2020_12_21"
        tlp = "white"
        category = "informational"
    strings:
        $tag_mcarc    = "MCARC"
        $tag_pora     = "PORA1022"
        // Separate debug-info file names embedded in the binary; the most specific indicators here.
        $debug_file_1 = "833fc0088ea41bc3331db60ae2.debug"
        $debug_file_2 = "5d5c6da19e62263f67ca63f8bedeb6.debug"
        // Counted words: "server" must appear more than 50 times, "test" more than 20.
        $word_server  = "server"
        $word_test    = "test"
        // Spanish-localized git message ("do not run git-update-server-info").
        $git_es       = "no ejecutar git-update-server-info"
        // Dynamic loader API names.
        $dl_open      = "dlopen"
        $dl_sym       = "dlsym"
        // Plain-ASCII form of the original hex string: a Perl fragment,
        //   rint "[V] Attempting to get OS info with command: $command\n" if $verbose;
        // ("\n" is the literal two-character escape inside the Perl source).
        $perl_osinfo  = "rint \"[V] Attempting to get OS info with command: $command\\n\" if $verbose;"
    condition:
        all of them
        and #word_server > 50
        and #word_test > 20
}
// TYPEFRAME (HIDDEN COBRA) — encrypted embedded-resource header variants. Any one of the three
// 10-byte sequences in a PE file matches; the sequences are opaque ciphertext prefixes, so
// the PE-header gate is what keeps this from firing on arbitrary binary data.
rule enc_PK_header {
    meta:
        author = "NCCIC trusted 3rd party"
        incident = "10135536"
        date = "2018-04-12"
        category = "hidden_cobra"
        family = "TYPEFRAME"
        hash0 = "3229a6cea658b1b3ca5ca9ad7b40d8d4"
    strings:
        $enc_hdr_0 = { 5F A8 80 C5 A0 87 C7 F0 9E E6 }
        $enc_hdr_1 = { 95 F1 6E 9C 3F C1 2C 88 A0 5A }
        $enc_hdr_2 = { AE 1D AF 74 C0 F5 E1 02 50 10 }
    condition:
        // "MZ" at offset 0 and "PE" at the offset stored in e_lfanew (0x3C).
        uint16(0) == 0x5A4D
        and uint16(uint32(0x3c)) == 0x4550
        and any of ($enc_hdr_*)
}
// TYPEFRAME (HIDDEN COBRA) — obfuscated import table variant. Several sequences are only
// 4 bytes long and would be noisy alone; the rule requires all six plus a valid PE header.
rule import_obfuscation_2 {
    meta:
        author = "NCCIC trusted 3rd party"
        incident = "10135536"
        date = "2018-04-12"
        category = "hidden_cobra"
        family = "TYPEFRAME"
        hash0 = "bfb41bc0c3856aa0a81a5256b7b8da51"
    strings:
        $obf_0 = { A6 D6 02 EB 4E B2 41 EB C3 EF 1F }
        $obf_1 = { B6 DF 01 FD 48 B5 }
        $obf_2 = { B6 D5 0E F3 4E B5 }
        $obf_3 = { B7 DF 0E EE }
        $obf_4 = { B6 DF 03 FC }
        $obf_5 = { A7 D3 03 FC }
    condition:
        // "MZ" at offset 0 and "PE" at the offset stored in e_lfanew (0x3C).
        uint16(0) == 0x5A4D
        and uint16(uint32(0x3c)) == 0x4550
        and all of ($obf_*)
}
// TYPEFRAME (HIDDEN COBRA) RAT. Two code-pattern pairs: the first pair decodes as 32-bit x86
// (esp-relative argument load, 0xFFFF8000 bias, compare against 0x43, and a 256-iteration
// byte-store loop), the second as the x86-64 build of the same routines (REX.W prefixes,
// rsp-relative spill). Either pair matches. Unlike the sibling TYPEFRAME rules there is no
// PE-header gate, so this also applies to memory dumps.
rule HC_RAT {
    meta:
        author = "NCCIC Code & Media Analysis"
        incident = "10135536"
        date = "2018-04-12"
        category = "hidden_cobra"
        family = "TYPEFRAME"
        // Listed in uppercase hex; normalise if downstream tooling compares hashes case-sensitively.
        hash0 = "1C53E7269FE9D84C6DF0A25BA59B822C"
    strings:
        $x86_range_check = { 8B 4C 24 04 33 C0 81 E1 FF FF 00 00 81 C1 00 80 FF FF 83 F9 43 0F 87 70 01 00 00 }
        $x86_fill_loop   = { 88 04 30 40 3D 00 01 00 00 }
        $x64_range_check = { 48 89 4C 24 08 57 48 83 EC 20 0F B7 C1 33 FF 05 00 80 FF FF 83 F8 43 0F 87 60 02 00 00 }
        $x64_fill_loop   = { 88 01 FF C0 48 FF C1 3D 00 01 00 00 }
    condition:
        ($x86_range_check and $x86_fill_loop)
        or ($x64_range_check and $x64_fill_loop)
}
// TYPEFRAME (HIDDEN COBRA) import-name deobfuscation loop. The first pattern decodes as:
// load byte, skip if outside 'b'..'y', else replace it with 0xDB - byte (0xDB = 'b' + 'y',
// i.e. a mirror substitution within that range), advance, loop until NUL. The second is the
// same loop with the registers swapped. Either pattern in a PE file matches.
rule import_deob {
    meta:
        author = "NCCIC trusted 3rd party"
        incident = "10135536"
        date = "2018-04-12"
        category = "hidden_cobra"
        family = "TYPEFRAME"
        // YARA permits a repeated meta key, but some consumers keep only the last value.
        md5 = "ae769e62fef4a1709c12c9046301aa5d"
        md5 = "e48fe20eb1f5a5887f2ac631fed9ed63"
    strings:
        $deob_loop_ecx = { 8A 01 3C 62 7C 0A 3C 79 7F 06 B2 DB 2A D0 88 11 8A 41 01 41 84 C0 75 E8 }
        // NOTE(review): kept as listed. The "82 DB 2A" here does not decode as a sane instruction,
        // whereas "B2 DB" (mov dl, 0xDB) would make this the exact register-swapped mirror of the
        // first pattern — a possible transcription error; confirm against the upstream rule.
        $deob_loop_eax = { 8A 08 80 F9 62 7C 0B 80 F9 79 7F 06 82 DB 2A D1 88 10 8A 48 01 40 84 C9 75 E6 }
    condition:
        // "MZ" at offset 0 and "PE" at the offset stored in e_lfanew (0x3C).
        uint16(0) == 0x5A4D
        and uint16(uint32(0x3c)) == 0x4550
        and any of ($deob_loop_*)
}
// NOBELIUM HTA dropper (SEKOIA). The HTA assembles a payload from hidden page elements via
// repeated "+= document.getElementById(...).innerHTML" and writes it to the registry with
// RegWrite. Thresholds are occurrence counts, so a single incidental hit does not fire.
// Matching ISO containers is intended as well, hence no file-type gate.
rule apt_nobelium_hta_reg_dropper {
    meta:
        id = "9f6a2154-c33a-4c38-9667-7479bf49c310"
        description = "Matches HTA dropper file used by NOBELIUM and ISO files containing it"
        hash = "054940ba8908b9e11f57ee081d1140cb"
        hash = "b7ca8c46dc1bfc1d9cb9ce04a4928153"
        version = "1.0"
        creation_date = "2021-12-07"
        modification_date = "2021-12-07"
        classification = "TLP:WHITE"
        source = "SEKOIA"
    strings:
        // WScript.Shell RegWrite( call — must occur more than once.
        $regwrite   = "RegWrite(" nocase
        // '+= document.getElementById("' [0-4 bytes: the element id] '").innerHTML'
        // Kept as hex because of the variable-length jump; must occur more than three times.
        $elem_concat = { 2B 3D 20 64 6F 63 75 6D 65 6E 74 2E 67 65 74 45 6C 65 6D 65 6E 74 42 79 49 64 28 22 [0-4] 22 29 2E 69 6E 6E 65 72 48 54 4D 4C }
        // Execution trigger and the visibility attribute of the payload-carrying elements.
        $body_onload = "<body onload=" nocase
        $hidden      = "hidden" nocase
    condition:
        $body_onload
        and #hidden > 3
        and #elem_concat > 3
        and #regwrite > 1
}
// NOBELIUM ISO image that embeds an HTA (SEKOIA). An ISO carrying an ImgBurn identifier plus
// an "<hta:application" tag, bounded to 1-3 MB to limit the scan to the observed size range.
rule apt_nobelium_hta_in_iso {
    meta:
        id = "874ab41b-5c60-4303-8776-e1c10313a401"
        description = "Matches ISO file embedding HTA"
        hash = "d4fdf63d88da2d59569bb621b18bf5e4"
        hash = "cc08a6df151b8879a4969b2e99086b48"
        version = "1.0"
        creation_date = "2021-12-02"
        modification_date = "2021-12-02"
        classification = "TLP:WHITE"
        source = "SEKOIA"
    strings:
        // Presumably the application identifier the authoring tool wrote into the ISO descriptor.
        $imgburn = "ImgBurn v2"
        // Start of the HTA application element inside the embedded file.
        $hta_tag = "<hta:application"
    condition:
        filesize > 1MB
        and filesize < 3MB
        and $imgburn
        and $hta_tag
}
// NOBELIUM HTML smuggling page that builds a Blob, hands it to a download link with an ".iso"
// file name and the "application/x-cd-image" MIME type, and triggers it with .click().
// Size is bounded to 1-2 MB (the embedded ISO dominates the file size).
rule apt_nobelium_html_smuggling_iso {
    meta:
        id = "9bd5b626-8ea3-4607-a858-58deff18396c"
        version = "1.0"
        description = "Detect HTML smuggling with ISO"
        hash = "b87073c34a910f20a83c04c8efbd4f43"
        hash = "3d18bc4bfe1ec7b6b73a3fb39d490b64"
        source = "SEKOIA"
        creation_date = "2022-01-02"
        modification_date = "2022-01-02"
        classification = "TLP:WHITE"
    strings:
        $blob_ctor  = "new Blob"
        $click_call = ".click();"
        // '(' [1-20] ',"' [1-20] '.iso","application/x-cd-image")' — the jumps cover the
        // variable/identifier names, so this stays a hex string.
        $iso_args   = { 28 [1-20] 2C 22 [1-20] 2E 69 73 6F 22 2C 22 61 70 70 6C 69 63 61 74 69 6F 6E 2F 78 2D 63 64 2D 69 6D 61 67 65 22 29 }
    condition:
        filesize > 1MB
        and filesize < 2MB
        and all of them
}
// NOBELIUM HTML file that base64-decodes a payload with atob() and copies it byte by byte into
// a Uint8Array. Both loop fragments must lie between the FIRST "atob(" and the FIRST
// "new Uint8Array" occurrence; if either anchor string is absent, the offset range is
// undefined and the rule cannot match. Size bounded to 1-3 MB.
rule apt_nobelium_b64_to_Uint8Array {
    meta:
        id = "66c9b00b-f021-4115-b9ec-d1e1f491ce72"
        description = "Detect Base64 decode to Uint8Array used in NOBELIUM HTML files"
        hash = "3d18bc4bfe1ec7b6b73a3fb39d490b64"
        version = "1.0"
        creation_date = "2021-12-02"
        modification_date = "2021-12-02"
        classification = "TLP:WHITE"
        source = "SEKOIA"
    strings:
        // Range anchors.
        $atob  = "atob("
        $u8arr = "new Uint8Array"
        // ' < ' [2-10: the length-source identifier] '.length; i++){'
        $loop_head = { 20 3C 20 [2-10] 2E 6C 65 6E 67 74 68 3B 20 69 2B 2B 29 7B }
        // '[i] = ' [2-10: the decoded-string identifier] '.charCodeAt(i);'
        $loop_body = { 5B 69 5D 20 3D 20 [2-10] 2E 63 68 61 72 43 6F 64 65 41 74 28 69 29 3B }
    condition:
        $loop_head in (@atob .. @u8arr)
        and $loop_body in (@atob .. @u8arr)
        and filesize > 1MB
        and filesize < 3MB
}
import "pe"

// Obfuscated Cobalt Strike loader DLLs used by NOBELIUM (SEKOIA). The obfuscation shows as
// massive repetition of two code idioms; the rule counts them rather than matching once.
// Requires a DLL with more than 20 exports in the 300-400 KB range.
rule apt_nobelium_cs_loader_obfuscation {
    meta:
        id = "5f21b031-3dc1-4dad-b775-6099bfcb0472"
        version = "1.0"
        description = "Detect obfuscated CobaltStrike loaders used by NOBELIUM"
        hash = "41dd8cee47c036e7e9e92c395c5d1feb"
        hash = "4365057ef0c5a9518d95d53eab5995a8"
        source = "SEKOIA"
        creation_date = "2022-01-04"
        modification_date = "2022-01-04"
        classification = "TLP:WHITE"
    strings:
        // Decodes as x87 "fld qword [abs32]" followed by "fstp qword [ebp+disp32]"; > 50 occurrences.
        $x87_load_store = { DD 05 ?? ?? ?? ?? DD 9D }
        // Decodes as two consecutive "mov dword [ebp+disp32], imm32"; > 50 occurrences.
        $mov_imm_pair   = { C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 }
        // Decodes as "cmp dword [ebp+disp8], 0xFF" + backward "jle rel32" (a 256-iteration
        // loop bound); exactly 2 occurrences.
        $cmp_ff_jle     = { 81 7D ?? FF 00 00 00 0F 8E ?? ?? FF FF }
    condition:
        pe.characteristics & pe.DLL
        and pe.number_of_exports > 20
        and filesize > 300KB
        and filesize < 400KB
        and #x87_load_store > 50
        and #mov_imm_pair > 50
        and #cmp_ff_jle == 2
}
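// Rovnix downloader (McAfee). The $sink* words are the fragments the description attributes to
// the downloader's sinkhole checks (presumably compared against resolved names); each is a generic
// dictionary fragment, so all fourteen are required together with the bootkit DLL name.
// No hashes or date are recorded in the meta section.
rule rovnix_downloader {
    meta:
        author = "McAfee"
        description = "Rovnix downloader with sinkhole checks"
    strings:
        $sink1 = "control"
        $sink2 = "sink"
        $sink3 = "hole"
        $sink4 = "dynadot"
        $sink5 = "block"
        $sink6 = "malw"
        $sink7 = "anti"
        $sink8 = "googl"
        $sink9 = "hack"
        $sink10 = "trojan"
        $sink11 = "abuse"
        $sink12 = "virus"
        $sink13 = "black"
        $sink14 = "spam"
        $boot = "BOOTKIT_DLL.dll"
    condition:
        // An MZ header is only meaningful at offset 0. The original "$mz in (0 .. 2)" searched for
        // the 2-byte pattern as a string (recording every "MZ" in the file) and also accepted
        // offsets 1-2, which never hold a valid header; the header read is exact and is the form
        // the other PE rules in this set already use.
        uint16(0) == 0x5A4D
        and all of ($sink*)
        and $boot
}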
// Tiny shell dropper associated with Nosedive (Black Lotus Labs). A sh script under 3 KB that
// starts with a shebang and shows at least six of seven dropper traits: temp-dir staging, an
// HTTP fetch, self-deletion, killing by process name, and a sleep/retry loop.
rule Nosedive_custom_dropper {
    meta:
        author = "Lumen Technologies - Black Lotus Labs"
    strings:
        // Must be the first bytes of the file (see condition); fullword requires a delimiter after it.
        $shebang    = "#!/bin/sh" ascii fullword
        $tmp_dir    = "/tmp"
        $var_tmp    = "/var/tmp"
        $fetch      = "wget http://"
        // Script removes its own file.
        $self_rm    = "rm -rf $0" ascii fullword
        $kill_pidof = "kill -9 `pidof"
        $sleep      = "sleep 1" ascii fullword
        $loop       = "while true" ascii fullword
    condition:
        filesize < 3KB
        and $shebang at 0
        and 6 of ($tmp_dir, $var_tmp, $fetch, $self_rm, $kill_pidof, $sleep, $loop)
}