Overview - Yara rules

// Single-string hunting rule for a component named "zhLookUp", keyed on its
// ".Properties" namespace string. There is no file-type, size or offset guard,
// so one literal is the whole signal; narrow the scan scope at run time and
// treat hits as leads rather than verdicts.
rule zhLookUp {
	strings:
		$s1 = "zhLookUp.Properties"   // NOTE(review): reads like a .NET resource namespace — confirm against the sample
	condition:
		all of them
}
// Detects a wrapper/loader that embeds both its own name ("zhmimikatz") and a
// runner class name ("MimikatzRunner"). Both literals are required ("all of
// them"), which keeps the rule tight; neither is case-insensitive or wide, so
// UTF-16 copies of the names will not match. No PE/size guard.
rule zhmimikatz {
	strings:
		$s1 = "MimikatzRunner"
		$s2 = "zhmimikatz"
	condition:
		all of them
}
// Cobalt Strike (beacon) detection built from seven literals that all have to
// be present. $s2 is the ASCII bytes of a canned HTTP response template:
// "HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n
//  Content-Length: %d\r\n\r\n\0". $s1/$s4/$s5 are printf-style format strings
// and $s7 "(null)" is a generic CRT artifact; on their own they are common,
// which is why the condition is "all of them". No PE header or size guard;
// the tag "Commodity" is the rule's classification tag.
rule trojan_win_cobaltstrike : Commodity {
	meta:
		author = " [email protected] "   // address redacted in this copy of the rule
		date = "2021-05-25"
		description = "The CobaltStrike malware family."
		hash = "b041efb8ba2a88a3d172f480efa098d72eef13e42af6aa5fb838e6ccab500a7c"
	strings:
		$s1 = "%s (admin)" fullword
		$s2 = { 48 54 54 50 2F 31 2E 31 20 32 30 30 20 4F 4B 0D 0A 43 6F 6E 74 65 6E 74 2D 54 79 70 65 3A 20 61 70 70 6C 69 63 61 74 69 6F 6E 2F 6F 63 74 65 74 2D 73 74 72 65 61 6D 0D 0A 43 6F 6E 74 65 6E 74 2D 4C 65 6E 67 74 68 3A 20 25 64 0D 0A 0D 0A 00 }
		$s3 = "d/d/d d:d:d" fullword
		$s4 = "%s as %s\\%s: %d" fullword
		$s5 = "%s&%s=%s" fullword
		$s6 = "rijndael" fullword
		$s7 = "(null)"
	condition:
		all of them
}
import "pe"

// Bitdefender rule for the S1deload stealer's registry-persistence code.
// Scope: a PE under 1 MB that imports mscoree.dll (i.e. hosts the .NET
// runtime), containing three registry-helper identifiers plus one bytecode
// pattern. Requires "pe" module (import "pe" precedes the rule).
rule S1deloadStealer_Registry {
	meta:
		author = "Acs David - Bitdefender"
		date = "2022-12-05"
		hash = "2799C2A302164626C77DD73BF755981BE3FF159CC0D2E85C1C54B620FD815132"
	strings:
		$reg_util_namespace = "RegistryUtils"
		$reg_util_get_registry_value = "GetRegistryValue"
		$reg_util_set_registry_value = "SetRegistryValue"
		// NOTE(review): the byte values (28 call, 2C brfalse.s, 8D newarr, 9C stelem.i1,
		// 20 ldc.i4 ...) look like CIL, which fits the mscoree.dll guard — confirm
		// against the sample before editing the jump ranges.
		$set_persistence_instructions = { 28 [6-8] 2C [2-3] 74 [6-8] 16 91 18 2E ?? 1F 0C 8D [6-8] 16 18 9C [2-4] 20 [4] 28 [4] 20 [4] 28 [4] 11 ?? 19 17 28 }
	condition:
		// all of them = the three identifier strings and the bytecode pattern
		pe.is_pe and filesize <= 1MB and pe.imports("mscoree.dll") and (all of them)
}
import "pe"

// Companion rule keyed on the developer's PDB path embedded in the PE debug
// directory, with the same scope as the registry rule (PE, <= 1 MB, imports
// mscoree.dll). No strings section: the whole test is in the condition.
// PDB paths are trivially changed between builds, so expect this to age
// faster than the bytecode rule. Requires "pe" module.
rule S1deloadStealer_PDB_path {
	meta:
		author = "Acs David - Bitdefender"
		date = "2022-12-05"
		hash = ""   // NOTE(review): empty in this copy — either fill from the source publication or drop the key
	condition:
		// "contains" is case-sensitive; pdb_path is empty (no match) when the PE has no debug directory
		pe.is_pe and pe.pdb_path contains "C:\\Users\\KienTi\\Documents" and filesize <= 1MB and pe.imports("mscoree.dll")
}
// Flags legacy OLE workbooks (XLS) that carry a hidden or very-hidden macro
// sheet whose formulas call CHAR() many times — a common way to assemble a
// payload string at run time. Note the meta keys are capitalised
// (Author/Sample), unlike the lowercase convention in the rest of this set.
rule macro_sheet_obfuscated_char {
	meta:
		description = "Finding hidden/very-hidden macros with many CHAR functions"
		Author = "DissectMalware"
		Sample = "0e9ec7a974b87f4c16c842e648dd212f80349eecb4e636087770bc1748206c3b (Zloader)"
	strings:
		$ole_marker = { D0 CF 11 E0 A1 B1 1A E1 }   // OLE2 compound-file signature
		// NOTE(review): 85 00 is the BIFF BOUNDSHEET record id; the two option
		// bytes after the 4-byte stream position read as hidden(01)/very-hidden(02)
		// + sheet type 01 (macro sheet), matching the description — confirm.
		$macro_sheet_h1 = { 85 00 ?? ?? ?? ?? ?? ?? 01 01 }
		$macro_sheet_h2 = { 85 00 ?? ?? ?? ?? ?? ?? 02 01 }
		// Presumably a FORMULA record (06) ending in a function-call token; treated as one CHAR() call
		$char_func = { 06 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 1E 3D 00 41 6F 00 }
	condition:
		// signature must be at offset 0 (a real OLE file, not an embedded one);
		// #char_func counts occurrences, so > 10 is the obfuscation threshold
		$ole_marker at 0 and 1 of ($macro_sheet_h*) and #char_func > 10
}
// Trend Micro rule for FastPOS (2016 variants and their hook/keylogger/service
// modules). Three evidence groups must all contribute: at least one build PDB
// path ($pdb*, case-insensitive), three of the dropped-component names
// ($exec_ref*), and two of the service/mailslot strings ($string*). The
// $string* group alone is weak — DeleteService / CreateMailslotA /
// StartServiceCtrlDispatcherA are ordinary Win32 imports — which is why the
// condition pairs it with the other two groups. No PE header guard.
rule PoS_Malware_fastpos2 : FastPOS2 {
	meta:
		author = "Trend Micro, Inc"
		date = "2016-09-21"
		description = "Used to detect newer FastPOS variants and their modules."
		sample_filetype = "exe"
	strings:
		// build-output PDB paths; nocase covers mixed-case project folders
		$pdb0 = "\\_hookLoader\\Release\\_hookLoader.pdb" nocase
		$pdb1 = "\\_hookKlg\\Release\\_hookKlg.pdb" nocase
		$pdb2 = "\\_hookKlg\\x64\\Release\\_hookKlg.pdb" nocase
		$pdb3 = "\\_hookProc\\Release\\_hookProc.pdb" nocase
		$pdb4 = "\\_hookProc\\x64\\Release\\_hookProc.pdb" nocase
		$pdb5 = "\\_hookRecvSrvc\\Release\\_hookRecvSrvc.pdb" nocase
		// component file names referenced by the loader; $exec_ref7 is a URL path
		$exec_ref0 = "\\kl32.exe"
		$exec_ref1 = "\\servhelp.exe"
		$exec_ref2 = "\\kbd.exe"
		$exec_ref3 = "\\servproc.exe"
		$exec_ref4 = "\\service.exe"
		$exec_ref5 = "\\proc64.exe"
		$exec_ref6 = "\\proc32.exe"
		$exec_ref7 = "//cdosys.php"
		// service / mailslot IPC strings; $string5 is UTF-16 only (wide)
		$string0 = "DeleteService"
		$string1 = "CreateMailslotA"
		$string2 = "StartServiceCtrlDispatcherA"
		$string3 = "\\\\.\\mailslot\\trackslot"
		$string4 = "Can't install hook service"
		$string5 = " -r to remove hook." wide
	condition:
		(any of ($pdb*)) and (3 of ($exec_ref*)) and (2 of ($string*))
}
// Mandiant hunting rule for LIGHTSHIFT: two x64 code fragments that must
// both occur, each inside a fixed file-offset window. The offset windows
// anchor the patterns to the expected code layout of the reference sample,
// so a recompiled or differently-linked build can fall outside them; treat
// a miss as inconclusive. Scope is a PE (MZ at 0, "PE\0\0" at e_lfanew).
rule M_Code_LIGHTSHIFT {
	meta:
		author = "Mandiant"
		description = "Hunting rule for LIGHTSHIFT"
		sha256 = "ce501fd5c96223fb17d3fed0da310ea121ad83c463849059418639d211933aa4"
	strings:
		// [4] = four wildcard bytes (a call/jmp displacement); [5] = five
		$p00_0 = { 48 8B 7C 24 ?? 44 8D 40 ?? 48 03 7C 24 ?? 48 8B CF FF 15 [4] 81 7C 24 [5] 74 ?? 48 8B 4B ?? 33 D2 }
		$p00_1 = { 49 8D 7C 01 ?? 8B 47 ?? 85 C0 75 ?? 49 63 45 ?? 85 C0 7E ?? 8B 0F 41 B9 }
	condition:
		// 0x5A4D = "MZ"; uint32(0x3C) is e_lfanew, 0x4550 = "PE"
		uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and (($p00_0 in (750 .. 11000) and $p00_1 in (0 .. 8200)))
}
// Classifier, not a malware signature: tags Windows PE files built with Go by
// the build-ID / runtime markers the Go toolchain leaves in the binary.
// NOTE(review): $go2 "go.buildi" is a prefix of $go1 "go.buildid", so any
// file containing the latter already satisfies "2 of ($go*)" on its own —
// the threshold is effectively 1 for those files. Tighten by dropping $go2
// or raising the count if that is not intended.
rule go_language_pe {
	strings:
		$go1 = "go.buildid" ascii wide
		$go2 = "go.buildi" ascii wide
		$go3 = "Go build ID:" ascii wide
		$go4 = "Go buildinf:"
		$go5 = "runtime.cgo"
		$go6 = "runtime.go"
		$go7 = "GOMAXPRO"
		$str1 = "kernel32.dll" nocase   // all of ($str*) is just this one import name
	condition:
		// MZ header + "PE\0\0" signature at e_lfanew
		uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and 2 of ($go*) and all of ($str*)
}
// NLD MIVD/JSCU rule for the COATHANGER implant's beacon routine. The single
// hex chunk is x86-64 code that materialises the request text on the stack
// in 8-byte pieces: each "48 B8 <8 bytes>" is movabs rax, imm64 with the
// immediates "GET / HT", "TP/2\nHos", "t: www.g", "oogle.co", each followed
// by "48 89 45 xx" (mov [rbp+disp8], rax). Because the text is carried as
// instruction immediates rather than a plain string, a text-string rule for
// "GET / HTTP/2" would not find it. Scope: ELF files under 5 MB.
rule COATHANGER_beacon {
	meta:
		description = "Detects COATHANGER beaconing code (GET / HTTP/2\nHost: www.google.com\n\n)"
		malware = "COATHANGER"
		author = "NLD MIVD - JSCU"
		date = "20240206"
	strings:
		$chunk_1 = { 48 B8 47 45 54 20 2F 20 48 54 48 89 45 B0 48 B8 54 50 2F 32 0A 48 6F 73 48 89 45 B8 48 B8 74 3A 20 77 77 77 2E 67 48 89 45 C0 48 B8 6F 6F 67 6C 65 2E 63 6F }
	condition:
		// 0x464c457f = "\x7fELF" read little-endian
		uint32(0) == 0x464c457f and filesize < 5MB and any of them
}
// Companion rule keyed on path fragments the COATHANGER components reference.
// Several of them ("/bin/busybox", "/etc/ld.so.preload", "/smartctl") are
// ordinary on Linux systems, hence the 4-of-9 threshold: a single generic
// path should not fire the rule. Scope: ELF under 5 MB.
rule COATHANGER_files {
	meta:
		description = "Detects COATHANGER files by used filenames"
		malware = "COATHANGER"
		author = "NLD MIVD - JSCU"
		date = "20240206"
	strings:
		$1 = "/data2/"
		$2 = "/httpsd"
		$3 = "/preload.so"
		$4 = "/authd"
		$5 = "/tmp/packfile"
		$6 = "/smartctl"
		$7 = "/etc/ld.so.preload"   // LD_PRELOAD-style library injection config — consistent with $3
		$8 = "/newcli"
		$9 = "/bin/busybox"
	condition:
		// ELF magic at offset 0, or at offset 4 — NOTE(review): the second form
		// tolerates a 4-byte prefix before the header; confirm which container
		// format that is meant to cover
		(uint32(0) == 0x464c457f or uint32(4) == 0x464c457f) and filesize < 5MB and 4 of them
}
// Mandiant hunting rule for LIGHTSHOW. Most hex strings here are plain ASCII
// written as bytes (decoded in the comments) — equivalent to text strings but
// immune to accidental edits of escapes. Groups: $E export name, $I imported
// DLL names, $H PE header fragments, $F imported API names, $M/$S code
// constants. Everything except the $F group is mandatory.
rule M_Code_LIGHTSHOW {
	meta:
		author = "Mandiant"
		description = "Hunting rule For LIGHTSHOW."
		// NOTE(review): this value is 64 hex digits (SHA-256 length), not a 32-digit
		// MD5 — compare M_Code_LIGHTSHIFT, which labels the same length "sha256";
		// verify the key against the source publication before relying on it
		md5 = "ee5057da3e38b934dae15644c6eb24507fb5a187630c75725075b24a70065452"
	strings:
		$E01 = { 46 75 64 4D 6F 64 75 6C 65 2E 64 6C 6C }   // "FudModule.dll"
		$I01 = { 62 63 72 79 70 74 2E 64 6C 6C }   // "bcrypt.dll"
		$I02 = { 4B 45 52 4E 45 4C 33 32 2E 64 6C 6C }   // "KERNEL32.dll"
		$I03 = { 75 73 65 72 33 32 2E 64 6C 6C 00 }   // "user32.dll\0"
		$H1 = { 4D 5A 90 00 }   // "MZ\x90\x00" DOS header start
		$H2 = { 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F }   // "is program canno" (DOS stub text)
		$F01 = { 47 65 74 4D 6F 64 75 6C 65 46 69 6C 65 4E 61 6D 65 57 }   // "GetModuleFileNameW"
		$F02 = { 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 }   // "GetModuleHandleA"
		$F03 = { 47 65 74 46 69 6C 65 54 79 70 65 }   // "GetFileType"
		$F04 = { 47 65 74 56 65 72 73 69 6F 6E }   // "GetVersion"
		$F05 = { 51 75 65 72 79 53 65 72 76 69 63 65 53 74 61 74 75 73 }   // "QueryServiceStatus"
		$F06 = { 42 43 72 79 70 74 4F 70 65 6E 41 6C 67 6F 72 69 74 68 6D 50 72 6F 76 69 64 65 72 }   // "BCryptOpenAlgorithmProvider"
		// code/constant fragments — opaque here; presumably taken from the sample's resolver/crypto routines
		$M01 = { 68 2D 79 6E B1 }
		$M02 = { 68 EA 71 C2 55 }
		$M03 = { 66 B8 AD EB }
		$M04 = { 4C 8D 2C 6D B3 6C 05 39 }
		$M05 = { 48 8D 2C 95 08 9D EC 9A }
		$S01 = { 48 8D 0C F5 A3 CD 0A EB }
		$S02 = { 81 F9 7F 56 E6 0A }
	condition:
		// both header fragments within the first 2 KB; size bounded 5 KB..100 MB.
		// There are exactly six $F0* strings, so "6 of ($F0*)" is the same as
		// "all of ($F0*)" — lower the count if partial import sets should match.
		($H1 in (0 .. 2048)) and ($H2 in (0 .. 2048)) and filesize < 100MB and filesize > 5KB and all of ($M0*) and all of ($E*) and all of ($I0*) and 6 of ($F0*) and all of ($S0*)
}
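// Kaspersky (2017): Moonlight Maze custom Loki client/server tools, identified
// by attacker-authored status messages (including the vowel-stripped ones in
// $a7-$a10). Fix in this copy: the description meta was a text literal split
// across two physical lines, which the YARA parser rejects; it is now one
// line. Condition is "any of" — a single match fires — and $a1/$a6 are
// generic enough to collide with benign software, so use as a hunting rule.
// Duplicate "hash" meta keys are permitted by YARA and list the covered
// samples. No ELF/size guard.
rule apt_RU_MoonlightMaze_customlokitools {
	meta:
		author = "Kaspersky Lab"
		date = "2017-03-15"
		version = "1.1"
		last_modified = "2017-03-22"
		reference = "https://en.wikipedia.org/wiki/Moonlight_Maze"
		description = "Rule to detect Moonlight Maze Loki samples by custom attacker-authored strings"
		hash = "14cce7e641d308c3a177a8abb5457019"
		hash = "a3164d2bbc45fb1eef5fde7eb8b245ea"
		hash = "dabee9a7ea0ddaf900ef1e3e166ffe8a"
		hash = "1980958afffb6a9d5a6c73fc1e2795c2"
		hash = "e59f92aadb6505f29a9f368ab803082e"
	strings:
		$a1 = "Write file Ok..." ascii wide
		$a2 = "ERROR: Can not open socket...." ascii wide
		$a3 = "Error in parametrs:" ascii wide
		$a4 = "Usage: @<get/put> <IP> <PORT> <file>" ascii wide
		$a5 = "ERROR: Not connect..." ascii wide
		$a6 = "Connect successful...." ascii wide
		$a7 = "clnt <%d> rqstd n ll kll" ascii wide
		$a8 = "clnt <%d> rqstd swap" ascii wide
		$a9 = "cld nt sgnl prcs grp" ascii wide
		$a10 = "cld nt sgnl prnt" ascii wide
		// NOTE(review): "fullword" requires a non-alphanumeric byte before "ork",
		// so this will NOT match inside "fork error" — confirm that is intended
		$a11 = "ork error" ascii fullword
	condition:
		((any of ($a*)))
}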
// Kaspersky (2017): Moonlight Maze custom packet-sniffer tools, keyed on the
// scratch-file paths under /var/tmp and the "|%s|"-delimited log format
// strings. "fullword" on every string keeps, e.g., "/var/tmp/task" from
// matching "/var/tmp/taskhost" (see the xk keylogger rule, which lists both).
// Condition is "any of"; the delimited format strings are distinctive, the
// two paths less so.
rule apt_RU_MoonlightMaze_customsniffer {
	meta:
		author = "Kaspersky Lab"
		date = "2017-03-15"
		version = "1.1"
		reference = "https://en.wikipedia.org/wiki/Moonlight_Maze"
		description = "Rule to detect Moonlight Maze sniffer tools"
		hash = "7b86f40e861705d59f5206c482e1f2a5"
		hash = "927426b558888ad680829bd34b0ad0e7"
		original_filename = "ora;tdn"   // two sample file names, separated by ';'
	strings:
		$a1 = "/var/tmp/gogo" fullword
		$a2 = "myfilename= |%s|" fullword
		$a3 = "mypid,mygid=" fullword
		$a4 = "mypid=|%d| mygid=|%d|" fullword
		$a5 = "/var/tmp/task" fullword
		$a6 = "mydevname= |%s|" fullword
	condition:
		((any of ($a*)))
}
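// Kaspersky (Costin Raiu, 2017): matches the hard-coded Diffie-Hellman
// modulus from the 1996/97 Loki2 source (its STRONG_CRYPTO build). Fix in
// this copy: the description meta was a text literal split across two
// physical lines, which the YARA parser rejects; joined into one line. The
// "/* ... */" inside the description is part of the string, not a comment.
// $modulus is 24 bytes = 192 bits, i.e. a prefix of the 384-bit prime the
// description names, not the whole value. A fixed DH modulus is a stable
// artifact across recompiles, so this is a durable indicator; no file-type
// or size guard.
rule loki2crypto {
	meta:
		author = "Costin Raiu, Kaspersky Lab"
		date = "2017-03-21"
		version = "1.0"
		description = "Rule to detect hardcoded DH modulus used in 1996/1997 Loki2 sourcecode; #ifdef STRONG_CRYPTO /* 384-bit strong prime */"
		reference = "https://en.wikipedia.org/wiki/Moonlight_Maze"
		hash = "19fbd8cbfb12482e8020a887d6427315"
		hash = "ea06b213d5924de65407e8931b1e4326"
		hash = "14ecd5e6fc8e501037b54ca263896a11"
		hash = "e079ec947d3d4dacb21e993b760a65dc"
		hash = "edf900cebb70c6d1fcab0234062bfc28"
	strings:
		$modulus = { DA E1 01 CD D8 C9 70 AF C2 E4 F2 7A 41 8B 43 39 52 9B 4B 4D E5 85 F8 49 }
	condition:
		(any of them)
}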
// Kaspersky (2017): Moonlight Maze 'de'/'deg' tunnelling tool. Two of three
// strings are required: two short printf-style status strings and a hex
// string that is the bytes of "%s\n%s\n%s\n%s\n" (four newline-separated
// fields). "fullword" on $a1/$a2 avoids partial hits on longer identifiers.
// No ELF/size guard.
rule apt_RU_MoonlightMaze_de_tool {
	meta:
		author = "Kaspersky Lab"
		date = "2017-03-27"
		version = "1.0"
		last_modified = "2017-03-27"
		reference = "https://en.wikipedia.org/wiki/Moonlight_Maze"
		description = "Rule to detect Moonlight Maze 'de' and 'deg' tunnel tool"
		hash = "4bc7ed168fb78f0dc688ee2be20c9703"
		hash = "8b56e8552a74133da4bc5939b5f74243"
	strings:
		$a1 = "Vnuk: %d" ascii fullword
		$a2 = "Syn: %d" ascii fullword
		$a3 = { 25 73 0A 25 73 0A 25 73 0A 25 73 0A }   // "%s\n%s\n%s\n%s\n"
	condition:
		((2 of ($a*)))
}
// Kaspersky (2017): Moonlight Maze 'cle' log-cleaning tool, keyed on its
// usage text and error messages. Three of six strings are required. Note the
// modifiers are inconsistent: $a4 and $a6 carry no "ascii wide", so a UTF-16
// build would only be found through the other four. No ELF/size guard.
rule apt_RU_MoonlightMaze_cle_tool {
	meta:
		author = "Kaspersky Lab"
		date = "2017-03-27"
		version = "1.0"
		last_modified = "2017-03-27"
		reference = "https://en.wikipedia.org/wiki/Moonlight_Maze"
		description = "Rule to detect Moonlight Maze 'cle' log cleaning tool"
		hash = "647d7b711f7b4434145ea30d0ef207b0"
	strings:
		$a1 = "./a filename template_file" ascii wide
		$a2 = "May be %s is empty?" ascii wide
		$a3 = "template string = |%s|" ascii wide
		$a4 = "No blocks !!!"
		$a5 = "No data in this block !!!!!!" ascii wide
		$a6 = "No good line"
	condition:
		((3 of ($a*)))
}
// Kaspersky (2017): Moonlight Maze 'xk' keylogger, keyed on its log header
// format strings and the /var/tmp/task* working files. Three of twelve are
// required. "fullword" is applied selectively: "/var/tmp/task" ($a3) is
// fullword so it does not also hit on $a4/$a9/$a11, whereas $a6 and $a9 are
// not, so a longer path that merely contains them still matches. No hash
// meta and no ELF/size guard.
rule apt_RU_MoonlightMaze_xk_keylogger {
	meta:
		author = "Kaspersky Lab"
		date = "2017-03-27"
		version = "1.0"
		last_modified = "2017-03-27"
		reference = "https://en.wikipedia.org/wiki/Moonlight_Maze"
		description = "Rule to detect Moonlight Maze 'xk' keylogger"
	strings:
		$a1 = "Log ended at => %s"
		$a2 = "Log started at => %s [pid %d]"
		$a3 = "/var/tmp/task" fullword
		$a4 = "/var/tmp/taskhost" fullword
		$a5 = "my hostname: %s"
		$a6 = "/var/tmp/tasklog"
		$a7 = "/var/tmp/.Xtmp01" fullword
		$a8 = "myfilename=-%s-"
		$a9 = "/var/tmp/taskpid"
		$a10 = "mypid=-%d-" fullword
		$a11 = "/var/tmp/taskgid" fullword
		$a12 = "mygid=-%d-" fullword
	condition:
		((3 of ($a*)))
}
// Kaspersky (2017): matches the encrypted log files written by the Moonlight
// Maze keylogger, not the keylogger itself — an 8-byte constant that must sit
// at file offset 0. Useful for sweeping data directories for exfil staging
// artifacts; an 8-byte prefix check has a small but non-zero chance of
// colliding with unrelated binary data, so verify hits. No size guard.
rule apt_RU_MoonlightMaze_encrypted_keylog {
	meta:
		author = "Kaspersky Lab"
		date = "2017-03-27"
		version = "1.0"
		last_modified = "2017-03-27"
		reference = "https://en.wikipedia.org/wiki/Moonlight_Maze"
		description = "Rule to detect Moonlight Maze encrypted keylogger logs"
	strings:
		$a1 = { 47 01 22 2A 6D 3E 39 2C }
	condition:
		($a1 at 0)
}
// Kaspersky (2017): wtmp/utmp log cleaners derived from the public utclean.c
// (reference2). Any one of the three strings fires, gated on the ELF magic.
// Because the strings come from shared source, expect matches on other
// utclean.c descendants, not only the Moonlight Maze builds.
rule apt_RU_MoonlightMaze_u_logcleaner {
	meta:
		author = "Kaspersky Lab"
		date = "2017-03-27"
		version = "1.0"
		last_modified = "2017-03-27"
		reference = "https://en.wikipedia.org/wiki/Moonlight_Maze"
		description = "Rule to detect log cleaners based on utclean.c"
		reference2 = "http://cd.textfiles.com/cuteskunk/Unix-Hacking-Exploits/utclean.c"
		hash = "d98796dcda1443a37b124dbdc041fe3b"
		hash = "73a518f0a73ab77033121d4191172820"
	strings:
		// NOTE(review): trailing "...n" looks like a "\n" whose backslash was lost
		// in transcription; as written it only matches the literal letter n — verify
		$a1 = "Hiding complit...n"
		$a2 = "usage: %s <username> <fixthings> [hostname]"
		$a3 = "ls -la %s* ; /bin/cp  ./wtmp.tmp %s; rm  ./wtmp.tmp"
	condition:
		// 0x464c457f = "\x7fELF"
		(uint32(0) == 0x464c457f) and (any of them)
}
// Kaspersky (2017): log cleaner derived from the public wipe.c (reference2),
// keyed on its usage/help text. Two of four strings required, ELF only. As
// with the utclean.c rule, shared-source strings mean other wipe.c builds
// will also match.
rule apt_RU_MoonlightMaze_wipe {
	meta:
		author = "Kaspersky Lab"
		date = "2017-03-27"
		version = "1.0"
		last_modified = "2017-03-27"
		reference = "https://en.wikipedia.org/wiki/Moonlight_Maze"
		description = "Rule to detect log cleaner based on wipe.c"
		reference2 = "http://www.afn.org/~afn28925/wipe.c"
		hash = "e69efc504934551c6a77b525d5343241"
	strings:
		$a1 = "ERROR: Unlinking tmp WTMP file."
		$a2 = "USAGE: wipe [ u|w|l|a ] ...options..."
		$a3 = "Erase acct entries on tty :   wipe a [username] [tty]"
		$a4 = "Alter lastlog entry       :   wipe l [username] [tty] [time] [host]"
	condition:
		// 0x464c457f = "\x7fELF"
		(uint32(0) == 0x464c457f) and (2 of them)
}
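// ESET (2015): the Mumblehard packer's i386 decryption stub — the loop that
// XOR-decodes the embedded Perl payload before running it. Fix in this copy:
// the description meta was a text literal split across two physical lines,
// which the YARA parser rejects; joined into one line. The author name
// appears mis-encoded in this copy and is left as received. One hex pattern
// with jumps and an alternation; a bare string identifier as the condition
// means "this string matches at least once". No ELF/size guard.
rule mumblehard_packer {
	meta:
		description = "Mumblehard i386 assembly code responsible for decrypting Perl code"
		author = "Marc-Etienne M.Lveill"
		date = "2015-04-07"
		reference = "http://www.welivesecurity.com"
		version = "1"
	strings:
		// 31 DB = xor ebx,ebx; BA ?? 00 00 00 = mov edx,imm32 (<256);
		// (56 5F | 89 F7) = push esi/pop edi or mov edi,esi — two ways to copy the pointer;
		// the tail (AC 30 D8 AA 43 E2 E2) is lodsb / xor al,bl / stosb / inc ebx / loop
		$decrypt = { 31 DB [1-10] BA ?? 00 00 00 [0-6] ( 56 5F | 89 F7 ) 39 D3 75 13 81 FA ?? 00 00 00 75 02 31 D2 81 C2 ?? 00 00 00 31 DB 43 AC 30 D8 AA 43 E2 E2 }
	condition:
		$decrypt
}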
import "pe"

// FRESHFIRE downloader (tagged APT29). Three independent ways to match, OR'd:
// (1) a PE exporting exactly one function named WaitPrompt, (2) either of two
// unique-looking literals ($uniq*), or (3) two of three on-disk/remote path
// templates. Branch (1) needs the "pe" module (import "pe" precedes the
// rule). Branches (2) and (3) have no PE guard, so they also apply to memory
// dumps and non-PE carriers. $uniq2 includes an explicit NUL terminator.
rule apt_win_freshfire : APT29 {
	meta:
		author = " [email protected] "   // address redacted in this copy of the rule
		date = "2021-05-27"
		description = "The FRESHFIRE malware family. The malware acts as a downloader, pulling down an encrypted snippet of code from a remote source, executing it, and deleting it from the remote server."
		hash = "ad67aaa50fd60d02f1378b4155f69cffa9591eaeb80523489a2355512cc30e8c"
	strings:
		$uniq1 = "UlswcXJJWhtHIHrVqWJJ"
		$uniq2 = "gyibvmt\x00"
		$path1 = "root/time/%d/%s.json"
		$path2 = "C:\\dell.sdr"
		$path3 = "root/data/%d/%s.json"
	condition:
		(pe.number_of_exports == 1 and pe.exports("WaitPrompt")) or any of ($uniq*) or 2 of ($path*)
}
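// SlyMongo in-memory detection. Fix in this copy: the meta key was misspelt
// "desctiption", so tooling that reads the standard "description" field
// showed nothing for this rule. The two text strings are messages from the
// Mongoose embedded networking library (mg_mgr_init is its manager init
// call), so any binary that statically links Mongoose carries them; the
// specificity comes from $cmp_cmd, an x86 dispatch sequence that subtracts
// constants from ecx (83 E9 imm8) and branches (0F 84 / 74 = je) after each
// step. All three are required. No PE/size guard — intended for memory scans.
rule SlyMongo {
	meta:
		description = "Detect SlyMongo in memory"
		hash = "3AA9AB1C50B6F1D8878C7F6FA9E21407579534F1C213DB5433003C14A29373E7"
	strings:
		$cmp_cmd = { 3B CF 0F 87 ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 83 E9 0A 0F 84 ?? ?? ?? ?? 83 E9 03 0F 84 ?? ?? ?? ?? 83 E9 01 0F 84 ?? ?? ?? ?? 83 E9 01 0F 84 ?? ?? ?? ?? 83 E9 01 74 ?? 83 E9 01 74 ?? 83 E9 01 74 ?? 83 E9 01 74 ?? 83 F9 01 0F 85 ?? ?? ?? ?? }
		$str1 = "DNS server URL is NULL. Call mg_mgr_init()"
		$str2 = "error connecting to %s"
	condition:
		all of them
}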
// MofuLoader in-memory detection built on its API-hashing code. Both
// patterns are required. No meta hash/author and no PE/size guard.
rule MofuLoader {
	meta:
		description = "detect MofuLoader in memory"
	strings:
		// C1 Cx 0C = rol/ror r32, 12 for any register (nibble wildcard spans ModRM C0-CF);
		// a rotate-by-12 is a typical hash-mixing step, but on its own this opcode is common
		$ror = { C1 C? 0C }
		// 81 Fx imm32 = xor/cmp r32, imm32 (ModRM F0-FF), each followed by 74 xx = je:
		// a chain of compares against five constant hashes — the distinctive part
		$api_hashing = { 81 F? A1 A3 A0 1D 74 ?? 81 F? D0 A7 17 47 74 ?? 81 F? A3 2C 59 8F 74 ?? 81 F? A0 F0 1F B0 74 ?? 81 F? 4F 6A 65 D7 }
	condition:
		all of them
}