// Ligolo-ng tunnelling/pivoting tool, Linux build. All three embedded
// markers are required, so a file that only carries the project URL
// (e.g. a document mentioning the tool) does not match.
rule Linux_Hacktool_LigoloNG {
    meta:
        author = "Elastic Security"
        creation_date = "2024-09-20"
        last_modified = "2024-09-20"
        os = "Linux"
        arch = "x86"
        threat_name = "Linux.Hacktool.LigoloNG"
        reference = "https://www.elastic.co/security-labs/betting-on-bots"
        license = "Elastic License v2"
    strings:
        $project_url = "https://github.com/nicocha30/ligolo-ng"   // upstream repository URL compiled into the binary
        $author_tag  = "@Nicocha30!"                              // author handle string
        $banner_fmt  = "Ligolo-ng %s / %s / %s"                   // version/build banner format string
    condition:
        $project_url and $author_tag and $banner_fmt
}
import "pe"   // NOTE(review): imported but not referenced by this rule's condition

// LooCipher .docm dropper: a ZIP local-file-header signature (OOXML
// documents are ZIP containers) plus at least one of two 16-byte
// content fragments taken from the sample.
rule LooCipher_dropper_1906 {
    meta:
        description = "Yara Rule for LooCipher ransomware .docm dropper"
        author = "Cybaze - Yoroi ZLab"
        last_updated = "2019-06-21"
        tlp = "white"
        category = "informational"
    strings:
        // "PK\x03\x04"; not anchored to offset 0, so it matches at any ZIP entry
        $zip_hdr = { 50 4B 03 04 }
        $frag_1  = { FF FD 72 77 6D 3A 3F 96 45 70 00 63 85 92 19 8A }
        $frag_2  = { 35 58 34 CB AF AF 52 A6 13 A6 0C BC 18 A5 C1 38 }
    condition:
        $zip_hdr and any of ($frag_*)
}
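import "pe"

// LooCipher ransomware payload: a PE (MZ at offset 0) carrying at least
// one of the ransomware's artefact strings, whose seventh section is
// named ".00cfg".
rule LooCipher_1906 {
    meta:
        description = "Yara Rule for LooCipher ransomware"
        author = "Cybaze - Yoroi ZLab"
        last_updated = "2019-06-21"
        tlp = "white"
        category = "informational"
    strings:
        $s1 = ".lcphr"                    // extension appended to encrypted files
        $s2 = "hcwyo5rfapkytajg"          // 16-char identifier (possibly an onion-service name; not confirmed by the source rule)
        $s3 = "LooCipher_wallpaper.bmp"   // dropped wallpaper file name
    condition:
        // The original used an unanchored 2-byte string { 4D 5A }: such a short
        // atom slows scanning (YARA warns about it) and matches "MZ" anywhere in
        // the file. The header check below is the idiomatic, anchored form; it is
        // already implied by pe.sections[] being defined, so no real PE is lost.
        uint16(0) == 0x5A4D and
        1 of ($s*) and
        // Undefined when the PE has fewer than 7 sections; YARA treats that as false.
        pe.sections[6].name == ".00cfg"
}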
// Two 3-byte opcode fragments (one with a nibble wildcard); either one
// is enough. Expect matches on ordinary code that uses SSE/AVX XOR
// instructions -- treat hits as a hunting lead, not a verdict.
rule meta_s {
    meta:
        author = "sysopfb"
    strings:
        $snippet1 = { 66 0? EF }   // 66 0F EF is likely SSE2 pxor xmm,xmm; the nibble wildcard also admits 66 0x EF
        $snippet2 = { C5 ?? EF }   // likely a 2-byte-VEX-prefixed vpxor
    condition:
        any of them
}
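// .NET loader delivered via NullMixer: five of six UTF-16 strings plus
// three CIL code traits.
//
// Fix: the original declared $trait_7 with exactly the same bytes as
// $trait_5, so "3 of ($trait_*)" was satisfied by only two distinct code
// fragments whenever that one pattern matched. The duplicate is removed;
// the threshold now means three distinct traits, which is what the
// condition reads as. (Trait numbering skips 3 and 7 to keep the
// surviving identifiers stable.)
rule crashedtech_loader {
    meta:
        author = "@luc4m"
        date = "2023-03-26"
        hash_md5 = "53f9c2f2f1a755fc04130fd5e9fcaff4"
        link = "https://medium.com/@lcam/updates-from-the-maas-new-threats-delivered-through-nullmixer-d45defc260d1"
        tlp = "WHITE"
    strings:
        // CIL byte sequences; ?? masks metadata tokens/branch offsets that vary per build
        $trait_0 = { 02 14 7D ?? ?? ?? ?? 02 28 ?? ?? ?? ?? ?? ?? 02 28 ?? ?? ?? ?? ?? 2A }
        $trait_1 = { ?? 02 7B ?? ?? ?? ?? 6F ?? ?? ?? ?? ?? ?? 02 03 28 ?? ?? ?? ?? ?? 2A }
        $trait_2 = { ?? 28 ?? ?? ?? ?? 72 ?? ?? ?? ?? 7E ?? ?? ?? ?? 6F ?? ?? ?? ?? 0A 2B ?? }
        $trait_4 = { ?? 73 ?? ?? ?? ?? 02 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 0A 2B ?? }
        $trait_5 = { 06 6F ?? ?? ?? ?? ?? DC ?? DE ?? 26 ?? ?? DE ?? 2A }
        $trait_6 = { 11 ?? 6F ?? ?? ?? ?? ?? DC 09 6F ?? ?? ?? ?? 16 FE 01 13 ?? 11 ?? 2C ?? }
        $trait_8 = { ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 0A 28 ?? ?? ?? ?? 06 6F ?? ?? ?? ?? 0B 2B ?? }
        // UTF-16LE string literals; individually generic, hence the 5-of-6 threshold
        $str_0 = "username" wide
        $str_1 = "windows" wide
        $str_2 = "client" wide
        $str_3 = "ip" wide              // 2 characters: matches inside many other words (e.g. "api.ipify.org")
        $str_4 = "api.ipify.org" wide   // public-IP lookup service
        $str_5 = "(.*)<>(.*)" wide      // regex literal used by the loader
    condition:
        5 of ($str_*) and 3 of ($trait_*)
}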
// Macro builder fingerprint: exactly two CallByName invocations and
// more than ten generated variable names of the form <letter>k<3 digits>.
rule cmstp_macro_builder_rev_a {
    meta:
        description = "CMSTP macro builder based on variable names and runtime invoke"
        author = "Palo Alto Networks Unit42"
    strings:
        $method = "CallByName"                     // late-bound call used to hide the real target
        $varexp = /[A-Za-z]k[0-9]{2}([0-9]{1})/    // generated identifier shape (the group has no effect in YARA)
    condition:
        // #method == 2 already implies $method is present
        #method == 2 and #varexp > 10
}
// Macro builder fingerprint, second variant: generated Function/Sub
// names (short letters + digits) together with a CallByName invocation.
rule cmstp_macro_builder_rev_b {
    meta:
        description = "CMSTP macro builder based on routines and functions names and runtime invoke"
        author = "Palo Alto Networks Unit42"
    strings:
        $func       = /Private Function [A-Za-z]{1,5}[0-9]{2,3}\(/   // e.g. "Private Function ab12("
        $sub        = /Sub [A-Za-z]{1,5}[0-9]{2,5}\(/                // e.g. "Sub cd123("
        $callbyname = "CallByName"
    condition:
        // at least two generated functions, at least two generated subs, and the runtime invoke
        #func > 1 and #sub > 1 and $callbyname
}
// Matches PDFs that kept the XMP DocumentID of a suspected shared
// template; a single metadata string, ASCII or UTF-16.
rule cobaltgang_pdf_metadata_rev_a {
    meta:
        description = "Find documents saved from the same potential Cobalt Gang PDF template"
        author = "Palo Alto Networks Unit 42"
    strings:
        $docid = "<xmpMM:DocumentID>uuid:31ac3688-619c-4fd4-8e3f-e59d0354a338" ascii wide
    condition:
        $docid
}
// "Pistacchietto" campaign artefacts: bundled netcat plus a known C2
// host, or the campaign identifier, or the check-in URL path.
rule pistacchietto_campaign_0219 {
    meta:
        description = "Yara rule for Pistacchietto campaign"
        author = "Yoroi ZLab - Cybaze"
        last_updated = "2019-03-01"
        tlp = "white"
        category = "informational"
    strings:
        // netcat binaries; note that the set $nc* covers both $nc and $nc64
        $nc   = "nc.exe" ascii wide
        $nc64 = "nc64.exe" ascii wide
        // dynamic-DNS / free-hosting C2 hostnames
        $dns1 = "config02.addns.org" ascii wide
        $dns2 = "config01.homepc.it" ascii wide
        $dns3 = "verifiche.ddns.net" ascii wide
        $dns4 = "paner.altervista.org" ascii wide
        $dns5 = "certificates.ddns.net" ascii wide
        $id   = "pistacchietto" ascii wide      // campaign identifier
        $path = "/svc/wup.php?pc=" ascii wide   // check-in URL path
    condition:
        // 'and' binds tighter than 'or', so the original
        // "(1 of ($nc*)) and (1 of ($dns*)) or $id or $path" groups as below:
        // either the netcat+C2-host pair, or $id alone, or $path alone.
        (any of ($nc*) and any of ($dns*)) or $id or $path
}
// BlueSky ransomware: a PE (MZ at offset 0) containing one long 32-bit
// x86 code sequence. The pattern runs from a standard prologue
// (55 8B EC = push ebp / mov ebp,esp) to a matching epilogue
// (5E 8B E5 5D C3 = pop esi / mov esp,ebp / pop ebp / ret), i.e. it
// appears to cover one whole function; ?? masks immediates, displacements
// and call targets that vary between builds.
rule bluesky_ransomware {
    meta:
        author = "Yoroi Malware ZLab"
        description = "Rule for BlueSky Ransomware"
        last_updated = "2022-09-14"
        tlp = "WHITE"
        category = "informational"
        hash = "9e302bb7d1031c0b2a4ad6ec955e7d2c0ab9c0d18d56132029c4c6198b91384f"
    strings:
        // Repeated "68 .. 68 .. 68 .. E8 .. 83 C4 .. 8D 4? .. 51 FF D0" groups look like
        // push/push/push; call; add esp; lea; push; call eax -- a resolve-then-call
        // sequence repeated for several targets (interpretation, not asserted by the rule).
        $1 = { 55 8B EC 83 EC ?? 56 E8 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 0F 10 05 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 0F 11 4? ?? 68 ?? ?? ?? ?? 0F 10 05 ?? ?? ?? ?? C7 4? ?? ?? ?? ?? ?? C7 4? ?? ?? ?? ?? ?? 0F 11 4? ?? E8 ?? ?? ?? ?? 0F 10 4? ?? 83 C4 ?? 8B D0 8D 4? ?? 50 83 EC ?? 8B CC 6A ?? 6A ?? 83 EC ?? 0F 11 01 8B C4 0F 10 4? ?? 0F 11 00 FF D2 85 C0 0F 88 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 8D 4? ?? 51 FF D0 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 8D 4? ?? 51 FF D0 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 8D 4D C8 51 FF D0 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 8D 4? ?? 51 FF D0 0F 10 4? ?? 8B 4? ?? 83 EC ?? 8B C4 83 EC ?? 8B 11 0F 11 00 8B C4 83 EC ?? 0F 10 4? ?? 0F 11 00 8B C4 83 EC ?? 0F 10 4? ?? 0F 11 00 8B C4 0F 10 4? ?? 51 0F 11 00 FF 52 28 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8B F0 E8 ?? ?? ?? ?? 83 C4 ?? 8D 4? ?? 51 FF D0 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 8D 4? ?? 51 FF D0 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 8D 4? ?? 51 FF D0 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 8D 4? ?? 51 FF D0 85 F6 78 ?? 8B 4? ?? 8D 5? ?? 52 68 ?? ?? ?? ?? 50 8B 08 FF 5? ?? 85 C0 78 ?? 8B 4? ?? 6A ?? FF 7? ?? 8B 08 50 FF 5? ?? 8B 4? ?? 85 C9 74 ?? 8B 01 51 FF 5? ?? 8B 4? ?? 85 C9 74 ?? 8B 01 51 FF 50 08 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? FF D0 5E 8B E5 5D C3 }
    condition:
        // "MZ" at offset 0 (DOS header) and the code sequence anywhere in the file
        uint16(0) == 0x5A4D and $1
}
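// Gamaredon initial-stage document: three byte fragments must all be present.
//
// Fix: the original also declared $a1 = { 4B 03 }, a 2-byte pattern that
// YARA flags as slowing scanning. Every file matching $a4 (which contains
// 4B 03 at its second byte) necessarily matched $a1, so dropping it leaves
// the set of matching files unchanged and removes the slow atom.
rule Gamaredon_Campaign_Genuary_2020_Initial_Dropper {
    meta:
        description = "Yara Rule for Gamaredon_f_doc"
        author = "Cybaze Zlab_Yoroi"
        last_updated = "2020-02-14"
        tlp = "white"
        category = "informational"
    strings:
        $a2 = { 8E DA 30 14 DD 57 EA 3F }
        $a3 = { 3B 93 46 0F AF B0 2B 33 }
        $a4 = { 50 4B 03 04 14 00 06 00 08 }   // ZIP local file header "PK\x03\x04" plus version/flags/method fields
    condition:
        all of them
}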
// Gamaredon second stage (VBScript-style dropper): at least 11 of the
// 15 script fragments below. Several entries are short, generic words
// ("GET", "Sleep", ".txt", "Security"); the high threshold is what keeps
// the rule specific, so do not lower it without re-testing.
rule Gamaredon_Campaign_Genuary_2020_Second_Stage {
    meta:
        description = "Yara Rule for Gamaredon_apu_dot"
        author = "Cybaze Zlab_Yoroi"
        last_updated = "2020-02-14"
        tlp = "white"
        category = "informational"
    strings:
        $a1  = "Menu\\Programs\\Startup\\\""                 // Startup-folder path fragment (persistence)
        $a2  = "RandStrinh"                                  // misspelled helper name as found in the script
        $a3  = ".txt"
        $a4  = "templates.vbs"                               // dropped script name
        $a5  = "GET"                                         // 3 bytes: YARA warns this may slow scanning
        $a6  = "Encode = 1032"
        $a7  = "WShell=CreateObject(\"WScript.Shell\")"
        $a8  = "Security"
        $a9  = "AtEndOfStream"
        $a10 = "GenRandom"
        $a11 = "SaveToFile"
        $a12 = "Sleep"
        $a13 = "WinMgmts:{(Shutdown,RemoteShutdown)}!"       // WMI moniker with shutdown privileges
        $a14 = "Scripting"
        $a15 = "//autoindex.php"                             // C2 URL path fragment
    condition:
        // every string in this rule is part of $a*, so "them" is the same set
        11 of them
}
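// Gamaredon self-extracting archive, stage 1: a PE (MZ at offset 0)
// containing four byte fragments from the sample.
//
// Fix: the original used an unanchored 2-byte string $a1 = { 4D 5A }.
// YARA warns that such short atoms slow scanning, and it matched "MZ"
// anywhere in the file rather than the DOS header. The anchored header
// check below is the idiomatic form; it is stricter only for files that
// contain the remaining fragments but are not PE images.
rule Gamaredon_Campaign_Genuary_2020_SFX_Stage_1 {
    meta:
        description = "Yara Rule for Gamaredon SFX stage 1"
        author = "Cybaze Zlab_Yoroi"
        last_updated = "2020-02-14"
        tlp = "white"
        category = "informational"
    strings:
        $a2 = { FF 75 FC E8 F2 22 01 00 }      // push [ebp-4]; call rel32 (x86)
        $a3 = { FE DE DB DB FE D5 D5 D6 F8 }
        $a4 = { 22 C6 24 A8 BE 81 DE 63 }
        $a5 = { CF 4F D0 C3 C0 91 B0 0D }
    condition:
        uint16(0) == 0x5A4D and all of them
}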
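// Gamaredon self-extracting archive, stage 2: a PE (MZ at offset 0)
// containing four byte fragments from the sample.
//
// Fix: the original used an unanchored 2-byte string $a1 = { 4D 5A }.
// YARA warns that such short atoms slow scanning, and it matched "MZ"
// anywhere in the file rather than the DOS header. The anchored header
// check below is the idiomatic form; it is stricter only for files that
// contain the remaining fragments but are not PE images.
rule Gamaredon_Campaign_Genuary_2020_SFX_Stage_2 {
    meta:
        description = "Yara Rule for Gamaredon SFX stage 2"
        author = "Cybaze Zlab_Yoroi"
        last_updated = "2020-02-14"
        tlp = "white"
        category = "informational"
    strings:
        $a2 = { 00 E9 07 D4 FD FF 8B 4D F0 81 }   // ...; jmp rel32; mov ecx,[ebp-0x10]; ... (x86)
        $a3 = { B7 AB FE B2 B1 B5 FA 9B 11 80 }
        $a4 = { 81 21 25 E0 38 03 FA F0 AF 11 }
        $a5 = { 0A 39 DF F7 40 8D 7B 44 52 }
    condition:
        uint16(0) == 0x5A4D and all of them
}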
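// Gamaredon .NET stage: a PE (MZ at offset 0) with all four .NET
// identifier strings and at least two of four byte fragments.
//
// Fix: the original used an unanchored 2-byte string $a1 = { 4D 5A }
// inside "all of ($a*)". YARA warns that such short atoms slow scanning,
// and it matched "MZ" anywhere in the file rather than the DOS header.
// The anchored header check below is the idiomatic form; the remaining
// $a* set keeps the same "all of" semantics.
rule Gamaredon_Campaign_Genuary_2020_dot_NET_stage {
    meta:
        description = "Yara Rule for Gamaredon dot NET stage"
        author = "Cybaze Zlab_Yoroi"
        last_updated = "2020-02-14"
        tlp = "white"
        category = "informational"
    strings:
        $a2 = "AssemblyCompanyAttribute"   // common .NET attribute name
        $a3 = "GetDrives"                  // drive-enumeration API name
        $a4 = "Aversome"                   // sample-specific identifier
        $a5 = "TotalMilliseconds"
        $s1 = { 31 01 C6 01 F2 00 29 01 5C 03 76 }
        $s2 = { 79 02 38 03 93 03 B5 03 }
        $s3 = { 00 07 00 00 11 00 00 72 01 }
        $s4 = { CD DF A6 EF 66 0E 44 D7 }
    condition:
        uint16(0) == 0x5A4D and all of ($a*) and 2 of ($s*)
}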
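import "pe"

// Flags TeamViewer binaries at version 6.0 or one of the listed older
// releases, based on the PE version resource.
//
// Fix: the original tested pe.version_info["ProductVersion"] with a chain of
// `contains "6.0"`, `contains "5.0"`, ... Substring matching also fires on
// newer versions whose string merely contains those digits (e.g. "16.0.x"
// contains "6.0", "13.2.x" contains "3.2"), so the rule flagged modern
// builds as "ver 6 and lower". The anchored regex below matches the same
// set of version prefixes only at the start of the string.
// NOTE(review): assumes ProductVersion begins with the numeric version
// (as in "6.0.10462") -- confirm against samples.
rule TeamViewer_ver6_and_lower {
    meta:
        description = "Rule to detect TeamViewer ver 6.0 and lower"
        hash = "4f926252e22afa85e5da7f83158db20f"
        hash = "8191265c6423773d0e60c88f6ecc0e38"
        version = "1.1"
    condition:
        uint16(0) == 0x5A4D and
        pe.version_info["CompanyName"] contains "TeamViewer" and
        // 6.0 | 5.0, 5.1 | 4.0, 4.1 | 3.0 .. 3.6 -- the same list as the original
        pe.version_info["ProductVersion"] matches /^(6\.0|5\.[01]|4\.[01]|3\.[0-6])/
}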
// Looks for the 16-byte "expand 32-byte k" constant, either as a plain
// string or split into four 32-bit immediates ("expa", "nd 3", "2-by",
// "te k"), each preceded by four wildcard bytes (presumably the
// instruction encoding that stores it). The constant is shared with
// Salsa20, so a hit indicates the ChaCha/Salsa family rather than
// ChaCha20 specifically.
rule likely_use_of_chacha20 {
    meta:
        author = "Intezer"
        description = "Likely use of ChaCha20 Cipher"
        reference = "https://intezer.com/blog/research/unraveling-malware-encryption-secrets/"
        hash = "9b48822bd6065a2ad2c6972003920f713fe2cb750ec13a886efee7b570c111a5"
    strings:
        $mov_bytes      = { ?? ?? ?? ?? 65 78 70 61 ?? ?? ?? ?? 6E 64 20 33 ?? ?? ?? ?? 32 2D 62 79 ?? ?? ?? ?? 74 65 20 6B }
        $string_literal = "expand 32-byte k"
    condition:
        $mov_bytes or $string_literal
}
import "pe"   // NOTE(review): imported but not referenced by this rule's condition

// "IPfuscation": shellcode stored as dotted-quad strings, one byte per
// octet. The first entries decode to FC 48 83 E4 F0 E8 C8 00 00 00
// (cld; and rsp,-16; call ...), the usual x64 stub prologue. A PE header
// and any five of the twenty encoded chunks are required.
rule IPfuscatedCobaltStrike {
    meta:
        description = "IPfuscated Cobalt Strike shellcode"
        author = "James Haughom @ SentinelLabs"
        date = "2022-3-24"
        hash = "49fa346b81f5470e730219e9ed8ec9db8dd3a7fa"
        reference = "https://s1.ai/ipfuscation"
    strings:
        $ipfuscated_payload_1 = "252.72.131.228"    // FC 48 83 E4
        $ipfuscated_payload_2 = "240.232.200.0"     // F0 E8 C8 00
        $ipfuscated_payload_3 = "0.0.65.81"
        $ipfuscated_payload_4 = "65.80.82.81"
        $ipfuscated_payload_5 = "86.72.49.210"
        $ipfuscated_payload_6 = "101.72.139.82"
        $ipfuscated_payload_7 = "96.72.139.82"
        $ipfuscated_payload_8 = "24.72.139.82"
        $ipfuscated_payload_9 = "32.72.139.114"
        $ipfuscated_payload_10 = "80.72.15.183"
        $ipfuscated_payload_11 = "74.74.77.49"
        $ipfuscated_payload_12 = "201.72.49.192"
        $ipfuscated_payload_13 = "172.60.97.124"
        $ipfuscated_payload_14 = "2.44.32.65"
        $ipfuscated_payload_15 = "193.201.13.65"
        $ipfuscated_payload_16 = "1.193.226.237"
        $ipfuscated_payload_17 = "82.65.81.72"
        $ipfuscated_payload_18 = "139.82.32.139"
        $ipfuscated_payload_19 = "66.60.72.1"
        $ipfuscated_payload_20 = "208.102.129.120"
    condition:
        // "MZ" at offset 0 and "PE\0\0" at the e_lfanew offset read from 0x3C
        uint16(0) == 0x5A4D and
        uint32(uint32(0x3C)) == 0x00004550 and
        // every string in this rule is an $ipfuscated_payload_*, so "them" is the same set
        5 of them
}
import "pe"

// IPfuscation loader variant that decodes dotted-quad strings with
// RtlIpv4StringToAddressA and runs the result via the EnumUILanguagesA
// callback. The "ERROR!" literal alone is generic; the import pair is
// what makes the rule specific.
rule IPfuscationEnumUILanguages {
    meta:
        description = "IPfuscation with execution via EnumUILanguagesA"
        author = "James Haughom @ SentinelLabs"
        date = "2022-3-24"
        hash = "49fa346b81f5470e730219e9ed8ec9db8dd3a7fa"
        reference = "https://s1.ai/ipfuscation"
    strings:
        $err_msg = "ERROR!"
    condition:
        // "MZ" at offset 0 and "PE\0\0" at e_lfanew
        uint16(0) == 0x5A4D and
        uint32(uint32(0x3C)) == 0x00004550 and
        $err_msg and
        pe.imports("ntdll.dll", "RtlIpv4StringToAddressA") and
        pe.imports("kernel32.dll", "EnumUILanguagesA")
}
import "pe"

// IPfuscation loader variant that issues system calls directly. Both
// code fragments, the "ERROR!" literal and the RtlIpv4StringToAddressA
// import are all required.
rule IPfuscationHellsGate {
    meta:
        description = "IPfuscation with execution via Hell's Gate"
        author = "James Haughom @ SentinelLabs"
        date = "2022-3-24"
        hash = "d83df37d263fc9201aa4d98ace9ab57efbb90922"
        reference = "https://s1.ai/ipfuscation"
    strings:
        $err_msg = "ERROR!"
        // mov r10,rcx ; mov eax,[rip+disp32] ; syscall ; ret -- a syscall stub
        // whose service number is read from a global variable
        $syscall = { 4C 8B D1 8B 05 ?? ?? 00 00 0F 05 C3 }
        // mov dword [rip+disp32],imm32 ; mov [rip+disp32],ecx ; ret -- writes
        // the service number the stub above reads
        $set_syscall_code = { C7 05 ?? ?? 00 00 00 00 00 00 89 0D ?? ?? 00 00 C3 }
    condition:
        // "MZ" at offset 0 and "PE\0\0" at e_lfanew
        uint16(0) == 0x5A4D and
        uint32(uint32(0x3C)) == 0x00004550 and
        $err_msg and $syscall and $set_syscall_code and
        pe.imports("ntdll.dll", "RtlIpv4StringToAddressA")
}
// Two x64 code fragments seen across "*fuscation" loader variants;
// either one matches.
rule IPfuscatedVariants {
    meta:
        author = "@Tera0017/@SentinelOne"
        description = "*fuscation variants"
        date = "2022-3-28"
        hash = "2ded066d20c6d64bdaf4919d42a9ac27a8e6f174"
        reference = "https://s1.ai/ipfuscation"
    strings:
        // xor edx,edx ; mov r?,[...] (2-3 byte operand) ; call [rip+disp32] ;
        // cmp eax,0xC000000D (STATUS_INVALID_PARAMETER)
        $code1 = { 33 D2 48 8B [2-3] FF 15 [4] 3D 0D 00 00 C0 }
        // mov ecx,0x40000 ; <9 bytes> ; mov r8d,0x100000
        $code2 = { B9 00 00 04 00 FF [9] 41 B8 00 00 10 00 }
    condition:
        $code1 or $code2
}
// Karkoff (APT34) Excel macro: two macro variable names plus two
// base64 fragments, all required.
rule Karkoff_Attack_2020_Excel_macro {
    meta:
        description = "Yara Rule for new APT34 Karkoff campaign excel malicious macro"
        author = "Cybaze Zlab_Yoroi"
        last_updated = "2020-03-02"
        tlp = "white"
        category = "informational"
    strings:
        $a1 = "EncodedData0"                                // macro variable holding the payload
        $a2 = "NewTask9"                                    // macro variable / scheduled-task name
        $a3 = "EAAMYEKwUAAEsEWQUAAMYEnQUAAMYEqAUAAJwSrgU"   // base64 fragment from the embedded payload
        $a4 = "TVqQAAMAAAAEAAAA"                            // base64 of "MZ\x90\0\x03\0\0\0\x04\0\0\0": a base64-encoded PE
    condition:
        all of ($a*)
}
// Karkoff (APT34) backdoor: a PE (MZ at offset 0) with all three .NET
// identifier strings and one 10-byte code fragment.
rule Karkoff_Campaign_2020 {
    meta:
        description = "Yara Rule for new APT34 Karkoff campaign"
        author = "Cybaze Zlab_Yoroi"
        last_updated = "2020-03-02"
        tlp = "white"
        category = "informational"
    strings:
        $a1 = "SystemExchangeService" ascii wide   // service/class name used by the backdoor
        $a2 = "getWindowsVersion" ascii wide
        $a3 = "GetCommands" ascii wide             // C2 tasking method name
        $s1 = { 0A 7A 1E 02 7B 9C 12 00 04 2A }    // CIL fragment from the sample
    condition:
        uint16(0) == 0x5A4D and
        all of ($a*) and $s1
}
// Matches either of two UTF-16 labels. No meta block and no context
// condition: both strings are ordinary UI text, so expect this rule to
// fire broadly on legitimate software -- suitable only for triage or
// as a building block, not as an alerting rule.
rule vendor {
    strings:
        $vendor_label = "Vendor name" wide
        $alias_label  = "Alias name" wide
    condition:
        any of them
}
// Nexe backdoor (Patchwork): a PE (MZ at offset 0) with all five
// strings. $c/$d are common process-injection API names and would be
// generic on their own; the WER-related names and the PDB path are what
// tie the match to this family.
// NOTE(review): reference_sample is 63 hex characters, one short of a
// SHA-256 -- it appears truncated; verify against the original source.
rule Nexe_Backdoor {
    meta:
        author = "Cyble Research and Intelligence Labs"
        description = "Detects Malicious Backdoor used in the latest Patchwork APTcampaign"
        date = "2024-09-26"
        os = "Windows"
        reference_sample = "ba262c587f1f5df7c2ab763434ef80785c5b51cac861774bf66d579368b56e3"
    strings:
        $a = "WerSysprepCleanup"      // Windows Error Reporting export name
        $b = "WerpSetReportFlags"     // Windows Error Reporting export name
        $c = "WriteProcessMemory"     // generic injection API
        $d = "VirtualAllocEx"         // generic injection API
        $e = "Release\\AESC.pdb"      // debug-symbol path left in the build
    condition:
        uint16(0) == 0x5A4D and
        $a and $b and $c and $d and $e
}