
rule xor_add {
	// Hunts PE images carrying both halves of a byte-wise transform:
	// decode = sub dl,0x28 ; xor dl,0x47   and   encode = xor dl,0x47 ; add dl,0x28.
	meta:
		Author = "CISA trusted 3rd party"
		Incident = "10135536"
		Date = "2018-04-19"
		Category = "Hidden_Cobra"
		Family = "n/a"
		Description = "n/a"
	strings:
		// 80 EA 28 = sub dl, 0x28 ; 80 F2 47 = xor dl, 0x47
		$decode_seq = { 80 EA 28 80 F2 47 }
		// 80 F2 47 = xor dl, 0x47 ; 80 C2 28 = add dl, 0x28
		$encode_seq = { 80 F2 47 80 C2 28 }
	condition:
		// MZ at offset 0 and "PE" at e_lfanew: restrict to PE images, since the
		// two 6-byte code sequences are cheap to scan for but not unique on their own
		uint16(0) == 0x5A4D
		and uint16(uint32(0x3c)) == 0x4550
		and $decode_seq
		and $encode_seq
}
rule CISA_10382580_02 : rat {
	// Code-fragment rule for an unattributed x64 RAT: a XOR string-decode loop
	// and a ROR-13 API-name hashing loop. Every fragment must be present.
	meta:
		Author = "CISA Code & Media Analysis"
		Incident = "10382580"
		Date = "2022-06-02"
		Last_Modified = "20220602_1200"
		Actor = "n/a"
		Category = "RAT"
		Family = "n/a"
		Description = "Detects unidentified Remote Access Tool samples"
		MD5_1 = "7b1ce3fe542c6ae2919aa94e20dc860e"
		SHA256_1 = "d071c4959d00a1ef9cce535056c6b01574d8a8104a7c3b00a237031ef930b10f"
	strings:
		// mov rax,[rsi] / movzx eax,byte [rcx+rax] / xor al,dl / test cl,1 / jnz +2 / xor al,0xE7
		// -> byte-wise XOR decode with an extra 0xE7 XOR on odd indices
		$xor_decode = { 48 8B 06 0F B6 04 01 32 C2 F6 C1 01 75 02 34 E7 }
		// mov [rdi+rcx],al / inc rcx / mov rax,[rsi+8] / cmp rax,...
		// -> store of the decoded byte and the loop bound compare
		$xor_store = { 88 04 0F 48 FF C1 48 8B 46 08 48 3B }
		// movsx ecx,dl / ror edi,0xD / lea eax,[rcx-0x20] / cmp dl,'a' / cmovl eax,ecx / add ...
		// -> ROR-13 hashing of an API name with lower->upper case folding
		$ror13_hash = { 0F BE CA C1 CF 0D 8D 41 E0 80 FA 61 0F 4C C1 03 }
		// (leading F8 is most likely the tail of the preceding add edi,eax)
		// lea r8,[r8+1] / movzx edx,byte [r8] / test dl,dl -> next char, stop at NUL
		$ror13_next = { F8 4D 8D 40 01 41 0F B6 10 84 D2 }
	condition:
		// deliberately no PE-header check: the fragments are also useful on memory dumps
		$xor_decode and $xor_store and $ror13_hash and $ror13_next
}
import "pe"

rule Poulight_Stealer_May_2020 {
	// Poulight stealer: PE magic plus seven sample artefacts, all required.
	// NOTE(review): the "pe" module imported above is not referenced by this rule.
	meta:
		description = "Yara rule for Poulight Stealer"
		hash = "8ef7b98e2fc129f59dd8f23d324df1f92277fcc16da362918655a1115c74ab95"
		author = "Cybaze - Yoroi  ZLab"
		last_updated = "2020-05-07"
		tlp = "white"
		category = "informational"
	strings:
		// URL exactly as it appears in the sample (no ':' after the scheme) -- do not "fix"
		$url_armbot = "http//fff.gearhostpreview.com/ARMBot"
		// key-retrieval URL preceded by a base64-looking fragment
		$url_keys = "WBcG91bGxpZ2h0Lhttp://poullight.ru/keys.txt"
		$exe_name = "Poullight.exe"
		$wallet_path = "\\wallets\\wallet.dat" ascii wide
		$separator = "=====================================" ascii wide
		// one byte 2F followed by UTF-16LE "{0}<clbase>{?}</clbase>";
		// the leading byte is presumably the .NET #US blob length prefix -- TODO confirm
		$clbase_fmt = { 2F 7B 00 30 00 7D 00 3C 00 63 00 6C 00 62 00 61 00 73 00 65 00 3E 00 7B 00 ?? 00 7D 00 3C 00 2F 00 63 00 6C 00 62 00 61 00 73 00 65 00 3E 00 }
		$wmi_query = "Select * from Win32_ComputerSystem" ascii wide
	condition:
		uint16(0) == 0x5A4D
		and $url_armbot and $url_keys and $exe_name and $wallet_path
		and $separator and $clbase_fmt and $wmi_query
}
rule CISA_3P_10327841_01 : SOLARFLARE trojan {
	// SOLARFLARE "Finder" component: Go-built PE with a small set of symbol and
	// log-format strings. All strings are required; no filesize bound is set,
	// so large Go binaries are scanned in full.
	meta:
		Author = "CISA Trusted Third Party"
		Incident = "10327841.r1.v1"
		Date = "2021-03-04"
		Actor = "n/a"
		Category = "Trojan"
		Family = "SOLARFLARE"
		Description = "Detects strings in Finder_exe samples"
		MD5_1 = "86e0f3071c3b3feecf36ea13891633fb"
		SHA256_1 = "d8009ad96082a31d074e85dae3761b51a78f99e2cc8179ba305955c2a645b94d"
	strings:
		// present in every Go binary -- only useful as a gate
		$go_build_id = "Go build ID:"
		$go_main = "main.main"
		// "main.func1" is a compiler-generated closure symbol (the original rule
		// called it main_encrypt; the name carries no evidence of encryption)
		$go_func1 = "main.func1"
		// output labels emitted by the sample
		$label_status = "StatusCode:"
		$label_headers = "Headers:"
		$label_data = "Data:"
		$label_target = "Target:"
	condition:
		uint16(0) == 0x5A4D
		and all of ($go_*)
		and all of ($label_*)
}
rule CISA_3P_10327841_02 : SOLARFLARE trojan {
	// SOLARFLARE "WindowsDSVC" component: Go-built PE identified by its
	// main-package function symbols (beaconing, session-key exchange,
	// command resolution, file download/clean-up). All strings required.
	meta:
		Author = "CISA Trusted Third Party"
		Incident = "10327841.r1.v1"
		Date = "2021-03-04"
		Actor = "n/a"
		Category = "Trojan"
		Family = "SOLARFLARE"
		Description = "Detects strings in WindowsDSVC_exe samples"
		MD5_1 = "4de28110bfb88fdcdf4a0133e118d998"
		SHA256_1 = "fa1959dd382ce868c975599c6c3cc536aa0073be44fc8a6571a20fb0c8bea836"
	strings:
		// present in every Go binary -- only a gate
		$go_build_id = "Go build ID:"
		// unstripped main-package symbols; a stripped build would not match
		$sym_main = "main.main"
		$sym_encrypt = "main.encrypt"
		$sym_md5 = "main.GetMD5Hash"
		$sym_beacon = "main.beaconing"
		$sym_resolve_cmd = "main.resolve_command"
		$sym_req_key = "main.request_session_key"
		$sym_ret_key = "main.retrieve_session_key"
		$sym_clean = "main.clean_file"
		$sym_wget = "main.wget_file"
	condition:
		uint16(0) == 0x5A4D
		and $go_build_id
		and all of ($sym_*)
}
rule CISA_3P_10327841_04 : SIBOT trojan bot vbscript {
	// SIBOT VBScript persistence: a Task Scheduler COM script that registers a
	// task under the CertificateServicesClient folder, described as AIK
	// certificate enrollment, whose action runs a look-alike printing_admin_scripts
	// file. Generic scheduler strings ($ts_*) and variant strings ($v_*) are all required.
	meta:
		Author = "CISA Trusted Third Party"
		Incident = "10327841"
		Date = "2021-03-26"
		Actor = "n/a"
		Category = "Trojan BOT VBScript"
		Family = "SIBOT"
		Description = "Detects Scheduled Task persistence for sibot variant AikCetnrll"
	strings:
		// Task Scheduler scripting API -- common to any scheduled-task VBScript
		$ts_actions = "Actions.Create" ascii fullword
		$ts_reginfo = "RegistrationInfo" ascii fullword
		$ts_startwhen = "StartWhenAvailable" ascii fullword
		// variant-specific: task folder, COM progid, script path, task name, task description
		$v_folder = "\\Microsoft\\Windows\\CertificateServicesClient" ascii fullword
		$v_schedsvc = "CreateObject(\"Schedule.Service\")" ascii fullword
		// note the extra 'n' at the end of the file name (appears to mimic a stock
		// script name in that directory -- verify against a clean system)
		$v_script = "c:\\windows\\system32\\printing_admin_scripts\\en-us\\prndrvrn.vbs" ascii fullword
		$v_taskname = "AikCetnrll" ascii fullword
		$v_description = "This task enrolls a certificate for Attestation Identity Key" ascii fullword
	condition:
		// three $ts_* and five $v_* strings exist, so this equals the original "3 of / 5 of"
		all of ($ts_*) and all of ($v_*)
}
rule malware_bumblebee_packed {
	// BumbleBee packer stub (x64): prologue, two import calls through the IAT,
	// the result stored to a global, then a direct call. No PE-header gate, so
	// the fragment is also matched in dumps.
	meta:
		author = "Marc Salinas @ CheckPoint Research"
		malware_family = "BumbleBee"
		date = "13/07/2022"
		description = "Detects the packer used by bumblebee, the rule is based on the code responsible for allocating memory for a critical structure in its logic."
		dll_jul = "6bc2ab410376c1587717b2293f2f3ce47cb341f4c527a729da28ce00adaaa8db"
		dll_jun = "82aab01a3776e83695437f63dacda88a7e382af65af4af1306b5dbddbf34f9eb"
		dll_may = "a5bcb48c0d29fbe956236107b074e66ffc61900bc5abfb127087bb1f4928615c"
		iso_jul = "ca9da17b4b24bb5b24cc4274cc7040525092dffdaa5922f4a381e5e21ebf33aa"
		iso_jun = "13c573cad2740d61e676440657b09033a5bec1e96aa1f404eed62ba819858d78"
		iso_may = "b2c28cdc4468f65e6fe2f5ef3691fa682057ed51c4347ad6b9672a9e19b5565e"
		zip_jun = "7024ec02c9670d02462764dcf99b9a66b29907eae5462edb7ae974fe2efeebad"
		zip_may = "68ac44d1a9d77c25a97d2c443435459d757136f0d447bfe79027f7ef23a89fce"
	strings:
		// 48 8? EC      sub rsp, imm            (83 EC ib / 81 EC id)
		// FF 15 .. 0? 00 call [rip+disp32]       (import call)
		// 33 D2         xor edx, edx
		// FF 15 .. 0? 00 call [rip+disp32]       (second import call)
		// 48 89 05 .. 00 mov [rip+disp32], rax   (returned pointer kept in a global)
		// E8 ..         call rel32
		// 4? 8B ..      mov reg, [rip+disp32]    (reload of the global)
		// the [a-b] jumps absorb register moves that differ between builds
		$heapalloc = { 48 8? EC [1-6] FF 15 ?? ?? 0? 00 [0-5] 33 D2 4? [2-5] 4? ?? ?? FF 15 ?? ?? 0? 00 [8-11] 48 89 05 ?? ?? ?? 00 E8 ?? ?? ?? ?? 4? 8B ?? ?? ?? ?? 00 }
	condition:
		any of them
}
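rule CISA_10443863_03 : backdoor remote_access_trojan webshell exploitation information_gathering remote_access accesses_remote_machines anti_debugging captures_system_state_data controls_local_machine compromises_data_availability compromises_data_integrity fingerprints_host installs_other_components {
	// .NET DLL webshell: WMI process enumeration, SQL query execution, IIS app-pool
	// identity lookup, base64 decoding and hidden process creation, all required.
	// There is no PE/CLR header gate, so source or decompiled copies also match.
	// The original rule spelled the text strings as hex bytes; they are written
	// here as text with ascii/wide modifiers so the intent is readable. The wide
	// strings now include the final null byte of the last UTF-16LE code unit,
	// which the hex forms omitted.
	meta:
		Author = "CISA Code & Media Analysis"
		Incident = "10443863"
		Date = "2023-05-16"
		Last_Modified = "20230605_1500"
		Actor = "n/a"
		Family = "n/a"
		Capabilities = "accesses-remote-machines anti-debugging captures-system-state-data controls-local-machine compromises-data-availability compromises-data-integrity fingerprints-host installs-other-components"
		Malware_Type = "backdoor remote-access-trojan webshell"
		Tool_Type = "exploitation information-gathering remote-access"
		Description = "Detects .NET DLL webshell samples"
		SHA256 = "b63c95300c8e36b5e6d3393da12931683796f88fd4601ba8364658b4d12ac05b"
	strings:
		// UTF-16LE WMI query
		$wmi_process = "Select * from Win32_Process" wide
		// "base64Decode" or "base64decode"; kept as hex because of the single-letter alternation
		$b64_decode = { 62 61 73 65 36 34 ( 44 | 64 ) 65 63 6F 64 65 }
		// UTF-16LE SQL fragment (generic on its own)
		$sql_select = "SELECT * FROM" wide
		// UTF-16LE IIS application-pool identity prefix
		$iis_apppool = "IIS APPPOOL" wide
		// System.Management WMI class name
		$wmi_class = "ManagementObject" ascii
		// ProcessStartInfo.CreateNoWindow
		$no_window = "CreateNoWindow" ascii
		$sqlquery = "sqlquery" ascii
	condition:
		all of them
}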
rule Karkoff_Attack_2020_Excel_macro {
	// APT34 Karkoff maldoc: macro artefacts plus a base64-embedded PE payload.
	// All four strings required; no file-type gate, so it also hits extracted VBA.
	meta:
		description = "Yara Rule for new APT34 Karkoff campaign excel malicious macro"
		author = "Cybaze Zlab_Yoroi"
		last_updated = "2020-03-02"
		tlp = "white"
		category = "informational"
	strings:
		$macro_data = "EncodedData0"
		$macro_task = "NewTask9"
		// fragment of the embedded base64 blob
		$b64_blob = "EAAMYEKwUAAEsEWQUAAMYEnQUAAMYEqAUAAJwSrgU"
		// base64 of 4D 5A 90 00 03 00 00 00 04 00 00 00 -- a base64-encoded MZ header
		$b64_mz = "TVqQAAMAAAAEAAAA"
	condition:
		$macro_data and $macro_task and $b64_blob and $b64_mz
}
rule Karkoff_Campaign_2020 {
	// APT34 Karkoff payload: PE magic plus three identifier strings and one
	// bytecode fragment, all required.
	meta:
		description = "Yara Rule for new APT34 Karkoff campaign"
		author = "Cybaze Zlab_Yoroi"
		last_updated = "2020-03-02"
		tlp = "white"
		category = "informational"
	strings:
		$id_service = "SystemExchangeService" ascii wide
		$id_winver = "getWindowsVersion" ascii wide
		$id_getcmds = "GetCommands" ascii wide
		// looks like CIL (.. ldarg.0 / ldfld 0x0400129C / ret) -- presumably a .NET sample
		$cil_frag = { 0A 7A 1E 02 7B 9C 12 00 04 2A }
	condition:
		uint16(0) == 0x5A4D
		and all of ($id_*)
		and $cil_frag
}
rule Windows_0day_Exploit_1 {
	// EPATHOBJ local privilege escalation: matches only the GDI API names and
	// the struct name the exploit uses. There is no file-type or size gate and
	// no metadata beyond the description, so expect hits on exploit source,
	// symbol files and GDI-heavy tooling, not just compiled exploits.
	meta:
		description = "Windows 0day EPATHOBJ local ring0 Exploit"
	strings:
		$struct_pathrecord = "PATHRECORD" fullword
		$type_hrgn = "HRGN" fullword
		$api_flattenpath = "FlattenPath" fullword
		$api_endpath = "EndPath" fullword
		$api_polydraw = "PolyDraw" fullword
	condition:
		$struct_pathrecord and $type_hrgn
		and $api_flattenpath and $api_endpath and $api_polydraw
}
import "console"

rule follow_the_fallchill_call {
	// Hunting / debugging rule: finds a 16-byte stack-string build followed by a
	// call, follows the call's rel32 to the callee and checks that the callee
	// begins with a compare against 0x100.
	// Needs a YARA build with the "console" module. console.hex() always
	// evaluates true and prints to stdout, so the three console terms are
	// diagnostics only; the real test is the final "$cmp in (...)" clause.
	// Not suitable for production scanning (output side effect, first-match only).
	strings:
		// 16 x "mov byte [ebp+disp8], imm8" (C6 45 ?? ??) building a stack string,
		// then push imm8 / lea ecx,[ebp+disp8] / push ecx / lea edx,[ebp+disp32] /
		// push edx / call rel32 (E8 ?? ?? ?? ??)
		$call_instr = { C6 45 ?? ?? C6 45 ?? ?? C6 45 ?? ?? C6 45 ?? ?? C6 45 ?? ?? C6 45 ?? ?? C6 45 ?? ?? C6 45 ?? ?? C6 45 ?? ?? C6 45 ?? ?? C6 45 ?? ?? C6 45 ?? ?? C6 45 ?? ?? C6 45 ?? ?? C6 45 ?? ?? C6 45 ?? ?? 6A ?? 8D 4D ?? 51 8D 95 ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? }
		// cmp dword [ebp+disp8], 0x100
		$cmp = { 81 7D ?? 00 01 00 00 }
	condition:
		// @call_instr + !call_instr is the file offset just past the E8 call, i.e.
		// the "next instruction"; the rel32 occupies the last four bytes of the
		// match, so int32(next - 4) is the call displacement and next + rel32 is
		// the callee's file offset. This arithmetic is only valid while caller
		// and callee sit in the same section (raw/virtual deltas cancel).
		// @call_instr / !call_instr without an index refer to the first match only.
		// $cmp must then occur within the first 32 bytes of the callee.
		console.hex("Relative offset to function address: ", int32(@call_instr + !call_instr - 4)) and console.hex("Next Instruction Address: ", @call_instr + !call_instr) and console.hex("Start of Function: ", @call_instr + !call_instr + int32(@call_instr + !call_instr - 4)) and $cmp in (@call_instr + !call_instr + int32(@call_instr + !call_instr - 4) .. @call_instr + !call_instr + int32(@call_instr + !call_instr - 4) + 32)
}
rule Ransom : Crypren {
	// Crypren ransomware: either of two ransom-note sentences or one code
	// fragment is enough ("any of"). NOTE(review): the rule name "Ransom" is
	// generic and may collide with other rules loaded in the same namespace;
	// the reference field is empty.
	meta:
		weight = 1
		Author = "@pekeinfo"
		reference = ""
	strings:
		// HTML ransom note fragment
		$note_html = "won't be able to recover your files anymore.</p>"
		// push 3 / push imm32 / mov ecx,0xAEF174 / call / call / push 0x3A98 / call esi / push 0 / push imm32 / push imm32
		$code_frag = { 6A 03 68 ?? ?? ?? ?? B9 74 F1 AE 00 E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 68 98 3A 00 00 FF D6 6A 00 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? }
		$note_restart = "Please restart your computer and wait for instructions for decrypting your files"
	condition:
		$note_html or $code_frag or $note_restart
}
rule GamaredonPteranodon_SFX {
	// Gamaredon Pteranodon dropper built as a 7-Zip SFX archive. Most $sfx*
	// strings come from the stock SFX module itself, so the rule effectively
	// says "7-Zip SFX (this module version) that references a .cmd" -- expect
	// false positives on other self-extractors built the same way.
	// NOTE(review): $sfx8 is a substring of $sfx1, so both always count
	// together toward the "12 of" threshold. $sfx7 and $sfx11 look like format
	// strings with their '%' lost ("%X - X - X..." / "code 0xX.") -- left
	// exactly as published; verify against a sample before relying on them.
	meta:
		description = "Yara Rule for Pteranodon implant Family"
		author = "ZLAB Yoroi - Cybaze"
		last_updated = "2019-04-19"
		tlp = "white"
		category = "informational"
	strings:
		$sfx1 = "SFX module - Copyright (c) 2005-2012 Oleg Scherbakov"
		$sfx2 = "7-Zip archiver - Copyright (c) 1999-2011 Igor Pavlov"
		// SFX config directive hiding the console window
		$sfx3 = "RunProgram=\"hidcon"
		$sfx4 = "7-Zip - Copyright (c) 1999-2011 "
		$sfx5 = "sfxelevation" ascii wide
		$sfx6 = "Error in command line:" ascii wide
		$sfx7 = "%X - X - X - X - X" ascii wide
		$sfx8 = "- Copyright (c) 2005-2012 "
		$sfx9 = "Supported methods and filters, build options:" ascii wide
		$sfx10 = "Could not overwrite file \"%s\"." ascii wide
		$sfx11 = "7-Zip: Internal error, code 0xX." ascii wide
		$sfx12 = "@ (%d%s)" ascii wide
		$sfx13 = "SfxVarCmdLine0"
		// bare numeric strings from the sample -- weak on their own
		$sfx14 = "11326"
		$sfx15 = "29225"
		$sfx16 = "6137"
		$ext_cmd = ".cmd" ascii wide
	condition:
		$ext_cmd and 12 of ($sfx*)
}
rule Lu0Bot_detection {
	// Lu0Bot obfuscated JavaScript: at least 50 "var _0x...." obfuscator
	// variable declarations plus four fixed fragments, all required.
	meta:
		description = "Detection of Lu0Bot"
		date = "2023-09-26"
		family = "Lu0Bot"
	strings:
		// obfuscator-style variable names; counted, not just matched
		$obf_var = /var \_0x[a-f0-9]{4,6}/
		// standard base64 alphabet literal with '=' appended, quotes included
		$b64_alphabet = "'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/='"
		$acc_var = "var acc="
		$ini_tail = "}ini();"
		// 4-byte string: weak alone, gated by the rest
		$ginf = "ginf"
	condition:
		#obf_var >= 50
		and $obf_var and $b64_alphabet and $acc_var and $ini_tail and $ginf
}
rule Linux_Hacktool_LigoloNG {
	// Ligolo-ng tunnelling agent/proxy, identified by its embedded repo URL,
	// author handle and version banner. Ligolo-ng is an openly published
	// pentest tool: a hit means the tool is present, which must be checked
	// against authorised engagement activity before treating it as an intrusion.
	meta:
		author = "Elastic Security"
		creation_date = "2024-09-20"
		last_modified = "2024-09-20"
		os = "Linux"
		arch = "x86"
		threat_name = "Linux.Hacktool.LigoloNG"
		reference = "https://www.elastic.co/security-labs/betting-on-bots"
		license = "Elastic License v2"
	strings:
		$repo_url = "https://github.com/nicocha30/ligolo-ng"
		$author_handle = "@Nicocha30!"
		// version banner format string
		$banner_fmt = "Ligolo-ng %s / %s / %s"
	condition:
		$repo_url and $author_handle and $banner_fmt
}
rule money_ransomware {
	// Money ransomware (x86 PE): MZ magic plus either of two code fragments.
	meta:
		author = "Yoroi Malware ZLab"
		description = "Rule for Money Ransomware"
		last_updated = "2023-03-28"
		tlp = "WHITE"
		category = "informational"
	strings:
		// two pushes, a zeroed local, two indirect API calls, a test of the
		// result, then a vtable call (FF 50 04 = call [eax+4]) and a small
		// stack object whose second dword is set to 0x3E before a call
		$code_a = { 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? C7 45 E8 00 00 00 00 FF 15 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 8B F0 85 F6 0F 84 ?? ?? ?? ?? EB ?? 8B 4D E0 8B 01 FF 50 04 89 45 E4 8D 45 E4 50 83 EC 08 8B C4 C7 00 ?? ?? ?? ?? C7 40 04 3E 00 00 00 E8 ?? ?? ?? ?? 83 C4 0C B8 ?? ?? ?? ?? C3 }
		// copies three dwords from [esi] to [edi+0x30..0x38] and zeroes the
		// source: looks like a move of a three-dword object -- TODO confirm
		$code_b = { 8D 47 30 3B C6 74 ?? 8B C8 E8 ?? ?? ?? ?? 8B 0E 89 4F 30 8B 46 04 89 47 34 8B 46 08 89 47 38 C7 06 00 00 00 00 C7 46 04 00 00 00 00 C7 46 08 00 00 00 00 8D ?? 14 FF FF FF E8 ?? ?? ?? ?? }
	condition:
		uint16(0) == 0x5A4D and any of ($code_*)
}
rule meta_s {
	// Matches any file containing a legacy-SSE PXOR (66 0F EF, with the middle
	// byte loosened to 0?) or a 2-byte-VEX opcode EF (C5 ?? EF, typically VPXOR).
	// These 3-byte patterns occur in nearly every modern compiled binary: treat
	// this as a building block / triage hint, not a malware detection. YARA will
	// also warn that such short patterns slow scanning.
	meta:
		author = "sysopfb"
	strings:
		$pxor_legacy = { 66 0? EF }
		$pxor_vex = { C5 ?? EF }
	condition:
		any of them
}
import "elf"

rule Kinsing_Malware {
	// Kinsing / NSPPS (Go, ELF). After an ELF magic check and a sanity check
	// that the first eight section sizes fit inside the file, any one of the
	// following is enough: the RC4 key, the scanner command line, the full set
	// of vendored Go packages, or four of the main.* function symbols.
	meta:
		author = "Aluma Lavi, CyberArk"
		date = "22-01-2021"
		version = "1.0"
		hash = "d247687e9bdb8c4189ac54d10efd29aee12ca2af78b94a693113f382619a175b"
		description = "Kinsing/NSPPS malware"
	strings:
		// the key is the ASCII text "764153446b61" (hex digits); the original
		// rule spelled those twelve bytes out in hex
		$rc4_key = "764153446b61"
		// masscan-like scanner invocation (-iL / --rate / -p / -oL)
		$firewire = "./firewire -iL $INPUT --rate $RATE -p$PORT -oL $OUTPUT"
		// vendored Go packages -- individually common, only meaningful as a set
		$pkg1 = "google/btree" ascii wide
		$pkg2 = "kardianos/osext" ascii wide
		$pkg3 = "kelseyhightower/envconfig" ascii wide
		$pkg4 = "markbates/pkger" ascii wide
		$pkg5 = "nu7hatch/gouuid" ascii wide
		$pkg6 = "paulbellamy/ratecounter" ascii wide
		$pkg7 = "peterbourgon/diskv" ascii wide
		// unstripped main-package symbols
		$func1 = "main.RC4" ascii wide
		$func2 = "main.runTaskWithScan" ascii wide
		$func3 = "main.backconnect" ascii wide
		$func4 = "main.downloadAndExecute" ascii wide
		$func5 = "main.startCmd" ascii wide
		$func6 = "main.execTaskOut" ascii wide
		$func7 = "main.minerRunningCheck" ascii wide
	condition:
		uint16(0) == 0x457F
		// an ELF with fewer than eight sections makes this undefined, i.e. false
		and not (
			elf.sections[0].size + elf.sections[1].size + elf.sections[2].size + elf.sections[3].size
			+ elf.sections[4].size + elf.sections[5].size + elf.sections[6].size + elf.sections[7].size
			> filesize
		)
		and (
			$rc4_key
			or $firewire
			or all of ($pkg*)
			or 4 of ($func*)
		)
}
rule NetwireCampaign_Payload_Jun2020 {
	// Netwire final payload (x86 PE): MZ magic plus two of three code fragments.
	// The fragments contain hard-coded call displacements (E8 6F 2C 00 00,
	// E8 63 2C 00 00, E8 39 1C 01 00), so they are tied to this build's layout
	// and will not survive a recompile.
	meta:
		description = "Yara Rule for Netwire campaign final payload Jun2020"
		author = "Cybaze Zlab_Yoroi"
		last_updated = "2020-06-05"
		tlp = "white"
		SHA256 = "cc419a1c36ed5bdae1d3cd35c4572766dc06ad5a447687f87e89da0bb5a42091"
		category = "informational"
	strings:
		// C7 04 ?4 imm32 = mov dword [esp], imm32 (the ?4 nibble loosens the SIB byte)
		$frag1 = { C7 04 ?4 ?? ?? ?? ?? E8 6F 2C 00 00 C7 04 ?4 ?? ?? ?? ?? E8 63 2C 00 00 8B 35 }
		// stack-argument setup at [esp+0xA4..0xB0], call, sub esp,0x28, test eax,eax / jnz
		$frag2 = { 89 84 ?4 B0 00 00 00 C7 84 ?4 A4 00 00 00 ?? ?? ?? ?? 66 C7 84 ?4 A8 00 00 00 00 00 E8 ?? ?? ?? ?? 83 EC 28 85 C0 75 27 }
		// four-argument call frame written via [esp+0..0xC], then call / sub esp
		$frag3 = { C7 44 ?4 0C ?? ?? ?? ?? C7 44 ?4 08 ?? ?? ?? ?? C7 04 ?4 ?? ?? ?? ?? 89 44 ?4 04 E8 39 1C 01 00 83 EC ?? }
	condition:
		uint16(0) == 0x5A4D and 2 of ($frag*)
}
rule APT_MAL_LNX_RedMenshen_BPFDoor_Controller_Generic_May22_1 {
	// BPFDoor (Linux): unoptimised, rbp-relative code that zeroes and reloads
	// two bytes at +0x100/+0x101 of a 256-byte table -- consistent with an RC4
	// state struct (S[256], i, j) in the sample, though that is inferred from
	// the offsets alone.
	// The condition is (small ELF and two fragments) OR (four fragments with no
	// header/size gate); "and" binds tighter than "or", which the parentheses
	// below make explicit.
	meta:
		description = "Detects BPFDoor malware"
		author = "Florian Roth"
		reference = "https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896"
		date = "2022-05-09"
		score = 90
		hash1 = "07ecb1f2d9ffbd20a46cd36cd06b022db3cc8e45b1ecab62cd11f9ca7a26ab6d"
		hash2 = "1925e3cd8a1b0bba0d297830636cdb9ebf002698c8fa71e0063581204f4e8345"
		hash3 = "4c5cf8f977fc7c368a8e095700a44be36c8332462c0b1e41bff03238b2bf2a2d"
		hash4 = "591198c234416c6ccbcea6967963ca2ca0f17050be7eed1602198308d9127c78"
		hash5 = "599ae527f10ddb4625687748b7d3734ee51673b664f2e5d0346e64f85e185683"
		hash6 = "5b2a079690efb5f4e0944353dd883303ffd6bab4aad1f0c88b49a76ddcb28ee9"
		hash7 = "5faab159397964e630c4156f8852bcc6ee46df1cdd8be2a8d3f3d8e5980f3bb3"
		hash8 = "76bf736b25d5c9aaf6a84edd4e615796fffc338a893b49c120c0b4941ce37925"
		hash9 = "93f4262fce8c6b4f8e239c35a0679fbbbb722141b95a5f2af53a2bcafe4edd1c"
		hash10 = "96e906128095dead57fdc9ce8688bb889166b67c9a1b8fdb93d7cff7f3836bb9"
		hash11 = "97a546c7d08ad34dfab74c9c8a96986c54768c592a8dae521ddcf612a84fb8cc"
		hash12 = "c796fc66b655f6107eacbe78a37f0e8a2926f01fecebd9e68a66f0e261f91276"
		hash13 = "c80bd1c4a796b4d3944a097e96f384c85687daeedcdcf05cc885c8c9b279b09c"
		hash14 = "f47de978da1dbfc5e0f195745e3368d3ceef034e964817c66ba01396a1953d72"
		hash15 = "f8a5e735d6e79eb587954a371515a82a15883cf2eda9d7ddb8938b86e714ea27"
		hash16 = "fa0defdabd9fd43fe2ef1ec33574ea1af1290bd3d763fdb2bed443f2bd996d73"
		hash17 = "fd1b20ee5bd429046d3c04e9c675c41e9095bea70e0329bd32d7edd17ebaf68a"
	strings:
		// mov byte [rax+0x101],0 / mov rax,[rbp-..] / movzx edx,byte [rax+0x101] /
		// mov rax,[rbp-..] / mov [rax+0x100],dl / mov byte [rbp-..],0 / movzx eax,byte [rbp-..] / mov [rbp-..],al
		$op1 = { C6 80 01 01 00 00 00 48 8B 45 ?8 0F B6 90 01 01 00 00 48 8B 45 ?8 88 90 00 01 00 00 C6 45 ?? 00 0F B6 45 ?? 88 45 }
		// mov [rbp-0x38],rdx / mov rax,[rbp-0x38] / mov [rbp-..],rax / ... movzx eax,byte [rax+0x100] / mov [rbp-..],al / ... [rax+0x101]
		$op2 = { 48 89 55 C8 48 8B 45 C8 48 89 45 ?? 48 8B 45 C8 0F B6 80 00 01 00 00 88 45 F? 48 8B 45 C8 0F B6 80 01 01 00 00 }
		// same sequence continued with "mov dword [rbp-8], 0" (loop counter reset)
		$op3 = { 48 89 45 ?? 48 8B 45 C8 0F B6 80 00 01 00 00 88 45 F? 48 8B 45 C8 0F B6 80 01 01 00 00 88 45 F? C7 45 F8 00 00 00 00 }
		// function prologue spilling rdi/esi/rdx to the frame, then the same byte load
		$op4 = { 48 89 7D D8 89 75 D4 48 89 55 C8 48 8B 45 C8 48 89 45 ?? 48 8B 45 C8 0F B6 80 00 01 00 00 88 45 F? }
		// $op1 with the leading mov rax,[rbp-..] included
		$op5 = { 48 8B 45 ?8 C6 80 01 01 00 00 00 48 8B 45 ?8 0F B6 90 01 01 00 00 48 8B 45 ?8 88 90 00 01 00 00 C6 45 ?? 00 0F B6 45 }
		// $op4 without the rdi spill
		$op6 = { 89 75 D4 48 89 55 C8 48 8B 45 C8 48 89 45 ?? 48 8B 45 C8 0F B6 80 00 01 00 00 88 45 F? 48 8B 45 C8 }
	condition:
		(
			uint16(0) == 0x457f
			and filesize < 200KB
			and 2 of them
		)
		or 4 of them
}
import "pe"

rule Delphi_Loader_NanoCoreRAT {
	// Delphi loader carrying an embedded NanoCore RAT. Two independent paths:
	// (a) the loader's script template string together with an exact resource
	// count of 73 -- brittle, any repack with a different resource table breaks
	// it; or (b) one NanoCore marker plus the short $blob fragment.
	// "and" binds tighter than "or", which the parentheses make explicit.
	meta:
		description = "Yara Rule for Delphi Loader and embedded NanoCore RAT"
		author = "Cybaze - Yoroi ZLab"
		last_updated = "2019-06-12"
		tlp = "white"
		category = "informational"
	strings:
		// loader script template (escaped quotes and backslashes as in the sample)
		$loader_fmt = "IE(AL(\"%s\",4),\"AL(\\\"%0:s\\\",3)\",\"JK(\\\"%1:s\\\",\\\"%0:s\\\")\")"
		// obfuscated identifier in the NanoCore build
		$nano_1 = "#=qP05CRmbt2pJg10eRU50wu1vx$mfteEn$pCn9SEbehP8="
		// generic family name -- only meaningful together with $blob
		$nano_2 = "NanoCore"
		// ASCII "is41tIXM"
		$nano_3 = { 69 73 34 31 74 49 58 4D }
		$blob = "<*t\"<0r=<9w9i"
	condition:
		(pe.number_of_resources == 73 and $loader_fmt)
		or (1 of ($nano_*) and $blob)
}
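rule ComputraceAgent {
	// Absolute Computrace (LoJack) agent executable. This is a legitimate,
	// persistent anti-theft agent that has also been abused: a hit identifies
	// the agent, it does not by itself mean the host is compromised.
	// Changes from the original: the PE magic is tested with uint16(0) instead
	// of a 2-byte "$mz at 0" string (same test, without a 2-byte atom that YARA
	// flags as slowing scanning), and the meta key typo "thread_level" is
	// corrected to "threat_level".
	meta:
		description = "Absolute Computrace Agent Executable"
		threat_level = 3
		in_the_wild = true
	strings:
		// code fragment from the agent
		$code = { D1 E0 F5 8B 4D 0C 83 D1 00 8B EC FF 33 83 C3 04 }
		// "rpcnetp.exe\0rpcnetp\0" -- agent service/executable names
		$rpcnetp = { 72 70 63 6E 65 74 70 2E 65 78 65 00 72 70 63 6E 65 74 70 00 }
		// "TagId\0"
		$tagid = { 54 61 67 49 64 00 }
	condition:
		uint16(0) == 0x5A4D and ($code or ($rpcnetp and $tagid))
}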
rule Windows_Trojan_IcedID_cert_pinning {
	// IcedID x64: certificate-pinning compare routine. A single code fragment,
	// no PE-header gate (so it also hits unpacked dumps).
	meta:
		author = "Elastic Security"
		creation_date = "2022-10-17"
		last_modified = "2022-10-17"
		threat_name = "Windows.Trojan.IcedID"
		arch_context = "x86"
		license = "Elastic License v2"
		os = "windows"
	strings:
		// je / mov edx,[rax+..] / call / mov rcx,[rsp+..] / btc eax,imm8 /
		// mov rdx,[rcx+..] / mov rcx,[rdx+..] / cmp [rcx],eax / je /
		// xor eax,0x384A2414 / cmp [rcx],eax / je
		// -> two compares of a hash-like dword, the second after XOR with a
		//    fixed constant (presumably the pinned-certificate check)
		$cert_pinning = { 74 ?? 8B 50 ?? E8 ?? ?? ?? ?? 48 8B 4C 24 ?? 0F BA F0 ?? 48 8B 51 ?? 48 8B 4A ?? 39 01 74 ?? 35 14 24 4A 38 39 01 74 ?? }
	condition:
		any of them
}
import "pe"

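rule upx_packer_modified_pandora : Packer {
	// Modified UPX stub used by Pandora ransomware: a UPX 3.00 header whose
	// usual section names were replaced by "pppp"/"cccc", plus a fixed import
	// hash. Changes from the original: cheap size/magic checks run before PE
	// parsing; the section loop is bounded so it never indexes past the
	// section table (the original ranged up to number_of_sections and read
	// two entries past the end, which only worked because YARA treats the
	// out-of-range access as undefined/false); imphash is evaluated last.
	meta:
		author = "Marius 'f0wL' Genheimer <hello@dissectingmalwa.re>"
		description = "Detects modified UPX packer used by Pandora Ransomware"
		reference = "https://dissectingmalwa.re/blog/pandora/"
		date = "2022-03-16"
		tlp = "WHITE"
		hash = "5b56c5d86347e164c6e571c86dbf5b1535eae6b979fede6ed66b01e79ea33b7b"
	strings:
		// "3.00\0UPX!" -- UPX version string immediately followed by the UPX! magic
		$header = { 33 2E 30 30 00 55 50 58 21 }
	condition:
		filesize > 112KB and filesize < 1MB
		and uint16(0) == 0x5a4d
		and $header
		// consecutive sections named "pppp" then "cccc"
		and pe.number_of_sections > 1
		and for any i in (0 .. pe.number_of_sections - 2) : (
			pe.sections[i].name == "pppp" and pe.sections[i + 1].name == "cccc"
		)
		// pe.imphash() requires a YARA build with crypto (OpenSSL) support;
		// without it the call is undefined and this rule can never match
		and pe.imphash() == "51a8b4c9f41b0c0ca57db63e21505b0d"
}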