// Opcode-fragment rule: either of two 3-byte x86 patterns is enough to match.
// 66 0F EF is the legacy-SSE encoding of `pxor xmm, xmm/m128` and C5 is the
// two-byte VEX prefix (C5 ?? EF -> `vpxor`), so the rule appears to hunt for
// xmm/ymm XOR code rather than for a specific family.
// Review note: a 3-byte atom with a nibble wildcard, no file-type gate and no
// size cap will fire on practically any x86 build and is costly to scan;
// treat a hit as a pivot for further triage, not as a verdict.
rule meta_s {
    meta:
        author = "sysopfb"
    strings:
        // legacy-SSE form; the `0?` nibble also admits 66 00..0E EF
        $sse_pxor = { 66 0? EF }
        // VEX2 form: C5 <R.vvvv.L.pp> EF
        $vex_pxor = { C5 ?? EF }
    condition:
        any of them
}
import "elf"
// Kinsing / NSPPS: a Go-built Linux implant. After the ELF sanity gate in the
// condition, any one of three independent signals is accepted: the constant
// the author labels as the RC4 key, the scanner command template, the full
// set of Go module paths, or four of the package-main symbol names.
rule Kinsing_Malware {
meta:
author = "Aluma Lavi, CyberArk"
date = "22-01-2021"
version = "1.0"
hash = "d247687e9bdb8c4189ac54d10efd29aee12ca2af78b94a693113f382619a175b"
description = "Kinsing/NSPPS malware"
strings:
// ASCII "764153446b61" (written as hex so it is not trivially grep-able)
$rc4_key = { 37 36 34 31 35 33 34 34 36 62 36 31 }
// masscan-style invocation (-iL / --rate / -p / -oL) with the shell variables left unexpanded
$firewire = "./firewire -iL $INPUT --rate $RATE -p$PORT -oL $OUTPUT"
// Go module import paths. Each one is ordinary open-source code, which is why
// the condition only accepts all seven together.
$packa1 = "google/btree" ascii wide
$packa2 = "kardianos/osext" ascii wide
$packa3 = "kelseyhightower/envconfig" ascii wide
$packa4 = "markbates/pkger" ascii wide
$packa5 = "nu7hatch/gouuid" ascii wide
$packa6 = "paulbellamy/ratecounter" ascii wide
$packa7 = "peterbourgon/diskv" ascii wide
// Go symbol names from package main (4 of 7 required)
$func1 = "main.RC4" ascii wide
$func2 = "main.runTaskWithScan" ascii wide
$func3 = "main.backconnect" ascii wide
$func4 = "main.downloadAndExecute" ascii wide
$func5 = "main.startCmd" ascii wide
$func6 = "main.execTaskOut" ascii wide
$func7 = "main.minerRunningCheck" ascii wide
condition:
// uint16(0) == 0x457F reads the first two bytes of "\x7fELF" little-endian
// (only the first two magic bytes are checked). The section-size sum is a
// header sanity check: the first eight section sizes must fit in the file.
// NOTE(review): elf.sections[0..7] are indexed unconditionally; on an ELF
// with fewer than eight section headers the lookup is undefined and YARA
// evaluates an undefined condition as a non-match, so such files can never
// hit this rule -- confirm against the YARA version in use before relying
// on it for small or sectionless binaries.
(uint16(0) == 0x457F and not (elf.sections[0].size + elf.sections[1].size + elf.sections[2].size + elf.sections[3].size + elf.sections[4].size + elf.sections[5].size + elf.sections[6].size + elf.sections[7].size > filesize)) and ($rc4_key or $firewire or all of ($packa*) or 4 of ($func*))
}
// Netwire final payload (June 2020 campaign): three x86 call-site fragments,
// two of which must be present in an MZ file.
// Review note: the `E8 xx xx 00 00` call displacements are hard-coded, so the
// fragments are tied to the builds listed in meta and will drift with any
// relink; the `?4` nibble wildcards only tolerate variation in the ModRM/SIB byte.
rule NetwireCampaign_Payload_Jun2020 {
    meta:
        description = "Yara Rule for Netwire campaign final payload Jun2020"
        author = "Cybaze Zlab_Yoroi"
        last_updated = "2020-06-05"
        tlp = "white"
        SHA256 = "cc419a1c36ed5bdae1d3cd35c4572766dc06ad5a447687f87e89da0bb5a42091"
        category = "informational"
    strings:
        // two `mov dword [esp], imm32` / `call rel32` pairs followed by `mov esi, [..]`
        $push_call_pair = { C7 04 ?4 ?? ?? ?? ?? E8 6F 2C 00 00 C7 04 ?4 ?? ?? ?? ?? E8 63 2C 00 00 8B 35 }
        // stack-frame stores at +0xA4/+0xA8/+0xB0 around a call, then `sub esp,0x28; test eax,eax; jnz`
        $frame_store_call = { 89 84 ?4 B0 00 00 00 C7 84 ?4 A4 00 00 00 ?? ?? ?? ?? 66 C7 84 ?4 A8 00 00 00 00 00 E8 ?? ?? ?? ?? 83 EC 28 85 C0 75 27 }
        // four outgoing arguments written to [esp+0..0xC] before a call
        $four_arg_call = { C7 44 ?4 0C ?? ?? ?? ?? C7 44 ?4 08 ?? ?? ?? ?? C7 04 ?4 ?? ?? ?? ?? 89 44 ?4 04 E8 39 1C 01 00 83 EC ?? }
    condition:
        uint16(0) == 0x5A4D and 2 of them
}
// BPFDoor (Red Menshen) controller, generic x86-64 code-pattern variant.
// Two fragments suffice for a small ELF; four fragments match regardless of
// header or size (covers dumps and embedded copies). The parentheses below
// make the `and`-before-`or` precedence of the original explicit.
rule APT_MAL_LNX_RedMenshen_BPFDoor_Controller_Generic_May22_1 {
    meta:
        description = "Detects BPFDoor malware"
        author = "Florian Roth"
        reference = "https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896"
        date = "2022-05-09"
        score = 90
        hash1 = "07ecb1f2d9ffbd20a46cd36cd06b022db3cc8e45b1ecab62cd11f9ca7a26ab6d"
        hash2 = "1925e3cd8a1b0bba0d297830636cdb9ebf002698c8fa71e0063581204f4e8345"
        hash3 = "4c5cf8f977fc7c368a8e095700a44be36c8332462c0b1e41bff03238b2bf2a2d"
        hash4 = "591198c234416c6ccbcea6967963ca2ca0f17050be7eed1602198308d9127c78"
        hash5 = "599ae527f10ddb4625687748b7d3734ee51673b664f2e5d0346e64f85e185683"
        hash6 = "5b2a079690efb5f4e0944353dd883303ffd6bab4aad1f0c88b49a76ddcb28ee9"
        hash7 = "5faab159397964e630c4156f8852bcc6ee46df1cdd8be2a8d3f3d8e5980f3bb3"
        hash8 = "76bf736b25d5c9aaf6a84edd4e615796fffc338a893b49c120c0b4941ce37925"
        hash9 = "93f4262fce8c6b4f8e239c35a0679fbbbb722141b95a5f2af53a2bcafe4edd1c"
        hash10 = "96e906128095dead57fdc9ce8688bb889166b67c9a1b8fdb93d7cff7f3836bb9"
        hash11 = "97a546c7d08ad34dfab74c9c8a96986c54768c592a8dae521ddcf612a84fb8cc"
        hash12 = "c796fc66b655f6107eacbe78a37f0e8a2926f01fecebd9e68a66f0e261f91276"
        hash13 = "c80bd1c4a796b4d3944a097e96f384c85687daeedcdcf05cc885c8c9b279b09c"
        hash14 = "f47de978da1dbfc5e0f195745e3368d3ceef034e964817c66ba01396a1953d72"
        hash15 = "f8a5e735d6e79eb587954a371515a82a15883cf2eda9d7ddb8938b86e714ea27"
        hash16 = "fa0defdabd9fd43fe2ef1ec33574ea1af1290bd3d763fdb2bed443f2bd996d73"
        hash17 = "fd1b20ee5bd429046d3c04e9c675c41e9095bea70e0329bd32d7edd17ebaf68a"
    strings:
        // All six fragments come from one unoptimised function that walks a
        // 0x100-byte buffer through [rbp-0x38]: `mov byte [rax+0x101], 0`,
        // `movzx edx, byte [rax+0x101]`, `mov [rax+0x100], dl` and the
        // surrounding rbp-relative spills. `?8` / `??` / `F?` absorb the
        // compiler's choice of stack slot.
        $code_a = { C6 80 01 01 00 00 00 48 8B 45 ?8 0F B6 90 01 01 00 00 48 8B 45 ?8 88 90 00 01 00 00 C6 45 ?? 00 0F B6 45 ?? 88 45 }
        $code_b = { 48 89 55 C8 48 8B 45 C8 48 89 45 ?? 48 8B 45 C8 0F B6 80 00 01 00 00 88 45 F? 48 8B 45 C8 0F B6 80 01 01 00 00 }
        $code_c = { 48 89 45 ?? 48 8B 45 C8 0F B6 80 00 01 00 00 88 45 F? 48 8B 45 C8 0F B6 80 01 01 00 00 88 45 F? C7 45 F8 00 00 00 00 }
        $code_d = { 48 89 7D D8 89 75 D4 48 89 55 C8 48 8B 45 C8 48 89 45 ?? 48 8B 45 C8 0F B6 80 00 01 00 00 88 45 F? }
        $code_e = { 48 8B 45 ?8 C6 80 01 01 00 00 00 48 8B 45 ?8 0F B6 90 01 01 00 00 48 8B 45 ?8 88 90 00 01 00 00 C6 45 ?? 00 0F B6 45 }
        $code_f = { 89 75 D4 48 89 55 C8 48 8B 45 C8 48 89 45 ?? 48 8B 45 C8 0F B6 80 00 01 00 00 88 45 F? 48 8B 45 C8 }
    condition:
        // uint16(0) == 0x457f is the first two bytes of "\x7fELF"
        (uint16(0) == 0x457f and filesize < 200KB and 2 of them)
        or 4 of them
}
import "pe"
// Delphi loader carrying an embedded NanoCore RAT. Two independent branches;
// the parentheses spell out the `and`-before-`or` precedence of the original:
//   - the loader: exactly 73 PE resources plus its Format()-style template, or
//   - the payload: one NanoCore marker together with the short `$tail` string.
rule Delphi_Loader_NanoCoreRAT {
    meta:
        description = "Yara Rule for Delphi Loader and embedded NanoCore RAT"
        author = "Cybaze - Yoroi ZLab"
        last_updated = "2019-06-12"
        tlp = "white"
        category = "informational"
    strings:
        // indexed `%0:s` / `%1:s` placeholders are Delphi Format() syntax
        $loader_tmpl = "IE(AL(\"%s\",4),\"AL(\\\"%0:s\\\",3)\",\"JK(\\\"%1:s\\\",\\\"%0:s\\\")\")"
        // NanoCore markers: an obfuscated identifier, the plain family name and ASCII "is41tIXM"
        $rat_1 = "#=qP05CRmbt2pJg10eRU50wu1vx$mfteEn$pCn9SEbehP8="
        $rat_2 = "NanoCore"
        $rat_3 = { 69 73 34 31 74 49 58 4D }
        // short companion string; it is what keeps the generic "NanoCore" word from matching alone
        $tail = "<*t\"<0r=<9w9i"
    condition:
        (pe.number_of_resources == 73 and $loader_tmpl)
        or (1 of ($rat_*) and $tail)
}
// Absolute Computrace agent executable (the rpcnetp component). The meta
// describes a commercial anti-theft/persistence agent rather than malware,
// so a hit says "Computrace is present", which may or may not be wanted on
// the host in question. `thread_level` is kept as written (likely meant
// "threat_level").
rule ComputraceAgent {
    meta:
        description = "Absolute Computrace Agent Executable"
        thread_level = 3
        in_the_wild = true
    strings:
        // 16-byte code fragment from the agent
        $code = { D1 E0 F5 8B 4D 0C 83 D1 00 8B EC FF 33 83 C3 04 }
        // "rpcnetp.exe\0rpcnetp\0"
        $rpcnetp = { 72 70 63 6E 65 74 70 2E 65 78 65 00 72 70 63 6E 65 74 70 00 }
        // "TagId\0"
        $tagid = { 54 61 67 49 64 00 }
    condition:
        // MZ magic checked numerically (same test as `{ 4D 5A } at 0`)
        uint16(0) == 0x5A4D and ($code or ($rpcnetp and $tagid))
}
// HIDDEN COBRA "BADCALL" SSL proxy. Two alternative branches:
//   1. both byte-transform loops plus four hard-coded constants in hex form, or
//   2. three of those constants as plain text.
// Review note: branch 1 implies branch 2 -- $raw2 is byte-identical to $txt1,
// $raw3 to $txt3, and $raw1 contains $txt2 -- so the rule's match set is
// exactly `all of ($txt*)`. The opcode strings are still useful for reporting
// where the loops sit, which is why they are kept.
rule NK_SSL_PROXY {
    meta:
        Author = "CISA Code & Media Analysis"
        Incident = "10135536"
        Date = "2018-01-09"
        Category = "Hidden_Cobra"
        Family = "BADCALL"
        Description = "Detects NK SSL PROXY"
        MD5_1 = "C6F78AD187C365D117CACBEE140F6230"
        MD5_2 = "C01DC42F65ACAF1C917C0CC29BA63ADC"
    strings:
        // encode loop: `xor dl,0x47 ; add dl,0x28` over [eax+ecx], `jl` back
        $enc_loop = { 8B 4C 24 08 8A 14 08 80 F2 47 80 C2 28 88 14 08 40 3B C6 7C EF 5E }
        // decode routine: prologue, `test esi,esi ; jle`, then `sub dl,0x28 ; xor dl,0x47`
        $dec_func = { 56 8B 74 24 0C 33 C0 85 F6 7E 15 8B 4C 24 08 8A 14 08 80 EA 28 80 F2 47 88 14 08 40 3B C6 7C EF 5E }
        // "Gu@\x1fq45tyu6hgvhi7^%$sdf"
        $raw1 = { 47 75 40 1F 71 34 35 74 79 75 36 68 67 76 68 69 37 5E 25 24 73 64 66 }
        // "ghfghjuyufgdgftr"
        $raw2 = { 67 68 66 67 68 6A 75 79 75 66 67 64 67 66 74 72 }
        // "m*^&^ghfge4wer"
        $raw3 = { 6D 2A 5E 26 5E 67 68 66 67 65 34 77 65 72 }
        // "1qazXSDC23we"
        $raw4 = { 31 71 61 7A 58 53 44 43 32 33 77 65 }
        $txt1 = "ghfghjuyufgdgftr"
        $txt2 = "q45tyu6hgvhi7^%$sdf"
        $txt3 = "m*^&^ghfge4wer"
    condition:
        all of ($enc_loop, $dec_func, $raw*)
        or all of ($txt*)
}
// HIDDEN COBRA byte-transform primitive: the 6-byte core of the XOR-0x47 /
// ADD-0x28 encoder and its inverse. Both sequences must be present in a PE.
// These are the same two instruction pairs embedded in NK_SSL_PROXY's
// $s0/$s1 loops above, so the two rules are expected to co-fire.
rule xor_add {
    meta:
        Author = "CISA trusted 3rd party"
        Incident = "10135536"
        Date = "2018-04-19"
        Category = "Hidden_Cobra"
        Family = "n/a"
        Description = "n/a"
    strings:
        // `sub dl,0x28 ; xor dl,0x47` (decode direction)
        $sub28_xor47 = { 80 EA 28 80 F2 47 }
        // `xor dl,0x47 ; add dl,0x28` (encode direction)
        $xor47_add28 = { 80 F2 47 80 C2 28 }
    condition:
        // "MZ" at 0 and "PE\0\0" at e_lfanew (the dword at 0x3c)
        uint16(0) == 0x5A4D
        and uint16(uint32(0x3c)) == 0x4550
        and $xor47_add28 and $sub28_xor47
}
// Unattributed x86-64 RAT: four short code fragments, all required.
// There is no MZ/PE or size gate, so the rule also fires on memory dumps;
// the fragments are specific enough that this is acceptable.
rule CISA_10382580_02 : rat {
    meta:
        Author = "CISA Code & Media Analysis"
        Incident = "10382580"
        Date = "2022-06-02"
        Last_Modified = "20220602_1200"
        Actor = "n/a"
        Category = "RAT"
        Family = "n/a"
        Description = "Detects unidentified Remote Access Tool samples"
        MD5_1 = "7b1ce3fe542c6ae2919aa94e20dc860e"
        SHA256_1 = "d071c4959d00a1ef9cce535056c6b01574d8a8104a7c3b00a237031ef930b10f"
    strings:
        // `mov rax,[rsi] ; movzx eax,[rcx+rax] ; xor al,dl ; test cl,1 ; jnz ; xor al,0xE7`
        // -- byte decode with an extra XOR on even indices
        $xor_decode = { 48 8B 06 0F B6 04 01 32 C2 F6 C1 01 75 02 34 E7 }
        // `mov [rdi+rcx],al ; inc rcx ; mov rax,[rsi+8] ; cmp` -- store and bounds check
        $store_next = { 88 04 0F 48 FF C1 48 8B 46 08 48 3B }
        // `movsx ecx,dl ; ror edi,13 ; lea eax,[rcx-0x20] ; cmp dl,'a' ; cmovl eax,ecx ; add`
        // -- looks like case-folding ROR-13 API hashing
        $ror13_fold = { 0F BE CA C1 CF 0D 8D 41 E0 80 FA 61 0F 4C C1 03 }
        // `lea r8,[r8+1] ; movzx edx,[r8] ; test dl,dl` -- advance to next char, stop on NUL
        $next_char = { F8 4D 8D 40 01 41 0F B6 10 84 D2 }
    condition:
        $xor_decode and $store_next and $ror13_fold and $next_char
}
import "pe"
// Poulight stealer (.NET). Every string is required, so the weak ones
// (the separator line, the generic WMI query) only tighten the match.
rule Poulight_Stealer_May_2020 {
    meta:
        description = "Yara rule for Poulight Stealer"
        hash = "8ef7b98e2fc129f59dd8f23d324df1f92277fcc16da362918655a1115c74ab95"
        author = "Cybaze - Yoroi ZLab"
        last_updated = "2020-05-07"
        tlp = "white"
        category = "informational"
    strings:
        // WMI host fingerprinting
        $wmi_query = "Select * from Win32_ComputerSystem" ascii wide
        // wallet-file path fragment
        $wallet_file = "\\wallets\\wallet.dat" ascii wide
        // 0x2F is the .NET #US-heap length byte (23 UTF-16 chars * 2 + 1 = 47),
        // followed by UTF-16LE "{0}<clbase>{?}</clbase>"
        $clbase_fmt = { 2F 7B 00 30 00 7D 00 3C 00 63 00 6C 00 62 00 61 00 73 00 65 00 3E 00 7B 00 ?? 00 7D 00 3C 00 2F 00 63 00 6C 00 62 00 61 00 73 00 65 00 3E 00 }
        // network indicators, kept exactly as they appear in the sample
        // (the first one really lacks the ':' after http; do not "fix" it).
        // "cG91bGxpZ2h0" inside the second is base64 for "poullight".
        $url_armbot = "http//fff.gearhostpreview.com/ARMBot"
        $url_keys = "WBcG91bGxpZ2h0Lhttp://poullight.ru/keys.txt"
        $exe_name = "Poullight.exe"
        // output separator line
        $separator = "=====================================" ascii wide
    condition:
        uint16(0) == 0x5A4D and all of them
}
import "pe"
// FlawedAmmyy downloader (unpacked, 32-bit). Requires the hashing fragment,
// one domain-recon command and one of the artefact names, all in an MZ file.
rule unpack_flawed_ammy_downloader_win32_ {
    meta:
        author = "tcontre"
        description = "detecting flawwed ammy rat downloader"
        date = "2019-07-02"
        sha256 = "3255b1165b227c35b70908f4eed490210390281fc96913fdf96f066d019bd1c2"
    strings:
        // `mov eax,[ebp-4] ; shl eax,7 ; mov ecx,[ebp-4] ; shr ecx,25 ; or eax,ecx`
        // = 32-bit rotate-left by 7, a string-hashing idiom
        $rol7 = { 8B 45 FC C1 E0 07 8B 4D FC C1 E9 19 0B C1 }
        // AD reconnaissance commands
        $recon_users = "net user /domain" fullword
        $recon_groups = "net group /domain" fullword
        // artefact names (%x is filled in at run time, so only the prefix is matched)
        $nuget_tmpl = "NuGets\\template_%x.TMPTMPZIP7" fullword
        $wsus_exe = "wsus.exe" fullword
        $vmwaretrat_exe = "Vmwaretrat.exe" wide fullword
    condition:
        // numeric MZ check, equivalent to `{ 4D 5A } at 0`
        uint16(0) == 0x5A4D
        and $rol7
        and 1 of ($recon_*)
        and 1 of ($nuget_tmpl, $wsus_exe, $vmwaretrat_exe)
}
// SUNSHUTTLE (UNC2452) Go backdoor: package-main symbol names as they appear
// in the Go symbol table. Five of sixteen names in a PE under 10 MB.
// The names are ASCII only (no `wide`), which is correct for Go's pclntab.
rule FireEye_21_00004531_01 : SUNSHUTTLE backdoor {
    meta:
        Author = "FireEye"
        Date = "2021-03-04"
        Last_Modified = "20210305_1704"
        Actor = "UNC2452"
        Category = "Backdoor"
        Family = "SUNSHUTTLE"
        Description = "This rule detects strings found in SUNSHUTTLE"
        MD5_1 = "9466c865f7498a35e4e1a8f48ef1dffd"
        SHA256_1 = "b9a2c986b6ad1eb4cfb0303baede906936fe96396f3cf490b0984a4798d741d8"
    strings:
        $fn_request_session_key = "main.request_session_key"
        $fn_define_internal_settings = "main.define_internal_settings"
        $fn_send_file_part = "main.send_file_part"
        $fn_clean_file = "main.clean_file"
        $fn_send_command_result = "main.send_command_result"
        $fn_retrieve_session_key = "main.retrieve_session_key"
        $fn_save_internal_settings = "main.save_internal_settings"
        $fn_resolve_command = "main.resolve_command"
        $fn_write_file = "main.write_file"
        $fn_beaconing = "main.beaconing"
        $fn_wget_file = "main.wget_file"
        $fn_fileExists = "main.fileExists"
        $fn_removeBase64Padding = "main.removeBase64Padding"
        $fn_addBase64Padding = "main.addBase64Padding"
        $fn_delete_empty = "main.delete_empty"
        $fn_GetMD5Hash = "main.GetMD5Hash"
    condition:
        // "MZ" at 0 and "PE\0\0" at e_lfanew
        uint16(0) == 0x5A4D
        and uint32(uint32(0x3C)) == 0x00004550
        and filesize < 10MB
        and 5 of ($fn_*)
}
// SUNSHUTTLE (UNC2452) companion rule: a Go PE that embeds a base64-encoded
// PEM private key. All three strings are required.
rule FireEye_21_00004531_02 : SUNSHUTTLE backdoor {
    meta:
        Author = "FireEye"
        Date = "2021-03-04"
        Last_Modified = "20210305_1704"
        Actor = "UNC2452"
        Category = "Backdoor"
        Family = "SUNSHUTTLE"
        Description = "This rule detects strings found in SUNSHUTTLE"
        MD5_1 = "9466c865f7498a35e4e1a8f48ef1dffd"
        SHA256_1 = "b9a2c986b6ad1eb4cfb0303baede906936fe96396f3cf490b0984a4798d741d8"
    strings:
        // base64 of "-----BEGIN PRIVATE KEY-----\n" (last group truncated)
        $b64_pem_begin = "LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk"
        // base64 of "-----END PRIVATE KEY-----" (last group truncated)
        $b64_pem_end = "LS0tLS1FTkQgUFJJVkFURSBLRVktLS0tLQ"
        // marker the Go linker writes into every binary
        $go_build_id = "Go build ID: \""
    condition:
        uint16(0) == 0x5A4D
        and uint32(uint32(0x3C)) == 0x00004550
        and filesize < 10MB
        and $b64_pem_begin and $b64_pem_end and $go_build_id
}
// China Chopper server-side component (ASP.NET one-liner variant).
// Review note: four of the five strings ("<%", eval, tostring, length) occur
// in ordinary ASP/ASPX pages; `$replace_call` is the only discriminator, and
// there is no size cap, so expect noise when this is pointed at a whole
// webroot. `$asp_open_tag` is not anchored despite the original name
// `$first_bytes` -- `"<%" at 0` would anchor it, at the cost of missing files
// with a BOM or leading whitespace.
rule CISA_3P_10327841_03 : CHINACHOPPER webshell {
    meta:
        Author = "CISA Trusted Third Party"
        Incident = "10327841"
        Date = "2021-03-26"
        Actor = "n/a"
        Category = "Webshell"
        Family = "CHINACHOPPER"
        Description = "Detects iteration of China Chopper webshell server-side component"
    strings:
        $asp_open_tag = "<%"
        // strips the "/*/" padding the client inserts into the request payload
        $replace_call = ".Replace(\"/*/\",\"\")" nocase
        $eval_kw = "eval" nocase
        $tostring_kw = "tostring" nocase
        $length_kw = "length" nocase
    condition:
        $asp_open_tag and $replace_call and $eval_kw and $tostring_kw and $length_kw
}
// BumbleBee packer stub (x86-64): the sequence that allocates the packer's
// main structure and stores the returned pointer in a global.
// Review note: there is no MZ/PE or filesize gate, so the pattern is also
// evaluated against every non-PE input; the REX.W-prefixed opcodes limit it
// to 64-bit code in practice.
rule malware_bumblebee_packed {
    meta:
        author = "Marc Salinas @ CheckPoint Research"
        malware_family = "BumbleBee"
        date = "13/07/2022"
        description = "Detects the packer used by bumblebee, the rule is based on the code responsible for allocating memory for a critical structure in its logic."
        dll_jul = "6bc2ab410376c1587717b2293f2f3ce47cb341f4c527a729da28ce00adaaa8db"
        dll_jun = "82aab01a3776e83695437f63dacda88a7e382af65af4af1306b5dbddbf34f9eb"
        dll_may = "a5bcb48c0d29fbe956236107b074e66ffc61900bc5abfb127087bb1f4928615c"
        iso_jul = "ca9da17b4b24bb5b24cc4274cc7040525092dffdaa5922f4a381e5e21ebf33aa"
        iso_jun = "13c573cad2740d61e676440657b09033a5bec1e96aa1f404eed62ba819858d78"
        iso_may = "b2c28cdc4468f65e6fe2f5ef3691fa682057ed51c4347ad6b9672a9e19b5565e"
        zip_jun = "7024ec02c9670d02462764dcf99b9a66b29907eae5462edb7ae974fe2efeebad"
        zip_may = "68ac44d1a9d77c25a97d2c443435459d757136f0d447bfe79027f7ef23a89fce"
    strings:
        // 48 8? EC            sub rsp, imm         (frame setup)
        // FF 15 ?? ?? 0? 00   call [rip+disp32]    (import call, small positive displacement)
        // 33 D2               xor edx, edx         (zeroed argument)
        // FF 15 ?? ?? 0? 00   call [rip+disp32]    (the allocation call)
        // 48 89 05 ?? ?? ?? 00  mov [rip+disp32], rax  (keep the returned pointer in a global)
        // E8 ?? ?? ?? ??      call rel32
        // 4? 8B ?? ?? ?? ?? 00  mov r64, [rip+disp32]  (reload that global)
        // The [n-m] jumps absorb register moves the compiler places between them.
        $alloc_stub = { 48 8? EC [1-6] FF 15 ?? ?? 0? 00 [0-5] 33 D2 4? [2-5] 4? ?? ?? FF 15 ?? ?? 0? 00 [8-11] 48 89 05 ?? ?? ?? 00 E8 ?? ?? ?? ?? 4? 8B ?? ?? ?? ?? 00 }
    condition:
        any of them
}
// .NET DLL webshell: WMI process enumeration, SQL pass-through, base64
// decoding of the operator's input and hidden process spawning. All seven
// strings are required. Most are written as raw hex (UTF-16LE without the
// trailing 00 byte, or with an alternation), so they cannot be replaced by
// `"..." wide` / `nocase` text strings without changing what is matched.
rule CISA_10443863_03 : backdoor remote_access_trojan webshell exploitation information_gathering remote_access accesses_remote_machines anti_debugging captures_system_state_data controls_local_machine compromises_data_availability compromises_data_integrity fingerprints_host installs_other_components {
meta:
Author = "CISA Code & Media Analysis"
Incident = "10443863"
Date = "2023-05-16"
Last_Modified = "20230605_1500"
Actor = "n/a"
Family = "n/a"
Capabilities = "accesses-remote-machines anti-debugging captures-system-state-data controls-local-machine compromises-data-availability compromises-data-integrity fingerprints-host installs-other-components"
Malware_Type = "backdoor remote-access-trojan webshell"
Tool_Type = "exploitation information-gathering remote-access"
Description = "Detects .NET DLL webshell samples"
SHA256 = "b63c95300c8e36b5e6d3393da12931683796f88fd4601ba8364658b4d12ac05b"
strings:
// UTF-16LE "Select * from Win32_Process" (WMI process listing)
$s0 = { 53 00 65 00 6C 00 65 00 63 00 74 00 20 00 2A 00 20 00 66 00 72 00 6F 00 6D 00 20 00 57 00 69 00 6E 00 33 00 32 00 5F 00 50 00 72 00 6F 00 63 00 65 00 73 00 73 }
// ASCII "base64Decode" or "base64decode" (only these two spellings)
$s1 = { 62 61 73 65 36 34 ( 44 | 64 ) 65 63 6F 64 65 }
// UTF-16LE "SELECT * FROM"
$s2 = { 53 00 45 00 4C 00 45 00 43 00 54 00 20 00 2A 00 20 00 46 00 52 00 4F 00 4D }
// UTF-16LE "IIS APPPOOL" (the application-pool identity prefix)
$s3 = { 49 00 49 00 53 00 20 00 41 00 50 00 50 00 50 00 4F 00 4F 00 4C }
// ASCII "ManagementObject" (System.Management WMI type)
$s4 = { 4D 61 6E 61 67 65 6D 65 6E 74 4F 62 6A 65 63 74 }
// ASCII "CreateNoWindow" (ProcessStartInfo property for hidden child processes)
$s5 = { 43 72 65 61 74 65 4E 6F 57 69 6E 64 6F 77 }
// ASCII "sqlquery"
$s6 = { 73 71 6C 71 75 65 72 79 }
condition:
// no MZ/size gate: the seven-way conjunction is the precision control
all of them
}
import "vt"
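// VirusTotal Livehunt rule over domain/URL objects (needs the "vt" module
// imported above; it does not compile in stand-alone yara). Flags newly seen
// domains that resemble AWS sign-in pages: a known favicon dhash, an outgoing
// link to the real console sign-in host, or "aws" in the domain name.
rule aws_monitor {
    condition:
        vt.net.domain.new_domain
        and (
            // favicon perceptual hashes observed on AWS sign-in pages
            vt.net.url.favicon.dhash == "4026d4f494f8738c"
            or vt.net.url.favicon.dhash == "c8e3b88aaa88cbf8"
            // page links out to the genuine console host. Fix: the original
            // escaped only the last dot, so "signin" and "aws" could be
            // followed by any character; `matches` is an unanchored search,
            // so the trailing ".*" was redundant and is dropped.
            or for any link in vt.net.url.outgoing_links : (
                link matches /signin\.aws\.amazon\.com/
            )
            // Review note: very broad -- any new domain containing the
            // substring "aws" (e.g. "laws-...", "drawsomething...") matches.
            or vt.net.domain.raw matches /aws/
        )
}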
import "pe"
import "hash"
// Carbon (Turla) generic string rule: the module start marker and the two
// STOP control tokens, all required in an MZ file. The `pe` and `hash`
// imports preceding this rule are not used by it.
rule generic_carbon {
    meta:
        description = "Carbon: ModStart and STOP control tokens"
    strings:
        $modstart = "ModStart"
        $stop_ok = "STOP|OK"
        $stop_kill = "STOP|KILL"
    condition:
        uint16(0) == 0x5A4D and $modstart and $stop_ok and $stop_kill
}
import "pe"
// Carbon (Turla) version-resource rule: a binary claiming one of three
// Microsoft internal names and a Microsoft company name that is NOT tagged
// as signed. `tags` is not a core YARA identifier -- VirusTotal hunting
// supplies it as an external variable; stand-alone yara must define it
// (e.g. `-d tags=...`) or the rule fails to compile.
rule carbon_metadata {
    condition:
        pe.version_info["CompanyName"] contains "Microsoft Corporation"
        and not (tags contains "signed")
        and (
            pe.version_info["InternalName"] contains "SERVICE.EXE"
            or pe.version_info["InternalName"] contains "MSIMGHLP.DLL"
            or pe.version_info["InternalName"] contains "MSXIML.DLL"
        )
}
// Carbon (Turla) 2016 on-disk artefact names, matched against the file name
// only (no content is inspected). `file_name` is an external variable that
// VirusTotal hunting provides; stand-alone yara needs `-d file_name=...`.
// `contains` is a case-sensitive substring test.
rule carbon_2016_filenames {
    condition:
        file_name contains "wkstrend.xml"
        or file_name contains "cifrado.xml"
        or file_name contains "fsbootfail.dat"
        or file_name contains "encodebase.inf"
        or file_name contains "zcerterror.png"
        or file_name contains "mkfieldsec.dll"
}
// HZ RAT: mutex GUID, PDB path fragments from several versions and a
// misspelled error message. Any single string is enough.
// Review note: `$x_pdb_path_short` ("hp_client_win") is a short plain
// substring and is the most likely source of false positives in this set.
rule hz_rat {
    strings:
        $x_mutex = "91E99696-92CC-43F4-99B0-774D80BDAA6B"
        // build-path prefixes (versions 2.8.2/2.9.0 and 2.9.1 respectively)
        $x_pdb_path_2_8_2__and_2_9_0 = "D:\\WORKSPACE\\HZ_"
        $x_pdb_path_2_9_1 = "D:\\WORKSPACE\\HP\\HZ_"
        // full PDB path of another build (identifier renamed from the original's "pdf")
        $x_pdb_path_full = "C:\\Users\\dell\\source\\repos\\WindowsProject2\\Release\\WindowsProject1.pdb"
        $x_pdb_path_short = "hp_client_win"
        // the typo ("instanse") is the sample's own; keep it verbatim
        $x_error_msg_typo = "instanse already exist."
    condition:
        any of ($x_*)
}
// HZ RAT "AES" packer: two long, near-verbatim copies of the unpacking
// routine's body (one per observed build). Either one matches.
// Review note: both blobs embed absolute addresses (e.g. `20 30 41 00` =
// 0x00413020, `40 30 41 00` = 0x00413040) and fixed `E8` call displacements,
// so they are tied to these exact builds and will not survive a relink or
// a different image base; only the loop bound (`81 .. ?? ?? ?? 00`) is
// wildcarded. No MZ/size gate is applied.
rule hz_rat_aes_packer {
strings:
// build 747: argument set-up, 16-byte block loop over the 0x413040 table, then an indirect call
$decryption_body_747 = { 8D 44 24 1C 89 04 24 E8 84 ED 00 00 E8 DF DE 00 00 C7 44 24 08 10 00 00 00 C7 44 24 04 20 30 41 00 8D 44 24 54 89 04 24 C7 44 24 20 01 00 00 00 E8 B7 00 00 00 C7 84 24 3C 02 00 00 00 00 00 00 C7 84 24 38 02 00 00 00 00 00 00 EB 4B 8B 84 24 38 02 00 00 C1 E0 04 8D 90 40 30 41 00 8B 84 24 38 02 00 00 C1 E0 04 05 40 30 41 00 89 54 24 08 89 44 24 04 8D 44 24 54 89 04 24 C7 44 24 20 01 00 00 00 E8 E9 0E 00 00 83 84 24 3C 02 00 00 10 83 84 24 38 02 00 00 01 81 BC 24 3C 02 00 00 ?? ?? ?? 00 76 A8 B8 40 30 41 00 C7 44 24 20 01 00 00 00 FF D0 B8 00 00 00 00 89 44 24 18 EB 14 8B }
// build 748: same logic with a full prologue (`55 89 E5 ... 81 EC 68 02 00 00`) and ebp-relative locals
$decryption_body_748 = { 55 89 E5 5D C3 90 90 90 90 90 90 90 90 90 90 90 8D 4C 24 04 83 E4 F0 FF 71 FC 55 89 E5 57 56 53 51 81 EC 68 02 00 00 C7 85 CC FD FF FF 80 24 41 00 C7 85 D0 FD FF FF 3C 2B 41 00 8D 85 D4 FD FF FF 8D 4D E8 89 08 BA 28 17 40 00 89 50 04 89 60 08 8D 85 B4 FD FF FF 89 04 24 E8 51 EE 00 00 E8 AC DF 00 00 C7 44 24 08 10 00 00 00 C7 44 24 04 20 30 41 00 8D 85 F0 FD FF FF 89 04 24 C7 85 B8 FD FF FF 01 00 00 00 E8 78 01 00 00 C7 45 E4 00 00 00 00 C7 45 E0 00 00 00 00 EB 3F 8B 45 E0 C1 E0 04 8D 90 40 30 41 00 8B 45 E0 C1 E0 04 05 40 30 41 00 89 54 24 08 89 44 24 04 8D 85 F0 FD FF FF 89 04 24 C7 85 B8 FD FF FF 01 00 00 00 E8 B6 0F 00 00 83 45 E4 10 83 45 E0 01 81 7D E4 ?? ?? ?? 00 76 B8 A1 5C 71 45 00 C7 85 B8 FD FF FF 01 }
condition:
any of them
}
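// Dotted-quad C2/infrastructure indicators attributed to Transparent Tribe.
// Fix: every address now carries `fullword`, so the match must be delimited
// by non-alphanumeric characters. Without it, "142.93.74.10" also matched
// 142.93.74.100-109 and "64.23.213.61" matched 164.23.213.61, etc.
// Review note: IP indicators age quickly and these may be shared hosting;
// confirm the address is still attributed before blocking on a hit.
rule MaliciousInfra_IP_Detection {
    meta:
        description = "Detection of known IP addresses associated with Transparent Tribe"
        author = "CRT"
    strings:
        $ip1 = "143.198.64.151" fullword
        $ip2 = "165.232.118.207" fullword
        $ip3 = "161.35.186.219" fullword
        $ip4 = "178.128.92.166" fullword
        $ip5 = "64.23.155.109" fullword
        $ip6 = "159.203.133.189" fullword
        $ip7 = "138.197.156.131" fullword
        $ip8 = "142.93.74.10" fullword
        $ip9 = "152.42.245.111" fullword
        $ip10 = "139.59.109.136" fullword
        $ip11 = "137.184.211.26" fullword
        $ip12 = "159.223.0.196" fullword
        $ip13 = "64.23.213.61" fullword
        $ip14 = "152.42.198.168" fullword
        $ip15 = "206.189.134.185" fullword
    condition:
        any of ($ip*)
}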
import "hash"
import "pe"
// Black Kingdom ransomware, identified purely by the SHA-256 of the decoded
// Rich header (`pe.rich_signature.clear_data`), i.e. the toolchain
// fingerprint shared by the builds listed in `hash`.
// Notes:
//  - no MZ check is needed: without a Rich header `clear_data` is undefined,
//    which YARA evaluates as a non-match;
//  - `hash.sha256()` returns lowercase hex, so the literal must stay lowercase;
//  - duplicate `hash` meta keys are legal in YARA (meta is not a map);
//  - the `distribution` restriction is the author's; this copy is already public.
rule ransomware_blackkingdom {
meta:
description = "Rule to detect Black Kingdom ransomware"
author = "Kaspersky Lab"
copyright = "Kaspersky Lab"
distribution = "DISTRIBUTION IS FORBIDDEN. DO NOT UPLOAD TO ANY MULTISCANNER OR SHARE ON ANY THREAT INTEL PLATFORM"
version = "1.0"
last_modified = "2021-05-02"
hash = "866b1f5c5edd9f01c5ba84d02e94ae7c1f9b2196af380eed1917e8fc21acbbdc"
hash = "910fbfa8ef4ad7183c1b5bdd3c9fd1380e617ca0042b428873c48f71ddc857db"
condition:
// Rich header with the XOR key removed, hashed and compared to the known build fingerprint
hash.sha256(pe.rich_signature.clear_data) == "0e7d0db29c7247ae97591751d3b6c0728aed0ec1b1f853b25fc84e75ae12b7b8"
}
// BPFDoor (Red Menshen) controller: operator-facing strings plus x86-64 code
// fragments. Two indicators suffice in a small ELF; five match regardless of
// header or size (dumps, embedded copies). The parentheses make the
// `and`-before-`or` precedence of the original explicit; this mirrors the
// Generic_May22_1 rule's condition shape.
rule APT_MAL_LNX_RedMenshen_BPFDoor_Controller_May22_1 {
    meta:
        description = "Detects unknown Linux implants (uploads from KR and MO)"
        author = "Florian Roth"
        reference = "https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896"
        date = "2022-05-05"
        score = 90
        hash1 = "07ecb1f2d9ffbd20a46cd36cd06b022db3cc8e45b1ecab62cd11f9ca7a26ab6d"
        hash2 = "4c5cf8f977fc7c368a8e095700a44be36c8332462c0b1e41bff03238b2bf2a2d"
        hash3 = "599ae527f10ddb4625687748b7d3734ee51673b664f2e5d0346e64f85e185683"
        hash4 = "5b2a079690efb5f4e0944353dd883303ffd6bab4aad1f0c88b49a76ddcb28ee9"
        hash5 = "5faab159397964e630c4156f8852bcc6ee46df1cdd8be2a8d3f3d8e5980f3bb3"
        hash6 = "93f4262fce8c6b4f8e239c35a0679fbbbb722141b95a5f2af53a2bcafe4edd1c"
        hash7 = "97a546c7d08ad34dfab74c9c8a96986c54768c592a8dae521ddcf612a84fb8cc"
        hash8 = "c796fc66b655f6107eacbe78a37f0e8a2926f01fecebd9e68a66f0e261f91276"
        hash9 = "f8a5e735d6e79eb587954a371515a82a15883cf2eda9d7ddb8938b86e714ea27"
        hash10 = "fd1b20ee5bd429046d3c04e9c675c41e9095bea70e0329bd32d7edd17ebaf68a"
    strings:
        // operator messages / command names
        $txt_connect_failed = "[-] Connect failed." ascii fullword
        // redirects the mysql client's history file -- typical shell anti-forensics
        $txt_mysql_histfile = "export MYSQL_HISTFILE=" ascii fullword
        $txt_udpcmd = "udpcmd" ascii fullword
        $txt_getshell = "getshell" ascii fullword
        // byte-counter loop: `add byte [rbp-0x12],1 ; movzx ; cmp ; jl ; mov byte [rbp-0x12],0 ; add byte [rbp-1],1`
        $code_counter = { E8 ?? FF FF FF 80 45 EE 01 0F B6 45 EE 3B 45 D4 7C 04 C6 45 EE 00 80 45 FF 01 80 7D FF 00 }
        // function prologue spilling three arguments, then `cmp dword [rbp-0x24],0 ; jnz`
        $code_prologue = { 55 48 89 E5 48 83 EC 30 89 7D EC 48 89 75 E0 89 55 DC 83 7D DC 00 75 0? }
        // two indexed byte loads added together (`lea eax,[rdx+rax]`) -- keystream mixing
        $code_keymix = { E8 A? FE FF FF 0F B6 45 F6 48 03 45 E8 0F B6 10 0F B6 45 F7 48 03 45 E8 0F B6 00 8D 04 02 }
        // 0x100/0x101 buffer bookkeeping, the same routine the Generic rule keys on
        $code_buf = { C6 80 01 01 00 00 00 48 8B 45 C8 0F B6 90 01 01 00 00 48 8B 45 C8 88 90 00 01 00 00 C6 45 EF 00 0F B6 45 EF 88 45 EE }
    condition:
        // uint16(0) == 0x457f is the first two bytes of "\x7fELF"
        (uint16(0) == 0x457f and filesize < 80KB and 2 of them)
        or 5 of them
}