
YARA rules for APT29

144 rules · scoped to actor · back to APT29
YARA rules whose family, name, or description matches this actor or its tooling. Use these for binary-pattern hunts.

YARA rules

44 of 144
direct APT29
APT_APT29_wellmess_dotnet_unique_strings
Rule to detect WellMess .NET samples based on unique strings and function/variable names
author NCSC license see source repo
rule APT_APT29_wellmess_dotnet_unique_strings {
   meta:
      description = "Rule to detect WellMess .NET samples based on unique strings and function/variable names"
      author = "NCSC"
      reference = "https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development"
      hash = "2285a264ffab59ab5a1eb4e2b9bcab9baf26750b6c551ee3094af56a4442ac41"
      id = "7a058ec7-f795-5226-b511-ff469a969ee6"
   strings:
      $s1 = "HealthInterval" wide
      $s2 = "Hello from Proxy" wide 
      $s3 = "Start bot:" wide
      $s4 = "FromNormalToBase64" ascii 
      $s5 = "FromBase64ToNormal" ascii 
      $s6 = "WellMess" ascii
   condition:
      uint16(0) == 0x5a4d and uint16(uint16(0x3c)) == 0x4550 and 3 of them
}
direct fnv1a
APT_fnv1a_plus_extra_XOR_in_MSIL_experimental
This rule detects the specific MSIL implementation of fnv1a of the SUNBURST backdoor (standard fnv1a + one final XOR before RET) independent of the XOR-string. (fnv64a_offset and fnv64a_prime are standard constants in the fnv1a hashing algorithm.)
author Arnim Rupp license see source repo
rule APT_fnv1a_plus_extra_XOR_in_MSIL_experimental
{
    meta:
        description = "This rule detects the specific MSIL implementation of fnv1a of the SUNBURST backdoor (standard fnv1a + one final XOR before RET) independent of the XOR-string. (fnv64a_offset and fnv64a_prime are standard constants in the fnv1a hashing algorithm.)"
        reference = "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html"
        author = "Arnim Rupp"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        date = "2020-12-22"
        hash1 = "32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77"
        hash2 = "ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6"
        hash3 = "019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134"
        id = "5505f7ff-eca5-5274-bdd1-dbbd648c3ccc"
    strings:
        $fnv64a_offset = { 25 23 22 84 e4 9c f2 cb }
        $fnv64a_prime_plus_gap_plus_xor_ret = { B3 01 00 00 00 01 [8-40] 61 2A 00 00 }

        // use for less false positives, xor before fnv1a prime
        //$fnv64a_prime_plus_gap_plus_xor_ret = { 61 [0-3] B3 01 00 00 00 01 [8-40] 61 2A }
        // even less false positives, not sure if it misses beef
        //$fnv64a_prime_plus_gap_plus_xor_ret = { 61 [0-3] B3 01 00 00 00 01 [8-40] 61 2A 00 00 }
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
direct TEST
TEST_false_positive_plain_fnv1a_in_x64
This rule detects x64 implementations of standard fnv1a just by looking for the standard fnv64a_offset and fnv64a_prime (unless bitshifting is used instead of multiplication). This rule would have found the SUNBURST backdoor at Solarwinds but will also find any other program which implements fnv1a. Just useful for developers, pls check if that fnv1a was put there by you ;)
author Arnim Rupp license see source repo
rule TEST_false_positive_plain_fnv1a_in_x64
{
    meta:
        description = "This rule detects x64 implementations of standard fnv1a just by looking for the standard fnv64a_offset and fnv64a_prime (unless bitshifting is used instead of multiplication). This rule would have found the SUNBURST backdoor at Solarwinds but will also find any other programm which implements fnv1a. Just useful for developers, pls check if that fnv1a was put there by you ;)"
        reference = "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html"
        author = "Arnim Rupp"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        date = "2020-12-22"
        score = 10
    strings:
        $fnv64a_offset = { 25 23 22 84 e4 9c f2 cb }
        $fnv64a_prime = { B3 01 00 00 00 01 }
    condition:
        // MZ or ELF
        ( uint16(0) == 0x5a4d or uint32be(0) == 0x7f454c46 ) and all of them
}
direct Solarwinds
SUSP_Solarwinds_SUNBURST_Revoked_Cert
Detects executables signed with a compromised certificate after 2019 (it doesn't mean that the
license see source repo
import "pe"

rule SUSP_Solarwinds_SUNBURST_Revoked_Cert {
   meta:
      description = "Detects executables signed with a compromised certificate after 2019 (it doesn't mean that the "
      date = "2020-12-14"
      reference = "https://github.com/fireeye/sunburst_countermeasures/pull/3#issuecomment-747156202"
      score = 50
   condition:
      uint16(0) == 0x5a4d and
      for any i in (0 .. pe.number_of_signatures) : (
         pe.signatures[i].issuer contains "Symantec Class 3 SHA256 Code Signing CA" and
         pe.signatures[i].serial == "0f:e9:73:75:20:22:a6:06:ad:f2:a3:6e:34:5d:c0:ed" and
         // valid after Tuesday, January 1, 2019 0:00:00
         pe.signatures[i].not_before > 1546300800
      )
}
direct LOG
LOG_APT_WEBSHELL_Solarwinds_SUNBURST_Report_Webshell_Dec20_2
Detects webshell access mentioned in FireEye's SUNBURST report
author Florian Roth (Nextron Systems) license see source repo
rule LOG_APT_WEBSHELL_Solarwinds_SUNBURST_Report_Webshell_Dec20_2 {
   meta:
      description = "Detects webshell access mentioned in FireEye's SUNBURST report"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://www.guidepointsecurity.com/supernova-solarwinds-net-webshell-analysis/"
      date = "2020-12-21"
      id = "fb86164d-13de-5357-8f52-c597b51127ff"
   strings:
      $xr1 = /logoimagehandler.ashx[^\n\s]{1,400}clazz=/ ascii wide
   condition:
      $xr1
}
direct SUNBURST
APT_Backdoor_SUNBURST_1
This rule is looking for portions of the SUNBURST backdoor that are vital to how it functions. The first signature fnv_xor matches a magic byte xor that the sample performs on process, service, and driver names/paths. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services.
author FireEye license see source repo
rule APT_Backdoor_SUNBURST_1
{
    meta:
        author = "FireEye"
        description = "This rule is looking for portions of the SUNBURST backdoor that are vital to how it functions. The first signature fnv_xor matches a magic byte xor that the sample performs on process, service, and driver names/paths. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services."
        reference = "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html"
        date = "2020-12-14"
        score = 85
        id = "74b44844-5575-53d7-819b-ab1b2327a144"
    strings:
        $cmd_regex_encoded = "U4qpjjbQtUzUTdONrTY2q42pVapRgooABYxQuIZmtUoA" wide
        $cmd_regex_plain = { 5C 7B 5B 30 2D 39 61 2D 66 2D 5D 7B 33 36 7D 5C 7D 22 7C 22 5B 30 2D 39 61 2D 66 5D 7B 33 32 7D 22 7C 22 5B 30 2D 39 61 2D 66 5D 7B 31 36 7D }
        $fake_orion_event_encoded = "U3ItS80rCaksSFWyUvIvyszPU9IBAA==" wide
        $fake_orion_event_plain = { 22 45 76 65 6E 74 54 79 70 65 22 3A 22 4F 72 69 6F 6E 22 2C }
        $fake_orion_eventmanager_encoded = "U3ItS80r8UvMTVWyUgKzfRPzEtNTi5R0AA==" wide
        $fake_orion_eventmanager_plain = { 22 45 76 65 6E 74 4E 61 6D 65 22 3A 22 45 76 65 6E 74 4D 61 6E 61 67 65 72 22 2C }
        $fake_orion_message_encoded = "U/JNLS5OTE9VslKqNqhVAgA=" wide
        $fake_orion_message_plain = { 22 4D 65 73 73 61 67 65 22 3A 22 7B 30 7D 22 }
        $fnv_xor = { 67 19 D8 A7 3B 90 AC 5B }
    condition:
        $fnv_xor and ($cmd_regex_encoded or $cmd_regex_plain) or ( ($fake_orion_event_encoded or $fake_orion_event_plain) and ($fake_orion_eventmanager_encoded or $fake_orion_eventmanager_plain) and ($fake_orion_message_encoded and $fake_orion_message_plain) )
}
direct SUNBURST
APT_Backdoor_SUNBURST_2
The SUNBURST backdoor uses a domain generation algorithm (DGA) as part of C2 communications. This rule is looking for each branch of the code that checks for which HTTP method is being used. This is in one large conjunction, and all branches are then tied together via disjunction. The grouping is intentionally designed so that if any part of the DGA is re-used in another sample, this signature should match that re-used portion. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services.
author FireEye license see source repo
rule APT_Backdoor_SUNBURST_2
{
    meta:
        author = "FireEye"
        description = "The SUNBURST backdoor uses a domain generation algorithm (DGA) as part of C2 communications. This rule is looking for each branch of the code that checks for which HTTP method is being used. This is in one large conjunction, and all branches are then tied together via disjunction. The grouping is intentionally designed so that if any part of the DGA is re-used in another sample, this signature should match that re-used portion. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services."
        reference = "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html"
        date = "2020-12-14"
        score = 85
        id = "329071d5-c9c6-5ae1-a514-aea9f4037bac"
    strings:
        $a = "0y3Kzy8BAA==" wide
        $aa = "S8vPKynWL89PS9OvNqjVrTYEYqNa3fLUpDSgTLVxrR5IzggA" wide
        $ab = "S8vPKynWL89PS9OvNqjVrTYEYqPaauNaPZCYEQA=" wide
        $ac = "C88sSs1JLS4GAA==" wide
        $ad = "C/UEAA==" wide
        $ae = "C89MSU8tKQYA" wide
        $af = "8wvwBQA=" wide
        $ag = "cyzIz8nJBwA=" wide
        $ah = "c87JL03xzc/LLMkvysxLBwA=" wide
        $ai = "88tPSS0GAA==" wide
        $aj = "C8vPKc1NLQYA" wide
        $ak = "88wrSS1KS0xOLQYA" wide
        $al = "c87PLcjPS80rKQYA" wide
        $am = "Ky7PLNAvLUjRBwA=" wide
        $an = "06vIzQEA" wide
        $b = "0y3NyyxLLSpOzIlPTgQA" wide
        $c = "001OBAA=" wide
        $d = "0y0oysxNLKqMT04EAA==" wide
        $e = "0y3JzE0tLknMLQAA" wide
        $f = "003PyU9KzAEA" wide
        $h = "0y1OTS4tSk1OBAA=" wide
        $i = "K8jO1E8uytGvNqitNqytNqrVA/IA" wide
        $j = "c8rPSQEA" wide
        $k = "c8rPSfEsSczJTAYA" wide
        $l = "c60oKUp0ys9JAQA=" wide
        $m = "c60oKUp0ys9J8SxJzMlMBgA=" wide
        $n = "8yxJzMlMBgA=" wide
        $o = "88lMzygBAA==" wide
        $p = "88lMzyjxLEnMyUwGAA==" wide
        $q = "C0pNL81JLAIA" wide
        $r = "C07NzXTKz0kBAA==" wide
        $s = "C07NzXTKz0nxLEnMyUwGAA==" wide
        $t = "yy9IzStOzCsGAA==" wide
        $u = "y8svyQcA" wide
        $v = "SytKTU3LzysBAA==" wide
        $w = "C84vLUpOdc5PSQ0oygcA" wide
        $x = "C84vLUpODU4tykwLKMoHAA==" wide
        $y = "C84vLUpO9UjMC07MKwYA" wide
        $z = "C84vLUpO9UjMC04tykwDAA==" wide
    condition:
        ($a and $b and $c and $d and $e and $f and $h and $i) or ($j and $k and $l and $m and $n and $o and $p and $q and $r and $s and ($aa or $ab)) or ($t and $u and $v and $w and $x and $y and $z and ($aa or $ab)) or ($ac and $ad and $ae and $af and $ag and $ah and ($am or $an)) or ($ai and $aj and $ak and $al and ($am or $an))
}
direct Dropper
APT_Dropper_Raw64_TEARDROP_1
This rule looks for portions of the TEARDROP backdoor that are vital to how it functions. TEARDROP is a memory only dropper that can read files and registry keys, XOR decode an embedded payload, and load the payload into memory. TEARDROP persists as a Windows service and has been observed dropping Cobalt Strike BEACON into memory.
author FireEye license see source repo
rule APT_Dropper_Raw64_TEARDROP_1
{
    meta:
        author = "FireEye"
        description = "This rule looks for portions of the TEARDROP backdoor that are vital to how it functions. TEARDROP is a memory only dropper that can read files and registry keys, XOR decode an embedded payload, and load the payload into memory. TEARDROP persists as a Windows service and has been observed dropping Cobalt Strike BEACON into memory."
        reference = "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html"
        date = "2020-12-14"
        score = 85
        id = "88adad58-ba16-5996-9ea8-ea356c3ed5b2"
    strings:
        $sb1 = { C7 44 24 ?? 80 00 00 00 [0-64] BA 00 00 00 80 [0-32] 48 8D 0D [4-32] FF 15 [4] 48 83 F8 FF [2-64] 41 B8 40 00 00 00 [0-64] FF 15 [4-5] 85 C0 7? ?? 80 3D [4] FF }
        $sb2 = { 80 3D [4] D8 [2-32] 41 B8 04 00 00 00 [0-32] C7 44 24 ?? 4A 46 49 46 [0-32] E8 [4-5] 85 C0 [2-32] C6 05 [4] 6A C6 05 [4] 70 C6 05 [4] 65 C6 05 [4] 67 }
        $sb3 = { BA [4] 48 89 ?? E8 [4] 41 B8 [4] 48 89 ?? 48 89 ?? E8 [4] 85 C0 7? [1-32] 8B 44 24 ?? 48 8B ?? 24 [1-16] 48 01 C8 [0-32] FF D0 }
    condition:
        all of them
}
direct Dropper
APT_Dropper_Win64_TEARDROP_1
This rule is intended to match specific sequences of opcode found within TEARDROP, including those that decode the embedded payload. TEARDROP is a memory only dropper that can read files and registry keys, XOR decode an embedded payload, and load the payload into memory. TEARDROP persists as a Windows service and has been observed dropping Cobalt Strike BEACON into memory. (comment by Nextron: prone to False Positives)
author FireEye license see source repo
rule APT_Dropper_Win64_TEARDROP_1
{
    meta:
        author = "FireEye"
        description = "This rule is intended match specific sequences of opcode found within TEARDROP, including those that decode the embedded payload. TEARDROP is a memory only dropper that can read files and registry keys, XOR decode an embedded payload, and load the payload into memory. TEARDROP persists as a Windows service and has been observed dropping Cobalt Strike BEACON into memory. (comment by Nextron: prone to False Positives)"
        reference = "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html"
        date = "2020-12-14"
        score = 70
        id = "15dfdb74-5ca3-5bc6-be7a-730333b03ba5"
    strings:
        $loc_4218FE24A5 = { 48 89 C8 45 0F B6 4C 0A 30 }
        $loc_4218FE36CA = { 48 C1 E0 04 83 C3 01 48 01 E8 8B 48 28 8B 50 30 44 8B 40 2C 48 01 F1 4C 01 FA }
        $loc_4218FE2747 = { C6 05 ?? ?? ?? ?? 6A C6 05 ?? ?? ?? ?? 70 C6 05 ?? ?? ?? ?? 65 C6 05 ?? ?? ?? ?? 67 }
        $loc_5551D725A0 = { 48 89 C8 45 0F B6 4C 0A 30 48 89 CE 44 89 CF 48 F7 E3 48 C1 EA 05 48 8D 04 92 48 8D 04 42 48 C1 E0 04 48 29 C6 }
        $loc_5551D726F6 = { 53 4F 46 54 57 41 52 45 ?? ?? ?? ?? 66 74 5C 43 ?? ?? ?? ?? 00 }
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
direct CrowdStrike
CrowdStrike_SUNSPOT_01
Detects RC4 and AES key encryption material in SUNSPOT
author (c) 2021 CrowdStrike Inc. license see source repo
rule CrowdStrike_SUNSPOT_01 : artifact stellarparticle sunspot {

    meta:
        author = "(c) 2021 CrowdStrike Inc."
        description = "Detects RC4 and AES key encryption material in SUNSPOT"
        reference = "https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/"
        version = "202101081448"
        date = "2021-01-08"
        actor = "StellarParticle"
        malware_family = "SUNSPOT"

        id = "2a2a5cfc-d059-5942-bd70-c3169e9ceb45"
    strings:

        $key = {fc f3 2a 83 e5 f6 d0 24 a6 bf ce 88 30 c2 48 e7}
        $iv  = {81 8c 85 49 b9 00 06 78 0b e9 63 60 26 64 b2 da}

    condition:
        all of them and filesize < 32MB

}
direct CrowdStrike
CrowdStrike_SUNSPOT_02
Detects mutex names in SUNSPOT
license see source repo
rule CrowdStrike_SUNSPOT_02 : artifact stellarparticle sunspot
{

    meta:
        copyright = "(c) 2021 CrowdStrike Inc."
        description = "Detects mutex names in SUNSPOT"
        version = "202101081448"
        date = "2021-01-08"
        actor = "StellarParticle"
        malware_family = "SUNSPOT"
        reference = "https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/"

        id = "9ecb89e6-475b-5961-8a67-136a0274e1c7"
    strings:
        $mutex_01 = "{12d61a41-4b74-7610-a4d8-3028d2f56395}" wide ascii
        $mutex_02 = "{56331e4d-76a3-0390-a7ee-567adf5836b7}" wide ascii

    condition:
        any of them and filesize < 10MB

}
direct CrowdStrike
CrowdStrike_SUNSPOT_03
Detects log format lines in SUNSPOT
license see source repo
rule CrowdStrike_SUNSPOT_03 : artifact logging stellarparticle sunspot
{

    meta:
        copyright = "(c) 2021 CrowdStrike Inc."
        description = "Detects log format lines in SUNSPOT"
        version = "202101081443"
        last_modified = "2021-01-08"
        actor = "StellarParticle"
        malware_family = "SUNSPOT"

        id = "5535163e-a85a-587d-bb6e-083783f915c9"
    strings:
        $s01 = "[ERROR] ***Step1('%ls','%ls') fails with error %#x***\x0A" ascii
        $s02 = "[ERROR] Step2 fails\x0A" ascii
        $s03 = "[ERROR] Step3 fails\x0A" ascii
        $s04 = "[ERROR] Step4('%ls') fails\x0A" ascii
        $s05 = "[ERROR] Step5('%ls') fails\x0A" ascii
        $s06 = "[ERROR] Step6('%ls') fails\x0A" ascii
        $s07 = "[ERROR] Step7 fails\x0A" ascii
        $s08 = "[ERROR] Step8 fails\x0A" ascii
        $s09 = "[ERROR] Step9('%ls') fails\x0A" ascii
        $s10 = "[ERROR] Step10('%ls','%ls') fails with error %#x\x0A" ascii
        $s11 = "[ERROR] Step11('%ls') fails\x0A" ascii
        $s12 = "[ERROR] Step12('%ls','%ls') fails with error %#x\x0A" ascii
        $s13 = "[ERROR] Step30 fails\x0A" ascii
        $s14 = "[ERROR] Step14 fails with error %#x\x0A" ascii
        $s15 = "[ERROR] Step15 fails\x0A" ascii
        $s16 = "[ERROR] Step16 fails\x0A" ascii
        $s17 = "[%d] Step17 fails with error %#x\x0A" ascii
        $s18 = "[%d] Step18 fails with error %#x\x0A" ascii
        $s19 = "[ERROR] Step19 fails with error %#x\x0A" ascii
        $s20 = "[ERROR] Step20 fails\x0A" ascii
        $s21 = "[ERROR] Step21(%d,%s,%d) fails\x0A" ascii
        $s22 = "[ERROR] Step22 fails with error %#x\x0A" ascii
        $s23 = "[ERROR] Step23 fails with error %#x\x0A" ascii
        $s24 = "[%d] Solution directory: %ls\x0A" ascii
        $s25 = "[%d] %04d-%02d-%02d %02d:%02d:%02d:%03d %ls\x0A" ascii
        $s26 = "[%d] + '%s' " ascii

    condition:
        2 of them and filesize < 10MB
}
direct APT29
APT_APT29_Win_FlipFlop_LDR
A loader for the CobaltStrike malware family, which ultimately takes the first and second bytes of an embedded file, and flips them prior to executing the resulting payload.
author threatintel@volexity.com license see source repo
rule APT_APT29_Win_FlipFlop_LDR : APT29 {
   meta:
      author = "threatintel@volexity.com"
      date = "2021-05-25"
      description = "A loader for the CobaltStrike malware family, which ultimately takes the first and second bytes of an embedded file, and flips them prior to executing the resulting payload."
      hash = "ee42ddacbd202008bcc1312e548e1d9ac670dd3d86c999606a3a01d464a2a330"
      reference = "https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/"
      id = "58696a6f-55a9-5212-9372-a539cc327e6b"
   strings:
      $s1 = "irnjadle"
      $s2 = "BADCFEHGJILKNMPORQTSVUXWZY"
      $s3 = "iMrcsofo taBesC yrtpgoarhpciP orived r1v0."
   condition:
      all of ($s*)
}
direct APT29
APT_APT29_NOBELIUM_JS_EnvyScout_May21_1
Detects EnvyScout deobfuscator code as used by NOBELIUM group
author Florian Roth (Nextron Systems) license see source repo
rule APT_APT29_NOBELIUM_JS_EnvyScout_May21_1 {
   meta:
      description = "Detects EnvyScout deobfuscator code as used by NOBELIUM group"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/"
      date = "2021-05-29"
      id = "42739aad-a88a-545b-8256-1f727c79c4f8"
   strings:
      $x1 = "[i].charCodeAt(0) ^ 2);}"
   condition:
      filesize < 5000KB and 1 of them
}
direct APT29
APT_APT29_NOBELIUM_JS_EnvyScout_May21_2
Detects EnvyScout deobfuscator code as used by NOBELIUM group
author Florian Roth (Nextron Systems) license see source repo
rule APT_APT29_NOBELIUM_JS_EnvyScout_May21_2 {
   meta:
      description = "Detects EnvyScout deobfuscator code as used by NOBELIUM group"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/"
      date = "2021-05-29"
      id = "d5cf3365-fe24-533a-a678-b5b6d4d99997"
   strings:
      $s1 = "saveAs(blob, " ascii
      $s2 = ".iso\");" ascii
      $s3 = "application/x-cd-image" ascii
      $s4 = ".indexOf(\"Win\")!=-1" ascii
   condition:
      filesize < 5000KB and all of them
}
direct APT29
APT_APT29_NOBELIUM_LNK_NV_Link_May21_2
Detects NV Link as used by NOBELIUM group
author Florian Roth (Nextron Systems) license see source repo
rule APT_APT29_NOBELIUM_LNK_NV_Link_May21_2 {
   meta:
      description = "Detects NV Link as used by NOBELIUM group"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/"
      date = "2021-05-29"
      id = "52c2caf9-13df-5614-9c9e-afcd76ec77f9"
   strings:
      $s1 = "RegisterOCX BOOM" ascii wide
      $s2 = "cmd.exe /c start BOOM.exe" ascii wide
   condition:
      filesize < 5000KB and 1 of them
}
direct APT29
APT_APT29_NOBELIUM_LNK_Samples_May21_1
Detects link file characteristics as described in APT29 NOBELIUM report
author Florian Roth (Nextron Systems) license see source repo
rule APT_APT29_NOBELIUM_LNK_Samples_May21_1 {
   meta:
      description = "Detects link file characteristics as described in APT29 NOBELIUM report"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/"
      date = "2021-05-27"
      score = 85
      hash1 = "24caf54e7c3fe308444093f7ac64d6d520c8f44ea4251e09e24931bdb72f5548"
      id = "c807ab5a-f66a-5622-81b1-6e69b6df8446"
   strings:
      $a1 = "rundll32.exe" wide

      $sa1 = "IMGMountingService.dll" wide
      $sa2 = "MountImgHelper" wide

      $sb1 = "diassvcs.dll" wide
      $sb2 = "InitializeComponent" wide

      $sc1 = "MsDiskMountService.dll" wide 
      $sc2 = "DiskDriveIni" wide

      $sd1 = "GraphicalComponent.dll" wide
      $sd2 = "VisualServiceComponent" wide

      $se1 = "data/mstu.dll,MicrosoftUpdateService" wide
   condition:
      uint16(0) == 0x004c and
      filesize < 4KB and $a1 and 
      ( all of ($sa*) or all of ($sb*) or all of ($sc*) or all of ($sd*) or all of ($se*) )
}
direct APT29
APT_APT29_NOBELIUM_BoomBox_May21_1
Detects BoomBox malware as described in APT29 NOBELIUM report
author Florian Roth license see source repo
rule APT_APT29_NOBELIUM_BoomBox_May21_1 {
   meta:
      description = "Detects BoomBox malware as described in APT29 NOBELIUM report"
      author = "Florian Roth"
      reference = "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/"
      date = "2021-05-27"
      modified = "2025-03-20"
      score = 85
      hash = "8199f309478e8ed3f03f75e7574a3e9bce09b4423bd7eb08bb5bff03af2b7c27"
      id = "1a14dcf7-81be-5a74-a530-caf6268d1976"
   strings:
      // PowerShell tool - e1765eafb68fc6034575f126b014fcad6bb043c2961823b7cef5f711e9e01d1c
      $a1 = "]::FromBase64String($" ascii wide

      $xa1 = "123do3y4r378o5t34onf7t3o573tfo73" ascii wide fullword
      $xa2 = "1233t04p7jn3n4rg" ascii wide fullword

      $s1 = "\\Release\\BOOM.pdb" ascii
      $s2 = "/files/upload" ascii
      $s3 = "/tmp/readme.pdf" ascii fullword
      $s4 = "/new/{0}" ascii fullword
      $s5 = "(&(objectClass=user)(objectCategory=person))"
   condition:
      ( 
         uint16(0) == 0x5a4d 
         or 1 of ($a*) 
      )
      and (
         1 of ($x*)
         or 3 of ($s*)
      )
}
direct APT29
APT_APT29_NOBELIUM_BoomBox_PDF_Masq_May21_1
Detects PDF documents as used by BoomBox as described in APT29 NOBELIUM report
author Florian Roth (Nextron Systems) license see source repo
import "math"

rule APT_APT29_NOBELIUM_BoomBox_PDF_Masq_May21_1 {
   meta:
      description = "Detects PDF documents as used by BoomBox as described in APT29 NOBELIUM report"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/"
      date = "2021-05-27"
      score = 70
      id = "bdfb9600-edda-5c8c-ab23-14fb71c8e647"
   strings:
      $ah1 = { 25 50 44 46 2d 31 2e 33 0a 25 } /* PDF Header */
      $af1 = { 0a 25 25 45 4f 46 0a } /* EOF */

      $fp1 = "endobj" ascii
      $fp2 = "endstream" ascii
      $fp3 = { 20 6F 62 6A 0A } /*  obj\x0a */
   condition:
      $ah1 at 0 and $af1 at (filesize-7) and filesize < 100KB
      and not 1 of ($fp*)
      and math.entropy(16,filesize) > 7
}
direct APT29
APT_APT29_NOBELIUM_NativeZone_Loader_May21_1
Detects NativeZone loader as described in APT29 NOBELIUM report
author Florian Roth (Nextron Systems) license see source repo
rule APT_APT29_NOBELIUM_NativeZone_Loader_May21_1 {
   meta:
      description = "Detects NativeZone loader as described in APT29 NOBELIUM report"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/"
      date = "2021-05-27"
      score = 85
      hash1 = "136f4083b67bc8dc999eb15bb83042aeb01791fc0b20b5683af6b4ddcf0bbc7d"
      id = "02d9257d-f439-5071-96b0-a973b088e329"
   strings:
      $s1 = "\\SystemCertificates\\Lib\\CertPKIProvider.dll" ascii
      $s2 = "rundll32.exe %s %s" ascii fullword
      $s3 = "eglGetConfigs" ascii fullword

      $op1 = { 80 3d 74 8c 01 10 00 0f 85 96 00 00 00 33 c0 40 b9 6c 8c 01 10 87 01 33 db 89 5d fc }
      $op2 = { 8b 46 18 e9 30 ff ff ff 90 87 2f 00 10 90 2f 00 10 }
      $op3 = { e8 14 dd ff ff 8b f1 80 3d 74 8c 01 10 00 0f 85 96 00 00 00 33 c0 40 b9 6c 8c 01 10 87 01 }
   condition:
      uint16(0) == 0x5a4d and
      filesize < 3000KB and 3 of them or 4 of them
}
direct APT29
APT_APT29_NOBELIUM_BoomBox_May21_2
Detects BoomBox malware used by APT29 / NOBELIUM
author Florian Roth (Nextron Systems) license see source repo
rule APT_APT29_NOBELIUM_BoomBox_May21_2 {
   meta:
      description = "Detects BoomBox malware used by APT29 / NOBELIUM"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/"
      date = "2021-05-29"
      hash1 = "0acb884f2f4cfa75b726cb8290b20328c8ddbcd49f95a1d761b7d131b95bafec"
      hash2 = "8199f309478e8ed3f03f75e7574a3e9bce09b4423bd7eb08bb5bff03af2b7c27"
      hash3 = "cf1d992f776421f72eabc31d5afc2f2067ae856f1c9c1d6dc643a67cb9349d8c"
      id = "a4144c00-48b2-5520-b773-5d0a5de95fb1"
   strings:
      $x1 = "\\Microsoft\\NativeCache\\NativeCacheSvc.dll" wide
      $x2 = "\\NativeCacheSvc.dll _configNativeCache" wide
      
      $a1 = "/content.dropboxapi.com" wide fullword
      
      $s1 = "rundll32.exe {0} {1}" wide fullword
      $s2 = "\\\\CertPKIProvider.dll" wide
      $s3 = "/tmp/readme.pdf" wide
      $s4 = "temp/[^\"]*)\"" wide fullword

      $op1 = { 00 78 00 2d 00 41 00 50 00 49 00 2d 00 41 00 72 00 67 00 01 2f 4f 00 72 00 }
      $op2 = { 25 72 98 01 00 70 6f 34 00 00 0a 25 6f 35 00 00 0a 72 71 02 00 70 72 }
      $op3 = { 4d 05 20 00 12 80 91 04 20 01 08 0e 04 20 00 12 }
   condition:
      uint16(0) == 0x5a4d and
      filesize < 40KB and
      3 of them or 4 of them
}
direct APT29
APT_APT29_NOBELIUM_Malware_May21_2
Detects malware used by APT29 / NOBELIUM
author Florian Roth (Nextron Systems) license see source repo
rule APT_APT29_NOBELIUM_Malware_May21_2 {
   meta:
      description = "Detects malware used by APT29 / NOBELIUM"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/"
      date = "2021-05-29"
      hash1 = "292e5b0a12fea4ff3fc02e1f98b7a370f88152ce71fe62670dd2f5edfaab2ff8"
      hash2 = "776014a63bf3cc7034bd5b6a9c36c75a930b59182fe232535bb7a305e539967b"
      id = "b1462b4b-227f-5aeb-92ea-bda6a86831c7"
   strings:
      $op1 = { 48 03 c8 42 0f b6 04 21 88 03 0f b6 43 01 8b c8 83 e0 0f 48 83 e1 f0 48 03 c8 }
      $op2 = { 48 03 c8 42 0f b6 04 21 88 43 01 41 0f b6 c7 8b c8 83 e0 0f 48 83 e1 f0 48 03 c8 }
      $op3 = { 45 0f b6 43 ff 41 8b c2 99 44 88 03 41 0f b6 2b 83 e2 03 03 c2 40 88 6b 01 }
   condition:
      filesize < 2200KB and
      all of them
}
direct APT29
APT_APT29_NOBELIUM_Stageless_Loader_May21_2
Detects stageless loader as used by APT29 / NOBELIUM
author Florian Roth (Nextron Systems) license see source repo
rule APT_APT29_NOBELIUM_Stageless_Loader_May21_2 {
   meta:
      description = "Detects stageless loader as used by APT29 / NOBELIUM"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/"
      date = "2021-05-29"
      hash1 = "a4f1f09a2b9bc87de90891da6c0fca28e2f88fd67034648060cef9862af9a3bf"
      hash2 = "c4ff632696ec6e406388e1d42421b3cd3b5f79dcb2df67e2022d961d5f5a9e78"
      id = "7b83d327-52fc-5401-ae35-00f6b825678a"
   strings:
      $x1 = "DLL_stageless.dll" ascii fullword
      
      $s1 = "c:\\users\\devuser\\documents" ascii fullword nocase
      $s2 = "VisualServiceComponent" ascii fullword
      $s3 = "CheckUpdteFrameJavaCurrentVersion" ascii fullword

      $op1 = { a3 d? 6? 04 10 ff d6 33 05 00 ?0 0? 10 68 d8 d4 00 10 57 a3 d? 6? 04 10 ff d6 33 05 00 ?0 0? 10 }
      $op2 = { ff d6 33 05 00 ?0 0? 10 68 d8 d4 00 10 57 a3 d? 6? 04 10 ff d6 33 05 00 ?0 0? 10 68 e8 d4 00 10 }
   condition:
      uint16(0) == 0x5a4d and
      filesize < 900KB and
      2 of them or 3 of them
}
direct APT29
APT_APT29_NOBELIUM_Malware_May21_3
Detects malware used by APT29 / NOBELIUM
author Florian Roth (Nextron Systems) license see source repo
rule APT_APT29_NOBELIUM_Malware_May21_3 {
   meta:
      description = "Detects malware used by APT29 / NOBELIUM"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/"
      date = "2021-05-29"
      hash1 = "2a352380d61e89c89f03f4008044241a38751284995d000c73acf9cad38b989e"
      id = "89cb6884-4242-5b5a-b0ac-b31041dd261c"
   strings:
      $s1 = "Win32Project1.dll" ascii fullword

      $op1 = { 59 c3 6a 08 68 70 5e 01 10 e8 d2 8c ff ff 8b 7d 08 8b c7 c1 f8 05 }
      $op2 = { 8d 4d f0 e8 c4 12 00 00 68 64 5b 01 10 8d 45 f0 c7 45 f0 6c 01 01 10 50 e8 ea 13 00 00 cc }
      $op4 = { 40 c3 8b 65 e8 e8 a6 86 ff ff cc 6a 0c 68 88 60 01 10 e8 b0 4d ff ff }

      $xc1 = { 25 73 25 73 00 00 00 00 2F 65 2C 20 00 00 00 00
               43 00 3A 00 5C 00 77 00 69 00 6E 00 64 00 6F 00
               77 00 73 00 5C 00 65 00 78 00 70 00 6C 00 6F 00
               72 00 65 00 72 00 2E 00 65 00 78 00 65 }
   condition:
      filesize < 3000KB and
      ( $xc1 or 3 of them )
}
direct APT29
APT_APT29_NOBELIUM_Malware_May21_4
Detects malware used by APT29 / NOBELIUM
author Florian Roth (Nextron Systems) license see source repo
rule APT_APT29_NOBELIUM_Malware_May21_4 {
   meta:
      description = "Detects malware used by APT29 / NOBELIUM"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/"
      date = "2021-05-29"
      hash1 = "3b94cc71c325f9068105b9e7d5c9667b1de2bde85b7abc5b29ff649fd54715c4"
      id = "56193475-52b4-5720-abc5-72249e2a0c37"
   strings:
      $s1 = "KM.FileSystem.dll" ascii fullword

      $op1 = { 80 3d 50 6b 04 10 00 0f 85 96 00 00 00 33 c0 40 b9 48 6b 04 10 87 01 33 db 89 5d fc }
      $op2 = { c3 33 c0 b9 7c 6f 04 10 40 87 01 c3 8b ff 55 }
      $op3 = { 8d 4d f4 e8 53 ff ff ff 68 d0 22 01 10 8d 45 f4 50 e8 d8 05 00 00 cc 8b 41 04 }

      $xc1 = { 2E 64 6C 6C 00 00 00 00 41 53 4B 4F 44 00 00 00
               53 75 63 63 65 73 73 }
   condition:
      uint16(0) == 0x5a4d and
      filesize < 3000KB and
      ( $xc1 or 3 of them )
}
direct
IMPLANT_7_v1
Implant 7 by APT29
author US CERT license see source repo
rule IMPLANT_7_v1 {
   meta:
      description = "Implant 7 by APT29"
      author = "US CERT"
      reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
      date = "2017-02-10"
      score = 85
      id = "ce83c157-af03-55cb-a2be-0b6543fedb5b"
   strings:
      $STR1 = { 8A 44 0A 03 32 C3 0F B6 C0 66 89 04 4E 41 3B CF 72 EE }
      $STR2 = { F3 0F 6F 04 08 66 0F EF C1 F3 0F 7F 04 11 83 C1 10 3B CF 72 EB }
   condition:
      (uint16(0) == 0x5A4D) and ($STR1 or $STR2)
}
direct
IMPLANT_9_v1
Onion Duke Implant by APT29
author US CERT license see source repo
rule IMPLANT_9_v1 {
   meta:
      description = "Onion Duke Implant by APT29"
      author = "US CERT"
      reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
      date = "2017-02-10"
      modified = "2025-07-01"
      score = 85
      id = "5460ff29-681b-5d11-a6ba-5f294e8577e6"
   strings:
      $STR1 = { 8B 03 8A 54 01 03 32 55 FF 41 88 54 39 FF 3B CE 72 EE }
      $STR2 = { 8B C8 83 E1 03 8A 54 19 08 8B 4D 08 32 54 01 04 40 88 54 38 FF
         3B C6 72 E7 }
      $STR3 = { 8B 55 F8 8B C8 83 E1 03 8A 4C 11 08 8B 55 FC 32 0C 10 8B 17 88
         4C 02 04 40 3B 06 72 E3 }
   condition:
      uint16(0) == 0x5A4D and all of them
}
direct
IMPLANT_11_v12
Mini Duke Implant by APT29
author US CERT license see source repo
rule IMPLANT_11_v12 {
   meta:
      description = "Mini Duke Implant by APT29"
      author = "US CERT"
      reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
      date = "2017-02-10"
      score = 85
   strings:
      // Four dword fragments of the string "VirtualProtect", stored in reverse order
      $STR1 = {63 74 00 00} // "ct\0\0"
      $STR2 = {72 6F 74 65} // "rote"
      $STR3 = {75 61 6C 50} // "ualP"
      $STR4 = {56 69 72 74} // "Virt"
      $STR5 = { e8 00 00 00 00 }
      $STR6 = { 64 FF 35 00 00 00 00 }
      $STR7 = {D2 C0}
      $STR8 = /\x63\x74\x00\x00.{3,20}\x72\x6F\x74\x65.{3,20}\x75\x61\x6C\x50.{3,20}\x56\x69\x72\x74/
   condition:
      (uint16(0) == 0x5A4D) and #STR5 > 4 and all of them
}
direct
IMPLANT_12_v1
Cosmic Duke Implant by APT29
author US CERT license see source repo
rule IMPLANT_12_v1 {
   meta:
      description = "Cosmic Duke Implant by APT29"
      author = "US CERT"
      reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
      date = "2017-02-10"
      score = 85
   strings:
      $FUNC = {A1 [3-5] 33 C5 89 [2-3] 56 57 83 [4-6] 64}
   condition:
      (uint16(0) == 0x5A4D) and $FUNC
}
direct Unidentified
Unidentified_Malware_Two
Unidentified Implant by APT29
author US CERT license see source repo
rule Unidentified_Malware_Two {
   meta:
      description = "Unidentified Implant by APT29"
      author = "US CERT"
      reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
      date = "2017-02-10"
      score = 85
      id = "848f2d1f-e352-51c1-ac5d-841bf309f2f2"
   strings:
      $my_string_one = "/zapoy/gate.php"
      $my_string_two = { E3 40 FE 45 FD 0F B6 45 FD 0F B6 14 38 88 55 FF 00 55
         FC 0F B6 45 FC 8A 14 38 88 55 FE 0F B6 45 FD 88 14 38 0F B6 45 FC 8A
         55 FF 88 14 38 8A 55 FF 02 55 FE 8A 14 3A 8B 45 F8 30 14 30 }
      $my_string_three = "S:\\Lidstone\\renewing\\HA\\disable\\In.pdb"
      $my_string_four = { 8B CF 0F AF CE 8B C6 99 2B C2 8B 55 08 D1 F8 03 C8
         8B 45 FC 03 C2 89 45 10 8A 00 2B CB 32 C1 85 DB 74 07 }
      $my_string_five = "fuckyou1"
      $my_string_six = "xtool.exe"
   condition:
      ($my_string_one and $my_string_two)
      or ($my_string_three or $my_string_four)
      or ($my_string_five and $my_string_six)
}
direct APT29
APT_APT29_sorefang_encryption_key_schedule
Rule to detect SoreFang based on the key schedule used for encryption
author NCSC license see source repo
rule APT_APT29_sorefang_encryption_key_schedule { 
   meta:
      description = "Rule to detect SoreFang based on the key schedule used for encryption"
      author = "NCSC"
      reference = "https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development"
      hash = "58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2"
      id = "8d89edc1-a9fc-5155-9dc2-8d7f952f90d1"
   strings:
      $ = { C7 05 ?? ?? ?? ?? 63 51 E1 B7 B8 ?? ?? ?? ?? 8B 48 
            FC 81 E9 47 86 C8 61 89 08 83 C0 04 3D ?? ?? ?? ?? 
            7E EB 33 D2 33 C9 B8 2C 00 00 00 89 55 D4 33 F6 89 
            4D D8 33 DB 3B F8 0F 4F C7 8D 04 40 89 45 D0 83 F8 
            01 7C 4F 0F 1F 80 00 00 00 00 }
   condition:
      (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and any of them 
}
direct APT29
APT_APT29_sorefang_encryption_key_2b62
Rule to detect SoreFang based on hardcoded encryption key
author NCSC license see source repo
rule APT_APT29_sorefang_encryption_key_2b62 {
  meta:
      description = "Rule to detect SoreFang based on hardcoded encryption key"
      author = "NCSC"
      reference = "https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development"
      hash = "58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2"
      id = "9a7abad7-1cfa-52c8-9416-47cb80486714"
   strings:
      $ = "2b6233eb3e872ff78988f4a8f3f6a3ba"
   condition:
      ( uint16(0) == 0x5A4D and uint16(uint32(0x3c) ) == 0x4550) 
      and any of them 
}
direct APT29
APT_APT29_sorefang_directory_enumeration_output_strings
Rule to detect SoreFang based on formatted string output for directory enumeration
author NCSC license see source repo
rule APT_APT29_sorefang_directory_enumeration_output_strings { 
   meta:
      description = "Rule to detect SoreFang based on formatted string output for directory enumeration"
      author = "NCSC"
      reference = "https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development"
      hash = "58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2"
      id = "e24dbda1-3d43-52a7-9249-70a648f4913e"
   strings:
      $ = "----------All usres directory----------" 
      $ = "----------Desktop directory----------"
      $ = "----------Documents directory----------"
   condition:
      (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) 
      and 2 of them 
}
direct APT29
APT_APT29_sorefang_command_elem_cookie_ga_boundary_string
Rule to detect SoreFang based on scheduled task element and Cookie header/boundary strings
author NCSC license see source repo
rule APT_APT29_sorefang_command_elem_cookie_ga_boundary_string { 
   meta:
      description = "Rule to detect SoreFang based on scheduled task element and Cookie header/boundary strings"
      author = "NCSC"
      reference = "https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development"
      hash = "58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2"
      id = "3c6ffbad-9b39-5518-aa66-d76531ddb9ea"
   strings:
      $ = "<Command>" wide
      $ = "Cookie:_ga="
      $ = "------974767299852498929531610575"
   condition:
      (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) 
      and 2 of them 
}
direct APT29
APT_APT29_sorefang_encryption_round_function
Rule to detect SoreFang based on the encryption round function
author NCSC license see source repo
rule APT_APT29_sorefang_encryption_round_function { 
   meta:
      description = "Rule to detect SoreFang based on the encryption round function"
      author = "NCSC"
      reference = "https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development"
      hash = "58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2"
      id = "0be1c084-c8df-5920-a320-90364a7fb542"
   strings:
      $ = { 8A E9 8A FB 8A 5D 0F 02 C9 88 45 0F FE C1 0F BE C5 88 6D F3 8D
            14 45 01 00 00 00 0F AF D0 0F BE C5 0F BE C9 0F AF C8 C1 FA 1B C0 E1 05 0A D1 8B 4D EC 0F BE C1 89 55 E4 8D 14 45 01 00 00 00 0F AF D0 8B C1}
   condition:
      (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550)
      and any of them 
}
direct APT29
APT_APT29_sorefang_add_random_commas_spaces
Rule to detect SoreFang based on function that adds commas and spaces
author NCSC license see source repo
rule APT_APT29_sorefang_add_random_commas_spaces { 
   meta:
      description = "Rule to detect SoreFang based on function that adds commas and spaces"
      author = "NCSC"
      reference = "https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development"
      hash = "58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2"
      id = "9a89c619-6309-500f-b4dc-c8a3e8fc4417"
   strings:
      $ = { E8 ?? ?? ?? ?? B9 06 00 00 00 99 F7 F9 8B CE 83 FA 04 7E 09 6A
            02 68 ?? ?? ?? ?? EB 07 6A 01 68 } 
   condition:
      (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) 
      and any of them
}
direct APT29
APT_APT29_sorefang_modify_alphabet_custom_encode
Rule to detect SoreFang based on arguments passed into custom encoding algorithm function
author NCSC license see source repo
rule APT_APT29_sorefang_modify_alphabet_custom_encode { 
   meta:
      description = "Rule to detect SoreFang based on arguments passed into custom encoding algorithm function"
      author = "NCSC"
      reference = "https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development"
      hash = "58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2"
      id = "7c5c1be0-ccad-5c8f-a026-445994b1f279"
   strings:
      $ = { 33 C0 8B CE 6A 36 6A 71 66 89 46 60 88 46 62 89 46 68 66 89 46
            64 }
   condition:
      (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and any of them
}
direct APT29
APT_APT29_sorefang_custom_encode_decode
Rule to detect SoreFang based on the custom encoding/decoding algorithm function
author NCSC license see source repo
rule APT_APT29_sorefang_custom_encode_decode {
   meta:
      description = "Rule to detect SoreFang based on the custom encoding/decoding algorithm function"
      author = "NCSC"
      reference = "https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development"
      hash = "58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2"
      id = "4885a659-bb3a-5e33-99cc-b827931bf58f"
   strings:
      $ = { 55 8B EC 8B D1 53 56 8B 75 08 8B DE 80 42 62 FA 8A 4A 62 66 D3
            EB 57 3A 5A 5C 74 0F}
      $ = { 3A 5A 5D 74 0A 3A 5A 58 74 05 3A 5A 59 75 05 FE C1 88 4A 62 8A 
            4A 62 B8 01 00 00 00}
      $ = { 8A 46 62 84 C0 74 3E 3C 06 73 12 0F B6 C0 B9 06 00 00 00 2B C8 
            C6 46 62 06 66 D3 66 60 0F B7 4E 60}
      $ = { 80 3C 38 0D 0F 84 93 01 00 00 C6 42 62 06 8B 56 14 83 FA 10 72 
            04 8B 06}
      $ = { 0F BE 0C 38 8B 45 EC 0F B6 40 5B 3B C8 75 07 8B 55 EC B3 3E}
      $ = { 0F BE 0C 38 8B 45 EC 0F B6 40 5E 3B C8 75 0B 8B 55 EC D0 EB C6 
            42 62 05}
      $ = { 8B 55 EC 0F BE 04 38 0F B6 DB 0F B6 4A 5F 3B C1 B8 3F 00 00 00 
            0F 44 D8}
      $ = { 8A 4A 62 66 8B 52 60 66 D3 E2 0F B6 C3 66 0B D0 8B 45 EC 66 89 
            50 60 8A 45 F3 02 C1 88 45 F3 3C 08 72 2E 04 F8 8A C8 88 45 F3 
            66 D3 EA 8B 4D 08 0F B6 C2 50 }
      $ = { 3A 5A 5C 74 0F 3A 5A 5D 74 0A 3A 5A 58 74 05 3A 5A 59 75 05 FE 
            C1 88 4A 62 }
   condition:
      (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) 
      and any of them 
}
direct APT29
APT_APT29_sorefang_remove_chars_comma_space_dot
Rule to detect SoreFang based on function that removes commas, spaces and dots
author NCSC license see source repo
rule APT_APT29_sorefang_remove_chars_comma_space_dot { 
   meta:
      description = "Rule to detect SoreFang based on function that removes commas, spaces and dots"
      author = "NCSC"
      reference = "https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development"
      hash = "58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2"
      id = "c15779b0-6a5e-5345-94ad-95615b567f1f"
   strings:
      $ = {8A 18 80 FB 2C 74 03 88 19 41 42 40 3B D6 75 F0 8B 5D 08} 
      $ = {8A 18 80 FB 2E 74 03 88 19 41 42 40 3B D6 75 F0 8B 5D 08} 
      $ = {8A 18 80 FB 20 74 03 88 19 41 42 40 3B D6 75 F0 8B 5D 08}
   condition:
      (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them 
}
direct APT29
APT_APT29_sorefang_disk_enumeration_strings
Rule to detect SoreFang based on disk enumeration strings
author NCSC license see source repo
rule APT_APT29_sorefang_disk_enumeration_strings { 
   meta:
      description = "Rule to detect SoreFang based on disk enumeration strings"
      author = "NCSC"
      reference = "https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development"
      hash = "a4b790ddffb3d2e6691dcacae08fb0bfa1ae56b6c73d70688b097ffa831af064" 
      id = "0ff01793-6fb7-5cff-b4e4-6709269ab0f0"
   strings:
      $ = "\x0D\x0AFree on disk: "
      $ = "Total disk: "
      $ = "Error in GetDiskFreeSpaceEx\x0D\x0A"
      $ = "\x0D\x0AVolume label: "
      $ = "Serial number: "
      $ = "File system: "
      $ = "Error in GetVolumeInformation\x0D\x0A"
      $ = "I can not het information about this disk\x0D\x0A"
   condition:
      (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) 
      and all of them 
}
direct COZY
COZY_FANCY_BEAR_Hunt
Detects Cozy Bear / Fancy Bear C2 Server IPs
author Florian Roth (Nextron Systems) license see source repo
rule COZY_FANCY_BEAR_Hunt {
	meta:
		description = "Detects Cozy Bear / Fancy Bear C2 Server IPs"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/"
		date = "2016-06-14"
		id = "e81b4368-7383-5a48-a89a-f91b9306326e"
	strings:
		$s1 = "185.100.84.134" ascii wide fullword
		$s2 = "58.49.58.58" ascii wide fullword
		$s3 = "218.1.98.203" ascii wide fullword
		$s4 = "187.33.33.8" ascii wide fullword
		$s5 = "185.86.148.227" ascii wide fullword
		$s6 = "45.32.129.185" ascii wide fullword
		$s7 = "23.227.196.217" ascii wide fullword
	condition:
		uint16(0) == 0x5a4d and 1 of them
}
direct Unknown
MAL_CRIME_Unknown_ISO_Jun21_1
Triggers on ISO files that mimic NOBELIUM TTPs but use LNK files that call PowerShell instead.
author Nils Kuhnert license see source repo
rule MAL_CRIME_Unknown_ISO_Jun21_1 : ISO POWERSHELL LNK {
    meta:
        author = "Nils Kuhnert"
        date = "2021-06-04"
        description = "Triggers on ISO files that mimic NOBELIUM TTPs but use LNK files that call PowerShell instead."
        hash1 = "425dbed047dd2ce760d0848ebf7ad04b1ca360f111d557fc7bf657ae89f86d36"
        hash2 = "f6944b6bca627e219d9c5065f214f95eb2226897a3b823b645d0fd78c281b149"
        hash3 = "14d70a8bdd64e9a936c2dc9caa6d4506794505e0e3870e3a25d9d59bcafb046e"
        hash4 = "9b2ca8eb6db34b07647a74171a5ff4c0a2ca8000da9876ed2db6361958c5c080"
        id = "73a1fc44-45c4-5253-b81d-fa6686dc0644"
    strings:
        $uid = "S-1-5-21-1437133880-1006698037-385855442-1004" wide
        $magic = "CD001" ascii
    condition:
        filesize < 5MB and all of them
}
direct MiniDionis
MiniDionis_readerView
MiniDionis Malware - file readerView.exe / adobe.exe
author Florian Roth (Nextron Systems) license see source repo
rule MiniDionis_readerView {
	meta:
		description = "MiniDionis Malware - file readerView.exe / adobe.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3950"
		date = "2015-07-20"
		/* Original Hash */
		hash1 = "ee5eb9d57c3611e91a27bb1fc2d0aaa6bbfa6c69ab16e65e7123c7c49d46f145"
		/* Derived Samples */
		hash2 = "a713982d04d2048a575912a5fc37c93091619becd5b21e96f049890435940004"
		hash3 = "88a40d5b679bccf9641009514b3d18b09e68b609ffaf414574a6eca6536e8b8f"
		hash4 = "97d8725e39d263ed21856477ed09738755134b5c0d0b9ae86ebb1cdd4cdc18b7"
		hash5 = "ed7abf93963395ce9c9cba83a864acb4ed5b6e57fd9a6153f0248b8ccc4fdb46"
		hash6 = "56ac764b81eb216ebed5a5ad38e703805ba3e1ca7d63501ba60a1fb52c7ebb6e"
		id = "dc8d4311-2a87-5c9b-95ff-52708f293f01"
	strings:
		$s1 = "%ws_out%ws" fullword wide /* score: '8.00' */
		$s2 = "dnlibsh" fullword ascii /* score: '7.00' */

		$op0 = { 0f b6 80 68 0e 41 00 0b c8 c1 e1 08 0f b6 c2 8b } /* Opcode */
		$op1 = { 8b ce e8 f8 01 00 00 85 c0 74 41 83 7d f8 00 0f } /* Opcode */
		$op2 = { e8 2f a2 ff ff 83 20 00 83 c8 ff 5f 5e 5d c3 55 } /* Opcode */
	condition:
		uint16(0) == 0x5a4d and filesize < 500KB and all of ($s*) and 1 of ($op*)
}
direct MiniDionis
MiniDionis_VBS_Dropped
Dropped File - 1.vbs
author Florian Roth (Nextron Systems) license see source repo
rule MiniDionis_VBS_Dropped {
	meta:
		description = "Dropped File - 1.vbs"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "https://malwr.com/analysis/ZDc4ZmIyZDI4MTVjNGY5NWI0YzE3YjIzNGFjZTcyYTY/"
		date = "2015-07-21"
		hash = "97dd1ee3aca815eb655a5de9e9e8945e7ba57f458019be6e1b9acb5731fa6646"
		id = "f0116861-4216-504a-a39b-463e7535a2b3"
	strings:
		$s1 = "Wscript.Sleep 5000" ascii
		$s2 = "Set FSO = CreateObject(\"Scripting.FileSystemObject\")" ascii
		$s3 = "Set WshShell = CreateObject(\"WScript.Shell\")" ascii
		$s4 = "If(FSO.FileExists(\"" ascii
		$s5 = "then FSO.DeleteFile(\".\\" ascii
	condition:
		filesize < 1KB and all of them and $s1 in (0..40)
}
Showing 101-144 of 144
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin