
YARA rules for APT3

117 rules · scoped to actor
YARA rules whose family, name, or description matches this actor or its tooling; use them for binary-pattern hunts over samples, file shares and memory dumps. The match is textual, so the list also picks up rules for tooling that APT3 shares with other groups (PlugX, for instance) and rules whose names merely contain the string APT3 (APT30, APT32, APT34 and APT37 rules appear below). A hit therefore identifies a tool family or a related cluster, not an attribution to APT3 on its own.

Showing 50 of 117 rules
direct IronTiger
IronTiger_PlugX_FastProxy
Iron Tiger Malware - PlugX FastProxy
author: Cyber Safety Solutions, Trend Micro · license: see source repo
rule IronTiger_PlugX_FastProxy
{
	meta:
		author = "Cyber Safety Solutions, Trend Micro"
		description = "Iron Tiger Malware - PlugX FastProxy"
		reference = "http://goo.gl/T5fSJC"
		id = "14e05823-6288-5f02-8060-add51084c446"
	strings:
		$str1 = "SAFEPROXY HTServerTimer Quit!" wide ascii
		$str2 = "Useage: %s pid" wide ascii
		$str3 = "%s PORT[%d] TO PORT[%d] SUCCESS!" wide ascii
		$str4 = "p0: port for listener" wide ascii
		$str5 = "\\users\\whg\\desktop\\plug\\" wide ascii
		$str6 = "[+Y] cwnd : %3d, fligth:" wide ascii
	condition:
		uint16(0) == 0x5a4d and (any of ($str*))
}
direct IronTiger
IronTiger_PlugX_Server
Iron Tiger Malware - PlugX Server
author: Cyber Safety Solutions, Trend Micro · license: see source repo
rule IronTiger_PlugX_Server
{
	meta:
		author = "Cyber Safety Solutions, Trend Micro"
		description = "Iron Tiger Malware - PlugX Server"
		reference = "http://goo.gl/T5fSJC"
		id = "38011a23-3ed7-5f58-a814-2551526b27f3"
	strings:
		$str1 = "\\UnitFrmManagerKeyLog.pas" wide ascii
		$str2 = "\\UnitFrmManagerRegister.pas" wide ascii
		$str3 = "Input Name..." wide ascii
		$str4 = "New Value#" wide ascii
		$str5 = "TThreadRControl.Execute SEH!!!" wide ascii
		$str6 = "\\UnitFrmRControl.pas" wide ascii
		$str7 = "OnSocket(event is error)!" wide ascii
		$str8 = "Make 3F Version Ok!!!" wide ascii
		$str9 = "PELEASE DO NOT CHANGE THE DOCAMENT" wide ascii
		$str10 = "Press [Ok] Continue Run, Press [Cancel] Exit" wide ascii
	condition:
		uint16(0) == 0x5a4d and (2 of ($str*))
}
direct Area1
APT_Area1_SSF_PlugX
Detects send tool used in phishing campaign reported by Area 1 in December 2018
author: Area 1 · license: see source repo
rule APT_Area1_SSF_PlugX {
   meta:
      description = "Detects send tool used in phishing campaign reported by Area 1 in December 2018"
      reference = "https://cdn.area1security.com/reports/Area-1-Security-PhishingDiplomacy.pdf"
      date = "2018-12-19"
      author = "Area 1"
      id = "a5b4e781-f0d1-55df-926c-2d321aa48139"
   strings:
      $feature_call = { 8b 0? 56 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ??
         6a 07 6a ff ff d0 8b f0 85 f6 74 14 }
      $keylogger_reg = { 8b 4d 08 6a 0c 6a 01 8d 55 f4 52 c7 45 f4 01 00 06 00
         c7 45 f8 00 01 00 00 89 4d fc ff d0 85 c0 75 1d }
      $file_op = { 55 8b ec 83 ec 20 0f b7 56 18 8b 46 10 66 8b 4e 14 89 45 e4
         8d 44 32 10 66 89 4d f0 0f b7 4e 1a 57 89 45 e8 33 ff 8d 45 e0 8d 54
         31 10 50 89 7d e0 89 55 ec c7 45 fa ?? ?? ?? ?? 89 7d f2 89 7d f6 ff
         15 1c 43 02 10 }
      $ver_cmp = { 0f b6 8d b0 fe ff ff 0f b6 95 b4 fe ff ff 66 c1 e1 08 0f b7
         c1 0b c2 3d 02 05 00 00 7f 2c }
      $regedit = { c7 06 23 01 12 20 c7 46 04 01 90 00 00 89 5e 0c 89 5e 08 e8
         51 fb ff ff 8b 4d 08 8b 50 38 68 30 75 00 00 56 51 ff d2 }
      $get_device_caps = { 8b 1d ?? ?? ?? ?? 6a 08 50 ff d3 0f b7 56 12 8b c8 0f af ca
         b8 1f 85 eb 51 f7 e9 c1 fa 05 8b c2 c1 e8 1f 03 c2 89 45 f8 8b 45 f0 6a 0a 50 ff d3
         0f b7 56 14 8b c8 0f af ca b8 1f 85 eb 51 }
   condition:
      3 of them
}
direct Codoso
Codoso_PlugX_3
Detects Codoso APT PlugX Malware
author: Florian Roth (Nextron Systems) · license: see source repo
rule Codoso_PlugX_3 {
	meta:
		description = "Detects Codoso APT PlugX Malware"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
		date = "2016-01-30"
		hash = "74e1e83ac69e45a3bee78ac2fac00f9e897f281ea75ed179737e9b6fe39971e3"
		id = "55066812-3a8e-5099-afb4-ff7a59f1ccb2"
	strings:
		$s1 = "Cannot create folder %sDCRC failed in the encrypted file %s. Corrupt file or wrong password." fullword wide
		$s2 = "mcs.exe" fullword ascii
		$s3 = "McAltLib.dll" fullword ascii
		$s4 = "WinRAR self-extracting archive" fullword wide
	condition:
		uint16(0) == 0x5a4d and filesize < 1200KB and all of them
}
direct Codoso
Codoso_PlugX_2
Detects Codoso APT PlugX Malware
author: Florian Roth (Nextron Systems) · license: see source repo
rule Codoso_PlugX_2 {
	meta:
		description = "Detects Codoso APT PlugX Malware"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
		date = "2016-01-30"
		hash = "b9510e4484fa7e3034228337768176fce822162ad819539c6ca3631deac043eb"
		id = "0402a0ff-5664-52db-a739-51c5181853f8"
	strings:
		$s1 = "%TEMP%\\HID" fullword wide
		$s2 = "%s\\hid.dll" fullword wide
		$s3 = "%s\\SOUNDMAN.exe" fullword wide
		$s4 = "\"%s\\SOUNDMAN.exe\" %d %d" fullword wide
		$s5 = "%s\\HID.dllx" fullword wide
	condition:
		( uint16(0) == 0x5a4d and filesize < 400KB and 3 of them ) or all of them
}
direct Codoso
Codoso_PGV_PVID_4
Detects Codoso APT PlugX Malware
author: Florian Roth (Nextron Systems) · license: see source repo
rule Codoso_PGV_PVID_4 {
	meta:
		description = "Detects Codoso APT PlugX Malware"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
		date = "2016-01-30"
		super_rule = 1
		hash1 = "13bce64b3b5bdfd24dc6f786b5bee08082ea736be6536ef54f9c908fd1d00f75"
		hash2 = "8a56b476d792983aea0199ee3226f0d04792b70a1c1f05f399cb6e4ce8a38761"
		hash3 = "b2950f2e09f5356e985c38b284ea52175d21feee12e582d674c0da2233b1feb1"
		hash4 = "b631553421aa17171cc47248adc110ca2e79eff44b5e5b0234d69b30cab104e3"
		hash5 = "bc0b885cddf80755c67072c8b5961f7f0adcaeb67a1a5c6b3475614fd51696fe"
		id = "c1c753a6-77b6-5bfb-89f9-16127c264fd0"
	strings:
		$x1 = "dropper, Version 1.0" fullword wide
		$x2 = "dropper" fullword wide
		$x3 = "DROPPER" fullword wide
		$x4 = "About dropper" fullword wide

		$s1 = "Microsoft Windows Manager Utility" fullword wide
		$s2 = "SYSTEM\\CurrentControlSet\\Services\\" ascii /* Goodware String - occurred 9 times */
		$s3 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify" fullword ascii /* Goodware String - occurred 10 times */
		$s4 = "<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\"><trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3" ascii /* Goodware String - occurred 46 times */
		$s5 = "<supportedOS Id=\"{e2011457-1546-43c5-a5fe-008deee3d3f0}\"></supportedOS>" fullword ascii /* Goodware String - occurred 65 times */
	condition:
		uint16(0) == 0x5a4d and filesize < 900KB and 2 of ($x*) and 2 of ($s*)
}
direct Codoso
Codoso_PlugX_1
Detects Codoso APT PlugX Malware
author: Florian Roth (Nextron Systems) · license: see source repo
rule Codoso_PlugX_1 {
	meta:
		description = "Detects Codoso APT PlugX Malware"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
		date = "2016-01-30"
		super_rule = 1
		hash1 = "0b8cbc9b4761ab35acce2aa12ba2c0a283afd596b565705514fd802c8b1e144b"
		hash2 = "448711bd3f689ceebb736d25253233ac244d48cb766834b8f974c2e9d4b462e8"
		hash3 = "fd22547497ce52049083092429eeff0599d0b11fe61186e91c91e1f76b518fe2"
		id = "af777818-5cff-5571-b5e9-0f5a4c8b08ff"
	strings:
		$s1 = "GETPASSWORD1" fullword ascii
		$s2 = "NvSmartMax.dll" fullword ascii
		$s3 = "LICENSEDLG" fullword ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 800KB and all of them
}
direct Dropper
Dropper_DeploysMalwareViaSideLoading
Detects a dropper used to deploy an implant via side loading. This dropper has specifically been observed deploying REDLEAVES & PlugX
author: USG · license: see source repo
rule Dropper_DeploysMalwareViaSideLoading {
    meta:
        description = "Detects a dropper used to deploy an implant via side loading. This dropper has specifically been observed deploying REDLEAVES & PlugX"
        author = "USG"
        reference = "https://www.us-cert.gov/ncas/alerts/TA17-117A"
        true_positive = "5262cb9791df50fafcb2fbd5f93226050b51efe400c2924eecba97b7ce437481: drops REDLEAVES. 6392e0701a77ea25354b1f40f5b867a35c0142abde785a66b83c9c8d2c14c0c3: drops plugx. "
        id = "2e7cdedd-2358-5d71-a3ec-73dec442d840"
    strings:
        $UniqueString = {2e 6c 6e 6b [0-14] 61 76 70 75 69 2e 65 78 65} // ".lnk" near "avpui.exe"
        $PsuedoRandomStringGenerator = {b9 1a [0-6] f7 f9 46 80 c2 41 88 54 35 8b 83 fe 64} // Unique function that generates a 100 character pseudo random string.
    condition:
        any of them
}
direct PLUGX
PLUGX_RedLeaves
Detects specific RedLeaves and PlugX binaries
author: US-CERT Code Analysis Team · license: see source repo
rule PLUGX_RedLeaves {
    meta:
        author = "US-CERT Code Analysis Team"
        date = "03.04.2017"
        reference = "https://www.us-cert.gov/ncas/alerts/TA17-117A"
        incident = "10118538"
        date = "2017-04-03"
        MD5_1 = "598FF82EA4FB52717ACAFB227C83D474"
        MD5_2 = "7D10708A518B26CC8C3CBFBAA224E032"
        MD5_3 = "AF406D35C77B1E0DF17F839E36BCE630"
        MD5_4 = "6EB9E889B091A5647F6095DCD4DE7C83"
        MD5_5 = "566291B277534B63EAFC938CDAAB8A399E41AF7D"
        description = "Detects specific RedLeaves and PlugX binaries"
        id = "ede8ad8f-31cf-5314-9777-bddd60e499f2"
    strings:
        $s0 = { 80343057403D2FD0010072F433C08BFF80343024403D2FD0010072F4 }
        $s1 = "C:\\Users\\user\\Desktop\\my_OK_2014\\bit9\\runsna\\Release\\runsna.pdb"
        $s2 = "d:\\work\\plug4.0(shellcode)"
        $s3 = "\\shellcode\\shellcode\\XSetting.h"
        $s4 = { 42AFF4276A45AA58474D4C4BE03D5B395566BEBCBDEDE9972872C5C4C5498228 }
        $s5 = { 8AD32AD002D180C23830140E413BCB7CEF6A006A006A00566A006A00 }
        $s6 = { EB055F8BC7EB05E8F6FFFFFF558BEC81ECC8040000535657 }
        $s7 = { 8A043233C932043983C10288043283F90A7CF242890D18AA00103BD37CE2891514AA00106A006A006A0056 }
        $s8 = { 293537675A402A333557B05E04D09CB05EB3ADA4A4A40ED0B7DAB7935F5B5B08 }
        $s9 = "RedLeavesCMDSimulatorMutex"
    condition:
        $s0 or $s1 or $s2 and $s3 or $s4 or $s5 or $s6 or $s7 or $s8 or $s9
}
direct PlugX
PlugX_J16_Gen
Detects PlugX Malware samples from June 2016
author: Florian Roth (Nextron Systems) · license: see source repo
rule PlugX_J16_Gen {
	meta:
		description = "Detects PlugX Malware samples from June 2016"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "VT Research"
		date = "2016-06-08"
		id = "13ef1e80-7090-5a1e-bca7-8d3de0dc2247"
	strings:
		$x1 = "%WINDIR%\\SYSTEM32\\SERVICES.EXE" fullword wide
		$x2 = "\\\\.\\PIPE\\RUN_AS_USER(%d)" fullword wide
		$x3 = "LdrLoadShellcode" fullword ascii
		$x4 = "Protocol:[%4s], Host: [%s:%d], Proxy: [%d:%s:%d:%s:%s]" fullword ascii

		$s1 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\User Agent\\Post Platform" fullword wide
		$s2 = "%s\\msiexec.exe %d %d" fullword wide
		$s3 = "l%s\\sysprep\\CRYPTBASE.DLL" fullword wide
		$s4 = "%s\\msiexec.exe UAC" fullword wide
		$s5 = "CRYPTBASE.DLL" fullword wide
		$s6 = "%ALLUSERSPROFILE%\\SxS" fullword wide
		$s7 = "%s\\sysprep\\sysprep.exe" fullword wide
		$s8 = "\\\\.\\pipe\\a%d" fullword wide
		$s9 = "\\\\.\\pipe\\b%d" fullword wide
		$s10 = "EName:%s,EAddr:0x%p,ECode:0x%p,EAX:%p,EBX:%p,ECX:%p,EDX:%p,ESI:%p,EDI:%p,EBP:%p,ESP:%p,EIP:%p" fullword ascii
		$s11 = "Mozilla/4.0 (compatible; MSIE " fullword wide
		$s12 = "; Windows NT %d.%d" fullword wide
		$s13 = "SOFTWARE\\Microsoft\\Internet Explorer\\Version Vector" fullword wide
		$s14 = "\\bug.log" wide
	condition:
		( uint16(0) == 0x5a4d and filesize < 600KB and ( 1 of ($x*) or 4 of ($s*) ) ) or ( 8 of them )
}
direct PlugX
PlugX_J16_Gen2
Detects PlugX Malware Samples from June 2016
author: Florian Roth (Nextron Systems) · license: see source repo
rule PlugX_J16_Gen2 {
	meta:
		description = "Detects PlugX Malware Samples from June 2016"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "VT Research"
		date = "2016-06-08"
		id = "28e9cbb9-cd60-555d-b033-4e2bf293adf2"
	strings:
		$s1 = "XPlugKeyLogger.cpp" fullword ascii
		$s2 = "XPlugProcess.cpp" fullword ascii
		$s4 = "XPlgLoader.cpp" fullword ascii
		$s5 = "XPlugPortMap.cpp" fullword ascii
		$s8 = "XPlugShell.cpp" fullword ascii
		$s11 = "file: %s, line: %d, error: [%d]%s" fullword ascii
		$s12 = "XInstall.cpp" fullword ascii
		$s13 = "XPlugTelnet.cpp" fullword ascii
		$s14 = "XInstallUAC.cpp" fullword ascii
	condition:
		( uint16(0) == 0x5a4d and filesize < 600KB and ( 2 of ($s*) ) ) or ( 5 of them )
}
direct APT34
APT34_Malware_HTA
Detects APT 34 malware
author: Florian Roth (Nextron Systems) · license: see source repo
rule APT34_Malware_HTA {
   meta:
      description = "Detects APT 34 malware"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html"
      date = "2017-12-07"
      hash1 = "f6fa94cc8efea0dbd7d4d4ca4cf85ac6da97ee5cf0c59d16a6aafccd2b9d8b9a"
      id = "683faded-7e4b-5b2f-9f85-300db96ed9d1"
   strings:
      $x1 = "WshShell.run \"cmd.exe /C C:\\ProgramData\\" ascii
      $x2 = ".bat&ping 127.0.0.1 -n 6 > nul&wscript  /b" ascii
      $x3 = "cmd.exe /C certutil -f  -decode C:\\ProgramData\\" ascii
      $x4 = "a.WriteLine(\"set Shell0 = CreateObject(" ascii
      $x5 = "& vbCrLf & \"Shell0.run" ascii

      $s1 = "<title>Blog.tkacprow.pl: HTA Hello World!</title>" fullword ascii
      $s2 = "<body onload=\"test()\">" fullword ascii
   condition:
      filesize < 60KB and ( 1 of ($x*) or all of ($s*) )
}
direct APT34
APT34_Malware_Exeruner
Detects APT 34 malware
author: Florian Roth (Nextron Systems) · license: see source repo
rule APT34_Malware_Exeruner {
   meta:
      description = "Detects APT 34 malware"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html"
      date = "2017-12-07"
      hash1 = "c75c85acf0e0092d688a605778425ba4cb2a57878925eee3dc0f4dd8d636a27a"
      id = "8ddfa59d-9b8a-5cb6-a992-6498ac9be75d"
   strings:
      $x1 = "\\obj\\Debug\\exeruner.pdb" ascii
      $x2 = "\"wscript.shell`\")`nShell0.run" wide
      $x3 = "powershell.exe -exec bypass -enc \" + ${global:$http_ag} +" wide
      $x4 = "/c powershell -exec bypass -window hidden -nologo -command " fullword wide
      $x5 = "\\UpdateTasks\\JavaUpdatesTasksHosts\\" wide
      $x6 = "schtasks /create /F /ru SYSTEM /sc minute /mo 1 /tn" wide
      $x7 = "UpdateChecker.ps1 & ping 127.0.0.1" wide
      $s8 = "exeruner.exe" fullword wide
      $s9 = "${global:$address1} = $env:ProgramData + \"\\Windows\\Microsoft\\java\";" fullword wide
      $s10 = "C:\\ProgramData\\Windows\\Microsoft\\java" fullword wide
      $s11 = "function runByVBS" fullword wide
      $s12 = "$84e31856-683b-41c0-81dd-a02d8b795026" fullword ascii
      $s13 = "${global:$dns_ag} = \"aQBmACAAKAAoAEcAZQB0AC0AVwBtAGk" wide
   condition:
      uint16(0) == 0x5a4d and filesize < 100KB and 1 of them
}
direct EXT
EXT_APT32_goopdate_installer
Detects APT32 installer side-loaded with goopdate.dll
author: Facebook · license: see source repo
import "pe"

rule EXT_APT32_goopdate_installer {
  meta:
    reference = "https://about.fb.com/news/2020/12/taking-action-against-hackers-in-bangladesh-and-vietnam/"
    author = "Facebook"
    description = "Detects APT32 installer side-loaded with goopdate.dll"
    sample = "69730f2c2bb9668a17f8dfa1f1523e0e1e997ba98f027ce98f5cbaa869347383"
    id = "08f3cbda-ccb7-517a-b205-5f71de26c735"
  strings:
    $s0 = { 68 ?? ?? ?? ?? 57 A3 ?? ?? ?? ?? FF D6 33 05 ?? ?? ?? ?? }
    $s1 = "GetProcAddress"
    $s2 = { 8B 4D FC ?? ?? 0F B6 51 0C ?? ?? 8B 4D F0 0F B6 1C 01 33 DA }
    $s3 = "FindNextFileW"
    $s4 = "Process32NextW"

  condition:
    (pe.is_64bit() or pe.is_32bit()) and
    all of them
}
direct EXT
EXT_APT32_osx_backdoor_loader
Detects APT32 backdoor loader on OSX
author: Facebook · license: see source repo
rule EXT_APT32_osx_backdoor_loader {
  meta:
    reference = "https://about.fb.com/news/2020/12/taking-action-against-hackers-in-bangladesh-and-vietnam/"
    author = "Facebook"
    description = "Detects APT32 backdoor loader on OSX"
    sample = "768510fa9eb807bba9c3dcb3c7f87b771e20fa3d81247539e9ea4349205e39eb"
    id = "ac313bd8-bf15-5b72-b651-35015f71dd90"
  strings:
    $a1 = { 00 D2 44 8A 04 0F 44 88 C0 C0 E8 07 08 D0 88 44 0F FF 48 FF C1 48 83 F9 10 44 88 C2 }
    $a2 = { 41 0F 10 04 07 0F 57 84 05 A0 FE FF FF 41 0F 11 04 07 48 83 C0 10 48 83 F8 10 75 }

    // Encrypted data
    $e1 = { CA CF 3E F2 DA 43 E6 D1  D5 6C D4 23 3A AE F1 B2 } // Decoded to drop filepath: '/tmp/panels'
    $e2 = "MlkHVdRbOkra9s+G65MAoLga340t3+zj/u8LPfP3hig=" // Decoded to export API name 'ArchaeologistCodeine'
    $e3 = { 5A 69 98 0E 6C 4B 5C 69  7E 19 34 3B C3 07 CA 13 } // Decoded to 'ifconfig -l'
    $e4 = "1Sib4HfPuRQjpxIpECnxxTPiu3FXOFAHMx/+9MEVv9M+h1ngV7T5WUP3b0zsg0Qd" // Decoded to export API 'PlayerAberadurtheIncomprehensible'

    // Decoded export func names
    $e5 = "_ArchaeologistCodeine"
    $e6 = "_PlayerAberadurtheIncomprehensible"

  condition:
    ((uint32(0) == 0xfeedface or uint32be(0) == 0xfeedface) or (uint32(0) == 0xfeedfacf or uint32be(0) == 0xfeedfacf)) and
   (
      2 of ($e*) or
      all of ($a*)
   )
}
direct
APT_NK_Methodology_Artificial_UserAgent_IE_Win7
Detects hard-coded User-Agent string that has been present in several APT37 malware families.
author: Steve Miller aka @stvemillertime · license: see source repo
rule APT_NK_Methodology_Artificial_UserAgent_IE_Win7 {
    meta:
        author = "Steve Miller aka @stvemillertime"
        description = "Detects hard-coded User-Agent string that has been present in several APT37 malware families."
        hash1 = "e63efbf8624a531bb435b7446dbbfc25"
        score = 45
        id = "a747c908-7af7-5c29-8386-a71db7648061"
    strings:
        $a1 = "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
        $a2 = {4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20 28 57 69 6e 64 6f 77 73 20 4e 54 20 36 2e 31 3b 20 57 4f 57 36 34 3b 20 54 72 69 64 65 6e 74 2f 37 2e 30 3b 20 72 76 3a 31 31 2e 30 29 20 6c 69 6b 65 20 47 65 63 6b 6f 00 00 00 00}

        $fp1 = "Esumsoft" wide
        $fp2 = "Acunetix" wide ascii
        $fp3 = "TASER SYNC" ascii
    condition:
        uint16(0) == 0x5A4D and all of ($a*) and not 1 of ($fp*)
}
direct HvS
HvS_APT37_smb_scanner
Unknown smb login scanner used by APT37
author: Marc Stroebel · license: see source repo
rule HvS_APT37_smb_scanner {
   meta:
      description = "Unknown smb login scanner used by APT37"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Marc Stroebel"
      date = "2020-12-15"
      reference1 = "https://www.hvs-consulting.de/media/downloads/ThreatReport-Lazarus.pdf"
      reference2 = "https://www.hybrid-analysis.com/sample/d16163526242508d6961f061aaffe3ae5321bd64d8ceb6b2788f1570757595fc?environmentId=2"
      id = "89a5cc32-f151-583d-823d-692de2c2b084"
   strings:
      $s1 = "Scan.exe StartIP EndIP ThreadCount logfilePath [Username Password Deep]" fullword ascii
      $s2 = "%s - %s:(Username - %s / Password - %s" fullword ascii
      $s3 = "Load mpr.dll Error " fullword ascii
      $s4 = "Load Netapi32.dll Error " fullword ascii
      $s5 = "%s U/P not Correct! - %d" fullword ascii
      $s6 = "GetNetWorkInfo Version 1.0" fullword wide
      $s7 = "Hello World!" fullword wide
      $s8 = "%s Error: %ld" fullword ascii
      $s9 = "%s U/P Correct!" fullword ascii
      $s10 = "%s --------" fullword ascii
      $s11 = "%s%-30s%I64d" fullword ascii
      $s12 = "%s%-30s(DIR)" fullword ascii
      $s13 = "%04d-%02d-%02d %02d:%02d" fullword ascii
      $s14 = "Share:              Local Path:                   Uses:   Descriptor:" fullword ascii
      $s15 = "Share:              Type:                   Remark:" fullword ascii
   condition:
      uint16(0) == 0x5a4d and filesize < 200KB and (10 of them)
}
direct HvS
HvS_APT37_cred_tool
Unknown cred tool used by APT37
author: Markus Poelloth · license: see source repo
rule HvS_APT37_cred_tool {
   meta:
      description = "Unknown cred tool used by APT37"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Markus Poelloth"
      date = "2020-12-15"
      reference = "https://www.hvs-consulting.de/media/downloads/ThreatReport-Lazarus.pdf"
      id = "e830025a-f2ac-55b1-aca3-ded9dba83a67"
   strings:
      $s1 = "        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>" fullword ascii
      $s2 = "Domain Login" fullword ascii
      $s3 = "IEShims_GetOriginatingThreadContext" fullword ascii
      $s4 = " Type Descriptor'" fullword ascii
      $s5 = "User: %s" fullword ascii
      $s6 = "Pass: %s" fullword ascii
      $s7 = "  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">" fullword ascii
      $s8 = "E@c:\\u" fullword ascii
   condition:
      filesize < 500KB and 7 of them
}
direct HvS
HvS_APT37_RAT_loader
BLINDINGCAN RAT loader named iconcash.db used by APT37
author: Marc Stroebel · license: see source repo
import "pe"

rule HvS_APT37_RAT_loader {
   meta:
      description = "BLINDINGCAN RAT loader named iconcash.db used by APT37"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Marc Stroebel"
      date = "2020-12-15"
      hash = "b70e66d387e42f5f04b69b9eb15306036702ab8a50b16f5403289b5388292db9"
      reference1 = "https://www.hvs-consulting.de/media/downloads/ThreatReport-Lazarus.pdf"
      reference2 = "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a"
      id = "6c3e8465-d607-59bf-85fc-5abbef71fb1c"
   condition:
      (pe.version_info["OriginalFilename"] contains "MFC_DLL.dll") and
      (pe.exports("SMain") and pe.exports("SMainW") )
}
direct HvS
HvS_APT37_webshell_img_thumbs_asp
Webshell named img.asp, thumbs.asp or thumb.asp used by APT37
author: Moritz Oettle · license: see source repo
rule HvS_APT37_webshell_img_thumbs_asp {
   meta:
      description = "Webshell named img.asp, thumbs.asp or thumb.asp used by APT37"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Moritz Oettle"
      date = "2020-12-15"
      reference = "https://www.hvs-consulting.de/media/downloads/ThreatReport-Lazarus.pdf"
      hash = "94d2448d3794ae3f29678a7337473d259b5cfd1c7f703fe53ee6c84dd10a48ef"
      id = "e45d4507-81de-5f72-9ce2-4f0e3e5c62b1"
   strings:
      $s1 = "strMsg = \"E : F\"" fullword ascii
      $s2 = "strMsg = \"S : \" & Len(fileData)" fullword ascii
      $s3 = "Left(workDir, InStrRev(workDir, \"/\")) & \"video\""

      $a1 = "Server.CreateObject(\"Scripting.FileSystemObject\")" fullword ascii
      $a2 = "Dim tmpPath, workDir" fullword ascii
      $a3 = "Dim objFSO, objTextStream" fullword ascii
      $a4 = "workDir = Request.ServerVariables(\"URL\")" fullword ascii
      $a5 = "InStrRev(workDir, \"/\")" ascii

      $g1 = "WriteFile = 0" fullword ascii
      $g2 = "fileData = Request.Form(\"fp\")" fullword ascii
      $g3 = "fileName = Request.Form(\"fr\")" fullword ascii
      $g4 = "Err.Clear()" fullword ascii
      $g5 = "Option Explicit" fullword ascii
   condition:
      filesize < 2KB and (( 1 of ($s*) ) or (3 of ($a*)) or (5 of ($g*)))
}
direct HvS
HvS_APT37_webshell_template_query_asp
Webshell named template-query.aspimg.asp used by APT37
author: Moritz Oettle · license: see source repo
rule HvS_APT37_webshell_template_query_asp {
   meta:
      description = "Webshell named template-query.aspimg.asp used by APT37"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Moritz Oettle"
      date = "2020-12-15"
      reference = "https://www.hvs-consulting.de/media/downloads/ThreatReport-Lazarus.pdf"
      hash = "961a66d01c86fa5982e0538215b17fb9fae2991331dfea812b8c031e2ceb0d90"
      id = "dc006b46-4c51-59cd-8b7d-adbfec86cd2e"
   strings:
      $g1 = "server.scripttimeout=600" fullword ascii
      $g2 = "response.buffer=true" fullword ascii
      $g3 = "response.expires=-1" fullword ascii
      $g4 = "session.timeout=600" fullword ascii

      $a1 = "redhat hacker" ascii
      $a2 = "want_pre.asp" ascii
      $a3 = "vgo=\"admin\"" ascii
      $a4 = "ywc=false" ascii

      $s1 = "public  br,ygv,gbc,ydo,yka,wzd,sod,vmd" fullword ascii
   condition:
      filesize > 70KB and filesize < 200KB and (( 1 of ($s*) ) or (2 of ($a*)) or (3 of ($g*)))
}
direct HvS
HvS_APT37_webshell_controllers_asp
Webshell named controllers.asp or inc-basket-offer.asp used by APT37
author: Moritz Oettle · license: see source repo
rule HvS_APT37_webshell_controllers_asp {
   meta:
      description = "Webshell named controllers.asp or inc-basket-offer.asp used by APT37"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Moritz Oettle"
      date = "2020-12-15"
      reference = "https://www.hvs-consulting.de/media/downloads/ThreatReport-Lazarus.pdf"
      hash = "829462fc6d84aae04a962dfc919d0a392265fbf255eab399980d2b021e385517"
      id = "82370415-30f4-514d-8806-e2daced96f07"
   strings:
      $s0 = "<%@Language=VBScript.Encode" ascii
      // Case permutations of the word SeRvEr encoded with the Microsoft Script Encoder, followed by .ScriptTimeout
      $x1 = { 64 7F 44 2D 7F 44 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
      $x2 = { 64 7F 49 2D 41 44 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
      $x3 = { 64 7F 49 2D 41 49 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
      $x4 = { 64 7F 49 23 7F 44 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
      $x5 = { 64 7F 49 23 7F 49 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
      $x6 = { 64 7F 49 23 41 44 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
      $x7 = { 64 7F 49 23 41 49 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
      $x8 = { 64 41 44 2D 7F 44 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
      $x9 = { 64 41 44 2D 7F 49 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
      $x10 = { 64 41 44 2D 41 44 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
      $x11 = { 64 41 44 2D 41 49 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
      $x12 = { 64 7F 44 2D 7F 49 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
      $x13 = { 64 41 44 23 7F 44 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
      $x14 = { 64 41 44 23 7F 49 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
      $x15 = { 64 41 44 23 41 44 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
      $x16 = { 64 41 44 23 41 49 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
      $x17 = { 64 41 49 2D 7F 44 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
      $x18 = { 64 41 49 2D 7F 49 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
      $x19 = { 64 41 49 2D 41 44 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
      $x20 = { 64 41 49 2D 41 49 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
      $x21 = { 64 41 49 23 7F 44 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
      $x22 = { 64 41 49 23 7F 49 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
      $x23 = { 64 7F 44 2D 41 44 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
      $x24 = { 64 41 49 23 41 44 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
      $x25 = { 64 41 49 23 41 49 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
      $x26 = { 6A 7F 44 2D 7F 44 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
      $x27 = { 6A 7F 44 2D 7F 49 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
      $x28 = { 6A 7F 44 2D 41 44 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
      $x29 = { 6A 7F 44 2D 41 49 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
      $x30 = { 6A 7F 44 23 7F 44 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
      $x31 = { 6A 7F 44 23 7F 49 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
      $x32 = { 6A 7F 44 23 41 44 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
      $x33 = { 6A 7F 44 23 41 49 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
      $x34 = { 64 7F 44 2D 41 49 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
      $x35 = { 6A 7F 49 2D 7F 44 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
      $x36 = { 6A 7F 49 2D 7F 49 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
      $x37 = { 6A 7F 49 2D 41 44 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
      $x38 = { 6A 7F 49 2D 41 49 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
      $x39 = { 6A 7F 49 23 7F 44 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
      $x40 = { 6A 7F 49 23 7F 49 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
      $x41 = { 6A 7F 49 23 41 44 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
      $x42 = { 6A 7F 49 23 41 49 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
      $x43 = { 6A 41 44 2D 7F 44 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
      $x44 = { 6A 41 44 2D 7F 49 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
      $x45 = { 64 7F 44 23 7F 44 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
      $x46 = { 6A 41 44 2D 41 44 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
      $x47 = { 6A 41 44 2D 41 49 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
      $x48 = { 6A 41 44 23 7F 44 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
      $x49 = { 6A 41 44 23 7F 49 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
      $x50 = { 6A 41 44 23 41 44 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
      $x51 = { 6A 41 44 23 41 49 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
      $x52 = { 6A 41 49 2D 7F 44 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
      $x53 = { 6A 41 49 2D 7F 49 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
      $x54 = { 6A 41 49 2D 41 44 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
      $x55 = { 6A 41 49 2D 41 49 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
      $x56 = { 64 7F 44 23 7F 49 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
      $x57 = { 6A 41 49 23 7F 44 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
      $x58 = { 6A 41 49 23 7F 49 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
      $x59 = { 6A 41 49 23 41 44 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
      $x60 = { 6A 41 49 23 41 49 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
      $x61 = { 64 7F 44 23 41 44 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
      $x62 = { 64 7F 44 23 41 49 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
      $x63 = { 64 7F 49 2D 7F 44 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
      $x64 = { 64 7F 49 2D 7F 49 63 2F 6D 4D 6B 61 4F 59 62 3A 6E 72 21 59 }
   condition:
      filesize > 50KB and filesize < 200KB and ( $s0 and 1 of ($x*) )
}
direct APT30
APT30_Generic_H
FireEye APT30 Report Sample
author: Florian Roth (Nextron Systems) · license: see source repo
rule APT30_Generic_H {
	meta:
		description = "FireEye APT30 Report Sample"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
		date = "2015/04/13"
		hash1 = "2a4c8752f3e7fde0139421b8d5713b29c720685d"
		hash2 = "4350e906d590dca5fcc90ed3215467524e0a4e3d"
		id = "1908e985-9634-51dc-8972-53afa13c26a3"
	strings:
		$s0 = "\\Temp1020.txt" ascii
		$s1 = "Xmd.Txe" fullword ascii
		$s2 = "\\Internet Exp1orer" ascii
	condition:
		filesize < 100KB and uint16(0) == 0x5A4D and all of them
}
direct APT30
APT30_Sample_2
FireEye APT30 Report Sample
author Florian Roth (Nextron Systems) license see source repo
rule APT30_Sample_2 {
	meta:
		description = "FireEye APT30 Report Sample"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
		date = "2015/04/13"
		hash = "0359ffbef6a752ee1a54447b26e272f4a5a35167"
		id = "821a2de9-48c4-58d8-acc4-1e25025ab5cf"
	strings:
		$s0 = "ForZRLnkWordDlg.EXE" fullword wide
		$s1 = "ForZRLnkWordDlg Microsoft " fullword wide
		$s9 = "ForZRLnkWordDlg 1.0 " fullword wide
		$s11 = "ForZRLnkWordDlg" fullword wide
		$s12 = " (C) 2011" fullword wide
	condition:
		filesize < 100KB and uint16(0) == 0x5A4D and all of them
}
direct APT30
APT30_Sample_3
FireEye APT30 Report Sample
author Florian Roth (Nextron Systems) license see source repo
rule APT30_Sample_3 {
	meta:
		description = "FireEye APT30 Report Sample"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
		date = "2015/04/13"
		hash = "d0320144e65c9af0052f8dee0419e8deed91b61b"
		id = "62e81385-26f5-545d-92ff-6604ff4d0186"
	strings:
		$s5 = "Software\\Mic" ascii
		$s6 = "HHOSTR" ascii
		$s9 = "ThEugh" fullword ascii
		$s10 = "Moziea/" ascii
		$s12 = "%s%s(X-" ascii
	condition:
		filesize < 100KB and uint16(0) == 0x5A4D and all of them
}
direct APT30
APT30_Generic_C
FireEye APT30 Report Sample
author Florian Roth (Nextron Systems) license see source repo
rule APT30_Generic_C {
	meta:
		description = "FireEye APT30 Report Sample"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
		date = "2015/04/13"
		hash1 = "8667f635fe089c5e2c666b3fe22eaf3ff8590a69"
		hash2 = "0c4fcef3b583d0ffffc2b14b9297d3a4"
		hash3 = "37aee58655f5859e60ece6b249107b87"
		hash4 = "4154548e1f8e9e7eb39d48a4cd75bcd1"
		hash5 = "a2e0203e665976a13cdffb4416917250"
		hash6 = "b4ae0004094b37a40978ef06f311a75e"
		hash7 = "e39756bc99ee1b05e5ee92a1cdd5faf4"
		id = "25ec8d54-9875-5bf5-abc9-296f18f3c5e5"
	strings:
		$s0 = "MYUSER32.dll" fullword ascii
		$s1 = "MYADVAPI32.dll" fullword ascii
		$s2 = "MYWSOCK32.dll" fullword ascii
		$s3 = "MYMSVCRT.dll" fullword ascii
	condition:
		filesize < 100KB and uint16(0) == 0x5A4D and all of them
}
direct APT30
APT30_Sample_4
FireEye APT30 Report Sample
author Florian Roth (Nextron Systems) license see source repo
rule APT30_Sample_4 {
	meta:
		description = "FireEye APT30 Report Sample"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
		date = "2015/04/13"
		hash = "75367d8b506031df5923c2d8d7f1b9f643a123cd"
		id = "e5c6afde-0ab5-54ed-8d18-5ad477a527d7"
	strings:
		$s0 = "GetStartupIn" ascii
		$s1 = "enMutex" ascii
		$s2 = "tpsvimi" ascii
		$s3 = "reateProcesy" ascii
		$s5 = "FreeLibr1y*S" ascii
		$s6 = "foAModuleHand" ascii
	condition:
		filesize < 100KB and uint16(0) == 0x5A4D and all of them
}
direct APT30
APT30_Sample_5
FireEye APT30 Report Sample
author Florian Roth (Nextron Systems) license see source repo
rule APT30_Sample_5 {
	meta:
		description = "FireEye APT30 Report Sample"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
		date = "2015/04/13"
		hash = "1a2dd2a0555dc746333e7c956c58f7c4cdbabd4b"
		id = "bdbebe44-7423-5793-8a42-4f9b70de2231"
	strings:
		$s0 = "Version 4.7.3001" fullword wide
		$s1 = "Copyright (c) Microsoft Corporation 2004" fullword wide
		$s3 = "Microsoft(R) is a registered trademark of Microsoft Corporation in the U" wide
		$s7 = "msmsgs" fullword wide
		$s10 = "----------------g_nAV=%d,hWnd:0x%X,className:%s,Title:%s,(%d,%d,%d,%d),BOOL=%d" fullword ascii
	condition:
		filesize < 100KB and uint16(0) == 0x5A4D and all of them
}
direct APT30
APT30_Sample_6
FireEye APT30 Report Sample
author Florian Roth (Nextron Systems) license see source repo
rule APT30_Sample_6 {
	meta:
		description = "FireEye APT30 Report Sample"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
		date = "2015/04/13"
		hash = "00e69b059ad6b51b76bc476a115325449d10b4c0"
		id = "2f19809c-09fc-51bf-9a20-6b95099a92dd"
	strings:
		$s0 = "GreateProcessA" fullword ascii
		$s1 = "Ternel32.dll" fullword ascii
	condition:
		filesize < 100KB and uint16(0) == 0x5A4D and all of them
}
direct APT30
APT30_Sample_7
FireEye APT30 Report Sample
author Florian Roth (Nextron Systems) license see source repo
rule APT30_Sample_7 {
	meta:
		description = "FireEye APT30 Report Sample"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
		date = "2015/04/13"
		hash = "868d1f4c106a08bd2e5af4f23139f0e0cd798fba"
		id = "612732d9-8df5-5388-b299-2da4f8118435"
	strings:
		$s0 = "datain" fullword ascii
		$s3 = "C:\\Prog" ascii
		$s4 = "$LDDATA$" ascii
		$s5 = "Maybe a Encrypted Flash" fullword ascii
		$s6 = "Jean-loup Gailly" ascii
		$s8 = "deflate 1.1.3 Copyright" ascii
	condition:
		filesize < 100KB and uint16(0) == 0x5A4D and all of them
}
direct APT30
APT30_Generic_E
FireEye APT30 Report Sample
author Florian Roth (Nextron Systems) license see source repo
rule APT30_Generic_E {
	meta:
		description = "FireEye APT30 Report Sample"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
		date = "2015/04/13"
		hash1 = "1dbb584e19499e26398fb0a7aa2a01b7"
		hash2 = "572c9cd4388699347c0b2edb7c6f5e25"
		hash3 = "8ff473bedbcc77df2c49a91167b1abeb"
		hash4 = "a813eba27b2166620bd75029cc1f04b0"
		hash5 = "b5546842e08950bc17a438d785b5a019"
		id = "69e76a59-3529-541d-9017-07e6d67fbda4"
	strings:
		$s0 = "Nkfvtyvn}" ascii
		$s6 = "----------------g_nAV=%d,hWnd:0x%X,className:%s,Title:%s,(%d,%d,%d,%d),BOOL=%d" fullword ascii
	condition:
		filesize < 100KB and uint16(0) == 0x5A4D and all of them
}
direct APT30
APT30_Sample_8
FireEye APT30 Report Sample
author Florian Roth (Nextron Systems) license see source repo
rule APT30_Sample_8 {
	meta:
		description = "FireEye APT30 Report Sample"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
		date = "2015/04/13"
		hash = "9531e21652143b8b129ab8c023dc05fef2a17cc3"
		id = "5053c2db-32a9-58ae-9a72-eb16ef14168e"
	strings:
		$s0 = "ateProcessA" ascii
		$s1 = "Ternel32.dllFQ" fullword ascii
		$s2 = "StartupInfoAModuleHand" fullword ascii
		$s3 = "OpenMutex" fullword ascii
	condition:
		filesize < 100KB and uint16(0) == 0x5A4D and all of them
}
direct APT30
APT30_Generic_B
FireEye APT30 Report Sample
author Florian Roth (Nextron Systems) license see source repo
rule APT30_Generic_B {
	meta:
		description = "FireEye APT30 Report Sample"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
		date = "2015/04/13"
		hash1 = "0fcb4ffe2eb391421ec876286c9ddb6c"
		hash2 = "29395c528693b69233c1c12bef8a64b3"
		hash3 = "4c6b21e98ca03e0ef0910e07cef45dac"
		hash4 = "550459b31d8dabaad1923565b7e50242"
		hash5 = "65232a8d555d7c4f7bc0d7c5da08c593"
		hash6 = "853a20f5fc6d16202828df132c41a061"
		hash7 = "ed151602dea80f39173c2f7b1dd58e06"
		id = "df3b8896-7229-5b3b-ad2f-774b0cea167c"
	strings:
		$s2 = "Moziea/4.0" ascii
	condition:
		filesize < 100KB and uint16(0) == 0x5A4D and all of them
}
direct APT30
APT30_Generic_I
FireEye APT30 Report Sample
author Florian Roth (Nextron Systems) license see source repo
rule APT30_Generic_I {
	meta:
		description = "FireEye APT30 Report Sample"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
		date = "2015/04/13"
		hash1 = "fe211c7a081c1dac46e3935f7c614549"
		hash2 = "8c9db773d387bf9b3f2b6a532e4c937c"
		id = "55046e1a-731a-5418-9a7a-4fe1611c77d0"
	strings:
		$s0 = "Copyright 2012 Google Inc. All rights reserved." fullword wide
		$s1 = "(Prxy%c-%s:%u)" fullword ascii
		$s2 = "Google Inc." fullword wide
	condition:
		filesize < 100KB and uint16(0) == 0x5A4D and all of them
}
direct APT30
APT30_Sample_9
FireEye APT30 Report Sample
author Florian Roth (Nextron Systems) license see source repo
rule APT30_Sample_9 {
	meta:
		description = "FireEye APT30 Report Sample"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
		date = "2015/04/13"
		hash = "442bf8690401a2087a340ce4a48151c39101652f"
		id = "bf24bb57-aff9-579c-b8a2-265a6d2a06d0"
	strings:
		$s0 = "\\Windo" ascii
		$s2 = "oHHOSTR" ascii
		$s3 = "Softwa]\\Mic" ascii
		$s4 = "Startup'T" ascii
		$s6 = "Ora\\%^" ascii
		$s7 = "\\Ohttp=r" ascii
		$s17 = "help32Snapshot0L" ascii
		$s18 = "TimUmoveH" ascii
		$s20 = "WideChc[lobalAl" ascii
	condition:
		filesize < 100KB and uint16(0) == 0x5A4D and all of them
}
direct APT30
APT30_Sample_10
FireEye APT30 Report Sample
author Florian Roth (Nextron Systems) license see source repo
rule APT30_Sample_10 {
	meta:
		description = "FireEye APT30 Report Sample"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
		date = "2015/04/13"
		hash = "eb518cda3c4f4e6938aaaee07f1f7db8ee91c901"
		id = "e5dd6bc9-9383-5d48-92df-709996373655"
	strings:
		$s0 = "Version 4.7.3001" fullword wide
		$s1 = "Copyright (c) Microsoft Corporation 2004" fullword wide
		$s2 = "Microsoft(R) is a registered trademark of Microsoft Corporation in the U" wide
		$s3 = "!! Use Connect Method !!" fullword ascii
		$s4 = "(Prxy%c-%s:%u)" fullword ascii
		$s5 = "msmsgs" fullword wide
		$s18 = "(Prxy-No)" fullword ascii
	condition:
		filesize < 100KB and uint16(0) == 0x5A4D and all of them
}
direct APT30
APT30_Sample_11
FireEye APT30 Report Sample
author Florian Roth (Nextron Systems) license see source repo
rule APT30_Sample_11 {
	meta:
		description = "FireEye APT30 Report Sample"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
		date = "2015/04/13"
		hash = "59066d5d1ee3ad918111ed6fcaf8513537ff49a6"
		id = "e5dd6bc9-9383-5d48-92df-709996373655"
	strings:
		$s0 = "System\\CurrentControlSet\\control\\ComputerName\\ComputerName" fullword ascii
		$s1 = "msofscan.exe" fullword wide
		$s2 = "Mozilla/4.0 (compatible; MSIE 5.0; Win32)" fullword ascii
		$s3 = "Microsoft? is a registered trademark of Microsoft Corporation." fullword wide
		$s4 = "Windows XP Professional x64 Edition or Windows Server 2003" fullword ascii
		$s9 = "NetEagle_Scout - " fullword ascii
		$s10 = "Server 4.0, Enterprise Edition" fullword ascii
		$s11 = "Windows 3.1(Win32s)" fullword ascii
		$s12 = "%s%s%s %s" fullword ascii
		$s13 = "Server 4.0" fullword ascii
		$s15 = "Windows Millennium Edition" fullword ascii
		$s16 = "msofscan" fullword wide
		$s17 = "Eagle-Norton360-OfficeScan" fullword ascii
		$s18 = "Workstation 4.0" fullword ascii
		$s19 = "2003 Microsoft Office system" fullword wide
	condition:
		filesize < 250KB and uint16(0) == 0x5A4D and all of them
}
direct APT30
APT30_Sample_12
FireEye APT30 Report Sample
author Florian Roth (Nextron Systems) license see source repo
rule APT30_Sample_12 {
	meta:
		description = "FireEye APT30 Report Sample"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
		date = "2015/04/13"
		hash = "b02b5720ff0f73f01eb2ba029a58b645c987c4bc"
		id = "e5dd6bc9-9383-5d48-92df-709996373655"
	strings:
		$s0 = "Richic" fullword ascii
		$s1 = "Accept: image/gif, */*" fullword ascii
		$s2 = "----------------g_nAV=%d,hWnd:0x%X,className:%s,Title:%s,(%d,%d,%d,%d),BOOL=%d" fullword ascii
	condition:
		filesize < 250KB and uint16(0) == 0x5A4D and all of them
}
direct APT30
APT30_Sample_13
FireEye APT30 Report Sample
author Florian Roth (Nextron Systems) license see source repo
rule APT30_Sample_13 {
	meta:
		description = "FireEye APT30 Report Sample"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
		date = "2015/04/13"
		hash = "a359f705a833c4a4254443b87645fd579aa94bcf"
		id = "e5dd6bc9-9383-5d48-92df-709996373655"
	strings:
		$s0 = "msofscan.exe" fullword wide
		$s1 = "Microsoft? is a registered trademark of Microsoft Corporation." fullword wide
		$s2 = "Microsoft Office Word Plugin Scan" fullword wide
		$s3 = "? 2006 Microsoft Corporation.  All rights reserved." fullword wide
		$s4 = "msofscan" fullword wide
		$s6 = "2003 Microsoft Office system" fullword wide
	condition:
		filesize < 100KB and uint16(0) == 0x5A4D and all of them
}
direct APT30
APT30_Sample_14
FireEye APT30 Report Sample
author Florian Roth (Nextron Systems) license see source repo
rule APT30_Sample_14 {
	meta:
		description = "FireEye APT30 Report Sample"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
		date = "2015/04/13"
		hash = "b0740175d20eab79a5d62cdbe0ee1a89212a8472"
		id = "e5dd6bc9-9383-5d48-92df-709996373655"
	strings:
		$s0 = "AdobeReader.exe" fullword wide
		$s4 = "10.1.7.27" fullword wide
		$s5 = "Copyright 1984-2012 Adobe Systems Incorporated and its licensors. All ri" wide
		$s8 = "Adobe Reader" fullword wide
	condition:
		filesize < 100KB and uint16(0) == 0x5A4D and all of them
}
direct APT30
APT30_Sample_15
FireEye APT30 Report Sample
author Florian Roth (Nextron Systems) license see source repo
rule APT30_Sample_15 {
	meta:
		description = "FireEye APT30 Report Sample"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
		date = "2015/04/13"
		hash = "7a8576804a2bbe4e5d05d1718f90b6a4332df027"
		id = "e5dd6bc9-9383-5d48-92df-709996373655"
	strings:
		$s0 = "\\Windo" ascii
		$s2 = "HHOSTR" ascii
		$s3 = "Softwa]\\Mic" ascii
		$s4 = "Startup'T" fullword ascii
		$s17 = "help32Snapshot0L" fullword ascii
		$s18 = "TimUmoveH" ascii
	condition:
		filesize < 100KB and uint16(0) == 0x5A4D and all of them
}
direct APT30
APT30_Sample_16
FireEye APT30 Report Sample
author Florian Roth (Nextron Systems) license see source repo
rule APT30_Sample_16 {
	meta:
		description = "FireEye APT30 Report Sample"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
		date = "2015/04/13"
		hash = "066d06ac08b48d3382d46bbeda6ad411b6d6130e"
		id = "e5dd6bc9-9383-5d48-92df-709996373655"
	strings:
		$s0 = "\\Temp1020.txt" ascii
		$s1 = "cmcbqyjs" fullword ascii
		$s2 = "SPVSWh\\" fullword ascii
		$s4 = "PSShxw@" fullword ascii
		$s5 = "VWhHw@" fullword ascii
		$s7 = "SVWhHw@" fullword ascii
	condition:
		filesize < 100KB and uint16(0) == 0x5A4D and all of them
}
direct APT30
APT30_Generic_A
FireEye APT30 Report Sample
author Florian Roth (Nextron Systems) license see source repo
rule APT30_Generic_A {
	meta:
		description = "FireEye APT30 Report Sample"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
		date = "2015/04/13"
		hash1 = "9f49aa1090fa478b9857e15695be4a89f8f3e594"
		hash2 = "396116cfb51cee090822913942f6ccf81856c2fb"
		hash3 = "fef9c3b4b35c226501f7d60816bb00331a904d5b"
		hash4 = "7c9a13f1fdd6452fb6d62067f958bfc5fec1d24e"
		hash5 = "5257ba027abe3a2cf397bfcae87b13ab9c1e9019"
		id = "6b851d94-d3bd-5c76-8fd0-adb42b3fab73"
	strings:
		$s5 = "WPVWhhiA" fullword ascii
		$s6 = "VPWVhhiA" fullword ascii
		$s11 = "VPhhiA" fullword ascii
		$s12 = "uUhXiA" fullword ascii
	condition:
		filesize < 100KB and uint16(0) == 0x5A4D and all of them
}
direct APT30
APT30_Sample_17
FireEye APT30 Report Sample
author Florian Roth (Nextron Systems) license see source repo
rule APT30_Sample_17 {
	meta:
		description = "FireEye APT30 Report Sample"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
		date = "2015/04/13"
		hash = "c3aa52ff1d19e8fc6704777caf7c5bd120056845"
		id = "e5dd6bc9-9383-5d48-92df-709996373655"
	strings:
		$s1 = "Nkfvtyvn}]ty}ztU" fullword ascii
		$s4 = "IEXPL0RE" fullword ascii
	condition:
		filesize < 100KB and uint16(0) == 0x5A4D and all of them
}
direct APT30
APT30_Sample_18
FireEye APT30 Report Sample
author Florian Roth (Nextron Systems) license see source repo
rule APT30_Sample_18 {
	meta:
		description = "FireEye APT30 Report Sample"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
		date = "2015/04/13"
		hash = "355436a16d7a2eba8a284b63bb252a8bb1644751"
		id = "e5dd6bc9-9383-5d48-92df-709996373655"
	strings:
		$s0 = "w.km-nyc.com" fullword ascii
		$s1 = "tscv.exe" fullword ascii
		$s2 = "Exit/app.htm" ascii
		$s3 = "UBD:\\D" ascii
		$s4 = "LastError" ascii
		$s5 = "MicrosoftHaveAck" ascii
		$s7 = "HHOSTR" ascii
		$s20 = "XPL0RE." ascii
	condition:
		filesize < 100KB and uint16(0) == 0x5A4D and all of them
}
direct APT30
APT30_Generic_G
FireEye APT30 Report Sample
author Florian Roth (Nextron Systems) license see source repo
rule APT30_Generic_G {
	meta:
		description = "FireEye APT30 Report Sample"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
		date = "2015/04/13"
		hash = "1612b392d6145bfb0c43f8a48d78c75f"
		hash = "53f1358cbc298da96ec56e9a08851b4b"
		hash = "c2acc9fc9b0f050ec2103d3ba9cb11c0"
		hash = "f18be055fae2490221c926e2ad55ab11"
		id = "34269de3-4559-58a5-a621-0ad72857dc9e"
	strings:
		$s0 = "%s\\%s\\%s=%s" fullword ascii
		$s1 = "Copy File %s OK!" fullword ascii
		$s2 = "%s Space:%uM,FreeSpace:%uM" fullword ascii
		$s4 = "open=%s" fullword ascii
		$s5 = "Maybe a Encrypted Flash Disk" fullword ascii
		$s12 = "%04u-%02u-%02u %02u:%02u:%02u" fullword ascii
	condition:
		filesize < 100KB and uint16(0) == 0x5A4D and all of them
}
direct APT30
APT30_Sample_19
FireEye APT30 Report Sample
author Florian Roth (Nextron Systems) license see source repo
rule APT30_Sample_19 {
   meta:
      description = "FireEye APT30 Report Sample"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
      date = "2015/04/03"
      modified = "2023-01-06"
      score = 75
      hash = "cfa438449715b61bffa20130df8af778ef011e15"
      id = "e5dd6bc9-9383-5d48-92df-709996373655"
   strings:
      $s0 = "C:\\Program Files\\Common Files\\System\\wab32" fullword ascii
      $s1 = "%s,Volume:%s,Type:%s,TotalSize:%uMB,FreeSize:%uMB" fullword ascii
      $s2 = "\\TEMP\\" ascii
      $s3 = "\\Temporary Internet Files\\" ascii
      $s5 = "%s TotalSize:%u Bytes" fullword ascii
      $s6 = "This Disk Maybe a Encrypted Flash Disk!" fullword ascii
      $s7 = "User:%-32s" fullword ascii
      $s8 = "\\Desktop\\" ascii
      $s9 = "%s.%u_%u" fullword ascii
      $s10 = "Nick:%-32s" fullword ascii
      $s11 = "E-mail:%-32s" fullword ascii
      $s13 = "%04u-%02u-%02u %02u:%02u:%02u" fullword ascii
      $s14 = "Type:%-8s" fullword ascii
   condition:
      filesize < 100KB and uint16(0) == 0x5A4D and 8 of them
}
direct APT30
APT30_Generic_E_v2
FireEye APT30 Report Sample
author Florian Roth (Nextron Systems) license see source repo
rule APT30_Generic_E_v2 {
	meta:
		description = "FireEye APT30 Report Sample"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
		date = "2015/04/13"
		hash = "eca53a9f6251ddf438508b28d8a483f91b99a3fd"
		id = "40897687-fb17-568e-9907-e9588a53bbe0"
	strings:
		$s0 = "Nkfvtyvn}duf_Z}{Ys" fullword ascii
		$s1 = "Nkfvtyvn}*Zrswru1i" fullword ascii
		$s2 = "Nkfvtyvn}duf_Z}{V" fullword ascii
		$s3 = "Nkfvtyvn}*ZrswrumT\\b" fullword ascii
	condition:
		filesize < 100KB and uint16(0) == 0x5A4D and all of them
}
direct APT30
APT30_Sample_20
FireEye APT30 Report Sample
author Florian Roth (Nextron Systems) license see source repo
rule APT30_Sample_20 {
	meta:
		description = "FireEye APT30 Report Sample"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
		date = "2015/04/13"
		hash = "b1c37632e604a5d1f430c9351f87eb9e8ea911c0"
		id = "91246101-246b-5da9-9e55-7f361d1f6437"
	strings:
		$s0 = "dizhi.gif" fullword ascii
		$s2 = "Mozilla/u" ascii
		$s3 = "XicrosoftHaveAck" ascii
		$s4 = "flyeagles" ascii
		$s10 = "iexplore." ascii
		$s13 = "WindowsGV" fullword ascii
		$s16 = "CatePipe" fullword ascii
		$s17 = "'QWERTY:/webpage3" fullword ascii
	condition:
		filesize < 100KB and uint16(0) == 0x5A4D and all of them
}
direct APT30
APT30_Sample_21
FireEye APT30 Report Sample
author Florian Roth (Nextron Systems) license see source repo
rule APT30_Sample_21 {
	meta:
		description = "FireEye APT30 Report Sample"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
		date = "2015/04/13"
		hash = "d315daa61126616a79a8582145777d8a1565c615"
		id = "72005b40-91f7-5661-9478-8680f999b245"
	strings:
		$s0 = "Service.dll" fullword ascii
		$s1 = "(%s:%s %s)" fullword ascii
		$s2 = "%s \"%s\",%s %s" fullword ascii
		$s5 = "Proxy-%s:%u" fullword ascii
	condition:
		filesize < 100KB and uint16(0) == 0x5A4D and all of them
}
Showing 51-100 of 117
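Most of the APT30 rules above share one shape: a PE header check (`uint16(0) == 0x5A4D` is the little-endian read of the two bytes `MZ`), an upper bound on `filesize`, and `all of them` (or `8 of them`) over a handful of `fullword ascii` / `fullword wide` strings. Two caveats before you load this set into a rule-management workflow: the `filesize` bound means a padded or repacked copy of the same sample will not fire, and APT30_Sample_10 through APT30_Sample_19 all carry the same `id` meta value, so that field cannot be used as a unique key for these rules. The block below is an added example, not yara-python and not the rule authors' or signature-base's code: a small evaluator for exactly that subset of YARA (text strings with `ascii`/`wide`/`fullword`, `filesize < NKB` / `> NKB`, the `uint16(0)` test, and `all|any|N of them` / `of ($prefix*)` joined by `and`), plus a check for duplicated ids. The two embedded rules are copied from this page with their meta blocks cut down to the `id` line; the byte buffers are constructed. For real hunts use yara-python or the yara CLI; this exists to make the conditions' semantics concrete and testable offline.

```python
"""Subset YARA evaluator for the text-string rules on this page (added example; not
yara-python and not the rule authors' code). Handles only what the APT30 rules use:
ascii/wide/fullword text strings, filesize < NKB / > NKB, uint16(0) == 0x...., and
all|any|N of them|($prefix*), joined by `and`. Anything else raises ValueError."""
import re
# Two rules copied from this page, meta cut down to id; both carry the same id.
RULES = r'''
rule APT30_Sample_12 {
    meta:
        id = "e5dd6bc9-9383-5d48-92df-709996373655"
    strings:
        $s0 = "Richic" fullword ascii
        $s1 = "Accept: image/gif, */*" fullword ascii
        $s2 = "----------------g_nAV=%d,hWnd:0x%X,className:%s,Title:%s,(%d,%d,%d,%d),BOOL=%d" fullword ascii
    condition:
        filesize < 250KB and uint16(0) == 0x5A4D and all of them
}
rule APT30_Sample_17 {
    meta:
        id = "e5dd6bc9-9383-5d48-92df-709996373655"
    strings:
        $s1 = "Nkfvtyvn}]ty}ztU" fullword ascii
        $s4 = "IEXPL0RE" fullword ascii
    condition:
        filesize < 100KB and uint16(0) == 0x5A4D and all of them
}
'''
ALNUM = frozenset(b'0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz')

def unescape(s):
    """Decode YARA text-string escapes (backslash, quote, n, t, r, xNN) via Python's unicode_escape codec."""
    return s.encode('latin-1').decode('unicode_escape').encode('latin-1')

def parse_rules(text):
    """Yield (name, meta, [(ident, bytes, modifiers)], condition) per rule. Only quoted meta values are kept."""
    for m in re.finditer(r'rule\s+(\w+)\s*\{(.*?)\n\}', text, re.S):
        parts = re.split(r'\n\s*(meta|strings|condition):', m.group(2))
        sect = dict(zip(parts[1::2], parts[2::2]))
        meta = dict(re.findall(r'(\w+)\s*=\s*"([^"]*)"', sect.get('meta', '')))
        strings = []
        for line in filter(None, map(str.strip, sect.get('strings', '').splitlines())):
            sm = re.fullmatch(r'\$(\w+)\s*=\s*"((?:[^"\\]|\\.)*)"((?:\s+\w+)*)', line)
            if not sm or set(sm.group(3).split()) - {'ascii', 'wide', 'fullword'}:  # hex, regex, nocase ...
                raise ValueError(f'{m.group(1)}: unsupported string definition {line!r}')
            strings.append((sm.group(1), unescape(sm.group(2)), set(sm.group(3).split())))
        yield m.group(1), meta, strings, sect.get('condition', '').strip()

def _found(data, needle, step, fullword):
    """needle occurs in data; with fullword, the character before and after (1 byte for
    ascii, 2 bytes for wide) must not be alphanumeric. Simplified relative to YARA."""
    edge = lambda i: 0 <= i and i + step <= len(data) and data[i] in ALNUM and (step == 1 or data[i + 1] == 0)
    pos = data.find(needle)
    while pos != -1:
        if not fullword or not (edge(pos - step) or edge(pos + len(needle))):
            return True
        pos = data.find(needle, pos + 1)
    return False

def _term(term, data, hits, idents):
    """Evaluate one condition term of the three supported kinds."""
    if m := re.fullmatch(r'filesize\s*([<>])\s*(\d+)KB', term):
        n = int(m.group(2)) * 1024
        return len(data) < n if m.group(1) == '<' else len(data) > n
    if m := re.fullmatch(r'uint16\(0\)\s*==\s*0x([0-9A-Fa-f]+)', term):  # little-endian: b'MZ' == 0x5A4D
        return len(data) >= 2 and int.from_bytes(data[:2], 'little') == int(m.group(1), 16)
    if m := re.fullmatch(r'(all|any|\d+)\s+of\s+(?:them|\(\$(\w*)\*\))', term):
        pool = [i for i in idents if m.group(2) is None or i.startswith(m.group(2))]
        need = len(pool) if m.group(1) == 'all' else 1 if m.group(1) == 'any' else int(m.group(1))
        return sum(i in hits for i in pool) >= need
    raise ValueError(f'unsupported condition term {term!r}')

def eval_condition(cond, data, hits, idents):
    """Evaluate an `and`-joined condition (no `or`, no parentheses, no single-string references)."""
    return all(_term(t, data, hits, idents) for t in re.split(r'\s+and\s+', cond.strip()))

def scan(rule_text, data):
    """Return {rule name: sorted ids of matched strings} for every rule that fires on data."""
    fired = {}
    for name, _meta, strings, cond in parse_rules(rule_text):
        hits = set()
        for ident, pat, mods in strings:
            variants = [(pat.decode('latin-1').encode('utf-16-le'), 2)] if 'wide' in mods else []
            if 'ascii' in mods or 'wide' not in mods:  # a bare text string is ascii by default
                variants.append((pat, 1))
            if any(_found(data, n, step, 'fullword' in mods) for n, step in variants):
                hits.add(ident)
        if eval_condition(cond, data, hits, [s[0] for s in strings]):
            fired[name] = sorted(hits)
    return fired

def duplicate_ids(rule_text):
    """Map every meta id shared by more than one rule to the rule names using it."""
    seen = {}
    for name, meta, _s, _c in parse_rules(rule_text):
        seen.setdefault(meta.get('id'), []).append(name)
    return {k: v for k, v in seen.items() if k and len(v) > 1}

# Constructed inputs: a stub "PE" carrying the Sample_17 strings, and the same bytes minus the MZ header.
FAKE_PE = b'MZ' + b'\x00' * 62 + b'..IEXPL0RE..Nkfvtyvn}]ty}ztU\x00' + b'\x00' * 100
NOT_PE = FAKE_PE[2:]
```

`scan(RULES, FAKE_PE)` reports `APT30_Sample_17` with both strings; the same bytes without the `MZ` header, or a copy where `IEXPL0RE` is glued to another letter, match nothing, which is exactly what the `uint16(0)` term and the `fullword` modifier buy you. `duplicate_ids(RULES)` returns the shared id with both rule names. Anything outside the subset (the hex strings in the rule at the top of this page, `or`, parentheses, `nocase`) raises ValueError rather than silently mis-evaluating.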
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin