YARA rules

Home/Flame/YARA rules

YARA

YARA rules for Flame

1 rules · scoped to actor · back to Flame

YARA rules whose family, name, or description matches this actor or its tooling. Use these for binary-pattern hunts.

◈

1 of 1

direct FLAME2

FLAME2_Orchestrator

author turla @ Uppercase license see source repo

view YARA rule

rule FLAME2_Orchestrator {
   meta:
      desc = "Encrypted resources in Flame2.0 Orchestrators"
      author = "turla @ Uppercase"
      hash1 = "15a9b1d233c02d1fdf80071797ff9077f6ac374958f7d0f2b6e84b8d487c9cd1" 
      hash2 = "426aa55d2afb9eb08b601d373671594f39a1d9d9a73639c4a64f17d674ca9a82" 
      hash3 = "af8ccd0294530c659580f522fcc8492d92c2296dc068f9a42474d52b2b2f16e4"
      reference = "https://medium.com/chronicle-blog/who-is-gossipgirl-3b4170f846c0"
   condition: 
      for any i in (0..pe.number_of_resources-1):
      ((hash.md5(pe.resources[i].offset,pe.resources[i].length) == "53b19d9863d8ff8cde8e4358d1b57c04") or
      (hash.md5(pe.resources[i].offset,pe.resources[i].length) == "4849cc439e524ef6a9964a3666dddb13") or
      (hash.md5(pe.resources[i].offset,pe.resources[i].length) == "62bfe21a8eb76fd07e22326c0073fef5") or
      (hash.md5(pe.resources[i].offset,pe.resources[i].length) == "dfed2c71749b04dad46d0ce52834492c") or
      (hash.md5(pe.resources[i].offset,pe.resources[i].length) == "9119aa701b39242a98be118d9c237ecc") or
      (hash.md5(pe.resources[i].offset,pe.resources[i].length) == "b69d168e29fba6c88ad4e670949815aa") or
      (hash.md5(pe.resources[i].offset,pe.resources[i].length) == "4849cc439e524ef6a9964a3666dddb13") or
      (hash.md5(pe.resources[i].offset,pe.resources[i].length) == "1933a1e254b1657a6a2eb8ad1fbe6fa3") or
      (hash.md5(pe.resources[i].offset,pe.resources[i].length) == "dfed2c71749b04dad46d0ce52834492c") or
      (hash.md5(pe.resources[i].offset,pe.resources[i].length) == "9119aa701b39242a98be118d9c237ecc") or
      (hash.md5(pe.resources[i].offset,pe.resources[i].length) == "b69d168e29fba6c88ad4e670949815aa") or
      (hash.md5(pe.resources[i].offset,pe.resources[i].length) == "17c794f7056349cb82889b5e5b030d15") or
      (hash.md5(pe.resources[i].offset,pe.resources[i].length) == "e15187f79b6916cb6763d29d215623c1") or
      (hash.md5(pe.resources[i].offset,pe.resources[i].length) == "923963bb24f2e2ceac9f9759071dba88") or
      (hash.md5(pe.resources[i].offset,pe.resources[i].length) == "9a2766aba7f2a56ef1ab24cf171ee0ed") or
      (hash.md5(pe.resources[i].offset,pe.resources[i].length) == "ebe15bfb5a3944ea4952ddf0f73aa6e8"))
}

Showing 1-1 of 1

Prev 1 Next

Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities

Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs

Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures

Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1

About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service

threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin