YARA rules for Gamaredon Group
61 rules · scoped to actor · back to Gamaredon Group
YARA rules whose family, name, or description matches this actor or its tooling. Use these for binary-pattern hunts.
rule Batch_Script_To_Run_PsExec {
meta:
author = "NCSC"
description = "Detects malicious batch file from NCSC report"
reference = "https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control"
date = "2018/04/06"
hash = "b7d7c4bc8f9fd0e461425747122a431f93062358ed36ce281147998575ee1a18"
id = "1fbeeec8-a5bd-569e-b435-c7d82d32e47b"
strings:
$ = "Tokens=1 delims=" ascii
$ = "SET ws=%1" ascii
$ = "Checking %ws%" ascii
$ = "%TEMP%\\%ws%ns.txt" ascii
$ = "ps.exe -accepteula" ascii
condition:
3 of them
}
rule Casper_SystemInformation_Output {
meta:
description = "Casper French Espionage Malware - System Info Output - http://goo.gl/VRJNLo"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://goo.gl/VRJNLo"
date = "2015/03/06"
score = 70
id = "aaae200c-7ef1-52eb-be5b-36e0ad29ecef"
strings:
$a0 = "***** SYSTEM INFORMATION ******"
$a1 = "***** SECURITY INFORMATION ******"
$a2 = "Antivirus: "
$a3 = "Firewall: "
$a4 = "***** EXECUTION CONTEXT ******"
$a5 = "Identity: "
$a6 = "<CONFIG TIMESTAMP="
condition:
all of them
}
rule Certutil_Decode_OR_Download {
meta:
description = "Certutil Decode"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Internal Research"
score = 40
date = "2017-08-29"
modified = "2026-04-01"
id = "63bdefd2-225a-56d5-b615-5e236c97f050"
strings:
$a1 = "certutil -decode " ascii wide
$a2 = "certutil -decode " ascii wide
$a3 = "certutil.exe -decode " ascii wide
$a4 = "certutil.exe -decode " ascii wide
$a5 = "certutil -urlcache -split -f http" ascii wide
$a6 = "certutil.exe -urlcache -split -f http" ascii wide
$fp_msi = { 52 00 6F 00 6F 00 74 00 20 00 45 00 6E 00 74 00 72 00 79 }
$fp_doc = "https://docs.aws.amazon.com" ascii
condition:
filesize < 700KB
and 1 of ($a*)
and not 1 of ($fp*)
}
rule APT_Cloaked_CERTUTIL {
meta:
description = "Detects a renamed certutil.exe utility that is often used to decode encoded payloads"
author = "Florian Roth (Nextron Systems)"
reference = "Internal Research"
date = "2018-09-14"
modified = "2022-06-27"
id = "13943cda-6bb1-5c6c-8e55-e8d4bba1ffef"
strings:
$s1 = "-------- CERT_CHAIN_CONTEXT --------" fullword ascii
$s5 = "certutil.pdb" fullword ascii
$s3 = "Password Token" fullword ascii
condition:
uint16(0) == 0x5a4d and all of them
and not filename contains "certutil"
and not filename contains "CertUtil"
and not filename contains "Certutil"
and not filepath contains "\\Bromium\\"
}
rule Binary_Drop_Certutil {
meta:
description = "Drop binary as base64 encoded cert trick"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://goo.gl/9DNn8q"
date = "2015-07-15"
score = 70
id = "19791e51-d041-524d-80fa-9f3ec54eb084"
strings:
$s0 = "echo -----BEGIN CERTIFICATE----- >" ascii
$s1 = "echo -----END CERTIFICATE----- >>" ascii
$s2 = "certutil -decode " ascii
condition:
filesize < 10KB and all of them
}
rule Lazagne_PW_Dumper {
meta:
description = "Detects Lazagne PW Dumper"
author = "Markus Neis / Florian Roth"
reference = "https://github.com/AlessandroZ/LaZagne/releases/"
date = "2018-03-22"
score = 70
id = "1904029e-9336-5278-ae2e-4bc853316600"
strings:
$s1 = "Crypto.Hash" fullword ascii
$s2 = "laZagne" fullword ascii
$s3 = "impacket.winregistry" fullword ascii
condition:
3 of them
}
rule HKTL_Lazagne_PasswordDumper_Dec18_1 {
meta:
description = "Detects password dumper Lazagne often used by middle eastern threat groups"
author = "Florian Roth (Nextron Systems)"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
reference = "https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group"
date = "2018-12-11"
score = 85
hash1 = "1205f5845035e3ee30f5a1ced5500d8345246ef4900bcb4ba67ef72c0f79966c"
hash2 = "884e991d2066163e02472ea82d89b64e252537b28c58ad57d9d648b969de6a63"
hash3 = "bf8f30031769aa880cdbe22bc0be32691d9f7913af75a5b68f8426d4f0c7be50"
id = "bae48a4d-33b6-55b9-abf5-daf87e5da9e9"
strings:
$s1 = "softwares.opera(" ascii
$s2 = "softwares.mozilla(" ascii
$s3 = "config.dico(" ascii
$s4 = "softwares.chrome(" ascii
$s5 = "softwares.outlook(" ascii
condition:
uint16(0) == 0x5a4d and filesize < 17000KB and 1 of them
}
rule HKTL_Lazagne_Gen_18 {
meta:
description = "Detects Lazagne password extractor hacktool"
author = "Florian Roth (Nextron Systems)"
reference = "https://github.com/AlessandroZ/LaZagne"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
date = "2018-12-11"
score = 80
hash1 = "51121dd5fbdfe8db7d3a5311e3e9c904d644ff7221b60284c03347938577eecf"
id = "034ea6d8-f5cf-5664-9ff9-24d19403093d"
strings:
$x1 = "lazagne.config.powershell_execute(" ascii
$x2 = "creddump7.win32." ascii
$x3 = "lazagne.softwares.windows.hashdump" ascii
$x4 = ".softwares.memory.libkeepass.common(" ascii
condition:
2 of them
}
rule HKTL_BruteRatel_Badger_Indicators_Oct22_4 {
meta:
description = "Detects Brute Ratel C4 badger indicators"
author = "Matthew @embee_research, Florian Roth"
reference = "https://twitter.com/embee_research/status/1580030310778953728"
date = "2022-10-12"
score = 75
id = "a62d08ae-0fb3-55e9-b6f8-7940f8032e4a"
strings:
$s1 = { b? 89 4d 39 8c }
$s2 = { b? bd ca 3b d3 }
$s3 = { b? b2 c1 06 ae }
$s4 = { b? 74 eb 1d 4d }
condition:
filesize < 8000KB
and all of ($s*)
and not uint8(0) == 0x02 /* SHC files */
}
rule SUSP_SFX_cmd {
meta:
description = "Detects suspicious SFX as used by Gamaredon group"
author = "Florian Roth (Nextron Systems)"
reference = "Internal Research"
date = "2018-09-27"
hash1 = "965129e5d0c439df97624347534bc24168935e7a71b9ff950c86faae3baec403"
id = "87e75fe6-c2d7-5cb4-9432-7c37dbfe94b8"
strings:
$s1 = /RunProgram=\"hidcon:[a-zA-Z0-9]{1,16}.cmd/ fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 2000KB and 1 of them
}
rule SUSP_XMRIG_Reference {
meta:
description = "Detects an executable with a suspicious XMRIG crypto miner reference"
author = "Florian Roth (Nextron Systems)"
reference = "https://twitter.com/itaitevet/status/1141677424045953024"
date = "2019-06-20"
score = 70
id = "0a7324ce-90dc-5e6a-b22a-c29eccf324e9"
strings:
$x1 = "\\xmrig\\" ascii
condition:
uint16(0) == 0x5a4d and filesize < 2000KB and 1 of them
}
rule SUSP_Just_EICAR {
meta:
description = "Just an EICAR test file - this is boring but users asked for it"
author = "Florian Roth (Nextron Systems)"
reference = "http://2016.eicar.org/85-0-Download.html"
date = "2019-03-24"
score = 40
hash1 = "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"
id = "e5eedd77-36e2-56a0-be0c-2553043c225a"
strings:
$s1 = "X5O!P%@AP[4\\PZX54(P^)7CC)7}
rule MAL_SUSP_Gamaredon_GetImportByHash {
meta:
description = "Detects Gamaredon APIHashing"
author = "Frank Boldewin (@r3c0nst)"
date = "2021-05-12"
reference = "https://twitter.com/r3c0nst/status/1392405576131436546?s=20"
hash1 = "2d03a301bae0e95a355acd464afc77fde88dd00232aad6c8580b365f97f67a79"
hash2 = "43d6e56515cca476f7279c3f276bf848da4bc13fd15fad9663b9e044970253e8"
hash3 = "5c09f6ebb7243994ddc466058d5dc9920a5fced5e843200b1f057bda087b8ba6"
id = "8f28273e-e8ca-52cb-8dbc-a235598b1975"
strings:
$ParseImgExportDir = { 8B 50 3C 03 D0 8B 52 78 03 D0 8B 4A 1C 03 C8 }
$djb2Hashing = { 8B 75 08 BA 05 15 00 00 8B C2 C1 E2 05 03 D0 33 DB 8A 1E 03 D3 46 33 DB 8A 1E 85 DB 75 } /* https://theartincode.stanis.me/008-djb2/ */
condition:
uint16(0) == 0x5a4d and all of them
}