YARA rules for Royal / BlackSuit

61 rules · scoped to actor
YARA rules whose family, name, or description matches this actor or its tooling, collected for binary-pattern hunts. The match is by name or description only, so check what each rule actually targets before relying on it: the rules below cover the APT15 RoyalCli/RoyalDLL backdoors and the RoyalRoad RTF weaponizer, which share only the "Royal" name with Royal/BlackSuit ransomware.

direct malware
malware_apt15_royalcli_2
APT15 RoyalCli backdoor
author: Nikolaos Pantazopoulos · license: see source repo
rule malware_apt15_royalcli_2{
   meta:
      author = "Nikolaos Pantazopoulos"
      description = "APT15 RoyalCli backdoor"
      id = "d4acfd2d-385d-5063-898e-d339b50733eb"
   strings:
      $string1 = "%shkcmd.exe" fullword
      $string2 = "myRObject" fullword
      $string3 = "%snewcmd.exe" fullword
      $string4 = "%s~clitemp%08x.tmp" fullword
      $string6 = "myWObject" fullword
   condition:
      uint16(0) == 0x5A4D and 2 of them
}
direct malware
malware_apt15_royaldll_2
DNS backdoor used by APT15
author: Ahmed Zaki · license: see source repo
// The condition calls pe.exports(), so the rule needs the pe module imported.
import "pe"

rule malware_apt15_royaldll_2 {
   meta:
      author = "Ahmed Zaki"
      sha256 = "bc937f6e958b339f6925023bc2af375d669084e9551fd3753e501ef26e36b39d"
      description = "DNS backdoor used by APT15"
      id = "3bc546a5-38b9-5504-b09e-305ba7bbd6bc"
   strings:
      $= "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost" wide ascii
      $= "netsvcs" wide ascii fullword
      $= "%SystemRoot%\\System32\\svchost.exe -k netsvcs" wide ascii fullword
      $= "SYSTEM\\CurrentControlSet\\Services\\" wide ascii
      $= "myWObject" wide ascii
   condition:
      uint16(0) == 0x5A4D and all of them
      and pe.exports("ServiceMain")
      and filesize > 50KB and filesize < 600KB
}
direct RoyalRoad
RoyalRoad_code_pattern1
Detects RoyalRoad weaponized RTF documents
author: nao_sec · license: see source repo
rule RoyalRoad_code_pattern1
{
   meta:
      description = "Detects RoyalRoad weaponized RTF documents"
      reference = "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_8_koike-nakajima_jp.pdf"
      date = "2020/01/15"
      author = "nao_sec"
      score = 80
      id = "db2fb24c-df99-5622-ac3d-d31c34481984"
   strings:
       $S1= "48905d006c9c5b0000000000030101030a0a01085a5ab844eb7112ba7856341231"
       $RTF= "{\\rt"

   condition:
       $RTF at 0 and $S1
}
direct RoyalRoad
RoyalRoad_code_pattern2
Detects RoyalRoad weaponized RTF documents
author: nao_sec · license: see source repo
rule RoyalRoad_code_pattern2
{
   meta:
      description = "Detects RoyalRoad weaponized RTF documents"
      reference = "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_8_koike-nakajima_jp.pdf"
      date = "2020/01/15"
      author = "nao_sec"
      score = 80
      id = "135024ae-9ecf-5691-95ca-96002e500fd5"
    strings:
        $S1= "653037396132353234666136336135356662636665" ascii
        $RTF= "{\\rt"

    condition:
        $RTF at 0 and $S1
}
direct RoyalRoad
RoyalRoad_code_pattern3
Detects RoyalRoad weaponized RTF documents
author: nao_sec · license: see source repo
rule RoyalRoad_code_pattern3
{
   meta:
      description = "Detects RoyalRoad weaponized RTF documents"
      reference = "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_8_koike-nakajima_jp.pdf"
      date = "2020/01/15"
      author = "nao_sec"
      score = 80
      id = "7bce2fe6-a921-51ec-8b5f-5d7f55ab3864"
   strings:
      $S1= "4746424151515151505050500000000000584242eb0642424235353336204460606060606060606061616161616161616161616161616161"
      $RTF= "{\\rt"

   condition:
      $RTF at 0 and $S1
}
direct RoyalRoad
RoyalRoad_code_pattern4ab
Detects RoyalRoad weaponized RTF documents
author: nao_sec · license: see source repo
rule RoyalRoad_code_pattern4ab
{
   meta:
      description = "Detects RoyalRoad weaponized RTF documents"
      reference = "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_8_koike-nakajima_jp.pdf"
      date = "2020/01/15"
      author = "nao_sec"
      score = 80
      id = "b4926888-b576-59f7-932a-03b9326845da"
    strings:
        $S1= "4746424151515151505050500000000000584242EB064242423535333620446060606060606060606161616161616}1616161616161616161" ascii
        $RTF= "{\\rt"

    condition:
        $RTF at 0 and $S1
}
direct RoyalRoad
RoyalRoad_code_pattern4ce
Detects RoyalRoad weaponized RTF documents
author: nao_sec · license: see source repo
rule RoyalRoad_code_pattern4ce
{
   meta:
      description = "Detects RoyalRoad weaponized RTF documents"
      reference = "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_8_koike-nakajima_jp.pdf"
      date = "2020/01/15"
      author = "nao_sec"
      score = 80
      id = "c6e8a072-23cd-5f6a-9b4f-57d3e4500d13"
    strings:
        $S1= "584242eb064242423535333620446060606060606060606161616161616161616161616}1616161" ascii
        $RTF= "{\\rt"

    condition:
        $RTF at 0 and $S1
}
direct RoyalRoad
RoyalRoad_code_pattern4d
Detects RoyalRoad weaponized RTF documents
author: nao_sec · license: see source repo
rule RoyalRoad_code_pattern4d
{
   meta:
      description = "Detects RoyalRoad weaponized RTF documents"
      reference = "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_8_koike-nakajima_jp.pdf"
      date = "2020/01/15"
      author = "nao_sec"
      score = 80
      id = "1677dfb4-7611-5bef-87d1-4cec6285791f"
    strings:
        $S1= "584242eb06424242353533362044606060606060606060616161616161616161616}16161616161" ascii
        $RTF= "{\\rt"

    condition:
        $RTF at 0 and $S1
}
direct RoyalRoad
RoyalRoad_RTF
Detects RoyalRoad weaponized RTF documents
author: nao_sec · license: see source repo
rule RoyalRoad_RTF
{
   meta:
      description = "Detects RoyalRoad weaponized RTF documents"
      reference = "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_8_koike-nakajima_jp.pdf"
      date = "2020/01/15"
      author = "nao_sec"
      score = 80
      id = "366ec9c3-e6ad-5198-88d5-15aa84a8358f"
    strings:
        $S1= "objw2180\\objh300" ascii
        $RTF= "{\\rt"

    condition:
        $RTF at 0 and $S1
}
direct RoyalRoad
RoyalRoad_RTF_v7
Detects RoyalRoad weaponized RTF documents
author: nao_sec · license: see source repo
rule RoyalRoad_RTF_v7
{
   meta:
      description = "Detects RoyalRoad weaponized RTF documents"
      reference = "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_8_koike-nakajima_jp.pdf"
      date = "2020/01/15"
      author = "nao_sec"
      score = 60
      id = "9d2af980-a851-533a-b25d-ee52277e319c"
    strings:
        $v7_1= "{\\object\\objocx{\\objdata" ascii
        $v7_2= "ods0000"  ascii
        $RTF= "{\\rt"

    condition:
        $RTF at 0 and all of ($v7*)
}
direct RoyalRoad
RoyalRoad_encode_in_RTF
Detects RoyalRoad weaponized RTF documents
author: nao_sec · license: see source repo
rule RoyalRoad_encode_in_RTF
{
   meta:
      description = "Detects RoyalRoad weaponized RTF documents"
      reference = "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_8_koike-nakajima_jp.pdf"
      date = "2020/01/15"
      author = "nao_sec"
      score = 60
      id = "66614152-8f9b-5e62-b6bd-ba0286e66d4d"
    strings:
        $enc_hex_1 = "B0747746"
        $enc_hex_2 = "B2A66DFF"
        $enc_hex_3 = "F2A32072"
        $enc_hex_4 = "B2A46EFF"
        $enc_hex_1l = "b0747746"
        $enc_hex_2l = "b2a66Dff"
        $enc_hex_3l = "f2a32072"
        $enc_hex_4l = "b2a46eff"
        $RTF= "{\\rt"
    condition:
        $RTF at 0 and 1 of ($enc_hex*)
}
Showing 51-61 of 61
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin