YARA rules for Tick
YARA rules whose family, name, or description matches this actor or its tooling. Use these for binary-pattern hunts. The match is textual, so rules for unrelated families whose names merely contain the actor string (here SLAPSTICK and CHOPSTICK) also appear; read each rule's description and reference before treating a hit as attribution to this actor.
// Flags ELF files carrying the UNC2891 "Slapstick" PAM backdoor, either by two
// short code sequences or by the full set of plaintext markers below.
rule MAL_UNC2891_Slapstick {
    meta:
        description = "Detects UNC2891 Slapstick pam backdoor"
        author = "Frank Boldewin (@r3c0nst), slightly modifier by Florian Roth"
        date = "2022-03-30"
        modified = "2023-01-05"
        reference = "https://github.com/fboldewin/YARA-rules/tree/master"
        hash1 = "9d0165e0484c31bd4ea467650b2ae2f359f67ae1016af49326bb374cead5f789"
        id = "eb5db507-ac12-5c11-9dd9-ec34b9a80e1c"
    strings:
        $code1 = {F6 50 04 48 FF C0 48 39 D0 75 F5} // string decrypter
        $code2 = {88 01 48 FF C1 8A 11 89 C8 29 F8 84 D2 0F 85} // log buf crypter
        $str1 = "/proc/self/exe" fullword ascii
        // Same format string as $ss3 in EXT_APT_UNC2891_SLAPSTICK (there as hex).
        $str2 = "%-23s %-23s %-23s %-23s %-23s %s" fullword ascii
        // Standard PAM module entry point; present in every legitimate PAM module,
        // so it only discriminates together with the other $str* markers.
        $str3 = "pam_sm_authenticate" ascii
        /* $str4 = "ACCESS GRANTED & WELCOME" xor // pam prompt message */
        $str_fr1 = "HISTFILE=/dev/null" // replacement for XORED message for memory usage reasons
    condition:
        // 0x464c457f read little-endian is 7F 45 4C 46, the ELF magic.
        // The wildcard $str* also covers $str_fr1, so the second branch needs
        // $str1, $str2, $str3 and $str_fr1 all present.
        uint32 (0) == 0x464c457f and filesize < 100KB and (all of ($code*) or all of ($str*))
}
// Mandiant's SLAPSTICK rule: three NUL-terminated format strings, written as
// hex so the terminator is part of the match, all required in an ELF file.
rule EXT_APT_UNC2891_SLAPSTICK {
    meta:
        author = "Mandiant"
        description = "Detects SLAPSTICK malware used by UNC2891"
        date = "2022-03-17"
        reference = "https://www.mandiant.com/resources/blog/unc2891-overview"
        score = 80
    strings:
        // "%Y %b %d %H:%M:%S    \0" (timestamp format, four trailing spaces)
        $ss1 = { 25 59 20 25 62 20 25 64 20 25 48 3a 25 4d 3a 25 53 20 20 20 20 00 }
        // "%-23s %-23s %-23s\0"
        $ss2 = { 25 2d 32 33 73 20 25 2d 32 33 73 20 25 2d 32 33 73 00 }
        // "%-23s %-23s %-23s %-23s %-23s %s\n\0" (see $str2 in MAL_UNC2891_Slapstick)
        $ss3 = { 25 2d 32 33 73 20 25 2d 32 33 73 20 25 2d 32 33 73 20 25 2d 32 33 73 20 25 2d 32 33 73 20 25 73 0a 00 }
    condition:
        // ELF magic; no filesize cap, unlike the companion rule above.
        (uint32(0) == 0x464c457f) and all of them
}
// US-CERT GRIZZLY STEPPE rule for the X-Agent/CHOPSTICK implant: any single
// string is enough. There is no file-type or size guard, so $STR3 (a
// browser User-Agent) and $STR4 (a URL fragment) can hit benign data such as
// browser caches or logs; triage hits rather than acting on them automatically.
rule IMPLANT_3_v1 {
    meta:
        description = "X-Agent/CHOPSTICK Implant by APT28"
        author = "US CERT"
        reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
        date = "2017-02-10"
        score = 85
        id = "d539bb31-18b2-5cf5-b994-daecd5f8c771"
    strings:
        $STR1 = ">process isn't exist<" ascii wide
        // autorun.inf-style launch line for a USB-borne component
        $STR2 = "shell\\open\\command=\"System Volume Information\\USBGuard.exe\" install" ascii wide
        $STR3 = "User-Agent: Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0" ascii wide
        $STR4 = "webhp?rel=psy&hl=7&ai=" ascii wide
        // x86 code fragment; the ?? wildcards mask stack offsets
        $STR5 = {0f b6 14 31 88 55 ?? 33 d2 8b c1 f7 75 ?? 8b 45 ?? 41 0f b6 14
        02 8a 45 ?? 03 fa}
    condition:
        any of them
}
// US-CERT GRIZZLY STEPPE rule for X-Agent/CHOPSTICK keyed on one byte array,
// matched either as it appears in memory/data or as it is built on the stack.
rule IMPLANT_3_v2 {
    meta:
        description = "X-Agent/CHOPSTICK Implant by APT28"
        author = "US CERT"
        reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
        date = "2017-02-10"
        score = 85
        id = "349c65cf-547f-5837-af71-f9721e029b74"
    strings:
        // The same bytes as $base_key_b_array, in 4-byte groups each preceded by
        // C7 45 ?? (looks like the array being written to the stack one dword at
        // a time with a masked frame offset; not verified here).
        $base_key_moved = {C7 45 ?? 3B C6 73 0F C7 45 ?? 8B 07 85 C0 C7 45 ?? 74
        02 FF D0 C7 45 ?? 83 C7 04 3B C7 45 ?? FE 72 F1 5F C7 45 ?? 5E C3 8B
        FF C7 45 ?? 56 B8 D8 78 C7 45 ?? 75 07 50 E8 C7 45 ?? B1 D1 FF FF C7
        45 ?? 59 5D C3 8B C7 45 ?? FF 55 8B EC C7 45 ?? 83 EC 10 A1 66 C7 45
        ?? 33 35}
        // Contiguous form of the array.
        $base_key_b_array = {3B C6 73 0F 8B 07 85 C0 74 02 FF D0 83 C7 04 3B FE
        72 F1 5F 5E C3 8B FF 56 B8 D8 78 75 07 50 E8 B1 D1 FF FF 59 5D C3 8B
        FF 55 8B EC 83 EC 10 A1 33 35 }
    condition:
        // File-type guard accepts several carriers, read little-endian:
        // 0x5A4D = "MZ" (PE), 0xCFD0 = D0 CF (OLE2 compound document),
        // 0xC3D4 = D4 C3 (pcap), 0x46445025 = "%PDF",
        // uint32(1) == 0x6674725C = "\rtf" at offset 1, i.e. "{\rtf".
        (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or
        uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and any of them
}
// US-CERT GRIZZLY STEPPE rule for X-Agent/CHOPSTICK keyed on class-name
// artefacts; lower score than v1/v2 and carries an explicit false-positive
// exclusion for Panda Security binaries.
rule IMPLANT_3_v3 {
    meta:
        description = "X-Agent/CHOPSTICK Implant by APT28"
        author = "US CERT"
        reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
        date = "2017-02-10"
        modified = "2021-03-15"
        score = 65
        id = "ce82511e-715a-53cb-98e5-5d51b94726d5"
    strings:
        // MSVC RTTI type-descriptor names (".?AV<Class>@@"); no modifier, so ascii only.
        $STR1 = ".?AVAgentKernel@@"
        $STR2 = ".?AVIAgentModule@@"
        // Substring of $STR1, so it matches whenever $STR1 does; it also catches
        // the bare name outside RTTI data.
        $STR3 = "AgentKernel"
        $fp1 = "Panda Security S.L." wide
    condition:
        // Same multi-format carrier guard as IMPLANT_3_v2 (PE, OLE2, pcap, PDF, RTF).
        (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or
        uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and 1 of ($STR*)
        and not 1 of ($fp*)
}
// Bronze Butler (Tick) Daserf, Delphi build: PE under 400 KB with any three
// of the listed strings (process injection, Run-key persistence, hard-coded UA).
rule BronzeButler_Daserf_Delphi_1 {
    meta:
        description = "Detects malware / hacktool sample from Bronze Butler incident"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses"
        date = "2017-10-14"
        hash1 = "89a80ca92600af64eb9c32cab4e936c7d675cf815424d72438973e2d6788ef64"
        hash2 = "b1bd03cd12638f44d9ace271f65645e7f9b707f86e9bcf790e0e5a96b755556b"
        hash3 = "22e1965154bdb91dd281f0e86c8be96bf1f9a1e5fe93c60a1d30b79c0c0f0d43"
        id = "88372e62-3bba-58dc-825c-f35533e42825"
    strings:
        $s1 = "Services.exe" fullword ascii
        // Hard-coded User-Agent; also used by Daserf_Nov1_BronzeButler ($x3).
        $s2 = "Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; SV1)" fullword ascii
        $s3 = "l32.dll" fullword ascii
        $s4 = "tProcess:" fullword ascii
        $s5 = " InjectPr" ascii
        // Wide string containing a \x1f separator; presumably Delphi RTL message text (rule name hints Delphi).
        $s6 = "Write$Error creating variant or safe array\x1fInvalid argument to time encode" fullword wide
        // Run-key persistence fragments
        $s7 = "on\\run /v " fullword ascii
        $s8 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\run" fullword ascii
        $s9 = "ms1ng2d3d2.exe" fullword ascii
    condition:
        // "MZ" header, size cap, any three strings (no string is sufficient alone).
        ( uint16(0) == 0x5a4d and filesize < 400KB and 3 of them )
}
// Bronze Butler (Tick) Daserf, C build. Three independent paths: an import
// hash, the full $a* set, or any four strings.
// Requires `import "pe"` at the top of the ruleset because of pe.imphash().
rule BronzeButler_Daserf_C_1 {
    meta:
        description = "Detects malware / hacktool sample from Bronze Butler incident"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses"
        date = "2017-10-14"
        hash1 = "a4afd9df1b4cc014c3a89d7b4a560fa3e368b02286c42841762714b23e68cc05"
        hash2 = "90ac1fb148ded4f46949a5fea4cd8c65d4ea9585046d66459328a5866f8198b2"
        hash3 = "331ac0965b50958db49b7794cc819b2945d7b5e5e919c185d83e997e205f107b"
        hash4 = "b1fdc6dc330e78a66757b77cc67a0e9931b777cd7af9f839911eecb74c04420a"
        hash5 = "15abe7b1355cd35375de6dde57608f6d3481755fdc9e71d2bfc7c7288db4cd92"
        hash6 = "85544d2bcaf8e6ca32bbc0a9e9583c9db1dce837043f555a7ff66363d5858439"
        hash7 = "2dc24622c1e91642a21a64c0dd31cbe953e8f77bd3d6abcf2c4676c3b11bb162"
        hash8 = "2bdb88fa24cffba240b60416835189c76a9920b6c3f6e09c3c4b171c2f57031c"
        id = "62a5cc4a-7c58-5e4d-ac23-8d1f850a540a"
    strings:
        // Packer/protector copyright line (DYAMAR); not malicious on its own.
        $s1 = "(c) 2010 DYAMAR EnGineerinG, All rights reserved, http://www.dyamar.com." fullword ascii
        $s2 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; SV1)" fullword ascii
        // $a*: all three are needed for the second condition branch.
        $a1 = "ndkkwqgcm" fullword ascii
        $a2 = "RtlGetCo" fullword ascii
        $a3 = "hutils" fullword ascii
        // $b*: storage path, marker file and C2 script names.
        $b1 = "%USERPROFILE%\\System" fullword ascii
        $b2 = "msid.dat" fullword ascii
        $b3 = "DRIVE_REMOTE" fullword wide
        $b4 = "%s%s%s%s%s%s%s%s%s%s%s%s" fullword ascii
        $b5 = "jcbhe.asp" fullword ascii
        $b6 = "edset.asp" fullword ascii
        $b7 = "bxcve.asp" fullword ascii
        $b8 = "hcvery.php" fullword ascii
        $b9 = "ynhkef.php" fullword ascii
        $b10 = "dkgwey.php" fullword ascii
    condition:
        // "MZ" header and size cap apply to every branch, including the imphash one.
        uint16(0) == 0x5a4d and filesize < 300KB and (
        pe.imphash() == "088382f4887e3b2c4bd5157f2d72b618" or
        all of ($a*) or
        4 of them
        )
}
// Bronze Butler (Tick) DGet downloader: a single author banner in a tiny PE.
rule BronzeButler_DGet_1 {
    meta:
        description = "Detects malware / hacktool sample from Bronze Butler incident"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses"
        date = "2017-10-14"
        hash1 = "bd81521445639aaa5e3bcb5ece94f73feda3a91880a34a01f92639f8640251d6"
        id = "d60fcc9f-0f17-5871-9e8e-71d26e2f46bc"
    strings:
        // Only string in the rule; "1 of them" therefore means this one.
        $s2 = "DGet Tool Made by XZ" fullword ascii
    condition:
        // "MZ" header and a 10 KB cap keep this to the small tool binary itself.
        ( uint16(0) == 0x5a4d and filesize < 10KB and 1 of them )
}
// Bronze Butler (Tick) UAC-bypass helper: PDB paths and debug banners, any one
// of which is enough in a PE under 1000 KB.
rule BronzeButler_UACBypass_1 {
    meta:
        description = "Detects malware / hacktool sample from Bronze Butler incident"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses"
        date = "2017-10-14"
        hash1 = "fe06b99a0287e2b2d9f7faffbda3a4b328ecc05eab56a3e730cfc99de803b192"
        id = "01853352-58fc-56a3-8c20-08405c71e251"
    strings:
        $x1 = "\\Release\\BypassUacDll.pdb" ascii
        // Path without separators, as it appears in the sample; matched as-is.
        $x2 = "%programfiles%internet exploreriexplore.exe" fullword wide
        // Prefix of a COM elevation moniker ("Elevation:Administrator!new:{CLSID}").
        $x3 = "Elevation:Administrator!new:{3ad055" fullword wide
        $x4 = "BypassUac.pdb" fullword ascii
        $x5 = "[bypassUAC] started X64" fullword wide
        $x6 = "[bypassUAC] started X86" fullword wide
    condition:
        ( uint16(0) == 0x5a4d and filesize < 1000KB and 1 of them )
}
// Bronze Butler (Tick) xxmm backdoor: a single $x* artefact (PDB path, project
// path or loopback tunnel URL) or any four strings, in a PE under 700 KB.
rule BronzeButler_xxmm_1 {
    meta:
        description = "Detects malware / hacktool sample from Bronze Butler incident"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses"
        date = "2017-10-14"
        hash1 = "7197de18bc5a4c854334ff979f3e4dafa16f43d7bf91edfe46f03e6cc88f7b73"
        id = "0e413e3a-fb61-58bc-9ecb-4ef76e83a7f3"
    strings:
        // $x2/$x4 are intentionally absent; numbering gaps do not affect "1 of ($x*)".
        $x1 = "\\Release\\ReflectivLoader.pdb" ascii
        $x3 = "\\Projects\\xxmm2\\Release\\" ascii
        $x5 = "http://127.0.0.1/phptunnel.php" fullword ascii
        $s1 = "xxmm2.exe" fullword ascii
        $s2 = "\\AvUpdate.exe" wide
        // Command identifiers; the "stdapi_" prefix resembles Meterpreter naming (not verified here).
        $s3 = "stdapi_fs_file_download" fullword ascii
        $s4 = "stdapi_syncshell_open" fullword ascii
        $s5 = "stdapi_execute_sleep" fullword ascii
        $s6 = "stdapi_syncshell_kill" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 700KB and (
        1 of ($x*) or
        4 of them
        )
}
// Bronze Butler (Tick) RarStar uploader: any two of a plus-encoded UA, a
// Japanese Google URL, a GUID-like marker and a "*.rar" glob, in a PE under 200 KB.
rule BronzeButler_RarStar_1 {
    meta:
        description = "Detects malware / hacktool sample from Bronze Butler incident"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses"
        date = "2017-10-14"
        hash1 = "0fc1b4fdf0dc5373f98de8817da9380479606f775f5aa0b9b0e1a78d4b49e5f4"
        id = "770270b3-6743-5efb-84d8-b63f1df800d9"
    strings:
        // UA with spaces replaced by '+' (URL-encoded form), UTF-16.
        $s1 = "Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.0;+SV1)" fullword wide
        $s2 = "http://www.google.co.jp" fullword wide
        $s3 = "16D73E22-873D-D58E-4F42-E6055BC9825E" fullword ascii
        $s4 = "\\*.rar" ascii
    condition:
        ( uint16(0) == 0x5a4d and filesize < 200KB and 2 of them )
}
// Bronze Butler (Tick) Daserf, November 2017 variant: one $x* artefact (temp
// file name or a known hard-coded UA) or any five strings, in a PE under 700 KB.
rule Daserf_Nov1_BronzeButler {
    meta:
        description = "Detects Daserf malware used by Bronze Butler"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://goo.gl/ffeCfd"
        date = "2017-11-08"
        hash1 = "5ede6f93f26ccd6de2f93c9bd0f834279df5f5cfe3457915fae24a3aec46961b"
        id = "58c4d3dc-c516-567b-8746-4e185c3cd328"
    strings:
        $x1 = "mstmp1845234.exe" fullword ascii
        /* Bronze Butler UA strings; $x3 is also $s2 in BronzeButler_Daserf_Delphi_1 */
        $x2 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; SV1)" fullword ascii
        $x3 = "Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; SV1)" fullword ascii
        $s1 = "Content-Type: */*" fullword ascii
        $s2 = "ProxyEnable" ascii fullword
        $s3 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer" ascii fullword
        $s4 = "iexplore.exe" ascii fullword
        /* Truncated registry-path and path fragments; look random but recur across samples
           (likely how the strings are split in the binary - not verified here) */
        $s5 = "\\SOFTWARE\\Microsoft\\Windows\\Cu" ascii
        $s6 = "rrentVersion\\Internet Settings" fullword ascii
        $s7 = "ws\\CurrentVersion\\Inter" fullword ascii
        $s8 = "Documents an" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 700KB and ( 1 of ($x*) or 5 of them )
}
// Cylance Operation Cleaver rule for the zhCat network tool: both strings
// required; no file-type or size guard, so it also fires on memory dumps
// and non-PE carriers.
rule OPCLEAVER_zhCat
{
    meta:
        description = "Network tool used by Iranian hackers and used by attackers in Operation Cleaver"
        reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
        date = "2014/12/02"
        author = "Cylance Inc."
        score = 70
        id = "e1f1bc48-b895-5e23-8ffd-b6ea9c8eb26f"
    strings:
        // Unusual spacing inside the parentheses is part of the artefact.
        $s1 = "Mozilla/4.0 ( compatible; MSIE 7.0; AOL 8.0 )" ascii fullword
        $s2 = "ABC ( A Big Company )" wide fullword
    condition:
        all of them
}
// ALFA PHP web shell: two of the source-level markers in a file under 900 KB,
// or a fixed 22-byte tail at the very end of the file regardless of size.
rule ALFA_SHELL {
    meta:
        description = "Detects web shell often used by Iranian APT groups"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Internal Research - APT33"
        date = "2017-09-21"
        hash1 = "a39d8823d54c55e60a7395772e50d116408804c1a5368391a1e5871dbdc83547"
        id = "f0be44ec-bff0-5d01-aabd-df7aa05383e3"
    strings:
        // Obfuscated PHP: URL-encoded alphabet, string-concatenated function names.
        $x1 = "$OOO000000=urldecode('%66%67%36%73%62%65%68%70%72%61%34%63%6f%5f%74%6e%64')" ascii
        $x2 = "#solevisible@gmail.com" fullword ascii
        $x3 = "'login_page' => '500',//gui or 500 or 403 or 404" fullword ascii
        $x4 = "$GLOBALS['__ALFA__']" fullword ascii
        $x5 = "if(!function_exists('b'.'as'.'e6'.'4_'.'en'.'co'.'de')" ascii
        // 22 bytes: "v/8v/6v/+v//f8F');?>\r\n" - the closing tail of the encoded payload.
        $f1 = { 76 2F 38 76 2F 36 76 2F 2B 76 2F 2F 66 38 46 27 29 3B 3F 3E 0D 0A }
    condition:
        // "and" binds tighter than "or": the size cap applies only to the $x* branch;
        // $f1 anchored at filesize-22 (its own length) matches on its own.
        ( filesize < 900KB and 2 of ($x*) or $f1 at (filesize-22) )
}
// DruidFly wiper: target-extension table, raw-disk device strings and a
// progress-log format in a PE under 2000 KB; a looser "3 of them" fallback
// applies to any file. This rule has no "id" meta field, unlike the others
// on this page; add one if the ruleset relies on ids.
rule APT_MAL_IR_DruidFly_Wiper_Jun25 {
    meta:
        description = "Detects Wiper used by the Iranian DruidFly group"
        author = "Florian Roth"
        reference = "https://x.com/threatintel/status/1936049254432231444"
        date = "2025-06-21"
        score = 80
        hash1 = "81eb22828306f3197b35fef2035cef2c548f587f8511902852964850023389d7"
    strings:
        // NUL-padded extension table: ".backup\0.config\0" then ".db\0\0\0\0\0.sqlite\0"
        $xc1 = { 2E 62 61 63 6B 75 70 00 2E 63 6F 6E 66 69 67 00 // .backup .config
        2E 64 62 00 00 00 00 00 2E 73 71 6C 69 74 65 00 } // .db (NUL padded) .sqlite
        // "\0\\\\.\\%c:\0%c:\\\0\0\0\0NTFS\0\0\0\0\\" - raw volume device path and filesystem name
        $xc2 = { 00 5C 5C 2E 5C 25 63 3A 00 25 63 3A 5C 00 00 00
        00 4E 54 46 53 00 00 00 00 5C } // \\.\%c: %c:\0\0\0 NTFS\0\0\0\
        // Log format "file:line:func(): [+] Overwriting ..."
        $x1 = "%s:%d:%s(): [+] Overwriting \"%s\" \"..." ascii
        $s1 = "C:\\Windows\\System32\\drivers\\beep.sys" ascii fullword
        $s2 = "\\DosDevices\\sectorio" wide fullword
    condition:
        // Precedence: (MZ and size and (1 of $x* or 2 of them)) or 3 of them.
        // The trailing "or 3 of them" has no header/size guard by design.
        uint16(0) == 0x5a4d
        and filesize < 2000KB
        and (
        1 of ($x*)
        or 2 of them
        )
        or 3 of them
}
// WhisperGate stage 3 as stored on disk: a byte-reversed PE. Every marker is
// therefore reversed, and the "MZ" check is done on the last two bytes.
rule APT_HKTL_Wiper_WhisperGate_Stage3_Jan22 {
    meta:
        description = "Detects reversed stage3 related to Ukrainian wiper malware"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://twitter.com/juanandres_gs/status/1482827018404257792"
        date = "2022-01-16"
        hash1 = "9ef7dbd3da51332a78eff19146d21c82957821e464e8133e9594a07d716d892d"
        id = "d5d562cd-03ef-5450-8044-3f538cea32d0"
    strings:
        // "e1cp\01yrarbiLssalC\0niaM" = "Main\0ClassLibrary1\0pc1e" reversed
        // (the forward form is $xc2 in MAL_OBFUSC_Unknown_Jan22_1).
        $xc1 = { 65 31 63 70 00 31 79 72 61 72 62 69 4c 73 73 61 6c 43 00 6e 69 61 4d }
        // ".dll" reversed, UTF-16
        $s1 = "lld." wide
    condition:
        // Last two bytes are 5A 4D ("ZM"): the reversed PE header magic.
        uint16(filesize-2) == 0x4d5a and
        filesize < 5000KB and all of them
}
// Forward (non-reversed) form of the WhisperGate stage-3 artefacts plus three
// opaque byte sequences; one $x* marker or any three strings in a PE under 1000 KB.
rule MAL_OBFUSC_Unknown_Jan22_1 {
    meta:
        description = "Detects samples similar to reversed stage3 found in Ukrainian wiper incident named WhisperGate"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://twitter.com/juanandres_gs/status/1482827018404257792"
        date = "2022-01-16"
        hash1 = "9ef7dbd3da51332a78eff19146d21c82957821e464e8133e9594a07d716d892d"
        id = "647c0092-b03d-5627-8568-ddaa982c73a1"
    strings:
        // UTF-16LE "7c8cb5598e724d34384cce7402b11f0e" (32 hex chars; a GUID/hash-like
        // identifier, meaning not established here). Last code unit lacks its 00.
        $xc1 = { 37 00 63 00 38 00 63 00 62 00 35 00 35 00 39 00
        38 00 65 00 37 00 32 00 34 00 64 00 33 00 34 00
        33 00 38 00 34 00 63 00 63 00 65 00 37 00 34 00
        30 00 32 00 62 00 31 00 31 00 66 00 30 00 65 }
        // "Main\0ClassLibrary1\0pc1e" - reversed in APT_HKTL_Wiper_WhisperGate_Stage3_Jan22.
        $xc2 = { 4D 61 69 6E 00 43 6C 61 73 73 4C 69 62 72 61 72
        79 31 00 70 63 31 65 }
        // Very common on its own; only counts toward the "3 of them" branch.
        $s1 = ".dll" wide
        $s2 = "%&%,%s%" ascii fullword
        $op1 = { a2 87 fa b1 44 a5 f5 12 da a7 49 11 5c 8c 26 d4 75 }
        $op2 = { d7 af 52 38 c7 47 95 c8 0e 88 f3 d5 0b }
        $op3 = { 6c 05 df d6 b8 ac 11 f2 67 16 cb b7 34 4d b6 91 }
    condition:
        // "1 of ($x*)" covers $xc1 and $xc2.
        uint16(0) == 0x5a4d and
        filesize < 1000KB and ( 1 of ($x*) or 3 of them )
}
// Big Bang campaign dropper: obfuscated WScript.Shell snippets (noise
// characters '%' and '@' inserted) and base64 status strings; any single
// string or a known import hash, in a PE under 3000 KB.
// Requires `import "pe"` at the top of the ruleset because of pe.imphash().
rule APT_ME_BigBang_Gen_Jul18_1 {
    meta:
        description = "Detects malware from Big Bang campaign against Palestinian authorities"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://research.checkpoint.com/apt-attack-middle-east-big-bang/"
        date = "2018-07-09"
        hash1 = "4db68522600f2d8aabd255e2da999a9d9c9f1f18491cfce9dadf2296269a172b"
        hash2 = "ac6462e9e26362f711783b9874d46fefce198c4c3ca947a5d4df7842a6c51224"
        hash3 = "e1f52ea30d25289f7a4a5c9d15be97c8a4dfe10eb68ac9d031edcc7275c23dbc"
        id = "f1097998-9414-511c-b177-ff09154964a8"
    strings:
        // "WScript.Shell" with '%'/'@' noise ($x1 is intentionally absent)
        $x2 = "%@W@%S@c@ri%@p@%t.S@%he@%l%@l" ascii
        // "Shell." with noise
        $x3 = "S%@h%@e%l%@l." ascii
        // ("Startup") with noise - startup-folder persistence
        $x4 = "(\"S@%t@%a%@rt%@up\")" ascii
        $x5 = "aW5zdGFsbCBwcm9nOiBwcm9nIHdpbGwgZGVsZXRlIG9sZCB0bXAgZmlsZQ==" fullword ascii /* base64 encoded string 'install prog: prog will delete old tmp file' */
        $x6 = "aW5zdGFsbCBwcm9nOiBUaGVyZSBpcyBubyBvbGQgZmlsZSBpbiB0ZW1wLg==" fullword ascii /* base64 encoded string 'install prog: There is no old file in temp.' */
        $x7 = "VXBkYXRlIHByb2c6IFRoZXJlIGlzIG5vIG9sZCBmaWxlIGluIHRlbXAu" fullword ascii /* base64 encoded string 'Update prog: There is no old file in temp.' */
        $x8 = "aW5zdGFsbCBwcm9nOiBDcmVhdGUgVGFzayBhZnRlciA1IG1pbiB0byBydW4gRmlsZSBmcm9tIHRtcA==" fullword ascii /* base64 encoded string 'install prog: Create Task after 5 min to run File from tmp' */
        $x9 = "UnVuIEZpbGU6IE15IHByb2cgaXMgRXhpdC4=" fullword ascii /* base64 encoded string 'Run File: My prog is Exit.' */
        // "link.WindowStyle = 3" with noise (hidden-window shortcut)
        $x10 = "li%@%@nk.W%@%@indo@%%@%@%wS%@%@tyle = 3" fullword ascii
    condition:
        // "MZ" header and size cap apply to both branches, including the imphash one.
        uint16(0) == 0x5a4d and filesize < 3000KB and (
        1 of them or
        pe.imphash() == "0f09ea2a68d04f331df9a5d0f8641332"
        )
}