YARA rules for Turla
YARA rules whose family, name, or description matches this actor or its tooling. Use these for binary-pattern hunts.
// Empire_Out_Minidump: flags the Empire PowerShell component Out-Minidump.ps1
// by two verbatim script lines. The rule is Empire-specific, not Turla-specific;
// it presumably appears in this Turla listing through the site's
// name/description matching rather than because the strings are Turla code.
rule Empire_Out_Minidump {
    meta:
        description = "Detects Empire component - file Out-Minidump.ps1"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        hash1 = "7803ae7ba5d4e7d38e73745b3f321c2ca714f3141699d984322fa92e0ff037a1"
        id = "8c53d2ab-afc5-5d7b-97e1-496425b9664f"
    strings:
        // Literal lines from the script; fullword stops a match inside a longer
        // alphanumeric run.
        $s1 = "$Result = $MiniDumpWriteDump.Invoke($null, @($ProcessHandle," fullword ascii
        $s2 = "$ProcessFileName = \"$($ProcessName)_$($ProcessId).dmp\"" fullword ascii
    condition:
        // 0x7566 is "fu" read little-endian at offset 0 (file starts with
        // "function"). Small script plus either string, or both strings in a
        // file of any type or size.
        ( uint16(0) == 0x7566 and filesize < 10KB and 1 of them ) or all of them
}
// Empire_Invoke_PostExfil: Empire framework component (Invoke-PostExfil.ps1),
// matched on a script comment and a parameter help string. Not Turla-specific.
rule Empire_Invoke_PostExfil {
    meta:
        description = "Detects Empire component - file Invoke-PostExfil.ps1"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        hash1 = "00c0479f83c3dbbeff42f4ab9b71ca5fe8cd5061cb37b7b6861c73c54fd96d3e"
        id = "58d9e057-efde-56ab-9b7e-982342a910e2"
    strings:
        $s1 = "# upload to a specified exfil URI" fullword ascii   // script comment line
        $s2 = "Server path to exfil to." fullword ascii             // parameter help text
    condition:
        // 0x490a: byte 0x0a then 'I' at offset 0 (file opens with a newline
        // followed by "I..."). Tiny file plus one string, or both strings anywhere.
        ( uint16(0) == 0x490a and filesize < 2KB and 1 of them ) or all of them
}
// Empire_Invoke_SMBAutoBrute: Empire framework component (Invoke-SMBAutoBrute.ps1).
// Not Turla-specific.
rule Empire_Invoke_SMBAutoBrute {
    meta:
        description = "Detects Empire component - file Invoke-SMBAutoBrute.ps1"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        hash1 = "7950f8abdd8ee09ed168137ef5380047d9d767a7172316070acc33b662f812b2"
        id = "a6b402ac-0925-5bc6-9d6a-b2b811496f9e"
    strings:
        // $s1 is an example output line with a lab hostname embedded in the
        // script (not an IoC for any real environment); $s2 is a script line.
        $s1 = "[*] PDC: LAB-2008-DC1.lab.com" fullword ascii
        $s2 = "$attempts = Get-UserBadPwdCount $userid $dcs" fullword ascii
    condition:
        // 0x7566 = "fu" at offset 0 ("function"). Script under 30KB with one
        // string, or both strings in any file.
        ( uint16(0) == 0x7566 and filesize < 30KB and 1 of them ) or all of them
}
// Empire_Get_Keystrokes: Empire framework component (Get-Keystrokes.ps1).
// Not Turla-specific. With a single string, "1 of them" and "all of them"
// are the same test, so the rule is effectively: that line, plus the
// header/size gate or not.
rule Empire_Get_Keystrokes {
    meta:
        description = "Detects Empire component - file Get-Keystrokes.ps1"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        hash1 = "c36e71db39f6852f78df1fa3f67e8c8a188bf951e96500911e9907ee895bf8ad"
        id = "7fb57a0d-6b65-5ee8-96ef-9af303f15007"
    strings:
        // Verbatim GetAsyncKeyState line from the script.
        $s1 = "$RightMouse = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::RButton) -band 0x8000) -eq 0x8000" fullword ascii
    condition:
        // 0x7566 = "fu" at offset 0 ("function").
        ( uint16(0) == 0x7566 and filesize < 30KB and 1 of them ) or all of them
}
// Empire_Invoke_DllInjection: Empire framework component (Invoke-DllInjection.ps1).
// Not Turla-specific. The only string is a short example argument, so a hit
// on "all of them" alone (no header/size gate) is a weak indicator; treat it
// as a lead rather than a verdict.
rule Empire_Invoke_DllInjection {
    meta:
        description = "Detects Empire component - file Invoke-DllInjection.ps1"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        hash1 = "304031aa9eca5a83bdf1f654285d86df79cb3bba4aa8fe1eb680bd5b2878ebf0"
        id = "6aa14e8f-9801-5cd3-beb0-955e19d25503"
    strings:
        $s1 = "-Dll evil.dll" fullword ascii   // example argument text from the script
    condition:
        // 0x7566 = "fu" at offset 0 ("function").
        ( uint16(0) == 0x7566 and filesize < 40KB and 1 of them ) or all of them
}
// Empire_KeePassConfig: Empire framework component (KeePassConfig.ps1),
// matched on one verbatim line. Not Turla-specific.
rule Empire_KeePassConfig {
    meta:
        description = "Detects Empire component - file KeePassConfig.ps1"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        hash1 = "5a76e642357792bb4270114d7cd76ce45ba24b0d741f5c6b916aeebd45cff2b3"
        id = "814a6ff9-a6ac-55e7-bb3f-597351ce421d"
    strings:
        $s1 = "$UserMasterKeyFiles = @(, $(Get-ChildItem -Path $UserMasterKeyFolder -Force | Select-Object -ExpandProperty FullName) )" fullword ascii
    condition:
        // 0x7223 = "#r" at offset 0 (presumably a "#requires" line). One string
        // only, so both halves of the "or" test the same line.
        ( uint16(0) == 0x7223 and filesize < 80KB and 1 of them ) or all of them
}
// Empire_Invoke_SSHCommand: Empire framework component (Invoke-SSHCommand.ps1).
// Not Turla-specific.
rule Empire_Invoke_SSHCommand {
    meta:
        description = "Detects Empire component - file Invoke-SSHCommand.ps1"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        hash1 = "cbaf086b14d5bb6a756cbda42943d4d7ef97f8277164ce1f7dd0a1843e9aa242"
        id = "b06b507f-b6b8-5f4b-8d6d-920f141e9ac1"
    strings:
        // $s1: "TVqQAAMAAAAEAAAA..." is the base64 form of a DOS/MZ header, i.e.
        // the script carries an embedded PE. Not fullword because the blob
        // continues past the prefix.
        $s1 = "$Base64 = 'TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAA" ascii
        // $s2: usage example with a private IP and a placeholder password;
        // sample values from the script, not an IoC.
        $s2 = "Invoke-SSHCommand -ip 192.168.1.100 -Username root -Password test -Command \"id\"" fullword ascii
        $s3 = "Write-Verbose \"[*] Error loading dll\"" fullword ascii
    condition:
        // 0x660a: byte 0x0a then 'f' at offset 0 (newline, then "f...").
        ( uint16(0) == 0x660a and filesize < 2000KB and 1 of them ) or all of them
}
// Empire_PowerShell_Framework_Gen1: generic Empire framework rule built from
// strings shared by five samples (super_rule = 1, presumably the yarGen
// convention for a multi-sample rule). Not Turla-specific.
rule Empire_PowerShell_Framework_Gen1 {
    meta:
        description = "Detects Empire component"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        super_rule = 1
        hash1 = "1be3e3ec0e364db0c00fad2c59c7041e23af4dd59c4cc7dc9dcf46ca507cd6c8"
        hash2 = "a3428a7d4f9e677623fadff61b2a37d93461123535755ab0f296aa3b0396eb28"
        hash3 = "4725a57a5f8b717ce316f104e9472e003964f8eae41a67fd8c16b4228e3d00b3"
        hash4 = "61e5ca9c1e8759a78e2c2764169b425b673b500facaca43a26c69ff7e09f62c4"
        hash5 = "eaff29dd0da4ac258d85ecf8b042d73edb01b4db48c68bded2a8b8418dc688b5"
        id = "8fdb48a0-5d40-55be-ae23-e9c8c4c2ecea"
    strings:
        // $s1 is not fullword: the call continues with further arguments.
        $s1 = "Write-BytesToMemory -Bytes $Shellcode" ascii
        $s2 = "$GetCommandLineAAddrTemp = Add-SignedIntAsUnsigned $GetCommandLineAAddrTemp ($Shellcode1.Length)" fullword ascii
    condition:
        // 0x7566 = "fu" at offset 0 ("function"); generous 4000KB bound because
        // these scripts can embed large payload blobs.
        ( uint16(0) == 0x7566 and filesize < 4000KB and 1 of them ) or all of them
}
// Empire_PowerUp_Gen: Empire framework component (PowerUp.ps1), matched on two
// sc.exe invocation lines. Not Turla-specific. The description lists the same
// filename twice and only hash1 is present despite super_rule = 1 — generator
// artifacts, harmless to detection.
rule Empire_PowerUp_Gen {
    meta:
        description = "Detects Empire component - from files PowerUp.ps1, PowerUp.ps1"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        super_rule = 1
        hash1 = "ad9a5dff257828ba5f15331d59dd4def3989537b3b6375495d0c08394460268c"
        id = "ae6b0462-7193-54a4-8fb9-befc1b461b15"
    strings:
        $s1 = "$Result = sc.exe config $($TargetService.Name) binPath= $OriginalPath" fullword ascii
        $s2 = "$Result = sc.exe pause $($TargetService.Name)" fullword ascii
    condition:
        // 0x233c = "<#" at offset 0, the PowerShell block-comment opener.
        ( uint16(0) == 0x233c and filesize < 2000KB and 1 of them ) or all of them
}
// Empire_PowerShell_Framework_Gen2: generic Empire framework rule. Not
// Turla-specific. The hash numbering has gaps (1,3,5,6,8) and the set is the
// same five hashes as Empire_PowerShell_Framework_Gen1; the $x1/$s20 naming
// is cosmetic because the condition uses "them".
rule Empire_PowerShell_Framework_Gen2 {
    meta:
        description = "Detects Empire component"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        super_rule = 1
        hash1 = "1be3e3ec0e364db0c00fad2c59c7041e23af4dd59c4cc7dc9dcf46ca507cd6c8"
        hash3 = "a3428a7d4f9e677623fadff61b2a37d93461123535755ab0f296aa3b0396eb28"
        hash5 = "4725a57a5f8b717ce316f104e9472e003964f8eae41a67fd8c16b4228e3d00b3"
        hash6 = "61e5ca9c1e8759a78e2c2764169b425b673b500facaca43a26c69ff7e09f62c4"
        hash8 = "eaff29dd0da4ac258d85ecf8b042d73edb01b4db48c68bded2a8b8418dc688b5"
        id = "eab277ca-0dd4-5035-82aa-1ac2120bac94"
    strings:
        $x1 = "$DllMain = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($DllMainPtr, $DllMainDelegate)" fullword ascii
        $s20 = "#Shellcode: CallDllMain.asm" fullword ascii   // script comment line
    condition:
        // 0x7566 = "fu" at offset 0 ("function").
        ( uint16(0) == 0x7566 and filesize < 4000KB and 1 of them ) or all of them
}
// Empire_Agent_Gen: Empire agent script (agent.ps1), matched on the User-Agent
// header line and the delay/jitter computation. Not Turla-specific.
// NOTE(review): hash1 and hash2 are the same SHA-256 — a duplicated meta
// entry, harmless to matching but worth de-duplicating upstream.
rule Empire_Agent_Gen {
    meta:
        description = "Detects Empire component - from files agent.ps1, agent.ps1"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        super_rule = 1
        hash1 = "380fd09bfbe47d5c8c870c1c97ff6f44982b699b55b61e7c803d3423eb4768db"
        hash2 = "380fd09bfbe47d5c8c870c1c97ff6f44982b699b55b61e7c803d3423eb4768db"   // duplicate of hash1
        id = "0fac915c-2502-50da-93d1-f81e9282aa9a"
    strings:
        $s1 = "$wc.Headers.Add(\"User-Agent\",$script:UserAgent)" fullword ascii
        $s2 = "$min = [int]((1-$script:AgentJitter)*$script:AgentDelay)" fullword ascii
        $s3 = "if ($script:AgentDelay -ne 0){" fullword ascii
    condition:
        // 0x660a: byte 0x0a then 'f' at offset 0.
        ( uint16(0) == 0x660a and filesize < 100KB and 1 of them ) or all of them
}
// Empire_PowerShell_Framework_Gen3: generic Empire framework rule built from
// four samples. Not Turla-specific.
rule Empire_PowerShell_Framework_Gen3 {
    meta:
        description = "Detects Empire component"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        super_rule = 1
        hash1 = "1be3e3ec0e364db0c00fad2c59c7041e23af4dd59c4cc7dc9dcf46ca507cd6c8"
        hash2 = "4725a57a5f8b717ce316f104e9472e003964f8eae41a67fd8c16b4228e3d00b3"
        hash3 = "61e5ca9c1e8759a78e2c2764169b425b673b500facaca43a26c69ff7e09f62c4"
        hash4 = "eaff29dd0da4ac258d85ecf8b042d73edb01b4db48c68bded2a8b8418dc688b5"
        id = "b0f7ed41-be65-5e43-aeb1-56e5e7384e8f"
    strings:
        $s1 = "if (($PEInfo.FileType -ieq \"DLL\") -and ($RemoteProcHandle -eq [IntPtr]::Zero))" fullword ascii
        // $s2 is a short, generic phrase and not fullword; on its own it can
        // match documentation or unrelated tooling.
        $s2 = "remote DLL injection" ascii
    condition:
        // 0x7566 = "fu" at offset 0 ("function").
        ( uint16(0) == 0x7566 and filesize < 4000KB and 1 of them ) or all of them
}
// Empire_Invoke_InveighRelay_Gen: Empire framework component
// (Invoke-InveighRelay.ps1). Not Turla-specific. Only hash2 is present (no
// hash1) — a generator artifact.
rule Empire_Invoke_InveighRelay_Gen {
    meta:
        description = "Detects Empire component - from files Invoke-InveighRelay.ps1, Invoke-InveighRelay.ps1"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        super_rule = 1
        hash2 = "21b90762150f804485219ad36fa509aeda210d46453307a9761c816040312f41"
        id = "0adebf6f-99e1-5461-8efc-e4660faf6d5d"
    strings:
        $s1 = "$inveigh.SMBRelay_failed_list.Add(\"$HTTP_NTLM_domain_string\\$HTTP_NTLM_user_string $SMBRelayTarget\")" fullword ascii
        $s2 = "$NTLM_challenge_base64 = [System.Convert]::ToBase64String($HTTP_NTLM_bytes)" fullword ascii
    condition:
        // 0x7566 = "fu" at offset 0 ("function").
        ( uint16(0) == 0x7566 and filesize < 200KB and 1 of them ) or all of them
}
// Empire_KeePassConfig_Gen: second rule for KeePassConfig.ps1, keyed on one
// line. hash2 here is the same sample as Empire_KeePassConfig's hash1, and the
// header/size gate is identical, so the two rules overlap; expect both to fire
// on the same file. Not Turla-specific.
rule Empire_KeePassConfig_Gen {
    meta:
        description = "Detects Empire component - from files KeePassConfig.ps1, KeePassConfig.ps1"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        super_rule = 1
        hash2 = "5a76e642357792bb4270114d7cd76ce45ba24b0d741f5c6b916aeebd45cff2b3"
        id = "e2bc88c5-50f8-5ddc-a449-41929b1d0528"
    strings:
        $s1 = "$KeePassXML = [xml](Get-Content -Path $KeePassXMLPath)" fullword ascii
    condition:
        // 0x7223 = "#r" at offset 0 (presumably "#requires").
        ( uint16(0) == 0x7223 and filesize < 80KB and 1 of them ) or all of them
}
// Empire_Invoke_Portscan_Gen: Empire framework component (Invoke-Portscan.ps1).
// Not Turla-specific. Only hash2 present — generator artifact.
rule Empire_Invoke_Portscan_Gen {
    meta:
        description = "Detects Empire component - from files Invoke-Portscan.ps1, Invoke-Portscan.ps1"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        super_rule = 1
        hash2 = "cf7030be01fab47e79e4afc9e0d4857479b06a5f68654717f3bc1bc67a0f38d3"
        id = "c2e01780-02d2-57d1-b38e-5c345ebccad6"
    strings:
        $s1 = "Test-Port -h $h -p $Port -timeout $Timeout" fullword ascii
        $s2 = "1 {$nHosts=10; $Threads = 32; $Timeout = 5000 }" fullword ascii   // a switch-case line
    condition:
        // 0x7566 = "fu" at offset 0 ("function").
        ( uint16(0) == 0x7566 and filesize < 100KB and 1 of them ) or all of them
}
// Empire_PowerShell_Framework_Gen4: generic Empire framework rule built from
// ten samples. Not Turla-specific.
// NOTE(review): hash2 and hash3 are the same SHA-256 (duplicate meta entry).
// NOTE(review): $s1, $s3 and $s4 look like the reflection helper code that
// PowerSploit-derived scripts share, so a hit is not Empire-exclusive — confirm
// against the PowerSploit sources before attributing.
rule Empire_PowerShell_Framework_Gen4 {
    meta:
        description = "Detects Empire component"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        super_rule = 1
        hash1 = "743c51334f17751cfd881be84b56f648edbdaf31f8186de88d094892edc644a9"
        hash2 = "1be3e3ec0e364db0c00fad2c59c7041e23af4dd59c4cc7dc9dcf46ca507cd6c8"
        hash3 = "1be3e3ec0e364db0c00fad2c59c7041e23af4dd59c4cc7dc9dcf46ca507cd6c8"   // duplicate of hash2
        hash4 = "a3428a7d4f9e677623fadff61b2a37d93461123535755ab0f296aa3b0396eb28"
        hash5 = "304031aa9eca5a83bdf1f654285d86df79cb3bba4aa8fe1eb680bd5b2878ebf0"
        hash6 = "4725a57a5f8b717ce316f104e9472e003964f8eae41a67fd8c16b4228e3d00b3"
        hash7 = "0218be4323959fc6379489a6a5e030bb9f1de672326e5e5b8844ab5cedfdcf88"
        hash8 = "61e5ca9c1e8759a78e2c2764169b425b673b500facaca43a26c69ff7e09f62c4"
        hash9 = "eaff29dd0da4ac258d85ecf8b042d73edb01b4db48c68bded2a8b8418dc688b5"
        hash10 = "fa75cfd57269fbe3ad6bdc545ee57eb19335b0048629c93f1dc1fe1059f60438"
        id = "c390638a-0eb1-576d-a08c-203c31d414f3"
    strings:
        // Note the doubled escaping in $s1: the YARA literal '\\\\' is the
        // two-character PowerShell string '\\'.
        $s1 = "Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\\\')[-1].Equals('System.dll') }" fullword ascii
        $s2 = "# Get a handle to the module specified" fullword ascii   // script comment line
        $s3 = "$Kern32Handle = $GetModuleHandle.Invoke($null, @($Module))" fullword ascii
        $s4 = "$DynAssembly = New-Object System.Reflection.AssemblyName('ReflectedDelegate')" fullword ascii
    condition:
        // 0x7566 = "fu" at offset 0 ("function").
        ( uint16(0) == 0x7566 and filesize < 4000KB and 1 of them ) or all of them
}
// Empire_Invoke_Gen: strings common to Invoke-DCSync.ps1, Invoke-PSInject.ps1
// and Invoke-ReflectivePEInjection.ps1 in Empire. Not Turla-specific.
rule Empire_Invoke_Gen {
    meta:
        description = "Detects Empire component - from files Invoke-DCSync.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        super_rule = 1
        hash1 = "a3428a7d4f9e677623fadff61b2a37d93461123535755ab0f296aa3b0396eb28"
        hash2 = "61e5ca9c1e8759a78e2c2764169b425b673b500facaca43a26c69ff7e09f62c4"
        hash3 = "eaff29dd0da4ac258d85ecf8b042d73edb01b4db48c68bded2a8b8418dc688b5"
        id = "913f971d-e4e3-55e9-904b-82b25a4e6f0f"
    strings:
        $s1 = "$Shellcode1 += 0x48" fullword ascii
        $s2 = "$PEHandle = [IntPtr]::Zero" fullword ascii
    condition:
        // 0x7566 = "fu" at offset 0 ("function").
        ( uint16(0) == 0x7566 and filesize < 3000KB and 1 of them ) or all of them
}
// Empire_PowerShell_Framework_Gen5: generic Empire framework rule (three
// samples), keyed on the ReflectiveExe argument handling. Not Turla-specific.
rule Empire_PowerShell_Framework_Gen5 {
    meta:
        description = "Detects Empire component"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        super_rule = 1
        hash1 = "1be3e3ec0e364db0c00fad2c59c7041e23af4dd59c4cc7dc9dcf46ca507cd6c8"
        hash2 = "61e5ca9c1e8759a78e2c2764169b425b673b500facaca43a26c69ff7e09f62c4"
        hash3 = "eaff29dd0da4ac258d85ecf8b042d73edb01b4db48c68bded2a8b8418dc688b5"
        id = "4c23592e-5788-5b84-995a-028142cbc52f"
    strings:
        $s1 = "if ($ExeArgs -ne $null -and $ExeArgs -ne '')" fullword ascii
        $s2 = "$ExeArgs = \"ReflectiveExe $ExeArgs\"" fullword ascii
    condition:
        // 0x7566 = "fu" at offset 0 ("function").
        ( uint16(0) == 0x7566 and filesize < 1000KB and 1 of them ) or all of them
}
// MAL_RANSOM_Stealbit_Aug21: per its own description this detects Stealbit,
// the LockBit 2.0 exfiltration tool — not Turla. It appears in this Turla
// listing anyway; verify relevance before bundling it into an actor-scoped hunt.
rule MAL_RANSOM_Stealbit_Aug21 {
    meta:
        description = "Detects Stealbit used by Lockbit 2.0 Ransomware Gang"
        author = "Frank Boldewin (@r3c0nst)"
        reference = "https://raw.githubusercontent.com/fboldewin/YARA-rules/master/Lockbit2.Stealbit.yar"
        date = "2021-08-12"
        hash1 = "3407f26b3d69f1dfce76782fee1256274cf92f744c65aa1ff2d3eaaaf61b0b1d"
        hash2 = "bd14872dd9fdead89fc074fdc5832caea4ceac02983ec41f814278130b3f943e"
        id = "07b466cb-92b3-51f2-a702-2930bb7038c6"
    strings:
        // Code pattern; the two ?? ?? ?? ?? runs wildcard four-byte operands
        // that differ per build, so the pattern is not pinned to one sample.
        $C2Decryption = {33 C9 8B C1 83 E0 0F 8A 80 ?? ?? ?? ?? 30 81 ?? ?? ?? ?? 41 83 F9 7C 72 E9 E8}
    condition:
        // 0x5A4D = "MZ" at offset 0 (DOS/PE header); small binary only.
        uint16(0) == 0x5A4D and filesize < 100KB and $C2Decryption
}
// Turla_APT_srsvc: small Turla service DLL from the RUAG case. $x1 is the
// high-confidence string; the $s* set (two wide, two ascii) only counts as a
// whole. Outside the PE/size gate, all five strings must be present.
rule Turla_APT_srsvc {
    meta:
        description = "Detects Turla malware (based on sample used in the RUAG APT case)"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        family = "Turla"
        reference = "https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case"
        date = "2016-06-09"
        hash1 = "65996f266166dbb479a42a15a236e6564f0b322d5d68ee546244d7740a21b8f7"
        hash2 = "25c7ff1eb16984a741948f2ec675ab122869b6edea3691b01d69842a53aa3bac"
        id = "951ee9f8-1ab0-5fd5-be9b-053ec82f6ea2"
    strings:
        $x1 = "SVCHostServiceDll.dll" fullword ascii
        $s2 = "msimghlp.dll" fullword wide
        $s3 = "srservice" fullword wide
        // ModStart/ModStop look like export names — confirm against the sample.
        $s4 = "ModStart" fullword ascii
        $s5 = "ModStop" fullword ascii
    condition:
        // 0x5a4d = "MZ" at offset 0; the 20KB bound reflects a tiny DLL.
        ( uint16(0) == 0x5a4d and filesize < 20KB and ( 1 of ($x*) or all of ($s*) ) )
        or ( all of them )
}
// Turla_APT_Malware_Gen1: Turla backdoor family from the RUAG case, ten
// samples. $x* are transport/error strings and a mutex name; $s2-$s8 are
// process names of packet-capture tools (tcpdump, wireshark, ettercap, ...)
// carried in the binary — the rule does not say what the malware does with
// them. Weighting: 2 $x or 8 $s inside a PE under 2MB, or 12 of all 14 anywhere.
rule Turla_APT_Malware_Gen1 {
    meta:
        description = "Detects Turla malware (based on sample used in the RUAG APT case)"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        family = "Turla"
        reference = "https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case"
        date = "2016-06-09"
        hash1 = "0e1bf347c37fb199886f1e675e372ba55ac4627e8be2f05a76c2c64f9b6ed0e4"
        hash2 = "7206075cd8f1004e8f1f759d46e98bfad4098b8642412811a214c0155a1f08b9"
        hash3 = "fe3ffd7438c0d38484bf02a78a19ea81a6f51b4b3f2b2228bd21974c2538bbcd"
        hash4 = "c49111af049dd9746c6b1980db6e150b2a79ca1569b23ed2cba81c85c00d82b4"
        hash5 = "b62a643c96e2e41f639d2a8ce11d61e6b9d7fb3a9baf011120b7fec1b4ee3cf4"
        hash6 = "edb12790b5cd959bc2e53a4b369a4fd747153e6c9d50f6a69ff047f7857a4348"
        hash7 = "8f2ea0f916fda1dfb771f5441e919c561da5b6334b9f2fffcbf53db14063b24a"
        hash8 = "8dddc744bbfcf215346c812aa569e49523996f73a1f22fe4e688084ce1225b98"
        hash9 = "0c69258adcc97632b729e55664c22cd942812336d41e8ea0cff9ddcafaded20f"
        hash10 = "2b4fba1ef06f85d1395945db40a9f2c3b3ed81b56fb9c2d5e5bb693c230215e2"
        id = "7ead2da1-3544-5a26-8767-6d3f29de8b96"
    strings:
        $x1 = "too long data for this type of transport" fullword ascii
        $x2 = "not enough server resources to complete operation" fullword ascii
        $x3 = "Task not execute. Arg file failed." fullword ascii
        $x4 = "Global\\MSCTF.Shared.MUTEX.ZRX" fullword ascii   // global mutex name
        $s1 = "peer has closed the connection" fullword ascii
        $s2 = "tcpdump.exe" fullword ascii
        $s3 = "windump.exe" fullword ascii
        $s4 = "dsniff.exe" fullword ascii
        $s5 = "wireshark.exe" fullword ascii
        $s6 = "ethereal.exe" fullword ascii
        $s7 = "snoop.exe" fullword ascii
        $s8 = "ettercap.exe" fullword ascii
        $s9 = "miniport.dat" fullword ascii
        $s10 = "net_password=%s" fullword ascii   // format string
    condition:
        // 0x5a4d = "MZ" at offset 0.
        ( uint16(0) == 0x5a4d and filesize < 2000KB and ( 2 of ($x*) or 8 of ($s*) ) )
        or ( 12 of them )
}
// Turla_APT_Malware_Gen3: Turla backdoor variant from the RUAG case. $x* are
// a named pipe and "OPER|..." config/diagnostic format strings; $s* are
// IE user-agent registry paths, decoy hostnames and HTTP format strings that
// are weaker on their own. One $x or six $s inside a PE under 2MB, or 10 of
// all 17 anywhere.
// NOTE(review): hash3 and hash9 are the same SHA-256 (duplicate meta entry).
rule Turla_APT_Malware_Gen3 {
    meta:
        description = "Detects Turla malware (based on sample used in the RUAG APT case)"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        family = "Turla"
        reference = "https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case"
        date = "2016-06-09"
        hash1 = "c49111af049dd9746c6b1980db6e150b2a79ca1569b23ed2cba81c85c00d82b4"
        hash2 = "b62a643c96e2e41f639d2a8ce11d61e6b9d7fb3a9baf011120b7fec1b4ee3cf4"
        hash3 = "edb12790b5cd959bc2e53a4b369a4fd747153e6c9d50f6a69ff047f7857a4348"
        hash4 = "8f2ea0f916fda1dfb771f5441e919c561da5b6334b9f2fffcbf53db14063b24a"
        hash5 = "8dddc744bbfcf215346c812aa569e49523996f73a1f22fe4e688084ce1225b98"
        hash6 = "0c69258adcc97632b729e55664c22cd942812336d41e8ea0cff9ddcafaded20f"
        hash7 = "2b4fba1ef06f85d1395945db40a9f2c3b3ed81b56fb9c2d5e5bb693c230215e2"
        hash8 = "7206075cd8f1004e8f1f759d46e98bfad4098b8642412811a214c0155a1f08b9"
        hash9 = "edb12790b5cd959bc2e53a4b369a4fd747153e6c9d50f6a69ff047f7857a4348"   // duplicate of hash3
        id = "8cb7d873-e4f9-553e-84e8-dbc0d31f65ab"
    strings:
        $x1 = "\\\\.\\pipe\\sdlrpc" fullword ascii   // named pipe \\.\pipe\sdlrpc
        $x2 = "WaitMutex Abandoned %p" fullword ascii
        $x3 = "OPER|Wrong config: no port|" fullword ascii
        $x4 = "OPER|Wrong config: no lastconnect|" fullword ascii
        $x5 = "OPER|Wrong config: empty address|" fullword ascii
        $x6 = "Trans task %d obj %s ACTIVE fail robj %s" fullword ascii
        $x7 = "OPER|Wrong config: no auth|" fullword ascii
        $x8 = "OPER|Sniffer '%s' running... ooopppsss...|" fullword ascii
        // $s1/$s2: registry paths that legitimate software also touches;
        // $s3/$s5: common hostnames. These are only meaningful in aggregate.
        $s1 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\User Agent\\Post Platform" fullword ascii
        $s2 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\User Agent\\Pre Platform" fullword ascii
        $s3 = "www.yahoo.com" fullword ascii
        $s4 = "MSXIML.DLL" fullword wide   // note the misspelling of MSXML — a useful discriminator
        $s5 = "www.bing.com" fullword ascii
        $s6 = "%s: http://%s%s" fullword ascii
        $s7 = "/javascript/view.php" fullword ascii
        $s8 = "Task %d failed %s,%d" fullword ascii
        $s9 = "Mozilla/4.0 (compatible; MSIE %d.0; " fullword ascii
    condition:
        // 0x5a4d = "MZ" at offset 0.
        ( uint16(0) == 0x5a4d and filesize < 2000KB and ( 1 of ($x*) or 6 of ($s*) ) )
        or ( 10 of them )
}
// Turla_Mal_Script_Jan18_1: WSH/JScript sample keyed on fragments of an
// inline base64 decoder plus WScript calls. There is no header check, only a
// size bound and "2 of them".
// NOTE(review): $s5 is the standard base64 alphabet and $s1/$s3 are generic
// decoder idioms, so two matches can occur in benign scripts that embed a
// base64 routine; treat a hit as a triage lead, not a verdict.
rule Turla_Mal_Script_Jan18_1 {
    meta:
        description = "Detects Turla malicious script"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://ghostbin.com/paste/jsph7"
        date = "2018-01-19"
        hash1 = "180b920e9cea712d124ff41cd1060683a14a79285d960e17f0f49b969f15bfcc"
        id = "4b550b3c-182c-5dc0-b2d2-13925c22be81"
    strings:
        $s1 = ".charCodeAt(i % " ascii
        $s2 = "{WScript.Quit();}" fullword ascii
        $s3 = ".charAt(i)) << 10) |" ascii
        $s4 = " = WScript.Arguments;var " ascii
        $s5 = "= \"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/\";var i;" ascii
    condition:
        filesize < 200KB and 2 of them
}
// MAL_Turla_Agent_BTZ: Agent.BTZ (Turla / Uroburos lineage, per the G DATA
// reference). $x* are distinctive artefacts — a long alphanumeric blob,
// filenames and a PDB name; $s* are path templates and log messages. Any one
// $x, or four strings of either class, inside a PE under 100KB. Numbering
// skips $x2 (removed at some point); harmless. score = 90 marks it high
// confidence.
rule MAL_Turla_Agent_BTZ {
    meta:
        description = "Detects Turla Agent.BTZ"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://www.gdatasoftware.com/blog/2014/11/23937-the-uroburos-case-new-sophisticated-rat-identified"
        date = "2018-04-12"
        modified = "2023-01-06"
        score = 90
        hash1 = "c4a1cd6916646aa502413d42e6e7441c6e7268926484f19d9acbf5113fc52fc8"
        id = "bd642f11-19f6-5178-b978-1215215fea86"
    strings:
        // $x1: presumably the hard-coded key discussed in the referenced
        // write-up — confirm against the sample before relying on that reading.
        $x1 = "1dM3uu4j7Fw4sjnbcwlDqet4F7JyuUi4m5Imnxl1pzxI6as80cbLnmz54cs5Ldn4ri3do5L6gs923HL34x2f5cvd0fk6c1a0s" fullword ascii
        $x3 = "mstotreg.dat" fullword ascii
        $x4 = "Bisuninst.bin" fullword ascii
        $x5 = "mfc42l00.pdb" fullword ascii
        $x6 = "ielocal~f.tmp" fullword ascii
        $s1 = "%s\\1.txt" fullword ascii
        $s2 = "%windows%" fullword ascii
        $s3 = "%s\\system32" fullword ascii
        $s4 = "\\Help\\SYSTEM32\\" ascii
        $s5 = "%windows%\\mfc42l00.pdb" ascii
        $s6 = "Size of log(%dB) is too big, stop write." fullword ascii
        $s7 = "Log: Size of log(%dB) is too big, stop write." fullword ascii
        $s8 = "%02d.%02d.%04d Log begin:" fullword ascii
        $s9 = "\\system32\\win.com" ascii
    condition:
        // 0x5a4d = "MZ" at offset 0.
        uint16(0) == 0x5a4d and filesize < 100KB and (
            1 of ($x*) or
            4 of them
        )
}
// MAL_Turla_Sample_May18_1: two Turla samples matched on command-line and
// log format templates. Any single string inside a PE under 500KB fires.
// $x2 is a substring of $x1 (and the surrounding quotes satisfy fullword), so
// a file matching $x1 always matches $x2 as well — redundant but harmless.
rule MAL_Turla_Sample_May18_1 {
    meta:
        description = "Detects Turla samples"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://twitter.com/omri9741/status/991942007701598208"
        date = "2018-05-03"
        hash1 = "4c49c9d601ebf16534d24d2dd1cab53fde6e03902758ef6cff86be740b720038"
        hash2 = "77cbd7252a20f2d35db4f330b9c4b8aa7501349bc06bbcc8f40ae13d01ae7f8f"
        id = "5052838f-a895-55cb-abcf-813465074127"
    strings:
        // %% in these templates is a literal percent sign in printf style, so
        // the on-disk bytes really are "%%SystemRoot%%".
        $x1 = "sc %s create %s binPath= \"cmd.exe /c start %%SystemRoot%%\\%s\">>%s" fullword ascii
        $x2 = "cmd.exe /c start %%SystemRoot%%\\%s" fullword ascii
        $x3 = "cmd.exe /c %s\\%s -s %s:%s:%s -c \"%s %s /wait 1\">>%s" fullword ascii
        $x4 = "Read InjectLog[%dB]********************************" fullword ascii
        $x5 = "%s\\System32\\011fe-3420f-ff0ea-ff0ea.tmp" fullword ascii   // fixed temp-file name; useful host artefact
        $x6 = "**************************** Begin ini %s [%d]***********************************************" fullword ascii
        $x7 = "%s -o %s -i %s -d exec2 -f %s" fullword ascii
        $x8 = "Logon to %s failed: code %d(User:%s,Pass:%s)" fullword ascii
        $x9 = "system32\\dxsnd32x.exe" fullword ascii   // fixed file name; useful host artefact
    condition:
        // 0x5a4d = "MZ" at offset 0.
        uint16(0) == 0x5a4d and filesize < 500KB and 1 of them
}
// APT_MAL_LNX_Turla_Apr20_1: Linux Turla backdoor (two samples). Fixed paths,
// a status-table header and error strings; 4 of 6 inside an ELF under 5MB.
// NOTE(review): $s6 reads like a libpcap diagnostic, which would be present in
// any ELF that statically links libpcap; it should not carry a hit on its own
// (and with "4 of them" it does not). Confirm against the samples.
rule APT_MAL_LNX_Turla_Apr20_1 {
    meta:
        description = "Detects Turla Linux malware"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://twitter.com/Int2e_/status/1246115636331319309"
        date = "2020-04-05"
        hash1 = "67d9556c695ef6c51abf6fbab17acb3466e3149cf4d20cb64d6d34dc969b6502"
        hash2 = "8ccc081d4940c5d8aa6b782c16ed82528c0885bbb08210a8d0a8c519c54215bc"
        id = "f21e7793-a7dd-5195-805d-963827b35808"
    strings:
        $s1 = "/root/.hsperfdata" ascii fullword   // fixed path; hunt for it on hosts too
        $s2 = "Desc| Filename | size |state|" ascii fullword
        $s3 = "IPv6 address %s not supported" ascii fullword
        $s4 = "File already exist on remote filesystem !" ascii fullword
        $s5 = "/tmp/.sync.pid" ascii fullword   // fixed PID-file path; hunt for it on hosts too
        $s6 = "'gateway' supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel" ascii fullword
    condition:
        // 0x457f: bytes 0x7f 'E' at offset 0, the start of the ELF magic.
        uint16(0) == 0x457f and
        filesize < 5000KB and
        4 of them
}
// APT_MAL_TinyTurla_Sep21_1: TinyTurla backdoor DLL (Cisco Talos). Requires
// every one of nine strings — seven wide names (individually very generic:
// "Hosts", "Security", "POST", ...) plus two WinHTTP import names — in a PE
// under 25KB. The strictness of "all of them" and the tiny size bound are
// what make the generic strings usable.
rule APT_MAL_TinyTurla_Sep21_1 {
    meta:
        author = "Cisco Talos"
        description = "Detects Tiny Turla backdoor DLL"
        reference = "https://blog.talosintelligence.com/2021/09/tinyturla.html"
        hash1 = "030cbd1a51f8583ccfc3fa38a28a5550dc1c84c05d6c0f5eb887d13dedf1da01"
        date = "2021-09-21"
        id = "19659ac7-310a-52dd-a94c-022c7add752b"
    strings:
        $a = "Title: " fullword wide
        $b = "Hosts" fullword wide
        $c = "Security" fullword wide
        $d = "TimeLong" fullword wide
        $e = "TimeShort" fullword wide
        $f = "MachineGuid" fullword wide
        $g = "POST" fullword wide
        $h = "WinHttpSetOption" fullword ascii          // import name
        $i = "WinHttpQueryDataAvailable" fullword ascii  // import name
    condition:
        // 0x5a4d = "MZ" at offset 0.
        uint16(0) == 0x5a4d and filesize < 25KB and all of them
}
// APT_MAL_LNX_Turla_Apr202004_1: Linux Turla backdoor, 32- and 64-bit builds
// (Leonardo). Uses anonymous strings ($ = ...), which is fine because the
// condition only counts "them". Shares hash1/hash2 and four of its strings
// with APT_MAL_LNX_Turla_Apr20_1, so both rules are expected to fire together.
// NOTE(review): hash3 and hash8 are the same SHA-256 (duplicate meta entry).
rule APT_MAL_LNX_Turla_Apr202004_1 {
    meta:
        description = "Detects Turla Linux malware x64 x32"
        date = "2020-04-24"
        author = "Leonardo S.p.A."
        reference = "https://www.leonardocompany.com/en/news-and-stories-detail/-/detail/knowledge-the-basis-of-protection"
        hash1 = "67d9556c695ef6c51abf6fbab17acb3466e3149cf4d20cb64d6d34dc969b6502"
        hash2 = "8ccc081d4940c5d8aa6b782c16ed82528c0885bbb08210a8d0a8c519c54215bc"
        hash3 = "8856a68d95e4e79301779770a83e3fad8f122b849a9e9e31cfe06bf3418fa667"
        hash4 = "1d5e4466a6c5723cd30caf8b1c3d33d1a3d4c94c25e2ebe186c02b8b41daf905"
        hash5 = "2dabb2c5c04da560a6b56dbaa565d1eab8189d1fa4a85557a22157877065ea08"
        hash6 = "3e138e4e34c6eed3506efc7c805fce19af13bd62aeb35544f81f111e83b5d0d4"
        hash7 = "5a204263cac112318cd162f1c372437abf7f2092902b05e943e8784869629dd8"
        hash8 = "8856a68d95e4e79301779770a83e3fad8f122b849a9e9e31cfe06bf3418fa667"   // duplicate of hash3
        hash9 = "d49690ccb82ff9d42d3ee9d7da693fd7d302734562de088e9298413d56b86ed0"
        id = "2da75433-b1c1-51b3-8f7a-a4442ca3de96"
    strings:
        $ = "/root/.hsperfdata" ascii fullword   // fixed path; also a host artefact
        $ = "Desc| Filename | size |state|" ascii fullword
        $ = "VS filesystem: %s" ascii fullword
        $ = "File already exist on remote filesystem !" ascii fullword
        $ = "/tmp/.sync.pid" ascii fullword   // fixed PID-file path; also a host artefact
        $ = "rem_fd: ssl " ascii fullword
        $ = "TREX_PID=%u" ascii fullword   // environment-variable template
        $ = "/tmp/.xdfg" ascii fullword
        $ = "__we_are_happy__" ascii   // not fullword — may be embedded in a longer token
        $ = "/root/.sess" ascii fullword
        /* Disabled by the author; kept for reference:
        $ = "ZYSZLRTS^Z@@NM@@G_Y_FE" ascii fullword */
    condition:
        // 0x457f: bytes 0x7f 'E' at offset 0, the start of the ELF magic.
        // Ten active strings; four must be present.
        uint16(0) == 0x457f and filesize < 5000KB and
        4 of them
}
// APT_MAL_LNX_Turla_Apr202004_1_opcode: code-pattern companion to
// APT_MAL_LNX_Turla_Apr202004_1 (same samples and metadata). Two of eight
// opcode sequences inside an ELF under 5MB. Both hex spellings used below
// (spaced bytes and a run without spaces) are valid YARA.
// NOTE(review): several patterns embed what look like absolute addresses
// (e.g. "E0 80 69 00", "9B 7D 29 00", "60 26 0C 08"); if so they are pinned to
// specific builds and will not survive a relink — confirm against the samples
// and consider wildcarding those operands.
// NOTE(review): hash3 and hash8 are the same SHA-256 (duplicate meta entry).
rule APT_MAL_LNX_Turla_Apr202004_1_opcode {
    meta:
        description = "Detects Turla Linux malware x64 x32"
        date = "2020-04-24"
        author = "Leonardo S.p.A."
        reference = "https://www.leonardocompany.com/en/news-and-stories-detail/-/detail/knowledge-the-basis-of-protection"
        hash1 = "67d9556c695ef6c51abf6fbab17acb3466e3149cf4d20cb64d6d34dc969b6502"
        hash2 = "8ccc081d4940c5d8aa6b782c16ed82528c0885bbb08210a8d0a8c519c54215bc"
        hash3 = "8856a68d95e4e79301779770a83e3fad8f122b849a9e9e31cfe06bf3418fa667"
        hash4 = "1d5e4466a6c5723cd30caf8b1c3d33d1a3d4c94c25e2ebe186c02b8b41daf905"
        hash5 = "2dabb2c5c04da560a6b56dbaa565d1eab8189d1fa4a85557a22157877065ea08"
        hash6 = "3e138e4e34c6eed3506efc7c805fce19af13bd62aeb35544f81f111e83b5d0d4"
        hash7 = "5a204263cac112318cd162f1c372437abf7f2092902b05e943e8784869629dd8"
        hash8 = "8856a68d95e4e79301779770a83e3fad8f122b849a9e9e31cfe06bf3418fa667"   // duplicate of hash3
        hash9 = "d49690ccb82ff9d42d3ee9d7da693fd7d302734562de088e9298413d56b86ed0"
        id = "03043f59-c81a-5423-bec1-6cd88f6e3c52"
    strings:
        $op0 = { 8D 41 05 32 06 48 FF C6 88 81 E0 80 69 00 } /* Xor string loop_p1 x32 */
        $op1 = { 48FFC14883F94975E9 } /* Xor string loop_p2 x32 */
        $op2 = { C7 05 9B 7D 29 00 1D 00 00 00 C7 05 2D 7B 29 00 65 74 68 30 C6 05 2A 7B 29 00 00 E8 }
        /* Load eth0 interface ("65 74 68 30" is the ASCII bytes "eth0") */
        $op3 = { BF FF FF FF FF E8 96 9D 0A 00 90 90 90 90 90 90 90 90 90 90 89 F0}
        /* Opcode exceptions */
        $op4 = { 88D380C305329AC1D60C08889A60A10F084283FA0876E9 }
        /* Xor string loop x64 */
        $op5 = { 8B 8D 50 DF FF FF B8 09 00 00 00 89 44 24 04 89 0C 24 E8 DD E5 02 00 } /* Kill call x32 */
        $op6 = { 8D 5A 05 32 9A 60 26 0C 08 88 9A 20 F4 0E 08 42 83 FA 48 76 EB } /* Decrypt init str */
        $op7 = { 8D 4A 05 32 8A 25 26 0C 08 88 8A 20 F4 0E 08 42 83 FA 08 76 EB} /* Decrypt init str */
    condition:
        // 0x457f: bytes 0x7f 'E' at offset 0, the start of the ELF magic.
        uint16(0) == 0x457f and filesize < 5000KB and
        2 of them
}
// SnakeTurla_Malware_May17_1: macOS Snake/Turla sample keyed on a single
// developer build path left in the binary. "all of them" with one string is
// just that string.
rule SnakeTurla_Malware_May17_1 {
    meta:
        description = "Detects Snake / Turla Sample"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://goo.gl/QaOh4V"
        date = "2017-05-04"
        modified = "2023-01-06"
        hash1 = "5b7792a16c6b7978fca389882c6aeeb2c792352076bf6a064e7b8b90eace8060"
        id = "ddbbd602-b7f0-5e14-be0f-0c84bb22ddeb"
    strings:
        $s1 = "/Users/vlad/Desktop/install/install/" ascii   // build-path artefact; not fullword
    condition:
        // 0xfacf: first two bytes (little-endian) of the 64-bit Mach-O magic 0xfeedfacf.
        ( uint16(0) == 0xfacf and filesize < 200KB and all of them )
}
// SnakeTurla_Malware_May17_2: macOS Snake/Turla sample; all three strings
// (an OpenSSL-wrapper error, a networksetup proxy query template and a
// GUID-prefixed pipe-name constant) must be present in a Mach-O under 6MB.
rule SnakeTurla_Malware_May17_2 {
    meta:
        description = "Detects Snake / Turla Sample"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://goo.gl/QaOh4V"
        date = "2017-05-04"
        hash1 = "b8ee4556dc09b28826359b98343a4e00680971a6f8c6602747bd5d723d26eaea"
        id = "b3e94016-591c-5e39-b5e7-328e0761e535"
    strings:
        $s1 = "b_openssl: oops - number of mutexes is 0" fullword ascii
        $s2 = "networksetup -get%sproxy Ethernet" fullword ascii   // %s is filled at runtime
        $s3 = "012A04DECBC441e49C527B2798F54CA7LOG_NAMED_PIPE_NAME" fullword ascii
    condition:
        // 0xfacf: first two bytes (little-endian) of the 64-bit Mach-O magic 0xfeedfacf.
        ( uint16(0) == 0xfacf and filesize < 6000KB and all of them )
}
// SnakeTurla_Malware_May17_4: the zip archive that carries the macOS Snake
// installer. The one string is a zip entry path for an "Install Adobe Flash
// Player.app" bundle; the trailing "PK" is presumably the next local-file
// header signature that immediately follows the name in the archive.
rule SnakeTurla_Malware_May17_4 {
    meta:
        description = "Detects Snake / Turla Sample"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://goo.gl/QaOh4V"
        date = "2017-05-04"
        hash1 = "d5ea79632a1a67abbf9fb1c2813b899c90a5fb9442966ed4f530e92715087ee2"
        id = "797dedd6-a13e-529f-bae4-4043294672c4"
    strings:
        $s1 = "Install Adobe Flash Player.app/com.adobe.updatePK" fullword ascii
    condition:
        // 0x4b50 = "PK" at offset 0 (zip local-file header).
        ( uint16(0) == 0x4b50 and filesize < 5000KB and all of them )
}
// SnakeTurla_Installd_SH: the installd.sh helper shell script from the macOS
// Snake package. Both lines must be present in a shebang-prefixed file under
// 20KB. No sample hash is recorded for this rule.
rule SnakeTurla_Installd_SH {
    meta:
        description = "Detects Snake / Turla Sample"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://goo.gl/QaOh4V"
        date = "2017-05-04"
        id = "65a97c0d-5c69-5e58-9a18-10e5684bc218"
    strings:
        $s1 = "PIDS=`ps cax | grep installdp" ascii
        $s2 = "${SCRIPT_DIR}/installdp ${FILE}" ascii
    condition:
        // 0x2123 = "#!" at offset 0 (shebang).
        ( uint16(0) == 0x2123 and filesize < 20KB and all of them )
}
// SnakeTurla_Install_SH: the install.sh script from the macOS Snake package;
// it references installd.sh and a com.adobe.update.plist launch item. Both
// lines must be present in a shebang-prefixed file under 20KB. No sample hash
// is recorded for this rule.
rule SnakeTurla_Install_SH {
    meta:
        description = "Detects Snake / Turla Sample"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://goo.gl/QaOh4V"
        date = "2017-05-04"
        id = "68775c54-46f8-5d44-ba63-6726d2bb8016"
    strings:
        $s1 = "${TARGET_PATH}/installd.sh" ascii
        $s2 = "$TARGET_PATH2/com.adobe.update.plist" ascii   // plist name doubles as a host artefact to hunt for
    condition:
        // 0x2123 = "#!" at offset 0 (shebang).
        ( uint16(0) == 0x2123 and filesize < 20KB and all of them )
}
// WaterBug_turla_dropper: Symantec's Waterbug (Turla) dropper rule, two raw
// byte patterns and no header or size gate, so both patterns are searched in
// every scanned file. No hash is recorded and the date is not ISO-formatted
// (a metadata inconsistency with the rest of the set).
// NOTE(review): $b starts with the ASCII bytes "HAL.dll\0ntdll\0\0\0" and
// then appears to decode to mov esi,cr0 / and eax,0FFFEFFFFh / mov cr0,eax
// (0F 20 C6 ... 25 FF FF FE FF 0F 22 C0), i.e. clearing the CR0 write-protect
// bit — a kernel-mode pattern. A hit therefore points at a driver component;
// worth knowing when triaging. Confirm by disassembling the sample.
rule WaterBug_turla_dropper {
    meta:
        description = "Symantec Waterbug Attack - Trojan Turla Dropper"
        author = "Symantec Security Response"
        date = "22.01.2015"
        reference = "http://t.co/rF35OaAXrl"
        id = "f9683ac7-36f3-5a2a-8b76-e8e2527f4e0d"
    strings:
        $a = {0F 31 14 31 20 31 3C 31 85 31 8C 31 A8 31 B1 31 D1 31 8B 32 91 32 B6 32 C4 32 6C 33 AC 33 10 34}
        // ?? ?? ?? ?? ?? wildcards a five-byte operand region that varies per build.
        $b = {48 41 4C 2E 64 6C 6C 00 6E 74 64 6C 6C 00 00 00 57 8B F9 8B 0D ?? ?? ?? ?? ?? C9 75 26 56 0F 20 C6 8B C6 25 FF FF FE FF 0F 22 C0 E8}
    condition:
        all of them
}
// WaterBug_turla_dll: Symantec's Waterbug (Turla) DLL rule. Requires an export
// named "ee" plus an export-style DLL name ending in "Win32.dll" with up to two
// short underscore-separated prefixes, NUL-terminated.
// NOTE(review): pe.exports() needs `import "pe"` at the top of the file, which
// is outside this excerpt — confirm it is present, otherwise the rule will not
// compile. There is no file-type or size gate; since YARA searches strings
// before evaluating the condition, the regex (whose leading group is
// variable-length) is run against every scanned file, not just PEs.
// Unlike the other rules here, this one carries no id and no hash.
rule WaterBug_turla_dll {
    meta:
        description = "Symantec Waterbug Attack - Trojan Turla DLL"
        author = "Symantec Security Response"
        date = "22.01.2015"
        reference = "http://t.co/rF35OaAXrl"
    strings:
        // {,2} is zero to two repetitions; \x00 anchors on the terminator.
        $a = /([A-Za-z0-9]{2,10}_){,2}Win32\.dll\x00/
    condition:
        pe.exports("ee") and $a
}
// turla_png_dropper: the Turla "PNG dropper" (NCC Group). Requires a valid PE
// (MZ plus "PE" at e_lfanew), all seven GDI+ import names, and either the
// 32- or 64-bit loader stub. The $api* strings carry no modifier, so they are
// plain ascii and not fullword; GDI+ imports are common in legitimate software,
// which is why the rule also demands a code pattern.
// The stubs read e_lfanew ([+3Ch]), compare the optional-header magic at +18h
// against 10Bh (PE32), take the entry point at +28h and call it with a
// 0DEADBEAFh argument — per the inline disassembly below.
rule turla_png_dropper {
    meta:
        author = "Ben Humphrey"
        description = "Detects the PNG Dropper used by the Turla group"
        reference = "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/"
        date = "2018/11/23"
        hash1 = "6ed939f59476fd31dc4d99e96136e928fbd88aec0d9c59846092c0e93a3c0e27"
        id = "459f17c8-0eae-5736-8c7c-286625dc158f"
    strings:
        $api0 = "GdiplusStartup"
        $api1 = "GdipAlloc"
        $api2 = "GdipCreateBitmapFromStreamICM"
        $api3 = "GdipBitmapLockBits"
        $api4 = "GdipGetImageWidth"
        $api5 = "GdipGetImageHeight"
        $api6 = "GdiplusShutdown"
        $code32 = {
            8B 46 3C        // mov eax, [esi+3Ch]
            B9 0B 01 00 00  // mov ecx, 10Bh
            66 39 4C 30 18  // cmp [eax+esi+18h], cx
            8B 44 30 28     // mov eax, [eax+esi+28h]
            6A 00           // push 0
            B9 AF BE AD DE  // mov ecx, 0DEADBEAFh
            51              // push ecx
            51              // push ecx
            03 C6           // add eax, esi
            56              // push esi
            FF D0           // call eax
        }
        $code64 = {
            48 63 43 3C     // movsxd rax, dword ptr [rbx+3Ch]
            B9 0B 01 00 00  // mov ecx, 10Bh
            BA AF BE AD DE  // mov edx, 0DEADBEAFh
            66 39 4C 18 18  // cmp [rax+rbx+18h], cx
            8B 44 18 28     // mov eax, [rax+rbx+28h]
            45 33 C9        // xor r9d, r9d
            44 8B C2        // mov r8d, edx
            48 8B CB        // mov rcx, rbx
            48 03 C3        // add rax, rbx
            FF D0           // call rax
        }
    condition:
        // MZ at offset 0 and "PE" (0x4550) at the e_lfanew offset read from 0x3c.
        (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and
        all of ($api*) and
        1 of ($code*)
}
rule turla_png_reg_enum_payload {
// NCC Group signature for the payload dropped by the Turla PNG dropper: a PE
// service binary that enumerates registry values/keys and uses CNG (ncrypt/bcrypt)
// for key storage and symmetric decryption. Needs `import "pe"` at file level.
meta:
author = "Ben Humphrey"
description = "Payload that has most recently been dropped by the Turla PNG Dropper"
reference = "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/"
date = "2018/11/23"
hash1 = "fea27eb2e939e930c8617dcf64366d1649988f30555f6ee9cd09fe54e4bc22b3"
id = "413bb315-3c01-56ab-92db-00342a11438a"
strings:
// UTF-16 names of the CNG key storage provider and the CBC chaining-mode property.
$crypt00 = "Microsoft Software Key Storage Provider" wide
$crypt01 = "ChainingModeCBC" wide
// $crypt02 was dropped by the author: a 3-character wide string is too short an
// atom and slows scanning; `all of them` below therefore covers only two strings.
/* $crypt02 = "AES" wide */ /* disabled due to performance reasons */
condition:
// "MZ" at 0 and "PE" at e_lfanew: a real PE file.
(uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and
// Service-control entry point plus registry enumeration, as a service would use.
pe.imports("advapi32.dll", "StartServiceCtrlDispatcherA") and
pe.imports("advapi32.dll", "RegEnumValueA") and
pe.imports("advapi32.dll", "RegEnumKeyExA") and
// CNG imports. The BCrypt* functions are expected to be imported via ncrypt.dll,
// as published; a build importing them from bcrypt.dll instead would not match.
pe.imports("ncrypt.dll", "NCryptOpenStorageProvider") and
pe.imports("ncrypt.dll", "NCryptEnumKeys") and
pe.imports("ncrypt.dll", "NCryptOpenKey") and
pe.imports("ncrypt.dll", "NCryptDecrypt") and
pe.imports("ncrypt.dll", "BCryptGenerateSymmetricKey") and
pe.imports("ncrypt.dll", "BCryptGetProperty") and
pe.imports("ncrypt.dll", "BCryptDecrypt") and
pe.imports("ncrypt.dll", "BCryptEncrypt") and
// Both active wide strings.
all of them
}
rule APT_Turla_Agent_BTZ_Gen_1 {
// Generic Agent.BTZ signature: a small MZ file matched by import hash, by its
// export triple, by a single high-confidence key-like blob, or by enough of the
// log/format strings. Uses pe.imphash()/pe.exports(), so `import "pe"` is required.
meta:
description = "Detects Turla Agent.BTZ"
author = "Florian Roth (Nextron Systems)"
reference = "Internal Research"
date = "2018-06-16"
score = 80
hash1 = "c905f2dec79ccab115ad32578384008696ebab02276f49f12465dcd026c1a615"
id = "d5e1dd3d-4f03-5f79-898b-e612d2758b60"
strings:
// $x1: a long fixed alphanumeric blob (looks like an embedded key or constant);
// unique enough to match on its own in the condition below.
$x1 = "1dM3uu4j7Fw4sjnbcwlDqet4F7JyuUi4m5Imnxl1pzxI6as80cbLnmz54cs5Ldn4ri3do5L6gs923HL34x2f5cvd0fk6c1a0s" fullword ascii
// $s*: log lines, printf-style formats and hard-coded system32 paths
// (win.com, winview.ocx) used by the implant.
$s1 = "release mutex - %u (%u)(%u)" fullword ascii
$s2 = "\\system32\\win.com" ascii
$s3 = "Command Id:%u%010u(%02d:%02d:%02d %02d/%02d/%04d)" fullword ascii
$s4 = "MakeFile Error(%d) copy file to temp file %s" fullword ascii
$s5 = "%s%%s08x.tmp" fullword ascii
$s6 = "Run instruction: %d ID:%u%010u(%02d:%02d:%02d %02d/%02d/%04d)" fullword ascii
$s7 = "Mutex_Log" fullword ascii
$s8 = "%s\\system32\\winview.ocx" fullword ascii
$s9 = "Microsoft(R) Windows (R) Operating System" fullword wide
$s10 = "Error: pos(%d) > CmdSize(%d)" fullword ascii
$s11 = "\\win.com" ascii
$s12 = "Error(%d) run %s " fullword ascii
$s13 = "%02d.%02d.%04d Log begin:" fullword ascii
condition:
// `and` binds tighter than `or`: either (MZ and <500KB and any one of the four
// indicators in the parentheses), or five of all strings regardless of header
// and size. `3 of them` / `5 of them` count $x1 together with the $s strings.
uint16(0) == 0x5a4d and filesize < 500KB and (
pe.imphash() == "9d0d6daa47d6e6f2d80eb05405944f87" or
( pe.exports("Entry") and pe.exports("InstallM") and pe.exports("InstallS") ) or
$x1 or 3 of them
) or ( 5 of them )
}
rule WaterBug_wipbot_2013_core_PDF {
// Symantec Waterbug signature for the Wipbot PDF carrier: a PDF containing a high
// count of two obfuscation-style token patterns (counted with #a / #b rather than
// merely present). The description says 2014 while the rule name says 2013 — as published.
meta:
description = "Symantec Waterbug Attack - Trojan.Wipbot 2014 core PDF"
author = "Symantec Security Response"
date = "22.01.2015"
reference = "http://t.co/rF35OaAXrl"
id = "2e8ccce9-d8ba-573d-b532-76d8e2ed5442"
strings:
// "+X. _ _ $+Y. _ $ _ +" with single letters X/Y; spaces and underscores are literal.
$a = /\+[A-Za-z]{1}\. _ _ \$\+[A-Za-z]{1}\. _ \$ _ \+/
// "+X.$$$ _ +" with a single letter X.
$b = /\+[A-Za-z]{1}\.\$\$\$ _ \+/
condition:
// 0x46445025 is "%PDF" read as a little-endian uint32 at offset 0; then more
// than 150 occurrences of $a and more than 200 of $b.
uint32(0) == 0x46445025 and #a > 150 and #b > 200
}
rule WaterBug_wipbot_2013_dll {
    meta:
        description = "Symantec Waterbug Attack - Trojan.Wipbot 2014 Down.dll component"
        author = "Symantec Security Response"
        date = "22.01.2015"
        reference = "http://t.co/rF35OaAXrl"
        id = "2aae09a3-6e59-5951-941e-c1f82aada979"
    strings:
        // Request path format used by the downloader component.
        $uri_fmt = "/%s?rank=%s"
        // Two adjacent NUL-terminated export-style names plus "start".
        $module_names = "ModuleStart\x00ModuleStop\x00start"
        // Fixed GUID-like token embedded in the sample.
        $guid_like = "1156fd22-3443-4344-c4ffff"
        // Escaped form of "read file... error" followed by two NUL bytes.
        $read_error = "read\x20file\x2E\x2E\x2E\x20error\x00\x00"
    condition:
        // No header or size gate: any two of the four strings suffice.
        2 of them
}
rule WaterBug_wipbot_2013_core {
    meta:
        description = "Symantec Waterbug Attack - Trojan.Wipbot core + core; garbage appended data (PDF Exploit leftovers) + wipbot dropper; fake AdobeRd32 Error"
        author = "Symantec Security Response"
        date = "2015-01-22"
        modified = "2023-01-27"
        reference = "http://t.co/rF35OaAXrl"
        // NOTE(review): this id is identical to the one on WaterBug_wipbot_2013_core_PDF;
        // ids are meant to be unique per rule, so one of the two presumably needs a fresh value.
        id = "2e8ccce9-d8ba-573d-b532-76d8e2ed5442"
    strings:
        // Stub-writing sequence: stores small "C2 04 00"/"C2 10 00" (ret n) and
        // "90" (nop) filled dwords at offsets off edi, i.e. code being patched in memory.
        $code1 = { 89 47 0C C7 47 10 90 C2 04 00 C7 47 14 90 C2 10 00 C7 47 18 90 90 60 68 89 4F 1C C7 47 20 90 90 90 B8 89 4F 24 C7 47 28 90 FF D0 61 C7 47 2C 90 C2 04 00}
        // Decoding loop with a wildcarded 32-bit immediate.
        $code2 = { 85 C0 75 25 8B 0B BF ?? ?? ?? ?? EB 17 69 D7 0D 66 19 00 8D BA 5F F3 6E 3C 89 FE C1 EE 10 89 F2 30 14 01 40 3B 43 04 72 E4}
        // Third and fourth fragments only count as a pair (see condition).
        $code3 = {90 90 90 ?? B9 00 4D 5A 90 00 03 00 00 00 82 04}
        $code4 = {55 89 E5 5D C3 55 89 E5 83 EC 18 8B 45 08 85 C0}
    condition:
        // "MZ" header, then either of the first two fragments alone or both of the last two.
        uint16(0) == 0x5A4D
        and (
            $code1
            or $code2
            or ($code3 and $code4)
        )
}
rule WaterBug_fa_malware {
    meta:
        description = "Symantec Waterbug Attack - FA malware variant"
        author = "Symantec Security Response"
        date = "2015-01-22"
        modified = "2023-01-27"
        reference = "http://t.co/rF35OaAXrl"
        id = "b09f798a-2875-59ca-b880-971d8f973c76"
    strings:
        // Build artefacts: PDB and project paths left in the binaries. The
        // "fa _ 2009" spelling with spaces is reproduced exactly as published;
        // if it never matches, verify it against a sample before "fixing" it.
        $pdb_path       = "C:\\proj\\drivers\\fa _ 2009\\objfre\\i386\\atmarpd.pdb"
        $proj_path_64   = "d:\\proj\\cn\\fa64\\"
        // NUL-terminated driver name and a source-file name.
        $driver_name    = "sengoku_Win32.sys\x00"
        $src_file       = "rk_ntsystem.c"
        // Directory fragment and a shell namespace GUID string.
        $uroboros_dir   = "\\uroboros\\"
        $shell_guid     = "shell.{F21EDC09-85D3-4eb9-915F-1AFA2FF28153}"
    condition:
        // "MZ" header and at least one of the six artefacts (all strings belong to
        // the set, so `any of them` equals the original `any of ($string*)`).
        uint16(0) == 0x5A4D and any of them
}
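rule WaterBug_sav_dropper {
    meta:
        description = "Symantec Waterbug Attack - SAV Dropper"
        author = "Symantec Security Response"
        date = "22.01.2015"
        reference = "http://t.co/rF35OaAXrl"
        // NOTE(review): this id is shared with WaterBug_sav below; ids are meant to
        // be unique per rule, so one of the two presumably needs a fresh value.
        id = "685849de-9892-56bf-8215-21b08d8b2d7c"
    strings:
        $mz = "MZ"
        // "<name>_x64.sys\0hMZ\0": a 64-bit driver file name immediately followed
        // by "hMZ", i.e. an embedded PE. The dot before "sys" is escaped so it
        // matches only a literal '.', as a file extension requires; the published
        // pattern left it unescaped, where `.` matches any byte.
        $a = /[a-z]{,10}_x64\.sys\x00hMZ\x00/
    condition:
        // "MZ" at offset 0, a 0xC3 byte (x86 `ret`) followed by three zero bytes at
        // 0x400 — presumably the first byte of the first section — exactly six PE
        // sections (needs `import "pe"`), and the embedded driver name.
        ($mz at 0) and uint32(0x400) == 0x000000c3 and pe.number_of_sections == 6 and $a
}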
rule WaterBug_sav {
// Symantec Waterbug signature for the SAV malware: an MZ file containing one of
// three variants of a byte-decoding loop plus a second, separate code fragment.
meta:
description = "Symantec Waterbug Attack - SAV Malware"
author = "Symantec Security Response"
date = "2015-01-22"
modified = "2023-01-27"
reference = "http://t.co/rF35OaAXrl"
// NOTE(review): this id is identical to the one on WaterBug_sav_dropper above;
// ids are meant to be unique per rule, so one of the two presumably needs a fresh value.
id = "685849de-9892-56bf-8215-21b08d8b2d7c"
strings:
// $code1a/$code1b/$code1c: three compiler/variant-specific renderings of the same
// loop — each contains a divide by 15 (6A 0F ... F7 F3 / 6A 0F 59 F7 F1, i.e.
// push 0Fh; ... div) and a remainder test (85 D2 75 ..), suggesting a byte-wise
// transform keyed on position mod 15.
$code1a = { 8B 75 18 31 34 81 40 3B C2 72 F5 33 F6 39 7D 14 76 1B 8A 04 0E 88 04 0F 6A 0F 33 D2 8B C7 5B F7 F3 85 D2 75 01 }
$code1b = { 8B 45 F8 40 89 45 F8 8B 45 10 C1 E8 02 39 45 F8 73 17 8B 45 F8 8B 4D F4 8B 04 81 33 45 20 8B 4D F8 8B 55 F4 89 04 8A EB D7 83 65 F8 00 83 65 EC 00 EB 0E 8B 45 F8 40 89 45 F8 8B 45 EC 40 89 45 EC 8B 45 EC 3B 45 10 73 27 8B 45 F4 03 45 F8 8B 4D F4 03 4D EC 8A 09 88 08 8B 45 F8 33 D2 6A 0F 59 F7 F1 85 D2 75 07 }
$code1c = { 8A 04 0F 88 04 0E 6A 0F 33 D2 8B C6 5B F7 F3 85 D2 75 01 47 8B 45 14 46 47 3B F8 72 E3 EB 04 C6 04 08 00 48 3B C6 73 F7 33 C0 C1 EE 02 74 0B 8B 55 18 31 14 81 40 3B C6 72 F5 }
// $code2: a second fragment with a comparison against 0x01000000 (3D 00 00 00 01)
// and shift/rotate arithmetic; required in addition to one of the loops.
$code2 = { 29 5D 0C 8B D1 C1 EA 05 2B CA 8B 55 F4 2B C3 3D 00 00 00 01 89 0F 8B 4D 10 8D 94 91 00 03 00 00 73 17 8B 7D F8 8B 4D 0C 0F B6 3F C1 E1 08 0B CF C1 E0 08 FF 45 F8 89 4D 0C 8B 0A 8B F8 C1 EF 0B}
condition:
// "MZ" header, any one loop variant, and $code2.
uint16(0) == 0x5A4D and (($code1a or $code1b or $code1c) and $code2)
}
rule APT_MAL_RU_WIN_Snake_Malware_PeIconSizes_May23_1 {
// CSA hunting rule for the Snake loader: a WerFault.exe under a WinSxS path whose
// icon resources have three specific byte lengths. It relies on the external
// variables `filename` and `filepath`, which the scanning tool must define (e.g.
// `yara -d filename=... -d filepath=...`); without them the rule fails to compile.
// `import "pe"` is required for pe.resources.
// NOTE(review): the description says "Comadmin file" while the condition keys on
// WerFault.exe — confirm the wording against the referenced CSA.
// NOTE(review): no `id` or hash meta fields, unlike the rest of the set.
meta:
description = "Detects Comadmin file that houses Snake's kernel driver and the driver's loader"
author = "CSA"
reference = "https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF"
date = "2023-05-10"
score = 75
condition:
// "MZ" header.
uint16(0) == 0x5a4d
// String comparison is case-sensitive, hence both spellings; other casings
// (e.g. "WERFAULT.EXE") are not covered. Newer YARA offers iequals/icontains
// for a case-insensitive form — verify the deployed YARA version before switching.
and (
filename == "WerFault.exe"
or filename == "werfault.exe"
)
and filepath contains "\\WinSxS\\"
// Three separate loops: each icon size must be present as its own resource;
// a single loop with `or` would accept any one of them.
and for any rsrc in pe.resources: (
rsrc.type == pe.RESOURCE_TYPE_ICON and rsrc.length == 3240
)
and for any rsrc in pe.resources: (
rsrc.type == pe.RESOURCE_TYPE_ICON and rsrc.length == 1384
)
and for any rsrc in pe.resources: (
rsrc.type == pe.RESOURCE_TYPE_ICON and rsrc.length == 7336
)
}
rule APT_MAL_RU_Snake_Malware_Queue_File_May23_1 {
// Snake queue-file rule: matches on file name shape plus high entropy of the first
// 1KB. Relies on the external variable `filename` (the scanner must define it) and
// on `import "math"` for math.entropy.
meta:
description = "Detects Queue files used by Snake malware"
author = "Florian Roth"
reference = "https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF"
date = "2023-05-10"
score = 80
id = "c7ed554e-b55e-5c3f-aa8b-231cb1073f34"
condition:
// Two braced GUID-shaped groups, each followed by a dot, then "crmlog" — i.e.
// "{GUID}.{GUID}.crmlog". The regex is unanchored, so a longer name containing
// that shape also matches.
filename matches /(\{[0-9A-Fa-f]{8}\-([0-9A-Fa-f]{4}\-){3}[0-9A-Fa-f]{12}\}\.){2}crmlog/
/* and filepath contains "\\Registration\\" // not needed - already specific enough */
// we reduce the range for the entropy calculation to the first 1024 for performance
// reasons. In a fully encrypted file - as used by Snake - this should already be specific enough
//and math.entropy(0, filesize) >= 7.0
// Shannon entropy of the first 1024 bytes (max 8.0); >= 7.0 indicates encrypted
// or compressed content. Files shorter than 1024 bytes are measured on what exists.
and math.entropy(0, 1024) >= 7.0
}
rule APT_MAL_RU_WIN_Snake_Malware_May23_1 {
// Memory-hunting rule for Snake: seven short byte patterns that must all be present.
// Each pattern is only four bytes, which is a weak atom on its own — the combination,
// the memory scan context and score 70 are what keep this usable; expect YARA to
// warn about these strings slowing down scanning, and do not raise the score without
// validating false positives on the target estate.
meta:
author = "Matt Suiche (Magnet Forensics)"
description = "Hunting Russian Intelligence Snake Malware"
date = "2023-05-10"
modified = "2025-03-21"
threat_name = "Windows.Malware.Snake"
reference = "https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF"
score = 70
scan_context = "memory"
license = "MIT"
/* The original search only query those bytes in PAGE_EXECUTE_WRITECOPY VADs */
id = "53d2de3c-350c-5090-84bb-b6cde16a80ad"
strings:
// ASCII "%s#1" .. "%s#4": format strings with a numeric suffix.
$a = { 25 73 23 31 }
$b = { 25 73 23 32 }
$c = { 25 73 23 33 }
$d = { 25 73 23 34 }
// ASCII ".tmp"
$e = { 2e 74 6d 70 }
// $f was an exact duplicate of $e and is disabled; it would have added nothing.
/* $f = { 2e 74 6d 70 } */
// ASCII ".sav" and ".upd": file extensions used by the implant.
$g = { 2e 73 61 76 }
$h = { 2e 75 70 64 }
condition:
// All seven active patterns must be present somewhere in the scanned region.
all of them
}
rule APT_MAL_RU_Snake_Indicators_May23_1 {
// Snake sample strings: five full-word ASCII strings, all required. No header or
// size gate, so it applies to any file type. The hash1..hash19 entries are the
// sample hashes the rule was derived from, as published.
meta:
description = "Detects indicators found in Snake malware samples"
author = "Florian Roth"
reference = "https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF"
date = "2023-05-10"
score = 85
hash1 = "10b854d66240d9ee1ce4296d2f7857d2b1c6f062ca836d13d777930d678b3ca6"
hash2 = "15ac5a61fb3e751045de2d7f5ff26c673f3883e326cd1b3a63889984a4fb2a8f"
hash3 = "315ec991709eb45eccf724dfe31bccb7affcac7f8e8007e688ba8d02827205e0"
hash4 = "417eb4fb9ada270af35562ff317807ac5ca9ee26181fe89990858f0944d3a6a7"
hash5 = "48112970de6ea0f925f0657b30adcd0723df94afc98cfafdc991d70ad3602119"
hash6 = "55ea557bcf4c143f20c616abe9075f7faafbf825aeef9ddb4f2b201acc44414b"
hash7 = "6568bbeeb417e1111bf284e73152d90fe17e5497da7630ccddcbc666730dccef"
hash8 = "81d620cb645006ffc9ac1b9d98a53aa286ae92b025bda075962079633f020482"
hash9 = "888a3029b1b8b664eb1fc77dd511c4088a1e28ae5535a8683642bb3dca011d00"
hash10 = "9027b4fef50b36289d630059425dc1137c88328329c3ea9dbc348dccd001adc0"
hash11 = "9ac199572cab67433726976a0e9ba39d6feed1d567d6d230ebe3133df8dcb7fa"
hash12 = "a64e5d872421991226ee040b4cd49a89ca681bdef4c10c4798b6c7b5c832c6df"
hash13 = "b5d2da5eb57b5ab26edb927469552629f3cf43bbce2b1a128f6daac7cf57f6f7"
hash14 = "bc15de1d1c6c62c0bf856e0368adabc4941e7b687a969912494c173233e6d28d"
hash15 = "bdf94311313c39a3413464f623bd75a3db2eb05cc01090acd6dcd462a605eb4a"
hash16 = "e4311892ae00bf8148a94fa900fc8e2c279a2acd3b4b4b4c3d0c99dd1d32353c"
hash17 = "ed74288b367a93c6b47343bc696e751b9c465761ce9c4208901726baa758b234"
hash18 = "ef1f1c7692b92a730f76b6227643b2d02a6e353af6e930166e3b48e3903e4ffd"
hash19 = "f5e982b76af7f447742753f0b57eec3d7dd2e3c8e5506c35d4cf6c860b829f45"
id = "0d4fa8a7-447c-5905-bab9-b63de6209036"
strings:
// Decodes to `\\.\%s\\`: a format string for a "\\.\<name>\" device-namespace path.
$s1 = "\\\\.\\%s\\\\" ascii fullword
// Internal function/command names and a buffer-size format string.
$s2 = "read_peer_nfo" ascii fullword
$s3 = "rcv_buf=%d%c" ascii fullword
$s4 = "%s: (0x%08x)" ascii fullword
$s5 = "no_impersonate" ascii fullword
condition:
// All five strings must be present.
all of them
}
rule Agent_BTZ_Aug17 {
    meta:
        description = "Detects Agent.BTZ"
        author = "Florian Roth (Nextron Systems)"
        reference = "http://www.intezer.com/new-variants-of-agent-btz-comrat-found/"
        date = "2017-08-07"
        hash1 = "6ad78f069c3619d0d18eef8281219679f538cfe0c1b6d40b244beb359762cf96"
        hash2 = "49c5c798689d4a54e5b7099b647b0596fb96b996a437bb8241b5dd76e974c24e"
        hash3 = "e88970fa4892150441c1616028982fe63c875f149cd490c3c910a1c091d3ad49"
        id = "31804208-3edb-554b-8820-e682db647435"
    strings:
        // OLE type library name referenced by the sample.
        $tlb_name = "stdole2.tlb" fullword ascii
        // Export name, also required as an actual PE export below.
        $uninstall_name = "UnInstallW" fullword ascii
    condition:
        // "MZ" header, under 900KB, both strings, and the Entry/InstallW/UnInstallW
        // export triple (pe.exports needs `import "pe"` at file level).
        uint16(0) == 0x5a4d
        and filesize < 900KB
        and $tlb_name
        and $uninstall_name
        and pe.exports("Entry")
        and pe.exports("InstallW")
        and pe.exports("UnInstallW")
}