YARA rules
18,880 rules indexed · pattern-based malware identification
YARA rules identify and classify malware families through binary patterns, strings, and metadata. Rules below come from multiple open repositories. Expand any rule to see its raw signature.
Using these YARA rules
Deploy. Load them into any YARA-capable scanner: your EDR if it supports YARA, the yara CLI against files or a memory image, VirusTotal Retrohunt, or a host scanner like Loki or THOR.
Adapt. Tighten or loosen the string and condition matches for your false-positive tolerance; a rule written for one campaign can over-match on benign files in a different environment.
Scope. These are for hunting known malware families in files and memory and for triaging samples - not for network traffic or log-based detection, which the IDS and Sigma rules cover.
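Every HKTL_NET_GUID_* rule on this page shares one condition with two parts: the PE precondition (`uint16(0) == 0x5A4D` is the "MZ" stub, `uint32(uint32(0x3C))` follows e_lfanew to the "PE\0\0" signature) and `any of them` over the project's TypeLib GUIDs, which a .NET build carries into the compiled assembly as a string from `[assembly: Guid("...")]`. The older copies match with `ascii nocase wide`; the newer signature-base copies use a lowercase string with only `ascii wide`, so the two behave differently on an uppercase GUID stored as UTF-16. The Python below is an added example, not code from this page or from signature-base: it re-implements that condition with plain `re` and `struct` (no yara-python needed) on constructed MZ/PE blobs, and adds the kind of tightening the Adapt step talks about, an optional requirement for the CLR metadata root signature `BSJB` so that a GUID string inside a native PE does not fire. Only the LimeLogger GUID is taken from the rule on this page; `build_fake_pe`, the sample blobs and the `require_clr` switch are this example's own constructions. The limit of the technique should be clear from the code: anyone who regenerates the GUID in AssemblyInfo before compiling walks past all of these rules.

```python
"""
Re-implementation of the HKTL_NET_GUID_* rule logic on constructed input.
Added example: not from the page or from signature-base. Only LIMELOGGER_GUID
is taken from the page; every other name and blob is constructed here.
"""
import re
import struct

# From the HKTL_NET_GUID_LimeLogger rule on the page.
LIMELOGGER_GUID = "068d14ef-f0a1-4f9d-8e27-58b4317830c6"


def is_pe(data: bytes) -> bool:
    """uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550.
    YARA treats an out-of-bounds read as undefined and the condition fails;
    this returns False on the same inputs."""
    if len(data) < 0x40 or struct.unpack_from("<H", data, 0)[0] != 0x5A4D:  # "MZ"
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data):
        return False
    return struct.unpack_from("<I", data, e_lfanew)[0] == 0x00004550  # "PE\0\0"


def guid_regex(guid: str, nocase: bool):
    """Byte patterns YARA searches for a string with 'ascii wide' (and optionally
    'nocase'): the raw ASCII form, or the UTF-16LE form (each char then 0x00)."""
    ascii_form = re.escape(guid.encode())
    wide_form = b"".join(re.escape(ch.encode()) + b"\x00" for ch in guid)
    return re.compile(b"(?:%s)|(?:%s)" % (ascii_form, wide_form),
                      re.IGNORECASE if nocase else 0)


def hktl_net_guid_match(data: bytes, guids, nocase: bool = True,
                        require_clr: bool = False) -> dict:
    """Mirror of the rule condition: PE precondition AND any of the GUID strings.
    require_clr is a constructed tightening (not in the page's rules): also demand
    the CLR metadata root signature 'BSJB', so a GUID in a native PE is ignored."""
    result = {"is_pe": is_pe(data), "clr": b"BSJB" in data, "hits": []}
    if not result["is_pe"] or (require_clr and not result["clr"]):
        return result
    result["hits"] = [g for g in guids if guid_regex(g, nocase).search(data)]
    return result


def build_fake_pe(payload: bytes, with_clr: bool = True) -> bytes:
    """Constructed MZ/PE shell: just enough header for the rule's precondition,
    not a loadable image. e_lfanew is placed at 0x80."""
    e_lfanew = 0x80
    hdr = bytearray(b"MZ") + b"\x00" * (0x3C - 2)
    hdr += struct.pack("<I", e_lfanew)          # e_lfanew field at offset 0x3C
    hdr += b"\x00" * (e_lfanew - len(hdr))
    hdr += b"PE\x00\x00"
    return bytes(hdr) + (b"BSJB" if with_clr else b"") + payload


# Constructed samples; none of these are real files.
SAMPLE_ASCII = build_fake_pe(b"\x00" * 8 + LIMELOGGER_GUID.encode() + b"\x00" * 8)
SAMPLE_WIDE_UPPER = build_fake_pe(LIMELOGGER_GUID.upper().encode("utf-16-le"))
SAMPLE_NATIVE = build_fake_pe(LIMELOGGER_GUID.encode(), with_clr=False)
SAMPLE_NOT_PE = b"\x7fELF" + b"\x00" * 0x40 + LIMELOGGER_GUID.encode()


if __name__ == "__main__":
    for name, blob in [("ascii", SAMPLE_ASCII), ("wide-upper", SAMPLE_WIDE_UPPER),
                       ("native-pe", SAMPLE_NATIVE), ("not-pe", SAMPLE_NOT_PE)]:
        loose = hktl_net_guid_match(blob, [LIMELOGGER_GUID], nocase=True)
        strict = hktl_net_guid_match(blob, [LIMELOGGER_GUID], nocase=False,
                                     require_clr=True)
        print(f"{name:11s} nocase hits={len(loose['hits'])}  "
              f"case-sensitive+CLR hits={len(strict['hits'])}")
```

The wide-upper sample is the one that separates the two copies of each rule: the `nocase` version fires on it, the lowercase `ascii wide` version does not. The native-pe sample shows why a `BSJB` check (or, in real YARA, the `dotnet` module) is a cheap way to cut false positives when the corpus you scan contains native binaries that happen to embed the same string. For the real thing, the equivalent of the loop above is `yara -r rules.yar <directory>` with the rule file loaded from this listing.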
Rules
50 shown of 18,880
HKTL_NET_GUID_LimeLogger
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_LimeLogger {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/NYAN-x-CAT/LimeLogger"
author = "Arnim Rupp"
date = "2020-12-13"
strings:
$typelibguid0 = "068d14ef-f0a1-4f9d-8e27-58b4317830c6" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_LimeUSB_Csharp
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_LimeUSB_Csharp {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/NYAN-x-CAT/LimeUSB-Csharp"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-13"
modified = "2025-08-15"
id = "dfa96b36-e84c-510b-b16b-bd686777b83d"
strings:
$typelibguid0lo = "94ea43ab-7878-4048-a64e-2b21b3b4366d" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_LimeUSB_Csharp
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_LimeUSB_Csharp {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/NYAN-x-CAT/LimeUSB-Csharp"
author = "Arnim Rupp"
date = "2020-12-13"
strings:
$typelibguid0 = "94ea43ab-7878-4048-a64e-2b21b3b4366d" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Lime_Crypter
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_Lime_Crypter {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/NYAN-x-CAT/Lime-Crypter"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-13"
modified = "2025-08-15"
id = "484c7a15-7ab2-57d3-848c-0fddff753d52"
strings:
$typelibguid0lo = "f93c99ed-28c9-48c5-bb90-dd98f18285a6" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Lime_Crypter
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_Lime_Crypter {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/NYAN-x-CAT/Lime-Crypter"
author = "Arnim Rupp"
date = "2020-12-13"
strings:
$typelibguid0 = "f93c99ed-28c9-48c5-bb90-dd98f18285a6" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Lime_Downloader
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_Lime_Downloader {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/NYAN-x-CAT/Lime-Downloader"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-13"
modified = "2025-08-15"
id = "bfb0f97c-6d95-5e11-ad11-5297bcf7c3df"
strings:
$typelibguid0lo = "ec7afd4c-fbc4-47c1-99aa-6ebb05094173" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Lime_Downloader
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_Lime_Downloader {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/NYAN-x-CAT/Lime-Downloader"
author = "Arnim Rupp"
date = "2020-12-13"
strings:
$typelibguid0 = "ec7afd4c-fbc4-47c1-99aa-6ebb05094173" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Lime_Miner
Detects VB.NET red/black-team tools via typelibguid
rule HKTL_NET_GUID_Lime_Miner {
meta:
description = "Detects VB.NET red/black-team tools via typelibguid"
reference = "https://github.com/NYAN-x-CAT/Lime-Miner"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-30"
modified = "2025-08-15"
id = "d0631817-10a2-55bf-a41d-226fa0dcb9f9"
strings:
$typelibguid0lo = "13958fb9-dfc1-4e2c-8a8d-a5e68abdbc66" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Lime_Miner
Detects VB.NET red/black-team tools via typelibguid
rule HKTL_NET_GUID_Lime_Miner {
meta:
description = "Detects VB.NET red/black-team tools via typelibguid"
reference = "https://github.com/NYAN-x-CAT/Lime-Miner"
author = "Arnim Rupp"
date = "2020-12-30"
strings:
$typelibguid0 = "13958fb9-dfc1-4e2c-8a8d-a5e68abdbc66" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Lime_RAT
Detects VB.NET red/black-team tools via typelibguid
rule HKTL_NET_GUID_Lime_RAT {
meta:
description = "Detects VB.NET red/black-team tools via typelibguid"
reference = "https://github.com/NYAN-x-CAT/Lime-RAT"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-30"
modified = "2025-08-15"
id = "31a0e9ca-9da1-557a-bcc5-1351fa90a0e1"
strings:
$typelibguid0lo = "e58ac447-ab07-402a-9c96-95e284a76a8d" ascii wide
$typelibguid1lo = "8fb35dab-73cd-4163-8868-c4dbcbdf0c17" ascii wide
$typelibguid2lo = "37845f5b-35fe-4dce-bbec-2d07c7904fb0" ascii wide
$typelibguid3lo = "83c453cf-0d29-4690-b9dc-567f20e63894" ascii wide
$typelibguid4lo = "8b1f0a69-a930-42e3-9c13-7de0d04a4add" ascii wide
$typelibguid5lo = "eaaeccf6-75d2-4616-b045-36eea09c8b28" ascii wide
$typelibguid6lo = "5b2ec674-0aa4-4209-94df-b6c995ad59c4" ascii wide
$typelibguid7lo = "e2cc7158-aee6-4463-95bf-fb5295e9e37a" ascii wide
$typelibguid8lo = "d04ecf62-6da9-4308-804a-e789baa5cc38" ascii wide
$typelibguid9lo = "8026261f-ac68-4ccf-97b2-3b55b7d6684d" ascii wide
$typelibguid10lo = "212cdfac-51f1-4045-a5c0-6e638f89fce0" ascii wide
$typelibguid11lo = "c1b608bb-7aed-488d-aa3b-0c96625d26c0" ascii wide
$typelibguid12lo = "4c84e7ec-f197-4321-8862-d5d18783e2fe" ascii wide
$typelibguid13lo = "3fc17adb-67d4-4a8d-8770-ecfd815f73ee" ascii wide
$typelibguid14lo = "f1ab854b-6282-4bdf-8b8b-f2911a008948" ascii wide
$typelibguid15lo = "aef6547e-3822-4f96-9708-bcf008129b2b" ascii wide
$typelibguid16lo = "a336f517-bca9-465f-8ff8-2756cfd0cad9" ascii wide
$typelibguid17lo = "5de018bd-941d-4a5d-bed5-fbdd111aba76" ascii wide
$typelibguid18lo = "bbfac1f9-cd4f-4c44-af94-1130168494d0" ascii wide
$typelibguid19lo = "1c79cea1-ebf3-494c-90a8-51691df41b86" ascii wide
$typelibguid20lo = "927104e1-aa17-4167-817c-7673fe26d46e" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Lime_RAT
Detects VB.NET red/black-team tools via typelibguid
rule HKTL_NET_GUID_Lime_RAT {
meta:
description = "Detects VB.NET red/black-team tools via typelibguid"
reference = "https://github.com/NYAN-x-CAT/Lime-RAT"
author = "Arnim Rupp"
date = "2020-12-30"
strings:
$typelibguid0 = "e58ac447-ab07-402a-9c96-95e284a76a8d" ascii nocase wide
$typelibguid1 = "8fb35dab-73cd-4163-8868-c4dbcbdf0c17" ascii nocase wide
$typelibguid2 = "37845f5b-35fe-4dce-bbec-2d07c7904fb0" ascii nocase wide
$typelibguid3 = "83c453cf-0d29-4690-b9dc-567f20e63894" ascii nocase wide
$typelibguid4 = "8b1f0a69-a930-42e3-9c13-7de0d04a4add" ascii nocase wide
$typelibguid5 = "eaaeccf6-75d2-4616-b045-36eea09c8b28" ascii nocase wide
$typelibguid6 = "5b2ec674-0aa4-4209-94df-b6c995ad59c4" ascii nocase wide
$typelibguid7 = "e2cc7158-aee6-4463-95bf-fb5295e9e37a" ascii nocase wide
$typelibguid8 = "d04ecf62-6da9-4308-804a-e789baa5cc38" ascii nocase wide
$typelibguid9 = "8026261f-ac68-4ccf-97b2-3b55b7d6684d" ascii nocase wide
$typelibguid10 = "212cdfac-51f1-4045-a5c0-6e638f89fce0" ascii nocase wide
$typelibguid11 = "c1b608bb-7aed-488d-aa3b-0c96625d26c0" ascii nocase wide
$typelibguid12 = "4c84e7ec-f197-4321-8862-d5d18783e2fe" ascii nocase wide
$typelibguid13 = "3fc17adb-67d4-4a8d-8770-ecfd815f73ee" ascii nocase wide
$typelibguid14 = "f1ab854b-6282-4bdf-8b8b-f2911a008948" ascii nocase wide
$typelibguid15 = "aef6547e-3822-4f96-9708-bcf008129b2b" ascii nocase wide
$typelibguid16 = "a336f517-bca9-465f-8ff8-2756cfd0cad9" ascii nocase wide
$typelibguid17 = "5de018bd-941d-4a5d-bed5-fbdd111aba76" ascii nocase wide
$typelibguid18 = "bbfac1f9-cd4f-4c44-af94-1130168494d0" ascii nocase wide
$typelibguid19 = "1c79cea1-ebf3-494c-90a8-51691df41b86" ascii nocase wide
$typelibguid20 = "927104e1-aa17-4167-817c-7673fe26d46e" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_LockLess
Detects .NET red/black-team tools via typelibguid
rule HKTL_NET_GUID_LockLess {
meta:
description = "Detects .NET red/black-team tools via typelibguid"
reference = "https://github.com/GhostPack/LockLess"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2021-01-21"
modified = "2025-08-15"
id = "f9b31f57-d721-5b6c-be63-b8309cba788a"
strings:
$typelibguid0lo = "a91421cb-7909-4383-ba43-c2992bbbac22" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_LockLess
Detects .NET red/black-team tools via typelibguid
rule HKTL_NET_GUID_LockLess {
meta:
description = "Detects .NET red/black-team tools via typelibguid"
reference = "https://github.com/GhostPack/LockLess"
author = "Arnim Rupp"
date = "2021-01-21"
strings:
$typelibguid0 = "a91421cb-7909-4383-ba43-c2992bbbac22" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_MalSCCM
Detects .NET red/black-team tools via typelibguid
rule HKTL_NET_GUID_MalSCCM {
meta:
description = "Detects .NET red/black-team tools via typelibguid"
reference = "https://github.com/nettitude/MalSCCM"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2023-03-22"
modified = "2025-08-15"
id = "4a88532b-e2bc-5ce9-828d-6ef62d91f6b9"
strings:
$typelibguid0lo = "5439cecd-3bb3-4807-b33f-e4c299b71ca2" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_ManagedInjection
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_ManagedInjection {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/malcomvetter/ManagedInjection"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-28"
modified = "2025-08-15"
id = "c66e7666-b54f-532d-90e1-870292047aec"
strings:
$typelibguid0lo = "e5182bff-9562-40ff-b864-5a6b30c3b13b" ascii wide
$typelibguid1lo = "fdedde0d-e095-41c9-93fb-c2219ada55b1" ascii wide
$typelibguid2lo = "0dd00561-affc-4066-8c48-ce950788c3c8" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_ManagedInjection
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_ManagedInjection {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/malcomvetter/ManagedInjection"
author = "Arnim Rupp"
date = "2020-12-28"
strings:
$typelibguid0 = "e5182bff-9562-40ff-b864-5a6b30c3b13b" ascii nocase wide
$typelibguid1 = "fdedde0d-e095-41c9-93fb-c2219ada55b1" ascii nocase wide
$typelibguid2 = "0dd00561-affc-4066-8c48-ce950788c3c8" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Manager
Detects .NET red/black-team tools via typelibguid
rule HKTL_NET_GUID_Manager {
meta:
description = "Detects .NET red/black-team tools via typelibguid"
reference = "https://github.com/TheWover/Manager"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2021-01-21"
modified = "2025-08-15"
id = "eef65d2c-ddbc-50c3-a6a0-e7032a55e92d"
strings:
$typelibguid0lo = "dda73ee9-0f41-4c09-9cad-8215abd60b33" ascii wide
$typelibguid1lo = "6a0f2422-d4d1-4b7e-84ad-56dc0fd2dfc5" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Manager
Detects .NET red/black-team tools via typelibguid
rule HKTL_NET_GUID_Manager {
meta:
description = "Detects .NET red/black-team tools via typelibguid"
reference = "https://github.com/TheWover/Manager"
author = "Arnim Rupp"
date = "2021-01-21"
strings:
$typelibguid0 = "dda73ee9-0f41-4c09-9cad-8215abd60b33" ascii nocase wide
$typelibguid1 = "6a0f2422-d4d1-4b7e-84ad-56dc0fd2dfc5" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Marauder
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_Marauder {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/maraudershell/Marauder"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-13"
modified = "2025-08-15"
id = "f2783477-2853-5dcd-95f5-9f1e07a4a6e8"
strings:
$typelibguid0lo = "fff0a9a3-dfd4-402b-a251-6046d765ad78" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Marauder
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_Marauder {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/maraudershell/Marauder"
author = "Arnim Rupp"
date = "2020-12-13"
strings:
$typelibguid0 = "fff0a9a3-dfd4-402b-a251-6046d765ad78" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Mass_RAT
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_Mass_RAT {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/NYAN-x-CAT/Mass-RAT"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-13"
modified = "2025-08-15"
id = "90b742da-6fd7-5c72-96cf-7a37a3e5d808"
strings:
$typelibguid0lo = "6c43a753-9565-48b2-a372-4210bb1e0d75" ascii wide
$typelibguid1lo = "92ba2a7e-c198-4d43-929e-1cfe54b64d95" ascii wide
$typelibguid2lo = "4cb9bbee-fb92-44fa-a427-b7245befc2f3" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Mass_RAT
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_Mass_RAT {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/NYAN-x-CAT/Mass-RAT"
author = "Arnim Rupp"
date = "2020-12-13"
strings:
$typelibguid0 = "6c43a753-9565-48b2-a372-4210bb1e0d75" ascii nocase wide
$typelibguid1 = "92ba2a7e-c198-4d43-929e-1cfe54b64d95" ascii nocase wide
$typelibguid2 = "4cb9bbee-fb92-44fa-a427-b7245befc2f3" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_MemeVM
Detects .NET red/black-team tools via typelibguid
rule HKTL_NET_GUID_MemeVM {
meta:
description = "Detects .NET red/black-team tools via typelibguid"
reference = "https://github.com/TobitoFatitoRE/MemeVM"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2021-01-21"
modified = "2025-08-15"
id = "c98d84d5-4b0a-53df-b8d4-0b360930eb0c"
strings:
$typelibguid0lo = "ef18f7f2-1f03-481c-98f9-4a18a2f12c11" ascii wide
$typelibguid1lo = "77b2c83b-ca34-4738-9384-c52f0121647c" ascii wide
$typelibguid2lo = "14d5d12e-9a32-4516-904e-df3393626317" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_MemeVM
Detects .NET red/black-team tools via typelibguid
rule HKTL_NET_GUID_MemeVM {
meta:
description = "Detects .NET red/black-team tools via typelibguid"
reference = "https://github.com/TobitoFatitoRE/MemeVM"
author = "Arnim Rupp"
date = "2021-01-21"
strings:
$typelibguid0 = "ef18f7f2-1f03-481c-98f9-4a18a2f12c11" ascii nocase wide
$typelibguid1 = "77b2c83b-ca34-4738-9384-c52f0121647c" ascii nocase wide
$typelibguid2 = "14d5d12e-9a32-4516-904e-df3393626317" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_MemoryMapper
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_MemoryMapper {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/jasondrawdy/MemoryMapper"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-28"
modified = "2025-08-15"
id = "c978be10-315c-54e7-afea-f97e9a5f2d18"
strings:
$typelibguid0lo = "b9fbf3ac-05d8-4cd5-9694-b224d4e6c0ea" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_MemoryMapper
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_MemoryMapper {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/jasondrawdy/MemoryMapper"
author = "Arnim Rupp"
date = "2020-12-28"
strings:
$typelibguid0 = "b9fbf3ac-05d8-4cd5-9694-b224d4e6c0ea" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_MinerDropper
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_MinerDropper {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/DylanAlloy/MinerDropper"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-13"
modified = "2025-08-15"
id = "607f72df-b0c1-53df-bf2c-592f55cbfcb7"
strings:
$typelibguid0lo = "46a7af83-1da7-40b2-9d86-6fd6223f6791" ascii wide
$typelibguid1lo = "8433a693-f39d-451b-955b-31c3e7fa6825" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_MinerDropper
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_MinerDropper {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/DylanAlloy/MinerDropper"
author = "Arnim Rupp"
date = "2020-12-13"
strings:
$typelibguid0 = "46a7af83-1da7-40b2-9d86-6fd6223f6791" ascii nocase wide
$typelibguid1 = "8433a693-f39d-451b-955b-31c3e7fa6825" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Minidump
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_Minidump {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/3xpl01tc0d3r/Minidump"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-13"
modified = "2025-08-15"
id = "51f64c64-f3fa-5543-83fc-5f0bf881ef03"
strings:
$typelibguid0lo = "15c241aa-e73c-4b38-9489-9a344ac268a3" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Minidump
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_Minidump {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/3xpl01tc0d3r/Minidump"
author = "Arnim Rupp"
date = "2020-12-13"
strings:
$typelibguid0 = "15c241aa-e73c-4b38-9489-9a344ac268a3" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_MiscTools
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_MiscTools {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/rasta-mouse/MiscTools"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-28"
modified = "2025-08-15"
id = "ce49cc7b-a5a5-52b7-a7bf-bbb0c5b29b8a"
strings:
$typelibguid0lo = "384e9647-28a9-4835-8fa7-2472b1acedc0" ascii wide
$typelibguid1lo = "d7ec0ef5-157c-4533-bbcd-0fe070fbf8d9" ascii wide
$typelibguid2lo = "10085d98-48b9-42a8-b15b-cb27a243761b" ascii wide
$typelibguid3lo = "6aacd159-f4e7-4632-bad1-2ae8526a9633" ascii wide
$typelibguid4lo = "49a6719e-11a8-46e6-ad7a-1db1be9fea37" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_MiscTools
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_MiscTools {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/rasta-mouse/MiscTools"
author = "Arnim Rupp"
date = "2020-12-28"
strings:
$typelibguid0 = "384e9647-28a9-4835-8fa7-2472b1acedc0" ascii nocase wide
$typelibguid1 = "d7ec0ef5-157c-4533-bbcd-0fe070fbf8d9" ascii nocase wide
$typelibguid2 = "10085d98-48b9-42a8-b15b-cb27a243761b" ascii nocase wide
$typelibguid3 = "6aacd159-f4e7-4632-bad1-2ae8526a9633" ascii nocase wide
$typelibguid4 = "49a6719e-11a8-46e6-ad7a-1db1be9fea37" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Misc_CSharp
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_Misc_CSharp {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/jnqpblc/Misc-CSharp"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-13"
modified = "2025-08-15"
id = "d25fa706-2254-5a82-a961-f57a0daa447c"
strings:
$typelibguid0lo = "d1421ba3-c60b-42a0-98f9-92ba4e653f3d" ascii wide
$typelibguid1lo = "2afac0dd-f46f-4f95-8a93-dc17b4f9a3a1" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Misc_CSharp
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_Misc_CSharp {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/jnqpblc/Misc-CSharp"
author = "Arnim Rupp"
date = "2020-12-13"
strings:
$typelibguid0 = "d1421ba3-c60b-42a0-98f9-92ba4e653f3d" ascii nocase wide
$typelibguid1 = "2afac0dd-f46f-4f95-8a93-dc17b4f9a3a1" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_MultiOS_ReverseShell
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_MultiOS_ReverseShell {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/belane/MultiOS_ReverseShell"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-13"
modified = "2025-08-15"
id = "f54bcb1a-b0cd-5988-bf1d-4fa6c012d6b9"
strings:
$typelibguid0lo = "df0dd7a1-9f6b-4b0f-801e-e17e73b0801d" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_MultiOS_ReverseShell
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_MultiOS_ReverseShell {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/belane/MultiOS_ReverseShell"
author = "Arnim Rupp"
date = "2020-12-13"
strings:
$typelibguid0 = "df0dd7a1-9f6b-4b0f-801e-e17e73b0801d" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Mythic
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_Mythic {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/its-a-feature/Mythic"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-29"
modified = "2025-08-15"
id = "44237fac-1526-5587-83a1-61d7a54f7da9"
strings:
$typelibguid0lo = "91f7a9da-f045-4239-a1e9-487ffdd65986" ascii wide
$typelibguid1lo = "0405205c-c2a0-4f9a-a221-48b5c70df3b6" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Mythic
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_Mythic {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/its-a-feature/Mythic"
author = "Arnim Rupp"
date = "2020-12-29"
strings:
$typelibguid0 = "91f7a9da-f045-4239-a1e9-487ffdd65986" ascii nocase wide
$typelibguid1 = "0405205c-c2a0-4f9a-a221-48b5c70df3b6" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Naga
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_Naga {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/byt3bl33d3r/Naga"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-28"
modified = "2025-08-15"
id = "3a9d3154-a8f1-57a4-8b61-498e2ebdfa42"
strings:
$typelibguid0lo = "99428732-4979-47b6-a323-0bb7d6d07c95" ascii wide
$typelibguid1lo = "a2c9488f-6067-4b17-8c6f-2d464e65c535" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Naga
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_Naga {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/byt3bl33d3r/Naga"
author = "Arnim Rupp"
date = "2020-12-28"
strings:
$typelibguid0 = "99428732-4979-47b6-a323-0bb7d6d07c95" ascii nocase wide
$typelibguid1 = "a2c9488f-6067-4b17-8c6f-2d464e65c535" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_NashaVM
Detects .NET red/black-team tools via typelibguid
rule HKTL_NET_GUID_NashaVM {
meta:
description = "Detects .NET red/black-team tools via typelibguid"
reference = "https://github.com/Mrakovic-ORG/NashaVM"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2021-01-21"
modified = "2025-08-15"
id = "3abbf636-01f4-547a-98c0-d7bfec07e31a"
strings:
$typelibguid0lo = "f9e63498-6e92-4afd-8c13-4f63a3d964c3" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_NashaVM
Detects .NET red/black-team tools via typelibguid
rule HKTL_NET_GUID_NashaVM {
meta:
description = "Detects .NET red/black-team tools via typelibguid"
reference = "https://github.com/Mrakovic-ORG/NashaVM"
author = "Arnim Rupp"
date = "2021-01-21"
strings:
$typelibguid0 = "f9e63498-6e92-4afd-8c13-4f63a3d964c3" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Net_GPPPassword
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_Net_GPPPassword {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/outflanknl/Net-GPPPassword"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-28"
modified = "2025-08-15"
id = "a718f9fc-acf5-536e-81d6-d393cebe8f77"
strings:
$typelibguid0lo = "00fcf72c-d148-4dd0-9ca4-0181c4bd55c3" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Net_GPPPassword
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_Net_GPPPassword {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/outflanknl/Net-GPPPassword"
author = "Arnim Rupp"
date = "2020-12-28"
strings:
$typelibguid0 = "00fcf72c-d148-4dd0-9ca4-0181c4bd55c3" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_NoAmci
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_NoAmci {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/med0x2e/NoAmci"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-13"
modified = "2025-08-15"
id = "5fab1551-9d35-53cf-a04f-c14370119553"
strings:
$typelibguid0lo = "352e80ec-72a5-4aa6-aabe-4f9a20393e8e" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_NoAmci
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_NoAmci {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/med0x2e/NoAmci"
author = "Arnim Rupp"
date = "2020-12-13"
strings:
$typelibguid0 = "352e80ec-72a5-4aa6-aabe-4f9a20393e8e" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_NoMSBuild
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_NoMSBuild {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/rvrsh3ll/NoMSBuild"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-28"
modified = "2025-08-15"
id = "9bc0661d-c60f-582b-8f88-87e3dfa13ddd"
strings:
$typelibguid0lo = "034a7b9f-18df-45da-b870-0e1cef500215" ascii wide
$typelibguid1lo = "59b449d7-c1e8-4f47-80b8-7375178961db" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_NoMSBuild
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_NoMSBuild {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/rvrsh3ll/NoMSBuild"
author = "Arnim Rupp"
date = "2020-12-28"
strings:
$typelibguid0 = "034a7b9f-18df-45da-b870-0e1cef500215" ascii nocase wide
$typelibguid1 = "59b449d7-c1e8-4f47-80b8-7375178961db" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Nuages
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_Nuages {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/p3nt4/Nuages"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-29"
modified = "2025-08-15"
id = "5ad947e2-bd71-50d4-9bbf-4d018c7ff36a"
strings:
$typelibguid0lo = "e9e80ac7-4c13-45bd-9bde-ca89aadf1294" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Nuages
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_Nuages {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/p3nt4/Nuages"
author = "Arnim Rupp"
date = "2020-12-29"
strings:
$typelibguid0 = "e9e80ac7-4c13-45bd-9bde-ca89aadf1294" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
Showing 651-700 of 18,880