YARA rules
18,880 rules indexed · pattern-based malware identification
YARA rules identify and classify malware families through binary patterns, strings, and metadata. Rules below come from multiple open repositories. Expand any rule to see its raw signature.
Using these YARA rules
Deploy. Load them into any YARA-capable scanner: your EDR if it supports YARA, the yara CLI against files or a memory image, VirusTotal Retrohunt, or a host scanner like Loki or THOR.
Adapt. Tighten or loosen the string and condition matches for your false-positive tolerance; a rule written for one campaign can over-match on benign files in a different environment.
Scope. These are for hunting known malware families in files and memory and for triaging samples - not for network traffic or log-based detection, which the IDS and Sigma rules cover.
Rules
50 shown of 18,880
HKTL_NET_GUID_SharpWitness
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpWitness {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/rasta-mouse/SharpWitness"
author = "Arnim Rupp"
date = "2020-12-28"
strings:
$typelibguid0 = "b9f6ec34-4ccc-4247-bcef-c1daab9b4469" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Sharp_SMBExec
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_Sharp_SMBExec {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/checkymander/Sharp-SMBExec"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-28"
modified = "2025-08-15"
id = "6a1024af-734c-5974-af50-db51dbd694ff"
strings:
$typelibguid0lo = "344ee55a-4e32-46f2-a003-69ad52b55945" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Sharp_SMBExec
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_Sharp_SMBExec {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/checkymander/Sharp-SMBExec"
author = "Arnim Rupp"
date = "2020-12-28"
strings:
$typelibguid0 = "344ee55a-4e32-46f2-a003-69ad52b55945" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Sharp_Suite
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_Sharp_Suite {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/FuzzySecurity/Sharp-Suite"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-13"
modified = "2025-08-15"
id = "ab3cf358-a41d-584d-baaf-5e8f7232ca85"
strings:
$typelibguid0lo = "19657be4-51ca-4a85-8ab1-f6666008b1f3" ascii wide
$typelibguid1lo = "0a382d9a-897f-431a-81c2-a4e08392c587" ascii wide
$typelibguid2lo = "467ee2a9-2f01-4a71-9647-2a2d9c31e608" ascii wide
$typelibguid3lo = "eacaa2b8-43e5-4888-826d-2f6902e16546" ascii wide
$typelibguid4lo = "629f86e6-44fe-4c9c-b043-1c9b64be6d5a" ascii wide
$typelibguid5lo = "ecf2ffe4-1744-4745-8693-5790d66bb1b8" ascii wide
$typelibguid6lo = "0a621f4c-8082-4c30-b131-ba2c98db0533" ascii wide
$typelibguid7lo = "72019dfe-608e-4ab2-a8f1-66c95c425620" ascii wide
$typelibguid8lo = "f0d28809-b712-4380-9a59-407b7b2badd5" ascii wide
$typelibguid9lo = "956a5a4d-2007-4857-9259-51cd0fb5312a" ascii wide
$typelibguid10lo = "a3b7c697-4bb6-455d-9fda-4ab54ae4c8d2" ascii wide
$typelibguid11lo = "a5f883ce-1f96-4456-bb35-40229191420c" ascii wide
$typelibguid12lo = "28978103-d90d-4618-b22e-222727f40313" ascii wide
$typelibguid13lo = "0c70c839-9565-4881-8ea1-408c1ebe38ce" ascii wide
$typelibguid14lo = "fa1d9a36-415a-4855-8c01-54b6e9fc6965" ascii wide
$typelibguid15lo = "252676f8-8a19-4664-bfb8-5a947e48c32a" ascii wide
$typelibguid16lo = "447edefc-b429-42bc-b3bc-63a9af19dbd6" ascii wide
$typelibguid17lo = "04d0b3a6-eaab-413d-b9e2-512fa8ebd02f" ascii wide
$typelibguid18lo = "5611236e-2557-45b8-be29-5d1f074d199e" ascii wide
$typelibguid19lo = "53f622eb-0ca3-4e9b-9dc8-30c832df1c7b" ascii wide
$typelibguid20lo = "414187db-5feb-43e5-a383-caa48b5395f1" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Sharp_Suite
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_Sharp_Suite {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/FuzzySecurity/Sharp-Suite"
author = "Arnim Rupp"
date = "2020-12-13"
strings:
$typelibguid0 = "467ee2a9-2f01-4a71-9647-2a2d9c31e608" ascii nocase wide
$typelibguid1 = "5611236e-2557-45b8-be29-5d1f074d199e" ascii nocase wide
$typelibguid2 = "447edefc-b429-42bc-b3bc-63a9af19dbd6" ascii nocase wide
$typelibguid3 = "eacaa2b8-43e5-4888-826d-2f6902e16546" ascii nocase wide
$typelibguid4 = "a3b7c697-4bb6-455d-9fda-4ab54ae4c8d2" ascii nocase wide
$typelibguid5 = "a5f883ce-1f96-4456-bb35-40229191420c" ascii nocase wide
$typelibguid6 = "28978103-d90d-4618-b22e-222727f40313" ascii nocase wide
$typelibguid7 = "252676f8-8a19-4664-bfb8-5a947e48c32a" ascii nocase wide
$typelibguid8 = "414187db-5feb-43e5-a383-caa48b5395f1" ascii nocase wide
$typelibguid9 = "0c70c839-9565-4881-8ea1-408c1ebe38ce" ascii nocase wide
$typelibguid10 = "0a382d9a-897f-431a-81c2-a4e08392c587" ascii nocase wide
$typelibguid11 = "629f86e6-44fe-4c9c-b043-1c9b64be6d5a" ascii nocase wide
$typelibguid12 = "f0d28809-b712-4380-9a59-407b7b2badd5" ascii nocase wide
$typelibguid13 = "956a5a4d-2007-4857-9259-51cd0fb5312a" ascii nocase wide
$typelibguid14 = "53f622eb-0ca3-4e9b-9dc8-30c832df1c7b" ascii nocase wide
$typelibguid15 = "72019dfe-608e-4ab2-a8f1-66c95c425620" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Sharp_WMIExec
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_Sharp_WMIExec {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/checkymander/Sharp-WMIExec"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-28"
modified = "2025-08-15"
id = "ae08a5a2-06d5-55fe-803a-7f4696220904"
strings:
$typelibguid0lo = "0a63b0a1-7d1a-4b84-81c3-bbbfe9913029" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Sharp_WMIExec
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_Sharp_WMIExec {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/checkymander/Sharp-WMIExec"
author = "Arnim Rupp"
date = "2020-12-28"
strings:
$typelibguid0 = "0a63b0a1-7d1a-4b84-81c3-bbbfe9913029" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Sharpcat
Detects .NET red/black-team tools via typelibguid
rule HKTL_NET_GUID_Sharpcat {
meta:
description = "Detects .NET red/black-team tools via typelibguid"
reference = "https://github.com/theart42/Sharpcat"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2023-11-30"
id = "450d13c6-93ae-5bf5-bdde-d874ab6c0cd5"
strings:
$typelibguid0 = "d16fd95f-23ce-4f8d-8763-b9f5a9cdd0c3" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Sharpire
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_Sharpire {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/0xbadjuju/Sharpire"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-28"
modified = "2025-08-15"
id = "32bdaa0f-3afc-5e0e-a20f-e21f33909af7"
strings:
$typelibguid0lo = "39b75120-07fe-4833-a02e-579ff8b68331" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Sharpire
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_Sharpire {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/0xbadjuju/Sharpire"
author = "Arnim Rupp"
date = "2020-12-28"
strings:
$typelibguid0 = "39b75120-07fe-4833-a02e-579ff8b68331" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_ShellCodeRunner
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_ShellCodeRunner {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/antman1p/ShellCodeRunner"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-13"
modified = "2025-08-15"
id = "949364e7-dcb6-5afd-ade9-cc34a6e15e97"
strings:
$typelibguid0lo = "634874b7-bf85-400c-82f0-7f3b4659549a" ascii wide
$typelibguid1lo = "2f9c3053-077f-45f2-b207-87c3c7b8f054" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_ShellCodeRunner
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_ShellCodeRunner {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/antman1p/ShellCodeRunner"
author = "Arnim Rupp"
date = "2020-12-13"
strings:
$typelibguid0 = "634874b7-bf85-400c-82f0-7f3b4659549a" ascii nocase wide
$typelibguid1 = "2f9c3053-077f-45f2-b207-87c3c7b8f054" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_ShellGen
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_ShellGen {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/jasondrawdy/ShellGen"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-13"
modified = "2025-08-15"
id = "538a4f12-5020-5c76-9208-363f435ed9a9"
strings:
$typelibguid0lo = "c6894882-d29d-4ae1-aeb7-7d0a9b915013" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_ShellGen
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_ShellGen {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/jasondrawdy/ShellGen"
author = "Arnim Rupp"
date = "2020-12-13"
strings:
$typelibguid0 = "c6894882-d29d-4ae1-aeb7-7d0a9b915013" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_ShellcodeLoader
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_ShellcodeLoader {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/Hzllaga/ShellcodeLoader"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-13"
modified = "2025-08-15"
id = "b8787dac-48a3-5711-86ba-0fda86b6224e"
strings:
$typelibguid0lo = "a48fe0e1-30de-46a6-985a-3f2de3c8ac96" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_ShellcodeLoader
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_ShellcodeLoader {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/Hzllaga/ShellcodeLoader"
author = "Arnim Rupp"
date = "2020-12-13"
strings:
$typelibguid0 = "a48fe0e1-30de-46a6-985a-3f2de3c8ac96" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Simple_Loader
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_Simple_Loader {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/cribdragg3r/Simple-Loader"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-13"
modified = "2025-08-15"
id = "4c26aaf9-187d-5990-b956-1bbf630411f0"
strings:
$typelibguid0lo = "035ae711-c0e9-41da-a9a2-6523865e8694" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Simple_Loader
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_Simple_Loader {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/cribdragg3r/Simple-Loader"
author = "Arnim Rupp"
date = "2020-12-13"
strings:
$typelibguid0 = "035ae711-c0e9-41da-a9a2-6523865e8694" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Snaffler
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_Snaffler {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/SnaffCon/Snaffler"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-13"
modified = "2025-08-15"
id = "d4b9a8c5-e0d9-5c85-af81-05f6e0f52bff"
strings:
$typelibguid0lo = "2aa060b4-de88-4d2a-a26a-760c1cefec3e" ascii wide
$typelibguid1lo = "b118802d-2e46-4e41-aac7-9ee890268f8b" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Snaffler
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_Snaffler {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/SnaffCon/Snaffler"
author = "Arnim Rupp"
date = "2020-12-13"
strings:
$typelibguid0 = "2aa060b4-de88-4d2a-a26a-760c1cefec3e" ascii nocase wide
$typelibguid1 = "b118802d-2e46-4e41-aac7-9ee890268f8b" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SneakyExec
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SneakyExec {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/HackingThings/SneakyExec"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-13"
modified = "2025-08-15"
id = "853b630d-77ba-5847-a129-c9fa0538f81b"
strings:
$typelibguid0lo = "612590aa-af68-41e6-8ce2-e831f7fe4ccc" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SneakyExec
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SneakyExec {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/HackingThings/SneakyExec"
author = "Arnim Rupp"
date = "2020-12-13"
strings:
$typelibguid0 = "612590aa-af68-41e6-8ce2-e831f7fe4ccc" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SneakyService
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SneakyService {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/malcomvetter/SneakyService"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-28"
modified = "2025-08-15"
id = "d02d34f0-7aa1-5110-b7ea-670b5fb98150"
strings:
$typelibguid0lo = "897819d5-58e0-46a0-8e1a-91ea6a269d84" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SneakyService
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SneakyService {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/malcomvetter/SneakyService"
author = "Arnim Rupp"
date = "2020-12-28"
strings:
$typelibguid0 = "897819d5-58e0-46a0-8e1a-91ea6a269d84" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SolarFlare
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SolarFlare {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/mubix/solarflare"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-15"
modified = "2025-08-15"
id = "3645e14c-6025-59fa-a5a2-d8dacba8cd94"
strings:
$typelibguid0lo = "ca60e49e-eee9-409b-8d1a-d19f1d27b7e4" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SolarFlare
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SolarFlare {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/mubix/solarflare"
author = "Arnim Rupp"
date = "2020-12-15"
strings:
$typelibguid0 = "ca60e49e-eee9-409b-8d1a-d19f1d27b7e4" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SpoolSample
Detects .NET red/black-team tools via typelibguid
rule HKTL_NET_GUID_SpoolSample {
meta:
description = "Detects .NET red/black-team tools via typelibguid"
reference = "https://github.com/leechristensen/SpoolSample"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2023-03-22"
modified = "2025-08-15"
id = "38346575-cf5b-59bf-b2b2-21aacf05b8a4"
strings:
$typelibguid0lo = "640c36b4-f417-4d85-b031-83a9d23c140b" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_StandIn
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_StandIn {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/FuzzySecurity/StandIn"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-21"
modified = "2025-08-15"
id = "2af3c28a-ce5d-5dea-9abe-ff54b180049e"
strings:
$typelibguid0lo = "01c142ba-7af1-48d6-b185-81147a2f7db7" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_StandIn
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_StandIn {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/FuzzySecurity/StandIn"
author = "Arnim Rupp"
date = "2020-12-21"
strings:
$typelibguid0 = "01c142ba-7af1-48d6-b185-81147a2f7db7" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Stealer
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_Stealer {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/malwares/Stealer"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-29"
modified = "2025-08-15"
id = "c721a0ac-e898-52aa-9bdf-a19bc0bd783d"
strings:
$typelibguid0lo = "8fcd4931-91a2-4e18-849b-70de34ab75df" ascii wide
$typelibguid1lo = "e48811ca-8af8-4e73-85dd-2045b9cca73a" ascii wide
$typelibguid2lo = "d3d8a1cc-e123-4905-b3de-374749122fcf" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Stealer
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_Stealer {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/malwares/Stealer"
author = "Arnim Rupp"
date = "2020-12-29"
strings:
$typelibguid0 = "8fcd4931-91a2-4e18-849b-70de34ab75df" ascii nocase wide
$typelibguid1 = "e48811ca-8af8-4e73-85dd-2045b9cca73a" ascii nocase wide
$typelibguid2 = "d3d8a1cc-e123-4905-b3de-374749122fcf" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Stealth_Kid_RAT
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_Stealth_Kid_RAT {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/ctsecurity/Stealth-Kid-RAT"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-13"
modified = "2025-08-15"
id = "f26e040a-dcc7-518f-89f2-3333f83fa14a"
strings:
$typelibguid0lo = "bf43cd33-c259-4711-8a0e-1a5c6c13811d" ascii wide
$typelibguid1lo = "e5b9df9b-a9e4-4754-8731-efc4e2667d88" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Stealth_Kid_RAT
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_Stealth_Kid_RAT {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/ctsecurity/Stealth-Kid-RAT"
author = "Arnim Rupp"
date = "2020-12-13"
strings:
$typelibguid0 = "bf43cd33-c259-4711-8a0e-1a5c6c13811d" ascii nocase wide
$typelibguid1 = "e5b9df9b-a9e4-4754-8731-efc4e2667d88" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_StormKitty
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_StormKitty {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/LimerBoy/StormKitty"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-13"
modified = "2025-08-15"
id = "09d66661-5b67-5846-9bea-ec682afb62cf"
strings:
$typelibguid0lo = "a16abbb4-985b-4db2-a80c-21268b26c73d" ascii wide
$typelibguid1lo = "98075331-1f86-48c8-ae29-29da39a8f98b" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_StormKitty
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_StormKitty {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/LimerBoy/StormKitty"
author = "Arnim Rupp"
date = "2020-12-13"
strings:
$typelibguid0 = "a16abbb4-985b-4db2-a80c-21268b26c73d" ascii nocase wide
$typelibguid1 = "98075331-1f86-48c8-ae29-29da39a8f98b" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Stracciatella
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_Stracciatella {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/mgeeky/Stracciatella"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-13"
modified = "2025-08-15"
id = "5b1a8102-6d59-5f2f-8ae2-b3c1f75a561d"
strings:
$typelibguid0lo = "eaafa0ac-e464-4fc4-9713-48aa9a6716fb" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Stracciatella
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_Stracciatella {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/mgeeky/Stracciatella"
author = "Arnim Rupp"
date = "2020-12-13"
strings:
$typelibguid0 = "eaafa0ac-e464-4fc4-9713-48aa9a6716fb" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SuperSQLInjectionV1
Detects .NET red/black-team tools via typelibguid
rule HKTL_NET_GUID_SuperSQLInjectionV1 {
meta:
description = "Detects .NET red/black-team tools via typelibguid"
reference = "https://github.com/shack2/SuperSQLInjectionV1"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2021-01-21"
modified = "2025-08-15"
id = "247bef0d-7873-51c7-97b8-1be6dfe7708d"
strings:
$typelibguid0lo = "d5688068-fc89-467d-913f-037a785caca7" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SuperSQLInjectionV1
Detects .NET red/black-team tools via typelibguid
rule HKTL_NET_GUID_SuperSQLInjectionV1 {
meta:
description = "Detects .NET red/black-team tools via typelibguid"
reference = "https://github.com/shack2/SuperSQLInjectionV1"
author = "Arnim Rupp"
date = "2021-01-21"
strings:
$typelibguid0 = "d5688068-fc89-467d-913f-037a785caca7" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SweetPotato
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SweetPotato {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/CCob/SweetPotato"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-28"
modified = "2025-08-15"
id = "0e347d94-51eb-5589-93d8-b19fec7f2365"
strings:
$typelibguid0lo = "6aeb5004-6093-4c23-aeae-911d64cacc58" ascii wide
$typelibguid1lo = "1bf9c10f-6f89-4520-9d2e-aaf17d17ba5e" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SweetPotato
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SweetPotato {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/CCob/SweetPotato"
author = "Arnim Rupp"
date = "2020-12-28"
strings:
$typelibguid0 = "6aeb5004-6093-4c23-aeae-911d64cacc58" ascii nocase wide
$typelibguid1 = "1bf9c10f-6f89-4520-9d2e-aaf17d17ba5e" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SyscallPOC
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SyscallPOC {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/SolomonSklash/SyscallPOC"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-13"
modified = "2025-08-15"
id = "1ed5e226-0dcd-5397-b5e8-41f8a14981a1"
strings:
$typelibguid0lo = "1e54637b-c887-42a9-af6a-b4bd4e28cda9" ascii wide
$typelibguid1lo = "198d5599-d9fc-4a74-87f4-5077318232ad" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SyscallPOC
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SyscallPOC {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/SolomonSklash/SyscallPOC"
author = "Arnim Rupp"
date = "2020-12-13"
strings:
$typelibguid0 = "1e54637b-c887-42a9-af6a-b4bd4e28cda9" ascii nocase wide
$typelibguid1 = "198d5599-d9fc-4a74-87f4-5077318232ad" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_TeleShadow2
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_TeleShadow2 {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/ParsingTeam/TeleShadow2"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-28"
modified = "2025-08-15"
id = "5b22f2c4-0bd1-5a5a-8867-8fbc773d2b44"
strings:
$typelibguid0lo = "42c5c356-39cf-4c07-96df-ebb0ccf78ca4" ascii wide
$typelibguid1lo = "0242b5b1-4d26-413e-8c8c-13b4ed30d510" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_TeleShadow2
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_TeleShadow2 {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/ParsingTeam/TeleShadow2"
author = "Arnim Rupp"
date = "2020-12-28"
strings:
$typelibguid0 = "42c5c356-39cf-4c07-96df-ebb0ccf78ca4" ascii nocase wide
$typelibguid1 = "0242b5b1-4d26-413e-8c8c-13b4ed30d510" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Telegra_Csharp_C2
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_Telegra_Csharp_C2 {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/sf197/Telegra_Csharp_C2"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-13"
modified = "2025-08-15"
id = "495a5f3e-cf05-5a66-b01c-8176ded88768"
strings:
$typelibguid0lo = "1d79fabc-2ba2-4604-a4b6-045027340c85" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Telegra_Csharp_C2
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_Telegra_Csharp_C2 {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/sf197/Telegra_Csharp_C2"
author = "Arnim Rupp"
date = "2020-12-13"
strings:
$typelibguid0 = "1d79fabc-2ba2-4604-a4b6-045027340c85" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_TellMeYourSecrets
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_TellMeYourSecrets {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/0xbadjuju/TellMeYourSecrets"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-28"
modified = "2025-08-15"
id = "b00c353b-0446-5faa-87e5-0a7ba6ec2286"
strings:
$typelibguid0lo = "9b448062-7219-4d82-9a0a-e784c4b3aa27" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_TellMeYourSecrets
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_TellMeYourSecrets {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/0xbadjuju/TellMeYourSecrets"
author = "Arnim Rupp"
date = "2020-12-28"
strings:
$typelibguid0 = "9b448062-7219-4d82-9a0a-e784c4b3aa27" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_TheHackToolBoxTeek
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_TheHackToolBoxTeek {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/teeknofil/TheHackToolBoxTeek"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-13"
modified = "2025-08-15"
id = "ad8cf2c8-f70e-5f46-92fa-46e1fa5e683c"
strings:
$typelibguid0lo = "2aa8c254-b3b3-469c-b0c9-dcbe1dd101c0" ascii wide
$typelibguid1lo = "afeff505-14c1-4ecf-b714-abac4fbd48e7" ascii wide
$typelibguid2lo = "4cf42167-a5cf-4b2d-85b4-8e764c08d6b3" ascii wide
$typelibguid3lo = "118a90b7-598a-4cfc-859e-8013c8b9339c" ascii wide
$typelibguid4lo = "3075dd9a-4283-4d38-a25e-9f9845e5adcb" ascii wide
$typelibguid5lo = "295655e8-2348-4700-9ebc-aa57df54887e" ascii wide
$typelibguid6lo = "74efe601-9a93-46c3-932e-b80ab6570e42" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
Showing 901-950 of 18,880