Malware / file
YARA rules
18,880 rules indexed · pattern-based malware identification
YARA rules identify and classify malware families through binary patterns, strings, and metadata. The rules below come from multiple open repositories; each entry lists the rule name and description followed by its raw signature.
Using these YARA rules
Deploy. Load them into any YARA-capable scanner: your EDR if it supports YARA, the yara CLI against files or a memory image, VirusTotal Retrohunt, or a host scanner like Loki or THOR.
Adapt. Tighten or loosen the string and condition matches for your false-positive tolerance; a rule written for one campaign can over-match on benign files in a different environment.
Scope. These are for hunting known malware families in files and memory and for triaging samples - not for network traffic or log-based detection, which the IDS and Sigma rules cover.
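The three steps above, worked through as an added example that is not code from the page's rule repositories or from YARA: a Python harness that re-implements the condition of the HKTL_NET_NAME_* rules listed below (the PE header test plus two `ascii wide` strings) and runs it against a constructed, minimal PE image, so the rule logic can be inspected and its over-match case exercised without a yara binary. The names build_min_pe, is_pe and matches_hktl_net_name are chosen here, and the fixture is not a real .NET assembly.

```python
"""Offline re-implementation of the HKTL_NET_NAME_* rule condition.

Added example; not code from YARA or from the rule repositories. The PE
image built here is a constructed fixture with just enough header to
satisfy the rule, not a real .NET assembly.
"""
import struct

MZ_MAGIC = 0x5A4D       # YARA's uint16(0) of "MZ" (little-endian)
PE_MAGIC = 0x00004550   # YARA's uint32(uint32(0x3C)) of "PE\0\0"


def build_min_pe(payload: bytes, e_lfanew: int = 0x80) -> bytes:
    """Constructed fixture: "MZ" at 0, e_lfanew at 0x3C, "PE\\0\\0" at
    e_lfanew, then the payload. Nothing else about it is valid PE."""
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    dos[0x3C:0x40] = struct.pack("<I", e_lfanew)
    return bytes(dos) + b"PE\0\0" + payload


def is_pe(data: bytes) -> bool:
    """YARA: uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550."""
    if len(data) < 0x40:
        return False
    if struct.unpack_from("<H", data, 0)[0] != MZ_MAGIC:
        return False
    off = struct.unpack_from("<I", data, 0x3C)[0]
    if off + 4 > len(data):
        return False  # YARA's uint32() past EOF is undefined; treat as no match
    return struct.unpack_from("<I", data, off)[0] == PE_MAGIC


def ascii_wide(s: str) -> list:
    """The two byte forms a YARA string declared `ascii wide` searches for."""
    return [s.encode("ascii"), s.encode("utf-16-le")]


def matches_hktl_net_name(data: bytes, tool_name: str) -> bool:
    """Condition of HKTL_NET_NAME_<tool>: PE header and all of
    $name = "<tool>" ascii wide, $compile = "AssemblyTitle" ascii wide."""
    if not is_pe(data):
        return False
    name_hit = any(form in data for form in ascii_wide(tool_name))
    compile_hit = any(form in data for form in ascii_wide("AssemblyTitle"))
    return name_hit and compile_hit


def demo() -> dict:
    # Constructed samples. .NET metadata stores assembly attributes as UTF-16,
    # so the wide form is what the real tool would carry.
    tool = build_min_pe("trevorc2".encode("utf-16-le") + b"\0\0AssemblyTitle")
    # "MZ" but e_lfanew points at offset 0, so there is no PE signature
    no_pe = b"MZ" + b"\0" * 0x3E + b"trevorc2AssemblyTitle"
    # a benign assembly that merely mentions the tool name also satisfies the rule
    benign = build_min_pe(b"AssemblyTitle\0Report on trevorc2 detections")
    return {
        "tool": matches_hktl_net_name(tool, "trevorc2"),
        "no_pe": matches_hktl_net_name(no_pe, "trevorc2"),
        "benign_mention": matches_hktl_net_name(benign, "trevorc2"),
    }


if __name__ == "__main__":
    print(demo())
```

The benign sample matching is the point of the Adapt step: the rule keys on a tool name and the AssemblyTitle attribute that every .NET assembly carries, so a legitimate assembly that documents or references the tool trips it. Add a hash or a second tool-specific string before deploying it beyond a hunt.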
Rules
HKTL_NET_NAME_shellcodeTester
Detects .NET red/black-team tools via name
rule HKTL_NET_NAME_shellcodeTester {
meta:
description = "Detects .NET red/black-team tools via name"
reference = "https://github.com/tophertimzen/shellcodeTester"
author = "Arnim Rupp"
date = "2021-01-22"
strings:
$name = "shellcodeTester" ascii wide
$compile = "AssemblyTitle" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
HKTL_NET_NAME_trevorc2
Detects .NET red/black-team tools via name
rule HKTL_NET_NAME_trevorc2 {
meta:
description = "Detects .NET red/black-team tools via name"
reference = "https://github.com/trustedsec/trevorc2"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp"
date = "2021-01-22"
id = "d1634a0d-6964-5886-b836-85c3ce6b8a17"
strings:
$name = "trevorc2" ascii wide
$compile = "AssemblyTitle" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
HKTL_NET_NAME_tvasion
Detects .NET red/black-team tools via name
rule HKTL_NET_NAME_tvasion {
meta:
description = "Detects .NET red/black-team tools via name"
reference = "https://github.com/loadenmb/tvasion"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp"
date = "2021-01-22"
id = "324cddc6-36d9-5670-827e-24e80dcc66a9"
strings:
$name = "tvasion" ascii wide
$compile = "AssemblyTitle" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
HKTL_NET_NAME_weevely3
Detects .NET red/black-team tools via name
rule HKTL_NET_NAME_weevely3 {
meta:
description = "Detects .NET red/black-team tools via name"
reference = "https://github.com/epinna/weevely3"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp"
date = "2021-01-22"
id = "6bf766b6-d065-5a84-8258-3be448b9cbb8"
strings:
$name = "weevely3" ascii wide
$compile = "AssemblyTitle" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
HKTL_NET_NAME_xbapAppWhitelistBypassPOC
Detects .NET red/black-team tools via name
rule HKTL_NET_NAME_xbapAppWhitelistBypassPOC {
meta:
description = "Detects .NET red/black-team tools via name"
reference = "https://github.com/jpginc/xbapAppWhitelistBypassPOC"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp"
date = "2021-01-22"
id = "b05253ce-cba4-531d-8f39-d8fae71b114d"
strings:
$name = "xbapAppWhitelistBypassPOC" ascii wide
$compile = "AssemblyTitle" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
HKTL_Win_CobaltStrike
The CobaltStrike malware family.
rule HKTL_Win_CobaltStrike: Commodity {
meta:
author = "[email protected]"
date = "2021-05-25"
description = "The CobaltStrike malware family."
hash = "b041efb8ba2a88a3d172f480efa098d72eef13e42af6aa5fb838e6ccab500a7c"
reference = "https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/"
id = "113ba304-261f-5c59-bc56-57515c239b6d"
strings:
$s1 = "%s (admin)" fullword
$s2 = { 48 54 54 50 2F 31 2E 31 20 32 30 30 20 4F 4B 0D 0A 43 6F 6E 74 65 6E 74 2D 54 79 70 65 3A 20 61 70 70 6C 69 63 61 74 69 6F 6E 2F 6F 63 74 65 74 2D 73 74 72 65 61 6D 0D 0A 43 6F 6E 74 65 6E 74 2D 4C 65 6E 67 74 68 3A 20 25 64 0D 0A 0D 0A 00 }
$s3 = "%02d/%02d/%02d %02d:%02d:%02d" fullword
$s4 = "%s as %s\\%s: %d" fullword
$s5 = "%s&%s=%s" fullword
$s6 = "rijndael" fullword
$s7 = "(null)"
condition:
all of them
}
HP_48sx_graphics_format
import "pe"
rule HP_48sx_graphics_format: PEiD
{
strings:
$a = { 48 50 48 50 34 38 2D 41 }
condition:
$a at pe.entry_point
}
HP_48sx_graphics_format_Hint_FILE_START
import "pe"
rule HP_48sx_graphics_format_Hint_FILE_START: PEiD
{
// The name carries PEiD's FILE_START hint: these bytes sit at offset 0 of an
// HP 48 object, which has no PE header, so pe.entry_point is undefined there
// and "$a at pe.entry_point" cannot match such a file; "$a at 0" is the check
// the hint describes.
strings:
$a = { 48 50 48 50 34 38 2D 41 }
condition:
$a at pe.entry_point
}
ID_Application_Protector_12_ID_Security_Suite
import "pe"
rule ID_Application_Protector_12_ID_Security_Suite: PEiD
{
strings:
$a = { 60 E8 00 00 00 00 5D 81 ED F2 0B 47 00 B9 19 22 47 00 81 E9 EA 0E 47 00 89 EA 81 C2 EA 0E 47 00 8D 3A 89 FE 31 C0 E9 D3 02 00 00 CC CC CC CC E9 CA 02 00 00 43 3A 5C 57 69 6E 64 6F 77 73 5C 53 6F 66 74 57 61 72 65 50 72 6F 74 65 63 74 6F 72 5C }
condition:
$a at pe.entry_point
}
ID_Application_Protector_V12_ID_Security_Suite
import "pe"
rule ID_Application_Protector_V12_ID_Security_Suite: PEiD
{
strings:
$a = { 60 E8 00 00 00 00 5D 81 ED F2 0B 47 00 B9 19 22 47 00 81 E9 EA 0E 47 00 89 EA 81 C2 EA 0E 47 00 8D 3A 89 FE 31 C0 E9 D3 02 00 00 CC CC CC CC E9 CA 02 00 00 43 3A 5C 57 69 6E 64 6F 77 73 5C 53 6F 66 74 57 61 72 65 50 72 6F 74 65 63 74 6F 72 5C }
condition:
$a at pe.entry_point
}
ID_Application_Protector_V12_ID_Security_Suite_Sign_by_fly
import "pe"
rule ID_Application_Protector_V12_ID_Security_Suite_Sign_by_fly: PEiD
{
strings:
$a = { 60 E8 00 00 00 00 5D 81 ED F2 0B 47 00 B9 19 22 47 00 81 E9 EA 0E 47 00 89 EA 81 C2 EA 0E 47 00 8D 3A 89 FE 31 C0 E9 D3 02 00 00 CC CC CC CC E9 CA 02 00 00 43 3A 5C 57 69 6E 64 6F 77 73 5C 53 6F 66 74 57 61 72 65 50 72 6F 74 65 63 74 6F 72 5C }
condition:
$a at pe.entry_point
}
ID_Application_Protector_V12_ID_Security_Suite_Sign_by_fly_additional
import "pe"
rule ID_Application_Protector_V12_ID_Security_Suite_Sign_by_fly_additional: PEiD
{
strings:
$a = { 55 8B EC 83 C4 EC 53 56 57 33 C0 89 45 EC B8 70 3B 00 10 E8 3C FA FF FF 33 C0 55 68 6C 3C 00 10 64 FF 30 64 89 20 6A 0A 68 7C 3C 00 10 A1 50 56 00 10 50 E8 D8 FA FF FF 8B D8 53 A1 50 56 00 10 50 E8 0A FB FF FF 8B F8 53 A1 50 56 00 10 50 E8 D4 FA FF FF 8B }
condition:
$a at pe.entry_point
}
IMPLANT_10_v1
CozyDuke / CozyCar / CozyBear Implant by APT29
rule IMPLANT_10_v1 {
meta:
description = "CozyDuke / CozyCar / CozyBear Implant by APT29"
author = "US CERT"
reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
date = "2017-02-10"
score = 85
strings:
$STR1 = {33 ?? 83 F2 ?? 81 E2 FF 00 00 00}
$STR2 = {0F BE 14 01 33 D0 ?? F2 [1-4] 81 E2 FF 00 00 00 66 89 [6] 40 83
F8 ?? 72}
condition:
uint16(0) == 0x5A4D and ($STR1 or $STR2)
}
IMPLANT_10_v2
CozyDuke / CozyCar / CozyBear Implant by APT29
rule IMPLANT_10_v2 {
meta:
description = "CozyDuke / CozyCar / CozyBear Implant by APT29"
author = "US CERT"
reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
date = "2017-02-10"
score = 85
id = "9c6d4eb9-98a5-5c6d-ba3a-0ce7524c5d2a"
strings:
$xor = { 34 ?? 66 33 C1 48 FF C1 }
$nop = { 66 66 66 66 66 66 0f 1f 84 00 00 00 00 00}
condition:
uint16(0) == 0x5A4D and $xor and $nop
}
IMPLANT_11_v12
Mini Duke Implant by APT29
rule IMPLANT_11_v12 {
meta:
description = "Mini Duke Implant by APT29"
author = "US CERT"
reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
date = "2017-02-10"
score = 85
strings:
$STR1 = {63 74 00 00} // ct
$STR2 = {72 6F 74 65} // rote
$STR3 = {75 61 6C 50} // ualP
$STR4 = {56 69 72 74} // Virt
// The four fragments are "VirtualProtect" built as a stack string; $STR8 below
// expects them in push order, last chunk first.
$STR5 = { e8 00 00 00 00 }
$STR6 = { 64 FF 35 00 00 00 00 }
$STR7 = {D2 C0}
$STR8 = /\x63\x74\x00\x00.{3,20}\x72\x6F\x74\x65.{3,20}\x75\x61\x6C\x50.{3,20}\x56\x69\x72\x74/
condition:
(uint16(0) == 0x5A4D) and #STR5 > 4 and all of them
}
IMPLANT_12_v1
Cosmic Duke Implant by APT29
rule IMPLANT_12_v1 {
meta:
description = "Cosmic Duke Implant by APT29"
author = "US CERT"
reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
date = "2017-02-10"
score = 85
strings:
$FUNC = {A1 [3-5] 33 C5 89 [2-3] 56 57 83 [4-6] 64}
condition:
(uint16(0) == 0x5A4D) and $FUNC
}
IMPLANT_1_v1
Downrage Implant by APT28
rule IMPLANT_1_v1 {
meta:
description = "Downrage Implant by APT28"
author = "US CERT"
reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
date = "2017-02-10"
score = 85
id = "eb3fc39b-08ca-51df-a9b4-7b28b107b700"
strings:
$STR1 = {6A ?? E8 ?? ?? FF FF 59 85 C0 74 0B 8B C8 E8 ?? ?? FF FF 8B F0
EB 02 33 F6 8B CE E8 ?? ?? FF FF 85 F6 74 0E 8B CE E8 ?? ?? FF FF 56
E8 ?? ?? FF FF 59}
condition:
(uint16(0) == 0x5A4D) and all of them
}
IMPLANT_1_v2
Downrage Implant by APT28
rule IMPLANT_1_v2 {
meta:
description = "Downrage Implant by APT28"
author = "US CERT"
reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
date = "2017-02-10"
score = 85
id = "c7beab50-8e73-5161-be7e-bc3f8351873a"
strings:
$STR1 = {83 3E 00 53 74 4F 8B 46 04 85 C0 74 48 83 C0 02 50 E8 ?? ?? 00
00 8B D8 59 85 DB 74 38 8B 4E 04 83 F9 FF 7E 21 57 }
$STR2 = {55 8B EC 8B 45 08 3B 41 08 72 04 32 C0 EB 1B 8B 49 04 8B 04 81
80 78 19 01 75 0D FF 70 10 FF [5] 85 C0 74 E3 }
condition:
(uint16(0) == 0x5A4D) and any of them
}
IMPLANT_1_v3
Downrage Implant by APT28
rule IMPLANT_1_v3 {
meta:
description = "Downrage Implant by APT28"
author = "US CERT"
reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
date = "2017-02-10"
score = 85
id = "517133d2-813d-5f44-84c2-a53c62d7a688"
strings:
$rol7encode = { 0F B7 C9 C1 C0 07 83 C2 02 33 C1 0F B7 0A 47 66 85 C9 75 }
condition:
(uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or
uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them
}
IMPLANT_1_v4
Downrage Implant by APT28
rule IMPLANT_1_v4 {
meta:
description = "Downrage Implant by APT28"
author = "US CERT"
reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
date = "2017-02-10"
score = 85
id = "0362b885-de59-5715-80f2-106e5e91d1fa"
strings:
$XOR_LOOP = { 8B 45 FC 8D 0C 06 33 D2 6A 0B 8B C6 5B F7 F3 8A 82 ?? ??
?? ?? 32 04 0F 46 88 01 3B 75 0C 7C E0 }
condition:
(uint16(0) == 0x5A4D) and all of them
}
IMPLANT_1_v5
Downrage Implant by APT28
rule IMPLANT_1_v5 {
meta:
description = "Downrage Implant by APT28"
author = "US CERT"
reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
date = "2017-02-10"
score = 85
id = "ac1c6175-3a8b-524b-bb18-243c52f7dba1"
strings:
$drivername = { 6A 30 ?? 6A 33 [5] 6A 37 [5] 6A 32 [5] 6A 31 [5] 6A 77
[5] 6A 69 [5] 6A 6E [5] 6A 2E [5] 6A 73 [5-9] 6A 79 [5] 6A 73 }
$mutexname = { C7 45 ?? 2F 2F 64 66 C7 45 ?? 63 30 31 65 C7 45 ?? 6C 6C
36 7A C7 45 ?? 73 71 33 2D C7 45 ?? 75 66 68 68 66 C7 45 ?? 66 }
condition:
(uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or
uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and any of them
}
IMPLANT_1_v6
Downrage Implant by APT28
rule IMPLANT_1_v6 {
meta:
description = "Downrage Implant by APT28"
author = "US CERT"
reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
date = "2017-02-10"
score = 85
strings:
$XORopcodes_eax = { 35 (22 07 15 0e|56 d7 a7 0a) }
$XORopcodes_others = { 81 (F1|F2|F3|F4|F5|F6|F7) (22 07 15 0E|56 D7 A7 0A) }
condition:
(uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or
uint32(0) == 0x46445025) and any of them
}
IMPLANT_1_v7
Downrage Implant by APT28
rule IMPLANT_1_v7 {
meta:
description = "Downrage Implant by APT28"
author = "US CERT"
reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
date = "2017-02-10"
score = 85
id = "2a28273f-d9a1-5e80-bef1-b488eb0326bd"
strings:
$XOR_FUNCT = { C7 45 ?? ?? ?? 00 10 8B 0E 6A ?? FF 75 ?? E8 ?? ?? FF FF }
condition:
(uint16(0) == 0x5A4D) and all of them
}
IMPLANT_2_v1
CORESHELL/SOURFACE Implant by APT28
rule IMPLANT_2_v1 {
meta:
description = "CORESHELL/SOURFACE Implant by APT28"
author = "US CERT"
reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
date = "2017-02-10"
score = 85
id = "058266d4-8dc5-5a26-9bc6-4c55ac646e9b"
strings:
$STR1 = { 8d ?? fa [2] e8 [2] FF FF C7 [2-5] 00 00 00 00 8D [2-5] 5? 6a 00 6a 01}
condition:
(uint16(0) == 0x5A4D) and all of them
}
IMPLANT_2_v10
CORESHELL/SOURFACE Implant by APT28
rule IMPLANT_2_v10 {
meta:
description = "CORESHELL/SOURFACE Implant by APT28"
author = "US CERT"
reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
date = "2017-02-10"
score = 85
id = "cb88ae0c-19e2-590c-9c13-78ac1dcc8c9f"
strings:
$STR1 = { 83 ?? 06 [7-17] fa [0-10] 45 [2-4] 48 [2-4] e8 [2] FF FF [6-8]
48 8d [3] 48 89 [3] 45 [2] 4? [1-2] 01}
condition:
(uint16(0) == 0x5A4D) and all of them
}
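The IMPLANT_* rules above lean on YARA hex-string syntax rather than plain strings: `??` byte wildcards (IMPLANT_10_v1), nibble wildcards such as `4?` (IMPLANT_2_v10), fixed and ranged jumps like `[5]` and `[1-4]` (IMPLANT_1_v5, IMPLANT_10_v1), alternation groups (IMPLANT_1_v6), and occurrence counts such as `#STR5 > 4` (IMPLANT_11_v12). When tightening or loosening one of these, it helps to see exactly which byte sequences a pattern covers. The following is an added example, not code from YARA or from any of the rule repositories: a small compiler from that hex-string subset to a Python bytes regex, plus an offset lister that counts overlapping hits the way YARA's `#string` does. The function names compile_hex and match_offsets and all byte sequences in demo() are constructed here; the toy does not enforce YARA's limits on jump sizes or wildcard placement and is for inspecting patterns, not for scanning.

```python
"""Translate YARA hex-string syntax into a Python bytes regex and scan with it.

Added example, not YARA itself. Supports the subset the IMPLANT_* rules use:
byte literals, `??` and nibble wildcards (`4?`, `?F`), jumps `[n]` and
`[n-m]`, and alternation groups `( a b | c d )`. YARA's restrictions on
jump sizes and wildcard placement are not enforced here.
"""
import re

_TOKEN_RE = re.compile(r"[0-9A-Fa-f?]{2}|\[[^\]]*\]|[()|]")


def _byte_token(tok: str) -> bytes:
    """Regex source for one two-character token: literal, `??`, `4?` or `?4`."""
    hi, lo = tok[0], tok[1]
    if hi == "?" and lo == "?":
        return b"."                                      # any single byte
    if hi != "?" and lo != "?":
        return b"\\x%02x" % int(tok, 16)                 # exact byte
    if lo == "?":                                        # 4? -> 0x40..0x4f
        base = int(hi, 16) << 4
        return b"[\\x%02x-\\x%02x]" % (base, base | 0x0F)
    low = int(lo, 16)                                    # ?4 -> x4 for every x
    return b"[" + b"".join(b"\\x%02x" % ((h << 4) | low) for h in range(16)) + b"]"


def _jump_token(tok: str) -> bytes:
    """`[n]` -> exactly n bytes, `[n-m]` -> between n and m bytes."""
    inner = tok[1:-1].replace(" ", "")
    if "-" in inner:
        lo, hi = inner.split("-", 1)
        return b".{%d,%d}" % (int(lo), int(hi))
    return b".{%d}" % int(inner)


def compile_hex(pattern: str):
    """Compile the body of a YARA hex string ("{ ... }") into a bytes regex."""
    body = pattern.strip()
    if body.startswith("{") and body.endswith("}"):
        body = body[1:-1]
    leftover = re.sub(r"[0-9A-Fa-f?]{2}|\[[^\]]*\]|[()|]|\s+", "", body)
    if leftover:
        raise ValueError("unsupported hex-string syntax: %r" % leftover)
    parts = []
    for tok in _TOKEN_RE.findall(body):
        if tok == "(":
            parts.append(b"(?:")
        elif tok == "|":
            parts.append(b"|")
        elif tok == ")":
            parts.append(b")")
        elif tok.startswith("["):
            parts.append(_jump_token(tok))
        else:
            parts.append(_byte_token(tok))
    return re.compile(b"".join(parts), re.DOTALL)


def match_offsets(pattern: str, data: bytes) -> list:
    """Every offset where the pattern matches, overlapping hits included,
    which is how YARA's #string count and @string[i] offsets behave."""
    rx = compile_hex(pattern)
    probe = re.compile(b"(?=" + rx.pattern + b")", re.DOTALL)
    return [m.start() for m in probe.finditer(data)]


def demo() -> dict:
    # Constructed byte sequences (not malware), one per syntax feature.
    cozy_xor = bytes.fromhex("90 90 33 C0 83 F2 AA 81 E2 FF 00 00 00 C3")
    downrage = bytes.fromhex("35 56 D7 A7 0A 90 35 22 07 15 0F")  # second one is off by a nibble
    jumped = bytes.fromhex("0F BE 14 01 33 D0 C9 F2 01 02 03 81 E2 FF 00 00 00")
    call_rel0 = bytes.fromhex("E8 00 00 00 00") * 5 + b"\xc3"
    return {
        "cozy_xor": match_offsets("{33 ?? 83 F2 ?? 81 E2 FF 00 00 00}", cozy_xor),
        "downrage": match_offsets("{ 35 (22 07 15 0e|56 d7 a7 0a) }", downrage),
        "jumped": match_offsets("{0F BE 14 01 33 D0 ?? F2 [1-4] 81 E2 FF 00 00 00}", jumped),
        "call_count": len(match_offsets("{ e8 00 00 00 00 }", call_rel0)),
        "nibble": match_offsets("{ 4? [1-2] 01 }", bytes.fromhex("48 83 EC 01 4C 01")),
    }


if __name__ == "__main__":
    print(demo())
```

The call_count entry is the `#STR5 > 4` test from IMPLANT_11_v12 run on five `call $+5` instructions, and the downrage entry shows the alternation group rejecting a sequence that differs from the rule's constant in one nibble. Printing `compile_hex(p).pattern` for any rule string is the quickest way to see how wide a `[0-10]` jump or a `4?` wildcard really is before loosening it further.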
IMPLANT_2_v11
CORESHELL/SOURFACE Implant by APT28
rule IMPLANT_2_v11 {
meta:
description = "CORESHELL/SOURFACE Implant by APT28"
author = "US CERT"
reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
date = "2017-02-10"
score = 85
id = "570d6996-ab16-556e-b790-e4c73d7bbffc"
strings:
$STR1 = {55 8b ec 6a fe 68 [4] 68 [4] 64 A1 00 00 00 00 50 83 EC 0C 53
56 57 A1 [4] 31 45 F8 33 C5 50 8D 45 F0 64 A3 00 00 00 00 [8-14] 68
[4] 6a 01 [1-2] FF 15 [4] FF 15 [4] 3D B7 00 00 00 75 27}
condition:
(uint16(0) == 0x5A4D) and all of them
}
IMPLANT_2_v12
CORESHELL/SOURFACE Implant by APT28
rule IMPLANT_2_v12 {
meta:
description = "CORESHELL/SOURFACE Implant by APT28"
author = "US CERT"
reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
date = "2017-02-10"
score = 85
strings:
$STR1 = {48 83 [2] 48 89 [3] c7 44 [6] 4c 8d 05 [3] 00 BA 01 00 00 00
33 C9 ff 15 [2] 00 00 ff 15 [2] 00 00 3D B7 00 00 00 75 ?? 48 8D 15
?? 00 00 00 48 8B CC E8}
condition:
(uint16(0) == 0x5A4D) and all of them
}
IMPLANT_2_v13
CORESHELL/SOURFACE Implant by APT28
rule IMPLANT_2_v13 {
meta:
description = "CORESHELL/SOURFACE Implant by APT28"
author = "US CERT"
reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
date = "2017-02-10"
score = 85
strings:
$STR1 = { 83 ?? 06 [7-17] fa [0-10] 45 [2-4] 48 [2-4] e8 [2] FF FF
[6-8] 48 8d [3] 48 89 [3] 45 [2] 4? [1-2] 01}
condition:
(uint16(0) == 0x5A4D) and all of them
}
IMPLANT_2_v14
CORESHELL/SOURFACE Implant by APT28
rule IMPLANT_2_v14 {
meta:
description = "CORESHELL/SOURFACE Implant by APT28"
author = "US CERT"
reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
date = "2017-02-10"
score = 85
id = "1e4958e7-e136-5600-bc16-36cdeeb3ea18"
strings:
$STR1 = {8B ?? 44 89 44 24 60 41 F7 E0 8B F2 B8 AB AA AA AA C1 EE 02 89
74 24 58 44 8B ?? 41 F7 ?? 8B CA BA 03 00 00 00 C1 E9 02 89 0C 24 8D
04 49 03 C0 44 2B ?? 44 89 ?? 24 04 3B F1 0F 83 ?? 01 00 00 8D 1C 76
4C 89 6C 24 }
$STR2 = {C5 41 F7 E0 ?? ?? ?? ?? ?? ?? 8D 0C 52 03 C9 2B C1 8B C8 ?? 8D
04 ?? 46 0F B6 0C ?? 40 02 C7 41 8D 48 FF 44 32 C8 B8 AB AA AA AA F7
E1 C1 EA 02 8D 04 52 03 C0 2B C8 B8 AB AA AA AA 46 22 0C ?? 41 8D 48
FE F7 E1 C1 EA 02 8D 04 52 03 C0 2B C8 8B C1 }
$STR3 = {41 F7 E0 C1 EA 02 41 8B C0 8D 0C 52 03 C9 2B C1 8B C8 42 8D 04
1B 46 0F B6 0C ?? 40 02 C6 41 8D 48 FF 44 32 C8 B8 AB AA AA AA F7 E1
C1 EA 02 8D 04 52 03 C0 2B C8 B8 AB AA AA AA }
$STR4 = {46 22 0C ?? 41 8D 48 FE F7 E1 C1 EA 02 8D 04 52 8B 54 24 58 03
C0 2B C8 8B C1 0F B6 4F FF 42 0F B6 04 ?? 41 0F AF CB C1 }
condition:
(uint16(0) == 0x5A4D) and any of them
}
IMPLANT_2_v15
CORESHELL/SOURFACE Implant by APT28
rule IMPLANT_2_v15 {
meta:
description = "CORESHELL/SOURFACE Implant by APT28"
author = "US CERT"
reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
date = "2017-02-10"
score = 85
id = "9bdaebc1-86a0-5c21-b752-d69cdb70f082"
strings:
$XOR_LOOP1 = { 32 1C 02 33 D2 8B C7 89 5D E4 BB 06 00 00 00 F7 F3 }
$XOR_LOOP2 = { 32 1C 02 8B C1 33 D2 B9 06 00 00 00 F7 F1 }
$XOR_LOOP3 = { 02 C3 30 06 8B 5D F0 8D 41 FE 83 F8 06 }
condition:
(uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or
uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them
}
Showing 1151-1200 of 18,880