Malware / file
YARA rules
18,880 rules indexed · pattern-based malware identification
YARA rules identify and classify malware families, and the packers and protectors wrapped around them, through binary patterns, strings, and metadata. The rules below come from multiple open repositories, so the same rule name can appear more than once with different metadata or string modifiers; each copy is listed as its source repository carries it, followed by its raw signature. Rules tagged PEiD are packer and compiler signatures converted from the PEiD database: they match a byte pattern at the PE entry point and identify the packer, not a malware family.
Using these YARA rules
Deploy. Load them into any YARA-capable scanner: your EDR if it supports YARA, the yara CLI against files or a memory image, VirusTotal Retrohunt, or a host scanner like Loki or THOR. Two things to check before compiling a set cut from this listing: rules that reference module fields such as pe.entry_point compile only with import "pe" at the top of the file (the listing shows rule bodies without their file-level imports), and YARA rejects two rules with the same identifier in one namespace, so duplicated names such as CN_GUI_Scanner must be deduplicated or loaded into separate namespaces.
Adapt. Tighten or loosen the string and condition matches for your false-positive tolerance; a rule written for one campaign can over-match on benign files in a different environment. Gating on a file-type check and a size cap, as in uint16(0) == 0x5a4d and filesize < 100KB in the Nextron rules below, is the cheapest tightening. The score meta those rules carry is the author's own weighting of severity and confidence (the 1433 scanner rules sit at 40, most others at 60 to 70) and is the per-rule weight that Loki and THOR add up when scoring a file, so it is a reasonable starting point for alert thresholds.
Scope. These rules are for hunting known malware families and attacker tooling in files and memory and for triaging samples, not for network traffic or log-based detection, which the IDS and Sigma rules cover.
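The PEiD-tagged rules in this listing (CC_v261_Beta_Hint_DOS_EP, CD_Cops_II and the CI_Crypt variants) all have the shape `$a at pe.entry_point`: the hex string must start at the file offset that YARA's pe module computes for AddressOfEntryPoint, and `??` matches any single byte. The Python below is an added example, not code from the listing or from the YARA project. It reimplements just that check (hex string to regex, entry-point RVA to file offset through the section table) and runs the two entry-point signatures copied from the listing against a minimal PE image that the script constructs itself. The section mapping is a simplification (a section is taken to cover `[VirtualAddress, VirtualAddress + max(VirtualSize, SizeOfRawData))`, without YARA's alignment handling), and hex-string jumps and nibble wildcards are rejected rather than supported.

```python
"""Minimal evaluator for PEiD-style YARA entry-point signatures (added example)."""
import re
import struct

# Two hex strings copied from the PEiD rules in the listing.
PEID_RULES = {
    "CC_v261_Beta_Hint_DOS_EP": "{ BA ?? ?? B4 30 CD 21 3C 02 73 ?? 33 C0 06 50 CB }",
    "CD_Cops_II": "{ 53 60 BD ?? ?? ?? ?? 8D 45 ?? 8D 5D ?? E8 ?? ?? ?? ?? 8D }",
}


def hex_pattern_to_regex(pattern: str) -> "re.Pattern[bytes]":
    """Translate a YARA hex string such as `{ BA ?? ?? B4 30 }` into a bytes regex.
    Only full-byte literals and the `??` wildcard are handled; jumps `[n-m]` and
    nibble wildcards `?A` raise instead of being silently mis-matched."""
    parts = []
    for tok in pattern.strip().strip("{}").split():
        if tok == "??":
            parts.append(b".")
        elif re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
            parts.append(re.escape(bytes([int(tok, 16)])))
        else:
            raise ValueError(f"unsupported hex-string token {tok!r}")
    return re.compile(b"".join(parts), re.DOTALL)


def pe_entry_point_offset(data: bytes):
    """File offset of the PE entry point (what YARA exposes as pe.entry_point),
    or None when the data is not a PE image; in that case YARA leaves the field
    undefined and `$a at pe.entry_point` evaluates to false."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (size_of_optional,) = struct.unpack_from("<H", data, coff + 16)
    optional = coff + 20                                  # IMAGE_OPTIONAL_HEADER
    (entry_rva,) = struct.unpack_from("<I", data, optional + 16)  # AddressOfEntryPoint
    sections = optional + size_of_optional                # first IMAGE_SECTION_HEADER
    for i in range(num_sections):
        hdr = sections + i * 40
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, hdr + 8)
        # Simplified RVA -> raw mapping; YARA additionally applies alignment rules.
        if va <= entry_rva < va + max(vsize, raw_size):
            return raw_ptr + (entry_rva - va)
    return None


def matches_at_entry_point(hex_string: str, data: bytes) -> bool:
    """Evaluate `$a at pe.entry_point` for one hex string."""
    ep = pe_entry_point_offset(data)
    if ep is None:
        return False
    return hex_pattern_to_regex(hex_string).match(data, ep) is not None


def identify(data: bytes) -> list:
    """Names of the PEID_RULES whose signature sits exactly at the entry point."""
    return [name for name, pat in PEID_RULES.items() if matches_at_entry_point(pat, data)]


def build_test_pe(entry_code: bytes) -> bytes:
    """Constructed 32-bit PE for the example (not a real or loadable sample):
    one .text section at RVA 0x1000 / file offset 0x200 and the entry point at
    RVA 0x1010, so pe.entry_point must resolve to file offset 0x210."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew
    file_hdr = struct.pack("<IHHIIIHH", 0x4550, 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1010)                      # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                    # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)              # Section/FileAlignment
    section = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200,
                          0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + file_hdr + bytes(opt) + section).ljust(0x200, b"\0")
    text = bytearray(0x200)
    text[0x10:0x10 + len(entry_code)] = entry_code
    return headers + bytes(text)


# Constructed entry-point bytes that satisfy the CC_v261 signature, wildcards included.
SAMPLE_ENTRY = bytes.fromhex("BA 12 34 B4 30 CD 21 3C 02 73 05 33 C0 06 50 CB")

if __name__ == "__main__":
    pe = build_test_pe(SAMPLE_ENTRY)
    print(hex(pe_entry_point_offset(pe)), identify(pe))
    # The same bytes at the end of the file, not at the entry point: no match.
    print(identify(build_test_pe(b"\x90" * 16) + SAMPLE_ENTRY))
```

The second call in the `__main__` block is the point of the `at` operator: the signature bytes are present in the file but not at the entry point, so a PEiD rule must not fire, whereas a plain `$a` condition would. The `None` return for non-PE input mirrors YARA, where an undefined `pe.entry_point` makes the condition false rather than an error, which is why these rules can be run over a whole directory without an `uint16(0) == 0x5a4d` guard.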
Rules
50 shown of 18,880
CC_v261_Beta_Hint_DOS_EP
rule CC_v261_Beta_Hint_DOS_EP: PEiD
{
strings:
$a = { BA ?? ?? B4 30 CD 21 3C 02 73 ?? 33 C0 06 50 CB }
condition:
$a at pe.entry_point
}
CC_v261_Beta_additional
rule CC_v261_Beta_additional: PEiD
{
strings:
$a = { BA ?? ?? B4 30 CD 21 3C 02 73 ?? 33 C0 06 50 CB }
condition:
$a at pe.entry_point
}
CD_Cops_II
rule CD_Cops_II: PEiD
{
strings:
$a = { 53 60 BD ?? ?? ?? ?? 8D 45 ?? 8D 5D ?? E8 ?? ?? ?? ?? 8D }
condition:
$a at pe.entry_point
}
CD_Cops_II_additional
rule CD_Cops_II_additional: PEiD
{
strings:
$a = { 53 60 BD ?? ?? ?? ?? 8D 45 ?? 8D 5D ?? E8 ?? ?? ?? ?? 8D }
condition:
$a at pe.entry_point
}
CI_Crypt_V01_FearlesS
rule CI_Crypt_V01_FearlesS: PEiD
{
strings:
$a = { 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }
$b = { 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 47 65 74 50 72 6F 63 41 64 64 72 }
condition:
for any of ($*) : ( $ at pe.entry_point )
}
CI_Crypt_V01_FearlesS_additional
rule CI_Crypt_V01_FearlesS_additional: PEiD
{
strings:
$a = { 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }
condition:
$a at pe.entry_point
}
CI_Crypt_V02_FearlesS
rule CI_Crypt_V02_FearlesS: PEiD
{
strings:
$a = { 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }
$b = { 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 47 65 74 }
condition:
for any of ($*) : ( $ at pe.entry_point )
}
CI_Crypt_V02_FearlesS_additional
rule CI_Crypt_V02_FearlesS_additional: PEiD
{
strings:
$a = { 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 47 65 74 50 72 6F 63 41 64 64 72 }
condition:
$a at pe.entry_point
}
CN_APT_ZeroT_extracted_Go
Chinese APT by Proofpoint ZeroT RAT - file Go.exe
rule CN_APT_ZeroT_extracted_Go {
meta:
description = "Chinese APT by Proofpoint ZeroT RAT - file Go.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx"
date = "2017-02-04"
modified = "2023-01-06"
hash1 = "83ddc69fe0d3f3d2f46df7e72995d59511c1bfcca1a4e14c330cb71860b4806b"
id = "ba929e6d-4162-58e7-b8a8-bcb066b64522"
strings:
$x1 = "%s\\cmd.exe /c %s\\Zlh.exe" fullword ascii
$x2 = "\\BypassUAC.VS2010\\Release\\" ascii
$s1 = "Zjdsf.exe" fullword ascii
$s2 = "SS32prep.exe" fullword ascii
$s3 = "windowsgrep.exe" fullword ascii
$s4 = "Sysdug.exe" fullword ascii
$s5 = "Proessz.exe" fullword ascii
$s6 = "%s\\Zlh.exe" fullword ascii
$s7 = "/C %s\\%s" fullword ascii
condition:
( uint16(0) == 0x5a4d and filesize < 100KB and ( 1 of ($x*) or 3 of ($s*) ) ) or ( 7 of them )
}
CN_APT_ZeroT_extracted_Mcutil
Chinese APT by Proofpoint ZeroT RAT - file Mcutil.dll
rule CN_APT_ZeroT_extracted_Mcutil {
meta:
description = "Chinese APT by Proofpoint ZeroT RAT - file Mcutil.dll"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx"
date = "2017-02-04"
hash1 = "266c06b06abbed846ebabfc0e683f5d20dadab52241bc166b9d60e9b8493b500"
id = "c887d36b-8aeb-54f1-a683-727561723238"
strings:
$s1 = "LoaderDll.dll" fullword ascii
$s2 = "QageBox1USER" fullword ascii
$s3 = "xhmowl" fullword ascii
$s4 = "?KEYKY" fullword ascii
$s5 = "HH:mm:_s" fullword ascii
$s6 = "=licni] has maX0t" fullword ascii
condition:
( uint16(0) == 0x5a4d and filesize < 90KB and 3 of them ) or ( all of them )
}
CN_APT_ZeroT_extracted_Zlh
Chinese APT by Proofpoint ZeroT RAT - file Zlh.exe
rule CN_APT_ZeroT_extracted_Zlh {
meta:
description = "Chinese APT by Proofpoint ZeroT RAT - file Zlh.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx"
date = "2017-02-04"
hash1 = "711f0a635bbd6bf1a2890855d0bd51dff79021db45673541972fe6e1288f5705"
id = "4c8b9a90-6cb3-5aba-a993-f73207341d0e"
strings:
$s1 = "nflogger.dll" fullword wide
$s2 = "%s %d: CreateProcess('%s', '%s') failed. Windows error code is 0x%08x" fullword ascii
$s3 = "_StartZlhh(): Executed \"%s\"" ascii
$s4 = "Executable: '%s' (%s) %i" fullword ascii
condition:
( uint16(0) == 0x5a4d and filesize < 300KB and 3 of them )
}
CN_APT_ZeroT_nflogger
Chinese APT by Proofpoint ZeroT RAT - file nflogger.dll
rule CN_APT_ZeroT_nflogger {
meta:
description = "Chinese APT by Proofpoint ZeroT RAT - file nflogger.dll"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx"
date = "2017-02-04"
hash1 = "946adbeb017616d56193a6d43fe9c583be6ad1c7f6a22bab7df9db42e6e8ab10"
id = "0d23f312-e3b6-5c23-855b-25ae54265512"
strings:
$x1 = "\\LoaderDll.VS2010\\Release\\" ascii
condition:
( uint16(0) == 0x5a4d and filesize < 200KB and all of them )
}
CN_Actor_AmmyyAdmin
Detects Ammyy Admin Downloader
rule CN_Actor_AmmyyAdmin {
meta:
description = "Detects Ammyy Admin Downloader"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Internal Research - CN Actor"
date = "2017-06-22"
score = 60
hash1 = "1831806fc27d496f0f9dcfd8402724189deaeb5f8bcf0118f3d6484d0bdee9ed"
id = "08ffb61a-e2de-538e-9d9f-040276324af9"
strings:
$x2 = "\\Ammyy\\sources\\main\\Downloader.cpp" ascii
condition:
( uint16(0) == 0x5a4d and filesize < 2000KB and all of them )
}
CN_Actor_RA_Tool_Ammyy_mscorsvw
Detects Ammyy remote access tool
rule CN_Actor_RA_Tool_Ammyy_mscorsvw {
meta:
description = "Detects Ammyy remote access tool"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Internal Research - CN Actor"
date = "2017-06-22"
hash1 = "1831806fc27d496f0f9dcfd8402724189deaeb5f8bcf0118f3d6484d0bdee9ed"
hash2 = "d9ec0a1be7cd218042c54bfbc12000662b85349a6b78731a09ed336e5d3cf0b4"
id = "71a0c5a9-b4dc-508d-a6b7-4b85b75bc34b"
strings:
$s1 = "Please enter password for accessing remote computer" fullword ascii
$s2 = "Die Zugriffsanforderung wurde vom Remotecomputer abgelehnt" fullword ascii
$s3 = "It will automatically be run the next time this computer is restart or you can start it manually" fullword ascii
condition:
( uint16(0) == 0x5a4d and filesize < 4000KB and 3 of them )
}
CN_GUI_Scanner
Detects an unknown GUI scanner tool - CN background
rule CN_GUI_Scanner {
meta:
description = "Detects an unknown GUI scanner tool - CN background"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
hash = "3c67bbb1911cdaef5e675c56145e1112"
score = 65
date = "04.10.2014"
id = "ca88d4d3-5d18-5856-874f-e50deceef54f"
strings:
$s1 = "good.txt" fullword ascii
$s2 = "IP.txt" fullword ascii
$s3 = "xiaoyuer" fullword ascii
$s0w = "ssh(" wide
$s1w = ").exe" fullword wide
condition:
all of them
}
CN_GUI_Scanner
Detects an unknown GUI scanner tool - CN background
rule CN_GUI_Scanner {
meta:
description = "Detects an unknown GUI scanner tool - CN background"
author = "Florian Roth"
hash = "3c67bbb1911cdaef5e675c56145e1112"
score = 65
date = "04.10.2014"
strings:
$s1 = "good.txt" fullword ascii
$s2 = "IP.txt" fullword ascii
$s3 = "xiaoyuer" fullword ascii
$s0w = "ssh(" fullword wide
$s1w = ").exe" fullword wide
condition:
all of them
}
CN_Hacktool_1433_Scanner
Detects a chinese MSSQL scanner
rule CN_Hacktool_1433_Scanner {
meta:
description = "Detects a chinese MSSQL scanner"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
score = 40
date = "12.10.2014"
id = "77712d29-1a32-59e7-999a-a2ef02212886"
strings:
$s0 = "1433" wide fullword
$s1 = "1433V" wide
$s2 = "del Weak1.txt" ascii fullword
$s3 = "del Attack.txt" ascii fullword
$s4 = "del /s /Q C:\\Windows\\system32\\doors\\" ascii
$s5 = "!&start iexplore http://www.crsky.com/soft/4818.html)" fullword ascii
condition:
uint16(0) == 0x5a4d and all of ($s*)
}
CN_Hacktool_1433_Scanner
Detects a chinese MSSQL scanner
rule CN_Hacktool_1433_Scanner {
meta:
description = "Detects a chinese MSSQL scanner"
author = "Florian Roth"
score = 40
date = "12.10.2014"
strings:
$magic = { 4d 5a }
$s0 = "1433" wide fullword
$s1 = "1433V" wide
$s2 = "del Weak1.txt" ascii fullword
$s3 = "del Attack.txt" ascii fullword
$s4 = "del /s /Q C:\\Windows\\system32\\doors\\" fullword ascii
$s5 = "!&start iexplore http://www.crsky.com/soft/4818.html)" fullword ascii
condition:
( $magic at 0 ) and all of ($s*)
}
CN_Hacktool_1433_Scanner_Comp2
Detects a chinese MSSQL scanner - component 2
rule CN_Hacktool_1433_Scanner_Comp2 {
meta:
description = "Detects a chinese MSSQL scanner - component 2"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
score = 40
date = "12.10.2014"
id = "7d707be5-dad0-5d91-965b-908a8603b6c0"
strings:
$s0 = "1433" wide fullword
$s1 = "1433V" wide
$s2 = "UUUMUUUfUUUfUUUfUUUfUUUfUUUfUUUfUUUfUUUfUUUfUUUMUUU" ascii fullword
condition:
uint16(0) == 0x5a4d and all of ($s*)
}
CN_Hacktool_1433_Scanner_Comp2
Detects a chinese MSSQL scanner - component 2
rule CN_Hacktool_1433_Scanner_Comp2 {
meta:
description = "Detects a chinese MSSQL scanner - component 2"
author = "Florian Roth"
score = 40
date = "12.10.2014"
strings:
$magic = { 4d 5a }
$s0 = "1433" wide fullword
$s1 = "1433V" wide
$s2 = "UUUMUUUfUUUfUUUfUUUfUUUfUUUfUUUfUUUfUUUfUUUfUUUMUUU" ascii fullword
condition:
( $magic at 0 ) and all of ($s*)
}
CN_Hacktool_BAT_PortsOpen
Detects a chinese BAT hacktool for local port evaluation
rule CN_Hacktool_BAT_PortsOpen {
meta:
description = "Detects a chinese BAT hacktool for local port evaluation"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
score = 60
date = "12.10.2014"
id = "55c3f678-ba70-5a4a-b288-9d0953eff968"
strings:
$s0 = "for /f \"skip=4 tokens=2,5\" %%a in ('netstat -ano -p TCP') do (" ascii
$s1 = "in ('tasklist /fi \"PID eq %%b\" /FO CSV') do " ascii
$s2 = "@echo off" ascii
condition:
all of them
}
CN_Hacktool_BAT_PortsOpen
Detects a chinese BAT hacktool for local port evaluation
rule CN_Hacktool_BAT_PortsOpen {
meta:
description = "Detects a chinese BAT hacktool for local port evaluation"
author = "Florian Roth"
score = 60
date = "12.10.2014"
strings:
$s0 = "for /f \"skip=4 tokens=2,5\" %%a in ('netstat -ano -p TCP') do (" ascii
$s1 = "in ('tasklist /fi \"PID eq %%b\" /FO CSV') do " ascii
$s2 = "@echo off" ascii
condition:
all of them
}
CN_Hacktool_MilkT_BAT
Detects a chinese Portscanner named MilkT - shipped BAT
rule CN_Hacktool_MilkT_BAT {
meta:
description = "Detects a chinese Portscanner named MilkT - shipped BAT"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
score = 70
date = "12.10.2014"
id = "d680a5f1-6182-5bc8-99de-c3cba1a61903"
strings:
$s0 = "for /f \"eol=P tokens=1 delims= \" %%i in (s1.txt) do echo %%i>>s2.txt" ascii
$s1 = "if not \"%Choice%\"==\"\" set Choice=%Choice:~0,1%" ascii
condition:
all of them
}
CN_Hacktool_MilkT_BAT
Detects a chinese Portscanner named MilkT - shipped BAT
rule CN_Hacktool_MilkT_BAT {
meta:
description = "Detects a chinese Portscanner named MilkT - shipped BAT"
author = "Florian Roth"
score = 70
date = "12.10.2014"
strings:
$s0 = "for /f \"eol=P tokens=1 delims= \" %%i in (s1.txt) do echo %%i>>s2.txt" ascii
$s1 = "if not \"%Choice%\"==\"\" set Choice=%Choice:~0,1%" ascii
condition:
all of them
}
CN_Hacktool_MilkT_Scanner
Detects a chinese Portscanner named MilkT
rule CN_Hacktool_MilkT_Scanner {
meta:
description = "Detects a chinese Portscanner named MilkT"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
score = 60
date = "12.10.2014"
id = "aa83c983-25c2-5051-88a1-fbc70d947d6e"
strings:
$s0 = "Bf **************" ascii fullword
$s1 = "forming Time: %d/" ascii
$s2 = "KERNEL32.DLL" ascii fullword
$s3 = "CRTDLL.DLL" ascii fullword
$s4 = "WS2_32.DLL" ascii fullword
$s5 = "GetProcAddress" ascii fullword
$s6 = "atoi" ascii fullword
condition:
all of them
}
CN_Hacktool_MilkT_Scanner
Detects a chinese Portscanner named MilkT
rule CN_Hacktool_MilkT_Scanner {
meta:
description = "Detects a chinese Portscanner named MilkT"
author = "Florian Roth"
score = 60
date = "12.10.2014"
strings:
$s0 = "Bf **************" ascii fullword
$s1 = "forming Time: %d/" ascii
$s2 = "KERNEL32.DLL" ascii fullword
$s3 = "CRTDLL.DLL" ascii fullword
$s4 = "WS2_32.DLL" ascii fullword
$s5 = "GetProcAddress" ascii fullword
$s6 = "atoi" ascii fullword
condition:
all of them
}
CN_Hacktool_SSPort_Portscanner
Detects a chinese Portscanner named SSPort
rule CN_Hacktool_SSPort_Portscanner {
meta:
description = "Detects a chinese Portscanner named SSPort"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
score = 70
date = "12.10.2014"
id = "38cc8830-efd3-51b7-8ac6-c9bf468212cb"
strings:
$s0 = "Golden Fox" fullword wide
$s1 = "Syn Scan Port" fullword wide
$s2 = "CZ88.NET" fullword wide
condition:
all of them
}
CN_Hacktool_SSPort_Portscanner
Detects a chinese Portscanner named SSPort
rule CN_Hacktool_SSPort_Portscanner {
meta:
description = "Detects a chinese Portscanner named SSPort"
author = "Florian Roth"
score = 70
date = "12.10.2014"
strings:
$s0 = "Golden Fox" fullword wide
$s1 = "Syn Scan Port" fullword wide
$s2 = "CZ88.NET" fullword wide
condition:
all of them
}
CN_Hacktool_S_EXE_Portscanner
Detects a chinese Portscanner named s.exe
rule CN_Hacktool_S_EXE_Portscanner {
meta:
description = "Detects a chinese Portscanner named s.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
score = 70
date = "12.10.2014"
id = "d6b35d4f-7e25-50dd-bef2-08f7033312e8"
strings:
$s0 = "\\Result.txt" ascii
$s1 = "By:ZT QQ:376789051" fullword ascii
$s2 = "(http://www.eyuyan.com)" fullword wide
condition:
all of them
}
CN_Hacktool_S_EXE_Portscanner
Detects a chinese Portscanner named s.exe
rule CN_Hacktool_S_EXE_Portscanner {
meta:
description = "Detects a chinese Portscanner named s.exe"
author = "Florian Roth"
score = 70
date = "12.10.2014"
strings:
$s0 = "\\Result.txt" fullword ascii
$s1 = "By:ZT QQ:376789051" fullword ascii
$s2 = "(http://www.eyuyan.com)" fullword wide
condition:
all of them
}
CN_Hacktool_ScanPort_Portscanner
Detects a chinese Portscanner named ScanPort
rule CN_Hacktool_ScanPort_Portscanner {
meta:
description = "Detects a chinese Portscanner named ScanPort"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
score = 70
date = "12.10.2014"
id = "a708283e-339c-599f-9321-3b063d0076a9"
strings:
$s0 = "LScanPort" fullword wide
$s1 = "LScanPort Microsoft" fullword wide
$s2 = "www.yupsoft.com" fullword wide
condition:
all of them
}
CN_Hacktool_ScanPort_Portscanner
Detects a chinese Portscanner named ScanPort
rule CN_Hacktool_ScanPort_Portscanner {
meta:
description = "Detects a chinese Portscanner named ScanPort"
author = "Florian Roth"
score = 70
date = "12.10.2014"
strings:
$s0 = "LScanPort" fullword wide
$s1 = "LScanPort Microsoft" fullword wide
$s2 = "www.yupsoft.com" fullword wide
condition:
all of them
}
CN_Honker_ACCESS_brute
Sample from CN Honker Pentest Toolset - file ACCESS_brute.exe
rule CN_Honker_ACCESS_brute {
meta:
description = "Sample from CN Honker Pentest Toolset - file ACCESS_brute.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Disclosed CN Honker Pentest Toolset"
date = "2015-06-23"
score = 70
hash = "f552e05facbeb21cb12f23c34bb1881c43e24c34"
id = "7ceaea93-4f23-50a3-ab39-8149b10ffdad"
strings:
$s1 = ".dns166.co" ascii /* PEStudio Blacklist: strings */
$s2 = "SExecuteA" ascii /* PEStudio Blacklist: strings */
$s3 = "ality/clsCom" ascii
$s4 = "NT_SINK_AddRef" ascii
$s5 = "WINDOWS\\Syswm" ascii
condition:
uint16(0) == 0x5a4d and filesize < 20KB and all of them
}
CN_Honker_ASP_wshell
Sample from CN Honker Pentest Toolset - file wshell.txt
rule CN_Honker_ASP_wshell {
meta:
description = "Sample from CN Honker Pentest Toolset - file wshell.txt"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Disclosed CN Honker Pentest Toolset"
date = "2015-06-23"
score = 70
hash = "3ae33c835e7ea6d9df74fe99fcf1e2fb9490c978"
id = "028136cd-129b-5d58-a4c2-ba730a798c06"
strings:
$s0 = "<%@ LANGUAGE = VBScript.Encode %><%" fullword ascii /* PEStudio Blacklist: strings */
$s1 = "UserPass="
$s2 = "VerName="
$s3 = "StateName="
condition:
uint16(0) == 0x253c and filesize < 200KB and all of them
}
CN_Honker_Alien_D
Script from disclosed CN Honker Pentest Toolset - file D.ASP
rule CN_Honker_Alien_D {
meta:
description = "Script from disclosed CN Honker Pentest Toolset - file D.ASP"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Disclosed CN Honker Pentest Toolset"
date = "2015-06-23"
score = 70
hash = "de9cd4bd72b1384b182d58621f51815a77a5f07d"
id = "88529577-0dea-5aa8-b763-79a69397ddd5"
strings:
$s0 = "Paths_str=\"c:\\windows\\\"&chr(13)&chr(10)&\"c:\\Documents and Settings\\\"&chr" ascii /* PEStudio Blacklist: strings */
$s1 = "CONST_FSO=\"Script\"&\"ing.Fil\"&\"eSyst\"&\"emObject\"" fullword ascii /* PEStudio Blacklist: strings */
$s2 = "Response.Write \"<form id='form1' name='form1' method='post' action=''>\"" fullword ascii /* PEStudio Blacklist: strings */
$s3 = "set getAtt=FSO.GetFile(filepath)" fullword ascii
$s4 = "Response.Write \"<input name='NoCheckTemp' type='checkbox' id='NoCheckTemp' chec" ascii
condition:
filesize < 30KB and 2 of them
}
CN_Honker_Alien_command
Script from disclosed CN Honker Pentest Toolset - file command.txt
rule CN_Honker_Alien_command {
meta:
description = "Script from disclosed CN Honker Pentest Toolset - file command.txt"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Disclosed CN Honker Pentest Toolset"
date = "2015-06-23"
score = 70
hash = "5896b74158ef153d426fba76c2324cd9c261c709"
id = "55dd10c9-f7dc-5ee2-a47d-dab8cc7b60e6"
strings:
$s0 = "for /d %i in (E:\\freehost\\*) do @echo %i" fullword ascii /* PEStudio Blacklist: strings */
$s1 = "/c \"C:\\windows\\temp\\cscript\" C:\\windows\\temp\\iis.vbs" fullword ascii /* PEStudio Blacklist: strings */
condition:
filesize < 8KB and all of them
}
CN_Honker_Alien_ee
Sample from CN Honker Pentest Toolset - file ee.exe
rule CN_Honker_Alien_ee {
meta:
description = "Sample from CN Honker Pentest Toolset - file ee.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Disclosed CN Honker Pentest Toolset"
date = "2015-06-23"
score = 70
hash = "15a7211154ee7aca29529bd5c2500e0d33d7f0b3"
id = "03540f82-6662-55e3-97f8-38776271f08b"
strings:
$s1 = "GetIIS UserName and PassWord." fullword wide /* PEStudio Blacklist: strings */
$s2 = "Read IIS ID For FreeHost." fullword wide /* PEStudio Blacklist: strings */
condition:
uint16(0) == 0x5a4d and filesize < 50KB and all of them
}
CN_Honker_Alien_iispwd
Sample from CN Honker Pentest Toolset - file iispwd.vbs
rule CN_Honker_Alien_iispwd {
meta:
description = "Sample from CN Honker Pentest Toolset - file iispwd.vbs"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Disclosed CN Honker Pentest Toolset"
date = "2015-06-23"
score = 70
hash = "5d157a1b9644adbe0b28c37d4022d88a9f58cedb"
id = "e561c548-c656-5528-a2a8-2798a59ac6bf"
strings:
$s0 = "set IIs=objservice.GetObject(\"IIsWebServer\",childObjectName)" fullword ascii /* PEStudio Blacklist: strings */
$s1 = "wscript.echo \"from : http://www.xxx.com/\" &vbTab&vbCrLf" fullword ascii /* PEStudio Blacklist: strings */
condition:
filesize < 3KB and all of them
}
CN_Honker_Arp_EMP_v1_0
Sample from CN Honker Pentest Toolset - file Arp EMP v1.0.exe
rule CN_Honker_Arp_EMP_v1_0 {
meta:
description = "Sample from CN Honker Pentest Toolset - file Arp EMP v1.0.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Disclosed CN Honker Pentest Toolset"
date = "2015-06-23"
score = 70
hash = "ae4954c142ad1552a2abaef5636c7ef68fdd99ee"
id = "03782e94-4fac-529f-b235-19cdb124d53b"
strings:
$s0 = "Arp EMP v1.0.exe" fullword wide
condition:
uint16(0) == 0x5a4d and filesize < 400KB and all of them
}
CN_Honker_AspxClient
Sample from CN Honker Pentest Toolset - file AspxClient.exe
rule CN_Honker_AspxClient {
meta:
description = "Sample from CN Honker Pentest Toolset - file AspxClient.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Disclosed CN Honker Pentest Toolset"
date = "2015-06-23"
modified = "2022-12-21"
score = 70
hash = "67569a89128f503a459eab3daa2032261507f2d2"
id = "7e38365c-ffe5-5fcd-8bd6-948d255d6e10"
strings:
$s1 = "\\tools\\hashq\\hashq.exe" wide
$s2 = "\\Release\\CnCerT.CCdoor.Client.pdb" ascii
$s3 = "\\myshell.mdb" wide /* PEStudio Blacklist: strings */
$s4 = "injectfile" fullword wide /* PEStudio Blacklist: strings */
condition:
uint16(0) == 0x5a4d and filesize < 1000KB and 3 of them
}
CN_Honker_Baidu_Extractor_Ver1_0
Sample from CN Honker Pentest Toolset - file Baidu_Extractor_Ver1.0.exe
rule CN_Honker_Baidu_Extractor_Ver1_0 {
meta:
description = "Sample from CN Honker Pentest Toolset - file Baidu_Extractor_Ver1.0.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Disclosed CN Honker Pentest Toolset"
date = "2015-06-23"
score = 70
hash = "1899f979360e96245d31082e7e96ccedbdbe1413"
id = "94f3c3d8-aa68-5589-b26f-42315634ff30"
strings:
$s3 = "\\Users\\Admin" wide /* PEStudio Blacklist: strings */
$s11 = "soso.com" fullword wide
$s12 = "baidu.com" fullword wide
$s19 = "cmd /c ping " fullword wide /* PEStudio Blacklist: strings */
condition:
uint16(0) == 0x5a4d and filesize < 500KB and all of them
}
CN_Honker_COOKIE_CooKie
Sample from CN Honker Pentest Toolset - file CooKie.exe
rule CN_Honker_COOKIE_CooKie {
meta:
description = "Sample from CN Honker Pentest Toolset - file CooKie.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Disclosed CN Honker Pentest Toolset"
date = "2015-06-23"
score = 70
hash = "f7727160257e0e716e9f0cf9cdf9a87caa986cde"
id = "5f85bb0f-6df2-512c-ba1a-8a74c1a55563"
strings:
$s4 = "-1 union select 1,username,password,4,5,6,7,8,9,10 from admin" fullword ascii /* PEStudio Blacklist: strings */
$s5 = "CooKie.exe" fullword wide /* PEStudio Blacklist: strings */
condition:
uint16(0) == 0x5a4d and filesize < 360KB and all of them
}
CN_Honker_ChinaChopper
Sample from CN Honker Pentest Toolset - file ChinaChopper.exe
rule CN_Honker_ChinaChopper {
meta:
description = "Sample from CN Honker Pentest Toolset - file ChinaChopper.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Disclosed CN Honker Pentest Toolset"
date = "2015-06-23"
score = 70
hash = "fa347fdb23ab0b8d0560a0d20c434549d78e99b5"
id = "9f7fbaac-65b5-5162-87d1-96ccd9711adb"
strings:
$s1 = "$m=get_magic_quotes_gpc();$sid=$m?stripslashes($_POST[\"z1\"]):$_POST[\"z1\"];$u" wide /* PEStudio Blacklist: strings */
$s3 = "SETP c:\\windows\\system32\\cmd.exe " fullword wide /* PEStudio Blacklist: strings */
$s4 = "Ev al (\"Exe cute(\"\"On+Error+Resume+Next:%s:Response.Write(\"\"\"\"->|\"\"\"\"" wide /* PEStudio Blacklist: strings */
condition:
uint16(0) == 0x5a4d and filesize < 2000KB and 1 of them
}
CN_Honker_ChinaChopper_db
Script from disclosed CN Honker Pentest Toolset - file db.mdb
rule CN_Honker_ChinaChopper_db {
meta:
description = "Script from disclosed CN Honker Pentest Toolset - file db.mdb"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Disclosed CN Honker Pentest Toolset"
date = "2015-06-23"
score = 70
hash = "af79ff2689a6b7a90a5d3c0ebe709e42f2a15597"
id = "1314e204-d3f5-5f0a-bb74-dc774fef3d3c"
strings:
$s1 = "http://www.maicaidao.com/server.phpcaidao" fullword wide /* PEStudio Blacklist: strings */
$s2 = "<O>act=login</O>" fullword wide /* PEStudio Blacklist: strings */
$s3 = "<H>localhost</H>" fullword wide /* PEStudio Blacklist: strings */
condition:
filesize < 340KB and 2 of them
}
CN_Honker_Churrasco
Sample from CN Honker Pentest Toolset - file Churrasco.exe
rule CN_Honker_Churrasco {
meta:
description = "Sample from CN Honker Pentest Toolset - file Churrasco.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Disclosed CN Honker Pentest Toolset"
date = "2015-06-23"
score = 70
hash = "5a3c935d82a5ff0546eff51bb2ef21c88198f5b8"
id = "58873cd6-0c9e-58a0-923a-aca8a1d42017"
strings:
$s0 = "HEAD9 /" ascii
$s1 = "logic_er" fullword ascii
$s6 = "proggam" fullword ascii
$s16 = "DtcGetTransactionManagerExA" fullword ascii /* PEStudio Blacklist: strings */ /* Goodware String - occured 12 times */
$s17 = "GetUserNameA" fullword ascii /* PEStudio Blacklist: strings */ /* Goodware String - occured 305 times */
$s18 = "OLEAUT" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 1276KB and all of them
}
CN_Honker_CleanIISLog
Sample from CN Honker Pentest Toolset - file CleanIISLog.exe
rule CN_Honker_CleanIISLog {
meta:
description = "Sample from CN Honker Pentest Toolset - file CleanIISLog.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Disclosed CN Honker Pentest Toolset"
date = "2015-06-23"
score = 70
hash = "827cd898bfe8aa7e9aaefbe949d26298f9e24094"
id = "3931ba63-faf5-5b44-879c-105cd2812712"
strings:
$s1 = "Usage: CleanIISLog <LogFile>|<.> <CleanIP>|<.>" fullword ascii /* PEStudio Blacklist: strings */
condition:
uint16(0) == 0x5a4d and filesize < 200KB and all of them
}
CN_Honker_CnCerT_CCdoor_CMD
Sample from CN Honker Pentest Toolset - file CnCerT.CCdoor.CMD.dll
rule CN_Honker_CnCerT_CCdoor_CMD {
meta:
description = "Sample from CN Honker Pentest Toolset - file CnCerT.CCdoor.CMD.dll"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Disclosed CN Honker Pentest Toolset"
date = "2015-06-23"
score = 70
hash = "1c6ed7d817fa8e6534a5fd36a94f4fc2f066c9cd"
id = "ddd328a8-7ad8-5b26-9deb-3e5da801cd1b"
strings:
$s2 = "CnCerT.CCdoor.CMD.dll" fullword wide
$s3 = "cmdpath" fullword ascii
$s4 = "Get4Bytes" fullword ascii
$s5 = "ExcuteCmd" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 22KB and all of them
}
CN_Honker_CnCerT_CCdoor_CMD_2
Sample from CN Honker Pentest Toolset - file CnCerT.CCdoor.CMD.dll2
rule CN_Honker_CnCerT_CCdoor_CMD_2 {
meta:
description = "Sample from CN Honker Pentest Toolset - file CnCerT.CCdoor.CMD.dll2"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Disclosed CN Honker Pentest Toolset"
date = "2015-06-23"
score = 70
hash = "7f3a6fb30845bf366e14fa21f7e05d71baa1215a"
id = "2681a989-6504-5ac7-abc9-e6dad2a052c5"
strings:
$s0 = "cmd.dll" fullword wide
$s1 = "cmdpath" fullword ascii
$s2 = "Get4Bytes" fullword ascii
$s3 = "ExcuteCmd" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 22KB and all of them
}
CN_Honker_Codeeer_Explorer
Sample from CN Honker Pentest Toolset - file Codeeer Explorer.exe
rule CN_Honker_Codeeer_Explorer {
meta:
description = "Sample from CN Honker Pentest Toolset - file Codeeer Explorer.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Disclosed CN Honker Pentest Toolset"
date = "2015-06-23"
score = 70
hash = "f32e05f3fefbaa2791dd750e4a3812581ce0f205"
id = "d4a88ae7-c0b2-57d2-a070-3dd748a30a3a"
strings:
$s2 = "Codeeer Explorer.exe" fullword wide /* PEStudio Blacklist: strings */
$s12 = "webBrowser1_ProgressChanged" fullword ascii /* PEStudio Blacklist: strings */
condition:
uint16(0) == 0x5a4d and filesize < 470KB and all of them
}
CN_Honker_CookiesView
Sample from CN Honker Pentest Toolset - file CookiesView.exe
rule CN_Honker_CookiesView {
meta:
description = "Sample from CN Honker Pentest Toolset - file CookiesView.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Disclosed CN Honker Pentest Toolset"
date = "2015-06-23"
score = 70
hash = "c54e1f16d79066edfa0f84e920ed1f4873958755"
id = "71a43797-4b5b-5f87-a70e-ebabc00d9319"
strings:
$s0 = "V1.0 Http://www.darkst.com Code:New4" fullword ascii
$s1 = "[email protected]" fullword ascii
$s2 = "www.baidu.com" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 640KB and all of them
}
Showing 101-150 of 18,880