
YARA rules

18,880 rules indexed · pattern-based malware identification
YARA rules identify and classify malware families through binary patterns, strings, and metadata. Rules below come from multiple open repositories. Expand any rule to see its raw signature.
Using these YARA rules
Deploy. Load them into any YARA-capable scanner: your EDR if it supports YARA, the yara CLI against files or a memory image, VirusTotal Retrohunt, or a host scanner like Loki or THOR.
Adapt. Tighten or loosen the string and condition matches for your false-positive tolerance; a rule written for one campaign can over-match on benign files in a different environment.
Scope. These are for hunting known malware families in files and memory and for triaging samples - not for network traffic or log-based detection, which the IDS and Sigma rules cover.

Rules

50 shown of 18,880
CN_Honker__lcx_HTran2_4_htran20
Sample from CN Honker Pentest Toolset - from files lcx.exe, HTran2.4.exe, htran20.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker__lcx_HTran2_4_htran20 {
	meta:
		description = "Sample from CN Honker Pentest Toolset - from files lcx.exe, HTran2.4.exe, htran20.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		super_rule = 1
		hash0 = "0c8779849d53d0772bbaa1cedeca150c543ebf38"
		hash1 = "524f986692f55620013ab5a06bf942382e64d38a"
		hash2 = "b992bf5b04d362ed3757e90e57bc5d6b2a04e65c"
		id = "c6851e7b-ab64-5578-896e-4d92fb3b2000"
	strings:
		$s1 = "[SERVER]connection to %s:%d error" fullword ascii /* PEStudio Blacklist: strings */
		$s2 = "[+] OK! I Closed The Two Socket." fullword ascii /* PEStudio Blacklist: strings */
		$s3 = "[+] Start Transmit (%s:%d <-> %s:%d) ......" fullword ascii /* PEStudio Blacklist: strings */
	condition:
		uint16(0) == 0x5a4d and filesize < 440KB and all of them
}
CN_Honker__wwwscan_wwwscan_wwwscan_gui
Sample from CN Honker Pentest Toolset - from files wwwscan.exe, wwwscan.exe, wwwscan_gui.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker__wwwscan_wwwscan_wwwscan_gui {
	meta:
		description = "Sample from CN Honker Pentest Toolset - from files wwwscan.exe, wwwscan.exe, wwwscan_gui.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		super_rule = 1
		hash0 = "6dbffa916d0f0be2d34c8415592b9aba690634c7"
		hash1 = "6bed45629c5e54986f2d27cbfc53464108911026"
		hash2 = "897b66a34c58621190cb88e9b2a2a90bf9b71a53"
		id = "02f80151-4dfb-5b14-9145-312a9bd2c609"
	strings:
		$s1 = "GET /nothisexistpage.html HTTP/1.1" fullword ascii
		$s2 = "<Usage>:  %s <HostName|Ip> [Options]" fullword ascii /* PEStudio Blacklist: strings */
	condition:
		uint16(0) == 0x5a4d and filesize < 200KB and all of them
}
CN_Honker_arp3_7_arp3_7
Sample from CN Honker Pentest Toolset - file arp3.7.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_arp3_7_arp3_7 {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file arp3.7.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "db641a9dfec103b98548ac7f6ca474715040f25c"
		id = "a4aeefaf-a097-5ba3-a18f-54a1b9752883"
	strings:
		$s1 = "CnCerT.Net.SKiller.exe" fullword wide /* PEStudio Blacklist: strings */
		$s2 = "www.80sec.com" fullword wide
	condition:
		uint16(0) == 0x5a4d and filesize < 4000KB and all of them
}
CN_Honker_cleaner_cl_2
Sample from CN Honker Pentest Toolset - file cl.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_cleaner_cl_2 {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file cl.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "523084e8975b16e255b56db9af0f9eecf174a2dd"
		id = "9aa36c0a-9e0f-5274-bebe-9179d81b05f7"
	strings:
		$s0 = "cl -eventlog All/Application/System/Security" fullword ascii /* PEStudio Blacklist: strings */
		$s1 = "clear iislog error!" fullword ascii /* PEStudio Blacklist: strings */
	condition:
		uint16(0) == 0x5a4d and filesize < 50KB and all of them
}
CN_Honker_cleaniis
Sample from CN Honker Pentest Toolset - file cleaniis.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_cleaniis {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file cleaniis.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "372bc64c842f6ff0d9a1aa2a2a44659d8b88cb40"
		id = "75f3c33a-e3b8-57bc-a3fd-f8b6491388d8"
	strings:
		$s1 = "iisantidote <logfile dir> <ip or string to hide>" fullword ascii /* PEStudio Blacklist: strings */
		$s4 = "IIS log file cleaner by Scurt" fullword ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 200KB and all of them
}
CN_Honker_clearlogs
Sample from CN Honker Pentest Toolset - file clearlogs.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_clearlogs {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file clearlogs.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		modified = "2023-01-27"
		score = 70
		hash = "490f3bc318f415685d7e32176088001679b0da1b"
		id = "bfbc339e-5530-5984-94de-be1002f09ca1"
	strings:
		$s2 = "- http://ntsecurity.nu/toolbox/clearlogs/" ascii /* PEStudio Blacklist: strings */
		$s4 = "Error: Unable to clear log - " fullword ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 140KB and all of them
}
CN_Honker_dedecms5_7
Sample from CN Honker Pentest Toolset - file dedecms5.7.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_dedecms5_7 {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file dedecms5.7.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "f9cbb25883828ca266e32ff4faf62f5a9f92c5fb"
		id = "b037862d-2821-5e96-996b-13ab241575ba"
	strings:
		$s1 = "/data/admin/ver.txt" fullword ascii /* PEStudio Blacklist: strings */
		$s2 = "SkinH_EL.dll" fullword ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 830KB and all of them
}
CN_Honker_dirdown_dirdown
Sample from CN Honker Pentest Toolset - file dirdown.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_dirdown_dirdown {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file dirdown.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		modified = "2022-12-21"
		score = 70
		hash = "7b8d51c72841532dded5fec7e7b0005855b8a051"
		id = "80f98131-79bf-580d-87ad-a54a3f14b301"
	strings:
		$s0 = "\\Decompress\\obj\\Release\\Decompress.pdb" ascii /* PEStudio Blacklist: strings */
		$s1 = "Decompress.exe" fullword wide
		$s5 = "Get8Bytes" fullword ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 45KB and all of them
}
CN_Honker_exp_iis7
Sample from CN Honker Pentest Toolset - file iis7.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_exp_iis7 {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file iis7.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "0a173c5ece2fd4ac8ecf9510e48e95f43ab68978"
		id = "edfafc9a-032a-5ccb-9a1f-faeab0dfa31d"
	strings:
		$s0 = "\\\\localhost" fullword ascii /* PEStudio Blacklist: strings */
		$s1 = "iis.run" fullword ascii
		$s3 = ">Could not connecto %s" fullword ascii /* PEStudio Blacklist: strings */
		$s4 = "WinSta0\\Default" fullword ascii /* PEStudio Blacklist: strings */ /* Goodware String - occured 22 times */
	condition:
		uint16(0) == 0x5a4d and filesize < 60KB and all of them
}
CN_Honker_exp_ms11011
Sample from CN Honker Pentest Toolset - file ms11011.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_exp_ms11011 {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file ms11011.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "5ad7a4962acbb6b0e3b73d77385eb91feb88b386"
		id = "fc092166-73cd-58f6-b034-a2fe2c5fb859"
	strings:
		$s0 = "\\i386\\Hello.pdb" ascii /* PEStudio Blacklist: strings */
		$s1 = "OS not supported." fullword ascii /* PEStudio Blacklist: strings */
		$s2 = ".Rich5" fullword ascii
		$s3 = "Not supported." fullword wide /* PEStudio Blacklist: strings */ /* Goodware String - occured 3 times */
		$s5 = "cmd.exe" fullword ascii /* PEStudio Blacklist: strings */ /* Goodware String - occured 120 times */
	condition:
		uint16(0) == 0x5a4d and filesize < 100KB and all of them
}
CN_Honker_exp_ms11046
Sample from CN Honker Pentest Toolset - file ms11046.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_exp_ms11046 {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file ms11046.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "f8414a374011fd239a6c6d9c6ca5851cd8936409"
		id = "aafb45f4-3b42-5c8f-8c25-40fd01217e9d"
	strings:
		$s0 = "[*] Token system command" fullword ascii /* PEStudio Blacklist: strings */
		$s1 = "[*] command add user 90sec 90sec" fullword ascii /* PEStudio Blacklist: strings */
		$s2 = "[*] Add to Administrators success" fullword ascii /* PEStudio Blacklist: strings */
		$s3 = "Program: %s%s%s%s%s%s%s%s%s%s%s" fullword ascii /* PEStudio Blacklist: strings */ /* Goodware String - occured 3 times */
	condition:
		uint16(0) == 0x5a4d and filesize < 300KB and all of them
}
CN_Honker_exp_ms11080
Sample from CN Honker Pentest Toolset - file ms11080.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_exp_ms11080 {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file ms11080.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "f0854c49eddf807f3a7381d3b20f9af4a3024e9f"
		id = "2f5ce2f3-3595-5729-be0c-3f6486cb94fd"
	strings:
		$s2 = "[*] command add user 90sec 90sec" fullword ascii /* PEStudio Blacklist: strings */
		$s6 = "[*] Add to Administrators success" fullword ascii /* PEStudio Blacklist: strings */
	condition:
		uint16(0) == 0x5a4d and filesize < 840KB and all of them
}
CN_Honker_exp_win2003
Sample from CN Honker Pentest Toolset - file win2003.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_exp_win2003 {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file win2003.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "47164c8efe65d7d924753fadf6cdfb897a1c03db"
		id = "f64e14dd-714c-5a0f-923d-23a584fe605f"
	strings:
		$s1 = "Usage:system_exp.exe \"cmd\"" fullword ascii /* PEStudio Blacklist: strings */
		$s2 = "The shell \"cmd\" success!" fullword ascii /* PEStudio Blacklist: strings */
		$s4 = "Not Windows NT family OS." fullword ascii /* PEStudio Blacklist: os */
	condition:
		uint16(0) == 0x5a4d and filesize < 100KB and all of them
}
CN_Honker_getlsasrvaddr
Sample from CN Honker Pentest Toolset - file getlsasrvaddr.exe - WCE Amplia Security
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_getlsasrvaddr {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file getlsasrvaddr.exe - WCE Amplia Security"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		modified = "2022-12-21"
		score = 70
		hash = "a897d5da98dae8d80f3c0a0ef6a07c4b42fb89ce"
		id = "fa0c0376-c5c3-5b48-b03e-86cefb547479"
	strings:
		$s8 = "pingme.txt" fullword ascii /* PEStudio Blacklist: strings */
		$s16 = ".\\lsasrv.pdb" ascii
		$s20 = "Addresses Found: " fullword ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 100KB and all of them
}
CN_Honker_hashq_Hashq
Sample from CN Honker Pentest Toolset - file Hashq.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_hashq_Hashq {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file Hashq.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "7518b647db5275e8a9e0bf4deda3d853cc9d5661"
		id = "4f435edf-28bf-5195-bc22-0d2a7302b312"
	strings:
		$s1 = "Hashq.exe" fullword wide
		$s5 = "CnCert.Net" fullword wide
		$s6 = "Md5 query tool" fullword wide /* PEStudio Blacklist: strings */
	condition:
		uint16(0) == 0x5a4d and filesize < 600KB and all of them
}
CN_Honker_hkmjjiis6
Sample from CN Honker Pentest Toolset - file hkmjjiis6.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_hkmjjiis6 {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file hkmjjiis6.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		modified = "2023-01-27"
		score = 70
		hash = "4cbc6344c6712fa819683a4bd7b53f78ea4047d7"
		id = "badf8224-4f09-57aa-ab16-0d70e0b3f88c"
	strings:
		$s14 = "* FROM IIsWebInfo/r" fullword ascii
		$s19 = "ltithread4ck/" ascii
		$s20 = "LookupAcc=Sid#" fullword ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 175KB and all of them
}
CN_Honker_hxdef100
Sample from CN Honker Pentest Toolset - file hxdef100.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_hxdef100 {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file hxdef100.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "bf30ccc565ac40073b867d4c7f5c33c6bc1920d6"
		id = "3b931752-85ae-52d0-9deb-1a1b03b39e32"
	strings:
		$s6 = "BACKDOORSHELL" fullword ascii /* PEStudio Blacklist: strings */
		$s15 = "%tmpdir%" fullword ascii
		$s16 = "%cmddir%" fullword ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 200KB and all of them
}
CN_Honker_lcx_lcx
Sample from CN Honker Pentest Toolset - HTRAN - file lcx.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_lcx_lcx {
	meta:
		description = "Sample from CN Honker Pentest Toolset - HTRAN - file lcx.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "0c8779849d53d0772bbaa1cedeca150c543ebf38"
		id = "6c2e1e85-6387-5be2-b7b2-5ae8a5cca6df"
	strings:
		$s1 = "%s -<listen|tran|slave> <option> [-log logfile]" fullword ascii /* PEStudio Blacklist: strings */
		$s2 = "=========== Code by lion & bkbll" ascii
		$s3 = "Welcome to [url]http://www.cnhonker.com[/url] " ascii
		$s4 = "-tran   <ConnectPort> <TransmitHost> <TransmitPort>" fullword ascii /* PEStudio Blacklist: strings */
		$s5 = "[+] Start Transmit (%s:%d <-> %s:%d) ......" fullword ascii /* PEStudio Blacklist: strings */
	condition:
		uint16(0) == 0x5a4d and filesize < 30KB and 1 of them
}
CN_Honker_linux_bin
Script from disclosed CN Honker Pentest Toolset - file linux_bin
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_linux_bin {
    meta:
        description = "Script from disclosed CN Honker Pentest Toolset - file linux_bin"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "26e71e6ebc6a3bdda9467ce929610c94de8a7ca0"
        id = "3c56a4a8-6392-517c-a16e-63785799acb9"
    strings:
        $s1 = "client.sin_port = htons(atoi(argv[3]));" fullword ascii /* PEStudio Blacklist: strings */
        $s2 = "printf(\"\\n\\n*********Waiting Client connect*****\\n\\n\");" fullword ascii /* PEStudio Blacklist: strings */
    condition:
        filesize < 20KB and all of them
}
CN_Honker_mafix_root
Script from disclosed CN Honker Pentest Toolset - file root
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_mafix_root {
    meta:
        description = "Script from disclosed CN Honker Pentest Toolset - file root"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "826778ef9c22177d41698b467586604e001fed19"
        id = "ae08b2e9-4d81-5f15-88d2-e2ace20626bf"
    strings:
        $s0 = "echo \"# vbox (voice box) getty\" >> /tmp/.init1" fullword ascii /* PEStudio Blacklist: strings */
        $s1 = "cp /var/log/tcp.log $HOMEDIR/.owned/bex2/snifflog" fullword ascii
        $s2 = "if [ -f /sbin/xlogin ]; then" fullword ascii /* PEStudio Blacklist: strings */
    condition:
        filesize < 96KB and all of them
}
CN_Honker_mempodipper2_6
Sample from CN Honker Pentest Toolset - file mempodipper2.6.39
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_mempodipper2_6 {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file mempodipper2.6.39"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "ba2c79911fe48660898039591e1742b3f1a9e923"
		id = "43a27968-adab-5f27-9b8c-8f0f895f0576"
	strings:
		$s0 = "objdump -d /bin/su|grep '<exit@plt>'|head -n 1|cut -d ' ' -f 1|sed" ascii /* PEStudio Blacklist: strings */
	condition:
		filesize < 30KB and all of them
}
CN_Honker_ms10048_x64
Sample from CN Honker Pentest Toolset - file ms10048-x64.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_ms10048_x64 {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file ms10048-x64.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "418bec3493c85e3490e400ecaff5a7760c17a0d0"
		id = "b65b0bad-d74c-5e7a-a613-69ef80585c23"
	strings:
		$s1 = "[ ] Creating evil window" fullword ascii
		$s2 = "[+] Set to %d exploit half succeeded" fullword ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 125KB and all of them
}
CN_Honker_ms10048_x86
Sample from CN Honker Pentest Toolset - file ms10048-x86.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_ms10048_x86 {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file ms10048-x86.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "e57b453966e4827e2effa4e153f2923e7d058702"
		id = "5d572d35-d2e5-5457-89d9-fbce8f8fa552"
	strings:
		$s1 = "[+] Set to %d exploit half succeeded" fullword ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 30KB and all of them
}
CN_Honker_ms11080_withcmd
Sample from CN Honker Pentest Toolset - file ms11080_withcmd.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_ms11080_withcmd {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file ms11080_withcmd.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "745e5058acff27b09cfd6169caf6e45097881a49"
		id = "38c12697-7e52-5713-a566-6047abfa229b"
	strings:
		$s1 = "Usage : ms11-080.exe cmd.exe Command " fullword ascii /* PEStudio Blacklist: strings */
		$s3 = "[>] create pipe error" fullword ascii /* PEStudio Blacklist: strings */
	condition:
		uint16(0) == 0x5a4d and filesize < 340KB and all of them
}
CN_Honker_mssqlpw_scan
Script from disclosed CN Honker Pentest Toolset - file mssqlpw scan.txt
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_mssqlpw_scan {
    meta:
        description = "Script from disclosed CN Honker Pentest Toolset - file mssqlpw scan.txt"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "e49def9d72bfef09a639ef3f7329083a0b8b151c"
        id = "7dc29d06-e1e7-527f-b9e5-d75f660fd73e"
    strings:
        $s0 = "response.Write(\"I Get it ! Password is <font color=red>\" & str & \"</font><BR>" ascii /* PEStudio Blacklist: strings */
        $s1 = "response.Write \"Done!<br>Process \" & tTime & \" s\"" fullword ascii /* PEStudio Blacklist: strings */
    condition:
        filesize < 6KB and all of them
}
CN_Honker_mysql_injectV1_1_Creak
Sample from CN Honker Pentest Toolset - file mysql_injectV1.1_Creak.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_mysql_injectV1_1_Creak {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file mysql_injectV1.1_Creak.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "a1f066789f48a76023598c5777752c15f91b76b0"
		id = "39025a57-557a-53c0-bfdb-81fe83f824af"
	strings:
		$s0 = "1http://192.169.200.200:2217/mysql_inject.php?id=1" fullword ascii /* PEStudio Blacklist: strings */
		$s12 = "OnGetPassword" fullword ascii /* PEStudio Blacklist: strings */
	condition:
		uint16(0) == 0x5a4d and filesize < 5890KB and all of them
}
CN_Honker_nc_MOVE
Script from disclosed CN Honker Pentest Toolset - file MOVE.txt
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_nc_MOVE {
    meta:
        description = "Script from disclosed CN Honker Pentest Toolset - file MOVE.txt"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "4195370c103ca467cddc8f2724a8e477635be424"
        id = "115d1ec9-6c4f-587e-977c-cd24ada89ab6"
    strings:
        $s0 = "Destination: http://202.113.20.235/gj/images/2.asp" fullword ascii /* PEStudio Blacklist: strings */
        $s1 = "HOST: 202.113.20.235" fullword ascii /* PEStudio Blacklist: strings */
        $s2 = "MOVE /gj/images/A.txt HTTP/1.1" fullword ascii
    condition:
        filesize < 1KB and all of them
}
CN_Honker_net_packet_capt
Sample from CN Honker Pentest Toolset - file net_packet_capt.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_net_packet_capt {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file net_packet_capt.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "2d45a2bd9e74cf14c1d93fff90c2b0665f109c52"
		id = "16e19be7-3805-5e2b-baa6-20554fb7a5cf"
	strings:
		$s1 = "(*.sfd)" fullword ascii
		$s2 = "GetLaBA" fullword ascii
		$s3 = "GAIsProcessorFeature" fullword ascii /* PEStudio Blacklist: strings */ /* Goodware String - occured 1 times */
		$s4 = "- Gablto " ascii
		$s5 = "PaneWyedit" fullword ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 50KB and all of them
}
CN_Honker_net_priv_esc2
Sample from CN Honker Pentest Toolset - file net-priv-esc2.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_net_priv_esc2 {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file net-priv-esc2.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "4851e0088ad38ac5b3b1c75302a73698437f7f17"
		id = "b4fa3129-57a3-55ee-8ca6-ecbcc135184e"
	strings:
		$s1 = "Usage:%s username password" fullword ascii /* PEStudio Blacklist: strings */
		$s2 = "<www.darkst.com>" fullword ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 17KB and all of them
}
CN_Honker_no_net_priv_esc_AddUser
Sample from CN Honker Pentest Toolset - file AddUser.dll
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_no_net_priv_esc_AddUser {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file AddUser.dll"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "4c95046be6ae40aee69a433e9a47f824598db2d4"
		id = "0f99914c-9349-5870-a3e0-3a5079efdecf"
	strings:
		$s0 = "PECompact2" fullword ascii /* PEStudio Blacklist: strings */
		$s1 = "adduser" fullword ascii
		$s5 = "OagaBoxA" fullword ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 115KB and all of them
}
CN_Honker_passwd_dict_3389
Script from disclosed CN Honker Pentest Toolset - file 3389.txt
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_passwd_dict_3389 {
    meta:
        description = "Script from disclosed CN Honker Pentest Toolset - file 3389.txt"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "2897e909e48a9f56ce762244c3a3e9319e12362f"
        id = "9418f0e5-7bf0-5df3-8857-dea90fae5a54"
    strings:
        $s0 = "654321" fullword ascii /* reversed goodware string '123456' */
        $s1 = "admin123" fullword ascii /* PEStudio Blacklist: strings */
        $s2 = "admin123456" fullword ascii /* PEStudio Blacklist: strings */
        $s3 = "administrator" fullword ascii /* PEStudio Blacklist: strings */ /* Goodware String - occured 2 times */
        $s4 = "passwd" fullword ascii /* PEStudio Blacklist: strings */ /* Goodware String - occured 42 times */
        $s5 = "password" fullword ascii /* PEStudio Blacklist: strings */ /* Goodware String - occured 244 times */
        $s7 = "12345678" fullword ascii /* Goodware String - occured 29 times */
    condition:
        filesize < 1KB and all of them
}
CN_Honker_portRecall_bc
Script from disclosed CN Honker Pentest Toolset - file bc.pl
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_portRecall_bc {
    meta:
        description = "Script from disclosed CN Honker Pentest Toolset - file bc.pl"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "2084990406398afd856b2309c7f579d7d61c3767"
        id = "ea74f260-87e6-5027-b558-628949cae32a"
    strings:
        $s0 = "print \"[*] Connected to remote host \\n\"; " fullword ascii /* PEStudio Blacklist: strings */
        $s1 = "print \"Usage: $0 [Host] [Port] \\n\\n\";  " fullword ascii /* PEStudio Blacklist: strings */
        $s5 = "print \"[*] Resolving HostName\\n\"; " fullword ascii /* PEStudio Blacklist: strings */
    condition:
        filesize < 10KB and all of them
}
CN_Honker_portRecall_pr
Script from disclosed CN Honker Pentest Toolset - file pr
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_portRecall_pr {
    meta:
        description = "Script from disclosed CN Honker Pentest Toolset - file pr"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "583cf6dc2304121d835f2879803a22fea76930f3"
        id = "1e137ed0-3af6-5b01-a27b-87bf42359887"
    strings:
        $s1 = "Usage: Same as lcx.exe in win32 :)" fullword ascii
        $s2 = "connect to client" fullword ascii /* PEStudio Blacklist: strings */
        $s3 = "PR(Packet redirection) for linux " fullword ascii /* PEStudio Blacklist: strings */
    condition:
        filesize < 70KB and all of them
}
CN_Honker_pr_debug
Sample from CN Honker Pentest Toolset - file debug.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_pr_debug {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file debug.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "d11e6c6f675b3be86e37e50184dadf0081506a89"
		id = "6d759818-b762-56f4-8475-82a7d18a659c"
	strings:
		$s1 = "-->Got WMI process Pid: %d " ascii /* PEStudio Blacklist: strings */
		$s2 = "This exploit will execute \"net user temp 123456 /add & net localg" ascii /* PEStudio Blacklist: strings */
	condition:
		uint16(0) == 0x5a4d and filesize < 820KB and all of them
}
CN_Honker_safe3wvs_cgiscan
Sample from CN Honker Pentest Toolset - file cgiscan.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_safe3wvs_cgiscan {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file cgiscan.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "f94bbf2034ad9afa43cca3e3a20f142e0bb54d75"
		id = "a9f7a195-deb8-5887-bc55-d1b0cac43182"
	strings:
		$s2 = "httpclient.exe" fullword wide
		$s3 = "www.safe3.com.cn" fullword wide
	condition:
		uint16(0) == 0x5a4d and filesize < 357KB and all of them
}
CN_Honker_shell_brute_tool
Sample from CN Honker Pentest Toolset - file shell_brute_tool.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_shell_brute_tool {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file shell_brute_tool.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "f6903a15453698c35dce841e4d09c542f9480f01"
		id = "80fd0c9f-0ed9-5308-ac72-65b9b3b47ed1"
	strings:
		$s0 = "http://24hack.com/xyadmin.asp" fullword ascii /* PEStudio Blacklist: strings */
		$s1 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)" fullword ascii /* PEStudio Blacklist: agent */
	condition:
		uint16(0) == 0x5a4d and filesize < 1000KB and all of them
}
CN_Honker_sig_3389_2_3389
Sample from CN Honker Pentest Toolset - file 3389.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_sig_3389_2_3389 {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file 3389.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "48d1974215e5cb07d1faa57e37afa91482b5a376"
		id = "8b2f5f6d-4d7b-561c-bd77-2de351e5aca8"
	strings:
		$s1 = "C:\\Documents and Settings\\Administrator\\" ascii /* PEStudio Blacklist: strings */
		$s2 = "net user guest /active:yes" fullword ascii /* PEStudio Blacklist: strings */
		$s3 = "\\Microsoft Word.exe" ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 80KB and all of them
}
CN_Honker_sig_3389_3389
Script from disclosed CN Honker Pentest Toolset - file 3389.vbs
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_sig_3389_3389 {
    meta:
        description = "Script from disclosed CN Honker Pentest Toolset - file 3389.vbs"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "f92b74f41a2138cc05c6b6993bcc86c706017e49"
        id = "6d385820-befe-5e2b-8c48-ad90564d5f42"
    strings:
        $s1 = "success = obj.run(\"cmd /c takeown /f %SystemRoot%\\system32\\sethc.exe&echo y| " ascii /* PEStudio Blacklist: strings */
    condition:
        filesize < 10KB and all of them
}
CN_Honker_sig_3389_3389_2
Script from disclosed CN Honker Pentest Toolset - file 3389.bat
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_sig_3389_3389_2 {
    meta:
        description = "Script from disclosed CN Honker Pentest Toolset - file 3389.bat"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "5ff92f39ade12f8ba6cb75dfdc9bb907e49f0ebd"
        id = "f449f632-3102-5e62-b790-5546698dd663"
    strings:
        $s1 = "@del c:\\termsrvhack.dll" fullword ascii
        $s2 = "@del c:\\3389.txt" fullword ascii
    condition:
        filesize < 3KB and all of them
}
CN_Honker_sig_3389_3389_3
Script from disclosed CN Honker Pentest Toolset - file 3389.bat
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_sig_3389_3389_3 {
    meta:
        description = "Script from disclosed CN Honker Pentest Toolset - file 3389.bat"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "cfedec7bd327897694f83501d76063fe16b13450"
        id = "ff61a5cb-6089-5632-a65d-09f4ffd99857"
    strings:
        $s1 = "echo \"fDenyTSConnections\"=dword:00000000>>3389.reg " fullword ascii /* PEStudio Blacklist: strings */
        $s2 = "echo \"PortNumber\"=dword:00000d3d>>3389.reg " fullword ascii /* PEStudio Blacklist: strings */
        $s3 = "echo [HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server]>>" ascii /* PEStudio Blacklist: strings */
    condition:
        filesize < 2KB and all of them
}
CN_Honker_sig_3389_80_AntiFW
Sample from CN Honker Pentest Toolset - file AntiFW.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_sig_3389_80_AntiFW {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file AntiFW.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "5fbc75900e48f83d0e3592ea9fa4b70da72ccaa3"
		id = "761bed41-e8e6-585b-8fde-a6b6a56445d6"
	strings:
		$s1 = "Set TS to port:80 Successfully!" fullword ascii /* PEStudio Blacklist: strings */
		$s2 = "Now,set TS to port 80" fullword ascii /* PEStudio Blacklist: strings */
		$s3 = "echo. >>amethyst.reg" fullword ascii
		$s4 = "del amethyst.reg" fullword ascii
		$s5 = "AntiFW.cpp" fullword ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 30KB and 2 of them
}
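As an added example (my own illustration, not code from signature-base or from the CN Honker tools), the Python evaluator below transcribes two of the rules above, CN_Honker_safe3wvs_cgiscan (`fullword wide`, `all of them`) and CN_Honker_sig_3389_80_AntiFW (`2 of them`), and runs them over constructed byte samples to show how the `uint16(0) == 0x5a4d` header check, the `filesize` bound, the `fullword` boundary test and the `ascii`/`wide` modifiers decide a match. It is a simplified model of YARA's semantics for reading these rules, not a substitute for the `yara` CLI; the samples are synthetic, not real toolset binaries.

```python
# Added example, not part of signature-base: a minimal evaluator for the
# subset of YARA semantics the CN_Honker rules rely on, run over constructed
# byte samples. Rule names and strings are copied from the rules above; the
# evaluator and the samples are illustration only.
KB = 1024


def _is_alnum(chunk: bytes, wide: bool) -> bool:
    """Is the neighbouring character alphanumeric (the fullword boundary test)?
    For wide strings the neighbour is one UTF-16LE unit: ASCII byte + 0x00."""
    if wide:
        return len(chunk) == 2 and chunk[1] == 0 and chunk[:1].isalnum()
    return len(chunk) == 1 and chunk.isalnum()


def string_matches(data: bytes, pattern: str, wide: bool = False,
                   fullword: bool = False) -> bool:
    """Approximate YARA string matching for ascii/wide plus optional fullword."""
    needle = pattern.encode("utf-16-le") if wide else pattern.encode("ascii")
    step = 2 if wide else 1
    start = 0
    while (idx := data.find(needle, start)) >= 0:
        if not fullword:
            return True
        before = data[idx - step:idx] if idx >= step else b""
        after = data[idx + len(needle):idx + len(needle) + step]
        if not _is_alnum(before, wide) and not _is_alnum(after, wide):
            return True
        start = idx + 1  # keep looking for a properly delimited occurrence
    return False


# Two rules transcribed from the listing: one uses `all of them` with wide
# strings, the other `2 of them` over five ascii strings.
RULES = {
    "CN_Honker_safe3wvs_cgiscan": {
        "strings": [("httpclient.exe", {"wide": True, "fullword": True}),
                    ("www.safe3.com.cn", {"wide": True, "fullword": True})],
        "max_size": 357 * KB, "require_mz": True, "min_matches": None,
    },
    "CN_Honker_sig_3389_80_AntiFW": {
        "strings": [("Set TS to port:80 Successfully!", {"fullword": True}),
                    ("Now,set TS to port 80", {"fullword": True}),
                    ("echo. >>amethyst.reg", {"fullword": True}),
                    ("del amethyst.reg", {"fullword": True}),
                    ("AntiFW.cpp", {"fullword": True})],
        "max_size": 30 * KB, "require_mz": True, "min_matches": 2,
    },
}


def evaluate(rule: dict, data: bytes) -> bool:
    # uint16(0) == 0x5a4d is read little-endian, i.e. the two bytes b"MZ".
    if rule["require_mz"] and data[:2] != b"MZ":
        return False
    if len(data) >= rule["max_size"]:  # filesize < N KB
        return False
    hits = sum(string_matches(data, pat, **opts) for pat, opts in rule["strings"])
    needed = rule["min_matches"] or len(rule["strings"])  # `N of them` / `all of them`
    return hits >= needed


def scan(data: bytes) -> list:
    """Names of the rules that fire on `data`, sorted."""
    return sorted(name for name, rule in RULES.items() if evaluate(rule, data))


def build_sample(ascii_strings=(), wide_strings=(), mz=True, pad=0) -> bytes:
    """Constructed input: a fake header, filler, the chosen strings each
    delimited by NULs (so fullword holds), and optional padding."""
    body = (b"MZ" if mz else b"\x7fELF") + b"\x90" * 64
    for s in ascii_strings:
        body += b"\x00" + s.encode("ascii") + b"\x00"
    for s in wide_strings:
        body += b"\x00\x00" + s.encode("utf-16-le") + b"\x00\x00"
    return body + b"\x00" * pad


# Constructed samples (synthetic, not real CN Honker binaries).
SAMPLE_ANTIFW = build_sample(["Now,set TS to port 80", "AntiFW.cpp"])
SAMPLE_CGISCAN = build_sample(wide_strings=["httpclient.exe", "www.safe3.com.cn"])
SAMPLE_CGISCAN_ASCII = build_sample(["httpclient.exe", "www.safe3.com.cn"])
SAMPLE_NOT_FULLWORD = build_sample(["Now,set TS to port 80", "XAntiFW.cppY"])
SAMPLE_TOO_BIG = build_sample(["Now,set TS to port 80", "AntiFW.cpp"], pad=30 * KB)

if __name__ == "__main__":
    for name, sample in [("antifw", SAMPLE_ANTIFW), ("cgiscan", SAMPLE_CGISCAN),
                         ("cgiscan-ascii", SAMPLE_CGISCAN_ASCII),
                         ("not-fullword", SAMPLE_NOT_FULLWORD),
                         ("too-big", SAMPLE_TOO_BIG)]:
        print(f"{name:14s} -> {scan(sample)}")
```

Three of the five samples deliberately miss: the cgiscan strings stored as plain ASCII do not satisfy the `wide` modifier, `XAntiFW.cppY` fails the `fullword` boundary so AntiFW only reaches 1 of 2 required strings, and padding the AntiFW sample past 30 KB defeats the `filesize` bound. When you loosen a rule for your environment (the "Adapt" step), these are the three knobs that most often change its false-positive profile.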
CN_Honker_sig_3389_DUBrute_v3_0_RC3_2_0
Sample from CN Honker Pentest Toolset - file 2.0.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_sig_3389_DUBrute_v3_0_RC3_2_0 {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file 2.0.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "e8ee982421ccff96121ffd24a3d84e3079f3750f"
		id = "dda5eea9-da79-5f1f-bbac-9f05ba7e71c9"
	strings:
		$s0 = "IP - %d; Login - %d; Password - %d; Combination - %d" fullword ascii /* PEStudio Blacklist: strings */
		$s3 = "Create %d IP@Loginl;Password" fullword ascii /* PEStudio Blacklist: strings */
		$s15 = "UBrute.com" fullword ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 980KB and 2 of them
}
CN_Honker_sig_3389_DUBrute_v3_0_RC3_3_0
Sample from CN Honker Pentest Toolset - file 3.0.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_sig_3389_DUBrute_v3_0_RC3_3_0 {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file 3.0.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "49b311add0940cf183e3c7f3a41ea6e516bf8992"
		id = "994ad7e9-2019-54b3-84e6-2762a700c939"
	strings:
		$s0 = "explorer.exe http://bbs.yesmybi.net" fullword ascii /* PEStudio Blacklist: strings */
		$s1 = "LOADER ERROR" fullword ascii /* PEStudio Blacklist: strings */
		$s9 = "CryptGenRandom" fullword ascii /* PEStudio Blacklist: strings */ /* Goodware String - occured 581 times */
	condition:
		uint16(0) == 0x5a4d and filesize < 395KB and all of them
}
CN_Honker_sig_3389_mstsc_MSTSCAX
Sample from CN Honker Pentest Toolset - file MSTSCAX.DLL
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_sig_3389_mstsc_MSTSCAX {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file MSTSCAX.DLL"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "2fa006158b2d87b08f1778f032ab1b8e139e02c6"
		id = "9508b613-f897-5277-97e0-30e36fb5d747"
	strings:
		$s1 = "ResetPasswordWWWx" fullword ascii /* PEStudio Blacklist: strings */
		$s2 = "Terminal Server Redirected Printer Doc" fullword wide /* PEStudio Blacklist: strings */
		$s3 = "Cleaning temp directory" fullword ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 1000KB and all of them
}
CN_Honker_sig_3389_xp3389
Sample from CN Honker Pentest Toolset - file xp3389.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_sig_3389_xp3389 {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file xp3389.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "d776eb7596803b5b94098334657667d34b60d880"
		id = "75d23c63-ba9e-55fd-90fe-5e054d28a777"
	strings:
		$s1 = "echo \"fdenytsconnections\"=dword:00000000 >> c:\\reg.reg" fullword ascii /* PEStudio Blacklist: strings */
		$s2 = "echo [HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server] >" ascii /* PEStudio Blacklist: strings */
		$s3 = "echo \"Tsenabled\"=dword:00000001 >> c:\\reg.reg" fullword ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 20KB and all of them
}
CN_Honker_smsniff_smsniff
Sample from CN Honker Pentest Toolset - file smsniff.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_smsniff_smsniff {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file smsniff.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "8667a785a8ced76d0284d225be230b5f1546f140"
		id = "fef242d5-b274-5217-a5d1-1a6ec38d0fdd"
	strings:
		$s1 = "smsniff.exe" fullword wide
		$s5 = "SmartSniff" fullword wide
	condition:
		uint16(0) == 0x5a4d and filesize < 267KB and all of them
}
CN_Honker_struts2_catbox
Sample from CN Honker Pentest Toolset - file catbox.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_struts2_catbox {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file catbox.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "ee8fbd91477e056aef34fce3ade474cafa1a4304"
		id = "24df7a11-5ec4-5e7b-86f6-6195ca01b8f9"
	strings:
		$s6 = "'Toolmao box by gainover www.toolmao.com" fullword ascii
		$s20 = "{external.exeScript(_toolmao_bgscript[i],'javascript',false);}}" fullword ascii /* PEStudio Blacklist: strings */
	condition:
		uint16(0) == 0x5a4d and filesize < 8160KB and all of them
}
CN_Honker_super_Injection1
Sample from CN Honker Pentest Toolset - file super Injection1.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_super_Injection1 {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file super Injection1.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "8ff2df40c461f6c42b92b86095296187f2b59b14"
		id = "ad84c5a0-4f03-5040-bdf7-819b40a08ad2"
	strings:
		$s2 = "Invalid owner=This control requires version 4.70 or greater of COMCTL32.DLL" fullword wide /* PEStudio Blacklist: strings */
		$s3 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)" fullword ascii /* PEStudio Blacklist: agent */
		$s4 = "ScanInject.log" fullword ascii /* PEStudio Blacklist: strings */
	condition:
		uint16(0) == 0x5a4d and filesize < 2000KB and all of them
}
CN_Honker_syconfig
Script from disclosed CN Honker Pentest Toolset - file syconfig.dll
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_syconfig {
    meta:
        description = "Script from disclosed CN Honker Pentest Toolset - file syconfig.dll"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "ff75353df77d610d3bccfbffb2c9dfa258b2fac9"
        id = "3850007d-20d5-5b10-a549-dc4655877c6e"
    strings:
        $s9 = "Hashq.CrackHost+FormUnit" fullword ascii /* PEStudio Blacklist: strings */
    condition:
        uint16(0) == 0x0100 and filesize < 18KB and all of them
}
CN_Honker_termsrvhack
Sample from CN Honker Pentest Toolset - file termsrvhack.dll
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_termsrvhack {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file termsrvhack.dll"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "1c456520a7b7faf71900c71167038185f5a7d312"
		id = "4fd582a1-3c6d-57a1-bba0-f775bb61ef00"
	strings:
		$s1 = "The terminal server cannot issue a client license.  It was unable to issue the" wide /* PEStudio Blacklist: strings */
		$s6 = "%s\\%s\\%d\\%d" fullword wide
	condition:
		uint16(0) == 0x5a4d and filesize < 1052KB and all of them
}
Showing 301-350 of 18,880