YARA rules
18,880 rules indexed · pattern-based malware identification
YARA rules identify and classify malware families through binary patterns, strings, and metadata. Rules below come from multiple open repositories. Expand any rule to see its raw signature.
Using these YARA rules
Deploy. Load them into any YARA-capable scanner: your EDR if it supports YARA, the yara CLI against files or a memory image, VirusTotal Retrohunt, or a host scanner like Loki or THOR.
Adapt. Tighten or loosen the string and condition matches for your false-positive tolerance; a rule written for one campaign can over-match on benign files in a different environment.
Scope. These are for hunting known malware families in files and memory and for triaging samples - not for network traffic or log-based detection, which the IDS and Sigma rules cover.
Rules
50 shown of 18,880
CN_Honker_windows_exp
Sample from CN Honker Pentest Toolset - file exp.exe
rule CN_Honker_windows_exp {
meta:
description = "Sample from CN Honker Pentest Toolset - file exp.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Disclosed CN Honker Pentest Toolset"
date = "2015-06-23"
score = 70
hash = "04334c396b165db6e18e9b76094991d681e6c993"
id = "148900d0-cf62-5cb0-adbc-52fa8ce8832e"
strings:
$s0 = "c:\\windows\\system32\\command.com /c " fullword ascii /* PEStudio Blacklist: strings */
$s8 = "OH,Sry.Too long command." fullword ascii /* PEStudio Blacklist: strings */
condition:
uint16(0) == 0x5a4d and filesize < 220KB and all of them
}
CN_Honker_windows_mstsc_enhanced_RMDSTC
Sample from CN Honker Pentest Toolset - file RMDSTC.exe
rule CN_Honker_windows_mstsc_enhanced_RMDSTC {
meta:
description = "Sample from CN Honker Pentest Toolset - file RMDSTC.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Disclosed CN Honker Pentest Toolset"
date = "2015-06-23"
score = 70
hash = "3ca2b1b6f31219baf172abcc8f00f07f560e465f"
id = "f6e94327-cb79-5a7a-88bb-850177558978"
strings:
$s0 = "zava [email protected]" fullword wide
$s1 = "By newccc" fullword wide
condition:
uint16(0) == 0x5a4d and filesize < 400KB and all of them
}
CN_Honker_wwwscan_1_wwwscan
Sample from CN Honker Pentest Toolset - file wwwscan.exe
rule CN_Honker_wwwscan_1_wwwscan {
meta:
description = "Sample from CN Honker Pentest Toolset - file wwwscan.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Disclosed CN Honker Pentest Toolset"
date = "2015-06-23"
score = 70
hash = "6bed45629c5e54986f2d27cbfc53464108911026"
id = "8b6a94a3-6f9c-59b2-931b-c06701b95d59"
strings:
$s0 = "%s www.target.com -p 8080 -m 10 -t 16" fullword ascii /* PEStudio Blacklist: strings */
$s3 = "GET /nothisexistpage.html HTTP/1.1" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 180KB and all of them
}
CN_Honker_wwwscan_gui
Sample from CN Honker Pentest Toolset - file wwwscan_gui.exe
rule CN_Honker_wwwscan_gui {
meta:
description = "Sample from CN Honker Pentest Toolset - file wwwscan_gui.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Disclosed CN Honker Pentest Toolset"
date = "2015-06-23"
score = 70
hash = "897b66a34c58621190cb88e9b2a2a90bf9b71a53"
id = "fffed806-4394-505a-96bd-50bf6f24aefc"
strings:
$s1 = "%s www.target.com -p 8080 -m 10 -t 16" fullword ascii /* PEStudio Blacklist: strings */
$s2 = "/eye2007Admin_login.aspx" fullword ascii /* PEStudio Blacklist: strings */
condition:
uint16(0) == 0x5a4d and filesize < 280KB and all of them
}
CN_Packed_Scanner
Suspiciously packed executable
rule CN_Packed_Scanner {
meta:
description = "Suspiciously packed executable"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
hash = "6323b51c116a77e3fba98f7bb7ff4ac6"
score = 40
date = "06.10.2014"
id = "a11c4ee6-7244-5601-af26-a45f9fdc8e1b"
strings:
$s1 = "kernel32.dll" fullword ascii
$s2 = "CRTDLL.DLL" fullword ascii
$s3 = "__GetMainArgs" fullword ascii
$s4 = "WS2_32.DLL" fullword ascii
condition:
all of them and filesize < 180KB and filesize > 70KB
}
CN_Packed_Scanner
Suspiciously packed executable
rule CN_Packed_Scanner {
meta:
description = "Suspiciously packed executable"
author = "Florian Roth"
hash = "6323b51c116a77e3fba98f7bb7ff4ac6"
score = 40
date = "06.10.2014"
strings:
$s1 = "kernel32.dll" fullword ascii
$s2 = "CRTDLL.DLL" fullword ascii
$s3 = "__GetMainArgs" fullword ascii
$s4 = "WS2_32.DLL" fullword ascii
condition:
all of them and filesize < 180KB and filesize > 70KB
}
CN_Portscan
CN Port Scanner
rule CN_Portscan: APT {
meta:
description = "CN Port Scanner"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
date = "2013-11-29"
confidential = false
score = 70
id = "fb52a89a-2270-5170-9874-9278a0177454"
strings:
$s2 = "TCP 12.12.12.12"
condition:
uint16(0) == 0x5A4D and $s2
}
CN_Portscan
CN Port Scanner
rule CN_Portscan : APT
{
meta:
description = "CN Port Scanner"
author = "Florian Roth"
release_date = "2013-11-29"
confidential = false
score = 70
strings:
$s1 = "MZ"
$s2 = "TCP 12.12.12.12"
condition:
($s1 at 0) and $s2
}
CN_Tools_MyUPnP
Chinese Hacktool Set - file MyUPnP.exe
rule CN_Tools_MyUPnP {
meta:
description = "Chinese Hacktool Set - file MyUPnP.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "15b6fca7e42cd2800ba82c739552e7ffee967000"
id = "394e19d3-882e-5a7c-a3a0-e662bd67955c"
strings:
$s1 = "<description>BYTELINKER.COM</description>" fullword ascii
$s2 = "myupnp.exe" fullword ascii
$s3 = "LOADER ERROR" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 1500KB and all of them
}
CN_Tools_MyUPnP
Chinese Hacktool Set - file MyUPnP.exe
rule CN_Tools_MyUPnP {
meta:
description = "Chinese Hacktool Set - file MyUPnP.exe"
author = "Florian Roth"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "15b6fca7e42cd2800ba82c739552e7ffee967000"
strings:
$s1 = "<description>BYTELINKER.COM</description>" fullword ascii
$s2 = "myupnp.exe" fullword ascii
$s3 = "LOADER ERROR" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 1500KB and all of them
}
CN_Tools_PcShare
Chinese Hacktool Set - file PcShare.exe
rule CN_Tools_PcShare {
meta:
description = "Chinese Hacktool Set - file PcShare.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "ee7ba9784fae413d644cdf5a093bd93b73537652"
id = "0c4e9f9b-9839-56a0-be21-a4e9f19cdfdb"
strings:
$s0 = "title=%s%s-%s;id=%s;hwnd=%d;mainhwnd=%d;mainprocess=%d;cmd=%d;" fullword wide
$s1 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)" fullword wide
$s2 = "http://www.pcshares.cn/pcshare200/lostpass.asp" fullword wide
$s5 = "port=%s;name=%s;pass=%s;" fullword wide
$s16 = "%s\\ini\\*.dat" fullword wide
$s17 = "pcinit.exe" fullword wide
$s18 = "http://www.pcshare.cn" fullword wide
condition:
uint16(0) == 0x5a4d and filesize < 6000KB and 3 of them
}
CN_Tools_PcShare
Chinese Hacktool Set - file PcShare.exe
rule CN_Tools_PcShare {
meta:
description = "Chinese Hacktool Set - file PcShare.exe"
author = "Florian Roth"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "ee7ba9784fae413d644cdf5a093bd93b73537652"
strings:
$s0 = "title=%s%s-%s;id=%s;hwnd=%d;mainhwnd=%d;mainprocess=%d;cmd=%d;" fullword wide
$s1 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)" fullword wide
$s2 = "http://www.pcshares.cn/pcshare200/lostpass.asp" fullword wide
$s5 = "port=%s;name=%s;pass=%s;" fullword wide
$s16 = "%s\\ini\\*.dat" fullword wide
$s17 = "pcinit.exe" fullword wide
$s18 = "http://www.pcshare.cn" fullword wide
condition:
uint16(0) == 0x5a4d and filesize < 6000KB and 3 of them
}
CN_Tools_Shiell
Chinese Hacktool Set - file Shiell.exe
rule CN_Tools_Shiell {
meta:
description = "Chinese Hacktool Set - file Shiell.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "b432d80c37abe354d344b949c8730929d8f9817a"
id = "7ac7d79d-3f4e-54e7-bb97-ce94cbbb40a2"
strings:
$s1 = "C:\\Users\\Tong\\Documents\\Visual Studio 2012\\Projects\\Shift shell" ascii
$s2 = "C:\\Windows\\System32\\Shiell.exe" fullword wide
$s3 = "Shift shell.exe" fullword wide
$s4 = "\" /v debugger /t REG_SZ /d \"" fullword wide
condition:
uint16(0) == 0x5a4d and filesize < 1500KB and 2 of them
}
CN_Tools_Shiell
Chinese Hacktool Set - file Shiell.exe
rule CN_Tools_Shiell {
meta:
description = "Chinese Hacktool Set - file Shiell.exe"
author = "Florian Roth"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "b432d80c37abe354d344b949c8730929d8f9817a"
strings:
$s1 = "C:\\Users\\Tong\\Documents\\Visual Studio 2012\\Projects\\Shift shell" ascii
$s2 = "C:\\Windows\\System32\\Shiell.exe" fullword wide
$s3 = "Shift shell.exe" fullword wide
$s4 = "\" /v debugger /t REG_SZ /d \"" fullword wide
condition:
uint16(0) == 0x5a4d and filesize < 1500KB and 2 of them
}
CN_Tools_Temp
Chinese Hacktool Set - file Temp.war
rule CN_Tools_Temp {
meta:
description = "Chinese Hacktool Set - file Temp.war"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "c3327ef63b0ed64c4906e9940ef877c76ebaff58"
id = "4fbaabd0-fbf2-56a0-94af-9deba1e7cc81"
strings:
$s0 = "META-INF/context.xml<?xml version=\"1.0\" encoding=\"UTF-8\"?>" fullword ascii
$s1 = "browser.jsp" fullword ascii
$s3 = "cmd.jsp" fullword ascii
$s4 = "index.jsp" fullword ascii
condition:
uint16(0) == 0x4b50 and filesize < 203KB and all of them
}
CN_Tools_VNCLink
Chinese Hacktool Set - file VNCLink.exe
rule CN_Tools_VNCLink {
meta:
description = "Chinese Hacktool Set - file VNCLink.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "cafb531822cbc0cfebbea864489eebba48081aa1"
id = "270dc14c-ac8f-58c2-b4ac-c10981e20a07"
strings:
$s1 = "C:\\temp\\vncviewer4.log" fullword ascii
$s2 = "[BL4CK] Patched by redsand || http://blacksecurity.org" fullword ascii
$s3 = "fake release extendedVkey 0x%x, keysym 0x%x" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 580KB and 2 of them
}
CN_Tools_VNCLink
Chinese Hacktool Set - file VNCLink.exe
rule CN_Tools_VNCLink {
meta:
description = "Chinese Hacktool Set - file VNCLink.exe"
author = "Florian Roth"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "cafb531822cbc0cfebbea864489eebba48081aa1"
strings:
$s1 = "C:\\temp\\vncviewer4.log" fullword ascii
$s2 = "[BL4CK] Patched by redsand || http://blacksecurity.org" fullword ascii
$s3 = "fake release extendedVkey 0x%x, keysym 0x%x" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 580KB and 2 of them
}
CN_Tools_Vscan
Chinese Hacktool Set - file Vscan.exe
rule CN_Tools_Vscan {
meta:
description = "Chinese Hacktool Set - file Vscan.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "0365fe05e2de0f327dfaa8cd0d988dbb7b379612"
id = "2d73d9c9-62cd-592f-a44e-0a0456c85a3c"
strings:
$s1 = "[+] Usage: VNC_bypauth <target> <scantype> <option>" fullword ascii
$s2 = "========RealVNC <= 4.1.1 Bypass Authentication Scanner=======" fullword ascii
$s3 = "[+] Type VNC_bypauth <target>,<scantype> or <option> for more informations" fullword ascii
$s4 = "VNC_bypauth -i 192.168.0.1,192.168.0.2,192.168.0.3,..." fullword ascii
$s5 = "-vn:%-15s:%-7d connection closed" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 60KB and 2 of them
}
CN_Tools_Vscan
Chinese Hacktool Set - file Vscan.exe
rule CN_Tools_Vscan {
meta:
description = "Chinese Hacktool Set - file Vscan.exe"
author = "Florian Roth"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "0365fe05e2de0f327dfaa8cd0d988dbb7b379612"
strings:
$s1 = "[+] Usage: VNC_bypauth <target> <scantype> <option>" fullword ascii
$s2 = "========RealVNC <= 4.1.1 Bypass Authentication Scanner=======" fullword ascii
$s3 = "[+] Type VNC_bypauth <target>,<scantype> or <option> for more informations" fullword ascii
$s4 = "VNC_bypauth -i 192.168.0.1,192.168.0.2,192.168.0.3,..." fullword ascii
$s5 = "-vn:%-15s:%-7d connection closed" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 60KB and 2 of them
}
CN_Tools_hscan
Chinese Hacktool Set - file hscan.exe
rule CN_Tools_hscan {
meta:
description = "Chinese Hacktool Set - file hscan.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "17a743e40790985ececf5c66eaad2a1f8c4cffe8"
id = "82d9cd61-8cef-56b4-8dfe-a28edaa781b8"
strings:
$s1 = "%s -f hosts.txt -port -ipc -pop -max 300,20 -time 10000" fullword ascii
$s2 = "%s -h 192.168.0.1 192.168.0.254 -port -ftp -max 200,20" fullword ascii
$s3 = "%s -h www.target.com -all" fullword ascii
$s4 = ".\\report\\%s-%s.html" fullword ascii
$s5 = ".\\log\\Hscan.log" fullword ascii
$s6 = "[%s]: Found cisco Enable password: %s !!!" fullword ascii
$s7 = "%s@ftpscan#FTP Account: %s/[null]" fullword ascii
$s8 = ".\\conf\\mysql_pass.dic" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 300KB and all of them
}
CN_Tools_hscan
Chinese Hacktool Set - file hscan.exe
rule CN_Tools_hscan {
meta:
description = "Chinese Hacktool Set - file hscan.exe"
author = "Florian Roth"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "17a743e40790985ececf5c66eaad2a1f8c4cffe8"
strings:
$s1 = "%s -f hosts.txt -port -ipc -pop -max 300,20 -time 10000" fullword ascii
$s2 = "%s -h 192.168.0.1 192.168.0.254 -port -ftp -max 200,20" fullword ascii
$s3 = "%s -h www.target.com -all" fullword ascii
$s4 = ".\\report\\%s-%s.html" fullword ascii
$s5 = ".\\log\\Hscan.log" fullword ascii
$s6 = "[%s]: Found cisco Enable password: %s !!!" fullword ascii
$s7 = "%s@ftpscan#FTP Account: %s/[null]" fullword ascii
$s8 = ".\\conf\\mysql_pass.dic" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 300KB and all of them
}
CN_Tools_item
Chinese Hacktool Set - file item.php
rule CN_Tools_item {
meta:
description = "Chinese Hacktool Set - file item.php"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "a584db17ad93f88e56fd14090fae388558be08e4"
id = "954f24c9-d7d5-56d3-86f0-0cf8832640dd"
strings:
$s1 = "$sURL = \"http://\".$sServer.\"/\".$sWget;" fullword ascii
$s2 = "$sURL = \"301:http://\".$sServer.\"/\".$sWget;" fullword ascii
$s3 = "$sWget=\"index.asp\";" fullword ascii
$s4 = "$aURL += array(\"scheme\" => \"\", \"host\" => \"\", \"path\" => \"\");" fullword ascii
condition:
filesize < 4KB and all of them
}
CN_Tools_old
Chinese Hacktool Set - file old.php
rule CN_Tools_old {
meta:
description = "Chinese Hacktool Set - file old.php"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "f8a007758fda8aa1c0af3c43f3d7e3186a9ff307"
id = "bfdb84e8-e5a8-53a4-ae71-e0d1b38d38ef"
strings:
$s0 = "$sCmd = \"wget -qc \".escapeshellarg($sURL).\" -O \".$sFile;" fullword ascii
$s1 = "$sURL = \"http://\".$sServer.\"/\".$sFile;" fullword ascii
$s2 = "chmod(\"/\".substr($sHash, 0, 2), 0777);" fullword ascii
$s3 = "$sCmd = \"echo 123> \".$sFileOut;" fullword ascii
condition:
filesize < 6KB and all of them
}
CN_Tools_pc
Chinese Hacktool Set - file pc.exe
rule CN_Tools_pc {
meta:
description = "Chinese Hacktool Set - file pc.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "5cf8caba170ec461c44394f4058669d225a94285"
id = "11cc6c46-33c0-5c53-88f8-700be9ca8add"
strings:
$s0 = "\\svchost.exe" ascii
$s2 = "%s%08x.001" fullword ascii
$s3 = "Qy001Service" fullword ascii
$s4 = "/.MIKY" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 300KB and all of them
}
CN_Tools_pc
Chinese Hacktool Set - file pc.exe
rule CN_Tools_pc {
meta:
description = "Chinese Hacktool Set - file pc.exe"
author = "Florian Roth"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "5cf8caba170ec461c44394f4058669d225a94285"
strings:
$s0 = "\\svchost.exe" fullword ascii
$s2 = "%s%08x.001" fullword ascii
$s3 = "Qy001Service" fullword ascii
$s4 = "/.MIKY" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 300KB and all of them
}
CN_Tools_srss
Chinese Hacktool Set - file srss.bat
rule CN_Tools_srss {
meta:
description = "Chinese Hacktool Set - file srss.bat"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "092ab0797947692a247fe80b100fb4df0f9c37a0"
id = "13191e2e-fbcd-5e0b-af55-cc10f2583c1b"
strings:
$s0 = "srss.exe -idx 0 -ip"
$s1 = "-port 21 -logfilter \"_USER ,_P" ascii
condition:
filesize < 100 and all of them
}
CN_Tools_srss_2
Chinese Hacktool Set - file srss.exe
rule CN_Tools_srss_2 {
meta:
description = "Chinese Hacktool Set - file srss.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "c418b30d004051bbf1b2d3be426936b95b5fea6f"
id = "3a84fa58-ccd0-5cf0-b1e0-a8f2ca04fd3f"
strings:
$x1 = "used pepack!" fullword ascii
$s1 = "KERNEL32.dll" fullword ascii
$s2 = "KERNEL32.DLL" fullword ascii
$s3 = "LoadLibraryA" fullword ascii
$s4 = "GetProcAddress" fullword ascii
$s5 = "VirtualProtect" fullword ascii
$s6 = "VirtualAlloc" fullword ascii
$s7 = "VirtualFree" fullword ascii
$s8 = "ExitProcess" fullword ascii
condition:
uint16(0) == 0x5a4d and ( $x1 at 0 ) and filesize < 14KB and all of ($s*)
}
CN_Tools_srss_2
Chinese Hacktool Set - file srss.exe
rule CN_Tools_srss_2 {
meta:
description = "Chinese Hacktool Set - file srss.exe"
author = "Florian Roth"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "c418b30d004051bbf1b2d3be426936b95b5fea6f"
strings:
$x1 = "used pepack!" fullword ascii
$s1 = "KERNEL32.dll" fullword ascii
$s2 = "KERNEL32.DLL" fullword ascii
$s3 = "LoadLibraryA" fullword ascii
$s4 = "GetProcAddress" fullword ascii
$s5 = "VirtualProtect" fullword ascii
$s6 = "VirtualAlloc" fullword ascii
$s7 = "VirtualFree" fullword ascii
$s8 = "ExitProcess" fullword ascii
condition:
uint16(0) == 0x5a4d and ( $x1 at 0 ) and filesize < 14KB and all of ($s*)
}
CN_Tools_xbat
Chinese Hacktool Set - file xbat.vbs
rule CN_Tools_xbat {
meta:
description = "Chinese Hacktool Set - file xbat.vbs"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "a7005acda381a09803b860f04d4cae3fdb65d594"
id = "5b2f0d2e-a7fb-5f5a-94a9-28e851c9756e"
strings:
$s0 = "ws.run \"srss.bat /start\",0 " fullword ascii
$s1 = "Set ws = Wscript.CreateObject(\"Wscript.Shell\")" fullword ascii
condition:
uint16(0) == 0x6553 and filesize < 0KB and all of them
}
CN_Tools_xsniff
Chinese Hacktool Set - file xsniff.exe
rule CN_Tools_xsniff {
meta:
description = "Chinese Hacktool Set - file xsniff.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "d61d7329ac74f66245a92c4505a327c85875c577"
id = "a0fdac88-a7b8-5d24-9012-2bfe7b07e675"
strings:
$s0 = "xsiff.exe -pass -hide -log pass.log" fullword ascii
$s1 = "HOST: %s USER: %s, PASS: %s" fullword ascii
$s2 = "xsiff.exe -tcp -udp -asc -addr 192.168.1.1" fullword ascii
$s10 = "Code by glacier <[email protected]>" fullword ascii
$s11 = "%-5s%s->%s Bytes=%d TTL=%d Type: %d,%d ID=%d SEQ=%d" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 220KB and 2 of them
}
CN_Tools_xsniff
Chinese Hacktool Set - file xsniff.exe
rule CN_Tools_xsniff {
meta:
description = "Chinese Hacktool Set - file xsniff.exe"
author = "Florian Roth"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "d61d7329ac74f66245a92c4505a327c85875c577"
strings:
$s0 = "xsiff.exe -pass -hide -log pass.log" fullword ascii
$s1 = "HOST: %s USER: %s, PASS: %s" fullword ascii
$s2 = "xsiff.exe -tcp -udp -asc -addr 192.168.1.1" fullword ascii
$s10 = "Code by glacier <[email protected]>" fullword ascii
$s11 = "%-5s%s->%s Bytes=%d TTL=%d Type: %d,%d ID=%d SEQ=%d" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 220KB and 2 of them
}
CN_Toolset_LScanPortss_2
Detects a Chinese hacktool from a disclosed toolset - file LScanPortss.exe
rule CN_Toolset_LScanPortss_2 {
meta:
description = "Detects a Chinese hacktool from a disclosed toolset - file LScanPortss.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://qiannao.com/ls/905300366/33834c0c/"
date = "2015/03/30"
score = 70
hash = "4631ec57756466072d83d49fbc14105e230631a0"
id = "0a796585-5fc8-5b55-acfc-3fe87308b681"
strings:
$s1 = "LScanPort.EXE" fullword wide
$s3 = "www.honker8.com" fullword wide
$s4 = "DefaultPort.lst" fullword ascii
$s5 = "Scan over.Used %dms!" fullword ascii
$s6 = "www.hf110.com" fullword wide
$s15 = "LScanPort Microsoft " fullword wide
$s18 = "L-ScanPort2.0 CooFly" fullword wide
condition:
4 of them
}
CN_Toolset_LScanPortss_2
Detects a Chinese hacktool from a disclosed toolset - file LScanPortss.exe
rule CN_Toolset_LScanPortss_2 {
meta:
description = "Detects a Chinese hacktool from a disclosed toolset - file LScanPortss.exe"
author = "Florian Roth"
reference = "http://qiannao.com/ls/905300366/33834c0c/"
reference2 = "https://raw.githubusercontent.com/Neo23x0/Loki/master/signatures/thor-hacktools.yar"
date = "2015/03/30"
score = 70
hash = "4631ec57756466072d83d49fbc14105e230631a0"
strings:
$s1 = "LScanPort.EXE" fullword wide
$s3 = "www.honker8.com" fullword wide
$s4 = "DefaultPort.lst" fullword ascii
$s5 = "Scan over.Used %dms!" fullword ascii
$s6 = "www.hf110.com" fullword wide
$s15 = "LScanPort Microsoft " fullword wide
$s18 = "L-ScanPort2.0 CooFly" fullword wide
condition:
4 of them
}
CN_Toolset_NTscan_PipeCmd
Detects a Chinese hacktool from a disclosed toolset - file PipeCmd.exe
rule CN_Toolset_NTscan_PipeCmd {
meta:
description = "Detects a Chinese hacktool from a disclosed toolset - file PipeCmd.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://qiannao.com/ls/905300366/33834c0c/"
date = "2015/03/30"
score = 70
hash = "a931d65de66e1468fe2362f7f2e0ee546f225c4e"
id = "056ee42d-23f4-5b03-b240-392bc92b90b0"
strings:
$s2 = "Please Use NTCmd.exe Run This Program." fullword ascii
$s3 = "PipeCmd.exe" fullword wide
$s4 = "\\\\.\\pipe\\%s%s%d" fullword ascii
$s5 = "%s\\pipe\\%s%s%d" fullword ascii
$s6 = "%s\\ADMIN$\\System32\\%s%s" fullword ascii
$s7 = "%s\\ADMIN$\\System32\\%s" fullword ascii
$s9 = "PipeCmdSrv.exe" fullword ascii
$s10 = "This is a service executable! Couldn't start directly." fullword ascii
$s13 = "\\\\.\\pipe\\PipeCmd_communicaton" fullword ascii
$s14 = "PIPECMDSRV" fullword wide
$s15 = "PipeCmd Service" fullword ascii
condition:
4 of them
}
CN_Toolset_NTscan_PipeCmd
Detects a Chinese hacktool from a disclosed toolset - file PipeCmd.exe
rule CN_Toolset_NTscan_PipeCmd {
meta:
description = "Detects a Chinese hacktool from a disclosed toolset - file PipeCmd.exe"
author = "Florian Roth"
reference = "http://qiannao.com/ls/905300366/33834c0c/"
reference2 = "https://raw.githubusercontent.com/Neo23x0/Loki/master/signatures/thor-hacktools.yar"
date = "2015/03/30"
score = 70
hash = "a931d65de66e1468fe2362f7f2e0ee546f225c4e"
strings:
$s2 = "Please Use NTCmd.exe Run This Program." fullword ascii
$s3 = "PipeCmd.exe" fullword wide
$s4 = "\\\\.\\pipe\\%s%s%d" fullword ascii
$s5 = "%s\\pipe\\%s%s%d" fullword ascii
$s6 = "%s\\ADMIN$\\System32\\%s%s" fullword ascii
$s7 = "%s\\ADMIN$\\System32\\%s" fullword ascii
$s9 = "PipeCmdSrv.exe" fullword ascii
$s10 = "This is a service executable! Couldn't start directly." fullword ascii
$s13 = "\\\\.\\pipe\\PipeCmd_communicaton" fullword ascii
$s14 = "PIPECMDSRV" fullword wide
$s15 = "PipeCmd Service" fullword ascii
condition:
4 of them
}
CN_Toolset__XScanLib_XScanLib_XScanLib
Detects a Chinese hacktool from a disclosed toolset - from files XScanLib.dll, XScanLib.dll, XScanLib.dll
rule CN_Toolset__XScanLib_XScanLib_XScanLib {
meta:
description = "Detects a Chinese hacktool from a disclosed toolset - from files XScanLib.dll, XScanLib.dll, XScanLib.dll"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://qiannao.com/ls/905300366/33834c0c/"
date = "2015/03/30"
score = 70
super_rule = 1
hash0 = "af419603ac28257134e39683419966ab3d600ed2"
hash1 = "c5cb4f75cf241f5a9aea324783193433a42a13b0"
hash2 = "135f6a28e958c8f6a275d8677cfa7cb502c8a822"
id = "c32415f4-044c-50ef-9c4c-b9327cbcef69"
strings:
$s1 = "Plug-in thread causes an exception, failed to alert user." fullword
$s2 = "PlugGetUdpPort" fullword
$s3 = "XScanLib.dll" fullword
$s4 = "PlugGetTcpPort" fullword
$s11 = "PlugGetVulnNum" fullword
condition:
all of them
}
CN_Toolset__XScanLib_XScanLib_XScanLib
Detects a Chinese hacktool from a disclosed toolset - from files XScanLib.dll, XScanLib.dll, XScanLib.dll
rule CN_Toolset__XScanLib_XScanLib_XScanLib {
meta:
description = "Detects a Chinese hacktool from a disclosed toolset - from files XScanLib.dll, XScanLib.dll, XScanLib.dll"
author = "Florian Roth"
reference = "http://qiannao.com/ls/905300366/33834c0c/"
reference2 = "https://raw.githubusercontent.com/Neo23x0/Loki/master/signatures/thor-hacktools.yar"
date = "2015/03/30"
score = 70
super_rule = 1
hash0 = "af419603ac28257134e39683419966ab3d600ed2"
hash1 = "c5cb4f75cf241f5a9aea324783193433a42a13b0"
hash2 = "135f6a28e958c8f6a275d8677cfa7cb502c8a822"
strings:
$s1 = "Plug-in thread causes an exception, failed to alert user." fullword
$s2 = "PlugGetUdpPort" fullword
$s3 = "XScanLib.dll" fullword
$s4 = "PlugGetTcpPort" fullword
$s11 = "PlugGetVulnNum" fullword
condition:
all of them
}
CN_Toolset_sig_1433_135_sqlr
Detects a Chinese hacktool from a disclosed toolset - file sqlr.exe
rule CN_Toolset_sig_1433_135_sqlr {
meta:
description = "Detects a Chinese hacktool from a disclosed toolset - file sqlr.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://qiannao.com/ls/905300366/33834c0c/"
date = "2015/03/30"
score = 70
hash = "8542c7fb8291b02db54d2dc58cd608e612bfdc57"
id = "74038975-ef06-53d6-bdcc-02706408b596"
strings:
$s0 = "Connect to %s MSSQL server success. Type Command at Prompt." fullword ascii
$s11 = ";DATABASE=master" fullword ascii
$s12 = "xp_cmdshell '" fullword ascii
$s14 = "SELECT * FROM OPENROWSET('SQLOLEDB','Trusted_Connection=Yes;Data Source=myserver" ascii
condition:
all of them
}
CN_Toolset_sig_1433_135_sqlr
Detects a Chinese hacktool from a disclosed toolset - file sqlr.exe
rule CN_Toolset_sig_1433_135_sqlr {
meta:
description = "Detects a Chinese hacktool from a disclosed toolset - file sqlr.exe"
author = "Florian Roth"
reference = "http://qiannao.com/ls/905300366/33834c0c/"
reference2 = "https://raw.githubusercontent.com/Neo23x0/Loki/master/signatures/thor-hacktools.yar"
date = "2015/03/30"
score = 70
hash = "8542c7fb8291b02db54d2dc58cd608e612bfdc57"
strings:
$s0 = "Connect to %s MSSQL server success. Type Command at Prompt." fullword ascii
$s11 = ";DATABASE=master" fullword ascii
$s12 = "xp_cmdshell '" fullword ascii
$s14 = "SELECT * FROM OPENROWSET('SQLOLEDB','Trusted_Connection=Yes;Data Source=myserver" ascii
condition:
all of them
}
CN_disclosed_20180208_KeyLogger_1
Detects malware from disclosed CN malware set
rule CN_disclosed_20180208_KeyLogger_1 {
meta:
description = "Detects malware from disclosed CN malware set"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details"
date = "2018-02-08"
hash1 = "c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf"
id = "12eff9b6-1a65-5efc-b39c-88297bdae9c3"
strings:
$x2 = "Process already elevated." fullword wide
$x3 = "GetKeyloggErLogsResponse" fullword ascii
$x4 = "get_encryptedPassword" fullword ascii
$x5 = "DoDownloadAndExecute" fullword ascii
$x6 = "GetKeyloggeRLogs" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 1000KB and 2 of them
}
CN_disclosed_20180208_Mal1
Detects malware from disclosed CN malware set
import "pe"

rule CN_disclosed_20180208_Mal1 {
meta:
description = "Detects malware from disclosed CN malware set"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details"
date = "2018-02-08"
hash1 = "173d69164a6df5bced94ab7016435c128ccf7156145f5d26ca59652ef5dcd24e"
id = "8516bbfb-a2ad-565d-bf6c-71629b1831a1"
strings:
$x1 = "%SystemRoot%\\system32\\termsrvhack.dll" fullword ascii
$x2 = "User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" fullword ascii
$a1 = "taskkill /f /im cmd.exe" fullword ascii
$a2 = "taskkill /f /im mstsc.exe" fullword ascii
$a3 = "taskkill /f /im taskmgr.exe" fullword ascii
$a4 = "taskkill /f /im regedit.exe" fullword ascii
$a5 = "taskkill /f /im mmc.exe" fullword ascii
$s1 = "K7TSecurity.exe" fullword ascii
$s2 = "ServUDaemon.exe" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 2000KB and (
pe.imphash() == "28e3a58132364197d7cb29ee104004bf" or
1 of ($x*) or
3 of them
)
}
CN_disclosed_20180208_Mal4
Detects malware from disclosed CN malware set
import "pe"

rule CN_disclosed_20180208_Mal4 {
meta:
description = "Detects malware from disclosed CN malware set"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details"
date = "2018-02-08"
hash1 = "f7549c74f09be7e4dbfb64006e535b9f6d17352e236edc2cdb102ec3035cf66e"
id = "6165caf5-157f-5381-a77e-6ed775187ab1"
strings:
$s1 = "Microsoft .Net Framework COM+ Support" fullword ascii
$s2 = "Microsoft .NET and Windows XP COM+ Integration with SOAP" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 3000KB and 1 of them and pe.exports("SPACE")
}
CN_disclosed_20180208_Mal5
Detects malware from disclosed CN malware set
rule CN_disclosed_20180208_Mal5 {
  meta:
    description = "Detects malware from disclosed CN malware set"
    license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
    author = "Florian Roth (Nextron Systems)"
    reference = "https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details"
    date = "2018-02-08"
    hash1 = "24c05cd8a1175fbd9aca315ec67fb621448d96bd186e8d5e98cb4f3a19482af4"
    hash2 = "05696db46144dab3355dcefe0408f906a6d43fced04cb68334df31c6dfd12720"
    id = "b1933610-9e6d-5eed-ba30-ccdd0d3a6124"
  strings:
    $s1 = "4System.Web.Services.Protocols.SoapHttpClientProtocol" fullword ascii
    $s2 = "Server.exe" fullword ascii
    $s3 = "System.Windows.Forms.Form" fullword ascii
    $s4 = "Stub.Resources.resources" fullword ascii
    $s5 = "My.Computer" fullword ascii
    $s6 = "MyTemplate" fullword ascii
    $s7 = "Stub.My.Resources" fullword ascii
  condition:
    uint16(0) == 0x5a4d and filesize < 300KB and all of them
}
CN_disclosed_20180208_System3
Detects malware from disclosed CN malware set
rule CN_disclosed_20180208_System3 {
  meta:
    description = "Detects malware from disclosed CN malware set"
    license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
    author = "Florian Roth (Nextron Systems)"
    reference = "https://twitter.com/cyberintproject/status/961714165550342146"
    date = "2018-02-08"
    hash1 = "73fa84cff51d384c2d22d9e53fc5d42cb642172447b07e796c81dd403fb010c2"
    id = "097f4506-295d-5066-8895-2148436731c1"
  strings:
    $a1 = "WmiPrvSE.exe" fullword wide
    $s1 = "C:\\Users\\sgl\\AppData\\Local\\" ascii
    $s2 = "Temporary Projects\\WmiPrvSE\\" ascii
    $s3 = "$15a32a5d-4906-458a-8f57-402311afc1c1" fullword ascii
  condition:
    uint16(0) == 0x5a4d and filesize < 200KB and $a1 and 1 of ($s*)
}
CN_disclosed_20180208_c
Detects malware from disclosed CN malware set
rule CN_disclosed_20180208_c {
  meta:
    description = "Detects malware from disclosed CN malware set"
    license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
    author = "Florian Roth (Nextron Systems)"
    reference = "https://twitter.com/cyberintproject/status/961714165550342146"
    date = "2018-02-08"
    hash1 = "17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7"
    id = "cb0bcdc4-7eca-59b7-a947-85c232d4e599"
  strings:
    $x1 = "cmd.exe /c ping 0 -n 2 & del \"" fullword wide
    $x2 = "schtasks /create /sc minute /mo 1 /tn Server /tr " fullword wide
    $x3 = "www.upload.ee/image/" wide
    $s1 = "winmgmts:\\\\.\\root\\SecurityCenter2" fullword wide
    $s2 = "/Server.exe" fullword wide
    $s3 = "Executed As " fullword wide
    $s4 = "WmiPrvSE.exe" fullword wide
    $s5 = "Stub.exe" fullword ascii
    $s6 = "Download ERROR" fullword wide
    $s7 = "shutdown -r -t 00" fullword wide
    $s8 = "Select * From AntiVirusProduct" fullword wide
  condition:
    uint16(0) == 0x5a4d and filesize < 100KB and (
      1 of ($x*) or
      4 of them
    )
}
CN_disclosed_20180208_lsls
Detects malware from disclosed CN malware set
rule CN_disclosed_20180208_lsls {
  meta:
    description = "Detects malware from disclosed CN malware set"
    license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
    author = "Florian Roth (Nextron Systems)"
    reference = "https://twitter.com/cyberintproject/status/961714165550342146"
    date = "2018-02-08"
    hash1 = "94c6a92984df9ed255f4c644261b01c4e255acbe32ddfd0debe38b558f29a6c9"
    id = "c6c4aa72-1a84-552f-bea0-38b332a74233"
  strings:
    $x1 = "User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)" fullword ascii
  condition:
    /* 0x457f is the ELF magic ("\x7fE"), so this rule targets Linux binaries, not PE files */
    uint16(0) == 0x457f and filesize < 3000KB and $x1
}
C_Cpp_Library_file
import "pe"

rule C_Cpp_Library_file: PEiD
{
  strings:
    $a = { F0 0D 00 00 }
  condition:
    /* pe.entry_point requires the "pe" module to be imported */
    $a at pe.entry_point
}
C_Cpp_Library_file_Hint_FILE_START
import "pe"

rule C_Cpp_Library_file_Hint_FILE_START: PEiD
{
  strings:
    $a = { F0 0D 00 00 }
  condition:
    /* pe.entry_point requires the "pe" module to be imported */
    $a at pe.entry_point
}
C_Crypt_v102_Hint_DOS_EP
import "pe"

rule C_Crypt_v102_Hint_DOS_EP: PEiD
{
  strings:
    $a = { E9 ?? ?? E8 ?? ?? 5D 83 ?? ?? 55 D9 D0 9C 58 25 ?? ?? 50 9D 50 57 BF ?? ?? B0 ?? AA 5F 58 66 51 }
  condition:
    /* pe.entry_point requires the "pe" module to be imported */
    $a at pe.entry_point
}
DK_Brute
PoS Scammer Toolbox - http://goo.gl/xiIphp - file DK Brute.exe
rule DK_Brute {
  meta:
    description = "PoS Scammer Toolbox - http://goo.gl/xiIphp - file DK Brute.exe"
    license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
    author = "Florian Roth (Nextron Systems)"
    date = "22.11.14"
    score = 70
    reference = "http://goo.gl/xiIphp"
    hash = "93b7c3a01c41baecfbe42461cb455265f33fbc3d"
    id = "c9ea0dcf-10f3-5161-aebc-2db04c24b0a5"
  strings:
    $s6 = "get_CrackedCredentials" fullword ascii
    $s13 = "Same port used for two different protocols:" fullword wide
    $s18 = "coded by fLaSh" fullword ascii
    $s19 = "get_grbToolsScaningCracking" fullword ascii
  condition:
    all of them
}