Malware / file

YARA rules

18,880 rules indexed · pattern-based malware identification
YARA rules identify and classify malware families and attacker tooling by matching byte patterns, strings and file metadata. The rules below come from multiple open repositories (signature-base, yara-rules and others); where two repositories carry different revisions of a rule, both revisions are listed under the same name. Each rule's raw signature follows its summary.
Using these YARA rules
Deploy. Load them into any YARA-capable scanner: your EDR if it supports YARA, the yara CLI against files or a memory image, VirusTotal Retrohunt, or a host scanner like Loki or THOR. Rules that use a module need the matching import at the top of the file they are compiled from: the PEiD-derived packer rules reference pe.entry_point and need import "pe", and the hash-only GH_PM rules reference hash.md5 and need import "hash". If you concatenate rules from several repositories into one file, rename or drop duplicate rule names first; YARA refuses to compile a file that declares the same rule identifier twice.
Adapt. Tighten or loosen the string and condition matches for your false-positive tolerance; a rule written for one campaign can over-match on benign files in a different environment. Treat the shortest signatures as classifiers rather than detections: the two-byte entry-point pattern in HA_Archive or the bare pcap magic in FE_PCAPs will match plenty of legitimate files and should carry no alerting weight on their own. Where a rule sets a score in its meta block, scanners such as Loki and THOR use it to weight the hit, so keep it consistent with any change you make to the condition.
Scope. These are for hunting known malware families in files and memory and for triaging samples, not for network traffic or log-based detection, which the IDS and Sigma rules cover.
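Several rules below gate on file headers and on match offsets (uint32(0) == 0x464c457f, uint8(4) == 1, uint16(0) == 0x5A4D, uint32be(0) == 0x7B5C7274, "$a at 0", "@s1[1] < @s2[1]", "#s7 > 2"), and the byte order of those reads is a common source of mistakes when adapting a rule. The following is an added example, not code from this page or from any of the rule repositories it indexes: a small pure-Python model of those gates and offset conditions, applied to constructed byte buffers that stand in for samples. It is not a YARA engine; the function names, the simplified literal-string version of the RADIALPULSE ordering check, and every sample buffer are assumptions of the example. To run the real rules, use the yara CLI or yara-python.

```python
"""Added example (not from any repository indexed here): a pure-Python model of the
header gates and offset conditions the rules on this page use. It is not a YARA
engine; all sample buffers are constructed stand-ins, not real samples."""
import struct


def _read(fmt, data, off):
    """YARA uintN(off) reads little-endian ('<'), uintNbe(off) big-endian ('>').
    An out-of-range read is undefined in YARA and makes any comparison false;
    None models that here."""
    size = struct.calcsize(fmt)
    if off < 0 or off + size > len(data):
        return None
    return struct.unpack_from(fmt, data, off)[0]

# File-type gates exactly as the rules spell them. Mind the byte order:
# uint32(0) == 0x464c457f reads bytes 7F 45 4C 46 ("\x7fELF") little-endian,
# uint32be(0) == 0x7B5C7274 reads "{\rt" in file order.
def is_pe(data):      # uint16(0) == 0x5A4D, bytes 4D 5A = "MZ"
    return _read("<H", data, 0) == 0x5A4D

def is_elf(data):     # uint32(0) == 0x464c457f
    return _read("<I", data, 0) == 0x464C457F

def is_elf32(data):   # ... and uint8(4) == 1 (ELFCLASS32; 2 is ELFCLASS64)
    return is_elf(data) and _read("<B", data, 4) == 1

def is_rtf(data):     # uint32be(0) == 0x7B5C7274, same as $header = "{\\rt" at 0
    return _read(">I", data, 0) == 0x7B5C7274

def is_pcap(data):    # FE_PCAPs: { D4 C3 B2 A1 } at 0
    # Classic little-endian pcap only: big-endian pcap (A1 B2 C3 D4) and
    # pcapng (0A 0D 0D 0A) never match that rule.
    return data[:4] == b"\xd4\xc3\xb2\xa1"

def offsets(data, pattern):
    """All offsets of a plain string: YARA's @s list, overlaps included."""
    out, i = [], data.find(pattern)
    while i != -1:
        out.append(i)
        i = data.find(pattern, i + 1)
    return out

def first_offset(data, pattern):
    """@s[1]; None when the string never matches (undefined in YARA)."""
    found = offsets(data, pattern)
    return found[0] if found else None

def in_order(data, *patterns):
    """(@s1[1] < @s2[1]) and (@s2[1] < @s3[1]) ..., the FE_APT_Trojan_PL_RADIALPULSE_1
    and FE_APT_Webshell_PL_PULSECHECK_1 style: false as soon as one string is absent."""
    offs = [first_offset(data, p) for p in patterns]
    if any(o is None for o in offs):
        return False
    return all(a < b for a, b in zip(offs, offs[1:]))

# Strings of FE_APT_Trojan_Linux_PACEMAKER; the \x00 on both ends pins each one
# to a whole C string literal rather than a substring of a longer one.
PACEMAKER_STRINGS = (
    b"\x00Name:%s || Pwd:%s || AuthNum:%s\n\x00",
    b"\x00/proc/%d/mem\x00",
    b"\x00/proc/%s/maps\x00",
    b"\x00/proc/%s/cmdline\x00",
)

def pacemaker_matches(data, require_elf32=False):
    """Condition of FE_APT_Trojan_Linux_PACEMAKER: ELF magic and all of them.
    require_elf32=True applies the FE_APT_Trojan_Linux32_* gate (uint8(4) == 1),
    so a 64-bit ELF is skipped even with every string present. (The Linux32
    PACEMAKER rule additionally needs two opcode patterns not modelled here.)"""
    gate = is_elf32(data) if require_elf32 else is_elf(data)
    return bool(gate and all(s in data for s in PACEMAKER_STRINGS))

def pulsecheck_header_count(data):
    """The (#s7 > 2) clause of FE_APT_Webshell_PL_PULSECHECK_1."""
    return len(offsets(data, b"HTTP_X_")) > 2

# Constructed stand-ins (assumptions of this example, not real samples).
ELF32_SAMPLE = b"\x7fELF\x01\x01\x01" + b"\x00" * 9 + b"".join(PACEMAKER_STRINGS)
ELF64_SAMPLE = b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + b"".join(PACEMAKER_STRINGS)
PE_SAMPLE = b"MZ\x90\x00" + b"\x00" * 60
RTF_SAMPLE = b"{\\rtf1\\ansi{\\*\\datastore 4f4c45324c696e6b}}"
PERL_SAMPLE = (
    b"my $realm = $req->getRealmInfo()->{name};\n"
    b"open(*fd, \">>/tmp/dsstartssh.statementcounters\");\n"
    b"syswrite(*fd, \"realm=$realm\", 5000);\n"
    b"close(*fd);\n"
)
```

Two behaviours are worth noticing when you tighten a rule. First, the two PACEMAKER rules differ only in their gate: FE_APT_Trojan_Linux_PACEMAKER fires on a 64-bit ELF carrying the same strings, the Linux32 variant does not, so pick the gate deliberately rather than copying it. Second, an ordering condition such as (@s1[1] < @s2[1]) is false, not an error, whenever one of the strings is absent; a rule built only from such comparisons therefore implicitly requires every referenced string to be present.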

Rules

50 shown of 18,880
DK_Brute
PoS Scammer Toolbox - http://goo.gl/xiIphp - file DK Brute.exe
source yara-rules author Florian Roth
rule DK_Brute {
	meta:
		description = "PoS Scammer Toolbox - http://goo.gl/xiIphp - file DK Brute.exe"
		author = "Florian Roth"
		date = "22.11.14"
		score = 70
		reference = "http://goo.gl/xiIphp"
		hash = "93b7c3a01c41baecfbe42461cb455265f33fbc3d"
	strings:
		$s6 = "get_CrackedCredentials" fullword ascii
		$s13 = "Same port used for two different protocols:" fullword wide
		$s18 = "coded by fLaSh" fullword ascii
		$s19 = "get_grbToolsScaningCracking" fullword ascii
	condition:
		all of them
}
Dx_php_php
Semi-Auto-generated - file Dx.php.php.txt
source signature-base author Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
rule Dx_php_php {
	meta:
		description = "Semi-Auto-generated  - file Dx.php.php.txt"
		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
		hash = "9cfe372d49fe8bf2fac8e1c534153d9b"
		id = "67d0bccb-d39a-5e30-bdc0-801525ebddd7"
	strings:
		$s0 = "print \"\\n\".'Tip: to view the file \"as is\" - open the page in <a href=\"'.Dx"
		$s2 = "$DEF_PORTS=array (1=>'tcpmux (TCP Port Service Multiplexer)',2=>'Management Util"
		$s3 = "$ra44  = rand(1,99999);$sj98 = \"sh-$ra44\";$ml = \"$sd98\";$a5 = $_SERVER['HTTP"
	condition:
		1 of them
}
EP_10
source yara-rules
import "pe"

rule EP_10: PEiD
{
    strings:
        $a = { 50 83 C0 17 8B F0 97 33 C0 33 C9 B1 24 AC 86 C4 AC AA 86 C4 AA E2 F6 00 B8 40 00 03 00 3C 40 D2 33 8B 66 14 50 70 8B 8D 34 02 44 8B 18 10 48 70 03 BA 0C ?? ?? ?? ?? C0 33 FE 8B 30 AC 30 D0 C1 F0 10 C2 D0 30 F0 30 C2 C1 AA 10 42 42 CA C1 E2 04 5F E9 5E B1 }
    condition:
        $a at pe.entry_point

}
EP_ExE_Pack_V10_Elite_Coding_Group
source yara-rules
import "pe"

rule EP_ExE_Pack_V10_Elite_Coding_Group: PEiD
{
    strings:
        $a = { 60 68 ?? ?? ?? ?? B8 ?? ?? ?? ?? FF 10 }
    condition:
        $a at pe.entry_point

}
EP_ExE_Pack_V10_Elite_Coding_Group_additional
source yara-rules
import "pe"

rule EP_ExE_Pack_V10_Elite_Coding_Group_additional: PEiD
{
    strings:
        $a = { 60 68 54 ?? ?? ?? B8 48 ?? ?? ?? FF 10 68 B3 ?? ?? ?? 50 B8 44 ?? ?? ?? FF 10 68 00 ?? ?? ?? 6A 40 FF D0 89 05 CA ?? ?? ?? 89 C7 BE 00 10 ?? ?? 60 FC B2 80 31 DB A4 B3 02 E8 6D 00 00 00 73 F6 31 C9 E8 64 00 00 00 73 1C 31 C0 E8 5B 00 00 00 73 23 B3 02 41 B0 10 E8 4F 00 00 00 10 C0 73 F7 75 3F AA EB D4 E8 4D 00 00 00 29 D9 75 10 E8 42 00 00 00 EB 28 AC D1 E8 74 4D 11 C9 EB 1C 91 48 C1 E0 08 AC E8 2C 00 00 00 3D 00 7D 00 00 73 0A 80 FC 05 73 06 83 F8 7F 77 02 41 41 95 89 E8 B3 01 56 89 FE 29 C6 F3 A4 5E EB 8E 00 D2 75 05 8A 16 46 10 D2 C3 }
    condition:
        $a at pe.entry_point

}
EP_v01_CoDe_Inside
source yara-rules
import "pe"

rule EP_v01_CoDe_Inside: PEiD
{
    strings:
        $a = { 50 83 C0 17 8B F0 97 33 C0 33 C9 B1 24 AC AA 86 C4 }
    condition:
        $a at pe.entry_point

}
EP_v02_CoDe_Inside
source yara-rules
import "pe"

rule EP_v02_CoDe_Inside: PEiD
{
    strings:
        $a = { 6A 00 60 E9 01 01 00 00 }
    condition:
        $a at pe.entry_point

}
EP_v10
source yara-rules
import "pe"

rule EP_v10: PEiD
{
    strings:
        $a = { 50 83 C0 17 8B F0 97 33 C0 33 C9 B1 24 AC 86 C4 AC AA 86 C4 AA E2 F6 00 B8 40 00 03 00 3C 40 D2 33 8B 66 14 50 70 8B 8D 34 02 44 8B 18 10 48 70 03 BA 0C ?? ?? ?? ?? C0 33 FE 8B 30 AC 30 D0 C1 F0 10 C2 D0 30 F0 30 C2 C1 AA 10 42 42 CA C1 E2 04 5F E9 5E B1 }
        $b = { 50 83 C0 17 8B F0 97 33 C0 33 C9 B1 24 AC 86 C4 AC AA 86 C4 AA E2 F6 00 B8 40 00 03 00 3C 40 D2 33 8B 66 14 50 70 8B 8D 34 02 44 8B 18 10 48 70 03 BA 0C ?? ?? ?? ?? C0 33 FE 8B 30 AC 30 D0 C1 F0 10 C2 D0 30 F0 30 C2 C1 AA 10 42 42 CA C1 E2 04 5F E9 5E B1 C0 30 ?? 68 ?? ?? F3 00 C3 AA }
    condition:
        for any of ($*) : ( $ at pe.entry_point )

}
EP_v10_additional
source yara-rules
import "pe"

rule EP_v10_additional: PEiD
{
    strings:
        $a = { 81 EB 2A 01 8B 0F 1E 5B 03 CB 0E 51 B9 10 01 51 CB }
    condition:
        $a at pe.entry_point

}
EP_v20
source yara-rules
import "pe"

rule EP_v20: PEiD
{
    strings:
        $a = { 60 BE ?? B0 42 ?? 8D BE ?? 60 FD FF C7 87 B0 E4 02 ?? 31 3C 4B DF 57 83 CD FF EB 0E 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 ?? ?? ?? 01 DB ?? ?? ?? }
        $b = { 6A ?? 60 E9 01 01 }
    condition:
        for any of ($*) : ( $ at pe.entry_point )

}
EP_v20_additional
source yara-rules
import "pe"

rule EP_v20_additional: PEiD
{
    strings:
        $a = { 6A ?? 60 E9 01 01 }
    condition:
        $a at pe.entry_point

}
EXPL_SUSP_JS_Exploitation_Payloads_Dec25
Detects RCE indicators related to the exploitation attempts of the React Server Remote Code Execution Vulnerability (CVE-2025-55182) as observed in the wild
source signature-base author Florian Roth
rule EXPL_SUSP_JS_Exploitation_Payloads_Dec25 {
   meta:
      description = "Detects RCE indicators related to the exploitation attempts of the React Server Remote Code Execution Vulnerability (CVE-2025-55182) as observed in the wild"
      author = "Florian Roth"
      reference = "https://www.greynoise.io/blog/cve-2025-55182-react2shell-opportunistic-exploitation-in-the-wild-what-the-greynoise-observation-grid-is-seeing-so-far"
      date = "2025-12-06"
      score = 70
      id = "91220a9b-bb97-5fdf-b14d-fac36d6bed3a"
   strings:
      $a1 = "process.mainModule.require('child_process')"

      $x1 = ".execSync('powershell -enc SQBFAFgAIAA"

      $sa1 = ".execSync('powershell"
      $sa2 = ".execSync('curl "
      $sa3 = ".execSync('wget "

      $sb01 = " -e "
      $sb02 = " -ec "
      $sb03 = " -en "
      $sb04 = " -enc "
      $sb05 = " -enco "
      $sb06 = " -encodedcommand "
      $sb07 = " | bash"
      $sb08 = " | sh"
      $sb09 = "|bash"
      $sb10 = "|sh"

      $sc1 = ").DownloadString(" ascii wide base64
      $sc2 = "IEX (New-Object " ascii wide base64
   condition:
      $a1
      and (
         1 of ($x*)
         or (
            1 of ($sa*)
            and 1 of ($sb*)
         )
         or 1 of ($sc*)
      )
}
EXPL_SUSP_JS_POC_RSC_Detector_Payloads_Dec25
Detects RCE indicators related to the proof-of-concept code for the React Server Remote Code Execution Vulnerability (CVE-2025-55182) as used in the RSC Detector browser extension but could be used in other JavaScript based PoC code as well
source signature-base author Florian Roth
rule EXPL_SUSP_JS_POC_RSC_Detector_Payloads_Dec25 {
   meta:
      description = "Detects RCE indicators related to the proof-of-concept code for the React Server Remote Code Execution Vulnerability (CVE-2025-55182) as used in the RSC Detector browser extension but could be used in other JavaScript based PoC code as well"
      author = "Florian Roth"
      reference = "https://github.com/mrknow001/RSC_Detector"
      date = "2025-12-06"
      score = 70
      id = "98887e97-2dd4-5777-9fab-02805035de14"
   strings:
      $s1 = "process.mainModule.require('child_process').execSync("
      $s2 = ").toString('base64');"

      // harmless test cases - we only want to match real command execution attempts
      $f1 = "echo vulnerability_test"
   condition:
      all of ($s*)
      and not 1 of ($f*)
}
E_
source yara-rules
import "pe"

rule E_: PEiD
{
    strings:
        $a = { 55 8B EC B8 ?? ?? ?? ?? BB ?? ?? ?? ?? 50 E8 00 00 00 00 58 2D A7 1A 00 00 B9 6C 1A 00 00 BA 20 1B 00 00 BE 00 10 00 00 BF B0 53 00 00 BD EC 1A 00 00 03 E8 81 75 00 ?? ?? ?? ?? 81 75 04 ?? ?? ?? ?? 81 75 08 ?? ?? ?? ?? 81 75 0C ?? ?? ?? ?? 81 75 10 }
        $b = { 55 8B EC B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 53 56 57 0F 31 8B D8 0F 31 8B D0 2B D3 C1 EA 10 B8 ?? ?? ?? ?? 0F 6E C0 B8 ?? ?? ?? ?? 0F 6E C8 0F F5 C1 0F 7E C0 0F 77 03 C2 ?? ?? ?? ?? ?? FF E0 }
    condition:
        for any of ($*) : ( $ at pe.entry_point )

}
E_Language_WuTao
source yara-rules
import "pe"

rule E_Language_WuTao: PEiD
{
    strings:
        $a = { E8 06 00 00 00 50 E8 ?? 01 00 00 55 8B EC 81 C4 F0 FE FF FF }
    condition:
        $a at pe.entry_point

}
E_additional
source yara-rules
import "pe"

rule E_additional: PEiD
{
    strings:
        $a = { 55 8B EC B8 ?? ?? ?? ?? BB ?? ?? ?? ?? 50 E8 00 00 00 00 58 2D A7 1A 00 00 B9 6C 1A 00 00 BA 20 1B 00 00 BE 00 10 00 00 BF B0 53 00 00 BD EC 1A 00 00 03 E8 81 75 00 ?? ?? ?? ?? 81 75 04 ?? ?? ?? ?? 81 75 08 ?? ?? ?? ?? 81 75 0C ?? ?? ?? ?? 81 75 10 }
    condition:
        $a at pe.entry_point

}
E_language
source yara-rules
import "pe"

rule E_language: PEiD
{
    strings:
        $a = { E8 06 00 00 00 50 E8 ?? 01 00 00 55 8B EC 81 C4 F0 FE FF FF }
    condition:
        $a at pe.entry_point

}
E_language_additional
source yara-rules
import "pe"

rule E_language_additional: PEiD
{
    strings:
        $a = { 0B D0 8B DA E8 02 00 00 00 40 A0 5A EB 01 9D B8 80 ?? ?? ?? EB 02 CD 20 03 D3 8D 35 F4 00 }
    condition:
        $a at pe.entry_point

}
FE_APT_9002
Strings inside
source yara-rules author FireEye Labs
rule FE_APT_9002
{
    
    meta:
        Author      = "FireEye Labs"
        Date        = "2013/11/10"
        Description = "Strings inside"
        Reference   = "Useful link"
        
    strings:
        $mz = { 4d 5a }
        $a = "rat_UnInstall" wide ascii

    condition:
        ($mz at 0) and $a
}
FE_APT_Backdoor_Linux32_SLOWPULSE_1
Detects samples mentioned in PulseSecure report
source signature-base author Mandiant
rule FE_APT_Backdoor_Linux32_SLOWPULSE_1 
{ 
    meta: 
        author = "Mandiant" 
        date = "2021-04-16"
        sha256 = "cd09ec795a8f4b6ced003500a44d810f49943514e2f92c81ab96c33e1c0fbd68"
        description = "Detects samples mentioned in PulseSecure report"
        reference = "https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html"        
        id = "dd35257f-5b6f-55a6-a709-873ded1f4b72"
    strings: 
        $sb1 = {FC b9 [4] e8 00 00 00 00 5? 8d b? [4] 8b} 
        $sb2 = {f3 a6 0f 85 [4] b8 03 00 00 00 5? 5? 5?} 
        $sb3 = {9c 60 e8 00 00 00 00 5? 8d [5] 85 ?? 0f 8?} 
        $sb4 = {89 13 8b 51 04 89 53 04 8b 51 08 89 53 08} 
        $sb5 = {8d [5] b9 [4] f3 a6 0f 8?} 
    condition: 
        ((uint32(0) == 0x464c457f) and (uint8(4) == 1)) and all of them 
}
FE_APT_Backdoor_Linux32_SLOWPULSE_2
Detects samples mentioned in PulseSecure report
source signature-base author Strozfriedberg
rule FE_APT_Backdoor_Linux32_SLOWPULSE_2
{ 
    meta: 
        author = "Strozfriedberg" 
        date = "2021-04-16"
        sha256 = "cd09ec795a8f4b6ced003500a44d810f49943514e2f92c81ab96c33e1c0fbd68"
        description = "Detects samples mentioned in PulseSecure report"
        reference = "https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html"        
    strings: 
        $sig = /[\x20-\x7F]{16}([\x20-\x7F\x00]+)\x00.{1,32}\xE9.{3}\xFF\x00+[\x20-\x7F][\x20-\x7F\x00]{16}/ 

        // TOI_MAGIC_STRING 
        $exc1 = /\xED\xC3\x02\xE9\x98\x56\xE5\x0C/ 
    condition:
        uint32(0) == 0x464C457F and (1 of ($sig*)) and (not (1 of ($exc*)))
}
FE_APT_Trojan_Linux32_LOCKPICK_1
Detects samples mentioned in PulseSecure report
source signature-base author Mandiant
rule FE_APT_Trojan_Linux32_LOCKPICK_1
{
    meta:
        author = "Mandiant"
        date = "2021-04-16"
        hash = "e8bfd3f5a2806104316902bbe1195ee8"
        description = "Detects samples mentioned in PulseSecure report"
        reference = "https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html"
        id = "00c09378-25a0-55f1-8d93-7b22d98bd8c2"
    strings:
        $sb1 = { 83 ?? 63 0F 84 [4] 8B 45 ?? 83 ?? 01 89 ?? 24 89 44 24 04 E8 [4] 85 C0 }
        $sb2 = { 83 [2] 63 74 ?? 89 ?? 24 04 89 ?? 24 E8 [4] 83 [2] 01 85 C0 0F [5] EB 00 8B ?? 04 83 F8 02 7? ?? 83 E8 01 C1 E0 02 83 C0 00 89 44 24 08 8D 83 [4] 89 44 24 04 8B ?? 89 04 24 E8 }
    condition:
        ((uint32(0) == 0x464c457f) and (uint8(4) == 1)) and (@sb1[1] < @sb2[1])
}
FE_APT_Trojan_Linux32_PACEMAKER
Detects samples mentioned in PulseSecure report
source signature-base author Mandiant
rule FE_APT_Trojan_Linux32_PACEMAKER 
{ 
    meta: 
        author = "Mandiant"  
        date = "2021-04-16"   
        hash = "d7881c4de4d57828f7e1cab15687274b"
        description = "Detects samples mentioned in PulseSecure report"
        reference = "https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html"
        id = "459e26f1-4ea9-56dd-ad71-0ed2c7499aea"
    strings: 
        $s1 = "\x00/proc/%d/mem\x00" 
        $s2 = "\x00/proc/%s/maps\x00" 
        $s3 = "\x00/proc/%s/cmdline\x00" 
        $sb1 = { C7 44 24 08 10 00 00 00 C7 44 24 04 00 00 00 00 8D 45 E0 89 04 24 E8 [4] 8B 45 F4 83 C0 0B C7 44 24 08 10 00 00 00 89 44 24 04 8D 45 E0 89 04 24 E8 [4] 8D 45 E0 89 04 24 E8 [4] 85 C0 74 ?? 8D 45 E0 89 04 24 E8 [4] 85 C0 74 ?? 8D 45 E0 89 04 24 E8 [4] EB } 
        $sb2 = { 8B 95 [4] B8 [4] 8D 8D [4] 89 4C 24 10 8D 8D [4] 89 4C 24 0C 89 54 24 08 89 44 24 04 8D 85 [4] 89 04 24 E8 [4] C7 44 24 08 02 00 00 00 C7 44 24 04 00 00 00 00 8B 45 ?? 89 04 24 E8 [4] 89 45 ?? 8D 85 [4] 89 04 24 E8 [4] 89 44 24 08 8D 85 [4] 89 44 24 04 8B 45 ?? 89 04 24 E8 [4] 8B 45 ?? 89 45 ?? C7 45 ?? 00 00 00 00 [0-16] 83 45 ?? 01 8B 45 ?? 3B 45 0C } 
    condition: 
        ((uint32(0) == 0x464c457f) and (uint8(4) == 1)) and all of them 
}
FE_APT_Trojan_Linux_PACEMAKER
Detects samples mentioned in PulseSecure report
source signature-base author Mandiant
rule FE_APT_Trojan_Linux_PACEMAKER 
{ 
    meta: 
        author = "Mandiant"  
        date = "2021-04-16"     
        hash = "d7881c4de4d57828f7e1cab15687274b"
        description = "Detects samples mentioned in PulseSecure report"
        reference = "https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html"
        id = "5a20260a-5389-57da-956c-97063fed5015"
    strings: 
        $s1 = "\x00Name:%s || Pwd:%s || AuthNum:%s\x0a\x00" 
        $s2 = "\x00/proc/%d/mem\x00" 
        $s3 = "\x00/proc/%s/maps\x00" 
        $s4 = "\x00/proc/%s/cmdline\x00" 
    condition: 
        (uint32(0) == 0x464c457f) and all of them 
}
FE_APT_Trojan_PL_PULSEJUMP_1
Detects samples mentioned in PulseSecure report
source signature-base author Mandiant
rule FE_APT_Trojan_PL_PULSEJUMP_1
{
    meta:
        author = "Mandiant"
        date = "2021-04-16"
        hash = "91ee23ee24e100ba4a943bb4c15adb4c"
        description = "Detects samples mentioned in PulseSecure report"
        reference = "https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html"
        id = "690cc347-e60f-5cac-b65d-367ecee69251"
    strings:
        $s1 = "open("
        $s2 = ">>/tmp/"
        $s3 = "syswrite("
        $s4 = /\}
FE_APT_Trojan_PL_RADIALPULSE_1
Detects samples mentioned in PulseSecure report
source signature-base author Mandiant
rule FE_APT_Trojan_PL_RADIALPULSE_1 
{
    meta: 
        author = "Mandiant" 
        date = "2021-04-16"       
        sha256 = "d72daafedf41d484f7f9816f7f076a9249a6808f1899649b7daa22c0447bb37b"
        description = "Detects samples mentioned in PulseSecure report"
        reference = "https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html"        
        id = "1fab6d2f-96e8-5def-a93e-2bddd04e7ec8"
    strings: 
        $s1 = "->getRealmInfo()->{name}" 
        $s2 = /open\(\*fd,[\x09\x20]{0,32}[\x22\x27]>>/ 
        $s3 = /syswrite\(\*fd,[\x09\x20]{0,32}[\x22\x27]realm=\$/ 
        $s4 = /syswrite\(\*fd,[\x09\x20]{0,32}[\x22\x27]username=\$/ 
        $s5 = /syswrite\(\*fd,[\x09\x20]{0,32}[\x22\x27]password=\$/ 
    condition: 
        (@s1[1] < @s2[1]) and (@s2[1] < @s3[1]) and $s4 and $s5 
}
FE_APT_Trojan_PL_RADIALPULSE_2
Detects samples mentioned in PulseSecure report
source signature-base author Mandiant
rule FE_APT_Trojan_PL_RADIALPULSE_2 
{ 
    meta: 
        author = "Mandiant"  
        date = "2021-04-16"       
        hash = "4a2a7cbc1c8855199a27a7a7b51d0117"
        description = "Detects samples mentioned in PulseSecure report"
        reference = "https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html"
        id = "dc941935-aec7-54b6-a278-f1453b9785df"
    strings: 
        $s1 = "open(*fd," 
        $s2 = "syswrite(*fd," 
        $s3 = "close(*fd);" 
        $s4 = /open\(\*fd,[\x09\x20]{0,32}[\x22\x27]>>\/tmp\/[\w.]{1,128}[\x22\x27]\);[\x09\x20]{0,32}syswrite\(\*fd,[\x09\x20]{0,32}/ 
        $s5 = /syswrite\(\*fd,[\x09\x20]{0,32}[\x22\x27][\w]{1,128}=\$\w{1,128} ?[\x22\x27],[\x09\x20]{0,32}5000\)/ 
    condition: 
        all of them 
}
FE_APT_Trojan_PL_RADIALPULSE_3
Detects samples mentioned in PulseSecure report
source signature-base author Mandiant
rule FE_APT_Trojan_PL_RADIALPULSE_3 
{ 
    meta: 
        author = "Mandiant"  
        date = "2021-04-16"  
        hash = "4a2a7cbc1c8855199a27a7a7b51d0117"
        description = "Detects samples mentioned in PulseSecure report"
        reference = "https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html"
        id = "8a597521-c873-5bcc-85e6-5a0a061fffb7"
    strings: 
        $s1 = "open(*fd," 
        $s2 = "syswrite(*fd," 
        $s3 = "close(*fd);" 
        $s4 = /open\(\*fd,[\x09\x20]{0,32}[\x22\x27]>>\/tmp\/dsstartssh\.statementcounters[\x22\x27]\);[\x09\x20]{0,32}syswrite\(\*fd,[\x09\x20]{0,32}/ 
        $s5 = /syswrite\(\*fd,[\x09\x20]{0,32}[\x22\x27][\w]{1,128}=\$username ?[\x22\x27],[\x09\x20]{0,32}\d{4}\)/ 
    condition: 
        all of them 
}
FE_APT_Webshell_PL_PULSECHECK_1
Detects samples mentioned in PulseSecure report
source signature-base author Mandiant
rule FE_APT_Webshell_PL_PULSECHECK_1 
{ 
    meta: 
        author = "Mandiant" 
        date = "2021-04-16"  
        sha256 = "a1dcdf62aafc36dd8cf64774dea80d79fb4e24ba2a82adf4d944d9186acd1cc1"
        description = "Detects samples mentioned in PulseSecure report"
        reference = "https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html"
        id = "f375fdd8-567b-569b-85f4-af54a35d2a93"
    strings: 
        $r1 = /while[\x09\x20]{0,32}\(<\w{1,64}>\)[\x09\x20]{0,32}\{\s{1,256}\$\w{1,64}[\x09\x20]{0,32}\.=[\x09\x20]{0,32}\$_;\s{0,256}\}/ 
        $s1 = "use Crypt::RC4;" 
        $s2 = "use MIME::Base64" 
        $s3 = "MIME::Base64::decode(" 
        $s4 = "popen(" 
        $s5 = " .= $_;" 
        $s6 = "print MIME::Base64::encode(RC4(" 
        $s7 = "HTTP_X_" 
    condition: 
        $s1 and $s2 and (@s3[1] < @s4[1]) and (@s4[1] < @s5[1]) and (@s5[1] < @s6[1]) and (#s7 > 2) and $r1 
}
FE_APT_Webshell_PL_STEADYPULSE_1
Detects samples mentioned in PulseSecure report
source signature-base author Mandiant
rule FE_APT_Webshell_PL_STEADYPULSE_1
{  
    meta:  
        author = "Mandiant"  
        date = "2021-04-16"      
        sha256 = "168976797d5af7071df257e91fcc31ce1d6e59c72ca9e2f50c8b5b3177ad83cc"
        description = "Detects samples mentioned in PulseSecure report"
        reference = "https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html"     
        id = "49457fbb-9288-565f-909d-e8228c21c1e4"
    strings:  
        $s1 = "parse_parameters" 
        $s2 = "s/\\+/ /g"  
        $s3 = "s/%(..)/pack("  
        $s4 = "MIME::Base64::encode($"  
        $s5 = "$|=1;" 
        $s6 = "RC4(" 
        $s7 = "$FORM{'cmd'}" 
    condition:  
        all of them  
}
FE_CPE_MS17_010_RANSOMWARE
Probable PETYA ransomware using ETERNALBLUE, WMIC, PsExec
source yara-rules author ian.ahl@fireeye.com @TekDefense, nicholas.carr@mandiant.com @ItsReallyNick
rule FE_CPE_MS17_010_RANSOMWARE {
meta:version="1.1"
      //filetype="PE"
      author="ian.ahl@fireeye.com @TekDefense, nicholas.carr@mandiant.com @ItsReallyNick"
      date="2017-06-27"
      description="Probable PETYA ransomware using ETERNALBLUE, WMIC, PsExec"
      reference = "https://www.fireeye.com/blog/threat-research/2017/06/petya-ransomware-spreading-via-eternalblue-exploit.html"
strings:
      // DRIVE USAGE
      $dmap01 = "\\\\.\\PhysicalDrive" nocase ascii wide
      $dmap02 = "\\\\.\\PhysicalDrive0" nocase ascii wide
      $dmap03 = "\\\\.\\C:" nocase ascii wide
      $dmap04 = "TERMSRV" nocase ascii wide
      $dmap05 = "\\admin$" nocase ascii wide
      $dmap06 = "GetLogicalDrives" nocase ascii wide
      $dmap07 = "GetDriveTypeW" nocase ascii wide

      // RANSOMNOTE
      $msg01 = "WARNING: DO NOT TURN OFF YOUR PC!" nocase ascii wide
      $msg02 = "IF YOU ABORT THIS PROCESS" nocase ascii wide
      $msg03 = "DESTROY ALL OF YOUR DATA!" nocase ascii wide
      $msg04 = "PLEASE ENSURE THAT YOUR POWER CABLE IS PLUGGED" nocase ascii wide
      $msg05 = "your important files are encrypted" ascii wide
      $msg06 = "Your personal installation key" nocase ascii wide
      $msg07 = "worth of Bitcoin to following address" nocase ascii wide
      $msg08 = "CHKDSK is repairing sector" nocase ascii wide
      $msg09 = "Repairing file system on " nocase ascii wide
      $msg10 = "Bitcoin wallet ID" nocase ascii wide
      $msg11 = "wowsmith123456@posteo.net" nocase ascii wide
      $msg12 = "1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX" nocase ascii wide
      $msg_pcre = /(en|de)crypt(ion|ed\.)/     

      // FUNCTIONALITY, APIS
      $functions01 = "need dictionary" nocase ascii wide
      $functions02 = "comspec" nocase ascii wide
      $functions03 = "OpenProcessToken" nocase ascii wide
      $functions04 = "CloseHandle" nocase ascii wide
      $functions05 = "EnterCriticalSection" nocase ascii wide
      $functions06 = "ExitProcess" nocase ascii wide
      $functions07 = "GetCurrentProcess" nocase ascii wide
      $functions08 = "GetProcAddress" nocase ascii wide
      $functions09 = "LeaveCriticalSection" nocase ascii wide
      $functions10 = "MultiByteToWideChar" nocase ascii wide
      $functions11 = "WideCharToMultiByte" nocase ascii wide
      $functions12 = "WriteFile" nocase ascii wide
      $functions13 = "CoTaskMemFree" nocase ascii wide
      $functions14 = "NamedPipe" nocase ascii wide
      $functions15 = "Sleep" nocase ascii wide // imported, not in strings     

      // COMMANDS
      //  -- Clearing event logs & USNJrnl
      $cmd01 = "wevtutil cl Setup" ascii wide nocase
      $cmd02 = "wevtutil cl System" ascii wide nocase
      $cmd03 = "wevtutil cl Security" ascii wide nocase
      $cmd04 = "wevtutil cl Application" ascii wide nocase
      $cmd05 = "fsutil usn deletejournal" ascii wide nocase
      // -- Scheduled task
      $cmd06 = "schtasks " nocase ascii wide
      $cmd07 = "/Create /SC " nocase ascii wide
      $cmd08 = " /TN " nocase ascii wide
      $cmd09 = "at %02d:%02d %ws" nocase ascii wide
      $cmd10 = "shutdown.exe /r /f" nocase ascii wide
      // -- Sysinternals/PsExec and WMIC
      $cmd11 = "-accepteula -s" nocase ascii wide
      $cmd12 = "wmic"
      $cmd13 = "/node:" nocase ascii wide
      $cmd14 = "process call create" nocase ascii wide

condition:
      // (uint16(0) == 0x5A4D)
      3 of ($dmap*)
      and 2 of ($msg*)
      and 9 of ($functions*)
      and 7 of ($cmd*)
}
FE_LEGALSTRIKE_MACRO
This rule is designed to identify macros with the specific encoding used in the sample 30f149479c02b741e897cdb9ecd22da7.
source signature-base author ian.ahl@fireeye.com @TekDefense - modified by Florian Roth
rule FE_LEGALSTRIKE_MACRO {
   meta:
      version=".1"
      filetype="MACRO"
      author="ian.ahl@fireeye.com @TekDefense - modified by Florian Roth"
      date="2017-06-02"
      description="This rule is designed to identify macros with the specific encoding used in the sample 30f149479c02b741e897cdb9ecd22da7."
      id = "eb15e5aa-16e5-5c07-a293-ad15c0c09d8e"
   strings:
      // OBFUSCATION
      $ob1 = "ChrW(114) & ChrW(101) & ChrW(103) & ChrW(115) & ChrW(118) & ChrW(114) & ChrW(51) & ChrW(50) & ChrW(46) & ChrW(101)" ascii wide
      // wscript
      $wsobj1 = "Set Obj = CreateObject(\"WScript.Shell\")" ascii wide
      $wsobj2 = "Obj.Run " ascii wide
   condition:
      all of them
}
FE_LEGALSTRIKE_MACRO
This rule is designed to identify macros with the specific encoding used in the sample 30f149479c02b741e897cdb9ecd22da7.
source yara-rules author ian.ahl@fireeye.com @TekDefense
rule FE_LEGALSTRIKE_MACRO {
       meta:version=".1"
       filetype="MACRO"
       author="ian.ahl@fireeye.com @TekDefense"
       date="2017-06-02"
       description="This rule is designed to identify macros with the specific encoding used in the sample 30f149479c02b741e897cdb9ecd22da7."
strings:
       // OBFUSCATION
       $ob1 = "ChrW(114) & ChrW(101) & ChrW(103) & ChrW(115) & ChrW(118) & ChrW(114) & ChrW(51) & ChrW(50) & ChrW(46) & ChrW(101)" ascii wide
       $ob2 = "ChrW(120) & ChrW(101) & ChrW(32) & ChrW(47) & ChrW(115) & ChrW(32) & ChrW(47) & ChrW(110) & ChrW(32) & ChrW(47)" ascii wide
       $ob3 = "ChrW(117) & ChrW(32) & ChrW(47) & ChrW(105) & ChrW(58) & ChrW(104) & ChrW(116) & ChrW(116) & ChrW(112) & ChrW(115)" ascii wide
       $ob4 = "ChrW(58) & ChrW(47) & ChrW(47) & ChrW(108) & ChrW(121) & ChrW(110) & ChrW(99) & ChrW(100) & ChrW(105) & ChrW(115)" ascii wide
       $ob5 = "ChrW(99) & ChrW(111) & ChrW(118) & ChrW(101) & ChrW(114) & ChrW(46) & ChrW(50) & ChrW(98) & ChrW(117) & ChrW(110)" ascii wide
       $ob6 = "ChrW(110) & ChrW(121) & ChrW(46) & ChrW(99) & ChrW(111) & ChrW(109) & ChrW(47) & ChrW(65) & ChrW(117) & ChrW(116)" ascii wide
       $ob7 = "ChrW(111) & ChrW(100) & ChrW(105) & ChrW(115) & ChrW(99) & ChrW(111) & ChrW(118) & ChrW(101) & ChrW(114) & ChrW(32)" ascii wide
       $ob8 = "ChrW(115) & ChrW(99) & ChrW(114) & ChrW(111) & ChrW(98) & ChrW(106) & ChrW(46) & ChrW(100) & ChrW(108) & ChrW(108)" ascii wide
       $obreg1 = /(\w{5}\s&\s){7}\w{5}/
       $obreg2 = /(Chrw\(\d{1,3}\)\s&\s){7}/
       // wscript
       $wsobj1 = "Set Obj = CreateObject(\"WScript.Shell\")" ascii wide
       $wsobj2 = "Obj.Run " ascii wide

condition:
        (
              (
                      (uint16(0) != 0x5A4D)
              )
              and
              (
                      all of ($wsobj*) and 3 of ($ob*)
                      or
                      all of ($wsobj*) and all of ($obreg*)
              )
       )
}
FE_LEGALSTRIKE_RTF
Rtf Phishing Campaign leveraging the CVE 2017-0199 exploit, to point to the domain 2bunnyDOTcom
source signature-base author joshua.kim@FireEye.com - modified by Florian Roth
rule FE_LEGALSTRIKE_RTF {
   meta:
      version=".1"
      filetype="MACRO"
      author="joshua.kim@FireEye.com - modified by Florian Roth"
      date="2017-06-02"
      description="Rtf Phishing Campaign leveraging the CVE 2017-0199 exploit, to point to the domain 2bunnyDOTcom"
      id = "b62ceffa-445f-517e-b86b-56e47876c6c0"
   strings:
      $lnkinfo = "4c0069006e006b0049006e0066006f"
      $encoded1 = "4f4c45324c696e6b"
      $encoded2 = "52006f006f007400200045006e007400720079"
      $encoded3 = "4f0062006a0049006e0066006f"
      $encoded4 = "4f006c0065"
      $datastore = "\\*\\datastore"
   condition:
      uint32be(0) == 0x7B5C7274 and all of them
}
FE_LEGALSTRIKE_RTF
Rtf Phishing Campaign leveraging the CVE 2017-0199 exploit, to point to the domain 2bunnyDOTcom
source yara-rules author joshua.kim@FireEye.com
rule FE_LEGALSTRIKE_RTF {
    meta:
        version=".1"
        filetype="MACRO"
        author="joshua.kim@FireEye.com"
        date="2017-06-02"
        description="Rtf Phishing Campaign leveraging the CVE 2017-0199 exploit, to point to the domain 2bunnyDOTcom"

    strings:
        $header = "{\\rt"

        $lnkinfo = "4c0069006e006b0049006e0066006f"

        $encoded1 = "4f4c45324c696e6b"
        $encoded2 = "52006f006f007400200045006e007400720079"
        $encoded3 = "4f0062006a0049006e0066006f"
        $encoded4 = "4f006c0065"

        $http1 = "68{"
        $http2 = "74{"
        $http3 = "07{"

        // 2bunny.com
        $domain1 = "32{\\"
        $domain2 = "62{\\"
        $domain3 = "75{\\"
        $domain4 = "6e{\\"
        $domain5 = "79{\\"
        $domain6 = "2e{\\"
        $domain7 = "63{\\"
        $domain8 = "6f{\\"
        $domain9 = "6d{\\"

        $datastore = "\\*\\datastore"

    condition:
        $header at 0 and all of them
}
FE_PCAPs
All pcaps uploaded to VT
source yara-rules author @abhinavbom
rule FE_PCAPs
{
meta:
	author = "@abhinavbom"
	maltype = "NA"
	version = "0.1"
	description = "All pcaps uploaded to VT"
	date = "29/07/2015"
strings:
	$magic = {D4 C3 B2 A1}
condition:
	$magic at 0
}
FE_Trojan_SH_ATRIUM_1
Detects samples mentioned in PulseSecure report
source signature-base author Mandiant
rule FE_Trojan_SH_ATRIUM_1
{
    meta:
        author = "Mandiant"
        date = "2021-04-16"
        hash = "a631b7a8a11e6df3fccb21f4d34dbd8a"
        description = "Detects samples mentioned in PulseSecure report"
        reference = "https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html"
        id = "c49441f4-a138-534c-a858-a7462ed865c9"
    strings:
        $s1 = "CGI::param("
        $s2 = "Cache-Control: no-cache"
        $s3 = "system("
        $s4 = /sed -i [^\r\n]{1,128}CGI::param\([^\r\n]{1,128}print[\x20\x09]{1,32}[^\r\n]{1,128}Cache-Control: no-cache[^\r\n]{1,128}print[\x20\x09]{1,32}[^\r\n]{1,128}Content-type: text\/html[^\r\n]{1,128}my [^\r\n]{1,128}=[\x09\x20]{0,32}CGI::param\([^\r\n]{1,128}system\(/
    condition:
        all of them
}
F_Xlock_116
source yara-rules
import "pe"

rule F_Xlock_116: PEiD
{
    strings:
        $a = { 50 50 50 53 51 52 56 1E 8B DC 8C D8 05 00 00 36 89 47 0E 36 C7 47 0C 00 00 8E 1E 2C 00 33 DB 8B 07 43 3D 00 00 74 02 75 F6 43 83 3F 01 75 45 43 43 8B D3 B8 00 3D CD 21 72 3A 8B D8 0E 1F 33 D2 8B F2 B9 1B 00 B4 3F CD 21 83 7C 14 00 75 30 81 }
    condition:
        $a at pe.entry_point

}
GH_PM32
source yara-rules author Jaume Martin
// Exact-file match on the MD5 of the whole file; hash.md5 requires the hash module
import "hash"

rule GH_PM32 {
    meta:
        author = "Jaume Martin"
    condition:
        hash.md5(0, filesize) == "2f2c5b3f3b1f97908074f526ac90a28d"
}
GH_PM64
source yara-rules author Jaume Martin
// Exact-file match on the MD5 of the whole file; hash.md5 requires the hash module
import "hash"

rule GH_PM64 {
    meta:
        author = "Jaume Martin"
    condition:
        hash.md5(0, filesize) == "fe6c0097412b2c7b7f4b8a489004dd14"
}
GP_Install_v50332
source yara-rules
// PEiD packer signature; pe.entry_point requires the pe module
import "pe"

rule GP_Install_v50332: PEiD
{
    strings:
        $a = { 55 8B EC 33 C9 51 51 51 51 51 51 51 53 56 57 B8 C4 1C 41 00 E8 6B 3E FF FF 33 C0 55 68 76 20 41 00 64 FF 30 64 89 20 BA A0 47 41 00 33 C0 E8 31 0A FF FF 33 D2 A1 A0 }
    condition:
        $a at pe.entry_point
}
GP_Install_v50332_additional
source yara-rules
// PEiD packer signature; pe.entry_point requires the pe module
import "pe"

rule GP_Install_v50332_additional: PEiD
{
    strings:
        $a = { 55 8B EC 33 C9 51 51 51 51 51 51 51 53 56 57 B8 C4 1C 41 00 E8 6B 3E FF FF 33 C0 55 68 76 20 41 00 64 FF 30 64 89 20 BA A0 47 41 00 33 C0 E8 31 0A FF FF 33 D2 A1 A0 }
    condition:
        $a at pe.entry_point
}
GX_Protector_12_GurueXe
source yara-rules
// PEiD packer signature; pe.entry_point requires the pe module
import "pe"

rule GX_Protector_12_GurueXe: PEiD
{
    strings:
        $a = { 60 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 }
    condition:
        $a at pe.entry_point
}
GX_Protector_12_GurueXe_additional
source yara-rules
// PEiD packer signature; pe.entry_point requires the pe module
import "pe"

rule GX_Protector_12_GurueXe_additional: PEiD
{
    strings:
        $a = { 60 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 }
    condition:
        $a at pe.entry_point
}
HA_Archive
source yara-rules
// PEiD signature: a two-byte "HA" marker at the entry point (very short, expect false positives);
// pe.entry_point requires the pe module
import "pe"

rule HA_Archive: PEiD
{
    strings:
        $a = { 48 41 }
    condition:
        $a at pe.entry_point
}
HA_Archive_Hint_FILE_START
source yara-rules
// PEiD signature: a two-byte "HA" marker at the entry point (very short, expect false positives);
// pe.entry_point requires the pe module
import "pe"

rule HA_Archive_Hint_FILE_START: PEiD
{
    strings:
        $a = { 48 41 }
    condition:
        $a at pe.entry_point
}
HKTL_CN_Dos_GetPass
Chinese Hacktool Set - file GetPass.exe
source signature-base author Florian Roth (Nextron Systems)
rule HKTL_CN_Dos_GetPass {
	meta:
		description = "Chinese Hacktool Set - file GetPass.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "http://tools.zjqhr.com/"
		date = "2015-06-13"
		modified = "2023-01-06"
		old_rule_name = "Dos_GetPass"
		hash = "d18d952b24110b83abd17e042f9deee679de6a1a"
		id = "08635096-474c-5fdf-825e-6c7c8c8d4061"
	strings:
		$s0 = "GetLogonS" ascii
		$s3 = "/showthread.php?t=156643" ascii
		$s8 = "To Run As Administ" ascii
		$s18 = "EnableDebugPrivileg" fullword ascii
		$s19 = "sedebugnameValue" fullword ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 890KB and all of them
}
HKTL_CN_Dos_sys
Chinese Hacktool Set - file sys.exe
source signature-base author Florian Roth (Nextron Systems)
rule HKTL_CN_Dos_sys {
	meta:
		description = "Chinese Hacktool Set - file sys.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "http://tools.zjqhr.com/"
		date = "2015-06-13"
		modified = "2023-01-06"
		old_rule_name = "Dos_sys"
		hash = "b5837047443f8bc62284a0045982aaae8bab6f18"
		id = "c4b740f2-f4f8-59ff-ad1f-c06718040b50"
	strings:
		$s0 = "'SeDebugPrivilegeOpen " fullword ascii
		$s6 = "Author: Cyg07*2" fullword ascii
		$s12 = "from golds7n[LAG]'J" fullword ascii
		$s14 = "DAMAGE" fullword ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 150KB and all of them
}
HKTL_CN_ProcHook_May19_1
Detects hacktool used by Chinese threat groups
source signature-base author Florian Roth (Nextron Systems)
// pe.imphash() requires the pe module
import "pe"

rule HKTL_CN_ProcHook_May19_1 {
   meta:
      description = "Detects hacktool used by Chinese threat groups"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/"
      date = "2019-05-31"
      hash1 = "02ebdc1ff6075c15a44711ccd88be9d6d1b47607fea17bef7e5e17f8da35293e"
      id = "ae4e2613-8254-5ea6-af88-2f08ebe4da33"
   condition:
      // MZ header, size bound, then an import-table hash match
      uint16(0) == 0x5a4d and filesize < 300KB and
      pe.imphash() == "343d580dd50ee724746a5c28f752b709"
}