Malware / file
YARA rules
12,928 rules indexed · pattern-based malware identification
YARA rules identify and classify malware families through binary patterns, strings, and metadata. Rules below come from multiple open repositories. Expand any rule to see its raw signature.
Using these YARA rules
Deploy. Load them into any YARA-capable scanner: your EDR if it supports YARA, the yara CLI against files or a memory image, VirusTotal Retrohunt, or a host scanner like Loki or THOR.
Adapt. Tighten or loosen the string and condition matches for your false-positive tolerance; a rule written for one campaign can over-match on benign files in a different environment.
Scope. These are for hunting known malware families in files and memory and for triaging samples - not for network traffic or log-based detection, which the IDS and Sigma rules cover.
Rules
50 shown of 12,928
APT_WIN_Gh0st_ver
rule APT_WIN_Gh0st_ver : RAT
{
meta:
author = "@BryanNolen"
date = "2012-12"
type = "APT"
version = "1.1"
ref = "Detection of Gh0st RAT server DLL component"
ref1 = "http://www.mcafee.com/au/resources/white-papers/foundstone/wp-know-your-digital-enemy.pdf"
strings:
$library = "deflate 1.1.4 Copyright 1995-2002 Jean-loup Gailly"
$capability = "GetClipboardData"
$capability1 = "capCreateCaptureWindowA"
$capability2 = "CreateRemoteThread"
$capability3 = "WriteProcessMemory"
$capability4 = "LsaRetrievePrivateData"
$capability5 = "AdjustTokenPrivileges"
$function = "ResetSSDT"
$window = "WinSta0\\Default"
$magic = {47 6C 6F 62 61 6C 5C [5-9] 20 25 64} /* $magic = "Gh0st" */
condition:
all of them
}
APT_Win_Pipcreat
APT backdoor Pipcreat
rule APT_Win_Pipcreat
{
meta:
author = "chort (@chort0)"
description = "APT backdoor Pipcreat"
filetype = "pe,dll"
date = "2013-03"
MD5 = "f09d832bea93cf320986b53fce4b8397" // (incorrectly?) identified as Hupigon by many AV on VT
Reference = "http://www.cyberengineeringservices.com/login-exe-analysis-trojan-pipcreat/"
version = "1.0"
strings:
$strA = "pip creat failed" wide fullword
$strB = "CraatePipe" ascii fullword
$strC = "are you there? " wide fullword
$strD = "success kill process ok" wide fullword
$strE = "Vista|08|Win7" wide fullword
$rut = "are you there!@#$%^&*()_+" ascii fullword
condition:
$rut or (2 of ($str*))
}
A_program_by_Jupiter_
import "pe"
rule A_program_by_Jupiter_: PEiD
{
strings:
$a = { 2B C0 74 05 68 ?? ?? ?? ?? 50 }
condition:
$a at pe.entry_point
}
A_program_by_Jupiter_additional
import "pe"
rule A_program_by_Jupiter_additional: PEiD
{
strings:
$a = { 2B C0 74 05 68 ?? ?? ?? ?? 50 }
condition:
$a at pe.entry_point
}
CA_Visual_Objects_20_25
import "pe"
rule CA_Visual_Objects_20_25: PEiD
{
strings:
$a = { 87 FE E8 02 00 00 00 98 CC 5F BB 80 ?? ?? 00 EB 02 CD 20 68 F4 00 00 00 E8 01 00 00 00 E3 }
$b = { 89 25 ?? ?? ?? ?? 33 ED 55 8B EC E8 ?? ?? ?? ?? 8B D0 81 E2 FF 00 00 00 89 15 ?? ?? ?? ?? 8B D0 C1 EA 08 81 E2 FF 00 00 00 A3 ?? ?? ?? ?? D1 E0 0F 93 C3 33 C0 8A C3 A3 ?? ?? ?? ?? 68 FF 00 00 00 E8 ?? ?? ?? ?? 6A 00 E8 ?? ?? ?? ?? A3 ?? ?? ?? ?? BB }
condition:
for any of ($*) : ( $ at pe.entry_point )
}
CA_Visual_Objects_20_25_
import "pe"
rule CA_Visual_Objects_20_25_: PEiD
{
strings:
$a = { 89 25 ?? ?? ?? ?? 33 ED 55 8B EC E8 ?? ?? ?? ?? 8B D0 81 E2 FF 00 00 00 89 15 ?? ?? ?? ?? 8B D0 C1 EA 08 81 E2 FF 00 00 00 A3 ?? ?? ?? ?? D1 E0 0F 93 C3 33 C0 8A C3 A3 ?? ?? ?? ?? 68 FF 00 00 00 E8 ?? ?? ?? ?? 6A 00 E8 ?? ?? ?? ?? A3 ?? ?? ?? ?? BB ?? ?? ?? ?? C7 03 44 00 00 00 }
condition:
$a at pe.entry_point
}
CA_Visual_Objects_20_25_additional
import "pe"
rule CA_Visual_Objects_20_25_additional: PEiD
{
strings:
$a = { 87 FE E8 02 00 00 00 98 CC 5F BB 80 ?? ?? 00 EB 02 CD 20 68 F4 00 00 00 E8 01 00 00 00 E3 }
condition:
$a at pe.entry_point
}
CA_Visual_Objects_V20_25
import "pe"
rule CA_Visual_Objects_V20_25: PEiD
{
strings:
$a = { 89 25 ?? ?? ?? ?? 33 ED 55 8B EC E8 ?? ?? ?? ?? 8B D0 81 E2 FF 00 00 00 89 15 ?? ?? ?? ?? 8B D0 C1 EA 08 81 E2 FF 00 00 00 A3 ?? ?? ?? ?? D1 E0 0F 93 C3 33 C0 8A C3 A3 ?? ?? ?? ?? 68 FF 00 00 00 E8 ?? ?? ?? ?? 6A 00 E8 ?? ?? ?? ?? A3 ?? ?? ?? ?? BB ?? ?? ?? ?? C7 03 44 00 00 00 }
condition:
$a at pe.entry_point
}
CC_261b
import "pe"
rule CC_261b: PEiD
{
strings:
$a = { BA 00 00 B4 30 CD 21 3C 02 73 05 33 C0 06 50 CB B9 EB 09 B8 05 FE EB FC 80 C4 3B EB F4 8D 9D 29 01 CD 21 B0 01 CD 21 EB 02 EB FE E8 00 00 5B C6 47 06 82 B0 80 E6 21 BB 20 FF BE 50 01 8B FB B9 B6 00 F3 A4 8B C3 C1 E8 04 8C CD 03 C5 50 51 CB }
condition:
$a at pe.entry_point
}
CC_v261_Beta
import "pe"
rule CC_v261_Beta: PEiD
{
strings:
$a = { BA ?? ?? B4 30 CD 21 3C 02 73 ?? 33 C0 06 50 CB }
condition:
$a at pe.entry_point
}
CC_v261_Beta_Hint_DOS_EP
import "pe"
rule CC_v261_Beta_Hint_DOS_EP: PEiD
{
strings:
$a = { BA ?? ?? B4 30 CD 21 3C 02 73 ?? 33 C0 06 50 CB }
condition:
$a at pe.entry_point
}
CC_v261_Beta_additional
import "pe"
rule CC_v261_Beta_additional: PEiD
{
strings:
$a = { BA ?? ?? B4 30 CD 21 3C 02 73 ?? 33 C0 06 50 CB }
condition:
$a at pe.entry_point
}
CD_Cops_II
import "pe"
rule CD_Cops_II: PEiD
{
strings:
$a = { 53 60 BD ?? ?? ?? ?? 8D 45 ?? 8D 5D ?? E8 ?? ?? ?? ?? 8D }
condition:
$a at pe.entry_point
}
CD_Cops_II_additional
import "pe"
rule CD_Cops_II_additional: PEiD
{
strings:
$a = { 53 60 BD ?? ?? ?? ?? 8D 45 ?? 8D 5D ?? E8 ?? ?? ?? ?? 8D }
condition:
$a at pe.entry_point
}
CI_Crypt_V01_FearlesS
import "pe"
rule CI_Crypt_V01_FearlesS: PEiD
{
strings:
$a = { 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }
$b = { 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 47 65 74 50 72 6F 63 41 64 64 72 }
condition:
for any of ($*) : ( $ at pe.entry_point )
}
CI_Crypt_V01_FearlesS_additional
import "pe"
rule CI_Crypt_V01_FearlesS_additional: PEiD
{
strings:
$a = { 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }
condition:
$a at pe.entry_point
}
CI_Crypt_V02_FearlesS
import "pe"
rule CI_Crypt_V02_FearlesS: PEiD
{
strings:
$a = { 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }
$b = { 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 47 65 74 }
condition:
for any of ($*) : ( $ at pe.entry_point )
}
CI_Crypt_V02_FearlesS_additional
import "pe"
rule CI_Crypt_V02_FearlesS_additional: PEiD
{
strings:
$a = { 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 47 65 74 50 72 6F 63 41 64 64 72 }
condition:
$a at pe.entry_point
}
CN_GUI_Scanner
Detects an unknown GUI scanner tool - CN background
rule CN_GUI_Scanner {
meta:
description = "Detects an unknown GUI scanner tool - CN background"
author = "Florian Roth"
hash = "3c67bbb1911cdaef5e675c56145e1112"
score = 65
date = "04.10.2014"
strings:
$s1 = "good.txt" fullword ascii
$s2 = "IP.txt" fullword ascii
$s3 = "xiaoyuer" fullword ascii
$s0w = "ssh(" fullword wide
$s1w = ").exe" fullword wide
condition:
all of them
}
CN_Hacktool_1433_Scanner
Detects a chinese MSSQL scanner
rule CN_Hacktool_1433_Scanner {
meta:
description = "Detects a chinese MSSQL scanner"
author = "Florian Roth"
score = 40
date = "12.10.2014"
strings:
$magic = { 4d 5a }
$s0 = "1433" wide fullword
$s1 = "1433V" wide
$s2 = "del Weak1.txt" ascii fullword
$s3 = "del Attack.txt" ascii fullword
$s4 = "del /s /Q C:\\Windows\\system32\\doors\\" fullword ascii
$s5 = "!&start iexplore http://www.crsky.com/soft/4818.html)" fullword ascii
condition:
( $magic at 0 ) and all of ($s*)
}
CN_Hacktool_1433_Scanner_Comp2
Detects a chinese MSSQL scanner - component 2
rule CN_Hacktool_1433_Scanner_Comp2 {
meta:
description = "Detects a chinese MSSQL scanner - component 2"
author = "Florian Roth"
score = 40
date = "12.10.2014"
strings:
$magic = { 4d 5a }
$s0 = "1433" wide fullword
$s1 = "1433V" wide
$s2 = "UUUMUUUfUUUfUUUfUUUfUUUfUUUfUUUfUUUfUUUfUUUfUUUMUUU" ascii fullword
condition:
( $magic at 0 ) and all of ($s*)
}
CN_Hacktool_BAT_PortsOpen
Detects a chinese BAT hacktool for local port evaluation
rule CN_Hacktool_BAT_PortsOpen {
meta:
description = "Detects a chinese BAT hacktool for local port evaluation"
author = "Florian Roth"
score = 60
date = "12.10.2014"
strings:
$s0 = "for /f \"skip=4 tokens=2,5\" %%a in ('netstat -ano -p TCP') do (" ascii
$s1 = "in ('tasklist /fi \"PID eq %%b\" /FO CSV') do " ascii
$s2 = "@echo off" ascii
condition:
all of them
}
CN_Hacktool_MilkT_BAT
Detects a chinese Portscanner named MilkT - shipped BAT
rule CN_Hacktool_MilkT_BAT {
meta:
description = "Detects a chinese Portscanner named MilkT - shipped BAT"
author = "Florian Roth"
score = 70
date = "12.10.2014"
strings:
$s0 = "for /f \"eol=P tokens=1 delims= \" %%i in (s1.txt) do echo %%i>>s2.txt" ascii
$s1 = "if not \"%Choice%\"==\"\" set Choice=%Choice:~0,1%" ascii
condition:
all of them
}
CN_Hacktool_MilkT_Scanner
Detects a chinese Portscanner named MilkT
rule CN_Hacktool_MilkT_Scanner {
meta:
description = "Detects a chinese Portscanner named MilkT"
author = "Florian Roth"
score = 60
date = "12.10.2014"
strings:
$s0 = "Bf **************" ascii fullword
$s1 = "forming Time: %d/" ascii
$s2 = "KERNEL32.DLL" ascii fullword
$s3 = "CRTDLL.DLL" ascii fullword
$s4 = "WS2_32.DLL" ascii fullword
$s5 = "GetProcAddress" ascii fullword
$s6 = "atoi" ascii fullword
condition:
all of them
}
CN_Hacktool_SSPort_Portscanner
Detects a chinese Portscanner named SSPort
rule CN_Hacktool_SSPort_Portscanner {
meta:
description = "Detects a chinese Portscanner named SSPort"
author = "Florian Roth"
score = 70
date = "12.10.2014"
strings:
$s0 = "Golden Fox" fullword wide
$s1 = "Syn Scan Port" fullword wide
$s2 = "CZ88.NET" fullword wide
condition:
all of them
}
CN_Hacktool_S_EXE_Portscanner
Detects a chinese Portscanner named s.exe
rule CN_Hacktool_S_EXE_Portscanner {
meta:
description = "Detects a chinese Portscanner named s.exe"
author = "Florian Roth"
score = 70
date = "12.10.2014"
strings:
$s0 = "\\Result.txt" fullword ascii
$s1 = "By:ZT QQ:376789051" fullword ascii
$s2 = "(http://www.eyuyan.com)" fullword wide
condition:
all of them
}
CN_Hacktool_ScanPort_Portscanner
Detects a chinese Portscanner named ScanPort
rule CN_Hacktool_ScanPort_Portscanner {
meta:
description = "Detects a chinese Portscanner named ScanPort"
author = "Florian Roth"
score = 70
date = "12.10.2014"
strings:
$s0 = "LScanPort" fullword wide
$s1 = "LScanPort Microsoft" fullword wide
$s2 = "www.yupsoft.com" fullword wide
condition:
all of them
}
CN_Packed_Scanner
Suspiciously packed executable
rule CN_Packed_Scanner {
meta:
description = "Suspiciously packed executable"
author = "Florian Roth"
hash = "6323b51c116a77e3fba98f7bb7ff4ac6"
score = 40
date = "06.10.2014"
strings:
$s1 = "kernel32.dll" fullword ascii
$s2 = "CRTDLL.DLL" fullword ascii
$s3 = "__GetMainArgs" fullword ascii
$s4 = "WS2_32.DLL" fullword ascii
condition:
all of them and filesize < 180KB and filesize > 70KB
}
CN_Portscan
CN Port Scanner
rule CN_Portscan : APT
{
meta:
description = "CN Port Scanner"
author = "Florian Roth"
release_date = "2013-11-29"
confidential = false
score = 70
strings:
$s1 = "MZ"
$s2 = "TCP 12.12.12.12"
condition:
($s1 at 0) and $s2
}
CN_Tools_MyUPnP
Chinese Hacktool Set - file MyUPnP.exe
rule CN_Tools_MyUPnP {
meta:
description = "Chinese Hacktool Set - file MyUPnP.exe"
author = "Florian Roth"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "15b6fca7e42cd2800ba82c739552e7ffee967000"
strings:
$s1 = "<description>BYTELINKER.COM</description>" fullword ascii
$s2 = "myupnp.exe" fullword ascii
$s3 = "LOADER ERROR" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 1500KB and all of them
}
CN_Tools_PcShare
Chinese Hacktool Set - file PcShare.exe
rule CN_Tools_PcShare {
meta:
description = "Chinese Hacktool Set - file PcShare.exe"
author = "Florian Roth"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "ee7ba9784fae413d644cdf5a093bd93b73537652"
strings:
$s0 = "title=%s%s-%s;id=%s;hwnd=%d;mainhwnd=%d;mainprocess=%d;cmd=%d;" fullword wide
$s1 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)" fullword wide
$s2 = "http://www.pcshares.cn/pcshare200/lostpass.asp" fullword wide
$s5 = "port=%s;name=%s;pass=%s;" fullword wide
$s16 = "%s\\ini\\*.dat" fullword wide
$s17 = "pcinit.exe" fullword wide
$s18 = "http://www.pcshare.cn" fullword wide
condition:
uint16(0) == 0x5a4d and filesize < 6000KB and 3 of them
}
CN_Tools_Shiell
Chinese Hacktool Set - file Shiell.exe
rule CN_Tools_Shiell {
meta:
description = "Chinese Hacktool Set - file Shiell.exe"
author = "Florian Roth"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "b432d80c37abe354d344b949c8730929d8f9817a"
strings:
$s1 = "C:\\Users\\Tong\\Documents\\Visual Studio 2012\\Projects\\Shift shell" ascii
$s2 = "C:\\Windows\\System32\\Shiell.exe" fullword wide
$s3 = "Shift shell.exe" fullword wide
$s4 = "\" /v debugger /t REG_SZ /d \"" fullword wide
condition:
uint16(0) == 0x5a4d and filesize < 1500KB and 2 of them
}
CN_Tools_VNCLink
Chinese Hacktool Set - file VNCLink.exe
rule CN_Tools_VNCLink {
meta:
description = "Chinese Hacktool Set - file VNCLink.exe"
author = "Florian Roth"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "cafb531822cbc0cfebbea864489eebba48081aa1"
strings:
$s1 = "C:\\temp\\vncviewer4.log" fullword ascii
$s2 = "[BL4CK] Patched by redsand || http://blacksecurity.org" fullword ascii
$s3 = "fake release extendedVkey 0x%x, keysym 0x%x" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 580KB and 2 of them
}
CN_Tools_Vscan
Chinese Hacktool Set - file Vscan.exe
rule CN_Tools_Vscan {
meta:
description = "Chinese Hacktool Set - file Vscan.exe"
author = "Florian Roth"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "0365fe05e2de0f327dfaa8cd0d988dbb7b379612"
strings:
$s1 = "[+] Usage: VNC_bypauth <target> <scantype> <option>" fullword ascii
$s2 = "========RealVNC <= 4.1.1 Bypass Authentication Scanner=======" fullword ascii
$s3 = "[+] Type VNC_bypauth <target>,<scantype> or <option> for more informations" fullword ascii
$s4 = "VNC_bypauth -i 192.168.0.1,192.168.0.2,192.168.0.3,..." fullword ascii
$s5 = "-vn:%-15s:%-7d connection closed" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 60KB and 2 of them
}
CN_Tools_hscan
Chinese Hacktool Set - file hscan.exe
rule CN_Tools_hscan {
meta:
description = "Chinese Hacktool Set - file hscan.exe"
author = "Florian Roth"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "17a743e40790985ececf5c66eaad2a1f8c4cffe8"
strings:
$s1 = "%s -f hosts.txt -port -ipc -pop -max 300,20 -time 10000" fullword ascii
$s2 = "%s -h 192.168.0.1 192.168.0.254 -port -ftp -max 200,20" fullword ascii
$s3 = "%s -h www.target.com -all" fullword ascii
$s4 = ".\\report\\%s-%s.html" fullword ascii
$s5 = ".\\log\\Hscan.log" fullword ascii
$s6 = "[%s]: Found cisco Enable password: %s !!!" fullword ascii
$s7 = "%s@ftpscan#FTP Account: %s/[null]" fullword ascii
$s8 = ".\\conf\\mysql_pass.dic" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 300KB and all of them
}
CN_Tools_pc
Chinese Hacktool Set - file pc.exe
rule CN_Tools_pc {
meta:
description = "Chinese Hacktool Set - file pc.exe"
author = "Florian Roth"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "5cf8caba170ec461c44394f4058669d225a94285"
strings:
$s0 = "\\svchost.exe" fullword ascii
$s2 = "%s%08x.001" fullword ascii
$s3 = "Qy001Service" fullword ascii
$s4 = "/.MIKY" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 300KB and all of them
}
CN_Tools_srss_2
Chinese Hacktool Set - file srss.exe
rule CN_Tools_srss_2 {
meta:
description = "Chinese Hacktool Set - file srss.exe"
author = "Florian Roth"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "c418b30d004051bbf1b2d3be426936b95b5fea6f"
strings:
$x1 = "used pepack!" fullword ascii
$s1 = "KERNEL32.dll" fullword ascii
$s2 = "KERNEL32.DLL" fullword ascii
$s3 = "LoadLibraryA" fullword ascii
$s4 = "GetProcAddress" fullword ascii
$s5 = "VirtualProtect" fullword ascii
$s6 = "VirtualAlloc" fullword ascii
$s7 = "VirtualFree" fullword ascii
$s8 = "ExitProcess" fullword ascii
condition:
uint16(0) == 0x5a4d and ( $x1 at 0 ) and filesize < 14KB and all of ($s*)
}
CN_Tools_xsniff
Chinese Hacktool Set - file xsniff.exe
rule CN_Tools_xsniff {
meta:
description = "Chinese Hacktool Set - file xsniff.exe"
author = "Florian Roth"
reference = "http://tools.zjqhr.com/"
date = "2015-06-13"
hash = "d61d7329ac74f66245a92c4505a327c85875c577"
strings:
$s0 = "xsiff.exe -pass -hide -log pass.log" fullword ascii
$s1 = "HOST: %s USER: %s, PASS: %s" fullword ascii
$s2 = "xsiff.exe -tcp -udp -asc -addr 192.168.1.1" fullword ascii
$s10 = "Code by glacier <[email protected]>" fullword ascii
$s11 = "%-5s%s->%s Bytes=%d TTL=%d Type: %d,%d ID=%d SEQ=%d" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 220KB and 2 of them
}
CN_Toolset_LScanPortss_2
Detects a Chinese hacktool from a disclosed toolset - file LScanPortss.exe
rule CN_Toolset_LScanPortss_2 {
meta:
description = "Detects a Chinese hacktool from a disclosed toolset - file LScanPortss.exe"
author = "Florian Roth"
reference = "http://qiannao.com/ls/905300366/33834c0c/"
reference2 = "https://raw.githubusercontent.com/Neo23x0/Loki/master/signatures/thor-hacktools.yar"
date = "2015/03/30"
score = 70
hash = "4631ec57756466072d83d49fbc14105e230631a0"
strings:
$s1 = "LScanPort.EXE" fullword wide
$s3 = "www.honker8.com" fullword wide
$s4 = "DefaultPort.lst" fullword ascii
$s5 = "Scan over.Used %dms!" fullword ascii
$s6 = "www.hf110.com" fullword wide
$s15 = "LScanPort Microsoft " fullword wide
$s18 = "L-ScanPort2.0 CooFly" fullword wide
condition:
4 of them
}
CN_Toolset_NTscan_PipeCmd
Detects a Chinese hacktool from a disclosed toolset - file PipeCmd.exe
rule CN_Toolset_NTscan_PipeCmd {
meta:
description = "Detects a Chinese hacktool from a disclosed toolset - file PipeCmd.exe"
author = "Florian Roth"
reference = "http://qiannao.com/ls/905300366/33834c0c/"
reference2 = "https://raw.githubusercontent.com/Neo23x0/Loki/master/signatures/thor-hacktools.yar"
date = "2015/03/30"
score = 70
hash = "a931d65de66e1468fe2362f7f2e0ee546f225c4e"
strings:
$s2 = "Please Use NTCmd.exe Run This Program." fullword ascii
$s3 = "PipeCmd.exe" fullword wide
$s4 = "\\\\.\\pipe\\%s%s%d" fullword ascii
$s5 = "%s\\pipe\\%s%s%d" fullword ascii
$s6 = "%s\\ADMIN$\\System32\\%s%s" fullword ascii
$s7 = "%s\\ADMIN$\\System32\\%s" fullword ascii
$s9 = "PipeCmdSrv.exe" fullword ascii
$s10 = "This is a service executable! Couldn't start directly." fullword ascii
$s13 = "\\\\.\\pipe\\PipeCmd_communicaton" fullword ascii
$s14 = "PIPECMDSRV" fullword wide
$s15 = "PipeCmd Service" fullword ascii
condition:
4 of them
}
CN_Toolset__XScanLib_XScanLib_XScanLib
Detects a Chinese hacktool from a disclosed toolset - from files XScanLib.dll, XScanLib.dll, XScanLib.dll
rule CN_Toolset__XScanLib_XScanLib_XScanLib {
meta:
description = "Detects a Chinese hacktool from a disclosed toolset - from files XScanLib.dll, XScanLib.dll, XScanLib.dll"
author = "Florian Roth"
reference = "http://qiannao.com/ls/905300366/33834c0c/"
reference2 = "https://raw.githubusercontent.com/Neo23x0/Loki/master/signatures/thor-hacktools.yar"
date = "2015/03/30"
score = 70
super_rule = 1
hash0 = "af419603ac28257134e39683419966ab3d600ed2"
hash1 = "c5cb4f75cf241f5a9aea324783193433a42a13b0"
hash2 = "135f6a28e958c8f6a275d8677cfa7cb502c8a822"
strings:
$s1 = "Plug-in thread causes an exception, failed to alert user." fullword
$s2 = "PlugGetUdpPort" fullword
$s3 = "XScanLib.dll" fullword
$s4 = "PlugGetTcpPort" fullword
$s11 = "PlugGetVulnNum" fullword
condition:
all of them
}
CN_Toolset_sig_1433_135_sqlr
Detects a Chinese hacktool from a disclosed toolset - file sqlr.exe
rule CN_Toolset_sig_1433_135_sqlr {
meta:
description = "Detects a Chinese hacktool from a disclosed toolset - file sqlr.exe"
author = "Florian Roth"
reference = "http://qiannao.com/ls/905300366/33834c0c/"
reference2 = "https://raw.githubusercontent.com/Neo23x0/Loki/master/signatures/thor-hacktools.yar"
date = "2015/03/30"
score = 70
hash = "8542c7fb8291b02db54d2dc58cd608e612bfdc57"
strings:
$s0 = "Connect to %s MSSQL server success. Type Command at Prompt." fullword ascii
$s11 = ";DATABASE=master" fullword ascii
$s12 = "xp_cmdshell '" fullword ascii
$s14 = "SELECT * FROM OPENROWSET('SQLOLEDB','Trusted_Connection=Yes;Data Source=myserver" ascii
condition:
all of them
}
C_Cpp_Library_file
import "pe"
rule C_Cpp_Library_file: PEiD
{
strings:
$a = { F0 0D 00 00 }
condition:
$a at pe.entry_point
}
C_Cpp_Library_file_Hint_FILE_START
import "pe"
rule C_Cpp_Library_file_Hint_FILE_START: PEiD
{
strings:
$a = { F0 0D 00 00 }
condition:
$a at pe.entry_point
}
C_Crypt_v102_Hint_DOS_EP
import "pe"
rule C_Crypt_v102_Hint_DOS_EP: PEiD
{
strings:
$a = { E9 ?? ?? E8 ?? ?? 5D 83 ?? ?? 55 D9 D0 9C 58 25 ?? ?? 50 9D 50 57 BF ?? ?? B0 ?? AA 5F 58 66 51 }
condition:
$a at pe.entry_point
}
DK_Brute
PoS Scammer Toolbox - http://goo.gl/xiIphp - file DK Brute.exe
rule DK_Brute {
meta:
description = "PoS Scammer Toolbox - http://goo.gl/xiIphp - file DK Brute.exe"
author = "Florian Roth"
date = "22.11.14"
score = 70
reference = "http://goo.gl/xiIphp"
hash = "93b7c3a01c41baecfbe42461cb455265f33fbc3d"
strings:
$s6 = "get_CrackedCredentials" fullword ascii
$s13 = "Same port used for two different protocols:" fullword wide
$s18 = "coded by fLaSh" fullword ascii
$s19 = "get_grbToolsScaningCracking" fullword ascii
condition:
all of them
}
Dx_php_php
Semi-Auto-generated - file Dx.php.php.txt
rule Dx_php_php {
meta:
description = "Semi-Auto-generated - file Dx.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "9cfe372d49fe8bf2fac8e1c534153d9b"
strings:
$s0 = "print \"\\n\".'Tip: to view the file \"as is\" - open the page in <a href=\"'.Dx"
$s2 = "$DEF_PORTS=array (1=>'tcpmux (TCP Port Service Multiplexer)',2=>'Management Util"
$s3 = "$ra44 = rand(1,99999);$sj98 = \"sh-$ra44\";$ml = \"$sd98\";$a5 = $_SERVER['HTTP"
condition:
1 of them
}
EP_10
import "pe"
rule EP_10: PEiD
{
strings:
$a = { 50 83 C0 17 8B F0 97 33 C0 33 C9 B1 24 AC 86 C4 AC AA 86 C4 AA E2 F6 00 B8 40 00 03 00 3C 40 D2 33 8B 66 14 50 70 8B 8D 34 02 44 8B 18 10 48 70 03 BA 0C ?? ?? ?? ?? C0 33 FE 8B 30 AC 30 D0 C1 F0 10 C2 D0 30 F0 30 C2 C1 AA 10 42 42 CA C1 E2 04 5F E9 5E B1 }
condition:
$a at pe.entry_point
}
EP_ExE_Pack_V10_Elite_Coding_Group
import "pe"
rule EP_ExE_Pack_V10_Elite_Coding_Group: PEiD
{
strings:
$a = { 60 68 ?? ?? ?? ?? B8 ?? ?? ?? ?? FF 10 }
condition:
$a at pe.entry_point
}
EP_ExE_Pack_V10_Elite_Coding_Group_additional
import "pe"
rule EP_ExE_Pack_V10_Elite_Coding_Group_additional: PEiD
{
strings:
$a = { 60 68 54 ?? ?? ?? B8 48 ?? ?? ?? FF 10 68 B3 ?? ?? ?? 50 B8 44 ?? ?? ?? FF 10 68 00 ?? ?? ?? 6A 40 FF D0 89 05 CA ?? ?? ?? 89 C7 BE 00 10 ?? ?? 60 FC B2 80 31 DB A4 B3 02 E8 6D 00 00 00 73 F6 31 C9 E8 64 00 00 00 73 1C 31 C0 E8 5B 00 00 00 73 23 B3 02 41 B0 10 E8 4F 00 00 00 10 C0 73 F7 75 3F AA EB D4 E8 4D 00 00 00 29 D9 75 10 E8 42 00 00 00 EB 28 AC D1 E8 74 4D 11 C9 EB 1C 91 48 C1 E0 08 AC E8 2C 00 00 00 3D 00 7D 00 00 73 0A 80 FC 05 73 06 83 F8 7F 77 02 41 41 95 89 E8 B3 01 56 89 FE 29 C6 F3 A4 5E EB 8E 00 D2 75 05 8A 16 46 10 D2 C3 }
condition:
$a at pe.entry_point
}