YARA rules
5,947 rules indexed · pattern-based malware identification
YARA rules identify and classify malware families through binary patterns, strings, and metadata. Rules below come from multiple open repositories. Expand any rule to see its raw signature.
Rules
50 shown of 5,947

APT_MAL_RU_Snake_Indicators_May23_1
Detects indicators found in Snake malware samples
rule APT_MAL_RU_Snake_Indicators_May23_1 {
meta:
description = "Detects indicators found in Snake malware samples"
author = "Florian Roth"
reference = "https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF"
date = "2023-05-10"
score = 85
hash1 = "10b854d66240d9ee1ce4296d2f7857d2b1c6f062ca836d13d777930d678b3ca6"
hash2 = "15ac5a61fb3e751045de2d7f5ff26c673f3883e326cd1b3a63889984a4fb2a8f"
hash3 = "315ec991709eb45eccf724dfe31bccb7affcac7f8e8007e688ba8d02827205e0"
hash4 = "417eb4fb9ada270af35562ff317807ac5ca9ee26181fe89990858f0944d3a6a7"
hash5 = "48112970de6ea0f925f0657b30adcd0723df94afc98cfafdc991d70ad3602119"
hash6 = "55ea557bcf4c143f20c616abe9075f7faafbf825aeef9ddb4f2b201acc44414b"
hash7 = "6568bbeeb417e1111bf284e73152d90fe17e5497da7630ccddcbc666730dccef"
hash8 = "81d620cb645006ffc9ac1b9d98a53aa286ae92b025bda075962079633f020482"
hash9 = "888a3029b1b8b664eb1fc77dd511c4088a1e28ae5535a8683642bb3dca011d00"
hash10 = "9027b4fef50b36289d630059425dc1137c88328329c3ea9dbc348dccd001adc0"
hash11 = "9ac199572cab67433726976a0e9ba39d6feed1d567d6d230ebe3133df8dcb7fa"
hash12 = "a64e5d872421991226ee040b4cd49a89ca681bdef4c10c4798b6c7b5c832c6df"
hash13 = "b5d2da5eb57b5ab26edb927469552629f3cf43bbce2b1a128f6daac7cf57f6f7"
hash14 = "bc15de1d1c6c62c0bf856e0368adabc4941e7b687a969912494c173233e6d28d"
hash15 = "bdf94311313c39a3413464f623bd75a3db2eb05cc01090acd6dcd462a605eb4a"
hash16 = "e4311892ae00bf8148a94fa900fc8e2c279a2acd3b4b4b4c3d0c99dd1d32353c"
hash17 = "ed74288b367a93c6b47343bc696e751b9c465761ce9c4208901726baa758b234"
hash18 = "ef1f1c7692b92a730f76b6227643b2d02a6e353af6e930166e3b48e3903e4ffd"
hash19 = "f5e982b76af7f447742753f0b57eec3d7dd2e3c8e5506c35d4cf6c860b829f45"
id = "0d4fa8a7-447c-5905-bab9-b63de6209036"
strings:
$s1 = "\\\\.\\%s\\\\" ascii fullword
$s2 = "read_peer_nfo" ascii fullword
$s3 = "rcv_buf=%d%c" ascii fullword
$s4 = "%s: (0x%08x)" ascii fullword
$s5 = "no_impersonate" ascii fullword
condition:
all of them
}
APT_MAL_RU_Snake_Malware_Queue_File_May23_1
Detects Queue files used by Snake malware
// Requires the "math" module. "filename" (and "filepath", referenced in the
// commented-out clause) are external variables that the scanning tool must
// supply, e.g. yara -d filename=<name>; without them the rule will not compile.
import "math"

rule APT_MAL_RU_Snake_Malware_Queue_File_May23_1 {
meta:
description = "Detects Queue files used by Snake malware"
author = "Florian Roth"
reference = "https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF"
date = "2023-05-10"
score = 80
id = "c7ed554e-b55e-5c3f-aa8b-231cb1073f34"
condition:
filename matches /(\{[0-9A-Fa-f]{8}\-([0-9A-Fa-f]{4}\-){3}[0-9A-Fa-f]{12}\}\.){2}crmlog/
/* and filepath contains "\\Registration\\" // not needed - already specific enough */
// we reduce the range for the entropy calculation to the first 1024 for performance
// reasons. In a fully encrypted file - as used by Snake - this should already be specific enough
//and math.entropy(0, filesize) >= 7.0
and math.entropy(0, 1024) >= 7.0
}
APT_MAL_RU_Turla_Kazuar_May20_1
Detects Turla Kazuar malware
rule APT_MAL_RU_Turla_Kazuar_May20_1 {
meta:
description = "Detects Turla Kazuar malware"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.epicturla.com/blog/sysinturla"
date = "2020-05-28"
hash1 = "1749c96cc1a4beb9ad4d6e037e40902fac31042fa40152f1d3794f49ed1a2b5c"
hash2 = "1fca5f41211c800830c5f5c3e355d31a05e4c702401a61f11e25387e25eeb7fa"
hash3 = "2d8151dabf891cf743e67c6f9765ee79884d024b10d265119873b0967a09b20f"
hash4 = "44cc7f6c2b664f15b499c7d07c78c110861d2cc82787ddaad28a5af8efc3daac"
id = "cd0d1fa2-5303-55f8-90a7-4a699ec79230"
strings:
$s1 = "Sysinternals" ascii fullword
$s2 = "Test Copyright" wide fullword
$op1 = { 0d 01 00 08 34 2e 38 30 2e 30 2e 30 00 00 13 01 }
condition:
uint16(0) == 0x5a4d and
filesize < 2000KB and
all of them
}
APT_MAL_RU_WIN_Snake_Malware_May23_1
Hunting Russian Intelligence Snake Malware
rule APT_MAL_RU_WIN_Snake_Malware_May23_1 {
meta:
author = "Matt Suiche (Magnet Forensics)"
description = "Hunting Russian Intelligence Snake Malware"
date = "2023-05-10"
modified = "2025-03-21"
threat_name = "Windows.Malware.Snake"
reference = "https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF"
score = 70
scan_context = "memory"
license = "MIT"
/* The original search only query those bytes in PAGE_EXECUTE_WRITECOPY VADs */
id = "53d2de3c-350c-5090-84bb-b6cde16a80ad"
strings:
$a = { 25 73 23 31 }
$b = { 25 73 23 32 }
$c = { 25 73 23 33 }
$d = { 25 73 23 34 }
$e = { 2e 74 6d 70 }
/* $f = { 2e 74 6d 70 } */
$g = { 2e 73 61 76 }
$h = { 2e 75 70 64 }
condition:
all of them
}
APT_MAL_RU_WIN_Snake_Malware_PeIconSizes_May23_1
Detects Comadmin file that houses Snake's kernel driver and the driver's loader
// Requires the "pe" module. "filename" and "filepath" are external variables
// that the scanning tool must supply, e.g. yara -d filename=<name> -d filepath=<path>;
// without them the rule will not compile.
import "pe"

rule APT_MAL_RU_WIN_Snake_Malware_PeIconSizes_May23_1 {
meta:
description = "Detects Comadmin file that houses Snake's kernel driver and the driver's loader"
author = "CSA"
reference = "https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF"
date = "2023-05-10"
score = 75
condition:
uint16(0) == 0x5a4d
and (
filename == "WerFault.exe"
or filename == "werfault.exe"
)
and filepath contains "\\WinSxS\\"
and for any rsrc in pe.resources: (
rsrc.type == pe.RESOURCE_TYPE_ICON and rsrc.length == 3240
)
and for any rsrc in pe.resources: (
rsrc.type == pe.RESOURCE_TYPE_ICON and rsrc.length == 1384
)
and for any rsrc in pe.resources: (
rsrc.type == pe.RESOURCE_TYPE_ICON and rsrc.length == 7336
)
}
APT_MAL_Win_BlueLight
The BLUELIGHT malware family. Leverages Microsoft OneDrive for network communications.
rule APT_MAL_Win_BlueLight : InkySquid {
meta:
author = "[email protected]"
date = "2021-04-23"
description = "The BLUELIGHT malware family. Leverages Microsoft OneDrive for network communications."
hash1 = "7c40019c1d4cef2ffdd1dd8f388aaba537440b1bffee41789c900122d075a86d"
hash2 = "94b71ee0861cc7cfbbae53ad2e411a76f296fd5684edf6b25ebe79bf6a2a600a"
license = "See license at https://github.com/volexity/threat-intel/LICENSE.txt"
reference = "https://www.volexity.com/blog/2021/08/17/north-korean-apt-inkysquid-infects-victims-using-browser-exploits/"
id = "3ec2d44c-4c08-514d-a839-acef3f53f7dc"
strings:
$pdb1 = "\\Development\\BACKDOOR\\ncov\\"
$pdb2 = "Release\\bluelight.pdb"
$msg0 = "https://ipinfo.io" fullword
$msg1 = "country" fullword
$msg5 = "\"UserName\":\"" fullword
$msg7 = "\"ComName\":\"" fullword
$msg8 = "\"OS\":\"" fullword
$msg9 = "\"OnlineIP\":\"" fullword
$msg10 = "\"LocalIP\":\"" fullword
$msg11 = "\"Time\":\"" fullword
$msg12 = "\"Compiled\":\"" fullword
$msg13 = "\"Process Level\":\"" fullword
$msg14 = "\"AntiVirus\":\"" fullword
$msg15 = "\"VM\":\"" fullword
condition:
any of ($pdb*) or
all of ($msg*)
}
APT_MAL_Win_BlueLight_B
North Korean origin malware which uses a custom Google App for c2 communications.
rule APT_MAL_Win_BlueLight_B : InkySquid
{
meta:
author = "[email protected]"
description = "North Korean origin malware which uses a custom Google App for c2 communications."
date = "2021-06-21"
hash1 = "837eaf7b736583497afb8bbdb527f70577901eff04cc69d807983b233524bfed"
license = "See license at https://github.com/volexity/threat-intel/LICENSE.txt"
reference = "https://www.volexity.com/blog/2021/08/17/north-korean-apt-inkysquid-infects-victims-using-browser-exploits/"
id = "3ec2d44c-4c08-514d-a839-acef3f53f7dc"
strings:
$magic = "host_name: %ls, cookie_name: %s, cookie: %s, CT: %llu, ET: %llu, value: %s, path: %ls, secu: %d, http: %d, last: %llu, has: %d"
$f1 = "%ls.INTEG.RAW" wide
$f2 = "edb.chk" ascii
$f3 = "edb.log" ascii
$f4 = "edbres00001.jrs" ascii
$f5 = "edbres00002.jrs" ascii
$f6 = "edbtmp.log" ascii
$f7 = "cheV01.dat" ascii
$chrome1 = "Failed to get chrome cookie"
$chrome2 = "mail.google.com, cookie_name: OSID"
$chrome3 = ".google.com, cookie_name: SID,"
$chrome4 = ".google.com, cookie_name: __Secure-3PSID,"
$chrome5 = "Failed to get Edge cookie"
$chrome6 = "google.com, cookie_name: SID,"
$chrome7 = "google.com, cookie_name: __Secure-3PSID,"
$chrome8 = "Failed to get New Edge cookie"
$chrome9 = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0"
$chrome10 = "Content-Type: application/x-www-form-urlencoded;charset=utf-8"
$chrome11 = "Cookie: SID=%s; OSID=%s; __Secure-3PSID=%s"
$chrome12 = "https://mail.google.com"
$chrome13 = "result.html"
$chrome14 = "GM_ACTION_TOKEN"
$chrome15 = "GM_ID_KEY="
$chrome16 = "/mail/u/0/?ik=%s&at=%s&view=up&act=prefs"
$chrome17 = "p_bx_ie=1"
$chrome18 = "myaccount.google.com, cookie_name: OSID"
$chrome19 = "Accept-Language: ko-KR,ko;q=0.8,en-US;q=0.5,en;q=0.3"
$chrome20 = "Content-Type: application/x-www-form-urlencoded;charset=utf-8"
$chrome21 = "Cookie: SID=%s; OSID=%s; __Secure-3PSID=%s"
$chrome22 = "https://myaccount.google.com"
$chrome23 = "result.html"
$chrome24 = "myaccount.google.com"
$chrome25 = "/_/AccountSettingsUi/data/batchexecute"
$chrome26 = "f.req=%5B%5B%5B%22BqLdsd%22%2C%22%5Btrue%5D%22%2Cnull%2C%22generic%22%5D%5D%5D&at="
$chrome27 = "response.html"
$msg1 = "https_status is %s"
$msg2 = "Success to find GM_ACTION_TOKEN and GM_ID_KEY"
$msg3 = "Failed to find GM_ACTION_TOKEN and GM_ID_KEY"
$msg4 = "Failed HttpSendRequest to mail.google.com"
$msg5 = "Success to enable imap"
$msg6 = "Failed to enable imap"
$msg7 = "Success to find SNlM0e"
$msg8 = "Failed to find SNlM0e"
$msg9 = "Failed HttpSendRequest to myaccount.google.com"
$msg10 = "Success to enable thunder access"
$msg11 = "Failed to enable thunder access"
$keylogger_component1 = "[TAB]"
$keylogger_component2 = "[RETURN]"
$keylogger_component3 = "PAUSE"
$keylogger_component4 = "[ESC]"
$keylogger_component5 = "[PAGE UP]"
$keylogger_component6 = "[PAGE DOWN]"
$keylogger_component7 = "[END]"
$keylogger_component8 = "[HOME]"
$keylogger_component9 = "[ARROW LEFT]"
$keylogger_component10 = "[ARROW UP]"
$keylogger_component11 = "[ARROW RIGHT]"
$keylogger_component12 = "[ARROW DOWN]"
$keylogger_component13 = "[INS]"
$keylogger_component14 = "[DEL]"
$keylogger_component15 = "[WIN]"
$keylogger_component16 = "[NUM *]"
$keylogger_component17 = "[NUM +]"
$keylogger_component18 = "[NUM ,]"
$keylogger_component19 = "[NUM -]"
$keylogger_component20 = "[NUM .]"
$keylogger_component21 = "NUM /]"
$keylogger_component22 = "[NUMLOCK]"
$keylogger_component23 = "[SCROLLLOCK]"
$keylogger_component24 = "Time: "
$keylogger_component25 = "Window: "
$keylogger_component26 = "CAPSLOCK+"
$keylogger_component27 = "SHIFT+"
$keylogger_component28 = "CTRL+"
$keylogger_component29 = "ALT+"
condition:
$magic or
(
all of ($f*) and
5 of ($keylogger_component*)
) or
24 of ($chrome*) or
4 of ($msg*) or
27 of ($keylogger_component*)
}
APT_MAL_Win_DecRok
The DECROK malware family, which uses the victim's hostname to decrypt and execute an embedded payload.
rule APT_MAL_Win_DecRok : InkySquid
{
meta:
author = "[email protected]"
date = "2021-06-23"
description = "The DECROK malware family, which uses the victim's hostname to decrypt and execute an embedded payload."
hash = "6a452d088d60113f623b852f33f8f9acf0d4197af29781f889613fed38f57855"
license = "See license at https://github.com/volexity/threat-intel/LICENSE.txt"
reference = "https://www.volexity.com/blog/2021/08/24/north-korean-bluelight-special-inkysquid-deploys-rokrat/"
id = "dc83843d-fd2a-52f1-82e8-8e36b135a0c5"
strings:
$v1 = {C7 ?? ?? ?? 01 23 45 67 [2-20] C7 ?? ?? ?? 89 AB CD EF C7 ?? ?? ?? FE DC BA 98}
$av1 = "Select * From AntiVirusProduct" wide
$av2 = "root\\SecurityCenter2" wide
/* CreateThread..%02x */
$funcformat = { 25 30 32 78 [0-10] 43 72 65 61 74 65 54 68 72 65 61 64 }
condition:
all of them
}
APT_MAL_Win_RokLoad_Loader
A shellcode loader used to decrypt and run an embedded executable.
rule APT_MAL_Win_RokLoad_Loader : InkySquid
{
meta:
author = "[email protected]"
date = "2021-06-23"
description = "A shellcode loader used to decrypt and run an embedded executable."
hash = "85cd5c3bb028fe6931130ccd5d0b0c535c01ce2bcda660a3b72581a1a5382904"
license = "See license at https://github.com/volexity/threat-intel/LICENSE.txt"
reference = "https://www.volexity.com/blog/2021/08/24/north-korean-bluelight-special-inkysquid-deploys-rokrat/"
id = "229dbf3c-1538-5ecd-b5f8-8c9a9c81c515"
strings:
$bytes00 = { 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 57 41 54 41 55 41 56 41 57 48 ?? ?? ?? b9 ?? ?? ?? ?? 33 ff e8 ?? ?? ?? ?? b9 ?? ?? ?? ?? 4c 8b e8 e8 ?? ?? ?? ?? 4c 8b f0 41 ff d6 b9 ?? ?? ?? ?? 44 8b f8 e8 ?? ?? ?? ?? 4c 8b e0 e8 ?? ?? ?? ?? 48 }
condition:
$bytes00 at 0
}
APT_ME_BigBang_Gen_Jul18_1
Detects malware from Big Bang campaign against Palestinian authorities
// Requires the "pe" module for the pe.imphash() check in the condition.
import "pe"

rule APT_ME_BigBang_Gen_Jul18_1 {
meta:
description = "Detects malware from Big Bang campaign against Palestinian authorities"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://research.checkpoint.com/apt-attack-middle-east-big-bang/"
date = "2018-07-09"
hash1 = "4db68522600f2d8aabd255e2da999a9d9c9f1f18491cfce9dadf2296269a172b"
hash2 = "ac6462e9e26362f711783b9874d46fefce198c4c3ca947a5d4df7842a6c51224"
hash3 = "e1f52ea30d25289f7a4a5c9d15be97c8a4dfe10eb68ac9d031edcc7275c23dbc"
id = "f1097998-9414-511c-b177-ff09154964a8"
strings:
$x2 = "%@W@%S@c@ri%@p@%t.S@%he@%l%@l" ascii
$x3 = "S%@h%@e%l%@l." ascii
$x4 = "(\"S@%t@%a%@rt%@up\")" ascii
$x5 = "aW5zdGFsbCBwcm9nOiBwcm9nIHdpbGwgZGVsZXRlIG9sZCB0bXAgZmlsZQ==" fullword ascii /* base64 encoded string 'install prog: prog will delete old tmp file' */
$x6 = "aW5zdGFsbCBwcm9nOiBUaGVyZSBpcyBubyBvbGQgZmlsZSBpbiB0ZW1wLg==" fullword ascii /* base64 encoded string 'install prog: There is no old file in temp.' */
$x7 = "VXBkYXRlIHByb2c6IFRoZXJlIGlzIG5vIG9sZCBmaWxlIGluIHRlbXAu" fullword ascii /* base64 encoded string 'Update prog: There is no old file in temp.' */
$x8 = "aW5zdGFsbCBwcm9nOiBDcmVhdGUgVGFzayBhZnRlciA1IG1pbiB0byBydW4gRmlsZSBmcm9tIHRtcA==" fullword ascii /* base64 encoded string 'install prog: Create Task after 5 min to run File from tmp' */
$x9 = "UnVuIEZpbGU6IE15IHByb2cgaXMgRXhpdC4=" fullword ascii /* base64 encoded string 'Run File: My prog is Exit.' */
$x10 = "li%@%@nk.W%@%@indo@%%@%@%wS%@%@tyle = 3" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 3000KB and (
1 of them or
pe.imphash() == "0f09ea2a68d04f331df9a5d0f8641332"
)
}
APT_ME_BigBang_Mal_Jul18_1
Detects malware from Big Bang report
rule APT_ME_BigBang_Mal_Jul18_1 {
meta:
description = "Detects malware from Big Bang report"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://research.checkpoint.com/apt-attack-middle-east-big-bang/"
date = "2018-07-09"
hash1 = "ac6462e9e26362f711783b9874d46fefce198c4c3ca947a5d4df7842a6c51224"
hash2 = "e1f52ea30d25289f7a4a5c9d15be97c8a4dfe10eb68ac9d031edcc7275c23dbc"
id = "f30b2e11-f90a-5068-8eaa-25f11218ec6c"
strings:
$s1 = "%Y%m%d-%I-%M-%S" fullword ascii
$s2 = "/api/serv/requests/%s/runfile/delete" fullword ascii
$s3 = "\\part.txt" ascii
$s4 = "\\ALL.txt" ascii
$s5 = "\\sat.txt" ascii
$s6 = "runfile.proccess_name" fullword ascii
$s7 = "%s%s%p%s%zd%s%d%s%s%s%s%s" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 3000KB and 4 of them
}
APT_NK_AR18_165A_1
Detects APT malware from AR18-165A report by US CERT
rule APT_NK_AR18_165A_1 {
meta:
description = "Detects APT malware from AR18-165A report by US CERT"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.us-cert.gov/ncas/analysis-reports/AR18-165A"
date = "2018-06-15"
hash1 = "089e49de61701004a5eff6de65476ed9c7632b6020c2c0f38bb5761bca897359"
id = "45f5205d-7f69-5646-aef8-f95d139f9720"
strings:
$s1 = "netsh.exe advfirewall firewall add rule name=\"PortOpenning\" dir=in protocol=tcp localport=%d action=allow enable=yes" fullword wide
$s2 = "netsh.exe firewall add portopening TCP %d \"PortOpenning\" enable" fullword wide
condition:
uint16(0) == 0x5a4d and filesize < 2000KB and 1 of them
}
APT_NK_AR18_165A_HiddenCobra_import_deob
Hidden Cobra - Detects installed proxy module as a service
rule APT_NK_AR18_165A_HiddenCobra_import_deob {
meta:
author = "NCCIC trusted 3rd party - Edit: Tobias Michalski"
incident = "10135536"
date = "2018-04-12"
category = "hidden_cobra"
family = "TYPEFRAME"
md5 = "ae769e62fef4a1709c12c9046301aa5d"
md5 = "e48fe20eblf5a5887f2ac631fed9ed63"
reference = "https://www.us-cert.gov/ncas/analysis-reports/AR18-165A"
description = "Hidden Cobra - Detects installed proxy module as a service"
id = "f403d589-be35-57a7-9675-f92657c11acc"
strings:
$ = { 8a 01 3c 62 7c 0a 3c 79 7f 06 b2 db 2a d0 88 11 8a 41 01 41 84 c0 75 e8}
$ = { 8A 08 80 F9 62 7C 0B 80 F9 79 7F 06 82 DB 2A D1 88 10 8A 48 01 40 84 C9 75 E6}
condition:
(uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and any of them
}
APT_NK_BabyShark_KimJoingRAT_Apr19_1
Detects BabyShark KimJongRAT
rule APT_NK_BabyShark_KimJoingRAT_Apr19_1 {
meta:
description = "Detects BabyShark KimJongRAT"
author = "Florian Roth (Nextron Systems)"
reference = "https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/"
date = "2019-04-27"
hash1 = "d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712"
id = "c6bd1e1a-68f2-5a2d-a159-b16ea0d33987"
strings:
$x1 = "%s\\Microsoft\\ttmp.log" fullword wide
$a1 = "logins.json" fullword ascii
$s1 = "https://www.google.com/accounts/servicelogin" fullword ascii
$s2 = "https://login.yahoo.com/config/login" fullword ascii
$s3 = "SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login" ascii
$s4 = "\\mozsqlite3.dll" ascii
$s5 = "SMTP Password" fullword ascii
$s6 = "Yandex\\YandexBrowser\\User Data\\Default\\Login Data" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 2000KB and (
1 of ($x*) or
( $a1 and 3 of ($s*) )
)
}
APT_NK_Lazarus_Network_Backdoor_Unpacked
Detects unpacked variant of Lazarus Group network backdoor
rule APT_NK_Lazarus_Network_Backdoor_Unpacked {
meta:
author = "f-secure"
description = "Detects unpacked variant of Lazarus Group network backdoor"
date = "2020-06-10"
reference = "https://labs.f-secure.com/publications/ti-report-lazarus-group-cryptocurrency-vertical"
id = "8eda9e74-1a19-5510-82d8-cd2eb324629c"
strings:
$str_netsh_1 = "netsh firewall add portopening TCP %d" ascii wide nocase
$str_netsh_2 = "netsh firewall delete portopening TCP %d" ascii wide nocase
$str_mask_1 = "cmd.exe /c \"%s >> %s 2>&1\"" ascii wide
$str_mask_2 = "cmd.exe /c \"%s 2>> %s\"" ascii wide
$str_mask_3 = "%s\\%s\\%s" ascii wide
$str_other_1 = "perflog.dat" ascii wide nocase
$str_other_2 = "perflog.evt" ascii wide nocase
$str_other_3 = "cbstc.log" ascii wide nocase
$str_other_4 = "LdrGetProcedureAddress" ascii
$str_other_5 = "NtProtectVirtualMemory" ascii
condition:
int16(0) == 0x5a4d
and filesize < 3000KB
and 1 of ($str_netsh*)
and 1 of ($str_mask*)
and 1 of ($str_other*)
}
APT_NK_Lazarus_RC4_Loop
Detects RC4 loop in Lazarus Group implant
rule APT_NK_Lazarus_RC4_Loop {
meta:
author = "f-secure "
description = "Detects RC4 loop in Lazarus Group implant"
date = "2020-06-10"
reference = "https://labs.f-secure.com/publications/ti-report-lazarus-group-cryptocurrency-vertical"
id = "a9503795-b4b8-505e-a1bf-df64ec8c1c32"
strings:
$str_rc4_loop = { 41 FE 8? 00 01 00 00 45 0F B6 ?? 00 01 00 00 48
FF C? 43 0F B6 0? ?? 41 00 8? 01 01 00 00 41 0F
B6 ?? 01 01 00 00 }
condition:
int16(0) == 0x5a4d and filesize < 3000KB and $str_rc4_loop
}
APT_NK_MAL_DLL_Apr23_1
Detects DLLs loaded by shellcode loader (6ce5b6b4cdd6290d396465a1624d489c7afd2259a4d69b73c6b0ba0e5ad4e4ad) (relation to Lazarus group)
rule APT_NK_MAL_DLL_Apr23_1 {
meta:
description = "Detects DLLs loaded by shellcode loader (6ce5b6b4cdd6290d396465a1624d489c7afd2259a4d69b73c6b0ba0e5ad4e4ad) (relation to Lazarus group)"
author = "Florian Roth (Nextron Systems)"
reference = "https://securelist.com/gopuram-backdoor-deployed-through-3cx-supply-chain-attack/109344/"
date = "2023-04-03"
score = 75
hash1 = "69dd140f45c3fa3aaa64c69f860cd3c74379dec37c46319d7805a29b637d4dbf"
hash3 = "bb1066c1ca53139dc5a2c1743339f4e6360d6fe4f2f3261d24fc28a12f3e2ab9"
hash4 = "dca33d6dacac0859ec2f3104485720fe2451e21eb06e676f4860ecc73a41e6f9"
hash5 = "fe948451df90df80c8028b969bf89ecbf501401e7879805667c134080976ce2e"
id = "c2abe266-0c21-51aa-9426-46a4f59df937"
strings:
$x1 = "vG2eZ1KOeGd2n5fr" ascii fullword
$s1 = "Windows %d(%d)-%s" ascii fullword
$s2 = "auth_timestamp: " ascii fullword
$s3 = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36" wide fullword
$op1 = { b8 c8 00 00 00 83 fb 01 44 0f 47 e8 41 8b c5 48 8b b4 24 e0 18 00 00 4c 8b a4 24 e8 18 00 00 48 8b 8d a0 17 00 00 48 33 cc }
$op2 = { 33 d2 46 8d 04 b5 00 00 00 00 66 0f 1f 44 00 00 49 63 c0 41 ff c0 8b 4c 84 70 31 4c 94 40 48 ff c2 }
$op3 = { 89 5c 24 50 0f 57 c0 c7 44 24 4c 04 00 00 00 c7 44 24 48 40 00 00 00 0f 11 44 24 60 0f 11 44 24 70 0f 11 45 80 0f 11 45 90 }
condition:
uint16(0) == 0x5a4d and
filesize < 500KB and (
1 of ($x*)
or 2 of them
)
or (
$x1 and 1 of ($s*)
or 3 of them
)
}
APT_NK_MAL_Keylogger_Unknown_Nov19_1
Detects unknown keylogger reported by CNMF in November 2019
rule APT_NK_MAL_Keylogger_Unknown_Nov19_1 {
meta:
description = "Detects unknown keylogger reported by CNMF in November 2019"
author = "Florian Roth (Nextron Systems)"
reference = "https://twitter.com/CNMF_VirusAlert/status/1192131508007505921"
date = "2019-11-06"
hash1 = "04d70bb249206a006f83db39bbe49ff6e520ea329e5fbb9c758d426b1c8dec30"
hash2 = "618a67048d0a9217317c1d1790ad5f6b044eaa58a433bd46ec2fb9f9ff563dc6"
id = "5311d883-52e0-5503-9494-c583fabbedfe"
strings:
$x1 = "CKeyLogDlg::Keylogger_WriteFile" ascii
$x2 = "Keylog file is saved >>>>>> %s" fullword ascii
$x3 = "MicCap file is saved >>>>>> %s" fullword ascii
$x4 = "cr5cr33nc4p.dat" fullword ascii
$xc1 = { 73 74 61 74 75 73 00 00 5C 4B 65 79 6C 6F 67 }
$xc2 = { 5B 43 4D 69 63 43 61 70 44 6C 67 5D 2E 00 00 00
25 30 34 64 25 30 32 64 25 30 32 64 25 30 32 64
25 30 32 64 2E 77 61 76 }
$xc3 = { 25 73 00 00 25 73 5C 2A 2E 2A 00 00 61 62 00 00
5B 25 73 5D 20 75 70 6C 6F 61 64 20 66 61 69 6C
65 64 2E 00 72 62 00 00 5B 25 73 5D 20 6F 70 65
6E 20 66 61 69 6C 65 64 2E 00 00 00 2E 2E 00 00
5B 25 73 20 2D 3E 20 25 73 5D 20 63 6F 70 79 20
66 61 69 6C 65 64 }
$s1 = "%s\\cmd.exe /c %s" fullword ascii
$s2 = "File upload error occured in [CFSDlg::ProcessResultMessage]." fullword ascii
$s3 = "\\SAM\\Domains\\Account\\Users\\Names" ascii
$s4 = "%s_hist%d:%d:%s:%s:::" fullword ascii
$s5 = "CARAT_Ws2_32.dll" fullword ascii
$s6 = "PID [%s], open process failed." fullword ascii
condition:
uint16(0) == 0x5a4d and filesize <= 40000KB and ( 1 of ($x*) or 4 of them )
}
APT_NK_MAL_M_Hunting_VEILEDSIGNAL_1
Detects VEILEDSIGNAL malware
rule APT_NK_MAL_M_Hunting_VEILEDSIGNAL_1 {
meta:
description = "Detects VEILEDSIGNAL malware"
author = "Mandiant"
score = 75
disclaimer = "This rule is meant for hunting and is not tested to run in a production environment"
hash1 = "404b09def6054a281b41d309d809a428"
hash2 = "c6441c961dcad0fe127514a918eaabd4"
reference = "https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise"
date = "2023-04-20"
id = "3e7c92fe-a7bd-5180-9935-4f98f2b64e2b"
strings:
$rh1 = { 68 5D 7A D2 2C 3C 14 81 2C 3C 14 81 2C 3C 14 81 77 54 10 80 26 3C 14 81 77 54 17 80 29 3C 14 81 77 54 11 80 AB 3C 14 81 D4 4C 11 80 33 3C 14 81 D4 4C 10 80 22 3C 14 81 D4 4C 17 80 25 3C 14 81 77 54 15 80 27 3C 14 81 2C 3C 15 81 4B 3C 14 81 94 4D 1D 80 28 3C 14 81 94 4D 14 80 2D 3C 14 81 94 4D 16 80 2D 3C 14 81 }
$rh2 = { 00 E5 A0 2B 44 84 CE 78 44 84 CE 78 44 84 CE 78 1F EC CA 79 49 84 CE 78 1F EC CD 79 41 84 CE 78 1F EC CB 79 C8 84 CE 78 BC F4 CA 79 4A 84 CE 78 BC F4 CD 79 4D 84 CE 78 BC F4 CB 79 65 84 CE 78 1F EC CF 79 43 84 CE 78 44 84 CF 78 22 84 CE 78 FC F5 C7 79 42 84 CE 78 FC F5 CE 79 45 84 CE 78 FC F5 CC 79 45 84 CE 78}
$rh3 = { DA D2 21 22 9E B3 4F 71 9E B3 4F 71 9E B3 4F 71 C5 DB 4C 70 94 B3 4F 71 C5 DB 4A 70 15 B3 4F 71 C5 DB 4B 70 8C B3 4F 71 66 C3 4B 70 8C B3 4F 71 66 C3 4C 70 8F B3 4F 71 C5 DB 49 70 9F B3 4F 71 66 C3 4A 70 B0 B3 4F 71 C5 DB 4E 70 97 B3 4F 71 9E B3 4E 71 F9 B3 4F 71 26 C2 46 70 9F B3 4F 71 26 C2 B0 71 9F B3 4F 71 9E B3 D8 71 9F B3 4F 71 26 C2 4D 70 9F B3 4F 71 }
$rh4 = { CB 8A 35 66 8F EB 5B 35 8F EB 5B 35 8F EB 5B 35 D4 83 5F 34 85 EB 5B 35 D4 83 58 34 8A EB 5B 35 D4 83 5E 34 09 EB 5B 35 77 9B 5E 34 92 EB 5B 35 77 9B 5F 34 81 EB 5B 35 77 9B 58 34 86 EB 5B 35 D4 83 5A 34 8C EB 5B 35 8F EB 5A 35 D3 EB 5B 35 37 9A 52 34 8C EB 5B 35 37 9A 58 34 8E EB 5B 35 37 9A 5B 34 8E EB 5B 35 37 9A 59 34 8E EB 5B 35 }
condition:
uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and 1 of ($rh*)
}
APT_NK_MAL_M_Hunting_VEILEDSIGNAL_2
Detects VEILEDSIGNAL malware
rule APT_NK_MAL_M_Hunting_VEILEDSIGNAL_2 {
meta:
description = "Detects VEILEDSIGNAL malware"
author = "Mandiant"
score = 75
disclaimer = "This rule is meant for hunting and is not tested to run in a production environment"
hash1 = "404b09def6054a281b41d309d809a428"
reference = "https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise"
date = "2023-04-20"
id = "1b96c2f0-1c57-593e-9630-a72d43eb857e"
strings:
$sb1 = { C1 E0 05 4D 8? [2] 33 D0 45 69 C0 7D 50 BF 12 8B C2 41 FF C2 C1 E8 07 33 D0 8B C2 C1 E0 16 41 81 C0 87 D6 12 00 }
$si1 = "CryptBinaryToStringA" fullword
$si2 = "BCryptGenerateSymmetricKey" fullword
$si3 = "CreateThread" fullword
$ss1 = "ChainingModeGCM" wide
$ss2 = "__tutma" fullword
condition:
(uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and (uint16(uint32(0x3C)+0x18) == 0x020B) and all of them
}
APT_NK_MAL_M_Hunting_VEILEDSIGNAL_3
Detects VEILEDSIGNAL malware
rule APT_NK_MAL_M_Hunting_VEILEDSIGNAL_3 {
meta:
description = "Detects VEILEDSIGNAL malware"
author = "Mandiant"
score = 75
disclaimer = "This rule is meant for hunting and is not tested to run in a production environment"
md5 = "c6441c961dcad0fe127514a918eaabd4"
reference = "https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise"
date = "2023-04-20"
id = "82790c65-1d93-509b-95df-841543943c30"
strings:
$ss1 = { 61 70 70 6C 69 63 61 74 69 6F 6E 2F 6A 73 6F 6E 2C 20 74 65 78 74 2F 6A 61 76 61 73 63 72 69 70 74 2C 20 2A 2F 2A 3B 20 71 3D 30 2E 30 31 00 00 61 63 63 65 70 74 00 00 65 6E 2D 55 53 2C 65 6E 3B 71 3D 30 2E 39 00 00 61 63 63 65 70 74 2D 6C 61 6E 67 75 61 67 65 00 63 6F 6F 6B 69 65 00 00 }
$si1 = "HttpSendRequestW" fullword
$si2 = "CreateNamedPipeW" fullword
$si3 = "CreateThread" fullword
$se1 = "DllGetClassObject" fullword
condition:
(uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and (uint16(uint32(0x3C)+0x18) == 0x020B) and all of them
}
APT_NK_MAL_M_Hunting_VEILEDSIGNAL_4
Detects VEILEDSIGNAL malware
rule APT_NK_MAL_M_Hunting_VEILEDSIGNAL_4 {
meta:
description = "Detects VEILEDSIGNAL malware"
author = "Mandiant"
score = 75
disclaimer = "This rule is meant for hunting and is not tested to run in a production environment"
hash1 = "404b09def6054a281b41d309d809a428"
hash2 = "c6441c961dcad0fe127514a918eaabd4"
reference = "https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise"
date = "2023-04-20"
id = "379e6471-3c4f-5c72-b8fd-17f481e89ac6"
strings:
$sb1 = { FF 15 FC 76 01 00 8B F0 85 C0 74 ?? 8D 50 01 [6-16] FF 15 [4] 48 8B D8 48 85 C0 74 ?? 89 ?? 24 28 44 8B CD 4C 8B C? 48 89 44 24 20 }
$sb2 = { 33 D2 33 C9 FF 15 [4] 4C 8B CB 4C 89 74 24 28 4C 8D 05 [2] FF FF 44 89 74 24 20 33 D2 33 C9 FF 15 }
$si1 = "CreateThread" fullword
$si2 = "MultiByteToWideChar" fullword
$si3 = "LocalAlloc" fullword
$se1 = "DllGetClassObject" fullword
condition:
(uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and (uint16(uint32(0x3C)+0x18) == 0x020B) and all of them
}
APT_NK_MAL_M_Hunting_VEILEDSIGNAL_5
Detects VEILEDSIGNAL malware
rule APT_NK_MAL_M_Hunting_VEILEDSIGNAL_5 {
meta:
description = "Detects VEILEDSIGNAL malware"
author = "Mandiant"
score = 75
disclaimer = "This rule is meant for hunting and is not tested to run in a production environment"
hash1 = "6727284586ecf528240be21bb6e97f88"
reference = "https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise"
date = "2023-04-20"
id = "7d0718fc-4f1c-5293-8dc4-81a5783fbfb2"
strings:
$sb1 = { 48 8D 15 [4] 48 8D 4C 24 4C E8 [4] 85 C0 74 ?? 48 8D 15 [4] 48 8D 4C 24 4C E8 [4] 85 C0 74 ?? 48 8D 15 [4] 48 8D 4C 24 4C E8 [4] 85 C0 74 ?? 48 8D [3] 48 8B CB FF 15 [4] EB }
$ss1 = "chrome.exe" wide fullword
$ss2 = "firefox.exe" wide fullword
$ss3 = "msedge.exe" wide fullword
$ss4 = "\\\\.\\pipe\\*" ascii fullword
$ss5 = "FindFirstFileA" ascii fullword
$ss6 = "Process32FirstW" ascii fullword
$ss7 = "RtlAdjustPrivilege" ascii fullword
$ss8 = "GetCurrentProcess" ascii fullword
$ss9 = "NtWaitForSingleObject" ascii fullword
condition:
(uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and (uint16(uint32(0x3C)+0x18) == 0x020B) and all of them
}
APT_NK_MAL_M_Hunting_VEILEDSIGNAL_6
Detects VEILEDSIGNAL malware
rule APT_NK_MAL_M_Hunting_VEILEDSIGNAL_6 {
meta:
description = "Detects VEILEDSIGNAL malware"
author = "Mandiant"
score = 75
disclaimer = "This rule is meant for hunting and is not tested to run in a production environment"
hash1 = "00a43d64f9b5187a1e1f922b99b09b77"
reference = "https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise"
date = "2023-04-20"
id = "2cbedbc0-d465-5674-bf9c-9362003eb8d2"
strings:
$ss1 = "C:\\Programdata\\" wide
$ss2 = "devobj.dll" wide fullword
$ss3 = "msvcr100.dll" wide fullword
$ss4 = "TpmVscMgrSvr.exe" wide fullword
$ss5 = "\\Microsoft\\Windows\\TPM" wide fullword
$ss6 = "CreateFileW" ascii fullword
condition:
(uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and (uint16(uint32(0x3C)+0x18) == 0x010B) and all of them
}
APT_NK_Methodology_Artificial_UserAgent_IE_Win7
Detects hard-coded User-Agent string that has been present in several APT37 malware families.
rule APT_NK_Methodology_Artificial_UserAgent_IE_Win7 {
meta:
author = "Steve Miller aka @stvemillertime"
description = "Detects hard-coded User-Agent string that has been present in several APT37 malware families."
hash1 = "e63efbf8624a531bb435b7446dbbfc25"
score = 45
id = "a747c908-7af7-5c29-8386-a71db7648061"
strings:
$a1 = "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
$a2 = {4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20 28 57 69 6e 64 6f 77 73 20 4e 54 20 36 2e 31 3b 20 57 4f 57 36 34 3b 20 54 72 69 64 65 6e 74 2f 37 2e 30 3b 20 72 76 3a 31 31 2e 30 29 20 6c 69 6b 65 20 47 65 63 6b 6f 00 00 00 00}
$fp1 = "Esumsoft" wide
$fp2 = "Acunetix" wide ascii
$fp3 = "TASER SYNC" ascii
condition:
uint16(0) == 0x5A4D and all of ($a*) and not 1 of ($fp*)
}
APT_NK_Scarcruft_RUBY_Shellcode_XOR_Routine
Detects Ruby ShellCode XOR routine used by ScarCruft APT group
rule APT_NK_Scarcruft_RUBY_Shellcode_XOR_Routine {
meta:
author = "S2WLAB_TALON_JACK2"
description = "Detects Ruby ShellCode XOR routine used by ScarCruft APT group"
type = "APT"
version = "0.1"
date = "2021-05-20"
reference = "https://medium.com/s2wlab/matryoshka-variant-of-rokrat-apt37-scarcruft-69774ea7bf48"
id = "c393f2db-8ade-5083-9cec-f62f23056f8b"
strings:
/*
8B 4C 18 08 mov ecx, [eax+ebx+8]
C1 C7 0D rol edi, 0Dh
40 inc eax
F6 C7 01 test bh, 1
74 06 jz short loc_D0
81 F7 97 EA AE 78 xor edi, 78AEEA97h
*/
$hex1 = {C1 C7 0D 40 F6 C7 01 74 ?? 81 F7}
/*
41 C1 C2 0D rol r10d, 0Dh
41 8B C2 mov eax, r10d
44 8B CA mov r9d, edx
41 8B CA mov ecx, r10d
41 81 F2 97 EA AE 78 xor r10d, 78AEEA97h
*/
$hex2 = {41 C1 C2 0D 41 8B C2 44 8B CA 41 8B CA 41 81 F2}
condition:
1 of them
}
APT_NK_Scarcruft_evolved_ROKRAT
Detects RokRAT malware used by ScarCruft APT group
rule APT_NK_Scarcruft_evolved_ROKRAT {
meta:
author = "S2WLAB_TALON_JACK2"
description = "Detects RokRAT malware used by ScarCruft APT group"
type = "APT"
version = "0.1"
date = "2021-07-09"
reference = "https://medium.com/s2wlab/matryoshka-variant-of-rokrat-apt37-scarcruft-69774ea7bf48"
id = "53cabf41-0154-5372-b667-60d8a7cb9806"
strings:
/*
0x140130f25 C744242032311223 mov dword ptr [rsp + 0x20], 0x23123132
0x140130f2d C744242434455667 mov dword ptr [rsp + 0x24], 0x67564534
0x140130f35 C744242878899AAB mov dword ptr [rsp + 0x28], 0xab9a8978
0x140130f3d C744242C0CBDCEDF mov dword ptr [rsp + 0x2c], 0xdfcebd0c
0x140130f45 C745F02B7EA516 mov dword ptr [rbp - 0x10], 0x16a57e2b
0x140130f4c C745F428AED2A6 mov dword ptr [rbp - 0xc], 0xa6d2ae28
0x140130f53 C745F8ABF71588 mov dword ptr [rbp - 8], 0x8815f7ab
0x140130f5a C745FC09CF4F3C mov dword ptr [rbp - 4], 0x3c4fcf09
*/
$AES_IV_KEY = {
C7 44 24 ?? 32 31 12 23
C7 44 24 ?? 34 45 56 67
C7 44 24 ?? 78 89 9A AB
C7 44 24 ?? 0C BD CE DF
C7 45 ?? 2B 7E A5 16
C7 45 ?? 28 AE D2 A6
C7 45 ?? AB F7 15 88
C7 45 ?? 09 CF 4F 3C
}
/*
0x14012b637 80E90F sub cl, 0xf
0x14012b63a 80F1C8 xor cl, 0xc8
0x14012b63d 8848FF mov byte ptr [rax - 1], cl
0x14012b640 4883EA01 sub rdx, 1
*/
$url_decode = {
80 E9 0F
80 F1 C8
88 48 ??
48 83 EA 01 }
condition:
uint16(0) == 0x5A4D and
any of them
}
APT_NK_TradingTech_ForensicArtifacts_Apr23_1
Detects forensic artifacts, file names and keywords related to the Trading Technologies compromise UNC4736
rule APT_NK_TradingTech_ForensicArtifacts_Apr23_1 {
meta:
description = "Detects forensic artifacts, file names and keywords related to the Trading Technologies compromise UNC4736"
author = "Florian Roth"
reference = "https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise"
date = "2023-04-20"
modified = "2023-04-21"
score = 60
id = "f79a5321-4f22-52d9-aa83-4aa750ecc036"
strings:
$x1 = "www.tradingtechnologies.com/trading/order-management" ascii wide
$xf1 = "X_TRADER_r7.17.90p608.exe" ascii wide
$xf2 = "\\X_TRADER-ja.mst" ascii wide
$xf3 = "C:\\Programdata\\TPM\\TpmVscMgrSvr.exe" ascii wide
$xf4 = "C:\\Programdata\\TPM\\winscard.dll" ascii wide
$fp1 = "<html"
condition:
not uint16(0) == 0x5025
and 1 of ($x*) and not 1 of ($fp*)
}
APT_PY_BlueLight_Loader
Python Loader used to execute the BLUELIGHT malware family.
rule APT_PY_BlueLight_Loader : InkySquid
{
meta:
author = "[email protected]"
description = "Python Loader used to execute the BLUELIGHT malware family."
date = "2021-06-22"
hash1 = "80269413be6ad51b8b19631b2f5559c9572842e789bbce031babe6e879d2e120"
license = "See license at https://github.com/volexity/threat-intel/LICENSE.txt"
reference = "https://www.volexity.com/blog/2021/08/24/north-korean-bluelight-special-inkysquid-deploys-rokrat/"
id = "f8da3e40-c3b0-5b7f-8ece-81874993d8cd"
strings:
$s1 = "\"\".join(chr(ord(" ascii
$s2 = "import ctypes " ascii
$s3 = "ctypes.CFUNCTYPE(ctypes.c_int)" ascii
$s4 = "ctypes.memmove" ascii
$s5 = "python ended" ascii
condition:
all of them
}
APT_PY_ESXi_Backdoor_Dec22
Detects Python backdoor found on ESXi servers
rule APT_PY_ESXi_Backdoor_Dec22 {
meta:
description = "Detects Python backdoor found on ESXi servers"
author = "Florian Roth"
reference = "https://blogs.juniper.net/en-us/threat-research/a-custom-python-backdoor-for-vmware-esxi-servers"
date = "2022-12-14"
score = 85
id = "f0a3b9b9-0031-5d9f-97f8-70f83863ee63"
strings:
$x1 = "cmd = str(base64.b64decode(encoded_cmd), " ascii
$x2 = "sh -i 2>&1 | nc %s %s > /tmp/" ascii
condition:
filesize < 10KB and 1 of them or all of them
}
APT_RU_APT27_HyperBro_Vftrace_Loader_Jan22_1
YARA rule to detect the first HyperBro loader stage, often called vftrace.dll. Detects the decoding function.
import "pe"
rule APT_RU_APT27_HyperBro_Vftrace_Loader_Jan22_1 {
meta:
description = "YARA rule to detect the first HyperBro loader stage, often called vftrace.dll. Detects the decoding function."
author = "Bundesamt fuer Verfassungsschutz (modified by Florian Roth)"
date = "2022-01-14"
sharing = "TLP:WHITE"
reference = "https://www.verfassungsschutz.de/SharedDocs/publikationen/DE/cyberabwehr/2022-01-bfv-cyber-brief.pdf"
hash1 = "333B52C2CFAC56B86EE9D54AEF4F0FF4144528917BC1AA1FE1613EFC2318339A"
id = "b049e163-2694-5fb9-a3a3-98cc77bcd0ca"
strings:
$decoder_routine = { 8A ?? 41 10 00 00 8B ?? 28 ?? ?? 4? 3B ?? 72 ?? }
condition:
uint16(0) == 0x5a4d and
filesize < 5MB and
$decoder_routine and
pe.exports("D_C_Support_SetD_File")
}
APT_RU_Sandworm_PY_May20_1
Detects Sandworm Python loader
rule APT_RU_Sandworm_PY_May20_1 {
meta:
description = "Detects Sandworm Python loader"
author = "Florian Roth (Nextron Systems)"
reference = "https://twitter.com/billyleonard/status/1266054881225236482"
date = "2020-05-28"
hash1 = "c025008463fdbf44b2f845f2d82702805d931771aea4b506573b83c8f58bccca"
id = "a392d800-1fe8-5ae9-b813-e1dfcedecda6"
strings:
$x1 = "o.addheaders=[('User-Agent','Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko')]" ascii fullword
$s1 = "exec(o.open('http://" ascii
$s2 = "__import__({2:'urllib2',3:'urllib.request'}"
condition:
uint16(0) == 0x6d69 and
filesize < 1KB and
1 of ($x*) or 2 of them
}
APT_RU_Sandworm_PY_May20_2
Detects Sandworm Python loader
rule APT_RU_Sandworm_PY_May20_2 {
meta:
description = "Detects Sandworm Python loader"
author = "Florian Roth (Nextron Systems)"
reference = "https://twitter.com/billyleonard/status/1266054881225236482"
date = "2020-05-28"
hash1 = "abfa83cf54db8fa548942acd845b4f34acc94c46d4e1fb5ce7e97cc0c6596676"
id = "5b32ad64-d959-5632-a03c-17aa055b213f"
strings:
$x1 = "import sys;import re, subprocess;cmd" ascii fullword
$x2 = "UA='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko';server='http"
$x3 = "';t='/admin/get.php';req" ascii
$x4 = "ps -ef | grep Little\\ Snitch | grep " ascii fullword
condition:
uint16(0) == 0x6d69 and
filesize < 2KB and
1 of them
}
APT_SH_CodeCov_Hack_Apr21_1
Detects the Codecov bash uploader tool that was manipulated by an unknown actor during March / April 2021
rule APT_SH_CodeCov_Hack_Apr21_1 {
meta:
description = "Detects the Codecov bash uploader tool that was manipulated by an unknown actor during March / April 2021"
author = "Florian Roth (Nextron Systems)"
reference = "https://about.codecov.io/security-update/"
date = "2021-04-16"
id = "b5fb74c4-073e-53af-a207-1672e63c9a64"
strings:
$a1 = "Global report uploading tool for Codecov"
$s1 = "curl -sm 0.5 -d"
condition:
uint16(0) == 0x2123 and
filesize < 70KB and
all of them
}
APT_SH_ESXi_Backdoor_Dec22
Detects malicious script found on ESXi servers
rule APT_SH_ESXi_Backdoor_Dec22 {
meta:
description = "Detects malicious script found on ESXi servers"
author = "Florian Roth"
reference = "https://blogs.juniper.net/en-us/threat-research/a-custom-python-backdoor-for-vmware-esxi-servers"
date = "2022-12-14"
score = 75
id = "983ac20c-2e61-5365-8849-b3aeb999f909"
strings:
$x1 = "mv /bin/hostd-probe.sh /bin/hostd-probe.sh.1" ascii fullword
$x2 = "/bin/nohup /bin/python -u /store/packages/vmtools.py" ascii
$x3 = "/bin/rm /bin/hostd-probe.sh.1"
condition:
filesize < 10KB and 1 of them
}
APT_SH_Sandworm_Shell_Script_May20_1
Detects shell script used by Sandworm in attack against Exim mail server
rule APT_SH_Sandworm_Shell_Script_May20_1 {
meta:
description = "Detects shell script used by Sandworm in attack against Exim mail server"
author = "Florian Roth (Nextron Systems)"
reference = "https://media.defense.gov/2020/May/28/2002306626/-1/-1/0/CSA%20Sandworm%20Actors%20Exploiting%20Vulnerability%20in%20Exim%20Transfer%20Agent%2020200528.pdf"
date = "2020-05-28"
hash1 = "dc074464e50502459038ac127b50b8c68ed52817a61c2f97f0add33447c8f730"
hash2 = "538d713cb47a6b5ec6a3416404e0fc1ebcbc219a127315529f519f936420c80e"
id = "21cf2c89-5511-5eb6-a2dd-4ad54ebfa2d1"
strings:
$x1 = "echo \"GRANT ALL PRIVILEGES ON * . * TO 'mysqldb'@'localhost';\" >> init-file.txt" ascii fullword
$x2 = "import base64,sys;exec(base64.b64decode({2:str,3:lambda b:bytes(b,'UTF-8')}[sys.version" ascii fullword
$x3 = "sed -i -e '/PasswordAuthentication/s/no/yes/g; /PermitRootLogin/s/no/yes/g;" ascii fullword
$x4 = "useradd -M -l -g root -G root -b /root -u 0 -o mysql_db" ascii fullword
$s1 = "/ip.php?port=${PORT}\"" ascii fullword
$s2 = "sed -i -e '/PasswordAuthentication" ascii fullword
$s3 = "PATH_KEY=/root/.ssh/authorized_keys" ascii fullword
$s4 = "CREATE USER" ascii fullword
$s5 = "crontab -l | { cat; echo" ascii fullword
$s6 = "mysqld --user=mysql --init-file=/etc/opt/init-file.txt --console" ascii fullword
$s7 = "sshkey.php" ascii fullword
condition:
uint16(0) == 0x2123 and
filesize < 20KB and
1 of ($x*) or 4 of them
}
APT_SUSP_NK_3CX_Malicious_Samples_Mar23_1
Detects indicator (event name) found in samples related to 3CX compromise
rule APT_SUSP_NK_3CX_Malicious_Samples_Mar23_1 {
meta:
description = "Detects indicator (event name) found in samples related to 3CX compromise"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/"
date = "2023-03-30"
score = 70
hash1 = "7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896"
hash2 = "59e1edf4d82fae4978e97512b0331b7eb21dd4b838b850ba46794d9c7a2c0983"
hash3 = "aa124a4b4df12b34e74ee7f6c683b2ebec4ce9a8edcf9be345823b4fdcf5d868"
hash4 = "c485674ee63ec8d4e8fde9800788175a8b02d3f9416d0e763360fff7f8eb4e02"
id = "b233846a-19df-579b-a674-233d66824008"
strings:
$a1 = "AVMonitorRefreshEvent" wide fullword
condition:
1 of them
}
APT_SUSP_NK_3CX_RC4_Key_Mar23_1
Detects RC4 key used in 3CX binaries known to be malicious
rule APT_SUSP_NK_3CX_RC4_Key_Mar23_1 {
meta:
description = "Detects RC4 key used in 3CX binaries known to be malicious"
author = "Florian Roth (Nextron Systems)"
date = "2023-03-29"
reference = "https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/"
score = 70
hash1 = "7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896"
hash2 = "59e1edf4d82fae4978e97512b0331b7eb21dd4b838b850ba46794d9c7a2c0983"
hash3 = "aa124a4b4df12b34e74ee7f6c683b2ebec4ce9a8edcf9be345823b4fdcf5d868"
hash4 = "c485674ee63ec8d4e8fde9800788175a8b02d3f9416d0e763360fff7f8eb4e02"
id = "18ea2185-11a1-51ad-a51a-df9e6357bb58"
strings:
$x1 = "3jB(2bsG#@c7"
condition:
( uint16(0) == 0xcfd0 or uint16(0) == 0x5a4d )
and $x1
}
APT_UA_Hermetic_Wiper_Feb22_1
Detects Hermetic Wiper malware
rule APT_UA_Hermetic_Wiper_Feb22_1 {
meta:
description = "Detects Hermetic Wiper malware"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/"
date = "2022-02-24"
score = 75
hash1 = "0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da"
hash2 = "3c557727953a8f6b4788984464fb77741b821991acbf5e746aebdd02615b1767"
hash3 = "2c10b2ec0b995b88c27d141d6f7b14d6b8177c52818687e4ff8e6ecf53adf5bf"
hash4 = "1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591"
id = "2cbe4a69-e31a-5f5f-ab1a-9d71d16fb30f"
strings:
$xc1 = { 00 5C 00 5C 00 2E 00 5C 00 50 00 68 00 79 00 73
00 69 00 63 00 61 00 6C 00 44 00 72 00 69 00 76
00 65 00 25 00 75 00 00 00 5C 00 5C 00 2E 00 5C
00 45 00 50 00 4D 00 4E 00 54 00 44 00 52 00 56
00 5C 00 25 00 75 00 00 00 5C 00 5C 00 2E 00 5C
00 00 00 00 00 25 00 73 00 25 00 2E 00 32 00 73
00 00 00 00 00 24 00 42 00 69 00 74 00 6D 00 61
00 70 00 00 00 24 00 4C 00 6F 00 67 00 46 00 69
00 6C 00 65 }
$sc1 = { 00 44 00 72 00 69 00 76 00 65 00 72 00 73 00 00
00 64 00 72 00 76 00 00 00 53 00 79 00 73 00 74
00 65 00 6D 00 33 00 32 }
$s1 = "\\\\?\\C:\\Windows\\System32\\winevt\\Logs" wide fullword
$s2 = "\\\\.\\EPMNTDRV\\%u" wide fullword
$s3 = "DRV_XP_X64" wide fullword
$s4 = "%ws%.2ws" wide fullword
$op1 = { 8b 7e 08 0f 57 c0 8b 46 0c 83 ef 01 66 0f 13 44 24 20 83 d8 00 89 44 24 18 0f 88 3b 01 00 00 }
$op2 = { 13 fa 8b 55 f4 4e 3b f3 7f e6 8a 45 0f 01 4d f0 0f 57 c0 }
condition:
( uint16(0) == 0x5a53 or uint16(0) == 0x5a4d ) and
filesize < 400KB and ( 1 of ($x*) or 3 of them )
}
APT_UA_Hermetic_Wiper_Scheduled_Task_Feb22_1
Detects scheduled task pattern found in Hermetic Wiper malware related intrusions
rule APT_UA_Hermetic_Wiper_Scheduled_Task_Feb22_1 {
meta:
description = "Detects scheduled task pattern found in Hermetic Wiper malware related intrusions"
author = "Florian Roth (Nextron Systems)"
reference = "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia"
date = "2022-02-25"
score = 85
id = "a628f773-9c71-5979-a4db-37b6b6bd6a56"
strings:
$a0 = "<Task version=" ascii wide
$sa1 = "CSIDL_SYSTEM_DRIVE\\temp" ascii wide
$sa2 = "postgresql.exe 1> \\\\127.0.0.1\\ADMIN$" ascii wide
$sa3 = "cmd.exe /Q /c move CSIDL_SYSTEM_DRIVE" ascii wide
condition:
$a0 and 1 of ($s*)
}
CN_APT_ZeroT_extracted_Go
Chinese APT by Proofpoint ZeroT RAT - file Go.exe
rule CN_APT_ZeroT_extracted_Go {
meta:
description = "Chinese APT by Proofpoint ZeroT RAT - file Go.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx"
date = "2017-02-04"
modified = "2023-01-06"
hash1 = "83ddc69fe0d3f3d2f46df7e72995d59511c1bfcca1a4e14c330cb71860b4806b"
id = "ba929e6d-4162-58e7-b8a8-bcb066b64522"
strings:
$x1 = "%s\\cmd.exe /c %s\\Zlh.exe" fullword ascii
$x2 = "\\BypassUAC.VS2010\\Release\\" ascii
$s1 = "Zjdsf.exe" fullword ascii
$s2 = "SS32prep.exe" fullword ascii
$s3 = "windowsgrep.exe" fullword ascii
$s4 = "Sysdug.exe" fullword ascii
$s5 = "Proessz.exe" fullword ascii
$s6 = "%s\\Zlh.exe" fullword ascii
$s7 = "/C %s\\%s" fullword ascii
condition:
( uint16(0) == 0x5a4d and filesize < 100KB and ( 1 of ($x*) or 3 of ($s*) ) ) or ( 7 of them )
}
CN_APT_ZeroT_extracted_Mcutil
Chinese APT by Proofpoint ZeroT RAT - file Mcutil.dll
rule CN_APT_ZeroT_extracted_Mcutil {
meta:
description = "Chinese APT by Proofpoint ZeroT RAT - file Mcutil.dll"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx"
date = "2017-02-04"
hash1 = "266c06b06abbed846ebabfc0e683f5d20dadab52241bc166b9d60e9b8493b500"
id = "c887d36b-8aeb-54f1-a683-727561723238"
strings:
$s1 = "LoaderDll.dll" fullword ascii
$s2 = "QageBox1USER" fullword ascii
$s3 = "xhmowl" fullword ascii
$s4 = "?KEYKY" fullword ascii
$s5 = "HH:mm:_s" fullword ascii
$s6 = "=licni] has maX0t" fullword ascii
condition:
( uint16(0) == 0x5a4d and filesize < 90KB and 3 of them ) or ( all of them )
}
CN_APT_ZeroT_extracted_Zlh
Chinese APT by Proofpoint ZeroT RAT - file Zlh.exe
rule CN_APT_ZeroT_extracted_Zlh {
meta:
description = "Chinese APT by Proofpoint ZeroT RAT - file Zlh.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx"
date = "2017-02-04"
hash1 = "711f0a635bbd6bf1a2890855d0bd51dff79021db45673541972fe6e1288f5705"
id = "4c8b9a90-6cb3-5aba-a993-f73207341d0e"
strings:
$s1 = "nflogger.dll" fullword wide
$s2 = "%s %d: CreateProcess('%s', '%s') failed. Windows error code is 0x%08x" fullword ascii
$s3 = "_StartZlhh(): Executed \"%s\"" ascii
$s4 = "Executable: '%s' (%s) %i" fullword ascii
condition:
( uint16(0) == 0x5a4d and filesize < 300KB and 3 of them )
}
CN_APT_ZeroT_nflogger
Chinese APT by Proofpoint ZeroT RAT - file nflogger.dll
rule CN_APT_ZeroT_nflogger {
meta:
description = "Chinese APT by Proofpoint ZeroT RAT - file nflogger.dll"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx"
date = "2017-02-04"
hash1 = "946adbeb017616d56193a6d43fe9c583be6ad1c7f6a22bab7df9db42e6e8ab10"
id = "0d23f312-e3b6-5c23-855b-25ae54265512"
strings:
$x1 = "\\LoaderDll.VS2010\\Release\\" ascii
condition:
( uint16(0) == 0x5a4d and filesize < 200KB and all of them )
}
CN_Actor_AmmyyAdmin
Detects Ammyy Admin Downloader
rule CN_Actor_AmmyyAdmin {
meta:
description = "Detects Ammyy Admin Downloader"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Internal Research - CN Actor"
date = "2017-06-22"
score = 60
hash1 = "1831806fc27d496f0f9dcfd8402724189deaeb5f8bcf0118f3d6484d0bdee9ed"
id = "08ffb61a-e2de-538e-9d9f-040276324af9"
strings:
$x2 = "\\Ammyy\\sources\\main\\Downloader.cpp" ascii
condition:
( uint16(0) == 0x5a4d and filesize < 2000KB and all of them )
}
CN_Actor_RA_Tool_Ammyy_mscorsvw
Detects Ammyy remote access tool
rule CN_Actor_RA_Tool_Ammyy_mscorsvw {
meta:
description = "Detects Ammyy remote access tool"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Internal Research - CN Actor"
date = "2017-06-22"
hash1 = "1831806fc27d496f0f9dcfd8402724189deaeb5f8bcf0118f3d6484d0bdee9ed"
hash2 = "d9ec0a1be7cd218042c54bfbc12000662b85349a6b78731a09ed336e5d3cf0b4"
id = "71a0c5a9-b4dc-508d-a6b7-4b85b75bc34b"
strings:
$s1 = "Please enter password for accessing remote computer" fullword ascii
$s2 = "Die Zugriffsanforderung wurde vom Remotecomputer abgelehnt" fullword ascii
$s3 = "It will automatically be run the next time this computer is restart or you can start it manually" fullword ascii
condition:
( uint16(0) == 0x5a4d and filesize < 4000KB and 3 of them )
}
CN_GUI_Scanner
Detects an unknown GUI scanner tool - CN background
rule CN_GUI_Scanner {
meta:
description = "Detects an unknown GUI scanner tool - CN background"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
hash = "3c67bbb1911cdaef5e675c56145e1112"
score = 65
date = "04.10.2014"
id = "ca88d4d3-5d18-5856-874f-e50deceef54f"
strings:
$s1 = "good.txt" fullword ascii
$s2 = "IP.txt" fullword ascii
$s3 = "xiaoyuer" fullword ascii
$s0w = "ssh(" wide
$s1w = ").exe" fullword wide
condition:
all of them
}
CN_Hacktool_1433_Scanner
Detects a Chinese MSSQL scanner
rule CN_Hacktool_1433_Scanner {
meta:
description = "Detects a Chinese MSSQL scanner"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
score = 40
date = "12.10.2014"
id = "77712d29-1a32-59e7-999a-a2ef02212886"
strings:
$s0 = "1433" wide fullword
$s1 = "1433V" wide
$s2 = "del Weak1.txt" ascii fullword
$s3 = "del Attack.txt" ascii fullword
$s4 = "del /s /Q C:\\Windows\\system32\\doors\\" ascii
$s5 = "!&start iexplore http://www.crsky.com/soft/4818.html)" fullword ascii
condition:
uint16(0) == 0x5a4d and all of ($s*)
}
CN_Hacktool_1433_Scanner_Comp2
Detects a Chinese MSSQL scanner - component 2
rule CN_Hacktool_1433_Scanner_Comp2 {
meta:
description = "Detects a Chinese MSSQL scanner - component 2"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
score = 40
date = "12.10.2014"
id = "7d707be5-dad0-5d91-965b-908a8603b6c0"
strings:
$s0 = "1433" wide fullword
$s1 = "1433V" wide
$s2 = "UUUMUUUfUUUfUUUfUUUfUUUfUUUfUUUfUUUfUUUfUUUfUUUMUUU" ascii fullword
condition:
uint16(0) == 0x5a4d and all of ($s*)
}
CN_Hacktool_BAT_PortsOpen
Detects a Chinese BAT hacktool for local port evaluation
rule CN_Hacktool_BAT_PortsOpen {
meta:
description = "Detects a Chinese BAT hacktool for local port evaluation"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
score = 60
date = "12.10.2014"
id = "55c3f678-ba70-5a4a-b288-9d0953eff968"
strings:
$s0 = "for /f \"skip=4 tokens=2,5\" %%a in ('netstat -ano -p TCP') do (" ascii
$s1 = "in ('tasklist /fi \"PID eq %%b\" /FO CSV') do " ascii
$s2 = "@echo off" ascii
condition:
all of them
}