YARA rules for pwdump
YARA rules whose family, name, or description matches this tool or its supporting tooling. Use them for binary-pattern hunts.
rule EquationGroup_pwdump_Implant {
    // Targets the EquationGroup pwdump_Implant.dll sample listed in hash1.
    // Two of the three strings are MSVC RTTI type-descriptor names and are
    // generic on their own; the rule relies on the conjunction of all three
    // plus the PE header and the small size bound to stay specific.
    meta:
        description = "EquationGroup Malware - file pwdump_Implant.dll"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://goo.gl/tcSoiJ"
        date = "2017-01-13"
        hash1 = "dfd5768a4825d1c7329c2e262fde27e2b3d9c810653585b058fcf9efa9815964"
        id = "55984c20-539e-5e51-b3c4-caa6157c993d"
    strings:
        // Mangled RTTI class names; ASCII, whole-token only.
        $s1 = ".?AVFeFinallyFailure@@" fullword ascii
        $s8 = ".?AVFeFinallySuccess@@" fullword ascii
        // Kernel driver path as a UTF-16 string (wide only, no ascii form).
        $s3 = "\\system32\\win32k.sys" wide
    condition:
        // MZ header, under 100KB, and every string present.
        uint16(0) == 0x5a4d
        and filesize < 100KB
        and $s1 and $s8 and $s3
}
rule EquationGroup_pwdump_Lp {
    // Targets the EquationGroup pwdump_Lp.dll sample listed in hash1.
    // Single-indicator rule: the only string is a UTF-16 error banner, so the
    // PE header and size gate are what keep it from firing on arbitrary text
    // that happens to contain the banner.
    meta:
        description = "EquationGroup Malware - file pwdump_Lp.dll"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://goo.gl/tcSoiJ"
        date = "2017-01-13"
        hash1 = "fda57a2ba99bc610d3ff71b2d0ea2829915eabca168df99709a8fdd24288c5e5"
        id = "6f356f13-9ec1-5dd9-91b2-6a3071398e81"
    strings:
        // Error banner, UTF-16 encoded only.
        $x1 = "PWDUMP - - ERROR - -" wide
    condition:
        // MZ header, under 300KB, and the banner present
        // (equivalent to "all of them" with a single string).
        uint16(0) == 0x5a4d
        and filesize < 300KB
        and $x1
}
rule PwDump {
    // Broad pwdump6 catch-all: no PE header check and no filesize bound, and a
    // single string suffices. That makes it fire on any file type that carries
    // the usage or version text (scripts, notes, memory dumps), which is why
    // the score is only 70. PwDump_B in this set covers the same usage and
    // version lines with a tighter, PE-gated condition.
    meta:
        description = "PwDump 6 variant"
        author = "Marc Stroebel"
        date = "2014-04-24"
        score = 70
        id = "e557e548-53e8-5098-93d4-8e899384e67c"
    strings:
        // $s5 and $s6 are cut at 80 characters (string-extractor limit), so
        // they deliberately carry no "fullword": the text continues after the
        // last character and a word-boundary requirement would never match.
        $s5 = "Usage: %s [-x][-n][-h][-o output_file][-u user][-p password][-s share] machineNa"
        $s6 = "Unable to query service status. Something is wrong, please manually check the st"
        // Complete version banner, hence "fullword" is safe here.
        $s7 = "pwdump6 Version %s by fizzgig and the mighty group at foofus.net" fullword
    condition:
        // Any one string is enough (same as "1 of them").
        any of them
}
rule PwDump_B {
    // pwdump6 binary (PwDump.exe). Two independent ways to match:
    //   1. a PE under 400KB carrying any one of the high-confidence $x strings
    //      (usage text, version banner, option help, remote-cleanup error), or
    //   2. any three of the seven strings regardless of file type or size,
    //      which lets the $s file names (companion component names shipped
    //      alongside the tool) contribute without each being decisive alone.
    meta:
        description = "Detects a tool used by APT groups - file PwDump.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "http://goo.gl/igxLyF"
        date = "2016-09-08"
        hash1 = "3c796092f42a948018c3954f837b4047899105845019fce75a6e82bc99317982"
        id = "aad974f1-76bf-5aae-8376-a4fd3f27b345"
    strings:
        // High-confidence text from the tool itself.
        $x1 = "Usage: %s [-x][-n][-h][-o output_file][-u user][-p password][-s share] machineName" fullword ascii
        $x2 = "pwdump6 Version %s by fizzgig and the mighty group at foofus.net" fullword ascii
        $x3 = "where -x targets a 64-bit host" fullword ascii
        $x4 = "Couldn't delete target executable from remote machine: %d" fullword ascii
        // Component file names; weak individually, used only in the 3-of-7 branch.
        $s1 = "lsremora64.dll" fullword ascii
        $s2 = "lsremora.dll" fullword ascii
        $s3 = "servpw.exe" fullword ascii
    condition:
        (
            uint16(0) == 0x5a4d
            and filesize < 400KB
            and any of ($x*)
        )
        or 3 of them
}
rule MAL_Unknown_PWDumper_Apr18_3 {
    // Unattributed password-dumper sample set (two hashes). All six strings
    // must be present in a PE under 3000KB; the large size bound suggests the
    // samples are sizeable packages rather than a bare dumper.
    meta:
        description = "Detects sample from unknown sample set - IL origin"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Internal Research"
        date = "2018-04-06"
        hash1 = "d435e7b6f040a186efeadb87dd6d9a14e038921dc8b8658026a90ae94b4c8b05"
        hash2 = "8c35c71838f34f7f7a40bf06e1d2e14d58d9106e6d4e6f6e9af732511a126276"
        id = "2431d562-dcd8-5d21-8406-7d2567b6eca9"
    strings:
        // Loader DLL name, with and without extension (ASCII).
        $s1 = "loaderx86.dll" fullword ascii
        $s5 = "loaderx86" fullword ascii
        // Windows service host name and two folder placeholders, UTF-16.
        // NOTE(review): the "%..., ... FOLDER%" form looks like an installer
        // path macro rather than a runtime path — confirm against the samples.
        $s2 = "tcpsvcs.exe" fullword wide
        $s3 = "%Program Files, Common FOLDER%" fullword wide
        $s4 = "%AllUsers, ApplicationData FOLDER%" fullword wide
        // Class-style name ending in '$'; ASCII.
        $s6 = "TNtDllHook$" fullword ascii
    condition:
        uint16(0) == 0x5a4d
        and filesize < 3000KB
        and $s1 and $s2 and $s3 and $s4 and $s5 and $s6
}
rule QuarksPwDump_Gen {
    // Generic QuarksPWDump detection across the seven hashed builds. There is
    // no PE header or filesize gate, so it also fires on memory images and
    // carved fragments; specificity comes from requiring all four strings,
    // two of which are the tool's distinctive error messages and one the
    // SAM dump file-name pattern.
    meta:
        description = "Detects all QuarksPWDump versions"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        date = "2015-09-29"
        score = 80
        hash1 = "2b86e6aea37c324ce686bd2b49cf5b871d90f51cec24476daa01dd69543b54fa"
        hash2 = "87e4c76cd194568e65287f894b4afcef26d498386de181f568879dde124ff48f"
        hash3 = "a59be92bf4cce04335bd1a1fcf08c1a94d5820b80c068b3efe13e2ca83d857c9"
        hash4 = "c5cbb06caa5067fdf916e2f56572435dd40439d8e8554d3354b44f0fd45814ab"
        hash5 = "677c06db064ee8d8777a56a641f773266a4d8e0e48fbf0331da696bea16df6aa"
        hash6 = "d3a1eb1f47588e953b9759a76dfa3f07a3b95fab8d8aa59000fd98251d499674"
        hash7 = "8a81b3a75e783765fe4335a2a6d1e126b12e09380edc4da8319efd9288d88819"
        id = "7de4f59e-6cf5-5ad7-ae1f-8532d9e80c9e"
    strings:
        // Token-handling error messages as printed by the tool.
        $s1 = "OpenProcessToken() error: 0x%08X" fullword ascii
        $s3 = "AdjustTokenPrivileges() error: 0x%08X" fullword ascii
        // Summary line; short, so it only counts together with the others.
        $s2 = "%d dumped" fullword ascii
        // Output file-name format; no "fullword" because it is a path suffix.
        $s4 = "\\SAM-%u.dmp" ascii
    condition:
        $s1 and $s2 and $s3 and $s4
}
rule CN_Honker_Pwdump7_Pwdump7 {
    // Launcher batch file (Pwdump7.bat) from the disclosed CN Honker toolset.
    // Matches on the single command line that runs the dumper and redirects
    // its output to pass.txt; the 1KB bound restricts it to tiny scripts, so
    // it will not flag larger files that merely quote the same command.
    meta:
        description = "Script from disclosed CN Honker Pentest Toolset - file Pwdump7.bat"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "67d0e215c96370dcdc681bb2638703c2eeea188a"
        id = "baf6ced6-4298-5453-a020-a384c923584c"
    strings:
        $s1 = "Pwdump7.exe >pass.txt" fullword ascii /* PEStudio Blacklist: strings */
    condition:
        // Only the size gate and the one string (same as "all of them").
        filesize < 1KB and $s1
}
rule CN_Honker_HASH_PwDump7 {
    // PwDump7.exe binary from the disclosed CN Honker toolset. All four
    // strings are required in a PE under 380KB: the SAM hive path format,
    // two error messages, and the placeholder the tool prints for accounts
    // without a password.
    meta:
        description = "Sample from CN Honker Pentest Toolset - file PwDump7.exe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "93a2d7c3a9b83371d96a575c15fe6fce6f9d50d3"
        id = "d61a1ac3-7c8a-5de2-a5a8-2a043b73f3b3"
    strings:
        // Path format string for the SAM hive.
        $s1 = "%s\\SYSTEM32\\CONFIG\\SAM" fullword ascii /* PEStudio Blacklist: strings */
        // Error messages.
        $s2 = "No Users key!" fullword ascii /* PEStudio Blacklist: strings */
        $s4 = "Unable to dump file %S" fullword ascii /* PEStudio Blacklist: strings */
        // Output marker for empty-password accounts.
        $s3 = "NO PASSWORD*********************:" fullword ascii /* PEStudio Blacklist: strings */
    condition:
        uint16(0) == 0x5a4d
        and filesize < 380KB
        and $s1 and $s2 and $s3 and $s4
}