
YARA rules for Elise

3 rules · scoped to this tool
YARA rules whose family, name, or description matches this tool or its tooling. Use these for binary-pattern hunts.

Match: direct · Family: Elise
Elise_Jan18_1
Detects Elise malware samples - fake Norton Security NavShExt.dll
Author: Florian Roth (Nextron Systems) · License: see source repo
import "pe"   // needed for pe.imphash() in the condition below

rule Elise_Jan18_1 {
   meta:
      description = "Detects Elise malware samples - fake Norton Security NavShExt.dll"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://twitter.com/blu3_team/status/955971742329135105"
      date = "2018-01-24"
      hash1 = "6dc2a49d58dc568944fef8285ad7a03b772b9bdf1fe4bddff3f1ade3862eae79"
      id = "8e4f4ec8-5d31-5990-8c14-861423571a79"
   strings:
      $s1 = "NavShExt.dll" fullword wide
      $s2 = "Norton Security" fullword wide

      $a1 = "donotbotherme" fullword ascii
   condition:
      uint16(0) == 0x5a4d and filesize < 250KB and (   // MZ header, small PE
        pe.imphash() == "e9478ee4ebf085d1f14f64ba96ef082f" or
        ( 1 of ($s*) and $a1 )
      )
}
Match: direct · Family: COZY
COZY_FANCY_BEAR_pagemgr_Hunt
Detects a pagemgr.exe as mentioned in the CrowdStrike report
Author: Florian Roth (Nextron Systems) · License: see source repo
rule COZY_FANCY_BEAR_pagemgr_Hunt {
	meta:
		description = "Detects a pagemgr.exe as mentioned in the CrowdStrike report"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/"
		date = "2016-06-14"
		id = "3c5c8843-81ba-510c-82ed-4b6e2286bdb2"
	strings:
		$s1 = "pagemgr.exe" wide fullword
	condition:
		uint16(0) == 0x5a4d and 1 of them   // MZ header and the pagemgr.exe string
}
Match: direct · Family: gen
gen_suspicious_InPage_dropper
License: see source repo
rule gen_suspicious_InPage_dropper
{
    meta:
        hash1 = "013417bd5465d6362cd43c70015c7a74a1b8979785b842b7cfa543cb85985852"
        hash2 = "1d1e7a6175e6c514aaeca8a43dabefa017ddc5b166ccb636789b6a767181a022"
        hash3 = "bd293bdf3be0a44a92bdb21e5fa75c124ad1afed3c869697bf90c9732af0e994"
        hash4 = "d8edf3e69f006f85b9ee4e23704cd5e95e895eb286f9b749021d090448493b6f"
        url1 = "https://cloudblogs.microsoft.com/microsoftsecure/2018/11/08/attack-uses-malicious-inpage-document-and-outdated-vlc-media-player-to-give-attackers-backdoor-access-to-targets/"
        url2 = "https://twitter.com/Ahmedfshosha/status/1138138981521154049"
        id = "9144711a-e6ee-5c97-a5f4-3f6df1d630dc"
    strings:
        $s1 = "InPage Arabic Document"
        $c1 = {31 06 83 c6 04 e2 }            // code fragment 1
        $c2 = {90 90 90 90 90 90 90 e8 fb }   // code fragment 2 (NOP sled then call)
    condition:
        filesize < 3MB
        and uint32be(0) == 0xD0CF11E0      // OLE compound document magic
        and $s1
        and 1 of ($c*)
}
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin