YARA rules for Epic
YARA rules whose family, name, or description matches this tool or its tooling. Use these for binary-pattern hunts.
rule EQGRP_epicbanana_2_1_0_1 {
    meta:
        description = "EQGRP Toolset Firewall - file epicbanana_2.1.0.1.py"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Research"
        date = "2016-08-16"
        hash1 = "4b13cc183c3aaa8af43ef3721e254b54296c8089a0cd545ee3b867419bb66f61"
        id = "cc3346bd-0347-5cf3-b946-5c017d68d93e"
    strings:
        // Presumably operator-facing error text from the script named in the description.
        // fullword: the match must be bounded by non-alphanumeric characters on both sides.
        $s1 = "failed to create version-specific payload" fullword ascii
        // The escaped double quotes are part of the matched bytes.
        $s2 = "(are you sure you did \"make [version]\" in versions?)" fullword ascii
    condition:
        // Text-only rule with no magic or filesize guard: a single string hit is enough.
        any of them
}
rule FVEY_ShadowBroker_user_tool_epichero {
    meta:
        description = "Auto-generated rule - file user.tool.epichero.COMMON"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://bit.no.com:43110/theshadowbrokers.bit/post/message6/"
        date = "2016-12-17"
        hash1 = "679d194c32cbaead7281df9afd17bca536ee9d28df917b422083ae8ed5b5c484"
        id = "b1ca04e5-bac7-5247-b2d4-82c3515c92fc"
    strings:
        // Placeholder-style usage text (UPPER_CASE tokens) from the documented ops file.
        // No modifiers: plain ascii match, not fullword, so it also hits inside longer tokens.
        $x2 = "-irtun TARGET_IP ISH_CALLBACK_PORT"
        $x3 = "-O REVERSE_SHELL_CALLBACK_PORT -w HIDDEN_DIR" fullword ascii
    condition:
        // Either usage fragment alone is treated as a match; there is no file-type guard.
        any of them
}
rule Empire_ReflectivePick_x64_orig {
    meta:
        description = "Detects Empire component - file ReflectivePick_x64_orig.dll"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        modified = "2022-12-21"
        hash1 = "a8c1b108a67e7fc09f81bd160c3bafb526caf3dbbaf008efb9a96f4151756ff2"
        id = "cd69a149-d881-5f93-9647-84241bd96ba5"
    strings:
        // $a*: build artefacts of the embedded runner — a PDB path fragment (ascii, "\\" is one backslash)
        // and the module name as a UTF-16LE (wide) string.
        $a1 = "\\PowerShellRunner.pdb" ascii
        $a2 = "PowerShellRunner.dll" fullword wide
        // $s1: the component name itself; required in addition to one of the $a* artefacts.
        $s1 = "ReflectivePick" fullword ascii
    condition:
        // "MZ" DOS signature read big-endian so the constant spells the ASCII bytes,
        // then a size cap, then one artefact string plus the component name.
        uint16be(0) == 0x4D5A and filesize < 400KB and any of ($a*) and $s1
}
rule RUAG_Tavdig_Malformed_Executable {
    meta:
        description = "Detects an embedded executable with a malformed header - known from Tavdig malware"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://goo.gl/N5MEj0"
        score = 60
        id = "da6357d4-0cdb-5f30-9919-59858963cc41"
    condition:
        // "MZ" DOS signature (bytes 4D 5A), read big-endian so the constant reads as ASCII.
        uint16be(0) == 0x4D5A and
        // e_lfanew is the little-endian offset at 0x3C; a well-formed PE has "PE\0\0" there.
        // This rule instead wants the bytes 0B AD 00 00 at that offset (the "0xbad" marker from
        // the original comment). uint32be reads them in file order so the constant shows the bytes.
        // On a file too short for either read the value is undefined and the rule does not match.
        uint32be(uint32(0x3C)) == 0x0BAD0000
}
rule WaterBug_wipbot_2013_core_PDF {
    meta:
        description = "Symantec Waterbug Attack - Trojan.Wipbot 2014 core PDF"
        author = "Symantec Security Response"
        date = "22.01.2015"
        reference = "http://t.co/rF35OaAXrl"
        // NOTE(review): this id is identical to the one on WaterBug_wipbot_2013_core further down
        // this page; ids are presumably meant to be unique per rule — confirm against upstream.
        id = "2e8ccce9-d8ba-573d-b532-76d8e2ed5442"
    strings:
        // Two repeating token patterns ('+', one letter, '.', then a fixed run of spaces, '_' and '$').
        // They are counted, not merely required to exist (see #a / #b below).
        $a = /\+[A-Za-z]{1}\. _ _ \$\+[A-Za-z]{1}\. _ \$ _ \+/
        $b = /\+[A-Za-z]{1}\.\$\$\$ _ \+/
    condition:
        // "%PDF" magic (bytes 25 50 44 46), read big-endian so the constant spells the ASCII,
        // plus high occurrence counts so isolated coincidental hits do not fire the rule.
        uint32be(0) == 0x25504446 and #a > 150 and #b > 200
}
rule WaterBug_wipbot_2013_dll {
    meta:
        description = "Symantec Waterbug Attack - Trojan.Wipbot 2014 Down.dll component"
        author = "Symantec Security Response"
        date = "22.01.2015"
        reference = "http://t.co/rF35OaAXrl"
        id = "2aae09a3-6e59-5951-941e-c1f82aada979"
    strings:
        // printf-style URI format fragment
        $string1 = "/%s?rank=%s"
        // Three adjacent NUL-terminated names; \x00 is a literal zero byte in the pattern
        $string2 = "ModuleStart\x00ModuleStop\x00start"
        // GUID-like fragment (shorter than a full GUID)
        $string3 = "1156fd22-3443-4344-c4ffff"
        // Decoded: "read file... error" followed by two NUL bytes (\x20 = space, \x2E = '.')
        $string4 = "read\x20file\x2E\x2E\x2E\x20error\x00\x00"
    condition:
        // No magic or filesize guard; any two of the four strings together are treated as a match.
        2 of ($string*)
}
rule WaterBug_wipbot_2013_core {
    meta:
        // NOTE(review): "core + core;" in the description looks like an upstream typo; left as-is.
        description = "Symantec Waterbug Attack - Trojan.Wipbot core + core; garbage appended data (PDF Exploit leftovers) + wipbot dropper; fake AdobeRd32 Error"
        author = "Symantec Security Response"
        date = "2015-01-22"
        modified = "2023-01-27"
        reference = "http://t.co/rF35OaAXrl"
        // NOTE(review): this id is identical to the one on WaterBug_wipbot_2013_core_PDF above on
        // this page; ids are presumably meant to be unique per rule — confirm against upstream.
        id = "2e8ccce9-d8ba-573d-b532-76d8e2ed5442"
    strings:
        // Fixed byte sequence, no wildcards.
        $code1 = { 89 47 0C C7 47 10 90 C2 04 00 C7 47 14 90 C2 10 00 C7 47 18 90 90 60 68 89 4F 1C C7 47 20 90 90 90 B8 89 4F 24 C7 47 28 90 FF D0 61 C7 47 2C 90 C2 04 00 }
        // "??" is a single wildcard byte; here four of them leave a 32-bit immediate unconstrained.
        $code2 = { 85 C0 75 25 8B 0B BF ?? ?? ?? ?? EB 17 69 D7 0D 66 19 00 8D BA 5F F3 6E 3C 89 FE C1 EE 10 89 F2 30 14 01 40 3B 43 04 72 E4 }
        // $code3 and $code4 are only meaningful together (see condition).
        $code3 = { 90 90 90 ?? B9 00 4D 5A 90 00 03 00 00 00 82 04 }
        $code4 = { 55 89 E5 5D C3 55 89 E5 83 EC 18 8B 45 08 85 C0 }
    condition:
        // "MZ" DOS signature read big-endian so the constant spells the ASCII bytes;
        // then either of the standalone code patterns, or the $code3/$code4 pair.
        uint16be(0) == 0x4D5A and ($code1 or $code2 or ($code3 and $code4))
}