
YARA rules for Volgmer

2 rules, scoped to this tool.
YARA rules whose family, name, or description matches Volgmer or its tooling. Use these for binary-pattern hunts over files and memory images; both rules below gate on PE header fields, so they are meant for scanning executables rather than network captures or logs.

YARA rules

TA17_318B_volgmer
Malformed User Agent in Volgmer malware
author: US CERT · license: see source repo
rule TA17_318B_volgmer {
   meta:
      description = "Malformed User Agent in Volgmer malware"
      author = "US CERT"
      reference = "https://www.us-cert.gov/ncas/alerts/TA17-318B"
      date = "2017-11-15"
      id = "20a7f64b-0fee-5235-ac91-2fc811497ac6"
   strings:
      $s = "Mozillar/"
   condition:
      ( uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550 ) and $s
}
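To make the condition above concrete, here is an added example (not part of TA17-318B or of this page's data) that re-implements the TA17_318B_volgmer condition in pure Python and runs it over constructed samples. It shows why `uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550` matters: the "Mozillar/" string alone would also fire on a plain HTTP capture or a truncated MZ stub, but the rule only matches a file whose DOS header points at a real "PE" signature. The sample blobs, the `build_pe_stub` helper and the function names are assumptions for illustration; if yara-python is installed, `yara_cross_check` runs the real rule text for comparison, otherwise it returns None.

```python
"""Pure-Python mirror of the TA17_318B_volgmer condition, run over constructed samples.

Added example: the helper names and sample bytes below are assumptions for
illustration, not artifacts from the US-CERT alert.
"""
import struct

# The $s string from the rule.
UA_MARKER = b"Mozillar/"

# Rule text as published (meta omitted), used only for the optional yara-python cross-check.
RULE_TA17_318B = r'''
rule TA17_318B_volgmer {
   strings:
      $s = "Mozillar/"
   condition:
      ( uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550 ) and $s
}
'''


def uint16(data: bytes, offset: int):
    """YARA's uint16(): little-endian 16-bit read; None when the read is out of range."""
    if offset < 0 or offset + 2 > len(data):
        return None
    return struct.unpack_from("<H", data, offset)[0]


def uint32(data: bytes, offset: int):
    """YARA's uint32(): little-endian 32-bit read; None when the read is out of range."""
    if offset < 0 or offset + 4 > len(data):
        return None
    return struct.unpack_from("<I", data, offset)[0]


def is_pe(data: bytes) -> bool:
    """Mirror of `uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550`."""
    if uint16(data, 0) != 0x5A4D:          # "MZ" DOS magic
        return False
    e_lfanew = uint32(data, 0x3C)          # offset of the PE signature
    if e_lfanew is None:
        return False
    return uint16(data, e_lfanew) == 0x4550  # "PE"


def matches_ta17_318b(data: bytes) -> bool:
    """Full condition: PE header checks AND the $s string anywhere in the file."""
    return is_pe(data) and UA_MARKER in data


def build_pe_stub(payload: bytes) -> bytes:
    """Constructed minimal PE-shaped blob: MZ header, e_lfanew -> 'PE\\0\\0', then payload.

    Not a loadable executable; just enough structure to satisfy the header checks.
    """
    e_lfanew = 0x80
    header = bytearray(e_lfanew)
    header[0:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, e_lfanew)
    return bytes(header) + b"PE\0\0" + payload


# Constructed samples (assumption: synthetic, not real Volgmer binaries).
SAMPLES = {
    # PE stub carrying the malformed UA: the only one the rule should flag.
    "pe_with_ua": build_pe_stub(b"...User-Agent: Mozillar/5.0\r\n..."),
    # PE stub with the correctly spelled UA: header checks pass, $s does not.
    "pe_without_ua": build_pe_stub(b"...User-Agent: Mozilla/5.0\r\n..."),
    # Plain HTTP text containing the string: no MZ header, so no match.
    "text_with_ua": b"GET / HTTP/1.1\r\nUser-Agent: Mozillar/5.0\r\n",
    # "MZ" plus the string at 0x3C: uint32(0x3c) reads "Mozi", pointing past EOF.
    "mz_only_with_ua": b"MZ" + b"\0" * 0x3A + b"Mozillar/",
}


def scan_samples() -> dict:
    """Apply the re-implemented condition to every constructed sample."""
    return {name: matches_ta17_318b(data) for name, data in SAMPLES.items()}


def yara_cross_check(data: bytes):
    """Run the real rule via yara-python if available; None when the module is absent."""
    try:
        import yara
    except ImportError:
        return None
    rules = yara.compile(source=RULE_TA17_318B)
    return bool(rules.match(data=data))


if __name__ == "__main__":
    for name, hit in scan_samples().items():
        print(f"{name:18s} -> {'MATCH' if hit else 'no match'}")
```

Only `pe_with_ua` matches; the other three show the string check firing on its own, the PE gate blocking a text file, and an out-of-range `uint16()` read evaluating to false rather than erroring, which is how YARA treats reads past end of file.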
Volgmer_Malware
Detects Volgmer malware as reported in US CERT TA17-318B
author: Florian Roth (Nextron Systems) · license: see source repo
import "pe"

rule Volgmer_Malware {
   meta:
      description = "Detects Volgmer malware as reported in US CERT TA17-318B"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://www.us-cert.gov/ncas/alerts/TA17-318B"
      date = "2017-11-15"
      hash1 = "ff2eb800ff16745fc13c216ff6d5cc2de99466244393f67ab6ea6f8189ae01dd"
      hash2 = "8fcd303e22b84d7d61768d4efa5308577a09cc45697f7f54be4e528bbb39435b"
      hash3 = "eff3e37d0406c818e3430068d90e7ed2f594faa6bb146ab0a1c00a2f4a4809a5"
      hash4 = "e40a46e95ef792cf20d5c14a9ad0b3a95c6252f96654f392b4bc6180565b7b11"
      hash5 = "6dae368eecbcc10266bba32776c40d9ffa5b50d7f6199a9b6c31d40dfe7877d1"
      hash6 = "fee0081df5ca6a21953f3a633f2f64b7c0701977623d3a4ec36fff282ffe73b9"
      hash7 = "53e9bca505652ef23477e105e6985102a45d9a14e5316d140752df6f3ef43d2d"
      hash8 = "1d0999ba3217cbdb0cc85403ef75587f747556a97dee7c2616e28866db932a0d"
      id = "a8df5f70-69e7-5c95-8af7-7dda6bb9c77a"
   strings:
      $x1 = "User-Agent: Mozillar/5.0" fullword ascii
      $x2 = "[Cmd] - CMD_BOTCMD_CONNLOG_GET" fullword wide
      $x3 = "[TestConnect To Bot] - Port = %d" fullword ascii
      $x4 = "b50a338264226b6d57c1936d9db140ba74a28930270a083353645a9b518661f4fcea160d7" ascii

      $s1 = "%sigfx%c%c%c.exe" fullword wide
      $s2 = "H_%s_%016I64X_%04d%02d%02d%02d%02d%02d.TXT" fullword ascii
      $s3 = "cmd.exe /c %s > %s 2>&1" fullword wide
      $s4 = "%s\\dllcache\\%s.dll" fullword ascii
      $s5 = "Cond Fail." fullword ascii
      $s6 = "The %s %s%s" fullword ascii
      $s7 = "%s \"%s\"%s \"%s\" %s \"%s\"" fullword ascii
      $s8 = "DLL_Spider.dll" fullword ascii
   condition:
      filesize < 400KB and (
         1 of ($x*) or /* Very specific strings */
         ( uint16(0) == 0x5a4d and 2 of them ) /* Others combined with the MZ header */
      ) or
      /* Imphash */
      ( uint16(0) == 0x5a4d and pe.imphash() == "ea42395e901b33bad504798e0f0fd74b" )
}
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin