Home/Daserf/YARA rules
YARA

YARA rules for Daserf

3 rules · scoped to tool · back to Daserf
YARA rules whose family, name, or description matches this tool or its tooling. Use these for binary-pattern hunts.

YARA rules

3 of 3
direct BronzeButler
BronzeButler_Daserf_Delphi_1
Detects malware / hacktool sample from Bronze Butler incident
author Florian Roth (Nextron Systems) license see source repo
view YARA rule 
rule BronzeButler_Daserf_Delphi_1 {
   meta:
      description = "Detects malware / hacktool sample from Bronze Butler incident"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses"
      date = "2017-10-14"
      hash1 = "89a80ca92600af64eb9c32cab4e936c7d675cf815424d72438973e2d6788ef64"
      hash2 = "b1bd03cd12638f44d9ace271f65645e7f9b707f86e9bcf790e0e5a96b755556b"
      hash3 = "22e1965154bdb91dd281f0e86c8be96bf1f9a1e5fe93c60a1d30b79c0c0f0d43"
      id = "88372e62-3bba-58dc-825c-f35533e42825"
   strings:
      $s1 = "Services.exe" fullword ascii
      $s2 = "Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; SV1)" fullword ascii
      $s3 = "l32.dll" fullword ascii
      $s4 = "tProcess:" fullword ascii
      $s5 = " InjectPr" ascii
      $s6 = "Write$Error creating variant or safe array\x1fInvalid argument to time encode" fullword wide
      $s7 = "on\\run /v " fullword ascii
      $s8 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\run" fullword ascii
      $s9 = "ms1ng2d3d2.exe" fullword ascii
   condition:
      ( uint16(0) == 0x5a4d and filesize < 400KB and 3 of them )
}
direct BronzeButler
BronzeButler_Daserf_C_1
Detects malware / hacktool sample from Bronze Butler incident
author Florian Roth (Nextron Systems) license see source repo
view YARA rule 
rule BronzeButler_Daserf_C_1 {
   meta:
      description = "Detects malware / hacktool sample from Bronze Butler incident"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses"
      date = "2017-10-14"
      hash1 = "a4afd9df1b4cc014c3a89d7b4a560fa3e368b02286c42841762714b23e68cc05"
      hash2 = "90ac1fb148ded4f46949a5fea4cd8c65d4ea9585046d66459328a5866f8198b2"
      hash3 = "331ac0965b50958db49b7794cc819b2945d7b5e5e919c185d83e997e205f107b"
      hash4 = "b1fdc6dc330e78a66757b77cc67a0e9931b777cd7af9f839911eecb74c04420a"
      hash5 = "15abe7b1355cd35375de6dde57608f6d3481755fdc9e71d2bfc7c7288db4cd92"
      hash6 = "85544d2bcaf8e6ca32bbc0a9e9583c9db1dce837043f555a7ff66363d5858439"
      hash7 = "2dc24622c1e91642a21a64c0dd31cbe953e8f77bd3d6abcf2c4676c3b11bb162"
      hash8 = "2bdb88fa24cffba240b60416835189c76a9920b6c3f6e09c3c4b171c2f57031c"
      id = "62a5cc4a-7c58-5e4d-ac23-8d1f850a540a"
   strings:
      $s1 = "(c) 2010 DYAMAR EnGineerinG, All rights reserved, http://www.dyamar.com." fullword ascii
      $s2 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; SV1)" fullword ascii

      $a1 = "ndkkwqgcm" fullword ascii
      $a2 = "RtlGetCo" fullword ascii
      $a3 = "hutils" fullword ascii

      $b1 = "%USERPROFILE%\\System" fullword ascii
      $b2 = "msid.dat" fullword ascii
      $b3 = "DRIVE_REMOTE" fullword wide
      $b4 = "%s%s%s%s%s%s%s%s%s%s%s%s" fullword ascii
      $b5 = "jcbhe.asp" fullword ascii
      $b6 = "edset.asp" fullword ascii
      $b7 = "bxcve.asp" fullword ascii
      $b8 = "hcvery.php" fullword ascii
      $b9 = "ynhkef.php" fullword ascii
      $b10 = "dkgwey.php" fullword ascii
   condition:
      uint16(0) == 0x5a4d and filesize < 300KB and (
         pe.imphash() == "088382f4887e3b2c4bd5157f2d72b618" or
         all of ($a*) or
         4 of them
      )
}
direct Daserf
Daserf_Nov1_BronzeButler
Detects Daserf malware used by Bronze Butler
author Florian Roth (Nextron Systems) license see source repo
view YARA rule 
rule Daserf_Nov1_BronzeButler {
   meta:
      description = "Detects Daserf malware used by Bronze Butler"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://goo.gl/ffeCfd"
      date = "2017-11-08"
      hash1 = "5ede6f93f26ccd6de2f93c9bd0f834279df5f5cfe3457915fae24a3aec46961b"
      id = "58c4d3dc-c516-567b-8746-4e185c3cd328"
   strings:
      $x1 = "mstmp1845234.exe" fullword ascii
      /* Bronce Butler UA String - see google search */
      $x2 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; SV1)" fullword ascii
      $x3 = "Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; SV1)" fullword ascii

      $s1 = "Content-Type: */*" fullword ascii
      $s2 = "ProxyEnable" ascii fullword
      $s3 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer" ascii fullword
      $s4 = "iexplore.exe" ascii fullword
      /* Looks random but present in many samples */
      $s5 = "\\SOFTWARE\\Microsoft\\Windows\\Cu" ascii
      $s6 = "rrentVersion\\Internet Settings" fullword ascii
      $s7 = "ws\\CurrentVersion\\Inter" fullword ascii
      $s8 = "Documents an" fullword ascii
   condition:
      uint16(0) == 0x5a4d and filesize < 700KB and ( 1 of ($x*) or 5 of them )
}
Showing 1-3 of 3
Prev 1 Next
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin