
YARA rules for ZeroT

13 rules · scoped to tool
YARA rules whose family, name, or description matches this tool or its tooling. Use these for binary-pattern hunts. Every rule below also carries a `hash1` (the SHA-256 of the sample it was written from) and a `reference` to the Proofpoint ZeroT/PlugX write-up, so the set supports hash lookups as well as pattern scans.

PP_CN_APT_ZeroT_1 (direct match)
Detects malware from the Proofpoint CN APT ZeroT incident
Author: Florian Roth (Nextron Systems) · License: Detection Rule License 1.1 (see source repo)
rule PP_CN_APT_ZeroT_1 {
   meta:
      description = "Detects malware from the Proofpoint CN APT ZeroT incident"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx"
      date = "2017-02-03"
      hash1 = "09061c603a32ac99b664f7434febfc8c1f9fd7b6469be289bb130a635a6c47c0"
      id = "c16f3abb-ac7e-5d5f-b8d7-b105cff3886e"
   strings:
      $s1 = "suprise.exe" fullword ascii
   condition:
      ( uint16(0) == 0x5a4d and filesize < 2000KB and all of them )
}
PP_CN_APT_ZeroT_2 (direct match)
Detects malware from the Proofpoint CN APT ZeroT incident
Author: Florian Roth (Nextron Systems) · License: Detection Rule License 1.1 (see source repo)
rule PP_CN_APT_ZeroT_2 {
   meta:
      description = "Detects malware from the Proofpoint CN APT ZeroT incident"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx"
      date = "2017-02-03"
      hash1 = "74eb592ef7f5967b14794acdc916686e061a43169f06e5be4dca70811b9815df"
      id = "8433216e-1189-568c-bd18-051fb1fec215"
   strings:
      $s1 = "NO2-2016101902.exe" fullword ascii
   condition:
      ( uint16(0) == 0x5a4d and filesize < 2000KB and all of them )
}
PP_CN_APT_ZeroT_3 (direct match)
Detects malware from the Proofpoint CN APT ZeroT incident
Author: Florian Roth (Nextron Systems) · License: Detection Rule License 1.1 (see source repo)
rule PP_CN_APT_ZeroT_3 {
   meta:
      description = "Detects malware from the Proofpoint CN APT ZeroT incident"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx"
      date = "2017-02-03"
      hash1 = "ee2e2937128dac91a11e9bf55babc1a8387eb16cebe676142c885b2fc18669b2"
      id = "99aa29cf-d962-5a3d-bd28-6486c40822bb"
   strings:
      $s1 = "/svchost.exe" fullword ascii
      $s2 = "RasTls.dll" fullword ascii
      $s3 = "20160620.htm" fullword ascii
      $s4 = "* $l&$" fullword ascii
      $s5 = "dfjhmh" fullword ascii
      $s6 = "/20160620.htm" fullword ascii
   condition:
      ( uint16(0) == 0x5449 and filesize < 1000KB and 3 of them ) or ( all of them )
}
PP_CN_APT_ZeroT_4 (direct match)
Detects malware from the Proofpoint CN APT ZeroT incident
Author: Florian Roth (Nextron Systems) · License: Detection Rule License 1.1 (see source repo)
rule PP_CN_APT_ZeroT_4 {
   meta:
      description = "Detects malware from the Proofpoint CN APT ZeroT incident"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx"
      date = "2017-02-03"
      hash1 = "a9519d2624a842d2c9060b64bb78ee1c400fea9e43d4436371a67cbf90e611b8"
      id = "b21961ee-d346-51d3-bacd-02554240162d"
   strings:
      $s1 = "Mcutil.dll" fullword ascii
      $s2 = "mcut.exe" fullword ascii
   condition:
      ( uint16(0) == 0x5a4d and filesize < 1000KB and all of them )
}
PP_CN_APT_ZeroT_5 (direct match)
Detects malware from the Proofpoint CN APT ZeroT incident
Author: Florian Roth (Nextron Systems) · License: Detection Rule License 1.1 (see source repo)
rule PP_CN_APT_ZeroT_5 {
   meta:
      description = "Detects malware from the Proofpoint CN APT ZeroT incident"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx"
      date = "2017-02-03"
      hash1 = "74dd52aeac83cc01c348528a9bcb20bbc34622b156f40654153e41817083ba1d"
      id = "2a7c6a36-aace-562e-bbc4-425c1d93fab1"
   strings:
      $x1 = "dbozcb" fullword ascii

      $s1 = "nflogger.dll" fullword ascii
      $s2 = "/svchost.exe" fullword ascii
      $s3 = "1207.htm" fullword ascii
      $s4 = "/1207.htm" fullword ascii
   condition:
      ( uint16(0) == 0x5449 and filesize < 1000KB and 1 of ($x*) and 1 of ($s*) ) or ( all of them )
}
PP_CN_APT_ZeroT_6 (direct match)
Detects malware from the Proofpoint CN APT ZeroT incident
Author: Florian Roth (Nextron Systems) · License: Detection Rule License 1.1 (see source repo)
rule PP_CN_APT_ZeroT_6 {
   meta:
      description = "Detects malware from the Proofpoint CN APT ZeroT incident"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx"
      date = "2017-02-03"
      hash1 = "a16078c6d09fcfc9d6ff7a91e39e6d72e2d6d6ab6080930e1e2169ec002b37d3"
      id = "2e3bb4bd-5e20-56e7-a82b-d717d83eaeeb"
   strings:
      $s1 = "jGetgQ|0h9=" fullword ascii
      $s2 = "\\sfxrar32\\Release\\sfxrar.pdb"
   condition:
      uint16(0) == 0x5a4d and filesize < 1000KB and all of them
}
PP_CN_APT_ZeroT_7 (direct match)
Detects malware from the Proofpoint CN APT ZeroT incident
Author: Florian Roth (Nextron Systems) · License: Detection Rule License 1.1 (see source repo)
rule PP_CN_APT_ZeroT_7 {
   meta:
      description = "Detects malware from the Proofpoint CN APT ZeroT incident"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx"
      date = "2017-02-03"
      hash1 = "fc2d47d91ad8517a4a974c4570b346b41646fac333d219d2f1282c96b4571478"
      id = "e9cdca86-84a8-5673-935c-c319b523674b"
   strings:
      $s1 = "RasTls.dll" fullword ascii
      $s2 = "RasTls.exe" fullword ascii
      $s4 = "LOADER ERROR" fullword ascii
      $s5 = "The procedure entry point %s could not be located in the dynamic link library %s" fullword ascii
   condition:
      ( uint16(0) == 0x5a4d and filesize < 1000KB and all of them )
}
PP_CN_APT_ZeroT_8 (direct match)
Detects malware from the Proofpoint CN APT ZeroT incident
Author: Florian Roth (Nextron Systems) · License: Detection Rule License 1.1 (see source repo)
rule PP_CN_APT_ZeroT_8 {
   meta:
      description = "Detects malware from the Proofpoint CN APT ZeroT incident"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx"
      date = "2017-02-03"
      hash1 = "4ef91c17b1415609a2394d2c6c353318a2503900e400aab25ab96c9fe7dc92ff"
      id = "f9a4f092-c699-5e91-9667-64ffe1b02bc1"
   strings:
      $s1 = "/svchost.exe" fullword ascii
      $s2 = "RasTls.dll" fullword ascii
      $s3 = "20160620.htm" fullword ascii
      $s4 = "/20160620.htm" fullword ascii
   condition:
      ( uint16(0) == 0x5449 and filesize < 1000KB and 3 of them )
}
PP_CN_APT_ZeroT_9 (direct match)
Detects malware from the Proofpoint CN APT ZeroT incident
Author: Florian Roth (Nextron Systems) · License: Detection Rule License 1.1 (see source repo)
rule PP_CN_APT_ZeroT_9 {
   meta:
      description = "Detects malware from the Proofpoint CN APT ZeroT incident"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx"
      date = "2017-02-03"
      hash1 = "a685cf4dca6a58213e67d041bba637dca9cb3ea6bb9ad3eae3ba85229118bce0"
      id = "e1c32993-409c-5a62-8239-cff99fb83a7f"
   strings:
      $x1 = "nflogger.dll" fullword ascii
      $s7 = "Zlh.exe" fullword ascii
   condition:
      ( uint16(0) == 0x5a4d and filesize < 1000KB and all of them )
}
CN_APT_ZeroT_nflogger (direct match)
Chinese APT by Proofpoint ZeroT RAT - file nflogger.dll
Author: Florian Roth (Nextron Systems) · License: Detection Rule License 1.1 (see source repo)
rule CN_APT_ZeroT_nflogger {
   meta:
      description = "Chinese APT by Proofpoint ZeroT RAT  - file nflogger.dll"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx"
      date = "2017-02-04"
      hash1 = "946adbeb017616d56193a6d43fe9c583be6ad1c7f6a22bab7df9db42e6e8ab10"
      id = "0d23f312-e3b6-5c23-855b-25ae54265512"
   strings:
      $x1 = "\\LoaderDll.VS2010\\Release\\" ascii
   condition:
      ( uint16(0) == 0x5a4d and filesize < 200KB and all of them )
}
CN_APT_ZeroT_extracted_Go (direct match)
Chinese APT by Proofpoint ZeroT RAT - file Go.exe
Author: Florian Roth (Nextron Systems) · License: Detection Rule License 1.1 (see source repo)
rule CN_APT_ZeroT_extracted_Go {
   meta:
      description = "Chinese APT by Proofpoint ZeroT RAT  - file Go.exe"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx"
      date = "2017-02-04"
      modified = "2023-01-06"
      hash1 = "83ddc69fe0d3f3d2f46df7e72995d59511c1bfcca1a4e14c330cb71860b4806b"
      id = "ba929e6d-4162-58e7-b8a8-bcb066b64522"
   strings:
      $x1 = "%s\\cmd.exe /c %s\\Zlh.exe" fullword ascii
      $x2 = "\\BypassUAC.VS2010\\Release\\" ascii

      $s1 = "Zjdsf.exe" fullword ascii
      $s2 = "SS32prep.exe" fullword ascii
      $s3 = "windowsgrep.exe" fullword ascii
      $s4 = "Sysdug.exe" fullword ascii
      $s5 = "Proessz.exe" fullword ascii
      $s6 = "%s\\Zlh.exe" fullword ascii
      $s7 = "/C %s\\%s" fullword ascii
   condition:
      ( uint16(0) == 0x5a4d and filesize < 100KB and ( 1 of ($x*) or 3 of ($s*) ) ) or ( 7 of them )
}
CN_APT_ZeroT_extracted_Mcutil (direct match)
Chinese APT by Proofpoint ZeroT RAT - file Mcutil.dll
Author: Florian Roth (Nextron Systems) · License: Detection Rule License 1.1 (see source repo)
rule CN_APT_ZeroT_extracted_Mcutil {
   meta:
      description = "Chinese APT by Proofpoint ZeroT RAT  - file Mcutil.dll"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx"
      date = "2017-02-04"
      hash1 = "266c06b06abbed846ebabfc0e683f5d20dadab52241bc166b9d60e9b8493b500"
      id = "c887d36b-8aeb-54f1-a683-727561723238"
   strings:
      $s1 = "LoaderDll.dll" fullword ascii
      $s2 = "QageBox1USER" fullword ascii
      $s3 = "xhmowl" fullword ascii
      $s4 = "?KEYKY" fullword ascii
      $s5 = "HH:mm:_s" fullword ascii
      $s6 = "=licni] has maX0t" fullword ascii
   condition:
      ( uint16(0) == 0x5a4d and filesize < 90KB and 3 of them ) or ( all of them )
}
CN_APT_ZeroT_extracted_Zlh (direct match)
Chinese APT by Proofpoint ZeroT RAT - file Zlh.exe
Author: Florian Roth (Nextron Systems) · License: Detection Rule License 1.1 (see source repo)
rule CN_APT_ZeroT_extracted_Zlh {
   meta:
      description = "Chinese APT by Proofpoint ZeroT RAT - file Zlh.exe"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx"
      date = "2017-02-04"
      hash1 = "711f0a635bbd6bf1a2890855d0bd51dff79021db45673541972fe6e1288f5705"
      id = "4c8b9a90-6cb3-5aba-a993-f73207341d0e"
   strings:
      $s1 = "nflogger.dll" fullword wide
      $s2 = "%s %d: CreateProcess('%s', '%s') failed. Windows error code is 0x%08x" fullword ascii
      $s3 = "_StartZlhh(): Executed \"%s\"" ascii
      $s4 = "Executable: '%s' (%s) %i" fullword ascii
   condition:
      ( uint16(0) == 0x5a4d and filesize < 300KB and 3 of them )
}
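Added example, not code from threatengine.sh or from the signature-base rules above: a small Python script that parses two of the listed rules (PP_CN_APT_ZeroT_1 and PP_CN_APT_ZeroT_8), pulls the `hash1` indicator out of their meta for a hash sweep, and re-implements the two primitives every rule on this page relies on, `uint16(0)` and `fullword ascii`, so the reader can see exactly what the conditions test. The rule text is copied from the listing but trimmed to the fields the parser reads; the byte-string samples and all helper names (`parse_rules`, `evaluate`, `hash_sweep`, `IT_SAMPLE` and friends) are invented for the illustration. It reads a subset of YARA and is not a replacement for the `yara` scanner, which is what you would run for a real hunt.

```python
import hashlib
import re
import struct

# Two rules from the listing above (Florian Roth / signature-base, DRL 1.1), trimmed to the
# fields this parser reads and embedded only so the helpers below have real input.
RULES_TEXT = r'''
rule PP_CN_APT_ZeroT_1 {
   meta:
      hash1 = "09061c603a32ac99b664f7434febfc8c1f9fd7b6469be289bb130a635a6c47c0"
   strings:
      $s1 = "suprise.exe" fullword ascii
   condition:
      ( uint16(0) == 0x5a4d and filesize < 2000KB and all of them )
}
rule PP_CN_APT_ZeroT_8 {
   meta:
      hash1 = "4ef91c17b1415609a2394d2c6c353318a2503900e400aab25ab96c9fe7dc92ff"
   strings:
      $s1 = "/svchost.exe" fullword ascii
      $s2 = "RasTls.dll" fullword ascii
      $s3 = "20160620.htm" fullword ascii
      $s4 = "/20160620.htm" fullword ascii
   condition:
      ( uint16(0) == 0x5449 and filesize < 1000KB and 3 of them )
}
'''

RULE_RE = re.compile(r'rule\s+(\w+)\s*\{(.*?)^\}', re.S | re.M)
SECTION_RE = re.compile(r'^\s*(meta|strings|condition):\s*$', re.M)
META_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"', re.M)
STRING_RE = re.compile(r'^\s*(\$\w+)\s*=\s*"((?:[^"\\]|\\.)*)"\s*(.*)$', re.M)
HEADER_RE = re.compile(r'uint16\(0\)\s*==\s*0x([0-9a-fA-F]{1,4})')
FILESIZE_RE = re.compile(r'filesize\s*<\s*(\d+)\s*KB')
COUNT_RE = re.compile(r'\b(all|\d+)\s+of\s+them\b')
ALNUM = rb'[0-9A-Za-z]'

def parse_rules(text):
    """Split YARA source into rules with a meta dict, a string list and the condition text.
    String values are taken literally; YARA escapes (e.g. the \\ in rule 6's pdb path) are
    not decoded, because the two embedded rules use none."""
    rules = []
    for name, body in RULE_RE.findall(text):
        parts = SECTION_RE.split(body)  # [pre, 'meta', txt, 'strings', txt, 'condition', txt]
        sections = dict(zip(parts[1::2], parts[2::2]))
        strings = [(sid, val.encode('latin-1'), set(mods.split()))
                   for sid, val, mods in STRING_RE.findall(sections.get('strings', ''))]
        rules.append({'name': name,
                      'meta': dict(META_RE.findall(sections.get('meta', ''))),
                      'strings': strings,
                      'condition': ' '.join(sections.get('condition', '').split())})
    return rules

def header_word(data):
    """YARA's uint16(0): the first two bytes read little-endian, so 0x5a4d is b'MZ' (a DOS/PE
    header) while the 0x5449 gate in rules 3, 5 and 8 only passes files that begin with b'IT'."""
    return struct.unpack_from('<H', data, 0)[0] if len(data) >= 2 else None

def count_fullword_ascii(data, needle):
    """Occurrences of `needle` bounded by non-alphanumeric bytes or the file edges, which is
    what the `fullword` modifier means: a longer identifier containing it does not count."""
    pattern = re.compile(rb'(?<!' + ALNUM + rb')' + re.escape(needle) + rb'(?!' + ALNUM + rb')')
    return len(pattern.findall(data))

def evaluate(rule, data):
    """Evaluate the condition shape most rules on this page use: a uint16(0) magic, a
    `filesize < NKB` gate and `<N|all> of them`. Returns (matched, ids of strings found).
    Only ascii strings are searched; `wide` strings and `1 of ($x*)` forms are not handled."""
    hits = [sid for sid, needle, mods in rule['strings']
            if 'wide' not in mods and count_fullword_ascii(data, needle) > 0]
    cond = rule['condition']
    magic = HEADER_RE.search(cond)
    if magic and header_word(data) != int(magic.group(1), 16):
        return False, hits
    limit = FILESIZE_RE.search(cond)
    if limit and len(data) >= int(limit.group(1)) * 1024:  # YARA's KB is 1024 bytes
        return False, hits
    count = COUNT_RE.search(cond)
    needed = len(rule['strings']) if count is None or count.group(1) == 'all' else int(count.group(1))
    return len(hits) >= needed, hits

def hash_sweep(rules, data):
    """The other hunt the meta supports: compare the sample's SHA-256 with each rule's hash1."""
    digest = hashlib.sha256(data).hexdigest()
    return [r['name'] for r in rules if r['meta'].get('hash1', '').lower() == digest]

# Constructed inputs, not ZeroT samples: a fake DOS/PE stub with the dropper name, the same stub
# where the name is only the tail of a longer token, a file that starts with the bytes 'IT',
# and a PE stub that carries the same URL strings as the 'IT' file.
PE_STUB = b'MZ' + b'\x00' * 62 + b'PE\x00\x00'
PE_WITH_NAME = PE_STUB + b'\x00suprise.exe\x00'
PE_WITH_SUBSTRING = PE_STUB + b'\x00mysuprise.exe\x00'
IT_SAMPLE = b'IT\x00/svchost.exe\x00/20160620.htm\x00'
PE_WITH_IT_STRINGS = PE_STUB + b'\x00/svchost.exe\x00/20160620.htm\x00'

if __name__ == '__main__':
    rules = parse_rules(RULES_TEXT)
    print({r['name']: r['meta']['hash1'] for r in rules})
    for sample in (PE_WITH_NAME, PE_WITH_SUBSTRING, IT_SAMPLE, PE_WITH_IT_STRINGS):
        print('0x%04x' % header_word(sample), [evaluate(r, sample) for r in rules], hash_sweep(rules, sample))
```

Two things the run makes visible. `uint16(0)` is little-endian, so the `0x5449` gate in PP_CN_APT_ZeroT_3, _5 and _8 only passes files whose first two bytes are `IT`; an MZ file carrying the same strings is rejected, which is what `PE_WITH_IT_STRINGS` shows. And in PP_CN_APT_ZeroT_8 `$s3` (`20160620.htm`) is the tail of `$s4` (`/20160620.htm`) behind a non-alphanumeric `/`, so any file containing `$s4` also contains a fullword `$s3`; under `3 of them`, `/svchost.exe` plus `/20160620.htm` is already enough to fire, so the rule's effective string count is three, not four.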
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin