
YARA rules for Bankshot

1 rule · scoped to tool
YARA rules whose family, name, or description matches this tool or its tooling. Use these for binary-pattern hunts.

YARA rules

Match type: direct · Family: HiddenCobra
HiddenCobra_BANKSHOT_Gen
Detects Hidden Cobra BANKSHOT trojan
Author: Florian Roth (Nextron Systems) · License: see source repo
rule HiddenCobra_BANKSHOT_Gen {
   meta:
      description = "Detects Hidden Cobra BANKSHOT trojan"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity"
      date = "2017-12-26"
      modified = "2022-06-10"
      hash1 = "89775a2fbb361d6507de6810d2ca71711d5103b113179f1e1411ccf75e6fc486"
      hash2 = "8b2d084a8bb165b236d3e5436d6cb6fa1fda6431f99c4f34973dc735b4f2d247"
      hash3 = "b766ee0f46c92a746f6db3773735ee245f36c1849de985bbc3a37b15f7187f24"
      hash4 = "daf5facbd67f949981f8388a6ca38828de2300cb702ad530e005430782802b75"
      hash5 = "ef6f8b43caa25c5f9c7749e52c8ab61e8aec8053b9f073edeca4b35312a0a699"
      hash6 = "d900ee8a499e288a11f1c75e151569b518864e14c58cc72c47f95309956b3eff"
      hash7 = "ec44ecd57401b3c78d849115f08ff046011b6eb933898203b7641942d4ee3af9"
      hash8 = "3e6d575b327a1474f4767803f94799140e16a729e7d00f1bea40cd6174d8a8a6"
      hash9 = "6db37a52517653afe608fd84cc57a2d12c4598c36f521f503fd8413cbef9adca"
      id = "fbf9dd32-cb9a-51f2-bd03-0387fbf44baa"
   strings:
      $s1 = "Mozilla/4.0 (compatible; MSIE 8.0; Win32)" fullword wide
      $s2 = "rHTTP/1.1 200 Connection established" fullword wide
      $s3 = "Proxy-Connection: keep-alive" fullword wide
      $s4 = "\\msncf.dat" wide
      $s5 = "msvcru32.bat" fullword ascii
      $s6 = "reg delete \"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\" /v \"%s\" /f" fullword ascii
      $s7 = "MXINFO.DLL" fullword ascii
      $s8 = "usrvc32.bat" fullword ascii
      $s9 = "ping -n 1 127.0.0.1" fullword ascii
      $s10 = "%sd.e%sc \"%s > %s 2>&1\"" ascii fullword
      $s11 = "DWS*.tmp" ascii fullword
      $s12 = "CS*.tmp" fullword wide
      $s13 = "WM*.tmp" fullword wide

      $x1 = "CgpaipIddwspwe32Hnaehsdi" fullword ascii
      $x2 = "RpiPmtiCdopIsgpao" fullword ascii
      $x3 = "RpiLtnodlhOtgpcidgyA" fullword ascii
      $x4 = "LatiQdgHtnrwpDbupci" fullword ascii
      /* $x5 = "vchost.exe" fullword ascii */
      $x6 = "\\system32\\msncf.dat" ascii
      $x7 = "GprthipgHpgktcpCigwSanowpgA" fullword ascii

      $a1 = "live.dropbox.com" fullword ascii
      $a2 = "tatadocomo.yahoo.com" fullword ascii
      $a3 = "widgets.twimg.com" fullword ascii
      $a4 = "history.paypal.com" fullword ascii
      $a5 = "www.bitcoin.org" fullword ascii
      $a6 = "web.whatsapp.com" fullword ascii
   condition:
      uint16(0) == 0x5a4d and filesize < 500KB and (
         1 of ($x*) or
         2 of ($s*) or
         4 of ($a*)
      )
}
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin