Home/Kazuar/YARA rules
YARA

YARA rules for Kazuar

3 rules · scoped to tool · back to Kazuar
YARA rules whose family, name, or description matches this tool or its tooling. Use these for binary-pattern hunts.

YARA rules

3 of 3
direct apt
apt_RU_Turla_Kazuar_DebugView_peFeatures
Turla mimicking SysInternals Tools- peFeatures
author JAG-S license see source repo
view YARA rule 
rule apt_RU_Turla_Kazuar_DebugView_peFeatures
{
	meta:
		description = "Turla mimicking SysInternals Tools- peFeatures"
        reference = "https://www.epicturla.com/blog/sysinturla"
		version = "2.0"
		author = "JAG-S"
        score = 85
		hash1 = "1749c96cc1a4beb9ad4d6e037e40902fac31042fa40152f1d3794f49ed1a2b5c"
		hash2 = "44cc7f6c2b664f15b499c7d07c78c110861d2cc82787ddaad28a5af8efc3daac"

		id = "0a1675c0-8645-5288-9ef6-e68ffbfe0c3b"
	condition:
		uint16(0) == 0x5a4d
		and
		(
			pe.version_info["LegalCopyright"] == "Test Copyright" 
			and
			(
				(
				pe.version_info["ProductName"] == "Sysinternals DebugView"
				and
				pe.version_info["Description"] == "Sysinternals DebugView"
				)
			or
				(
				pe.version_info["FileVersion"] == "4.80.0.0"
				and
				pe.version_info["Comments"] == "Sysinternals DebugView"
				)
			or
				(
				pe.version_info["OriginalName"] contains "DebugView.exe"
				and
				pe.version_info["InternalName"] contains "DebugView.exe"
				)
			or
				(
				pe.version_info["OriginalName"] == "Agent.exe"
				and
				pe.version_info["InternalName"] == "Agent.exe"
				)
			)
		)
}
direct
APT_MAL_RU_Turla_Kazuar_May20_1
Detects Turla Kazuar malware
author Florian Roth (Nextron Systems) license see source repo
view YARA rule 
rule APT_MAL_RU_Turla_Kazuar_May20_1 {
   meta:
      description = "Detects Turla Kazuar malware"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://www.epicturla.com/blog/sysinturla"
      date = "2020-05-28"
      hash1 = "1749c96cc1a4beb9ad4d6e037e40902fac31042fa40152f1d3794f49ed1a2b5c"
      hash2 = "1fca5f41211c800830c5f5c3e355d31a05e4c702401a61f11e25387e25eeb7fa"
      hash3 = "2d8151dabf891cf743e67c6f9765ee79884d024b10d265119873b0967a09b20f"
      hash4 = "44cc7f6c2b664f15b499c7d07c78c110861d2cc82787ddaad28a5af8efc3daac"
      id = "cd0d1fa2-5303-55f8-90a7-4a699ec79230"
   strings:
      $s1 = "Sysinternals" ascii fullword
	  $s2 = "Test Copyright" wide fullword

      $op1 = { 0d 01 00 08 34 2e 38 30 2e 30 2e 30 00 00 13 01 }
   condition:
      uint16(0) == 0x5a4d and
      filesize < 2000KB and
      all of them
}
direct Turla
Turla_KazuarRAT
Detects Turla Kazuar RAT described by DrunkBinary
author Markus Neis / Florian Roth license see source repo
view YARA rule 
rule Turla_KazuarRAT {
   meta:
      description = "Detects Turla Kazuar RAT described by DrunkBinary"
      author = "Markus Neis / Florian Roth"
      reference = "https://twitter.com/DrunkBinary/status/982969891975319553"
      date = "2018-04-08"
      hash1 = "6b5d9fca6f49a044fd94c816e258bf50b1e90305d7dab2e0480349e80ed2a0fa"
      hash2 = "7594fab1aadc4fb08fb9dbb27c418e8bc7f08dadb2acf5533dc8560241ecfc1d"
      hash3 = "4e5a86e33e53931afe25a8cb108f53f9c7e6c6a731b0ef4f72ce638d0ea5c198"
      id = "147cc7b7-6dbd-51a2-9501-bcbaec32e20e"
   strings:
      $x1 = "~1.EXE" wide
      $s2 = "dl32.dll" fullword ascii
      $s3 = "HookProc@" ascii
      $s4 = "0`.wtf" fullword ascii
   condition:
      uint16(0) == 0x5a4d and  filesize < 20KB and (
         pe.imphash() == "682156c4380c216ff8cb766a2f2e8817" or
         2 of them )
}
Showing 1-3 of 3
Prev 1 Next
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin