
YARA rules for HOPLIGHT

3 rules · scoped to tool
YARA rules whose family, name, or description matches this tool or its tooling. Use these for binary-pattern hunts.

direct HOPLIGHT
APT_MAL_HOPLIGHT_NK_HiddenCobra_Apr19_1
Detects HOPLIGHT malware used by HiddenCobra APT group
author: Florian Roth (Nextron Systems) · license: see source repo
rule APT_MAL_HOPLIGHT_NK_HiddenCobra_Apr19_1 {
   meta:
      description = "Detects HOPLIGHT malware used by HiddenCobra APT group"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://www.us-cert.gov/ncas/analysis-reports/AR19-100A"
      date = "2019-04-13"
      hash1 = "d77fdabe17cdba62a8e728cbe6c740e2c2e541072501f77988674e07a05dfb39"
      id = "923a0812-f375-5c0c-a22c-fc71ddcad4e3"
   strings:
      $s1 = "www.naver.com" fullword ascii
      $s2 = "PolarSSL Test CA0" fullword ascii
   condition:
      filesize < 1000KB and all of them
}
direct HOPLIGHT
APT_MAL_HOPLIGHT_NK_HiddenCobra_Apr19_2
Detects HOPLIGHT malware used by HiddenCobra APT group
author: Florian Roth (Nextron Systems) · license: see source repo
rule APT_MAL_HOPLIGHT_NK_HiddenCobra_Apr19_2 {
   meta:
      description = "Detects HOPLIGHT malware used by HiddenCobra APT group"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://www.us-cert.gov/ncas/analysis-reports/AR19-100A"
      date = "2019-04-13"
      hash1 = "70034b33f59c6698403293cdc28676c7daa8c49031089efa6eefce41e22dccb3"
      id = "9c7fd381-272a-5cfc-a7ee-7f0f9221fa04"
   strings:
      $s1 = "%SystemRoot%\\System32\\svchost.exe -k mdnetuse" fullword ascii
      $s2 = "%s\\hid.dll" fullword ascii
      $s3 = "%Systemroot%\\System32\\" ascii
      $s4 = "SYSTEM\\CurrentControlSet\\services\\%s\\Parameters" fullword ascii
   condition:
      uint16(0) == 0x5a4d and filesize < 800KB and all of them
}
direct HOPLIGHT
APT_MAL_HOPLIGHT_NK_HiddenCobra_Apr19_3
Detects HOPLIGHT malware used by HiddenCobra APT group
author: Florian Roth (Nextron Systems) · license: see source repo
rule APT_MAL_HOPLIGHT_NK_HiddenCobra_Apr19_3 {
   meta:
      description = "Detects HOPLIGHT malware used by HiddenCobra APT group"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://www.us-cert.gov/ncas/analysis-reports/AR19-100A"
      date = "2019-04-13"
      hash1 = "2151c1977b4555a1761c12f151969f8e853e26c396fa1a7b74ccbaf3a48f4525"
      hash2 = "05feed9762bc46b47a7dc5c469add9f163c16df4ddaafe81983a628da5714461"
      hash3 = "ddea408e178f0412ae78ff5d5adf2439251f68cad4fd853ee466a3c74649642d"
      id = "683b4d64-575a-5bdb-9ad8-e10a60037032"
   strings:
      $s1 = "Oleaut32.dll" fullword ascii
      $s2 = "Process32NextA" fullword ascii
      $s3 = "Process32FirstA" fullword ascii
      $s4 = "%sRSA key size  : %d bits" fullword ascii
      $s5 = "emailAddress=" fullword ascii
      $s6 = "%scert. version : %d" fullword ascii
      $s7 = "www.naver.com" fullword ascii

      $x1 = "ztretrtireotreotieroptkierert" fullword ascii
      $x2 = "reykfgkodfgkfdskgdfogpdokgsdfpg" fullword ascii
      $x3 = "fjiejffndxklfsdkfjsaadiepwn" fullword ascii
      $x4 = "fgwljusjpdjah" fullword ascii
      $x5 = "udbcgiut.dat" fullword ascii
   condition:
      uint16(0) == 0x5a4d and filesize < 800KB and (
            1 of ($x*) or
            6 of ($s*)
      )
}
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin