Home/WellMess/YARA rules
YARA

YARA rules for WellMess

1 rules · scoped to tool · back to WellMess
YARA rules whose family, name, or description matches this tool or its tooling. Use these for binary-pattern hunts.

YARA rules

1 of 1
direct APT29
APT_APT29_wellmess_dotnet_unique_strings
Rule to detect WellMess .NET samples based on unique strings and function/variable names
author NCSC license see source repo
view YARA rule 
rule APT_APT29_wellmess_dotnet_unique_strings {
   meta:
      description = "Rule to detect WellMess .NET samples based on unique strings and function/variable names"
      author = "NCSC"
      reference = "https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development"
      hash = "2285a264ffab59ab5a1eb4e2b9bcab9baf26750b6c551ee3094af56a4442ac41"
      id = "7a058ec7-f795-5226-b511-ff469a969ee6"
   strings:
      $s1 = "HealthInterval" wide
      $s2 = "Hello from Proxy" wide 
      $s3 = "Start bot:" wide
      $s4 = "FromNormalToBase64" ascii 
      $s5 = "FromBase64ToNormal" ascii 
      $s6 = "WellMess" ascii
   condition:
      uint16(0) == 0x5a4d and uint16(uint16(0x3c)) == 0x4550 and 3 of them
}
Showing 1-1 of 1
Prev 1 Next
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin