YARA rules for Disco
YARA rules whose family, name, or description matches this tool or its tooling. Use these for binary-pattern hunts.
rule VisualDiscovery_Lonovo_Superfish_SSL_Hijack {
    // Flags the Superfish "Visual Discovery" SSL interceptor shipped on Lenovo
    // systems: an MZ executable under 2MB carrying the BlowFish key-length
    // error text together with the three PCProxy export names.
    meta:
        description = "Lenovo Superfish SSL Interceptor - file VisualDiscovery.exe"
        author = "Florian Roth (Nextron Systems) / improved by kbandla"
        reference = "https://twitter.com/4nc4p/status/568325493558272000"
        date = "2015/02/19"
        hash1 = "99af9cfc7ab47f847103b5497b746407dc566963"
        hash2 = "f0b0cd0227ba302ac9ab4f30d837422c7ae66c46"
        hash3 = "f12edf2598d8f0732009c5cd1df5d2c559455a0b"
        hash4 = "343af97d47582c8150d63cbced601113b14fcca6"
        id = "200c016e-7ad8-5b58-be5f-7866e91d60e9"
    strings:
        // Binary-name string intentionally left disabled (as in the original):
        // the file can be renamed, and an unreferenced string would not compile.
        // $str_binary_name = "VisualDiscovery.exe" fullword wide
        $str_blowfish_err = "Invalid key length used to initialize BlowFish." fullword ascii
        $str_proxy_get    = "GetPCProxyHandler" fullword ascii
        $str_proxy_start  = "StartPCProxy" fullword ascii
        $str_proxy_set    = "SetPCProxyHandler" fullword ascii
    condition:
        // MZ magic, size cap, and every enabled string present
        uint16(0) == 0x5a4d
        and filesize < 2MB
        and all of them
}
rule MAL_Unknown_Discord_Characteristics_Jan22_1 {
    // Matches a small MZ executable that carries both the obfuscated wide
    // string below and a Discord CDN attachment URL prefix. Both strings are
    // required, so neither alone triggers the rule.
    meta:
        description = "Detects unknown malware with a few indicators also found in Wiper malware"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"
        date = "2022-01-16"
        score = 75
        hash1 = "dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78"
        id = "23ee5319-6a72-517b-8ea0-55063b6b862c"
    strings:
        // Wide-only: the sample stores this as UTF-16LE.
        $x_obfuscated = "xownxloxadDxatxxax" wide
        // Supporting indicator: attachment-hosting URL prefix, also wide-only here.
        $s_discord_cdn = "https://cdn.discordapp.com/attachments/" wide
    condition:
        uint16(0) == 0x5a4d
        and filesize < 1000KB
        and $x_obfuscated
        and $s_discord_cdn
}
rule SUSP_PE_Discord_Attachment_Oct21_1 {
    // Suspicious-only (score 70): any MZ executable under 5000KB that embeds
    // the Discord attachment URL prefix in either ASCII or UTF-16LE form.
    // Expect benign hits from legitimate Discord-integrated software; triage
    // on what the full URL is used for.
    meta:
        description = "Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)"
        author = "Florian Roth (Nextron Systems)"
        reference = "Internal Research"
        date = "2021-10-12"
        score = 70
        id = "7c217350-4a35-505d-950d-1bc989c14bc2"
    strings:
        // ascii + wide covers both narrow and UTF-16LE encodings of the prefix
        $discord_cdn_url = "https://cdn.discordapp.com/attachments/" ascii wide
    condition:
        // single-string rule: referencing it directly is the same as "1 of them"
        uint16(0) == 0x5a4d and filesize < 5000KB and $discord_cdn_url
}
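rule SUSP_Encoded_Discord_Attachment_Oct21_1 {
    // Looks for "cdn.discordapp.com/attachments" hidden behind a simple
    // transformation: base64, hex, or byte reversal. No MZ check on purpose,
    // so scripts and other non-PE carriers are in scope; the only guards are
    // the size cap and the requirement that at least one encoded form match.
    //
    // Change vs. the original: the two hex strings (one upper-case, one
    // lower-case) are collapsed into a single `nocase` string. That keeps both
    // original matches and additionally catches mixed-case hex, which encoders
    // that mix nibble case would otherwise slip past.
    meta:
        description = "Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN)"
        author = "Florian Roth (Nextron Systems)"
        reference = "Internal Research"
        date = "2021-10-12"
        score = 70
        id = "06c086f4-8b79-5506-9e3f-b5d099106157"
    strings:
        /* base64 encoded forms: the ASCII hostname/path at its three possible
           bit alignments, then the UTF-16LE form at its three alignments.
           Each pattern is itself searched as ascii and wide. */
        $enc_b01 = "Y2RuLmRpc2NvcmRhcHAuY29tL2F0dGFjaG1lbnRz" ascii wide
        $enc_b02 = "Nkbi5kaXNjb3JkYXBwLmNvbS9hdHRhY2htZW50c" ascii wide
        $enc_b03 = "jZG4uZGlzY29yZGFwcC5jb20vYXR0YWNobWVudH" ascii wide
        $enc_b04 = "AGMAZABuAC4AZABpAHMAYwBvAHIAZABhAHAAcAAuAGMAbwBtAC8AYQB0AHQAYQBjAGgAbQBlAG4AdABz" ascii wide
        $enc_b05 = "BjAGQAbgAuAGQAaQBzAGMAbwByAGQAYQBwAHAALgBjAG8AbQAvAGEAdAB0AGEAYwBoAG0AZQBuAHQAc" ascii wide
        $enc_b06 = "AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AH" ascii wide
        /* hex encoded form: `nocase` covers upper, lower and mixed-case nibbles
           with one string (previously two case-specific strings) */
        $enc_h01 = "63646e2e646973636f72646170702e636f6d2f6174746163686d656e7473" ascii wide nocase
        /* reversed string */
        $enc_r01 = "stnemhcatta/moc.ppadrocsid.ndc" ascii wide
    condition:
        filesize < 5000KB and 1 of them
}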