YARA rules

5,941 rules indexed · pattern-based malware identification
YARA rules identify and classify malware families through binary patterns, strings, and metadata. Rules below come from multiple open repositories. Expand any rule to see its raw signature.

Rules

50 shown of 5,941
CN_Honker_IIS6_iis6
Sample from CN Honker Pentest Toolset - file iis6.com
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_IIS6_iis6 {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file iis6.com"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "f0c9106d6d2eea686fd96622986b641968d0b864"
		id = "f5d49cbd-1aec-5126-ab5d-83e485fa6869"
	strings:
		$s0 = "GetMod;ul" fullword ascii
		$s1 = "excjpb" fullword ascii
		$s2 = "LEAUT1" fullword ascii
		$s3 = "EnumProcessModules" fullword ascii /* PEStudio Blacklist: strings */ /* Goodware String - occurred 410 times */
	condition:
		uint16(0) == 0x5a4d and filesize < 50KB and all of them
}
CN_Honker_IIS_logcleaner1_0_readme
Script from disclosed CN Honker Pentest Toolset - file readme.txt
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_IIS_logcleaner1_0_readme {
    meta:
        description = "Script from disclosed CN Honker Pentest Toolset - file readme.txt"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "2ab47d876b49e9a693f602f3545381415e82a556"
        id = "6f3605ab-cf9d-5f6b-8d89-6269976c5b0b"
    strings:
        $s2 = "LogCleaner.exe <ip> [Logpath]" fullword ascii
        $s3 = "http://l-y.vicp.net" fullword ascii
    condition:
        filesize < 7KB and all of them
}
CN_Honker_Injection
Sample from CN Honker Pentest Toolset - file Injection.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Injection {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file Injection.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "3484ed16e6f9e0d603cbc5cb44e46b8b7e775d35"
		id = "8600c86f-0da1-5ddb-bae5-69358cf53e7c"
	strings:
		$s0 = "http://127.0.0.1/6kbbs/bank.asp" fullword ascii /* PEStudio Blacklist: strings */
		$s7 = "jmPost.asp" fullword wide /* PEStudio Blacklist: strings */
	condition:
		uint16(0) == 0x5a4d and filesize < 220KB and all of them
}
CN_Honker_Injection_Transit_jmCook
Script from disclosed CN Honker Pentest Toolset - file jmCook.asp
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Injection_Transit_jmCook {
    meta:
        description = "Script from disclosed CN Honker Pentest Toolset - file jmCook.asp"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "5e1851c77ce922e682333a3cb83b8506e1d7395d"
        id = "468abb0e-a163-5fc5-b6a1-896fc04b8570"
    strings:
        $s1 = ".Open \"POST\",PostUrl,False" fullword ascii /* PEStudio Blacklist: strings */
        $s2 = "JmdcwName=request(\"jmdcw\")" fullword ascii /* PEStudio Blacklist: strings */
    condition:
        filesize < 9KB and all of them
}
CN_Honker_Injection_transit
Sample from CN Honker Pentest Toolset - file Injection_transit.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Injection_transit {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file Injection_transit.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "f4fef2e3d310494a3c3962a49c7c5a9ea072b2ea"
		id = "8600c86f-0da1-5ddb-bae5-69358cf53e7c"
	strings:
		$s0 = "<description>Your app description here</description> " fullword ascii /* PEStudio Blacklist: strings */
		$s4 = "Copyright (C) 2003 ZYDSoft Corp." fullword wide /* PEStudio Blacklist: os */
		$s5 = "ScriptnackgBun" fullword ascii /* PEStudio Blacklist: strings */
	condition:
		uint16(0) == 0x5a4d and filesize < 3175KB and all of them
}
CN_Honker_Interception
Sample from CN Honker Pentest Toolset - file Interception.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Interception {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file Interception.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "ea813aed322e210ea6ae42b73b1250408bf40e7a"
		id = "40d350e5-c6af-58e2-a1d8-f9516af5f869"
	strings:
		$s2 = ".\\dat\\Hookmsgina.dll" fullword ascii /* PEStudio Blacklist: strings */
		$s5 = "WinlogonHackEx " fullword wide /* PEStudio Blacklist: strings */
	condition:
		uint16(0) == 0x5a4d and filesize < 160KB and all of them
}
CN_Honker_Interception3389_setup
Sample from CN Honker Pentest Toolset - file setup.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Interception3389_setup {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file setup.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "f5b2f86f8e7cdc00aa1cb1b04bc3d278eb17bf5c"
		id = "7250ff73-6b08-56a4-b2bc-081060d1fa2d"
	strings:
		$s0 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\%s" fullword ascii /* PEStudio Blacklist: strings */
		$s1 = "%s\\temp\\temp%d.bat" fullword ascii /* PEStudio Blacklist: strings */
		$s5 = "EventStartShell" fullword ascii /* PEStudio Blacklist: strings */
		$s6 = "del /f /q \"%s\"" fullword ascii
		$s7 = "\\wminotify.dll" ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 400KB and all of them
}
CN_Honker_Intersect2_Beta
Script from disclosed CN Honker Pentest Toolset - file Intersect2-Beta.py
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Intersect2_Beta {
    meta:
        description = "Script from disclosed CN Honker Pentest Toolset - file Intersect2-Beta.py"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "3ba5f720c4994cd4ad519b457e232365e66f37cc"
        id = "d20da18d-f8c9-5eb3-8d5d-c8816cff3200"
    strings:
        $s1 = "os.system(\"ls -alhR /home > AllUsers.txt\")" fullword ascii /* PEStudio Blacklist: strings */
        $s2 = "os.system('getent passwd > passwd.txt')" fullword ascii /* PEStudio Blacklist: strings */
        $s3 = "os.system(\"rm -rf credentials/\")" fullword ascii /* PEStudio Blacklist: strings */
    condition:
        uint16(0) == 0x2123 and filesize < 50KB and 2 of them
}
CN_Honker_InvasionErasor
Sample from CN Honker Pentest Toolset - file InvasionErasor.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_InvasionErasor {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file InvasionErasor.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "b37ecd9ee6b137a29c9b9d2801473a521b168794"
		id = "03ccb643-9f92-5278-a358-65f56cf19ccc"
	strings:
		$s1 = "c:\\windows\\system32\\config\\*.*" fullword wide /* PEStudio Blacklist: strings */
		$s2 = "c:\\winnt\\*.txt" fullword wide /* PEStudio Blacklist: os */
		$s3 = "Command1" fullword ascii /* PEStudio Blacklist: strings */
		$s4 = "Win2003" fullword ascii /* PEStudio Blacklist: os */
		$s5 = "Win 2000" fullword ascii /* PEStudio Blacklist: os */
	condition:
		uint16(0) == 0x5a4d and filesize < 60KB and all of them
}
CN_Honker_LPK2_0_LPK
Sample from CN Honker Pentest Toolset - file LPK.DAT
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_LPK2_0_LPK {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file LPK.DAT"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "5a1226e73daba516c889328f295e728f07fdf1c3"
		id = "4aa40b78-5fe4-5312-881c-e5a292435ff0"
	strings:
		$s1 = "\\sethc.exe /G everyone:F" ascii /* PEStudio Blacklist: strings */
		$s2 = "net1 user guest guest123!@#" fullword ascii /* PEStudio Blacklist: strings */
		$s3 = "\\dllcache\\sethc.exe" ascii
		$s4 = "sathc.exe 211" fullword ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 1030KB and all of them
}
CN_Honker_Layer_Layer
Sample from CN Honker Pentest Toolset - file Layer.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Layer_Layer {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file Layer.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		modified = "2022-12-21"
		score = 70
		hash = "0f4f27e842787cb854bd61f9aca86a63f653eb41"
		id = "48e27119-da7e-5921-8d4f-f8a1e3ac0439"
	strings:
		$s1 = "\\Release\\Layer.pdb" ascii
		$s2 = "Layer.exe" fullword wide
		$s3 = "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0" fullword wide /* PEStudio Blacklist: strings */
	condition:
		uint16(0) == 0x5a4d and filesize < 300KB and all of them
}
CN_Honker_LogCleaner
Sample from CN Honker Pentest Toolset - file LogCleaner.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_LogCleaner {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file LogCleaner.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "ab77ed5804b0394d58717c5f844d9c0da5a9f03e"
		id = "63ec5e47-9f3e-547a-bbff-cac8b27ac8f7"
	strings:
		$s3 = ".exe <ip> [(path]" fullword ascii
		$s4 = "LogCleaner v" ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 250KB and all of them
}
CN_Honker_MAC_IPMAC
Sample from CN Honker Pentest Toolset - file IPMAC.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_MAC_IPMAC {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file IPMAC.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "24d55b6bec5c9fff4cd6f345bacac7abadce1611"
		id = "5424d3a7-765a-5dfb-9177-d5633f83079f"
	strings:
		$s1 = "Http://Www.YrYz.Net" fullword wide
		$s2 = "IpMac.txt" fullword ascii
		$s3 = "192.168.0.1" fullword ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 267KB and all of them
}
CN_Honker_MSTSC_can_direct_copy
Sample from CN Honker Pentest Toolset - file MSTSC_can_direct_copy.EXE
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_MSTSC_can_direct_copy {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file MSTSC_can_direct_copy.EXE"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		modified = "2022-12-21"
		score = 70
		hash = "2f3cbfd9f82f8abafdb1d33235fa6bfa1e1f71ae"
		id = "9155cb6f-14b6-524a-9cb9-1a88f7facf4e"
	strings:
		$s1 = "srv\\newclient\\lib\\win32\\obj\\i386\\mstsc.pdb" ascii
		$s2 = "Clear Password" fullword wide /* PEStudio Blacklist: strings */
		$s3 = "/migrate -- migrates legacy connection files that were created with " fullword wide /* PEStudio Blacklist: strings */
	condition:
		uint16(0) == 0x5a4d and filesize < 600KB and all of them
}
CN_Honker_ManualInjection
Sample from CN Honker Pentest Toolset - file ManualInjection.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_ManualInjection {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file ManualInjection.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "e83d427f44783088a84e9c231c6816c214434526"
		id = "f0899003-824f-56ed-b653-9f7a77b9ec6a"
	strings:
		$s0 = "http://127.0.0.1/cookie.asp?fuck=" fullword ascii /* PEStudio Blacklist: strings */
		$s16 = "http://Www.cnhuker.com | http://www.0855.tv" fullword ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 3000KB and all of them
}
CN_Honker_Master_beta_1_7
Sample from CN Honker Pentest Toolset - file Master_beta_1.7.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Master_beta_1_7 {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file Master_beta_1.7.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "3be7a370791f29be89acccf3f2608fd165e8059e"
		id = "78f904ec-f7cb-5fd0-a117-925ebedd1d3e"
	strings:
		$s1 = "http://seo.chinaz.com/?host=" fullword ascii /* PEStudio Blacklist: strings */
		$s2 = "Location: getpass.asp?info=" fullword ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 312KB and all of them
}
CN_Honker_MatriXay1073
Sample from CN Honker Pentest Toolset - file MatriXay1073.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_MatriXay1073 {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file MatriXay1073.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		modified = "2023-01-27"
		score = 70
		hash = "fef951e47524f827c7698f4508ba9551359578a5"
		id = "23e73b89-f60e-5bc3-8974-15be16d7c408"
	strings:
		$s0 = "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1" ascii /* PEStudio Blacklist: strings */
		$s1 = "Policy\\Scan\\GetUserLen.ini" fullword ascii /* PEStudio Blacklist: strings */
		$s2 = "!YEL!Using http://127.0.0.1:%d/ to visiter https://%s:%d/" ascii /* PEStudio Blacklist: strings */
		$s3 = "getalluserpasswordhash" fullword ascii /* PEStudio Blacklist: strings */
	condition:
		uint16(0) == 0x5a4d and filesize < 9100KB and all of them
}
CN_Honker_Md5CrackTools
Sample from CN Honker Pentest Toolset - file Md5CrackTools.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Md5CrackTools {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file Md5CrackTools.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "9dfd9c9923ae6f6fe4cbfa9eb69688269285939c"
		id = "16e04a66-0f6f-5b94-97c3-df62aa9406a9"
	strings:
		$s1 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)" fullword ascii /* PEStudio Blacklist: agent */
		$s2 = ",<a href='index.php?c=1&type=md5&hash=" fullword ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 4580KB and all of them
}
CN_Honker_NBSI_3_0
Sample from CN Honker Pentest Toolset - file NBSI 3.0.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_NBSI_3_0 {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file NBSI 3.0.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "93bf0f64bec926e9aa2caf4c28df9af27ec0e104"
		id = "be8d0dce-4f7f-5f18-9ed0-99fc1dc2b22f"
	strings:
		$s1 = ";use master declare @o int exec sp_oacreate 'wscript.shell',@o out exec sp_oamet" wide /* PEStudio Blacklist: strings */
		$s2 = "http://localhost/1.asp?id=16" fullword ascii /* PEStudio Blacklist: strings */
		$s3 = " exec master.dbo.xp_cmdshell @Z--" fullword wide /* PEStudio Blacklist: strings */
		$s4 = ";use master declare @o int exec sp_oacreate 'wscript.shell',@o out exec sp_oamet" wide /* PEStudio Blacklist: strings */
	condition:
		uint16(0) == 0x5a4d and filesize < 2600KB and 2 of them
}
CN_Honker_NetFuke_NetFuke
Sample from CN Honker Pentest Toolset - file NetFuke.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_NetFuke_NetFuke {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file NetFuke.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "f89e223fd4f6f5a3c2a2ea225660ef0957fc07ba"
		id = "833da5c7-e562-50e9-a2a9-54c36b0d1f61"
	strings:
		$s1 = "Mac Flood: Flooding %dT %d p/s " fullword ascii
		$s2 = "netfuke_%s.txt" fullword ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 1840KB and all of them
}
CN_Honker_Oracle_v1_0_Oracle
Sample from CN Honker Pentest Toolset - file Oracle.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Oracle_v1_0_Oracle {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file Oracle.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "0264f4efdba09eaf1e681220ba96de8498ab3580"
		id = "0cebede9-f4ff-5efb-98bc-55df0ad656a3"
	strings:
		$s1 = "!http://localhost/index.asp?id=zhr" fullword ascii /* PEStudio Blacklist: strings */
		$s2 = "OnGetPassword" fullword ascii /* PEStudio Blacklist: strings */
		$s3 = "Mozilla/3.0 (compatible; Indy Library)" fullword ascii /* PEStudio Blacklist: strings */
	condition:
		uint16(0) == 0x5a4d and filesize < 3455KB and all of them
}
CN_Honker_PHP_php11
Sample from CN Honker Pentest Toolset - file php11.txt
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_PHP_php11 {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file php11.txt"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "dcc8226e7eb20e4d4bef9e263c14460a7ee5e030"
		id = "e20eaab1-9799-5e61-9a25-3ac0dcce5f7f"
	strings:
		$s1 = "<tr><td><b><?php if (!$win) {echo wordwrap(myshellexec('id'),90,'<br>',1);} else" ascii /* PEStudio Blacklist: strings */
		$s2 = "foreach (glob($_GET['pathtomass'].\"/*.htm\") as $injectj00) {" fullword ascii /* PEStudio Blacklist: strings */
		$s3 = "echo '[cPanel Found] '.$login.':'.$pass.\"  Success\\n\";" fullword ascii /* PEStudio Blacklist: strings */
	condition:
		filesize < 800KB and all of them
}
CN_Honker_Perl_serv_U
Script from disclosed CN Honker Pentest Toolset - file Perl-serv-U.pl
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Perl_serv_U {
    meta:
        description = "Script from disclosed CN Honker Pentest Toolset - file Perl-serv-U.pl"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "f333c597ff746ebd5a641fbc248497d61e3ec17b"
        id = "d793227d-dd4d-5c92-bfdc-9662c3ed8933"
    strings:
        $s1 = "$dir = 'C:\\\\WINNT\\\\System32\\\\';" fullword ascii /* PEStudio Blacklist: strings */
        $s2 = "$sock = IO::Socket::INET->new(\"127.0.0.1:$adminport\") || die \"fail\";" fullword ascii /* PEStudio Blacklist: strings */
    condition:
        filesize < 8KB and all of them
}
CN_Honker_Pk_Pker
Sample from CN Honker Pentest Toolset - file Pker.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Pk_Pker {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file Pker.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "631787f27f27c46f79e58e1accfcc9ecfb4d3a2f"
		id = "dff0e4fb-6b2e-5fa8-910d-63a9e5030b95"
	strings:
		$s1 = "/msadc/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe" fullword wide /* PEStudio Blacklist: strings */
		$s2 = "msadc/..\\..\\..\\..\\winnt/system32/cmd.exe" fullword wide /* PEStudio Blacklist: strings */
		$s3 = "--Made by VerKey&Only_Guest&Bincker" fullword wide /* PEStudio Blacklist: strings */
		$s4 = ";APPLET;EMBED;FRAMESET;HEAD;NOFRAMES;NOSCRIPT;OBJECT;SCRIPT;STYLE;" fullword wide /* PEStudio Blacklist: strings */
		$s5 = " --Welcome to Www.Pker.In Made by V.K" fullword wide
		$s6 = "Report.dat" fullword wide /* PEStudio Blacklist: strings */
		$s7 = ".\\Report.dat" fullword wide /* PEStudio Blacklist: strings */
	condition:
		uint16(0) == 0x5a4d and filesize < 500KB and 5 of them
}
CN_Honker_PostgreSQL
Sample from CN Honker Pentest Toolset - file PostgreSQL.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_PostgreSQL {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file PostgreSQL.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "1ecfaa91aae579cfccb8b7a8607176c82ec726f4"
		id = "ae90d03c-ef67-5ece-81ae-86947196a81c"
	strings:
		$s1 = "&http://192.168.16.186/details.php?id=1" fullword ascii
		$s2 = "PostgreSQL_inject" fullword ascii /* PEStudio Blacklist: strings */
	condition:
		uint16(0) == 0x5a4d and filesize < 2000KB and all of them
}
CN_Honker_Pwdump7_Pwdump7
Script from disclosed CN Honker Pentest Toolset - file Pwdump7.bat
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Pwdump7_Pwdump7 {
    meta:
        description = "Script from disclosed CN Honker Pentest Toolset - file Pwdump7.bat"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "67d0e215c96370dcdc681bb2638703c2eeea188a"
        id = "baf6ced6-4298-5453-a020-a384c923584c"
    strings:
        $s1 = "Pwdump7.exe >pass.txt" fullword ascii /* PEStudio Blacklist: strings */
    condition:
        filesize < 1KB and all of them
}
CN_Honker_SAMInside
Sample from CN Honker Pentest Toolset - file SAMInside.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_SAMInside {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file SAMInside.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "707ba507f9a74d591f4f2e2f165ff9192557d6dd"
		id = "c5ac9f0a-d1af-59c3-9c13-91153180f3d8"
	strings:
		$s0 = "www.InsidePro.com" fullword wide
		$s1 = "SAMInside.exe" fullword wide
	condition:
		uint16(0) == 0x5a4d and filesize < 650KB and all of them
}
CN_Honker_SQLServer_inject_Creaked
Sample from CN Honker Pentest Toolset - file SQLServer_inject_Creaked.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_SQLServer_inject_Creaked {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file SQLServer_inject_Creaked.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "af3c41756ec8768483a4cf59b2e639994426e2c2"
		id = "9a8a77c2-9e06-5694-8055-4480ab932520"
	strings:
		$s1 = "http://localhost/index.asp?id=2" fullword ascii /* PEStudio Blacklist: strings */
		$s2 = "Email:zhaoxypass@yahoo.com.cn<br>" fullword ascii /* PEStudio Blacklist: strings */
	condition:
		uint16(0) == 0x5a4d and filesize < 8110KB and all of them
}
CN_Honker_Safe3WVS
Sample from CN Honker Pentest Toolset - file Safe3WVS.EXE
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Safe3WVS {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file Safe3WVS.EXE"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "fee3acacc763dc55df1373709a666d94c9364a7f"
		id = "035ecb73-3dbc-55d2-8d0c-b71308094d18"
	strings:
		$s0 = "2TerminateProcess" fullword ascii /* PEStudio Blacklist: strings */
		$s1 = "mscoreei.dll" fullword ascii /* reversed goodware string 'lld.ieerocsm' */
		$s7 = "SafeVS.exe" fullword wide
		$s8 = "www.safe3.com.cn" fullword wide
		$s20 = "SOFTWARE\\Classes\\Interface\\" ascii /* PEStudio Blacklist: strings */
	condition:
		uint16(0) == 0x5a4d and filesize < 3000KB and all of them
}
CN_Honker_ScanHistory
Sample from CN Honker Pentest Toolset - file ScanHistory.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_ScanHistory {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file ScanHistory.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "14c31e238924ba3abc007dc5a3168b64d7b7de8d"
		id = "85585cd2-c5ed-5465-bcac-b61211570055"
	strings:
		$s1 = "ScanHistory.exe" fullword wide /* PEStudio Blacklist: strings */
		$s2 = ".\\Report.dat" fullword wide /* PEStudio Blacklist: strings */
		$s3 = "select  * from  Results order by scandate desc" fullword wide /* PEStudio Blacklist: strings */
	condition:
		uint16(0) == 0x5a4d and filesize < 200KB and all of them
}
CN_Honker_SegmentWeapon
Sample from CN Honker Pentest Toolset - file SegmentWeapon.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_SegmentWeapon {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file SegmentWeapon.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "494ef20067a7ce2cc95260e4abc16fcfa7177fdf"
		id = "e1b6f721-4c4d-50f2-9ed6-f38e8e7ea4ab"
	strings:
		$s0 = "C:\\WINDOWS\\system32\\msvbvm60.dll\\3" fullword ascii /* PEStudio Blacklist: strings */
		$s1 = "http://www.nforange.com/inc/1.asp?" fullword wide
	condition:
		uint16(0) == 0x5a4d and filesize < 100KB and all of them
}
CN_Honker_ShiftBackdoor_Server
Sample from CN Honker Pentest Toolset - file Server.dat
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_ShiftBackdoor_Server {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file Server.dat"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "b24d761c6bbf216792c4833890460e8b37d86b37"
		id = "c53f4015-ad2b-5898-88b5-34b3bc2c65b6"
	strings:
		$s0 = "del /q /f %systemroot%system32sethc.exe" fullword ascii /* PEStudio Blacklist: strings */
		$s1 = "cacls %s /t /c /e /r administrators" fullword ascii /* PEStudio Blacklist: strings */
		$s2 = "\\dllcache\\sethc.exe" ascii
		$s3 = "\\ntvdm.exe" ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 200KB and 2 of them
}
CN_Honker_SkinHRootkit_SkinH
Sample from CN Honker Pentest Toolset - file SkinH.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_SkinHRootkit_SkinH {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file SkinH.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "d593f03ae06e54b653c7850c872c0eed459b301f"
		id = "8aedd01c-9dc8-537d-97ea-bc8de81edd3d"
	strings:
		$s0 = "(C)360.cn Inc.All Rights Reserved." fullword wide
		$s1 = "SDVersion.dll" fullword wide
		$s2 = "skinh.dll" fullword ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 2000KB and all of them
}
CN_Honker_SqlMap_Python_Run
Sample from CN Honker Pentest Toolset - file Run.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_SqlMap_Python_Run {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file Run.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "a51479a1c589f17c77d22f6cf90b97011c33145f"
		id = "308d929a-0f38-5db4-92c2-2a7bf25bb64f"
	strings:
		$s1 = ".\\Run.log" fullword ascii
		$s2 = "[root@Hacker~]# Sqlmap " fullword ascii
		$s3 = "%sSqlmap %s" fullword ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 30KB and all of them
}
CN_Honker_Sword1_5
Sample from CN Honker Pentest Toolset - file Sword1.5.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Sword1_5 {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file Sword1.5.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "96ee5c98e982aa8ed92cb4cedb85c7fda873740f"
		id = "832e4998-64fc-5f34-a46d-aeefde0ee763"
	strings:
		$s1 = "http://www.md5.com.cn" fullword wide
		$s2 = "ListBox_Command" fullword wide /* PEStudio Blacklist: strings */
		$s3 = "\\Set.ini" wide
		$s4 = "OpenFileDialog1" fullword wide
	condition:
		uint16(0) == 0x5a4d and filesize < 740KB and all of them
}
CN_Honker_SwordCollEdition
Sample from CN Honker Pentest Toolset - file SwordCollEdition.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_SwordCollEdition {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file SwordCollEdition.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "6e14f21cac6e2aa7535e45d81e8d1f6913fd6e8b"
		id = "4e8d4d48-c053-5579-be9c-af73ec0fe614"
	strings:
		$s0 = "YuJianScan.exe" fullword wide /* PEStudio Blacklist: strings */
		$s1 = "YuJianScan" fullword ascii /* PEStudio Blacklist: strings */
	condition:
		uint16(0) == 0x5a4d and filesize < 225KB and all of them
}
CN_Honker_SwordHonkerEdition
Sample from CN Honker Pentest Toolset - file SwordHonkerEdition.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_SwordHonkerEdition {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file SwordHonkerEdition.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "3f9479151c2cada04febea45c2edcf5cece1df6c"
		id = "5688fa03-bcb0-545d-9fdf-7ab48a389424"
	strings:
		$s0 = "\\bin\\systemini\\MyPort.ini" wide /* PEStudio Blacklist: strings */
		$s1 = "PortThread=200 //" fullword wide /* PEStudio Blacklist: strings */
		$s2 = " Port Open -> " fullword wide /* PEStudio Blacklist: strings */
	condition:
		uint16(0) == 0x5a4d and filesize < 375KB and all of them
}
CN_Honker_T00ls_Lpk_Sethc_v2
Sample from CN Honker Pentest Toolset - file T00ls Lpk Sethc v2.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_T00ls_Lpk_Sethc_v2 {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file T00ls Lpk Sethc v2.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "a995451d9108687b8892ad630a79660a021d670a"
		id = "499b251a-e0e1-5550-825d-acab112be74b"
	strings:
		$s1 = "LOADER ERROR" fullword ascii /* PEStudio Blacklist: strings */
		$s2 = "The procedure entry point %s could not be located in the dynamic link library %s" fullword ascii /* PEStudio Blacklist: strings */
		$s3 = "2011-2012 T00LS&RICES" fullword wide
	condition:
		uint16(0) == 0x5a4d and filesize < 800KB and all of them
}
CN_Honker_T00ls_Lpk_Sethc_v3_0
Sample from CN Honker Pentest Toolset - file T00ls Lpk Sethc v3.0.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_T00ls_Lpk_Sethc_v3_0 {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file T00ls Lpk Sethc v3.0.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "fa47c4affbac01ba5606c4862fdb77233c1ef656"
		id = "7513a513-e8a3-58a8-8dd5-512ba33ff013"
	strings:
		$s1 = "http://127.0.0.1/1.exe" fullword wide /* PEStudio Blacklist: strings */
		$s2 = ":Rices  Forum:T00Ls.Net  [4 Fucker Te@m]" fullword wide
		$s3 = "SkinH_EL.dll" fullword wide
	condition:
		uint16(0) == 0x5a4d and filesize < 1000KB and 2 of them
}
CN_Honker_T00ls_Lpk_Sethc_v3_LPK
Sample from CN Honker Pentest Toolset - file LPK.DAT
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_T00ls_Lpk_Sethc_v3_LPK {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file LPK.DAT"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "cf2549bbbbdb7aaf232d9783873667e35c8d96c1"
		id = "c5b806d9-74dc-5244-b1e0-9837abeaeaac"
	strings:
		$s1 = "FreeHostKillexe.exe" fullword ascii /* PEStudio Blacklist: strings */
		$s2 = "\\sethc.exe /G everyone:F" ascii /* PEStudio Blacklist: strings */
		$s3 = "c:\\1.exe" fullword ascii /* PEStudio Blacklist: strings */
		$s4 = "Set user Group Error! Username:" fullword ascii /* PEStudio Blacklist: strings */
	condition:
		uint16(0) == 0x5a4d and filesize < 400KB and all of them
}
CN_Honker_T00ls_Lpk_Sethc_v4_0
Sample from CN Honker Pentest Toolset - file T00ls Lpk Sethc v4.0.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_T00ls_Lpk_Sethc_v4_0 {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file T00ls Lpk Sethc v4.0.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "98f21f72c761e504814f0a7db835a24a2413a6c2"
		id = "d41cbed5-a6e3-5165-a8c3-e0375c1ed75d"
	strings:
		$s0 = "LOADER ERROR" fullword ascii /* PEStudio Blacklist: strings */
		$s15 = "2011-2012 T00LS&RICES" fullword wide
	condition:
		uint16(0) == 0x5a4d and filesize < 2077KB and all of them
}
CN_Honker_T00ls_Lpk_Sethc_v4_LPK
Sample from CN Honker Pentest Toolset - file LPK.DAT
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_T00ls_Lpk_Sethc_v4_LPK {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file LPK.DAT"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "2b2ab50753006f62965bba83460e3960ca7e1926"
		id = "808f5de2-1360-521e-8939-b759e361507c"
	strings:
		$s1 = "http://127.0.0.1/1.exe" fullword wide /* PEStudio Blacklist: strings */
		$s2 = "FreeHostKillexe.exe" fullword ascii /* PEStudio Blacklist: strings */
		$s3 = "\\sethc.exe /G everyone:F" ascii /* PEStudio Blacklist: strings */
		$s4 = "c:\\1.exe" fullword ascii /* PEStudio Blacklist: strings */
	condition:
		uint16(0) == 0x5a4d and filesize < 300KB and 1 of them
}
CN_Honker_T00ls_scanner
Sample from CN Honker Pentest Toolset - file T00ls_scanner.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_T00ls_scanner {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file T00ls_scanner.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "70b04b910d82b32b90cd7f355a0e3e17dd260cb3"
		id = "80d4a950-24cb-55c7-903f-8788a71be7ac"
	strings:
		$s0 = "http://cn.bing.com/search?first=1&count=50&q=ip:" fullword wide
		$s17 = "Team:www.t00ls.net" fullword ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 330KB and all of them
}
CN_Honker_Tuoku_script_MSSQL_
Script from disclosed CN Honker Pentest Toolset - file MSSQL_.asp
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Tuoku_script_MSSQL_ {
    meta:
        description = "Script from disclosed CN Honker Pentest Toolset - file MSSQL_.asp"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "7097c21f92306983add3b5b29a517204cd6cd819"
        id = "35c4f119-6a57-580a-b5ee-c36af0ccc94a"
    strings:
        $s1 = "GetLoginCookie = Request.Cookies(Cookie_Login)" fullword ascii /* PEStudio Blacklist: strings */
        $s2 = "if ShellPath=\"\" Then ShellPath = \"c:\\\\windows\\\\system32\\\\cmd.exe\"" fullword ascii /* PEStudio Blacklist: strings */
        $s8 = "Set DD=CM.exec(ShellPath&\" /c \"&DefCmd)" fullword ascii /* PEStudio Blacklist: strings */
    condition:
        filesize < 100KB and all of them
}
CN_Honker_Tuoku_script_oracle_2
Sample from CN Honker Pentest Toolset - file oracle.txt
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Tuoku_script_oracle_2 {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file oracle.txt"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "865dd591b552787eda18ee0ab604509bae18c197"
		id = "b88a0faa-1616-5f1b-80dc-6e6a2f0cb671"
	strings:
		$s0 = "webshell" fullword ascii /* PEStudio Blacklist: strings */
		$s1 = "Silic Group Hacker Army " fullword ascii
	condition:
		filesize < 3KB and all of them
}
CN_Honker_WebCruiserWVS
Sample from CN Honker Pentest Toolset - file WebCruiserWVS.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_WebCruiserWVS {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file WebCruiserWVS.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "6c90a9ed4c8a141a343dab1b115cc840a7190304"
		id = "16bed1e8-a1f0-5fcf-9c03-83625a388547"
	strings:
		$s0 = "id:uid:user:username:password:access:account:accounts:admin_id:admin_name:admin_" ascii /* PEStudio Blacklist: strings */
		$s1 = "Created By WebCruiser - Web Vulnerability Scanner http://sec4app.com" fullword wide /* PEStudio Blacklist: strings */
	condition:
		uint16(0) == 0x5a4d and filesize < 700KB and all of them
}
CN_Honker_WebRobot
Sample from CN Honker Pentest Toolset - file WebRobot.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_WebRobot {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file WebRobot.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "af054994c911b4301490344fca4bb19a9f394a8f"
		id = "8b6350b6-17ea-5f44-a42a-875d55bb2de8"
	strings:
		$s1 = "%d-%02d-%02d %02d^%02d^%02d ScanReprot.htm" fullword ascii /* PEStudio Blacklist: strings */
		$s2 = "\\log\\ProgramDataFile.dat" ascii /* PEStudio Blacklist: strings */
		$s3 = "\\data\\FilterKeyword.txt" ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 2000KB and all of them
}
CN_Honker_WebScan_WebScan
Sample from CN Honker Pentest Toolset - file WebScan.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_WebScan_WebScan {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file WebScan.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "a0b0e2422e0e9edb1aed6abb5d2e3d156b7c8204"
		id = "1545494b-9a74-5b2e-921c-e54dd5ac4b51"
	strings:
		$s1 = "wwwscan.exe" fullword wide /* PEStudio Blacklist: strings */
		$s2 = "WWWScan Gui" fullword wide /* PEStudio Blacklist: strings */
	condition:
		uint16(0) == 0x5a4d and filesize < 700KB and all of them
}
CN_Honker_WebScan_wwwscan
Sample from CN Honker Pentest Toolset - file wwwscan.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_WebScan_wwwscan {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file wwwscan.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "6dbffa916d0f0be2d34c8415592b9aba690634c7"
		id = "defe0024-f94a-560a-a9f6-b3849b41f9bb"
	strings:
		$s1 = "%s www.target.com -p 8080 -m 10 -t 16" fullword ascii /* PEStudio Blacklist: strings */
		$s2 = "GET /nothisexistpage.html HTTP/1.1" fullword ascii
		$s3 = "<Usage>:  %s <HostName|Ip> [Options]" fullword ascii /* PEStudio Blacklist: strings */
	condition:
		uint16(0) == 0x5a4d and filesize < 60KB and all of them
}
CN_Honker_Webshell
Sample from CN Honker Pentest Toolset - file Webshell.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Webshell {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file Webshell.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "c85bd09d241c2a75b4e4301091aa11ddd5ad6d59"
		id = "12870766-2b85-522d-9ad8-abba2786caaf"
	strings:
		$s1 = "Windows NT users: Please note that having the WinIce/SoftIce" fullword ascii /* PEStudio Blacklist: strings */
		$s2 = "Do you want to cancel the file download?" fullword ascii /* PEStudio Blacklist: strings */
		$s3 = "Downloading: %s" fullword ascii /* PEStudio Blacklist: strings */
	condition:
		uint16(0) == 0x5a4d and filesize < 381KB and all of them
}
Showing 151-200 of 5,941
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin