YARA rules

5,941 rules indexed · pattern-based malware identification
YARA rules identify and classify malware families through binary patterns, strings, and metadata. The rules below come from multiple open repositories; each entry is followed by its raw signature.

Rules

50 shown of 5,941
CN_Honker_Webshell_cfm_xl
Webshell from CN Honker Pentest Toolset - file xl.cfm
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Webshell_cfm_xl {
	meta:
		description = "Webshell from CN Honker Pentest Toolset - file xl.cfm"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "49c3d16ee970945367a7d6ae86b7ade7cb3b5447"
		id = "5c8d1301-fe20-50e0-86ac-99a220cd4be1"
	strings:
		$s0 = "<input name=\"DESTINATION\" value=\"" ascii /* PEStudio Blacklist: strings */
		$s1 = "<CFFILE ACTION=\"Write\" FILE=\"#Form.path#\" OUTPUT=\"#Form.cmd#\">" fullword ascii
	condition:
		uint16(0) == 0x433c and filesize < 13KB and all of them
}
CN_Honker_Webshell_cmfshell
Webshell from CN Honker Pentest Toolset - file cmfshell.cmf
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Webshell_cmfshell {
	meta:
		description = "Webshell from CN Honker Pentest Toolset - file cmfshell.cmf"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "b9b2107c946431e4ad1a8f5e53ac05e132935c0e"
		id = "c5670deb-952c-5ba4-949a-097cc09bb108"
	strings:
		$s1 = "<cfexecute name=\"C:\\Winnt\\System32\\cmd.exe\"" fullword ascii /* PEStudio Blacklist: strings */
		$s2 = "<form action=\"<cfoutput>#CGI.SCRIPT_NAME#</cfoutput>\" method=\"post\">" fullword ascii /* PEStudio Blacklist: strings */
	condition:
		filesize < 4KB and all of them
}
CN_Honker_Webshell_dz_phpcms_phpbb
Webshell from CN Honker Pentest Toolset - file dz_phpcms_phpbb.txt
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Webshell_dz_phpcms_phpbb {
	meta:
		description = "Webshell from CN Honker Pentest Toolset - file dz_phpcms_phpbb.txt"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "33f23c41df452f8ca2768545ac6e740f30c44d1f"
		id = "f7e5413f-a7c9-51d4-8422-30c3e2462be2"
	strings:
		$s1 = "if($pwd == md5(md5($password).$salt))" fullword ascii /* PEStudio Blacklist: strings */
		$s2 = "function test_1($password)" fullword ascii /* PEStudio Blacklist: strings */
		$s3 = ":\".$pwd.\"\\n---------------------------------\\n\";exit;" fullword ascii
		$s4 = ":user=\".$user.\"\\n\";echo \"pwd=\".$pwd.\"\\n\";echo \"salt=\".$salt.\"\\n\";" fullword ascii
	condition:
		filesize < 22KB and all of them
}
CN_Honker_Webshell_jspshell
Webshell from CN Honker Pentest Toolset - file jspshell.txt
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Webshell_jspshell {
	meta:
		description = "Webshell from CN Honker Pentest Toolset - file jspshell.txt"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "d16af622f7688d4e0856a2678c4064d3d120e14b"
		id = "ff72f94b-1c0a-5615-b35f-35f69c920292"
	strings:
		$s1 = "else if(Z.equals(\"M\")){String[] c={z1.substring(2),z1.substring(0,2),z2};Proce" ascii /* PEStudio Blacklist: strings */
		$s2 = "String Z=EC(request.getParameter(Pwd)+\"\",cs);String z1=EC(request.getParameter" ascii /* PEStudio Blacklist: strings */
	condition:
		filesize < 30KB and all of them
}
CN_Honker_Webshell_jspshell2
Webshell from CN Honker Pentest Toolset - file jspshell2.txt
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Webshell_jspshell2 {
	meta:
		description = "Webshell from CN Honker Pentest Toolset - file jspshell2.txt"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "cc7bc1460416663012fc93d52e2078c0a277ff79"
		id = "ff72f94b-1c0a-5615-b35f-35f69c920292"
	strings:
		$s10 = "if (cmd == null) cmd = \"cmd.exe /c set\";" fullword ascii /* PEStudio Blacklist: strings */
		$s11 = "if (program == null) program = \"cmd.exe /c net start > \"+SHELL_DIR+\"/Log.txt" ascii /* PEStudio Blacklist: strings */
	condition:
		filesize < 424KB and all of them
}
CN_Honker_Webshell_mycode12
Webshell from CN Honker Pentest Toolset - file mycode12.cfm
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Webshell_mycode12 {
	meta:
		description = "Webshell from CN Honker Pentest Toolset - file mycode12.cfm"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "64be8760be5ab5c2dcf829e3f87d3e50b1922f17"
		id = "2ce7368c-7565-5b32-94d1-c87023404c5b"
	strings:
		$s1 = "<cfexecute name=\"cmd.exe\"" fullword ascii /* PEStudio Blacklist: strings */
		$s2 = "<cfoutput>#cmd#</cfoutput>" fullword ascii
	condition:
		filesize < 4KB and all of them
}
CN_Honker_Webshell_nc_1
Webshell from CN Honker Pentest Toolset - file 1.txt
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Webshell_nc_1 {
	meta:
		description = "Webshell from CN Honker Pentest Toolset - file 1.txt"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "51d83961171db000fe4476f36d703ef3de409676"
		id = "fe83df79-f7cb-50b8-bb34-9bfc5fbe3de2"
	strings:
		$s1 = "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Mozilla/4.0 " ascii /* PEStudio Blacklist: agent */
		$s2 = "<%if session(\"pw\")<>\"go\" then %>" fullword ascii
	condition:
		filesize < 11KB and all of them
}
CN_Honker_Webshell_offlibrary
Webshell from CN Honker Pentest Toolset - file offlibrary.php
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Webshell_offlibrary {
	meta:
		description = "Webshell from CN Honker Pentest Toolset - file offlibrary.php"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "eb5275f99211106ae10a23b7e565d208a94c402b"
		id = "c01f7c8b-a6bd-5094-9574-8cc853698607"
	strings:
		$s0 = "';$i=$g->query(\"SELECT SUBSTRING_INDEX(CURRENT_USER, '@', 1) AS User, SUBSTRING" ascii /* PEStudio Blacklist: strings */
		$s12 = "if(jushRoot){var script=document.createElement('script');script.src=jushRoot+'ju" ascii /* PEStudio Blacklist: strings */
	condition:
		filesize < 1005KB and all of them
}
CN_Honker_Webshell_phpwebbackup
Webshell from CN Honker Pentest Toolset - file phpwebbackup.php
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Webshell_phpwebbackup {
	meta:
		description = "Webshell from CN Honker Pentest Toolset - file phpwebbackup.php"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "c788cb280b7ad0429313837082fe84e9a49efab6"
		id = "eb737ea6-231c-5e8d-b976-75f1044f9f54"
	strings:
		$s0 = "<?php // Code By isosky www.nbst.org" fullword ascii
		$s2 = "$OOO0O0O00=__FILE__;$OOO000000=urldecode('" ascii /* PEStudio Blacklist: strings */
	condition:
		uint16(0) == 0x3f3c and filesize < 67KB and all of them
}
CN_Honker_Webshell_picloaked_1
Webshell from CN Honker Pentest Toolset - file 1.gif
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Webshell_picloaked_1 {
	meta:
		description = "Webshell from CN Honker Pentest Toolset - file 1.gif"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "3eab1798cbc9ab3b2c67d3da7b418d07e775db70"
		id = "2ff44c4a-ed97-5635-9926-8d54a8364fab"
	strings:
		$s0 = "<?php eval($_POST[" ascii /* PEStudio Blacklist: strings */
		$s1 = ";<%execute(request(" ascii /* PEStudio Blacklist: strings */
		$s3 = "GIF89a" fullword ascii /* Goodware String - occured 318 times */
	condition:
		filesize < 6KB and 2 of them
}
CN_Honker_Webshell_portRecall_jsp
Webshell from CN Honker Pentest Toolset - file jsp.txt
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Webshell_portRecall_jsp {
	meta:
		description = "Webshell from CN Honker Pentest Toolset - file jsp.txt"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "65e8e4d13ad257c820cad12eef853c6d0134fce8"
		id = "cd34cb47-c5e0-5094-a501-6a8a00d94018"
	strings:
		$s0 = "lcx.jsp?localIP=202.91.246.59&localPort=88&remoteIP=218.232.111.187&remotePort=2" ascii /* PEStudio Blacklist: strings */
	condition:
		filesize < 1KB and all of them
}
CN_Honker_Webshell_portRecall_jsp2
Webshell from CN Honker Pentest Toolset - file jsp2.txt
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Webshell_portRecall_jsp2 {
	meta:
		description = "Webshell from CN Honker Pentest Toolset - file jsp2.txt"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "412ed15eb0d24298ba41731502018800ffc24bfc"
		id = "cd34cb47-c5e0-5094-a501-6a8a00d94018"
	strings:
		$s0 = "final String remoteIP =request.getParameter(\"remoteIP\");" fullword ascii /* PEStudio Blacklist: strings */
		$s4 = "final String localIP = request.getParameter(\"localIP\");" fullword ascii /* PEStudio Blacklist: strings */
		$s20 = "final String localPort = \"3390\";//request.getParameter(\"localPort\");" fullword ascii /* PEStudio Blacklist: strings */
	condition:
		filesize < 23KB and all of them
}
CN_Honker_Webshell_su7_x_9_x
Webshell from CN Honker Pentest Toolset - file su7.x-9.x.asp
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Webshell_su7_x_9_x {
	meta:
		description = "Webshell from CN Honker Pentest Toolset - file su7.x-9.x.asp"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "808396b51023cc8356f8049cfe279b349ca08f1a"
		id = "5d546ce8-6f8f-5b0b-9472-23f283ef9f80"
	strings:
		$s0 = "returns=httpopen(\"LoginID=\"&user&\"&FullName=&Password=\"&pass&\"&ComboPasswor" ascii /* PEStudio Blacklist: strings */
		$s1 = "returns=httpopen(\"\",\"POST\",\"http://127.0.0.1:\"&port&\"/Admin/XML/User.xml?" ascii /* PEStudio Blacklist: strings */
	condition:
		filesize < 59KB and all of them
}
CN_Honker_Webshell_test3693
Webshell from CN Honker Pentest Toolset - file test3693.war
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Webshell_test3693 {
	meta:
		description = "Webshell from CN Honker Pentest Toolset - file test3693.war"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "246d629ae3ad980b5bfe7e941fe90b855155dbfc"
		id = "58fe4445-b2e1-5d5f-8c46-39c6ae78f845"
	strings:
		$s0 = "Process p=Runtime.getRuntime().exec(\"cmd /c \"+strCmd);" fullword ascii /* PEStudio Blacklist: strings */
		$s2 = "http://www.topronet.com </font>\",\" <font color=red> Thanks for your support - " ascii /* PEStudio Blacklist: strings */
	condition:
		uint16(0) == 0x4b50 and filesize < 50KB and all of them
}
CN_Honker_Webshell_udf_udf
Webshell from CN Honker Pentest Toolset - file udf.php
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Webshell_udf_udf {
	meta:
		description = "Webshell from CN Honker Pentest Toolset - file udf.php"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "df63372ccab190f2f1d852f709f6b97a8d9d22b9"
		id = "07252f2d-1a99-5f21-940d-899a4821b511"
	strings:
		$s1 = "<?php // Source  My : Meiam  " fullword ascii /* PEStudio Blacklist: strings */
		$s2 = "$OOO0O0O00=__FILE__;$OOO000000=urldecode('" ascii /* PEStudio Blacklist: strings */
	condition:
		filesize < 430KB and all of them
}
CN_Honker_Webshell_wshell_asp
Webshell from CN Honker Pentest Toolset - file wshell-asp.txt
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Webshell_wshell_asp {
	meta:
		description = "Webshell from CN Honker Pentest Toolset - file wshell-asp.txt"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "4a0afdf5a45a759c14e99eb5315964368ca53e9c"
		id = "294f0d00-7102-553d-92e2-c0a0e017385c"
	strings:
		$s1 = "file1.Write(\"<%response.clear:execute request(\\\"root\\\"):response.End%>\");" fullword ascii /* PEStudio Blacklist: strings */
		$s2 = "hello word !  " fullword ascii /* PEStudio Blacklist: strings */
		$s3 = "root.asp " fullword ascii
	condition:
		filesize < 5KB and all of them
}
CN_Honker_Without_a_trace_Wywz
Sample from CN Honker Pentest Toolset - file Wywz.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Without_a_trace_Wywz {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file Wywz.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "f443c43fde643228ee95def5c8ed3171f16daad8"
		id = "1093c0c3-499f-5aec-ad4a-878d377296d5"
	strings:
		$s1 = "\\Symantec\\Norton Personal Firewall\\Log\\Content.log" ascii /* PEStudio Blacklist: strings */
		$s2 = "UpdateFile=d:\\tool\\config.ini,Option\\\\proxyIp=127.0.0.1\\r\\nproxyPort=808" ascii /* PEStudio Blacklist: strings */
		$s3 = "%s\\subinacl.exe /subkeyreg \"%s\" /Grant=%s=f /Grant=everyone=f" fullword ascii /* PEStudio Blacklist: strings */
	condition:
		uint16(0) == 0x5a4d and filesize < 1800KB and all of them
}
CN_Honker_WordpressScanner
Sample from CN Honker Pentest Toolset - file WordpressScanner.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_WordpressScanner {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file WordpressScanner.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "0b3c5015ba3616cbc616fc9ba805fea73e98bc83"
		id = "79195823-f88b-5c28-8b99-a43a9d6c94af"
	strings:
		$s0 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)" fullword ascii /* PEStudio Blacklist: agent */
		$s1 = "(http://www.eyuyan.com)" fullword wide
		$s2 = "GetConnectString" fullword ascii /* PEStudio Blacklist: strings */
		$s4 = "#if !defined(AFX_RESOURCE_DLL) || defined(AFX_TARG_CHS)" fullword ascii /* PEStudio Blacklist: strings */
	condition:
		uint16(0) == 0x5a4d and filesize < 1000KB and all of them
}
CN_Honker_Xiaokui_conversion_tool
Sample from CN Honker Pentest Toolset - file Xiaokui_conversion_tool.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Xiaokui_conversion_tool {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file Xiaokui_conversion_tool.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "dccd163e94a774b01f90c1e79f186894e2f27de3"
		id = "26e30df6-b1d9-5d82-b368-a4a904939aa3"
	strings:
		$s1 = "update [dv_user] set usergroupid=1 where userid=2;--" fullword ascii /* PEStudio Blacklist: strings */
		$s2 = "To.exe" fullword wide
		$s3 = "by zj1244" ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 240KB and 2 of them
}
CN_Honker__D_injection_V2_32_D_injection_V2_32_D_injection_V2_32
Sample from CN Honker Pentest Toolset - from files D_injection_V2.32.exe, D_injection_V2.32.exe, D_injection_V2.32.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker__D_injection_V2_32_D_injection_V2_32_D_injection_V2_32 {
	meta:
		description = "Sample from CN Honker Pentest Toolset - from files D_injection_V2.32.exe, D_injection_V2.32.exe, D_injection_V2.32.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		super_rule = 1
		hash0 = "3a000b976c79585f62f40f7999ef9bdd326a9513"
		hash1 = "3a000b976c79585f62f40f7999ef9bdd326a9513"
		hash2 = "3a000b976c79585f62f40f7999ef9bdd326a9513"
		id = "79e9cd97-c070-5109-a0a0-bc88eea0dc37"
	strings:
		$s1 = "upfile.asp " fullword ascii /* PEStudio Blacklist: strings */
		$s2 = "[wscript.shell]" fullword ascii /* PEStudio Blacklist: strings */
		$s3 = "XP_CMDSHELL" fullword ascii /* PEStudio Blacklist: strings */
		$s4 = "[XP_CMDSHELL]" fullword ascii /* PEStudio Blacklist: strings */
		$s5 = "http://d99net.3322.org" fullword ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 10000KB and 4 of them
}
CN_Honker__LPK_LPK_LPK
Sample from CN Honker Pentest Toolset - from files LPK.DAT, LPK.DAT, LPK.DAT
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker__LPK_LPK_LPK {
	meta:
		description = "Sample from CN Honker Pentest Toolset - from files LPK.DAT, LPK.DAT, LPK.DAT"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		super_rule = 1
		hash0 = "5a1226e73daba516c889328f295e728f07fdf1c3"
		hash1 = "2b2ab50753006f62965bba83460e3960ca7e1926"
		hash2 = "cf2549bbbbdb7aaf232d9783873667e35c8d96c1"
		id = "e1beb88b-d3e8-5868-affb-e59c26e4dc2e"
	strings:
		$s1 = "C:\\WINDOWS\\system32\\cmd.exe" fullword wide /* PEStudio Blacklist: strings */
		$s2 = "Password error!" fullword ascii /* PEStudio Blacklist: strings */
		$s3 = "\\sathc.exe" ascii
		$s4 = "\\sothc.exe" ascii
		$s5 = "\\lpksethc.bat" ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 1057KB and all of them
}
CN_Honker__PostgreSQL_mysql_injectV1_1_Creak_Oracle_SQLServer_inject_Creaked
Sample from CN Honker Pentest Toolset
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker__PostgreSQL_mysql_injectV1_1_Creak_Oracle_SQLServer_inject_Creaked {
	meta:
		description = "Sample from CN Honker Pentest Toolset"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		super_rule = 1
		hash0 = "1ecfaa91aae579cfccb8b7a8607176c82ec726f4"
		hash1 = "a1f066789f48a76023598c5777752c15f91b76b0"
		hash2 = "0264f4efdba09eaf1e681220ba96de8498ab3580"
		hash3 = "af3c41756ec8768483a4cf59b2e639994426e2c2"
		id = "0272776c-8dbe-5345-92c8-57593686a84c"
	strings:
		$s1 = "zhaoxypass@yahoo.com.cn" fullword ascii /* PEStudio Blacklist: strings */
		$s2 = "Mozilla/3.0 (compatible; Indy Library)" fullword ascii /* PEStudio Blacklist: strings */
		$s3 = "ProxyParams.ProxyPort" fullword ascii /* PEStudio Blacklist: strings */
	condition:
		uint16(0) == 0x5a4d and all of them
}
CN_Honker__builder_shift_SkinH
Sample from CN Honker Pentest Toolset - from files builder.exe, shift.exe, SkinH.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker__builder_shift_SkinH {
	meta:
		description = "Sample from CN Honker Pentest Toolset - from files builder.exe, shift.exe, SkinH.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		super_rule = 1
		hash0 = "6b5a84cdc3d27c435d49de3f68872d015a5aadfc"
		hash1 = "ee127c1ea1e3b5bf3d2f8754fabf9d1101ed0ee0"
		hash2 = "d593f03ae06e54b653c7850c872c0eed459b301f"
		id = "cb18aa4a-6eba-58ca-a6fc-e4160b90f4d7"
	strings:
		$s1 = "lipboard" fullword ascii
		$s2 = "uxthem" fullword ascii
		$s3 = "ENIGMA" fullword ascii
		$s4 = "UtilW0ndow" fullword ascii
		$s5 = "prog3am" fullword ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 6075KB and all of them
}
CN_Honker__lcx_HTran2_4_htran20
Sample from CN Honker Pentest Toolset - from files lcx.exe, HTran2.4.exe, htran20.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker__lcx_HTran2_4_htran20 {
	meta:
		description = "Sample from CN Honker Pentest Toolset - from files lcx.exe, HTran2.4.exe, htran20.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		super_rule = 1
		hash0 = "0c8779849d53d0772bbaa1cedeca150c543ebf38"
		hash1 = "524f986692f55620013ab5a06bf942382e64d38a"
		hash2 = "b992bf5b04d362ed3757e90e57bc5d6b2a04e65c"
		id = "c6851e7b-ab64-5578-896e-4d92fb3b2000"
	strings:
		$s1 = "[SERVER]connection to %s:%d error" fullword ascii /* PEStudio Blacklist: strings */
		$s2 = "[+] OK! I Closed The Two Socket." fullword ascii /* PEStudio Blacklist: strings */
		$s3 = "[+] Start Transmit (%s:%d <-> %s:%d) ......" fullword ascii /* PEStudio Blacklist: strings */
	condition:
		uint16(0) == 0x5a4d and filesize < 440KB and all of them
}
CN_Honker__wwwscan_wwwscan_wwwscan_gui
Sample from CN Honker Pentest Toolset - from files wwwscan.exe, wwwscan.exe, wwwscan_gui.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker__wwwscan_wwwscan_wwwscan_gui {
	meta:
		description = "Sample from CN Honker Pentest Toolset - from files wwwscan.exe, wwwscan.exe, wwwscan_gui.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		super_rule = 1
		hash0 = "6dbffa916d0f0be2d34c8415592b9aba690634c7"
		hash1 = "6bed45629c5e54986f2d27cbfc53464108911026"
		hash2 = "897b66a34c58621190cb88e9b2a2a90bf9b71a53"
		id = "02f80151-4dfb-5b14-9145-312a9bd2c609"
	strings:
		$s1 = "GET /nothisexistpage.html HTTP/1.1" fullword ascii
		$s2 = "<Usage>:  %s <HostName|Ip> [Options]" fullword ascii /* PEStudio Blacklist: strings */
	condition:
		uint16(0) == 0x5a4d and filesize < 200KB and all of them
}
CN_Honker_arp3_7_arp3_7
Sample from CN Honker Pentest Toolset - file arp3.7.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_arp3_7_arp3_7 {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file arp3.7.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "db641a9dfec103b98548ac7f6ca474715040f25c"
		id = "a4aeefaf-a097-5ba3-a18f-54a1b9752883"
	strings:
		$s1 = "CnCerT.Net.SKiller.exe" fullword wide /* PEStudio Blacklist: strings */
		$s2 = "www.80sec.com" fullword wide
	condition:
		uint16(0) == 0x5a4d and filesize < 4000KB and all of them
}
CN_Honker_cleaner_cl_2
Sample from CN Honker Pentest Toolset - file cl.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_cleaner_cl_2 {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file cl.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "523084e8975b16e255b56db9af0f9eecf174a2dd"
		id = "9aa36c0a-9e0f-5274-bebe-9179d81b05f7"
	strings:
		$s0 = "cl -eventlog All/Application/System/Security" fullword ascii /* PEStudio Blacklist: strings */
		$s1 = "clear iislog error!" fullword ascii /* PEStudio Blacklist: strings */
	condition:
		uint16(0) == 0x5a4d and filesize < 50KB and all of them
}
CN_Honker_cleaniis
Sample from CN Honker Pentest Toolset - file cleaniis.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_cleaniis {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file cleaniis.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "372bc64c842f6ff0d9a1aa2a2a44659d8b88cb40"
		id = "75f3c33a-e3b8-57bc-a3fd-f8b6491388d8"
	strings:
		$s1 = "iisantidote <logfile dir> <ip or string to hide>" fullword ascii /* PEStudio Blacklist: strings */
		$s4 = "IIS log file cleaner by Scurt" fullword ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 200KB and all of them
}
CN_Honker_clearlogs
Sample from CN Honker Pentest Toolset - file clearlogs.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_clearlogs {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file clearlogs.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		modified = "2023-01-27"
		score = 70
		hash = "490f3bc318f415685d7e32176088001679b0da1b"
		id = "bfbc339e-5530-5984-94de-be1002f09ca1"
	strings:
		$s2 = "- http://ntsecurity.nu/toolbox/clearlogs/" ascii /* PEStudio Blacklist: strings */
		$s4 = "Error: Unable to clear log - " fullword ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 140KB and all of them
}
CN_Honker_dedecms5_7
Sample from CN Honker Pentest Toolset - file dedecms5.7.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_dedecms5_7 {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file dedecms5.7.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "f9cbb25883828ca266e32ff4faf62f5a9f92c5fb"
		id = "b037862d-2821-5e96-996b-13ab241575ba"
	strings:
		$s1 = "/data/admin/ver.txt" fullword ascii /* PEStudio Blacklist: strings */
		$s2 = "SkinH_EL.dll" fullword ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 830KB and all of them
}
CN_Honker_dirdown_dirdown
Sample from CN Honker Pentest Toolset - file dirdown.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_dirdown_dirdown {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file dirdown.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		modified = "2022-12-21"
		score = 70
		hash = "7b8d51c72841532dded5fec7e7b0005855b8a051"
		id = "80f98131-79bf-580d-87ad-a54a3f14b301"
	strings:
		$s0 = "\\Decompress\\obj\\Release\\Decompress.pdb" ascii /* PEStudio Blacklist: strings */
		$s1 = "Decompress.exe" fullword wide
		$s5 = "Get8Bytes" fullword ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 45KB and all of them
}
CN_Honker_exp_iis7
Sample from CN Honker Pentest Toolset - file iis7.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_exp_iis7 {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file iis7.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "0a173c5ece2fd4ac8ecf9510e48e95f43ab68978"
		id = "edfafc9a-032a-5ccb-9a1f-faeab0dfa31d"
	strings:
		$s0 = "\\\\localhost" fullword ascii /* PEStudio Blacklist: strings */
		$s1 = "iis.run" fullword ascii
		$s3 = ">Could not connecto %s" fullword ascii /* PEStudio Blacklist: strings */
		$s4 = "WinSta0\\Default" fullword ascii /* PEStudio Blacklist: strings */ /* Goodware String - occured 22 times */
	condition:
		uint16(0) == 0x5a4d and filesize < 60KB and all of them
}
CN_Honker_exp_ms11011
Sample from CN Honker Pentest Toolset - file ms11011.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_exp_ms11011 {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file ms11011.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "5ad7a4962acbb6b0e3b73d77385eb91feb88b386"
		id = "fc092166-73cd-58f6-b034-a2fe2c5fb859"
	strings:
		$s0 = "\\i386\\Hello.pdb" ascii /* PEStudio Blacklist: strings */
		$s1 = "OS not supported." fullword ascii /* PEStudio Blacklist: strings */
		$s2 = ".Rich5" fullword ascii
		$s3 = "Not supported." fullword wide /* PEStudio Blacklist: strings */ /* Goodware String - occured 3 times */
		$s5 = "cmd.exe" fullword ascii /* PEStudio Blacklist: strings */ /* Goodware String - occured 120 times */
	condition:
		uint16(0) == 0x5a4d and filesize < 100KB and all of them
}
CN_Honker_exp_ms11046
Sample from CN Honker Pentest Toolset - file ms11046.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_exp_ms11046 {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file ms11046.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "f8414a374011fd239a6c6d9c6ca5851cd8936409"
		id = "aafb45f4-3b42-5c8f-8c25-40fd01217e9d"
	strings:
		$s0 = "[*] Token system command" fullword ascii /* PEStudio Blacklist: strings */
		$s1 = "[*] command add user 90sec 90sec" fullword ascii /* PEStudio Blacklist: strings */
		$s2 = "[*] Add to Administrators success" fullword ascii /* PEStudio Blacklist: strings */
		$s3 = "Program: %s%s%s%s%s%s%s%s%s%s%s" fullword ascii /* PEStudio Blacklist: strings */ /* Goodware String - occured 3 times */
	condition:
		uint16(0) == 0x5a4d and filesize < 300KB and all of them
}
CN_Honker_exp_ms11080
Sample from CN Honker Pentest Toolset - file ms11080.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_exp_ms11080 {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file ms11080.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "f0854c49eddf807f3a7381d3b20f9af4a3024e9f"
		id = "2f5ce2f3-3595-5729-be0c-3f6486cb94fd"
	strings:
		$s2 = "[*] command add user 90sec 90sec" fullword ascii /* PEStudio Blacklist: strings */
		$s6 = "[*] Add to Administrators success" fullword ascii /* PEStudio Blacklist: strings */
	condition:
		uint16(0) == 0x5a4d and filesize < 840KB and all of them
}
CN_Honker_exp_win2003
Sample from CN Honker Pentest Toolset - file win2003.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_exp_win2003 {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file win2003.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "47164c8efe65d7d924753fadf6cdfb897a1c03db"
		id = "f64e14dd-714c-5a0f-923d-23a584fe605f"
	strings:
		$s1 = "Usage:system_exp.exe \"cmd\"" fullword ascii /* PEStudio Blacklist: strings */
		$s2 = "The shell \"cmd\" success!" fullword ascii /* PEStudio Blacklist: strings */
		$s4 = "Not Windows NT family OS." fullword ascii /* PEStudio Blacklist: os */
	condition:
		uint16(0) == 0x5a4d and filesize < 100KB and all of them
}
CN_Honker_getlsasrvaddr
Sample from CN Honker Pentest Toolset - file getlsasrvaddr.exe - WCE Amplia Security
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_getlsasrvaddr {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file getlsasrvaddr.exe - WCE Amplia Security"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		modified = "2022-12-21"
		score = 70
		hash = "a897d5da98dae8d80f3c0a0ef6a07c4b42fb89ce"
		id = "fa0c0376-c5c3-5b48-b03e-86cefb547479"
	strings:
		$s8 = "pingme.txt" fullword ascii /* PEStudio Blacklist: strings */
		$s16 = ".\\lsasrv.pdb" ascii
		$s20 = "Addresses Found: " fullword ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 100KB and all of them
}
CN_Honker_hashq_Hashq
Sample from CN Honker Pentest Toolset - file Hashq.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_hashq_Hashq {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file Hashq.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "7518b647db5275e8a9e0bf4deda3d853cc9d5661"
		id = "4f435edf-28bf-5195-bc22-0d2a7302b312"
	strings:
		$s1 = "Hashq.exe" fullword wide
		$s5 = "CnCert.Net" fullword wide
		$s6 = "Md5 query tool" fullword wide /* PEStudio Blacklist: strings */
	condition:
		uint16(0) == 0x5a4d and filesize < 600KB and all of them
}
CN_Honker_hkmjjiis6
Sample from CN Honker Pentest Toolset - file hkmjjiis6.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_hkmjjiis6 {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file hkmjjiis6.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		modified = "2023-01-27"
		score = 70
		hash = "4cbc6344c6712fa819683a4bd7b53f78ea4047d7"
		id = "badf8224-4f09-57aa-ab16-0d70e0b3f88c"
	strings:
		$s14 = "* FROM IIsWebInfo/r" fullword ascii
		$s19 = "ltithread4ck/" ascii
		$s20 = "LookupAcc=Sid#" fullword ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 175KB and all of them
}
CN_Honker_hxdef100
Sample from CN Honker Pentest Toolset - file hxdef100.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_hxdef100 {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file hxdef100.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "bf30ccc565ac40073b867d4c7f5c33c6bc1920d6"
		id = "3b931752-85ae-52d0-9deb-1a1b03b39e32"
	strings:
		$s6 = "BACKDOORSHELL" fullword ascii /* PEStudio Blacklist: strings */
		$s15 = "%tmpdir%" fullword ascii
		$s16 = "%cmddir%" fullword ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 200KB and all of them
}
CN_Honker_lcx_lcx
Sample from CN Honker Pentest Toolset - HTRAN - file lcx.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_lcx_lcx {
	meta:
		description = "Sample from CN Honker Pentest Toolset - HTRAN - file lcx.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "0c8779849d53d0772bbaa1cedeca150c543ebf38"
		id = "6c2e1e85-6387-5be2-b7b2-5ae8a5cca6df"
	strings:
		$s1 = "%s -<listen|tran|slave> <option> [-log logfile]" fullword ascii /* PEStudio Blacklist: strings */
		$s2 = "=========== Code by lion & bkbll" ascii
		$s3 = "Welcome to [url]http://www.cnhonker.com[/url] " ascii
		$s4 = "-tran   <ConnectPort> <TransmitHost> <TransmitPort>" fullword ascii /* PEStudio Blacklist: strings */
		$s5 = "[+] Start Transmit (%s:%d <-> %s:%d) ......" fullword ascii /* PEStudio Blacklist: strings */
	condition:
		uint16(0) == 0x5a4d and filesize < 30KB and 1 of them
}
CN_Honker_linux_bin
Script from disclosed CN Honker Pentest Toolset - file linux_bin
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_linux_bin {
    meta:
        description = "Script from disclosed CN Honker Pentest Toolset - file linux_bin"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "26e71e6ebc6a3bdda9467ce929610c94de8a7ca0"
        id = "3c56a4a8-6392-517c-a16e-63785799acb9"
    strings:
        $s1 = "client.sin_port = htons(atoi(argv[3]));" fullword ascii /* PEStudio Blacklist: strings */
        $s2 = "printf(\"\\n\\n*********Waiting Client connect*****\\n\\n\");" fullword ascii /* PEStudio Blacklist: strings */
    condition:
        filesize < 20KB and all of them
}
CN_Honker_mafix_root
Script from disclosed CN Honker Pentest Toolset - file root
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_mafix_root {
    meta:
        description = "Script from disclosed CN Honker Pentest Toolset - file root"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "826778ef9c22177d41698b467586604e001fed19"
        id = "ae08b2e9-4d81-5f15-88d2-e2ace20626bf"
    strings:
        $s0 = "echo \"# vbox (voice box) getty\" >> /tmp/.init1" fullword ascii /* PEStudio Blacklist: strings */
        $s1 = "cp /var/log/tcp.log $HOMEDIR/.owned/bex2/snifflog" fullword ascii
        $s2 = "if [ -f /sbin/xlogin ]; then" fullword ascii /* PEStudio Blacklist: strings */
    condition:
        filesize < 96KB and all of them
}
CN_Honker_mempodipper2_6
Sample from CN Honker Pentest Toolset - file mempodipper2.6.39
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_mempodipper2_6 {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file mempodipper2.6.39"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "ba2c79911fe48660898039591e1742b3f1a9e923"
		id = "43a27968-adab-5f27-9b8c-8f0f895f0576"
	strings:
		$s0 = "objdump -d /bin/su|grep '<exit@plt>'|head -n 1|cut -d ' ' -f 1|sed" ascii /* PEStudio Blacklist: strings */
	condition:
		filesize < 30KB and all of them
}
CN_Honker_ms10048_x64
Sample from CN Honker Pentest Toolset - file ms10048-x64.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_ms10048_x64 {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file ms10048-x64.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "418bec3493c85e3490e400ecaff5a7760c17a0d0"
		id = "b65b0bad-d74c-5e7a-a613-69ef80585c23"
	strings:
		$s1 = "[ ] Creating evil window" fullword ascii
		$s2 = "[+] Set to %d exploit half succeeded" fullword ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 125KB and all of them
}
CN_Honker_ms10048_x86
Sample from CN Honker Pentest Toolset - file ms10048-x86.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_ms10048_x86 {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file ms10048-x86.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "e57b453966e4827e2effa4e153f2923e7d058702"
		id = "5d572d35-d2e5-5457-89d9-fbce8f8fa552"
	strings:
		$s1 = "[+] Set to %d exploit half succeeded" fullword ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 30KB and all of them
}
CN_Honker_ms11080_withcmd
Sample from CN Honker Pentest Toolset - file ms11080_withcmd.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_ms11080_withcmd {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file ms11080_withcmd.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "745e5058acff27b09cfd6169caf6e45097881a49"
		id = "38c12697-7e52-5713-a566-6047abfa229b"
	strings:
		$s1 = "Usage : ms11-080.exe cmd.exe Command " fullword ascii /* PEStudio Blacklist: strings */
		$s3 = "[>] create pipe error" fullword ascii /* PEStudio Blacklist: strings */
	condition:
		uint16(0) == 0x5a4d and filesize < 340KB and all of them
}
CN_Honker_mssqlpw_scan
Script from disclosed CN Honker Pentest Toolset - file mssqlpw scan.txt
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_mssqlpw_scan {
    meta:
        description = "Script from disclosed CN Honker Pentest Toolset - file mssqlpw scan.txt"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "e49def9d72bfef09a639ef3f7329083a0b8b151c"
        id = "7dc29d06-e1e7-527f-b9e5-d75f660fd73e"
    strings:
        $s0 = "response.Write(\"I Get it ! Password is <font color=red>\" & str & \"</font><BR>" ascii /* PEStudio Blacklist: strings */
        $s1 = "response.Write \"Done!<br>Process \" & tTime & \" s\"" fullword ascii /* PEStudio Blacklist: strings */
    condition:
        filesize < 6KB and all of them
}
CN_Honker_mysql_injectV1_1_Creak
Sample from CN Honker Pentest Toolset - file mysql_injectV1.1_Creak.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_mysql_injectV1_1_Creak {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file mysql_injectV1.1_Creak.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "a1f066789f48a76023598c5777752c15f91b76b0"
		id = "39025a57-557a-53c0-bfdb-81fe83f824af"
	strings:
		$s0 = "1http://192.169.200.200:2217/mysql_inject.php?id=1" fullword ascii /* PEStudio Blacklist: strings */
		$s12 = "OnGetPassword" fullword ascii /* PEStudio Blacklist: strings */
	condition:
		uint16(0) == 0x5a4d and filesize < 5890KB and all of them
}
CN_Honker_nc_MOVE
Script from disclosed CN Honker Pentest Toolset - file MOVE.txt
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_nc_MOVE {
    meta:
        description = "Script from disclosed CN Honker Pentest Toolset - file MOVE.txt"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "4195370c103ca467cddc8f2724a8e477635be424"
        id = "115d1ec9-6c4f-587e-977c-cd24ada89ab6"
    strings:
        $s0 = "Destination: http://202.113.20.235/gj/images/2.asp" fullword ascii /* PEStudio Blacklist: strings */
        $s1 = "HOST: 202.113.20.235" fullword ascii /* PEStudio Blacklist: strings */
        $s2 = "MOVE /gj/images/A.txt HTTP/1.1" fullword ascii
    condition:
        filesize < 1KB and all of them
}
Showing 251-300 of 5,941
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin