
YARA rules

5,941 rules indexed · pattern-based malware identification
YARA rules identify and classify malware families through binary patterns, strings, and metadata. The rules below come from multiple open repositories; each entry is followed by its raw signature.

Rules

50 shown of 5,941
CN_Honker_net_packet_capt
Sample from CN Honker Pentest Toolset - file net_packet_capt.exe
Source: signature-base · Author: Florian Roth (Nextron Systems)
rule CN_Honker_net_packet_capt {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file net_packet_capt.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "2d45a2bd9e74cf14c1d93fff90c2b0665f109c52"
		id = "16e19be7-3805-5e2b-baa6-20554fb7a5cf"
	strings:
		$s1 = "(*.sfd)" fullword ascii
		$s2 = "GetLaBA" fullword ascii
		$s3 = "GAIsProcessorFeature" fullword ascii /* PEStudio Blacklist: strings */ /* Goodware String - occured 1 times */
		$s4 = "- Gablto " ascii
		$s5 = "PaneWyedit" fullword ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 50KB and all of them
}
CN_Honker_net_priv_esc2
Sample from CN Honker Pentest Toolset - file net-priv-esc2.exe
Source: signature-base · Author: Florian Roth (Nextron Systems)
rule CN_Honker_net_priv_esc2 {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file net-priv-esc2.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "4851e0088ad38ac5b3b1c75302a73698437f7f17"
		id = "b4fa3129-57a3-55ee-8ca6-ecbcc135184e"
	strings:
		$s1 = "Usage:%s username password" fullword ascii /* PEStudio Blacklist: strings */
		$s2 = "<www.darkst.com>" fullword ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 17KB and all of them
}
CN_Honker_no_net_priv_esc_AddUser
Sample from CN Honker Pentest Toolset - file AddUser.dll
Source: signature-base · Author: Florian Roth (Nextron Systems)
rule CN_Honker_no_net_priv_esc_AddUser {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file AddUser.dll"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "4c95046be6ae40aee69a433e9a47f824598db2d4"
		id = "0f99914c-9349-5870-a3e0-3a5079efdecf"
	strings:
		$s0 = "PECompact2" fullword ascii /* PEStudio Blacklist: strings */
		$s1 = "adduser" fullword ascii
		$s5 = "OagaBoxA" fullword ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 115KB and all of them
}
CN_Honker_passwd_dict_3389
Script from disclosed CN Honker Pentest Toolset - file 3389.txt
Source: signature-base · Author: Florian Roth (Nextron Systems)
rule CN_Honker_passwd_dict_3389 {
    meta:
        description = "Script from disclosed CN Honker Pentest Toolset - file 3389.txt"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "2897e909e48a9f56ce762244c3a3e9319e12362f"
        id = "9418f0e5-7bf0-5df3-8857-dea90fae5a54"
    strings:
        $s0 = "654321" fullword ascii /* reversed goodware string '123456' */
        $s1 = "admin123" fullword ascii /* PEStudio Blacklist: strings */
        $s2 = "admin123456" fullword ascii /* PEStudio Blacklist: strings */
        $s3 = "administrator" fullword ascii /* PEStudio Blacklist: strings */ /* Goodware String - occured 2 times */
        $s4 = "passwd" fullword ascii /* PEStudio Blacklist: strings */ /* Goodware String - occured 42 times */
        $s5 = "password" fullword ascii /* PEStudio Blacklist: strings */ /* Goodware String - occured 244 times */
        $s7 = "12345678" fullword ascii /* Goodware String - occured 29 times */
    condition:
        filesize < 1KB and all of them
}
CN_Honker_portRecall_bc
Script from disclosed CN Honker Pentest Toolset - file bc.pl
Source: signature-base · Author: Florian Roth (Nextron Systems)
rule CN_Honker_portRecall_bc {
    meta:
        description = "Script from disclosed CN Honker Pentest Toolset - file bc.pl"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "2084990406398afd856b2309c7f579d7d61c3767"
        id = "ea74f260-87e6-5027-b558-628949cae32a"
    strings:
        $s0 = "print \"[*] Connected to remote host \\n\"; " fullword ascii /* PEStudio Blacklist: strings */
        $s1 = "print \"Usage: $0 [Host] [Port] \\n\\n\";  " fullword ascii /* PEStudio Blacklist: strings */
        $s5 = "print \"[*] Resolving HostName\\n\"; " fullword ascii /* PEStudio Blacklist: strings */
    condition:
        filesize < 10KB and all of them
}
CN_Honker_portRecall_pr
Script from disclosed CN Honker Pentest Toolset - file pr
Source: signature-base · Author: Florian Roth (Nextron Systems)
rule CN_Honker_portRecall_pr {
    meta:
        description = "Script from disclosed CN Honker Pentest Toolset - file pr"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "583cf6dc2304121d835f2879803a22fea76930f3"
        id = "1e137ed0-3af6-5b01-a27b-87bf42359887"
    strings:
        $s1 = "Usage: Same as lcx.exe in win32 :)" fullword ascii
        $s2 = "connect to client" fullword ascii /* PEStudio Blacklist: strings */
        $s3 = "PR(Packet redirection) for linux " fullword ascii /* PEStudio Blacklist: strings */
    condition:
        filesize < 70KB and all of them
}
CN_Honker_pr_debug
Sample from CN Honker Pentest Toolset - file debug.exe
Source: signature-base · Author: Florian Roth (Nextron Systems)
rule CN_Honker_pr_debug {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file debug.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "d11e6c6f675b3be86e37e50184dadf0081506a89"
		id = "6d759818-b762-56f4-8475-82a7d18a659c"
	strings:
		$s1 = "-->Got WMI process Pid: %d " ascii /* PEStudio Blacklist: strings */
		$s2 = "This exploit will execute \"net user temp 123456 /add & net localg" ascii /* PEStudio Blacklist: strings */
	condition:
		uint16(0) == 0x5a4d and filesize < 820KB and all of them
}
CN_Honker_safe3wvs_cgiscan
Sample from CN Honker Pentest Toolset - file cgiscan.exe
Source: signature-base · Author: Florian Roth (Nextron Systems)
rule CN_Honker_safe3wvs_cgiscan {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file cgiscan.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "f94bbf2034ad9afa43cca3e3a20f142e0bb54d75"
		id = "a9f7a195-deb8-5887-bc55-d1b0cac43182"
	strings:
		$s2 = "httpclient.exe" fullword wide
		$s3 = "www.safe3.com.cn" fullword wide
	condition:
		uint16(0) == 0x5a4d and filesize < 357KB and all of them
}
CN_Honker_shell_brute_tool
Sample from CN Honker Pentest Toolset - file shell_brute_tool.exe
Source: signature-base · Author: Florian Roth (Nextron Systems)
rule CN_Honker_shell_brute_tool {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file shell_brute_tool.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "f6903a15453698c35dce841e4d09c542f9480f01"
		id = "80fd0c9f-0ed9-5308-ac72-65b9b3b47ed1"
	strings:
		$s0 = "http://24hack.com/xyadmin.asp" fullword ascii /* PEStudio Blacklist: strings */
		$s1 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)" fullword ascii /* PEStudio Blacklist: agent */
	condition:
		uint16(0) == 0x5a4d and filesize < 1000KB and all of them
}
CN_Honker_sig_3389_2_3389
Sample from CN Honker Pentest Toolset - file 3389.exe
Source: signature-base · Author: Florian Roth (Nextron Systems)
rule CN_Honker_sig_3389_2_3389 {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file 3389.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "48d1974215e5cb07d1faa57e37afa91482b5a376"
		id = "8b2f5f6d-4d7b-561c-bd77-2de351e5aca8"
	strings:
		$s1 = "C:\\Documents and Settings\\Administrator\\" ascii /* PEStudio Blacklist: strings */
		$s2 = "net user guest /active:yes" fullword ascii /* PEStudio Blacklist: strings */
		$s3 = "\\Microsoft Word.exe" ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 80KB and all of them
}
CN_Honker_sig_3389_3389
Script from disclosed CN Honker Pentest Toolset - file 3389.vbs
Source: signature-base · Author: Florian Roth (Nextron Systems)
rule CN_Honker_sig_3389_3389 {
    meta:
        description = "Script from disclosed CN Honker Pentest Toolset - file 3389.vbs"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "f92b74f41a2138cc05c6b6993bcc86c706017e49"
        id = "6d385820-befe-5e2b-8c48-ad90564d5f42"
    strings:
        $s1 = "success = obj.run(\"cmd /c takeown /f %SystemRoot%\\system32\\sethc.exe&echo y| " ascii /* PEStudio Blacklist: strings */
    condition:
        filesize < 10KB and all of them
}
CN_Honker_sig_3389_3389_2
Script from disclosed CN Honker Pentest Toolset - file 3389.bat
Source: signature-base · Author: Florian Roth (Nextron Systems)
rule CN_Honker_sig_3389_3389_2 {
    meta:
        description = "Script from disclosed CN Honker Pentest Toolset - file 3389.bat"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "5ff92f39ade12f8ba6cb75dfdc9bb907e49f0ebd"
        id = "f449f632-3102-5e62-b790-5546698dd663"
    strings:
        $s1 = "@del c:\\termsrvhack.dll" fullword ascii
        $s2 = "@del c:\\3389.txt" fullword ascii
    condition:
        filesize < 3KB and all of them
}
CN_Honker_sig_3389_3389_3
Script from disclosed CN Honker Pentest Toolset - file 3389.bat
Source: signature-base · Author: Florian Roth (Nextron Systems)
rule CN_Honker_sig_3389_3389_3 {
    meta:
        description = "Script from disclosed CN Honker Pentest Toolset - file 3389.bat"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "cfedec7bd327897694f83501d76063fe16b13450"
        id = "ff61a5cb-6089-5632-a65d-09f4ffd99857"
    strings:
        $s1 = "echo \"fDenyTSConnections\"=dword:00000000>>3389.reg " fullword ascii /* PEStudio Blacklist: strings */
        $s2 = "echo \"PortNumber\"=dword:00000d3d>>3389.reg " fullword ascii /* PEStudio Blacklist: strings */
        $s3 = "echo [HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server]>>" ascii /* PEStudio Blacklist: strings */
    condition:
        filesize < 2KB and all of them
}
CN_Honker_sig_3389_80_AntiFW
Sample from CN Honker Pentest Toolset - file AntiFW.exe
Source: signature-base · Author: Florian Roth (Nextron Systems)
rule CN_Honker_sig_3389_80_AntiFW {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file AntiFW.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "5fbc75900e48f83d0e3592ea9fa4b70da72ccaa3"
		id = "761bed41-e8e6-585b-8fde-a6b6a56445d6"
	strings:
		$s1 = "Set TS to port:80 Successfully!" fullword ascii /* PEStudio Blacklist: strings */
		$s2 = "Now,set TS to port 80" fullword ascii /* PEStudio Blacklist: strings */
		$s3 = "echo. >>amethyst.reg" fullword ascii
		$s4 = "del amethyst.reg" fullword ascii
		$s5 = "AntiFW.cpp" fullword ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 30KB and 2 of them
}
CN_Honker_sig_3389_DUBrute_v3_0_RC3_2_0
Sample from CN Honker Pentest Toolset - file 2.0.exe
Source: signature-base · Author: Florian Roth (Nextron Systems)
rule CN_Honker_sig_3389_DUBrute_v3_0_RC3_2_0 {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file 2.0.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "e8ee982421ccff96121ffd24a3d84e3079f3750f"
		id = "dda5eea9-da79-5f1f-bbac-9f05ba7e71c9"
	strings:
		$s0 = "IP - %d; Login - %d; Password - %d; Combination - %d" fullword ascii /* PEStudio Blacklist: strings */
		$s3 = "Create %d IP@Loginl;Password" fullword ascii /* PEStudio Blacklist: strings */
		$s15 = "UBrute.com" fullword ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 980KB and 2 of them
}
CN_Honker_sig_3389_DUBrute_v3_0_RC3_3_0
Sample from CN Honker Pentest Toolset - file 3.0.exe
Source: signature-base · Author: Florian Roth (Nextron Systems)
rule CN_Honker_sig_3389_DUBrute_v3_0_RC3_3_0 {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file 3.0.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "49b311add0940cf183e3c7f3a41ea6e516bf8992"
		id = "994ad7e9-2019-54b3-84e6-2762a700c939"
	strings:
		$s0 = "explorer.exe http://bbs.yesmybi.net" fullword ascii /* PEStudio Blacklist: strings */
		$s1 = "LOADER ERROR" fullword ascii /* PEStudio Blacklist: strings */
		$s9 = "CryptGenRandom" fullword ascii /* PEStudio Blacklist: strings */ /* Goodware String - occured 581 times */
	condition:
		uint16(0) == 0x5a4d and filesize < 395KB and all of them
}
CN_Honker_sig_3389_mstsc_MSTSCAX
Sample from CN Honker Pentest Toolset - file MSTSCAX.DLL
Source: signature-base · Author: Florian Roth (Nextron Systems)
rule CN_Honker_sig_3389_mstsc_MSTSCAX {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file MSTSCAX.DLL"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "2fa006158b2d87b08f1778f032ab1b8e139e02c6"
		id = "9508b613-f897-5277-97e0-30e36fb5d747"
	strings:
		$s1 = "ResetPasswordWWWx" fullword ascii /* PEStudio Blacklist: strings */
		$s2 = "Terminal Server Redirected Printer Doc" fullword wide /* PEStudio Blacklist: strings */
		$s3 = "Cleaning temp directory" fullword ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 1000KB and all of them
}
CN_Honker_sig_3389_xp3389
Sample from CN Honker Pentest Toolset - file xp3389.exe
Source: signature-base · Author: Florian Roth (Nextron Systems)
rule CN_Honker_sig_3389_xp3389 {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file xp3389.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "d776eb7596803b5b94098334657667d34b60d880"
		id = "75d23c63-ba9e-55fd-90fe-5e054d28a777"
	strings:
		$s1 = "echo \"fdenytsconnections\"=dword:00000000 >> c:\\reg.reg" fullword ascii /* PEStudio Blacklist: strings */
		$s2 = "echo [HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server] >" ascii /* PEStudio Blacklist: strings */
		$s3 = "echo \"Tsenabled\"=dword:00000001 >> c:\\reg.reg" fullword ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 20KB and all of them
}
CN_Honker_smsniff_smsniff
Sample from CN Honker Pentest Toolset - file smsniff.exe
Source: signature-base · Author: Florian Roth (Nextron Systems)
rule CN_Honker_smsniff_smsniff {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file smsniff.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "8667a785a8ced76d0284d225be230b5f1546f140"
		id = "fef242d5-b274-5217-a5d1-1a6ec38d0fdd"
	strings:
		$s1 = "smsniff.exe" fullword wide
		$s5 = "SmartSniff" fullword wide
	condition:
		uint16(0) == 0x5a4d and filesize < 267KB and all of them
}
CN_Honker_struts2_catbox
Sample from CN Honker Pentest Toolset - file catbox.exe
Source: signature-base · Author: Florian Roth (Nextron Systems)
rule CN_Honker_struts2_catbox {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file catbox.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "ee8fbd91477e056aef34fce3ade474cafa1a4304"
		id = "24df7a11-5ec4-5e7b-86f6-6195ca01b8f9"
	strings:
		$s6 = "'Toolmao box by gainover www.toolmao.com" fullword ascii
		$s20 = "{external.exeScript(_toolmao_bgscript[i],'javascript',false);}}" fullword ascii /* PEStudio Blacklist: strings */
	condition:
		uint16(0) == 0x5a4d and filesize < 8160KB and all of them
}
CN_Honker_super_Injection1
Sample from CN Honker Pentest Toolset - file super Injection1.exe
Source: signature-base · Author: Florian Roth (Nextron Systems)
rule CN_Honker_super_Injection1 {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file super Injection1.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "8ff2df40c461f6c42b92b86095296187f2b59b14"
		id = "ad84c5a0-4f03-5040-bdf7-819b40a08ad2"
	strings:
		$s2 = "Invalid owner=This control requires version 4.70 or greater of COMCTL32.DLL" fullword wide /* PEStudio Blacklist: strings */
		$s3 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)" fullword ascii /* PEStudio Blacklist: agent */
		$s4 = "ScanInject.log" fullword ascii /* PEStudio Blacklist: strings */
	condition:
		uint16(0) == 0x5a4d and filesize < 2000KB and all of them
}
CN_Honker_syconfig
Script from disclosed CN Honker Pentest Toolset - file syconfig.dll
Source: signature-base · Author: Florian Roth (Nextron Systems)
rule CN_Honker_syconfig {
    meta:
        description = "Script from disclosed CN Honker Pentest Toolset - file syconfig.dll"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "Disclosed CN Honker Pentest Toolset"
        date = "2015-06-23"
        score = 70
        hash = "ff75353df77d610d3bccfbffb2c9dfa258b2fac9"
        id = "3850007d-20d5-5b10-a549-dc4655877c6e"
    strings:
        $s9 = "Hashq.CrackHost+FormUnit" fullword ascii /* PEStudio Blacklist: strings */
    condition:
        uint16(0) == 0x0100 and filesize < 18KB and all of them
}
CN_Honker_termsrvhack
Sample from CN Honker Pentest Toolset - file termsrvhack.dll
Source: signature-base · Author: Florian Roth (Nextron Systems)
rule CN_Honker_termsrvhack {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file termsrvhack.dll"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "1c456520a7b7faf71900c71167038185f5a7d312"
		id = "4fd582a1-3c6d-57a1-bba0-f775bb61ef00"
	strings:
		$s1 = "The terminal server cannot issue a client license.  It was unable to issue the" wide /* PEStudio Blacklist: strings */
		$s6 = "%s\\%s\\%d\\%d" fullword wide
	condition:
		uint16(0) == 0x5a4d and filesize < 1052KB and all of them
}
CN_Honker_windows_exp
Sample from CN Honker Pentest Toolset - file exp.exe
Source: signature-base · Author: Florian Roth (Nextron Systems)
rule CN_Honker_windows_exp {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file exp.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "04334c396b165db6e18e9b76094991d681e6c993"
		id = "148900d0-cf62-5cb0-adbc-52fa8ce8832e"
	strings:
		$s0 = "c:\\windows\\system32\\command.com /c " fullword ascii /* PEStudio Blacklist: strings */
		$s8 = "OH,Sry.Too long command." fullword ascii /* PEStudio Blacklist: strings */
	condition:
		uint16(0) == 0x5a4d and filesize < 220KB and all of them
}
CN_Honker_windows_mstsc_enhanced_RMDSTC
Sample from CN Honker Pentest Toolset - file RMDSTC.exe
Source: signature-base · Author: Florian Roth (Nextron Systems)
rule CN_Honker_windows_mstsc_enhanced_RMDSTC {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file RMDSTC.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "3ca2b1b6f31219baf172abcc8f00f07f560e465f"
		id = "f6e94327-cb79-5a7a-88bb-850177558978"
	strings:
		$s0 = "zava zir5@163.com" fullword wide
		$s1 = "By newccc" fullword wide
	condition:
		uint16(0) == 0x5a4d and filesize < 400KB and all of them
}
CN_Honker_wwwscan_1_wwwscan
Sample from CN Honker Pentest Toolset - file wwwscan.exe
Source: signature-base · Author: Florian Roth (Nextron Systems)
rule CN_Honker_wwwscan_1_wwwscan {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file wwwscan.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "6bed45629c5e54986f2d27cbfc53464108911026"
		id = "8b6a94a3-6f9c-59b2-931b-c06701b95d59"
	strings:
		$s0 = "%s www.target.com -p 8080 -m 10 -t 16" fullword ascii /* PEStudio Blacklist: strings */
		$s3 = "GET /nothisexistpage.html HTTP/1.1" fullword ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 180KB and all of them
}
CN_Honker_wwwscan_gui
Sample from CN Honker Pentest Toolset - file wwwscan_gui.exe
Source: signature-base · Author: Florian Roth (Nextron Systems)
rule CN_Honker_wwwscan_gui {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file wwwscan_gui.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "897b66a34c58621190cb88e9b2a2a90bf9b71a53"
		id = "fffed806-4394-505a-96bd-50bf6f24aefc"
	strings:
		$s1 = "%s www.target.com -p 8080 -m 10 -t 16" fullword ascii /* PEStudio Blacklist: strings */
		$s2 = "/eye2007Admin_login.aspx" fullword ascii /* PEStudio Blacklist: strings */
	condition:
		uint16(0) == 0x5a4d and filesize < 280KB and all of them
}
CN_Packed_Scanner
Suspiciously packed executable
Source: signature-base · Author: Florian Roth (Nextron Systems)
rule CN_Packed_Scanner {
   meta:
      description = "Suspiciously packed executable"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      hash = "6323b51c116a77e3fba98f7bb7ff4ac6"
      score = 40
      date = "06.10.2014"
      id = "a11c4ee6-7244-5601-af26-a45f9fdc8e1b"
   strings:
      $s1 = "kernel32.dll" fullword ascii
      $s2 = "CRTDLL.DLL" fullword ascii
      $s3 = "__GetMainArgs" fullword ascii
      $s4 = "WS2_32.DLL" fullword ascii
   condition:
      all of them and filesize < 180KB and filesize > 70KB
}
CN_Portscan
CN Port Scanner
Source: signature-base · Author: Florian Roth (Nextron Systems)
rule CN_Portscan: APT {
   meta:
      description = "CN Port Scanner"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      date = "2013-11-29"
      confidential = false
      score = 70
      id = "fb52a89a-2270-5170-9874-9278a0177454"
   strings:
      $s2 = "TCP 12.12.12.12"
   condition:
      uint16(0) == 0x5A4D and $s2
}
CN_Tools_MyUPnP
Chinese Hacktool Set - file MyUPnP.exe
Source: signature-base · Author: Florian Roth (Nextron Systems)
rule CN_Tools_MyUPnP {
	meta:
		description = "Chinese Hacktool Set - file MyUPnP.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "http://tools.zjqhr.com/"
		date = "2015-06-13"
		hash = "15b6fca7e42cd2800ba82c739552e7ffee967000"
		id = "394e19d3-882e-5a7c-a3a0-e662bd67955c"
	strings:
		$s1 = "<description>BYTELINKER.COM</description>" fullword ascii
		$s2 = "myupnp.exe" fullword ascii
		$s3 = "LOADER ERROR" fullword ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 1500KB and all of them
}
CN_Tools_PcShare
Chinese Hacktool Set - file PcShare.exe
Source: signature-base · Author: Florian Roth (Nextron Systems)
rule CN_Tools_PcShare {
	meta:
		description = "Chinese Hacktool Set - file PcShare.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "http://tools.zjqhr.com/"
		date = "2015-06-13"
		hash = "ee7ba9784fae413d644cdf5a093bd93b73537652"
		id = "0c4e9f9b-9839-56a0-be21-a4e9f19cdfdb"
	strings:
		$s0 = "title=%s%s-%s;id=%s;hwnd=%d;mainhwnd=%d;mainprocess=%d;cmd=%d;" fullword wide
		$s1 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)" fullword wide
		$s2 = "http://www.pcshares.cn/pcshare200/lostpass.asp" fullword wide
		$s5 = "port=%s;name=%s;pass=%s;" fullword wide
		$s16 = "%s\\ini\\*.dat" fullword wide
		$s17 = "pcinit.exe" fullword wide
		$s18 = "http://www.pcshare.cn" fullword wide
	condition:
		uint16(0) == 0x5a4d and filesize < 6000KB and 3 of them
}
CN_Tools_Shiell
Chinese Hacktool Set - file Shiell.exe
Source: signature-base · Author: Florian Roth (Nextron Systems)
rule CN_Tools_Shiell {
	meta:
		description = "Chinese Hacktool Set - file Shiell.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "http://tools.zjqhr.com/"
		date = "2015-06-13"
		hash = "b432d80c37abe354d344b949c8730929d8f9817a"
		id = "7ac7d79d-3f4e-54e7-bb97-ce94cbbb40a2"
	strings:
		$s1 = "C:\\Users\\Tong\\Documents\\Visual Studio 2012\\Projects\\Shift shell" ascii
		$s2 = "C:\\Windows\\System32\\Shiell.exe" fullword wide
		$s3 = "Shift shell.exe" fullword wide
		$s4 = "\" /v debugger /t REG_SZ /d \"" fullword wide
	condition:
		uint16(0) == 0x5a4d and filesize < 1500KB and 2 of them
}
CN_Tools_Temp
Chinese Hacktool Set - file Temp.war
Source: signature-base · Author: Florian Roth (Nextron Systems)
rule CN_Tools_Temp {
    meta:
        description = "Chinese Hacktool Set - file Temp.war"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "c3327ef63b0ed64c4906e9940ef877c76ebaff58"
        id = "4fbaabd0-fbf2-56a0-94af-9deba1e7cc81"
    strings:
        $s0 = "META-INF/context.xml<?xml version=\"1.0\" encoding=\"UTF-8\"?>" fullword ascii
        $s1 = "browser.jsp" fullword ascii
        $s3 = "cmd.jsp" fullword ascii
        $s4 = "index.jsp" fullword ascii
    condition:
        uint16(0) == 0x4b50 and filesize < 203KB and all of them
}
CN_Tools_VNCLink
Chinese Hacktool Set - file VNCLink.exe
Source: signature-base · Author: Florian Roth (Nextron Systems)
rule CN_Tools_VNCLink {
	meta:
		description = "Chinese Hacktool Set - file VNCLink.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "http://tools.zjqhr.com/"
		date = "2015-06-13"
		hash = "cafb531822cbc0cfebbea864489eebba48081aa1"
		id = "270dc14c-ac8f-58c2-b4ac-c10981e20a07"
	strings:
		$s1 = "C:\\temp\\vncviewer4.log" fullword ascii
		$s2 = "[BL4CK] Patched by redsand || http://blacksecurity.org" fullword ascii
		$s3 = "fake release extendedVkey 0x%x, keysym 0x%x" fullword ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 580KB and 2 of them
}
CN_Tools_Vscan
Chinese Hacktool Set - file Vscan.exe
Source: signature-base · Author: Florian Roth (Nextron Systems)
rule CN_Tools_Vscan {
	meta:
		description = "Chinese Hacktool Set - file Vscan.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "http://tools.zjqhr.com/"
		date = "2015-06-13"
		hash = "0365fe05e2de0f327dfaa8cd0d988dbb7b379612"
		id = "2d73d9c9-62cd-592f-a44e-0a0456c85a3c"
	strings:
		$s1 = "[+] Usage: VNC_bypauth <target> <scantype> <option>" fullword ascii
		$s2 = "========RealVNC <= 4.1.1 Bypass Authentication Scanner=======" fullword ascii
		$s3 = "[+] Type VNC_bypauth <target>,<scantype> or <option> for more informations" fullword ascii
		$s4 = "VNC_bypauth -i 192.168.0.1,192.168.0.2,192.168.0.3,..." fullword ascii
		$s5 = "-vn:%-15s:%-7d  connection closed" fullword ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 60KB and 2 of them
}
CN_Tools_hscan
Chinese Hacktool Set - file hscan.exe
Source: signature-base · Author: Florian Roth (Nextron Systems)
rule CN_Tools_hscan {
	meta:
		description = "Chinese Hacktool Set - file hscan.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "http://tools.zjqhr.com/"
		date = "2015-06-13"
		hash = "17a743e40790985ececf5c66eaad2a1f8c4cffe8"
		id = "82d9cd61-8cef-56b4-8dfe-a28edaa781b8"
	strings:
		$s1 = "%s -f hosts.txt -port -ipc -pop -max 300,20 -time 10000" fullword ascii
		$s2 = "%s -h 192.168.0.1 192.168.0.254 -port -ftp -max 200,20" fullword ascii
		$s3 = "%s -h www.target.com -all" fullword ascii
		$s4 = ".\\report\\%s-%s.html" fullword ascii
		$s5 = ".\\log\\Hscan.log" fullword ascii
		$s6 = "[%s]: Found cisco Enable password: %s !!!" fullword ascii
		$s7 = "%s@ftpscan#FTP Account:  %s/[null]" fullword ascii
		$s8 = ".\\conf\\mysql_pass.dic" fullword ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 300KB and all of them
}
CN_Tools_item
Chinese Hacktool Set - file item.php
source signature-base author Florian Roth (Nextron Systems)
rule CN_Tools_item {
    meta:
        description = "Chinese Hacktool Set - file item.php"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "a584db17ad93f88e56fd14090fae388558be08e4"
        id = "954f24c9-d7d5-56d3-86f0-0cf8832640dd"
    strings:
        $s1 = "$sURL = \"http://\".$sServer.\"/\".$sWget;" fullword ascii
        $s2 = "$sURL = \"301:http://\".$sServer.\"/\".$sWget;" fullword ascii
        $s3 = "$sWget=\"index.asp\";" fullword ascii
        $s4 = "$aURL += array(\"scheme\" => \"\", \"host\" => \"\", \"path\" => \"\");" fullword ascii
    condition:
        filesize < 4KB and all of them
}
CN_Tools_old
Chinese Hacktool Set - file old.php
source signature-base author Florian Roth (Nextron Systems)
rule CN_Tools_old {
    meta:
        description = "Chinese Hacktool Set - file old.php"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "f8a007758fda8aa1c0af3c43f3d7e3186a9ff307"
        id = "bfdb84e8-e5a8-53a4-ae71-e0d1b38d38ef"
    strings:
        $s0 = "$sCmd = \"wget -qc \".escapeshellarg($sURL).\" -O \".$sFile;" fullword ascii
        $s1 = "$sURL = \"http://\".$sServer.\"/\".$sFile;" fullword ascii
        $s2 = "chmod(\"/\".substr($sHash, 0, 2), 0777);" fullword ascii
        $s3 = "$sCmd = \"echo 123> \".$sFileOut;" fullword ascii
    condition:
        filesize < 6KB and all of them
}
CN_Tools_pc
Chinese Hacktool Set - file pc.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Tools_pc {
	meta:
		description = "Chinese Hacktool Set - file pc.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "http://tools.zjqhr.com/"
		date = "2015-06-13"
		hash = "5cf8caba170ec461c44394f4058669d225a94285"
		id = "11cc6c46-33c0-5c53-88f8-700be9ca8add"
	strings:
		$s0 = "\\svchost.exe" ascii
		$s2 = "%s%08x.001" fullword ascii
		$s3 = "Qy001Service" fullword ascii
		$s4 = "/.MIKY" fullword ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 300KB and all of them
}
CN_Tools_srss
Chinese Hacktool Set - file srss.bat
source signature-base author Florian Roth (Nextron Systems)
rule CN_Tools_srss {
    meta:
        description = "Chinese Hacktool Set - file srss.bat"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "092ab0797947692a247fe80b100fb4df0f9c37a0"
        id = "13191e2e-fbcd-5e0b-af55-cc10f2583c1b"
    strings:
        $s0 = "srss.exe -idx 0 -ip"
        $s1 = "-port 21 -logfilter \"_USER ,_P" ascii
    condition:
        filesize < 100 and all of them
}
CN_Tools_srss_2
Chinese Hacktool Set - file srss.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Tools_srss_2 {
	meta:
		description = "Chinese Hacktool Set - file srss.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "http://tools.zjqhr.com/"
		date = "2015-06-13"
		hash = "c418b30d004051bbf1b2d3be426936b95b5fea6f"
		id = "3a84fa58-ccd0-5cf0-b1e0-a8f2ca04fd3f"
	strings:
		$x1 = "used pepack!" fullword ascii

		$s1 = "KERNEL32.dll" fullword ascii
		$s2 = "KERNEL32.DLL" fullword ascii
		$s3 = "LoadLibraryA" fullword ascii
		$s4 = "GetProcAddress" fullword ascii
		$s5 = "VirtualProtect" fullword ascii
		$s6 = "VirtualAlloc" fullword ascii
		$s7 = "VirtualFree" fullword ascii
		$s8 = "ExitProcess" fullword ascii
	condition:
		uint16(0) == 0x5a4d and ( $x1 at 0 ) and filesize < 14KB and all of ($s*)
}
CN_Tools_xbat
Chinese Hacktool Set - file xbat.vbs
source signature-base author Florian Roth (Nextron Systems)
rule CN_Tools_xbat {
    meta:
        description = "Chinese Hacktool Set - file xbat.vbs"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "a7005acda381a09803b860f04d4cae3fdb65d594"
        id = "5b2f0d2e-a7fb-5f5a-94a9-28e851c9756e"
    strings:
        $s0 = "ws.run \"srss.bat /start\",0 " fullword ascii
        $s1 = "Set ws = Wscript.CreateObject(\"Wscript.Shell\")" fullword ascii
    condition:
        // The published rule reads "filesize < 0KB", which can never be true, so the rule never fires;
        // 1KB is an assumed upper bound for this two-line VBS launcher (not the original author's value)
        uint16(0) == 0x6553 and filesize < 1KB and all of them
}
CN_Tools_xsniff
Chinese Hacktool Set - file xsniff.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Tools_xsniff {
	meta:
		description = "Chinese Hacktool Set - file xsniff.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "http://tools.zjqhr.com/"
		date = "2015-06-13"
		hash = "d61d7329ac74f66245a92c4505a327c85875c577"
		id = "a0fdac88-a7b8-5d24-9012-2bfe7b07e675"
	strings:
		$s0 = "xsiff.exe -pass -hide -log pass.log" fullword ascii
		$s1 = "HOST: %s USER: %s, PASS: %s" fullword ascii
		$s2 = "xsiff.exe -tcp -udp -asc -addr 192.168.1.1" fullword ascii
		$s10 = "Code by glacier <glacier@xfocus.org>" fullword ascii
		$s11 = "%-5s%s->%s Bytes=%d TTL=%d Type: %d,%d ID=%d SEQ=%d" fullword ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 220KB and 2 of them
}
CN_Toolset_LScanPortss_2
Detects a Chinese hacktool from a disclosed toolset - file LScanPortss.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Toolset_LScanPortss_2 {
   meta:
      description = "Detects a Chinese hacktool from a disclosed toolset - file LScanPortss.exe"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "http://qiannao.com/ls/905300366/33834c0c/"
      date = "2015/03/30"
      score = 70
      hash = "4631ec57756466072d83d49fbc14105e230631a0"
      id = "0a796585-5fc8-5b55-acfc-3fe87308b681"
   strings:
      $s1 = "LScanPort.EXE" fullword wide
      $s3 = "www.honker8.com" fullword wide
      $s4 = "DefaultPort.lst" fullword ascii
      $s5 = "Scan over.Used %dms!" fullword ascii
      $s6 = "www.hf110.com" fullword wide
      $s15 = "LScanPort Microsoft " fullword wide
      $s18 = "L-ScanPort2.0 CooFly" fullword wide
   condition:
      4 of them
}
CN_Toolset_NTscan_PipeCmd
Detects a Chinese hacktool from a disclosed toolset - file PipeCmd.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Toolset_NTscan_PipeCmd {
   meta:
      description = "Detects a Chinese hacktool from a disclosed toolset - file PipeCmd.exe"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "http://qiannao.com/ls/905300366/33834c0c/"
      date = "2015/03/30"
      score = 70
      hash = "a931d65de66e1468fe2362f7f2e0ee546f225c4e"
      id = "056ee42d-23f4-5b03-b240-392bc92b90b0"
   strings:
      $s2 = "Please Use NTCmd.exe Run This Program." fullword ascii
      $s3 = "PipeCmd.exe" fullword wide
      $s4 = "\\\\.\\pipe\\%s%s%d" fullword ascii
      $s5 = "%s\\pipe\\%s%s%d" fullword ascii
      $s6 = "%s\\ADMIN$\\System32\\%s%s" fullword ascii
      $s7 = "%s\\ADMIN$\\System32\\%s" fullword ascii
      $s9 = "PipeCmdSrv.exe" fullword ascii
      $s10 = "This is a service executable! Couldn't start directly." fullword ascii
      $s13 = "\\\\.\\pipe\\PipeCmd_communicaton" fullword ascii
      $s14 = "PIPECMDSRV" fullword wide
      $s15 = "PipeCmd Service" fullword ascii
   condition:
      4 of them
}
CN_Toolset__XScanLib_XScanLib_XScanLib
Detects a Chinese hacktool from a disclosed toolset - from files XScanLib.dll, XScanLib.dll, XScanLib.dll
source signature-base author Florian Roth (Nextron Systems)
rule CN_Toolset__XScanLib_XScanLib_XScanLib {
   meta:
      description = "Detects a Chinese hacktool from a disclosed toolset - from files XScanLib.dll, XScanLib.dll, XScanLib.dll"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "http://qiannao.com/ls/905300366/33834c0c/"
      date = "2015/03/30"
      score = 70
      super_rule = 1
      hash0 = "af419603ac28257134e39683419966ab3d600ed2"
      hash1 = "c5cb4f75cf241f5a9aea324783193433a42a13b0"
      hash2 = "135f6a28e958c8f6a275d8677cfa7cb502c8a822"
      id = "c32415f4-044c-50ef-9c4c-b9327cbcef69"
   strings:
      $s1 = "Plug-in thread causes an exception, failed to alert user." fullword
      $s2 = "PlugGetUdpPort" fullword
      $s3 = "XScanLib.dll" fullword
      $s4 = "PlugGetTcpPort" fullword
      $s11 = "PlugGetVulnNum" fullword
   condition:
      all of them
}
CN_Toolset_sig_1433_135_sqlr
Detects a Chinese hacktool from a disclosed toolset - file sqlr.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Toolset_sig_1433_135_sqlr {
   meta:
      description = "Detects a Chinese hacktool from a disclosed toolset - file sqlr.exe"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "http://qiannao.com/ls/905300366/33834c0c/"
      date = "2015/03/30"
      score = 70
      hash = "8542c7fb8291b02db54d2dc58cd608e612bfdc57"
      id = "74038975-ef06-53d6-bdcc-02706408b596"
   strings:
      $s0 = "Connect to %s MSSQL server success. Type Command at Prompt." fullword ascii
      $s11 = ";DATABASE=master" fullword ascii
      $s12 = "xp_cmdshell '" fullword ascii
      $s14 = "SELECT * FROM OPENROWSET('SQLOLEDB','Trusted_Connection=Yes;Data Source=myserver" ascii
   condition:
      all of them
}
CN_disclosed_20180208_KeyLogger_1
Detects malware from disclosed CN malware set
source signature-base author Florian Roth (Nextron Systems)
rule CN_disclosed_20180208_KeyLogger_1 {
   meta:
      description = "Detects malware from disclosed CN malware set"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details"
      date = "2018-02-08"
      hash1 = "c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf"
      id = "12eff9b6-1a65-5efc-b39c-88297bdae9c3"
   strings:
      $x2 = "Process already elevated." fullword wide
      $x3 = "GetKeyloggErLogsResponse" fullword ascii
      $x4 = "get_encryptedPassword" fullword ascii
      $x5 = "DoDownloadAndExecute" fullword ascii
      $x6 = "GetKeyloggeRLogs" fullword ascii
   condition:
      uint16(0) == 0x5a4d and filesize < 1000KB and 2 of them
}
CN_disclosed_20180208_Mal1
Detects malware from disclosed CN malware set
source signature-base author Florian Roth (Nextron Systems)
// The condition uses pe.imphash(), so the rule needs the pe module when compiled on its own
import "pe"

rule CN_disclosed_20180208_Mal1 {
   meta:
      description = "Detects malware from disclosed CN malware set"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details"
      date = "2018-02-08"
      hash1 = "173d69164a6df5bced94ab7016435c128ccf7156145f5d26ca59652ef5dcd24e"
      id = "8516bbfb-a2ad-565d-bf6c-71629b1831a1"
   strings:
      $x1 = "%SystemRoot%\\system32\\termsrvhack.dll" fullword ascii
      $x2 = "User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" fullword ascii

      $a1 = "taskkill /f /im cmd.exe" fullword ascii
      $a2 = "taskkill /f /im mstsc.exe" fullword ascii
      $a3 = "taskkill /f /im taskmgr.exe" fullword ascii
      $a4 = "taskkill /f /im regedit.exe" fullword ascii
      $a5 = "taskkill /f /im mmc.exe" fullword ascii
      $s1 = "K7TSecurity.exe" fullword ascii
      $s2 = "ServUDaemon.exe" fullword ascii
   condition:
      uint16(0) == 0x5a4d and filesize < 2000KB and (
        pe.imphash() == "28e3a58132364197d7cb29ee104004bf" or
        1 of ($x*) or
        3 of them
      )
}
CN_disclosed_20180208_Mal4
Detects malware from disclosed CN malware set
source signature-base author Florian Roth (Nextron Systems)
// The condition uses pe.exports(), so the rule needs the pe module when compiled on its own
import "pe"

rule CN_disclosed_20180208_Mal4 {
   meta:
      description = "Detects malware from disclosed CN malware set"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details"
      date = "2018-02-08"
      hash1 = "f7549c74f09be7e4dbfb64006e535b9f6d17352e236edc2cdb102ec3035cf66e"
      id = "6165caf5-157f-5381-a77e-6ed775187ab1"
   strings:
      $s1 = "Microsoft .Net Framework COM+ Support" fullword ascii
      $s2 = "Microsoft .NET and Windows XP COM+ Integration with SOAP" fullword ascii
   condition:
      uint16(0) == 0x5a4d and filesize < 3000KB and 1 of them and pe.exports("SPACE")
}