Sneed-Reactivity/yara-Neo23x0/apt_greyenergy.yar

98 lines
4.2 KiB
Text
Raw Permalink Normal View History

/*
YARA Rule Set
Author: Florian Roth
Date: 2018-10-21
Identifier: Grey Energy
Reference: https://www.welivesecurity.com/2018/10/17/greyenergy-updated-arsenal-dangerous-threat-actors/
License: Detetction Rule License 1.1 (https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md)
*/
import "pe"
rule APT_GreyEnergy_Malware_Oct18_1 {
meta:
description = "Detects samples from Grey Energy report"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.welivesecurity.com/2018/10/17/greyenergy-updated-arsenal-dangerous-threat-actors/"
date = "2018-10-17"
hash1 = "6c52a5850a57bea43a0a52ff0e2d2179653b97ae5406e884aee63e1cf340f58b"
id = "fc997540-075e-5f1c-9238-135c1572553b"
strings:
$x1 = "%SystemRoot%\\System32\\thinmon.dll" fullword ascii
$s2 = "'Cannot delete list entry (fatal error)!9The module %s cannot be executed on this system (0x%.4x).%Enumerate all sessions on TSE" wide
$s8 = "cbecbecbecbecbecbecbecbecbecbecbecbecbecbecbecbecbecbecbecbecbecbecbecbe" ascii
$s14 = "configure the service" fullword wide
condition:
uint16(0) == 0x5a4d and filesize < 700KB and
pe.imphash() == "98d1ad672d0db4b4abdcda73cc9835cb" and
all of them
}
rule APT_GreyEnergy_Malware_Oct18_2 {
meta:
description = "Detects samples from Grey Energy report"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.welivesecurity.com/2018/10/17/greyenergy-updated-arsenal-dangerous-threat-actors/"
date = "2018-10-17"
hash1 = "c6a54912f77a39c8f909a66a940350dcd8474c7a1d0e215a878349f1b038c58a"
id = "50830741-ba3d-505c-bb21-8cedc2162f96"
strings:
$s1 = "WioGLtonuaptWmrnttfepgetneemVsnygnV" fullword ascii
$s2 = "PnSenariopoeKerGEtxrcy" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 300KB and 2 of them
}
rule APT_GreyEnergy_Malware_Oct18_3 {
meta:
description = "Detects samples from Grey Energy report"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.welivesecurity.com/2018/10/17/greyenergy-updated-arsenal-dangerous-threat-actors/"
date = "2018-10-17"
hash1 = "0db5e5b68dc4b8089197de9c1e345056f45c006b7b487f7d8d57b49ae385bad0"
id = "cc365dbf-1448-5219-95f5-d1154000f52d"
strings:
$x1 = "USQTUNPPQONOPOQUMSNUTRMRRLVPUOPMROPMPMQTPNPONVUOUQOMMNNSRSRQQVTPPRSSNVSTURTMMOPTONSQTOMONQVMQNUSONTQTUTSRRPVTONUQNORQMRRNRUSPS" fullword ascii
$x2 = "tEMPiuP" fullword ascii
$x3 = "sryCEMieye" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 300KB and 1 of them
}
rule APT_GreyEnergy_Malware_Oct18_4 {
meta:
description = "Detects samples from Grey Energy report"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.welivesecurity.com/2018/10/17/greyenergy-updated-arsenal-dangerous-threat-actors/"
date = "2018-10-17"
hash1 = "6974b8acf6a8f7684673b01753c3a8248a1c491900cccf771db744ca0442f96a"
hash2 = "165a7853ef51e96ce3f88bb33f928925b24ca5336e49845fc5fc556812092740"
hash3 = "4470e40f63443aa27187a36bbb0c2f4def42b589b61433630df842b6e365ae3d"
hash4 = "c21cf6018c2ee0a90b9d2c401aae8071c90b5a4bc9848a94d678d77209464f79"
id = "1a2df257-a639-5868-a005-690d64cfbf2b"
strings:
$x1 = "iiodttd.eWt" fullword ascii
$x2 = "irnnaar-ite-ornaa-naa-asoeienaeaanlagoeas:acnuihaaa" fullword ascii
$x3 = "NURVNTURVORSMSPPRTQMPTTQOQRP" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 300KB and (
pe.imphash() == "279adfbd42308a07b3131ee57d067b3e" or
1 of them
)
}
rule APT_GreyEnergy_Malware_Oct18_5 {
meta:
description = "Detects samples from Grey Energy report"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.welivesecurity.com/2018/10/17/greyenergy-updated-arsenal-dangerous-threat-actors/"
date = "2018-10-17"
hash1 = "037723bdb9100d19bf15c5c21b649db5f3f61e421e76abe9db86105f1e75847b"
hash2 = "b602ce32b7647705d68aedbaaf4485f1a68253f8f8132bd5d5f77284a6c2d8bb"
id = "a8c4517d-912d-5264-b9ab-acdf37fc4d56"
strings:
$s12 = "WespySSld.eQ" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 300KB and 1 of them
}