Sneed-Reactivity/yara-Neo23x0/apt_turla_kazuar.yar

import "pe"
/*
	"dbgsview.exe"
	Agent.exe
	"adflctlmon.exe"

	d3429016-d029-45b8-b260-85221265838e
	76b7b11a-4124-448b-9903-15524e321f3f
	2cde886e-ee24-496a-bb31-1ced6b766ced

	imphash
	f34d5f2d4577ed6d9ceec516c1f5a744
*/

rule apt_RU_Turla_Kazuar_DebugView_peFeatures
{
	meta:
		description = "Turla mimicking SysInternals Tools- peFeatures"
        reference = "https://www.epicturla.com/blog/sysinturla"
		version = "2.0"
		author = "JAG-S"
        score = 85
		hash1 = "1749c96cc1a4beb9ad4d6e037e40902fac31042fa40152f1d3794f49ed1a2b5c"
		hash2 = "44cc7f6c2b664f15b499c7d07c78c110861d2cc82787ddaad28a5af8efc3daac"

		id = "0a1675c0-8645-5288-9ef6-e68ffbfe0c3b"
	condition:
		uint16(0) == 0x5a4d
		and
		(
			pe.version_info["LegalCopyright"] == "Test Copyright" 
			and
			(
				(
				pe.version_info["ProductName"] == "Sysinternals DebugView"
				and
				pe.version_info["Description"] == "Sysinternals DebugView"
				)
			or
				(
				pe.version_info["FileVersion"] == "4.80.0.0"
				and
				pe.version_info["Comments"] == "Sysinternals DebugView"
				)
			or
				(
				pe.version_info["OriginalName"] contains "DebugView.exe"
				and
				pe.version_info["InternalName"] contains "DebugView.exe"
				)
			or
				(
				pe.version_info["OriginalName"] == "Agent.exe"
				and
				pe.version_info["InternalName"] == "Agent.exe"
				)
			)
		)
}

rule APT_MAL_RU_Turla_Kazuar_May20_1 {
   meta:
      description = "Detects Turla Kazuar malware"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://www.epicturla.com/blog/sysinturla"
      date = "2020-05-28"
      hash1 = "1749c96cc1a4beb9ad4d6e037e40902fac31042fa40152f1d3794f49ed1a2b5c"
      hash2 = "1fca5f41211c800830c5f5c3e355d31a05e4c702401a61f11e25387e25eeb7fa"
      hash3 = "2d8151dabf891cf743e67c6f9765ee79884d024b10d265119873b0967a09b20f"
      hash4 = "44cc7f6c2b664f15b499c7d07c78c110861d2cc82787ddaad28a5af8efc3daac"
      id = "cd0d1fa2-5303-55f8-90a7-4a699ec79230"
   strings:
      $s1 = "Sysinternals" ascii fullword
	  $s2 = "Test Copyright" wide fullword

      $op1 = { 0d 01 00 08 34 2e 38 30 2e 30 2e 30 00 00 13 01 }
   condition:
      uint16(0) == 0x5a4d and
      filesize < 2000KB and
      all of them
}
OMG ISTG PLS WORK RED PILL :red_circle: :pill: 2024-07-25 12:43:35 -05:00			`import "pe"`
			`/*`
			`"dbgsview.exe"`
			`Agent.exe`
			`"adflctlmon.exe"`

			`d3429016-d029-45b8-b260-85221265838e`
			`76b7b11a-4124-448b-9903-15524e321f3f`
			`2cde886e-ee24-496a-bb31-1ced6b766ced`

			`imphash`
			`f34d5f2d4577ed6d9ceec516c1f5a744`
			`*/`

			`rule apt_RU_Turla_Kazuar_DebugView_peFeatures`
			`{`
			`meta:`
			`description = "Turla mimicking SysInternals Tools- peFeatures"`
			`reference = "https://www.epicturla.com/blog/sysinturla"`
			`version = "2.0"`
			`author = "JAG-S"`
			`score = 85`
			`hash1 = "1749c96cc1a4beb9ad4d6e037e40902fac31042fa40152f1d3794f49ed1a2b5c"`
			`hash2 = "44cc7f6c2b664f15b499c7d07c78c110861d2cc82787ddaad28a5af8efc3daac"`

			`id = "0a1675c0-8645-5288-9ef6-e68ffbfe0c3b"`
			`condition:`
			`uint16(0) == 0x5a4d`
			`and`
			`(`
			`pe.version_info["LegalCopyright"] == "Test Copyright"`
			`and`
			`(`
			`(`
			`pe.version_info["ProductName"] == "Sysinternals DebugView"`
			`and`
			`pe.version_info["Description"] == "Sysinternals DebugView"`
			`)`
			`or`
			`(`
			`pe.version_info["FileVersion"] == "4.80.0.0"`
			`and`
			`pe.version_info["Comments"] == "Sysinternals DebugView"`
			`)`
			`or`
			`(`
			`pe.version_info["OriginalName"] contains "DebugView.exe"`
			`and`
			`pe.version_info["InternalName"] contains "DebugView.exe"`
			`)`
			`or`
			`(`
			`pe.version_info["OriginalName"] == "Agent.exe"`
			`and`
			`pe.version_info["InternalName"] == "Agent.exe"`
			`)`
			`)`
			`)`
			`}`

			`rule APT_MAL_RU_Turla_Kazuar_May20_1 {`
			`meta:`
			`description = "Detects Turla Kazuar malware"`
			`author = "Florian Roth (Nextron Systems)"`
			`reference = "https://www.epicturla.com/blog/sysinturla"`
			`date = "2020-05-28"`
			`hash1 = "1749c96cc1a4beb9ad4d6e037e40902fac31042fa40152f1d3794f49ed1a2b5c"`
			`hash2 = "1fca5f41211c800830c5f5c3e355d31a05e4c702401a61f11e25387e25eeb7fa"`
			`hash3 = "2d8151dabf891cf743e67c6f9765ee79884d024b10d265119873b0967a09b20f"`
			`hash4 = "44cc7f6c2b664f15b499c7d07c78c110861d2cc82787ddaad28a5af8efc3daac"`
			`id = "cd0d1fa2-5303-55f8-90a7-4a699ec79230"`
			`strings:`
			`$s1 = "Sysinternals" ascii fullword`
			`$s2 = "Test Copyright" wide fullword`

			`$op1 = { 0d 01 00 08 34 2e 38 30 2e 30 2e 30 00 00 13 01 }`
			`condition:`
			`uint16(0) == 0x5a4d and`
			`filesize < 2000KB and`
			`all of them`
			`}`