Sneed-Reactivity/yara-ReversingLabs/certificate/blocklist.yara


/*
YARA doesn't perform complete digital certificate chain validation.
This can cause unwanted matches for:
a) Files that are signed with non-verified, self-issued certificates
b) Files that fail integrity validation due to checksum mismatch
c) Files that have extra data appended after the certificate
It's also worth mentioning that the timestamp value in the condition is only
informative, since YARA doesn't extract timestamping certificate information.
This information could be used in combination with other tools to reduce
potential false positives.
ReversingLabs recommends using the Titanium platform for best results with certificate-based classifications.
References on the importance of certificate verification:
https://blog.reversinglabs.com/blog/tampering-with-signed-objects-without-breaking-the-integrity-seal
https://blog.reversinglabs.com/blog/breaking-the-windows-authenticode-security-model
https://blog.reversinglabs.com/blog/breaking-uefi-firmware-authenticode-security-model
https://blog.reversinglabs.com/blog/breaking-the-linux-authenticode-security-model
*/
import "pe"
// Leaked-certificate indicator: MZ file with any signature whose subject
// contains "*.google.com", this exact serial, and a not_after at or after the
// epoch constant below. Issuer is not compared.
// NOTE(review): (0..pe.number_of_signatures) is an inclusive range, so the last
// index is one past the final signature; that iteration reads undefined fields
// and should not match, but (0..pe.number_of_signatures - 1) is the exact
// bound. The same loop appears in the other rules shown in this listing.
rule cert_blocklist_05e2e6a4cd09ea54d665b075fe22A256 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "The digital certificate has leaked."
condition:
// 0x5A4D read little-endian at offset 0 is the "MZ" DOS header magic.
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "*.google.com" and
pe.signatures[i].serial == "05:e2:e6:a4:cd:09:ea:54:d6:65:b0:75:fe:22:a2:56" and
1308182400 <= pe.signatures[i].not_after
)
}
// Malware-signing certificate: subject contains "AND LLC", exact serial match,
// and not_after at or after the epoch constant below. Issuer is not compared.
// NOTE(review): "AND LLC" is a short substring and would also match inside a
// longer organisation name; the serial is what narrows the hit.
rule cert_blocklist_77019a082385e4b73f569569c9f87bb8 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "AND LLC" and
pe.signatures[i].serial == "77:01:9a:08:23:85:e4:b7:3f:56:95:69:c9:f8:7b:b8" and
1308182400 <= pe.signatures[i].not_after
)
}
// Leaked-certificate indicator: subject contains "Bit9, Inc", exact serial
// match, and not_after at or after the epoch constant below.
// A second rule in this file covers the same subject with a different serial.
rule cert_blocklist_4f2ef29ca5f96e5777b82c62f34fd3a6 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "The digital certificate has leaked."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Bit9, Inc" and
pe.signatures[i].serial == "4f:2e:f2:9c:a5:f9:6e:57:77:b8:2c:62:f3:4f:d3:a6" and
1342051200 <= pe.signatures[i].not_after
)
}
// Leaked-certificate indicator: subject contains "Bit9, Inc", exact serial
// match, and not_after at or after the epoch constant below.
// Same subject and threshold as the preceding Bit9 rule; only the serial differs.
rule cert_blocklist_7cc1db2ad0a290a4bfe7a5f336d6800c {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "The digital certificate has leaked."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Bit9, Inc" and
pe.signatures[i].serial == "7c:c1:db:2a:d0:a2:90:a4:bf:e7:a5:f3:36:d6:80:0c" and
1342051200 <= pe.signatures[i].not_after
)
}
// Malware-signing certificate: subject contains "Opera Software ASA", exact
// serial match, and not_after at or after the epoch constant below.
// A hit identifies the certificate named in the signature, not the file's
// author; issuer and chain validity are not checked here.
rule cert_blocklist_13c8351aece71c731158980f575f4133 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Opera Software ASA" and
pe.signatures[i].serial == "13:c8:35:1a:ec:e7:1c:73:11:58:98:0f:57:5f:41:33" and
1371513600 <= pe.signatures[i].not_after
)
}
// Malware-signing certificate: subject contains "IDAutomation.com", exact
// serial match, and not_after at or after the epoch constant below.
// Issuer is not compared.
rule cert_blocklist_4531954f6265304055f66ce4f624f95b {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "IDAutomation.com" and
pe.signatures[i].serial == "45:31:95:4f:62:65:30:40:55:f6:6c:e4:f6:24:f9:5b" and
1384819199 <= pe.signatures[i].not_after
)
}
// Careto-associated signing certificate (per the description): subject contains
// "TecSystem Ltd.", exact serial match, and not_after at or after the epoch
// constant below. A sibling rule covers a second serial for the same subject.
rule cert_blocklist_0e808f231515bc519eea1a73cdf3266f {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing Careto malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "TecSystem Ltd." and
pe.signatures[i].serial == "0e:80:8f:23:15:15:bc:51:9e:ea:1a:73:cd:f3:26:6f" and
1468799999 <= pe.signatures[i].not_after
)
}
// Careto-associated signing certificate (per the description): subject contains
// "TecSystem Ltd.", exact serial match, and not_after at or after the epoch
// constant below. Serial and threshold differ from the other TecSystem rule.
rule cert_blocklist_36be4ad457f062fa77d87595b8ccc8cf {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing Careto malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "TecSystem Ltd." and
pe.signatures[i].serial == "36:be:4a:d4:57:f0:62:fa:77:d8:75:95:b8:cc:c8:cf" and
1372377599 <= pe.signatures[i].not_after
)
}
// Zeus-associated signing certificate (per the description): subject contains
// "isonet ag", exact serial match, and not_after at or after the epoch constant
// below. `contains` is case-sensitive, so the lowercase spelling must match.
rule cert_blocklist_75a38507bf403b152125b8f5ce1b97ad {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing Zeus malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "isonet ag" and
pe.signatures[i].serial == "75:a3:85:07:bf:40:3b:15:21:25:b8:f5:ce:1b:97:ad" and
1395359999 <= pe.signatures[i].not_after
)
}
// Malware-signing certificate: subject contains
// "Henan Maijiamai Technology Co., Ltd.", exact serial match, and not_after at
// or after the epoch constant below. Issuer is not compared.
rule cert_blocklist_4effa8b216e24b16202940c1bc2fa8a5 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Henan Maijiamai Technology Co., Ltd." and
pe.signatures[i].serial == "4e:ff:a8:b2:16:e2:4b:16:20:29:40:c1:bc:2f:a8:a5" and
1404691199 <= pe.signatures[i].not_after
)
}
// Malware-signing certificate: subject contains
// "Open Source Developer, zhenganjun", exact serial match, and not_after at or
// after the epoch constant below. Issuer is not compared.
rule cert_blocklist_57d7153a89bbf4729be87f3c927043aa {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Open Source Developer, zhenganjun" and
pe.signatures[i].serial == "57:d7:15:3a:89:bb:f4:72:9b:e8:7f:3c:92:70:43:aa" and
1469059200 <= pe.signatures[i].not_after
)
}
// Malware-signing certificate: subject contains "Fortuna Games Co., Ltd.",
// exact serial match, and not_after at or after the epoch constant below.
// Issuer is not compared.
rule cert_blocklist_028e1deccf93d38ecf396118dfe908b4 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Fortuna Games Co., Ltd." and
pe.signatures[i].serial == "02:8e:1d:ec:cf:93:d3:8e:cf:39:61:18:df:e9:08:b4" and
1392163199 <= pe.signatures[i].not_after
)
}
// Malware-signing certificate: subject contains "Dali Feifang Tech Co.,LTD."
// (no space after the comma, as written), exact serial match, and not_after at
// or after the epoch constant below. Issuer is not compared.
rule cert_blocklist_40575df73eaa1b6140c7ef62c08bf216 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Dali Feifang Tech Co.,LTD." and
pe.signatures[i].serial == "40:57:5d:f7:3e:aa:1b:61:40:c7:ef:62:c0:8b:f2:16" and
1394063999 <= pe.signatures[i].not_after
)
}
// Malware-signing certificate: subject contains "Select'Assistance Pro", exact
// serial match, and not_after at or after the epoch constant below.
// Issuer is not compared.
rule cert_blocklist_049ce8c47f1f0e650cb086f0cfa7ca53 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Select'Assistance Pro" and
pe.signatures[i].serial == "04:9c:e8:c4:7f:1f:0e:65:0c:b0:86:f0:cf:a7:ca:53" and
1393804799 <= pe.signatures[i].not_after
)
}
// Malware-signing certificate: subject contains "Wemade Entertainment co.,Ltd",
// exact serial match, and not_after at or after the epoch constant below.
// Issuer is not compared.
rule cert_blocklist_29f42680e653cf8fafd0e935553f7e86 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Wemade Entertainment co.,Ltd" and
pe.signatures[i].serial == "29:f4:26:80:e6:53:cf:8f:af:d0:e9:35:55:3f:7e:86" and
1390175999 <= pe.signatures[i].not_after
)
}
// Malware-signing certificate: subject contains "William Richard John", exact
// serial match, and not_after at or after the epoch constant below.
// NOTE(review): the serial is only two bytes and the issuer is not compared;
// serial numbers are unique per issuer only, so corroborate a hit with the
// issuer or the certificate thumbprint before acting on it.
rule cert_blocklist_0c15 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "William Richard John" and
pe.signatures[i].serial == "0c:15" and
1387324799 <= pe.signatures[i].not_after
)
}
// Malware-signing certificate: subject contains "Dmitry Vasilev", exact serial
// match, and not_after at or after the epoch constant below.
// NOTE(review): the serial is only two bytes and the issuer is not compared;
// serial numbers are unique per issuer only, so corroborate a hit with the
// issuer or the certificate thumbprint before acting on it.
rule cert_blocklist_0c0f {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Dmitry Vasilev" and
pe.signatures[i].serial == "0c:0f" and
1386719999 <= pe.signatures[i].not_after
)
}
// Malware-signing certificate: subject contains "JOHN WILLIAM RICHARD"
// (upper case; `contains` is case-sensitive), exact serial match, and
// not_after at or after the epoch constant below. Issuer is not compared.
rule cert_blocklist_06a164ec5978497741ee6cec9966871b {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "JOHN WILLIAM RICHARD" and
pe.signatures[i].serial == "06:a1:64:ec:59:78:49:77:41:ee:6c:ec:99:66:87:1b" and
1385596799 <= pe.signatures[i].not_after
)
}
// Malware-signing certificate: subject contains
// "FRINORTE COMERCIO DE PECAS E SERVICOS LTDA - ME", exact match on the
// 18-byte serial, and not_after at or after the epoch constant below.
// Issuer is not compared.
rule cert_blocklist_1121ed568764e75be35574448feadefcd3bc {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "FRINORTE COMERCIO DE PECAS E SERVICOS LTDA - ME" and
pe.signatures[i].serial == "11:21:ed:56:87:64:e7:5b:e3:55:74:44:8f:ea:de:fc:d3:bc" and
1385337599 <= pe.signatures[i].not_after
)
}
// Malware-signing certificate: subject contains
// "Hohhot Handing Trade and Business Co., Ltd.", exact serial match, and
// not_after at or after the epoch constant below. Issuer is not compared.
rule cert_blocklist_6ed2450ceac0f72e73fda1727e66e654 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Hohhot Handing Trade and Business Co., Ltd." and
pe.signatures[i].serial == "6e:d2:45:0c:ea:c0:f7:2e:73:fd:a1:72:7e:66:e6:54" and
1376092799 <= pe.signatures[i].not_after
)
}
// Malware-signing certificate: subject contains "Ohanae", exact serial match,
// and not_after at or after the epoch constant below.
// NOTE(review): the subject substring is a single short word and the issuer is
// not compared; the serial carries most of the specificity here.
rule cert_blocklist_32665079c5a5854a6833623ca77ff5ac {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Ohanae" and
pe.signatures[i].serial == "32:66:50:79:c5:a5:85:4a:68:33:62:3c:a7:7f:f5:ac" and
1381967999 <= pe.signatures[i].not_after
)
}
// Malware-signing certificate: subject contains "FreeVox SA", exact serial
// match, and not_after at or after the epoch constant below.
// Issuer is not compared.
rule cert_blocklist_01a90094c83412c00cf98dd2eb0d7042 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "FreeVox SA" and
pe.signatures[i].serial == "01:a9:00:94:c8:34:12:c0:0c:f9:8d:d2:eb:0d:70:42" and
1376956799 <= pe.signatures[i].not_after
)
}
// Malware-signing certificate: subject contains "S2BVISIO BELGIQUE SA", exact
// serial match, and not_after at or after the epoch constant below.
// Issuer is not compared.
rule cert_blocklist_55efe24b9674855baf16e67716479c71 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "S2BVISIO BELGIQUE SA" and
pe.signatures[i].serial == "55:ef:e2:4b:96:74:85:5b:af:16:e6:77:16:47:9c:71" and
1374451199 <= pe.signatures[i].not_after
)
}
// Malware-signing certificate: subject contains "Porral Twinware S.L.L.", exact
// serial match, and not_after at or after the epoch constant below.
// Issuer is not compared.
rule cert_blocklist_094bf19d509d3074913995160b195b6c {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Porral Twinware S.L.L." and
pe.signatures[i].serial == "09:4b:f1:9d:50:9d:30:74:91:39:95:16:0b:19:5b:6c" and
1373241599 <= pe.signatures[i].not_after
)
}
// Malware-signing certificate: subject contains "I.ST.SAN. Srl", exact serial
// match, and not_after at or after the epoch constant below.
// Issuer is not compared.
rule cert_blocklist_0a77cf3ba49b64e6cbe5fb4a6a6aacc6 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "I.ST.SAN. Srl" and
pe.signatures[i].serial == "0a:77:cf:3b:a4:9b:64:e6:cb:e5:fb:4a:6a:6a:ac:c6" and
1371081599 <= pe.signatures[i].not_after
)
}
// Malware-signing certificate: subject contains "PlanView, Inc.", exact serial
// match, and not_after at or after the epoch constant below.
// Issuer is not compared.
rule cert_blocklist_1f4c22da1107d20c1eda04569d58e573 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "PlanView, Inc." and
pe.signatures[i].serial == "1f:4c:22:da:11:07:d2:0c:1e:da:04:56:9d:58:e5:73" and
1366156799 <= pe.signatures[i].not_after
)
}
// Malware-signing certificate: subject contains
// "Xinghua Yile Network Tech Co.,Ltd.", exact serial match, and not_after at or
// after the epoch constant below. Issuer is not compared.
rule cert_blocklist_4fe68d48634893d18de040d8f1c289d2 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Xinghua Yile Network Tech Co.,Ltd." and
pe.signatures[i].serial == "4f:e6:8d:48:63:48:93:d1:8d:e0:40:d8:f1:c2:89:d2" and
1371081600 <= pe.signatures[i].not_after
)
}
// Malware-signing certificate: subject contains
// "Guangzhou typical corner Network Technology Co., Ltd.", exact serial match,
// and not_after at or after the epoch constant below. Issuer is not compared.
rule cert_blocklist_6767def972d6ea702d8c8a53af1832d3 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Guangzhou typical corner Network Technology Co., Ltd." and
pe.signatures[i].serial == "67:67:de:f9:72:d6:ea:70:2d:8c:8a:53:af:18:32:d3" and
1361750400 <= pe.signatures[i].not_after
)
}
// Malware-signing certificate: subject contains "Karim Lammali", exact serial
// match, and not_after at or after the epoch constant below.
// Issuer is not compared.
rule cert_blocklist_06477e3425f1448995ced539789e6842 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Karim Lammali" and
pe.signatures[i].serial == "06:47:7e:34:25:f1:44:89:95:ce:d5:39:78:9e:68:42" and
1334275199 <= pe.signatures[i].not_after
)
}
// Malware-signing certificate: subject contains "PS Partnership", exact serial
// match, and not_after at or after the epoch constant below.
// Issuer is not compared.
rule cert_blocklist_0450a7c1c36951da09c8ad0e7f716ff2 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "PS Partnership" and
pe.signatures[i].serial == "04:50:a7:c1:c3:69:51:da:09:c8:ad:0e:7f:71:6f:f2" and
1362182399 <= pe.signatures[i].not_after
)
}
// Malware-signing certificate: subject contains "The Motivo Group, Inc.", exact
// serial match, and not_after at or after the epoch constant below.
// Issuer is not compared.
rule cert_blocklist_0f9fbdab9b39645cf3211f87abb5ddb7 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "The Motivo Group, Inc." and
pe.signatures[i].serial == "0f:9f:bd:ab:9b:39:64:5c:f3:21:1f:87:ab:b5:dd:b7" and
1361318399 <= pe.signatures[i].not_after
)
}
// Malware-signing certificate: subject contains "yinsheng xie", exact serial
// match, and not_after at or after the epoch constant below.
// Issuer is not compared.
rule cert_blocklist_4211d2e4f0e87127319302c55b85bcf2 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "yinsheng xie" and
pe.signatures[i].serial == "42:11:d2:e4:f0:e8:71:27:31:93:02:c5:5b:85:bc:f2" and
1360713599 <= pe.signatures[i].not_after
)
}
// Malware-signing certificate: subject contains "Buster Paper Comercial Ltda",
// exact serial match, and not_after at or after the epoch constant below.
// Issuer is not compared.
rule cert_blocklist_07b44cdbfffb78de05f4261672a67312 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Buster Paper Comercial Ltda" and
pe.signatures[i].serial == "07:b4:4c:db:ff:fb:78:de:05:f4:26:16:72:a6:73:12" and
1359503999 <= pe.signatures[i].not_after
)
}
// Malware-signing certificate: subject contains "NOX Entertainment Co., Ltd",
// exact serial match, and not_after at or after the epoch constant below.
// Issuer is not compared.
rule cert_blocklist_4f8b9a1ba5e60c754dbb40ddee7905e2 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "NOX Entertainment Co., Ltd" and
pe.signatures[i].serial == "4f:8b:9a:1b:a5:e6:0c:75:4d:bb:40:dd:ee:79:05:e2" and
1348617599 <= pe.signatures[i].not_after
)
}
// Malware-signing certificate: subject contains
// "BUSTER ASSISTENCIA TECNICA ELETRONICA LTDA - ME", exact serial match, and
// not_after at or after the epoch constant below. Issuer is not compared.
rule cert_blocklist_0a389b95ee736dd13bc0ed743fd74d2f {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "BUSTER ASSISTENCIA TECNICA ELETRONICA LTDA - ME" and
pe.signatures[i].serial == "0a:38:9b:95:ee:73:6d:d1:3b:c0:ed:74:3f:d7:4d:2f" and
1351814399 <= pe.signatures[i].not_after
)
}
// Malware-signing certificate: subject contains "salvatore macchiarella", exact
// serial match, and not_after at or after the epoch constant below.
// Issuer is not compared.
rule cert_blocklist_1a3faaeb3a8b93b2394fec36345996e6 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "salvatore macchiarella" and
pe.signatures[i].serial == "1a:3f:aa:eb:3a:8b:93:b2:39:4f:ec:36:34:59:96:e6" and
1468454400 <= pe.signatures[i].not_after
)
}
// Malware-signing certificate: subject contains "cd ingegneri associati srl",
// exact serial match, and not_after at or after the epoch constant below.
// Issuer is not compared.
rule cert_blocklist_1a35acce5b0c77206b1c3dc2a6a2417c {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "cd ingegneri associati srl" and
pe.signatures[i].serial == "1a:35:ac:ce:5b:0c:77:20:6b:1c:3d:c2:a6:a2:41:7c" and
1166054399 <= pe.signatures[i].not_after
)
}
// Malware-signing certificate: subject contains "My Free Internet Update",
// exact serial match, and not_after at or after the epoch constant below.
// Issuer is not compared.
rule cert_blocklist_6eb40ea11eaac847b050de9b59e25bdc {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "My Free Internet Update" and
pe.signatures[i].serial == "6e:b4:0e:a1:1e:aa:c8:47:b0:50:de:9b:59:e2:5b:dc" and
1062201599 <= pe.signatures[i].not_after
)
}
// Malware-signing certificate: subject contains "YNK JAPAN Inc", exact serial
// match, and not_after at or after the epoch constant below.
// Issuer is not compared.
rule cert_blocklist_6724340ddbc7252f7fb714b812a5c04d {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "YNK JAPAN Inc" and
pe.signatures[i].serial == "67:24:34:0d:db:c7:25:2f:7f:b7:14:b8:12:a5:c0:4d" and
1306195199 <= pe.signatures[i].not_after
)
}
// Malware-signing certificate: subject contains "Les Garcons s'habillent",
// exact serial match, and not_after at or after the epoch constant below.
// Issuer is not compared.
rule cert_blocklist_0813ee9b7b9d7c46001d6bc8784df1dd {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Les Garcons s'habillent" and
pe.signatures[i].serial == "08:13:ee:9b:7b:9d:7c:46:00:1d:6b:c8:78:4d:f1:dd" and
1334707199 <= pe.signatures[i].not_after
)
}
// Malware-signing certificate: escaped non-ASCII subject, exact serial match,
// and not_after at or after the epoch constant below. Issuer is not compared.
// NOTE(review): each "\\x.." in the subject literal is an escaped backslash
// followed by hex digits, so the rule looks for the literal text "\xE6\x97..."
// in the subject string rather than raw bytes. That presumably mirrors how the
// pe module renders non-ASCII subject bytes; confirm against the YARA version
// in use, since a different rendering would make this rule never match.
rule cert_blocklist_530591c61b5e1212f659138b7cea0a97 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "\\xE6\\x97\\xA5\\xE7\\x85\\xA7\\xE5\\xB3\\xB0\\xE5\\xB7\\x9D\\xE5\\x9B\\xBD\\xE9\\x99\\x85\\xE7\\x9F\\xBF\\xE4\\xB8\\x9A\\xE8\\xB4\\xB8\\xE6\\x98\\x93\\xE6\\x9C\\x89\\xE9\\x99\\x90\\xE5\\x85\\xAC\\xE5\\x8F\\xB8" and
pe.signatures[i].serial == "53:05:91:c6:1b:5e:12:12:f6:59:13:8b:7c:ea:0a:97" and
1403654399 <= pe.signatures[i].not_after
)
}
// Leaked-certificate indicator: subject contains "DigiNotar Cyber CA", exact
// serial match, and not_after at or after the epoch constant below.
// NOTE(review): four-byte serial with no issuer comparison; serials are unique
// per issuer only, so corroborate a hit with the issuer or thumbprint.
rule cert_blocklist_07270ff9 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "The digital certificate has leaked."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "DigiNotar Cyber CA" and
pe.signatures[i].serial == "07:27:0f:f9" and
1308182400 <= pe.signatures[i].not_after
)
}
// Leaked-certificate indicator: subject contains "DigiNotar Cyber CA", exact
// serial match, and not_after at or after the epoch constant below.
// NOTE(review): four-byte serial with no issuer comparison; serials are unique
// per issuer only, so corroborate a hit with the issuer or thumbprint.
rule cert_blocklist_0727100d {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "The digital certificate has leaked."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "DigiNotar Cyber CA" and
pe.signatures[i].serial == "07:27:10:0d" and
1308182400 <= pe.signatures[i].not_after
)
}
// Leaked-certificate indicator: subject contains "DigiNotar Cyber CA", exact
// serial match, and not_after at or after the epoch constant below.
// NOTE(review): four-byte serial with no issuer comparison; serials are unique
// per issuer only, so corroborate a hit with the issuer or thumbprint.
rule cert_blocklist_07271003 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "The digital certificate has leaked."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "DigiNotar Cyber CA" and
pe.signatures[i].serial == "07:27:10:03" and
1308182400 <= pe.signatures[i].not_after
)
}
// Leaked-certificate indicator: subject contains
// "DigiNotar PKIoverheid CA Organisatie - G2", exact serial match, and
// not_after at or after the epoch constant below.
// NOTE(review): four-byte serial with no issuer comparison; corroborate a hit
// with the issuer or thumbprint.
rule cert_blocklist_013134bf {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "The digital certificate has leaked."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "DigiNotar PKIoverheid CA Organisatie - G2" and
pe.signatures[i].serial == "01:31:34:bf" and
1308182400 <= pe.signatures[i].not_after
)
}
// Leaked-certificate indicator: subject contains
// "DigiNotar PKIoverheid CA Overheid", exact serial match, and not_after at or
// after the epoch constant below.
// `contains` is a substring test, so this subject string also occurs inside
// "DigiNotar PKIoverheid CA Overheid en Bedrijven"; the serial separates them.
rule cert_blocklist_01314476 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "The digital certificate has leaked."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "DigiNotar PKIoverheid CA Overheid" and
pe.signatures[i].serial == "01:31:44:76" and
1308182400 <= pe.signatures[i].not_after
)
}
// Leaked-certificate indicator: subject contains
// "DigiNotar PKIoverheid CA Overheid en Bedrijven", exact serial match, and
// not_after at or after the epoch constant below.
// NOTE(review): four-byte serial with no issuer comparison; corroborate a hit
// with the issuer or thumbprint.
rule cert_blocklist_013169b0 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "The digital certificate has leaked."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "DigiNotar PKIoverheid CA Overheid en Bedrijven" and
pe.signatures[i].serial == "01:31:69:b0" and
1308182400 <= pe.signatures[i].not_after
)
}
// Leaked-certificate indicator: subject contains "DigiNotar Root CA", exact
// 16-byte serial match, and not_after at or after the epoch constant below.
// The substring also occurs in "DigiNotar Root CA G2"; the serial decides.
rule cert_blocklist_0c76da9c910c4e2c9efe15d058933c4c {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "The digital certificate has leaked."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "DigiNotar Root CA" and
pe.signatures[i].serial == "0c:76:da:9c:91:0c:4e:2c:9e:fe:15:d0:58:93:3c:4c" and
1308182400 <= pe.signatures[i].not_after
)
}
// Leaked-certificate indicator: subject contains "DigiNotar Root CA", exact
// serial match, and not_after at or after the epoch constant below.
// NOTE(review): four-byte serial with no issuer comparison; corroborate a hit
// with the issuer or thumbprint.
rule cert_blocklist_469c2caf {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "The digital certificate has leaked."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "DigiNotar Root CA" and
pe.signatures[i].serial == "46:9c:2c:af" and
1308182400 <= pe.signatures[i].not_after
)
}
// Leaked-certificate indicator: subject contains "DigiNotar Root CA", exact
// serial match, and not_after at or after the epoch constant below.
// NOTE(review): four-byte serial with no issuer comparison; corroborate a hit
// with the issuer or thumbprint.
rule cert_blocklist_469c3cc9 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "The digital certificate has leaked."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "DigiNotar Root CA" and
pe.signatures[i].serial == "46:9c:3c:c9" and
1308182400 <= pe.signatures[i].not_after
)
}
// Leaked-certificate indicator: subject contains "DigiNotar Root CA G2", exact
// serial match, and not_after at or after the epoch constant below.
// Issuer is not compared.
rule cert_blocklist_0a82bd1e144e8814d75b1a5527bebf3e {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "The digital certificate has leaked."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "DigiNotar Root CA G2" and
pe.signatures[i].serial == "0a:82:bd:1e:14:4e:88:14:d7:5b:1a:55:27:be:bf:3e" and
1308182400 <= pe.signatures[i].not_after
)
}
// Leaked-certificate indicator: subject contains "DigiNotar Services 1024 CA",
// exact serial match, and not_after at or after the epoch constant below.
// NOTE(review): four-byte serial with no issuer comparison; corroborate a hit
// with the issuer or thumbprint.
rule cert_blocklist_469c2cb0 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "The digital certificate has leaked."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "DigiNotar Services 1024 CA" and
pe.signatures[i].serial == "46:9c:2c:b0" and
1308182400 <= pe.signatures[i].not_after
)
}
// Malware-signing certificate: subject contains
// "Digisign Server ID - (Enrich)", exact serial match, and not_after at or
// after the epoch constant below.
// NOTE(review): four-byte serial with no issuer comparison; corroborate a hit
// with the issuer or thumbprint.
rule cert_blocklist_4c0e636a {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Digisign Server ID - (Enrich)" and
pe.signatures[i].serial == "4c:0e:63:6a" and
1320191999 <= pe.signatures[i].not_after
)
}
// Malware-signing certificate: subject contains "Digisign Server ID (Enrich)"
// (no " - " separator, unlike the preceding Digisign rule), exact serial match,
// and not_after at or after the epoch constant below.
// NOTE(review): four-byte serial with no issuer comparison; corroborate a hit
// with the issuer or thumbprint.
rule cert_blocklist_072714a9 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Digisign Server ID (Enrich)" and
pe.signatures[i].serial == "07:27:14:a9" and
1320191999 <= pe.signatures[i].not_after
)
}
// Malware-signing certificate: subject contains "global trustee", either of two
// serial spellings, and not_after at or after the epoch constant below.
// The serial is accepted with and without the leading 00 byte; presumably this
// covers both renderings of a serial whose first significant byte has the high
// bit set - confirm against the YARA version in use.
rule cert_blocklist_00d8f35f4eb7872b2dab0692e315382fb0 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "global trustee" and (
pe.signatures[i].serial == "00:d8:f3:5f:4e:b7:87:2b:2d:ab:06:92:e3:15:38:2f:b0" or
pe.signatures[i].serial == "d8:f3:5f:4e:b7:87:2b:2d:ab:06:92:e3:15:38:2f:b0"
) and
1300060800 <= pe.signatures[i].not_after
)
}
// Leaked-certificate indicator: subject contains "Microsoft Corporation", exact
// serial match, and not_after at or after the epoch constant below.
// The subject string is common in legitimately signed files, so the serial is
// the discriminating field; issuer and chain validity are not checked here.
rule cert_blocklist_750e40ff97f047edf556c7084eb1abfd {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "The digital certificate has leaked."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Microsoft Corporation" and
pe.signatures[i].serial == "75:0e:40:ff:97:f0:47:ed:f5:56:c7:08:4e:b1:ab:fd" and
980899199 <= pe.signatures[i].not_after
)
}
// Leaked-certificate indicator: subject contains "Microsoft Corporation", exact
// serial match, and not_after at or after the epoch constant below.
// The subject string is common in legitimately signed files, so the serial is
// the discriminating field; issuer and chain validity are not checked here.
rule cert_blocklist_1b5190f73724399c9254cd424637996a {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "The digital certificate has leaked."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Microsoft Corporation" and
pe.signatures[i].serial == "1b:51:90:f7:37:24:39:9c:92:54:cd:42:46:37:99:6a" and
980812799 <= pe.signatures[i].not_after
)
}
// Leaked-certificate indicator: subject contains
// "Microsoft Enforced Licensing Intermediate PCA" and the serial matches with
// or without the leading 00 byte.
// This rule has no not_after comparison: subject substring and serial alone
// decide the match.
rule cert_blocklist_00ebaa11d62e2481081820 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "The digital certificate has leaked."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Microsoft Enforced Licensing Intermediate PCA" and (
pe.signatures[i].serial == "00:eb:aa:11:d6:2e:24:81:08:18:20" or
pe.signatures[i].serial == "eb:aa:11:d6:2e:24:81:08:18:20"
)
)
}
// Leaked-certificate indicator: subject contains
// "Microsoft Enforced Licensing Intermediate PCA" with this exact serial.
// This rule has no not_after comparison: subject substring and serial alone
// decide the match.
rule cert_blocklist_3aab11dee52f1b19d056 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "The digital certificate has leaked."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Microsoft Enforced Licensing Intermediate PCA" and
pe.signatures[i].serial == "3a:ab:11:de:e5:2f:1b:19:d0:56"
)
}
// Leaked-certificate indicator: subject contains
// "Microsoft Enforced Licensing Registration Authority CA (SHA1)" with this
// exact serial.
// This rule has no not_after comparison: subject substring and serial alone
// decide the match.
rule cert_blocklist_6102b01900000000002f {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "The digital certificate has leaked."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Microsoft Enforced Licensing Registration Authority CA (SHA1)" and
pe.signatures[i].serial == "61:02:b0:19:00:00:00:00:00:2f"
)
}
// Leaked-certificate indicator: subject contains
// "Sony Pictures Entertainment Inc.", exact serial match, and not_after at or
// after the epoch constant below.
// A hit identifies the certificate named in the signature, not the file's
// author; issuer and chain validity are not checked here.
rule cert_blocklist_01e2b4f759811c64379fca0be76d2dce {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "The digital certificate has leaked."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Sony Pictures Entertainment Inc." and
pe.signatures[i].serial == "01:e2:b4:f7:59:81:1c:64:37:9f:ca:0b:e7:6d:2d:ce" and
1417651200 <= pe.signatures[i].not_after
)
}
// Malware-signing certificate: subject contains "MOCOMSYS INC", exact serial
// match, and not_after at or after the epoch constant below.
// Issuer is not compared.
rule cert_blocklist_03e5a010b05c9287f823c2585f547b80 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "MOCOMSYS INC" and
pe.signatures[i].serial == "03:e5:a0:10:b0:5c:92:87:f8:23:c2:58:5f:54:7b:80" and
1385423999 <= pe.signatures[i].not_after
)
}
// Malware-signing certificate: subject contains "PIXELPLUS CO., LTD.", exact
// serial match, and not_after at or after the epoch constant below.
// Issuer is not compared.
rule cert_blocklist_0fe7df6c4b9a33b83d04e23e98a77cce {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "PIXELPLUS CO., LTD." and
pe.signatures[i].serial == "0f:e7:df:6c:4b:9a:33:b8:3d:04:e2:3e:98:a7:7c:ce" and
1396310399 <= pe.signatures[i].not_after
)
}
// Flags PE files carrying a certificate for "Police Mutual Aid Association"
// with this serial, recorded upstream as used to sign malware.
// The subject test is a substring match, so longer subjects that contain this
// text also satisfy it; the exact serial is the discriminating field.
rule cert_blocklist_065569a3e261409128a40affa90d6d10 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Police Mutual Aid Association" and
pe.signatures[i].serial == "06:55:69:a3:e2:61:40:91:28:a4:0a:ff:a9:0d:6d:10" and
// Validity-end gate (Unix time); not a check of when the file was signed.
1381795199 <= pe.signatures[i].not_after
)
}
// Flags PE files carrying a certificate whose subject contains "Jessica Karam"
// and whose serial matches, recorded upstream as used to sign malware.
// YARA does not validate the chain, so a self-issued certificate that copies
// these two fields would also match; verify hits with a real signature check.
rule cert_blocklist_0979616733e062c544df0abd315e3b92 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// Pre-filter: 0x5A4D at offset 0 is the little-endian read of "MZ".
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Jessica Karam" and
pe.signatures[i].serial == "09:79:61:67:33:e0:62:c5:44:df:0a:bd:31:5e:3b:92" and
1408319999 <= pe.signatures[i].not_after
)
}
// Flags PE files carrying a certificate for "Banco do Brasil S.A." with this
// serial, recorded upstream as used to sign malware.
// The rule identifies the certificate only; it says nothing about who produced
// the file, and the chain is not validated by YARA.
rule cert_blocklist_7d3250b27e0547c77307030491b42802 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Banco do Brasil S.A." and
pe.signatures[i].serial == "7d:32:50:b2:7e:05:47:c7:73:07:03:04:91:b4:28:02" and
// not_after (certificate expiry, Unix time) must be at or after the literal.
1412207999 <= pe.signatures[i].not_after
)
}
// Flags PE files carrying a certificate for "MINDSTORM LLC" with this serial,
// recorded upstream as used to sign malware.
rule cert_blocklist_00d1836bd37c331a67 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "MINDSTORM LLC" and (
// The same serial is accepted with and without the leading 00 byte -
// presumably because pe-module builds differ in whether they print the
// DER sign-padding byte. Keep both spellings when editing.
pe.signatures[i].serial == "00:d1:83:6b:d3:7c:33:1a:67" or
pe.signatures[i].serial == "d1:83:6b:d3:7c:33:1a:67"
) and
// Validity-end gate (Unix time).
1422835199 <= pe.signatures[i].not_after
)
}
// Flags PE files signed with an "Adobe Systems" certificate that upstream
// records as leaked. Several sibling rules in this file share the subject and
// date gate and differ only in the serial.
// YARA does not validate the chain; confirm hits with an Authenticode verifier.
rule cert_blocklist_2ca028d1a4de0eb743135edecf74d7af {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "The digital certificate has leaked."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Adobe Systems" and
pe.signatures[i].serial == "2c:a0:28:d1:a4:de:0e:b7:43:13:5e:de:cf:74:d7:af" and
// 1341792000 is 2012-07-09 00:00:00 UTC; the test compares it with the
// certificate's expiry (not_after), not with the signing time.
1341792000 <= pe.signatures[i].not_after
)
}
// Flags PE files signed with an "Adobe Systems" certificate (this serial) that
// upstream records as leaked.
// NOTE(review): the serial's first byte has its high bit set; other rules in
// this file also accept a "00:"-prefixed spelling for such serials, this one
// does not - check which form your YARA build reports.
rule cert_blocklist_dbb14dcf973eada14ece7ea79c895c11 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "The digital certificate has leaked."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Adobe Systems" and
pe.signatures[i].serial == "db:b1:4d:cf:97:3e:ad:a1:4e:ce:7e:a7:9c:89:5c:11" and
// Expiry gate: not_after at or after 2012-07-09 00:00:00 UTC.
1341792000 <= pe.signatures[i].not_after
)
}
// Flags PE files signed with an "Adobe Systems" certificate (this serial) that
// upstream records as leaked.
// The issuer is not checked; serial numbers are only unique per issuing CA.
// NOTE(review): high-bit first byte and no "00:"-prefixed alternative, unlike
// some other rules in this file - confirm the form your YARA build reports.
rule cert_blocklist_f8c2239de3977b8d4a3dcbedc9031a51 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "The digital certificate has leaked."
condition:
// Pre-filter on the "MZ" magic.
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Adobe Systems" and
pe.signatures[i].serial == "f8:c2:23:9d:e3:97:7b:8d:4a:3d:cb:ed:c9:03:1a:51" and
// Expiry gate: not_after at or after 2012-07-09 00:00:00 UTC.
1341792000 <= pe.signatures[i].not_after
)
}
// Flags PE files signed with an "Adobe Systems" certificate (this serial) that
// upstream records as leaked.
// A hit proves only that the certificate is present; YARA verifies neither the
// file digest nor the chain.
// NOTE(review): high-bit first byte, no "00:"-prefixed alternative - confirm.
rule cert_blocklist_caad8222705d3fb3430e114a31c8c6a4 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "The digital certificate has leaked."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Adobe Systems" and
pe.signatures[i].serial == "ca:ad:82:22:70:5d:3f:b3:43:0e:11:4a:31:c8:c6:a4" and
// Expiry gate: not_after at or after 2012-07-09 00:00:00 UTC.
1341792000 <= pe.signatures[i].not_after
)
}
// Flags PE files signed with an "Adobe Systems" certificate (this serial) that
// upstream records as leaked.
// NOTE(review): high-bit first byte, no "00:"-prefixed alternative as some
// other rules in this file provide - confirm against your YARA build.
rule cert_blocklist_b191812516e6618d49e6ccf5e63dc343 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "The digital certificate has leaked."
condition:
uint16(0) == 0x5A4D and
// Inclusive range: the final index is one past the last signature and
// should evaluate as undefined rather than match.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Adobe Systems" and
pe.signatures[i].serial == "b1:91:81:25:16:e6:61:8d:49:e6:cc:f5:e6:3d:c3:43" and
// Expiry gate: not_after at or after 2012-07-09 00:00:00 UTC.
1341792000 <= pe.signatures[i].not_after
)
}
// Flags PE files signed with an "Adobe Systems" certificate (this serial) that
// upstream records as leaked.
// YARA does not validate the chain, so a self-issued certificate copying the
// subject and serial would also match; verify hits independently.
rule cert_blocklist_4ba7fb8ee1deff8f4a1525e1e0580057 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "The digital certificate has leaked."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Adobe Systems" and
pe.signatures[i].serial == "4b:a7:fb:8e:e1:de:ff:8f:4a:15:25:e1:e0:58:00:57" and
// Expiry gate: not_after at or after 2012-07-09 00:00:00 UTC.
1341792000 <= pe.signatures[i].not_after
)
}
// Flags PE files signed with an "Adobe Systems" certificate (this serial) that
// upstream records as leaked.
// The subject test is a substring match; the exact serial carries the
// specificity. The issuer is not compared.
rule cert_blocklist_2df9f7eb6cdc5ca243b33122e3941e25 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "The digital certificate has leaked."
condition:
// Pre-filter: file begins with "MZ".
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Adobe Systems" and
pe.signatures[i].serial == "2d:f9:f7:eb:6c:dc:5c:a2:43:b3:31:22:e3:94:1e:25" and
// Expiry gate: not_after at or after 2012-07-09 00:00:00 UTC.
1341792000 <= pe.signatures[i].not_after
)
}
// Flags PE files signed with an "Adobe Systems" certificate (this serial) that
// upstream records as leaked.
// Treat a hit as triage information: files signed legitimately with the same
// certificate match as well, and YARA does not validate the chain.
rule cert_blocklist_58a541d50f9e2fab4380c6a2ed433b82 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "The digital certificate has leaked."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Adobe Systems" and
pe.signatures[i].serial == "58:a5:41:d5:0f:9e:2f:ab:43:80:c6:a2:ed:43:3b:82" and
// Expiry gate: not_after at or after 2012-07-09 00:00:00 UTC.
1341792000 <= pe.signatures[i].not_after
)
}
// Flags PE files signed with an "Adobe Systems" certificate (this serial) that
// upstream records as leaked.
// Because the gate looks at certificate expiry only, the rule cannot tell
// files signed before the leak from files signed after it.
rule cert_blocklist_5f273626859ae4bc4becbbeb71e2ab2d {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "The digital certificate has leaked."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Adobe Systems" and
pe.signatures[i].serial == "5f:27:36:26:85:9a:e4:bc:4b:ec:bb:eb:71:e2:ab:2d" and
// Expiry gate: not_after at or after 2012-07-09 00:00:00 UTC.
1341792000 <= pe.signatures[i].not_after
)
}
// Flags PE files signed with an "Adobe Systems" certificate (this serial) that
// upstream records as leaked.
// NOTE(review): the serial's first byte has its high bit set and only one
// spelling is listed, whereas some other rules in this file also accept a
// "00:"-prefixed form - confirm which one your YARA build reports.
rule cert_blocklist_b1ad46ce4db160b348c24f66c9663178 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "The digital certificate has leaked."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Adobe Systems" and
pe.signatures[i].serial == "b1:ad:46:ce:4d:b1:60:b3:48:c2:4f:66:c9:66:31:78" and
// Expiry gate: not_after at or after 2012-07-09 00:00:00 UTC.
1341792000 <= pe.signatures[i].not_after
)
}
// Flags PE files carrying a certificate for "HON HAI PRECISION INDUSTRY CO.
// LTD." with this serial, recorded upstream as used to sign malware.
// The rule identifies the certificate only; YARA does not validate the chain,
// so confirm a hit with a full Authenticode verifier.
rule cert_blocklist_256541e204619033f8b09f9eb7c88ef8 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// Pre-filter on the "MZ" magic.
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "HON HAI PRECISION INDUSTRY CO. LTD." and
pe.signatures[i].serial == "25:65:41:e2:04:61:90:33:f8:b0:9f:9e:b7:c8:8e:f8" and
// Validity-end gate (Unix time).
1424303999 <= pe.signatures[i].not_after
)
}
// Flags PE files carrying a certificate whose subject contains "Syngenta" and
// whose serial matches; upstream associates it with GovRAT.
rule cert_blocklist_00e8cc18cf100b6b27443ef26319398734 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing GovRAT malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Syngenta" and (
// Both spellings of the serial are accepted, with and without the leading
// 00 byte - presumably to cover pe-module builds that do or do not print
// the DER sign-padding byte.
pe.signatures[i].serial == "00:e8:cc:18:cf:10:0b:6b:27:44:3e:f2:63:19:39:87:34" or
pe.signatures[i].serial == "e8:cc:18:cf:10:0b:6b:27:44:3e:f2:63:19:39:87:34"
) and
// 1404172799 is 2014-06-30 23:59:59 UTC, compared with certificate expiry.
1404172799 <= pe.signatures[i].not_after
)
}
// Flags PE files carrying a certificate for "AFINA Fintek" with this serial;
// upstream associates it with GovRAT.
// The description names a family, but the condition only tests certificate
// fields - it does not inspect code, so it is not a family signature by itself.
rule cert_blocklist_62af28a7657ba8ab10fa8e2d47250c69 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing GovRAT malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "AFINA Fintek" and
pe.signatures[i].serial == "62:af:28:a7:65:7b:a8:ab:10:fa:8e:2d:47:25:0c:69" and
// Expiry gate: not_after at or after 2014-06-30 23:59:59 UTC.
1404172799 <= pe.signatures[i].not_after
)
}
// Flags PE files carrying a certificate whose subject contains
// "Open Source Developer, SINGH ADITYA" with this serial; upstream associates
// it with GovRAT.
// YARA does not validate the chain; confirm hits with an Authenticode verifier.
rule cert_blocklist_04c8eca7243208a110dea926c7ad89ce {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing GovRAT malware."
condition:
// Pre-filter: first two bytes are "MZ".
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Open Source Developer, SINGH ADITYA" and
pe.signatures[i].serial == "04:c8:ec:a7:24:32:08:a1:10:de:a9:26:c7:ad:89:ce" and
// Expiry gate: not_after at or after 2014-06-30 23:59:59 UTC.
1404172799 <= pe.signatures[i].not_after
)
}
// Flags PE files carrying a certificate for "Favorite-III" with this serial;
// upstream associates it with GovRAT.
// The issuer is not checked; serial numbers are only unique per issuing CA, so
// the subject substring is what narrows the match.
rule cert_blocklist_157c3a4a6bcf35cf8453e6b6c0072e1d {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing GovRAT malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Favorite-III" and
pe.signatures[i].serial == "15:7c:3a:4a:6b:cf:35:cf:84:53:e6:b6:c0:07:2e:1d" and
// Expiry gate: not_after at or after 2014-06-30 23:59:59 UTC.
1404172799 <= pe.signatures[i].not_after
)
}
// Flags PE files carrying a certificate whose subject contains
// "Open Source Developer, Muhammad Lee" with this serial; upstream associates
// it with GovRAT.
// A hit shows certificate presence only; neither file digest nor chain is
// verified by YARA.
rule cert_blocklist_04422f12037bc2032521dbb6ae02ea0e {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing GovRAT malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Open Source Developer, Muhammad Lee" and
pe.signatures[i].serial == "04:42:2f:12:03:7b:c2:03:25:21:db:b6:ae:02:ea:0e" and
// Expiry gate: not_after at or after 2014-06-30 23:59:59 UTC.
1404172799 <= pe.signatures[i].not_after
)
}
// Flags PE files carrying a certificate whose subject contains
// "Open Source Developer, BHARATH KUCHANGI" with this serial; upstream
// associates it with GovRAT.
// The comparison of subject text is case-sensitive ("contains", not
// "icontains"), so the capitalisation in the literal matters.
rule cert_blocklist_65eae6c98111dc40bf4f962bf27227f2 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing GovRAT malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Open Source Developer, BHARATH KUCHANGI" and
pe.signatures[i].serial == "65:ea:e6:c9:81:11:dc:40:bf:4f:96:2b:f2:72:27:f2" and
// Expiry gate: not_after at or after 2014-06-30 23:59:59 UTC.
1404172799 <= pe.signatures[i].not_after
)
}
// Flags PE files carrying a certificate whose subject contains
// "Open Source Developer, Marc Chapon" with this serial; upstream associates
// it with GovRAT.
// YARA does not validate the chain, so a self-issued look-alike certificate
// would also match; verify hits independently.
rule cert_blocklist_12d5a4b29fe6156d4195fba55ae0d9a9 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing GovRAT malware."
condition:
// Pre-filter on the "MZ" magic.
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Open Source Developer, Marc Chapon" and
pe.signatures[i].serial == "12:d5:a4:b2:9f:e6:15:6d:41:95:fb:a5:5a:e0:d9:a9" and
// Expiry gate: not_after at or after 2014-06-30 23:59:59 UTC.
1404172799 <= pe.signatures[i].not_after
)
}
// Flags PE files carrying a certificate for "AMO-K Limited Liability Company"
// with this serial; upstream associates it with GovRAT.
rule cert_blocklist_0087d60d1e2b9374eb7a735dce4bbdae56 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing GovRAT malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "AMO-K Limited Liability Company" and (
// Same serial in two spellings (with / without the leading 00 byte),
// presumably to stay compatible across pe-module serial formatting.
pe.signatures[i].serial == "00:87:d6:0d:1e:2b:93:74:eb:7a:73:5d:ce:4b:bd:ae:56" or
pe.signatures[i].serial == "87:d6:0d:1e:2b:93:74:eb:7a:73:5d:ce:4b:bd:ae:56"
) and
// Expiry gate: not_after at or after 2014-06-30 23:59:59 UTC.
1404172799 <= pe.signatures[i].not_after
)
}
// Flags PE files carrying a certificate whose subject contains
// "Open Source Developer, Tony Yeh" with this serial, recorded upstream as
// used to sign malware.
// The issuer is not compared; the serial is only unique within one CA.
rule cert_blocklist_0860c8a7ed18c3f030a32722fd2b220c {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Open Source Developer, Tony Yeh" and
pe.signatures[i].serial == "08:60:c8:a7:ed:18:c3:f0:30:a3:27:22:fd:2b:22:0c" and
// Expiry gate: not_after at or after 2014-06-30 23:59:59 UTC.
1404172799 <= pe.signatures[i].not_after
)
}
// Flags PE files carrying a certificate whose subject contains
// "Open Source Developer, William Zoltan" with this serial, recorded upstream
// as used to sign malware.
// YARA does not validate the chain; confirm hits with an Authenticode verifier.
rule cert_blocklist_2fdadd0740572270203f8138692c4a83 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
// Inclusive range: the final index is one past the last signature and
// should evaluate as undefined rather than match.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Open Source Developer, William Zoltan" and
pe.signatures[i].serial == "2f:da:dd:07:40:57:22:70:20:3f:81:38:69:2c:4a:83" and
// Expiry gate: not_after at or after 2014-06-30 23:59:59 UTC.
1404172799 <= pe.signatures[i].not_after
)
}
// Flags PE files carrying a certificate whose subject contains
// "Open Source Developer, meicun ge" with this serial, recorded upstream as
// used to sign malware.
// The subject match is case-sensitive; the lower-case name in the literal is
// part of the pattern.
rule cert_blocklist_4fc13d6220c629043a26f81b1cad72d8 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Open Source Developer, meicun ge" and
pe.signatures[i].serial == "4f:c1:3d:62:20:c6:29:04:3a:26:f8:1b:1c:ad:72:d8" and
// Expiry gate: not_after at or after 2014-06-30 23:59:59 UTC.
1404172799 <= pe.signatures[i].not_after
)
}
// Flags PE files carrying a certificate for "KONSALTING PLUS OOO" with this
// serial, recorded upstream as used to sign malware.
// A hit shows certificate presence only; YARA verifies neither the file digest
// nor the chain.
rule cert_blocklist_3457a918c6d3701b2eaca6a92474a7cc {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// Pre-filter: first two bytes are "MZ".
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "KONSALTING PLUS OOO" and
pe.signatures[i].serial == "34:57:a9:18:c6:d3:70:1b:2e:ac:a6:a9:24:74:a7:cc" and
// Validity-end gate (Unix time); signing time is not examined.
1432252799 <= pe.signatures[i].not_after
)
}
// Flags PE files carrying a certificate whose subject contains "Fan Li" and
// whose serial matches, recorded upstream as used to sign malware.
// "Fan Li" is a short substring and would match inside longer names; the exact
// serial is what keeps the rule specific. The issuer is not compared.
rule cert_blocklist_621ed8265b0ad872d9f4b4ed6d560513 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Fan Li" and
pe.signatures[i].serial == "62:1e:d8:26:5b:0a:d8:72:d9:f4:b4:ed:6d:56:05:13" and
// Validity-end gate (Unix time).
1413183357 <= pe.signatures[i].not_after
)
}
// Flags PE files carrying a certificate whose subject contains
// "Open Source Developer, Hetem Ramadani" with this serial, recorded upstream
// as used to sign malware.
// YARA does not validate the chain; confirm hits with an Authenticode verifier.
rule cert_blocklist_56e22b992b4c7f1afeac1d63b492bf54 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Open Source Developer, Hetem Ramadani" and
pe.signatures[i].serial == "56:e2:2b:99:2b:4c:7f:1a:fe:ac:1d:63:b4:92:bf:54" and
// not_after (certificate expiry, Unix time) must be at or after the literal.
1435622399 <= pe.signatures[i].not_after
)
}
// Flags PE files carrying a certificate with a non-ASCII subject (given as
// escaped bytes) and this serial, recorded upstream as used to sign malware.
rule cert_blocklist_3bc3bae4118d46f3fdd9beeeab749fee {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
// The doubled backslashes make this a literal "\xE6\x9D..." text sequence,
// not raw bytes - presumably the escaped form in which the pe module renders
// non-ASCII subject bytes. Verify against your YARA build; a build that
// returns raw UTF-8 would never satisfy this test.
pe.signatures[i].subject contains "\\xE6\\x9D\\x8E\\xE9\\x9B\\xAA\\xE6\\xA2\\x85" and
pe.signatures[i].serial == "3b:c3:ba:e4:11:8d:46:f3:fd:d9:be:ee:ab:74:9f:ee" and
// Validity-end gate (Unix time).
1442275199 <= pe.signatures[i].not_after
)
}
// Flags PE files carrying a certificate for "SBO INVEST" with this serial,
// recorded upstream as used to sign malware.
// The issuer is not checked; serial numbers are only unique per issuing CA.
rule cert_blocklist_0f0449f7691e5b4c8e74e71cae822179 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// Pre-filter on the "MZ" magic.
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "SBO INVEST" and
pe.signatures[i].serial == "0f:04:49:f7:69:1e:5b:4c:8e:74:e7:1c:ae:82:21:79" and
// Validity-end gate (Unix time); signing time is not examined.
1432079999 <= pe.signatures[i].not_after
)
}
// Flags PE files carrying a certificate for "3-T TOV" with this serial,
// recorded upstream as used to sign malware.
// YARA does not validate the chain, so a self-issued certificate copying the
// subject and serial would also match; verify hits independently.
rule cert_blocklist_43db4448d870d7bdc275f36a01fba36f {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "3-T TOV" and
pe.signatures[i].serial == "43:db:44:48:d8:70:d7:bd:c2:75:f3:6a:01:fb:a3:6f" and
// Validity-end gate (Unix time).
1436227199 <= pe.signatures[i].not_after
)
}
// Flags PE files carrying a certificate for "Garena Online Pte Ltd" with this
// serial, recorded upstream as used to sign malware.
// The rule identifies the certificate only: files legitimately signed with it
// match too, so weigh a hit together with other evidence.
rule cert_blocklist_2880a7f7ff2d334aa08744a8754fab2c {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Garena Online Pte Ltd" and
pe.signatures[i].serial == "28:80:a7:f7:ff:2d:33:4a:a0:87:44:a8:75:4f:ab:2c" and
// not_after (certificate expiry, Unix time) must be at or after the literal.
1393891199 <= pe.signatures[i].not_after
)
}
// Flags PE files carrying a certificate whose subject contains
// "Ghada Saffarini" with this serial, recorded upstream as used to sign malware.
// A hit shows certificate presence only; YARA verifies neither the file digest
// nor the chain.
rule cert_blocklist_0492f5c18e26fa0cd7e15067674aff1c {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// Pre-filter: first two bytes are "MZ".
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Ghada Saffarini" and
pe.signatures[i].serial == "04:92:f5:c1:8e:26:fa:0c:d7:e1:50:67:67:4a:ff:1c" and
// Validity-end gate (Unix time).
1445990399 <= pe.signatures[i].not_after
)
}
// Flags PE files carrying a certificate for "BSCP LIMITED" with this serial,
// recorded upstream as used to sign malware.
// The issuer is not compared; the serial is only unique within one CA, so the
// subject substring is what narrows the match.
rule cert_blocklist_6aa668cd6a9de1fdd476ea8225326937 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "BSCP LIMITED" and
pe.signatures[i].serial == "6a:a6:68:cd:6a:9d:e1:fd:d4:76:ea:82:25:32:69:37" and
// Validity-end gate (Unix time); signing time is not examined.
1441583999 <= pe.signatures[i].not_after
)
}
// Flags PE files carrying a certificate whose subject contains "Fangzhen Li"
// with this serial, recorded upstream as used to sign malware.
// YARA does not validate the chain; confirm hits with an Authenticode verifier.
rule cert_blocklist_1cb06dccb482255728671ea12ac41620 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
// "for any" succeeds as soon as one certificate satisfies all three tests.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Fangzhen Li" and
pe.signatures[i].serial == "1c:b0:6d:cc:b4:82:25:57:28:67:1e:a1:2a:c4:16:20" and
1445126399 <= pe.signatures[i].not_after
)
}
// Flags PE files carrying a certificate for "UNINFO SISTEMAS LTDA ME" with
// this serial, recorded upstream as used to sign malware.
// A hit shows certificate presence only; YARA verifies neither the file digest
// nor the chain.
rule cert_blocklist_370c2467c41d6019bbecd72e00c5d73d {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// Pre-filter on the "MZ" magic.
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "UNINFO SISTEMAS LTDA ME" and
pe.signatures[i].serial == "37:0c:24:67:c4:1d:60:19:bb:ec:d7:2e:00:c5:d7:3d" and
// Validity-end gate (Unix time).
1445299199 <= pe.signatures[i].not_after
)
}
// Flags PE files signed with the "D-LINK CORPORATION" certificate that
// upstream records as leaked (subject substring plus exact serial).
// Because the gate looks at certificate expiry only, the rule cannot separate
// files signed before the leak from files signed after it; YARA also does not
// validate the chain.
rule cert_blocklist_5067339614c5cc219c489d40420f3bf9 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "The digital certificate has leaked."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "D-LINK CORPORATION" and
pe.signatures[i].serial == "50:67:33:96:14:c5:cc:21:9c:48:9d:40:42:0f:3b:f9" and
// not_after (certificate expiry, Unix time) must be at or after the literal.
1441238400 <= pe.signatures[i].not_after
)
}
// Flags PE files carrying a certificate for "3 AM CHP" with this serial,
// recorded upstream as used to sign malware.
// The issuer is not checked; serial numbers are only unique per issuing CA.
rule cert_blocklist_6e32531ae83992f0573120a5e78de271 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "3 AM CHP" and
pe.signatures[i].serial == "6e:32:53:1a:e8:39:92:f0:57:31:20:a5:e7:8d:e2:71" and
// Validity-end gate (Unix time); signing time is not examined.
1451606399 <= pe.signatures[i].not_after
)
}
// Flags PE files carrying a certificate whose subject contains "Chang Yucheng"
// with this serial, recorded upstream as used to sign malware.
// YARA does not validate the chain, so a self-issued look-alike certificate
// would also match; verify hits independently.
rule cert_blocklist_6967a89bcf6efef160aaeebbff376c0a {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// Pre-filter: first two bytes are "MZ".
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Chang Yucheng" and
pe.signatures[i].serial == "69:67:a8:9b:cf:6e:fe:f1:60:aa:ee:bb:ff:37:6c:0a" and
1451174399 <= pe.signatures[i].not_after
)
}
// Flags PE files carrying a certificate whose subject contains
// "Dmitrij Emelyanov" with this serial, recorded upstream as used to sign
// malware.
// A hit shows certificate presence only; YARA verifies neither the file digest
// nor the chain.
rule cert_blocklist_7473d95405d2b0b3a8f28785ce6e74ca {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Dmitrij Emelyanov" and
pe.signatures[i].serial == "74:73:d9:54:05:d2:b0:b3:a8:f2:87:85:ce:6e:74:ca" and
// Validity-end gate (Unix time).
1453939199 <= pe.signatures[i].not_after
)
}
// Flags PE files carrying a certificate whose subject contains "GRANIFLOR"
// with this serial, recorded upstream as used to sign malware.
// The single-word subject is a substring match; the exact serial carries the
// specificity. The issuer is not compared.
rule cert_blocklist_04f380f97579f1702a85e0169bbdfd78 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "GRANIFLOR" and
pe.signatures[i].serial == "04:f3:80:f9:75:79:f1:70:2a:85:e0:16:9b:bd:fd:78" and
// not_after (certificate expiry, Unix time) must be at or after the literal.
1454889599 <= pe.signatures[i].not_after
)
}
// Flags PE files carrying a certificate whose subject contains "MADERA" with
// this serial, recorded upstream as used to sign malware.
// "MADERA" is a short substring that can occur inside unrelated subjects; the
// exact serial is what keeps the rule specific, and the issuer is not compared.
rule cert_blocklist_04d6b8cc6dce353fcf3ae8a532be7255 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// Pre-filter on the "MZ" magic.
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "MADERA" and
pe.signatures[i].serial == "04:d6:b8:cc:6d:ce:35:3f:cf:3a:e8:a5:32:be:72:55" and
1451692799 <= pe.signatures[i].not_after
)
}
// Flags PE files carrying a certificate whose subject contains
// "PRABHAKAR NARAYAN" with this serial, recorded upstream as used to sign
// malware.
// The serial is only 8 bytes long and the issuer is not compared, so the
// subject substring matters more here than in rules with 16-byte serials.
rule cert_blocklist_191322a00200f793 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "PRABHAKAR NARAYAN" and
pe.signatures[i].serial == "19:13:22:a0:02:00:f7:93" and
// Validity-end gate (Unix time); signing time is not examined.
1442966399 <= pe.signatures[i].not_after
)
}
// Flags PE files carrying a certificate whose subject contains
// "PRASAD UPENDRA" with this serial, recorded upstream as used to sign malware.
// The serial is 10 bytes long and the issuer is not compared; YARA also does
// not validate the chain, so confirm hits with an Authenticode verifier.
rule cert_blocklist_451c9d0b413e6e8df175 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "PRASAD UPENDRA" and
pe.signatures[i].serial == "45:1c:9d:0b:41:3e:6e:8d:f1:75" and
// Validity-end gate (Unix time).
1442275199 <= pe.signatures[i].not_after
)
}
// Flags PE files carrying a certificate whose subject contains
// "RuN APps FOrEver lld" with this serial, recorded upstream as used to sign
// malware.
// The subject match is case-sensitive, so the mixed capitalisation in the
// literal must be kept exactly as written.
rule cert_blocklist_03943858218f35adb7073a6027555621 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// Pre-filter: first two bytes are "MZ".
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "RuN APps FOrEver lld" and
pe.signatures[i].serial == "03:94:38:58:21:8f:35:ad:b7:07:3a:60:27:55:56:21" and
1480550399 <= pe.signatures[i].not_after
)
}
// Flags PE files carrying a certificate whose subject contains "Saly Younes"
// with this serial, recorded upstream as used to sign malware.
// A hit shows certificate presence only; YARA verifies neither the file digest
// nor the chain.
rule cert_blocklist_09813ee7318452c28a1f6426d1cee12d {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Saly Younes" and
pe.signatures[i].serial == "09:81:3e:e7:31:84:52:c2:8a:1f:64:26:d1:ce:e1:2d" and
// not_after (certificate expiry, Unix time) must be at or after the literal.
1455667199 <= pe.signatures[i].not_after
)
}
// Flags PE files carrying a certificate for "Wemade Entertainment co.,Ltd"
// with this serial; upstream associates it with Derusbi.
// The condition tests certificate fields only - it does not inspect code - so
// a hit means "signed with a blocklisted certificate", not a family verdict.
rule cert_blocklist_476bf24a4b1e9f4bc2a61b152115e1fe {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing Derusbi malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Wemade Entertainment co.,Ltd" and
pe.signatures[i].serial == "47:6b:f2:4a:4b:1e:9f:4b:c2:a6:1b:15:21:15:e1:fe" and
// Validity-end gate (Unix time); signing time is not examined.
1414454399 <= pe.signatures[i].not_after
)
}
// Flags PE files carrying a certificate for "XL Games Co.,Ltd." with this
// serial; upstream associates it with Derusbi.
// YARA does not validate the chain; confirm hits with an Authenticode verifier.
rule cert_blocklist_7bd55818c5971b63dc45cf57cbeb950b {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing Derusbi malware."
condition:
// Pre-filter on the "MZ" magic.
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "XL Games Co.,Ltd." and
pe.signatures[i].serial == "7b:d5:58:18:c5:97:1b:63:dc:45:cf:57:cb:eb:95:0b" and
// Validity-end gate (Unix time).
1371513599 <= pe.signatures[i].not_after
)
}
// Flags PE files carrying a certificate for "Fuqing Dawu Technology Co.,Ltd."
// with this serial; upstream associates it with Derusbi.
// The issuer is not compared; the serial is only unique within one CA, so the
// subject substring is what narrows the match.
rule cert_blocklist_4c0b2e9d2ef909d15270d4dd7fa5a4a5 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing Derusbi malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Fuqing Dawu Technology Co.,Ltd." and
pe.signatures[i].serial == "4c:0b:2e:9d:2e:f9:09:d1:52:70:d4:dd:7f:a5:a4:a5" and
// not_after (certificate expiry, Unix time) must be at or after the literal.
1372118399 <= pe.signatures[i].not_after
)
}
// Flags PE files carrying a certificate whose subject contains "NexG" with
// this serial; upstream associates it with Sakula and Derusbi.
// "NexG" is a four-character substring and will occur inside other subjects;
// only the exact serial keeps the rule specific, and the issuer is not compared.
rule cert_blocklist_5e3d76dc7e273e2f313fc0775847a2a2 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing Sakula and Derusbi malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "NexG" and
pe.signatures[i].serial == "5e:3d:76:dc:7e:27:3e:2f:31:3f:c0:77:58:47:a2:a2" and
// Validity-end gate (Unix time).
1372723199 <= pe.signatures[i].not_after
)
}
// Flags PE files carrying a certificate for "DTOPTOOLZ Co.,Ltd." with this
// serial; upstream associates it with Sakula.
// A hit shows certificate presence only; YARA verifies neither the file digest
// nor the chain.
rule cert_blocklist_47d5d5372bcb1562b4c9f4c2bdf13587 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing Sakula malware."
condition:
// Pre-filter: first two bytes are "MZ".
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "DTOPTOOLZ Co.,Ltd." and
pe.signatures[i].serial == "47:d5:d5:37:2b:cb:15:62:b4:c9:f4:c2:bd:f1:35:87" and
1400803199 <= pe.signatures[i].not_after
)
}
// Flags PE files carrying a certificate for "U-Tech IT service" with this
// serial; upstream associates it with Sakula.
// YARA does not validate the chain, so a self-issued look-alike certificate
// would also match; verify hits independently.
rule cert_blocklist_3ac10e68f1ce519e84ddcd28b11fa542 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing Sakula malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "U-Tech IT service" and
pe.signatures[i].serial == "3a:c1:0e:68:f1:ce:51:9e:84:dd:cd:28:b1:1f:a5:42" and
// Validity-end gate (Unix time); signing time is not examined.
1420156799 <= pe.signatures[i].not_after
)
}
// Flags PE files carrying a certificate for "MICRO DIGITAL INC." with this
// serial; upstream associates it with Sakula.
// The issuer is not checked; serial numbers are only unique per issuing CA.
rule cert_blocklist_31062e483e0106b18c982f0053185c36 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing Sakula malware."
condition:
uint16(0) == 0x5A4D and
// Inclusive range: the final index is one past the last signature and
// should evaluate as undefined rather than match.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "MICRO DIGITAL INC." and
pe.signatures[i].serial == "31:06:2e:48:3e:01:06:b1:8c:98:2f:00:53:18:5c:36" and
1332287999 <= pe.signatures[i].not_after
)
}
// Flags PE files carrying a certificate for "SJ SYSTEM" with this serial;
// upstream associates it with Sakula.
// The condition tests certificate fields only, so a hit means "signed with a
// blocklisted certificate" and should be confirmed with a chain-validating tool.
rule cert_blocklist_20d0ee42fc901e6b3a8fefe8c1e6087a {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing Sakula malware."
condition:
// Pre-filter on the "MZ" magic.
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "SJ SYSTEM" and
pe.signatures[i].serial == "20:d0:ee:42:fc:90:1e:6b:3a:8f:ef:e8:c1:e6:08:7a" and
// Validity-end gate (Unix time).
1391299199 <= pe.signatures[i].not_after
)
}
// Blocklist entry for a "Developer ID Application" certificate that upstream
// associates with the OSX DokSpy backdoor.
// NOTE(review): the condition requires an "MZ" header and reads the PE
// signature table, while the description and subject point at macOS code
// signing. As written the rule can only fire on PE files, so it looks unable
// to flag Mach-O samples signed with this identity - confirm the intent and
// cover macOS samples with a separate, Mach-O-aware check if needed.
rule cert_blocklist_127251b32b9a50bd {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing OSX DokSpy backdoor."
condition:
// PE-only gate: first two bytes must be "MZ".
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Developer ID Application: Edouard Roulet (W7J9LRHXTG)" and
pe.signatures[i].serial == "12:72:51:b3:2b:9a:50:bd" and
// Validity-end gate (Unix time).
1493769599 <= pe.signatures[i].not_after
)
}
// Blocklist entry for a "Developer ID Application" certificate that upstream
// associates with the OSX DokSpy backdoor.
// NOTE(review): the condition is gated on an "MZ" header and on pe.signatures,
// yet the description and subject refer to macOS code signing. The rule can
// therefore only match PE files and presumably never fires on the Mach-O
// samples it describes - confirm, and add Mach-O-aware coverage if required.
rule cert_blocklist_48cad4e6966e22d6 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing OSX DokSpy backdoor."
condition:
// PE-only gate: first two bytes must be "MZ".
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Developer ID Application: Seven Muller (FUP9692NN6)" and
pe.signatures[i].serial == "48:ca:d4:e6:96:6e:22:d6" and
// Validity-end gate (Unix time).
1492732799 <= pe.signatures[i].not_after
)
}
// Flags PE files signed with the "Ziber Ltd" certificate that upstream records
// as leaked (subject substring plus exact serial).
// Because the gate looks at certificate expiry only, files signed before and
// after the leak are not distinguished; YARA also does not validate the chain.
rule cert_blocklist_5e15205f180442cc6c3c0f03e1a33d9f {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "The digital certificate has leaked."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Ziber Ltd" and
pe.signatures[i].serial == "5e:15:20:5f:18:04:42:cc:6c:3c:0f:03:e1:a3:3d:9f" and
// not_after (certificate expiry, Unix time) must be at or after the literal.
1498607999 <= pe.signatures[i].not_after
)
}
// Flags PE files signed with the "ADD Audit" certificate that upstream records
// as leaked (subject substring plus exact serial).
// The issuer is not compared; the serial is only unique within one CA.
rule cert_blocklist_4c8e3b1613f73542f7106f272094eb23 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "The digital certificate has leaked."
condition:
// Pre-filter: first two bytes are "MZ".
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "ADD Audit" and
pe.signatures[i].serial == "4c:8e:3b:16:13:f7:35:42:f7:10:6f:27:20:94:eb:23" and
// Validity-end gate (Unix time); signing time is not examined.
1472687999 <= pe.signatures[i].not_after
)
}
// Flags PE files signed with the "Media Lid" certificate that upstream records
// as leaked (subject substring plus exact serial).
// A hit shows certificate presence only; YARA verifies neither the file digest
// nor the chain, so confirm with an Authenticode verifier.
rule cert_blocklist_2ce2bd0ad3cfde9ea73eec7ca30400da {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "The digital certificate has leaked."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Media Lid" and
pe.signatures[i].serial == "2c:e2:bd:0a:d3:cf:de:9e:a7:3e:ec:7c:a3:04:00:da" and
// Validity-end gate (Unix time).
1493337599 <= pe.signatures[i].not_after
)
}
// Flags PE files signed with the "Megabit, OOO" certificate that upstream
// records as leaked (subject substring plus exact serial).
// YARA does not validate the chain, so a self-issued look-alike certificate
// would also match; verify hits independently.
rule cert_blocklist_0fbc30db127a536c34d7a0fa81b48193 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "The digital certificate has leaked."
condition:
uint16(0) == 0x5A4D and
// "for any" succeeds as soon as one certificate satisfies all three tests.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Megabit, OOO" and
pe.signatures[i].serial == "0f:bc:30:db:12:7a:53:6c:34:d7:a0:fa:81:b4:81:93" and
1466121599 <= pe.signatures[i].not_after
)
}
// Flags PE files signed with a certificate whose subject contains
// "Raffaele Carnacina" and whose serial matches; upstream records it as leaked.
// Because the gate looks at certificate expiry only, files signed before and
// after the leak are not distinguished.
rule cert_blocklist_08448bd6ee9105ae31228ea5fe496f63 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "The digital certificate has leaked."
condition:
// Pre-filter on the "MZ" magic.
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Raffaele Carnacina" and
pe.signatures[i].serial == "08:44:8b:d6:ee:91:05:ae:31:22:8e:a5:fe:49:6f:63" and
// not_after (certificate expiry, Unix time) must be at or after the literal.
1445212799 <= pe.signatures[i].not_after
)
}
// Flags PE files signed with a certificate whose subject contains
// "VALERIANO BEDESCHI" and whose serial matches; upstream records it as leaked.
// The issuer is not compared, and YARA does not validate the chain; confirm
// hits with an Authenticode verifier.
rule cert_blocklist_02f17566ef568dc06c9a379ea2f4faea {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "The digital certificate has leaked."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "VALERIANO BEDESCHI" and
pe.signatures[i].serial == "02:f1:75:66:ef:56:8d:c0:6c:9a:37:9e:a2:f4:fa:ea" and
// Validity-end gate (Unix time).
1441324799 <= pe.signatures[i].not_after
)
}
// Flags PE files carrying a certificate whose subject contains "joaweb" with
// this serial, recorded upstream as used to sign malware.
// The subject literal is a short, case-sensitive substring; the exact serial
// carries the specificity, and the issuer is not compared.
rule cert_blocklist_7d824ba1f7f730319c50d64c9a7ed507 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "joaweb" and
pe.signatures[i].serial == "7d:82:4b:a1:f7:f7:30:31:9c:50:d6:4c:9a:7e:d5:07" and
// Validity-end gate (Unix time); signing time is not examined.
1238025599 <= pe.signatures[i].not_after
)
}
// Blocklist entry: signer subject contains "Beijing Gigabit Times Technology Co., Ltd",
// exact serial below. Subject and serial are compared as strings; nothing here
// validates the signature chain.
rule cert_blocklist_77a64759f12766e363d779998c71bdc9 {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D at offset 0 is the little-endian "MZ" magic of a DOS/PE file.
        uint16(0) == 0x5A4D and
        // NOTE(review): the range is inclusive, so index number_of_signatures is
        // also visited; presumably undefined there and never a match - confirm.
        for any sig_idx in (0..pe.number_of_signatures): (
            pe.signatures[sig_idx].subject contains "Beijing Gigabit Times Technology Co., Ltd" and
            pe.signatures[sig_idx].serial == "77:a6:47:59:f1:27:66:e3:63:d7:79:99:8c:71:bd:c9" and
            // Certificate expiry (Unix seconds) must not be earlier than this value.
            pe.signatures[sig_idx].not_after >= 1301011199
        )
}
// Blocklist entry: signer subject contains "WEBPIC DESENVOLVIMENTO DE SOFTWARE LTDA",
// exact serial below. Subject and serial are compared as strings; nothing here
// validates the signature chain.
rule cert_blocklist_0b0d17ec1449b4b2d38fcb0f20fbcd3a {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D at offset 0 is the little-endian "MZ" magic of a DOS/PE file.
        uint16(0) == 0x5A4D and
        // NOTE(review): the range is inclusive, so index number_of_signatures is
        // also visited; presumably undefined there and never a match - confirm.
        for any sig_idx in (0..pe.number_of_signatures): (
            pe.signatures[sig_idx].subject contains "WEBPIC DESENVOLVIMENTO DE SOFTWARE LTDA" and
            pe.signatures[sig_idx].serial == "0b:0d:17:ec:14:49:b4:b2:d3:8f:cb:0f:20:fb:cd:3a" and
            // Certificate expiry (Unix seconds) must not be earlier than this value.
            pe.signatures[sig_idx].not_after >= 1394150399
        )
}
// Blocklist entry: signer subject is a non-ASCII name given as escaped bytes,
// serial in two spellings. Subject and serial are compared as strings; nothing
// here validates the signature chain.
rule cert_blocklist_fe9404dc73cf1c2ba1450b8398305557 {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D at offset 0 is the little-endian "MZ" magic of a DOS/PE file.
        uint16(0) == 0x5A4D and
        // NOTE(review): the range is inclusive, so index number_of_signatures is
        // also visited; presumably undefined there and never a match - confirm.
        for any sig_idx in (0..pe.number_of_signatures): (
            // Each "\\" is an escaped backslash, so the subject is matched as literal
            // \xNN text. NOTE(review): presumably the escaped form in which the pe
            // module reports non-ASCII subject bytes - confirm.
            pe.signatures[sig_idx].subject contains "\\xE5\\x8E\\xA6\\xE9\\x97\\xA8\\xE7\\xBF\\x94\\xE9\\x80\\x9A\\xE4\\xBF\\xA1\\xE6\\x81\\xAF\\xE7\\xA7\\x91\\xE6\\x8A\\x80\\xE6\\x9C\\x89\\xE9\\x99\\x90\\xE5\\x85\\xAC\\xE5\\x8F\\xB8\\xE5\\x8C\\x97\\xE4\\xBA\\xAC\\xE5\\x88\\x86\\xE5\\x85\\xAC\\xE5\\x8F\\xB8" and
            // One serial, with and without a leading 00 byte (the first byte has its
            // high bit set); presumably covers both renderings of the integer.
            (
                pe.signatures[sig_idx].serial == "00:fe:94:04:dc:73:cf:1c:2b:a1:45:0b:83:98:30:55:57" or
                pe.signatures[sig_idx].serial == "fe:94:04:dc:73:cf:1c:2b:a1:45:0b:83:98:30:55:57"
            ) and
            // Certificate expiry (Unix seconds) must not be earlier than this value.
            pe.signatures[sig_idx].not_after >= 1287360000
        )
}
// Blocklist entry: signer subject contains the "Shenzhen Hua...nan Xingfa Electronic
// Equipment Firm" string below, exact serial below. Subject and serial are compared
// as strings; nothing here validates the signature chain.
rule cert_blocklist_1cb2d523a6bf7a066642c578de1c9be4 {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D at offset 0 is the little-endian "MZ" magic of a DOS/PE file.
        uint16(0) == 0x5A4D and
        // NOTE(review): the range is inclusive, so index number_of_signatures is
        // also visited; presumably undefined there and never a match - confirm.
        for any sig_idx in (0..pe.number_of_signatures): (
            // The \\xE2\\x80\\x99 run is matched as literal \xNN text; those three bytes
            // are the UTF-8 encoding of U+2019 (right single quotation mark).
            pe.signatures[sig_idx].subject contains "Shenzhen Hua\\xE2\\x80\\x99nan Xingfa Electronic Equipment Firm" and
            pe.signatures[sig_idx].serial == "1c:b2:d5:23:a6:bf:7a:06:66:42:c5:78:de:1c:9b:e4" and
            // Certificate expiry (Unix seconds) must not be earlier than this value.
            pe.signatures[sig_idx].not_after >= 1400889599
        )
}
// Blocklist entry: signer subject is a non-ASCII name given as escaped bytes,
// exact serial below. Subject and serial are compared as strings; nothing here
// validates the signature chain.
rule cert_blocklist_3a6ccabb1c62f3be3eb03869fa43dc4a {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D at offset 0 is the little-endian "MZ" magic of a DOS/PE file.
        uint16(0) == 0x5A4D and
        // NOTE(review): the range is inclusive, so index number_of_signatures is
        // also visited; presumably undefined there and never a match - confirm.
        for any sig_idx in (0..pe.number_of_signatures): (
            // Each "\\" is an escaped backslash, so the subject is matched as literal
            // \xNN text. NOTE(review): presumably the escaped form in which the pe
            // module reports non-ASCII subject bytes - confirm.
            pe.signatures[sig_idx].subject contains "\\xE5\\xB8\\xB8\\xE5\\xB7\\x9E\\xE9\\xAA\\x8F\\xE6\\x99\\xAF\\xE9\\x80\\x9A\\xE8\\x81\\x94\\xE6\\x95\\xB0\\xE5\\xAD\\x97\\xE7\\xA7\\x91\\xE6\\x8A\\x80\\xE6\\x9C\\x89\\xE9\\x99\\x90\\xE5\\x85\\xAC\\xE5\\x8F\\xB8" and
            pe.signatures[sig_idx].serial == "3a:6c:ca:bb:1c:62:f3:be:3e:b0:38:69:fa:43:dc:4a" and
            // Certificate expiry (Unix seconds) must not be earlier than this value.
            pe.signatures[sig_idx].not_after >= 1259798399
        )
}
// Blocklist entry: signer subject contains
// "WLE DESENVOLVIMENTO DE SOFTWARE E ASSESSORIA LTDA EPP", serial in two spellings.
// Subject and serial are compared as strings; nothing here validates the signature chain.
rule cert_blocklist_864196f01971dbec7002b48642a7013a {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D at offset 0 is the little-endian "MZ" magic of a DOS/PE file.
        uint16(0) == 0x5A4D and
        // NOTE(review): the range is inclusive, so index number_of_signatures is
        // also visited; presumably undefined there and never a match - confirm.
        for any sig_idx in (0..pe.number_of_signatures): (
            pe.signatures[sig_idx].subject contains "WLE DESENVOLVIMENTO DE SOFTWARE E ASSESSORIA LTDA EPP" and
            // One serial, with and without a leading 00 byte (the first byte has its
            // high bit set); presumably covers both renderings of the integer.
            (
                pe.signatures[sig_idx].serial == "00:86:41:96:f0:19:71:db:ec:70:02:b4:86:42:a7:01:3a" or
                pe.signatures[sig_idx].serial == "86:41:96:f0:19:71:db:ec:70:02:b4:86:42:a7:01:3a"
            ) and
            // Certificate expiry (Unix seconds) must not be earlier than this value.
            pe.signatures[sig_idx].not_after >= 1384300799
        )
}
// Blocklist entry: signer subject contains "Laizhou wanlei stone Co., LTD",
// exact serial below. Subject and serial are compared as strings; nothing here
// validates the signature chain.
rule cert_blocklist_4fda1e121b61adeca936a6aebe079303 {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D at offset 0 is the little-endian "MZ" magic of a DOS/PE file.
        uint16(0) == 0x5A4D and
        // NOTE(review): the range is inclusive, so index number_of_signatures is
        // also visited; presumably undefined there and never a match - confirm.
        for any sig_idx in (0..pe.number_of_signatures): (
            pe.signatures[sig_idx].subject contains "Laizhou wanlei stone Co., LTD" and
            pe.signatures[sig_idx].serial == "4f:da:1e:12:1b:61:ad:ec:a9:36:a6:ae:be:07:93:03" and
            // Certificate expiry (Unix seconds) must not be earlier than this value.
            pe.signatures[sig_idx].not_after >= 1310687999
        )
}
// Blocklist entry: signer subject is a non-ASCII name given as escaped bytes,
// exact serial below. Subject and serial are compared as strings; nothing here
// validates the signature chain.
rule cert_blocklist_03866deb183abfbf4ff458d4de7bd73a {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D at offset 0 is the little-endian "MZ" magic of a DOS/PE file.
        uint16(0) == 0x5A4D and
        // NOTE(review): the range is inclusive, so index number_of_signatures is
        // also visited; presumably undefined there and never a match - confirm.
        for any sig_idx in (0..pe.number_of_signatures): (
            // Each "\\" is an escaped backslash, so the subject is matched as literal
            // \xNN text. NOTE(review): presumably the escaped form in which the pe
            // module reports non-ASCII subject bytes - confirm.
            pe.signatures[sig_idx].subject contains "\\xE9\\x87\\x8D\\xE5\\xBA\\x86\\xE8\\xAF\\x9D\\xE8\\xAF\\xAD\\xE7\\xA7\\x91\\xE6\\x8A\\x80\\xE6\\x9C\\x89\\xE9\\x99\\x90\\xE5\\x85\\xAC\\xE5\\x8F\\xB8" and
            pe.signatures[sig_idx].serial == "03:86:6d:eb:18:3a:bf:bf:4f:f4:58:d4:de:7b:d7:3a" and
            // Certificate expiry (Unix seconds) must not be earlier than this value.
            pe.signatures[sig_idx].not_after >= 1371772799
        )
}
// Blocklist entry: signer subject is a non-ASCII name given as escaped bytes,
// exact serial below. Subject and serial are compared as strings; nothing here
// validates the signature chain.
rule cert_blocklist_1be41b34127ca9e6270830d2070db426 {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D at offset 0 is the little-endian "MZ" magic of a DOS/PE file.
        uint16(0) == 0x5A4D and
        // NOTE(review): the range is inclusive, so index number_of_signatures is
        // also visited; presumably undefined there and never a match - confirm.
        for any sig_idx in (0..pe.number_of_signatures): (
            // Each "\\" is an escaped backslash, so the subject is matched as literal
            // \xNN text. NOTE(review): presumably the escaped form in which the pe
            // module reports non-ASCII subject bytes - confirm.
            pe.signatures[sig_idx].subject contains "\\xE5\\x8C\\x97\\xE4\\xBA\\xAC\\xE8\\x80\\x98\\xE5\\x8D\\x87\\xE5\\xA4\\xA9\\xE4\\xB8\\x8B\\xE7\\xA7\\x91\\xE6\\x8A\\x80\\xE6\\x9C\\x89\\xE9\\x99\\x90\\xE5\\x85\\xAC\\xE5\\x8F\\xB8" and
            pe.signatures[sig_idx].serial == "1b:e4:1b:34:12:7c:a9:e6:27:08:30:d2:07:0d:b4:26" and
            // Certificate expiry (Unix seconds) must not be earlier than this value.
            pe.signatures[sig_idx].not_after >= 1352764799
        )
}
// Blocklist entry: signer subject contains "CharacTell Ltd", serial in two spellings.
// Subject and serial are compared as strings; nothing here validates the signature chain.
rule cert_blocklist_9b108b8a1daa0d5581f59fcee0447901 {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D at offset 0 is the little-endian "MZ" magic of a DOS/PE file.
        uint16(0) == 0x5A4D and
        // NOTE(review): the range is inclusive, so index number_of_signatures is
        // also visited; presumably undefined there and never a match - confirm.
        for any sig_idx in (0..pe.number_of_signatures): (
            pe.signatures[sig_idx].subject contains "CharacTell Ltd" and
            // One serial, with and without a leading 00 byte (the first byte has its
            // high bit set); presumably covers both renderings of the integer.
            (
                pe.signatures[sig_idx].serial == "00:9b:10:8b:8a:1d:aa:0d:55:81:f5:9f:ce:e0:44:79:01" or
                pe.signatures[sig_idx].serial == "9b:10:8b:8a:1d:aa:0d:55:81:f5:9f:ce:e0:44:79:01"
            ) and
            // Certificate expiry (Unix seconds) must not be earlier than this value.
            pe.signatures[sig_idx].not_after >= 1380671999
        )
}
// Blocklist entry: signer subject contains "Haivision Network Video", exact serial below.
// Subject and serial are compared as strings; nothing here validates the signature chain.
rule cert_blocklist_5f8203c430fc7db4e61f6684f6829ffc {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D at offset 0 is the little-endian "MZ" magic of a DOS/PE file.
        uint16(0) == 0x5A4D and
        // NOTE(review): the range is inclusive, so index number_of_signatures is
        // also visited; presumably undefined there and never a match - confirm.
        for any sig_idx in (0..pe.number_of_signatures): (
            pe.signatures[sig_idx].subject contains "Haivision Network Video" and
            pe.signatures[sig_idx].serial == "5f:82:03:c4:30:fc:7d:b4:e6:1f:66:84:f6:82:9f:fc" and
            // Certificate expiry (Unix seconds) must not be earlier than this value.
            pe.signatures[sig_idx].not_after >= 1382572799
        )
}
// Blocklist entry: signer subject contains "Calibration Consultants", exact serial below.
// Subject and serial are compared as strings; nothing here validates the signature chain.
rule cert_blocklist_6b6daef5be29f20ddce4b0f5e9fa6ea5 {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D at offset 0 is the little-endian "MZ" magic of a DOS/PE file.
        uint16(0) == 0x5A4D and
        // NOTE(review): the range is inclusive, so index number_of_signatures is
        // also visited; presumably undefined there and never a match - confirm.
        for any sig_idx in (0..pe.number_of_signatures): (
            pe.signatures[sig_idx].subject contains "Calibration Consultants" and
            pe.signatures[sig_idx].serial == "6b:6d:ae:f5:be:29:f2:0d:dc:e4:b0:f5:e9:fa:6e:a5" and
            // Certificate expiry (Unix seconds) must not be earlier than this value.
            pe.signatures[sig_idx].not_after >= 1280447999
        )
}
// Blocklist entry: signer subject contains "Smart Plugin Ltda", exact serial below.
// Subject and serial are compared as strings; nothing here validates the signature chain.
rule cert_blocklist_57d6dff1ef96f01b9430666b2733cc87 {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D at offset 0 is the little-endian "MZ" magic of a DOS/PE file.
        uint16(0) == 0x5A4D and
        // NOTE(review): the range is inclusive, so index number_of_signatures is
        // also visited; presumably undefined there and never a match - confirm.
        for any sig_idx in (0..pe.number_of_signatures): (
            pe.signatures[sig_idx].subject contains "Smart Plugin Ltda" and
            pe.signatures[sig_idx].serial == "57:d6:df:f1:ef:96:f0:1b:94:30:66:6b:27:33:cc:87" and
            // Certificate expiry (Unix seconds) must not be earlier than this value.
            pe.signatures[sig_idx].not_after >= 1314575999
        )
}
// Blocklist entry: signer subject contains "TOLGA KAPLAN", exact serial below.
// Subject and serial are compared as strings; nothing here validates the signature chain.
rule cert_blocklist_0166b65038d61e5435b48204cae4795a {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D at offset 0 is the little-endian "MZ" magic of a DOS/PE file.
        uint16(0) == 0x5A4D and
        // NOTE(review): the range is inclusive, so index number_of_signatures is
        // also visited; presumably undefined there and never a match - confirm.
        for any sig_idx in (0..pe.number_of_signatures): (
            pe.signatures[sig_idx].subject contains "TOLGA KAPLAN" and
            pe.signatures[sig_idx].serial == "01:66:b6:50:38:d6:1e:54:35:b4:82:04:ca:e4:79:5a" and
            // Certificate expiry (Unix seconds) must not be earlier than this value.
            pe.signatures[sig_idx].not_after >= 1403999999
        )
}
// Blocklist entry: signer subject contains "FSPro Labs", exact serial below.
// Subject and serial are compared as strings; nothing here validates the signature chain.
rule cert_blocklist_784f226b45c3bd8e4089243d747d1f59 {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D at offset 0 is the little-endian "MZ" magic of a DOS/PE file.
        uint16(0) == 0x5A4D and
        // NOTE(review): the range is inclusive, so index number_of_signatures is
        // also visited; presumably undefined there and never a match - confirm.
        for any sig_idx in (0..pe.number_of_signatures): (
            pe.signatures[sig_idx].subject contains "FSPro Labs" and
            pe.signatures[sig_idx].serial == "78:4f:22:6b:45:c3:bd:8e:40:89:24:3d:74:7d:1f:59" and
            // Certificate expiry (Unix seconds) must not be earlier than this value.
            pe.signatures[sig_idx].not_after >= 1242777599
        )
}
// Blocklist entry: signer subject contains "Tera information Technology co.Ltd",
// exact serial below. Subject and serial are compared as strings; nothing here
// validates the signature chain.
rule cert_blocklist_11690f05604445fae0de539eeeeec584 {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D at offset 0 is the little-endian "MZ" magic of a DOS/PE file.
        uint16(0) == 0x5A4D and
        // NOTE(review): the range is inclusive, so index number_of_signatures is
        // also visited; presumably undefined there and never a match - confirm.
        for any sig_idx in (0..pe.number_of_signatures): (
            pe.signatures[sig_idx].subject contains "Tera information Technology co.Ltd" and
            pe.signatures[sig_idx].serial == "11:69:0f:05:60:44:45:fa:e0:de:53:9e:ee:ee:c5:84" and
            // Certificate expiry (Unix seconds) must not be earlier than this value.
            pe.signatures[sig_idx].not_after >= 1294703999
        )
}
// Blocklist entry: signer subject contains
// "Yancheng Peoples Information Technology Service Co., Ltd", serial in two spellings.
// Subject and serial are compared as strings; nothing here validates the signature chain.
rule cert_blocklist_aa146bff4b832bdbfe30b84580356763 {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D at offset 0 is the little-endian "MZ" magic of a DOS/PE file.
        uint16(0) == 0x5A4D and
        // NOTE(review): the range is inclusive, so index number_of_signatures is
        // also visited; presumably undefined there and never a match - confirm.
        for any sig_idx in (0..pe.number_of_signatures): (
            pe.signatures[sig_idx].subject contains "Yancheng Peoples Information Technology Service Co., Ltd" and
            // One serial, with and without a leading 00 byte (the first byte has its
            // high bit set); presumably covers both renderings of the integer.
            (
                pe.signatures[sig_idx].serial == "00:aa:14:6b:ff:4b:83:2b:db:fe:30:b8:45:80:35:67:63" or
                pe.signatures[sig_idx].serial == "aa:14:6b:ff:4b:83:2b:db:fe:30:b8:45:80:35:67:63"
            ) and
            // Certificate expiry (Unix seconds) must not be earlier than this value.
            pe.signatures[sig_idx].not_after >= 1295481599
        )
}
// Blocklist entry: signer subject contains "Syncode Sistemas e Tecnologia Ltda",
// serial in two spellings. Subject and serial are compared as strings; nothing
// here validates the signature chain.
rule cert_blocklist_e86f46b60142092aae81b8f6fa3d9c7c {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D at offset 0 is the little-endian "MZ" magic of a DOS/PE file.
        uint16(0) == 0x5A4D and
        // NOTE(review): the range is inclusive, so index number_of_signatures is
        // also visited; presumably undefined there and never a match - confirm.
        for any sig_idx in (0..pe.number_of_signatures): (
            pe.signatures[sig_idx].subject contains "Syncode Sistemas e Tecnologia Ltda" and
            // One serial, with and without a leading 00 byte (the first byte has its
            // high bit set); presumably covers both renderings of the integer.
            (
                pe.signatures[sig_idx].serial == "00:e8:6f:46:b6:01:42:09:2a:ae:81:b8:f6:fa:3d:9c:7c" or
                pe.signatures[sig_idx].serial == "e8:6f:46:b6:01:42:09:2a:ae:81:b8:f6:fa:3d:9c:7c"
            ) and
            // Certificate expiry (Unix seconds) must not be earlier than this value.
            pe.signatures[sig_idx].not_after >= 1373932799
        )
}
// Blocklist entry: signer subject is a non-ASCII name given as escaped bytes,
// exact serial below. Subject and serial are compared as strings; nothing here
// validates the signature chain.
rule cert_blocklist_1a0fd2a4ef4c2a36ab9c5e8f792a35e2 {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D at offset 0 is the little-endian "MZ" magic of a DOS/PE file.
        uint16(0) == 0x5A4D and
        // NOTE(review): the range is inclusive, so index number_of_signatures is
        // also visited; presumably undefined there and never a match - confirm.
        for any sig_idx in (0..pe.number_of_signatures): (
            // Each "\\" is an escaped backslash, so the subject is matched as literal
            // \xNN text. NOTE(review): presumably the escaped form in which the pe
            // module reports non-ASCII subject bytes - confirm.
            pe.signatures[sig_idx].subject contains "\\xE5\\x8C\\x97\\xE4\\xBA\\xAC\\xE9\\x87\\x91\\xE5\\x88\\xA9\\xE5\\xAE\\x8F\\xE6\\x98\\x8C\\xE7\\xA7\\x91\\xE6\\x8A\\x80\\xE6\\x9C\\x89\\xE9\\x99\\x90\\xE5\\x85\\xAC\\xE5\\x8F\\xB8" and
            pe.signatures[sig_idx].serial == "1a:0f:d2:a4:ef:4c:2a:36:ab:9c:5e:8f:79:2a:35:e2" and
            // Certificate expiry (Unix seconds) must not be earlier than this value.
            pe.signatures[sig_idx].not_after >= 1389311999
        )
}
// Blocklist entry: signer subject is a non-ASCII name given as escaped bytes,
// exact serial below. Subject and serial are compared as strings; nothing here
// validates the signature chain.
rule cert_blocklist_53bb753b79a99e61a6e822ac52460c70 {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D at offset 0 is the little-endian "MZ" magic of a DOS/PE file.
        uint16(0) == 0x5A4D and
        // NOTE(review): the range is inclusive, so index number_of_signatures is
        // also visited; presumably undefined there and never a match - confirm.
        for any sig_idx in (0..pe.number_of_signatures): (
            // Each "\\" is an escaped backslash, so the subject is matched as literal
            // \xNN text. NOTE(review): presumably the escaped form in which the pe
            // module reports non-ASCII subject bytes - confirm.
            pe.signatures[sig_idx].subject contains "\\xEB\\x8D\\xB0\\xEC\\x8A\\xA4\\xED\\x81\\xAC\\xED\\x83\\x91\\xEC\\x95\\x84\\xEC\\x9D\\xB4\\xEC\\xBD\\x98" and
            pe.signatures[sig_idx].serial == "53:bb:75:3b:79:a9:9e:61:a6:e8:22:ac:52:46:0c:70" and
            // Certificate expiry (Unix seconds) must not be earlier than this value.
            pe.signatures[sig_idx].not_after >= 1400543999
        )
}
// Blocklist entry: signer subject contains "Helpful Technologies, Inc",
// serial in two spellings. Subject and serial are compared as strings; nothing
// here validates the signature chain.
rule cert_blocklist_83f68fc6834bf8bd2c801a2d1f1acc76 {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D at offset 0 is the little-endian "MZ" magic of a DOS/PE file.
        uint16(0) == 0x5A4D and
        // NOTE(review): the range is inclusive, so index number_of_signatures is
        // also visited; presumably undefined there and never a match - confirm.
        for any sig_idx in (0..pe.number_of_signatures): (
            pe.signatures[sig_idx].subject contains "Helpful Technologies, Inc" and
            // One serial, with and without a leading 00 byte (the first byte has its
            // high bit set); presumably covers both renderings of the integer.
            (
                pe.signatures[sig_idx].serial == "00:83:f6:8f:c6:83:4b:f8:bd:2c:80:1a:2d:1f:1a:cc:76" or
                pe.signatures[sig_idx].serial == "83:f6:8f:c6:83:4b:f8:bd:2c:80:1a:2d:1f:1a:cc:76"
            ) and
            // Certificate expiry (Unix seconds) must not be earlier than this value.
            pe.signatures[sig_idx].not_after >= 1407715199
        )
}
// Blocklist entry: signer subject contains "CWI SOFTWARE LTDA", serial in two spellings.
// Subject and serial are compared as strings; nothing here validates the signature chain.
rule cert_blocklist_f385e765acfb95605c9b35ca4c32f80e {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D at offset 0 is the little-endian "MZ" magic of a DOS/PE file.
        uint16(0) == 0x5A4D and
        // NOTE(review): the range is inclusive, so index number_of_signatures is
        // also visited; presumably undefined there and never a match - confirm.
        for any sig_idx in (0..pe.number_of_signatures): (
            pe.signatures[sig_idx].subject contains "CWI SOFTWARE LTDA" and
            // One serial, with and without a leading 00 byte (the first byte has its
            // high bit set); presumably covers both renderings of the integer.
            (
                pe.signatures[sig_idx].serial == "00:f3:85:e7:65:ac:fb:95:60:5c:9b:35:ca:4c:32:f8:0e" or
                pe.signatures[sig_idx].serial == "f3:85:e7:65:ac:fb:95:60:5c:9b:35:ca:4c:32:f8:0e"
            ) and
            // Certificate expiry (Unix seconds) must not be earlier than this value.
            pe.signatures[sig_idx].not_after >= 1382313599
        )
}
// Blocklist entry: signer subject is a non-ASCII name given as escaped bytes,
// serial in two spellings. Subject and serial are compared as strings; nothing
// here validates the signature chain.
rule cert_blocklist_f62c9c4efc81caf0d5a2608009d48018 {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D at offset 0 is the little-endian "MZ" magic of a DOS/PE file.
        uint16(0) == 0x5A4D and
        // NOTE(review): the range is inclusive, so index number_of_signatures is
        // also visited; presumably undefined there and never a match - confirm.
        for any sig_idx in (0..pe.number_of_signatures): (
            // Each "\\" is an escaped backslash, so the subject is matched as literal
            // \xNN text. NOTE(review): presumably the escaped form in which the pe
            // module reports non-ASCII subject bytes - confirm.
            pe.signatures[sig_idx].subject contains "\\xE5\\x94\\x90\\xE5\\xB1\\xB1\\xE4\\xB8\\x87\\xE4\\xB8\\x9C\\xE6\\xB6\\xA6\\xE6\\x92\\xAD\\xE7\\xBD\\x91\\xE7\\xBB\\x9C\\xE6\\x8A\\x80\\xE6\\x9C\\xAF\\xE6\\x9C\\x89\\xE9\\x99\\x90\\xE5\\x85\\xAC\\xE5\\x8F\\xB8" and
            // One serial, with and without a leading 00 byte (the first byte has its
            // high bit set); presumably covers both renderings of the integer.
            (
                pe.signatures[sig_idx].serial == "00:f6:2c:9c:4e:fc:81:ca:f0:d5:a2:60:80:09:d4:80:18" or
                pe.signatures[sig_idx].serial == "f6:2c:9c:4e:fc:81:ca:f0:d5:a2:60:80:09:d4:80:18"
            ) and
            // Certificate expiry (Unix seconds) must not be earlier than this value.
            pe.signatures[sig_idx].not_after >= 1292889599
        )
}
// Blocklist entry: signer subject is a non-ASCII name given as escaped bytes,
// serial in two spellings. Subject and serial are compared as strings; nothing
// here validates the signature chain.
rule cert_blocklist_cc8d902da36587c9b2113cd76c3c3f8d {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D at offset 0 is the little-endian "MZ" magic of a DOS/PE file.
        uint16(0) == 0x5A4D and
        // NOTE(review): the range is inclusive, so index number_of_signatures is
        // also visited; presumably undefined there and never a match - confirm.
        for any sig_idx in (0..pe.number_of_signatures): (
            // Each "\\" is an escaped backslash, so the subject is matched as literal
            // \xNN text. NOTE(review): presumably the escaped form in which the pe
            // module reports non-ASCII subject bytes - confirm.
            pe.signatures[sig_idx].subject contains "\\xE4\\xB8\\x8A\\xE6\\xB5\\xB7\\xE9\\x87\\x91\\xE4\\xBF\\x8A\\xE5\\x9D\\xA4\\xE8\\xAE\\xA1\\xE7\\xAE\\x97\\xE6\\x9C\\xBA\\xE6\\x8A\\x80\\xE6\\x9C\\xAF\\xE6\\x9C\\x8D\\xE5\\x8A\\xA1\\xE6\\x9C\\x89\\xE9\\x99\\x90\\xE5\\x85\\xAC\\xE5\\x8F\\xB8" and
            // One serial, with and without a leading 00 byte (the first byte has its
            // high bit set); presumably covers both renderings of the integer.
            (
                pe.signatures[sig_idx].serial == "00:cc:8d:90:2d:a3:65:87:c9:b2:11:3c:d7:6c:3c:3f:8d" or
                pe.signatures[sig_idx].serial == "cc:8d:90:2d:a3:65:87:c9:b2:11:3c:d7:6c:3c:3f:8d"
            ) and
            // Certificate expiry (Unix seconds) must not be earlier than this value.
            pe.signatures[sig_idx].not_after >= 1292544000
        )
}
// Blocklist entry: signer subject contains "Nooly Systems LTD", exact serial below.
// Subject and serial are compared as strings; nothing here validates the signature chain.
rule cert_blocklist_328bdcc0f679c4649147fbb3eb0e9bc6 {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D at offset 0 is the little-endian "MZ" magic of a DOS/PE file.
        uint16(0) == 0x5A4D and
        // NOTE(review): the range is inclusive, so index number_of_signatures is
        // also visited; presumably undefined there and never a match - confirm.
        for any sig_idx in (0..pe.number_of_signatures): (
            pe.signatures[sig_idx].subject contains "Nooly Systems LTD" and
            pe.signatures[sig_idx].serial == "32:8b:dc:c0:f6:79:c4:64:91:47:fb:b3:eb:0e:9b:c6" and
            // Certificate expiry (Unix seconds) must not be earlier than this value.
            pe.signatures[sig_idx].not_after >= 1204847999
        )
}
// Blocklist entry: signer subject is a non-ASCII name given as escaped bytes,
// exact serial below. Subject and serial are compared as strings; nothing here
// validates the signature chain.
rule cert_blocklist_5f78149eb4f75eb17404a8143aaeaed7 {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D at offset 0 is the little-endian "MZ" magic of a DOS/PE file.
        uint16(0) == 0x5A4D and
        // NOTE(review): the range is inclusive, so index number_of_signatures is
        // also visited; presumably undefined there and never a match - confirm.
        for any sig_idx in (0..pe.number_of_signatures): (
            // Each "\\" is an escaped backslash, so the subject is matched as literal
            // \xNN text. NOTE(review): presumably the escaped form in which the pe
            // module reports non-ASCII subject bytes - confirm.
            pe.signatures[sig_idx].subject contains "\\xE4\\xB8\\x8A\\xE6\\xB5\\xB7\\xE5\\x9F\\x9F\\xE8\\x81\\x94\\xE8\\xBD\\xAF\\xE4\\xBB\\xB6\\xE6\\x8A\\x80\\xE6\\x9C\\xAF\\xE6\\x9C\\x89\\xE9\\x99\\x90\\xE5\\x85\\xAC\\xE5\\x8F\\xB8" and
            pe.signatures[sig_idx].serial == "5f:78:14:9e:b4:f7:5e:b1:74:04:a8:14:3a:ae:ae:d7" and
            // Certificate expiry (Unix seconds) must not be earlier than this value.
            pe.signatures[sig_idx].not_after >= 1303116124
        )
}
// Blocklist entry: signer subject contains "Delta Controls", exact serial below.
// Subject and serial are compared as strings; nothing here validates the signature chain.
rule cert_blocklist_629d120dd84f9c1688d4da40366fab7a {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D at offset 0 is the little-endian "MZ" magic of a DOS/PE file.
        uint16(0) == 0x5A4D and
        // NOTE(review): the range is inclusive, so index number_of_signatures is
        // also visited; presumably undefined there and never a match - confirm.
        for any sig_idx in (0..pe.number_of_signatures): (
            pe.signatures[sig_idx].subject contains "Delta Controls" and
            pe.signatures[sig_idx].serial == "62:9d:12:0d:d8:4f:9c:16:88:d4:da:40:36:6f:ab:7a" and
            // Certificate expiry (Unix seconds) must not be earlier than this value.
            pe.signatures[sig_idx].not_after >= 1306799999
        )
}
// Blocklist entry: signer subject contains "Cigam Software Corporativo LTDA",
// exact serial below. Subject and serial are compared as strings; nothing here
// validates the signature chain.
rule cert_blocklist_039e5d0e3297f574db99e1d9503853d9 {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D at offset 0 is the little-endian "MZ" magic of a DOS/PE file.
        uint16(0) == 0x5A4D and
        // NOTE(review): the range is inclusive, so index number_of_signatures is
        // also visited; presumably undefined there and never a match - confirm.
        for any sig_idx in (0..pe.number_of_signatures): (
            pe.signatures[sig_idx].subject contains "Cigam Software Corporativo LTDA" and
            pe.signatures[sig_idx].serial == "03:9e:5d:0e:32:97:f5:74:db:99:e1:d9:50:38:53:d9" and
            // Certificate expiry (Unix seconds) must not be earlier than this value.
            pe.signatures[sig_idx].not_after >= 1378079999
        )
}
// Blocklist entry: signer subject contains
// "Remedica Medical Education and Publishing Ltd", serial in two spellings.
// Subject and serial are compared as strings; nothing here validates the signature chain.
rule cert_blocklist_bc32bbe5bbb4f06f490c50651cd5da50 {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D at offset 0 is the little-endian "MZ" magic of a DOS/PE file.
        uint16(0) == 0x5A4D and
        // NOTE(review): the range is inclusive, so index number_of_signatures is
        // also visited; presumably undefined there and never a match - confirm.
        for any sig_idx in (0..pe.number_of_signatures): (
            pe.signatures[sig_idx].subject contains "Remedica Medical Education and Publishing Ltd" and
            // One serial, with and without a leading 00 byte (the first byte has its
            // high bit set); presumably covers both renderings of the integer.
            (
                pe.signatures[sig_idx].serial == "00:bc:32:bb:e5:bb:b4:f0:6f:49:0c:50:65:1c:d5:da:50" or
                pe.signatures[sig_idx].serial == "bc:32:bb:e5:bb:b4:f0:6f:49:0c:50:65:1c:d5:da:50"
            ) and
            // Certificate expiry (Unix seconds) must not be earlier than this value.
            pe.signatures[sig_idx].not_after >= 1387151999
        )
}
// Blocklist entry: signer subject contains "John W.Richard", exact serial below.
// Subject and serial are compared as strings; nothing here validates the signature chain.
rule cert_blocklist_3e1656dfcaacfed7c2d2564355698aa3 {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D at offset 0 is the little-endian "MZ" magic of a DOS/PE file.
        uint16(0) == 0x5A4D and
        // NOTE(review): the range is inclusive, so index number_of_signatures is
        // also visited; presumably undefined there and never a match - confirm.
        for any sig_idx in (0..pe.number_of_signatures): (
            pe.signatures[sig_idx].subject contains "John W.Richard" and
            pe.signatures[sig_idx].serial == "3e:16:56:df:ca:ac:fe:d7:c2:d2:56:43:55:69:8a:a3" and
            // Certificate expiry (Unix seconds) must not be earlier than this value.
            pe.signatures[sig_idx].not_after >= 1385251199
        )
}
// Blocklist entry: signer subject contains
// "Technical and Commercial Consulting Pvt. Ltd.", exact serial below.
// Subject and serial are compared as strings; nothing here validates the signature chain.
rule cert_blocklist_4bf1d68e926e2dd8966008c44f95ea1c {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D at offset 0 is the little-endian "MZ" magic of a DOS/PE file.
        uint16(0) == 0x5A4D and
        // NOTE(review): the range is inclusive, so index number_of_signatures is
        // also visited; presumably undefined there and never a match - confirm.
        for any sig_idx in (0..pe.number_of_signatures): (
            pe.signatures[sig_idx].subject contains "Technical and Commercial Consulting Pvt. Ltd." and
            pe.signatures[sig_idx].serial == "4b:f1:d6:8e:92:6e:2d:d8:96:60:08:c4:4f:95:ea:1c" and
            // Certificate expiry (Unix seconds) must not be earlier than this value.
            pe.signatures[sig_idx].not_after >= 1322092799
        )
}
// Blocklist entry: signer subject contains "3rd Eye Solutions Ltd", exact serial below.
// Subject and serial are compared as strings; nothing here validates the signature chain.
rule cert_blocklist_149c12083c145e28155510cfc19db0fe {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D at offset 0 is the little-endian "MZ" magic of a DOS/PE file.
        uint16(0) == 0x5A4D and
        // NOTE(review): the range is inclusive, so index number_of_signatures is
        // also visited; presumably undefined there and never a match - confirm.
        for any sig_idx in (0..pe.number_of_signatures): (
            pe.signatures[sig_idx].subject contains "3rd Eye Solutions Ltd" and
            pe.signatures[sig_idx].serial == "14:9c:12:08:3c:14:5e:28:15:55:10:cf:c1:9d:b0:fe" and
            // Certificate expiry (Unix seconds) must not be earlier than this value.
            pe.signatures[sig_idx].not_after >= 1209340799
        )
}
// Blocklist entry: signer subject contains "Reiner Wodey Informationssysteme",
// exact serial below. Subject and serial are compared as strings; nothing here
// validates the signature chain.
rule cert_blocklist_77e0117e8b2b8faa84bed961019d5ef8 {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D at offset 0 is the little-endian "MZ" magic of a DOS/PE file.
        uint16(0) == 0x5A4D and
        // NOTE(review): the range is inclusive, so index number_of_signatures is
        // also visited; presumably undefined there and never a match - confirm.
        for any sig_idx in (0..pe.number_of_signatures): (
            pe.signatures[sig_idx].subject contains "Reiner Wodey Informationssysteme" and
            pe.signatures[sig_idx].serial == "77:e0:11:7e:8b:2b:8f:aa:84:be:d9:61:01:9d:5e:f8" and
            // Certificate expiry (Unix seconds) must not be earlier than this value.
            pe.signatures[sig_idx].not_after >= 1383695999
        )
}
// Blocklist entry: signer subject contains "F3D LIMITED", exact serial below.
// Subject and serial are compared as strings; nothing here validates the signature chain.
rule cert_blocklist_4f3feb4baf377aea90a463c5dee63884 {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D at offset 0 is the little-endian "MZ" magic of a DOS/PE file.
        uint16(0) == 0x5A4D and
        // NOTE(review): the range is inclusive, so index number_of_signatures is
        // also visited; presumably undefined there and never a match - confirm.
        for any sig_idx in (0..pe.number_of_signatures): (
            pe.signatures[sig_idx].subject contains "F3D LIMITED" and
            pe.signatures[sig_idx].serial == "4f:3f:eb:4b:af:37:7a:ea:90:a4:63:c5:de:e6:38:84" and
            // Certificate expiry (Unix seconds) must not be earlier than this value.
            pe.signatures[sig_idx].not_after >= 1526601599
        )
}
// Blocklist entry: signer subject contains "MIKL LIMITED", exact serial below.
// The meta description ties this certificate to LockerGoga ransomware.
// Subject and serial are compared as strings; nothing here validates the signature chain.
rule cert_blocklist_3d2580e89526f7852b570654efd9a8bf {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing LockerGoga ransomware."
    condition:
        // 0x5A4D at offset 0 is the little-endian "MZ" magic of a DOS/PE file.
        uint16(0) == 0x5A4D and
        // NOTE(review): the range is inclusive, so index number_of_signatures is
        // also visited; presumably undefined there and never a match - confirm.
        for any sig_idx in (0..pe.number_of_signatures): (
            pe.signatures[sig_idx].subject contains "MIKL LIMITED" and
            pe.signatures[sig_idx].serial == "3d:25:80:e8:95:26:f7:85:2b:57:06:54:ef:d9:a8:bf" and
            // Certificate expiry (Unix seconds) must not be earlier than this value.
            pe.signatures[sig_idx].not_after >= 1529888400
        )
}
// Blocklist entry: signer subject contains "EGIS Co., Ltd.", exact serial below.
// The meta description ties this certificate to BabyShark malware.
// Subject and serial are compared as strings; nothing here validates the signature chain.
rule cert_blocklist_0fffe432a53ff03b9223f88be1b83d9d {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing BabyShark malware."
    condition:
        // 0x5A4D at offset 0 is the little-endian "MZ" magic of a DOS/PE file.
        uint16(0) == 0x5A4D and
        // NOTE(review): the range is inclusive, so index number_of_signatures is
        // also visited; presumably undefined there and never a match - confirm.
        for any sig_idx in (0..pe.number_of_signatures): (
            pe.signatures[sig_idx].subject contains "EGIS Co., Ltd." and
            pe.signatures[sig_idx].serial == "0f:ff:e4:32:a5:3f:f0:3b:92:23:f8:8b:e1:b8:3d:9d" and
            // Certificate expiry (Unix seconds) must not be earlier than this value.
            pe.signatures[sig_idx].not_after >= 1498524050
        )
}
// Blocklist entry: signer subject contains "Project NSRM Ltd", serial in two spellings.
// The meta description ties this certificate to SeedLocker ransomware.
// Subject and serial are compared as strings; nothing here validates the signature chain.
rule cert_blocklist_832e161aea5206d815f973e5a1feb3e7 {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing SeedLocker ransomware."
    condition:
        // 0x5A4D at offset 0 is the little-endian "MZ" magic of a DOS/PE file.
        uint16(0) == 0x5A4D and
        // NOTE(review): the range is inclusive, so index number_of_signatures is
        // also visited; presumably undefined there and never a match - confirm.
        for any sig_idx in (0..pe.number_of_signatures): (
            pe.signatures[sig_idx].subject contains "Project NSRM Ltd" and
            // One serial, with and without a leading 00 byte (the first byte has its
            // high bit set); presumably covers both renderings of the integer.
            (
                pe.signatures[sig_idx].serial == "00:83:2e:16:1a:ea:52:06:d8:15:f9:73:e5:a1:fe:b3:e7" or
                pe.signatures[sig_idx].serial == "83:2e:16:1a:ea:52:06:d8:15:f9:73:e5:a1:fe:b3:e7"
            ) and
            // Certificate expiry (Unix seconds) must not be earlier than this value.
            pe.signatures[sig_idx].not_after >= 1549830060
        )
}
// Blocklist entry: signer subject contains "ALINA LTD", exact serial below.
// Subject and serial are compared as strings; nothing here validates the signature chain.
rule cert_blocklist_09aecea45bfd40ce7d62d7d711916d7d {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D at offset 0 is the little-endian "MZ" magic of a DOS/PE file.
        uint16(0) == 0x5A4D and
        // NOTE(review): the range is inclusive, so index number_of_signatures is
        // also visited; presumably undefined there and never a match - confirm.
        for any sig_idx in (0..pe.number_of_signatures): (
            pe.signatures[sig_idx].subject contains "ALINA LTD" and
            pe.signatures[sig_idx].serial == "09:ae:ce:a4:5b:fd:40:ce:7d:62:d7:d7:11:91:6d:7d" and
            // Certificate expiry (Unix seconds) must not be earlier than this value.
            pe.signatures[sig_idx].not_after >= 1551052800
        )
}
// Blocklist entry: signer subject contains "DUHANEY LIMITED", exact serial below.
// Subject and serial are compared as strings; nothing here validates the signature chain.
rule cert_blocklist_4ff4eda5fa641e70162713426401f438 {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D at offset 0 is the little-endian "MZ" magic of a DOS/PE file.
        uint16(0) == 0x5A4D and
        // NOTE(review): the range is inclusive, so index number_of_signatures is
        // also visited; presumably undefined there and never a match - confirm.
        for any sig_idx in (0..pe.number_of_signatures): (
            pe.signatures[sig_idx].subject contains "DUHANEY LIMITED" and
            pe.signatures[sig_idx].serial == "4f:f4:ed:a5:fa:64:1e:70:16:27:13:42:64:01:f4:38" and
            // Certificate expiry (Unix seconds) must not be earlier than this value.
            pe.signatures[sig_idx].not_after >= 1555349604
        )
}
// Blocklist entry: signer subject contains "DVERI FADO, TOV", exact serial below.
// Subject and serial are compared as strings; nothing here validates the signature chain.
rule cert_blocklist_067dffc5e3026eb4c62971c98ac8a900 {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D at offset 0 is the little-endian "MZ" magic of a DOS/PE file.
        uint16(0) == 0x5A4D and
        // NOTE(review): the range is inclusive, so index number_of_signatures is
        // also visited; presumably undefined there and never a match - confirm.
        for any sig_idx in (0..pe.number_of_signatures): (
            pe.signatures[sig_idx].subject contains "DVERI FADO, TOV" and
            pe.signatures[sig_idx].serial == "06:7d:ff:c5:e3:02:6e:b4:c6:29:71:c9:8a:c8:a9:00" and
            // Certificate expiry (Unix seconds) must not be earlier than this value.
            pe.signatures[sig_idx].not_after >= 1552176000
        )
}
// Blocklist entry: signer subject contains "FIRNEEZ EUROPE LIMITED",
// serial in two spellings. Subject and serial are compared as strings; nothing
// here validates the signature chain.
rule cert_blocklist_b1da219688e51fd0bfac2c891d56cbb8 {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D at offset 0 is the little-endian "MZ" magic of a DOS/PE file.
        uint16(0) == 0x5A4D and
        // NOTE(review): the range is inclusive, so index number_of_signatures is
        // also visited; presumably undefined there and never a match - confirm.
        for any sig_idx in (0..pe.number_of_signatures): (
            pe.signatures[sig_idx].subject contains "FIRNEEZ EUROPE LIMITED" and
            // One serial, with and without a leading 00 byte (the first byte has its
            // high bit set); presumably covers both renderings of the integer.
            (
                pe.signatures[sig_idx].serial == "00:b1:da:21:96:88:e5:1f:d0:bf:ac:2c:89:1d:56:cb:b8" or
                pe.signatures[sig_idx].serial == "b1:da:21:96:88:e5:1f:d0:bf:ac:2c:89:1d:56:cb:b8"
            ) and
            // Certificate expiry (Unix seconds) must not be earlier than this value.
            pe.signatures[sig_idx].not_after >= 1542931200
        )
}
// Blocklist entry: signer subject contains "ICE ACTIVATION LIMITED", exact serial below.
// Subject and serial are compared as strings; nothing here validates the signature chain.
rule cert_blocklist_7289b0f9bd641e3e352dc3183f8de6be {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D at offset 0 is the little-endian "MZ" magic of a DOS/PE file.
        uint16(0) == 0x5A4D and
        // NOTE(review): the range is inclusive, so index number_of_signatures is
        // also visited; presumably undefined there and never a match - confirm.
        for any sig_idx in (0..pe.number_of_signatures): (
            pe.signatures[sig_idx].subject contains "ICE ACTIVATION LIMITED" and
            pe.signatures[sig_idx].serial == "72:89:b0:f9:bd:64:1e:3e:35:2d:c3:18:3f:8d:e6:be" and
            // Certificate expiry (Unix seconds) must not be earlier than this value.
            pe.signatures[sig_idx].not_after >= 1557933274
        )
}
// Blocklist entry: signer subject contains "IMRAN IT SERVICES LTD",
// serial in two spellings. Subject and serial are compared as strings; nothing
// here validates the signature chain.
rule cert_blocklist_fd7b7a8678a67181a54bc7499eba44da {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D at offset 0 is the little-endian "MZ" magic of a DOS/PE file.
        uint16(0) == 0x5A4D and
        // NOTE(review): the range is inclusive, so index number_of_signatures is
        // also visited; presumably undefined there and never a match - confirm.
        for any sig_idx in (0..pe.number_of_signatures): (
            pe.signatures[sig_idx].subject contains "IMRAN IT SERVICES LTD" and
            // One serial, with and without a leading 00 byte (the first byte has its
            // high bit set); presumably covers both renderings of the integer.
            (
                pe.signatures[sig_idx].serial == "00:fd:7b:7a:86:78:a6:71:81:a5:4b:c7:49:9e:ba:44:da" or
                pe.signatures[sig_idx].serial == "fd:7b:7a:86:78:a6:71:81:a5:4b:c7:49:9e:ba:44:da"
            ) and
            // Certificate expiry (Unix seconds) must not be earlier than this value.
            pe.signatures[sig_idx].not_after >= 1548028800
        )
}
// Blocklist entry: signer subject contains "IT PUT LIMITED", serial in two spellings.
// Subject and serial are compared as strings; nothing here validates the signature chain.
rule cert_blocklist_ebbdd6cdeda40ca64513280ecd625c54 {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D at offset 0 is the little-endian "MZ" magic of a DOS/PE file.
        uint16(0) == 0x5A4D and
        // NOTE(review): the range is inclusive, so index number_of_signatures is
        // also visited; presumably undefined there and never a match - confirm.
        for any sig_idx in (0..pe.number_of_signatures): (
            pe.signatures[sig_idx].subject contains "IT PUT LIMITED" and
            // One serial, with and without a leading 00 byte (the first byte has its
            // high bit set); presumably covers both renderings of the integer.
            (
                pe.signatures[sig_idx].serial == "00:eb:bd:d6:cd:ed:a4:0c:a6:45:13:28:0e:cd:62:5c:54" or
                pe.signatures[sig_idx].serial == "eb:bd:d6:cd:ed:a4:0c:a6:45:13:28:0e:cd:62:5c:54"
            ) and
            // Certificate expiry (Unix seconds) must not be earlier than this value.
            pe.signatures[sig_idx].not_after >= 1549238400
        )
}
// Blocklist entry: signer subject contains "P2N ONLINE LTD", exact serial below.
// Subject and serial are compared as strings; nothing here validates the signature chain.
rule cert_blocklist_61da676c1dcfcf188276e2c70d68082e {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D at offset 0 is the little-endian "MZ" magic of a DOS/PE file.
        uint16(0) == 0x5A4D and
        // NOTE(review): the range is inclusive, so index number_of_signatures is
        // also visited; presumably undefined there and never a match - confirm.
        for any sig_idx in (0..pe.number_of_signatures): (
            pe.signatures[sig_idx].subject contains "P2N ONLINE LTD" and
            pe.signatures[sig_idx].serial == "61:da:67:6c:1d:cf:cf:18:82:76:e2:c7:0d:68:08:2e" and
            // Certificate expiry (Unix seconds) must not be earlier than this value.
            pe.signatures[sig_idx].not_after >= 1552723954
        )
}
// Blocklist entry: signer subject contains "REBROSE LEISURE LIMITED", exact serial below.
// Subject and serial are compared as strings; nothing here validates the signature chain.
rule cert_blocklist_767436921b2698bd18400a24b01341b6 {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D at offset 0 is the little-endian "MZ" magic of a DOS/PE file.
        uint16(0) == 0x5A4D and
        // NOTE(review): the range is inclusive, so index number_of_signatures is
        // also visited; presumably undefined there and never a match - confirm.
        for any sig_idx in (0..pe.number_of_signatures): (
            pe.signatures[sig_idx].subject contains "REBROSE LEISURE LIMITED" and
            pe.signatures[sig_idx].serial == "76:74:36:92:1b:26:98:bd:18:40:0a:24:b0:13:41:b6" and
            // Certificate expiry (Unix seconds) must not be earlier than this value.
            pe.signatures[sig_idx].not_after >= 1556284480
        )
}
// Blocklist entry: signer subject contains "sasha catering ltd", exact serial below.
// Subject and serial are compared as strings; nothing here validates the signature chain.
rule cert_blocklist_3e795531b3265510f935187eca59920a {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D at offset 0 is the little-endian "MZ" magic of a DOS/PE file.
        uint16(0) == 0x5A4D and
        // NOTE(review): the range is inclusive, so index number_of_signatures is
        // also visited; presumably undefined there and never a match - confirm.
        for any sig_idx in (0..pe.number_of_signatures): (
            // "contains" is case-sensitive, so the lowercase spelling must match as written.
            pe.signatures[sig_idx].subject contains "sasha catering ltd" and
            pe.signatures[sig_idx].serial == "3e:79:55:31:b3:26:55:10:f9:35:18:7e:ca:59:92:0a" and
            // Certificate expiry (Unix seconds) must not be earlier than this value.
            pe.signatures[sig_idx].not_after >= 1557243644
        )
}
// Blocklist entry: signer subject contains "Singh Agile Content Design Limited",
// serial in two spellings. Subject and serial are compared as strings; nothing
// here validates the signature chain.
rule cert_blocklist_8f40b1485309a064a28b96bfa3f55f36 {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D at offset 0 is the little-endian "MZ" magic of a DOS/PE file.
        uint16(0) == 0x5A4D and
        // NOTE(review): the range is inclusive, so index number_of_signatures is
        // also visited; presumably undefined there and never a match - confirm.
        for any sig_idx in (0..pe.number_of_signatures): (
            pe.signatures[sig_idx].subject contains "Singh Agile Content Design Limited" and
            // One serial, with and without a leading 00 byte (the first byte has its
            // high bit set); presumably covers both renderings of the integer.
            (
                pe.signatures[sig_idx].serial == "00:8f:40:b1:48:53:09:a0:64:a2:8b:96:bf:a3:f5:5f:36" or
                pe.signatures[sig_idx].serial == "8f:40:b1:48:53:09:a0:64:a2:8b:96:bf:a3:f5:5f:36"
            ) and
            // Certificate expiry (Unix seconds) must not be earlier than this value.
            pe.signatures[sig_idx].not_after >= 1542585600
        )
}
// Blocklist entry: signer subject contains "SLON LTD", serial in two spellings.
// Subject and serial are compared as strings; nothing here validates the signature chain.
rule cert_blocklist_b2120facadbb92cc0a176759604c6a0f {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D at offset 0 is the little-endian "MZ" magic of a DOS/PE file.
        uint16(0) == 0x5A4D and
        // NOTE(review): the range is inclusive, so index number_of_signatures is
        // also visited; presumably undefined there and never a match - confirm.
        for any sig_idx in (0..pe.number_of_signatures): (
            // "SLON LTD" is a short substring; the exact serial is what pins this entry.
            pe.signatures[sig_idx].subject contains "SLON LTD" and
            // One serial, with and without a leading 00 byte (the first byte has its
            // high bit set); presumably covers both renderings of the integer.
            (
                pe.signatures[sig_idx].serial == "00:b2:12:0f:ac:ad:bb:92:cc:0a:17:67:59:60:4c:6a:0f" or
                pe.signatures[sig_idx].serial == "b2:12:0f:ac:ad:bb:92:cc:0a:17:67:59:60:4c:6a:0f"
            ) and
            // Certificate expiry (Unix seconds) must not be earlier than this value.
            pe.signatures[sig_idx].not_after >= 1554249600
        )
}
// Blocklist entry: signer subject contains "SLOW COOKED VENTURES LTD", exact serial below.
// Subject and serial are compared as strings; nothing here validates the signature chain.
rule cert_blocklist_4f407eb50803845cc43937823e1344c0 {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D at offset 0 is the little-endian "MZ" magic of a DOS/PE file.
        uint16(0) == 0x5A4D and
        // NOTE(review): the range is inclusive, so index number_of_signatures is
        // also visited; presumably undefined there and never a match - confirm.
        for any sig_idx in (0..pe.number_of_signatures): (
            pe.signatures[sig_idx].subject contains "SLOW COOKED VENTURES LTD" and
            pe.signatures[sig_idx].serial == "4f:40:7e:b5:08:03:84:5c:c4:39:37:82:3e:13:44:c0" and
            // Certificate expiry (Unix seconds) must not be earlier than this value.
            pe.signatures[sig_idx].not_after >= 1556555362
        )
}
// Blocklist entry: signer subject contains "SMACHNA PLITKA, TOV", exact serial below.
// Subject and serial are compared as strings; nothing here validates the signature chain.
rule cert_blocklist_6922bb5de88e4127e1ac6969e6a199f5 {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D at offset 0 is the little-endian "MZ" magic of a DOS/PE file.
        uint16(0) == 0x5A4D and
        // NOTE(review): the range is inclusive, so index number_of_signatures is
        // also visited; presumably undefined there and never a match - confirm.
        for any sig_idx in (0..pe.number_of_signatures): (
            pe.signatures[sig_idx].subject contains "SMACHNA PLITKA, TOV" and
            pe.signatures[sig_idx].serial == "69:22:bb:5d:e8:8e:41:27:e1:ac:69:69:e6:a1:99:f5" and
            // Certificate expiry (Unix seconds) must not be earlier than this value.
            pe.signatures[sig_idx].not_after >= 1552692162
        )
}
// Blocklist entry: signer subject contains "SOVA CONSULTANCY LTD", exact serial below.
// Subject and serial are compared as strings; nothing here validates the signature chain.
rule cert_blocklist_73065efa163b7901fa1ccb0a54e80540 {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D at offset 0 is the little-endian "MZ" magic of a DOS/PE file.
        uint16(0) == 0x5A4D and
        // NOTE(review): the range is inclusive, so index number_of_signatures is
        // also visited; presumably undefined there and never a match - confirm.
        for any sig_idx in (0..pe.number_of_signatures): (
            pe.signatures[sig_idx].subject contains "SOVA CONSULTANCY LTD" and
            pe.signatures[sig_idx].serial == "73:06:5e:fa:16:3b:79:01:fa:1c:cb:0a:54:e8:05:40" and
            // Certificate expiry (Unix seconds) must not be earlier than this value.
            pe.signatures[sig_idx].not_after >= 1548115200
        )
}
// Blocklist entry: signer subject contains the quoted name "VERY EXCLUSIVE LTD",
// exact serial below. Subject and serial are compared as strings; nothing here
// validates the signature chain.
rule cert_blocklist_4842afad00904ed8c98811e652ccb3b7 {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D at offset 0 is the little-endian "MZ" magic of a DOS/PE file.
        uint16(0) == 0x5A4D and
        // NOTE(review): the range is inclusive, so index number_of_signatures is
        // also visited; presumably undefined there and never a match - confirm.
        for any sig_idx in (0..pe.number_of_signatures): (
            // The \" escapes mean the double quotes are part of the text being matched.
            pe.signatures[sig_idx].subject contains "\"VERY EXCLUSIVE LTD\"" and
            pe.signatures[sig_idx].serial == "48:42:af:ad:00:90:4e:d8:c9:88:11:e6:52:cc:b3:b7" and
            // Certificate expiry (Unix seconds) must not be earlier than this value.
            pe.signatures[sig_idx].not_after >= 1545177600
        )
}
// Blocklist entry: signer subject contains "ABADAN PIZZA LTD", exact serial below.
// Subject and serial are compared as strings; nothing here validates the signature chain.
rule cert_blocklist_5a59a686b4a904d0fca07153ea6db6cc {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D at offset 0 is the little-endian "MZ" magic of a DOS/PE file.
        uint16(0) == 0x5A4D and
        // NOTE(review): the range is inclusive, so index number_of_signatures is
        // also visited; presumably undefined there and never a match - confirm.
        for any sig_idx in (0..pe.number_of_signatures): (
            pe.signatures[sig_idx].subject contains "ABADAN PIZZA LTD" and
            pe.signatures[sig_idx].serial == "5a:59:a6:86:b4:a9:04:d0:fc:a0:71:53:ea:6d:b6:cc" and
            // Certificate expiry (Unix seconds) must not be earlier than this value.
            pe.signatures[sig_idx].not_after >= 1563403380
        )
}
// Blocklist entry: signer subject contains "GLARYSOFT LTD", exact serial below.
// Subject and serial are compared as strings; nothing here validates the signature chain.
rule cert_blocklist_0b6d8152f4a06ba781c6677eea5ab74b {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D at offset 0 is the little-endian "MZ" magic of a DOS/PE file.
        uint16(0) == 0x5A4D and
        // NOTE(review): the range is inclusive, so index number_of_signatures is
        // also visited; presumably undefined there and never a match - confirm.
        for any sig_idx in (0..pe.number_of_signatures): (
            pe.signatures[sig_idx].subject contains "GLARYSOFT LTD" and
            pe.signatures[sig_idx].serial == "0b:6d:81:52:f4:a0:6b:a7:81:c6:67:7e:ea:5a:b7:4b" and
            // Certificate expiry (Unix seconds) must not be earlier than this value.
            pe.signatures[sig_idx].not_after >= 1568246400
        )
}
// Blocklist entry: signer subject contains "CUS Software GmbH", exact serial below.
// Subject and serial are compared as strings; nothing here validates the signature chain.
rule cert_blocklist_3ad60cea73e1dd1a3e6c02d9b339c380 {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D at offset 0 is the little-endian "MZ" magic of a DOS/PE file.
        uint16(0) == 0x5A4D and
        // NOTE(review): the range is inclusive, so index number_of_signatures is
        // also visited; presumably undefined there and never a match - confirm.
        for any sig_idx in (0..pe.number_of_signatures): (
            pe.signatures[sig_idx].subject contains "CUS Software GmbH" and
            pe.signatures[sig_idx].serial == "3a:d6:0c:ea:73:e1:dd:1a:3e:6c:02:d9:b3:39:c3:80" and
            // Certificate expiry (Unix seconds) must not be earlier than this value.
            pe.signatures[sig_idx].not_after >= 1567036800
        )
}
// Blocklist entry: signer subject contains "AFVIMPEX SRL", exact serial below.
// Subject and serial are compared as strings; nothing here validates the signature chain.
rule cert_blocklist_7df2dfed47c6fd6542131847cffbc102 {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D at offset 0 is the little-endian "MZ" magic of a DOS/PE file.
        uint16(0) == 0x5A4D and
        // NOTE(review): the range is inclusive, so index number_of_signatures is
        // also visited; presumably undefined there and never a match - confirm.
        for any sig_idx in (0..pe.number_of_signatures): (
            pe.signatures[sig_idx].subject contains "AFVIMPEX SRL" and
            pe.signatures[sig_idx].serial == "7d:f2:df:ed:47:c6:fd:65:42:13:18:47:cf:fb:c1:02" and
            // Certificate expiry (Unix seconds) must not be earlier than this value.
            pe.signatures[sig_idx].not_after >= 1567036800
        )
}
// Blocklist entry: signer subject contains "DOCS PTY LTD", exact serial below.
// Subject and serial are compared as strings; nothing here validates the signature chain.
rule cert_blocklist_74fedf0f8398060fa8378c6d174465c8 {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D at offset 0 is the little-endian "MZ" magic of a DOS/PE file.
        uint16(0) == 0x5A4D and
        // NOTE(review): the range is inclusive, so index number_of_signatures is
        // also visited; presumably undefined there and never a match - confirm.
        for any sig_idx in (0..pe.number_of_signatures): (
            pe.signatures[sig_idx].subject contains "DOCS PTY LTD" and
            pe.signatures[sig_idx].serial == "74:fe:df:0f:83:98:06:0f:a8:37:8c:6d:17:44:65:c8" and
            // Certificate expiry (Unix seconds) must not be earlier than this value.
            pe.signatures[sig_idx].not_after >= 1566172800
        )
}
// Certificate blocklist entry: matches a PE file carrying a signature with
// the subject and serial below. YARA reads these fields without validating
// the certificate chain, so verify a hit with a full signature check.
rule cert_blocklist_3bd6a5bba28e7c1ca44880159dace237 {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."

    condition:
        // "MZ" magic at offset 0
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "TECHNO BEAVERS LIMITED" and
            pe.signatures[idx].serial == "3b:d6:a5:bb:a2:8e:7c:1c:a4:48:80:15:9d:ac:e2:37" and
            // epoch-seconds lower bound on the certificate's not_after
            pe.signatures[idx].not_after >= 1563408000
        )
}
// Certificate blocklist entry: matches a PE file carrying a signature with
// the subject and serial below. YARA reads these fields without validating
// the certificate chain, so verify a hit with a full signature check.
rule cert_blocklist_c04f8f1e00c69e96a51bf14aab1c6ae0 {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."

    condition:
        // "MZ" magic at offset 0
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "CHAIKA, TOV" and
            // serial accepted with or without the leading 00 byte
            (
                pe.signatures[idx].serial == "c0:4f:8f:1e:00:c6:9e:96:a5:1b:f1:4a:ab:1c:6a:e0" or
                pe.signatures[idx].serial == "00:c0:4f:8f:1e:00:c6:9e:96:a5:1b:f1:4a:ab:1c:6a:e0"
            ) and
            // epoch-seconds lower bound on the certificate's not_after
            pe.signatures[idx].not_after >= 1551398400
        )
}
// Certificate blocklist entry: matches a PE file carrying a signature with
// the subject and serial below. YARA reads these fields without validating
// the certificate chain, so verify a hit with a full signature check.
rule cert_blocklist_23f537ce13c6cccdfd3f8ce81fb981cb {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."

    condition:
        // "MZ" magic at offset 0
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "ISECURE GROUP PTY LTD" and
            pe.signatures[idx].serial == "23:f5:37:ce:13:c6:cc:cd:fd:3f:8c:e8:1f:b9:81:cb" and
            // epoch-seconds lower bound on the certificate's not_after
            pe.signatures[idx].not_after >= 1566086400
        )
}
// Certificate blocklist entry: matches a PE file carrying a signature with
// the subject and serial below. YARA reads these fields without validating
// the certificate chain, so verify a hit with a full signature check.
rule cert_blocklist_73ecfdbb99aec176ddfcf7958d120e1a {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."

    condition:
        // "MZ" magic at offset 0
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "MHOW PTY LTD" and
            pe.signatures[idx].serial == "73:ec:fd:bb:99:ae:c1:76:dd:fc:f7:95:8d:12:0e:1a" and
            // epoch-seconds lower bound on the certificate's not_after
            pe.signatures[idx].not_after >= 1566864000
        )
}
// Certificate blocklist entry: matches a PE file carrying a signature with
// the subject and serial below. YARA reads these fields without validating
// the certificate chain, so verify a hit with a full signature check.
rule cert_blocklist_675129bb174a5b05e330cc09f8bbd70a {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."

    condition:
        // "MZ" magic at offset 0
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "ALEX & CO PTY LIMITED" and
            pe.signatures[idx].serial == "67:51:29:bb:17:4a:5b:05:e3:30:cc:09:f8:bb:d7:0a" and
            // epoch-seconds lower bound on the certificate's not_after
            pe.signatures[idx].not_after >= 1565568000
        )
}
// Certificate blocklist entry: matches a PE file carrying a signature with
// the subject and serial below. YARA reads these fields without validating
// the certificate chain, so verify a hit with a full signature check.
rule cert_blocklist_de13fe2dbb8f890287e1780aff6ffd22 {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."

    condition:
        // "MZ" magic at offset 0
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "LAST TIME PTY LTD" and
            // NOTE(review): other entries in this file whose serial starts at
            // 0x80 or above also list a 00-prefixed form; this one lists only
            // the bare form -- confirm that is intended.
            pe.signatures[idx].serial == "de:13:fe:2d:bb:8f:89:02:87:e1:78:0a:ff:6f:fd:22" and
            // epoch-seconds lower bound on the certificate's not_after
            pe.signatures[idx].not_after >= 1566259200
        )
}
// Certificate blocklist entry: matches a PE file carrying a signature with
// the subject and serial below. YARA reads these fields without validating
// the certificate chain, so verify a hit with a full signature check.
rule cert_blocklist_da000d18949c247d4ddfc2585cc8bd0f {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."

    condition:
        // "MZ" magic at offset 0
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "PORT-SERVIS LTD" and
            // serial accepted with or without the leading 00 byte
            (
                pe.signatures[idx].serial == "da:00:0d:18:94:9c:24:7d:4d:df:c2:58:5c:c8:bd:0f" or
                pe.signatures[idx].serial == "00:da:00:0d:18:94:9c:24:7d:4d:df:c2:58:5c:c8:bd:0f"
            ) and
            // epoch-seconds lower bound on the certificate's not_after
            pe.signatures[idx].not_after >= 1564444800
        )
}
// Certificate blocklist entry: matches a PE file carrying a signature with
// the subject and serial below. YARA reads these fields without validating
// the certificate chain, so verify a hit with a full signature check.
rule cert_blocklist_06e842d3ea6249d783d6b55e29c060c7 {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."

    condition:
        // "MZ" magic at offset 0
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "PORT-SERVIS LTD, TOV" and
            pe.signatures[idx].serial == "06:e8:42:d3:ea:62:49:d7:83:d6:b5:5e:29:c0:60:c7" and
            // epoch-seconds lower bound on the certificate's not_after
            pe.signatures[idx].not_after >= 1565568000
        )
}
// Certificate blocklist entry: matches a PE file carrying a signature with
// the subject and serial below. YARA reads these fields without validating
// the certificate chain, so verify a hit with a full signature check.
rule cert_blocklist_06473c3c19d9e1a9429b58b6faec2967 {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."

    condition:
        // "MZ" magic at offset 0
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "Digital Leadership Solutions Limited" and
            pe.signatures[idx].serial == "06:47:3c:3c:19:d9:e1:a9:42:9b:58:b6:fa:ec:29:67" and
            // epoch-seconds lower bound on the certificate's not_after
            pe.signatures[idx].not_after >= 1581984001
        )
}
// Certificate blocklist entry: matches a PE file carrying a signature with
// the subject and serial below. YARA reads these fields without validating
// the certificate chain, so verify a hit with a full signature check.
rule cert_blocklist_39f56251df2088223cc03494084e6081 {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."

    condition:
        // "MZ" magic at offset 0
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "Inter Med Pty. Ltd." and
            pe.signatures[idx].serial == "39:f5:62:51:df:20:88:22:3c:c0:34:94:08:4e:60:81" and
            // epoch-seconds lower bound on the certificate's not_after
            pe.signatures[idx].not_after >= 1583539200
        )
}
// Certificate blocklist entry: matches a PE file carrying a signature with
// the subject and serial below. YARA reads these fields without validating
// the certificate chain, so verify a hit with a full signature check.
rule cert_blocklist_1362e56d34dc7b501e17fa1ac3c3e3d9 {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."

    condition:
        // "MZ" magic at offset 0
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "OOO \"Amaranth\"" and
            pe.signatures[idx].serial == "13:62:e5:6d:34:dc:7b:50:1e:17:fa:1a:c3:c3:e3:d9" and
            // epoch-seconds lower bound on the certificate's not_after
            pe.signatures[idx].not_after >= 1575936000
        )
}
// Certificate blocklist entry: matches a PE file carrying a signature with
// the subject and serial below. YARA reads these fields without validating
// the certificate chain, so verify a hit with a full signature check.
rule cert_blocklist_4b83593fc78d92cfaa9bdf3f97383964 {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."

    condition:
        // "MZ" magic at offset 0
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "OOO Kometa" and
            pe.signatures[idx].serial == "4b:83:59:3f:c7:8d:92:cf:aa:9b:df:3f:97:38:39:64" and
            // epoch-seconds lower bound on the certificate's not_after
            pe.signatures[idx].not_after >= 1579996800
        )
}
// Certificate blocklist entry: matches a PE file carrying a signature with
// the subject and serial below. YARA reads these fields without validating
// the certificate chain, so verify a hit with a full signature check.
rule cert_blocklist_c7505e7464e00ec1dccd8d1b466d15ff {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."

    condition:
        // "MZ" magic at offset 0
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "Ltd. \"Eve Beauty\"" and
            // serial accepted with or without the leading 00 byte
            (
                pe.signatures[idx].serial == "c7:50:5e:74:64:e0:0e:c1:dc:cd:8d:1b:46:6d:15:ff" or
                pe.signatures[idx].serial == "00:c7:50:5e:74:64:e0:0e:c1:dc:cd:8d:1b:46:6d:15:ff"
            ) and
            // epoch-seconds lower bound on the certificate's not_after
            pe.signatures[idx].not_after >= 1583824676
        )
}
// Certificate blocklist entry: matches a PE file carrying a signature with
// the subject and serial below. YARA reads these fields without validating
// the certificate chain, so verify a hit with a full signature check.
rule cert_blocklist_cbf91988fb83511de1b3a7a520712e9c {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."

    condition:
        // "MZ" magic at offset 0
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "Ltd. \"Eve Beauty\"" and
            // serial accepted with or without the leading 00 byte
            (
                pe.signatures[idx].serial == "cb:f9:19:88:fb:83:51:1d:e1:b3:a7:a5:20:71:2e:9c" or
                pe.signatures[idx].serial == "00:cb:f9:19:88:fb:83:51:1d:e1:b3:a7:a5:20:71:2e:9c"
            ) and
            // epoch-seconds lower bound on the certificate's not_after
            pe.signatures[idx].not_after >= 1578786662
        )
}
// Certificate blocklist entry: matches a PE file carrying a signature with
// the subject and serial below. YARA reads these fields without validating
// the certificate chain, so verify a hit with a full signature check.
rule cert_blocklist_ce3675ae4abfe688870bcacb63060f4f {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."

    condition:
        // "MZ" magic at offset 0
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "OOO \"MPS\"" and
            // serial accepted with or without the leading 00 byte
            (
                pe.signatures[idx].serial == "ce:36:75:ae:4a:bf:e6:88:87:0b:ca:cb:63:06:0f:4f" or
                pe.signatures[idx].serial == "00:ce:36:75:ae:4a:bf:e6:88:87:0b:ca:cb:63:06:0f:4f"
            ) and
            // epoch-seconds lower bound on the certificate's not_after
            pe.signatures[idx].not_after >= 1582675200
        )
}
// Certificate blocklist entry: matches a PE file carrying a signature with
// the subject and serial below. YARA reads these fields without validating
// the certificate chain, so verify a hit with a full signature check.
rule cert_blocklist_9813229efe0046d23542cc7569d5a403 {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."

    condition:
        // "MZ" magic at offset 0
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "OOO \"MPS\"" and
            // serial accepted with or without the leading 00 byte
            (
                pe.signatures[idx].serial == "98:13:22:9e:fe:00:46:d2:35:42:cc:75:69:d5:a4:03" or
                pe.signatures[idx].serial == "00:98:13:22:9e:fe:00:46:d2:35:42:cc:75:69:d5:a4:03"
            ) and
            // epoch-seconds lower bound on the certificate's not_after
            pe.signatures[idx].not_after >= 1575849600
        )
}
// Certificate blocklist entry: matches a PE file carrying a signature with
// the subject and serial below. YARA reads these fields without validating
// the certificate chain, so verify a hit with a full signature check.
rule cert_blocklist_86e5a9b9e89e5075c475006d0ca03832 {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."

    condition:
        // "MZ" magic at offset 0
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "BlueMarble GmbH" and
            // serial accepted with or without the leading 00 byte
            (
                pe.signatures[idx].serial == "86:e5:a9:b9:e8:9e:50:75:c4:75:00:6d:0c:a0:38:32" or
                pe.signatures[idx].serial == "00:86:e5:a9:b9:e8:9e:50:75:c4:75:00:6d:0c:a0:38:32"
            ) and
            // epoch-seconds lower bound on the certificate's not_after
            pe.signatures[idx].not_after >= 1574791194
        )
}
// Certificate blocklist entry: matches a PE file carrying a signature with
// the subject and serial below. YARA reads these fields without validating
// the certificate chain, so verify a hit with a full signature check.
rule cert_blocklist_075dca9ca84b93e8a89b775128f90302 {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."

    condition:
        // "MZ" magic at offset 0
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "UAB GT-servis" and
            pe.signatures[idx].serial == "07:5d:ca:9c:a8:4b:93:e8:a8:9b:77:51:28:f9:03:02" and
            // epoch-seconds lower bound on the certificate's not_after
            pe.signatures[idx].not_after >= 1579305601
        )
}
// Certificate blocklist entry: matches a PE file carrying a signature with
// the subject and serial below. YARA reads these fields without validating
// the certificate chain, so verify a hit with a full signature check.
rule cert_blocklist_0ddce8cdc91b5b649bb4b45ffbba6c6c {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."

    condition:
        // "MZ" magic at offset 0
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "SLIM DOG GROUP SP Z O O" and
            pe.signatures[idx].serial == "0d:dc:e8:cd:c9:1b:5b:64:9b:b4:b4:5f:fb:ba:6c:6c" and
            // epoch-seconds lower bound on the certificate's not_after
            pe.signatures[idx].not_after >= 1580722435
        )
}
// Certificate blocklist entry: matches a PE file carrying a signature with
// the subject and serial below. YARA reads these fields without validating
// the certificate chain, so verify a hit with a full signature check.
rule cert_blocklist_9bd614d5869bb66c96b67e154d517384 {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."

    condition:
        // "MZ" magic at offset 0
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "\"CENTR MBP\"" and
            // serial accepted with or without the leading 00 byte
            (
                pe.signatures[idx].serial == "9b:d6:14:d5:86:9b:b6:6c:96:b6:7e:15:4d:51:73:84" or
                pe.signatures[idx].serial == "00:9b:d6:14:d5:86:9b:b6:6c:96:b6:7e:15:4d:51:73:84"
            ) and
            // epoch-seconds lower bound on the certificate's not_after
            pe.signatures[idx].not_after >= 1581618180
        )
}
// Certificate blocklist entry: matches a PE file carrying a signature with
// the subject and serial below. YARA reads these fields without validating
// the certificate chain, so verify a hit with a full signature check.
rule cert_blocklist_540cea639d5d48669b7f2f64 {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."

    condition:
        // "MZ" magic at offset 0
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "CENTR MBP LLC" and
            pe.signatures[idx].serial == "54:0c:ea:63:9d:5d:48:66:9b:7f:2f:64" and
            // epoch-seconds lower bound on the certificate's not_after
            pe.signatures[idx].not_after >= 1570871755
        )
}
// Certificate blocklist entry: matches a PE file carrying a signature with
// the subject and serial below. YARA reads these fields without validating
// the certificate chain, so verify a hit with a full signature check.
rule cert_blocklist_03a7748a4355020a652466b5e02e07de {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."

    condition:
        // "MZ" magic at offset 0
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "Teleneras MB" and
            pe.signatures[idx].serial == "03:a7:74:8a:43:55:02:0a:65:24:66:b5:e0:2e:07:de" and
            // epoch-seconds lower bound on the certificate's not_after
            pe.signatures[idx].not_after >= 1575244801
        )
}
// Certificate blocklist entry: matches a PE file carrying a signature with
// the subject and serial below. YARA reads these fields without validating
// the certificate chain, so verify a hit with a full signature check.
rule cert_blocklist_b881a72d4117bbc38b81d3c65c792c1a {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."

    condition:
        // "MZ" magic at offset 0
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "Red GmbH" and
            // serial accepted with or without the leading 00 byte
            (
                pe.signatures[idx].serial == "b8:81:a7:2d:41:17:bb:c3:8b:81:d3:c6:5c:79:2c:1a" or
                pe.signatures[idx].serial == "00:b8:81:a7:2d:41:17:bb:c3:8b:81:d3:c6:5c:79:2c:1a"
            ) and
            // epoch-seconds lower bound on the certificate's not_after
            pe.signatures[idx].not_after >= 1581936420
        )
}
// Certificate blocklist entry: matches a PE file carrying a signature with
// the subject and serial below. YARA reads these fields without validating
// the certificate chain, so verify a hit with a full signature check.
rule cert_blocklist_08653ef2ed9e6ebb56ffa7e93f963235 {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."

    condition:
        // "MZ" magic at offset 0
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "Haw Farm LIMITED" and
            pe.signatures[idx].serial == "08:65:3e:f2:ed:9e:6e:bb:56:ff:a7:e9:3f:96:32:35" and
            // epoch-seconds lower bound on the certificate's not_after
            pe.signatures[idx].not_after >= 1581465601
        )
}
// Certificate blocklist entry: matches a PE file carrying a signature with
// the subject and serial below. YARA reads these fields without validating
// the certificate chain, so verify a hit with a full signature check.
rule cert_blocklist_9c4816d900a6ecdbe54adf72b19ebcf5 {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."

    condition:
        // "MZ" magic at offset 0
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "Datamingo Limited" and
            // serial accepted with or without the leading 00 byte
            (
                pe.signatures[idx].serial == "9c:48:16:d9:00:a6:ec:db:e5:4a:df:72:b1:9e:bc:f5" or
                pe.signatures[idx].serial == "00:9c:48:16:d9:00:a6:ec:db:e5:4a:df:72:b1:9e:bc:f5"
            ) and
            // epoch-seconds lower bound on the certificate's not_after
            pe.signatures[idx].not_after >= 1557187200
        )
}
// Certificate blocklist entry: matches a PE file carrying a signature with
// the subject and serial below. YARA reads these fields without validating
// the certificate chain, so verify a hit with a full signature check.
rule cert_blocklist_269174f9fe7c6ed4e1d19b26c3f5b35f {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."

    condition:
        // "MZ" magic at offset 0
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "GO ONLINE d.o.o." and
            pe.signatures[idx].serial == "26:91:74:f9:fe:7c:6e:d4:e1:d1:9b:26:c3:f5:b3:5f" and
            // epoch-seconds lower bound on the certificate's not_after
            pe.signatures[idx].not_after >= 1586386919
        )
}
// Certificate blocklist entry: matches a PE file carrying a signature with
// the subject and serial below. YARA reads these fields without validating
// the certificate chain, so verify a hit with a full signature check.
rule cert_blocklist_523fb4036368dc26192d68827f2d889b {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."

    condition:
        // "MZ" magic at offset 0
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "OOO MEDUZA SERVICE GROUP" and
            pe.signatures[idx].serial == "52:3f:b4:03:63:68:dc:26:19:2d:68:82:7f:2d:88:9b" and
            // epoch-seconds lower bound on the certificate's not_after
            pe.signatures[idx].not_after >= 1586847880
        )
}
// Certificate blocklist entry: matches a PE file carrying a signature with
// the subject and serial below. YARA reads these fields without validating
// the certificate chain, so verify a hit with a full signature check.
rule cert_blocklist_84f842f6d33cd2f25b88dd1710e21137 {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."

    condition:
        // "MZ" magic at offset 0
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "DataNext s.r.o." and
            // serial accepted with or without the leading 00 byte
            (
                pe.signatures[idx].serial == "84:f8:42:f6:d3:3c:d2:f2:5b:88:dd:17:10:e2:11:37" or
                pe.signatures[idx].serial == "00:84:f8:42:f6:d3:3c:d2:f2:5b:88:dd:17:10:e2:11:37"
            ) and
            // epoch-seconds lower bound on the certificate's not_after
            pe.signatures[idx].not_after >= 1586775720
        )
}
// Certificate blocklist entry: matches a PE file carrying a signature with
// the subject and serial below. YARA reads these fields without validating
// the certificate chain, so verify a hit with a full signature check.
rule cert_blocklist_4fbcaa289ba925b4e247809b6b028202 {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."

    condition:
        // "MZ" magic at offset 0
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "Kimjac ApS" and
            pe.signatures[idx].serial == "4f:bc:aa:28:9b:a9:25:b4:e2:47:80:9b:6b:02:82:02" and
            // epoch-seconds lower bound on the certificate's not_after
            pe.signatures[idx].not_after >= 1588227220
        )
}
// Certificate blocklist entry: matches a PE file carrying a signature with
// the subject and serial below. YARA reads these fields without validating
// the certificate chain, so verify a hit with a full signature check.
rule cert_blocklist_1f2e8effbb08c7dbcc7a7f2d835457b5 {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."

    condition:
        // "MZ" magic at offset 0
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "RTI, OOO" and
            pe.signatures[idx].serial == "1f:2e:8e:ff:bb:08:c7:db:cc:7a:7f:2d:83:54:57:b5" and
            // epoch-seconds lower bound on the certificate's not_after
            pe.signatures[idx].not_after >= 1581382360
        )
}
// Certificate blocklist entry: matches a PE file carrying a signature with
// the subject and serial below. YARA reads these fields without validating
// the certificate chain, so verify a hit with a full signature check.
rule cert_blocklist_aeba4c39306fdd022849867801645814 {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."

    condition:
        // "MZ" magic at offset 0
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "SK AI MAS GmbH" and
            // serial accepted with or without the leading 00 byte
            (
                pe.signatures[idx].serial == "ae:ba:4c:39:30:6f:dd:02:28:49:86:78:01:64:58:14" or
                pe.signatures[idx].serial == "00:ae:ba:4c:39:30:6f:dd:02:28:49:86:78:01:64:58:14"
            ) and
            // epoch-seconds lower bound on the certificate's not_after
            pe.signatures[idx].not_after >= 1579478400
        )
}
// Certificate blocklist entry: matches a PE file carrying a signature with
// the subject and serial below. YARA reads these fields without validating
// the certificate chain, so verify a hit with a full signature check.
rule cert_blocklist_028d50ae0c554b49148e82db5b1c2699 {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."

    condition:
        // "MZ" magic at offset 0
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "VAS CO PTY LTD" and
            pe.signatures[idx].serial == "02:8d:50:ae:0c:55:4b:49:14:8e:82:db:5b:1c:26:99" and
            // epoch-seconds lower bound on the certificate's not_after
            pe.signatures[idx].not_after >= 1579478400
        )
}
// Certificate blocklist entry: matches a PE file carrying a signature with
// the subject and serial below. YARA reads these fields without validating
// the certificate chain, so verify a hit with a full signature check.
rule cert_blocklist_684f478c7259dde0cfe2260112ca9846 {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."

    condition:
        // "MZ" magic at offset 0
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "LLC \"IP EM\"" and
            pe.signatures[idx].serial == "68:4f:47:8c:72:59:dd:e0:cf:e2:26:01:12:ca:98:46" and
            // epoch-seconds lower bound on the certificate's not_after
            pe.signatures[idx].not_after >= 1584981648
        )
}
// Certificate blocklist entry: matches a PE file carrying a signature with
// the subject and serial below. YARA reads these fields without validating
// the certificate chain, so verify a hit with a full signature check.
rule cert_blocklist_0b7c32208a954a483dd102e1be094867 {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."

    condition:
        // "MZ" magic at offset 0
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "Win Sp Z O O" and
            pe.signatures[idx].serial == "0b:7c:32:20:8a:95:4a:48:3d:d1:02:e1:be:09:48:67" and
            // epoch-seconds lower bound on the certificate's not_after
            pe.signatures[idx].not_after >= 1583884800
        )
}
// Certificate blocklist entry: matches a PE file carrying a signature with
// the subject and serial below. YARA reads these fields without validating
// the certificate chain, so verify a hit with a full signature check.
rule cert_blocklist_3e72daf2b9a4449e946009e5084a8e76 {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."

    condition:
        // "MZ" magic at offset 0
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "OOO Infoteh63" and
            pe.signatures[idx].serial == "3e:72:da:f2:b9:a4:44:9e:94:60:09:e5:08:4a:8e:76" and
            // epoch-seconds lower bound on the certificate's not_after
            pe.signatures[idx].not_after >= 1591787570
        )
}
// Certificate blocklist entry: matches a PE file carrying a signature with
// the subject and serial below. YARA reads these fields without validating
// the certificate chain, so verify a hit with a full signature check.
rule cert_blocklist_11edd343e21c36ac985555d85c16135f {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."

    condition:
        // "MZ" magic at offset 0
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "Pribyl Handels GmbH" and
            pe.signatures[idx].serial == "11:ed:d3:43:e2:1c:36:ac:98:55:55:d8:5c:16:13:5f" and
            // epoch-seconds lower bound on the certificate's not_after
            pe.signatures[idx].not_after >= 1589925600
        )
}
// Certificate blocklist entry: matches a PE file carrying a signature with
// the subject and serial below. YARA reads these fields without validating
// the certificate chain, so verify a hit with a full signature check.
rule cert_blocklist_093fe63d1a5f68f14ecaac871a03f7a3 {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."

    condition:
        // "MZ" magic at offset 0
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "SPECTACLE IMAGE LTD" and
            pe.signatures[idx].serial == "09:3f:e6:3d:1a:5f:68:f1:4e:ca:ac:87:1a:03:f7:a3" and
            // epoch-seconds lower bound on the certificate's not_after
            pe.signatures[idx].not_after >= 1562716800
        )
}
// Certificate blocklist entry: matches a PE file carrying a signature with
// the subject and serial below. YARA reads these fields without validating
// the certificate chain, so verify a hit with a full signature check.
rule cert_blocklist_bb26b7b6634d5db548c437b5085b01c1 {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."

    condition:
        // "MZ" magic at offset 0
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "OOO \"IT Mott\"" and
            // serial accepted with or without the leading 00 byte
            (
                pe.signatures[idx].serial == "bb:26:b7:b6:63:4d:5d:b5:48:c4:37:b5:08:5b:01:c1" or
                pe.signatures[idx].serial == "00:bb:26:b7:b6:63:4d:5d:b5:48:c4:37:b5:08:5b:01:c1"
            ) and
            // epoch-seconds lower bound on the certificate's not_after
            pe.signatures[idx].not_after >= 1591919307
        )
}
// Certificate blocklist entry: matches a PE file carrying a signature with
// the subject and serial below. YARA reads these fields without validating
// the certificate chain, so verify a hit with a full signature check.
rule cert_blocklist_29128a56e7b3bfb230742591ac8b4718 {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."

    condition:
        // "MZ" magic at offset 0
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "Programavimo paslaugos, MB" and
            pe.signatures[idx].serial == "29:12:8a:56:e7:b3:bf:b2:30:74:25:91:ac:8b:47:18" and
            // epoch-seconds lower bound on the certificate's not_after
            pe.signatures[idx].not_after >= 1590900909
        )
}
// Certificate blocklist entry: matches a PE file carrying a signature with
// the subject and serial below. YARA reads these fields without validating
// the certificate chain, so verify a hit with a full signature check.
rule cert_blocklist_7bfbfdfef43608730ee14779ee3ee2cb {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."

    condition:
        // "MZ" magic at offset 0
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "CSTech Software Inc." and
            pe.signatures[idx].serial == "7b:fb:fd:fe:f4:36:08:73:0e:e1:47:79:ee:3e:e2:cb" and
            // epoch-seconds lower bound on the certificate's not_after
            pe.signatures[idx].not_after >= 1590537600
        )
}
// Certificate blocklist entry: matches a PE file carrying a signature with
// the subject and serial below. YARA reads these fields without validating
// the certificate chain, so verify a hit with a full signature check.
rule cert_blocklist_62205361a758b00572d417cba014f007 {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."

    condition:
        // "MZ" magic at offset 0
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "UNITEKH-S, OOO" and
            pe.signatures[idx].serial == "62:20:53:61:a7:58:b0:05:72:d4:17:cb:a0:14:f0:07" and
            // epoch-seconds lower bound on the certificate's not_after
            pe.signatures[idx].not_after >= 1590470683
        )
}
// Certificate blocklist entry: matches a PE file carrying a signature with
// the subject and serial below. YARA reads these fields without validating
// the certificate chain, so verify a hit with a full signature check.
rule cert_blocklist_4b47d18dbea57abd1563ddf89f87a6c2 {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."

    condition:
        // "MZ" magic at offset 0
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "KBK, OOO" and
            pe.signatures[idx].serial == "4b:47:d1:8d:be:a5:7a:bd:15:63:dd:f8:9f:87:a6:c2" and
            // epoch-seconds lower bound on the certificate's not_after
            pe.signatures[idx].not_after >= 1590485607
        )
}
// Certificate blocklist entry: matches a PE file carrying a signature with
// the subject and serial below. YARA reads these fields without validating
// the certificate chain, so verify a hit with a full signature check.
rule cert_blocklist_be41e2c7bb2493044b9241abb732599d {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."

    condition:
        // "MZ" magic at offset 0
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "Company Babylon" and
            // serial accepted with or without the leading 00 byte
            (
                pe.signatures[idx].serial == "be:41:e2:c7:bb:24:93:04:4b:92:41:ab:b7:32:59:9d" or
                pe.signatures[idx].serial == "00:be:41:e2:c7:bb:24:93:04:4b:92:41:ab:b7:32:59:9d"
            ) and
            // epoch-seconds lower bound on the certificate's not_after
            pe.signatures[idx].not_after >= 1589146251
        )
}
// Certificate blocklist entry: matches a PE file carrying a signature with
// the subject and serial below. YARA reads these fields without validating
// the certificate chain, so verify a hit with a full signature check.
rule cert_blocklist_15c5af15afecf1c900cbab0ca9165629 {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."

    condition:
        // "MZ" magic at offset 0
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "Kompaniya Auttek" and
            pe.signatures[idx].serial == "15:c5:af:15:af:ec:f1:c9:00:cb:ab:0c:a9:16:56:29" and
            // epoch-seconds lower bound on the certificate's not_after
            pe.signatures[idx].not_after >= 1586091840
        )
}
// Certificate blocklist entry: matches a PE file carrying a signature with
// the subject and serial below. YARA reads these fields without validating
// the certificate chain, so verify a hit with a full signature check.
rule cert_blocklist_476de2f108d20b43ba3bae6f331af8f1 {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."

    condition:
        // "MZ" magic at offset 0
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "Digiwill Limited" and
            pe.signatures[idx].serial == "47:6d:e2:f1:08:d2:0b:43:ba:3b:ae:6f:33:1a:f8:f1" and
            // epoch-seconds lower bound on the certificate's not_after
            pe.signatures[idx].not_after >= 1588135722
        )
}
// Certificate blocklist entry: matches a PE file carrying a signature with
// the subject and serial below. YARA reads these fields without validating
// the certificate chain, so verify a hit with a full signature check.
rule cert_blocklist_08ddcc67f8cad6929607e4cda29b3503 {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."

    condition:
        // "MZ" magic at offset 0
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "FAN-CHAI, TOV" and
            pe.signatures[idx].serial == "08:dd:cc:67:f8:ca:d6:92:96:07:e4:cd:a2:9b:35:03" and
            // epoch-seconds lower bound on the certificate's not_after
            pe.signatures[idx].not_after >= 1564310268
        )
}
// Certificate blocklist entry: matches a PE file carrying a signature with
// the subject and serial below. YARA reads these fields without validating
// the certificate chain, so verify a hit with a full signature check.
rule cert_blocklist_052242ace583adf2a3b96adcb04d0812 {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."

    condition:
        // "MZ" magic at offset 0
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "FAN-CHAI, TOV" and
            pe.signatures[idx].serial == "05:22:42:ac:e5:83:ad:f2:a3:b9:6a:dc:b0:4d:08:12" and
            // epoch-seconds lower bound on the certificate's not_after
            pe.signatures[idx].not_after >= 1573603200
        )
}
// Certificate blocklist entry: matches a PE file carrying a signature with
// the subject and serial below. YARA reads these fields without validating
// the certificate chain, so verify a hit with a full signature check.
rule cert_blocklist_bebef5c533ce92efc402fab8605c43ec {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."

    condition:
        // "MZ" magic at offset 0
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "OOO VEKTOR" and
            // serial accepted with or without the leading 00 byte
            (
                pe.signatures[idx].serial == "be:be:f5:c5:33:ce:92:ef:c4:02:fa:b8:60:5c:43:ec" or
                pe.signatures[idx].serial == "00:be:be:f5:c5:33:ce:92:ef:c4:02:fa:b8:60:5c:43:ec"
            ) and
            // epoch-seconds lower bound on the certificate's not_after
            pe.signatures[idx].not_after >= 1587513600
        )
}
// Certificate blocklist entry: matches a PE file carrying a signature with
// the subject and serial below. YARA reads these fields without validating
// the certificate chain, so verify a hit with a full signature check.
rule cert_blocklist_1d3f39f481fe067f8a9289bb49e05a04 {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."

    condition:
        // "MZ" magic at offset 0
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "LOGIKA, OOO" and
            pe.signatures[idx].serial == "1d:3f:39:f4:81:fe:06:7f:8a:92:89:bb:49:e0:5a:04" and
            // epoch-seconds lower bound on the certificate's not_after
            pe.signatures[idx].not_after >= 1592553220
        )
}
// Certificate blocklist entry: matches a PE file carrying a signature with
// the subject and serial below. YARA reads these fields without validating
// the certificate chain, so verify a hit with a full signature check.
rule cert_blocklist_7be35d025e65cc7a4ee01f72 {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."

    condition:
        // "MZ" magic at offset 0
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "Logika OOO" and
            pe.signatures[idx].serial == "7b:e3:5d:02:5e:65:cc:7a:4e:e0:1f:72" and
            // epoch-seconds lower bound on the certificate's not_after
            pe.signatures[idx].not_after >= 1594976445
        )
}
// Certificate blocklist entry: matches a PE file carrying a signature with
// the subject and serial below. YARA reads these fields without validating
// the certificate chain, so verify a hit with a full signature check.
rule cert_blocklist_351fe2efdc0ac56a0c822cf8 {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."

    condition:
        // "MZ" magic at offset 0
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "Logika OOO" and
            pe.signatures[idx].serial == "35:1f:e2:ef:dc:0a:c5:6a:0c:82:2c:f8" and
            // epoch-seconds lower bound on the certificate's not_after
            pe.signatures[idx].not_after >= 1594976475
        )
}
// Certificate blocklist entry: matches a PE file carrying a signature with
// the subject and serial below. YARA reads these fields without validating
// the certificate chain, so verify a hit with a full signature check.
rule cert_blocklist_9cfbb4c69008821aaacecde97ee149ab {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."

    condition:
        // "MZ" magic at offset 0
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "Kivaliz Prest s.r.l." and
            // serial accepted with or without the leading 00 byte
            (
                pe.signatures[idx].serial == "9c:fb:b4:c6:90:08:82:1a:aa:ce:cd:e9:7e:e1:49:ab" or
                pe.signatures[idx].serial == "00:9c:fb:b4:c6:90:08:82:1a:aa:ce:cd:e9:7e:e1:49:ab"
            ) and
            // epoch-seconds lower bound on the certificate's not_after
            pe.signatures[idx].not_after >= 1592363914
        )
}
// Certificate blocklist entry: matches a PE file carrying a signature with
// the subject and serial below. YARA reads these fields without validating
// the certificate chain, so verify a hit with a full signature check.
rule cert_blocklist_c04f5d17af872cb2c37e3367fe761d0d {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."

    condition:
        // "MZ" magic at offset 0
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "DES SP Z O O" and
            // serial accepted with or without the leading 00 byte
            (
                pe.signatures[idx].serial == "c0:4f:5d:17:af:87:2c:b2:c3:7e:33:67:fe:76:1d:0d" or
                pe.signatures[idx].serial == "00:c0:4f:5d:17:af:87:2c:b2:c3:7e:33:67:fe:76:1d:0d"
            ) and
            // epoch-seconds lower bound on the certificate's not_after
            pe.signatures[idx].not_after >= 1594590024
        )
}
// Certificate blocklist entry: matches a PE file carrying a signature with
// the subject and serial below. YARA reads these fields without validating
// the certificate chain, so verify a hit with a full signature check.
rule cert_blocklist_02c5351936abe405ac760228a40387e8 {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."

    condition:
        // "MZ" magic at offset 0
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "RESURS-RM OOO" and
            pe.signatures[idx].serial == "02:c5:35:19:36:ab:e4:05:ac:76:02:28:a4:03:87:e8" and
            // epoch-seconds lower bound on the certificate's not_after
            pe.signatures[idx].not_after >= 1589932801
        )
}
// Certificate blocklist entry: matches a PE file carrying a signature with
// the subject and serial below. YARA reads these fields without validating
// the certificate chain, so verify a hit with a full signature check.
rule cert_blocklist_1ecd829adcc55d9d6afe30dc371ebda6 {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."

    condition:
        // "MZ" magic at offset 0
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "OOO Komp.IT" and
            // serial accepted with or without the leading 00 byte
            (
                pe.signatures[idx].serial == "1e:cd:82:9a:dc:c5:5d:9d:6a:fe:30:dc:37:1e:bd:a6" or
                pe.signatures[idx].serial == "00:1e:cd:82:9a:dc:c5:5d:9d:6a:fe:30:dc:37:1e:bd:a6"
            ) and
            // epoch-seconds lower bound on the certificate's not_after
            pe.signatures[idx].not_after >= 1588723200
        )
}
// Certificate blocklist entry: matches a PE file carrying a signature with
// the subject and serial below. YARA reads these fields without validating
// the certificate chain, so verify a hit with a full signature check.
rule cert_blocklist_b0167124ca59149e64d292eb4b142014 {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."

    condition:
        // "MZ" magic at offset 0
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "Euro May SP Z O O" and
            // serial accepted with or without the leading 00 byte
            (
                pe.signatures[idx].serial == "b0:16:71:24:ca:59:14:9e:64:d2:92:eb:4b:14:20:14" or
                pe.signatures[idx].serial == "00:b0:16:71:24:ca:59:14:9e:64:d2:92:eb:4b:14:20:14"
            ) and
            // epoch-seconds lower bound on the certificate's not_after
            pe.signatures[idx].not_after >= 1585267200
        )
}
// Certificate blocklist entry: matches a PE file carrying a signature with
// the subject and serial below. YARA reads these fields without validating
// the certificate chain, so verify a hit with a full signature check.
rule cert_blocklist_112613b7b5f696cf377680f6463fcc8c {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."

    condition:
        // "MZ" magic at offset 0
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "Infoware Cloud Limited" and
            pe.signatures[idx].serial == "11:26:13:b7:b5:f6:96:cf:37:76:80:f6:46:3f:cc:8c" and
            // epoch-seconds lower bound on the certificate's not_after
            pe.signatures[idx].not_after >= 1566518400
        )
}
// Certificate blocklist entry: matches a PE file carrying a signature with
// the subject and serial below. YARA reads these fields without validating
// the certificate chain, so verify a hit with a full signature check.
rule cert_blocklist_b3f906e5e6b2cf61c5e51be79b4e8777 {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."

    condition:
        // "MZ" magic at offset 0
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "Accelerate Technologies Ltd" and
            // serial accepted with or without the leading 00 byte
            (
                pe.signatures[idx].serial == "b3:f9:06:e5:e6:b2:cf:61:c5:e5:1b:e7:9b:4e:87:77" or
                pe.signatures[idx].serial == "00:b3:f9:06:e5:e6:b2:cf:61:c5:e5:1b:e7:9b:4e:87:77"
            ) and
            // epoch-seconds lower bound on the certificate's not_after
            pe.signatures[idx].not_after >= 1594900020
        )
}
// Certificate blocklist entry: matches a PE file carrying a signature with
// the subject and serial below. YARA reads these fields without validating
// the certificate chain, so verify a hit with a full signature check.
rule cert_blocklist_566ac16a57b132d3f64dced14de790ee {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."

    condition:
        // "MZ" magic at offset 0
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "Unirad LLC" and
            pe.signatures[idx].serial == "56:6a:c1:6a:57:b1:32:d3:f6:4d:ce:d1:4d:e7:90:ee" and
            // epoch-seconds lower bound on the certificate's not_after
            pe.signatures[idx].not_after >= 1562889600
        )
}
// Certificate blocklist entry: matches a PE file carrying a signature with
// the subject and serial below. YARA reads these fields without validating
// the certificate chain, so verify a hit with a full signature check.
rule cert_blocklist_d2caf7908aaebfa1a8f3e2136fece024 {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."

    condition:
        // "MZ" magic at offset 0
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "FANATOR, OOO" and
            // serial accepted with or without the leading 00 byte
            (
                pe.signatures[idx].serial == "d2:ca:f7:90:8a:ae:bf:a1:a8:f3:e2:13:6f:ec:e0:24" or
                pe.signatures[idx].serial == "00:d2:ca:f7:90:8a:ae:bf:a1:a8:f3:e2:13:6f:ec:e0:24"
            ) and
            // epoch-seconds lower bound on the certificate's not_after
            pe.signatures[idx].not_after >= 1599041760
        )
}
// Certificate blocklist entry: matches a PE file carrying a signature with
// the subject and serial below. YARA reads these fields without validating
// the certificate chain, so verify a hit with a full signature check.
rule cert_blocklist_e04a344b397f752a45b128a594a3d6b5 {
    meta:
        author      = "ReversingLabs"
        source      = "ReversingLabs"
        status      = "RELEASED"
        sharing     = "TLP:WHITE"
        category    = "INFO"
        description = "Certificate used for digitally signing malware."

    condition:
        // "MZ" magic at offset 0
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "Highweb Ireland Operations Limited" and
            // serial accepted with or without the leading 00 byte
            (
                pe.signatures[idx].serial == "e0:4a:34:4b:39:7f:75:2a:45:b1:28:a5:94:a3:d6:b5" or
                pe.signatures[idx].serial == "00:e0:4a:34:4b:39:7f:75:2a:45:b1:28:a5:94:a3:d6:b5"
            ) and
            // epoch-seconds lower bound on the certificate's not_after
            pe.signatures[idx].not_after >= 1597708800
        )
}
// Blocklist entry keyed on a PE signer certificate (subject text + serial).
// YARA compares certificate fields only and does not validate the chain or
// the file hash, so confirm a hit with a full signature verifier.
rule cert_blocklist_3bcaed3ef678f2f9bf38d09e149b8d70 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read little-endian at offset 0.
uint16(0) == 0x5A4D and
// Inclusive range: the last index is one past the final signature and
// should evaluate as undefined, so it cannot match.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "StarY Media Inc." and
// Serial is matched exactly as a lowercase colon-separated hex string.
pe.signatures[i].serial == "3b:ca:ed:3e:f6:78:f2:f9:bf:38:d0:9e:14:9b:8d:70" and
// Unix-epoch lower bound on not_after; the file header calls it informative only.
1599091200 <= pe.signatures[i].not_after
)
}
// Blocklist entry keyed on a PE signer certificate (subject text + serial).
// YARA compares certificate fields only and does not validate the chain or
// the file hash, so confirm a hit with a full signature verifier.
rule cert_blocklist_56d576a062491ea0a5877ced418203a1 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read little-endian at offset 0.
uint16(0) == 0x5A4D and
// Inclusive range: the last index is one past the final signature and
// should evaluate as undefined, so it cannot match.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Silvo LLC" and
// Serial is matched exactly as a lowercase colon-separated hex string.
pe.signatures[i].serial == "56:d5:76:a0:62:49:1e:a0:a5:87:7c:ed:41:82:03:a1" and
// Unix-epoch lower bound on not_after; the file header calls it informative only.
1596249885 <= pe.signatures[i].not_after
)
}
// Blocklist entry keyed on a PE signer certificate (subject text + serial).
// YARA compares certificate fields only and does not validate the chain or
// the file hash, so confirm a hit with a full signature verifier.
rule cert_blocklist_0fcba260df7da602ecf4d4d6fc89d5dd {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read little-endian at offset 0.
uint16(0) == 0x5A4D and
// Inclusive range: the last index is one past the final signature and
// should evaluate as undefined, so it cannot match.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Gold Stroy SP Z O O" and
// Serial is matched exactly as a lowercase colon-separated hex string.
pe.signatures[i].serial == "0f:cb:a2:60:df:7d:a6:02:ec:f4:d4:d6:fc:89:d5:dd" and
// Unix-epoch lower bound on not_after; the file header calls it informative only.
1593388801 <= pe.signatures[i].not_after
)
}
// Blocklist entry keyed on a PE signer certificate (subject text + serial).
// YARA compares certificate fields only and does not validate the chain or
// the file hash, so confirm a hit with a full signature verifier.
rule cert_blocklist_4152169f22454ed604d03555b7afb175 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read little-endian at offset 0.
uint16(0) == 0x5A4D and
// Inclusive range: the last index is one past the final signature and
// should evaluate as undefined, so it cannot match.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "SMACKTECH SOFTWARE LIMITED" and
// Serial is matched exactly as a lowercase colon-separated hex string.
pe.signatures[i].serial == "41:52:16:9f:22:45:4e:d6:04:d0:35:55:b7:af:b1:75" and
// Unix-epoch lower bound on not_after; the file header calls it informative only.
1595808000 <= pe.signatures[i].not_after
)
}
// Blocklist entry keyed on a PE signer certificate (subject text + serial).
// YARA compares certificate fields only and does not validate the chain or
// the file hash, so confirm a hit with a full signature verifier.
rule cert_blocklist_01c88ccbd219500139d1af138a9e898e {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read little-endian at offset 0.
uint16(0) == 0x5A4D and
// Inclusive range: the last index is one past the final signature and
// should evaluate as undefined, so it cannot match.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Raymond Yanagita" and
// Serial is matched exactly as a lowercase colon-separated hex string.
pe.signatures[i].serial == "01:c8:8c:cb:d2:19:50:01:39:d1:af:13:8a:9e:89:8e" and
// Unix-epoch lower bound on not_after; the file header calls it informative only.
1593041280 <= pe.signatures[i].not_after
)
}
// Blocklist entry keyed on a PE signer certificate (subject text + serial).
// YARA compares certificate fields only and does not validate the chain or
// the file hash, so confirm a hit with a full signature verifier.
rule cert_blocklist_41d05676e0d31908be4dead3486aeae3 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read little-endian at offset 0.
uint16(0) == 0x5A4D and
// Inclusive range: the last index is one past the final signature and
// should evaluate as undefined, so it cannot match.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Rov SP Z O O" and
// Serial is matched exactly as a lowercase colon-separated hex string.
pe.signatures[i].serial == "41:d0:56:76:e0:d3:19:08:be:4d:ea:d3:48:6a:ea:e3" and
// Unix-epoch lower bound on not_after; the file header calls it informative only.
1594857600 <= pe.signatures[i].not_after
)
}
// Blocklist entry keyed on a PE signer certificate (subject text + serial).
// YARA compares certificate fields only and does not validate the chain or
// the file hash, so confirm a hit with a full signature verifier.
rule cert_blocklist_8cff807edaf368a60e4106906d8df319 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read little-endian at offset 0.
uint16(0) == 0x5A4D and
// Inclusive range: the last index is one past the final signature and
// should evaluate as undefined, so it cannot match.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "KRAFT BOKS OOO" and (
// Same serial in two renderings, with and without a leading 00 byte.
pe.signatures[i].serial == "00:8c:ff:80:7e:da:f3:68:a6:0e:41:06:90:6d:8d:f3:19" or
pe.signatures[i].serial == "8c:ff:80:7e:da:f3:68:a6:0e:41:06:90:6d:8d:f3:19"
) and
// Unix-epoch lower bound on not_after; the file header calls it informative only.
1598334455 <= pe.signatures[i].not_after
)
}
// Blocklist entry keyed on a PE signer certificate (subject text + serial).
// YARA compares certificate fields only and does not validate the chain or
// the file hash, so confirm a hit with a full signature verifier.
rule cert_blocklist_a3e62be1572293ad618f58a8aa32857f {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read little-endian at offset 0.
uint16(0) == 0x5A4D and
// Inclusive range: the last index is one past the final signature and
// should evaluate as undefined, so it cannot match.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "ISIDA, TOV" and (
// Same serial in two renderings, with and without a leading 00 byte.
pe.signatures[i].serial == "00:a3:e6:2b:e1:57:22:93:ad:61:8f:58:a8:aa:32:85:7f" or
pe.signatures[i].serial == "a3:e6:2b:e1:57:22:93:ad:61:8f:58:a8:aa:32:85:7f"
) and
// Unix-epoch lower bound on not_after; the file header calls it informative only.
1596585600 <= pe.signatures[i].not_after
)
}
// Blocklist entry keyed on a PE signer certificate (subject text + serial).
// YARA compares certificate fields only and does not validate the chain or
// the file hash, so confirm a hit with a full signature verifier.
rule cert_blocklist_672d4428450afcc24fc60969a5063a3e {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read little-endian at offset 0.
uint16(0) == 0x5A4D and
// Inclusive range: the last index is one past the final signature and
// should evaluate as undefined, so it cannot match.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "MEP, OOO" and
// Serial is matched exactly as a lowercase colon-separated hex string.
pe.signatures[i].serial == "67:2d:44:28:45:0a:fc:c2:4f:c6:09:69:a5:06:3a:3e" and
// Unix-epoch lower bound on not_after; the file header calls it informative only.
1597381260 <= pe.signatures[i].not_after
)
}
// Blocklist entry keyed on a PE signer certificate (subject text + serial).
// YARA compares certificate fields only and does not validate the chain or
// the file hash, so confirm a hit with a full signature verifier.
rule cert_blocklist_df479e14a70c7970a4de3dd3e4bb0318 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read little-endian at offset 0.
uint16(0) == 0x5A4D and
// Inclusive range: the last index is one past the final signature and
// should evaluate as undefined, so it cannot match.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "SOFTWARE HUB IT LTD" and (
// Same serial in two renderings, with and without a leading 00 byte.
pe.signatures[i].serial == "00:df:47:9e:14:a7:0c:79:70:a4:de:3d:d3:e4:bb:03:18" or
pe.signatures[i].serial == "df:47:9e:14:a7:0c:79:70:a4:de:3d:d3:e4:bb:03:18"
) and
// Unix-epoch lower bound on not_after; the file header calls it informative only.
1591660800 <= pe.signatures[i].not_after
)
}
// Blocklist entry keyed on a PE signer certificate (subject text + serial).
// YARA compares certificate fields only and does not validate the chain or
// the file hash, so confirm a hit with a full signature verifier.
rule cert_blocklist_2924785fd7990b2d510675176dae2bed {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read little-endian at offset 0.
uint16(0) == 0x5A4D and
// Inclusive range: the last index is one past the final signature and
// should evaluate as undefined, so it cannot match.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Neoopt LLC" and
// Serial is matched exactly as a lowercase colon-separated hex string.
pe.signatures[i].serial == "29:24:78:5f:d7:99:0b:2d:51:06:75:17:6d:ae:2b:ed" and
// Unix-epoch lower bound on not_after; the file header calls it informative only.
1595000258 <= pe.signatures[i].not_after
)
}
// Blocklist entry keyed on a PE signer certificate (subject text + serial).
// YARA compares certificate fields only and does not validate the chain or
// the file hash, so confirm a hit with a full signature verifier.
rule cert_blocklist_f4d2def53bccb0dd2b7d54e4853a2fc5 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read little-endian at offset 0.
uint16(0) == 0x5A4D and
// Inclusive range: the last index is one past the final signature and
// should evaluate as undefined, so it cannot match.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "PETROYL GROUP, TOV" and (
// Same serial in two renderings, with and without a leading 00 byte.
pe.signatures[i].serial == "00:f4:d2:de:f5:3b:cc:b0:dd:2b:7d:54:e4:85:3a:2f:c5" or
pe.signatures[i].serial == "f4:d2:de:f5:3b:cc:b0:dd:2b:7d:54:e4:85:3a:2f:c5"
) and
// Unix-epoch lower bound on not_after; the file header calls it informative only.
1598347687 <= pe.signatures[i].not_after
)
}
// Blocklist entry keyed on a PE signer certificate (subject text + serial).
// YARA compares certificate fields only and does not validate the chain or
// the file hash, so confirm a hit with a full signature verifier.
rule cert_blocklist_03bf9ef4cf037a2385649026c3da9d3e {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read little-endian at offset 0.
uint16(0) == 0x5A4D and
// Inclusive range: the last index is one past the final signature and
// should evaluate as undefined, so it cannot match.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "COLLECTIVE SOFTWARE INC." and
// Serial is matched exactly as a lowercase colon-separated hex string.
pe.signatures[i].serial == "03:bf:9e:f4:cf:03:7a:23:85:64:90:26:c3:da:9d:3e" and
// Unix-epoch lower bound on not_after; the file header calls it informative only.
1595371955 <= pe.signatures[i].not_after
)
}
// Blocklist entry keyed on a PE signer certificate (subject text + serial).
// YARA compares certificate fields only and does not validate the chain or
// the file hash, so confirm a hit with a full signature verifier.
rule cert_blocklist_790177a54209d55560a55db97c5900d6 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read little-endian at offset 0.
uint16(0) == 0x5A4D and
// Inclusive range: the last index is one past the final signature and
// should evaluate as undefined, so it cannot match.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "MAK GmbH" and
// Serial is matched exactly as a lowercase colon-separated hex string.
pe.signatures[i].serial == "79:01:77:a5:42:09:d5:55:60:a5:5d:b9:7c:59:00:d6" and
// Unix-epoch lower bound on not_after; the file header calls it informative only.
1594080000 <= pe.signatures[i].not_after
)
}
// Blocklist entry keyed on a PE signer certificate (subject text + serial).
// YARA compares certificate fields only and does not validate the chain or
// the file hash, so confirm a hit with a full signature verifier.
rule cert_blocklist_048f7b5f67d8e2b3030f75eb7be2713d {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read little-endian at offset 0.
uint16(0) == 0x5A4D and
// Inclusive range: the last index is one past the final signature and
// should evaluate as undefined, so it cannot match.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "RITEIL SERVIS, OOO" and
// Serial is matched exactly as a lowercase colon-separated hex string.
pe.signatures[i].serial == "04:8f:7b:5f:67:d8:e2:b3:03:0f:75:eb:7b:e2:71:3d" and
// Unix-epoch lower bound on not_after; the file header calls it informative only.
1591142400 <= pe.signatures[i].not_after
)
}
// Blocklist entry keyed on a PE signer certificate (subject text + serial).
// YARA compares certificate fields only and does not validate the chain or
// the file hash, so confirm a hit with a full signature verifier.
rule cert_blocklist_082023879112289bf351d297cc8efcfc {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read little-endian at offset 0.
uint16(0) == 0x5A4D and
// Inclusive range: the last index is one past the final signature and
// should evaluate as undefined, so it cannot match.
for any i in (0..pe.number_of_signatures): (
// This subject text is also used by another rule in this file; the serial
// is what distinguishes the two certificates.
pe.signatures[i].subject contains "STA-R TOV" and
// Serial is matched exactly as a lowercase colon-separated hex string.
pe.signatures[i].serial == "08:20:23:87:91:12:28:9b:f3:51:d2:97:cc:8e:fc:fc" and
// Unix-epoch lower bound on not_after; the file header calls it informative only.
1573430400 <= pe.signatures[i].not_after
)
}
// Blocklist entry keyed on a PE signer certificate (subject text + serial).
// YARA compares certificate fields only and does not validate the chain or
// the file hash, so confirm a hit with a full signature verifier.
rule cert_blocklist_0d53690631dd186c56be9026eb931ae2 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read little-endian at offset 0.
uint16(0) == 0x5A4D and
// Inclusive range: the last index is one past the final signature and
// should evaluate as undefined, so it cannot match.
for any i in (0..pe.number_of_signatures): (
// This subject text is also used by another rule in this file; the serial
// is what distinguishes the two certificates.
pe.signatures[i].subject contains "STA-R TOV" and
// Serial is matched exactly as a lowercase colon-separated hex string.
pe.signatures[i].serial == "0d:53:69:06:31:dd:18:6c:56:be:90:26:eb:93:1a:e2" and
// Unix-epoch lower bound on not_after; the file header calls it informative only.
1592190240 <= pe.signatures[i].not_after
)
}
// Blocklist entry keyed on a PE signer certificate (subject text + serial).
// YARA compares certificate fields only and does not validate the chain or
// the file hash, so confirm a hit with a full signature verifier.
rule cert_blocklist_32119925a6ce4710aecc4006c28e749f {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read little-endian at offset 0.
uint16(0) == 0x5A4D and
// Inclusive range: the last index is one past the final signature and
// should evaluate as undefined, so it cannot match.
for any i in (0..pe.number_of_signatures): (
// Short substring match on the subject; the exact serial below is what
// pins the certificate.
pe.signatures[i].subject contains "Maxiol" and
// Serial is matched exactly as a lowercase colon-separated hex string.
pe.signatures[i].serial == "32:11:99:25:a6:ce:47:10:ae:cc:40:06:c2:8e:74:9f" and
// Unix-epoch lower bound on not_after; the file header calls it informative only.
1592438400 <= pe.signatures[i].not_after
)
}
// Blocklist entry keyed on a PE signer certificate (subject text + serial).
// YARA compares certificate fields only and does not validate the chain or
// the file hash, so confirm a hit with a full signature verifier.
rule cert_blocklist_2c90eaf4de3afc03ba924c719435c2a3 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read little-endian at offset 0.
uint16(0) == 0x5A4D and
// Inclusive range: the last index is one past the final signature and
// should evaluate as undefined, so it cannot match.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "AntiFIX s.r.o." and (
// Same serial in two renderings, with and without a leading 00 byte.
pe.signatures[i].serial == "00:2c:90:ea:f4:de:3a:fc:03:ba:92:4c:71:94:35:c2:a3" or
pe.signatures[i].serial == "2c:90:ea:f4:de:3a:fc:03:ba:92:4c:71:94:35:c2:a3"
) and
// Unix-epoch lower bound on not_after; the file header calls it informative only.
1586293430 <= pe.signatures[i].not_after
)
}
// Blocklist entry keyed on a PE signer certificate (subject text + serial).
// YARA compares certificate fields only and does not validate the chain or
// the file hash, so confirm a hit with a full signature verifier.
rule cert_blocklist_aff762e907f0644e76ed8a7485fb12a1 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read little-endian at offset 0.
uint16(0) == 0x5A4D and
// Inclusive range: the last index is one past the final signature and
// should evaluate as undefined, so it cannot match.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Lets Start SP Z O O" and (
// Same serial in two renderings, with and without a leading 00 byte.
pe.signatures[i].serial == "00:af:f7:62:e9:07:f0:64:4e:76:ed:8a:74:85:fb:12:a1" or
pe.signatures[i].serial == "af:f7:62:e9:07:f0:64:4e:76:ed:8a:74:85:fb:12:a1"
) and
// Unix-epoch lower bound on not_after; the file header calls it informative only.
1594882330 <= pe.signatures[i].not_after
)
}
// Blocklist entry keyed on a PE signer certificate (subject text + serial).
// YARA compares certificate fields only and does not validate the chain or
// the file hash, so confirm a hit with a full signature verifier.
rule cert_blocklist_d8530214ca0f512946496b5164c61201 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read little-endian at offset 0.
uint16(0) == 0x5A4D and
// Inclusive range: the last index is one past the final signature and
// should evaluate as undefined, so it cannot match.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "DJ ONLINE MARKETING LIMITED" and (
// Same serial in two renderings, with and without a leading 00 byte.
pe.signatures[i].serial == "00:d8:53:02:14:ca:0f:51:29:46:49:6b:51:64:c6:12:01" or
pe.signatures[i].serial == "d8:53:02:14:ca:0f:51:29:46:49:6b:51:64:c6:12:01"
) and
// Unix-epoch lower bound on not_after; the file header calls it informative only.
1595485920 <= pe.signatures[i].not_after
)
}
// Blocklist entry keyed on a PE signer certificate (subject text + serial).
// YARA compares certificate fields only and does not validate the chain or
// the file hash, so confirm a hit with a full signature verifier.
rule cert_blocklist_661ba8f3c9d1b348413484e9a49502f7 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read little-endian at offset 0.
uint16(0) == 0x5A4D and
// Inclusive range: the last index is one past the final signature and
// should evaluate as undefined, so it cannot match.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Unique Digital Services Ltd." and (
// Same serial in two renderings, with and without a leading 00 byte.
pe.signatures[i].serial == "00:66:1b:a8:f3:c9:d1:b3:48:41:34:84:e9:a4:95:02:f7" or
pe.signatures[i].serial == "66:1b:a8:f3:c9:d1:b3:48:41:34:84:e9:a4:95:02:f7"
) and
// Unix-epoch lower bound on not_after; the file header calls it informative only.
1594942800 <= pe.signatures[i].not_after
)
}
// Blocklist entry keyed on a PE signer certificate (subject text + serial).
// YARA compares certificate fields only and does not validate the chain or
// the file hash, so confirm a hit with a full signature verifier.
rule cert_blocklist_51aead5a9ab2d841b449fa82de3a8a00 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read little-endian at offset 0.
uint16(0) == 0x5A4D and
// Inclusive range: the last index is one past the final signature and
// should evaluate as undefined, so it cannot match.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Corsair Software Solution Inc." and
// Serial is matched exactly as a lowercase colon-separated hex string.
pe.signatures[i].serial == "51:ae:ad:5a:9a:b2:d8:41:b4:49:fa:82:de:3a:8a:00" and
// Unix-epoch lower bound on not_after; the file header calls it informative only.
1501577475 <= pe.signatures[i].not_after
)
}
// Blocklist entry keyed on a PE signer certificate (subject text + serial).
// YARA compares certificate fields only and does not validate the chain or
// the file hash, so confirm a hit with a full signature verifier.
rule cert_blocklist_03b630f9645531f8868dae8ac0f8cfe6 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read little-endian at offset 0.
uint16(0) == 0x5A4D and
// Inclusive range: the last index is one past the final signature and
// should evaluate as undefined, so it cannot match.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Geksan LLC" and
// Serial is matched exactly as a lowercase colon-separated hex string.
pe.signatures[i].serial == "03:b6:30:f9:64:55:31:f8:86:8d:ae:8a:c0:f8:cf:e6" and
// Unix-epoch lower bound on not_after; the file header calls it informative only.
1594252801 <= pe.signatures[i].not_after
)
}
// Blocklist entry keyed on a PE signer certificate (subject text + serial).
// YARA compares certificate fields only and does not validate the chain or
// the file hash, so confirm a hit with a full signature verifier.
rule cert_blocklist_6f8373cf89f1b49138f4328118487f9e {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read little-endian at offset 0.
uint16(0) == 0x5A4D and
// Inclusive range: the last index is one past the final signature and
// should evaluate as undefined, so it cannot match.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "30 PTY LTD" and
// Serial is matched exactly as a lowercase colon-separated hex string.
pe.signatures[i].serial == "6f:83:73:cf:89:f1:b4:91:38:f4:32:81:18:48:7f:9e" and
// Unix-epoch lower bound on not_after; the file header calls it informative only.
1572566400 <= pe.signatures[i].not_after
)
}
// Blocklist entry keyed on a PE signer certificate (subject text + serial).
// YARA compares certificate fields only and does not validate the chain or
// the file hash, so confirm a hit with a full signature verifier.
rule cert_blocklist_e38259cf24cc702ce441b683ad578911 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read little-endian at offset 0.
uint16(0) == 0x5A4D and
// Inclusive range: the last index is one past the final signature and
// should evaluate as undefined, so it cannot match.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Akhirah Technologies Inc." and (
// Same serial in two renderings, with and without a leading 00 byte.
pe.signatures[i].serial == "00:e3:82:59:cf:24:cc:70:2c:e4:41:b6:83:ad:57:89:11" or
pe.signatures[i].serial == "e3:82:59:cf:24:cc:70:2c:e4:41:b6:83:ad:57:89:11"
) and
// Unix-epoch lower bound on not_after; the file header calls it informative only.
1597276800 <= pe.signatures[i].not_after
)
}
// Blocklist entry keyed on a PE signer certificate (subject text + serial).
// YARA compares certificate fields only and does not validate the chain or
// the file hash, so confirm a hit with a full signature verifier.
rule cert_blocklist_bdc81bc76090dae0eee2e1eb744a4f9a {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read little-endian at offset 0.
uint16(0) == 0x5A4D and
// Inclusive range: the last index is one past the final signature and
// should evaluate as undefined, so it cannot match.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "ALM4U GmbH" and (
// Same serial in two renderings, with and without a leading 00 byte.
pe.signatures[i].serial == "00:bd:c8:1b:c7:60:90:da:e0:ee:e2:e1:eb:74:4a:4f:9a" or
pe.signatures[i].serial == "bd:c8:1b:c7:60:90:da:e0:ee:e2:e1:eb:74:4a:4f:9a"
) and
// Unix-epoch lower bound on not_after; the file header calls it informative only.
1579824000 <= pe.signatures[i].not_after
)
}
// Blocklist entry keyed on a PE signer certificate (subject text + serial).
// YARA compares certificate fields only and does not validate the chain or
// the file hash, so confirm a hit with a full signature verifier.
rule cert_blocklist_b2e730b0526f36faf7d093d48d6d9997 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read little-endian at offset 0.
uint16(0) == 0x5A4D and
// Inclusive range: the last index is one past the final signature and
// should evaluate as undefined, so it cannot match.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Bamboo Connect s.r.o." and (
// Same serial in two renderings, with and without a leading 00 byte.
pe.signatures[i].serial == "00:b2:e7:30:b0:52:6f:36:fa:f7:d0:93:d4:8d:6d:99:97" or
pe.signatures[i].serial == "b2:e7:30:b0:52:6f:36:fa:f7:d0:93:d4:8d:6d:99:97"
) and
// Unix-epoch lower bound on not_after; the file header calls it informative only.
1597276800 <= pe.signatures[i].not_after
)
}
// Blocklist entry keyed on a PE signer certificate (subject text + serial).
// YARA compares certificate fields only and does not validate the chain or
// the file hash, so confirm a hit with a full signature verifier.
rule cert_blocklist_7156ec47ef01ab8359ef4304e5af1a05 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read little-endian at offset 0.
uint16(0) == 0x5A4D and
// Inclusive range: the last index is one past the final signature and
// should evaluate as undefined, so it cannot match.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "BOREC, OOO" and
// Serial is matched exactly as a lowercase colon-separated hex string.
pe.signatures[i].serial == "71:56:ec:47:ef:01:ab:83:59:ef:43:04:e5:af:1a:05" and
// Unix-epoch lower bound on not_after; the file header calls it informative only.
1597363200 <= pe.signatures[i].not_after
)
}
// Blocklist entry keyed on a PE signer certificate (subject text + serial).
// YARA compares certificate fields only and does not validate the chain or
// the file hash, so confirm a hit with a full signature verifier.
rule cert_blocklist_13794371c052ec0559e9b492abb25c26 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read little-endian at offset 0.
uint16(0) == 0x5A4D and
// Inclusive range: the last index is one past the final signature and
// should evaluate as undefined, so it cannot match.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Carmel group LLC" and
// Serial is matched exactly as a lowercase colon-separated hex string.
pe.signatures[i].serial == "13:79:43:71:c0:52:ec:05:59:e9:b4:92:ab:b2:5c:26" and
// Unix-epoch lower bound on not_after; the file header calls it informative only.
1599177600 <= pe.signatures[i].not_after
)
}
// Blocklist entry keyed on a PE signer certificate (subject text + serial).
// YARA compares certificate fields only and does not validate the chain or
// the file hash, so confirm a hit with a full signature verifier.
rule cert_blocklist_5c7e78f53c31d6aa5b45de14b47eb5c4 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read little-endian at offset 0.
uint16(0) == 0x5A4D and
// Inclusive range: the last index is one past the final signature and
// should evaluate as undefined, so it cannot match.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Cubic Information Systems, UAB" and
// Serial is matched exactly as a lowercase colon-separated hex string.
pe.signatures[i].serial == "5c:7e:78:f5:3c:31:d6:aa:5b:45:de:14:b4:7e:b5:c4" and
// Unix-epoch lower bound on not_after; the file header calls it informative only.
1579824000 <= pe.signatures[i].not_after
)
}
// Blocklist entry keyed on a PE signer certificate (subject text + serial).
// YARA compares certificate fields only and does not validate the chain or
// the file hash, so confirm a hit with a full signature verifier.
rule cert_blocklist_dadf44e4046372313ee97b8e394c4079 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read little-endian at offset 0.
uint16(0) == 0x5A4D and
// Inclusive range: the last index is one past the final signature and
// should evaluate as undefined, so it cannot match.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Digital Capital Management Ireland Limited" and (
// Same serial in two renderings, with and without a leading 00 byte.
pe.signatures[i].serial == "00:da:df:44:e4:04:63:72:31:3e:e9:7b:8e:39:4c:40:79" or
pe.signatures[i].serial == "da:df:44:e4:04:63:72:31:3e:e9:7b:8e:39:4c:40:79"
) and
// Unix-epoch lower bound on not_after; the file header calls it informative only.
1600244736 <= pe.signatures[i].not_after
)
}
// Blocklist entry keyed on a PE signer certificate (subject text + serial).
// YARA compares certificate fields only and does not validate the chain or
// the file hash, so confirm a hit with a full signature verifier.
rule cert_blocklist_f8c2e08438bb0e9adc955e4b493e5821 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read little-endian at offset 0.
uint16(0) == 0x5A4D and
// Inclusive range: the last index is one past the final signature and
// should evaluate as undefined, so it cannot match.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "DocsGen Software Solutions Inc." and (
// Same serial in two renderings, with and without a leading 00 byte.
pe.signatures[i].serial == "00:f8:c2:e0:84:38:bb:0e:9a:dc:95:5e:4b:49:3e:58:21" or
pe.signatures[i].serial == "f8:c2:e0:84:38:bb:0e:9a:dc:95:5e:4b:49:3e:58:21"
) and
// Unix-epoch lower bound on not_after; the file header calls it informative only.
1599523200 <= pe.signatures[i].not_after
)
}
// Blocklist entry keyed on a PE signer certificate (subject text + serial).
// YARA compares certificate fields only and does not validate the chain or
// the file hash, so confirm a hit with a full signature verifier.
rule cert_blocklist_70e1ebd170db8102d8c28e58392e5632 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read little-endian at offset 0.
uint16(0) == 0x5A4D and
// Inclusive range: the last index is one past the final signature and
// should evaluate as undefined, so it cannot match.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Equal Cash Technologies Limited" and
// Serial is matched exactly as a lowercase colon-separated hex string.
pe.signatures[i].serial == "70:e1:eb:d1:70:db:81:02:d8:c2:8e:58:39:2e:56:32" and
// Unix-epoch lower bound on not_after; the file header calls it informative only.
1599264000 <= pe.signatures[i].not_after
)
}
// Blocklist entry keyed on a PE signer certificate (subject text + serial).
// YARA compares certificate fields only and does not validate the chain or
// the file hash, so confirm a hit with a full signature verifier.
rule cert_blocklist_09c89de6f64a7fdf657e69353c5fdd44 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read little-endian at offset 0.
uint16(0) == 0x5A4D and
// Inclusive range: the last index is one past the final signature and
// should evaluate as undefined, so it cannot match.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "EXON RENTAL SP Z O O" and
// Serial is matched exactly as a lowercase colon-separated hex string.
pe.signatures[i].serial == "09:c8:9d:e6:f6:4a:7f:df:65:7e:69:35:3c:5f:dd:44" and
// Unix-epoch lower bound on not_after; the file header calls it informative only.
1601337601 <= pe.signatures[i].not_after
)
}
// Blocklist entry keyed on a PE signer certificate (subject text + serial).
// YARA compares certificate fields only and does not validate the chain or
// the file hash, so confirm a hit with a full signature verifier.
rule cert_blocklist_ffff2ce862378b26440df49ca9175b70 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read little-endian at offset 0.
uint16(0) == 0x5A4D and
// Inclusive range: the last index is one past the final signature and
// should evaluate as undefined, so it cannot match.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "F & A.TIM d.o.o." and (
// Same serial in two renderings, with and without a leading 00 byte.
pe.signatures[i].serial == "00:ff:ff:2c:e8:62:37:8b:26:44:0d:f4:9c:a9:17:5b:70" or
pe.signatures[i].serial == "ff:ff:2c:e8:62:37:8b:26:44:0d:f4:9c:a9:17:5b:70"
) and
// Unix-epoch lower bound on not_after; the file header calls it informative only.
1576195200 <= pe.signatures[i].not_after
)
}
// Blocklist entry keyed on a PE signer certificate (subject text + serial).
// YARA compares certificate fields only and does not validate the chain or
// the file hash, so confirm a hit with a full signature verifier.
rule cert_blocklist_3223b4616c2687c04865bee8321726a8 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read little-endian at offset 0.
uint16(0) == 0x5A4D and
// Inclusive range: the last index is one past the final signature and
// should evaluate as undefined, so it cannot match.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "FORTUNE STAR TRADING, INC." and
// Serial is matched exactly as a lowercase colon-separated hex string.
pe.signatures[i].serial == "32:23:b4:61:6c:26:87:c0:48:65:be:e8:32:17:26:a8" and
// Unix-epoch lower bound on not_after; the file header calls it informative only.
1601337600 <= pe.signatures[i].not_after
)
}
// Blocklist entry keyed on a PE signer certificate (subject text + serial).
// YARA compares certificate fields only and does not validate the chain or
// the file hash, so confirm a hit with a full signature verifier.
rule cert_blocklist_7709d2df39e9a4f7db2f3cbc29b49743 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read little-endian at offset 0.
uint16(0) == 0x5A4D and
// Inclusive range: the last index is one past the final signature and
// should evaluate as undefined, so it cannot match.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Grina LLC" and
// Serial is matched exactly as a lowercase colon-separated hex string.
pe.signatures[i].serial == "77:09:d2:df:39:e9:a4:f7:db:2f:3c:bc:29:b4:97:43" and
// Unix-epoch lower bound on not_after; the file header calls it informative only.
1556353331 <= pe.signatures[i].not_after
)
}
// Blocklist entry keyed on a PE signer certificate (subject text + serial).
// YARA compares certificate fields only and does not validate the chain or
// the file hash, so confirm a hit with a full signature verifier.
rule cert_blocklist_e29690e14518874d2dcf00234ae94f1f {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read little-endian at offset 0.
uint16(0) == 0x5A4D and
// Inclusive range: the last index is one past the final signature and
// should evaluate as undefined, so it cannot match.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "GRIND & TAMP ENTERPRISES PTY LTD" and (
// Same serial in two renderings, with and without a leading 00 byte.
pe.signatures[i].serial == "00:e2:96:90:e1:45:18:87:4d:2d:cf:00:23:4a:e9:4f:1f" or
pe.signatures[i].serial == "e2:96:90:e1:45:18:87:4d:2d:cf:00:23:4a:e9:4f:1f"
) and
// Unix-epoch lower bound on not_after; the file header calls it informative only.
1570838400 <= pe.signatures[i].not_after
)
}
// Blocklist entry keyed on a PE signer certificate (subject text + serial).
// YARA compares certificate fields only and does not validate the chain or
// the file hash, so confirm a hit with a full signature verifier.
rule cert_blocklist_cfac705c7e6845904f99995324f7562c {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read little-endian at offset 0.
uint16(0) == 0x5A4D and
// Inclusive range: the last index is one past the final signature and
// should evaluate as undefined, so it cannot match.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "HMWOCFPSDLAFMFZIVD" and (
// Two different serials are accepted for this subject; the second is not
// a 00-prefixed rendering of the first. Only the first is in the rule name.
pe.signatures[i].serial == "cf:ac:70:5c:7e:68:45:90:4f:99:99:53:24:f7:56:2c" or
pe.signatures[i].serial == "30:53:8f:a3:81:97:ba:6f:b0:66:66:ac:db:08:a9:d4"
) and
// Unix-epoch lower bound on not_after; the file header calls it informative only.
1601918720 <= pe.signatures[i].not_after
)
}
// Blocklist entry keyed on a PE signer certificate (subject text + serial).
// YARA compares certificate fields only and does not validate the chain or
// the file hash, so confirm a hit with a full signature verifier.
rule cert_blocklist_a7989f8be0c82d35a19e7b3dd4be30e5 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read little-endian at offset 0.
uint16(0) == 0x5A4D and
// Inclusive range: the last index is one past the final signature and
// should evaluate as undefined, so it cannot match.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Instamix Limited" and (
// Same serial in two renderings, with and without a leading 00 byte.
pe.signatures[i].serial == "00:a7:98:9f:8b:e0:c8:2d:35:a1:9e:7b:3d:d4:be:30:e5" or
pe.signatures[i].serial == "a7:98:9f:8b:e0:c8:2d:35:a1:9e:7b:3d:d4:be:30:e5"
) and
// Unix-epoch lower bound on not_after; the file header calls it informative only.
1598054400 <= pe.signatures[i].not_after
)
}
// Blocklist entry keyed on a PE signer certificate (subject text + serial).
// YARA compares certificate fields only and does not validate the chain or
// the file hash, so confirm a hit with a full signature verifier.
rule cert_blocklist_0fa13ae98e17ae23fcfe7ae873d0c120 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read little-endian at offset 0.
uint16(0) == 0x5A4D and
// Inclusive range: the last index is one past the final signature and
// should evaluate as undefined, so it cannot match.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "KLAKSON, LLC" and
// Serial is matched exactly as a lowercase colon-separated hex string.
pe.signatures[i].serial == "0f:a1:3a:e9:8e:17:ae:23:fc:fe:7a:e8:73:d0:c1:20" and
// Unix-epoch lower bound on not_after; the file header calls it informative only.
1597276801 <= pe.signatures[i].not_after
)
}
// Blocklist entry keyed on a PE signer certificate (subject text + serial).
// YARA compares certificate fields only and does not validate the chain or
// the file hash, so confirm a hit with a full signature verifier.
rule cert_blocklist_3696883055975d571199c6b5d48f3cd5 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read little-endian at offset 0.
uint16(0) == 0x5A4D and
// Inclusive range: the last index is one past the final signature and
// should evaluate as undefined, so it cannot match.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Korist Networks Incorporated" and
// Serial is matched exactly as a lowercase colon-separated hex string.
pe.signatures[i].serial == "36:96:88:30:55:97:5d:57:11:99:c6:b5:d4:8f:3c:d5" and
// Unix-epoch lower bound on not_after; the file header calls it informative only.
1600069289 <= pe.signatures[i].not_after
)
}
// Blocklist entry keyed on a PE signer certificate (subject text + serial).
// YARA compares certificate fields only and does not validate the chain or
// the file hash, so confirm a hit with a full signature verifier.
rule cert_blocklist_ee678930d5bdfaa2ab0172fa4c10ae07 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read little-endian at offset 0.
uint16(0) == 0x5A4D and
// Inclusive range: the last index is one past the final signature and
// should evaluate as undefined, so it cannot match.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "LEX CORPORATION PTY LTD" and (
// Same serial in two renderings, with and without a leading 00 byte.
pe.signatures[i].serial == "00:ee:67:89:30:d5:bd:fa:a2:ab:01:72:fa:4c:10:ae:07" or
pe.signatures[i].serial == "ee:67:89:30:d5:bd:fa:a2:ab:01:72:fa:4c:10:ae:07"
) and
// Unix-epoch lower bound on not_after; the file header calls it informative only.
1571011200 <= pe.signatures[i].not_after
)
}
// Blocklist entry keyed on a PE signer certificate (subject text + serial).
// YARA compares certificate fields only and does not validate the chain or
// the file hash, so confirm a hit with a full signature verifier.
rule cert_blocklist_d7c432e8d4edef515bfb9d1c214ff0f5 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read little-endian at offset 0.
uint16(0) == 0x5A4D and
// Inclusive range: the last index is one past the final signature and
// should evaluate as undefined, so it cannot match.
for any i in (0..pe.number_of_signatures): (
// The backslash-escaped double quotes are part of the subject text itself.
pe.signatures[i].subject contains "LLC \"MILKY PUT\"" and (
// Same serial in two renderings, with and without a leading 00 byte.
pe.signatures[i].serial == "00:d7:c4:32:e8:d4:ed:ef:51:5b:fb:9d:1c:21:4f:f0:f5" or
pe.signatures[i].serial == "d7:c4:32:e8:d4:ed:ef:51:5b:fb:9d:1c:21:4f:f0:f5"
) and
// Unix-epoch lower bound on not_after; the file header calls it informative only.
1601596800 <= pe.signatures[i].not_after
)
}
// Blocklist entry keyed on a PE signer certificate (subject text + serial).
// YARA compares certificate fields only and does not validate the chain or
// the file hash, so confirm a hit with a full signature verifier.
rule cert_blocklist_5b440a47e8ce3dd202271e5c7a666c78 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read little-endian at offset 0.
uint16(0) == 0x5A4D and
// Inclusive range: the last index is one past the final signature and
// should evaluate as undefined, so it cannot match.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Master Networking s.r.o." and
// Serial is matched exactly as a lowercase colon-separated hex string.
pe.signatures[i].serial == "5b:44:0a:47:e8:ce:3d:d2:02:27:1e:5c:7a:66:6c:78" and
// Unix-epoch lower bound on not_after; the file header calls it informative only.
1601895571 <= pe.signatures[i].not_after
)
}
// Blocklist entry keyed on a PE signer certificate (subject text + serial).
// YARA compares certificate fields only and does not validate the chain or
// the file hash, so confirm a hit with a full signature verifier.
rule cert_blocklist_b82c6553b2186c219797621aaa233edb {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read little-endian at offset 0.
uint16(0) == 0x5A4D and
// Inclusive range: the last index is one past the final signature and
// should evaluate as undefined, so it cannot match.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "MC Commerce SP Z o o" and (
// Same serial in two renderings, with and without a leading 00 byte.
pe.signatures[i].serial == "00:b8:2c:65:53:b2:18:6c:21:97:97:62:1a:aa:23:3e:db" or
pe.signatures[i].serial == "b8:2c:65:53:b2:18:6c:21:97:97:62:1a:aa:23:3e:db"
) and
// Unix-epoch lower bound on not_after; the file header calls it informative only.
1585785600 <= pe.signatures[i].not_after
)
}
// Blocklist entry keyed on a PE signer certificate (subject text + serial).
// YARA compares certificate fields only and does not validate the chain or
// the file hash, so confirm a hit with a full signature verifier.
rule cert_blocklist_f360f7ad0ed065fec0b44f98e04481a0 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read little-endian at offset 0.
uint16(0) == 0x5A4D and
// Inclusive range: the last index is one past the final signature and
// should evaluate as undefined, so it cannot match.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "MEHANIKUM OOO" and (
// Same serial in two renderings, with and without a leading 00 byte.
pe.signatures[i].serial == "00:f3:60:f7:ad:0e:d0:65:fe:c0:b4:4f:98:e0:44:81:a0" or
pe.signatures[i].serial == "f3:60:f7:ad:0e:d0:65:fe:c0:b4:4f:98:e0:44:81:a0"
) and
// Unix-epoch lower bound on not_after; the file header calls it informative only.
1599031121 <= pe.signatures[i].not_after
)
}
// Blocklist entry keyed on a PE signer certificate (subject text + serial).
// YARA compares certificate fields only and does not validate the chain or
// the file hash, so confirm a hit with a full signature verifier.
rule cert_blocklist_fe41941464b9992a69b7317418ae8eb7 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read little-endian at offset 0.
uint16(0) == 0x5A4D and
// Inclusive range: the last index is one past the final signature and
// should evaluate as undefined, so it cannot match.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Milsean Software Limited" and (
// Same serial in two renderings, with and without a leading 00 byte.
pe.signatures[i].serial == "00:fe:41:94:14:64:b9:99:2a:69:b7:31:74:18:ae:8e:b7" or
pe.signatures[i].serial == "fe:41:94:14:64:b9:99:2a:69:b7:31:74:18:ae:8e:b7"
) and
// Unix-epoch lower bound on not_after; the file header calls it informative only.
1599523200 <= pe.signatures[i].not_after
)
}
// Blocklist entry keyed on a PE signer certificate (subject text + serial).
// YARA compares certificate fields only and does not validate the chain or
// the file hash, so confirm a hit with a full signature verifier.
rule cert_blocklist_0c14b611a44a1bae0e8c7581651845b6 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read little-endian at offset 0.
uint16(0) == 0x5A4D and
// Inclusive range: the last index is one past the final signature and
// should evaluate as undefined, so it cannot match.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "NEEDCODE SP Z O O" and
// Serial is matched exactly as a lowercase colon-separated hex string.
pe.signatures[i].serial == "0c:14:b6:11:a4:4a:1b:ae:0e:8c:75:81:65:18:45:b6" and
// Unix-epoch lower bound on not_after; the file header calls it informative only.
1600300801 <= pe.signatures[i].not_after
)
}
// Blocklist entry keyed on a PE signer certificate (subject text + serial).
// YARA compares certificate fields only and does not validate the chain or
// the file hash, so confirm a hit with a full signature verifier.
rule cert_blocklist_690910dc89d7857c3500fb74bed2b08d {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read little-endian at offset 0.
uint16(0) == 0x5A4D and
// Inclusive range: the last index is one past the final signature and
// should evaluate as undefined, so it cannot match.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "OLIMP STROI, OOO" and
// Serial is matched exactly as a lowercase colon-separated hex string.
pe.signatures[i].serial == "69:09:10:dc:89:d7:85:7c:35:00:fb:74:be:d2:b0:8d" and
// Unix-epoch lower bound on not_after; the file header calls it informative only.
1597276800 <= pe.signatures[i].not_after
)
}
// Blocklist entry keyed on a PE signer certificate (subject text + serial).
// YARA compares certificate fields only and does not validate the chain or
// the file hash, so confirm a hit with a full signature verifier.
rule cert_blocklist_fd41e6bd7428d3008c8a05f68c9ac6f2 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read little-endian at offset 0.
uint16(0) == 0x5A4D and
// Inclusive range: the last index is one past the final signature and
// should evaluate as undefined, so it cannot match.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "OM-FAS d.o.o." and (
// Same serial in two renderings, with and without a leading 00 byte.
pe.signatures[i].serial == "00:fd:41:e6:bd:74:28:d3:00:8c:8a:05:f6:8c:9a:c6:f2" or
pe.signatures[i].serial == "fd:41:e6:bd:74:28:d3:00:8c:8a:05:f6:8c:9a:c6:f2"
) and
// Unix-epoch lower bound on not_after; the file header calls it informative only.
1575590400 <= pe.signatures[i].not_after
)
}
// Blocklist entry keyed on a PE signer certificate (subject text + serial).
// YARA compares certificate fields only and does not validate the chain or
// the file hash, so confirm a hit with a full signature verifier.
rule cert_blocklist_c7079866c0e48b01246ba0c148e70d4d {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read little-endian at offset 0.
uint16(0) == 0x5A4D and
// Inclusive range: the last index is one past the final signature and
// should evaluate as undefined, so it cannot match.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "OOO GARANT" and (
// Same serial in two renderings, with and without a leading 00 byte.
pe.signatures[i].serial == "00:c7:07:98:66:c0:e4:8b:01:24:6b:a0:c1:48:e7:0d:4d" or
pe.signatures[i].serial == "c7:07:98:66:c0:e4:8b:01:24:6b:a0:c1:48:e7:0d:4d"
) and
// Unix-epoch lower bound on not_after; the file header calls it informative only.
1588679105 <= pe.signatures[i].not_after
)
}
// Blocklist entry keyed on a PE signer certificate (subject text + serial).
// YARA compares certificate fields only and does not validate the chain or
// the file hash, so confirm a hit with a full signature verifier.
rule cert_blocklist_d591da22f33c800a7024aecff2cd6c6d {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read little-endian at offset 0.
uint16(0) == 0x5A4D and
// Inclusive range: the last index is one past the final signature and
// should evaluate as undefined, so it cannot match.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "OOO T2 Soft" and (
// Same serial in two renderings, with and without a leading 00 byte.
pe.signatures[i].serial == "00:d5:91:da:22:f3:3c:80:0a:70:24:ae:cf:f2:cd:6c:6d" or
pe.signatures[i].serial == "d5:91:da:22:f3:3c:80:0a:70:24:ae:cf:f2:cd:6c:6d"
) and
// Unix-epoch lower bound on not_after; the file header calls it informative only.
1588679107 <= pe.signatures[i].not_after
)
}
// Blocklist entry keyed on a PE signer certificate (subject text + serial).
// YARA compares certificate fields only and does not validate the chain or
// the file hash, so confirm a hit with a full signature verifier.
rule cert_blocklist_b36e0f2053caee9c3b966f7be0b40fc3 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read little-endian at offset 0.
uint16(0) == 0x5A4D and
// Inclusive range: the last index is one past the final signature and
// should evaluate as undefined, so it cannot match.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "PARTS-JEST d.o.o." and (
// Same serial in two renderings, with and without a leading 00 byte.
pe.signatures[i].serial == "00:b3:6e:0f:20:53:ca:ee:9c:3b:96:6f:7b:e0:b4:0f:c3" or
pe.signatures[i].serial == "b3:6e:0f:20:53:ca:ee:9c:3b:96:6f:7b:e0:b4:0f:c3"
) and
// Unix-epoch lower bound on not_after; the file header calls it informative only.
1600172855 <= pe.signatures[i].not_after
)
}
// Blocklist entry keyed on a PE signer certificate (subject text + serial).
// YARA compares certificate fields only and does not validate the chain or
// the file hash, so confirm a hit with a full signature verifier.
rule cert_blocklist_5b320a2f46c99c1ba1357bee {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read little-endian at offset 0.
uint16(0) == 0x5A4D and
// Inclusive range: the last index is one past the final signature and
// should evaluate as undefined, so it cannot match.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "REGION TOURISM LLC" and
// This serial is 12 bytes long; it is matched exactly as a lowercase
// colon-separated hex string.
pe.signatures[i].serial == "5b:32:0a:2f:46:c9:9c:1b:a1:35:7b:ee" and
// Unix-epoch lower bound on not_after; the file header calls it informative only.
1602513116 <= pe.signatures[i].not_after
)
}
// Blocklist entry keyed on a PE signer certificate (subject text + serial).
// YARA compares certificate fields only and does not validate the chain or
// the file hash, so confirm a hit with a full signature verifier.
rule cert_blocklist_08d4352185317271c1cec9d05c279af7 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read little-endian at offset 0.
uint16(0) == 0x5A4D and
// Inclusive range: the last index is one past the final signature and
// should evaluate as undefined, so it cannot match.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Retalit LLC" and
// Serial is matched exactly as a lowercase colon-separated hex string.
pe.signatures[i].serial == "08:d4:35:21:85:31:72:71:c1:ce:c9:d0:5c:27:9a:f7" and
// Unix-epoch lower bound on not_after; the file header calls it informative only.
1596585601 <= pe.signatures[i].not_after
)
}
// Blocklist entry keyed on a PE signer certificate (subject text + serial).
// YARA compares certificate fields only and does not validate the chain or
// the file hash, so confirm a hit with a full signature verifier.
rule cert_blocklist_b514e4c5309ef9f27add05bedd4339a0 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read little-endian at offset 0.
uint16(0) == 0x5A4D and
// Inclusive range: the last index is one past the final signature and
// should evaluate as undefined, so it cannot match.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "SCABONE PTY LTD" and (
// Same serial in two renderings, with and without a leading 00 byte.
pe.signatures[i].serial == "00:b5:14:e4:c5:30:9e:f9:f2:7a:dd:05:be:dd:43:39:a0" or
pe.signatures[i].serial == "b5:14:e4:c5:30:9e:f9:f2:7a:dd:05:be:dd:43:39:a0"
) and
// Unix-epoch lower bound on not_after; the file header calls it informative only.
1572566400 <= pe.signatures[i].not_after
)
}
// Blocklist entry keyed on a PE signer certificate (subject text + serial).
// YARA compares certificate fields only and does not validate the chain or
// the file hash, so confirm a hit with a full signature verifier.
rule cert_blocklist_13c7b92282aae782bfb00baf879935f4 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read little-endian at offset 0.
uint16(0) == 0x5A4D and
// Inclusive range: the last index is one past the final signature and
// should evaluate as undefined, so it cannot match.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "THE WIZARD GIFT CORPORATION" and
// Serial is matched exactly as a lowercase colon-separated hex string.
pe.signatures[i].serial == "13:c7:b9:22:82:aa:e7:82:bf:b0:0b:af:87:99:35:f4" and
// Unix-epoch lower bound on not_after; the file header calls it informative only.
1603130510 <= pe.signatures[i].not_after
)
}
// INFO-category blocklist entry: matches a PE file carrying a signature whose
// subject contains "THREE D CORPORATION PTY LTD" and whose serial is listed below. Issuer and
// chain validity are not tested by this condition; verify the signature separately.
rule cert_blocklist_d627f1000d12485995514bfbdefc55d9 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// File must begin with the "MZ" magic.
uint16(0) == 0x5A4D and
// Inclusive range also tries index number_of_signatures; that slot is undefined and cannot match.
for any i in (0..pe.number_of_signatures): (
// Same serial accepted with and without a leading 00 byte (presumably two renderings of one value - confirm).
pe.signatures[i].subject contains "THREE D CORPORATION PTY LTD" and (
pe.signatures[i].serial == "00:d6:27:f1:00:0d:12:48:59:95:51:4b:fb:de:fc:55:d9" or
pe.signatures[i].serial == "d6:27:f1:00:0d:12:48:59:95:51:4b:fb:de:fc:55:d9"
) and
// Certificate expiry (not_after) must be at or after this Unix timestamp.
1597622400 <= pe.signatures[i].not_after
)
}
// INFO-category blocklist entry: matches a PE file carrying a signature whose
// subject contains "Tramplink LLC" and whose serial is listed below. Issuer and
// chain validity are not tested by this condition; verify the signature separately.
rule cert_blocklist_5fb6bae8834edd8d3d58818edc86d7d7 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// File must begin with the "MZ" magic.
uint16(0) == 0x5A4D and
// Inclusive range also tries index number_of_signatures; that slot is undefined and cannot match.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Tramplink LLC" and
pe.signatures[i].serial == "5f:b6:ba:e8:83:4e:dd:8d:3d:58:81:8e:dc:86:d7:d7" and
// Certificate expiry (not_after) must be at or after this Unix timestamp.
1600781989 <= pe.signatures[i].not_after
)
}
// INFO-category blocklist entry: matches a PE file carrying a signature whose
// subject contains "VESNA, OOO" and whose serial is listed below. Issuer and
// chain validity are not tested by this condition; verify the signature separately.
rule cert_blocklist_e5ad42c509a7c24605530d35832c091e {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// File must begin with the "MZ" magic.
uint16(0) == 0x5A4D and
// Inclusive range also tries index number_of_signatures; that slot is undefined and cannot match.
for any i in (0..pe.number_of_signatures): (
// Same serial accepted with and without a leading 00 byte (presumably two renderings of one value - confirm).
pe.signatures[i].subject contains "VESNA, OOO" and (
pe.signatures[i].serial == "00:e5:ad:42:c5:09:a7:c2:46:05:53:0d:35:83:2c:09:1e" or
pe.signatures[i].serial == "e5:ad:42:c5:09:a7:c2:46:05:53:0d:35:83:2c:09:1e"
) and
// Certificate expiry (not_after) must be at or after this Unix timestamp.
1600786458 <= pe.signatures[i].not_after
)
}
// INFO-category blocklist entry: matches a PE file carrying a signature whose
// subject contains "WORK PLACEMENTS INTERNATIONAL LIMITED" and whose serial is listed
// below. Issuer and chain validity are not tested by this condition; verify the
// signature separately.
rule cert_blocklist_8e3d89c682f7c0dad70110cb7b7c8263 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// File must begin with the "MZ" magic.
uint16(0) == 0x5A4D and
// Inclusive range also tries index number_of_signatures; that slot is undefined and cannot match.
for any i in (0..pe.number_of_signatures): (
// Same serial accepted with and without a leading 00 byte (presumably two renderings of one value - confirm).
pe.signatures[i].subject contains "WORK PLACEMENTS INTERNATIONAL LIMITED" and (
pe.signatures[i].serial == "00:8e:3d:89:c6:82:f7:c0:da:d7:01:10:cb:7b:7c:82:63" or
pe.signatures[i].serial == "8e:3d:89:c6:82:f7:c0:da:d7:01:10:cb:7b:7c:82:63"
) and
// Certificate expiry (not_after) must be at or after this Unix timestamp.
1570626662 <= pe.signatures[i].not_after
)
}
// INFO-category blocklist entry: matches a PE file carrying a signature whose
// subject contains "Workstage Limited" and whose serial is listed below. Issuer and
// chain validity are not tested by this condition; verify the signature separately.
rule cert_blocklist_ef2d35f2ae82a767a16be582ab0d1ba0 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// File must begin with the "MZ" magic.
uint16(0) == 0x5A4D and
// Inclusive range also tries index number_of_signatures; that slot is undefined and cannot match.
for any i in (0..pe.number_of_signatures): (
// Same serial accepted with and without a leading 00 byte (presumably two renderings of one value - confirm).
pe.signatures[i].subject contains "Workstage Limited" and (
pe.signatures[i].serial == "00:ef:2d:35:f2:ae:82:a7:67:a1:6b:e5:82:ab:0d:1b:a0" or
pe.signatures[i].serial == "ef:2d:35:f2:ae:82:a7:67:a1:6b:e5:82:ab:0d:1b:a0"
) and
// Certificate expiry (not_after) must be at or after this Unix timestamp.
1567123200 <= pe.signatures[i].not_after
)
}
// INFO-category blocklist entry: matches a PE file carrying a signature whose
// subject contains "CHOO FSP, LLC" and whose serial is listed below. Issuer and
// chain validity are not tested by this condition; verify the signature separately.
rule cert_blocklist_039668034826df47e6207ec9daed57c3 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// File must begin with the "MZ" magic.
uint16(0) == 0x5A4D and
// Inclusive range also tries index number_of_signatures; that slot is undefined and cannot match.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "CHOO FSP, LLC" and
pe.signatures[i].serial == "03:96:68:03:48:26:df:47:e6:20:7e:c9:da:ed:57:c3" and
// Certificate expiry (not_after) must be at or after this Unix timestamp.
1601424001 <= pe.signatures[i].not_after
)
}
// INFO-category blocklist entry: matches a PE file carrying a signature whose
// subject contains "MADAS d.o.o." and whose serial is listed below. Issuer and
// chain validity are not tested by this condition; verify the signature separately.
rule cert_blocklist_07bb6a9d1c642c5973c16d5353b17ca4 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// File must begin with the "MZ" magic.
uint16(0) == 0x5A4D and
// Inclusive range also tries index number_of_signatures; that slot is undefined and cannot match.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "MADAS d.o.o." and
pe.signatures[i].serial == "07:bb:6a:9d:1c:64:2c:59:73:c1:6d:53:53:b1:7c:a4" and
// Certificate expiry (not_after) must be at or after this Unix timestamp.
1601856001 <= pe.signatures[i].not_after
)
}
// INFO-category blocklist entry: matches a PE file carrying a signature whose
// subject contains "K & D KOMPANI d.o.o." and whose serial is listed below. Issuer and
// chain validity are not tested by this condition; verify the signature separately.
rule cert_blocklist_0a1dc99e4d5264c45a5090f93242a30a {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// File must begin with the "MZ" magic.
uint16(0) == 0x5A4D and
// Inclusive range also tries index number_of_signatures; that slot is undefined and cannot match.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "K & D KOMPANI d.o.o." and
pe.signatures[i].serial == "0a:1d:c9:9e:4d:52:64:c4:5a:50:90:f9:32:42:a3:0a" and
// Certificate expiry (not_after) must be at or after this Unix timestamp.
1600905601 <= pe.signatures[i].not_after
)
}
// INFO-category blocklist entry: matches a PE file carrying a signature whose
// subject contains "FAT11 d.o.o." and whose serial is listed below. Issuer and
// chain validity are not tested by this condition; verify the signature separately.
rule cert_blocklist_018093cfad72cdf402eecbe18b33ec71 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// File must begin with the "MZ" magic.
uint16(0) == 0x5A4D and
// Inclusive range also tries index number_of_signatures; that slot is undefined and cannot match.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "FAT11 d.o.o." and
pe.signatures[i].serial == "01:80:93:cf:ad:72:cd:f4:02:ee:cb:e1:8b:33:ec:71" and
// Certificate expiry (not_after) must be at or after this Unix timestamp.
1602000390 <= pe.signatures[i].not_after
)
}
// INFO-category blocklist entry: matches a PE file carrying a signature whose
// subject contains "OORT inc." and whose serial is listed below. Issuer and
// chain validity are not tested by this condition; verify the signature separately.
rule cert_blocklist_569e03988af60d80ce60728940850d9b {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// File must begin with the "MZ" magic.
uint16(0) == 0x5A4D and
// Inclusive range also tries index number_of_signatures; that slot is undefined and cannot match.
for any i in (0..pe.number_of_signatures): (
// Same serial accepted with and without a leading 00 byte (presumably two renderings of one value - confirm).
pe.signatures[i].subject contains "OORT inc." and (
pe.signatures[i].serial == "00:56:9e:03:98:8a:f6:0d:80:ce:60:72:89:40:85:0d:9b" or
pe.signatures[i].serial == "56:9e:03:98:8a:f6:0d:80:ce:60:72:89:40:85:0d:9b"
) and
// Certificate expiry (not_after) must be at or after this Unix timestamp.
1601006510 <= pe.signatures[i].not_after
)
}
// INFO-category blocklist entry: matches a PE file carrying a signature whose
// subject contains "OORT inc." and whose serial is listed below. Issuer and
// chain validity are not tested by this condition; verify the signature separately.
rule cert_blocklist_418f6d959a8a0f82bef07ceba3603e52 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// File must begin with the "MZ" magic.
uint16(0) == 0x5A4D and
// Inclusive range also tries index number_of_signatures; that slot is undefined and cannot match.
for any i in (0..pe.number_of_signatures): (
// Same serial accepted with and without a leading 00 byte (presumably two renderings of one value - confirm).
pe.signatures[i].subject contains "OORT inc." and (
pe.signatures[i].serial == "00:41:8f:6d:95:9a:8a:0f:82:be:f0:7c:eb:a3:60:3e:52" or
pe.signatures[i].serial == "41:8f:6d:95:9a:8a:0f:82:be:f0:7c:eb:a3:60:3e:52"
) and
// Certificate expiry (not_after) must be at or after this Unix timestamp.
1601928240 <= pe.signatures[i].not_after
)
}
// INFO-category blocklist entry: matches a PE file carrying a signature whose
// subject contains "OORT inc." and whose serial is listed below. Issuer and
// chain validity are not tested by this condition; verify the signature separately.
rule cert_blocklist_5378c5bbeba0d3309a35bb47f63037f7 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// File must begin with the "MZ" magic.
uint16(0) == 0x5A4D and
// Inclusive range also tries index number_of_signatures; that slot is undefined and cannot match.
for any i in (0..pe.number_of_signatures): (
// Same serial accepted with and without a leading 00 byte (presumably two renderings of one value - confirm).
pe.signatures[i].subject contains "OORT inc." and (
pe.signatures[i].serial == "00:53:78:c5:bb:eb:a0:d3:30:9a:35:bb:47:f6:30:37:f7" or
pe.signatures[i].serial == "53:78:c5:bb:eb:a0:d3:30:9a:35:bb:47:f6:30:37:f7"
) and
// Certificate expiry (not_after) must be at or after this Unix timestamp.
1601427420 <= pe.signatures[i].not_after
)
}
// INFO-category blocklist entry: matches a PE file carrying a signature whose
// subject contains "NOSOV SP Z O O" and whose serial is listed below. Issuer and
// chain validity are not tested by this condition; verify the signature separately.
rule cert_blocklist_0bab6a2aa84b495d9e554a4c42c0126d {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// File must begin with the "MZ" magic.
uint16(0) == 0x5A4D and
// Inclusive range also tries index number_of_signatures; that slot is undefined and cannot match.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "NOSOV SP Z O O" and
pe.signatures[i].serial == "0b:ab:6a:2a:a8:4b:49:5d:9e:55:4a:4c:42:c0:12:6d" and
// Certificate expiry (not_after) must be at or after this Unix timestamp.
1597971600 <= pe.signatures[i].not_after
)
}
// INFO-category blocklist entry: matches a PE file carrying a signature whose
// subject contains "GIE-MUTUALISTE" and whose serial is listed below. Issuer and
// chain validity are not tested by this condition; verify the signature separately.
rule cert_blocklist_6314001c3235cd59bcc3f5278c518804 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// File must begin with the "MZ" magic.
uint16(0) == 0x5A4D and
// Inclusive range also tries index number_of_signatures; that slot is undefined and cannot match.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "GIE-MUTUALISTE" and
pe.signatures[i].serial == "63:14:00:1c:32:35:cd:59:bc:c3:f5:27:8c:51:88:04" and
// Certificate expiry (not_after) must be at or after this Unix timestamp.
1600304400 <= pe.signatures[i].not_after
)
}
// INFO-category blocklist entry: matches a PE file carrying a signature whose
// subject contains "Rumikon LLC" and whose serial is listed below. Issuer and
// chain validity are not tested by this condition; verify the signature separately.
rule cert_blocklist_0ed8ade5d73b73dade6943d557ff87e5 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// File must begin with the "MZ" magic.
uint16(0) == 0x5A4D and
// Inclusive range also tries index number_of_signatures; that slot is undefined and cannot match.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Rumikon LLC" and
pe.signatures[i].serial == "0e:d8:ad:e5:d7:3b:73:da:de:69:43:d5:57:ff:87:e5" and
// Certificate expiry (not_after) must be at or after this Unix timestamp.
1597885200 <= pe.signatures[i].not_after
)
}
// INFO-category blocklist entry: matches a PE file carrying a signature whose
// subject contains "TES LOGISTIKA d.o.o." and whose serial is listed below. Issuer and
// chain validity are not tested by this condition; verify the signature separately.
rule cert_blocklist_0292c7d574132ba5c0441d1c7ffcb805 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// File must begin with the "MZ" magic.
uint16(0) == 0x5A4D and
// Inclusive range also tries index number_of_signatures; that slot is undefined and cannot match.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "TES LOGISTIKA d.o.o." and
pe.signatures[i].serial == "02:92:c7:d5:74:13:2b:a5:c0:44:1d:1c:7f:fc:b8:05" and
// Certificate expiry (not_after) must be at or after this Unix timestamp.
1602183720 <= pe.signatures[i].not_after
)
}
// INFO-category blocklist entry: matches a PE file carrying a signature whose
// subject contains "OOO Ringen" and whose serial is listed below. Issuer and
// chain validity are not tested by this condition; verify the signature separately.
rule cert_blocklist_1f23f001458716d435cca1a55d660ec5 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// File must begin with the "MZ" magic.
uint16(0) == 0x5A4D and
// Inclusive range also tries index number_of_signatures; that slot is undefined and cannot match.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "OOO Ringen" and
pe.signatures[i].serial == "1f:23:f0:01:45:87:16:d4:35:cc:a1:a5:5d:66:0e:c5" and
// Certificate expiry (not_after) must be at or after this Unix timestamp.
1603176940 <= pe.signatures[i].not_after
)
}
// INFO-category blocklist entry: matches a PE file carrying a signature whose
// subject contains "TRAUMALAB INTERNATIONAL APS" and whose serial is listed below. Issuer and
// chain validity are not tested by this condition; verify the signature separately.
rule cert_blocklist_6e0ccbdfb4777e10ea6221b90dc350c2 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// File must begin with the "MZ" magic.
uint16(0) == 0x5A4D and
// Inclusive range also tries index number_of_signatures; that slot is undefined and cannot match.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "TRAUMALAB INTERNATIONAL APS" and
pe.signatures[i].serial == "6e:0c:cb:df:b4:77:7e:10:ea:62:21:b9:0d:c3:50:c2" and
// Certificate expiry (not_after) must be at or after this Unix timestamp.
1603046620 <= pe.signatures[i].not_after
)
}
// INFO-category blocklist entry: matches a PE file carrying a signature whose
// subject contains "SNAB-RESURS, OOO" and whose serial is listed below. Issuer and
// chain validity are not tested by this condition; verify the signature separately.
rule cert_blocklist_0ed1847a2ae5d71def1e833fddd33d38 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// File must begin with the "MZ" magic.
uint16(0) == 0x5A4D and
// Inclusive range also tries index number_of_signatures; that slot is undefined and cannot match.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "SNAB-RESURS, OOO" and
pe.signatures[i].serial == "0e:d1:84:7a:2a:e5:d7:1d:ef:1e:83:3f:dd:d3:3d:38" and
// Certificate expiry (not_after) must be at or after this Unix timestamp.
1598662800 <= pe.signatures[i].not_after
)
}
// INFO-category blocklist entry: matches a PE file carrying a signature whose
// subject contains "Information Civilized System Oy" and whose serial is listed below.
// Issuer and chain validity are not tested by this condition; verify the signature
// separately.
rule cert_blocklist_97df46acb26b7c81a13cc467b47688c8 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// File must begin with the "MZ" magic.
uint16(0) == 0x5A4D and
// Inclusive range also tries index number_of_signatures; that slot is undefined and cannot match.
for any i in (0..pe.number_of_signatures): (
// Same serial accepted with and without a leading 00 byte (presumably two renderings of one value - confirm).
pe.signatures[i].subject contains "Information Civilized System Oy" and (
pe.signatures[i].serial == "00:97:df:46:ac:b2:6b:7c:81:a1:3c:c4:67:b4:76:88:c8" or
pe.signatures[i].serial == "97:df:46:ac:b2:6b:7c:81:a1:3c:c4:67:b4:76:88:c8"
) and
// Certificate expiry (not_after) must be at or after this Unix timestamp.
1602636910 <= pe.signatures[i].not_after
)
}
// INFO-category blocklist entry: matches a PE file carrying a signature whose
// subject contains "Hairis LLC" and whose serial is listed below. Issuer and
// chain validity are not tested by this condition; verify the signature separately.
rule cert_blocklist_186d49fac34ce99775b8e7ffbf50679d {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// File must begin with the "MZ" magic.
uint16(0) == 0x5A4D and
// Inclusive range also tries index number_of_signatures; that slot is undefined and cannot match.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Hairis LLC" and
pe.signatures[i].serial == "18:6d:49:fa:c3:4c:e9:97:75:b8:e7:ff:bf:50:67:9d" and
// Certificate expiry (not_after) must be at or after this Unix timestamp.
1602234590 <= pe.signatures[i].not_after
)
}
// INFO-category blocklist entry: matches a PE file carrying a signature whose
// subject contains "Absolut LLC" and whose serial is listed below. Issuer and
// chain validity are not tested by this condition; verify the signature separately.
rule cert_blocklist_b1aea98bf0ce789b6c952310f14edde0 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// File must begin with the "MZ" magic.
uint16(0) == 0x5A4D and
// Inclusive range also tries index number_of_signatures; that slot is undefined and cannot match.
for any i in (0..pe.number_of_signatures): (
// Same serial accepted with and without a leading 00 byte (presumably two renderings of one value - confirm).
pe.signatures[i].subject contains "Absolut LLC" and (
pe.signatures[i].serial == "00:b1:ae:a9:8b:f0:ce:78:9b:6c:95:23:10:f1:4e:dd:e0" or
pe.signatures[i].serial == "b1:ae:a9:8b:f0:ce:78:9b:6c:95:23:10:f1:4e:dd:e0"
) and
// Certificate expiry (not_after) must be at or after this Unix timestamp.
1602612570 <= pe.signatures[i].not_after
)
}
// INFO-category blocklist entry: matches a PE file carrying a signature whose
// subject contains "VENTE DE TOUT" and whose serial is listed below. Issuer and
// chain validity are not tested by this condition; verify the signature separately.
rule cert_blocklist_2dcd0699da08915dde6d044cb474157c {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// File must begin with the "MZ" magic.
uint16(0) == 0x5A4D and
// Inclusive range also tries index number_of_signatures; that slot is undefined and cannot match.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "VENTE DE TOUT" and
pe.signatures[i].serial == "2d:cd:06:99:da:08:91:5d:de:6d:04:4c:b4:74:15:7c" and
// Certificate expiry (not_after) must be at or after this Unix timestamp.
1601830010 <= pe.signatures[i].not_after
)
}
// INFO-category blocklist entry: matches a PE file carrying a signature whose
// subject contains "RASSVET, OOO" and whose serial is listed below. Issuer and
// chain validity are not tested by this condition; verify the signature separately.
rule cert_blocklist_4b03cabe6a0481f17a2dbeb9aefad425 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// File must begin with the "MZ" magic.
uint16(0) == 0x5A4D and
// Inclusive range also tries index number_of_signatures; that slot is undefined and cannot match.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "RASSVET, OOO" and
pe.signatures[i].serial == "4b:03:ca:be:6a:04:81:f1:7a:2d:be:b9:ae:fa:d4:25" and
// Certificate expiry (not_after) must be at or after this Unix timestamp.
1603230930 <= pe.signatures[i].not_after
)
}
// INFO-category blocklist entry: matches a PE file carrying a signature whose
// subject contains "MAITLAND TRIFECTA, INC." and whose serial is listed below. Issuer and
// chain validity are not tested by this condition; verify the signature separately.
rule cert_blocklist_64cd303fa289790afa03c403e9240002 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// File must begin with the "MZ" magic.
uint16(0) == 0x5A4D and
// Inclusive range also tries index number_of_signatures; that slot is undefined and cannot match.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "MAITLAND TRIFECTA, INC." and
pe.signatures[i].serial == "64:cd:30:3f:a2:89:79:0a:fa:03:c4:03:e9:24:00:02" and
// Certificate expiry (not_after) must be at or after this Unix timestamp.
1602723600 <= pe.signatures[i].not_after
)
}
// INFO-category blocklist entry: matches a PE file carrying a signature whose
// subject contains "Fubon Technologies Ltd" and whose serial is listed below. Issuer and
// chain validity are not tested by this condition; verify the signature separately.
rule cert_blocklist_07cef66a71c35bc3aed6d100c6493863 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// File must begin with the "MZ" magic.
uint16(0) == 0x5A4D and
// Inclusive range also tries index number_of_signatures; that slot is undefined and cannot match.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Fubon Technologies Ltd" and
pe.signatures[i].serial == "07:ce:f6:6a:71:c3:5b:c3:ae:d6:d1:00:c6:49:38:63" and
// Certificate expiry (not_after) must be at or after this Unix timestamp.
1602740890 <= pe.signatures[i].not_after
)
}
// INFO-category blocklist entry: matches a PE file carrying a signature whose
// subject contains "Incar LLC" and whose serial is listed below. Issuer and
// chain validity are not tested by this condition; verify the signature separately.
rule cert_blocklist_be77fe5c58b7a360add6a3fced4e8334 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// File must begin with the "MZ" magic.
uint16(0) == 0x5A4D and
// Inclusive range also tries index number_of_signatures; that slot is undefined and cannot match.
for any i in (0..pe.number_of_signatures): (
// Same serial accepted with and without a leading 00 byte (presumably two renderings of one value - confirm).
pe.signatures[i].subject contains "Incar LLC" and (
pe.signatures[i].serial == "00:be:77:fe:5c:58:b7:a3:60:ad:d6:a3:fc:ed:4e:83:34" or
pe.signatures[i].serial == "be:77:fe:5c:58:b7:a3:60:ad:d6:a3:fc:ed:4e:83:34"
) and
// Certificate expiry (not_after) must be at or after this Unix timestamp.
1602530730 <= pe.signatures[i].not_after
)
}
// INFO-category blocklist entry: matches a PE file carrying a signature whose
// subject contains "ABEL RENOVATIONS, INC." and whose serial is listed below. Issuer and
// chain validity are not tested by this condition; verify the signature separately.
rule cert_blocklist_f097e59809ae2e771b7b9ae5fc3408d7 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// File must begin with the "MZ" magic.
uint16(0) == 0x5A4D and
// Inclusive range also tries index number_of_signatures; that slot is undefined and cannot match.
for any i in (0..pe.number_of_signatures): (
// Same serial accepted with and without a leading 00 byte (presumably two renderings of one value - confirm).
pe.signatures[i].subject contains "ABEL RENOVATIONS, INC." and (
pe.signatures[i].serial == "00:f0:97:e5:98:09:ae:2e:77:1b:7b:9a:e5:fc:34:08:d7" or
pe.signatures[i].serial == "f0:97:e5:98:09:ae:2e:77:1b:7b:9a:e5:fc:34:08:d7"
) and
// Certificate expiry (not_after) must be at or after this Unix timestamp.
1602542033 <= pe.signatures[i].not_after
)
}
// INFO-category blocklist entry: matches a PE file carrying a signature whose
// subject contains "LEVEL LIST SP Z O O" and whose serial is listed below. Issuer and
// chain validity are not tested by this condition; verify the signature separately.
rule cert_blocklist_0cf1ed2a6ff4bee621efdf725ea174b7 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// File must begin with the "MZ" magic.
uint16(0) == 0x5A4D and
// Inclusive range also tries index number_of_signatures; that slot is undefined and cannot match.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "LEVEL LIST SP Z O O" and
pe.signatures[i].serial == "0c:f1:ed:2a:6f:f4:be:e6:21:ef:df:72:5e:a1:74:b7" and
// Certificate expiry (not_after) must be at or after this Unix timestamp.
1603036100 <= pe.signatures[i].not_after
)
}
// INFO-category blocklist entry: matches a PE file carrying a signature whose
// subject contains "Umbrella LLC" and whose serial is listed below. Issuer and
// chain validity are not tested by this condition; verify the signature separately.
rule cert_blocklist_1249aa2ada4967969b71ce63bf187c38 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// File must begin with the "MZ" magic.
uint16(0) == 0x5A4D and
// Inclusive range also tries index number_of_signatures; that slot is undefined and cannot match.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Umbrella LLC" and
pe.signatures[i].serial == "12:49:aa:2a:da:49:67:96:9b:71:ce:63:bf:18:7c:38" and
// Certificate expiry (not_after) must be at or after this Unix timestamp.
1599181200 <= pe.signatures[i].not_after
)
}
// INFO-category blocklist entry: matches a PE file carrying a signature whose
// subject contains "Olymp LLC" and whose serial is listed below. Issuer and
// chain validity are not tested by this condition; verify the signature separately.
rule cert_blocklist_d59a05955a4a421500f9561ce983aac4 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// File must begin with the "MZ" magic.
uint16(0) == 0x5A4D and
// Inclusive range also tries index number_of_signatures; that slot is undefined and cannot match.
for any i in (0..pe.number_of_signatures): (
// Same serial accepted with and without a leading 00 byte (presumably two renderings of one value - confirm).
pe.signatures[i].subject contains "Olymp LLC" and (
pe.signatures[i].serial == "00:d5:9a:05:95:5a:4a:42:15:00:f9:56:1c:e9:83:aa:c4" or
pe.signatures[i].serial == "d5:9a:05:95:5a:4a:42:15:00:f9:56:1c:e9:83:aa:c4"
) and
// Certificate expiry (not_after) must be at or after this Unix timestamp.
1601895290 <= pe.signatures[i].not_after
)
}
// INFO-category blocklist entry: matches a PE file carrying a signature whose
// subject contains "Service lab LLC" and whose serial is listed below. Issuer and
// chain validity are not tested by this condition; verify the signature separately.
rule cert_blocklist_539015999e304a5952985a994f9c3a53 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// File must begin with the "MZ" magic.
uint16(0) == 0x5A4D and
// Inclusive range also tries index number_of_signatures; that slot is undefined and cannot match.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Service lab LLC" and
pe.signatures[i].serial == "53:90:15:99:9e:30:4a:59:52:98:5a:99:4f:9c:3a:53" and
// Certificate expiry (not_after) must be at or after this Unix timestamp.
1599181200 <= pe.signatures[i].not_after
)
}
// INFO-category blocklist entry: matches a PE file carrying a signature whose
// subject contains "Nordkod LLC" and whose serial is listed below. Issuer and
// chain validity are not tested by this condition; verify the signature separately.
rule cert_blocklist_0b1926a5e8ae50a0efa504f005f93869 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// File must begin with the "MZ" magic.
uint16(0) == 0x5A4D and
// Inclusive range also tries index number_of_signatures; that slot is undefined and cannot match.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Nordkod LLC" and
pe.signatures[i].serial == "0b:19:26:a5:e8:ae:50:a0:ef:a5:04:f0:05:f9:38:69" and
// Certificate expiry (not_after) must be at or after this Unix timestamp.
1600650000 <= pe.signatures[i].not_after
)
}
// INFO-category blocklist entry: matches a PE file carrying a signature whose
// subject contains "ARTBUD RADOM SP Z O O" and whose serial is listed below. Issuer and
// chain validity are not tested by this condition; verify the signature separately.
rule cert_blocklist_0a23b660e7322e54d7bd0e5acc890966 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// File must begin with the "MZ" magic.
uint16(0) == 0x5A4D and
// Inclusive range also tries index number_of_signatures; that slot is undefined and cannot match.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "ARTBUD RADOM SP Z O O" and
pe.signatures[i].serial == "0a:23:b6:60:e7:32:2e:54:d7:bd:0e:5a:cc:89:09:66" and
// Certificate expiry (not_after) must be at or after this Unix timestamp.
1601254800 <= pe.signatures[i].not_after
)
}
// INFO-category blocklist entry: matches a PE file carrying a signature whose
// subject contains "Elite Web Development Ltd." and whose serial is listed below. Issuer and
// chain validity are not tested by this condition; verify the signature separately.
rule cert_blocklist_6cfa5050c819c4acbb8fa75979688dff {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// File must begin with the "MZ" magic.
uint16(0) == 0x5A4D and
// Inclusive range also tries index number_of_signatures; that slot is undefined and cannot match.
for any i in (0..pe.number_of_signatures): (
// Same serial accepted with and without a leading 00 byte (presumably two renderings of one value - confirm).
pe.signatures[i].subject contains "Elite Web Development Ltd." and (
pe.signatures[i].serial == "00:6c:fa:50:50:c8:19:c4:ac:bb:8f:a7:59:79:68:8d:ff" or
pe.signatures[i].serial == "6c:fa:50:50:c8:19:c4:ac:bb:8f:a7:59:79:68:8d:ff"
) and
// Certificate expiry (not_after) must be at or after this Unix timestamp.
1600176940 <= pe.signatures[i].not_after
)
}
// INFO-category blocklist entry: matches a PE file carrying a signature whose
// subject contains "MUSTER PLUS SP Z O O" and whose serial is listed below. Issuer and
// chain validity are not tested by this condition; verify the signature separately.
rule cert_blocklist_044e05bb1a01a1cbb50cfb6cd24e5d6b {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// File must begin with the "MZ" magic.
uint16(0) == 0x5A4D and
// Inclusive range also tries index number_of_signatures; that slot is undefined and cannot match.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "MUSTER PLUS SP Z O O" and
pe.signatures[i].serial == "04:4e:05:bb:1a:01:a1:cb:b5:0c:fb:6c:d2:4e:5d:6b" and
// Certificate expiry (not_after) must be at or after this Unix timestamp.
1601427600 <= pe.signatures[i].not_after
)
}
// INFO-category blocklist entry: matches a PE file carrying a signature whose
// subject contains "ALEXIS SECURITY GROUP, LLC" and whose serial is listed below. Issuer and
// chain validity are not tested by this condition; verify the signature separately.
rule cert_blocklist_b7f19b13de9bee8a52ff365ced6f67fa {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// File must begin with the "MZ" magic.
uint16(0) == 0x5A4D and
// Inclusive range also tries index number_of_signatures; that slot is undefined and cannot match.
for any i in (0..pe.number_of_signatures): (
// Same serial accepted with and without a leading 00 byte (presumably two renderings of one value - confirm).
pe.signatures[i].subject contains "ALEXIS SECURITY GROUP, LLC" and (
pe.signatures[i].serial == "00:b7:f1:9b:13:de:9b:ee:8a:52:ff:36:5c:ed:6f:67:fa" or
pe.signatures[i].serial == "b7:f1:9b:13:de:9b:ee:8a:52:ff:36:5c:ed:6f:67:fa"
) and
// Certificate expiry (not_after) must be at or after this Unix timestamp.
1574914319 <= pe.signatures[i].not_after
)
}
// INFO-category blocklist entry: matches a PE file carrying a signature whose
// subject contains "APP DIVISION ApS" and whose serial is listed below. Issuer and
// chain validity are not tested by this condition; verify the signature separately.
rule cert_blocklist_b61b8e71514059adc604da05c283e514 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// File must begin with the "MZ" magic.
uint16(0) == 0x5A4D and
// Inclusive range also tries index number_of_signatures; that slot is undefined and cannot match.
for any i in (0..pe.number_of_signatures): (
// Same serial accepted with and without a leading 00 byte (presumably two renderings of one value - confirm).
pe.signatures[i].subject contains "APP DIVISION ApS" and (
pe.signatures[i].serial == "00:b6:1b:8e:71:51:40:59:ad:c6:04:da:05:c2:83:e5:14" or
pe.signatures[i].serial == "b6:1b:8e:71:51:40:59:ad:c6:04:da:05:c2:83:e5:14"
) and
// Certificate expiry (not_after) must be at or after this Unix timestamp.
1603328400 <= pe.signatures[i].not_after
)
}
// INFO-category blocklist entry: matches a PE file carrying a signature whose
// subject contains "THRANE AGENTUR ApS" and whose serial is listed below. Issuer and
// chain validity are not tested by this condition; verify the signature separately.
rule cert_blocklist_ece6cbf67dc41635a5e5d075f286af23 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// File must begin with the "MZ" magic.
uint16(0) == 0x5A4D and
// Inclusive range also tries index number_of_signatures; that slot is undefined and cannot match.
for any i in (0..pe.number_of_signatures): (
// Same serial accepted with and without a leading 00 byte (presumably two renderings of one value - confirm).
pe.signatures[i].subject contains "THRANE AGENTUR ApS" and (
pe.signatures[i].serial == "00:ec:e6:cb:f6:7d:c4:16:35:a5:e5:d0:75:f2:86:af:23" or
pe.signatures[i].serial == "ec:e6:cb:f6:7d:c4:16:35:a5:e5:d0:75:f2:86:af:23"
) and
// Certificate expiry (not_after) must be at or after this Unix timestamp.
1603369254 <= pe.signatures[i].not_after
)
}
// INFO-category blocklist entry: matches a PE file carrying a signature whose
// subject contains "Hillcoe Software Inc." and whose serial is listed below. Issuer and
// chain validity are not tested by this condition; verify the signature separately.
rule cert_blocklist_014a98d697b44f43ded21f18eb6ad0ba {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// File must begin with the "MZ" magic.
uint16(0) == 0x5A4D and
// Inclusive range also tries index number_of_signatures; that slot is undefined and cannot match.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Hillcoe Software Inc." and
pe.signatures[i].serial == "01:4a:98:d6:97:b4:4f:43:de:d2:1f:18:eb:6a:d0:ba" and
// Certificate expiry (not_after) must be at or after this Unix timestamp.
1605364760 <= pe.signatures[i].not_after
)
}
// INFO-category blocklist entry: matches a PE file carrying a signature whose
// subject contains "Smart Line Logistics" and whose serial is listed below. Issuer and
// chain validity are not tested by this condition; verify the signature separately.
rule cert_blocklist_063a7d09107eddd8aa1f733634c6591b {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// File must begin with the "MZ" magic.
uint16(0) == 0x5A4D and
// Inclusive range also tries index number_of_signatures; that slot is undefined and cannot match.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Smart Line Logistics" and
pe.signatures[i].serial == "06:3a:7d:09:10:7e:dd:d8:aa:1f:73:36:34:c6:59:1b" and
// Certificate expiry (not_after) must be at or after this Unix timestamp.
1605712706 <= pe.signatures[i].not_after
)
}
// INFO-category blocklist entry: matches a PE file carrying a signature whose
// subject contains "Insta Software Solution Inc." and whose serial is listed below. Issuer
// and chain validity are not tested by this condition; verify the signature separately.
rule cert_blocklist_1e74cfe7de8c5f57840a61034414ca9f {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// File must begin with the "MZ" magic.
uint16(0) == 0x5A4D and
// Inclusive range also tries index number_of_signatures; that slot is undefined and cannot match.
for any i in (0..pe.number_of_signatures): (
// Same serial accepted with and without a leading 00 byte (presumably two renderings of one value - confirm).
pe.signatures[i].subject contains "Insta Software Solution Inc." and (
pe.signatures[i].serial == "00:1e:74:cf:e7:de:8c:5f:57:84:0a:61:03:44:14:ca:9f" or
pe.signatures[i].serial == "1e:74:cf:e7:de:8c:5f:57:84:0a:61:03:44:14:ca:9f"
) and
// Certificate expiry (not_after) must be at or after this Unix timestamp.
1601733106 <= pe.signatures[i].not_after
)
}
// INFO-category blocklist entry: matches a PE file carrying a signature whose
// subject contains "Umbor LLC" and whose serial is listed below. Issuer and
// chain validity are not tested by this condition; verify the signature separately.
rule cert_blocklist_75cf729f8a740bbdef183a1c4d86a02f {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// File must begin with the "MZ" magic.
uint16(0) == 0x5A4D and
// Inclusive range also tries index number_of_signatures; that slot is undefined and cannot match.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Umbor LLC" and
pe.signatures[i].serial == "75:cf:72:9f:8a:74:0b:bd:ef:18:3a:1c:4d:86:a0:2f" and
// Certificate expiry (not_after) must be at or after this Unix timestamp.
1604223894 <= pe.signatures[i].not_after
)
}
// INFO-category blocklist entry: matches a PE file carrying a signature whose
// subject contains "ORGANICUP ApS" and whose serial is listed below. Issuer and
// chain validity are not tested by this condition; verify the signature separately.
rule cert_blocklist_2f64677254d3844efdac2922123d05d1 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// File must begin with the "MZ" magic.
uint16(0) == 0x5A4D and
// Inclusive range also tries index number_of_signatures; that slot is undefined and cannot match.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "ORGANICUP ApS" and
pe.signatures[i].serial == "2f:64:67:72:54:d3:84:4e:fd:ac:29:22:12:3d:05:d1" and
// Certificate expiry (not_after) must be at or after this Unix timestamp.
1605640092 <= pe.signatures[i].not_after
)
}
// INFO-category blocklist entry: matches a PE file carrying a signature whose
// subject contains "Foxstyle LLC" and whose serial is listed below. Issuer and
// chain validity are not tested by this condition; verify the signature separately.
rule cert_blocklist_32fbf8cfa43dca3f85efabe96dfefa49 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// File must begin with the "MZ" magic.
uint16(0) == 0x5A4D and
// Inclusive range also tries index number_of_signatures; that slot is undefined and cannot match.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Foxstyle LLC" and
pe.signatures[i].serial == "32:fb:f8:cf:a4:3d:ca:3f:85:ef:ab:e9:6d:fe:fa:49" and
// Certificate expiry (not_after) must be at or after this Unix timestamp.
1598255906 <= pe.signatures[i].not_after
)
}
// INFO-category blocklist entry: matches a PE file carrying a signature whose
// subject contains "Rubin LLC" and whose serial is listed below. Issuer and
// chain validity are not tested by this condition; verify the signature separately.
rule cert_blocklist_ef9d0cf071d463cd63d13083046a7b8d {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// File must begin with the "MZ" magic.
uint16(0) == 0x5A4D and
// Inclusive range also tries index number_of_signatures; that slot is undefined and cannot match.
for any i in (0..pe.number_of_signatures): (
// Same serial accepted with and without a leading 00 byte (presumably two renderings of one value - confirm).
pe.signatures[i].subject contains "Rubin LLC" and (
pe.signatures[i].serial == "00:ef:9d:0c:f0:71:d4:63:cd:63:d1:30:83:04:6a:7b:8d" or
pe.signatures[i].serial == "ef:9d:0c:f0:71:d4:63:cd:63:d1:30:83:04:6a:7b:8d"
) and
// Certificate expiry (not_after) must be at or after this Unix timestamp.
1605358307 <= pe.signatures[i].not_after
)
}
// INFO-category blocklist entry: matches a PE file carrying a signature whose
// subject contains "212 NY Gifts, Inc." and whose serial is listed below. Issuer and
// chain validity are not tested by this condition; verify the signature separately.
rule cert_blocklist_115cf1353a0e33e19099a4867a4c750a {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// File must begin with the "MZ" magic.
uint16(0) == 0x5A4D and
// Inclusive range also tries index number_of_signatures; that slot is undefined and cannot match.
for any i in (0..pe.number_of_signatures): (
// Same serial accepted with and without a leading 00 byte (presumably two renderings of one value - confirm).
pe.signatures[i].subject contains "212 NY Gifts, Inc." and (
pe.signatures[i].serial == "00:11:5c:f1:35:3a:0e:33:e1:90:99:a4:86:7a:4c:75:0a" or
pe.signatures[i].serial == "11:5c:f1:35:3a:0e:33:e1:90:99:a4:86:7a:4c:75:0a"
) and
// Certificate expiry (not_after) must be at or after this Unix timestamp.
1605515909 <= pe.signatures[i].not_after
)
}
// INFO-category blocklist entry: matches a PE file carrying a signature whose
// subject contains "SLOMATIC d.o.o." and whose serial is listed below. Issuer and
// chain validity are not tested by this condition; verify the signature separately.
rule cert_blocklist_5cf3778bb11115a884e192a7cb807599 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// File must begin with the "MZ" magic.
uint16(0) == 0x5A4D and
// Inclusive range also tries index number_of_signatures; that slot is undefined and cannot match.
for any i in (0..pe.number_of_signatures): (
// Same serial accepted with and without a leading 00 byte (presumably two renderings of one value - confirm).
pe.signatures[i].subject contains "SLOMATIC d.o.o." and (
pe.signatures[i].serial == "00:5c:f3:77:8b:b1:11:15:a8:84:e1:92:a7:cb:80:75:99" or
pe.signatures[i].serial == "5c:f3:77:8b:b1:11:15:a8:84:e1:92:a7:cb:80:75:99"
) and
// Certificate expiry (not_after) must be at or after this Unix timestamp.
1605006199 <= pe.signatures[i].not_after
)
}
// INFO-category blocklist entry: matches a PE file carrying a signature whose
// subject contains "Sportsonline24 B.V." and whose serial is listed below. Issuer and
// chain validity are not tested by this condition; verify the signature separately.
rule cert_blocklist_82cb93593b658100cdd7a00c874287f2 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// File must begin with the "MZ" magic.
uint16(0) == 0x5A4D and
// Inclusive range also tries index number_of_signatures; that slot is undefined and cannot match.
for any i in (0..pe.number_of_signatures): (
// Same serial accepted with and without a leading 00 byte (presumably two renderings of one value - confirm).
pe.signatures[i].subject contains "Sportsonline24 B.V." and (
pe.signatures[i].serial == "00:82:cb:93:59:3b:65:81:00:cd:d7:a0:0c:87:42:87:f2" or
pe.signatures[i].serial == "82:cb:93:59:3b:65:81:00:cd:d7:a0:0c:87:42:87:f2"
) and
// Certificate expiry (not_after) must be at or after this Unix timestamp.
1605117874 <= pe.signatures[i].not_after
)
}
// INFO-category blocklist entry: matches a PE file carrying a signature whose
// subject contains "AI Software a.s." and whose serial is listed below. Issuer and
// chain validity are not tested by this condition; verify the signature separately.
rule cert_blocklist_9a8bcfd05f86b15d0c99f50cf414bd00 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// File must begin with the "MZ" magic.
uint16(0) == 0x5A4D and
// Inclusive range also tries index number_of_signatures; that slot is undefined and cannot match.
for any i in (0..pe.number_of_signatures): (
// Same serial accepted with and without a leading 00 byte (presumably two renderings of one value - confirm).
pe.signatures[i].subject contains "AI Software a.s." and (
pe.signatures[i].serial == "00:9a:8b:cf:d0:5f:86:b1:5d:0c:99:f5:0c:f4:14:bd:00" or
pe.signatures[i].serial == "9a:8b:cf:d0:5f:86:b1:5d:0c:99:f5:0c:f4:14:bd:00"
) and
// Certificate expiry (not_after) must be at or after this Unix timestamp.
1592442000 <= pe.signatures[i].not_after
)
}
// INFO-category blocklist entry: matches a PE file carrying a signature whose
// subject contains "Kommservice LLC" and whose serial is listed below. Issuer and
// chain validity are not tested by this condition; verify the signature separately.
rule cert_blocklist_95e5793f2abe0b4ec9be54fd24f76ae5 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// File must begin with the "MZ" magic.
uint16(0) == 0x5A4D and
// Inclusive range also tries index number_of_signatures; that slot is undefined and cannot match.
for any i in (0..pe.number_of_signatures): (
// Same serial accepted with and without a leading 00 byte (presumably two renderings of one value - confirm).
pe.signatures[i].subject contains "Kommservice LLC" and (
pe.signatures[i].serial == "00:95:e5:79:3f:2a:be:0b:4e:c9:be:54:fd:24:f7:6a:e5" or
pe.signatures[i].serial == "95:e5:79:3f:2a:be:0b:4e:c9:be:54:fd:24:f7:6a:e5"
) and
// Certificate expiry (not_after) must be at or after this Unix timestamp.
1604933746 <= pe.signatures[i].not_after
)
}
// INFO-category blocklist entry: matches a PE file carrying a signature whose
// subject contains "OOO Istok" and whose serial is listed below. Issuer and
// chain validity are not tested by this condition; verify the signature separately.
rule cert_blocklist_133565779808c3b79d8e3f70a9c3ffac {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// File must begin with the "MZ" magic.
uint16(0) == 0x5A4D and
// Inclusive range also tries index number_of_signatures; that slot is undefined and cannot match.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "OOO Istok" and
pe.signatures[i].serial == "13:35:65:77:98:08:c3:b7:9d:8e:3f:70:a9:c3:ff:ac" and
// Certificate expiry (not_after) must be at or after this Unix timestamp.
1605019819 <= pe.signatures[i].not_after
)
}
// INFO-category blocklist entry: matches a PE file carrying a signature whose
// subject contains "Orangetree B.V." and whose serial is listed below. Issuer and
// chain validity are not tested by this condition; verify the signature separately.
rule cert_blocklist_7e0ccda0ef37acef6c2ebe4538627e5c {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// File must begin with the "MZ" magic.
uint16(0) == 0x5A4D and
// Inclusive range also tries index number_of_signatures; that slot is undefined and cannot match.
for any i in (0..pe.number_of_signatures): (
// Same serial accepted with and without a leading 00 byte (presumably two renderings of one value - confirm).
pe.signatures[i].subject contains "Orangetree B.V." and (
pe.signatures[i].serial == "00:7e:0c:cd:a0:ef:37:ac:ef:6c:2e:be:45:38:62:7e:5c" or
pe.signatures[i].serial == "7e:0c:cd:a0:ef:37:ac:ef:6c:2e:be:45:38:62:7e:5c"
) and
// Certificate expiry (not_after) must be at or after this Unix timestamp.
1606159604 <= pe.signatures[i].not_after
)
}
// INFO-category blocklist entry: matches a PE file carrying a signature whose
// subject contains "Fort LLC" and whose serial is listed below. Issuer and
// chain validity are not tested by this condition; verify the signature separately.
rule cert_blocklist_bad35fd70025d46c56b89e32b1a3954c {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// File must begin with the "MZ" magic.
uint16(0) == 0x5A4D and
// Inclusive range also tries index number_of_signatures; that slot is undefined and cannot match.
for any i in (0..pe.number_of_signatures): (
// Same serial accepted with and without a leading 00 byte (presumably two renderings of one value - confirm).
pe.signatures[i].subject contains "Fort LLC" and (
pe.signatures[i].serial == "00:ba:d3:5f:d7:00:25:d4:6c:56:b8:9e:32:b1:a3:95:4c" or
pe.signatures[i].serial == "ba:d3:5f:d7:00:25:d4:6c:56:b8:9e:32:b1:a3:95:4c"
) and
// Certificate expiry (not_after) must be at or after this Unix timestamp.
1604937337 <= pe.signatures[i].not_after
)
}
// INFO-category blocklist entry: matches a PE file carrying a signature whose
// subject contains "OOO KBI" and whose serial is listed below. Issuer and
// chain validity are not tested by this condition; verify the signature separately.
rule cert_blocklist_7b91468122273aa32b7cfc80c331ea13 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// File must begin with the "MZ" magic.
uint16(0) == 0x5A4D and
// Inclusive range also tries index number_of_signatures; that slot is undefined and cannot match.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "OOO KBI" and
pe.signatures[i].serial == "7b:91:46:81:22:27:3a:a3:2b:7c:fc:80:c3:31:ea:13" and
// Certificate expiry (not_after) must be at or after this Unix timestamp.
1586942863 <= pe.signatures[i].not_after
)
}
// INFO-category blocklist entry: matches a PE file carrying a signature whose
// subject contains "OOO KBI" and whose serial is listed below. Issuer and
// chain validity are not tested by this condition; verify the signature separately.
rule cert_blocklist_3e267b5d14cdf1f645c1ec545cec3aee {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// File must begin with the "MZ" magic.
uint16(0) == 0x5A4D and
// Inclusive range also tries index number_of_signatures; that slot is undefined and cannot match.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "OOO KBI" and
pe.signatures[i].serial == "3e:26:7b:5d:14:cd:f1:f6:45:c1:ec:54:5c:ec:3a:ee" and
// Certificate expiry (not_after) must be at or after this Unix timestamp.
1579825892 <= pe.signatures[i].not_after
)
}
// INFO-category blocklist entry: matches a PE file carrying a signature whose
// subject contains "VELES PROPERTIES LIMITED" and whose serial is listed below. Issuer and
// chain validity are not tested by this condition; verify the signature separately.
rule cert_blocklist_ae6d3c0269ef6497e14379c51a8507ba {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// File must begin with the "MZ" magic.
uint16(0) == 0x5A4D and
// Inclusive range also tries index number_of_signatures; that slot is undefined and cannot match.
for any i in (0..pe.number_of_signatures): (
// Same serial accepted with and without a leading 00 byte (presumably two renderings of one value - confirm).
pe.signatures[i].subject contains "VELES PROPERTIES LIMITED" and (
pe.signatures[i].serial == "00:ae:6d:3c:02:69:ef:64:97:e1:43:79:c5:1a:85:07:ba" or
pe.signatures[i].serial == "ae:6d:3c:02:69:ef:64:97:e1:43:79:c5:1a:85:07:ba"
) and
// Certificate expiry (not_after) must be at or after this Unix timestamp.
1578566034 <= pe.signatures[i].not_after
)
}
// INFO-category blocklist entry: matches a PE file carrying a signature whose
// subject contains "Pivo ZLoun s.r.o." and whose serial is listed below. Issuer and
// chain validity are not tested by this condition; verify the signature separately.
rule cert_blocklist_fd8c468cc1b45c9cfb41cbd8c835cc9e {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// File must begin with the "MZ" magic.
uint16(0) == 0x5A4D and
// Inclusive range also tries index number_of_signatures; that slot is undefined and cannot match.
for any i in (0..pe.number_of_signatures): (
// Same serial accepted with and without a leading 00 byte (presumably two renderings of one value - confirm).
pe.signatures[i].subject contains "Pivo ZLoun s.r.o." and (
pe.signatures[i].serial == "00:fd:8c:46:8c:c1:b4:5c:9c:fb:41:cb:d8:c8:35:cc:9e" or
pe.signatures[i].serial == "fd:8c:46:8c:c1:b4:5c:9c:fb:41:cb:d8:c8:35:cc:9e"
) and
// Certificate expiry (not_after) must be at or after this Unix timestamp.
1604019600 <= pe.signatures[i].not_after
)
}
// INFO-category blocklist entry: matches a PE file carrying a signature whose
// subject contains "YUTAKS, OOO" and whose serial is listed below. Issuer and
// chain validity are not tested by this condition; verify the signature separately.
rule cert_blocklist_7c061baa3118327255161f6a7fa4e21d {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// File must begin with the "MZ" magic.
uint16(0) == 0x5A4D and
// Inclusive range also tries index number_of_signatures; that slot is undefined and cannot match.
for any i in (0..pe.number_of_signatures): (
// Same serial accepted with and without a leading 00 byte (presumably two renderings of one value - confirm).
pe.signatures[i].subject contains "YUTAKS, OOO" and (
pe.signatures[i].serial == "00:7c:06:1b:aa:31:18:32:72:55:16:1f:6a:7f:a4:e2:1d" or
pe.signatures[i].serial == "7c:06:1b:aa:31:18:32:72:55:16:1f:6a:7f:a4:e2:1d"
) and
// Certificate expiry (not_after) must be at or after this Unix timestamp.
1599611338 <= pe.signatures[i].not_after
)
}
// Blocklist entry keyed on the signer subject and certificate serial below.
// Field match only: YARA does not fully validate the certificate chain, so
// confirm a hit with a signature verifier before acting on it.
rule cert_blocklist_04332c16724ffeda5868d22af56aea43 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // MZ magic first, then any signature entry meeting all three tests.
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "Bespoke Software Solutions Limited" and
            pe.signatures[idx].serial == "04:33:2c:16:72:4f:fe:da:58:68:d2:2a:f5:6a:ea:43" and
            // not_after (Unix seconds) must be at or after this time.
            pe.signatures[idx].not_after >= 1597971601
        )
}
// Blocklist entry keyed on the signer subject and certificate serial below.
// Field match only: YARA does not fully validate the certificate chain, so
// confirm a hit with a signature verifier before acting on it.
rule cert_blocklist_030012f134e64347669f3256c7d050c5 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // MZ magic first, then any signature entry meeting all three tests.
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "Futumarket LLC" and
            pe.signatures[idx].serial == "03:00:12:f1:34:e6:43:47:66:9f:32:56:c7:d0:50:c5" and
            // not_after (Unix seconds) must be at or after this time.
            pe.signatures[idx].not_after >= 1604036657
        )
}
// Blocklist entry keyed on the signer subject and certificate serial below.
// Field match only: YARA does not fully validate the certificate chain, so
// confirm a hit with a signature verifier before acting on it.
rule cert_blocklist_fa3dcac19b884b44ef4f81541184d6b0 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // MZ magic first, then any signature entry meeting all three tests.
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "Unicom Ltd" and
            // Same serial, accepted with or without a leading 00 byte.
            (
                pe.signatures[idx].serial == "fa:3d:ca:c1:9b:88:4b:44:ef:4f:81:54:11:84:d6:b0" or
                pe.signatures[idx].serial == "00:fa:3d:ca:c1:9b:88:4b:44:ef:4f:81:54:11:84:d6:b0"
            ) and
            // not_after (Unix seconds) must be at or after this time.
            pe.signatures[idx].not_after >= 1603958571
        )
}
// Blocklist entry keyed on the signer subject and certificate serial below.
// Field match only: YARA does not fully validate the certificate chain, so
// confirm a hit with a signature verifier before acting on it.
rule cert_blocklist_0e6f4cb8b06e01c3bd296ace3a95f814 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // MZ magic first, then any signature entry meeting all three tests.
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "EVATON, s.r.o." and
            pe.signatures[idx].serial == "0e:6f:4c:b8:b0:6e:01:c3:bd:29:6a:ce:3a:95:f8:14" and
            // not_after (Unix seconds) must be at or after this time.
            pe.signatures[idx].not_after >= 1603957781
        )
}
// Blocklist entry keyed on the signer subject and certificate serial below.
// Field match only: YARA does not fully validate the certificate chain, so
// confirm a hit with a signature verifier before acting on it.
rule cert_blocklist_085b70224253486624fc36fa658a1e32 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // MZ magic first, then any signature entry meeting all three tests.
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "Best Fud, OOO" and
            pe.signatures[idx].serial == "08:5b:70:22:42:53:48:66:24:fc:36:fa:65:8a:1e:32" and
            // not_after (Unix seconds) must be at or after this time.
            pe.signatures[idx].not_after >= 1597971601
        )
}
// Blocklist entry keyed on the signer subject and certificate serial below.
// Field match only: YARA does not fully validate the certificate chain, so
// confirm a hit with a signature verifier before acting on it.
rule cert_blocklist_51cd5393514f7ace2b407c3dbfb09d8d {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // MZ magic first, then any signature entry meeting all three tests.
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "APPI CZ a.s" and
            pe.signatures[idx].serial == "51:cd:53:93:51:4f:7a:ce:2b:40:7c:3d:bf:b0:9d:8d" and
            // not_after (Unix seconds) must be at or after this time.
            pe.signatures[idx].not_after >= 1605299467
        )
}
// Blocklist entry keyed on the signer subject and certificate serial below.
// Field match only: YARA does not fully validate the certificate chain, so
// confirm a hit with a signature verifier before acting on it.
rule cert_blocklist_b72179c027b9037ee220e81ab18fe56d {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // MZ magic first, then any signature entry meeting all three tests.
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "Planeta, TOV" and
            // Same serial, accepted with or without a leading 00 byte.
            (
                pe.signatures[idx].serial == "b7:21:79:c0:27:b9:03:7e:e2:20:e8:1a:b1:8f:e5:6d" or
                pe.signatures[idx].serial == "00:b7:21:79:c0:27:b9:03:7e:e2:20:e8:1a:b1:8f:e5:6d"
            ) and
            // not_after (Unix seconds) must be at or after this time.
            pe.signatures[idx].not_after >= 1603381300
        )
}
// Blocklist entry keyed on the signer subject and certificate serial below.
// Field match only: YARA does not fully validate the certificate chain, so
// confirm a hit with a signature verifier before acting on it.
rule cert_blocklist_07b74c70c4aa092648b7f0d1a8a3a28f {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // MZ magic first, then any signature entry meeting all three tests.
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "Rad-Grad D.O.O." and
            pe.signatures[idx].serial == "07:b7:4c:70:c4:aa:09:26:48:b7:f0:d1:a8:a3:a2:8f" and
            // not_after (Unix seconds) must be at or after this time.
            pe.signatures[idx].not_after >= 1603240965
        )
}
// Blocklist entry keyed on the signer subject and certificate serial below.
// Field match only: YARA does not fully validate the certificate chain, so
// confirm a hit with a signature verifier before acting on it.
rule cert_blocklist_4c8def294478b7d59ee95c61fae3d965 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // MZ magic first, then any signature entry meeting all three tests.
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "DREAM SECURITY USA INC" and
            pe.signatures[idx].serial == "4c:8d:ef:29:44:78:b7:d5:9e:e9:5c:61:fa:e3:d9:65" and
            // not_after (Unix seconds) must be at or after this time.
            pe.signatures[idx].not_after >= 1592961292
        )
}
// Blocklist entry keyed on the signer subject and certificate serial below.
// Field match only: YARA does not fully validate the certificate chain, so
// confirm a hit with a signature verifier before acting on it.
rule cert_blocklist_7d36cbb64bc9add17ba71737d3ecceca {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // MZ magic first, then any signature entry meeting all three tests.
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "LTD SERVICES LIMITED" and
            pe.signatures[idx].serial == "7d:36:cb:b6:4b:c9:ad:d1:7b:a7:17:37:d3:ec:ce:ca" and
            // not_after (Unix seconds) must be at or after this time.
            pe.signatures[idx].not_after >= 1616025600
        )
}
// Blocklist entry keyed on the signer subject and certificate serial below.
// Field match only: YARA does not fully validate the certificate chain, so
// confirm a hit with a signature verifier before acting on it.
rule cert_blocklist_ad255d4ebefa751f3782587396c08629 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // MZ magic first, then any signature entry meeting all three tests.
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "OOO Ornitek" and
            // Same serial, accepted with or without a leading 00 byte.
            (
                pe.signatures[idx].serial == "ad:25:5d:4e:be:fa:75:1f:37:82:58:73:96:c0:86:29" or
                pe.signatures[idx].serial == "00:ad:25:5d:4e:be:fa:75:1f:37:82:58:73:96:c0:86:29"
            ) and
            // not_after (Unix seconds) must be at or after this time.
            pe.signatures[idx].not_after >= 1614643200
        )
}
// Blocklist entry keyed on the signer subject and certificate serial below.
// Field match only: YARA does not fully validate the certificate chain, so
// confirm a hit with a signature verifier before acting on it.
rule cert_blocklist_262ca7ae19d688138e75932832b18f9d {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // MZ magic first, then any signature entry meeting all three tests.
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "Bisoyetutu Ltd Ltd" and
            pe.signatures[idx].serial == "26:2c:a7:ae:19:d6:88:13:8e:75:93:28:32:b1:8f:9d" and
            // not_after (Unix seconds) must be at or after this time.
            pe.signatures[idx].not_after >= 1616025600
        )
}
// Blocklist entry keyed on the signer subject and certificate serial below.
// Field match only: YARA does not fully validate the certificate chain, so
// confirm a hit with a signature verifier before acting on it.
rule cert_blocklist_59a57e8ba3dcf2b6f59981fda14b03 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // MZ magic first, then any signature entry meeting all three tests.
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "Medium LLC" and
            // This serial has 15 bytes, matching the 30 hex digits in the rule name.
            pe.signatures[idx].serial == "59:a5:7e:8b:a3:dc:f2:b6:f5:99:81:fd:a1:4b:03" and
            // not_after (Unix seconds) must be at or after this time.
            pe.signatures[idx].not_after >= 1609113600
        )
}
// Blocklist entry keyed on the signer subject and certificate serial below.
// Field match only: YARA does not fully validate the certificate chain, so
// confirm a hit with a signature verifier before acting on it.
rule cert_blocklist_aebe117a13b8bca21685df48c74f584d {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // MZ magic first, then any signature entry meeting all three tests.
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "NANAX d.o.o." and
            // Same serial, accepted with or without a leading 00 byte.
            (
                pe.signatures[idx].serial == "ae:be:11:7a:13:b8:bc:a2:16:85:df:48:c7:4f:58:4d" or
                pe.signatures[idx].serial == "00:ae:be:11:7a:13:b8:bc:a2:16:85:df:48:c7:4f:58:4d"
            ) and
            // not_after (Unix seconds) must be at or after this time.
            pe.signatures[idx].not_after >= 1613520000
        )
}
// Blocklist entry keyed on the signer subject and certificate serial below.
// Field match only: YARA does not fully validate the certificate chain, so
// confirm a hit with a signature verifier before acting on it.
rule cert_blocklist_7dcd19a94535f034ee36af4676740633 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // MZ magic first, then any signature entry meeting all three tests.
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "Toko Saya ApS" and
            pe.signatures[idx].serial == "7d:cd:19:a9:45:35:f0:34:ee:36:af:46:76:74:06:33" and
            // not_after (Unix seconds) must be at or after this time.
            pe.signatures[idx].not_after >= 1609200000
        )
}
// Blocklist entry keyed on the signer subject and certificate serial below.
// Field match only: YARA does not fully validate the certificate chain, so
// confirm a hit with a signature verifier before acting on it.
rule cert_blocklist_ca4822e6905aa4fca9e28523f04f14a3 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // MZ magic first, then any signature entry meeting all three tests.
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "ELISTREID, OOO" and
            // Same serial, accepted with or without a leading 00 byte.
            (
                pe.signatures[idx].serial == "ca:48:22:e6:90:5a:a4:fc:a9:e2:85:23:f0:4f:14:a3" or
                pe.signatures[idx].serial == "00:ca:48:22:e6:90:5a:a4:fc:a9:e2:85:23:f0:4f:14:a3"
            ) and
            // not_after (Unix seconds) must be at or after this time.
            pe.signatures[idx].not_after >= 1614643200
        )
}
// Blocklist entry keyed on the signer subject and certificate serial below.
// Field match only: YARA does not fully validate the certificate chain, so
// confirm a hit with a signature verifier before acting on it.
rule cert_blocklist_24c1ef800f275ab2780280c595de3464 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // MZ magic first, then any signature entry meeting all three tests.
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "HOLGAN LIMITED" and
            pe.signatures[idx].serial == "24:c1:ef:80:0f:27:5a:b2:78:02:80:c5:95:de:34:64" and
            // not_after (Unix seconds) must be at or after this time.
            pe.signatures[idx].not_after >= 1614729600
        )
}
// Blocklist entry keyed on the signer subject and certificate serial below.
// Field match only: YARA does not fully validate the certificate chain, so
// confirm a hit with a signature verifier before acting on it.
rule cert_blocklist_6401831b46588b9d872b02076c3a7b00 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // MZ magic first, then any signature entry meeting all three tests.
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "ACTIV GROUP ApS" and
            pe.signatures[idx].serial == "64:01:83:1b:46:58:8b:9d:87:2b:02:07:6c:3a:7b:00" and
            // not_after (Unix seconds) must be at or after this time.
            pe.signatures[idx].not_after >= 1615507200
        )
}
// Blocklist entry keyed on the signer subject and certificate serial below.
// Field match only: YARA does not fully validate the certificate chain, so
// confirm a hit with a signature verifier before acting on it.
rule cert_blocklist_0a01a91cce63ede5eaa3dac4883aea05 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // MZ magic first, then any signature entry meeting all three tests.
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "Seacloud Technologies Pte. Ltd." and
            pe.signatures[idx].serial == "0a:01:a9:1c:ce:63:ed:e5:ea:a3:da:c4:88:3a:ea:05" and
            // not_after (Unix seconds) must be at or after this time.
            pe.signatures[idx].not_after >= 1618876800
        )
}
// Blocklist entry keyed on the signer subject and certificate serial below.
// Field match only: YARA does not fully validate the certificate chain, so
// confirm a hit with a signature verifier before acting on it.
rule cert_blocklist_54cd7ae1c27f1421136ed25088f4979a {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // MZ magic first, then any signature entry meeting all three tests.
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "ABBYMAJUTA LTD LIMITED" and
            pe.signatures[idx].serial == "54:cd:7a:e1:c2:7f:14:21:13:6e:d2:50:88:f4:97:9a" and
            // not_after (Unix seconds) must be at or after this time.
            pe.signatures[idx].not_after >= 1616371200
        )
}
// Blocklist entry keyed on the signer subject and certificate serial below.
// Field match only: YARA does not fully validate the certificate chain, so
// confirm a hit with a signature verifier before acting on it.
rule cert_blocklist_f2d693aad63e6920782a0027dfc97d91 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // MZ magic first, then any signature entry meeting all three tests.
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "EKO-KHIM TOV" and
            // Same serial, accepted with or without a leading 00 byte.
            (
                pe.signatures[idx].serial == "f2:d6:93:aa:d6:3e:69:20:78:2a:00:27:df:c9:7d:91" or
                pe.signatures[idx].serial == "00:f2:d6:93:aa:d6:3e:69:20:78:2a:00:27:df:c9:7d:91"
            ) and
            // not_after (Unix seconds) must be at or after this time.
            pe.signatures[idx].not_after >= 1598989763
        )
}
// Blocklist entry keyed on the signer subject and certificate serial below.
// Field match only: YARA does not fully validate the certificate chain, so
// confirm a hit with a signature verifier before acting on it.
rule cert_blocklist_f8e8f6c92ba666b0688a8cacce9acccf {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // MZ magic first, then any signature entry meeting all three tests.
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "5 th Dimension LTD Oy" and
            // Same serial, accepted with or without a leading 00 byte.
            (
                pe.signatures[idx].serial == "f8:e8:f6:c9:2b:a6:66:b0:68:8a:8c:ac:ce:9a:cc:cf" or
                pe.signatures[idx].serial == "00:f8:e8:f6:c9:2b:a6:66:b0:68:8a:8c:ac:ce:9a:cc:cf"
            ) and
            // not_after (Unix seconds) must be at or after this time.
            pe.signatures[idx].not_after >= 1618531200
        )
}
// Blocklist entry keyed on the signer subject and certificate serial below.
// Field match only: YARA does not fully validate the certificate chain, so
// confirm a hit with a signature verifier before acting on it.
rule cert_blocklist_e3d5089d4b8f01aadce2731062fb0cce {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // MZ magic first, then any signature entry meeting all three tests.
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "DEVELOP - Residence s. r. o." and
            // Same serial, accepted with or without a leading 00 byte.
            (
                pe.signatures[idx].serial == "e3:d5:08:9d:4b:8f:01:aa:dc:e2:73:10:62:fb:0c:ce" or
                pe.signatures[idx].serial == "00:e3:d5:08:9d:4b:8f:01:aa:dc:e2:73:10:62:fb:0c:ce"
            ) and
            // not_after (Unix seconds) must be at or after this time.
            pe.signatures[idx].not_after >= 1618358400
        )
}
// Blocklist entry keyed on the signer subject and certificate serial below.
// Field match only: YARA does not fully validate the certificate chain, so
// confirm a hit with a signature verifier before acting on it.
rule cert_blocklist_7ed801843fa001b8add52d3a97b25931 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // MZ magic first, then any signature entry meeting all three tests.
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "AM El-Teknik ApS" and
            pe.signatures[idx].serial == "7e:d8:01:84:3f:a0:01:b8:ad:d5:2d:3a:97:b2:59:31" and
            // not_after (Unix seconds) must be at or after this time.
            pe.signatures[idx].not_after >= 1614297600
        )
}
// Blocklist entry keyed on the signer subject and certificate serial below.
// Field match only: YARA does not fully validate the certificate chain, so
// confirm a hit with a signature verifier before acting on it.
rule cert_blocklist_d9e834182dec62c654e775e809ac1d1b {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // MZ magic first, then any signature entry meeting all three tests.
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "FoodLehto Oy" and
            // Same serial, accepted with or without a leading 00 byte.
            (
                pe.signatures[idx].serial == "d9:e8:34:18:2d:ec:62:c6:54:e7:75:e8:09:ac:1d:1b" or
                pe.signatures[idx].serial == "00:d9:e8:34:18:2d:ec:62:c6:54:e7:75:e8:09:ac:1d:1b"
            ) and
            // not_after (Unix seconds) must be at or after this time.
            pe.signatures[idx].not_after >= 1614297600
        )
}
// Blocklist entry keyed on the signer subject and certificate serial below.
// Field match only: YARA does not fully validate the certificate chain, so
// confirm a hit with a signature verifier before acting on it.
rule cert_blocklist_801689896ed339237464a41a2900a969 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // MZ magic first, then any signature entry meeting all three tests.
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "GLG Rental ApS" and
            // Same serial, accepted with or without a leading 00 byte.
            (
                pe.signatures[idx].serial == "80:16:89:89:6e:d3:39:23:74:64:a4:1a:29:00:a9:69" or
                pe.signatures[idx].serial == "00:80:16:89:89:6e:d3:39:23:74:64:a4:1a:29:00:a9:69"
            ) and
            // not_after (Unix seconds) must be at or after this time.
            pe.signatures[idx].not_after >= 1615507200
        )
}
// Blocklist entry keyed on the signer subject and certificate serial below.
// Field match only: YARA does not fully validate the certificate chain, so
// confirm a hit with a signature verifier before acting on it.
rule cert_blocklist_3fd3661533eef209153c9afec3ba4d8a {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // MZ magic first, then any signature entry meeting all three tests.
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "SFB Regnskabsservice ApS" and
            pe.signatures[idx].serial == "3f:d3:66:15:33:ee:f2:09:15:3c:9a:fe:c3:ba:4d:8a" and
            // not_after (Unix seconds) must be at or after this time.
            pe.signatures[idx].not_after >= 1614816000
        )
}
// Blocklist entry keyed on the signer subject and certificate serial below.
// Field match only: YARA does not fully validate the certificate chain, so
// confirm a hit with a signature verifier before acting on it.
rule cert_blocklist_0ced87bd70b092cb93b182fac32655f6 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // MZ magic first, then any signature entry meeting all three tests.
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "Creator Soft Limited" and
            pe.signatures[idx].serial == "0c:ed:87:bd:70:b0:92:cb:93:b1:82:fa:c3:26:55:f6" and
            // not_after (Unix seconds) must be at or after this time.
            pe.signatures[idx].not_after >= 1614816000
        )
}
// Blocklist entry keyed on the signer subject and certificate serial below.
// Field match only: YARA does not fully validate the certificate chain, so
// confirm a hit with a signature verifier before acting on it.
rule cert_blocklist_047801d5b55c800b48411fd8c320ca5b {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // MZ magic first, then any signature entry meeting all three tests.
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "LICHFIELD STUDIO GLASS LIMITED" and
            pe.signatures[idx].serial == "04:78:01:d5:b5:5c:80:0b:48:41:1f:d8:c3:20:ca:5b" and
            // not_after (Unix seconds) must be at or after this time.
            pe.signatures[idx].not_after >= 1614297600
        )
}
// Blocklist entry keyed on the signer subject and certificate serial below.
// Field match only: YARA does not fully validate the certificate chain, so
// confirm a hit with a signature verifier before acting on it.
rule cert_blocklist_0f0ed5318848703405d40f7c62d0f39a {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // MZ magic first, then any signature entry meeting all three tests.
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "SIES UPRAVLENIE PROTSESSAMI, OOO" and
            pe.signatures[idx].serial == "0f:0e:d5:31:88:48:70:34:05:d4:0f:7c:62:d0:f3:9a" and
            // not_after (Unix seconds) must be at or after this time.
            pe.signatures[idx].not_after >= 1614729600
        )
}
// Blocklist entry keyed on the signer subject and certificate serial below.
// Field match only: YARA does not fully validate the certificate chain, so
// confirm a hit with a signature verifier before acting on it.
rule cert_blocklist_4e7545c9fc5938f5198ab9f1749ca31c {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // MZ magic first, then any signature entry meeting all three tests.
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "For M d.o.o." and
            pe.signatures[idx].serial == "4e:75:45:c9:fc:59:38:f5:19:8a:b9:f1:74:9c:a3:1c" and
            // not_after (Unix seconds) must be at or after this time.
            pe.signatures[idx].not_after >= 1614297600
        )
}
// Blocklist entry keyed on the signer subject and certificate serial below.
// Field match only: YARA does not fully validate the certificate chain, so
// confirm a hit with a signature verifier before acting on it.
rule cert_blocklist_7ddd3796a427b42f2e52d7c7af0ca54f {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // MZ magic first, then any signature entry meeting all three tests.
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "OOO Fobos" and
            pe.signatures[idx].serial == "7d:dd:37:96:a4:27:b4:2f:2e:52:d7:c7:af:0c:a5:4f" and
            // not_after (Unix seconds) must be at or after this time.
            pe.signatures[idx].not_after >= 1612915200
        )
}
// Blocklist entry keyed on the signer subject and certificate serial below.
// Field match only: YARA does not fully validate the certificate chain, so
// confirm a hit with a signature verifier before acting on it.
rule cert_blocklist_03b27d7f4ee21a462a064a17eef70d6c {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // MZ magic first, then any signature entry meeting all three tests.
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "CCL TRADING LIMITED" and
            pe.signatures[idx].serial == "03:b2:7d:7f:4e:e2:1a:46:2a:06:4a:17:ee:f7:0d:6c" and
            // not_after (Unix seconds) must be at or after this time.
            pe.signatures[idx].not_after >= 1613952000
        )
}
// Blocklist entry keyed on the signer subject and certificate serial below.
// Field match only: YARA does not fully validate the certificate chain, so
// confirm a hit with a signature verifier before acting on it.
rule cert_blocklist_b0a308fc2e71ac4ac40677b9c27ccbad {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // MZ magic first, then any signature entry meeting all three tests.
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "Volpayk LLC" and
            // Same serial, accepted with or without a leading 00 byte.
            (
                pe.signatures[idx].serial == "b0:a3:08:fc:2e:71:ac:4a:c4:06:77:b9:c2:7c:cb:ad" or
                pe.signatures[idx].serial == "00:b0:a3:08:fc:2e:71:ac:4a:c4:06:77:b9:c2:7c:cb:ad"
            ) and
            // not_after (Unix seconds) must be at or after this time.
            pe.signatures[idx].not_after >= 1611705600
        )
}
// Blocklist entry keyed on the signer subject and certificate serial below.
// Field match only: YARA does not fully validate the certificate chain, so
// confirm a hit with a signature verifier before acting on it.
rule cert_blocklist_61b11ef9726ab2e78132e01bd791b336 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // MZ magic first, then any signature entry meeting all three tests.
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "OOO Skalari" and
            pe.signatures[idx].serial == "61:b1:1e:f9:72:6a:b2:e7:81:32:e0:1b:d7:91:b3:36" and
            // not_after (Unix seconds) must be at or after this time.
            pe.signatures[idx].not_after >= 1609372800
        )
}
// Blocklist entry keyed on the signer subject and certificate serial below.
// Field match only: YARA does not fully validate the certificate chain, so
// confirm a hit with a signature verifier before acting on it.
rule cert_blocklist_8fe807310d98357a59382090634b93f0 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // MZ magic first, then any signature entry meeting all three tests.
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "MAVE MEDIA" and
            // Same serial, accepted with or without a leading 00 byte.
            (
                pe.signatures[idx].serial == "8f:e8:07:31:0d:98:35:7a:59:38:20:90:63:4b:93:f0" or
                pe.signatures[idx].serial == "00:8f:e8:07:31:0d:98:35:7a:59:38:20:90:63:4b:93:f0"
            ) and
            // not_after (Unix seconds) must be at or after this time.
            pe.signatures[idx].not_after >= 1613433600
        )
}
// Blocklist entry keyed on the signer subject and certificate serial below.
// Field match only: YARA does not fully validate the certificate chain, so
// confirm a hit with a signature verifier before acting on it.
rule cert_blocklist_b97f66bb221772dc07ef1d4bed8f6085 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // MZ magic first, then any signature entry meeting all three tests.
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "S-PRO d.o.o." and
            // Same serial, accepted with or without a leading 00 byte.
            (
                pe.signatures[idx].serial == "b9:7f:66:bb:22:17:72:dc:07:ef:1d:4b:ed:8f:60:85" or
                pe.signatures[idx].serial == "00:b9:7f:66:bb:22:17:72:dc:07:ef:1d:4b:ed:8f:60:85"
            ) and
            // not_after (Unix seconds) must be at or after this time.
            pe.signatures[idx].not_after >= 1614556800
        )
}
// Blocklist entry keyed on the signer subject and certificate serial below.
// Field match only: YARA does not fully validate the certificate chain, so
// confirm a hit with a signature verifier before acting on it.
rule cert_blocklist_fed006fbf85cd1c6ba6b4345b198e1e6 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // MZ magic first, then any signature entry meeting all three tests.
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "LoL d.o.o." and
            // Same serial, accepted with or without a leading 00 byte.
            (
                pe.signatures[idx].serial == "fe:d0:06:fb:f8:5c:d1:c6:ba:6b:43:45:b1:98:e1:e6" or
                pe.signatures[idx].serial == "00:fe:d0:06:fb:f8:5c:d1:c6:ba:6b:43:45:b1:98:e1:e6"
            ) and
            // not_after (Unix seconds) must be at or after this time.
            pe.signatures[idx].not_after >= 1614297600
        )
}
// Blocklist entry keyed on the signer subject and certificate serial below.
// Field match only: YARA does not fully validate the certificate chain, so
// confirm a hit with a signature verifier before acting on it.
rule cert_blocklist_aa28c9bd16d9d304f18af223b27bfa1e {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // MZ magic first, then any signature entry meeting all three tests.
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "Tecno trade d.o.o." and
            // Same serial, accepted with or without a leading 00 byte.
            (
                pe.signatures[idx].serial == "aa:28:c9:bd:16:d9:d3:04:f1:8a:f2:23:b2:7b:fa:1e" or
                pe.signatures[idx].serial == "00:aa:28:c9:bd:16:d9:d3:04:f1:8a:f2:23:b2:7b:fa:1e"
            ) and
            // not_after (Unix seconds) must be at or after this time.
            pe.signatures[idx].not_after >= 1611705600
        )
}
// Blocklist entry keyed on the signer subject and certificate serial below.
// Field match only: YARA does not fully validate the certificate chain, so
// confirm a hit with a signature verifier before acting on it.
rule cert_blocklist_19beff8a6c129663e5e8c18953dc1f67 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // MZ magic first, then any signature entry meeting all three tests.
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "CULNADY LTD LTD" and
            pe.signatures[idx].serial == "19:be:ff:8a:6c:12:96:63:e5:e8:c1:89:53:dc:1f:67" and
            // not_after (Unix seconds) must be at or after this time.
            pe.signatures[idx].not_after >= 1608163200
        )
}
// Blocklist entry keyed on the signer subject and certificate serial below.
// Field match only: YARA does not fully validate the certificate chain, so
// confirm a hit with a signature verifier before acting on it.
rule cert_blocklist_029685cda1c8233d2409a31206f78f9f {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // MZ magic first, then any signature entry meeting all three tests.
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            // The doubled backslashes match the literal text \xC5\xBE in the
            // subject string; presumably that is how the pe module renders the
            // non-ASCII bytes. NOTE(review): confirm against the YARA build in use.
            pe.signatures[idx].subject contains "KOTO TRADE, dru\\xC5\\xBEba za posredovanje, d.o.o." and
            pe.signatures[idx].serial == "02:96:85:cd:a1:c8:23:3d:24:09:a3:12:06:f7:8f:9f" and
            // not_after (Unix seconds) must be at or after this time.
            pe.signatures[idx].not_after >= 1612396800
        )
}
// Blocklist entry keyed on the signer subject and certificate serial below.
// Field match only: YARA does not fully validate the certificate chain, so
// confirm a hit with a signature verifier before acting on it.
rule cert_blocklist_d609b6c95428954a999a8a99d4f198af {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // MZ magic first, then any signature entry meeting all three tests.
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "OOO Fudl" and
            // Same serial, accepted with or without a leading 00 byte.
            (
                pe.signatures[idx].serial == "d6:09:b6:c9:54:28:95:4a:99:9a:8a:99:d4:f1:98:af" or
                pe.signatures[idx].serial == "00:d6:09:b6:c9:54:28:95:4a:99:9a:8a:99:d4:f1:98:af"
            ) and
            // not_after (Unix seconds) must be at or after this time.
            pe.signatures[idx].not_after >= 1612828800
        )
}
// Blocklist entry keyed on the signer subject and certificate serial below.
// Field match only: YARA does not fully validate the certificate chain, so
// confirm a hit with a signature verifier before acting on it.
rule cert_blocklist_d3356318924c8c42959bf1d1574e6482 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // MZ magic first, then any signature entry meeting all three tests.
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "ADV TOURS d.o.o." and
            // Same serial, accepted with or without a leading 00 byte.
            (
                pe.signatures[idx].serial == "d3:35:63:18:92:4c:8c:42:95:9b:f1:d1:57:4e:64:82" or
                pe.signatures[idx].serial == "00:d3:35:63:18:92:4c:8c:42:95:9b:f1:d1:57:4e:64:82"
            ) and
            // not_after (Unix seconds) must be at or after this time.
            pe.signatures[idx].not_after >= 1613001600
        )
}
// Blocklist entry keyed on the signer subject and certificate serial below.
// Field match only: YARA does not fully validate the certificate chain, so
// confirm a hit with a signature verifier before acting on it.
rule cert_blocklist_31d852f5fca1a5966b5ed08a14825c54 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // MZ magic first, then any signature entry meeting all three tests.
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "BBT KLA d.o.o." and
            pe.signatures[idx].serial == "31:d8:52:f5:fc:a1:a5:96:6b:5e:d0:8a:14:82:5c:54" and
            // not_after (Unix seconds) must be at or after this time.
            pe.signatures[idx].not_after >= 1612396800
        )
}
// Blocklist entry keyed on the signer subject and certificate serial below.
// Field match only: YARA does not fully validate the certificate chain, so
// confirm a hit with a signature verifier before acting on it.
rule cert_blocklist_17d99cc2f5b29522d422332e681f3e18 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // MZ magic first, then any signature entry meeting all three tests.
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "PKV Trading ApS" and
            pe.signatures[idx].serial == "17:d9:9c:c2:f5:b2:95:22:d4:22:33:2e:68:1f:3e:18" and
            // not_after (Unix seconds) must be at or after this time.
            pe.signatures[idx].not_after >= 1613088000
        )
}
// Blocklist entry keyed on the signer subject and certificate serial below.
// Field match only: YARA does not fully validate the certificate chain, so
// confirm a hit with a signature verifier before acting on it.
rule cert_blocklist_6a568f85de2061f67ded98707d4988df {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // MZ magic first, then any signature entry meeting all three tests.
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "OOO Apladis" and
            pe.signatures[idx].serial == "6a:56:8f:85:de:20:61:f6:7d:ed:98:70:7d:49:88:df" and
            // not_after (Unix seconds) must be at or after this time.
            pe.signatures[idx].not_after >= 1613001600
        )
}
// Blocklist entry keyed on the signer subject and certificate serial below.
// Field match only: YARA does not fully validate the certificate chain, so
// confirm a hit with a signature verifier before acting on it.
rule cert_blocklist_038fc745523b41b40d653b83aa381b80 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // MZ magic first, then any signature entry meeting all three tests.
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "OOO Optima" and
            pe.signatures[idx].serial == "03:8f:c7:45:52:3b:41:b4:0d:65:3b:83:aa:38:1b:80" and
            // not_after (Unix seconds) must be at or after this time.
            pe.signatures[idx].not_after >= 1606143708
        )
}
// Blocklist entry keyed on the signer subject and certificate serial below.
// Field match only: YARA does not fully validate the certificate chain, so
// confirm a hit with a signature verifier before acting on it.
rule cert_blocklist_30af0d0e6d8201a5369664c5ebbb010f {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // MZ magic first, then any signature entry meeting all three tests.
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            // The doubled backslashes match the literal text \xC5\xA0 and
            // \xC5\xBE in the subject string; presumably that is how the pe
            // module renders the non-ASCII bytes. NOTE(review): confirm against
            // the YARA build in use.
            pe.signatures[idx].subject contains "3N-\\xC5\\xA0PORT podjetje za in\\xC5\\xBEeniring, storitve in trgovino d.o.o." and
            pe.signatures[idx].serial == "30:af:0d:0e:6d:82:01:a5:36:96:64:c5:eb:bb:01:0f" and
            // not_after (Unix seconds) must be at or after this time.
            pe.signatures[idx].not_after >= 1613433600
        )
}
// Blocklist entry keyed on the signer subject and certificate serial below.
// Field match only: YARA does not fully validate the certificate chain, so
// confirm a hit with a signature verifier before acting on it.
rule cert_blocklist_ac0a7b9420b369af3ddb748385b981 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // MZ magic first, then any signature entry meeting all three tests.
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "OOO Tochka" and
            // Same serial, accepted with or without a leading 00 byte. The bare
            // form has 15 bytes, matching the 30 hex digits in the rule name.
            (
                pe.signatures[idx].serial == "ac:0a:7b:94:20:b3:69:af:3d:db:74:83:85:b9:81" or
                pe.signatures[idx].serial == "00:ac:0a:7b:94:20:b3:69:af:3d:db:74:83:85:b9:81"
            ) and
            // not_after (Unix seconds) must be at or after this time.
            pe.signatures[idx].not_after >= 1604620800
        )
}
// Blocklist entry keyed on the signer subject and certificate serial below.
// Field match only: YARA does not fully validate the certificate chain, so
// confirm a hit with a signature verifier before acting on it.
rule cert_blocklist_c167f04b338b1e8747b92c2197403c43 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // MZ magic first, then any signature entry meeting all three tests.
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "FORTUNE STAR TRADING, INC." and
            // Same serial, accepted with or without a leading 00 byte.
            (
                pe.signatures[idx].serial == "c1:67:f0:4b:33:8b:1e:87:47:b9:2c:21:97:40:3c:43" or
                pe.signatures[idx].serial == "00:c1:67:f0:4b:33:8b:1e:87:47:b9:2c:21:97:40:3c:43"
            ) and
            // not_after (Unix seconds) must be at or after this time.
            pe.signatures[idx].not_after >= 1604361600
        )
}
// Blocklist entry keyed on the signer subject and certificate serial below.
// Field match only: YARA does not fully validate the certificate chain, so
// confirm a hit with a signature verifier before acting on it.
rule cert_blocklist_9272607cfc982b782a5d36c4b78f5e7b {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // MZ magic first, then any signature entry meeting all three tests.
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "Rada SP Z o o" and
            // Same serial, accepted with or without a leading 00 byte.
            (
                pe.signatures[idx].serial == "92:72:60:7c:fc:98:2b:78:2a:5d:36:c4:b7:8f:5e:7b" or
                pe.signatures[idx].serial == "00:92:72:60:7c:fc:98:2b:78:2a:5d:36:c4:b7:8f:5e:7b"
            ) and
            // not_after (Unix seconds) must be at or after this time.
            pe.signatures[idx].not_after >= 1605139200
        )
}
// Blocklist entry keyed on the signer subject and certificate serial below.
// Field match only: YARA does not fully validate the certificate chain, so
// confirm a hit with a signature verifier before acting on it.
rule cert_blocklist_45eb9187a2505d8e6c842e6d366ad0c8 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // MZ magic first, then any signature entry meeting all three tests.
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "BAKERA s.r.o." and
            pe.signatures[idx].serial == "45:eb:91:87:a2:50:5d:8e:6c:84:2e:6d:36:6a:d0:c8" and
            // not_after (Unix seconds) must be at or after this time.
            pe.signatures[idx].not_after >= 1607040000
        )
}
// Blocklist entry keyed on the signer subject and certificate serial below.
// Field match only: YARA does not fully validate the certificate chain, so
// confirm a hit with a signature verifier before acting on it.
rule cert_blocklist_56fff139df5ae7e788e5d72196dd563a {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // MZ magic first, then any signature entry meeting all three tests.
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "Cifromatika LLC" and
            pe.signatures[idx].serial == "56:ff:f1:39:df:5a:e7:e7:88:e5:d7:21:96:dd:56:3a" and
            // not_after (Unix seconds) must be at or after this time.
            pe.signatures[idx].not_after >= 1606435200
        )
}
// Blocklist entry keyed on the signer subject and certificate serial below.
// Field match only: YARA does not fully validate the certificate chain, so
// confirm a hit with a signature verifier before acting on it.
rule cert_blocklist_e161f76da3b5e4623892c8e6fda1ea3d {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // MZ magic first, then any signature entry meeting all three tests.
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "TGN Nedelica d.o.o." and
            // Same serial, accepted with or without a leading 00 byte.
            (
                pe.signatures[idx].serial == "e1:61:f7:6d:a3:b5:e4:62:38:92:c8:e6:fd:a1:ea:3d" or
                pe.signatures[idx].serial == "00:e1:61:f7:6d:a3:b5:e4:62:38:92:c8:e6:fd:a1:ea:3d"
            ) and
            // not_after (Unix seconds) must be at or after this time.
            pe.signatures[idx].not_after >= 1604966400
        )
}
// Blocklist entry keyed on the signer subject and certificate serial below.
// Field match only: YARA does not fully validate the certificate chain, so
// confirm a hit with a signature verifier before acting on it.
rule cert_blocklist_9ae5b177ac3a7ce2aadf1c891b574924 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // MZ magic first, then any signature entry meeting all three tests.
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "OOO Kolorit" and
            // Same serial, accepted with or without a leading 00 byte.
            (
                pe.signatures[idx].serial == "9a:e5:b1:77:ac:3a:7c:e2:aa:df:1c:89:1b:57:49:24" or
                pe.signatures[idx].serial == "00:9a:e5:b1:77:ac:3a:7c:e2:aa:df:1c:89:1b:57:49:24"
            ) and
            // not_after (Unix seconds) must be at or after this time.
            pe.signatures[idx].not_after >= 1608076800
        )
}
// Blocklist entry keyed on the signer subject and certificate serial below.
// Field match only: YARA does not fully validate the certificate chain, so
// confirm a hit with a signature verifier before acting on it.
rule cert_blocklist_a03ea3a4fa772b17037a0b80f1f968aa {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // MZ magic first, then any signature entry meeting all three tests.
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "DREVOKAPITAL, s.r.o." and
            // Same serial, accepted with or without a leading 00 byte.
            (
                pe.signatures[idx].serial == "a0:3e:a3:a4:fa:77:2b:17:03:7a:0b:80:f1:f9:68:aa" or
                pe.signatures[idx].serial == "00:a0:3e:a3:a4:fa:77:2b:17:03:7a:0b:80:f1:f9:68:aa"
            ) and
            // not_after (Unix seconds) must be at or after this time.
            pe.signatures[idx].not_after >= 1608076800
        )
}
// Blocklist entry keyed on the signer subject and certificate serial below.
// Field match only: YARA does not fully validate the certificate chain, so
// confirm a hit with a signature verifier before acting on it.
rule cert_blocklist_333ca7d100b139b0d9c1a97cb458e226 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // MZ magic first, then any signature entry meeting all three tests.
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "FSE, d.o.o." and
            pe.signatures[idx].serial == "33:3c:a7:d1:00:b1:39:b0:d9:c1:a9:7c:b4:58:e2:26" and
            // not_after (Unix seconds) must be at or after this time.
            pe.signatures[idx].not_after >= 1608076800
        )
}
// Blocklist entry keyed on the signer subject and certificate serial below.
// Field match only: YARA does not fully validate the certificate chain, so
// confirm a hit with a signature verifier before acting on it.
rule cert_blocklist_9245d1511923f541844faa3c6bfebcbe {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // MZ magic first, then any signature entry meeting all three tests.
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "LEHTEH d.o.o., Ljubljana" and
            // Same serial, accepted with or without a leading 00 byte.
            (
                pe.signatures[idx].serial == "92:45:d1:51:19:23:f5:41:84:4f:aa:3c:6b:fe:bc:be" or
                pe.signatures[idx].serial == "00:92:45:d1:51:19:23:f5:41:84:4f:aa:3c:6b:fe:bc:be"
            ) and
            // not_after (Unix seconds) must be at or after this time.
            pe.signatures[idx].not_after >= 1607040000
        )
}
// Blocklist entry keyed on the signer subject and certificate serial below.
// Field match only: YARA does not fully validate the certificate chain, so
// confirm a hit with a signature verifier before acting on it.
rule cert_blocklist_2888cf0f953a4a3640ee4cfc6304d9d4 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // MZ magic first, then any signature entry meeting all three tests.
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "Lotte Schmidt" and
            pe.signatures[idx].serial == "28:88:cf:0f:95:3a:4a:36:40:ee:4c:fc:63:04:d9:d4" and
            // not_after (Unix seconds) must be at or after this time.
            pe.signatures[idx].not_after >= 1608024974
        )
}
// Blocklist entry keyed on the signer subject and certificate serial below.
// Field match only: YARA does not fully validate the certificate chain, so
// confirm a hit with a signature verifier before acting on it.
rule cert_blocklist_c8edcfe8be174c2f204d858c5b91dea5 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // MZ magic first, then any signature entry meeting all three tests.
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].subject contains "Paarcopy Oy" and
            // Same serial, accepted with or without a leading 00 byte.
            (
                pe.signatures[idx].serial == "c8:ed:cf:e8:be:17:4c:2f:20:4d:85:8c:5b:91:de:a5" or
                pe.signatures[idx].serial == "00:c8:ed:cf:e8:be:17:4c:2f:20:4d:85:8c:5b:91:de:a5"
            ) and
            // not_after (Unix seconds) must be at or after this time.
            pe.signatures[idx].not_after >= 1608076800
        )
}
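// Blocklist entry: PE file carrying a signature whose subject contains
// "Tekhnokod LLC" and whose serial matches; metadata marks it as a malware-signing certificate.
// Only certificate fields are compared (no chain validation), so verify hits with a full signature check.
rule cert_blocklist_9faf8705a3eaef9340800cc4fd38597c {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D read little-endian at offset 0 is the "MZ" magic.
        uint16(0) == 0x5A4D and
        // Ranges are inclusive, so the last valid signature index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            pe.signatures[i].subject contains "Tekhnokod LLC" and (
                // Same serial with and without the leading 00 byte (DER sign padding).
                pe.signatures[i].serial == "00:9f:af:87:05:a3:ea:ef:93:40:80:0c:c4:fd:38:59:7c" or
                pe.signatures[i].serial == "9f:af:87:05:a3:ea:ef:93:40:80:0c:c4:fd:38:59:7c"
            ) and
            // Certificate expiry must be on or after this Unix time (informative only, see file header).
            1605744000 <= pe.signatures[i].not_after
        )
}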
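// Blocklist entry: PE file carrying a signature whose subject contains
// "PROFF LAIN, OOO" and whose serial matches; metadata marks it as a malware-signing certificate.
// Only certificate fields are compared (no chain validation), so verify hits with a full signature check.
rule cert_blocklist_0940fa9a4080f35052b2077333769c2f {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D read little-endian at offset 0 is the "MZ" magic.
        uint16(0) == 0x5A4D and
        // Ranges are inclusive, so the last valid signature index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            pe.signatures[i].subject contains "PROFF LAIN, OOO" and
            pe.signatures[i].serial == "09:40:fa:9a:40:80:f3:50:52:b2:07:73:33:76:9c:2f" and
            // Certificate expiry must be on or after this Unix time (informative only, see file header).
            1603497600 <= pe.signatures[i].not_after
        )
}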
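// Blocklist entry: PE file carrying a signature whose subject contains
// "CAVANAGH NETS LIMITED" and whose serial matches; metadata marks it as a malware-signing certificate.
// Only certificate fields are compared (no chain validation), so verify hits with a full signature check.
rule cert_blocklist_ea720222d92dc8d48e3b3c3b0fc360a6 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D read little-endian at offset 0 is the "MZ" magic.
        uint16(0) == 0x5A4D and
        // Ranges are inclusive, so the last valid signature index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            pe.signatures[i].subject contains "CAVANAGH NETS LIMITED" and (
                // Same serial with and without the leading 00 byte (DER sign padding).
                pe.signatures[i].serial == "00:ea:72:02:22:d9:2d:c8:d4:8e:3b:3c:3b:0f:c3:60:a6" or
                pe.signatures[i].serial == "ea:72:02:22:d9:2d:c8:d4:8e:3b:3c:3b:0f:c3:60:a6"
            ) and
            // Certificate expiry must be on or after this Unix time (informative only, see file header).
            1608640280 <= pe.signatures[i].not_after
        )
}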
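// Blocklist entry: PE file carrying a signature whose subject contains
// "STROI RENOV SARL" and whose serial matches; metadata marks it as a malware-signing certificate.
// Only certificate fields are compared (no chain validation), so verify hits with a full signature check.
rule cert_blocklist_4743e140c05b33f0449023946bd05acb {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D read little-endian at offset 0 is the "MZ" magic.
        uint16(0) == 0x5A4D and
        // Ranges are inclusive, so the last valid signature index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            pe.signatures[i].subject contains "STROI RENOV SARL" and
            pe.signatures[i].serial == "47:43:e1:40:c0:5b:33:f0:44:90:23:94:6b:d0:5a:cb" and
            // Certificate expiry must be on or after this Unix time (informative only, see file header).
            1607644800 <= pe.signatures[i].not_after
        )
}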
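// Blocklist entry: PE file carrying a signature whose subject contains
// "ORGLE DVORSAK, d.o.o" and whose serial matches; metadata marks it as a malware-signing certificate.
// Only certificate fields are compared (no chain validation), so verify hits with a full signature check.
rule cert_blocklist_a496bc774575c31abec861b68c36dcb6 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D read little-endian at offset 0 is the "MZ" magic.
        uint16(0) == 0x5A4D and
        // Ranges are inclusive, so the last valid signature index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            pe.signatures[i].subject contains "ORGLE DVORSAK, d.o.o" and (
                // Same serial with and without the leading 00 byte (DER sign padding).
                pe.signatures[i].serial == "00:a4:96:bc:77:45:75:c3:1a:be:c8:61:b6:8c:36:dc:b6" or
                pe.signatures[i].serial == "a4:96:bc:77:45:75:c3:1a:be:c8:61:b6:8c:36:dc:b6"
            ) and
            // Certificate expiry must be on or after this Unix time (informative only, see file header).
            1606867200 <= pe.signatures[i].not_after
        )
}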
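// Blocklist entry: PE file carrying a signature whose subject contains
// "Osnova OOO" and whose serial matches; metadata marks it as a malware-signing certificate.
// Only certificate fields are compared (no chain validation), so verify hits with a full signature check.
rule cert_blocklist_0a55c15f733bf1633e9ffae8a6e3b37d {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D read little-endian at offset 0 is the "MZ" magic.
        uint16(0) == 0x5A4D and
        // Ranges are inclusive, so the last valid signature index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            pe.signatures[i].subject contains "Osnova OOO" and
            pe.signatures[i].serial == "0a:55:c1:5f:73:3b:f1:63:3e:9f:fa:e8:a6:e3:b3:7d" and
            // Certificate expiry must be on or after this Unix time (informative only, see file header).
            1604016000 <= pe.signatures[i].not_after
        )
}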
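// Blocklist entry: PE file carrying a signature whose subject contains
// "POKEROWA STRUNA SP Z O O" and whose serial matches; metadata marks it as a malware-signing certificate.
// Only certificate fields are compared (no chain validation), so verify hits with a full signature check.
rule cert_blocklist_c650ae531100a91389a7f030228b3095 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D read little-endian at offset 0 is the "MZ" magic.
        uint16(0) == 0x5A4D and
        // Ranges are inclusive, so the last valid signature index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            pe.signatures[i].subject contains "POKEROWA STRUNA SP Z O O" and (
                // Same serial with and without the leading 00 byte (DER sign padding).
                pe.signatures[i].serial == "00:c6:50:ae:53:11:00:a9:13:89:a7:f0:30:22:8b:30:95" or
                pe.signatures[i].serial == "c6:50:ae:53:11:00:a9:13:89:a7:f0:30:22:8b:30:95"
            ) and
            // Certificate expiry must be on or after this Unix time (informative only, see file header).
            1606089600 <= pe.signatures[i].not_after
        )
}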
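// Blocklist entry: PE file carrying a signature whose subject contains
// "RZOH ApS" and whose serial matches; metadata marks it as a malware-signing certificate.
// Only certificate fields are compared (no chain validation), so verify hits with a full signature check.
rule cert_blocklist_3990362c34015ce4c23ecc3377fd3c06 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D read little-endian at offset 0 is the "MZ" magic.
        uint16(0) == 0x5A4D and
        // Ranges are inclusive, so the last valid signature index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            pe.signatures[i].subject contains "RZOH ApS" and
            pe.signatures[i].serial == "39:90:36:2c:34:01:5c:e4:c2:3e:cc:33:77:fd:3c:06" and
            // Certificate expiry must be on or after this Unix time (informative only, see file header).
            1606780800 <= pe.signatures[i].not_after
        )
}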
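// Blocklist entry: PE file carrying a signature whose subject contains
// "Kymijoen Projektipalvelut Oy" and whose serial matches; metadata marks it as a malware-signing certificate.
// Only certificate fields are compared (no chain validation), so verify hits with a full signature check.
rule cert_blocklist_121fca3cfa4bd011669f5cc4e053aa3f {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D read little-endian at offset 0 is the "MZ" magic.
        uint16(0) == 0x5A4D and
        // Ranges are inclusive, so the last valid signature index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            pe.signatures[i].subject contains "Kymijoen Projektipalvelut Oy" and
            pe.signatures[i].serial == "12:1f:ca:3c:fa:4b:d0:11:66:9f:5c:c4:e0:53:aa:3f" and
            // Certificate expiry must be on or after this Unix time (informative only, see file header).
            1606953600 <= pe.signatures[i].not_after
        )
}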
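// Blocklist entry: PE file carrying a signature whose subject contains
// "SAGUARO ApS" and whose serial matches; metadata marks it as a malware-signing certificate.
// Only certificate fields are compared (no chain validation), so verify hits with a full signature check.
rule cert_blocklist_d338f8a490e37e6c2be80a0e349929fa {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D read little-endian at offset 0 is the "MZ" magic.
        uint16(0) == 0x5A4D and
        // Ranges are inclusive, so the last valid signature index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            pe.signatures[i].subject contains "SAGUARO ApS" and (
                // Same serial with and without the leading 00 byte (DER sign padding).
                pe.signatures[i].serial == "00:d3:38:f8:a4:90:e3:7e:6c:2b:e8:0a:0e:34:99:29:fa" or
                pe.signatures[i].serial == "d3:38:f8:a4:90:e3:7e:6c:2b:e8:0a:0e:34:99:29:fa"
            ) and
            // Certificate expiry must be on or after this Unix time (informative only, see file header).
            1607558400 <= pe.signatures[i].not_after
        )
}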
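// Blocklist entry: PE file carrying a signature whose subject contains
// "OOO Artmarket" and whose serial matches; metadata marks it as a malware-signing certificate.
// Only certificate fields are compared (no chain validation), so verify hits with a full signature check.
rule cert_blocklist_2c1ee9b583310b5e34a1ee6945a34b26 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D read little-endian at offset 0 is the "MZ" magic.
        uint16(0) == 0x5A4D and
        // Ranges are inclusive, so the last valid signature index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            pe.signatures[i].subject contains "OOO Artmarket" and
            pe.signatures[i].serial == "2c:1e:e9:b5:83:31:0b:5e:34:a1:ee:69:45:a3:4b:26" and
            // Certificate expiry must be on or after this Unix time (informative only, see file header).
            1607558400 <= pe.signatures[i].not_after
        )
}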
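// Blocklist entry: PE file carrying a signature whose subject contains
// "Kubit LLC" and whose serial matches; metadata marks it as a malware-signing certificate.
// Only certificate fields are compared (no chain validation), so verify hits with a full signature check.
rule cert_blocklist_d875b3e3f2db6c3eb426e24946066111 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D read little-endian at offset 0 is the "MZ" magic.
        uint16(0) == 0x5A4D and
        // Ranges are inclusive, so the last valid signature index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            pe.signatures[i].subject contains "Kubit LLC" and (
                // Same serial with and without the leading 00 byte (DER sign padding).
                pe.signatures[i].serial == "00:d8:75:b3:e3:f2:db:6c:3e:b4:26:e2:49:46:06:61:11" or
                pe.signatures[i].serial == "d8:75:b3:e3:f2:db:6c:3e:b4:26:e2:49:46:06:61:11"
            ) and
            // Certificate expiry must be on or after this Unix time (informative only, see file header).
            1606953600 <= pe.signatures[i].not_after
        )
}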
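// Blocklist entry: PE file carrying a signature whose subject contains
// "RHM Ltd" and whose serial matches; metadata marks it as a malware-signing certificate.
// Only certificate fields are compared (no chain validation), so verify hits with a full signature check.
rule cert_blocklist_ad0a958cdf188bed43154a54bf23afba {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D read little-endian at offset 0 is the "MZ" magic.
        uint16(0) == 0x5A4D and
        // Ranges are inclusive, so the last valid signature index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            pe.signatures[i].subject contains "RHM Ltd" and (
                // Same serial with and without the leading 00 byte (DER sign padding).
                pe.signatures[i].serial == "00:ad:0a:95:8c:df:18:8b:ed:43:15:4a:54:bf:23:af:ba" or
                pe.signatures[i].serial == "ad:0a:95:8c:df:18:8b:ed:43:15:4a:54:bf:23:af:ba"
            ) and
            // Certificate expiry must be on or after this Unix time (informative only, see file header).
            1612915200 <= pe.signatures[i].not_after
        )
}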
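// Blocklist entry: PE file carrying a signature whose subject contains
// "Bitubit LLC" and whose serial matches; metadata marks it as a malware-signing certificate.
// Only certificate fields are compared (no chain validation), so verify hits with a full signature check.
rule cert_blocklist_3cee26c125b8c188f316c3fa78d9c2f1 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D read little-endian at offset 0 is the "MZ" magic.
        uint16(0) == 0x5A4D and
        // Ranges are inclusive, so the last valid signature index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            pe.signatures[i].subject contains "Bitubit LLC" and
            pe.signatures[i].serial == "3c:ee:26:c1:25:b8:c1:88:f3:16:c3:fa:78:d9:c2:f1" and
            // Certificate expiry must be on or after this Unix time (informative only, see file header).
            1606435200 <= pe.signatures[i].not_after
        )
}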
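// Blocklist entry: PE file carrying a signature whose subject contains
// "HETCO ApS" and whose serial matches; metadata marks it as a malware-signing certificate.
// Only certificate fields are compared (no chain validation), so verify hits with a full signature check.
rule cert_blocklist_4c687a0022c36f89e253f91d1f6954e2 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D read little-endian at offset 0 is the "MZ" magic.
        uint16(0) == 0x5A4D and
        // Ranges are inclusive, so the last valid signature index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            pe.signatures[i].subject contains "HETCO ApS" and
            pe.signatures[i].serial == "4c:68:7a:00:22:c3:6f:89:e2:53:f9:1d:1f:69:54:e2" and
            // Certificate expiry must be on or after this Unix time (informative only, see file header).
            1606780800 <= pe.signatures[i].not_after
        )
}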
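// Blocklist entry: PE file carrying a signature whose subject contains
// "SHOECORP LIMITED" and whose serial matches; metadata marks it as a malware-signing certificate.
// Only certificate fields are compared (no chain validation), so verify hits with a full signature check.
rule cert_blocklist_ca646b4275406df639cf603756f63d77 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D read little-endian at offset 0 is the "MZ" magic.
        uint16(0) == 0x5A4D and
        // Ranges are inclusive, so the last valid signature index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            pe.signatures[i].subject contains "SHOECORP LIMITED" and (
                // Same serial with and without the leading 00 byte (DER sign padding).
                pe.signatures[i].serial == "00:ca:64:6b:42:75:40:6d:f6:39:cf:60:37:56:f6:3d:77" or
                pe.signatures[i].serial == "ca:64:6b:42:75:40:6d:f6:39:cf:60:37:56:f6:3d:77"
            ) and
            // Certificate expiry must be on or after this Unix time (informative only, see file header).
            1605830400 <= pe.signatures[i].not_after
        )
}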
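// Blocklist entry: PE file carrying a signature whose subject contains
// "SHAT LIMITED" and whose serial matches; metadata marks it as a malware-signing certificate.
// Only certificate fields are compared (no chain validation), so verify hits with a full signature check.
rule cert_blocklist_addbec454b5479cabd940a72df4500af {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D read little-endian at offset 0 is the "MZ" magic.
        uint16(0) == 0x5A4D and
        // Ranges are inclusive, so the last valid signature index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            pe.signatures[i].subject contains "SHAT LIMITED" and (
                // Same serial with and without the leading 00 byte (DER sign padding).
                pe.signatures[i].serial == "00:ad:db:ec:45:4b:54:79:ca:bd:94:0a:72:df:45:00:af" or
                pe.signatures[i].serial == "ad:db:ec:45:4b:54:79:ca:bd:94:0a:72:df:45:00:af"
            ) and
            // Certificate expiry must be on or after this Unix time (informative only, see file header).
            1612828800 <= pe.signatures[i].not_after
        )
}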
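// Blocklist entry: PE file carrying a signature whose subject contains
// "Aqua Direct s.r.o." and whose serial matches; metadata marks it as a malware-signing certificate.
// Only certificate fields are compared (no chain validation), so verify hits with a full signature check.
rule cert_blocklist_ac307e5257bb814b818d3633b630326f {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D read little-endian at offset 0 is the "MZ" magic.
        uint16(0) == 0x5A4D and
        // Ranges are inclusive, so the last valid signature index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            pe.signatures[i].subject contains "Aqua Direct s.r.o." and (
                // Same serial with and without the leading 00 byte (DER sign padding).
                pe.signatures[i].serial == "00:ac:30:7e:52:57:bb:81:4b:81:8d:36:33:b6:30:32:6f" or
                pe.signatures[i].serial == "ac:30:7e:52:57:bb:81:4b:81:8d:36:33:b6:30:32:6f"
            ) and
            // Certificate expiry must be on or after this Unix time (informative only, see file header).
            1606089600 <= pe.signatures[i].not_after
        )
}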
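// Blocklist entry: PE file carrying a signature whose subject contains
// "THE WIZARD GIFT CORPORATION" and whose serial matches; metadata marks it as a malware-signing certificate.
// Only certificate fields are compared (no chain validation), so verify hits with a full signature check.
rule cert_blocklist_0d83e7f47189cdbfc7fa3e5f58882329 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D read little-endian at offset 0 is the "MZ" magic.
        uint16(0) == 0x5A4D and
        // Ranges are inclusive, so the last valid signature index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            pe.signatures[i].subject contains "THE WIZARD GIFT CORPORATION" and
            pe.signatures[i].serial == "0d:83:e7:f4:71:89:cd:bf:c7:fa:3e:5f:58:88:23:29" and
            // Certificate expiry must be on or after this Unix time (informative only, see file header).
            1605830400 <= pe.signatures[i].not_after
        )
}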
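// Blocklist entry: PE file carrying a signature whose subject contains
// "Foreground" and whose serial matches; metadata marks it as a malware-signing certificate.
// Only certificate fields are compared (no chain validation), so verify hits with a full signature check.
rule cert_blocklist_58aa64564a50e8b2d6e31d5cd6250fde {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D read little-endian at offset 0 is the "MZ" magic.
        uint16(0) == 0x5A4D and
        // Ranges are inclusive, so the last valid signature index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            pe.signatures[i].subject contains "Foreground" and
            pe.signatures[i].serial == "58:aa:64:56:4a:50:e8:b2:d6:e3:1d:5c:d6:25:0f:de" and
            // Certificate expiry must be on or after this Unix time (informative only, see file header).
            1609002028 <= pe.signatures[i].not_after
        )
}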
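// Blocklist entry: PE file carrying a signature whose subject contains
// "PILOTE SPRL" and whose serial matches; metadata marks it as a malware-signing certificate.
// Only certificate fields are compared (no chain validation), so verify hits with a full signature check.
rule cert_blocklist_2aa0ae245b487c8926c88ee6d736d1ca {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D read little-endian at offset 0 is the "MZ" magic.
        uint16(0) == 0x5A4D and
        // Ranges are inclusive, so the last valid signature index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            pe.signatures[i].subject contains "PILOTE SPRL" and
            pe.signatures[i].serial == "2a:a0:ae:24:5b:48:7c:89:26:c8:8e:e6:d7:36:d1:ca" and
            // Certificate expiry must be on or after this Unix time (informative only, see file header).
            1612262280 <= pe.signatures[i].not_after
        )
}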
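// Blocklist entry: PE file carrying a signature whose subject contains
// "SILVER d.o.o." and whose serial matches; metadata marks it as a malware-signing certificate.
// Only certificate fields are compared (no chain validation), so verify hits with a full signature check.
rule cert_blocklist_1aec3d3f752a38617c1d7a677d0b5591 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D read little-endian at offset 0 is the "MZ" magic.
        uint16(0) == 0x5A4D and
        // Ranges are inclusive, so the last valid signature index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            pe.signatures[i].subject contains "SILVER d.o.o." and
            pe.signatures[i].serial == "1a:ec:3d:3f:75:2a:38:61:7c:1d:7a:67:7d:0b:55:91" and
            // Certificate expiry must be on or after this Unix time (informative only, see file header).
            1611705600 <= pe.signatures[i].not_after
        )
}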
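// Blocklist entry: PE file carrying a signature whose subject contains
// "Pushka LLC" and whose serial matches; metadata marks it as a malware-signing certificate.
// Only certificate fields are compared (no chain validation), so verify hits with a full signature check.
rule cert_blocklist_a7e1dc5352c3852c5523030f57f2425c {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D read little-endian at offset 0 is the "MZ" magic.
        uint16(0) == 0x5A4D and
        // Ranges are inclusive, so the last valid signature index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            pe.signatures[i].subject contains "Pushka LLC" and (
                // Same serial with and without the leading 00 byte (DER sign padding).
                pe.signatures[i].serial == "00:a7:e1:dc:53:52:c3:85:2c:55:23:03:0f:57:f2:42:5c" or
                pe.signatures[i].serial == "a7:e1:dc:53:52:c3:85:2c:55:23:03:0f:57:f2:42:5c"
            ) and
            // Certificate expiry must be on or after this Unix time (informative only, see file header).
            1611792000 <= pe.signatures[i].not_after
        )
}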
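// Blocklist entry: PE file carrying a signature whose subject contains
// "JJ ELECTRICAL SERVICES LIMITED" and whose serial matches; metadata marks it as a malware-signing certificate.
// Only certificate fields are compared (no chain validation), so verify hits with a full signature check.
rule cert_blocklist_bbd4dc3768a51aa2b3059c1bad569276 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D read little-endian at offset 0 is the "MZ" magic.
        uint16(0) == 0x5A4D and
        // Ranges are inclusive, so the last valid signature index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            pe.signatures[i].subject contains "JJ ELECTRICAL SERVICES LIMITED" and (
                // Same serial with and without the leading 00 byte (DER sign padding).
                pe.signatures[i].serial == "00:bb:d4:dc:37:68:a5:1a:a2:b3:05:9c:1b:ad:56:92:76" or
                pe.signatures[i].serial == "bb:d4:dc:37:68:a5:1a:a2:b3:05:9c:1b:ad:56:92:76"
            ) and
            // Certificate expiry must be on or after this Unix time (informative only, see file header).
            1607472000 <= pe.signatures[i].not_after
        )
}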
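// Blocklist entry: PE file carrying a signature whose subject contains
// "Kayak Republic af 2015 APS" and whose serial matches; metadata marks it as a malware-signing certificate.
// Only certificate fields are compared (no chain validation), so verify hits with a full signature check.
rule cert_blocklist_08622b9dd9d78e67678ecc21e026522e {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D read little-endian at offset 0 is the "MZ" magic.
        uint16(0) == 0x5A4D and
        // Ranges are inclusive, so the last valid signature index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            pe.signatures[i].subject contains "Kayak Republic af 2015 APS" and
            pe.signatures[i].serial == "08:62:2b:9d:d9:d7:8e:67:67:8e:cc:21:e0:26:52:2e" and
            // Certificate expiry must be on or after this Unix time (informative only, see file header).
            1611619200 <= pe.signatures[i].not_after
        )
}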
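// Blocklist entry: PE file carrying a signature whose subject contains
// "OOO Semantic" and whose serial matches; metadata marks it as a malware-signing certificate.
// Only certificate fields are compared (no chain validation), so verify hits with a full signature check.
rule cert_blocklist_e69a6de0074ece38c2f30f0d4a808456 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D read little-endian at offset 0 is the "MZ" magic.
        uint16(0) == 0x5A4D and
        // Ranges are inclusive, so the last valid signature index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            pe.signatures[i].subject contains "OOO Semantic" and (
                // Same serial with and without the leading 00 byte (DER sign padding).
                pe.signatures[i].serial == "00:e6:9a:6d:e0:07:4e:ce:38:c2:f3:0f:0d:4a:80:84:56" or
                pe.signatures[i].serial == "e6:9a:6d:e0:07:4e:ce:38:c2:f3:0f:0d:4a:80:84:56"
            ) and
            // Certificate expiry must be on or after this Unix time (informative only, see file header).
            1611532800 <= pe.signatures[i].not_after
        )
}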
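// Blocklist entry: PE file carrying a signature whose subject contains
// "CAUSE FOR CHANGE LTD" and whose serial matches; metadata marks it as a malware-signing certificate.
// Only certificate fields are compared (no chain validation), so verify hits with a full signature check.
rule cert_blocklist_8385684419ab26a3f2640b1496e1fe94 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D read little-endian at offset 0 is the "MZ" magic.
        uint16(0) == 0x5A4D and
        // Ranges are inclusive, so the last valid signature index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            pe.signatures[i].subject contains "CAUSE FOR CHANGE LTD" and (
                // Same serial with and without the leading 00 byte (DER sign padding).
                pe.signatures[i].serial == "00:83:85:68:44:19:ab:26:a3:f2:64:0b:14:96:e1:fe:94" or
                pe.signatures[i].serial == "83:85:68:44:19:ab:26:a3:f2:64:0b:14:96:e1:fe:94"
            ) and
            // Certificate expiry must be on or after this Unix time (informative only, see file header).
            1612137600 <= pe.signatures[i].not_after
        )
}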
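// Blocklist entry: PE file carrying a signature whose subject contains
// "Network Design International Holdings Limited" and whose serial matches; metadata marks it as a malware-signing certificate.
// Only certificate fields are compared (no chain validation), so verify hits with a full signature check.
rule cert_blocklist_21e3cae5b77c41528658ada08509c392 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D read little-endian at offset 0 is the "MZ" magic.
        uint16(0) == 0x5A4D and
        // Ranges are inclusive, so the last valid signature index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            pe.signatures[i].subject contains "Network Design International Holdings Limited" and
            pe.signatures[i].serial == "21:e3:ca:e5:b7:7c:41:52:86:58:ad:a0:85:09:c3:92" and
            // Certificate expiry must be on or after this Unix time (informative only, see file header).
            1609233559 <= pe.signatures[i].not_after
        )
}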
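// Blocklist entry: PE file carrying a signature whose subject contains
// "BE SOL d.o.o." and whose serial matches; metadata marks it as a malware-signing certificate.
// Only certificate fields are compared (no chain validation), so verify hits with a full signature check.
rule cert_blocklist_2abd2eef14d480dfea9ca9fdd823cf03 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D read little-endian at offset 0 is the "MZ" magic.
        uint16(0) == 0x5A4D and
        // Ranges are inclusive, so the last valid signature index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            pe.signatures[i].subject contains "BE SOL d.o.o." and
            pe.signatures[i].serial == "2a:bd:2e:ef:14:d4:80:df:ea:9c:a9:fd:d8:23:cf:03" and
            // Certificate expiry must be on or after this Unix time (informative only, see file header).
            1611100800 <= pe.signatures[i].not_after
        )
}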
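// Blocklist entry: PE file carrying a signature whose subject contains
// "Dantherm Intelligent Monitoring A/S" and whose serial matches; metadata marks it as a malware-signing certificate.
// Only certificate fields are compared (no chain validation), so verify hits with a full signature check.
rule cert_blocklist_86909b91f07f9316984d888d1e28ab76 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D read little-endian at offset 0 is the "MZ" magic.
        uint16(0) == 0x5A4D and
        // Ranges are inclusive, so the last valid signature index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            pe.signatures[i].subject contains "Dantherm Intelligent Monitoring A/S" and (
                // Same serial with and without the leading 00 byte (DER sign padding).
                pe.signatures[i].serial == "00:86:90:9b:91:f0:7f:93:16:98:4d:88:8d:1e:28:ab:76" or
                pe.signatures[i].serial == "86:90:9b:91:f0:7f:93:16:98:4d:88:8d:1e:28:ab:76"
            ) and
            // Certificate expiry must be on or after this Unix time (informative only, see file header).
            1611273600 <= pe.signatures[i].not_after
        )
}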
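// Blocklist entry: PE file carrying a signature whose subject contains the
// escaped form of "Seinäjoen Squash ja Bowling Oy" and whose serial matches;
// metadata marks it as a malware-signing certificate.
// Only certificate fields are compared (no chain validation), so verify hits with a full signature check.
rule cert_blocklist_d1b8f1fe56381befdb2e73ffef2a4b28 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D read little-endian at offset 0 is the "MZ" magic.
        uint16(0) == 0x5A4D and
        // Ranges are inclusive, so the last valid signature index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            // "\\x" is a literal backslash, so this matches the text \xC3\xA4 (UTF-8 bytes of "ä");
            // presumably that is how the pe module renders non-ASCII subject bytes - verify on your YARA build.
            pe.signatures[i].subject contains "Sein\\xC3\\xA4joen Squash ja Bowling Oy" and (
                // Same serial with and without the leading 00 byte (DER sign padding).
                pe.signatures[i].serial == "00:d1:b8:f1:fe:56:38:1b:ef:db:2e:73:ff:ef:2a:4b:28" or
                pe.signatures[i].serial == "d1:b8:f1:fe:56:38:1b:ef:db:2e:73:ff:ef:2a:4b:28"
            ) and
            // Certificate expiry must be on or after this Unix time (informative only, see file header).
            1617667200 <= pe.signatures[i].not_after
        )
}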
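// Blocklist entry: PE file carrying a signature whose subject contains
// "REIGN BROS ApS" and whose serial matches; metadata marks it as a malware-signing certificate.
// Only certificate fields are compared (no chain validation), so verify hits with a full signature check.
rule cert_blocklist_d4ef1ab6ab5d3cb35e4efb7984def7a2 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D read little-endian at offset 0 is the "MZ" magic.
        uint16(0) == 0x5A4D and
        // Ranges are inclusive, so the last valid signature index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            pe.signatures[i].subject contains "REIGN BROS ApS" and (
                // Same serial with and without the leading 00 byte (DER sign padding).
                pe.signatures[i].serial == "00:d4:ef:1a:b6:ab:5d:3c:b3:5e:4e:fb:79:84:de:f7:a2" or
                pe.signatures[i].serial == "d4:ef:1a:b6:ab:5d:3c:b3:5e:4e:fb:79:84:de:f7:a2"
            ) and
            // Certificate expiry must be on or after this Unix time (informative only, see file header).
            1611187200 <= pe.signatures[i].not_after
        )
}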
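// Blocklist entry: PE file carrying a signature whose subject contains
// "IQ Trade ApS" and whose serial matches; metadata marks it as a malware-signing certificate.
// Only certificate fields are compared (no chain validation), so verify hits with a full signature check.
rule cert_blocklist_066276af2f2c7e246d3b1cab1b4aa42e {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D read little-endian at offset 0 is the "MZ" magic.
        uint16(0) == 0x5A4D and
        // Ranges are inclusive, so the last valid signature index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            pe.signatures[i].subject contains "IQ Trade ApS" and
            pe.signatures[i].serial == "06:62:76:af:2f:2c:7e:24:6d:3b:1c:ab:1b:4a:a4:2e" and
            // Certificate expiry must be on or after this Unix time (informative only, see file header).
            1616630400 <= pe.signatures[i].not_after
        )
}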
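// Blocklist entry: PE file carrying a signature whose subject contains
// "OOO Giperion" and whose serial matches; metadata marks it as a malware-signing certificate.
// Only certificate fields are compared (no chain validation), so verify hits with a full signature check.
rule cert_blocklist_65cd323c2483668b90a44a711d2a6b98 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D read little-endian at offset 0 is the "MZ" magic.
        uint16(0) == 0x5A4D and
        // Ranges are inclusive, so the last valid signature index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            pe.signatures[i].subject contains "OOO Giperion" and
            pe.signatures[i].serial == "65:cd:32:3c:24:83:66:8b:90:a4:4a:71:1d:2a:6b:98" and
            // Certificate expiry must be on or after this Unix time (informative only, see file header).
            1602547200 <= pe.signatures[i].not_after
        )
}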
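// Blocklist entry: PE file carrying a signature whose subject contains
// "ACTA FIS d.o.o." and whose serial matches; metadata marks it as a malware-signing certificate.
// Only certificate fields are compared (no chain validation), so verify hits with a full signature check.
rule cert_blocklist_5a17d5de74fd8f09df596df3123139bb {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D read little-endian at offset 0 is the "MZ" magic.
        uint16(0) == 0x5A4D and
        // Ranges are inclusive, so the last valid signature index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            pe.signatures[i].subject contains "ACTA FIS d.o.o." and
            pe.signatures[i].serial == "5a:17:d5:de:74:fd:8f:09:df:59:6d:f3:12:31:39:bb" and
            // Certificate expiry must be on or after this Unix time (informative only, see file header).
            1611273600 <= pe.signatures[i].not_after
        )
}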
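// Blocklist entry: PE file carrying a signature whose subject contains
// "JAY DANCE STUDIO d.o.o." and whose serial matches; metadata marks it as a malware-signing certificate.
// Only certificate fields are compared (no chain validation), so verify hits with a full signature check.
rule cert_blocklist_15da61d7e1a631803431561674fb9b90 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D read little-endian at offset 0 is the "MZ" magic.
        uint16(0) == 0x5A4D and
        // Ranges are inclusive, so the last valid signature index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            pe.signatures[i].subject contains "JAY DANCE STUDIO d.o.o." and
            pe.signatures[i].serial == "15:da:61:d7:e1:a6:31:80:34:31:56:16:74:fb:9b:90" and
            // Certificate expiry must be on or after this Unix time (informative only, see file header).
            1610668800 <= pe.signatures[i].not_after
        )
}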
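// Blocklist entry: PE file carrying a signature whose subject contains
// "ABC BIOS d.o.o." and whose serial matches; metadata marks it as a malware-signing certificate.
// Only certificate fields are compared (no chain validation), so verify hits with a full signature check.
rule cert_blocklist_7ab21306b11ff280a93fc445876988ab {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D read little-endian at offset 0 is the "MZ" magic.
        uint16(0) == 0x5A4D and
        // Ranges are inclusive, so the last valid signature index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            pe.signatures[i].subject contains "ABC BIOS d.o.o." and
            pe.signatures[i].serial == "7a:b2:13:06:b1:1f:f2:80:a9:3f:c4:45:87:69:88:ab" and
            // Certificate expiry must be on or after this Unix time (informative only, see file header).
            1611014400 <= pe.signatures[i].not_after
        )
}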
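// Blocklist entry: PE file carrying a signature whose subject contains
// "AUTO RESPONSE LTD CYF" and whose serial matches; metadata marks it as a malware-signing certificate.
// Only certificate fields are compared (no chain validation), so verify hits with a full signature check.
rule cert_blocklist_634e16e38f12e9a71aca08e4c6b2dbb9 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D read little-endian at offset 0 is the "MZ" magic.
        uint16(0) == 0x5A4D and
        // Ranges are inclusive, so the last valid signature index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            pe.signatures[i].subject contains "AUTO RESPONSE LTD CYF" and
            pe.signatures[i].serial == "63:4e:16:e3:8f:12:e9:a7:1a:ca:08:e4:c6:b2:db:b9" and
            // Certificate expiry must be on or after this Unix time (informative only, see file header).
            1616112000 <= pe.signatures[i].not_after
        )
}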
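// Blocklist entry: PE file carrying a signature whose subject contains
// "HALL HAULAGE LTD LTD" and whose serial matches; metadata marks it as a malware-signing certificate.
// Only certificate fields are compared (no chain validation), so verify hits with a full signature check.
rule cert_blocklist_289051a83f350a2c600187c99b6c0a73 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D read little-endian at offset 0 is the "MZ" magic.
        uint16(0) == 0x5A4D and
        // Ranges are inclusive, so the last valid signature index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            pe.signatures[i].subject contains "HALL HAULAGE LTD LTD" and
            pe.signatures[i].serial == "28:90:51:a8:3f:35:0a:2c:60:01:87:c9:9b:6c:0a:73" and
            // Certificate expiry must be on or after this Unix time (informative only, see file header).
            1616716800 <= pe.signatures[i].not_after
        )
}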
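// Blocklist entry: PE file carrying a signature whose subject contains
// "2 TOY GUYS LLC" and whose serial matches; metadata marks it as a malware-signing certificate.
// Only certificate fields are compared (no chain validation), so verify hits with a full signature check.
rule cert_blocklist_818631110b5d14331dac7e6ad998b902 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D read little-endian at offset 0 is the "MZ" magic.
        uint16(0) == 0x5A4D and
        // Ranges are inclusive, so the last valid signature index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            pe.signatures[i].subject contains "2 TOY GUYS LLC" and (
                // Same serial with and without the leading 00 byte (DER sign padding).
                pe.signatures[i].serial == "00:81:86:31:11:0b:5d:14:33:1d:ac:7e:6a:d9:98:b9:02" or
                pe.signatures[i].serial == "81:86:31:11:0b:5d:14:33:1d:ac:7e:6a:d9:98:b9:02"
            ) and
            // Certificate expiry must be on or after this Unix time (informative only, see file header).
            1571616000 <= pe.signatures[i].not_after
        )
}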
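// Blocklist entry: PE file carrying a signature whose subject contains
// "THE SIGN COMPANY LIMITED" and whose serial matches; metadata marks it as a malware-signing certificate.
// Only certificate fields are compared (no chain validation), so verify hits with a full signature check.
rule cert_blocklist_277cd16de5d61b9398b645afe41c09c7 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D read little-endian at offset 0 is the "MZ" magic.
        uint16(0) == 0x5A4D and
        // Ranges are inclusive, so the last valid signature index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            pe.signatures[i].subject contains "THE SIGN COMPANY LIMITED" and
            pe.signatures[i].serial == "27:7c:d1:6d:e5:d6:1b:93:98:b6:45:af:e4:1c:09:c7" and
            // Certificate expiry must be on or after this Unix time (informative only, see file header).
            1619049600 <= pe.signatures[i].not_after
        )
}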
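// Blocklist entry: PE file carrying a signature whose subject contains
// "LAEN ApS" and whose serial matches; metadata marks it as a malware-signing certificate.
// Only certificate fields are compared (no chain validation), so verify hits with a full signature check.
rule cert_blocklist_d0eda76c13d30c97015708790bb94214 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D read little-endian at offset 0 is the "MZ" magic.
        uint16(0) == 0x5A4D and
        // Ranges are inclusive, so the last valid signature index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            pe.signatures[i].subject contains "LAEN ApS" and (
                // Same serial with and without the leading 00 byte (DER sign padding).
                pe.signatures[i].serial == "00:d0:ed:a7:6c:13:d3:0c:97:01:57:08:79:0b:b9:42:14" or
                pe.signatures[i].serial == "d0:ed:a7:6c:13:d3:0c:97:01:57:08:79:0b:b9:42:14"
            ) and
            // Certificate expiry must be on or after this Unix time (informative only, see file header).
            1619136000 <= pe.signatures[i].not_after
        )
}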
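// Blocklist entry: PE file carrying a signature whose subject contains
// "RHM LIMITED" and whose serial matches; metadata marks it as a malware-signing certificate.
// Only certificate fields are compared (no chain validation), so verify hits with a full signature check.
rule cert_blocklist_6333ed618f88a05b4d82ad7bf66cb0fa {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D read little-endian at offset 0 is the "MZ" magic.
        uint16(0) == 0x5A4D and
        // Ranges are inclusive, so the last valid signature index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            pe.signatures[i].subject contains "RHM LIMITED" and
            pe.signatures[i].serial == "63:33:ed:61:8f:88:a0:5b:4d:82:ad:7b:f6:6c:b0:fa" and
            // Certificate expiry must be on or after this Unix time (informative only, see file header).
            1616457600 <= pe.signatures[i].not_after
        )
}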
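// Blocklist entry: PE file carrying a signature whose subject contains
// "STAND ALONE MUSIC LTD" and whose serial matches; metadata marks it as a malware-signing certificate.
// Only certificate fields are compared (no chain validation), so verify hits with a full signature check.
rule cert_blocklist_3b777165b125bccc181d0bac3f5b55b3 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D read little-endian at offset 0 is the "MZ" magic.
        uint16(0) == 0x5A4D and
        // Ranges are inclusive, so the last valid signature index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            pe.signatures[i].subject contains "STAND ALONE MUSIC LTD" and
            pe.signatures[i].serial == "3b:77:71:65:b1:25:bc:cc:18:1d:0b:ac:3f:5b:55:b3" and
            // Certificate expiry must be on or after this Unix time (informative only, see file header).
            1607299200 <= pe.signatures[i].not_after
        )
}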
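// Blocklist entry: PE file carrying a signature whose subject contains
// "ART BOOK PHOTO s.r.o." and whose serial matches; metadata marks it as a malware-signing certificate.
// Only certificate fields are compared (no chain validation), so verify hits with a full signature check.
rule cert_blocklist_5b37ac3479283b6f9d75ddf0f8742d06 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D read little-endian at offset 0 is the "MZ" magic.
        uint16(0) == 0x5A4D and
        // Ranges are inclusive, so the last valid signature index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            pe.signatures[i].subject contains "ART BOOK PHOTO s.r.o." and
            pe.signatures[i].serial == "5b:37:ac:34:79:28:3b:6f:9d:75:dd:f0:f8:74:2d:06" and
            // Certificate expiry must be on or after this Unix time (informative only, see file header).
            1619740800 <= pe.signatures[i].not_after
        )
}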
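// Blocklist entry: PE file carrying a signature whose subject contains
// "KREATURHANDLER BJARNE ANDERSEN ApS" and whose serial matches; metadata marks it as a malware-signing certificate.
// Only certificate fields are compared (no chain validation), so verify hits with a full signature check.
rule cert_blocklist_3112c69d460c781fd649c71e61bfec82 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D read little-endian at offset 0 is the "MZ" magic.
        uint16(0) == 0x5A4D and
        // Ranges are inclusive, so the last valid signature index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            pe.signatures[i].subject contains "KREATURHANDLER BJARNE ANDERSEN ApS" and
            pe.signatures[i].serial == "31:12:c6:9d:46:0c:78:1f:d6:49:c7:1e:61:bf:ec:82" and
            // Certificate expiry must be on or after this Unix time (informative only, see file header).
            1614902400 <= pe.signatures[i].not_after
        )
}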
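// Blocklist entry: PE file carrying a signature whose subject contains
// "Farad LLC" and whose serial matches; metadata marks it as a malware-signing certificate.
// Only certificate fields are compared (no chain validation), so verify hits with a full signature check.
rule cert_blocklist_0a5b4f67ad8b22afc2debe6ce5f8f679 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D read little-endian at offset 0 is the "MZ" magic.
        uint16(0) == 0x5A4D and
        // Ranges are inclusive, so the last valid signature index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            pe.signatures[i].subject contains "Farad LLC" and
            pe.signatures[i].serial == "0a:5b:4f:67:ad:8b:22:af:c2:de:be:6c:e5:f8:f6:79" and
            // Certificate expiry must be on or after this Unix time (informative only, see file header).
            1607472000 <= pe.signatures[i].not_after
        )
}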
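// Blocklist entry: PE file carrying a signature whose subject contains
// "MPO STORITVE d.o.o." and whose serial matches; metadata marks it as a malware-signing certificate.
// Only certificate fields are compared (no chain validation), so verify hits with a full signature check.
rule cert_blocklist_df45b36c9d0bd248c3f9494e7ca822 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D read little-endian at offset 0 is the "MZ" magic.
        uint16(0) == 0x5A4D and
        // Ranges are inclusive, so the last valid signature index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            pe.signatures[i].subject contains "MPO STORITVE d.o.o." and (
                // Same serial with and without the leading 00 byte (DER sign padding).
                pe.signatures[i].serial == "00:df:45:b3:6c:9d:0b:d2:48:c3:f9:49:4e:7c:a8:22" or
                pe.signatures[i].serial == "df:45:b3:6c:9d:0b:d2:48:c3:f9:49:4e:7c:a8:22"
            ) and
            // Certificate expiry must be on or after this Unix time (informative only, see file header).
            1619740800 <= pe.signatures[i].not_after
        )
}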
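// Blocklist entry: PE file carrying a signature whose subject contains
// "PARTYNET LIMITED" and whose serial matches; metadata marks it as a malware-signing certificate.
// Only certificate fields are compared (no chain validation), so verify hits with a full signature check.
rule cert_blocklist_1ae3c4eccecda2127d43be390a850dda {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D read little-endian at offset 0 is the "MZ" magic.
        uint16(0) == 0x5A4D and
        // Ranges are inclusive, so the last valid signature index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            pe.signatures[i].subject contains "PARTYNET LIMITED" and
            pe.signatures[i].serial == "1a:e3:c4:ec:ce:cd:a2:12:7d:43:be:39:0a:85:0d:da" and
            // Certificate expiry must be on or after this Unix time (informative only, see file header).
            1614902400 <= pe.signatures[i].not_after
        )
}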
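// Blocklist entry: PE file carrying a signature whose subject contains
// "Ts Trade ApS" and whose serial matches; metadata marks it as a malware-signing certificate.
// Only certificate fields are compared (no chain validation), so verify hits with a full signature check.
rule cert_blocklist_2e36360538624c9b1afd78a2fb756028 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D read little-endian at offset 0 is the "MZ" magic.
        uint16(0) == 0x5A4D and
        // Ranges are inclusive, so the last valid signature index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            pe.signatures[i].subject contains "Ts Trade ApS" and
            pe.signatures[i].serial == "2e:36:36:05:38:62:4c:9b:1a:fd:78:a2:fb:75:60:28" and
            // Certificate expiry must be on or after this Unix time (informative only, see file header).
            1615766400 <= pe.signatures[i].not_after
        )
}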
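// Blocklist entry: PE file carrying a signature whose subject contains
// "U.K. STEEL EXPORTS LIMITED" and whose serial matches; metadata marks it as a malware-signing certificate.
// Only certificate fields are compared (no chain validation), so verify hits with a full signature check.
rule cert_blocklist_addb899f8229fd53e6435e08bbd3a733 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D read little-endian at offset 0 is the "MZ" magic.
        uint16(0) == 0x5A4D and
        // Ranges are inclusive, so the last valid signature index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            pe.signatures[i].subject contains "U.K. STEEL EXPORTS LIMITED" and (
                // Same serial with and without the leading 00 byte (DER sign padding).
                pe.signatures[i].serial == "00:ad:db:89:9f:82:29:fd:53:e6:43:5e:08:bb:d3:a7:33" or
                pe.signatures[i].serial == "ad:db:89:9f:82:29:fd:53:e6:43:5e:08:bb:d3:a7:33"
            ) and
            // Certificate expiry must be on or after this Unix time (informative only, see file header).
            1616630400 <= pe.signatures[i].not_after
        )
}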
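// Blocklist entry: PE file carrying a signature whose subject contains
// "Software Two Pty Ltd" and whose serial matches; metadata marks it as a malware-signing certificate.
// Only certificate fields are compared (no chain validation), so verify hits with a full signature check.
rule cert_blocklist_c1a1db95d7bf80290aa6e82d8f8f996a {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D read little-endian at offset 0 is the "MZ" magic.
        uint16(0) == 0x5A4D and
        // Ranges are inclusive, so the last valid signature index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            pe.signatures[i].subject contains "Software Two Pty Ltd" and (
                // Same serial with and without the leading 00 byte (DER sign padding).
                pe.signatures[i].serial == "00:c1:a1:db:95:d7:bf:80:29:0a:a6:e8:2d:8f:8f:99:6a" or
                pe.signatures[i].serial == "c1:a1:db:95:d7:bf:80:29:0a:a6:e8:2d:8f:8f:99:6a"
            ) and
            // Certificate expiry must be on or after this Unix time (informative only, see file header).
            1615334400 <= pe.signatures[i].not_after
        )
}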
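// Blocklist entry: PE file carrying a signature whose subject contains
// "NAILS UNLIMITED LIMITED" and whose serial matches; metadata marks it as a malware-signing certificate.
// Only certificate fields are compared (no chain validation), so verify hits with a full signature check.
rule cert_blocklist_c667ffe3a5b0a5ae7cf3a9e41682e91b {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D read little-endian at offset 0 is the "MZ" magic.
        uint16(0) == 0x5A4D and
        // Ranges are inclusive, so the last valid signature index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            pe.signatures[i].subject contains "NAILS UNLIMITED LIMITED" and (
                // Same serial with and without the leading 00 byte (DER sign padding).
                pe.signatures[i].serial == "00:c6:67:ff:e3:a5:b0:a5:ae:7c:f3:a9:e4:16:82:e9:1b" or
                pe.signatures[i].serial == "c6:67:ff:e3:a5:b0:a5:ae:7c:f3:a9:e4:16:82:e9:1b"
            ) and
            // Certificate expiry must be on or after this Unix time (informative only, see file header).
            1616976000 <= pe.signatures[i].not_after
        )
}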
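// Blocklist entry: PE file carrying a signature whose subject contains
// "PIK MOTEL S.R.L." and whose serial matches; metadata marks it as a malware-signing certificate.
// Only certificate fields are compared (no chain validation), so verify hits with a full signature check.
rule cert_blocklist_e0a83917660d05cf476374659d3c7b85 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D read little-endian at offset 0 is the "MZ" magic.
        uint16(0) == 0x5A4D and
        // Ranges are inclusive, so the last valid signature index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            pe.signatures[i].subject contains "PIK MOTEL S.R.L." and (
                // Same serial with and without the leading 00 byte (DER sign padding).
                pe.signatures[i].serial == "00:e0:a8:39:17:66:0d:05:cf:47:63:74:65:9d:3c:7b:85" or
                pe.signatures[i].serial == "e0:a8:39:17:66:0d:05:cf:47:63:74:65:9d:3c:7b:85"
            ) and
            // Certificate expiry must be on or after this Unix time (informative only, see file header).
            1621468800 <= pe.signatures[i].not_after
        )
}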
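// Blocklist entry: PE file carrying a signature whose subject contains
// "YAN CHING LIMITED" and whose serial matches; metadata marks it as a malware-signing certificate.
// Only certificate fields are compared (no chain validation), so verify hits with a full signature check.
rule cert_blocklist_afc5522898143aafaab7fd52304cf00c {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D read little-endian at offset 0 is the "MZ" magic.
        uint16(0) == 0x5A4D and
        // Ranges are inclusive, so the last valid signature index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            pe.signatures[i].subject contains "YAN CHING LIMITED" and (
                // Same serial with and without the leading 00 byte (DER sign padding).
                pe.signatures[i].serial == "00:af:c5:52:28:98:14:3a:af:aa:b7:fd:52:30:4c:f0:0c" or
                pe.signatures[i].serial == "af:c5:52:28:98:14:3a:af:aa:b7:fd:52:30:4c:f0:0c"
            ) and
            // Certificate expiry must be on or after this Unix time (informative only, see file header).
            1622419200 <= pe.signatures[i].not_after
        )
}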
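// Blocklist entry: PE file carrying a signature whose subject contains the
// escaped form of "BOOK CAFÉ, s.r.o." and whose serial matches;
// metadata marks it as a malware-signing certificate.
// Only certificate fields are compared (no chain validation), so verify hits with a full signature check.
rule cert_blocklist_8b3333d32b2c2a1d33b41ba5db9d4d2d {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D read little-endian at offset 0 is the "MZ" magic.
        uint16(0) == 0x5A4D and
        // Ranges are inclusive, so the last valid signature index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            // "\\x" is a literal backslash, so this matches the text \xC3\x89 (UTF-8 bytes of "É");
            // presumably that is how the pe module renders non-ASCII subject bytes - verify on your YARA build.
            pe.signatures[i].subject contains "BOOK CAF\\xC3\\x89, s.r.o." and (
                // Same serial with and without the leading 00 byte (DER sign padding).
                pe.signatures[i].serial == "00:8b:33:33:d3:2b:2c:2a:1d:33:b4:1b:a5:db:9d:4d:2d" or
                pe.signatures[i].serial == "8b:33:33:d3:2b:2c:2a:1d:33:b4:1b:a5:db:9d:4d:2d"
            ) and
            // Certificate expiry must be on or after this Unix time (informative only, see file header).
            1620000000 <= pe.signatures[i].not_after
        )
}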
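// Blocklist entry: PE file carrying a signature whose subject contains
// "Trade Hunters, s. r. o." and whose serial matches; metadata marks it as a malware-signing certificate.
// Only certificate fields are compared (no chain validation), so verify hits with a full signature check.
rule cert_blocklist_fbb1198bd8bddb0d693eb72a8613fe3f {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D read little-endian at offset 0 is the "MZ" magic.
        uint16(0) == 0x5A4D and
        // Ranges are inclusive, so the last valid signature index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            pe.signatures[i].subject contains "Trade Hunters, s. r. o." and (
                // Same serial with and without the leading 00 byte (DER sign padding).
                pe.signatures[i].serial == "00:fb:b1:19:8b:d8:bd:db:0d:69:3e:b7:2a:86:13:fe:3f" or
                pe.signatures[i].serial == "fb:b1:19:8b:d8:bd:db:0d:69:3e:b7:2a:86:13:fe:3f"
            ) and
            // Certificate expiry must be on or after this Unix time (informative only, see file header).
            1620000000 <= pe.signatures[i].not_after
        )
}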
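// Blocklist entry: PE file carrying a signature whose subject contains
// "IPM Skupina d.o.o." and whose serial matches; metadata marks it as a malware-signing certificate.
// Only certificate fields are compared (no chain validation), so verify hits with a full signature check.
rule cert_blocklist_846f77d9919fc4405aefe1701309bd67 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D read little-endian at offset 0 is the "MZ" magic.
        uint16(0) == 0x5A4D and
        // Ranges are inclusive, so the last valid signature index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            pe.signatures[i].subject contains "IPM Skupina d.o.o." and (
                // Same serial with and without the leading 00 byte (DER sign padding).
                pe.signatures[i].serial == "00:84:6f:77:d9:91:9f:c4:40:5a:ef:e1:70:13:09:bd:67" or
                pe.signatures[i].serial == "84:6f:77:d9:91:9f:c4:40:5a:ef:e1:70:13:09:bd:67"
            ) and
            // Certificate expiry must be on or after this Unix time (informative only, see file header).
            1621382400 <= pe.signatures[i].not_after
        )
}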
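// Blocklist entry: PE file carrying a signature whose subject contains
// "Activ Expeditions ApS" and whose serial matches; metadata marks it as a malware-signing certificate.
// Only certificate fields are compared (no chain validation), so verify hits with a full signature check.
rule cert_blocklist_0939c2bad859c0432e8e98a6c0162c02 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // 0x5A4D read little-endian at offset 0 is the "MZ" magic.
        uint16(0) == 0x5A4D and
        // Ranges are inclusive, so the last valid signature index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            pe.signatures[i].subject contains "Activ Expeditions ApS" and
            pe.signatures[i].serial == "09:39:c2:ba:d8:59:c0:43:2e:8e:98:a6:c0:16:2c:02" and
            // Certificate expiry must be on or after this Unix time (informative only, see file header).
            1615939200 <= pe.signatures[i].not_after
        )
}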
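// Blocklist entry for one code-signing certificate: matches PE files that
// carry a signature whose subject contains "OOO Diamartis" and whose serial
// equals the value below. YARA does not validate the certificate chain or
// file integrity (see the file header), so verify a hit before acting on it.
rule cert_blocklist_7fba0e19919ac50d700ba60250d02c8b {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // "MZ" magic at offset 0.
        uint16(0) == 0x5A4D and
        // signatures[] is zero-based: the last valid index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            pe.signatures[i].subject contains "OOO Diamartis" and
            pe.signatures[i].serial == "7f:ba:0e:19:91:9a:c5:0d:70:0b:a6:02:50:d0:2c:8b" and
            // not_after must be >= this Unix time; the file header calls the
            // value informative only (YARA reads no timestamping data).
            1623196800 <= pe.signatures[i].not_after
        )
}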
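// Blocklist entry for one code-signing certificate: matches PE files that
// carry a signature whose subject contains "Amcert LLC" and whose serial
// equals the value below. YARA does not validate the certificate chain or
// file integrity (see the file header), so verify a hit before acting on it.
rule cert_blocklist_a758504e7971869d0aec2775fffa03d5 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // "MZ" magic at offset 0.
        uint16(0) == 0x5A4D and
        // signatures[] is zero-based: the last valid index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            pe.signatures[i].subject contains "Amcert LLC" and (
                // One serial, with and without the leading 00 byte that DER
                // adds when the top bit is set; either rendering matches.
                pe.signatures[i].serial == "00:a7:58:50:4e:79:71:86:9d:0a:ec:27:75:ff:fa:03:d5" or
                pe.signatures[i].serial == "a7:58:50:4e:79:71:86:9d:0a:ec:27:75:ff:fa:03:d5"
            ) and
            // not_after must be >= this Unix time; the file header calls the
            // value informative only (YARA reads no timestamping data).
            1623628800 <= pe.signatures[i].not_after
        )
}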
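// Blocklist entry for one code-signing certificate: matches PE files that
// carry a signature whose subject contains "FORTH PROPERTY LTD" and whose
// serial equals the value below. YARA does not validate the certificate chain
// or file integrity (see the file header), so verify a hit before acting on it.
rule cert_blocklist_37a67cf754ee5ae284b4cf8b9d651604 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // "MZ" magic at offset 0.
        uint16(0) == 0x5A4D and
        // signatures[] is zero-based: the last valid index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            pe.signatures[i].subject contains "FORTH PROPERTY LTD" and
            pe.signatures[i].serial == "37:a6:7c:f7:54:ee:5a:e2:84:b4:cf:8b:9d:65:16:04" and
            // not_after must be >= this Unix time; the file header calls the
            // value informative only (YARA reads no timestamping data).
            1617321600 <= pe.signatures[i].not_after
        )
}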
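// Blocklist entry for one code-signing certificate: matches PE files that
// carry a signature whose subject contains "PB03 TRANSPORT LTD." and whose
// serial equals the value below. YARA does not validate the certificate chain
// or file integrity (see the file header), so verify a hit before acting on it.
rule cert_blocklist_119acead668bad57a48b4f42f294f8f0 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // "MZ" magic at offset 0.
        uint16(0) == 0x5A4D and
        // signatures[] is zero-based: the last valid index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            pe.signatures[i].subject contains "PB03 TRANSPORT LTD." and
            pe.signatures[i].serial == "11:9a:ce:ad:66:8b:ad:57:a4:8b:4f:42:f2:94:f8:f0" and
            // not_after must be >= this Unix time; the file header calls the
            // value informative only (YARA reads no timestamping data).
            1619654400 <= pe.signatures[i].not_after
        )
}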
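// Blocklist entry for one code-signing certificate: matches PE files that
// carry a signature whose subject contains "Trade By International ApS" and
// whose serial equals the value below. YARA does not validate the certificate
// chain or file integrity (see the file header), so verify a hit before
// acting on it.
rule cert_blocklist_7a6d30a6eb2fa0c3369283725704ac4c {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // "MZ" magic at offset 0.
        uint16(0) == 0x5A4D and
        // signatures[] is zero-based: the last valid index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            pe.signatures[i].subject contains "Trade By International ApS" and
            pe.signatures[i].serial == "7a:6d:30:a6:eb:2f:a0:c3:36:92:83:72:57:04:ac:4c" and
            // not_after must be >= this Unix time; the file header calls the
            // value informative only (YARA reads no timestamping data).
            1619568000 <= pe.signatures[i].not_after
        )
}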
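// Blocklist entry for one code-signing certificate: matches PE files that
// carry a signature whose subject contains "ADRIATIK PORT SERVIS, d.o.o." and
// whose serial equals the value below. YARA does not validate the certificate
// chain or file integrity (see the file header), so verify a hit before
// acting on it.
rule cert_blocklist_670c3494206b9f0c18714fdcffaaa42f {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // "MZ" magic at offset 0.
        uint16(0) == 0x5A4D and
        // signatures[] is zero-based: the last valid index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            pe.signatures[i].subject contains "ADRIATIK PORT SERVIS, d.o.o." and
            pe.signatures[i].serial == "67:0c:34:94:20:6b:9f:0c:18:71:4f:dc:ff:aa:a4:2f" and
            // not_after must be >= this Unix time; the file header calls the
            // value informative only (YARA reads no timestamping data).
            1622160000 <= pe.signatures[i].not_after
        )
}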
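// Blocklist entry for one code-signing certificate: matches PE files that
// carry a signature whose subject contains "PRO SAT SRL" and whose serial
// equals the value below. YARA does not validate the certificate chain or
// file integrity (see the file header), so verify a hit before acting on it.
rule cert_blocklist_0e8aa328af207ce8bcae1dc15c626188 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // "MZ" magic at offset 0.
        uint16(0) == 0x5A4D and
        // signatures[] is zero-based: the last valid index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            pe.signatures[i].subject contains "PRO SAT SRL" and
            pe.signatures[i].serial == "0e:8a:a3:28:af:20:7c:e8:bc:ae:1d:c1:5c:62:61:88" and
            // not_after must be >= this Unix time; the file header calls the
            // value informative only (YARA reads no timestamping data).
            1627344000 <= pe.signatures[i].not_after
        )
}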
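// Blocklist entry for one code-signing certificate: matches PE files that
// carry a signature whose subject contains "Sistema LLC" and whose serial
// equals the value below. YARA does not validate the certificate chain or
// file integrity (see the file header), so verify a hit before acting on it.
rule cert_blocklist_cfad6be1d823b4eacb803b720f525a7d {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // "MZ" magic at offset 0.
        uint16(0) == 0x5A4D and
        // signatures[] is zero-based: the last valid index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            pe.signatures[i].subject contains "Sistema LLC" and (
                // One serial, with and without the leading 00 byte that DER
                // adds when the top bit is set; either rendering matches.
                pe.signatures[i].serial == "00:cf:ad:6b:e1:d8:23:b4:ea:cb:80:3b:72:0f:52:5a:7d" or
                pe.signatures[i].serial == "cf:ad:6b:e1:d8:23:b4:ea:cb:80:3b:72:0f:52:5a:7d"
            ) and
            // not_after must be >= this Unix time; the file header calls the
            // value informative only (YARA reads no timestamping data).
            1627430400 <= pe.signatures[i].not_after
        )
}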
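// Blocklist entry for one code-signing certificate: matches PE files that
// carry a signature whose subject contains SIA "MWorx" and whose serial
// equals the value below. YARA does not validate the certificate chain or
// file integrity (see the file header), so verify a hit before acting on it.
rule cert_blocklist_7ebcb54b7e0e6410b28610de0743d4dd {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // "MZ" magic at offset 0.
        uint16(0) == 0x5A4D and
        // signatures[] is zero-based: the last valid index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            // \" escapes the double quotes that are part of the subject name.
            pe.signatures[i].subject contains "SIA \"MWorx\"" and
            pe.signatures[i].serial == "7e:bc:b5:4b:7e:0e:64:10:b2:86:10:de:07:43:d4:dd" and
            // not_after must be >= this Unix time; the file header calls the
            // value informative only (YARA reads no timestamping data).
            1625616000 <= pe.signatures[i].not_after
        )
}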
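// Blocklist entry for one code-signing certificate: matches PE files that
// carry a signature whose subject contains "DMR Consulting Ltd." and whose
// serial equals the value below. YARA does not validate the certificate chain
// or file integrity (see the file header), so verify a hit before acting on it.
rule cert_blocklist_01106cc293772ca905a2b6eff02bf0f5 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // "MZ" magic at offset 0.
        uint16(0) == 0x5A4D and
        // signatures[] is zero-based: the last valid index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            pe.signatures[i].subject contains "DMR Consulting Ltd." and
            pe.signatures[i].serial == "01:10:6c:c2:93:77:2c:a9:05:a2:b6:ef:f0:2b:f0:f5" and
            // not_after must be >= this Unix time; the file header calls the
            // value informative only (YARA reads no timestamping data).
            1627084800 <= pe.signatures[i].not_after
        )
}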
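// Blocklist entry for one code-signing certificate: matches PE files that
// carry a signature whose subject contains "Wellpro Impact Solutions Oy" and
// whose serial equals the value below. YARA does not validate the certificate
// chain or file integrity (see the file header), so verify a hit before
// acting on it.
rule cert_blocklist_05bb162f6efe852b7bd4712fd737a61e {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // "MZ" magic at offset 0.
        uint16(0) == 0x5A4D and
        // signatures[] is zero-based: the last valid index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            pe.signatures[i].subject contains "Wellpro Impact Solutions Oy" and
            pe.signatures[i].serial == "05:bb:16:2f:6e:fe:85:2b:7b:d4:71:2f:d7:37:a6:1e" and
            // not_after must be >= this Unix time; the file header calls the
            // value informative only (YARA reads no timestamping data).
            1628726400 <= pe.signatures[i].not_after
        )
}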
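// Blocklist entry for one code-signing certificate: matches PE files that
// carry a signature whose subject contains "OWLNET LIMITED" and whose serial
// equals the value below. YARA does not validate the certificate chain or
// file integrity (see the file header), so verify a hit before acting on it.
rule cert_blocklist_6171990ba1c8e71049ebb296a35bd160 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // "MZ" magic at offset 0.
        uint16(0) == 0x5A4D and
        // signatures[] is zero-based: the last valid index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            pe.signatures[i].subject contains "OWLNET LIMITED" and
            pe.signatures[i].serial == "61:71:99:0b:a1:c8:e7:10:49:eb:b2:96:a3:5b:d1:60" and
            // not_after must be >= this Unix time; the file header calls the
            // value informative only (YARA reads no timestamping data).
            1620000000 <= pe.signatures[i].not_after
        )
}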
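// Blocklist entry for one code-signing certificate: matches PE files that
// carry a signature whose subject contains "MATCH CONSULTANTS LTD" and whose
// serial equals the value below. YARA does not validate the certificate chain
// or file integrity (see the file header), so verify a hit before acting on it.
rule cert_blocklist_2114ca3bd2afd63d7fa29d744992b043 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // "MZ" magic at offset 0.
        uint16(0) == 0x5A4D and
        // signatures[] is zero-based: the last valid index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            pe.signatures[i].subject contains "MATCH CONSULTANTS LTD" and
            pe.signatures[i].serial == "21:14:ca:3b:d2:af:d6:3d:7f:a2:9d:74:49:92:b0:43" and
            // not_after must be >= this Unix time; the file header calls the
            // value informative only (YARA reads no timestamping data).
            1625097600 <= pe.signatures[i].not_after
        )
}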
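// Blocklist entry for one code-signing certificate: matches PE files that
// carry a signature whose subject contains "Solar LLC" and whose serial
// equals the value below. YARA does not validate the certificate chain or
// file integrity (see the file header), so verify a hit before acting on it.
rule cert_blocklist_6aaa62208a3a78bfac1443007d031e61 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // "MZ" magic at offset 0.
        uint16(0) == 0x5A4D and
        // signatures[] is zero-based: the last valid index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            pe.signatures[i].subject contains "Solar LLC" and
            pe.signatures[i].serial == "6a:aa:62:20:8a:3a:78:bf:ac:14:43:00:7d:03:1e:61" and
            // not_after must be >= this Unix time; the file header calls the
            // value informative only (YARA reads no timestamping data).
            1608163200 <= pe.signatures[i].not_after
        )
}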
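// Blocklist entry for one code-signing certificate: matches PE files that
// carry a signature whose subject contains the escaped non-ASCII name below
// and whose serial equals the value below. YARA does not validate the
// certificate chain or file integrity (see the file header), so verify a hit
// before acting on it.
rule cert_blocklist_09450b8f73ea43e39d2cdd56049dbe40 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // "MZ" magic at offset 0.
        uint16(0) == 0x5A4D and
        // signatures[] is zero-based: the last valid index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            // Doubled backslashes match the literal text "\xNN": the
            // non-ASCII subject name in escaped form. NOTE(review): confirm
            // the pe module in use reports subjects this way.
            pe.signatures[i].subject contains "\\xE4\\xB9\\x9D\\xE6\\xB1\\x9F\\xE5\\xAE\\x8F\\xE5\\x9B\\xBE\\xE6\\x97\\xA0\\xE5\\xBF\\xA7\\xE7\\xA7\\x91\\xE6\\x8A\\x80\\xE6\\x9C\\x89\\xE9\\x99\\x90\\xE5\\x85\\xAC\\xE5\\x8F\\xB8" and
            pe.signatures[i].serial == "09:45:0b:8f:73:ea:43:e3:9d:2c:dd:56:04:9d:be:40" and
            // not_after must be >= this Unix time; the file header calls the
            // value informative only (YARA reads no timestamping data).
            1561602110 <= pe.signatures[i].not_after
        )
}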
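// Blocklist entry for one code-signing certificate: matches PE files that
// carry a signature whose subject contains the escaped non-ASCII name below
// and whose serial equals the value below. YARA does not validate the
// certificate chain or file integrity (see the file header), so verify a hit
// before acting on it.
rule cert_blocklist_0efd9bd4b4281c6522d96011df46c9c4 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // "MZ" magic at offset 0.
        uint16(0) == 0x5A4D and
        // signatures[] is zero-based: the last valid index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            // Doubled backslashes match the literal text "\xNN": the
            // non-ASCII subject name in escaped form. NOTE(review): confirm
            // the pe module in use reports subjects this way.
            pe.signatures[i].subject contains "\\xE9\\x9B\\xB7\\xE7\\xA5\\x9E\\xEF\\xBC\\x88\\xE6\\xAD\\xA6\\xE6\\xB1\\x89\\xEF\\xBC\\x89\\xE4\\xBF\\xA1\\xE6\\x81\\xAF\\xE6\\x8A\\x80\\xE6\\x9C\\xAF\\xE6\\x9C\\x89\\xE9\\x99\\x90\\xE5\\x85\\xAC\\xE5\\x8F\\xB8" and
            pe.signatures[i].serial == "0e:fd:9b:d4:b4:28:1c:65:22:d9:60:11:df:46:c9:c4" and
            // not_after must be >= this Unix time; the file header calls the
            // value informative only (YARA reads no timestamping data).
            1586249095 <= pe.signatures[i].not_after
        )
}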
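// Blocklist entry for one code-signing certificate: matches PE files that
// carry a signature whose subject contains the escaped non-ASCII name below
// and whose serial equals the value below. YARA does not validate the
// certificate chain or file integrity (see the file header), so verify a hit
// before acting on it.
rule cert_blocklist_0dd7d4a785990584d8c0837659173272 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // "MZ" magic at offset 0.
        uint16(0) == 0x5A4D and
        // signatures[] is zero-based: the last valid index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            // Doubled backslashes match the literal text "\xNN": the
            // non-ASCII subject name in escaped form. NOTE(review): confirm
            // the pe module in use reports subjects this way.
            pe.signatures[i].subject contains "\\xE9\\x9B\\xB7\\xE7\\xA5\\x9E\\xEF\\xBC\\x88\\xE6\\xAD\\xA6\\xE6\\xB1\\x89\\xEF\\xBC\\x89\\xE4\\xBF\\xA1\\xE6\\x81\\xAF\\xE6\\x8A\\x80\\xE6\\x9C\\xAF\\xE6\\x9C\\x89\\xE9\\x99\\x90\\xE5\\x85\\xAC\\xE5\\x8F\\xB8" and
            pe.signatures[i].serial == "0d:d7:d4:a7:85:99:05:84:d8:c0:83:76:59:17:32:72" and
            // not_after must be >= this Unix time; the file header calls the
            // value informative only (YARA reads no timestamping data).
            1586249095 <= pe.signatures[i].not_after
        )
}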
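// Blocklist entry for one code-signing certificate: matches PE files that
// carry a signature whose subject contains the escaped non-ASCII name below
// and whose serial equals the value below. YARA does not validate the
// certificate chain or file integrity (see the file header), so verify a hit
// before acting on it.
rule cert_blocklist_0c59d46580f039af2c4ab6ba0ffed197 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // "MZ" magic at offset 0.
        uint16(0) == 0x5A4D and
        // signatures[] is zero-based: the last valid index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            // Doubled backslashes match the literal text "\xNN": the
            // non-ASCII subject name in escaped form. NOTE(review): confirm
            // the pe module in use reports subjects this way.
            pe.signatures[i].subject contains "\\xE5\\xA4\\xA7\\xE8\\xBF\\x9E\\xE7\\xBA\\xB5\\xE6\\xA2\\xA6\\xE7\\xBD\\x91\\xE7\\xBB\\x9C\\xE7\\xA7\\x91\\xE6\\x8A\\x80\\xE6\\x9C\\x89\\xE9\\x99\\x90\\xE5\\x85\\xAC\\xE5\\x8F\\xB8" and
            pe.signatures[i].serial == "0c:59:d4:65:80:f0:39:af:2c:4a:b6:ba:0f:fe:d1:97" and
            // not_after must be >= this Unix time; the file header calls the
            // value informative only (YARA reads no timestamping data).
            1585108595 <= pe.signatures[i].not_after
        )
}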
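// Blocklist entry for one code-signing certificate: matches PE files that
// carry a signature whose subject contains the escaped non-ASCII name below
// and whose serial equals the value below. YARA does not validate the
// certificate chain or file integrity (see the file header), so verify a hit
// before acting on it.
rule cert_blocklist_0448ec8d26597f99912138500cc41c1b {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // "MZ" magic at offset 0.
        uint16(0) == 0x5A4D and
        // signatures[] is zero-based: the last valid index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            // Doubled backslashes match the literal text "\xNN": the
            // non-ASCII subject name in escaped form. NOTE(review): confirm
            // the pe module in use reports subjects this way.
            pe.signatures[i].subject contains "\\xE5\\xA4\\xA7\\xE8\\xBF\\x9E\\xE7\\xBA\\xB5\\xE6\\xA2\\xA6\\xE7\\xBD\\x91\\xE7\\xBB\\x9C\\xE7\\xA7\\x91\\xE6\\x8A\\x80\\xE6\\x9C\\x89\\xE9\\x99\\x90\\xE5\\x85\\xAC\\xE5\\x8F\\xB8" and
            pe.signatures[i].serial == "04:48:ec:8d:26:59:7f:99:91:21:38:50:0c:c4:1c:1b" and
            // not_after must be >= this Unix time; the file header calls the
            // value informative only (YARA reads no timestamping data).
            1585108595 <= pe.signatures[i].not_after
        )
}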
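// Blocklist entry for one code-signing certificate: matches PE files that
// carry a signature whose subject contains the escaped non-ASCII name below
// and whose serial equals the value below. YARA does not validate the
// certificate chain or file integrity (see the file header), so verify a hit
// before acting on it.
rule cert_blocklist_0108cbaee60728f5bf06e45a56d6f170 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // "MZ" magic at offset 0.
        uint16(0) == 0x5A4D and
        // signatures[] is zero-based: the last valid index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            // Doubled backslashes match the literal text "\xNN": the
            // non-ASCII subject name in escaped form. NOTE(review): confirm
            // the pe module in use reports subjects this way.
            pe.signatures[i].subject contains "\\xE6\\xAD\\xA6\\xE6\\xB1\\x89\\xE4\\xB8\\x9C\\xE6\\xB9\\x96\\xE6\\x96\\xB0\\xE6\\x8A\\x80\\xE6\\x9C\\xAF\\xE5\\xBC\\x80\\xE5\\x8F\\x91\\xE5\\x8C\\xBA" and
            pe.signatures[i].serial == "01:08:cb:ae:e6:07:28:f5:bf:06:e4:5a:56:d6:f1:70" and
            // not_after must be >= this Unix time; the file header calls the
            // value informative only (YARA reads no timestamping data).
            1605680260 <= pe.signatures[i].not_after
        )
}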
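// Blocklist entry for one code-signing certificate: matches PE files that
// carry a signature whose subject contains the escaped non-ASCII name below
// and whose serial equals the value below. YARA does not validate the
// certificate chain or file integrity (see the file header), so verify a hit
// before acting on it.
rule cert_blocklist_038d56a12153e8b5c74c69bff65cbe3f {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // "MZ" magic at offset 0.
        uint16(0) == 0x5A4D and
        // signatures[] is zero-based: the last valid index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            // Doubled backslashes match the literal text "\xNN": the
            // non-ASCII subject name in escaped form. NOTE(review): confirm
            // the pe module in use reports subjects this way.
            pe.signatures[i].subject contains "\\xE6\\xAD\\xA6\\xE6\\xB1\\x89\\xE5\\x86\\x85\\xE7\\x91\\x9F\\xE6\\x96\\xAF\\xE7\\xA7\\x91\\xE6\\x8A\\x80\\xE6\\x9C\\x89\\xE9\\x99\\x90\\xE5\\x85\\xAC\\xE5\\x8F\\xB8" and
            pe.signatures[i].serial == "03:8d:56:a1:21:53:e8:b5:c7:4c:69:bf:f6:5c:be:3f" and
            // not_after must be >= this Unix time; the file header calls the
            // value informative only (YARA reads no timestamping data).
            1605680260 <= pe.signatures[i].not_after
        )
}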
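// Blocklist entry for one code-signing certificate: matches PE files that
// carry a signature whose subject contains "HasCred ApS" and whose serial
// equals the value below. YARA does not validate the certificate chain or
// file integrity (see the file header), so verify a hit before acting on it.
rule cert_blocklist_060d94e2ccae84536654d9daf39fef1e {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // "MZ" magic at offset 0.
        uint16(0) == 0x5A4D and
        // signatures[] is zero-based: the last valid index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            pe.signatures[i].subject contains "HasCred ApS" and
            pe.signatures[i].serial == "06:0d:94:e2:cc:ae:84:53:66:54:d9:da:f3:9f:ef:1e" and
            // not_after must be >= this Unix time; the file header calls the
            // value informative only (YARA reads no timestamping data).
            1627948800 <= pe.signatures[i].not_after
        )
}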
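// Blocklist entry for one code-signing certificate: matches PE files that
// carry a signature whose subject contains "HasCred ApS" and whose serial
// equals the value below. YARA does not validate the certificate chain or
// file integrity (see the file header), so verify a hit before acting on it.
rule cert_blocklist_0bc9b800f480691bd6b60963466b0c75 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // "MZ" magic at offset 0.
        uint16(0) == 0x5A4D and
        // signatures[] is zero-based: the last valid index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            pe.signatures[i].subject contains "HasCred ApS" and
            pe.signatures[i].serial == "0b:c9:b8:00:f4:80:69:1b:d6:b6:09:63:46:6b:0c:75" and
            // not_after must be >= this Unix time; the file header calls the
            // value informative only (YARA reads no timestamping data).
            1629158400 <= pe.signatures[i].not_after
        )
}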
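// Blocklist entry for one code-signing certificate: matches PE files that
// carry a signature whose subject contains the escaped non-ASCII name below
// and whose serial equals the value below. YARA does not validate the
// certificate chain or file integrity (see the file header), so verify a hit
// before acting on it.
rule cert_blocklist_0c4324ff41f0a7b16ffcc93dffa8fa99 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // "MZ" magic at offset 0.
        uint16(0) == 0x5A4D and
        // signatures[] is zero-based: the last valid index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            // Doubled backslashes match the literal text "\xNN": the
            // non-ASCII subject name in escaped form. NOTE(review): confirm
            // the pe module in use reports subjects this way.
            pe.signatures[i].subject contains "\\xE7\\xA6\\x8F\\xE5\\xBB\\xBA\\xE7\\x9C\\x81\\xE4\\xBA\\x94\\xE6\\x98\\x9F\\xE4\\xBF\\xA1\\xE6\\x81\\xAF\\xE7\\xA7\\x91\\xE6\\x8A\\x80\\xE6\\x9C\\x89\\xE9\\x99\\x90\\xE5\\x85\\xAC\\xE5\\x8F\\xB8" and
            pe.signatures[i].serial == "0c:43:24:ff:41:f0:a7:b1:6f:fc:c9:3d:ff:a8:fa:99" and
            // not_after must be >= this Unix time; the file header calls the
            // value informative only (YARA reads no timestamping data).
            1600300800 <= pe.signatures[i].not_after
        )
}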
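// Blocklist entry for one code-signing certificate: matches PE files that
// carry a signature whose subject contains "Idris Kanchwala Holding Corp."
// and whose serial equals the value below. YARA does not validate the
// certificate chain or file integrity (see the file header), so verify a hit
// before acting on it.
rule cert_blocklist_0b980fc8783e4f158e41829ab21bab81 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // "MZ" magic at offset 0.
        uint16(0) == 0x5A4D and
        // signatures[] is zero-based: the last valid index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            pe.signatures[i].subject contains "Idris Kanchwala Holding Corp." and
            pe.signatures[i].serial == "0b:98:0f:c8:78:3e:4f:15:8e:41:82:9a:b2:1b:ab:81" and
            // not_after must be >= this Unix time; the file header calls the
            // value informative only (YARA reads no timestamping data).
            1631750400 <= pe.signatures[i].not_after
        )
}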
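// Blocklist entry for one code-signing certificate: matches PE files that
// carry a signature whose subject contains "HOLDING LA LTD" and whose serial
// equals the value below. YARA does not validate the certificate chain or
// file integrity (see the file header), so verify a hit before acting on it.
rule cert_blocklist_d8f515715aeffef0a0e4e37f16c254fa {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // "MZ" magic at offset 0.
        uint16(0) == 0x5A4D and
        // signatures[] is zero-based: the last valid index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            pe.signatures[i].subject contains "HOLDING LA LTD" and (
                // One serial, with and without the leading 00 byte that DER
                // adds when the top bit is set; either rendering matches.
                pe.signatures[i].serial == "00:d8:f5:15:71:5a:ef:fe:f0:a0:e4:e3:7f:16:c2:54:fa" or
                pe.signatures[i].serial == "d8:f5:15:71:5a:ef:fe:f0:a0:e4:e3:7f:16:c2:54:fa"
            ) and
            // not_after must be >= this Unix time; the file header calls the
            // value informative only (YARA reads no timestamping data).
            1619136000 <= pe.signatures[i].not_after
        )
}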
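// Blocklist entry for one code-signing certificate: matches PE files that
// carry a signature whose subject contains "SAN MARINO INVESTMENTS PTY LTD"
// and whose serial equals the value below. YARA does not validate the
// certificate chain or file integrity (see the file header), so verify a hit
// before acting on it.
rule cert_blocklist_d79739187c585e453c00afc11d77b523 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // "MZ" magic at offset 0.
        uint16(0) == 0x5A4D and
        // signatures[] is zero-based: the last valid index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            pe.signatures[i].subject contains "SAN MARINO INVESTMENTS PTY LTD" and (
                // One serial, with and without the leading 00 byte that DER
                // adds when the top bit is set; either rendering matches.
                pe.signatures[i].serial == "00:d7:97:39:18:7c:58:5e:45:3c:00:af:c1:1d:77:b5:23" or
                pe.signatures[i].serial == "d7:97:39:18:7c:58:5e:45:3c:00:af:c1:1d:77:b5:23"
            ) and
            // not_after must be >= this Unix time; the file header calls the
            // value informative only (YARA reads no timestamping data).
            1631059200 <= pe.signatures[i].not_after
        )
}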
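// Blocklist entry for one code-signing certificate: matches PE files that
// carry a signature whose subject contains "AmiraCo Oy" and whose serial
// equals the value below. YARA does not validate the certificate chain or
// file integrity (see the file header), so verify a hit before acting on it.
rule cert_blocklist_961cecb0227845317549e9343a980e91 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // "MZ" magic at offset 0.
        uint16(0) == 0x5A4D and
        // signatures[] is zero-based: the last valid index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            pe.signatures[i].subject contains "AmiraCo Oy" and (
                // One serial, with and without the leading 00 byte that DER
                // adds when the top bit is set; either rendering matches.
                pe.signatures[i].serial == "00:96:1c:ec:b0:22:78:45:31:75:49:e9:34:3a:98:0e:91" or
                pe.signatures[i].serial == "96:1c:ec:b0:22:78:45:31:75:49:e9:34:3a:98:0e:91"
            ) and
            // not_after must be >= this Unix time; the file header calls the
            // value informative only (YARA reads no timestamping data).
            1615248000 <= pe.signatures[i].not_after
        )
}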
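// Blocklist entry for one code-signing certificate: matches PE files that
// carry a signature whose subject contains "ALUSEN d. o. o." and whose serial
// equals the value below. YARA does not validate the certificate chain or
// file integrity (see the file header), so verify a hit before acting on it.
rule cert_blocklist_1ef6392b2993a6f67578299659467ea8 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // "MZ" magic at offset 0.
        uint16(0) == 0x5A4D and
        // signatures[] is zero-based: the last valid index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            pe.signatures[i].subject contains "ALUSEN d. o. o." and
            pe.signatures[i].serial == "1e:f6:39:2b:29:93:a6:f6:75:78:29:96:59:46:7e:a8" and
            // not_after must be >= this Unix time; the file header calls the
            // value informative only (YARA reads no timestamping data).
            1618531200 <= pe.signatures[i].not_after
        )
}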
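// Blocklist entry for one code-signing certificate: matches PE files that
// carry a signature whose subject contains "MIDDRA INTERNATIONAL CORP." and
// whose serial equals the value below. YARA does not validate the certificate
// chain or file integrity (see the file header), so verify a hit before
// acting on it.
rule cert_blocklist_a918455c0d4da7ca474f41f11a7cf38c {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // "MZ" magic at offset 0.
        uint16(0) == 0x5A4D and
        // signatures[] is zero-based: the last valid index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            pe.signatures[i].subject contains "MIDDRA INTERNATIONAL CORP." and (
                // One serial, with and without the leading 00 byte that DER
                // adds when the top bit is set; either rendering matches.
                pe.signatures[i].serial == "00:a9:18:45:5c:0d:4d:a7:ca:47:4f:41:f1:1a:7c:f3:8c" or
                pe.signatures[i].serial == "a9:18:45:5c:0d:4d:a7:ca:47:4f:41:f1:1a:7c:f3:8c"
            ) and
            // not_after must be >= this Unix time; the file header calls the
            // value informative only (YARA reads no timestamping data).
            1618963200 <= pe.signatures[i].not_after
        )
}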
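// Blocklist entry for one code-signing certificate: matches PE files that
// carry a signature whose subject contains "SALES & MAINTENANCE LIMITED" and
// whose serial equals the value below. YARA does not validate the certificate
// chain or file integrity (see the file header), so verify a hit before
// acting on it.
rule cert_blocklist_936bc256d2057ca9b9ec3034c3ed0ee6 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // "MZ" magic at offset 0.
        uint16(0) == 0x5A4D and
        // signatures[] is zero-based: the last valid index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            pe.signatures[i].subject contains "SALES & MAINTENANCE LIMITED" and (
                // One serial, with and without the leading 00 byte that DER
                // adds when the top bit is set; either rendering matches.
                pe.signatures[i].serial == "00:93:6b:c2:56:d2:05:7c:a9:b9:ec:30:34:c3:ed:0e:e6" or
                pe.signatures[i].serial == "93:6b:c2:56:d2:05:7c:a9:b9:ec:30:34:c3:ed:0e:e6"
            ) and
            // not_after must be >= this Unix time; the file header calls the
            // value informative only (YARA reads no timestamping data).
            1616889600 <= pe.signatures[i].not_after
        )
}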
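// Blocklist entry for one code-signing certificate: matches PE files that
// carry a signature whose subject contains "TLGM ApS" and whose serial equals
// the value below. YARA does not validate the certificate chain or file
// integrity (see the file header), so verify a hit before acting on it.
rule cert_blocklist_afe8fee94b41422e01e4897bcd52d0a4 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // "MZ" magic at offset 0.
        uint16(0) == 0x5A4D and
        // signatures[] is zero-based: the last valid index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            pe.signatures[i].subject contains "TLGM ApS" and (
                // One serial, with and without the leading 00 byte that DER
                // adds when the top bit is set; either rendering matches.
                pe.signatures[i].serial == "00:af:e8:fe:e9:4b:41:42:2e:01:e4:89:7b:cd:52:d0:a4" or
                pe.signatures[i].serial == "af:e8:fe:e9:4b:41:42:2e:01:e4:89:7b:cd:52:d0:a4"
            ) and
            // not_after must be >= this Unix time; the file header calls the
            // value informative only (YARA reads no timestamping data).
            1617062400 <= pe.signatures[i].not_after
        )
}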
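// Blocklist entry for one code-signing certificate: matches PE files that
// carry a signature whose subject contains "Trap Capital ApS" and whose
// serial equals the value below. YARA does not validate the certificate chain
// or file integrity (see the file header), so verify a hit before acting on it.
rule cert_blocklist_718e89ddb33257ea77ba74be7f2baf1d {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // "MZ" magic at offset 0.
        uint16(0) == 0x5A4D and
        // signatures[] is zero-based: the last valid index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            pe.signatures[i].subject contains "Trap Capital ApS" and
            pe.signatures[i].serial == "71:8e:89:dd:b3:32:57:ea:77:ba:74:be:7f:2b:af:1d" and
            // not_after must be >= this Unix time; the file header calls the
            // value informative only (YARA reads no timestamping data).
            1635462927 <= pe.signatures[i].not_after
        )
}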
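// Blocklist entry for one code-signing certificate: matches PE files that
// carry a signature whose subject contains "POLE & AERIAL FITNESS LIMITED"
// and whose serial equals the value below. YARA does not validate the
// certificate chain or file integrity (see the file header), so verify a hit
// before acting on it.
rule cert_blocklist_4d3e38f4aebbc32257450726b29be117 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // "MZ" magic at offset 0.
        uint16(0) == 0x5A4D and
        // signatures[] is zero-based: the last valid index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            pe.signatures[i].subject contains "POLE & AERIAL FITNESS LIMITED" and
            pe.signatures[i].serial == "4d:3e:38:f4:ae:bb:c3:22:57:45:07:26:b2:9b:e1:17" and
            // not_after must be >= this Unix time; the file header calls the
            // value informative only (YARA reads no timestamping data).
            1636123882 <= pe.signatures[i].not_after
        )
}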
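// Blocklist entry for one code-signing certificate: matches PE files that
// carry a signature whose subject contains "Contact Merger Holding ApS" and
// whose serial equals the value below. YARA does not validate the certificate
// chain or file integrity (see the file header), so verify a hit before
// acting on it.
rule cert_blocklist_8f4c49dae1f1ff0ebe9104c6f73242bd {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // "MZ" magic at offset 0.
        uint16(0) == 0x5A4D and
        // signatures[] is zero-based: the last valid index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            pe.signatures[i].subject contains "Contact Merger Holding ApS" and (
                // One serial, with and without the leading 00 byte that DER
                // adds when the top bit is set; either rendering matches.
                pe.signatures[i].serial == "00:8f:4c:49:da:e1:f1:ff:0e:be:91:04:c6:f7:32:42:bd" or
                pe.signatures[i].serial == "8f:4c:49:da:e1:f1:ff:0e:be:91:04:c6:f7:32:42:bd"
            ) and
            // not_after must be >= this Unix time; the file header calls the
            // value informative only (YARA reads no timestamping data).
            1636039748 <= pe.signatures[i].not_after
        )
}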
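// Blocklist entry for one code-signing certificate: matches PE files that
// carry a signature whose subject contains "TRAIN BUILDING TEAM s.r.o." and
// whose serial equals the value below. YARA does not validate the certificate
// chain or file integrity (see the file header), so verify a hit before
// acting on it.
rule cert_blocklist_ac3c05f1cb9453de8e7110f589fb32c0 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // "MZ" magic at offset 0.
        uint16(0) == 0x5A4D and
        // signatures[] is zero-based: the last valid index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            pe.signatures[i].subject contains "TRAIN BUILDING TEAM s.r.o." and (
                // One serial, with and without the leading 00 byte that DER
                // adds when the top bit is set; either rendering matches.
                pe.signatures[i].serial == "00:ac:3c:05:f1:cb:94:53:de:8e:71:10:f5:89:fb:32:c0" or
                pe.signatures[i].serial == "ac:3c:05:f1:cb:94:53:de:8e:71:10:f5:89:fb:32:c0"
            ) and
            // not_after must be >= this Unix time; the file header calls the
            // value informative only (YARA reads no timestamping data).
            1635854205 <= pe.signatures[i].not_after
        )
}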
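// Blocklist entry for one code-signing certificate: matches PE files that
// carry a signature whose subject contains "Rakurs LLC" and whose serial
// equals the value below. YARA does not validate the certificate chain or
// file integrity (see the file header), so verify a hit before acting on it.
rule cert_blocklist_fbb96a90b6718810311767ca25ab1e48 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // "MZ" magic at offset 0.
        uint16(0) == 0x5A4D and
        // signatures[] is zero-based: the last valid index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            pe.signatures[i].subject contains "Rakurs LLC" and (
                // One serial, with and without the leading 00 byte that DER
                // adds when the top bit is set; either rendering matches.
                pe.signatures[i].serial == "00:fb:b9:6a:90:b6:71:88:10:31:17:67:ca:25:ab:1e:48" or
                pe.signatures[i].serial == "fb:b9:6a:90:b6:71:88:10:31:17:67:ca:25:ab:1e:48"
            ) and
            // not_after must be >= this Unix time; the file header calls the
            // value informative only (YARA reads no timestamping data).
            1636046757 <= pe.signatures[i].not_after
        )
}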
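// Blocklist entry for one code-signing certificate: matches PE files that
// carry a signature whose subject contains "TRUST DANMARK ApS" and whose
// serial equals the value below. YARA does not validate the certificate chain
// or file integrity (see the file header), so verify a hit before acting on it.
rule cert_blocklist_cfd38423aef875a10b16644d058297e2 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // "MZ" magic at offset 0.
        uint16(0) == 0x5A4D and
        // signatures[] is zero-based: the last valid index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            pe.signatures[i].subject contains "TRUST DANMARK ApS" and (
                // One serial, with and without the leading 00 byte that DER
                // adds when the top bit is set; either rendering matches.
                pe.signatures[i].serial == "00:cf:d3:84:23:ae:f8:75:a1:0b:16:64:4d:05:82:97:e2" or
                pe.signatures[i].serial == "cf:d3:84:23:ae:f8:75:a1:0b:16:64:4d:05:82:97:e2"
            ) and
            // not_after must be >= this Unix time; the file header calls the
            // value informative only (YARA reads no timestamping data).
            1632884040 <= pe.signatures[i].not_after
        )
}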
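// Blocklist entry for one code-signing certificate: matches PE files that
// carry a signature whose subject contains "ANAQA EVENTS LTD" and whose
// serial equals the value below. YARA does not validate the certificate chain
// or file integrity (see the file header), so verify a hit before acting on it.
rule cert_blocklist_e6c05c5a2222bf92818324a3a7374ad3 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // "MZ" magic at offset 0.
        uint16(0) == 0x5A4D and
        // signatures[] is zero-based: the last valid index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            pe.signatures[i].subject contains "ANAQA EVENTS LTD" and (
                // One serial, with and without the leading 00 byte that DER
                // adds when the top bit is set; either rendering matches.
                pe.signatures[i].serial == "00:e6:c0:5c:5a:22:22:bf:92:81:83:24:a3:a7:37:4a:d3" or
                pe.signatures[i].serial == "e6:c0:5c:5a:22:22:bf:92:81:83:24:a3:a7:37:4a:d3"
            ) and
            // not_after must be >= this Unix time; the file header calls the
            // value informative only (YARA reads no timestamping data).
            1634720407 <= pe.signatures[i].not_after
        )
}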
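// Blocklist entry for one code-signing certificate: matches PE files that
// carry a signature whose subject contains "Rose Holm International ApS" and
// whose serial equals the value below. YARA does not validate the certificate
// chain or file integrity (see the file header), so verify a hit before
// acting on it.
rule cert_blocklist_75ce08bdbad44123299dbe9d7c1d20de {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // "MZ" magic at offset 0.
        uint16(0) == 0x5A4D and
        // signatures[] is zero-based: the last valid index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            pe.signatures[i].subject contains "Rose Holm International ApS" and
            pe.signatures[i].serial == "75:ce:08:bd:ba:d4:41:23:29:9d:be:9d:7c:1d:20:de" and
            // not_after must be >= this Unix time; the file header calls the
            // value informative only (YARA reads no timestamping data).
            1631007095 <= pe.signatures[i].not_after
        )
}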
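// Blocklist entry for one code-signing certificate: matches PE files that
// carry a signature whose subject contains "TASK Holding ApS" and whose
// serial equals the value below. YARA does not validate the certificate chain
// or file integrity (see the file header), so verify a hit before acting on it.
rule cert_blocklist_333705c20b56e57f60b5eb191eef0d90 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // "MZ" magic at offset 0.
        uint16(0) == 0x5A4D and
        // signatures[] is zero-based: the last valid index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            pe.signatures[i].subject contains "TASK Holding ApS" and
            pe.signatures[i].serial == "33:37:05:c2:0b:56:e5:7f:60:b5:eb:19:1e:ef:0d:90" and
            // not_after must be >= this Unix time; the file header calls the
            // value informative only (YARA reads no timestamping data).
            1634233052 <= pe.signatures[i].not_after
        )
}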
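// Blocklist entry for one code-signing certificate: matches PE files that
// carry a signature whose subject contains "Sopiteks LLC" and whose serial
// equals the value below. YARA does not validate the certificate chain or
// file integrity (see the file header), so verify a hit before acting on it.
rule cert_blocklist_a2a0ba281262acce7a00119e25564386 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // "MZ" magic at offset 0.
        uint16(0) == 0x5A4D and
        // signatures[] is zero-based: the last valid index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            pe.signatures[i].subject contains "Sopiteks LLC" and (
                // One serial, with and without the leading 00 byte that DER
                // adds when the top bit is set; either rendering matches.
                pe.signatures[i].serial == "00:a2:a0:ba:28:12:62:ac:ce:7a:00:11:9e:25:56:43:86" or
                pe.signatures[i].serial == "a2:a0:ba:28:12:62:ac:ce:7a:00:11:9e:25:56:43:86"
            ) and
            // not_after must be >= this Unix time; the file header calls the
            // value informative only (YARA reads no timestamping data).
            1631908320 <= pe.signatures[i].not_after
        )
}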
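// Blocklist entry for one code-signing certificate: matches PE files that
// carry a signature whose subject contains "Lpr:n Laatu-Ravintolat Oy" and
// whose serial equals the value below. YARA does not validate the certificate
// chain or file integrity (see the file header), so verify a hit before
// acting on it.
rule cert_blocklist_338483cc174c16ebc454a3803ffd4217 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // "MZ" magic at offset 0.
        uint16(0) == 0x5A4D and
        // signatures[] is zero-based: the last valid index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            pe.signatures[i].subject contains "Lpr:n Laatu-Ravintolat Oy" and
            pe.signatures[i].serial == "33:84:83:cc:17:4c:16:eb:c4:54:a3:80:3f:fd:42:17" and
            // not_after must be >= this Unix time; the file header calls the
            // value informative only (YARA reads no timestamping data).
            1635208206 <= pe.signatures[i].not_after
        )
}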
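// Blocklist entry for one code-signing certificate: matches PE files that
// carry a signature whose subject contains "Argus Security Maintenance
// Systems Inc." and whose serial equals the value below. YARA does not
// validate the certificate chain or file integrity (see the file header), so
// verify a hit before acting on it.
rule cert_blocklist_be89936c26cd0d845074f6b7b47f480c {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // "MZ" magic at offset 0.
        uint16(0) == 0x5A4D and
        // signatures[] is zero-based: the last valid index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            pe.signatures[i].subject contains "Argus Security Maintenance Systems Inc." and (
                // One serial, with and without the leading 00 byte that DER
                // adds when the top bit is set; either rendering matches.
                pe.signatures[i].serial == "00:be:89:93:6c:26:cd:0d:84:50:74:f6:b7:b4:7f:48:0c" or
                pe.signatures[i].serial == "be:89:93:6c:26:cd:0d:84:50:74:f6:b7:b4:7f:48:0c"
            ) and
            // not_after must be >= this Unix time; the file header calls the
            // value informative only (YARA reads no timestamping data).
            1634235015 <= pe.signatures[i].not_after
        )
}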
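// Blocklist entry for one code-signing certificate: matches PE files that
// carry a signature whose subject contains "CB CAM SP Z O O" and whose serial
// equals the value below. YARA does not validate the certificate chain or
// file integrity (see the file header), so verify a hit before acting on it.
rule cert_blocklist_0f20a5155e53ce20bb644f646ed6a2fd {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // "MZ" magic at offset 0.
        uint16(0) == 0x5A4D and
        // signatures[] is zero-based: the last valid index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            pe.signatures[i].subject contains "CB CAM SP Z O O" and
            pe.signatures[i].serial == "0f:20:a5:15:5e:53:ce:20:bb:64:4f:64:6e:d6:a2:fd" and
            // not_after must be >= this Unix time; the file header calls the
            // value informative only (YARA reads no timestamping data).
            1635196200 <= pe.signatures[i].not_after
        )
}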
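// Blocklist entry for one code-signing certificate: matches PE files that
// carry a signature whose subject contains "Postmarket LLC" and whose serial
// equals the value below. YARA does not validate the certificate chain or
// file integrity (see the file header), so verify a hit before acting on it.
rule cert_blocklist_ea734e1dfb6e69ed2bc55e513bf95b5e {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // "MZ" magic at offset 0.
        uint16(0) == 0x5A4D and
        // signatures[] is zero-based: the last valid index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            pe.signatures[i].subject contains "Postmarket LLC" and (
                // One serial, with and without the leading 00 byte that DER
                // adds when the top bit is set; either rendering matches.
                pe.signatures[i].serial == "00:ea:73:4e:1d:fb:6e:69:ed:2b:c5:5e:51:3b:f9:5b:5e" or
                pe.signatures[i].serial == "ea:73:4e:1d:fb:6e:69:ed:2b:c5:5e:51:3b:f9:5b:5e"
            ) and
            // not_after must be >= this Unix time; the file header calls the
            // value informative only (YARA reads no timestamping data).
            1635153791 <= pe.signatures[i].not_after
        )
}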
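// Blocklist entry for one code-signing certificate: matches PE files that
// carry a signature whose subject contains "Fjordland Bike Wear ApS" and
// whose serial equals the value below. YARA does not validate the certificate
// chain or file integrity (see the file header), so verify a hit before
// acting on it.
rule cert_blocklist_ba67b0de51ebb9b1179804e75357ab26 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // "MZ" magic at offset 0.
        uint16(0) == 0x5A4D and
        // signatures[] is zero-based: the last valid index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            pe.signatures[i].subject contains "Fjordland Bike Wear ApS" and (
                // One serial, with and without the leading 00 byte that DER
                // adds when the top bit is set; either rendering matches.
                pe.signatures[i].serial == "00:ba:67:b0:de:51:eb:b9:b1:17:98:04:e7:53:57:ab:26" or
                pe.signatures[i].serial == "ba:67:b0:de:51:eb:b9:b1:17:98:04:e7:53:57:ab:26"
            ) and
            // not_after must be >= this Unix time; the file header calls the
            // value informative only (YARA reads no timestamping data).
            1636145940 <= pe.signatures[i].not_after
        )
}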
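// Blocklist entry for one code-signing certificate: matches PE files that
// carry a signature whose subject contains "XL-FORCE ApS" and whose serial
// equals the value below. YARA does not validate the certificate chain or
// file integrity (see the file header), so verify a hit before acting on it.
rule cert_blocklist_cff2b275ba8a1dde83ac7ff858399a62 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // "MZ" magic at offset 0.
        uint16(0) == 0x5A4D and
        // signatures[] is zero-based: the last valid index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            pe.signatures[i].subject contains "XL-FORCE ApS" and (
                // One serial, with and without the leading 00 byte that DER
                // adds when the top bit is set; either rendering matches.
                pe.signatures[i].serial == "00:cf:f2:b2:75:ba:8a:1d:de:83:ac:7f:f8:58:39:9a:62" or
                pe.signatures[i].serial == "cf:f2:b2:75:ba:8a:1d:de:83:ac:7f:f8:58:39:9a:62"
            ) and
            // not_after must be >= this Unix time; the file header calls the
            // value informative only (YARA reads no timestamping data).
            1636111842 <= pe.signatures[i].not_after
        )
}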
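// Blocklist entry for one code-signing certificate: matches PE files that
// carry a signature whose subject contains "AMCERT, LLC" and whose serial
// equals the value below. YARA does not validate the certificate chain or
// file integrity (see the file header), so verify a hit before acting on it.
rule cert_blocklist_d22e026c5b5966f1cf6ef00a7c06682e {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // "MZ" magic at offset 0.
        uint16(0) == 0x5A4D and
        // signatures[] is zero-based: the last valid index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            pe.signatures[i].subject contains "AMCERT, LLC" and (
                // One serial, with and without the leading 00 byte that DER
                // adds when the top bit is set; either rendering matches.
                pe.signatures[i].serial == "00:d2:2e:02:6c:5b:59:66:f1:cf:6e:f0:0a:7c:06:68:2e" or
                pe.signatures[i].serial == "d2:2e:02:6c:5b:59:66:f1:cf:6e:f0:0a:7c:06:68:2e"
            ) and
            // not_after must be >= this Unix time; the file header calls the
            // value informative only (YARA reads no timestamping data).
            1636456620 <= pe.signatures[i].not_after
        )
}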
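// Blocklist entry for one code-signing certificate: matches PE files that
// carry a signature whose subject contains "POLE CLEAN LTD" and whose serial
// equals the value below. YARA does not validate the certificate chain or
// file integrity (see the file header), so verify a hit before acting on it.
rule cert_blocklist_3054f940c931bad7b238a24376c6a5cc {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // "MZ" magic at offset 0.
        uint16(0) == 0x5A4D and
        // signatures[] is zero-based: the last valid index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            pe.signatures[i].subject contains "POLE CLEAN LTD" and
            pe.signatures[i].serial == "30:54:f9:40:c9:31:ba:d7:b2:38:a2:43:76:c6:a5:cc" and
            // not_after must be >= this Unix time; the file header calls the
            // value informative only (YARA reads no timestamping data).
            1637030220 <= pe.signatures[i].not_after
        )
}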
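// Blocklist entry for one code-signing certificate: matches PE files that
// carry a signature whose subject contains "EXPRESS BOOKS LTD" and whose
// serial equals the value below. YARA does not validate the certificate chain
// or file integrity (see the file header), so verify a hit before acting on it.
rule cert_blocklist_a617e23d6ca8f34e2f7413cd299fc72b {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // "MZ" magic at offset 0.
        uint16(0) == 0x5A4D and
        // signatures[] is zero-based: the last valid index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            pe.signatures[i].subject contains "EXPRESS BOOKS LTD" and (
                // One serial, with and without the leading 00 byte that DER
                // adds when the top bit is set; either rendering matches.
                pe.signatures[i].serial == "00:a6:17:e2:3d:6c:a8:f3:4e:2f:74:13:cd:29:9f:c7:2b" or
                pe.signatures[i].serial == "a6:17:e2:3d:6c:a8:f3:4e:2f:74:13:cd:29:9f:c7:2b"
            ) and
            // not_after must be >= this Unix time; the file header calls the
            // value informative only (YARA reads no timestamping data).
            1636971821 <= pe.signatures[i].not_after
        )
}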
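// Blocklist entry for one code-signing certificate: matches PE files that
// carry a signature whose subject contains "ULTRA ACADEMY LTD" and whose
// serial equals the value below. YARA does not validate the certificate chain
// or file integrity (see the file header), so verify a hit before acting on it.
rule cert_blocklist_387eeb89b8bf626bbf4c7c9f5b998b40 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // "MZ" magic at offset 0.
        uint16(0) == 0x5A4D and
        // signatures[] is zero-based: the last valid index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            pe.signatures[i].subject contains "ULTRA ACADEMY LTD" and
            pe.signatures[i].serial == "38:7e:eb:89:b8:bf:62:6b:bf:4c:7c:9f:5b:99:8b:40" and
            // not_after must be >= this Unix time; the file header calls the
            // value informative only (YARA reads no timestamping data).
            1637141034 <= pe.signatures[i].not_after
        )
}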
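// Blocklist entry for one code-signing certificate: matches PE files that
// carry a signature whose subject contains "Affairs-case s.r.o." and whose
// serial equals the value below. YARA does not validate the certificate chain
// or file integrity (see the file header), so verify a hit before acting on it.
rule cert_blocklist_292eb1133507f42e6f36c5549c189d5e {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // "MZ" magic at offset 0.
        uint16(0) == 0x5A4D and
        // signatures[] is zero-based: the last valid index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            pe.signatures[i].subject contains "Affairs-case s.r.o." and
            pe.signatures[i].serial == "29:2e:b1:13:35:07:f4:2e:6f:36:c5:54:9c:18:9d:5e" and
            // not_after must be >= this Unix time; the file header calls the
            // value informative only (YARA reads no timestamping data).
            1638832273 <= pe.signatures[i].not_after
        )
}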
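// Blocklist entry for one code-signing certificate: matches PE files that
// carry a signature whose subject contains "MACHINES SATU MARE SRL" and whose
// serial equals the value below. YARA does not validate the certificate chain
// or file integrity (see the file header), so verify a hit before acting on it.
rule cert_blocklist_5fbf16a33d26390a15f046c310030cf0 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // "MZ" magic at offset 0.
        uint16(0) == 0x5A4D and
        // signatures[] is zero-based: the last valid index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            pe.signatures[i].subject contains "MACHINES SATU MARE SRL" and
            pe.signatures[i].serial == "5f:bf:16:a3:3d:26:39:0a:15:f0:46:c3:10:03:0c:f0" and
            // not_after must be >= this Unix time; the file header calls the
            // value informative only (YARA reads no timestamping data).
            1638390070 <= pe.signatures[i].not_after
        )
}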
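// Blocklist entry for one code-signing certificate: matches PE files that
// carry a signature whose subject contains "TechnoElek s.r.o." and whose
// serial equals the value below. YARA does not validate the certificate chain
// or file integrity (see the file header), so verify a hit before acting on it.
rule cert_blocklist_0f007898afcba5f8af8ae65d01803617 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // "MZ" magic at offset 0.
        uint16(0) == 0x5A4D and
        // signatures[] is zero-based: the last valid index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            pe.signatures[i].subject contains "TechnoElek s.r.o." and
            pe.signatures[i].serial == "0f:00:78:98:af:cb:a5:f8:af:8a:e6:5d:01:80:36:17" and
            // not_after must be >= this Unix time; the file header calls the
            // value informative only (YARA reads no timestamping data).
            1638372946 <= pe.signatures[i].not_after
        )
}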
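// Blocklist entry for one code-signing certificate: matches PE files that
// carry a signature whose subject contains "VALVE ACTUATION LTD" and whose
// serial equals the value below. YARA does not validate the certificate chain
// or file integrity (see the file header), so verify a hit before acting on it.
rule cert_blocklist_e55be88ddbd93c423220468d430905dd {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // "MZ" magic at offset 0.
        uint16(0) == 0x5A4D and
        // signatures[] is zero-based: the last valid index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            pe.signatures[i].subject contains "VALVE ACTUATION LTD" and (
                // One serial, with and without the leading 00 byte that DER
                // adds when the top bit is set; either rendering matches.
                pe.signatures[i].serial == "00:e5:5b:e8:8d:db:d9:3c:42:32:20:46:8d:43:09:05:dd" or
                pe.signatures[i].serial == "e5:5b:e8:8d:db:d9:3c:42:32:20:46:8d:43:09:05:dd"
            ) and
            // not_after must be >= this Unix time; the file header calls the
            // value informative only (YARA reads no timestamping data).
            1637712000 <= pe.signatures[i].not_after
        )
}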
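// Blocklist entry for one code-signing certificate: matches PE files that
// carry a signature whose subject contains "Revo Security SRL" and whose
// serial equals the value below. YARA does not validate the certificate chain
// or file integrity (see the file header), so verify a hit before acting on it.
rule cert_blocklist_06bcb74291d96096577bdb1e165dce85 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // "MZ" magic at offset 0.
        uint16(0) == 0x5A4D and
        // signatures[] is zero-based: the last valid index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            pe.signatures[i].subject contains "Revo Security SRL" and
            pe.signatures[i].serial == "06:bc:b7:42:91:d9:60:96:57:7b:db:1e:16:5d:ce:85" and
            // not_after must be >= this Unix time; the file header calls the
            // value informative only (YARA reads no timestamping data).
            1637971201 <= pe.signatures[i].not_after
        )
}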
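// Blocklist entry for one code-signing certificate: matches PE files that
// carry a signature whose subject contains "Ambidekstr LLC" and whose serial
// equals the value below. YARA does not validate the certificate chain or
// file integrity (see the file header), so verify a hit before acting on it.
rule cert_blocklist_c8442a8185082ef1ed7dc3fff2176aa7 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        // "MZ" magic at offset 0.
        uint16(0) == 0x5A4D and
        // signatures[] is zero-based: the last valid index is count - 1.
        for any i in (0..pe.number_of_signatures - 1): (
            pe.signatures[i].subject contains "Ambidekstr LLC" and (
                // One serial, with and without the leading 00 byte that DER
                // adds when the top bit is set; either rendering matches.
                pe.signatures[i].serial == "00:c8:44:2a:81:85:08:2e:f1:ed:7d:c3:ff:f2:17:6a:a7" or
                pe.signatures[i].serial == "c8:44:2a:81:85:08:2e:f1:ed:7d:c3:ff:f2:17:6a:a7"
            ) and
            // not_after must be >= this Unix time; the file header calls the
            // value informative only (YARA reads no timestamping data).
            1616976000 <= pe.signatures[i].not_after
        )
}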
// Blocklist entry: matches PE files carrying a signature whose subject
// contains "Venezia Design SRL" and whose serial equals the value below.
rule cert_blocklist_0406c4a1521a38c8d0c4aa214388e4dc {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// "MZ" magic at offset 0: only DOS/PE executables are considered.
uint16(0) == 0x5A4D and
// Inclusive range, so index number_of_signatures is evaluated as well.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Venezia Design SRL" and
pe.signatures[i].serial == "04:06:c4:a1:52:1a:38:c8:d0:c4:aa:21:43:88:e4:dc" and
// Certificate expiry (not_after, Unix seconds) must be at or after this value;
// issuer and chain validity are not part of the condition.
1641859201 <= pe.signatures[i].not_after
)
}
// Blocklist entry: matches PE files carrying a signature whose subject
// contains "APRIL BROTHERS LTD" and whose serial equals the value below.
rule cert_blocklist_12705fb66bc22c68372a1c4e5fa662e2 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// "MZ" magic at offset 0: only DOS/PE executables are considered.
uint16(0) == 0x5A4D and
// Inclusive range, so index number_of_signatures is evaluated as well.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "APRIL BROTHERS LTD" and
pe.signatures[i].serial == "12:70:5f:b6:6b:c2:2c:68:37:2a:1c:4e:5f:a6:62:e2" and
// Certificate expiry (not_after, Unix seconds) must be at or after this value;
// issuer and chain validity are not part of the condition.
1642464000 <= pe.signatures[i].not_after
)
}
// Blocklist entry: matches PE files carrying a signature whose subject
// contains "Office Rat s.r.o." and whose serial equals the value below.
rule cert_blocklist_3b0914e2982be8980aa23f49848555e5 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// "MZ" magic at offset 0: only DOS/PE executables are considered.
uint16(0) == 0x5A4D and
// Inclusive range, so index number_of_signatures is evaluated as well.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Office Rat s.r.o." and
pe.signatures[i].serial == "3b:09:14:e2:98:2b:e8:98:0a:a2:3f:49:84:85:55:e5" and
// Certificate expiry (not_after, Unix seconds) must be at or after this value;
// issuer and chain validity are not part of the condition.
1643155200 <= pe.signatures[i].not_after
)
}
// Blocklist entry: matches PE files carrying a signature whose subject
// contains "SAMOYAJ LIMITED" and whose serial equals the value below.
rule cert_blocklist_029bf7e1cb09fe277564bd27c267de5a {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// "MZ" magic at offset 0: only DOS/PE executables are considered.
uint16(0) == 0x5A4D and
// Inclusive range, so index number_of_signatures is evaluated as well.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "SAMOYAJ LIMITED" and
pe.signatures[i].serial == "02:9b:f7:e1:cb:09:fe:27:75:64:bd:27:c2:67:de:5a" and
// Certificate expiry (not_after, Unix seconds) must be at or after this value;
// issuer and chain validity are not part of the condition.
1637712001 <= pe.signatures[i].not_after
)
}
// Blocklist entry: matches PE files carrying a signature whose subject
// contains "HOUSE 9A s.r.o" and whose serial equals either form below.
rule cert_blocklist_d3aee8abb9948844a3ac1c04cc7e6bdf {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// "MZ" magic at offset 0: only DOS/PE executables are considered.
uint16(0) == 0x5A4D and
// Inclusive range, so index number_of_signatures is evaluated as well.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "HOUSE 9A s.r.o" and (
// Serial listed with and without a leading 00 byte (the first byte is >= 0x80,
// where DER pads the integer); presumably covers both renderings.
pe.signatures[i].serial == "00:d3:ae:e8:ab:b9:94:88:44:a3:ac:1c:04:cc:7e:6b:df" or
pe.signatures[i].serial == "d3:ae:e8:ab:b9:94:88:44:a3:ac:1c:04:cc:7e:6b:df"
) and
// Certificate expiry (not_after, Unix seconds) must be at or after this value;
// issuer and chain validity are not part of the condition.
1640822400 <= pe.signatures[i].not_after
)
}
// Blocklist entry: matches PE files carrying a signature whose subject
// contains "videoalarm s. r. o." and whose serial equals the value below.
rule cert_blocklist_734819463c1195bd6e135ce4d5bf49bc {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// "MZ" magic at offset 0: only DOS/PE executables are considered.
uint16(0) == 0x5A4D and
// Inclusive range, so index number_of_signatures is evaluated as well.
for any i in (0..pe.number_of_signatures): (
// "contains" is a case-sensitive substring test, so spacing and case must match as written.
pe.signatures[i].subject contains "videoalarm s. r. o." and
pe.signatures[i].serial == "73:48:19:46:3c:11:95:bd:6e:13:5c:e4:d5:bf:49:bc" and
// Certificate expiry (not_after, Unix seconds) must be at or after this value;
// issuer and chain validity are not part of the condition.
1637884800 <= pe.signatures[i].not_after
)
}
// Blocklist entry: matches PE files carrying a signature whose subject
// contains "SPSLTD PLYMOUTH LTD" and whose serial equals either form below.
rule cert_blocklist_db95b22362d46a73c39e0ac924883c5b {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// "MZ" magic at offset 0: only DOS/PE executables are considered.
uint16(0) == 0x5A4D and
// Inclusive range, so index number_of_signatures is evaluated as well.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "SPSLTD PLYMOUTH LTD" and (
// Serial listed with and without a leading 00 byte (the first byte is >= 0x80,
// where DER pads the integer); presumably covers both renderings.
pe.signatures[i].serial == "00:db:95:b2:23:62:d4:6a:73:c3:9e:0a:c9:24:88:3c:5b" or
pe.signatures[i].serial == "db:95:b2:23:62:d4:6a:73:c3:9e:0a:c9:24:88:3c:5b"
) and
// Certificate expiry (not_after, Unix seconds) must be at or after this value;
// issuer and chain validity are not part of the condition.
1621296000 <= pe.signatures[i].not_after
)
}
// Blocklist entry: matches PE files carrying a signature whose subject
// contains "Hermetica Digital Ltd" and whose serial equals the value below.
rule cert_blocklist_0c48732873ac8ccebaf8f0e1e8329cec {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// "MZ" magic at offset 0: only DOS/PE executables are considered.
uint16(0) == 0x5A4D and
// Inclusive range, so index number_of_signatures is evaluated as well.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Hermetica Digital Ltd" and
pe.signatures[i].serial == "0c:48:73:28:73:ac:8c:ce:ba:f8:f0:e1:e8:32:9c:ec" and
// Certificate expiry (not_after, Unix seconds) must be at or after this value;
// issuer and chain validity are not part of the condition.
1618272000 <= pe.signatures[i].not_after
)
}
// Blocklist entry: matches PE files carrying a signature whose subject
// contains "CUT AHEAD LTD" and whose serial equals either form below.
rule cert_blocklist_c51f4cf4d82bc920421e1ad93e39d490 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// "MZ" magic at offset 0: only DOS/PE executables are considered.
uint16(0) == 0x5A4D and
// Inclusive range, so index number_of_signatures is evaluated as well.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "CUT AHEAD LTD" and (
// Serial listed with and without a leading 00 byte (the first byte is >= 0x80,
// where DER pads the integer); presumably covers both renderings.
pe.signatures[i].serial == "00:c5:1f:4c:f4:d8:2b:c9:20:42:1e:1a:d9:3e:39:d4:90" or
pe.signatures[i].serial == "c5:1f:4c:f4:d8:2b:c9:20:42:1e:1a:d9:3e:39:d4:90"
) and
// Certificate expiry (not_after, Unix seconds) must be at or after this value;
// issuer and chain validity are not part of the condition.
1644624000 <= pe.signatures[i].not_after
)
}
// Blocklist entry: matches PE files carrying a signature whose subject
// contains "THE FAITH SP Z O O" and whose serial equals either form below.
rule cert_blocklist_c96086f1894e6420d2b4bdeea834c4d7 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// "MZ" magic at offset 0: only DOS/PE executables are considered.
uint16(0) == 0x5A4D and
// Inclusive range, so index number_of_signatures is evaluated as well.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "THE FAITH SP Z O O" and (
// Serial listed with and without a leading 00 byte (the first byte is >= 0x80,
// where DER pads the integer); presumably covers both renderings.
pe.signatures[i].serial == "00:c9:60:86:f1:89:4e:64:20:d2:b4:bd:ee:a8:34:c4:d7" or
pe.signatures[i].serial == "c9:60:86:f1:89:4e:64:20:d2:b4:bd:ee:a8:34:c4:d7"
) and
// Certificate expiry (not_after, Unix seconds) must be at or after this value;
// issuer and chain validity are not part of the condition.
1644969600 <= pe.signatures[i].not_after
)
}
// Blocklist entry: matches PE files carrying a signature whose subject
// contains "Zimmi Consulting Inc" and whose serial equals the value below.
rule cert_blocklist_06fa27a121cc82230c3013ee634b6c62 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// "MZ" magic at offset 0: only DOS/PE executables are considered.
uint16(0) == 0x5A4D and
// Inclusive range, so index number_of_signatures is evaluated as well.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Zimmi Consulting Inc" and
pe.signatures[i].serial == "06:fa:27:a1:21:cc:82:23:0c:30:13:ee:63:4b:6c:62" and
// Certificate expiry (not_after, Unix seconds) must be at or after this value;
// issuer and chain validity are not part of the condition.
1645142401 <= pe.signatures[i].not_after
)
}
// Blocklist entry: matches PE files carrying a signature whose subject
// contains "DOD MEDIA LIMITED" and whose serial equals either form below.
rule cert_blocklist_9dd3b2f7957ba99f4b04fcdbe03b7aac {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// "MZ" magic at offset 0: only DOS/PE executables are considered.
uint16(0) == 0x5A4D and
// Inclusive range, so index number_of_signatures is evaluated as well.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "DOD MEDIA LIMITED" and (
// Serial listed with and without a leading 00 byte (the first byte is >= 0x80,
// where DER pads the integer); presumably covers both renderings.
pe.signatures[i].serial == "00:9d:d3:b2:f7:95:7b:a9:9f:4b:04:fc:db:e0:3b:7a:ac" or
pe.signatures[i].serial == "9d:d3:b2:f7:95:7b:a9:9f:4b:04:fc:db:e0:3b:7a:ac"
) and
// Certificate expiry (not_after, Unix seconds) must be at or after this value;
// issuer and chain validity are not part of the condition.
1646438400 <= pe.signatures[i].not_after
)
}
// Blocklist entry: matches PE files carrying a signature whose subject
// contains "TACHOPARTS SP Z O O" and whose serial equals the value below.
rule cert_blocklist_061051ff2a8afab10347a6f1ff08ecb6 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// "MZ" magic at offset 0: only DOS/PE executables are considered.
uint16(0) == 0x5A4D and
// Inclusive range, so index number_of_signatures is evaluated as well.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "TACHOPARTS SP Z O O" and
pe.signatures[i].serial == "06:10:51:ff:2a:8a:fa:b1:03:47:a6:f1:ff:08:ec:b6" and
// Certificate expiry (not_after, Unix seconds) must be at or after this value;
// issuer and chain validity are not part of the condition.
1606435200 <= pe.signatures[i].not_after
)
}
// Blocklist entry: matches PE files carrying a signature whose subject
// contains "OWLNET LIMITED" and whose serial equals either form below.
rule cert_blocklist_eda2429083bfafb04e6e7bdda1b08834 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// "MZ" magic at offset 0: only DOS/PE executables are considered.
uint16(0) == 0x5A4D and
// Inclusive range, so index number_of_signatures is evaluated as well.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "OWLNET LIMITED" and (
// Serial listed with and without a leading 00 byte (the first byte is >= 0x80,
// where DER pads the integer); presumably covers both renderings.
pe.signatures[i].serial == "00:ed:a2:42:90:83:bf:af:b0:4e:6e:7b:dd:a1:b0:88:34" or
pe.signatures[i].serial == "ed:a2:42:90:83:bf:af:b0:4e:6e:7b:dd:a1:b0:88:34"
) and
// Certificate expiry (not_after, Unix seconds) must be at or after this value;
// issuer and chain validity are not part of the condition.
1625011200 <= pe.signatures[i].not_after
)
}
// Blocklist entry: matches PE files carrying a signature whose subject
// contains "Maya logistika d.o.o." and whose serial equals the value below.
// Only this serial is covered here; the subject string alone does not match.
rule cert_blocklist_0a590154b5980e566314122987dea548 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// "MZ" magic at offset 0: only DOS/PE executables are considered.
uint16(0) == 0x5A4D and
// Inclusive range, so index number_of_signatures is evaluated as well.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Maya logistika d.o.o." and
pe.signatures[i].serial == "0a:59:01:54:b5:98:0e:56:63:14:12:29:87:de:a5:48" and
// Certificate expiry (not_after, Unix seconds) must be at or after this value;
// issuer and chain validity are not part of the condition.
1636416000 <= pe.signatures[i].not_after
)
}
// Blocklist entry: matches PE files carrying a signature whose subject
// contains "PUSH BANK LIMITED" and whose serial equals the value below.
rule cert_blocklist_69a72f5591ad78a0825fbb9402ab9543 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// "MZ" magic at offset 0: only DOS/PE executables are considered.
uint16(0) == 0x5A4D and
// Inclusive range, so index number_of_signatures is evaluated as well.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "PUSH BANK LIMITED" and
pe.signatures[i].serial == "69:a7:2f:55:91:ad:78:a0:82:5f:bb:94:02:ab:95:43" and
// Certificate expiry (not_after, Unix seconds) must be at or after this value;
// issuer and chain validity are not part of the condition.
1581811200 <= pe.signatures[i].not_after
)
}
// Blocklist entry: matches PE files carrying a signature whose subject
// contains "Divertida Creative Limited" and whose serial equals the value below.
rule cert_blocklist_0883db137021b51f3a2a08a76a4bc066 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// "MZ" magic at offset 0: only DOS/PE executables are considered.
uint16(0) == 0x5A4D and
// Inclusive range, so index number_of_signatures is evaluated as well.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Divertida Creative Limited" and
pe.signatures[i].serial == "08:83:db:13:70:21:b5:1f:3a:2a:08:a7:6a:4b:c0:66" and
// Certificate expiry (not_after, Unix seconds) must be at or after this value;
// issuer and chain validity are not part of the condition.
1627430400 <= pe.signatures[i].not_after
)
}
// Blocklist entry: matches PE files carrying a signature whose subject
// contains "Python Software Foundation" and whose serial equals the value below.
// The serial is what pins the certificate: other certificates naming the same
// subject do not satisfy the condition.
rule cert_blocklist_2b921aaaba777b5a99507196c6f1c46c {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// "MZ" magic at offset 0: only DOS/PE executables are considered.
uint16(0) == 0x5A4D and
// Inclusive range, so index number_of_signatures is evaluated as well.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Python Software Foundation" and
pe.signatures[i].serial == "2b:92:1a:aa:ba:77:7b:5a:99:50:71:96:c6:f1:c4:6c" and
// Certificate expiry (not_after, Unix seconds) must be at or after this value;
// issuer and chain validity are not part of the condition, so a hit should be
// confirmed with a tool that validates the signature.
1648425600 <= pe.signatures[i].not_after
)
}
// Blocklist entry: matches PE files carrying a signature whose subject
// contains "JAWRO SP Z O O" and whose serial equals the value below.
rule cert_blocklist_0332d5c942869bdcabf5a8266197cd14 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// "MZ" magic at offset 0: only DOS/PE executables are considered.
uint16(0) == 0x5A4D and
// Inclusive range, so index number_of_signatures is evaluated as well.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "JAWRO SP Z O O" and
pe.signatures[i].serial == "03:32:d5:c9:42:86:9b:dc:ab:f5:a8:26:61:97:cd:14" and
// Certificate expiry (not_after, Unix seconds) must be at or after this value;
// issuer and chain validity are not part of the condition.
1622160000 <= pe.signatures[i].not_after
)
}
// Blocklist entry: matches PE files carrying a signature whose subject
// contains "HURT GROUP HOLDINGS LIMITED" and whose serial equals the value below.
rule cert_blocklist_4679c5398a279318365fd77a84445699 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// "MZ" magic at offset 0: only DOS/PE executables are considered.
uint16(0) == 0x5A4D and
// Inclusive range, so index number_of_signatures is evaluated as well.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "HURT GROUP HOLDINGS LIMITED" and
pe.signatures[i].serial == "46:79:c5:39:8a:27:93:18:36:5f:d7:7a:84:44:56:99" and
// Certificate expiry (not_after, Unix seconds) must be at or after this value;
// issuer and chain validity are not part of the condition.
1643846400 <= pe.signatures[i].not_after
)
}
// Blocklist entry: matches PE files carrying a signature whose subject
// contains "BIC GROUP LIMITED" and whose serial equals the value below.
rule cert_blocklist_101d6a5a29d9a77807553ceac669d853 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// "MZ" magic at offset 0: only DOS/PE executables are considered.
uint16(0) == 0x5A4D and
// Inclusive range, so index number_of_signatures is evaluated as well.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "BIC GROUP LIMITED" and
pe.signatures[i].serial == "10:1d:6a:5a:29:d9:a7:78:07:55:3c:ea:c6:69:d8:53" and
// Certificate expiry (not_after, Unix seconds) must be at or after this value;
// issuer and chain validity are not part of the condition.
1646352000 <= pe.signatures[i].not_after
)
}
// Blocklist entry: matches PE files carrying a signature whose subject
// contains "SAY LIMITED" and whose serial equals the value below.
rule cert_blocklist_6000f8c02b0a15b1e53b8399845faddf {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// "MZ" magic at offset 0: only DOS/PE executables are considered.
uint16(0) == 0x5A4D and
// Inclusive range, so index number_of_signatures is evaluated as well.
for any i in (0..pe.number_of_signatures): (
// Short subject matched as a substring; the serial comparison is what narrows the hit.
pe.signatures[i].subject contains "SAY LIMITED" and
pe.signatures[i].serial == "60:00:f8:c0:2b:0a:15:b1:e5:3b:83:99:84:5f:ad:df" and
// Certificate expiry (not_after, Unix seconds) must be at or after this value;
// issuer and chain validity are not part of the condition.
1644278400 <= pe.signatures[i].not_after
)
}
// Blocklist entry: matches PE files carrying a signature whose subject
// contains "Prod Can Holdings Inc." and whose serial equals the value below.
rule cert_blocklist_121070be1e782f206985543bc7bc58b6 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// "MZ" magic at offset 0: only DOS/PE executables are considered.
uint16(0) == 0x5A4D and
// Inclusive range, so index number_of_signatures is evaluated as well.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Prod Can Holdings Inc." and
pe.signatures[i].serial == "12:10:70:be:1e:78:2f:20:69:85:54:3b:c7:bc:58:b6" and
// Certificate expiry (not_after, Unix seconds) must be at or after this value;
// issuer and chain validity are not part of the condition.
1647820800 <= pe.signatures[i].not_after
)
}
// Blocklist entry: matches PE files carrying a signature whose subject
// contains "VALENTE SP Z O O" and whose serial equals the value below.
rule cert_blocklist_5226a724cfa0b4bc0164ecda3f02a3dc {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// "MZ" magic at offset 0: only DOS/PE executables are considered.
uint16(0) == 0x5A4D and
// Inclusive range, so index number_of_signatures is evaluated as well.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "VALENTE SP Z O O" and
pe.signatures[i].serial == "52:26:a7:24:cf:a0:b4:bc:01:64:ec:da:3f:02:a3:dc" and
// Certificate expiry (not_after, Unix seconds) must be at or after this value;
// issuer and chain validity are not part of the condition.
1647302400 <= pe.signatures[i].not_after
)
}
// Blocklist entry: matches PE files carrying a signature whose subject
// contains "Rebound Infotech Limited" and whose serial equals the value below.
rule cert_blocklist_0a7be7722b65a866ebcd3bd7f8f10825 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// "MZ" magic at offset 0: only DOS/PE executables are considered.
uint16(0) == 0x5A4D and
// Inclusive range, so index number_of_signatures is evaluated as well.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Rebound Infotech Limited" and
pe.signatures[i].serial == "0a:7b:e7:72:2b:65:a8:66:eb:cd:3b:d7:f8:f1:08:25" and
// Certificate expiry (not_after, Unix seconds) must be at or after this value;
// issuer and chain validity are not part of the condition.
1637971200 <= pe.signatures[i].not_after
)
}
// Blocklist entry: matches PE files carrying a signature whose subject
// contains "Walden Intertech Inc." and whose serial equals the value below.
rule cert_blocklist_05634456dbedb3556ca8415e64815c5d {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// "MZ" magic at offset 0: only DOS/PE executables are considered.
uint16(0) == 0x5A4D and
// Inclusive range, so index number_of_signatures is evaluated as well.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Walden Intertech Inc." and
pe.signatures[i].serial == "05:63:44:56:db:ed:b3:55:6c:a8:41:5e:64:81:5c:5d" and
// Certificate expiry (not_after, Unix seconds) must be at or after this value;
// issuer and chain validity are not part of the condition.
1648425600 <= pe.signatures[i].not_after
)
}
// Blocklist entry: matches PE files carrying a signature whose subject
// contains "Emurasoft, Inc." and whose serial equals the value below.
// The serial is what pins the certificate: other certificates naming the same
// subject do not satisfy the condition.
rule cert_blocklist_2e07a8d6e3b25ae010c8ed2c4ab0fb37 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// "MZ" magic at offset 0: only DOS/PE executables are considered.
uint16(0) == 0x5A4D and
// Inclusive range, so index number_of_signatures is evaluated as well.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Emurasoft, Inc." and
pe.signatures[i].serial == "2e:07:a8:d6:e3:b2:5a:e0:10:c8:ed:2c:4a:b0:fb:37" and
// Certificate expiry (not_after, Unix seconds) must be at or after this value;
// issuer and chain validity are not part of the condition, so a hit should be
// confirmed with a tool that validates the signature.
1650499200 <= pe.signatures[i].not_after
)
}
// Blocklist entry: matches PE files carrying a signature whose subject
// contains "Enforcer Srl" and whose serial equals the value below.
rule cert_blocklist_30b4eeebd88fd205acc8577bbaed8655 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// "MZ" magic at offset 0: only DOS/PE executables are considered.
uint16(0) == 0x5A4D and
// Inclusive range, so index number_of_signatures is evaluated as well.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Enforcer Srl" and
pe.signatures[i].serial == "30:b4:ee:eb:d8:8f:d2:05:ac:c8:57:7b:ba:ed:86:55" and
// Certificate expiry (not_after, Unix seconds) must be at or after this value;
// issuer and chain validity are not part of the condition.
1646179200 <= pe.signatures[i].not_after
)
}
// Blocklist entry: matches PE files carrying a signature whose subject
// contains "VERIFIED SOFTWARE LLC" and whose serial equals either form below.
rule cert_blocklist_b3391a6c1b3c6836533959e2384ab4ca {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// "MZ" magic at offset 0: only DOS/PE executables are considered.
uint16(0) == 0x5A4D and
// Inclusive range, so index number_of_signatures is evaluated as well.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "VERIFIED SOFTWARE LLC" and (
// Serial listed with and without a leading 00 byte (the first byte is >= 0x80,
// where DER pads the integer); presumably covers both renderings.
pe.signatures[i].serial == "00:b3:39:1a:6c:1b:3c:68:36:53:39:59:e2:38:4a:b4:ca" or
pe.signatures[i].serial == "b3:39:1a:6c:1b:3c:68:36:53:39:59:e2:38:4a:b4:ca"
) and
// Certificate expiry (not_after, Unix seconds) must be at or after this value;
// issuer and chain validity are not part of the condition.
1595462400 <= pe.signatures[i].not_after
)
}
// Blocklist entry: matches PE files carrying a signature whose subject
// contains "Toliz Info Tech Solutions INC." and whose serial equals the value below.
rule cert_blocklist_05d50a0e09bb9a836ffb90a3 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// "MZ" magic at offset 0: only DOS/PE executables are considered.
uint16(0) == 0x5A4D and
// Inclusive range, so index number_of_signatures is evaluated as well.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Toliz Info Tech Solutions INC." and
// 12-byte serial, shorter than the 16-byte serials used by most entries in this file.
// Serials are unique only per issuing CA, and the issuer is not compared here.
pe.signatures[i].serial == "05:d5:0a:0e:09:bb:9a:83:6f:fb:90:a3" and
// Certificate expiry (not_after, Unix seconds) must be at or after this value.
1643892810 <= pe.signatures[i].not_after
)
}
// Blocklist entry: matches PE files carrying a signature whose subject
// contains "exxon.com" and whose serial equals the value below.
rule cert_blocklist_0a2787fbb4627c91611573e323584113 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// "MZ" magic at offset 0: only DOS/PE executables are considered.
uint16(0) == 0x5A4D and
// Inclusive range, so index number_of_signatures is evaluated as well.
for any i in (0..pe.number_of_signatures): (
// The subject is a domain name matched as a substring, so any subject that
// embeds this text passes; the serial comparison is what pins the certificate.
pe.signatures[i].subject contains "exxon.com" and
pe.signatures[i].serial == "0a:27:87:fb:b4:62:7c:91:61:15:73:e3:23:58:41:13" and
// Certificate expiry (not_after, Unix seconds) must be at or after this value;
// issuer and chain validity are not part of the condition, so self-issued
// look-alike certificates are not excluded by this rule.
1640822400 <= pe.signatures[i].not_after
)
}
// Blocklist entry: matches PE files carrying a signature whose subject
// contains "REDWOOD MARKETING SOLUTIONS INC." and whose serial equals the value below.
rule cert_blocklist_1d36c4f439d651503589318f {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// "MZ" magic at offset 0: only DOS/PE executables are considered.
uint16(0) == 0x5A4D and
// Inclusive range, so index number_of_signatures is evaluated as well.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "REDWOOD MARKETING SOLUTIONS INC." and
// 12-byte serial, shorter than the 16-byte serials used by most entries in this file.
// Serials are unique only per issuing CA, and the issuer is not compared here.
pe.signatures[i].serial == "1d:36:c4:f4:39:d6:51:50:35:89:31:8f" and
// Certificate expiry (not_after, Unix seconds) must be at or after this value.
1651518469 <= pe.signatures[i].not_after
)
}
// Blocklist entry: matches PE files carrying a signature whose subject
// contains the escaped company name below and whose serial equals the value below.
rule cert_blocklist_26f855a25890b749578f13e4b9459768 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// "MZ" magic at offset 0: only DOS/PE executables are considered.
uint16(0) == 0x5A4D and
// Inclusive range, so index number_of_signatures is evaluated as well.
for any i in (0..pe.number_of_signatures): (
// "\\" is an escaped backslash, so the text \xE2\x80\x99 is compared literally
// rather than as three raw bytes. NOTE(review): presumably this mirrors how the
// pe module renders non-ASCII subject bytes — confirm before editing the string.
pe.signatures[i].subject contains "Boo\\xE2\\x80\\x99s Q & Sweets Corporation" and
pe.signatures[i].serial == "26:f8:55:a2:58:90:b7:49:57:8f:13:e4:b9:45:97:68" and
// Certificate expiry (not_after, Unix seconds) must be at or after this value;
// issuer and chain validity are not part of the condition.
1645401600 <= pe.signatures[i].not_after
)
}
// Blocklist entry: matches PE files carrying a signature whose subject
// contains "Aarav Consulting Inc." and whose serial equals the value below.
rule cert_blocklist_0f1ae2239bb96c5aef49d0ae50266912 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// "MZ" magic at offset 0: only DOS/PE executables are considered.
uint16(0) == 0x5A4D and
// Inclusive range, so index number_of_signatures is evaluated as well.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Aarav Consulting Inc." and
pe.signatures[i].serial == "0f:1a:e2:23:9b:b9:6c:5a:ef:49:d0:ae:50:26:69:12" and
// Certificate expiry (not_after, Unix seconds) must be at or after this value;
// issuer and chain validity are not part of the condition.
1653004800 <= pe.signatures[i].not_after
)
}
// Blocklist entry: matches PE files carrying a signature whose subject
// contains "SPIRIT CONSULTING s. r. o." and whose serial equals the value below.
rule cert_blocklist_1deea179f5757fe529043577762419df {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// "MZ" magic at offset 0: only DOS/PE executables are considered.
uint16(0) == 0x5A4D and
// Inclusive range, so index number_of_signatures is evaluated as well.
for any i in (0..pe.number_of_signatures): (
// "contains" is a case-sensitive substring test, so spacing and case must match as written.
pe.signatures[i].subject contains "SPIRIT CONSULTING s. r. o." and
pe.signatures[i].serial == "1d:ee:a1:79:f5:75:7f:e5:29:04:35:77:76:24:19:df" and
// Certificate expiry (not_after, Unix seconds) must be at or after this value;
// issuer and chain validity are not part of the condition.
1645401600 <= pe.signatures[i].not_after
)
}
// Blocklist entry: matches PE files carrying a signature whose subject
// contains "TOPFLIGHT GROUP LIMITED" and whose serial equals the value below.
rule cert_blocklist_5b1f9ec88d185631ab032dbfd5166c0d {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// "MZ" magic at offset 0: only DOS/PE executables are considered.
uint16(0) == 0x5A4D and
// Inclusive range, so index number_of_signatures is evaluated as well.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "TOPFLIGHT GROUP LIMITED" and
pe.signatures[i].serial == "5b:1f:9e:c8:8d:18:56:31:ab:03:2d:bf:d5:16:6c:0d" and
// Certificate expiry (not_after, Unix seconds) must be at or after this value;
// issuer and chain validity are not part of the condition.
1656028800 <= pe.signatures[i].not_after
)
}
// Blocklist entry: matches PE files carrying a signature whose subject
// contains "DICKIE MUSDALE WINDFARM LIMITED" and whose serial equals the value below.
rule cert_blocklist_58af00ce542760fc116b41fa92e18589 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// "MZ" magic at offset 0: only DOS/PE executables are considered.
uint16(0) == 0x5A4D and
// Inclusive range, so index number_of_signatures is evaluated as well.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "DICKIE MUSDALE WINDFARM LIMITED" and
pe.signatures[i].serial == "58:af:00:ce:54:27:60:fc:11:6b:41:fa:92:e1:85:89" and
// Certificate expiry (not_after, Unix seconds) must be at or after this value;
// issuer and chain validity are not part of the condition.
1654819200 <= pe.signatures[i].not_after
)
}
// Blocklist entry: matches PE files carrying a signature whose subject
// contains "5Y TECHNOLOGY LIMITED" and whose serial equals the value below.
rule cert_blocklist_25ba18a267d6d8e08ebc6e2457d58d1e {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// "MZ" magic at offset 0: only DOS/PE executables are considered.
uint16(0) == 0x5A4D and
// Inclusive range, so index number_of_signatures is evaluated as well.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "5Y TECHNOLOGY LIMITED" and
pe.signatures[i].serial == "25:ba:18:a2:67:d6:d8:e0:8e:bc:6e:24:57:d5:8d:1e" and
// Certificate expiry (not_after, Unix seconds) must be at or after this value;
// issuer and chain validity are not part of the condition.
1648684800 <= pe.signatures[i].not_after
)
}
// Blocklist entry: matches PE files carrying a signature whose subject
// contains "FORWARD MUSIC AGENCY SRL" and whose serial equals the value below.
// Only this serial is covered here; the subject string alone does not match.
rule cert_blocklist_12df5ff3460979cec1288d874a9fbf83 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// "MZ" magic at offset 0: only DOS/PE executables are considered.
uint16(0) == 0x5A4D and
// Inclusive range, so index number_of_signatures is evaluated as well.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "FORWARD MUSIC AGENCY SRL" and
pe.signatures[i].serial == "12:df:5f:f3:46:09:79:ce:c1:28:8d:87:4a:9f:bf:83" and
// Certificate expiry (not_after, Unix seconds) must be at or after this value;
// issuer and chain validity are not part of the condition.
1599091200 <= pe.signatures[i].not_after
)
}
// Blocklist entry: matches PE files carrying a signature whose subject
// contains "FORWARD MUSIC AGENCY SRL" and whose serial equals either form below.
// Only this serial is covered here; the subject string alone does not match.
rule cert_blocklist_df2547b2cab5689a81d61de80eaaa3a2 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// "MZ" magic at offset 0: only DOS/PE executables are considered.
uint16(0) == 0x5A4D and
// Inclusive range, so index number_of_signatures is evaluated as well.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "FORWARD MUSIC AGENCY SRL" and (
// Serial listed with and without a leading 00 byte (the first byte is >= 0x80,
// where DER pads the integer); presumably covers both renderings.
pe.signatures[i].serial == "00:df:25:47:b2:ca:b5:68:9a:81:d6:1d:e8:0e:aa:a3:a2" or
pe.signatures[i].serial == "df:25:47:b2:ca:b5:68:9a:81:d6:1d:e8:0e:aa:a3:a2"
) and
// Certificate expiry (not_after, Unix seconds) must be at or after this value;
// issuer and chain validity are not part of the condition.
1657756800 <= pe.signatures[i].not_after
)
}
// Blocklist entry: matches PE files carrying a signature whose subject
// contains "2021945 Ontario Inc." and whose serial equals the value below.
rule cert_blocklist_28b691272719b1ee {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// "MZ" magic at offset 0: only DOS/PE executables are considered.
uint16(0) == 0x5A4D and
// Inclusive range, so index number_of_signatures is evaluated as well.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "2021945 Ontario Inc." and
// Only 8 bytes of serial. Serials are unique only per issuing CA and the issuer
// is not compared here, so the subject test carries more weight for this entry.
pe.signatures[i].serial == "28:b6:91:27:27:19:b1:ee" and
// Certificate expiry (not_after, Unix seconds) must be at or after this value.
1616410532 <= pe.signatures[i].not_after
)
}
// Blocklist entry: matches PE files carrying a signature whose subject
// contains "M-Trans Maciej Caban" and whose serial equals the value below.
rule cert_blocklist_1c897216e58e83cbe74ad03284e1fb82 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// "MZ" magic at offset 0: only DOS/PE executables are considered.
uint16(0) == 0x5A4D and
// Inclusive range, so index number_of_signatures is evaluated as well.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "M-Trans Maciej Caban" and
pe.signatures[i].serial == "1c:89:72:16:e5:8e:83:cb:e7:4a:d0:32:84:e1:fb:82" and
// Certificate expiry (not_after, Unix seconds) must be at or after this value;
// issuer and chain validity are not part of the condition.
1639119705 <= pe.signatures[i].not_after
)
}
// Blocklist entry: matches PE files carrying a signature whose subject
// contains "Board Game Bucket Ltd" and whose serial equals the value below.
rule cert_blocklist_5a364c4957d93406f76321c2316f42f0 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// "MZ" magic at offset 0: only DOS/PE executables are considered.
uint16(0) == 0x5A4D and
// Inclusive range, so index number_of_signatures is evaluated as well.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Board Game Bucket Ltd" and
pe.signatures[i].serial == "5a:36:4c:49:57:d9:34:06:f7:63:21:c2:31:6f:42:f0" and
// Certificate expiry (not_after, Unix seconds) must be at or after this value;
// issuer and chain validity are not part of the condition.
1661337307 <= pe.signatures[i].not_after
)
}
// Blocklist entry: matches PE files carrying a signature whose subject
// contains the escaped company name below and whose serial equals either form below.
rule cert_blocklist_e7e7f7180666546ce7a8da32119f5ce1 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// "MZ" magic at offset 0: only DOS/PE executables are considered.
uint16(0) == 0x5A4D and
// Inclusive range, so index number_of_signatures is evaluated as well.
for any i in (0..pe.number_of_signatures): (
// "\\" is an escaped backslash, so the text \xC3\x94 is compared literally
// rather than as two raw bytes. NOTE(review): presumably this mirrors how the
// pe module renders non-ASCII subject bytes — confirm before editing the string.
pe.signatures[i].subject contains "C\\xC3\\x94NG TY TNHH PDF SOFTWARE" and (
// Serial listed with and without a leading 00 byte (the first byte is >= 0x80,
// where DER pads the integer); presumably covers both renderings.
pe.signatures[i].serial == "00:e7:e7:f7:18:06:66:54:6c:e7:a8:da:32:11:9f:5c:e1" or
pe.signatures[i].serial == "e7:e7:f7:18:06:66:54:6c:e7:a8:da:32:11:9f:5c:e1"
) and
// Certificate expiry (not_after, Unix seconds) must be at or after this value;
// issuer and chain validity are not part of the condition.
1661558399 <= pe.signatures[i].not_after
)
}
// Blocklist entry: matches PE files carrying a signature whose subject
// contains "*.eos.com" and whose serial equals the value below.
rule cert_blocklist_062b2827500c5df35a83f661b3af5dd3 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// "MZ" magic at offset 0: only DOS/PE executables are considered.
uint16(0) == 0x5A4D and
// Inclusive range, so index number_of_signatures is evaluated as well.
for any i in (0..pe.number_of_signatures): (
// The "*" is a literal character of the subject text, not a pattern: "contains"
// does a plain substring comparison. The serial is what pins the certificate.
pe.signatures[i].subject contains "*.eos.com" and
pe.signatures[i].serial == "06:2b:28:27:50:0c:5d:f3:5a:83:f6:61:b3:af:5d:d3" and
// Certificate expiry (not_after, Unix seconds) must be at or after this value;
// issuer and chain validity are not part of the condition, so self-issued
// look-alike certificates are not excluded by this rule.
1651449600 <= pe.signatures[i].not_after
)
}
// Blocklist entry: matches PE files carrying a signature whose subject
// contains "Game Warriors Limited" and whose serial equals the value below.
rule cert_blocklist_7bf27695fd20b588f2b2f173b6caf2ba {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// "MZ" magic at offset 0: only DOS/PE executables are considered.
uint16(0) == 0x5A4D and
// Inclusive range, so index number_of_signatures is evaluated as well.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Game Warriors Limited" and
pe.signatures[i].serial == "7b:f2:76:95:fd:20:b5:88:f2:b2:f1:73:b6:ca:f2:ba" and
// Certificate expiry (not_after, Unix seconds) must be at or after this value;
// issuer and chain validity are not part of the condition.
1662112800 <= pe.signatures[i].not_after
)
}
// Blocklist entry: matches PE files carrying a signature whose subject
// contains "Digital Robin Limited" and whose serial equals the value below.
rule cert_blocklist_1b248c8508042d36bbd5d92d189c61d8 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// "MZ" magic at offset 0: only DOS/PE executables are considered.
uint16(0) == 0x5A4D and
// Inclusive range, so index number_of_signatures is evaluated as well.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Digital Robin Limited" and
pe.signatures[i].serial == "1b:24:8c:85:08:04:2d:36:bb:d5:d9:2d:18:9c:61:d8" and
// Certificate expiry (not_after, Unix seconds) must be at or after this value;
// issuer and chain validity are not part of the condition.
1663171218 <= pe.signatures[i].not_after
)
}
// Blocklist entry: matches PE files carrying a signature whose subject
// contains "sunshine.com" and whose serial equals the value below.
rule cert_blocklist_032660ee1d49ad35086027473e2614e5e724 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// "MZ" magic at offset 0: only DOS/PE executables are considered.
uint16(0) == 0x5A4D and
// Inclusive range, so index number_of_signatures is evaluated as well.
for any i in (0..pe.number_of_signatures): (
// The subject is a domain name matched as a substring, so any subject that
// embeds this text passes; the 18-byte serial is what pins the certificate.
pe.signatures[i].subject contains "sunshine.com" and
pe.signatures[i].serial == "03:26:60:ee:1d:49:ad:35:08:60:27:47:3e:26:14:e5:e7:24" and
// Certificate expiry (not_after, Unix seconds) must be at or after this value;
// issuer and chain validity are not part of the condition, so self-issued
// look-alike certificates are not excluded by this rule.
1660238245 <= pe.signatures[i].not_after
)
}
// Blocklist entry: matches PE files carrying a signature whose subject
// contains "ok.com" and whose serial equals the value below.
rule cert_blocklist_043052956e1e6dbd5f6ae3d8b82cad2a2ed8 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// "MZ" magic at offset 0: only DOS/PE executables are considered.
uint16(0) == 0x5A4D and
// Inclusive range, so index number_of_signatures is evaluated as well.
for any i in (0..pe.number_of_signatures): (
// Six-character substring test: it is also satisfied by any longer name that
// ends in "ok.com", so the 18-byte serial is what pins the certificate.
pe.signatures[i].subject contains "ok.com" and
pe.signatures[i].serial == "04:30:52:95:6e:1e:6d:bd:5f:6a:e3:d8:b8:2c:ad:2a:2e:d8" and
// Certificate expiry (not_after, Unix seconds) must be at or after this value;
// issuer and chain validity are not part of the condition, so self-issued
// look-alike certificates are not excluded by this rule.
1662149613 <= pe.signatures[i].not_after
)
}
// Blocklist entry: matches PE files carrying a signature whose subject
// contains "SPIDER DEVELOPMENTS PTY LTD" and whose serial equals either form below.
rule cert_blocklist_dbc03ca7e6ae6db6 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// "MZ" magic at offset 0: only DOS/PE executables are considered.
uint16(0) == 0x5A4D and
// Inclusive range, so index number_of_signatures is evaluated as well.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "SPIDER DEVELOPMENTS PTY LTD" and (
// Only 8 bytes of serial, listed with and without a leading 00 byte (the first
// byte is >= 0x80, where DER pads the integer). Serials are unique only per
// issuing CA, and the issuer is not compared here.
pe.signatures[i].serial == "00:db:c0:3c:a7:e6:ae:6d:b6" or
pe.signatures[i].serial == "db:c0:3c:a7:e6:ae:6d:b6"
) and
// Certificate expiry (not_after, Unix seconds) must be at or after this value.
1600826873 <= pe.signatures[i].not_after
)
}
// Blocklist entry: matches PE files carrying a signature whose subject
// contains "MALVINA RECRUITMENT LIMITED" and whose serial equals the value below.
rule cert_blocklist_7d27332c3cb3a382a4fd232c5c66a2 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// "MZ" magic at offset 0: only DOS/PE executables are considered.
uint16(0) == 0x5A4D and
// Inclusive range, so index number_of_signatures is evaluated as well.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "MALVINA RECRUITMENT LIMITED" and
// 15-byte serial, one byte shorter than most entries in this file.
// NOTE(review): could be a serial whose leading 00 byte was dropped — confirm against the certificate.
pe.signatures[i].serial == "7d:27:33:2c:3c:b3:a3:82:a4:fd:23:2c:5c:66:a2" and
// Certificate expiry (not_after, Unix seconds) must be at or after this value;
// issuer and chain validity are not part of the condition.
1655424000 <= pe.signatures[i].not_after
)
}
// Blocklist entry: matches PE files carrying a signature whose subject
// contains "SAVAS INVESTMENTS PTY LTD" and whose serial equals either form below.
rule cert_blocklist_82d224323efa65060b641f51fadfef02 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// "MZ" magic at offset 0: only DOS/PE executables are considered.
uint16(0) == 0x5A4D and
// Inclusive range, so index number_of_signatures is evaluated as well.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "SAVAS INVESTMENTS PTY LTD" and (
// Serial listed with and without a leading 00 byte (the first byte is >= 0x80,
// where DER pads the integer); presumably covers both renderings.
pe.signatures[i].serial == "00:82:d2:24:32:3e:fa:65:06:0b:64:1f:51:fa:df:ef:02" or
pe.signatures[i].serial == "82:d2:24:32:3e:fa:65:06:0b:64:1f:51:fa:df:ef:02"
) and
// Certificate expiry (not_after, Unix seconds) must be at or after this value;
// issuer and chain validity are not part of the condition.
1665100800 <= pe.signatures[i].not_after
)
}
// Blocklist entry: matches PE files carrying a signature whose subject
// contains "JESEN LESS d.o.o." and whose serial equals either form below.
rule cert_blocklist_890570b6b0e2868a53be3f8f904a88ee {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// "MZ" magic at offset 0: only DOS/PE executables are considered.
uint16(0) == 0x5A4D and
// Inclusive range, so index number_of_signatures is evaluated as well.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "JESEN LESS d.o.o." and (
// Serial listed with and without a leading 00 byte (the first byte is >= 0x80,
// where DER pads the integer); presumably covers both renderings.
pe.signatures[i].serial == "00:89:05:70:b6:b0:e2:86:8a:53:be:3f:8f:90:4a:88:ee" or
pe.signatures[i].serial == "89:05:70:b6:b0:e2:86:8a:53:be:3f:8f:90:4a:88:ee"
) and
// Certificate expiry (not_after, Unix seconds) must be at or after this value;
// issuer and chain validity are not part of the condition.
1636588800 <= pe.signatures[i].not_after
)
}
// Blocklist entry: matches PE files carrying a signature whose subject
// contains "C.W.D. INSTAL LTD" and whose serial equals the value below.
rule cert_blocklist_2642fe865f7566ce3123a5142c207094 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// "MZ" magic at offset 0: only DOS/PE executables are considered.
uint16(0) == 0x5A4D and
// Inclusive range, so index number_of_signatures is evaluated as well.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "C.W.D. INSTAL LTD" and
pe.signatures[i].serial == "26:42:fe:86:5f:75:66:ce:31:23:a5:14:2c:20:70:94" and
// Certificate expiry (not_after, Unix seconds) must be at or after this value;
// issuer and chain validity are not part of the condition.
1666310400 <= pe.signatures[i].not_after
)
}
// Blocklist entry: matches PE files carrying a signature whose subject
// contains "Karolina Klimowska" and whose serial equals the value below.
rule cert_blocklist_4a2e337fff23e5b2a1321ffde56d1759 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// "MZ" magic at offset 0: only DOS/PE executables are considered.
uint16(0) == 0x5A4D and
// Inclusive range, so index number_of_signatures is evaluated as well.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Karolina Klimowska" and
pe.signatures[i].serial == "4a:2e:33:7f:ff:23:e5:b2:a1:32:1f:fd:e5:6d:17:59" and
// Certificate expiry (not_after, Unix seconds) must be at or after this value;
// issuer and chain validity are not part of the condition.
1660314070 <= pe.signatures[i].not_after
)
}
// Blocklist entry: matches PE files carrying a signature whose subject
// contains "UPLagga Systems s.r.o." and whose serial equals either form below.
rule cert_blocklist_92d9b92f8cf7a1ba8b2c025be730c300 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// "MZ" magic at offset 0: only DOS/PE executables are considered.
uint16(0) == 0x5A4D and
// Inclusive range, so index number_of_signatures is evaluated as well.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "UPLagga Systems s.r.o." and (
// Serial listed with and without a leading 00 byte (the first byte is >= 0x80,
// where DER pads the integer); presumably covers both renderings.
pe.signatures[i].serial == "00:92:d9:b9:2f:8c:f7:a1:ba:8b:2c:02:5b:e7:30:c3:00" or
pe.signatures[i].serial == "92:d9:b9:2f:8c:f7:a1:ba:8b:2c:02:5b:e7:30:c3:00"
) and
// Certificate expiry (not_after, Unix seconds) must be at or after this value;
// issuer and chain validity are not part of the condition.
1598054400 <= pe.signatures[i].not_after
)
}
// Blocklist entry: matches PE files carrying a signature whose subject
// contains "Ekitai Data Inc." and whose serial equals either form below.
rule cert_blocklist_b8164f7143e1a313003ab0c834562f1f {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// "MZ" magic at offset 0: only DOS/PE executables are considered.
uint16(0) == 0x5A4D and
// Inclusive range, so index number_of_signatures is evaluated as well.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Ekitai Data Inc." and (
// Serial listed with and without a leading 00 byte (the first byte is >= 0x80,
// where DER pads the integer); presumably covers both renderings.
pe.signatures[i].serial == "00:b8:16:4f:71:43:e1:a3:13:00:3a:b0:c8:34:56:2f:1f" or
pe.signatures[i].serial == "b8:16:4f:71:43:e1:a3:13:00:3a:b0:c8:34:56:2f:1f"
) and
// Certificate expiry (not_after, Unix seconds) must be at or after this value;
// issuer and chain validity are not part of the condition.
1598313600 <= pe.signatures[i].not_after
)
}
// Blocklist entry: matches PE files carrying a signature whose subject
// contains "FLY BETTER s.r.o." and whose serial equals the value below.
rule cert_blocklist_24e4a2b3db6be1007b9ddc91995bc0c8 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// "MZ" magic at offset 0: only DOS/PE executables are considered.
uint16(0) == 0x5A4D and
// Inclusive range, so index number_of_signatures is evaluated as well.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "FLY BETTER s.r.o." and
pe.signatures[i].serial == "24:e4:a2:b3:db:6b:e1:00:7b:9d:dc:91:99:5b:c0:c8" and
// Certificate expiry (not_after, Unix seconds) must be at or after this value;
// issuer and chain validity are not part of the condition.
1645142400 <= pe.signatures[i].not_after
)
}
// Blocklist entry: matches PE files carrying a signature whose subject
// contains "Trade in Brasil s.r.o." and whose serial equals either form below.
rule cert_blocklist_881573fc67ff7395dde5bccfbce5b088 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// "MZ" magic at offset 0: only DOS/PE executables are considered.
uint16(0) == 0x5A4D and
// Inclusive range, so index number_of_signatures is evaluated as well.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Trade in Brasil s.r.o." and (
// Serial listed with and without a leading 00 byte (the first byte is >= 0x80,
// where DER pads the integer); presumably covers both renderings.
pe.signatures[i].serial == "00:88:15:73:fc:67:ff:73:95:dd:e5:bc:cf:bc:e5:b0:88" or
pe.signatures[i].serial == "88:15:73:fc:67:ff:73:95:dd:e5:bc:cf:bc:e5:b0:88"
) and
// Certificate expiry (not_after, Unix seconds) must be at or after this value;
// issuer and chain validity are not part of the condition.
1620000000 <= pe.signatures[i].not_after
)
}
// Blocklist entry: matches PE files carrying a signature whose subject
// contains "OdyLab Inc" and whose serial equals the value below.
rule cert_blocklist_53e1f226cb77574f8fbeb5682da091bb {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// "MZ" magic at offset 0: only DOS/PE executables are considered.
uint16(0) == 0x5A4D and
// Inclusive range, so index number_of_signatures is evaluated as well.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "OdyLab Inc" and
pe.signatures[i].serial == "53:e1:f2:26:cb:77:57:4f:8f:be:b5:68:2d:a0:91:bb" and
// Certificate expiry (not_after, Unix seconds) must be at or after this value;
// issuer and chain validity are not part of the condition.
1654020559 <= pe.signatures[i].not_after
)
}
// Blocklist entry: matches PE files carrying a signature whose subject
// contains "Maya logistika d.o.o." and whose serial equals the value below.
// Only this serial is covered here; the subject string alone does not match.
rule cert_blocklist_0772b4d1d63233d2b8771997bc8da5c4 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// "MZ" magic at offset 0: only DOS/PE executables are considered.
uint16(0) == 0x5A4D and
// Inclusive range, so index number_of_signatures is evaluated as well.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Maya logistika d.o.o." and
pe.signatures[i].serial == "07:72:b4:d1:d6:32:33:d2:b8:77:19:97:bc:8d:a5:c4" and
// Certificate expiry (not_after, Unix seconds) must be at or after this value;
// issuer and chain validity are not part of the condition.
1637971201 <= pe.signatures[i].not_after
)
}
rule cert_blocklist_02b6656292310b84022db5541bc48faf {
    // Matches a PE file with a signature entry whose subject, serial and
    // expiry fit the blocklisted certificate below. The fields are compared
    // as text only; the chain and the file hash are not verified here, so
    // confirm a hit with a validating tool.
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // "MZ" at offset 0
        // The range is inclusive; the index past the last signature is
        // undefined and cannot match.
        for any n in (0..pe.number_of_signatures): (
            pe.signatures[n].serial == "02:b6:65:62:92:31:0b:84:02:2d:b5:54:1b:c4:8f:af" and
            pe.signatures[n].subject contains "DILA d.o.o." and
            pe.signatures[n].not_after >= 1613865600  // expiry at or after this Unix time
        )
}
rule cert_blocklist_64c2505c7306639fc8eae544b0305338 {
    // Matches a PE file with a signature entry whose subject, serial and
    // expiry fit the blocklisted certificate below. The fields are compared
    // as text only; the chain and the file hash are not verified here, so
    // confirm a hit with a validating tool.
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // "MZ" at offset 0
        // The range is inclusive; the index past the last signature is
        // undefined and cannot match.
        for any n in (0..pe.number_of_signatures): (
            pe.signatures[n].serial == "64:c2:50:5c:73:06:63:9f:c8:ea:e5:44:b0:30:53:38" and
            pe.signatures[n].subject contains "MANILA Solution as" and
            pe.signatures[n].not_after >= 1609418043  // expiry at or after this Unix time
        )
}
rule cert_blocklist_2f96a89bfec6e44dd224e8fd7e72d9bb {
    // Matches a PE file with a signature entry whose subject, serial and
    // expiry fit the blocklisted certificate below. The fields are compared
    // as text only; the chain and the file hash are not verified here, so
    // confirm a hit with a validating tool.
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // "MZ" at offset 0
        // The range is inclusive; the index past the last signature is
        // undefined and cannot match.
        for any n in (0..pe.number_of_signatures): (
            pe.signatures[n].serial == "2f:96:a8:9b:fe:c6:e4:4d:d2:24:e8:fd:7e:72:d9:bb" and
            pe.signatures[n].subject contains "NAILS UNLIMITED LIMITED" and
            pe.signatures[n].not_after >= 1625529600  // expiry at or after this Unix time
        )
}
rule cert_blocklist_b649a966410f62999c939384af553919 {
    // Matches a PE file with a signature entry whose subject, serial and
    // expiry fit the blocklisted certificate below. The fields are compared
    // as text only; the chain and the file hash are not verified here, so
    // confirm a hit with a validating tool.
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // "MZ" at offset 0
        // The range is inclusive; the index past the last signature is
        // undefined and cannot match.
        for any n in (0..pe.number_of_signatures): (
            pe.signatures[n].not_after >= 1590537600 and  // expiry at or after this Unix time
            pe.signatures[n].subject contains "F.A.T. SARL" and
            (
                // One serial, written without and with a leading 00 byte.
                pe.signatures[n].serial == "b6:49:a9:66:41:0f:62:99:9c:93:93:84:af:55:39:19" or
                pe.signatures[n].serial == "00:b6:49:a9:66:41:0f:62:99:9c:93:93:84:af:55:39:19"
            )
        )
}
rule cert_blocklist_45245eef53fcf38169c715cf68f44452 {
    // Matches a PE file with a signature entry whose subject, serial and
    // expiry fit the blocklisted certificate below. The fields are compared
    // as text only; the chain and the file hash are not verified here, so
    // confirm a hit with a validating tool.
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // "MZ" at offset 0
        // The range is inclusive; the index past the last signature is
        // undefined and cannot match.
        for any n in (0..pe.number_of_signatures): (
            pe.signatures[n].serial == "45:24:5e:ef:53:fc:f3:81:69:c7:15:cf:68:f4:44:52" and
            pe.signatures[n].subject contains "PAPER AND CORE SUPPLIES LTD" and
            pe.signatures[n].not_after >= 1639958400  // expiry at or after this Unix time
        )
}
rule cert_blocklist_1895433ee9e2bd48619d75132262616f {
    // Matches a PE file with a signature entry whose subject, serial and
    // expiry fit the blocklisted certificate below. The fields are compared
    // as text only; the chain and the file hash are not verified here, so
    // confirm a hit with a validating tool.
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // "MZ" at offset 0
        // The range is inclusive; the index past the last signature is
        // undefined and cannot match.
        for any n in (0..pe.number_of_signatures): (
            pe.signatures[n].serial == "18:95:43:3e:e9:e2:bd:48:61:9d:75:13:22:62:61:6f" and
            pe.signatures[n].subject contains "Evetrans Ltd" and
            pe.signatures[n].not_after >= 1619789516  // expiry at or after this Unix time
        )
}
rule cert_blocklist_1ffc9825644caf5b1f521780c5c7f42c {
    // Matches a PE file with a signature entry whose subject, serial and
    // expiry fit the blocklisted certificate below. The fields are compared
    // as text only; the chain and the file hash are not verified here, so
    // confirm a hit with a validating tool.
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // "MZ" at offset 0
        // The range is inclusive; the index past the last signature is
        // undefined and cannot match.
        for any n in (0..pe.number_of_signatures): (
            pe.signatures[n].serial == "1f:fc:98:25:64:4c:af:5b:1f:52:17:80:c5:c7:f4:2c" and
            pe.signatures[n].subject contains "ACTIVUS LIMITED" and
            pe.signatures[n].not_after >= 1615507200  // expiry at or after this Unix time
        )
}
rule cert_blocklist_8d52fb12a2511e86bbb0ba75c517eab0 {
    // Matches a PE file with a signature entry whose subject, serial and
    // expiry fit the blocklisted certificate below. The fields are compared
    // as text only; the chain and the file hash are not verified here, so
    // confirm a hit with a validating tool.
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // "MZ" at offset 0
        // The range is inclusive; the index past the last signature is
        // undefined and cannot match.
        for any n in (0..pe.number_of_signatures): (
            pe.signatures[n].not_after >= 1599177600 and  // expiry at or after this Unix time
            pe.signatures[n].subject contains "VThink Software Consulting Inc." and
            (
                // One serial, written without and with a leading 00 byte.
                pe.signatures[n].serial == "8d:52:fb:12:a2:51:1e:86:bb:b0:ba:75:c5:17:ea:b0" or
                pe.signatures[n].serial == "00:8d:52:fb:12:a2:51:1e:86:bb:b0:ba:75:c5:17:ea:b0"
            )
        )
}
rule cert_blocklist_332bd5801e8415585e72c87e0e2ec71d {
    // Matches a PE file with a signature entry whose subject, serial and
    // expiry fit the blocklisted certificate below. The fields are compared
    // as text only; the chain and the file hash are not verified here, so
    // confirm a hit with a validating tool.
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // "MZ" at offset 0
        // The range is inclusive; the index past the last signature is
        // undefined and cannot match.
        for any n in (0..pe.number_of_signatures): (
            pe.signatures[n].serial == "33:2b:d5:80:1e:84:15:58:5e:72:c8:7e:0e:2e:c7:1d" and
            pe.signatures[n].subject contains "Elite Marketing Strategies, Inc." and
            pe.signatures[n].not_after >= 1662616824  // expiry at or after this Unix time
        )
}
rule cert_blocklist_e3b80c0932b52a708477939b0d32186f {
    // Matches a PE file with a signature entry whose subject, serial and
    // expiry fit the blocklisted certificate below. The fields are compared
    // as text only; the chain and the file hash are not verified here, so
    // confirm a hit with a validating tool.
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // "MZ" at offset 0
        // The range is inclusive; the index past the last signature is
        // undefined and cannot match.
        for any n in (0..pe.number_of_signatures): (
            pe.signatures[n].not_after >= 1617062400 and  // expiry at or after this Unix time
            pe.signatures[n].subject contains "BISOYETUTU LTD LIMITED" and
            (
                // One serial, written without and with a leading 00 byte.
                pe.signatures[n].serial == "e3:b8:0c:09:32:b5:2a:70:84:77:93:9b:0d:32:18:6f" or
                pe.signatures[n].serial == "00:e3:b8:0c:09:32:b5:2a:70:84:77:93:9b:0d:32:18:6f"
            )
        )
}
rule cert_blocklist_c79f817f082986bef3209f6723c8da97 {
    // Matches a PE file with a signature entry whose subject, serial and
    // expiry fit the blocklisted certificate below. The fields are compared
    // as text only; the chain and the file hash are not verified here, so
    // confirm a hit with a validating tool.
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // "MZ" at offset 0
        // The range is inclusive; the index past the last signature is
        // undefined and cannot match.
        for any n in (0..pe.number_of_signatures): (
            pe.signatures[n].not_after >= 1616371200 and  // expiry at or after this Unix time
            pe.signatures[n].subject contains "Al-Faris group d.o.o." and
            (
                // One serial, written without and with a leading 00 byte.
                pe.signatures[n].serial == "c7:9f:81:7f:08:29:86:be:f3:20:9f:67:23:c8:da:97" or
                pe.signatures[n].serial == "00:c7:9f:81:7f:08:29:86:be:f3:20:9f:67:23:c8:da:97"
            )
        )
}
rule cert_blocklist_1e5efa53a14599cc82f56f0790e20b17 {
    // Matches a PE file with a signature entry whose subject, serial and
    // expiry fit the blocklisted certificate below. The fields are compared
    // as text only; the chain and the file hash are not verified here, so
    // confirm a hit with a validating tool.
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // "MZ" at offset 0
        // The range is inclusive; the index past the last signature is
        // undefined and cannot match.
        for any n in (0..pe.number_of_signatures): (
            pe.signatures[n].serial == "1e:5e:fa:53:a1:45:99:cc:82:f5:6f:07:90:e2:0b:17" and
            pe.signatures[n].subject contains "Storeks LLC" and
            pe.signatures[n].not_after >= 1623196800  // expiry at or after this Unix time
        )
}
rule cert_blocklist_0cf2d0b5bfdd68cf777a0c12f806a569 {
    // Matches a PE file with a signature entry whose subject, serial and
    // expiry fit the blocklisted certificate below. The fields are compared
    // as text only; the chain and the file hash are not verified here, so
    // confirm a hit with a validating tool.
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // "MZ" at offset 0
        // The range is inclusive; the index past the last signature is
        // undefined and cannot match.
        for any n in (0..pe.number_of_signatures): (
            pe.signatures[n].serial == "0c:f2:d0:b5:bf:dd:68:cf:77:7a:0c:12:f8:06:a5:69" and
            // The doubled backslashes are literal backslashes, so this matches
            // the text "\xC4\x8D" rather than raw bytes; presumably that is how
            // the pe module reports non-ASCII subject characters.
            pe.signatures[n].subject contains "PROTIP d.o.o. - v ste\\xC4\\x8Daju" and
            pe.signatures[n].not_after >= 1611705600  // expiry at or after this Unix time
        )
}
rule cert_blocklist_f675139ea68b897a865a98f8e4611f00 {
    // Matches a PE file with a signature entry whose subject, serial and
    // expiry fit the blocklisted certificate below. The fields are compared
    // as text only; the chain and the file hash are not verified here, so
    // confirm a hit with a validating tool.
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // "MZ" at offset 0
        // The range is inclusive; the index past the last signature is
        // undefined and cannot match.
        for any n in (0..pe.number_of_signatures): (
            pe.signatures[n].not_after >= 1606953600 and  // expiry at or after this Unix time
            pe.signatures[n].subject contains "BS TEHNIK d.o.o." and
            (
                // One serial, written without and with a leading 00 byte.
                pe.signatures[n].serial == "f6:75:13:9e:a6:8b:89:7a:86:5a:98:f8:e4:61:1f:00" or
                pe.signatures[n].serial == "00:f6:75:13:9e:a6:8b:89:7a:86:5a:98:f8:e4:61:1f:00"
            )
        )
}
rule cert_blocklist_4728189fa0f57793484cdf764f5e283d {
    // Matches a PE file with a signature entry whose subject, serial and
    // expiry fit the blocklisted certificate below. The fields are compared
    // as text only; the chain and the file hash are not verified here, so
    // confirm a hit with a validating tool.
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // "MZ" at offset 0
        // The range is inclusive; the index past the last signature is
        // undefined and cannot match.
        for any n in (0..pe.number_of_signatures): (
            pe.signatures[n].serial == "47:28:18:9f:a0:f5:77:93:48:4c:df:76:4f:5e:28:3d" and
            pe.signatures[n].subject contains "Power Save Systems s.r.o." and
            pe.signatures[n].not_after >= 1647302400  // expiry at or after this Unix time
        )
}
rule cert_blocklist_9bd81a9adaf71f1ff081c1f4a05d7fd7 {
    // Matches a PE file with a signature entry whose subject, serial and
    // expiry fit the blocklisted certificate below. The fields are compared
    // as text only; the chain and the file hash are not verified here, so
    // confirm a hit with a validating tool.
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // "MZ" at offset 0
        // The range is inclusive; the index past the last signature is
        // undefined and cannot match.
        for any n in (0..pe.number_of_signatures): (
            pe.signatures[n].not_after >= 1601683200 and  // expiry at or after this Unix time
            pe.signatures[n].subject contains "SMART TOYS AND GAMES, INC" and
            (
                // One serial, written without and with a leading 00 byte.
                pe.signatures[n].serial == "9b:d8:1a:9a:da:f7:1f:1f:f0:81:c1:f4:a0:5d:7f:d7" or
                pe.signatures[n].serial == "00:9b:d8:1a:9a:da:f7:1f:1f:f0:81:c1:f4:a0:5d:7f:d7"
            )
        )
}
rule cert_blocklist_c81319d20c6f1f1aec3398522189d90c {
    // Matches a PE file with a signature entry whose subject, serial and
    // expiry fit the blocklisted certificate below. The fields are compared
    // as text only; the chain and the file hash are not verified here, so
    // confirm a hit with a validating tool.
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // "MZ" at offset 0
        // The range is inclusive; the index past the last signature is
        // undefined and cannot match.
        for any n in (0..pe.number_of_signatures): (
            pe.signatures[n].not_after >= 1643500800 and  // expiry at or after this Unix time
            pe.signatures[n].subject contains "AMCERT,LLC" and
            (
                // One serial, written without and with a leading 00 byte.
                pe.signatures[n].serial == "c8:13:19:d2:0c:6f:1f:1a:ec:33:98:52:21:89:d9:0c" or
                pe.signatures[n].serial == "00:c8:13:19:d2:0c:6f:1f:1a:ec:33:98:52:21:89:d9:0c"
            )
        )
}
rule cert_blocklist_c318d876768258a696ab9dd825e27acd {
    // Matches a PE file with a signature entry whose subject, serial and
    // expiry fit the blocklisted certificate below. The fields are compared
    // as text only; the chain and the file hash are not verified here, so
    // confirm a hit with a validating tool.
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // "MZ" at offset 0
        // The range is inclusive; the index past the last signature is
        // undefined and cannot match.
        for any n in (0..pe.number_of_signatures): (
            pe.signatures[n].not_after >= 1615161600 and  // expiry at or after this Unix time
            pe.signatures[n].subject contains "OOO Genezis" and
            (
                // One serial, written without and with a leading 00 byte.
                pe.signatures[n].serial == "c3:18:d8:76:76:82:58:a6:96:ab:9d:d8:25:e2:7a:cd" or
                pe.signatures[n].serial == "00:c3:18:d8:76:76:82:58:a6:96:ab:9d:d8:25:e2:7a:cd"
            )
        )
}
rule cert_blocklist_06df5c318759d6ea9d090bfb2faf1d94 {
    // Matches a PE file with a signature entry whose subject, serial and
    // expiry fit the blocklisted certificate below. The fields are compared
    // as text only; the chain and the file hash are not verified here, so
    // confirm a hit with a validating tool.
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // "MZ" at offset 0
        // The range is inclusive; the index past the last signature is
        // undefined and cannot match.
        for any n in (0..pe.number_of_signatures): (
            pe.signatures[n].serial == "06:df:5c:31:87:59:d6:ea:9d:09:0b:fb:2f:af:1d:94" and
            pe.signatures[n].subject contains "SpiffyTech Inc." and
            pe.signatures[n].not_after >= 1634515201  // expiry at or after this Unix time
        )
}
rule cert_blocklist_02de1cc6c487954592f1bf574ca2b000 {
    // Matches a PE file with a signature entry whose subject, serial and
    // expiry fit the blocklisted certificate below. The fields are compared
    // as text only; the chain and the file hash are not verified here, so
    // confirm a hit with a validating tool.
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // "MZ" at offset 0
        // The range is inclusive; the index past the last signature is
        // undefined and cannot match.
        for any n in (0..pe.number_of_signatures): (
            pe.signatures[n].serial == "02:de:1c:c6:c4:87:95:45:92:f1:bf:57:4c:a2:b0:00" and
            pe.signatures[n].subject contains "Orca System" and
            pe.signatures[n].not_after >= 1613735394  // expiry at or after this Unix time
        )
}
rule cert_blocklist_a32b8b4f1be43c23eb2848ab4ef06bb2 {
    // Matches a PE file with a signature entry whose subject, serial and
    // expiry fit the blocklisted certificate below. The fields are compared
    // as text only; the chain and the file hash are not verified here, so
    // confirm a hit with a validating tool.
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // "MZ" at offset 0
        // The range is inclusive; the index past the last signature is
        // undefined and cannot match.
        for any n in (0..pe.number_of_signatures): (
            pe.signatures[n].not_after >= 1673395200 and  // expiry at or after this Unix time
            pe.signatures[n].subject contains "Pak El AB" and
            (
                // One serial, written without and with a leading 00 byte.
                pe.signatures[n].serial == "a3:2b:8b:4f:1b:e4:3c:23:eb:28:48:ab:4e:f0:6b:b2" or
                pe.signatures[n].serial == "00:a3:2b:8b:4f:1b:e4:3c:23:eb:28:48:ab:4e:f0:6b:b2"
            )
        )
}
rule cert_blocklist_626735ed30e50e3e0553986d806bfc54 {
    // Matches a PE file with a signature entry whose subject, serial and
    // expiry fit the blocklisted certificate below. The fields are compared
    // as text only; the chain and the file hash are not verified here, so
    // confirm a hit with a validating tool.
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // "MZ" at offset 0
        // The range is inclusive; the index past the last signature is
        // undefined and cannot match.
        for any n in (0..pe.number_of_signatures): (
            pe.signatures[n].serial == "62:67:35:ed:30:e5:0e:3e:05:53:98:6d:80:6b:fc:54" and
            pe.signatures[n].subject contains "FISH ACCOUNTING & TRANSLATING LIMITED" and
            pe.signatures[n].not_after >= 1666742400  // expiry at or after this Unix time
        )
}
rule cert_blocklist_34d42e871ddb1c92fa20b55b384e1259 {
    // Matches a PE file with a signature entry whose subject, serial and
    // expiry fit the blocklisted certificate below. The fields are compared
    // as text only; the chain and the file hash are not verified here, so
    // confirm a hit with a validating tool.
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // "MZ" at offset 0
        // The range is inclusive; the index past the last signature is
        // undefined and cannot match.
        for any n in (0..pe.number_of_signatures): (
            pe.signatures[n].serial == "34:d4:2e:87:1d:db:1c:92:fa:20:b5:5b:38:4e:12:59" and
            pe.signatures[n].subject contains "VENS CORP" and
            pe.signatures[n].not_after >= 1630368000  // expiry at or after this Unix time
        )
}
rule cert_blocklist_08d4dc90047b8470ccaf3924dfbd8b5f {
    // Matches a PE file with a signature entry whose subject, serial and
    // expiry fit the blocklisted certificate below. The fields are compared
    // as text only; the chain and the file hash are not verified here, so
    // confirm a hit with a validating tool.
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // "MZ" at offset 0
        // The range is inclusive; the index past the last signature is
        // undefined and cannot match.
        for any n in (0..pe.number_of_signatures): (
            pe.signatures[n].serial == "08:d4:dc:90:04:7b:84:70:cc:af:39:24:df:bd:8b:5f" and
            pe.signatures[n].subject contains "OOO Dibies" and
            pe.signatures[n].not_after >= 1619136000  // expiry at or after this Unix time
        )
}
rule cert_blocklist_c2fc83d458e653837fcfc132c9b03062 {
    // Matches a PE file with a signature entry whose subject, serial and
    // expiry fit the blocklisted certificate below. The fields are compared
    // as text only; the chain and the file hash are not verified here, so
    // confirm a hit with a validating tool.
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // "MZ" at offset 0
        // The range is inclusive; the index past the last signature is
        // undefined and cannot match.
        for any n in (0..pe.number_of_signatures): (
            pe.signatures[n].not_after >= 1602201600 and  // expiry at or after this Unix time
            pe.signatures[n].subject contains "OOO Vertical" and
            (
                // One serial, written without and with a leading 00 byte.
                pe.signatures[n].serial == "c2:fc:83:d4:58:e6:53:83:7f:cf:c1:32:c9:b0:30:62" or
                pe.signatures[n].serial == "00:c2:fc:83:d4:58:e6:53:83:7f:cf:c1:32:c9:b0:30:62"
            )
        )
}
rule cert_blocklist_54c793d2224bdd6ca527bb2b7b9dfe9d {
    // Matches a PE file with a signature entry whose subject, serial and
    // expiry fit the blocklisted certificate below. The fields are compared
    // as text only; the chain and the file hash are not verified here, so
    // confirm a hit with a validating tool.
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // "MZ" at offset 0
        // The range is inclusive; the index past the last signature is
        // undefined and cannot match.
        for any n in (0..pe.number_of_signatures): (
            pe.signatures[n].serial == "54:c7:93:d2:22:4b:dd:6c:a5:27:bb:2b:7b:9d:fe:9d" and
            pe.signatures[n].subject contains "CODE - HANDLE, s. r. o." and
            pe.signatures[n].not_after >= 1629676800  // expiry at or after this Unix time
        )
}
rule cert_blocklist_8cece6df54cf6ad63596546d77ba3581 {
    // Matches a PE file with a signature entry whose subject, serial and
    // expiry fit the blocklisted certificate below. The fields are compared
    // as text only; the chain and the file hash are not verified here, so
    // confirm a hit with a validating tool.
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // "MZ" at offset 0
        // The range is inclusive; the index past the last signature is
        // undefined and cannot match.
        for any n in (0..pe.number_of_signatures): (
            pe.signatures[n].not_after >= 1613088000 and  // expiry at or after this Unix time
            pe.signatures[n].subject contains "Mikael LLC" and
            (
                // One serial, written without and with a leading 00 byte.
                pe.signatures[n].serial == "8c:ec:e6:df:54:cf:6a:d6:35:96:54:6d:77:ba:35:81" or
                pe.signatures[n].serial == "00:8c:ec:e6:df:54:cf:6a:d6:35:96:54:6d:77:ba:35:81"
            )
        )
}
rule cert_blocklist_984e84cfe362e278f558e2c70aaafac2 {
    // Matches a PE file with a signature entry whose subject, serial and
    // expiry fit the blocklisted certificate below. The fields are compared
    // as text only; the chain and the file hash are not verified here, so
    // confirm a hit with a validating tool.
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // "MZ" at offset 0
        // The range is inclusive; the index past the last signature is
        // undefined and cannot match.
        for any n in (0..pe.number_of_signatures): (
            pe.signatures[n].not_after >= 1640304000 and  // expiry at or after this Unix time
            // The doubled backslashes are literal backslashes, so this matches
            // the text "\xC3\x84" rather than raw bytes; presumably that is how
            // the pe module reports non-ASCII subject characters.
            pe.signatures[n].subject contains "Arctic Nights \\xC3\\x84k\\xC3\\xA4slompolo Oy" and
            (
                // One serial, written without and with a leading 00 byte.
                pe.signatures[n].serial == "98:4e:84:cf:e3:62:e2:78:f5:58:e2:c7:0a:aa:fa:c2" or
                pe.signatures[n].serial == "00:98:4e:84:cf:e3:62:e2:78:f5:58:e2:c7:0a:aa:fa:c2"
            )
        )
}
rule cert_blocklist_ff52eb011bb748fee75153cbe1e50dd6 {
    // Matches a PE file with a signature entry whose subject, serial and
    // expiry fit the blocklisted certificate below. The fields are compared
    // as text only; the chain and the file hash are not verified here, so
    // confirm a hit with a validating tool.
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // "MZ" at offset 0
        // The range is inclusive; the index past the last signature is
        // undefined and cannot match.
        for any n in (0..pe.number_of_signatures): (
            pe.signatures[n].not_after >= 1647388800 and  // expiry at or after this Unix time
            pe.signatures[n].subject contains "TASK ANNA LIMITED" and
            (
                // One serial, written without and with a leading 00 byte.
                pe.signatures[n].serial == "ff:52:eb:01:1b:b7:48:fe:e7:51:53:cb:e1:e5:0d:d6" or
                pe.signatures[n].serial == "00:ff:52:eb:01:1b:b7:48:fe:e7:51:53:cb:e1:e5:0d:d6"
            )
        )
}
rule cert_blocklist_84a4a0d0657e217b176b455e2465aee0 {
    // Matches a PE file with a signature entry whose subject, serial and
    // expiry fit the blocklisted certificate below. The fields are compared
    // as text only; the chain and the file hash are not verified here, so
    // confirm a hit with a validating tool.
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // "MZ" at offset 0
        // The range is inclusive; the index past the last signature is
        // undefined and cannot match.
        for any n in (0..pe.number_of_signatures): (
            pe.signatures[n].not_after >= 1616457600 and  // expiry at or after this Unix time
            pe.signatures[n].subject contains "AATB ApS" and
            (
                // One serial, written without and with a leading 00 byte.
                pe.signatures[n].serial == "84:a4:a0:d0:65:7e:21:7b:17:6b:45:5e:24:65:ae:e0" or
                pe.signatures[n].serial == "00:84:a4:a0:d0:65:7e:21:7b:17:6b:45:5e:24:65:ae:e0"
            )
        )
}
rule cert_blocklist_b8f726508cf1d7b7913bf4bbd1e5c19c {
    // Matches a PE file with a signature entry whose subject, serial and
    // expiry fit the blocklisted certificate below. The fields are compared
    // as text only; the chain and the file hash are not verified here, so
    // confirm a hit with a validating tool.
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // "MZ" at offset 0
        // The range is inclusive; the index past the last signature is
        // undefined and cannot match.
        for any n in (0..pe.number_of_signatures): (
            pe.signatures[n].not_after >= 1619568000 and  // expiry at or after this Unix time
            pe.signatures[n].subject contains "Merkuri LLC" and
            (
                // One serial, written without and with a leading 00 byte.
                pe.signatures[n].serial == "b8:f7:26:50:8c:f1:d7:b7:91:3b:f4:bb:d1:e5:c1:9c" or
                pe.signatures[n].serial == "00:b8:f7:26:50:8c:f1:d7:b7:91:3b:f4:bb:d1:e5:c1:9c"
            )
        )
}
rule cert_blocklist_6a241ffe96a6349df608d22c02942268 {
    // Matches a PE file with a signature entry whose subject, serial and
    // expiry fit the blocklisted certificate below. The fields are compared
    // as text only; the chain and the file hash are not verified here, so
    // confirm a hit with a validating tool.
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // "MZ" at offset 0
        // The range is inclusive; the index past the last signature is
        // undefined and cannot match.
        for any n in (0..pe.number_of_signatures): (
            pe.signatures[n].serial == "6a:24:1f:fe:96:a6:34:9d:f6:08:d2:2c:02:94:22:68" and
            pe.signatures[n].subject contains "HELP, d.o.o." and
            pe.signatures[n].not_after >= 1605052800  // expiry at or after this Unix time
        )
}
rule cert_blocklist_aa1d84779792b57f91fe7a4bde041942 {
    // Matches a PE file with a signature entry whose subject, serial and
    // expiry fit the blocklisted certificate below. The fields are compared
    // as text only; the chain and the file hash are not verified here, so
    // confirm a hit with a validating tool.
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // "MZ" at offset 0
        // The range is inclusive; the index past the last signature is
        // undefined and cannot match.
        for any n in (0..pe.number_of_signatures): (
            pe.signatures[n].not_after >= 1639872000 and  // expiry at or after this Unix time
            pe.signatures[n].subject contains "AXIUM NORTHWESTERN HYDRO INC." and
            (
                // One serial, written without and with a leading 00 byte.
                pe.signatures[n].serial == "aa:1d:84:77:97:92:b5:7f:91:fe:7a:4b:de:04:19:42" or
                pe.signatures[n].serial == "00:aa:1d:84:77:97:92:b5:7f:91:fe:7a:4b:de:04:19:42"
            )
        )
}
rule cert_blocklist_3c98b6872fbb1f4ae37a4caa749d24c2 {
    // Matches a PE file with a signature entry whose subject, serial and
    // expiry fit the blocklisted certificate below. The fields are compared
    // as text only; the chain and the file hash are not verified here, so
    // confirm a hit with a validating tool.
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // "MZ" at offset 0
        // The range is inclusive; the index past the last signature is
        // undefined and cannot match.
        for any n in (0..pe.number_of_signatures): (
            pe.signatures[n].serial == "3c:98:b6:87:2f:bb:1f:4a:e3:7a:4c:aa:74:9d:24:c2" and
            pe.signatures[n].subject contains "OOO SMART" and
            pe.signatures[n].not_after >= 1613370100  // expiry at or after this Unix time
        )
}
rule cert_blocklist_e4e795fd1fd25595b869ce22aa7dc49f {
    // Matches a PE file with a signature entry whose subject, serial and
    // expiry fit the blocklisted certificate below. The fields are compared
    // as text only; the chain and the file hash are not verified here, so
    // confirm a hit with a validating tool.
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // "MZ" at offset 0
        // The range is inclusive; the index past the last signature is
        // undefined and cannot match.
        for any n in (0..pe.number_of_signatures): (
            pe.signatures[n].not_after >= 1608508800 and  // expiry at or after this Unix time
            pe.signatures[n].subject contains "OASIS COURT LIMITED" and
            (
                // One serial, written without and with a leading 00 byte.
                pe.signatures[n].serial == "e4:e7:95:fd:1f:d2:55:95:b8:69:ce:22:aa:7d:c4:9f" or
                pe.signatures[n].serial == "00:e4:e7:95:fd:1f:d2:55:95:b8:69:ce:22:aa:7d:c4:9f"
            )
        )
}
rule cert_blocklist_e953ada7e8f1438e5f7680ff599ae43e {
    // Matches a PE file with a signature entry whose subject, serial and
    // expiry fit the blocklisted certificate below. The fields are compared
    // as text only; the chain and the file hash are not verified here, so
    // confirm a hit with a validating tool.
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // "MZ" at offset 0
        // The range is inclusive; the index past the last signature is
        // undefined and cannot match.
        for any n in (0..pe.number_of_signatures): (
            pe.signatures[n].not_after >= 1614729600 and  // expiry at or after this Unix time
            pe.signatures[n].subject contains "KULBYT LLC" and
            (
                // One serial, written without and with a leading 00 byte.
                pe.signatures[n].serial == "e9:53:ad:a7:e8:f1:43:8e:5f:76:80:ff:59:9a:e4:3e" or
                pe.signatures[n].serial == "00:e9:53:ad:a7:e8:f1:43:8e:5f:76:80:ff:59:9a:e4:3e"
            )
        )
}
rule cert_blocklist_28c57df09ce7cc3fde2243beb4d00101 {
    // Matches a PE file with a signature entry whose subject, serial and
    // expiry fit the blocklisted certificate below. The fields are compared
    // as text only; the chain and the file hash are not verified here, so
    // confirm a hit with a validating tool.
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // "MZ" at offset 0
        // The range is inclusive; the index past the last signature is
        // undefined and cannot match.
        for any n in (0..pe.number_of_signatures): (
            pe.signatures[n].serial == "28:c5:7d:f0:9c:e7:cc:3f:de:22:43:be:b4:d0:01:01" and
            pe.signatures[n].subject contains "WATER, s.r.o." and
            pe.signatures[n].not_after >= 1622678400  // expiry at or after this Unix time
        )
}
rule cert_blocklist_2d8cfcf04209dc7f771d8d18e462c35a {
    // Matches a PE file with a signature entry whose subject, serial and
    // expiry fit the blocklisted certificate below. The fields are compared
    // as text only; the chain and the file hash are not verified here, so
    // confirm a hit with a validating tool.
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // "MZ" at offset 0
        // The range is inclusive; the index past the last signature is
        // undefined and cannot match.
        for any n in (0..pe.number_of_signatures): (
            pe.signatures[n].serial == "2d:8c:fc:f0:42:09:dc:7f:77:1d:8d:18:e4:62:c3:5a" and
            pe.signatures[n].subject contains "AA PLUS INVEST d.o.o." and
            pe.signatures[n].not_after >= 1631491200  // expiry at or after this Unix time
        )
}
rule cert_blocklist_016836311fc39fbb8e6f308bb03cc2b3 {
    // Matches a PE file with a signature entry whose subject, serial and
    // expiry fit the blocklisted certificate below. The fields are compared
    // as text only; the chain and the file hash are not verified here, so
    // confirm a hit with a validating tool.
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // "MZ" at offset 0
        // The range is inclusive; the index past the last signature is
        // undefined and cannot match.
        for any n in (0..pe.number_of_signatures): (
            pe.signatures[n].serial == "01:68:36:31:1f:c3:9f:bb:8e:6f:30:8b:b0:3c:c2:b3" and
            pe.signatures[n].subject contains "SERVICE STREAM LIMITED" and
            pe.signatures[n].not_after >= 1602547200  // expiry at or after this Unix time
        )
}
rule cert_blocklist_435abf46053a0a445c54217a8c233a7f {
    // Matches a PE file with a signature entry whose subject, serial and
    // expiry fit the blocklisted certificate below. The fields are compared
    // as text only; the chain and the file hash are not verified here, so
    // confirm a hit with a validating tool.
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // "MZ" at offset 0
        // The range is inclusive; the index past the last signature is
        // undefined and cannot match.
        for any n in (0..pe.number_of_signatures): (
            pe.signatures[n].serial == "43:5a:bf:46:05:3a:0a:44:5c:54:21:7a:8c:23:3a:7f" and
            pe.signatures[n].subject contains "OOO Kodemika" and
            pe.signatures[n].not_after >= 1616976000  // expiry at or after this Unix time
        )
}
rule cert_blocklist_b2f9c693a2e6634565f63c79b01dd8f8 {
    // Matches a PE file with a signature entry whose subject, serial and
    // expiry fit the blocklisted certificate below. The fields are compared
    // as text only; the chain and the file hash are not verified here, so
    // confirm a hit with a validating tool.
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // "MZ" at offset 0
        // The range is inclusive; the index past the last signature is
        // undefined and cannot match.
        for any n in (0..pe.number_of_signatures): (
            pe.signatures[n].not_after >= 1620000000 and  // expiry at or after this Unix time
            pe.signatures[n].subject contains "PHL E STATE ApS" and
            (
                // One serial, written without and with a leading 00 byte.
                pe.signatures[n].serial == "b2:f9:c6:93:a2:e6:63:45:65:f6:3c:79:b0:1d:d8:f8" or
                pe.signatures[n].serial == "00:b2:f9:c6:93:a2:e6:63:45:65:f6:3c:79:b0:1d:d8:f8"
            )
        )
}
rule cert_blocklist_54a6d33f73129e0ef059ccf51be0c35e {
    // Matches a PE file with a signature entry whose subject, serial and
    // expiry fit the blocklisted certificate below. The fields are compared
    // as text only; the chain and the file hash are not verified here, so
    // confirm a hit with a validating tool.
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // "MZ" at offset 0
        // The range is inclusive; the index past the last signature is
        // undefined and cannot match.
        for any n in (0..pe.number_of_signatures): (
            pe.signatures[n].serial == "54:a6:d3:3f:73:12:9e:0e:f0:59:cc:f5:1b:e0:c3:5e" and
            pe.signatures[n].subject contains "STAFFORD MEAT COMPANY, INC." and
            pe.signatures[n].not_after >= 1607100127  // expiry at or after this Unix time
        )
}
rule cert_blocklist_142aac4217e22b525c8587589773ba9b {
    // Matches a PE file with a signature entry whose subject, serial and
    // expiry fit the blocklisted certificate below. The fields are compared
    // as text only; the chain and the file hash are not verified here, so
    // confirm a hit with a validating tool.
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // "MZ" at offset 0
        // The range is inclusive; the index past the last signature is
        // undefined and cannot match.
        for any n in (0..pe.number_of_signatures): (
            pe.signatures[n].serial == "14:2a:ac:42:17:e2:2b:52:5c:85:87:58:97:73:ba:9b" and
            // The doubled backslashes are literal backslashes, so this matches
            // the text "\xC5\xA1" rather than raw bytes; presumably that is how
            // the pe module reports non-ASCII subject characters.
            pe.signatures[n].subject contains "A.B. gostinstvo trgovina posredni\\xC5\\xA1tvo in druge storitve, d.o.o." and
            pe.signatures[n].not_after >= 1614124800  // expiry at or after this Unix time
        )
}
rule cert_blocklist_239664c12baeb5a6d787912888051392 {
    // Matches a PE file with a signature entry whose subject, serial and
    // expiry fit the blocklisted certificate below. The fields are compared
    // as text only; the chain and the file hash are not verified here, so
    // confirm a hit with a validating tool.
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // "MZ" at offset 0
        // The range is inclusive; the index past the last signature is
        // undefined and cannot match.
        for any n in (0..pe.number_of_signatures): (
            pe.signatures[n].serial == "23:96:64:c1:2b:ae:b5:a6:d7:87:91:28:88:05:13:92" and
            pe.signatures[n].subject contains "FORTH PROPERTY LTD" and
            pe.signatures[n].not_after >= 1618272000  // expiry at or after this Unix time
        )
}
rule cert_blocklist_0218ebfd5a9bfd55d2f661f0d18d1d71 {
    // Matches a PE file with a signature entry whose subject, serial and
    // expiry fit the blocklisted certificate below. The fields are compared
    // as text only; the chain and the file hash are not verified here, so
    // confirm a hit with a validating tool.
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // "MZ" at offset 0
        // The range is inclusive; the index past the last signature is
        // undefined and cannot match.
        for any n in (0..pe.number_of_signatures): (
            pe.signatures[n].serial == "02:18:eb:fd:5a:9b:fd:55:d2:f6:61:f0:d1:8d:1d:71" and
            pe.signatures[n].subject contains "REI LUX UK LIMITED" and
            pe.signatures[n].not_after >= 1608508800  // expiry at or after this Unix time
        )
}
rule cert_blocklist_35590ebe4a02dc23317d8ce47a947a9b {
    // Matches a PE file with a signature entry whose subject, serial and
    // expiry fit the blocklisted certificate below. The fields are compared
    // as text only; the chain and the file hash are not verified here, so
    // confirm a hit with a validating tool.
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // "MZ" at offset 0
        // The range is inclusive; the index past the last signature is
        // undefined and cannot match.
        for any n in (0..pe.number_of_signatures): (
            pe.signatures[n].serial == "35:59:0e:be:4a:02:dc:23:31:7d:8c:e4:7a:94:7a:9b" and
            pe.signatures[n].subject contains "OOO Largos" and
            pe.signatures[n].not_after >= 1602201600  // expiry at or after this Unix time
        )
}
rule cert_blocklist_aa07d4f2857119cee514a0bd412f8201 {
    // Matches a PE file with a signature entry whose subject, serial and
    // expiry fit the blocklisted certificate below. The fields are compared
    // as text only; the chain and the file hash are not verified here, so
    // confirm a hit with a validating tool.
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // "MZ" at offset 0
        // The range is inclusive; the index past the last signature is
        // undefined and cannot match.
        for any n in (0..pe.number_of_signatures): (
            pe.signatures[n].not_after >= 1615766400 and  // expiry at or after this Unix time
            pe.signatures[n].subject contains "HANGA GIP d.o.o." and
            (
                // One serial, written without and with a leading 00 byte.
                pe.signatures[n].serial == "aa:07:d4:f2:85:71:19:ce:e5:14:a0:bd:41:2f:82:01" or
                pe.signatures[n].serial == "00:aa:07:d4:f2:85:71:19:ce:e5:14:a0:bd:41:2f:82:01"
            )
        )
}
rule cert_blocklist_40f5660a90301e7a8a8c3b42 {
    // Matches a PE file with a signature entry whose subject, serial and
    // expiry fit the blocklisted certificate below. The fields are compared
    // as text only; the chain and the file hash are not verified here, so
    // confirm a hit with a validating tool.
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // "MZ" at offset 0
        // The range is inclusive; the index past the last signature is
        // undefined and cannot match.
        for any n in (0..pe.number_of_signatures): (
            pe.signatures[n].serial == "40:f5:66:0a:90:30:1e:7a:8a:8c:3b:42" and
            pe.signatures[n].subject contains "Booz Allen Hamilton Inc." and
            pe.signatures[n].not_after >= 1641833688  // expiry at or after this Unix time
        )
}
rule cert_blocklist_0400c7614f86d75fe4ee3f6192b6feda {
    // Matches a PE file with a signature entry whose subject, serial and
    // expiry fit the blocklisted certificate below. The fields are compared
    // as text only; the chain and the file hash are not verified here, so
    // confirm a hit with a validating tool.
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // "MZ" at offset 0
        // The range is inclusive; the index past the last signature is
        // undefined and cannot match.
        for any n in (0..pe.number_of_signatures): (
            pe.signatures[n].serial == "04:00:c7:61:4f:86:d7:5f:e4:ee:3f:61:92:b6:fe:da" and
            pe.signatures[n].subject contains "StackUp ApS" and
            pe.signatures[n].not_after >= 1626393601  // expiry at or after this Unix time
        )
}
rule cert_blocklist_e573d9c8b403c41bd59ffa0a8efd4168 {
    // Matches a PE file with a signature entry whose subject, serial and
    // expiry fit the blocklisted certificate below. The fields are compared
    // as text only; the chain and the file hash are not verified here, so
    // confirm a hit with a validating tool.
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // "MZ" at offset 0
        // The range is inclusive; the index past the last signature is
        // undefined and cannot match.
        for any n in (0..pe.number_of_signatures): (
            pe.signatures[n].not_after >= 1563148800 and  // expiry at or after this Unix time
            // The escaped quotes are part of the subject text being matched.
            pe.signatures[n].subject contains "\"VERONIKA 2\" OOO" and
            (
                // One serial, written without and with a leading 00 byte.
                pe.signatures[n].serial == "e5:73:d9:c8:b4:03:c4:1b:d5:9f:fa:0a:8e:fd:41:68" or
                pe.signatures[n].serial == "00:e5:73:d9:c8:b4:03:c4:1b:d5:9f:fa:0a:8e:fd:41:68"
            )
        )
}
rule cert_blocklist_b06bc166fc765dacd2f7448c8cdd9205 {
    // Matches a PE file with a signature entry whose subject, serial and
    // expiry fit the blocklisted certificate below. The fields are compared
    // as text only; the chain and the file hash are not verified here, so
    // confirm a hit with a validating tool.
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // "MZ" at offset 0
        // The range is inclusive; the index past the last signature is
        // undefined and cannot match.
        for any n in (0..pe.number_of_signatures): (
            pe.signatures[n].not_after >= 1615507200 and  // expiry at or after this Unix time
            pe.signatures[n].subject contains "GAS Avto, d.o.o." and
            (
                // One serial, written without and with a leading 00 byte.
                pe.signatures[n].serial == "b0:6b:c1:66:fc:76:5d:ac:d2:f7:44:8c:8c:dd:92:05" or
                pe.signatures[n].serial == "00:b0:6b:c1:66:fc:76:5d:ac:d2:f7:44:8c:8c:dd:92:05"
            )
        )
}
rule cert_blocklist_e9268ed63a7d7e9dfd40a664ddfbaf18 {
    // Matches a PE file with a signature entry whose subject, serial and
    // expiry fit the blocklisted certificate below. The fields are compared
    // as text only; the chain and the file hash are not verified here, so
    // confirm a hit with a validating tool.
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // "MZ" at offset 0
        // The range is inclusive; the index past the last signature is
        // undefined and cannot match.
        for any n in (0..pe.number_of_signatures): (
            pe.signatures[n].not_after >= 1647302400 and  // expiry at or after this Unix time
            pe.signatures[n].subject contains "Casta, s.r.o." and
            (
                // One serial, written without and with a leading 00 byte.
                pe.signatures[n].serial == "e9:26:8e:d6:3a:7d:7e:9d:fd:40:a6:64:dd:fb:af:18" or
                pe.signatures[n].serial == "00:e9:26:8e:d6:3a:7d:7e:9d:fd:40:a6:64:dd:fb:af:18"
            )
        )
}
rule cert_blocklist_425dc3e0ca8bcdce19d00d87e3f0ba28 {
    // Matches a PE file with a signature entry whose subject, serial and
    // expiry fit the blocklisted certificate below. The fields are compared
    // as text only; the chain and the file hash are not verified here, so
    // confirm a hit with a validating tool.
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // "MZ" at offset 0
        // The range is inclusive; the index past the last signature is
        // undefined and cannot match.
        for any n in (0..pe.number_of_signatures): (
            pe.signatures[n].serial == "42:5d:c3:e0:ca:8b:cd:ce:19:d0:0d:87:e3:f0:ba:28" and
            pe.signatures[n].subject contains "Protover LLC" and
            pe.signatures[n].not_after >= 1621900800  // expiry at or after this Unix time
        )
}
rule cert_blocklist_afc0ddb7bdc8207e8c3b7204018eecd3 {
    // Matches a PE file with a signature entry whose subject, serial and
    // expiry fit the blocklisted certificate below. The fields are compared
    // as text only; the chain and the file hash are not verified here, so
    // confirm a hit with a validating tool.
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // "MZ" at offset 0
        // The range is inclusive; the index past the last signature is
        // undefined and cannot match.
        for any n in (0..pe.number_of_signatures): (
            pe.signatures[n].not_after >= 1629676800 and  // expiry at or after this Unix time
            // The doubled backslashes are literal backslashes, so the whole
            // subject is matched as "\xNN" text rather than raw bytes;
            // presumably that is how the pe module reports non-ASCII names.
            pe.signatures[n].subject contains "\\xE9\\x83\\xB4\\xE5\\xB7\\x9E\\xE8\\x9C\\x97\\xE7\\x89\\x9B\\xE7\\xBD\\x91\\xE7\\xBB\\x9C\\xE7\\xA7\\x91\\xE6\\x8A\\x80\\xE6\\x9C\\x89\\xE9\\x99\\x90\\xE5\\x85\\xAC\\xE5\\x8F\\xB8" and
            (
                // One serial, written without and with a leading 00 byte.
                pe.signatures[n].serial == "af:c0:dd:b7:bd:c8:20:7e:8c:3b:72:04:01:8e:ec:d3" or
                pe.signatures[n].serial == "00:af:c0:dd:b7:bd:c8:20:7e:8c:3b:72:04:01:8e:ec:d3"
            )
        )
}
rule cert_blocklist_38989ec61ecdb7391ff5647f7d58ad18 {
    // Matches a PE file with a signature entry whose subject, serial and
    // expiry fit the blocklisted certificate below. The fields are compared
    // as text only; the chain and the file hash are not verified here, so
    // confirm a hit with a validating tool.
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // "MZ" at offset 0
        // The range is inclusive; the index past the last signature is
        // undefined and cannot match.
        for any n in (0..pe.number_of_signatures): (
            pe.signatures[n].serial == "38:98:9e:c6:1e:cd:b7:39:1f:f5:64:7f:7d:58:ad:18" and
            pe.signatures[n].subject contains "RotA Games ApS" and
            pe.signatures[n].not_after >= 1613088000  // expiry at or after this Unix time
        )
}
rule cert_blocklist_bc6c43d206a360f2d6b58537c456b709 {
    // Matches a PE file with a signature entry whose subject, serial and
    // expiry fit the blocklisted certificate below. The fields are compared
    // as text only; the chain and the file hash are not verified here, so
    // confirm a hit with a validating tool.
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // "MZ" at offset 0
        // The range is inclusive; the index past the last signature is
        // undefined and cannot match.
        for any n in (0..pe.number_of_signatures): (
            pe.signatures[n].not_after >= 1616630400 and  // expiry at or after this Unix time
            pe.signatures[n].subject contains "ANKADA GROUP, d.o.o." and
            (
                // One serial, written without and with a leading 00 byte.
                pe.signatures[n].serial == "bc:6c:43:d2:06:a3:60:f2:d6:b5:85:37:c4:56:b7:09" or
                pe.signatures[n].serial == "00:bc:6c:43:d2:06:a3:60:f2:d6:b5:85:37:c4:56:b7:09"
            )
        )
}
rule cert_blocklist_4929ab561c812af93ddb9758b545f546 {
    // Matches a PE file with a signature entry whose subject, serial and
    // expiry fit the blocklisted certificate below. The fields are compared
    // as text only; the chain and the file hash are not verified here, so
    // confirm a hit with a validating tool.
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // "MZ" at offset 0
        // The range is inclusive; the index past the last signature is
        // undefined and cannot match.
        for any n in (0..pe.number_of_signatures): (
            pe.signatures[n].serial == "49:29:ab:56:1c:81:2a:f9:3d:db:97:58:b5:45:f5:46" and
            pe.signatures[n].subject contains "Everything Wow s.r.o." and
            pe.signatures[n].not_after >= 1594252800  // expiry at or after this Unix time
        )
}
rule cert_blocklist_25c6dbce3d5499f65d9df16e9007465d {
    // Matches a PE file with a signature entry whose subject, serial and
    // expiry fit the blocklisted certificate below. The fields are compared
    // as text only; the chain and the file hash are not verified here, so
    // confirm a hit with a validating tool.
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // "MZ" at offset 0
        // The range is inclusive; the index past the last signature is
        // undefined and cannot match.
        for any n in (0..pe.number_of_signatures): (
            pe.signatures[n].serial == "25:c6:db:ce:3d:54:99:f6:5d:9d:f1:6e:90:07:46:5d" and
            pe.signatures[n].subject contains "AMCERT,LLC" and
            pe.signatures[n].not_after >= 1626566400  // expiry at or after this Unix time
        )
}
rule cert_blocklist_bc6a1812e001362469541108973bbd52 {
    // Matches a PE file with a signature entry whose subject, serial and
    // expiry fit the blocklisted certificate below. The fields are compared
    // as text only; the chain and the file hash are not verified here, so
    // confirm a hit with a validating tool.
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // "MZ" at offset 0
        // The range is inclusive; the index past the last signature is
        // undefined and cannot match.
        for any n in (0..pe.number_of_signatures): (
            pe.signatures[n].not_after >= 1623801600 and  // expiry at or after this Unix time
            pe.signatures[n].subject contains "AMCERT,LLC" and
            (
                // One serial, written without and with a leading 00 byte.
                pe.signatures[n].serial == "bc:6a:18:12:e0:01:36:24:69:54:11:08:97:3b:bd:52" or
                pe.signatures[n].serial == "00:bc:6a:18:12:e0:01:36:24:69:54:11:08:97:3b:bd:52"
            )
        )
}
// Blocklist entry: matches an MZ file that carries a certificate with the serial
// and subject below. Only certificate fields are compared, not signature validity.
rule cert_blocklist_bde1d6dc3622724f427a39e6a34f5124 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            // Both spellings of the serial are accepted, with and without the leading
            // 00 byte (presumably because tools render a high-bit serial differently).
            (
                pe.signatures[idx].serial == "bd:e1:d6:dc:36:22:72:4f:42:7a:39:e6:a3:4f:51:24" or
                pe.signatures[idx].serial == "00:bd:e1:d6:dc:36:22:72:4f:42:7a:39:e6:a3:4f:51:24"
            ) and
            pe.signatures[idx].subject contains "AMCERT,LLC" and
            // not_after is the certificate's expiry; the constant is a Unix timestamp.
            pe.signatures[idx].not_after >= 1628553600
        )
}
// Blocklist entry: matches an MZ file that carries a certificate with the serial
// and subject below. Only certificate fields are compared, not signature validity.
rule cert_blocklist_5c9f5f96726a6e6fc3b8bb153ac82af2 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].serial == "5c:9f:5f:96:72:6a:6e:6f:c3:b8:bb:15:3a:c8:2a:f2" and
            pe.signatures[idx].subject contains "1105 SOFTWARE LLC" and
            // not_after is the certificate's expiry; the constant is a Unix timestamp.
            pe.signatures[idx].not_after >= 1679061408
        )
}
// Blocklist entry: matches an MZ file that carries a certificate with the serial
// and subject below. Only certificate fields are compared, not signature validity.
rule cert_blocklist_6e889bb3b7f7194b674c6a0335a608e0 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].serial == "6e:88:9b:b3:b7:f7:19:4b:67:4c:6a:03:35:a6:08:e0" and
            pe.signatures[idx].subject contains "CLEVERCONTROL LLC" and
            // not_after is the certificate's expiry; the constant is a Unix timestamp.
            pe.signatures[idx].not_after >= 1646956800
        )
}
// Blocklist entry: matches an MZ file that carries a certificate with the serial
// and subject below. Only certificate fields are compared, not signature validity.
rule cert_blocklist_0f62f760704bdf8dc30c7baa7376f484 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].serial == "0f:62:f7:60:70:4b:df:8d:c3:0c:7b:aa:73:76:f4:84" and
            pe.signatures[idx].subject contains "Shanghai XuSong investment partnership Enterprise(Limited)" and
            // not_after is the certificate's expiry; the constant is a Unix timestamp.
            pe.signatures[idx].not_after >= 1659398400
        )
}
// Blocklist entry: matches an MZ file that carries a certificate with the serial
// and subject below. Only certificate fields are compared, not signature validity.
rule cert_blocklist_071202dbfda40b629c5e7acac947c2d3 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].serial == "07:12:02:db:fd:a4:0b:62:9c:5e:7a:ca:c9:47:c2:d3" and
            pe.signatures[idx].subject contains "Crossfire Industries, LLC" and
            // not_after is the certificate's expiry; the constant is a Unix timestamp.
            pe.signatures[idx].not_after >= 1658620801
        )
}
// Blocklist entry: matches an MZ file that carries a certificate with the serial
// and subject below. Only certificate fields are compared, not signature validity.
rule cert_blocklist_98ab9585c04d7f0e4cf4de98c14b684d {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            // Both spellings of the serial are accepted, with and without the leading
            // 00 byte (presumably because tools render a high-bit serial differently).
            (
                pe.signatures[idx].serial == "98:ab:95:85:c0:4d:7f:0e:4c:f4:de:98:c1:4b:68:4d" or
                pe.signatures[idx].serial == "00:98:ab:95:85:c0:4d:7f:0e:4c:f4:de:98:c1:4b:68:4d"
            ) and
            pe.signatures[idx].subject contains "AMCERT,LLC" and
            // not_after is the certificate's expiry; the constant is a Unix timestamp.
            pe.signatures[idx].not_after >= 1656547200
        )
}
// Blocklist entry: matches an MZ file that carries a certificate with the serial
// and subject below. Only certificate fields are compared, not signature validity.
rule cert_blocklist_4631713e66e91347f0388b98cf747794 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].serial == "46:31:71:3e:66:e9:13:47:f0:38:8b:98:cf:74:77:94" and
            // "\\x.." in the literal is a backslash followed by "x..", so this matches
            // the subject in escaped text form rather than as raw UTF-8 bytes.
            pe.signatures[idx].subject contains "\\xE5\\xB9\\xBF\\xE5\\xB7\\x9E\\xE6\\x98\\x8A\\xE5\\x8A\\xA8\\xE7\\xBD\\x91\\xE7\\xBB\\x9C\\xE7\\xA7\\x91\\xE6\\x8A\\x80\\xE6\\x9C\\x89\\xE9\\x99\\x90\\xE5\\x85\\xAC\\xE5\\x8F\\xB8" and
            // not_after is the certificate's expiry; the constant is a Unix timestamp.
            pe.signatures[idx].not_after >= 1488240000
        )
}
// Blocklist entry: matches an MZ file that carries a certificate with the serial
// and subject below. Only certificate fields are compared, not signature validity.
rule cert_blocklist_e963f8983d21b4c1a69c66a9d37498e5 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            // Both spellings of the serial are accepted, with and without the leading
            // 00 byte (presumably because tools render a high-bit serial differently).
            (
                pe.signatures[idx].serial == "e9:63:f8:98:3d:21:b4:c1:a6:9c:66:a9:d3:74:98:e5" or
                pe.signatures[idx].serial == "00:e9:63:f8:98:3d:21:b4:c1:a6:9c:66:a9:d3:74:98:e5"
            ) and
            pe.signatures[idx].subject contains "Max Steinhard" and
            // not_after is the certificate's expiry; the constant is a Unix timestamp.
            pe.signatures[idx].not_after >= 1656288000
        )
}
// Blocklist entry: matches an MZ file that carries a certificate with the serial
// and subject below. Only certificate fields are compared, not signature validity.
rule cert_blocklist_6e44fcedd49f22f7a28cecc99104f61a {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].serial == "6e:44:fc:ed:d4:9f:22:f7:a2:8c:ec:c9:91:04:f6:1a" and
            pe.signatures[idx].subject contains "M-Trans Maciej Caban" and
            // not_after is the certificate's expiry; the constant is a Unix timestamp.
            pe.signatures[idx].not_after >= 1672923378
        )
}
// Blocklist entry: matches an MZ file that carries a certificate with the serial
// and subject below. Only certificate fields are compared, not signature validity.
rule cert_blocklist_35b49ee870aea532e6ef0a4987105c8f {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].serial == "35:b4:9e:e8:70:ae:a5:32:e6:ef:0a:49:87:10:5c:8f" and
            // "\\x.." in the literal is a backslash followed by "x..", so this matches
            // the subject in escaped text form rather than as raw UTF-8 bytes.
            pe.signatures[idx].subject contains "Kancelaria Adwokacka Adwokat Aleksandra Krzemi\\xC5\\x84ska" and
            // not_after is the certificate's expiry; the constant is a Unix timestamp.
            pe.signatures[idx].not_after >= 1663151018
        )
}
// Blocklist entry: matches an MZ file that carries a certificate with the serial
// and subject below. Only certificate fields are compared, not signature validity.
rule cert_blocklist_063dcd7d7b0bc77cac844c7213be3989 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].serial == "06:3d:cd:7d:7b:0b:c7:7c:ac:84:4c:72:13:be:39:89" and
            pe.signatures[idx].subject contains "HANNAH SISK LIMITED" and
            // not_after is the certificate's expiry; the constant is a Unix timestamp.
            pe.signatures[idx].not_after >= 1656892801
        )
}
// Blocklist entry: matches an MZ file that carries a certificate with the serial
// and subject below. Only certificate fields are compared, not signature validity.
rule cert_blocklist_6f8777aa866142ad7120e5e1c9321e37 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].serial == "6f:87:77:aa:86:61:42:ad:71:20:e5:e1:c9:32:1e:37" and
            pe.signatures[idx].subject contains "CLOUD SOFTWARE LINE CO., LTD." and
            // not_after is the certificate's expiry; the constant is a Unix timestamp.
            pe.signatures[idx].not_after >= 1629676800
        )
}
// Blocklist entry: matches an MZ file that carries a certificate with the serial
// and subject below. Only certificate fields are compared, not signature validity.
rule cert_blocklist_4a7f07c5d4ad2e23f9e8e03f0e229dd4 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].serial == "4a:7f:07:c5:d4:ad:2e:23:f9:e8:e0:3f:0e:22:9d:d4" and
            pe.signatures[idx].subject contains "Danalis LLC" and
            // not_after is the certificate's expiry; the constant is a Unix timestamp.
            pe.signatures[idx].not_after >= 1608681600
        )
}
// Blocklist entry: matches an MZ file that carries a certificate with the serial
// and subject below. Only certificate fields are compared, not signature validity.
rule cert_blocklist_f5f9c8f8c33e4ce84dd48fcb03ccb075 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            // Both spellings of the serial are accepted, with and without the leading
            // 00 byte (presumably because tools render a high-bit serial differently).
            (
                pe.signatures[idx].serial == "f5:f9:c8:f8:c3:3e:4c:e8:4d:d4:8f:cb:03:cc:b0:75" or
                pe.signatures[idx].serial == "00:f5:f9:c8:f8:c3:3e:4c:e8:4d:d4:8f:cb:03:cc:b0:75"
            ) and
            // "\\x.." in the literal is a backslash followed by "x..", so this matches
            // the subject in escaped text form rather than as raw UTF-8 bytes.
            pe.signatures[idx].subject contains "Abdulkadir \\xC5\\x9Eahin" and
            // not_after is the certificate's expiry; the constant is a Unix timestamp.
            pe.signatures[idx].not_after >= 1545004800
        )
}
// Blocklist entry: matches an MZ file that carries a certificate with the serial
// and subject below. Only certificate fields are compared, not signature validity.
rule cert_blocklist_57fc55239f21f139978609e323097132 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].serial == "57:fc:55:23:9f:21:f1:39:97:86:09:e3:23:09:71:32" and
            pe.signatures[idx].subject contains "Aidem Media Limited" and
            // not_after is the certificate's expiry; the constant is a Unix timestamp.
            pe.signatures[idx].not_after >= 1501632000
        )
}
// Blocklist entry: matches an MZ file that carries a certificate with the serial
// and subject below. Only certificate fields are compared, not signature validity.
rule cert_blocklist_eeefec4308abe63323600e1608f5e6f2 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            // Both spellings of the serial are accepted, with and without the leading
            // 00 byte (presumably because tools render a high-bit serial differently).
            (
                pe.signatures[idx].serial == "ee:ef:ec:43:08:ab:e6:33:23:60:0e:16:08:f5:e6:f2" or
                pe.signatures[idx].serial == "00:ee:ef:ec:43:08:ab:e6:33:23:60:0e:16:08:f5:e6:f2"
            ) and
            pe.signatures[idx].subject contains "YUPITER-STROI, OOO" and
            // not_after is the certificate's expiry; the constant is a Unix timestamp.
            pe.signatures[idx].not_after >= 1491177600
        )
}
// Blocklist entry: matches an MZ file that carries a certificate with the serial
// and subject below. Only certificate fields are compared, not signature validity.
rule cert_blocklist_0ecd460ce14bd8ef2926da2cd9a44176 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].serial == "0e:cd:46:0c:e1:4b:d8:ef:29:26:da:2c:d9:a4:41:76" and
            pe.signatures[idx].subject contains "Rabah Azrarak" and
            // not_after is the certificate's expiry; the constant is a Unix timestamp.
            pe.signatures[idx].not_after >= 1463035153
        )
}
// Blocklist entry: matches an MZ file that carries a certificate with the serial
// and subject below. Only certificate fields are compared, not signature validity.
rule cert_blocklist_5e75e997f3d70bb8c182d56b25b7d836 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].serial == "5e:75:e9:97:f3:d7:0b:b8:c1:82:d5:6b:25:b7:d8:36" and
            pe.signatures[idx].subject contains "Primetech Ltd." and
            // not_after is the certificate's expiry; the constant is a Unix timestamp.
            pe.signatures[idx].not_after >= 1324252800
        )
}
// Blocklist entry: matches an MZ file that carries a certificate with the serial
// and subject below. Only certificate fields are compared, not signature validity.
rule cert_blocklist_d5690d94f15315e143db10af35497dc5 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            // Both spellings of the serial are accepted, with and without the leading
            // 00 byte (presumably because tools render a high-bit serial differently).
            (
                pe.signatures[idx].serial == "d5:69:0d:94:f1:53:15:e1:43:db:10:af:35:49:7d:c5" or
                pe.signatures[idx].serial == "00:d5:69:0d:94:f1:53:15:e1:43:db:10:af:35:49:7d:c5"
            ) and
            pe.signatures[idx].subject contains "PET SERVICES d.o.o." and
            // not_after is the certificate's expiry; the constant is a Unix timestamp.
            pe.signatures[idx].not_after >= 1576195200
        )
}
// Blocklist entry: matches an MZ file that carries a certificate with the serial
// and subject below. Only certificate fields are compared, not signature validity.
rule cert_blocklist_8223c74185add0927246f5e33ebac467 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            // Both spellings of the serial are accepted, with and without the leading
            // 00 byte (presumably because tools render a high-bit serial differently).
            (
                pe.signatures[idx].serial == "82:23:c7:41:85:ad:d0:92:72:46:f5:e3:3e:ba:c4:67" or
                pe.signatures[idx].serial == "00:82:23:c7:41:85:ad:d0:92:72:46:f5:e3:3e:ba:c4:67"
            ) and
            pe.signatures[idx].subject contains "TOV Virikton" and
            // not_after is the certificate's expiry; the constant is a Unix timestamp.
            pe.signatures[idx].not_after >= 1463616000
        )
}
// Blocklist entry: matches an MZ file that carries a certificate with the serial
// and subject below. Only certificate fields are compared, not signature validity.
rule cert_blocklist_dd9e9e1d7c573714e3f567c5380ae6d0 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            // Both spellings of the serial are accepted, with and without the leading
            // 00 byte (presumably because tools render a high-bit serial differently).
            (
                pe.signatures[idx].serial == "dd:9e:9e:1d:7c:57:37:14:e3:f5:67:c5:38:0a:e6:d0" or
                pe.signatures[idx].serial == "00:dd:9e:9e:1d:7c:57:37:14:e3:f5:67:c5:38:0a:e6:d0"
            ) and
            pe.signatures[idx].subject contains "CREA&COM d.o.o." and
            // not_after is the certificate's expiry; the constant is a Unix timestamp.
            pe.signatures[idx].not_after >= 1575849600
        )
}
// Blocklist entry: matches an MZ file that carries a certificate with the serial
// and subject below. Only certificate fields are compared, not signature validity.
rule cert_blocklist_3d5e71 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            // NOTE(review): a 3-byte serial is only unique within one issuing CA and no
            // issuer is checked here, so the subject substring does most of the work.
            pe.signatures[idx].serial == "3d:5e:71" and
            pe.signatures[idx].subject contains "OF.PL sp. z o.o." and
            // not_after is the certificate's expiry; the constant is a Unix timestamp.
            pe.signatures[idx].not_after >= 1066997730
        )
}
// Blocklist entry: matches an MZ file that carries a certificate with the serial
// and subject below. Only certificate fields are compared, not signature validity.
rule cert_blocklist_c33187fe848a65e8484ea492cb2cbb18 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            // Both spellings of the serial are accepted, with and without the leading
            // 00 byte (presumably because tools render a high-bit serial differently).
            (
                pe.signatures[idx].serial == "c3:31:87:fe:84:8a:65:e8:48:4e:a4:92:cb:2c:bb:18" or
                pe.signatures[idx].serial == "00:c3:31:87:fe:84:8a:65:e8:48:4e:a4:92:cb:2c:bb:18"
            ) and
            pe.signatures[idx].subject contains "SELCUK GUNDOGDU" and
            // not_after is the certificate's expiry; the constant is a Unix timestamp.
            pe.signatures[idx].not_after >= 1426204800
        )
}
// Blocklist entry: matches an MZ file that carries a certificate with the serial
// and subject below. Only certificate fields are compared, not signature validity.
rule cert_blocklist_6fc143ba34cabf1de7a4c7f8f4cdad6d {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].serial == "6f:c1:43:ba:34:ca:bf:1d:e7:a4:c7:f8:f4:cd:ad:6d" and
            pe.signatures[idx].subject contains "World Telecom International Inc." and
            // not_after is the certificate's expiry; the constant is a Unix timestamp.
            pe.signatures[idx].not_after >= 1147046400
        )
}
// Blocklist entry: matches an MZ file that carries a certificate with the serial
// and subject below. Only certificate fields are compared, not signature validity.
rule cert_blocklist_6ac6268b2e431a2c1369346d175d0e30 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].serial == "6a:c6:26:8b:2e:43:1a:2c:13:69:34:6d:17:5d:0e:30" and
            pe.signatures[idx].subject contains "Install Sync" and
            // not_after is the certificate's expiry; the constant is a Unix timestamp.
            pe.signatures[idx].not_after >= 1436140800
        )
}
// Blocklist entry: matches an MZ file that carries a certificate with the serial
// and subject below. Only certificate fields are compared, not signature validity.
rule cert_blocklist_0fc4d9178b8df2c19e269ac6f43dd708 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].serial == "0f:c4:d9:17:8b:8d:f2:c1:9e:26:9a:c6:f4:3d:d7:08" and
            pe.signatures[idx].subject contains "PK Partnership, OOO" and
            // not_after is the certificate's expiry; the constant is a Unix timestamp.
            pe.signatures[idx].not_after >= 1466553600
        )
}
// Blocklist entry: matches an MZ file that carries a certificate with the serial
// and subject below. Only certificate fields are compared, not signature validity.
rule cert_blocklist_e01407871e2146c9baab1ae7ab8ab172 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            // Both spellings of the serial are accepted, with and without the leading
            // 00 byte (presumably because tools render a high-bit serial differently).
            (
                pe.signatures[idx].serial == "e0:14:07:87:1e:21:46:c9:ba:ab:1a:e7:ab:8a:b1:72" or
                pe.signatures[idx].serial == "00:e0:14:07:87:1e:21:46:c9:ba:ab:1a:e7:ab:8a:b1:72"
            ) and
            pe.signatures[idx].subject contains "TOV Intalev Ukraina" and
            // not_after is the certificate's expiry; the constant is a Unix timestamp.
            pe.signatures[idx].not_after >= 1464220800
        )
}
// Blocklist entry: matches an MZ file that carries a certificate with the serial
// and subject below. Only certificate fields are compared, not signature validity.
rule cert_blocklist_effc6d19d6fc85872e4e5b3ccee6d301 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            // Both spellings of the serial are accepted, with and without the leading
            // 00 byte (presumably because tools render a high-bit serial differently).
            (
                pe.signatures[idx].serial == "ef:fc:6d:19:d6:fc:85:87:2e:4e:5b:3c:ce:e6:d3:01" or
                pe.signatures[idx].serial == "00:ef:fc:6d:19:d6:fc:85:87:2e:4e:5b:3c:ce:e6:d3:01"
            ) and
            // "\\x.." in the literal is a backslash followed by "x..", so this matches
            // the subject in escaped text form rather than as raw UTF-8 bytes.
            pe.signatures[idx].subject contains "C\\xC3\\x93IR IP LIMITED" and
            // not_after is the certificate's expiry; the constant is a Unix timestamp.
            pe.signatures[idx].not_after >= 1572307200
        )
}
// Blocklist entry: matches an MZ file that carries a certificate with the serial
// and subject below. Only certificate fields are compared, not signature validity.
rule cert_blocklist_2f4a25d52b16eb4c9dfe71ebbd8121bb {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].serial == "2f:4a:25:d5:2b:16:eb:4c:9d:fe:71:eb:bd:81:21:bb" and
            pe.signatures[idx].subject contains "Blist LLC" and
            // not_after is the certificate's expiry; the constant is a Unix timestamp.
            pe.signatures[idx].not_after >= 1629763200
        )
}
// Blocklist entry: matches an MZ file that carries a certificate with the serial
// and subject below. Only certificate fields are compared, not signature validity.
rule cert_blocklist_6889aab6202bcc5f11caedf4d04f435b {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].serial == "68:89:aa:b6:20:2b:cc:5f:11:ca:ed:f4:d0:4f:43:5b" and
            pe.signatures[idx].subject contains "C4DL Media" and
            // not_after is the certificate's expiry; the constant is a Unix timestamp.
            pe.signatures[idx].not_after >= 1231891200
        )
}
// Blocklist entry: matches an MZ file that carries a certificate with the serial
// and subject below. Only certificate fields are compared, not signature validity.
rule cert_blocklist_3be63083fbb1787b445da97583721419 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].serial == "3b:e6:30:83:fb:b1:78:7b:44:5d:a9:75:83:72:14:19" and
            // The \" escapes put literal double quotes around SMART GREY in the substring.
            pe.signatures[idx].subject contains "\"SMART GREY\" LLC" and
            // not_after is the certificate's expiry; the constant is a Unix timestamp.
            pe.signatures[idx].not_after >= 1493942400
        )
}
// Blocklist entry: matches an MZ file that carries a certificate with the serial
// and subject below. Only certificate fields are compared, not signature validity.
rule cert_blocklist_6e2d3449272b6b96b8b9f728e87580d5 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].serial == "6e:2d:34:49:27:2b:6b:96:b8:b9:f7:28:e8:75:80:d5" and
            pe.signatures[idx].subject contains "RADIANT, OOO" and
            // not_after is the certificate's expiry; the constant is a Unix timestamp.
            pe.signatures[idx].not_after >= 1421107200
        )
}
// Blocklist entry: matches an MZ file that carries a certificate with the serial
// and subject below. Only certificate fields are compared, not signature validity.
rule cert_blocklist_268c0d7028a154ac3b6349c5 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].serial == "26:8c:0d:70:28:a1:54:ac:3b:63:49:c5" and
            pe.signatures[idx].subject contains "VANKY TECHNOLOGY LIMITED" and
            // not_after is the certificate's expiry; the constant is a Unix timestamp.
            pe.signatures[idx].not_after >= 1474266712
        )
}
// Blocklist entry: matches an MZ file that carries a certificate with the serial
// and subject below. Only certificate fields are compared, not signature validity.
rule cert_blocklist_2daa8d629cc0410a9482e62a0f8bf8fc {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].serial == "2d:aa:8d:62:9c:c0:41:0a:94:82:e6:2a:0f:8b:f8:fc" and
            pe.signatures[idx].subject contains "DON'T MISS A WORD LIMITED" and
            // not_after is the certificate's expiry; the constant is a Unix timestamp.
            pe.signatures[idx].not_after >= 1543449600
        )
}
// Blocklist entry: matches an MZ file that carries a certificate with the serial
// and subject below. Only certificate fields are compared, not signature validity.
rule cert_blocklist_9a727e200ea76570 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            // Both spellings of the serial are accepted, with and without the leading
            // 00 byte (presumably because tools render a high-bit serial differently).
            (
                pe.signatures[idx].serial == "9a:72:7e:20:0e:a7:65:70" or
                pe.signatures[idx].serial == "00:9a:72:7e:20:0e:a7:65:70"
            ) and
            pe.signatures[idx].subject contains "Alexsandro Da Rosa - ME" and
            // not_after is the certificate's expiry; the constant is a Unix timestamp.
            pe.signatures[idx].not_after >= 1539056530
        )
}
// Blocklist entry: matches an MZ file that carries a certificate with the serial
// and subject below. Only certificate fields are compared, not signature validity.
rule cert_blocklist_0954a3c876df9262cde5817f9870f0c6 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].serial == "09:54:a3:c8:76:df:92:62:cd:e5:81:7f:98:70:f0:c6" and
            pe.signatures[idx].subject contains "Dialer Access" and
            // not_after is the certificate's expiry; the constant is a Unix timestamp.
            pe.signatures[idx].not_after >= 1160438400
        )
}
// Blocklist entry: matches an MZ file that carries a certificate with the serial
// and subject below. Only certificate fields are compared, not signature validity.
rule cert_blocklist_3c30930e53bb026f9a5d7440155f7118 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].serial == "3c:30:93:0e:53:bb:02:6f:9a:5d:74:40:15:5f:71:18" and
            pe.signatures[idx].subject contains "CPM Media, Ltd." and
            // not_after is the certificate's expiry; the constant is a Unix timestamp.
            pe.signatures[idx].not_after >= 1064534400
        )
}
// Blocklist entry: matches an MZ file that carries a certificate with the serial
// and subject below. Only certificate fields are compared, not signature validity.
rule cert_blocklist_432eefc0d4dc0326eb277a518cc4310a {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].serial == "43:2e:ef:c0:d4:dc:03:26:eb:27:7a:51:8c:c4:31:0a" and
            pe.signatures[idx].subject contains "Beijing Caiyunshidai Technology Co., Ltd." and
            // not_after is the certificate's expiry; the constant is a Unix timestamp.
            pe.signatures[idx].not_after >= 1466121600
        )
}
// Blocklist entry: matches an MZ file that carries a certificate with the serial
// and subject below. Only certificate fields are compared, not signature validity.
rule cert_blocklist_470d6ce21a6940320261f09e {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].serial == "47:0d:6c:e2:1a:69:40:32:02:61:f0:9e" and
            pe.signatures[idx].subject contains "VANKY TECHNOLOGY LIMITED" and
            // not_after is the certificate's expiry; the constant is a Unix timestamp.
            pe.signatures[idx].not_after >= 1474523038
        )
}
// Blocklist entry: matches an MZ file that carries a certificate with the serial
// and subject below. Only certificate fields are compared, not signature validity.
rule cert_blocklist_7e6bc7e5a49e2c28e6f5d042 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].serial == "7e:6b:c7:e5:a4:9e:2c:28:e6:f5:d0:42" and
            pe.signatures[idx].subject contains "Shang Hai Jian Ji Wang Luo Ke Ji You Xian Gong Si" and
            // not_after is the certificate's expiry; the constant is a Unix timestamp.
            pe.signatures[idx].not_after >= 1560995284
        )
}
// Blocklist entry: matches an MZ file that carries a certificate with the serial
// and subject below. Only certificate fields are compared, not signature validity.
rule cert_blocklist_4c5020899147c850196c4ebf {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].serial == "4c:50:20:89:91:47:c8:50:19:6c:4e:bf" and
            pe.signatures[idx].subject contains "VANKY TECHNOLOGY LIMITED" and
            // not_after is the certificate's expiry; the constant is a Unix timestamp.
            pe.signatures[idx].not_after >= 1476693792
        )
}
// Blocklist entry: matches an MZ file that carries a certificate with the serial
// and subject below. Only certificate fields are compared, not signature validity.
rule cert_blocklist_4efcf7adc21f070e590d49ddb8081397 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].serial == "4e:fc:f7:ad:c2:1f:07:0e:59:0d:49:dd:b8:08:13:97" and
            pe.signatures[idx].subject contains "Ding Ruan" and
            // not_after is the certificate's expiry; the constant is a Unix timestamp.
            pe.signatures[idx].not_after >= 1476921600
        )
}
// Blocklist entry: matches an MZ file that carries a certificate with the serial
// and subject below. Only certificate fields are compared, not signature validity.
rule cert_blocklist_cbd37c0a651913ee25a6860d7d5ccdf2 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            // Both spellings of the serial are accepted, with and without the leading
            // 00 byte (presumably because tools render a high-bit serial differently).
            (
                pe.signatures[idx].serial == "cb:d3:7c:0a:65:19:13:ee:25:a6:86:0d:7d:5c:cd:f2" or
                pe.signatures[idx].serial == "00:cb:d3:7c:0a:65:19:13:ee:25:a6:86:0d:7d:5c:cd:f2"
            ) and
            // The subject substring is only four characters; the serial narrows the match.
            pe.signatures[idx].subject contains "Amma" and
            // not_after is the certificate's expiry; the constant is a Unix timestamp.
            pe.signatures[idx].not_after >= 1431734400
        )
}
// Blocklist entry: matches an MZ file that carries a certificate with the serial
// and subject below. Only certificate fields are compared, not signature validity.
rule cert_blocklist_5fe0ad6b03c57ab67a352159004ca3db {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].serial == "5f:e0:ad:6b:03:c5:7a:b6:7a:35:21:59:00:4c:a3:db" and
            pe.signatures[idx].subject contains "SpectorSoft Corp." and
            // not_after is the certificate's expiry; the constant is a Unix timestamp.
            pe.signatures[idx].not_after >= 1402272000
        )
}
// Blocklist entry: matches an MZ file that carries a certificate with the serial
// and subject below. Only certificate fields are compared, not signature validity.
rule cert_blocklist_642ad8e5ef8b3ac767f0d5c1a999bdaa {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].serial == "64:2a:d8:e5:ef:8b:3a:c7:67:f0:d5:c1:a9:99:bd:aa" and
            pe.signatures[idx].subject contains "Itgms Ltd" and
            // not_after is the certificate's expiry; the constant is a Unix timestamp.
            pe.signatures[idx].not_after >= 1447804800
        )
}
// Blocklist entry: matches an MZ file that carries a certificate with the serial
// and subject below. Only certificate fields are compared, not signature validity.
rule cert_blocklist_5333d3079d8afda715703775e1389991 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].serial == "53:33:d3:07:9d:8a:fd:a7:15:70:37:75:e1:38:99:91" and
            pe.signatures[idx].subject contains "Trambambon LLC" and
            // not_after is the certificate's expiry; the constant is a Unix timestamp.
            pe.signatures[idx].not_after >= 1239148800
        )
}
// Blocklist entry: matches an MZ file that carries a certificate with the serial
// and subject below. Only certificate fields are compared, not signature validity.
rule cert_blocklist_139a7ee1f1a7735c151089755df5d373 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].serial == "13:9a:7e:e1:f1:a7:73:5c:15:10:89:75:5d:f5:d3:73" and
            pe.signatures[idx].subject contains "Yongli Li" and
            // not_after is the certificate's expiry; the constant is a Unix timestamp.
            pe.signatures[idx].not_after >= 1476057600
        )
}
// Blocklist entry: matches an MZ file that carries a certificate with the serial
// and subject below. Only certificate fields are compared, not signature validity.
rule cert_blocklist_74dbe83082e1b3dfa29f9c24 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].serial == "74:db:e8:30:82:e1:b3:df:a2:9f:9c:24" and
            pe.signatures[idx].subject contains "EVANGEL TECHNOLOGY(HK) LIMITED" and
            // not_after is the certificate's expiry; the constant is a Unix timestamp.
            pe.signatures[idx].not_after >= 1468817578
        )
}
// Blocklist entry: matches an MZ file that carries a certificate with the serial
// and subject below. Only certificate fields are compared, not signature validity.
rule cert_blocklist_0a466553a6391aafd181b400266c7b18 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].serial == "0a:46:65:53:a6:39:1a:af:d1:81:b4:00:26:6c:7b:18" and
            pe.signatures[idx].subject contains "PhaseQ Limited" and
            // not_after is the certificate's expiry; the constant is a Unix timestamp.
            pe.signatures[idx].not_after >= 1555545600
        )
}
// Blocklist entry: matches an MZ file that carries a certificate with the serial
// and subject below. Only certificate fields are compared, not signature validity.
rule cert_blocklist_0d3dec8794fa7228d1ee40eeb8187149 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].serial == "0d:3d:ec:87:94:fa:72:28:d1:ee:40:ee:b8:18:71:49" and
            pe.signatures[idx].subject contains "Financial Security Institute, Inc." and
            // not_after is the certificate's expiry; the constant is a Unix timestamp.
            pe.signatures[idx].not_after >= 1582675200
        )
}
// Blocklist entry: matches an MZ file that carries a certificate with the serial
// and subject below. Only certificate fields are compared, not signature validity.
rule cert_blocklist_24af70b5d17a63ad053e5821 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].serial == "24:af:70:b5:d1:7a:63:ad:05:3e:58:21" and
            pe.signatures[idx].subject contains "BIG JOURNEY TECHNOLOGY LIMITED" and
            // not_after is the certificate's expiry; the constant is a Unix timestamp.
            pe.signatures[idx].not_after >= 1474179615
        )
}
// Blocklist entry: matches an MZ file that carries a certificate with the serial
// and subject below. Only certificate fields are compared, not signature validity.
rule cert_blocklist_402e9fcba61e5eaf9c0c7b3bfd6259d9 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].serial == "40:2e:9f:cb:a6:1e:5e:af:9c:0c:7b:3b:fd:62:59:d9" and
            pe.signatures[idx].subject contains "Yongli Li" and
            // not_after is the certificate's expiry; the constant is a Unix timestamp.
            pe.signatures[idx].not_after >= 1477440000
        )
}
// Blocklist entry: matches an MZ file that carries a certificate with the serial
// and subject below. Only certificate fields are compared, not signature validity.
rule cert_blocklist_2c84f9136059e96134f8766670eacd52 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].serial == "2c:84:f9:13:60:59:e9:61:34:f8:76:66:70:ea:cd:52" and
            pe.signatures[idx].subject contains "Open Source Developer, DIEGO MANUEL RODRIGUEZ" and
            // not_after is the certificate's expiry; the constant is a Unix timestamp.
            pe.signatures[idx].not_after >= 1442215311
        )
}
// Blocklist entry: matches an MZ file that carries a certificate with the serial
// and subject below. Only certificate fields are compared, not signature validity.
rule cert_blocklist_6716a9c195987d5cfe53a094779461e7 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].serial == "67:16:a9:c1:95:98:7d:5c:fe:53:a0:94:77:94:61:e7" and
            pe.signatures[idx].subject contains "Inter Technologies Ltd." and
            // not_after is the certificate's expiry; the constant is a Unix timestamp.
            pe.signatures[idx].not_after >= 1169424000
        )
}
// Blocklist entry: matches an MZ file that carries a certificate with the serial
// and subject below. Only certificate fields are compared, not signature validity.
rule cert_blocklist_876c00bd665df98b35554f67a5c1c32a {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            // Both spellings of the serial are accepted, with and without the leading
            // 00 byte (presumably because tools render a high-bit serial differently).
            (
                pe.signatures[idx].serial == "87:6c:00:bd:66:5d:f9:8b:35:55:4f:67:a5:c1:c3:2a" or
                pe.signatures[idx].serial == "00:87:6c:00:bd:66:5d:f9:8b:35:55:4f:67:a5:c1:c3:2a"
            ) and
            pe.signatures[idx].subject contains "Lossera-M, OOO" and
            // not_after is the certificate's expiry; the constant is a Unix timestamp.
            pe.signatures[idx].not_after >= 1493078400
        )
}
// Blocklist entry: matches an MZ file that carries a certificate with the serial
// and subject below. Only certificate fields are compared, not signature validity.
rule cert_blocklist_4b093cb60d4b992266f550934a4ac7d0 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].serial == "4b:09:3c:b6:0d:4b:99:22:66:f5:50:93:4a:4a:c7:d0" and
            pe.signatures[idx].subject contains "LCB SISTEMAS LTDA ME" and
            // not_after is the certificate's expiry; the constant is a Unix timestamp.
            pe.signatures[idx].not_after >= 1478649600
        )
}
// Blocklist entry: matches an MZ file that carries a certificate with the serial
// and subject below. Only certificate fields are compared, not signature validity.
rule cert_blocklist_2050b54146b011ed30f60f61 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].serial == "20:50:b5:41:46:b0:11:ed:30:f6:0f:61" and
            pe.signatures[idx].subject contains "VANKY TECHNOLOGY LIMITED" and
            // not_after is the certificate's expiry; the constant is a Unix timestamp.
            pe.signatures[idx].not_after >= 1476773926
        )
}
// Blocklist entry: matches an MZ file that carries a certificate with the serial
// and subject below. Only certificate fields are compared, not signature validity.
rule cert_blocklist_73e2f34c9c2435f29bbe0a3c {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].serial == "73:e2:f3:4c:9c:24:35:f2:9b:be:0a:3c" and
            pe.signatures[idx].subject contains "VANKY TECHNOLOGY LIMITED" and
            // not_after is the certificate's expiry; the constant is a Unix timestamp.
            pe.signatures[idx].not_after >= 1480312984
        )
}
// Blocklist entry: matches an MZ file that carries a certificate with the serial
// and subject below. Only certificate fields are compared, not signature validity.
rule cert_blocklist_68c457d7495d2a8d0d7b9042836135c2 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].serial == "68:c4:57:d7:49:5d:2a:8d:0d:7b:90:42:83:61:35:c2" and
            pe.signatures[idx].subject contains "Yuanyuan Zhang" and
            // not_after is the certificate's expiry; the constant is a Unix timestamp.
            pe.signatures[idx].not_after >= 1476921600
        )
}
// Blocklist entry: matches an MZ file that carries a certificate with the serial
// and subject below. Only certificate fields are compared, not signature validity.
rule cert_blocklist_6b72ca367d40fbef16e73e6eba6a9a59 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].serial == "6b:72:ca:36:7d:40:fb:ef:16:e7:3e:6e:ba:6a:9a:59" and
            pe.signatures[idx].subject contains "Yu Bao" and
            // not_after is the certificate's expiry; the constant is a Unix timestamp.
            pe.signatures[idx].not_after >= 1476748800
        )
}
// Blocklist entry: matches an MZ file that carries a certificate with the serial
// and subject below. Only certificate fields are compared, not signature validity.
rule cert_blocklist_736b7663d322533413f36e3e7e55f920 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].serial == "73:6b:76:63:d3:22:53:34:13:f3:6e:3e:7e:55:f9:20" and
            pe.signatures[idx].subject contains "Net Technology" and
            // not_after is the certificate's expiry; the constant is a Unix timestamp.
            pe.signatures[idx].not_after >= 1159488000
        )
}
// Blocklist entry: matches an MZ file that carries a certificate with the serial
// and subject below. Only certificate fields are compared, not signature validity.
rule cert_blocklist_54a170102461fdc967acfafe4bbbc7f0 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].serial == "54:a1:70:10:24:61:fd:c9:67:ac:fa:fe:4b:bb:c7:f0" and
            pe.signatures[idx].subject contains "Yu Bao" and
            // not_after is the certificate's expiry; the constant is a Unix timestamp.
            pe.signatures[idx].not_after >= 1476748800
        )
}
// Blocklist entry: an MZ-headed file matches when any one of its signatures
// carries the subject substring and serial below. Field comparison only - a
// hit does not show the signature verified, so check the chain separately.
rule cert_blocklist_0c501b8b113209c96c8119cf7a6b8b79 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read as a little-endian 16-bit value at offset 0.
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Yuanyuan Zhang" and
pe.signatures[i].serial == "0c:50:1b:8b:11:32:09:c9:6c:81:19:cf:7a:6b:8b:79" and
// Expiry bound in Unix seconds; the file header calls this value informative.
1474329600 <= pe.signatures[i].not_after
)
}
// Blocklist entry: an MZ-headed file matches when any one of its signatures
// carries the subject substring and serial below. Field comparison only - a
// hit does not show the signature verified, so check the chain separately.
rule cert_blocklist_0300ee4a4c52443147821a8186d04309 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read as a little-endian 16-bit value at offset 0.
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Buster Ind Com Imp e Exp de Acessorios P Autos Ltda" and
pe.signatures[i].serial == "03:00:ee:4a:4c:52:44:31:47:82:1a:81:86:d0:43:09" and
// Expiry bound in Unix seconds; the file header calls this value informative.
1494892800 <= pe.signatures[i].not_after
)
}
// Blocklist entry: an MZ-headed file matches when any one of its signatures
// carries the subject substring and serial below. Field comparison only - a
// hit does not show the signature verified, so check the chain separately.
// NOTE(review): a 3-byte serial is unique only per issuer and no issuer is
// tested here, so an unrelated certificate could collide; verify hits.
rule cert_blocklist_202cf8 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read as a little-endian 16-bit value at offset 0.
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "DATALINE LTD." and
pe.signatures[i].serial == "20:2c:f8" and
// Expiry bound in Unix seconds; the file header calls this value informative.
1087841761 <= pe.signatures[i].not_after
)
}
// Blocklist entry: an MZ-headed file matches when any one of its signatures
// carries the subject substring and serial below. Field comparison only - a
// hit does not show the signature verified, so check the chain separately.
rule cert_blocklist_6651cc8b4850d4dec61961503ea7956b {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read as a little-endian 16-bit value at offset 0.
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "NUSAAPPINSTALL(APPS INSTALLER S.L.)" and
pe.signatures[i].serial == "66:51:cc:8b:48:50:d4:de:c6:19:61:50:3e:a7:95:6b" and
// Expiry bound in Unix seconds; the file header calls this value informative.
1436175828 <= pe.signatures[i].not_after
)
}
// Blocklist entry: an MZ-headed file matches when any one of its signatures
// carries the subject substring and serial below. Field comparison only - a
// hit does not show the signature verified, so check the chain separately.
rule cert_blocklist_25bef28467e4750331d2f403458113b8 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read as a little-endian 16-bit value at offset 0.
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Beijing Caiyunshidai Technology Co., Ltd." and
pe.signatures[i].serial == "25:be:f2:84:67:e4:75:03:31:d2:f4:03:45:81:13:b8" and
// Expiry bound in Unix seconds; the file header calls this value informative.
1474156800 <= pe.signatures[i].not_after
)
}
// Blocklist entry: an MZ-headed file matches when any one of its signatures
// carries the subject substring and serial below. Field comparison only - a
// hit does not show the signature verified, so check the chain separately.
rule cert_blocklist_0296cf3314f434c5b74d0c3e36616dd1 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read as a little-endian 16-bit value at offset 0.
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Yu Bao" and
pe.signatures[i].serial == "02:96:cf:33:14:f4:34:c5:b7:4d:0c:3e:36:61:6d:d1" and
// Expiry bound in Unix seconds; the file header calls this value informative.
1474934400 <= pe.signatures[i].not_after
)
}
// Blocklist entry: an MZ-headed file matches when any one of its signatures
// carries the subject substring and serial below. Field comparison only - a
// hit does not show the signature verified, so check the chain separately.
rule cert_blocklist_045d57d63e13775c8f812e1864797f5a {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read as a little-endian 16-bit value at offset 0.
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Yuanyuan Mei" and
pe.signatures[i].serial == "04:5d:57:d6:3e:13:77:5c:8f:81:2e:18:64:79:7f:5a" and
// Expiry bound in Unix seconds; the file header calls this value informative.
1485043200 <= pe.signatures[i].not_after
)
}
// Blocklist entry: an MZ-headed file matches when any one of its signatures
// carries the subject substring and serial below. Field comparison only - a
// hit does not show the signature verified, so check the chain separately.
rule cert_blocklist_6d633df9bb6015fc3ecea99dff309ee7 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read as a little-endian 16-bit value at offset 0.
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Yuanyuan Zhang" and
pe.signatures[i].serial == "6d:63:3d:f9:bb:60:15:fc:3e:ce:a9:9d:ff:30:9e:e7" and
// Expiry bound in Unix seconds; the file header calls this value informative.
1474156800 <= pe.signatures[i].not_after
)
}
// Blocklist entry: an MZ-headed file matches when any one of its signatures
// carries the subject substring and serial below. Field comparison only - a
// hit does not show the signature verified, so check the chain separately.
rule cert_blocklist_22e2a66e63b8cb4ec6989bf7 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read as a little-endian 16-bit value at offset 0.
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Sivi Technology Limited" and
pe.signatures[i].serial == "22:e2:a6:6e:63:b8:cb:4e:c6:98:9b:f7" and
// Expiry bound in Unix seconds; the file header calls this value informative.
1466995365 <= pe.signatures[i].not_after
)
}
// Blocklist entry: an MZ-headed file matches when any one of its signatures
// carries the subject substring and serial below. Field comparison only - a
// hit does not show the signature verified, so check the chain separately.
rule cert_blocklist_654b406de388ec2aec253ff2ba4c4bbd {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read as a little-endian 16-bit value at offset 0.
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Yijiajian (Amoy) Jiankan Tech Co.,LTD." and
pe.signatures[i].serial == "65:4b:40:6d:e3:88:ec:2a:ec:25:3f:f2:ba:4c:4b:bd" and
// Expiry bound in Unix seconds; the file header calls this value informative.
1398902400 <= pe.signatures[i].not_after
)
}
// Blocklist entry: an MZ-headed file matches when any one of its signatures
// carries the subject substring and serial below. Field comparison only - a
// hit does not show the signature verified, so check the chain separately.
rule cert_blocklist_78d1817ebcf338b4e9c810f9740a726b {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read as a little-endian 16-bit value at offset 0.
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "CONSTRUTORA NOVO PARQUE LTDA - ME" and
pe.signatures[i].serial == "78:d1:81:7e:bc:f3:38:b4:e9:c8:10:f9:74:0a:72:6b" and
// Expiry bound in Unix seconds; the file header calls this value informative.
1431734400 <= pe.signatures[i].not_after
)
}
// Blocklist entry: an MZ-headed file matches when any one of its signatures
// carries the subject substring and serial below. Field comparison only - a
// hit does not show the signature verified, so check the chain separately.
rule cert_blocklist_45fbcdb1fbd3d702fb77257b45d8c58e {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read as a little-endian 16-bit value at offset 0.
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Ding Ruan" and
pe.signatures[i].serial == "45:fb:cd:b1:fb:d3:d7:02:fb:77:25:7b:45:d8:c5:8e" and
// Expiry bound in Unix seconds; the file header calls this value informative.
1476662400 <= pe.signatures[i].not_after
)
}
// Blocklist entry: an MZ-headed file matches when any one of its signatures
// carries the subject substring and serial below. Field comparison only - a
// hit does not show the signature verified, so check the chain separately.
rule cert_blocklist_4b5d8ed5ca011679f141f124 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read as a little-endian 16-bit value at offset 0.
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "VANKY TECHNOLOGY LIMITED" and
pe.signatures[i].serial == "4b:5d:8e:d5:ca:01:16:79:f1:41:f1:24" and
// Expiry bound in Unix seconds; the file header calls this value informative.
1480644725 <= pe.signatures[i].not_after
)
}
// Blocklist entry: an MZ-headed file matches when any one of its signatures
// carries the subject substring and serial below. Field comparison only - a
// hit does not show the signature verified, so check the chain separately.
rule cert_blocklist_33671f1bcbd0f5e231fc386f4895000e {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read as a little-endian 16-bit value at offset 0.
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "ALAIS, OOO" and
pe.signatures[i].serial == "33:67:1f:1b:cb:d0:f5:e2:31:fc:38:6f:48:95:00:0e" and
// Expiry bound in Unix seconds; the file header calls this value informative.
1491868800 <= pe.signatures[i].not_after
)
}
// Blocklist entry: an MZ-headed file matches when any one of its signatures
// carries the subject substring and serial below. Field comparison only - a
// hit does not show the signature verified, so check the chain separately.
rule cert_blocklist_32bc299f0694c19ec21e71265b1d7e17 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read as a little-endian 16-bit value at offset 0.
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Yu Bao" and
pe.signatures[i].serial == "32:bc:29:9f:06:94:c1:9e:c2:1e:71:26:5b:1d:7e:17" and
// Expiry bound in Unix seconds; the file header calls this value informative.
1474416000 <= pe.signatures[i].not_after
)
}
// Blocklist entry: an MZ-headed file matches when any one of its signatures
// carries the subject substring and serial below. Field comparison only - a
// hit does not show the signature verified, so check the chain separately.
rule cert_blocklist_7b75c6b0a09afdb9787f6dff75ae7844 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read as a little-endian 16-bit value at offset 0.
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Yuanyuan Zhang" and
pe.signatures[i].serial == "7b:75:c6:b0:a0:9a:fd:b9:78:7f:6d:ff:75:ae:78:44" and
// Expiry bound in Unix seconds; the file header calls this value informative.
1476662400 <= pe.signatures[i].not_after
)
}
// Blocklist entry: an MZ-headed file matches when any one of its signatures
// carries the subject substring and serial below. Field comparison only - a
// hit does not show the signature verified, so check the chain separately.
rule cert_blocklist_167fd1295b3bb102dbb37292c838e7cd {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read as a little-endian 16-bit value at offset 0.
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Yu Bao" and
pe.signatures[i].serial == "16:7f:d1:29:5b:3b:b1:02:db:b3:72:92:c8:38:e7:cd" and
// Expiry bound in Unix seconds; the file header calls this value informative.
1476921600 <= pe.signatures[i].not_after
)
}
// Blocklist entry: an MZ-headed file matches when any one of its signatures
// carries the subject substring and serial below. Field comparison only - a
// hit does not show the signature verified, so check the chain separately.
rule cert_blocklist_253ad25e39abe8f8fda9fcf6 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read as a little-endian 16-bit value at offset 0.
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "DVERI FADO, TOV" and
pe.signatures[i].serial == "25:3a:d2:5e:39:ab:e8:f8:fd:a9:fc:f6" and
// Expiry bound in Unix seconds; the file header calls this value informative.
1538662130 <= pe.signatures[i].not_after
)
}
// Blocklist entry: an MZ-headed file matches when any one of its signatures
// carries the subject substring and one of the serial forms below. Field
// comparison only - a hit does not show the signature verified, so check
// the chain separately.
rule cert_blocklist_a9c1523cb2c73a82771d318124963e87 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read as a little-endian 16-bit value at offset 0.
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "ULTERA" and (
// Same serial with and without a leading 00 byte; presumably covers both
// renderings of the DER sign-padding byte - confirm.
pe.signatures[i].serial == "00:a9:c1:52:3c:b2:c7:3a:82:77:1d:31:81:24:96:3e:87" or
pe.signatures[i].serial == "a9:c1:52:3c:b2:c7:3a:82:77:1d:31:81:24:96:3e:87"
) and
// Expiry bound in Unix seconds; the file header calls this value informative.
1499731200 <= pe.signatures[i].not_after
)
}
// Blocklist entry: an MZ-headed file matches when any one of its signatures
// carries the subject substring and serial below. Field comparison only - a
// hit does not show the signature verified, so check the chain separately.
rule cert_blocklist_68e1b2c210b19bb1f2a24176709b165b {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read as a little-endian 16-bit value at offset 0.
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Xin Zhou" and
pe.signatures[i].serial == "68:e1:b2:c2:10:b1:9b:b1:f2:a2:41:76:70:9b:16:5b" and
// Expiry bound in Unix seconds; the file header calls this value informative.
1474502400 <= pe.signatures[i].not_after
)
}
// Blocklist entry: an MZ-headed file matches when any one of its signatures
// carries the subject substring and serial below. Field comparison only - a
// hit does not show the signature verified, so check the chain separately.
rule cert_blocklist_5c88313bd98bde99c9b9ac1408a63249 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read as a little-endian 16-bit value at offset 0.
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Yu Bao" and
pe.signatures[i].serial == "5c:88:31:3b:d9:8b:de:99:c9:b9:ac:14:08:a6:32:49" and
// Expiry bound in Unix seconds; the file header calls this value informative.
1474243200 <= pe.signatures[i].not_after
)
}
// Blocklist entry: an MZ-headed file matches when any one of its signatures
// carries the subject substring and serial below. Field comparison only - a
// hit does not show the signature verified, so check the chain separately.
rule cert_blocklist_7a632a6ecfc6c49ec1f42f76 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read as a little-endian 16-bit value at offset 0.
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "BIG JOURNEY TECHNOLOGY LIMITED" and
pe.signatures[i].serial == "7a:63:2a:6e:cf:c6:c4:9e:c1:f4:2f:76" and
// Expiry bound in Unix seconds; the file header calls this value informative.
1474959780 <= pe.signatures[i].not_after
)
}
// Blocklist entry: an MZ-headed file matches when any one of its signatures
// carries the subject substring and one of the serial forms below. Field
// comparison only - a hit does not show the signature verified, so check
// the chain separately.
rule cert_blocklist_f57df6a6eee3854d513d0ba8585049b7 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read as a little-endian 16-bit value at offset 0.
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "smnetworks" and (
// Same serial with and without a leading 00 byte; presumably covers both
// renderings of the DER sign-padding byte - confirm.
pe.signatures[i].serial == "00:f5:7d:f6:a6:ee:e3:85:4d:51:3d:0b:a8:58:50:49:b7" or
pe.signatures[i].serial == "f5:7d:f6:a6:ee:e3:85:4d:51:3d:0b:a8:58:50:49:b7"
) and
// Expiry bound in Unix seconds; the file header calls this value informative.
1277769600 <= pe.signatures[i].not_after
)
}
// Blocklist entry: an MZ-headed file matches when any one of its signatures
// carries the subject substring and serial below. Field comparison only - a
// hit does not show the signature verified, so check the chain separately.
rule cert_blocklist_0ac5ac5d323122e6d8e92d6e191b1432 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read as a little-endian 16-bit value at offset 0.
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Certified Software" and
pe.signatures[i].serial == "0a:c5:ac:5d:32:31:22:e6:d8:e9:2d:6e:19:1b:14:32" and
// Expiry bound in Unix seconds; the file header calls this value informative.
1140134400 <= pe.signatures[i].not_after
)
}
// Blocklist entry: an MZ-headed file matches when any one of its signatures
// carries the subject substring and serial below. Field comparison only - a
// hit does not show the signature verified, so check the chain separately.
rule cert_blocklist_2433d9df7efbccb870ee5904d62a0101 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read as a little-endian 16-bit value at offset 0.
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Conpavi AG" and
pe.signatures[i].serial == "24:33:d9:df:7e:fb:cc:b8:70:ee:59:04:d6:2a:01:01" and
// Expiry bound in Unix seconds; the file header calls this value informative.
1322438400 <= pe.signatures[i].not_after
)
}
// Blocklist entry: an MZ-headed file matches when any one of its signatures
// carries the subject substring and serial below. Field comparison only - a
// hit does not show the signature verified, so check the chain separately.
rule cert_blocklist_462baada57570f70df76d10b9e7bf2b7 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read as a little-endian 16-bit value at offset 0.
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "DVERI FADO, TOV" and
pe.signatures[i].serial == "46:2b:aa:da:57:57:0f:70:df:76:d1:0b:9e:7b:f2:b7" and
// Expiry bound in Unix seconds; the file header calls this value informative.
1551744000 <= pe.signatures[i].not_after
)
}
// Blocklist entry: an MZ-headed file matches when any one of its signatures
// carries the subject substring and one of the serial forms below. Field
// comparison only - a hit does not show the signature verified, so check
// the chain separately.
rule cert_blocklist_83320d93dd8cf16d11f99b1078b0a7cb {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read as a little-endian 16-bit value at offset 0.
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "TRANS LTD" and (
// Same serial with and without a leading 00 byte; presumably covers both
// renderings of the DER sign-padding byte - confirm.
pe.signatures[i].serial == "00:83:32:0d:93:dd:8c:f1:6d:11:f9:9b:10:78:b0:a7:cb" or
pe.signatures[i].serial == "83:32:0d:93:dd:8c:f1:6d:11:f9:9b:10:78:b0:a7:cb"
) and
// Expiry bound in Unix seconds; the file header calls this value informative.
1524614400 <= pe.signatures[i].not_after
)
}
// Blocklist entry: an MZ-headed file matches when any one of its signatures
// carries the subject substring and serial below. Field comparison only - a
// hit does not show the signature verified, so check the chain separately.
rule cert_blocklist_10bae1d20cb4cc36a0ffac86 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read as a little-endian 16-bit value at offset 0.
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "BIG JOURNEY TECHNOLOGY LIMITED" and
pe.signatures[i].serial == "10:ba:e1:d2:0c:b4:cc:36:a0:ff:ac:86" and
// Expiry bound in Unix seconds; the file header calls this value informative.
1476773830 <= pe.signatures[i].not_after
)
}
// Blocklist entry: an MZ-headed file matches when any one of its signatures
// carries the subject substring and serial below. Field comparison only - a
// hit does not show the signature verified, so check the chain separately.
rule cert_blocklist_230716bfe915dd6203b2e2a35674c2ee {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read as a little-endian 16-bit value at offset 0.
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Jiang Liu" and
pe.signatures[i].serial == "23:07:16:bf:e9:15:dd:62:03:b2:e2:a3:56:74:c2:ee" and
// Expiry bound in Unix seconds; the file header calls this value informative.
1472169600 <= pe.signatures[i].not_after
)
}
// Blocklist entry: an MZ-headed file matches when any one of its signatures
// carries the subject substring and serial below. Field comparison only - a
// hit does not show the signature verified, so check the chain separately.
rule cert_blocklist_36a77d37e68e02fd3d043c7197e044ca {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read as a little-endian 16-bit value at offset 0.
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Direct Systems Ltd" and
pe.signatures[i].serial == "36:a7:7d:37:e6:8e:02:fd:3d:04:3c:71:97:e0:44:ca" and
// Expiry bound in Unix seconds; the file header calls this value informative.
1515542400 <= pe.signatures[i].not_after
)
}
// Blocklist entry: an MZ-headed file matches when any one of its signatures
// carries the subject substring and serial below. Field comparison only - a
// hit does not show the signature verified, so check the chain separately.
rule cert_blocklist_73bff2fb714f986c1707165f0b0f2e0e {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read as a little-endian 16-bit value at offset 0.
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Tecnopolis Consulting Ltd" and
pe.signatures[i].serial == "73:bf:f2:fb:71:4f:98:6c:17:07:16:5f:0b:0f:2e:0e" and
// Expiry bound in Unix seconds; the file header calls this value informative.
1090886400 <= pe.signatures[i].not_after
)
}
// Blocklist entry: an MZ-headed file matches when any one of its signatures
// carries the subject substring and serial below. Field comparison only - a
// hit does not show the signature verified, so check the chain separately.
rule cert_blocklist_33b24170694ca0cf4d2bdf4aadf475a3 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read as a little-endian 16-bit value at offset 0.
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Yu Bao" and
pe.signatures[i].serial == "33:b2:41:70:69:4c:a0:cf:4d:2b:df:4a:ad:f4:75:a3" and
// Expiry bound in Unix seconds; the file header calls this value informative.
1474934400 <= pe.signatures[i].not_after
)
}
// Blocklist entry: an MZ-headed file matches when any one of its signatures
// carries the subject substring and serial below. Field comparison only - a
// hit does not show the signature verified, so check the chain separately.
rule cert_blocklist_3a9bdec10e00e780316baaebfe7a772c {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read as a little-endian 16-bit value at offset 0.
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "PLAN ALPHA LIMITED" and
pe.signatures[i].serial == "3a:9b:de:c1:0e:00:e7:80:31:6b:aa:eb:fe:7a:77:2c" and
// Expiry bound in Unix seconds; the file header calls this value informative.
1556582400 <= pe.signatures[i].not_after
)
}
// Blocklist entry: an MZ-headed file matches when any one of its signatures
// carries the subject substring and serial below. Field comparison only - a
// hit does not show the signature verified, so check the chain separately.
rule cert_blocklist_7cad9c37f7affa8f4d8229f97607e265 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read as a little-endian 16-bit value at offset 0.
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Funbit" and
pe.signatures[i].serial == "7c:ad:9c:37:f7:af:fa:8f:4d:82:29:f9:76:07:e2:65" and
// Expiry bound in Unix seconds; the file header calls this value informative.
1122508800 <= pe.signatures[i].not_after
)
}
// Blocklist entry: an MZ-headed file matches when any one of its signatures
// carries the subject substring and serial below. Field comparison only - a
// hit does not show the signature verified, so check the chain separately.
// NOTE(review): a 3-byte serial is unique only per issuer and no issuer is
// tested here, so an unrelated certificate could collide; verify hits.
rule cert_blocklist_098a57 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read as a little-endian 16-bit value at offset 0.
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "ELECTRONIC GROUP" and
pe.signatures[i].serial == "09:8a:57" and
// Expiry bound in Unix seconds; the file header calls this value informative.
1032855179 <= pe.signatures[i].not_after
)
}
// Blocklist entry: an MZ-headed file matches when any one of its signatures
// carries the subject substring and serial below. Field comparison only - a
// hit does not show the signature verified, so check the chain separately.
rule cert_blocklist_5389cc6286da3bfa1dc4df498bf68361 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read as a little-endian 16-bit value at offset 0.
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Joerm.com" and
pe.signatures[i].serial == "53:89:cc:62:86:da:3b:fa:1d:c4:df:49:8b:f6:83:61" and
// Expiry bound in Unix seconds; the file header calls this value informative.
1495497600 <= pe.signatures[i].not_after
)
}
// Blocklist entry: an MZ-headed file matches when any one of its signatures
// carries the subject substring and one of the serial forms below. Field
// comparison only - a hit does not show the signature verified, so check
// the chain separately.
rule cert_blocklist_ed9caeb7911b31bd {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read as a little-endian 16-bit value at offset 0.
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
// Doubled backslashes match the literal text \xE4\xB8\x8A..., not raw bytes.
// Read as UTF-8 the escaped bytes spell a Chinese-language company name.
// NOTE(review): assumes the pe module reports non-ASCII subjects as escaped
// text - confirm for the YARA version in use.
pe.signatures[i].subject contains "\\xE4\\xB8\\x8A\\xE6\\xB5\\xB7\\xE5\\xA4\\xA9\\xE6\\xB8\\xB8\\xE8\\xBD\\xAF\\xE4\\xBB\\xB6\\xE6\\x9C\\x89\\xE9\\x99\\x90\\xE5\\x85\\xAC\\xE5\\x8F\\xB8" and (
// Same serial with and without a leading 00 byte; presumably covers both
// renderings of the DER sign-padding byte - confirm.
pe.signatures[i].serial == "00:ed:9c:ae:b7:91:1b:31:bd" or
pe.signatures[i].serial == "ed:9c:ae:b7:91:1b:31:bd"
) and
// Expiry bound in Unix seconds; the file header calls this value informative.
1506001740 <= pe.signatures[i].not_after
)
}
// Blocklist entry: an MZ-headed file matches when any one of its signatures
// carries the subject substring and serial below. Field comparison only - a
// hit does not show the signature verified, so check the chain separately.
rule cert_blocklist_0fd2b19a941b7009cc728a37cb1b10b9 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read as a little-endian 16-bit value at offset 0.
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "BEAR AND CILLA LTD" and
pe.signatures[i].serial == "0f:d2:b1:9a:94:1b:70:09:cc:72:8a:37:cb:1b:10:b9" and
// Expiry bound in Unix seconds; the file header calls this value informative.
1560470400 <= pe.signatures[i].not_after
)
}
// Blocklist entry: an MZ-headed file matches when any one of its signatures
// carries the subject substring and serial below. Field comparison only - a
// hit does not show the signature verified, so check the chain separately.
rule cert_blocklist_2d88c0af1fe2609961c171213c03bd23 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read as a little-endian 16-bit value at offset 0.
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Zhuzhou Lizhong Precision Manufacturing Technology Co., Ltd." and
pe.signatures[i].serial == "2d:88:c0:af:1f:e2:60:99:61:c1:71:21:3c:03:bd:23" and
// Expiry bound in Unix seconds; the file header calls this value informative.
1683676800 <= pe.signatures[i].not_after
)
}
// Blocklist entry: an MZ-headed file matches when any one of its signatures
// carries the subject substring and serial below. Field comparison only - a
// hit does not show the signature verified, so check the chain separately.
rule cert_blocklist_6e7cc176062d91225cfdcbdf5b5f0ea5 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read as a little-endian 16-bit value at offset 0.
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "SG Internet" and
pe.signatures[i].serial == "6e:7c:c1:76:06:2d:91:22:5c:fd:cb:df:5b:5f:0e:a5" and
// Expiry bound in Unix seconds; the file header calls this value informative.
1317945600 <= pe.signatures[i].not_after
)
}
// Blocklist entry: an MZ-headed file matches when any one of its signatures
// carries the subject substring and one of the serial forms below. Field
// comparison only - a hit does not show the signature verified, so check
// the chain separately.
rule cert_blocklist_cecedd2efc985c2dbf0019669d270079 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read as a little-endian 16-bit value at offset 0.
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "TRANS LTD" and (
// Same serial with and without a leading 00 byte; presumably covers both
// renderings of the DER sign-padding byte - confirm.
pe.signatures[i].serial == "00:ce:ce:dd:2e:fc:98:5c:2d:bf:00:19:66:9d:27:00:79" or
pe.signatures[i].serial == "ce:ce:dd:2e:fc:98:5c:2d:bf:00:19:66:9d:27:00:79"
) and
// Expiry bound in Unix seconds; the file header calls this value informative.
1527811200 <= pe.signatures[i].not_after
)
}
// Blocklist entry: an MZ-headed file matches when any one of its signatures
// carries the subject substring and serial below. Field comparison only - a
// hit does not show the signature verified, so check the chain separately.
rule cert_blocklist_61fe6f00bd79684210534050ff46bc92 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read as a little-endian 16-bit value at offset 0.
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Xingning Dexin Network Technology Co., Ltd." and
pe.signatures[i].serial == "61:fe:6f:00:bd:79:68:42:10:53:40:50:ff:46:bc:92" and
// Expiry bound in Unix seconds; the file header calls this value informative.
1512000000 <= pe.signatures[i].not_after
)
}
// Blocklist entry: an MZ-headed file matches when any one of its signatures
// carries the subject substring and serial below. Field comparison only - a
// hit does not show the signature verified, so check the chain separately.
rule cert_blocklist_0323cc4e38735b0e6efba76ea25c73b7 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read as a little-endian 16-bit value at offset 0.
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Xingning Dexin Network Technology Co., Ltd." and
pe.signatures[i].serial == "03:23:cc:4e:38:73:5b:0e:6e:fb:a7:6e:a2:5c:73:b7" and
// Expiry bound in Unix seconds; the file header calls this value informative.
1512000000 <= pe.signatures[i].not_after
)
}
// Blocklist entry: an MZ-headed file matches when any one of its signatures
// carries the subject substring and serial below. Field comparison only - a
// hit does not show the signature verified, so check the chain separately.
rule cert_blocklist_1f9aca069ac1b6bfb0e14861ec857bf6 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read as a little-endian 16-bit value at offset 0.
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Yuanyuan Zhang" and
pe.signatures[i].serial == "1f:9a:ca:06:9a:c1:b6:bf:b0:e1:48:61:ec:85:7b:f6" and
// Expiry bound in Unix seconds; the file header calls this value informative.
1477440000 <= pe.signatures[i].not_after
)
}
// Blocklist entry: an MZ-headed file matches when any one of its signatures
// carries the subject substring and serial below. Field comparison only - a
// hit does not show the signature verified, so check the chain separately.
rule cert_blocklist_3e9d26dcf703ca3b140d7e7ad48312e2 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read as a little-endian 16-bit value at offset 0.
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Dong Qian" and
pe.signatures[i].serial == "3e:9d:26:dc:f7:03:ca:3b:14:0d:7e:7a:d4:83:12:e2" and
// Expiry bound in Unix seconds; the file header calls this value informative.
1440580240 <= pe.signatures[i].not_after
)
}
// Blocklist entry: an MZ-headed file matches when any one of its signatures
// carries the subject substring and serial below. Field comparison only - a
// hit does not show the signature verified, so check the chain separately.
rule cert_blocklist_4e2523e76ea455941e75fb8240474a75 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read as a little-endian 16-bit value at offset 0.
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Yu Bao" and
pe.signatures[i].serial == "4e:25:23:e7:6e:a4:55:94:1e:75:fb:82:40:47:4a:75" and
// Expiry bound in Unix seconds; the file header calls this value informative.
1476403200 <= pe.signatures[i].not_after
)
}
// Blocklist entry: an MZ-headed file matches when any one of its signatures
// carries the subject substring and serial below. Field comparison only - a
// hit does not show the signature verified, so check the chain separately.
rule cert_blocklist_6102468293ba7308d17efb43ad6bfb58 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read as a little-endian 16-bit value at offset 0.
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Beijing Caiyunshidai Technology Co., Ltd." and
pe.signatures[i].serial == "61:02:46:82:93:ba:73:08:d1:7e:fb:43:ad:6b:fb:58" and
// Expiry bound in Unix seconds; the file header calls this value informative.
1470960000 <= pe.signatures[i].not_after
)
}
// Blocklist entry: an MZ-headed file matches when any one of its signatures
// carries the subject substring and serial below. Field comparison only - a
// hit does not show the signature verified, so check the chain separately.
rule cert_blocklist_6ded1a7ff6da152a98a57a2f {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read as a little-endian 16-bit value at offset 0.
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "BIG JOURNEY TECHNOLOGY LIMITED" and
pe.signatures[i].serial == "6d:ed:1a:7f:f6:da:15:2a:98:a5:7a:2f" and
// Expiry bound in Unix seconds; the file header calls this value informative.
1479094343 <= pe.signatures[i].not_after
)
}
// Blocklist entry: an MZ-headed file matches when any one of its signatures
// carries the subject substring and serial below. Field comparison only - a
// hit does not show the signature verified, so check the chain separately.
rule cert_blocklist_3ce65ea057b975d2c17eaf2c2297b1eb {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read as a little-endian 16-bit value at offset 0.
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "TRANS LTD" and
pe.signatures[i].serial == "3c:e6:5e:a0:57:b9:75:d2:c1:7e:af:2c:22:97:b1:eb" and
// Expiry bound in Unix seconds; the file header calls this value informative.
1528243200 <= pe.signatures[i].not_after
)
}
// Blocklist entry: an MZ-headed file matches when any one of its signatures
// carries the subject substring and serial below. Field comparison only - a
// hit does not show the signature verified, so check the chain separately.
rule cert_blocklist_5d085a9a288549d09edc4941 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read as a little-endian 16-bit value at offset 0.
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "BIG JOURNEY TECHNOLOGY LIMITED" and
pe.signatures[i].serial == "5d:08:5a:9a:28:85:49:d0:9e:dc:49:41" and
// Expiry bound in Unix seconds; the file header calls this value informative.
1478757821 <= pe.signatures[i].not_after
)
}
// Blocklist entry: an MZ-headed file matches when any one of its signatures
// carries the subject substring and serial below. Field comparison only - a
// hit does not show the signature verified, so check the chain separately.
rule cert_blocklist_7d20dec3797a1ac30649ebb184265b79 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read as a little-endian 16-bit value at offset 0.
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Jiang Liu" and
pe.signatures[i].serial == "7d:20:de:c3:79:7a:1a:c3:06:49:eb:b1:84:26:5b:79" and
// Expiry bound in Unix seconds; the file header calls this value informative.
1474156800 <= pe.signatures[i].not_after
)
}
// Blocklist entry: an MZ-headed file matches when any one of its signatures
// carries the subject substring and serial below. Field comparison only - a
// hit does not show the signature verified, so check the chain separately.
rule cert_blocklist_187d92861076e469b5b7a19e2a9fd4ba {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read as a little-endian 16-bit value at offset 0.
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Xin Zhou" and
pe.signatures[i].serial == "18:7d:92:86:10:76:e4:69:b5:b7:a1:9e:2a:9f:d4:ba" and
// Expiry bound in Unix seconds; the file header calls this value informative.
1476748800 <= pe.signatures[i].not_after
)
}
// Blocklist entry: an MZ-headed file matches when any one of its signatures
// carries the subject substring and serial below. Field comparison only - a
// hit does not show the signature verified, so check the chain separately.
rule cert_blocklist_199a9476feca3c004ff889d34545de07 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read as a little-endian 16-bit value at offset 0.
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Funcall" and
pe.signatures[i].serial == "19:9a:94:76:fe:ca:3c:00:4f:f8:89:d3:45:45:de:07" and
// Expiry bound in Unix seconds; the file header calls this value informative.
1138060800 <= pe.signatures[i].not_after
)
}
// Blocklist entry: an MZ-headed file matches when any one of its signatures
// carries the subject substring and serial below. Field comparison only - a
// hit does not show the signature verified, so check the chain separately.
// NOTE(review): a 3-byte serial is unique only per issuer and no issuer is
// tested here, so an unrelated certificate could collide; verify hits.
rule cert_blocklist_1efe65 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read as a little-endian 16-bit value at offset 0.
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Software Plugin Ltd." and
pe.signatures[i].serial == "1e:fe:65" and
// Expiry bound in Unix seconds; the file header calls this value informative.
1063224491 <= pe.signatures[i].not_after
)
}
// Blocklist entry: an MZ-headed file matches when any one of its signatures
// carries the subject substring and serial below. Field comparison only - a
// hit does not show the signature verified, so check the chain separately.
rule cert_blocklist_0af7e2b6a3deb99291dcaf66 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read as a little-endian 16-bit value at offset 0.
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "BIG JOURNEY TECHNOLOGY LIMITED" and
pe.signatures[i].serial == "0a:f7:e2:b6:a3:de:b9:92:91:dc:af:66" and
// Expiry bound in Unix seconds; the file header calls this value informative.
1474523112 <= pe.signatures[i].not_after
)
}
// Blocklist entry: an MZ-headed file matches when any one of its signatures
// carries the subject substring and serial below. Field comparison only - a
// hit does not show the signature verified, so check the chain separately.
rule cert_blocklist_45e27c4dfa5e6175566a13b1b6ddf3f5 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read as a little-endian 16-bit value at offset 0.
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Selig Michael Irfan" and
pe.signatures[i].serial == "45:e2:7c:4d:fa:5e:61:75:56:6a:13:b1:b6:dd:f3:f5" and
// Expiry bound in Unix seconds; the file header calls this value informative.
1465474542 <= pe.signatures[i].not_after
)
}
// Blocklist entry: an MZ-headed file matches when any one of its signatures
// carries the subject substring and serial below. Field comparison only - a
// hit does not show the signature verified, so check the chain separately.
rule cert_blocklist_37d36a4e61c0ac68ceb8bfcef2dbf283 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read as a little-endian 16-bit value at offset 0.
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "ANAVERIS LIMITED" and
pe.signatures[i].serial == "37:d3:6a:4e:61:c0:ac:68:ce:b8:bf:ce:f2:db:f2:83" and
// Expiry bound in Unix seconds; the file header calls this value informative.
1532476800 <= pe.signatures[i].not_after
)
}
// Blocklist entry: an MZ-headed file matches when any one of its signatures
// carries the subject substring and serial below. Field comparison only - a
// hit does not show the signature verified, so check the chain separately.
rule cert_blocklist_4321de10738278b93683ca542407f103 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read as a little-endian 16-bit value at offset 0.
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "We Build Toolbars LLC" and
pe.signatures[i].serial == "43:21:de:10:73:82:78:b9:36:83:ca:54:24:07:f1:03" and
// Expiry bound in Unix seconds; the file header calls this value informative.
1367884800 <= pe.signatures[i].not_after
)
}
// Blocklist entry: an MZ-headed file matches when any one of its signatures
// carries the subject substring and serial below. Field comparison only - a
// hit does not show the signature verified, so check the chain separately.
rule cert_blocklist_2a6b2df210be14f4e18e10c7 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read as a little-endian 16-bit value at offset 0.
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "VANKY TECHNOLOGY LIMITED" and
pe.signatures[i].serial == "2a:6b:2d:f2:10:be:14:f4:e1:8e:10:c7" and
// Expiry bound in Unix seconds; the file header calls this value informative.
1472095404 <= pe.signatures[i].not_after
)
}
// Blocklist entry: an MZ-headed file matches when any one of its signatures
// carries the subject substring and serial below. Field comparison only - a
// hit does not show the signature verified, so check the chain separately.
rule cert_blocklist_412ab2a50e8028ddcbc499ddf45f2045 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read as a little-endian 16-bit value at offset 0.
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Ding Ruan" and
pe.signatures[i].serial == "41:2a:b2:a5:0e:80:28:dd:cb:c4:99:dd:f4:5f:20:45" and
// Expiry bound in Unix seconds; the file header calls this value informative.
1479340800 <= pe.signatures[i].not_after
)
}
// Blocklist entry: an MZ-headed file matches when any one of its signatures
// carries the subject substring and serial below. Field comparison only - a
// hit does not show the signature verified, so check the chain separately.
rule cert_blocklist_0747f6a8c3542f954b113fd98c7607cf {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read as a little-endian 16-bit value at offset 0.
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Xin Zhou" and
pe.signatures[i].serial == "07:47:f6:a8:c3:54:2f:95:4b:11:3f:d9:8c:76:07:cf" and
// Expiry bound in Unix seconds; the file header calls this value informative.
1474329600 <= pe.signatures[i].not_after
)
}
// Blocklist entry: an MZ-headed file matches when any one of its signatures
// carries the subject substring and serial below. Field comparison only - a
// hit does not show the signature verified, so check the chain separately.
rule cert_blocklist_2572b484fa0a61be7288d785d7bda7d3 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read as a little-endian 16-bit value at offset 0.
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "SILVA, OOO" and
pe.signatures[i].serial == "25:72:b4:84:fa:0a:61:be:72:88:d7:85:d7:bd:a7:d3" and
// Expiry bound in Unix seconds; the file header calls this value informative.
1495152000 <= pe.signatures[i].not_after
)
}
// Blocklist entry: an MZ-headed file matches when any one of its signatures
// carries the subject substring and serial below. Field comparison only - a
// hit does not show the signature verified, so check the chain separately.
rule cert_blocklist_6726bd04204746c46857887f {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read as a little-endian 16-bit value at offset 0.
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "BIG JOURNEY TECHNOLOGY LIMITED" and
pe.signatures[i].serial == "67:26:bd:04:20:47:46:c4:68:57:88:7f" and
// Expiry bound in Unix seconds; the file header calls this value informative.
1474352405 <= pe.signatures[i].not_after
)
}
// Blocklist entry: an MZ-headed file matches when any one of its signatures
// carries the subject substring and serial below. Field comparison only - a
// hit does not show the signature verified, so check the chain separately.
rule cert_blocklist_4463d8b31e0f87c14233d4d0d2c487a0 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
// 0x5A4D is the "MZ" magic read as a little-endian 16-bit value at offset 0.
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Yu Bao" and
pe.signatures[i].serial == "44:63:d8:b3:1e:0f:87:c1:42:33:d4:d0:d2:c4:87:a0" and
// Expiry bound in Unix seconds; the file header calls this value informative.
1477612800 <= pe.signatures[i].not_after
)
}
// Blocklist entry for a single code-signing certificate: exact serial plus
// a subject substring. YARA does not validate the chain, so a hit shows the
// certificate is embedded, not that the signature verifies.
rule cert_blocklist_387982605e542d6d52f231ca6f5657cc {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // file starts with "MZ"
        // Range is inclusive; the index past the last signature is undefined
        // and cannot match.
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].serial == "38:79:82:60:5e:54:2d:6d:52:f2:31:ca:6f:56:57:cc" and
            pe.signatures[idx].subject contains "Jiang Liu" and
            // Expiry at or after this Unix time; informational only.
            pe.signatures[idx].not_after >= 1475884800
        )
}
// Blocklist entry for one code-signing certificate. The serial is accepted
// with or without a leading "00" octet: its first octet has the high bit
// set, so the encoded integer carries a zero pad. NOTE(review): which form
// the pe module reports presumably depends on the YARA version - confirm.
// YARA does not validate the chain; a hit only shows the cert is embedded.
rule cert_blocklist_e0134c41e7eda6863c4eee5b003976dd {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // file starts with "MZ"
        // Range is inclusive; the index past the last signature is undefined
        // and cannot match.
        for any idx in (0..pe.number_of_signatures): (
            (
                pe.signatures[idx].serial == "e0:13:4c:41:e7:ed:a6:86:3c:4e:ee:5b:00:39:76:dd" or
                pe.signatures[idx].serial == "00:e0:13:4c:41:e7:ed:a6:86:3c:4e:ee:5b:00:39:76:dd"
            ) and
            pe.signatures[idx].subject contains "5000 LIMITED" and
            // Expiry at or after this Unix time; informational only.
            pe.signatures[idx].not_after >= 1528070400
        )
}
// One of several entries in this file for subject "VANKY TECHNOLOGY
// LIMITED"; each pins a different 12-octet serial. YARA does not validate
// the chain, so a hit only shows that the certificate is embedded.
rule cert_blocklist_5b47a4739dd8ffe81d9b5307 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // file starts with "MZ"
        // Range is inclusive; the index past the last signature is undefined
        // and cannot match.
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].serial == "5b:47:a4:73:9d:d8:ff:e8:1d:9b:53:07" and
            pe.signatures[idx].subject contains "VANKY TECHNOLOGY LIMITED" and
            // Expiry at or after this Unix time; informational only.
            pe.signatures[idx].not_after >= 1476953007
        )
}
// Blocklist entry for a single code-signing certificate: exact serial plus
// a subject substring. YARA does not validate the chain, so a hit shows the
// certificate is embedded, not that the signature verifies.
rule cert_blocklist_4f5a9bf75da76b949645475473793a7d {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // file starts with "MZ"
        // Range is inclusive; the index past the last signature is undefined
        // and cannot match.
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].serial == "4f:5a:9b:f7:5d:a7:6b:94:96:45:47:54:73:79:3a:7d" and
            pe.signatures[idx].subject contains "EXEC CONTROL LIMITED" and
            // Expiry at or after this Unix time; informational only.
            pe.signatures[idx].not_after >= 1553817600
        )
}
// One of several entries in this file for subject "BIG JOURNEY TECHNOLOGY
// LIMITED"; each pins a different 12-octet serial. YARA does not validate
// the chain, so a hit only shows that the certificate is embedded.
rule cert_blocklist_081df56c9a48d02571f08907 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // file starts with "MZ"
        // Range is inclusive; the index past the last signature is undefined
        // and cannot match.
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].serial == "08:1d:f5:6c:9a:48:d0:25:71:f0:89:07" and
            pe.signatures[idx].subject contains "BIG JOURNEY TECHNOLOGY LIMITED" and
            // Expiry at or after this Unix time; informational only.
            pe.signatures[idx].not_after >= 1474870728
        )
}
// One of several entries in this file for subject "Yu Bao"; each pins a
// different serial. A hit means the certificate is embedded in the PE; YARA
// does not validate the chain or the file's integrity.
rule cert_blocklist_77d5c1a3e623575999c74409dc19753c {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // file starts with "MZ"
        // Range is inclusive; the index past the last signature is undefined
        // and cannot match.
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].serial == "77:d5:c1:a3:e6:23:57:59:99:c7:44:09:dc:19:75:3c" and
            pe.signatures[idx].subject contains "Yu Bao" and
            // Expiry at or after this Unix time; informational only.
            pe.signatures[idx].not_after >= 1475884800
        )
}
// Blocklist entry for one code-signing certificate. The serial is accepted
// with or without a leading "00" octet: its first octet has the high bit
// set, so the encoded integer carries a zero pad. NOTE(review): which form
// the pe module reports presumably depends on the YARA version - confirm.
// YARA does not validate the chain; a hit only shows the cert is embedded.
rule cert_blocklist_e9756b3f38b1172ea89fdbdfdba5f979 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // file starts with "MZ"
        // Range is inclusive; the index past the last signature is undefined
        // and cannot match.
        for any idx in (0..pe.number_of_signatures): (
            (
                pe.signatures[idx].serial == "e9:75:6b:3f:38:b1:17:2e:a8:9f:db:df:db:a5:f9:79" or
                pe.signatures[idx].serial == "00:e9:75:6b:3f:38:b1:17:2e:a8:9f:db:df:db:a5:f9:79"
            ) and
            pe.signatures[idx].subject contains "Kreamer Ltd" and
            // Expiry at or after this Unix time; informational only.
            pe.signatures[idx].not_after >= 1492732800
        )
}
// Blocklist entry keyed on a three-octet serial. Serial numbers are unique
// per issuer only and this rule does not check the issuer, so the subject
// substring carries much of the specificity. YARA does not validate the
// chain; corroborate a hit with full signature verification.
rule cert_blocklist_09fb28 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // file starts with "MZ"
        // Range is inclusive; the index past the last signature is undefined
        // and cannot match.
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].serial == "09:fb:28" and
            pe.signatures[idx].subject contains "New Dial spa" and
            // Expiry at or after this Unix time; informational only.
            pe.signatures[idx].not_after >= 1046968418
        )
}
// Blocklist entry for a single code-signing certificate: exact serial plus
// a subject substring. YARA does not validate the chain, so a hit shows the
// certificate is embedded, not that the signature verifies.
rule cert_blocklist_197dc32d915458953562d2fe78bf2468 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // file starts with "MZ"
        // Range is inclusive; the index past the last signature is undefined
        // and cannot match.
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].serial == "19:7d:c3:2d:91:54:58:95:35:62:d2:fe:78:bf:24:68" and
            pe.signatures[idx].subject contains "Y.L. Knafo, Ltd." and
            // Expiry at or after this Unix time; informational only.
            pe.signatures[idx].not_after >= 1575331200
        )
}
// Blocklist entry for a single code-signing certificate: exact serial plus
// a subject substring. YARA does not validate the chain, so a hit shows the
// certificate is embedded, not that the signature verifies.
rule cert_blocklist_7c0be3d14787351e3156f5f37f2b3663 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // file starts with "MZ"
        // Range is inclusive; the index past the last signature is undefined
        // and cannot match.
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].serial == "7c:0b:e3:d1:47:87:35:1e:31:56:f5:f3:7f:2b:36:63" and
            pe.signatures[idx].subject contains "Apex Tech, SIA" and
            // Expiry at or after this Unix time; informational only.
            pe.signatures[idx].not_after >= 1523318400
        )
}
// One of several entries in this file for subject "VANKY TECHNOLOGY
// LIMITED"; each pins a different 12-octet serial. YARA does not validate
// the chain, so a hit only shows that the certificate is embedded.
rule cert_blocklist_05054fdea356f3dd7db479fa {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // file starts with "MZ"
        // Range is inclusive; the index past the last signature is undefined
        // and cannot match.
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].serial == "05:05:4f:de:a3:56:f3:dd:7d:b4:79:fa" and
            pe.signatures[idx].subject contains "VANKY TECHNOLOGY LIMITED" and
            // Expiry at or after this Unix time; informational only.
            pe.signatures[idx].not_after >= 1474436511
        )
}
// Blocklist entry for a single code-signing certificate: exact serial plus
// a subject substring. YARA does not validate the chain, so a hit shows the
// certificate is embedded, not that the signature verifies.
rule cert_blocklist_08aaa069e92517f21ce67ca713f6ea63 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // file starts with "MZ"
        // Range is inclusive; the index past the last signature is undefined
        // and cannot match.
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].serial == "08:aa:a0:69:e9:25:17:f2:1c:e6:7c:a7:13:f6:ea:63" and
            // "contains" is case-sensitive, so only this lowercase spelling hits.
            pe.signatures[idx].subject contains "pioneersoft" and
            // Expiry at or after this Unix time; informational only.
            pe.signatures[idx].not_after >= 1368403200
        )
}
// One of several entries in this file for subject "Xin Zhou"; each pins a
// different serial. A hit means the certificate is embedded in the PE; YARA
// does not validate the chain or the file's integrity.
rule cert_blocklist_1b7b54e0dd4d7e45a0b46834de52658d {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // file starts with "MZ"
        // Range is inclusive; the index past the last signature is undefined
        // and cannot match.
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].serial == "1b:7b:54:e0:dd:4d:7e:45:a0:b4:68:34:de:52:65:8d" and
            pe.signatures[idx].subject contains "Xin Zhou" and
            // Expiry at or after this Unix time; informational only.
            pe.signatures[idx].not_after >= 1476662400
        )
}
// Blocklist entry for one code-signing certificate. The serial is accepted
// with or without a leading "00" octet: its first octet has the high bit
// set, so the encoded integer carries a zero pad. NOTE(review): which form
// the pe module reports presumably depends on the YARA version - confirm.
// YARA does not validate the chain; a hit only shows the cert is embedded.
rule cert_blocklist_b63e4299d0b0e2dcdaeb976167a23235 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // file starts with "MZ"
        // Range is inclusive; the index past the last signature is undefined
        // and cannot match.
        for any idx in (0..pe.number_of_signatures): (
            (
                pe.signatures[idx].serial == "b6:3e:42:99:d0:b0:e2:dc:da:eb:97:61:67:a2:32:35" or
                pe.signatures[idx].serial == "00:b6:3e:42:99:d0:b0:e2:dc:da:eb:97:61:67:a2:32:35"
            ) and
            pe.signatures[idx].subject contains "Baltservis LLC" and
            // Expiry at or after this Unix time; informational only.
            pe.signatures[idx].not_after >= 1604102400
        )
}
// One of several entries in this file for subject "Xin Zhou"; each pins a
// different serial. A hit means the certificate is embedded in the PE; YARA
// does not validate the chain or the file's integrity.
rule cert_blocklist_1dabae616705f5a51152eac48423f354 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // file starts with "MZ"
        // Range is inclusive; the index past the last signature is undefined
        // and cannot match.
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].serial == "1d:ab:ae:61:67:05:f5:a5:11:52:ea:c4:84:23:f3:54" and
            pe.signatures[idx].subject contains "Xin Zhou" and
            // Expiry at or after this Unix time; informational only.
            pe.signatures[idx].not_after >= 1470960000
        )
}
// Blocklist entry for a single code-signing certificate: exact serial plus
// a subject substring. YARA does not validate the chain, so a hit shows the
// certificate is embedded, not that the signature verifies.
rule cert_blocklist_50d08f3c9bf86fba52cf592b4fe6eacf {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // file starts with "MZ"
        // Range is inclusive; the index past the last signature is undefined
        // and cannot match.
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].serial == "50:d0:8f:3c:9b:f8:6f:ba:52:cf:59:2b:4f:e6:ea:cf" and
            pe.signatures[idx].subject contains "CLEVERCYBER LTD" and
            // Expiry at or after this Unix time; informational only.
            pe.signatures[idx].not_after >= 1518134400
        )
}
// Blocklist entry for a single code-signing certificate: exact serial plus
// a subject substring. YARA does not validate the chain, so a hit shows the
// certificate is embedded, not that the signature verifies.
rule cert_blocklist_7c7fc3616f3157a28f702cc1df275dcd {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // file starts with "MZ"
        // Range is inclusive; the index past the last signature is undefined
        // and cannot match.
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].serial == "7c:7f:c3:61:6f:31:57:a2:8f:70:2c:c1:df:27:5d:cd" and
            pe.signatures[idx].subject contains "CFES Projects Ltd" and
            // Expiry at or after this Unix time; informational only.
            pe.signatures[idx].not_after >= 1522972800
        )
}
// Second entry in this file for subject "5000 LIMITED", pinning a different
// serial. YARA does not validate the chain, so a hit shows the certificate
// is embedded, not that the signature verifies.
rule cert_blocklist_73ed1b2f4bf8dd37a8ad9bb775774592 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // file starts with "MZ"
        // Range is inclusive; the index past the last signature is undefined
        // and cannot match.
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].serial == "73:ed:1b:2f:4b:f8:dd:37:a8:ad:9b:b7:75:77:45:92" and
            pe.signatures[idx].subject contains "5000 LIMITED" and
            // Expiry at or after this Unix time; informational only.
            pe.signatures[idx].not_after >= 1528243200
        )
}
// Blocklist entry for a single code-signing certificate: exact 12-octet
// serial plus a subject substring. YARA does not validate the chain, so a
// hit shows the certificate is embedded, not that the signature verifies.
rule cert_blocklist_211b5dfe65bc6f34bc9d3a54 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // file starts with "MZ"
        // Range is inclusive; the index past the last signature is undefined
        // and cannot match.
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].serial == "21:1b:5d:fe:65:bc:6f:34:bc:9d:3a:54" and
            pe.signatures[idx].subject contains "RAFO TECHNOLOGY INC" and
            // Expiry at or after this Unix time; informational only.
            pe.signatures[idx].not_after >= 1526717931
        )
}
// One of several entries in this file for subject "BIG JOURNEY TECHNOLOGY
// LIMITED"; each pins a different 12-octet serial. YARA does not validate
// the chain, so a hit only shows that the certificate is embedded.
rule cert_blocklist_5400d1c1406528b1ef625976 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // file starts with "MZ"
        // Range is inclusive; the index past the last signature is undefined
        // and cannot match.
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].serial == "54:00:d1:c1:40:65:28:b1:ef:62:59:76" and
            pe.signatures[idx].subject contains "BIG JOURNEY TECHNOLOGY LIMITED" and
            // Expiry at or after this Unix time; informational only.
            pe.signatures[idx].not_after >= 1474266628
        )
}
// Blocklist entry for a single code-signing certificate: exact serial plus
// a subject substring. YARA does not validate the chain, so a hit shows the
// certificate is embedded, not that the signature verifies.
rule cert_blocklist_013472d7d665557bfa0dc21b350a361b {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // file starts with "MZ"
        // Range is inclusive; the index past the last signature is undefined
        // and cannot match.
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].serial == "01:34:72:d7:d6:65:55:7b:fa:0d:c2:1b:35:0a:36:1b" and
            pe.signatures[idx].subject contains "Yongli Zhang" and
            // Expiry at or after this Unix time; informational only.
            pe.signatures[idx].not_after >= 1470960000
        )
}
// Blocklist entry for a single code-signing certificate: exact serial plus
// a subject substring. YARA does not validate the chain, so a hit shows the
// certificate is embedded, not that the signature verifies.
rule cert_blocklist_66c758a22bfbbce327616815616ddd07 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // file starts with "MZ"
        // Range is inclusive; the index past the last signature is undefined
        // and cannot match.
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].serial == "66:c7:58:a2:2b:fb:bc:e3:27:61:68:15:61:6d:dd:07" and
            pe.signatures[idx].subject contains "TIM Konstrakshn, TOV" and
            // Expiry at or after this Unix time; informational only.
            pe.signatures[idx].not_after >= 1469404800
        )
}
// Blocklist entry for one code-signing certificate. The serial is accepted
// with or without a leading "00" octet: its first octet has the high bit
// set, so the encoded integer carries a zero pad. NOTE(review): which form
// the pe module reports presumably depends on the YARA version - confirm.
// YARA does not validate the chain; a hit only shows the cert is embedded.
rule cert_blocklist_e61b0366d940896430bcfe3e93baac5b {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // file starts with "MZ"
        // Range is inclusive; the index past the last signature is undefined
        // and cannot match.
        for any idx in (0..pe.number_of_signatures): (
            (
                pe.signatures[idx].serial == "e6:1b:03:66:d9:40:89:64:30:bc:fe:3e:93:ba:ac:5b" or
                pe.signatures[idx].serial == "00:e6:1b:03:66:d9:40:89:64:30:bc:fe:3e:93:ba:ac:5b"
            ) and
            pe.signatures[idx].subject contains "TRANS LTD" and
            // Expiry at or after this Unix time; informational only.
            pe.signatures[idx].not_after >= 1528156800
        )
}
// Blocklist entry for a single code-signing certificate: exact serial plus
// a subject substring. The subject is matched in escaped form: every "\\x.."
// in the literal is a backslash sequence in the text, not a raw byte. Read
// as UTF-8, the octets spell 重庆探长网络科技有限公司.
// NOTE(review): this presumes the pe module reports non-ASCII subjects as
// escaped text - confirm on the YARA version in use.
// YARA does not validate the chain; a hit only shows the cert is embedded.
rule cert_blocklist_6294b8acc35dea7d32a95ac5d4536f8f {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // file starts with "MZ"
        // Range is inclusive; the index past the last signature is undefined
        // and cannot match.
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].serial == "62:94:b8:ac:c3:5d:ea:7d:32:a9:5a:c5:d4:53:6f:8f" and
            pe.signatures[idx].subject contains "\\xE9\\x87\\x8D\\xE5\\xBA\\x86\\xE6\\x8E\\xA2\\xE9\\x95\\xBF\\xE7\\xBD\\x91\\xE7\\xBB\\x9C\\xE7\\xA7\\x91\\xE6\\x8A\\x80\\xE6\\x9C\\x89\\xE9\\x99\\x90\\xE5\\x85\\xAC\\xE5\\x8F\\xB8" and
            // Expiry at or after this Unix time; informational only.
            pe.signatures[idx].not_after >= 1517443200
        )
}
// One of several entries in this file for subject "Yu Bao"; each pins a
// different serial. A hit means the certificate is embedded in the PE; YARA
// does not validate the chain or the file's integrity.
rule cert_blocklist_485e4626c32493c16283cfd9e30d17ad {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // file starts with "MZ"
        // Range is inclusive; the index past the last signature is undefined
        // and cannot match.
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].serial == "48:5e:46:26:c3:24:93:c1:62:83:cf:d9:e3:0d:17:ad" and
            pe.signatures[idx].subject contains "Yu Bao" and
            // Expiry at or after this Unix time; informational only.
            pe.signatures[idx].not_after >= 1473292800
        )
}
// Blocklist entry for one code-signing certificate. The serial is accepted
// with or without a leading "00" octet: its first octet has the high bit
// set, so the encoded integer carries a zero pad. NOTE(review): which form
// the pe module reports presumably depends on the YARA version - confirm.
// YARA does not validate the chain; a hit only shows the cert is embedded.
rule cert_blocklist_d0312f9177cd46b943df3ef22db4608b {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // file starts with "MZ"
        // Range is inclusive; the index past the last signature is undefined
        // and cannot match.
        for any idx in (0..pe.number_of_signatures): (
            (
                pe.signatures[idx].serial == "d0:31:2f:91:77:cd:46:b9:43:df:3e:f2:2d:b4:60:8b" or
                pe.signatures[idx].serial == "00:d0:31:2f:91:77:cd:46:b9:43:df:3e:f2:2d:b4:60:8b"
            ) and
            pe.signatures[idx].subject contains "United Systems Technology, Inc." and
            // Expiry at or after this Unix time; informational only.
            pe.signatures[idx].not_after >= 1341273600
        )
}
// Blocklist entry keyed on a three-octet serial. Serial numbers are unique
// per issuer only and this rule does not check the issuer, so the subject
// substring carries much of the specificity. YARA does not validate the
// chain; corroborate a hit with full signature verification.
rule cert_blocklist_202702 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // file starts with "MZ"
        // Range is inclusive; the index past the last signature is undefined
        // and cannot match.
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].serial == "20:27:02" and
            pe.signatures[idx].subject contains "RDCTO Ltd" and
            // Expiry at or after this Unix time; informational only.
            pe.signatures[idx].not_after >= 1087391361
        )
}
// One of several entries in this file for subject "VANKY TECHNOLOGY
// LIMITED"; each pins a different 12-octet serial. YARA does not validate
// the chain, so a hit only shows that the certificate is embedded.
rule cert_blocklist_369a02e5d90b2649040e7f87 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // file starts with "MZ"
        // Range is inclusive; the index past the last signature is undefined
        // and cannot match.
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].serial == "36:9a:02:e5:d9:0b:26:49:04:0e:7f:87" and
            pe.signatures[idx].subject contains "VANKY TECHNOLOGY LIMITED" and
            // Expiry at or after this Unix time; informational only.
            pe.signatures[idx].not_after >= 1479094204
        )
}
// One of several entries in this file for subject "Xin Zhou"; each pins a
// different serial. A hit means the certificate is embedded in the PE; YARA
// does not validate the chain or the file's integrity.
rule cert_blocklist_60497070ff4a83bc87bdea24da5b431d {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // file starts with "MZ"
        // Range is inclusive; the index past the last signature is undefined
        // and cannot match.
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].serial == "60:49:70:70:ff:4a:83:bc:87:bd:ea:24:da:5b:43:1d" and
            pe.signatures[idx].subject contains "Xin Zhou" and
            // Expiry at or after this Unix time; informational only.
            pe.signatures[idx].not_after >= 1477008000
        )
}
// Blocklist entry keyed on a three-octet serial. Serial numbers are unique
// per issuer only and this rule does not check the issuer, so the subject
// substring carries much of the specificity. YARA does not validate the
// chain; corroborate a hit with full signature verification.
rule cert_blocklist_0a333e {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // file starts with "MZ"
        // Range is inclusive; the index past the last signature is undefined
        // and cannot match.
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].serial == "0a:33:3e" and
            pe.signatures[idx].subject contains "Coulomb Limited" and
            // Expiry at or after this Unix time; informational only.
            pe.signatures[idx].not_after >= 1052750648
        )
}
// Blocklist entry for a single code-signing certificate: exact serial plus
// a subject substring. YARA does not validate the chain, so a hit shows the
// certificate is embedded, not that the signature verifies.
rule cert_blocklist_1cb6519b2528d006d1da987153dad2b3 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // file starts with "MZ"
        // Range is inclusive; the index past the last signature is undefined
        // and cannot match.
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].serial == "1c:b6:51:9b:25:28:d0:06:d1:da:98:71:53:da:d2:b3" and
            pe.signatures[idx].subject contains "D and D Internet Services" and
            // Expiry at or after this Unix time; informational only.
            pe.signatures[idx].not_after >= 1012780800
        )
}
// One of several entries in this file for subject "Yu Bao"; each pins a
// different serial. A hit means the certificate is embedded in the PE; YARA
// does not validate the chain or the file's integrity.
rule cert_blocklist_621e696c3a6371e77a678cbf0ee34ab2 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // file starts with "MZ"
        // Range is inclusive; the index past the last signature is undefined
        // and cannot match.
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].serial == "62:1e:69:6c:3a:63:71:e7:7a:67:8c:bf:0e:e3:4a:b2" and
            pe.signatures[idx].subject contains "Yu Bao" and
            // Expiry at or after this Unix time; informational only.
            pe.signatures[idx].not_after >= 1467072000
        )
}
// Blocklist entry keyed on a three-octet serial. Serial numbers are unique
// per issuer only and this rule does not check the issuer, so the subject
// substring carries much of the specificity. YARA does not validate the
// chain; corroborate a hit with full signature verification.
rule cert_blocklist_21b991 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // file starts with "MZ"
        // Range is inclusive; the index past the last signature is undefined
        // and cannot match.
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].serial == "21:b9:91" and
            pe.signatures[idx].subject contains "Web Nexus d.o.o." and
            // Expiry at or after this Unix time; informational only.
            pe.signatures[idx].not_after >= 1125477041
        )
}
// One of several entries in this file for subject "BIG JOURNEY TECHNOLOGY
// LIMITED"; each pins a different 12-octet serial. YARA does not validate
// the chain, so a hit only shows that the certificate is embedded.
rule cert_blocklist_1cc37de5dbed097f98f56dbc {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // file starts with "MZ"
        // Range is inclusive; the index past the last signature is undefined
        // and cannot match.
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].serial == "1c:c3:7d:e5:db:ed:09:7f:98:f5:6d:bc" and
            pe.signatures[idx].subject contains "BIG JOURNEY TECHNOLOGY LIMITED" and
            // Expiry at or after this Unix time; informational only.
            pe.signatures[idx].not_after >= 1476693977
        )
}
// Blocklist entry for a single code-signing certificate: exact serial plus
// a subject substring. YARA does not validate the chain, so a hit shows the
// certificate is embedded, not that the signature verifies.
rule cert_blocklist_50f66ab0d7ed19b69d48f635e69572fa {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // file starts with "MZ"
        // Range is inclusive; the index past the last signature is undefined
        // and cannot match.
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].serial == "50:f6:6a:b0:d7:ed:19:b6:9d:48:f6:35:e6:95:72:fa" and
            pe.signatures[idx].subject contains "Wei Liu" and
            // Expiry at or after this Unix time; informational only.
            pe.signatures[idx].not_after >= 1467158400
        )
}
// Blocklist entry for a single code-signing certificate: exact 18-octet
// serial plus a subject substring. YARA does not validate the chain, so a
// hit shows the certificate is embedded, not that the signature verifies.
rule cert_blocklist_11212f502836a784752160351defb136cf09 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // file starts with "MZ"
        // Range is inclusive; the index past the last signature is undefined
        // and cannot match.
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].serial == "11:21:2f:50:28:36:a7:84:75:21:60:35:1d:ef:b1:36:cf:09" and
            pe.signatures[idx].subject contains "EVANGEL TECHNOLOGY(HK) LIMITED" and
            // Expiry at or after this Unix time; informational only.
            pe.signatures[idx].not_after >= 1463726573
        )
}
// Blocklist entry for a single code-signing certificate: exact serial plus
// a subject substring. YARA does not validate the chain, so a hit shows the
// certificate is embedded, not that the signature verifies.
rule cert_blocklist_2c16be9a7ce2a23ab7a4b4eb7da3400c {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // file starts with "MZ"
        // Range is inclusive; the index past the last signature is undefined
        // and cannot match.
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].serial == "2c:16:be:9a:7c:e2:a2:3a:b7:a4:b4:eb:7d:a3:40:0c" and
            pe.signatures[idx].subject contains "Prince city music bar" and
            // Expiry at or after this Unix time; informational only.
            pe.signatures[idx].not_after >= 1371081600
        )
}
// Blocklist entry for a single code-signing certificate: exact serial plus
// a subject substring. YARA does not validate the chain, so a hit shows the
// certificate is embedded, not that the signature verifies.
rule cert_blocklist_22accad235fb1ac7422ebe5ea7ac9bc5 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // file starts with "MZ"
        // Range is inclusive; the index past the last signature is undefined
        // and cannot match.
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].serial == "22:ac:ca:d2:35:fb:1a:c7:42:2e:be:5e:a7:ac:9b:c5" and
            pe.signatures[idx].subject contains "IMS INTERACTIVE MEDIA SOLUTIONS" and
            // Expiry at or after this Unix time; informational only.
            pe.signatures[idx].not_after >= 1019001600
        )
}
// One of several entries in this file for subject "Xin Zhou"; each pins a
// different serial. A hit means the certificate is embedded in the PE; YARA
// does not validate the chain or the file's integrity.
rule cert_blocklist_4d29757c4fbfc32b97091d96e3723002 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // file starts with "MZ"
        // Range is inclusive; the index past the last signature is undefined
        // and cannot match.
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].serial == "4d:29:75:7c:4f:bf:c3:2b:97:09:1d:96:e3:72:30:02" and
            pe.signatures[idx].subject contains "Xin Zhou" and
            // Expiry at or after this Unix time; informational only.
            pe.signatures[idx].not_after >= 1474848000
        )
}
// One of several entries in this file for subject "Xin Zhou"; each pins a
// different serial. A hit means the certificate is embedded in the PE; YARA
// does not validate the chain or the file's integrity.
rule cert_blocklist_3a949ef03d9dd2d150b24b274ff6d7b4 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // file starts with "MZ"
        // Range is inclusive; the index past the last signature is undefined
        // and cannot match.
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].serial == "3a:94:9e:f0:3d:9d:d2:d1:50:b2:4b:27:4f:f6:d7:b4" and
            pe.signatures[idx].subject contains "Xin Zhou" and
            // Expiry at or after this Unix time; informational only.
            pe.signatures[idx].not_after >= 1474156800
        )
}
// Blocklist entry for one code-signing certificate. The serial is accepted
// with or without a leading "00" octet: its first octet has the high bit
// set, so the encoded integer carries a zero pad. NOTE(review): which form
// the pe module reports presumably depends on the YARA version - confirm.
// YARA does not validate the chain; a hit only shows the cert is embedded.
rule cert_blocklist_954d0577d5ce8999e0387a5364829f66 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // file starts with "MZ"
        // Range is inclusive; the index past the last signature is undefined
        // and cannot match.
        for any idx in (0..pe.number_of_signatures): (
            (
                pe.signatures[idx].serial == "95:4d:05:77:d5:ce:89:99:e0:38:7a:53:64:82:9f:66" or
                pe.signatures[idx].serial == "00:95:4d:05:77:d5:ce:89:99:e0:38:7a:53:64:82:9f:66"
            ) and
            pe.signatures[idx].subject contains "Soblosol Limited" and
            // Expiry at or after this Unix time; informational only.
            pe.signatures[idx].not_after >= 1543968000
        )
}
// Blocklist entry for one code-signing certificate. The serial is accepted
// with or without a leading "00" octet: its first octet has the high bit
// set, so the encoded integer carries a zero pad. NOTE(review): which form
// the pe module reports presumably depends on the YARA version - confirm.
// YARA does not validate the chain; a hit only shows the cert is embedded.
rule cert_blocklist_df5121dc99d1ab6b7e5229f6832123ef {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // file starts with "MZ"
        // Range is inclusive; the index past the last signature is undefined
        // and cannot match.
        for any idx in (0..pe.number_of_signatures): (
            (
                pe.signatures[idx].serial == "df:51:21:dc:99:d1:ab:6b:7e:52:29:f6:83:21:23:ef" or
                pe.signatures[idx].serial == "00:df:51:21:dc:99:d1:ab:6b:7e:52:29:f6:83:21:23:ef"
            ) and
            pe.signatures[idx].subject contains "INC SALYUT" and
            // Expiry at or after this Unix time; informational only.
            pe.signatures[idx].not_after >= 1613433600
        )
}
// Blocklist entry for a single code-signing certificate: exact serial plus
// a subject substring. YARA does not validate the chain, so a hit shows the
// certificate is embedded, not that the signature verifies.
rule cert_blocklist_760cef386b63406751ae83a9eae92342 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // file starts with "MZ"
        // Range is inclusive; the index past the last signature is undefined
        // and cannot match.
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].serial == "76:0c:ef:38:6b:63:40:67:51:ae:83:a9:ea:e9:23:42" and
            pe.signatures[idx].subject contains "Gidrokon LLC" and
            // Expiry at or after this Unix time; informational only.
            pe.signatures[idx].not_after >= 1601942400
        )
}
// One of several entries in this file for subject "Xin Zhou"; each pins a
// different serial. A hit means the certificate is embedded in the PE; YARA
// does not validate the chain or the file's integrity.
rule cert_blocklist_5c2625fa836a64f4882c56cc7a45f0ed {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // file starts with "MZ"
        // Range is inclusive; the index past the last signature is undefined
        // and cannot match.
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].serial == "5c:26:25:fa:83:6a:64:f4:88:2c:56:cc:7a:45:f0:ed" and
            pe.signatures[idx].subject contains "Xin Zhou" and
            // Expiry at or after this Unix time; informational only.
            pe.signatures[idx].not_after >= 1474416000
        )
}
// One of several entries in this file for subject "Yu Bao"; each pins a
// different serial. A hit means the certificate is embedded in the PE; YARA
// does not validate the chain or the file's integrity.
rule cert_blocklist_7df6fa580f84493c414ee0e431086737 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // file starts with "MZ"
        // Range is inclusive; the index past the last signature is undefined
        // and cannot match.
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].serial == "7d:f6:fa:58:0f:84:49:3c:41:4e:e0:e4:31:08:67:37" and
            pe.signatures[idx].subject contains "Yu Bao" and
            // Expiry at or after this Unix time; informational only.
            pe.signatures[idx].not_after >= 1477440000
        )
}
// One of several entries in this file for subject "VANKY TECHNOLOGY
// LIMITED"; each pins a different 12-octet serial. YARA does not validate
// the chain, so a hit only shows that the certificate is embedded.
rule cert_blocklist_309d2e115f1fe2993ee2e063 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // file starts with "MZ"
        // Range is inclusive; the index past the last signature is undefined
        // and cannot match.
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].serial == "30:9d:2e:11:5f:1f:e2:99:3e:e2:e0:63" and
            pe.signatures[idx].subject contains "VANKY TECHNOLOGY LIMITED" and
            // Expiry at or after this Unix time; informational only.
            pe.signatures[idx].not_after >= 1467102525
        )
}
// Blocklist entry for one code-signing certificate. The serial is accepted
// with or without a leading "00" octet: its first octet has the high bit
// set, so the encoded integer carries a zero pad. NOTE(review): which form
// the pe module reports presumably depends on the YARA version - confirm.
// YARA does not validate the chain; a hit only shows the cert is embedded.
rule cert_blocklist_90e33c1068f54913315b6ce9311141b9 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // file starts with "MZ"
        // Range is inclusive; the index past the last signature is undefined
        // and cannot match.
        for any idx in (0..pe.number_of_signatures): (
            (
                pe.signatures[idx].serial == "90:e3:3c:10:68:f5:49:13:31:5b:6c:e9:31:11:41:b9" or
                pe.signatures[idx].serial == "00:90:e3:3c:10:68:f5:49:13:31:5b:6c:e9:31:11:41:b9"
            ) and
            pe.signatures[idx].subject contains "GERMES, OOO" and
            // Expiry at or after this Unix time; informational only.
            pe.signatures[idx].not_after >= 1487635200
        )
}
// Blocklist entry keyed on a three-octet serial. Serial numbers are unique
// per issuer only and this rule does not check the issuer, so the subject
// substring carries much of the specificity. YARA does not validate the
// chain; corroborate a hit with full signature verification.
rule cert_blocklist_3f15c3 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // file starts with "MZ"
        // Range is inclusive; the index past the last signature is undefined
        // and cannot match.
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].serial == "3f:15:c3" and
            pe.signatures[idx].subject contains "Certified Software" and
            // Expiry at or after this Unix time; informational only.
            pe.signatures[idx].not_after >= 1110577130
        )
}
// Blocklist entry for a single code-signing certificate: exact serial plus
// a subject substring. YARA does not validate the chain, so a hit shows the
// certificate is embedded, not that the signature verifies.
rule cert_blocklist_285eccbd1d0000e640b84307ef88cd9f {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // file starts with "MZ"
        // Range is inclusive; the index past the last signature is undefined
        // and cannot match.
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].serial == "28:5e:cc:bd:1d:00:00:e6:40:b8:43:07:ef:88:cd:9f" and
            pe.signatures[idx].subject contains "DRAGON BUSINESS EQUIPMENT LIMITED" and
            // Expiry at or after this Unix time; informational only.
            pe.signatures[idx].not_after >= 1611619200
        )
}
// Blocklist entry for a single code-signing certificate: exact serial plus
// a subject substring. YARA does not validate the chain, so a hit shows the
// certificate is embedded, not that the signature verifies.
rule cert_blocklist_55ab71a3f9dde3ef20c788dd1d5ff6c3 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // file starts with "MZ"
        // Range is inclusive; the index past the last signature is undefined
        // and cannot match.
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].serial == "55:ab:71:a3:f9:dd:e3:ef:20:c7:88:dd:1d:5f:f6:c3" and
            pe.signatures[idx].subject contains "Zhengzhoushi Tiekelian Information Technology Co.,Ltd" and
            // Expiry at or after this Unix time; informational only.
            pe.signatures[idx].not_after >= 1323907200
        )
}
// One of several entries in this file for subject "VANKY TECHNOLOGY
// LIMITED"; each pins a different 12-octet serial. YARA does not validate
// the chain, so a hit only shows that the certificate is embedded.
rule cert_blocklist_4beca26210737a5442ff8b47 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // file starts with "MZ"
        // Range is inclusive; the index past the last signature is undefined
        // and cannot match.
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].serial == "4b:ec:a2:62:10:73:7a:54:42:ff:8b:47" and
            pe.signatures[idx].subject contains "VANKY TECHNOLOGY LIMITED" and
            // Expiry at or after this Unix time; informational only.
            pe.signatures[idx].not_after >= 1476437049
        )
}
// One of several entries in this file for subject "VANKY TECHNOLOGY
// LIMITED"; each pins a different 12-octet serial. YARA does not validate
// the chain, so a hit only shows that the certificate is embedded.
rule cert_blocklist_0f203839a9c63b8798a7cb31 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // file starts with "MZ"
        // Range is inclusive; the index past the last signature is undefined
        // and cannot match.
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].serial == "0f:20:38:39:a9:c6:3b:87:98:a7:cb:31" and
            pe.signatures[idx].subject contains "VANKY TECHNOLOGY LIMITED" and
            // Expiry at or after this Unix time; informational only.
            pe.signatures[idx].not_after >= 1480923809
        )
}
// Blocklist entry for one code-signing certificate. The serial is accepted
// with or without a leading "00" octet: its first octet has the high bit
// set, so the encoded integer carries a zero pad. NOTE(review): which form
// the pe module reports presumably depends on the YARA version - confirm.
// YARA does not validate the chain; a hit only shows the cert is embedded.
rule cert_blocklist_dc992ea8e6bb4926931df656d5eef8a0 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // file starts with "MZ"
        // Range is inclusive; the index past the last signature is undefined
        // and cannot match.
        for any idx in (0..pe.number_of_signatures): (
            (
                pe.signatures[idx].serial == "dc:99:2e:a8:e6:bb:49:26:93:1d:f6:56:d5:ee:f8:a0" or
                pe.signatures[idx].serial == "00:dc:99:2e:a8:e6:bb:49:26:93:1d:f6:56:d5:ee:f8:a0"
            ) and
            pe.signatures[idx].subject contains "MEGAPOLISELIT, OOO" and
            // Expiry at or after this Unix time; informational only.
            pe.signatures[idx].not_after >= 1497916800
        )
}
// One of several entries in this file for subject "Xin Zhou"; each pins a
// different serial. A hit means the certificate is embedded in the PE; YARA
// does not validate the chain or the file's integrity.
rule cert_blocklist_41bd49bb456644d8183b3dae72ec8f22 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // file starts with "MZ"
        // Range is inclusive; the index past the last signature is undefined
        // and cannot match.
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].serial == "41:bd:49:bb:45:66:44:d8:18:3b:3d:ae:72:ec:8f:22" and
            pe.signatures[idx].subject contains "Xin Zhou" and
            // Expiry at or after this Unix time; informational only.
            pe.signatures[idx].not_after >= 1468454400
        )
}
// Blocklist entry for one code-signing certificate. The serial is accepted
// with or without a leading "00" octet: its first octet has the high bit
// set, so the encoded integer carries a zero pad. NOTE(review): which form
// the pe module reports presumably depends on the YARA version - confirm.
// YARA does not validate the chain; a hit only shows the cert is embedded.
rule cert_blocklist_a8d40da6708679c08aebddea6d3f6b8a {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // file starts with "MZ"
        // Range is inclusive; the index past the last signature is undefined
        // and cannot match.
        for any idx in (0..pe.number_of_signatures): (
            (
                pe.signatures[idx].serial == "a8:d4:0d:a6:70:86:79:c0:8a:eb:dd:ea:6d:3f:6b:8a" or
                pe.signatures[idx].serial == "00:a8:d4:0d:a6:70:86:79:c0:8a:eb:dd:ea:6d:3f:6b:8a"
            ) and
            pe.signatures[idx].subject contains "VELES LTD." and
            // Expiry at or after this Unix time; informational only.
            pe.signatures[idx].not_after >= 1547424000
        )
}
// Blocklist entry for a single code-signing certificate. The subject test is
// only a three-character substring and no issuer is checked, so the exact
// serial is what pins this certificate. YARA does not validate the chain;
// a hit shows the certificate is embedded, not that the signature verifies.
rule cert_blocklist_307642e1f3a92c6cc2e7fb6e18f2ddcb {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // file starts with "MZ"
        // Range is inclusive; the index past the last signature is undefined
        // and cannot match.
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].serial == "30:76:42:e1:f3:a9:2c:6c:c2:e7:fb:6e:18:f2:dd:cb" and
            pe.signatures[idx].subject contains "IBM" and
            // Expiry at or after this Unix time; informational only.
            pe.signatures[idx].not_after >= 1500422400
        )
}
// Blocklist entry for a single code-signing certificate: exact serial plus
// a subject substring. YARA does not validate the chain, so a hit shows the
// certificate is embedded, not that the signature verifies.
rule cert_blocklist_52379131a1c69263c795a7d398db0997 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // file starts with "MZ"
        // Range is inclusive; the index past the last signature is undefined
        // and cannot match.
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].serial == "52:37:91:31:a1:c6:92:63:c7:95:a7:d3:98:db:09:97" and
            pe.signatures[idx].subject contains "Beijing Caiyunshidai Technology Co., Ltd." and
            // Expiry at or after this Unix time; informational only.
            pe.signatures[idx].not_after >= 1476748800
        )
}
// Blocklist entry for a single code-signing certificate: exact serial plus
// a subject substring. YARA does not validate the chain, so a hit shows the
// certificate is embedded, not that the signature verifies.
rule cert_blocklist_44312cb9a927b4111360762b4d4bdd6d {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // file starts with "MZ"
        // Range is inclusive; the index past the last signature is undefined
        // and cannot match.
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].serial == "44:31:2c:b9:a9:27:b4:11:13:60:76:2b:4d:4b:dd:6d" and
            pe.signatures[idx].subject contains "BEAR ADAMS CONSULTING LIMITED" and
            // Expiry at or after this Unix time; informational only.
            pe.signatures[idx].not_after >= 1554768000
        )
}
// One of several entries in this file for subject "Yu Bao"; each pins a
// different serial. A hit means the certificate is embedded in the PE; YARA
// does not validate the chain or the file's integrity.
rule cert_blocklist_123a5074069162f4ed68fc7d48f464c2 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // file starts with "MZ"
        // Range is inclusive; the index past the last signature is undefined
        // and cannot match.
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].serial == "12:3a:50:74:06:91:62:f4:ed:68:fc:7d:48:f4:64:c2" and
            pe.signatures[idx].subject contains "Yu Bao" and
            // Expiry at or after this Unix time; informational only.
            pe.signatures[idx].not_after >= 1472428800
        )
}
// Blocklist entry for a single code-signing certificate: exact serial plus
// a subject substring. The \" escapes make the double quotes part of the
// matched subject text. YARA does not validate the chain, so a hit shows
// the certificate is embedded, not that the signature verifies.
rule cert_blocklist_64eb04b8def382b5efa75f63e0e85ad0 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // file starts with "MZ"
        // Range is inclusive; the index past the last signature is undefined
        // and cannot match.
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].serial == "64:eb:04:b8:de:f3:82:b5:ef:a7:5f:63:e0:e8:5a:d0" and
            pe.signatures[idx].subject contains "TOV \"MARIYA\"" and
            // Expiry at or after this Unix time; informational only.
            pe.signatures[idx].not_after >= 1535587200
        )
}
// One of several entries in this file for subject "Yu Bao"; each pins a
// different serial. A hit means the certificate is embedded in the PE; YARA
// does not validate the chain or the file's integrity.
rule cert_blocklist_76d8d908eed2f9857dc5676a680ceac9 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // file starts with "MZ"
        // Range is inclusive; the index past the last signature is undefined
        // and cannot match.
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].serial == "76:d8:d9:08:ee:d2:f9:85:7d:c5:67:6a:68:0c:ea:c9" and
            pe.signatures[idx].subject contains "Yu Bao" and
            // Expiry at or after this Unix time; informational only.
            pe.signatures[idx].not_after >= 1467158400
        )
}
// Blocklist entry keyed on a three-octet serial. Serial numbers are unique
// per issuer only and this rule does not check the issuer, so the subject
// substring carries much of the specificity. YARA does not validate the
// chain; corroborate a hit with full signature verification.
rule cert_blocklist_083e3f {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // file starts with "MZ"
        // Range is inclusive; the index past the last signature is undefined
        // and cannot match.
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].serial == "08:3e:3f" and
            pe.signatures[idx].subject contains "Telefonicasa" and
            // Expiry at or after this Unix time; informational only.
            pe.signatures[idx].not_after >= 999002664
        )
}
// One of several entries in this file for subject "Xin Zhou"; each pins a
// different serial. A hit means the certificate is embedded in the PE; YARA
// does not validate the chain or the file's integrity.
rule cert_blocklist_79227311acdd575759198dbd3544cca7 {
    meta:
        author = "ReversingLabs"
        source = "ReversingLabs"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "INFO"
        description = "Certificate used for digitally signing malware."
    condition:
        uint16(0) == 0x5A4D and  // file starts with "MZ"
        // Range is inclusive; the index past the last signature is undefined
        // and cannot match.
        for any idx in (0..pe.number_of_signatures): (
            pe.signatures[idx].serial == "79:22:73:11:ac:dd:57:57:59:19:8d:bd:35:44:cc:a7" and
            pe.signatures[idx].subject contains "Xin Zhou" and
            // Expiry at or after this Unix time; informational only.
            pe.signatures[idx].not_after >= 1478131200
        )
}
// Matches an MZ-headed file with a signature whose subject contains "VANKY TECHNOLOGY LIMITED"
// and whose 12-byte serial equals the listed value. The issuer is not compared, and YARA does not
// validate the chain (see the file header), so a hit is a lead to confirm, not a verdict.
rule cert_blocklist_13ae38c9ae21a8576c0d024d {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "VANKY TECHNOLOGY LIMITED" and
pe.signatures[i].serial == "13:ae:38:c9:ae:21:a8:57:6c:0d:02:4d" and
// Unix-seconds lower bound on the certificate expiry (not_after); signing time is not checked.
1475062802 <= pe.signatures[i].not_after
)
}
// Matches an MZ-headed file with a signature whose subject contains "Yuanyuan Zhang" and whose
// serial equals the listed value. Several rules in this file share this subject string and differ
// only in serial and expiry bound.
rule cert_blocklist_557b0abf44045827f1f36efbc96271ec {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
// NOTE(review): (a..b) is inclusive, so i also takes pe.number_of_signatures, one past the last entry; confirm that index evaluates as undefined.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Yuanyuan Zhang" and
pe.signatures[i].serial == "55:7b:0a:bf:44:04:58:27:f1:f3:6e:fb:c9:62:71:ec" and
// Unix-seconds lower bound on the certificate expiry (not_after); signing time is not checked.
1480291200 <= pe.signatures[i].not_after
)
}
// Matches an MZ-headed file with a signature whose subject contains "Qool Aid, LLC" and whose
// serial equals the listed value. The issuer field is not part of the condition.
rule cert_blocklist_7903870184e18a80899740845a15e2b2 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Qool Aid, LLC" and
pe.signatures[i].serial == "79:03:87:01:84:e1:8a:80:89:97:40:84:5a:15:e2:b2" and
// Unix-seconds lower bound on the certificate expiry (not_after); signing time is not checked.
1079654400 <= pe.signatures[i].not_after
)
}
// Matches an MZ-headed file with a signature whose subject contains
// "BIG JOURNEY TECHNOLOGY LIMITED" and whose 12-byte serial equals the listed value.
// The serial is compared as a lowercase, colon-separated hex string.
rule cert_blocklist_5fba9b373f812c16aef531d4 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "BIG JOURNEY TECHNOLOGY LIMITED" and
pe.signatures[i].serial == "5f:ba:9b:37:3f:81:2c:16:ae:f5:31:d4" and
// Unix-seconds lower bound on the certificate expiry (not_after); signing time is not checked.
1473329076 <= pe.signatures[i].not_after
)
}
// Matches an MZ-headed file with a signature whose subject contains "Lerges" and whose serial
// equals the listed value. The subject test is a short substring, so it only narrows the match;
// the serial equality is the identifying term.
rule cert_blocklist_616a5205238590b01d7b761e444e4ad9 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Lerges" and
pe.signatures[i].serial == "61:6a:52:05:23:85:90:b0:1d:7b:76:1e:44:4e:4a:d9" and
// Unix-seconds lower bound on the certificate expiry (not_after); signing time is not checked.
1421452800 <= pe.signatures[i].not_after
)
}
// Matches an MZ-headed file with a signature whose subject contains "BLADES" (case-sensitive
// substring) and whose serial equals the listed value. The issuer is not compared.
rule cert_blocklist_29be2278113dd062eadca32de6b242d0 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
// NOTE(review): (a..b) is inclusive, so i also takes pe.number_of_signatures, one past the last entry; confirm that index evaluates as undefined.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "BLADES" and
pe.signatures[i].serial == "29:be:22:78:11:3d:d0:62:ea:dc:a3:2d:e6:b2:42:d0" and
// Unix-seconds lower bound on the certificate expiry (not_after); signing time is not checked.
1536883200 <= pe.signatures[i].not_after
)
}
// Matches an MZ-headed file with a signature whose subject contains "Yu Bao" and whose serial
// equals the listed value. YARA does not validate the certificate chain (see the file header),
// so self-issued certificates reusing these values would also match.
rule cert_blocklist_05f70a557afd4a443f44d0baf0bc8c60 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Yu Bao" and
pe.signatures[i].serial == "05:f7:0a:55:7a:fd:4a:44:3f:44:d0:ba:f0:bc:8c:60" and
// Unix-seconds lower bound on the certificate expiry (not_after); signing time is not checked.
1477440000 <= pe.signatures[i].not_after
)
}
// Matches an MZ-headed file with a signature whose subject contains "Yuanyuan Zhang" and whose
// serial equals the listed value. The issuer field is not part of the condition.
rule cert_blocklist_4e0665d61997072294a70c662f72eae3 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Yuanyuan Zhang" and
pe.signatures[i].serial == "4e:06:65:d6:19:97:07:22:94:a7:0c:66:2f:72:ea:e3" and
// Unix-seconds lower bound on the certificate expiry (not_after); signing time is not checked.
1474502400 <= pe.signatures[i].not_after
)
}
// Matches an MZ-headed file with a signature whose subject contains "Shulan Hou" and whose
// serial equals the listed value. All three certificate terms must hold for the same index i.
rule cert_blocklist_74702dff5d4056b847d009a2265fb1b3 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
// NOTE(review): (a..b) is inclusive, so i also takes pe.number_of_signatures, one past the last entry; confirm that index evaluates as undefined.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Shulan Hou" and
pe.signatures[i].serial == "74:70:2d:ff:5d:40:56:b8:47:d0:09:a2:26:5f:b1:b3" and
// Unix-seconds lower bound on the certificate expiry (not_after); signing time is not checked.
1469664000 <= pe.signatures[i].not_after
)
}
// Matches an MZ-headed file with a signature whose subject contains "Network Freak Limited"
// and whose serial equals the listed value. The issuer is not compared.
rule cert_blocklist_353b1cf7866ee0b0acdd532d0bb1a220 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Network Freak Limited" and
pe.signatures[i].serial == "35:3b:1c:f7:86:6e:e0:b0:ac:dd:53:2d:0b:b1:a2:20" and
// Unix-seconds lower bound on the certificate expiry (not_after); signing time is not checked.
1558915200 <= pe.signatures[i].not_after
)
}
// Matches an MZ-headed file with a signature whose subject contains "AEEPZ Limited" and whose
// serial equals the listed value. The serial is compared as a lowercase, colon-separated hex
// string, so the literal must keep that exact form.
rule cert_blocklist_093ff2870fa33eaf47259457ee58c2e0 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "AEEPZ Limited" and
pe.signatures[i].serial == "09:3f:f2:87:0f:a3:3e:af:47:25:94:57:ee:58:c2:e0" and
// Unix-seconds lower bound on the certificate expiry (not_after); signing time is not checked.
1503532800 <= pe.signatures[i].not_after
)
}
// Matches an MZ-headed file with a signature whose subject contains "Yuanyuan Zhang" and whose
// serial equals the listed value. YARA does not validate the chain (see the file header), so a
// hit should be confirmed with a full Authenticode verification.
rule cert_blocklist_719c17a823839dca813ee85888b3b39a {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Yuanyuan Zhang" and
pe.signatures[i].serial == "71:9c:17:a8:23:83:9d:ca:81:3e:e8:58:88:b3:b3:9a" and
// Unix-seconds lower bound on the certificate expiry (not_after); signing time is not checked.
1479686400 <= pe.signatures[i].not_after
)
}
// Matches an MZ-headed file with a signature whose subject contains "Dening Hu" and whose
// serial equals the listed value. The issuer field is not part of the condition.
rule cert_blocklist_6dc86ebf5863568e2237b2d89582d705 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
// NOTE(review): (a..b) is inclusive, so i also takes pe.number_of_signatures, one past the last entry; confirm that index evaluates as undefined.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Dening Hu" and
pe.signatures[i].serial == "6d:c8:6e:bf:58:63:56:8e:22:37:b2:d8:95:82:d7:05" and
// Unix-seconds lower bound on the certificate expiry (not_after); signing time is not checked.
1471305600 <= pe.signatures[i].not_after
)
}
// Matches an MZ-headed file with a signature whose subject contains "Xin Zhou" and whose serial
// equals the listed value. Other rules in this file cover further serials for the same subject.
rule cert_blocklist_214df59fe53874cc011dd45727035f51 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Xin Zhou" and
pe.signatures[i].serial == "21:4d:f5:9f:e5:38:74:cc:01:1d:d4:57:27:03:5f:51" and
// Unix-seconds lower bound on the certificate expiry (not_after); signing time is not checked.
1468800000 <= pe.signatures[i].not_after
)
}
// Matches an MZ-headed file with a signature whose subject contains "Aleman Ltd" and whose
// serial equals the listed value. The issuer is not compared.
rule cert_blocklist_37ca4f66fdcc8732992723199859886c {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Aleman Ltd" and
pe.signatures[i].serial == "37:ca:4f:66:fd:cc:87:32:99:27:23:19:98:59:88:6c" and
// Unix-seconds lower bound on the certificate expiry (not_after); signing time is not checked.
1505952000 <= pe.signatures[i].not_after
)
}
// Matches an MZ-headed file with a signature whose subject contains "Marts GmbH" and whose
// serial equals either listed spelling. The issuer is not compared.
rule cert_blocklist_be2f22c152bb218b898c4029056816a9 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Marts GmbH" and (
// Same serial with and without a leading 00 byte; presumably covers parsers that keep or drop
// the DER sign-padding byte added when the first serial byte has its top bit set.
pe.signatures[i].serial == "00:be:2f:22:c1:52:bb:21:8b:89:8c:40:29:05:68:16:a9" or
pe.signatures[i].serial == "be:2f:22:c1:52:bb:21:8b:89:8c:40:29:05:68:16:a9"
) and
// Unix-seconds lower bound on the certificate expiry (not_after); signing time is not checked.
1676246400 <= pe.signatures[i].not_after
)
}
// Matches an MZ-headed file with a signature whose subject contains "DIG IN VISION SP Z O O"
// and whose serial equals either listed spelling. The issuer is not compared.
rule cert_blocklist_fc7065abf8303fb472b8af85918f5c24 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "DIG IN VISION SP Z O O" and (
// Same serial with and without a leading 00 byte; presumably covers parsers that keep or drop
// the DER sign-padding byte added when the first serial byte has its top bit set.
pe.signatures[i].serial == "00:fc:70:65:ab:f8:30:3f:b4:72:b8:af:85:91:8f:5c:24" or
pe.signatures[i].serial == "fc:70:65:ab:f8:30:3f:b4:72:b8:af:85:91:8f:5c:24"
) and
// Unix-seconds lower bound on the certificate expiry (not_after); signing time is not checked.
1604361600 <= pe.signatures[i].not_after
)
}
// Matches an MZ-headed file with a signature whose subject contains "BELLAP LIMITED" and whose
// serial equals the listed value. The issuer field is not part of the condition.
rule cert_blocklist_698ff388adb50b88afb832e76b0a0ad1 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
// NOTE(review): (a..b) is inclusive, so i also takes pe.number_of_signatures, one past the last entry; confirm that index evaluates as undefined.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "BELLAP LIMITED" and
pe.signatures[i].serial == "69:8f:f3:88:ad:b5:0b:88:af:b8:32:e7:6b:0a:0a:d1" and
// Unix-seconds lower bound on the certificate expiry (not_after); signing time is not checked.
1675070541 <= pe.signatures[i].not_after
)
}
// Matches an MZ-headed file with a signature whose subject contains "DVERI FADO, TOV" and whose
// 12-byte serial equals the listed value. The issuer is not compared.
rule cert_blocklist_391ae38670ab188a5de26e07 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "DVERI FADO, TOV" and
pe.signatures[i].serial == "39:1a:e3:86:70:ab:18:8a:5d:e2:6e:07" and
// Unix-seconds lower bound on the certificate expiry (not_after); signing time is not checked.
1540832872 <= pe.signatures[i].not_after
)
}
// Matches an MZ-headed file with a signature whose subject contains
// "AMO-K Limited Liability Company" and whose serial equals either listed spelling.
rule cert_blocklist_d08d83ff118df3777e371c5c482cce7b {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "AMO-K Limited Liability Company" and (
// Same serial with and without a leading 00 byte; presumably covers parsers that keep or drop
// the DER sign-padding byte added when the first serial byte has its top bit set.
pe.signatures[i].serial == "00:d0:8d:83:ff:11:8d:f3:77:7e:37:1c:5c:48:2c:ce:7b" or
pe.signatures[i].serial == "d0:8d:83:ff:11:8d:f3:77:7e:37:1c:5c:48:2c:ce:7b"
) and
// Unix-seconds lower bound on the certificate expiry (not_after); signing time is not checked.
1444780800 <= pe.signatures[i].not_after
)
}
// Matches an MZ-headed file with a signature whose subject contains "Select'Assistance Pro"
// (apostrophe included) and whose serial equals the listed value. The issuer is not compared.
rule cert_blocklist_06ce209477f1ac19a2049bdc5846a831 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Select'Assistance Pro" and
pe.signatures[i].serial == "06:ce:20:94:77:f1:ac:19:a2:04:9b:dc:58:46:a8:31" and
// Unix-seconds lower bound on the certificate expiry (not_after); signing time is not checked.
1426710344 <= pe.signatures[i].not_after
)
}
// Matches an MZ-headed file with a signature whose subject contains "3 AM CHP" and whose serial
// equals the listed value. Another rule in this file lists a second serial for the same subject.
rule cert_blocklist_447f449121b883211663b7b7e2ead868 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
// NOTE(review): (a..b) is inclusive, so i also takes pe.number_of_signatures, one past the last entry; confirm that index evaluates as undefined.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "3 AM CHP" and
pe.signatures[i].serial == "44:7f:44:91:21:b8:83:21:16:63:b7:b7:e2:ea:d8:68" and
// Unix-seconds lower bound on the certificate expiry (not_after); signing time is not checked.
1443052800 <= pe.signatures[i].not_after
)
}
// Matches an MZ-headed file with a signature whose subject contains "xlgames" (case-sensitive,
// lowercase as written) and whose serial equals the listed value. The issuer is not compared.
rule cert_blocklist_6366a9ac97df4de17366943c9b291aaa {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "xlgames" and
pe.signatures[i].serial == "63:66:a9:ac:97:df:4d:e1:73:66:94:3c:9b:29:1a:aa" and
// Unix-seconds lower bound on the certificate expiry (not_after); signing time is not checked.
1326796477 <= pe.signatures[i].not_after
)
}
// Matches an MZ-headed file with a signature whose subject contains "KOG Co., Ltd." and whose
// serial equals the listed value. YARA does not validate the chain (see the file header), so a
// hit should be confirmed with a full Authenticode verification.
rule cert_blocklist_66e3f0b4459f15ac7f2a2b44990dd709 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "KOG Co., Ltd." and
pe.signatures[i].serial == "66:e3:f0:b4:45:9f:15:ac:7f:2a:2b:44:99:0d:d7:09" and
// Unix-seconds lower bound on the certificate expiry (not_after); signing time is not checked.
1320288125 <= pe.signatures[i].not_after
)
}
// Matches an MZ-headed file with a signature whose subject contains "Wemade Entertainment" and
// whose serial equals the listed value. The issuer field is not part of the condition.
rule cert_blocklist_610039d6349ee531e4caa3a65d100c7d {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Wemade Entertainment" and
pe.signatures[i].serial == "61:00:39:d6:34:9e:e5:31:e4:ca:a3:a6:5d:10:0c:7d" and
// Unix-seconds lower bound on the certificate expiry (not_after); signing time is not checked.
1341792000 <= pe.signatures[i].not_after
)
}
// Matches an MZ-headed file with a signature whose subject contains "LivePlex Corp" and whose
// serial equals the listed value. The issuer is not compared.
rule cert_blocklist_1caa0d0dadf32a2404a75195ae47820a {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
// NOTE(review): (a..b) is inclusive, so i also takes pe.number_of_signatures, one past the last entry; confirm that index evaluates as undefined.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "LivePlex Corp" and
pe.signatures[i].serial == "1c:aa:0d:0d:ad:f3:2a:24:04:a7:51:95:ae:47:82:0a" and
// Unix-seconds lower bound on the certificate expiry (not_after); signing time is not checked.
1324425600 <= pe.signatures[i].not_after
)
}
// Matches an MZ-headed file with a signature whose subject contains
// "Guangzhou YuanLuo Technology Co.,Ltd" (no space after the comma, as written) and whose
// serial equals the listed value. Another rule in this file lists a second serial for this subject.
rule cert_blocklist_140d2c515e8ee9739bb5f1b2637dc478 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Guangzhou YuanLuo Technology Co.,Ltd" and
pe.signatures[i].serial == "14:0d:2c:51:5e:8e:e9:73:9b:b5:f1:b2:63:7d:c4:78" and
// Unix-seconds lower bound on the certificate expiry (not_after); signing time is not checked.
1386806400 <= pe.signatures[i].not_after
)
}
// Matches an MZ-headed file with a signature whose subject contains
// "Nanjing Ranyi Technology Co., Ltd. " and whose serial equals the listed value.
// The trailing space inside the subject literal is part of the substring being matched.
rule cert_blocklist_58015acd501fc9c344264eace2ce5730 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
// NOTE(review): a subject that ends right after "Ltd." would not satisfy this test; confirm the trailing space is intended.
pe.signatures[i].subject contains "Nanjing Ranyi Technology Co., Ltd. " and
pe.signatures[i].serial == "58:01:5a:cd:50:1f:c9:c3:44:26:4e:ac:e2:ce:57:30" and
// Unix-seconds lower bound on the certificate expiry (not_after); signing time is not checked.
1352246400 <= pe.signatures[i].not_after
)
}
// Matches an MZ-headed file with a signature whose subject contains
// "Guangzhou YuanLuo Technology Co.,Ltd" and whose serial equals the listed value.
// The issuer is not compared.
rule cert_blocklist_0b7279068beb15ffe8060d2c56153c35 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Guangzhou YuanLuo Technology Co.,Ltd" and
pe.signatures[i].serial == "0b:72:79:06:8b:eb:15:ff:e8:06:0d:2c:56:15:3c:35" and
// Unix-seconds lower bound on the certificate expiry (not_after); signing time is not checked.
1350864000 <= pe.signatures[i].not_after
)
}
// Matches an MZ-headed file with a signature whose subject contains "Foresee Consulting Inc."
// and whose serial equals the listed value. The issuer field is not part of the condition.
rule cert_blocklist_0bc0f18da36702e302db170d91dc9202 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
// NOTE(review): (a..b) is inclusive, so i also takes pe.number_of_signatures, one past the last entry; confirm that index evaluates as undefined.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Foresee Consulting Inc." and
pe.signatures[i].serial == "0b:c0:f1:8d:a3:67:02:e3:02:db:17:0d:91:dc:92:02" and
// Unix-seconds lower bound on the certificate expiry (not_after); signing time is not checked.
1637712000 <= pe.signatures[i].not_after
)
}
// Matches an MZ-headed file with a signature whose subject contains "CodeDance Ltd" and whose
// serial equals either listed spelling. The issuer is not compared.
rule cert_blocklist_ca9b6f49b8b41204a174c751c73dc393 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "CodeDance Ltd" and (
// Same serial with and without a leading 00 byte; presumably covers parsers that keep or drop
// the DER sign-padding byte added when the first serial byte has its top bit set.
pe.signatures[i].serial == "00:ca:9b:6f:49:b8:b4:12:04:a1:74:c7:51:c7:3d:c3:93" or
pe.signatures[i].serial == "ca:9b:6f:49:b8:b4:12:04:a1:74:c7:51:c7:3d:c3:93"
) and
// Unix-seconds lower bound on the certificate expiry (not_after); signing time is not checked.
1654646400 <= pe.signatures[i].not_after
)
}
// Matches an MZ-headed file with a signature whose subject contains "ALISA L LIMITED" and whose
// serial equals either listed spelling. The issuer is not compared.
rule cert_blocklist_aaf65b8e7a2e68bc8c9e8f27331b795c {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "ALISA L LIMITED" and (
// Same serial with and without a leading 00 byte; presumably covers parsers that keep or drop
// the DER sign-padding byte added when the first serial byte has its top bit set.
pe.signatures[i].serial == "00:aa:f6:5b:8e:7a:2e:68:bc:8c:9e:8f:27:33:1b:79:5c" or
pe.signatures[i].serial == "aa:f6:5b:8e:7a:2e:68:bc:8c:9e:8f:27:33:1b:79:5c"
) and
// Unix-seconds lower bound on the certificate expiry (not_after); signing time is not checked.
1549324800 <= pe.signatures[i].not_after
)
}
// Matches an MZ-headed file with a signature whose subject contains "THE COMPANY OF WORDS LTD"
// and whose serial equals either listed spelling. The issuer is not compared.
rule cert_blocklist_c6ed0efe2844fa44aae350c6845c3331 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "THE COMPANY OF WORDS LTD" and (
// Same serial with and without a leading 00 byte; presumably covers parsers that keep or drop
// the DER sign-padding byte added when the first serial byte has its top bit set.
pe.signatures[i].serial == "00:c6:ed:0e:fe:28:44:fa:44:aa:e3:50:c6:84:5c:33:31" or
pe.signatures[i].serial == "c6:ed:0e:fe:28:44:fa:44:aa:e3:50:c6:84:5c:33:31"
) and
// Unix-seconds lower bound on the certificate expiry (not_after); signing time is not checked.
1549324800 <= pe.signatures[i].not_after
)
}
// Matches an MZ-headed file with a signature whose subject contains "START ARCHITECTURE LTD"
// and whose serial equals either listed spelling. The issuer is not compared.
rule cert_blocklist_ede6cfbf9fa18337b0fdb49c1f693020 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "START ARCHITECTURE LTD" and (
// Same serial with and without a leading 00 byte; presumably covers parsers that keep or drop
// the DER sign-padding byte added when the first serial byte has its top bit set.
pe.signatures[i].serial == "00:ed:e6:cf:bf:9f:a1:83:37:b0:fd:b4:9c:1f:69:30:20" or
pe.signatures[i].serial == "ed:e6:cf:bf:9f:a1:83:37:b0:fd:b4:9c:1f:69:30:20"
) and
// Unix-seconds lower bound on the certificate expiry (not_after); signing time is not checked.
1554940800 <= pe.signatures[i].not_after
)
}
// Matches an MZ-headed file with a signature whose subject contains
// "ADVANCED ACCESS SERVICES LTD" and whose serial equals either listed spelling.
rule cert_blocklist_eda0f47b3b38e781cdf6ef6be5d3f6ee {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "ADVANCED ACCESS SERVICES LTD" and (
// Same serial with and without a leading 00 byte; presumably covers parsers that keep or drop
// the DER sign-padding byte added when the first serial byte has its top bit set.
pe.signatures[i].serial == "00:ed:a0:f4:7b:3b:38:e7:81:cd:f6:ef:6b:e5:d3:f6:ee" or
pe.signatures[i].serial == "ed:a0:f4:7b:3b:38:e7:81:cd:f6:ef:6b:e5:d3:f6:ee"
) and
// Unix-seconds lower bound on the certificate expiry (not_after); signing time is not checked.
1650931200 <= pe.signatures[i].not_after
)
}
// Matches an MZ-headed file with a signature whose subject contains "ALISA LTD" and whose
// serial equals the listed value. The issuer field is not part of the condition.
rule cert_blocklist_5da173eb1ac76340ac058e1ff4bf5e1b {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
// NOTE(review): (a..b) is inclusive, so i also takes pe.number_of_signatures, one past the last entry; confirm that index evaluates as undefined.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "ALISA LTD" and
pe.signatures[i].serial == "5d:a1:73:eb:1a:c7:63:40:ac:05:8e:1f:f4:bf:5e:1b" and
// Unix-seconds lower bound on the certificate expiry (not_after); signing time is not checked.
1550793600 <= pe.signatures[i].not_after
)
}
// Matches an MZ-headed file with a signature whose subject contains "VANKY TECHNOLOGY LIMITED"
// and whose 12-byte serial equals the listed value. Other rules in this file list further
// serials for the same subject string.
rule cert_blocklist_1380a7ccf2bf36bc496b00d8 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "VANKY TECHNOLOGY LIMITED" and
pe.signatures[i].serial == "13:80:a7:cc:f2:bf:36:bc:49:6b:00:d8" and
// Unix-seconds lower bound on the certificate expiry (not_after); signing time is not checked.
1478069976 <= pe.signatures[i].not_after
)
}
// Matches an MZ-headed file with a signature whose subject contains "Theravada Solutions Ltd"
// and whose serial equals the listed value. The issuer is not compared.
rule cert_blocklist_02eaf27e6f1575e365fc7fe4e0be43f7 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Theravada Solutions Ltd" and
pe.signatures[i].serial == "02:ea:f2:7e:6f:15:75:e3:65:fc:7f:e4:e0:be:43:f7" and
// Unix-seconds lower bound on the certificate expiry (not_after); signing time is not checked.
1562889600 <= pe.signatures[i].not_after
)
}
// Matches an MZ-headed file with a signature whose 12-byte serial equals the listed value and
// whose subject contains the escaped byte string below. The issuer is not compared.
rule cert_blocklist_6eb02ac2beb9611ed57eb12e {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
// The doubled backslashes make this a literal "\xE6\x9D..." text sequence, not raw bytes.
// NOTE(review): presumably the subject string exposed by the pe module renders non-ASCII name
// bytes in this escaped form; confirm against the engine version in use.
pe.signatures[i].subject contains "\\xE6\\x9D\\xA8\\xE5\\x87\\x8C\\xE4\\xBC\\xAF\\xE4\\xB9\\x90\\xE7\\xBD\\x91\\xE7\\xBB\\x9C\\xE7\\xA7\\x91\\xE6\\x8A\\x80\\xE6\\x9C\\x89\\xE9\\x99\\x90\\xE5\\x85\\xAC\\xE5\\x8F\\xB8" and
pe.signatures[i].serial == "6e:b0:2a:c2:be:b9:61:1e:d5:7e:b1:2e" and
// Unix-seconds lower bound on the certificate expiry (not_after); signing time is not checked.
1585023767 <= pe.signatures[i].not_after
)
}
// Matches an MZ-headed file with a signature whose subject contains "ROSSO INDEX K.K." and
// whose 11-byte serial equals the listed value. The issuer is not compared.
rule cert_blocklist_010000000001297dba69dd {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
// NOTE(review): (a..b) is inclusive, so i also takes pe.number_of_signatures, one past the last entry; confirm that index evaluates as undefined.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "ROSSO INDEX K.K." and
pe.signatures[i].serial == "01:00:00:00:00:01:29:7d:ba:69:dd" and
// Unix-seconds lower bound on the certificate expiry (not_after); signing time is not checked.
1277713154 <= pe.signatures[i].not_after
)
}
// Matches an MZ-headed file with a signature whose subject contains
// "Beijing Caiyunshidai Technology Co., Ltd." and whose serial equals the listed value.
// Other rules in this file list further serials for the same subject string.
rule cert_blocklist_7def22ef4c645b1decfb36b6d3539dbf {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Beijing Caiyunshidai Technology Co., Ltd." and
pe.signatures[i].serial == "7d:ef:22:ef:4c:64:5b:1d:ec:fb:36:b6:d3:53:9d:bf" and
// Unix-seconds lower bound on the certificate expiry (not_after); signing time is not checked.
1474416000 <= pe.signatures[i].not_after
)
}
// Matches an MZ-headed file with a signature whose subject contains "VANKY TECHNOLOGY LIMITED"
// and whose 12-byte serial equals the listed value. The issuer is not compared.
rule cert_blocklist_3e39c2ccc494438bb8c2560f {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "VANKY TECHNOLOGY LIMITED" and
pe.signatures[i].serial == "3e:39:c2:cc:c4:94:43:8b:b8:c2:56:0f" and
// Unix-seconds lower bound on the certificate expiry (not_after); signing time is not checked.
1466142876 <= pe.signatures[i].not_after
)
}
// Matches an MZ-headed file with a signature whose subject contains "Divisible Limited" and
// whose serial equals the listed value. The issuer field is not part of the condition.
rule cert_blocklist_6e3b09f43c3a0fd53b7d600f08fae2b5 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
// NOTE(review): (a..b) is inclusive, so i also takes pe.number_of_signatures, one past the last entry; confirm that index evaluates as undefined.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Divisible Limited" and
pe.signatures[i].serial == "6e:3b:09:f4:3c:3a:0f:d5:3b:7d:60:0f:08:fa:e2:b5" and
// Unix-seconds lower bound on the certificate expiry (not_after); signing time is not checked.
1507248000 <= pe.signatures[i].not_after
)
}
// Matches an MZ-headed file with a signature whose subject contains "Sivi Technology Limited"
// and whose 12-byte serial equals the listed value. The issuer is not compared.
rule cert_blocklist_21220646c639d62c16992f46 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Sivi Technology Limited" and
pe.signatures[i].serial == "21:22:06:46:c6:39:d6:2c:16:99:2f:46" and
// Unix-seconds lower bound on the certificate expiry (not_after); signing time is not checked.
1466130984 <= pe.signatures[i].not_after
)
}
// Matches an MZ-headed file with a signature whose subject contains "GIN-Konsalt" and whose
// serial equals the listed value. YARA does not validate the chain (see the file header), so a
// hit should be confirmed with a full Authenticode verification.
rule cert_blocklist_738663f2c9e4adb3ad5306aa5e7cc548 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "GIN-Konsalt" and
pe.signatures[i].serial == "73:86:63:f2:c9:e4:ad:b3:ad:53:06:aa:5e:7c:c5:48" and
// Unix-seconds lower bound on the certificate expiry (not_after); signing time is not checked.
1498435200 <= pe.signatures[i].not_after
)
}
// Matches an MZ-headed file with a signature whose subject contains
// "Beijing Caiyunshidai Technology Co., Ltd." and whose serial equals the listed value.
// The issuer is not compared.
rule cert_blocklist_4280f2c8ce1d98e5f8da7ecb005eeae5 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Beijing Caiyunshidai Technology Co., Ltd." and
pe.signatures[i].serial == "42:80:f2:c8:ce:1d:98:e5:f8:da:7e:cb:00:5e:ea:e5" and
// Unix-seconds lower bound on the certificate expiry (not_after); signing time is not checked.
1476316800 <= pe.signatures[i].not_after
)
}
// Matches an MZ-headed file with a signature whose subject contains "VANKY TECHNOLOGY LIMITED"
// and whose 12-byte serial equals the listed value. The issuer is not compared.
rule cert_blocklist_2946397be9c5ae44e95c99af {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
// NOTE(review): (a..b) is inclusive, so i also takes pe.number_of_signatures, one past the last entry; confirm that index evaluates as undefined.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "VANKY TECHNOLOGY LIMITED" and
pe.signatures[i].serial == "29:46:39:7b:e9:c5:ae:44:e9:5c:99:af" and
// Unix-seconds lower bound on the certificate expiry (not_after); signing time is not checked.
1476092708 <= pe.signatures[i].not_after
)
}
// Matches an MZ-headed file with a signature whose subject contains
// "Shenzhen Yunhuitianxia Technology Co.,Ltd." (no space after the comma, as written) and whose
// 12-byte serial equals the listed value. The issuer is not compared.
rule cert_blocklist_2df453588177cf1c0c297ff4 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Shenzhen Yunhuitianxia Technology Co.,Ltd." and
pe.signatures[i].serial == "2d:f4:53:58:81:77:cf:1c:0c:29:7f:f4" and
// Unix-seconds lower bound on the certificate expiry (not_after); signing time is not checked.
1479735173 <= pe.signatures[i].not_after
)
}
// Matches an MZ-headed file with a signature whose subject contains "Yuanyuan Zhang" and whose
// serial equals the listed value. The issuer field is not part of the condition.
rule cert_blocklist_0619c5e39a4fc60a32f9b07f6a4ca328 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Yuanyuan Zhang" and
pe.signatures[i].serial == "06:19:c5:e3:9a:4f:c6:0a:32:f9:b0:7f:6a:4c:a3:28" and
// Unix-seconds lower bound on the certificate expiry (not_after); signing time is not checked.
1475884800 <= pe.signatures[i].not_after
)
}
// Matches an MZ-headed file with a signature whose subject contains "A&D DOMUS LIMITED" and
// whose serial equals the listed value. The issuer is not compared.
rule cert_blocklist_2bffef48e6a321b418041310fdb9b0d0 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
// NOTE(review): (a..b) is inclusive, so i also takes pe.number_of_signatures, one past the last entry; confirm that index evaluates as undefined.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "A&D DOMUS LIMITED" and
pe.signatures[i].serial == "2b:ff:ef:48:e6:a3:21:b4:18:04:13:10:fd:b9:b0:d0" and
// Unix-seconds lower bound on the certificate expiry (not_after); signing time is not checked.
1554681600 <= pe.signatures[i].not_after
)
}
// Matches an MZ-headed file with a signature whose subject contains "Xin Zhou" and whose serial
// equals the listed value. The issuer field is not part of the condition.
rule cert_blocklist_34ec9565805f34204c6966fb81e36ba1 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Xin Zhou" and
pe.signatures[i].serial == "34:ec:95:65:80:5f:34:20:4c:69:66:fb:81:e3:6b:a1" and
// Unix-seconds lower bound on the certificate expiry (not_after); signing time is not checked.
1476921600 <= pe.signatures[i].not_after
)
}
// Matches an MZ-headed file with a signature whose subject contains "MS CORP SOFTWARE LTD" and
// whose serial equals either listed spelling. The issuer is not compared.
rule cert_blocklist_b2b934b7f01e0ac1e577814992243709 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "MS CORP SOFTWARE LTD" and (
// Same serial with and without a leading 00 byte; presumably covers parsers that keep or drop
// the DER sign-padding byte added when the first serial byte has its top bit set.
pe.signatures[i].serial == "00:b2:b9:34:b7:f0:1e:0a:c1:e5:77:81:49:92:24:37:09" or
pe.signatures[i].serial == "b2:b9:34:b7:f0:1e:0a:c1:e5:77:81:49:92:24:37:09"
) and
// Unix-seconds lower bound on the certificate expiry (not_after); signing time is not checked.
1590710400 <= pe.signatures[i].not_after
)
}
// Matches an MZ-headed file with a signature whose subject contains "Yongli Zhang" and whose
// serial equals the listed value. The issuer is not compared.
rule cert_blocklist_3a1b397fd9451e3b5891fc69681ed73d {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
// NOTE(review): (a..b) is inclusive, so i also takes pe.number_of_signatures, one past the last entry; confirm that index evaluates as undefined.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Yongli Zhang" and
pe.signatures[i].serial == "3a:1b:39:7f:d9:45:1e:3b:58:91:fc:69:68:1e:d7:3d" and
// Unix-seconds lower bound on the certificate expiry (not_after); signing time is not checked.
1470614400 <= pe.signatures[i].not_after
)
}
// Matches an MZ-headed file with a signature whose serial equals the listed value and whose
// subject contains the escaped byte string below. The issuer is not compared.
rule cert_blocklist_1eb816aa49e4894d9e9f78729e53cd48 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
// The doubled backslashes make this a literal "\xE5\x96..." text sequence (with one plain
// space in the middle), not raw bytes.
// NOTE(review): presumably the subject string exposed by the pe module renders non-ASCII name
// bytes in this escaped form; confirm against the engine version in use.
pe.signatures[i].subject contains "\\xE5\\x96\\x84\\xE5\\x90\\x9B \\xE9\\x9F\\xA6" and
pe.signatures[i].serial == "1e:b8:16:aa:49:e4:89:4d:9e:9f:78:72:9e:53:cd:48" and
// Unix-seconds lower bound on the certificate expiry (not_after); signing time is not checked.
1429056000 <= pe.signatures[i].not_after
)
}
// Matches an MZ-headed file with a signature whose subject contains "VANKY TECHNOLOGY LIMITED"
// and whose 12-byte serial equals the listed value. The issuer is not compared.
rule cert_blocklist_383ca88d6d9379c740609560 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "VANKY TECHNOLOGY LIMITED" and
pe.signatures[i].serial == "38:3c:a8:8d:6d:93:79:c7:40:60:95:60" and
// Unix-seconds lower bound on the certificate expiry (not_after); signing time is not checked.
1478250214 <= pe.signatures[i].not_after
)
}
// Matches an MZ-headed file with a signature whose subject contains "3 AM CHP" and whose serial
// equals the listed value. The issuer field is not part of the condition.
rule cert_blocklist_6731cb1430f18b8c0c43ab40e1154169 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "3 AM CHP" and
pe.signatures[i].serial == "67:31:cb:14:30:f1:8b:8c:0c:43:ab:40:e1:15:41:69" and
// Unix-seconds lower bound on the certificate expiry (not_after); signing time is not checked.
1436313600 <= pe.signatures[i].not_after
)
}
// Matches an MZ-headed file with a signature whose subject contains "Shan Feng" and whose
// serial equals the listed value. The issuer is not compared.
rule cert_blocklist_159505e6456b9a9352f7c47168d89b96 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
// NOTE(review): (a..b) is inclusive, so i also takes pe.number_of_signatures, one past the last entry; confirm that index evaluates as undefined.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Shan Feng" and
pe.signatures[i].serial == "15:95:05:e6:45:6b:9a:93:52:f7:c4:71:68:d8:9b:96" and
// Unix-seconds lower bound on the certificate expiry (not_after); signing time is not checked.
1469404800 <= pe.signatures[i].not_after
)
}
// Matches an MZ-headed file with a signature whose subject contains
// "Beijing Caiyunshidai Technology Co., Ltd." and whose serial equals the listed value.
// The issuer is not compared.
rule cert_blocklist_04a0e92b0b9ebbb797df6ef52bd5ad05 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Beijing Caiyunshidai Technology Co., Ltd." and
pe.signatures[i].serial == "04:a0:e9:2b:0b:9e:bb:b7:97:df:6e:f5:2b:d5:ad:05" and
// Unix-seconds lower bound on the certificate expiry (not_after); signing time is not checked.
1479081600 <= pe.signatures[i].not_after
)
}
// Matches an MZ-headed file with a signature whose subject contains "Aeroscan TOV" and whose
// serial equals the listed value. The issuer field is not part of the condition.
rule cert_blocklist_25f222ab2613dc4270b2aabc2519a101 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Aeroscan TOV" and
pe.signatures[i].serial == "25:f2:22:ab:26:13:dc:42:70:b2:aa:bc:25:19:a1:01" and
// Unix-seconds lower bound on the certificate expiry (not_after); signing time is not checked.
1445299200 <= pe.signatures[i].not_after
)
}
// Matches an MZ-headed file with a signature whose subject contains "XECURE LAB CO., LTD." and
// whose serial equals the listed value. YARA does not validate the chain (see the file header),
// so a hit should be confirmed with a full Authenticode verification.
rule cert_blocklist_212ca239866f88c3d5b000b3004a569c {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "XECURE LAB CO., LTD." and
pe.signatures[i].serial == "21:2c:a2:39:86:6f:88:c3:d5:b0:00:b3:00:4a:56:9c" and
// Unix-seconds lower bound on the certificate expiry (not_after); signing time is not checked.
1347840000 <= pe.signatures[i].not_after
)
}
// Matches an MZ-headed file with a signature whose subject contains "Yu Bao" and whose serial
// equals the listed value. The issuer is not compared.
rule cert_blocklist_18b700a319aa98ae71b279d4e8030b82 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
// NOTE(review): (a..b) is inclusive, so i also takes pe.number_of_signatures, one past the last entry; confirm that index evaluates as undefined.
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Yu Bao" and
pe.signatures[i].serial == "18:b7:00:a3:19:aa:98:ae:71:b2:79:d4:e8:03:0b:82" and
// Unix-seconds lower bound on the certificate expiry (not_after); signing time is not checked.
1479686400 <= pe.signatures[i].not_after
)
}
// Matches an MZ-headed file with a signature whose subject contains
// "BIG JOURNEY TECHNOLOGY LIMITED" and whose 12-byte serial equals the listed value.
// The issuer is not compared.
rule cert_blocklist_169138a86954be1d9b264f47 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "BIG JOURNEY TECHNOLOGY LIMITED" and
pe.signatures[i].serial == "16:91:38:a8:69:54:be:1d:9b:26:4f:47" and
// Unix-seconds lower bound on the certificate expiry (not_after); signing time is not checked.
1477636474 <= pe.signatures[i].not_after
)
}
// Matches an MZ-headed file with a signature whose subject contains
// "Beijing Caiyunshidai Technology Co., Ltd." and whose serial equals the listed value.
// The issuer field is not part of the condition.
rule cert_blocklist_33412168eeb3c0e4c7dd0508a9ffecd5 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Beijing Caiyunshidai Technology Co., Ltd." and
pe.signatures[i].serial == "33:41:21:68:ee:b3:c0:e4:c7:dd:05:08:a9:ff:ec:d5" and
// Unix-seconds lower bound on the certificate expiry (not_after); signing time is not checked.
1467590400 <= pe.signatures[i].not_after
)
}
// Flags an MZ-prefixed file carrying a signature whose subject contains
// "Xin Zhou" and whose serial equals the value below.
// Other rules in this file use the same subject string with different
// serials; the serial comparison is what tells the certificates apart.
rule cert_blocklist_422ab71ac7fb125ad7171b0c99510b0e {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Xin Zhou" and
pe.signatures[i].serial == "42:2a:b7:1a:c7:fb:12:5a:d7:17:1b:0c:99:51:0b:0e" and
// 1475193600 = 2016-09-30 00:00:00 UTC, compared against not_after.
1475193600 <= pe.signatures[i].not_after
)
}
// Flags an MZ-prefixed file carrying a signature whose subject contains
// "VECTOR LLC (VEKTOR, OOO)" and whose serial equals the value below.
// YARA does not verify the signature, so a file with this certificate
// attached but failing integrity validation would still match.
rule cert_blocklist_6f18946e5b773b7e32d9e7b4fb8d434c {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "VECTOR LLC (VEKTOR, OOO)" and
pe.signatures[i].serial == "6f:18:94:6e:5b:77:3b:7e:32:d9:e7:b4:fb:8d:43:4c" and
// 1454716800 = 2016-02-06 00:00:00 UTC; the certificate's not_after must be
// at or after this instant.
1454716800 <= pe.signatures[i].not_after
)
}
// Flags an MZ-prefixed file carrying a signature whose subject contains
// "Open Source Developer, Song WU" and whose serial equals the value below.
// The match is on certificate fields only; no chain or integrity validation
// is performed by YARA.
rule cert_blocklist_3596dfc23b9a42c66700982250da2906 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Open Source Developer, Song WU" and
pe.signatures[i].serial == "35:96:df:c2:3b:9a:42:c6:67:00:98:22:50:da:29:06" and
// 1397219344 = 2014-04-11 12:29:04 UTC, compared against not_after.
1397219344 <= pe.signatures[i].not_after
)
}
// Flags an MZ-prefixed file carrying a signature whose subject contains
// "Xin Zhou" and whose serial equals the value below.
// The subject is a short substring shared with other rules in this file; the
// serial is the distinguishing field, and the issuer is not checked.
rule cert_blocklist_486bbddc8c5ee99f051ecaeb3f99d2a3 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Xin Zhou" and
pe.signatures[i].serial == "48:6b:bd:dc:8c:5e:e9:9f:05:1e:ca:eb:3f:99:d2:a3" and
// 1473292800 = 2016-09-08 00:00:00 UTC; satisfied when not_after is at or
// after this instant.
1473292800 <= pe.signatures[i].not_after
)
}
// Flags an MZ-prefixed file carrying a signature whose subject contains
// "LLC HERMES" and whose 18-byte serial equals the value below.
// A hit means the certificate is attached to the file; whether the signature
// actually verifies has to be checked outside YARA.
rule cert_blocklist_11211eea9d0d1d1a325b5eae1b2b1951120f {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "LLC HERMES" and
pe.signatures[i].serial == "11:21:1e:ea:9d:0d:1d:1a:32:5b:5e:ae:1b:2b:19:51:12:0f" and
// 1460147212 = 2016-04-08 20:26:52 UTC, compared against not_after.
1460147212 <= pe.signatures[i].not_after
)
}
// Flags an MZ-prefixed file carrying a signature whose subject contains
// "Xin Zhou" and whose serial equals the value below.
// Several rules in this file share this subject string; only the serial and
// the timestamp differ between them.
rule cert_blocklist_172fea8cb06ffced6bfac7f2f6b77754 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Xin Zhou" and
pe.signatures[i].serial == "17:2f:ea:8c:b0:6f:fc:ed:6b:fa:c7:f2:f6:b7:77:54" and
// 1467936000 = 2016-07-08 00:00:00 UTC; the certificate's not_after must be
// at or after this instant.
1467936000 <= pe.signatures[i].not_after
)
}
// Flags an MZ-prefixed file carrying a signature whose subject contains
// "ABDULKADIR SAHIN" and whose serial equals the value below.
// YARA does not validate the certificate chain, so self-issued certificates
// that copy these fields would also match.
rule cert_blocklist_3ee50bb98fadca2d662a0920e76685a2 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "ABDULKADIR SAHIN" and
pe.signatures[i].serial == "3e:e5:0b:b9:8f:ad:ca:2d:66:2a:09:20:e7:66:85:a2" and
// 1330041600 = 2012-02-24 00:00:00 UTC, compared against not_after.
1330041600 <= pe.signatures[i].not_after
)
}
// Flags an MZ-prefixed file carrying a signature whose subject contains the
// escaped byte sequence below and whose serial equals the value below.
// A match identifies the certificate only; YARA performs no chain or
// integrity validation.
rule cert_blocklist_21bfddb6a66435d1adce2ceb23ed7c9a {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
// The doubled backslashes make this a comparison against the literal text
// "\xE6\x9D\xA8...", not against raw bytes. Presumably the pe module renders
// non-ASCII subject bytes in that escaped form - confirm on the YARA version
// in use. The hex values are the UTF-8 encoding of a three-character CJK
// name.
pe.signatures[i].subject contains "\\xE6\\x9D\\xA8\\xE6\\xB7\\x87\\xE6\\x99\\xBA" and
pe.signatures[i].serial == "21:bf:dd:b6:a6:64:35:d1:ad:ce:2c:eb:23:ed:7c:9a" and
// 1395297334 = 2014-03-20 06:35:34 UTC, compared against not_after.
1395297334 <= pe.signatures[i].not_after
)
}
// Flags an MZ-prefixed file carrying a signature whose subject contains
// "Jin Yuguang" and whose serial equals the value below.
// The issuer is not part of the condition; subject substring plus exact
// serial are the only certificate fields compared.
rule cert_blocklist_5b1c3f7bbaa91ca49b06a5c1004ee5be {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Jin Yuguang" and
pe.signatures[i].serial == "5b:1c:3f:7b:ba:a9:1c:a4:9b:06:a5:c1:00:4e:e5:be" and
// 1440643213 = 2015-08-27 02:40:13 UTC; satisfied when not_after is at or
// after this instant.
1440643213 <= pe.signatures[i].not_after
)
}
// Flags an MZ-prefixed file carrying a signature whose subject contains
// "RocketMedia S.r.l." and whose serial equals the 3-byte value below.
// NOTE(review): a serial this short is unique only within one issuing CA and
// the rule does not constrain pe.signatures[i].issuer, so the subject
// substring carries most of the specificity. Expect to confirm hits manually.
rule cert_blocklist_0a2089 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "RocketMedia S.r.l." and
pe.signatures[i].serial == "0a:20:89" and
// 1050073884 = 2003-04-11 15:11:24 UTC, compared against not_after.
1050073884 <= pe.signatures[i].not_after
)
}
// Flags an MZ-prefixed file carrying a signature whose subject contains
// "VANKY TECHNOLOGY LIMITED" and whose 12-byte serial equals the value below.
// YARA does not check that the signature verifies, so pair a hit with a full
// Authenticode validation before drawing conclusions.
rule cert_blocklist_1f84e030a0ed10d5ffe2b81b {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "VANKY TECHNOLOGY LIMITED" and
pe.signatures[i].serial == "1f:84:e0:30:a0:ed:10:d5:ff:e2:b8:1b" and
// 1476869735 = 2016-10-19 09:35:35 UTC, compared against not_after.
1476869735 <= pe.signatures[i].not_after
)
}
// Flags an MZ-prefixed file carrying a signature whose subject contains
// "Hudson LLC" and whose serial equals either of the two spellings below.
// A hit identifies the certificate only; YARA does not validate the chain or
// the file's integrity.
rule cert_blocklist_88346267057c0a82e2f39851d1b9694c {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Hudson LLC" and (
// The serial's first byte (0x88) has its high bit set, so its DER INTEGER
// encoding carries a leading 00 byte. Both spellings are accepted,
// presumably because YARA builds differ in whether they print that byte.
pe.signatures[i].serial == "00:88:34:62:67:05:7c:0a:82:e2:f3:98:51:d1:b9:69:4c" or
pe.signatures[i].serial == "88:34:62:67:05:7c:0a:82:e2:f3:98:51:d1:b9:69:4c"
) and
// 1595376000 = 2020-07-22 00:00:00 UTC, compared against not_after.
1595376000 <= pe.signatures[i].not_after
)
}
// Flags an MZ-prefixed file carrying a signature whose subject contains
// "Mapping OOO" and whose serial equals either of the two spellings below.
// The match is on certificate fields only; signature validity must be
// established with another tool.
rule cert_blocklist_a46f9d8784778baa48167c48bbc56f30 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Mapping OOO" and (
// First serial byte 0xa4 has the high bit set, so the DER encoding is
// prefixed with 00. The rule accepts the serial with and without that byte,
// presumably to cover differences in how YARA versions render it.
pe.signatures[i].serial == "00:a4:6f:9d:87:84:77:8b:aa:48:16:7c:48:bb:c5:6f:30" or
pe.signatures[i].serial == "a4:6f:9d:87:84:77:8b:aa:48:16:7c:48:bb:c5:6f:30"
) and
// 1618963200 = 2021-04-21 00:00:00 UTC; satisfied when not_after is at or
// after this instant.
1618963200 <= pe.signatures[i].not_after
)
}
// Flags an MZ-prefixed file carrying a signature whose subject contains
// "Buster Ind Com Imp e Exp de Acessorios P Autos Ltda" and whose serial
// equals the value below.
// YARA does not verify the signature; a file with extra data appended after
// the certificate or a checksum mismatch would still match.
rule cert_blocklist_525b5529db20d17a85be284d6b7952ea {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Buster Ind Com Imp e Exp de Acessorios P Autos Ltda" and
pe.signatures[i].serial == "52:5b:55:29:db:20:d1:7a:85:be:28:4d:6b:79:52:ea" and
// 1508198400 = 2017-10-17 00:00:00 UTC, compared against not_after.
1508198400 <= pe.signatures[i].not_after
)
}
// Flags an MZ-prefixed file carrying a signature whose subject contains
// "Yu Bao" and whose serial equals the value below.
// Another rule in this file uses the same subject string with a different
// serial; the serial is what separates the two certificates.
rule cert_blocklist_70ae0e517d2ef6d5eed06b56730a1a9a {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Yu Bao" and
pe.signatures[i].serial == "70:ae:0e:51:7d:2e:f6:d5:ee:d0:6b:56:73:0a:1a:9a" and
// 1475193600 = 2016-09-30 00:00:00 UTC; the certificate's not_after must be
// at or after this instant.
1475193600 <= pe.signatures[i].not_after
)
}
// Flags an MZ-prefixed file carrying a signature whose subject contains
// "Citizen Travel Ltd" and whose serial equals the value below.
// category is "INFO": a hit says the certificate is present, and needs a
// separate validity check because YARA does no chain validation.
rule cert_blocklist_57c3717c5e2ce9a2e0cf0340c03f458e {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "Citizen Travel Ltd" and
pe.signatures[i].serial == "57:c3:71:7c:5e:2c:e9:a2:e0:cf:03:40:c0:3f:45:8e" and
// 1450915200 = 2015-12-24 00:00:00 UTC, compared against not_after.
1450915200 <= pe.signatures[i].not_after
)
}
// Flags an MZ-prefixed file carrying a signature whose subject contains
// "ENP Games Co., Ltd." and whose serial equals the value below.
// The issuer is not checked and the signature is not verified; use the match
// as a pointer for further validation.
rule cert_blocklist_0761110efe0b688c469d687512828c1f {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
pe.signatures[i].subject contains "ENP Games Co., Ltd." and
pe.signatures[i].serial == "07:61:11:0e:fe:0b:68:8c:46:9d:68:75:12:82:8c:1f" and
// 1433721600 = 2015-06-08 00:00:00 UTC; satisfied when not_after is at or
// after this instant.
1433721600 <= pe.signatures[i].not_after
)
}
// Flags an MZ-prefixed file carrying a signature whose subject contains the
// escaped byte sequence below and whose serial equals the value below.
// A match identifies the certificate only; YARA performs no chain or
// integrity validation.
rule cert_blocklist_08aa03f385f870e3a6d243b74b1dadf6 {
meta:
author = "ReversingLabs"
source = "ReversingLabs"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "INFO"
description = "Certificate used for digitally signing malware."
condition:
uint16(0) == 0x5A4D and
for any i in (0..pe.number_of_signatures): (
// The doubled backslashes mean the comparison is against the literal text
// "\xE4\xB8\x9C...", not raw bytes. Presumably the pe module renders
// non-ASCII subject bytes in that escaped form - confirm on the YARA version
// in use. The hex values are the UTF-8 encoding of a 14-character CJK
// organisation name.
pe.signatures[i].subject contains "\\xE4\\xB8\\x9C\\xE8\\x8E\\x9E\\xE5\\xB8\\x82\\xE8\\x85\\xBE\\xE4\\xBA\\x91\\xE8\\xAE\\xA1\\xE7\\xAE\\x97\\xE6\\x9C\\xBA\\xE7\\xA7\\x91\\xE6\\x8A\\x80\\xE6\\x9C\\x89\\xE9\\x99\\x90\\xE5\\x85\\xAC\\xE5\\x8F\\xB8" and
pe.signatures[i].serial == "08:aa:03:f3:85:f8:70:e3:a6:d2:43:b7:4b:1d:ad:f6" and
// 1352678400 = 2012-11-12 00:00:00 UTC, compared against not_after.
1352678400 <= pe.signatures[i].not_after
)
}