Sneed-Reactivity/yara-Neo23x0/hktl_natbypass.yar


rule HKTL_NATBypass_Dec22_1 : T1090 {
   meta:
      description = "Detects NatBypass tool (also used by APT41)"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://github.com/cw1997/NATBypass"
      date = "2022-12-27"
      score = 80
      hash1 = "4550635143c9997d5499d1d4a4c860126ee9299311fed0f85df9bb304dca81ff"
      id = "54af4d84-72f7-5ec4-b0bf-7ba228fdf508"
   strings:
      $x1 = "nb -slave 127.0.0.1:3389 8.8.8.8:1997" ascii
      $x2 = "| Welcome to use NATBypass Ver" ascii

      $s1 = "main.port2host.func1" ascii fullword
      $s2 = "start to transmit address:" ascii
      $s3 = "^(\\d{1,2}|1\\d\\d|2[0-4]\\d|25[0-5])\\.(\\d{1,2}|1\\d\\d|2[0-4]\\d|25[0-5])\\.(\\d{1,2}|1\\d\\d|2[0-4]\\d|25[0-5])\\.(\\d{1,2}|1\\d\\d|2[0-4]\\d|25[0-5])"
   condition:
      filesize < 8000KB 
      and (
         1 of ($x*)
         or 2 of them
      ) or 3 of them
}
OMG ISTG PLS WORK RED PILL :red_circle: :pill: 2024-07-25 12:43:35 -05:00
			`rule HKTL_NATBypass_Dec22_1 : T1090 {`
			`meta:`
			`description = "Detects NatBypass tool (also used by APT41)"`
			`author = "Florian Roth (Nextron Systems)"`
			`reference = "https://github.com/cw1997/NATBypass"`
			`date = "2022-12-27"`
			`score = 80`
			`hash1 = "4550635143c9997d5499d1d4a4c860126ee9299311fed0f85df9bb304dca81ff"`
			`id = "54af4d84-72f7-5ec4-b0bf-7ba228fdf508"`
			`strings:`
			`$x1 = "nb -slave 127.0.0.1:3389 8.8.8.8:1997" ascii`
			`$x2 = "\| Welcome to use NATBypass Ver" ascii`

			`$s1 = "main.port2host.func1" ascii fullword`
			`$s2 = "start to transmit address:" ascii`
			`$s3 = "^(\\d{1,2}\|1\\d\\d\|2[0-4]\\d\|25[0-5])\\.(\\d{1,2}\|1\\d\\d\|2[0-4]\\d\|25[0-5])\\.(\\d{1,2}\|1\\d\\d\|2[0-4]\\d\|25[0-5])\\.(\\d{1,2}\|1\\d\\d\|2[0-4]\\d\|25[0-5])"`
			`condition:`
			`filesize < 8000KB`
			`and (`
			`1 of ($x*)`
			`or 2 of them`
			`) or 3 of them`
			`}`