Sneed-Reactivity/yara-mikesxrs/Vinsula/Vinsula_index.yara

rule Vinsula_Sayad_Binder : infostealer
{
	meta: 
		copyright = "Vinsula, Inc" 
		description = "Sayad Infostealer Binder" 
		version = "1.0" 
		actor = "Sayad Binder" 
		in_the_wild = true 
		reference = "http://vinsula.com/2014/07/20/sayad-flying-kitten-infostealer-malware/"

    strings: 
		$pdbstr = "\\Projects\\C#\\Sayad\\Source\\Binder\\obj\\Debug\\Binder.pdb" 
		$delphinativestr = "DelphiNative.dll" nocase
		$sqlite3str = "sqlite3.dll" nocase
		$winexecstr = "WinExec" 
		$sayadconfig = "base.dll" wide

     condition:
        all of them
}

rule Vinsula_Sayad_Client : infostealer
{
	meta: 
		copyright = "Vinsula, Inc" 
		description = "Sayad Infostealer Client" 
		version = "1.0" 
		actor = "Sayad Client" 
		in_the_wild = true 
		reference = "http://vinsula.com/2014/07/20/sayad-flying-kitten-infostealer-malware/"

    strings: 
		$pdbstr = "\\Projects\\C#\\Sayad\\Source\\Client\\bin\\x86\\Debug\\Client.pdb" 
		$sayadconfig = "base.dll" wide
		$sqlite3str = "sqlite3.dll" nocase
		$debugstr01 = "Config loaded" wide
		$debugstr02 = "Config parsed" wide
		$debugstr03 = "storage uploader" wide
		$debugstr04 = "updater" wide
		$debugstr05 = "keylogger" wide
		$debugstr06 = "Screenshot" wide
		$debugstr07 = "sqlite found & start collectiong data" wide
		$debugstr08 = "Machine info collected" wide
		$debugstr09 = "browser ok" wide
		$debugstr10 = "messenger ok" wide
		$debugstr11 = "vpn ok" wide
		$debugstr12 = "ftp client ok" wide
		$debugstr13 = "ftp server ok" wide
		$debugstr14 = "rdp ok" wide
		$debugstr15 = "kerio ok" wide
		$debugstr16 = "skype ok" wide
		$debugstr17 = "serialize data ok" wide
		$debugstr18 = "Keylogged" wide

     condition:
        all of them
}
OMG ISTG PLS WORK RED PILL :red_circle: :pill: 2024-07-25 12:43:35 -05:00			`rule Vinsula_Sayad_Binder : infostealer`
			`{`
			`meta:`
			`copyright = "Vinsula, Inc"`
			`description = "Sayad Infostealer Binder"`
			`version = "1.0"`
			`actor = "Sayad Binder"`
			`in_the_wild = true`
			`reference = "http://vinsula.com/2014/07/20/sayad-flying-kitten-infostealer-malware/"`

			`strings:`
			`$pdbstr = "\\Projects\\C#\\Sayad\\Source\\Binder\\obj\\Debug\\Binder.pdb"`
			`$delphinativestr = "DelphiNative.dll" nocase`
			`$sqlite3str = "sqlite3.dll" nocase`
			`$winexecstr = "WinExec"`
			`$sayadconfig = "base.dll" wide`

			`condition:`
			`all of them`
			`}`

			`rule Vinsula_Sayad_Client : infostealer`
			`{`
			`meta:`
			`copyright = "Vinsula, Inc"`
			`description = "Sayad Infostealer Client"`
			`version = "1.0"`
			`actor = "Sayad Client"`
			`in_the_wild = true`
			`reference = "http://vinsula.com/2014/07/20/sayad-flying-kitten-infostealer-malware/"`

			`strings:`
			`$pdbstr = "\\Projects\\C#\\Sayad\\Source\\Client\\bin\\x86\\Debug\\Client.pdb"`
			`$sayadconfig = "base.dll" wide`
			`$sqlite3str = "sqlite3.dll" nocase`
			`$debugstr01 = "Config loaded" wide`
			`$debugstr02 = "Config parsed" wide`
			`$debugstr03 = "storage uploader" wide`
			`$debugstr04 = "updater" wide`
			`$debugstr05 = "keylogger" wide`
			`$debugstr06 = "Screenshot" wide`
			`$debugstr07 = "sqlite found & start collectiong data" wide`
			`$debugstr08 = "Machine info collected" wide`
			`$debugstr09 = "browser ok" wide`
			`$debugstr10 = "messenger ok" wide`
			`$debugstr11 = "vpn ok" wide`
			`$debugstr12 = "ftp client ok" wide`
			`$debugstr13 = "ftp server ok" wide`
			`$debugstr14 = "rdp ok" wide`
			`$debugstr15 = "kerio ok" wide`
			`$debugstr16 = "skype ok" wide`
			`$debugstr17 = "serialize data ok" wide`
			`$debugstr18 = "Keylogged" wide`

			`condition:`
			`all of them`
			`}`