Sneed-Reactivity/yara-mikesxrs/srozb/kronos.yar

108 lines
5.4 KiB
Text
Raw Normal View History

/*
Yara Rule Set
Author: YarGen Rule Generator
Date: 2016-11-14
Identifier:
*/
/* Rule Set ----------------------------------------------------------------- */
rule sig_0056246214368c7c7d6181727fdab487 {
meta:
description = "Auto-generated rule - file 0056246214368c7c7d6181727fdab487"
author = "YarGen Rule Generator"
reference = "not set"
date = "2016-11-14"
hash1 = "4322880fee6fbc5d54583027e34cb99713147d87b4ff27c1d0e5bcd71c078156"
strings:
$s1 = "Resonated.exe" fullword wide /* score: '22.00' */
$s2 = "tAHpvfWFh" fullword ascii /* base64 encoded string 'zo}aa' */ /* score: '14.00' */
$s3 = "3-V:\\`" fullword ascii /* score: '11.00' */
$s4 = "wxANdsvRQVY.Properties.Resources.resources" fullword ascii /* score: '11.00' */
$s5 = "get_lotqcrsyhUXr" fullword ascii /* score: '10.01' */
$s6 = "wxANdsvRQVY.Properties.Resources" fullword wide /* score: '10.00' */
$s7 = "ListViewVirtualItemsSelectionRangeChangedEventHandler" fullword ascii /* score: '9.00' */
$s8 = "DebuggerTypeProxyAttribute" fullword ascii /* score: '9.00' */
$s9 = "ListViewVirtualItemsSelectionRangeChangedEventArgs" fullword ascii /* score: '9.00' */
$s10 = "iRcKifmjuub" fullword ascii /* score: '9.00' */
$s11 = "MRkget" fullword ascii /* score: '8.00' */
$s12 = "8.9.6.3" fullword wide /* score: '8.00' */
$s13 = "4.1.2.9" fullword wide /* score: '8.00' */
$s14 = "wxANdsvRQVY.Resources" fullword ascii /* score: '8.00' */
$s15 = "wxANdsvRQVY.Properties" fullword ascii /* score: '8.00' */
$s16 = "nvxugd" fullword ascii /* score: '7.00' */
$s17 = "fedapl" fullword ascii /* score: '7.00' */
$s18 = "tKKORunuy" fullword ascii /* score: '7.00' */
$s19 = "nhukomi" fullword ascii /* score: '7.00' */
$s20 = "xuwvhp" fullword ascii /* score: '7.00' */
condition:
( uint16(0) == 0x5a4d and filesize < 700KB and ( 10 of ($s*) ) ) or ( all of them )
}
rule b02ecc516834373f753b4a56428780f1 {
meta:
description = "Auto-generated rule - file b02ecc516834373f753b4a56428780f1"
author = "YarGen Rule Generator"
reference = "not set"
date = "2016-11-14"
hash1 = "c3b3fcc4d911d24473bf0a1b42e93de250b4ecf1b74632158a54c68013403613"
strings:
$s1 = "ProcessHostFactoryHelper" fullword ascii /* score: '22.00' */
$s2 = "Astray.exe" fullword wide /* score: '22.00' */
$s3 = "System.Web.Profile" fullword ascii /* score: '14.00' */
$s4 = "X509KeyUsageExtension" fullword ascii /* score: '13.00' */
$s5 = "DrawListViewColumnHeaderEventArgs" fullword ascii /* score: '12.00' */
$s6 = "Ascriptions Cheapest Inc Colleague Economised" fullword wide /* score: '11.00' */
$s7 = "-Ascriptions Cheapest Inc Colleague Economised" fullword ascii /* score: '11.00' */
$s8 = "jPuZOXwFDv.Properties.Resources.resources" fullword ascii /* score: '11.00' */
$s9 = "System.IO.Ports" fullword ascii /* score: '10.00' */
$s10 = "ShowSaveAsDialog" fullword ascii /* score: '10.00' */
$s11 = "HostingEnvironment" fullword ascii /* score: '10.00' */
$s12 = "DataGridViewComboBoxEditingControl" fullword ascii /* score: '10.00' */
$s13 = "get_jOMloqc" fullword ascii /* score: '9.01' */
$s14 = "jPuZOXwFDv.Properties.Resources" fullword wide /* score: '9.00' */
$s15 = "8.7.9.5" fullword wide /* score: '8.00' */
$s16 = "IPAddressCollection" fullword ascii /* score: '8.00' */
$s17 = "tgmFGETJ" fullword ascii /* score: '8.00' */
$s18 = "6.1.4.2" fullword wide /* score: '8.00' */
$s19 = "Competitive Containable" fullword wide /* score: '8.00' */
$s20 = "jPuZOXwFDv.Properties" fullword ascii /* score: '8.00' */
condition:
( uint16(0) == 0x5a4d and filesize < 800KB and ( 10 of ($s*) ) ) or ( all of them )
}
rule sig_2edb9e91d43f669148c004e0faed8c3a {
meta:
description = "Auto-generated rule - file 2edb9e91d43f669148c004e0faed8c3a"
author = "YarGen Rule Generator"
reference = "not set"
date = "2016-11-14"
hash1 = "0e15715b82f4d59a376c9e5e5842d43fae01fdf4408e3453a4b1771bb80c9159"
strings:
$s1 = "Toe.exe" fullword wide /* score: '21.00' */
$s2 = "System.Web.UI.WebControls.WebParts" fullword ascii /* score: '16.00' */
$s3 = "Selenology Protactinium Slapper" fullword wide /* score: '11.00' */
$s4 = "x:\\kEZ" fullword ascii /* score: '11.00' */
$s5 = "uJGRaoEzf.Properties.Resources.resources" fullword ascii /* score: '11.00' */
$s6 = "get_IcfXzSYMdZCj" fullword ascii /* score: '10.01' */
$s7 = "uJGRaoEzf.Properties.Resources" fullword wide /* score: '9.00' */
$s8 = "iFhosTkhl" fullword ascii /* score: '9.00' */
$s9 = "AsyncCompletedEventHandler" fullword ascii /* score: '9.00' */
$s10 = "Tonsillitis Prevalence Inc Sextants Recliner" fullword wide /* score: '8.00' */
$s11 = ",Tonsillitis Prevalence Inc Sextants Recliner" fullword ascii /* score: '8.00' */
$s12 = "uJGRaoEzf.Properties" fullword ascii /* score: '8.00' */
$s13 = "1.6.6.4" fullword wide /* score: '8.00' */
$s14 = "Selenology Protactinium Slapper" fullword ascii /* score: '8.00' */
$s15 = "5.1.8.9" fullword wide /* score: '8.00' */
$s16 = "uJGRaoEzf.Resources" fullword ascii /* score: '8.00' */
$s17 = "lfzotn" fullword ascii /* score: '7.00' */
$s18 = "MemoryFailPoint" fullword ascii /* score: '7.00' */
$s19 = "EncoderFallbackException" fullword ascii /* score: '6.00' */
$s20 = "HasCopySemanticsAttribute" fullword ascii /* score: '6.00' */
condition:
( uint16(0) == 0x5a4d and filesize < 700KB and ( 10 of ($s*) ) ) or ( all of them )
}
/* Super Rules ------------------------------------------------------------- */