From 2c6af7acb105f02ef70c13042b41744d2779b953 Mon Sep 17 00:00:00 2001 
From: Sam Sneed <163201376+sam-sneed@users.noreply.github.com> Date: Thu, 25 Jul 2024 13:12:20 -0500 Subject: [PATCH] more fixing, re-add thread count --- main.py | 14 +- yara-Neo23x0/configured_vulns_ext_vars.yar | 241 - ...tscaler_adc_exploitation_cve_2023_3519.yar | 102 - ...l_connectwise_screenconnect_vuln_feb24.yar | 328 - yara-Neo23x0/gen_fake_amsi_dll.yar | 68 - yara-Neo23x0/gen_mal_3cx_compromise_mar23.yar | 428 - .../gen_vcruntime140_dll_sideloading.yar | 30 - yara-Neo23x0/gen_webshells_ext_vars.yar | 103 - yara-Neo23x0/general_cloaking.yar | 153 - yara-Neo23x0/generic_anomalies.yar | 518 - yara-Neo23x0/thor_inverse_matches.yar | 581 - ...yara-rules_vuln_drivers_strict_renamed.yar | 6831 --- yara-Neo23x0/yara_mixed_ext_vars.yar | 556 - .../Lazarus_wipe_file_routine.yar | 28 - .../Anomali Labs/PyInstaller_Binary.yar | 16 - .../archives_w_chinapic.yar | 18 - .../Brian Carter -carterb/demuzacert.yar | 20 - .../injector_panel_sqlite.yar | 21 - .../Brian Carter -carterb/mal_pdf.yar | 19 - .../Brian Carter -carterb/panelzips.yar | 128 - .../Brian Carter -carterb/pony_config.yar | 21 - .../tables_inject_panel.yar | 21 - .../vt_pony_post2gate.yar | 14 - yara-mikesxrs/CISA/CADDYWIPER.yar | 27 - .../CISA/HAFIUM_webshell_CVE_2021_27065.yar | 23 - ...IUM_CVE_2021_27065_Exchange_OAB_VD_MOD.yar | 21 - yara-mikesxrs/CISA/HERMETICWIZARD.yar | 34 - yara-mikesxrs/CISA/HERMETICWIZARD_WORM.yar | 24 - .../CISA/HERMETICWIZARD_WORM_CODE.yar | 21 - yara-mikesxrs/CISA/ISAACWIPER.yar | 29 - yara-mikesxrs/CISA/ISAACWIPER_BYTES.yar | 30 - yara-mikesxrs/Checkpoint/ElMachete_doc.yar | 14 - yara-mikesxrs/Checkpoint/ElMachete_msi.yar | 17 - yara-mikesxrs/Checkpoint/Gozi_JJ_struct.yar | 11 - .../Checkpoint/Russia_Detector_rules.yar | 7777 ---- .../Checkpoint/TeamViwer_backdoor.yar | 16 - .../Checkpoint/ZZ_breakwin_config.yar | 14 - .../ZZ_breakwin_meteor_batch_files.yar | 23 - .../Checkpoint/ZZ_breakwin_stardust_vbs.yar | 20 - .../Checkpoint/ZZ_breakwin_wiper.yar | 120 - 
.../apt3_bemstour_implant_byte_patch.yar | 39 - ...emstour_implant_command_stack_variable.yar | 169 - .../Checkpoint/apt3_bemstour_strings.yar | 68 - .../apt_CN_TwistedPanda_64bit_Loader.yar | 34 - .../apt_CN_TwistedPanda_SPINNER_1.yar | 33 - .../apt_CN_TwistedPanda_SPINNER_2.yar | 35 - .../apt_CN_TwistedPanda_droppers.yar | 36 - .../Checkpoint/apt_CN_TwistedPanda_loader.yar | 42 - .../apt_WebAssistant_TcahfUpdate.yar | 17 - .../Checkpoint/apt_nazar_component_guids.yar | 32 - .../Checkpoint/apt_nazar_svchost_commands.yar | 19 - .../Checkpoint/checkpoint_index.yara | 206 - yara-mikesxrs/Checkpoint/explosive_dll.yar | 15 - yara-mikesxrs/Checkpoint/explosive_exe.yar | 15 - yara-mikesxrs/Checkpoint/goziv3_trojan.yar | 11 - .../Checkpoint/injector_ZZ_dotRunpeX.yar | 58 - .../injector_ZZ_dotRunpeX_oldnew.yar | 45 - .../Checkpoint/lyceum_dotnet_dns_backdoor.yar | 29 - .../lyceum_dotnet_http_backdoor.yar | 52 - .../Checkpoint/lyceum_golang_backdoor.yar | 37 - .../Checkpoint/malware_bumblebee_packed.yar | 31 - .../Checkpoint/nazar_component_guids.yar | 32 - yara-mikesxrs/Checkpoint/qbot_vbs.yar | 16 - .../Checkpoint/ransomware_ZZ_azov_wiper.yar | 18 - yara-mikesxrs/CyberDefenses/installmonstr.yar | 22 - yara-mikesxrs/CyberDefenses/u34.yar | 15 - .../CyberDefenses/wirenet_dropper.yar | 16 - yara-mikesxrs/Fidelis/AlienSpy.yar | 34 - yara-mikesxrs/Fidelis/DarkComet.yar | 18 - yara-mikesxrs/Fidelis/DarkCometDownloader.yar | 12 - yara-mikesxrs/Fidelis/Scanbox.yar | 44 - .../Fidelis/Ursnif_report_variant_memory.yar | 20 - yara-mikesxrs/Fidelis/XenonCrypter.yar | 12 - ...ix_elf_Derusbi_Linux_SharedMemCreation.yar | 13 - .../apt_nix_elf_Derusbi_Linux_Strings.yar | 28 - yara-mikesxrs/Fidelis/apt_nix_elf_derusbi.yar | 48 - .../apt_nix_elf_derusbi_kernelModule.yar | 30 - ...apt_win32_dll_bergard_pgv_pvid_variant.yar | 40 - .../Fidelis/apt_win32_dll_rat_hiZorRAT.yar | 30 - .../Fidelis/apt_win_exe_trojan_derusbi.yar | 61 - .../Fidelis/crime_win32_exe_rat_netwire.yar | 51 - 
.../Fidelis/crime_win_PWS_Fareit.yar | 28 - .../Fidelis/network_traffic_njRAT.yar | 47 - yara-mikesxrs/Fidelis/win_exe_njRAT.yar | 45 - yara-mikesxrs/Fidelis/win_vbs_rat_hworm.yara | 128 - .../Fireeye/APT19_LEGALSTRIKE_DOCUMENT.yara | 113 - .../Fireeye/APT32_ActiveMime_Lure.yar | 18 - .../Fireeye/APT_DeputyDog_Strings.yar | 20 - yara-mikesxrs/Fireeye/BadRabbit.yar | 120 - yara-mikesxrs/Fireeye/FE_APT_9002_rat.yar | 19 - yara-mikesxrs/Fireeye/FE_petya_ransomware,yar | 75 - .../Fireeye_red_team_tool_countermeasures.yar | 2947 -- yara-mikesxrs/Fireeye/Fireye_index.yara | 141 - yara-mikesxrs/Fireeye/MACROCHECK.YAR | 20 - yara-mikesxrs/Fireeye/Molerats_certs.yar | 25 - yara-mikesxrs/Fireeye/TRITON_Framework.yar | 63 - .../Fireeye/callTogether_certificate.yar | 26 - yara-mikesxrs/Fireeye/hastati.yar | 25 - yara-mikesxrs/Fireeye/qti_certificate.yar | 25 - .../Florian Roth/Florian_Roth_index.yara | 34866 ---------------- yara-mikesxrs/Florian Roth/Havex_Trojan.yar | 24 - .../Florian Roth/Havex_Trojan_PHP_Server.yar | 14 - .../Florian Roth/POSCardStealer_SpyBot.yar | 23 - .../Florian Roth/apt_alienspy_rat.yar | 49 - .../Florian Roth/apt_apt17_malware.yar | 34 - yara-mikesxrs/Florian Roth/apt_apt28.yar | 94 - .../Florian Roth/apt_apt30_backspace.yar | 1142 - .../Florian Roth/apt_apt6_malware.yar | 53 - .../Florian Roth/apt_backdoor_ssh_python.yar | 18 - yara-mikesxrs/Florian Roth/apt_backspace.yar | 18 - .../Florian Roth/apt_beepservice.yar | 29 - .../Florian Roth/apt_between-hk-and-burma.yar | 215 - .../Florian Roth/apt_blackenergy.yar | 171 - .../apt_blackenergy_installer.yar | 15 - .../Florian Roth/apt_bluetermite_emdivi.yar | 136 - yara-mikesxrs/Florian Roth/apt_buckeye.yar | 68 - yara-mikesxrs/Florian Roth/apt_casper.yar | 97 - .../Florian Roth/apt_cheshirecat.yar | 102 - yara-mikesxrs/Florian Roth/apt_cloudduke.yar | 77 - yara-mikesxrs/Florian Roth/apt_codoso.yar | 335 - .../Florian Roth/apt_coreimpact_agent.yar | 44 - .../Florian Roth/apt_cve2015_5119.yar | 19 - 
.../Florian Roth/apt_danti_svcmondr.yar | 70 - yara-mikesxrs/Florian Roth/apt_deeppanda.yar | 92 - yara-mikesxrs/Florian Roth/apt_derusbi.yar | 115 - yara-mikesxrs/Florian Roth/apt_dubnium.yar | 138 - yara-mikesxrs/Florian Roth/apt_duqu2.yar | 94 - yara-mikesxrs/Florian Roth/apt_emissary.yar | 41 - yara-mikesxrs/Florian Roth/apt_eqgrp.yar | 1213 - .../Florian Roth/apt_fakem_backdoor.yar | 46 - .../Florian Roth/apt_fancybear_dnc.yar | 54 - .../apt_fidelis_phishing_plain_sight.yar | 27 - .../Florian Roth/apt_four_element_sword.yar | 161 - yara-mikesxrs/Florian Roth/apt_furtim.yar | 53 - .../apt_ghostdragon_gh0st_rat.yar | 87 - yara-mikesxrs/Florian Roth/apt_glassRAT.yar | 69 - .../Florian Roth/apt_hackingteam_rules.yar | 82 - .../Florian Roth/apt_hellsing_kaspersky.yar | 137 - yara-mikesxrs/Florian Roth/apt_hizor_rat.yar | 27 - .../Florian Roth/apt_indetectables_rat.yar | 52 - yara-mikesxrs/Florian Roth/apt_inocnation.yar | 29 - yara-mikesxrs/Florian Roth/apt_irongate.yar | 96 - yara-mikesxrs/Florian Roth/apt_irontiger.yar | 146 - .../Florian Roth/apt_irontiger_trendmicro.yar | 289 - .../Florian Roth/apt_kaspersky_duqu2.yar | 147 - .../Florian Roth/apt_keylogger_cn.yar | 33 - .../Florian Roth/apt_korplug_fast.yar | 25 - .../Florian Roth/apt_laudanum_webshells.yar | 309 - yara-mikesxrs/Florian Roth/apt_miniasp.yar | 36 - yara-mikesxrs/Florian Roth/apt_minidionis.yar | 81 - yara-mikesxrs/Florian Roth/apt_mofang.yar | 47 - .../Florian Roth/apt_ms_platinum.yara | 398 - yara-mikesxrs/Florian Roth/apt_naikon.yar | 36 - .../Florian Roth/apt_nanocore_rat.yar | 72 - .../Florian Roth/apt_onhat_proxy.yar | 29 - yara-mikesxrs/Florian Roth/apt_op_cleaver.yar | 329 - .../Florian Roth/apt_passthehashtoolkit.yar | 142 - yara-mikesxrs/Florian Roth/apt_plugx.yar | 35 - yara-mikesxrs/Florian Roth/apt_poisonivy.yar | 215 - .../Florian Roth/apt_poisonivy_gen3.yar | 30 - .../Florian Roth/apt_poseidon_group.yar | 82 - yara-mikesxrs/Florian Roth/apt_prikormka.yar | 141 - 
yara-mikesxrs/Florian Roth/apt_project_m.yar | 46 - .../Florian Roth/apt_project_sauron.yara | 137 - .../apt_project_sauron_extras.yar | 224 - .../Florian Roth/apt_putterpanda.yar | 258 - .../Florian Roth/apt_quarkspwdump.yar | 22 - .../apt_rocketkitten_keylogger.yar | 33 - yara-mikesxrs/Florian Roth/apt_ruag.yar | 85 - .../apt_rwmc_powershell_creddump.yar | 39 - yara-mikesxrs/Florian Roth/apt_sakula.yar | 78 - .../Florian Roth/apt_scanbox_deeppanda.yar | 32 - .../Florian Roth/apt_seaduke_unit42.yar | 26 - yara-mikesxrs/Florian Roth/apt_shamoon.yar | 12 - .../Florian Roth/apt_skeletonkey.yar | 44 - .../Florian Roth/apt_snowglobe_babar.yar | 36 - .../Florian Roth/apt_sofacy_dec15.yar | 129 - .../Florian Roth/apt_sofacy_fysbis.yar | 50 - .../Florian Roth/apt_sofacy_jun16.yar | 59 - .../apt_sofacy_xtunnel_bundestag.yar | 98 - .../Florian Roth/apt_sphinx_moth.yar | 114 - yara-mikesxrs/Florian Roth/apt_strider.yara | 84 - yara-mikesxrs/Florian Roth/apt_stuxnet.yar | 172 - yara-mikesxrs/Florian Roth/apt_suckfly.yar | 73 - yara-mikesxrs/Florian Roth/apt_sysscan.yar | 37 - yara-mikesxrs/Florian Roth/apt_terracotta.yar | 98 - .../Florian Roth/apt_terracotta_liudoor.yar | 24 - .../Florian Roth/apt_threatgroup_3390.yar | 307 - yara-mikesxrs/Florian Roth/apt_tidepool.yar | 30 - .../Florian Roth/apt_turbo_campaign.yar | 192 - yara-mikesxrs/Florian Roth/apt_turla.yar | 142 - .../Florian Roth/apt_unit78020_malware.yar | 129 - .../Florian Roth/apt_volatile_cedar.yar | 115 - yara-mikesxrs/Florian Roth/apt_waterbug.yar | 123 - .../apt_webshell_chinachopper.yar | 13 - .../Florian Roth/apt_wildneutron.yar | 297 - yara-mikesxrs/Florian Roth/apt_win_plugx.yar | 58 - yara-mikesxrs/Florian Roth/apt_winnti.yar | 130 - .../Florian Roth/apt_woolengoldfish.yar | 103 - .../Florian Roth/cn_pentestset_scripts.yar | 336 - .../Florian Roth/cn_pentestset_tools.yar | 2225 - .../Florian Roth/cn_pentestset_webshells.yar | 1038 - yara-mikesxrs/Florian Roth/cridex.yar | 14 - .../Florian 
Roth/crime_antifw_installrex.yar | 17 - .../Florian Roth/crime_bernhard_pos.yar | 17 - .../Florian Roth/crime_buzus_softpulse.yar | 24 - yara-mikesxrs/Florian Roth/crime_cmstar.yar | 19 - .../Florian Roth/crime_cryptowall_svg.yar | 22 - .../Florian Roth/crime_dexter_trojan.yar | 15 - .../Florian Roth/crime_dridex_xml.yar | 22 - yara-mikesxrs/Florian Roth/crime_enfal.yar | 53 - yara-mikesxrs/Florian Roth/crime_fareit.yar | 28 - .../Florian Roth/crime_kins_dropper.yar | 46 - .../Florian Roth/crime_kraken_bot1.yar | 25 - yara-mikesxrs/Florian Roth/crime_locky.yar | 20 - yara-mikesxrs/Florian Roth/crime_malumpos.yar | 32 - .../Florian Roth/crime_malware_generic.yar | 39 - .../Florian Roth/crime_mikey_trojan.yar | 20 - .../Florian Roth/crime_petya_ransom.yar | 31 - .../Florian Roth/crime_phish_gina_dec15.yar | 67 - .../crime_rombertik_carbongrabber.yar | 107 - .../Florian Roth/crime_shifu_trojan.yar | 59 - .../Florian Roth/crime_upatre_oct15.yar | 43 - .../Florian Roth/exploit_cve_2015_1674.yar | 27 - .../Florian Roth/exploit_cve_2015_1701.yar | 27 - .../Florian Roth/exploit_cve_2015_2426.yar | 53 - .../Florian Roth/exploit_uac_elevators.yar | 131 - .../Florian Roth/gen_ace_with_exe.yar | 21 - .../Florian Roth/gen_b374k_extra.yar | 22 - .../Florian Roth/gen_cn_hacktool_scripts.yar | 129 - .../Florian Roth/gen_cn_hacktools.yar | 2471 -- .../Florian Roth/gen_cn_webshells.yar | 701 - .../Florian Roth/gen_deviceguard_evasion.yar | 13 - .../Florian Roth/gen_faked_versions.yar | 29 - .../Florian Roth/gen_gpp_cpassword.yar | 19 - .../Florian Roth/gen_invoke_mimikatz.yar | 20 - yara-mikesxrs/Florian Roth/gen_kerberoast.yar | 53 - .../Florian Roth/gen_kirbi_mimkatz.yar | 22 - .../Florian Roth/gen_malware_set_qa.yar | 189 - .../gen_metasploit_loader_rsmudge.yar | 25 - .../Florian Roth/gen_mimikittenz.yar | 27 - .../Florian Roth/gen_nopowershell.yar | 21 - yara-mikesxrs/Florian Roth/gen_pirpi.yar | 61 - yara-mikesxrs/Florian Roth/gen_powerkatz.yar | 30 - .../Florian 
Roth/gen_powershell_empire.yar | 168 - .../Florian Roth/gen_powershell_toolkit.yar | 226 - .../Florian Roth/gen_regsrv32_issue.yar | 23 - yara-mikesxrs/Florian Roth/gen_sharpcat.yar | 21 - yara-mikesxrs/Florian Roth/gen_tempracer.yar | 25 - .../Florian Roth/gen_thumbs_cloaking.yar | 10 - .../Florian Roth/gen_transformed_strings.yar | 54 - .../Florian Roth/gen_win_privesc.yar | 56 - yara-mikesxrs/Florian Roth/gen_winshells.yar | 112 - .../Florian Roth/general_cloaking.yar | 84 - .../Florian Roth/general_officemacros.yar | 46 - .../Florian Roth/generic_anomalies.yar | 268 - .../Florian Roth/generic_cryptors.yar | 22 - yara-mikesxrs/Florian Roth/generic_dumps.yar | 27 - .../Florian Roth/generic_exe2hex_payload.yar | 26 - yara-mikesxrs/Florian Roth/pup_lightftp.yar | 37 - .../Florian Roth/spy_equation_fiveeyes.yar | 575 - .../Florian Roth/spy_querty_fiveeyes.yar | 233 - .../Florian Roth/spy_regin_fiveeyes.yar | 353 - yara-mikesxrs/Florian Roth/thor-hacktools.yar | 3324 -- yara-mikesxrs/Florian Roth/thor-webshells.yar | 8723 ---- .../Florian Roth/thor_inverse_matches.yar | 356 - .../Florian Roth/threat_lenovo_superfish.yar | 23 - .../Adobe_Flash_DRM_Use_After_Free.yar | 35 - yara-mikesxrs/InQuest/AgentTesla.yar | 54 - .../InQuest/CVE_2018_4878_0day_ITW.yar | 62 - yara-mikesxrs/InQuest/Embedded_PE_File.yar | 14 - yara-mikesxrs/InQuest/Excel_IQY_File.yar | 20 - .../Excel_IQY_File_Suspicious_Request.yar | 69 - .../Excel_IQY_File_With_file_extension.yar | 26 - yara-mikesxrs/InQuest/Hiddenbee.yar | 58 - yara-mikesxrs/InQuest/MC_Office_DDE.yar | 91 - ...fice_Document_with_Embedded_Flash_File.yar | 19 - .../InQuest/NTLM_Credential_Theft_via_PDF.yar | 59 - .../RTF_Byte_Nibble_Obfuscation_method.yar | 96 - .../Kevin Falcoz/BlackShades_Trojan.yar | 17 - .../Kevin Falcoz/Bublik_Downloader.yar | 14 - .../Kevin Falcoz/Grozlex_Stealer.yar | 13 - .../Kevin Falcoz/Kevin_Falcoz_index.yara | 437 - yara-mikesxrs/Kevin Falcoz/Packers.yar | 216 - yara-mikesxrs/Kevin Falcoz/Wabot_Worm.yar | 
14 - yara-mikesxrs/Kevin Falcoz/YahLover_Worm.yar | 13 - yara-mikesxrs/Kevin Falcoz/Zegost_Trojan.yar | 14 - yara-mikesxrs/Kevin Falcoz/compilers.yar | 88 - .../Kevin Falcoz/lost_door_Trojan.yar | 13 - .../universal_1337_stealer_serveur.yar | 16 - yara-mikesxrs/Kevin Falcoz/xtreme_rat.yar | 13 - yara-mikesxrs/Koodous/ASSDdeveloper.yar | 24 - yara-mikesxrs/Koodous/Android.yar | 16 - .../Koodous/Android_VirusPolicia.yar | 43 - yara-mikesxrs/Koodous/Android_adware.yar | 22 - yara-mikesxrs/Koodous/Android_mapin.yar | 44 - .../Koodous/BatteryBot_ClickFraud.yar | 25 - yara-mikesxrs/Koodous/ChinesePorn.yar | 75 - yara-mikesxrs/Koodous/Drendoid_RAT.yar | 48 - yara-mikesxrs/Koodous/FakeApps.yar | 103 - yara-mikesxrs/Koodous/Fake_MosKow.yar | 27 - yara-mikesxrs/Koodous/HackingTeam.yar | 51 - yara-mikesxrs/Koodous/Koodous_index.yara | 99 - yara-mikesxrs/Koodous/MalwareCertificates.yar | 27 - yara-mikesxrs/Koodous/Ramsonware.yar | 111 - yara-mikesxrs/Koodous/SMSsender.yar | 99 - yara-mikesxrs/Koodous/Tinhvan.yar | 24 - yara-mikesxrs/Koodous/generic_adware.yar | 20 - yara-mikesxrs/Koodous/generic_smsfraud.yar | 38 - yara-mikesxrs/Koodous/koler_ransomware.yar | 62 - yara-mikesxrs/Koodous/malware_Advertising.yar | 22 - yara-mikesxrs/Koodous/malware_Dropper.yar | 16 - yara-mikesxrs/Koodous/mobidash.yar | 25 - yara-mikesxrs/Koodous/realshell.yar | 10 - yara-mikesxrs/Koodous/xbot007.yar | 16 - yara-mikesxrs/McAfee/APT_KimSuky_dllbckdr.yar | 43 - yara-mikesxrs/McAfee/BadRabbit_Ransomware.yar | 39 - .../McAfee/CTB_Locker_Ransomware.yar | 16 - yara-mikesxrs/McAfee/CredStealer.yar | 25 - yara-mikesxrs/McAfee/CryptoLocker_rule2.yar | 27 - yara-mikesxrs/McAfee/CryptoLocker_set1.yar | 29 - yara-mikesxrs/McAfee/GPGQwerty_ransomware.yar | 27 - yara-mikesxrs/McAfee/McAfee_index.yara | 57 - yara-mikesxrs/McAfee/NionSpy.yar | 19 - yara-mikesxrs/McAfee/OLE_JSRAT.yar | 18 - yara-mikesxrs/McAfee/SAmSAmRansom2016,yar | 50 - .../McAfee/SamSam_Ransomware_Latest.yar | 47 - 
yara-mikesxrs/McAfee/Spygate_2.9_RAT.yar | 17 - yara-mikesxrs/McAfee/W97M_Vawtrak_dropper.yar | 20 - yara-mikesxrs/McAfee/WannaCry.yar | 59 - yara-mikesxrs/McAfee/kraken_ransomware.yar | 78 - yara-mikesxrs/McAfee/rovnix_downloader.yar | 29 - yara-mikesxrs/McAfee/shifu.yar | 17 - yara-mikesxrs/NCCGroup/APT15.yar | 214 - yara-mikesxrs/NCCGroup/ISMRAT.yar | 15 - yara-mikesxrs/NCCGroup/Sakula.yar | 121 - .../NCCGroup/authenticode_anomalies.yara | 16 - yara-mikesxrs/NCCGroup/badwinmail.yara | 33 - yara-mikesxrs/NCCGroup/heartbleed.yar | 12 - yara-mikesxrs/NCCGroup/metaStealer_memory.yar | 14 - yara-mikesxrs/NCCGroup/package_manager.yara | 121 - yara-mikesxrs/NCCGroup/redleaves.yar | 51 - .../NCCGroup/turla_neuron_nautilus.yar | 176 - yara-mikesxrs/NCSC/SparrowDoor_apipatch.yar | 17 - yara-mikesxrs/NCSC/SparrowDoor_clipshot.yar | 20 - yara-mikesxrs/NCSC/SparrowDoor_config.yar | 14 - yara-mikesxrs/NCSC/SparrowDoor_loader.yar | 15 - yara-mikesxrs/NCSC/SparrowDoor_shellcode.yar | 15 - .../NCSC/SparrowDoor_sleep_routine.yar | 12 - yara-mikesxrs/NCSC/SparrowDoor_strings.yar | 23 - yara-mikesxrs/NCSC/SparrowDoor_xor.yar | 14 - yara-mikesxrs/NCSC/turla_neuron_nautilus.yar | 176 - yara-mikesxrs/PL CERT/Madprotect_packer.yar | 27 - .../PL CERT/Polish_Bankbot_mobile.yar | 42 - yara-mikesxrs/PL CERT/cryptomix_packer.yar | 17 - yara-mikesxrs/PL CERT/cryptomix_payload.yar | 19 - yara-mikesxrs/PL CERT/kbot.yar | 17 - yara-mikesxrs/PL CERT/necurs.yar | 31 - yara-mikesxrs/PL CERT/nymaim.yar | 26 - yara-mikesxrs/PL CERT/ramnit.yar | 62 - yara-mikesxrs/PL CERT/sage.yar | 26 - yara-mikesxrs/PL CERT/tofsee.yar | 35 - .../TEMP.Periscope_Spearphish.yar | 19 - .../Recorded Future/ext4_linuxlistener.yar | 19 - yara-mikesxrs/SenseCy/ORXLocker.yar | 23 - yara-mikesxrs/SenseCy/njrat_08d.yar | 23 - yara-mikesxrs/Seth Hardy/3102.yar | 40 - yara-mikesxrs/Seth Hardy/9002.yar | 47 - yara-mikesxrs/Seth Hardy/APT_NGO_wuaclt.yar | 26 - yara-mikesxrs/Seth Hardy/Babar.yar | 33 - yara-mikesxrs/Seth 
Hardy/GeorBot.yar | 17 - yara-mikesxrs/Seth Hardy/Scieron.yar | 27 - .../Seth Hardy/Seth_Hardy_index.yara | 2381 -- yara-mikesxrs/Seth Hardy/Swisyn.yar | 83 - yara-mikesxrs/Seth Hardy/Waterbug.yar | 160 - yara-mikesxrs/Seth Hardy/apt1.yar | 1182 - yara-mikesxrs/Seth Hardy/bangat.yar | 45 - yara-mikesxrs/Seth Hardy/boouset.yar | 42 - yara-mikesxrs/Seth Hardy/comfoo.yar | 43 - yara-mikesxrs/Seth Hardy/cookies.yar | 38 - yara-mikesxrs/Seth Hardy/cxpid.yar | 43 - yara-mikesxrs/Seth Hardy/enfal.yar | 69 - yara-mikesxrs/Seth Hardy/ezcob.yar | 28 - yara-mikesxrs/Seth Hardy/f0xy.yar | 14 - yara-mikesxrs/Seth Hardy/fakem.yar | 42 - yara-mikesxrs/Seth Hardy/favorite.yar | 42 - yara-mikesxrs/Seth Hardy/glasses.yar | 43 - yara-mikesxrs/Seth Hardy/hangover.yar | 307 - yara-mikesxrs/Seth Hardy/iexpl0re.yar | 58 - yara-mikesxrs/Seth Hardy/imuler.yar | 61 - yara-mikesxrs/Seth Hardy/insta11.yar | 43 - yara-mikesxrs/Seth Hardy/kins.yar | 44 - yara-mikesxrs/Seth Hardy/leverage.yar | 18 - yara-mikesxrs/Seth Hardy/luckycat.yar | 46 - yara-mikesxrs/Seth Hardy/lurk0+cctv0.yar | 121 - yara-mikesxrs/Seth Hardy/maccontrol.yar | 47 - yara-mikesxrs/Seth Hardy/mask.yar | 85 - yara-mikesxrs/Seth Hardy/mirage.yar | 25 - yara-mikesxrs/Seth Hardy/mongal.yar | 41 - yara-mikesxrs/Seth Hardy/naikon.yar | 45 - yara-mikesxrs/Seth Hardy/naspyupdate.yar | 42 - yara-mikesxrs/Seth Hardy/nettraveler.yar | 88 - yara-mikesxrs/Seth Hardy/nsfree.yar | 44 - yara-mikesxrs/Seth Hardy/olyx.yar | 38 - yara-mikesxrs/Seth Hardy/plugx.yar | 52 - yara-mikesxrs/Seth Hardy/pubsab.yar | 40 - yara-mikesxrs/Seth Hardy/quarian.yar | 64 - yara-mikesxrs/Seth Hardy/regsubdat.yar | 47 - yara-mikesxrs/Seth Hardy/remote.yar | 81 - yara-mikesxrs/Seth Hardy/rookie.yar | 43 - yara-mikesxrs/Seth Hardy/rooter.yar | 44 - yara-mikesxrs/Seth Hardy/safenet.yar | 42 - yara-mikesxrs/Seth Hardy/scarhikn.yar | 41 - yara-mikesxrs/Seth Hardy/shell_crew.yar | 32 - yara-mikesxrs/Seth Hardy/surtr.yar | 51 - yara-mikesxrs/Seth Hardy/t5000.yar | 37 - 
yara-mikesxrs/Seth Hardy/urausy_skypedat.yar | 14 - yara-mikesxrs/Seth Hardy/vidgrab.yar | 46 - yara-mikesxrs/Seth Hardy/warp.yar | 42 - yara-mikesxrs/Seth Hardy/wimmie.yar | 45 - yara-mikesxrs/Seth Hardy/xtreme.yar | 42 - yara-mikesxrs/Seth Hardy/yayih.yar | 42 - .../ThreatStreamLabs/PyInstaller_Binary.yar | 17 - yara-mikesxrs/Trend Micro/FighterPOS.yar | 92 - .../Trend Micro/PoS_Malware_MalumPOS.yar | 17 - .../PoS_Malware_NewPOSThings2015.yar | 23 - .../PoS_Malware_RawPOS2015_dumper.yar | 22 - .../PoS_Malware_RawPOS2015_dumper_old.yar | 24 - .../PoS_Malware_RawPOS2015_service.yar | 24 - yara-mikesxrs/Trend Micro/VBS.yar | 22 - yara-mikesxrs/Trend Micro/cracked_loki.yar | 19 - .../crime_linux_umbreon _ rootkit.yar | 60 - yara-mikesxrs/US CERT/APT10 Dropper.yar | 12 - .../US CERT/APT10 Redleaves Plugx.yar | 29 - .../US CERT/APT10 Redleaves loader.yar | 13 - yara-mikesxrs/US CERT/APT10 Redleaves.yar | 14 - .../US CERT/APT10 redleaves handkerchief.yar | 12 - yara-mikesxrs/US CERT/APT28_IMPLANT_1.yara | 93 - yara-mikesxrs/US CERT/APT28_IMPLANT_2.yara | 311 - yara-mikesxrs/US CERT/APT28_IMPLANT_3.yara | 49 - yara-mikesxrs/US CERT/APT28_IMPLANT_5.yara | 192 - yara-mikesxrs/US CERT/APT28_IMPLANT_6.yara | 125 - yara-mikesxrs/US CERT/APT28_implant_4.yara | 420 - yara-mikesxrs/US CERT/APT29_IMPLANT_10.yara | 31 - yara-mikesxrs/US CERT/APT29_IMPLANT_11.yara | 20 - yara-mikesxrs/US CERT/APT29_IMPLANT_12.yara | 13 - yara-mikesxrs/US CERT/APT29_IMPLANT_7.yara | 15 - yara-mikesxrs/US CERT/APT29_IMPLANT_8.yara | 40 - yara-mikesxrs/US CERT/APT29_IMPLANT_9.yara | 15 - yara-mikesxrs/US CERT/APT29_unidentified.yara | 23 - .../US CERT/Destructive_Hard_Drive_Tool.yar | 21 - .../Destructive_Target_Cleaning_Tool.yar | 15 - .../Destructive_Target_Cleaning_Tool_2.yar | 15 - .../Destructive_Target_Cleaning_Tool_3.yar | 17 - .../Destructive_Target_Cleaning_Tool_5.yar | 14 - .../Destructive_Target_Cleaning_Tool_6.yar | 19 - .../Destructive_Target_Cleaning_Tool_7.yar | 15 - 
.../Destructive_Target_Cleaning_Tool_8.yar | 14 - yara-mikesxrs/US CERT/Dragonfly.yar | 118 - yara-mikesxrs/US CERT/Dragonfly2.0.yar | 305 - .../US CERT/HIDDENCOBRA_RSA_MODULUS.yar | 14 - yara-mikesxrs/US CERT/HIDDEN_COBRA.yar | 69 - yara-mikesxrs/US CERT/Hidden Cobra Enfal.yar | 29 - .../US CERT/Hidden_Cobra_DPRK_DDoS_Tool.yara | 40 - .../US CERT/Lightweight_Backdoor.yar | 14 - .../US CERT/Lightweight_Backdoor_2.yar | 15 - .../US CERT/Lightweight_Backdoor_3.yar | 15 - .../US CERT/Lightweight_Backdoor_4.yar | 16 - .../US CERT/Lightweight_Backdoor_5.yar | 15 - .../US CERT/Lightweight_Backdoor_6.yar | 15 - .../Malware_used_by_cyber_threat_actor_1.yar | 16 - .../Malware_used_by_cyber_threat_actor_2.yar | 20 - .../Malware_used_by_cyber_threat_actor_3.yar | 13 - .../US CERT/PAS_TOOL_PHP_WEB_KIT.yar | 18 - yara-mikesxrs/US CERT/Proxy Tool.yar | 14 - yara-mikesxrs/US CERT/Proxy_Tool_2.yar | 14 - yara-mikesxrs/US CERT/Proxy_Tool_3.yar | 12 - yara-mikesxrs/US CERT/SMB_Worm_Tool.yar | 18 - yara-mikesxrs/US CERT/US_CERT_index.yara | 369 - yara-mikesxrs/US CERT/WannaCry.yara | 46 - yara-mikesxrs/US CERT/fallchill.yar | 25 - yara-mikesxrs/US CERT/hatman.yar | 111 - yara-mikesxrs/WithSecure/SILKLOADER.yar | 21 - .../WithSecure/ducktail_artifacts.yar | 21 - .../ducktail_dotnet_core_infostealer.yar | 104 - .../WithSecure/ducktail_exceldna_packed.yar | 28 - .../WithSecure/ducktail_nativeaot.yar | 23 - yara-mikesxrs/Xylitol/Malware.yar | 26 - yara-mikesxrs/Xylitol/Zeus_1134.yar | 18 - yara-mikesxrs/Xylitol/ibanking.yar | 19 - yara-mikesxrs/Xylitol/malware_banker.yar | 42 - yara-mikesxrs/alienvault/APT1_GDOCUPLOAD.yar | 14 - yara-mikesxrs/alienvault/APT1_GETMAIL.yar | 17 - yara-mikesxrs/alienvault/APT1_HACKSFASE1.yar | 12 - yara-mikesxrs/alienvault/APT1_HACKSFASE2.yar | 13 - yara-mikesxrs/alienvault/APT1_LIGHTBOLT.yar | 14 - yara-mikesxrs/alienvault/APT1_MAPIGET.yar | 16 - .../alienvault/APT1_RARSilent_EXE_PDF.yar | 16 - yara-mikesxrs/alienvault/APT1_Revird_svc.yar | 19 - 
.../alienvault/APT1_TARSIP_ECLIPSE.yar | 14 - yara-mikesxrs/alienvault/APT1_TARSIP_MOON.yar | 19 - yara-mikesxrs/alienvault/APT1_WARP.yar | 15 - .../alienvault/APT1_WEBC2_ADSPACE.yar | 12 - yara-mikesxrs/alienvault/APT1_WEBC2_AUSOV.yar | 15 - yara-mikesxrs/alienvault/APT1_WEBC2_BOLID.yar | 12 - .../alienvault/APT1_WEBC2_CLOVER.yar | 17 - yara-mikesxrs/alienvault/APT1_WEBC2_CSON.yar | 16 - yara-mikesxrs/alienvault/APT1_WEBC2_DIV.yar | 14 - .../alienvault/APT1_WEBC2_GREENCAT.yar | 14 - yara-mikesxrs/alienvault/APT1_WEBC2_HEAD.yar | 14 - yara-mikesxrs/alienvault/APT1_WEBC2_KT3.yar | 13 - yara-mikesxrs/alienvault/APT1_WEBC2_QBP.yar | 15 - yara-mikesxrs/alienvault/APT1_WEBC2_RAVE.yar | 14 - yara-mikesxrs/alienvault/APT1_WEBC2_TABLE.yar | 14 - yara-mikesxrs/alienvault/APT1_WEBC2_TOCK.yar | 13 - yara-mikesxrs/alienvault/APT1_WEBC2_UGX.yar | 16 - yara-mikesxrs/alienvault/APT1_WEBC2_Y21K.yar | 15 - yara-mikesxrs/alienvault/APT1_WEBC2_YAHOO.yar | 13 - yara-mikesxrs/alienvault/APT1_dbg_mess.yar | 17 - .../APT1_known_malicious_RARSilent.yar | 14 - yara-mikesxrs/alienvault/APT1_letusgo.yar | 11 - yara-mikesxrs/alienvault/AURIGA_APT1.yar | 16 - .../alienvault/AURIGA_driver_APT1.yar | 16 - yara-mikesxrs/alienvault/BANGAT_APT1.yar | 21 - .../alienvault/BISCUIT_GREENCAT_APT1.yar | 16 - yara-mikesxrs/alienvault/BOUNCER_APT1.yar | 16 - yara-mikesxrs/alienvault/BOUNCER_DLL_APT1.yar | 12 - yara-mikesxrs/alienvault/CALENDAR_APT1.yar | 21 - yara-mikesxrs/alienvault/CCREWBACK1.yar | 22 - yara-mikesxrs/alienvault/COMBOS_APT1.yar | 18 - yara-mikesxrs/alienvault/CVE2012XXXX.yar | 19 - yara-mikesxrs/alienvault/CaptainWord.yar | 17 - .../Careto generic malware signature.yar | 32 - yara-mikesxrs/alienvault/Careto_CnC.yar | 13 - .../alienvault/Careto_CnC_domains.yar | 12 - yara-mikesxrs/alienvault/Careto_OSX_SBD.yar | 11 - yara-mikesxrs/alienvault/Careto_SGH.yar | 14 - yara-mikesxrs/alienvault/DAIRY_APT1.yar | 16 - .../alienvault/DownloaderPossibleCCrew.yar | 16 - 
.../alienvault/EclipseSunCloudRAT.yar | 17 - yara-mikesxrs/alienvault/Elise.yar | 12 - yara-mikesxrs/alienvault/EzuriLoader.yar | 16 - yara-mikesxrs/alienvault/EzuriLoaderOSX.yar | 22 - .../alienvault/FatalRAT_unpacked.yar | 16 - yara-mikesxrs/alienvault/GEN_CCREW1.yar | 13 - yara-mikesxrs/alienvault/GLOOXMAIL_APT1.yar | 16 - yara-mikesxrs/alienvault/GOGGLES_APT1.yar | 16 - yara-mikesxrs/alienvault/GeorBotBinary.yar | 11 - yara-mikesxrs/alienvault/GeorBotMemory.yar | 12 - yara-mikesxrs/alienvault/HACKSFASE1_APT1.yar | 11 - yara-mikesxrs/alienvault/HACKSFASE2_APT1.yar | 13 - .../alienvault/Hangover2_Downloader.yar | 22 - .../alienvault/Hangover2_Keylogger.yar | 20 - .../alienvault/Hangover2_backdoor_shell.yar | 19 - .../alienvault/Hangover2_stealer.yar | 18 - .../alienvault/Hangover_Appinbot.yar | 17 - yara-mikesxrs/alienvault/Hangover_Auspo.yar | 14 - yara-mikesxrs/alienvault/Hangover_Deksila.yar | 14 - yara-mikesxrs/alienvault/Hangover_Foler.yar | 14 - yara-mikesxrs/alienvault/Hangover_Fuddol.yar | 12 - yara-mikesxrs/alienvault/Hangover_Gimwlog.yar | 15 - yara-mikesxrs/alienvault/Hangover_Gimwup.yar | 14 - .../alienvault/Hangover_Iconfall.yar | 14 - yara-mikesxrs/alienvault/Hangover_Linog.yar | 16 - .../alienvault/Hangover_Slidewin.yar | 26 - .../Hangover_Smackdown_Downloader.yar | 25 - .../alienvault/Hangover_Smackdown_various.yar | 20 - .../alienvault/Hangover_Tymtin_Degrab.yar | 14 - .../alienvault/Hangover_UpdateEx.yar | 17 - .../Hangover_Vacrhan_Downloader.yar | 17 - .../alienvault/Hangover_ron_babylon.yar | 43 - .../Java0daycve2012xxxx_generic.yar | 19 - yara-mikesxrs/alienvault/KINS_DLL_zeus.yar | 19 - yara-mikesxrs/alienvault/KINS_dropper.yar | 24 - yara-mikesxrs/alienvault/KURTON_APT1.yar | 14 - .../alienvault/Keyboy_document_ppsx_sct.yar | 29 - .../alienvault/Keyboy_mobile_titan.yar | 29 - yara-mikesxrs/alienvault/LIGHTDART_APT1.yar | 14 - yara-mikesxrs/alienvault/LONGRUN_APT1.yar | 14 - yara-mikesxrs/alienvault/MACROMAIL_APT1.yar | 14 - 
yara-mikesxrs/alienvault/MANITSME_APT1.yar | 22 - yara-mikesxrs/alienvault/MINIASP_APT1.yar | 16 - yara-mikesxrs/alienvault/MiniASP.yar | 13 - yara-mikesxrs/alienvault/MoonProject.yar | 15 - yara-mikesxrs/alienvault/NEWSREELS_APT1.yar | 19 - yara-mikesxrs/alienvault/NKRivts.yar | 12 - yara-mikesxrs/alienvault/OSX_Dok.yar | 34 - yara-mikesxrs/alienvault/OSX_MacSpy.yar | 15 - yara-mikesxrs/alienvault/OSX_Proton.B.yar | 30 - .../alienvault/OSX_Proton_B_systemd.1.yar | 35 - yara-mikesxrs/alienvault/PRISM.yar | 69 - .../alienvault/PrismaticSuccessor.yar | 105 - yara-mikesxrs/alienvault/SEASALT_APT1.yar | 16 - yara-mikesxrs/alienvault/STARSYPOUND_APT1.yar | 15 - yara-mikesxrs/alienvault/SWORD_APT1.yar | 15 - yara-mikesxrs/alienvault/TABMSGSQL_APT1.yar | 15 - .../alienvault/TrojanCookies_CCREW.yar | 17 - .../alienvault/alienvault_index.yara | 2168 - yara-mikesxrs/alienvault/avdetect_procs.yar | 210 - yara-mikesxrs/alienvault/ccrewDownloader1.yar | 12 - yara-mikesxrs/alienvault/ccrewDownloader2.yar | 14 - yara-mikesxrs/alienvault/ccrewDownloader3.yar | 17 - yara-mikesxrs/alienvault/ccrewMiniasp.yar | 13 - yara-mikesxrs/alienvault/ccrewQAZ.yar | 12 - yara-mikesxrs/alienvault/ccrewSSLBack1.yar | 13 - yara-mikesxrs/alienvault/ccrewSSLBack2.yar | 12 - yara-mikesxrs/alienvault/ccrewSSLBack3.yar | 12 - yara-mikesxrs/alienvault/dbgdetect_files.yar | 15 - yara-mikesxrs/alienvault/dbgdetect_funcs.yar | 23 - yara-mikesxrs/alienvault/dbgdetect_procs.yar | 23 - yara-mikesxrs/alienvault/leverage_a.yar | 18 - yara-mikesxrs/alienvault/metaxcd.yar | 12 - yara-mikesxrs/alienvault/nkminer_monero.yar | 35 - .../alienvault/oceanlotus_constants.yar | 14 - .../alienvault/oceanlotus_xor_decode.yar | 12 - .../alienvault/sandboxdetect_misc.yar | 21 - .../alienvault/thequickbrow_APT1.yar | 12 - yara-mikesxrs/alienvault/urasay skype.yar | 14 - yara-mikesxrs/alienvault/vmdetect_misc.yar | 83 - yara-mikesxrs/bluecoat/Bluecoat_index.yara | 123 - yara-mikesxrs/bluecoat/InceptionAndroid.yar | 13 - 
.../bluecoat/InceptionBlackberry.yar | 17 - yara-mikesxrs/bluecoat/InceptionDLL.yar | 27 - yara-mikesxrs/bluecoat/InceptionIOS.yar | 15 - yara-mikesxrs/bluecoat/InceptionMips.yar | 14 - yara-mikesxrs/bluecoat/InceptionRTF.yar | 14 - yara-mikesxrs/bluecoat/InceptionVBS.yar | 15 - yara-mikesxrs/blueliv/WannaCryptor.yar | 118 - yara-mikesxrs/blueliv/banswift.yar | 45 - yara-mikesxrs/blueliv/banswift_wiper.yar | 12 - yara-mikesxrs/blueliv/petya_eternalblue.yar | 18 - .../codewatchorg/angler_ek_checkpoint.yar | 10 - .../codewatchorg/angler_ek_redirector.yar | 18 - yara-mikesxrs/codewatchorg/angler_flash.yar | 28 - yara-mikesxrs/codewatchorg/angler_flash2.yar | 28 - yara-mikesxrs/codewatchorg/angler_flash4.yar | 30 - yara-mikesxrs/codewatchorg/angler_flash5.yar | 26 - .../angler_flash_uncompressed.yar | 31 - yara-mikesxrs/codewatchorg/angler_html.yar | 32 - yara-mikesxrs/codewatchorg/angler_html2.yar | 32 - yara-mikesxrs/codewatchorg/angler_jar.yar | 23 - yara-mikesxrs/codewatchorg/angler_js.yar | 31 - yara-mikesxrs/codewatchorg/blackhole1_jar.yar | 26 - yara-mikesxrs/codewatchorg/blackhole2_css.yar | 22 - yara-mikesxrs/codewatchorg/blackhole2_htm.yar | 36 - .../codewatchorg/blackhole2_htm10.yar | 37 - .../codewatchorg/blackhole2_htm11.yar | 33 - .../codewatchorg/blackhole2_htm12.yar | 36 - .../codewatchorg/blackhole2_htm3.yar | 19 - .../codewatchorg/blackhole2_htm5.yar | 34 - .../codewatchorg/blackhole2_htm6.yar | 30 - .../codewatchorg/blackhole2_htm8.yar | 28 - yara-mikesxrs/codewatchorg/blackhole2_jar.yar | 27 - .../codewatchorg/blackhole2_jar2.yar | 26 - .../codewatchorg/blackhole2_jar3.yar | 26 - yara-mikesxrs/codewatchorg/blackhole2_pdf.yar | 32 - .../codewatchorg/blackhole_basic.yar | 7 - .../bleedinglife2_adobe_2010_1297_exploit.yar | 31 - .../bleedinglife2_adobe_2010_2884_exploit.yar | 31 - .../codewatchorg/bleedinglife2_jar2.yar | 23 - .../bleedinglife2_java_2010_0842_exploit.yar | 23 - .../codewatchorg/codewatchorg_index.yar | 2883 -- 
yara-mikesxrs/codewatchorg/crimepack_jar.yar | 20 - yara-mikesxrs/codewatchorg/crimepack_jar3.yar | 25 - yara-mikesxrs/codewatchorg/cve_2013_0074.yar | 17 - yara-mikesxrs/codewatchorg/cve_2013_0422.yar | 21 - yara-mikesxrs/codewatchorg/eleonore_jar.yar | 26 - yara-mikesxrs/codewatchorg/eleonore_jar2.yar | 28 - yara-mikesxrs/codewatchorg/eleonore_jar3.yar | 26 - yara-mikesxrs/codewatchorg/eleonore_js.yar | 25 - yara-mikesxrs/codewatchorg/eleonore_js2.yar | 29 - yara-mikesxrs/codewatchorg/eleonore_js3.yar | 31 - yara-mikesxrs/codewatchorg/fragus_htm.yar | 30 - yara-mikesxrs/codewatchorg/fragus_js.yar | 32 - yara-mikesxrs/codewatchorg/fragus_js2.yar | 31 - .../codewatchorg/fragus_js_flash.yar | 29 - yara-mikesxrs/codewatchorg/fragus_js_java.yar | 31 - .../codewatchorg/fragus_js_quicktime.yar | 29 - yara-mikesxrs/codewatchorg/fragus_js_vml.yar | 28 - .../codewatchorg/malicious_office.yar | 145 - yara-mikesxrs/codewatchorg/malicious_pdf.yar | 456 - yara-mikesxrs/codewatchorg/phoenix_html.yar | 23 - yara-mikesxrs/codewatchorg/phoenix_html10.yar | 31 - yara-mikesxrs/codewatchorg/phoenix_html11.yar | 32 - yara-mikesxrs/codewatchorg/phoenix_html2.yar | 31 - yara-mikesxrs/codewatchorg/phoenix_html3.yar | 32 - yara-mikesxrs/codewatchorg/phoenix_html4.yar | 27 - yara-mikesxrs/codewatchorg/phoenix_html5.yar | 30 - yara-mikesxrs/codewatchorg/phoenix_html6.yar | 31 - yara-mikesxrs/codewatchorg/phoenix_html7.yar | 31 - yara-mikesxrs/codewatchorg/phoenix_html8.yar | 30 - yara-mikesxrs/codewatchorg/phoenix_html9.yar | 32 - yara-mikesxrs/codewatchorg/phoenix_jar.yar | 24 - yara-mikesxrs/codewatchorg/phoenix_jar2.yar | 28 - yara-mikesxrs/codewatchorg/phoenix_jar3.yar | 23 - yara-mikesxrs/codewatchorg/phoenix_pdf.yar | 26 - yara-mikesxrs/codewatchorg/phoenix_pdf2.yar | 27 - yara-mikesxrs/codewatchorg/phoenix_pdf3.yar | 25 - .../codewatchorg/redkit_bin_basic.yar | 7 - yara-mikesxrs/codewatchorg/sakura_jar.yar | 31 - yara-mikesxrs/codewatchorg/sakura_jar2.yar | 31 - 
yara-mikesxrs/codewatchorg/zeroaccess_css.yar | 32 - .../codewatchorg/zeroaccess_css2.yar | 25 - yara-mikesxrs/codewatchorg/zeroaccess_htm.yar | 30 - yara-mikesxrs/codewatchorg/zeroaccess_js.yar | 32 - yara-mikesxrs/codewatchorg/zeroaccess_js2.yar | 32 - yara-mikesxrs/codewatchorg/zeroaccess_js3.yar | 29 - yara-mikesxrs/codewatchorg/zeroaccess_js4.yar | 31 - yara-mikesxrs/codewatchorg/zerox88_js2.yar | 25 - yara-mikesxrs/codewatchorg/zerox88_js3.yar | 30 - yara-mikesxrs/codewatchorg/zeus_js.yar | 28 - yara-mikesxrs/crowdstrike/CVE_2014_4113.yar | 15 - ...terPanda _02 - rc4_dropper putterpanda.yar | 32 - ...3 - threepara_para_implant putterpanda.yar | 20 - ...tterPanda _05 _ httpclient putterpanda.yar | 16 - ...terPanda _06 _ xor_dropper putterpanda.yar | 16 - .../crowdstrike/CrowdStrike_CSIT_14003_03.yar | 31 - .../crowdstrike/CrowdStrike_CSIT_14004_02.yar | 19 - .../crowdstrike/CrowdStrike_FlyingKitten.yar | 37 - ...a_01 - fourh_stack_strings putterpanda.yar | 59 - .../crowdstrike/Crowdstrike_index.yara | 293 - .../crowdstrike/Crowdstrike_target_breach.yar | 88 - yara-mikesxrs/crowdstrike/gameover zeus.yar | 39 - ..._PutterPanda_04_ pngdowner putterpanda.yar | 19 - yara-mikesxrs/cylance/BackDoorLogger.yar | 12 - yara-mikesxrs/cylance/Hkdoor_DLL.yar | 22 - yara-mikesxrs/cylance/Hkdoor_backdoor.yar | 24 - yara-mikesxrs/cylance/Hkdoor_driver.yar | 19 - yara-mikesxrs/cylance/Hkdoor_dropper.yar | 28 - yara-mikesxrs/cylance/Jasus.yar | 13 - yara-mikesxrs/cylance/LoggerModule.yar | 12 - .../cylance/MiSType_Backdoor_Packed.yar | 14 - yara-mikesxrs/cylance/Misdat_Backdoor.yar | 28 - .../cylance/Misdat_Backdoor_Packed.yar | 15 - yara-mikesxrs/cylance/NetC.yar | 12 - yara-mikesxrs/cylance/SType_Backdoor.yar | 33 - yara-mikesxrs/cylance/ShellCreator2.yar | 12 - yara-mikesxrs/cylance/SmartCopy2.yar | 12 - yara-mikesxrs/cylance/StreamEX.yar | 18 - yara-mikesxrs/cylance/SynFlooder.yar | 13 - yara-mikesxrs/cylance/TinyZBot.yar | 20 - yara-mikesxrs/cylance/WannaCryptor.yar | 41 - 
yara-mikesxrs/cylance/ZhoupinExploitCrew.yar | 11 - yara-mikesxrs/cylance/Zlib_Backdoor.yar | 43 - yara-mikesxrs/cylance/antivirusdetector.yar | 13 - yara-mikesxrs/cylance/baijiu.yar | 57 - yara-mikesxrs/cylance/csext.yar | 12 - yara-mikesxrs/cylance/cylance_index.yara | 392 - yara-mikesxrs/cylance/kagent.yar | 12 - yara-mikesxrs/cylance/mimikatzWrapper.yar | 12 - yara-mikesxrs/cylance/pvz_in.yar | 12 - yara-mikesxrs/cylance/pvz_out.yar | 12 - yara-mikesxrs/cylance/snakewine.yar | 24 - yara-mikesxrs/cylance/wndTest.yar | 12 - yara-mikesxrs/cylance/zhCat.yar | 11 - yara-mikesxrs/cylance/zhLookUp.yar | 11 - yara-mikesxrs/cylance/zhmimikatz.yar | 11 - yara-mikesxrs/eset/Animal_Farm.yar | 96 - yara-mikesxrs/eset/ESET_index.yara | 3788 -- yara-mikesxrs/eset/Gazer.yar | 41 - yara-mikesxrs/eset/InvisiMole.yar | 297 - yara-mikesxrs/eset/Linux_Moose.yar | 76 - yara-mikesxrs/eset/Mumblehard_packer.yar | 47 - yara-mikesxrs/eset/OSX_Keydnap_backdoor.yar | 50 - yara-mikesxrs/eset/OSX_Keydnap_packer.yar | 51 - yara-mikesxrs/eset/OSX_keydnap_downloader.yar | 49 - yara-mikesxrs/eset/Operation Potao.yar | 108 - yara-mikesxrs/eset/Operation Windigo.yar | 59 - yara-mikesxrs/eset/PotaoNew.yara | 108 - yara-mikesxrs/eset/Prikormka.yar | 165 - yara-mikesxrs/eset/SparklingGoblin.yar | 489 - yara-mikesxrs/eset/Turla_Carbon.yar | 28 - yara-mikesxrs/eset/badiis.yar | 552 - yara-mikesxrs/eset/kobalos.yar | 57 - .../eset/kobalos_ssh_credential_stealer.yar | 50 - yara-mikesxrs/eset/linux_rakos.yar | 53 - yara-mikesxrs/eset/skip20_sqllang_hook.yar | 69 - yara-mikesxrs/eset/sshdoor.yar | 572 - yara-mikesxrs/eset/stantinko.yar | 255 - yara-mikesxrs/eset/ta410.yar | 741 - yara-mikesxrs/eset/turla-outlook.yar | 169 - yara-mikesxrs/g00dv1n/Adware.AdGazelle.yar | 20 - yara-mikesxrs/g00dv1n/Adware.Adpeak.yar | 14 - yara-mikesxrs/g00dv1n/Adware.Agent.yar | 24 - yara-mikesxrs/g00dv1n/Adware.BetterSurf.yar | 16 - yara-mikesxrs/g00dv1n/Adware.BrowseFox.yar | 31 - yara-mikesxrs/g00dv1n/Adware.Conduit.yar | 
37 - yara-mikesxrs/g00dv1n/Adware.ConvertAd.yar | 15 - yara-mikesxrs/g00dv1n/Adware.Crossrider.yar | 54 - yara-mikesxrs/g00dv1n/Adware.DealPly.yar | 13 - yara-mikesxrs/g00dv1n/Adware.Dlhelper.yar | 27 - yara-mikesxrs/g00dv1n/Adware.Downloader.yar | 18 - yara-mikesxrs/g00dv1n/Adware.ELEX.yar | 65 - yara-mikesxrs/g00dv1n/Adware.Gen.yar | 16 - yara-mikesxrs/g00dv1n/Adware.Genieo.yar | 27 - yara-mikesxrs/g00dv1n/Adware.Imali.yar | 13 - yara-mikesxrs/g00dv1n/Adware.InstallCore.yar | 18 - yara-mikesxrs/g00dv1n/Adware.Linkury.yar | 41 - yara-mikesxrs/g00dv1n/Adware.MyWebSearch.yar | 17 - yara-mikesxrs/g00dv1n/Adware.NextLive.yar | 15 - yara-mikesxrs/g00dv1n/Adware.ObronaAds.yar | 35 - yara-mikesxrs/g00dv1n/Adware.OpenCandy.yar | 13 - yara-mikesxrs/g00dv1n/Adware.OutBrowse.yar | 17 - yara-mikesxrs/g00dv1n/Adware.PullUpdate.yar | 73 - yara-mikesxrs/g00dv1n/Adware.SProtect.yar | 38 - yara-mikesxrs/g00dv1n/Adware.SearchSuite.yar | 26 - yara-mikesxrs/g00dv1n/Adware.Sendori.yar | 34 - yara-mikesxrs/g00dv1n/Adware.SimplyTech.yar | 16 - yara-mikesxrs/g00dv1n/Adware.SmartApps.yar | 23 - yara-mikesxrs/g00dv1n/Adware.Solimbda.yar | 13 - yara-mikesxrs/g00dv1n/Adware.Trioris.yar | 17 - yara-mikesxrs/g00dv1n/Adware.Vitruvian.yar | 18 - yara-mikesxrs/g00dv1n/Adware.Wajam.yar | 27 - yara-mikesxrs/g00dv1n/Adware.WebTools.yar | 40 - yara-mikesxrs/g00dv1n/Adware.WebWatcher.yar | 16 - yara-mikesxrs/g00dv1n/Adware.iBryte.yar | 14 - yara-mikesxrs/g00dv1n/Adware.uKor.yar | 25 - yara-mikesxrs/g00dv1n/Backdoor.Bladabindi.yar | 26 - yara-mikesxrs/g00dv1n/Backdoor.Dedipros.yar | 16 - yara-mikesxrs/g00dv1n/Backdoor.Fynloski.yar | 33 - yara-mikesxrs/g00dv1n/Backdoor.Gen.yar | 16 - yara-mikesxrs/g00dv1n/Backdoor.Liudoor.yar | 27 - yara-mikesxrs/g00dv1n/Backdoor.Mirage.yar | 14 - yara-mikesxrs/g00dv1n/Backdoor.Vawtrak.yar | 49 - yara-mikesxrs/g00dv1n/Backdoor.Zegost.yar | 17 - .../g00dv1n/Malware.BitCoinMiner.yar | 16 - yara-mikesxrs/g00dv1n/Malware.Downloader.yar | 13 - 
yara-mikesxrs/g00dv1n/Malware.PWS.yar | 15 - yara-mikesxrs/g00dv1n/PUP.SystemOptimizer.yar | 14 - yara-mikesxrs/g00dv1n/PUP.Systweak.yar | 14 - yara-mikesxrs/g00dv1n/Ransom.Crypters.yar | 230 - yara-mikesxrs/g00dv1n/Risk.DetectAnalysis.yar | 343 - yara-mikesxrs/g00dv1n/Risk.NetFilter.yar | 26 - yara-mikesxrs/g00dv1n/Rogue.AVSoft.yar | 40 - yara-mikesxrs/g00dv1n/Rogue.Braviax.yar | 39 - yara-mikesxrs/g00dv1n/Rogue.FakePAV.yar | 31 - yara-mikesxrs/g00dv1n/Rogue.FakeRean.yar | 128 - yara-mikesxrs/g00dv1n/Rogue.FakeSysDef.yar | 38 - yara-mikesxrs/g00dv1n/Rogue.LiveSP.yar | 59 - yara-mikesxrs/g00dv1n/Rogue.SDef.yar | 20 - yara-mikesxrs/g00dv1n/Rogue.SysDoc.yar | 49 - yara-mikesxrs/g00dv1n/Rogue.Winwebsec.yar | 25 - yara-mikesxrs/g00dv1n/Trojan.Antivar.yar | 11 - yara-mikesxrs/g00dv1n/Trojan.Cbeplay.yar | 58 - yara-mikesxrs/g00dv1n/Trojan.ChStartPage.yar | 24 - yara-mikesxrs/g00dv1n/Trojan.Citadel.yar | 15 - yara-mikesxrs/g00dv1n/Trojan.Comfoo.yar | 38 - yara-mikesxrs/g00dv1n/Trojan.Cutwail.yar | 18 - yara-mikesxrs/g00dv1n/Trojan.Dllpatcher.yar | 15 - yara-mikesxrs/g00dv1n/Trojan.Downloader.yar | 49 - yara-mikesxrs/g00dv1n/Trojan.Dropper.yar | 12 - yara-mikesxrs/g00dv1n/Trojan.Frethog.yar | 30 - yara-mikesxrs/g00dv1n/Trojan.GBot.yar | 15 - .../g00dv1n/Trojan.Gamarue.Andromeda.yar | 21 - yara-mikesxrs/g00dv1n/Trojan.Injector.yar | 14 - yara-mikesxrs/g00dv1n/Trojan.Kovter.yar | 29 - yara-mikesxrs/g00dv1n/Trojan.Kuluoz.yar | 16 - yara-mikesxrs/g00dv1n/Trojan.Lethic.yar | 13 - yara-mikesxrs/g00dv1n/Trojan.Necurs.yar | 61 - yara-mikesxrs/g00dv1n/Trojan.Nedsym.yar | 15 - yara-mikesxrs/g00dv1n/Trojan.Neurevt.yar | 117 - yara-mikesxrs/g00dv1n/Trojan.PowerLoader.yar | 22 - yara-mikesxrs/g00dv1n/Trojan.Ransom.yar | 56 - yara-mikesxrs/g00dv1n/Trojan.Regin.yar | 101 - yara-mikesxrs/g00dv1n/Trojan.Rovnix.yar | 36 - yara-mikesxrs/g00dv1n/Trojan.Simda.yar | 19 - yara-mikesxrs/g00dv1n/Trojan.Sirefef.yar | 180 - yara-mikesxrs/g00dv1n/Trojan.Upatre.yar | 12 - 
.../g00dv1n/Trojan.Virtool.Obfuscator.yar | 12 - yara-mikesxrs/g00dv1n/TrojanPSW.Tepfer.yar | 68 - yara-mikesxrs/g00dv1n/TrojanPSW.ZBot.yar | 21 - yara-mikesxrs/g00dv1n/TrojanSpy.Ursnif.yar | 33 - yara-mikesxrs/g00dv1n/Virus.Chir.yar | 14 - yara-mikesxrs/g00dv1n/Virus.Madang.yar | 12 - yara-mikesxrs/g00dv1n/Worm.Cridex.yar | 21 - yara-mikesxrs/g00dv1n/Worm.Dorkbot.yar | 97 - yara-mikesxrs/g00dv1n/Worm.Phorpiex.yar | 99 - yara-mikesxrs/g00dv1n/Worm.SillyP2P.yar | 19 - yara-mikesxrs/g00dv1n/Worm.SkypeSpamer.yar | 13 - yara-mikesxrs/g00dv1n/g00dvin_index.yara | 3548 -- yara-mikesxrs/iSightPartners/SDBFile.yar | 20 - yara-mikesxrs/kaspersky/Adwind.yar | 27 - yara-mikesxrs/kaspersky/Crime_eyepyramid.yar | 58 - yara-mikesxrs/kaspersky/LazarusWannaCry.yar | 39 - .../apt_ProjectSauron_encrypted_LSA.yar | 33 - .../apt_ProjectSauron_encrypted_SSPI.yar | 19 - .../apt_ProjectSauron_encrypted_container.yar | 22 - .../apt_ProjectSauron_encryption.yar | 22 - ...pt_ProjectSauron_generic_pipe_backdoor.yar | 23 - .../apt_ProjectSauron_pipe_backdoor.yar | 24 - yara-mikesxrs/kaspersky/apt_duqu2_drivers.yar | 26 - yara-mikesxrs/kaspersky/apt_duqu2_loaders.yar | 36 - .../kaspersky/apt_equation_cryptotable.yar | 12 - ...equation_doublefantasy_genericresource.yar | 15 - ..._equation_equationlaser_runtimeclasses.yar | 17 - .../apt_equation_exploitlib_mutexes.yar | 28 - .../kaspersky/apt_hellsing_implantstrings.yar | 31 - .../kaspersky/apt_hellsing_installer.yar | 28 - .../kaspersky/apt_hellsing_irene.yar | 22 - .../kaspersky/apt_hellsing_msgertype2.yar | 22 - .../kaspersky/apt_hellsing_proxytool.yar | 22 - yara-mikesxrs/kaspersky/apt_hellsing_xkat.yar | 28 - .../kaspersky/apt_regin_2013_64bit_stage1.yar | 24 - .../apt_regin_dispatcher_disp_dll.yar | 22 - yara-mikesxrs/kaspersky/apt_regin_vfs.yar | 21 - yara-mikesxrs/kaspersky/backdoored_ssh.yar | 12 - ...xploit_Silverlight_Toropov_Generic_XAP.yar | 21 - yara-mikesxrs/kaspersky/kaspersky_index.yara | 578 - 
.../kaspersky/ransomware_PetrWrap.yar | 19 - yara-mikesxrs/kaspersky/stonedrill.yar | 45 - .../kaspersky/xDedic_SysScan_unpacked.yar | 26 - .../kaspersky/xdedic_packed_syscan.yar | 13 - yara-mikesxrs/one offs/9002Rat.yar | 16 - yara-mikesxrs/one offs/AdwindRat.yar | 14 - yara-mikesxrs/one offs/CVE-2013-3660.yar | 22 - yara-mikesxrs/one offs/ComputraceAgent.yar | 21 - yara-mikesxrs/one offs/CoreFlood_ldr.yar | 31 - yara-mikesxrs/one offs/Cridex.yar | 13 - yara-mikesxrs/one offs/Hancidoc_Dropper.yar | 14 - yara-mikesxrs/one offs/Mebroot_Torpig.yar | 17 - yara-mikesxrs/one offs/OSX_Malware.yar | 112 - yara-mikesxrs/one offs/Pegasus.yar | 24 - yara-mikesxrs/one offs/Qadars_DGA.yar | 10 - yara-mikesxrs/one offs/Shellphish.yar | 12 - yara-mikesxrs/one offs/W32ChirB.yar | 90 - yara-mikesxrs/one offs/XorDDoS.yar | 17 - yara-mikesxrs/one offs/ammyy_cerber3.yar | 21 - .../crime_ole_loadswf_cve_2018_4878.yar | 35 - .../crime_win32_gratefulpos_trojan.yar | 30 - yara-mikesxrs/one offs/dridex.yar | 17 - yara-mikesxrs/one offs/fastposloader.yar | 33 - yara-mikesxrs/one offs/marcher.yar | 18 - yara-mikesxrs/one offs/mwi_document.yar | 14 - yara-mikesxrs/one offs/nettraveler.yar | 26 - .../one offs/packager_cve2017_11882.yar | 16 - yara-mikesxrs/one offs/snake_uroburos.yar | 30 - yara-mikesxrs/paloalto/Palo_Alto_index.yara | 207 - .../paloalto/ce_enfal_cmstar_debug_msg.yar | 37 - .../paloalto/cobalt_gang_builder.yar | 41 - yara-mikesxrs/paloalto/findpos.yar | 28 - .../paloalto/general_win_dll_golang_socks.yar | 15 - .../general_win_faked_dlls_export_popo.yar | 22 - .../paloalto/general_win_golang_socks.yar | 30 - yara-mikesxrs/paloalto/hancitor_dropper.yar | 80 - yara-mikesxrs/paloalto/hancitor_payload.yar | 70 - yara-mikesxrs/paloalto/hancitor_stage1.yar | 16 - yara-mikesxrs/paloalto/powerstager.yar | 40 - .../paloalto/webshell_chinachopper_oab.yar | 70 - .../pombredanne/Android_AVITOMMS_Variant.yar | 33 - .../pombredanne/Android_AndroRat.yar | 15 - 
.../pombredanne/Android_BadMirror.yar | 14 - .../pombredanne/Android_Banker_Sberbank.yar | 15 - .../pombredanne/Android_Clicker_G.yar | 14 - yara-mikesxrs/pombredanne/Android_Copy9.yar | 14 - .../pombredanne/Android_DeathRing.yar | 14 - .../pombredanne/Android_Dendroid.yar | 15 - .../pombredanne/Android_Dogspectus.yar | 16 - .../pombredanne/Android_FakeBank_Fanta.yar | 17 - yara-mikesxrs/pombredanne/Android_Godless.yar | 37 - yara-mikesxrs/pombredanne/Android_Marcher.yar | 14 - .../pombredanne/Android_MazarBot.yar | 16 - yara-mikesxrs/pombredanne/Android_OmniRat.yar | 17 - yara-mikesxrs/pombredanne/Android_RuMMS.yar | 19 - .../pombredanne/PDF_Embedded_Exe.yar | 8 - yara-mikesxrs/pombredanne/SandroRat.yar | 13 - yara-mikesxrs/pombredanne/Spartan_SWF.yar | 14 - .../securityartwork/Erebus_Ransomware.yar | 17 - .../securityartwork/HardcodeHunter.yar | 13 - yara-mikesxrs/securityartwork/IoT_Reaper.yar | 17 - yara-mikesxrs/securityartwork/Linux_Bew.yar | 17 - .../securityartwork/Linux_Helios.yar | 17 - .../securityartwork/Meterpreter_rev_tcp.yar | 16 - .../OfficeMacrosWinintelDLL.yar | 18 - yara-mikesxrs/securityartwork/linux_Okiru.yar | 17 - yara-mikesxrs/securityartwork/multibanker.yar | 81 - .../shellcode_cve_2013_2729.yar | 23 - yara-mikesxrs/securityartwork/trickbot.yar | 66 - yara-mikesxrs/symantec/Bannerjack.yar | 17 - yara-mikesxrs/symantec/Cadelle_1.yar | 13 - yara-mikesxrs/symantec/Cadelle_2.yar | 30 - yara-mikesxrs/symantec/Cadelle_3.yar | 22 - yara-mikesxrs/symantec/Cadelle_4.yar | 13 - yara-mikesxrs/symantec/Eventlog.yar | 17 - yara-mikesxrs/symantec/Hacktool.yar | 18 - yara-mikesxrs/symantec/Kwampirs.yar | 74 - yara-mikesxrs/symantec/Multipurpose.yar | 15 - yara-mikesxrs/symantec/Proxy.yar | 17 - yara-mikesxrs/symantec/Securetunnel.yar | 17 - yara-mikesxrs/symantec/comrat.yar | 18 - yara-mikesxrs/symantec/fa.yar | 19 - yara-mikesxrs/symantec/isPE.yar | 9 - .../jiripbot _ ascii _ str _ decrypt.yar | 12 - .../jiripbot _ unicode _ str _ decrypt.yar | 13 - 
.../symantec/remsec_encrypted_api.yar | 15 - .../symantec/remsec_executable_blob_32.yar | 26 - .../symantec/remsec_executable_blob_64.yar | 27 - .../remsec_executable_blob_parser.yar | 30 - yara-mikesxrs/symantec/remsec_packer_A.yar | 26 - yara-mikesxrs/symantec/remsec_packer_B.yar | 63 - yara-mikesxrs/symantec/sav _ dropper.yar | 14 - yara-mikesxrs/symantec/sav.yar | 137 - yara-mikesxrs/symantec/symantec_index.yara | 746 - yara-mikesxrs/symantec/turla _ dll.yar | 14 - yara-mikesxrs/symantec/turla _ dropper.yar | 14 - .../symantec/wipbot _ 2013 _ core _ PDF.yar | 14 - .../symantec/wipbot _ 2013 _ core.yar | 45 - .../symantec/wipbot _ 2013 _ dll.yar | 18 - yara-mikesxrs/vitorafonso/banker.yar | 68 - yara-mikesxrs/vitorafonso/crisis.yar | 19 - yara-mikesxrs/vitorafonso/dropper.yar | 19 - yara-mikesxrs/vitorafonso/exploit.yar | 17 - yara-mikesxrs/vitorafonso/shedun.yar | 16 - yara-mikesxrs/vitorafonso/zitmo.yar | 23 - 1013 files changed, 13 insertions(+), 140759 deletions(-) delete mode 100644 yara-Neo23x0/configured_vulns_ext_vars.yar delete mode 100644 yara-Neo23x0/expl_citrix_netscaler_adc_exploitation_cve_2023_3519.yar delete mode 100644 yara-Neo23x0/expl_connectwise_screenconnect_vuln_feb24.yar delete mode 100644 yara-Neo23x0/gen_fake_amsi_dll.yar delete mode 100644 yara-Neo23x0/gen_mal_3cx_compromise_mar23.yar delete mode 100644 yara-Neo23x0/gen_vcruntime140_dll_sideloading.yar delete mode 100644 yara-Neo23x0/gen_webshells_ext_vars.yar delete mode 100644 yara-Neo23x0/general_cloaking.yar delete mode 100644 yara-Neo23x0/generic_anomalies.yar delete mode 100644 yara-Neo23x0/thor_inverse_matches.yar delete mode 100644 yara-Neo23x0/yara-rules_vuln_drivers_strict_renamed.yar delete mode 100644 yara-Neo23x0/yara_mixed_ext_vars.yar delete mode 100644 yara-mikesxrs/Anomali Labs/Lazarus_wipe_file_routine.yar delete mode 100644 yara-mikesxrs/Anomali Labs/PyInstaller_Binary.yar delete mode 100644 yara-mikesxrs/Brian Carter -carterb/archives_w_chinapic.yar delete mode 
100644 yara-mikesxrs/Brian Carter -carterb/demuzacert.yar delete mode 100644 yara-mikesxrs/Brian Carter -carterb/injector_panel_sqlite.yar delete mode 100644 yara-mikesxrs/Brian Carter -carterb/mal_pdf.yar delete mode 100644 yara-mikesxrs/Brian Carter -carterb/panelzips.yar delete mode 100644 yara-mikesxrs/Brian Carter -carterb/pony_config.yar delete mode 100644 yara-mikesxrs/Brian Carter -carterb/tables_inject_panel.yar delete mode 100644 yara-mikesxrs/Brian Carter -carterb/vt_pony_post2gate.yar delete mode 100644 yara-mikesxrs/CISA/CADDYWIPER.yar delete mode 100644 yara-mikesxrs/CISA/HAFIUM_webshell_CVE_2021_27065.yar delete mode 100644 yara-mikesxrs/CISA/HAFNIUM_CVE_2021_27065_Exchange_OAB_VD_MOD.yar delete mode 100644 yara-mikesxrs/CISA/HERMETICWIZARD.yar delete mode 100644 yara-mikesxrs/CISA/HERMETICWIZARD_WORM.yar delete mode 100644 yara-mikesxrs/CISA/HERMETICWIZARD_WORM_CODE.yar delete mode 100644 yara-mikesxrs/CISA/ISAACWIPER.yar delete mode 100644 yara-mikesxrs/CISA/ISAACWIPER_BYTES.yar delete mode 100644 yara-mikesxrs/Checkpoint/ElMachete_doc.yar delete mode 100644 yara-mikesxrs/Checkpoint/ElMachete_msi.yar delete mode 100644 yara-mikesxrs/Checkpoint/Gozi_JJ_struct.yar delete mode 100644 yara-mikesxrs/Checkpoint/Russia_Detector_rules.yar delete mode 100644 yara-mikesxrs/Checkpoint/TeamViwer_backdoor.yar delete mode 100644 yara-mikesxrs/Checkpoint/ZZ_breakwin_config.yar delete mode 100644 yara-mikesxrs/Checkpoint/ZZ_breakwin_meteor_batch_files.yar delete mode 100644 yara-mikesxrs/Checkpoint/ZZ_breakwin_stardust_vbs.yar delete mode 100644 yara-mikesxrs/Checkpoint/ZZ_breakwin_wiper.yar delete mode 100644 yara-mikesxrs/Checkpoint/apt3_bemstour_implant_byte_patch.yar delete mode 100644 yara-mikesxrs/Checkpoint/apt3_bemstour_implant_command_stack_variable.yar delete mode 100644 yara-mikesxrs/Checkpoint/apt3_bemstour_strings.yar delete mode 100644 yara-mikesxrs/Checkpoint/apt_CN_TwistedPanda_64bit_Loader.yar delete mode 100644 
yara-mikesxrs/Checkpoint/apt_CN_TwistedPanda_SPINNER_1.yar delete mode 100644 yara-mikesxrs/Checkpoint/apt_CN_TwistedPanda_SPINNER_2.yar delete mode 100644 yara-mikesxrs/Checkpoint/apt_CN_TwistedPanda_droppers.yar delete mode 100644 yara-mikesxrs/Checkpoint/apt_CN_TwistedPanda_loader.yar delete mode 100644 yara-mikesxrs/Checkpoint/apt_WebAssistant_TcahfUpdate.yar delete mode 100644 yara-mikesxrs/Checkpoint/apt_nazar_component_guids.yar delete mode 100644 yara-mikesxrs/Checkpoint/apt_nazar_svchost_commands.yar delete mode 100644 yara-mikesxrs/Checkpoint/checkpoint_index.yara delete mode 100644 yara-mikesxrs/Checkpoint/explosive_dll.yar delete mode 100644 yara-mikesxrs/Checkpoint/explosive_exe.yar delete mode 100644 yara-mikesxrs/Checkpoint/goziv3_trojan.yar delete mode 100644 yara-mikesxrs/Checkpoint/injector_ZZ_dotRunpeX.yar delete mode 100644 yara-mikesxrs/Checkpoint/injector_ZZ_dotRunpeX_oldnew.yar delete mode 100644 yara-mikesxrs/Checkpoint/lyceum_dotnet_dns_backdoor.yar delete mode 100644 yara-mikesxrs/Checkpoint/lyceum_dotnet_http_backdoor.yar delete mode 100644 yara-mikesxrs/Checkpoint/lyceum_golang_backdoor.yar delete mode 100644 yara-mikesxrs/Checkpoint/malware_bumblebee_packed.yar delete mode 100644 yara-mikesxrs/Checkpoint/nazar_component_guids.yar delete mode 100644 yara-mikesxrs/Checkpoint/qbot_vbs.yar delete mode 100644 yara-mikesxrs/Checkpoint/ransomware_ZZ_azov_wiper.yar delete mode 100644 yara-mikesxrs/CyberDefenses/installmonstr.yar delete mode 100644 yara-mikesxrs/CyberDefenses/u34.yar delete mode 100644 yara-mikesxrs/CyberDefenses/wirenet_dropper.yar delete mode 100644 yara-mikesxrs/Fidelis/AlienSpy.yar delete mode 100644 yara-mikesxrs/Fidelis/DarkComet.yar delete mode 100644 yara-mikesxrs/Fidelis/DarkCometDownloader.yar delete mode 100644 yara-mikesxrs/Fidelis/Scanbox.yar delete mode 100644 yara-mikesxrs/Fidelis/Ursnif_report_variant_memory.yar delete mode 100644 yara-mikesxrs/Fidelis/XenonCrypter.yar delete mode 100644 
yara-mikesxrs/Fidelis/apt_nix_elf_Derusbi_Linux_SharedMemCreation.yar delete mode 100644 yara-mikesxrs/Fidelis/apt_nix_elf_Derusbi_Linux_Strings.yar delete mode 100644 yara-mikesxrs/Fidelis/apt_nix_elf_derusbi.yar delete mode 100644 yara-mikesxrs/Fidelis/apt_nix_elf_derusbi_kernelModule.yar delete mode 100644 yara-mikesxrs/Fidelis/apt_win32_dll_bergard_pgv_pvid_variant.yar delete mode 100644 yara-mikesxrs/Fidelis/apt_win32_dll_rat_hiZorRAT.yar delete mode 100644 yara-mikesxrs/Fidelis/apt_win_exe_trojan_derusbi.yar delete mode 100644 yara-mikesxrs/Fidelis/crime_win32_exe_rat_netwire.yar delete mode 100644 yara-mikesxrs/Fidelis/crime_win_PWS_Fareit.yar delete mode 100644 yara-mikesxrs/Fidelis/network_traffic_njRAT.yar delete mode 100644 yara-mikesxrs/Fidelis/win_exe_njRAT.yar delete mode 100644 yara-mikesxrs/Fidelis/win_vbs_rat_hworm.yara delete mode 100644 yara-mikesxrs/Fireeye/APT19_LEGALSTRIKE_DOCUMENT.yara delete mode 100644 yara-mikesxrs/Fireeye/APT32_ActiveMime_Lure.yar delete mode 100644 yara-mikesxrs/Fireeye/APT_DeputyDog_Strings.yar delete mode 100644 yara-mikesxrs/Fireeye/BadRabbit.yar delete mode 100644 yara-mikesxrs/Fireeye/FE_APT_9002_rat.yar delete mode 100644 yara-mikesxrs/Fireeye/FE_petya_ransomware,yar delete mode 100644 yara-mikesxrs/Fireeye/Fireeye_red_team_tool_countermeasures.yar delete mode 100644 yara-mikesxrs/Fireeye/Fireye_index.yara delete mode 100644 yara-mikesxrs/Fireeye/MACROCHECK.YAR delete mode 100644 yara-mikesxrs/Fireeye/Molerats_certs.yar delete mode 100644 yara-mikesxrs/Fireeye/TRITON_Framework.yar delete mode 100644 yara-mikesxrs/Fireeye/callTogether_certificate.yar delete mode 100644 yara-mikesxrs/Fireeye/hastati.yar delete mode 100644 yara-mikesxrs/Fireeye/qti_certificate.yar delete mode 100644 yara-mikesxrs/Florian Roth/Florian_Roth_index.yara delete mode 100644 yara-mikesxrs/Florian Roth/Havex_Trojan.yar delete mode 100644 yara-mikesxrs/Florian Roth/Havex_Trojan_PHP_Server.yar delete mode 100644 yara-mikesxrs/Florian 
Roth/POSCardStealer_SpyBot.yar delete mode 100644 yara-mikesxrs/Florian Roth/apt_alienspy_rat.yar delete mode 100644 yara-mikesxrs/Florian Roth/apt_apt17_malware.yar delete mode 100644 yara-mikesxrs/Florian Roth/apt_apt28.yar delete mode 100644 yara-mikesxrs/Florian Roth/apt_apt30_backspace.yar delete mode 100644 yara-mikesxrs/Florian Roth/apt_apt6_malware.yar delete mode 100644 yara-mikesxrs/Florian Roth/apt_backdoor_ssh_python.yar delete mode 100644 yara-mikesxrs/Florian Roth/apt_backspace.yar delete mode 100644 yara-mikesxrs/Florian Roth/apt_beepservice.yar delete mode 100644 yara-mikesxrs/Florian Roth/apt_between-hk-and-burma.yar delete mode 100644 yara-mikesxrs/Florian Roth/apt_blackenergy.yar delete mode 100644 yara-mikesxrs/Florian Roth/apt_blackenergy_installer.yar delete mode 100644 yara-mikesxrs/Florian Roth/apt_bluetermite_emdivi.yar delete mode 100644 yara-mikesxrs/Florian Roth/apt_buckeye.yar delete mode 100644 yara-mikesxrs/Florian Roth/apt_casper.yar delete mode 100644 yara-mikesxrs/Florian Roth/apt_cheshirecat.yar delete mode 100644 yara-mikesxrs/Florian Roth/apt_cloudduke.yar delete mode 100644 yara-mikesxrs/Florian Roth/apt_codoso.yar delete mode 100644 yara-mikesxrs/Florian Roth/apt_coreimpact_agent.yar delete mode 100644 yara-mikesxrs/Florian Roth/apt_cve2015_5119.yar delete mode 100644 yara-mikesxrs/Florian Roth/apt_danti_svcmondr.yar delete mode 100644 yara-mikesxrs/Florian Roth/apt_deeppanda.yar delete mode 100644 yara-mikesxrs/Florian Roth/apt_derusbi.yar delete mode 100644 yara-mikesxrs/Florian Roth/apt_dubnium.yar delete mode 100644 yara-mikesxrs/Florian Roth/apt_duqu2.yar delete mode 100644 yara-mikesxrs/Florian Roth/apt_emissary.yar delete mode 100644 yara-mikesxrs/Florian Roth/apt_eqgrp.yar delete mode 100644 yara-mikesxrs/Florian Roth/apt_fakem_backdoor.yar delete mode 100644 yara-mikesxrs/Florian Roth/apt_fancybear_dnc.yar delete mode 100644 yara-mikesxrs/Florian Roth/apt_fidelis_phishing_plain_sight.yar delete mode 100644 
yara-mikesxrs/Florian Roth/apt_four_element_sword.yar delete mode 100644 yara-mikesxrs/Florian Roth/apt_furtim.yar delete mode 100644 yara-mikesxrs/Florian Roth/apt_ghostdragon_gh0st_rat.yar delete mode 100644 yara-mikesxrs/Florian Roth/apt_glassRAT.yar delete mode 100644 yara-mikesxrs/Florian Roth/apt_hackingteam_rules.yar delete mode 100644 yara-mikesxrs/Florian Roth/apt_hellsing_kaspersky.yar delete mode 100644 yara-mikesxrs/Florian Roth/apt_hizor_rat.yar delete mode 100644 yara-mikesxrs/Florian Roth/apt_indetectables_rat.yar delete mode 100644 yara-mikesxrs/Florian Roth/apt_inocnation.yar delete mode 100644 yara-mikesxrs/Florian Roth/apt_irongate.yar delete mode 100644 yara-mikesxrs/Florian Roth/apt_irontiger.yar delete mode 100644 yara-mikesxrs/Florian Roth/apt_irontiger_trendmicro.yar delete mode 100644 yara-mikesxrs/Florian Roth/apt_kaspersky_duqu2.yar delete mode 100644 yara-mikesxrs/Florian Roth/apt_keylogger_cn.yar delete mode 100644 yara-mikesxrs/Florian Roth/apt_korplug_fast.yar delete mode 100644 yara-mikesxrs/Florian Roth/apt_laudanum_webshells.yar delete mode 100644 yara-mikesxrs/Florian Roth/apt_miniasp.yar delete mode 100644 yara-mikesxrs/Florian Roth/apt_minidionis.yar delete mode 100644 yara-mikesxrs/Florian Roth/apt_mofang.yar delete mode 100644 yara-mikesxrs/Florian Roth/apt_ms_platinum.yara delete mode 100644 yara-mikesxrs/Florian Roth/apt_naikon.yar delete mode 100644 yara-mikesxrs/Florian Roth/apt_nanocore_rat.yar delete mode 100644 yara-mikesxrs/Florian Roth/apt_onhat_proxy.yar delete mode 100644 yara-mikesxrs/Florian Roth/apt_op_cleaver.yar delete mode 100644 yara-mikesxrs/Florian Roth/apt_passthehashtoolkit.yar delete mode 100644 yara-mikesxrs/Florian Roth/apt_plugx.yar delete mode 100644 yara-mikesxrs/Florian Roth/apt_poisonivy.yar delete mode 100644 yara-mikesxrs/Florian Roth/apt_poisonivy_gen3.yar delete mode 100644 yara-mikesxrs/Florian Roth/apt_poseidon_group.yar delete mode 100644 yara-mikesxrs/Florian Roth/apt_prikormka.yar delete 
mode 100644 yara-mikesxrs/Florian Roth/apt_project_m.yar delete mode 100644 yara-mikesxrs/Florian Roth/apt_project_sauron.yara delete mode 100644 yara-mikesxrs/Florian Roth/apt_project_sauron_extras.yar delete mode 100644 yara-mikesxrs/Florian Roth/apt_putterpanda.yar delete mode 100644 yara-mikesxrs/Florian Roth/apt_quarkspwdump.yar delete mode 100644 yara-mikesxrs/Florian Roth/apt_rocketkitten_keylogger.yar delete mode 100644 yara-mikesxrs/Florian Roth/apt_ruag.yar delete mode 100644 yara-mikesxrs/Florian Roth/apt_rwmc_powershell_creddump.yar delete mode 100644 yara-mikesxrs/Florian Roth/apt_sakula.yar delete mode 100644 yara-mikesxrs/Florian Roth/apt_scanbox_deeppanda.yar delete mode 100644 yara-mikesxrs/Florian Roth/apt_seaduke_unit42.yar delete mode 100644 yara-mikesxrs/Florian Roth/apt_shamoon.yar delete mode 100644 yara-mikesxrs/Florian Roth/apt_skeletonkey.yar delete mode 100644 yara-mikesxrs/Florian Roth/apt_snowglobe_babar.yar delete mode 100644 yara-mikesxrs/Florian Roth/apt_sofacy_dec15.yar delete mode 100644 yara-mikesxrs/Florian Roth/apt_sofacy_fysbis.yar delete mode 100644 yara-mikesxrs/Florian Roth/apt_sofacy_jun16.yar delete mode 100644 yara-mikesxrs/Florian Roth/apt_sofacy_xtunnel_bundestag.yar delete mode 100644 yara-mikesxrs/Florian Roth/apt_sphinx_moth.yar delete mode 100644 yara-mikesxrs/Florian Roth/apt_strider.yara delete mode 100644 yara-mikesxrs/Florian Roth/apt_stuxnet.yar delete mode 100644 yara-mikesxrs/Florian Roth/apt_suckfly.yar delete mode 100644 yara-mikesxrs/Florian Roth/apt_sysscan.yar delete mode 100644 yara-mikesxrs/Florian Roth/apt_terracotta.yar delete mode 100644 yara-mikesxrs/Florian Roth/apt_terracotta_liudoor.yar delete mode 100644 yara-mikesxrs/Florian Roth/apt_threatgroup_3390.yar delete mode 100644 yara-mikesxrs/Florian Roth/apt_tidepool.yar delete mode 100644 yara-mikesxrs/Florian Roth/apt_turbo_campaign.yar delete mode 100644 yara-mikesxrs/Florian Roth/apt_turla.yar delete mode 100644 yara-mikesxrs/Florian 
Roth/apt_unit78020_malware.yar delete mode 100644 yara-mikesxrs/Florian Roth/apt_volatile_cedar.yar delete mode 100644 yara-mikesxrs/Florian Roth/apt_waterbug.yar delete mode 100644 yara-mikesxrs/Florian Roth/apt_webshell_chinachopper.yar delete mode 100644 yara-mikesxrs/Florian Roth/apt_wildneutron.yar delete mode 100644 yara-mikesxrs/Florian Roth/apt_win_plugx.yar delete mode 100644 yara-mikesxrs/Florian Roth/apt_winnti.yar delete mode 100644 yara-mikesxrs/Florian Roth/apt_woolengoldfish.yar delete mode 100644 yara-mikesxrs/Florian Roth/cn_pentestset_scripts.yar delete mode 100644 yara-mikesxrs/Florian Roth/cn_pentestset_tools.yar delete mode 100644 yara-mikesxrs/Florian Roth/cn_pentestset_webshells.yar delete mode 100644 yara-mikesxrs/Florian Roth/cridex.yar delete mode 100644 yara-mikesxrs/Florian Roth/crime_antifw_installrex.yar delete mode 100644 yara-mikesxrs/Florian Roth/crime_bernhard_pos.yar delete mode 100644 yara-mikesxrs/Florian Roth/crime_buzus_softpulse.yar delete mode 100644 yara-mikesxrs/Florian Roth/crime_cmstar.yar delete mode 100644 yara-mikesxrs/Florian Roth/crime_cryptowall_svg.yar delete mode 100644 yara-mikesxrs/Florian Roth/crime_dexter_trojan.yar delete mode 100644 yara-mikesxrs/Florian Roth/crime_dridex_xml.yar delete mode 100644 yara-mikesxrs/Florian Roth/crime_enfal.yar delete mode 100644 yara-mikesxrs/Florian Roth/crime_fareit.yar delete mode 100644 yara-mikesxrs/Florian Roth/crime_kins_dropper.yar delete mode 100644 yara-mikesxrs/Florian Roth/crime_kraken_bot1.yar delete mode 100644 yara-mikesxrs/Florian Roth/crime_locky.yar delete mode 100644 yara-mikesxrs/Florian Roth/crime_malumpos.yar delete mode 100644 yara-mikesxrs/Florian Roth/crime_malware_generic.yar delete mode 100644 yara-mikesxrs/Florian Roth/crime_mikey_trojan.yar delete mode 100644 yara-mikesxrs/Florian Roth/crime_petya_ransom.yar delete mode 100644 yara-mikesxrs/Florian Roth/crime_phish_gina_dec15.yar delete mode 100644 yara-mikesxrs/Florian 
Roth/crime_rombertik_carbongrabber.yar delete mode 100644 yara-mikesxrs/Florian Roth/crime_shifu_trojan.yar delete mode 100644 yara-mikesxrs/Florian Roth/crime_upatre_oct15.yar delete mode 100644 yara-mikesxrs/Florian Roth/exploit_cve_2015_1674.yar delete mode 100644 yara-mikesxrs/Florian Roth/exploit_cve_2015_1701.yar delete mode 100644 yara-mikesxrs/Florian Roth/exploit_cve_2015_2426.yar delete mode 100644 yara-mikesxrs/Florian Roth/exploit_uac_elevators.yar delete mode 100644 yara-mikesxrs/Florian Roth/gen_ace_with_exe.yar delete mode 100644 yara-mikesxrs/Florian Roth/gen_b374k_extra.yar delete mode 100644 yara-mikesxrs/Florian Roth/gen_cn_hacktool_scripts.yar delete mode 100644 yara-mikesxrs/Florian Roth/gen_cn_hacktools.yar delete mode 100644 yara-mikesxrs/Florian Roth/gen_cn_webshells.yar delete mode 100644 yara-mikesxrs/Florian Roth/gen_deviceguard_evasion.yar delete mode 100644 yara-mikesxrs/Florian Roth/gen_faked_versions.yar delete mode 100644 yara-mikesxrs/Florian Roth/gen_gpp_cpassword.yar delete mode 100644 yara-mikesxrs/Florian Roth/gen_invoke_mimikatz.yar delete mode 100644 yara-mikesxrs/Florian Roth/gen_kerberoast.yar delete mode 100644 yara-mikesxrs/Florian Roth/gen_kirbi_mimkatz.yar delete mode 100644 yara-mikesxrs/Florian Roth/gen_malware_set_qa.yar delete mode 100644 yara-mikesxrs/Florian Roth/gen_metasploit_loader_rsmudge.yar delete mode 100644 yara-mikesxrs/Florian Roth/gen_mimikittenz.yar delete mode 100644 yara-mikesxrs/Florian Roth/gen_nopowershell.yar delete mode 100644 yara-mikesxrs/Florian Roth/gen_pirpi.yar delete mode 100644 yara-mikesxrs/Florian Roth/gen_powerkatz.yar delete mode 100644 yara-mikesxrs/Florian Roth/gen_powershell_empire.yar delete mode 100644 yara-mikesxrs/Florian Roth/gen_powershell_toolkit.yar delete mode 100644 yara-mikesxrs/Florian Roth/gen_regsrv32_issue.yar delete mode 100644 yara-mikesxrs/Florian Roth/gen_sharpcat.yar delete mode 100644 yara-mikesxrs/Florian Roth/gen_tempracer.yar delete mode 100644 
yara-mikesxrs/Florian Roth/gen_thumbs_cloaking.yar delete mode 100644 yara-mikesxrs/Florian Roth/gen_transformed_strings.yar delete mode 100644 yara-mikesxrs/Florian Roth/gen_win_privesc.yar delete mode 100644 yara-mikesxrs/Florian Roth/gen_winshells.yar delete mode 100644 yara-mikesxrs/Florian Roth/general_cloaking.yar delete mode 100644 yara-mikesxrs/Florian Roth/general_officemacros.yar delete mode 100644 yara-mikesxrs/Florian Roth/generic_anomalies.yar delete mode 100644 yara-mikesxrs/Florian Roth/generic_cryptors.yar delete mode 100644 yara-mikesxrs/Florian Roth/generic_dumps.yar delete mode 100644 yara-mikesxrs/Florian Roth/generic_exe2hex_payload.yar delete mode 100644 yara-mikesxrs/Florian Roth/pup_lightftp.yar delete mode 100644 yara-mikesxrs/Florian Roth/spy_equation_fiveeyes.yar delete mode 100644 yara-mikesxrs/Florian Roth/spy_querty_fiveeyes.yar delete mode 100644 yara-mikesxrs/Florian Roth/spy_regin_fiveeyes.yar delete mode 100644 yara-mikesxrs/Florian Roth/thor-hacktools.yar delete mode 100644 yara-mikesxrs/Florian Roth/thor-webshells.yar delete mode 100644 yara-mikesxrs/Florian Roth/thor_inverse_matches.yar delete mode 100644 yara-mikesxrs/Florian Roth/threat_lenovo_superfish.yar delete mode 100644 yara-mikesxrs/InQuest/Adobe_Flash_DRM_Use_After_Free.yar delete mode 100644 yara-mikesxrs/InQuest/AgentTesla.yar delete mode 100644 yara-mikesxrs/InQuest/CVE_2018_4878_0day_ITW.yar delete mode 100644 yara-mikesxrs/InQuest/Embedded_PE_File.yar delete mode 100644 yara-mikesxrs/InQuest/Excel_IQY_File.yar delete mode 100644 yara-mikesxrs/InQuest/Excel_IQY_File_Suspicious_Request.yar delete mode 100644 yara-mikesxrs/InQuest/Excel_IQY_File_With_file_extension.yar delete mode 100644 yara-mikesxrs/InQuest/Hiddenbee.yar delete mode 100644 yara-mikesxrs/InQuest/MC_Office_DDE.yar delete mode 100644 yara-mikesxrs/InQuest/Microsoft_Office_Document_with_Embedded_Flash_File.yar delete mode 100644 yara-mikesxrs/InQuest/NTLM_Credential_Theft_via_PDF.yar delete mode 100644 
yara-mikesxrs/InQuest/RTF_Byte_Nibble_Obfuscation_method.yar delete mode 100644 yara-mikesxrs/Kevin Falcoz/BlackShades_Trojan.yar delete mode 100644 yara-mikesxrs/Kevin Falcoz/Bublik_Downloader.yar delete mode 100644 yara-mikesxrs/Kevin Falcoz/Grozlex_Stealer.yar delete mode 100644 yara-mikesxrs/Kevin Falcoz/Kevin_Falcoz_index.yara delete mode 100644 yara-mikesxrs/Kevin Falcoz/Packers.yar delete mode 100644 yara-mikesxrs/Kevin Falcoz/Wabot_Worm.yar delete mode 100644 yara-mikesxrs/Kevin Falcoz/YahLover_Worm.yar delete mode 100644 yara-mikesxrs/Kevin Falcoz/Zegost_Trojan.yar delete mode 100644 yara-mikesxrs/Kevin Falcoz/compilers.yar delete mode 100644 yara-mikesxrs/Kevin Falcoz/lost_door_Trojan.yar delete mode 100644 yara-mikesxrs/Kevin Falcoz/universal_1337_stealer_serveur.yar delete mode 100644 yara-mikesxrs/Kevin Falcoz/xtreme_rat.yar delete mode 100644 yara-mikesxrs/Koodous/ASSDdeveloper.yar delete mode 100644 yara-mikesxrs/Koodous/Android.yar delete mode 100644 yara-mikesxrs/Koodous/Android_VirusPolicia.yar delete mode 100644 yara-mikesxrs/Koodous/Android_adware.yar delete mode 100644 yara-mikesxrs/Koodous/Android_mapin.yar delete mode 100644 yara-mikesxrs/Koodous/BatteryBot_ClickFraud.yar delete mode 100644 yara-mikesxrs/Koodous/ChinesePorn.yar delete mode 100644 yara-mikesxrs/Koodous/Drendoid_RAT.yar delete mode 100644 yara-mikesxrs/Koodous/FakeApps.yar delete mode 100644 yara-mikesxrs/Koodous/Fake_MosKow.yar delete mode 100644 yara-mikesxrs/Koodous/HackingTeam.yar delete mode 100644 yara-mikesxrs/Koodous/Koodous_index.yara delete mode 100644 yara-mikesxrs/Koodous/MalwareCertificates.yar delete mode 100644 yara-mikesxrs/Koodous/Ramsonware.yar delete mode 100644 yara-mikesxrs/Koodous/SMSsender.yar delete mode 100644 yara-mikesxrs/Koodous/Tinhvan.yar delete mode 100644 yara-mikesxrs/Koodous/generic_adware.yar delete mode 100644 yara-mikesxrs/Koodous/generic_smsfraud.yar delete mode 100644 yara-mikesxrs/Koodous/koler_ransomware.yar delete mode 100644 
yara-mikesxrs/Koodous/malware_Advertising.yar delete mode 100644 yara-mikesxrs/Koodous/malware_Dropper.yar delete mode 100644 yara-mikesxrs/Koodous/mobidash.yar delete mode 100644 yara-mikesxrs/Koodous/realshell.yar delete mode 100644 yara-mikesxrs/Koodous/xbot007.yar delete mode 100644 yara-mikesxrs/McAfee/APT_KimSuky_dllbckdr.yar delete mode 100644 yara-mikesxrs/McAfee/BadRabbit_Ransomware.yar delete mode 100644 yara-mikesxrs/McAfee/CTB_Locker_Ransomware.yar delete mode 100644 yara-mikesxrs/McAfee/CredStealer.yar delete mode 100644 yara-mikesxrs/McAfee/CryptoLocker_rule2.yar delete mode 100644 yara-mikesxrs/McAfee/CryptoLocker_set1.yar delete mode 100644 yara-mikesxrs/McAfee/GPGQwerty_ransomware.yar delete mode 100644 yara-mikesxrs/McAfee/McAfee_index.yara delete mode 100644 yara-mikesxrs/McAfee/NionSpy.yar delete mode 100644 yara-mikesxrs/McAfee/OLE_JSRAT.yar delete mode 100644 yara-mikesxrs/McAfee/SAmSAmRansom2016,yar delete mode 100644 yara-mikesxrs/McAfee/SamSam_Ransomware_Latest.yar delete mode 100644 yara-mikesxrs/McAfee/Spygate_2.9_RAT.yar delete mode 100644 yara-mikesxrs/McAfee/W97M_Vawtrak_dropper.yar delete mode 100644 yara-mikesxrs/McAfee/WannaCry.yar delete mode 100644 yara-mikesxrs/McAfee/kraken_ransomware.yar delete mode 100644 yara-mikesxrs/McAfee/rovnix_downloader.yar delete mode 100644 yara-mikesxrs/McAfee/shifu.yar delete mode 100644 yara-mikesxrs/NCCGroup/APT15.yar delete mode 100644 yara-mikesxrs/NCCGroup/ISMRAT.yar delete mode 100644 yara-mikesxrs/NCCGroup/Sakula.yar delete mode 100644 yara-mikesxrs/NCCGroup/authenticode_anomalies.yara delete mode 100644 yara-mikesxrs/NCCGroup/badwinmail.yara delete mode 100644 yara-mikesxrs/NCCGroup/heartbleed.yar delete mode 100644 yara-mikesxrs/NCCGroup/metaStealer_memory.yar delete mode 100644 yara-mikesxrs/NCCGroup/package_manager.yara delete mode 100644 yara-mikesxrs/NCCGroup/redleaves.yar delete mode 100644 yara-mikesxrs/NCCGroup/turla_neuron_nautilus.yar delete mode 100644 
yara-mikesxrs/NCSC/SparrowDoor_apipatch.yar delete mode 100644 yara-mikesxrs/NCSC/SparrowDoor_clipshot.yar delete mode 100644 yara-mikesxrs/NCSC/SparrowDoor_config.yar delete mode 100644 yara-mikesxrs/NCSC/SparrowDoor_loader.yar delete mode 100644 yara-mikesxrs/NCSC/SparrowDoor_shellcode.yar delete mode 100644 yara-mikesxrs/NCSC/SparrowDoor_sleep_routine.yar delete mode 100644 yara-mikesxrs/NCSC/SparrowDoor_strings.yar delete mode 100644 yara-mikesxrs/NCSC/SparrowDoor_xor.yar delete mode 100644 yara-mikesxrs/NCSC/turla_neuron_nautilus.yar delete mode 100644 yara-mikesxrs/PL CERT/Madprotect_packer.yar delete mode 100644 yara-mikesxrs/PL CERT/Polish_Bankbot_mobile.yar delete mode 100644 yara-mikesxrs/PL CERT/cryptomix_packer.yar delete mode 100644 yara-mikesxrs/PL CERT/cryptomix_payload.yar delete mode 100644 yara-mikesxrs/PL CERT/kbot.yar delete mode 100644 yara-mikesxrs/PL CERT/necurs.yar delete mode 100644 yara-mikesxrs/PL CERT/nymaim.yar delete mode 100644 yara-mikesxrs/PL CERT/ramnit.yar delete mode 100644 yara-mikesxrs/PL CERT/sage.yar delete mode 100644 yara-mikesxrs/PL CERT/tofsee.yar delete mode 100644 yara-mikesxrs/Recorded Future/TEMP.Periscope_Spearphish.yar delete mode 100644 yara-mikesxrs/Recorded Future/ext4_linuxlistener.yar delete mode 100644 yara-mikesxrs/SenseCy/ORXLocker.yar delete mode 100644 yara-mikesxrs/SenseCy/njrat_08d.yar delete mode 100644 yara-mikesxrs/Seth Hardy/3102.yar delete mode 100644 yara-mikesxrs/Seth Hardy/9002.yar delete mode 100644 yara-mikesxrs/Seth Hardy/APT_NGO_wuaclt.yar delete mode 100644 yara-mikesxrs/Seth Hardy/Babar.yar delete mode 100644 yara-mikesxrs/Seth Hardy/GeorBot.yar delete mode 100644 yara-mikesxrs/Seth Hardy/Scieron.yar delete mode 100644 yara-mikesxrs/Seth Hardy/Seth_Hardy_index.yara delete mode 100644 yara-mikesxrs/Seth Hardy/Swisyn.yar delete mode 100644 yara-mikesxrs/Seth Hardy/Waterbug.yar delete mode 100644 yara-mikesxrs/Seth Hardy/apt1.yar delete mode 100644 yara-mikesxrs/Seth Hardy/bangat.yar delete 
mode 100644 yara-mikesxrs/Seth Hardy/boouset.yar delete mode 100644 yara-mikesxrs/Seth Hardy/comfoo.yar delete mode 100644 yara-mikesxrs/Seth Hardy/cookies.yar delete mode 100644 yara-mikesxrs/Seth Hardy/cxpid.yar delete mode 100644 yara-mikesxrs/Seth Hardy/enfal.yar delete mode 100644 yara-mikesxrs/Seth Hardy/ezcob.yar delete mode 100644 yara-mikesxrs/Seth Hardy/f0xy.yar delete mode 100644 yara-mikesxrs/Seth Hardy/fakem.yar delete mode 100644 yara-mikesxrs/Seth Hardy/favorite.yar delete mode 100644 yara-mikesxrs/Seth Hardy/glasses.yar delete mode 100644 yara-mikesxrs/Seth Hardy/hangover.yar delete mode 100644 yara-mikesxrs/Seth Hardy/iexpl0re.yar delete mode 100644 yara-mikesxrs/Seth Hardy/imuler.yar delete mode 100644 yara-mikesxrs/Seth Hardy/insta11.yar delete mode 100644 yara-mikesxrs/Seth Hardy/kins.yar delete mode 100644 yara-mikesxrs/Seth Hardy/leverage.yar delete mode 100644 yara-mikesxrs/Seth Hardy/luckycat.yar delete mode 100644 yara-mikesxrs/Seth Hardy/lurk0+cctv0.yar delete mode 100644 yara-mikesxrs/Seth Hardy/maccontrol.yar delete mode 100644 yara-mikesxrs/Seth Hardy/mask.yar delete mode 100644 yara-mikesxrs/Seth Hardy/mirage.yar delete mode 100644 yara-mikesxrs/Seth Hardy/mongal.yar delete mode 100644 yara-mikesxrs/Seth Hardy/naikon.yar delete mode 100644 yara-mikesxrs/Seth Hardy/naspyupdate.yar delete mode 100644 yara-mikesxrs/Seth Hardy/nettraveler.yar delete mode 100644 yara-mikesxrs/Seth Hardy/nsfree.yar delete mode 100644 yara-mikesxrs/Seth Hardy/olyx.yar delete mode 100644 yara-mikesxrs/Seth Hardy/plugx.yar delete mode 100644 yara-mikesxrs/Seth Hardy/pubsab.yar delete mode 100644 yara-mikesxrs/Seth Hardy/quarian.yar delete mode 100644 yara-mikesxrs/Seth Hardy/regsubdat.yar delete mode 100644 yara-mikesxrs/Seth Hardy/remote.yar delete mode 100644 yara-mikesxrs/Seth Hardy/rookie.yar delete mode 100644 yara-mikesxrs/Seth Hardy/rooter.yar delete mode 100644 yara-mikesxrs/Seth Hardy/safenet.yar delete mode 100644 yara-mikesxrs/Seth Hardy/scarhikn.yar 
delete mode 100644 yara-mikesxrs/Seth Hardy/shell_crew.yar delete mode 100644 yara-mikesxrs/Seth Hardy/surtr.yar delete mode 100644 yara-mikesxrs/Seth Hardy/t5000.yar delete mode 100644 yara-mikesxrs/Seth Hardy/urausy_skypedat.yar delete mode 100644 yara-mikesxrs/Seth Hardy/vidgrab.yar delete mode 100644 yara-mikesxrs/Seth Hardy/warp.yar delete mode 100644 yara-mikesxrs/Seth Hardy/wimmie.yar delete mode 100644 yara-mikesxrs/Seth Hardy/xtreme.yar delete mode 100644 yara-mikesxrs/Seth Hardy/yayih.yar delete mode 100644 yara-mikesxrs/ThreatStreamLabs/PyInstaller_Binary.yar delete mode 100644 yara-mikesxrs/Trend Micro/FighterPOS.yar delete mode 100644 yara-mikesxrs/Trend Micro/PoS_Malware_MalumPOS.yar delete mode 100644 yara-mikesxrs/Trend Micro/PoS_Malware_NewPOSThings2015.yar delete mode 100644 yara-mikesxrs/Trend Micro/PoS_Malware_RawPOS2015_dumper.yar delete mode 100644 yara-mikesxrs/Trend Micro/PoS_Malware_RawPOS2015_dumper_old.yar delete mode 100644 yara-mikesxrs/Trend Micro/PoS_Malware_RawPOS2015_service.yar delete mode 100644 yara-mikesxrs/Trend Micro/VBS.yar delete mode 100644 yara-mikesxrs/Trend Micro/cracked_loki.yar delete mode 100644 yara-mikesxrs/Trend Micro/crime_linux_umbreon _ rootkit.yar delete mode 100644 yara-mikesxrs/US CERT/APT10 Dropper.yar delete mode 100644 yara-mikesxrs/US CERT/APT10 Redleaves Plugx.yar delete mode 100644 yara-mikesxrs/US CERT/APT10 Redleaves loader.yar delete mode 100644 yara-mikesxrs/US CERT/APT10 Redleaves.yar delete mode 100644 yara-mikesxrs/US CERT/APT10 redleaves handkerchief.yar delete mode 100644 yara-mikesxrs/US CERT/APT28_IMPLANT_1.yara delete mode 100644 yara-mikesxrs/US CERT/APT28_IMPLANT_2.yara delete mode 100644 yara-mikesxrs/US CERT/APT28_IMPLANT_3.yara delete mode 100644 yara-mikesxrs/US CERT/APT28_IMPLANT_5.yara delete mode 100644 yara-mikesxrs/US CERT/APT28_IMPLANT_6.yara delete mode 100644 yara-mikesxrs/US CERT/APT28_implant_4.yara delete mode 100644 yara-mikesxrs/US CERT/APT29_IMPLANT_10.yara delete mode 
100644 yara-mikesxrs/US CERT/APT29_IMPLANT_11.yara delete mode 100644 yara-mikesxrs/US CERT/APT29_IMPLANT_12.yara delete mode 100644 yara-mikesxrs/US CERT/APT29_IMPLANT_7.yara delete mode 100644 yara-mikesxrs/US CERT/APT29_IMPLANT_8.yara delete mode 100644 yara-mikesxrs/US CERT/APT29_IMPLANT_9.yara delete mode 100644 yara-mikesxrs/US CERT/APT29_unidentified.yara delete mode 100644 yara-mikesxrs/US CERT/Destructive_Hard_Drive_Tool.yar delete mode 100644 yara-mikesxrs/US CERT/Destructive_Target_Cleaning_Tool.yar delete mode 100644 yara-mikesxrs/US CERT/Destructive_Target_Cleaning_Tool_2.yar delete mode 100644 yara-mikesxrs/US CERT/Destructive_Target_Cleaning_Tool_3.yar delete mode 100644 yara-mikesxrs/US CERT/Destructive_Target_Cleaning_Tool_5.yar delete mode 100644 yara-mikesxrs/US CERT/Destructive_Target_Cleaning_Tool_6.yar delete mode 100644 yara-mikesxrs/US CERT/Destructive_Target_Cleaning_Tool_7.yar delete mode 100644 yara-mikesxrs/US CERT/Destructive_Target_Cleaning_Tool_8.yar delete mode 100644 yara-mikesxrs/US CERT/Dragonfly.yar delete mode 100644 yara-mikesxrs/US CERT/Dragonfly2.0.yar delete mode 100644 yara-mikesxrs/US CERT/HIDDENCOBRA_RSA_MODULUS.yar delete mode 100644 yara-mikesxrs/US CERT/HIDDEN_COBRA.yar delete mode 100644 yara-mikesxrs/US CERT/Hidden Cobra Enfal.yar delete mode 100644 yara-mikesxrs/US CERT/Hidden_Cobra_DPRK_DDoS_Tool.yara delete mode 100644 yara-mikesxrs/US CERT/Lightweight_Backdoor.yar delete mode 100644 yara-mikesxrs/US CERT/Lightweight_Backdoor_2.yar delete mode 100644 yara-mikesxrs/US CERT/Lightweight_Backdoor_3.yar delete mode 100644 yara-mikesxrs/US CERT/Lightweight_Backdoor_4.yar delete mode 100644 yara-mikesxrs/US CERT/Lightweight_Backdoor_5.yar delete mode 100644 yara-mikesxrs/US CERT/Lightweight_Backdoor_6.yar delete mode 100644 yara-mikesxrs/US CERT/Malware_used_by_cyber_threat_actor_1.yar delete mode 100644 yara-mikesxrs/US CERT/Malware_used_by_cyber_threat_actor_2.yar delete mode 100644 yara-mikesxrs/US 
CERT/Malware_used_by_cyber_threat_actor_3.yar delete mode 100644 yara-mikesxrs/US CERT/PAS_TOOL_PHP_WEB_KIT.yar delete mode 100644 yara-mikesxrs/US CERT/Proxy Tool.yar delete mode 100644 yara-mikesxrs/US CERT/Proxy_Tool_2.yar delete mode 100644 yara-mikesxrs/US CERT/Proxy_Tool_3.yar delete mode 100644 yara-mikesxrs/US CERT/SMB_Worm_Tool.yar delete mode 100644 yara-mikesxrs/US CERT/US_CERT_index.yara delete mode 100644 yara-mikesxrs/US CERT/WannaCry.yara delete mode 100644 yara-mikesxrs/US CERT/fallchill.yar delete mode 100644 yara-mikesxrs/US CERT/hatman.yar delete mode 100644 yara-mikesxrs/WithSecure/SILKLOADER.yar delete mode 100644 yara-mikesxrs/WithSecure/ducktail_artifacts.yar delete mode 100644 yara-mikesxrs/WithSecure/ducktail_dotnet_core_infostealer.yar delete mode 100644 yara-mikesxrs/WithSecure/ducktail_exceldna_packed.yar delete mode 100644 yara-mikesxrs/WithSecure/ducktail_nativeaot.yar delete mode 100644 yara-mikesxrs/Xylitol/Malware.yar delete mode 100644 yara-mikesxrs/Xylitol/Zeus_1134.yar delete mode 100644 yara-mikesxrs/Xylitol/ibanking.yar delete mode 100644 yara-mikesxrs/Xylitol/malware_banker.yar delete mode 100644 yara-mikesxrs/alienvault/APT1_GDOCUPLOAD.yar delete mode 100644 yara-mikesxrs/alienvault/APT1_GETMAIL.yar delete mode 100644 yara-mikesxrs/alienvault/APT1_HACKSFASE1.yar delete mode 100644 yara-mikesxrs/alienvault/APT1_HACKSFASE2.yar delete mode 100644 yara-mikesxrs/alienvault/APT1_LIGHTBOLT.yar delete mode 100644 yara-mikesxrs/alienvault/APT1_MAPIGET.yar delete mode 100644 yara-mikesxrs/alienvault/APT1_RARSilent_EXE_PDF.yar delete mode 100644 yara-mikesxrs/alienvault/APT1_Revird_svc.yar delete mode 100644 yara-mikesxrs/alienvault/APT1_TARSIP_ECLIPSE.yar delete mode 100644 yara-mikesxrs/alienvault/APT1_TARSIP_MOON.yar delete mode 100644 yara-mikesxrs/alienvault/APT1_WARP.yar delete mode 100644 yara-mikesxrs/alienvault/APT1_WEBC2_ADSPACE.yar delete mode 100644 yara-mikesxrs/alienvault/APT1_WEBC2_AUSOV.yar delete mode 100644 
yara-mikesxrs/alienvault/APT1_WEBC2_BOLID.yar delete mode 100644 yara-mikesxrs/alienvault/APT1_WEBC2_CLOVER.yar delete mode 100644 yara-mikesxrs/alienvault/APT1_WEBC2_CSON.yar delete mode 100644 yara-mikesxrs/alienvault/APT1_WEBC2_DIV.yar delete mode 100644 yara-mikesxrs/alienvault/APT1_WEBC2_GREENCAT.yar delete mode 100644 yara-mikesxrs/alienvault/APT1_WEBC2_HEAD.yar delete mode 100644 yara-mikesxrs/alienvault/APT1_WEBC2_KT3.yar delete mode 100644 yara-mikesxrs/alienvault/APT1_WEBC2_QBP.yar delete mode 100644 yara-mikesxrs/alienvault/APT1_WEBC2_RAVE.yar delete mode 100644 yara-mikesxrs/alienvault/APT1_WEBC2_TABLE.yar delete mode 100644 yara-mikesxrs/alienvault/APT1_WEBC2_TOCK.yar delete mode 100644 yara-mikesxrs/alienvault/APT1_WEBC2_UGX.yar delete mode 100644 yara-mikesxrs/alienvault/APT1_WEBC2_Y21K.yar delete mode 100644 yara-mikesxrs/alienvault/APT1_WEBC2_YAHOO.yar delete mode 100644 yara-mikesxrs/alienvault/APT1_dbg_mess.yar delete mode 100644 yara-mikesxrs/alienvault/APT1_known_malicious_RARSilent.yar delete mode 100644 yara-mikesxrs/alienvault/APT1_letusgo.yar delete mode 100644 yara-mikesxrs/alienvault/AURIGA_APT1.yar delete mode 100644 yara-mikesxrs/alienvault/AURIGA_driver_APT1.yar delete mode 100644 yara-mikesxrs/alienvault/BANGAT_APT1.yar delete mode 100644 yara-mikesxrs/alienvault/BISCUIT_GREENCAT_APT1.yar delete mode 100644 yara-mikesxrs/alienvault/BOUNCER_APT1.yar delete mode 100644 yara-mikesxrs/alienvault/BOUNCER_DLL_APT1.yar delete mode 100644 yara-mikesxrs/alienvault/CALENDAR_APT1.yar delete mode 100644 yara-mikesxrs/alienvault/CCREWBACK1.yar delete mode 100644 yara-mikesxrs/alienvault/COMBOS_APT1.yar delete mode 100644 yara-mikesxrs/alienvault/CVE2012XXXX.yar delete mode 100644 yara-mikesxrs/alienvault/CaptainWord.yar delete mode 100644 yara-mikesxrs/alienvault/Careto generic malware signature.yar delete mode 100644 yara-mikesxrs/alienvault/Careto_CnC.yar delete mode 100644 yara-mikesxrs/alienvault/Careto_CnC_domains.yar delete mode 100644 
yara-mikesxrs/alienvault/Careto_OSX_SBD.yar delete mode 100644 yara-mikesxrs/alienvault/Careto_SGH.yar delete mode 100644 yara-mikesxrs/alienvault/DAIRY_APT1.yar delete mode 100644 yara-mikesxrs/alienvault/DownloaderPossibleCCrew.yar delete mode 100644 yara-mikesxrs/alienvault/EclipseSunCloudRAT.yar delete mode 100644 yara-mikesxrs/alienvault/Elise.yar delete mode 100644 yara-mikesxrs/alienvault/EzuriLoader.yar delete mode 100644 yara-mikesxrs/alienvault/EzuriLoaderOSX.yar delete mode 100644 yara-mikesxrs/alienvault/FatalRAT_unpacked.yar delete mode 100644 yara-mikesxrs/alienvault/GEN_CCREW1.yar delete mode 100644 yara-mikesxrs/alienvault/GLOOXMAIL_APT1.yar delete mode 100644 yara-mikesxrs/alienvault/GOGGLES_APT1.yar delete mode 100644 yara-mikesxrs/alienvault/GeorBotBinary.yar delete mode 100644 yara-mikesxrs/alienvault/GeorBotMemory.yar delete mode 100644 yara-mikesxrs/alienvault/HACKSFASE1_APT1.yar delete mode 100644 yara-mikesxrs/alienvault/HACKSFASE2_APT1.yar delete mode 100644 yara-mikesxrs/alienvault/Hangover2_Downloader.yar delete mode 100644 yara-mikesxrs/alienvault/Hangover2_Keylogger.yar delete mode 100644 yara-mikesxrs/alienvault/Hangover2_backdoor_shell.yar delete mode 100644 yara-mikesxrs/alienvault/Hangover2_stealer.yar delete mode 100644 yara-mikesxrs/alienvault/Hangover_Appinbot.yar delete mode 100644 yara-mikesxrs/alienvault/Hangover_Auspo.yar delete mode 100644 yara-mikesxrs/alienvault/Hangover_Deksila.yar delete mode 100644 yara-mikesxrs/alienvault/Hangover_Foler.yar delete mode 100644 yara-mikesxrs/alienvault/Hangover_Fuddol.yar delete mode 100644 yara-mikesxrs/alienvault/Hangover_Gimwlog.yar delete mode 100644 yara-mikesxrs/alienvault/Hangover_Gimwup.yar delete mode 100644 yara-mikesxrs/alienvault/Hangover_Iconfall.yar delete mode 100644 yara-mikesxrs/alienvault/Hangover_Linog.yar delete mode 100644 yara-mikesxrs/alienvault/Hangover_Slidewin.yar delete mode 100644 yara-mikesxrs/alienvault/Hangover_Smackdown_Downloader.yar delete mode 100644 
yara-mikesxrs/alienvault/Hangover_Smackdown_various.yar delete mode 100644 yara-mikesxrs/alienvault/Hangover_Tymtin_Degrab.yar delete mode 100644 yara-mikesxrs/alienvault/Hangover_UpdateEx.yar delete mode 100644 yara-mikesxrs/alienvault/Hangover_Vacrhan_Downloader.yar delete mode 100644 yara-mikesxrs/alienvault/Hangover_ron_babylon.yar delete mode 100644 yara-mikesxrs/alienvault/Java0daycve2012xxxx_generic.yar delete mode 100644 yara-mikesxrs/alienvault/KINS_DLL_zeus.yar delete mode 100644 yara-mikesxrs/alienvault/KINS_dropper.yar delete mode 100644 yara-mikesxrs/alienvault/KURTON_APT1.yar delete mode 100644 yara-mikesxrs/alienvault/Keyboy_document_ppsx_sct.yar delete mode 100644 yara-mikesxrs/alienvault/Keyboy_mobile_titan.yar delete mode 100644 yara-mikesxrs/alienvault/LIGHTDART_APT1.yar delete mode 100644 yara-mikesxrs/alienvault/LONGRUN_APT1.yar delete mode 100644 yara-mikesxrs/alienvault/MACROMAIL_APT1.yar delete mode 100644 yara-mikesxrs/alienvault/MANITSME_APT1.yar delete mode 100644 yara-mikesxrs/alienvault/MINIASP_APT1.yar delete mode 100644 yara-mikesxrs/alienvault/MiniASP.yar delete mode 100644 yara-mikesxrs/alienvault/MoonProject.yar delete mode 100644 yara-mikesxrs/alienvault/NEWSREELS_APT1.yar delete mode 100644 yara-mikesxrs/alienvault/NKRivts.yar delete mode 100644 yara-mikesxrs/alienvault/OSX_Dok.yar delete mode 100644 yara-mikesxrs/alienvault/OSX_MacSpy.yar delete mode 100644 yara-mikesxrs/alienvault/OSX_Proton.B.yar delete mode 100644 yara-mikesxrs/alienvault/OSX_Proton_B_systemd.1.yar delete mode 100644 yara-mikesxrs/alienvault/PRISM.yar delete mode 100644 yara-mikesxrs/alienvault/PrismaticSuccessor.yar delete mode 100644 yara-mikesxrs/alienvault/SEASALT_APT1.yar delete mode 100644 yara-mikesxrs/alienvault/STARSYPOUND_APT1.yar delete mode 100644 yara-mikesxrs/alienvault/SWORD_APT1.yar delete mode 100644 yara-mikesxrs/alienvault/TABMSGSQL_APT1.yar delete mode 100644 yara-mikesxrs/alienvault/TrojanCookies_CCREW.yar delete mode 100644 
yara-mikesxrs/alienvault/alienvault_index.yara delete mode 100644 yara-mikesxrs/alienvault/avdetect_procs.yar delete mode 100644 yara-mikesxrs/alienvault/ccrewDownloader1.yar delete mode 100644 yara-mikesxrs/alienvault/ccrewDownloader2.yar delete mode 100644 yara-mikesxrs/alienvault/ccrewDownloader3.yar delete mode 100644 yara-mikesxrs/alienvault/ccrewMiniasp.yar delete mode 100644 yara-mikesxrs/alienvault/ccrewQAZ.yar delete mode 100644 yara-mikesxrs/alienvault/ccrewSSLBack1.yar delete mode 100644 yara-mikesxrs/alienvault/ccrewSSLBack2.yar delete mode 100644 yara-mikesxrs/alienvault/ccrewSSLBack3.yar delete mode 100644 yara-mikesxrs/alienvault/dbgdetect_files.yar delete mode 100644 yara-mikesxrs/alienvault/dbgdetect_funcs.yar delete mode 100644 yara-mikesxrs/alienvault/dbgdetect_procs.yar delete mode 100644 yara-mikesxrs/alienvault/leverage_a.yar delete mode 100644 yara-mikesxrs/alienvault/metaxcd.yar delete mode 100644 yara-mikesxrs/alienvault/nkminer_monero.yar delete mode 100644 yara-mikesxrs/alienvault/oceanlotus_constants.yar delete mode 100644 yara-mikesxrs/alienvault/oceanlotus_xor_decode.yar delete mode 100644 yara-mikesxrs/alienvault/sandboxdetect_misc.yar delete mode 100644 yara-mikesxrs/alienvault/thequickbrow_APT1.yar delete mode 100644 yara-mikesxrs/alienvault/urasay skype.yar delete mode 100644 yara-mikesxrs/alienvault/vmdetect_misc.yar delete mode 100644 yara-mikesxrs/bluecoat/Bluecoat_index.yara delete mode 100644 yara-mikesxrs/bluecoat/InceptionAndroid.yar delete mode 100644 yara-mikesxrs/bluecoat/InceptionBlackberry.yar delete mode 100644 yara-mikesxrs/bluecoat/InceptionDLL.yar delete mode 100644 yara-mikesxrs/bluecoat/InceptionIOS.yar delete mode 100644 yara-mikesxrs/bluecoat/InceptionMips.yar delete mode 100644 yara-mikesxrs/bluecoat/InceptionRTF.yar delete mode 100644 yara-mikesxrs/bluecoat/InceptionVBS.yar delete mode 100644 yara-mikesxrs/blueliv/WannaCryptor.yar delete mode 100644 yara-mikesxrs/blueliv/banswift.yar delete mode 100644 
yara-mikesxrs/blueliv/banswift_wiper.yar delete mode 100644 yara-mikesxrs/blueliv/petya_eternalblue.yar delete mode 100644 yara-mikesxrs/codewatchorg/angler_ek_checkpoint.yar delete mode 100644 yara-mikesxrs/codewatchorg/angler_ek_redirector.yar delete mode 100644 yara-mikesxrs/codewatchorg/angler_flash.yar delete mode 100644 yara-mikesxrs/codewatchorg/angler_flash2.yar delete mode 100644 yara-mikesxrs/codewatchorg/angler_flash4.yar delete mode 100644 yara-mikesxrs/codewatchorg/angler_flash5.yar delete mode 100644 yara-mikesxrs/codewatchorg/angler_flash_uncompressed.yar delete mode 100644 yara-mikesxrs/codewatchorg/angler_html.yar delete mode 100644 yara-mikesxrs/codewatchorg/angler_html2.yar delete mode 100644 yara-mikesxrs/codewatchorg/angler_jar.yar delete mode 100644 yara-mikesxrs/codewatchorg/angler_js.yar delete mode 100644 yara-mikesxrs/codewatchorg/blackhole1_jar.yar delete mode 100644 yara-mikesxrs/codewatchorg/blackhole2_css.yar delete mode 100644 yara-mikesxrs/codewatchorg/blackhole2_htm.yar delete mode 100644 yara-mikesxrs/codewatchorg/blackhole2_htm10.yar delete mode 100644 yara-mikesxrs/codewatchorg/blackhole2_htm11.yar delete mode 100644 yara-mikesxrs/codewatchorg/blackhole2_htm12.yar delete mode 100644 yara-mikesxrs/codewatchorg/blackhole2_htm3.yar delete mode 100644 yara-mikesxrs/codewatchorg/blackhole2_htm5.yar delete mode 100644 yara-mikesxrs/codewatchorg/blackhole2_htm6.yar delete mode 100644 yara-mikesxrs/codewatchorg/blackhole2_htm8.yar delete mode 100644 yara-mikesxrs/codewatchorg/blackhole2_jar.yar delete mode 100644 yara-mikesxrs/codewatchorg/blackhole2_jar2.yar delete mode 100644 yara-mikesxrs/codewatchorg/blackhole2_jar3.yar delete mode 100644 yara-mikesxrs/codewatchorg/blackhole2_pdf.yar delete mode 100644 yara-mikesxrs/codewatchorg/blackhole_basic.yar delete mode 100644 yara-mikesxrs/codewatchorg/bleedinglife2_adobe_2010_1297_exploit.yar delete mode 100644 yara-mikesxrs/codewatchorg/bleedinglife2_adobe_2010_2884_exploit.yar delete mode 
100644 yara-mikesxrs/codewatchorg/bleedinglife2_jar2.yar delete mode 100644 yara-mikesxrs/codewatchorg/bleedinglife2_java_2010_0842_exploit.yar delete mode 100644 yara-mikesxrs/codewatchorg/codewatchorg_index.yar delete mode 100644 yara-mikesxrs/codewatchorg/crimepack_jar.yar delete mode 100644 yara-mikesxrs/codewatchorg/crimepack_jar3.yar delete mode 100644 yara-mikesxrs/codewatchorg/cve_2013_0074.yar delete mode 100644 yara-mikesxrs/codewatchorg/cve_2013_0422.yar delete mode 100644 yara-mikesxrs/codewatchorg/eleonore_jar.yar delete mode 100644 yara-mikesxrs/codewatchorg/eleonore_jar2.yar delete mode 100644 yara-mikesxrs/codewatchorg/eleonore_jar3.yar delete mode 100644 yara-mikesxrs/codewatchorg/eleonore_js.yar delete mode 100644 yara-mikesxrs/codewatchorg/eleonore_js2.yar delete mode 100644 yara-mikesxrs/codewatchorg/eleonore_js3.yar delete mode 100644 yara-mikesxrs/codewatchorg/fragus_htm.yar delete mode 100644 yara-mikesxrs/codewatchorg/fragus_js.yar delete mode 100644 yara-mikesxrs/codewatchorg/fragus_js2.yar delete mode 100644 yara-mikesxrs/codewatchorg/fragus_js_flash.yar delete mode 100644 yara-mikesxrs/codewatchorg/fragus_js_java.yar delete mode 100644 yara-mikesxrs/codewatchorg/fragus_js_quicktime.yar delete mode 100644 yara-mikesxrs/codewatchorg/fragus_js_vml.yar delete mode 100644 yara-mikesxrs/codewatchorg/malicious_office.yar delete mode 100644 yara-mikesxrs/codewatchorg/malicious_pdf.yar delete mode 100644 yara-mikesxrs/codewatchorg/phoenix_html.yar delete mode 100644 yara-mikesxrs/codewatchorg/phoenix_html10.yar delete mode 100644 yara-mikesxrs/codewatchorg/phoenix_html11.yar delete mode 100644 yara-mikesxrs/codewatchorg/phoenix_html2.yar delete mode 100644 yara-mikesxrs/codewatchorg/phoenix_html3.yar delete mode 100644 yara-mikesxrs/codewatchorg/phoenix_html4.yar delete mode 100644 yara-mikesxrs/codewatchorg/phoenix_html5.yar delete mode 100644 yara-mikesxrs/codewatchorg/phoenix_html6.yar delete mode 100644 
yara-mikesxrs/codewatchorg/phoenix_html7.yar delete mode 100644 yara-mikesxrs/codewatchorg/phoenix_html8.yar delete mode 100644 yara-mikesxrs/codewatchorg/phoenix_html9.yar delete mode 100644 yara-mikesxrs/codewatchorg/phoenix_jar.yar delete mode 100644 yara-mikesxrs/codewatchorg/phoenix_jar2.yar delete mode 100644 yara-mikesxrs/codewatchorg/phoenix_jar3.yar delete mode 100644 yara-mikesxrs/codewatchorg/phoenix_pdf.yar delete mode 100644 yara-mikesxrs/codewatchorg/phoenix_pdf2.yar delete mode 100644 yara-mikesxrs/codewatchorg/phoenix_pdf3.yar delete mode 100644 yara-mikesxrs/codewatchorg/redkit_bin_basic.yar delete mode 100644 yara-mikesxrs/codewatchorg/sakura_jar.yar delete mode 100644 yara-mikesxrs/codewatchorg/sakura_jar2.yar delete mode 100644 yara-mikesxrs/codewatchorg/zeroaccess_css.yar delete mode 100644 yara-mikesxrs/codewatchorg/zeroaccess_css2.yar delete mode 100644 yara-mikesxrs/codewatchorg/zeroaccess_htm.yar delete mode 100644 yara-mikesxrs/codewatchorg/zeroaccess_js.yar delete mode 100644 yara-mikesxrs/codewatchorg/zeroaccess_js2.yar delete mode 100644 yara-mikesxrs/codewatchorg/zeroaccess_js3.yar delete mode 100644 yara-mikesxrs/codewatchorg/zeroaccess_js4.yar delete mode 100644 yara-mikesxrs/codewatchorg/zerox88_js2.yar delete mode 100644 yara-mikesxrs/codewatchorg/zerox88_js3.yar delete mode 100644 yara-mikesxrs/codewatchorg/zeus_js.yar delete mode 100644 yara-mikesxrs/crowdstrike/CVE_2014_4113.yar delete mode 100644 yara-mikesxrs/crowdstrike/CrowdStrike_ PutterPanda _02 - rc4_dropper putterpanda.yar delete mode 100644 yara-mikesxrs/crowdstrike/CrowdStrike_ PutterPanda _03 - threepara_para_implant putterpanda.yar delete mode 100644 yara-mikesxrs/crowdstrike/CrowdStrike_ PutterPanda _05 _ httpclient putterpanda.yar delete mode 100644 yara-mikesxrs/crowdstrike/CrowdStrike_ PutterPanda _06 _ xor_dropper putterpanda.yar delete mode 100644 yara-mikesxrs/crowdstrike/CrowdStrike_CSIT_14003_03.yar delete mode 100644 
yara-mikesxrs/crowdstrike/CrowdStrike_CSIT_14004_02.yar delete mode 100644 yara-mikesxrs/crowdstrike/CrowdStrike_FlyingKitten.yar delete mode 100644 yara-mikesxrs/crowdstrike/CrowdStrike_PutterPanda_01 - fourh_stack_strings putterpanda.yar delete mode 100644 yara-mikesxrs/crowdstrike/Crowdstrike_index.yara delete mode 100644 yara-mikesxrs/crowdstrike/Crowdstrike_target_breach.yar delete mode 100644 yara-mikesxrs/crowdstrike/gameover zeus.yar delete mode 100644 yara-mikesxrs/crowdstrike/rule CrowdStrike_PutterPanda_04_ pngdowner putterpanda.yar delete mode 100644 yara-mikesxrs/cylance/BackDoorLogger.yar delete mode 100644 yara-mikesxrs/cylance/Hkdoor_DLL.yar delete mode 100644 yara-mikesxrs/cylance/Hkdoor_backdoor.yar delete mode 100644 yara-mikesxrs/cylance/Hkdoor_driver.yar delete mode 100644 yara-mikesxrs/cylance/Hkdoor_dropper.yar delete mode 100644 yara-mikesxrs/cylance/Jasus.yar delete mode 100644 yara-mikesxrs/cylance/LoggerModule.yar delete mode 100644 yara-mikesxrs/cylance/MiSType_Backdoor_Packed.yar delete mode 100644 yara-mikesxrs/cylance/Misdat_Backdoor.yar delete mode 100644 yara-mikesxrs/cylance/Misdat_Backdoor_Packed.yar delete mode 100644 yara-mikesxrs/cylance/NetC.yar delete mode 100644 yara-mikesxrs/cylance/SType_Backdoor.yar delete mode 100644 yara-mikesxrs/cylance/ShellCreator2.yar delete mode 100644 yara-mikesxrs/cylance/SmartCopy2.yar delete mode 100644 yara-mikesxrs/cylance/StreamEX.yar delete mode 100644 yara-mikesxrs/cylance/SynFlooder.yar delete mode 100644 yara-mikesxrs/cylance/TinyZBot.yar delete mode 100644 yara-mikesxrs/cylance/WannaCryptor.yar delete mode 100644 yara-mikesxrs/cylance/ZhoupinExploitCrew.yar delete mode 100644 yara-mikesxrs/cylance/Zlib_Backdoor.yar delete mode 100644 yara-mikesxrs/cylance/antivirusdetector.yar delete mode 100644 yara-mikesxrs/cylance/baijiu.yar delete mode 100644 yara-mikesxrs/cylance/csext.yar delete mode 100644 yara-mikesxrs/cylance/cylance_index.yara delete mode 100644 
yara-mikesxrs/cylance/kagent.yar delete mode 100644 yara-mikesxrs/cylance/mimikatzWrapper.yar delete mode 100644 yara-mikesxrs/cylance/pvz_in.yar delete mode 100644 yara-mikesxrs/cylance/pvz_out.yar delete mode 100644 yara-mikesxrs/cylance/snakewine.yar delete mode 100644 yara-mikesxrs/cylance/wndTest.yar delete mode 100644 yara-mikesxrs/cylance/zhCat.yar delete mode 100644 yara-mikesxrs/cylance/zhLookUp.yar delete mode 100644 yara-mikesxrs/cylance/zhmimikatz.yar delete mode 100644 yara-mikesxrs/eset/Animal_Farm.yar delete mode 100644 yara-mikesxrs/eset/ESET_index.yara delete mode 100644 yara-mikesxrs/eset/Gazer.yar delete mode 100644 yara-mikesxrs/eset/InvisiMole.yar delete mode 100644 yara-mikesxrs/eset/Linux_Moose.yar delete mode 100644 yara-mikesxrs/eset/Mumblehard_packer.yar delete mode 100644 yara-mikesxrs/eset/OSX_Keydnap_backdoor.yar delete mode 100644 yara-mikesxrs/eset/OSX_Keydnap_packer.yar delete mode 100644 yara-mikesxrs/eset/OSX_keydnap_downloader.yar delete mode 100644 yara-mikesxrs/eset/Operation Potao.yar delete mode 100644 yara-mikesxrs/eset/Operation Windigo.yar delete mode 100644 yara-mikesxrs/eset/PotaoNew.yara delete mode 100644 yara-mikesxrs/eset/Prikormka.yar delete mode 100644 yara-mikesxrs/eset/SparklingGoblin.yar delete mode 100644 yara-mikesxrs/eset/Turla_Carbon.yar delete mode 100644 yara-mikesxrs/eset/badiis.yar delete mode 100644 yara-mikesxrs/eset/kobalos.yar delete mode 100644 yara-mikesxrs/eset/kobalos_ssh_credential_stealer.yar delete mode 100644 yara-mikesxrs/eset/linux_rakos.yar delete mode 100644 yara-mikesxrs/eset/skip20_sqllang_hook.yar delete mode 100644 yara-mikesxrs/eset/sshdoor.yar delete mode 100644 yara-mikesxrs/eset/stantinko.yar delete mode 100644 yara-mikesxrs/eset/ta410.yar delete mode 100644 yara-mikesxrs/eset/turla-outlook.yar delete mode 100644 yara-mikesxrs/g00dv1n/Adware.AdGazelle.yar delete mode 100644 yara-mikesxrs/g00dv1n/Adware.Adpeak.yar delete mode 100644 yara-mikesxrs/g00dv1n/Adware.Agent.yar delete mode 
100644 yara-mikesxrs/g00dv1n/Adware.BetterSurf.yar delete mode 100644 yara-mikesxrs/g00dv1n/Adware.BrowseFox.yar delete mode 100644 yara-mikesxrs/g00dv1n/Adware.Conduit.yar delete mode 100644 yara-mikesxrs/g00dv1n/Adware.ConvertAd.yar delete mode 100644 yara-mikesxrs/g00dv1n/Adware.Crossrider.yar delete mode 100644 yara-mikesxrs/g00dv1n/Adware.DealPly.yar delete mode 100644 yara-mikesxrs/g00dv1n/Adware.Dlhelper.yar delete mode 100644 yara-mikesxrs/g00dv1n/Adware.Downloader.yar delete mode 100644 yara-mikesxrs/g00dv1n/Adware.ELEX.yar delete mode 100644 yara-mikesxrs/g00dv1n/Adware.Gen.yar delete mode 100644 yara-mikesxrs/g00dv1n/Adware.Genieo.yar delete mode 100644 yara-mikesxrs/g00dv1n/Adware.Imali.yar delete mode 100644 yara-mikesxrs/g00dv1n/Adware.InstallCore.yar delete mode 100644 yara-mikesxrs/g00dv1n/Adware.Linkury.yar delete mode 100644 yara-mikesxrs/g00dv1n/Adware.MyWebSearch.yar delete mode 100644 yara-mikesxrs/g00dv1n/Adware.NextLive.yar delete mode 100644 yara-mikesxrs/g00dv1n/Adware.ObronaAds.yar delete mode 100644 yara-mikesxrs/g00dv1n/Adware.OpenCandy.yar delete mode 100644 yara-mikesxrs/g00dv1n/Adware.OutBrowse.yar delete mode 100644 yara-mikesxrs/g00dv1n/Adware.PullUpdate.yar delete mode 100644 yara-mikesxrs/g00dv1n/Adware.SProtect.yar delete mode 100644 yara-mikesxrs/g00dv1n/Adware.SearchSuite.yar delete mode 100644 yara-mikesxrs/g00dv1n/Adware.Sendori.yar delete mode 100644 yara-mikesxrs/g00dv1n/Adware.SimplyTech.yar delete mode 100644 yara-mikesxrs/g00dv1n/Adware.SmartApps.yar delete mode 100644 yara-mikesxrs/g00dv1n/Adware.Solimbda.yar delete mode 100644 yara-mikesxrs/g00dv1n/Adware.Trioris.yar delete mode 100644 yara-mikesxrs/g00dv1n/Adware.Vitruvian.yar delete mode 100644 yara-mikesxrs/g00dv1n/Adware.Wajam.yar delete mode 100644 yara-mikesxrs/g00dv1n/Adware.WebTools.yar delete mode 100644 yara-mikesxrs/g00dv1n/Adware.WebWatcher.yar delete mode 100644 yara-mikesxrs/g00dv1n/Adware.iBryte.yar delete mode 100644 
yara-mikesxrs/g00dv1n/Adware.uKor.yar delete mode 100644 yara-mikesxrs/g00dv1n/Backdoor.Bladabindi.yar delete mode 100644 yara-mikesxrs/g00dv1n/Backdoor.Dedipros.yar delete mode 100644 yara-mikesxrs/g00dv1n/Backdoor.Fynloski.yar delete mode 100644 yara-mikesxrs/g00dv1n/Backdoor.Gen.yar delete mode 100644 yara-mikesxrs/g00dv1n/Backdoor.Liudoor.yar delete mode 100644 yara-mikesxrs/g00dv1n/Backdoor.Mirage.yar delete mode 100644 yara-mikesxrs/g00dv1n/Backdoor.Vawtrak.yar delete mode 100644 yara-mikesxrs/g00dv1n/Backdoor.Zegost.yar delete mode 100644 yara-mikesxrs/g00dv1n/Malware.BitCoinMiner.yar delete mode 100644 yara-mikesxrs/g00dv1n/Malware.Downloader.yar delete mode 100644 yara-mikesxrs/g00dv1n/Malware.PWS.yar delete mode 100644 yara-mikesxrs/g00dv1n/PUP.SystemOptimizer.yar delete mode 100644 yara-mikesxrs/g00dv1n/PUP.Systweak.yar delete mode 100644 yara-mikesxrs/g00dv1n/Ransom.Crypters.yar delete mode 100644 yara-mikesxrs/g00dv1n/Risk.DetectAnalysis.yar delete mode 100644 yara-mikesxrs/g00dv1n/Risk.NetFilter.yar delete mode 100644 yara-mikesxrs/g00dv1n/Rogue.AVSoft.yar delete mode 100644 yara-mikesxrs/g00dv1n/Rogue.Braviax.yar delete mode 100644 yara-mikesxrs/g00dv1n/Rogue.FakePAV.yar delete mode 100644 yara-mikesxrs/g00dv1n/Rogue.FakeRean.yar delete mode 100644 yara-mikesxrs/g00dv1n/Rogue.FakeSysDef.yar delete mode 100644 yara-mikesxrs/g00dv1n/Rogue.LiveSP.yar delete mode 100644 yara-mikesxrs/g00dv1n/Rogue.SDef.yar delete mode 100644 yara-mikesxrs/g00dv1n/Rogue.SysDoc.yar delete mode 100644 yara-mikesxrs/g00dv1n/Rogue.Winwebsec.yar delete mode 100644 yara-mikesxrs/g00dv1n/Trojan.Antivar.yar delete mode 100644 yara-mikesxrs/g00dv1n/Trojan.Cbeplay.yar delete mode 100644 yara-mikesxrs/g00dv1n/Trojan.ChStartPage.yar delete mode 100644 yara-mikesxrs/g00dv1n/Trojan.Citadel.yar delete mode 100644 yara-mikesxrs/g00dv1n/Trojan.Comfoo.yar delete mode 100644 yara-mikesxrs/g00dv1n/Trojan.Cutwail.yar delete mode 100644 yara-mikesxrs/g00dv1n/Trojan.Dllpatcher.yar delete mode 
100644 yara-mikesxrs/g00dv1n/Trojan.Downloader.yar delete mode 100644 yara-mikesxrs/g00dv1n/Trojan.Dropper.yar delete mode 100644 yara-mikesxrs/g00dv1n/Trojan.Frethog.yar delete mode 100644 yara-mikesxrs/g00dv1n/Trojan.GBot.yar delete mode 100644 yara-mikesxrs/g00dv1n/Trojan.Gamarue.Andromeda.yar delete mode 100644 yara-mikesxrs/g00dv1n/Trojan.Injector.yar delete mode 100644 yara-mikesxrs/g00dv1n/Trojan.Kovter.yar delete mode 100644 yara-mikesxrs/g00dv1n/Trojan.Kuluoz.yar delete mode 100644 yara-mikesxrs/g00dv1n/Trojan.Lethic.yar delete mode 100644 yara-mikesxrs/g00dv1n/Trojan.Necurs.yar delete mode 100644 yara-mikesxrs/g00dv1n/Trojan.Nedsym.yar delete mode 100644 yara-mikesxrs/g00dv1n/Trojan.Neurevt.yar delete mode 100644 yara-mikesxrs/g00dv1n/Trojan.PowerLoader.yar delete mode 100644 yara-mikesxrs/g00dv1n/Trojan.Ransom.yar delete mode 100644 yara-mikesxrs/g00dv1n/Trojan.Regin.yar delete mode 100644 yara-mikesxrs/g00dv1n/Trojan.Rovnix.yar delete mode 100644 yara-mikesxrs/g00dv1n/Trojan.Simda.yar delete mode 100644 yara-mikesxrs/g00dv1n/Trojan.Sirefef.yar delete mode 100644 yara-mikesxrs/g00dv1n/Trojan.Upatre.yar delete mode 100644 yara-mikesxrs/g00dv1n/Trojan.Virtool.Obfuscator.yar delete mode 100644 yara-mikesxrs/g00dv1n/TrojanPSW.Tepfer.yar delete mode 100644 yara-mikesxrs/g00dv1n/TrojanPSW.ZBot.yar delete mode 100644 yara-mikesxrs/g00dv1n/TrojanSpy.Ursnif.yar delete mode 100644 yara-mikesxrs/g00dv1n/Virus.Chir.yar delete mode 100644 yara-mikesxrs/g00dv1n/Virus.Madang.yar delete mode 100644 yara-mikesxrs/g00dv1n/Worm.Cridex.yar delete mode 100644 yara-mikesxrs/g00dv1n/Worm.Dorkbot.yar delete mode 100644 yara-mikesxrs/g00dv1n/Worm.Phorpiex.yar delete mode 100644 yara-mikesxrs/g00dv1n/Worm.SillyP2P.yar delete mode 100644 yara-mikesxrs/g00dv1n/Worm.SkypeSpamer.yar delete mode 100644 yara-mikesxrs/g00dv1n/g00dvin_index.yara delete mode 100644 yara-mikesxrs/iSightPartners/SDBFile.yar delete mode 100644 yara-mikesxrs/kaspersky/Adwind.yar delete mode 100644 
yara-mikesxrs/kaspersky/Crime_eyepyramid.yar delete mode 100644 yara-mikesxrs/kaspersky/LazarusWannaCry.yar delete mode 100644 yara-mikesxrs/kaspersky/apt_ProjectSauron_encrypted_LSA.yar delete mode 100644 yara-mikesxrs/kaspersky/apt_ProjectSauron_encrypted_SSPI.yar delete mode 100644 yara-mikesxrs/kaspersky/apt_ProjectSauron_encrypted_container.yar delete mode 100644 yara-mikesxrs/kaspersky/apt_ProjectSauron_encryption.yar delete mode 100644 yara-mikesxrs/kaspersky/apt_ProjectSauron_generic_pipe_backdoor.yar delete mode 100644 yara-mikesxrs/kaspersky/apt_ProjectSauron_pipe_backdoor.yar delete mode 100644 yara-mikesxrs/kaspersky/apt_duqu2_drivers.yar delete mode 100644 yara-mikesxrs/kaspersky/apt_duqu2_loaders.yar delete mode 100644 yara-mikesxrs/kaspersky/apt_equation_cryptotable.yar delete mode 100644 yara-mikesxrs/kaspersky/apt_equation_doublefantasy_genericresource.yar delete mode 100644 yara-mikesxrs/kaspersky/apt_equation_equationlaser_runtimeclasses.yar delete mode 100644 yara-mikesxrs/kaspersky/apt_equation_exploitlib_mutexes.yar delete mode 100644 yara-mikesxrs/kaspersky/apt_hellsing_implantstrings.yar delete mode 100644 yara-mikesxrs/kaspersky/apt_hellsing_installer.yar delete mode 100644 yara-mikesxrs/kaspersky/apt_hellsing_irene.yar delete mode 100644 yara-mikesxrs/kaspersky/apt_hellsing_msgertype2.yar delete mode 100644 yara-mikesxrs/kaspersky/apt_hellsing_proxytool.yar delete mode 100644 yara-mikesxrs/kaspersky/apt_hellsing_xkat.yar delete mode 100644 yara-mikesxrs/kaspersky/apt_regin_2013_64bit_stage1.yar delete mode 100644 yara-mikesxrs/kaspersky/apt_regin_dispatcher_disp_dll.yar delete mode 100644 yara-mikesxrs/kaspersky/apt_regin_vfs.yar delete mode 100644 yara-mikesxrs/kaspersky/backdoored_ssh.yar delete mode 100644 yara-mikesxrs/kaspersky/exploit_Silverlight_Toropov_Generic_XAP.yar delete mode 100644 yara-mikesxrs/kaspersky/kaspersky_index.yara delete mode 100644 yara-mikesxrs/kaspersky/ransomware_PetrWrap.yar delete mode 100644 
yara-mikesxrs/kaspersky/stonedrill.yar delete mode 100644 yara-mikesxrs/kaspersky/xDedic_SysScan_unpacked.yar delete mode 100644 yara-mikesxrs/kaspersky/xdedic_packed_syscan.yar delete mode 100644 yara-mikesxrs/one offs/9002Rat.yar delete mode 100644 yara-mikesxrs/one offs/AdwindRat.yar delete mode 100644 yara-mikesxrs/one offs/CVE-2013-3660.yar delete mode 100644 yara-mikesxrs/one offs/ComputraceAgent.yar delete mode 100644 yara-mikesxrs/one offs/CoreFlood_ldr.yar delete mode 100644 yara-mikesxrs/one offs/Cridex.yar delete mode 100644 yara-mikesxrs/one offs/Hancidoc_Dropper.yar delete mode 100644 yara-mikesxrs/one offs/Mebroot_Torpig.yar delete mode 100644 yara-mikesxrs/one offs/OSX_Malware.yar delete mode 100644 yara-mikesxrs/one offs/Pegasus.yar delete mode 100644 yara-mikesxrs/one offs/Qadars_DGA.yar delete mode 100644 yara-mikesxrs/one offs/Shellphish.yar delete mode 100644 yara-mikesxrs/one offs/W32ChirB.yar delete mode 100644 yara-mikesxrs/one offs/XorDDoS.yar delete mode 100644 yara-mikesxrs/one offs/ammyy_cerber3.yar delete mode 100644 yara-mikesxrs/one offs/crime_ole_loadswf_cve_2018_4878.yar delete mode 100644 yara-mikesxrs/one offs/crime_win32_gratefulpos_trojan.yar delete mode 100644 yara-mikesxrs/one offs/dridex.yar delete mode 100644 yara-mikesxrs/one offs/fastposloader.yar delete mode 100644 yara-mikesxrs/one offs/marcher.yar delete mode 100644 yara-mikesxrs/one offs/mwi_document.yar delete mode 100644 yara-mikesxrs/one offs/nettraveler.yar delete mode 100644 yara-mikesxrs/one offs/packager_cve2017_11882.yar delete mode 100644 yara-mikesxrs/one offs/snake_uroburos.yar delete mode 100644 yara-mikesxrs/paloalto/Palo_Alto_index.yara delete mode 100644 yara-mikesxrs/paloalto/ce_enfal_cmstar_debug_msg.yar delete mode 100644 yara-mikesxrs/paloalto/cobalt_gang_builder.yar delete mode 100644 yara-mikesxrs/paloalto/findpos.yar delete mode 100644 yara-mikesxrs/paloalto/general_win_dll_golang_socks.yar delete mode 100644 
yara-mikesxrs/paloalto/general_win_faked_dlls_export_popo.yar delete mode 100644 yara-mikesxrs/paloalto/general_win_golang_socks.yar delete mode 100644 yara-mikesxrs/paloalto/hancitor_dropper.yar delete mode 100644 yara-mikesxrs/paloalto/hancitor_payload.yar delete mode 100644 yara-mikesxrs/paloalto/hancitor_stage1.yar delete mode 100644 yara-mikesxrs/paloalto/powerstager.yar delete mode 100644 yara-mikesxrs/paloalto/webshell_chinachopper_oab.yar delete mode 100644 yara-mikesxrs/pombredanne/Android_AVITOMMS_Variant.yar delete mode 100644 yara-mikesxrs/pombredanne/Android_AndroRat.yar delete mode 100644 yara-mikesxrs/pombredanne/Android_BadMirror.yar delete mode 100644 yara-mikesxrs/pombredanne/Android_Banker_Sberbank.yar delete mode 100644 yara-mikesxrs/pombredanne/Android_Clicker_G.yar delete mode 100644 yara-mikesxrs/pombredanne/Android_Copy9.yar delete mode 100644 yara-mikesxrs/pombredanne/Android_DeathRing.yar delete mode 100644 yara-mikesxrs/pombredanne/Android_Dendroid.yar delete mode 100644 yara-mikesxrs/pombredanne/Android_Dogspectus.yar delete mode 100644 yara-mikesxrs/pombredanne/Android_FakeBank_Fanta.yar delete mode 100644 yara-mikesxrs/pombredanne/Android_Godless.yar delete mode 100644 yara-mikesxrs/pombredanne/Android_Marcher.yar delete mode 100644 yara-mikesxrs/pombredanne/Android_MazarBot.yar delete mode 100644 yara-mikesxrs/pombredanne/Android_OmniRat.yar delete mode 100644 yara-mikesxrs/pombredanne/Android_RuMMS.yar delete mode 100644 yara-mikesxrs/pombredanne/PDF_Embedded_Exe.yar delete mode 100644 yara-mikesxrs/pombredanne/SandroRat.yar delete mode 100644 yara-mikesxrs/pombredanne/Spartan_SWF.yar delete mode 100644 yara-mikesxrs/securityartwork/Erebus_Ransomware.yar delete mode 100644 yara-mikesxrs/securityartwork/HardcodeHunter.yar delete mode 100644 yara-mikesxrs/securityartwork/IoT_Reaper.yar delete mode 100644 yara-mikesxrs/securityartwork/Linux_Bew.yar delete mode 100644 yara-mikesxrs/securityartwork/Linux_Helios.yar delete mode 100644 
yara-mikesxrs/securityartwork/Meterpreter_rev_tcp.yar delete mode 100644 yara-mikesxrs/securityartwork/OfficeMacrosWinintelDLL.yar delete mode 100644 yara-mikesxrs/securityartwork/linux_Okiru.yar delete mode 100644 yara-mikesxrs/securityartwork/multibanker.yar delete mode 100644 yara-mikesxrs/securityartwork/shellcode_cve_2013_2729.yar delete mode 100644 yara-mikesxrs/securityartwork/trickbot.yar delete mode 100644 yara-mikesxrs/symantec/Bannerjack.yar delete mode 100644 yara-mikesxrs/symantec/Cadelle_1.yar delete mode 100644 yara-mikesxrs/symantec/Cadelle_2.yar delete mode 100644 yara-mikesxrs/symantec/Cadelle_3.yar delete mode 100644 yara-mikesxrs/symantec/Cadelle_4.yar delete mode 100644 yara-mikesxrs/symantec/Eventlog.yar delete mode 100644 yara-mikesxrs/symantec/Hacktool.yar delete mode 100644 yara-mikesxrs/symantec/Kwampirs.yar delete mode 100644 yara-mikesxrs/symantec/Multipurpose.yar delete mode 100644 yara-mikesxrs/symantec/Proxy.yar delete mode 100644 yara-mikesxrs/symantec/Securetunnel.yar delete mode 100644 yara-mikesxrs/symantec/comrat.yar delete mode 100644 yara-mikesxrs/symantec/fa.yar delete mode 100644 yara-mikesxrs/symantec/isPE.yar delete mode 100644 yara-mikesxrs/symantec/jiripbot _ ascii _ str _ decrypt.yar delete mode 100644 yara-mikesxrs/symantec/jiripbot _ unicode _ str _ decrypt.yar delete mode 100644 yara-mikesxrs/symantec/remsec_encrypted_api.yar delete mode 100644 yara-mikesxrs/symantec/remsec_executable_blob_32.yar delete mode 100644 yara-mikesxrs/symantec/remsec_executable_blob_64.yar delete mode 100644 yara-mikesxrs/symantec/remsec_executable_blob_parser.yar delete mode 100644 yara-mikesxrs/symantec/remsec_packer_A.yar delete mode 100644 yara-mikesxrs/symantec/remsec_packer_B.yar delete mode 100644 yara-mikesxrs/symantec/sav _ dropper.yar delete mode 100644 yara-mikesxrs/symantec/sav.yar delete mode 100644 yara-mikesxrs/symantec/symantec_index.yara delete mode 100644 yara-mikesxrs/symantec/turla _ dll.yar delete mode 100644 
yara-mikesxrs/symantec/turla _ dropper.yar delete mode 100644 yara-mikesxrs/symantec/wipbot _ 2013 _ core _ PDF.yar delete mode 100644 yara-mikesxrs/symantec/wipbot _ 2013 _ core.yar delete mode 100644 yara-mikesxrs/symantec/wipbot _ 2013 _ dll.yar delete mode 100644 yara-mikesxrs/vitorafonso/banker.yar delete mode 100644 yara-mikesxrs/vitorafonso/crisis.yar delete mode 100644 yara-mikesxrs/vitorafonso/dropper.yar delete mode 100644 yara-mikesxrs/vitorafonso/exploit.yar delete mode 100644 yara-mikesxrs/vitorafonso/shedun.yar delete mode 100644 yara-mikesxrs/vitorafonso/zitmo.yar
diff --git a/main.py b/main.py
index 19cdb22..d02e24d 100644
--- a/main.py
+++ b/main.py
@@ -246,7 +246,7 @@ def kill_suspicious_processes():
 # Scan files for malware as they launch and kill if potentially malicious.
 for file_path in cmdline:
 if os.path.isfile(file_path):
- if scan_for_malware(file_path) and os.path.basename(bypassed_processes):
+ if scan_for_malware(file_path):
 print(f"Terminating potentially malicious process {proc.info['name']} (PID: {proc.info['pid']} NOW...")
 proc.terminate()
 proc.wait()
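Review bot: The loop keeps iterating the remaining `cmdline` entries after `proc.terminate()`, so a process with more than one file argument is terminated and waited on again after it has already exited, and `proc.wait()` has no timeout, so a process that ignores the termination request stalls the whole scan loop. Add `break` after `proc.wait()` and bound the wait, e.g. `proc.wait(timeout=5)`, catching the timeout and no-such-process errors of the process library in use (presumably psutil given `proc.info`, but that is outside the hunk). Dropping the `os.path.basename(bypassed_processes)` term fixes the broken call but also removes whatever exclusion it was meant to express, so if trusted processes were supposed to be skipped that check needs to be reinstated as an explicit name comparison before termination. kill_suspicious_processes starts outside the hunk.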
@@ -332,12 +332,24 @@ def realtimeAV(): kill_suspicious_processes() time.sleep(1) # check for malware every second +def threadCounter(): + previous_count = 0 + current_count = 0 + while True: + previous_count = threading.active_count() + print(f"Active AntiMalware Threads: {current_count}") + if current_count < previous_count and previous_count - current_count > -1: + print("WARNING: THREAD KILL DETECTED!") + time.sleep(3) # check for malware every second + current_count = threading.active_count() + # Start Monitoring in Threads threads = [ threading.Thread(target=start_file_system_monitor), threading.Thread(target=monitor_cpu_gpu_usage), threading.Thread(target=monitor_registry_changes), threading.Thread(target=realtimeAV), + threading.Thread(target=threadCounter), threading.Thread(target=monitor_tls_certificates), threading.Thread(target=monitor_browser, args=('chrome',)), threading.Thread(target=monitor_browser, args=('firefox',)) diff --git a/yara-Neo23x0/configured_vulns_ext_vars.yar b/yara-Neo23x0/configured_vulns_ext_vars.yar deleted file mode 100644 index d770c6c..0000000 --- a/yara-Neo23x0/configured_vulns_ext_vars.yar +++ /dev/null 
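Review bot: The kill detector in `threadCounter` cannot fire after its first pass: `current_count` is sampled at the end of one iteration and `previous_count` at the start of the next, so the two values are taken moments apart and a thread that exits during the 3 s sleep lowers both equally. On the first pass the opposite happens, `current_count` is still 0 while `previous_count` is the live count, so "Active AntiMalware Threads: 0" and the WARNING are printed unconditionally, and the second conjunct `previous_count - current_count > -1` is always true once the first holds. Sample once before the loop, then sleep, resample, compare and carry the new value forward, as below; the copied comment `# check for malware every second` should also be replaced, since this loop polls the thread count every three seconds and scans nothing. `threading.active_count()` also counts any non-monitor thread, so a dead monitor is masked by any other thread starting; polling `is_alive()` on the entries of `threads` would be more precise, though that list is assigned after this function and would only be readable by the thread at runtime.

```python
def threadCounter():
    previous_count = threading.active_count()
    while True:
        time.sleep(3)  # poll the monitor thread count every 3 seconds
        current_count = threading.active_count()
        print(f"Active AntiMalware Threads: {current_count}")
        if current_count < previous_count:
            print("WARNING: THREAD KILL DETECTED!")
        previous_count = current_count
```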
@@ -1,241 +0,0 @@ - -/* - Rules which detect vulnerabilities in configuration files. - External variables are used so they only work with YARA scanners, that pass them on (e.g. Thor, Loki and Spyre) -*/ - - -rule VULN_Linux_Sudoers_Commands { - meta: - description = "Detects sudoers config with commands which might allow privilege escalation to root" - license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" - author = "Arnim Rupp" - reference = "https://gtfobins.github.io/" - date = "2022-11-22" - modified = "2024-04-15" - score = 50 - id = "221d90c8-e70e-5214-a03b-57ecabcdd480" - strings: - $command1 = "/sh " ascii - $command2 = "/bash " ascii - $command3 = "/ksh " ascii - $command4 = "/csh " ascii - $command5 = "/tcpdump " ascii - //$command6 = "/cat " ascii - //$command7 = "/head " ascii - $command8 = "/nano " ascii - $command9 = "/pico " ascii - $command10 = "/rview " ascii - $command11 = "/vi " ascii - $command12 = "/vim " ascii - $command13 = "/rvi " ascii - $command14 = "/rvim " ascii - //$command15 = "/more " ascii - $command16 = "/less " ascii - $command17 = "/dd " ascii - /* $command18 = "/mount " ascii prone to FPs */ - - condition: - ( filename == "sudoers" or filepath contains "/etc/sudoers.d" ) and - any of ($command*) -} - -rule VULN_Linux_NFS_Exports { - meta: - description = "Detects insecure /etc/exports NFS config which might allow privilege escalation to root or other users. The parameter insecure allows any non-root user to mount NFS shares via e.g. an SSH-tunnel. With no_root_squash SUID root binaries are allowed." 
- license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" - reference = "https://www.errno.fr/nfs_privesc.html" - author = "Arnim Rupp" - date = "2022-11-22" - score = 50 - id = "4b7d81d8-1ae1-5fcf-a91c-271477a839db" - strings: - // line has to start with / to avoid triggering on #-comment lines - $conf1 = /\n\/.{2,200}?\binsecure\b/ ascii - $conf2 = /\n\/.{2,200}?\bno_root_squash\b/ ascii - - condition: - filename == "exports" and - filepath contains "/etc" and - any of ($conf*) -} - -rule SUSP_AES_Key_in_MySql_History { - meta: - description = "Detects AES key outside of key management in .mysql_history" - license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" - author = "Arnim Rupp" - date = "2022-11-22" - score = 50 - id = "28acef39-8606-5d3d-b395-0d8db13f6c9c" - strings: - $c1 = /\bAES_(DE|EN)CRYPT\(.{1,128}?,.??('|").{1,128}?('|")\)/ ascii - $c2 = /\baes_(de|en)crypt\(.{1,128}?,.??('|").{1,128}?('|")\)/ ascii - - condition: - filename == ".mysql_history" and - any of ($c*) -} - -rule VULN_Slapd_Conf_with_Default_Password { - meta: - description = "Detects an openldap slapd.conf with the default password test123" - license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" - author = "Arnim Rupp" - date = "2022-11-22" - reference = "https://www.openldap.org/doc/admin21/slapdconfig.html" - score = 70 - id = "1d1319da-125b-5373-88f1-27a23c85729e" - strings: - /* \nrootpw \{SSHA\}fsAEyxlFOtvZBwPLAF68zpUhth8lERoR */ - $c1 = { 0A 72 6f 6f 74 70 77 20 7b 53 53 48 41 7d 66 73 41 45 79 78 6c 46 4f 74 76 5a 42 77 50 4c 41 46 36 38 7a 70 55 68 74 68 38 6c 45 52 6f 52 } - - condition: - filename == "slapd.conf" and - any of ($c*) -} - -rule VULN_Unencrypted_SSH_Private_Key : T1552_004 { - meta: - description = "Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty" - license = "Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE" - author = "Arnim Rupp" - date = "2023-01-06" - reference = "https://attack.mitre.org/techniques/T1552/004/" - score = 50 - id = "84b279fc-99c8-5101-b2d8-5c7adbaf753f" - strings: - /* - -----BEGIN RSA PRIVATE KEY----- - MII - */ - $openssh_rsa = { 2d 2d 2d 2d 2d 42 45 47 49 4e 20 52 53 41 20 50 52 49 56 41 54 45 20 4b 45 59 2d 2d 2d 2d 2d 0a 4d 49 49 } - - /* - -----BEGIN DSA PRIVATE KEY----- - MIIBvAIBAAKBgQ - */ - $openssh_dsa = { 2d 2d 2d 2d 2d 42 45 47 49 4e 20 44 53 41 20 50 52 49 56 41 54 45 20 4b 45 59 2d 2d 2d 2d 2d 0a 4d 49 49 42 76 41 49 42 41 41 4b 42 67 51 } - - /* - -----BEGIN EC PRIVATE KEY----- - M - */ - $openssh_ecdsa = { 2d 2d 2d 2d 2d 42 45 47 49 4e 20 45 43 20 50 52 49 56 41 54 45 20 4b 45 59 2d 2d 2d 2d 2d 0a 4d } - - /* - -----BEGIN OPENSSH PRIVATE KEY----- - b3BlbnNzaC1rZXktdjEAAAAABG5vbmU - - base64 contains: openssh-key-v1.....none - */ - $openssh_ed25519 = { 2d 2d 2d 2d 2d 42 45 47 49 4e 20 4f 50 45 4e 53 53 48 20 50 52 49 56 41 54 45 20 4b 45 59 2d 2d 2d 2d 2d 0a 62 33 42 6c 62 6e 4e 7a 61 43 31 72 5a 58 6b 74 64 6a 45 41 41 41 41 41 42 47 35 76 62 6d 55 } - - $putty_start = "PuTTY-User-Key-File" ascii - $putty_noenc = "Encryption: none" ascii - - condition: - /* - limit to folders and filenames which are known to contain ssh keys to avoid triggering on all those - private keys for SSL, signing, ... 
which might be important but aren't usually used for lateral - movement => bad signal noise ratio - */ - ( - filepath contains "ssh" or - filepath contains "SSH" or - filepath contains "utty" or - filename contains "ssh" or - filename contains "SSH" or - filename contains "id_" or - filename contains "id2_" or - filename contains ".ppk" or - filename contains ".PPK" or - filename contains "utty" - ) - and - ( - $openssh_dsa at 0 or - $openssh_rsa at 0 or - $openssh_ecdsa at 0 or - $openssh_ed25519 at 0 or - ( - $putty_start at 0 and - $putty_noenc - ) - ) - and not filepath contains "/root/" - and not filename contains "ssh_host_" -} - - -rule VULN_Unencrypted_SSH_Private_Key_Root_Folder : T1552_004 { - meta: - description = "Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty" - license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" - author = "Arnim Rupp" - date = "2023-01-06" - reference = "https://attack.mitre.org/techniques/T1552/004/" - score = 65 - id = "9e6a03a1-d95f-5de7-a6c0-a2e77486007c" - strings: - /* - -----BEGIN RSA PRIVATE KEY----- - MII - */ - $openssh_rsa = { 2d 2d 2d 2d 2d 42 45 47 49 4e 20 52 53 41 20 50 52 49 56 41 54 45 20 4b 45 59 2d 2d 2d 2d 2d 0a 4d 49 49 } - - /* - -----BEGIN DSA PRIVATE KEY----- - MIIBvAIBAAKBgQ - */ - $openssh_dsa = { 2d 2d 2d 2d 2d 42 45 47 49 4e 20 44 53 41 20 50 52 49 56 41 54 45 20 4b 45 59 2d 2d 2d 2d 2d 0a 4d 49 49 42 76 41 49 42 41 41 4b 42 67 51 } - - /* - -----BEGIN EC PRIVATE KEY----- - M - */ - $openssh_ecdsa = { 2d 2d 2d 2d 2d 42 45 47 49 4e 20 45 43 20 50 52 49 56 41 54 45 20 4b 45 59 2d 2d 2d 2d 2d 0a 4d } - - /* - -----BEGIN OPENSSH PRIVATE KEY----- - b3BlbnNzaC1rZXktdjEAAAAABG5vbmU - - base64 contains: openssh-key-v1.....none - */ - $openssh_ed25519 = { 2d 2d 2d 2d 2d 42 45 47 49 4e 20 4f 50 45 4e 53 53 48 20 50 52 49 56 41 54 45 20 4b 45 59 2d 2d 2d 2d 2d 0a 62 33 42 6c 62 6e 4e 7a 61 43 31 72 5a 58 6b 74 64 6a 45 41 41 
41 41 41 42 47 35 76 62 6d 55 } - - $putty_start = "PuTTY-User-Key-File" ascii - $putty_noenc = "Encryption: none" ascii - - condition: - /* - limit to folders and filenames which are known to contain ssh keys to avoid triggering on all those - private keys for SSL, signing, ... which might be important but aren't usually used for lateral - movement => bad signal noise ratio - */ - ( - filepath contains "ssh" or - filepath contains "SSH" or - filepath contains "utty" or - filename contains "ssh" or - filename contains "SSH" or - filename contains "id_" or - filename contains "id2_" or - filename contains ".ppk" or - filename contains ".PPK" or - filename contains "utty" - ) - and - ( - $openssh_dsa at 0 or - $openssh_rsa at 0 or - $openssh_ecdsa at 0 or - $openssh_ed25519 at 0 or - ( - $putty_start at 0 and - $putty_noenc - ) - ) - and filepath contains "/root/" - and not filename contains "ssh_host_" -} diff --git a/yara-Neo23x0/expl_citrix_netscaler_adc_exploitation_cve_2023_3519.yar b/yara-Neo23x0/expl_citrix_netscaler_adc_exploitation_cve_2023_3519.yar deleted file mode 100644 index 1154331..0000000 --- a/yara-Neo23x0/expl_citrix_netscaler_adc_exploitation_cve_2023_3519.yar +++ /dev/null 
@@ -1,102 +0,0 @@ - -rule EXPL_Citrix_Netscaler_ADC_ForensicArtifacts_CVE_2023_3519_Jul23 { - meta: - description = "Detects forensic artifacts found after an exploitation of Citrix NetScaler ADC CVE-2023-3519" - author = "Florian Roth" - reference = "https://www.cisa.gov/sites/default/files/2023-07/aa23-201a_csa_threat_actors_exploiting_citrix-cve-2023-3519_to_implant_webshells.pdf" - date = "2023-07-18" - modified = "2023-07-21" - score = 70 - id = "07d725cc-2cf2-55e5-8609-486500547f13" - strings: - $sa1 = "216.41.162.172" ascii fullword - - $sb1 = "/flash/nsconfig/keys" ascii - $sb2 = "ldapsearch" ascii fullword - $sb3 = "ns_gui/vpn" ascii - $sb4 = "LDAPTLS_REQCERT" ascii fullword - condition: - filesize < 10MB and $sa1 - or ( - filepath == "/var/log" - and filename matches /^(bash|sh)\.log/ - and 1 of ($sb*) - ) -} - -rule EXPL_Citrix_Netscaler_ADC_ForensicArtifacts_CVE_2023_3519_Jul23_2 { - meta: - description = "Detects forensic artifacts found after an exploitation of Citrix NetScaler ADC CVE-2023-3519" - author = "Florian Roth" - reference = "https://www.cisa.gov/sites/default/files/2023-07/aa23-201a_csa_threat_actors_exploiting_citrix-cve-2023-3519_to_implant_webshells.pdf" - date = "2023-07-21" - score = 70 - id = "471ce547-0133-5836-b9d1-02c932ecfd1e" - strings: - $s1 = "tar -czvf - /var/tmp/all.txt" ascii fullword - $s2 = "-out /var/tmp/test.tar.gz" ascii - $s3 = "/test.tar.gz /netscaler/" - condition: - filesize < 10MB and 1 of them -} - -rule EXPL_Citrix_Netscaler_ADC_ForensicArtifacts_CVE_2023_3519_Jul23_3 { - meta: - description = "Detects forensic artifacts found after an exploitation of Citrix NetScaler ADC CVE-2023-3519" - author = "Florian Roth" - reference = "https://www.mandiant.com/resources/blog/citrix-zero-day-espionage" - date = "2023-07-24" - score = 70 - id = "2f40b423-f1da-5711-ac4f-18de77cd52d0" - strings: - $x1 = "cat /flash/nsconfig/ns.conf >>" ascii - $x2 = "cat /nsconfig/.F1.key >>" ascii - $x3 = "openssl base64 -d < /tmp/" ascii - 
$x4 = "cp /usr/bin/bash /var/tmp/bash" ascii - $x5 = "chmod 4775 /var/tmp/bash" - $x6 = "pwd;pwd;pwd;pwd;pwd;" - $x7 = "(&(servicePrincipalName=*)(UserAccountControl:1.2.840.113556.1.4.803:=512)(!(UserAccountControl:1.2.840.113556.1.4.803:=2))(!(objectCategory=computer)))" - condition: - filesize < 10MB and 1 of them -} - -rule LOG_EXPL_Citrix_Netscaler_ADC_Exploitation_Attempt_CVE_2023_3519_Jul23_1 { - meta: - description = "This YARA rule detects forensic artifacts that appear following an attempted exploitation of Citrix NetScaler ADC CVE-2023-3519. The rule identifies an attempt to access the vulnerable function using an overly long URL, a potential sign of attempted exploitation. However, it does not confirm whether such an attempt was successful." - author = "Florian Roth" - reference = "https://blog.assetnote.io/2023/07/24/citrix-rce-part-2-cve-2023-3519/" - date = "2023-07-27" - score = 65 - id = "7dfe4130-d976-5d6d-a05d-ccadefe45406" - strings: - /* overly long URL - all URLLEN values >= 200 */ - $sr1 = /GWTEST FORMS SSO: Parse=0; URLLEN=([2-9][0-9]{2}|[0-9]{4,20}); Event: start=0x/ - $s1 = ", type=1; Target: start=0x" - condition: - all of them -} - -rule WEBSHELL_SECRETSAUCE_Jul23_1 { - meta: - description = "Detects SECRETSAUCE PHP webshells (found after an exploitation of Citrix NetScaler ADC CVE-2023-3519)" - author = "Florian Roth" - reference = "https://www.mandiant.com/resources/blog/citrix-zero-day-espionage" - date = "2023-07-24" - score = 85 - id = "db0542e7-648e-5f60-9838-e07498f58b51" - strings: - $sa1 = "for ($x=0; $x<=1; $x++) {" ascii - $sa2 = "$_REQUEST[" ascii - $sa3 = "@eval" ascii - - $sb1 = "public $cmd;" ascii - $sb2 = "return @eval($a);" ascii - $sb3 = "$z->run($z->get('openssl_public_decrypt'));" - condition: - filesize < 100KB and ( - all of ($sa*) or - 2 of ($sb*) - ) -} - - 
diff --git a/yara-Neo23x0/expl_connectwise_screenconnect_vuln_feb24.yar b/yara-Neo23x0/expl_connectwise_screenconnect_vuln_feb24.yar deleted file mode 100644 index 3b69fe4..0000000 --- a/yara-Neo23x0/expl_connectwise_screenconnect_vuln_feb24.yar +++ /dev/null 
@@ -1,328 +0,0 @@ -import "pe" - -rule ConnectWise_ScreenConnect_Authentication_Bypass_Feb_2024_Exploitation_IIS_Logs { - meta: - description = "Detects an http request to '/SetupWizard.aspx/' with anything following it, which when found in IIS logs is a potential indicator of compromise of the 2024 ConnectWise ScreenConnect (versions prior to 23.9.8) vulnerability that allows an Authentication Bypass" - author = "Huntress DE&TH Team (modified by Florian Roth)" - reference = "https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8" - date = "2024-02-20" - modified = "2024-02-21" - id = "2886530b-e164-4c4b-b01e-950e3c40acb4" - strings: - $s1 = " GET /SetupWizard.aspx/" ascii - $s2 = " POST /SetupWizard.aspx/" ascii - $s3 = " PUT /SetupWizard.aspx/" ascii - $s4 = " HEAD /SetupWizard.aspx/" ascii - condition: - 1 of them -} - -rule SUSP_ScreenConnect_User_PoC_Com_Unused_Feb24 { - meta: - description = "Detects suspicious ScreenConnect user with poc.com email address, which is a sign of exploitation of the ConnectWise ScreenConnect (versions prior to 23.9.8) vulnerability with the POC released by WatchTower and the account wasn't actually used yet to login" - author = "Florian Roth" - reference = "https://github.com/watchtowrlabs/connectwise-screenconnect_auth-bypass-add-user-poc/blob/45e5b2f699a4d8f2d59ec3fc79a2e3c99db71882/watchtowr-vs-ConnectWise_2024-02-21.py#L53" - date = "2024-02-23" - score = 65 - id = "c57e6c6a-298f-5ff3-b76a-03127ff88699" - strings: - $a1 = "" - - $s1 = "@poc.com" - $s2 = "0001" - condition: - filesize < 200KB - and all of ($a*) - and all of ($s*) -} - -rule SUSP_ScreenConnect_User_PoC_Com_Used_Feb24 { - meta: - description = "Detects suspicious ScreenConnect user with poc.com email address, which is a sign of exploitation of the ConnectWise ScreenConnect (versions prior to 23.9.8) vulnerability with the POC released by WatchTower and the account was already used yet to login" - author = "Florian Roth" - 
reference = "https://github.com/watchtowrlabs/connectwise-screenconnect_auth-bypass-add-user-poc/blob/45e5b2f699a4d8f2d59ec3fc79a2e3c99db71882/watchtowr-vs-ConnectWise_2024-02-21.py#L53" - date = "2024-02-23" - score = 75 - id = "91990558-f145-5968-9722-b6815f6ad8d5" - strings: - $a1 = "" - - $s1 = "@poc.com" - - $f1 = "0001" - condition: - filesize < 200KB - and all of ($a*) - and $s1 - and not 1 of ($f*) -} - -rule SUSP_ScreenConnect_Exploitation_Artefacts_Feb24 : SCRIPT { - meta: - description = "Detects post exploitation indicators observed by HuntressLabs in relation to the ConnectWise ScreenConnect (versions prior to 23.9.8) vulnerability that allows an Authentication Bypass" - author = "Florian Roth" - reference = "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708" - date = "2024-02-23" - score = 75 - id = "079f4153-8bc7-574f-b6fa-af5536b842ab" - strings: - $x01 = "-c foreach ($disk in Get-WmiObject Win32_Logicaldisk){Add-MpPreference -ExclusionPath $disk.deviceid}" - $x02 = ".msi c:\\mpyutd.msi" - $x03 = "/MyUserName_$env:UserName" - $x04 = " -OutFile C:\\Windows\\Help\\" - $x05 = "/Create /TN \\\\Microsoft\\\\Windows\\\\Wininet\\\\UserCache_" - $x06 = "$e = $r + \"ssh.exe\"" - $x07 = "Start-Process -f $e -a $args -PassThru -WindowStyle Hidden).Id" - $x08 = "-R 9595:localhost:3389 -p 443 -N -oStrictHostKeyChecking=no " - $x09 = "chromeremotedesktophost.msi', $env:ProgramData+" - $x10 = "9595; iwr -UseBasicParsing " - $x11 = "curl https://cmctt.]com/pub/media/wysiwyg/" - $x12 = ":8080/servicetest2.dll" - $x13 = "/msappdata.msi c:\\mpyutd.msi" - $x14 = "/svchost.exe -OutFile " - $x15 = "curl http://minish.wiki.gd" - $x16 = " -Headers @{'ngrok-skip-browser-warning'='true'} -OutFile " - $x17 = "rundll32.exe' -Headers @" - $x18 = "/nssm.exe' -Headers @" - $x19 = "c:\\programdata\\update.dat UpdateSystem" - $x20 = "::size -eq 4){\\\"TVqQAA" ascii wide - $x21 = "::size -eq 4){\"TVqQAA" ascii wide - 
$x22 = "-nop -c [System.Reflection.Assembly]::Load(([WmiClass]'root\\cimv2:System_" - - /* Persistence */ - $xp0 = "/add default test@2021! /domain" - $xp1 = "/add default1 test@2021! /domain" - $xp2 = "oldadmin Pass8080!!" - $xp3 = "temp 123123qwE /add " - $xp4 = "oldadmin \"Pass8080!!\"" - $xp5 = "nssm set xmrig AppDirectory " - condition: - 1 of ($x*) -} - -rule SUSP_Command_Line_Combos_Feb24_2 : SCRIPT { - meta: - description = "Detects suspicious command line combinations often found in post exploitation activities" - author = "Florian Roth" - reference = "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708" - date = "2024-02-23" - score = 75 - id = "d9bc6083-c3ca-5639-a9df-483fea6d0187" - strings: - $sa1 = " | iex" - $sa2 = "iwr -UseBasicParsing " - condition: - filesize < 2MB and all of them -} - -rule SUSP_PS1_Combo_TransferSH_Feb24 : SCRIPT { - meta: - description = "Detects suspicious PowerShell command that downloads content from transfer.sh as often found in loaders" - author = "Florian Roth" - reference = "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708" - date = "2024-02-23" - score = 70 - id = "fd14cca5-9cf8-540b-9d6e-39ca2c267272" - strings: - $x1 = ".DownloadString('https://transfer.sh" - $x2 = ".DownloadString(\"https://transfer.sh" - $x3 = "Invoke-WebRequest -Uri 'https://transfer.sh" - $x4 = "Invoke-WebRequest -Uri \"https://transfer.sh" - condition: - 1 of them -} - -rule MAL_SUSP_RANSOM_LockBit_RansomNote_Feb24 { - meta: - description = "Detects the LockBit ransom note file 'LockBit-DECRYPT.txt' which is a sign of a LockBit ransomware infection" - author = "Florian Roth" - reference = "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708" - date = "2024-02-23" - score = 75 - id = "b2fcb2a7-49e8-520c-944f-6acd5ded579b" - strings: - $x1 = ">>>> Your 
personal DECRYPTION ID:" - condition: - 1 of them -} - -rule MAL_SUSP_RANSOM_Lazy_RansomNote_Feb24 { - meta: - description = "Detects the Lazy ransom note file 'HowToRestoreYourFiles.txt' which is a sign of a Lazy ransomware infection" - author = "Florian Roth" - reference = "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708" - date = "2024-02-23" - score = 75 - id = "287dfd67-8d0d-5906-b593-3af42a5a3aa4" - strings: - $x1 = "All Encrypted files can be reversed to original form and become usable" - condition: - 1 of them -} - - -rule SUSP_MAL_SigningCert_Feb24_1 { - meta: - description = "Detects PE files signed with a certificate used to sign malware samples mentioned in a HuntressLabs report on the exploitation of ScreenConnect vulnerability CVE-2024-1708 and CVE-2024-1709" - author = "Florian Roth" - reference = "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708" - date = "2024-02-23" - score = 75 - hash1 = "37a39fc1feb4b14354c4d4b279ba77ba51e0d413f88e6ab991aad5dd6a9c231b" - hash2 = "e8c48250cf7293c95d9af1fb830bb8a5aaf9cfb192d8697d2da729867935c793" - id = "f25ea77a-1b4e-5c13-9117-eedf0c20335a" - strings: - $s1 = "Wisdom Promise Security Technology Co." 
ascii - $s2 = "Globalsign TSA for CodeSign1" ascii - $s3 = { 5D AC 0B 6C 02 5A 4B 21 89 4B A3 C2 } - condition: - uint16(0) == 0x5a4d - and filesize < 70000KB - and all of them -} - -rule MAL_CS_Loader_Feb24_1 { - meta: - description = "Detects Cobalt Strike malware samples mentioned in a HuntressLabs report on the exploitation of ScreenConnect vulnerability CVE-2024-1708 and CVE-2024-1709" - author = "Florian Roth" - reference = "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708" - date = "2024-02-23" - score = 75 - hash1 = "0a492d89ea2c05b1724a58dd05b7c4751e1ffdd2eab3a2f6a7ebe65bf3fdd6fe" - id = "6c9914a4-b079-5a39-9d3b-7b9a2b54dc2b" - strings: - $s1 = "Dll_x86.dll" ascii fullword - condition: - uint16(0) == 0x5a4d - and filesize < 1000KB - and ( - pe.exports("UpdateSystem") and ( - pe.imphash() == "0dc05c4c21a86d29f1c3bf9cc5b712e0" - or $s1 - ) - ) -} - -rule MAL_RANSOM_LockBit_Indicators_Feb24 { - meta: - description = "Detects Lockbit ransomware samples mentioned in a HuntressLabs report on the exploitation of ScreenConnect vulnerability CVE-2024-1708 and CVE-2024-1709" - author = "Florian Roth" - reference = "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708" - date = "2024-02-23" - score = 75 - hash1 = "a50d9954c0a50e5804065a8165b18571048160200249766bfa2f75d03c8cb6d0" - id = "108430c8-4fe5-58a1-b709-539b257c120c" - strings: - $op1 = { 76 c1 95 8b 18 00 93 56 bf 2b 88 71 4c 34 af b1 a5 e9 77 46 c3 13 } - $op2 = { e0 02 10 f7 ac 75 0e 18 1b c2 c1 98 ac 46 } - $op3 = { 8b c6 ab 53 ff 15 e4 57 42 00 ff 45 fc eb 92 ff 75 f8 ff 15 f4 57 42 00 } - condition: - uint16(0) == 0x5a4d - and filesize < 500KB - and ( - pe.imphash() == "914685b69f2ac2ff61b6b0f1883a054d" - or 2 of them - ) or all of them -} - -rule MAL_MSI_Mpyutils_Feb24_1 { - meta: - description = "Detects malicious MSI package mentioned in a HuntressLabs report on the 
exploitation of ScreenConnect vulnerability CVE-2024-1708 and CVE-2024-1709" - author = "Florian Roth" - reference = "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708" - date = "2024-02-23" - score = 70 - hash1 = "8e51de4774d27ad31a83d5df060ba008148665ab9caf6bc889a5e3fba4d7e600" - id = "e7794336-a325-5b92-8c25-81ed9cb28044" - strings: - $s1 = "crypt64ult.exe" ascii fullword - $s2 = "EXPAND.EXE" wide fullword - $s6 = "ICACLS.EXE" wide fullword - condition: - uint16(0) == 0xcfd0 - and filesize < 20000KB - and all of them -} - -rule MAL_Beacon_Unknown_Feb24_1 { - meta: - description = "Detects malware samples mentioned in a HuntressLabs report on the exploitation of ScreenConnect vulnerability CVE-2024-1708 and CVE-2024-1709 " - author = "Florian Roth" - reference = "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708" - date = "2024-02-23" - score = 75 - hash1 = "6e8f83c88a66116e1a7eb10549542890d1910aee0000e3e70f6307aae21f9090" - hash2 = "b0adf3d58fa354dbaac6a2047b6e30bc07a5460f71db5f5975ba7b96de986243" - hash3 = "c0f7970bed203a5f8b2eca8929b4e80ba5c3276206da38c4e0a4445f648f3cec" - id = "9299fd44-5327-5a73-8299-108b710cb16e" - strings: - $s1 = "Driver.dll" wide fullword - $s2 = "X l.dlT" ascii fullword - $s3 = "$928c7481-dd27-8e23-f829-4819aefc728c" ascii fullword - condition: - uint16(0) == 0x5a4d - and filesize < 2000KB - and 3 of ($s*) -} - -/* --------------------------------------------------------------------------------- */ -/* only usable with THOR or THOR Lite, e.g. 
in THOR Cloud */ - -rule SUSP_ScreenConnect_User_Gmail_2024_Feb24 { - meta: - description = "Detects suspicious ScreenConnect user with Gmail address created in 2024, which could be a sign of exploitation of the ConnectWise ScreenConnect (versions prior to 23.9.8) vulnerability that allows an Authentication Bypass" - author = "Florian Roth" - reference = "https://twitter.com/_johnhammond/status/1760357971127832637" - date = "2024-02-22" - score = 65 - id = "3c86f4ee-4e8c-566b-b54e-e94418e4ec7e" - strings: - $a1 = "" - $s2 = "2024-" - condition: - filesize < 200KB - and all of them - and filepath contains "\\ScreenConnect\\App_Data\\" -} - -rule SUSP_ScreenConnect_New_User_2024_Feb24 { - meta: - description = "Detects suspicious new ScreenConnect user created in 2024, which could be a sign of exploitation of the ConnectWise ScreenConnect (versions prior to 23.9.8) vulnerability that allows an Authentication Bypass" - author = "Florian Roth" - reference = "https://twitter.com/_johnhammond/status/1760357971127832637" - date = "2024-02-22" - score = 50 - id = "f6675ded-39a4-590a-a201-fcfe3c056e60" - strings: - $a1 = "2024-" - condition: - filesize < 200KB - and all of them - and filepath contains "\\ScreenConnect\\App_Data\\" -} - -rule SUSP_ScreenConnect_User_2024_No_Logon_Feb24 { - meta: - description = "Detects suspicious ScreenConnect user created in 2024 but without any login, which could be a sign of exploitation of the ConnectWise ScreenConnect (versions prior to 23.9.8) vulnerability that allows an Authentication Bypass" - author = "Florian Roth" - reference = "https://github.com/watchtowrlabs/connectwise-screenconnect_auth-bypass-add-user-poc/blob/45e5b2f699a4d8f2d59ec3fc79a2e3c99db71882/watchtowr-vs-ConnectWise_2024-02-21.py#L53" - date = "2024-02-23" - score = 60 - id = "c0861f1c-08e2-565d-a468-2075c51b4004" - strings: - $a1 = "" - - $s1 = "2024-" - $s2 = "0001-01-01T00:00:00" - condition: - filesize < 200KB - and all of them - and filepath contains 
"\\ScreenConnect\\App_Data\\"
-}
diff --git a/yara-Neo23x0/gen_fake_amsi_dll.yar b/yara-Neo23x0/gen_fake_amsi_dll.yar
deleted file mode 100644
index 32f86b2..0000000
--- a/yara-Neo23x0/gen_fake_amsi_dll.yar
+++ /dev/null
@@ -1,68 +0,0 @@
-import "pe"
-
-rule SUSP_Fake_AMSI_DLL_Jun23_1 {
- meta:
- description = "Detects an amsi.dll that has the same exports as the legitimate one but very different contents or file sizes"
- author = "Florian Roth"
- reference = "https://twitter.com/eversinc33/status/1666121784192581633?s=20"
- date = "2023-06-07"
- modified = "2023-06-12"
- score = 65
- id = "b12df9de-ecfb-562b-b599-87fa786a33bc"
- strings:
- $a1 = "Microsoft.Antimalware.Scan.Interface" ascii
- $a2 = "Amsi.pdb" ascii fullword
- $a3 = "api-ms-win-core-sysinfo-" ascii
- $a4 = "Software\\Microsoft\\AMSI\\Providers" wide
- $a5 = "AmsiAntimalware@" ascii
- $a6 = "AMSI UAC Scan" ascii
-
- $fp1 = "Wine builtin DLL"
- condition:
- uint16(0) == 0x5a4d
- // AMSI.DLL exports
- and (
- pe.exports("AmsiInitialize")
- and pe.exports("AmsiScanString")
- )
- // and now the anomalies
- and (
- filesize > 200KB // files bigger than 100kB
- or filesize < 35KB // files smaller than 35kB
- or not 4 of ($a*) // files that don't contain the expected strings
- )
- and not 1 of ($fp*)
-}
-
-/* Uses the external variable "filename" and can thus only be used in LOKI or THOR */
-
-rule SUSP_Fake_AMSI_DLL_Jun23_2 {
- meta:
- description = "Detects an amsi.dll that has very different contents or file sizes than the legitimate"
- author = "Florian Roth"
- reference = "https://twitter.com/eversinc33/status/1666121784192581633?s=20"
- date = "2023-06-07"
- modified = "2023-06-14"
- score = 65
- id = "adec9525-6299-52d5-8f4e-a83366d3dcfd"
- strings:
- $a1 = "Microsoft.Antimalware.Scan.Interface" ascii
- $a2 = "Amsi.pdb" ascii fullword
- $a3 = "api-ms-win-core-sysinfo-" ascii
- $a4 = "Software\\Microsoft\\AMSI\\Providers" wide
- $a5 = "AmsiAntimalware@" ascii
- $a6 = "AMSI UAC Scan" ascii
-
- $fp1 = "Wine builtin DLL"
- condition:
- uint16(0) == 0x5a4d
- // AMSI.DLL
- and filename == "amsi.dll"
- // and now the anomalies
- and (
- filesize > 200KB // files bigger than 100kB
- or filesize < 35KB // files smaller than 35kB
- or not 4 of ($a*) // files that don't contain the expected strings
- )
- and not 1 of ($fp*)
-}
diff --git a/yara-Neo23x0/gen_mal_3cx_compromise_mar23.yar b/yara-Neo23x0/gen_mal_3cx_compromise_mar23.yar
deleted file mode 100644
index f5f318f..0000000
--- a/yara-Neo23x0/gen_mal_3cx_compromise_mar23.yar
+++ /dev/null
@@ -1,428 +0,0 @@ -import "pe" - -rule APT_MAL_NK_3CX_Malicious_Samples_Mar23_1 { - meta: - description = "Detects malicious DLLs related to 3CX compromise" - author = "X__Junior, Florian Roth (Nextron Systems)" - reference = "https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/" - date = "2023-03-29" - modified = "2023-04-20" - score = 85 - hash1 = "7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896" - hash2 = "c485674ee63ec8d4e8fde9800788175a8b02d3f9416d0e763360fff7f8eb4e02" - hash3 = "cc4eedb7b1f77f02b962f4b05278fa7f8082708b5a12cacf928118520762b5e2" - id = "a6ea3299-fde5-5206-b5db-eb3a3f5944d9" - strings: - $opa1 = { 4C 89 F1 4C 89 EA 41 B8 40 00 00 00 FF 15 ?? ?? ?? ?? 85 C0 74 ?? 4C 89 F0 FF 15 ?? ?? ?? ?? 4C 8D 4C 24 ?? 45 8B 01 4C 89 F1 4C 89 EA FF 15 } /* VirtualProtect and execute payload*/ - $opa2 = { 48 C7 44 24 ?? 00 00 00 00 4C 8D 7C 24 ?? 48 89 F9 48 89 C2 41 89 E8 4D 89 F9 FF 15 ?? ?? ?? ?? 41 83 3F 00 0F 84 ?? ?? ?? ?? 0F B7 03 3D 4D 5A 00 00} /* ReadFile and MZ compare*/ - $opa3 = { 41 80 7C 00 ?? FE 75 ?? 41 80 7C 00 ?? ED 75 ?? 41 80 7C 00 ?? FA 75 ?? 41 80 3C 00 CE} /* marker */ - $opa4 = { 44 0F B6 CD 46 8A 8C 0C ?? ?? ?? ?? 45 30 0C 0E 48 FF C1} /* xor part in RC4 decryption*/ - - $opb1 = { 41 B8 40 00 00 00 49 8B D5 49 8B CC FF 15 ?? ?? ?? ?? 85 C0 74 ?? 41 FF D4 44 8B 45 ?? 4C 8D 4D ?? 49 8B D5 49 8B CC FF 15 } /* VirtualProtect and execute payload */ - $opb2 = { 44 8B C3 48 89 44 24 ?? 48 8B 5C 24 ?? 4C 8D 4D ?? 48 8B CB 48 89 74 24 ?? 48 8B D0 4C 8B F8 FF 15 } /* ReadFile and MZ compare*/ - $opb3 = { 80 78 ?? FE 75 ?? 80 78 ?? ED 75 ?? 80 38 FA 75 ?? 80 78 ?? CE } /* marker */ - $opb4 = { 49 63 C1 44 0F B6 44 05 ?? 44 88 5C 05 ?? 44 88 02 0F B6 54 05 ?? 49 03 D0 0F B6 C2 0F B6 54 05 ?? 
41 30 12} /* xor part in RC4 decryption*/ - condition: - uint16(0) == 0x5a4d - and filesize < 5MB - and pe.characteristics & pe.DLL - and ( 2 of ($opa*) or 2 of ($opb*) ) -} - -rule APT_MAL_NK_3CX_Malicious_Samples_Mar23_2 { - meta: - description = "Detects malicious DLLs related to 3CX compromise (decrypted payload)" - author = "Florian Roth (Nextron Systems)" - reference = "https://twitter.com/dan__mayer/status/1641170769194672128?s=20" - date = "2023-03-29" - score = 80 - hash1 = "aa4e398b3bd8645016d8090ffc77d15f926a8e69258642191deb4e68688ff973" - id = "bf3597ff-d62b-5d21-9c9b-e46e685284cf" - strings: - $s1 = "raw.githubusercontent.com/IconStorages/images/main/icon%d.ico" wide fullword - $s2 = "https://raw.githubusercontent.com/IconStorages" wide fullword - $s3 = "icon%d.ico" wide fullword - $s4 = "__tutmc" ascii fullword - - $op1 = { 2d ee a1 00 00 c5 fa e6 f5 e9 40 fe ff ff 0f 1f 44 00 00 75 2e c5 fb 10 0d 46 a0 00 00 44 8b 05 7f a2 00 00 e8 0a 0e 00 00 } - $op4 = { 4c 8d 5c 24 71 0f 57 c0 48 89 44 24 60 89 44 24 68 41 b9 15 cd 5b 07 0f 11 44 24 70 b8 b1 68 de 3a 41 ba a4 7b 93 02 } - $op5 = { f7 f3 03 d5 69 ca e8 03 00 00 ff 15 c9 0a 02 00 48 8d 44 24 30 45 33 c0 4c 8d 4c 24 38 48 89 44 24 20 } - condition: - uint16(0) == 0x5a4d and - filesize < 900KB and 3 of them - or 5 of them -} - -rule APT_MAL_NK_3CX_Malicious_Samples_Mar23_3 { - meta: - description = "Detects malicious DLLs related to 3CX compromise (decrypted payload)" - author = "Florian Roth , X__Junior (Nextron Systems)" - reference = "https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/" - date = "2023-03-29" - score = 80 - hash1 = "aa4e398b3bd8645016d8090ffc77d15f926a8e69258642191deb4e68688ff973" - id = "d2d361b6-8485-57eb-b6eb-88785f42e93e" - strings: - $opa1 = { 41 81 C0 ?? ?? ?? ?? 02 C8 49 C1 E9 ?? 41 88 4B ?? 4D 03 D1 8B C8 45 8B CA C1 E1 ?? 33 C1 41 69 D0 ?? ?? ?? ?? 8B C8 C1 E9 ?? 33 C1 8B C8 C1 E1 ?? 81 C2 ?? ?? ?? ?? 
33 C1 43 8D 0C 02 02 C8 49 C1 EA ?? 41 88 0B 8B C8 C1 E1 ?? 33 C1 44 69 C2 ?? ?? ?? ?? 8B C8 C1 E9 ?? 33 C1 8B C8 C1 E1 ?? 41 81 C0 } /*lcg chunk */ - $opa2 = { 8B C8 41 69 D1 ?? ?? ?? ?? C1 E1 ?? 33 C1 45 8B CA 8B C8 C1 E9 ?? 33 C1 81 C2 ?? ?? ?? ?? 8B C8 C1 E1 ?? 33 C1 41 8B C8 4C 0F AF CF 44 69 C2 ?? ?? ?? ?? 4C 03 C9 45 8B D1 4C 0F AF D7} /*lcg chunk */ - - $opb1 = { 45 33 C9 48 89 6C 24 ?? 48 8D 44 24 ?? 48 89 6C 24 ?? 8B D3 48 89 B4 24 ?? ?? ?? ?? 48 89 44 24 ?? 45 8D 41 ?? FF 15 } /* base64 decode */ - $opb2 = { 44 8B 0F 45 8B C6 48 8B 4D ?? 49 8B D7 44 89 64 24 ?? 48 89 7C 24 ?? 44 89 4C 24 ?? 4C 8D 4D ?? 48 89 44 24 ?? 44 89 64 24 ?? 4C 89 64 24 ?? FF 15} /* AES decryption */ - $opb3 = { 48 FF C2 66 44 39 2C 56 75 ?? 4C 8D 4C 24 ?? 45 33 C0 48 8B CE FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 44 0F B7 44 24 ?? 33 F6 48 8B 54 24 ?? 45 33 C9 48 8B 0B 48 89 74 24 ?? 89 74 24 ?? C7 44 24 ?? ?? ?? ?? ?? 48 89 74 24 ?? FF 15 } /* internet connection */ - $opb4 = { 33 C0 48 8D 6B ?? 4C 8D 4C 24 ?? 89 44 24 ?? BA ?? ?? ?? ?? 48 89 44 24 ?? 48 8B CD 89 44 24 ?? 44 8D 40 ?? 8B F8 FF 15} /* VirtualProtect */ - condition: - ( all of ($opa*) ) - or - ( 1 of ($opa*) and 1 of ($opb*) ) - or - ( 3 of ($opb*) ) -} - -rule SUSP_APT_MAL_NK_3CX_Malicious_Samples_Mar23_1 { - meta: - description = "Detects marker found in malicious DLLs related to 3CX compromise" - author = "X__Junior, Florian Roth (Nextron Systems)" - reference = "https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/" - date = "2023-03-29" - modified = "2023-04-20" - score = 75 - hash1 = "7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896" - hash2 = "c485674ee63ec8d4e8fde9800788175a8b02d3f9416d0e763360fff7f8eb4e02" - hash3 = "cc4eedb7b1f77f02b962f4b05278fa7f8082708b5a12cacf928118520762b5e2" - id = "9fc6eb94-d02f-5bcd-9f55-b6c6a8301b4f" - strings: - $opx1 = { 41 80 7C 00 FD FE 75 ?? 41 80 7C 00 FE ED 75 ?? 41 80 7C 00 FF FA 75 ?? 
41 80 3C 00 CE } /* marker */ - $opx2 = { 80 78 ?? FE 75 ?? 80 78 ?? ED 75 ?? 80 38 FA 75 ?? 80 78 ?? CE } /* marker */ - condition: - 1 of them -} - -rule APT_SUSP_NK_3CX_RC4_Key_Mar23_1 { - meta: - description = "Detects RC4 key used in 3CX binaries known to be malicious" - author = "Florian Roth (Nextron Systems)" - date = "2023-03-29" - reference = "https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/" - score = 70 - hash1 = "7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896" - hash2 = "59e1edf4d82fae4978e97512b0331b7eb21dd4b838b850ba46794d9c7a2c0983" - hash3 = "aa124a4b4df12b34e74ee7f6c683b2ebec4ce9a8edcf9be345823b4fdcf5d868" - hash4 = "c485674ee63ec8d4e8fde9800788175a8b02d3f9416d0e763360fff7f8eb4e02" - id = "18ea2185-11a1-51ad-a51a-df9e6357bb58" - strings: - $x1 = "3jB(2bsG#@c7" - condition: - ( uint16(0) == 0xcfd0 or uint16(0) == 0x5a4d ) - and $x1 -} - -rule SUSP_3CX_App_Signed_Binary_Mar23_1 { - meta: - description = "Detects 3CX application binaries signed with a certificate and created in a time frame in which other known malicious binaries have been created" - author = "Florian Roth (Nextron Systems)" - date = "2023-03-29" - reference = "https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/" - score = 65 - hash1 = "fad482ded2e25ce9e1dd3d3ecc3227af714bdfbbde04347dbc1b21d6a3670405" - hash2 = "dde03348075512796241389dfea5560c20a3d2a2eac95c894e7bbed5e85a0acc" - id = "b6ce4c1d-1b7b-5e0c-af4c-05cb3ad0a4e0" - strings: - $sa1 = "3CX Ltd1" - $sa2 = "3CX Desktop App" wide - $sc1 = { 1B 66 11 DF 9C 9A 4D 6E CC 8E D5 0C 9B 91 78 73 } // Known compromised cert - condition: - uint16(0) == 0x5a4d - and pe.timestamp > 1669680000 // 29.11.2022 earliest known malicious sample - and pe.timestamp < 1680108505 // 29.03.2023 date of the report - and all of ($sa*) - and $sc1 // serial number of known compromised certificate -} - -rule SUSP_3CX_MSI_Signed_Binary_Mar23_1 { - 
meta: - description = "Detects 3CX MSI installers signed with a known compromised certificate and signed in a time frame in which other known malicious binaries have been signed" - author = "Florian Roth (Nextron Systems)" - date = "2023-03-29" - reference = "https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/" - score = 60 - hash1 = "aa124a4b4df12b34e74ee7f6c683b2ebec4ce9a8edcf9be345823b4fdcf5d868" - hash2 = "59e1edf4d82fae4978e97512b0331b7eb21dd4b838b850ba46794d9c7a2c0983" - id = "15d6d8ca-6982-5095-9879-ce97269a71c6" - strings: - $a1 = { 84 10 0C 00 00 00 00 00 C0 00 00 00 00 00 00 46 } // MSI marker - - $sc1 = { 1B 66 11 DF 9C 9A 4D 6E CC 8E D5 0C 9B 91 78 73 } // Known compromised cert - - $s1 = "3CX Ltd1" - $s2 = "202303" // in - condition: - uint16(0) == 0xcfd0 - and $a1 - and $sc1 - and ( - $s1 in (filesize-20000..filesize) - and $s2 in (filesize-20000..filesize) - ) -} - -rule APT_MAL_macOS_NK_3CX_Malicious_Samples_Mar23_1 { - meta: - description = "Detects malicious macOS application related to 3CX compromise (decrypted payload)" - author = "Florian Roth (Nextron Systems)" - reference = "https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/" - date = "2023-03-30" - score = 80 - hash1 = "b86c695822013483fa4e2dfdf712c5ee777d7b99cbad8c2fa2274b133481eadb" - hash2 = "ac99602999bf9823f221372378f95baa4fc68929bac3a10e8d9a107ec8074eca" - hash3 = "51079c7e549cbad25429ff98b6d6ca02dc9234e466dd9b75a5e05b9d7b95af72" - id = "ff39e577-7063-5025-bead-68394a86c87c" - strings: - $s1 = "20230313064152Z0" - $s2 = "Developer ID Application: 3CX (33CF4654HL)" - condition: - ( uint16(0) == 0xfeca or uint16(0) == 0xfacf or uint32(0) == 0xbebafeca ) and all of them -} - -/* 30.03.2023 */ - -rule APT_MAL_MacOS_NK_3CX_DYLIB_Mar23_1 { - meta: - description = "Detects malicious DYLIB files related to 3CX compromise" - author = "Florian Roth (Nextron Systems)" - reference = 
"https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/" - date = "2023-03-30" - score = 80 - hash1 = "a64fa9f1c76457ecc58402142a8728ce34ccba378c17318b3340083eeb7acc67" - hash2 = "fee4f9dabc094df24d83ec1a8c4e4ff573e5d9973caa676f58086c99561382d7" - id = "a19904d3-9b2d-561f-b734-20bf09584fa7" - strings: - /* XORed UA 0x7a */ - $xc1 = { 37 15 00 13 16 16 1B 55 4F 54 4A 5A 52 2D 13 14 - 1E 15 0D 09 5A 34 2E 5A 4B 4A 54 4A 41 5A 2D 13 - 14 4C 4E 41 5A 02 4C 4E 53 5A 3B 0A 0A 16 1F 2D - 1F 18 31 13 0E 55 4F 49 4D 54 49 4C 5A 52 31 32 - 2E 37 36 56 5A 16 13 11 1F 5A 3D 1F 19 11 15 53 - 5A 39 12 08 15 17 1F 55 4B 4A 42 54 4A 54 4F 49 - 4F 43 54 4B 48 42 5A 29 1B 1C 1B 08 13 55 4F 49 - 4D 54 49 4C 7A } - /* /;3cx_auth_token_content=%s;__tutma= */ - $xc2 = { 41 49 19 02 25 1b 0f 0e 12 25 0e 15 11 1f 14 25 19 15 14 0e 1f 14 0e 47 5f 09 41 25 25 0e 0f 0e 17 1b 47 } - /* /System/Library/CoreServices/SystemVersion.plist */ - $xc3 = { 55 29 03 09 0e 1f 17 55 36 13 18 08 1b 08 03 55 39 15 08 1f 29 1f 08 0c 13 19 1f 09 55 29 03 09 0e 1f 17 2c 1f 08 09 13 15 14 54 0a 16 13 09 0e } - condition: - 1 of them -} - -rule APT_SUSP_NK_3CX_Malicious_Samples_Mar23_1 { - meta: - description = "Detects indicator (event name) found in samples related to 3CX compromise" - author = "Florian Roth (Nextron Systems)" - reference = "https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/" - date = "2023-03-30" - score = 70 - hash1 = "7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896" - hash2 = "59e1edf4d82fae4978e97512b0331b7eb21dd4b838b850ba46794d9c7a2c0983" - hash3 = "aa124a4b4df12b34e74ee7f6c683b2ebec4ce9a8edcf9be345823b4fdcf5d868" - hash4 = "c485674ee63ec8d4e8fde9800788175a8b02d3f9416d0e763360fff7f8eb4e02" - id = "b233846a-19df-579b-a674-233d66824008" - strings: - $a1 = "AVMonitorRefreshEvent" wide fullword - condition: - 1 of them -} - -rule 
APT_MAL_NK_3CX_Malicious_Samples_Mar23_4 { - meta: - author = "MalGamy (Nextron Systems)" - reference = "https://twitter.com/WhichbufferArda/status/1641404343323688964?s=20" - description = "Detects decrypted payload loaded inside 3CXDesktopApp.exe which downloads info stealer" - date = "2023-03-29" - hash = "851c2c99ebafd4e5e9e140cfe3f2d03533846ca16f8151ae8ee0e83c692884b7" - score = 80 - id = "d11170df-570c-510c-80ec-39048acd0fbd" - strings: - $op1 = {41 69 D0 [4] 8B C8 C1 E9 ?? 33 C1 8B C8 C1 E1 ?? 81 C2 [4] 33 C1 43 8D 0C 02 02 C8 49 C1 EA ?? 41 88 0B 8B C8 C1 E1 ?? 33 C1 44 69 C2 [4] 8B C8 C1 E9 ?? 33 C1 8B C8 C1 E1 ?? 41 81 C0 [4] 33 C1 4C 0F AF CF 4D 03 CA 45 8B D1 4C 0F AF D7 41 8D 0C 11 49 C1 E9 ?? 02 C8} // // xor with mul operation - $op2 = {4D 0F AF CC 44 69 C2 [4] 4C 03 C9 45 8B D1 4D 0F AF D4 41 8D 0C 11 41 81 C0 [4] 02 C8 49 C1 E9 ?? 41 88 4B ?? 4D 03 D1 8B C8 45 8B CA C1 E1 ?? 33 C1} // xor with mul operation - $op3 = {33 C1 4C 0F AF C7 8B C8 C1 E1 ?? 4D 03 C2 33 C1} // shift operation - condition: - 2 of them -} - -rule MAL_3CXDesktopApp_MacOS_Backdoor_Mar23 { - meta: - author = "X__Junior (Nextron Systems)" - reference = "https://www.volexity.com/blog/2023/03/30/3cx-supply-chain-compromise-leads-to-iconic-incident/" - description = "Detects 3CXDesktopApp MacOS Backdoor component" - date = "2023-03-30" - hash = "a64fa9f1c76457ecc58402142a8728ce34ccba378c17318b3340083eeb7acc67" - score = 80 - id = "80046c8e-0c2a-5885-b140-a6084f48160d" - strings: - $sa1 = "%s/.main_storage" ascii fullword - $sa2 = "%s/UpdateAgent" ascii fullword - - $op1 = { 31 C0 41 80 34 06 ?? 48 FF C0 48 83 F8 ?? 75 ?? BE ?? ?? ?? ?? BA ?? ?? ?? ?? 4C 89 F7 48 89 D9 E8 ?? ?? ?? ?? 48 89 DF E8 ?? ?? ?? ?? 48 89 DF E8 ?? ?? ?? ?? 4C 89 F7 5B 41 5E 41 5F E9 ?? ?? ?? ?? 5B 41 5E 41 5F C3} /* string decryption */ - $op2 = { 0F 11 84 24 ?? ?? ?? ?? 0F 28 05 ?? ?? ?? ?? 0F 29 84 24 ?? ?? ?? ?? 0F 28 05 ?? ?? ?? ?? 0F 29 84 24 ?? ?? ?? ?? 31 C0 80 B4 04 ?? ?? ?? ?? ?? 
48 FF C0} /* string decryption */ - condition: - ( ( uint16(0) == 0xfeca or uint16(0) == 0xfacf or uint32(0) == 0xbebafeca ) and filesize < 6MB - and - ( - ( 1 of ($sa*) and 1 of ($op* ) ) - or all of ($sa*) - ) - ) - or ( all of ($op*) ) -} - -/* 31.03.2023 */ - -rule APT_MAL_NK_3CX_ICONIC_Stealer_Mar23_1 { - meta: - description = "Detects ICONIC stealer payload used in the 3CX incident" - author = "Florian Roth (Nextron Systems)" - reference = "https://github.com/volexity/threat-intel/blob/main/2023/2023-03-30%203CX/attachments/iconicstealer.7z" - date = "2023-03-31" - score = 80 - hash1 = "8ab3a5eaaf8c296080fadf56b265194681d7da5da7c02562953a4cb60e147423" - id = "e92b5b90-1146-5235-9711-a4d42689c49b" - strings: - - $s1 = "{\"HostName\": \"%s\", \"DomainName\": \"%s\", \"OsVersion\": \"%d.%d.%d\"}" wide fullword - $s2 = "******************************** %s ******************************" wide fullword - $s3 = "AppData\\Local\\BraveSoftware\\Brave-Browser\\User Data" wide fullword - $s4 = "AppData\\Roaming\\Mozilla\\Firefox\\Profiles" wide fullword - $s5 = "SELECT url, title FROM urls ORDER BY id DESC LIMIT 500" wide fullword - $s6 = "TEXT value in %s.%s" ascii fullword - - $op1 = { 48 63 d1 48 63 ce 49 03 d1 49 03 cd 4c 63 c7 e8 87 1f 09 00 8b 45 d0 44 8d 04 37 } - $op2 = { 48 8b c8 8b 56 f0 48 89 46 d8 e8 78 8f f8 ff e9 ec 13 00 00 c7 46 20 ff ff ff ff e9 e0 13 00 00 33 ff } - condition: - uint16(0) == 0x5a4d - and filesize < 4000KB - and 4 of them - or 6 of them -} - -rule APT_MAL_NK_3CX_macOS_Elextron_App_Mar23_1 { - meta: - description = "Detects macOS malware used in the 3CX incident" - author = "Florian Roth (Nextron Systems)" - reference = "Internal Research" - date = "2023-03-31" - score = 80 - hash1 = "51079c7e549cbad25429ff98b6d6ca02dc9234e466dd9b75a5e05b9d7b95af72" - hash2 = "f7ba7f9bf608128894196cf7314f68b78d2a6df10718c8e0cd64dbe3b86bc730" - id = "7a3755d4-37e5-5d3b-93aa-34edb557f2d5" - strings: - $a1 = 
"com.apple.security.cs.allow-unsigned-executable-memory" ascii - $a2 = "com.electron.3cx-desktop-app" ascii fullword - - $s1 = "s8T/RXMlALbXfowom9qk15FgtdI=" ascii - $s2 = "o8NQKPJE6voVZUIGtXihq7lp0cY=" ascii - condition: - uint16(0) == 0xfacf and - filesize < 400KB and ( - all of ($a*) - and 1 of ($s*) - ) -} - -rule MAL_3CXDesktopApp_MacOS_UpdateAgent_Mar23 { - meta: - description = "Detects 3CXDesktopApp MacOS UpdateAgent backdoor component" - author = "Florian Roth (Nextron Systems)" - reference = "https://twitter.com/patrickwardle/status/1641692164303515653?s=20" - date = "2023-03-30" - hash = "9e9a5f8d86356796162cee881c843cde9eaedfb3" - score = 80 - id = "596eb6d0-f96f-5106-ae67-9372d238e4cf" - strings: - $a1 = "/3CX Desktop App/.main_storage" ascii - - $x1 = ";3cx_auth_token_content=%s;__tutma=true" - - $s1 = "\"url\": \"https://" - $s3 = "/dev/null" - $s4 = "\"AccountName\": \"" - condition: - uint16(0) == 0xfeca - and filesize < 6MB - and ( - 1 of ($x*) - or ( $a1 and all of ($s*) ) - ) or all of them -} - -rule SUSP_APT_3CX_Regtrans_Anomaly_Apr23 : METARULE { - meta: - description = "Detects suspicious .regtrans-ms files with suspicious size or contents" - author = "Florian Roth" - reference = "https://www.3cx.com/blog/news/mandiant-initial-results/" - date = "2023-04-12" - score = 60 - id = "97406b8d-68fe-5f68-a26a-205dd4694e50" - strings: - $fp1 = "REGISTRY" wide - condition: - extension == ".regtrans-ms" and ( - filesize < 100KB - and not 1 of ($fp*) - ) -} - -rule APT_MAL_VEILEDSIGNAL_Backdoor_Apr23_2 { - meta: - description = "Detects malicious VEILEDSIGNAL backdoor" - author = "X__Junior" - reference = "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/xtrader-3cx-supply-chain" - date = "2023-04-29" - hash = "c4887a5cd6d98e273ba6e9ea3c1d8f770ef26239819ea24a1bfebd81d6870505" - score = 80 - id = "ff1fa0bd-19b7-553a-9506-bc5aa5d29056" - strings: - $sa1 = "\\.\\pipe\\gecko.nativeMessaging" ascii - $sa2 = "Mozilla/5.0 (Windows NT 
10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36 Edg/95.0.1020.40" ascii
- $sa3 = "application/json, text/javascript, */*; q=0.01" ascii
-
- $op1 = { 89 7? 24 ?? 44 8B CD 4C 8B C? 48 89 44 24 ?? 33 D2 33 C9 FF 15} /* MultiByteToWideChar */
- $op2 = { 4C 8B CB 4C 89 74 24 ?? 4C 8D 05 ?? ?? ?? ?? 44 89 74 24 ?? 33 D2 33 C9 FF 15} /* create thread*/
- $op3 = { 48 89 74 24 ?? 45 33 C0 89 74 24 ?? 41 B9 ?? ?? ?? ?? 89 74 24 ?? 48 8B D8 48 C7 00 ?? ?? ?? ?? 48 8B 0F 41 8D 50 ?? 48 89 44 24 ?? 89 74 24 ?? FF 15} /* CreateNamedPipeW */
- condition:
- all of ($op*) or all of ($sa*)
-}
-
-rule APT_MAL_VEILEDSIGNAL_Backdoor_Apr23_3 {
- meta:
- description = "Detects malicious VEILEDSIGNAL backdoor"
- author = "X__Junior"
- reference = "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/xtrader-3cx-supply-chain"
- date = "2023-04-29"
- hash = "595392959b609caf088d027a23443cf2fefd043607ccdec3de19ad3bb43a74b1"
- score = 80
- id = "6b6f984e-242a-5b84-baa9-6311992cde9b"
- strings:
- $op1 = { 4C 8B CB 4C 89 74 24 ?? 4C 8D 05 ?? ?? ?? ?? 44 89 74 24 ?? 33 D2 33 C9 FF 15} /* create thread*/
- $op2 = { 89 7? 24 ?? 44 8B CD 4C 8B C? 48 89 44 24 ?? 33 D2 33 C9 FF 15} /* MultiByteToWideChar */
- $op3 = { 8B 54 24 ?? 4C 8D 4C 24 ?? 45 8D 46 ?? 44 89 74 24 ?? 48 8B CB FF 15} /* virtualprotect */
- $op4 = { 48 8D 44 24 ?? 45 33 C9 41 B8 01 00 00 40 48 89 44 24 ?? 41 8B D5 48 8B CF FF 15} /* CryptBinaryToStringA */
- condition:
- all of them
-}
-
-rule APT_MAL_VEILEDSIGNAL_Backdoor_Apr23_4 {
- meta:
- description = "Detects malicious VEILEDSIGNAL backdoor"
- author = "X__Junior"
- reference = "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/xtrader-3cx-supply-chain"
- date = "2023-04-29"
- hash = "9b0761f81afb102bb784b398b16faa965594e469a7fcfdfd553ced19cc17e70b"
- score = 80
- id = "77340ec0-36bb-5c47-995f-4e6f76b68fe1"
- strings:
- $op1 = { 48 8D 15 ?? ?? ?? ?? 48 8D 4C 24 ?? E8 ?? ?? ?? ?? 85 C0 74 ?? 
48 8D 15 ?? ?? ?? ?? 48 8D 4C 24 ?? E8 ?? ?? ?? ?? 85 C0 74 ?? 48 8D 15 ?? ?? ?? ?? 48 8D 4C 24 ?? E8 ?? ?? ?? ?? 85 C0 } /* check for certian process */
- $op2 = { 48 8B C8 48 8D 15 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 45 33 C0 4C 8D 4D ?? B2 01 41 8D 48 ?? FF D0} /* RtlAdjustPrivilege */
- $op3 = { 33 FF C7 44 24 ?? 38 02 00 00 33 D2 8D 4F ?? FF 15 ?? ?? ?? ?? 48 8B D8 48 83 F8 FF 74 ?? 48 8D 54 24 ?? 48 8B C8 FF 15 } /* Process32FirstW */
- $op4 = { 4C 8D 05 ?? ?? ?? ?? 48 89 4C 24 ?? 4C 8B C8 33 D2 89 4C 24 ?? FF 15 } /* create thread*/
- condition:
- all of them
-}
diff --git a/yara-Neo23x0/gen_vcruntime140_dll_sideloading.yar b/yara-Neo23x0/gen_vcruntime140_dll_sideloading.yar
deleted file mode 100644
index 2f28d6f..0000000
--- a/yara-Neo23x0/gen_vcruntime140_dll_sideloading.yar
+++ /dev/null
@@ -1,30 +0,0 @@
-import "pe"
-
-rule SUSP_VCRuntime_Sideloading_Indicators_Aug23 {
- meta:
- description = "Detects indicators of .NET based malware sideloading as VCRUNTIME140 with .NET DLL imports"
- author = "Jonathan Peters"
- date = "2023-08-30"
- hash = "b4bc73dfe9a781e2fee4978127cb9257bc2ffd67fc2df00375acf329d191ffd6"
- score = 75
- id = "00400122-1343-5051-af31-880a3ef1745d"
- condition:
- (filename == "VCRUNTIME140.dll" or filename == "vcruntime140.dll")
- and pe.imports("mscoree.dll", "_CorDllMain")
-}
-
-// rule SUSP_VCRuntime_Sideloading_Indicators_1_Aug23 {
-// meta:
-// description = "Detects indicators of .NET based malware sideloading as an unsigned VCRUNTIME140"
-// author = "Jonathan Peters"
-// date = "2023-08-30"
-// hash = "b4bc73dfe9a781e2fee4978127cb9257bc2ffd67fc2df00375acf329d191ffd6"
-// score = 75
-// strings:
-// $fp1 = "Wine builtin DLL" ascii
-// condition:
-// (filename == "VCRUNTIME140.dll" or filename == "vcruntime140.dll")
-// and not pe.number_of_signatures == 0
-// and not pe.signatures[0].issuer contains "Microsoft Corporation"
-// and not $fp1
-// }
diff --git a/yara-Neo23x0/gen_webshells_ext_vars.yar b/yara-Neo23x0/gen_webshells_ext_vars.yar
deleted file mode 100644
index dc18c72..0000000
--- a/yara-Neo23x0/gen_webshells_ext_vars.yar
+++ /dev/null
@@ -1,103 +0,0 @@ -/* - Webshell rules that use external variables for false positive filtering -*/ - -rule webshell_php_by_string_obfuscation : FILE { - meta: - description = "PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming" - license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" - author = "Arnim Rupp" - date = "2021/01/09" - modified = "2022-10-25" - hash = "e4a15637c90e8eabcbdc748366ae55996dbec926382220c423e754bd819d22bc" - id = "be890bf6-de7e-588e-b5cd-72e8081d0b9c" - strings: - $opbs13 = "{\"_P\"./*-/*-*/\"OS\"./*-/*-*/\"T\"}" wide ascii - $opbs14 = "/*-/*-*/\"" wide ascii - $opbs16 = "'ev'.'al'" wide ascii - $opbs17 = "'e'.'val'" wide ascii - $opbs18 = "e'.'v'.'a'.'l" wide ascii - $opbs19 = "bas'.'e6'." wide ascii - $opbs20 = "ba'.'se6'." wide ascii - $opbs21 = "as'.'e'.'6'" wide ascii - $opbs22 = "gz'.'inf'." wide ascii - $opbs23 = "gz'.'un'.'c" wide ascii - $opbs24 = "e'.'co'.'d" wide ascii - $opbs25 = "cr\".\"eat" wide ascii - $opbs26 = "un\".\"ct" wide ascii - $opbs27 = "'c'.'h'.'r'" wide ascii - $opbs28 = "\"ht\".\"tp\".\":/\"" wide ascii - $opbs29 = "\"ht\".\"tp\".\"s:" wide ascii - $opbs31 = "'ev'.'al'" nocase wide ascii - $opbs32 = "eval/*" nocase wide ascii - $opbs33 = "eval(/*" nocase wide ascii - $opbs34 = "eval(\"/*" nocase wide ascii - $opbs36 = "assert/*" nocase wide ascii - $opbs37 = "assert(/*" nocase wide ascii - $opbs38 = "assert(\"/*" nocase wide ascii - $opbs40 = "'ass'.'ert'" nocase wide ascii - $opbs41 = "${'_'.$_}['_'](${'_'.$_}['__'])" wide ascii - $opbs44 = "'s'.'s'.'e'.'r'.'t'" nocase wide ascii - $opbs45 = "'P'.'O'.'S'.'T'" wide ascii - $opbs46 = "'G'.'E'.'T'" wide ascii - $opbs47 = "'R'.'E'.'Q'.'U'" wide ascii - $opbs48 = "se'.(32*2)" nocase - $opbs49 = "'s'.'t'.'r_'" nocase - $opbs50 = "'ro'.'t13'" nocase - $opbs51 = "c'.'od'.'e" nocase - $opbs53 = "e'. 
128/2 .'_' .'d" - // move malicious code out of sight if line wrapping not enabled - $opbs54 = "" ascii - $s1 = "echo -----END CERTIFICATE----- >>" ascii - $s2 = "certutil -decode " ascii - condition: - filesize < 10KB and all of them -} - -rule StegoKatz { - meta: - description = "Encoded Mimikatz in other file types" - license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" - author = "Florian Roth (Nextron Systems)" - reference = "https://goo.gl/jWPBBY" - date = "2015-09-11" - score = 70 - id = "78868bb0-af69-573d-afd2-350a46f69137" - strings: - $s1 = "VC92Ny9TSXZMNk5jLy8vOUlqUTFVRlFNQTZMLysvdjlJaTh2L0ZUNXJBUUJJaTFRa1NFaUx6K2hWSS8vL1NJME44bklCQU9pZC92Ny9USTJjSkpBQUFBQXp3RW1MV3hCSmkyc1lTWXR6S0VtTDQxL0R6TXhNaTl4SmlWc0lUWWxMSUUySlF4aFZWbGRCVkVGVlFWWkJWMGlCN1BBQUFBQklnMlFrYUFDNE1BQUFBRW1MNkVTTmNPQ0pSQ1JnaVVRa1pFbU5RN0JKaTlsTWpRWFBGQU1BU0ls" ascii - $s2 = "Rpd3ovN3FlalVtNklLQ0xNNGtOV1BiY0VOVHROT0Zud25CWGN0WS9BcEdMR28rK01OWm85Nm9xMlNnY1U5aTgrSTBvNkFob1FOTzRHQWdtUElEVmlqald0Tk90b2FmN01ESWJUQkF5T0pYbTB4bFVHRTBZWEFWOXVoNHBkQnRrS0VFWWVBSEE2TDFzU0c5a2ZFTEc3QWd4WTBYY1l3ZzB6QUFXS09JZE9wQVhEK3lnS3lsR3B5Q1ljR1NJdFNseGZKWUlVVkNFdEZPVjRJUldERUl1QXpKZ2pCQWdsd0Va" ascii - condition: - filesize < 1000KB and 1 of them -} - -rule Obfuscated_VBS_April17 { - meta: - description = "Detects cloaked Mimikatz in VBS obfuscation" - license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" - author = "Florian Roth (Nextron Systems)" - reference = "Internal Research" - date = "2017-04-21" - id = "ca60b885-bb56-55ee-a2b3-dea6958883c2" - strings: - $s1 = "::::::ExecuteGlobal unescape(unescape(" ascii - condition: - filesize < 500KB and all of them -} - -rule Obfuscated_JS_April17 { - meta: - description = "Detects cloaked Mimikatz in JS obfuscation" - license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" - author = "Florian Roth (Nextron Systems)" - reference = 
"Internal Research"
- date = "2017-04-21"
- id = "44abd2c0-5f8d-5a8c-b282-a09853e12054"
- strings:
- $s1 = "\";function Main(){for(var " ascii
- $s2 = "=String.fromCharCode(parseInt(" ascii
- $s3 = "));(new Function(" ascii
- condition:
- filesize < 500KB and all of them
-}
diff --git a/yara-Neo23x0/generic_anomalies.yar b/yara-Neo23x0/generic_anomalies.yar
deleted file mode 100644
index c6ef1ab..0000000
--- a/yara-Neo23x0/generic_anomalies.yar
+++ /dev/null
@@ -1,518 +0,0 @@ -/* - - Generic Anomalies - - Florian Roth - Nextron Systems GmbH - - License: Detetction Rule License 1.1 (https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md) - -*/ - -/* Performance killer - value isn't big enough -rule Embedded_EXE_Cloaking { - meta: - description = "Detects an embedded executable in a non-executable file" - license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" - author = "Florian Roth (Nextron Systems)" - date = "2015/02/27" - score = 65 - strings: - $noex_png = { 89 50 4E 47 } - $noex_pdf = { 25 50 44 46 } - $noex_rtf = { 7B 5C 72 74 66 31 } - $noex_jpg = { FF D8 FF E0 } - $noex_gif = { 47 49 46 38 } - $mz = { 4D 5A } - $a1 = "This program cannot be run in DOS mode" - $a2 = "This program must be run under Win32" - condition: - ( - ( $noex_png at 0 ) or - ( $noex_pdf at 0 ) or - ( $noex_rtf at 0 ) or - ( $noex_jpg at 0 ) or - ( $noex_gif at 0 ) - ) - and - for any i in (1..#mz): ( @a1 < ( @mz[i] + 200 ) or @a2 < ( @mz[i] + 200 ) ) -} -*/ - -// whitelist-approach failed : reworked in SUSP_Known_Type_Cloaked_as_JPG - -// rule Cloaked_as_JPG { -// meta: -// description = "Detects a non-JPEG file cloaked as JPG" -// author = "Florian Roth (Nextron Systems)" -// date = "2015/03/02" -// modified = "2022-09-16" -// score = 40 -// strings: -// $fp1 = " 6500KB ) - and not $fp -} - -rule Suspicious_Size_chrome_exe { - meta: - description = "Detects uncommon file size of chrome.exe" - author = "Florian Roth (Nextron Systems)" - score = 60 - nodeepdive = 1 - date = "2015-12-21" - modified = "2022-09-15" - noarchivescan = 1 - id = "f164394a-5c02-5056-aceb-044ee118578d" - strings: - $fp1 = "HP Sure Click Chromium Launcher" wide - $fp2 = "BrChromiumLauncher.exe" wide fullword - condition: - uint16(0) == 0x5a4d - and filename == "chrome.exe" - and ( filesize < 500KB or filesize > 5000KB ) - and not 1 of ($fp*) -} - -rule Suspicious_Size_csrss_exe { - meta: - description = 
"Detects uncommon file size of csrss.exe" - license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" - author = "Florian Roth (Nextron Systems)" - score = 60 - date = "2015-12-21" - modified = "2022-01-28" - noarchivescan = 1 - id = "5a247b51-6c91-5753-95b3-4a4c2b2286eb" - condition: - uint16(0) == 0x5a4d - and filename == "csrss.exe" - and ( filesize > 50KB ) -} - -rule Suspicious_Size_iexplore_exe { - meta: - description = "Detects uncommon file size of iexplore.exe" - license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" - author = "Florian Roth (Nextron Systems)" - score = 60 - date = "2015-12-21" - noarchivescan = 1 - id = "d097a599-0fad-574f-8281-46c910e8e54d" - condition: - uint16(0) == 0x5a4d - and filename == "iexplore.exe" - and not filepath contains "teamviewer" - and ( filesize < 75KB or filesize > 910KB ) -} - -rule Suspicious_Size_firefox_exe { - meta: - description = "Detects uncommon file size of firefox.exe" - license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" - author = "Florian Roth (Nextron Systems)" - score = 60 - date = "2015-12-21" - noarchivescan = 1 - id = "73c4b838-9277-5756-a35d-4a644be5ad5d" - condition: - uint16(0) == 0x5a4d - and filename == "firefox.exe" - and ( filesize < 265KB or filesize > 910KB ) -} - -rule Suspicious_Size_java_exe { - meta: - description = "Detects uncommon file size of java.exe" - license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" - author = "Florian Roth (Nextron Systems)" - score = 60 - date = "2015-12-21" - noarchivescan = 1 - id = "b6dc297b-8388-5e39-ba77-c027cdea7afa" - condition: - uint16(0) == 0x5a4d - and filename == "java.exe" - and ( filesize < 30KB or filesize > 900KB ) -} - -rule Suspicious_Size_lsass_exe { - meta: - description = "Detects uncommon file size of lsass.exe" - license = "Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE" - author = "Florian Roth (Nextron Systems)" - score = 60 - date = "2015-12-21" - noarchivescan = 1 - id = "005661c7-7576-5c13-9534-b49c12b2faad" - condition: - uint16(0) == 0x5a4d - and filename == "lsass.exe" - and ( filesize < 10KB or filesize > 100KB ) -} - -rule Suspicious_Size_svchost_exe { - meta: - description = "Detects uncommon file size of svchost.exe" - license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" - author = "Florian Roth (Nextron Systems)" - score = 60 - date = "2015-12-21" - noarchivescan = 1 - id = "31a8d00e-ebfc-5001-9c58-d3a2580f16b3" - condition: - uint16(0) == 0x5a4d - and filename == "svchost.exe" - and ( filesize < 14KB or filesize > 100KB ) -} - -rule Suspicious_Size_winlogon_exe { - meta: - description = "Detects uncommon file size of winlogon.exe" - license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" - author = "Florian Roth (Nextron Systems)" - score = 60 - date = "2015-12-21" - noarchivescan = 1 - id = "8665e8d0-3b5f-5227-8879-cdd614123439" - condition: - uint16(0) == 0x5a4d - and filename == "winlogon.exe" - and ( filesize < 279KB or filesize > 970KB ) -} - -rule Suspicious_Size_igfxhk_exe { - meta: - description = "Detects uncommon file size of igfxhk.exe" - license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" - author = "Florian Roth (Nextron Systems)" - score = 60 - date = "2015-12-21" - modified = "2022-03-08" - noarchivescan = 1 - id = "18cc167a-3e65-567f-adcf-d2d311520c1d" - condition: - uint16(0) == 0x5a4d - and filename == "igfxhk.exe" - and ( filesize < 200KB or filesize > 300KB ) -} - -rule Suspicious_Size_servicehost_dll { - meta: - description = "Detects uncommon file size of servicehost.dll" - license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" - author = "Florian 
Roth (Nextron Systems)" - score = 60 - date = "2015-12-23" - noarchivescan = 1 - id = "ac71393c-a475-59e0-b22a-d5ee3d25084b" - condition: - uint16(0) == 0x5a4d - and filename == "servicehost.dll" - and filesize > 150KB -} - -rule Suspicious_Size_rundll32_exe { - meta: - description = "Detects uncommon file size of rundll32.exe" - license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" - author = "Florian Roth (Nextron Systems)" - score = 60 - date = "2015-12-23" - noarchivescan = 1 - id = "5b9feae7-17d8-56e4-870a-ef865f2d09bf" - condition: - uint16(0) == 0x5a4d - and filename == "rundll32.exe" - and ( filesize < 30KB or filesize > 120KB ) -} - -rule Suspicious_Size_taskhost_exe { - meta: - description = "Detects uncommon file size of taskhost.exe" - license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" - author = "Florian Roth (Nextron Systems)" - score = 60 - date = "2015-12-23" - noarchivescan = 1 - id = "71b6c853-f490-5d5a-b481-909f6f3a8798" - condition: - uint16(0) == 0x5a4d - and filename == "taskhost.exe" - and ( filesize < 45KB or filesize > 120KB ) -} - -rule Suspicious_Size_spoolsv_exe { - meta: - description = "Detects uncommon file size of spoolsv.exe" - license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" - author = "Florian Roth (Nextron Systems)" - score = 60 - date = "2015-12-23" - noarchivescan = 1 - id = "14bb3463-b99f-57e1-8cff-fe9a34771093" - condition: - uint16(0) == 0x5a4d - and filename == "spoolsv.exe" - and ( filesize < 50KB or filesize > 1000KB ) -} - -rule Suspicious_Size_smss_exe { - meta: - description = "Detects uncommon file size of smss.exe" - license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" - author = "Florian Roth (Nextron Systems)" - score = 60 - date = "2015-12-23" - noarchivescan = 1 - id = "7bdc8953-9240-5d22-b2a6-fe95fbc101c2" - condition: 
- uint16(0) == 0x5a4d - and filename == "smss.exe" - and ( filesize < 40KB or filesize > 5000KB ) -} - -rule Suspicious_Size_wininit_exe { - meta: - description = "Detects uncommon file size of wininit.exe" - license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" - author = "Florian Roth (Nextron Systems)" - score = 60 - date = "2015-12-23" - noarchivescan = 1 - id = "7b58f497-f214-5bf3-8a5c-8edb52749d09" - condition: - uint16(0) == 0x5a4d - and filename == "wininit.exe" - and ( filesize < 90KB or filesize > 800KB ) -} - -rule Suspicious_AutoIt_by_Microsoft { - meta: - description = "Detects a AutoIt script with Microsoft identification" - license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" - author = "Florian Roth (Nextron Systems)" - reference = "Internal Research - VT" - date = "2017-12-14" - score = 60 - hash1 = "c0cbcc598d4e8b501aa0bd92115b4c68ccda0993ca0c6ce19edd2e04416b6213" - id = "69b1c93d-ab12-5fdc-b6eb-fb135796d3a9" - strings: - $s1 = "Microsoft Corporation. 
All rights reserved" fullword wide - $s2 = "AutoIt" fullword ascii - condition: - uint16(0) == 0x5a4d and filesize < 2000KB and all of them -} - -rule SUSP_Size_of_ASUS_TuningTool { - meta: - description = "Detects an ASUS tuning tool with a suspicious size" - author = "Florian Roth (Nextron Systems)" - reference = "https://www.welivesecurity.com/2018/10/17/greyenergy-updated-arsenal-dangerous-threat-actors/" - date = "2018-10-17" - modified = "2022-12-21" - score = 60 - noarchivescan = 1 - hash1 = "d4e97a18be820a1a3af639c9bca21c5f85a3f49a37275b37fd012faeffcb7c4a" - id = "d22a1bf9-55d6-5cb4-9537-ad13b23af4d1" - strings: - $s1 = "\\Release\\ASGT.pdb" ascii - condition: - uint16(0) == 0x5a4d and filesize < 300KB and filesize > 70KB and all of them -} - -rule SUSP_PiratedOffice_2007 { - meta: - description = "Detects an Office document that was created with a pirated version of MS Office 2007" - author = "Florian Roth (Nextron Systems)" - reference = "https://twitter.com/pwnallthethings/status/743230570440826886?lang=en" - date = "2018-12-04" - score = 40 - hash1 = "210448e58a50da22c0031f016ed1554856ed8abe79ea07193dc8f5599343f633" - id = "b36e9a59-7617-503b-968d-5b6b72b227ea" - strings: - $s7 = "Grizli777" ascii - condition: - uint16(0) == 0xcfd0 and filesize < 300KB and all of them -} - -rule SUSP_Scheduled_Task_BigSize { - meta: - description = "Detects suspiciously big scheduled task XML file as seen in combination with embedded base64 encoded PowerShell code" - author = "Florian Roth (Nextron Systems)" - reference = "Internal Research" - date = "2018-12-06" - id = "61b07b30-1058-5a53-99e7-2c48ec9d23b5" - strings: - $a0 = " 20KB and all of ($a*) and not 1 of ($fp*) -} - -rule SUSP_Putty_Unnormal_Size { - meta: - description = "Detects a putty version with a size different than the one provided by Simon Tatham (could be caused by an additional signature or malware)" - author = "Florian Roth (Nextron Systems)" - reference = "Internal Research" - date = "2019-01-07" - 
modified = "2022-06-30" - score = 50 - hash1 = "e5e89bdff733d6db1cffe8b3527e823c32a78076f8eadc2f9fd486b74a0e9d88" - hash2 = "ce4c1b718b54973291aefdd63d1cca4e4d8d4f5353a2be7f139a290206d0c170" - hash3 = "adb72ea4eab7b2efc2da6e72256b5a3bb388e9cdd4da4d3ff42a9fec080aa96f" - hash4 = "1c0bd6660fa43fa90bd88b56cdd4a4c2ffb4ef9d04e8893109407aa7039277db" - id = "576b118c-d4be-5ce2-994a-ce3f943dda88" - strings: - $s1 = "SSH, Telnet and Rlogin client" fullword wide - - $v1 = "Release 0.6" wide - $v2 = "Release 0.70" wide - - $fp1 = "KiTTY fork" fullword wide - condition: - uint16(0) == 0x5a4d - and $s1 and 1 of ($v*) - and not 1 of ($fp*) - // has offset - and filesize != 524288 - and filesize != 495616 - and filesize != 483328 - and filesize != 524288 - and filesize != 712176 - and filesize != 828400 - and filesize != 569328 - and filesize != 454656 - and filesize != 531368 - and filesize != 524288 - and filesize != 483328 - and filesize != 713592 - and filesize != 829304 - and filesize != 571256 - and filesize != 774200 - and filesize != 854072 - and filesize != 665144 - and filesize != 774200 - and filesize != 854072 - and filesize != 665144 - and filesize != 640000 /* putty provided by Safenet https://thalesdocs.com/gphsm/luna/7.1/docs/network/Content/install/sa_hw_install/hardware_installation_lunasa.htm */ - and filesize != 650720 /* Citrix XenCenter */ - and filesize != 662808 /* Citrix XenCenter */ - and filesize != 651256 /* Citrix XenCenter */ - and filesize != 664432 /* Citrix XenCenter */ -} - -rule SUSP_RTF_Header_Anomaly { - meta: - description = "Detects malformed RTF header often used to trick mechanisms that check for a full RTF header" - author = "Florian Roth (Nextron Systems)" - reference = "https://twitter.com/ItsReallyNick/status/975705759618158593" - date = "2019-01-20" - modified = "2022-09-15" - score = 50 - id = "fb362640-9a45-5ee5-8749-3980e0549932" - condition: - uint32(0) == 0x74725c7b and /* {\rt */ - not uint8(4) == 0x66 /* not f */ -} - -rule 
WEBSHELL_ASPX_ProxyShell_Aug21_1 {
- meta:
- description = "Detects webshells dropped by ProxyShell exploitation based on their file header (must be PST) and extension"
- author = "Florian Roth (Nextron Systems)"
- reference = "https://www.bleepingcomputer.com/news/microsoft/microsoft-exchange-servers-are-getting-hacked-via-proxyshell-exploits/"
- date = "2021-08-13"
- id = "8f01cbda-b1cf-5556-9f6a-e709df6dadb2"
- condition:
- uint32(0) == 0x4e444221 /* PST header: !BDN */
- and extension == ".aspx"
-}
diff --git a/yara-Neo23x0/thor_inverse_matches.yar b/yara-Neo23x0/thor_inverse_matches.yar
deleted file mode 100644
index 014c43f..0000000
--- a/yara-Neo23x0/thor_inverse_matches.yar
+++ /dev/null
@@ -1,581 +0,0 @@ -/* - THOR Yara Inverse Matches - > Detect system file manipulations and common APT anomalies - - This is an extract from the THOR signature database - - Reference: - http://www.bsk-consulting.de/2014/05/27/inverse-yara-signature-matching/ - https://www.bsk-consulting.de/2014/08/28/scan-system-files-manipulations-yara-inverse-matching-22/ - - Notice: These rules require an external variable called "filename" - - License: Detetction Rule License 1.1 (https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md) - -*/ - -import "pe" - -private rule WINDOWS_UPDATE_BDC -{ -meta: - score = 0 -condition: - (uint32be(0) == 0x44434d01 and // magic: DCM PA30 - uint32be(4) == 0x50413330) - or - (uint32be(0) == 0x44434401 and - uint32be(12)== 0x50413330) // magic: DCD PA30 -} - -/* Rules -------------------------------------------------------------------- */ - -rule iexplore_ANOMALY { - meta: - author = "Florian Roth (Nextron Systems)" - description = "Abnormal iexplore.exe - typical strings not found in file" - date = "23/04/2014" - score = 55 - nodeepdive = 1 - id = "ea436608-d191-5058-b844-025e48082edc" - strings: - $win2003_win7_u1 = "IEXPLORE.EXE" wide nocase - $win2003_win7_u2 = "Internet Explorer" wide fullword - $win2003_win7_u3 = "translation" wide fullword nocase - $win2003_win7_u4 = "varfileinfo" wide fullword nocase - condition: - filename == "iexplore.exe" - and uint16(0) == 0x5a4d - and not filepath contains "teamviewer" - and not 1 of ($win*) and not WINDOWS_UPDATE_BDC - and filepath contains "C:\\" - and not filepath contains "Package_for_RollupFix" -} - -rule svchost_ANOMALY { - meta: - license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" - author = "Florian Roth (Nextron Systems)" - description = "Abnormal svchost.exe - typical strings not found in file" - date = "23/04/2014" - score = 55 - id = "5630054d-9fa4-587f-ba78-cda4478f9cc1" - strings: - $win2003_win7_u1 = "svchost.exe" 
wide nocase - $win2003_win7_u3 = "coinitializesecurityparam" wide fullword nocase - $win2003_win7_u4 = "servicedllunloadonstop" wide fullword nocase - $win2000 = "Generic Host Process for Win32 Services" wide fullword - $win2012 = "Host Process for Windows Services" wide fullword - condition: - filename == "svchost.exe" - and uint16(0) == 0x5a4d - and not 1 of ($win*) and not WINDOWS_UPDATE_BDC -} - -/* removed 1 rule here */ - -rule explorer_ANOMALY { - meta: - license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" - author = "Florian Roth (Nextron Systems)" - description = "Abnormal explorer.exe - typical strings not found in file" - date = "27/05/2014" - score = 55 - id = "ecadd78f-21a1-5a9f-8f3f-cb51e872805b" - strings: - $s1 = "EXPLORER.EXE" wide fullword - $s2 = "Windows Explorer" wide fullword - condition: - filename == "explorer.exe" - and uint16(0) == 0x5a4d - and not filepath contains "teamviewer" - and not 1 of ($s*) and not WINDOWS_UPDATE_BDC -} - -rule sethc_ANOMALY { - meta: - description = "Sethc.exe has been replaced - Indicates Remote Access Hack RDP" - author = "F. 
Roth" - reference = "http://www.emc.com/collateral/white-papers/h12756-wp-shell-crew.pdf" - date = "2014/01/23" - score = 70 - id = "9dfbab4e-3dc8-5246-a051-1618f2ca5f39" - strings: - $s1 = "stickykeys" fullword nocase - $s2 = "stickykeys" wide nocase - $s3 = "Control_RunDLL access.cpl" wide fullword - $s4 = "SETHC.EXE" wide fullword - condition: - filename == "sethc.exe" - and uint16(0) == 0x5a4d - and not 1 of ($s*) and not WINDOWS_UPDATE_BDC -} - -rule Utilman_ANOMALY { - meta: - license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" - author = "Florian Roth (Nextron Systems)" - description = "Abnormal utilman.exe - typical strings not found in file" - date = "01/06/2014" - score = 70 - id = "98daff9b-1600-56b3-87ff-637deaa6808c" - strings: - $win7 = "utilman.exe" wide fullword - $win2000 = "Start with Utility Manager" fullword wide - $win2012 = "utilman2.exe" fullword wide - condition: - ( filename == "utilman.exe" or filename == "Utilman.exe" ) - and uint16(0) == 0x5a4d - and not 1 of ($win*) and not WINDOWS_UPDATE_BDC -} - -rule osk_ANOMALY { - meta: - license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" - author = "Florian Roth (Nextron Systems)" - description = "Abnormal osk.exe (On Screen Keyboard) - typical strings not found in file" - date = "01/06/2014" - score = 55 - id = "6b78b001-f863-5a24-a9d1-ee5e8305766b" - strings: - $s1 = "Accessibility On-Screen Keyboard" wide fullword - $s2 = "\\oskmenu" wide fullword - $s3 = "&About On-Screen Keyboard..." 
wide fullword - $s4 = "Software\\Microsoft\\Osk" wide - condition: - filename == "osk.exe" - and uint16(0) == 0x5a4d - and not 1 of ($s*) and not WINDOWS_UPDATE_BDC -} - -rule magnify_ANOMALY { - meta: - license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" - author = "Florian Roth (Nextron Systems)" - description = "Abnormal magnify.exe (Magnifier) - typical strings not found in file" - date = "01/06/2014" - score = 55 - id = "db75201e-81a3-5f82-bf6f-ba155bfbcf81" - strings: - $win7 = "Microsoft Screen Magnifier" wide fullword - $win2000 = "Microsoft Magnifier" wide fullword - $winxp = "Software\\Microsoft\\Magnify" wide - condition: - filename =="magnify.exe" - and uint16(0) == 0x5a4d - and not 1 of ($win*) and not WINDOWS_UPDATE_BDC -} - -rule narrator_ANOMALY { - meta: - license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" - author = "Florian Roth (Nextron Systems)" - description = "Abnormal narrator.exe - typical strings not found in file" - date = "01/06/2014" - score = 55 - id = "a51f1916-f89a-58a9-b65c-91bf99575b80" - strings: - $win7 = "Microsoft-Windows-Narrator" wide fullword - $win2000 = "&About Narrator..." wide fullword - $win2012 = "Screen Reader" wide fullword - $winxp = "Software\\Microsoft\\Narrator" - $winxp_en = "SOFTWARE\\Microsoft\\Speech\\Voices" wide - condition: - filename == "narrator.exe" - and uint16(0) == 0x5a4d - and not 1 of ($win*) and not WINDOWS_UPDATE_BDC -} - -rule notepad_ANOMALY { - meta: - license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" - author = "Florian Roth (Nextron Systems)" - description = "Abnormal notepad.exe - typical strings not found in file" - date = "01/06/2014" - score = 55 - id = "16ddcd9e-ab6f-593e-80e0-a90399cbc3df" - strings: - $win7 = "HELP_ENTRY_ID_NOTEPAD_HELP" wide fullword - $win2000 = "Do you want to create a new file?" 
wide fullword
- $win2003 = "Do you want to save the changes?" wide
- $winxp = "Software\\Microsoft\\Notepad" wide
- $winxp_de = "Software\\Microsoft\\Notepad" wide
- condition:
- filename == "notepad.exe"
- and uint16(0) == 0x5a4d
- and not 1 of ($win*) and not WINDOWS_UPDATE_BDC
-}
-
-/* NEW ---------------------------------------------------------------------- */
-
-rule csrss_ANOMALY {
- meta:
- description = "Anomaly rule looking for certain strings in a system file (maybe false positive on certain systems) - file csrss.exe"
- license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
- author = "Florian Roth (Nextron Systems)"
- reference = "not set"
- date = "2015/03/16"
- hash = "17542707a3d9fa13c569450fd978272ef7070a77"
- id = "bbd2841a-ec72-5eb4-b34a-5ecbf9c5b517"
- strings:
- $s1 = "Client Server Runtime Process" fullword wide
- $s4 = "name=\"Microsoft.Windows.CSRSS\"" fullword ascii
- $s5 = "CSRSRV.dll" fullword ascii
- $s6 = "CsrServerInitialization" fullword ascii
- condition:
- filename == "csrss.exe"
- and uint16(0) == 0x5a4d
- and not 1 of ($s*) and not WINDOWS_UPDATE_BDC
-}
-
-rule conhost_ANOMALY {
- meta:
- description = "Anomaly rule looking for certain strings in a system file (maybe false positive on certain systems) - file conhost.exe"
- license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
- author = "Florian Roth (Nextron Systems)"
- reference = "not set"
- date = "2015/03/16"
- hash = "1bd846aa22b1d63a1f900f6d08d8bfa8082ae4db"
- id = "9803fa1b-bcaf-5451-831b-fc0dc9d711f2"
- strings:
- $s2 = "Console Window Host" fullword wide
- condition:
- filename == "conhost.exe"
- and uint16(0) == 0x5a4d
- and not 1 of ($s*) and not WINDOWS_UPDATE_BDC
-}
-
-rule wininit_ANOMALY {
- meta:
- description = "Anomaly rule looking for certain strings in a system file (maybe false positive on certain systems) - file wininit.exe"
- license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
- author = "Florian Roth (Nextron Systems)"
- reference = "not set"
- date = "2015/03/16"
- hash = "2de5c051c0d7d8bcc14b1ca46be8ab9756f29320"
- id = "a251984f-c667-55ec-8cc3-3888e80ddf1e"
- strings:
- $s1 = "Windows Start-Up Application" fullword wide
- condition:
- filename == "wininit.exe"
- and uint16(0) == 0x5a4d
- and not 1 of ($s*) and not WINDOWS_UPDATE_BDC
-}
-
-rule winlogon_ANOMALY {
- meta:
- description = "Anomaly rule looking for certain strings in a system file (maybe false positive on certain systems) - file winlogon.exe"
- license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
- author = "Florian Roth (Nextron Systems)"
- reference = "not set"
- date = "2015/03/16"
- hash = "af210c8748d77c2ff93966299d4cd49a8c722ef6"
- id = "ee424459-8048-52b8-ba97-4d09265a881f"
- strings:
- $s1 = "AuthzAccessCheck failed" fullword
- $s2 = "Windows Logon Application" fullword wide
- condition:
- filename == "winlogon.exe"
- and not 1 of ($s*)
- and uint16(0) == 0x5a4d
- and not WINDOWS_UPDATE_BDC
- and not filepath contains "Malwarebytes"
-}
-
-rule SndVol_ANOMALY {
- meta:
- description = "Anomaly rule looking for certain strings in a system file (maybe false positive on certain systems) - file SndVol.exe"
- license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
- author = "Florian Roth (Nextron Systems)"
- reference = "not set"
- date = "2015/03/16"
- hash = "e057c90b675a6da19596b0ac458c25d7440b7869"
- id = "0c4d705f-4b24-55f9-bcf4-3f65eea0b7af"
- strings:
- $s1 = "Volume Control Applet" fullword wide
- condition:
- filename == "sndvol.exe"
- and uint16(0) == 0x5a4d
- and not 1 of ($s*) and not WINDOWS_UPDATE_BDC
-}
-
-rule doskey_ANOMALY {
- meta:
- description = "Anomaly rule looking for certain strings in a system file (maybe false positive on certain systems) - file doskey.exe"
- license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
- author = "Florian Roth (Nextron Systems)"
- reference = "not set"
- date = "2015/03/16"
- hash = "f2d1995325df0f3ca6e7b11648aa368b7e8f1c7f"
- id = "be9c239a-2918-5330-bbd0-33cc17067f70"
- strings:
- $s3 = "Keyboard History Utility" fullword wide
- condition:
- filename == "doskey.exe"
- and uint16(0) == 0x5a4d
- and not 1 of ($s*) and not WINDOWS_UPDATE_BDC
-}
-
-rule lsass_ANOMALY {
- meta:
- description = "Anomaly rule looking for certain strings in a system file (maybe false positive on certain systems) - file lsass.exe"
- license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
- author = "Florian Roth (Nextron Systems)"
- reference = "not set"
- date = "2015/03/16"
- hash = "04abf92ac7571a25606edfd49dca1041c41bef21"
- id = "0c0f6129-3e01-56d3-b297-cee231567759"
- strings:
- $s1 = "LSA Shell" fullword wide
- $s2 = "Local Security Authority Process" fullword ascii
- $s3 = "Local Security Authority Process" fullword wide
- $s4 = "LsapInitLsa" fullword
- condition:
- filename == "lsass.exe"
- and uint16(0) == 0x5a4d
- and not 1 of ($s*) and not WINDOWS_UPDATE_BDC
-}
-
-rule taskmgr_ANOMALY {
- meta:
- description = "Anomaly rule looking for certain strings in a system file (maybe false positive on certain systems) - file taskmgr.exe"
- author = "Florian Roth (Nextron Systems)"
- reference = "not set"
- date = "2015/03/16"
- nodeepdive = 1
- hash = "e8b4d84a28e5ea17272416ec45726964fdf25883"
- id = "e1c3a150-6e7e-5ead-a338-0bac6f43185d"
- strings:
- $s0 = "Windows Task Manager" fullword wide
- $s1 = "taskmgr.chm" fullword
- $s2 = "TmEndTaskHandler::" ascii
- $s3 = "CM_Request_Eject_PC" /* Win XP */
- $s4 = "NTShell Taskman Startup Mutex" fullword wide
- condition:
- ( filename == "taskmgr.exe" or filename == "Taskmgr.exe" ) and not 1 of ($s*) and not WINDOWS_UPDATE_BDC
- and uint16(0) == 0x5a4d
- and filepath contains "C:\\"
- and not filepath contains "Package_for_RollupFix"
-}
-
-/* removed 22 rules here */
-
-/* APT ---------------------------------------------------------------------- */
-
-rule APT_Cloaked_PsExec
- {
- meta:
- description = "Looks like a cloaked PsExec. This may be APT group activity."
- date = "2014-07-18"
- license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
- author = "Florian Roth (Nextron Systems)"
- score = 60
- id = "e389bb76-0d1d-5e0e-9f79-a3117c919da3"
- strings:
- $s0 = "psexesvc.exe" wide fullword
- $s1 = "Sysinternals PsExec" wide fullword
- condition:
- uint16(0) == 0x5a4d and $s0 and $s1
- and not filename matches /(psexec.exe|PSEXESVC.EXE|PsExec64.exe)$/is
- and not filepath matches /RECYCLE.BIN\\S-1/
-}
-
-/* removed 6 rules here */
-
-rule APT_Cloaked_SuperScan
- {
- meta:
- description = "Looks like a cloaked SuperScan Port Scanner. This may be APT group activity."
- date = "2014-07-18"
- license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
- author = "Florian Roth (Nextron Systems)"
- score = 50
- id = "96027f7d-822c-5c5e-acd9-cde8289c6b50"
- strings:
- $s0 = "SuperScan4.exe" wide fullword
- $s1 = "Foundstone Inc." wide fullword
- condition:
- uint16(0) == 0x5a4d and $s0 and $s1 and not filename contains "superscan"
-}
-
-rule APT_Cloaked_ScanLine
- {
- meta:
- description = "Looks like a cloaked ScanLine Port Scanner. This may be APT group activity."
- date = "2014-07-18"
- license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
- author = "Florian Roth (Nextron Systems)"
- score = 50
- id = "78041dc0-491b-5a44-a125-3ad72b266cf8"
- strings:
- $s0 = "ScanLine" wide fullword
- $s1 = "Command line port scanner" wide fullword
- $s2 = "sl.exe" wide fullword
- condition:
- uint16(0) == 0x5a4d and $s0 and $s1 and $s2 and not filename == "sl.exe"
-}
-
-rule SUSP_Renamed_Dot1Xtray {
- meta:
- description = "Detects a legitimate renamed dot1ctray.exe, which is often used by PlugX for DLL side-loading"
- author = "Florian Roth (Nextron Systems)"
- reference = "Internal Research"
- date = "2018-11-15"
- hash1 = "f9ebf6aeb3f0fb0c29bd8f3d652476cd1fe8bd9a0c11cb15c43de33bbce0bf68"
- id = "3685a79e-7dd6-5221-b58a-6ec1c61030cc"
- strings:
- $a1 = "\\Symantec_Network_Access_Control\\" ascii
- $a2 = "\\dot1xtray.pdb" ascii
- $a3 = "DOT1X_NAMED_PIPE_CONNECT" fullword wide /* Goodware String - occured 2 times */
- condition:
- uint16(0) == 0x5a4d and filesize < 300KB and all of them
- and not filename matches /dot1xtray.exe/i
- and not filepath matches /Recycle.Bin/i
-}
-
-rule APT_Cloaked_CERTUTIL {
- meta:
- description = "Detects a renamed certutil.exe utility that is often used to decode encoded payloads"
- author = "Florian Roth (Nextron Systems)"
- reference = "Internal Research"
- date = "2018-09-14"
- modified = "2022-06-27"
- id = "13943cda-6bb1-5c6c-8e55-e8d4bba1ffef"
- strings:
- $s1 = "-------- CERT_CHAIN_CONTEXT --------" fullword ascii
- $s5 = "certutil.pdb" fullword ascii
- $s3 = "Password Token" fullword ascii
- condition:
- uint16(0) == 0x5a4d and all of them
- and not filename contains "certutil"
- and not filename contains "CertUtil"
- and not filename contains "Certutil"
- and not filepath contains "\\Bromium\\"
-}
-
-rule APT_SUSP_Solarwinds_Orion_Config_Anomaly_Dec20 {
- meta:
- description = "Detects a suspicious renamed Afind.exe as used by different attackers"
- author = "Florian Roth (Nextron Systems)"
- reference = "https://twitter.com/iisresetme/status/1339546337390587905?s=12"
- date = "2020-12-15"
- score = 70
- nodeepdive = 1
- id = "440a3eb9-b573-53ea-ab26-c44d9cf62401"
- strings:
- $s1 = "ReportWatcher" fullword wide ascii
-
- $fp1 = "ReportStatus" fullword wide ascii
- condition:
- filename == "SolarWindows.Orion.Core.BusinessLayer.dll.config"
- and $s1
- and not $fp1
-}
-
-rule PAExec_Cloaked {
- meta:
- description = "Detects a renamed remote access tool PAEXec (like PsExec)"
- author = "Florian Roth (Nextron Systems)"
- reference = "http://researchcenter.paloaltonetworks.com/2017/03/unit42-shamoon-2-delivering-disttrack/"
- date = "2017-03-27"
- score = 70
- hash1 = "01a461ad68d11b5b5096f45eb54df9ba62c5af413fa9eb544eacb598373a26bc"
- id = "fad8417b-bbdb-5a4e-8324-660e27cb39f8"
- strings:
- $x1 = "Ex: -rlo C:\\Temp\\PAExec.log" fullword ascii
- $x2 = "Can't enumProcesses - Failed to get token for Local System." fullword wide
- $x3 = "PAExec %s - Execute Programs Remotely" fullword wide
- $x4 = "\\\\%s\\pipe\\PAExecIn%s%u" fullword wide
- $x5 = "\\\\.\\pipe\\PAExecIn%s%u" fullword wide
- $x6 = "%%SystemRoot%%\\%s.exe" fullword wide
- $x7 = "in replacement for PsExec, so the command-line usage is identical, with " fullword ascii
- $x8 = "\\\\%s\\ADMIN$\\PAExec_Move%u.dat" fullword wide
- condition:
- ( uint16(0) == 0x5a4d and filesize < 600KB and 1 of ($x*) )
- and not filename == "paexec.exe"
- and not filename == "PAExec.exe"
- and not filename == "PAEXEC.EXE"
- and not filename matches /Install/
- and not filename matches /uninstall/
-}
-
-rule SUSP_VULN_DRV_PROCEXP152_May23 {
- meta:
- description = "Detects vulnerable process explorer driver (original file name: PROCEXP152.SYS), often used by attackers to elevate privileges (false positives are possible in cases in which old versions of process explorer are still present on the system)"
- author = "Florian Roth"
- reference = "https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/"
- date = "2023-05-05"
- modified = "2023-07-28"
- score = 50
- hash1 = "cdfbe62ef515546f1728189260d0bdf77167063b6dbb77f1db6ed8b61145a2bc"
- id = "748eb390-f320-5045-bed2-24ae70471f43"
- strings:
- $a1 = "\\ProcExpDriver.pdb" ascii
- $a2 = "\\Device\\PROCEXP152" wide fullword
- $a3 = "procexp.Sys" wide fullword
- condition:
- uint16(0) == 0x5a4d
- and filesize < 200KB
- and all of them
-}
-
-rule SUSP_VULN_DRV_PROCEXP152_Renamed_May23 {
- meta:
- description = "Detects vulnerable process explorer driver (original file name: PROCEXP152.SYS) that has been renamed (often used by attackers to elevate privileges)"
- author = "Florian Roth"
- reference = "https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/"
- date = "2023-05-05"
- score = 70
- hash1 = "cdfbe62ef515546f1728189260d0bdf77167063b6dbb77f1db6ed8b61145a2bc"
- id = "af2ec5d5-3453-5d35-8d19-4f37c61fabce"
- strings:
- $a1 = "\\ProcExpDriver.pdb" ascii
- $a2 = "\\Device\\PROCEXP152" wide fullword
- $a3 = "procexp.Sys" wide fullword
- condition:
- uint16(0) == 0x5a4d
- and filesize < 200KB
- and all of them
- and not filename matches /PROCEXP152\.SYS/i
-}
-
-rule SUSP_ANOMALY_Teams_Binary_Nov23 : SCRIPT {
- meta:
- description = "Detects a suspicious binary with the name teams.exe, update.exe or squirrel.exe in the AppData folder of Microsoft Teams that is unsigned or signed by a different CA"
- author = "Florian Roth"
- score = 60
- reference = "https://twitter.com/steve_noel/status/1722698479636476325/photo/1"
- date = "2023-11-11"
- id = "60557ed1-ac16-5e3b-b105-157dc34f6ad7"
- strings:
- $a1 = "Microsoft Code Signing PCA" ascii
- condition:
- (
- filename iequals "teams.exe" or
- filename iequals "update.exe" or
- filename iequals "squirrel.exe"
- )
- and filepath icontains "\\AppData\\Local\\Microsoft\\Teams"
- and pe.number_of_signatures == 0
- and not $a1
-}
-
-rule SAM_Hive_Backup {
- meta:
- description = "Detects a SAM hive backup file - SAM is the Security Account Manager - contains password hashes"
- author = "Florian Roth"
- reference = "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dumping-hashes-from-sam-registry"
- score = 60
- nodeepdive = 1
- date = "2015-03-31"
- modified = "2023-12-12"
- id = "31fb6c0c-966d-5002-bf8c-4129964c81ff"
- strings:
- $s1 = "\\SystemRoot\\System32\\Config\\SAM" wide
- condition:
- uint32(0) == 0x66676572 and $s1 in (0..200)
- and not filepath contains "\\System32\\Config"
- and not filepath contains "\\System32\\config"
- and not filepath contains "System Volume Information"
- and not filepath contains "\\config\\RegBack"
-}
diff --git a/yara-Neo23x0/yara-rules_vuln_drivers_strict_renamed.yar b/yara-Neo23x0/yara-rules_vuln_drivers_strict_renamed.yar
deleted file mode 100644
index 5b11630..0000000
--- a/yara-Neo23x0/yara-rules_vuln_drivers_strict_renamed.yar
+++ /dev/null
@@ -1,6831 +0,0 @@ - -rule PUA_VULN_Renamed_Driver_Cpuid_Cpuzsys_Cpuidservice_34BE { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "34bee22c18ddbddbe115cf1ab55cabf0e482aba1eb2c343153577fb24b7226d3" - hash = "5177a3b7393fb5855b2ec0a45d4c91660b958ee077e76e5a7d0669f2e04bcf02" - hash = "ee45fd2d7315fd039f3585a66e7855ba4af9d4721e1448e602623de14e932bbe" - hash = "bac709c49ddee363c8e59e515f2f632324a0359e932b7d8cb1ce2d52a95981aa" - date = "2023-06-14" - score = 70 - id = "1dadf1a5-6eea-5d47-be5e-9c93bf23f49a" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310037002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */ - condition: - uint16(0) == 0x5a4d and filesize 
< 100KB and all of them and not filename matches /cpuz/i -} - - -rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_D7E0 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "d7e091e0d478c34232e8479b950c5513077b3a69309885cee4c61063e5f74ac0" - date = "2023-06-14" - score = 70 - id = "c9596048-1bc9-5d4f-8c34-97494f2d4e9e" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } /* CompanyName ZemanaLtd */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e00310031002e0031002e003500310030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00310031002e0031002e003500310030 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /zam64/i -} - - -rule PUA_VULN_Renamed_Driver_Eldoscorporation_Elrawdsksys_Rawdisk_4744 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elrawdsk.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "4744df6ac02ff0a3f9ad0bf47b15854bbebb73c936dd02f7c79293a2828406f6" - hash = "5a826b4fa10891cf63aae832fc645ce680a483b915c608ca26cedbb173b1b80a" - date = "2023-06-14" - score = 70 - id = 
"299e1312-e4ff-5152-a046-b020c825df5a" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200610077004400690073006b0020004400720069007600650072002e00200041006c006c006f00770073002000770072006900740065002000610063006300650073007300200074006f002000660069006c0065007300200061006e006400200072006100770020006400690073006b00200073006500630074006f0072007300200066006f0072002000750073006500720020006d006f006400650020006100700070006c00690063006100740069006f006e007300200069006e002000570069006e0064006f007700730020003200300030003000200061006e00640020006c0061007400650072002e } /* FileDescription RawDiskDriverAllowswriteaccesstofilesandrawdisksectorsforusermodeapplicationsinWindowsandlater */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c0064006f005300200043006f00720070006f0072006100740069006f006e } /* CompanyName EldoSCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002c00200031002c002000320037002c0020003100300036 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002c00200031002c002000320037002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0065006c00720061007700640073006b002e007300790073 } /* InternalName elrawdsksys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200610077004400690073006b } /* ProductName RawDisk */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0065006c00720061007700640073006b002e007300790073 } /* OriginalFilename elrawdsksys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300037002d0032003000310031002c00200045006c0064006f005300200043006f00720070006f0072006100740069006f006e0020 } /* LegalCopyright CopyrightCEldoSCorporation */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elrawdsk/i -} - - -rule 
PUA_VULN_Renamed_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_81AA { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "81aafae4c4158d0b9a6431aff0410745a0f6a43fb20a9ab316ffeb8c2e2ccac0" - date = "2023-06-14" - score = 70 - id = "0854ee57-7214-5959-86be-afd26950432c" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050006e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPnPDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0047004900470041002d004200590054004500200054004500430048004e004f004c004f0047005900200043004f002e002c0020004c00540044002e } /* CompanyName GIGABYTETECHNOLOGYCOLTD */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0031002e0030002e0031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0067006400720076002e007300790073 } /* InternalName gdrvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0047004900470041002d004200590054004500200053006f0066007400770061007200650020006400720069007600650072 } /* ProductName GIGABYTESoftwaredriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0067006400720076002e007300790073 } /* OriginalFilename gdrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310037 } /* LegalCopyright CopyrightC */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /gdrv/i -} - - -rule 
PUA_VULN_Renamed_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmasterservicedriver_F6CD { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDRyzenMasterDriver.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "f6cd7353cb6e86e98d387473ed6340f9b44241867508e209e944f548b9db1d5f" - date = "2023-06-14" - score = 70 - id = "e14e96ea-42e6-5946-9237-a16f9c072d2c" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073 } /* CompanyName AdvancedMicroDevices */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* InternalName AMDRyzenMasterDriversys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* ProductName AMDRyzenMasterServiceDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* OriginalFilename AMDRyzenMasterDriversys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020003200300031003700200041004d0044002c00200049006e0063002e } /* LegalCopyright CopyrightAMDInc */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /AMDRyzenMasterDriver/i -} - - -rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_2594 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "2594b3ef3675ca3a7b465b8ed4962e3251364bab13b12af00ebba7fa2211abb2" - date = "2023-06-14" - score = 70 - id = "1af90e2a-a7b8-5ae0-98a4-ffe0543cda9c" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0033002e0033003800360030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0033002e0033003800360030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* 
OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310038002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ - condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i -} - - -rule PUA_VULN_Renamed_Driver_Cpuid_Cpuzsys_Cpuidservice_6BEF { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "6befa481e8cca8084d9ec3a1925782cd3c28ef7a3e4384e034d48deaabb96b63" - hash = "8cf0cbbdc43f9b977f0fb79e0a0dd0e1adabe08a67d0f40d727c717c747de775" - hash = "2101d5e80e92c55ecfd8c24fcf2202a206a4fd70195a1378f88c4cc04d336f22" - hash = "45c3d607cb57a1714c1c604a25cbadf2779f4734855d0e43aa394073b6966b26" - hash = "600a2119657973112025db3c0eeab2e69d528bccfeed75f40c6ef50b059ec8a0" - hash = "deecbcd260849178de421d8e2f177dce5c63cf67a48abb23a0e3cf3aa3e00578" - hash = "955dac77a0148e9f9ed744f5d341cb9c9118261e52fe622ac6213965f2bc4cad" - date = "2023-06-14" - score = 70 - id = "9a0e6700-1e63-5d7d-b255-d8492162395c" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310034002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /cpuz/i -} - - -rule PUA_VULN_Renamed_Driver_Rweverything_Rwdrvsys_Rwdrvdriver_45BA { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - RwDrv.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "45ba688a4bded8a7e78a4f5b0dc21004e951ddceb014bb92f51a3301d2fbc56a" - hash = "3279593db91bb7ad5b489a01808c645eafafda6cc9c39f50d10ccc30203f2ddf" - hash = "d969845ef6acc8e5d3421a7ce7e244f419989710871313b04148f9b322751e5d" - hash = "1e0eb0811a7cf1bdaf29d3d2cab373ca51eb8d8b58889ab7728e2d3aed244abe" - hash = "ea0b9eecf4ad5ec8c14aec13de7d661e7615018b1a3c65464bf5eca9bbf6ded3" - date = "2023-06-14" - score = 70 - id = "8790783a-921d-513e-9df5-6565e6f6709f" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200770044007200760020004400720069007600650072 } /* FileDescription RwDrvDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520057002d00450076006500720079007400680069006e0067 } /* CompanyName RWEverything */ - $ = { 
00460069006c006500560065007200730069006f006e[1-8]0031002e00300030002e00300030002e00300030003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030002e00300030002e0030003000300030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00520077004400720076002e007300790073 } /* InternalName RwDrvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200770044007200760020004400720069007600650072 } /* ProductName RwDrvDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00520077004400720076002e007300790073 } /* OriginalFilename RwDrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310031002000520057002d00450076006500720079007400680069006e0067 } /* LegalCopyright CopyrightCRWEverything */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /RwDrv/i -} - - -rule PUA_VULN_Renamed_Driver_Windowsrwinddkprovider_Vmdrvsys_Windowsrwinddkdriver_5C0B { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - vmdrv.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "5c0b429e5935814457934fa9c10ac7a88e19068fa1bd152879e4e9b89c103921" - hash = "32cccc4f249499061c0afa18f534c825d01034a1f6815f5506bf4c4ff55d1351" - hash = "d884ca8cc4ef1826ca3ab03eb3c2d8f356ba25f2d20db0a7d9fc251c565be7f3" - date = "2023-06-14" - score = 70 - id = "0d3a77dc-c2c8-5741-b574-e3a1afe4e43d" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0056006f006900630065006d006f00640020005600690072007400750061006c00200041007500640069006f00200044006500760069006300650020002800570044004d0029 } /* FileDescription 
VoicemodVirtualAudioDeviceWDM */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0030002e00310030003000310031002e00310036003300380034 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0030002e00310030003000310031002e00310036003300380034 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0076006d006400720076002e007300790073 } /* InternalName vmdrvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b0020006400720069007600650072 } /* ProductName WindowsRWinDDKdriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0076006d006400720076002e007300790073 } /* OriginalFilename vmdrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200056006f006900630065006d006f006400200053002e004c002e0032003000310030002d0032003000320030 } /* LegalCopyright CopyrightCVoicemodSL */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /vmdrv/i -} - - -rule PUA_VULN_Renamed_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmasterservicedriver_A130 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDRyzenMasterDriver.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "a13054f349b7baa8c8a3fcbd31789807a493cc52224bbff5e412eb2bd52a6433" - hash = "7e81beae78e1ddbf6c150e15667e1f18783f9b0ab7fbe52c7ab63e754135948d" - date = "2023-06-14" - score = 70 - id = 
"ed7c99d8-ba92-53fa-b633-e64e5d7fe5a3" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073 } /* CompanyName AdvancedMicroDevices */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0033002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0033002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* InternalName AMDRyzenMasterDriversys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* ProductName AMDRyzenMasterServiceDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* OriginalFilename AMDRyzenMasterDriversys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020003200300031003800200041004d0044002c00200049006e0063002e } /* LegalCopyright CopyrightAMDInc */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /AMDRyzenMasterDriver/i -} - - -rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_5BD4 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" - author = "Florian Roth" - 
reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "5bd41a29cbba0d24e639f49d1f201b9bd119b11f5e3b8a5fefa3a5c6f1e7692c" - date = "2023-06-14" - score = 70 - id = "353bb544-18f6-5c1b-b100-b2ddb55c3cc2" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0036002e003100300037002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0036002e003100300037002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000320030002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ - condition: - uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i -} - - -rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_88E2 { - meta: - description = "Detects renamed vulnerable driver mentioned in 
LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "88e2e6a705d3fb71b966d9fb46dc5a4b015548daf585fb54dfcd81dc0bd3ebdc" - hash = "f29073dc99cb52fa890aae80037b48a172138f112474a1aecddae21179c93478" - hash = "89b9823ed974a5b71de8468324d45b7e9d6dc914f93615ba86c6209b25b3cbf7" - hash = "3503ea284b6819f9cb43b3e94c0bb1bf5945ccb37be6a898387e215197a4792a" - hash = "d6827cd3a8f273a66ecc33bb915df6c7dea5cc1b8134b0c348303ef50db33476" - hash = "e07211224b02aaf68a5e4b73fc1049376623793509d9581cdaee9e601020af06" - hash = "c089a31ac95d41ed02d1e4574962f53376b36a9e60ff87769d221dc7d1a3ecfa" - hash = "6e944ae1bfe43a8a7cd2ea65e518a30172ce8f31223bdfd39701b2cb41d8a9e7" - hash = "59b09bd69923c0b3de3239e73205b1846a5f69043546d471b259887bb141d879" - hash = "e3f2ee22dec15061919583e4beb8abb3b29b283e2bcb46badf2bfde65f5ea8dd" - hash = "9d5ebd0f4585ec20a5fe3c5276df13ece5a2645d3d6f70cedcda979bd1248fc2" - date = "2023-06-14" - score = 70 - id = "c36713ac-c8f2-5061-8d1e-42a5c33a60e9" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310035002e00300030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310035002e00300030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* 
ProductName ProcessExplorer */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d00610072006b002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000310034 } /* LegalCopyright CopyrightCMarkRussinovich */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /procexp/i -} - - -rule PUA_VULN_Renamed_Driver_Windowsrwinddkprovider_Cpuzsys_Windowsrwinddkdriver_1F4D { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "1f4d4db4abe26e765a33afb2501ac134d14cadeaa74ae8a0fae420e4ecf58e0c" - hash = "c3e150eb7e7292f70299d3054ed429156a4c32b1f7466a706a2b99249022979e" - hash = "2a9d481ffdc5c1e2cb50cf078be32be06b21f6e2b38e90e008edfc8c4f2a9c4e" - hash = "8688e43d94b41eeca2ed458b8fc0d02f74696a918e375ecd3842d8627e7a8f2b" - hash = "592f56b13e7dcaa285da64a0b9a48be7562bd9b0a190208b7c8b7d8de427cf6c" - hash = "4d19ee789e101e5a76834fb411aadf8229f08b3ece671343ad57a6576a525036" - hash = "60b163776e7b95e0c2280d04476304d0c943b484909131f340e3ce6045a49289" - date = "2023-06-14" - score = 70 - id = "4b16ba1a-e7d7-500b-8ebc-aac1561a22f5" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ - $ = { 
00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b0020006400720069007600650072 } /* ProductName WindowsRWinDDKdriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /cpuz/i -} - - -rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_B50F { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "b50ffc60eaa4fb7429fdbb67c0aba0c7085f5129564d0a113fec231c5f8ff62e" - hash = "b37b3c6877b70289c0f43aeb71349f7344b06063996e6347c3c18d8c5de77f3b" - date = "2023-06-14" - score = 70 - id = "5d7314e6-51aa-5220-9aa2-6d6c826550bb" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* 
FileDescription NovellXTCOMServicesDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000300038002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /libnicm/i -} - - -rule PUA_VULN_Renamed_Driver_Openlibsysorg_Winringsys_Winring_11BD { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WinRing0x64.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5" - hash = "a7b000abbcc344444a9b00cfade7aa22ab92ce0cadec196c30eb1851ae4fa062" - date = "2023-06-14" - score = 70 - id = "7f7ebb0c-bb5a-5585-80d9-9638233554a3" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069006e00520069006e00670030 } /* FileDescription WinRing */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004f00700065006e004c00690062005300790073002e006f00720067 } /* CompanyName 
OpenLibSysorg */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e0035 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00570069006e00520069006e00670030002e007300790073 } /* InternalName WinRingsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e00520069006e00670030 } /* ProductName WinRing */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00570069006e00520069006e00670030002e007300790073 } /* OriginalFilename WinRingsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300037002d00320030003000380020004f00700065006e004c00690062005300790073002e006f00720067002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCOpenLibSysorgAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /WinRing0x64/i -} - - -rule PUA_VULN_Renamed_Driver_Windowswinowsdriverkitsprovider_Hwrwdrvsys_Hardwarereadwritedriver_21CC { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HwRwDrv.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "21ccdd306b5183c00ecfd0475b3152e7d94b921e858e59b68a03e925d1715f21" - date = "2023-06-14" - score = 70 - id = "5b426649-d516-5dcd-964d-968ebf0cce24" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0048006100720064007700610072006500200072006500610064002000260020007700720069007400650020006400720069007600650072 } /* FileDescription Hardwarereadwritedriver */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f0077007300ae002000770069006e006f007700730020003700200064007200690076006500720020006b006900740073002000700072006f00760069006400650072 } /* CompanyName Windowswinowsdriverkitsprovider */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0035002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0035002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0048007700520077004400720076002e007300790073 } /* InternalName HwRwDrvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0048006100720064007700610072006500200072006500610064002000260020007700720069007400650020006400720069007600650072 } /* ProductName Hardwarereadwritedriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0048007700520077004400720076002e007300790073 } /* OriginalFilename HwRwDrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightMicrosoftCorporationAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /HwRwDrv/i -} - - -rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpot_Avastantivirus_AD8F { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "ad8ffccfde782bc287241152cf24245a8bf21c2530d81c57e17631b3c4adb833" - date = "2023-06-14" - score = 70 - id = "1b982901-3e6b-5aa6-8720-8d9305350dc7" - strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0036002e003100300037002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0036002e003100300037002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300032003000200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ - condition: - uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i -} - - -rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_3124 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "3124b0411b8077605db2a9b7909d8240e0d554496600e2706e531c93c931e1b5" - date = "2023-06-14" - score = 70 - id = "e3bcd228-a606-585f-a2fc-b4113ee87708" - strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f00720020004d00530049004600720065007100750065006e00630079005f00430043 } /* FileDescription NTIOLibforMSIFrequencyCC */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002d00320030003000390020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /NTIOLib/i -} - - -rule PUA_VULN_Renamed_Driver_Iobit_Monitorsys_Advancedsystemcare_E4A7 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Monitor_win10_x64.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "e4a7da2cf59a4a21fc42b611df1d59cae75051925a7ddf42bf216cc1a026eadb" - date = "2023-06-14" - score = 70 - id = "052f73e5-4140-5d25-85d7-3e69937edb29" - strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049004f006200690074002000540065006d007000650072006100740075007200650020004d006f006e00690074006f0072 } /* FileDescription IObitTemperatureMonitor */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049004f006200690074 } /* CompanyName IObit */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e00310031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310032002e0030002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004d006f006e00690074006f0072002e007300790073 } /* InternalName Monitorsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041006400760061006e006300650064002000530079007300740065006d0043006100720065 } /* ProductName AdvancedSystemCare */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004d006f006e00690074006f0072002e007300790073 } /* OriginalFilename Monitorsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a900200049004f006200690074002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright IObitAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /Monitor_win10_x64/i -} - - -rule PUA_VULN_Renamed_Driver_Phoenixtechnologiesltd_Phlashnt_Winphlash_65DB { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - PhlashNT.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "65db1b259e305a52042e07e111f4fa4af16542c8bacd33655f753ef642228890" - date = "2023-06-14" - score = 70 - id = "d60b5524-2fc9-52d4-8911-57bf41fc47a8" - strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300570069006e0046006c006100730068002000440072006900760065007200200066006f0072002000570069006e0064006f007700730020004e0054 } /* FileDescription SWinFlashDriverforWindowsNT */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00500068006f0065006e0069007800200054006500630068006e006f006c006f0067006900650073002c0020004c00740064002e } /* CompanyName PhoenixTechnologiesLtd */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e0031002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e0031002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00500048004c004100530048004e0054 } /* InternalName PHLASHNT */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e00500068006c006100730068 } /* ProductName WinPhlash */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00500048004c004100530048004e0054002e005300590053 } /* OriginalFilename PHLASHNTSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]002800630029002000500068006f0065006e0069007800200054006500630068006e006f006c006f0067006900650073002c0020004c00740064002e00200032003000300030002d0032003000300033 } /* LegalCopyright cPhoenixTechnologiesLtd */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /PhlashNT/i -} - - -rule PUA_VULN_Renamed_Driver_Arthurliberman_Alsysiosys_Alsysio_7196 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ALSysIO64.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "7196187fb1ef8d108b380d37b2af8efdeb3ca1f6eefd37b5dc114c609147216d" - date = "2023-06-14" - score = 70 - id = "a197bb49-05c6-5f73-a598-2df9ff503ffa" - strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004c0053007900730049004f } /* FileDescription ALSysIO */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041007200740068007500720020004c0069006200650072006d0061006e } /* CompanyName ArthurLiberman */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0038002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030002e0038002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004c0053007900730049004f002e007300790073 } /* InternalName ALSysIOsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004c0053007900730049004f } /* ProductName ALSysIO */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004c0053007900730049004f002e007300790073 } /* OriginalFilename ALSysIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300033002d003200300030003900200041007200740068007500720020004c0069006200650072006d0061006e } /* LegalCopyright CopyrightCArthurLiberman */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ALSysIO64/i -} - - -rule PUA_VULN_Renamed_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_133E { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "133e542842656197c5d22429bd56d57aa33c9522897fdf29853a6d321033c743" - date = "2023-06-14" - score = 70 - id = "e94c3003-24cc-5dfd-baf1-7377497a4b16" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050006e00500020004400720069007600650072 } /* FileDescription 
GIGABYTENonPnPDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0047004900470041002d004200590054004500200054004500430048004e004f004c004f0047005900200043004f002e002c0020004c00540044002e } /* CompanyName GIGABYTETECHNOLOGYCOLTD */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0031002e0033 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0067006400720076002e007300790073 } /* InternalName gdrvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0047004900470041002d004200590054004500200053006f0066007400770061007200650020006400720069007600650072 } /* ProductName GIGABYTESoftwaredriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0067006400720076002e007300790073 } /* OriginalFilename gdrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310037 } /* LegalCopyright CopyrightC */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /gdrv/i -} - - -rule PUA_VULN_Renamed_Driver_Cpuid_Cpuzsys_Cpuidservice_0D37 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "0d3790af5f8e5c945410929e31d06144a471ac82f828afe89a4758a5bbeb7f9f" - hash = "523d1d43e896077f32cd9acaa8e85b513bfb7b013a625e56f0d4e9675d9822ba" - hash = "df0dcfb3971829af79629efd036b8e1c6e2127481b3644ccc6e2ddd387489a15" - hash = "9a523854fe84f15efc1635d7f5d3e71812c45d6a4d2c99c29fdc4b4d9c84954c" - hash = "8c95d28270a4a314299cf50f05dcbe63033b2a555195d2ad2f678e09e00393e6" - hash = "1ee59eb28688e73d10838c66e0d8e011c8df45b6b43a4ac5d0b75795ca3eb512" - hash = 
"5b3705b47dc15f2b61ca3821b883b9cd114d83fcc3344d11eb1d3df495d75abe" - hash = "67734c7c0130dd66c964f76965f09a2290da4b14c94412c0056046e700654bdc" - hash = "80eeb8c2890f3535ed14f5881baf2f2226e6763be099d09fb8aadaba5b4474c1" - hash = "19696fb0db3fcae22f705ae1eb1e9f1151c823f3ff5d8857e90f2a4a6fdc5758" - hash = "e58bbf3251906ff722aa63415bf169618e78be85cb92c8263d3715c260491e90" - hash = "11d258e05b850dcc9ecfacccc9486e54bd928aaa3d5e9942696c323fdbd3481b" - date = "2023-06-14" - score = 70 - id = "4de41d13-ffdc-56fa-a5fe-c72ea5bf872f" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310030002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /cpuz/i -} - - -rule PUA_VULN_Renamed_Driver_Asustek_Driversys_Ectool_927C { - meta: - description = "Detects renamed 
vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - driver7-x86-withoutdbg.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "927c2a580d51a598177fa54c65e9d2610f5f212f1b6cb2fbf2740b64368f010a" - hash = "42851a01469ba97cdc38939b10cf9ea13237aa1f6c37b1ac84904c5a12a81fa0" - hash = "771a8d05f1af6214e0ef0886662be500ee910ab99f0154227067fddcfe08a3dd" - date = "2023-06-14" - score = 70 - id = "cc670ae4-3be4-5e70-9b8c-4bf52aa3191d" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400680065002000640072006900760065007200200066006f007200200074006800650020004500430074006f006f006c0020006400720069007600650072002d0062006100730065006400200074006f006f006c0073 } /* FileDescription ThedriverfortheECtooldriverbasedtools */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530055005300740065006b } /* CompanyName ASUStek */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0035002e0030002e0032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0044007200690076006500720037002e007300790073 } /* InternalName Driversys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0045004300200074006f006f006c } /* ProductName ECtool */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0044007200690076006500720037 } /* OriginalFilename Driver */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020 } /* LegalCopyright Copyright */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /driver7-x86-withoutdbg/i -} - - -rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_CF4B { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo 
values from the PE header - NTIOLib.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "cf4b5fa853ce809f1924df3a3ae3c4e191878c4ea5248d8785dc7e51807a512b" - date = "2023-06-14" - score = 70 - id = "853fcdcf-12e5-5783-b582-f8449d575d8c" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f00720020004d005300490043006c006f0063006b005f00430043 } /* FileDescription NTIOLibforMSIClockCC */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002d00320030003000390020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /NTIOLib/i -} - - -rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_D783 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = 
"d783ace822f8fe4e25d5387e5dd249cb72e62f62079023216dc436f1853a150f" - date = "2023-06-14" - score = 70 - id = "8cd1c035-64aa-5bad-b2df-f7b50a90c92b" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00350030002e0030002e0031003000330033 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00350030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000320020002d002000320030003100320020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /TmComm/i -} - - -rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpot_Avastantivirus_4B52 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys" - author = "Florian 
Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1" - date = "2023-06-14" - score = 70 - id = "4e938de0-3822-57a1-987b-818cb7a169d2" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00320031002e0031002e003100380037002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320031002e0031002e003100380037002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300032003100200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ - condition: - uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i -} - - -rule PUA_VULN_Renamed_Driver_Biostargroup_Iodriver_Biostariodriverfle_42E1 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - BS_I2cIo.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = 
"42e170a7ab1d2c160d60abfc906872f9cfd0c2ee169ed76f6acb3f83b3eeefdb" - hash = "f929bead59e9424ab90427b379dcdd63fbfe0c4fb5e1792e3a1685541cd5ec65" - hash = "55fee54c0d0d873724864dc0b2a10b38b7f40300ee9cae4d9baaf8a202c4049a" - date = "2023-06-14" - score = 70 - id = "b8fae701-2e8a-542d-8672-4c76f109fa75" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049002f004f00200049006e00740065007200660061006300650020006400720069007600650072002000660069006c0065 } /* FileDescription IOInterfacedriverfile */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00420049004f0053005400410052002000470072006f00750070 } /* CompanyName BIOSTARGroup */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c00200031002c00200030002c00200030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200031002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0049002f004f0020006400720069007600650072 } /* InternalName IOdriver */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00420049004f005300540041005200200049002f004f002000640072006900760065007200200066006c0065 } /* ProductName BIOSTARIOdriverfle */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00420053005f0049003200630049006f002e007300790073 } /* OriginalFilename BSIcIosys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200032003000300032002d0032003000300036002000420049004f0053005400410052002000470072006f00750070 } /* LegalCopyright CopyrightcBIOSTARGroup */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /BS_I2cIo/i -} - - -rule PUA_VULN_Renamed_Driver_Mitactechnologycorporation_Mtcbsvsys_Mitacsystemserviceprovider_C9CF { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values 
from the PE header - mtcBSv64.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "c9cf1d627078f63a36bbde364cd0d5f2be1714124d186c06db5bcdf549a109f8" - date = "2023-06-14" - score = 70 - id = "d9c795cd-876a-535f-b64e-55b1cae39da1" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0069005400410043002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* FileDescription MiTACSystemServiceProvider */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d006900540041004300200054006500630068006e006f006c006f0067007900200043006f00720070006f0072006100740069006f006e } /* CompanyName MiTACTechnologyCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00320031002c00200031002c00200034002c00200030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320031002c00200031002c00200034002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0074006300420053007600360034002e007300790073 } /* InternalName mtcBSvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d0069005400410043002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* ProductName MiTACSystemServiceProvider */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d0074006300420053007600360034002e007300790073 } /* OriginalFilename mtcBSvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000370020004d006900540041004300200054006500630068006e006f006c006f0067007900200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCMiTACTechnologyCorporation */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /mtcBSv64/i -} - - -rule 
PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_5F65 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "5f6547e9823f94c5b94af1fb69a967c4902f72b6e0c783804835e6ce27f887b0" - date = "2023-06-14" - score = 70 - id = "87c2d1a5-15a0-51ef-a1be-8c22ffabf03a" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0033002e0032002e003100330020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0033002e0032002e00310033 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003700200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /iQVW64/i -} - - -rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_58A7 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viraglt64.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495" - date = "2023-06-14" - score = 70 - id = "565bd15e-3769-5fd3-90c7-5e5f75fb3bb5" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c00200030002c00200030002c002000310031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200030002c00200030002c002000310031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00760069007200610067007400360034002e007300790073 } /* 
OriginalFilename viragtsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000310031002c002000320030003100360020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /viraglt64/i -} - - -rule PUA_VULN_Renamed_Driver_Panyazilimbilisimteknolojileriticltdsti_Panmonfltxsys_Pancafemanager_0650 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - PanMonFltX64.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "06508aacb4ed0a1398a2b0da5fa2dbf7da435b56da76fd83c759a50a51c75caf" - date = "2023-06-14" - score = 70 - id = "9513ae4a-9a61-51da-823c-76d33b2cf809" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500061006e00430061006600650020004d0061006e0061006700650072002000460069006c00650020004d006f006e00690074006f0072 } /* FileDescription PanCafeManagerFileMonitor */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00500061006e002000590061007a0069006c0069006d002000420069006c006900730069006d002000540065006b006e006f006c006f006a0069006c0065007200690020005400690063002e0020004c00740064002e0020005300740069002e } /* CompanyName PanYazilimBilisimTeknolojileriTicLtdSti */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00500061006e004d006f006e0046006c0074005800360034002e007300790073 } /* InternalName PanMonFltXsys */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]00500061006e00430061006600650020004d0061006e0061006700650072 } /* ProductName PanCafeManager */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00500061006e004d006f006e0046006c0074005800360034002e007300790073 } /* OriginalFilename PanMonFltXsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200032003000310032002d0032003000310034002000500061006e002000590061007a0131006c0131006d002000420069006c006900730069006d002000540065006b006e006f006c006f006a0069006c0065007200690020005400690063002e0020004c00740064002e0020005300740069002e } /* LegalCopyright CopyrightcPanYazlmBilisimTeknolojileriTicLtdSti */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /PanMonFltX64/i -} - - -rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_0F17 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "0f17e5cfc5bdd74aff91bfb1a836071345ba2b5d1b47b0d5bf8e7e0d4d5e2dbf" - date = "2023-06-14" - score = 70 - id = "f63927d6-7bbf-590d-b3e0-f5cd70160760" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0033002e0034003200320034002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0033002e0034003200320034002e0030 } /* ProductVersion */ - $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003900200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ - condition: - uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i -} - - -rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_6C71 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ncpl.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "6c7120e40fc850e4715058b233f5ad4527d1084a909114fd6a36b7b7573c4a44" - hash = "3a65d14fd3b1b5981084cdbd293dc6f4558911ea18dd80177d1e5b54d85bcaa0" - date = "2023-06-14" - score = 70 - id = "04bee759-d8ca-5f28-9eb5-b6397c58ce8d" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310031002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310031 } /* 
ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310033002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ncpl/i -} - - -rule PUA_VULN_Renamed_Driver_Bsmisys_5962 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - BSMIXP64.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "59626cac380d8fe0b80a6d4c4406d62ba0683a2f0f68d50ad506ca1b1cf25347" - hash = "552f70374715e70c4ade591d65177be2539ec60f751223680dfaccb9e0be0ed9" - date = "2023-06-14" - score = 70 - id = "8ebe6df1-b307-50ea-83c8-2984223da6dd" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053004d00490020004400720069007600650072 } /* FileDescription SMIDriver */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0033 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0033 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00420053004d0049002e007300790073 } /* InternalName BSMIsys */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00420053004d0049002e007300790073 } /* OriginalFilename BSMIsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000420049004f005300540041005200200043006f00720070002e00200032003000310031 } /* LegalCopyright CopyrightCBIOSTARCorp */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /BSMIXP64/i -} - - -rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_99F4 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "99f4994a0e5bd1bf6e3f637d3225c69ff4cd620557e23637533e7f18d7d6cba1" - hash = "56a3c9ac137d862a85b4004f043d46542a1b61c6acb438098a9640469e2d80e7" - hash = "c2a4ddcc9c3b339d752c48925d62fc4cc5adbf6fae8fedef74cdd47e88da01f8" - hash = "50d5eaa168c077ce5b7f15b3f2c43bd2b86b07b1e926c1b332f8cb13bd2e0793" - hash = "9c10e2ec4f9ef591415f9a784b93dc9c9cdafa7c69602c0dc860c5b62222e449" - hash = "6f1ff29e2e710f6d064dc74e8e011331d807c32cc2a622cbe507fd4b4d43f8f4" - hash = "cd4a249c3ef65af285d0f8f30a8a96e83688486aab515836318a2559757a89bb" - hash = "d8b58f6a89a7618558e37afc360cd772b6731e3ba367f8d58734ecee2244a530" - hash = "3f2fda9a7a9c57b7138687bbce49a2e156d6095dddabb3454ea09737e02c3fa5" - hash = "fd8669794c67b396c12fc5f08e9c004fdf851a82faf302846878173e4fbecb03" - hash = "9529efb1837b1005e5e8f477773752078e0a46500c748bc30c9b5084d04082e6" - hash = "f088b2ba27dacd5c28f8ee428f1350dca4bc7c6606309c287c801b2e1da1a53d" - hash = "131d5490ceb9a5b2324d8e927fea5becfc633015661de2f4c2f2375a3a3b64c6" - hash = "e3936d3356573ce2e472495cd3ce769f49a613e453b010433dafce5ea498ddc2" - hash = "89b0017bc30cc026e32b758c66a1af88bd54c6a78e11ec2908ff854e00ac46be" - hash = "18776682fcc0c6863147143759a8d4050a4115a8ede0136e49a7cf885c8a4805" - hash = "7893307df2fdde25371645a924f0333e1b2de31b6bc839d8e2a908d7830c6504" - hash = 
"79e2d37632c417138970b4feba91b7e10c2ea251c5efe3d1fc6fa0190f176b57" - hash = "952199c28332bc90cfd74530a77ee237967ed32b3c71322559c59f7a42187dc4" - hash = "101402d4f5d1ae413ded499c78a5fcbbc7e3bae9b000d64c1dd64e3c48c37558" - hash = "39cfde7d401efce4f550e0a9461f5fc4d71fa07235e1336e4f0b4882bd76550e" - hash = "85866e8c25d82c1ec91d7a8076c7d073cccf421cf57d9c83d80d63943a4edd94" - hash = "b7a20b5f15e1871b392782c46ebcc897929443d82073ee4dcb3874b6a5976b5d" - hash = "d92eab70bcece4432258c9c9a914483a2267f6ab5ce2630048d3a99e8cb1b482" - hash = "984a77e5424c6d099051441005f2938ae92b31b5ad8f6521c6b001932862add7" - hash = "e005e8d183e853a27ad3bb56f25489f369c11b0d47e3d4095aad9291b3343bf1" - hash = "a961f5939088238d76757669a9a81905e33f247c9c635b908daac146ae063499" - hash = "a9706e320179993dade519a83061477ace195daa1b788662825484813001f526" - hash = "47f0cdaa2359a63ad1389ef4a635f1f6eee1f63bdf6ef177f114bdcdadc2e005" - hash = "38fa0c663c8689048726666f1c5e019feaa9da8278f1df6ff62da33961891d2a" - hash = "ef86c4e5ee1dbc4f81cd864e8cd2f4a2a85ee4475b9a9ab698a4ae1cc71fbeb0" - date = "2023-06-14" - score = 70 - id = "120b0300-f965-5c0e-a996-b98efee72d75" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* FileDescription NTIOLib */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename 
NTIOLibsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002d00320030003000390020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /NTIOLib/i -} - - -rule PUA_VULN_Renamed_Driver_Cpuid_Cpuzsys_Cpuidservice_26E3 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "26e3bfef255efd052a84c3c43994c73222b14c95db9a4b1fc2e98f1a5cb26e43" - hash = "3e07bb866d329a2f9aaa4802bad04fdac9163de9bf9cfa1d035f5ca610b4b9bf" - hash = "c50f8ab8538c557963252b702c1bd3cee4604b5fc2497705d2a6a3fd87e3cc26" - date = "2023-06-14" - score = 70 - id = "e25beaaf-9c1e-5d39-9938-2548ed97325e" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */ - $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310033002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /cpuz/i -} - - -rule PUA_VULN_Renamed_Driver_Asustekcomputerinc_Bsdefsys_Supportsstsfssteeatftatcamfntamfnbvctvcbmftwc_5F5E { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Bs_Def.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "5f5e5f1c93d961985624768b7c676d488c7c7c1d4c043f6fc1ea1904fefb75be" - hash = "3326e2d32bbabd69feb6024809afc56c7e39241ebe70a53728c77e80995422a5" - hash = "0040153302b88bee27eb4f1eca6855039e1a057370f5e8c615724fa5215bada3" - hash = "36b9e31240ab0341873c7092b63e2e0f2cab2962ebf9b25271c3a1216b7669eb" - date = "2023-06-14" - score = 70 - id = "352c2210-c58d-57be-98f3-39ba15d97cf9" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00440065006600610075006c0074002000420049004f005300200046006c0061007300680020004400720069007600650072 } /* FileDescription DefaultBIOSFlashDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100730075007300540065006b00200043006f006d0070007500740065007200200049006e0063002e } /* CompanyName AsusTekComputerInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003200340020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00320034 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00420073005f00440065006600360034002e007300790073 } /* 
InternalName BsDefsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0053007500700070006f0072007400200053005300540033003900530046003000320030002c0053005300540032003900450045003000320030002c004100540034003900460030003000320054002c00410054003200390043003000320030002c0041004d003200390046003000300032004e0054002c0041004d003200390046003000300032004e0042002c0056003200390043003500310030003000320054002c0056003200390043003500310030003000320042002c004d0032003900460030003000320054002c0057003200390043003000320030002e } /* ProductName SupportSSTSFSSTEEATFTATCAMFNTAMFNBVCTVCBMFTWC */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00420073005f00440065006600360034002e007300790073 } /* OriginalFilename BsDefsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004100730075007300540065006b00200043006f006d00700075007400650072002e00200031003900390032002d0032003000300034 } /* LegalCopyright CopyrightCAsusTekComputer */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /Bs_Def/i -} - - -rule PUA_VULN_Renamed_Driver_Panyazilimbilisimteknolojileriticltdsti_Panioxsys_Paniolibrary_6B83 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - PanIOx64.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "6b830ea0db6546a044c9900d3f335e7820c2a80e147b0751641899d1a5aa8f74" - date = "2023-06-14" - score = 70 - id = "2b0714b8-ddd7-5313-83d3-53fcb7bb9c43" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00540065006d0070006500720061007400750072006500200061006e0064002000730079007300740065006d00200069006e0066006f0072006d006100740069006f006e0020006400720069007600650072 } /* FileDescription Temperatureandsysteminformationdriver */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]00500061006e002000590061007a0069006c0069006d002000420069006c006900730069006d002000540065006b006e006f006c006f006a0069006c0065007200690020005400690063002e0020004c00740064002e0020005300740069002e } /* CompanyName PanYazilimBilisimTeknolojileriTicLtdSti */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00500061006e0049004f007800360034002e007300790073 } /* InternalName PanIOxsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500061006e0049004f0020004c006900620072006100720079 } /* ProductName PanIOLibrary */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00500061006e0049004f007800360034002e007300790073 } /* OriginalFilename PanIOxsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200032003000310032002d0032003000310034002000500061006e002000590061007a0069006c0069006d002000420069006c006900730069006d002000540065006b006e006f006c006f006a0069006c0065007200690020005400690063002e0020004c00740064002e0020005300740069002e } /* LegalCopyright CopyrightcPanYazilimBilisimTeknolojileriTicLtdSti */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /PanIOx64/i -} - - -rule PUA_VULN_Renamed_Driver_Cpuid_Cpuzsys_Cpuidservice_2A6D { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "2a6db9facf9e13d35c37dd468be04bae5f70c6127a9aee76daebddbdec95d486" - hash = "1e16a01ef44e4c56e87abfbe03b2989b0391b172c3ec162783ad640be65ab961" - hash = 
"aebcbfca180e372a048b682a4859fd520c98b5b63f6e3a627c626cb35adc0399" - date = "2023-06-14" - score = 70 - id = "3e356a91-0fce-57fe-a2f9-a9ceca2309ae" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310032002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /cpuz/i -} - - -rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_82FB { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "82fbcb371d53b8a76a25fbbafaae31147c0d1f6b9f26b3ea45262c2267386989" - date = "2023-06-14" - score = 70 - id = "fbe0700a-ba46-53e7-b519-ad7a6ca42183" - strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200037 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ElbyCDIO/i -} - - -rule PUA_VULN_Renamed_Driver_Entechtaiwan_Seasys_Softenginex_6CB5 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Se64a.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "6cb51ae871fbd5d07c5aad6ff8eea43d34063089528603ca9ceb8b4f52f68ddc" - date = "2023-06-14" - score = 70 - id = "8f464004-8afe-58c8-9170-52a0496b6158" - strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006e005400650063006800200073006f006600740045006e00670069006e006500200078003600340020006b00650072006e0065006c002d006d006f006400650020006400720069007600650072 } /* FileDescription EnTechsoftEnginexkernelmodedriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006e0054006500630068002000540061006900770061006e } /* CompanyName EnTechTaiwan */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730065003600340061002e007300790073 } /* InternalName seasys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0073006f006600740045006e00670069006e0065002d007800360034 } /* ProductName softEnginex */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730065003600340061002e007300790073 } /* OriginalFilename seasys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200045006e0054006500630068002000540061006900770061006e002c00200032003000300034002d0032003000300036002e } /* LegalCopyright CopyrightcEnTechTaiwan */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /Se64a/i -} - - -rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_0B54 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "0b542e47248611a1895018ec4f4033ea53464f259c74eb014d018b19ad818917" - date = "2023-06-14" - score = 70 - id = "c612b1f8-cff0-532e-8a2f-aa24cdad8920" - strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0038002e003100330030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0038002e003100330030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000320030002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ - condition: - uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i -} - - -rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_1273 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "1273b74c3c1553eaa92e844fbd51f716356cc19cf77c2c780d4899ec7738fbd1" 
- date = "2023-06-14" - score = 70 - id = "ee7f79aa-59fb-54c6-bb4d-939f3b48f4c8" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0035002e0033003900320036002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0035002e0033003900320036002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003800200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ - condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i -} - - -rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_3854 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "385485e643aa611e97ceae6590c6a8c47155886123dbb9de1e704d0d1624d039" - hash = 
"b773511fdb2e370dec042530910a905472fcc2558eb108b246fd3200171b04d3" - date = "2023-06-14" - score = 70 - id = "d4f27c90-7d23-5969-b635-64eeb859960c" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e00330030002e0030002e0031003000360035 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00330030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100370020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 500KB and all of them and not filename matches /TmComm/i -} - - -rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_8FE9 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys" - author = "Florian Roth" - reference = 
"https://github.com/magicsword-io/LOLDrivers" - hash = "8fe9828bea83adc8b1429394db7a556a17f79846ad0bfb7f242084a5c96edf2a" - date = "2023-06-14" - score = 70 - id = "9e5a5fc6-24ac-5df2-999f-1d1063bd3f46" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } /* CompanyName ZemanaLtd */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00310037002e003100310035 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /zam64/i -} - - -rule PUA_VULN_Renamed_Driver_Windowsrcodenamelonghornddkprovider_Cpuzsys_Windowsrcodenamelonghornddkdriver_4932 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "49329fa09f584d1960b09c1b15df18c0bc1c4fdb90bf48b6b5703e872040b668" - hash = "2ef7df384e93951893b65500dac6ee09da6b8fe9128326caad41b8be4da49a1e" - hash = "dbb457ae1bd07a945a1466ce4a206c625e590aee3922fa7d86fbe956beccfc98" - hash = "8e5aef7c66c0e92dfc037ee29ade1c8484b8d7fadebdcf521d2763b1d8215126" - date = "2023-06-14" - score = 70 - id = "82418e8e-31cb-5499-9263-f0edc2d2b1e7" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRCodenameLonghornDDKprovider */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e003100360033003800360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e00310036003300380036 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b0020006400720069007600650072 } /* ProductName WindowsRCodenameLonghornDDKdriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /cpuz/i -} - - -rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_3D9E { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "3d9e83b189fcf5c3541c62d1f54a0da0a4e5b62c3243d2989afc46644056c8e3" - date = "2023-06-14" - 
score = 70 - id = "61d26f77-ddd9-5f83-b531-886eb05331a0" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200046006f00720020004e00540049004f004c00690062005f00450043004f } /* FileDescription NTIOLibForNTIOLibECO */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0032 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310031002d00320030003100320020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /NTIOLib/i -} - - -rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_2BBE { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "2bbe65cbec3bb069e92233924f7ee1f95ffa16173fceb932c34f68d862781250" - hash = "e68d453d333854787f8470c8baef3e0d082f26df5aa19c0493898bcf3401e39a" - date = "2023-06-14" - score = 70 - id = "800313e5-3004-57e6-9f4c-969153ede685" - strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200046006f00720020004d0053004900530069006d0070006c0065005f004f0043 } /* FileDescription NTIOLibForMSISimpleOC */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0032 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310031002d00320030003100320020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /NTIOLib/i -} - - -rule PUA_VULN_Renamed_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_092D { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "092d04284fdeb6762e65e6ac5b813920d6c69a5e99d110769c5c1a78e11c5ba0" - hash = "0ce40a2cdd3f45c7632b858e8089ddfdd12d9acb286f2015a4b1b0c0346a572c" - date = "2023-06-14" - score = 70 - id = "5c6ff79e-d218-5d5f-a057-e6971ef447bf" - strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050006e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPnPDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0047004900470041002d004200590054004500200054004500430048004e004f004c004f0047005900200043004f002e002c0020004c00540044002e } /* CompanyName GIGABYTETECHNOLOGYCOLTD */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0031002e0031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0067006400720076002e007300790073 } /* InternalName gdrvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0047004900470041002d004200590054004500200053006f0066007400770061007200650020006400720069007600650072 } /* ProductName GIGABYTESoftwaredriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0067006400720076002e007300790073 } /* OriginalFilename gdrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310037 } /* LegalCopyright CopyrightC */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /gdrv/i -} - - -rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_62F5 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "62f5e13b2edc00128716cb93e6a9eddffea67ce83d2bb426f18f5be08ead89e0" - hash = "ee3ff12943ced401e2b6df9e66e8a0be8e449fa9326cab241f471b2d8ffefdd7" - date = "2023-06-14" - score = 70 - id = "188a50cc-7cf9-545d-87c1-9d3fce1070be" - strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e0030002e0030002e0031003000390039 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100360020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 500KB and all of them and not filename matches /TmComm/i -} - - -rule PUA_VULN_Renamed_Driver_Yyinc_Dianhu_80CB { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Dh_Kernel_10.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "80cbba9f404df3e642f22c476664d63d7c229d45d34f5cd0e19c65eb41becec3" - hash = "bb50818a07b0eb1bd317467139b7eb4bad6cd89053fecdabfeae111689825955" 
- date = "2023-06-14" - score = 70 - id = "1675607c-efae-5099-be11-bc206c0712b5" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006400690061006e00680075 } /* FileDescription dianhu */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0059005900200049006e0063002e } /* CompanyName YYInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00390039 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00390039 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]006400690061006e00680075 } /* ProductName dianhu */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000300037002d003200300031003700200059005900200049006e0063002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightYYIncAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /Dh_Kernel_10/i -} - - -rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_8F68 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "8f68ca89910ebe9da3d02ec82d935de1814d79c44f36cd30ea02fa49ae488f00" - hash = "c8eaa5e6d3230b93c126d2d58e32409e4aeeb23ccf0dd047a17f1ef552f92fe9" - date = "2023-06-14" - score = 70 - id = "619ff7aa-13db-5f36-987f-36e5f3af4f4b" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003600200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ElbyCDIO/i -} - - -rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_A5A5 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "a5a50449e2cc4d0dbc80496f757935ae38bf8a1bebdd6555a3495d8c219df2ad" - date = "2023-06-14" - score = 70 - id = "b3c63fd3-4741-57b7-9de9-d2d2d391882f" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0033002e0033003800340038002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0033002e0033003800340038002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003800200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ - condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i -} - - -rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_591B { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "591bd5e92dfa0117b3daa29750e73e2db25baa717c31217539d30ffb1f7f3a52" - date = "2023-06-14" - score = 70 - id = "4df83628-e87e-5e13-b6dd-033541771ae3" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200046006f00720020004d005300490052006100740069006f005f00430043 } /* FileDescription NTIOLibForMSIRatioCC */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002d00320030003000390020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /NTIOLib/i -} - - -rule PUA_VULN_Renamed_Driver_Openlibsysorg_Winringsys_Winring_47EA { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WinRing0.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "47eaebc920ccf99e09fc9924feb6b19b8a28589f52783327067c9b09754b5e84" - hash = "3ec5ad51e6879464dfbccb9f4ed76c6325056a42548d5994ba869da9c4c039a8" - date = "2023-06-14" - score = 70 - id = "1895c269-a7f5-5b4e-8fea-6ac70c16f79b" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069006e00520069006e00670030 } /* FileDescription WinRing */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004f00700065006e004c00690062005300790073002e006f00720067 } /* CompanyName OpenLibSysorg */ - $ 
= { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0031002e0032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0031002e0032 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00570069006e00520069006e00670030002e007300790073 } /* InternalName WinRingsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e00520069006e00670030 } /* ProductName WinRing */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00570069006e00520069006e00670030002e007300790073 } /* OriginalFilename WinRingsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000370020004f00700065006e004c00690062005300790073002e006f00720067002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCOpenLibSysorgAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /WinRing0/i -} - - -rule PUA_VULN_Renamed_Driver_Insydesoftwarecorp_Segwindrvxsys_Segwindowsdriverx_6532 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - segwindrvx64.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "65329dad28e92f4bcc64de15c552b6ef424494028b18875b7dba840053bc0cdd" - date = "2023-06-14" - score = 70 - id = "b71a72cc-08d0-572e-b404-ba2f01dc20a6" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* FileDescription SEGWindowsDriverx */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e } /* CompanyName InsydeSoftwareCorp */ - 
$ = { 00460069006c006500560065007200730069006f006e[1-8]003100300030002e00300030002e00300037002e00300032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]003100300030002e00300030002e00300037002e00300032 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* InternalName segwindrvxsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* ProductName SEGWindowsDriverx */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* OriginalFilename segwindrvxsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003100320020002d00200032003000310035002c00200049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightcInsydeSoftwareCorpAllRightsReserved */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /segwindrvx64/i -} - - -rule PUA_VULN_Renamed_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmasterservicedriver_909D { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDRyzenMasterDriver.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "909de5f21837ea2b13fdc4e5763589e6bdedb903f7c04e1d0b08776639774880" - date = "2023-06-14" - score = 70 - id = "88bfa047-8980-51e0-8baf-9a9301b36283" - strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073 } /* CompanyName AdvancedMicroDevices */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0035002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* InternalName AMDRyzenMasterDriversys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* ProductName AMDRyzenMasterServiceDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* OriginalFilename AMDRyzenMasterDriversys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020003200300032003000200041004d0044002c00200049006e0063002e } /* LegalCopyright CopyrightAMDInc */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /AMDRyzenMasterDriver/i -} - - -rule PUA_VULN_Renamed_Driver_Atitechnologiesinc_Atillksys_Atidiagnostics_AD40 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - atillk64.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = 
"ad40e6d0f77c0e579fb87c5106bf6de3d1a9f30ee2fbf8c9c011f377fa05f173" - hash = "38bb9751a3a1f072d518afe6921a66ee6d5cf6d25bc50af49e1925f20d75d4d7" - hash = "5c04c274a708c9a7d993e33be3ea9e6119dc29527a767410dbaf93996f87369a" - date = "2023-06-14" - score = 70 - id = "729acf46-93eb-5ab1-a696-d4cc6bf43a53" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410054004900200044006900610067006e006f007300740069006300730020004800610072006400770061007200650020004100620073007400720061006300740069006f006e0020005300790073 } /* FileDescription ATIDiagnosticsHardwareAbstractionSys */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410054004900200054006500630068006e006f006c006f006700690065007300200049006e0063002e } /* CompanyName ATITechnologiesInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00310031002e0039002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00310031002e0039002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100740069006c006c006b00360034002e007300790073 } /* InternalName atillksys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410054004900200044006900610067006e006f00730074006900630073 } /* ProductName ATIDiagnostics */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100740069006c006c006b00360034002e007300790073 } /* OriginalFilename atillksys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000410054004900200054006500630068006e006f006c006f006700690065007300200049006e0063002e002c00200032003000300033 } /* LegalCopyright CopyrightCATITechnologiesInc */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /atillk64/i -} - - -rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_0CD4 { - meta: - description = 
"Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "0cd4ca335155062182608cad9ef5c8351a715bce92049719dd09c76422cd7b0c" - date = "2023-06-14" - score = 70 - id = "788423ac-b11d-593a-a043-0bcdcf49465e" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0033002e00360038002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0033002e00360038002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000320030002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ - condition: - uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i -} - - -rule 
PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_E16D { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "e16dc51c51b2df88c474feb52ce884d152b3511094306a289623de69dedfdf48" - hash = "e6056443537d4d2314dabca1b9168f1eaaf17a14eb41f6f5741b6b82b3119790" - hash = "ab0925398f3fa69a67eacee2bbb7b34ac395bb309df7fc7a9a9b8103ef41ed7a" - hash = "da11e9598eef033722b97873d1c046270dd039d0e3ee6cd37911e2dc2eb2608d" - date = "2023-06-14" - score = 70 - id = "1a622734-cb50-5d17-aa0a-d5a04b26b386" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310031002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310031 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310033002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ - condition: - uint16(0) == 0x5a4d and filesize < 200KB 
and all of them and not filename matches /libnicm/i -} - - -rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroaegis_3FA6 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "3fa6379951f08ed3cb87eeba9cf0c5f5e1d0317dcfcf003b810df9d795eeb73e" - date = "2023-06-14" - score = 70 - id = "f9cdf106-d925-5630-82a0-dd03a708e6f1" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e00380030002e0030002e0031003000370037 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00380030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f002000410045004700490053 } /* ProductName TrendMicroAEGIS */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300035002d00320030003000390020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright 
CopyrightCTrendMicroIncorporatedAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /TmComm/i -} - - -rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_3E1D { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "3e1d47a497babbfd1c83905777b517ec87c65742bee7eb57a2273eca825d2272" - date = "2023-06-14" - score = 70 - id = "b467d87b-12bc-56ef-9901-520e73be1b50" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0030002e0030002e0031003100310033 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300035002d00320030003100310020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /TmComm/i -} - - -rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_6FB5 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "6fb5bc9c51f6872de116c7db8a2134461743908efc306373f6de59a0646c4f5d" - date = "2023-06-14" - score = 70 - id = "045c065f-82e8-5302-b1b4-d5a49491fb84" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0035002e0034003200320030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0035002e0034003200320030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310039002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ - condition: - uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i -} - - -rule PUA_VULN_Renamed_Driver_Asrockincorporation_Asrdrvsys_Asrockiodriver_3943 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AsrDrv106.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "3943a796cc7c5352aa57ccf544295bfd6fb69aae147bc8235a00202dc6ed6838" - hash = "950a4c0c772021cee26011a92194f0e58d61588f77f2873aa0599dff52a160c9" - hash = "2003b478b9fd1b3d76ec5bf4172c2e8915babbbee7ad1783794acbf8d4c2519d" - hash = "6ed35f310c96920a271c59a097b382da07856e40179c2a4239f8daa04eef38e7" - hash = "ece0a900ea089e730741499614c0917432246ceb5e11599ee3a1bb679e24fd2c" - hash = "f40435488389b4fb3b945ca21a8325a51e1b5f80f045ab019748d0ec66056a8b" - hash = "a7c2e7910942dd5e43e2f4eb159bcd2b4e71366e34a68109548b9fb12ac0f7cc" - date = "2023-06-14" - score = 70 - id = "8a32a060-72e4-586a-9269-48ca9e7b49f7" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100530052006f0063006b00200049004f0020004400720069007600650072 } /* FileDescription ASRockIODriver */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]004100530052006f0063006b00200049006e0063006f00720070006f0072006100740069006f006e } /* CompanyName ASRockIncorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030002e00300030002e00300030003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030002e00300030002e0030003000300030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100730072004400720076002e007300790073 } /* InternalName AsrDrvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100530052006f0063006b00200049004f0020004400720069007600650072 } /* ProductName ASRockIODriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100730072004400720076002e007300790073 } /* OriginalFilename AsrDrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100320020004100530052006f0063006b00200049006e0063006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCASRockIncorporation */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /AsrDrv106/i -} - - -rule PUA_VULN_Renamed_Driver_Hpdevelopmentcompany_Etdsuppsys_Hpetdidriverdll_F744 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - etdsupp.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "f744abb99c97d98e4cd08072a897107829d6d8481aee96c22443f626d00f4145" - date = "2023-06-14" - score = 70 - id = "577bb210-93ca-5f9f-a297-c8bce58dfd1f" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004500540044006900200053007500700070006f007200740020004400720069007600650072 } 
/* FileDescription ETDiSupportDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0048005000200044006500760065006c006f0070006d0065006e007400200043006f006d00700061006e0079 } /* CompanyName HPDevelopmentCompany */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0030002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0030002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0065007400640073007500700070002e007300790073 } /* InternalName etdsuppsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0048005000200045005400440069002000440072006900760065007200200044004c004c } /* ProductName HPETDiDriverDLL */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0065007400640073007500700070002e007300790073 } /* OriginalFilename etdsuppsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200031003900390031002d00320030003200320020004800650077006c006500740074002d005000610063006b00610072006400200044006500760065006c006f0070006d0065006e007400200043006f006d00700061006e0079002c0020004c002e0050002e } /* LegalCopyright CCopyrightHewlettPackardDevelopmentCompanyLP */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /etdsupp/i -} - - -rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_1F81 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "1f8168036d636aad1680dd0f577ef9532dbb2dad3591d63e752b0ba3ee6fd501" - date = "2023-06-14" - score = 70 - id = "39d8757d-888a-5098-b1c0-7954b233599e" - strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0033002e0032002e003100360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0033002e0032002e00310036 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003800200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /iQVW64/i -} - - -rule PUA_VULN_Renamed_Driver_Phoenixtechnologies_Agentsys_Driveragent_4045 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Agent64.sys" - author = "Florian Roth" - reference = 
"https://github.com/magicsword-io/LOLDrivers" - hash = "4045ae77859b1dbf13972451972eaaf6f3c97bea423e9e78f1c2f14330cd47ca" - hash = "8cb62c5d41148de416014f80bd1fd033fd4d2bd504cb05b90eeb6992a382d58f" - hash = "6948480954137987a0be626c24cf594390960242cd75f094cd6aaa5c2e7a54fa" - hash = "b1d96233235a62dbb21b8dbe2d1ae333199669f67664b107bff1ad49b41d9414" - hash = "05f052c64d192cf69a462a5ec16dda0d43ca5d0245900c9fcb9201685a2e7748" - date = "2023-06-14" - score = 70 - id = "0bb01569-32ea-52c5-a5cd-27ed4eddfa4b" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004400720069007600650072004100670065006e0074002000440069007200650063007400200049002f004f00200066006f0072002000360034002d006200690074002000570069006e0064006f00770073 } /* FileDescription DriverAgentDirectIOforbitWindows */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00500068006f0065006e0069007800200054006500630068006e006f006c006f0067006900650073 } /* CompanyName PhoenixTechnologies */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100670065006e007400360034002e007300790073 } /* InternalName Agentsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004400720069007600650072004100670065006e0074 } /* ProductName DriverAgent */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100670065006e007400360034002e007300790073 } /* OriginalFilename Agentsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0045006e0054006500630068002000540061006900770061006e002c00200031003900390037002d0032003000300039 } /* LegalCopyright EnTechTaiwan */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /Agent64/i -} - - -rule 
PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_D0E2 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "d0e25b879d830e4f867b09d6540a664b6f88bad353cd14494c33b31a8091f605" - date = "2023-06-14" - score = 70 - id = "32290d09-5e5a-5cd7-ae87-5be0646fbbc1" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c002000360030002c00200030002c00200030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c002000360030002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* OriginalFilename viragtsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000300036002c002000320030003100310020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /viragt64/i -} - - -rule 
PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_904E { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NICM.SYS" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "904e0f7d485a98e8497d5ec6dd6e6e1cf0b8d8e067fb64a9e09790af3c8c9d5a" - hash = "cf3180f5308af002ac5d6fd5b75d1340878c375f0aebc3157e3bcad6322b7190" - date = "2023-06-14" - score = 70 - id = "f8c55d27-288b-50ea-a8ef-bbd4f9d0739f" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000300038002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /NICM/i -} - - -rule PUA_VULN_Renamed_Driver_Openlibsysorg_Openlibsyssys_Openlibsys_F060 { - meta: - description = "Detects 
renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - OpenLibSys.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "f0605dda1def240dc7e14efa73927d6c6d89988c01ea8647b671667b2b167008" - date = "2023-06-14" - score = 70 - id = "0f9f6aaf-37f7-593c-8086-0907e7c09e24" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004f00700065006e004c00690062005300790073 } /* FileDescription OpenLibSys */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004f00700065006e004c00690062005300790073002e006f00720067 } /* CompanyName OpenLibSysorg */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0031002e0033 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0031002e0033 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004f00700065006e004c00690062005300790073002e007300790073 } /* InternalName OpenLibSyssys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004f00700065006e004c00690062005300790073 } /* ProductName OpenLibSys */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004f00700065006e004c00690062005300790073002e007300790073 } /* OriginalFilename OpenLibSyssys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000370020004f00700065006e004c00690062005300790073002e006f00720067 } /* LegalCopyright CopyrightCOpenLibSysorg */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /OpenLibSys/i -} - - -rule PUA_VULN_Renamed_Driver_Rweverything_Rwdrvsys_Rweverythingreadwritedriver_2A65 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AsrIbDrv.sys" - author = "Florian Roth" - reference = 
"https://github.com/magicsword-io/LOLDrivers" - hash = "2a652de6b680d5ad92376ad323021850dab2c653abf06edf26120f7714b8e08a" - hash = "3384f4a892f7aa72c43280ff682d85c8e3936f37a68d978d307a9461149192de" - hash = "2470fd1b733314c9b0afa19fd39c5d19aa1b36db598b5ebbe93445caa545da5f" - hash = "47f08f7d30d824a8f4bb8a98916401a37c0fd8502db308aba91fe3112b892dcc" - hash = "0aafa9f47acf69d46c9542985994ff5321f00842a28df2396d4a3076776a83cb" - hash = "2bf29a2df52110ed463d51376562afceac0e80fbb1033284cf50edd86c406b14" - date = "2023-06-14" - score = 70 - id = "99ca2e37-5fcd-5fe2-8e38-88d1153fe950" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520057002d00450076006500720079007400680069006e006700200052006500610064002000260020005700720069007400650020004400720069007600650072 } /* FileDescription RWEverythingReadWriteDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520057002d00450076006500720079007400680069006e0067 } /* CompanyName RWEverything */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030002e00300030002e00300030003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030002e00300030002e0030003000300030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00520077004400720076002e007300790073 } /* InternalName RwDrvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00520057002d00450076006500720079007400680069006e006700200052006500610064002000260020005700720069007400650020004400720069007600650072 } /* ProductName RWEverythingReadWriteDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00520077004400720076002e007300790073 } /* OriginalFilename RwDrvsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002000520057002d00450076006500720079007400680069006e0067 } /* LegalCopyright CopyrightCRWEverything */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /AsrIbDrv/i -} - - -rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_5027 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "5027fce41ed60906a0e76b97c95c2a5a83d57a2d1cd42de232a21f26c0d58e48" - date = "2023-06-14" - score = 70 - id = "fb17b415-51c9-5bd1-b557-8d57015f90e1" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00350030002e0030002e0031003000340037 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00350030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000320020002d002000320030003100320020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /TmComm/i -} - - -rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_19D0 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "19d0fc91b70d7a719f7a28b4ad929f114bf1de94a4c7cba5ad821285a4485da0" - date = "2023-06-14" - score = 70 - id = "f896b0df-8862-5345-8feb-bdbddedda0bc" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0037002e003100310033002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0037002e003100310033002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName 
AVGInternetSecuritySystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000320030002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ - condition: - uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i -} - - -rule PUA_VULN_Renamed_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmasterservicedriver_7795 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDRyzenMasterDriver.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "77955af8a8bcea8998f4046c2f8534f6fb1959c71de049ca2f4298ba47d8f23a" - date = "2023-06-14" - score = 70 - id = "d7c72129-94ab-5ff6-8b39-5c8c24ac1949" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073 } /* CompanyName AdvancedMicroDevices */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* ProductVersion */ - $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* InternalName AMDRyzenMasterDriversys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* ProductName AMDRyzenMasterServiceDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* OriginalFilename AMDRyzenMasterDriversys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020003200300032003200200041004d0044002c00200049006e0063002e } /* LegalCopyright CopyrightAMDInc */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /AMDRyzenMasterDriver/i -} - - -rule PUA_VULN_Renamed_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmasterservicedriver_9B1A { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDRyzenMasterDriver.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "9b1ac756e35f795dd91adbc841e78db23cb7165280f8d4a01df663128b66d194" - date = "2023-06-14" - score = 70 - id = "04c4bd4a-67ca-5dbb-9347-ad1a5c949895" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073 } /* CompanyName AdvancedMicroDevices */ - $ = { 
00460069006c006500560065007200730069006f006e[1-8]0031002e0031002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0031002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* InternalName AMDRyzenMasterDriversys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* ProductName AMDRyzenMasterServiceDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* OriginalFilename AMDRyzenMasterDriversys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020003200300031003700200041004d0044002c00200049006e0063002e } /* LegalCopyright CopyrightAMDInc */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /AMDRyzenMasterDriver/i -} - - -rule PUA_VULN_Renamed_Driver_Panyazilimbilisimteknolojileriticltdsti_Panmonfltsys_Pancafemanager_7E01 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - PanMonFlt.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "7e0124fcc7c95fdc34408cf154cb41e654dade8b898c71ad587b2090b1da30d7" - date = "2023-06-14" - score = 70 - id = "e74ef985-275d-5d14-97a3-e3085600aaa6" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500061006e00430061006600650020004d0061006e0061006700650072002000460069006c00650020004d006f006e00690074006f0072 } /* FileDescription PanCafeManagerFileMonitor */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]00500061006e002000590061007a0069006c0069006d002000420069006c006900730069006d002000540065006b006e006f006c006f006a0069006c0065007200690020005400690063002e0020004c00740064002e0020005300740069002e } /* CompanyName PanYazilimBilisimTeknolojileriTicLtdSti */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00500061006e004d006f006e0046006c0074002e007300790073 } /* InternalName PanMonFltsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500061006e00430061006600650020004d0061006e0061006700650072 } /* ProductName PanCafeManager */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00500061006e004d006f006e0046006c0074002e007300790073 } /* OriginalFilename PanMonFltsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200032003000310032002d0032003000310034002000500061006e002000590061007a0131006c0131006d002000420069006c006900730069006d002000540065006b006e006f006c006f006a0069006c0065007200690020005400690063002e0020004c00740064002e0020005300740069002e } /* LegalCopyright CopyrightcPanYazlmBilisimTeknolojileriTicLtdSti */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /PanMonFlt/i -} - - -rule PUA_VULN_Renamed_Driver_Lenovogrouplimitedr_Lenovodiagnosticsdriversys_Lenovodiagnostics_F05B { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - LenovoDiagnosticsDriver.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "f05b1ee9e2f6ab704b8919d5071becbce6f9d0f9d0ba32a460c41d5272134abe" - date = "2023-06-14" - 
score = 70 - id = "8613524c-6928-5d5a-9dd3-d067b93ac4b4" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c0065006e006f0076006f00200044006900610067006e006f00730074006900630073002000440072006900760065007200200066006f0072002000570069006e0064006f0077007300200031003000200061006e00640020006c0061007400650072002e } /* FileDescription LenovoDiagnosticsDriverforWindowsandlater */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004c0065006e006f0076006f002000470072006f007500700020004c0069006d00690074006500640020002800520029 } /* CompanyName LenovoGroupLimitedR */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0034002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0034002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004c0065006e006f0076006f0044006900610067006e006f00730074006900630073004400720069007600650072002e007300790073 } /* InternalName LenovoDiagnosticsDriversys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004c0065006e006f0076006f00200044006900610067006e006f00730074006900630073 } /* ProductName LenovoDiagnostics */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004c0065006e006f0076006f0044006900610067006e006f00730074006900630073004400720069007600650072002e007300790073 } /* OriginalFilename LenovoDiagnosticsDriversys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a9002000320030003200310020004c0065006e006f0076006f002000470072006f007500700020004c0069006d0069007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright LenovoGroupLimitedAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /LenovoDiagnosticsDriver/i -} - - -rule PUA_VULN_Renamed_Driver_Dell_Dbutil_71FE { - meta: - description = "Detects 
renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - DBUtilDrv2.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "71fe5af0f1564dc187eea8d59c0fbc897712afa07d18316d2080330ba17cf009" - date = "2023-06-14" - score = 70 - id = "ee5c03fc-8778-57ef-b300-2009bbf9208f" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00440042005500740069006c } /* FileDescription DBUtil */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00440065006c006c } /* CompanyName Dell */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0037002e0030002e0030 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00440042005500740069006c } /* ProductName DBUtil */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a900200032003000320031002000440065006c006c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e0020 } /* LegalCopyright DellIncAllRightsReserved */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /DBUtilDrv2/i -} - - -rule PUA_VULN_Renamed_Driver_Atszio_Atsziodriver_673B { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ATSZIO.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "673bcec3d53fab5efd6e3bac25ac9d6cc51f6bbdf8336e38aade2713dc1ae11b" - hash = "31d8fc6f5fb837d5eb29db828d13ba8ee11867d86a90b2c2483a578e1d0ec43a" - date = "2023-06-14" - score = 70 - id = "e4a1e60c-3b56-518b-ba68-798dd6d5fce6" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100540053005a0049004f0020004400720069007600650072 } /* FileDescription ATSZIODriver */ - $ = { 
00460069006c006500560065007200730069006f006e[1-8]0030002c00200032002c00200031002c00200032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0030002c00200032002c00200031002c00200032 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100540053005a0049004f } /* InternalName ATSZIO */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100540053005a0049004f0020004400720069007600650072 } /* ProductName ATSZIODriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100540053005a0049004f002e007300790073 } /* OriginalFilename ATSZIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030 } /* LegalCopyright CopyrightC */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ATSZIO/i -} - - -rule PUA_VULN_Renamed_Driver_Asus_Asmmapsys_Atkgenericfunctionservice_025E { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - asmmap64.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "025e7be9fcefd6a83f4471bba0c11f1c11bd5047047d26626da24ee9a419cdc4" - date = "2023-06-14" - score = 70 - id = "610c253b-de94-5ebd-af97-d0a6b1339d81" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0065006d006f007200790020006d0061007000700069006e00670020004400720069007600650072 } /* FileDescription MemorymappingDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005300550053 } /* CompanyName ASUS */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c00200030002c00200039002c00200031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200030002c00200039002c00200030 } /* ProductVersion */ - $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]00610073006d006d00610070002e007300790073 } /* InternalName asmmapsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410054004b002000470065006e0065007200690063002000460075006e006300740069006f006e00200053006500720076006900630065 } /* ProductName ATKGenericFunctionService */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00610073006d006d00610070002e007300790073 } /* OriginalFilename asmmapsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300039 } /* LegalCopyright CopyrightC */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /asmmap64/i -} - - -rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_FB81 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "fb81b5f8bf69637dbdf050181499088a67d24577587bc520de94b5ee8996240f" - hash = "76660e91f1ff3cb89630df5af4fe09de6098d09baa66b1a130c89c3c5edd5b22" - hash = "2e665962c827ce0adbd29fe6bcf09bbb1d7a7022075d162ff9b65d0af9794ac0" - date = "2023-06-14" - score = 70 - id = "922f318f-7f43-5844-8037-e40fcce7cb1a" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310031002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310031 } /* ProductVersion */ - 
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310033002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ - condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /nscm/i -} - - -rule PUA_VULN_Renamed_Driver_Realtek_Rtkiosys_Realtekiodriver_7133 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio64.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "7133a461aeb03b4d69d43f3d26cd1a9e3ee01694e97a0645a3d8aa1a44c39129" - date = "2023-06-14" - score = 70 - id = "b352e8e9-b15a-5969-966d-00462cd461f4" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300038002e0030003800320033002e00320030003100370020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300038002e0030003800320033002e0032003000310037 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* InternalName rtkiosys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f00200044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* OriginalFilename rtkiosys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100370020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /rtkio64/i -} - - -rule PUA_VULN_Renamed_Driver_Lgelectronicsinc_Lhasys_Microsoftwindowsoperatingsystem_23BA { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - LHA.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "23ba19352b1e71a965260bf4d5120f0200709ee8657ed381043bec9a938a1ade" - hash = "e75714f8e0ff45605f6fc7689a1a89c7dcd34aab66c6131c63fefaca584539cf" - date = "2023-06-14" - score = 70 - id = "dd239b64-e8dd-5850-9ec3-125245b6f0cd" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c00480041 } /* FileDescription LHA */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]004c004700200045006c0065006300740072006f006e00690063007300200049006e0063002e } /* CompanyName LGElectronicsInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004c00480041002e007300790073 } /* InternalName LHAsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d006900630072006f0073006f0066007400ae002000570069006e0064006f0077007300ae0020004f007000650072006100740069006e0067002000530079007300740065006d } /* ProductName MicrosoftWindowsOperatingSystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004c00480041002e007300790073 } /* OriginalFilename LHAsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0075006c00740072006100620069006f007300400068006f0074006d00610069006c002e0063006f006d } /* LegalCopyright ultrabioshotmailcom */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /LHA/i -} - - -rule PUA_VULN_Renamed_Driver_Logmeininc_Lmiinfosys_Logmein_453B { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - LMIinfo.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "453be8f63cc6b116e2049659e081d896491cf1a426e3d5f029f98146a3f44233" - date = "2023-06-14" - score = 70 - id = "ab17ebdd-3335-5868-a2b8-f6247cf7b778" - strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c006f0067004d00650049006e0020004b00650072006e0065006c00200049006e0066006f0072006d006100740069006f006e002000500072006f00760069006400650072 } /* FileDescription LogMeInKernelInformationProvider */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004c006f0067004d00650049006e002c00200049006e0063002e } /* CompanyName LogMeInInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310031002e0031002e0030002e0033003200320030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310031002e0031002e0030002e0033003200320030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004c004d00490069006e0066006f002e007300790073 } /* InternalName LMIinfosys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004c006f0067004d00650049006e } /* ProductName LogMeIn */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004c004d00490069006e0066006f002e007300790073 } /* OriginalFilename LMIinfosys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000300033002d00320030003100370020004c006f0067004d00650049006e002c00200049006e0063002e00200050006100740065006e00740065006400200061006e006400200070006100740065006e00740073002000700065006e00640069006e0067002e } /* LegalCopyright CopyrightLogMeInIncPatentedandpatentspending */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /LMIinfo/i -} - - -rule PUA_VULN_Renamed_Driver_Insydesoftwarecorp_Segwindrvxsys_Segwindowsdriverx_C628 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - segwindrvx64.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "c628cda1ef43defc00af45b79949675a8422490d32b080b3a8bb9434242bdbf2" - date = 
"2023-06-14" - score = 70 - id = "b347378c-88d1-52bb-8a30-a6558a4bc725" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* FileDescription SEGWindowsDriverx */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e } /* CompanyName InsydeSoftwareCorp */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]003100300030002c00200030002c00200037002c00200030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]003100300030002c00200030002c00200037002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* InternalName segwindrvxsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* ProductName SEGWindowsDriverx */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* OriginalFilename segwindrvxsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003100320020002d00200032003000310034002c00200049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightcInsydeSoftwareCorpAllRightsReserved */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /segwindrvx64/i -} - - -rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_2FBB { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE 
header - ElbyCDIO.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "2fbbc276737047cb9b3ba5396756d28c1737342d89dce1b64c23a9c4513ae445" - date = "2023-06-14" - score = 70 - id = "3582ec77-9fac-5e3a-9795-ac4429aeea01" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ElbyCDIO/i -} - - -rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_BCED { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from 
the PE header - procexp.Sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "bced04bdefad6a08c763265d6993f07aa2feb57d33ed057f162a947cf0e6668f" - date = "2023-06-14" - score = 70 - id = "40c14c2c-4e0b-5de6-a095-a6f68d9de2b2" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0039002e00330030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0039002e00330030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d002e002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000300035 } /* LegalCopyright CopyrightCMRussinovich */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /procexp/i -} - - -rule PUA_VULN_Renamed_Driver_Realtek_Rtkiowxsys_Realtekiodriver_082C { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkiow8x64.sys" - author = "Florian 
Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "082c39fe2e3217004206535e271ebd45c11eb072efde4cc9885b25ba5c39f91d" - date = "2023-06-14" - score = 70 - id = "ad49ce42-e771-5b2c-a292-670c60de11af" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300038002e0030003800320033002e0032003000310037 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300038002e0030003800320033002e0032003000310037 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00770038007800360034002e0073007900730020 } /* InternalName rtkiowxsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f00200044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00770038007800360034002e0073007900730020 } /* OriginalFilename rtkiowxsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100370020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* 
LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /rtkiow8x64/i -} - - -rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_D1F4 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "d1f4949f76d8ac9f2fa844d16b1b45fb1375d149d46e414e4a4c9424dc66c91f" - date = "2023-06-14" - score = 70 - id = "3435fbbb-b668-580e-a820-d65415d2daaa" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300033002e0031002e00320020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300033002e0031002e0032 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003500200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /iQVW64/i -} - - -rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_7CB4 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "7cb497abc44aad09a38160d6a071db499e05ff5871802ccc45d565d242026ee7" - date = "2023-06-14" - score = 70 - id = "2c802dbd-41c6-5651-ad49-ba034d725a49" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0033002e0032002e003100380020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0033002e0032002e00310038 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003900200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /iQVW64/i -} - - -rule PUA_VULN_Renamed_Driver_Safenetinc_Hostnt_Hostnt_07B6 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HOSTNT.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "07b6d69bafcfd767f1b63a490a8843c3bb1f8e1bbea56176109b5743c8f7d357" - date = "2023-06-14" - score = 70 - id = "a9a3ad7f-01cd-5e4f-964b-1ebd8faa1a92" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0048006f00730074006e0074002000360034002d0062006900740020006400720069007600650072 } /* FileDescription Hostntbitdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053006100660065004e00650074002c00200049006e0063002e } /* CompanyName SafeNetInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0034002c00200030002c002000310036002c00200030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002c00200030002c002000310036002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0048006f00730074006e0074 } /* InternalName Hostnt */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]0048006f00730074006e0074 } /* ProductName Hostnt */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0048006f00730074006e0074002e007300790073 } /* OriginalFilename Hostntsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000200053006100660065004e00650074002c00200049006e0063002e } /* LegalCopyright CopyrightCSafeNetInc */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /HOSTNT/i -} - - -rule PUA_VULN_Renamed_Driver_Rivetnetworksllc_Kfecodrvsys_Killertrafficcontrol_9A91 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - KfeCo11X64.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "9a91d6e83b8fdec536580f6617f10dfc64eedf14ead29a6a644eb154426622ba" - date = "2023-06-14" - score = 70 - id = "67859aea-01d4-5463-9f4c-f6b4db2a7c30" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b0069006c006c006500720020005400720061006600660069006300200043006f006e00740072006f006c002000430061006c006c006f007500740020004400720069007600650072 } /* FileDescription KillerTrafficControlCalloutDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200690076006500740020004e006500740077006f0072006b0073002c0020004c004c0043002e } /* CompanyName RivetNetworksLLC */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0039002e0038002e0034002e00350039 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0039002e0038002e0034002e00350039 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004b006600650043006f004400720076002e007300790073 } /* InternalName KfeCoDrvsys */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]004b0069006c006c006500720020005400720061006600660069006300200043006f006e00740072006f006c } /* ProductName KillerTrafficControl */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004b006600650043006f004400720076002e007300790073 } /* OriginalFilename KfeCoDrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310035002d00320030003100380020005200690076006500740020004e006500740077006f0072006b0073002c0020004c004c0043002e } /* LegalCopyright CopyrightCRivetNetworksLLC */ - condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /KfeCo11X64/i -} - - -rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_7CB5 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "7cb594af6a3655daebc9fad9c8abf2417b00ba31dcd118707824e5316fc0cc21" - date = "2023-06-14" - score = 70 - id = "4a43c176-9f5b-56c0-8655-0b90f862ec6e" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } /* CompanyName ZemanaLtd */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0030002e0030002e003000300030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0030002e0030002e003000300030 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* 
LegalCopyright ZemanaLtdAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /zam64/i -} - - -rule PUA_VULN_Renamed_Driver_Asrockincorporation_Asrautochkupddrvsys_Asrautochkupddrvdriver_2AA1 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AsrAutoChkUpdDrv.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "2aa1b08f47fbb1e2bd2e4a492f5d616968e703e1359a921f62b38b8e4662f0c4" - date = "2023-06-14" - score = 70 - id = "718285a7-b151-5ccd-8dcf-9edac9db7d61" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100730072004100750074006f00430068006b0055007000640044007200760020004400720069007600650072 } /* FileDescription AsrAutoChkUpdDrvDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530052006f0063006b00200049006e0063006f00720070006f0072006100740069006f006e } /* CompanyName ASRockIncorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030002e00300030002e00300030003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030002e00300030002e0030003000300030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100730072004100750074006f00430068006b005500700064004400720076002e007300790073 } /* InternalName AsrAutoChkUpdDrvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100730072004100750074006f00430068006b0055007000640044007200760020004400720069007600650072 } /* ProductName AsrAutoChkUpdDrvDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100730072004100750074006f00430068006b005500700064004400720076002e007300790073 } /* OriginalFilename AsrAutoChkUpdDrvsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100320020004100530052006f0063006b00200049006e0063006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCASRockIncorporation */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /AsrAutoChkUpdDrv/i -} - - -rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_97B3 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "97b32ddf83f75637e3ba934df117081dd6a1c57d47a4c9700d35e736da11d5bd" - hash = "89108a15f009b285db4ef94250b889d5b11b96b4aa7b190784a6d1396e893e10" - date = "2023-06-14" - score = 70 - id = "2c22997e-aaa3-5a23-83bb-0f4be8da3837" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00350030002e0030002e0031003000370030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00350030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - 
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000320020002d002000320030003100320020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /TmComm/i -} - - -rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_2899 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "28999af32b55ddb7dcfc26376a244aa2fe297233ce7abe4919a1aef2f7e2cee7" - hash = "ce23c2dae4cca4771ea50ec737093dfafac06c64db0f924a1ccbbf687e33f5a2" - date = "2023-06-14" - score = 70 - id = "7d961433-d8f7-526b-b5f1-29d896f39a5f" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000300038002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nscm/i -} - - -rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_818E { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "818e396595d08d724666803cd29dac566dc7db23bf50e9919d04b33afa988c01" - date = "2023-06-14" - score = 70 - id = "3851c445-23c0-59a1-85e9-a32758a73bd8" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e00330030002e0030002e0031003000370038 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00330030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100370020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 500KB and all of them and not filename matches /TmComm/i -} - - -rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_6FFD { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "6ffdde6bc6784c13c601442e47157062941c47015891e7139c2aaba676ab59cc" - date = "2023-06-14" - score = 70 - id = "7523cea1-54f0-5328-90ec-e5170c5cfe01" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c00650020004e006f00540072006100700020004200750069006c0064 } /* FileDescription TrendMicroCommonModuleNoTrapBuild */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0030002e0030002e0031003100300034 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ - $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300035002d00320030003100310020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /TmComm/i -} - - -rule PUA_VULN_Renamed_Driver_Cpuid_Cpuzsys_Cpuidservice_7710 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "771015b2620942919bb2e0683476635b7a09db55216d6fbf03534cb18513b20c" - hash = "8d57e416ea4bb855b78a2ff3c80de1dfbb5dc5ee9bfbdddb23e46bd8619287e2" - hash = "900dd68ccc72d73774a347b3290c4b6153ae496a81de722ebb043e2e99496f88" - hash = "f74ffd6916333662900cbecb90aca2d6475a714ce410adf9c5c3264abbe5732c" - date = "2023-06-14" - score = 70 - id = "3e19f0b1-a1ce-5f2e-a26d-1c7ff8e82f16" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion 
*/ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310035002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /cpuz/i -} - - -rule PUA_VULN_Renamed_Driver_Windowsrserverddkprovider_Speedfansys_Windowsrserverddkdriver_22BE { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - speedfan.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "22be050955347661685a4343c51f11c7811674e030386d2264cd12ecbf544b7c" - date = "2023-06-14" - score = 70 - id = "86dedef9-d4dc-5c62-b03c-502c0f80ae57" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053007000650065006400460061006e00200044006500760069006300650020004400720069007600650072 } /* FileDescription SpeedFanDeviceDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRServerDDKprovider */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e0030 } /* 
ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0073007000650065006400660061006e002e007300790073 } /* InternalName speedfansys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b0020006400720069007600650072 } /* ProductName WindowsRServerDDKdriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0073007000650065006400660061006e002e007300790073 } /* OriginalFilename speedfansys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /speedfan/i -} - - -rule PUA_VULN_Renamed_Driver_Openlibsysorg_Openlibsyssys_Openlibsys_9131 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - OpenLibSys.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "91314768da140999e682d2a290d48b78bb25a35525ea12c1b1f9634d14602b2c" - date = "2023-06-14" - score = 70 - id = "bcdf7111-a4ee-5603-b42e-b1acbaf80d69" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004f00700065006e004c00690062005300790073 } /* FileDescription OpenLibSys */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004f00700065006e004c00690062005300790073002e006f00720067 } /* CompanyName OpenLibSysorg */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0032 } /* ProductVersion */ - $ 
= { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004f00700065006e004c00690062005300790073002e007300790073 } /* InternalName OpenLibSyssys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004f00700065006e004c00690062005300790073 } /* ProductName OpenLibSys */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004f00700065006e004c00690062005300790073002e007300790073 } /* OriginalFilename OpenLibSyssys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000370020004f00700065006e004c00690062005300790073002e006f00720067 } /* LegalCopyright CopyrightCOpenLibSysorg */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /OpenLibSys/i -} - - -rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_E4EC { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "e4eca7db365929ff7c5c785e2eab04ef8ec67ea9edcf7392f2b74eccd9449148" - date = "2023-06-14" - score = 70 - id = "0434de42-0da2-5e6c-9c07-e742e53b5c98" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c002000330038002c00200030002c00200030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c002000330038002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* 
InternalName viragtsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* OriginalFilename viragtsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000300036002c002000320030003100310020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /viragt64/i -} - - -rule PUA_VULN_Renamed_Driver_Asustekcomputerinc_Atsziosys_Atsziodriver_FB6B { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ATSZIO.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "fb6b0d304433bf88cc7d57728683dbb4b9833459dc33528918ead09b3907ff22" - date = "2023-06-14" - score = 70 - id = "ec649ec9-8a01-5665-b18f-eabb5da7c6ea" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100540053005a0049004f0020004400720069007600650072 } /* FileDescription ATSZIODriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530055005300540065006b00200043006f006d0070007500740065007200200049006e0063002e } /* CompanyName ASUSTekComputerInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0030002e0032002e0032002e0033 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0030002e0032002e0032002e0033 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100540053005a0049004f002e007300790073 } /* InternalName ATSZIOsys */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]004100540053005a0049004f0020004400720069007600650072 } /* ProductName ATSZIODriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100540053005a0049004f002e007300790073 } /* OriginalFilename ATSZIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310032 } /* LegalCopyright CopyrightC */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ATSZIO/i -} - - -rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_075D { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "075de997497262a9d105afeadaaefc6348b25ce0e0126505c24aa9396c251e85" - hash = "cdfbe62ef515546f1728189260d0bdf77167063b6dbb77f1db6ed8b61145a2bc" - date = "2023-06-14" - score = 70 - id = "ebf21994-6431-57ba-9c7f-d768cbf7eb33" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310036002e00330032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310036002e00330032 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d00610072006b002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000320030 } /* LegalCopyright CopyrightCMarkRussinovich */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /procexp/i -} - - -rule PUA_VULN_Renamed_Driver_Micsystechnologycoltd_Msiosys_Msiodriverversion_X_AE42 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - MsIo64.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "ae42afa9be9aa6f6a5ae09fa9c05cd2dfb7861dc72d4fd8e0130e5843756c471" - hash = "d636c011b8b2896572f5de260eb997182cc6955449b044a739bd19cbe6fdabd2" - hash = "0f035948848432bc243704041739e49b528f35c82a5be922d9e3b8a4c44398ff" - date = "2023-06-14" - score = 70 - id = "2f1a0973-929d-506e-b344-ce9d37c8eaf5" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0049004300530059005300200049004f0020006400720069007600650072 } /* FileDescription MICSYSIOdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d0049004300530059005300200054006500630068006e006f006c006f0067007900200043006f002e002c0020004c00540064 } /* CompanyName MICSYSTechnologyCoLTd */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003300200078003600340020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion xbuiltbyWinDDK */ - $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00330020007800360034 } /* ProductVersion x */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004d00730049006f00360034002e007300790073 } /* InternalName MsIosys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d00730049006f003600340020004400720069007600650072002000560065007200730069006f006e00200031002e0033 } /* ProductName MsIoDriverVersion */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004d00730049006f00360034002e007300790073 } /* OriginalFilename MsIosys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003200310020004d00490043005300590053 } /* LegalCopyright CopyrightcMICSYS */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /MsIo64/i -} - - -rule PUA_VULN_Renamed_Driver_Vektortsecurityservice_Vboxdrv_Antidetectpublic_3724 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxDrv.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "3724b39e97936bb20ada51c6119aded04530ed86f6b8d6b45fbfb2f3b9a4114b" - date = "2023-06-14" - score = 70 - id = "f5ff0000-66e2-5f32-87b2-f66481c904b4" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00560065006b0074006f0072002000540031003300200053006500630075007200690074007900200053006500720076006900630065 } /* CompanyName VektorTSecurityService */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0034002e0032002e003100310039003200330030 } /* FileVersion */ - $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0034002e0032002e003100310039003200330030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078004400720076 } /* InternalName VBoxDrv */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041006e00740069006400650074006500630074002000320030003100390020005000750062006c00690063 } /* ProductName AntidetectPublic */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078004400720076002e007300790073 } /* OriginalFilename VBoxDrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300039002d00320030003100390020004f007200610063006c006500200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCOracleCorporation */ - condition: - uint16(0) == 0x5a4d and filesize < 400KB and all of them and not filename matches /VBoxDrv/i -} - - -rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_2380 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "238046cfe126a1f8ab96d8b62f6aa5ec97bab830e2bae5b1b6ab2d31894c79e4" - date = "2023-06-14" - score = 70 - id = "bcfba84e-b503-5dd7-b64d-85fcda1c559f" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200033002c00200032 } /* FileVersion */ - $ 
= { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003900200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ElbyCDIO/i -} - - -rule PUA_VULN_Renamed_Driver_Msi_Ntiolibxsys_Ntiolibx_1E8B { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "1e8b0c1966e566a523d652e00f7727d8b0663f1dfdce3b9a09b9adfaef48d8ee" - hash = "5d530e111400785d183057113d70623e17af32931668ab7c7fc826f0fd4f91a3" - date = "2023-06-14" - score = 70 - id = "45887d8b-facf-5053-bc58-16bd214a24f1" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062005f005800360034 } /* FileDescription NTIOLibX */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* ProductVersion */ - $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062005f005800360034002e007300790073 } /* InternalName NTIOLibXsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062005f005800360034 } /* ProductName NTIOLibX */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062005f005800360034002e007300790073 } /* OriginalFilename NTIOLibXsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100340020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /NTIOLib/i -} - - -rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_6BFC { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "6bfc0f425de9f4e7480aa2d1f2e08892d0553ed0df1c31e9bf3d8d702f38fa2e" - hash = "3c7e5b25a33a7805c999d318a9523fcae46695a89f55bbdb8bb9087360323dfc" - hash = "46621554728bc55438c7c241137af401250f062edef6e7efecf1a6f0f6d0c1f7" - date = "2023-06-14" - score = 70 - id = "1078dda3-be3d-57d2-becf-dbe54943e48b" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */ - $ = { 
00460069006c006500560065007200730069006f006e[1-8]00310035002e00300030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310035002e00300030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d002e002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000310031 } /* LegalCopyright CopyrightCMRussinovich */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /procexp/i -} - - -rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_7A48 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "7a48f92a9c2d95a72e18055cac28c1e7e6cad5f47aa735cbea5c3b82813ccfaf" - date = "2023-06-14" - score = 70 - id = "54bb3bce-fafa-519c-a701-2857ba3b8a97" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */ - $ = { 
00460069006c006500560065007200730069006f006e[1-8]00310036002e00340031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310036002e00340031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d00610072006b002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000320031 } /* LegalCopyright CopyrightCMarkRussinovich */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /procexp/i -} - - -rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_45F4 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "45f42c5d874369d6be270ea27a5511efcca512aeac7977f83a51b7c4dee6b5ef" - date = "2023-06-14" - score = 70 - id = "239d02c6-0f72-5ce8-833c-62b7e8e371e8" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } /* CompanyName ZemanaLtd */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00320030002e003800360035 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /zam64/i -} - - -rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_4D05 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "4d0580c20c1ba74cf90d44c82d040f0039542eea96e4bbff3996e6760f457cee" - hash = "77c5e95b872b1d815d6d3ed28b399ca39f3427eeb0143f49982120ff732285a9" - hash = "cff9aa9046bdfd781d34f607d901a431a51bb7e5f48f4f681cc743b2cdedc98c" - hash = "b51ddcf8309c80384986dda9b11bf7856b030e3e885b0856efdb9e84064917e5" - hash = "ff115cefe624b6ca0b3878a86f6f8b352d1915b65fbbdc33ae15530a96ebdaa7" - hash = "a566af57d88f37fa033e64b1d8abbd3ffdacaba260475fbbc8dab846a824eff5" - hash = "57a389da784269bb2cc0a258500f6dfbf4f6269276e1192619ce439ec77f4572" - hash = "d74755311d127d0eb7454e56babc2db8dbaa814bc4ba8e2a7754d3e0224778e1" - date = "2023-06-14" - score = 70 - id = "081a636c-c65c-500e-9eee-7da4347f658a" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300033002e0030002e00340020006200750069006c0074002000620079003a002000570069006e00440044004b } /* 
FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300033002e0030002e0034 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300030003600200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /iQVW64/i -} - - -rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_86A1 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "86a1b1bacc0c51332c9979e6aad84b5fba335df6b9a096ccb7681ab0779a8882" - date = "2023-06-14" - score = 70 - id = "1e317c82-53b6-5ab2-9298-1dd046f6fd65" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ - $ = { 
00460069006c006500560065007200730069006f006e[1-8]00310038002e0038002e0034003000350037002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0038002e0034003000350037002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003800200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ - condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i -} - - -rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Aegis_61BE { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "61befeef14783eb0fed679fca179d2f5c33eb2dcbd40980669ca2ebeb3bf11cf" - date = "2023-06-14" - score = 70 - id = "94cea41e-38ce-5786-b483-91778b9d1b23" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 
00460069006c006500560065007200730069006f006e[1-8]0032002e0035002e0030002e0031003100300036 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410045004700490053 } /* ProductName AEGIS */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300035002d00320030003000380020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /TmComm/i -} - - -rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_BE8D { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "be8dd2d39a527649e34dc77ef8bc07193a4234b38597b8f51e519dadc5479ec2" - date = "2023-06-14" - score = 70 - id = "f54f0567-711e-5cfd-bc81-34854e8c6cb2" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ - $ = { 
00460069006c006500560065007200730069006f006e[1-8]00310038002e0034002e0033003800390031002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0034002e0033003800390031002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003800200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ - condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i -} - - -rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_3070 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "30706f110725199e338e9cc1c940d9a644d19a14f0eb8847712cba4cacda67ab" - date = "2023-06-14" - score = 70 - id = "eaed99a4-a035-5f0a-bcbe-8f0e2953da40" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0053004900200043006f006d00430065006e00530065007200760069006300650020004400720069007600650072 } /* FileDescription MSIComCenServiceDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ - 
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100330020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /NTIOLib/i -} - - -rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_CC58 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "cc586254e9e89e88334adee44e332166119307e79c2f18f6c2ab90ce8ba7fc9b" - date = "2023-06-14" - score = 70 - id = "9cd3e34b-90ba-5e52-b049-966a7dceed9d" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* FileDescription NTIOLib */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys 
*/ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062005f005800360034002e007300790073 } /* OriginalFilename NTIOLibXsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100350020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /NTIOLib/i -} - - -rule PUA_VULN_Renamed_Driver_Windowsrcodenamelonghornddkprovider_Rtkiosys_Windowsrcodenamelonghornddkdriver_916C { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio64.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "916c535957a3b8cbf3336b63b2260ea4055163a9e6b214f2a7005d6d36a4a677" - hash = "caa85c44eb511377ea7426ff10df00a701c07ffb384eef8287636a4bca0b53ab" - hash = "478917514be37b32d5ccf76e4009f6f952f39f5553953544f1b0688befd95e82" - date = "2023-06-14" - score = 70 - id = "a3e882e8-d5ae-5b62-b95c-5132299e1682" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f004400720069007600650072 } /* FileDescription RealtekIODriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRCodenameLonghornDDKprovider */ - $ = { 
00460069006c006500560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e003100360033003800360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e00310036003300380036 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f002e007300790073 } /* InternalName rtkiosys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b0020006400720069007600650072 } /* ProductName WindowsRCodenameLonghornDDKdriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f002e007300790073 } /* OriginalFilename rtkiosys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /rtkio64/i -} - - -rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_E4D9 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "e4d9f037411284e996a002b15b49bc227d085ee869ae1cd91ba54ff7c244f036" - date = "2023-06-14" - score = 70 - id = "af95748b-1c9d-5065-9a12-2a9826a4f245" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* 
FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00350030002e0030002e0031003000350038 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00350030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100350020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /TmComm/i -} - - -rule PUA_VULN_Renamed_Driver_Windowsrwinddkprovider_Cupfixerxsys_Windowsrwinddkdriver_8C74 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - CupFixerx64.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "8c748ae5dcc10614cc134064c99367d28f3131d1f1dda0c9c29e99279dc1bdd9" - date = "2023-06-14" - score = 70 - id = "57d993b7-ce28-5f14-872a-71bbb4f79d2e" - strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530069006e0063006500790020004300750070002000460069007800650072 } /* FileDescription SinceyCupFixer */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00330032002e0030002e00310030003000310031002e00310033003300330037 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00330032002e0030002e00310030003000310031002e00310033003300330037 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00430075007000460069007800650072007800360034002e007300790073 } /* InternalName CupFixerxsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b0020006400720069007600650072 } /* ProductName WindowsRWinDDKdriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00430075007000460069007800650072007800360034002e007300790073 } /* OriginalFilename CupFixerxsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /CupFixerx64/i -} - - -rule PUA_VULN_Renamed_Driver_Asustekcomputerinc_Eiosys_Asusvgakernelmodedriver_B175 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - EIO.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = 
"b17507a3246020fa0052a172485d7b3567e0161747927f2edf27c40e310852e0" - date = "2023-06-14" - score = 70 - id = "e7e44244-24cc-556d-9a3c-d797535979a5" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100530055005300200056004700410020004b00650072006e0065006c0020004d006f006400650020004400720069007600650072 } /* FileDescription ASUSVGAKernelModeDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530055005300540065004b00200043006f006d0070007500740065007200200049006e0063002e } /* CompanyName ASUSTeKComputerInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00390036 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00390036 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00450049004f002e007300790073 } /* InternalName EIOsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100530055005300200056004700410020004b00650072006e0065006c0020004d006f006400650020004400720069007600650072 } /* ProductName ASUSVGAKernelModeDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00450049004f002e007300790073 } /* OriginalFilename EIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000320030003000370020004100530055005300540065004b00200043006f006d0070007500740065007200200049006e0063002e } /* LegalCopyright CopyrightASUSTeKComputerInc */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /EIO/i -} - - -rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_2AFD { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = 
"2afdb3278a7b57466a103024aef9ff7f41c73a19bab843a8ebf3d3c4d4e82b30" - date = "2023-06-14" - score = 70 - id = "7a7404ea-d835-5d65-9c8e-1f694d9458fe" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00370030002e0030002e0031003000390038 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00370030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100360020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 400KB and all of them and not filename matches /TmComm/i -} - - -rule PUA_VULN_Renamed_Driver_Asustekcomputerinc_Iomapsys_Asuskernelmodedriverfornt_EA85 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - IOMap64.sys" - author = "Florian Roth" - 
reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "ea85bbe63d6f66f7efee7007e770af820d57f914c7f179c5fee3ef2845f19c41" - date = "2023-06-14" - score = 70 - id = "029b7abb-cea8-5713-b220-476d2b2fc30e" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410053005500530020004b00650072006e0065006c0020004d006f00640065002000440072006900760065007200200066006f00720020004e00540020 } /* FileDescription ASUSKernelModeDriverforNT */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530055005300540065004b00200043006f006d0070007500740065007200200049006e0063002e } /* CompanyName ASUSTeKComputerInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0049004f004d00610070002e007300790073 } /* InternalName IOMapsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410053005500530020004b00650072006e0065006c0020004d006f00640065002000440072006900760065007200200066006f00720020004e00540020 } /* ProductName ASUSKernelModeDriverforNT */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0049004f004d00610070002e007300790073 } /* OriginalFilename IOMapsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000320030003100300020004100530055005300540065004b00200043006f006d0070007500740065007200200049006e0063002e } /* LegalCopyright CopyrightASUSTeKComputerInc */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /IOMap64/i -} - - -rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_E05E { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt.sys" - author = "Florian Roth" - 
reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "e05eeb2b8c18ad2cb2d1038c043d770a0d51b96b748bc34be3e7fc6f3790ce53" - date = "2023-06-14" - score = 70 - id = "e61c9ebc-6ec1-5302-934b-f023601a34d8" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c002000370032002c00200030002c00200030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c002000370032002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* OriginalFilename viragtsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000300036002c002000320030003100330020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /viragt/i -} - - -rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_E452 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" - author = 
"Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "e4522e2cfa0b1f5d258a3cf85b87681d6969e0572f668024c465d635c236b5d9" - date = "2023-06-14" - score = 70 - id = "2e64bafa-9707-53f1-981c-ce1e863a8cfc" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0032002e0033003800320037002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0032002e0033003800320037002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310038002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ - condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i -} - - -rule PUA_VULN_Renamed_Driver_Marvintestsolutionsinc_Hwsys_Hw_5596 { - meta: - description = "Detects renamed vulnerable 
driver mentioned in LOLDrivers project using VersionInfo values from the PE header - hw.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "55963284bbd5a3297f39f12f0d8a01ed99fe59d008561e3537bcd4db4b4268fa" - hash = "4880f40f2e557cff38100620b9aa1a3a753cb693af16cd3d95841583edcb57a8" - date = "2023-06-14" - score = 70 - id = "e53b6cb1-981b-5639-8186-5b1a96bdb9b0" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570020002d002000570069006e0064006f007700730020004e0054002d003100300020002800330032002f00360034002000620069007400290020006b00650072006e0065006c0020006d006f00640065002000640072006900760065007200200066006f007200200050004300200070006f007200740073002f006d0065006d006f00720079002f0050004300490020006100630063006500730073 } /* FileDescription HWWindowsNTbitkernelmodedriverforPCportsmemoryPCIaccess */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d0061007200760069006e0020005400650073007400200053006f006c007500740069006f006e0073002c00200049006e0063002e } /* CompanyName MarvinTestSolutionsInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0034002e0039002e0038002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002e0039002e0038002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00480077002e007300790073 } /* InternalName Hwsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00480057 } /* ProductName HW */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00480057002e007300790073 } /* OriginalFilename HWsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200031003900390036002d00320030003200310020004d0061007200760069006e0020005400650073007400200053006f006c007500740069006f006e0073002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightMarvinTestSolutionsIncAllRightsReserved */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /hw/i -} - - -rule PUA_VULN_Renamed_Driver_Mydriverscom_Hwm_Drivergenius_08EB { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mydrivers.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "08eb2d2aa25c5f0af4e72a7e0126735536f6c2c05e9c7437282171afe5e322c6" - date = "2023-06-14" - score = 70 - id = "64fe7b58-75a4-5a83-a621-c77c63d6ca1c" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00440072006900760065007200470065006e0069007500730020004800610072006400770061007200650020006d006f006e00690074006f0072 } /* FileDescription DriverGeniusHardwaremonitor */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00790044007200690076006500720073002e0063006f006d } /* CompanyName MyDriverscom */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0039002e0032002e003700300037002e0031003200310034 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032003000310036002e0037002e0037002e0031003200310034 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00480057004d } /* InternalName HWM */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00440072006900760065007200470065006e006900750073 } /* ProductName DriverGenius */ - $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d00790064007200690076006500720073002e007300790073 } /* OriginalFilename mydriverssys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020004d00790044007200690076006500720073002e0063006f006d00200061006c006c002000720069006700680074 } /* LegalCopyright CopyrightMyDriverscomallright */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /mydrivers/i -} - - -rule PUA_VULN_Renamed_Driver_Sisoftware_Sandra_Sisoftwaresandra_3E27 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SANDRA" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "3e274df646f191d2705c0beaa35eeea84808593c3b333809f13632782e27ad75" - date = "2023-06-14" - score = 70 - id = "aa83d18f-662b-573d-873a-a88179982b9e" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003600340020007800360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300690053006f006600740077006100720065 } /* CompanyName SiSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0037002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0037002e0031002e0031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530041004e004400520041 } /* InternalName SANDRA */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300690053006f006600740077006100720065002000530061006e006400720061 } /* ProductName 
SiSoftwareSandra */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530041004e004400520041 } /* OriginalFilename SANDRA */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d0032003000300037002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightSiSoftwareLtdAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /SANDRA/i -} - - -rule PUA_VULN_Renamed_Driver_Powertool_Kevpsys_Powertool_8E63 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - kEvP64.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "8e6363a6393eb4234667c6f614b2072e33512866b3204f8395bbe01530d63f2f" - hash = "09b0e07af8b17db1d896b78da4dd3f55db76738ee1f4ced083a97d737334a184" - hash = "1aaa9aef39cb3c0a854ecb4ca7d3b213458f302025e0ec5bfbdef973cca9111c" - date = "2023-06-14" - score = 70 - id = "d967bff5-7db8-587b-9422-a43280230261" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0050006f0077006500720054006f006f006c } /* FileDescription PowerTool */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0050006f0077006500720054006f006f006c } /* CompanyName PowerTool */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0031002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0031002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006b00450076005000360034002e007300790073 } /* InternalName kEvPsys */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]0050006f0077006500720054006f006f006c } /* ProductName PowerTool */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006b00450076005000360034002e007300790073 } /* OriginalFilename kEvPsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0050006f0077006500720054006f006f006c } /* LegalCopyright PowerTool */ - condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /kEvP64/i -} - - -rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpot_Avastantivirus_3B6E { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "3b6e85c8fed9e39b21b2eab0b69bc464272b2c92961510c36e2e2df7aa39861b" - date = "2023-06-14" - score = 70 - id = "7fbdb3fe-4655-5656-babb-d99a3ff0c00f" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0037002e003100310033002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0037002e003100310033002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ - $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300032003000200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ - condition: - uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i -} - - -rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_7C73 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "7c731c0ea7f28671ab7787800db69739ea5cd6be16ea21045b4580cf95cbf73b" - hash = "fca10cde7d331b7f614118682d834d46125a65888e97bd9fda2df3f15797166c" - date = "2023-06-14" - score = 70 - id = "cc96821c-2dbb-5205-9aa4-55fb8cbe12b5" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00370030002e0030002e0031003100320039 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00370030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName 
TrendMicroEyes */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003200300020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 400KB and all of them and not filename matches /TmComm/i -} - - -rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_1A42 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "1a42ebde59e8f63804eaa404f79ee93a16bb33d27fb158c6bfbe6143226899a0" - date = "2023-06-14" - score = 70 - id = "6c116541-9615-5ede-ad94-7879306eee68" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0033002e0034003200330039002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0033002e0034003200330039002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003900200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ - condition: - uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i -} - - -rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_EC5F { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "ec5fac0b6bb267a2bd10fc80c8cca6718439d56e82e053d3ff799ce5f3475db5" - date = "2023-06-14" - score = 70 - id = "db63af64-4b16-5873-b2ba-792f3d8cdbc7" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00370030002e0030002e0031003000370038 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00370030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100350020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 400KB and all of them and not filename matches /TmComm/i -} - - -rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_34E0 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "34e0364a4952d914f23f271d36e11161fb6bb7b64aea22ff965a967825a4a4bf" - date = "2023-06-14" - score = 70 - id = "ff70dd78-039c-53db-8692-5a34d2d0b82a" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0035002e00390036002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0035002e00390036002e0030 } /* ProductVersion */ - $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000320030002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ - condition: - uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i -} - - -rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_D0BD { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "d0bd1ae72aeb5f3eabf1531a635f990e5eaae7fdd560342f915f723766c80889" - date = "2023-06-14" - score = 70 - id = "9bf0e4e6-84e3-58ae-8a53-caa45cf7cf1d" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* FileDescription NTIOLib */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e00300031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e00300031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* 
InternalName NTIOLibsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100360020004d006900630072006f002d005300740061007200200049004e00540027004c00200043004f002e002c0020004c00540044002e } /* LegalCopyright CopyrightCMicroStarINTLCOLTD */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /NTIOLib/i -} - - -rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_3C18 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "3c18ae965fba56d09a65770b4d8da54ccd7801f979d3ebd283397bc99646004b" - date = "2023-06-14" - score = 70 - id = "ac00f0ae-fb0b-50e4-91f4-ea2f46bdb27b" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } /* CompanyName ZemanaLtd */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00310036002e003900320038 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /zam64/i -} - - 
-rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_2B4C { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "2b4c7d3820fe08400a7791e2556132b902a9bbadc1942de57077ecb9d21bf47a" - date = "2023-06-14" - score = 70 - id = "76145e28-0c1d-5916-b966-0ce7dcad8a90" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c002000370034002c00200030002c00200030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c002000370034002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* OriginalFilename viragtsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000300036002c002000320030003100330020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /viragt64/i -} - - -rule 
PUA_VULN_Renamed_Driver_Dtresearchinc_Iomemsys_Iomemsys_3D23 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iomem64.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "3d23bdbaf9905259d858df5bf991eb23d2dc9f4ecda7f9f77839691acef1b8c4" - date = "2023-06-14" - score = 70 - id = "fae3ff35-0e7c-542f-85c1-8fecca9078f3" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0044005400520020004b00650072006e0065006c0020006d006f006400650020006400720069007600650072 } /* FileDescription DTRKernelmodedriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00440054002000520065007300650061007200630068002c00200049006e0063002e } /* CompanyName DTResearchInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0033002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0033002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0069006f006d0065006d002e007300790073 } /* InternalName iomemsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0069006f006d0065006d002e007300790073 } /* ProductName iomemsys */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0069006f006d0065006d002e007300790073 } /* OriginalFilename iomemsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0044005400200052006500730065006100720063006800200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright DTResearchIncAllRightsReserved */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /iomem64/i -} - - -rule PUA_VULN_Renamed_Driver_Sisoftware_Sandra_Sisoftwaresandra_496F { - meta: - description = "Detects renamed vulnerable driver mentioned in 
LOLDrivers project using VersionInfo values from the PE header - SANDRA" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "496f4a4021226fb0f1b5f71a7634c84114c29faa308746a12c2414adb6b2a40b" - date = "2023-06-14" - score = 70 - id = "71498e5d-a30f-5501-a45f-3c01f1dac039" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003600340020007800360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300690053006f006600740077006100720065 } /* CompanyName SiSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0035002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0035002e0031002e0031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530041004e004400520041 } /* InternalName SANDRA */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300690053006f006600740077006100720065002000530061006e006400720061 } /* ProductName SiSoftwareSandra */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530041004e004400520041 } /* OriginalFilename SANDRA */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d0032003000300036002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightSiSoftwareLtdAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /SANDRA/i -} - - -rule 
PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_1B00 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "1b00d6e5d40b1b84ca63da0e99246574cdd2a533122bc83746f06c0d66e63a6e" - hash = "51e91dd108d974ae809e5fc23f6fbd16e13f672f86aa594dae4a5c4bc629b0b5" - date = "2023-06-14" - score = 70 - id = "0c8db0c4-24fa-5a66-b60d-f121a535f14a" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310032002e00300030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310032002e00300030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d002e002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000310030 } /* LegalCopyright CopyrightCMRussinovich */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of 
them and not filename matches /procexp/i -} - - -rule PUA_VULN_Renamed_Driver_Multitheftauto_Mtasanandreas_9F4C { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - FairplayKD.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "9f4ce6ab5e8d44f355426d9a6ab79833709f39b300733b5b251a0766e895e0e5" - date = "2023-06-14" - score = 70 - id = "5f75950b-3802-55d5-ad51-37ab9c31d5e4" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0075006c007400690020005400680065006600740020004100750074006f0020007000610074006300680020006400720069007600650072 } /* FileDescription MultiTheftAutopatchdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d0075006c007400690020005400680065006600740020004100750074006f } /* CompanyName MultiTheftAuto */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]003300360037002e0033003200360039002e00360031002e00360034 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]003300360037002e0033003200360039002e00360031002e00360034 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d00540041002000530061006e00200041006e00640072006500610073 } /* ProductName MTASanAndreas */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]002800430029002000320030003000330020002d002000320030003100370020004d0075006c007400690020005400680065006600740020004100750074006f } /* LegalCopyright CMultiTheftAuto */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /FairplayKD/i -} - - -rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_2732 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" - author = "Florian Roth" - reference = 
"https://github.com/magicsword-io/LOLDrivers" - hash = "2732050a7d836ae0bdc5c0aea4cdf8ce205618c3e7f613b8139c176e86476d0c" - date = "2023-06-14" - score = 70 - id = "be9dd90a-22ec-5981-8f8e-16cfd2b9b824" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0031002e0034003100330032002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0031002e0034003100330032002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003800200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ - condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i -} - - -rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_EF6D { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = 
"ef6d3c00f9d0aa31a218094480299ef73fc85146adf62fd0c2f4f88972c5c850" - date = "2023-06-14" - score = 70 - id = "0648fea6-a29e-5cc4-bdf9-e74966dbeb71" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c002000380030002c00200030002c00200030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c002000380030002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* OriginalFilename viragtsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000300036002c002000320030003100360020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */ - condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /viragt64/i -} - - -rule PUA_VULN_Renamed_Driver_Microfocus_Microfocusxtier_95D5 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = 
"95d50c69cdbf10c9c9d61e64fe864ac91e6f6caa637d128eb20e1d3510e776d3" - date = "2023-06-14" - score = 70 - id = "8e5947fc-33c2-53c4-b9cb-548373df35dc" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0058005400690065007200200043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription XTierCOMServicesDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d006900630072006f00200046006f006300750073 } /* CompanyName MicroFocus */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310032002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310032 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d006900630072006f00200046006f006300750073002000580054006900650072 } /* ProductName MicroFocusXTier */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310037002c0020004d006900630072006f00200046006f006300750073002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightMicroFocusAllRightsReserved */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /libnicm/i -} - - -rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_E3EF { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "e3eff841ea0f2786e5e0fed2744c0829719ad711fc9258eeaf81ed65a52a8918" - date = "2023-06-14" - score = 70 - id = 
"d5efbb84-070c-5caa-92c0-d320088d2e73" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e0030002e0030002e0031003100300031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100360020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 500KB and all of them and not filename matches /TmComm/i -} - - -rule PUA_VULN_Renamed_Driver_Arthurliberman_Alsysiosys_Alsysio_7F37 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ALSysIO64.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "7f375639a0df7fe51e5518cf87c3f513c55bc117db47d28da8c615642eb18bfa" 
- date = "2023-06-14" - score = 70 - id = "323095b4-4fee-5c73-99f1-fe1142889cea" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004c0053007900730049004f } /* FileDescription ALSysIO */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041007200740068007500720020004c0069006200650072006d0061006e } /* CompanyName ArthurLiberman */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0039002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030002e0039002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004c0053007900730049004f002e007300790073 } /* InternalName ALSysIOsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004c0053007900730049004f } /* ProductName ALSysIO */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004c0053007900730049004f002e007300790073 } /* OriginalFilename ALSysIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300033002d003200300030003900200041007200740068007500720020004c0069006200650072006d0061006e } /* LegalCopyright CopyrightCArthurLiberman */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ALSysIO64/i -} - - -rule PUA_VULN_Renamed_Driver_Panyazilimbilisimteknolojileriticltdsti_Paniosys_Paniolibrary_F596 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - PanIO.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "f596e64f4c5d7c37a00493728d8756b243cfdc11e3372d6d6dfeffc13c9ab960" - date = "2023-06-14" - score = 70 - id = "0c9f3005-da64-5545-b9d3-4c9c43152dca" - strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]00540065006d0070006500720061007400750072006500200061006e0064002000730079007300740065006d00200069006e0066006f0072006d006100740069006f006e0020006400720069007600650072 } /* FileDescription Temperatureandsysteminformationdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00500061006e002000590061007a0069006c0069006d002000420069006c006900730069006d002000540065006b006e006f006c006f006a0069006c0065007200690020005400690063002e0020004c00740064002e0020005300740069002e } /* CompanyName PanYazilimBilisimTeknolojileriTicLtdSti */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00500061006e0049004f002e007300790073 } /* InternalName PanIOsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500061006e0049004f0020004c006900620072006100720079 } /* ProductName PanIOLibrary */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00500061006e0049004f002e007300790073 } /* OriginalFilename PanIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200032003000310032002d0032003000310034002000500061006e002000590061007a0069006c0069006d002000420069006c006900730069006d002000540065006b006e006f006c006f006a0069006c0065007200690020005400690063002e0020004c00740064002e0020005300740069002e } /* LegalCopyright CopyrightcPanYazilimBilisimTeknolojileriTicLtdSti */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /PanIO/i -} - - -rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpot_Avastantivirus_1768 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE 
header - aswArPot.sys, avgArPot.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "17687cba00ec2c9036dd3cb5430aa1f4851e64990dafb4c8f06d88de5283d6ca" - date = "2023-06-14" - score = 70 - id = "67cbef32-1033-55ff-8a49-b12ee01e6800" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0038002e003100330037002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0038002e003100330037002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300032003000200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ - condition: - uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i -} - - -rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_9A54 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" - author = 
"Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "9a54ef5cfbe6db599322967ee2c84db7daabcb468be10a3ccfcaa0f64d9173c7" - date = "2023-06-14" - score = 70 - id = "6f5fdb7c-ed88-5e1f-9f03-d86bf9646ee2" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0031002e0034003100330032002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0031002e0034003100330032002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310038002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ - condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i -} - - -rule PUA_VULN_Renamed_Driver_Oti_Otipcibussys_Kernelmodedrivertoaccessphysicalmemoryandports_4E3E { - meta: - description = 
"Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - otipcibus.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "4e3eb5b9bce2fd9f6878ae36288211f0997f6149aa8c290ed91228ba4cdfae80" - date = "2023-06-14" - score = 70 - id = "98494db9-778d-531c-9688-535d539cd953" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0048006100720064007700610072006500200041006300630065007300730020004400720069007600650072 } /* FileDescription HardwareAccessDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004f00540069 } /* CompanyName OTi */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0031003000300030002e0030002e0031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0031003000300030002e0030002e0031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006f0074006900700063006900620075007300360034002e007300790073 } /* InternalName otipcibussys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004b00650072006e0065006c0020004d006f00640065002000440072006900760065007200200054006f002000410063006300650073007300200050006800790073006900630061006c0020004d0065006d006f0072007900200041006e006400200050006f007200740073 } /* ProductName KernelModeDriverToAccessPhysicalMemoryAndPorts */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006f0074006900700063006900620075007300360034002e007300790073 } /* OriginalFilename otipcibussys */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /otipcibus/i -} - - -rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_DCB8 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" - author = "Florian Roth" - 
reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "dcb815eb8e9016608d0d917101b6af8c84b96fb709dc0344bceed02cbc4ed258" - date = "2023-06-14" - score = 70 - id = "f6bf8995-aba2-52ff-ba26-eabbef6933bd" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0037002e0034003200340036002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0037002e0034003200340036002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003900200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ - condition: - uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i -} - - -rule PUA_VULN_Renamed_Driver_Micsystechnologycoltd_Msiosys_Msiodriverversion_X_CFCF { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - MsIo64.sys" - author = "Florian Roth" - reference = 
"https://github.com/magicsword-io/LOLDrivers" - hash = "cfcf32f5662791f1f22a77acb6dddfbc970fe6e99506969b3ea67c03f67687ab" - date = "2023-06-14" - score = 70 - id = "a40d5b51-bdcd-5ca9-b708-220f0d3e5c83" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0049004300530059005300200049004f0020006400720069007600650072 } /* FileDescription MICSYSIOdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d0049004300530059005300200054006500630068006e006f006c006f0067007900200043006f002e002c0020004c00540064 } /* CompanyName MICSYSTechnologyCoLTd */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003200200078003600340020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion xbuiltbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00320020007800360034 } /* ProductVersion x */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004d00730049006f00360034002e007300790073 } /* InternalName MsIosys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d00730049006f003600340020004400720069007600650072002000560065007200730069006f006e00200031002e0032 } /* ProductName MsIoDriverVersion */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004d00730049006f00360034002e007300790073 } /* OriginalFilename MsIosys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003100390020004d00490043005300590053 } /* LegalCopyright CopyrightcMICSYS */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /MsIo64/i -} - - -rule PUA_VULN_Renamed_Driver_Dtresearchinc_Iomemsys_Iomemsys_DD4A { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iomem64.sys" - author = "Florian Roth" - reference = 
"https://github.com/magicsword-io/LOLDrivers" - hash = "dd4a1253d47de14ef83f1bc8b40816a86ccf90d1e624c5adf9203ae9d51d4097" - date = "2023-06-14" - score = 70 - id = "35a9803d-08a8-5cad-9eb6-ac7a9366f32b" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0044005400520020004b00650072006e0065006c0020006d006f006400650020006400720069007600650072 } /* FileDescription DTRKernelmodedriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00440054002000520065007300650061007200630068002c00200049006e0063002e } /* CompanyName DTResearchInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0032002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0032002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0069006f006d0065006d002e007300790073 } /* InternalName iomemsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0069006f006d0065006d002e007300790073 } /* ProductName iomemsys */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0069006f006d0065006d002e007300790073 } /* OriginalFilename iomemsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0044005400200052006500730065006100720063006800200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright DTResearchIncAllRightsReserved */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /iomem64/i -} - - -rule PUA_VULN_Renamed_Driver_Pchuntersys_Pchunter_1B7F { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - PCHunter.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "1b7fb154a7b7903a3c81f12f4b094f24a3c60a6a8cffca894c67c264ab7545fa" - date = "2023-06-14" - score = 70 
- id = "1e9534ab-0139-5550-93ac-e0e2e4f54c3f" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00450070006f006f006c0073006f00660074002000570069006e0064006f0077007300200049006e0066006f0072006d006100740069006f006e0020005600690065007700200054006f006f006c0073 } /* FileDescription EpoolsoftWindowsInformationViewTools */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]4e00666e660e4e3aff0853174eacff094fe1606f6280672f67099650516c53f8 } /* CompanyName */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0034 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0034 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0050004300480075006e007400650072002e007300790073 } /* InternalName PCHuntersys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0050004300480075006e007400650072 } /* ProductName PCHunter */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0050004300480075006e007400650072002e007300790073 } /* OriginalFilename PCHuntersys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200032003000310033002d0032003000310036002000450070006f006f006c0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CEpoolsoftCorporationAllRightsReserved */ - condition: - uint16(0) == 0x5a4d and filesize < 800KB and all of them and not filename matches /PCHunter/i -} - - -rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_6500 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = 
"65008817eb97635826a8708a6411d7b50f762bab81304e457119d669382944c3" - date = "2023-06-14" - score = 70 - id = "ec46068f-99f6-5335-a695-c2d4f67661c4" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0035002e0034003200320030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0035002e0034003200320030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003900200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ - condition: - uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i -} - - -rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_8E88 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "8e88cb80328c3dbaa2752591692e74a2fae7e146d7d8aabc9b9ac9a6fe561e6c" - date = 
"2023-06-14" - score = 70 - id = "dcdacb63-7b72-512e-98fc-f9899eef184f" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310031002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nscm/i -} - - -rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_E428 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "e428ddf9afc9b2d11e2271f0a67a2d6638b860c2c12d4b8cc63d33f3349ee93f" - date = "2023-06-14" - score = 70 - id = "ab5fa19d-04b9-53b1-8c25-311b2b70de67" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ - $ 
= { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } /* CompanyName ZemanaLtd */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00310037002e003900380034 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /zam64/i -} - - -rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_0909 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "0909005d625866ef8ccd8ae8af5745a469f4f70561b644d6e38b80bccb53eb06" - date = "2023-06-14" - score = 70 - id = "5011ac46-4366-57f2-8102-10fffffb3c27" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00370030002e0030002e0031003100300036 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00370030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100370020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 400KB and all of them and not filename matches /TmComm/i -} - - -rule PUA_VULN_Renamed_Driver_Huawei_Hwosec_Huaweimatebook_B179 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HwOs2Ec7x64.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "b179e1ab6dc0b1aee783adbcad4ad6bb75a8a64cb798f30c0dd2ee8aaf43e6de" - hash = "bb1135b51acca8348d285dc5461d10e8f57260e7d0c8cc4a092734d53fc40cbc" - date = "2023-06-14" - score = 70 - id = "0b7fdb14-88a4-55cc-ab9e-062dd05df561" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00480077004f0073003200450063 } /* FileDescription HwOsEc */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004800750061007700650069 } /* CompanyName Huawei */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00480077004f0073003200450063 } /* InternalName HwOsEc */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]0048007500610077006500690020004d0061007400650042006f006f006b } /* ProductName HuaweiMateBook */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00480077004f0073003200450063002e007300790073 } /* OriginalFilename HwOsEcsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310036 } /* LegalCopyright CopyrightC */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /HwOs2Ec7x64/i -} - - -rule PUA_VULN_Renamed_Driver_Hpinc_Hpportioxsys_Hpportio_A468 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HpPortIox64.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "a4680fabf606d6580893434e81c130ff7ec9467a15e6534692443465f264d3c9" - date = "2023-06-14" - score = 70 - id = "375a9cb2-5ba6-56d1-944c-38c724f3746d" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800700050006f007200740049006f } /* FileDescription HpPortIo */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0048005000200049006e0063002e } /* CompanyName HPInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800700050006f007200740049006f007800360034002e007300790073 } /* InternalName HpPortIoxsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800700050006f007200740049006f } /* ProductName HpPortIo */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800700050006f007200740049006f007800360034002e007300790073 } /* OriginalFilename HpPortIoxsys */ 
- condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /HpPortIox64/i -} - - -rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_7661 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "76614f2e372f33100a8d92bf372cdbc1e183930ca747eed0b0cf2501293b990a" - date = "2023-06-14" - score = 70 - id = "6af53a8a-2e39-536a-a817-a29748de5055" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } /* CompanyName ZemanaLtd */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00310038002e003200320039 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /zam64/i -} - - -rule PUA_VULN_Renamed_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_8B92 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "8b92cdb91a2e2fab3881d54f5862e723826b759749f837a11c9e9d85d52095a2" - date = "2023-06-14" - score = 70 - id = "9225e30b-aca2-5989-a73b-8d40d72e2a01" - strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050006e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPnPDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0047004900470041002d004200590054004500200054004500430048004e004f004c004f0047005900200043004f002e002c0020004c00540044002e } /* CompanyName GIGABYTETECHNOLOGYCOLTD */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0067006400720076002e007300790073 } /* InternalName gdrvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0047004900470041002d004200590054004500200053006f0066007400770061007200650020006400720069007600650072 } /* ProductName GIGABYTESoftwaredriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0067006400720076002e007300790073 } /* OriginalFilename gdrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310037 } /* LegalCopyright CopyrightC */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /gdrv/i -} - - -rule PUA_VULN_Renamed_Driver_Sisoftware_Sandra_Sisoftwaresandra_881B { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SANDRA" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "881bca6dc2dafe1ae18aeb59216af939a3ac37248c13ed42ad0e1048a3855461" - date = "2023-06-14" - score = 70 - id = "90404bf8-2575-5437-898d-6dfb22b04027" - strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003600340020007800360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300690053006f006600740077006100720065 } /* CompanyName SiSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0033002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0033002e0031002e0031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530041004e004400520041 } /* InternalName SANDRA */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300690053006f006600740077006100720065002000530061006e006400720061 } /* ProductName SiSoftwareSandra */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530041004e004400520041 } /* OriginalFilename SANDRA */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d0032003000300035002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightSiSoftwareLtdAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /SANDRA/i -} - - -rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_5192 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = 
"5192ec4501d0fe0b1c8f7bf9b778f7524a7a70a26bbbb66e5dab8480f6fdbb8b" - date = "2023-06-14" - score = 70 - id = "f5af1fa3-89f3-5e06-8f67-bb26b89a5c1d" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00370030002e0030002e0031003000370033 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00370030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100350020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 400KB and all of them and not filename matches /TmComm/i -} - - -rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_80A5 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" - author = "Florian Roth" - reference = 
"https://github.com/magicsword-io/LOLDrivers" - hash = "80a59ca71fc20961ccafc0686051e86ae4afbbd4578cb26ad4570b9207651085" - date = "2023-06-14" - score = 70 - id = "fc4c8180-77b2-593e-b4c0-5340871291bd" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00350030002e0030002e0031003000390031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00350030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100330020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /TmComm/i -} - - -rule PUA_VULN_Renamed_Driver_Microfocus_Microfocusxtier_5351 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" - author = 
"Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "5351c81b4ec5a0d79c39d24bac7600d10eac30c13546fde43d23636b3f421e7c" - date = "2023-06-14" - score = 70 - id = "084f65a0-6a2a-59b6-9a5a-3f45a4f5c892" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0058005400690065007200200053006500630075007200690074007900200043006f006e00740065007800740020004d0061006e0061006700650072 } /* FileDescription XTierSecurityContextManager */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d006900630072006f00200046006f006300750073 } /* CompanyName MicroFocus */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310032002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310032 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d006900630072006f00200046006f006300750073002000580054006900650072 } /* ProductName MicroFocusXTier */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310037002c0020004d006900630072006f00200046006f006300750073002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightMicroFocusAllRightsReserved */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nscm/i -} - - -rule PUA_VULN_Renamed_Driver_Sunmicrosystemsinc_Vboxdrvsys_Sunvirtualbox_R_7882 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - vboxdrv.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = 
"78827fa00ea48d96ac9af8d1c1e317d02ce11793e7f7f6e4c7aac7b5d7dd490f" - hash = "c26b51b4c37330800cff8519252e110116c3aaade94ceb9894ec5bfb1b8f9924" - date = "2023-06-14" - score = 70 - id = "63c99882-aa1c-522c-ae84-485306bdbea4" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* CompanyName SunMicrosystemsInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0032002e0030002e007200340035003800340036 } /* FileVersion r */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0032002e0030002e007200340035003800340036 } /* ProductVersion r */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078004400720076002e007300790073 } /* InternalName VBoxDrvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00530075006e0020005600690072007400750061006c0042006f0078 } /* ProductName SunVirtualBox */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078004400720076002e007300790073 } /* OriginalFilename VBoxDrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300039002000530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* LegalCopyright CopyrightCSunMicrosystemsInc */ - condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /vboxdrv/i -} - - -rule PUA_VULN_Renamed_Driver_Corsairmemoryinc_Corsairllaccess_Corsairllaccess_5FAD { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - 
CorsairLLAccess64.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "5fad3775feb8b6f6dcbd1642ae6b6a565ff7b64eadfc9bf9777918b51696ab36" - hash = "29a90ae1dcee66335ece4287a06482716530509912be863c85a2a03a6450a5b6" - date = "2023-06-14" - score = 70 - id = "6eecc3dd-cbcf-5d2f-8005-e027230e64b1" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* FileDescription CorsairLLAccess */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0043006f007200730061006900720020004d0065006d006f00720079002c00200049006e0063002e } /* CompanyName CorsairMemoryInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310036002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310036002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* InternalName CorsairLLAccess */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* ProductName CorsairLLAccess */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* OriginalFilename CorsairLLAccess */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007200730061006900720020004d0065006d006f00720079002c00200049006e0063002e002000280063002900200032003000310039002c00200041006c006c0020007200690067006800740073002000720065007300650072007600650064 } /* LegalCopyright CorsairMemoryInccAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /CorsairLLAccess64/i -} - - -rule PUA_VULN_Renamed_Driver_Cpuid_Cpuzsys_Cpuidservice_A072 { - meta: - description 
= "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "a072197177aad26c31960694e38e2cae85afbab070929e67e331b99d3a418cf4" - hash = "e0b5a5f8333fc1213791af5c5814d7a99615b3951361ca75f8aa5022c9cfbc2b" - hash = "ded2927f9a4e64eefd09d0caba78e94f309e3a6292841ae81d5528cab109f95d" - date = "2023-06-14" - score = 70 - id = "4ecccfaa-43fb-582e-9a9e-77529ee9234f" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310036002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /cpuz/i -} - - -rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_2A62 { - meta: - description = "Detects renamed 
vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "2a6212f3b68a6f263e96420b3607b31cfdfe51afff516f3c87d27bf8a89721e8" - date = "2023-06-14" - score = 70 - id = "492872fa-b936-526f-94c6-c9524039e583" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c002000360035002c00200030002c00200030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c002000360035002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* OriginalFilename viragtsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000300036002c002000320030003100320020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /viragt64/i -} - - -rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_AAA3 { - meta: - description = "Detects renamed vulnerable 
driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "aaa3459bcac25423f78ed72dbae4d7ef19e7c5c65770cbe5210b14e33cd1816c" - date = "2023-06-14" - score = 70 - id = "272c95fe-bf5a-53d8-b54b-10dfa4f2945a" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0032002e0033003800320030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0032002e0033003800320030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003800200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ - condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i -} - - -rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswvmmsys_Avastantivirus_3650 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using 
VersionInfo values from the PE header - aswVmm.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "36505921af5a09175395ebaea29c72b2a69a3a9204384a767a5be8a721f31b10" - date = "2023-06-14" - score = 70 - id = "715dc163-ea21-5633-9d27-6b80e5207fb6" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00610076006100730074002100200056004d0020004d006f006e00690074006f0072 } /* FileDescription avastVMMonitor */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0038002e0030002e0031003400390037002e003300370036 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002e0030002e0031003400390037002e003300370036 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0061007300770056006d006d002e007300790073 } /* InternalName aswVmmsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00610076006100730074002100200041006e0074006900760069007200750073 } /* ProductName avastAntivirus */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0061007300770056006d006d002e007300790073 } /* OriginalFilename aswVmmsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003300200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ - condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /aswVmm/i -} - - -rule PUA_VULN_Renamed_Driver_Windowsrserverddkprovider_Gdrvsys_Windowsrserverddkdriver_31F4 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys" - author = "Florian Roth" - reference = 
"https://github.com/magicsword-io/LOLDrivers" - hash = "31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427" - hash = "6f1fc8287dd8d724972d7a165683f2b2ad6837e16f09fe292714e8e38ecd1e38" - hash = "17927b93b2d6ab4271c158f039cae2d60591d6a14458f5a5690aec86f5d54229" - date = "2023-06-14" - score = 70 - id = "f7ade11a-24e4-5e93-9a9b-d7700b0182db" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041004200590054004500200054006f006f006c0073 } /* FileDescription GIGABYTETools */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRServerDDKprovider */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e00310038003300300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e0031003800330030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0067006400720076002e007300790073 } /* InternalName gdrvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b0020006400720069007600650072 } /* ProductName WindowsRServerDDKdriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0067006400720076002e007300790073 } /* OriginalFilename gdrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and 
filesize < 100KB and all of them and not filename matches /gdrv/i -} - - -rule PUA_VULN_Renamed_Driver_Gigabytetechnologycoltd_Gdrvsys_Gdrv_FF67 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "ff6729518a380bf57f1bc6f1ec0aa7f3012e1618b8d9b0f31a61d299ee2b4339" - date = "2023-06-14" - score = 70 - id = "8f96b69a-eec3-5b8d-b938-902b02f32e29" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050004e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPNPDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0047004900470041002d004200590054004500200054004500430048004e004f004c004f0047005900200043004f002e002c0020004c00540044002e } /* CompanyName GIGABYTETECHNOLOGYCOLTD */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310037003100320030003100300031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0067006400720076002e007300790073 } /* InternalName gdrvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]006700640072007600360034 } /* ProductName gdrv */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0067006400720076002e007300790073 } /* OriginalFilename gdrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310037 } /* LegalCopyright CopyrightC */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /gdrv/i -} - - -rule PUA_VULN_Renamed_Driver_Asustekcomputerinc_Eiosys_Asusvgakernelmodedriver_CF69 { - meta: - description = "Detects 
renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - EIO.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "cf69704755ec2643dfd245ae1d4e15d77f306aeb1a576ffa159453de1a7345cb" - date = "2023-06-14" - score = 70 - id = "f9a24212-2805-5af3-906f-56ba8a60409c" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100530055005300200056004700410020004b00650072006e0065006c0020004d006f006400650020004400720069007600650072 } /* FileDescription ASUSVGAKernelModeDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530055005300540065004b00200043006f006d0070007500740065007200200049006e0063002e } /* CompanyName ASUSTeKComputerInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00390037 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00390037 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00450049004f002e007300790073 } /* InternalName EIOsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100530055005300200056004700410020004b00650072006e0065006c0020004d006f006400650020004400720069007600650072 } /* ProductName ASUSVGAKernelModeDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00450049004f002e007300790073 } /* OriginalFilename EIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000320030003000340020004100530055005300540065004b00200043006f006d0070007500740065007200200049006e0063002e } /* LegalCopyright CopyrightASUSTeKComputerInc */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /EIO/i -} - - -rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_4408 { - meta: - description = "Detects renamed vulnerable driver mentioned in 
LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "440883cd9d6a76db5e53517d0ec7fe13d5a50d2f6a7f91ecfc863bc3490e4f5c" - date = "2023-06-14" - score = 70 - id = "e13ccc4c-bee8-5b8d-a94c-8c6d42b7656e" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310036002e00340033 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310036002e00340033 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d00610072006b002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000320031 } /* LegalCopyright CopyrightCMarkRussinovich */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /procexp/i -} - - -rule PUA_VULN_Renamed_Driver_Rivetnetworksllc_Kfecodrvsys_Killertrafficcontrol_B583 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project 
using VersionInfo values from the PE header - KfeCo10X64.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "b583414fcee280128788f7b39451c511376fe821f455d4f3702795e96d560704" - date = "2023-06-14" - score = 70 - id = "dac8f089-8029-55f6-afcc-f2095c22a925" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b0069006c006c006500720020005400720061006600660069006300200043006f006e00740072006f006c002000430061006c006c006f007500740020004400720069007600650072 } /* FileDescription KillerTrafficControlCalloutDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200690076006500740020004e006500740077006f0072006b0073002c0020004c004c0043002e } /* CompanyName RivetNetworksLLC */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0039002e0037002e0034002e00310031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0039002e0037002e0034002e00310031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004b006600650043006f004400720076002e007300790073 } /* InternalName KfeCoDrvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004b0069006c006c006500720020005400720061006600660069006300200043006f006e00740072006f006c } /* ProductName KillerTrafficControl */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004b006600650043006f004400720076002e007300790073 } /* OriginalFilename KfeCoDrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310035002d00320030003100380020005200690076006500740020004e006500740077006f0072006b0073002c0020004c004c0043002e } /* LegalCopyright CopyrightCRivetNetworksLLC */ - condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /KfeCo10X64/i -} - - -rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroaegis_ED2F { - meta: - 
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "ed2f33452ec32830ffef2d5dc832985db9600c306ed890c47f3f33ccbb335c39" - date = "2023-06-14" - score = 70 - id = "51c17b83-1d09-58c5-857c-f144ff6f5108" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e00380030002e0030002e0031003000360033 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00380030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f002000410045004700490053 } /* ProductName TrendMicroAEGIS */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300035002d00320030003000390020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /TmComm/i -} - - -rule 
PUA_VULN_Renamed_Driver_Msi_Ntiolibxsys_Ntiolib_09BE { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "09bedbf7a41e0f8dabe4f41d331db58373ce15b2e9204540873a1884f38bdde1" - date = "2023-06-14" - score = 70 - id = "f4cb25ca-f56d-5bdc-a53c-5bc91c677e49" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* FileDescription NTIOLib */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0032 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062005f005800360034002e007300790073 } /* InternalName NTIOLibXsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062005f005800360034002e007300790073 } /* OriginalFilename NTIOLibXsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100360020004d006900630072006f002d005300740061007200200049004e00540027004c00200043004f002e002c0020004c00540044002e } /* LegalCopyright CopyrightCMicroStarINTLCOLTD */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /NTIOLib/i -} - - -rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Aegis_A802 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" - author 
= "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "a8027daa6facf1ff81405daf6763249e9acf232a1a191b6bf106711630e6188e" - date = "2023-06-14" - score = 70 - id = "9faf0f73-9c1e-549c-a375-8b3c3b89652c" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0035002e0030002e0031003100320031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410045004700490053 } /* ProductName AEGIS */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300035002d00320030003000380020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /TmComm/i -} - - -rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_0F01 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header 
- aswArPot.sys, avgArPot.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "0f016c80c4938fbcd47a47409969b3925f54292eba2ce01a8e45222ce8615eb8" - date = "2023-06-14" - score = 70 - id = "89b49564-f27a-5184-9710-a3b5c3b435fb" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0038002e0034003000350037002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0038002e0034003000350037002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310038002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ - condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i -} - - -rule PUA_VULN_Renamed_Driver_Sunmicrosystemsinc_Vboxdrvsys_Sunvirtualbox_R_7539 { - 
meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxDrv.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "7539157df91923d4575f7f57c8eb8b0fd87f064c919c1db85e73eebb2910b60c" - date = "2023-06-14" - score = 70 - id = "70f1192d-29b0-5e55-9a0c-e0a17ca5e57a" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* CompanyName SunMicrosystemsInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0030002e0030002e007200340039003300310035 } /* FileVersion r */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0030002e0030002e007200340039003300310035 } /* ProductVersion r */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078004400720076002e007300790073 } /* InternalName VBoxDrvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00530075006e0020005600690072007400750061006c0042006f0078 } /* ProductName SunVirtualBox */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078004400720076002e007300790073 } /* OriginalFilename VBoxDrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300039002000530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* LegalCopyright CopyrightCSunMicrosystemsInc */ - condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /VBoxDrv/i -} - - -rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_478D 
{ - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "478d855b648ef4501d3b08b3b10e94076ac67546b0ce86b454324f1bf9a78aa0" - date = "2023-06-14" - score = 70 - id = "3ed4ee1e-989f-5729-9f93-e1a84cf0565b" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00360030002e0030002e0031003000380032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00360030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100390020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 400KB and all of them and not filename matches /TmComm/i -} - - -rule 
PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Activeclean_A903 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "a903f329b70f0078197cb7683aae1bb432eaf58572fe572f7cb4bc2080042d7e" - date = "2023-06-14" - score = 70 - id = "ef749b9f-ba3a-53f6-ba93-d8a57f4ef398" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e0030002e0031003000350032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041006300740069007600650043006c00650061006e } /* ProductName ActiveClean */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300035002d00320030003000370020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename 
matches /TmComm/i -} - - -rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_3FF3 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "3ff39728f1c11d1108f65ec5eb3d722fd1a1279c530d79712e0d32b34880baaa" - hash = "86721ee8161096348ed3dbe1ccbf933ae004c315b1691745a8af4a0df9fed675" - date = "2023-06-14" - score = 70 - id = "f178f1b8-8f10-50e2-9d17-f83e09e2b020" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310031002e00340030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310031002e00340030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d002e002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000310030 } /* LegalCopyright CopyrightCMRussinovich */ - condition: - uint16(0) == 0x5a4d and 
filesize < 100KB and all of them and not filename matches /procexp/i -} - - -rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_BDBC { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "bdbceca41e576841cad2f2b38ee6dbf92fd77fbbfdfe6ecf99f0623d44ef182c" - date = "2023-06-14" - score = 70 - id = "c633441c-348f-527e-8187-51b28a53b63a" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310031002e00300031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310031002e00300031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d002e002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000300037 } /* LegalCopyright CopyrightCMRussinovich */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all 
of them and not filename matches /procexp/i -} - - -rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_7837 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "7837cb350338c4958968d06b105466da6518f5bb522a6e70e87c0cad85128408" - date = "2023-06-14" - score = 70 - id = "f4821039-4998-5f15-99a7-72c4a1219d94" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00360030002e0030002e0031003000350036 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00360030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100360020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ - condition: - 
uint16(0) == 0x5a4d and filesize < 400KB and all of them and not filename matches /TmComm/i -} - - -rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_0B2A { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "0b2ad05939b0aabbdc011082fad7960baa0c459ec16a2b29f37c1fa31795a46d" - date = "2023-06-14" - score = 70 - id = "54df9ee8-fd07-5c87-a94f-63289f1844f5" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0037002e0034003000330031002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0037002e0034003000330031002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310038002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ - condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i -} - - -rule PUA_VULN_Renamed_Driver_Copyright_Advancedmalwareprotection_6F55 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - amsdk.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "6f55c148bb27c14408cf0f16f344abcd63539174ac855e510a42d78cfaec451c" - date = "2023-06-14" - score = 70 - id = "9d1dabed-5497-5325-b982-653aed3fd039" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041006400760061006e0063006500640020004d0061006c0077006100720065002000500072006f00740065006300740069006f006e } /* FileDescription AdvancedMalwareProtection */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0043006f007000790072006900670068007400200032003000310038002e } /* CompanyName Copyright */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0030002e0030002e003000300030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0030002e0030002e003000300030 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041006400760061006e0063006500640020004d0061006c0077006100720065002000500072006f00740065006300740069006f006e } /* ProductName AdvancedMalwareProtection */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]005a0041004d002e006500780065 } /* OriginalFilename ZAMexe */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200032003000310038002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /amsdk/i -} - - -rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_EEA5 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "eea53103e7a5a55dc1df79797395a2a3e96123ebd71cdd2db4b1be80e7b3f02b" - date = "2023-06-14" - score = 70 - id = "eff2a649-3401-5c91-8856-602c4e976982" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200032002c00200030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003900200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i -} - - -rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_2D2C { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "2d2c7ee9547738a8a676ab785c151e8b48ed40fe7cf6174650814c7f5f58513b" - date = "2023-06-14" - score = 70 - id = "932a6fdd-6631-5af4-94bf-7fbf48243d7f" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300033002e0030002e00360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300033002e0030002e0036 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */ - $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003200200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /iQVW64/i -} - - -rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_5CFA { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "5cfad3d473961763306d72c12bd5ae14183a1a5778325c9acacca764b79ca185" - date = "2023-06-14" - score = 70 - id = "e786e683-d225-506b-ae7d-7c81aa4ac14d" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003800200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ElbyCDIO/i -} - - -rule PUA_VULN_Renamed_Driver_Arthurliberman_Alsysiosys_Alsysio_119C { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ALSysIO64.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "119c48b79735fda0ecd973d77d9bdc6b329960caed09b38ab454236ca039d280" - date = "2023-06-14" - score = 70 - id = "58289f86-0988-5bf7-b009-8315f1b3696f" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004c0053007900730049004f00360034 } /* FileDescription ALSysIO */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041007200740068007500720020004c0069006200650072006d0061006e } /* CompanyName ArthurLiberman */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e00310031002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030002e00310031002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004c0053007900730049004f00360034002e007300790073 } /* InternalName ALSysIOsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004c0053007900730049004f00360034 } /* ProductName ALSysIO */ - $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004c0053007900730049004f00360034002e007300790073 } /* OriginalFilename ALSysIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300033002d003200300031003900200041007200740068007500720020004c0069006200650072006d0061006e } /* LegalCopyright CopyrightCArthurLiberman */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ALSysIO64/i -} - - -rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_263E { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "263e8f1e20612849aea95272da85773f577fd962a7a6d525b53f43407aa7ad24" - date = "2023-06-14" - score = 70 - id = "51fc8e1a-fbf2-59cf-9cde-464859a4160c" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00320035002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00320035002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */ - $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* OriginalFilename viragtsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000300036002c002000320030003100300020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /viragt64/i -} - - -rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_E839 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "e83908eba2501a00ef9e74e7d1c8b4ff1279f1cd6051707fd51824f87e4378fa" - date = "2023-06-14" - score = 70 - id = "70173412-67b5-5647-ab39-354b69193668" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f00720020004d00530049004300500055005f00430043 } /* FileDescription NTIOLibforMSICPUCC */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys 
*/ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002d00320030003000390020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /NTIOLib/i -} - - -rule PUA_VULN_Renamed_Driver_Hilschergesellschaftfrsystemaoutomationmbh_Physmemsys_Physicalmemoryaccessdriver_C299 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - physmem.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d" - date = "2023-06-14" - score = 70 - id = "27aa8117-0bc2-5f84-98df-d7360bba16a4" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0050006800790073006900630061006c0020004d0065006d006f0072007900200041006300630065007300730020004400720069007600650072 } /* FileDescription PhysicalMemoryAccessDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00480069006c0073006300680065007200200047006500730065006c006c0073006300680061006600740020006600fc0072002000530079007300740065006d0061006f00750074006f006d006100740069006f006e0020006d00620048 } /* CompanyName HilscherGesellschaftfrSystemaoutomationmbH */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0070006800790073006d0065006d002e007300790073 } /* InternalName physmemsys */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]0050006800790073006900630061006c0020004d0065006d006f0072007900200041006300630065007300730020004400720069007600650072 } /* ProductName PhysicalMemoryAccessDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0070006800790073006d0065006d002e007300790073 } /* OriginalFilename physmemsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a9002000480069006c0073006300680065007200200047006500730065006c006c0073006300680061006600740020006600fc0072002000530079007300740065006d0061006f00750074006f006d006100740069006f006e0020006d00620048002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright HilscherGesellschaftfrSystemaoutomationmbHAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /physmem/i -} - - -rule PUA_VULN_Renamed_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmasterservicedriver_AF10 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDRyzenMasterDriver.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "af1011c76a22af7be97a0b3e0ce11aca0509820c59fa7c8eeaaa1b2c0225f75a" - date = "2023-06-14" - score = 70 - id = "defc1d03-fae1-5a21-b8ca-f39bdbecaad6" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073 } /* CompanyName AdvancedMicroDevices */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030 } /* FileVersion */ - $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* InternalName AMDRyzenMasterDriversys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* ProductName AMDRyzenMasterServiceDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* OriginalFilename AMDRyzenMasterDriversys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020003200300031003700200041004d0044002c00200049006e0063002e } /* LegalCopyright CopyrightAMDInc */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /AMDRyzenMasterDriver/i -} - - -rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_ADA4 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "ada4e42bf5ef58ef1aad94435441003b1cc1fcaa5d38bfdbe1a3d736dc451d47" - date = "2023-06-14" - score = 70 - id = "8ea15559-48f5-5f9c-bf03-1ee3b0cac919" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName 
ElaborateBytesAG */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003800200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ElbyCDIO/i -} - - -rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_9B2F { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "9b2f051ac901ab47d0012a1002cb8b2db28c14e9480c0dd55e1ac11c81ba9285" - date = "2023-06-14" - score = 70 - id = "e5ec701e-320e-5991-988f-a1334b9a85ff" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200034 } 
/* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200034 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00760069007200610067007400360034002e007300790073 } /* OriginalFilename viragtsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000310031002c002000320030003100330020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /viragt64/i -} - - -rule PUA_VULN_Renamed_Driver_Cyreninc_Amp_Cyrenamp_CBB8 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - amp.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "cbb8239a765bf5b2c1b6a5c8832d2cab8fef5deacadfb65d8ed43ef56d291ab6" - date = "2023-06-14" - score = 70 - id = "b964d59a-0fbf-56be-ae31-323431384cf2" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d00500020004d0069006e006900660069006c007400650072 } /* FileDescription AMPMinifilter */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0043005900520045004e00200049006e0063002e } /* CompanyName CYRENInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0034002e00310031002e0031 } /* FileVersion */ - $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0034002e00310031002e0031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004d0050 } /* InternalName AMP */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005900520045004e00200041004d005000200035 } /* ProductName CYRENAMP */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0061006d0070002e007300790073 } /* OriginalFilename ampsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9002000310039003900390020002d00200032003000310034002e00200043005900520045004e00200049006e0063002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCYRENIncAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /amp/i -} - - -rule PUA_VULN_Renamed_Driver_Supermicrocomputerinc_Superbmc_Superbmc_F843 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - superbmc.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "f8430bdc6fd01f42217d66d87a3ef6f66cb2700ebb39c4f25c8b851858cc4b35" - date = "2023-06-14" - score = 70 - id = "39029753-a7bc-555f-9c5b-075e934f344a" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]007300750070006500720062006d0063 } /* FileDescription superbmc */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300750070006500720020004d006900630072006f00200043006f006d00700075007400650072002c00200049006e0063002e } /* CompanyName SuperMicroComputerInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* ProductVersion */ 
- $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007300750070006500720062006d0063 } /* InternalName superbmc */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]007300750070006500720062006d0063 } /* ProductName superbmc */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007300750070006500720062006d0063002e007300790073 } /* OriginalFilename superbmcsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280063002900200031003900390033002d00320030003100350020005300750070006500720020004d006900630072006f00200043006f006d00700075007400650072002c00200049006e0063002e } /* LegalCopyright CopyrightcSuperMicroComputerInc */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /superbmc/i -} - - -rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_1023 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "1023dcd4c80db19e9f82f95b1c5e1ddb60db7ac034848dd5cc1c78104a6350f4" - date = "2023-06-14" - score = 70 - id = "d3a08d45-760a-538c-93ee-6363e1931b2a" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0031002e0033003800300030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0031002e0033003800300030002e0030 } /* ProductVersion 
*/ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310038002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ - condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i -} - - -rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_F877 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "f877296e8506e6a1acbdacdc5085b18c6842320a2775a329d286bac796f08d54" - hash = "de3597ae7196ca8c0750dce296a8a4f58893774f764455a125464766fcc9b3b5" - date = "2023-06-14" - score = 70 - id = "0deb0c4b-e67b-5d53-bd95-3d7fd7833958" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName 
IntelCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300033002e0031002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300033002e0031002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003500200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /iQVW64/i -} - - -rule PUA_VULN_Renamed_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_AD23 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sfdrvx32.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "ad23d77a38655acb71216824e363df8ac41a48a1a0080f35a0d23aa14b54460b" - date = "2023-06-14" - score = 70 - id = "fc2c48af-ca7f-5481-b77a-1378df03f8c6" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530070006500650064002000460061006e00200078003300320020004400720069007600650072 } /* FileDescription SpeedFanxDriver */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]0041006c006d00690063006f00200053006f006600740077006100720065 } /* CompanyName AlmicoSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00580034002e00340033002e00300034 } /* FileVersion X */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00580034002e00340033002e00300034 } /* ProductVersion X */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730066006400720076007800330032002e007300790073 } /* InternalName sfdrvxsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00530070006500650064002000460061006e } /* ProductName SpeedFan */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730066006400720076007800330032002e007300790073 } /* OriginalFilename sfdrvxsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200041006c006d00690063006f00200053006f00660074007700610072006500200032003000300031002d0032003000310030 } /* LegalCopyright CopyrightAlmicoSoftware */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /sfdrvx32/i -} - - -rule PUA_VULN_Renamed_Driver_Asustekcomputerinc_Atsziosys_Atsziodriver_1A4F { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ATSZIO.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "1a4f7d7926efc3e3488758ce318246ea78a061bde759ec6c906ff005dd8213e5" - hash = "0da746e49fd662be910d0e366934a7e02898714eaaa577e261ab40eb44222b5c" - hash = "e32ab30d01dcff6418544d93f99ae812d2ce6396e809686620547bea05074f6f" - hash = "01e024cb14b34b6d525c642a710bfa14497ea20fd287c39ba404b10a8b143ece" - hash = "ecfc52a22e4a41bf53865b0e28309411c60af34a44e31a5c53cdc8c5733e8282" - date = "2023-06-14" - score = 70 - id = "cc5590d8-d1c0-5abe-86ee-c68bf005031d" - strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100540053005a0049004f0020004400720069007600650072 } /* FileDescription ATSZIODriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530055005300540065006b00200043006f006d0070007500740065007200200049006e0063002e } /* CompanyName ASUSTekComputerInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0030002e0032002e0031002e0037 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0030002e0032002e0031002e0037 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100540053005a0049004f002e007300790073 } /* InternalName ATSZIOsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100540053005a0049004f0020004400720069007600650072 } /* ProductName ATSZIODriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100540053005a0049004f002e007300790073 } /* OriginalFilename ATSZIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310032 } /* LegalCopyright CopyrightC */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ATSZIO/i -} - - -rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_BCFC { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "bcfc2c9883e6c1b8429be44cc4db988a9eecb544988fbd756d18cfca6201876f" - date = "2023-06-14" - score = 70 - id = "515d9838-49af-5f17-aed3-47386b5ea8aa" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e00330030002e0030002e0031003000340039 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00330030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100370020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 500KB and all of them and not filename matches /TmComm/i -} - - -rule PUA_VULN_Renamed_Driver_Windowsrddkprovider_Gdrvsys_Windowsrddkdriver_F4FF { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "f4ff679066269392f6b7c3ba6257fc60dd609e4f9c491b00e1a16e4c405b0b9b" - hash = "cfc5c585dd4e592dd1a08887ded28b92d9a5820587b6f4f8fa4f56d60289259b" - date = "2023-06-14" - score = 70 - id = "5b79a437-d01b-588e-9ebb-b9ec5eaaffcc" - strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041004200590054004500200054006f006f006c0073 } /* FileDescription GIGABYTETools */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200032003000300030002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRDDKprovider */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00300030002e0032003100390035002e0031003600320030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00300030002e0032003100390035002e0031003600320030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0067006400720076002e007300790073 } /* InternalName gdrvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200032003000300030002000440044004b0020006400720069007600650072 } /* ProductName WindowsRDDKdriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0067006400720076002e007300790073 } /* OriginalFilename gdrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d006900630072006f0073006f0066007400200043006f00720070002e00200031003900380031002d0031003900390039 } /* LegalCopyright CopyrightCMicrosoftCorp */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /gdrv/i -} - - -rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_DBC6 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "dbc604b4e01362a3e51357af4a87686834fe913852a4e0a8c0d4c1a0f7d076ed" - date = "2023-06-14" - score = 70 - id = "a949774e-d4d6-50bb-b95c-b9964f2c9054" - strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00350030002e0030002e0031003000340031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00350030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100340020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /TmComm/i -} - - -rule PUA_VULN_Renamed_Driver_Corsairmemoryinc_Corsairllaccess_Corsairllaccess_F15A { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - CorsairLLAccess64.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "f15ae970e222ce06dbf3752b223270d0e726fb78ebec3598b4f8225b5a0880b1" - date = "2023-06-14" - score = 70 
- id = "6effbb24-7e9f-5ba2-85fc-348719c1875d" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* FileDescription CorsairLLAccess */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0043006f007200730061006900720020004d0065006d006f00720079002c00200049006e0063002e } /* CompanyName CorsairMemoryInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310035002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310035002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* InternalName CorsairLLAccess */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* ProductName CorsairLLAccess */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* OriginalFilename CorsairLLAccess */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007200730061006900720020004d0065006d006f00720079002c00200049006e0063002e002000280063002900200032003000310039002c00200041006c006c0020007200690067006800740073002000720065007300650072007600650064 } /* LegalCopyright CorsairMemoryInccAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /CorsairLLAccess64/i -} - - -rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_4E37 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = 
"4e37592a2a415f520438330c32cfbdbd6af594deef5290b2fa4b9722b898ff69" - date = "2023-06-14" - score = 70 - id = "8d7f71b6-6477-58ed-8840-01f1431354d3" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00370030002e0030002e0031003100340030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00370030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003200310020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /TmComm/i -} - - -rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_ECD0 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" - author = "Florian Roth" - reference = 
"https://github.com/magicsword-io/LOLDrivers" - hash = "ecd07df7ad6fee9269a9e9429eb199bf3e24cf672aa1d013b7e8d90d75324566" - date = "2023-06-14" - score = 70 - id = "dd403a42-674c-55b6-b22e-1b6abd0d64ad" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e0030002e0030002e0031003100370036 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100390020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 400KB and all of them and not filename matches /TmComm/i -} - - -rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpot_Avastantivirus_36E3 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - 
aswArPot.sys, avgArPot.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "36e3127f045ef1fa7426a3ff8c441092d3b66923d2b69826034e48306609e289" - date = "2023-06-14" - score = 70 - id = "4a38e7a2-564f-5e50-85ee-cd0d60a7e584" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0033002e00360038002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0033002e00360038002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300032003000200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ - condition: - uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i -} - - -rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_FDA9 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" - author = "Florian Roth" - reference = 
"https://github.com/magicsword-io/LOLDrivers" - hash = "fda93c6e41212e86af07f57ca95db841161f00b08dae6304a51b467056e56280" - date = "2023-06-14" - score = 70 - id = "3f866c44-1ed4-5b68-b137-6c5867dbd23c" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00370030002e0030002e0031003100310037 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00370030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100390020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 400KB and all of them and not filename matches /TmComm/i -} - - -rule PUA_VULN_Renamed_Driver_Biostargroup_Iodriver_Biostariodriver_D205 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - 
BS_RCIO64.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "d205286bffdf09bc033c09e95c519c1c267b40c2ee8bab703c6a2d86741ccd3e" - date = "2023-06-14" - score = 70 - id = "e20746e7-2863-50ad-9b62-2a0e68a229be" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049002f004f00200049006e00740065007200660061006300650020006400720069007600650072002000660069006c0065 } /* FileDescription IOInterfacedriverfile */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00420049004f0053005400410052002000470072006f00750070 } /* CompanyName BIOSTARGroup */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0030002e0031003900300031002e0031003100300030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0030002e0031003900300031002e0031003100300030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0049002f004f0020006400720069007600650072 } /* InternalName IOdriver */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00420049004f005300540041005200200049002f004f0020006400720069007600650072 } /* ProductName BIOSTARIOdriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00420053005f005200430049004f00360034002e007300790073 } /* OriginalFilename BSRCIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200032003000310038002d0032003000310039002000420049004f0053005400410052002000470072006f00750070 } /* LegalCopyright CopyrightcBIOSTARGroup */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /BS_RCIO64/i -} - - -rule PUA_VULN_Renamed_Driver_Windowsrwinddkprovider_Amifldrvsys_Windowsrwinddkdriver_38D8 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - 
amifldrv64.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "38d87b51f4b69ba2dae1477684a1415f1a3b578eee5e1126673b1beaefee9a20" - hash = "ffc72f0bde21ba20aa97bee99d9e96870e5aa40cce9884e44c612757f939494f" - date = "2023-06-14" - score = 70 - id = "4b8f46b5-c709-5fdf-a6d6-1cf7745fc989" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0049002000470065006e00650072006900630020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription AMIGenericUtilityDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0030002e00310030003000310031002e00310036003300380034 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0030002e00310030003000310031002e00310036003300380034 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0061006d00690066006c006400720076002e007300790073 } /* InternalName amifldrvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b0020006400720069007600650072 } /* ProductName WindowsRWinDDKdriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0061006d00690066006c006400720076002e007300790073 } /* OriginalFilename amifldrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not 
filename matches /amifldrv64/i -} - - -rule PUA_VULN_Renamed_Driver_Highresolutionenterpriseswwwhighrezcouk_Inpoutxsys_Inpoutxdriverversion_X_F581 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - inpoutx64.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "f581decc2888ef27ee1ea85ea23bbb5fb2fe6a554266ff5a1476acd1d29d53af" - hash = "f8965fdce668692c3785afa3559159f9a18287bc0d53abb21902895a8ecf221b" - hash = "2d83ccb1ad9839c9f5b3f10b1f856177df1594c66cbbc7661677d4b462ebf44d" - date = "2023-06-14" - score = 70 - id = "8a86b8d4-fc20-5b4e-9ff7-f19d229d7eff" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b00650072006e0065006c0020006c006500760065006c00200070006f0072007400200061006300630065007300730020006400720069007600650072 } /* FileDescription Kernellevelportaccessdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0048006900670068007200650073006f006c007500740069006f006e00200045006e0074006500720070007200690073006500730020005b007700770077002e006800690067006800720065007a002e0063006f002e0075006b005d } /* CompanyName HighresolutionEnterpriseswwwhighrezcouk */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003200200078003600340020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion xbuiltbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00320020007800360034 } /* ProductVersion x */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0069006e0070006f00750074007800360034002e007300790073 } /* InternalName inpoutxsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0069006e0070006f007500740078003600340020004400720069007600650072002000560065007200730069006f006e00200031002e0032 } /* ProductName inpoutxDriverVersion */ - $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0069006e0070006f00750074007800360034002e007300790073 } /* OriginalFilename inpoutxsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300030003800200048006900670068007200650073006f006c007500740069006f006e00200045006e007400650072007000720069007300650073002e00200050006f007200740069006f006e007300200043006f007000790072006900670068007400200028006300290020004c006f00670069007800340075 } /* LegalCopyright CopyrightcHighresolutionEnterprisesPortionsCopyrightcLogixu */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /inpoutx64/i -} - - -rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_12ED { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "12eda8b65ed8c1d80464a0c535ea099dffdb4981c134294cb0fa424efc85ee56" - date = "2023-06-14" - score = 70 - id = "616ba0c6-a6fe-550c-9e04-bbeba84118ba" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00370030002e0030002e0031003100320031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00370030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100390020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 400KB and all of them and not filename matches /TmComm/i -} - - -rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_EBE2 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "ebe2e9ec6d5d94c2d58fbcc9d78c5f0ee7a2f2c1aed6d1b309f383186d11dfa3" - date = "2023-06-14" - score = 70 - id = "d8069eed-ff86-59ff-a410-12a8f57764e2" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0032002e0034003100350037002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0032002e0034003100350037002e0030 } /* ProductVersion */ - $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003900200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ - condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i -} - - -rule PUA_VULN_Renamed_Driver_Corsairmemoryinc_Corsairllaccess_Corsairllaccess_A334 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - CorsairLLAccess64.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "a334bdf0c0ab07803380eb6ef83eefe7c147d6962595dd9c943a6a76f2200b0d" - hash = "000547560fea0dd4b477eb28bf781ea67bf83c748945ce8923f90fdd14eb7a4b" - date = "2023-06-14" - score = 70 - id = "08d52deb-a03e-5738-8416-71071d8f683a" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* FileDescription CorsairLLAccess */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0043006f007200730061006900720020004d0065006d006f00720079002c00200049006e0063002e } /* CompanyName CorsairMemoryInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310038002e0030 } /* FileVersion */ - $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310038002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* InternalName CorsairLLAccess */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* ProductName CorsairLLAccess */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* OriginalFilename CorsairLLAccess */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007200730061006900720020004d0065006d006f00720079002c00200049006e0063002e002000280063002900200032003000310039002c00200041006c006c0020007200690067006800740073002000720065007300650072007600650064 } /* LegalCopyright CorsairMemoryInccAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /CorsairLLAccess64/i -} - - -rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_1C12 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "1c1251784e6f61525d0082882a969cb8a0c5d5359be22f5a73e3b0cd38b51687" - date = "2023-06-14" - score = 70 - id = "3ab90f44-3463-5e71-8637-b85450e8f45d" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 
00460069006c006500560065007200730069006f006e[1-8]0035002e00350030002e0030002e0031003100320034 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00350030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100350020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /TmComm/i -} - - -rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroaegis_4BC0 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "4bc0921ffd4acc865525d3faf98961e8decc5aec4974552cbbf2ae8d5a569de4" - date = "2023-06-14" - score = 70 - id = "d348bd57-9044-5fcd-905f-795ae2e5adc4" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e00320030002e0030002e0031003000310032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e00320030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f002000410045004700490053 } /* ProductName TrendMicroAEGIS */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300035002d00320030003100300020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /TmComm/i -} - - -rule PUA_VULN_Renamed_Driver_Iobitinformationtechnology_Iobitunlockersys_Unlocker_F85C { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - IObitUnlocker.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "f85cca4badff17d1aa90752153ccec77a68ad282b69e3985fdc4743eaea85004" - date = "2023-06-14" - score = 70 - id = "25ccdffd-65c4-52aa-9bd3-1bd219b28ad0" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0055006e006c006f0063006b006500720020004400720069007600650072 } 
/* FileDescription UnlockerDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049004f00620069007400200049006e0066006f0072006d006100740069006f006e00200054006500630068006e006f006c006f00670079 } /* CompanyName IObitInformationTechnology */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0033002e0030002e00310030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0033002e0030002e00310030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0049004f0062006900740055006e006c006f0063006b00650072002e007300790073 } /* InternalName IObitUnlockersys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0055006e006c006f0063006b00650072 } /* ProductName Unlocker */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0049004f0062006900740055006e006c006f0063006b00650072002e007300790073 } /* OriginalFilename IObitUnlockersys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a900200049004f006200690074002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright IObitAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /IObitUnlocker/i -} - - -rule PUA_VULN_Renamed_Driver_Razerinc_Rzpnk_Rzpnk_93D8 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "93d873cdf23d5edc622b74f9544cac7fe247d7a68e1e2a7bf2879fad97a3ae63" - date = "2023-06-14" - score = 70 - id = "d7f84859-7bbf-5077-bb7a-e3de30f7a458" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003100350035 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003100350035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310037002e002000520061007a00650072002c00200049006e0063002e } /* LegalCopyright CopyrightCRazerInc */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /rzpnk/i -} - - -rule PUA_VULN_Renamed_Driver_Wisecleanercom_Wiseunlosys_Wiseunlo_358A { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WiseUnlo.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "358ac54be252673841a1d65bfc2fb6d549c1a4c877fa7f5e1bfa188f30375d69" - date = "2023-06-14" - score = 70 - id = "7c0bdc84-8e81-5a5f-be68-c166478147fb" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069007300650055006e006c006f } /* FileDescription WiseUnlo */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069007300650043006c00650061006e00650072002e0063006f006d } /* CompanyName WiseCleanercom */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0032002e00310033 } /* FileVersion */ 
- $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0032002e00310033 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00570069007300650055006e006c006f002e007300790073 } /* InternalName WiseUnlosys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069007300650055006e006c006f } /* ProductName WiseUnlo */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00570069007300650055006e006c006f002e007300790073 } /* OriginalFilename WiseUnlosys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000310035 } /* LegalCopyright Copyright */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /WiseUnlo/i -} - - -rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_9B6A { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "9b6a84f7c40ea51c38cc4d2e93efb3375e9d98d4894a85941190d94fbe73a4e4" - date = "2023-06-14" - score = 70 - id = "6c6c46f1-00ad-5a6f-89f4-7fd7911676ac" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310036002e00320037 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310036002e00320037 } /* ProductVersion */ - $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d00610072006b002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000310039 } /* LegalCopyright CopyrightCMarkRussinovich */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /procexp/i -} - - -rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_7D43 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "7d43769b353d63093228a59eb19bba87ce6b552d7e1a99bf34a54eee641aa0ea" - date = "2023-06-14" - score = 70 - id = "ae0da285-f043-5d20-8157-8b33c827f488" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310037002e0039002e0033003700360031002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310037002e0039002e0033003700360031002e0030 } /* ProductVersion */ - 
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310034002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ - condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i -} - - -rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Aegis_ADC1 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "adc10de960f40fa9f6e28449748250fa9ddfd331115b77a79809a50c606753ee" - date = "2023-06-14" - score = 70 - id = "a2496fca-4e17-54a1-af5b-016e74c3adaa" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0032002e0030002e0031003000310036 } /* FileVersion */ - $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0032 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410045004700490053 } /* ProductName AEGIS */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300035002d00320030003000380020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /TmComm/i -} - - -rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_9491 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "94911fe6f2aba9683b10353094caf71ee4a882de63b4620797629d79f18feec5" - date = "2023-06-14" - score = 70 - id = "e8f74917-d750-52e4-a9d0-832620ef8b24" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ - $ = { 
00460069006c006500560065007200730069006f006e[1-8]00320030002e0034002e00380033002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0034002e00380033002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000320030002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ - condition: - uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i -} - - -rule PUA_VULN_Renamed_Driver_Fujitsulimited_Advdrvsys_Microsoftrwindowsroperatingsystem_04A8 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ADV64DRV.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "04a85e359525d662338cae86c1e59b1d7aa9bd12b920e8067503723dc1e03162" - date = "2023-06-14" - score = 70 - id = "0fa674cc-8084-5a92-804b-3572af484c63" - strings: - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00460055004a00490054005300550020004c0049004d0049005400450044002e } /* CompanyName FUJITSULIMITED */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002c00200030002c00200030002c00200030 } /* FileVersion */ - $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0032002c00200030002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00410044005600360034004400520056002e007300790073 } /* InternalName ADVDRVsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d006900630072006f0073006f006600740052002000570069006e0064006f0077007300520020004f007000650072006100740069006e0067002000530079007300740065006d } /* ProductName MicrosoftRWindowsROperatingSystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00410044005600360034004400520056002e007300790073 } /* OriginalFilename ADVDRVsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002800430029002000460055004a00490054005300550020004c0049004d004900540045004400200032003000300035 } /* LegalCopyright CopyrightCFUJITSULIMITED */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ADV64DRV/i -} - - -rule PUA_VULN_Renamed_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmasterservicedriver_FF96 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDRyzenMasterDriver.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "ff9623317287358440ec67da9ba79994d9b17b99ffdd709ec836478fe1fc22a5" - date = "2023-06-14" - score = 70 - id = "d857b678-5cd6-5784-b9ae-b5171c811a9d" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073 } /* CompanyName 
AdvancedMicroDevices */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0034002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0034002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* InternalName AMDRyzenMasterDriversys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* ProductName AMDRyzenMasterServiceDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* OriginalFilename AMDRyzenMasterDriversys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020003200300031003900200041004d0044002c00200049006e0063002e } /* LegalCopyright CopyrightAMDInc */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /AMDRyzenMasterDriver/i -} - - -rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_7795 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "77950e2a40ac0447ae7ee1ee3ef1242ce22796a157074e6f04e345b1956e143c" - date = "2023-06-14" - score = 70 - id = "dce72757-4557-559c-89d3-3c526628ccbd" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0020002000200020002000200020002000200020002000200020002000200020 } /* FileDescription */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310035002e00300030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310035002e00300030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0020002000200020002000200020002000200020002000200020002000200020 } /* ProductName */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d00610072006b002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000310034 } /* LegalCopyright CopyrightCMarkRussinovich */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /procexp/i -} - - -rule PUA_VULN_Renamed_Driver_Sisoftware_Sandra_Sisoftwaresandra_B019 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SANDRA" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "b019ebd77ac19cdd72bba3318032752649bd56a7576723a8ae1cccd70ee1e61a" - date = "2023-06-14" - score = 70 - id = "a83e9bdc-24f4-54a1-aad9-80e84b9e3502" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003300320020007800380036002900280055006e00690063006f006400650029 } /* 
FileDescription SandraDeviceDriverWinxUnicode */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300690053006f006600740077006100720065 } /* CompanyName SiSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0037002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0037002e0031002e0031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530041004e004400520041 } /* InternalName SANDRA */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300690053006f006600740077006100720065002000530061006e006400720061 } /* ProductName SiSoftwareSandra */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530041004e004400520041 } /* OriginalFilename SANDRA */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d0032003000300037002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightSiSoftwareLtdAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /SANDRA/i -} - - -rule PUA_VULN_Renamed_Driver_Advancedmicrodevicesinc_Amdpowerprofilersys_Amduprof_0AF5 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDPowerProfiler.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "0af5ccb3d33a9ba92071c9637be6254030d61998733a5eb3583e865e17844e05" - date = "2023-06-14" - score = 70 - id = "7c820b70-f985-596b-8426-05035c0bfafc" - strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d004400200050006f007700650072002000500072006f00660069006c0069006e00670020004400720069007600650072 } /* FileDescription AMDPowerProfilingDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073002c00200049006e0063002e } /* CompanyName AdvancedMicroDevicesInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0034002e003400390033002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004d00440050006f00770065007200500072006f00660069006c00650072002e007300790073 } /* InternalName AMDPowerProfilersys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004d00440020007500500072006f0066 } /* ProductName AMDuProf */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004d00440050006f00770065007200500072006f00660069006c00650072002e007300790073 } /* OriginalFilename AMDPowerProfilersys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020003200300032003100200041004d004400200049006e0063002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright AMDIncAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /AMDPowerProfiler/i -} - - -rule PUA_VULN_Renamed_Driver_Realtek_Rtkiosys_Realtekiodriver_074A { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio64.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "074ae477c8c7ae76c6f2b0bf77ac17935a8e8ee51b52155d2821d93ab30f3761" - date = "2023-06-14" - score = 70 - id = 
"9f1349f3-a816-5209-bf11-d84dfa035169" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300036002e0030003100310038002e00320030003100370020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300036002e0030003100310038002e0032003000310037 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* InternalName rtkiosys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f00200044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* OriginalFilename rtkiosys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100370020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all 
of them and not filename matches /rtkio64/i -} - - -rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_98B7 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "98b734dda78c16ebcaa4afeb31007926542b63b2f163b2f733fa0d00dbb344d8" - date = "2023-06-14" - score = 70 - id = "7fc1fa6a-9c53-51b8-8c41-cdffe6baa132" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f0072002000440065006200750067004c00450044 } /* FileDescription NTIOLibforDebugLED */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100330020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /NTIOLib/i -} - - -rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_9A95 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project 
using VersionInfo values from the PE header - zam64.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "9a95a70f68144980f2d684e96c79bdc93ebca1587f46afae6962478631e85d0c" - date = "2023-06-14" - score = 70 - id = "96f9b580-772e-5b98-ad82-06fcd246a980" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } /* CompanyName ZemanaLtd */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00310036002e003200380037 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /zam64/i -} - - -rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_19BF { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "19bf0d0f55d2ad33ef2d105520bde8fb4286f00e9d7a721e3c9587b9408a0775" - date = "2023-06-14" - score = 70 - id = "200441c8-14b2-5c30-afe7-2b1a0a979827" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300033002e0030002e00340020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300033002e0030002e0034 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003100200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /iQVW64/i -} - - -rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_2BBC { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "2bbc6b9dd5e6d0327250b32305be20c89b19b56d33a096522ee33f22d8c82ff1" - date = "2023-06-14" - score = 70 - id = "0c7fa8ed-1c1b-524a-b81d-62c145832fd9" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } /* CompanyName ZemanaLtd */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00310038002e003300370031 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /zam64/i -} - - -rule PUA_VULN_Renamed_Driver_Logitechinc_Lvavsys_Logitechwebcamsoftware_E86C { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Lv561av.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "e86cb77de7b6a8025f9a546f6c45d135f471e664963cf70b381bee2dfd0fdef4" - date = "2023-06-14" - score = 70 - id = "599205df-343a-5d3d-9894-c1d1f67e8805" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c006f00670069007400650063006800200056006900640065006f0020004400720069007600650072 } /* FileDescription LogitechVideoDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004c006f00670069007400650063006800200049006e0063002e } /* CompanyName LogitechInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310032002e00300030002e0031003200370038002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310032002e00300030002e0031003200370038002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004c007600350036003100610076002e007300790073 } /* InternalName Lvavsys */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]004c006f006700690074006500630068002000570065006200630061006d00200053006f006600740077006100720065 } /* ProductName LogitechWebcamSoftware */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004c007600350036003100610076002e007300790073 } /* OriginalFilename Lvavsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280063002900200031003900390036002d00320030003000390020004c006f006700690074006500630068002e002000200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright cLogitechAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 600KB and all of them and not filename matches /Lv561av/i -} - - -rule PUA_VULN_Renamed_Driver_Hpinc_Hpportioxsys_Hpportio_C505 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HpPortIox64.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "c5050a2017490fff7aa53c73755982b339ddb0fd7cef2cde32c81bc9834331c5" - date = "2023-06-14" - score = 70 - id = "668c02d0-dabf-598f-8c90-5d6f0e3399e2" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800700050006f007200740049006f } /* FileDescription HpPortIo */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0048005000200049006e0063002e } /* CompanyName HPInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e0039 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0039 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800700050006f007200740049006f007800360034002e007300790073 } /* InternalName HpPortIoxsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800700050006f007200740049006f } /* ProductName HpPortIo */ - $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800700050006f007200740049006f007800360034002e007300790073 } /* OriginalFilename HpPortIoxsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000320030002d003200300032003100200048005000200049006e0063002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCHPIncAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /HpPortIox64/i -} - - -rule PUA_VULN_Renamed_Driver_Realtek_Rtkiowxsys_Realtekiodriver_AB8F { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio64.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "ab8f2217e59319b88080e052782e559a706fa4fb7b8b708f709ff3617124da89" - date = "2023-06-14" - score = 70 - id = "f8eac5b8-e6b4-5749-aa2a-a5e7feefd389" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300039002e0030003700300039002e0032003000320030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300039002e0030003700300039002e0032003000320030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f007700310030007800360034002e0073007900730020 } /* 
InternalName rtkiowxsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f00200044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f007700310030007800360034002e0073007900730020 } /* OriginalFilename rtkiowxsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003200300020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /rtkio64/i -} - - -rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_2CE8 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "2ce81759bfa236913bbbb9b2cbc093140b099486fd002910b18e2c6e31fdc4f1" - date = "2023-06-14" - score = 70 - id = "fe86a574-2863-59d4-8021-d1a16d3f8cb2" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ - $ = { 
00460069006c006500560065007200730069006f006e[1-8]00320030002e00310030002e003100370031002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e00310030002e003100370031002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000320030002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ - condition: - uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i -} - - -rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_9254 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "9254f012009d55f555418ff85f7d93b184ab7cb0e37aecdfdab62cfe94dea96b" - date = "2023-06-14" - score = 70 - id = "cc1da8e7-b6ef-5580-93f3-d1d0ce2ddac7" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f00720020004d00530049004400440052005f00430043 } /* FileDescription NTIOLibforMSIDDRCC */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */ - $ = { 
00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002d00320030003000390020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /NTIOLib/i -} - - -rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_4429 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NalDrv.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b" - hash = "a59c40e7470b7003e8adfee37c77606663e78d7e3f2ebb8d60910af19924d8df" - date = "2023-06-14" - score = 70 - id = "940ec295-fcb3-58ed-94fc-41d27943ff0e" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300033002e0030002e00370020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300033002e0030002e0037 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003300200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /NalDrv/i -} - - -rule PUA_VULN_Renamed_Driver_Realtek_Rtkiowxsys_Realtekiodriver_32E1 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkiow10x64.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "32e1a8513eee746d17eb5402fb9d8ff9507fb6e1238e7ff06f7a5c50ff3df993" - date = "2023-06-14" - score = 70 - id = "062699e5-a4c4-5428-9867-450293bd591f" - strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300038002e0030003800320033002e0032003000310037 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300038002e0030003800320033002e0032003000310037 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f007700310030007800360034002e0073007900730020 } /* InternalName rtkiowxsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f00200044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f007700310030007800360034002e0073007900730020 } /* OriginalFilename rtkiowxsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100370020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /rtkiow10x64/i -} - - -rule 
PUA_VULN_Renamed_Driver_Micsystechnologycoltd_Msiosys_Msiodriverversion_X_43BA { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - MsIo64.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "43ba8d96d5e8e54cab59d82d495eeca730eeb16e4743ed134cdd495c51a4fc89" - date = "2023-06-14" - score = 70 - id = "8db66d7c-9c5b-5ec5-a0d3-6eeac0faad51" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d004900430053005900530020006400720069007600650072 } /* FileDescription MICSYSdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d0049004300530059005300200054006500630068006e006f006c006f0067007900200043006f002e002c0020004c00540064 } /* CompanyName MICSYSTechnologyCoLTd */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003100200078003600340020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion xbuiltbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00310020007800360034 } /* ProductVersion x */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004d00730049006f00360034002e007300790073 } /* InternalName MsIosys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d00730049006f003600340020004400720069007600650072002000560065007200730069006f006e00200031002e0031 } /* ProductName MsIoDriverVersion */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004d00730049006f00360034002e007300790073 } /* OriginalFilename MsIosys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003100390020004d00490043005300590053 } /* LegalCopyright CopyrightcMICSYS */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /MsIo64/i -} - - -rule 
PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_1078 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "1078af0c70e03ac17c7b8aa5ee03593f5decfef2f536716646a4ded1e98c153c" - date = "2023-06-14" - score = 70 - id = "d8ad2385-f6ec-54df-b61e-e39d7e42ab9f" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0033002e0034003200330039002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0033002e0034003200330039002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310039002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ - condition: 
- uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i -} - - -rule PUA_VULN_Renamed_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_26C2 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "26c28746e947389856543837aa59a5b1f4697e5721a04d00aa28151a2659b097" - date = "2023-06-14" - score = 70 - id = "a054c49f-545a-50e4-9233-aa02e16be947" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050006e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPnPDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0047004900470041002d004200590054004500200054004500430048004e004f004c004f0047005900200043004f002e002c0020004c00540044002e } /* CompanyName GIGABYTETECHNOLOGYCOLTD */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0035 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0067006400720076002e007300790073 } /* InternalName gdrvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0047004900470041002d004200590054004500200053006f0066007400770061007200650020006400720069007600650072 } /* ProductName GIGABYTESoftwaredriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0067006400720076002e007300790073 } /* OriginalFilename gdrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310037 } /* LegalCopyright CopyrightC */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all 
of them and not filename matches /gdrv/i -} - - -rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_CC68 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "cc687fe3741bbde1dd142eac0ef59fd1d4457daee43cdde23bb162ef28d04e64" - date = "2023-06-14" - score = 70 - id = "699ffd4c-b617-5176-8309-f29c2cb00441" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e00330030002e0030002e0031003000390039 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00330030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100380020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ - condition: - 
uint16(0) == 0x5a4d and filesize < 500KB and all of them and not filename matches /TmComm/i -} - - -rule PUA_VULN_Renamed_Driver_Windowsrcodenamelonghornddkprovider_Cpudriver_Windowsrcodenamelonghornddkdriver_159E { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WCPU.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "159e7c5a12157af92e0d14a0d3ea116f91c09e21a9831486e6dc592c93c10980" - date = "2023-06-14" - score = 70 - id = "c8838651-0a16-565f-8d0a-0bafb7655f34" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041005300550053002000540044004500200043005000550020004400720069007600650072 } /* FileDescription ASUSTDECPUDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRCodenameLonghornDDKprovider */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e003100360033003800360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e00310036003300380036 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043005000550020004400720069007600650072 } /* InternalName CPUDriver */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b0020006400720069007600650072 } /* ProductName WindowsRCodenameLonghornDDKdriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043005000550020004400720069007600650072 } /* OriginalFilename 
CPUDriver */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020006200790020004100530055005300540065006b00200043004f004d0050005500540045005200200049004e0043002e00200032003000300036 } /* LegalCopyright CopyrightbyASUSTekCOMPUTERINC */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /WCPU/i -} - - -rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_1DDF { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "1ddfe4756f5db9fb319d6c6da9c41c588a729d9e7817190b027b38e9c076d219" - date = "2023-06-14" - score = 70 - id = "2dd7f773-866a-5d1b-9048-9f632a5940fd" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* FileDescription NTIOLib */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0033 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0033 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100360020004d006900630072006f002d005300740061007200200049004e00540027004c00200043004f002e002c0020004c00540044002e } /* 
LegalCopyright CopyrightCMicroStarINTLCOLTD */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /NTIOLib/i -} - - -rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_654C { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "654c5ba47f74008c8f49cbb97988017eec8c898adc3bb851bc6e1fdf9dcf54ad" - date = "2023-06-14" - score = 70 - id = "8ecfdace-3521-59b7-8f71-357e6aa89f12" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0030002e0030002e0031003000370032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100330020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /TmComm/i -} - - -rule PUA_VULN_Renamed_Driver_Marvintestsolutionsinc_Hwsys_Hw_FD38 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HW.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "fd388cf1df06d419b14dedbeb24c6f4dff37bea26018775f09d56b3067f0de2c" - hash = "6a4875ae86131a594019dec4abd46ac6ba47e57a88287b814d07d929858fe3e5" - date = "2023-06-14" - score = 70 - id = "7d87c723-84b9-56cd-84e1-ef5cdbd61d13" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570020002d002000570069006e0064006f007700730020004e0054002d00380020002800330032002f00360034002000620069007400290020006b00650072006e0065006c0020006d006f00640065002000640072006900760065007200200066006f007200200050004300200070006f007200740073002f006d0065006d006f00720079002f0050004300490020006100630063006500730073 } /* FileDescription HWWindowsNTbitkernelmodedriverforPCportsmemoryPCIaccess */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d0061007200760069006e0020005400650073007400200053006f006c007500740069006f006e0073002c00200049006e0063002e } /* CompanyName MarvinTestSolutionsInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0034002e0038002e0032002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002e0038002e0032002e0030 } /* ProductVersion */ - $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]00480077002e007300790073 } /* InternalName Hwsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00480057 } /* ProductName HW */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00480057002e007300790073 } /* OriginalFilename HWsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200031003900390036002d00320030003100350020004d0061007200760069006e0020005400650073007400200053006f006c007500740069006f006e0073002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightMarvinTestSolutionsIncAllRightsReserved */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /HW/i -} - - -rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_6E0A { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "6e0aa67cfdbe27a059cbd066443337f81c5b6d37444d14792d1c765d9d122dcf" - date = "2023-06-14" - score = 70 - id = "cf02e07e-5d9c-55ee-a253-3a1c28ee77bc" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0036002e0034003200330035002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0036002e0034003200330035002e0030 } /* 
ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310039002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ - condition: - uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i -} - - -rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_A2F4 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "a2f45d95d54f4e110b577e621fefa0483fa0e3dcca14c500c298fb9209e491c1" - date = "2023-06-14" - score = 70 - id = "ffbaa9ba-f68a-554a-9fe8-544bb2e4880f" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ - $ = { 
00460069006c006500560065007200730069006f006e[1-8]00310039002e0032002e0034003100380031002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0032002e0034003100380031002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310039002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ - condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i -} - - -rule PUA_VULN_Renamed_Driver_Nvidiacorporation_Nvflash_Nvidiaflashdriver_AFDD { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvflash.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "afdd66562dea51001c3a9de300f91fc3eb965d6848dfce92ccb9b75853e02508" - date = "2023-06-14" - score = 70 - id = "43d4d647-32f2-5838-9182-c72420786bdb" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e0056004900440049004100200046006c0061007300680020004400720069007600650072002c002000560065007200730069006f006e00200031002e0038002e0030 } /* FileDescription NVIDIAFlashDriverVersion */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056004900440049004100200043006f00720070006f0072006100740069006f006e } /* CompanyName NVIDIACorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0038002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0038002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e00760066006c006100730068 } /* InternalName nvflash */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e0056004900440049004100200046006c0061007300680020004400720069007600650072 } /* ProductName NVIDIAFlashDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00760066006c006100730068002e007300790073 } /* OriginalFilename nvflashsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]002800430029002000320030003100370020004e0056004900440049004100200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CNVIDIACorporationAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nvflash/i -} - - -rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_F85E { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "f85eb576acb5db0d2f48e5f09a7244165a876fa1ca8697ebb773e4d7071d4439" - date = "2023-06-14" - score = 70 - id = "4dd6a8d8-f4b0-5a4f-889f-288c3c58564c" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription 
ElbyCDWindowsNTXPIOdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200034 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ElbyCDIO/i -} - - -rule PUA_VULN_Renamed_Driver_Vektortsecurityservice_Vboxdrv_Antidetectpublicbyvektortrev_26F4 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxDrv.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "26f41e4268be59f5de07552b51fa52d18d88be94f8895eb4a16de0f3940cf712" - date = "2023-06-14" - score = 70 - id = "3ad3446c-e086-5f48-9494-b40dc410d350" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]00560065006b0074006f0072002000540031003300200053006500630075007200690074007900200053006500720076006900630065 } /* CompanyName VektorTSecurityService */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e003100310039003200330030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e003100310039003200330030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078004400720076 } /* InternalName VBoxDrv */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041006e00740069006400650074006500630074002000320030003100380020005000750062006c00690063002000620079002000560065006b0074006f0072002000540031003300200028007200650076002e003000350029 } /* ProductName AntidetectPublicbyVektorTrev */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078004400720076002e007300790073 } /* OriginalFilename VBoxDrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300039002d00320030003100380020004f007200610063006c006500200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCOracleCorporation */ - condition: - uint16(0) == 0x5a4d and filesize < 400KB and all of them and not filename matches /VBoxDrv/i -} - - -rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_3C42 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "3c4207c90c97733fae2a08679d63fbbe94dfcf96fdfdf88406aa7ab3f80ea78f" - date = "2023-06-14" - score = 70 - id = "aecc5ac9-d563-53cd-8c12-c8c21bd69772" - strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00370030002e0030002e0031003100320038 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00370030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003200300020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 400KB and all of them and not filename matches /TmComm/i -} - - -rule PUA_VULN_Renamed_Driver_Asustekcomputerinc_Atsziosys_Atsziodriver_55A1 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ATSZIO.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "55a1535e173c998fbbc978009b02d36ca0c737340d84ac2a8da73dfc2f450ef9" - hash = 
"c64d4ac416363c7a1aa828929544d1c1d78cf032b39769943b851cfc4c0faafc" - date = "2023-06-14" - score = 70 - id = "5486718a-942a-5c48-b2ba-619ec75f9a5f" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100540053005a0049004f0020004400720069007600650072 } /* FileDescription ATSZIODriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530055005300540065006b00200043006f006d0070007500740065007200200049006e0063002e } /* CompanyName ASUSTekComputerInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0030002e0032002e0031002e0036 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0030002e0032002e0031002e0036 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100540053005a0049004f002e007300790073 } /* InternalName ATSZIOsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100540053005a0049004f0020004400720069007600650072 } /* ProductName ATSZIODriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100540053005a0049004f002e007300790073 } /* OriginalFilename ATSZIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310032 } /* LegalCopyright CopyrightC */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ATSZIO/i -} - - -rule PUA_VULN_Renamed_Driver_Sisoftware_Sandra_Sisoftwaresandra_1AAF { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sandra.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "1aaf4c1e3cb6774857e2eef27c17e68dc1ae577112e4769665f516c2e8c4e27b" - date = "2023-06-14" - score = 70 - id = "af3aeaf1-cf11-534a-98ce-f0fc91a55594" - strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003600340020007800360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300690053006f006600740077006100720065 } /* CompanyName SiSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e00310031002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e00310031002e0031002e0031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530041004e004400520041 } /* InternalName SANDRA */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300690053006f006600740077006100720065002000530061006e006400720061 } /* ProductName SiSoftwareSandra */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530041004e004400520041 } /* OriginalFilename SANDRA */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d0032003000300038002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightSiSoftwareLtdAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /sandra/i -} - - -rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Aegis_C901 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = 
"c9014b03866bf37faa8fdb16b6af7cfec976aaef179fd5797d0c0bf8079d3a8c" - date = "2023-06-14" - score = 70 - id = "c982914b-d99f-5ff4-a520-285308d54947" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0030002e0031003100310038 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410045004700490053 } /* ProductName AEGIS */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300035002d00320030003000370020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /TmComm/i -} - - -rule PUA_VULN_Renamed_Driver_Symanteccorporation_Vproeventmonitorsys_Symanteceventmonitorsdriverdevelopmentedition_7877 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VProEventMonitor.sys" - author = "Florian Roth" - 
reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "7877c1b0e7429453b750218ca491c2825dae684ad9616642eff7b41715c70aca" - date = "2023-06-14" - score = 70 - id = "9c70d8f6-1bd9-5a04-be49-ba4eb5d3bbb3" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600500072006f004500760065006e0074004d006f006e00690074006f0072002e0053007900730020002d0020004500760065006e00740020004d006f006e00690074006f00720069006e00670020006400720069007600650072 } /* FileDescription VProEventMonitorSysEventMonitoringdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00530079006d0061006e00740065006300200043006f00720070006f0072006100740069006f006e } /* CompanyName SymantecCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e00340035003700300038 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]005600500072006f004500760065006e0074004d006f006e00690074006f0072002e005300790073 } /* InternalName VProEventMonitorSys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00530079006d0061006e0074006500630020004500760065006e00740020004d006f006e00690074006f00720073002000440072006900760065007200200044006500760065006c006f0070006d0065006e0074002000450064006900740069006f006e } /* ProductName SymantecEventMonitorsDriverDevelopmentEdition */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]005600500072006f004500760065006e0074004d006f006e00690074006f0072002e005300790073 } /* OriginalFilename VProEventMonitorSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000300037002d0032003000300038002000530079006d0061006e00740065006300200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } 
/* LegalCopyright CopyrightSymantecCorporationAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /VProEventMonitor/i -} - - -rule PUA_VULN_Renamed_Driver_Wj_Kprocesshacker_C725 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - krpocesshacker.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "c725919e6357126d512c638f993cf572112f323da359645e4088f789eb4c7b8c" - date = "2023-06-14" - score = 70 - id = "6fc3cdb0-6d5f-56f8-8f36-0ff5bef55de3" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b00500072006f0063006500730073004800610063006b00650072 } /* FileDescription KProcessHacker */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0077006a00330032 } /* CompanyName wj */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0038 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0038 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004b00500072006f0063006500730073004800610063006b00650072 } /* ProductName KProcessHacker */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006b00700072006f0063006500730073006800610063006b00650072002e007300790073 } /* OriginalFilename kprocesshackersys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]004c006900630065006e00730065006400200075006e006400650072002000740068006500200047004e0055002000470050004c002c002000760033002e } /* LegalCopyright LicensedundertheGNUGPLv */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /krpocesshacker/i -} - - -rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpot_Avastantivirus_7AD0 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using 
VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "7ad0ab23023bc500c3b46f414a8b363c5f8700861bc4745cecc14dd34bcee9ed" - date = "2023-06-14" - score = 70 - id = "0319c351-404e-5272-b0d5-952ce977838f" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0034002e00380033002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0034002e00380033002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300032003000200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ - condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i -} - - -rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_C082 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" - author = "Florian Roth" - 
reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "c082514317bf80a2f5129d84a5a55e411a95e32d03a4df1274537704c80e41dd" - date = "2023-06-14" - score = 70 - id = "87a0873b-23fb-5a11-a3f4-942f30cdcfa7" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00360030002e0030002e0031003000380034 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00360030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003200300020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 400KB and all of them and not filename matches /TmComm/i -} - - -rule PUA_VULN_Renamed_Driver_Creativetechnologyinnovationcoltd_Ctiiosys_Ctiiodriverversion_X_2121 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using 
VersionInfo values from the PE header - CtiIo64.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "2121a2bb8ebbf2e6e82c782b6f3c6b7904f686aa495def25cf1cf52a42e16109" - date = "2023-06-14" - score = 70 - id = "a8590fdf-3af6-5231-b089-bb07eef1e2d4" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00430054004900200049004f0020006400720069007600650072 } /* FileDescription CTIIOdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0043007200650061007400690076006500200054006500630068006e006f006c006f0067007900200049006e006e006f0076006100740069006f006e00200043006f002e002c0020004c00540064002e } /* CompanyName CreativeTechnologyInnovationCoLTd */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000200078003600340020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion xbuiltbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300020007800360034 } /* ProductVersion x */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043007400690049006f00360034002e007300790073 } /* InternalName CtiIosys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043007400690049006f003600340020004400720069007600650072002000560065007200730069006f006e00200031002e0030 } /* ProductName CtiIoDriverVersion */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043007400690049006f00360034002e007300790073 } /* OriginalFilename CtiIosys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003200310020004300540049 } /* LegalCopyright CopyrightcCTI */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /CtiIo64/i -} - - -rule PUA_VULN_Renamed_Driver_Ssmartsoftwaresolutionsgmbh_Sysdrvs_Sysdrvs_0E53 { - meta: - description = "Detects renamed vulnerable driver 
mentioned in LOLDrivers project using VersionInfo values from the PE header - SysDrv3S.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "0e53b58415fa68552928622118d5b8a3a851b2fc512709a90b63ba46acda8b6b" - date = "2023-06-14" - score = 70 - id = "820cc12f-f611-50d6-8091-4aca403d3e97" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530079007300440072007600330053 } /* FileDescription SysDrvS */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00330053002d0053006d00610072007400200053006f00660074007700610072006500200053006f006c007500740069006f006e007300200047006d00620048 } /* CompanyName SSmartSoftwareSolutionsGmbH */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002c0035002c0036002c0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0035002e0036002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530079007300440072007600330053 } /* InternalName SysDrvS */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00530079007300440072007600330053 } /* ProductName SysDrvS */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530079007300440072007600330053002e007300790073 } /* OriginalFilename SysDrvSsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000300036002d0032003000310034 } /* LegalCopyright Copyright */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /SysDrv3S/i -} - - -rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_14AD { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = 
"14adbf0bc43414a7700e5403100cff7fc6ade50bebfab16a17acf2fdda5a9da8" - date = "2023-06-14" - score = 70 - id = "92155ad4-0564-570b-8b9b-39ec68a937af" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310037002e0039002e0033003700350034002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310037002e0039002e0033003700350034002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003400200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ - condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i -} - - -rule PUA_VULN_Renamed_Driver_Windowsrserverddkprovider_Cpuzsys_Windowsrserverddkdriver_3871 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz_x64.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = 
"3871e16758a1778907667f78589359734f7f62f9dc953ec558946dcdbe6951e3" - date = "2023-06-14" - score = 70 - id = "4a81c778-c70d-57f7-b57e-3f2de7bfbd27" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRServerDDKprovider */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b0020006400720069007600650072 } /* ProductName WindowsRServerDDKdriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /cpuz_x64/i -} - - -rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_37C6 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project 
using VersionInfo values from the PE header - iQVW64.SYS" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "37c637a74bf20d7630281581a8fae124200920df11ad7cd68c14c26cc12c5ec9" - date = "2023-06-14" - score = 70 - id = "8f7f8c67-774d-5864-a9a9-e43896a8e1f4" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0033002e0032002e003100370020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0033002e0032002e00310037 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003800200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all 
of them and not filename matches /iQVW64/i -} - - -rule PUA_VULN_Renamed_Driver_Toshibacorporation_Nchgbiosxsys_Toshibabiospackage_3143 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NCHGBIOS2x64.SYS" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "314384b40626800b1cde6fbc51ebc7d13e91398be2688c2a58354aa08d00b073" - date = "2023-06-14" - score = 70 - id = "c37e0f2e-edf4-57bc-96d3-2256241603b7" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00420049004f00530020005500700064006100740065002000440072006900760065007200200046006f0072002000570069006e0064006f007700730020007800360034002000450064006900740069006f006e } /* FileDescription BIOSUpdateDriverForWindowsxEdition */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004f0053004800490042004100200043006f00720070006f0072006100740069006f006e } /* CompanyName TOSHIBACorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0034002e0032002e0034002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002e0032002e0034002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00430048004700420049004f00530032007800360034002e005300590053 } /* InternalName NCHGBIOSxSYS */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0054004f00530048004900420041002000420049004f00530020005000610063006b006100670065 } /* ProductName TOSHIBABIOSPackage */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00430048004700420049004f00530032007800360034002e005300590053 } /* OriginalFilename NCHGBIOSxSYS */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200031003900390039002d003200300031003200200054004f0053004800490042004100200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCTOSHIBACorporationAllRightsReserved */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /NCHGBIOS2x64/i -} - - -rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_5439 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91" - hash = "ab2632a4d93a7f3b7598c06a9fdc773a1b1b69a7dd926bdb7cf578992628e9dd" - date = "2023-06-14" - score = 70 - id = "f2b28250-5041-59a9-a49f-9b9597e630ef" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } /* CompanyName ZemanaLtd */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00320031002e00360033 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /zam64/i -} - - -rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_30AB { - meta: - description = "Detects renamed 
vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "30abc0cc700fdebc74e62d574addc08f6227f9c7177d9eaa8cbc37d5c017c9bb" - date = "2023-06-14" - score = 70 - id = "d9027c11-b261-5751-a75f-149cc317a186" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310031002e00330030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310031002e00330030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d002e002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000300038 } /* LegalCopyright CopyrightCMRussinovich */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /procexp/i -} - - -rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_DE8F { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo 
values from the PE header - zam64.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "de8f8006d8ee429b5f333503defa54b25447f4ed6aeade5e4219e23f3473ef1c" - date = "2023-06-14" - score = 70 - id = "529c87c6-e363-57ca-894e-84af66030798" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } /* CompanyName ZemanaLtd */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00320030002e003100300034 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /zam64/i -} - - -rule PUA_VULN_Renamed_Driver_Supermicrocomputerinc_Phymem_Phymem_1963 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - phymem64.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "1963d5a0e512b72353953aadbe694f73a9a576f0241a988378fa40bf574eda52" - date = "2023-06-14" - score = 70 - id = "9607a849-b445-5b65-8aec-34c637c49101" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]007000680079006d0065006d0020004100700070006c00690063006100740069006f006e } /* FileDescription phymemApplication */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300750070006500720020004d006900630072006f00200043006f006d00700075007400650072002c00200049006e0063002e } /* CompanyName SuperMicroComputerInc */ - $ = { 
00460069006c006500560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007000680079006d0065006d } /* InternalName phymem */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]007000680079006d0065006d } /* ProductName phymem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007000680079006d0065006d002e007300790073 } /* OriginalFilename phymemsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280063002900200031003900390033002d00320030003100350020005300750070006500720020004d006900630072006f00200043006f006d00700075007400650072002c00200049006e0063002e } /* LegalCopyright CopyrightcSuperMicroComputerInc */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /phymem64/i -} - - -rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_16A2 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "16a2e578bc8683f17a175480fea4f53c838cfae965f1d4caa47eaf9e0b3415c1" - hash = "98a123b314cba2de65f899cdbfa386532f178333389e0f0fbd544aff85be02eb" - date = "2023-06-14" - score = 70 - id = "4f275c35-b939-507c-8c6b-2851cc48cd35" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310036002e00340032 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310036002e00340032 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d00610072006b002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000320031 } /* LegalCopyright CopyrightCMarkRussinovich */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /procexp/i -} - - -rule PUA_VULN_Renamed_Driver_Vektortsecurityservice_Vboxdrv_Antidetectpublic_CFB7 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxDrv.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "cfb7af8ac67a379e7869289aeee21837c448ea6f8ab6c93988e7aa423653bd40" - date = "2023-06-14" - score = 70 - id = "e8b4df5f-9449-5943-ad88-479215dbca33" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription 
VirtualBoxSupportDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00560065006b0074006f0072002000540031003300200053006500630075007200690074007900200053006500720076006900630065 } /* CompanyName VektorTSecurityService */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0034002e0030002e003100310039003200330030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0034002e0030002e003100310039003200330030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078004400720076 } /* InternalName VBoxDrv */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041006e00740069006400650074006500630074002000320030003100390020005000750062006c00690063 } /* ProductName AntidetectPublic */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078004400720076002e007300790073 } /* OriginalFilename VBoxDrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300039002d00320030003100390020004f007200610063006c006500200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCOracleCorporation */ - condition: - uint16(0) == 0x5a4d and filesize < 400KB and all of them and not filename matches /VBoxDrv/i -} - - -rule PUA_VULN_Renamed_Driver_Sunmicrosystemsinc_Vboxdrvsys_Sunvirtualbox_R_C894 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxDrv.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "c8940e2e9b069ec94f9f711150b313b437f8429f78d522810601b6ee8b52bada" - date = "2023-06-14" - score = 70 - id = "398bc71f-c1a6-57bb-81df-6e378a64e39a" - strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* CompanyName SunMicrosystemsInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0032002e0034002e007200340037003900370038 } /* FileVersion r */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0032002e0034002e007200340037003900370038 } /* ProductVersion r */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078004400720076002e007300790073 } /* InternalName VBoxDrvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00530075006e0020005600690072007400750061006c0042006f0078 } /* ProductName SunVirtualBox */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078004400720076002e007300790073 } /* OriginalFilename VBoxDrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300039002000530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* LegalCopyright CopyrightCSunMicrosystemsInc */ - condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /VBoxDrv/i -} - - -rule PUA_VULN_Renamed_Driver_Pinduoduoltdcorp_Vboxdrv_Pinduoduosecurevdi_9DAB { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxDrv.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "9dab4b6fddc8e1ec0a186aa8382b184a5d52cfcabaaf04ff9e3767021eb09cf4" - date = "2023-06-14" - score = 70 - id = "70296e41-c455-5353-a682-272346ecc4c8" - strings: 
- $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00500069006e00640075006f00640075006f0020004c0074006400200043006f00720070 } /* CompanyName PinduoduoLtdCorp */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e003100330037003900300034 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e003100330037003900300034 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078004400720076 } /* InternalName VBoxDrv */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500069006e00640075006f00640075006f00200053006500630075007200650020005600440049 } /* ProductName PinduoduoSecureVDI */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078004400720076002e007300790073 } /* OriginalFilename VBoxDrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310035002d0032003000320031002000500069006e00640075006f00640075006f00200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCPinduoduoCorporation */ - condition: - uint16(0) == 0x5a4d and filesize < 1000KB and all of them and not filename matches /VBoxDrv/i -} - - -rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_18DE { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "18deed37f60b6aa8634dda2565a0485452487d7bce88afb49301a7352db4e506" - date = "2023-06-14" - score = 70 - id = "bf7ca47b-217f-50a3-a634-d34a788c0e6d" - 
strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00760069007200610067007400360034002e007300790073 } /* OriginalFilename viragtsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000310031002c002000320030003100320020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /viragt64/i -} - - -rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_8CFD { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "8cfd5b2102fbc77018c7fe6019ec15f07da497f6d73c32a31f4ba07e67ec85d9" - date = "2023-06-14" - score = 70 - id = 
"2ef0b4a6-b99a-5726-b485-08ad34af82c2" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0037002e0034003200340036002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0037002e0034003200340036002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310039002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ - condition: - uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i -} - - -rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_D5C4 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" - author = "Florian Roth" - reference = 
"https://github.com/magicsword-io/LOLDrivers" - hash = "d5c4ff35eaa74ccdb80c7197d3d113c9cd38561070f2aa69c0affe8ed84a77c9" - date = "2023-06-14" - score = 70 - id = "ee625dbd-bb74-5c20-bfd9-05a50b0ab728" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0036002e0033003900370039002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0036002e0033003900370039002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003800200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ - condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i -} - - -rule PUA_VULN_Renamed_Driver_Wj_Kprocesshacker_7021 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - kprocesshacker.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = 
"70211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4" - date = "2023-06-14" - score = 70 - id = "d913ce75-2d9f-58e5-8cf9-c58062b16116" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b00500072006f0063006500730073004800610063006b00650072 } /* FileDescription KProcessHacker */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0077006a00330032 } /* CompanyName wj */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0030 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004b00500072006f0063006500730073004800610063006b00650072 } /* ProductName KProcessHacker */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006b00700072006f0063006500730073006800610063006b00650072002e007300790073 } /* OriginalFilename kprocesshackersys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]004c006900630065006e00730065006400200075006e006400650072002000740068006500200047004e0055002000470050004c002c002000760033002e } /* LegalCopyright LicensedundertheGNUGPLv */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /kprocesshacker/i -} - - -rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_76E8 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "76e807b6c0214e66455f09a8de8faad40b738982ca84470f0043de0290449524" - date = "2023-06-14" - score = 70 - id = "dbfbd9f6-bb1e-5d55-bf0c-0c33f1947de0" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription 
TrendMicroCommonModule */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00320030002e0030002e0031003000300038 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00320030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100330020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /TmComm/i -} - - -rule PUA_VULN_Renamed_Driver_Biostargroup_Iodriver_Biostariodriver_1D03 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - BS_HWMIO64_W10.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "1d0397c263d51e9fc95bcc8baf98d1a853e1c0401cd0e27c7bf5da3fba1c93a8" - date = "2023-06-14" - score = 70 - id = "f149cf06-3087-5976-9b85-3779caa99ab5" - strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049002f004f00200049006e00740065007200660061006300650020006400720069007600650072002000660069006c0065 } /* FileDescription IOInterfacedriverfile */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00420049004f0053005400410052002000470072006f00750070 } /* CompanyName BIOSTARGroup */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002c00200030002c00200031003800300036002c00200032003200300030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002c00200030002c00200031003800300036002c00200032003200300030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0049002f004f0020006400720069007600650072 } /* InternalName IOdriver */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00420049004f005300540041005200200049002f004f0020006400720069007600650072 } /* ProductName BIOSTARIOdriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00420053005f00480057004d0049004f00360034005f005700310030002e007300790073 } /* OriginalFilename BSHWMIOWsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200032003000310038002d0032003000310039002000420049004f0053005400410052002000470072006f00750070 } /* LegalCopyright CopyrightcBIOSTARGroup */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /BS_HWMIO64_W10/i -} - - -rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_E2E7 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "e2e79f1e696f27fa70d72f97e448081b1fa14d59cbb89bb4a40428534dd5c6f6" - date = "2023-06-14" - score = 70 - id = 
"d31d0885-997d-54ac-8dc0-dc4703b0a105" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0034002e0034003200310031002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0034002e0034003200310031002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310039002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ - condition: - uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i -} - - -rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_5F69 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = 
"5f69d6b167a1eeca3f6ac64785c3c01976ee7303171faf998d65852056988683" - date = "2023-06-14" - score = 70 - id = "fa919157-ac17-529a-ac52-77794cfaae58" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300033002e0032002e00370020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300033002e0032002e0037 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003600200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /iQVW64/i -} - - -rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_9679 { - meta: - description = "Detects 
renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "9679758455c69877fce866267d60c39d108b495dca183954e4af869902965b3d" - date = "2023-06-14" - score = 70 - id = "604edf79-865e-5d1e-bc2d-b2948d4ba5c1" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003800200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ElbyCDIO/i -} - - -rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_8137 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers 
project using VersionInfo values from the PE header - ElbyCDIO.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "8137ce22d0d0fc5ea5b174d6ad3506a4949506477b1325da2ccb76511f4c4f60" - date = "2023-06-14" - score = 70 - id = "96c759e8-6824-5845-82fc-512810a6cc8f" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ElbyCDIO/i -} - - -rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_4DA0 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project 
using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "4da08c0681fbe028b60a1eaf5cb8890bd3eba4d0e6a8b976495ddcd315e147ba" - date = "2023-06-14" - score = 70 - id = "dfb8899e-3cbb-55c5-b531-761200da2d8f" - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0037002e0034003000310036002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0037002e0034003000310036002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003800200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ - condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i -} diff --git a/yara-Neo23x0/yara_mixed_ext_vars.yar b/yara-Neo23x0/yara_mixed_ext_vars.yar deleted file mode 100644 index 74778fc..0000000 --- a/yara-Neo23x0/yara_mixed_ext_vars.yar +++ /dev/null 
@@ -1,556 +0,0 @@
-/*
- This is a collection of rules that use external variables
- They work with scanners that support the use of external variables, like
- THOR, LOKI or SPARK
- https://www.nextron-systems.com/compare-our-scanners/
-*/
-
-import "pe"
-import "math"
-
-rule Acrotray_Anomaly {
- meta:
- description = "Detects an acrotray.exe that does not contain the usual strings"
- license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
- author = "Florian Roth (Nextron Systems)"
- score = 75
- id = "e3fef644-e535-5137-ac98-2fd1b7ca4361"
- strings:
- $s1 = "PDF/X-3:2002" fullword wide
- $s2 = "AcroTray - Adobe Acrobat Distiller helper application" fullword wide
- $s3 = "MS Sans Serif" fullword wide
- $s4 = "COOLTYPE.DLL" fullword ascii
- condition:
- uint16(0) == 0x5a4d and filesize < 3000KB
- and ( filename == "acrotray.exe" or filename == "AcroTray.exe" )
- and not all of ($s*)
-}
-
-rule COZY_FANCY_BEAR_modified_VmUpgradeHelper {
- meta:
- description = "Detects a malicious VmUpgradeHelper.exe as mentioned in the CrowdStrike report"
- license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
- author = "Florian Roth (Nextron Systems)"
- reference = "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/"
- date = "2016-06-14"
- id = "97b844a4-0fa4-5850-8803-2212a69e3d16"
- strings:
- $s1 = "VMware, Inc." wide fullword
- $s2 = "Virtual hardware upgrade helper service" fullword wide
- $s3 = "vmUpgradeHelper\\vmUpgradeHelper.pdb" ascii
- condition:
- uint16(0) == 0x5a4d and
- filename == "VmUpgradeHelper.exe" and
- not all of ($s*)
-}
-
-rule IronTiger_Gh0stRAT_variant
-{
- meta:
- author = "Cyber Safety Solutions, Trend Micro"
- description = "This is a detection for a s.exe variant seen in Op. 
Iron Tiger"
- reference = "http://goo.gl/T5fSJC"
- id = "e7eeee0f-d7a1-5359-bc1f-5a2a883c7227"
- strings:
- $str1 = "Game Over Good Luck By Wind" nocase wide ascii
- $str2 = "ReleiceName" nocase wide ascii
- $str3 = "jingtisanmenxiachuanxiao.vbs" nocase wide ascii
- $str4 = "Winds Update" nocase wide ascii fullword
- condition:
- uint16(0) == 0x5a4d and (any of ($str*))
- and not filename == "UpdateSystemMib.exe"
-}
-
-rule OpCloudHopper_Cloaked_PSCP {
- meta:
- description = "Tool used in Operation Cloud Hopper - pscp.exe cloaked as rundll32.exe"
- license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
- author = "Florian Roth (Nextron Systems)"
- reference = "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf"
- date = "2017-04-07"
- score = 90
- id = "c1e2e456-dbdd-54cf-b0e0-b356f291cfcd"
- strings:
- $s1 = "AES-256 SDCTR" ascii
- $s2 = "direct-tcpip" ascii
- condition:
- all of them and filename == "rundll32.exe"
-}
-
-rule msi_dll_Anomaly {
- meta:
- description = "Detetcs very small and supicious msi.dll"
- license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
- author = "Florian Roth (Nextron Systems)"
- reference = "https://blog.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar"
- date = "2017-02-10"
- hash1 = "8c9048e2f5ea2ef9516cac06dc0fba8a7e97754468c0d9dc1e5f7bce6dbda2cc"
- id = "92cd5c51-ed84-5428-9105-50139f9289c8"
- strings:
- $x1 = "msi.dll.eng" fullword wide
- condition:
- uint16(0) == 0x5a4d and filesize < 15KB and filename == "msi.dll" and $x1
-}
-
-rule PoS_Malware_MalumPOS_Config
-{
- meta:
- license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
- author = "Florian Roth (Nextron Systems)"
- date = "2015-06-25"
- description = "MalumPOS Config File"
- reference = 
"http://blog.trendmicro.com/trendlabs-security-intelligence/trend-micro-discovers-malumpos-targets-hotels-and-other-us-industries/"
- id = "0fd2b9c2-d016-5db2-8fcc-618df6c815de"
- strings:
- $s1 = "[PARAMS]"
- $s2 = "Name="
- $s3 = "InterfacesIP="
- $s4 = "Port="
- condition:
- all of ($s*) and filename == "log.ini" and filesize < 20KB
-}
-
-rule Malware_QA_update_test {
- meta:
- description = "VT Research QA uploaded malware - file update_.exe"
- license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
- author = "Florian Roth (Nextron Systems)"
- reference = "VT Research QA"
- date = "2016-08-29"
- score = 80
- hash1 = "3b3392bc730ded1f97c51e23611740ff8b218abf0a1100903de07819eeb449aa"
- id = "8f319277-1eaf-559e-87ad-f4ab89b04ca5"
- strings:
- $s1 = "test.exe" fullword ascii
- $s2 = "PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGP" fullword ascii
- condition:
- uint16(0) == 0x5a4d and filesize < 1000KB and all of them and filename == "update.exe"
-}
-
-
-/* These only work with external variable "filename" ------------------------ */
-/* as used in LOKI, THOR, SPARK --------------------------------------------- */
-
-rule SysInterals_PipeList_NameChanged {
- meta:
- description = "Detects NirSoft PipeList"
- license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
- author = "Florian Roth (Nextron Systems)"
- reference = "https://goo.gl/Mr6M2J"
- date = "2016-06-04"
- score = 90
- hash1 = "83f0352c14fa62ae159ab532d85a2b481900fed50d32cc757aa3f4ccf6a13bee"
- id = "01afcf29-a74c-5be2-8b24-694a2802ef34"
- strings:
- $s1 = "PipeList" ascii fullword
- $s2 = "Sysinternals License" ascii fullword
- condition:
- uint16(0) == 0x5a4d and filesize < 170KB and all of them
- and not filename contains "pipelist.exe"
- and not filename contains "PipeList.exe"
-}
-
-/*
- Yara Rule Set
- Author: Florian Roth
- Date: 2016-04-26
- Identifier: regsvr32 issue
-*/
-
-/* Rule Set 
----------------------------------------------------------------- */ - -rule SCT_Scriptlet_in_Temp_Inet_Files { - meta: - description = "Detects a scriptlet file in the temporary Internet files (see regsvr32 AppLocker bypass)" - license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" - author = "Florian Roth (Nextron Systems)" - reference = "http://goo.gl/KAB8Jw" - date = "2016-04-26" - id = "8b729257-3676-59b2-961c-dae1085cbbf6" - strings: - $s1 = "" fullword ascii nocase - $s2 = "ActiveXObject(\"WScript.Shell\")" ascii - condition: - ( uint32(0) == 0x4D583F3C or uint32(0) == 0x6D78F3C ) /* 50000KB and not filename matches /WER/ -} - -rule lsadump { - meta: - description = "LSA dump programe (bootkey/syskey) - pwdump and others" - author = "Benjamin DELPY (gentilkiwi)" - score = 80 - nodeepdive = 1 - id = "3bfa8dd8-720d-5326-ac92-0fb96cf21219" - strings: - $str_sam_inc = "\\Domains\\Account" ascii nocase - $str_sam_exc = "\\Domains\\Account\\Users\\Names\\" ascii nocase - $hex_api_call = {(41 b8 | 68) 00 00 00 02 [0-64] (68 | ba) ff 07 0f 00 } - $str_msv_lsa = { 4c 53 41 53 52 56 2e 44 4c 4c 00 [0-32] 6d 73 76 31 5f 30 2e 64 6c 6c 00 } - $hex_bkey = { 4b 53 53 4d [20-70] 05 00 01 00} - - $fp1 = "Sysinternals" ascii - $fp2 = "Apple Inc." 
ascii wide - $fp3 = "Kaspersky Lab" ascii fullword - $fp4 = "ESET Security" ascii - $fp5 = "Disaster Recovery Module" wide - $fp6 = "Bitdefender" wide fullword - condition: - uint16(0) == 0x5a4d and - (($str_sam_inc and not $str_sam_exc) or $hex_api_call or $str_msv_lsa or $hex_bkey ) - and not 1 of ($fp*) - and not filename contains "Regdat" - and not filetype == "EXE" - and not filepath contains "Dr Watson" - and not extension == "vbs" -} - -rule SUSP_ServU_SSH_Error_Pattern_Jul21_1 { - meta: - description = "Detects suspicious SSH component exceptions that could be an indicator of exploitation attempts as described in advisory addressing CVE-2021-35211 in ServU services" - author = "Florian Roth (Nextron Systems)" - reference = "https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35211#FAQ" - date = "2021-07-12" - score = 60 - id = "1a89f0b0-445c-5867-94cd-f07ba1becad6" - strings: - $s1 = "EXCEPTION: C0000005;" ascii - $s2 = "CSUSSHSocket::ProcessReceive();" ascii - condition: - filename == "DebugSocketlog.txt" - and all of ($s*) -} - -rule SUSP_ServU_Known_Mal_IP_Jul21_1 { - meta: - description = "Detects suspicious IP addresses used in exploitation of ServU services CVE-2021-35211 and reported by Solarwinds" - author = "Florian Roth (Nextron Systems)" - reference = "https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35211#FAQ" - date = "2021-07-12" - score = 60 - id = "118272a7-7ec9-568b-99e0-8cfe97f3f64e" - strings: - $xip1 = "98.176.196.89" ascii fullword - $xip2 = "68.235.178.32" ascii fullword - $xip3 = "208.113.35.58" ascii fullword - $xip4 = "144.34.179.162" ascii fullword - $xip5 = "97.77.97.58" ascii fullword - condition: - filename == "DebugSocketlog.txt" - and 1 of them -} - -rule SUSP_EXPL_Confluence_RCE_CVE_2021_26084_Indicators_Sep21 { - meta: - description = "Detects ELF binaries owner by the confluence user but outside usual confluence directories" - author = "Florian Roth (Nextron Systems)" - reference = 
"https://attackerkb.com/topics/Eu74wdMbEL/cve-2021-26084-confluence-server-ognl-injection/rapid7-analysis" - date = "2021-09-01" - score = 55 - id = "395d37ea-1986-5fdd-b58c-562ae0d8be35" - condition: - uint32be(0) == 0x7f454c46 /* ELF binary */ - and owner == "confluence" - and not filepath contains "/confluence/" -} - -rule SUSP_Blocked_Download_Proxy_Replacement_Jan23_1 { - meta: - description = "Detects a file that has been replaced with a note by a security solution like an Antivirus or a filtering proxy server" - author = "Florian Roth (Nextron Systems)" - reference = "https://www.virustotal.com/gui/search/filename%253A*.exe%2520tag%253Ahtml%2520size%253A10kb-%2520size%253A2kb%252B/files" - date = "2023-01-28" - score = 60 - id = "58bc8288-6bdb-57d5-9de5-a54a39584838" - strings: - $x01 = "Web Filter Violation" - $x02 = "Google Drive can't scan this file for viruses." - $x03 = " target=\"_blank\">Cloudflare Bitly displays this warning when a link has been flagged as suspect. There are many" - $x08 = "Something went wrong. Don't worry, your files are still safe and the Dropbox team has been notified." - $x09 = "

sinkhole

" - $x10 = "The requested short link is blocked by website administration due to violation of the website policy terms." - $x11 = "= 7.0 - and math.entropy(0, 1024) >= 7.0 -} - - -rule SUSP_Password_XLS_Unencrypted { - meta: - description = "Detects files named e.g. password.xls, which might contain unportected clear text passwords" - author = "Arnim Rupp (https://github.com/ruppde)" - reference = "Internal Research" - date = "2023-10-04" - score = 60 - id = "41096ef1-dd02-5956-9053-3d7fb1a5092c" - condition: - // match password and the german passwort: - ( - filename istartswith "passwor" or /* EN / DE */ - filename istartswith "contrase" or /* ES */ - filename istartswith "mot de pass" or /* FR */ - filename istartswith "mot_de_pass" or /* FR */ - filename istartswith "motdepass" or /* FR */ - filename istartswith "wachtwoord" /* NL */ - ) - and ( - // no need to check if an xls is password protected, because it's trivial to break - ( - filename iendswith ".xls" - and uint32be(0) == 0xd0cf11e0 // xls - ) - or - ( - filename iendswith ".xlsx" - and uint32be(0) == 0x504b0304 // unencrypted xlsx = pkzip - ) - ) -} - -rule SUSP_Password_XLS_Encrypted { - meta: - description = "Detects files named e.g. password.xlsx, which might contain clear text passwords, but are password protected from MS Office" - author = "Arnim Rupp (https://github.com/ruppde)" - reference = "Internal Research" - date = "2023-10-04" - score = 50 - id = "d3334923-3396-524d-9111-8ccb754ab99e" - condition: - // match password and the german passwort: - ( - filename istartswith "passwor" or /* EN / DE */ - filename istartswith "contrase" or /* ES */ - filename istartswith "mot de pass" or /* FR */ - filename istartswith "mot_de_pass" or /* FR */ - filename istartswith "motdepass" or /* FR */ - filename istartswith "wachtwoord" /* NL */ - ) - and filename iendswith ".xlsx" - and uint32be(0) == 0xd0cf11e0 // encrypted xlsx = CDFV2 -} 
diff --git a/yara-mikesxrs/Anomali Labs/Lazarus_wipe_file_routine.yar b/yara-mikesxrs/Anomali Labs/Lazarus_wipe_file_routine.yar
deleted file mode 100644
index 8c649f5..0000000
--- a/yara-mikesxrs/Anomali Labs/Lazarus_wipe_file_routine.yar
+++ /dev/null
@@ -1,28 +0,0 @@
-rule AnomaliLABS_Lazarus_wipe_file_routine {
- meta:
- author = "aaron shelmire"
- date = "2015 May 26"
- desc = “Yara sig to detect File Wiping routine of the Lazarus group”
- reference = "https://blog.anomali.com/evidence-of-stronger-ties-between-north-korea-and-swift-banking-attacks"
- strings:
- $rand_name_routine = { 99 B9 1A 00 00 00 F7 F9 80 C2 61 88 16 8A 46 01 46 84 C0 }
- /* imports for overwrite function */
- $imp_getTick = "GetTickCount"
- $imp_srand = "srand"
- $imp_CreateFile = "CreateFileA"
- $imp_SetFilePointer = "SetFilePointer"
- $imp_WriteFile = "WriteFile"
- $imp_FlushFileBuffers = "FlushFileBuffers"
- $imp_GetFileSizeEx = "GetFileSizeEx"
- $imp_CloseHandle = "CloseHandle"
- /* imports for rename function */
- $imp_strrchr = "strrchr"
- $imp_rand = "rand"
- $Move_File = "MoveFileA"
- $Move_FileEx = "MoveFileEx"
- $imp_RemoveDir = "RemoveDirectoryA"
- $imp_DeleteFile = "DeleteFileA"
- $imp_GetLastError = "GetLastError"
-condition:
- $rand_name_routine and (11 of ($imp_*)) and ( 1 of ($Move_*))
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/Anomali Labs/PyInstaller_Binary.yar b/yara-mikesxrs/Anomali Labs/PyInstaller_Binary.yar
deleted file mode 100644
index 9e5d2f9..0000000
--- a/yara-mikesxrs/Anomali Labs/PyInstaller_Binary.yar
+++ /dev/null
@@ -1,16 +0,0 @@
-rule PyInstaller_Binary
- {
-meta:
- author = "Nicholas Albright, ThreatStream"
- desc = "Generic rule to identify PyInstaller Compiled Binaries"
- reference = "https://blog.anomali.com/crushing-python-malware"
-strings:
- $string0 = "zout00-PYZ.pyz"
- $string1 = "python"
- $string2 = "Python DLL"
- $string3 = "Py_OptimizeFlag"
- $string4 = "pyi_carchive"
- $string5 = ".manifest"
-condition:
- all of them // and new_file
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/Brian Carter -carterb/archives_w_chinapic.yar b/yara-mikesxrs/Brian Carter -carterb/archives_w_chinapic.yar
deleted file mode 100644
index 77b4084..0000000
--- a/yara-mikesxrs/Brian Carter -carterb/archives_w_chinapic.yar
+++ /dev/null
@@ -1,18 +0,0 @@
-rule chinapic_zip
-
-{
-
- meta:
- description = "Find zip archives of pony panels that have china.jpg"
- author = "Brian Carter"
- last_modified = "March 31, 2017"
-
- strings:
- $txt1 = "china.jpg"
- $txt2 = "config.php"
- $magic = { 50 4b 03 04 }
-
- condition:
- $magic at 0 and all of ($txt*)
-
-}
diff --git a/yara-mikesxrs/Brian Carter -carterb/demuzacert.yar b/yara-mikesxrs/Brian Carter -carterb/demuzacert.yar
deleted file mode 100644
index 4f67618..0000000
--- a/yara-mikesxrs/Brian Carter -carterb/demuzacert.yar
+++ /dev/null
@@ -1,20 +0,0 @@
-rule PotentiallyCompromisedCert
-
-{
- meta:
- description = "Search for PE files using cert issued to DEMUZA "
- author = "Brian Carter"
- last_modified = "July 21, 2017"
- sample = "7ef8f5e0ca92a0f3a5bd8cdc52236564"
- TLP = "WHITE"
-
- strings:
- $magic = { 50 4b 03 04 (14 | 0a) 00 }
-
- $txt1 = "demuza@yandex.ru" nocase
- $txt2 = "https://secure.comodo.net/CPS0C" nocase
- $txt3 = "COMODO CA Limited1"
-
- condition:
- $magic at 0 and all of ($txt*)
-}
diff --git a/yara-mikesxrs/Brian Carter -carterb/injector_panel_sqlite.yar b/yara-mikesxrs/Brian Carter -carterb/injector_panel_sqlite.yar
deleted file mode 100644
index 3cbfe55..0000000 
--- a/yara-mikesxrs/Brian Carter -carterb/injector_panel_sqlite.yar
+++ /dev/null
@@ -1,21 +0,0 @@
-rule INJECTOR_PANEL_SQLITE
-
-{
- meta:
- description = "Find sqlite dbs used with tables inject panel"
- author = "Brian Carter"
- last_modified = "August 14, 2017"
-
- strings:
- $magic = { 53 51 4C 69 74 65 20 66 6F 72 6D 61 74 20 33 00 }
- $txt1 = "CREATE TABLE Settings"
- $txt2 = "CREATE TABLE Jabber"
- $txt3 = "CREATE TABLE Users"
- $txt4 = "CREATE TABLE Log"
- $txt5 = "CREATE TABLE Fakes"
- $txt6 = "CREATE TABLE ATS_links"
-
- condition:
- $magic at 0 and all of ($txt*)
-
-}
diff --git a/yara-mikesxrs/Brian Carter -carterb/mal_pdf.yar b/yara-mikesxrs/Brian Carter -carterb/mal_pdf.yar
deleted file mode 100644
index ed82015..0000000
--- a/yara-mikesxrs/Brian Carter -carterb/mal_pdf.yar
+++ /dev/null
@@ -1,19 +0,0 @@
-rule PDF_EMBEDDED_DOCM
-
-{
- meta:
- description = "Find pdf files that have an embedded docm with openaction"
- author = "Brian Carter"
- last_modified = "May 11, 2017"
-
- strings:
- $magic = { 25 50 44 46 2d }
-
- $txt1 = "EmbeddedFile"
- $txt2 = "docm)"
- $txt3 = "JavaScript" nocase
-
- condition:
- $magic at 0 and all of ($txt*)
-
-}
diff --git a/yara-mikesxrs/Brian Carter -carterb/panelzips.yar b/yara-mikesxrs/Brian Carter -carterb/panelzips.yar
deleted file mode 100644
index 42da6a9..0000000
--- a/yara-mikesxrs/Brian Carter -carterb/panelzips.yar
+++ /dev/null
@@ -1,128 +0,0 @@
-rule chinapic_zip
-
-{
-
- meta:
- description = "Find zip archives of pony panels that have china.jpg"
- author = "Brian Carter"
- last_modified = "March 31, 2017"
-
- strings:
- $txt1 = "china.jpg"
- $txt2 = "config.php"
- $txt3 = "setup.php"
- $magic = { 50 4b 03 04 }
-
- condition:
- $magic at 0 and all of ($txt*)
-
-}
-
-rule diamondfox_zip
-
-{
-
- meta:
- description = "Find zip archives of panels"
- author = "Brian Carter"
- last_modified = "March 31, 2017"
-
- strings:
- $txt1 = "gate.php"
- $txt2 = "install.php"
- $txt3 = "post.php"
- $txt4 = "plugins"
- $txt5 = "statistics.php"
- $magic = { 50 4b 03 04 }
- $not1 = "joomla" nocase
-
- condition:
- $magic at 0 and all of ($txt*) and not any of ($not*)
-
-}
-
-rule keybase_zip
-
-{
-
- meta:
- description = "Find zip archives of panels"
- author = "Brian Carter"
- last_modified = "March 31, 2017"
-
- strings:
- $txt1 = "clipboard.php"
- $txt2 = "config.php"
- $txt3 = "create.php"
- $txt4 = "login.php"
- $txt5 = "screenshots.php"
- $magic = { 50 4b 03 04 }
-
- condition:
- $magic at 0 and all of ($txt*)
-
-}
-
-rule zeus_zip
-
-{
-
- meta:
- description = "Find zip archives of panels"
- author = "Brian Carter"
- last_modified = "April 19, 2017"
-
- strings:
- $txt1 = "cp.php"
- $txt2 = "gate.php"
- $txt3 = "botnet_bots.php"
- $txt4 = "botnet_scripts.php"
- $magic = { 50 4b 03 04 }
-
- condition:
- $magic at 0 and all of ($txt*)
-
-}
-
-rule atmos_zip
-
-{
-
- meta:
- description = "Find zip archives of panels"
- author = "Brian Carter"
- last_modified = "April 27, 2017"
-
- strings:
- $txt1 = "cp.php"
- $txt2 = "gate.php"
- $txt3 = "api.php"
- $txt4 = "file.php"
- $txt5 = "ts.php"
- $txt6 = "index.php"
- $magic = { 50 4b 03 04 }
-
- condition:
- $magic at 0 and all of ($txt*)
-
-}
-
-rule new_pony_panel
-
-{
-
- meta:
- description = "New Pony Zips"
-
- strings:
- $txt1 = "includes/design/images/"
- $txt2 = "includes/design/style.css"
- $txt3 = "admin.php"
- $txt4 = 
"includes/design/images/user.png" - $txt5 = "includes/design/images/main_bg.gif" - $magic = { 50 4b 03 04 } - - condition: - $magic at 0 and all of ($txt*) - -} diff --git a/yara-mikesxrs/Brian Carter -carterb/pony_config.yar b/yara-mikesxrs/Brian Carter -carterb/pony_config.yar deleted file mode 100644 index b1fb013..0000000 --- a/yara-mikesxrs/Brian Carter -carterb/pony_config.yar +++ /dev/null @@ -1,21 +0,0 @@ -rule config_php - -{ - meta: - description = "Find config.php files that have details for the db" - author = "Brian Carter" - last_modified = "March 31, 2017" - - strings: - $txt1 = "$mysql_host =" - $txt2 = "$mysql_user =" - $txt3 = "mysql_pass =" - $txt4 = "mysql_database =" - $txt5 = "global_filter_list" - $txt6 = "white-list" - $php1 = " 5 - and new_file - -} diff --git a/yara-mikesxrs/CISA/CADDYWIPER.yar b/yara-mikesxrs/CISA/CADDYWIPER.yar deleted file mode 100644 index 7975b99..0000000 --- a/yara-mikesxrs/CISA/CADDYWIPER.yar +++ /dev/null 
@@ -1,27 +0,0 @@
-rule CISA_10376640_04 : trojan wiper CADDYWIPER
-{
- meta:
- Author = "CISA Code & Media Analysis"
- Incident = "10376640"
- Date = "2022-03-23"
- Last_Modified = "20220324_1700"
- Actor = "n/a"
- Category = "Trojan Wiper"
- Family = "CADDYWIPER"
- Description = "Detects Caddy wiper samples"
- Reference = "https://www.cisa.gov/uscert/ncas/analysis-reports/ar22-115c"
- MD5_1 = "42e52b8daf63e6e26c3aa91e7e971492"
- SHA256_1 = "a294620543334a721a2ae8eaaf9680a0786f4b9a216d75b55cfd28f39e9430ea"
- strings:
- $s0 = { 44 73 52 6F 6C 65 47 65 74 50 72 69 6D 61 72 79 44 6F 6D 61 69 6E }
- $s1 = { 50 C6 45 A1 00 C6 45 A2 48 C6 45 A3 00 C6 45 A4 59 C6 }
- $s2 = { C6 45 A6 53 C6 45 A7 00 C6 45 A8 49 C6 }
- $s3 = { C6 45 B0 44 C6 45 B1 00 C6 45 B2 52 }
- $s4 = { C6 45 B8 45 C6 45 B9 00 C6 45 BA 39 }
- $s5 = { C6 45 AC 43 C6 45 AD 3A C6 45 AE 5C C6 45 AF }
- $s6 = { 55 C6 45 B0 73 C6 45 B1 65 C6 45 B2 72 C6 45 B3 }
- $s7 = { C6 45 E0 44 C6 45 E1 3A C6 45 E2 5C C6 45 E3 }
- $s8 = { 21 54 68 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F }
- condition:
- all of them
-}
diff --git a/yara-mikesxrs/CISA/HAFIUM_webshell_CVE_2021_27065.yar b/yara-mikesxrs/CISA/HAFIUM_webshell_CVE_2021_27065.yar
deleted file mode 100644
index 0849b4b..0000000
--- a/yara-mikesxrs/CISA/HAFIUM_webshell_CVE_2021_27065.yar
+++ /dev/null
@@ -1,23 +0,0 @@
-rule CISA_10328929_01 : trojan webshell exploit CVE_2021_27065
-{
- meta:
- Author = "CISA Code & Media Analysis"
- Incident = "10328929"
- Date = "2021-03-17"
- Last_Modified = "20210317_2200"
- Actor = "n/a"
- Category = "Trojan WebShell Exploit CVE-2021-27065"
- Family = "HAFNIUM"
- Description = "Detects CVE-2021-27065 Webshellz"
- Reference = "https://www.cisa.gov/uscert/ncas/analysis-reports/ar21-084b"
- MD5_1 = "ab3963337cf24dc2ade6406f11901e1f"
- SHA256_1 = "c8a7b5ffcf23c7a334bb093dda19635ec06ca81f6196325bb2d811716c90f3c5"
- strings:
- $s0 = { 65 76 61 6C 28 52 65 71 75 65 73 74 5B 22 [1-32] 5D 2C 22 75 6E 73 61 66 65 22 29 }
- $s1 = { 65 76 61 6C 28 }
- $s2 = { 28 52 65 71 75 65 73 74 2E 49 74 65 6D 5B [1-36] 5D 29 29 2C 22 75 6E 73 61 66 65 22 29 }
- $s3 = { 49 4F 2E 53 74 72 65 61 6D 57 72 69 74 65 72 28 52 65 71 75 65 73 74 2E 46 6F 72 6D 5B [1-24] 5D }
- $s4 = { 57 72 69 74 65 28 52 65 71 75 65 73 74 2E 46 6F 72 6D 5B [1-24] 5D }
- condition:
- $s0 or ($s1 and $s2) or ($s3 and $s4)
-}
diff --git a/yara-mikesxrs/CISA/HAFNIUM_CVE_2021_27065_Exchange_OAB_VD_MOD.yar b/yara-mikesxrs/CISA/HAFNIUM_CVE_2021_27065_Exchange_OAB_VD_MOD.yar
deleted file mode 100644
index 9e3c7a6..0000000
--- a/yara-mikesxrs/CISA/HAFNIUM_CVE_2021_27065_Exchange_OAB_VD_MOD.yar
+++ /dev/null
@@ -1,21 +0,0 @@
-rule CISA_10328929_02 : trojan webshell exploit CVE_2021_27065
-{
- meta:
- Author = "CISA Code & Media Analysis"
- Incident = "10328929"
- Date = "2021-03-17"
- Last_Modified = "20210317_2200"
- Actor = "n/a"
- Category = "Trojan WebShell Exploit CVE-2021-27065"
- Family = "HAFNIUM"
- Description = "Detects CVE-2021-27065 Exchange OAB VD MOD"
- Reference = "https://www.cisa.gov/uscert/ncas/analysis-reports/ar21-084b"
- MD5_1 = "ab3963337cf24dc2ade6406f11901e1f"
- SHA256_1 = "c8a7b5ffcf23c7a334bb093dda19635ec06ca81f6196325bb2d811716c90f3c5"
- strings:
- $s0 = { 4F 66 66 6C 69 6E 65 41 64 64 72 65 73 73 42 6F 6F 6B 73 }
- $s1 = { 3A 20 68 74 74 70 3A 2F 2F [1] 2F }
- $s2 = { 45 78 74 65 72 6E 61 6C 55 72 6C 20 20 20 20 }
- condition:
- $s0 and $s1 and $s2
-}
diff --git a/yara-mikesxrs/CISA/HERMETICWIZARD.yar b/yara-mikesxrs/CISA/HERMETICWIZARD.yar
deleted file mode 100644
index 9648940..0000000
--- a/yara-mikesxrs/CISA/HERMETICWIZARD.yar
+++ /dev/null
@@ -1,34 +0,0 @@
-rule CISA_10376640_02 : trojan wiper worm HERMETICWIZARD
-{
- meta:
- Author = "CISA Code & Media Analysis"
- Incident = "10376640"
- Date = "2022-03-12"
- Last_Modified = "20220413_1300"
- Actor = "n/a"
- Category = "Trojan Wiper Worm"
- Family = "HERMETICWIZARD"
- Description = "Detects Hermetic Wizard samples"
- Reference = "https://www.cisa.gov/uscert/ncas/analysis-reports/ar22-115b"
- MD5_1 = "0959bf541d52b6e2915420442bf44ce8"
- SHA256_1 = "5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48"
- strings:
- $s0 = { 70 00 69 00 70 00 65 00 5C 00 25 00 73 }
- $s1 = { 6E 00 6D 00 61 00 6E 00 73 00 65 00 72 00 76 }
- $s2 = { 73 61 6D 72 }
- $s3 = { 62 72 6F 77 73 65 72 }
- $s4 = { 6E 65 74 6C 6F 67 6F 6E }
- $s5 = { 6C 73 61 72 70 63 }
- $s6 = { 6E 74 73 76 63 73 }
- $s7 = { 73 76 63 63 74 6C }
- $s8 = { 73 74 61 72 74 20 63 6D 64 20 2F 63 20 22 70 69 6E 67 20 6C 6F 63 61 6C 68 6F 73 74 }
- $s9 = { 67 00 75 00 65 00 73 00 74 }
- $s10 = { 74 00 65 00 73 00 74 }
- $s11 = { 75 00 73 00 65 00 72 }
- $s12 = { 61 00 64 00 6D 00 69 00 6E 00 69 00 73 00 74 00 72 00 61 00 74 00 6F }
- $s13 = { 51 00 61 00 7A 00 31 00 32 00 33 }
- $s14 = { 51 00 77 00 65 00 72 00 74 00 79 00 31 00 32 }
- $s15 = { 63 6D 64 20 2F 63 20 73 74 61 72 74 20 72 65 67 }
- condition:
- all of them
-}
diff --git a/yara-mikesxrs/CISA/HERMETICWIZARD_WORM.yar b/yara-mikesxrs/CISA/HERMETICWIZARD_WORM.yar
deleted file mode 100644
index 734e854..0000000
--- a/yara-mikesxrs/CISA/HERMETICWIZARD_WORM.yar
+++ /dev/null
@@ -1,24 +0,0 @@
-rule CISA_10376640_03 : trojan wiper worm HERMETICWIZARD
-{
- meta:
- Author = "CISA Code & Media Analysis"
- Incident = "10376640"
- Date = "2022-03-13"
- Last_Modified = "20220413_1300"
- Actor = "n/a"
- Category = "Trojan Wiper Worm"
- Family = "HERMETICWIZARD"
- Description = "Detects Hermetic Wizard samples"
- Reference = "https://www.cisa.gov/uscert/ncas/analysis-reports/ar22-115b"
- MD5_1 = "58d71fff346017cf8311120c69c9946a"
- SHA256_1 = "2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b"
- strings:
- $s0 = { 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F }
- $s1 = { 5C 00 5C 00 25 00 73 00 5C 00 70 00 69 00 70 00 65 00 5C 00 25 00 73 }
- $s2 = { 64 00 6C 00 6C 00 00 00 2D 00 69 }
- $s3 = { 2D 00 68 00 00 00 00 00 2D 00 73 }
- $s4 = { 2D 00 63 00 00 00 00 00 2D 00 61 }
- $s5 = { 43 6F 6D 6D 61 6E 64 4C 69 6E 65 54 6F 41 72 67 76 57 }
- condition:
- all of them
-}
diff --git a/yara-mikesxrs/CISA/HERMETICWIZARD_WORM_CODE.yar b/yara-mikesxrs/CISA/HERMETICWIZARD_WORM_CODE.yar
deleted file mode 100644
index 4858849..0000000
--- a/yara-mikesxrs/CISA/HERMETICWIZARD_WORM_CODE.yar
+++ /dev/null
@@ -1,21 +0,0 @@
-rule CISA_10376640_05 : trojan wiper worm HERMETICWIZARD
-{
- meta:
- Author = "CISA Code & Media Analysis"
- Incident = "10376640"
- Date = "2022-04-14"
- Last_Modified = "20220414_1037"
- Actor = "n/a"
- Category = "Trojan Wiper Worm"
- Family = "HERMETICWIZARD"
- Description = "Detects Hermetic Wizard samples"
- Reference = "https://www.cisa.gov/uscert/ncas/analysis-reports/ar22-115b"
- MD5_1 = "517d2b385b846d6ea13b75b8adceb061"
- SHA256 = "a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec"
- strings:
- $s0 = { 57 69 7A 61 72 64 2E 64 6C 6C }
- $s1 = { 69 6E 66 6C 61 74 65 }
- $s2 = { 4D 61 72 6B 20 41 64 6C 65 72 }
- condition:
- all of them and filesize < 2000KB
-}
diff --git a/yara-mikesxrs/CISA/ISAACWIPER.yar b/yara-mikesxrs/CISA/ISAACWIPER.yar
deleted file mode 100644
index f8571f9..0000000 
--- a/yara-mikesxrs/CISA/ISAACWIPER.yar
+++ /dev/null
@@ -1,29 +0,0 @@
-ule CISA_10376640_01 : trojan wiper ISAACWIPER
-{
- meta:
- Author = "CISA Code & Media Analysis"
- Incident = "10376640"
- Date = "2022-03-14"
- Last_Modified = "20220418_1900"
- Actor = "n/a"
- Category = "Trojan Wiper"
- Family = "ISAACWIPER"
- Description = "Detects ISACC Wiper samples"
- MD5_1 = "aa98b92e3320af7a1639de1bac6c17cc"
- SHA256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f"
- MD5_2 = "8061889aaebd955ba6fb493abe7a4de1"
- SHA256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a"
- MD5_3 = "ecce8845921a91854ab34bff2623151e"
- SHA256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033"
- strings:
- $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6E 00 67 }
- $s1 = { 6C 00 6F 00 67 00 69 00 63 00 61 00 6C }
- $s2 = { 46 00 41 00 49 00 4C 00 45 00 44 }
- $s3 = { 5C 00 6C 00 6F 00 67 00 2E 00 74 00 78 00 74 }
- $s4 = { 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F }
- $s5 = {53 74 61 72 74 40 34}
- $s6 = {3B 57 34 74 2D 6A}
- $s7 = {43 6C 65 61 6E 65 72 2E}
- condition:
- all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7)
-}
diff --git a/yara-mikesxrs/CISA/ISAACWIPER_BYTES.yar b/yara-mikesxrs/CISA/ISAACWIPER_BYTES.yar
deleted file mode 100644
index 83036ad..0000000
--- a/yara-mikesxrs/CISA/ISAACWIPER_BYTES.yar
+++ /dev/null
@@ -1,30 +0,0 @@
-rule CISA_10376640_01 : trojan wiper ISAACWIPER
-{
- meta:
- Author = "CISA Code & Media Analysis"
- Incident = "10376640"
- Date = "2022-03-14"
- Last_Modified = "20220418_1900"
- Actor = "n/a"
- Category = "Trojan Wiper"
- Family = "ISAACWIPER"
- Description = "Detects ISACC Wiper samples"
- Reference = "https://www.cisa.gov/uscert/ncas/analysis-reports/ar22-115b"
- MD5_1 = "aa98b92e3320af7a1639de1bac6c17cc"
- SHA256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f"
- MD5_2 = "8061889aaebd955ba6fb493abe7a4de1"
- SHA256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a"
- MD5_3 = "ecce8845921a91854ab34bff2623151e"
- SHA256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033"
- strings:
- $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6E 00 67 }
- $s1 = { 6C 00 6F 00 67 00 69 00 63 00 61 00 6C }
- $s2 = { 46 00 41 00 49 00 4C 00 45 00 44 }
- $s3 = { 5C 00 6C 00 6F 00 67 00 2E 00 74 00 78 00 74 }
- $s4 = { 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F }
- $s5 = {53 74 61 72 74 40 34}
- $s6 = {3B 57 34 74 2D 6A}
- $s7 = {43 6C 65 61 6E 65 72 2E}
- condition:
- all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7)
-}
diff --git a/yara-mikesxrs/Checkpoint/ElMachete_doc.yar b/yara-mikesxrs/Checkpoint/ElMachete_doc.yar
deleted file mode 100644
index 0b2d5f4..0000000
--- a/yara-mikesxrs/Checkpoint/ElMachete_doc.yar
+++ /dev/null
@@ -1,14 +0,0 @@
-rule ElMachete_doc
-{
- meta:
- author = "CPR"
- reference = "https://research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/"
- hash1 = "8E1360CC27E95FC47924D9BA3EF84CB8FA9E142CFD16E1503C5277D0C16AE241"
- strings:
- $s1 = "You want to continue with the Document" ascii
- $s2 = "certutil -decode" ascii
- $s3 = /C:\\ProgramData\\.{1,20}\.txt/
- $s4 = /C:\\ProgramData\\.{1,20}\.vbe/
- condition:
- uint16be(0) == 0xD0CF and 2 of ($s*)
-}
diff --git a/yara-mikesxrs/Checkpoint/ElMachete_msi.yar b/yara-mikesxrs/Checkpoint/ElMachete_msi.yar
deleted file mode 100644
index e99d561..0000000
--- a/yara-mikesxrs/Checkpoint/ElMachete_msi.yar
+++ /dev/null
@@ -1,17 +0,0 @@
-rule ElMachete_msi
-{
- meta:
- author = "CPR"
- reference = "https://research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/"
- hash1 = "ED09DA9D48AFE918F9C7F72FE4466167E2F127A28A7641BA80D6165E82F48431"
- strings:
- $s1 = "MSI Wrapper (8.0.26.0)"
- $s2 = "Windows Installer XML Toolset (3.11.0.1701)"
- $s3 = "\\Lib\\site-packages\\PIL\\"
- $s4 = "\\Lib\\site-packages\\pyHook\\"
- $s5 = "\\Lib\\site-packages\\requests\\"
- $s6 = "\\Lib\\site-packages\\win32com\\"
- $s7 = "\\Lib\\site-packages\\Crypto\\"
- condition:
- 4 of them
-}
diff --git a/yara-mikesxrs/Checkpoint/Gozi_JJ_struct.yar b/yara-mikesxrs/Checkpoint/Gozi_JJ_struct.yar
deleted file mode 100644
index a9cf611..0000000
--- a/yara-mikesxrs/Checkpoint/Gozi_JJ_struct.yar
+++ /dev/null
@@ -1,11 +0,0 @@
-rule Gozi_JJ_struct: trojan {
- meta:
- module = "Gozi_JJ_struct"
- reference = "https://research.checkpoint.com/2020/gozi-the-malware-with-a-thousand-faces/"
- strings:
- $jj = "JJ" ascii
- $pe_file = "This program cannot be run in DOS mode" ascii
- $bss = ".bss" ascii
- condition:
- #jj >= 2 and (for all i in (1,2) : (@jj[i] < 0x400 and @jj[i] > 0x200)) and (@jj[2] - @jj[1] == 0x14) and ($pe_file in (0..1000)) and ($bss in (0..1000))
-}
diff --git a/yara-mikesxrs/Checkpoint/Russia_Detector_rules.yar b/yara-mikesxrs/Checkpoint/Russia_Detector_rules.yar
deleted file mode 100644
index 46bdbb5..0000000
--- a/yara-mikesxrs/Checkpoint/Russia_Detector_rules.yar
+++ /dev/null
@@ -1,7777 +0,0 @@ -*/ -https://research.checkpoint.com/2019/russianaptecosystem/ -*/ - -import "hash" - -private global rule MZOnly { - strings: - $mz = "MZ" - condition: - $mz at 0 -} - -private global rule FileSize { - condition: - filesize < 1MB -} -rule Karagany { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { 89 ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? 8D ?? ?? 68 ?? ?? ?? ?? 6A ?? 8D ?? ?? 5? FF 7? ?? FF 1? ?? ?? ?? ?? 83 ?? ?? 0F 84 } - $block_1 = { 5? 89 ?? 83 ?? ?? 60 8B ?? ?? 29 ?? 66 ?? ?? ?? 89 ?? ?? 83 ?? ?? 8B ?? ?? 89 ?? ?? 8D ?? ?? 8B ?? ?? BA ?? ?? ?? ?? F7 ?? 01 ?? 89 ?? ?? B8 ?? ?? ?? ?? 8B ?? ?? F7 ?? 03 ?? ?? 8B ?? ?? 29 ?? 89 ?? ?? 8B ?? ?? 8D ?? ?? 5? 6A ?? FF 7? ?? FF 7? ?? FF 5? ?? 85 ?? 74 } - $block_2 = { 5? 89 ?? 83 ?? ?? B8 ?? ?? ?? ?? 60 C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? 8D ?? ?? 8D ?? ?? 5? FF 1? ?? ?? ?? ?? 83 ?? ?? 0F 84 } - $block_3 = { 5? 89 ?? 83 ?? ?? 60 8B ?? ?? 29 ?? 66 ?? ?? ?? 89 ?? ?? 83 ?? ?? 8B ?? ?? 89 ?? ?? 8B ?? ?? 89 ?? ?? 8D ?? ?? 8B ?? ?? 5? 6A ?? 5? FF 7? ?? FF 5? ?? 85 ?? 74 } - $block_4 = { 5? 89 ?? 83 ?? ?? 60 8B ?? ?? 8B ?? ?? 01 ?? 83 ?? ?? 83 ?? ?? 8D ?? ?? 83 ?? ?? 8B ?? 01 ?? 89 ?? ?? 8D ?? ?? 85 ?? 74 } - $block_5 = { 8D ?? ?? 83 ?? ?? 8B ?? ?? 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? FF 5? ?? 85 ?? 0F 84 } - $block_6 = { 5? 89 ?? 83 ?? ?? 60 8B ?? ?? 83 ?? ?? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 85 ?? 89 ?? ?? 74 } - $block_7 = { 5? 89 ?? 60 8B ?? ?? 8B ?? 83 ?? ?? 8B ?? ?? 83 ?? ?? 29 } - $block_8 = { 5? 89 ?? 83 ?? ?? 60 8B ?? ?? 66 ?? ?? 66 ?? ?? ?? 75 } - $block_9 = { 8B ?? ?? 8B ?? ?? 03 ?? ?? 89 ?? 8D ?? ?? 85 ?? 
0F 84 } - - condition: - hash.sha256(0, filesize) == "fcf7bfe68ff302869475b73e4c605a099ed2e1074e79c7b3acb2a451cd2ea915" or - hash.sha256(0, filesize) == "568e05c51259597cf79b633a041ad090588846b95c85f19a847d731c90a11122" or - hash.sha256(0, filesize) == "28143c7638f22342bff8edcd0bedd708e265948a5fcca750c302e2dca95ed9f0" or - 10 of them -} - -rule Havex { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { 8B ?? ?? 03 ?? 0F AF ?? 5? 5? 8D ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? ?? 8B ?? ?? 89 ?? ?? 8B ?? ?? 72 } - $block_1 = { 5? 8D ?? ?? 5? E8 ?? ?? ?? ?? 8A ?? 5? F6 ?? 5? 1A ?? 8D ?? ?? FE ?? E8 ?? ?? ?? ?? 84 ?? 0F 84 } - $block_2 = { 8D ?? ?? C6 ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 2B ?? ?? 6A ?? 99 5? F7 ?? 4? 83 ?? ?? 3B ?? 0F 82 } - $block_3 = { 8D ?? ?? 5? 8B ?? E8 ?? ?? ?? ?? 8B ?? E8 ?? ?? ?? ?? 0F B7 ?? 5? E8 ?? ?? ?? ?? 5? 84 ?? 75 } - $block_4 = { 6A ?? 8D ?? ?? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 6A ?? 8D ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 } - $block_5 = { 07 E8 ?? ?? ?? ?? 5? 89 ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? 8D ?? ?? 5? E8 ?? ?? ?? ?? 5? 3B ?? 74 } - $block_6 = { 8D ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? 8B ?? ?? 5? 6A ?? E8 ?? ?? ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? EB } - $block_7 = { 8B ?? ?? 03 ?? 0F AF ?? 8D ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? ?? 8B ?? ?? 89 ?? ?? 8B ?? ?? 72 } - $block_8 = { 8B ?? ?? 33 ?? 66 ?? ?? ?? 8B ?? ?? 0F B6 ?? ?? C1 ?? ?? C1 ?? ?? 0B ?? FF 0? ?? 4? 79 } - $block_9 = { 66 ?? ?? 66 ?? ?? ?? 66 ?? 33 ?? 4? 5? 0F B7 ?? 8B ?? 66 ?? ?? 0F B7 ?? 4? 83 ?? ?? 7D } - $block_10 = { 5? 8D ?? ?? ?? 5? E8 ?? ?? ?? ?? 33 ?? 89 ?? ?? ?? ?? ?? ?? 39 ?? ?? ?? ?? ?? ?? 0F 84 } - $block_11 = { 8B ?? ?? 8D ?? ?? 8B ?? 2B ?? D1 ?? 5? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 5? 8B ?? 5? C9 C3 } - $block_12 = { 80 B? ?? ?? ?? ?? ?? 8D ?? ?? 0F 94 ?? 0F B6 ?? 5? 5? E8 ?? ?? ?? ?? 33 ?? 8B ?? 4? EB } - $block_13 = { 8B ?? ?? 2B ?? ?? 89 ?? ?? 8B ?? ?? 8B ?? ?? 8B ?? 2B ?? 89 ?? ?? 89 ?? ?? 3B ?? 0F 83 } - $block_14 = { 5? 8B ?? 0F B7 ?? ?? 
83 ?? ?? 33 ?? 4? 5? 8B ?? 66 ?? ?? 0F B7 ?? 4? 83 ?? ?? 7D } - $block_15 = { E8 ?? ?? ?? ?? 2B ?? ?? 8B ?? C1 ?? ?? 89 ?? ?? 8B ?? ?? 89 ?? ?? 83 ?? ?? 0F 83 } - $block_16 = { 33 ?? 6A ?? 5? 8B ?? F7 ?? 0F 90 ?? F7 ?? 0B ?? 5? E8 ?? ?? ?? ?? 5? 89 ?? 8B } - $block_17 = { 8D ?? ?? 83 ?? ?? ?? 5? 33 ?? 8B ?? AB AB AB AB 33 ?? 8D ?? ?? AB AB AB AB 5? } - $block_18 = { 6A ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 89 ?? ?? 83 ?? ?? ?? 0F B7 ?? 72 } - $block_19 = { 8B ?? ?? BB ?? ?? ?? ?? BE ?? ?? ?? ?? 5? 8D ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 } - $block_20 = { 8B ?? ?? 33 ?? 89 ?? ?? 89 ?? ?? 89 ?? ?? 89 ?? ?? ?? ?? ?? 38 ?? ?? 0F 84 } - $block_21 = { 8B ?? ?? 8D ?? ?? A5 A5 A5 A5 FF 1? ?? ?? ?? ?? 8B ?? ?? E8 ?? ?? ?? ?? C3 } - $block_22 = { 5? FF 7? ?? 5? E8 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? BB ?? ?? ?? ?? 3B ?? 0F 84 } - $block_23 = { 33 ?? 66 ?? ?? 0F B7 ?? ?? ?? 4? 5? 8B ?? 66 ?? ?? 0F B7 ?? 4? 83 ?? ?? 7D } - $block_24 = { 6A ?? E8 ?? ?? ?? ?? CC 8B ?? ?? ?? 0F AF ?? ?? ?? 5? E8 ?? ?? ?? ?? 5? C3 } - $block_25 = { 8A ?? ?? 88 ?? ?? 8A ?? ?? 88 ?? ?? 8A ?? ?? 88 ?? ?? 8B ?? ?? 5? 5? C9 C3 } - $block_26 = { E8 ?? ?? ?? ?? 8B ?? ?? 2B ?? ?? 6A ?? 99 5? F7 ?? FF 7? ?? 3B ?? 0F 83 } - $block_27 = { 8D ?? ?? 5? 8B ?? E8 ?? ?? ?? ?? 0F B7 ?? 5? E8 ?? ?? ?? ?? 5? 84 ?? 74 } - $block_28 = { 80 B? ?? ?? ?? ?? ?? 8D ?? ?? 0F 94 ?? 0F B6 ?? 5? 5? E8 ?? ?? ?? ?? EB } - $block_29 = { 8D ?? ?? ?? ?? ?? 5? 5? FF 1? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 3B ?? 0F 84 } - $block_30 = { E8 ?? ?? ?? ?? 8B ?? 2B ?? ?? 6A ?? 99 5? F7 ?? FF 7? ?? 83 ?? ?? 0F 83 } - $block_31 = { 66 ?? ?? ?? 8B ?? ?? ?? ?? ?? 66 ?? ?? ?? 4? 83 ?? ?? 0F B7 ?? 0F 8C } - $block_32 = { 8B ?? ?? ?? ?? ?? 5? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 } - $block_33 = { 5? FF 7? ?? 5? E8 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 3D ?? ?? ?? ?? 0F 84 } - $block_34 = { FF 8? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? C1 ?? ?? 39 ?? ?? 0F 85 } - $block_35 = { 5? FF B? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 3B ?? 
0F 85 } - $block_36 = { 8B ?? ?? 8B ?? ?? 8D ?? ?? A5 A5 A5 6A ?? A5 0F B6 ?? ?? 5? 2B ?? 5? } - $block_37 = { 5? 8B ?? 83 ?? ?? 83 ?? ?? 8A ?? ?? 5? 5? 5? 89 ?? ?? ?? 84 ?? 0F 85 } - $block_38 = { 8A ?? 88 ?? 8A ?? ?? 88 ?? ?? 8A ?? ?? 88 ?? ?? 8B ?? ?? 5? 5? C9 C3 } - $block_39 = { 6A ?? 8B ?? E8 ?? ?? ?? ?? 0F B7 ?? 5? E8 ?? ?? ?? ?? 5? 84 ?? 74 } - $block_40 = { 2B ?? ?? 8B ?? C1 ?? ?? 89 ?? ?? 8B ?? ?? 89 ?? ?? 83 ?? ?? 0F 83 } - $block_41 = { 0F BE ?? ?? ?? FF 7? ?? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 84 } - $block_42 = { 8B ?? ?? BE ?? ?? ?? ?? 5? 8D ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 } - $block_43 = { 68 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 8A ?? ?? ?? ?? ?? 3C ?? 0F 84 } - $block_44 = { 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 } - $block_45 = { 8B ?? ?? 4? 4? 83 ?? ?? 89 ?? ?? 8A ?? ?? 8A ?? ?? 3A ?? 0F 85 } - $block_46 = { 8A ?? ?? ?? ?? ?? 8D ?? ?? ?? 30 ?? 0F B6 ?? 4? 83 ?? ?? 72 } - $block_47 = { 0F B6 ?? ?? 33 ?? 8A ?? ?? ?? ?? ?? 30 ?? 0F B6 ?? 4? 4? 75 } - $block_48 = { 33 ?? 83 ?? ?? ?? 0F 95 ?? 4? 83 ?? ?? 83 ?? ?? 89 ?? ?? EB } - $block_49 = { 8B ?? ?? 0F B6 ?? ?? 8D ?? ?? ?? ?? ?? ?? FF 0? 4? 3B ?? 7C } - $block_50 = { 8B ?? ?? C1 ?? ?? ?? 83 ?? ?? 83 ?? ?? 89 ?? ?? 3B ?? 0F 84 } - $block_51 = { 8B ?? ?? 2B ?? ?? 6A ?? 99 5? F7 ?? FF 7? ?? 3B ?? 0F 83 } - $block_52 = { 6A ?? FF 1? ?? ?? ?? ?? 8B ?? ?? ?? 8A ?? ?? 84 ?? 0F 84 } - $block_53 = { 8B ?? E8 ?? ?? ?? ?? 0F B7 ?? 0F B7 ?? 83 ?? ?? 3B ?? 7F } - $block_54 = { 8A ?? ?? 88 ?? ?? 8A ?? ?? 88 ?? ?? 8B ?? ?? 5? 5? C9 C3 } - $block_55 = { 8B ?? 2B ?? ?? 6A ?? 99 5? F7 ?? FF 7? ?? 83 ?? ?? 0F 83 } - $block_56 = { BE ?? ?? ?? ?? 5? 8D ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 } - $block_57 = { 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 0F 94 ?? 5? 5? 3C ?? 74 } - $block_58 = { 8B ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 5? FF D? 85 ?? 0F 84 } - $block_59 = { FF 7? ?? 6A ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 84 } - $block_60 = { 8B ?? ?? 2B ?? ?? 6A ?? 99 5? F7 ?? 39 ?? ?? 0F 83 } - $block_61 = { 0F B6 ?? 8B ?? 
?? ?? ?? ?? C1 ?? ?? 4? 83 ?? ?? 7C } - $block_62 = { 8B ?? ?? 5? 33 ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? C9 C3 } - $block_63 = { 8A ?? 88 ?? 8A ?? ?? 88 ?? ?? 8B ?? ?? 5? 5? C9 C3 } - $block_64 = { 5? 8B ?? 83 ?? ?? 5? 5? 8B ?? 8B ?? 3B ?? 0F 84 } - $block_65 = { 8D ?? ?? 5? FF 1? ?? ?? ?? ?? 8B ?? 3B ?? 0F 84 } - $block_66 = { 6A ?? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 5? 5? C9 C3 } - - condition: - hash.sha256(0, filesize) == "e38aa99eff1f9fedd99cf541c3255e99f3276839a883cadb6e916649522729e3" or - hash.sha256(0, filesize) == "e42badd8fb20f1bc72b1cec65c42a96ee60a4b52d19e8f5a7248afee03646ace" or - hash.sha256(0, filesize) == "45abd87da6a584ab2a66a06b40d3c84650f2a33f5f55c5c2630263bc17ec4139" or - hash.sha256(0, filesize) == "7e0dafedd01d09e66524f2345d652b29d3f634361c0a69e8d466dcbdfd0e3001" or - hash.sha256(0, filesize) == "2c109406998723885cf04c3ced7af8010665236459d6fe610e678065994154d4" or - hash.sha256(0, filesize) == "f65d767afd198039d044b17b96ebad54390549c6e18ead7e19e342d60b70a2c3" or - hash.sha256(0, filesize) == "a2fe7a346b39a062c60c50167be7dd4f6a8175df054faa67bff33ec42b1072d9" or - hash.sha256(0, filesize) == "269ea4b883de65f235a04441144519cf6cac80ef666eccf073eedd5f9319be0f" or - hash.sha256(0, filesize) == "49c1c5e8a71f488a7b560c6751752363389f6272d8c310fee78307dc9dcd3ee2" or - hash.sha256(0, filesize) == "59af70f71cdf933f117ab97d6f1c1bab82fd15dbe654ba1b27212d7bc20cec8c" or - hash.sha256(0, filesize) == "0e34262813677090938983039ba9ff3ade0748a3aba25e28d19e2831c036b095" or - hash.sha256(0, filesize) == "2f24c7ccbd7a9e830ed3f9b3b7be7856e0cc8c1580082433cbe9bf33c86193c6" or - hash.sha256(0, filesize) == "b139829440aabe33071aa34604f739d70f9a0a3b06051f3190aabf839df2d408" or - hash.sha256(0, filesize) == "0c20ffcdf2492ccad2e53777a0885c579811f91c05d076ff160684082681fe68" or - hash.sha256(0, filesize) == "2221c2323fb6e30b9c10ee68d60b7d7be823911540bb115f75b2747d015e35f9" or - hash.sha256(0, filesize) == "487eaf5cc52528b5f3bb27ba53afffb6d534068b364a41fc887b8c1e1485795a" or - 
hash.sha256(0, filesize) == "4ff5f102f0f1284a189485fc4c387c977dd92f0bc6a30c4d837e864aed257129" or - hash.sha256(0, filesize) == "022da314d1439f779364aba958d51b119ac5fda07aac8f5ced77146dbf40c8ac" or - hash.sha256(0, filesize) == "6606dd9a5d5182280c12d009a03b8ed6179872fcb08be9aa16f098250cc5b7a7" or - hash.sha256(0, filesize) == "646c94a0194ca70fbe68c444a0c9b444e195280f9a0d19f12393421311653552" or - hash.sha256(0, filesize) == "ce99e5f64f2d1e58454f23b4c1de33d71ee0b9fcd52c9eb69569f1c420332235" or - hash.sha256(0, filesize) == "e029db63346c513be42242e268559174f6b00d818e00d93c14bd443314f65fe5" or - hash.sha256(0, filesize) == "69b555a37e919c3e6c24cfe183952cdb695255f9458b25d00d15e204d96c737b" or - hash.sha256(0, filesize) == "fd689fcdcef0f1198b9c778b4d93adfbf6e80118733c94e61a450aeb701750b4" or - hash.sha256(0, filesize) == "6122db2cdac0373cc8513c57786088a5548721d01e7674e78082774044e92980" or - hash.sha256(0, filesize) == "2f593c22a8fd0de3bbb57d26320446a9c7eed755ae354957c260908c93d8cf79" or - hash.sha256(0, filesize) == "1d768ebfbdf97ad5282e7f85da089e174b1db760f1cbdca1a815e8e6245f155a" or - hash.sha256(0, filesize) == "b8514bff04e8f4e77430202db61ec5c206d3ec0f087a65ee72c9bb94a058b685" or - hash.sha256(0, filesize) == "d755904743d48c31bdff791bfa440e79cfe1c3fc9458eb708cf8bb78f117dd07" or - hash.sha256(0, filesize) == "bacac71fcc61db9b55234d1ccf45d5fffd9392c430cdd25ee7a5cea4b24c7128" or - hash.sha256(0, filesize) == "ee53e509d0f2a3c888232f2232b603463b421b9c08fe7f44ed4eead0643135d3" or - hash.sha256(0, filesize) == "2efd5355651db8e07613e74b1bf85b50273c1f3bce5e4edbedea0ccdff023754" or - hash.sha256(0, filesize) == "439e5617d57360f76f24daed3fe0b59f20fc9dade3008fd482260ba58b739a23" or - hash.sha256(0, filesize) == "c4e2e341689799281eaef47de75f59edceaba281398b41fe7616436f247ab93d" or - hash.sha256(0, filesize) == "778568b44e13751800bf66c17606dfdfe35bebbb94c8e6e2a2549c7482c33f7a" or - hash.sha256(0, filesize) == "85d3f636b515f0729c47f66e3fc0c9a0aacf3ec09c4acf8bf20a1411edcdc40a" or - 
hash.sha256(0, filesize) == "56a1513bcf959d5df3ff01476ddb4b158ce533658ab7d8dd439324b16f193ac2" or - hash.sha256(0, filesize) == "61969cd978cd2de3a13a10510d0dea5d0d3b212209804563ed3d42033a9d0f54" or - hash.sha256(0, filesize) == "98bd5e8353bc9b70f8a52786365bcdb28bd3aef164d62c38dae8df33e04ac11a" or - hash.sha256(0, filesize) == "2dc296eb532097ac1808df7a16f7740ef8771afda3ac339d144d710f9cefceb4" or - hash.sha256(0, filesize) == "aafbf4bba99c47e7d05c951ad964ce09493db091ba5945e89df916c6fa95d101" or - hash.sha256(0, filesize) == "a3a6f0dc5558eb93afa98434020a8642f7b29c41d35fa34809d6801d99d8c4f3" or - hash.sha256(0, filesize) == "066346170856972f6769705bc6ff4ad21e88d2658b4cacea6f94564f1856ed18" or - hash.sha256(0, filesize) == "6b2a438e0233fe8e7ba8774e2e5c59bf0b7c12679d52d6783a0010ecad11978c" or - hash.sha256(0, filesize) == "31db22caf480c471205a7608545370c1b3c0c9be5285a9ef2264e856052b66b4" or - hash.sha256(0, filesize) == "6296d95b49d795fa10ae6e9c4e4272ea4e1444105bddbf45b34ee067b2603b38" or - hash.sha256(0, filesize) == "4cf75059f2655ca95b4eba11f1ce952d8e08bb4dbcb12905f6f37cf8145a538d" or - hash.sha256(0, filesize) == "e73f8b394e51348ef3b6cea7c5e5ecc2ee06bb395c5ac30f6babb091080c1e74" or - hash.sha256(0, filesize) == "9517a412633b8ebeac875a2da7fe119b72efad62859dc1719b84d561792a9033" or - hash.sha256(0, filesize) == "d89a80a3fbb0a4a40157c6752bd978bc113b0c413e3f73eb922d4e424edeb8a7" or - hash.sha256(0, filesize) == "da3c1a7b63a6a7cce0c9ef01cf95fd4a53ba913bab88a085c6b4b8e4ed40d916" or - hash.sha256(0, filesize) == "d71da8a59f3e474c3bcd3f2f00fae0b235c4e01cd9f465180dd0ab19d6af5526" or - hash.sha256(0, filesize) == "684ea2083f2f7099f0a611c81f26f30127ad297fcac8988cabb60fcf56979dfc" or - hash.sha256(0, filesize) == "2c37e0504b98413e0308e44fd84f98e968f6f62399ea06bc38d3f314ee94b368" or - hash.sha256(0, filesize) == "aef82593822a934b77b81ebc461c496c4610474727539b0b6e1499ca836f0dee" or - hash.sha256(0, filesize) == "9d530e2254580842574a740698d2348b68b46fd88312c9325321ad0d986f523d" or - 
hash.sha256(0, filesize) == "8da93bc4d20e5f38d599ac89db26fc2f1eecbf36c14209302978d46fc4ce5412" or - hash.sha256(0, filesize) == "170e5eb004357dfce6b41de8637e1dbeb87fa58e8b54a2031aac33afb930f3c8" or - hash.sha256(0, filesize) == "b3b01b36b6437c624da4b28c4c8f773ae8133fca9dd10dc17742e956117f5759" or - hash.sha256(0, filesize) == "b0faba6156c7b0cd59b94eeded37d8c1041d4b8dfa6aacd6520a6d28c3f02a5e" or - hash.sha256(0, filesize) == "5a13d0c954280b4c65af409376de86ac43eb966f25b85973a20d330a34cdd9a6" or - hash.sha256(0, filesize) == "92c959c36617445a35e6f4f2ee2733861aa1b3baf8728d19a4fd5176f3c80401" or - hash.sha256(0, filesize) == "edb7caa3dce3543d65f29e047ea789a9e429e46bed5c29c4748e656285a08050" or - hash.sha256(0, filesize) == "02e5191078497be1e6ea8bac93b6cfb9b3ee36a58e4f7dd343ac1762e7f9301e" or - hash.sha256(0, filesize) == "170596e88b26f04d349f6014d17a88026ec55eab44888e2a9bb4dd90a79f6878" or - hash.sha256(0, filesize) == "cb58396d40e69d5c831f46aed93231ed0b7d41fee95f8da7c594c9dbd06ee111" or - hash.sha256(0, filesize) == "24be375f0e11d88210e53f15cc08d72ab6c6287676c3fe3c6f70b513e5f442ed" or - hash.sha256(0, filesize) == "8e222cb1a831c407a3f6c7863f3faa6358b424e70a041c196e91fb7989735b68" or - hash.sha256(0, filesize) == "bb3529aa5312abbee0cfbd00f10c3f2786f452a2ca807f0acbd336602a13ac79" or - hash.sha256(0, filesize) == "a05b53260c2855829226dffd814022b7ff4750d278d6c46f2e8e0dc58a36a1f9" or - hash.sha256(0, filesize) == "698ec413986dc7fc761b1a17624ffffb1590902020b9d0cd5d9a6013c67d9100" or - hash.sha256(0, filesize) == "f1d6e8b07ac486469e09c876c3e267db2b2d651299c87557cbf4eafb861cf79c" or - hash.sha256(0, filesize) == "4f3ceab96fb55d0b05380a1d95bb494ca44d7a9d7f10ded02d5b6fc27c92cb05" or - hash.sha256(0, filesize) == "f6aab09e1c52925fe599246dfdb4c1d06bea5c380c4c3e9c33661c869d41a23a" or - hash.sha256(0, filesize) == "c43ce82560cea125f65c7701c733c61ae3faa782c8b00efcb44fd7dbd32a5c4b" or - hash.sha256(0, filesize) == "224e8349ba128f0ab57bdebef5287f4b84b9dccbc2d8503f53f6333efd5f9265" or - 
hash.sha256(0, filesize) == "cd019e717779e2d2b1f4c27f75e940b5f98d4ebb48de604a6cf2ab911220ae50" or - hash.sha256(0, filesize) == "593849098bd288b7bed9646e877fa0448dcb25ef5b4482291fdf7123de867911" or - hash.sha256(0, filesize) == "ecb097f3367f0155887dde9f891ff823ff54ddfe5217cdbb391ea5b10c5a08dc" or - hash.sha256(0, filesize) == "83e57d8f3810a72a772742d4b786204471a7607e02fa445c3cd083f164cc4af3" or - hash.sha256(0, filesize) == "4b547b3992838cfb3b61cb25f059c0b56c2f7caaa3b894dbc20bf7b33dadc5a1" or - hash.sha256(0, filesize) == "0f4046be5de15727e8ac786e54ad7230807d26ef86c3e8c0e997ea76ab3de255" or - hash.sha256(0, filesize) == "7c1136d6f5b10c22698f7e049dbc493be6e0ce03316a86c422ca9b670cb133aa" or - hash.sha256(0, filesize) == "72ff91b3f36ccf07e3daf6709db441d2328cecab366fd5ff81fc70dd9eb45db8" or - hash.sha256(0, filesize) == "d5687b5c5cec11c851e84a1d40af3ef52607575487a70224f63458c24481076c" or - hash.sha256(0, filesize) == "bcdcb4b5e9aaaee2c46d5b0ed16aca629de9faa5e787c672191e0bdf64619a95" or - hash.sha256(0, filesize) == "6e5f4296bffa7128b6e8fa72ad1924d2ff19b9d64775bd1e0a9ce9c5944bd419" or - hash.sha256(0, filesize) == "d3ee530abe41705a819ee9220aebb3ba01531e16df7cded050ba2cf051940e46" or - hash.sha256(0, filesize) == "bee9f2a01e0049d4cf94016284b16849136233366d1509489797084672e5448f" or - hash.sha256(0, filesize) == "ec48b131612ef5637b387d9c2b0907d68a080fb77c6168e779fb7f3a0efa04dc" or - hash.sha256(0, filesize) == "1ef47da67f783f8cc8cda7481769647b754874c91e0c666f741611decd878c19" or - hash.sha256(0, filesize) == "0850c39a7fcaa7091aaea333d33c71902b263935df5321edcd5089d10e4bbebb" or - hash.sha256(0, filesize) == "8d343be0ea83597f041f9cbc6ea5b63773affc267c6ad99d31badee16d2c86e5" or - hash.sha256(0, filesize) == "13da3fe28302a8543dd527d9e09723caeed98006c3064c5ed7b059d6d7f36554" or - hash.sha256(0, filesize) == "6367cb0663c2898aff64440176b409c1389ca7834e752b350a87748bef3a878b" or - hash.sha256(0, filesize) == "358da2c5bb5fbd9c9cf791536054bbb387ce37253c31555f5afa544f38de2a3f" or - 
hash.sha256(0, filesize) == "ebb16c9536e6387e7f6988448a3142d17ab695b2894624f33bd591ceb3e46633" or - hash.sha256(0, filesize) == "0ea750a8545252b73f08fe87db08376f789fe7e58a69f5017afa2806046380a5" or - hash.sha256(0, filesize) == "65a4332dfe474a8bb9b5fa35495aade453da7a03eb0049211e57b5660d08d75c" or - hash.sha256(0, filesize) == "dc612882987fab581155466810f87fd8f0f2da5c61ad8fc618cef903c9650fcd" or - hash.sha256(0, filesize) == "d588e789f0b5914bd6f127950c5daf6519c78b527b0ed7b323e42b0613f6566f" or - hash.sha256(0, filesize) == "c25c1455dcab2f17fd6a25f8af2f09ca31c8d3773de1cb2a55acd7aeaa6963c8" or - hash.sha256(0, filesize) == "b8f2fdddf7a9d0b813931e0efe4e6473199688320d5e8289928fe87ce4b1d068" or - hash.sha256(0, filesize) == "94d4e4a8f2d53426154c41120b4f3cf8105328c0cc5d4bd9126a54c14b296093" or - hash.sha256(0, filesize) == "101e70a5455212b40406fe70361995a3a346264eabd4029200356565d2bacd6a" or - hash.sha256(0, filesize) == "60f86898506f0fdf6d997f31deff5b6200a6969b457511cc00446bd22dd1f0a4" or - hash.sha256(0, filesize) == "b647f883911ff20f776e0a42564b13ef961fa584ebd5cfce9dd2990bca5df24e" or - hash.sha256(0, filesize) == "c987f8433c663c9e8600a7016cdf63cd14590a019118c52238c24c39c9ec02ad" or - hash.sha256(0, filesize) == "66ec58b4bdcb30d1889972c1ee30af7ff213deece335f798e57ff51fe28752e3" or - hash.sha256(0, filesize) == "3a88ff66f4eb675f0c3e6c5f947c012945c4e15b77a2cd195de8a8aba23ccb29" or - hash.sha256(0, filesize) == "43608e60883304c1ea389c7bad244b86ff5ecf169c3b5bca517a6e7125325c7b" or - hash.sha256(0, filesize) == "abdb2da30435430f808b229f8b6856fafc154a386ef4f7c5e8de4a746e350e0c" or - hash.sha256(0, filesize) == "7081455301e756d6459ea7f03cd55f7e490622d36a5a019861e6b17141f69bd0" or - hash.sha256(0, filesize) == "c66525285707daff30fce5d79eb1bdf30519586dfec4edf73e4a0845fd3d0e1c" or - hash.sha256(0, filesize) == "59c4cba96dbab5d8aa7779eac18b67b2e6f8b03066eb092415d50dff55e43b72" or - hash.sha256(0, filesize) == "0c9b20f4cb0b3206f81c2afbb2ee4d995c28f74f38216f7d35454af624af8876" or - 
hash.sha256(0, filesize) == "6e92c2d298e25bcff17326f69882b636150d2a1af494ef8186565544f0d04d3d" or - hash.sha256(0, filesize) == "0a0a5b68a8a7e4ed4b6d6881f57c6a9ac55b1a50097588e462fe8d3c486158bf" or - hash.sha256(0, filesize) == "837e68be35c2f0ab9e2b3137d6f9f7d16cc387f3062a21dd98f436a4bcceb327" or - hash.sha256(0, filesize) == "fb30c3bb1b25b3d4cca975f2e0c45b95f3eb57a765267271a9689dd526658b43" or - hash.sha256(0, filesize) == "e3a7fa8636d040c9c3a8c928137d24daa15fc6982c002c5dd8f1c552f11cbcad" or - 12 of them -} - -rule HavexModuleOPC { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { 8B ?? ?? 03 ?? 0F AF ?? 8D ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? ?? 8B ?? ?? 89 ?? ?? 8B ?? ?? 72 } - $block_1 = { 8B ?? ?? 33 ?? 66 ?? ?? ?? 8B ?? ?? 0F B6 ?? ?? C1 ?? ?? C1 ?? ?? 0B ?? FF 0? ?? 4? 79 } - $block_2 = { 8D ?? ?? 5? 89 ?? ?? 8B ?? ?? 6A ?? E8 ?? ?? ?? ?? 83 ?? ?? ?? 89 ?? ?? 3B ?? 0F 85 } - $block_3 = { 89 ?? ?? ?? ?? ?? 8B ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? ?? FF 4? ?? 0F 85 } - $block_4 = { 8B ?? ?? 33 ?? 89 ?? ?? 89 ?? ?? 89 ?? ?? 89 ?? ?? ?? ?? ?? 38 ?? ?? 0F 84 } - $block_5 = { 8B ?? ?? ?? ?? ?? 5? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 } - $block_6 = { 66 ?? ?? ?? 8B ?? ?? ?? ?? ?? 66 ?? ?? ?? 4? 83 ?? ?? 0F B7 ?? 0F 8C } - $block_7 = { 5? 8B ?? 83 ?? ?? 5? 5? 33 ?? 8D ?? ?? AB AB AB AB 83 ?? ?? ?? C7 } - $block_8 = { 8D ?? ?? 5? FF 1? ?? ?? ?? ?? 8B ?? E8 ?? ?? ?? ?? 84 ?? 0F 84 } - $block_9 = { 0F B7 ?? 8B ?? C1 ?? ?? 0B ?? D1 ?? 8D ?? ?? F3 ?? 13 ?? 66 } - $block_10 = { 33 ?? 83 ?? ?? ?? 0F 95 ?? 4? 83 ?? ?? 83 ?? ?? 89 ?? ?? EB } - $block_11 = { 83 ?? ?? ?? 8B ?? ?? 89 ?? ?? 8B ?? A5 A5 A5 A5 5? 5? 74 } - $block_12 = { 8D ?? ?? 8B ?? E8 ?? ?? ?? ?? 83 ?? ?? FF 4? ?? 0F 85 } - $block_13 = { 5? 8B ?? 83 ?? ?? 5? 8B ?? ?? 5? 8B ?? 85 ?? 0F 84 } - $block_14 = { 0F B6 ?? 8B ?? ?? ?? ?? ?? C1 ?? ?? 4? 83 ?? ?? 7C } - $block_15 = { 8B ?? ?? 8B ?? ?? 33 ?? 5? E8 ?? ?? ?? ?? 
C9 C3 } - - condition: - hash.sha256(0, filesize) == "6aca45bb78452cd78386b8fa78dbdf2dda7fba6cc06482251e2a6820849c9e82" or - hash.sha256(0, filesize) == "004c99be0c355e1265b783aae557c198bcc92ee84ed49df70db927a726c842f3" or - hash.sha256(0, filesize) == "7933809aecb1a9d2110a6fd8a18009f2d9c58b3c7dbda770251096d4fcc18849" or - 12 of them -} - -rule KaraganyModuleScreenshot { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { 5? 8B ?? 81 E? ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 ?? 89 ?? ?? 5? 5? 5? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 6A ?? 5? C6 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 68 ?? ?? ?? ?? BB ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? BE ?? ?? ?? ?? 8D ?? ?? A5 A5 A5 A5 A4 BE ?? ?? ?? ?? 8D ?? ?? A5 A5 8D ?? ?? A4 8B ?? ?? ?? ?? ?? 5? FF D? 5? 8D ?? ?? 6A ?? 5? E8 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 83 ?? ?? 8D ?? ?? 5? 5? FF D? 6A ?? 5? FF 1? ?? ?? ?? ?? 8D ?? ?? 5? FF D? 5? 8D ?? ?? 6A ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 8D ?? ?? 5? 5? FF D? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? 6A ?? FF 1? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 5? 5? 85 ?? 75 } - $block_1 = { 5? 8B ?? 81 E? ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 ?? 89 ?? ?? 5? 5? BE ?? ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? 33 ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_2 = { 8D ?? ?? ?? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 5? 5? 85 ?? 0F 84 } - $block_3 = { 5? 8D ?? ?? ?? ?? ?? 5? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_4 = { 8D ?? ?? ?? 5? FF 7? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 } - - condition: - hash.sha256(0, filesize) == "05fb04474a3785995508101eca7affd8c89c658f7f9555de6d6d4db40583ac53" or - 5 of them -} - -rule Listrix { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { 5? 8B ?? 83 ?? ?? 81 E? ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 ?? 89 ?? ?? ?? ?? ?? ?? 5? 8B ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF D? 68 ?? ?? ?? ?? FF D? 68 ?? ?? ?? ?? FF D? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 1? ?? ?? ?? 
?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF D? 68 ?? ?? ?? ?? FF D? E8 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? C1 ?? ?? 89 ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_1 = { 0F B7 ?? ?? ?? ?? ?? 0F B7 ?? ?? ?? ?? ?? 0F B7 ?? ?? ?? ?? ?? 5? 0F B7 ?? ?? ?? ?? ?? 5? 0F B7 ?? ?? ?? ?? ?? 5? 8B ?? ?? ?? ?? ?? 5? 5? 5? 8D ?? ?? ?? ?? ?? 5? 5? 8D ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 83 ?? ?? 8D ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? 8B ?? FF 1? ?? ?? ?? ?? 8B ?? 83 ?? ?? 74 } - $block_2 = { 0F B7 ?? ?? ?? ?? ?? 0F B7 ?? ?? ?? ?? ?? 0F B7 ?? ?? ?? ?? ?? 5? 0F B7 ?? ?? ?? ?? ?? 5? 0F B7 ?? ?? ?? ?? ?? 5? 5? 5? 8D ?? ?? ?? ?? ?? 5? 5? 8D ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 83 ?? ?? 8D ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? 8B ?? FF 1? ?? ?? ?? ?? 8B ?? 83 ?? ?? 0F 84 } - $block_3 = { 5? 8B ?? 81 E? ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 ?? 89 ?? ?? 33 ?? 68 ?? ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? 66 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 ?? 68 ?? ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? 66 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 8D ?? ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_4 = { 5? 8B ?? 81 E? ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 ?? 89 ?? ?? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? 6A ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_5 = { 6A ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? A3 ?? ?? ?? ?? 83 ?? ?? 0F 84 } - $block_6 = { 8D ?? ?? ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 83 ?? ?? 0F 84 } - $block_7 = { 8B ?? ?? ?? 8D ?? ?? ?? 83 ?? ?? 5? 66 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 83 ?? ?? 0F 85 } - $block_8 = { 68 ?? ?? ?? ?? 6A ?? 6A ?? 8D ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_9 = { 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? 8B ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 
0F 84 } - - condition: - hash.sha256(0, filesize) == "fc54d8afd2ce5cb6cc53c46783bf91d0dd19de604308d536827320826bc36ed9" or - 10 of them -} - -rule KaraganyModuleFileListing { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { 0F B7 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 66 ?? ?? ?? A1 ?? ?? ?? ?? 89 ?? ?? 0F B7 ?? ?? ?? ?? ?? 89 ?? ?? 0F B7 ?? ?? ?? ?? ?? 89 ?? ?? 0F B7 ?? ?? ?? ?? ?? 66 ?? ?? ?? 8B ?? ?? ?? ?? ?? 66 ?? ?? ?? 8B ?? ?? ?? ?? ?? 66 ?? ?? ?? 0F B6 ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? 0F B7 ?? ?? ?? ?? ?? 88 ?? ?? A1 ?? ?? ?? ?? 89 ?? ?? 0F B7 ?? ?? ?? ?? ?? 89 ?? ?? 0F B7 ?? ?? ?? ?? ?? 66 ?? ?? ?? 8B ?? ?? ?? ?? ?? 66 ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? ?? ?? ?? 66 ?? ?? ?? 0F B7 ?? ?? ?? ?? ?? 89 ?? ?? 0F B6 ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? ?? ?? ?? 66 ?? ?? ?? 0F B7 ?? ?? ?? ?? ?? 88 ?? ?? 0F B6 ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? ?? ?? ?? 66 ?? ?? ?? 0F B6 ?? ?? ?? ?? ?? 89 ?? ?? 0F B7 ?? ?? ?? ?? ?? 88 ?? ?? 8B ?? ?? ?? ?? ?? 88 ?? ?? 89 ?? ?? 66 ?? ?? ?? 8D ?? ?? 8D ?? ?? 8D ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8D ?? ?? 8D ?? ?? 8D ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8D ?? ?? 8D ?? ?? 8D ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? 8D ?? ?? 8D ?? ?? 8D ?? ?? 89 ?? ?? 89 ?? ?? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? 8D } - $block_1 = { 8D ?? ?? ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 83 ?? ?? 68 ?? ?? ?? ?? FF D? 68 ?? ?? ?? ?? FF D? 68 ?? ?? ?? ?? FF D? 68 ?? ?? ?? ?? FF D? 68 ?? ?? ?? ?? FF D? 68 ?? ?? ?? ?? FF D? 68 ?? ?? ?? ?? FF D? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? FF 1? ?? ?? ?? ?? C1 ?? ?? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_2 = { 0F B7 ?? ?? 0F B7 ?? ?? 0F B7 ?? ?? 5? 0F B7 ?? ?? 5? 0F B7 ?? ?? 5? 8B ?? ?? ?? ?? ?? 5? 5? 5? 8D ?? ?? ?? ?? ?? 5? 5? 8D ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 83 ?? ?? 8D ?? ?? ?? 
?? ?? 5? FF 1? ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? 8B ?? FF 1? ?? ?? ?? ?? 8B ?? 83 ?? ?? 74 } - $block_3 = { 0F B7 ?? ?? 0F B7 ?? ?? 0F B7 ?? ?? 5? 0F B7 ?? ?? 5? 0F B7 ?? ?? 5? 5? 5? 8D ?? ?? ?? ?? ?? 5? 5? 8D ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 83 ?? ?? 8D ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? 8B ?? FF 1? ?? ?? ?? ?? 8B ?? 83 ?? ?? 0F 84 } - $block_4 = { 8A ?? ?? 8D ?? ?? ?? ?? ?? 04 ?? 5? 88 ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 83 ?? ?? 0F 85 } - $block_5 = { 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? F6 ?? ?? ?? 0F 84 } - $block_6 = { 8B ?? ?? 8D ?? ?? ?? ?? ?? 5? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 } - $block_7 = { 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? FF D? 85 ?? 0F 84 } - - condition: - hash.sha256(0, filesize) == "07bd08b07de611b2940e886f453872aa8d9b01f9d3c61d872d6cfe8cde3b50d4" or - 8 of them -} - -rule Ddex_loader { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { 5? 5? 68 ?? ?? ?? ?? 6A ?? 5? FF 1? ?? ?? ?? ?? 8B ?? FF 1? ?? ?? ?? ?? 8B ?? 8D ?? ?? 5? FF 1? ?? ?? ?? ?? 0F B7 ?? ?? 5? 0F B7 ?? ?? 5? 0F B7 ?? ?? 5? 0F B7 ?? ?? 5? 0F B7 ?? ?? 5? 0F B7 ?? ?? 5? 5? 68 ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 83 ?? ?? 5? E8 ?? ?? ?? ?? 5? 5? FF 7? ?? E8 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 85 ?? 75 } - $block_1 = { FF 3? ?? ?? ?? ?? FF 7? ?? FF 7? ?? FF 3? ?? ?? ?? ?? FF 7? ?? 68 ?? ?? ?? ?? FF 3? FF 1? ?? ?? ?? ?? 83 ?? ?? FF 3? E8 ?? ?? ?? ?? FF 7? ?? 8B ?? ?? 5? FF 7? ?? 89 ?? FF D? FF 7? ?? 5? FF 7? ?? FF D? 5? 33 ?? 5? 4? 5? C9 C2 } - $block_2 = { 0F B7 ?? ?? 5? 0F B7 ?? ?? 5? 0F B7 ?? ?? 5? 0F B7 ?? ?? 5? 0F B7 ?? ?? 5? 68 ?? ?? ?? ?? FF 7? ?? FF 1? ?? ?? ?? ?? 83 ?? ?? FF 7? ?? E8 ?? ?? ?? ?? 8D ?? ?? 5? 5? FF 7? ?? 89 ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 8B ?? 3B ?? 74 } - $block_3 = { 5? 8B ?? 83 ?? ?? 5? 5? 5? FF 1? ?? ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? BB ?? ?? ?? ?? 5? 89 ?? ?? E8 ?? ?? ?? ?? 8D ?? ?? 5? 
E8 ?? ?? ?? ?? 8B ?? 8D ?? ?? A5 A5 68 ?? ?? ?? ?? A5 E8 ?? ?? ?? ?? 85 ?? 75 } - $block_4 = { 83 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 8D ?? ?? ?? 5? 5? 5? E8 ?? ?? ?? ?? 5? 33 ?? 5? 5? 8B ?? FF D? 39 ?? ?? ?? 0F 86 } - $block_5 = { 5? 5? 83 ?? ?? ?? ?? 5? 5? 5? 8B ?? ?? ?? ?? ?? 5? 8B ?? ?? ?? 68 ?? ?? ?? ?? 5? FF D? 5? 5? 85 ?? 0F 84 } - $block_6 = { 6A ?? 5? E8 ?? ?? ?? ?? 5? 5? 8D ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 8D ?? ?? A5 A5 A5 83 ?? ?? ?? 74 } - $block_7 = { 0F B7 ?? ?? 5? 5? 6A ?? 5? 5? 5? FF 3? 5? FF 1? ?? ?? ?? ?? 89 ?? ?? ?? 3B ?? 75 } - $block_8 = { 5? E8 ?? ?? ?? ?? 3B ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? 0F 84 } - $block_9 = { 5? 68 ?? ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 } - - condition: - hash.sha256(0, filesize) == "377a9c610cc17bbf19470b1a3f847b74e0f56d4f4fd57a3298c630dab403acea" or - hash.sha256(0, filesize) == "3094ac9d2eeb17d4cda19542f816d15619b4c3fec52b87fdfcd923f4602d827b" or - hash.sha256(0, filesize) == "76b272828c68b5c6d3693809330555b5a1a6a8bda73228c8edc37afca78a21d6" or - hash.sha256(0, filesize) == "7a115335c971ad4f15af10ea54e2d3a6db08c73815861db4526335b81ebde253" or - 10 of them -} - -rule HavexLoader { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { 8B ?? ?? 03 ?? 0F AF ?? 8D ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? ?? 8B ?? ?? 89 ?? ?? 8B ?? ?? 72 } - $block_1 = { 66 ?? ?? 66 ?? ?? ?? 66 ?? 33 ?? 4? 5? 0F B7 ?? 8B ?? 66 ?? ?? 0F B7 ?? 4? 83 ?? ?? 7D } - $block_2 = { 8B ?? ?? 33 ?? 66 ?? ?? ?? 8B ?? ?? 0F B6 ?? ?? C1 ?? ?? C1 ?? ?? 0B ?? FF 0? ?? 4? 79 } - $block_3 = { E8 ?? ?? ?? ?? 2B ?? ?? 8B ?? C1 ?? ?? 89 ?? ?? 8B ?? ?? 89 ?? ?? 83 ?? ?? 0F 83 } - $block_4 = { 5? 8B ?? 0F B7 ?? ?? 83 ?? ?? 33 ?? 4? 5? 8B ?? 66 ?? ?? 0F B7 ?? 4? 83 ?? ?? 7D } - $block_5 = { 6A ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 89 ?? ?? 83 ?? ?? ?? 0F B7 ?? 72 } - $block_6 = { 8D ?? ?? 83 ?? ?? ?? 5? 33 ?? 8B ?? AB AB AB AB 33 ?? 8D ?? ?? AB AB AB AB 5? } - $block_7 = { 8B ?? ?? 33 ?? 89 ?? ?? 89 ?? ?? 89 ?? ?? 
89 ?? ?? ?? ?? ?? 38 ?? ?? 0F 84 } - $block_8 = { 8B ?? ?? 8D ?? ?? A5 A5 A5 A5 FF 1? ?? ?? ?? ?? 8B ?? ?? E8 ?? ?? ?? ?? C3 } - $block_9 = { 8D ?? ?? ?? ?? ?? 5? 5? FF 1? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 3B ?? 0F 84 } - $block_10 = { 80 B? ?? ?? ?? ?? ?? 8D ?? ?? 0F 94 ?? 0F B6 ?? 5? 5? E8 ?? ?? ?? ?? EB } - $block_11 = { E8 ?? ?? ?? ?? 8B ?? ?? 2B ?? ?? 6A ?? 99 5? F7 ?? FF 7? ?? 3B ?? 0F 83 } - $block_12 = { 66 ?? ?? ?? 8B ?? ?? ?? ?? ?? 66 ?? ?? ?? 4? 83 ?? ?? 0F B7 ?? 0F 8C } - $block_13 = { 5? FF 7? ?? 5? E8 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 3D ?? ?? ?? ?? 0F 84 } - $block_14 = { 8B ?? ?? ?? ?? ?? 5? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 } - $block_15 = { 8B ?? ?? 8B ?? ?? 8D ?? ?? A5 A5 A5 6A ?? A5 0F B6 ?? ?? 5? 2B ?? 5? } - $block_16 = { 5? 8B ?? 83 ?? ?? 83 ?? ?? 8A ?? ?? 5? 5? 5? 89 ?? ?? ?? 84 ?? 0F 85 } - $block_17 = { 2B ?? ?? 8B ?? C1 ?? ?? 89 ?? ?? 8B ?? ?? 89 ?? ?? 83 ?? ?? 0F 83 } - $block_18 = { 68 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 8A ?? ?? ?? ?? ?? 3C ?? 0F 84 } - $block_19 = { 33 ?? 83 ?? ?? ?? 0F 95 ?? 4? 83 ?? ?? 83 ?? ?? 89 ?? ?? EB } - $block_20 = { 0F B6 ?? ?? 33 ?? 8A ?? ?? ?? ?? ?? 30 ?? 0F B6 ?? 4? 4? 75 } - $block_21 = { 8A ?? ?? ?? ?? ?? 8D ?? ?? ?? 30 ?? 0F B6 ?? 4? 83 ?? ?? 72 } - $block_22 = { 8B ?? ?? 2B ?? ?? 6A ?? 99 5? F7 ?? FF 7? ?? 3B ?? 0F 83 } - $block_23 = { 8B ?? E8 ?? ?? ?? ?? 0F B7 ?? 0F B7 ?? 83 ?? ?? 3B ?? 7F } - $block_24 = { 6A ?? FF 1? ?? ?? ?? ?? 8B ?? ?? ?? 8A ?? ?? 84 ?? 0F 84 } - $block_25 = { 8B ?? ?? 2B ?? ?? 6A ?? 99 5? F7 ?? 39 ?? ?? 0F 83 } - $block_26 = { 0F B6 ?? 8B ?? ?? ?? ?? ?? C1 ?? ?? 4? 83 ?? ?? 7C } - $block_27 = { 8B ?? ?? 5? 33 ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? C9 C3 } - $block_28 = { 6A ?? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 5? 5? 
C9 C3 } - - condition: - hash.sha256(0, filesize) == "401215e6ae0b80cb845c7e2910dddf08af84c249034d76e0cf1aa31f0cf2ea67" or - 12 of them -} - -rule HavexModuleOutlook { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { 8B ?? ?? 03 ?? 0F AF ?? 8D ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? ?? 8B ?? ?? 89 ?? ?? 8B ?? ?? 72 } - $block_1 = { 8B ?? ?? 33 ?? 66 ?? ?? ?? 8B ?? ?? 0F B6 ?? ?? C1 ?? ?? C1 ?? ?? 0B ?? FF 0? ?? 4? 79 } - $block_2 = { 89 ?? ?? ?? ?? ?? 8B ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? ?? FF 4? ?? 0F 85 } - $block_3 = { 8B ?? ?? 33 ?? 89 ?? ?? 89 ?? ?? 89 ?? ?? 89 ?? ?? ?? ?? ?? 38 ?? ?? 0F 84 } - $block_4 = { E8 ?? ?? ?? ?? 8B ?? ?? 2B ?? ?? 6A ?? 99 5? F7 ?? FF 7? ?? 3B ?? 0F 83 } - $block_5 = { 8B ?? ?? ?? ?? ?? 5? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 } - $block_6 = { 66 ?? ?? ?? 8B ?? ?? ?? ?? ?? 66 ?? ?? ?? 4? 83 ?? ?? 0F B7 ?? 0F 8C } - $block_7 = { 5? 8B ?? 83 ?? ?? 5? 5? 33 ?? 8D ?? ?? AB AB AB AB 83 ?? ?? ?? C7 } - $block_8 = { 33 ?? 83 ?? ?? ?? 0F 95 ?? 4? 83 ?? ?? 83 ?? ?? 89 ?? ?? EB } - $block_9 = { 8B ?? ?? 2B ?? ?? 6A ?? 99 5? F7 ?? FF 7? ?? 3B ?? 0F 83 } - $block_10 = { 8B ?? E8 ?? ?? ?? ?? 0F B7 ?? 0F B7 ?? 83 ?? ?? 3B ?? 7F } - $block_11 = { 8D ?? ?? 8B ?? E8 ?? ?? ?? ?? 83 ?? ?? FF 4? ?? 0F 85 } - $block_12 = { 0F B6 ?? 8B ?? ?? ?? ?? ?? C1 ?? ?? 4? 83 ?? ?? 7C } - $block_13 = { 8B ?? ?? 8B ?? ?? 33 ?? 5? E8 ?? ?? ?? ?? C9 C3 } - - condition: - hash.sha256(0, filesize) == "0859cb511a12f285063ffa8cb2a5f9b0b3c6364f8192589a7247533fda7a878e" or - 12 of them -} - -rule HavexModuleNetworkScanner { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { 8D ?? ?? ?? ?? ?? 5? FF 7? ?? E8 ?? ?? ?? ?? 8B ?? ?? 8B ?? 5? 89 ?? ?? 8B ?? D1 ?? 5? 8B ?? ?? ?? ?? ?? 0F B6 ?? ?? 0F B6 ?? 80 E? ?? C0 ?? ?? D3 ?? 8B ?? ?? ?? ?? ?? 0F B7 ?? ?? 83 ?? ?? C1 ?? ?? 0B ?? 33 ?? 4? 89 ?? ?? 89 ?? ?? ?? ?? ?? A1 ?? ?? ?? ?? 89 ?? ?? FF 4? ?? 8B ?? ?? 33 ?? 
3B ?? 0F 94 ?? 89 ?? ?? 33 ?? 89 } - $block_1 = { 8B ?? ?? 03 ?? 8D ?? ?? E8 ?? ?? ?? ?? 8D ?? ?? 8B ?? E8 ?? ?? ?? ?? FF 7? ?? 8B ?? ?? FF 7? ?? 8B ?? FF 7? ?? FF 3? FF 7? ?? FF 7? ?? E8 ?? ?? ?? ?? 5? 5? B0 ?? 5? C9 C3 } - $block_2 = { FF 7? ?? 33 ?? 4? 8D ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 8B ?? ?? 8B ?? ?? 83 ?? ?? 33 ?? C6 ?? ?? ?? 89 ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 84 ?? 0F 85 } - $block_3 = { 8B ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? FF 7? ?? 88 ?? 0F BE ?? 5? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 74 } - $block_4 = { 8B ?? ?? 03 ?? 0F AF ?? 8D ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? ?? 8B ?? ?? 89 ?? ?? 8B ?? ?? 72 } - $block_5 = { 8B ?? ?? 33 ?? 89 ?? ?? 89 ?? ?? 89 ?? ?? 89 ?? ?? ?? ?? ?? 38 ?? ?? 0F 84 } - $block_6 = { 33 ?? 83 ?? ?? ?? 0F 95 ?? 4? 83 ?? ?? 83 ?? ?? 89 ?? ?? EB } - - condition: - hash.sha256(0, filesize) == "9a2a8cb8a0f4c29a7c2c63ee58e55aada0a3895382abe7470de4822a4d868ee6" or - hash.sha256(0, filesize) == "2120c3a30870921ab5e03146a1a1a865dd24a2b5e6f0138bf9f2ebf02d490850" or - 7 of them -} - -rule Sysmain { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { 8B ?? ?? ?? 33 ?? AB AB AB 8B ?? ?? ?? 8B ?? E8 ?? ?? ?? ?? FF 7? ?? ?? E8 ?? ?? ?? ?? 85 ?? 75 } - $block_1 = { FF 1? ?? ?? ?? ?? 83 ?? ?? ?? 8D ?? ?? 5? 6A ?? 5? 89 ?? ?? FF 1? ?? ?? ?? ?? 8B ?? 85 ?? 0F 84 } - $block_2 = { 5? 8B ?? 81 E? ?? ?? ?? ?? 8B ?? ?? 0F B7 ?? 5? 83 ?? ?? 6A ?? 99 5? F7 ?? 8B ?? 39 ?? ?? 77 } - $block_3 = { 6A ?? 8D ?? ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? 5? FF B? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 85 ?? 0F 84 } - $block_4 = { 8B ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 3? FF D? FF 7? ?? ?? FF 1? ?? ?? ?? ?? 83 ?? ?? ?? 0F 84 } - $block_5 = { 89 ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 5? 8D ?? ?? E8 ?? ?? ?? ?? 5? 85 ?? 0F 84 } - $block_6 = { 8B ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? 8B ?? D3 ?? 83 ?? ?? 0F B7 ?? 8B ?? ?? 66 ?? ?? ?? 7D } - $block_7 = { 8D ?? ?? 8D ?? ?? A5 A5 A5 8D ?? ?? 5? A5 FF 1? ?? ?? ?? ?? 66 ?? ?? ?? 66 ?? ?? ?? 
75 } - $block_8 = { FF 3? E8 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? ?? 81 7? ?? ?? ?? ?? ?? 5? 5? 0F 8E } - $block_9 = { 8D ?? ?? ?? ?? ?? ?? 0F B6 ?? 5? E8 ?? ?? ?? ?? 4? 5? 88 ?? 3B ?? ?? ?? ?? ?? 72 } - $block_10 = { FF 4? ?? ?? 8B ?? ?? ?? 8B ?? ?? ?? 8B ?? ?? C1 ?? ?? 89 ?? ?? ?? 39 ?? ?? 0F 85 } - $block_11 = { 8B ?? ?? ?? 33 ?? AB AB AB E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? ?? 85 ?? 0F 84 } - $block_12 = { 5? FF 1? ?? ?? ?? ?? 83 ?? ?? ?? 8D ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 } - $block_13 = { 8B ?? ?? ?? ?? ?? 5? 5? 33 ?? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 } - $block_14 = { 8B ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? 8D ?? ?? ?? ?? ?? 89 ?? ?? 83 ?? ?? 0F 86 } - $block_15 = { BE ?? ?? ?? ?? 8D ?? ?? ?? A5 A5 A5 8D ?? ?? ?? A5 E8 ?? ?? ?? ?? 85 ?? 74 } - $block_16 = { 5? 5? 5? 5? 68 ?? ?? ?? ?? FF 9? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 3B ?? 0F 84 } - $block_17 = { 8B ?? ?? ?? ?? ?? 5? 33 ?? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C2 } - $block_18 = { 8B ?? ?? ?? ?? ?? 8B ?? 5? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 } - $block_19 = { BE ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? 5? E8 ?? ?? ?? ?? 5? 5? 85 ?? 0F 84 } - $block_20 = { 8B ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 5? 5? E8 ?? ?? ?? ?? 5? 5? 85 ?? 0F 84 } - $block_21 = { 8B ?? ?? ?? ?? ?? 5? 5? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 } - $block_22 = { 8B ?? ?? ?? ?? ?? 8B ?? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 } - $block_23 = { FF 4? ?? ?? 8B ?? ?? ?? 8B ?? ?? ?? 8B ?? ?? C1 ?? ?? 83 ?? ?? ?? 0F 85 } - $block_24 = { 8B ?? ?? FF 3? E8 ?? ?? ?? ?? FF 3? E8 ?? ?? ?? ?? 89 ?? ?? 85 ?? 0F 84 } - $block_25 = { 6A ?? 8D ?? ?? 6A ?? 5? E8 ?? ?? ?? ?? 8B ?? ?? 83 ?? ?? 5? 5? C9 C3 } - $block_26 = { FF 4? ?? ?? 8B ?? ?? FF 4? ?? 83 ?? ?? ?? 88 ?? ?? ?? ?? ?? ?? 0F 85 } - $block_27 = { 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 5? 5? 85 ?? 0F 84 } - $block_28 = { 8D ?? ?? ?? ?? ?? 5? FF B? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 } - $block_29 = { 8B ?? ?? ?? ?? ?? 5? 33 ?? 5? E8 ?? 
?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 } - $block_30 = { 8B ?? ?? ?? ?? ?? 5? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C2 } - $block_31 = { FF 4? ?? 8B ?? ?? ?? ?? ?? FF 4? ?? 8D ?? ?? 3B ?? 89 ?? ?? 0F 8C } - $block_32 = { 6A ?? 8D ?? ?? 6A ?? 5? E8 ?? ?? ?? ?? 8B ?? ?? 83 ?? ?? 5? C9 C3 } - $block_33 = { 68 ?? ?? ?? ?? FF 7? ?? ?? 8D ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 } - $block_34 = { FF 7? ?? ?? 5? 6A ?? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 84 } - $block_35 = { 8B ?? ?? ?? ?? ?? 33 ?? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 } - $block_36 = { 8D ?? ?? ?? 0F B6 ?? 5? E8 ?? ?? ?? ?? 4? 5? 88 ?? 3B ?? ?? 72 } - $block_37 = { 8B ?? ?? ?? ?? ?? 33 ?? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C2 } - $block_38 = { 8B ?? ?? 8B ?? ?? 8B ?? ?? 8D ?? ?? 0F B6 ?? ?? 2B ?? ?? 75 } - $block_39 = { 6A ?? E8 ?? ?? ?? ?? 8B ?? 5? 89 ?? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_40 = { FF 3? E8 ?? ?? ?? ?? FF 3? E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 84 } - $block_41 = { 8B ?? ?? 8B ?? ?? ?? ?? ?? 33 ?? 5? E8 ?? ?? ?? ?? C9 C3 } - $block_42 = { 8D ?? ?? ?? 5? FF 7? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 } - $block_43 = { FF 8? ?? ?? ?? ?? 81 B? ?? ?? ?? ?? ?? ?? ?? ?? 0F 8E } - $block_44 = { BE ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 5? 89 ?? 85 ?? 0F 84 } - $block_45 = { 8B ?? ?? 8B ?? ?? ?? ?? ?? 33 ?? E8 ?? ?? ?? ?? C9 C3 } - $block_46 = { 8B ?? ?? 8B ?? ?? 33 ?? E8 ?? ?? ?? ?? 83 ?? ?? C9 C3 } - $block_47 = { BF ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 5? 89 ?? 85 ?? 0F 84 } - $block_48 = { 68 ?? ?? ?? ?? 5? 8D ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 } - $block_49 = { 5? 5? 6A ?? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 84 } - $block_50 = { 0F B6 ?? 8B ?? ?? ?? ?? ?? C1 ?? ?? 4? 83 ?? ?? 7C } - $block_51 = { 8B ?? ?? 5? 5? 33 ?? 33 ?? 5? E8 ?? ?? ?? ?? C9 C3 } - $block_52 = { 6A ?? E8 ?? ?? ?? ?? 8B ?? 5? 89 ?? ?? 85 ?? 0F 84 } - $block_53 = { 8B ?? ?? 5? 5? 33 ?? 33 ?? 5? E8 ?? ?? ?? ?? C9 C2 } - $block_54 = { 8B ?? ?? 5? 33 ?? 33 ?? 5? E8 ?? ?? ?? ?? C9 C2 } - $block_55 = { 5? BB ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 85 ?? 
0F 86 } - $block_56 = { FC 6B ?? ?? 64 ?? ?? ?? 8B ?? ?? 8B ?? ?? AD 8B } - - condition: - hash.sha256(0, filesize) == "81e5e73452aa8b14f6c6371af2dccab720a32fadfc032b3c8d96f9cdaab9e9df" or - hash.sha256(0, filesize) == "31488f632f5f7d3ec0ea82eab1f9baba16826967c3a6fa141069ef5453b1eb95" or - hash.sha256(0, filesize) == "dc75404b6fc8cdb73258c2cc7bc758347ffb4237c8d18222f3489dc303daf989" or - hash.sha256(0, filesize) == "53d2a3324f276f29c749727c20708a3421a5144046ce14a8e025a8133316e0ac" or - hash.sha256(0, filesize) == "d5e3122a263d3f66dcfa7c2fed25c2b8a3be725b2c934fa9d9ef4c5aefbc6cb9" or - hash.sha256(0, filesize) == "a8e6abaa0ddc34b9db6bda17b502be7f802fb880941ce2bd0473fd9569113599" or - hash.sha256(0, filesize) == "387d4ea82c51ecda162a3ffd68a3aca5a21a20a46dc08a0ebe51b03b7984abe9" or - 12 of them -} - -rule IndustroyerWiper { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { 5? 8B ?? 83 ?? ?? 83 ?? ?? 83 ?? ?? 5? 8B ?? ?? 89 ?? ?? ?? 8B ?? 81 E? ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 ?? 89 ?? ?? 0F 10 ?? ?? ?? ?? ?? A1 ?? ?? ?? ?? 5? 0F 11 ?? ?? 5? 0F 10 ?? ?? ?? ?? ?? 89 ?? ?? 33 ?? 8D ?? ?? ?? ?? ?? 5? 0F 11 ?? ?? 68 ?? ?? ?? ?? 0F 10 ?? ?? ?? ?? ?? 5? 8D ?? ?? 0F 11 ?? ?? 5? 0F 10 ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 0F 11 ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 } - $block_1 = { 6A ?? 5? FF 1? ?? ?? ?? ?? 3D ?? ?? ?? ?? B9 ?? ?? ?? ?? BF ?? ?? ?? ?? 0F 46 ?? 3D ?? ?? ?? ?? B9 ?? ?? ?? ?? 0F 46 ?? 3D ?? ?? ?? ?? B9 ?? ?? ?? ?? 0F 46 ?? 3D ?? ?? ?? ?? B9 ?? ?? ?? ?? 0F 46 ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? 8D ?? ?? 6A ?? 5? 5? 5? 5? FF 1? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 5? FF 1? } - $block_2 = { 5? FF 1? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 5? 8B ?? 5? 5? E8 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 83 ?? ?? 81 F? ?? ?? ?? ?? 0F 83 } - $block_3 = { FF B? ?? ?? ?? ?? FF D? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? 5? FF B? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_4 = { 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? 5? FF B? ?? ?? 
?? ?? FF 1? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 85 ?? 0F 85 } - $block_5 = { FF B? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F B6 ?? 8B ?? ?? ?? ?? ?? 0F 44 ?? 83 ?? ?? 83 ?? ?? 72 } - - condition: - hash.sha256(0, filesize) == "ad23c7930dae02de1ea3c6836091b5fb3c62a89bf2bcfb83b4b39ede15904910" or - hash.sha256(0, filesize) == "018eb62e174efdcdb3af011d34b0bf2284ed1a803718fba6edffe5bc0b446b81" or - 6 of them -} - -rule IndustroyerPortScanner { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { 83 ?? ?? ?? ?? ?? ?? 0F 43 ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 33 ?? 5? 8B ?? 4? } - $block_1 = { 5? 8B ?? 5? 8B ?? ?? 83 ?? ?? 5? 8B ?? 5? 39 ?? ?? 8B ?? 0F 42 ?? ?? 8B ?? ?? 2B ?? 3B ?? 0F 86 } - $block_2 = { 83 ?? ?? ?? 8D ?? ?? 0F 43 ?? ?? 83 ?? ?? ?? 5? 0F 43 ?? ?? 5? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 } - $block_3 = { 8B ?? ?? ?? 89 ?? ?? ?? 8B ?? ?? ?? 2B ?? 89 ?? ?? ?? 6A ?? 5? 99 F7 ?? 89 ?? ?? ?? 83 ?? ?? 7C } - $block_4 = { 39 ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 0F 43 ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 5? 83 ?? ?? 0F 8F } - $block_5 = { 83 ?? ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 0F 43 ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 5? 3B ?? 0F 87 } - $block_6 = { 5? 8B ?? 5? 5? 5? 33 ?? 89 ?? ?? 33 ?? 38 ?? ?? 5? 8B ?? ?? 0F 94 ?? 5? 8B ?? ?? 89 ?? ?? 89 } - $block_7 = { 39 ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 0F 43 ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 5? 83 ?? ?? 0F 8C } - $block_8 = { 8B ?? 33 ?? 8B ?? ?? 83 ?? ?? 8B ?? ?? 2B ?? 89 ?? ?? 4? D1 ?? 3B ?? ?? 0F 47 ?? 85 ?? 74 } - $block_9 = { 39 ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 0F 43 ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 5? 85 ?? 0F 88 } - $block_10 = { 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 2B ?? 6A ?? 5? 99 F7 ?? 8D ?? ?? 8B ?? 83 ?? ?? 0F 86 } - $block_11 = { 39 ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 0F 43 ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 5? 3B ?? 0F 8F } - $block_12 = { 5? 8B ?? 5? F7 ?? ?? ?? ?? ?? ?? 5? 0F B7 ?? ?? 5? 0F B7 ?? ?? 5? 89 ?? ?? 89 ?? ?? 74 } - $block_13 = { 5? 8B ?? 83 ?? ?? 5? 6A ?? 
8D ?? ?? 89 ?? ?? 89 ?? ?? 89 ?? ?? 5? 89 ?? ?? 3B ?? 0F 84 } - $block_14 = { 39 ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 0F 43 ?? ?? ?? ?? ?? 33 ?? 66 } - $block_15 = { 5? 5? 5? 5? 8D ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 84 ?? 0F 84 } - $block_16 = { 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? CC 5? 8B ?? 83 ?? ?? 5? 8B ?? 5? 80 7? ?? ?? 0F 85 } - $block_17 = { 8B ?? ?? 8B ?? ?? 8B ?? C1 ?? ?? 8B ?? 83 ?? ?? 0F B6 ?? ?? 0F AB ?? 88 ?? ?? EB } - $block_18 = { 39 ?? ?? 8D ?? ?? 0F 43 ?? ?? 5? E8 ?? ?? ?? ?? BB ?? ?? ?? ?? 5? 3B ?? 0F 8F } - $block_19 = { 39 ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 0F 43 ?? ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? EB } - $block_20 = { 39 ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 0F 43 ?? ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? E9 } - $block_21 = { 8B ?? ?? 0F B7 ?? 8B ?? 83 ?? ?? C1 ?? ?? 5? 0F B6 ?? ?? 0F AB ?? 88 ?? ?? EB } - $block_22 = { 8B ?? ?? 8B ?? ?? 2B ?? 6A ?? 5? 99 F7 ?? 8D ?? ?? 89 ?? ?? 83 ?? ?? 0F 86 } - $block_23 = { 8B ?? ?? 2B ?? 8B ?? ?? 3B ?? 89 ?? ?? 0F 42 ?? 83 ?? ?? 2B ?? 3B ?? 76 } - $block_24 = { 6A ?? 5? 8D ?? ?? ?? E8 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? CC 8B ?? 85 ?? 74 } - $block_25 = { 6A ?? 6A ?? 8D ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 3B ?? ?? 0F 85 } - $block_26 = { 83 ?? ?? ?? 0F 43 ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 5? } - $block_27 = { 5? 8D ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 8B ?? ?? 89 ?? ?? 3B ?? 0F 84 } - $block_28 = { 39 ?? ?? 8D ?? ?? 0F 43 ?? ?? 5? E8 ?? ?? ?? ?? 5? 85 ?? 0F 88 } - $block_29 = { 39 ?? ?? 8D ?? ?? 0F 43 ?? ?? 5? E8 ?? ?? ?? ?? 5? 3B ?? 0F 8F } - $block_30 = { 83 ?? ?? ?? 8D ?? ?? 0F 43 ?? ?? 5? E8 ?? ?? ?? ?? 5? 3B ?? 77 } - $block_31 = { 8D ?? ?? 8D ?? ?? A5 A5 A5 A5 8B ?? ?? 83 ?? ?? ?? 75 } - $block_32 = { FF 4? ?? 8B ?? ?? 8B ?? ?? 0F B7 ?? ?? 8B ?? 5? E8 } - $block_33 = { 39 ?? ?? 8D ?? ?? 0F 43 ?? ?? 5? 68 ?? ?? ?? ?? EB } - $block_34 = { 8B ?? ?? 5? 5? E8 ?? ?? ?? ?? 0F B6 ?? 3B ?? ?? 75 } - $block_35 = { 5? 8B ?? 83 ?? ?? 5? 8B ?? 5? 80 7? ?? ?? 0F 85 } - $block_36 = { 2B ?? 99 F7 ?? 
?? ?? 89 ?? ?? ?? 3B ?? ?? ?? 75 } - - condition: - hash.sha256(0, filesize) == "2dd7d880975dd90ea0d9d400319741c74b9491a0dc2b1c13ce3a850f37e03184" or - 12 of them -} - -rule IndustroyerPayloadOPC { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { 6A ?? 6A ?? FF 7? ?? C6 ?? ?? 5? 6A ?? 5? 6A ?? 6A ?? FF 1? ?? ?? ?? ?? 33 ?? 85 ?? 0F 44 ?? EB } - $block_1 = { 5? 5? 6A ?? FF 7? ?? 33 ?? 5? 6A ?? 66 ?? ?? FF 1? ?? ?? ?? ?? 33 ?? 85 ?? 0F 44 ?? EB } - $block_2 = { 5? 5? 6A ?? 33 ?? 5? 5? 6A ?? 66 ?? ?? FF 1? ?? ?? ?? ?? 33 ?? 85 ?? 0F 44 ?? EB } - $block_3 = { 83 ?? ?? 89 ?? ?? 8D ?? ?? 0F 43 ?? ?? C6 ?? ?? 8B ?? ?? 8B ?? ?? EB } - $block_4 = { 8B ?? ?? 8D ?? ?? 5? 8D ?? ?? 5? 8B ?? 6A ?? 5? FF 5? ?? 85 ?? 0F 85 } - $block_5 = { 8B ?? 8D ?? ?? 5? 8D ?? ?? 5? 8D ?? ?? 5? 5? FF 5? ?? 85 ?? 0F 88 } - $block_6 = { 89 ?? ?? 0F B6 ?? ?? C7 ?? ?? ?? ?? ?? ?? 89 ?? 3B ?? ?? 73 } - $block_7 = { 0F 57 ?? 0F 11 ?? ?? ?? ?? ?? 0F 11 ?? ?? ?? ?? ?? 66 } - $block_8 = { 8D ?? ?? 5? 8D ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 88 } - $block_9 = { 0F B7 ?? 6A ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 74 } - - condition: - hash.sha256(0, filesize) == "156bd34d713d0c8419a5da040b3c2dd48c4c6b00d8a47698e412db16b1ffac0f" or - 10 of them -} - -rule IndustroyerBackdoor { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { 68 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 33 ?? 5? FF 7? ?? 5? 5? 5? 5? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_1 = { 5? 8D ?? ?? ?? ?? ?? 33 ?? 5? 5? 8D ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_2 = { 5? 8B ?? 8B ?? ?? 33 ?? 8B ?? ?? 5? 03 ?? 8B ?? 2B ?? 5? 33 ?? 3B ?? 0F 47 ?? 8B ?? ?? 85 ?? 74 } - $block_3 = { 89 ?? ?? 6A ?? 6A ?? 5? FF 1? ?? ?? ?? ?? FF 7? ?? FF 1? ?? ?? ?? ?? 9? 9? 3D ?? ?? ?? ?? 0F 84 } - $block_4 = { 83 ?? ?? 5? 8B ?? 83 ?? ?? 5? 5? 8D ?? ?? 33 ?? 5? 8B ?? ?? 89 ?? ?? 81 F? ?? ?? ?? ?? 0F 84 } - $block_5 = { 5? FF 7? ?? 33 ?? 4? 
5? 5? E8 ?? ?? ?? ?? 6A ?? 6A ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 84 } - $block_6 = { 33 ?? 5? 5? E8 ?? ?? ?? ?? 8D ?? ?? 6A ?? 5? E8 ?? ?? ?? ?? 8B ?? ?? 81 F? ?? ?? ?? ?? 0F 84 } - $block_7 = { 83 ?? ?? 5? 8B ?? 83 ?? ?? 5? 5? 8D ?? ?? 33 ?? 5? 8B ?? ?? 89 ?? ?? 3D ?? ?? ?? ?? 0F 84 } - $block_8 = { 8B ?? ?? 33 ?? 8B ?? ?? 5? 03 ?? 8B ?? 2B ?? 5? 33 ?? 3B ?? 0F 47 ?? 8B ?? ?? 85 ?? 74 } - $block_9 = { 5? 8B ?? 83 ?? ?? 5? 5? 8D ?? ?? 33 ?? 5? 8B ?? ?? 89 ?? ?? 81 F? ?? ?? ?? ?? 0F 84 } - $block_10 = { 5? FF 1? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 9? 9? 9? 9? FF 7? ?? 81 F? ?? ?? ?? ?? 0F 84 } - $block_11 = { 5? 8B ?? 83 ?? ?? 5? 5? 8D ?? ?? 33 ?? 5? 8B ?? ?? 89 ?? ?? 3D ?? ?? ?? ?? 0F 84 } - $block_12 = { 33 ?? 0F 94 ?? 89 ?? ?? 9? 9? 9? 9? 33 ?? E8 ?? ?? ?? ?? 81 F? ?? ?? ?? ?? 0F 84 } - $block_13 = { 33 ?? 5? 5? E8 ?? ?? ?? ?? 8D ?? ?? 6A ?? 5? E8 ?? ?? ?? ?? 3D ?? ?? ?? ?? 0F 84 } - $block_14 = { FF 1? ?? ?? ?? ?? 8B ?? 5? E8 ?? ?? ?? ?? 5? 6A ?? 8B ?? 81 F? ?? ?? ?? ?? 0F 84 } - $block_15 = { E8 ?? ?? ?? ?? FF 7? ?? 6A ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 85 ?? 0F 84 } - $block_16 = { 5? 8B ?? 83 ?? ?? 5? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 5? 85 ?? 0F 84 } - $block_17 = { 5? FF 1? ?? ?? ?? ?? 8D ?? ?? 5? E8 ?? ?? ?? ?? 5? 3D ?? ?? ?? ?? 0F 84 } - $block_18 = { 5? FF 7? ?? FF 7? ?? 5? FF 1? ?? ?? ?? ?? 8B ?? 89 ?? ?? 85 ?? 0F 84 } - $block_19 = { 8D ?? ?? 5? 5? 6A ?? FF 7? ?? 5? FF 3? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_20 = { 2B ?? ?? 03 ?? 5? 89 ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? 5? 5? 85 ?? 0F 85 } - $block_21 = { 89 ?? ?? 33 ?? FF 3? 4? 6A ?? E8 ?? ?? ?? ?? 83 ?? ?? 3B ?? 0F 82 } - $block_22 = { FF 7? ?? 6A ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 85 ?? 0F 84 } - $block_23 = { 5? 8D ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 81 F? ?? ?? ?? ?? 0F 84 } - $block_24 = { FF 7? ?? E8 ?? ?? ?? ?? 8B ?? ?? 81 F? ?? ?? ?? ?? 0F 84 } - $block_25 = { E8 ?? ?? ?? ?? 83 ?? ?? 5? 8B ?? 81 F? ?? ?? ?? ?? 0F 84 } - $block_26 = { FF 7? ?? E8 ?? ?? ?? ?? 8B ?? 81 F? ?? ?? ?? ?? 
0F 84 } - $block_27 = { 33 ?? 21 ?? ?? 66 ?? ?? ?? 81 F? ?? ?? ?? ?? 0F 84 } - $block_28 = { 5? 8B ?? 81 E? ?? ?? ?? ?? 81 F? ?? ?? ?? ?? 0F 84 } - $block_29 = { FF 3? E8 ?? ?? ?? ?? 8B ?? 81 F? ?? ?? ?? ?? 0F 84 } - $block_30 = { 5? E8 ?? ?? ?? ?? 8B ?? 81 F? ?? ?? ?? ?? 0F 84 } - $block_31 = { 33 ?? 5? 5? E8 ?? ?? ?? ?? 3D ?? ?? ?? ?? 0F 84 } - $block_32 = { 6A ?? 5? E8 ?? ?? ?? ?? 81 F? ?? ?? ?? ?? 0F 84 } - $block_33 = { 8D ?? ?? 5? 5? FF 7? ?? 5? 3D ?? ?? ?? ?? 0F 84 } - $block_34 = { 8D ?? ?? 5? 5? 6A ?? 5? 81 F? ?? ?? ?? ?? 0F 84 } - - condition: - hash.sha256(0, filesize) == "6d707e647427f1ff4a7a9420188a8831f433ad8c5325dc8b8cc6fc5e7f1f6f47" or - hash.sha256(0, filesize) == "ecaf150e087ddff0ec6463c92f7f6cca23cc4fd30fe34c10b3cb7c2a6d135c77" or - hash.sha256(0, filesize) == "37d54e3d5e8b838f366b9c202f75fa264611a12444e62ae759c31a0d041aa6e4" or - hash.sha256(0, filesize) == "3e3ab9674142dec46ce389e9e759b6484e847f5c1e1fc682fc638fc837c13571" or - 12 of them -} - -rule IndustroyerPayloadIEC104 { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { 8B ?? ?? 33 ?? 89 ?? 66 ?? ?? ?? 0F B6 ?? ?? 88 ?? 0F B6 ?? ?? 88 ?? ?? 0F B6 ?? ?? 83 ?? ?? 74 } - $block_1 = { B8 ?? ?? ?? ?? F7 ?? C1 ?? ?? 8B ?? C1 ?? ?? 03 ?? 8D ?? ?? 8B ?? C1 ?? ?? 2B ?? 0F 84 } - $block_2 = { 8B ?? ?? ?? ?? ?? 5? 6A ?? FF 3? ?? 5? 8B ?? E8 ?? ?? ?? ?? 83 ?? ?? 80 7? ?? ?? 0F 84 } - $block_3 = { 5? 8B ?? 5? 8B ?? ?? 8B ?? 0F B6 ?? 88 ?? ?? 0F B6 ?? ?? 88 ?? ?? 8A ?? ?? A8 ?? 74 } - $block_4 = { C6 ?? ?? ?? 0F B6 ?? ?? 0F BE ?? ?? D0 ?? 0F BE ?? C1 ?? ?? 03 ?? 89 ?? ?? 0F B6 } - $block_5 = { 8B ?? ?? ?? ?? ?? 33 ?? 2B ?? ?? ?? ?? ?? C1 ?? ?? 89 ?? ?? ?? 85 ?? 0F 84 } - $block_6 = { 8B ?? ?? ?? ?? ?? 4? 8B ?? ?? ?? 8B ?? ?? ?? 89 ?? ?? ?? 3B ?? ?? ?? 0F 86 } - $block_7 = { 0F B6 ?? ?? 83 ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? 5? E8 ?? ?? ?? ?? 83 } - $block_8 = { 6A ?? FF 1? ?? ?? ?? ?? 89 ?? ?? BA ?? ?? ?? ?? 8B ?? 0F 1F } - $block_9 = { FF 3? ?? ?? ?? ?? 
FF 1? ?? ?? ?? ?? 80 7? ?? ?? 0F 85 } - - condition: - hash.sha256(0, filesize) == "7907dd95c1d36cf3dc842a1bd804f0db511a0f68f4b3d382c23a3c974a383cad" or - 10 of them -} - -rule Telebots { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { 5? 8B ?? 83 ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? 83 ?? ?? ?? 03 ?? 5? 8B ?? ?? ?? ?? ?? 03 ?? 0F 84 } - $block_1 = { 8D ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 0F B7 ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 33 ?? 83 ?? ?? 0F 94 ?? 4? } - $block_2 = { 0F B7 ?? ?? 5? 0F AF ?? ?? FF 7? ?? 03 ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 8B } - $block_3 = { 5? 5? 5? 6A ?? 5? 5? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 8B ?? 83 ?? ?? 0F 84 } - $block_4 = { 8B ?? ?? 6A ?? 5? 8B ?? F3 ?? 8B ?? ?? 8D ?? ?? A5 66 ?? A4 8D ?? ?? E8 ?? ?? ?? ?? 8D ?? ?? E8 } - $block_5 = { 80 3? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? C6 ?? ?? ?? 8D ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? 0F B7 ?? 74 } - $block_6 = { 5? 5? 5? FF 7? ?? FF 7? ?? 5? FF 7? ?? FF 7? ?? FF 7? ?? 6A ?? 5? E8 ?? ?? ?? ?? 3B ?? 0F 85 } - $block_7 = { 8B ?? ?? 6A ?? 5? 8B ?? F3 ?? 8B ?? ?? 8D ?? ?? 66 ?? A4 8D ?? ?? E8 ?? ?? ?? ?? 8D ?? ?? E8 } - $block_8 = { 8B ?? ?? 05 ?? ?? ?? ?? 0F B7 ?? 89 ?? ?? 0F B7 ?? 5? E8 ?? ?? ?? ?? 8B ?? 89 ?? ?? 85 ?? 75 } - $block_9 = { 8B ?? ?? ?? ?? ?? A1 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 0F B7 ?? B9 ?? ?? ?? ?? 66 ?? ?? 77 } - $block_10 = { 5? 8B ?? 83 ?? ?? 5? FF 3? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 33 ?? A3 ?? ?? ?? ?? 3B ?? 0F 84 } - $block_11 = { 8B ?? ?? ?? ?? ?? A1 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 0F B7 ?? B9 ?? ?? ?? ?? 66 ?? ?? 76 } - $block_12 = { 0F B7 ?? 5? FF 7? ?? FF 7? ?? FF 7? ?? FF 7? ?? FF 7? ?? E8 ?? ?? ?? ?? 8D ?? ?? 85 ?? 74 } - $block_13 = { 6A ?? 5? 8B ?? F3 ?? 0F B7 ?? 5? FF 7? ?? 83 ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? ?? 83 ?? ?? EB } - $block_14 = { 0F B6 ?? ?? 99 8B ?? 03 ?? ?? ?? ?? ?? 13 ?? ?? ?? ?? ?? 89 ?? ?? 39 ?? ?? ?? ?? ?? 75 } - $block_15 = { FF 7? ?? ?? 8D ?? ?? ?? FF 7? ?? ?? 5? 5? FF 7? ?? 
?? 8B ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 } - $block_16 = { 0F B7 ?? ?? 8B ?? ?? 01 ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 89 ?? ?? 85 ?? 75 } - $block_17 = { 33 ?? 39 ?? ?? 6A ?? 0F 95 ?? 4? 5? FF 3? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 3B ?? 74 } - $block_18 = { 6A ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? 33 ?? 39 ?? ?? 0F 84 } - $block_19 = { 5? 8B ?? 83 ?? ?? 5? 68 ?? ?? ?? ?? 33 ?? FF 1? ?? ?? ?? ?? 89 ?? ?? 85 ?? 0F 84 } - $block_20 = { 8D ?? ?? E8 ?? ?? ?? ?? BE ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 89 ?? ?? 3B ?? 0F 84 } - $block_21 = { 33 ?? 4? 66 ?? ?? ?? 6A ?? C6 ?? ?? 5? 66 ?? ?? ?? 8B ?? 8D ?? ?? A5 A5 A5 8B } - $block_22 = { 8D ?? ?? 5? 8B ?? ?? 6A ?? FF 7? ?? 03 ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_23 = { 8D ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? A3 ?? ?? ?? ?? 3B ?? 0F 8C } - $block_24 = { 5? FF 7? ?? FF 7? ?? 5? FF 1? ?? ?? ?? ?? 33 ?? 85 ?? 0F 9F ?? 8D ?? ?? EB } - $block_25 = { 0F B7 ?? ?? 83 ?? ?? ?? 5? 5? 0F B7 ?? ?? 8D ?? ?? ?? 89 ?? ?? 85 ?? 7E } - $block_26 = { 8D ?? ?? ?? 5? 5? C7 ?? ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_27 = { 0F B7 ?? ?? 01 ?? ?? 81 4? ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? 66 ?? ?? ?? 76 } - $block_28 = { 8B ?? ?? 83 ?? ?? 0F B7 ?? 5? E8 ?? ?? ?? ?? 8B ?? 89 ?? ?? 85 ?? 0F 84 } - $block_29 = { 8D ?? ?? 5? 8B ?? ?? 8B ?? ?? FF 3? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 } - $block_30 = { 33 ?? 4? 6A ?? 89 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? 85 ?? 0F 84 } - $block_31 = { 5? 5? FF 1? ?? ?? ?? ?? 5? FF 7? ?? 33 ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 } - $block_32 = { 6A ?? 8D ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? A3 ?? ?? ?? ?? 85 ?? 0F 88 } - $block_33 = { 0F B7 ?? ?? 21 ?? ?? 21 ?? ?? 89 ?? ?? 8B ?? ?? 89 ?? ?? 8B ?? ?? 89 } - $block_34 = { 5? 8B ?? 5? 5? 5? 6A ?? E8 ?? ?? ?? ?? 8B ?? 89 ?? ?? 85 ?? 0F 84 } - $block_35 = { 68 ?? ?? ?? ?? 6A ?? 6A ?? 5? 5? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 } - $block_36 = { FF 7? ?? ?? 6A ?? FF 1? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? 3B ?? 0F 84 } - $block_37 = { FF 7? ?? 8B ?? ?? 8D ?? ?? 
?? ?? ?? 5? E8 ?? ?? ?? ?? 85 ?? 0F 84 } - $block_38 = { 8D ?? ?? E8 ?? ?? ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? ?? 0F 85 } - $block_39 = { 8B ?? ?? 83 ?? ?? 0F B7 ?? 5? E8 ?? ?? ?? ?? 89 ?? ?? 85 ?? 75 } - $block_40 = { 80 3? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 0F B7 ?? ?? ?? ?? ?? 74 } - $block_41 = { 5? FF 7? ?? 6A ?? FF 1? ?? ?? ?? ?? 8B ?? 89 ?? ?? 3B ?? 0F 84 } - $block_42 = { 8B ?? ?? 6A ?? 6A ?? 89 ?? FF D? 5? FF D? 89 ?? ?? 85 ?? 0F 84 } - $block_43 = { 5? 68 ?? ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? 3B ?? 0F 84 } - $block_44 = { 8D ?? ?? 66 ?? ?? 0F B7 ?? 5? 5? E8 ?? ?? ?? ?? 8B ?? 85 ?? 74 } - $block_45 = { 0F B7 ?? 0F B7 ?? 5? FF 7? ?? 2B ?? 03 ?? 5? E8 ?? ?? ?? ?? 83 } - $block_46 = { 5? 5? 68 ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 8B ?? 85 ?? 0F 84 } - $block_47 = { 0F B7 ?? ?? 83 ?? ?? ?? 5? FF 7? ?? E8 ?? ?? ?? ?? 85 ?? 75 } - $block_48 = { 83 ?? ?? ?? 0F B7 ?? 8B ?? ?? 5? 5? E8 ?? ?? ?? ?? 85 ?? 75 } - $block_49 = { 6A ?? 5? 8B ?? F3 ?? 8B ?? 8D ?? ?? A5 A5 A5 A5 A4 8B ?? EB } - $block_50 = { 8B ?? ?? 8B ?? ?? 8D ?? ?? 5? E8 ?? ?? ?? ?? 85 ?? 0F 85 } - $block_51 = { 8B ?? ?? 5? E8 ?? ?? ?? ?? 33 ?? 89 ?? ?? 3B ?? 0F 84 } - $block_52 = { 8D ?? ?? 66 ?? ?? 0F B7 ?? 5? E8 ?? ?? ?? ?? 85 ?? 74 } - $block_53 = { 5? 5? BE ?? ?? ?? ?? 8B ?? A5 A5 66 ?? 6A ?? A4 5? } - $block_54 = { 8D ?? ?? 0F B7 ?? 5? E8 ?? ?? ?? ?? 8B ?? 85 ?? 75 } - $block_55 = { 0F B7 ?? 5? FF 7? ?? 8D ?? ?? 5? E8 ?? ?? ?? ?? 83 } - $block_56 = { FF 7? ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? ?? 85 ?? 0F 84 } - $block_57 = { 5? 5? 6A ?? FF 7? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_58 = { 8B ?? 8B ?? A5 A5 A5 83 ?? ?? 83 ?? ?? 4? A5 75 } - $block_59 = { 99 03 ?? ?? ?? ?? ?? 13 ?? 89 ?? ?? 89 ?? ?? EB } - $block_60 = { 0F B7 ?? 5? 5? E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 84 } - $block_61 = { FF 7? ?? FF 1? ?? ?? ?? ?? 5? 5? 8B ?? 5? C9 C2 } - $block_62 = { 6A ?? E8 ?? ?? ?? ?? 8B ?? 89 ?? ?? 85 ?? 0F 84 } - $block_63 = { 0F B7 ?? ?? 8D ?? ?? ?? 8D ?? ?? ?? 3B ?? 
0F 83 } - - condition: - hash.sha256(0, filesize) == "027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745" or - 12 of them -} - -rule PotaoUSBSpreader { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { E8 ?? ?? ?? ?? 99 B9 ?? ?? ?? ?? F7 ?? 83 ?? ?? 5? E8 ?? ?? ?? ?? 99 B9 ?? ?? ?? ?? F7 ?? 83 ?? ?? 5? E8 ?? ?? ?? ?? 99 B9 ?? ?? ?? ?? F7 ?? 83 ?? ?? 5? E8 ?? ?? ?? ?? 99 B9 ?? ?? ?? ?? F7 ?? 83 ?? ?? 5? E8 ?? ?? ?? ?? 99 B9 ?? ?? ?? ?? F7 ?? 83 ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? 8B ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 6A ?? 8B ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? FF D? 89 ?? ?? 6A ?? 8B ?? ?? ?? ?? ?? 8D ?? ?? 5? E8 ?? ?? ?? ?? 89 ?? ?? 5? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? C7 ?? ?? ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? FF 1? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? 33 ?? 8B ?? ?? 64 ?? ?? ?? ?? ?? ?? 5? 5? 5? 8B ?? 5? C3 } - $block_1 = { 5? 68 ?? ?? ?? ?? 8D ?? ?? ?? 6A ?? 5? 88 ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 68 ?? ?? ?? ?? 8D ?? ?? ?? 5? 6A ?? FF 1? ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? E8 ?? ?? ?? ?? 99 B9 ?? ?? ?? ?? F7 ?? 83 ?? ?? 5? E8 ?? ?? ?? ?? 99 B9 ?? ?? ?? ?? F7 ?? 83 ?? ?? 5? E8 ?? ?? ?? ?? 99 B9 ?? ?? ?? ?? F7 ?? 83 ?? ?? 5? E8 ?? ?? ?? ?? 99 B9 ?? ?? ?? ?? F7 ?? 83 ?? ?? 5? E8 ?? ?? ?? ?? 99 B9 ?? ?? ?? ?? F7 ?? 83 ?? ?? 5? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 5? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 6A ?? 5? 8D ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 5? } - $block_2 = { 81 E? ?? ?? ?? ?? 5? 5? 8B ?? 8B ?? ?? ?? ?? ?? 8D ?? ?? ?? 5? 8B ?? ?? 8D ?? ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? FF D? A1 ?? ?? ?? ?? 8D ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? ?? 5? 8B ?? ?? ?? 6A ?? 6A ?? 8D ?? ?? ?? ?? ?? 8B ?? ?? 5? 5? FF D? 8B ?? ?? ?? ?? ?? 6A ?? 8D ?? ?? ?? 5? 8B ?? ?? ?? 6A ?? 8B ?? 
6A ?? 8D ?? ?? ?? ?? ?? 8B ?? ?? 5? 5? C7 ?? ?? ?? ?? ?? ?? ?? FF D? 8B ?? ?? ?? ?? ?? 6A ?? 8D ?? ?? ?? 5? 8B ?? ?? ?? 6A ?? 6A ?? 8D ?? ?? ?? ?? ?? 8B ?? ?? 5? 5? FF D? 8B ?? ?? ?? 8B ?? ?? 5? FF D? 85 ?? 0F 84 } - $block_3 = { 8B ?? ?? ?? ?? ?? ?? 8D ?? ?? ?? 5? 6A ?? 83 ?? ?? 8D ?? ?? ?? 5? 5? 89 ?? ?? ?? ?? ?? ?? 8B ?? ?? 5? FF D? 8B ?? ?? ?? ?? ?? ?? 8D ?? ?? ?? 5? 6A ?? 83 ?? ?? 8D ?? ?? ?? ?? ?? ?? 5? 5? 89 ?? ?? ?? ?? ?? ?? 8B ?? ?? 5? FF D? 8B ?? ?? 8D ?? ?? ?? 5? 5? 89 ?? ?? ?? ?? ?? ?? FF D? 85 ?? 0F 84 } - $block_4 = { 8B ?? ?? 8D ?? ?? ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? FF D? 8B ?? ?? 8D ?? ?? ?? 5? 6A ?? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 5? FF D? 8B ?? ?? 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 5? FF D? 8B ?? 89 ?? ?? ?? 83 ?? ?? 0F 84 } - $block_5 = { 8B ?? ?? ?? 8B ?? ?? ?? 8B ?? ?? ?? 5? 5? 89 ?? ?? ?? 8D ?? ?? ?? 5? 68 ?? ?? ?? ?? 5? 5? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? FF 5? ?? ?? 8B ?? 3B ?? 0F 84 } - $block_6 = { 83 ?? ?? 5? 8B ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 5? FF D? 83 ?? ?? 0F 84 } - $block_7 = { 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 5? 5? 5? FF D? 8B ?? ?? 6A ?? FF D? 8B ?? 8B ?? ?? ?? ?? ?? 5? 5? FF D? 85 ?? 0F 84 } - $block_8 = { 8B ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_9 = { 8B ?? ?? ?? 8B ?? ?? 8B ?? D3 ?? F6 ?? ?? 
0F 84 } - - condition: - hash.sha256(0, filesize) == "7492e84a30e890ebe3ca5140ad547965cc8c43f0a02f66be153b038a73ee5314" or - hash.sha256(0, filesize) == "4688afcc161603bfa1c997b6d71b9618be96f9ff980e5486c451b1cc2c5076cb" or - hash.sha256(0, filesize) == "09c04206b57bb8582faffb37e4ebb6867a02492ffc08268bcbc717708d1a8919" or - hash.sha256(0, filesize) == "b8b02cc57e45bcf500b433806e6a4f8af7f0ac0c5fc9adfd11820eebf4eb5d79" or - hash.sha256(0, filesize) == "e3892d2d9f87ea848477529458d025898b24a6802eb4df13e96b0314334635d0" or - hash.sha256(0, filesize) == "95631685006ac92b7eb0755274e2a36a3c9058cf462dd46f9f4f66e8d67b9db2" or - hash.sha256(0, filesize) == "34e6fb074284e58ca80961feda4fe651d6d658077914a528a4a6efa91ecc749d" or - hash.sha256(0, filesize) == "461dd5a58ffcad9fffba9181e234f2e0149c8b8ba28c7ea53753c74fdfa0b0d5" or - hash.sha256(0, filesize) == "1acae7c11fb559b81df5fc6d0df0fe502e87f674ca9f4aefc2d7d8f828ba7f5c" or - hash.sha256(0, filesize) == "99a09ad92cc1a2564f3051057383cb6268893bc4a62903eabf3538c6bfb3aa9c" or - hash.sha256(0, filesize) == "7d15bd854c1dfef847cdd3caabdf4ab81f2410ee5c7f91d377cc72eb81135ff4" or - hash.sha256(0, filesize) == "12bb18fa9a12cb89dea3733b342940b80cd453886390079cb4c2ffcd664baeda" or - hash.sha256(0, filesize) == "340b09d661a6ac45af53c348a5c1846ad6323d34311e66454e46c1d38d53af8b" or - hash.sha256(0, filesize) == "3d78f52fa0c08d8bf3d42074bf76ee56aa233fb9a6bc76119998d085d94368ca" or - hash.sha256(0, filesize) == "f1d7e36af4c30bf3d680c87bbc4430de282d00323bf8ae9e17b04862af286736" or - hash.sha256(0, filesize) == "e57eb9f7fdf3f0e90b1755d947f1fe7bb65e67308f1f4a8c25bc2946512934b7" or - hash.sha256(0, filesize) == "339a5199e6d0b5f781b08b2ca0ad0495e75e52b8e2fd69e1d970388fbca7a0d6" or - hash.sha256(0, filesize) == "90b20b1687909c2f76f750ba3fd4b14731ce736c08c3a8608d28eae3f4cd68f3" or - hash.sha256(0, filesize) == "61862a55dcf8212ce9dd4a8f0c92447a6c7093681c592eb937a247e38c8109d4" or - hash.sha256(0, filesize) == 
"93accb71bf4e776955756c76990298decfebe4b1dd9fbf9d368e81dc1cb9532d" or - 10 of them -} - -rule PotaoDropper { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { B9 ?? ?? ?? ?? D1 ?? 8B ?? ?? 0F B6 ?? ?? 99 B1 ?? E8 ?? ?? ?? ?? 33 ?? ?? 33 ?? ?? 89 ?? ?? 89 } - $block_1 = { 8B ?? ?? 0F BE ?? ?? 33 ?? 8B ?? ?? 88 ?? ?? ?? ?? ?? 8B ?? ?? 0F BE ?? ?? ?? ?? ?? 85 ?? 75 } - $block_2 = { B9 ?? ?? ?? ?? 6B ?? ?? 8B ?? ?? 0F B6 ?? ?? 33 ?? ?? 89 ?? ?? 8B ?? ?? 69 ?? ?? ?? ?? ?? 89 } - $block_3 = { 5? 8B ?? 81 E? ?? ?? ?? ?? 6A ?? FF 1? ?? ?? ?? ?? 8B ?? E8 ?? ?? ?? ?? 0F B6 ?? 83 ?? ?? 74 } - $block_4 = { 8B ?? ?? 0F B6 ?? 89 ?? ?? 8B ?? ?? 89 ?? ?? 8B ?? ?? 83 ?? ?? 89 ?? ?? 83 ?? ?? ?? 7C } - $block_5 = { 8B ?? ?? 8D ?? ?? 0F B7 ?? ?? 8B ?? ?? 5? 8D ?? ?? 5? 8B ?? ?? 03 ?? 5? 8B ?? 5? C3 } - $block_6 = { 8B ?? ?? 0F B6 ?? ?? 8B ?? ?? 03 ?? ?? 0F B6 ?? 33 ?? 8B ?? ?? 03 ?? ?? 88 ?? EB } - $block_7 = { 5? 8B ?? 83 ?? ?? 89 ?? ?? 89 ?? ?? 8B ?? ?? 89 ?? ?? 8B ?? ?? 0F BE ?? 85 ?? 75 } - $block_8 = { 5? 8B ?? 83 ?? ?? 5? 5? 5? 89 ?? ?? FC 33 ?? 64 ?? ?? ?? ?? ?? ?? 8B ?? ?? 8B } - $block_9 = { 83 ?? ?? ?? ?? ?? ?? 60 0F 31 33 ?? 4? D1 ?? 23 ?? 89 ?? ?? 61 8B ?? ?? EB } - $block_10 = { 8B ?? ?? 83 ?? ?? 8B ?? ?? 83 ?? ?? 89 ?? ?? 89 ?? ?? 83 ?? ?? ?? 0F 87 } - $block_11 = { 5? 8B ?? 83 ?? ?? B8 ?? ?? ?? ?? 6B ?? ?? 0F BE ?? ?? ?? ?? ?? 85 ?? 74 } - $block_12 = { 8B ?? ?? 0F BE ?? ?? 8B ?? ?? 0F BE ?? ?? ?? ?? ?? 33 ?? 8B ?? ?? 88 } - $block_13 = { 8B ?? ?? 0F BE ?? 89 ?? ?? 8B ?? ?? 83 ?? ?? 89 ?? ?? 83 ?? ?? ?? 74 } - $block_14 = { 8B ?? ?? 0F BE ?? 89 ?? ?? 8B ?? ?? 83 ?? ?? 89 ?? ?? 83 ?? ?? ?? 75 } - $block_15 = { 8B ?? ?? 8B ?? ?? 8D ?? ?? 0F B7 ?? ?? 8D ?? ?? 8B ?? ?? 03 ?? EB } - $block_16 = { B9 ?? ?? ?? ?? C1 ?? ?? 8B ?? ?? 0F B6 ?? ?? C1 ?? ?? 33 ?? ?? 89 } - $block_17 = { 8B ?? ?? 8D ?? ?? 0F B7 ?? ?? 8B ?? ?? 8D ?? ?? 8B ?? ?? 03 ?? EB } - $block_18 = { 5? 8B ?? 5? 5? 5? 5? FC 33 ?? 64 ?? ?? ?? ?? ?? ?? 8B ?? 
?? 8B } - $block_19 = { 8B ?? ?? 89 ?? ?? 8B ?? ?? 83 ?? ?? 89 ?? ?? 83 ?? ?? ?? 0F 87 } - $block_20 = { B9 ?? ?? ?? ?? D1 ?? 8B ?? ?? 0F B6 ?? ?? C1 ?? ?? 33 ?? ?? 89 } - $block_21 = { C7 ?? ?? ?? ?? ?? ?? 8B ?? ?? 0F BF ?? 81 F? ?? ?? ?? ?? 75 } - $block_22 = { B2 ?? B1 ?? E8 ?? ?? ?? ?? 0F B6 ?? ?? 88 ?? ?? ?? ?? ?? EB } - $block_23 = { 0F B6 ?? ?? C6 ?? ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? 8B ?? 5? C3 } - $block_24 = { 8B ?? ?? 89 ?? 33 ?? 85 ?? 0F 94 ?? 5? 5? 5? 8B ?? C9 C3 } - $block_25 = { 8B ?? ?? 03 ?? ?? 0F BE ?? 8B ?? ?? 81 E? ?? ?? ?? ?? 79 } - $block_26 = { 5? 8B ?? 81 E? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 0F 85 } - $block_27 = { 83 ?? ?? ?? E8 ?? ?? ?? ?? 39 ?? ?? ?? ?? ?? 0F 85 } - $block_28 = { 89 ?? ?? 8B ?? ?? 5? 5? A3 ?? ?? ?? ?? 5? C9 C3 } - $block_29 = { 8B ?? ?? 89 ?? 33 ?? 85 ?? 0F 94 ?? 8B ?? C9 C3 } - $block_30 = { 83 ?? ?? ?? ?? ?? ?? 5? 8B ?? ?? ?? ?? ?? 0F 85 } - $block_31 = { 8B ?? ?? 03 ?? ?? ?? ?? ?? 0F B6 ?? 83 ?? ?? 75 } - $block_32 = { 5? 8B ?? 5? 89 ?? ?? 83 ?? ?? ?? ?? ?? ?? 
0F 85 } - - condition: - hash.sha256(0, filesize) == "97afe4b12a9fed40ad20ab191ba0a577f5a46cbfb307e118a7ae69d04adc2e2d" or - hash.sha256(0, filesize) == "904bb2efe661f654425e691b7748556e558a636d4f25c43af9d2d4dfbe83262e" or - hash.sha256(0, filesize) == "2de76a3c07344ce322151dbb42febdff97ade8176466a3af07e5280bd859a186" or - hash.sha256(0, filesize) == "793a8ce811f423dfde47a5f44ae50e19e7e41ad055e56c7345927eac951e966b" or - hash.sha256(0, filesize) == "29dfc81b400a1400782623c618cb1d507f5d17bb13de44f123a333093648048f" or - hash.sha256(0, filesize) == "b62589ee5ba94d15edcf8613e3d57255dd7a12fce6d2dbd660fd7281ce6234f4" or - hash.sha256(0, filesize) == "4e88b8b121d768c611fe16ae1f008502b2191edc6f2ee84fef7b12b4d86fe000" or - hash.sha256(0, filesize) == "d2c11706736fda2b178ac388206472fd8d050e0f13568c84b37683423acd155d" or - hash.sha256(0, filesize) == "f1f61a0f9488be3925665f8063006f90fab1bf0bd0b6ff5f7799f8995ff8960e" or - 12 of them -} - -rule Potaov1Packed { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { FF 7? ?? FF 7? ?? E8 ?? ?? ?? ?? 5? 8D ?? ?? 5? FF 7? ?? FF 7? ?? FF 7? ?? FF 5? ?? 85 ?? 0F 84 } - $block_1 = { 6A ?? 68 ?? ?? ?? ?? FF 3? ?? ?? ?? ?? FF 3? ?? ?? ?? ?? FF 7? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_2 = { 9? 9? 9? 9? 9? 9? 9? 9? 68 ?? ?? ?? ?? FF 3? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 89 ?? ?? 3B ?? 0F 84 } - $block_3 = { 9? 9? 9? 9? 9? 9? 9? 9? 68 ?? ?? ?? ?? FF 3? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 8B ?? 3B ?? 0F 84 } - $block_4 = { 5? 8B ?? 5? 5? 8B ?? ?? 8B ?? 0F B7 ?? ?? 83 ?? ?? ?? 33 ?? 8D ?? ?? ?? 66 ?? ?? ?? 0F 83 } - $block_5 = { FF 7? ?? 03 ?? FF 7? ?? FF 7? ?? 5? E8 ?? ?? ?? ?? 89 ?? ?? 89 ?? ?? ?? ?? ?? 3B ?? 0F 84 } - $block_6 = { 5? 8D ?? ?? 5? 5? 5? 5? 5? 5? 8D ?? ?? 5? 68 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 3B ?? 0F 85 } - $block_7 = { 9? 9? 9? 9? 9? 9? 9? 9? 68 ?? ?? ?? ?? FF 3? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 3B ?? 0F 84 } - $block_8 = { F3 ?? ?? ?? ?? 0F 57 ?? F3 ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? 
?? 66 ?? ?? ?? 0F 86 } - $block_9 = { 8D ?? ?? E8 ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 5? 0F B7 ?? ?? ?? ?? ?? 3B ?? 74 } - $block_10 = { 5? FF 1? ?? ?? ?? ?? 83 ?? ?? 8B ?? ?? 64 ?? ?? ?? ?? ?? ?? 5? 5? 5? C9 C2 } - $block_11 = { 6A ?? FF 1? ?? ?? ?? ?? 33 ?? 8B ?? ?? 64 ?? ?? ?? ?? ?? ?? 5? 5? 5? C9 C2 } - $block_12 = { 83 ?? ?? ?? ?? ?? ?? 60 0F 31 33 ?? 4? D1 ?? 23 ?? 89 ?? ?? 61 8B ?? ?? EB } - $block_13 = { 5? 8B ?? 81 E? ?? ?? ?? ?? 5? 33 ?? 5? 5? 89 ?? ?? 39 ?? ?? ?? ?? ?? 0F 84 } - $block_14 = { FF 7? ?? FF 7? ?? FF 7? ?? FF 7? ?? E8 ?? ?? ?? ?? 89 ?? ?? 3B ?? 0F 84 } - $block_15 = { D9 ?? ?? D9 ?? ?? DC ?? ?? ?? ?? ?? DF ?? F6 ?? ?? 0F 8A } - $block_16 = { 2B ?? 4? 89 ?? ?? ?? 60 9? 9? 9? 9? 9? 9? 61 33 ?? 33 } - $block_17 = { 2B ?? 4? 89 ?? ?? 60 9? 9? 9? 9? 9? 9? 61 33 ?? 33 } - $block_18 = { 6A ?? FF 1? ?? ?? ?? ?? 0C ?? 9E AD 9? B5 ?? CB } - - condition: - hash.sha256(0, filesize) == "20198aad15943b67fea8a0826d5b77f014de5691fd6b3bc3a7c0331ca4681ce1" or - hash.sha256(0, filesize) == "ab8d308fd59a8db8a130fcfdb6db56c4f7717877c465be98f71284bdfccdfa25" or - hash.sha256(0, filesize) == "54a76f5cd5a32ed7d5fa78e5d8311bafc0de57a475bc2fddc23ee4b3510b9d44" or - hash.sha256(0, filesize) == "945c594aee1b5bd0f3a72abe8f5a3df74fc6ca686887db5e40fe859e3fc90bb1" or - hash.sha256(0, filesize) == "8a508924e46c9afadb6d8e863942bd33ce278b1cc1033dd3a8e2a77b8d3648a3" or - hash.sha256(0, filesize) == "2ff0941fe3514abc12484ad2853d22fd7cb36469a313b5ecb6ef0c6391cf78ab" or - hash.sha256(0, filesize) == "ac73eb13779656a5692082c11733731ec4e177ca46f36abdffb28efa39c0940b" or - 12 of them -} - -rule PotaoDropperFakeExcel { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { 0F B6 ?? 33 ?? 69 ?? ?? ?? ?? ?? 8B ?? C1 ?? ?? 33 ?? 69 ?? ?? ?? ?? ?? 8B ?? C1 ?? ?? 5? 33 ?? 5? 5? C2 } - $block_1 = { 33 ?? 4? 6B ?? ?? 8B ?? ?? 0F B6 ?? ?? 8B ?? ?? 03 ?? ?? 0F B6 ?? 33 ?? 8B ?? ?? 03 ?? ?? 88 ?? EB } - $block_2 = { 8B ?? ?? 8D ?? ?? 0F B7 ?? ?? 
8B ?? ?? 8D ?? ?? 8B ?? ?? 5? 03 ?? 5? 5? 8B ?? 5? C2 } - $block_3 = { 8B ?? ?? 8D ?? ?? 0F B7 ?? ?? 8B ?? ?? 5? 8D ?? ?? 5? 8B ?? ?? 03 ?? 5? 8B ?? 5? C3 } - $block_4 = { 8B ?? ?? 0F B6 ?? ?? 8B ?? ?? 03 ?? ?? 0F B6 ?? 33 ?? 8B ?? ?? 03 ?? ?? 88 ?? EB } - $block_5 = { 5? 8B ?? 81 E? ?? ?? ?? ?? 5? 5? E8 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_6 = { 8B ?? ?? 33 ?? 85 ?? 0F 94 ?? 5? 89 ?? 5? 5? 8B ?? 8B ?? 5? C3 } - $block_7 = { C7 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 0F 85 } - $block_8 = { 8B ?? ?? 5? 33 ?? 89 ?? 85 ?? 5? 0F 94 ?? 5? C9 C2 } - $block_9 = { 1B ?? 83 ?? ?? 85 ?? 5? 0F 94 ?? 5? 8B ?? 5? C3 } - - condition: - hash.sha256(0, filesize) == "aa23a93d2fed81daacb93ea7ad633426e04fcd063ff2ea6c0af5649c6cfa0385" or - hash.sha256(0, filesize) == "048621ecf8f25133b2b09d512bb0fe15fc274ec7cb2ccc966aeb44d7a88beb5b" or - hash.sha256(0, filesize) == "8bc189dee0a71b3a8a1767e95cc726e13808ed7d2e9546a9d6b6843cea5eb3bd" or - hash.sha256(0, filesize) == "c66955f667e9045ea5591ebf9b59246ad86227f174ea817d1398815a292b8c88" or - hash.sha256(0, filesize) == "d6f126ab387f1d856672c730991573385c5746c7c84738ab97b13c897063ff4a" or - 10 of them -} - -rule PotaoDropperw { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { 8B ?? ?? 03 ?? ?? ?? ?? ?? 0F B6 ?? 8B ?? ?? 0F B6 ?? 33 ?? 8B ?? ?? 03 ?? ?? ?? ?? ?? 88 ?? EB } - $block_1 = { 5? 5? 8D ?? ?? 5? 5? 6A ?? 5? E8 ?? ?? ?? ?? 5? 5? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_2 = { 5? 8B ?? 81 E? ?? ?? ?? ?? 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 0F B6 ?? 83 ?? ?? 74 } - $block_3 = { 8B ?? ?? 0F B6 ?? ?? 8B ?? ?? 03 ?? ?? 0F B6 ?? 33 ?? 8B ?? ?? 03 ?? ?? 88 ?? EB } - $block_4 = { 5? 8B ?? 83 ?? ?? 0F B6 ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 } - $block_5 = { 5? 68 ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 5? 3B ?? 0F 84 } - $block_6 = { A1 ?? ?? ?? ?? 0F B6 ?? ?? 0F B6 ?? 33 ?? 88 ?? ?? FF 0? ?? ?? ?? ?? 
EB } - $block_7 = { FF 7? ?? FF 1? ?? ?? ?? ?? 8B ?? ?? 64 ?? ?? ?? ?? ?? ?? 5? 5? 5? C9 C3 } - $block_8 = { 8B ?? 8D ?? ?? A5 A5 66 ?? 8D ?? ?? 89 ?? ?? 83 ?? ?? ?? EB } - $block_9 = { 8B ?? ?? 5? FF 1? ?? ?? ?? ?? 9B 89 ?? ?? 83 ?? ?? ?? 75 } - $block_10 = { FF 7? ?? FF 1? ?? ?? ?? ?? 9B 89 ?? ?? 83 ?? ?? ?? 75 } - $block_11 = { 8B ?? ?? 4? 5? E8 ?? ?? ?? ?? 8B ?? 5? 3B ?? 0F 84 } - $block_12 = { 0F B6 ?? ?? ?? ?? ?? 83 ?? ?? 88 ?? ?? ?? ?? ?? EB } - $block_13 = { 8B ?? ?? 89 ?? 33 ?? 85 ?? 0F 94 ?? 8B ?? C9 C2 } - - condition: - hash.sha256(0, filesize) == "61dd8b60ac35e91771d9ed4f337cd63e0aa6d0a0c5a17bb28cac59b3c21c24a9" or - hash.sha256(0, filesize) == "4328b06093a4ad01f828dc837053cb058fe00f3a7fd5cfb9d1ff7feb7ebb8e32" or - hash.sha256(0, filesize) == "cf3b0d8e9a7d0ad32351ade0c52de583b5ca2f72e5af4adbf638c81f4ad8fbcb" or - hash.sha256(0, filesize) == "dbc1b98b1df1d9c2dc8a5635682ed44a91df6359264ed63370724afa9f19c7ee" or - hash.sha256(0, filesize) == "15760f0979f2ba1b4d991f19e8b59fc1e61632fcc88755a4d147c0f5d47965c5" or - hash.sha256(0, filesize) == "b9c285f485421177e616a148410ddc5b02e43f0af375d3141b7e829f7d487bfd" or - 12 of them -} - -rule PotaoDebugDropper { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { 8B ?? ?? 0F BE ?? ?? 33 ?? 8B ?? ?? 88 ?? ?? ?? ?? ?? 8B ?? ?? 0F BE ?? ?? ?? ?? ?? 85 ?? 75 } - $block_1 = { B9 ?? ?? ?? ?? 6B ?? ?? 8B ?? ?? 0F B6 ?? ?? 33 ?? ?? 89 ?? ?? 8B ?? ?? 69 ?? ?? ?? ?? ?? 89 } - $block_2 = { 8B ?? ?? 0F B6 ?? 89 ?? ?? 8B ?? ?? 89 ?? ?? 8B ?? ?? 83 ?? ?? 89 ?? ?? 83 ?? ?? ?? 7C } - $block_3 = { 5? 8B ?? 83 ?? ?? 89 ?? ?? 89 ?? ?? 8B ?? ?? 89 ?? ?? 8B ?? ?? 0F BE ?? 85 ?? 75 } - $block_4 = { 5? 8B ?? 83 ?? ?? 5? 5? 5? 89 ?? ?? FC 33 ?? 64 ?? ?? ?? ?? ?? ?? 8B ?? ?? 8B } - $block_5 = { 8B ?? ?? 83 ?? ?? 8B ?? ?? 83 ?? ?? 89 ?? ?? 89 ?? ?? 83 ?? ?? ?? 0F 87 } - $block_6 = { 5? 8B ?? 83 ?? ?? B8 ?? ?? ?? ?? 6B ?? ?? 0F BE ?? ?? ?? ?? ?? 85 ?? 74 } - $block_7 = { 6A ?? 6A ?? E8 ?? 
?? ?? ?? 83 ?? ?? 0F B6 ?? ?? 88 ?? ?? ?? ?? ?? EB } - $block_8 = { 8B ?? ?? 0F BE ?? 89 ?? ?? 8B ?? ?? 83 ?? ?? 89 ?? ?? 83 ?? ?? ?? 74 } - $block_9 = { 8B ?? ?? 0F BE ?? ?? 8B ?? ?? 0F BE ?? ?? ?? ?? ?? 33 ?? 8B ?? ?? 88 } - $block_10 = { 8B ?? ?? 0F BE ?? 89 ?? ?? 8B ?? ?? 83 ?? ?? 89 ?? ?? 83 ?? ?? ?? 75 } - $block_11 = { B9 ?? ?? ?? ?? C1 ?? ?? 8B ?? ?? 0F B6 ?? ?? C1 ?? ?? 33 ?? ?? 89 } - $block_12 = { 8B ?? ?? 89 ?? ?? 8B ?? ?? 83 ?? ?? 89 ?? ?? 83 ?? ?? ?? 0F 87 } - $block_13 = { B9 ?? ?? ?? ?? D1 ?? 8B ?? ?? 0F B6 ?? ?? C1 ?? ?? 33 ?? ?? 89 } - $block_14 = { 0F B6 ?? ?? C6 ?? ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? 8B ?? 5? C3 } - $block_15 = { C7 ?? ?? ?? ?? ?? ?? 8B ?? ?? 0F BF ?? 81 F? ?? ?? ?? ?? 75 } - $block_16 = { 8B ?? ?? 03 ?? ?? 0F BE ?? 8B ?? ?? 81 E? ?? ?? ?? ?? 79 } - $block_17 = { 5? 8B ?? 81 E? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 0F 85 } - $block_18 = { 5? 8B ?? 5? 89 ?? ?? 83 ?? ?? ?? ?? ?? ?? 0F 85 } - - condition: - hash.sha256(0, filesize) == "f845778c3f2e3272145621776a90f662ee9344e3ae550c76f65fd954e7277d19" or - hash.sha256(0, filesize) == "c821cb34c86ec259af37c389a8f6cd635d98753576c675882c9896025a1abc53" or - hash.sha256(0, filesize) == "910f55e1c4e75696405e158e40b55238d767730c60119539b644ef3e6bc32a5d" or - 12 of them -} - -rule WildNeutronJripbot { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { 5? 68 ?? ?? ?? ?? 6A ?? 5? 5? 68 ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 8B ?? 89 ?? ?? 83 ?? ?? 0F 84 } - $block_1 = { 8B ?? ?? ?? ?? ?? 6A ?? 8D ?? ?? ?? ?? ?? 5? 6A ?? 8D ?? ?? 5? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_2 = { 0F B6 ?? ?? ?? 5? 68 ?? ?? ?? ?? 6A ?? 6A ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 4? 83 ?? ?? 83 ?? ?? 72 } - $block_3 = { 8B ?? ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 } - $block_4 = { 5? 5? 8D ?? ?? ?? ?? ?? 5? 5? FF 1? ?? ?? ?? ?? 8B ?? ?? 8B ?? 83 ?? ?? 89 ?? ?? ?? ?? ?? 0F 84 } - $block_5 = { 8B ?? ?? ?? ?? ?? 8D ?? ?? ?? 89 ?? ?? 
?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 39 ?? ?? ?? ?? ?? 0F 85 } - $block_6 = { 8B ?? ?? ?? 0F B6 ?? ?? ?? 5? 5? 8D ?? ?? ?? E8 ?? ?? ?? ?? FF 4? ?? ?? 83 ?? ?? ?? ?? 5? 5? 72 } - $block_7 = { 6A ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 8B ?? 83 ?? ?? 0F 84 } - $block_8 = { 8D ?? ?? ?? 5? BB ?? ?? ?? ?? 5? FF 7? ?? E8 ?? ?? ?? ?? 83 ?? ?? 3B ?? 8B ?? ?? ?? ?? ?? 0F 84 } - $block_9 = { 8D ?? ?? ?? 5? 68 ?? ?? ?? ?? FF D? 0F B7 ?? ?? ?? 6A ?? 6A ?? 8D ?? ?? ?? 89 ?? ?? ?? 5? E9 } - $block_10 = { 8B ?? ?? ?? ?? ?? 8B ?? 5? 8D ?? ?? ?? ?? ?? 5? 6A ?? FF B? ?? ?? ?? ?? FF 5? ?? 85 ?? 0F 85 } - $block_11 = { 5? 68 ?? ?? ?? ?? 6A ?? 5? 5? 68 ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 89 ?? ?? ?? 83 ?? ?? 0F 84 } - $block_12 = { 33 ?? 5? 5? 8D ?? ?? ?? ?? ?? 5? 5? 8D ?? ?? ?? ?? ?? 5? FF 3? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 } - $block_13 = { 5? 8D ?? ?? ?? ?? ?? 5? 5? 8B ?? E8 ?? ?? ?? ?? 83 ?? ?? 33 ?? 8B ?? 39 ?? ?? ?? ?? ?? 0F 8E } - $block_14 = { 5? 8B ?? 83 ?? ?? 5? 5? 8B ?? 8B ?? ?? 8D ?? ?? ?? ?? ?? 89 ?? ?? 0F B7 ?? 5? 66 ?? ?? 0F 84 } - $block_15 = { 8A ?? ?? 0F B6 ?? 8B ?? ?? ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 84 } - $block_16 = { 8B ?? ?? ?? ?? ?? 6A ?? 8D ?? ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_17 = { 0F B7 ?? 8B ?? ?? 33 ?? 8D ?? ?? ?? F7 ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 0F B7 ?? 85 ?? 0F 84 } - $block_18 = { 8D ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? 0F B7 ?? 66 ?? ?? ?? ?? ?? ?? 0F 84 } - $block_19 = { 8D ?? ?? 5? 6A ?? FF D? 5? FF 1? ?? ?? ?? ?? 0F BF ?? ?? ?? ?? ?? 0F BF ?? ?? 4? 3B ?? 75 } - $block_20 = { 83 ?? ?? 5? 8D ?? ?? 8D ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 ?? 8D ?? ?? AB AA 8B ?? ?? 5? 8D } - $block_21 = { 8B ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? 6A ?? 6A ?? 6A ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 } - $block_22 = { 0F BF ?? ?? ?? ?? ?? 2B ?? D1 ?? 03 ?? 0F B7 ?? 9? 99 F7 ?? 4? 89 ?? ?? ?? ?? ?? 3B ?? 75 } - $block_23 = { 33 ?? 66 ?? ?? 0F B7 ?? ?? 83 ?? ?? F7 ?? 1B ?? 
23 ?? 5? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 } - $block_24 = { 0F B7 ?? ?? ?? ?? ?? 6A ?? 8D ?? ?? ?? ?? ?? 6A ?? 5? 89 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 } - $block_25 = { 8A ?? ?? 0F B6 ?? 8B ?? ?? ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 74 } - $block_26 = { 5? 8B ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 ?? 89 ?? ?? 8B ?? ?? 85 ?? 0F 84 } - $block_27 = { 8D ?? ?? ?? 5? 5? 8B ?? 89 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? 39 ?? ?? ?? 0F 8E } - $block_28 = { FF B? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? FF 8? ?? ?? ?? ?? 81 B? ?? ?? ?? ?? ?? ?? ?? ?? 0F 85 } - $block_29 = { 5? 8B ?? E8 ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 0F B6 ?? ?? 83 ?? ?? 83 ?? ?? 83 ?? ?? 77 } - $block_30 = { 0F B7 ?? ?? 33 ?? 66 ?? ?? ?? 5? 0F 94 ?? 83 ?? ?? 33 ?? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 75 } - $block_31 = { 8B ?? ?? 8D ?? ?? 5? 5? E8 ?? ?? ?? ?? 33 ?? 39 ?? ?? 5? 0F 94 ?? 8D ?? ?? 5? 89 ?? ?? 8D } - $block_32 = { 8B ?? ?? 8D ?? ?? ?? ?? ?? 5? 5? E8 ?? ?? ?? ?? 0F B7 ?? 83 ?? ?? 5? 68 ?? ?? ?? ?? EB } - $block_33 = { 8D ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 5? BE ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 } - $block_34 = { 0F B7 ?? 5? E8 ?? ?? ?? ?? 0F B7 ?? 5? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 74 } - $block_35 = { 5? E8 ?? ?? ?? ?? 0F B7 ?? ?? 83 ?? ?? 5? 66 ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 74 } - $block_36 = { 0F B7 ?? 33 ?? 83 ?? ?? 0F 94 ?? 83 ?? ?? 66 ?? ?? 0F B7 ?? 83 ?? ?? 33 ?? 66 ?? ?? 75 } - $block_37 = { 8B ?? 5? 5? 5? 89 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_38 = { 8B ?? ?? 03 ?? 8B ?? ?? 03 ?? 03 ?? D1 ?? 89 ?? ?? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? 0F 84 } - $block_39 = { 8D ?? ?? ?? 5? 6A ?? BA ?? ?? ?? ?? 8B ?? 8B ?? E8 ?? ?? ?? ?? 8B ?? 5? 5? 85 ?? 0F 84 } - $block_40 = { BF ?? ?? ?? ?? E8 ?? ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 5? 5? 85 ?? 0F 85 } - $block_41 = { 68 ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 5? 6A ?? FF 1? ?? ?? ?? ?? 89 ?? ?? ?? 3B ?? 0F 84 } - $block_42 = { 68 ?? ?? ?? ?? 8D ?? ?? 
?? ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_43 = { 8B ?? 6B ?? ?? 8D ?? ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 5? 89 ?? ?? ?? ?? ?? 85 ?? 0F 85 } - $block_44 = { 68 ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 5? 6A ?? FF 1? ?? ?? ?? ?? 89 ?? ?? 3B ?? 0F 84 } - $block_45 = { 8B ?? ?? 2B ?? ?? D1 ?? 03 ?? 8D ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 84 } - $block_46 = { 0F B6 ?? ?? 5? 8D ?? ?? ?? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 8D ?? ?? ?? 83 ?? ?? 8D } - $block_47 = { BF ?? ?? ?? ?? E8 ?? ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 } - $block_48 = { 0F B7 ?? ?? ?? 0F B7 ?? ?? ?? 5? 5? 5? 5? 0F B7 ?? ?? ?? 5? 6A ?? 68 ?? ?? ?? ?? EB } - $block_49 = { 8B ?? 5? E8 ?? ?? ?? ?? 03 ?? ?? 83 ?? ?? 8B ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 } - $block_50 = { 8B ?? ?? ?? ?? ?? 83 ?? ?? 66 ?? ?? ?? 0F B7 ?? ?? 66 ?? ?? ?? 8D ?? ?? ?? ?? ?? 8D } - $block_51 = { 8B ?? ?? ?? ?? ?? 5? B8 ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 } - $block_52 = { 8B ?? ?? ?? ?? ?? 6A ?? 8D ?? ?? ?? ?? ?? 5? 6A ?? 8D ?? ?? 5? 5? FF D? 85 ?? 0F 84 } - $block_53 = { 0F B7 ?? ?? 83 ?? ?? 5? E8 ?? ?? ?? ?? 0F B7 ?? 83 ?? ?? 83 ?? ?? 83 ?? ?? 0F 87 } - $block_54 = { 0F BF ?? 33 ?? 8B ?? F7 ?? 4? 89 ?? ?? ?? ?? ?? 0F B7 ?? 8B ?? 0F AF ?? 3B ?? 72 } - $block_55 = { 8B ?? 2B ?? D1 ?? 8D ?? ?? 8D ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 84 } - $block_56 = { 8B ?? ?? ?? ?? ?? 33 ?? 33 ?? 81 E? ?? ?? ?? ?? 1B ?? 89 ?? ?? ?? ?? ?? 0F 88 } - $block_57 = { 2B ?? 8D ?? ?? ?? 5? 6A ?? E8 ?? ?? ?? ?? 5? 5? 89 ?? ?? ?? ?? ?? 3B ?? 0F 84 } - $block_58 = { 8B ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 0F B6 ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 75 } - $block_59 = { 68 ?? ?? ?? ?? 8D ?? ?? ?? 5? 8D ?? ?? ?? 5? 8D ?? ?? ?? 5? FF D? 85 ?? 0F 84 } - $block_60 = { 8B ?? ?? ?? 2B ?? D1 ?? 8D ?? ?? B9 ?? ?? ?? ?? 66 ?? ?? 83 ?? ?? 85 ?? 0F 85 } - $block_61 = { FF B? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_62 = { 8B ?? ?? 5? 8B ?? ?? 
5? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 84 } - $block_63 = { 83 ?? ?? 89 ?? ?? ?? ?? ?? 0F B7 ?? 33 ?? 89 ?? ?? ?? ?? ?? 66 ?? ?? 0F 84 } - $block_64 = { 0F B7 ?? ?? ?? 0F B7 ?? ?? ?? ?? ?? 0F B7 ?? ?? ?? 5? 6A ?? 5? 5? 5? 0F B7 } - $block_65 = { 68 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 3B ?? 0F 84 } - $block_66 = { 0F B7 ?? 33 ?? 83 ?? ?? 0F 94 ?? 66 ?? ?? ?? 83 ?? ?? 33 ?? 66 ?? ?? ?? 75 } - $block_67 = { 8B ?? ?? ?? 0F B7 ?? ?? 5? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 75 } - $block_68 = { 5? 8B ?? 5? 5? 83 ?? ?? ?? A1 ?? ?? ?? ?? 5? 8B ?? ?? 89 ?? ?? 85 ?? 0F 84 } - $block_69 = { 0F B7 ?? ?? 83 ?? ?? 8D ?? ?? ?? 5? 5? FF 5? ?? ?? 8B ?? 83 ?? ?? 85 ?? 75 } - $block_70 = { 6A ?? 8D ?? ?? ?? ?? ?? 5? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 83 ?? ?? 0F 8C } - $block_71 = { FF B? ?? ?? ?? ?? 6A ?? E8 ?? ?? ?? ?? 5? 5? 89 ?? ?? ?? ?? ?? 3B ?? 0F 84 } - $block_72 = { 8D ?? ?? ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 84 } - $block_73 = { 8B ?? ?? 8B ?? E8 ?? ?? ?? ?? 8B ?? ?? 5? 5? 33 ?? 5? E8 ?? ?? ?? ?? C9 C3 } - $block_74 = { 8D ?? ?? ?? ?? ?? 5? 8B ?? E8 ?? ?? ?? ?? 5? 89 ?? ?? ?? ?? ?? 85 ?? 0F 85 } - $block_75 = { 8B ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? 33 ?? 8D ?? ?? ?? AB AB AB 66 ?? AA BB } - $block_76 = { 0F B7 ?? ?? 8D ?? ?? 5? E8 ?? ?? ?? ?? 0F B7 ?? 83 ?? ?? 83 ?? ?? 0F 84 } - $block_77 = { 8D ?? ?? 5? 68 ?? ?? ?? ?? 6A ?? E8 ?? ?? ?? ?? 5? 5? FF D? 85 ?? 0F 85 } - $block_78 = { 0F B7 ?? ?? 5? E8 ?? ?? ?? ?? 0F B7 ?? 83 ?? ?? 83 ?? ?? 83 ?? ?? 0F 87 } - $block_79 = { 8B ?? ?? ?? ?? ?? 8B ?? ?? 8B ?? ?? 23 ?? 23 ?? ?? ?? ?? ?? 3B ?? 0F 85 } - $block_80 = { 8D ?? ?? 66 ?? ?? ?? 0F BF ?? 4? 66 ?? ?? 89 ?? ?? 3B ?? ?? ?? ?? ?? 75 } - $block_81 = { 33 ?? 85 ?? 0F 94 ?? 5? 5? 5? 8B ?? ?? 33 ?? E8 ?? ?? ?? ?? 8B ?? 5? C3 } - $block_82 = { 6A ?? FF 1? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 0F 85 } - $block_83 = { 8B ?? ?? 2B ?? D1 ?? 8D ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 85 ?? 
0F 84 } - $block_84 = { 8B ?? ?? C7 ?? ?? ?? ?? ?? ?? 89 ?? ?? 89 ?? ?? 89 ?? ?? 39 ?? ?? 0F 86 } - $block_85 = { 6A ?? 6A ?? 8D ?? ?? ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? FF D? 84 ?? 0F 84 } - $block_86 = { 6A ?? 8D ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 5? 89 ?? ?? ?? ?? ?? 85 ?? 0F 85 } - $block_87 = { 0F B7 ?? 33 ?? 66 ?? ?? 66 ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 8B ?? 74 } - $block_88 = { BB ?? ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_89 = { 8B ?? 2B ?? ?? 83 ?? ?? 89 ?? ?? 8B ?? ?? D1 ?? 89 ?? ?? 85 ?? 0F 8E } - $block_90 = { 0F B7 ?? ?? ?? ?? ?? ?? 66 ?? ?? ?? ?? ?? ?? ?? 83 ?? ?? 66 ?? ?? 75 } - $block_91 = { 0F BF ?? ?? 0F BF ?? ?? ?? ?? ?? 03 ?? B8 ?? ?? ?? ?? 2B ?? 3B ?? 75 } - $block_92 = { 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_93 = { 5? 8D ?? ?? 5? 8D ?? ?? 5? 8D ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_94 = { 8B ?? ?? 8B ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? F6 ?? ?? 0F 85 } - $block_95 = { C7 ?? ?? ?? ?? ?? 0F B7 ?? 5? 5? C7 ?? ?? ?? ?? ?? ?? 66 ?? ?? 0F 84 } - $block_96 = { 8D ?? ?? ?? ?? ?? 8B ?? E8 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 85 ?? 0F 85 } - $block_97 = { 8B ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 5? 89 ?? ?? ?? ?? ?? 85 ?? 0F 85 } - $block_98 = { BE ?? ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_99 = { 5? 8D ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 5? 89 ?? ?? ?? ?? ?? 85 ?? 
0F 85 } - - condition: - hash.sha256(0, filesize) == "683f5b476f8ffe87ec22b8bab57f74da4a13ecc3a5c2cbf951999953c2064fc9" or - hash.sha256(0, filesize) == "ccc851cbd600592f1ed2c2969a30b87f0bf29046cdfa1590d8f09cfe454608a5" or - hash.sha256(0, filesize) == "b4005530193bc523d3e0193c3c53e2737ae3bf9f76d12c827c0b5cd0dcbaae45" or - hash.sha256(0, filesize) == "8ca7ed720babb32a6f381769ea00e16082a563704f8b672cb21cf11843f4da7a" or - hash.sha256(0, filesize) == "758e6b519f6c0931ff93542b767524fc1eab589feb5cfc3854c77842f9785c92" or - hash.sha256(0, filesize) == "781eb1e17349009fbae46aea5c59d8e5b68ae0b42335cb035742f6b0f4e4087e" or - 12 of them -} - -rule WildNeutronTunnel { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { 8B ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? FF D? 5? FF 1? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_1 = { 8D ?? ?? C7 ?? ?? ?? ?? ?? 89 ?? ?? ?? 8D ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 } - $block_2 = { 89 ?? ?? E8 ?? ?? ?? ?? C6 ?? ?? 89 ?? 8D ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 88 } - $block_3 = { 89 ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? ?? 85 ?? 0F 84 } - $block_4 = { 5? 5? 5? 5? 83 ?? ?? 8B ?? ?? ?? A1 ?? ?? ?? ?? 89 ?? ?? ?? 31 ?? 8B ?? ?? ?? 8B ?? 85 ?? 0F 84 } - $block_5 = { 8B ?? ?? ?? 8B ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 } - $block_6 = { 83 ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 95 ?? ?? ?? 39 ?? 0F 86 } - $block_7 = { 8D ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? ?? 89 ?? ?? ?? 83 ?? ?? 83 ?? ?? 89 ?? ?? ?? 0F 85 } - $block_8 = { A1 ?? ?? ?? ?? 8B ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 44 ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 74 } - $block_9 = { E8 ?? ?? ?? ?? F6 ?? 0F BE ?? 83 ?? ?? 89 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? ?? 3B ?? 75 } - $block_10 = { 5? 8B ?? 5? 5? 68 ?? ?? ?? ?? 6A ?? FF 1? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 8B ?? 85 ?? 
0F 84 } - $block_11 = { C7 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 } - $block_12 = { C7 ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 83 ?? ?? 0F 84 } - $block_13 = { A1 ?? ?? ?? ?? 8B ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 44 ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 74 } - $block_14 = { 8B ?? ?? B9 ?? ?? ?? ?? BF ?? ?? ?? ?? F3 ?? C7 ?? ?? ?? ?? ?? ?? 0F 97 ?? 0F 92 ?? 38 ?? 74 } - $block_15 = { 0F B7 ?? 89 ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 31 ?? 8B ?? ?? 33 ?? ?? ?? ?? ?? 75 } - $block_16 = { 8B ?? ?? ?? 8B ?? ?? 8B ?? ?? 8B ?? ?? ?? 31 ?? 0F A4 ?? ?? C1 ?? ?? 01 ?? 11 ?? 39 ?? 0F 83 } - $block_17 = { 5? 5? 5? 5? 83 ?? ?? 8B ?? ?? ?? 8B ?? ?? ?? 8D ?? ?? 8B ?? ?? C6 ?? ?? ?? 4? 83 ?? ?? 0F 87 } - $block_18 = { E8 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 89 } - $block_19 = { E8 ?? ?? ?? ?? 9? 5? 5? 5? 83 ?? ?? 8B ?? ?? ?? A1 ?? ?? ?? ?? 89 ?? ?? ?? 31 ?? 85 ?? 0F 84 } - $block_20 = { 8B ?? ?? ?? B8 ?? ?? ?? ?? 8B ?? ?? 80 3? ?? 0F 45 ?? 83 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? 0F 84 } - $block_21 = { 8D ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? ?? 89 ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 } - $block_22 = { 89 ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 3D ?? ?? ?? ?? 0F 85 } - $block_23 = { 5? 83 ?? ?? 8B ?? ?? ?? ?? ?? A1 ?? ?? ?? ?? 89 ?? ?? ?? 31 ?? 8B ?? ?? ?? ?? ?? 85 ?? 0F 85 } - $block_24 = { B8 ?? ?? ?? ?? 85 ?? BA ?? ?? ?? ?? 0F 44 ?? 89 ?? ?? ?? 89 ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? E8 } - $block_25 = { 8B ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? ?? 8B ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 0F 84 } - $block_26 = { 83 ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? ?? 84 ?? 89 ?? 74 } - $block_27 = { 8B ?? ?? ?? 8D ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? 0F 84 } - $block_28 = { B8 ?? ?? ?? ?? 85 ?? BA ?? ?? ?? ?? 0F 45 ?? 89 ?? ?? ?? 89 ?? ?? ?? C7 ?? ?? ?? ?? ?? 
?? E8 } - $block_29 = { 8B ?? ?? ?? BF ?? ?? ?? ?? B9 ?? ?? ?? ?? B8 ?? ?? ?? ?? F3 ?? 0F 44 ?? ?? ?? 89 ?? ?? ?? E9 } - $block_30 = { 5? 5? 5? 5? 89 ?? 81 E? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 31 ?? 85 ?? 0F 84 } - $block_31 = { 8B ?? ?? 89 ?? ?? ?? 8B ?? ?? 89 ?? ?? ?? 8B ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 88 } - $block_32 = { 83 ?? ?? BA ?? ?? ?? ?? B9 ?? ?? ?? ?? 0F 44 ?? 83 ?? ?? 19 ?? 83 ?? ?? 83 ?? ?? 19 ?? 83 } - $block_33 = { 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 33 ?? 81 B? ?? ?? ?? ?? ?? ?? ?? ?? 0F 95 ?? 85 ?? 74 } - $block_34 = { E8 ?? ?? ?? ?? F6 ?? 0F BE ?? 83 ?? ?? 89 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? 3B ?? 75 } - $block_35 = { 0F B6 ?? ?? ?? 5? 68 ?? ?? ?? ?? 6A ?? 5? E8 ?? ?? ?? ?? 4? 83 ?? ?? 83 ?? ?? 83 ?? ?? 72 } - $block_36 = { 8B ?? ?? 8B ?? ?? ?? 03 ?? ?? ?? 66 ?? ?? ?? 8B ?? ?? 0F B7 ?? 8D ?? ?? 8B ?? ?? 03 ?? EB } - $block_37 = { 5? 89 ?? 5? 5? 5? 83 ?? ?? 8B ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? 31 ?? 85 ?? 89 ?? ?? 0F 84 } - $block_38 = { C1 ?? ?? 03 ?? ?? ?? 89 ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? 81 E? ?? ?? ?? ?? 89 ?? ?? ?? 0F 88 } - $block_39 = { 8B ?? ?? ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? 8B ?? 85 ?? 0F 85 } - $block_40 = { 8B ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? 89 ?? ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 } - $block_41 = { 89 ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 8D ?? ?? 83 ?? ?? 83 ?? ?? 8D ?? ?? ?? 31 ?? 39 ?? 0F 82 } - $block_42 = { 8B ?? ?? ?? 89 ?? ?? 89 ?? ?? ?? 8B ?? ?? ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 88 } - $block_43 = { C7 ?? ?? ?? ?? ?? ?? ?? 89 ?? ?? 88 ?? ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? ?? ?? 80 F? ?? 0F 84 } - $block_44 = { 8B ?? ?? 8D ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 } - $block_45 = { 31 ?? 83 ?? ?? 0F 94 ?? 89 ?? 89 ?? ?? 8D ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? ?? ?? 0F 84 } - $block_46 = { 8B ?? ?? B8 ?? ?? ?? ?? 89 ?? C1 ?? ?? D3 ?? 09 ?? ?? 8B ?? ?? ?? 33 ?? ?? ?? ?? ?? 0F 85 } - $block_47 = { 8B ?? ?? 83 ?? ?? 
66 ?? ?? ?? ?? ?? 0F 94 ?? 83 ?? ?? ?? ?? 0F 94 ?? 20 ?? 88 ?? ?? ?? 74 } - $block_48 = { 8B ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? 8D ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 } - $block_49 = { 89 ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 ?? 8B ?? ?? ?? 33 ?? ?? ?? ?? ?? 0F 85 } - $block_50 = { 8B ?? ?? ?? 8B ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 88 } - $block_51 = { 8B ?? ?? ?? 89 ?? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 } - $block_52 = { 8D ?? ?? 8D ?? ?? 89 ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 } - $block_53 = { 8B ?? ?? ?? 89 ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? ?? 85 ?? 89 ?? 0F 84 } - $block_54 = { 0F B6 ?? ?? 83 ?? ?? 32 ?? ?? 0F B6 ?? 0F B6 ?? ?? ?? ?? ?? 88 ?? ?? 83 ?? ?? 83 ?? ?? 75 } - $block_55 = { 8D ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? 0F 8C } - $block_56 = { C7 ?? ?? ?? ?? ?? ?? ?? 89 ?? C7 ?? ?? ?? ?? ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 } - $block_57 = { 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? 89 ?? E8 ?? ?? ?? ?? 31 ?? 85 ?? 0F 94 ?? E9 } - $block_58 = { 5? 5? 5? 5? 81 E? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? 4? 83 ?? ?? 0F 8E } - $block_59 = { 5? 5? 5? 5? 83 ?? ?? 8B ?? ?? ?? A1 ?? ?? ?? ?? 89 ?? ?? ?? 31 ?? 8B ?? ?? ?? 85 ?? 0F 84 } - $block_60 = { C7 ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 88 } - $block_61 = { 89 ?? ?? E8 ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 84 } - $block_62 = { 5? 5? 5? 5? 83 ?? ?? 8B ?? ?? ?? A1 ?? ?? ?? ?? 89 ?? ?? ?? 31 ?? 85 ?? 89 ?? ?? ?? 0F 84 } - $block_63 = { 8B ?? ?? ?? 8B ?? ?? ?? 89 ?? ?? ?? 8B ?? ?? 8B ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 } - $block_64 = { A1 ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? 84 ?? 0F 85 } - $block_65 = { 83 ?? ?? 89 ?? C7 ?? ?? ?? ?? ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 
?? ?? 89 ?? 0F 84 } - $block_66 = { FF D? 0F B6 ?? 68 ?? ?? ?? ?? 83 ?? ?? 6A ?? 89 ?? ?? ?? ?? ?? FF D? 5? FF D? 85 ?? 74 } - $block_67 = { 0F B6 ?? ?? 5? 68 ?? ?? ?? ?? 6A ?? 5? E8 ?? ?? ?? ?? 4? 83 ?? ?? 83 ?? ?? 83 ?? ?? 72 } - $block_68 = { E8 ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? A3 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? 0F 84 } - $block_69 = { 5? 89 ?? 83 ?? ?? 0F B7 ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? 31 ?? 8B ?? ?? 66 ?? ?? ?? 74 } - $block_70 = { 8D ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 89 ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 } - $block_71 = { 5? 89 ?? 5? 5? 5? 81 E? ?? ?? ?? ?? 8B ?? ?? A1 ?? ?? ?? ?? 89 ?? ?? 31 ?? 85 ?? 0F 84 } - $block_72 = { 5? 89 ?? 5? 5? 5? 83 ?? ?? 8B ?? ?? A1 ?? ?? ?? ?? 89 ?? ?? 31 ?? 8B ?? ?? 85 ?? 0F 84 } - $block_73 = { C1 ?? ?? 03 ?? ?? ?? 89 ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? 25 ?? ?? ?? ?? 89 ?? ?? ?? 0F 88 } - $block_74 = { 89 ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 ?? 8B ?? ?? 33 ?? ?? ?? ?? ?? 0F 85 } - $block_75 = { 5? 5? 6A ?? 6A ?? 6A ?? 6A ?? FF 1? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_76 = { E8 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 85 ?? 89 ?? 0F 84 } - $block_77 = { 8D ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 94 ?? 84 ?? 0F 85 } - $block_78 = { 8D ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 94 ?? 84 ?? 0F 84 } - $block_79 = { 5? 5? 5? 5? 81 E? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? 8B ?? 89 ?? 83 ?? ?? 0F 8F } - $block_80 = { 8D ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 89 ?? 89 ?? 89 ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 } - $block_81 = { 8B ?? ?? 8B ?? ?? ?? ?? ?? ?? 89 ?? ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 } - $block_82 = { 5? 5? 5? 5? 83 ?? ?? 89 ?? 89 ?? ?? ?? 89 ?? 8B ?? ?? ?? 8B ?? ?? 85 ?? 0F 84 } - $block_83 = { 89 ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? 0F 84 } - $block_84 = { 5? 5? 5? 5? 83 ?? ?? 8B ?? ?? ?? 8B ?? ?? ?? 8B ?? ?? ?? 8D ?? ?? 39 ?? 0F 8E } - $block_85 = { 8D ?? ?? ?? 5? 68 ?? ?? ?? ?? 5? 
C7 ?? ?? ?? ?? ?? ?? ?? FF D? 85 ?? 0F 85 } - $block_86 = { 6A ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_87 = { 83 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 0F 84 } - $block_88 = { 8B ?? ?? 8B ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? ?? 0F 84 } - $block_89 = { 8B ?? B9 ?? ?? ?? ?? 8B ?? ?? F3 ?? 0F 97 ?? 89 ?? 0F 92 ?? 89 ?? 38 ?? 74 } - $block_90 = { C7 ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 0F 8C } - $block_91 = { C7 ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 0F 85 } - $block_92 = { 8B ?? ?? ?? 4? 5? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 } - $block_93 = { 0F BE ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? 83 ?? ?? 84 ?? 75 } - $block_94 = { 89 ?? ?? BF ?? ?? ?? ?? E8 ?? ?? ?? ?? B9 ?? ?? ?? ?? 89 ?? F3 ?? 0F 85 } - $block_95 = { C7 ?? ?? ?? ?? ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 89 ?? 31 ?? 85 ?? 0F 85 } - $block_96 = { E8 ?? ?? ?? ?? 8B ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? BA ?? ?? ?? ?? 0F 84 } - $block_97 = { C7 ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 89 } - $block_98 = { 5? 89 ?? 5? 83 ?? ?? 8B ?? ?? A1 ?? ?? ?? ?? 89 ?? ?? 31 ?? 85 ?? 0F 84 } - $block_99 = { 89 ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 85 ?? 89 ?? ?? 89 ?? ?? 0F 84 } - - condition: - hash.sha256(0, filesize) == "a14d31eb965ea8a37ebcc3b5635099f2ca08365646437c770212d534d504ff3c" or - hash.sha256(0, filesize) == "cfacc5389683518ecdd78002c975af6870fa5876337600e0b362abbbab0a19d2" or - hash.sha256(0, filesize) == "81955e36dd46f3b05a1d7e47ffd53b7d1455406d952c890b5210a698dd97e938" or - 12 of them -} - -rule WildNeutron { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { 5? 8B ?? 83 ?? ?? 5? BE ?? ?? ?? ?? 5? 5? 89 ?? ?? E8 ?? ?? ?? ?? 8B ?? 5? 89 ?? ?? 85 ?? 0F 84 } - $block_1 = { 48 ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? 
0F 84 } - $block_2 = { 8B ?? ?? ?? 83 ?? ?? ?? ?? FE ?? ?? ?? 83 ?? ?? ?? ?? 8D ?? ?? ?? 8D ?? ?? ?? A5 A5 A5 A5 7C } - $block_3 = { 8B ?? ?? 8B ?? ?? 03 ?? 0F B6 ?? 6A ?? 5? 8D ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 75 } - $block_4 = { 8D ?? ?? E8 ?? ?? ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 5? 5? 8B ?? 5? C9 C3 } - $block_5 = { FF 7? ?? 8B ?? ?? FF 7? ?? 8D ?? ?? 5? 8D ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 85 } - $block_6 = { 8D ?? ?? E8 ?? ?? ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 8B ?? 5? 5? 5? C9 C3 } - $block_7 = { 01 ?? ?? 68 ?? ?? ?? ?? FF 7? ?? 8D ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 85 } - $block_8 = { 8B ?? ?? 8B ?? ?? 03 ?? 0F B6 ?? 6A ?? 5? 8D ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 74 } - $block_9 = { 0F B6 ?? 5? 0D ?? ?? ?? ?? 5? FF 7? ?? 8D ?? ?? 89 ?? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 74 } - $block_10 = { 8B ?? ?? 5? FF 7? ?? 8D ?? ?? E8 ?? ?? ?? ?? 33 ?? 39 ?? ?? 5? 0F 94 ?? 8B ?? 5? 89 ?? ?? 8D } - $block_11 = { 8D ?? ?? 0F B6 ?? ?? ?? 0F B6 ?? ?? ?? C1 ?? ?? 0B ?? 03 ?? 8D ?? ?? ?? 39 ?? ?? ?? ?? ?? 74 } - $block_12 = { 0F B6 ?? 0F B6 ?? ?? C1 ?? ?? 66 ?? ?? 0F B7 ?? 83 ?? ?? 5? 89 ?? E8 ?? ?? ?? ?? 5? 85 ?? 75 } - $block_13 = { 8B ?? ?? 8B ?? ?? 8D ?? ?? ?? 5? 8D ?? ?? 83 ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 5? 5? 85 ?? 0F 85 } - $block_14 = { 2B ?? ?? 8B ?? ?? 83 ?? ?? ?? ?? 89 ?? 6A ?? 5? BF ?? ?? ?? ?? 8B ?? 33 ?? 66 ?? ?? 0F 85 } - $block_15 = { 5? 8B ?? 83 ?? ?? 5? 5? 6A ?? 6A ?? 6A ?? FF 1? ?? ?? ?? ?? A3 ?? ?? ?? ?? 83 ?? ?? 0F 84 } - $block_16 = { 8B ?? ?? 8B ?? E8 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? 5? E8 ?? ?? ?? ?? 5? 5? 5? 5? 5? C9 C3 } - $block_17 = { 5? 8B ?? 81 E? ?? ?? ?? ?? 5? 8B ?? ?? 83 ?? ?? 83 ?? ?? ?? 5? 8D ?? ?? 5? 89 ?? ?? 0F 82 } - $block_18 = { 5? 8B ?? 83 ?? ?? 5? 5? 8B ?? 8D ?? ?? 6A ?? 5? 89 ?? ?? E8 ?? ?? ?? ?? 5? 5? 85 ?? 0F 84 } - $block_19 = { 0F B6 ?? ?? ?? 0F B6 ?? ?? ?? C1 ?? ?? 0B ?? 03 ?? 8D ?? ?? 6A ?? 5? 39 ?? ?? ?? ?? ?? 73 } - $block_20 = { 5? 
8B ?? 83 ?? ?? 81 E? ?? ?? ?? ?? 8B ?? ?? 5? C1 ?? ?? 5? 5? 89 ?? ?? ?? 85 ?? 0F 84 } - $block_21 = { 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 89 ?? ?? 33 ?? AB AB 8B ?? 5? E9 } - $block_22 = { 8D ?? ?? 5? 5? 8D ?? ?? 5? 8D ?? ?? 5? 8D ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 } - $block_23 = { 8D ?? ?? 5? FF 7? ?? 8B ?? 5? 5? E8 ?? ?? ?? ?? 8B ?? ?? 33 ?? 4? 83 ?? ?? 3B ?? 0F 86 } - $block_24 = { 8B ?? ?? 81 C? ?? ?? ?? ?? 6A ?? 8D ?? ?? 5? F3 ?? 0F B6 ?? ?? 89 ?? ?? 83 ?? ?? 0F 87 } - $block_25 = { 5? 8B ?? A5 A5 A5 A5 8D ?? ?? 6A ?? 5? FF 7? ?? 89 ?? ?? FF 5? ?? 83 ?? ?? 85 ?? 0F 85 } - $block_26 = { 5? 8B ?? 83 ?? ?? 83 ?? ?? ?? 5? 8B ?? ?? 6A ?? E8 ?? ?? ?? ?? 5? 89 ?? ?? 85 ?? 0F 85 } - $block_27 = { 8B ?? ?? 83 ?? ?? 5? 5? 89 ?? ?? 8D ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 3B ?? 0F 85 } - $block_28 = { 8B ?? ?? 83 ?? ?? 5? 8D ?? ?? 5? 8D ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 85 } - $block_29 = { 8B ?? 6B ?? ?? 8D ?? ?? ?? 5? 8D ?? ?? 5? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 85 } - $block_30 = { 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? 0F 84 } - $block_31 = { 8B ?? ?? ?? C1 ?? ?? 8A ?? 8A ?? ?? ?? 2A ?? 80 C? ?? D2 ?? 89 ?? ?? ?? 84 ?? 0F 85 } - $block_32 = { 0F B6 ?? ?? 89 ?? ?? 4? 5? 8D ?? ?? 5? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 85 } - $block_33 = { 8B ?? 0F B6 ?? 6A ?? FF 7? ?? 8D ?? ?? 8B ?? 89 ?? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 75 } - $block_34 = { 8D ?? ?? ?? 5? 5? 8D ?? ?? ?? 5? 5? 5? E8 ?? ?? ?? ?? 8B ?? ?? 83 ?? ?? 85 ?? 0F 84 } - $block_35 = { 8A ?? 88 ?? ?? 0F B6 ?? 4? FE ?? ?? C6 ?? ?? ?? 8A ?? ?? ?? ?? ?? 88 ?? ?? 84 ?? 79 } - $block_36 = { 8B ?? ?? 8B ?? ?? 8B ?? 8D ?? ?? A5 A5 A5 A5 8B ?? ?? E8 ?? ?? ?? ?? 6A ?? 8B ?? 5? } - $block_37 = { 8B ?? ?? 8B ?? E8 ?? ?? ?? ?? 8D ?? ?? 6A ?? 5? E8 ?? ?? ?? ?? 5? 5? 5? 5? 5? C9 C3 } - $block_38 = { 33 ?? 5? 0F B6 ?? ?? 4? 8B ?? 8B ?? D3 ?? 8D ?? ?? D3 ?? 89 ?? ?? 4? 39 ?? ?? 76 } - $block_39 = { 0F B6 ?? 0F B6 ?? ?? 66 ?? ?? ?? 
66 ?? ?? 0F B7 ?? 5? E8 ?? ?? ?? ?? 5? 85 ?? 74 } - $block_40 = { 8D ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? 8D ?? ?? E8 ?? ?? ?? ?? 8B ?? 5? 5? 85 ?? 0F 85 } - $block_41 = { 0F B6 ?? 0F B6 ?? ?? C1 ?? ?? 0B ?? 83 ?? ?? 89 ?? ?? 03 ?? 89 ?? ?? 3B ?? 0F 85 } - $block_42 = { 8B ?? ?? FF 7? ?? 8D ?? ?? 5? 8D ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 5? 5? 85 ?? 0F 85 } - $block_43 = { 0F B6 ?? 89 ?? 8B ?? 03 ?? ?? 6A ?? 8D ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 75 } - $block_44 = { FF 7? ?? 8D ?? ?? FF 7? ?? 8D ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 5? 5? 85 ?? 0F 85 } - $block_45 = { 8B ?? 8D ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? ?? 8B ?? ?? ?? 89 ?? ?? ?? 3B ?? 0F 86 } - $block_46 = { 5? 8B ?? 83 ?? ?? 5? 8B ?? ?? 8B ?? ?? 8B ?? ?? ?? ?? ?? 83 ?? ?? ?? 5? 5? 0F 84 } - $block_47 = { 8B ?? ?? 89 ?? ?? 03 ?? 5? 8B ?? ?? 03 ?? 8D ?? ?? E8 ?? ?? ?? ?? 5? 85 ?? 0F 85 } - $block_48 = { 8D ?? ?? 5? 5? 89 ?? ?? 8D ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 3B ?? 0F 85 } - $block_49 = { 0F B6 ?? ?? ?? 0F B6 ?? ?? ?? C1 ?? ?? 0B ?? 83 ?? ?? 81 F? ?? ?? ?? ?? 0F 82 } - $block_50 = { 8B ?? ?? 8B ?? ?? C1 ?? ?? 5? 8D ?? ?? E8 ?? ?? ?? ?? 5? 89 ?? ?? 85 ?? 0F 85 } - $block_51 = { 8D ?? ?? 5? 8D ?? ?? 5? 8D ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 85 } - $block_52 = { 8B ?? 6B ?? ?? 8D ?? ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 5? 89 ?? ?? 85 ?? 0F 85 } - $block_53 = { 8D ?? ?? 5? 8D ?? ?? 5? 8D ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 3B ?? 0F 85 } - $block_54 = { FF 3? 8D ?? ?? ?? 5? 8D ?? ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 85 } - $block_55 = { 03 ?? 8D ?? ?? ?? ?? ?? 5? 8B ?? 8D ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 88 } - $block_56 = { 80 7? ?? ?? ?? 8A ?? 0F 95 ?? 0A ?? 33 ?? 3A ?? 0F 95 ?? 0F AF ?? 09 ?? 4? 75 } - $block_57 = { 8B ?? ?? 8B ?? ?? 8D ?? ?? 0F B7 ?? ?? 8B ?? ?? 8D ?? ?? 8B ?? ?? 03 ?? 89 } - $block_58 = { 8A ?? ?? 88 ?? ?? 8A ?? ?? 88 ?? ?? 8A ?? ?? 88 ?? ?? 8B ?? ?? 5? 5? C9 C3 } - $block_59 = { 0F B6 ?? 0F B6 ?? ?? 0F B6 ?? ?? C1 ?? ?? 0B ?? C1 ?? ?? 0B ?? 89 ?? ?? 
75 } - $block_60 = { 8D ?? ?? 5? FF 7? ?? 8D ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 85 } - $block_61 = { 8B ?? E8 ?? ?? ?? ?? 8D ?? ?? 6A ?? 5? E8 ?? ?? ?? ?? 5? 5? 5? 5? 5? C9 C3 } - $block_62 = { 8B ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 8B ?? 8D ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 } - $block_63 = { 5? 8B ?? 0F B6 ?? ?? 5? 0F B6 ?? C1 ?? ?? 0B ?? 8D ?? ?? 5? 3B ?? ?? 0F 85 } - $block_64 = { 8D ?? ?? 5? 8D ?? ?? 8D ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 5? 85 ?? 0F 85 } - $block_65 = { 8B ?? ?? 89 ?? ?? 8B ?? ?? 4? 5? 8B ?? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 88 } - $block_66 = { 89 ?? ?? 8B ?? 89 ?? ?? 8D ?? ?? ?? 8D ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 8F } - $block_67 = { 8B ?? ?? 83 ?? ?? 0F 94 ?? 89 ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? ?? 74 } - $block_68 = { 8D ?? ?? 5? 8D ?? ?? 5? 8D ?? ?? E8 ?? ?? ?? ?? 8B ?? 5? 5? 85 ?? 0F 85 } - $block_69 = { 8D ?? ?? ?? ?? ?? 5? 5? 5? 89 ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 } - $block_70 = { 6A ?? 8D ?? ?? 5? 8D ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 85 } - $block_71 = { 5? 8B ?? ?? 8B ?? ?? BF ?? ?? ?? ?? 03 ?? E8 ?? ?? ?? ?? 5? 85 ?? 0F 84 } - $block_72 = { 0F B6 ?? ?? 8B ?? ?? 8A ?? ?? 32 ?? 88 ?? 4? 4? 83 ?? ?? 83 ?? ?? ?? 75 } - $block_73 = { 5? 0F B6 ?? 0F B6 ?? ?? C1 ?? ?? 0B ?? 8D ?? ?? 89 ?? 3D ?? ?? ?? ?? 77 } - $block_74 = { 8D ?? ?? E8 ?? ?? ?? ?? 8B ?? 8D ?? ?? E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 85 } - $block_75 = { 8D ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 5? 5? 85 ?? 0F 85 } - $block_76 = { 83 ?? ?? 8D ?? ?? 5? 5? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 85 } - $block_77 = { 8D ?? ?? 5? 5? 8D ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 3B ?? 0F 85 } - $block_78 = { 8D ?? ?? 5? 8D ?? ?? 5? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 3B ?? 0F 85 } - $block_79 = { 83 ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 8D ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 } - $block_80 = { 8D ?? ?? ?? 8B ?? E8 ?? ?? ?? ?? 8B ?? ?? 8B ?? 8B ?? ?? 0F AF ?? 89 } - $block_81 = { 8B ?? ?? 8B ?? ?? 8D ?? ?? 8B ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 
0F 89 } - $block_82 = { 2B ?? 5? 8D ?? ?? ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 5? 85 ?? 0F 85 } - $block_83 = { 5? 8B ?? 5? 5? 8B ?? ?? ?? ?? ?? 5? 8B ?? 8B ?? ?? 5? 83 ?? ?? 0F 85 } - $block_84 = { 0F B6 ?? ?? 5? 0F B6 ?? 83 ?? ?? C1 ?? ?? 0B ?? 2B ?? 89 ?? 3B ?? 7D } - $block_85 = { 5? 8D ?? ?? 5? 8D ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 85 } - $block_86 = { 8D ?? ?? 5? 5? 8D ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 85 } - $block_87 = { 8B ?? ?? FF 7? ?? 83 ?? ?? 5? FF 7? ?? FF 5? ?? 83 ?? ?? 85 ?? 0F 85 } - $block_88 = { 8B ?? ?? 8D ?? ?? 0F B6 ?? ?? 0F B6 ?? ?? C1 ?? ?? 0B ?? 89 ?? ?? 76 } - $block_89 = { 8B ?? ?? 83 ?? ?? ?? 83 ?? ?? ?? 4? 8D ?? ?? A5 A5 A5 A5 89 ?? ?? 75 } - $block_90 = { D1 ?? 04 ?? 14 ?? 3A ?? ?? 1B ?? 1C ?? 0F 9C ?? 5? 18 ?? 22 ?? 4? CF } - $block_91 = { 33 ?? 39 ?? ?? 0F 94 ?? 21 ?? ?? 8B ?? ?? 69 ?? ?? ?? ?? ?? 23 ?? E9 } - - condition: - hash.sha256(0, filesize) == "d026f0ca46a82907f3cdd31cbe1b0d7c3ca2c7b90892a855549ab21d456df5b3" or - hash.sha256(0, filesize) == "8cbe98930191e4c2e8f9e1a67d4b4cf828e37314728456cf4c00e5435d4878f6" or - hash.sha256(0, filesize) == "973f5084662fd80d886d518c9295a1a24fcfcd8843a628f98f5223847d4b4cf1" or - hash.sha256(0, filesize) == "2291700fb2908bb55eb76b3c319908b09e885f1a4700f17ba3c8ada9193b7ae5" or - hash.sha256(0, filesize) == "c9272ed0e0266e5ecc5af0cd7760175789d41b5a7814d9e6e338b7d836f9796d" or - hash.sha256(0, filesize) == "f7f003b6f3b77e3cb21d27218634236cdc853c7b71f353c1ef6583992a42b8b5" or - hash.sha256(0, filesize) == "ca03a812cc11edf1efba5a14bc78494cf6c227e60df7a69b4606f2bbaaafaf7a" or - hash.sha256(0, filesize) == "c3b8f989d3ab2587fa2d15487cc0933113f5d1ba3f181f3d3a2eedfd830a9ad4" or - hash.sha256(0, filesize) == "c84c779ae60885dac387db3d747d30dd1a889506262b1a7b41be6690883db0e6" or - hash.sha256(0, filesize) == "544f05d18b4c3e5ed8defe313951d7afde9e3c46201ea34f4fe8b1888369b606" or - hash.sha256(0, filesize) == "4bd548fe07b19178281edb1ee81c9711525dab03dc0b6676963019c44cc75865" or - 12 
of them -} - -rule WildNeutronHacktool_MultiPurpose { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { 4C ?? ?? 49 ?? ?? ?? 49 ?? ?? ?? 4D ?? ?? ?? 4D ?? ?? ?? 5? 5? 5? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 49 ?? ?? ?? B8 ?? ?? ?? ?? 66 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 49 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 49 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 49 ?? ?? ?? ?? ?? ?? 0F B7 ?? ?? ?? ?? ?? 66 ?? ?? ?? ?? ?? ?? ?? 0F B6 ?? ?? ?? ?? ?? 88 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? 45 ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 } - $block_1 = { 48 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 0F B7 ?? ?? ?? 0F B7 ?? ?? ?? 0F B7 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 4C ?? ?? ?? ?? ?? ?? 49 ?? ?? ?? BA ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 4C ?? ?? 4C ?? ?? ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 75 } - $block_2 = { 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 0F B7 ?? ?? ?? ?? ?? 66 ?? ?? ?? ?? 0F B6 ?? ?? ?? ?? ?? 88 ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 } - $block_3 = { 33 ?? 48 ?? ?? ?? ?? 4C ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? ?? 0F 84 } - $block_4 = { 41 ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - - condition: - hash.sha256(0, filesize) == "1d3bdabb350ba5a821849893dabe5d6056bf7ba1ed6042d93174ceeaa5d6dad7" or - 5 of them -} - -rule WildNeutronPasswordDumper { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { 4C ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 66 ?? ?? ?? ?? ?? ?? ?? ?? 0F B6 ?? 
?? 44 ?? ?? ?? ?? B9 ?? ?? ?? ?? 8D ?? ?? 41 ?? ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? 83 ?? ?? 41 ?? ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? 0F 46 ?? 0F B6 ?? ?? BF ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 8D ?? ?? B9 ?? ?? ?? ?? 83 ?? ?? 0F 46 ?? 0F B6 ?? ?? 89 ?? ?? ?? ?? ?? ?? 8D ?? ?? B9 ?? ?? ?? ?? 83 ?? ?? 0F 46 ?? 0F B6 ?? ?? 89 ?? ?? ?? ?? ?? ?? 8D ?? ?? B9 ?? ?? ?? ?? 83 ?? ?? 0F 46 ?? 0F B6 ?? ?? 89 ?? ?? ?? ?? ?? ?? 8D ?? ?? B9 ?? ?? ?? ?? 83 ?? ?? 0F 46 ?? 0F B6 ?? ?? 89 ?? ?? ?? ?? ?? ?? 8D ?? ?? B9 ?? ?? ?? ?? 83 ?? ?? 0F 46 ?? 0F B6 ?? ?? 89 ?? ?? ?? ?? ?? ?? 8D ?? ?? B9 ?? ?? ?? ?? 83 ?? ?? 0F 46 ?? 0F B6 ?? ?? 89 ?? ?? ?? ?? ?? ?? 8D ?? ?? B9 ?? ?? ?? ?? 83 ?? ?? 0F 46 ?? 89 ?? ?? ?? ?? ?? ?? 0F B6 ?? ?? 8D ?? ?? 83 ?? ?? 44 ?? ?? ?? 0F B6 ?? ?? BE ?? ?? ?? ?? 8D ?? ?? 83 ?? ?? 41 ?? ?? ?? 44 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 83 ?? ?? 44 ?? ?? ?? ?? 0F B6 ?? ?? 0F B6 ?? ?? 44 ?? ?? ?? ?? 41 ?? ?? ?? 41 ?? ?? ?? 83 ?? ?? 8D ?? ?? 45 ?? ?? ?? 83 ?? ?? 8D ?? ?? 44 ?? ?? ?? 83 ?? ?? 41 ?? ?? ?? 0F 46 ?? 44 ?? ?? ?? 83 ?? ?? BA ?? ?? ?? ?? 41 ?? ?? ?? 41 ?? ?? ?? B9 ?? ?? ?? ?? 83 ?? ?? 8B ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? 41 ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 44 ?? ?? ?? ?? ?? ?? ?? 44 ?? ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 44 ?? ?? ?? ?? ?? ?? ?? 0F B6 ?? ?? 44 ?? ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 0F B6 ?? ?? 4C ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 0F B6 ?? ?? 89 ?? ?? ?? ?? ?? ?? 0F B6 ?? ?? 89 ?? ?? ?? 0F B6 ?? ?? 89 ?? ?? ?? 0F B6 ?? ?? 89 ?? ?? ?? 0F B6 ?? ?? 89 ?? ?? ?? 0F B6 ?? ?? 89 ?? ?? ?? 0F B6 ?? ?? 89 ?? ?? ?? 0F B6 ?? ?? 89 ?? ?? ?? 44 ?? ?? ?? ?? 44 ?? ?? ?? ?? 89 ?? ?? ?? 
41 ?? ?? ?? ?? ?? 89 ?? ?? ?? 41 ?? ?? 44 ?? ?? ?? ?? E8 ?? ?? ?? ?? 4C ?? ?? ?? ?? ?? ?? ?? 4D ?? ?? 74 } - $block_1 = { 0F B6 ?? ?? 44 ?? ?? ?? ?? B9 ?? ?? ?? ?? 8D ?? ?? 41 ?? ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? 83 ?? ?? 41 ?? ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? 0F 46 ?? 0F B6 ?? ?? BF ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 8D ?? ?? B9 ?? ?? ?? ?? 83 ?? ?? 0F 46 ?? 0F B6 ?? ?? 89 ?? ?? ?? ?? ?? ?? 8D ?? ?? B9 ?? ?? ?? ?? 83 ?? ?? 0F 46 ?? 0F B6 ?? ?? 89 ?? ?? ?? ?? ?? ?? 8D ?? ?? B9 ?? ?? ?? ?? 83 ?? ?? 0F 46 ?? 0F B6 ?? ?? 89 ?? ?? ?? ?? ?? ?? 8D ?? ?? B9 ?? ?? ?? ?? 83 ?? ?? 0F 46 ?? 0F B6 ?? ?? 89 ?? ?? ?? ?? ?? ?? 8D ?? ?? B9 ?? ?? ?? ?? 83 ?? ?? 0F 46 ?? 0F B6 ?? ?? 89 ?? ?? ?? ?? ?? ?? 8D ?? ?? B9 ?? ?? ?? ?? 83 ?? ?? 0F 46 ?? 0F B6 ?? ?? 89 ?? ?? ?? ?? ?? ?? 8D ?? ?? B9 ?? ?? ?? ?? 83 ?? ?? 0F 46 ?? 89 ?? ?? ?? ?? ?? ?? 0F B6 ?? ?? 8D ?? ?? 83 ?? ?? 44 ?? ?? ?? 0F B6 ?? ?? BE ?? ?? ?? ?? 8D ?? ?? 83 ?? ?? 41 ?? ?? ?? 44 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 83 ?? ?? 44 ?? ?? ?? ?? 0F B6 ?? ?? 0F B6 ?? ?? 44 ?? ?? ?? ?? 41 ?? ?? ?? 41 ?? ?? ?? 83 ?? ?? 8D ?? ?? 45 ?? ?? ?? 83 ?? ?? 8D ?? ?? 44 ?? ?? ?? 83 ?? ?? 41 ?? ?? ?? 0F 46 ?? 44 ?? ?? ?? 83 ?? ?? BA ?? ?? ?? ?? 41 ?? ?? ?? 41 ?? ?? ?? B9 ?? ?? ?? ?? 83 ?? ?? 8B ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? 41 ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 44 ?? ?? ?? ?? ?? ?? ?? 44 ?? ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 44 ?? ?? ?? ?? ?? ?? ?? 0F B6 ?? ?? 44 ?? ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 0F B6 ?? ?? 4C ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 0F B6 ?? ?? 89 ?? ?? ?? ?? ?? ?? 0F B6 ?? ?? 89 ?? ?? ?? 0F B6 ?? ?? 89 ?? ?? ?? 0F B6 ?? ?? 89 ?? ?? ?? 0F B6 ?? ?? 
89 ?? ?? ?? 0F B6 ?? ?? 89 ?? ?? ?? 0F B6 ?? ?? 89 ?? ?? ?? 0F B6 ?? ?? 89 ?? ?? ?? 44 ?? ?? ?? ?? 44 ?? ?? ?? ?? 89 ?? ?? ?? 41 ?? ?? ?? ?? ?? 89 ?? ?? ?? 41 ?? ?? 44 ?? ?? ?? ?? E8 ?? ?? ?? ?? 4C ?? ?? ?? ?? ?? ?? ?? 4D ?? ?? 74 } - $block_2 = { 48 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 0F B7 ?? ?? ?? 0F B7 ?? ?? ?? 0F B7 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 4C ?? ?? ?? ?? ?? ?? 49 ?? ?? ?? BA ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 4C ?? ?? 4C ?? ?? ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 ?? 48 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? F2 ?? 48 ?? ?? 48 ?? ?? ?? 4C ?? ?? ?? ?? 44 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 ?? 48 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? F2 ?? 48 ?? ?? 48 ?? ?? ?? 4C ?? ?? ?? ?? 44 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 ?? 48 ?? ?? ?? 48 ?? ?? ?? ?? F2 ?? 48 ?? ?? 48 ?? ?? ?? 4C ?? ?? ?? ?? 44 ?? ?? ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 9? } - $block_3 = { 4C ?? ?? 49 ?? ?? ?? 49 ?? ?? ?? 4D ?? ?? ?? 4D ?? ?? ?? 5? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 49 ?? ?? ?? B8 ?? ?? ?? ?? 66 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 0F B7 ?? ?? ?? ?? ?? 66 ?? ?? ?? ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? 49 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_4 = { 48 ?? ?? ?? ?? ?? ?? 4C ?? ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? 4C ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 49 ?? ?? 48 ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 49 ?? ?? 48 ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 49 ?? ?? 48 ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? 0F 84 } - $block_5 = { 48 ?? ?? ?? ?? 5? 48 ?? ?? ?? 33 ?? 48 ?? ?? ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 89 ?? ?? ?? 8D ?? ?? 44 ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? C7 ?? ?? 
?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? 0F 84 } - $block_6 = { 48 ?? ?? ?? ?? ?? ?? ?? 4C ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 33 ?? 41 ?? ?? ?? ?? ?? 4C ?? ?? ?? ?? ?? ?? ?? 4C ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 45 ?? ?? 33 ?? 4D ?? ?? 45 ?? ?? ?? 45 ?? ?? 0F 8E } - $block_7 = { 48 ?? ?? ?? ?? ?? ?? ?? ?? 4C ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? 0F 84 } - $block_8 = { 4C ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? 48 ?? ?? 49 ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_9 = { 4C ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? 48 ?? ?? 49 ?? ?? 48 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 } - - condition: - hash.sha256(0, filesize) == "6f00e11ea02918c6c8d5435326ccf9f12a4cae97d8fdcc7e4a5bf1fbfd97ca0a" or - hash.sha256(0, filesize) == "9e67848919e4adc9d74aee76858981465c60cc830638fe7cee97cecf4e9bebaf" or - 10 of them -} - -rule WildNeutronProxy { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { 0B ?? 23 ?? 23 ?? 8B ?? C1 ?? ?? 81 E? ?? ?? ?? ?? 8B ?? 81 E? ?? ?? ?? ?? 0B ?? C1 ?? ?? 8B ?? 81 E? ?? ?? ?? ?? 0B ?? C1 ?? ?? 8B ?? 81 E? ?? ?? ?? ?? 0B ?? D1 ?? BE ?? ?? ?? ?? 8B ?? 23 ?? 0B ?? C1 ?? ?? 8B ?? 81 E? ?? ?? ?? ?? 0B ?? 8B ?? 23 ?? 0B ?? C1 ?? ?? 8B ?? 81 E? ?? ?? ?? ?? 0B ?? D1 ?? 8B ?? 81 E? ?? ?? ?? ?? 0B ?? D1 ?? 8B ?? 83 ?? ?? 0B ?? C1 ?? ?? 8B ?? 81 E? ?? ?? ?? ?? 0B ?? 8B ?? 81 E? ?? ?? ?? ?? 0B ?? 8B ?? 83 ?? ?? C1 ?? ?? 8B ?? 81 E? ?? ?? ?? ?? 0B ?? C1 ?? ?? 8B ?? 81 E? ?? ?? ?? ?? 0B ?? C1 ?? ?? 8B ?? 81 E? ?? ?? ?? ?? 0B ?? 03 ?? 8B ?? 81 E? ?? ?? ?? ?? 0B ?? C1 ?? ?? 8B ?? 83 ?? ?? 0B ?? 8B ?? 81 E? ?? ?? ?? ?? 0B ?? C1 ?? ?? 8B ?? 81 E? ?? ?? ?? ?? 0B ?? 8B ?? D1 ?? C1 ?? ?? 23 ?? 0B ?? C1 ?? ?? 0B ?? 8B ?? 81 E? ?? ?? ?? ?? 0B ?? 8B ?? ?? 89 ?? 8B ?? 83 ?? ?? C1 ?? ?? 8B ?? 81 E? ?? ?? ?? ?? 0B ?? 03 ?? 8B ?? 83 ?? ?? 0B ?? 03 ?? 8B ?? 81 E? ?? ?? ?? ?? 0B ?? C1 ?? ?? 8B ?? 81 E? ?? ?? ?? ?? 0B ?? 03 ?? 8B ?? 81 E? ?? 
?? ?? ?? 0B ?? C1 ?? ?? 8B ?? 83 ?? ?? 0B ?? 03 ?? 8B ?? 83 ?? ?? 0B ?? C1 ?? ?? 8B ?? 81 E? ?? ?? ?? ?? 0B ?? 03 ?? 8B ?? 83 ?? ?? 0B ?? 03 ?? 8B ?? 81 E? ?? ?? ?? ?? 0B ?? 8B ?? C1 ?? ?? 23 ?? 83 ?? ?? ?? 8B ?? 81 E? ?? ?? ?? ?? 0B ?? C1 ?? ?? 8B ?? 81 E? ?? ?? ?? ?? 0B ?? C1 ?? ?? 8B ?? 81 E? ?? ?? ?? ?? 0B ?? D1 ?? 8B ?? 81 E? ?? ?? ?? ?? 0B ?? C1 ?? ?? 8B ?? 81 E? ?? ?? ?? ?? 0B ?? D1 ?? 8B ?? 81 E? ?? ?? ?? ?? 0B ?? 8B ?? 03 ?? D1 ?? 81 E? ?? ?? ?? ?? 0B ?? 8B ?? 23 ?? 0B ?? C1 ?? ?? 0B ?? 8B ?? 81 E? ?? ?? ?? ?? 0B ?? 8B ?? ?? 83 ?? ?? ?? FF 4? ?? 83 ?? ?? ?? 89 ?? 0F 8C } - $block_1 = { 5? 8B ?? 5? 0F B6 ?? 0F B6 ?? ?? C1 ?? ?? 0B ?? 0F B6 ?? ?? C1 ?? ?? 0B ?? 0F B6 ?? ?? 5? C1 ?? ?? 0B ?? 0F B6 ?? ?? 5? 0F B6 ?? ?? C1 ?? ?? 0B ?? 0F B6 ?? ?? 0F B6 ?? ?? C1 ?? ?? 0B ?? 5? C1 ?? ?? 0B ?? 8B ?? C1 ?? ?? 33 ?? 81 E? ?? ?? ?? ?? 33 ?? C1 ?? ?? 33 ?? 8B ?? 33 ?? 81 E? ?? ?? ?? ?? 33 ?? 33 ?? 8B ?? C1 ?? ?? 6A ?? 5? 23 ?? 8B ?? ?? ?? ?? ?? ?? 81 E? ?? ?? ?? ?? C1 ?? ?? 8B ?? C1 ?? ?? 8B ?? ?? ?? ?? ?? ?? 81 E? ?? ?? ?? ?? 0B ?? 8B ?? 23 ?? 8B ?? ?? ?? ?? ?? ?? 81 E? ?? ?? ?? ?? 03 ?? 0B ?? 8B ?? C1 ?? ?? 23 ?? 8B ?? ?? ?? ?? ?? ?? 81 E? ?? ?? ?? ?? 03 ?? 0B ?? 8B ?? C1 ?? ?? 23 ?? 8B ?? ?? ?? ?? ?? ?? 81 E? ?? ?? ?? ?? 03 ?? 0B ?? 8B ?? C1 ?? ?? 23 ?? 8B ?? ?? ?? ?? ?? ?? 8B ?? C1 ?? ?? 03 ?? 23 ?? 0B ?? ?? ?? ?? ?? ?? C1 ?? ?? 03 ?? C1 ?? ?? 23 ?? 0B ?? ?? ?? ?? ?? ?? 8B ?? 81 E? ?? ?? ?? ?? 0B ?? C1 ?? ?? 23 ?? 8B ?? ?? ?? ?? ?? ?? 25 ?? ?? ?? ?? 8B ?? C1 ?? ?? 23 ?? 8B ?? ?? ?? ?? ?? ?? 81 E? ?? ?? ?? ?? 03 ?? 0B ?? 8B ?? C1 ?? ?? 8B ?? ?? ?? ?? ?? ?? 81 E? ?? ?? ?? ?? C1 ?? ?? 0B ?? 8B ?? D1 ?? 23 ?? 8B ?? ?? ?? ?? ?? ?? 81 E? ?? ?? ?? ?? 03 ?? 0B ?? 8B ?? C1 ?? ?? 23 ?? 8B ?? ?? ?? ?? ?? ?? 81 E? ?? ?? ?? ?? 03 ?? 0B ?? 8B ?? C1 ?? ?? 23 ?? 8B ?? ?? ?? ?? ?? ?? 8B ?? C1 ?? ?? C1 ?? ?? 23 ?? 0B ?? ?? ?? ?? ?? ?? C1 ?? ?? 03 ?? 23 ?? 0B ?? ?? ?? ?? ?? ?? BF ?? ?? ?? ?? C1 ?? ?? 23 ?? 0B ?? 83 ?? ?? ?? BA ?? ?? ?? ?? EB } - $block_2 = { 8B ?? 33 ?? 8B ?? C1 ?? 
?? 83 ?? ?? 8B ?? ?? ?? ?? ?? ?? 8B ?? C1 ?? ?? 83 ?? ?? 33 ?? ?? ?? ?? ?? ?? 8B ?? C1 ?? ?? 83 ?? ?? 33 ?? ?? ?? ?? ?? ?? 83 ?? ?? 33 ?? ?? ?? ?? ?? ?? 8B ?? 31 ?? ?? C1 ?? ?? 33 ?? ?? 83 ?? ?? 8B ?? C1 ?? ?? 83 ?? ?? 8B ?? ?? ?? ?? ?? ?? 8B ?? C1 ?? ?? 83 ?? ?? 33 ?? ?? ?? ?? ?? ?? 8B ?? C1 ?? ?? 83 ?? ?? 33 ?? ?? ?? ?? ?? ?? 83 ?? ?? 33 ?? ?? ?? ?? ?? ?? 8B ?? ?? 31 ?? ?? 33 ?? ?? 8B ?? C1 ?? ?? 83 ?? ?? 8B ?? ?? ?? ?? ?? ?? 8B ?? C1 ?? ?? 83 ?? ?? 33 ?? ?? ?? ?? ?? ?? 8B ?? C1 ?? ?? 83 ?? ?? 33 ?? ?? ?? ?? ?? ?? 83 ?? ?? 33 ?? ?? ?? ?? ?? ?? 8B ?? ?? 33 ?? C1 ?? ?? 33 ?? ?? 8B ?? C1 ?? ?? 83 ?? ?? 8B ?? ?? ?? ?? ?? ?? 8B ?? C1 ?? ?? 83 ?? ?? 33 ?? ?? ?? ?? ?? ?? 8B ?? C1 ?? ?? 83 ?? ?? 33 ?? ?? ?? ?? ?? ?? 83 ?? ?? 33 ?? ?? ?? ?? ?? ?? 33 ?? FF 4? ?? 0F 85 } - $block_3 = { 8D ?? ?? ?? ?? ?? 8D ?? ?? A5 A5 8D ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? 8D ?? ?? E8 ?? ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? 8D ?? ?? 8D ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? 8D ?? ?? E8 ?? ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? 8D ?? ?? 8D ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? 8D ?? ?? E8 ?? ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? 8D ?? ?? 8D ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? BE ?? ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? 6A ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 6A ?? 5? 8D ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? 66 ?? ?? ?? ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? F3 ?? 8D } - $block_4 = { 5? 8B ?? 5? 5? 0F B6 ?? ?? 5? 0F B6 ?? ?? 5? 8D ?? ?? 0F B6 ?? C1 ?? ?? 0B ?? 0F B6 ?? ?? C1 ?? ?? 0B ?? 0F B6 ?? ?? C1 ?? ?? 0B ?? 0F B6 ?? ?? C1 ?? ?? 0B ?? 0F B6 ?? ?? 0F B6 ?? ?? C1 ?? ?? 0B ?? C1 ?? ?? 0B ?? 8B ?? C1 ?? ?? 33 ?? 25 ?? ?? ?? ?? 33 ?? C1 ?? ?? 33 ?? 8B ?? C1 ?? ?? 33 ?? 25 ?? ?? ?? ?? 33 ?? C1 ?? ?? 33 ?? 8B ?? C1 ?? ?? 33 ?? 25 ?? ?? ?? ?? 33 ?? C1 ?? ?? 33 ?? 8B ?? C1 ?? ?? 33 ?? 25 ?? ?? ?? ?? 33 ?? C1 ?? ?? 33 ?? 
D1 ?? 8B ?? 33 ?? 81 E? ?? ?? ?? ?? 33 ?? 33 ?? D1 ?? 89 ?? ?? C7 } - $block_5 = { D1 ?? 8B ?? 33 ?? ?? 5? 81 E? ?? ?? ?? ?? 33 ?? 33 ?? ?? 5? D1 ?? 8B ?? C1 ?? ?? 33 ?? 81 E? ?? ?? ?? ?? 33 ?? C1 ?? ?? 33 ?? 8B ?? C1 ?? ?? 33 ?? 81 E? ?? ?? ?? ?? 33 ?? C1 ?? ?? 33 ?? 8B ?? C1 ?? ?? 33 ?? 81 E? ?? ?? ?? ?? 33 ?? C1 ?? ?? 33 ?? 8B ?? C1 ?? ?? 33 ?? 81 E? ?? ?? ?? ?? 33 ?? C1 ?? ?? 33 ?? 8B ?? C1 ?? ?? 88 ?? 8B ?? C1 ?? ?? 88 ?? ?? 88 ?? ?? 8B ?? 8B ?? C1 ?? ?? 88 ?? ?? 8B ?? C1 ?? ?? 88 ?? ?? 8B ?? C1 ?? ?? C1 ?? ?? 88 ?? ?? 88 ?? ?? 88 ?? ?? 33 ?? C9 C3 } - $block_6 = { 8B ?? ?? 89 ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? 33 ?? 89 ?? ?? 8D ?? ?? ?? ?? ?? AB AB AB 6A ?? AB 5? 5? 8D ?? ?? ?? ?? ?? 5? 5? E8 ?? ?? ?? ?? 33 ?? 66 ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? 5? 5? 68 ?? ?? ?? ?? 6A ?? 5? 5? FF B? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 5? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 75 } - $block_7 = { FF B? ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? FF B? ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 6A ?? 6A ?? 6A ?? FF 1? ?? ?? ?? ?? 6A ?? 89 ?? ?? ?? ?? ?? 5? 66 ?? ?? ?? ?? ?? ?? 0F B7 ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? FF B? ?? ?? ?? ?? 66 ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 6A ?? 8D ?? ?? ?? ?? ?? 5? FF B? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 } - $block_8 = { 2B ?? 89 ?? ?? 88 ?? ?? ?? ?? ?? 88 ?? ?? ?? ?? ?? 0F B6 ?? 5? 8D ?? ?? ?? ?? ?? 5? 8B ?? 8D ?? ?? ?? ?? ?? ?? C1 ?? ?? 5? 88 ?? ?? ?? ?? ?? 88 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 03 ?? ?? 83 ?? ?? 8D ?? ?? ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? 8B ?? 88 ?? ?? ?? ?? ?? 88 ?? ?? ?? ?? ?? 88 ?? ?? ?? ?? ?? 66 ?? ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 5? 5? } - $block_9 = { FF B? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? FF B? ?? ?? ?? ?? 8D ?? ?? 5? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 8D ?? ?? ?? ?? ?? 5? 
6A ?? FF 1? ?? ?? ?? ?? 33 ?? 8D ?? ?? ?? ?? ?? AB AB AB AB 8D ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 5? 5? 89 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 5? 89 ?? ?? ?? ?? ?? 0F 84 } - - condition: - hash.sha256(0, filesize) == "1c81bc28ad91baed60ca5e7fee68fbcb976cf8a483112fa81aab71a18450a6b0" or - 10 of them -} - -rule GreyEnergyMini { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { E8 ?? ?? ?? ?? FF 4? ?? B7 ?? E0 ?? 8E ?? ?? ?? ?? ?? 88 ?? ?? ?? ?? ?? 89 ?? F7 ?? ?? 5? AB F3 } - $block_1 = { 5? 8B ?? 8B ?? ?? 8B ?? ?? 5? 8D ?? ?? 8B ?? ?? 0F BE ?? 5? 8B ?? 5? 2B ?? 5? 89 ?? ?? 5? EB } - $block_2 = { 0F B7 ?? ?? B9 ?? ?? ?? ?? B9 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8D ?? ?? ?? 89 ?? ?? ?? ?? ?? E9 } - $block_3 = { 4? E8 ?? ?? ?? ?? FF 6? ?? F4 EC C0 ?? ?? 89 ?? F7 ?? BE ?? ?? ?? ?? F7 ?? 8B ?? ?? 8B ?? E9 } - $block_4 = { A2 ?? ?? ?? ?? 6D A6 9C 85 ?? ?? ?? ?? ?? B6 ?? 35 ?? ?? ?? ?? 88 ?? F7 ?? DB ?? 12 ?? ?? F9 } - $block_5 = { 8D ?? ?? 5? 6A ?? FF 7? ?? 5? FF 5? ?? 0F B7 ?? ?? 8D ?? ?? ?? 33 ?? 33 ?? 66 ?? ?? ?? 73 } - $block_6 = { 29 ?? ?? ?? ?? ?? 4? 66 ?? ?? ?? ?? ?? 9D 09 ?? ?? ?? ?? ?? 87 ?? ?? ?? ?? ?? 1F 5? FC EB } - $block_7 = { 5? AF 3D ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BB ?? ?? ?? ?? A0 ?? ?? ?? ?? D7 7F } - $block_8 = { 03 ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 83 ?? ?? FF 4? ?? 66 ?? ?? ?? 66 ?? ?? ?? 0F 83 } - $block_9 = { AD 87 ?? ?? 24 ?? E0 ?? B4 ?? 4? FE ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 5? 2E ?? ?? 2D } - $block_10 = { F5 20 ?? 00 ?? ?? ?? ?? ?? 28 ?? 67 ?? ?? 00 ?? ?? ?? ?? ?? 13 ?? 6C 60 77 } - $block_11 = { FB 4? B0 ?? 89 ?? F7 ?? BF ?? ?? ?? ?? 8B ?? ?? 83 ?? ?? 83 ?? ?? 0F 84 } - $block_12 = { 9A ?? ?? ?? ?? ?? ?? 85 ?? CE A2 ?? ?? ?? ?? 62 ?? ?? ?? ?? ?? ?? 4? 7A } - $block_13 = { AB BD ?? ?? ?? ?? 00 ?? ?? E8 ?? ?? ?? ?? 4? 08 ?? ?? ?? ?? ?? 0F 85 } - $block_14 = { 6A ?? 8D ?? ?? 5? 5? E8 ?? ?? ?? ?? 8B ?? ?? 83 ?? ?? 39 ?? 0F 84 } - $block_15 = { 8A ?? ?? 88 ?? ?? ?? ?? ?? 8A ?? 
?? 88 ?? ?? ?? ?? ?? 5? C9 C2 } - $block_16 = { 8B ?? ?? 8B ?? ?? 03 ?? 8B ?? ?? ?? ?? ?? 33 ?? 3B ?? 0F 84 } - $block_17 = { 4? 87 ?? ?? ?? ?? ?? B5 ?? 4? F9 E5 ?? 1A ?? ?? E6 ?? 9E E3 } - $block_18 = { 8B ?? ?? 0F B7 ?? ?? ?? 81 E? ?? ?? ?? ?? 03 ?? 01 ?? ?? 8B } - $block_19 = { 11 ?? ?? ?? ?? ?? 00 ?? ?? ?? B3 ?? ED A2 ?? ?? ?? ?? AF 4? } - $block_20 = { 6A ?? 8D ?? ?? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 39 ?? 0F 84 } - $block_21 = { 0F B7 ?? 89 ?? ?? FF 7? ?? FF 7? ?? FF 5? ?? 89 ?? ?? EB } - $block_22 = { C7 ?? ?? ?? ?? ?? ?? 88 ?? ?? E8 ?? ?? ?? ?? 84 ?? 0F 84 } - $block_23 = { 8B ?? ?? 8B ?? ?? 03 ?? 8B ?? ?? ?? ?? ?? 3B ?? 0F 84 } - $block_24 = { 9D 9? 4? 37 9B 0A ?? ?? DD ?? ?? 4? 32 ?? ?? 31 ?? 3E } - $block_25 = { 0F B7 ?? ?? ?? 81 E? ?? ?? ?? ?? 03 ?? 01 ?? ?? 8B } - $block_26 = { 27 E7 ?? D0 ?? ?? ?? ?? ?? 86 ?? ?? ?? ?? ?? ?? B0 } - $block_27 = { C0 ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? 5? 4? A7 7E } - $block_28 = { 8D ?? ?? 5? E8 ?? ?? ?? ?? 89 ?? ?? 3B ?? 0F 85 } - $block_29 = { C7 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 84 ?? 0F 85 } - $block_30 = { 8A ?? ?? ?? ?? ?? 2B ?? 88 ?? ?? 39 ?? ?? 0F 86 } - $block_31 = { C1 ?? ?? F8 A7 A2 ?? ?? ?? ?? B9 ?? ?? ?? ?? E3 } - $block_32 = { F1 6D 2F 4? D2 ?? ?? ?? ?? ?? 24 ?? AE 10 ?? 71 } - $block_33 = { 14 ?? 4? 9B C5 ?? ?? 0C ?? 9? E8 ?? ?? ?? ?? 76 } - - condition: - hash.sha256(0, filesize) == "b60c0c04badc8c5defab653c581d57505b3455817b57ee70af74311fa0b65e22" or - hash.sha256(0, filesize) == "d4e97a18be820a1a3af639c9bca21c5f85a3f49a37275b37fd012faeffcb7c4a" or - hash.sha256(0, filesize) == "7e154d5be14560b8b2c16969effdb8417559758711b05615513d1c84e56be076" or - hash.sha256(0, filesize) == "dcade5e14c26c19e935b13d5170d74f99e75d3e4dba443db1dab8bea78745584" or - hash.sha256(0, filesize) == "c2d06ad0211c24f36978fe34d25b0018ffc0f22b0c74fd1f915c608bf2cfad15" or - 12 of them -} - -rule GreyEnergyDropperUnpacked { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { 5? 8B ?? 
83 ?? ?? C7 ?? ?? ?? ?? ?? ?? 6A ?? 6A ?? FF 1? ?? ?? ?? ?? 89 ?? ?? 83 ?? ?? ?? 0F 8C } - $block_1 = { 8B ?? ?? 8B ?? ?? 0F B7 ?? ?? 99 B9 ?? ?? ?? ?? F7 ?? 83 ?? ?? 8B ?? ?? 8B ?? ?? 66 ?? ?? ?? EB } - $block_2 = { C7 ?? ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? FF 1? ?? ?? ?? ?? 89 ?? ?? 83 ?? ?? ?? 0F 84 } - $block_3 = { 8B ?? ?? 8B ?? ?? 0F B7 ?? ?? 8B ?? ?? 33 ?? BE ?? ?? ?? ?? F7 ?? 0F BE ?? ?? ?? 3B ?? 74 } - $block_4 = { 8B ?? ?? 5? 8B ?? ?? 5? 8B ?? ?? 5? 8B ?? ?? 5? E8 ?? ?? ?? ?? 89 ?? ?? 83 ?? ?? ?? 0F 85 } - $block_5 = { 8B ?? ?? 03 ?? ?? 0F BE ?? 8B ?? ?? 33 ?? BE ?? ?? ?? ?? F7 ?? 0F BE ?? ?? ?? 3B ?? 74 } - $block_6 = { 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? 8B ?? ?? 5? FF 1? ?? ?? ?? ?? 89 ?? ?? 83 ?? ?? ?? 0F 84 } - $block_7 = { 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_8 = { 5? 8B ?? 83 ?? ?? 5? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? 83 ?? ?? ?? 0F 84 } - $block_9 = { 8B ?? ?? 8B ?? ?? ?? ?? ?? 5? 8B ?? ?? 5? 8B ?? ?? 5? E8 ?? ?? ?? ?? 85 ?? 0F 84 } - $block_10 = { 33 ?? 83 ?? ?? ?? 0F 9D ?? 8B ?? ?? 33 ?? E8 ?? ?? ?? ?? 8B ?? 5? C3 } - $block_11 = { 8B ?? ?? 5? 8B ?? ?? 5? FF 1? ?? ?? ?? ?? 89 ?? ?? 83 ?? ?? ?? 0F 84 } - $block_12 = { 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_13 = { 6A ?? 8B ?? ?? 5? FF 1? ?? ?? ?? ?? 89 ?? ?? 83 ?? ?? ?? 0F 84 } - $block_14 = { 8B ?? ?? 89 ?? ?? 8B ?? ?? 0F B7 ?? 81 F? ?? ?? ?? ?? 75 } - $block_15 = { 6A ?? 8D ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 85 ?? 0F 84 } - - condition: - hash.sha256(0, filesize) == "d13191de5cca61574e041d4ef2ee83ba618e4bc324fc93ff850c6922370fa651" or - hash.sha256(0, filesize) == "9e64b19434beee9fad059926a968e64bf31417914f638cd220894a3b6a4780f7" or - 12 of them -} - -rule GreyEnergyMiniUnpacked { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { 5? 5? 8D ?? ?? 5? 5? 5? 5? 5? 5? 5? 5? 5? FF 7? ?? 89 ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 
0F 85 } - $block_1 = { 8D ?? ?? 5? 68 ?? ?? ?? ?? FF 3? 89 ?? ?? 89 ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 } - $block_2 = { 8B ?? ?? FF 7? ?? FF 1? ?? ?? ?? ?? 33 ?? 5? 5? 5? FF 7? ?? E8 ?? ?? ?? ?? 85 ?? 0F 88 } - $block_3 = { FF 7? ?? FF D? 8B ?? ?? 03 ?? 5? FF 7? ?? 5? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 } - $block_4 = { 8B ?? ?? ?? ?? ?? 8D ?? ?? 5? 8D ?? ?? 5? 5? 5? FF 7? ?? FF 7? ?? FF D? 85 ?? 0F 84 } - $block_5 = { 8D ?? ?? 5? 8D ?? ?? 5? 5? 5? FF 7? ?? FF 7? ?? FF D? 8B ?? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_6 = { 8B ?? ?? FF 7? ?? FF 1? ?? ?? ?? ?? 5? 5? 5? FF 7? ?? E8 ?? ?? ?? ?? 85 ?? 0F 88 } - $block_7 = { FF 7? ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? 3B ?? 0F 84 } - $block_8 = { FF 3? FF 1? ?? ?? ?? ?? 6A ?? FF 3? FF 1? ?? ?? ?? ?? 5? 5? 8B ?? 5? C9 C2 } - $block_9 = { 83 ?? ?? ?? 83 ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? 85 ?? 0F 84 } - $block_10 = { 2B ?? D1 ?? 8D ?? ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 89 ?? ?? 3B ?? 0F 84 } - $block_11 = { 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_12 = { 5? 8D ?? ?? 5? 8D ?? ?? 5? 8D ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_13 = { 8D ?? ?? 5? 68 ?? ?? ?? ?? FF 3? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 } - $block_14 = { FF 7? ?? 8D ?? ?? ?? ?? ?? FF 7? ?? 5? E8 ?? ?? ?? ?? 85 ?? 0F 84 } - $block_15 = { 8D ?? ?? 5? 8D ?? ?? 5? 5? 5? FF 7? ?? FF 7? ?? FF D? 85 ?? 0F 84 } - $block_16 = { 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 89 ?? ?? 85 ?? 0F 84 } - $block_17 = { 8B ?? ?? 03 ?? 5? E8 ?? ?? ?? ?? 89 ?? ?? 3B ?? 0F 84 } - $block_18 = { 0F B7 ?? 8B ?? 83 ?? ?? 8A ?? ?? ?? 0F BE ?? 3B ?? 74 } - $block_19 = { 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? 3B ?? 0F 84 } - $block_20 = { 5? 8B ?? 83 ?? ?? 5? 33 ?? 89 ?? ?? 39 ?? ?? 0F 86 } - $block_21 = { 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? 85 ?? 0F 84 } - $block_22 = { 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 3B ?? 0F 84 } - $block_23 = { 8D ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? ?? 85 ?? 
0F 84 } - - condition: - hash.sha256(0, filesize) == "6fe6aa31c6010febead115f96afd8fae7e086e2cd11032d424388bbaf3ab40fd" or - hash.sha256(0, filesize) == "b0959c8df85147fd7dc13c83082d2a9d8e464c7e846083d4a9850fa254482106" or - 12 of them -} - -rule GeminiDuke { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { 5? 8B ?? 83 ?? ?? 8A ?? ?? ?? ?? ?? 8A ?? ?? ?? ?? ?? 83 ?? ?? ?? 5? 5? 5? 0F B6 ?? 0F B6 ?? EB } - $block_1 = { 8B ?? ?? 8B ?? ?? 89 ?? ?? 8B ?? ?? 03 ?? ?? 89 ?? ?? 8B ?? ?? 0F B7 ?? ?? 81 F? ?? ?? ?? ?? 74 } - $block_2 = { 8B ?? ?? 03 ?? ?? 8B ?? ?? 0F B6 ?? ?? 0F B6 ?? ?? 03 ?? 8B ?? ?? 03 ?? ?? 8B ?? ?? 88 ?? ?? E9 } - $block_3 = { 8B ?? ?? 8B ?? ?? 8D ?? ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? ?? 8B ?? 8B ?? ?? 8B ?? FF D? 84 ?? 0F 85 } - $block_4 = { 8A ?? ?? ?? ?? ?? 8A ?? ?? ?? ?? ?? 83 ?? ?? 5? 5? 8B ?? ?? ?? 5? 5? 33 ?? 0F B6 ?? 0F B6 ?? EB } - $block_5 = { 5? 8B ?? ?? ?? ?? ?? 5? 5? 68 ?? ?? ?? ?? 8B ?? FF D? 85 ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? 0F 84 } - $block_6 = { 8B ?? ?? ?? ?? ?? 8B ?? ?? FF 7? ?? 8D ?? ?? ?? ?? ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 84 ?? 0F 84 } - $block_7 = { 8B ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 03 ?? ?? 8B ?? E8 ?? ?? ?? ?? 0F B6 ?? 85 ?? 0F 84 } - $block_8 = { C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 0F 84 } - $block_9 = { 8B ?? ?? 2B ?? ?? 8B ?? ?? 0F B6 ?? ?? ?? 8B ?? ?? 2B ?? ?? 8B ?? ?? 0F B6 ?? ?? ?? 3B ?? 7E } - $block_10 = { 8B ?? ?? 2B ?? ?? 8B ?? ?? 0F B6 ?? ?? ?? 8B ?? ?? 2B ?? ?? 8B ?? ?? 0F B6 ?? ?? ?? 3B ?? 7D } - $block_11 = { 0F BE ?? ?? 8B ?? ?? 8A ?? ?? ?? 88 ?? 8A ?? ?? 2C ?? 88 ?? ?? 8B ?? ?? 83 ?? ?? 89 ?? ?? EB } - $block_12 = { 5? 8B ?? 81 E? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 83 ?? ?? ?? 0F 84 } - $block_13 = { 8B ?? ?? 03 ?? ?? 0F B6 ?? 5? 8B ?? ?? 81 C? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 03 ?? ?? 88 } - $block_14 = { 8D ?? ?? ?? 6A ?? 5? 8B ?? 5? E8 ?? ?? ?? ?? 0F BE ?? 0C ?? 83 ?? ?? 
88 ?? ?? ?? 80 C? ?? EB } - $block_15 = { 8B ?? 8B ?? ?? 8B ?? ?? 8B ?? ?? 8D ?? ?? 0F B6 ?? ?? 5? FF D? 88 ?? ?? 83 ?? ?? 83 ?? ?? 72 } - $block_16 = { 8B ?? ?? 03 ?? ?? 0F B6 ?? 0F B6 ?? ?? 03 ?? ?? 0F B6 ?? 33 ?? 8B ?? ?? 03 ?? ?? 88 ?? EB } - $block_17 = { 8B ?? ?? 03 ?? ?? 0F B6 ?? 0F B6 ?? ?? 2B ?? 0F B6 ?? ?? 2B ?? 8B ?? ?? 03 ?? ?? 88 ?? C6 } - $block_18 = { 5? 5? 6A ?? 5? 6A ?? 68 ?? ?? ?? ?? 8D ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 8B ?? 83 ?? ?? 0F 84 } - $block_19 = { 8B ?? 8B ?? ?? 8B ?? ?? 8B ?? ?? 8D ?? ?? 0F B6 ?? ?? 5? FF D? 88 ?? ?? 83 ?? ?? 3B ?? 7C } - $block_20 = { 88 ?? ?? ?? ?? ?? 0F B6 ?? 8A ?? ?? ?? ?? ?? ?? 32 ?? ?? ?? 5? 88 ?? ?? ?? ?? ?? 5? C2 } - $block_21 = { 5? 8B ?? 83 ?? ?? 89 ?? ?? 9? 8B ?? ?? 89 ?? ?? 8B ?? ?? 0F B7 ?? 81 F? ?? ?? ?? ?? 74 } - $block_22 = { 8B ?? ?? 2B ?? ?? 8B ?? ?? 0F B6 ?? ?? ?? 83 ?? ?? 66 ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? EB } - $block_23 = { 8D ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? 5? 5? FF D? 85 ?? 0F 85 } - $block_24 = { 5? 8B ?? 81 E? ?? ?? ?? ?? 8B ?? ?? 89 ?? ?? 8B ?? ?? 0F B6 ?? 81 F? ?? ?? ?? ?? 75 } - $block_25 = { 8B ?? 8B ?? ?? 0F B6 ?? ?? ?? 8D ?? ?? 8B ?? 5? FF 5? ?? 88 ?? ?? ?? 4? 83 ?? ?? 72 } - $block_26 = { 5? 6A ?? 6A ?? 6A ?? 6A ?? 8B ?? E8 ?? ?? ?? ?? 5? 8B ?? E8 ?? ?? ?? ?? 84 ?? 0F 84 } - $block_27 = { 6A ?? 6A ?? 8D ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? ?? 5? 6A ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 } - $block_28 = { 8B ?? ?? 2B ?? 66 ?? ?? ?? ?? ?? 66 ?? 0F B7 ?? 89 ?? ?? 8D ?? ?? 83 ?? ?? 0F 8C } - $block_29 = { 8B ?? 8B ?? ?? 0F B6 ?? ?? 8D ?? ?? 8B ?? 5? FF 5? ?? 88 ?? ?? 4? 3B ?? ?? ?? 7C } - $block_30 = { 8D ?? ?? 6A ?? 5? 5? E8 ?? ?? ?? ?? 0F BE ?? 0C ?? 83 ?? ?? 88 ?? ?? ?? FE ?? EB } - $block_31 = { 8B ?? ?? 03 ?? ?? 0F B6 ?? 0F B6 ?? ?? 2B ?? 8B ?? ?? 03 ?? ?? 0F B6 ?? 3B ?? 7C } - $block_32 = { 8B ?? ?? ?? ?? ?? ?? 5? 6A ?? 68 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 8B ?? 85 ?? 0F 84 } - $block_33 = { 88 ?? ?? 0F B6 ?? ?? 8B ?? ?? 0F B6 ?? ?? 0F B6 ?? ?? 03 ?? 25 ?? ?? ?? ?? 
79 } - $block_34 = { 8A ?? 0F B6 ?? 8B ?? ?? 0F B6 ?? ?? 0F B6 ?? 03 ?? 03 ?? 81 E? ?? ?? ?? ?? 79 } - $block_35 = { 8B ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? 83 ?? ?? 0F 84 } - $block_36 = { 8B ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? 83 ?? ?? 0F 85 } - $block_37 = { 8B ?? ?? ?? 8A ?? 0F B6 ?? 0F B6 ?? ?? 0F B6 ?? 03 ?? 03 ?? 25 ?? ?? ?? ?? 79 } - $block_38 = { 5? 8B ?? 5? 5? 8B ?? ?? 5? 32 ?? 38 ?? 5? C6 ?? ?? ?? 8B ?? 88 ?? ?? 0F 84 } - $block_39 = { 5? 5? 5? E8 ?? ?? ?? ?? 8B ?? ?? 83 ?? ?? 01 ?? ?? ?? ?? ?? 5? 5? 5? C9 C2 } - $block_40 = { 88 ?? ?? 0F B6 ?? 8A ?? ?? ?? ?? ?? ?? 32 ?? ?? ?? 88 ?? ?? ?? ?? ?? 5? C2 } - $block_41 = { 0F B6 ?? 0F B6 ?? 8B ?? ?? 0F B6 ?? ?? 03 ?? 03 ?? 81 E? ?? ?? ?? ?? 79 } - $block_42 = { 5? 8B ?? 5? 89 ?? ?? 8B ?? ?? 0F B6 ?? ?? 83 ?? ?? 81 E? ?? ?? ?? ?? 79 } - $block_43 = { 8B ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 83 ?? ?? ?? ?? 5? 0F 95 ?? 83 ?? ?? C3 } - $block_44 = { 8B ?? ?? 8B ?? ?? ?? 8B ?? ?? 5? 8D ?? ?? ?? E8 ?? ?? ?? ?? 84 ?? 0F 84 } - $block_45 = { 0F B7 ?? ?? 6A ?? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 80 7? ?? ?? ?? 8B ?? 74 } - $block_46 = { 8B ?? ?? ?? 0F B6 ?? 0F B6 ?? ?? 0F B6 ?? 03 ?? 03 ?? 25 ?? ?? ?? ?? 79 } - $block_47 = { 8B ?? ?? 0F B7 ?? ?? 6A ?? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 38 ?? ?? 74 } - $block_48 = { 8D ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 39 ?? ?? ?? ?? ?? 0F 83 } - $block_49 = { 8B ?? ?? 03 ?? ?? 2B ?? ?? 66 ?? ?? 66 ?? ?? ?? 0F B7 ?? ?? 85 ?? 75 } - $block_50 = { 8B ?? ?? 8B ?? ?? 0F AF ?? 8B ?? ?? 5? 8D ?? ?? ?? E8 ?? ?? ?? ?? 85 } - $block_51 = { 5? 8B ?? ?? ?? 32 ?? 38 ?? 5? C6 ?? ?? ?? ?? 8B ?? 88 ?? ?? ?? 0F 84 } - $block_52 = { 33 ?? 6A ?? 5? F7 ?? 0F BE ?? 80 C? ?? FE ?? 85 ?? 88 ?? ?? ?? 75 } - $block_53 = { 8B ?? ?? 03 ?? ?? 0F B6 ?? 0F B6 ?? ?? 2B ?? 0F B6 ?? ?? 3B ?? 7C } - $block_54 = { 8D ?? ?? ?? ?? ?? 5? 8B ?? ?? ?? ?? ?? 8B ?? ?? FF D? 85 ?? 0F 84 } - $block_55 = { 68 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 
0F 85 } - $block_56 = { 0F B6 ?? 8A ?? ?? 88 ?? ?? ?? 0F B6 ?? 03 ?? 81 E? ?? ?? ?? ?? 79 } - $block_57 = { 5? 8B ?? 5? 5? 33 ?? 33 ?? 39 ?? ?? 5? 8B ?? ?? 89 ?? ?? 0F 8E } - $block_58 = { 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 0F 84 } - $block_59 = { 5? 8B ?? 5? 89 ?? ?? 8B ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? 85 ?? 75 } - $block_60 = { 0F B7 ?? ?? 0F B7 ?? ?? 99 F7 ?? 88 ?? ?? 0F B6 ?? ?? 85 ?? 74 } - $block_61 = { 8B ?? ?? ?? 68 ?? ?? ?? ?? 5? FF D? 85 ?? 0F 94 ?? 84 ?? 0F 85 } - $block_62 = { 5? 68 ?? ?? ?? ?? 8B ?? FF 1? ?? ?? ?? ?? 85 ?? 89 ?? ?? 0F 84 } - $block_63 = { 8A ?? ?? 5? 5? 88 ?? ?? ?? ?? ?? 88 ?? ?? ?? ?? ?? 5? C9 C2 } - $block_64 = { 8B ?? ?? 03 ?? ?? 0F B6 ?? 8B ?? ?? 8A ?? ?? ?? ?? ?? ?? 88 } - $block_65 = { 0F BE ?? ?? 5? 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 75 } - $block_66 = { 5? 8B ?? 5? 5? 33 ?? 39 ?? ?? 5? 5? 8B ?? 89 ?? ?? 0F 84 } - $block_67 = { 8A ?? ?? 84 ?? 8B ?? ?? 0F BE ?? 8D ?? ?? ?? C6 ?? ?? 75 } - $block_68 = { 6A ?? 8B ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_69 = { 5? 8B ?? 0F B6 ?? ?? ?? ?? ?? 83 ?? ?? 25 ?? ?? ?? ?? 79 } - $block_70 = { 0F B6 ?? 8A ?? ?? 0F B6 ?? 03 ?? 81 E? ?? ?? ?? ?? 79 } - $block_71 = { 0F B6 ?? ?? 0F B6 ?? ?? 33 ?? 3B ?? 0F 9F ?? 8A ?? E9 } - $block_72 = { 8B ?? ?? 83 ?? ?? 89 ?? ?? 8B ?? ?? 0F BE ?? 85 ?? 75 } - $block_73 = { 8B ?? ?? 8B ?? ?? 0F AF ?? 8B ?? ?? 5? 8D ?? ?? ?? E8 } - $block_74 = { 8B ?? ?? ?? ?? ?? 0F B7 ?? 81 F? ?? ?? ?? ?? 0F 85 } - $block_75 = { 8B ?? ?? 2B ?? ?? 8B ?? ?? 0F B6 ?? ?? ?? 85 ?? 75 } - $block_76 = { 8A ?? ?? ?? 84 ?? 0F BE ?? 8D ?? ?? ?? C6 ?? ?? 75 } - $block_77 = { 0F B6 ?? ?? ?? ?? ?? 4? 25 ?? ?? ?? ?? 5? 5? 79 } - $block_78 = { 0F B6 ?? ?? 0F B6 ?? ?? 33 ?? 3B ?? 0F 9F ?? E9 } - $block_79 = { 0F B6 ?? ?? 0F B6 ?? 2B ?? 0F B6 ?? ?? 3B ?? 7C } - $block_80 = { 0F B7 ?? ?? 0F B7 ?? 99 F7 ?? 84 ?? 88 ?? ?? 74 } - $block_81 = { 8B ?? ?? C1 ?? ?? 83 ?? ?? ?? ?? ?? ?? ?? 0F 84 } - $block_82 = { 8B ?? ?? 03 ?? ?? 0F B6 ?? 0F B6 ?? ?? 3B ?? 
7C } - $block_83 = { 0F BE ?? ?? C6 ?? ?? ?? ?? 0F BE ?? ?? 85 ?? 75 } - $block_84 = { 5? 5? 33 ?? 33 ?? 39 ?? ?? ?? 89 ?? ?? ?? 0F 8E } - $block_85 = { 8B ?? ?? ?? 83 ?? ?? 83 ?? ?? 89 ?? ?? ?? 0F 8C } - - condition: - hash.sha256(0, filesize) == "bc54acf4e60688ea668ef40ef965f2bad41dcf260ddae26d28b5551461c4b402" or - hash.sha256(0, filesize) == "1323e3d7656a427733663f03b3037326ffa9c57c68fa8e014a5bf7cb1455359a" or - hash.sha256(0, filesize) == "a8b01a219a9fe565aadf82bc28b60048c60b640e780386c7a84a425049df5af9" or - hash.sha256(0, filesize) == "ce2c4dd21b99407bfa7066a6a57d180c00527e7db8ee52558c597550ac8b5d7c" or - hash.sha256(0, filesize) == "7b9e542426408aa384d0394820f82f330e615a1ad17a777d04720458b33b08a3" or - 12 of them -} - -rule OnionDuke { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { 8B ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? 5? 8B ?? FF D? 8B ?? 89 ?? ?? ?? ?? ?? C6 ?? ?? ?? 85 ?? 0F 84 } - $block_1 = { A1 ?? ?? ?? ?? 0F B7 ?? ?? 8A ?? 8D ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 33 ?? C6 ?? ?? ?? 85 ?? 74 } - $block_2 = { 89 ?? ?? 89 ?? 8B ?? ?? 89 ?? ?? C6 ?? ?? ?? 6A ?? 89 ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 3B ?? 0F 84 } - $block_3 = { 8B ?? ?? 8B ?? ?? 8B ?? 8B ?? ?? FF D? 33 ?? B9 ?? ?? ?? ?? F7 ?? 8B ?? ?? 8B ?? 83 ?? ?? 0F 8D } - $block_4 = { 8B ?? ?? 8B ?? ?? 8B ?? ?? 5? 5? 5? 8B ?? ?? 5? 8B ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? 85 ?? 0F 84 } - $block_5 = { 8D ?? ?? 89 ?? ?? 8B ?? 5? 5? 8B ?? ?? FF D? 8B ?? ?? 8B ?? 89 ?? ?? C6 ?? ?? ?? 3B ?? 0F 8C } - $block_6 = { 0F B7 ?? ?? ?? 8D ?? ?? ?? 5? 8B ?? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 8B ?? 6A ?? 8B ?? 75 } - $block_7 = { 8B ?? ?? 8B ?? 8B ?? ?? 8B ?? FF D? 8B ?? 8B ?? ?? 8B ?? 89 ?? ?? ?? FF D? 3B ?? ?? ?? 0F 83 } - $block_8 = { 5? FF 1? ?? ?? ?? ?? 8B ?? ?? 33 ?? 83 ?? ?? 0F 94 ?? 5? 33 ?? 5? E8 ?? ?? ?? ?? 8B ?? 5? C3 } - $block_9 = { FF D? 8B ?? 8B ?? 6A ?? 8B ?? FF D? 33 ?? 6A ?? 89 ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 3B ?? 0F 84 } - $block_10 = { 8B ?? ?? 83 ?? ?? ?? 
8B ?? ?? 4? 8D ?? ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 83 ?? ?? ?? 0F 85 } - $block_11 = { 8B ?? ?? 8B ?? ?? 8B ?? ?? 8B ?? 8B ?? ?? 8B ?? FF D? 8B ?? ?? 5? 8B ?? FF D? 85 ?? 0F 84 } - $block_12 = { B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 5? 5? 89 ?? ?? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 84 } - $block_13 = { 8B ?? 8B ?? ?? 8B ?? ?? ?? ?? ?? ?? 8B ?? FF D? 0F B7 ?? ?? ?? 8D ?? ?? ?? 3B ?? 0F 85 } - $block_14 = { 5? 8B ?? 5? 5? 0F B6 ?? ?? C1 ?? ?? 8B ?? 8B ?? ?? 83 ?? ?? 5? BF ?? ?? ?? ?? 3B ?? 73 } - $block_15 = { 8B ?? ?? ?? 8B ?? ?? ?? 5? 89 ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? ?? 3B ?? 0F 84 } - $block_16 = { 8B ?? ?? C7 ?? ?? ?? ?? ?? ?? 8B ?? ?? 89 ?? ?? 8B ?? 8B ?? ?? FF D? 8B ?? 85 ?? 0F 84 } - $block_17 = { 8B ?? E8 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 85 ?? 0F 85 } - $block_18 = { 8B ?? ?? 89 ?? ?? 68 ?? ?? ?? ?? 5? C6 ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 84 } - $block_19 = { A1 ?? ?? ?? ?? 8B ?? 5? 8B ?? ?? 8B ?? FF D? 8B ?? 89 ?? ?? C6 ?? ?? ?? 85 ?? 0F 84 } - $block_20 = { 8B ?? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 4? 89 ?? ?? ?? ?? ?? 3B ?? ?? ?? ?? ?? 0F 82 } - $block_21 = { 33 ?? 6A ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 3B ?? 0F 84 } - $block_22 = { 8B ?? 8B ?? ?? 2B ?? B8 ?? ?? ?? ?? F7 ?? 03 ?? C1 ?? ?? 8B ?? C1 ?? ?? 03 ?? 0F 84 } - $block_23 = { 8B ?? ?? 8B ?? ?? 8B ?? ?? 8B ?? ?? 5? 0F B7 ?? ?? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 } - $block_24 = { C6 ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? 39 ?? ?? 0F 82 } - $block_25 = { 8B ?? 8B ?? ?? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? 8B ?? FF D? 8B ?? 85 ?? 0F 84 } - $block_26 = { 8B ?? ?? ?? 6A ?? 83 ?? ?? 5? 8D ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 0F 85 } - $block_27 = { 5? 8B ?? 5? 5? 5? 8B ?? 8B ?? ?? 8B ?? 8B ?? ?? 5? FF D? 8B ?? 33 ?? 3B ?? 0F 84 } - $block_28 = { 2B ?? 5? 89 ?? ?? 8D ?? ?? 5? 83 ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 0F 84 } - $block_29 = { 8B ?? ?? 2B ?? B8 ?? ?? ?? ?? F7 ?? 03 ?? C1 ?? ?? 8B ?? C1 ?? ?? 03 ?? 
0F 84 } - $block_30 = { 8B ?? ?? 8B ?? 8B ?? ?? 8B ?? ?? 5? FF D? 5? E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 84 } - $block_31 = { 5? 5? 6A ?? E8 ?? ?? ?? ?? 33 ?? 83 ?? ?? 85 ?? 0F 95 ?? 89 ?? ?? 5? 8B ?? C3 } - $block_32 = { 8B ?? 8B ?? ?? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? 8B ?? FF D? 85 ?? 0F 84 } - $block_33 = { 5? 8B ?? 83 ?? ?? A1 ?? ?? ?? ?? 33 ?? 89 ?? ?? 5? 8B ?? 83 ?? ?? ?? 0F 85 } - $block_34 = { C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? 89 ?? ?? 88 ?? ?? 39 ?? ?? 0F 82 } - $block_35 = { 8B ?? ?? 5? 8D ?? ?? 5? 8B ?? E8 ?? ?? ?? ?? 8D ?? ?? 83 ?? ?? 3B ?? 0F 84 } - $block_36 = { 8B ?? ?? 8B ?? ?? 5? 89 ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 3B ?? 0F 84 } - $block_37 = { 5? 8B ?? 5? 5? 8B ?? ?? 8B ?? 8B ?? ?? 5? 5? 8B ?? 8B ?? FF D? 85 ?? 0F 84 } - $block_38 = { 8B ?? ?? 6A ?? 8D ?? ?? 5? 5? 8B ?? ?? 5? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_39 = { 8B ?? ?? 5? 8B ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 98 ?? 83 ?? ?? ?? 72 } - $block_40 = { 8B ?? 8B ?? ?? 8B ?? FF D? 6A ?? E8 ?? ?? ?? ?? 33 ?? 83 ?? ?? 3B ?? 0F 84 } - $block_41 = { B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 5? 8B ?? ?? 8B ?? FF D? 85 ?? 0F 84 } - $block_42 = { 0F B6 ?? ?? 8B ?? 8B ?? ?? 5? 8B ?? FF D? 8B ?? 8B ?? 6A ?? 8B ?? FF D? } - $block_43 = { 0F B6 ?? ?? 88 ?? ?? 0F B6 ?? 88 ?? ?? 0F B6 ?? ?? 88 ?? 4? 4? 3B ?? 72 } - $block_44 = { 89 ?? ?? 8B ?? 8B ?? ?? 8B ?? C7 ?? ?? ?? ?? ?? ?? FF D? 85 ?? 0F 84 } - $block_45 = { 8B ?? ?? 8D ?? ?? 33 ?? 3B ?? 0F 94 ?? C6 ?? ?? ?? 8B ?? 83 ?? ?? 72 } - $block_46 = { 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_47 = { 8B ?? ?? ?? ?? ?? 8A ?? ?? ?? 32 ?? 0F B6 ?? 66 ?? ?? ?? 4? 3B ?? 72 } - $block_48 = { 8B ?? 8B ?? ?? 8B ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? FF D? 85 ?? 0F 84 } - $block_49 = { C6 ?? ?? ?? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? 39 ?? ?? 0F 82 } - $block_50 = { 6A ?? 8D ?? ?? 5? 8D ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 0F 85 } - $block_51 = { 8B ?? ?? 8B ?? 8B ?? ?? 8B ?? ?? 5? FF D? 8B ?? 89 ?? ?? 85 ?? 
0F 84 } - $block_52 = { C7 ?? ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? 5? 8B ?? FF D? 8B ?? 85 ?? 0F 84 } - $block_53 = { 5? 8D ?? ?? 5? 89 ?? ?? 8B ?? 6A ?? 5? 8B ?? ?? FF D? 85 ?? 0F 85 } - $block_54 = { 8B ?? ?? 8D ?? ?? 89 ?? ?? 8B ?? 8B ?? ?? 5? 5? FF D? 3B ?? 0F 8C } - $block_55 = { FF 1? ?? ?? ?? ?? 33 ?? 3D ?? ?? ?? ?? 0F 94 ?? 8B ?? 85 ?? 0F 84 } - $block_56 = { 8B ?? ?? ?? 0F B7 ?? ?? 83 ?? ?? 8D ?? ?? 89 ?? ?? ?? 3B ?? 0F 87 } - $block_57 = { 8B ?? ?? 8B ?? 8B ?? ?? 6A ?? FF D? 8B ?? 89 ?? ?? ?? 3B ?? 0F 84 } - $block_58 = { 8B ?? ?? 33 ?? 85 ?? 0F 95 ?? 5? 5? 89 ?? ?? 5? 8B ?? 8B ?? 5? C3 } - $block_59 = { 8B ?? ?? 0F AF ?? 03 ?? ?? 8B ?? 5? 8B ?? ?? 5? 5? FF D? 3B ?? 74 } - $block_60 = { 8B ?? ?? 8B ?? E8 ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_61 = { 8B ?? ?? 8B ?? ?? 8B ?? 5? 5? 8B ?? ?? FF D? 8B ?? 3B ?? 0F 85 } - $block_62 = { 8B ?? 8A ?? ?? ?? 32 ?? ?? 4? 0F B6 ?? 66 ?? ?? ?? ?? 3B ?? 72 } - $block_63 = { 8D ?? ?? C7 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? ?? 0F 82 } - $block_64 = { 8B ?? ?? 8B ?? ?? 8B ?? ?? 8D ?? ?? 83 ?? ?? FF D? 3B ?? 0F 84 } - $block_65 = { 8B ?? ?? 8B ?? ?? 8B ?? 8B ?? ?? FF D? 8B ?? 33 ?? 3B ?? 0F 84 } - $block_66 = { 8B ?? ?? 0F B7 ?? ?? 8B ?? 8B ?? ?? 5? FF D? 8B ?? 3B ?? ?? 75 } - $block_67 = { 8B ?? ?? 03 ?? 33 ?? 3B ?? 0F 94 ?? C6 ?? ?? ?? 83 ?? ?? 72 } - $block_68 = { 5? E8 ?? ?? ?? ?? 6A ?? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 84 } - $block_69 = { 5? 8B ?? 5? 5? 5? 5? 8B ?? E8 ?? ?? ?? ?? 83 ?? ?? ?? 0F 85 } - $block_70 = { 8B ?? ?? 83 ?? ?? 83 ?? ?? 89 ?? ?? 89 ?? ?? 39 ?? ?? 0F 82 } - $block_71 = { 8D ?? ?? 99 8B ?? 2B ?? D1 ?? 89 ?? ?? 8B ?? 39 ?? ?? 0F 8C } - $block_72 = { 83 ?? ?? 89 ?? ?? 8B ?? 8B ?? 83 ?? ?? 83 ?? ?? 3B ?? 0F 84 } - $block_73 = { 8B ?? ?? 5? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 3B ?? 0F 84 } - $block_74 = { 5? 8B ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 85 } - $block_75 = { 33 ?? 6A ?? 89 ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 3B ?? 0F 84 } - $block_76 = { 8B ?? ?? 8B ?? 8B ?? ?? FF D? 8B ?? 
89 ?? ?? 85 ?? 0F 84 } - $block_77 = { FF D? 8B ?? 8B ?? ?? 8B ?? 89 ?? ?? ?? FF D? 85 ?? 0F 84 } - $block_78 = { 6A ?? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 33 ?? 85 ?? 0F 84 } - $block_79 = { 8D ?? ?? ?? 5? 5? FF 1? ?? ?? ?? ?? 8B ?? 83 ?? ?? 0F 84 } - $block_80 = { 8B ?? 8B ?? 8B ?? ?? FF D? 8B ?? 89 ?? ?? ?? 3B ?? 0F 84 } - $block_81 = { 8B ?? 8B ?? ?? 5? 8B ?? FF D? 8B ?? 89 ?? ?? 85 ?? 0F 84 } - $block_82 = { C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? 39 ?? ?? 0F 84 } - $block_83 = { 8B ?? ?? ?? 83 ?? ?? 33 ?? 89 ?? ?? ?? 3B ?? ?? ?? 0F 85 } - $block_84 = { 33 ?? 39 ?? ?? C6 ?? ?? ?? 0F 94 ?? 8B ?? 83 ?? ?? 72 } - $block_85 = { 8B ?? ?? 8B ?? 8B ?? ?? 5? FF D? 89 ?? ?? 85 ?? 0F 84 } - $block_86 = { 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 83 ?? ?? ?? 0F 84 } - $block_87 = { 8B ?? ?? 83 ?? ?? ?? 83 ?? ?? 89 ?? ?? 3B ?? ?? 0F 85 } - $block_88 = { 8B ?? B8 ?? ?? ?? ?? D3 ?? 8B ?? 23 ?? ?? 3B ?? 0F 85 } - $block_89 = { 8B ?? ?? 8B ?? 8B ?? ?? FF D? 8B ?? 33 ?? 3B ?? 0F 84 } - $block_90 = { 8B ?? ?? 83 ?? ?? ?? 83 ?? ?? 89 ?? ?? 39 ?? ?? 0F 82 } - $block_91 = { 5? 8B ?? 83 ?? ?? 5? 5? 8B ?? 5? 8B ?? 83 ?? ?? 0F 86 } - $block_92 = { 0F B7 ?? ?? 8B ?? ?? 8B ?? ?? 80 7? ?? ?? 8D ?? ?? 75 } - $block_93 = { 8B ?? ?? 8D ?? ?? 0F B7 ?? 8D ?? ?? 89 ?? ?? 3B ?? 73 } - $block_94 = { 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 3B ?? 0F 84 } - $block_95 = { 8B ?? ?? ?? 8B ?? 89 ?? ?? ?? 89 ?? ?? ?? 3B ?? 0F 84 } - $block_96 = { 8B ?? ?? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 84 } - $block_97 = { 8B ?? 8B ?? ?? 8B ?? 89 ?? ?? FF D? 85 ?? 0F 84 } - $block_98 = { 8B ?? ?? 2B ?? ?? 83 ?? ?? 3D ?? ?? ?? ?? 0F 85 } - $block_99 = { 5? 5? E8 ?? ?? ?? ?? 8B ?? 89 ?? ?? 85 ?? 
0F 84 } - - condition: - hash.sha256(0, filesize) == "65a2ca760bfce4762cd1cb3623c7d5d0ff86187d3bf3ba8fdea1339585a57ec2" or - hash.sha256(0, filesize) == "0102777ec0357655c4313419be3a15c4ca17c4f9cb4a440bfb16195239905ade" or - hash.sha256(0, filesize) == "366affd094cc63e2c19c5d57a6866b487889dab5d1b07c084fff94262d8a390b" or - hash.sha256(0, filesize) == "ddce4b5e1c03d04bb82780a2d0f08469bb589b6fe8f0d4cc2a140b16344f5bd1" or - hash.sha256(0, filesize) == "49dca913ff5c4782e8f8fa2dfd161110bc5c8cd36c9ce8aa0efd1860ab668e6e" or - hash.sha256(0, filesize) == "d04bef6765408d528fdf82a46c157b44e8b5e7762a15b0264033c9558ccc48dd" or - hash.sha256(0, filesize) == "c47f2973f077f21abfb202b54ea18ee2a182e4305ee0046c1bc6d15a1179a43c" or - hash.sha256(0, filesize) == "3877a522c924f834e442ef19d9b11ab6d3385849e60d5f310f6320e2d9e42804" or - hash.sha256(0, filesize) == "df818c2dccacc532ba0205749329b7e46d1f6616b40da55e0d994105bd988bd2" or - hash.sha256(0, filesize) == "489d448514a3ddf30144cc1634e6623e529dd3aee54a050a920a3d4342b4b96a" or - hash.sha256(0, filesize) == "0474111e44b9aa56d6e6024c6f278e915d57b7862ceb927672fc3417f76a3ba3" or - hash.sha256(0, filesize) == "4558eb18504f724e4f33f1504ff924ce64701d26d703cf1e42a48504e7f51927" or - hash.sha256(0, filesize) == "8d86c0985530271618a342579afd1a9ecb27dfb080866e3b888bd3e45e1eb8f5" or - hash.sha256(0, filesize) == "567332c2a6813d529bcb9196102ad45eceb982143e9d2f326f02cec1511954b0" or - hash.sha256(0, filesize) == "a9e2d988781e970882fb1cee420bf01dda30730046a82f0faf4703523842feb5" or - hash.sha256(0, filesize) == "930939256e2c2fa30e7260897d96859c08cf767664e4bd3cedf156b6765b5413" or - hash.sha256(0, filesize) == "bd589360b299dc4803aa35abca527137a51feadae2b1e3bc2b5a301bb5b245da" or - hash.sha256(0, filesize) == "6271c4909f39e1f29dcc79cde0f526cbde45d906726e73bd3b52d041a34eda38" or - hash.sha256(0, filesize) == "540913b3647c28a14418a6f288be9e4d8f99048227efea8ca1b13877269002eb" or - hash.sha256(0, filesize) == 
"3af9cfb2797bed22e1d12970d068d794270a0f07d3f3dcfdcdb9abfc3a80e0f8" or - hash.sha256(0, filesize) == "97afcd01e00d32dc4d1161d7a127933593cfc092ec635af5dc7a775a088b6091" or - hash.sha256(0, filesize) == "316528ade312cc5ed76f0b44c7f2c2fc84f60ae215992d9393f57431383cf776" or - hash.sha256(0, filesize) == "d07a802eb6d2c296c3f1bc726b5a716c4a7d8e97053c53e81658a31f969e6ce7" or - hash.sha256(0, filesize) == "c218b779461d83d70791e0578175503cd69128c9723f2c5d7d36b85073b0f2f9" or - hash.sha256(0, filesize) == "ef0fab7757a6b5e842297fa2e0dc7a7ce084278c5d12b878bba7d90759a0e22b" or - hash.sha256(0, filesize) == "ac9c7ac457a605ff836eb6fe127eabc7a251dd73ea0a1fa59a591de30fa75d3f" or - hash.sha256(0, filesize) == "df03f0ae0622f5040bf449ab8b7559a97da7f746cc2ce24a8ad5336b18699296" or - 12 of them -} - -rule CosmicDuke { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { 8A ?? 8B ?? ?? 8B ?? 8B ?? 8B ?? ?? 6A ?? FF D? 0F B6 ?? 83 ?? ?? 8B ?? D3 ?? 09 ?? 80 F? ?? 72 } - $block_1 = { 5? FF 1? ?? ?? ?? ?? 5? B0 ?? 5? 4? 06 25 ?? ?? ?? ?? 5? 5? 5? BE ?? ?? ?? ?? E8 ?? ?? ?? ?? 00 } - $block_2 = { A1 ?? ?? ?? ?? 8B ?? ?? 5? 6A ?? 6A ?? 81 C? ?? ?? ?? ?? 5? 6A ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 } - $block_3 = { 8D ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 5? 5? 5? E8 ?? ?? ?? ?? 85 ?? 89 ?? ?? 0F 84 } - $block_4 = { 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? BF ?? ?? ?? ?? E8 ?? ?? ?? ?? A3 ?? ?? ?? ?? 8B ?? 5? 5? 5? C9 C3 } - $block_5 = { 8B ?? 8B ?? ?? 8D ?? ?? ?? ?? ?? 5? 8B ?? FF D? F6 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 0F 84 } - $block_6 = { 8B ?? 99 6A ?? 5? F7 ?? 0F B6 ?? ?? ?? 2B ?? 03 ?? ?? 8A ?? ?? ?? 88 ?? ?? ?? 4? 3B ?? ?? 72 } - $block_7 = { 8B ?? 99 6A ?? 5? F7 ?? 0F B6 ?? ?? ?? 2B ?? 8B ?? ?? 03 ?? 8A ?? ?? 88 ?? ?? ?? 4? 3B ?? 72 } - $block_8 = { 01 ?? 28 ?? ?? 84 ?? ?? 04 ?? 00 ?? ?? D7 05 ?? ?? ?? ?? 5? F1 4? 00 ?? ?? ?? ?? ?? A8 ?? 74 } - $block_9 = { 5? 8B ?? 83 ?? ?? 5? 4? 1D ?? ?? ?? ?? 2D ?? ?? ?? ?? D2 ?? ?? ?? ?? ?? 89 ?? ?? 
85 ?? 0F 8E } - $block_10 = { 12 ?? ?? 04 ?? 06 35 ?? ?? ?? ?? 4? 10 ?? ?? ?? ?? ?? 01 ?? 4? 27 11 ?? ?? ?? ?? ?? 0B ?? 75 } - $block_11 = { C6 ?? ?? C7 ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? 0F B6 ?? 99 01 ?? 5? B3 ?? 11 ?? ?? 38 ?? 74 } - $block_12 = { 33 ?? 6A ?? 8D ?? ?? 5? 8B ?? F7 ?? 0F 90 ?? F7 ?? 0B ?? 5? E8 ?? ?? ?? ?? 8B ?? 85 ?? 5? 74 } - $block_13 = { 8B ?? 99 83 ?? ?? 8D ?? ?? 8B ?? 99 83 ?? ?? 8D ?? ?? C1 ?? ?? C1 ?? ?? 81 F? ?? ?? ?? ?? 7F } - $block_14 = { 8D ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 5? 5? 5? E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 84 } - $block_15 = { 8B ?? ?? 8B ?? 4? C1 ?? ?? 89 ?? ?? 8B ?? ?? 03 ?? 8B ?? ?? 83 ?? ?? 89 ?? ?? 3B ?? 0F 87 } - $block_16 = { 01 ?? 08 ?? 8B ?? ?? ?? ?? ?? 61 07 0C ?? 16 83 ?? ?? ?? ?? ?? ?? 0D ?? ?? ?? ?? 04 ?? 74 } - $block_17 = { 5? 5? 8D ?? ?? 5? 8B ?? ?? 8D ?? ?? 5? 8D ?? ?? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 } - $block_18 = { 8D ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 5? 33 ?? 81 7? ?? ?? ?? ?? ?? 5? 0F 85 } - $block_19 = { 0F B6 ?? ?? 5? 8D ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 80 7? ?? ?? 74 } - $block_20 = { 6A ?? 68 ?? ?? ?? ?? 8D ?? ?? ?? 5? 5? FF 1? ?? ?? ?? ?? 3B ?? 8D ?? ?? ?? ?? ?? ?? 0F 8C } - $block_21 = { 8D ?? ?? E8 ?? ?? ?? ?? 12 ?? ?? ?? ?? ?? 15 ?? ?? ?? ?? 4? FC E8 ?? ?? ?? ?? 3B ?? 74 } - $block_22 = { 08 ?? ?? E8 ?? ?? ?? ?? 09 ?? ?? ?? ?? ?? ?? 1D ?? ?? ?? ?? E8 ?? ?? ?? ?? 0E B1 ?? 00 } - $block_23 = { 8B ?? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 5? 5? 5? E8 ?? ?? ?? ?? 85 ?? 89 ?? ?? ?? 0F 84 } - $block_24 = { 8B ?? ?? 8B ?? ?? 8B ?? ?? 8B ?? ?? 83 ?? ?? ?? 89 ?? ?? 8B ?? ?? C1 ?? ?? 85 ?? 0F 8E } - $block_25 = { 8D ?? ?? ?? ?? ?? ?? 8D ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 3B ?? ?? 0F 94 ?? 84 ?? 0F 85 } - $block_26 = { 88 ?? ?? ?? ?? ?? 0F B6 ?? 8D ?? ?? ?? ?? ?? ?? 0F B6 ?? 03 ?? 81 E? ?? ?? ?? ?? 79 } - $block_27 = { 6A ?? 5? FF 7? ?? 8D ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 ?? 39 ?? ?? ?? 0F 8E } - $block_28 = { 0F B7 ?? ?? ?? 83 ?? ?? 0F AF ?? ?? ?? 
0F AF ?? ?? ?? 99 83 ?? ?? 03 ?? C1 ?? ?? 89 } - $block_29 = { 8B ?? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 5? 5? E8 ?? ?? ?? ?? 3B ?? 89 ?? ?? ?? 0F 84 } - $block_30 = { 8B ?? ?? ?? 89 ?? ?? ?? A1 ?? ?? ?? ?? 89 ?? ?? ?? C1 ?? ?? 33 ?? 33 ?? 85 ?? 0F 8E } - $block_31 = { A1 ?? ?? ?? ?? 8B ?? ?? 8B ?? ?? 83 ?? ?? ?? 89 ?? ?? 8B ?? ?? C1 ?? ?? 85 ?? 0F 8E } - $block_32 = { 8D ?? ?? ?? ?? ?? ?? 8B ?? ?? 8B ?? ?? 89 ?? ?? 83 ?? ?? F7 ?? ?? ?? ?? ?? 0F 84 } - $block_33 = { 8B ?? ?? 5? 5? 8B ?? ?? 8A ?? ?? ?? 83 ?? ?? 33 ?? 88 ?? ?? 89 ?? ?? 85 ?? 0F 84 } - $block_34 = { 89 ?? ?? FF 7? ?? FF 1? 5? A1 ?? ?? ?? ?? 0E 88 ?? 08 ?? ?? FF 1? 9? 08 ?? ?? CA } - $block_35 = { 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 5? FF 7? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 } - $block_36 = { 5? 6A ?? BE ?? ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 0F B6 ?? 85 ?? 74 } - $block_37 = { 8B ?? ?? 8B ?? ?? 8D ?? ?? ?? ?? ?? ?? 99 83 ?? ?? 03 ?? 8B ?? C1 ?? ?? 4? C1 } - $block_38 = { 12 ?? ?? 00 ?? ?? AB 25 ?? ?? ?? ?? FF 3? DB ?? ?? ?? ?? ?? 32 ?? ?? 1C ?? 75 } - $block_39 = { 0F B6 ?? 8B ?? ?? ?? ?? ?? C1 ?? ?? 03 ?? FF 4? ?? ?? 89 ?? ?? ?? ?? ?? 0F 85 } - $block_40 = { 8B ?? ?? 66 ?? ?? ?? C6 ?? ?? 66 ?? ?? ?? 83 ?? ?? FF 4? ?? 89 ?? ?? 0F 85 } - $block_41 = { 6A ?? 68 ?? ?? ?? ?? FF 7? ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 84 ?? 0F 84 } - $block_42 = { 5? 5? 6A ?? FF 1? ?? ?? ?? ?? 5? 8B ?? FF 1? ?? ?? ?? ?? 8B ?? 85 ?? 0F 84 } - $block_43 = { 6A ?? 68 ?? ?? ?? ?? FF 7? ?? 88 ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 } - $block_44 = { 8B ?? ?? 8B ?? ?? 8B ?? ?? 8B ?? 2B ?? ?? 66 ?? ?? ?? 8B ?? 3B ?? 0F 85 } - $block_45 = { 5? 68 ?? ?? ?? ?? FF 7? ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 84 ?? 0F 84 } - $block_46 = { 89 ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 7? ?? E8 ?? ?? ?? ?? 84 ?? 0F 84 } - $block_47 = { 5? FF 7? ?? 8D ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 5? 5? 5? C9 C3 } - $block_48 = { A1 ?? ?? ?? ?? 4? 4? 89 ?? ?? ?? C1 ?? ?? 33 ?? 85 ?? 88 ?? ?? ?? 0F 8E } - $block_49 = { 8D ?? ?? ?? ?? ?? 68 ?? 
?? ?? ?? 5? E8 ?? ?? ?? ?? 38 ?? ?? 5? 5? 0F 84 } - $block_50 = { 8B ?? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 5? 5? 83 ?? ?? ?? 39 ?? ?? 0F 84 } - $block_51 = { 5? 5? B0 ?? 4? 07 05 ?? ?? ?? ?? 4? 04 ?? 65 ?? 00 ?? ?? 85 ?? 0F 84 } - $block_52 = { FF 0? ?? ?? ?? ?? 8B ?? ?? A1 ?? ?? ?? ?? 64 ?? ?? ?? ?? ?? ?? C9 C3 } - $block_53 = { B8 ?? ?? ?? ?? 2B ?? 4? 89 ?? ?? ?? ?? ?? ?? 81 F? ?? ?? ?? ?? 0F 82 } - $block_54 = { A1 ?? ?? ?? ?? 8B ?? ?? 8B ?? ?? 83 ?? ?? ?? ?? C1 ?? ?? 85 ?? 0F 8E } - $block_55 = { 8B ?? ?? 8B ?? 5? 8D ?? ?? ?? ?? ?? 5? 6A ?? 5? FF 5? ?? 85 ?? 0F 84 } - $block_56 = { 68 ?? ?? ?? ?? FF D? 81 4? ?? ?? ?? ?? ?? 4? 3B ?? ?? ?? ?? ?? 0F 8C } - $block_57 = { 0F B6 ?? ?? FF 8? ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 4? 3B ?? 72 } - $block_58 = { 8D ?? ?? ?? E8 ?? ?? ?? ?? 99 6A ?? 5? F7 ?? 33 ?? 88 ?? 85 ?? 74 } - $block_59 = { 8B ?? ?? 8B ?? ?? 89 ?? 8B ?? 5? 5? 33 ?? 5? E8 ?? ?? ?? ?? C9 C3 } - $block_60 = { 0C ?? 83 ?? ?? 0E BB ?? ?? ?? ?? B9 ?? ?? ?? ?? 0E 5? 11 ?? ?? EB } - $block_61 = { 6A ?? 68 ?? ?? ?? ?? FF 7? ?? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 } - $block_62 = { FF 7? ?? E8 ?? ?? ?? ?? 5? FF 7? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_63 = { 8D ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 3B ?? ?? 0F 94 ?? 84 ?? 0F 85 } - $block_64 = { 8B ?? ?? 2B ?? ?? 83 ?? ?? 01 ?? ?? F7 ?? ?? ?? ?? ?? ?? 0F 84 } - $block_65 = { 5? 8B ?? 8B ?? ?? 81 E? ?? ?? ?? ?? 5? 33 ?? 5? 5? 3B ?? 0F 84 } - $block_66 = { 4? F4 8B ?? 0F AF ?? 85 ?? 22 ?? 1C ?? 83 ?? ?? ?? 85 ?? 0F 84 } - $block_67 = { 0F B6 ?? ?? 99 0F A4 ?? ?? C1 ?? ?? 01 ?? 11 ?? ?? 38 ?? ?? 74 } - $block_68 = { 8B ?? ?? ?? ?? ?? 33 ?? ?? ?? ?? ?? 5? 5? A9 ?? ?? ?? ?? 0F 85 } - $block_69 = { FF 4? ?? ?? 8B ?? ?? ?? 8B ?? ?? ?? 8D ?? ?? 89 ?? ?? ?? 0F 85 } - $block_70 = { 6A ?? 8D ?? ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 84 } - $block_71 = { 8B ?? ?? ?? 5? FF 7? ?? FF 7? ?? 5? E8 ?? ?? ?? ?? 84 ?? 0F 84 } - $block_72 = { FF 4? ?? 8B ?? ?? 81 C? ?? ?? ?? ?? 3B ?? ?? ?? ?? ?? 0F 8C } - $block_73 = { 83 ?? ?? 
?? 8B ?? ?? 5? 8B ?? 5? 64 ?? ?? ?? ?? ?? ?? C9 C2 } - $block_74 = { 8B ?? ?? ?? ?? ?? 8B ?? ?? 8B ?? 0F AF ?? ?? 2B ?? 3B ?? 7C } - $block_75 = { 39 ?? ?? 8D ?? ?? ?? ?? ?? 89 ?? ?? 89 ?? ?? 89 ?? ?? 0F 86 } - $block_76 = { 8B ?? ?? 8B ?? 5? 8D ?? ?? 5? 6A ?? 5? FF 5? ?? 85 ?? 0F 84 } - $block_77 = { 68 ?? ?? ?? ?? FF D? 83 ?? ?? ?? 4? 3B ?? ?? ?? ?? ?? 0F 8C } - $block_78 = { 8B ?? ?? 83 ?? ?? 2B ?? 8D ?? ?? ?? 8B ?? 3B ?? ?? 0F 85 } - $block_79 = { 68 ?? ?? ?? ?? FF 7? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 } - $block_80 = { 5? 89 ?? 60 8B ?? ?? 03 ?? ?? 5? 8B ?? ?? 8B ?? 85 ?? 74 } - $block_81 = { 33 ?? 4? 85 ?? 01 ?? 4? 4? 37 01 ?? 03 ?? C9 4? 3B ?? 7E } - $block_82 = { 0F B6 ?? ?? 99 C1 ?? ?? 83 ?? ?? 11 ?? ?? 38 ?? ?? 5? 74 } - $block_83 = { 8B ?? ?? 8B ?? ?? 6A ?? E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 84 } - $block_84 = { 0F B6 ?? 8A ?? ?? ?? ?? ?? ?? 30 ?? 4? 3B ?? ?? 0F 8C } - $block_85 = { 21 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? FF 5? ?? 6D 02 ?? E3 } - $block_86 = { 5? 0A ?? ?? 01 ?? 33 ?? EE 17 04 ?? 89 ?? ?? 04 ?? 70 } - $block_87 = { 5? FF 7? ?? ?? 8D ?? ?? ?? E8 ?? ?? ?? ?? 84 ?? 0F 84 } - $block_88 = { 8B ?? 2B ?? 03 ?? 89 ?? ?? 8B ?? ?? 2B ?? 3B ?? 0F 83 } - $block_89 = { 0F B6 ?? ?? 99 C1 ?? ?? 83 ?? ?? 11 ?? ?? 38 ?? ?? 74 } - $block_90 = { 8B ?? ?? 8D ?? ?? 89 ?? ?? 89 ?? ?? 83 ?? ?? 0F 82 } - $block_91 = { 8B ?? ?? 8B ?? ?? 89 ?? ?? 89 ?? ?? F6 ?? ?? 0F 84 } - $block_92 = { 8B ?? ?? 89 ?? ?? 83 ?? ?? F7 ?? ?? ?? ?? ?? 0F 84 } - $block_93 = { 83 ?? ?? 8D ?? ?? 83 ?? ?? 81 F? ?? ?? ?? ?? 0F 82 } - $block_94 = { 8B ?? ?? 8B ?? 5? 5? 33 ?? 5? E8 ?? ?? ?? ?? C9 C3 } - $block_95 = { 80 8? ?? ?? ?? ?? ?? F8 2A ?? ?? 8B ?? ?? 85 ?? 74 } - $block_96 = { 0F B6 ?? 03 ?? 3B ?? 89 ?? ?? 0F 96 ?? 84 ?? 74 } - $block_97 = { A1 ?? ?? ?? ?? FF 4? ?? C1 ?? ?? 39 ?? ?? 0F 8C } - $block_98 = { 68 ?? ?? ?? ?? 1E 0E C4 ?? 18 ?? ?? 85 ?? 0F 84 } - $block_99 = { 5? D5 ?? 10 ?? 81 F? ?? ?? ?? ?? 08 ?? ?? 
1F 01 } - - condition: - hash.sha256(0, filesize) == "c9f5a19c7b11fd866483adc93aa5bc4bd3515bd995ca79297b227e3e5ef1a665" or - hash.sha256(0, filesize) == "41d63d293a6e2722fcf82f8bf67b8f566bd4d3f669ede146ccc286f0228d8f62" or - hash.sha256(0, filesize) == "7c14761d20617ab7f408d6c63367f16026377d7c13f3e3c67525e034fc0c6d7c" or - hash.sha256(0, filesize) == "9ce93f04dbb6a3b833f1146a54dadfdc224fdf24e3cca1f8a1eb4e902d597ff6" or - hash.sha256(0, filesize) == "5ef73d904cf5dcbec5919fba0b640168d6feb8f7021507568297e3da1a7e47a5" or - hash.sha256(0, filesize) == "831267e0977becf098b5064aac6fd39b5f8e6fd975c06d4b8540cea71d402317" or - hash.sha256(0, filesize) == "182ab7eb1dce2827a05aff0d83a13dd8346bd3b8ab2dfb681817a0d3aab05b15" or - hash.sha256(0, filesize) == "246543cc4a538472bed0626c159715a963e39dfc69d79f60c3ab227c62277016" or - hash.sha256(0, filesize) == "51b4e69183f3d02124f3314cc64a7869425f053d8021c74c12f21d7c2afe2163" or - hash.sha256(0, filesize) == "3c5d2fcacafc21d9f43c595ddf03bec801ccb958b8641018612c21bc741800d0" or - hash.sha256(0, filesize) == "4bc8280a99d07165055fabed11049d8da275f27f5d8cffc4ed10a68be2d0cb84" or - hash.sha256(0, filesize) == "92172ff7bfeee332409a145bc626bebf732225d006877168f35c046368e5118c" or - hash.sha256(0, filesize) == "5b50e26a01b320f05d66727e9d220d5858cdac203ff62e4b9ced1cafc2683637" or - hash.sha256(0, filesize) == "29585bb17b28e8b15b2a250be9516f416fa7cac84cc24aa4e004f6987323147e" or - hash.sha256(0, filesize) == "f21794d0b0938643e2aabe9f2ed762528e631a2ebda76020d0b59ce91fb51e41" or - hash.sha256(0, filesize) == "2c480399bff7d05736caa1858fd43d9223df3fd531ae574dc3c9eb06cc3579ef" or - hash.sha256(0, filesize) == "75e8567e7667eb02eec661134ecc07a7970d9448fc5b7dc021b5bcb039953a47" or - hash.sha256(0, filesize) == "2e8aa9dac584a51c7d960baccf76747c858175573f5c013b7c44328f0871da04" or - hash.sha256(0, filesize) == "6322e8bbb5a7cc542a7da0fb33a60fc7443bcbd8601b828c9c7f138c71cce090" or - hash.sha256(0, filesize) == 
"008beba8635e24baa50beee2e98654f73c04476a06fdcb893655f0a8201932d2" or - hash.sha256(0, filesize) == "d5f1d8d2629b91744fe812207cb3f0bebfd1aec9937b7744a263d1a4e3421063" or - hash.sha256(0, filesize) == "1590bdbaff2c178387e924b689b030057b4cbd2865e9c4dd3886a8791ac8e4ee" or - hash.sha256(0, filesize) == "68355d29ce79a5177084fe6292f0f8b9daa2018c571b552fff9f4a0815b432ce" or - hash.sha256(0, filesize) == "1005b40f977b92cbc01b7a66558ff0621cbaf36f7b4b2ab2ca3c3a267891bc8d" or - hash.sha256(0, filesize) == "aecb468db5cebcfa25deadeb3b12fbc48b05a485b44deb500b4002521bc3e685" or - hash.sha256(0, filesize) == "027c9da59c77e83b42535a0c965c4994a144715e796453fc2a5b189f0036c4b4" or - hash.sha256(0, filesize) == "4f9b6a88245f782d81e9eec9315b9444c83d68941f9fc23641e3909c8da9db9d" or - hash.sha256(0, filesize) == "334ed05005ce829224d0dd4cc5baab6b837cf02ac0e321c8f97d11b3ba1c77a7" or - hash.sha256(0, filesize) == "73aac0b568f83746c9a54a2a6fdd2984c3e6f8d0c77a681c219abb9480859197" or - hash.sha256(0, filesize) == "bd4928921ddadb44f9f573da61dac034533bf14fe38acd5754f3ccec1d566300" or - hash.sha256(0, filesize) == "3d37e753812687fb7287cf8644d13fe2673ea7c3b540637c1ce1c6819f1c521b" or - hash.sha256(0, filesize) == "1c86bcc74684c2533026a8b4d9463ad4b5a1f30f6915ca19197b41e0cb893b77" or - hash.sha256(0, filesize) == "38c0252f75b1c6b3980e40bb69cb932773a6e0b189fc8a80efc2dcb455209eab" or - hash.sha256(0, filesize) == "a8200a476f72ef77f4cd6bd71ebae9f473e923b140600b9da0bbaf1f22e1cecb" or - hash.sha256(0, filesize) == "70a7248b90573ba2edde5d9e8f0acd478235054480d98b0531d85725555f3a5c" or - hash.sha256(0, filesize) == "a1176b60ca96cfeb37dde61bde935f645a64fabd8e300f072fc355434b711dcf" or - hash.sha256(0, filesize) == "2146da9bc0e27d7eb10983b7dd89f250fa0015ce284dde8f0bb6a79626d34a2a" or - hash.sha256(0, filesize) == "fe5bc1248fc79fc15663ef169f0a269c1abe847d00b01e9571fe5c0d760d68f0" or - hash.sha256(0, filesize) == "0a013787f9c1731213059f2d8e1a7514f610783aaaea8fa5736063ab7793c0d7" or - hash.sha256(0, filesize) == 
"64e3a2bba82027dd6ff631fa5890a7ba8331b62a0a4c0b1ca24d143c2b61c323" or - hash.sha256(0, filesize) == "2eafc64769c500d635b7225c9b1411db8f50db8618e4d5807e1640b641a2f5ee" or - hash.sha256(0, filesize) == "16870c6b572934f5a106d5f632b6d41bb23924c12ddf172be24c6dfca25226b1" or - hash.sha256(0, filesize) == "3e889cd495e008760fd12751d6d45cadf8a7280c4545f2ebe469f84b9b77c835" or - hash.sha256(0, filesize) == "7c2bb277e3a982e9e2f76da2c96119514dde4f3e36b16eca5994be5f28bd0029" or - hash.sha256(0, filesize) == "9c2562e05eb940ae8d73c9baa7cfe85cb3ec619689227f65e4fbeeb3fec598ad" or - hash.sha256(0, filesize) == "ec49400e70c02a884a5df74ca99690886ec2d528e200c42dbdf057fd9b7f87f8" or - hash.sha256(0, filesize) == "43bcee4067c067d9063ddfc101fc8b5a6e8d42184ef8b0fdd9bb14102cb9973d" or - hash.sha256(0, filesize) == "f61cdc7f68f47d23c4571b517ab4cdcfd984cf3f6f8f91dec99dfd7dc5a2dcff" or - hash.sha256(0, filesize) == "cae1277446cb62f1ed3674e7ea87063a28b9d364e3638fa779fe8e3d6e1fb15f" or - hash.sha256(0, filesize) == "187b1cc7264c04c3158f835546cad0be74e6411bb50cb8899179a71018f0b4b9" or - hash.sha256(0, filesize) == "f6c62f9f846b3d100d60b1f2ae57a71c91dd8dc215dce652e2c85dff60c0197f" or - hash.sha256(0, filesize) == "7e371cd323898e403df7a80add34d791e160e443bcd2d02f27ddc0c04ba1bdab" or - hash.sha256(0, filesize) == "04819cde7e928e6ff376daeb73b894959f672a85b363753c227416fc0f4a8acd" or - hash.sha256(0, filesize) == "0314ed09890d5aa2dba659fe1343be93d48c3875a89e261484967fea7ea6c7eb" or - hash.sha256(0, filesize) == "05637ef950feaeb0944d9fccca38eeff38e366c24a137ef08c9f1442aeb6afb7" or - hash.sha256(0, filesize) == "910a016a7b6e0a76bc7ddf12f9135090e0b23d00c382d70084b46bea4bbbcae7" or - hash.sha256(0, filesize) == "82670519b8d63d36967c611bc94659e5bff867837129ac93bcffe7589af46384" or - hash.sha256(0, filesize) == "bf012045464ba2aadc1547940eb3ce262d0e023c2198c134dee658c859ecd8ab" or - hash.sha256(0, filesize) == "dad4c4aea24f2bd3e2f4b93bf782ebef70e8fdf930aff25a3e1b85a717314aa0" or - hash.sha256(0, filesize) == 
"30b24935c8537c51ce56a69510019d8481ac78e6c5ccdbe792c625c69c5358f9" or - 12 of them -} - -rule CloudDuke { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { 5? 8B ?? 81 E? ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 ?? 89 ?? ?? 5? 8B ?? ?? 5? 83 ?? ?? ?? 5? 0F 84 } - $block_1 = { 6A ?? 68 ?? ?? ?? ?? 5? 5? C7 ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 89 ?? ?? 85 ?? 0F 84 } - $block_2 = { 8B ?? ?? ?? ?? ?? 4? 83 ?? ?? ?? 8D ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 0F 85 } - $block_3 = { 8B ?? ?? 03 ?? 33 ?? 0F B7 ?? ?? 83 ?? ?? 03 ?? 0F B7 ?? ?? 5? 89 ?? ?? 85 ?? 74 } - $block_4 = { 6A ?? 68 ?? ?? ?? ?? 5? 5? C7 ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_5 = { FF 7? ?? FF 7? ?? 5? E8 ?? ?? ?? ?? 0F B7 ?? ?? 83 ?? ?? 89 ?? ?? 85 ?? 75 } - $block_6 = { 8B ?? ?? ?? 2B ?? ?? ?? 33 ?? 4? 03 ?? ?? ?? 99 13 ?? ?? ?? 3B ?? 0F 82 } - $block_7 = { 8D ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 85 ?? 0F 45 ?? ?? ?? ?? ?? 89 } - $block_8 = { 6A ?? 68 ?? ?? ?? ?? FF 7? ?? 5? FF 1? ?? ?? ?? ?? 8B ?? 85 ?? 0F 84 } - $block_9 = { 0F B7 ?? ?? C1 ?? ?? 83 ?? ?? B9 ?? ?? ?? ?? 89 ?? ?? 66 ?? ?? ?? 74 } - $block_10 = { 5? 8B ?? 83 ?? ?? 5? 5? 8B ?? 8B ?? 89 ?? ?? 89 ?? ?? 85 ?? 0F 84 } - $block_11 = { 8D ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? 85 ?? 0F 84 } - $block_12 = { 0F B7 ?? ?? C1 ?? ?? 83 ?? ?? 89 ?? ?? 83 ?? ?? ?? ?? ?? ?? 74 } - $block_13 = { C7 ?? ?? ?? ?? ?? ?? 8B ?? ?? 89 ?? ?? 89 ?? ?? 85 ?? 0F 84 } - $block_14 = { 8B ?? 33 ?? 89 ?? 4? 83 ?? ?? 83 ?? ?? 3B ?? ?? 0F 8C } - $block_15 = { 8B ?? ?? 03 ?? 89 ?? ?? 81 3? ?? ?? ?? ?? 
0F 85 } - - condition: - hash.sha256(0, filesize) == "c3ea57eea9f522cfc70ef8c3b614f7e44903293a2e8354359b99efbf4cd436df" or - hash.sha256(0, filesize) == "56ac764b81eb216ebed5a5ad38e703805ba3e1ca7d63501ba60a1fb52c7ebb6e" or - hash.sha256(0, filesize) == "0f7d64f514e99a2abdc10dc85e7e6f57c210a0f35472f7b897a19b73be36bece" or - hash.sha256(0, filesize) == "ecd0ce1973500c27bb5d70f326d115fba84c0b1680a726a041ed57b42063e7b1" or - hash.sha256(0, filesize) == "d4d79be85dc98f74088d6393a8fdf2b5d947ae4f279909af2aed0221dcecfe94" or - hash.sha256(0, filesize) == "ed7abf93963395ce9c9cba83a864acb4ed5b6e57fd9a6153f0248b8ccc4fdb46" or - hash.sha256(0, filesize) == "85c5ba695992ed59269ea7f7a58f3453f6047729d1f68a444d450439bbccc1f4" or - hash.sha256(0, filesize) == "6c8eb3365b7fb7683b9b465817e5cb87574026e306c700f3d103eba056777720" or - hash.sha256(0, filesize) == "d3d503934c0dfe75e386d0fb8da2e32238d93739624b6c5a929fe5b722b35d36" or - hash.sha256(0, filesize) == "ee5eb9d57c3611e91a27bb1fc2d0aaa6bbfa6c69ab16e65e7123c7c49d46f145" or - hash.sha256(0, filesize) == "c1ee4232d1b6504fc7f93cb0478e90049a71992498ed2d701925d852e91cfcc3" or - hash.sha256(0, filesize) == "97d8725e39d263ed21856477ed09738755134b5c0d0b9ae86ebb1cdd4cdc18b7" or - hash.sha256(0, filesize) == "e1490d6e5ce4c2cddef0815c55bf8946cb830ce0ac7f586cf1ae16ef66f1bd8b" or - hash.sha256(0, filesize) == "6c7e768e48b9b225b7b9f84528c53c2e6f9b639ce2e7919fe0dff9aad07ea4f5" or - hash.sha256(0, filesize) == "bfc1bafd9b01178037226fa55546d7ed7e9203c13e1b66419e887fee704d5196" or - hash.sha256(0, filesize) == "a713982d04d2048a575912a5fc37c93091619becd5b21e96f049890435940004" or - hash.sha256(0, filesize) == "88a40d5b679bccf9641009514b3d18b09e68b609ffaf414574a6eca6536e8b8f" or - hash.sha256(0, filesize) == "1d4ac97d43fab1d464017abb5d57a6b4601f99eaa93b01443427ef25ae5127f7" or - hash.sha256(0, filesize) == "12f58639a883b0fcfe3d2e8bcb0330b978731975c9dfa2f8e583adbafc4d534e" or - 12 of them -} - -rule PinchDuke { - meta: - Author = "Intezer Analyze" - 
Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { FF 7? ?? 8B ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? ?? ?? FF 4? ?? 8A ?? ?? ?? ?? ?? 4? 83 ?? ?? 88 ?? 7C } - $block_1 = { 5? 5? FF 1? ?? ?? ?? ?? 5? 8B ?? 5? 5? 6A ?? 5? FF 7? ?? FF 1? ?? ?? ?? ?? 3B ?? 89 ?? ?? 0F 84 } - $block_2 = { 5? 8B ?? ?? ?? ?? ?? 5? FF D? 5? 5? 8D ?? ?? ?? ?? ?? 5? FF 7? ?? 5? E8 ?? ?? ?? ?? 85 ?? 0F 85 } - $block_3 = { 5? 5? 5? 5? 8D ?? ?? 5? FF 7? ?? 89 ?? ?? FF 7? ?? 68 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 } - $block_4 = { 5? 8D ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? 8B ?? C1 ?? ?? 25 ?? ?? ?? ?? 8A ?? ?? ?? ?? ?? 88 ?? ?? 79 } - $block_5 = { 8D ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 64 ?? ?? ?? ?? ?? 5? 5? C9 C3 } - $block_6 = { 8A ?? 8D ?? ?? 5? E8 ?? ?? ?? ?? 0F B6 ?? 5? 8B ?? ?? 0F B6 ?? 8D ?? ?? 33 ?? 85 ?? 89 ?? ?? 7E } - $block_7 = { 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? ?? 0F AF ?? ?? C1 ?? ?? 0F AF ?? ?? C1 ?? ?? 01 ?? ?? EB } - $block_8 = { 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? FF 7? ?? FF 7? ?? FF 1? ?? ?? ?? ?? 3B ?? 89 ?? ?? 0F 85 } - $block_9 = { 8B ?? 2B ?? ?? 33 ?? F7 ?? 8B ?? D1 ?? 0F AF ?? 03 ?? ?? 5? FF 7? ?? FF 5? ?? 85 ?? 5? 5? 7E } - $block_10 = { FF 7? ?? 8B ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? ?? ?? FF 4? ?? 8A ?? ?? ?? ?? ?? 4? 3B ?? 88 ?? 7C } - $block_11 = { 8D ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? 5? 5? 68 ?? ?? ?? ?? FF 7? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 } - $block_12 = { FF 4? ?? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? FF 7? ?? FF 7? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_13 = { 8B ?? ?? 6A ?? 03 ?? FF 1? ?? ?? ?? ?? 83 ?? ?? ?? 6A ?? 5? 39 ?? ?? 89 ?? ?? 89 ?? ?? 0F 82 } - $block_14 = { 0F B6 ?? ?? ?? 8B ?? ?? 5? 8D ?? ?? 5? E8 ?? ?? ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 4? 83 ?? ?? 7C } - $block_15 = { FF 4? ?? 8D ?? ?? 5? 5? 5? 5? 8D ?? ?? ?? ?? ?? 5? FF 7? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 } - $block_16 = { FF 7? ?? 8D ?? ?? E8 ?? ?? ?? ?? 0F BE ?? 01 ?? ?? 8B ?? ?? 2B ?? ?? FF 4? ?? 39 ?? ?? 7C } - $block_17 = { 0F B6 ?? ?? ?? 8B ?? ?? 5? 8D ?? ?? 
5? E8 ?? ?? ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 4? 3B ?? 7C } - $block_18 = { 8D ?? ?? 5? 68 ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 } - $block_19 = { 0F B6 ?? ?? 5? 8D ?? ?? 5? 8D ?? ?? E8 ?? ?? ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 4? 3B ?? 7C } - $block_20 = { 5? 8B ?? 83 ?? ?? 8B ?? ?? 83 ?? ?? ?? 83 ?? ?? ?? 8A ?? ?? 5? 8A ?? ?? 5? 8B ?? 0F 8E } - $block_21 = { 8B ?? ?? 8D ?? ?? 8B ?? ?? 0F B6 ?? 0F B6 ?? ?? 0F B6 ?? 03 ?? 03 ?? 25 ?? ?? ?? ?? 79 } - $block_22 = { 0F B6 ?? 8D ?? ?? E8 ?? ?? ?? ?? 8D ?? ?? 99 F7 ?? ?? FF 4? ?? 81 7? ?? ?? ?? ?? ?? 7C } - $block_23 = { 0F B6 ?? ?? 8B ?? ?? 5? 8D ?? ?? 5? E8 ?? ?? ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 4? 3B ?? 7C } - $block_24 = { 8B ?? 2B ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 5? 8B ?? 2B ?? B8 ?? ?? ?? ?? 3B ?? 0F 87 } - $block_25 = { 8D ?? ?? 5? 8D ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? 5? 8D ?? ?? E8 ?? ?? ?? ?? 4? 3B ?? ?? 7C } - $block_26 = { 8D ?? ?? 5? 8B ?? ?? 68 ?? ?? ?? ?? FF 7? ?? ?? 89 ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 } - $block_27 = { 8B ?? ?? 8B ?? ?? 0F B6 ?? ?? 5? 8B ?? E8 ?? ?? ?? ?? FF 4? ?? 8B ?? ?? 3B ?? ?? 7C } - $block_28 = { 5? 5? 5? 8D ?? ?? ?? ?? ?? 5? FF 7? ?? FF 7? ?? 5? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_29 = { 8D ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 99 2B ?? D1 ?? 6A ?? 89 ?? ?? 8B ?? ?? 5? 3B ?? 7E } - $block_30 = { 5? 5? 5? 5? 5? 5? 5? 8D ?? ?? 5? 5? 5? 5? FF 7? ?? FF 1? ?? ?? ?? ?? 39 ?? ?? 0F 84 } - $block_31 = { 8D ?? ?? ?? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 5? 5? E8 ?? ?? ?? ?? 85 ?? 5? 5? 0F 84 } - $block_32 = { 8D ?? ?? ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 0F 84 } - $block_33 = { FF 7? ?? 8B ?? ?? E8 ?? ?? ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 5? 5? 5? C9 C3 } - $block_34 = { 8B ?? ?? 8D ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? FF 4? ?? 83 ?? ?? ?? 83 ?? ?? ?? 0F 8F } - $block_35 = { 8D ?? ?? 5? FF 7? ?? 5? 5? 68 ?? ?? ?? ?? FF 7? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 } - $block_36 = { 8B ?? ?? ?? ?? ?? 8B ?? ?? C1 ?? ?? 03 ?? 8D ?? ?? E8 ?? ?? ?? ?? 5? 
5? 5? C9 C3 } - $block_37 = { 8D ?? ?? 5? 6A ?? 5? 8D ?? ?? ?? ?? ?? 5? FF 7? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 } - $block_38 = { 8D ?? ?? ?? 0F B6 ?? 5? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 4? 83 ?? ?? 5? 5? 88 ?? 7C } - $block_39 = { 5? 8B ?? 8B ?? ?? 5? 8B ?? ?? 5? 8B ?? ?? 4? 0F AF ?? 03 ?? 85 ?? 89 ?? ?? 75 } - $block_40 = { 5? 33 ?? 4? 5? 8D ?? ?? ?? ?? ?? 6A ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 3B ?? 0F 85 } - $block_41 = { 6A ?? 8D ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 } - $block_42 = { 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? 5? FF 7? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 } - $block_43 = { 99 BB ?? ?? ?? ?? F7 ?? 8B ?? ?? 80 C? ?? 30 ?? ?? ?? 4? 3B ?? ?? 89 ?? ?? 7C } - $block_44 = { E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? 85 ?? 75 } - $block_45 = { 8D ?? ?? ?? ?? ?? 5? 5? 5? 8D ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_46 = { 5? 8D ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 84 } - $block_47 = { 5? 8D ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? 5? 8B ?? E8 ?? ?? ?? ?? 4? 83 ?? ?? 7C } - $block_48 = { 5? 8D ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? 5? 8B ?? E8 ?? ?? ?? ?? 4? 3B ?? ?? 7C } - $block_49 = { 99 B9 ?? ?? ?? ?? F7 ?? 8B ?? ?? 80 C? ?? 30 ?? ?? ?? 4? 3B ?? 89 ?? ?? 7C } - $block_50 = { 8B ?? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 5? 5? 8D ?? ?? ?? ?? ?? 3B ?? 0F 84 } - $block_51 = { E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 6A ?? FF 1? ?? ?? ?? ?? 33 ?? 5? 5? 5? C9 C3 } - $block_52 = { 5? 8B ?? 81 E? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 0F 8F } - $block_53 = { 5? 8D ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? 5? 5? 8D ?? ?? E8 ?? ?? ?? ?? 4? 79 } - $block_54 = { 8B ?? ?? 6B ?? ?? 8D ?? ?? ?? 4? 89 ?? ?? 0F B6 ?? 8D ?? ?? 83 ?? ?? 72 } - $block_55 = { FF 7? ?? E8 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? ?? 5? 5? 5? 5? 5? C9 C3 } - $block_56 = { 8D ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? FF 7? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 } - $block_57 = { 8D ?? ?? E8 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 4? E8 ?? ?? ?? ?? 3B ?? 
0F 8C } - $block_58 = { 68 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? C6 ?? ?? ?? 33 ?? 8D ?? ?? AB AB AA 83 } - $block_59 = { 0F B6 ?? 8B ?? ?? E8 ?? ?? ?? ?? 4? 8A ?? 33 ?? 4? 84 ?? 89 ?? ?? 75 } - $block_60 = { 5? 8D ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? E8 ?? ?? ?? ?? 85 ?? 0F 8E } - $block_61 = { 33 ?? 83 ?? ?? 0F 94 ?? 89 ?? ?? 8B ?? E8 ?? ?? ?? ?? 8B ?? ?? 4? EB } - $block_62 = { 8D ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 85 ?? 5? 5? 0F 84 } - $block_63 = { 8B ?? ?? 8D ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? ?? FF 4? ?? 0F 85 } - $block_64 = { 0F B6 ?? ?? 8B ?? ?? 83 ?? ?? ?? D3 ?? 09 ?? ?? 4? 83 ?? ?? ?? 7C } - $block_65 = { 8B ?? ?? 8D ?? ?? ?? ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 5? 5? 5? C9 C3 } - $block_66 = { FF 4? ?? E8 ?? ?? ?? ?? 8B ?? ?? 69 ?? ?? ?? ?? ?? 39 ?? ?? 0F 8F } - $block_67 = { 33 ?? F7 ?? 8B ?? D1 ?? 0F AF ?? 03 ?? FF 5? ?? 85 ?? 5? 5? 7E } - $block_68 = { 8D ?? ?? E8 ?? ?? ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 5? 5? 5? C9 C2 } - $block_69 = { 5? 8D ?? ?? ?? ?? ?? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 } - $block_70 = { 8B ?? ?? 0F B6 ?? ?? 8D ?? ?? ?? ?? ?? ?? FF 0? 4? 3B ?? 72 } - $block_71 = { 8D ?? ?? ?? ?? ?? 5? FF 7? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 } - $block_72 = { 83 ?? ?? 5? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 84 ?? 5? 5? 0F 85 } - $block_73 = { FF 1? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 8B ?? ?? 3B ?? ?? 0F 85 } - $block_74 = { 5? 8B ?? 8B ?? ?? 81 E? ?? ?? ?? ?? 33 ?? 83 ?? ?? 0F 82 } - $block_75 = { 8B ?? ?? 6A ?? C1 ?? ?? 5? 3B ?? 89 ?? ?? 89 ?? ?? 0F 86 } - $block_76 = { 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 3B ?? 5? 5? 0F 84 } - $block_77 = { 8B ?? ?? 0F B6 ?? ?? 5? 8B ?? E8 ?? ?? ?? ?? 4? 3B ?? 7C } - $block_78 = { 8D ?? ?? 5? 5? 5? 6A ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 } - $block_79 = { 0F B6 ?? ?? 8B ?? ?? ?? ?? ?? ?? 3B ?? ?? ?? ?? ?? ?? 73 } - $block_80 = { 8B ?? ?? 8B ?? 83 ?? ?? ?? 33 ?? 89 ?? ?? 4? 3B ?? 0F 8C } - $block_81 = { 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 85 ?? 5? 5? 0F 84 } - $block_82 = { 5? 5? 5? 6A ?? 5? FF 1? ?? ?? ?? ?? 3B ?? 
89 ?? ?? 0F 84 } - $block_83 = { 5? 8B ?? 83 ?? ?? 5? 33 ?? 33 ?? 39 ?? ?? ?? ?? ?? 0F 85 } - $block_84 = { 0F B6 ?? 8B ?? 83 ?? ?? C1 ?? ?? 4? 0B ?? 4? 84 ?? 78 } - $block_85 = { 8D ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 5? 0F 84 } - $block_86 = { 0F B6 ?? 8A ?? ?? 30 ?? FF 4? ?? 8B ?? ?? 3B ?? ?? 7C } - $block_87 = { 8B ?? ?? 3B ?? A3 ?? ?? ?? ?? 89 ?? ?? 89 ?? ?? 0F 86 } - $block_88 = { C7 ?? ?? ?? ?? ?? ?? 33 ?? 8D ?? ?? AB 66 ?? B3 ?? BF } - $block_89 = { 0F B6 ?? 8D ?? ?? 0F B6 ?? 03 ?? 25 ?? ?? ?? ?? 79 } - $block_90 = { 8D ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 85 ?? 5? 0F 86 } - $block_91 = { 4? 0F B6 ?? 8D ?? ?? 83 ?? ?? 89 ?? ?? 89 ?? ?? 73 } - $block_92 = { 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 3B ?? 5? 5? 0F 84 } - $block_93 = { 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 84 ?? 5? 5? 0F 85 } - $block_94 = { FF 7? ?? E8 ?? ?? ?? ?? 5? 5? 5? 8A ?? 5? C9 C3 } - $block_95 = { 6A ?? 8B ?? 5? 99 F7 ?? 8D ?? ?? 80 C? ?? 5? E8 } - $block_96 = { 8D ?? ?? E8 ?? ?? ?? ?? 5? 5? 5? 83 ?? ?? C9 C3 } - $block_97 = { 8D ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 5? 5? 5? C9 C3 } - $block_98 = { 5? 8B ?? 8B ?? ?? 5? 8B ?? ?? 8B ?? 2B ?? 0F 84 } - $block_99 = { 8D ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 5? 5? 5? 
C9 C3 } - - condition: - hash.sha256(0, filesize) == "35f911365d14ff533acce7367c2ab74167a9beb7b4e8fd487f25b9db4d68f627" or - hash.sha256(0, filesize) == "7abf424fd57e49756307cc07e05627470a0d1f000a3c8fcc422ea4391981f6a2" or - hash.sha256(0, filesize) == "0ce3bfa972ced61884ae7c1d77c7d4c45e17c7d767e669610cf2ef72b636b464" or - hash.sha256(0, filesize) == "dd29a6b5c62d8726a3073b6f7d20e6f34d00616de61fc55d04bda9e7824cd598" or - hash.sha256(0, filesize) == "b2417de25ad9e6bed08229561eb96d4f2e83ab63b4407c7601a0113ed193fe84" or - hash.sha256(0, filesize) == "51eda4521b3ee9d6917832e4e04a4f58891867b8f7b0ade61725fd124ba40f82" or - hash.sha256(0, filesize) == "4e31304e1ea66c267b5882f9335a2384eea18a6617a49308846ce624b68e7489" or - hash.sha256(0, filesize) == "8b7427620d6537aa905727af48f7dec1e003a8b7c74d417f0a5ded7926a7d590" or - hash.sha256(0, filesize) == "98cd87a544ca06ae249e4f3c9790efbd63d8954e0ff695d2404e92f2383871bf" or - hash.sha256(0, filesize) == "49bc860fb8856436e1d540754732843f1a534901ecdd031870702bacab58ae54" or - hash.sha256(0, filesize) == "d9cfcd9e64cdd0a4beba9da2b1cfdf7b5af9480bc19d6fdf95ec5b1f07fceb1d" or - hash.sha256(0, filesize) == "28b56f4245bd2081a8d0885bcd0cad7b384ee4a927d87ce8532c5650ac532916" or - hash.sha256(0, filesize) == "ded70a8fc7074ea0ceb7f489b2ebb1198154a2507538fc73cbb74712d5fc6d19" or - hash.sha256(0, filesize) == "d88bd6947eef00bd3baadc55ff1c55b3cdcff5ba8fd145d5b5bf8894c42a7fd3" or - hash.sha256(0, filesize) == "56f87c2b24a502fbda0ae9cee8f21615b1ba39737d70d2f4f4011fa6fdd174a1" or - hash.sha256(0, filesize) == "7a3b78feba1670850602b7c33cb0968b4d89db609d98c81744b43cae23d563f5" or - 12 of them -} - -rule MiniDuke { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { 0F B6 ?? ?? 8B ?? ?? ?? ?? ?? 5? 5? 5? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? BE ?? ?? ?? ?? EB } - $block_1 = { FF 0? ?? ?? ?? ?? 0F B6 ?? ?? 5? 6A ?? 8D ?? ?? 6A ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 83 ?? ?? 0F 87 } - $block_2 = { 0F B6 ?? 
?? ?? 0F B6 ?? ?? 83 ?? ?? C1 ?? ?? 03 ?? 8D ?? ?? ?? 8B ?? C1 ?? ?? 83 ?? ?? EB } - $block_3 = { 2B ?? 2B ?? 8D ?? ?? ?? 8D ?? ?? 8B ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? ?? 85 ?? 0F 84 } - $block_4 = { 4? C1 ?? ?? 4? 5? 8B ?? E8 ?? ?? ?? ?? 0F B6 ?? ?? 8B ?? ?? FE ?? 83 ?? ?? 88 ?? FF 4? } - $block_5 = { 8B ?? ?? BB ?? ?? ?? ?? 3B ?? 1B ?? F7 ?? 03 ?? 8B ?? ?? 89 ?? ?? 03 ?? 3B ?? ?? 0F 87 } - $block_6 = { BF ?? ?? ?? ?? 3B ?? 8B ?? ?? 1B ?? F7 ?? 03 ?? 8B ?? ?? 89 ?? ?? 03 ?? 3B ?? ?? 0F 87 } - $block_7 = { BE ?? ?? ?? ?? 3B ?? ?? 8B ?? ?? 1B ?? F7 ?? 03 ?? 03 ?? ?? 89 ?? ?? 3B ?? ?? 0F 87 } - $block_8 = { 33 ?? 66 ?? ?? ?? 0F 95 ?? 4? 83 ?? ?? 83 ?? ?? 5? 5? 5? FF 1? ?? ?? ?? ?? 85 ?? 74 } - $block_9 = { 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 5? 8D ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 83 ?? ?? 0F 84 } - $block_10 = { 8B ?? ?? BA ?? ?? ?? ?? 3B ?? ?? 1B ?? F7 ?? 03 ?? 89 ?? ?? 03 ?? 3B ?? ?? 0F 87 } - $block_11 = { 8B ?? ?? 5? 68 ?? ?? ?? ?? 5? 8D ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 83 ?? ?? 0F 84 } - $block_12 = { 8B ?? ?? BE ?? ?? ?? ?? 3B ?? 1B ?? F7 ?? 03 ?? 89 ?? ?? 03 ?? 3B ?? ?? 0F 87 } - $block_13 = { C7 ?? ?? ?? ?? ?? 8B ?? ?? 0F B7 ?? ?? 8B ?? ?? 5? 5? 89 ?? ?? 5? 8B ?? 5? C3 } - $block_14 = { 5? 8B ?? 8B ?? 83 ?? ?? 5? 8B ?? ?? 33 ?? 2B ?? 89 ?? ?? 89 ?? ?? 3B ?? 0F 86 } - $block_15 = { FF 0? ?? ?? ?? ?? 5? 5? 8D ?? ?? 6A ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 3B ?? 0F 87 } - $block_16 = { 8A ?? ?? 88 ?? ?? 8A ?? ?? 88 ?? ?? 8A ?? ?? 88 ?? ?? 8B ?? ?? 5? 5? C9 C3 } - $block_17 = { BE ?? ?? ?? ?? 3B ?? ?? 1B ?? F7 ?? 03 ?? 8B ?? ?? 03 ?? 3B ?? ?? 0F 87 } - $block_18 = { BA ?? ?? ?? ?? 3B ?? ?? 1B ?? F7 ?? 03 ?? 89 ?? ?? 03 ?? 3B ?? ?? 0F 87 } - $block_19 = { 68 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 89 ?? ?? 3B ?? 0F 84 } - $block_20 = { 8B ?? ?? BE ?? ?? ?? ?? 3B ?? ?? 1B ?? F7 ?? 03 ?? 03 ?? 3B ?? ?? 0F 87 } - $block_21 = { BA ?? ?? ?? ?? 3B ?? 1B ?? F7 ?? 03 ?? 8B ?? ?? 03 ?? 3B ?? ?? 0F 87 } - $block_22 = { 8B ?? ?? 8B ?? ?? 89 ?? 0F B6 ?? 89 ?? ?? 8B ?? ?? 89 ?? 
?? 3B ?? 72 } - $block_23 = { 5? 5? 8B ?? ?? 6A ?? 5? E8 ?? ?? ?? ?? 8B ?? ?? 83 ?? ?? 3B ?? 0F 85 } - $block_24 = { 6A ?? 6A ?? 8D ?? ?? ?? ?? ?? 5? 5? FF 1? ?? ?? ?? ?? 83 ?? ?? 0F 85 } - $block_25 = { 5? 6A ?? 8D ?? ?? 6A ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 83 ?? ?? 0F 85 } - $block_26 = { 8B ?? ?? 83 ?? ?? 85 ?? 83 ?? ?? 83 ?? ?? ?? 01 ?? ?? 85 ?? 0F 81 } - $block_27 = { BB ?? ?? ?? ?? 3B ?? 1B ?? F7 ?? 03 ?? 03 ?? ?? 3B ?? ?? 0F 87 } - $block_28 = { BE ?? ?? ?? ?? 3B ?? 1B ?? F7 ?? 03 ?? 03 ?? ?? 3B ?? ?? 0F 87 } - $block_29 = { BE ?? ?? ?? ?? 3B ?? ?? 1B ?? F7 ?? 03 ?? 03 ?? 3B ?? ?? 0F 87 } - $block_30 = { 8B ?? ?? 0F B6 ?? ?? 83 ?? ?? C1 ?? ?? 03 ?? 4? 83 ?? ?? 0F 84 } - $block_31 = { 0F B7 ?? 5? 6A ?? 6A ?? 5? FF 1? ?? ?? ?? ?? 8B ?? 83 ?? ?? 74 } - $block_32 = { 8B ?? ?? ?? ?? ?? 6A ?? 8D ?? ?? 5? 6A ?? 5? FF D? 85 ?? 0F 84 } - $block_33 = { 8B ?? ?? 0F B7 ?? ?? 8B ?? ?? 5? 5? 89 ?? ?? 5? 8B ?? 5? C3 } - $block_34 = { 8A ?? ?? 88 ?? ?? 8A ?? ?? 88 ?? ?? 8B ?? ?? 5? 5? C9 C3 } - $block_35 = { 0F B6 ?? ?? 8D ?? ?? C6 ?? ?? ?? ?? ?? ?? 83 ?? ?? 0F 87 } - $block_36 = { 0F B6 ?? ?? 8D ?? ?? ?? 8B ?? C1 ?? ?? 83 ?? ?? 4? 4? E9 } - $block_37 = { 0F B6 ?? ?? 8D ?? ?? ?? 8B ?? C1 ?? ?? 83 ?? ?? 4? 4? EB } - $block_38 = { 0F B6 ?? ?? ?? ?? ?? ?? 83 ?? ?? 8D ?? ?? ?? ?? ?? ?? 8B } - $block_39 = { 0F B6 ?? ?? ?? 0F B6 ?? ?? 83 ?? ?? C1 ?? ?? 03 ?? 8D } - $block_40 = { 0F B6 ?? ?? 8D ?? ?? ?? 8B ?? C1 ?? ?? 4? 83 ?? ?? EB } - $block_41 = { 0F B6 ?? ?? 83 ?? ?? C1 ?? ?? 03 ?? 4? 83 ?? ?? 0F 84 } - $block_42 = { 8B ?? C1 ?? ?? 83 ?? ?? 8D ?? ?? 8B ?? ?? 3B ?? 0F 83 } - $block_43 = { 8B ?? ?? 8B ?? C1 ?? ?? 83 ?? ?? 8D ?? ?? 3B ?? 0F 83 } - $block_44 = { 5? 83 ?? ?? C7 ?? ?? ?? ?? ?? ?? 09 ?? ?? 85 ?? 0F 81 } - $block_45 = { 8B ?? C7 ?? ?? ?? ?? ?? ?? 81 F? ?? ?? ?? ?? 0F 87 } - $block_46 = { 33 ?? 66 ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 0F B7 ?? EB } - $block_47 = { 8B ?? C1 ?? ?? 83 ?? ?? 8D ?? ?? 3B ?? ?? 
0F 83 } - - condition: - hash.sha256(0, filesize) == "6a95d2895362fc8657bc90d73d77e32f09b86699eb625905ddeb45ccd6b13c71" or - hash.sha256(0, filesize) == "bf210e54c65ea69ebda418f701c2c6b8aff840f31c1072d641a726cef8c7b5ad" or - hash.sha256(0, filesize) == "8e28dcf7fd7ce1ad9a65c186e09a7843ee31af924509148f085958cadfdda8fb" or - hash.sha256(0, filesize) == "5b96b07528f762dfcb9d6936995ed4e358d29542ae756f6e5547fa3b5b7797b6" or - hash.sha256(0, filesize) == "a1015f0b99106ae2852d740f366e15c1d5c711f57680a2f04be0283e8310f69e" or - hash.sha256(0, filesize) == "1db9187b7b0e5bc97aca233f29b96295c0bc4058fdcff50df543c1f044e58836" or - hash.sha256(0, filesize) == "f2ede48413704b3efc4d629d3db1a1331352a0afb0d91683640dc4b4af2921d1" or - hash.sha256(0, filesize) == "7889fbd40f65cfe21d0c7486b29eb4c5042abff4ac660c12c7936831445cfd6e" or - hash.sha256(0, filesize) == "2f9834f7b7fe09d98ef7b27d3828691ed4b361d1ccbbf8e10703f9ec03b05259" or - hash.sha256(0, filesize) == "5569b85532adb1e637f83c997910924345f10aa9c2948b3d26be13eec6cbeb8b" or - hash.sha256(0, filesize) == "f4b01a3a299b09d2b4418cb66e80c34e3ec04016ed27199c472515cf95a023d0" or - hash.sha256(0, filesize) == "12a057ca7c92cda3cd0e09efc5bff2ebd3f7d2991e999038c7f31a6ac6a95c3d" or - hash.sha256(0, filesize) == "b1584a6f1059ad1c24bde2a9a8ae83ffc6679eb531d30f3f1c69f81e3a3819dc" or - hash.sha256(0, filesize) == "f151f5a656d43a76a07fa03166906d51f9683b27b0e9b86464e3a68e9dba1fac" or - hash.sha256(0, filesize) == "35c08566dc38ad65e906b3683ace98e5beef855aeedc611a0317a72eee193539" or - hash.sha256(0, filesize) == "62a2df9d001d3e0f222d77b6781eb279761f1354570773ef1929a86557a11454" or - hash.sha256(0, filesize) == "55265193d63d56553e8e135e9a60d7d7c13cbf9d82ac25f84306ec98d74725b0" or - hash.sha256(0, filesize) == "e961202d84aad7fa9faaeb63651735416612d25c611a7a025e2eaab67c79e272" or - hash.sha256(0, filesize) == "29ad305cba186c07cedc1f633c09b9b0171289301e1d4319a1d76d0513a6ac50" or - hash.sha256(0, filesize) == 
"abfffd23c81b6301675567622ccee08cf578ce91f372fce68cff8fc1dbc3053d" or - hash.sha256(0, filesize) == "56dfc5905e7dfc67912ed164dc68c0806fdd3d7cd151415aaffcc1b7ab2f1a84" or - hash.sha256(0, filesize) == "b55e6e10a7f46c97cd247028287ea664bacf7ec7e500a4bf4f53c9dea7625426" or - hash.sha256(0, filesize) == "13a50942322977d6471f71debc6d3db38807d88778366bae6cfcae45823a17f8" or - hash.sha256(0, filesize) == "de8184c6850d17f90e861309828af1f7b7e3b1695ebe5d303d3d4b6ef4ba1218" or - hash.sha256(0, filesize) == "a6e2852f2e6701656da74adb412cd0850b0d27750803613223be3eb5ac5cc26c" or - hash.sha256(0, filesize) == "764f8c8f8832954c99fb0c2ac5ac5d89506dc5dc50310c9112318b75e9f9e2bf" or - hash.sha256(0, filesize) == "1f19bd932336fa721e739b32c07b67c01ea4bd0ebc70e92a70f41e51f4668a0a" or - hash.sha256(0, filesize) == "acd886fa7b9117807f1e11f0f38b9fad1afce51aa9cfbe3810a39d883d0ca663" or - hash.sha256(0, filesize) == "94d39845ec228ff1c84668207c4591ae0e2b6605bdf11e84916534ab09744736" or - hash.sha256(0, filesize) == "05e4224d4dd4e5fbd381ed33edb5bf847fbc138fbe9f57cb7d1f8fc9fa9a382d" or - hash.sha256(0, filesize) == "19580f275b82ee091bdc3028e6e5018fdcc915fe7853d4151b44f3d7e101e531" or - hash.sha256(0, filesize) == "55129d34050b2c028de564e3166611e1d148c26de0972cbe047caf530f118468" or - hash.sha256(0, filesize) == "ecc5e2526ca32a447c862612b71c1db5675a759897e680573fa143ac0a8e662a" or - hash.sha256(0, filesize) == "830ee990a6d4aaf00bb051704c93b468792561e8dd6a6ed4662f6032d38dd37a" or - hash.sha256(0, filesize) == "7815e5275ea849a9ed1f193abd8781ff7ae6b88ef6282f6a0900175a4bb59131" or - hash.sha256(0, filesize) == "c13794601c5bdec3d5d76de9571e6c0e0b022b9fc62907018566895e3b949982" or - hash.sha256(0, filesize) == "6e57c69963562d28a3a9da9f9103c199c909d0baa185a5d21e1b200a5a14ab72" or - hash.sha256(0, filesize) == "2ae4cc6834e3679e99fc93d2f5fba02167a31cf5b68a5a9ca7aa1a4b9f7cb4ae" or - hash.sha256(0, filesize) == "3d0b1f970eaeeabf9372ffc1ad7e61226632904cf0311ea8f872ddbfd34a3a2a" or - hash.sha256(0, filesize) == 
"f0d822926f4e6aec2cf2bd7701d67e8399ccc05bc028377a275a90e06620a109" or - hash.sha256(0, filesize) == "23486eedb5fe8a026f602507f490b4df4721e8befa65007b84c4f5b1ed95e1bd" or - hash.sha256(0, filesize) == "4809c2c7fa19acfa011f97946205f979afb54ac2c166f48ab35a20cd9d53a2ca" or - hash.sha256(0, filesize) == "c60621e82f58b5ea5b36cde40889a076cb2c7f1612144998b1d388200bc7e295" or - hash.sha256(0, filesize) == "fe2672737205351df003e1969ef1ef0df9e13a9a31bf77f844236857ed0b0bf5" or - hash.sha256(0, filesize) == "91b97f3b8ef8ebc8bbd06e06927e7b38090c026f8fca77e209e69c056b042cb7" or - hash.sha256(0, filesize) == "dfe146fffd2ae59172f52048f7e7d231807e0d732e19bdb443820a8305165741" or - hash.sha256(0, filesize) == "354786c5df71cd090c96d1328b4e31cd28b8ddc77904863d100b6c35ad235b69" or - hash.sha256(0, filesize) == "8d457e4189017712917c5c8f900bb9072c5910c9f975c50337115f952d885635" or - hash.sha256(0, filesize) == "6c2409d415e66faebf0a031350b44d5a014ab4f62f2c1a3115982d452b7f97b9" or - hash.sha256(0, filesize) == "cc6ad212f50e0a7a708bb1b63a01d8932f471618cdda69b2e12106ae112b2415" or - hash.sha256(0, filesize) == "7f5d3a8dfa13ba8e2142a3b1d644f107cc89c7e90cda2a5543df5787f8bfde1e" or - hash.sha256(0, filesize) == "15101f74f974e3e80cc37805ebe5cc2efed77bb5745d82e1b44b1da4f0c83691" or - hash.sha256(0, filesize) == "a962ea9027514712ba3949dc3ca54559d1d42e116837dda5f9809d6523a41255" or - hash.sha256(0, filesize) == "9c13a32033bc7dd06016651b0f21a2bed9be1dc40c6879f925c71e05f4f1c8f7" or - hash.sha256(0, filesize) == "415f88765b88dd90e5b0502e4fa1408e06ac9552c7c8974a510e6e23a9756a45" or - 12 of them -} - -rule CozyDuke { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { 8D ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 5? 5? FF D? 85 ?? 0F 85 } - $block_1 = { 8D ?? ?? B8 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 3B ?? ?? 0F 84 } - $block_2 = { 5? 8B ?? 83 ?? ?? A1 ?? ?? ?? ?? 33 ?? 89 ?? ?? 8B ?? ?? 
89 ?? ?? A1 ?? ?? ?? ?? 5? 85 ?? 0F 85 } - $block_3 = { 5? A1 ?? ?? ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 95 ?? C7 ?? ?? ?? ?? ?? ?? 39 ?? ?? 72 } - $block_4 = { 8B ?? 33 ?? 39 ?? ?? 8B ?? 0F 95 ?? 83 ?? ?? 89 ?? ?? 8B ?? ?? FF D? 5? 5? 33 ?? 5? 8B ?? 5? C2 } - $block_5 = { 0F BE ?? ?? 33 ?? 81 F? ?? ?? ?? ?? 81 E? ?? ?? ?? ?? 66 ?? ?? ?? ?? ?? ?? ?? 4? 83 ?? ?? 72 } - $block_6 = { 8B ?? ?? 0F B6 ?? 0F A4 ?? ?? 25 ?? ?? ?? ?? 99 C1 ?? ?? 0B ?? 4? 0B ?? 89 ?? ?? 3B ?? ?? 7C } - $block_7 = { 8B ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 5? 5? 8B ?? ?? FF D? 85 ?? 0F 88 } - $block_8 = { 5? 8B ?? 81 E? ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 ?? 89 ?? ?? 8B ?? ?? 83 ?? ?? 5? 8B ?? ?? 0F 84 } - $block_9 = { 8D ?? ?? ?? 5? 8D ?? ?? ?? 5? 8B ?? ?? ?? 8D ?? ?? ?? 8D ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 } - $block_10 = { 0F BE ?? ?? 66 ?? ?? 48 ?? ?? 66 ?? ?? ?? 66 ?? ?? ?? 66 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 72 } - $block_11 = { 5? 5? 5? 8D ?? ?? ?? ?? ?? 33 ?? E8 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 0F 84 } - $block_12 = { 8B ?? ?? ?? 8D ?? ?? ?? 5? 8D ?? ?? ?? 5? 8D ?? ?? ?? 8D ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 } - $block_13 = { 8B ?? 33 ?? 39 ?? ?? 8B ?? 0F 95 ?? 83 ?? ?? 89 ?? ?? 8B ?? ?? FF D? 5? 33 ?? 5? 8B ?? 5? C2 } - $block_14 = { 8B ?? ?? 8D ?? ?? 5? 8D ?? ?? 5? 8B ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 3B ?? ?? 0F 84 } - $block_15 = { 8B ?? ?? 8B ?? ?? 0F B6 ?? ?? 0F A4 ?? ?? 99 C1 ?? ?? 0B ?? 4? 0B ?? 89 ?? ?? 3B ?? ?? 7C } - $block_16 = { 8B ?? ?? 5? E8 ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 83 ?? ?? 85 ?? 0F 84 } - $block_17 = { 68 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 84 } - $block_18 = { 2B ?? D1 ?? 5? 5? 8D ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 8B ?? ?? 8B ?? 83 ?? ?? 0F 83 } - $block_19 = { 8D ?? ?? ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 3B ?? 0F 84 } - $block_20 = { C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 88 ?? ?? ?? ?? ?? 39 ?? ?? 
?? ?? ?? 0F 82 } - $block_21 = { 8B ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? ?? ?? ?? ?? 3D ?? ?? ?? ?? 0F 8C } - $block_22 = { 8B ?? ?? ?? 8B ?? ?? ?? ?? ?? 6A ?? 5? 5? 5? 33 ?? 33 ?? E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 84 } - $block_23 = { 8B ?? ?? ?? 8B ?? ?? ?? 8B ?? ?? ?? 5? 8B ?? ?? ?? ?? ?? 5? 6A ?? 5? 5? FF D? 85 ?? 0F 85 } - $block_24 = { 8B ?? ?? ?? ?? ?? 4? 83 ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 3B ?? ?? ?? ?? ?? 0F 82 } - $block_25 = { 8D ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 8B ?? ?? 8B ?? ?? 3B ?? ?? 0F 84 } - $block_26 = { 8B ?? ?? 5? BA ?? ?? ?? ?? B8 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 } - $block_27 = { 8B ?? ?? ?? ?? ?? 8B ?? 5? 8B ?? ?? FF D? FF 1? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 0F 82 } - $block_28 = { 5? 8B ?? 83 ?? ?? 83 ?? ?? 5? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 33 ?? 5? 3B ?? 0F 84 } - $block_29 = { 8D ?? ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 3B ?? 0F 84 } - $block_30 = { 8B ?? ?? 8B ?? ?? 5? 5? 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 94 ?? 39 ?? ?? 72 } - $block_31 = { 5? 5? 5? 8D ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 0F 84 } - $block_32 = { 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? E8 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_33 = { 33 ?? 5? 8D ?? ?? 5? 5? 5? 5? 89 ?? ?? 89 ?? ?? 89 ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_34 = { 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? 8B ?? 89 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 } - $block_35 = { 0F BE ?? ?? 33 ?? 81 F? ?? ?? ?? ?? 81 E? ?? ?? ?? ?? 66 ?? ?? ?? ?? 4? 83 ?? ?? 72 } - $block_36 = { 0F BE ?? ?? 33 ?? 83 ?? ?? 81 E? ?? ?? ?? ?? 66 ?? ?? ?? ?? ?? ?? ?? 4? 83 ?? ?? 72 } - $block_37 = { 8D ?? ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 5? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 } - $block_38 = { 5? 8B ?? 83 ?? ?? 5? 8B ?? ?? 8B ?? 5? 8B ?? ?? 5? 8B ?? ?? 89 ?? ?? 83 ?? ?? 0F 84 } - $block_39 = { 83 ?? ?? 8B ?? 03 ?? ?? 5? FF 3? 6A ?? FF D? 5? FF 1? ?? ?? ?? ?? 89 ?? 
85 ?? 0F 84 } - $block_40 = { 8D ?? ?? 5? 5? 5? 5? 5? 5? 5? 5? 5? 6A ?? 8D ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_41 = { 5? 8B ?? 83 ?? ?? 8B ?? ?? ?? ?? ?? 5? 8B ?? ?? ?? ?? ?? 5? 8B ?? 33 ?? 3B ?? 0F 84 } - $block_42 = { 8B ?? ?? ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? 5? 5? 5? FF 1? ?? ?? ?? ?? 5? 85 ?? 0F 85 } - $block_43 = { 8D ?? ?? ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 } - $block_44 = { 0F BE ?? ?? 66 ?? ?? 48 ?? ?? 66 ?? ?? ?? 66 ?? ?? ?? 66 ?? ?? ?? ?? 48 ?? ?? ?? 72 } - $block_45 = { 8D ?? ?? ?? ?? ?? 5? B8 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 } - $block_46 = { 0F AF ?? 5? 03 ?? E8 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 8D ?? ?? 83 ?? ?? 83 ?? ?? 77 } - $block_47 = { 68 ?? ?? ?? ?? 6A ?? FF 1? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 89 ?? ?? 3B ?? 0F 84 } - $block_48 = { 6A ?? 5? 68 ?? ?? ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 8B ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 } - $block_49 = { 8B ?? ?? ?? ?? ?? 8D ?? ?? 5? 5? C6 ?? ?? ?? FF D? 89 ?? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_50 = { FF 7? ?? 8B ?? ?? ?? ?? ?? 6A ?? FF D? 5? FF 1? ?? ?? ?? ?? 89 ?? ?? 85 ?? 0F 84 } - $block_51 = { 8D ?? ?? 5? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 7? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_52 = { 8D ?? ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? FF D? 85 ?? 0F 85 } - $block_53 = { 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_54 = { 8B ?? ?? 8D ?? ?? ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? 8B ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 } - $block_55 = { 8D ?? ?? ?? ?? ?? 8B ?? ?? 68 ?? ?? ?? ?? 33 ?? 8B ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 } - $block_56 = { 0F BE ?? ?? 33 ?? 81 F? ?? ?? ?? ?? 81 E? ?? ?? ?? ?? 66 ?? ?? ?? ?? 4? 3B ?? 72 } - $block_57 = { 8B ?? ?? 69 ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? FF 4? ?? 8B ?? ?? 3B ?? ?? 0F 8C } - $block_58 = { 8D ?? ?? 5? 33 ?? 81 C? ?? ?? ?? ?? 5? 66 ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_59 = { 48 ?? ?? ?? ?? ?? ?? 66 ?? ?? ?? ?? ?? ?? ?? ?? 49 ?? ?? 41 ?? ?? ?? ?? 
?? 0F 1F } - $block_60 = { 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 84 } - $block_61 = { 8B ?? ?? 8B ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 33 ?? 89 ?? ?? 89 ?? ?? 39 ?? ?? 0F 86 } - $block_62 = { 33 ?? 5? 5? 5? 5? 5? E8 ?? ?? ?? ?? CC 8B ?? 5? 8B ?? 5? 5? 5? 8B ?? ?? 85 ?? 75 } - $block_63 = { 83 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 0F 85 } - $block_64 = { 8B ?? 8D ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 84 ?? 0F 84 } - $block_65 = { E8 ?? ?? ?? ?? 99 B9 ?? ?? ?? ?? F7 ?? 4? 80 C? ?? 88 ?? ?? ?? ?? ?? ?? 3B ?? 72 } - $block_66 = { 8B ?? 8D ?? ?? ?? ?? ?? 8B ?? E8 ?? ?? ?? ?? 8B ?? ?? 5? 5? FF D? 85 ?? 0F 85 } - $block_67 = { 8B ?? ?? 8B ?? ?? 6A ?? 5? 8D ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_68 = { 8D ?? ?? 33 ?? 5? 66 ?? ?? ?? FF 1? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 3B ?? 0F 84 } - $block_69 = { 8B ?? ?? 89 ?? ?? 8B ?? ?? 83 ?? ?? 89 ?? ?? 8D ?? ?? 83 ?? ?? 3B ?? ?? 0F 85 } - $block_70 = { 8B ?? ?? ?? ?? ?? 5? 6A ?? 5? FF 1? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_71 = { 5? 8B ?? 83 ?? ?? A1 ?? ?? ?? ?? 33 ?? 89 ?? ?? A1 ?? ?? ?? ?? 5? 85 ?? 0F 85 } - $block_72 = { 8B ?? ?? 8B ?? ?? 8B ?? 5? 5? 8B ?? ?? ?? ?? ?? ?? FF D? 83 ?? ?? 85 ?? 0F 84 } - $block_73 = { 0F B6 ?? ?? 34 ?? 66 ?? ?? 48 ?? ?? 66 ?? ?? ?? 66 ?? ?? ?? ?? 48 ?? ?? ?? 72 } - $block_74 = { 5? 8B ?? 5? 5? 8B ?? ?? 5? 8B ?? 5? 8B ?? ?? 8B ?? ?? 89 ?? ?? 83 ?? ?? 0F 84 } - $block_75 = { 0F BE ?? ?? 33 ?? 83 ?? ?? 81 E? ?? ?? ?? ?? 66 ?? ?? ?? ?? 03 ?? 83 ?? ?? 72 } - $block_76 = { 8B ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 5? 5? FF D? 85 ?? 0F 85 } - $block_77 = { 0F BE ?? ?? 33 ?? 83 ?? ?? 81 E? ?? ?? ?? ?? 66 ?? ?? ?? ?? 4? 83 ?? ?? 72 } - $block_78 = { 8D ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 5? 5? 8B ?? ?? FF D? 3B ?? 0F 85 } - $block_79 = { 8D ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? 5? 5? FF D? 3B ?? 0F 85 } - $block_80 = { 5? 8B ?? ?? ?? ?? ?? 8D ?? ?? 5? 5? C6 ?? 
?? ?? FF D? 89 ?? ?? 85 ?? 0F 84 } - $block_81 = { 8B ?? 83 ?? ?? 5? FF 3? 6A ?? FF D? 5? FF 1? ?? ?? ?? ?? 89 ?? 85 ?? 0F 84 } - $block_82 = { 68 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 8B ?? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 84 } - $block_83 = { 33 ?? 83 ?? ?? 0F 95 ?? 8B ?? 8B ?? ?? 33 ?? E8 ?? ?? ?? ?? 8B ?? 5? C3 } - $block_84 = { 0F BE ?? ?? F7 ?? 33 ?? 81 E? ?? ?? ?? ?? 66 ?? ?? ?? ?? 4? 83 ?? ?? 72 } - $block_85 = { 8D ?? ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_86 = { 8D ?? ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 5? 5? FF D? 85 ?? 0F 85 } - $block_87 = { 42 ?? ?? ?? ?? 32 ?? FE ?? 34 ?? 88 ?? ?? ?? 0F B6 ?? 48 ?? ?? ?? 72 } - $block_88 = { 8A ?? ?? 32 ?? 80 F? ?? FE ?? 88 ?? ?? ?? 0F B6 ?? 83 ?? ?? 72 } - $block_89 = { 8B ?? 33 ?? 0F BE ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 75 } - $block_90 = { 89 ?? ?? ?? ?? ?? C6 ?? ?? ?? 8B ?? ?? ?? ?? ?? 3B ?? 0F 84 } - $block_91 = { 8B ?? ?? ?? ?? ?? 5? 6A ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_92 = { 8A ?? 80 E? ?? 0F BE ?? F7 ?? 1B ?? 81 E? ?? ?? ?? ?? 81 C? } - $block_93 = { 8B ?? ?? ?? ?? ?? 33 ?? 66 ?? ?? ?? 3B ?? ?? ?? ?? ?? 0F 84 } - $block_94 = { 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 33 ?? 3B ?? 0F 84 } - $block_95 = { 8B ?? ?? 8B ?? ?? ?? ?? ?? 0F B7 ?? ?? 83 ?? ?? 5? C3 } - $block_96 = { 48 ?? ?? ?? ?? ?? ?? 66 ?? ?? ?? ?? ?? 49 ?? ?? 0F 1F } - $block_97 = { 8B ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 } - $block_98 = { 0F BE ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 75 } - $block_99 = { 83 ?? ?? ?? ?? ?? ?? 5? 8B ?? ?? ?? ?? ?? 5? 
0F 85 } - - condition: - hash.sha256(0, filesize) == "3dea35172449f0b9a86dff9af3b4480cc4c37a30e8cb54963ff91c4c1ffe7b0d" or - hash.sha256(0, filesize) == "262dbadca239e5259161130ac9f0f5ef50691fd9dc3e3490b6c0d7b76e7ee34e" or - hash.sha256(0, filesize) == "9891b5586cede16aa1e1b87380621f68e8956b991cf7675bbe18d2ec61a7522f" or - hash.sha256(0, filesize) == "01468b1d3e089985a4ed255b6594d24863cfd94a647329c631e4f4e52759f8a9" or - hash.sha256(0, filesize) == "8a5d8d103cb175d7dc41932ef9a890997e25dbe15f94ecd2105835fe49779354" or - hash.sha256(0, filesize) == "7cdb9c2e8b6ca7f0a683a39c0bdadc7a512cff5d8264fdec012c541fd19c0522" or - hash.sha256(0, filesize) == "4bcb2a5d99297b30f8ff00e08cf7330d5e2f69fc602bb317bf8e9f703a137a99" or - hash.sha256(0, filesize) == "c1b19af1e354f13c90163780be6ad50f02d5bf8bac1c9cc1eab1377a159de1be" or - hash.sha256(0, filesize) == "fdd7e8582ef8d7a23f269653435582cfe924ca9b2db34af63af5e57d1f3e09c2" or - hash.sha256(0, filesize) == "ac4ffc7a2ba8840a20f6b07aa44328f1802b79ced6a56b3ac7e78fa1178ba65a" or - hash.sha256(0, filesize) == "4464c945c88ac9a4a22e86f0922f18c164e87f26c3f3fa054eb488fdd7d4bfc8" or - hash.sha256(0, filesize) == "bc7bcb663477238508ce8ad366cc9a77811c7f5eabaec47175858fe972639f40" or - hash.sha256(0, filesize) == "036c5c0075d67f67fee546321f5b9c4f00d37aa9249ffe1627e71946bad4a3d1" or - hash.sha256(0, filesize) == "a5373b33ac970dedeb52528b123959145bf51c95b159a30a7823ad8018ac4b41" or - hash.sha256(0, filesize) == "30c69d91247f8a72a69e4d7c4bce3eafba40975e5890c23dc4dbe7c9a11afa73" or - hash.sha256(0, filesize) == "f6d52c5608931cdf66d71502fcf012b6781edde64ba1f956c1868f7e36d8c8d2" or - hash.sha256(0, filesize) == "dc70d3046b59785b2b9b7091e26f2484ba7a488dba420a8a05be388a337c399e" or - hash.sha256(0, filesize) == "d469000ca9e6af92876334e3a460ea4ac8a61c1a6ee819eefbfd0c79ea4fb315" or - hash.sha256(0, filesize) == "1233cca912fb61873c7388f299a4a1b78054e681941beb31f0a48f8c6d7a182b" or - hash.sha256(0, filesize) == 
"12e1139ef422c2c0884fb5b1786a8489c1769a96880a30406e4a28b76ea4a73a" or - hash.sha256(0, filesize) == "f722677df4fb7eb4ac986a944d4f6630b91ac22b31f8d39ec9bf941376d5d4db" or - hash.sha256(0, filesize) == "1a7239c006a3adf893bdb5c2300b2964ed8bb454e1b622853e4460707dc63c16" or - hash.sha256(0, filesize) == "418a21d49fe5bca8a3e050f039a0e2aa03db6d2de0fb49e3ff9d987f31b22dda" or - hash.sha256(0, filesize) == "65fa52f632e4e83ff83120c7df6b90291025a76d5daeb183e814ec0b3bd2bd4e" or - hash.sha256(0, filesize) == "b9ea2cc39808780ade1fe51287072e958448be7e3a7b32bfd48438453592018c" or - hash.sha256(0, filesize) == "89996b66d5a339939b2072d29675ec3ca6d793f42a5d335a8ea7dab8773321ef" or - hash.sha256(0, filesize) == "6eeffe540693418a107db3e7d2d9b72a54b2354aa6886b571272aa41f8cc8e0c" or - hash.sha256(0, filesize) == "5f827730c7bd155997121f023ca9775077a37a58111738fcb3213757170bd860" or - hash.sha256(0, filesize) == "637cabc343e3ed5b447dccb13aa7caf4d3a3eb3cd617d360167f270ec34596ea" or - hash.sha256(0, filesize) == "70ae2363191e8b20d1773ecc73afc2b9a5dd8247c7b97eecfd1378f3e7aabf92" or - hash.sha256(0, filesize) == "b9c996b06e0db273a4edede3fd6fda2b40b2e0201eba3e8ac581d802fc610a4a" or - hash.sha256(0, filesize) == "18c0b02776487babbf6219cdaf97cbf2b534e0cf87a527228dda2d4a468a257f" or - hash.sha256(0, filesize) == "7ed2d1aceab5f54df4acca63b5d269842d49521e13bab5e652237667c7eef261" or - hash.sha256(0, filesize) == "86056f462d5783604b7f050047db210ecf698e72f3664b27d58265663ff5b324" or - 12 of them -} - -rule BlackEnergyPluginMalwareUpdate { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { 8B ?? ?? 8B ?? ?? ?? ?? ?? 8D ?? ?? 8B ?? ?? 8B ?? ?? 03 ?? 8B ?? 2B ?? 89 ?? ?? 3B ?? ?? 0F 83 } - $block_1 = { 68 ?? ?? ?? ?? 6A ?? E8 ?? ?? ?? ?? 8D ?? ?? 5? FF 7? ?? 5? FF 7? ?? FF D? 85 ?? 0F 84 } - $block_2 = { 68 ?? ?? ?? ?? 6A ?? E8 ?? ?? ?? ?? 8D ?? ?? 5? 5? FF 7? ?? FF D? 85 ?? 0F 84 } - $block_3 = { 8D ?? ?? 5? 6A ?? 6A ?? FF 7? ?? E8 ?? ?? ?? ?? BE ?? 
?? ?? ?? 85 ?? 0F 84 } - $block_4 = { 5? 8B ?? 83 ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? 85 ?? 0F 84 } - $block_5 = { 5? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 84 } - $block_6 = { 68 ?? ?? ?? ?? 6A ?? E8 ?? ?? ?? ?? FF D? 3D ?? ?? ?? ?? 0F 85 } - $block_7 = { FF 7? ?? 8B ?? ?? FF 3? 33 ?? E8 ?? ?? ?? ?? 5? 5? 85 ?? 0F 85 } - $block_8 = { 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? FF D? 3D ?? ?? ?? ?? 0F 85 } - $block_9 = { 68 ?? ?? ?? ?? 6A ?? E8 ?? ?? ?? ?? FF D? 83 ?? ?? 0F 85 } - $block_10 = { 5? 5? E8 ?? ?? ?? ?? 33 ?? 89 ?? ?? 3B ?? 0F 84 } - - condition: - hash.sha256(0, filesize) == "e1fc973641508fa98ad4c338122484f6c3aee64488b0c91f7eccf6453927fdf8" or - 11 of them -} - -rule BlackEnergyDropper { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { 5? 8D ?? ?? ?? ?? ?? 8B ?? ?? 89 ?? BB ?? ?? ?? ?? BE ?? ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? C9 C2 } - $block_1 = { E8 ?? ?? ?? ?? 8A ?? ?? 5? D5 ?? F1 8D ?? ?? 5? F7 ?? B9 ?? ?? ?? ?? 8D ?? ?? 5? 6A ?? 5? E9 } - $block_2 = { 83 ?? ?? 8D ?? ?? B8 ?? ?? ?? ?? 83 ?? ?? ?? B8 ?? ?? ?? ?? 8D ?? 8B ?? ?? 8B ?? 85 ?? 0F 84 } - $block_3 = { 4? 9? CD ?? 25 ?? ?? ?? ?? 0D ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 4? FC 04 ?? 72 } - $block_4 = { 4? 3C ?? 68 ?? ?? ?? ?? BB ?? ?? ?? ?? F8 89 ?? B8 ?? ?? ?? ?? F3 ?? 8D ?? ?? F7 ?? E9 } - $block_5 = { 89 ?? 8B ?? ?? B9 ?? ?? ?? ?? 0F B7 ?? ?? 2B ?? 8D ?? ?? ?? 2B ?? 66 ?? ?? ?? 0F 82 } - $block_6 = { 6E F7 ?? 03 ?? BF ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 89 ?? ?? BF ?? ?? ?? ?? 8D ?? E9 } - $block_7 = { 5? 8B ?? ?? 68 ?? ?? ?? ?? 6A ?? E8 ?? ?? ?? ?? 5? 6A ?? FF D? 8B ?? 85 ?? 0F 84 } - $block_8 = { 28 ?? ?? ?? C9 89 ?? F7 ?? 0A ?? 8D ?? ?? BA ?? ?? ?? ?? 33 ?? 8A ?? F7 ?? E9 } - $block_9 = { 8E ?? 16 B3 ?? 65 ?? 80 3? ?? ?? ?? ?? ?? 5? F7 ?? BA ?? ?? ?? ?? 5? 89 ?? E9 } - $block_10 = { 37 81 4? ?? ?? ?? ?? ?? F6 ?? 2A ?? ?? B2 ?? E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 84 } - $block_11 = { 0B ?? BB ?? ?? ?? ?? F7 ?? 5? 5? 
B9 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 03 ?? 0F 85 } - $block_12 = { 8B ?? ?? 8D ?? ?? 8B ?? ?? 03 ?? 8B ?? 2B ?? 8B ?? ?? ?? ?? ?? 3B ?? ?? 0F 83 } - $block_13 = { 8B ?? ?? 68 ?? ?? ?? ?? 6A ?? 03 ?? E8 ?? ?? ?? ?? 5? FF D? 8B ?? 85 ?? 0F 84 } - $block_14 = { 01 ?? EF AA 3C ?? AD 26 ?? ?? ?? ?? ?? F7 ?? 8B ?? 03 ?? D1 ?? 83 ?? ?? E9 } - $block_15 = { 8B ?? ?? F7 ?? 8D ?? ?? F7 ?? 8B ?? 2B ?? 83 ?? ?? 89 ?? ?? 3B ?? ?? 0F 86 } - $block_16 = { D7 C8 ?? ?? ?? AD 8D ?? ?? 8B ?? ?? ?? 8B ?? 2B ?? D3 ?? 2B ?? 03 ?? 0F 84 } - $block_17 = { 89 ?? BA ?? ?? ?? ?? 5? BA ?? ?? ?? ?? 0F B6 ?? 89 ?? BA ?? ?? ?? ?? E9 } - $block_18 = { 0F C9 89 ?? F7 ?? 0A ?? 8D ?? ?? BA ?? ?? ?? ?? 33 ?? 8A ?? F7 ?? E9 } - $block_19 = { 32 ?? ?? 4? 8E ?? ?? 1C ?? 9? BF ?? ?? ?? ?? D6 89 ?? 8B ?? ?? ?? E9 } - $block_20 = { 60 30 ?? ?? ?? ?? ?? BE ?? ?? ?? ?? BE ?? ?? ?? ?? 8B ?? ?? F7 ?? E9 } - $block_21 = { 86 ?? 3F 9A ?? ?? ?? ?? ?? ?? 5? 18 ?? D6 8B ?? ?? ?? 89 ?? ?? E9 } - $block_22 = { 5? CD ?? FF 5? ?? 01 ?? 4? 05 ?? ?? ?? ?? D0 ?? ?? ?? ?? ?? EF 75 } - $block_23 = { 9A ?? ?? ?? ?? ?? ?? 0A ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 } - $block_24 = { BF ?? ?? ?? ?? 89 ?? 5? 5? 5? FF D? 80 B? ?? ?? ?? ?? ?? 0F 85 } - $block_25 = { 5? 5? 03 ?? 33 ?? F7 ?? 4? 89 ?? ?? E8 ?? ?? ?? ?? 3B ?? 0F 83 } - $block_26 = { 1A ?? B0 ?? AF AB 9? 4? 4? 89 ?? ?? E8 ?? ?? ?? ?? 3B ?? 0F 82 } - $block_27 = { 8B ?? ?? B9 ?? ?? ?? ?? 89 ?? 8D ?? 2B ?? 0F B7 ?? ?? 2B ?? E9 } - $block_28 = { 0F AC ?? ?? 2E ?? ?? E5 ?? D6 05 ?? ?? ?? ?? FF D? 85 ?? 0F 85 } - $block_29 = { F9 AC BF ?? ?? ?? ?? B8 ?? ?? ?? ?? 8B ?? ?? F7 ?? F7 ?? E9 } - $block_30 = { BB ?? ?? ?? ?? D7 2A ?? 5? A5 5? FF D? 5? 5? 85 ?? 0F 85 } - $block_31 = { 89 ?? 8B ?? ?? 89 ?? B9 ?? ?? ?? ?? 0F B7 ?? ?? E9 } - $block_32 = { 33 ?? ?? 4? 4? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 } - $block_33 = { 89 ?? 5? 5? 5? FF D? 80 B? ?? ?? ?? ?? ?? 
0F 85 } - - condition: - hash.sha256(0, filesize) == "e052ea4fbc3aeed1e46df6966bb60c29c6e706ba8fd737fd9ab414fc29189345" or - hash.sha256(0, filesize) == "23f9272cb2f08dfe5c847ba7764d003310d26585b22ebd1d8d77935907474235" or - hash.sha256(0, filesize) == "07a76c1d09a9792c348bb56572692fcc4ea5c96a77a2cddf23c0117d03a0dfad" or - hash.sha256(0, filesize) == "6d4d0715b274bd8331e67b064416e0806d1c0941930ba9ee6e4bac0eb360f7e6" or - 12 of them -} - -rule BlackEnergyDriver { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { 0F BF ?? ?? BA ?? ?? ?? ?? 89 ?? ?? B9 ?? ?? ?? ?? 8B ?? ?? BA ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? E9 } - $block_1 = { E8 ?? ?? ?? ?? 48 ?? ?? FF D? BA ?? ?? ?? ?? 33 ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? 0F 84 } - $block_2 = { 89 ?? ?? 8D ?? ?? 89 ?? 8D ?? ?? ?? ?? ?? ?? 8B ?? ?? B8 ?? ?? ?? ?? 8B ?? ?? 83 ?? ?? 0F 84 } - $block_3 = { 03 ?? ?? 8D ?? 8D ?? ?? B9 ?? ?? ?? ?? 89 ?? ?? B9 ?? ?? ?? ?? 89 ?? 8B ?? ?? 83 ?? ?? 0F 84 } - $block_4 = { E8 ?? ?? ?? ?? 4? E4 ?? D1 ?? 65 ?? ?? 00 ?? ?? EE 9? 1F D8 ?? ?? 0E 27 13 ?? ?? 9? 07 1E 7F } - $block_5 = { 4? 06 60 6A ?? 4? 8B ?? ?? 81 E? ?? ?? ?? ?? FF 0? 8B ?? ?? ?? ?? ?? 8D ?? ?? F7 ?? F7 ?? E9 } - $block_6 = { 4? 14 ?? 39 ?? A2 ?? ?? ?? ?? 0D ?? ?? ?? ?? 5? 0C ?? 06 8B ?? ?? 8B ?? 5? 5? 5? 89 ?? ?? E9 } - $block_7 = { 89 ?? 89 ?? 8B ?? ?? 8D ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 89 ?? 8B ?? ?? ?? ?? ?? 3B ?? ?? 0F 83 } - $block_8 = { 8B ?? ?? F7 ?? 8B ?? ?? 89 ?? 8D ?? ?? ?? ?? ?? ?? 89 ?? 0F B7 ?? ?? C1 ?? ?? 83 ?? ?? 0F 84 } - $block_9 = { 0F B6 ?? ?? 8D ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? 5? F7 ?? F7 ?? 8B ?? ?? 5? E8 ?? ?? ?? ?? 5? E9 } - $block_10 = { BA ?? ?? ?? ?? 49 ?? ?? E8 ?? ?? ?? ?? BA ?? ?? ?? ?? 33 ?? FF D? 48 ?? ?? 48 ?? ?? 0F 84 } - $block_11 = { BA ?? ?? ?? ?? 41 ?? ?? E8 ?? ?? ?? ?? 41 ?? ?? ?? ?? 33 ?? FF D? 48 ?? ?? 48 ?? ?? 0F 84 } - $block_12 = { 8B ?? ?? B8 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? F7 ?? 0F B6 ?? ?? 89 ?? B9 ?? ?? ?? ?? 89 ?? 
E9 } - $block_13 = { 1E DF ?? ?? ?? ?? ?? 5? 36 ?? ?? D2 ?? D2 ?? 27 BF ?? ?? ?? ?? 1D ?? ?? ?? ?? 9? 04 ?? 73 } - $block_14 = { 8B ?? ?? B9 ?? ?? ?? ?? 89 ?? 8D ?? ?? 0F B7 ?? ?? B8 ?? ?? ?? ?? 8D ?? BA ?? ?? ?? ?? E9 } - $block_15 = { F7 ?? BA ?? ?? ?? ?? 89 ?? B8 ?? ?? ?? ?? 0F B6 ?? ?? 0F B6 ?? ?? F7 ?? B9 ?? ?? ?? ?? E9 } - $block_16 = { 4? D7 3E ?? ?? ?? ?? ?? B1 ?? B8 ?? ?? ?? ?? 8B ?? 89 ?? F7 ?? 8B ?? ?? 83 ?? ?? ?? 0F 87 } - $block_17 = { B8 ?? ?? ?? ?? B8 ?? ?? ?? ?? 8D ?? ?? 33 ?? BF ?? ?? ?? ?? F7 ?? 89 ?? 8B ?? 3B ?? 0F 82 } - $block_18 = { F7 ?? 03 ?? ?? F7 ?? F7 ?? 89 ?? ?? 89 ?? B9 ?? ?? ?? ?? F7 ?? 8B ?? ?? 83 ?? ?? ?? 0F 85 } - $block_19 = { BA ?? ?? ?? ?? 41 ?? ?? E8 ?? ?? ?? ?? 41 ?? ?? ?? 33 ?? FF D? 48 ?? ?? 48 ?? ?? 0F 84 } - $block_20 = { 44 ?? ?? ?? 49 ?? ?? 48 ?? ?? ?? E8 ?? ?? ?? ?? 0F B7 ?? ?? 45 ?? ?? 66 ?? ?? ?? ?? 73 } - $block_21 = { 8D ?? 8B ?? ?? 0F B7 ?? ?? ?? 89 ?? 8D ?? ?? ?? 5? E8 ?? ?? ?? ?? 0F B6 ?? 85 ?? 0F 85 } - $block_22 = { 8D ?? ?? ?? ?? ?? 8B ?? ?? 8B ?? ?? 8D ?? ?? ?? ?? ?? 89 ?? 89 ?? 8B ?? ?? 3B ?? 0F 85 } - $block_23 = { F3 ?? ?? ?? 9E E7 ?? 10 ?? D1 ?? ?? ?? ?? ?? 4? FC 8D ?? 89 ?? 8B ?? ?? 3B ?? ?? 0F 8C } - $block_24 = { B7 ?? 4? 39 ?? EC F7 ?? 89 ?? F7 ?? C7 ?? ?? ?? ?? ?? ?? F7 ?? 8B ?? ?? 3B ?? ?? 0F 87 } - $block_25 = { C5 ?? AC AF 9F 5? 8A ?? FF B? ?? ?? ?? ?? 0E F9 89 ?? ?? 8B ?? ?? 83 ?? ?? 89 ?? ?? E9 } - $block_26 = { 03 ?? ?? F7 ?? B9 ?? ?? ?? ?? 8B ?? ?? 89 ?? 89 ?? 8D ?? ?? 8B ?? ?? 39 ?? ?? 0F 82 } - $block_27 = { 9D 1F BB ?? ?? ?? ?? A3 ?? ?? ?? ?? 8D ?? ?? 8D ?? ?? 8B ?? ?? 83 ?? ?? 89 ?? ?? E9 } - $block_28 = { 8D ?? ?? ?? ?? ?? 89 ?? 8B ?? ?? B9 ?? ?? ?? ?? 0F B7 ?? ?? C1 ?? ?? 83 ?? ?? 0F 85 } - $block_29 = { 6E EA ?? ?? ?? ?? ?? ?? 0C ?? 8B ?? ?? 89 ?? B8 ?? ?? ?? ?? 03 ?? ?? F7 ?? 8D ?? E9 } - $block_30 = { 4? 8C ?? 89 ?? ?? ?? ?? ?? F7 ?? 8B ?? ?? F7 ?? 8B ?? ?? ?? ?? ?? 3B ?? ?? 0F 82 } - $block_31 = { DA ?? ?? 5? 0C ?? 07 03 ?? ?? 89 ?? 0F B6 ?? 89 ?? 33 ?? 8D ?? ?? 8D ?? ?? ?? 
E9 } - $block_32 = { 8B ?? ?? B9 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 03 ?? ?? F7 ?? 8D ?? ?? 0F B6 ?? E9 } - $block_33 = { 6E AC 8D ?? ?? ?? ?? ?? C1 ?? ?? 8D ?? ?? ?? ?? ?? F7 ?? 8B ?? ?? ?? C1 ?? ?? E9 } - $block_34 = { F7 ?? 8B ?? ?? B9 ?? ?? ?? ?? 8D ?? F7 ?? 8B ?? ?? 0F B7 ?? ?? B8 ?? ?? ?? ?? E9 } - $block_35 = { 69 ?? ?? ?? ?? ?? ?? 86 ?? ?? ?? ?? ?? 67 ?? 5? 8B ?? ?? ?? ?? ?? 3B ?? ?? 0F 83 } - $block_36 = { 8B ?? ?? B8 ?? ?? ?? ?? F7 ?? 8B ?? ?? B8 ?? ?? ?? ?? 8D ?? ?? 0F BF ?? ?? E9 } - $block_37 = { 85 ?? ?? 83 ?? ?? ?? AE 5? 05 ?? ?? ?? ?? BA ?? ?? ?? ?? 8B ?? ?? 3B ?? 0F 82 } - $block_38 = { 8B ?? ?? 0F B7 ?? ?? F7 ?? 25 ?? ?? ?? ?? F7 ?? 8D ?? 8D ?? 8B ?? ?? 03 ?? E9 } - $block_39 = { 9? 1A ?? 26 ?? 66 ?? ?? ?? 5? D3 ?? 06 10 ?? ?? ?? ?? ?? 19 ?? ?? 1A ?? ?? 78 } - $block_40 = { AF 88 ?? ?? ?? ?? ?? 65 ?? 0C ?? FF 5? ?? 5? E4 ?? FF 8? ?? ?? ?? ?? B6 ?? E9 } - $block_41 = { 8B ?? ?? 8D ?? 03 ?? ?? 89 ?? 0F B6 ?? 89 ?? 33 ?? 8D ?? ?? 8D ?? ?? ?? E9 } - $block_42 = { C4 ?? ?? ?? 20 ?? 5? 9B 6D 14 ?? E8 ?? ?? ?? ?? 89 ?? ?? 83 ?? ?? ?? 0F 84 } - $block_43 = { CC 15 ?? ?? ?? ?? 8A ?? ?? ?? ?? ?? 65 ?? 5? B6 ?? D3 ?? ?? ?? ?? ?? 9D E9 } - $block_44 = { 27 99 6B ?? ?? ?? 8A ?? AA F1 89 ?? 8B ?? ?? F7 ?? 89 ?? F7 ?? 5? 8D ?? E9 } - $block_45 = { F1 18 ?? 1A ?? ?? A8 ?? 5? B5 ?? 23 ?? ?? ?? ?? ?? 8B ?? ?? 8B ?? ?? 5? E9 } - $block_46 = { 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? E9 } - $block_47 = { 80 1? ?? 8C ?? ?? ?? ?? ?? 0C ?? 89 ?? 89 ?? 88 ?? ?? 89 ?? 0F B6 ?? ?? E9 } - $block_48 = { 8B ?? ?? 89 ?? BA ?? ?? ?? ?? BA ?? ?? ?? ?? 8B ?? ?? 8B ?? ?? 3B ?? 0F 84 } - $block_49 = { D0 ?? ?? ?? ?? ?? 8B ?? ?? 89 ?? 89 ?? 8D ?? ?? 8B ?? ?? 39 ?? ?? 0F 82 } - $block_50 = { 8B ?? ?? 8D ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? 89 ?? 8B ?? ?? 83 ?? ?? 0F 84 } - $block_51 = { EF F7 ?? 5? B9 ?? ?? ?? ?? F7 ?? 8D ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? E9 } - $block_52 = { 8B ?? ?? F7 ?? 8D ?? ?? 8D ?? ?? 03 ?? ?? 8D ?? ?? ?? ?? ?? 0F B6 ?? 
E9 } - $block_53 = { F7 ?? B8 ?? ?? ?? ?? 89 ?? 8B ?? ?? F7 ?? F7 ?? 8B ?? 03 ?? 85 ?? 0F 85 } - $block_54 = { 8B ?? ?? BE ?? ?? ?? ?? 8B ?? ?? 83 ?? ?? 83 ?? ?? 89 ?? ?? 85 ?? 0F 85 } - $block_55 = { B9 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 88 ?? ?? F7 ?? 0F B6 ?? ?? 89 ?? E9 } - $block_56 = { 8B ?? ?? F7 ?? B9 ?? ?? ?? ?? 8B ?? ?? 8D ?? 0F B7 ?? ?? F7 ?? 89 ?? E9 } - $block_57 = { 8D ?? ?? 33 ?? 44 ?? ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? 0F 84 } - $block_58 = { 0F BE ?? ?? 8D ?? ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 89 ?? 0F BE ?? ?? E9 } - $block_59 = { F7 ?? 89 ?? F7 ?? C7 ?? ?? ?? ?? ?? ?? F7 ?? 8B ?? ?? 3B ?? ?? 0F 87 } - $block_60 = { 8B ?? ?? 48 ?? ?? ?? E8 ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? 84 ?? 0F 84 } - $block_61 = { 5? B4 ?? E5 ?? 38 ?? ?? ?? ?? ?? 07 2E ?? ?? F8 B4 ?? 3A ?? 5? EB } - $block_62 = { 8D ?? ?? 8B ?? ?? 2B ?? 8B ?? ?? B9 ?? ?? ?? ?? F7 ?? 85 ?? 0F 84 } - $block_63 = { D5 ?? 35 ?? ?? ?? ?? 5? 5? 4? 4? AE 10 ?? ?? ?? ?? ?? 89 ?? ?? E9 } - $block_64 = { E8 ?? ?? ?? ?? 61 DF ?? 4? 8B ?? ?? 8D ?? ?? 8B ?? ?? 89 ?? ?? E9 } - $block_65 = { BA ?? ?? ?? ?? 33 ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? 0F 84 } - $block_66 = { 89 ?? 89 ?? 8B ?? ?? 89 ?? 0F B7 ?? ?? C1 ?? ?? 83 ?? ?? 0F 85 } - $block_67 = { 2C ?? 28 ?? ?? ?? ?? ?? 4? F7 ?? F7 ?? 8B ?? ?? 3B ?? ?? 0F 8D } - $block_68 = { 27 2A ?? ?? ?? ?? ?? EC 5? E8 ?? ?? ?? ?? 0F B6 ?? 85 ?? 0F 84 } - $block_69 = { D1 ?? ?? ?? ?? ?? EC 0C ?? 04 ?? 00 ?? 00 ?? 61 D7 0A ?? 4? 76 } - $block_70 = { D1 ?? 89 ?? 88 ?? ?? F7 ?? BA ?? ?? ?? ?? 0F B6 ?? ?? 8D ?? E9 } - $block_71 = { BF ?? ?? ?? ?? F7 ?? 89 ?? 8D ?? ?? ?? F7 ?? 8B ?? 3B ?? 0F 82 } - $block_72 = { 06 1A ?? ?? ?? ?? ?? 1B ?? ?? ?? ?? ?? F7 ?? 89 ?? 8B ?? ?? E9 } - $block_73 = { 8B ?? ?? F7 ?? 89 ?? 03 ?? ?? 0F B6 ?? F7 ?? 89 ?? 89 ?? E9 } - $block_74 = { 8B ?? ?? 5? 6A ?? E8 ?? ?? ?? ?? 89 ?? ?? 83 ?? ?? ?? 0F 84 } - $block_75 = { 1E 4? 9B 36 ?? 8B ?? ?? ?? B7 ?? 5? C1 ?? ?? 83 ?? ?? 0F 84 } - $block_76 = { B8 ?? ?? ?? ?? 8B ?? 89 ?? F7 ?? 8B ?? ?? 83 ?? ?? ?? 
0F 87 } - $block_77 = { 16 85 ?? ?? B6 ?? 4? 5? F4 62 ?? ?? 89 ?? 83 ?? ?? F7 ?? E9 } - $block_78 = { F7 ?? 89 ?? ?? 8D ?? ?? ?? ?? ?? ?? 8B ?? ?? 3B ?? ?? 0F 8C } - $block_79 = { 85 ?? ?? ?? ?? ?? A6 89 ?? ?? 89 ?? 89 ?? ?? 89 ?? 89 ?? E9 } - $block_80 = { 15 ?? ?? ?? ?? 5? F4 F7 ?? 8D ?? 0F B6 ?? ?? 85 ?? 0F 85 } - $block_81 = { 89 ?? 88 ?? ?? F7 ?? BA ?? ?? ?? ?? 0F B6 ?? ?? 8D ?? E9 } - $block_82 = { 4? B7 ?? 64 ?? ?? AD B3 ?? 8A ?? ?? ?? ?? ?? 5? F7 ?? E9 } - $block_83 = { 2B ?? C7 ?? ?? ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 3B ?? 0F 86 } - $block_84 = { 8D ?? ?? ?? ?? ?? 0F B6 ?? 5? E8 ?? ?? ?? ?? 88 ?? ?? E9 } - $block_85 = { F7 ?? 8D ?? ?? 8B ?? ?? F7 ?? 89 ?? 0F BE ?? 85 ?? 0F 84 } - $block_86 = { 8B ?? ?? 8D ?? 8D ?? ?? 89 ?? 0F B6 ?? ?? 85 ?? 0F 84 } - $block_87 = { 0F BE ?? ?? F7 ?? 89 ?? 89 ?? 0F BE ?? ?? 3B ?? 0F 85 } - $block_88 = { F7 ?? ?? 3B ?? 4? 89 ?? ?? 81 7? ?? ?? ?? ?? ?? 0F 8C } - $block_89 = { F4 1B ?? F7 ?? EE E8 ?? ?? ?? ?? 4? 06 39 ?? ?? 0F 82 } - $block_90 = { 8B ?? ?? F7 ?? F7 ?? 0F B7 ?? 81 F? ?? ?? ?? ?? 0F 85 } - $block_91 = { 5? ED 0C ?? 9C 4? AF 9? 82 E? ?? 35 ?? ?? ?? ?? 73 } - $block_92 = { 0F BE ?? ?? 89 ?? 8D ?? ?? 0F BE ?? ?? 3B ?? 0F 85 } - $block_93 = { 8B ?? ?? 0F BE ?? ?? 03 ?? 33 ?? BE ?? ?? ?? ?? E9 } - $block_94 = { 8B ?? ?? 89 ?? B8 ?? ?? ?? ?? 8B ?? ?? 3B ?? 0F 84 } - $block_95 = { 5? 6A ?? E8 ?? ?? ?? ?? 89 ?? ?? 83 ?? ?? ?? 0F 84 } - $block_96 = { 8B ?? ?? 5? E8 ?? ?? ?? ?? 0F B6 ?? 85 ?? 0F 84 } - $block_97 = { BA ?? ?? ?? ?? 8B ?? ?? 81 E? ?? ?? ?? ?? 0F 85 } - $block_98 = { 5? A4 8B ?? ?? B8 ?? ?? ?? ?? F7 ?? 89 ?? ?? E9 } - $block_99 = { 6A ?? E8 ?? ?? ?? ?? 89 ?? ?? 83 ?? ?? ?? 
0F 84 } - - condition: - hash.sha256(0, filesize) == "1ce0dfe1a6663756a32c69f7494ad082d293d32fe656d7908fb445283ab5fa68" or - hash.sha256(0, filesize) == "edb16d3ccd50fc8f0f77d0875bf50a629fa38e5ba1b8eeefd54468df97eba281" or - hash.sha256(0, filesize) == "32d3121135a835c3347b553b70f3c4c68eef711af02c161f007a9fbaffe7e614" or - hash.sha256(0, filesize) == "4d31a81515ea04765b488dadc49acac4a2b81ca16eee1993ccd97b51a75510d5" or - hash.sha256(0, filesize) == "244dd8018177ea5a92c70a7be94334fa457c1aab8a1c1ea51580d7da500c3ad5" or - hash.sha256(0, filesize) == "7874a10e551377d50264da5906dc07ec31b173dee18867f88ea556ad70d8f094" or - hash.sha256(0, filesize) == "ac13b819379855af80ea3499e7fb645f1c96a4a6709792613917df4276c583fc" or - hash.sha256(0, filesize) == "cbc4b0aaa30b967a6e29df452c5d7c2a16577cede54d6d705ca1f095bd6d4988" or - hash.sha256(0, filesize) == "cfb20e7516b42486d11c59021a8be8a457ee1fa0d0be6d5d958e80b3cfeb04ae" or - hash.sha256(0, filesize) == "3432db9cb1fb9daa2f2ac554a0a006be96040d2a7776a072a8db051d064a8be2" or - hash.sha256(0, filesize) == "2aade7381aa87f55b7d7a5284d22be5472fd8cd966d216fd4445ca3a8bbb3ff3" or - hash.sha256(0, filesize) == "166ba02539d3ea8cd1298d916fad1264a815f55798df5477698b7d775542b696" or - hash.sha256(0, filesize) == "405013e66b6f137f915738e5623228f36c74e362873310c5f2634ca2fda6fbc5" or - hash.sha256(0, filesize) == "97be6b2cec90f655ef11ed9feef5b9ef057fd8db7dd11712ddb3702ed7c7bda1" or - hash.sha256(0, filesize) == "90ba78b6710462c2d97815e8745679942b3b296135490f0095bdc0cd97a34d9c" or - hash.sha256(0, filesize) == "7a393b3eadfc8938cbecf84ca630e56e37d8b3d23e084a12ea5a7955642db291" or - hash.sha256(0, filesize) == "ca7a8180996a98e718f427837f9d52453b78d0a307e06e1866db4d4ce969d525" or - hash.sha256(0, filesize) == "ed080c2635180f27c8d288e96c1105d0914dc1bb55917d2f5f2538fc32974aa2" or - hash.sha256(0, filesize) == "43ce710a83c99fb4c0bac2ea93727a9d5dda6e82e30b5fe861f9e3e0acddaa1c" or - hash.sha256(0, filesize) == 
"edcd1722fdc2c924382903b7e4580f9b77603110e497393c9947d45d311234bf" or - hash.sha256(0, filesize) == "81125a5eb555dc898a5af966cf5ac8380e6c8e64a1c7f7981e8db8c9dbb37394" or - hash.sha256(0, filesize) == "5111de45210751c8e40441f16760bf59856ba798ba99e3c9532a104752bf7bcc" or - hash.sha256(0, filesize) == "b73777469f939c331cbc1c9ad703f973d55851f3ad09282ab5b3546befa5b54a" or - 12 of them -} - -rule BlackEnergyPluginNetworkDiscovery { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { 8B ?? ?? 8B ?? ?? ?? ?? ?? 8D ?? ?? 8B ?? ?? 8B ?? ?? 03 ?? 8B ?? 2B ?? 89 ?? ?? 3B ?? ?? 0F 83 } - $block_1 = { 68 ?? ?? ?? ?? 6A ?? E8 ?? ?? ?? ?? 8D ?? ?? 5? 68 ?? ?? ?? ?? FF 7? ?? FF D? 85 ?? 0F 84 } - $block_2 = { 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? ?? 8D ?? ?? ?? 5? 6A ?? FF D? 89 ?? ?? 3B ?? 0F 84 } - $block_3 = { 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 5? 6A ?? 68 ?? ?? ?? ?? FF D? 89 ?? ?? 85 ?? 0F 84 } - $block_4 = { 5? 8B ?? ?? 68 ?? ?? ?? ?? 6A ?? E8 ?? ?? ?? ?? 5? 6A ?? FF D? 89 ?? ?? 85 ?? 0F 84 } - $block_5 = { 68 ?? ?? ?? ?? 6A ?? E8 ?? ?? ?? ?? 8D ?? ?? 5? 5? FF 7? ?? FF D? 85 ?? 0F 84 } - $block_6 = { 8B ?? ?? 5? 6A ?? E8 ?? ?? ?? ?? 5? 6A ?? FF D? 8B ?? 89 ?? ?? 3B ?? 0F 84 } - $block_7 = { FF 4? ?? 6A ?? 8D ?? ?? 5? FF 7? ?? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 } - $block_8 = { 03 ?? 0F B6 ?? C1 ?? ?? 8A ?? ?? ?? ?? ?? 4? 88 ?? 3B ?? 0F BE ?? 75 } - $block_9 = { 5? 5? 5? 8D ?? ?? 5? C7 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 } - $block_10 = { FF 7? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 } - $block_11 = { 8B ?? 8B ?? ?? 8B ?? ?? 8B ?? ?? 89 ?? ?? 89 ?? ?? 3B ?? 0F 84 } - $block_12 = { 8D ?? ?? 5? 6A ?? 6A ?? FF 7? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 } - $block_13 = { 5? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? 3B ?? 0F 85 } - $block_14 = { 8B ?? ?? C1 ?? ?? 5? 5? 89 ?? ?? 89 ?? ?? 3B ?? 0F 86 } - $block_15 = { 5? 8B ?? 83 ?? ?? 5? 33 ?? 89 ?? ?? 39 ?? ?? 
0F 84 } - - condition: - hash.sha256(0, filesize) == "325db53fdeb928597531ee1d20f7528f687c2c5611e3fa408f41a654e73b0f1b" or - 12 of them -} - -rule VPNFilterStage1 { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { B8 ?? ?? ?? ?? 8D ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 } - $block_1 = { 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? FC C1 ?? ?? F3 ?? F6 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 74 } - $block_2 = { 31 ?? 89 ?? ?? ?? 8B ?? ?? 89 ?? ?? 89 ?? ?? ?? 8B ?? ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 } - $block_3 = { BB ?? ?? ?? ?? B9 ?? ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 } - $block_4 = { 8B ?? ?? 8B ?? ?? 8B ?? ?? 8B ?? ?? 89 ?? ?? ?? ?? ?? 31 ?? 83 ?? ?? ?? 89 ?? ?? ?? ?? ?? 0F 84 } - $block_5 = { 8D ?? ?? ?? ?? ?? 89 ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? ?? 0F 84 } - $block_6 = { 5? B9 ?? ?? ?? ?? 89 ?? 31 ?? 5? 5? 5? FC 8D ?? ?? 83 ?? ?? 89 ?? F3 ?? 66 ?? ?? ?? ?? 31 ?? 9? } - $block_7 = { 8B ?? ?? 8B ?? 8B ?? ?? 83 ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 8B ?? ?? 89 ?? ?? FF 5? ?? 85 ?? 0F 85 } - $block_8 = { FF 8? ?? ?? ?? ?? A1 ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 39 ?? ?? ?? ?? ?? 0F 8F } - $block_9 = { 8B ?? ?? 8B ?? ?? 83 ?? ?? 89 ?? BE ?? ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 } - $block_10 = { B1 ?? 89 ?? 8B ?? ?? ?? F6 ?? BA ?? ?? ?? ?? 89 ?? 31 ?? 0F B6 ?? F7 ?? 8D ?? ?? 88 ?? 04 ?? 88 } - $block_11 = { 89 ?? C1 ?? ?? F6 ?? ?? 0F 95 ?? 0F B6 ?? 01 ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 } - $block_12 = { 8B ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? 8B ?? ?? 89 ?? ?? 8B ?? ?? 89 ?? ?? 0F B7 ?? ?? 66 ?? ?? ?? 75 } - $block_13 = { 8B ?? ?? 89 ?? 8B ?? ?? 8B ?? ?? 89 ?? ?? ?? 8B ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 } - $block_14 = { 8B ?? ?? ?? ?? ?? 8D ?? ?? 8B ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 } - $block_15 = { B8 ?? ?? ?? ?? 89 ?? ?? ?? 
C7 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 } - $block_16 = { 8B ?? ?? 8D ?? ?? B9 ?? ?? ?? ?? C1 ?? ?? BE ?? ?? ?? ?? 01 ?? 89 ?? ?? 0F B6 ?? 8B ?? ?? 29 } - $block_17 = { B9 ?? ?? ?? ?? 05 ?? ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? B9 ?? ?? ?? ?? 85 ?? 0F 84 } - $block_18 = { 01 ?? 89 ?? ?? ?? ?? ?? 83 ?? ?? 0F B6 ?? ?? 0F B6 ?? ?? C1 ?? ?? 09 ?? 8D ?? ?? 39 ?? 0F 87 } - $block_19 = { 8B ?? ?? 8B ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? 83 ?? ?? 8D ?? ?? 3D ?? ?? ?? ?? 89 ?? ?? 0F 87 } - $block_20 = { BE ?? ?? ?? ?? B9 ?? ?? ?? ?? FC F3 ?? A1 ?? ?? ?? ?? 66 ?? ?? 8B ?? ?? 8B ?? ?? 89 ?? 5? C3 } - $block_21 = { 8B ?? ?? 0F B6 ?? 01 ?? 4? 0F B6 ?? 83 ?? ?? 30 ?? 88 ?? 88 ?? FF 4? ?? 8B ?? ?? 39 ?? ?? 74 } - $block_22 = { B9 ?? ?? ?? ?? 89 ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 85 ?? 89 ?? ?? 0F 85 } - $block_23 = { 83 ?? ?? 89 ?? ?? ?? 8B ?? ?? 83 ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? ?? ?? ?? ?? 0F 85 } - $block_24 = { 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 29 ?? 8D ?? ?? 83 ?? ?? 83 ?? ?? 89 ?? ?? ?? ?? ?? 0F 86 } - $block_25 = { 8D ?? ?? 89 ?? ?? ?? 8D ?? ?? 8B ?? ?? 89 ?? ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 } - $block_26 = { 4? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? 0F 84 } - $block_27 = { 89 ?? B3 ?? F6 ?? BA ?? ?? ?? ?? 89 ?? 31 ?? 0F B6 ?? F7 ?? 88 ?? 04 ?? 3C ?? 88 ?? ?? ?? 74 } - $block_28 = { 8B ?? ?? 8B ?? ?? 4? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 84 } - $block_29 = { 0F B6 ?? C1 ?? ?? 89 ?? ?? 0F B6 ?? ?? 09 ?? ?? 8B ?? ?? 89 ?? 8B ?? ?? 4? 3D ?? ?? ?? ?? 77 } - $block_30 = { 8B ?? ?? 8D ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 83 ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 } - $block_31 = { B8 ?? ?? ?? ?? 89 ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? ?? ?? ?? ?? 0F 84 } - $block_32 = { 5? 89 ?? 5? 5? 5? 83 ?? ?? 8B ?? ?? 89 ?? ?? 8B ?? ?? 8B ?? 8B ?? ?? 8D ?? ?? 83 ?? ?? 0F 86 } - $block_33 = { 8B ?? ?? 8D ?? ?? ?? ?? 
?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? ?? ?? ?? ?? 0F 85 } - $block_34 = { 8D ?? ?? 89 ?? ?? ?? 8D ?? ?? 89 ?? ?? ?? 8D ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 } - $block_35 = { 8B ?? ?? 8D ?? ?? 8B ?? ?? 89 ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 } - $block_36 = { 8D ?? ?? 89 ?? ?? ?? 8D ?? ?? 8D ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 } - $block_37 = { 8B ?? ?? 8D ?? ?? 8B ?? ?? 89 ?? ?? ?? 89 ?? ?? 01 ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 } - $block_38 = { 8D ?? ?? 89 ?? ?? ?? 8B ?? ?? 89 ?? ?? ?? 83 ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 } - $block_39 = { C7 ?? ?? ?? ?? ?? ?? 29 ?? ?? 89 ?? ?? 8B ?? ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 } - $block_40 = { 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 0F B6 ?? ?? ?? 0F B6 ?? 39 ?? 74 } - $block_41 = { 8B ?? ?? 8D ?? ?? 89 ?? ?? ?? 8D ?? ?? 89 ?? ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 84 } - $block_42 = { 8B ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 8D ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 3D ?? ?? ?? ?? 89 ?? 0F 8E } - $block_43 = { 89 ?? 31 ?? FC C1 ?? ?? F3 ?? 8D ?? ?? ?? ?? ?? ?? 83 ?? ?? 8B ?? ?? 8B ?? ?? 8B ?? ?? 76 } - $block_44 = { B8 ?? ?? ?? ?? 89 ?? ?? ?? B8 ?? ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 } - $block_45 = { 8D ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? ?? 89 ?? 0F 84 } - $block_46 = { 8B ?? ?? ?? ?? ?? 0F B6 ?? ?? 0F B6 ?? ?? C1 ?? ?? 09 ?? 8D ?? ?? 39 ?? ?? ?? ?? ?? 0F 85 } - $block_47 = { 8B ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 89 ?? ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 } - $block_48 = { BA ?? ?? ?? ?? B8 ?? ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 } - $block_49 = { 8B ?? ?? 8D ?? ?? 0F B6 ?? ?? ?? ?? ?? C6 ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 } - $block_50 = { 8D ?? ?? BB ?? ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 } - $block_51 = { 80 F? ?? 0F B6 ?? ?? 0F B6 ?? ?? 19 ?? 83 ?? ?? 
C1 ?? ?? 09 ?? 8D ?? ?? ?? 39 ?? ?? 0F 85 } - $block_52 = { 8B ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 89 ?? 0F 84 } - $block_53 = { 0F B6 ?? ?? 8B ?? ?? ?? ?? ?? 80 E? ?? 80 F? ?? 19 ?? 83 ?? ?? 83 ?? ?? 39 ?? 89 ?? ?? 74 } - $block_54 = { C7 ?? ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 8B ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 } - $block_55 = { 89 ?? 31 ?? FC C1 ?? ?? F3 ?? 89 ?? C1 ?? ?? 31 ?? 8B ?? ?? 89 ?? 29 ?? 83 ?? ?? 89 ?? EB } - $block_56 = { 8B ?? ?? 8D ?? ?? 0F B6 ?? 4? 83 ?? ?? 32 ?? 88 ?? 88 ?? FF 4? ?? 8B ?? ?? 39 ?? ?? 0F 84 } - $block_57 = { FC 31 ?? B9 ?? ?? ?? ?? 89 ?? F3 ?? 8B ?? ?? FF 5? ?? BA ?? ?? ?? ?? 85 ?? 89 ?? ?? 74 } - $block_58 = { 8D ?? ?? 4? 8D ?? ?? 89 ?? 89 ?? 0F B6 ?? ?? 8D ?? ?? ?? 89 ?? 89 ?? 8B ?? ?? 89 ?? 75 } - $block_59 = { 8D ?? ?? BB ?? ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 } - $block_60 = { 8B ?? ?? BA ?? ?? ?? ?? B9 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? 8B ?? ?? 85 ?? 0F 84 } - $block_61 = { 89 ?? ?? ?? B8 ?? ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 88 } - $block_62 = { 8B ?? ?? 89 ?? 03 ?? ?? 0F B7 ?? ?? 01 ?? 89 ?? ?? 8B ?? ?? 89 ?? ?? 8B ?? 0B ?? ?? 74 } - $block_63 = { B8 ?? ?? ?? ?? BB ?? ?? ?? ?? 89 ?? ?? ?? 8D ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 } - $block_64 = { 01 ?? 89 ?? ?? ?? ?? ?? 31 ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? 8B ?? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_65 = { 8D ?? ?? 89 ?? ?? ?? 8D ?? ?? 89 ?? ?? ?? 8B ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 } - $block_66 = { 0F B6 ?? 0F B6 ?? ?? C1 ?? ?? 09 ?? 8D ?? ?? 8D ?? ?? 39 ?? ?? ?? ?? ?? 89 ?? ?? 0F 82 } - $block_67 = { 8B ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 8B ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? ?? 0F 85 } - $block_68 = { 0F B6 ?? ?? BA ?? ?? ?? ?? 4? 89 ?? 31 ?? C6 ?? ?? ?? ?? 8D ?? ?? F7 ?? 88 ?? 04 ?? 88 } - $block_69 = { 8B ?? ?? 89 ?? ?? ?? 8B ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? ?? 0F 85 } - $block_70 = { 8D ?? ?? ?? ?? ?? 89 ?? ?? ?? 
89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? ?? 0F 85 } - $block_71 = { 8B ?? ?? 8B ?? ?? 8B ?? 89 ?? ?? ?? 89 ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 } - $block_72 = { 8D ?? ?? 89 ?? ?? ?? 8D ?? ?? 89 ?? ?? ?? 8D ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 } - $block_73 = { 8B ?? ?? ?? ?? ?? 8D ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 29 ?? 0F 84 } - $block_74 = { 8B ?? ?? ?? ?? ?? 01 ?? 89 ?? ?? ?? 8D ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 } - $block_75 = { 8B ?? C7 ?? ?? ?? ?? ?? ?? 89 ?? 83 ?? ?? 8D ?? ?? 29 ?? ?? 39 ?? 89 ?? ?? 89 ?? 0F 87 } - $block_76 = { 8B ?? ?? C1 ?? ?? 0F B6 ?? ?? 4? 09 ?? 31 ?? 39 ?? 0F 97 ?? 4? F7 ?? 21 ?? 83 ?? ?? 75 } - $block_77 = { 8B ?? ?? ?? ?? ?? 3B ?? ?? ?? ?? ?? 0F 93 ?? 4? 0F B6 ?? 83 ?? ?? F7 ?? 21 ?? 39 ?? 75 } - $block_78 = { 5? B8 ?? ?? ?? ?? 89 ?? 5? 5? 5? 83 ?? ?? F6 ?? ?? ?? 8B ?? ?? 8B ?? ?? 8B ?? ?? 0F 85 } - $block_79 = { 80 B? ?? ?? ?? ?? ?? ?? 0F 95 ?? 08 ?? 0F 94 ?? 4? 0F B6 ?? 01 ?? 3B ?? ?? ?? ?? ?? 75 } - $block_80 = { 8B ?? ?? 8B ?? ?? 8B ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 } - $block_81 = { 8B ?? ?? 39 ?? ?? ?? ?? ?? 8B ?? ?? 8B ?? C7 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 0F 87 } - $block_82 = { 89 ?? 89 ?? C1 ?? ?? 88 ?? ?? ?? ?? ?? 88 ?? ?? ?? ?? ?? 81 C? ?? ?? ?? ?? 39 ?? 0F 82 } - $block_83 = { 89 ?? 8B ?? ?? ?? ?? ?? 89 ?? C1 ?? ?? F6 ?? ?? FC F3 ?? 89 ?? 89 ?? ?? ?? ?? ?? 74 } - $block_84 = { 31 ?? 89 ?? ?? ?? ?? ?? 8B ?? 0F B6 ?? ?? ?? ?? ?? 80 E? ?? 88 ?? ?? ?? ?? ?? 0F 84 } - $block_85 = { 0A ?? ?? ?? 4? 88 ?? F6 ?? 08 ?? C0 ?? ?? 34 ?? 0F B6 ?? 01 ?? ?? ?? ?? ?? 39 ?? 75 } - $block_86 = { 8B ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 8D ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 } - $block_87 = { 0F B6 ?? ?? ?? 89 ?? 0F B6 ?? 29 ?? 84 ?? 89 ?? 0F 94 ?? 39 ?? 0F 92 ?? 08 ?? 4? 74 } - $block_88 = { 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8D ?? ?? 8D ?? ?? 81 C? ?? ?? ?? ?? 39 ?? 0F 87 } - $block_89 = { 8D ?? ?? ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? 
E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 }
- $block_90 = { 8B ?? ?? 8B ?? ?? C7 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 84 }
- $block_91 = { 8D ?? ?? 89 ?? ?? ?? 8D ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 }
- $block_92 = { 5? 89 ?? 81 E? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 89 ?? ?? 8B ?? ?? 89 ?? ?? 85 ?? 0F 84 }
- $block_93 = { 5? 89 ?? 81 E? ?? ?? ?? ?? 8B ?? ?? 89 ?? ?? 89 ?? ?? 89 ?? ?? 8B ?? ?? 85 ?? 0F 84 }
- $block_94 = { 8B ?? ?? 8B ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 }
- $block_95 = { 8D ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? 89 ?? ?? 8B ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 }
- $block_96 = { B8 ?? ?? ?? ?? 89 ?? ?? ?? 8B ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 8F }
- $block_97 = { 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8D ?? ?? 8B ?? ?? ?? ?? ?? A9 ?? ?? ?? ?? 0F 84 }
- $block_98 = { 5? 89 ?? 83 ?? ?? 83 ?? ?? ?? 89 ?? ?? 89 ?? ?? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? 0F 84 }
- $block_99 = { 8B ?? ?? C7 ?? ?? ?? ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? ?? ?? ?? ?? 0F 84 }
-
- condition:
- hash.sha256(0, filesize) == "0e0094d9bd396a6594da8e21911a3982cd737b445f591581560d766755097d92" or
- hash.sha256(0, filesize) == "51e92ba8dac0f93fc755cb98979d066234260eafc7654088c5be320f431a34fa" or
- 12 of them
-}
-
-rule VPNFilterStage3PluginTor {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 31 ?? 83 ?? ?? ?? ?? 0F 95 ?? 83 ?? ?? F7 ?? 21 ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 8D ?? ?? 39 ?? 76 }
- $block_1 = { 5? 8D ?? ?? 6A ?? 5? 8D ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 39 ?? ?? ?? ?? ?? 0F 85 }
- $block_2 = { 83 ?? ?? B9 ?? ?? ?? ?? FC 89 ?? ?? ?? ?? ?? 89 ?? BF ?? ?? ?? ?? F3 ?? 74 }
- $block_3 = { 6B ?? ?? DB ?? ?? ?? ?? ?? D9 ?? DE ?? D9 ?? D9 ?? DD ?? DF ?? DD ?? 9E 72 }
- $block_4 = { DD ?? DD ?? DD ?? D9 ?? D9 ?? ?? ?? ?? ?? D9 ?? DD ?? DF ?? DD ?? 9E 72 }
- $block_5 = { 5? 68 ?? ?? ?? ?? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 85 ?? 0F 88 }
- $block_6 = { 89 ?? BD ?? ?? ?? ?? 99 F7 ?? 4? 83 ?? ?? 4? 88 ?? 83 ?? ?? 89 ?? 7E }
- $block_7 = { D9 ?? D8 ?? D9 ?? C7 ?? ?? ?? ?? ?? ?? ?? DD ?? DF ?? DD ?? 9E 0F 86 }
- $block_8 = { 83 ?? ?? 8B ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 84 }
- $block_9 = { 83 ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 83 ?? ?? 85 ?? 0F 88 }
- $block_10 = { 5? 68 ?? ?? ?? ?? 6A ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 }
- $block_11 = { 8D ?? ?? 5? 5? 6A ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 84 }
- $block_12 = { 8D ?? ?? B9 ?? ?? ?? ?? FC 89 ?? BF ?? ?? ?? ?? F3 ?? 74 }
- $block_13 = { 5? 89 ?? 5? 5? 5? 81 E? ?? ?? ?? ?? 8B ?? ?? 85 ?? 0F 84 }
- $block_14 = { 6B ?? ?? DB ?? ?? ?? ?? ?? D8 ?? D9 ?? DD ?? DF ?? 9E 76 }
- $block_15 = { 8D ?? ?? 5? 5? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 4? 0F 84 }
- $block_16 = { D9 ?? ?? ?? ?? ?? D8 ?? D9 ?? DD ?? DF ?? DD ?? 9E 75 }
- $block_17 = { 83 ?? ?? 6A ?? E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? ?? C9 C3 }
- $block_18 = { 5? B8 ?? ?? ?? ?? 83 ?? ?? 83 ?? ?? ?? ?? 0F 84 }
-
- condition:
- hash.sha256(0, filesize) == "afd281639e26a717aead65b1886f98d6d6c258736016023b4e59de30b7348719" or
- hash.sha256(0, filesize) == "acf32f21ec3955d6116973b3f1a85f19f237880a80cdf584e29f08bd12666999" or
- 12 of them
-}
-
-rule VPNFilterStage3PluginPacketSniffer {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 8B ?? ?? ?? ?? ?? 31 ?? 31 ?? 8A ?? ?? 8A ?? ?? C1 ?? ?? 09 ?? 8D ?? ?? 39 ?? ?? ?? ?? ?? 0F 85 }
- $block_1 = { 83 ?? ?? 8B ?? ?? 5? 8B ?? ?? 5? 6A ?? 5? 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? 85 ?? 0F 85 }
- $block_2 = { 8B ?? ?? 8B ?? ?? 01 ?? 25 ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 01 ?? 89 ?? ?? 8B ?? ?? 39 ?? ?? 0F 86 }
- $block_3 = { 31 ?? 83 ?? ?? ?? ?? 0F 95 ?? 83 ?? ?? F7 ?? 21 ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 8D ?? ?? 39 ?? 76 }
- $block_4 = { 5? 89 ?? 5? 5? 5? 81 E? ?? ?? ?? ?? 89 ?? 8B ?? ?? 80 7? ?? ?? 8D ?? ?? 89 ?? ?? ?? ?? ?? 0F 84 }
- $block_5 = { 8B ?? ?? 5? 5? 8B ?? 83 ?? ?? 5? 8B ?? ?? 
83 ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? 85 ?? 0F 85 } - $block_6 = { 5? 5? 68 ?? ?? ?? ?? 6A ?? E8 ?? ?? ?? ?? BE ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_7 = { 8B ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? 5? 8B ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? BA ?? ?? ?? ?? 85 ?? 0F 84 } - $block_8 = { 8D ?? ?? ?? ?? ?? 5? 5? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_9 = { 05 ?? ?? ?? ?? 5? 5? 6A ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 85 ?? 0F 85 } - $block_10 = { 8D ?? ?? 5? 8B ?? ?? ?? ?? ?? 5? 8B ?? ?? 5? 8B ?? ?? 5? FF 9? ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 84 } - $block_11 = { 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 29 ?? 8D ?? ?? 83 ?? ?? 89 ?? ?? ?? ?? ?? 83 ?? ?? 0F 86 } - $block_12 = { 8B ?? ?? 83 ?? ?? C1 ?? ?? 83 ?? ?? 89 ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 85 ?? 0F 84 } - $block_13 = { 89 ?? 89 ?? FC C1 ?? ?? 31 ?? F3 ?? 8B ?? ?? 89 ?? ?? 8D ?? ?? B8 ?? ?? ?? ?? 5? 5? 5? 5? C3 } - $block_14 = { 8B ?? ?? 8D ?? ?? 5? 8B ?? ?? 5? 8B ?? ?? 5? 5? E8 ?? ?? ?? ?? 8B ?? ?? 83 ?? ?? 85 ?? 0F 84 } - $block_15 = { 8D ?? ?? 29 ?? 89 ?? ?? 5? 5? 5? 6A ?? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 85 ?? 89 ?? ?? 0F 84 } - $block_16 = { 8B ?? ?? 5? 4? 5? 89 ?? ?? ?? ?? ?? 5? 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? 85 ?? 0F 84 } - $block_17 = { 8B ?? ?? FC 8B ?? ?? 8D ?? ?? ?? ?? ?? 89 ?? 89 ?? C1 ?? ?? 8D ?? ?? F3 ?? F6 ?? ?? 89 ?? 74 } - $block_18 = { B8 ?? ?? ?? ?? BF ?? ?? ?? ?? 89 ?? 8B ?? ?? F3 ?? 0F 97 ?? 0F 92 ?? BF ?? ?? ?? ?? 38 ?? 74 } - $block_19 = { 5? 89 ?? 5? 5? 5? 83 ?? ?? 8B ?? ?? 8B ?? ?? 8B ?? ?? 8B ?? ?? 83 ?? ?? C1 ?? ?? 85 ?? 0F 84 } - $block_20 = { 8B ?? ?? C6 ?? ?? 5? 8B ?? ?? 5? 89 ?? 4? 5? 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 } - $block_21 = { B8 ?? ?? ?? ?? BF ?? ?? ?? ?? 89 ?? 8B ?? ?? F3 ?? 0F 97 ?? 0F 92 ?? BF ?? ?? ?? ?? 38 ?? 75 } - $block_22 = { 8B ?? ?? ?? ?? ?? 09 ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 83 ?? ?? 3B ?? ?? ?? ?? ?? 0F 87 } - $block_23 = { 5? 89 ?? 5? 5? 5? 83 ?? ?? 
89 ?? ?? 8B ?? ?? 89 ?? ?? 89 ?? C7 ?? ?? ?? ?? ?? ?? 85 ?? 0F 85 } - $block_24 = { 5? 89 ?? 5? 5? 5? 83 ?? ?? 8B ?? ?? 89 ?? ?? 8B ?? ?? 8B ?? 8B ?? ?? 8D ?? ?? 83 ?? ?? 0F 86 } - $block_25 = { 8D ?? ?? ?? 89 ?? 31 ?? F7 ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 80 B? ?? ?? ?? ?? ?? 0F 84 } - $block_26 = { 8D ?? ?? 5? E8 ?? ?? ?? ?? 5? 5? 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? 83 ?? ?? ?? 0F 84 } - $block_27 = { 8B ?? ?? 83 ?? ?? 8B ?? ?? C1 ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? ?? 83 ?? ?? 85 ?? 89 ?? ?? 0F 84 } - $block_28 = { 88 ?? 8B ?? ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 80 F? ?? 19 ?? 83 ?? ?? 83 ?? ?? 3B ?? ?? 0F 85 } - $block_29 = { 8B ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? 8B ?? ?? C7 ?? ?? ?? ?? ?? ?? 8B ?? ?? 85 ?? 0F 84 } - $block_30 = { 8B ?? ?? 8B ?? ?? ?? ?? ?? 8D ?? ?? 8B ?? ?? 8B ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 85 ?? 0F 84 } - $block_31 = { 83 ?? ?? 8B ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? ?? 83 ?? ?? 89 ?? ?? F6 ?? ?? ?? ?? ?? ?? 0F 84 } - $block_32 = { 8B ?? ?? 8B ?? ?? 83 ?? ?? 8B ?? ?? 5? 5? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? 85 ?? 0F 85 } - $block_33 = { 8B ?? ?? 8B ?? ?? FC 89 ?? ?? 89 ?? ?? BA ?? ?? ?? ?? B8 ?? ?? ?? ?? 89 ?? 89 ?? F3 ?? 75 } - $block_34 = { 8D ?? ?? 8B ?? ?? ?? ?? ?? 31 ?? 8A ?? ?? 88 ?? 8D ?? ?? 8D ?? ?? 39 ?? ?? ?? ?? ?? 0F 82 } - $block_35 = { 5? 89 ?? 5? 5? 5? 83 ?? ?? 8B ?? ?? 6A ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 85 ?? 0F 85 } - $block_36 = { 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 05 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? 39 ?? 0F 82 } - $block_37 = { 66 ?? ?? ?? 89 ?? 8B ?? ?? 25 ?? ?? ?? ?? 83 ?? ?? 01 ?? 89 ?? ?? 8B ?? ?? 66 ?? ?? 0F 84 } - $block_38 = { 8B ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? 5? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? 85 ?? 0F 85 } - $block_39 = { 8B ?? ?? 89 ?? 85 ?? 0F 94 ?? 25 ?? ?? ?? ?? 31 ?? 5? 89 ?? E8 ?? ?? ?? ?? 5? 85 ?? 0F 84 } - $block_40 = { 8B ?? ?? 8D ?? ?? 5? 83 ?? ?? 8B ?? ?? 5? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? 85 ?? 0F 84 } - $block_41 = { 83 ?? ?? 8B ?? ?? 5? 5? 5? 8B ?? ?? 83 ?? ?? 5? E8 ?? ?? ?? ?? 
83 ?? ?? 89 ?? 85 ?? 0F 85 } - $block_42 = { 66 ?? ?? ?? 31 ?? ?? F9 9B 4? 6A ?? C1 ?? ?? ?? ?? ?? ?? A2 ?? ?? ?? ?? 28 ?? ?? EF 77 } - $block_43 = { 83 ?? ?? 8B ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_44 = { 8B ?? ?? 5? 5? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_45 = { 5? 6A ?? 6A ?? 5? E8 ?? ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? 83 ?? ?? 0F 84 } - $block_46 = { 8B ?? ?? 8B ?? ?? 01 ?? 5? 8B ?? ?? 5? 5? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 39 ?? 0F 84 } - $block_47 = { 8B ?? 8B ?? ?? 01 ?? 89 ?? 3B ?? ?? 0F 92 ?? 25 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 85 ?? 75 } - $block_48 = { 83 ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 5? 5? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? 85 ?? 0F 85 } - $block_49 = { 83 ?? ?? 8D ?? ?? 8D ?? ?? 5? 5? 6A ?? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? 85 ?? 0F 85 } - $block_50 = { 5? 5? 68 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 84 } - $block_51 = { 8B ?? ?? 89 ?? 03 ?? ?? 0F B7 ?? ?? 01 ?? 89 ?? ?? 8B ?? ?? 89 ?? ?? 8B ?? 0B ?? ?? 74 } - $block_52 = { 8A ?? ?? ?? ?? ?? 88 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? ?? ?? ?? 0F 84 } - $block_53 = { FC 31 ?? B9 ?? ?? ?? ?? 89 ?? F3 ?? 8B ?? ?? FF 5? ?? BA ?? ?? ?? ?? 89 ?? ?? 85 ?? 74 } - $block_54 = { 5? 5? 8B ?? 5? 8B ?? ?? ?? ?? ?? 83 ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? 85 ?? 0F 85 } - $block_55 = { 83 ?? ?? BB ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 89 ?? ?? 8B ?? 85 ?? 0F 85 } - $block_56 = { 83 ?? ?? 8B ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 83 ?? ?? 0F 84 } - $block_57 = { 8A ?? ?? ?? 31 ?? 88 ?? 89 ?? 29 ?? 84 ?? 89 ?? 0F 94 ?? 39 ?? 0F 92 ?? 09 ?? 4? 74 } - $block_58 = { 5? 5? 6A ?? 8B ?? ?? 8B ?? ?? 05 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 84 } - $block_59 = { 8B ?? ?? 8B ?? 5? 8B ?? ?? 83 ?? ?? 5? 5? 8B ?? ?? 5? FF 5? ?? 83 ?? ?? 85 ?? 0F 85 } - $block_60 = { 8B ?? ?? 83 ?? ?? C7 ?? ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? 85 ?? 
0F 84 } - $block_61 = { 8B ?? ?? ?? ?? ?? 5? 8D ?? ?? 5? 6A ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? 85 ?? 0F 88 } - $block_62 = { 8D ?? ?? 8D ?? ?? 5? 8D ?? ?? 5? 8D ?? ?? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 } - $block_63 = { 5? 5? 8B ?? ?? ?? ?? ?? 5? 8B ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 } - $block_64 = { 8B ?? ?? B9 ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 8B ?? ?? 8B ?? ?? 85 ?? 0F 84 } - $block_65 = { 8B ?? 83 ?? ?? 89 ?? 8D ?? ?? 6A ?? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? 85 ?? 0F 85 } - $block_66 = { 8B ?? ?? 8B ?? ?? 8B ?? ?? 5? 5? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 85 ?? 0F 85 } - $block_67 = { 8B ?? ?? ?? ?? ?? 8D ?? ?? 5? 6A ?? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? 85 ?? 0F 85 } - $block_68 = { 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 81 C? ?? ?? ?? ?? 8D ?? ?? 8D ?? ?? 39 ?? 0F 87 } - $block_69 = { 8B ?? ?? 8B ?? ?? 5? 5? 5? 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 85 ?? 0F 85 } - $block_70 = { 0F B6 ?? 5? 8D ?? ?? 5? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 8D ?? ?? ?? ?? ?? 74 } - $block_71 = { 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 4? 01 ?? 89 ?? ?? ?? ?? ?? 83 ?? ?? ?? 0F 8E } - $block_72 = { 89 ?? 31 ?? 8A ?? 31 ?? C1 ?? ?? 8A ?? ?? 09 ?? 8D ?? ?? 39 ?? ?? ?? ?? ?? 0F 82 } - $block_73 = { 80 B? ?? ?? ?? ?? ?? ?? 0F 95 ?? 08 ?? 0F 94 ?? 25 ?? ?? ?? ?? 4? 01 ?? 39 ?? 75 } - $block_74 = { 8B ?? ?? 8D ?? ?? 83 ?? ?? 5? 5? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? 85 ?? 0F 85 } - $block_75 = { 8D ?? ?? 8B ?? ?? ?? ?? ?? 5? 89 ?? 8B ?? ?? E8 ?? ?? ?? ?? 89 ?? 5? 85 ?? 0F 85 } - $block_76 = { 8B ?? ?? 89 ?? 89 ?? C1 ?? ?? 83 ?? ?? 0F A3 ?? ?? ?? ?? ?? ?? 0F 92 ?? 84 ?? 74 } - $block_77 = { 8D ?? ?? B9 ?? ?? ?? ?? 89 ?? ?? 31 ?? FC 8B ?? ?? F3 ?? 8B ?? ?? 3B ?? ?? 0F 8F } - $block_78 = { 05 ?? ?? ?? ?? 5? 5? 6A ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? B9 ?? ?? ?? ?? 85 ?? 0F 84 } - $block_79 = { 8B ?? ?? ?? ?? ?? 4? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 39 ?? ?? ?? ?? ?? 0F 85 } - $block_80 = { 5? 5? 68 ?? ?? ?? ?? A1 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 
89 ?? 85 ?? 0F 84 } - $block_81 = { 5? 89 ?? 5? 5? 5? 83 ?? ?? 8B ?? ?? 8B ?? ?? 8B ?? 8B ?? 89 ?? 0F AF ?? 85 ?? 7E } - $block_82 = { 5? 89 ?? 5? 5? 5? 83 ?? ?? 8B ?? ?? 8B ?? ?? 8B ?? 8B ?? 89 ?? 0F AF ?? 85 ?? 78 } - $block_83 = { 5? 5? 68 ?? ?? ?? ?? 6A ?? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_84 = { 5? 89 ?? 5? 5? 5? 83 ?? ?? 8B ?? ?? 8B ?? ?? 89 ?? C1 ?? ?? 8B ?? ?? 39 ?? 0F 87 } - $block_85 = { 66 ?? ?? ?? 8D ?? ?? 89 ?? 81 E? ?? ?? ?? ?? FC 89 ?? C1 ?? ?? F3 ?? F6 ?? ?? 74 } - $block_86 = { 5? 5? 68 ?? ?? ?? ?? 6A ?? E8 ?? ?? ?? ?? 8B ?? ?? 83 ?? ?? 85 ?? 89 ?? ?? 0F 85 } - $block_87 = { 8B ?? ?? ?? ?? ?? 8D ?? ?? 5? 5? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? 85 ?? 0F 85 } - $block_88 = { 05 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 5? 5? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 84 } - $block_89 = { 66 ?? ?? ?? 8D ?? ?? 89 ?? 81 E? ?? ?? ?? ?? FC 89 ?? C1 ?? ?? F3 ?? F6 ?? ?? 75 } - $block_90 = { 83 ?? ?? 5? E8 ?? ?? ?? ?? 89 ?? 89 ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 88 } - $block_91 = { 31 ?? 8D ?? ?? ?? ?? ?? ?? 8A ?? ?? 4? D3 ?? 8B ?? 09 ?? 89 ?? 39 ?? ?? 0F 86 } - $block_92 = { 31 ?? 8A ?? 89 ?? 8D ?? ?? 6A ?? 5? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 } - $block_93 = { 8B ?? ?? 66 ?? ?? ?? 89 ?? 81 E? ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 ?? 85 ?? 0F 84 } - $block_94 = { 5? 89 ?? 5? 5? 5? 81 E? ?? ?? ?? ?? 8B ?? ?? 8B ?? ?? 8B ?? ?? 83 ?? ?? 0F 84 } - $block_95 = { 5? 6A ?? 5? 8D ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? ?? ?? ?? 85 ?? 0F 85 } - $block_96 = { 8B ?? ?? 8D ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 39 ?? ?? ?? ?? ?? 0F 87 } - $block_97 = { 8D ?? ?? 31 ?? 8A ?? ?? 8A ?? ?? C1 ?? ?? 25 ?? ?? ?? ?? 09 ?? 83 ?? ?? 0F 86 } - $block_98 = { E8 ?? ?? ?? ?? 83 ?? ?? 0F 95 ?? 31 ?? 88 ?? 4? 81 E? ?? ?? ?? ?? 83 ?? ?? E9 } - $block_99 = { 5? 6A ?? 6A ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? BA ?? ?? ?? ?? 83 ?? ?? 
0F 84 }
-
- condition:
- hash.sha256(0, filesize) == "3df17f01c4850b96b00e90c880fdfabbd11c64a8707d24488485dd12fae8ec85" or
- 12 of them
-}
-
-rule VPNFilterStage2 {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 8B ?? ?? 89 ?? ?? ?? 8D ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? ?? ?? ?? ?? 0F 85 }
- $block_1 = { 8B ?? ?? 8B ?? ?? 8B ?? ?? 8B ?? ?? 89 ?? ?? ?? ?? ?? 31 ?? 83 ?? ?? ?? 89 ?? ?? ?? ?? ?? 0F 84 }
- $block_2 = { 8B ?? ?? 8B ?? 8B ?? ?? 83 ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 8B ?? ?? 89 ?? ?? FF 5? ?? 85 ?? 0F 85 }
- $block_3 = { 8B ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? 8B ?? ?? 89 ?? ?? 8B ?? ?? 89 ?? ?? 0F B7 ?? ?? 66 ?? ?? ?? 75 }
- $block_4 = { B8 ?? ?? ?? ?? 8D ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_5 = { 8B ?? ?? 31 ?? 89 ?? ?? ?? 89 ?? ?? 89 ?? ?? ?? 8B ?? ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_6 = { 8B ?? ?? 8B ?? ?? 83 ?? ?? 89 ?? BE ?? ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_7 = { FF 8? ?? ?? ?? ?? A1 ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 39 ?? ?? ?? ?? ?? 0F 8F }
- $block_8 = { 8B ?? ?? 89 ?? 8B ?? ?? 8B ?? ?? 89 ?? ?? ?? 8B ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 }
- $block_9 = { 8B ?? ?? 89 ?? ?? ?? 8B ?? ?? 89 ?? ?? ?? 8D ?? ?? ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_10 = { 8B ?? ?? 8B ?? ?? 8B ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? ?? 0F 85 }
- $block_11 = { 89 ?? C1 ?? ?? F6 ?? ?? 0F 95 ?? 0F B6 ?? 01 ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_12 = { B1 ?? 89 ?? 8B ?? ?? ?? F6 ?? BA ?? ?? ?? ?? 89 ?? 31 ?? 0F B6 ?? F7 ?? 8D ?? ?? 88 ?? 04 ?? 88 }
- $block_13 = { D0 ?? ?? ?? ?? ?? 0F B6 ?? ?? ?? ?? ?? 0F B6 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? D3 ?? 85 ?? 0F 85 }
- $block_14 = { 5? 89 ?? 5? 5? 5? 83 ?? ?? 8B ?? ?? 89 ?? ?? 8B ?? ?? 8B ?? 8B ?? ?? 8D ?? ?? 83 ?? ?? 0F 86 }
- $block_15 = { 5? 89 ?? 5? 5? 5? 83 ?? ?? 
8B ?? ?? 8B ?? ?? 8B ?? ?? 8B ?? ?? 83 ?? ?? C1 ?? ?? 85 ?? 0F 84 } - $block_16 = { 89 ?? BA ?? ?? ?? ?? FC C1 ?? ?? F3 ?? 8D ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 75 } - $block_17 = { 5? 89 ?? 5? 89 ?? 5? 5? 83 ?? ?? 8B ?? ?? 89 ?? ?? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? 85 ?? 0F 85 } - $block_18 = { 8B ?? ?? B8 ?? ?? ?? ?? BF ?? ?? ?? ?? 89 ?? F3 ?? BF ?? ?? ?? ?? 0F 97 ?? 0F 92 ?? 38 ?? 74 } - $block_19 = { 8B ?? ?? B8 ?? ?? ?? ?? BF ?? ?? ?? ?? 89 ?? F3 ?? BF ?? ?? ?? ?? 0F 97 ?? 0F 92 ?? 38 ?? 75 } - $block_20 = { 8B ?? ?? 8D ?? ?? 89 ?? ?? ?? 83 ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 } - $block_21 = { 8B ?? ?? 8D ?? ?? 8D ?? ?? 89 ?? ?? ?? 89 ?? ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 } - $block_22 = { 68 ?? ?? ?? ?? 8D ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? ?? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 } - $block_23 = { 8B ?? ?? 8B ?? ?? 4? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 84 } - $block_24 = { B9 ?? ?? ?? ?? 89 ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? ?? ?? ?? ?? 0F 84 } - $block_25 = { 8D ?? ?? ?? 89 ?? 31 ?? F7 ?? 80 B? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 0F 84 } - $block_26 = { 8B ?? ?? ?? ?? ?? 8D ?? ?? 89 ?? ?? ?? 89 ?? ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 } - $block_27 = { 8D ?? ?? 89 ?? ?? ?? 8D ?? ?? 8B ?? ?? 89 ?? ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 } - $block_28 = { 8D ?? ?? 89 ?? ?? ?? 8D ?? ?? 89 ?? ?? ?? 8D ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 } - $block_29 = { 8B ?? ?? 8D ?? ?? B9 ?? ?? ?? ?? C1 ?? ?? BE ?? ?? ?? ?? 01 ?? 89 ?? ?? 0F B6 ?? 8B ?? ?? 29 } - $block_30 = { BF ?? ?? ?? ?? 89 ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 85 ?? 89 ?? ?? 0F 84 } - $block_31 = { C7 ?? ?? ?? ?? ?? ?? 29 ?? ?? 89 ?? ?? 8B ?? ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 } - $block_32 = { B9 ?? ?? ?? ?? 05 ?? ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? B9 ?? ?? ?? ?? 85 ?? 0F 84 } - $block_33 = { 89 ?? B3 ?? F6 ?? BA ?? ?? 
?? ?? 89 ?? 31 ?? 0F B6 ?? F7 ?? 88 ?? 04 ?? 3C ?? 88 ?? ?? ?? 74 } - $block_34 = { 8B ?? ?? 8D ?? ?? 8B ?? ?? 89 ?? ?? ?? 89 ?? ?? 01 ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 } - $block_35 = { 8D ?? ?? 89 ?? ?? ?? 8D ?? ?? 8D ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 } - $block_36 = { 8B ?? ?? 8D ?? ?? 89 ?? ?? ?? 8D ?? ?? 89 ?? ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 84 } - $block_37 = { 8D ?? ?? 89 ?? ?? ?? 8B ?? ?? 89 ?? ?? ?? 83 ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 } - $block_38 = { 8B ?? ?? 0F B6 ?? 01 ?? 4? 0F B6 ?? 83 ?? ?? 30 ?? 88 ?? 88 ?? FF 4? ?? 8B ?? ?? 39 ?? ?? 74 } - $block_39 = { 0F B6 ?? ?? ?? ?? ?? 4? 8B ?? ?? ?? ?? ?? FE ?? ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? ?? ?? ?? ?? 75 } - $block_40 = { 8B ?? ?? 8D ?? ?? 8B ?? ?? 89 ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 } - $block_41 = { B9 ?? ?? ?? ?? 89 ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 85 ?? 89 ?? ?? 0F 85 } - $block_42 = { 8B ?? ?? 8D ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 83 ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 } - $block_43 = { 0F B6 ?? ?? ?? ?? ?? 88 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? ?? ?? ?? 0F 84 } - $block_44 = { 8B ?? 8D ?? ?? 89 ?? ?? ?? 83 ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 } - $block_45 = { 8B ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 89 ?? ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 } - $block_46 = { B8 ?? ?? ?? ?? 89 ?? ?? ?? 8D ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 } - $block_47 = { 8D ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? ?? 89 ?? 0F 84 } - $block_48 = { 89 ?? 31 ?? FC C1 ?? ?? F3 ?? 89 ?? C1 ?? ?? 31 ?? 8B ?? ?? 89 ?? 29 ?? 83 ?? ?? 89 ?? EB } - $block_49 = { 89 ?? 31 ?? FC C1 ?? ?? F3 ?? 8D ?? ?? ?? ?? ?? ?? 83 ?? ?? 8B ?? ?? 8B ?? ?? 8B ?? ?? 76 } - $block_50 = { 8B ?? ?? C7 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? BA ?? ?? ?? ?? 85 ?? 89 ?? 0F 84 } - $block_51 = { 8B ?? ?? 8D ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? 8B ?? 
?? 89 ?? ?? ?? ?? ?? 8B ?? 85 ?? 0F 84 } - $block_52 = { 8B ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 89 ?? 0F 84 } - $block_53 = { 8D ?? ?? BA ?? ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 } - $block_54 = { 8B ?? ?? 89 ?? ?? 89 ?? ?? 01 ?? 89 ?? ?? 8D ?? ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 } - $block_55 = { 8B ?? 83 ?? ?? 89 ?? ?? ?? 8D ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 } - $block_56 = { 8D ?? ?? BB ?? ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 } - $block_57 = { 8B ?? ?? 8D ?? ?? 0F B6 ?? 4? 83 ?? ?? 32 ?? 88 ?? 88 ?? FF 4? ?? 8B ?? ?? 39 ?? ?? 0F 84 } - $block_58 = { C7 ?? ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 8B ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 } - $block_59 = { 8B ?? ?? 89 ?? 03 ?? ?? 0F B7 ?? ?? 01 ?? 89 ?? ?? 8B ?? ?? 89 ?? ?? 8B ?? 0B ?? ?? 74 } - $block_60 = { 66 ?? ?? ?? 31 ?? ?? F9 9B 4? 6A ?? C1 ?? ?? ?? ?? ?? ?? A2 ?? ?? ?? ?? 28 ?? ?? EF 77 } - $block_61 = { E8 ?? ?? ?? ?? 4? C7 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F B7 ?? ?? ?? ?? ?? 39 ?? 0F 8F } - $block_62 = { 8B ?? ?? B8 ?? ?? ?? ?? 89 ?? ?? ?? 83 ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 } - $block_63 = { 8B ?? ?? ?? ?? ?? 01 ?? 89 ?? ?? ?? 8D ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 } - $block_64 = { 8B ?? ?? 8B ?? ?? 89 ?? ?? ?? 8B ?? 83 ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 } - $block_65 = { 8D ?? ?? BB ?? ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 } - $block_66 = { B8 ?? ?? ?? ?? BB ?? ?? ?? ?? 89 ?? ?? ?? 8D ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 } - $block_67 = { 80 F? ?? 0F B6 ?? 0F B6 ?? ?? 19 ?? C1 ?? ?? 83 ?? ?? 09 ?? 8D ?? ?? ?? 39 ?? ?? 0F 85 } - $block_68 = { 8B ?? ?? ?? ?? ?? 8D ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 29 ?? 0F 84 } - $block_69 = { 8B ?? ?? BA ?? ?? ?? ?? B9 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? 8B ?? ?? 85 ?? 0F 84 } - $block_70 = { 8B ?? ?? 89 ?? ?? ?? 8B ?? ?? 
89 ?? ?? ?? 8D ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 } - $block_71 = { FC 31 ?? B9 ?? ?? ?? ?? 89 ?? F3 ?? 8B ?? ?? FF 5? ?? BA ?? ?? ?? ?? 85 ?? 89 ?? ?? 74 } - $block_72 = { 8B ?? C7 ?? ?? ?? ?? ?? ?? 89 ?? 83 ?? ?? 8D ?? ?? 29 ?? ?? 39 ?? 89 ?? ?? 89 ?? 0F 87 } - $block_73 = { 8D ?? ?? BB ?? ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 3B ?? ?? 0F 87 } - $block_74 = { 0F B6 ?? ?? BA ?? ?? ?? ?? 4? 89 ?? 31 ?? C6 ?? ?? ?? ?? 8D ?? ?? F7 ?? 88 ?? 04 ?? 88 } - $block_75 = { 8D ?? ?? 89 ?? ?? ?? 8D ?? ?? 89 ?? ?? ?? 8B ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 } - $block_76 = { 8B ?? ?? 8B ?? ?? 8B ?? 89 ?? ?? ?? 89 ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 } - $block_77 = { 89 ?? ?? ?? B8 ?? ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 88 } - $block_78 = { 5? B8 ?? ?? ?? ?? 89 ?? 5? 5? 5? 83 ?? ?? F6 ?? ?? ?? 8B ?? ?? 8B ?? ?? 8B ?? ?? 0F 85 } - $block_79 = { 8D ?? ?? ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 } - $block_80 = { 0A ?? ?? ?? 4? 88 ?? F6 ?? 08 ?? C0 ?? ?? 34 ?? 0F B6 ?? 01 ?? ?? ?? ?? ?? 39 ?? 75 } - $block_81 = { 89 ?? ?? E8 ?? ?? ?? ?? 8B ?? 89 ?? ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 } - $block_82 = { 8B ?? ?? 0F B6 ?? 83 ?? ?? 89 ?? ?? ?? 8D ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 } - $block_83 = { 8D ?? ?? 89 ?? ?? ?? 8D ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 } - $block_84 = { 8B ?? ?? 89 ?? ?? 83 ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 } - $block_85 = { 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8D ?? ?? 8D ?? ?? 81 C? ?? ?? ?? ?? 39 ?? 0F 87 } - $block_86 = { 5? 89 ?? 81 E? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 89 ?? ?? 8B ?? ?? 89 ?? ?? 85 ?? 0F 84 } - $block_87 = { 8D ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? 89 ?? ?? 8B ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 } - $block_88 = { 8B ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 8D ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 } - $block_89 = { 8B ?? ?? 89 ?? ?? ?? 8D ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? 
?? 85 ?? 89 ?? 0F 85 }
- $block_90 = { 8B ?? ?? 8B ?? ?? C7 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 84 }
- $block_91 = { 8B ?? ?? 8B ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 }
- $block_92 = { 8B ?? ?? 89 ?? ?? 89 ?? ?? ?? 8D ?? ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 }
- $block_93 = { 8D ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 8D ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 }
- $block_94 = { 8D ?? ?? 8D ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 }
- $block_95 = { 8B ?? ?? 8D ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 85 }
- $block_96 = { 8B ?? ?? 83 ?? ?? 89 ?? C1 ?? ?? F6 ?? ?? 8D ?? ?? 89 ?? ?? 8D ?? ?? FC F3 ?? 0F 84 }
- $block_97 = { 0F B6 ?? ?? ?? 89 ?? 0F B6 ?? 29 ?? 84 ?? 89 ?? 0F 94 ?? 39 ?? 0F 92 ?? 08 ?? 4? 74 }
- $block_98 = { 89 ?? 83 ?? ?? 83 ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 83 ?? ?? ?? 83 ?? ?? ?? 0F 8E }
- $block_99 = { 5? 89 ?? 5? 5? 5? 81 E? ?? ?? ?? ?? 8B ?? ?? 8B ?? ?? 8B ?? ?? 83 ?? ?? 0F 84 }
-
- condition:
- hash.sha256(0, filesize) == "9e854d40f22675a0f1534f7c31626fd3b67d5799f8eea4bd2e2d4be187d9e1c7" or
- hash.sha256(0, filesize) == "8a20dc9538d639623878a3d3d18d88da8b635ea52e5e2d0c2cce4a8c5a703db1" or
- hash.sha256(0, filesize) == "d6097e942dd0fdc1fb28ec1814780e6ecc169ec6d24f9954e71954eedbc4c70e" or
- hash.sha256(0, filesize) == "9683b04123d7e9fe4c8c26c69b09c2233f7e1440f828837422ce330040782d17" or
- hash.sha256(0, filesize) == "f30a0fe494a871bd7d117d41025e8d2e17cd545131e6f27d59b5e65e7ab50d92" or
- 12 of them
-}
-
-rule CloudAtlasPayload {
- meta:
- Author = "Intezer Analyze"
- Reference = "https://apt-ecosystem.com"
-
- strings:
- $block_0 = { 0F B7 ?? ?? 8B ?? ?? 8B ?? ?? 03 ?? ?? 89 ?? ?? 0F B7 ?? ?? 8B ?? ?? 66 ?? ?? ?? 66 ?? ?? ?? EB }
- $block_1 = { 6A ?? 8B ?? ?? 8B ?? ?? 05 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 0F B6 ?? 85 ?? 0F 84 }
- $block_2 = { 8D ?? ?? 5? 8D ?? ?? 5? 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 0F B6 ?? 85 ?? 
74 } - $block_3 = { 8B ?? ?? 5? FF 1? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? 8B ?? ?? 83 ?? ?? ?? 0F 84 } - $block_4 = { 68 ?? ?? ?? ?? 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 0F B6 ?? 85 ?? 74 } - $block_5 = { 8B ?? ?? 83 ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 0F B6 ?? 85 ?? 0F 84 } - $block_6 = { 8B ?? ?? 81 C? ?? ?? ?? ?? 5? 6A ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 } - $block_7 = { 68 ?? ?? ?? ?? 8B ?? ?? 5? FF 1? ?? ?? ?? ?? 3D ?? ?? ?? ?? 0F 84 } - $block_8 = { 8B ?? ?? 8B ?? ?? 8D ?? ?? ?? 8B ?? ?? 03 ?? ?? 3B ?? 0F 83 } - $block_9 = { 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 0F B6 ?? 85 ?? 0F 84 } - $block_10 = { 8D ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 0F B6 ?? 85 ?? 74 } - $block_11 = { 0F B7 ?? ?? 0F B7 ?? ?? 8B ?? ?? 03 ?? ?? 3B ?? 75 } - - condition: - hash.sha256(0, filesize) == "34905d840bbfbbc555dfd280b383e2c00d4c7987be71067ad7152b26f06d2cd0" or - 12 of them -} - -rule CloudAtlasLoader { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { 5? 8B ?? 81 E? ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 ?? 89 ?? ?? 5? 5? B9 ?? ?? ?? ?? BE ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? F3 ?? A4 C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? 
?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? 
C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? 
?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? 
?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 0F AF ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 81 F? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? 8D ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 8D ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 83 ?? ?? ?? 0F 84 } - $block_1 = { 5? 8B ?? 81 E? ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 ?? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? 33 ?? 66 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? 
?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? 
?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 81 C? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 83 ?? ?? 89 ?? ?? ?? ?? ?? 0F B6 ?? ?? 5? 8B ?? ?? ?? ?? ?? 5? 0F B6 ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 8B ?? ?? ?? ?? ?? 0F AF ?? ?? ?? ?? ?? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? 
?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 81 F? ?? ?? ?? ?? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 8B ?? ?? 8B ?? ?? 89 ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 8B ?? ?? 5? 0F B7 ?? ?? ?? ?? ?? 5? 8B ?? ?? 5? 0F B6 ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? ?? ?? ?? ?? 05 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 8B ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? 8B ?? ?? ?? ?? ?? 35 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 69 ?? ?? ?? ?? ?? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 8B ?? ?? ?? ?? ?? 05 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? 8B ?? ?? 33 ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? 69 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 03 ?? ?? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? 8B ?? ?? 33 ?? ?? 89 ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? BA ?? ?? ?? ?? 2B ?? ?? 89 ?? ?? 8B ?? ?? ?? ?? ?? 05 ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 69 ?? ?? ?? ?? ?? 89 } - $block_2 = { 8B ?? ?? 69 ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 69 ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 5? 8B ?? ?? 5? 8B ?? ?? 5? 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 8B ?? ?? 03 ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 81 C? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? 2B ?? ?? 89 ?? ?? 8B ?? ?? 5? 8B ?? ?? 5? 0F B6 ?? ?? 5? 8B ?? ?? 5? 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? 0F AF ?? ?? 89 ?? ?? 8B ?? ?? 03 ?? ?? 89 ?? ?? 8B ?? ?? 5? 0F B7 ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? 81 E? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 2B ?? ?? 89 ?? ?? 8B ?? ?? ?? ?? ?? 5? 8B ?? ?? 5? 8B ?? ?? ?? ?? ?? 5? 8B ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 8B ?? ?? 69 ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? C7 ?? ?? ?? 
?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 2B ?? ?? ?? ?? ?? 89 ?? ?? 0F B7 ?? ?? 5? 8B ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 33 ?? ?? 89 ?? ?? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? 8D ?? ?? 5? 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? B9 ?? ?? ?? ?? 2B ?? ?? 89 ?? ?? 8B ?? ?? 5? 8B ?? ?? ?? ?? ?? 5? 8B ?? ?? 5? 8B ?? ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? 0F B7 ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 8B ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? 2B ?? ?? 89 ?? ?? 8B ?? ?? 81 F? ?? ?? ?? ?? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 5? 8B ?? ?? 5? 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? 81 F? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? 2B ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? C7 ?? ?? ?? ?? ?? ?? 0F B6 ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? ?? 03 ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 03 ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? ?? ?? ?? 81 C? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 69 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? 5? 8B ?? ?? ?? ?? ?? 5? 8B ?? ?? 5? 8B ?? ?? ?? ?? ?? 5? 8B ?? ?? 5? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? ?? ?? ?? ?? 69 ?? ?? ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 2B ?? ?? 89 ?? ?? 0F B7 ?? ?? 5? 0F B6 ?? ?? 5? 8B ?? ?? 5? 0F B7 ?? ?? 5? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 8B ?? ?? ?? ?? ?? 69 ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 5? 8B ?? ?? ?? ?? ?? 5? 8B ?? ?? 5? 8B ?? ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? 0F B7 ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? 8B ?? ?? 33 ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 8B ?? ?? 5? 0F B7 ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? C7 ?? ?? ?? ?? ?? ?? 0F B7 ?? ?? 5? 8B ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 8B ?? ?? 81 F? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 5? 8B ?? ?? 5? 8B ?? ?? 5? 8B ?? ?? 5? 8D ?? ?? ?? 
?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 8B ?? ?? 03 ?? ?? 89 ?? ?? 8B ?? ?? 33 ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? ?? ?? ?? 5? 8B ?? ?? 5? 8B ?? ?? 5? 8B ?? ?? ?? ?? ?? 5? 8B ?? ?? 5? 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 6B ?? ?? 89 ?? ?? 8B ?? ?? 81 C? ?? ?? ?? ?? 89 ?? ?? 0F B6 ?? ?? 5? 8D ?? ?? 5? 68 ?? ?? ?? ?? 8D ?? ?? 5? 0F B6 ?? ?? 5? 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? ?? 81 F? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 33 ?? ?? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? 8B ?? ?? 5? 68 ?? ?? ?? ?? 8B ?? ?? 5? 8B ?? ?? ?? ?? ?? 5? 8B ?? ?? 5? 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? C7 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 5? 8B ?? ?? 5? 8B ?? ?? 5? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? C7 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? 8B ?? ?? 33 ?? ?? 89 ?? ?? 0F B6 ?? ?? 5? 8B ?? ?? 5? 0F B7 ?? ?? 5? 8B ?? ?? 5? 8D ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? ?? 0F AF ?? ?? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 8D ?? ?? 5? 8B ?? ?? 5? 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 8B ?? ?? 0F AF ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 69 ?? ?? ?? ?? ?? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? 8B ?? ?? 5? 8B ?? ?? ?? ?? ?? 5? 8B ?? ?? 5? 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? BA ?? ?? ?? ?? 2B ?? ?? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? C7 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? B9 ?? ?? ?? ?? 2B ?? ?? 89 ?? ?? 8B ?? ?? 81 C? ?? ?? ?? ?? 89 ?? ?? 68 ?? ?? ?? ?? 8B ?? ?? 5? 0F B7 ?? ?? 5? 8B ?? ?? 5? 8B ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? C7 ?? ?? ?? ?? ?? ?? 8B ?? ?? 03 ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 8D ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 8B ?? ?? 81 C? ?? ?? ?? ?? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 5? 8B ?? ?? 5? 8B ?? ?? 5? 8B ?? ?? ?? ?? ?? 5? 8B ?? ?? 5? 8B ?? ?? 5? E8 ?? ?? ?? 
?? 83 ?? ?? 89 ?? ?? 8B ?? ?? 0F AF ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? B9 ?? ?? ?? ?? 2B ?? ?? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? 0F B7 ?? ?? 5? 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? 2B ?? ?? 89 ?? ?? 8B ?? ?? ?? ?? ?? 5? 8B ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? ?? 81 C? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 81 F? ?? ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 33 ?? ?? 89 ?? ?? 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 8B ?? ?? 69 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? 2B ?? ?? 89 ?? ?? 8B ?? ?? 5? 8B ?? ?? 5? 68 ?? ?? ?? ?? 8B ?? ?? 5? 8B ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 0F B7 ?? ?? 5? 0F B7 ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? B9 ?? ?? ?? ?? 2B ?? ?? 89 ?? ?? 8D ?? ?? ?? ?? ?? 5? 8B ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 8B ?? ?? 83 ?? ?? 89 ?? ?? 8B ?? ?? 2B ?? ?? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? 8B ?? ?? 0F AF ?? ?? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 7E } - $block_3 = { 5? 8B ?? 81 E? ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 ?? 89 ?? ?? C6 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? 
C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? 
C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? 
?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? 8B ?? ?? 5? 8B ?? ?? 5? 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 8D ?? ?? ?? ?? ?? 5? 0F B6 ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 35 ?? ?? ?? ?? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? 8B ?? ?? 83 ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 81 C? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 89 ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 69 ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? ?? ?? ?? 5? 6A ?? FF 1? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 33 ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? ?? ?? ?? 03 ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 } - $block_4 = { 5? 8B ?? 81 E? ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 ?? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? 33 ?? 66 ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? 
?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? 
?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? 2B ?? ?? 89 ?? ?? 8D ?? ?? 5? 0F B7 ?? ?? 5? 0F B6 ?? ?? 5? 8B ?? ?? ?? ?? ?? 5? 8B ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? ?? 33 ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 81 F? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 03 ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 0F AF ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? 81 F? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? 8B ?? ?? 89 ?? 8B ?? ?? 81 C? ?? ?? ?? ?? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 2D ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? 8B ?? ?? 35 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? 69 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 8B ?? ?? 69 ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? 
?? ?? ?? ?? 05 ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 2B ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? ?? 89 ?? 8B ?? ?? ?? ?? ?? 33 ?? ?? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? 8B ?? ?? 05 ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 8B ?? ?? 81 E? ?? ?? ?? ?? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? EB } - $block_5 = { 5? 8B ?? 81 E? ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 ?? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? 
?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? 
C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 03 ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 81 F? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 81 C? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? 05 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? 8B ?? ?? 89 ?? 8B ?? ?? 05 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? ?? 89 ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 8B ?? ?? 8B ?? 89 ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? 0F AF ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 5? 6A ?? 8B ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 81 C? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? C7 } - $block_6 = { 5? 8B ?? 81 E? ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 ?? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? 
?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? 
?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? 
?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? 0F AF ?? ?? ?? ?? ?? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? 8B ?? ?? 81 F? ?? ?? ?? ?? 89 ?? ?? C6 ?? ?? ?? ?? ?? ?? 8B ?? ?? 69 ?? ?? ?? ?? ?? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? 8B ?? ?? 2D ?? ?? ?? ?? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 8B ?? ?? 69 ?? ?? ?? ?? ?? 89 ?? ?? BA ?? ?? ?? ?? 2B ?? ?? 89 ?? ?? 8B ?? ?? 2D ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? 8B ?? ?? 69 ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? 81 E? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 03 ?? ?? 89 ?? ?? 8B ?? ?? 2D ?? ?? ?? ?? 89 } - $block_7 = { 5? 8B ?? 81 E? ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 ?? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? 
C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? 
C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? 8B ?? ?? 2B ?? ?? 89 ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? 8B ?? ?? 69 ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 8B ?? ?? 89 ?? C7 ?? ?? ?? ?? ?? ?? 8B ?? ?? 69 ?? ?? ?? ?? ?? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? ?? 89 ?? 8B ?? ?? 99 B9 ?? ?? ?? ?? F7 ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? 33 ?? ?? ?? ?? ?? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? 8B ?? ?? 89 ?? ?? 8B ?? ?? 81 F? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 
?? 03 ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 81 F? ?? ?? ?? ?? 89 } - $block_8 = { 8B ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 05 ?? ?? ?? ?? 89 ?? ?? 0F B6 ?? ?? 5? 8B ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? 8B ?? ?? 5? 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 8B ?? ?? 05 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? 83 ?? ?? 89 ?? ?? ?? ?? ?? 0F B6 ?? ?? 5? 0F B7 ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? ?? ?? ?? 5? 8B ?? ?? 5? 8B ?? ?? 5? 8B ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 81 F? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8D ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? ?? 0F AF ?? ?? 89 ?? ?? 8B ?? ?? ?? ?? ?? 5? 8B ?? ?? 5? 8B ?? ?? 5? 8B ?? ?? 5? 0F B6 ?? ?? 5? 0F B7 ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? ?? 03 ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? ?? ?? ?? 81 E? ?? ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? 0F B7 ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? ?? 69 ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 69 ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? ?? ?? ?? 5? 8B ?? ?? 5? 8B ?? ?? 5? 0F B7 ?? ?? 5? 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? 69 ?? ?? ?? ?? ?? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? 8B ?? ?? 81 F? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 5? 0F B7 ?? ?? 5? 0F B7 ?? ?? 5? 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 8B ?? ?? 03 ?? ?? 89 ?? ?? 8B ?? ?? ?? ?? ?? 5? 8B ?? ?? ?? ?? ?? 5? 8B ?? ?? 5? 8B ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 8B ?? ?? 81 F? ?? ?? ?? ?? 89 ?? ?? B8 ?? ?? ?? ?? 2B ?? ?? 89 ?? ?? 8B ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? ?? 69 ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 83 ?? ?? 89 ?? 
?? 8B ?? ?? 33 ?? ?? 89 ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? 2B ?? ?? 89 ?? ?? 8B ?? ?? 5? 8B ?? ?? 5? 0F B7 ?? ?? 5? 8B ?? ?? 5? 8B ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? ?? 05 ?? ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? 0F B7 ?? ?? 5? 8B ?? ?? ?? ?? ?? 5? 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? ?? 81 C? ?? ?? ?? ?? 89 ?? ?? 0F B7 ?? ?? 5? 0F B7 ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? B9 ?? ?? ?? ?? 2B ?? ?? 89 ?? ?? 8B ?? ?? 2B ?? ?? 89 ?? ?? 8D ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 8B ?? ?? 2B ?? ?? 89 ?? ?? 8B ?? ?? ?? ?? ?? 5? 8B ?? ?? ?? ?? ?? 5? 8B ?? ?? 5? 8B ?? ?? 5? 8B ?? ?? 5? 0F B7 ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? C7 ?? ?? ?? ?? ?? ?? 8B ?? ?? 5? 0F B7 ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 0F B7 ?? ?? 5? 8B ?? ?? ?? ?? ?? 5? 8B ?? ?? 5? 0F B6 ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? 0F B7 ?? ?? 5? 0F B7 ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 8D ?? ?? 5? 0F B6 ?? ?? 5? 0F B7 ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? 69 ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 81 C? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 2B ?? ?? 89 ?? ?? B8 ?? ?? ?? ?? 2B ?? ?? 89 ?? ?? 68 ?? ?? ?? ?? 8B ?? ?? 5? 8B ?? ?? ?? ?? ?? 5? 8B ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 8B ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 0F B6 ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 8D ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 8B ?? ?? ?? ?? ?? 5? 8B ?? ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 8B ?? ?? 6B ?? ?? 89 ?? ?? 8B ?? ?? 81 C? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? C7 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 83 ?? ?? 89 ?? ?? 8D ?? ?? 5? 8B ?? ?? 5? 0F B6 ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 8B ?? ?? 81 C? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 33 ?? ?? 89 ?? ?? 68 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 5? 8B ?? ?? 5? 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 8B ?? ?? 
69 ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? C7 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? B9 ?? ?? ?? ?? 2B ?? ?? 89 ?? ?? 8B ?? ?? 5? 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? ?? 81 F? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 33 ?? ?? 89 ?? ?? 8B ?? ?? 5? 8B ?? ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? ?? ?? ?? ?? 2B ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 8D ?? ?? 5? 8B ?? ?? 5? 0F B6 ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 8B ?? ?? 81 C? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? 83 ?? ?? 89 ?? ?? 8B ?? ?? 5? 8B ?? ?? 5? 8B ?? ?? ?? ?? ?? 5? 8B ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? B9 ?? ?? ?? ?? 2B ?? ?? 89 ?? ?? 8B ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? B8 ?? ?? ?? ?? 2B ?? ?? 89 ?? ?? ?? ?? ?? 8D ?? ?? 5? 8B ?? ?? 5? 8B ?? ?? 5? 8B ?? ?? 5? 0F B6 ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? 8B ?? ?? 03 ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 5? 0F B7 ?? ?? 5? 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 8B ?? ?? 81 C? ?? ?? ?? ?? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 2B ?? ?? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? 8B ?? ?? 2B ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 03 ?? ?? 89 ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? 35 ?? ?? ?? ?? 89 } - $block_9 = { 5? 8B ?? 81 E? ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 ?? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? 
?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? 
C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? 33 ?? 66 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 89 ?? ?? 0F B7 ?? ?? ?? ?? ?? 5? 8B ?? ?? ?? ?? ?? 5? 8D ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? 
?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 03 ?? ?? 89 ?? ?? 8B ?? ?? 35 ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? ?? 89 ?? C7 ?? ?? ?? ?? ?? ?? 8B ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? 89 ?? ?? 8B ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 5? 6A ?? 8B ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? C7 ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 69 ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 81 E? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? EB } - - condition: - hash.sha256(0, filesize) == "85ec69f1a08b30db4d30202d3a584bd33ea412ba46336b1b51fae7260e29f844" or - 10 of them -} - -rule RedOctoberPluginNetScan { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { 0F B6 ?? ?? 0F BE ?? ?? ?? ?? ?? 5? 0F B6 ?? 0F BE ?? ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? 5? FF D? 83 } - $block_1 = { 8B ?? ?? ?? ?? ?? 0F B7 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 83 ?? ?? 3B ?? 0F 87 } - $block_2 = { 8B ?? ?? 83 ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 5? 8B ?? ?? 83 ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? 85 ?? 75 } - $block_3 = { 5? 8B ?? 83 ?? ?? 89 ?? ?? 0F B7 ?? ?? 89 ?? ?? 8B ?? ?? 83 ?? ?? 89 ?? ?? 83 ?? ?? ?? 0F 87 } - $block_4 = { 83 ?? ?? 33 ?? 6A ?? 5? 8B ?? F7 ?? 0F 90 ?? F7 ?? 0B ?? 5? E8 ?? ?? ?? ?? 8B ?? 5? 85 ?? 74 } - $block_5 = { 8D ?? ?? 5? 8D ?? ?? 5? 68 ?? ?? ?? ?? 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 0F B6 ?? 85 ?? 74 } - $block_6 = { 68 ?? ?? ?? ?? 8B ?? ?? 5? 8B ?? ?? 5? 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 0F B6 ?? 85 ?? 74 } - $block_7 = { C6 ?? ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? 8B ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 85 ?? 0F 84 } - $block_8 = { 8B ?? ?? 8B ?? ?? 83 ?? ?? 89 ?? ?? 8B ?? ?? 8B ?? ?? 89 ?? ?? 8B ?? ?? 83 ?? ?? ?? 0F 86 } - $block_9 = { 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? 3B ?? ?? ?? ?? ?? 0F 8F } - $block_10 = { 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? 3B ?? ?? ?? ?? ?? 
0F 8C } - $block_11 = { 68 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 81 C? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_12 = { 0F B7 ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 0F 84 } - $block_13 = { 8B ?? ?? 0F B7 ?? ?? 5? 8B ?? ?? 0F B7 ?? 5? 8B ?? ?? 5? 8B ?? ?? E8 ?? ?? ?? ?? EB } - $block_14 = { 8B ?? ?? ?? ?? ?? 0F B7 ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 0F B7 ?? 83 ?? ?? 0F 85 } - $block_15 = { 6A ?? 8D ?? ?? 5? 8D ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 0F B6 ?? ?? 3D ?? ?? ?? ?? 74 } - $block_16 = { 68 ?? ?? ?? ?? 8B ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 0F 84 } - $block_17 = { E8 ?? ?? ?? ?? 99 B9 ?? ?? ?? ?? F7 ?? 89 ?? ?? E8 ?? ?? ?? ?? 25 ?? ?? ?? ?? 79 } - $block_18 = { 8B ?? ?? ?? ?? ?? 8B ?? ?? 5? 5? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 } - $block_19 = { 8B ?? ?? 89 ?? ?? 8B ?? ?? 8B ?? 89 ?? ?? 8B ?? ?? 33 ?? 83 ?? ?? ?? 0F 94 ?? 88 } - $block_20 = { 8D ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 0F 84 } - $block_21 = { 8B ?? ?? ?? ?? ?? 8A ?? ?? 5? 5? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 } - $block_22 = { 8B ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 5? E8 ?? ?? ?? ?? 89 ?? ?? 83 ?? ?? ?? 0F 84 } - $block_23 = { 0F B7 ?? ?? 8B ?? ?? 8B ?? ?? ?? ?? ?? 0F BE ?? ?? 0F BE ?? ?? ?? ?? ?? 3B ?? 75 } - $block_24 = { 8B ?? ?? ?? ?? ?? 5? 5? 8A ?? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 } - $block_25 = { 8B ?? ?? 8B ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 3D ?? ?? ?? ?? 0F 86 } - $block_26 = { 8B ?? ?? 89 ?? ?? 8B ?? ?? 83 ?? ?? 89 ?? ?? 8B ?? ?? 0F B7 ?? 83 ?? ?? 74 } - $block_27 = { 0F B7 ?? ?? 8B ?? ?? 8B ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 3B ?? 73 } - $block_28 = { 8B ?? ?? 0F B7 ?? ?? ?? ?? ?? 8B ?? ?? 8B ?? ?? ?? ?? ?? 83 ?? ?? 3B ?? 73 } - $block_29 = { 8B ?? ?? ?? ?? ?? 0F B7 ?? 5? FF 1? ?? ?? ?? ?? 0F B7 ?? 83 ?? ?? 0F 85 } - $block_30 = { 5? 8B ?? 83 ?? ?? A1 ?? ?? ?? ?? 33 ?? 89 ?? ?? 5? 5? 83 ?? ?? ?? 0F 84 } - $block_31 = { 8B ?? ?? ?? ?? ?? 
0F B7 ?? 5? FF 1? ?? ?? ?? ?? 0F B7 ?? 83 ?? ?? 0F 84 } - $block_32 = { 8B ?? ?? ?? ?? ?? 5? 5? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 } - $block_33 = { 8B ?? ?? 8B ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 83 ?? ?? 0F 86 } - $block_34 = { 8B ?? ?? ?? ?? ?? 0F B7 ?? 5? FF 1? ?? ?? ?? ?? 0F B7 ?? 83 ?? ?? 75 } - $block_35 = { A1 ?? ?? ?? ?? 0F B7 ?? 5? FF 1? ?? ?? ?? ?? 0F B7 ?? 83 ?? ?? 0F 85 } - $block_36 = { 5? 8B ?? 5? 5? 33 ?? 5? 8B ?? ?? C7 ?? ?? ?? ?? ?? ?? 39 ?? ?? 0F 84 } - $block_37 = { 8B ?? ?? 8B ?? ?? ?? ?? ?? 0F BE ?? 0F BE ?? ?? ?? ?? ?? 3B ?? 75 } - $block_38 = { FF 1? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 0F B6 ?? ?? ?? ?? ?? 85 ?? 74 } - $block_39 = { A1 ?? ?? ?? ?? 0F B7 ?? 5? FF 1? ?? ?? ?? ?? 0F B7 ?? 83 ?? ?? 75 } - $block_40 = { 8D ?? ?? 5? 8B ?? ?? 5? E8 ?? ?? ?? ?? 89 ?? ?? 83 ?? ?? ?? 0F 85 } - $block_41 = { 68 ?? ?? ?? ?? 8D ?? ?? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 } - $block_42 = { 5? 8B ?? 83 ?? ?? A1 ?? ?? ?? ?? 33 ?? 89 ?? ?? 83 ?? ?? ?? 0F 84 } - $block_43 = { E8 ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? 8B ?? ?? 0F BE ?? 85 ?? 0F 84 } - $block_44 = { 68 ?? ?? ?? ?? 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 84 } - $block_45 = { 8B ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? 83 ?? ?? ?? 0F 85 } - $block_46 = { 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_47 = { 8B ?? ?? 0F B7 ?? ?? ?? ?? ?? 8B ?? ?? 3B ?? ?? ?? ?? ?? 73 } - $block_48 = { 8B ?? ?? 5? 8B ?? ?? 5? 8D ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 } - $block_49 = { 8B ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 81 F? ?? ?? ?? ?? 0F 82 } - $block_50 = { 8D ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 39 ?? ?? ?? ?? ?? 0F 83 } - $block_51 = { 5? 8B ?? 83 ?? ?? 89 ?? ?? C6 ?? ?? ?? 83 ?? ?? ?? 0F 84 } - $block_52 = { 8D ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 } - $block_53 = { 8B ?? ?? 5? FF 1? ?? ?? ?? ?? 89 ?? ?? 83 ?? ?? ?? 0F 84 } - $block_54 = { 0F B7 ?? ?? 5? 8B ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? 85 ?? 74 } - $block_55 = { 8D ?? ?? E8 ?? ?? ?? ?? 0F BF ?? 0F BF ?? ?? 3B ?? 
75 } - $block_56 = { 8B ?? ?? 89 ?? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 0F 84 } - $block_57 = { 8B ?? ?? ?? ?? ?? 81 B? ?? ?? ?? ?? ?? ?? ?? ?? 0F 8E } - $block_58 = { 8D ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? 85 ?? 0F 85 } - $block_59 = { 8B ?? ?? ?? ?? ?? 0F B6 ?? ?? 81 F? ?? ?? ?? ?? 0F 8D } - $block_60 = { 8B ?? ?? 83 ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? ?? 85 ?? 74 } - $block_61 = { 8B ?? ?? 5? 5? 33 ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? C9 C2 } - $block_62 = { 8B ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? 83 ?? ?? ?? 0F 85 } - $block_63 = { 8B ?? ?? 5? 5? 8B ?? 33 ?? 5? E8 ?? ?? ?? ?? C9 C3 } - $block_64 = { 8B ?? ?? ?? ?? ?? 8B ?? ?? 3B ?? ?? ?? ?? ?? 0F 87 } - $block_65 = { 8B ?? ?? 8B ?? ?? 8B ?? 3B ?? ?? ?? ?? ?? 0F 85 } - $block_66 = { 8B ?? ?? 8B ?? 5? 33 ?? 5? E8 ?? ?? ?? ?? C9 C3 } - $block_67 = { 8B ?? ?? 83 ?? ?? 33 ?? 83 ?? ?? 39 ?? ?? 0F 87 } - $block_68 = { 8B ?? ?? ?? ?? ?? 0F B7 ?? ?? ?? ?? ?? 85 ?? 75 } - $block_69 = { 8B ?? ?? 5? 8A ?? 33 ?? 5? E8 ?? ?? ?? ?? C9 C3 } - $block_70 = { 8B ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? ?? 85 ?? 0F 84 } - $block_71 = { 8B ?? ?? 8B ?? ?? 83 ?? ?? 89 ?? ?? 85 ?? 0F 84 } - - condition: - hash.sha256(0, filesize) == "4240d4239a0bdc43581dc73e875b03653ad40d1380fa12e0359305b38c13b474" or - 12 of them -} - -rule RedOctoberPluginDASvcInstall { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { 0F B6 ?? ?? 0F B6 ?? 8A ?? ?? 4? 88 ?? ?? 88 ?? ?? 99 F7 ?? ?? FF 4? ?? 81 7? ?? ?? ?? ?? ?? 7C } - $block_1 = { 68 ?? ?? ?? ?? 8B ?? ?? 69 ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_2 = { 0F B6 ?? ?? 0F BE ?? ?? ?? ?? ?? 5? 0F B6 ?? 0F BE ?? ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? 5? FF D? 83 } - $block_3 = { 68 ?? ?? ?? ?? 6A ?? 8D ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? ?? 0F BE ?? 83 ?? ?? 74 } - $block_4 = { 8D ?? ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? 8B ?? ?? 5? FF 1? ?? ?? ?? ?? 89 ?? ?? 83 ?? ?? ?? 0F 85 } - $block_5 = { 83 ?? ?? 33 ?? 6A ?? 5? 8B ?? F7 ?? 0F 90 ?? F7 ?? 
0B ?? 5? E8 ?? ?? ?? ?? 8B ?? 5? 85 ?? 74 } - $block_6 = { 8B ?? ?? 5? 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 0F 84 } - $block_7 = { 5? 8B ?? 5? 5? 8B ?? ?? 8A ?? ?? ?? ?? ?? 8A ?? ?? ?? ?? ?? 5? 33 ?? 89 ?? ?? 39 ?? ?? 0F 8E } - $block_8 = { 8B ?? ?? 8B ?? ?? 0F B6 ?? 0F B6 ?? ?? 0F B6 ?? ?? 03 ?? 03 ?? 81 E? ?? ?? ?? ?? 79 } - $block_9 = { 8B ?? ?? ?? ?? ?? 8B ?? ?? 5? 5? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 } - $block_10 = { 8B ?? ?? ?? ?? ?? 8A ?? ?? 5? 5? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 } - $block_11 = { 8B ?? ?? ?? ?? ?? 5? 5? 8A ?? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 } - $block_12 = { 8B ?? ?? ?? ?? ?? 5? 5? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 } - $block_13 = { 5? 8B ?? 5? 5? 33 ?? 5? 8B ?? ?? C7 ?? ?? ?? ?? ?? ?? 39 ?? ?? 0F 84 } - $block_14 = { 68 ?? ?? ?? ?? 8D ?? ?? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 } - $block_15 = { 88 ?? ?? 0F B6 ?? 8A ?? ?? 0F B6 ?? 03 ?? 81 E? ?? ?? ?? ?? 79 } - $block_16 = { 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 0F 84 } - $block_17 = { 8B ?? ?? 5? 8B ?? ?? 5? 8D ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 } - $block_18 = { 5? 8B ?? 83 ?? ?? 89 ?? ?? C6 ?? ?? ?? 83 ?? ?? ?? 0F 84 } - $block_19 = { 0F B6 ?? 8A ?? ?? 30 ?? 8B ?? ?? 4? 89 ?? ?? 3B ?? ?? 7C } - $block_20 = { 5? 5? 5? 33 ?? 89 ?? ?? ?? 89 ?? ?? ?? 39 ?? ?? ?? 0F 84 } - $block_21 = { 5? 8B ?? ?? ?? ?? ?? 5? 5? FF 7? ?? ?? FF D? 3B ?? 0F 84 } - $block_22 = { 8B ?? ?? 5? 5? 8B ?? 33 ?? 5? E8 ?? ?? ?? ?? C9 C3 } - $block_23 = { 8B ?? ?? 8B ?? ?? 5? 33 ?? 5? E8 ?? ?? ?? ?? C9 C3 } - $block_24 = { 8B ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? ?? 85 ?? 0F 84 } - $block_25 = { 8B ?? ?? 83 ?? ?? 33 ?? 83 ?? ?? 39 ?? ?? 0F 87 } - $block_26 = { 8B ?? ?? 0F B6 ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 74 } - $block_27 = { 8B ?? ?? 8B ?? ?? 83 ?? ?? 89 ?? ?? 85 ?? 0F 84 } - $block_28 = { 8B ?? ?? 0F B6 ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 
75 } - - condition: - hash.sha256(0, filesize) == "ae5bd9750738afef22568a3400a876e5bfefb4fe1d24e8badef97c756c9056ca" or - 12 of them -} - -rule RedOctoberPluginAdobeBDInstaller { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { 0F B6 ?? ?? 0F BE ?? ?? ?? ?? ?? 5? 0F B6 ?? 0F BE ?? ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? 5? FF D? 83 } - $block_1 = { 83 ?? ?? 33 ?? 6A ?? 5? 8B ?? F7 ?? 0F 90 ?? F7 ?? 0B ?? 5? E8 ?? ?? ?? ?? 8B ?? 5? 85 ?? 74 } - $block_2 = { 8D ?? ?? ?? ?? ?? 5? 8B ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 0F B6 ?? 85 ?? 0F 84 } - $block_3 = { 8B ?? ?? ?? ?? ?? 8A ?? ?? 5? 5? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 } - $block_4 = { 8B ?? ?? ?? ?? ?? 8B ?? ?? 5? 5? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 } - $block_5 = { 8B ?? ?? ?? ?? ?? 5? 5? 8A ?? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 } - $block_6 = { 8B ?? ?? ?? ?? ?? 5? 5? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 } - $block_7 = { 5? 8B ?? 5? 5? 33 ?? 5? 8B ?? ?? C7 ?? ?? ?? ?? ?? ?? 39 ?? ?? 0F 84 } - $block_8 = { 68 ?? ?? ?? ?? 8D ?? ?? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 } - $block_9 = { 8B ?? ?? 5? 8B ?? ?? 5? 8D ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 } - $block_10 = { 5? 8B ?? 83 ?? ?? 89 ?? ?? C6 ?? ?? ?? 83 ?? ?? ?? 0F 84 } - $block_11 = { 5? 5? 5? 33 ?? 89 ?? ?? ?? 89 ?? ?? ?? 39 ?? ?? ?? 0F 84 } - $block_12 = { 5? 8B ?? ?? ?? ?? ?? 5? 5? FF 7? ?? ?? FF D? 3B ?? 0F 84 } - $block_13 = { 8B ?? ?? 5? 5? 8B ?? 33 ?? 5? E8 ?? ?? ?? ?? C9 C3 } - $block_14 = { 8B ?? ?? 83 ?? ?? 33 ?? 83 ?? ?? 39 ?? ?? 0F 87 } - $block_15 = { 8B ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? ?? 85 ?? 0F 84 } - $block_16 = { 8B ?? ?? 8B ?? ?? 83 ?? ?? 89 ?? ?? 85 ?? 
0F 84 } - - condition: - hash.sha256(0, filesize) == "feb0166bf33745d7d065d4815022b5d76ff6a5b999181aa719bf5e72f8328f23" or - 12 of them -} - -rule RedOctoberPluginFrogbackdoor { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { 0F B6 ?? ?? 0F B6 ?? 8A ?? ?? 4? 88 ?? ?? 88 ?? ?? 99 F7 ?? ?? FF 4? ?? 81 7? ?? ?? ?? ?? ?? 7C } - $block_1 = { 5? 8D ?? ?? 33 ?? 6A ?? 5? 8B ?? F7 ?? 0F 90 ?? F7 ?? 0B ?? 5? E8 ?? ?? ?? ?? 8B ?? 5? 85 ?? 74 } - $block_2 = { 8B ?? E8 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 5? 5? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C2 } - $block_3 = { 83 ?? ?? 33 ?? 6A ?? 5? 8B ?? F7 ?? 0F 90 ?? F7 ?? 0B ?? 5? E8 ?? ?? ?? ?? 8B ?? 5? 85 ?? 74 } - $block_4 = { 5? 8B ?? 5? 5? 8B ?? ?? 8A ?? ?? ?? ?? ?? 8A ?? ?? ?? ?? ?? 5? 33 ?? 89 ?? ?? 39 ?? ?? 0F 8E } - $block_5 = { 6A ?? 5? 5? 6A ?? 6A ?? 6A ?? FF 1? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 83 ?? ?? 0F 84 } - $block_6 = { 8B ?? ?? 8B ?? ?? 0F B6 ?? 0F B6 ?? ?? 0F B6 ?? ?? 03 ?? 03 ?? 81 E? ?? ?? ?? ?? 79 } - $block_7 = { 8B ?? ?? ?? ?? ?? 8A ?? ?? 5? 5? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 } - $block_8 = { 8B ?? ?? ?? ?? ?? 8B ?? ?? 5? 5? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 } - $block_9 = { 5? 8B ?? 83 ?? ?? 89 ?? ?? C6 ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? 83 ?? ?? ?? 0F 84 } - $block_10 = { 8B ?? ?? ?? ?? ?? 5? 5? 8A ?? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 } - $block_11 = { 8B ?? ?? ?? ?? ?? 5? 5? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C2 } - $block_12 = { 8B ?? ?? ?? ?? ?? 5? 5? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 } - $block_13 = { 5? 8B ?? 5? 5? 33 ?? 5? 8B ?? ?? C7 ?? ?? ?? ?? ?? ?? 39 ?? ?? 0F 84 } - $block_14 = { 8B ?? ?? ?? ?? ?? 5? FF D? 4? 5? E8 ?? ?? ?? ?? 8B ?? 5? 85 ?? 0F 84 } - $block_15 = { 0F B7 ?? ?? 83 ?? ?? ?? 89 ?? ?? 0F B7 ?? ?? 8D ?? ?? ?? 85 ?? 7E } - $block_16 = { 68 ?? ?? ?? ?? 8D ?? ?? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 } - $block_17 = { 88 ?? ?? 0F B6 ?? 8A ?? ?? 0F B6 ?? 03 ?? 
81 E? ?? ?? ?? ?? 79 } - $block_18 = { 5? 8D ?? ?? 5? 6A ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 } - $block_19 = { 5? 5? 5? 6A ?? 6A ?? 8D ?? ?? 5? FF D? 89 ?? ?? 83 ?? ?? 0F 85 } - $block_20 = { 0F B6 ?? 8A ?? ?? 30 ?? 8B ?? ?? 4? 89 ?? ?? 3B ?? ?? 7C } - $block_21 = { 5? 5? 5? 33 ?? 89 ?? ?? ?? 89 ?? ?? ?? 39 ?? ?? ?? 0F 84 } - $block_22 = { 5? 8B ?? ?? ?? ?? ?? 5? 5? FF 7? ?? ?? FF D? 3B ?? 0F 84 } - $block_23 = { 8D ?? ?? 5? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 } - $block_24 = { 8B ?? ?? 8A ?? ?? 5? 33 ?? 5? E8 ?? ?? ?? ?? C9 C3 } - $block_25 = { 8B ?? ?? 33 ?? 5? 33 ?? 4? 5? E8 ?? ?? ?? ?? C9 C3 } - $block_26 = { 8B ?? ?? 5? 5? 8B ?? 33 ?? 5? E8 ?? ?? ?? ?? C9 C3 } - $block_27 = { 8B ?? ?? 5? 33 ?? 32 ?? 5? E8 ?? ?? ?? ?? C9 C3 } - - condition: - hash.sha256(0, filesize) == "79cf65316806b8e30ef0baaa14bf891720fd17578e9789f199084ff5f522014b" or - 12 of them -} - -rule RedOctoberPluginCredentialStealing { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { 8B ?? 5? 5? 5? FF 0? ?? ?? ?? ?? B9 ?? ?? ?? ?? A3 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BE ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 4? 89 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? A1 ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? 2B ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 8B ?? BB ?? ?? ?? ?? 8B ?? 8B ?? BF ?? ?? ?? ?? BF ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? A3 ?? ?? ?? ?? 68 ?? ?? ?? ?? B8 ?? ?? ?? ?? 8B ?? 03 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? BB ?? ?? ?? ?? BB ?? ?? ?? ?? B8 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 4? 89 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 8B ?? 89 ?? 
?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? A3 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? A3 ?? ?? ?? ?? BE ?? ?? ?? ?? A3 ?? ?? ?? ?? 8B ?? A3 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 4? A3 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? BE ?? ?? ?? ?? 8B ?? E8 ?? ?? ?? ?? BB ?? ?? ?? ?? BE ?? ?? ?? ?? 8B ?? BB ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? BF ?? ?? ?? ?? BE ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? BA ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 4? 8B ?? 8B ?? B9 ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 4? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 4? 8B ?? 8B ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 68 ?? ?? ?? ?? B9 ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 4? 4? 89 ?? ?? ?? ?? ?? 4? 8B ?? ?? ?? ?? ?? 4? FF 0? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BE ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 8B ?? FF D? 8B ?? BB ?? ?? ?? ?? BE ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 8B ?? FF 0? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 8B ?? 03 ?? ?? ?? ?? ?? 8B ?? 8B ?? 8B ?? BF ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? A3 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 8B ?? 2B ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? A1 ?? ?? 
?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? B9 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? BB ?? ?? ?? ?? BE ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 8B ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 8B ?? 89 ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 8B ?? A3 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? BB ?? ?? ?? ?? 4? 4? 68 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 4? 4? FF 0? ?? ?? ?? ?? 4? A3 ?? ?? ?? ?? BF ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? A3 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? A3 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 8B ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? A1 ?? ?? ?? ?? B9 ?? ?? ?? ?? 4? A1 ?? ?? ?? ?? 4? 2B ?? ?? ?? ?? ?? A3 ?? ?? ?? ?? B9 ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 8B ?? 8B ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? BB ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? BA ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? A3 ?? ?? ?? ?? 8B ?? BF ?? ?? ?? ?? BA ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BE ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BB ?? ?? ?? ?? B8 ?? ?? ?? ?? BB ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? A3 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? A3 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? A3 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? A1 ?? ?? ?? ?? A1 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? B9 ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 4? 8B ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 8B ?? BB ?? ?? ?? ?? B9 ?? ?? ?? ?? BE ?? ?? ?? ?? 
8B ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 4? 89 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 4? 89 ?? ?? ?? ?? ?? 8B ?? 8B ?? 4? BB ?? ?? ?? ?? B9 ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 4? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? BE ?? ?? ?? ?? B9 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BE ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? FF 0? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 03 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BE ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 4? 03 ?? ?? ?? ?? ?? 8B ?? 4? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? FF D? BA ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 8B ?? B9 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 8B ?? BE ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 8B ?? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 4? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 4? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 4? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? 
?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? 8B ?? 8B ?? 4? 8B ?? FF 0? ?? ?? ?? ?? 4? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 8B ?? 03 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 8B ?? 89 ?? ?? ?? ?? ?? 4? 8B ?? ?? ?? ?? ?? 0B ?? 0F 84 } - $block_1 = { 8B ?? 5? 5? 5? 03 ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? A1 ?? ?? ?? ?? 8B ?? B8 ?? ?? ?? ?? 8B ?? 4? BF ?? ?? ?? ?? 4? A3 ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 8B ?? B9 ?? ?? ?? ?? 4? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? BF ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 8B ?? A1 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? A1 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8B ?? BA ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 4? BF ?? ?? ?? ?? 4? 4? 89 ?? ?? ?? ?? ?? A1 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BE ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 8B ?? A1 ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 8B ?? 8B ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? A3 ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 2B ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 4? B9 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 
BB ?? ?? ?? ?? BE ?? ?? ?? ?? 8B ?? BE ?? ?? ?? ?? BF ?? ?? ?? ?? 8B ?? 8B ?? 8B ?? BB ?? ?? ?? ?? BE ?? ?? ?? ?? 68 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 8B ?? 8B ?? BF ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BA ?? ?? ?? ?? BB ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? BE ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? FF D? FF 0? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? A3 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? BB ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? A1 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BF ?? ?? ?? ?? A3 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? 8B ?? B8 ?? ?? ?? ?? BE ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? A1 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? A1 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 8B ?? 03 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? 8B ?? BE ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? BE ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 8B ?? 2B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 2B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? A3 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? A3 ?? ?? ?? ?? BE ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 8B ?? 2B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? A3 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? A3 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? BE ?? ?? 
?? ?? BE ?? ?? ?? ?? BB ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? A3 ?? ?? ?? ?? A3 ?? ?? ?? ?? A3 ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 4? 8B ?? 03 ?? ?? ?? ?? ?? A3 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BF ?? ?? ?? ?? BE ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? B8 ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? B9 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? A1 ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? A3 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 4? 8B ?? A3 ?? ?? ?? ?? B8 ?? ?? ?? ?? B9 ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? B9 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? A3 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 8B ?? BE ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 4? 8B ?? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 8B ?? 8B ?? 89 ?? ?? ?? ?? ?? BE ?? ?? ?? ?? BF ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BB ?? ?? ?? ?? BB ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BF ?? 
?? ?? ?? 8B ?? ?? ?? ?? ?? BE ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? BF ?? ?? ?? ?? BB ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? BA ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BE ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 4? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? FF D? 8B ?? 4? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 8B ?? 8B ?? 89 ?? ?? ?? ?? ?? 4? 8B ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? BF ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 4? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? 8B ?? 8B ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 8B ?? 4? BB ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BE ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 0B ?? 0F 84 } - $block_2 = { 8B ?? 5? 8B ?? 5? 03 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? A3 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? A3 ?? ?? ?? ?? A1 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? A3 ?? ?? ?? ?? 8B ?? 
?? ?? ?? ?? BB ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? BF ?? ?? ?? ?? B9 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BE ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? A3 ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? FF 0? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 8B ?? B9 ?? ?? ?? ?? BB ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 8B ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 8B ?? 8B ?? 8B ?? BA ?? ?? ?? ?? 8B ?? 8B ?? 8B ?? ?? ?? ?? ?? BF ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 4? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 4? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? B9 ?? ?? ?? ?? 8B ?? BF ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 8B ?? 03 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 8B ?? BE ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? FF 0? ?? ?? ?? ?? 8B ?? 2B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 2B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 4? 89 ?? ?? ?? ?? ?? 8B ?? BA ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? BA ?? ?? ?? ?? BB ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 8B ?? 8B ?? BB ?? ?? ?? ?? 4? 
89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? 03 ?? ?? ?? ?? ?? 8B ?? BA ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BE ?? ?? ?? ?? BF ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? BE ?? ?? ?? ?? BE ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 83 ?? ?? BB ?? ?? ?? ?? 8B ?? BF ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 4? BB ?? ?? ?? ?? 4? 2B ?? ?? ?? ?? ?? BE ?? ?? ?? ?? 4? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BE ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? 2B ?? ?? ?? ?? ?? 8B ?? 4? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 4? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BE ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BE ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 85 ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BE ?? ?? ?? ?? BE ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BB ?? ?? ?? ?? BA ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BA ?? ?? ?? ?? BF ?? ?? ?? ?? 8B ?? 8B ?? 8B ?? BF ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BB ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 4? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 
89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 8B ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 2B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? FF 0? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? FF 0? ?? ?? ?? ?? BB ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? FF 0? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 0F 84 } - $block_3 = { 8B ?? 03 ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? BB ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 8B ?? 8B ?? 89 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 8B ?? BF ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 8B ?? 8B ?? BB ?? ?? ?? ?? BF ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BE ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 4? 8B ?? BB ?? ?? ?? ?? 8A ?? 89 ?? ?? ?? ?? ?? BF ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 4? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? 
?? ?? ?? ?? FF 0? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BB ?? ?? ?? ?? BB ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BE ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BF ?? ?? ?? ?? BF ?? ?? ?? ?? 4? 89 ?? ?? ?? ?? ?? 4? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 4? 32 ?? 4? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BE ?? ?? ?? ?? BB ?? ?? ?? ?? BE ?? ?? ?? ?? BF ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? FF 0? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 88 ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? BF ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 4? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? FF 0? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? BE ?? ?? ?? ?? BB ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 4? 8B ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? BE ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? BE ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 4? 89 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? BE ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 8B ?? 8B ?? 89 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 
89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 03 ?? ?? ?? ?? ?? BE ?? ?? ?? ?? BE ?? ?? ?? ?? 8B ?? 8B ?? 89 ?? ?? ?? ?? ?? BF ?? ?? ?? ?? BF ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 4? 89 ?? ?? ?? ?? ?? BB ?? ?? ?? ?? BB ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 4? BF ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 4? FF 0? ?? ?? ?? ?? 4? 8B ?? BE ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BE ?? ?? ?? ?? 8B ?? 2B ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 8B ?? BB ?? ?? ?? ?? 0B ?? 0F 85 } - $block_4 = { 8B ?? BB ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BA ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 4? BF ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 32 ?? 89 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? BF ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 4? 8B ?? ?? ?? ?? ?? BA ?? ?? ?? ?? BB ?? ?? ?? ?? 8B ?? BF ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 8B ?? 4? 8B ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 0F B6 ?? 8B ?? 8B ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 8B ?? FF 0? ?? ?? ?? ?? BB ?? ?? ?? ?? BB ?? ?? ?? ?? 8B ?? 8B ?? 8B ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? BF ?? ?? ?? ?? BF ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? C1 ?? ?? 2B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? BB ?? ?? ?? ?? 89 ?? ?? ?? ?? 
?? 8B ?? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? 8B ?? BB ?? ?? ?? ?? BB ?? ?? ?? ?? BF ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 4? 8B ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 8B ?? BF ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 4? BF ?? ?? ?? ?? BB ?? ?? ?? ?? 4? 8B ?? 03 ?? ?? ?? ?? ?? BB ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 33 ?? BB ?? ?? ?? ?? 4? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? BA ?? ?? ?? ?? FF 0? ?? ?? ?? ?? BB ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? BF ?? ?? ?? ?? BB ?? ?? ?? ?? BB ?? ?? ?? ?? 8B ?? 2B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 4? 0F 85 } - $block_5 = { 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 4? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 4? 2B ?? ?? ?? ?? ?? BF ?? ?? ?? ?? BE ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? A1 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? A3 ?? ?? ?? ?? A3 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 8B ?? A1 ?? ?? ?? ?? BF ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 4? 8B ?? 8B ?? 8B ?? BF ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BE ?? ?? ?? ?? 
A3 ?? ?? ?? ?? BE ?? ?? ?? ?? BA ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? A3 ?? ?? ?? ?? B8 ?? ?? ?? ?? BE ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 2B ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 81 F? ?? ?? ?? ?? 0F 85 } - $block_6 = { 83 ?? ?? 8B ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? B9 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 8B ?? B9 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BE ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 8B ?? 8B ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? BE ?? ?? ?? ?? B9 ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? 8B ?? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? 8B ?? BB ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? BF ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 4? B9 ?? ?? ?? ?? 4? BE ?? ?? ?? ?? 8B ?? 2B ?? ?? ?? ?? ?? 8B ?? FF 0? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 5? C9 C2 } - $block_7 = { B8 ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? A3 ?? ?? ?? ?? BA ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 8B ?? 8B ?? BE ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 4? 89 ?? ?? ?? ?? ?? 4? 4? 89 ?? ?? ?? ?? ?? BE ?? ?? ?? ?? 8B ?? 8B ?? 4? 8B ?? BB ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BA ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? BE ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 8B ?? 8B ?? 2B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 4? 81 F? ?? ?? ?? ?? 0F 85 } - $block_8 = { 4? 00 ?? ?? 4? 5? 33 ?? 2E ?? 4? 4? 00 ?? 01 ?? 03 ?? ?? ?? ?? ?? ?? 0A ?? 0C ?? 0E 0F 10 ?? 12 ?? 14 ?? 16 17 18 ?? 1A ?? 1C ?? 1E 1F 20 ?? 22 ?? 24 ?? 26 ?? 28 ?? 2A ?? 2C ?? 2E ?? 30 ?? 32 ?? 34 ?? 36 ?? 38 ?? 3A ?? 3C ?? 3E ?? 4? 4? 4? 4? 
4? 4? 4? 4? 4? 4? 4? 4? 4? 4? 4? 4? 5? 5? 5? 5? 5? 5? 5? 5? 5? 5? 5? 5? 5? 5? 5? 5? 60 61 62 ?? ?? 65 ?? ?? ?? ?? ?? 6B ?? ?? ?? ?? 70 } - $block_9 = { 14 ?? 16 17 18 ?? 1A ?? 1C ?? 1E 1F 20 ?? 22 ?? 24 ?? 26 ?? 28 ?? 2A ?? 2C ?? 2E ?? 30 ?? 32 ?? 34 ?? 36 ?? 38 ?? 3A ?? 3C ?? 3E ?? 4? 4? 4? 4? 4? 4? 4? 4? 4? 4? 4? 4? 4? 4? 4? 4? 5? 5? 5? 5? 5? 5? 5? 5? 5? 5? 5? 5? 5? 5? 5? 5? 60 61 62 ?? ?? 65 ?? ?? ?? ?? ?? 6B ?? ?? ?? ?? 70 } - - condition: - hash.sha256(0, filesize) == "80f47c05bae10b97d298bf6aaacc0906c05fd0b77275543bc8c4f9bf8ff60a59" or - hash.sha256(0, filesize) == "5e9de30527a893d114330b48b90c49bcc4c6e00bfbfd6a473a48f70c8ef6aa0b" or - hash.sha256(0, filesize) == "5d6c6c542ca29d9c756b9f440863152f4c8c5f1ddb5732b0adbca82074a2a4c0" or - hash.sha256(0, filesize) == "2378ad529852c05da10c15e4b3fda00c4a818bef463a20c03e6330150bd4df21" or - 10 of them -} - -rule RedOctoberPluginGetFileReg { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { 8B ?? ?? 0F B6 ?? 8B ?? ?? 0F B6 ?? ?? 8D ?? ?? 8A ?? 0F B6 ?? 03 ?? 03 ?? 81 E? ?? ?? ?? ?? 79 } - $block_1 = { 0F B6 ?? ?? 8B ?? ?? ?? 83 ?? ?? 83 ?? ?? D3 ?? 83 ?? ?? 89 ?? ?? ?? 0B ?? 8B ?? ?? ?? 3B ?? 7E } - $block_2 = { 8B ?? 0F B6 ?? 69 ?? ?? ?? ?? ?? 8D ?? ?? 03 ?? 33 ?? 81 C? ?? ?? ?? ?? 4? 89 ?? 80 3? ?? 75 } - $block_3 = { 8B ?? ?? ?? 8B ?? ?? 8B ?? ?? 85 ?? 89 ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? 0F 8E } - $block_4 = { 8B ?? ?? ?? 2B ?? ?? ?? 8B ?? ?? ?? 8B ?? ?? 0F AF ?? 5? 8D ?? ?? 5? 5? E8 ?? ?? ?? ?? 83 } - $block_5 = { 33 ?? 83 ?? ?? 0F 95 ?? 5? 83 ?? ?? 83 ?? ?? 03 ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 8C } - $block_6 = { 5? E8 ?? ?? ?? ?? 8B ?? ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 85 } - $block_7 = { 8B ?? ?? 5? 5? 8D ?? ?? E8 ?? ?? ?? ?? 8D ?? ?? 5? 8D ?? ?? E8 ?? ?? ?? ?? 84 ?? 0F 84 } - $block_8 = { 5? 8B ?? 83 ?? ?? 5? 8B ?? ?? 33 ?? 5? 5? 89 ?? ?? 89 ?? ?? 89 ?? ?? 3B ?? 0F 84 } - $block_9 = { 8B ?? ?? ?? ?? ?? ?? 
0F B6 ?? ?? 83 ?? ?? 83 ?? ?? D3 ?? 83 ?? ?? 0B ?? 3B ?? 7E } - $block_10 = { 8B ?? ?? ?? 8B ?? ?? 83 ?? ?? 89 ?? ?? ?? 0F B6 ?? F6 ?? ?? ?? 89 ?? ?? ?? 74 } - $block_11 = { 8D ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 33 ?? 83 ?? ?? 0F 95 ?? 89 ?? 8B } - $block_12 = { 8B ?? ?? ?? ?? ?? 5? 5? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 } - $block_13 = { 8D ?? ?? E8 ?? ?? ?? ?? 8D ?? ?? 5? 8D ?? ?? E8 ?? ?? ?? ?? 84 ?? 0F 84 } - $block_14 = { 8B ?? ?? ?? ?? ?? 33 ?? 4? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 } - $block_15 = { 5? 8B ?? 5? 5? 83 ?? ?? ?? 83 ?? ?? ?? 5? 8B ?? ?? 5? 5? 85 ?? 0F 84 } - $block_16 = { 8B ?? ?? ?? ?? ?? 5? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 } - $block_17 = { 8B ?? ?? ?? ?? ?? 5? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C2 } - $block_18 = { 0F B6 ?? 8A ?? ?? 8B ?? ?? 30 ?? FF 4? ?? 8B ?? ?? 3B ?? ?? 0F 8C } - $block_19 = { 5? E8 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? ?? 5? 5? 5? 5? 5? C9 C3 } - $block_20 = { 8B ?? ?? ?? ?? ?? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 } - $block_21 = { 8D ?? ?? ?? ?? ?? ?? 8D ?? ?? 8B ?? ?? ?? ?? ?? ?? 3B ?? ?? 0F 83 } - $block_22 = { 8B ?? ?? ?? ?? ?? 33 ?? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 } - $block_23 = { 83 ?? ?? 8B ?? ?? ?? 89 ?? ?? ?? 8B ?? ?? ?? 89 ?? ?? ?? 0F 85 } - $block_24 = { 0F B6 ?? ?? 0F B6 ?? ?? C1 ?? ?? C1 ?? ?? 0B ?? 83 ?? ?? 0F B6 } - $block_25 = { 6A ?? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 } - $block_26 = { 8D ?? ?? ?? ?? ?? ?? 8D ?? ?? ?? 0F B6 ?? ?? ?? ?? ?? FF 2? } - $block_27 = { 8B ?? ?? ?? 03 ?? 83 ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 0F 89 } - $block_28 = { 8D ?? ?? ?? ?? ?? ?? 9? 3B ?? ?? ?? BA ?? ?? ?? ?? 0F 83 } - $block_29 = { 0F B6 ?? 8A ?? ?? 0F B6 ?? 03 ?? 81 E? ?? ?? ?? ?? 79 } - $block_30 = { 8B ?? ?? 5? 33 ?? 5? 33 ?? 4? 5? E8 ?? ?? ?? ?? C9 C3 } - $block_31 = { 5? 5? 5? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 84 } - $block_32 = { 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 5? 89 ?? ?? 85 ?? 0F 84 } - $block_33 = { 33 ?? 3C ?? 0F 94 ?? BB ?? ?? ?? 
?? 89 ?? ?? ?? E9 } - $block_34 = { 8B ?? ?? ?? ?? ?? 23 ?? ?? ?? ?? ?? 83 ?? ?? 0F 84 } - $block_35 = { 39 ?? ?? ?? 8B ?? ?? ?? 89 ?? ?? ?? 0F B6 ?? 0F 84 } - $block_36 = { 5? E8 ?? ?? ?? ?? 8D ?? ?? ?? 5? 66 ?? ?? 0F 85 } - $block_37 = { 0F B6 ?? ?? 8D ?? ?? B1 ?? 84 ?? ?? ?? ?? ?? 74 } - $block_38 = { 33 ?? 39 ?? ?? ?? 0F 9D ?? 03 ?? 3B ?? ?? ?? 76 } - $block_39 = { 5? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 84 } - - condition: - hash.sha256(0, filesize) == "6ce873a31d527fc123bed28841737cb201b0cb5f347e0e530dda34a7b62c1f5e" or - 12 of them -} - -rule RedOctoberPluginSystemInfo { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { 8B ?? ?? ?? 5? 89 ?? ?? 89 ?? ?? 89 ?? ?? 89 ?? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 83 ?? ?? 0F 84 } - $block_1 = { C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 8B ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 83 ?? ?? ?? ?? ?? ?? 0F 84 } - $block_2 = { 5? 83 ?? ?? ?? ?? 8B ?? ?? ?? 5? 5? 8B ?? ?? ?? C7 ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? 0F 84 } - $block_3 = { 5? 5? 8B ?? 5? 8B ?? 33 ?? E8 ?? ?? ?? ?? 8B ?? 8B ?? E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 8E } - $block_4 = { 8B ?? BF ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? B9 ?? ?? ?? ?? 33 ?? F3 ?? 0F 84 } - $block_5 = { 68 ?? ?? ?? ?? 8B ?? E8 ?? ?? ?? ?? 8B ?? ?? ?? 2B ?? 85 ?? 89 ?? ?? ?? 0F 8F } - $block_6 = { 8B ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? ?? 0F 84 } - $block_7 = { 0F B6 ?? ?? 0F B6 ?? ?? 03 ?? C1 ?? ?? 03 ?? 0B ?? 83 ?? ?? 0F B6 } - $block_8 = { 5? E8 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 85 } - $block_9 = { 5? 8A ?? ?? 8D ?? ?? 0F B6 ?? 8B ?? 83 ?? ?? 89 ?? ?? ?? 0F 84 } - $block_10 = { 8B ?? ?? ?? 2B ?? 8B ?? 33 ?? 2B ?? 85 ?? 89 ?? ?? ?? 0F 8E } - $block_11 = { 8B ?? ?? ?? 3B ?? 89 ?? ?? 89 ?? ?? 89 ?? ?? 89 ?? 0F 84 } - $block_12 = { 8D ?? ?? ?? 5? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 } - $block_13 = { 5? 5? 5? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 84 } - $block_14 = { 5? 8B ?? E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? 
0F B6 ?? 5? } - $block_15 = { 8B ?? E8 ?? ?? ?? ?? 83 ?? ?? 83 ?? ?? 85 ?? 0F 8F } - $block_16 = { 5? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 84 } - - condition: - hash.sha256(0, filesize) == "ad768f49895c295086ad289804f25d16710231446ffdd82b3b9e6e92c237825a" or - 12 of them -} - -rule RedOctoberPluginInternetConnectivity { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { 5? 8B ?? 81 E? ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 ?? 89 ?? ?? C6 ?? ?? ?? ?? ?? ?? 83 ?? ?? ?? 0F 84 } - $block_1 = { 0F B6 ?? ?? 0F BE ?? ?? ?? ?? ?? 5? 0F B6 ?? 0F BE ?? ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? 5? FF D? 83 } - $block_2 = { 83 ?? ?? 33 ?? 6A ?? 5? 8B ?? F7 ?? 0F 90 ?? F7 ?? 0B ?? 5? E8 ?? ?? ?? ?? 8B ?? 5? 85 ?? 74 } - $block_3 = { 8B ?? ?? ?? ?? ?? 8A ?? ?? 5? 5? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 } - $block_4 = { 8B ?? ?? ?? ?? ?? 8B ?? ?? 5? 5? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 } - $block_5 = { 8B ?? ?? ?? ?? ?? 5? 5? 8A ?? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 } - $block_6 = { 8B ?? ?? ?? ?? ?? 5? 5? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 } - $block_7 = { 5? 8B ?? 5? 5? 33 ?? 5? 8B ?? ?? C7 ?? ?? ?? ?? ?? ?? 39 ?? ?? 0F 84 } - $block_8 = { 68 ?? ?? ?? ?? 8B ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? 83 ?? ?? ?? 0F 84 } - $block_9 = { 68 ?? ?? ?? ?? 8D ?? ?? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 } - $block_10 = { 8B ?? ?? 5? 8B ?? ?? 5? 8D ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 } - $block_11 = { 5? 8B ?? 83 ?? ?? 89 ?? ?? C6 ?? ?? ?? 83 ?? ?? ?? 0F 84 } - $block_12 = { 8B ?? ?? 5? 5? 8B ?? 33 ?? 5? E8 ?? ?? ?? ?? C9 C3 } - $block_13 = { 8B ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? ?? 85 ?? 0F 84 } - $block_14 = { 8B ?? ?? 83 ?? ?? 33 ?? 83 ?? ?? 39 ?? ?? 0F 87 } - $block_15 = { 8B ?? ?? 8B ?? ?? 83 ?? ?? 89 ?? ?? 85 ?? 
0F 84 } - - condition: - hash.sha256(0, filesize) == "5a3684d67f5dd4bca879f376e086476dbd27689bd1c1daa6acbbde339fb6ccca" or - 12 of them -} - -rule RedOctoberPluginFileputexec { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { 0F B6 ?? ?? 0F B6 ?? 8A ?? ?? 4? 88 ?? ?? 88 ?? ?? 99 F7 ?? ?? FF 4? ?? 81 7? ?? ?? ?? ?? ?? 7C } - $block_1 = { 68 ?? ?? ?? ?? 8B ?? ?? 69 ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_2 = { 0F B6 ?? ?? 0F BE ?? ?? ?? ?? ?? 5? 0F B6 ?? 0F BE ?? ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? 5? FF D? 83 } - $block_3 = { 5? 8B ?? 5? 5? 8B ?? ?? 8A ?? ?? ?? ?? ?? 8A ?? ?? ?? ?? ?? 5? 33 ?? 89 ?? ?? 39 ?? ?? 0F 8E } - $block_4 = { 8D ?? ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? 8B ?? ?? 5? FF 1? ?? ?? ?? ?? 89 ?? ?? 83 ?? ?? ?? 0F 85 } - $block_5 = { 83 ?? ?? 33 ?? 6A ?? 5? 8B ?? F7 ?? 0F 90 ?? F7 ?? 0B ?? 5? E8 ?? ?? ?? ?? 8B ?? 5? 85 ?? 74 } - $block_6 = { 8B ?? ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? 8B ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? 83 ?? ?? ?? 0F 84 } - $block_7 = { 8B ?? ?? 8B ?? ?? 0F B6 ?? 0F B6 ?? ?? 0F B6 ?? ?? 03 ?? 03 ?? 81 E? ?? ?? ?? ?? 79 } - $block_8 = { 8B ?? ?? ?? ?? ?? 8A ?? ?? 5? 5? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 } - $block_9 = { 8B ?? ?? ?? ?? ?? 8B ?? ?? 5? 5? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 } - $block_10 = { 8B ?? ?? ?? ?? ?? 5? 5? 8A ?? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 } - $block_11 = { 8B ?? ?? ?? ?? ?? 5? 5? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 } - $block_12 = { 5? 8B ?? 5? 5? 33 ?? 5? 8B ?? ?? C7 ?? ?? ?? ?? ?? ?? 39 ?? ?? 0F 84 } - $block_13 = { 68 ?? ?? ?? ?? 8D ?? ?? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 } - $block_14 = { 88 ?? ?? 0F B6 ?? 8A ?? ?? 0F B6 ?? 03 ?? 81 E? ?? ?? ?? ?? 79 } - $block_15 = { 8B ?? ?? 5? 8B ?? ?? 5? 8D ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 } - $block_16 = { 0F B6 ?? 8A ?? ?? 30 ?? 8B ?? ?? 4? 89 ?? ?? 3B ?? ?? 7C } - $block_17 = { 5? 5? 5? 33 ?? 89 ?? ?? ?? 89 ?? ?? ?? 39 ?? ?? ?? 
0F 84 } - $block_18 = { 5? 8B ?? ?? ?? ?? ?? 5? 5? FF 7? ?? ?? FF D? 3B ?? 0F 84 } - $block_19 = { 5? 8B ?? 83 ?? ?? 89 ?? ?? C6 ?? ?? ?? 83 ?? ?? ?? 0F 84 } - $block_20 = { 8B ?? ?? 5? 5? 8B ?? 33 ?? 5? E8 ?? ?? ?? ?? C9 C3 } - $block_21 = { 8B ?? ?? 83 ?? ?? 33 ?? 83 ?? ?? 39 ?? ?? 0F 87 } - $block_22 = { 8B ?? ?? 0F B6 ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 75 } - $block_23 = { 8B ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? ?? 85 ?? 0F 84 } - $block_24 = { 8B ?? ?? 8B ?? ?? 83 ?? ?? 89 ?? ?? 85 ?? 0F 84 } - $block_25 = { 8B ?? ?? 0F B6 ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 74 } - - condition: - hash.sha256(0, filesize) == "b596d4e58b5af33fb4380d4663454f4e3196d86e18390edb8c6f77485be8e7be" or - 12 of them -} - -rule RedOctoberPluginFileInfo { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { 68 ?? ?? ?? ?? 8B ?? ?? 69 ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_1 = { 0F B6 ?? ?? 0F B6 ?? 8A ?? ?? 4? 88 ?? ?? 88 ?? ?? 99 F7 ?? ?? FF 4? ?? 81 7? ?? ?? ?? ?? ?? 7C } - $block_2 = { 5? 8B ?? 83 ?? ?? A1 ?? ?? ?? ?? 33 ?? 89 ?? ?? 5? 5? 8B ?? ?? 33 ?? 33 ?? 89 ?? ?? 3B ?? 0F 84 } - $block_3 = { 6A ?? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 } - $block_4 = { 8D ?? ?? 5? 8B ?? ?? 83 ?? ?? E8 ?? ?? ?? ?? 5? 8D ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? 85 ?? 0F 84 } - $block_5 = { 8D ?? ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? 8B ?? ?? 5? FF 1? ?? ?? ?? ?? 89 ?? ?? 83 ?? ?? ?? 0F 85 } - $block_6 = { 8B ?? ?? C1 ?? ?? 6A ?? 83 ?? ?? 5? FF 7? ?? 8B ?? 6A ?? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 88 } - $block_7 = { 5? 8B ?? 5? 5? 8B ?? ?? 8A ?? ?? ?? ?? ?? 8A ?? ?? ?? ?? ?? 5? 33 ?? 89 ?? ?? 39 ?? ?? 0F 8E } - $block_8 = { 8B ?? ?? 33 ?? 6A ?? 5? F7 ?? 0F 90 ?? F7 ?? 0B ?? 5? E8 ?? ?? ?? ?? 5? 89 ?? ?? 3B ?? 74 } - $block_9 = { 8D ?? ?? 5? 8B ?? ?? 83 ?? ?? E8 ?? ?? ?? ?? 5? 8D ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? 85 ?? 74 } - $block_10 = { 8B ?? ?? 03 ?? ?? 0F B6 ?? 0F AF ?? ?? 03 ?? ?? 89 ?? ?? 8B ?? ?? 
C1 ?? ?? 89 ?? ?? EB } - $block_11 = { 0F B6 ?? ?? 0F B6 ?? ?? C1 ?? ?? 0B ?? 8D ?? ?? 89 ?? ?? 89 ?? ?? ?? ?? ?? 3B ?? ?? 7C } - $block_12 = { 0F B6 ?? ?? 0F B6 ?? ?? 83 ?? ?? ?? C1 ?? ?? 0B ?? 33 ?? 80 F? ?? 0F 94 ?? 89 ?? ?? EB } - $block_13 = { 8B ?? ?? 8B ?? ?? 0F B6 ?? 0F B6 ?? ?? 0F B6 ?? ?? 03 ?? 03 ?? 81 E? ?? ?? ?? ?? 79 } - $block_14 = { 8B ?? ?? 89 ?? ?? ?? ?? ?? 0F B6 ?? ?? 0F B6 ?? ?? C1 ?? ?? 0B ?? 03 ?? 80 3? ?? 74 } - $block_15 = { 8B ?? ?? 03 ?? ?? 89 ?? ?? 83 ?? ?? 5? FF 7? ?? E8 ?? ?? ?? ?? 5? 5? 85 ?? 0F 85 } - $block_16 = { 8B ?? ?? ?? ?? ?? 33 ?? 5? 33 ?? 4? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C2 } - $block_17 = { 8D ?? ?? ?? ?? ?? ?? 0F B6 ?? 8A ?? ?? ?? ?? ?? 4? 88 ?? 3B ?? ?? ?? ?? ?? 75 } - $block_18 = { 8B ?? ?? ?? ?? ?? 8B ?? ?? 5? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 } - $block_19 = { 8B ?? ?? ?? ?? ?? 8B ?? ?? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 } - $block_20 = { 8B ?? ?? 8D ?? ?? 8A ?? 88 ?? ?? 0F B6 ?? 89 ?? ?? 8B ?? ?? F6 ?? ?? ?? 75 } - $block_21 = { 8B ?? ?? ?? ?? ?? 8B ?? ?? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C2 } - $block_22 = { 0F B6 ?? 8B ?? 33 ?? 83 ?? ?? 4? D3 ?? 8B ?? ?? C1 ?? ?? 8A ?? ?? 84 ?? 74 } - $block_23 = { 0F B6 ?? 33 ?? 8B ?? 83 ?? ?? 4? D3 ?? 8B ?? ?? C1 ?? ?? 8A ?? ?? 84 ?? 75 } - $block_24 = { 33 ?? 5? FF 7? ?? FF 1? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? 3B ?? 0F 85 } - $block_25 = { 0F B6 ?? ?? 0F B6 ?? ?? C1 ?? ?? 0B ?? 03 ?? 83 ?? ?? 89 ?? ?? 3B ?? ?? 7D } - $block_26 = { 0F B6 ?? ?? 0F B6 ?? ?? C1 ?? ?? 0B ?? 8B ?? 2B ?? 80 3? ?? 89 ?? ?? 72 } - $block_27 = { 0F B6 ?? ?? 0F B6 ?? ?? C1 ?? ?? 0B ?? 2B ?? 89 ?? ?? B8 ?? ?? ?? ?? E9 } - $block_28 = { 0F B6 ?? ?? 0F B6 ?? ?? 8B ?? ?? C1 ?? ?? 0B ?? 03 ?? 89 ?? ?? 3B ?? 75 } - $block_29 = { 8B ?? ?? ?? ?? ?? 5? 5? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 } - $block_30 = { 0F B6 ?? ?? 0F B6 ?? ?? C1 ?? ?? 0B ?? 89 ?? ?? 03 ?? 3B ?? ?? 0F 8C } - $block_31 = { 8B ?? ?? ?? ?? ?? 5? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? 
?? C9 C3 } - $block_32 = { 8B ?? ?? ?? ?? ?? 5? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C2 } - $block_33 = { 6A ?? 8B ?? ?? 83 ?? ?? 5? 8B ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? 85 ?? 74 } - $block_34 = { 8B ?? ?? ?? ?? ?? 33 ?? 33 ?? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C2 } - $block_35 = { 5? 8B ?? 5? 5? 33 ?? 5? 8B ?? ?? C7 ?? ?? ?? ?? ?? ?? 39 ?? ?? 0F 84 } - $block_36 = { 8D ?? ?? ?? ?? ?? ?? 0F B6 ?? 8A ?? ?? ?? ?? ?? 4? 88 ?? 3B ?? 75 } - $block_37 = { 5? 8B ?? 81 E? ?? ?? ?? ?? 5? 5? 8B ?? ?? 8B ?? 5? 3B ?? ?? 0F 83 } - $block_38 = { 5? 8B ?? 8B ?? ?? 0F B6 ?? 0F B6 ?? ?? ?? ?? ?? 5? 5? 5? 03 ?? E9 } - $block_39 = { 8B ?? ?? 8D ?? ?? 8B ?? 99 2B ?? 33 ?? D1 ?? 4? 2B ?? 8D ?? ?? EB } - $block_40 = { 0F B6 ?? ?? 0F B6 ?? ?? C1 ?? ?? 0B ?? 80 7? ?? ?? 89 ?? ?? 0F 85 } - $block_41 = { 8B ?? ?? 0F B6 ?? ?? 33 ?? 89 ?? ?? 8B ?? ?? 4? 89 ?? ?? 3B ?? 7C } - $block_42 = { 8A ?? 83 ?? ?? ?? 83 ?? ?? ?? 0F B6 ?? 89 ?? ?? 83 ?? ?? 0F 87 } - $block_43 = { 8B ?? ?? 0F B6 ?? 0F B6 ?? ?? C1 ?? ?? 0B ?? 03 ?? 3B ?? ?? 7D } - $block_44 = { 6A ?? 8B ?? ?? 5? FF 1? ?? ?? ?? ?? 89 ?? ?? 83 ?? ?? ?? 0F 84 } - $block_45 = { 88 ?? ?? 0F B6 ?? 8A ?? ?? 0F B6 ?? 03 ?? 81 E? ?? ?? ?? ?? 79 } - $block_46 = { 8B ?? ?? 5? 6A ?? FF 1? ?? ?? ?? ?? 89 ?? ?? 83 ?? ?? ?? 0F 84 } - $block_47 = { 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 86 } - $block_48 = { 8B ?? ?? 8B ?? ?? 4? 89 ?? ?? 0F B6 ?? F6 ?? ?? ?? 89 ?? ?? 74 } - $block_49 = { 8B ?? ?? 89 ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 39 ?? ?? 0F 84 } - $block_50 = { 6A ?? 6A ?? 33 ?? E8 ?? ?? ?? ?? 8B ?? 5? 5? 3B ?? ?? 0F 82 } - $block_51 = { 68 ?? ?? ?? ?? 8D ?? ?? 5? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_52 = { 8B ?? ?? 83 ?? ?? 89 ?? ?? 8B ?? ?? 0F B7 ?? 83 ?? ?? 74 } - $block_53 = { 0F B6 ?? 8A ?? ?? 30 ?? 8B ?? ?? 4? 89 ?? ?? 3B ?? ?? 7C } - $block_54 = { 8B ?? 8B ?? ?? BA ?? ?? ?? ?? 2B ?? 8D ?? ?? 3B ?? 0F 8C } - $block_55 = { 5? 5? 5? 33 ?? 89 ?? ?? ?? 89 ?? ?? ?? 39 ?? ?? ?? 0F 84 } - $block_56 = { 5? 8B ?? ?? ?? ?? 
?? 5? 5? FF 7? ?? ?? FF D? 3B ?? 0F 84 } - $block_57 = { 5? 8B ?? 83 ?? ?? 89 ?? ?? C6 ?? ?? ?? 83 ?? ?? ?? 0F 84 } - $block_58 = { 8B ?? ?? 8B ?? ?? 83 ?? ?? 33 ?? 5? E8 ?? ?? ?? ?? C9 C3 } - $block_59 = { 8B ?? ?? 8B ?? ?? 5? 5? 33 ?? 5? E8 ?? ?? ?? ?? C9 C2 } - $block_60 = { 6A ?? 5? 5? FF 7? ?? FF 1? ?? ?? ?? ?? 83 ?? ?? 0F 84 } - $block_61 = { 8B ?? ?? 0F BE ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 74 } - $block_62 = { 8B ?? 8B ?? 2B ?? ?? BE ?? ?? ?? ?? 2B ?? 3B ?? 0F 8C } - $block_63 = { 8B ?? ?? FF 4? ?? 89 ?? ?? 8B ?? ?? 3B ?? ?? 0F 8D } - $block_64 = { 8B ?? ?? 89 ?? ?? 8B ?? ?? 89 ?? ?? 83 ?? ?? 0F 85 } - $block_65 = { 8B ?? ?? 4? 89 ?? ?? 8A ?? 0F B6 ?? 83 ?? ?? 0F 8F } - $block_66 = { 8B ?? ?? 33 ?? 89 ?? ?? 39 ?? ?? ?? ?? ?? 0F 85 } - $block_67 = { 8B ?? ?? 0F B6 ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 74 } - $block_68 = { 8B ?? ?? 8B ?? ?? 8B ?? ?? FF 0? 3B ?? ?? 0F 83 } - $block_69 = { 8B ?? ?? 0F B6 ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 75 } - $block_70 = { 0F B6 ?? 0F B6 ?? ?? C1 ?? ?? 0B ?? 3B ?? ?? 74 } - - condition: - hash.sha256(0, filesize) == "c870d08388e2786bf97667bf381d8a88c2fd9f94b64dc8c5ba4b715d2a2088ab" or - 12 of them -} - -rule RedOctoberPluginMetasploit { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { 0F B6 ?? ?? 0F B6 ?? 8A ?? ?? 4? 88 ?? ?? 88 ?? ?? 99 F7 ?? ?? FF 4? ?? 81 7? ?? ?? ?? ?? ?? 7C } - $block_1 = { 0F B6 ?? ?? 0F BE ?? ?? ?? ?? ?? 5? 0F B6 ?? 0F BE ?? ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? 5? FF D? 83 } - $block_2 = { 68 ?? ?? ?? ?? 8B ?? ?? 69 ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_3 = { 68 ?? ?? ?? ?? 6A ?? 8D ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? ?? 0F BE ?? 83 ?? ?? 74 } - $block_4 = { 5? 8B ?? 5? 5? 8B ?? ?? 8A ?? ?? ?? ?? ?? 8A ?? ?? ?? ?? ?? 5? 33 ?? 89 ?? ?? 39 ?? ?? 0F 8E } - $block_5 = { 8D ?? ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? 8B ?? ?? 5? FF 1? ?? ?? ?? ?? 89 ?? ?? 83 ?? ?? ?? 0F 85 } - $block_6 = { 83 ?? ?? 33 ?? 6A ?? 5? 8B ?? F7 ?? 
0F 90 ?? F7 ?? 0B ?? 5? E8 ?? ?? ?? ?? 8B ?? 5? 85 ?? 74 } - $block_7 = { 8B ?? ?? 8B ?? ?? 0F B6 ?? 0F B6 ?? ?? 0F B6 ?? ?? 03 ?? 03 ?? 81 E? ?? ?? ?? ?? 79 } - $block_8 = { 68 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 81 C? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_9 = { 8B ?? ?? 0F B7 ?? ?? 5? 8B ?? ?? 0F B7 ?? 5? 8B ?? ?? 5? 8B ?? ?? E8 ?? ?? ?? ?? EB } - $block_10 = { E8 ?? ?? ?? ?? 99 B9 ?? ?? ?? ?? F7 ?? 89 ?? ?? E8 ?? ?? ?? ?? 25 ?? ?? ?? ?? 79 } - $block_11 = { 8B ?? ?? 89 ?? ?? 8B ?? ?? 8B ?? 89 ?? ?? 8B ?? ?? 33 ?? 83 ?? ?? ?? 0F 94 ?? 88 } - $block_12 = { 8B ?? ?? ?? ?? ?? 8B ?? ?? 5? 5? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 } - $block_13 = { 8B ?? ?? ?? ?? ?? 8A ?? ?? 5? 5? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 } - $block_14 = { 8B ?? ?? ?? ?? ?? 5? 5? 8A ?? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 } - $block_15 = { 8B ?? ?? 89 ?? ?? 8B ?? ?? 83 ?? ?? 89 ?? ?? 8B ?? ?? 0F B7 ?? 83 ?? ?? 74 } - $block_16 = { 8B ?? ?? ?? ?? ?? 5? 5? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 } - $block_17 = { 5? 8B ?? 5? 5? 33 ?? 5? 8B ?? ?? C7 ?? ?? ?? ?? ?? ?? 39 ?? ?? 0F 84 } - $block_18 = { 68 ?? ?? ?? ?? 8D ?? ?? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 } - $block_19 = { 88 ?? ?? 0F B6 ?? 8A ?? ?? 0F B6 ?? 03 ?? 81 E? ?? ?? ?? ?? 79 } - $block_20 = { 8B ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? 83 ?? ?? ?? 0F 85 } - $block_21 = { 8B ?? ?? 5? 8B ?? ?? 5? 8D ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 } - $block_22 = { 5? 8B ?? 83 ?? ?? 89 ?? ?? C6 ?? ?? ?? 83 ?? ?? ?? 0F 84 } - $block_23 = { 0F B6 ?? 8A ?? ?? 30 ?? 8B ?? ?? 4? 89 ?? ?? 3B ?? ?? 7C } - $block_24 = { 8B ?? ?? 5? FF 1? ?? ?? ?? ?? 89 ?? ?? 83 ?? ?? ?? 0F 84 } - $block_25 = { 8B ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? 83 ?? ?? ?? 0F 85 } - $block_26 = { 8B ?? ?? 5? 5? 8B ?? 33 ?? 5? E8 ?? ?? ?? ?? C9 C3 } - $block_27 = { 8B ?? ?? 83 ?? ?? 33 ?? 83 ?? ?? 39 ?? ?? 0F 87 } - $block_28 = { 8B ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? ?? 85 ?? 0F 84 } - $block_29 = { 8B ?? ?? 0F B6 ?? 5? FF 1? ?? ?? ?? ?? 
85 ?? 75 } - $block_30 = { 8B ?? ?? 8B ?? ?? 83 ?? ?? 89 ?? ?? 85 ?? 0F 84 } - $block_31 = { 8B ?? ?? 0F B6 ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 74 } - - condition: - hash.sha256(0, filesize) == "82095ecc6099be283f9e211780d7100b732fc216383e59605804b6f0734db9ba" or - 12 of them -} - -rule RedOctoberPluginOfficeBDInstaller { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { 0F B6 ?? ?? 0F BE ?? ?? ?? ?? ?? 5? 0F B6 ?? 0F BE ?? ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? 5? FF D? 83 } - $block_1 = { 83 ?? ?? 33 ?? 6A ?? 5? 8B ?? F7 ?? 0F 90 ?? F7 ?? 0B ?? 5? E8 ?? ?? ?? ?? 8B ?? 5? 85 ?? 74 } - $block_2 = { 8D ?? ?? ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 0F B6 ?? 85 ?? 0F 84 } - $block_3 = { 8D ?? ?? 5? 68 ?? ?? ?? ?? 6A ?? 8B ?? ?? 5? 8B ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 } - $block_4 = { 8B ?? ?? ?? ?? ?? 8B ?? ?? 5? 5? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 } - $block_5 = { 8B ?? ?? ?? ?? ?? 8A ?? ?? 5? 5? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 } - $block_6 = { 8B ?? ?? ?? ?? ?? 5? 5? 8A ?? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 } - $block_7 = { 8B ?? ?? ?? ?? ?? 5? 5? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 } - $block_8 = { 5? 8B ?? 5? 5? 33 ?? 5? 8B ?? ?? C7 ?? ?? ?? ?? ?? ?? 39 ?? ?? 0F 84 } - $block_9 = { 68 ?? ?? ?? ?? 8B ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? 83 ?? ?? ?? 0F 84 } - $block_10 = { 68 ?? ?? ?? ?? 8D ?? ?? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 } - $block_11 = { 8D ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 0F B6 ?? 85 ?? 0F 84 } - $block_12 = { 8B ?? ?? 5? 8B ?? ?? 5? 8D ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 } - $block_13 = { 5? 8B ?? 83 ?? ?? 89 ?? ?? C6 ?? ?? ?? 83 ?? ?? ?? 0F 84 } - $block_14 = { 5? 5? 5? 33 ?? 89 ?? ?? ?? 89 ?? ?? ?? 39 ?? ?? ?? 0F 84 } - $block_15 = { 5? 8B ?? ?? ?? ?? ?? 5? 5? FF 7? ?? ?? FF D? 3B ?? 0F 84 } - $block_16 = { 8B ?? ?? 5? 5? 8B ?? 33 ?? 5? E8 ?? ?? ?? ?? C9 C3 } - $block_17 = { 8B ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? ?? 85 ?? 
0F 84 } - $block_18 = { 8B ?? ?? 8B ?? ?? 83 ?? ?? 89 ?? ?? 85 ?? 0F 84 } - $block_19 = { 8B ?? ?? 83 ?? ?? 33 ?? 83 ?? ?? 39 ?? ?? 0F 87 } - - condition: - hash.sha256(0, filesize) == "19830a143595d6c6791da1abd4126cba59b6c71f2d535227ba36b7298d276250" or - 12 of them -} - -rule RedOctoberPluginPOP3Client { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { 8B ?? 5? 5? 5? 8B ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? BA ?? ?? ?? ?? 4? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 8B ?? A3 ?? ?? ?? ?? A3 ?? ?? ?? ?? BE ?? ?? ?? ?? BF ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 2B ?? ?? ?? ?? ?? 4? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 4? 89 ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 8B ?? A3 ?? ?? ?? ?? 8B ?? BB ?? ?? ?? ?? A3 ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? 68 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? BB ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? A3 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? 8B ?? A3 ?? ?? ?? ?? A3 ?? ?? ?? ?? 8B ?? BA ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? A3 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 4? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? A1 ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? A3 ?? ?? ?? ?? 8B ?? 03 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 
89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? BE ?? ?? ?? ?? BB ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BA ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 8B ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? BF ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BF ?? ?? ?? ?? BF ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 8B ?? BF ?? ?? ?? ?? B9 ?? ?? ?? ?? BB ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? B9 ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 8B ?? BF ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 4? FF 0? ?? ?? ?? ?? A1 ?? ?? ?? ?? B9 ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? A1 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 8B ?? 8B ?? 8B ?? A3 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 4? 8B ?? 89 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? FF 0? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? A3 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 4? FF 0? ?? ?? ?? ?? B9 ?? ?? ?? ?? B9 ?? ?? ?? ?? 8B ?? ?? ?? 
?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 8B ?? BB ?? ?? ?? ?? BE ?? ?? ?? ?? 8B ?? 2B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BE ?? ?? ?? ?? B9 ?? ?? ?? ?? BE ?? ?? ?? ?? 8B ?? 03 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? A1 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? A3 ?? ?? ?? ?? 4? A3 ?? ?? ?? ?? 8B ?? 03 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BA ?? ?? ?? ?? B9 ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? A1 ?? ?? ?? ?? BB ?? ?? ?? ?? A3 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 4? A1 ?? ?? ?? ?? BF ?? ?? ?? ?? A3 ?? ?? ?? ?? BE ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 4? 2B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? BE ?? ?? ?? ?? B8 ?? ?? ?? ?? 8B ?? 2B ?? ?? ?? ?? ?? 8B ?? 03 ?? ?? ?? ?? ?? A3 ?? ?? ?? ?? BE ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? BB ?? ?? ?? ?? BF ?? ?? ?? ?? 4? 8B ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? BE ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? BE ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BE ?? ?? ?? ?? BB ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BE ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BE ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? 8B ?? 8B ?? 2B ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? BB ?? ?? ?? ?? BB ?? ?? ?? ?? 4? BB ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? B9 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 
89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 4? 03 ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 4? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BA ?? ?? ?? ?? BB ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? BA ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? B9 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? FF D? B9 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 4? 8B ?? BB ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? BF ?? ?? ?? ?? 8B ?? 8B ?? BB ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? FF 0? ?? ?? ?? ?? 8B ?? BA ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 2B ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 8B ?? 8B ?? BF ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 4? 8B ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 4? BE ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 03 ?? ?? ?? ?? ?? 8B ?? BE ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? BE ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? 8B ?? BF ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? BE ?? ?? ?? ?? 0B ?? 0F 84 } - $block_1 = { 8B ?? 5? 5? 5? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? 
?? ?? ?? 03 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? A3 ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 03 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BF ?? ?? ?? ?? A3 ?? ?? ?? ?? 4? 8B ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? A3 ?? ?? ?? ?? BF ?? ?? ?? ?? BF ?? ?? ?? ?? B8 ?? ?? ?? ?? 4? 4? 8B ?? B9 ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 4? 8B ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? B9 ?? ?? ?? ?? 8B ?? B8 ?? ?? ?? ?? BE ?? ?? ?? ?? 4? 8B ?? 8B ?? A1 ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? BB ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? A3 ?? ?? ?? ?? B8 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? A1 ?? ?? ?? ?? FF 0? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? A1 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? FF 0? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? FF 0? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 8B ?? 4? 89 ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 4? 89 ?? ?? ?? ?? ?? 8B ?? FF 0? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 8B ?? 8B ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 03 ?? ?? ?? ?? ?? 8B ?? ?? 
?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? BE ?? ?? ?? ?? 8B ?? 03 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BE ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 4? 8B ?? 2B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? BE ?? ?? ?? ?? BF ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BE ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BA ?? ?? ?? ?? B9 ?? ?? ?? ?? 4? A3 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? A3 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 8B ?? 8B ?? 8B ?? 8B ?? FF 0? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? A1 ?? ?? ?? ?? B9 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BE ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 4? BF ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? B9 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BB ?? ?? ?? ?? A1 ?? ?? ?? ?? 8B ?? 8B ?? A1 ?? ?? ?? ?? BB ?? ?? ?? ?? BA ?? ?? ?? ?? BB ?? ?? ?? ?? A1 ?? ?? ?? ?? 8B ?? A1 ?? ?? ?? ?? B8 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? A3 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BF ?? ?? ?? ?? BE ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? FF 0? ?? ?? ?? ?? 89 ?? ?? ?? 
?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 4? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BB ?? ?? ?? ?? A3 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 8B ?? B8 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 4? BE ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? A3 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 8B ?? 2B ?? ?? ?? ?? ?? 8B ?? 8B ?? 8B ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 8B ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BE ?? ?? ?? ?? 4? 2B ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 4? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 8B ?? B9 ?? ?? ?? ?? BE ?? ?? ?? ?? BA ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? FF 0? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BF ?? ?? ?? ?? BB ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? BE ?? ?? ?? ?? BE ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 8B ?? 8B ?? BF ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 4? 89 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? BE ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 03 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 4? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? FF D? 8B ?? BA ?? ?? ?? ?? BB ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? 
?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BE ?? ?? ?? ?? BF ?? ?? ?? ?? BF ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 8B ?? 03 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 4? 89 ?? ?? ?? ?? ?? 8B ?? BA ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 4? BE ?? ?? ?? ?? BA ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? BB ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 03 ?? ?? ?? ?? ?? 8B ?? 4? 03 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? BA ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 8B ?? 0B ?? 0F 84 } - $block_2 = { 5? 8B ?? 5? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? A1 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? BA ?? ?? ?? ?? BB ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 8B ?? BE ?? ?? ?? ?? 8B ?? 03 ?? ?? ?? ?? ?? BE ?? ?? ?? ?? BA ?? ?? ?? ?? A3 ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? A3 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? A3 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? A1 ?? ?? ?? ?? A3 ?? ?? ?? ?? B9 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BE ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? 4? 8B ?? ?? ?? ?? ?? A3 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? BA ?? ?? ?? ?? BE ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? BA ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 
2B ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? 8B ?? 2B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 8B ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 4? 8B ?? BA ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? BF ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 8B ?? 4? 4? 2B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 8B ?? FF 0? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 8B ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 8B ?? ?? 2B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? BA ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? BB ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 4? 8B ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 4? 8B ?? 8B ?? 8B ?? 83 ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 8B ?? 8B ?? BE ?? ?? ?? ?? 4? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? BB ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? BF ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 8B ?? 03 ?? ?? ?? ?? ?? 
89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 4? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 85 ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 4? 8B ?? ?? ?? ?? ?? 8B ?? FF 0? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? FF 0? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 2B ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 8B ?? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BE ?? ?? ?? ?? 8B ?? 8B ?? ?? FF 0? ?? ?? ?? ?? 8B ?? FF 0? ?? ?? ?? ?? 8B ?? 8B ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BA ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 4? 89 ?? ?? ?? ?? ?? BA ?? ?? ?? ?? BA ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 8B ?? 8B ?? 89 ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 8B ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 
89 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 0F 84 } - $block_3 = { 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 4? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BF ?? ?? ?? ?? BF ?? ?? ?? ?? 8B ?? 4? 8B ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 4? 8A ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? BE ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 4? BF ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 4? 8B ?? 8B ?? 8B ?? 8B ?? 8B ?? ?? ?? ?? ?? BE ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 32 ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 8B ?? 2B ?? ?? ?? ?? ?? BF ?? ?? ?? ?? BF ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 4? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 88 ?? 8B ?? 4? 2B ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? BB ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 
BB ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? BF ?? ?? ?? ?? BF ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 4? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 8B ?? 8B ?? 03 ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? BE ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 4? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 8B ?? 03 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BE ?? ?? ?? ?? BE ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BE ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BF ?? ?? ?? ?? BB ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 8B ?? 8B ?? BF ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? BE ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 4? BE ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 8B ?? 89 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 8B ?? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 8B ?? FF 0? ?? ?? ?? ?? BF ?? ?? ?? ?? BF ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? BB ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 0B ?? 0F 85 } - $block_4 = { BA ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 8B ?? FF 0? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 4? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? 
?? ?? 4? 8B ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? BF ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 32 ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 8B ?? 03 ?? ?? ?? ?? ?? 8B ?? 8B ?? 8B ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? BB ?? ?? ?? ?? BB ?? ?? ?? ?? BF ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 0F B6 ?? 8B ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BF ?? ?? ?? ?? BF ?? ?? ?? ?? BF ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 8B ?? 03 ?? ?? ?? ?? ?? 8B ?? BF ?? ?? ?? ?? C1 ?? ?? FF 0? ?? ?? ?? ?? BF ?? ?? ?? ?? 4? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 8B ?? BF ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 4? 89 ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 4? 89 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 4? 8B ?? BB ?? ?? ?? ?? 8B ?? 4? 4? BF ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? BF ?? ?? ?? ?? FF 0? ?? ?? ?? ?? BB ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 33 ?? 
03 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? BB ?? ?? ?? ?? BF ?? ?? ?? ?? BB ?? ?? ?? ?? 8B ?? 03 ?? ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 4? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? BB ?? ?? ?? ?? 4? 0F 85 } - $block_5 = { 83 ?? ?? 89 ?? ?? ?? ?? ?? BE ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BE ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 4? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 8B ?? 8B ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BF ?? ?? ?? ?? B9 ?? ?? ?? ?? BF ?? ?? ?? ?? BF ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? B9 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 03 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? BE ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 4? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 2B ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 8B ?? 2B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 4? BB ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 5? C9 C2 } - $block_6 = { BF ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? A3 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? A3 ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 4? 2B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 4? 89 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 8B ?? 8B ?? BE ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? BA ?? ?? ?? ?? BE ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? BF ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? B8 ?? ?? ?? 
?? BA ?? ?? ?? ?? 8B ?? 2B ?? ?? ?? ?? ?? BF ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 8B ?? A3 ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? B8 ?? ?? ?? ?? 4? 89 ?? ?? ?? ?? ?? 4? 03 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 8B ?? 81 F? ?? ?? ?? ?? 0F 85 } - $block_7 = { 8B ?? 4? BB ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? B8 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 8B ?? FF 0? ?? ?? ?? ?? A3 ?? ?? ?? ?? BF ?? ?? ?? ?? BF ?? ?? ?? ?? BB ?? ?? ?? ?? BE ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? 8B ?? 8B ?? ?? ?? ?? ?? 4? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? BF ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BE ?? ?? ?? ?? FF 0? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? FF 0? ?? ?? ?? ?? B8 ?? ?? ?? ?? FF 0? ?? ?? ?? ?? A3 ?? ?? ?? ?? 8B ?? BF ?? ?? ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? BF ?? ?? ?? ?? A3 ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? BE ?? ?? ?? ?? 81 F? ?? ?? ?? ?? 0F 85 } - $block_8 = { 4? 00 ?? ?? 4? 5? 33 ?? 2E ?? 4? 4? 00 ?? 01 ?? 03 ?? ?? ?? ?? ?? ?? 0A ?? 0C ?? 0E 0F 10 ?? 12 ?? 14 ?? 16 17 18 ?? 1A ?? 1C ?? 1E 1F 20 ?? 22 ?? 24 ?? 26 ?? 28 ?? 2A ?? 2C ?? 2E ?? 30 ?? 32 ?? 34 ?? 36 ?? 38 ?? 3A ?? 3C ?? 3E ?? 4? 4? 4? 4? 4? 4? 4? 4? 4? 4? 4? 4? 4? 4? 4? 4? 5? 5? 5? 5? 5? 5? 5? 5? 5? 5? 5? 5? 5? 5? 5? 5? 60 61 62 ?? ?? 65 ?? ?? ?? ?? ?? 6B ?? ?? ?? ?? 70 } - $block_9 = { 14 ?? 16 17 18 ?? 1A ?? 1C ?? 1E 1F 20 ?? 22 ?? 24 ?? 26 ?? 28 ?? 2A ?? 2C ?? 2E ?? 30 ?? 32 ?? 34 ?? 36 ?? 38 ?? 3A ?? 3C ?? 3E ?? 4? 4? 4? 4? 4? 4? 4? 4? 4? 4? 4? 4? 4? 4? 4? 4? 5? 5? 5? 5? 5? 5? 5? 5? 5? 5? 5? 5? 5? 5? 5? 5? 60 61 62 ?? ?? 65 ?? ?? ?? ?? ?? 6B ?? ?? ?? ?? 
70 } - - condition: - hash.sha256(0, filesize) == "1ac828db983ae799edf65e6b6bef81ceffd1e2079a6e1c5e6cf969a37f956698" or - hash.sha256(0, filesize) == "c89b2bb62d13777aa6b1a4a22813e06907b26809d4745df963a760d365cc09cd" or - 10 of them -} - -rule RedOctoberPluginCollectInfo { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { 6A ?? 8B ?? 99 6A ?? 5? 5? E8 ?? ?? ?? ?? 8B ?? ?? 5? 5? E8 ?? ?? ?? ?? 8B ?? 5? 5? 85 ?? 0F 84 } - $block_1 = { 0F B6 ?? ?? 0F BE ?? ?? ?? ?? ?? 5? 0F B6 ?? 0F BE ?? ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? 5? FF D? 83 } - $block_2 = { 8B ?? ?? ?? 8D ?? ?? ?? 5? 4? 5? 68 ?? ?? ?? ?? 5? 5? 89 ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 } - $block_3 = { 5? 5? 5? 33 ?? 8D ?? ?? ?? 5? 5? 5? 5? 5? 5? 8B ?? 89 ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 } - $block_4 = { 83 ?? ?? 33 ?? 6A ?? 5? 8B ?? F7 ?? 0F 90 ?? F7 ?? 0B ?? 5? E8 ?? ?? ?? ?? 8B ?? 5? 85 ?? 74 } - $block_5 = { 8B ?? ?? 5? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 88 ?? ?? ?? ?? ?? 0F B6 ?? ?? ?? ?? ?? 85 ?? 74 } - $block_6 = { 8D ?? ?? 5? 6A ?? E8 ?? ?? ?? ?? 6A ?? 6A ?? 8B ?? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 } - $block_7 = { 6A ?? 8D ?? ?? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 8D ?? ?? 8B ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 } - $block_8 = { 8B ?? ?? ?? ?? ?? ?? 5? 5? 5? 0F B6 ?? 5? 33 ?? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C3 } - $block_9 = { 8D ?? ?? ?? 5? 5? 68 ?? ?? ?? ?? 5? 5? 89 ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_10 = { 8B ?? ?? ?? ?? ?? 8B ?? ?? 5? 5? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 } - $block_11 = { 8B ?? ?? ?? ?? ?? 8A ?? ?? 5? 5? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 } - $block_12 = { 8D ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 5? 5? 33 ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? C9 C3 } - $block_13 = { 8B ?? ?? ?? ?? ?? 5? 5? 8A ?? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 } - $block_14 = { 8B ?? ?? 6A ?? 8D ?? ?? ?? 5? 8B ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 } - $block_15 = { 8B ?? ?? 8B ?? C1 ?? ?? 5? E8 ?? ?? ?? ?? 5? 33 ?? 89 ?? ?? 
3B ?? 0F 84 } - $block_16 = { 8D ?? ?? ?? ?? ?? 5? 8B ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_17 = { 8B ?? 8B ?? ?? 8B ?? FF D? 5? 6A ?? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 0F 84 } - $block_18 = { 8B ?? ?? ?? ?? ?? 5? 5? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 } - $block_19 = { 8D ?? ?? 89 ?? ?? 8B ?? ?? E8 ?? ?? ?? ?? F6 ?? ?? ?? 89 ?? ?? 0F 84 } - $block_20 = { 8B ?? ?? ?? ?? ?? 5? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 } - $block_21 = { 68 ?? ?? ?? ?? 5? 8D ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 } - $block_22 = { 8D ?? ?? ?? 5? 68 ?? ?? ?? ?? 5? 5? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 } - $block_23 = { 8D ?? ?? ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_24 = { FF 7? ?? 8B ?? 8B ?? E8 ?? ?? ?? ?? 33 ?? 5? 89 ?? ?? 39 ?? ?? 0F 84 } - $block_25 = { 8D ?? ?? ?? 5? 5? C7 ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 } - $block_26 = { 5? 8B ?? 5? 5? 33 ?? 5? 8B ?? ?? C7 ?? ?? ?? ?? ?? ?? 39 ?? ?? 0F 84 } - $block_27 = { 8B ?? 8B ?? ?? FF D? 8D ?? ?? 5? 8B ?? E8 ?? ?? ?? ?? 84 ?? 0F 84 } - $block_28 = { 0F 95 ?? 8B ?? ?? ?? 64 ?? ?? ?? ?? ?? ?? 5? 5? 5? 5? 83 ?? ?? C2 } - $block_29 = { 8B ?? ?? ?? 83 ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 84 } - $block_30 = { 68 ?? ?? ?? ?? 8D ?? ?? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 } - $block_31 = { 8B ?? ?? ?? ?? ?? 33 ?? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 } - $block_32 = { 5? 8B ?? 5? 5? 5? 8B ?? ?? 8B ?? 0F B6 ?? ?? 33 ?? 3B ?? 0F 8E } - $block_33 = { 8B ?? ?? ?? 8B ?? 8D ?? ?? ?? 5? 5? 8B ?? ?? FF D? 85 ?? 0F 85 } - $block_34 = { 6A ?? 68 ?? ?? ?? ?? FF 3? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 84 } - $block_35 = { 8D ?? ?? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 5? 5? 85 ?? 0F 85 } - $block_36 = { 5? 6A ?? 68 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 8B ?? 85 ?? 0F 84 } - $block_37 = { 8B ?? ?? 5? 8B ?? ?? 5? 8D ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 } - $block_38 = { 8B ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 84 } - $block_39 = { 5? 8B ?? 83 ?? ?? 89 ?? ?? C6 ?? 
?? ?? 83 ?? ?? ?? 0F 84 } - $block_40 = { 5? 6A ?? E8 ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? 83 ?? ?? 0F 84 } - $block_41 = { 5? 5? 5? 8B ?? ?? ?? 33 ?? 8B ?? 89 ?? ?? ?? 3B ?? 0F 84 } - $block_42 = { 5? 5? 5? 8B ?? ?? ?? 32 ?? 8B ?? 88 ?? ?? ?? 85 ?? 0F 84 } - $block_43 = { 8D ?? ?? 5? 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 0F 85 } - $block_44 = { 6A ?? 8B ?? 2B ?? ?? 5? 5? 89 ?? ?? 5? 89 ?? ?? 0F 88 } - $block_45 = { 5? 8B ?? 83 ?? ?? 5? 8B ?? 33 ?? 5? 66 ?? ?? ?? 0F 85 } - $block_46 = { 5? 8D ?? ?? ?? 5? 5? E8 ?? ?? ?? ?? 8B ?? 3B ?? 0F 84 } - $block_47 = { 8B ?? ?? 5? 5? 33 ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? C9 C3 } - $block_48 = { 8B ?? ?? 8B ?? ?? 5? 33 ?? 5? E8 ?? ?? ?? ?? C9 C3 } - $block_49 = { 8B ?? ?? 8B ?? E8 ?? ?? ?? ?? 89 ?? ?? 3B ?? 0F 84 } - $block_50 = { FF 7? ?? 8B ?? 8B ?? E8 ?? ?? ?? ?? 5? 85 ?? 0F 85 } - $block_51 = { 8B ?? ?? 80 7? ?? ?? 8B ?? ?? 0F 95 ?? 88 ?? ?? 8B } - $block_52 = { 8B ?? ?? 5? 5? 8B ?? 33 ?? 5? E8 ?? ?? ?? ?? C9 C3 } - $block_53 = { 8B ?? ?? ?? 4? 89 ?? ?? ?? 3B ?? ?? ?? ?? ?? 0F 82 } - $block_54 = { 0F B6 ?? 8B ?? ?? 8B ?? ?? 4? 3D ?? ?? ?? ?? 0F 87 } - $block_55 = { 8B ?? ?? 33 ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? C9 C3 } - $block_56 = { 8B ?? ?? 8B ?? ?? 83 ?? ?? 89 ?? ?? 85 ?? 0F 84 } - $block_57 = { 6A ?? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 3B ?? 0F 84 } - $block_58 = { 8B ?? ?? 8B ?? 5? 33 ?? 5? E8 ?? ?? ?? ?? C9 C3 } - $block_59 = { 0F B7 ?? ?? 0F B6 ?? ?? 5? 8D ?? ?? 83 ?? ?? 7D } - $block_60 = { 8B ?? 8B ?? E8 ?? ?? ?? ?? 89 ?? ?? 3B ?? 0F 84 } - $block_61 = { 8B ?? ?? 80 7? ?? ?? C7 ?? ?? ?? ?? ?? ?? 0F 85 } - $block_62 = { 5? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 3B ?? 0F 84 } - $block_63 = { 8B ?? ?? 83 ?? ?? 33 ?? 83 ?? ?? 39 ?? ?? 0F 87 } - $block_64 = { 8B ?? ?? ?? 01 ?? ?? ?? 89 ?? ?? ?? 3B ?? 
0F 86 } - - condition: - hash.sha256(0, filesize) == "cf8b014c410edf2116fd54803ef9325c45d26d44160fa0feefa361a576aa7980" or - 24 of them -} - -rule RedOctoberPluginDocBackdoor { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { 5? 8B ?? 83 ?? ?? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? 8B ?? ?? 5? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? ?? 5? FF 1? ?? ?? ?? ?? 8D ?? ?? ?? 89 ?? ?? 8B ?? ?? 5? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? 83 ?? ?? ?? 0F 84 } - $block_1 = { 5? 8B ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 ?? 89 ?? ?? 89 ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? 8B ?? ?? 5? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 83 ?? ?? ?? 0F 84 } - $block_2 = { 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? ?? 5? 8B ?? ?? 5? 8B ?? ?? 5? 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? ?? 5? 8B ?? ?? 5? 8B ?? ?? 5? 8B ?? ?? 03 ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 8D ?? ?? 5? 8D ?? ?? 5? 68 ?? ?? ?? ?? 8B ?? ?? 5? 8B ?? ?? 5? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 } - $block_3 = { 8B ?? ?? 5? 8B ?? ?? 5? FF 1? ?? ?? ?? ?? 8B ?? ?? 2B ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 5? 6A ?? 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? ?? 5? 8B ?? ?? 03 ?? ?? ?? ?? ?? 5? 8B ?? ?? 5? 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 0F B6 ?? ?? 83 ?? ?? 75 } - $block_4 = { 8B ?? ?? 2B ?? ?? 83 ?? ?? 89 ?? ?? 8B ?? ?? 5? 8B ?? ?? 03 ?? ?? 5? 8B ?? ?? 5? 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 8D ?? ?? 5? 68 ?? ?? ?? ?? 8B ?? ?? 5? 8B ?? ?? 5? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 } - $block_5 = { 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 6A ?? 6A ?? 8D ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 6A ?? 
6A ?? 8D ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 0F B6 ?? ?? 83 ?? ?? 75 } - $block_6 = { 8D ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 83 ?? ?? 33 ?? BA ?? ?? ?? ?? F7 ?? 0F 90 ?? F7 ?? 0B ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? 83 ?? ?? ?? ?? ?? ?? 74 } - $block_7 = { 8B ?? ?? 5? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? ?? 03 ?? ?? 89 ?? ?? 8B ?? ?? 5? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 83 ?? ?? ?? 0F 84 } - $block_8 = { 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? ?? 5? FF 1? ?? ?? ?? ?? 8D ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 83 ?? ?? ?? 0F 84 } - $block_9 = { C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? 8B ?? ?? 5? 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 0F B6 ?? 85 ?? 74 } - - condition: - hash.sha256(0, filesize) == "bef87ae1f54d63f88c59f38e1725735db723b729d0dbbda2411d5b9779649415" or - 10 of them -} - -rule KillDisk { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { 8B ?? ?? ?? 8D ?? ?? ?? 5? 5? 5? 6A ?? 5? 89 ?? ?? ?? FF 1? ?? ?? ?? ?? 8B ?? ?? ?? 85 ?? 0F 84 } - $block_1 = { 8B ?? ?? ?? ?? ?? 5? FF D? 83 ?? ?? ?? 5? 0F 95 ?? ?? ?? FF 1? ?? ?? ?? ?? 80 7? ?? ?? ?? 0F 84 } - $block_2 = { 5? FF 1? ?? ?? ?? ?? 6A ?? FF 1? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 83 ?? ?? 0F 95 ?? 84 ?? 75 } - $block_3 = { 8B ?? ?? ?? 8B ?? ?? ?? 03 ?? 03 ?? 03 ?? 01 ?? ?? ?? 83 ?? ?? 83 ?? ?? 89 ?? ?? ?? 0F 82 } - $block_4 = { 8B ?? ?? ?? 8D ?? ?? ?? 5? 33 ?? 5? 5? 6A ?? 5? 89 ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 } - $block_5 = { 8B ?? ?? ?? ?? ?? ?? 85 ?? 0F 95 ?? 5? 33 ?? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C3 } - $block_6 = { 8B ?? C1 ?? ?? 8B ?? F3 ?? 8B ?? 8B ?? ?? ?? 83 ?? ?? A9 ?? ?? ?? ?? F3 ?? 0F 85 } - $block_7 = { 68 ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 
0F 84 } - $block_8 = { 8B ?? ?? ?? 5? 5? 68 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 8B ?? 3B ?? 89 ?? ?? ?? 0F 84 } - $block_9 = { 8B ?? C1 ?? ?? 8B ?? F3 ?? 8B ?? 83 ?? ?? F3 ?? FF 1? ?? ?? ?? ?? 3C ?? 0F 85 } - $block_10 = { 68 ?? ?? ?? ?? FF D? 8B ?? ?? ?? 8B ?? 83 ?? ?? 83 ?? ?? 89 ?? ?? ?? 0F 86 } - $block_11 = { 5? 5? 6A ?? 5? 6A ?? 68 ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 8B ?? 3B ?? 0F 84 } - $block_12 = { 8B ?? ?? ?? 2B ?? B8 ?? ?? ?? ?? F7 ?? C1 ?? ?? 8B ?? C1 ?? ?? 03 ?? 0F 84 } - $block_13 = { 8B ?? ?? ?? 83 ?? ?? ?? ?? 83 ?? ?? 83 ?? ?? 3B ?? ?? ?? 89 ?? ?? ?? 0F 82 } - $block_14 = { 8B ?? ?? ?? 83 ?? ?? 83 ?? ?? 83 ?? ?? 3B ?? 89 ?? ?? ?? 89 ?? ?? ?? 0F 82 } - $block_15 = { 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 5? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 } - $block_16 = { 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 5? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_17 = { 8B ?? C1 ?? ?? 8B ?? F3 ?? 8B ?? 83 ?? ?? F6 ?? ?? ?? ?? F3 ?? 0F 84 } - $block_18 = { 8B ?? ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 3B ?? 89 ?? ?? ?? 0F 84 } - $block_19 = { 89 ?? ?? ?? 8D ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 84 ?? 0F 84 } - $block_20 = { 6A ?? 6A ?? 6A ?? 32 ?? FF 1? ?? ?? ?? ?? 8B ?? 85 ?? 0F 84 } - $block_21 = { 6A ?? 6A ?? 6A ?? 6A ?? FF 1? ?? ?? ?? ?? 8B ?? 85 ?? 0F 84 } - $block_22 = { 5? 8B ?? 83 ?? ?? 83 ?? ?? 5? 5? 8B ?? ?? 85 ?? 5? 0F 84 } - $block_23 = { 0F B7 ?? ?? ?? ?? ?? 66 ?? ?? ?? ?? 83 ?? ?? 66 ?? ?? 75 } - $block_24 = { 8B ?? ?? 68 ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 } - $block_25 = { 8B ?? C1 ?? ?? F3 ?? 8B ?? 83 ?? ?? 85 ?? F3 ?? 0F 84 } - $block_26 = { 8B ?? ?? ?? 83 ?? ?? 83 ?? ?? 3B ?? 89 ?? ?? ?? 0F 82 } - $block_27 = { 8B ?? E8 ?? ?? ?? ?? 8B ?? 3B ?? 89 ?? ?? ?? 0F 84 } - $block_28 = { 8B ?? ?? ?? 3B ?? 8B ?? ?? ?? C6 ?? ?? ?? ?? 0F 87 } - $block_29 = { 5? FF 1? ?? ?? ?? ?? 83 ?? ?? 0F 95 ?? 84 ?? 0F 84 } - $block_30 = { 5? 6A ?? 6A ?? FF 1? ?? ?? ?? ?? 8B ?? 85 ?? 0F 84 } - $block_31 = { 8D ?? ?? ?? 5? 68 ?? ?? ?? ?? 5? FF D? 85 ?? 0F 84 } - $block_32 = { 0F B7 ?? 
66 ?? ?? 83 ?? ?? 83 ?? ?? 66 ?? ?? 75 } - $block_33 = { 5? FF 1? ?? ?? ?? ?? 83 ?? ?? 0F 95 ?? 84 ?? 74 } - $block_34 = { 83 ?? ?? ?? ?? 83 ?? ?? ?? ?? 8B ?? ?? ?? 0F 85 } - $block_35 = { 68 ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 } - - condition: - hash.sha256(0, filesize) == "26173c9ec8fd1c4f9f18f89683b23267f6f9d116196ed15655e9cb453af2890e" or - hash.sha256(0, filesize) == "8246f709efa922a485e1ca32d8b0d10dc752618e8b3fce4d3dd58d10e4a6a16d" or - 12 of them -} - -rule XData { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? CC 5? 8B ?? 5? 8B ?? ?? 5? 8B ?? 8B ?? ?? 5? 8B ?? ?? 3B ?? 0F 82 } - $block_1 = { 5? 5? 8D ?? ?? C7 ?? ?? ?? ?? ?? ?? 32 ?? C7 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 5? 5? 85 ?? 0F 84 } - $block_2 = { 68 ?? ?? ?? ?? 6A ?? 8D ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 33 ?? 85 ?? 5? 0F 94 ?? 5? 8B ?? 5? C3 } - $block_3 = { 8D ?? ?? 8B ?? E8 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 33 ?? ?? ?? ?? ?? 5? FF D? 85 ?? 0F 84 } - $block_4 = { 48 ?? ?? 48 ?? ?? ?? 0F 10 ?? ?? 0F 11 ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? 5? C3 } - $block_5 = { BA ?? ?? ?? ?? 8B ?? E8 ?? ?? ?? ?? 85 ?? 0F 44 ?? 8D ?? ?? E8 ?? ?? ?? ?? 8B ?? 85 ?? 74 } - $block_6 = { 68 ?? ?? ?? ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? 33 ?? 85 ?? 0F 84 } - $block_7 = { 48 ?? ?? ?? ?? 0F B6 ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 4C ?? ?? ?? ?? 48 ?? ?? ?? 5? C3 } - $block_8 = { 5? 8B ?? 5? 5? 5? 8B ?? 33 ?? 5? 33 ?? 33 ?? 0F B7 ?? ?? 8B ?? ?? ?? ?? ?? 66 ?? ?? 73 } - $block_9 = { 8D ?? ?? 89 ?? ?? 5? 6A ?? 5? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? F7 ?? 5? 1B ?? 83 } - $block_10 = { 6A ?? FF 3? 5? E8 ?? ?? ?? ?? 83 ?? ?? 6A ?? 5? 89 ?? ?? B8 ?? ?? ?? ?? 66 ?? ?? 0F 85 } - $block_11 = { 8B ?? ?? 83 ?? ?? 8B ?? ?? 4? 89 ?? ?? 89 ?? ?? 89 ?? ?? 83 ?? ?? 89 ?? ?? 85 ?? 0F 89 } - $block_12 = { 8B ?? ?? 03 ?? ?? 0F B6 ?? 8B ?? ?? 03 ?? ?? 0F B6 ?? 33 ?? 8B ?? ?? 03 ?? ?? 88 ?? EB } - $block_13 = { 5? 8B ?? 
5? 8B ?? ?? 5? 8B ?? ?? 8B ?? 83 ?? ?? 83 ?? ?? 5? 8D ?? ?? ?? ?? ?? ?? 0F 1F } - $block_14 = { 8D ?? ?? 5? FF 1? ?? ?? ?? ?? 8B ?? ?? 6A ?? 5? 4? 6A ?? 89 ?? ?? 5? 3B ?? ?? 0F 82 } - $block_15 = { 83 ?? ?? ?? 8D ?? ?? 6A ?? 6A ?? E8 ?? ?? ?? ?? 8B ?? ?? 4? 89 ?? ?? 83 ?? ?? 0F 8C } - $block_16 = { A1 ?? ?? ?? ?? 8D ?? ?? 33 ?? ?? ?? ?? ?? 6A ?? 6A ?? 5? 6A ?? FF D? 83 ?? ?? 0F 84 } - $block_17 = { 8B ?? ?? 8D ?? ?? 5? 33 ?? C7 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 84 } - $block_18 = { A1 ?? ?? ?? ?? 8B ?? 33 ?? ?? ?? ?? ?? 5? FF D? 66 ?? ?? ?? 8D ?? ?? 8D ?? ?? 0F 84 } - $block_19 = { 83 ?? ?? ?? 8D ?? ?? 0F 43 ?? ?? 33 ?? 5? 5? 6A ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 8A } - $block_20 = { 8B ?? ?? 33 ?? 2B ?? 99 C7 ?? ?? ?? ?? ?? ?? F7 ?? ?? 5? 89 ?? ?? B3 ?? 85 ?? 74 } - $block_21 = { 83 ?? ?? ?? 8D ?? ?? 0F 43 ?? ?? 33 ?? 5? 5? 5? 6A ?? E8 ?? ?? ?? ?? 83 ?? ?? 8A } - $block_22 = { 6A ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? ?? 8B ?? ?? 83 ?? ?? ?? 0F 82 } - $block_23 = { 33 ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? FF 1? ?? ?? ?? ?? 8B ?? 85 ?? 0F 84 } - $block_24 = { 48 ?? ?? ?? ?? 4D ?? ?? 48 ?? ?? ?? ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 84 ?? 0F 84 } - $block_25 = { A1 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 33 ?? ?? ?? ?? ?? 5? 5? FF D? 85 ?? 0F 84 } - $block_26 = { 33 ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 0F 84 } - $block_27 = { 83 ?? ?? ?? 8D ?? ?? 0F 43 ?? ?? 5? FF 7? ?? E8 ?? ?? ?? ?? 5? 5? 84 ?? 75 } - $block_28 = { 5? 8B ?? 81 E? ?? ?? ?? ?? 5? 5? 8B ?? 89 ?? ?? 5? 8B ?? 66 ?? ?? ?? 0F 84 } - $block_29 = { 8B ?? ?? 8B ?? ?? 8B ?? 85 ?? 8D ?? ?? 0F 45 ?? 8B ?? ?? 8D ?? ?? 85 ?? 74 } - $block_30 = { 6A ?? 68 ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? ?? 0F 85 } - $block_31 = { 81 E? ?? ?? ?? ?? 8B ?? 03 ?? 03 ?? 99 2B ?? ?? 83 ?? ?? 01 ?? 11 ?? ?? 8B } - $block_32 = { 0F B6 ?? 8D ?? ?? 33 ?? C1 ?? ?? 0F B6 ?? 33 ?? ?? ?? ?? ?? ?? 83 ?? ?? 75 } - $block_33 = { A1 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 33 ?? ?? ?? ?? ?? 5? 5? 
FF D? 85 ?? 0F 85 } - $block_34 = { 4? 8D ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? 8B ?? 89 ?? ?? 8B ?? ?? 33 ?? 0F 1F } - $block_35 = { 48 ?? ?? ?? ?? 5? 48 ?? ?? ?? 49 ?? ?? 48 ?? ?? 49 ?? ?? ?? ?? 0F 82 } - $block_36 = { 8B ?? ?? 2B ?? 8B ?? ?? 3B ?? 89 ?? ?? 0F 47 ?? 8B ?? F7 ?? 3B ?? 76 } - $block_37 = { 5? 8D ?? ?? A5 A5 A5 A5 FF 7? ?? FF 1? ?? ?? ?? ?? 8B ?? ?? 33 ?? 8D } - $block_38 = { 8B ?? ?? 33 ?? 6A ?? 5? 89 ?? ?? 8B ?? ?? 2B ?? 99 F7 ?? 85 ?? 0F 84 } - $block_39 = { 6A ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 8B ?? ?? 85 ?? 0F 84 } - $block_40 = { 8D ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 89 ?? ?? 85 ?? 0F 84 } - $block_41 = { 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 89 ?? ?? 85 ?? 0F 84 } - $block_42 = { 6A ?? 5? 8D ?? ?? ?? ?? ?? F3 ?? 8B ?? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_43 = { 5? 8B ?? 5? 8B ?? ?? 5? 8B ?? 8B ?? ?? 5? 8B ?? ?? 3B ?? 0F 82 } - $block_44 = { 6A ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 0F 84 } - $block_45 = { 4? 83 ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 3B ?? 0F 82 } - $block_46 = { 8D ?? ?? ?? ?? ?? ?? 89 ?? ?? 8D ?? ?? ?? ?? ?? 2B ?? 0F 1F } - $block_47 = { 6A ?? FF 7? ?? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 89 ?? ?? 0F 1F } - $block_48 = { FF B? ?? ?? ?? ?? E8 ?? ?? ?? ?? 5? 3D ?? ?? ?? ?? 0F 83 } - $block_49 = { 8B ?? ?? 2B ?? 99 F7 ?? ?? 8B ?? ?? 4? 89 ?? ?? 3B ?? 72 } - $block_50 = { 83 ?? ?? ?? 8D ?? ?? 8D ?? ?? 0F 43 ?? ?? 83 ?? ?? ?? 72 } - $block_51 = { A1 ?? ?? ?? ?? 33 ?? ?? ?? ?? ?? 5? FF D? 3B ?? ?? 0F 85 } - $block_52 = { 48 ?? ?? ?? ?? 5? 48 ?? ?? ?? 49 ?? ?? 4D ?? ?? 0F 84 } - $block_53 = { FF B? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 5? 85 ?? 0F 84 } - $block_54 = { 48 ?? ?? FF 1? ?? ?? ?? ?? 4C ?? ?? 48 ?? ?? 0F 84 } - $block_55 = { 49 ?? ?? 48 ?? ?? 48 ?? ?? ?? BA ?? ?? ?? ?? 0F 1F } - $block_56 = { 8D ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 85 } - $block_57 = { 5? FF 1? ?? ?? ?? ?? 83 ?? ?? 0F 95 ?? 84 ?? 0F 84 } - $block_58 = { 48 ?? ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? 0F 44 ?? 8B } - $block_59 = { 8B ?? 
41 ?? ?? 44 ?? ?? ?? 41 ?? ?? 3B ?? 0F 47 } - $block_60 = { 5? 5? 6A ?? FF 1? ?? ?? ?? ?? 8B ?? 85 ?? 0F 84 } - $block_61 = { 83 ?? ?? ?? 8D ?? ?? 8D ?? ?? 0F 43 ?? ?? 5? E8 } - - condition: - hash.sha256(0, filesize) == "d174f0c6ded55eb315320750aaa3152fc241acbfaef662bf691ffd0080327ab9" or - hash.sha256(0, filesize) == "92ad1b7965d65bfef751cf6e4e8ad4837699165626e25131409d4134f031a497" or - hash.sha256(0, filesize) == "ff07c0b13d10db6f897526dd05041bf089b1b9b706833722480309b9b22e5040" or - 12 of them -} - -rule Exaramel { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { 5? 8B ?? 8B ?? ?? 33 ?? 5? 8B ?? ?? 33 ?? 03 ?? 5? 8B ?? 2B ?? 3B ?? 8B ?? ?? 0F 47 ?? 85 ?? 74 } - $block_1 = { 8B ?? 8D ?? ?? 0F 10 ?? ?? 5? 83 ?? ?? 8B ?? 8B ?? 5? 0F 11 ?? 8B ?? ?? ?? ?? ?? FF D? 85 ?? 78 } - $block_2 = { 5? 68 ?? ?? ?? ?? 6A ?? 5? 6A ?? 6A ?? FF 7? ?? FF 1? ?? ?? ?? ?? 8B ?? 83 ?? ?? 0F 84 } - $block_3 = { 33 ?? 83 ?? ?? ?? 0F 94 ?? 89 ?? ?? 66 ?? ?? ?? 66 ?? ?? ?? 33 ?? 5? 8B ?? 5? C3 } - $block_4 = { 8D ?? ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 88 } - $block_5 = { FF 7? ?? 83 ?? ?? 83 ?? ?? 83 ?? ?? FF 1? ?? ?? ?? ?? 8B ?? ?? 89 ?? 85 ?? 0F 84 } - $block_6 = { 8B ?? ?? 8D ?? ?? 8D ?? ?? 83 ?? ?? 8D ?? ?? 83 ?? ?? 8D ?? ?? 89 ?? ?? 0F 1F } - $block_7 = { 8B ?? ?? 83 ?? ?? 0F 10 ?? ?? 8B ?? 8B ?? 5? 0F 11 ?? 8B ?? ?? ?? ?? ?? FF D? } - $block_8 = { FF 7? ?? FF D? 8B ?? 8B ?? 8B ?? ?? 33 ?? 8D ?? ?? 3B ?? 0F 47 ?? 85 ?? 74 } - $block_9 = { 5? 5? E8 ?? ?? ?? ?? 8B ?? E8 ?? ?? ?? ?? 8B ?? 6A ?? 6A ?? 85 ?? 0F 84 } - $block_10 = { 5? 6A ?? FF 1? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 33 ?? 83 ?? ?? 0F 44 } - $block_11 = { 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 84 } - $block_12 = { 8D ?? ?? ?? ?? ?? 5? FF B? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 } - $block_13 = { 5? 8B ?? 8B ?? ?? 33 ?? 8B ?? ?? 66 ?? ?? 0F B7 ?? 83 ?? ?? 75 } - $block_14 = { 8B ?? ?? 0F B7 ?? 83 ?? ?? 
5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 74 } - $block_15 = { 83 ?? ?? B8 ?? ?? ?? ?? 66 ?? ?? 0F B7 ?? 66 ?? ?? 0F 84 } - $block_16 = { 66 ?? ?? ?? ?? ?? ?? ?? ?? ?? F6 ?? ?? ?? ?? ?? ?? 0F 84 } - $block_17 = { 8D ?? ?? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 88 } - $block_18 = { 5? 6A ?? 5? FF 1? ?? ?? ?? ?? 89 ?? 85 ?? 0F 84 } - - condition: - hash.sha256(0, filesize) == "2f12fd3fb35f8690eea80dd48de98660c55df7f5c26b49d0cc82aaf3635b0c7a" or - 12 of them -} - -rule TeleBotRust { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? F2 ?? ?? ?? F2 ?? ?? ?? ?? F2 ?? ?? ?? ?? F2 ?? ?? ?? ?? F2 ?? ?? ?? ?? F2 ?? ?? ?? ?? F2 ?? ?? ?? ?? F2 ?? ?? ?? ?? F2 ?? ?? ?? ?? F2 ?? ?? ?? ?? F2 ?? ?? ?? ?? F2 ?? ?? ?? ?? F2 ?? ?? ?? ?? F2 ?? ?? ?? ?? F2 ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? 
?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? 
F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? A1 ?? ?? ?? ?? 3B ?? ?? ?? ?? ?? ?? 0F 86 } - $block_1 = { 8A ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 88 ?? ?? ?? 0F B7 ?? ?? ?? ?? ?? ?? 66 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? 8A ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? 
?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? 88 ?? ?? ?? ?? ?? ?? 88 ?? ?? ?? ?? ?? ?? 0F B7 ?? ?? ?? ?? ?? ?? 89 ?? 8B ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? 66 ?? ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? E8 ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? ?? 75 } - $block_2 = { 8D ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? 
?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? 8D ?? ?? ?? 5? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 } - $block_3 = { 07 00 ?? F8 06 00 ?? 
F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? 3F 07 00 ?? 3F 07 00 ?? F8 06 00 ?? 3F 07 00 ?? F8 06 00 ?? 3F 07 00 ?? 3F 07 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? 3F 07 00 ?? 3F 07 00 ?? 3F 07 00 ?? 3F 07 00 ?? F8 06 00 ?? 3F 07 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? F8 06 00 ?? 3F 07 00 ?? 3F 07 00 ?? 3F 07 00 ?? 81 0? ?? ?? ?? ?? 00 ?? 61 0B ?? 00 ?? ?? 00 ?? 81 0? ?? ?? ?? ?? 00 ?? 61 0B ?? 00 ?? ?? 00 ?? 61 0B ?? 00 ?? ?? 00 ?? 61 0B ?? 00 ?? ?? 00 ?? 61 0B ?? 00 ?? ?? 00 ?? 61 0B ?? 00 ?? ?? 00 ?? 61 0B ?? 00 ?? ?? 00 ?? 61 0B ?? 00 ?? ?? 00 ?? 61 0B ?? 00 ?? ?? 00 ?? 61 0B ?? 00 ?? ?? 00 ?? 61 0B ?? 00 ?? ?? 00 ?? B7 ?? 00 ?? 61 0B ?? 00 ?? ?? 00 ?? 61 0B ?? 00 ?? ?? 00 ?? 61 0B ?? 00 ?? ?? 00 ?? 61 0B ?? 00 ?? ?? 00 ?? 61 0B ?? 00 ?? ?? 00 ?? 61 0B ?? 00 ?? ?? ?? ?? ?? 0B ?? 00 ?? ?? 00 ?? 61 0B ?? 00 ?? ?? 00 ?? 61 0B ?? 00 ?? ?? 00 ?? 61 0B ?? 00 ?? ?? 00 ?? 61 0B ?? 00 ?? ?? 00 ?? 5? 0B ?? 00 ?? ?? 00 ?? 61 0B ?? 00 ?? ?? 00 ?? 61 0B ?? 00 ?? ?? ?? ?? ?? 0B ?? 00 ?? ?? 00 ?? 61 0B ?? 00 ?? ?? 00 ?? 61 0B ?? 00 ?? ?? 00 ?? 61 0B ?? 00 ?? ?? 00 ?? 61 0B ?? 00 ?? ?? 00 ?? 61 0B ?? 00 ?? ?? 00 ?? 61 0B ?? 00 ?? ?? 00 ?? 61 0B ?? 00 ?? ?? 00 ?? 61 0B ?? 00 ?? ?? 00 ?? 61 0B ?? 00 ?? ?? 00 ?? 61 0B ?? 00 ?? ?? 00 ?? 61 0B ?? 00 ?? ?? 00 ?? 61 0B ?? 00 ?? ?? 00 ?? 61 0B ?? 00 ?? ?? 00 ?? B7 ?? 00 ?? 73 } - $block_4 = { F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? 
?? ?? 89 ?? ?? ?? ?? ?? ?? 8A ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? 88 ?? ?? ?? 0F B7 ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? 66 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 8A ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? 66 ?? ?? ?? ?? 66 ?? ?? ?? ?? ?? ?? ?? ?? 66 ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? 66 ?? ?? ?? ?? ?? ?? ?? ?? 66 ?? ?? ?? ?? 66 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? 88 ?? ?? ?? ?? ?? ?? 8A ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? 88 ?? ?? ?? ?? ?? ?? 0F B7 ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? 66 ?? ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 84 } - $block_5 = { E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? ?? ?? 8B ?? ?? ?? 8B ?? ?? ?? 8B ?? ?? ?? 8B ?? ?? ?? C1 ?? ?? 89 ?? ?? ?? 89 ?? 0B ?? ?? ?? 31 ?? 89 ?? ?? ?? 8B ?? ?? ?? 89 ?? ?? 8B ?? ?? ?? 31 ?? 8B ?? ?? ?? 01 ?? 11 ?? 0F A4 ?? ?? 0F A4 ?? ?? 
89 ?? 31 ?? 8B ?? ?? ?? 31 ?? 89 ?? ?? ?? 8B ?? ?? ?? 01 ?? 89 ?? ?? ?? 8B ?? ?? 11 ?? 89 ?? ?? ?? 89 ?? 0F A4 ?? ?? 0F A4 ?? ?? 8B ?? ?? ?? 33 ?? ?? ?? 33 ?? ?? ?? 01 ?? 11 ?? 89 ?? ?? 89 ?? 0F A4 ?? ?? 0F A4 ?? ?? 8B ?? ?? ?? 33 ?? ?? 31 ?? 01 ?? ?? ?? 89 ?? ?? ?? 89 ?? 11 ?? 33 ?? ?? ?? 0F A4 ?? ?? 0F A4 ?? ?? 8B ?? ?? 33 ?? ?? ?? 31 ?? 35 ?? ?? ?? ?? 89 ?? ?? ?? 89 ?? 33 ?? ?? ?? 01 ?? 89 ?? ?? ?? 11 ?? 0F A4 ?? ?? 0F A4 ?? ?? 8B ?? ?? ?? 31 ?? 8B ?? ?? ?? 89 ?? ?? 33 ?? ?? 01 ?? 89 ?? 11 ?? ?? ?? 89 ?? ?? ?? 0F A4 ?? ?? 0F A4 ?? ?? 8B ?? ?? ?? 33 ?? ?? ?? 31 ?? 01 ?? ?? 89 ?? 11 ?? 0F A4 ?? ?? 0F A4 ?? ?? 8B ?? ?? ?? 31 ?? 33 ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? 01 ?? 11 ?? ?? ?? 0F A4 ?? ?? 0F A4 ?? ?? 89 ?? ?? ?? 8B ?? ?? ?? 31 ?? 8B ?? ?? ?? 31 ?? 01 ?? ?? 89 ?? 89 ?? 11 ?? 0F A4 ?? ?? 0F A4 ?? ?? 31 ?? 33 ?? ?? 01 ?? 89 ?? ?? ?? 89 ?? ?? ?? 8B ?? ?? ?? 89 ?? 8B ?? ?? ?? 89 ?? 11 ?? 0F A4 ?? ?? 89 ?? ?? ?? 0F A4 ?? ?? 31 ?? 8B ?? ?? ?? 31 ?? 89 ?? 01 ?? 11 ?? ?? 0F A4 ?? ?? 0F A4 ?? ?? 89 ?? ?? ?? 33 ?? ?? 31 ?? 8B ?? ?? ?? 01 ?? 89 ?? ?? ?? 8B ?? ?? ?? 89 ?? 11 ?? 0F A4 ?? ?? 89 ?? ?? ?? 0F A4 ?? ?? 31 ?? 8B ?? ?? ?? 31 ?? 89 ?? 01 ?? 11 ?? ?? 0F A4 ?? ?? 0F A4 ?? ?? 89 ?? 8B ?? ?? ?? 31 ?? 33 ?? ?? 01 ?? ?? ?? 89 ?? 11 ?? 03 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 11 ?? 8B ?? ?? ?? 8B ?? ?? 89 ?? ?? 85 ?? 0F 84 } - $block_6 = { 5? 8B ?? ?? ?? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? 8B ?? ?? ?? 85 ?? BF ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? 0F 45 ?? 0F 44 ?? 8B ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? 0B ?? ?? ?? 0B ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 8B ?? ?? 89 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? 8B ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 8B ?? ?? 8B ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? 
?? ?? C6 ?? ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? ?? 66 ?? ?? ?? ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 89 ?? E8 ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? ?? 75 } - $block_7 = { B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 ?? 5? 5? E8 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 ?? 5? 6A ?? E8 ?? ?? ?? ?? 8B ?? ?? ?? 5? 5? E8 ?? ?? ?? ?? 5? 6A ?? E8 ?? ?? ?? ?? 89 ?? 5? 5? E8 ?? ?? ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? B9 ?? ?? ?? ?? BA ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? BA ?? ?? ?? ?? 89 ?? E8 ?? ?? ?? ?? B9 ?? ?? ?? ?? BA ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 ?? E8 ?? ?? ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? ?? E8 ?? ?? ?? ?? 89 ?? E8 ?? ?? ?? ?? 89 ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 ?? E8 ?? ?? ?? ?? 4? 31 ?? 89 ?? E8 ?? ?? ?? ?? B9 ?? ?? ?? ?? BA ?? ?? ?? ?? 5? 6A ?? 6A ?? E8 ?? ?? ?? ?? 89 ?? E8 ?? ?? ?? ?? 89 ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 ?? E8 ?? ?? ?? ?? 0F 1F ?? 8C ?? 00 ?? B6 ?? 00 ?? 
9E 1F 00 ?? A3 ?? ?? ?? ?? 1F 00 ?? 9A ?? ?? ?? ?? ?? ?? 00 ?? ?? 00 ?? 5? 21 ?? 00 ?? ?? 00 ?? EE 21 ?? 00 ?? ?? ?? ?? ?? 21 ?? 00 ?? 21 ?? 00 ?? 22 ?? 00 ?? ?? 00 } - $block_8 = { 5? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? ?? ?? ?? ?? ?? 0F 10 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 66 ?? ?? ?? ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 89 ?? 0F B7 ?? 31 ?? 0F 11 ?? ?? ?? ?? ?? ?? 81 E? ?? ?? ?? ?? 83 ?? ?? B9 ?? ?? ?? ?? 0F 45 ?? 0F 94 ?? 8D ?? ?? ?? ?? ?? ?? 09 ?? 89 ?? 8B ?? ?? F2 ?? ?? ?? ?? F2 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? 89 ?? ?? F2 ?? ?? ?? ?? F2 ?? ?? ?? 66 ?? ?? ?? ?? ?? ?? ?? ?? 66 ?? ?? ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 66 ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? 66 ?? ?? ?? ?? 66 ?? ?? ?? ?? ?? ?? ?? ?? 66 ?? ?? ?? ?? ?? ?? ?? 66 ?? ?? ?? 66 ?? ?? ?? 66 ?? ?? ?? 66 ?? ?? ?? ?? ?? ?? ?? 66 ?? ?? ?? ?? 66 ?? ?? ?? 66 ?? ?? ?? 66 ?? ?? ?? ?? 66 ?? ?? ?? 66 ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? 66 ?? ?? ?? F3 ?? ?? ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? ?? F2 ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? F2 ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? ?? ?? ?? 5? 5? 8D ?? ?? ?? ?? ?? ?? 5? FF 5? ?? 83 ?? ?? 83 ?? ?? ?? ?? ?? ?? ?? 0F 84 } - $block_9 = { B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D ?? ?? B9 ?? ?? ?? ?? BA ?? ?? ?? ?? 5? 5? E8 ?? ?? ?? ?? B9 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? B9 ?? ?? ?? ?? BA ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 ?? 5? 6A ?? E8 ?? ?? ?? ?? B9 ?? ?? ?? ?? BA ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 ?? 89 ?? E8 ?? ?? ?? ?? 8B ?? ?? ?? 5? 6A ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? ?? 5? 6A ?? E8 ?? ?? ?? ?? 66 ?? A6 03 ?? 
00 ?? 02 ?? 00 ?? 02 ?? 00 ?? 02 ?? 00 ?? 02 ?? 00 ?? 02 ?? 00 ?? 02 ?? 00 ?? 02 ?? 00 ?? 02 ?? 00 ?? 02 ?? 00 ?? 02 ?? 00 ?? 02 ?? 00 ?? ?? ?? ?? ?? 02 ?? 00 ?? 02 ?? 00 ?? 02 ?? 00 ?? 02 ?? 00 ?? 02 ?? 00 ?? 02 ?? 00 ?? 02 ?? 00 ?? 02 ?? 00 ?? 02 ?? 00 ?? 02 ?? 00 ?? 02 ?? 00 ?? 02 ?? 00 ?? 02 ?? 00 ?? 02 ?? 00 ?? 02 ?? 00 ?? ?? ?? ?? ?? 03 ?? 00 ?? ?? ?? ?? ?? 00 ?? 00 ?? ?? ?? ?? ?? 00 ?? 00 ?? ?? ?? ?? ?? 00 ?? 00 ?? ?? ?? ?? ?? 00 ?? 00 ?? ?? ?? ?? ?? 00 ?? 00 ?? ?? ?? ?? ?? 00 ?? 00 ?? ?? ?? ?? ?? 00 ?? 00 ?? ?? ?? ?? ?? 00 ?? 00 ?? ?? ?? ?? ?? 00 ?? 00 ?? ?? ?? ?? ?? 00 ?? 00 ?? ?? ?? ?? ?? 00 ?? 00 ?? ?? ?? ?? ?? 00 ?? 00 ?? ?? ?? ?? ?? 00 ?? 00 ?? ?? ?? ?? ?? 00 ?? 00 ?? ?? ?? ?? ?? 01 ?? 00 ?? ?? 00 ?? 9? 06 00 ?? 9? 06 00 ?? 9? 06 00 ?? 9? 06 00 ?? 9? 06 00 ?? 9? 06 00 ?? 9? 06 00 ?? 9? 06 00 ?? 9? 06 00 ?? 9? 06 00 ?? 7E } - - condition: - hash.sha256(0, filesize) == "1672b944cf80cc2b3f837a78988a335072e197104acb5bb8148834c37ce72c85" or - 10 of them -} - -rule CredRaptor { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { 8B ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 99 03 ?? 89 ?? ?? ?? ?? ?? 13 ?? 85 ?? 74 } - $block_1 = { 33 ?? C6 ?? ?? ?? 66 ?? ?? ?? 8B ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? 83 ?? ?? 0F 82 } - $block_2 = { 8B ?? ?? 8B ?? ?? 8B ?? ?? 0F B7 ?? ?? 8B ?? ?? 89 ?? ?? 8B ?? ?? 89 ?? ?? 89 ?? ?? 39 ?? ?? 7F } - $block_3 = { 8D ?? ?? ?? 8B ?? ?? ?? ?? ?? 2B ?? 5? 6A ?? 03 ?? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 84 } - $block_4 = { 5? 8B ?? 5? 8B ?? ?? 0F B7 ?? ?? 8B ?? 83 ?? ?? 0F B6 ?? ?? ?? ?? ?? 5? 4? 5? 5? 83 ?? ?? 0F 87 } - $block_5 = { 5? 5? 8D ?? ?? ?? ?? ?? 5? 8B ?? ?? 8D ?? ?? ?? ?? ?? 5? 5? 5? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_6 = { 0F B7 ?? ?? 8B ?? ?? ?? ?? ?? 4? 5? 8B ?? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? ?? ?? ?? 85 ?? 0F 85 } - $block_7 = { 8B ?? ?? 8B ?? ?? 8B ?? 8B ?? ?? 5? 5? 5? 89 ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 85 ?? 
0F 84 } - $block_8 = { 5? 8B ?? 83 ?? ?? 5? 5? 8B ?? ?? 89 ?? ?? 8B ?? ?? 33 ?? 89 ?? ?? 89 ?? ?? 89 ?? ?? 39 ?? 0F 8E } - $block_9 = { 8B ?? C7 ?? ?? ?? ?? ?? ?? 99 0F 57 ?? 66 ?? ?? ?? ?? ?? 66 ?? ?? ?? ?? 89 ?? ?? 8D ?? ?? 89 } - $block_10 = { 85 ?? 0F 95 ?? 8B ?? ?? 64 ?? ?? ?? ?? ?? ?? 5? 5? 8B ?? ?? 33 ?? E8 ?? ?? ?? ?? 8B ?? 5? C2 } - $block_11 = { 8B ?? 0F B7 ?? ?? C1 ?? ?? 83 ?? ?? 89 ?? ?? 8B ?? E8 ?? ?? ?? ?? 8B ?? 89 ?? ?? 85 ?? 0F 84 } - $block_12 = { 8B ?? ?? 5? 8B ?? E8 ?? ?? ?? ?? 0F BF ?? ?? 8B ?? ?? 8B ?? ?? 83 ?? ?? 83 ?? ?? 39 ?? ?? 7F } - $block_13 = { 5? 8B ?? 83 ?? ?? 0F B6 ?? ?? ?? ?? ?? 5? 8B ?? F7 ?? ?? ?? ?? ?? ?? 89 ?? ?? 89 ?? ?? 0F 84 } - $block_14 = { 8B ?? ?? ?? ?? ?? 6A ?? 8D ?? ?? ?? ?? ?? 5? 6A ?? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 } - $block_15 = { 8D ?? ?? ?? ?? ?? ?? 8D ?? ?? ?? DD ?? ?? ?? ?? ?? 8B ?? ?? DD ?? ?? ?? ?? ?? 83 ?? ?? 0F 84 } - $block_16 = { 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 88 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 3B ?? ?? 0F 84 } - $block_17 = { 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? 5? FF 1? ?? ?? ?? ?? 8B ?? 89 ?? ?? 85 ?? 0F 84 } - $block_18 = { 8B ?? ?? ?? ?? ?? C1 ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 89 ?? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_19 = { 6A ?? FF B? ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? BA ?? ?? ?? ?? 85 ?? 0F 45 ?? 80 3? ?? 75 } - $block_20 = { 85 ?? 0F B6 ?? 68 ?? ?? ?? ?? BA ?? ?? ?? ?? 5? 0F 44 ?? FF 1? ?? ?? ?? ?? FF 7? ?? FF 1? } - $block_21 = { 8D ?? ?? BA ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? 5? 5? 8B ?? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 84 } - $block_22 = { 8B ?? ?? 8D ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 89 ?? ?? 85 ?? 0F 84 } - $block_23 = { 8B ?? ?? 8B ?? ?? 0F B6 ?? ?? 8B ?? ?? 89 ?? ?? 8B ?? ?? F6 ?? ?? ?? 89 ?? ?? 89 ?? ?? 74 } - $block_24 = { 5? 8B ?? 8B ?? ?? 5? 5? 8B ?? 0F B7 ?? ?? 83 ?? ?? 0F B6 ?? ?? ?? ?? ?? 4? 83 ?? ?? 0F 87 } - $block_25 = { 5? 8B ?? 83 ?? ?? 8B ?? ?? 8B ?? 33 ?? 5? 33 ?? 89 ?? ?? 89 ?? ?? 89 ?? ?? 38 ?? ?? 
0F 85 } - $block_26 = { 8B ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? ?? 83 ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? 85 ?? 0F 84 } - $block_27 = { 8B ?? ?? 8B ?? ?? ?? ?? ?? 4? 83 ?? ?? 89 ?? ?? 89 ?? ?? ?? ?? ?? 3B ?? ?? ?? ?? ?? 0F 8C } - $block_28 = { 8B ?? ?? 8B ?? ?? 66 ?? ?? ?? 66 ?? ?? ?? ?? 8D ?? ?? 66 ?? ?? ?? 0F B7 ?? ?? 84 ?? 79 } - $block_29 = { 5? 8B ?? 8B ?? ?? 5? 5? 0F B7 ?? ?? 03 ?? ?? 8B ?? 0F B7 ?? ?? 8B ?? ?? 03 ?? 3B ?? 77 } - $block_30 = { 8D ?? ?? 8B ?? E8 ?? ?? ?? ?? 8B ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? ?? 83 ?? ?? 85 ?? 0F 84 } - $block_31 = { 8B ?? 5? 0F BF ?? ?? 89 ?? ?? 5? 8B ?? ?? 4? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 85 ?? 74 } - $block_32 = { 8B ?? ?? ?? ?? ?? 33 ?? 3B ?? 0F 94 ?? 5? 8D ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 } - $block_33 = { 8B ?? ?? 8D ?? ?? 0F B6 ?? ?? 5? 8B ?? 83 ?? ?? 5? 8D ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? E9 } - $block_34 = { 5? 8B ?? 83 ?? ?? 5? 8B ?? ?? 5? 8B ?? 0F B7 ?? ?? 83 ?? ?? 80 B? ?? ?? ?? ?? ?? 0F 84 } - $block_35 = { 33 ?? 8B ?? E8 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 84 } - $block_36 = { 8D ?? ?? ?? ?? ?? 5? FF B? ?? ?? ?? ?? 5? 6A ?? FF B? ?? ?? ?? ?? FF D? 85 ?? 0F 84 } - $block_37 = { 03 ?? ?? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 8B ?? ?? ?? ?? ?? 03 ?? 85 ?? 0F 84 } - $block_38 = { 8B ?? ?? 0F BF ?? ?? 8B ?? ?? 03 ?? 8D ?? ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? 85 ?? 0F 84 } - $block_39 = { 5? 8B ?? 83 ?? ?? 8B ?? ?? 5? 8B ?? ?? 8B ?? ?? 03 ?? ?? 5? 8B ?? ?? 89 ?? ?? 0F 84 } - $block_40 = { 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? 5? FF 1? ?? ?? ?? ?? 8B ?? 85 ?? 0F 84 } - $block_41 = { 8B ?? ?? 8B ?? ?? 8B ?? ?? 8B ?? ?? 89 ?? ?? 0F BF ?? ?? 33 ?? 89 ?? ?? 85 ?? 7E } - $block_42 = { 8B ?? ?? 8B ?? ?? 8B ?? 8B ?? ?? 4? 5? 8B ?? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 } - $block_43 = { 0F B6 ?? 89 ?? ?? 8B ?? ?? ?? ?? ?? 33 ?? 66 ?? ?? ?? 89 ?? 39 ?? ?? ?? ?? ?? 73 } - $block_44 = { 8B ?? ?? 8B ?? ?? 8B ?? ?? 8B ?? ?? 8D ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 } - $block_45 = { 8B ?? ?? 33 ?? 
B9 ?? ?? ?? ?? 89 ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 8B ?? 3B ?? 0F 84 } - $block_46 = { 68 ?? ?? ?? ?? 6A ?? 5? 8B ?? 8B ?? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 84 } - $block_47 = { 0F B6 ?? ?? ?? ?? ?? 84 ?? B9 ?? ?? ?? ?? 0F 45 ?? A2 ?? ?? ?? ?? 84 ?? 0F 84 } - $block_48 = { 8D ?? ?? C7 ?? ?? ?? ?? ?? ?? 5? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 95 ?? 84 ?? 74 } - $block_49 = { 6A ?? 83 ?? ?? 8B ?? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 8B ?? 89 ?? ?? 0B ?? 0F 84 } - $block_50 = { 8B ?? ?? 5? 5? 83 ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 89 ?? ?? 85 ?? 0F 84 } - $block_51 = { 6A ?? 6A ?? 8B ?? E8 ?? ?? ?? ?? 33 ?? 83 ?? ?? 84 ?? 0F 95 ?? 8B ?? 85 ?? 74 } - $block_52 = { C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 88 ?? ?? ?? ?? ?? 3B ?? 0F 84 } - $block_53 = { 8B ?? ?? 8B ?? 0F B7 ?? ?? 8B ?? ?? 83 ?? ?? 0F B6 ?? ?? ?? ?? ?? 83 ?? ?? 75 } - $block_54 = { 33 ?? 8B ?? E8 ?? ?? ?? ?? 8B ?? ?? 33 ?? C7 ?? ?? ?? ?? ?? ?? 39 ?? ?? 0F 8E } - $block_55 = { 5? 8B ?? 0F BE ?? ?? 83 ?? ?? 83 ?? ?? 5? 5? 5? 8B ?? 8B ?? 83 ?? ?? 0F 87 } - $block_56 = { 8D ?? ?? 89 ?? ?? 0F AF ?? C1 ?? ?? E8 ?? ?? ?? ?? 8B ?? 89 ?? ?? 85 ?? 75 } - $block_57 = { 0F B7 ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 89 ?? ?? 85 ?? 0F 84 } - $block_58 = { 0F B7 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? 85 ?? 75 } - $block_59 = { 8A ?? ?? 2C ?? 4? 0F B6 ?? 8B ?? 8D ?? ?? 8D ?? ?? 89 ?? 8B ?? 8D ?? ?? 66 } - $block_60 = { 5? 5? 8D ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? ?? 8D ?? ?? 0F 43 ?? ?? 8D } - $block_61 = { 8B ?? ?? 8B ?? 8B ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 5? FF D? 85 ?? 0F 85 } - $block_62 = { 8B ?? ?? 8B ?? ?? 33 ?? 85 ?? 0F 95 ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 75 } - $block_63 = { 8B ?? ?? 0F B7 ?? ?? 8B ?? ?? 8B ?? ?? 8B ?? E8 ?? ?? ?? ?? 80 7? ?? ?? 74 } - $block_64 = { 8B ?? ?? 0F BF ?? ?? 8D ?? ?? 8B ?? ?? 8B ?? ?? 8B ?? ?? 89 ?? ?? 85 ?? 74 } - $block_65 = { 6A ?? B8 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 } - $block_66 = { 8B ?? ?? 8B ?? ?? ?? ?? ?? 
83 ?? ?? ?? ?? ?? ?? 4? 89 ?? ?? 3B ?? ?? 0F 8C } - $block_67 = { 8B ?? ?? 8D ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 3B ?? 0F 84 } - $block_68 = { 8D ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 85 ?? 0F 8E } - $block_69 = { 8B ?? ?? 8B ?? ?? 8B ?? ?? 03 ?? 8B ?? ?? 89 ?? ?? 89 ?? ?? 85 ?? 0F 84 } - $block_70 = { 8B ?? ?? 8B ?? ?? B9 ?? ?? ?? ?? 01 ?? ?? 01 ?? ?? 89 ?? ?? 3B ?? 0F 85 } - $block_71 = { 8D ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 84 } - $block_72 = { 83 ?? ?? ?? 8D ?? ?? 0F 43 ?? ?? 89 ?? ?? ?? ?? ?? 8A ?? 3C ?? 0F 84 } - $block_73 = { 6A ?? 83 ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 0B ?? 89 ?? ?? 0F 84 } - $block_74 = { 8B ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 3B ?? ?? ?? ?? ?? 0F 83 } - $block_75 = { 0F B7 ?? ?? 33 ?? 8B ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 0F 1F } - $block_76 = { 8D ?? ?? ?? ?? ?? 5? FF B? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 } - $block_77 = { 8D ?? ?? C7 ?? ?? ?? ?? ?? 3B ?? C7 ?? ?? ?? ?? ?? 0F 94 ?? 84 ?? 75 } - $block_78 = { 8D ?? ?? ?? ?? ?? 5? FF B? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_79 = { 5? 8B ?? ?? 5? 0F B6 ?? ?? 33 ?? 89 ?? ?? 89 ?? ?? 66 ?? ?? ?? 0F 83 } - $block_80 = { 8B ?? ?? 6A ?? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 } - $block_81 = { E8 ?? ?? ?? ?? 0F B7 ?? B9 ?? ?? ?? ?? 66 ?? ?? 0F 94 ?? 84 ?? 75 } - $block_82 = { B9 ?? ?? ?? ?? B8 ?? ?? ?? ?? 3B ?? 0F 44 ?? 89 ?? ?? ?? ?? ?? EB } - $block_83 = { 8B ?? 0F BF ?? ?? 8B ?? ?? ?? 01 ?? ?? ?? ?? ?? F6 ?? ?? ?? ?? 74 } - $block_84 = { 5? 5? 8D ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? ?? 8D ?? ?? 0F 43 ?? ?? 8D } - $block_85 = { 6A ?? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 } - $block_86 = { 8B ?? ?? 8D ?? ?? 8B ?? ?? 83 ?? ?? 0F 43 ?? 80 7? ?? ?? 74 } - $block_87 = { 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? CC 8B ?? 83 ?? ?? 3B ?? ?? 74 } - $block_88 = { 66 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 0F 95 ?? 83 ?? ?? 72 } - $block_89 = { 8B ?? ?? 33 ?? 38 ?? ?? 8B ?? ?? ?? 0F 94 ?? 3B ?? 
0F 84 } - $block_90 = { FF B? ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 83 ?? ?? 0F 85 } - $block_91 = { 4? 89 ?? 8B ?? ?? 8B ?? 8D ?? ?? 89 ?? 88 ?? 0F B6 ?? EB } - $block_92 = { 6A ?? 6A ?? 5? FF 1? ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 } - $block_93 = { 5? 8B ?? 83 ?? ?? 80 B? ?? ?? ?? ?? ?? 5? 5? 5? 0F 85 } - $block_94 = { 8B ?? ?? ?? 8A ?? ?? 8B ?? 89 ?? ?? ?? F6 ?? ?? 0F 85 } - $block_95 = { E8 ?? ?? ?? ?? 0F B7 ?? 66 ?? ?? 0F 94 ?? 84 ?? 75 } - $block_96 = { 8B ?? ?? 8B ?? 2B ?? ?? F6 ?? ?? ?? 89 ?? ?? 0F 84 } - $block_97 = { 8B ?? C7 ?? ?? ?? ?? ?? ?? 8D ?? ?? 89 ?? ?? 0F 1F } - $block_98 = { FE ?? 88 ?? ?? 0F B6 ?? 8B ?? ?? ?? 89 ?? ?? EB } - $block_99 = { 4? 83 ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 85 ?? 0F 8F } - - condition: - hash.sha256(0, filesize) == "b0df1c855db31dd29a1e9b40f8360e5036e848e023741e05114d46b7359ff6f6" or - hash.sha256(0, filesize) == "50b990f6555055a265fde98324759dbc74619d6a7c49b9fd786775299bf77d26" or - 12 of them -} - -rule Keylogger { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { 40 ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? B9 ?? ?? ?? ?? B8 ?? ?? ?? ?? F3 ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? 33 ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? 33 ?? 48 ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? 33 ?? 48 ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 } - $block_1 = { E8 ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? B9 ?? ?? ?? ?? F3 ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 
C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 0F B7 ?? 85 ?? 75 } - $block_2 = { 88 ?? ?? ?? 5? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? B9 ?? ?? ?? ?? B8 ?? ?? ?? ?? F3 ?? 0F B6 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? 33 ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? ?? ?? ?? ?? ?? 83 ?? ?? 75 } - $block_3 = { 44 ?? ?? ?? ?? 4C ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 5? 5? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? B9 ?? ?? ?? ?? B8 ?? ?? ?? ?? F3 ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? 85 ?? 75 } - $block_4 = { 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? 2D ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? ?? 0F 87 } - $block_5 = { 0F B6 ?? ?? ?? ?? ?? ?? 83 ?? ?? 48 ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? E9 } - $block_6 = { 0F B6 ?? ?? ?? ?? ?? ?? 83 ?? ?? 48 ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? EB } - $block_7 = { 88 ?? ?? ?? 5? 48 ?? ?? ?? 48 ?? ?? B9 ?? ?? ?? ?? B8 ?? ?? ?? ?? F3 ?? 0F B6 ?? ?? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 0F 84 } - $block_8 = { 48 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 0F B7 ?? ?? ?? 83 ?? ?? 74 } - $block_9 = { 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? ?? 
0F 84 } - - condition: - hash.sha256(0, filesize) == "e3f134ae88f05463c4707a80f956a689fba7066bb5357f6d45cba312ad0db68e" or - 10 of them -} - -rule Telebot_Downloader { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { 8B ?? ?? ?? 8A ?? ?? ?? 0F B7 ?? ?? ?? C1 ?? ?? 83 ?? ?? ?? ?? 88 ?? ?? ?? 66 ?? ?? ?? ?? 0F 85 } - $block_1 = { BB ?? ?? ?? ?? 89 ?? 29 ?? 89 ?? ?? ?? 89 ?? 83 ?? ?? 29 ?? 89 ?? ?? ?? 89 ?? ?? ?? 39 ?? 0F 83 } - $block_2 = { 0F B6 ?? 8B ?? ?? ?? 4? 89 ?? ?? ?? 8A ?? ?? ?? ?? ?? 85 ?? 88 ?? ?? ?? ?? ?? ?? 88 ?? ?? ?? 74 } - $block_3 = { 66 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 85 ?? 0F 94 ?? 39 ?? 0F 94 ?? 08 ?? 80 F? ?? 88 ?? ?? ?? 74 } - $block_4 = { 0F 1F ?? ?? ?? 5? 5? 5? 5? 83 ?? ?? 8B ?? ?? ?? BA ?? ?? ?? ?? 8B ?? ?? 89 ?? F7 ?? 89 ?? 0F 80 } - $block_5 = { 8B ?? ?? ?? 8D ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 8D ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 39 ?? 0F 85 } - $block_6 = { 8D ?? ?? ?? 89 ?? 6A ?? 8D ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? ?? ?? 83 ?? ?? ?? ?? 0F 85 } - $block_7 = { 8B ?? ?? 0F AF ?? ?? 89 ?? 8B ?? ?? 01 ?? 8B ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 8B ?? ?? 89 ?? ?? E8 } - $block_8 = { 8B ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 0F B7 ?? ?? ?? ?? ?? ?? 80 F? ?? 75 } - $block_9 = { 8B ?? ?? 0F AF ?? ?? 89 ?? 8B ?? ?? 01 ?? 89 ?? ?? ?? 8B ?? ?? 89 ?? ?? 8B ?? ?? FF D? 85 ?? 7E } - $block_10 = { 8B ?? ?? ?? 89 ?? 8D ?? ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 83 ?? ?? ?? ?? ?? ?? ?? 0F 84 } - $block_11 = { 8B ?? ?? 89 ?? C1 ?? ?? 01 ?? C1 ?? ?? 89 ?? 8B ?? ?? 01 ?? 89 ?? ?? 8B ?? ?? 0F B6 ?? 3C ?? 75 } - $block_12 = { 8D ?? ?? 8D ?? ?? ?? ?? ?? ?? 8D ?? ?? ?? 89 ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 83 ?? ?? ?? ?? 0F 85 } - $block_13 = { 87 ?? 8D ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? 89 ?? ?? 89 ?? 83 ?? ?? 89 ?? ?? ?? 83 ?? ?? 0F 85 } - $block_14 = { 8B ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? 83 ?? ?? 0F 84 } - $block_15 = { 89 ?? ?? 89 ?? E8 ?? ?? ?? ?? 
66 ?? ?? ?? ?? ?? 5? 5? 5? 5? 83 ?? ?? 8B ?? ?? ?? 85 ?? 0F 84 } - $block_16 = { 8B ?? ?? ?? F2 ?? ?? ?? ?? ?? 8B ?? ?? ?? 89 ?? ?? ?? F2 ?? ?? ?? ?? ?? 83 ?? ?? ?? ?? 0F 85 } - $block_17 = { 0F B6 ?? ?? ?? ?? ?? ?? 89 ?? 8B ?? ?? ?? ?? ?? C1 ?? ?? 83 ?? ?? C1 ?? ?? 09 ?? 39 ?? 0F 83 } - $block_18 = { 8B ?? ?? ?? 8B ?? ?? ?? 8B ?? ?? ?? E8 ?? ?? ?? ?? 6A ?? 6A ?? 5? E8 ?? ?? ?? ?? 85 ?? 0F 84 } - $block_19 = { 89 ?? E8 ?? ?? ?? ?? 0F 1F ?? ?? ?? ?? ?? 5? 5? 5? 5? 83 ?? ?? 8B ?? ?? ?? 89 ?? 85 ?? 0F 88 } - $block_20 = { C7 ?? ?? ?? ?? ?? C6 ?? ?? ?? E8 ?? ?? ?? ?? 6A ?? 6A ?? 5? E8 ?? ?? ?? ?? 89 ?? 85 ?? 0F 84 } - $block_21 = { 8B ?? ?? 8B ?? ?? ?? 8D ?? ?? 8B ?? ?? ?? 89 ?? 8D ?? ?? 83 ?? ?? 89 ?? ?? ?? 8D ?? ?? 0F 82 } - $block_22 = { 6A ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? 89 ?? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_23 = { 83 ?? ?? 31 ?? 0F 57 ?? 89 ?? 0F 29 ?? ?? ?? 0F 29 ?? ?? ?? 0F 29 ?? ?? ?? 0F 29 ?? ?? ?? 9? } - $block_24 = { 8B ?? ?? 8B ?? ?? 6A ?? 68 ?? ?? ?? ?? 5? 8D ?? ?? ?? 5? FF D? 83 ?? ?? 83 ?? ?? ?? ?? 0F 84 } - $block_25 = { 8B ?? ?? 35 ?? ?? ?? ?? 89 ?? 8B ?? ?? 80 F? ?? 89 ?? 89 ?? 09 ?? 85 ?? 0F 94 ?? 0F B6 ?? EB } - $block_26 = { 0F 1F ?? ?? 5? 5? FF 7? ?? ?? 8D ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? ?? 83 ?? ?? 0F 85 } - $block_27 = { 0F BD ?? ?? ?? 0F BD ?? 83 ?? ?? 83 ?? ?? 29 ?? 8D ?? ?? 89 ?? 83 ?? ?? 89 ?? ?? ?? 0F 84 } - $block_28 = { 89 ?? ?? 89 ?? ?? ?? 8D ?? ?? 31 ?? 8D ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? 0F 1F ?? 66 ?? ?? 75 } - $block_29 = { 66 ?? 5? 5? 5? 5? 81 E? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? A1 ?? ?? ?? ?? 80 7? ?? ?? 0F 85 } - $block_30 = { 8D ?? ?? ?? 89 ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? ?? 8B ?? ?? ?? 8B ?? ?? 84 ?? 0F 85 } - $block_31 = { 66 ?? ?? ?? ?? ?? ?? ?? 66 ?? ?? ?? ?? ?? ?? ?? 66 ?? ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? 0F 1F } - $block_32 = { BE ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? 29 ?? 39 ?? 89 ?? 0F 43 ?? 83 ?? ?? 72 } - $block_33 = { 8D ?? ?? 31 ?? 89 ?? 89 ?? 89 ?? ?? ?? 0F 1F ?? 
?? ?? ?? ?? ?? 0F B6 ?? 8D ?? ?? 84 ?? 78 } - $block_34 = { 83 ?? ?? 0F B6 ?? 89 ?? 8D ?? ?? ?? 8D ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 89 ?? 83 ?? ?? 8B } - $block_35 = { 0D ?? ?? ?? ?? 8D ?? ?? 89 ?? ?? ?? 89 ?? 8B ?? ?? 21 ?? 89 ?? ?? ?? 8B ?? ?? 85 ?? 0F 84 } - $block_36 = { 89 ?? 89 ?? E8 ?? ?? ?? ?? 5? 6A ?? 5? E8 ?? ?? ?? ?? 89 ?? 89 ?? 89 ?? ?? ?? 85 ?? 0F 84 } - $block_37 = { 8B ?? ?? ?? 8B ?? ?? ?? BD ?? ?? ?? ?? BB ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? 39 ?? 0F 84 } - $block_38 = { 89 ?? ?? ?? 8B ?? ?? ?? 4? 89 ?? ?? ?? 8B ?? ?? ?? 89 ?? 8B ?? ?? ?? 0F B6 ?? 83 ?? ?? 89 } - $block_39 = { 89 ?? E8 ?? ?? ?? ?? BE ?? ?? ?? ?? B9 ?? ?? ?? ?? 84 ?? 89 ?? ?? ?? C6 ?? ?? ?? ?? 0F 85 } - $block_40 = { 8B ?? ?? ?? 8B ?? ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? 5? E8 ?? ?? ?? ?? 85 ?? 0F 84 } - $block_41 = { 8B ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 83 ?? ?? ?? ?? ?? ?? ?? 0F 84 } - $block_42 = { 0F B6 ?? ?? 89 ?? 0F B6 ?? ?? ?? ?? ?? 4? 0F B6 ?? ?? ?? ?? ?? 3A ?? ?? ?? ?? ?? 89 ?? 74 } - $block_43 = { 8B ?? ?? BD ?? ?? ?? ?? 0F B6 ?? ?? ?? BB ?? ?? ?? ?? 89 ?? ?? ?? 24 ?? 3C ?? 89 ?? 75 } - $block_44 = { 5? 5? 83 ?? ?? 8B ?? ?? ?? ?? ?? ?? 89 ?? 89 ?? ?? B1 ?? 89 ?? ?? ?? 80 7? ?? ?? 0F 85 } - $block_45 = { 8D ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? 8B ?? ?? 89 ?? ?? 8B ?? ?? 8B ?? 83 ?? ?? 7F } - $block_46 = { 8B ?? ?? ?? 8B ?? ?? ?? 8D ?? ?? 85 ?? 89 ?? ?? ?? 0F 44 ?? 8D ?? ?? ?? 89 ?? 85 ?? 74 } - $block_47 = { 89 ?? ?? ?? 31 ?? 85 ?? 89 ?? BF ?? ?? ?? ?? 89 ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? 0F 84 } - $block_48 = { E8 ?? ?? ?? ?? FF 7? ?? ?? 6A ?? 5? E8 ?? ?? ?? ?? 8B ?? ?? ?? 8B ?? ?? ?? 85 ?? 0F 84 } - $block_49 = { 0F 1F ?? ?? E8 ?? ?? ?? ?? 5? 6A ?? 5? E8 ?? ?? ?? ?? 8B ?? ?? ?? 8B ?? ?? ?? 39 ?? 75 } - $block_50 = { 80 7? ?? ?? ?? 0F 97 ?? 80 F? ?? 0F 97 ?? 3A ?? ?? ?? 18 ?? 80 C? ?? 20 ?? 20 ?? 0F B6 } - $block_51 = { 8B ?? ?? 0F B6 ?? 0F B6 ?? C1 ?? ?? 89 ?? 8B ?? ?? 83 ?? ?? 0F B6 ?? 0F B6 ?? 09 ?? EB } - $block_52 = { 89 ?? 83 ?? ?? BE ?? 
?? ?? ?? 89 ?? ?? ?? 0F 42 ?? 8D ?? ?? 81 F? ?? ?? ?? ?? 0F 83 } - $block_53 = { 8D ?? ?? 8D ?? ?? 89 ?? ?? ?? 0F B6 ?? 89 ?? ?? ?? 89 ?? ?? 89 ?? ?? ?? 84 ?? 0F 88 } - $block_54 = { 8D ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? ?? 0F 84 } - $block_55 = { 0F 1F ?? ?? ?? 5? 5? 83 ?? ?? 8B ?? ?? ?? 8B ?? ?? ?? 8B ?? ?? 8B ?? ?? 80 3? ?? 75 } - $block_56 = { 8D ?? ?? ?? FF 7? ?? ?? FF 7? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 0F B7 ?? ?? ?? 3C ?? 75 } - $block_57 = { 89 ?? BE ?? ?? ?? ?? 83 ?? ?? 0F 42 ?? 8D ?? ?? 89 ?? ?? ?? 81 F? ?? ?? ?? ?? 0F 83 } - $block_58 = { 8A ?? ?? ?? 88 ?? ?? ?? 0F B7 ?? ?? ?? 66 ?? ?? ?? ?? 8B ?? ?? 8B ?? F0 ?? ?? 0F 8E } - $block_59 = { C6 ?? ?? BB ?? ?? ?? ?? 8A ?? ?? ?? 88 ?? ?? 0F B7 ?? ?? ?? 66 ?? ?? ?? 89 ?? ?? C7 } - $block_60 = { 89 ?? ?? B1 ?? 86 ?? ?? 8B ?? ?? 8B ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 } - $block_61 = { 8B ?? ?? ?? 8B ?? ?? 8D ?? ?? 89 ?? 0F B6 ?? C1 ?? ?? 09 ?? 83 ?? ?? 66 ?? ?? ?? 73 } - $block_62 = { 8B ?? ?? ?? C1 ?? ?? 66 ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? 0F B7 ?? 09 ?? 31 ?? 89 ?? E9 } - $block_63 = { 8B ?? ?? 89 ?? 31 ?? 29 ?? 89 ?? 01 ?? 89 ?? ?? 39 ?? ?? 8B ?? ?? ?? 8B ?? ?? 0F 95 } - $block_64 = { 5? 5? 5? 5? 83 ?? ?? 8B ?? ?? ?? 8B ?? 8B ?? ?? 8B ?? 89 ?? 85 ?? 89 ?? ?? ?? 0F 84 } - $block_65 = { 31 ?? B0 ?? F0 ?? ?? ?? ?? ?? ?? ?? 0F B6 ?? C1 ?? ?? 0F B7 ?? 3D ?? ?? ?? ?? 0F 82 } - $block_66 = { 89 ?? 89 ?? C1 ?? ?? C1 ?? ?? C1 ?? ?? C1 ?? ?? 0F B6 ?? 0F B7 ?? 09 ?? 09 ?? 0F 85 } - $block_67 = { 89 ?? ?? ?? BF ?? ?? ?? ?? 89 ?? ?? ?? 29 ?? 89 ?? ?? ?? 8B ?? ?? ?? 83 ?? ?? 0F 85 } - $block_68 = { 8B ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 6A ?? 6A ?? 5? E8 ?? ?? ?? ?? 89 ?? 85 ?? 0F 84 } - $block_69 = { 0F 1F ?? E8 ?? ?? ?? ?? FF 7? ?? ?? 6A ?? 5? E8 ?? ?? ?? ?? 8B ?? ?? 83 ?? ?? 0F 87 } - $block_70 = { 8B ?? ?? ?? BF ?? ?? ?? ?? BA ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? 89 ?? 39 ?? 0F 84 } - $block_71 = { 8B ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? 89 ?? ?? 8B ?? ?? 8B ?? ?? 3B ?? ?? 
0F 87 } - $block_72 = { 0F 1F ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 4? 85 ?? 0F 84 } - $block_73 = { 8B ?? ?? ?? 83 ?? ?? ?? 0F 94 ?? 80 7? ?? ?? BE ?? ?? ?? ?? 18 ?? 20 ?? 0F B6 ?? EB } - $block_74 = { 5? 5? 5? 5? 81 E? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? 8B ?? ?? 83 ?? ?? 0B ?? ?? 0F 85 } - $block_75 = { 89 ?? B8 ?? ?? ?? ?? 83 ?? ?? 0F 42 ?? 8B ?? ?? ?? 8D ?? ?? 3D ?? ?? ?? ?? 0F 83 } - $block_76 = { 0F B6 ?? ?? 0F B6 ?? ?? ?? ?? ?? 8B ?? ?? ?? 0F B6 ?? ?? 4? 3A ?? ?? ?? ?? ?? 74 } - $block_77 = { 31 ?? 89 ?? ?? ?? 89 ?? ?? ?? 8D ?? ?? 89 ?? 89 ?? 29 ?? 29 ?? 89 ?? ?? ?? 0F 84 } - $block_78 = { 4? BF ?? ?? ?? ?? 85 ?? 89 ?? ?? ?? 0F 44 ?? ?? ?? 8D ?? ?? 8D ?? ?? 8D ?? ?? 89 } - $block_79 = { 0F B6 ?? ?? 89 ?? 89 ?? 89 ?? ?? 8B ?? ?? ?? 24 ?? 3C ?? 89 ?? BE ?? ?? ?? ?? 75 } - $block_80 = { 0F 1F ?? ?? 5? 89 ?? 83 ?? ?? 83 ?? ?? 8B ?? ?? 8B ?? ?? 8B ?? 8A ?? 80 F? ?? 74 } - $block_81 = { 8B ?? ?? ?? 0F B6 ?? ?? ?? 8B ?? ?? ?? 8B ?? ?? ?? 8B ?? ?? ?? C1 ?? ?? 09 ?? EB } - $block_82 = { 8B ?? ?? ?? BF ?? ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 29 ?? 89 ?? ?? ?? 89 ?? 0F 1F } - $block_83 = { 8B ?? ?? ?? 0F B6 ?? ?? ?? 0F B6 ?? ?? ?? ?? ?? 89 ?? ?? ?? 81 F? ?? ?? ?? ?? 76 } - $block_84 = { 89 ?? E8 ?? ?? ?? ?? 0F 1F ?? ?? ?? ?? ?? ?? 5? 5? 5? 5? 89 ?? 8B ?? ?? 85 ?? 74 } - $block_85 = { 0F 1F ?? ?? ?? 8A ?? ?? ?? 81 E? ?? ?? ?? ?? 88 ?? 09 ?? 8A ?? ?? ?? 84 ?? 0F 85 } - $block_86 = { 8B ?? ?? 83 ?? ?? 5? 5? FF 7? ?? FF 5? ?? 83 ?? ?? 4? 83 ?? ?? 84 ?? B0 ?? 0F 84 } - $block_87 = { 8B ?? ?? ?? 8D ?? ?? 8B ?? 0F B6 ?? ?? 89 ?? ?? 66 ?? ?? ?? 89 ?? 04 ?? 3C ?? 72 } - $block_88 = { 8B ?? ?? 83 ?? ?? 0F B6 ?? 0F B6 ?? C1 ?? ?? 89 ?? 8B ?? ?? 0F B6 ?? 0F B6 ?? 09 } - $block_89 = { 8B ?? ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? 8B ?? ?? 83 ?? ?? 0F 47 ?? 4? 39 ?? 0F 87 } - $block_90 = { 5? 89 ?? 5? 5? 5? 83 ?? ?? 83 ?? ?? 31 ?? 83 ?? ?? ?? 89 ?? 89 ?? ?? ?? 0F 84 } - $block_91 = { 89 ?? 83 ?? ?? 89 ?? ?? ?? 8B ?? 89 ?? ?? ?? 31 ?? 8B ?? ?? 89 ?? ?? ?? 
0F 1F } - $block_92 = { 66 ?? ?? ?? ?? 0F 10 ?? 83 ?? ?? 66 ?? ?? ?? ?? 0F 11 ?? 83 ?? ?? 83 ?? ?? 75 } - $block_93 = { 89 ?? 83 ?? ?? 31 ?? 89 ?? ?? ?? 8B ?? 89 ?? ?? ?? 8B ?? ?? 89 ?? ?? ?? 0F 1F } - $block_94 = { 8B ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 0F 84 } - $block_95 = { 8D ?? ?? ?? ?? ?? ?? 8D ?? ?? 89 ?? ?? 83 ?? ?? 01 ?? 8D ?? ?? 8D ?? ?? 0F 1F } - $block_96 = { 31 ?? 85 ?? 89 ?? ?? ?? 0F 95 ?? ?? ?? 0F 95 ?? 80 7? ?? ?? 88 ?? ?? ?? 0F 85 } - $block_97 = { 8D ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? 89 ?? ?? 8B ?? ?? 0F B6 ?? 3C ?? 74 } - $block_98 = { 3B ?? ?? ?? 8D ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 8D ?? ?? ?? 89 ?? ?? ?? 0F 85 } - $block_99 = { 8B ?? ?? ?? 85 ?? 0F 94 ?? 89 ?? 29 ?? 0F 94 ?? 08 ?? 80 F? ?? 88 ?? ?? ?? 75 } - - condition: - hash.sha256(0, filesize) == "2ee5a743bd420aa04e0ea9ab7a25e1cc2c346a55d6a518f267896694d75539a2" or - 12 of them -} - -rule Zebrocy { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { 8B ?? ?? 8B ?? ?? 8D ?? ?? 8B ?? ?? 8B ?? ?? 8D ?? ?? 8B ?? ?? 0F B6 ?? E8 ?? ?? ?? ?? 84 ?? 74 } - $block_1 = { 33 ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 88 ?? ?? ?? ?? ?? 39 ?? ?? ?? ?? ?? 0F 82 } - $block_2 = { 36 ?? 38 ?? 61 62 ?? ?? 65 ?? ?? ?? 38 ?? ?? 38 ?? ?? ?? ?? ?? 31 ?? ?? ?? ?? ?? 20 ?? ?? 6C 75 } - $block_3 = { 67 ?? ?? ?? ?? ?? ?? ?? 20 ?? ?? 6C 6C 65 ?? ?? ?? ?? 69 ?? ?? ?? ?? ?? ?? 20 ?? 20 ?? ?? ?? 70 } - $block_4 = { 4? 2D ?? ?? ?? ?? 61 6C 69 ?? ?? ?? ?? ?? ?? ?? 6B ?? ?? ?? 65 ?? 33 ?? 2E ?? ?? 6C 00 ?? ?? 79 } - $block_5 = { 69 ?? ?? ?? ?? ?? ?? 6E 67 ?? ?? ?? 64 ?? ?? ?? ?? ?? ?? ?? 65 ?? ?? 62 ?? ?? 20 ?? ?? 6D 6F 72 } - $block_6 = { 65 ?? ?? 4? 00 ?? ?? 00 ?? 4? 00 ?? FF 0? 00 ?? 00 ?? 00 ?? 80 0? ?? 00 ?? 08 ?? 06 4? 61 73 } - $block_7 = { 5? 33 ?? 5? 68 ?? ?? ?? ?? 64 ?? ?? 64 ?? ?? A1 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 83 ?? ?? 0F 84 } - $block_8 = { 5? 5? 33 ?? 5? 68 ?? ?? ?? ?? 64 ?? ?? 64 ?? ?? A1 ?? ?? ?? ?? 8B ?? 
?? ?? ?? ?? 85 ?? 0F 8C } - $block_9 = { 4? 6F 64 ?? ?? ?? ?? ?? ?? 65 ?? ?? ?? 3D ?? ?? ?? ?? 32 ?? 34 ?? 36 ?? 38 ?? 61 62 ?? ?? 65 } - $block_10 = { 6C 69 ?? ?? ?? ?? ?? ?? ?? 64 ?? ?? ?? ?? ?? ?? 2F 68 ?? ?? ?? ?? 20 ?? ?? 65 ?? ?? ?? ?? 74 } - $block_11 = { 61 20 ?? ?? 6E 63 ?? ?? ?? 6E 30 ?? 32 ?? 34 ?? 36 ?? 38 ?? 4? 4? 4? 4? 4? 4? 30 ?? 32 ?? 34 } - $block_12 = { 6F 2F 63 ?? ?? 68 ?? ?? ?? ?? 69 ?? ?? ?? ?? ?? ?? 63 ?? ?? ?? 4? 4? 20 ?? ?? ?? 20 ?? ?? 7A } - $block_13 = { 35 ?? ?? ?? ?? 32 ?? 33 ?? 32 ?? ?? ?? ?? ?? 61 69 ?? ?? ?? ?? ?? ?? 20 ?? ?? 61 6E 64 ?? 72 } - $block_14 = { 69 ?? ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 3A ?? 2F 31 ?? 30 ?? 39 ?? 2E ?? ?? 37 2E ?? ?? 36 ?? 70 } - $block_15 = { 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 84 ?? 0F 84 } - $block_16 = { 89 ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? ?? 8B ?? ?? ?? 8B ?? ?? ?? 8D ?? ?? 83 ?? ?? 39 ?? 0F 87 } - $block_17 = { 66 ?? ?? ?? ?? 89 ?? ?? ?? 0F B7 ?? ?? ?? 09 ?? 66 ?? ?? ?? ?? 0F B6 ?? ?? ?? 84 ?? 0F 84 } - $block_18 = { 9? 4? 00 ?? ?? 00 ?? 08 ?? 4? 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 00 ?? 5? 6F 70 } - $block_19 = { 8B ?? ?? 0F BE ?? ?? 83 ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 4? 89 ?? ?? 3B ?? ?? 72 } - $block_20 = { 20 ?? ?? 61 3D ?? ?? ?? ?? 20 ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6D 61 78 } - $block_21 = { 20 ?? ?? ?? ?? ?? 20 ?? 20 ?? 6D 3D ?? ?? ?? ?? 32 ?? ?? ?? ?? ?? 33 ?? ?? ?? ?? ?? 73 } - $block_22 = { 61 63 ?? ?? 3D ?? ?? ?? ?? 6C 6F 63 ?? ?? 67 ?? ?? ?? ?? ?? 63 ?? ?? ?? 6B ?? ?? ?? 70 } - $block_23 = { 38 ?? 38 ?? 30 ?? 32 ?? ?? ?? ?? ?? 33 ?? 34 ?? 33 ?? 32 ?? ?? ?? ?? ?? 5? 4? 6F 6E 74 } - $block_24 = { 9E 02 ?? 9C 9E 02 ?? 03 ?? 00 ?? 04 ?? 00 ?? C0 ?? ?? ?? ?? ?? ?? 00 ?? 9E 02 ?? 5? E3 } - $block_25 = { 36 ?? ?? 39 ?? 36 ?? ?? ?? ?? ?? ?? 61 6C 69 ?? ?? ?? ?? ?? ?? ?? 63 ?? ?? ?? 61 6C 75 } - $block_26 = { 00 ?? FF 0? 00 ?? 00 ?? 00 ?? 80 F? ?? FF 1? 02 ?? 0A ?? ?? 65 ?? 64 ?? 6F 6C 6F 72 } - $block_27 = { 8D ?? ?? A1 ?? ?? ?? ?? 
8B ?? E8 ?? ?? ?? ?? 8B ?? ?? 8B ?? ?? E8 ?? ?? ?? ?? 0F 84 } - $block_28 = { 5? 5? 89 ?? ?? 33 ?? 5? 68 ?? ?? ?? ?? 64 ?? ?? 64 ?? ?? E8 ?? ?? ?? ?? 84 ?? 0F 84 } - $block_29 = { 8B ?? ?? 8B ?? ?? 0F B6 ?? ?? ?? 8B ?? ?? 8B ?? ?? 88 ?? ?? ?? FF 4? ?? FF 4? ?? 75 } - $block_30 = { 65 ?? ?? ?? ?? ?? 65 ?? ?? ?? 6C 65 ?? ?? ?? ?? 68 ?? ?? ?? ?? 65 ?? ?? 20 ?? ?? 76 } - $block_31 = { 4? 5? 5? 5? 5? 5? 5? 4? 4? 4? 5? 4? 4? 4? 5? 4? 4? 5? 69 ?? ?? ?? ?? ?? ?? 6E 6C 6F } - $block_32 = { 69 ?? ?? ?? ?? ?? ?? 6F 3A ?? 69 ?? ?? ?? ?? ?? ?? 20 ?? ?? 65 ?? ?? ?? 20 ?? ?? 72 } - $block_33 = { 61 63 ?? ?? ?? 65 ?? ?? ?? 6E 3C ?? 63 ?? ?? ?? 65 ?? ?? ?? ?? 6B ?? ?? ?? 6F 6D 61 } - $block_34 = { 3D ?? ?? ?? ?? 6E 3D ?? ?? ?? ?? 29 ?? 28 ?? 6D 3A ?? ?? 28 ?? 6D 3A ?? ?? 28 ?? 73 } - $block_35 = { CE BC ?? ?? ?? ?? 20 ?? 3D ?? ?? ?? ?? 20 ?? 3C ?? 3D ?? ?? ?? ?? 20 ?? ?? 20 ?? 66 } - $block_36 = { 07 0A ?? ?? ?? 61 67 ?? ?? 69 ?? ?? ?? ?? ?? ?? 8C ?? 4? 00 ?? ?? 08 ?? ?? 6E 74 } - $block_37 = { 8B ?? ?? ?? ?? ?? ?? 5? 5? 8D ?? ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 0F 84 } - $block_38 = { 69 ?? ?? ?? ?? ?? ?? 6E 6B ?? ?? ?? 6E 28 ?? ?? 61 69 ?? ?? ?? ?? ?? ?? 66 ?? 72 } - $block_39 = { 61 6E 5? 4? 6C 62 ?? ?? 69 ?? ?? ?? ?? ?? ?? 61 6E 64 ?? 69 ?? ?? ?? ?? ?? ?? 67 } - $block_40 = { 20 ?? ?? 61 3D ?? ?? ?? ?? 3D ?? ?? ?? ?? 3D ?? ?? ?? ?? 3D ?? ?? ?? ?? 20 ?? 73 } - $block_41 = { 29 ?? 28 ?? ?? 61 6E 20 ?? 28 ?? ?? 61 6E 29 ?? 4? 4? 20 ?? ?? 20 ?? 5? 61 6C 75 } - $block_42 = { 62 ?? ?? 64 ?? ?? ?? 31 ?? ?? 69 ?? ?? ?? ?? ?? 63 ?? ?? 6C 63 ?? ?? 20 ?? ?? 73 } - $block_43 = { 63 ?? ?? ?? ?? ?? 4? 6F 64 ?? ?? ?? ?? ?? ?? 63 ?? ?? 69 ?? ?? ?? ?? ?? ?? ?? 70 } - $block_44 = { 5? 4? 4? 4? 5? 4? 4? 4? 5? 4? 4? 5? 69 ?? ?? ?? ?? ?? ?? 6E 6C 6F 63 ?? ?? 4? 4? } - $block_45 = { 6E 66 ?? ?? 6E 20 ?? ?? ?? ?? ?? 62 ?? ?? 2E ?? ?? ?? 2E ?? ?? ?? 2E ?? ?? ?? 2E } - $block_46 = { 5? 5? 5? 88 ?? ?? 8B ?? 33 ?? 5? 68 ?? ?? ?? ?? 64 ?? ?? 64 ?? ?? 85 ?? 0F 84 } - $block_47 = { 8B ?? E8 ?? ?? ?? 
?? 8D ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 4? FF 4? ?? 0F 85 } - $block_48 = { 35 ?? ?? ?? ?? 33 ?? 39 ?? 35 ?? ?? ?? ?? 37 32 ?? 35 ?? ?? ?? ?? 4? 4? 5? 4? } - $block_49 = { 20 ?? ?? ?? 65 ?? ?? ?? 6E 65 ?? ?? 31 ?? ?? 6D 6F 61 20 ?? ?? 61 6E 64 ?? 72 } - $block_50 = { 69 ?? ?? ?? ?? ?? ?? 64 ?? ?? ?? 2D ?? ?? ?? ?? 6E 6B ?? ?? ?? 6E 20 ?? ?? 74 } - $block_51 = { 65 ?? ?? ?? ?? ?? 6C 6F 63 ?? ?? 67 ?? ?? ?? ?? ?? 63 ?? ?? ?? 6B ?? ?? ?? 70 } - $block_52 = { 8B ?? ?? ?? ?? ?? 5? 5? 8D ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 0F 85 } - $block_53 = { 4? 4? 00 ?? 00 ?? 00 ?? 00 ?? 80 F? ?? FF 1? 03 ?? 07 4? 6B ?? ?? ?? 6F 72 } - $block_54 = { 0F B6 ?? ?? 5? 8D ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? C6 ?? ?? ?? 3B ?? 74 } - $block_55 = { 67 ?? 6D 61 67 ?? ?? 69 ?? ?? ?? ?? ?? ?? 88 ?? 4? 00 ?? 00 ?? 4? 6F 6E 74 } - $block_56 = { 6E 67 ?? ?? ?? 64 ?? ?? ?? ?? ?? ?? ?? 65 ?? ?? 62 ?? ?? 20 ?? ?? 6D 6F 72 } - $block_57 = { 64 ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 3B ?? ?? 0F 86 } - $block_58 = { 6D 65 ?? ?? 62 ?? ?? 20 ?? ?? 2D ?? ?? ?? ?? 6E 6B ?? ?? ?? 6E 20 ?? ?? 74 } - $block_59 = { 4? 24 ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 0F B7 ?? ?? ?? 8B ?? ?? ?? 85 ?? 0F 84 } - $block_60 = { 5? 5? 89 ?? ?? E8 ?? ?? ?? ?? 88 ?? ?? C7 ?? ?? ?? ?? ?? ?? 84 ?? 0F 84 } - $block_61 = { 32 ?? 35 ?? ?? ?? ?? 32 ?? 35 ?? ?? ?? ?? 39 ?? 36 ?? ?? ?? ?? ?? 6D 65 } - $block_62 = { 69 ?? ?? ?? ?? ?? ?? 5? 61 6B ?? ?? ?? 61 6D 69 ?? ?? ?? ?? ?? ?? ?? 72 } - $block_63 = { 20 ?? ?? 6C 6C 6F 63 ?? ?? 67 ?? ?? ?? ?? ?? 63 ?? ?? ?? 6B ?? ?? ?? 70 } - $block_64 = { 63 ?? 6B ?? ?? ?? 6F 66 ?? ?? ?? ?? 65 ?? ?? ?? ?? ?? ?? 20 ?? ?? 6E 79 } - $block_65 = { 68 ?? ?? ?? ?? 6C 6C 65 ?? ?? 6C 20 ?? ?? 65 ?? ?? ?? 20 ?? ?? 6C 6F 77 } - $block_66 = { 32 ?? ?? ?? ?? ?? 34 ?? 34 ?? 37 37 35 ?? ?? ?? ?? 32 ?? ?? ?? ?? ?? 73 } - $block_67 = { 5? 61 69 ?? ?? ?? ?? ?? ?? 61 69 ?? ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 61 79 } - $block_68 = { 4? 4? 5? 4? 5? 4? 5? 5? 5? 32 ?? ?? 4? 5? 4? 5? 5? 4? 4? 4? 5? 4? 
61 74 } - $block_69 = { 8B ?? ?? E8 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 89 ?? ?? 83 ?? ?? ?? 0F 8C } - $block_70 = { 8B ?? ?? 0F B7 ?? ?? 8B ?? ?? 83 ?? ?? 2B ?? 83 ?? ?? 83 ?? ?? 0F 86 } - $block_71 = { A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 8B ?? FF 5? ?? 4? 85 ?? 0F 8E } - $block_72 = { 61 6E 4? 68 ?? ?? ?? ?? 4? 6F 6D 6D 6F 6E 4? 6F 6F 6B ?? ?? ?? 6F 70 } - $block_73 = { 64 ?? ?? 2D ?? ?? ?? ?? 20 ?? ?? ?? 69 ?? ?? ?? ?? ?? ?? ?? 6F 6E 74 } - $block_74 = { 6F 6F 4? 4? 20 ?? ?? 65 ?? ?? 4? 20 ?? ?? 69 ?? ?? ?? ?? ?? ?? ?? 74 } - $block_75 = { 6A ?? 5? 5? 5? 68 ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 83 ?? ?? 0F 87 } - $block_76 = { 8B ?? E8 ?? ?? ?? ?? 8B ?? ?? 8B ?? FF 5? ?? 8B ?? 4? 85 ?? 0F 8C } - $block_77 = { 64 ?? ?? ?? 61 6E 25 ?? ?? ?? ?? 28 ?? 62 ?? ?? 2E ?? 6C 6F 61 74 } - $block_78 = { 65 ?? ?? ?? 69 ?? ?? ?? ?? ?? ?? 61 6C 69 ?? ?? ?? ?? ?? ?? ?? 66 } - $block_79 = { 2A ?? ?? ?? ?? ?? 25 ?? ?? ?? ?? 34 ?? 26 ?? ?? 39 ?? 26 ?? 6D 70 } - $block_80 = { 64 ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8D ?? ?? ?? 3B ?? ?? 0F 86 } - $block_81 = { 62 ?? ?? 63 ?? ?? ?? 61 6B ?? ?? ?? 61 6E 20 ?? ?? 61 6E 64 ?? 72 } - $block_82 = { 6E 67 ?? ?? ?? 6D 61 69 ?? ?? ?? ?? ?? ?? 69 ?? ?? ?? ?? ?? ?? 73 } - $block_83 = { 8D ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 8B ?? FF 5? ?? 4? 85 ?? 0F 8E } - $block_84 = { 8D ?? ?? 8D ?? ?? 8B ?? ?? 0F B6 ?? E8 ?? ?? ?? ?? 84 ?? 74 } - $block_85 = { 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 3B ?? 0F 84 } - $block_86 = { 33 ?? E8 ?? ?? ?? ?? 8B ?? ?? 8B ?? FF 5? ?? 4? 85 ?? 0F 8E } - $block_87 = { 8D ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 94 ?? 83 ?? ?? 75 } - $block_88 = { 6A ?? 6A ?? 6A ?? FF 1? ?? ?? ?? ?? 8B ?? 83 ?? ?? 0F 84 } - $block_89 = { 8D ?? ?? 8B ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 83 ?? ?? 0F 87 } - $block_90 = { 33 ?? E8 ?? ?? ?? ?? 8B ?? ?? E8 ?? ?? ?? ?? 84 ?? 0F 84 } - $block_91 = { 69 ?? ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? 00 ?? 4? 6F 6E 74 } - $block_92 = { 69 ?? ?? ?? ?? ?? ?? BC ?? ?? ?? ?? 00 ?? 4? 6F 6E 74 } - $block_93 = { 0F B7 ?? 5? 5? 
E8 ?? ?? ?? ?? 83 ?? ?? 3B ?? ?? ?? 75 } - $block_94 = { FF 0? ?? ?? ?? ?? 81 3? ?? ?? ?? ?? ?? ?? ?? ?? 0F 85 } - $block_95 = { 5? 5? 68 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 } - $block_96 = { BA ?? ?? ?? ?? 8B ?? D3 ?? 85 ?? ?? ?? ?? ?? 0F 84 } - $block_97 = { 8B ?? ?? ?? ?? ?? 8B ?? ?? 0F B6 ?? ?? 8B ?? ?? E8 } - $block_98 = { A1 ?? ?? ?? ?? 8B ?? 8B ?? FF 5? ?? 4? 85 ?? 0F 8C } - $block_99 = { 0F B7 ?? ?? 5? 5? E8 ?? ?? ?? ?? 80 7? ?? ?? 75 } - - condition: - hash.sha256(0, filesize) == "dd7e69e14c88972ac173132b90b3f4bfb2d1faec15cca256a256dd3a12b6e75d" or - hash.sha256(0, filesize) == "f5c28f2089c1ac3cdc9d1bc01297838f663dfb0f2a4a2686edb47cc64ea60bb4" or - hash.sha256(0, filesize) == "f3f26c446fb3bf8453f434bbeed506ba78f40f510c4186cb7229e2473862c10f" or - hash.sha256(0, filesize) == "074a5836c5973bb53ab02c2bad66a4743b65c20fd6bf602cfaf09219f32d2426" or - hash.sha256(0, filesize) == "b483b6f21601752ff800ba52092e358050e4b370117503a9309787fd57935926" or - hash.sha256(0, filesize) == "e2f3caade127e855fdec68faf8eea845fed9ae98ea17cd74644e57de91fb6e11" or - hash.sha256(0, filesize) == "ee9218a451c455fbca45460c0a27e1881833bd2a05325ed60f30bd4d14bb2fdc" or - hash.sha256(0, filesize) == "15486216ab9c8b474fe8a773fc46bb37a19c6af47d5bd50f5670cd9950a7207c" or - hash.sha256(0, filesize) == "044f8ab501090fd77ae6e9ebf57e7fba9041be7ab986ce58f38583f4839a5126" or - hash.sha256(0, filesize) == "d7c12acb306b5100a5497586942b68a8f6d5deb353083da594caba2523c3171f" or - hash.sha256(0, filesize) == "10a9a217d3b53a3e43ec03b81a026f7a70350a062b900d672353690090e1ade6" or - hash.sha256(0, filesize) == "c8f39b13b5d6952c853c4b9fd63d1a1cc2acaf01fd97185761894d1634ba0a38" or - hash.sha256(0, filesize) == "e5b3252692c3486339cf68799d3e19fe4ac530f3f09236167a6f01510a488e90" or - hash.sha256(0, filesize) == "736dca8fdbe0a9cbf0982a5fd540d7b31eccb83ad1e63393a8c3ce6b379f6c9d" or - hash.sha256(0, filesize) == "142287861c2322646c185b5092a1e7176a63a4d4909f03ae88446c7ff1fde105" or - hash.sha256(0, filesize) == 
"25f0d1cbcc53d8cfd6d848e12895ce376fbbfaf279be591774b28f70852a4fd8" or - hash.sha256(0, filesize) == "b6d2b8a527b2d2dafbfca559086c391aefdceed788fc9578d15c50a20343ee50" or - hash.sha256(0, filesize) == "5223a45d8b08eb14e87a87edaa4b71593b4f9d2bdb6de1a5b6f3e77869eeca8a" or - 12 of them -} - -rule XTunnel { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { 8B ?? ?? 99 B9 ?? ?? ?? ?? F7 ?? 89 ?? ?? 8B ?? ?? 99 B9 ?? ?? ?? ?? F7 ?? 69 ?? ?? ?? ?? ?? 89 } - $block_1 = { 0F B7 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? 8B ?? ?? 83 ?? ?? E8 ?? ?? ?? ?? C7 } - $block_2 = { 0F B7 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? 8B ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 76 } - $block_3 = { 48 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? 0F 85 } - $block_4 = { 8B ?? ?? 5? FF 1? ?? ?? ?? ?? 8B ?? ?? 8B ?? ?? 0F B7 ?? ?? 8B ?? ?? 80 7? ?? ?? 89 ?? ?? 75 } - $block_5 = { 8B ?? ?? 5? FF 1? ?? ?? ?? ?? 8B ?? ?? 0F B7 ?? ?? 8B ?? ?? 8B ?? ?? 80 7? ?? ?? 89 ?? ?? 75 } - $block_6 = { 0F B7 ?? ?? ?? ?? ?? 5? 5? 6A ?? 5? 5? 5? 5? 5? FF 1? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 3B ?? 75 } - $block_7 = { C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 8B ?? ?? 0F BF ?? ?? 83 ?? ?? 74 } - $block_8 = { 48 ?? ?? ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? 0F 87 } - $block_9 = { 0F B6 ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? 44 ?? ?? ?? ?? 44 ?? ?? 0F 8D } - $block_10 = { 8B ?? ?? 0F B7 ?? ?? ?? ?? ?? 8B ?? ?? 80 7? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 75 } - $block_11 = { 48 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 0F 83 } - $block_12 = { B8 ?? ?? ?? ?? B9 ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 41 ?? ?? ?? 41 ?? ?? ?? 0F 44 ?? 89 } - $block_13 = { 48 ?? ?? ?? 48 ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? E8 ?? ?? ?? ?? A8 ?? 0F 85 } - $block_14 = { 48 ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? 48 ?? 
?? ?? 48 ?? ?? ?? E8 ?? ?? ?? ?? 80 3? ?? 0F 85 } - $block_15 = { 5? 48 ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 0F 84 } - $block_16 = { 5? 48 ?? ?? 48 ?? ?? ?? 4C ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 0F 85 } - $block_17 = { 8B ?? ?? 8B ?? 8B ?? ?? 6A ?? 6A ?? 6A ?? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 83 ?? ?? 0F 84 } - $block_18 = { 8B ?? ?? 8B ?? 8B ?? ?? 6A ?? 6A ?? 6A ?? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 83 ?? ?? 0F 85 } - $block_19 = { 4C ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? ?? ?? 0F 84 } - $block_20 = { 5? 48 ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? E8 ?? ?? ?? ?? A8 ?? 0F 85 } - $block_21 = { 5? 48 ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 0F 84 } - $block_22 = { C7 ?? ?? ?? ?? ?? ?? 8B ?? ?? 8B ?? ?? 0F B7 ?? ?? 8B ?? ?? 80 7? ?? ?? 89 ?? ?? 75 } - $block_23 = { 8B ?? ?? ?? ?? ?? 5? B9 ?? ?? ?? ?? 8B ?? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 8F } - $block_24 = { 8B ?? ?? 8B ?? 8B ?? ?? 6A ?? 6A ?? 6A ?? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 8E } - $block_25 = { 0F B6 ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? 44 ?? ?? ?? ?? 44 ?? ?? 0F 8D } - $block_26 = { 48 ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 0F BE ?? 81 F? ?? ?? ?? ?? 0F 85 } - $block_27 = { 48 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? 0F 87 } - $block_28 = { 48 ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? 23 ?? 8B ?? 85 ?? 0F 84 } - $block_29 = { 8B ?? ?? 0F B6 ?? ?? 8B ?? ?? 03 ?? ?? 0F B6 ?? 33 ?? 8B ?? ?? 03 ?? ?? 88 ?? E9 } - $block_30 = { 8B ?? ?? 8D ?? ?? 8B ?? 5? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 5? FF 5? ?? 85 ?? 0F 88 } - $block_31 = { 48 ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 0F 83 } - $block_32 = { E8 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 81 3? ?? ?? ?? ?? 0F 84 } - $block_33 = { 2B ?? 8B ?? ?? 5? 8B ?? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 
0F 85 } - $block_34 = { 2B ?? 5? 8B ?? ?? 8B ?? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 } - $block_35 = { 8B ?? ?? 2B ?? 8B ?? 5? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 } - $block_36 = { 8B ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? E8 ?? ?? ?? ?? 84 ?? 0F 85 } - $block_37 = { 80 B? ?? ?? ?? ?? ?? 8B ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? 8B ?? 8B ?? ?? 0F 85 } - $block_38 = { 8B ?? ?? 0F B7 ?? ?? 5? FF 1? ?? ?? ?? ?? 66 ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? EB } - $block_39 = { 8B ?? ?? 0F B7 ?? ?? 5? FF 1? ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 } - $block_40 = { 48 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 88 ?? ?? 8A ?? ?? A8 ?? 0F 85 } - $block_41 = { 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? 0F B6 ?? ?? 81 F? ?? ?? ?? ?? 0F 85 } - $block_42 = { 48 ?? ?? ?? 48 ?? ?? ?? 8B ?? 48 ?? ?? ?? 2B ?? ?? 48 ?? ?? ?? 3B ?? ?? 0F 8E } - $block_43 = { 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 3D ?? ?? ?? ?? 0F 84 } - $block_44 = { 48 ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 0F 84 } - $block_45 = { 48 ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? 0F 85 } - $block_46 = { 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? 0F B6 ?? ?? 81 F? ?? ?? ?? ?? 0F 84 } - $block_47 = { 48 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? 0F 82 } - $block_48 = { 48 ?? ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 0F 87 } - $block_49 = { 48 ?? ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? FF D? 81 B? ?? ?? ?? ?? ?? ?? ?? ?? 0F 8E } - $block_50 = { 8D ?? ?? 5? C7 ?? ?? ?? ?? ?? ?? 8B ?? 68 ?? ?? ?? ?? 5? FF 1? 85 ?? 0F 88 } - $block_51 = { 4C ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? 0F 84 } - $block_52 = { 48 ?? ?? ?? ?? ?? ?? 0F BF ?? ?? 81 E? ?? ?? ?? ?? 81 F? ?? ?? ?? ?? 0F 84 } - $block_53 = { 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? 0F B6 ?? 81 F? ?? ?? ?? ?? 0F 85 } - $block_54 = { 48 ?? ?? ?? 8B ?? ?? 89 ?? 4C ?? ?? ?? 48 ?? ?? ?? 49 ?? ?? 4C ?? 
?? 0F 83 } - $block_55 = { 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? A8 ?? 0F 85 } - $block_56 = { 48 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? 0F 87 } - $block_57 = { 48 ?? ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 80 3? ?? 0F 85 } - $block_58 = { 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? 0F B6 ?? 81 F? ?? ?? ?? ?? 0F 84 } - $block_59 = { 8B ?? ?? 8B ?? 5? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 } - $block_60 = { 8B ?? ?? 6A ?? 6A ?? 6A ?? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 83 ?? ?? 0F 85 } - $block_61 = { 0F B7 ?? 8D ?? ?? ?? ?? ?? 8D ?? ?? 89 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? C7 } - $block_62 = { 48 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 0F 84 } - $block_63 = { 48 ?? ?? ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 0F 87 } - $block_64 = { 4C ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? E8 ?? ?? ?? ?? 3D ?? ?? ?? ?? 0F 85 } - $block_65 = { 48 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? ?? ?? 0F 84 } - $block_66 = { 8B ?? ?? 8B ?? 5? 5? 8B ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 0F 85 } - $block_67 = { 8B ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 0F 85 } - $block_68 = { 8D ?? ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 3B ?? 0F 84 } - $block_69 = { 41 ?? ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? E8 ?? ?? ?? ?? A8 ?? 0F 85 } - $block_70 = { 48 ?? ?? ?? E8 ?? ?? ?? ?? 0F BE ?? 81 F? ?? ?? ?? ?? 41 ?? ?? ?? 44 } - $block_71 = { 48 ?? ?? ?? E8 ?? ?? ?? ?? 80 3? ?? 0F 95 ?? 80 F? ?? F6 ?? ?? 0F 85 } - $block_72 = { 8D ?? ?? ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 84 ?? 0F 84 } - $block_73 = { 5? FF 1? ?? ?? ?? ?? 0F B7 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 5? E9 } - $block_74 = { E8 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 5? 85 ?? 0F 85 } - $block_75 = { 6A ?? 6A ?? 5? 8B ?? ?? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 84 } - $block_76 = { 0F B6 ?? ?? ?? ?? ?? 8B ?? ?? 8B ?? ?? 8B ?? 0F B6 ?? ?? 3B ?? 7D } - $block_77 = { 8B ?? ?? ?? ?? ?? 8B ?? ?? 
?? ?? ?? 0F BF ?? ?? ?? 83 ?? ?? 0F 84 } - $block_78 = { C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 81 B? ?? ?? ?? ?? ?? ?? ?? ?? 0F 85 } - $block_79 = { 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 0F 84 } - $block_80 = { 48 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 0F BA ?? ?? 48 ?? ?? ?? ?? 89 } - $block_81 = { 8B ?? ?? 68 ?? ?? ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 } - $block_82 = { 8B ?? ?? 68 ?? ?? ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 } - $block_83 = { 8B ?? ?? ?? ?? ?? 0F BF ?? ?? 83 ?? ?? 8B ?? ?? ?? ?? ?? 66 } - $block_84 = { BF ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 39 ?? ?? ?? ?? ?? 0F 8E } - $block_85 = { 0F B7 ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 66 ?? ?? ?? 75 } - $block_86 = { 0F B6 ?? ?? 8B ?? ?? 8B ?? ?? 8B ?? 0F B6 ?? ?? 3B ?? 7D } - $block_87 = { 8B ?? ?? 0F B7 ?? ?? 8B ?? ?? 80 7? ?? ?? 89 ?? ?? 75 } - $block_88 = { 33 ?? B8 ?? ?? ?? ?? 33 ?? 66 ?? ?? ?? 39 ?? ?? 0F 86 } - $block_89 = { 33 ?? BA ?? ?? ?? ?? 33 ?? 66 ?? ?? ?? 39 ?? ?? 0F 86 } - $block_90 = { 8B ?? ?? 5? FF 1? ?? ?? ?? ?? 38 ?? ?? ?? ?? ?? 0F 85 } - $block_91 = { 48 ?? ?? ?? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 0F 85 } - $block_92 = { 48 ?? ?? ?? ?? 81 B? ?? ?? ?? ?? ?? ?? ?? ?? 0F 84 } - $block_93 = { 8B ?? ?? 8B ?? ?? 8B ?? 0F B6 ?? ?? 83 ?? ?? 0F 85 } - $block_94 = { 8B ?? ?? 8D ?? ?? 8B ?? 5? 5? FF 5? ?? 85 ?? 0F 88 } - $block_95 = { 8B ?? ?? 8B ?? ?? 8B ?? 0F B6 ?? 83 ?? ?? 0F 84 } - $block_96 = { 8B ?? ?? 83 ?? ?? E8 ?? ?? ?? ?? 39 ?? ?? 0F 83 } - $block_97 = { 8B ?? ?? 8B ?? ?? 8B ?? 0F B6 ?? 83 ?? ?? 0F 85 } - $block_98 = { 8B ?? ?? 8B ?? ?? 8B ?? 0F B6 ?? ?? 83 ?? ?? 74 } - $block_99 = { 0F B7 ?? ?? 5? FF 1? ?? ?? ?? ?? 66 ?? ?? ?? 
75 } - - condition: - hash.sha256(0, filesize) == "79f977c8f815c5910df382b920460fd6448103923f4dc128fc56fdf3867c47b1" or - hash.sha256(0, filesize) == "c5f8236e578a2b877fe538b2ef6f4aeceeb1b9cb73bba4d02fd368a5eb85cfab" or - hash.sha256(0, filesize) == "60ee6fdca66444bdc2e4b00dc67a1b0fdee5a3cd9979815e0aab9ce6435262c6" or - hash.sha256(0, filesize) == "d2e947a39714478983764b270985d2529ff682ffec9ebac792158353caf90ed3" or - hash.sha256(0, filesize) == "1c8869abf756e77e1b6d7d0ad5ca8f1cdce1a111315c3703e212fb3db174a6d5" or - hash.sha256(0, filesize) == "566ab945f61be016bfd9e83cc1b64f783b9b8deb891e6d504d3442bc8281b092" or - hash.sha256(0, filesize) == "8c488b029188e3280ed3614346575a4a390e0dda002bca08c0335210a6202949" or - hash.sha256(0, filesize) == "40ae43b7d6c413becc92b07076fa128b875c8dbb4da7c036639eccf5a9fc784f" or - hash.sha256(0, filesize) == "86356fa5be88673bcf6f75e9d80d5bfd1a4e8aa621c3565442997e7af3dbded6" or - hash.sha256(0, filesize) == "a979c5094f75548043a22b174aa10e1f2025371bd9e1249679f052b168e194b3" or - hash.sha256(0, filesize) == "c6a9db52a3855d980a7f383dbe2fb70300a12b7a3a4f0a995e2ebdef769eaaca" or - hash.sha256(0, filesize) == "a2c9041ee1918523e67dbaf1c514f98609d4dbe451ba08657653bb41946fc89d" or - hash.sha256(0, filesize) == "35a4ba765653f05de95f51cd2cc2898dafdb2a82d750f51dd892c160eaf7fcd9" or - hash.sha256(0, filesize) == "a37eda810ca92486bfb0e1f1b27adb7c9df57aafab686c000ae1d6ec5d6f6180" or - hash.sha256(0, filesize) == "688146426628260d32a6b4891d0900eab98c996e66018203d54270e2b76472b1" or - hash.sha256(0, filesize) == "4dd8ab2471337a56b431433b7e8db2a659dc5d9dc5481b4209c4cddd07d6dc2b" or - hash.sha256(0, filesize) == "730a0e3daf0b54f065bdd2ca427fbe10e8d4e28646a5dc40cbcfb15e1702ed9a" or - hash.sha256(0, filesize) == "d2a6064429754571682f475b6b67f36526f1573d846182aab3516c2637fa1e81" or - hash.sha256(0, filesize) == "53262019782e1ede6c8b3a4cdfdfffed1fc9abb99a0a39ff193c585450fac044" or - hash.sha256(0, filesize) == 
"cee41e51e82f5ea3cd318e6cb7e1e2218a7a86a2fbf8ffa566e4c5158bc6dd02" or - hash.sha256(0, filesize) == "b40909ac0b70b7bd82465dfc7761a6b4e0df55b894dd42290e3f72cb4280fa44" or - hash.sha256(0, filesize) == "fc224a6cca956a59812a13e53ba08a279996ea2ee194fe20fb10170ca5c2db6a" or - hash.sha256(0, filesize) == "1289ee3d29967f491542c0bdeff6974aad6b37932e91ff9c746fb220d5edb407" or - hash.sha256(0, filesize) == "20bf23ec9f25639f0e41a844448ced8fc5eb74ca017ef7ea920bdf6123ef21bd" or - hash.sha256(0, filesize) == "e46b038a1e735c4bf9aab5b8610ff38fa19670daf0bace985511acfc3a497459" or - hash.sha256(0, filesize) == "854a522a113b6413ff4db5f0ba0aec98cba3c5ef386311660f6dabab26f6aa14" or - hash.sha256(0, filesize) == "be2e58669dbdec916f7aaaf4d7c55d866c4f38ac290812b10d680d943bb5b757" or - hash.sha256(0, filesize) == "e2a850aeffc9a466c77ca3e39fd3ee4f74d593583666aea5b014aa6c50ca7af8" or - hash.sha256(0, filesize) == "4845761c9bed0563d0aa83613311191e075a9b58861e80392914d61a21bad976" or - 12 of them -} - -rule XAgent { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_1 = { 0F B6 ?? ?? ?? ?? ?? 4B ?? ?? ?? 88 ?? 48 ?? ?? 48 ?? ?? ?? ?? ?? 4C ?? ?? ?? ?? 4C ?? ?? ?? 72 } - $block_2 = { 69 ?? ?? ?? ?? ?? 8D ?? ?? 48 ?? 49 ?? ?? 48 ?? ?? ?? 49 ?? ?? 48 ?? ?? 81 F? ?? ?? ?? ?? 0F 8E } - $block_3 = { 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? 45 ?? ?? 48 ?? ?? ?? ?? ?? ?? FF D? 85 ?? 0F 85 } - $block_4 = { 8B ?? C7 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 8B ?? 8B ?? 8B ?? ?? 5? FF D? 84 ?? 0F 84 } - $block_5 = { 48 ?? ?? 48 ?? ?? 48 ?? ?? ?? 49 ?? ?? 83 ?? ?? 49 ?? ?? 49 ?? ?? 0F B6 ?? ?? 88 ?? ?? ?? 75 } - $block_6 = { 68 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 6A ?? 5? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_7 = { 0F 10 ?? ?? ?? ?? ?? 0F 29 ?? ?? ?? 4C ?? ?? ?? ?? 4C ?? ?? 33 ?? 48 ?? ?? E8 ?? ?? ?? ?? 
EB } - $block_8 = { 4C ?? ?? ?? ?? 44 ?? ?? ?? ?? 4C ?? ?? ?? ?? 4C ?? ?? ?? ?? 4C ?? ?? ?? ?? 44 ?? ?? ?? 0F 1F } - $block_9 = { 0F B6 ?? ?? 0F B6 ?? ?? ?? C1 ?? ?? 33 ?? 0F B6 ?? ?? ?? C1 ?? ?? 33 ?? 83 ?? ?? 33 ?? C7 } - $block_10 = { 5? 0F B6 ?? 6A ?? 5? E8 ?? ?? ?? ?? 8B ?? ?? 5? 5? 5? 5? 89 ?? E8 ?? ?? ?? ?? 83 ?? ?? 5? } - $block_11 = { 48 ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? 49 ?? ?? ?? ?? 4C ?? ?? 48 ?? ?? 41 ?? ?? ?? 84 ?? 0F 84 } - $block_12 = { 8B ?? 8B ?? ?? 8B ?? FF D? 66 ?? ?? ?? 8A ?? ?? 88 ?? ?? 0F B6 ?? 83 ?? ?? 83 ?? ?? 0F 87 } - $block_13 = { 48 ?? ?? ?? ?? 5? 5? 41 ?? 48 ?? ?? ?? 49 ?? ?? 49 ?? ?? 48 ?? ?? 4C ?? ?? 49 ?? ?? 0F 84 } - $block_14 = { 8B ?? ?? 8B ?? 83 ?? ?? 8A ?? ?? 30 ?? ?? ?? 8B ?? ?? FE ?? 0F B6 ?? 83 ?? ?? 3B ?? 72 } - $block_15 = { 5? 8B ?? 83 ?? ?? 8B ?? 83 ?? ?? ?? ?? ?? ?? 5? 8B ?? ?? B9 ?? ?? ?? ?? 89 ?? ?? 0F 86 } - $block_16 = { 8B ?? ?? 5? 6A ?? 6A ?? 8D ?? ?? ?? ?? ?? 5? 5? 5? 5? FF 1? ?? ?? ?? ?? 83 ?? ?? 0F 85 } - $block_17 = { 6A ?? 68 ?? ?? ?? ?? 8B ?? C6 ?? ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? 83 ?? ?? 83 ?? ?? 0F 87 } - $block_18 = { 5? 8B ?? 83 ?? ?? 5? 8B ?? 8B ?? ?? 2B ?? ?? 5? C1 ?? ?? 5? C6 ?? ?? ?? 85 ?? 0F 84 } - $block_19 = { 8B ?? ?? ?? ?? ?? 8B ?? ?? 03 ?? 66 ?? ?? ?? 0F B6 ?? 4? 89 ?? ?? ?? ?? ?? 3B ?? 75 } - $block_20 = { 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? E8 ?? ?? ?? ?? 84 ?? 0F 85 } - $block_21 = { 2B ?? 8B ?? B8 ?? ?? ?? ?? F7 ?? 03 ?? C1 ?? ?? 8B ?? C1 ?? ?? 03 ?? 83 ?? ?? 0F 87 } - $block_22 = { 6A ?? 6A ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 8B ?? 89 ?? ?? 85 ?? 0F 84 } - $block_23 = { 0F B6 ?? ?? 48 ?? ?? ?? ?? 4C ?? ?? ?? ?? 45 ?? ?? 4C ?? ?? ?? ?? 4D ?? ?? 84 ?? 74 } - $block_24 = { 4C ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 9? 0F B7 ?? ?? ?? 66 ?? ?? 75 } - $block_25 = { 8B ?? 8B ?? ?? 8D ?? ?? 5? 8B ?? FF D? 0F B6 ?? ?? 8D ?? ?? C6 ?? ?? ?? 39 ?? ?? 75 } - $block_26 = { 2B ?? 8B ?? B8 ?? ?? ?? ?? F7 ?? 03 ?? C1 ?? ?? 8B ?? C1 ?? ?? 03 ?? 83 ?? ?? 
0F 85 } - $block_27 = { 6A ?? 5? 8D ?? ?? 5? 8B ?? ?? ?? ?? ?? 83 ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? ?? 4? 0F 84 } - $block_28 = { 8A ?? ?? 8B ?? ?? 2B ?? ?? FE ?? 88 ?? ?? 0F B6 ?? C1 ?? ?? 89 ?? ?? 3B ?? 0F 82 } - $block_29 = { 8D ?? ?? ?? ?? ?? ?? 2B ?? 8B ?? ?? ?? FE ?? 8D ?? ?? ?? 01 ?? 0F B6 ?? 3B ?? 72 } - $block_30 = { 5? 8B ?? E8 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 6A ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_31 = { 8D ?? ?? ?? ?? ?? 5? 5? FF 1? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 83 ?? ?? 0F 84 } - $block_32 = { 41 ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 41 ?? ?? ?? 0F 85 } - $block_33 = { 5? 5? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 8B ?? 85 ?? 0F 84 } - $block_34 = { 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? 48 ?? ?? ?? 48 ?? ?? 74 } - $block_35 = { 45 ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? 48 ?? ?? 0F 84 } - $block_36 = { 33 ?? 44 ?? ?? ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? 0F 85 } - $block_37 = { 48 ?? ?? 48 ?? ?? FF 5? ?? 40 ?? ?? ?? 40 ?? ?? ?? 83 ?? ?? 66 ?? ?? ?? 0F 84 } - $block_38 = { 68 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 8B ?? ?? 8B ?? 8B ?? ?? FF D? 84 ?? 0F 84 } - $block_39 = { 8A ?? ?? 8B ?? ?? FE ?? 0F B6 ?? 88 ?? ?? 8B ?? ?? 2B ?? C1 ?? ?? 3B ?? 72 } - $block_40 = { 66 ?? ?? 66 ?? ?? 0F B6 ?? ?? 88 ?? ?? 0F B6 ?? ?? 83 ?? ?? 88 ?? ?? 5? EB } - $block_41 = { 8D ?? ?? ?? ?? ?? 5? 5? FF 1? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 83 ?? ?? 0F 84 } - $block_42 = { FF 1? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 3D ?? ?? ?? ?? 0F 86 } - $block_43 = { 5? 8B ?? ?? ?? ?? ?? 03 ?? 6A ?? 5? 89 ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 } - $block_44 = { 8B ?? ?? ?? ?? ?? 5? FF D? 8B ?? ?? 5? FF D? 5? FF D? 8B ?? ?? 85 ?? 0F 84 } - $block_45 = { 8A ?? ?? 8B ?? ?? 2B ?? ?? FE ?? 88 ?? ?? 0F B6 ?? C1 ?? ?? 3B ?? 0F 82 } - $block_46 = { 8B ?? ?? 2B ?? ?? 8B ?? ?? 0F B7 ?? BF ?? ?? ?? ?? C1 ?? ?? 3B ?? 0F 86 } - $block_47 = { 8B ?? ?? 83 ?? ?? ?? 83 ?? ?? ?? 83 ?? ?? 89 ?? ?? 3D ?? ?? ?? ?? 
0F 82 } - $block_48 = { 8B ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 } - $block_49 = { 41 ?? ?? 45 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 4C ?? ?? 0F 82 } - $block_50 = { 33 ?? 89 ?? ?? 89 ?? ?? 66 ?? ?? ?? C6 ?? ?? ?? 39 ?? ?? ?? ?? ?? 0F 82 } - $block_51 = { 8B ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? 5? 5? FF D? 83 ?? ?? ?? 0F 82 } - $block_52 = { 45 ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? 48 ?? ?? 0F 84 } - $block_53 = { 8B ?? ?? FF D? 8B ?? ?? 03 ?? 8B ?? 0F AF ?? 89 ?? ?? 89 ?? ?? E9 } - $block_54 = { 5? 8B ?? 8B ?? ?? 0F B7 ?? 5? 5? 5? 8B ?? 33 ?? 33 ?? 66 ?? ?? 74 } - $block_55 = { 0F B6 ?? 8D ?? ?? ?? ?? ?? ?? 0F B6 ?? 03 ?? 81 E? ?? ?? ?? ?? 79 } - $block_56 = { 0F B7 ?? 8B ?? 81 E? ?? ?? ?? ?? 03 ?? 66 ?? ?? ?? 66 ?? ?? ?? 74 } - $block_57 = { 48 ?? ?? ?? ?? ?? ?? ?? 4C ?? ?? ?? 66 ?? ?? ?? ?? 40 ?? ?? 0F 84 } - $block_58 = { 33 ?? C7 ?? ?? ?? ?? ?? ?? 89 ?? ?? 66 ?? ?? ?? 39 ?? ?? 0F 82 } - $block_59 = { 48 ?? ?? ?? 48 ?? ?? 83 ?? ?? 0F B6 ?? ?? 30 ?? ?? 48 ?? ?? 75 } - $block_60 = { 6A ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_61 = { 8D ?? ?? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 84 ?? 0F 84 } - $block_62 = { 6A ?? 68 ?? ?? ?? ?? 5? 5? 8D ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 } - $block_63 = { 40 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? 0F 83 } - $block_64 = { 48 ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? 0F 84 } - $block_65 = { 48 ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? E8 ?? ?? ?? ?? 84 ?? 0F 85 } - $block_66 = { 41 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? 0F 83 } - $block_67 = { 85 ?? 0F 94 ?? 84 ?? 0F 94 ?? 48 ?? ?? ?? ?? ?? ?? 84 ?? 0F 84 } - $block_68 = { 8B ?? ?? 0F B7 ?? ?? 8B ?? 8B ?? 8B ?? ?? FF D? 66 ?? ?? 75 } - $block_69 = { 8B ?? ?? 8B ?? ?? 8B ?? 8B ?? ?? FF D? 0F B7 ?? 66 ?? ?? 74 } - $block_70 = { 8B ?? ?? 5? 5? 5? 8B ?? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 0F 84 } - $block_71 = { 48 ?? ?? ?? 48 ?? ?? ?? 66 ?? ?? ?? 0F 95 ?? 66 ?? ?? ?? 
74 } - $block_72 = { FE ?? ?? 0F B6 ?? 8D ?? ?? ?? ?? ?? ?? 8A ?? 88 ?? 88 ?? 75 } - $block_73 = { 8B ?? ?? 8B ?? ?? 0F B6 ?? ?? 2B ?? C1 ?? ?? 3B ?? 0F 83 } - $block_74 = { 0F B6 ?? ?? 8B ?? 5? 5? 33 ?? 33 ?? 89 ?? ?? 89 ?? ?? 8B } - $block_75 = { 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 0F 85 } - $block_76 = { 2B ?? D1 ?? 5? 5? 5? 8B ?? E8 ?? ?? ?? ?? 83 ?? ?? 0F 85 } - $block_77 = { 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? FF 4? ?? 83 ?? ?? ?? 0F 82 } - $block_78 = { 0F B6 ?? ?? 0F B6 ?? ?? ?? C1 ?? ?? 03 ?? C1 ?? ?? EB } - $block_79 = { 8D ?? ?? ?? ?? ?? 5? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 } - $block_80 = { 8B ?? 8B ?? ?? 66 ?? ?? ?? 0F 95 ?? 66 ?? ?? ?? ?? 74 } - $block_81 = { 5? 8B ?? 5? 8B ?? ?? 0F B7 ?? 33 ?? 33 ?? 66 ?? ?? 74 } - $block_82 = { 8D ?? ?? ?? ?? ?? ?? 8B ?? F6 ?? ?? ?? ?? ?? ?? 0F 84 } - $block_83 = { 0F B6 ?? ?? 8A ?? ?? FE ?? ?? 88 ?? ?? ?? ?? ?? ?? 75 } - $block_84 = { 48 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 0F 86 } - $block_85 = { 4F ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 66 ?? ?? ?? ?? 0F 85 } - $block_86 = { 48 ?? ?? ?? 4C ?? ?? 48 ?? ?? 41 ?? ?? ?? 84 ?? 0F 84 } - $block_87 = { 5? 8B ?? 5? 8B ?? ?? 5? 33 ?? 89 ?? ?? 3B ?? 0F 86 } - $block_88 = { 0F B7 ?? C1 ?? ?? 4? 03 ?? 0F B7 ?? ?? 66 ?? ?? 75 } - $block_89 = { 8D ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_90 = { 48 ?? ?? ?? ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? ?? 0F 85 } - $block_91 = { 48 ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? 0F 84 } - $block_92 = { 45 ?? ?? 48 ?? ?? ?? ?? ?? ?? 4C ?? ?? ?? ?? 0F 1F } - $block_93 = { 8B ?? ?? ?? ?? ?? 6A ?? FF D? 83 ?? ?? ?? 0F 84 } - $block_94 = { 8B ?? ?? 89 ?? ?? ?? ?? ?? 3D ?? ?? ?? ?? 0F 83 } - $block_95 = { 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 95 ?? 3A ?? 0F 85 } - $block_96 = { 0F BE ?? 0F B6 ?? FE ?? 4? 66 ?? ?? ?? 3C ?? 72 } - $block_97 = { 49 ?? ?? ?? 44 ?? ?? 48 ?? ?? ?? 48 ?? ?? 0F 84 } - $block_98 = { 8B ?? ?? 8B ?? ?? 5? 5? C6 ?? ?? ?? ?? 5? C9 C3 } - $block_99 = { 48 ?? ?? ?? 4C ?? ?? 49 ?? ?? 41 ?? ?? ?? 
0F 1F } - - condition: - hash.sha256(0, filesize) == "6562e2ac60afa314cd463f771fcfb8be70f947f6e2b314b0c48187eebb33dd82" or - hash.sha256(0, filesize) == "e1b1143c0003c6905227df37d40aacbaecc2be8b9d86547650fe11bd47ca6989" or - hash.sha256(0, filesize) == "bebe0be0cf8349706b2feb789572e035955209d5bf5d5fea0e5d29a7fbfdc7c4" or - hash.sha256(0, filesize) == "9f06b3c694c8b398e2f47e98590a94d5daefbebfb5426fb3c99eb34aecb536b8" or - hash.sha256(0, filesize) == "88a5377f829e45ed89767e2e4aaee853e587eb202528c963802893108b70fe3f" or - hash.sha256(0, filesize) == "fa908ee3822dbda90d3b378ea3c4354eef8a27259ea3fe69a86f18e94f8742a2" or - hash.sha256(0, filesize) == "68065abd6482405614d245537600ea60857c6ec9febac4870486b5227589d35c" or - hash.sha256(0, filesize) == "0356f5fa9907ea060a7d6964e65f019896deb1c7e303b7ba04da1458dc73a842" or - hash.sha256(0, filesize) == "a1c73ce193ffa5323aaef73fbabbc2a984e10900f09cf9fcb0cb11606a23c402" or - hash.sha256(0, filesize) == "4096a8c13d6c492d9204cb11c294bb64b04a7636ca1e6257c2ae431d0c385cc2" or - hash.sha256(0, filesize) == "261b0a5912965ea95b8ae02aae1e761a61f9ad3a9fb85ef781e62013d6a21368" or - hash.sha256(0, filesize) == "1a09ce8a9210d2530d6ce1d59bfae2ac617ac89558cdcdcac15392d176e70c8d" or - hash.sha256(0, filesize) == "8a80c2f8dbffa1f2763547aac332746afb85b47f977780485d17d7eb2ea187b7" or - hash.sha256(0, filesize) == "280905558e848f5bb9ab923e6e44002480464a8bdeb50f00b6757e1fff8b46fb" or - hash.sha256(0, filesize) == "1228e9066819f115e8b2a6c1b75352566a6a5dc002d9d36a8c5b47758c9f6a45" or - hash.sha256(0, filesize) == "c19d266af9e33dae096e45e7624ab3a3f642c8de580e902fec9dac11bcb8d3fd" or - hash.sha256(0, filesize) == "45a872495dae7805bb537bc7a37a9bd604bf48b26496dbe35f4e13e200bad6a2" or - hash.sha256(0, filesize) == "dea4e560017b4da05e8fd0a03ba74239723349934ee8fbd201a79be1ecf1c32d" or - hash.sha256(0, filesize) == "c488f4946612c13601a1bed48fce0733645ae3ab5fda03395383160d44bde964" or - hash.sha256(0, filesize) == 
"b8fd23432d615c451b0845a7d7b9b17b371da06627d390f501ca1fd58f9d1ac2" or - hash.sha256(0, filesize) == "8646a5330f516adce0c05ad019cf041cf79c1ca069048c3f8db94dcbdb00c408" or - hash.sha256(0, filesize) == "7a5cb45a3efcebbf49e18c4b2397dc2bdff039d9127a8119abe4c2f85a85e1f0" or - hash.sha256(0, filesize) == "24e11c80f1d4c1e9db654d54cc784db6b5f4a126f9fe5e26c269fdc4009c8f29" or - hash.sha256(0, filesize) == "8325cd6e26fb39cf7a08787e771a6cf708e0b45350d1ea239982af06db90804f" or - hash.sha256(0, filesize) == "a5b68575ac4fbe83c23ff991ad0d5389f51a2aef71ee3c2277985c68361cf1cc" or - hash.sha256(0, filesize) == "8bca0031f3b691421cb15f9c6e71ce193355d2d8cf2b190438b6962761d0c6bb" or - hash.sha256(0, filesize) == "1e6a0e542dcddec9d937c111c3ea6670e08c6606f869444d0702ec7f1363bff1" or - hash.sha256(0, filesize) == "001d65185910ae8cd9e7e2472745e593be62b98eae3f5f2266a29c37e56daa1d" or - hash.sha256(0, filesize) == "8925aa5c9e912236f265f3d3f95b9fa8bbfd8dec1e381f168309056b23995d4c" or - hash.sha256(0, filesize) == "d4525abc9dd2b7ab7f0c22e58a0117980039afdf15bed04bb0c637cd41fbfb9d" or - hash.sha256(0, filesize) == "858e7a7223d6ed91cfa89f5cae013f9a450d13cdc7adb1963072d6eb6cbad513" or - hash.sha256(0, filesize) == "0abda721c4f1ca626f5d8bd2ce186aa98b197ca68d53e81cf152c32230345071" or - hash.sha256(0, filesize) == "ddab96e4a8e909065e05c4b6a73ba351ea45ad4806258f41ac3cecbcae8671a6" or - hash.sha256(0, filesize) == "4182821d00485cbc5628bbdc41a76e8a956142021f6682549559d04636a17a3f" or - hash.sha256(0, filesize) == "fc2dbfda41860b2385314c87e81f1ebb4f9ae1106b697e019841d8c3bf402570" or - hash.sha256(0, filesize) == "f97f2985ff599e073156e37cbd34024067680072ac18f9d2040c64eedbe38e4f" or - hash.sha256(0, filesize) == "a0749f75ec464a86acd146a825d6ddf1c351f290860fe7bf6a47ce4fb2a085f1" or - hash.sha256(0, filesize) == "07393ac2e890772f70adf9e8d3aa07ab2f98e2726e3be275276dadd00daf5fc6" or - hash.sha256(0, filesize) == "6c69b9bda696d416cb22b775f9a63f98dd4e634f003e3b0704cbb67721b13dde" or - hash.sha256(0, filesize) == 
"dd8facad6c0626b6c94e1cc891698d4982782a5564aae696a218c940b7b8d084" or - hash.sha256(0, filesize) == "715f69916db9ff8fedf6630307f4ebb84aae6653fd0e593036517c5040d84dbe" or - hash.sha256(0, filesize) == "82fc44696d1c5ddfdd5338fcafb6a9dcf7a0796235cd58184d05a2f388ed7e9e" or - hash.sha256(0, filesize) == "b1800cb1d4b755e05b0fca251b8c6da96bb85f8042f2d755b7f607cbeef58db8" or - hash.sha256(0, filesize) == "2d11e8d81bf776d668355ed15a596193d4bb10a42289ddb3223c1227b042d854" or - hash.sha256(0, filesize) == "ee8636cfa3521c7f9cc7588221d1edc0eed7ba68256b72e3dc2a4a75a6bd5b87" or - hash.sha256(0, filesize) == "b23193bff95c4e65af0c9848036eb80ef006503a78be842e921035f8d77eb5de" or - hash.sha256(0, filesize) == "9a527274f99865a7d70487fe22e62f692f8b239d6cb80816b919734c7c741584" or - hash.sha256(0, filesize) == "94c220653ea7421c60e3eafd753a9ae9d69b475d61230f2f403789d326309c24" or - hash.sha256(0, filesize) == "d11dcf98d78c8281fc7f4affc30a798d6fd7cb0fbdbd9daa8f004fbcd1deee28" or - hash.sha256(0, filesize) == "2b6e280b4ff000dc0926d9586a8b3710697ed95112b2e465660e6409823e6bad" or - hash.sha256(0, filesize) == "8554e0894babf3c743b66aa2a07f9aa99893be131824ec72835b9fb11e0aeb39" or - hash.sha256(0, filesize) == "69691bc9ff36ccb46c2acef50edc393996a4c42bc6e9a86976050b9eff83dc00" or - hash.sha256(0, filesize) == "1daeacb30433f88c52f21f2d323dd3c6b556b3611d29a34c6c72e4a8e714f86a" or - hash.sha256(0, filesize) == "e00eaf295a28f5497dbb5cb8f647537b6e55dd66613505389c24e658d150972c" or - hash.sha256(0, filesize) == "596c486fabc8581f788fe27dcd24fddee8fd8cc484e6744db68a29fa5a804cf6" or - hash.sha256(0, filesize) == "72ee0330474c00ec15576112b33e8198b1272e0e3f44fce3800af79821b7e431" or - hash.sha256(0, filesize) == "c7661b27a06a3a8c471fbb060ab8cab25fa9546e0a4c5c1101fe8098b2ad11e9" or - hash.sha256(0, filesize) == "225e94f198bdfcf7550dc30881654f192e460dce88fe927fad8c5adb149eed25" or - hash.sha256(0, filesize) == "52bf280be543485434945074ebc3d1e4f2ab15c0286c7a063c33ea39786a77e1" or - hash.sha256(0, filesize) == 
"cee85e2fd2ca34a2f90bce9b50c400fe4fd14b536fd0ff26c0c3a9aad6e1904a" or - hash.sha256(0, filesize) == "b93e55763bd8dec8944410e4e00d0f174640905b99629d8111819528593d1c2a" or - hash.sha256(0, filesize) == "608a428b7c7f32726b8239725fb7b7a7760b750ea89e2d66fa966b0797ea614e" or - hash.sha256(0, filesize) == "f2287ddc1376c1ffbf6652d06d115a42e041df1976b321142c0f92dbdb96e82e" or - hash.sha256(0, filesize) == "32717c2876f5622a562d548b55e09657f453b40d7aeb15bb738c789a4c4ee61d" or - hash.sha256(0, filesize) == "02c7cf55fd5c5809ce2dce56085ba43795f2480423a4256537bfdfda0df85592" or - hash.sha256(0, filesize) == "e2bea753318d715dfc2f186c49ae3e9c404d0f5df52e959ea546f78a3624bc3b" or - hash.sha256(0, filesize) == "b4f755c91c2790f4ab9bac4ee60725132323e13a2688f3d8939ae9ed4793d014" or - hash.sha256(0, filesize) == "3d13f2e5b241168005425b15410556bcf26d04078da6b2ef42bc0c2be7654bf8" or - hash.sha256(0, filesize) == "b5413aab02e9076e7a62fe53826b16147c3fa4d47b073e334311184e39d9a71e" or - hash.sha256(0, filesize) == "dea3a99388e9c962de9ea1008ff35bc2dc66f67a911451e7b501183e360bb95e" or - hash.sha256(0, filesize) == "fd39d2837b30e7233bc54598ff51bdc2f8c418fa5b94dea2cadb24cf40f395e5" or - hash.sha256(0, filesize) == "aa2914cc937b6eb4e703955cbf576e8d783af2164ddd9ec759dd9ad2cc71d42a" or - hash.sha256(0, filesize) == "d0e019229493a1cfb3ffc918a2d8ffcbaee31f9132293c95b1f8c1fd6d595054" or - hash.sha256(0, filesize) == "ea957d663dbc0b28844f6aa7dfdc5ac0110a4004ac46c87d0f1aa943ef253cfe" or - hash.sha256(0, filesize) == "9ead4bc59075215f8e474d790cef4aa8dbc35815c7339011b956ecce6a84ff47" or - hash.sha256(0, filesize) == "b814fdbb7cfe6e5192fe1126835b903354d75bfb15a6c262ccc2caf13a8ce4b6" or - hash.sha256(0, filesize) == "638e7ca68643d4b01432f0ecaaa0495b805cc3cccc17a753b0fa511d94a22bdd" or - hash.sha256(0, filesize) == "99d3f03fc6f048c74e58da6fb7ea1e831ba31d58194ad2463a7a6cd55da5f96b" or - hash.sha256(0, filesize) == "e031299fa1381b40c660b8cd831bb861654f900a1e2952b1a76bedf140972a81" or - hash.sha256(0, filesize) == 
"bf28267386a010197a50b65f24e815aa527f2adbc53c609d2b2a4f999a639413" or - hash.sha256(0, filesize) == "5f6b2a0d1d966fc4f1ed292b46240767f4acb06c13512b0061b434ae2a692fa1" or - 12 of them -} - -rule SeduploaderPayload2 { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { 5? 8B ?? 83 ?? ?? 5? 5? 33 ?? 5? 6A ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 84 } - $block_1 = { 5? 8B ?? 83 ?? ?? 5? 8D ?? ?? 33 ?? 5? 68 ?? ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 5? 5? 85 ?? 0F 84 } - $block_2 = { 5? 8B ?? 83 ?? ?? 5? 5? 8B ?? 33 ?? 5? FF 7? ?? E8 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 83 ?? ?? 0F 84 } - $block_3 = { 6A ?? 68 ?? ?? ?? ?? 8B ?? E8 ?? ?? ?? ?? 5? FF 7? ?? 89 ?? ?? E8 ?? ?? ?? ?? 5? 5? 85 ?? 0F 84 } - $block_4 = { 0F B6 ?? 89 ?? ?? 8A ?? ?? ?? ?? ?? ?? 88 ?? ?? ?? ?? ?? ?? 88 ?? ?? ?? ?? ?? ?? 80 C? ?? 75 } - $block_5 = { 5? 8B ?? 83 ?? ?? 83 ?? ?? ?? 8D ?? ?? 5? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 5? 5? 85 ?? 0F 84 } - $block_6 = { 5? 33 ?? 6A ?? 5? F7 ?? 0F 90 ?? F7 ?? 0B ?? 5? E8 ?? ?? ?? ?? 8B ?? 89 ?? ?? 5? 85 ?? 75 } - $block_7 = { 5? 8B ?? 83 ?? ?? 5? 5? 5? 8B ?? ?? 8B ?? 6A ?? 5? E8 ?? ?? ?? ?? 8B ?? 5? 5? 85 ?? 0F 84 } - $block_8 = { 5? 8B ?? 83 ?? ?? 5? 8B ?? ?? 5? 5? 6A ?? 5? 8B ?? E8 ?? ?? ?? ?? 8B ?? 5? 5? 85 ?? 0F 84 } - $block_9 = { 33 ?? 5? 5? 5? 68 ?? ?? ?? ?? FF 3? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 84 } - $block_10 = { FF 7? ?? E8 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 5? 5? 8B ?? 5? C9 C3 } - $block_11 = { 5? 8B ?? 83 ?? ?? 5? 8B ?? 6A ?? FF 7? ?? E8 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 83 ?? ?? 0F 84 } - $block_12 = { 5? 8B ?? 83 ?? ?? 5? 5? 5? 33 ?? 8D ?? ?? AB AB 8B ?? 33 ?? 33 ?? E8 ?? ?? ?? ?? 3B ?? 74 } - $block_13 = { 83 ?? ?? ?? 8D ?? ?? 5? FF 7? ?? FF D? 8B ?? ?? 33 ?? 84 ?? 0F 44 ?? 33 ?? 85 ?? 0F 94 } - $block_14 = { FF 7? ?? 5? FF 7? ?? E8 ?? ?? ?? ?? 5? 8B ?? E8 ?? ?? ?? ?? 83 ?? ?? 5? 8B ?? 5? C9 C3 } - $block_15 = { 5? 8B ?? 83 ?? ?? 5? 8B ?? C6 ?? ?? ?? 5? 
89 ?? ?? E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 84 } - $block_16 = { 5? 8B ?? 83 ?? ?? 5? 5? 6A ?? FF 7? ?? 8B ?? E8 ?? ?? ?? ?? 8B ?? 5? 5? 85 ?? 0F 84 } - $block_17 = { 5? 8B ?? 83 ?? ?? 5? 6A ?? FF 7? ?? 8B ?? 89 ?? ?? E8 ?? ?? ?? ?? 5? 5? 85 ?? 0F 84 } - $block_18 = { 8B ?? ?? 8B ?? ?? 89 ?? ?? 8B ?? ?? 89 ?? 8B ?? ?? 5? 5? 89 ?? ?? 8B ?? ?? 5? C9 C2 } - $block_19 = { FF 7? ?? 5? FF 7? ?? E8 ?? ?? ?? ?? 33 ?? 4? 85 ?? 5? 0F 45 ?? E8 ?? ?? ?? ?? 83 } - $block_20 = { 81 7? ?? ?? ?? ?? ?? 8B ?? ?? 89 ?? ?? 8B ?? ?? 89 ?? ?? 89 ?? ?? 89 ?? ?? 0F 85 } - $block_21 = { 5? E8 ?? ?? ?? ?? 5? FF 7? ?? E8 ?? ?? ?? ?? 8B ?? ?? 83 ?? ?? 8B ?? ?? 0F B6 } - $block_22 = { 8D ?? ?? 89 ?? ?? 5? FF 7? ?? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 84 } - $block_23 = { 8B ?? 83 ?? ?? 89 ?? 33 ?? 39 ?? 0F 45 ?? 03 ?? 89 ?? ?? 8D ?? ?? 3B ?? 72 } - $block_24 = { 8B ?? 33 ?? AB AB AB 83 ?? ?? ?? 83 ?? ?? ?? 8B ?? ?? C7 ?? ?? ?? ?? ?? EB } - $block_25 = { 8B ?? ?? 8B ?? ?? 89 ?? ?? 89 ?? ?? 8B ?? ?? 5? 5? 89 ?? 8B ?? ?? 5? C9 C2 } - $block_26 = { FF 7? ?? E8 ?? ?? ?? ?? 5? FF 7? ?? FF 1? ?? ?? ?? ?? 5? 5? 8B ?? 5? C9 C2 } - $block_27 = { 0F B6 ?? 89 ?? ?? 8A ?? ?? ?? ?? ?? ?? 0F B6 ?? 03 ?? 25 ?? ?? ?? ?? 79 } - $block_28 = { 5? 5? 6A ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 84 } - $block_29 = { FF 7? ?? E8 ?? ?? ?? ?? FF 7? ?? E8 ?? ?? ?? ?? 8B ?? ?? 5? 5? C9 C2 } - $block_30 = { 8D ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 5? 5? 84 ?? 0F 85 } - $block_31 = { 8D ?? ?? 5? 8D ?? ?? 5? FF 7? ?? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 84 } - $block_32 = { 0F B7 ?? 8B ?? 81 E? ?? ?? ?? ?? 03 ?? 66 ?? ?? ?? 66 ?? ?? ?? 74 } - $block_33 = { 0F B6 ?? 8D ?? ?? ?? ?? ?? ?? 0F B6 ?? 03 ?? 81 E? ?? ?? ?? ?? 79 } - $block_34 = { 0F B7 ?? 8B ?? 66 ?? ?? ?? 25 ?? ?? ?? ?? 03 ?? 66 ?? ?? ?? 74 } - $block_35 = { 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 4? 89 ?? ?? 5? 5? 83 ?? ?? 0F 82 } - $block_36 = { 5? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 5? 5? 85 ?? 0F 84 } - $block_37 = { 5? 83 ?? ?? 6A ?? 5? E8 ?? 
?? ?? ?? 8B ?? 5? 5? 85 ?? 0F 84 } - $block_38 = { FE ?? ?? 0F B6 ?? 8D ?? ?? ?? ?? ?? ?? 8A ?? 88 ?? 88 ?? 75 } - $block_39 = { 8B ?? ?? E8 ?? ?? ?? ?? 84 ?? 8B ?? ?? 8B ?? ?? 6A ?? 0F 85 } - $block_40 = { 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? FF 4? ?? 83 ?? ?? ?? 0F 82 } - $block_41 = { 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 4? 89 ?? ?? 83 ?? ?? 0F 82 } - $block_42 = { 8D ?? ?? ?? ?? ?? 5? FF 7? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 } - $block_43 = { 0F B6 ?? ?? 8A ?? ?? FE ?? ?? 88 ?? ?? ?? ?? ?? ?? 75 } - $block_44 = { 5? 8B ?? 83 ?? ?? 5? 8B ?? 5? 33 ?? 8B ?? 85 ?? 0F 84 } - $block_45 = { FF 7? ?? FF 7? ?? FF 7? ?? FF 7? ?? FF 5? ?? 5? C9 C3 } - $block_46 = { 8B ?? ?? E8 ?? ?? ?? ?? 84 ?? 8B ?? ?? 8B ?? ?? 0F 85 } - $block_47 = { 8D ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? ?? 5? 5? 5? 5? C9 C2 } - $block_48 = { 5? 89 ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 5? 85 ?? 0F 84 } - $block_49 = { 8B ?? 8B ?? ?? 66 ?? ?? 0F 95 ?? ?? 66 ?? ?? ?? 74 } - $block_50 = { 8D ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? ?? 5? 5? 5? C9 C2 } - $block_51 = { 5? 89 ?? ?? E8 ?? ?? ?? ?? 33 ?? 5? 39 ?? ?? 0F 84 } - $block_52 = { 5? 8B ?? 5? 5? 8B ?? 5? 33 ?? 8B ?? ?? 85 ?? 0F 84 } - $block_53 = { 85 ?? 89 ?? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? 0F 44 } - $block_54 = { 8B ?? ?? 8B ?? ?? 5? 5? C6 ?? ?? ?? ?? 5? C9 C3 } - $block_55 = { 8B ?? 4? 99 F7 ?? 8B ?? 80 C? ?? 88 ?? 85 ?? 75 } - $block_56 = { 5? 8B ?? 5? 5? 8B ?? 5? 33 ?? 8B ?? 85 ?? 0F 84 } - $block_57 = { FF 7? ?? E8 ?? ?? ?? ?? 5? 8B ?? 5? 5? 5? C9 C3 } - $block_58 = { 5? 89 ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? ?? 5? 
0F 84 } - - condition: - hash.sha256(0, filesize) == "ef027405492bc0719437eb58c3d2774cc87845f30c40040bbebbcc09a4e3dd18" or - hash.sha256(0, filesize) == "12e6642cf6413bdf5388bee663080fa299591b2ba023d069286f3be9647547c8" or - hash.sha256(0, filesize) == "3ac11a74275725a22c233cd974229d2b167c336da667410f7262b4926dabd31b" or - hash.sha256(0, filesize) == "430902c206ab08581de0500ad2f23a77e4915680edb8437c151c77bab6e6cbc3" or - hash.sha256(0, filesize) == "eae782130b06d95f3373ff7d5c0977a8019960bdf80614c1aa7e324dc350428a" or - hash.sha256(0, filesize) == "0a842c40cdbbbc2bf5a6513e39a2bd8ea266f914ac93c958fda8c0d0048c4f94" or - hash.sha256(0, filesize) == "f50791f9909c542e4abb5e3f760c896995758a832b0699c23ca54b579a9f2108" or - hash.sha256(0, filesize) == "8c47961181d9929333628af20bdd750021e925f40065374e6b876e3b8afbba57" or - hash.sha256(0, filesize) == "11cd541511cc793e7416655cda1e100d0a70fb043dfe7f6664564b91733431d0" or - hash.sha256(0, filesize) == "c3b2c7bbd2aa1e3100b9382ed78dfa0041af764e0e02013acdf282410b302ead" or - hash.sha256(0, filesize) == "0ac7b666814fd016b3d21d7812f4a272104511f90ca666fa13e9fb6cefa603c7" or - hash.sha256(0, filesize) == "df47a939809f925475bc19804319652635848b8f346fb7dfd8c95c620595fe9f" or - hash.sha256(0, filesize) == "aeeab3272a2ed2157ebf67f74c00fafc787a2b9bbaa17a03be1e23d4cb273632" or - hash.sha256(0, filesize) == "853dbbba09e2463c45c0ad913d15d67d15792d888f81b4908b2216859342aa04" or - hash.sha256(0, filesize) == "73db52c0d4e31a00030b47b4f0fa7125000b19c6c9d462c3d0ce0f9d68f04e4c" or - hash.sha256(0, filesize) == "57d230ddaf92e2d0504e5bb12abf52062114fb8980c5ecc413116b1d6ffedf1b" or - hash.sha256(0, filesize) == "500fa112a204b6abb365101013a17749ce83403c30cd37f7c6f94e693c2d492f" or - hash.sha256(0, filesize) == "dfa8a85e26c07a348a854130c652dcc6d29b203ee230ce0603c83d9f11bbcacc" or - hash.sha256(0, filesize) == "5a414a39851c4e22d4f9383211dfc080e16e2caffd90fa06dcbe51d11fdb0d6c" or - hash.sha256(0, filesize) == 
"69940a20ab9abb31a03fcefe6de92a16ed474bbdff3288498851afc12a834261" or - hash.sha256(0, filesize) == "b6fff95a74f9847f1a4282b38f148d80e4684d9c35d9ae79fad813d5dc0fd7a9" or - hash.sha256(0, filesize) == "3b87bfb837339445987cdf2e97169cb0c63072dc1d5bffa8ffb4af108a410988" or - hash.sha256(0, filesize) == "1140c624fbfe28b9ef19fef2e9aa251adfbe8c157820d5f0356d88b4d80c2c88" or - hash.sha256(0, filesize) == "6b8c44ba1d8ed34b9c3ce7142f9a09a8b50aa1a40a45774bec23c0f59aad0117" or - 12 of them -} - -rule WinexeSVC { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { 31 ?? B9 ?? ?? ?? ?? 48 ?? ?? F3 ?? ?? 48 ?? ?? ?? 49 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 45 ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? 31 ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 4D ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 4C ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_1 = { B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 4C ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 45 ?? ?? 31 ?? 41 ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 49 ?? ?? ?? ?? ?? ?? ?? 49 ?? ?? ?? ?? ?? ?? ?? 49 ?? ?? ?? ?? ?? ?? ?? 41 ?? ?? 45 ?? ?? 48 ?? ?? ?? 41 ?? ?? ?? ?? ?? 4C ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? BA ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? FF D? 48 ?? ?? ?? 48 ?? ?? 0F 84 } - $block_2 = { 48 ?? ?? ?? ?? ?? ?? ?? 45 ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 4C ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 89 ?? ?? ?? 0F 85 } - $block_3 = { FF 1? ?? ?? ?? ?? C1 ?? ?? 03 ?? ?? 48 ?? ?? ?? ?? ?? ?? 4C ?? ?? ?? ?? ?? ?? 48 ?? ?? 41 ?? ?? 89 ?? E8 ?? 
?? ?? ?? 45 ?? ?? 4C ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 48 ?? ?? 4C ?? ?? ?? ?? ?? ?? 41 ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 0F 84 } - $block_4 = { 48 ?? ?? ?? ?? ?? ?? 41 ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 45 ?? ?? 4C ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 48 ?? ?? 41 ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 0F 84 } - $block_5 = { 0F 1F ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 41 ?? ?? ?? ?? ?? BA ?? ?? ?? ?? FF D? 48 ?? ?? ?? 41 ?? ?? ?? ?? ?? BA ?? ?? ?? ?? FF D? BA ?? ?? ?? ?? 48 ?? ?? ?? 41 ?? ?? ?? ?? ?? FF D? 8B ?? ?? 85 ?? 0F 85 } - $block_6 = { 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 41 ?? ?? ?? ?? ?? BA ?? ?? ?? ?? FF D? 48 ?? ?? ?? 41 ?? ?? ?? ?? ?? BA ?? ?? ?? ?? FF D? BA ?? ?? ?? ?? 48 ?? ?? ?? 41 ?? ?? ?? ?? ?? FF D? 8B ?? ?? 85 ?? 0F 85 } - $block_7 = { 48 ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 45 ?? ?? 48 ?? ?? ?? 41 ?? ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_8 = { 89 ?? 48 ?? ?? ?? ?? C1 ?? ?? A9 ?? ?? ?? ?? 0F 44 ?? 49 ?? ?? ?? 89 ?? 4C ?? ?? ?? 00 ?? 48 ?? ?? 49 ?? ?? ?? 48 ?? ?? 45 ?? ?? 41 ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 74 } - $block_9 = { 41 ?? 41 ?? 41 ?? 41 ?? 5? 5? 5? 5? 48 ?? ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 48 ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? 0F 84 } - - condition: - hash.sha256(0, filesize) == "993d38b57284ebead293296c4aaf4ecffe4f8ac63ca115ae9463368b407cef97" or - hash.sha256(0, filesize) == "a4a838150809d833f84ab590f2ef566be777d12655c1f2c5df17c895497262fa" or - 10 of them -} - -rule SeduploaderDropper { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { 48 ?? ?? FF 1? ?? ?? ?? ?? 4C ?? ?? 48 ?? ?? 41 ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? 0F 84 } - $block_1 = { 0F B7 ?? ?? 4C ?? ?? ?? 44 ?? ?? ?? 48 ?? ?? ?? ?? 33 ?? FF 1? ?? ?? ?? ?? 
4C ?? ?? 48 ?? ?? 74 } - $block_2 = { 41 ?? ?? ?? 0F B6 ?? ?? ?? 88 ?? ?? ?? 88 ?? ?? ?? 8B ?? 0F B6 ?? ?? ?? 03 ?? 41 ?? ?? 7D } - $block_3 = { FF 1? ?? ?? ?? ?? 4C ?? ?? 41 ?? ?? 48 ?? ?? FF 1? ?? ?? ?? ?? 4C ?? ?? 48 ?? ?? 0F 84 } - $block_4 = { 0F B6 ?? 0F B6 ?? 0F AF ?? 8A ?? ?? 02 ?? ?? ?? ?? ?? 32 ?? 4? 88 ?? ?? 83 ?? ?? 72 } - $block_5 = { FF D? 5? 5? E8 ?? ?? ?? ?? 5? 5? 8B ?? ?? 5? 5? 33 ?? B0 ?? 5? E8 ?? ?? ?? ?? C9 C3 } - $block_6 = { FF 7? ?? 33 ?? 5? 5? FF 7? ?? 68 ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 83 ?? ?? 0F 9D } - $block_7 = { 40 ?? 5? 5? 5? 41 ?? 41 ?? 41 ?? 41 ?? 48 ?? ?? ?? 48 ?? ?? 3B ?? ?? 0F 83 } - $block_8 = { 5? 5? BE ?? ?? ?? ?? 8D ?? ?? A5 A5 A4 BE ?? ?? ?? ?? 8D ?? ?? A5 66 ?? 33 } - $block_9 = { 42 ?? ?? ?? ?? ?? 0F 95 ?? 83 ?? ?? 88 ?? ?? 48 ?? ?? ?? 49 ?? ?? 0F 87 } - $block_10 = { 42 ?? ?? ?? ?? 0F 95 ?? 83 ?? ?? 88 ?? ?? 48 ?? ?? ?? 49 ?? ?? 0F 87 } - $block_11 = { 6A ?? FF 7? ?? 6A ?? 5? 5? FF 7? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 } - $block_12 = { 42 ?? ?? ?? 83 ?? ?? 8D ?? ?? 89 ?? ?? 3B ?? ?? ?? ?? ?? ?? 0F 87 } - $block_13 = { 4C ?? ?? ?? 48 ?? ?? 8B ?? 48 ?? ?? FF 5? ?? 45 ?? ?? 84 ?? 0F 84 } - $block_14 = { 0F B6 ?? ?? ?? ?? ?? 03 ?? 03 ?? ?? 33 ?? 4? 89 ?? 83 ?? ?? 72 } - $block_15 = { 40 ?? ?? 0F B6 ?? 8A ?? ?? ?? 42 ?? ?? ?? ?? 44 ?? ?? ?? ?? 75 } - $block_16 = { 45 ?? ?? ?? 40 ?? ?? ?? 0F B6 ?? ?? ?? 44 ?? ?? 45 ?? ?? 7D } - $block_17 = { 49 ?? ?? 48 ?? ?? 45 ?? ?? 66 ?? ?? 48 ?? ?? 48 ?? ?? 0F 84 } - $block_18 = { 8B ?? 4D ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 41 ?? ?? ?? ?? 0F 86 } - $block_19 = { 8B ?? ?? ?? 33 ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? 0F 84 } - $block_20 = { 6A ?? 5? 6A ?? 6A ?? FF 7? ?? FF D? 8B ?? 83 ?? ?? 0F 84 } - $block_21 = { 5? 8D ?? ?? 5? 5? FF 1? ?? ?? ?? ?? 83 ?? ?? ?? 5? 0F 85 } - $block_22 = { 42 ?? ?? ?? 83 ?? ?? 89 ?? ?? 48 ?? ?? ?? 49 ?? ?? 0F 87 } - $block_23 = { 4A ?? ?? ?? 83 ?? ?? 48 ?? ?? ?? 89 ?? ?? 49 ?? ?? 0F 87 } - $block_24 = { 0F B6 ?? ?? ?? ?? ?? 03 ?? 03 ?? 33 ?? 4? 83 ?? ?? 
72 } - $block_25 = { 8B ?? 83 ?? ?? 4A ?? ?? ?? 8D ?? ?? 41 ?? ?? 0F 87 } - $block_26 = { 48 ?? ?? ?? 4C ?? ?? ?? 45 ?? ?? 49 ?? ?? 0F 87 } - $block_27 = { 4A ?? ?? ?? 83 ?? ?? 8D ?? ?? ?? 41 ?? ?? 0F 87 } - - condition: - hash.sha256(0, filesize) == "ff808d0a12676bfac88fd26f955154f8884f2bb7c534b9936510fd6296c543e8" or - hash.sha256(0, filesize) == "69d5123a277dc1f618be5edcc95938a0df148c856d2e1231a07e2743bd683e01" or - hash.sha256(0, filesize) == "4bcd11142d5b9f96730715905152a645a1bf487921dd65618c354281512a4ae7" or - hash.sha256(0, filesize) == "2884e438b4dbb3bcead37789908e2eb210ead820dfc03091dc7f46b50ddd1e5b" or - hash.sha256(0, filesize) == "63d0b28114f6277b901132bc1cc1f541a594ee72f27d95653c54e1b73382a5f6" or - 12 of them -} - -rule Seduploader { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { 6A ?? 68 ?? ?? ?? ?? 8B ?? E8 ?? ?? ?? ?? 5? FF 7? ?? 89 ?? ?? E8 ?? ?? ?? ?? 5? 5? 85 ?? 0F 84 } - $block_1 = { 0F B6 ?? 89 ?? ?? 8A ?? ?? ?? ?? ?? ?? 88 ?? ?? ?? ?? ?? ?? 88 ?? ?? ?? ?? ?? ?? 80 C? ?? 75 } - $block_2 = { 33 ?? 5? 5? 5? 68 ?? ?? ?? ?? FF 3? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 84 } - $block_3 = { 5? 8B ?? 83 ?? ?? 5? 8B ?? 6A ?? FF 7? ?? E8 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 83 ?? ?? 0F 84 } - $block_4 = { 5? 8B ?? 83 ?? ?? 5? 8B ?? ?? 5? 5? 6A ?? 5? 8B ?? E8 ?? ?? ?? ?? 8B ?? 5? 5? 85 ?? 0F 84 } - $block_5 = { 83 ?? ?? ?? 8D ?? ?? 5? FF 7? ?? FF D? 8B ?? ?? 33 ?? 84 ?? 0F 44 ?? 33 ?? 85 ?? 0F 94 } - $block_6 = { 5? 8B ?? 83 ?? ?? 5? 8B ?? C6 ?? ?? ?? 5? 89 ?? ?? E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 84 } - $block_7 = { 5? E8 ?? ?? ?? ?? 5? FF 7? ?? E8 ?? ?? ?? ?? 8B ?? ?? 83 ?? ?? 8B ?? ?? 0F B6 } - $block_8 = { 8B ?? 33 ?? AB AB AB 83 ?? ?? ?? 83 ?? ?? ?? 8B ?? ?? C7 ?? ?? ?? ?? ?? EB } - $block_9 = { 0F B6 ?? 89 ?? ?? 8A ?? ?? ?? ?? ?? ?? 0F B6 ?? 03 ?? 25 ?? ?? ?? ?? 79 } - $block_10 = { 0F B7 ?? 8B ?? 66 ?? ?? ?? 25 ?? ?? ?? ?? 03 ?? 66 ?? ?? ?? 74 } - $block_11 = { 5? 68 ?? ?? ?? ?? 5? E8 ?? 
?? ?? ?? 8B ?? 5? 5? 85 ?? 0F 84 } - $block_12 = { 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 4? 89 ?? ?? 83 ?? ?? 0F 82 } - $block_13 = { 5? 89 ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 5? 85 ?? 0F 84 } - $block_14 = { 8B ?? 4? 99 F7 ?? 8B ?? 80 C? ?? 88 ?? 85 ?? 75 } - - condition: - hash.sha256(0, filesize) == "f5b3f920cdd1ea42905caf7f0894194aaf5096b9a90c77ac06139dcb42018f9e" or - 12 of them -} - -rule HideDRV { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { 45 ?? ?? 45 ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 0F B6 ?? 85 ?? 75 } - $block_1 = { 48 ?? ?? ?? ?? 0F B7 ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? ?? 83 ?? ?? ?? ?? 7D } - $block_2 = { 48 ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 8B ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? 85 ?? 75 } - $block_3 = { 8B ?? ?? ?? 48 ?? ?? ?? ?? 0F B6 ?? ?? 88 ?? ?? ?? 0F B6 ?? ?? ?? 83 ?? ?? 74 } - $block_4 = { 48 ?? ?? ?? ?? 48 ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? 85 ?? 75 } - $block_5 = { 48 ?? ?? ?? ?? 48 ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? 85 ?? 74 } - $block_6 = { 48 ?? ?? ?? ?? 48 ?? ?? ?? 8B ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? 85 ?? 75 } - $block_7 = { 48 ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 0F BF ?? ?? 83 ?? ?? 85 ?? 74 } - $block_8 = { BA ?? ?? ?? ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? 85 ?? 0F 84 } - $block_9 = { 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 33 ?? 85 ?? 0F 85 } - $block_10 = { BA ?? ?? ?? ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? 85 ?? 75 } - $block_11 = { 8B ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 } - $block_12 = { 89 ?? ?? ?? 48 ?? ?? ?? 0F B6 ?? ?? ?? ?? ?? 85 ?? 74 } - $block_13 = { 48 ?? ?? ?? ?? 48 ?? ?? ?? 0F B6 ?? ?? 83 ?? ?? 74 } - $block_14 = { 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? 85 ?? 
75 } - - condition: - hash.sha256(0, filesize) == "4bfe2216ee63657312af1b2507c8f2bf362fdf1d63c88faba397e880c2e39430" or - 12 of them -} - -rule OLDBAIT { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { 8D ?? ?? 5? 6A ?? FF D? 8B ?? ?? ?? 5? 5? 5? 89 ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 8D ?? ?? 6A ?? 33 ?? 5? 89 ?? ?? ?? FF D? 89 ?? ?? 8B ?? 89 ?? 89 ?? ?? 6A ?? 89 ?? ?? 5? 89 ?? ?? E8 ?? ?? ?? ?? 5? 5? 83 ?? ?? 3B ?? 0F 85 } - $block_1 = { 8D ?? ?? 5? 6A ?? FF D? 8B ?? ?? ?? 5? 5? 5? 89 ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 8D ?? ?? 6A ?? 33 ?? 5? 89 ?? ?? ?? FF D? 89 ?? ?? 8B ?? 89 ?? 89 ?? ?? 6A ?? 89 ?? ?? 5? 89 ?? ?? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 3B ?? 0F 85 } - $block_2 = { 5? 6A ?? 5? FF D? 5? 5? 8B ?? ?? ?? 89 ?? ?? 6A ?? 5? 89 ?? ?? ?? 89 ?? 89 ?? ?? 89 ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 3B ?? 0F 84 } - $block_3 = { 5? 6A ?? 5? FF D? 8B ?? 8B ?? ?? ?? 89 ?? ?? 6A ?? 5? 89 ?? ?? ?? 89 ?? 89 ?? ?? 89 ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 3B ?? 0F 84 } - $block_4 = { 8D ?? ?? 5? 6A ?? FF D? 8B ?? ?? ?? 5? 5? 5? 89 ?? E8 ?? ?? ?? ?? 83 ?? ?? 6A ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? ?? 85 ?? 0F 84 } - $block_5 = { 5? 5? 83 ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 29 ?? 66 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D ?? ?? ?? 5? 5? FF 1? ?? ?? ?? ?? 5? 5? 85 ?? 0F 84 } - $block_6 = { 8B ?? 83 ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 33 ?? 66 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D ?? ?? ?? 5? 5? FF 1? ?? ?? ?? ?? 8B ?? 85 ?? 0F 84 } - $block_7 = { 5? 8B ?? 83 ?? ?? 5? 5? 5? C7 ?? ?? ?? ?? ?? ?? 8D ?? ?? 89 ?? ?? 8B ?? ?? 8B ?? ?? FF 7? ?? 60 FC B2 ?? 33 } - $block_8 = { 30 ?? ?? 0F B6 ?? C1 ?? ?? D1 ?? 4? 0B ?? 3B ?? 
72 } - - condition: - hash.sha256(0, filesize) == "10b02dfe93a30d5da0aab3559ec3a55dab6cd96e8ef7c4d1a8e86c59efe63634" or - hash.sha256(0, filesize) == "de006fffc2c0580844830436ee2bdce2f492072b72375b93867a1523c0275ecd" or - hash.sha256(0, filesize) == "360fc67cb295c0a79934f7899ed804424e0c6c4e316d7f3478f2f8c4386f5b68" or - hash.sha256(0, filesize) == "7313eaf95a8a8b4c206b9afe306e7c0675a21999921a71a5a16456894571d21d" or - 9 of them -} - -rule dropper { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { 5? 8B ?? 8B ?? ?? B9 ?? ?? ?? ?? A1 ?? ?? ?? ?? 85 ?? 0F 45 ?? A3 ?? ?? ?? ?? 8B ?? ?? 85 ?? 74 } - $block_1 = { 0F B6 ?? 88 ?? ?? 8B ?? ?? ?? ?? ?? 03 ?? 89 ?? ?? 03 ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 5? 85 ?? 75 } - $block_2 = { 80 B? ?? ?? ?? ?? ?? 8D ?? ?? 8D ?? ?? 0F 44 ?? 5? 5? 89 ?? ?? E8 ?? ?? ?? ?? 5? 5? 85 ?? 0F 85 } - $block_3 = { 8D ?? ?? ?? ?? ?? 5? 5? E8 ?? ?? ?? ?? 5? 5? 33 ?? 8B ?? 4? 8B ?? E8 ?? ?? ?? ?? 5? 85 ?? 0F 85 } - $block_4 = { 0F B7 ?? 4? 8B ?? 89 ?? ?? 81 E? ?? ?? ?? ?? 66 ?? ?? ?? 8B ?? 03 ?? ?? 89 ?? ?? 66 ?? ?? ?? 75 } - $block_5 = { 0F 28 ?? ?? ?? ?? ?? 8B ?? 0F 11 ?? ?? C7 ?? ?? ?? ?? ?? ?? 0F 28 ?? ?? ?? ?? ?? 0F 11 ?? ?? C7 } - $block_6 = { 5? 8B ?? 81 E? ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 ?? 89 ?? ?? 5? 8B ?? 89 ?? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_7 = { 0F 57 ?? 32 ?? 66 ?? ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 } - $block_8 = { 8D ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? 5? FF B? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 8B ?? 85 ?? 0F 84 } - $block_9 = { 8D ?? ?? 0F B7 ?? 5? FF 7? ?? 89 ?? ?? 0F B7 ?? 5? 5? E8 ?? ?? ?? ?? 8B ?? ?? 83 ?? ?? 85 ?? 74 } - $block_10 = { 83 ?? ?? ?? 03 ?? 5? 8D ?? ?? 5? FF 5? ?? 8D ?? ?? 5? 8D ?? ?? 5? 6A ?? 6A ?? FF D? 85 ?? 0F 88 } - $block_11 = { 0F B6 ?? ?? 0F B6 ?? ?? C1 ?? ?? 0B ?? 0F B6 ?? ?? C1 ?? ?? 0B ?? 0F B6 ?? ?? C1 ?? ?? 0B ?? EB } - $block_12 = { 5? 8B ?? 81 E? ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 ?? 89 ?? ?? 8B ?? ?? 5? 8B ?? ?? 5? 
83 ?? ?? 0F 84 } - $block_13 = { 8B ?? C7 ?? ?? ?? ?? ?? ?? 2B ?? ?? F7 ?? ?? ?? ?? ?? ?? 89 ?? ?? 0F B6 ?? ?? ?? 89 ?? ?? 74 } - $block_14 = { 5? 8B ?? 83 ?? ?? 8B ?? 33 ?? 5? 5? 89 ?? ?? 89 ?? ?? 89 ?? ?? 89 ?? ?? 89 ?? ?? 38 ?? 0F 84 } - $block_15 = { 5? 8B ?? 81 E? ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 ?? 89 ?? ?? 5? 5? 8B ?? ?? 83 ?? ?? 85 ?? 0F 84 } - $block_16 = { 5? 8B ?? 5? 5? 8B ?? ?? 5? 8B ?? ?? 5? 0F B7 ?? 80 7? ?? ?? 8B ?? ?? 8B ?? ?? 89 ?? ?? 0F 85 } - $block_17 = { 8B ?? 0F 57 ?? 8B ?? ?? 89 ?? ?? 83 ?? ?? 66 ?? ?? ?? ?? 5? 8B ?? ?? 89 ?? ?? 89 ?? ?? 0F 88 } - $block_18 = { 5? 8B ?? ?? ?? ?? ?? 5? 6A ?? BF ?? ?? ?? ?? 5? 6A ?? 5? FF D? 89 ?? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_19 = { 80 B? ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 8D ?? ?? 0F 44 ?? 5? 5? E8 ?? ?? ?? ?? 5? 5? 85 ?? 0F 85 } - $block_20 = { 8B ?? ?? ?? ?? ?? 8B ?? ?? 03 ?? ?? ?? ?? ?? 0F B7 ?? ?? C7 ?? ?? ?? ?? ?? ?? 66 ?? ?? ?? 74 } - $block_21 = { 8D ?? ?? 33 ?? 4? 3B ?? ?? 89 ?? ?? 8B ?? ?? 8B ?? ?? 0F B6 ?? 0F 4E ?? 89 ?? ?? 84 ?? 75 } - $block_22 = { 8B ?? ?? FF B? ?? ?? ?? ?? 4? 01 ?? 8D ?? ?? 5? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 88 } - $block_23 = { 8B ?? ?? 8D ?? ?? 81 F? ?? ?? ?? ?? 0F 42 ?? 81 F? ?? ?? ?? ?? 8D ?? ?? 0F 43 ?? 85 ?? 74 } - $block_24 = { 8A ?? 8D ?? ?? 30 ?? ?? 0F B6 ?? 30 ?? ?? 0F B6 ?? 30 ?? ?? 0F B6 ?? 30 ?? ?? 83 ?? ?? 75 } - $block_25 = { 3B ?? 8B ?? 6A ?? 5? 0F 4C ?? 3B ?? 0F 4C ?? 8A ?? ?? ?? 88 ?? ?? ?? 4? 4? 4? 83 ?? ?? 7C } - $block_26 = { 8B ?? 0F AF ?? ?? 8B ?? ?? 89 ?? ?? 8B ?? ?? 89 ?? ?? 81 E? ?? ?? ?? ?? 89 ?? ?? 85 ?? 7E } - $block_27 = { FF 7? ?? 8D ?? ?? ?? ?? ?? FF B? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 85 } - $block_28 = { 8B ?? ?? 4? 8B ?? ?? 83 ?? ?? 4? 89 ?? ?? 89 ?? ?? 89 ?? 8B ?? ?? 89 ?? ?? 3B ?? ?? 0F 8C } - $block_29 = { 8B ?? ?? 0F 57 ?? 8B ?? 8B ?? ?? 8B ?? 66 ?? ?? ?? ?? 03 ?? 89 ?? ?? 89 ?? ?? 3B ?? 0F 8D } - $block_30 = { B9 ?? ?? ?? ?? 83 ?? ?? 2B ?? 8B ?? ?? 3B ?? 0F B6 ?? 8B ?? ?? 6A ?? 5? 0F 4F ?? 84 ?? 
75 } - $block_31 = { 8D ?? ?? ?? ?? ?? 5? 6A ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 6A ?? 5? 0F 45 ?? 85 ?? 0F 85 } - $block_32 = { 5? 5? 8D ?? ?? 5? 8D ?? ?? 5? 8D ?? ?? 5? 8D ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 } - $block_33 = { 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 6A ?? 5? 85 ?? 5? 0F 45 ?? E8 ?? ?? ?? ?? 85 ?? 5? 5? 0F 45 } - $block_34 = { 0F BF ?? ?? 8B ?? ?? E8 ?? ?? ?? ?? 5? 8B ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 5? 85 ?? 74 } - $block_35 = { FF B? ?? ?? ?? ?? 5? 8D ?? ?? 5? 8B ?? ?? 5? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 85 } - $block_36 = { 0F B7 ?? ?? ?? ?? ?? 5? 5? 5? FF 7? ?? E8 ?? ?? ?? ?? 83 ?? ?? F6 ?? ?? ?? ?? ?? ?? 75 } - $block_37 = { 8B ?? ?? 89 ?? ?? 8B ?? ?? F6 ?? ?? ?? 8B ?? ?? 8D ?? ?? 0F 45 ?? ?? 89 ?? ?? 85 ?? 74 } - $block_38 = { 8B ?? 8D ?? ?? ?? ?? ?? 2B ?? 5? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 81 F? ?? ?? ?? ?? 0F 83 } - $block_39 = { 8B ?? ?? FF 7? ?? 8B ?? ?? 4? 03 ?? 5? 8D ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 } - $block_40 = { 8B ?? ?? 03 ?? ?? 03 ?? C7 ?? ?? ?? ?? ?? ?? 8D ?? ?? 3B ?? 8B ?? 0F 46 ?? 8D ?? ?? EB } - $block_41 = { 5? 8B ?? 83 ?? ?? BA ?? ?? ?? ?? 5? 5? 8B ?? 5? 8B ?? ?? 03 ?? 0F B7 ?? ?? 66 ?? ?? 75 } - $block_42 = { 68 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 8B ?? ?? 89 ?? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 0F 84 } - $block_43 = { 5? 8B ?? 83 ?? ?? A1 ?? ?? ?? ?? 33 ?? 89 ?? ?? 5? 8B ?? ?? B8 ?? ?? ?? ?? 85 ?? 0F 84 } - $block_44 = { 8B ?? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_45 = { 8B ?? ?? ?? ?? ?? 6A ?? 5? 3B ?? 6A ?? 0F 42 ?? 83 ?? ?? 5? 0F 48 ?? 89 ?? ?? 85 ?? 7E } - $block_46 = { 8B ?? ?? 33 ?? 8B ?? ?? 33 ?? 89 ?? ?? 8B ?? ?? 4? 66 ?? ?? ?? 8B ?? ?? 89 ?? ?? 0F 83 } - $block_47 = { 8B ?? ?? ?? ?? ?? 0F B7 ?? C1 ?? ?? 6A ?? 88 ?? ?? 5? 88 ?? ?? 89 ?? ?? ?? ?? ?? EB } - $block_48 = { 6A ?? 8D ?? ?? ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 } - $block_49 = { 8D ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 5? 5? FF 1? ?? ?? ?? ?? 85 ?? 
0F 84 } - $block_50 = { 8B ?? ?? 8B ?? ?? 5? 8B ?? 8B ?? 03 ?? 3B ?? 0F 4C ?? 89 ?? ?? 81 F? ?? ?? ?? ?? 7E } - $block_51 = { 5? 8B ?? 83 ?? ?? B8 ?? ?? ?? ?? 33 ?? 5? 5? 5? 8B ?? ?? 66 ?? ?? ?? ?? ?? ?? 0F 85 } - $block_52 = { 33 ?? 4? 6B ?? ?? 0F BE ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 7F } - $block_53 = { 8B ?? ?? 6A ?? 5? D3 ?? 03 ?? 5? 8D ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 5? 5? 85 ?? 0F 85 } - $block_54 = { 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? 5? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 83 ?? ?? 0F 85 } - $block_55 = { 8D ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? 5? 5? FF 1? ?? ?? ?? ?? 8B ?? 85 ?? 0F 84 } - $block_56 = { 5? 6A ?? 8D ?? ?? ?? ?? ?? 5? 5? FF 1? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_57 = { 8B ?? ?? 0F B6 ?? ?? FF 0? 8B ?? 8B ?? 2B ?? 03 ?? 89 ?? ?? 89 ?? ?? 3B ?? ?? 77 } - $block_58 = { 8B ?? ?? 8B ?? ?? 5? 8B ?? ?? 4? 0F B6 ?? ?? ?? 66 ?? ?? ?? ?? ?? ?? 83 ?? ?? 75 } - $block_59 = { 33 ?? 83 ?? ?? 0F 92 ?? F7 ?? 0B ?? 5? E8 ?? ?? ?? ?? A3 ?? ?? ?? ?? 5? 85 ?? 74 } - $block_60 = { 2B ?? 8D ?? ?? ?? ?? ?? 5? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 81 F? ?? ?? ?? ?? 0F 83 } - $block_61 = { 2B ?? 8B ?? ?? 8D ?? ?? 3B ?? 0F 9D ?? FE ?? 24 ?? 4? 88 ?? ?? 4? 03 ?? 3B ?? 7C } - $block_62 = { 33 ?? 8D ?? ?? 5? 5? FF 7? ?? 89 ?? ?? FF 7? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_63 = { 5? 8B ?? 83 ?? ?? 8D ?? ?? 5? 8B ?? ?? FF 3? 5? E8 ?? ?? ?? ?? 5? 5? 85 ?? 0F 85 } - $block_64 = { 8B ?? 89 ?? ?? 8B ?? ?? 6A ?? 89 ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? 5? 85 ?? 0F 84 } - $block_65 = { 8B ?? ?? BE ?? ?? ?? ?? 8D ?? ?? 83 ?? ?? A5 89 ?? ?? A5 A5 66 ?? 8B ?? ?? 8B } - $block_66 = { 8D ?? ?? 88 ?? ?? 5? 5? FF D? 0F 28 ?? ?? ?? ?? ?? A3 ?? ?? ?? ?? 8B ?? 0F 11 } - $block_67 = { 6B ?? ?? ?? 89 ?? ?? ?? ?? ?? 33 ?? 03 ?? ?? ?? ?? ?? 85 ?? 0F 95 ?? A8 ?? 74 } - $block_68 = { 8B ?? ?? 33 ?? 8B ?? ?? 8B ?? ?? 89 ?? ?? 3B ?? ?? 8B ?? ?? 0F 95 ?? 85 ?? 74 } - $block_69 = { 8B ?? ?? 6A ?? 5? 5? 83 ?? ?? 5? FF 7? ?? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 
0F 85 } - $block_70 = { 8B ?? ?? ?? ?? ?? 89 ?? 8B ?? 2B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 3B ?? 0F 83 } - $block_71 = { 8D ?? ?? 5? 5? FF D? 0F 28 ?? ?? ?? ?? ?? A3 ?? ?? ?? ?? 8B ?? 0F 11 ?? ?? 66 } - $block_72 = { 8B ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 0F 84 } - $block_73 = { 8A ?? ?? 24 ?? 0F B6 ?? 66 ?? ?? ?? ?? ?? ?? 66 ?? ?? ?? 66 ?? ?? 66 ?? ?? 66 } - $block_74 = { 5? 8B ?? 5? 8B ?? ?? 5? 8B ?? ?? ?? ?? ?? 8B ?? 39 ?? ?? 0F 4C ?? ?? 85 ?? 75 } - $block_75 = { 33 ?? 8B ?? 39 ?? ?? 0F 45 ?? ?? C6 ?? ?? ?? 8B ?? ?? F7 ?? ?? ?? ?? ?? ?? 74 } - $block_76 = { A1 ?? ?? ?? ?? FF 0? ?? ?? ?? ?? 3B ?? 5? 8B ?? 0F 45 ?? 39 ?? ?? ?? ?? ?? 7D } - $block_77 = { 0F B7 ?? ?? ?? ?? ?? 4? 3B ?? B8 ?? ?? ?? ?? 0F 47 ?? 66 ?? ?? ?? ?? ?? ?? 74 } - $block_78 = { 8B ?? ?? 03 ?? 2B ?? FF 8? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? 85 ?? 0F 85 } - $block_79 = { FF 7? ?? 8D ?? ?? ?? ?? ?? 6A ?? 6A ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 } - $block_80 = { 4? 2B ?? 89 ?? ?? D3 ?? 8B ?? ?? 0B ?? 89 ?? ?? 6A ?? 5? 89 ?? ?? 3B ?? 0F 85 } - $block_81 = { 8B ?? ?? ?? ?? ?? 0F B6 ?? 0F B6 ?? ?? 66 ?? ?? ?? 66 ?? ?? 66 ?? ?? ?? 75 } - $block_82 = { 5? 8D ?? ?? ?? ?? ?? ?? 8B ?? 5? E8 ?? ?? ?? ?? 89 ?? ?? 5? 5? 85 ?? 0F 84 } - $block_83 = { 5? 8B ?? 83 ?? ?? 5? 5? 8B ?? 5? 89 ?? ?? E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 84 } - $block_84 = { 0F B6 ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 4? C6 ?? ?? ?? ?? ?? ?? 83 ?? ?? 0F 85 } - $block_85 = { 0F 10 ?? ?? ?? 66 ?? ?? ?? ?? ?? ?? ?? 0F 11 ?? ?? ?? 83 ?? ?? 83 ?? ?? 72 } - $block_86 = { 83 ?? ?? ?? ?? ?? ?? 33 ?? 4? 6B ?? ?? 0F BE ?? ?? ?? ?? ?? ?? 83 ?? ?? 75 } - $block_87 = { 8B ?? ?? 8A ?? ?? ?? ?? ?? ?? 4? 88 ?? ?? 4? 8B ?? ?? 0F B7 ?? ?? 3B ?? 7C } - $block_88 = { 8B ?? ?? 83 ?? ?? 8B ?? ?? 83 ?? ?? 83 ?? ?? 89 ?? ?? 89 ?? ?? 85 ?? 0F 84 } - $block_89 = { 8B ?? ?? 2B ?? ?? 03 ?? ?? 01 ?? ?? 8B ?? ?? 89 ?? ?? ?? 4? 83 ?? ?? 0F 8C } - $block_90 = { 5? 8B ?? 83 ?? ?? 5? 5? 8B ?? 33 ?? 89 ?? ?? 89 ?? ?? 5? 8B ?? 85 ?? 
0F 84 } - $block_91 = { 8A ?? ?? ?? ?? ?? 0F B7 ?? ?? ?? ?? ?? 0F B6 ?? ?? ?? ?? ?? 8B ?? 3C ?? 75 } - $block_92 = { 5? 8B ?? 5? 5? 8B ?? ?? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 5? 5? 85 ?? 0F 85 } - $block_93 = { 8B ?? ?? 89 ?? ?? 66 ?? ?? 33 ?? 8B ?? ?? 89 ?? ?? 89 ?? 39 ?? ?? 0F 8E } - $block_94 = { 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? 5? E8 ?? ?? ?? ?? 5? 5? 85 ?? 0F 84 } - $block_95 = { 6A ?? 68 ?? ?? ?? ?? FF 7? ?? 6A ?? FF 1? ?? ?? ?? ?? 8B ?? 85 ?? 0F 84 } - $block_96 = { 80 3? ?? 8D ?? ?? 0F 44 ?? 85 ?? 8B ?? 8D ?? ?? 0F 4E ?? 8B ?? 85 ?? 7F } - $block_97 = { 8B ?? ?? ?? ?? ?? 8B ?? ?? 89 ?? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 0F 84 } - $block_98 = { 5? 8D ?? ?? 89 ?? ?? 5? 5? 89 ?? ?? E8 ?? ?? ?? ?? 8B ?? 5? 85 ?? 0F 85 } - $block_99 = { 8B ?? 8B ?? ?? 2B ?? 6A ?? 03 ?? E8 ?? ?? ?? ?? 89 ?? ?? 5? 85 ?? 0F 84 } - - condition: - hash.sha256(0, filesize) == "e1a3a012b332f0728e11f7bbb7429dece387a1244b3daaee6da6b4407c48caf7" or - 12 of them -} - -rule koadic { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { 5? 8B ?? 83 ?? ?? 81 E? ?? ?? ?? ?? 8B ?? ?? 8B ?? ?? 5? 5? 5? 5? FF 1? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 5? FF D? 8B ?? ?? ?? ?? ?? ?? 33 ?? 5? 5? 8D ?? ?? ?? ?? ?? ?? 5? 5? FF 1? ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 5? 89 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? FF D? 8D ?? ?? ?? 5? 68 ?? ?? ?? ?? 8D ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 5? 89 ?? ?? ?? 89 ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? FF 1? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 85 ?? 0F 89 } - $block_1 = { C7 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 4C ?? ?? ?? ?? ?? ?? ?? 4C ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? FF 9? ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 
48 ?? ?? ?? ?? ?? ?? ?? FF 5? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? 4C ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? FF 5? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? 0F 85 } - $block_2 = { 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? 4C ?? ?? ?? ?? ?? ?? ?? 4C ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? FF 5? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? 4C ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? FF 5? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? 0F 85 } - $block_3 = { C7 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 4C ?? ?? ?? ?? ?? ?? ?? 4C ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? FF 9? ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? FF 5? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? 4C ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? FF 5? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? 0F 85 } - $block_4 = { 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? 4C ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? FF 5? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? 0F 85 } - $block_5 = { 0F B7 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? ?? 0F 84 } - $block_6 = { 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? 4C ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? FF 5? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? 0F 85 } - $block_7 = { 48 ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? 
?? ?? ?? ?? 48 ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? 4C ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? FF 5? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? 0F 85 } - $block_8 = { 48 ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? 4C ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? FF 5? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? 0F 85 } - $block_9 = { 0F B7 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? 0F 84 } - - condition: - hash.sha256(0, filesize) == "430cbf950f9cea3f77374145f488a104f4ab664edca448effacbf2f8ba01b901" or - hash.sha256(0, filesize) == "7ea33696c91761e95697549e0b0f84db2cf4033216cd16c3264b10daa31f598c" or - 10 of them -} - -rule SedrecoDropper { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { FF B? ?? ?? ?? ?? 6A ?? FF 3? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? 85 ?? 0F 84 } - $block_1 = { 68 ?? ?? ?? ?? BA ?? ?? ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 5? FF D? 8B ?? 85 ?? 0F 84 } - $block_2 = { 41 ?? ?? ?? 48 ?? ?? 44 ?? ?? 46 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 40 ?? ?? ?? 0F 1F } - $block_3 = { 4C ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 } - $block_4 = { 8D ?? ?? 5? 6A ?? 6A ?? FF 7? ?? FF 7? ?? FF 7? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_5 = { 8B ?? 33 ?? F7 ?? 33 ?? 85 ?? 0F 95 ?? 33 ?? 33 ?? 89 ?? ?? 4? 03 ?? 89 ?? ?? 3B } - $block_6 = { 8B ?? ?? 8B ?? ?? 8D ?? ?? 5? 6A ?? 6A ?? 5? 5? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_7 = { 8B ?? 33 ?? F7 ?? ?? 33 ?? 85 ?? 0F 95 ?? 33 ?? 89 ?? ?? 33 ?? 8D ?? ?? ?? EB } - $block_8 = { 4C ?? ?? ?? 41 ?? ?? ?? D1 ?? 49 ?? ?? ?? FF C? 8B ?? 8D ?? ?? 0F 1F } - $block_9 = { 8D ?? ?? ?? ?? ?? 5? 5? 6A ?? 5? 5? FF 1? ?? ?? ?? ?? 83 ?? ?? 0F 85 } - $block_10 = { 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 } - $block_11 = { 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_12 = { 4C ?? 
?? ?? ?? 4C ?? ?? ?? ?? 03 ?? 0F 1F ?? 44 ?? ?? 75 } - $block_13 = { 6A ?? 6A ?? 8D ?? ?? 5? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_14 = { 6A ?? 6A ?? 6A ?? 5? FF 1? ?? ?? ?? ?? 83 ?? ?? ?? 0F 85 } - $block_15 = { 33 ?? 83 ?? ?? 0F 9F ?? 4? 83 ?? ?? 83 ?? ?? 89 ?? ?? EB } - $block_16 = { 45 ?? ?? ?? 46 ?? ?? ?? ?? ?? ?? ?? 41 ?? ?? ?? 0F 1F } - $block_17 = { 0F B6 ?? ?? 01 ?? ?? 0F B6 ?? 01 ?? ?? 83 ?? ?? 4? 75 } - $block_18 = { 8D ?? ?? 4C ?? ?? ?? ?? 4C ?? ?? ?? ?? 03 ?? 0F 1F } - $block_19 = { 8B ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_20 = { E8 ?? ?? ?? ?? 0F B6 ?? 03 ?? 88 ?? ?? FE ?? EB } - $block_21 = { BF ?? ?? ?? ?? B8 ?? ?? ?? ?? 3B ?? 0F 4E ?? EB } - - condition: - hash.sha256(0, filesize) == "378ef276eeaa4a29dab46d114710fc14ba0a9f964f6d949bcbc5ed3267579892" or - hash.sha256(0, filesize) == "0d260a4ea865773a86b3fc0fe89df92c86289c0266b1dd5ab8e3174839cb94c2" or - hash.sha256(0, filesize) == "fb3a3339e2ba82cb3dcdc43d0e49e7b8a26ced3a587f5ee15a256aee062e6e05" or - hash.sha256(0, filesize) == "d403ded7c4acfffe8dc2a3ad8fb848f08388b4c3452104f6970835913d92166c" or - hash.sha256(0, filesize) == "2c81023a146d2b5003d2b0c617ebf2eb1501dc6e55fc6326e834f05f5558c0ec" or - 12 of them -} - -rule Downdelph { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { 5? 8B ?? 81 C? ?? ?? ?? ?? 5? 5? 33 ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? 89 ?? ?? 89 ?? ?? 8B ?? ?? 8B ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? E8 ?? ?? ?? ?? 33 ?? 5? 68 ?? ?? ?? ?? 64 ?? ?? 64 ?? ?? 8B ?? E8 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? 33 ?? 5? 68 ?? ?? ?? ?? 64 ?? ?? 64 ?? ?? 6A ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? 8B ?? ?? E8 ?? ?? ?? ?? 5? 8B ?? ?? 5? E8 ?? ?? ?? ?? 89 ?? ?? 33 ?? 5? 68 ?? ?? ?? ?? 64 ?? ?? 64 ?? ?? 83 ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8B ?? ?? E8 ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? 8B ?? ?? 5? E8 ?? ?? ?? ?? 89 ?? ?? 33 ?? 5? 68 ?? ?? 
?? ?? 64 ?? ?? 64 ?? ?? 68 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 8B ?? ?? 5? E8 ?? ?? ?? ?? 85 ?? 0F 84 } - $block_1 = { 5? 8B ?? 5? 5? 8B ?? 5? 8D ?? ?? 5? 5? E8 ?? ?? ?? ?? 8B ?? ?? 33 ?? 6A ?? 4? 5? F7 ?? 0F 90 ?? F7 ?? 0B ?? 5? E8 ?? ?? ?? ?? 8B ?? 8B ?? ?? 8D ?? ?? ?? 5? 6A ?? 5? E8 ?? ?? ?? ?? 8B ?? ?? F7 ?? 6A ?? 03 ?? 5? 5? E8 ?? ?? ?? ?? 5? FF 7? ?? 6A ?? 5? E8 ?? ?? ?? ?? 8B ?? ?? 83 ?? ?? 3B ?? 74 } - $block_2 = { 5? 8D ?? ?? 33 ?? E8 ?? ?? ?? ?? 6A ?? 8D ?? ?? E8 ?? ?? ?? ?? 6A ?? 8D ?? ?? E8 ?? ?? ?? ?? 6A ?? 8B ?? E8 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 5? 8B ?? ?? E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 85 } - $block_3 = { 5? 8B ?? 81 E? ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 ?? 89 ?? ?? 5? 5? BE ?? ?? ?? ?? 8D ?? ?? A5 A5 A4 BE ?? ?? ?? ?? 8D ?? ?? A5 66 ?? 33 } - $block_4 = { FF 7? ?? 8D ?? ?? 5? E8 ?? ?? ?? ?? 33 ?? 89 ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? 89 ?? ?? 66 ?? ?? ?? C6 ?? ?? ?? 83 ?? ?? 0F 84 } - $block_5 = { 5? 8B ?? 83 ?? ?? A1 ?? ?? ?? ?? 33 ?? 89 ?? ?? 5? 5? 5? BE ?? ?? ?? ?? 8D ?? ?? A5 A5 A4 BE ?? ?? ?? ?? 8D ?? ?? A5 66 ?? 33 } - $block_6 = { 6A ?? 6A ?? FF 3? E8 ?? ?? ?? ?? FF 3? 8D ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 5? 8B ?? E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 84 } - $block_7 = { 68 ?? ?? ?? ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 8B ?? ?? 4? 89 ?? ?? ?? ?? ?? 0F 84 } - $block_8 = { 0F BE ?? ?? ?? 6A ?? 99 5? F7 ?? 32 ?? ?? ?? 4? 88 ?? ?? ?? 83 ?? ?? 72 } - $block_9 = { FF 7? ?? 8D ?? ?? 5? E8 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 83 ?? ?? 
0F 84 } - - condition: - hash.sha256(0, filesize) == "522fd9b35323af55113455d823571f71332e53dde988c2eb41395cf6b0c15805" or - hash.sha256(0, filesize) == "cfc60d5db3bfb4ec462d5e4bd5222f04d7383d2c1aec1dc2a23e3c74a166a93d" or - hash.sha256(0, filesize) == "6ccc375923a00571dffca613a036f77a9fc1ee22d1fddffb90ab7adfbb6b75f1" or - hash.sha256(0, filesize) == "3e23201e6c52470e73a92af2ded12e6a5d1ad39538f41e762ca1c4b8d93c6d8d" or - hash.sha256(0, filesize) == "79a508ba42247ddf92accbf5987b1ffc7ba20cd11806d332979d8a8fe85abb04" or - 10 of them -} - -rule Coreshell { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { 5? 6A ?? 6A ?? 6A ?? 6A ?? 5? FF 1? ?? ?? ?? ?? 8B ?? FF 1? ?? ?? ?? ?? 85 ?? 89 ?? ?? ?? 0F 84 } - $block_1 = { A1 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 0F AF ?? 69 ?? ?? ?? ?? ?? 2D ?? ?? ?? ?? 0F AF ?? 39 ?? 0F 84 } - $block_2 = { 8D ?? ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? 6A ?? 8D ?? ?? ?? ?? ?? 5? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 } - $block_3 = { 8B ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? 5? 89 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 84 } - $block_4 = { 8D ?? ?? ?? ?? ?? 5? 5? 5? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 85 } - $block_5 = { 5? E8 ?? ?? ?? ?? FF 7? ?? FF 1? ?? ?? ?? ?? 8B ?? 8D ?? ?? 5? 5? 89 ?? ?? FF 5? ?? 85 ?? 0F 85 } - $block_6 = { 68 ?? ?? ?? ?? BA ?? ?? ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 5? FF D? 8B ?? 85 ?? 0F 84 } - $block_7 = { FF B? ?? ?? ?? ?? 6A ?? FF 3? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_8 = { 8B ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? 8B ?? E8 ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 85 ?? 0F 85 } - $block_9 = { 8B ?? ?? ?? ?? ?? 5? 5? 5? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 85 } - $block_10 = { 8B ?? 33 ?? F7 ?? ?? ?? ?? ?? 33 ?? 85 ?? 0F 95 ?? 33 ?? 89 ?? ?? ?? ?? ?? 33 ?? 8D ?? ?? ?? EB } - $block_11 = { 8B ?? ?? ?? ?? ?? ?? 8D ?? ?? ?? 5? 5? 5? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 85 ?? 
0F 85 } - $block_12 = { 8B ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? 6A ?? 68 ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_13 = { 8B ?? ?? ?? 8B ?? ?? ?? 5? 8D ?? ?? ?? 5? 5? 5? 6A ?? 5? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_14 = { 8B ?? ?? ?? 8B ?? ?? ?? ?? ?? 5? 6A ?? 5? FF 1? ?? ?? ?? ?? 8B ?? 3B ?? 89 ?? ?? ?? 0F 84 } - $block_15 = { 8B ?? ?? ?? ?? ?? 0B ?? 83 ?? ?? 8A ?? ?? 8B ?? ?? 88 ?? ?? 8B ?? ?? 4? 4? 83 ?? ?? 0F 82 } - $block_16 = { 8B ?? ?? ?? 8B ?? ?? ?? 5? 8D ?? ?? ?? 5? 5? 5? 6A ?? 5? 5? FF 1? ?? ?? ?? ?? 3B ?? 0F 84 } - $block_17 = { E8 ?? ?? ?? ?? 99 B9 ?? ?? ?? ?? F7 ?? 8B ?? ?? ?? 4? 80 C? ?? 88 ?? ?? ?? 3B ?? ?? ?? 72 } - $block_18 = { 5? 8B ?? 83 ?? ?? 5? 5? 5? C7 ?? ?? ?? ?? ?? ?? 0F 6E ?? ?? 0F 72 ?? ?? 0F 7E ?? ?? EB } - $block_19 = { 8D ?? ?? ?? 8D ?? ?? ?? 5? 5? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 5? FF D? FF D? 85 ?? 0F 85 } - $block_20 = { 6A ?? 8D ?? ?? ?? ?? ?? 5? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_21 = { B9 ?? ?? ?? ?? 33 ?? 8D ?? ?? ?? C6 ?? ?? ?? ?? F3 ?? 66 ?? AA 8B ?? ?? ?? 85 ?? 0F 84 } - $block_22 = { B9 ?? ?? ?? ?? 33 ?? 8D ?? ?? ?? 88 ?? ?? ?? F3 ?? 66 ?? AA 8B ?? ?? ?? 3B ?? 0F 84 } - $block_23 = { 5? 8B ?? 83 ?? ?? 8B ?? ?? 8B ?? ?? 5? 8B ?? 8B ?? 5? 33 ?? 5? 89 ?? ?? 3B ?? 0F 83 } - $block_24 = { 5? 8B ?? 83 ?? ?? 6A ?? FF 1? ?? ?? ?? ?? 6A ?? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 84 } - $block_25 = { 8D ?? ?? ?? 8D ?? ?? ?? 5? 5? 5? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 85 } - $block_26 = { E8 ?? ?? ?? ?? 99 B9 ?? ?? ?? ?? F7 ?? 4? 83 ?? ?? 66 ?? ?? ?? ?? ?? ?? ?? 3B ?? 72 } - $block_27 = { B8 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 31 ?? F7 ?? 0F AF ?? 01 ?? 89 ?? ?? ?? ?? ?? E9 } - $block_28 = { 8B ?? 33 ?? F7 ?? 33 ?? 85 ?? 0F 95 ?? 33 ?? 33 ?? 89 ?? ?? 4? 03 ?? 89 ?? ?? 3B } - $block_29 = { E8 ?? ?? ?? ?? 99 B9 ?? ?? ?? ?? F7 ?? 4? 80 C? ?? FF 8? ?? ?? ?? ?? 88 ?? ?? 75 } - $block_30 = { 8D ?? ?? 5? 6A ?? 6A ?? FF 7? ?? FF 7? ?? FF 7? ?? FF 1? ?? ?? ?? ?? 85 ?? 
0F 84 } - $block_31 = { 8B ?? 33 ?? F7 ?? ?? 33 ?? 5? 85 ?? 0F 95 ?? 33 ?? 89 ?? ?? 33 ?? 8D ?? ?? ?? EB } - $block_32 = { 5? 8B ?? 83 ?? ?? C7 ?? ?? ?? ?? ?? ?? 0F 6E ?? ?? 0F 72 ?? ?? 0F 7E ?? ?? EB } - $block_33 = { FF 7? ?? 6A ?? FF 3? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 8B ?? ?? 89 ?? 85 ?? 0F 84 } - $block_34 = { 8D ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 33 ?? 85 ?? 0F 98 ?? 8D ?? ?? ?? 8D ?? ?? 23 } - $block_35 = { 8B ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? 5? 5? E8 ?? ?? ?? ?? 8B ?? 3B ?? 0F 85 } - $block_36 = { 6A ?? 6A ?? 8D ?? ?? ?? ?? ?? 5? 5? 6A ?? 5? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_37 = { 8B ?? ?? ?? 8B ?? ?? ?? ?? ?? 5? 6A ?? 5? FF 1? ?? ?? ?? ?? 8B ?? 3B ?? 0F 84 } - $block_38 = { 8B ?? ?? ?? 33 ?? BE ?? ?? ?? ?? 89 ?? ?? ?? F7 ?? 3B ?? 89 ?? ?? ?? 0F 83 } - $block_39 = { 0F B6 ?? ?? ?? D2 ?? 8A ?? ?? ?? D2 ?? 8B ?? ?? 0A ?? 8B ?? ?? FF 4? ?? 88 } - $block_40 = { 8B ?? ?? 0F B6 ?? ?? 5? FF 3? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 5? 85 ?? 5? 74 } - $block_41 = { 8B ?? ?? ?? ?? ?? 9A ?? ?? ?? ?? ?? ?? 2F 9D FF D? FF D? 8B ?? 83 ?? ?? 75 } - $block_42 = { 8B ?? ?? ?? ?? ?? 4? 15 ?? ?? ?? ?? A6 01 ?? ?? 3A ?? ?? ?? 9E FF D? FF D? } - $block_43 = { 6A ?? 6A ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 89 ?? 85 ?? 0F 84 } - $block_44 = { 8B ?? ?? 8D ?? ?? 5? 6A ?? 68 ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_45 = { 6A ?? 6A ?? 6A ?? 8D ?? ?? 5? FF 1? ?? ?? ?? ?? 89 ?? ?? 83 ?? ?? ?? 0F 84 } - $block_46 = { E8 ?? ?? ?? ?? 99 B9 ?? ?? ?? ?? F7 ?? 4? 83 ?? ?? 66 ?? ?? ?? ?? 3B ?? 72 } - $block_47 = { 8B ?? ?? ?? 4? 83 ?? ?? 3B ?? 89 ?? ?? ?? 8B ?? ?? ?? 89 ?? ?? ?? 0F 82 } - $block_48 = { FF 7? ?? E8 ?? ?? ?? ?? FF 7? ?? E8 ?? ?? ?? ?? 8B ?? ?? 5? 5? 5? C9 C2 } - $block_49 = { 0F B6 ?? ?? 88 ?? ?? 8B ?? ?? 0F B6 ?? ?? 30 ?? ?? 8B ?? ?? 4? 3B ?? 7C } - $block_50 = { 33 ?? 5? 85 ?? 5? 0F 94 ?? 5? 8B ?? ?? 33 ?? E8 ?? ?? ?? ?? 8B ?? 5? C3 } - $block_51 = { 68 ?? ?? ?? ?? A4 A4 4? 3F DC ?? 15 ?? ?? ?? ?? 5? FF D? 8B ?? 3B ?? 75 } - $block_52 = { 5? 8D ?? ?? 
?? ?? ?? 5? 89 ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_53 = { 8B ?? ?? 33 ?? 85 ?? 5? 0F 94 ?? 5? 33 ?? 5? E8 ?? ?? ?? ?? 8B ?? 5? C2 } - $block_54 = { 8D ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 33 ?? 85 ?? 0F 98 ?? 8D ?? ?? ?? 4? } - $block_55 = { FF 7? ?? 6A ?? FF 3? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 8B ?? 3B ?? 0F 84 } - $block_56 = { 8B ?? ?? ?? ?? ?? 05 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 66 ?? ?? ?? 0F 83 } - $block_57 = { 6A ?? 8D ?? ?? 5? C7 ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_58 = { 8B ?? 33 ?? B9 ?? ?? ?? ?? F7 ?? 8B ?? 83 ?? ?? 89 ?? ?? ?? 0F 83 } - $block_59 = { 8B ?? 33 ?? BB ?? ?? ?? ?? F7 ?? 8B ?? 83 ?? ?? 89 ?? ?? ?? 0F 83 } - $block_60 = { 8B ?? ?? ?? 8D ?? ?? ?? 5? 5? 5? E8 ?? ?? ?? ?? 8B ?? 3B ?? 0F 85 } - $block_61 = { 80 6? ?? ?? 6A ?? 5? 33 ?? 8D ?? ?? 39 ?? ?? F3 ?? 66 ?? AA 0F 84 } - $block_62 = { E8 ?? ?? ?? ?? 99 B9 ?? ?? ?? ?? F7 ?? 4? 80 C? ?? 4? 88 ?? ?? 75 } - $block_63 = { 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 3B ?? 89 ?? ?? ?? 0F 84 } - $block_64 = { 6A ?? 6A ?? FF 3? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 8B ?? 85 ?? 0F 84 } - $block_65 = { 68 ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 8B ?? 83 ?? ?? 3B ?? 0F 84 } - $block_66 = { FF 1? ?? ?? ?? ?? 33 ?? 85 ?? 0F 98 ?? 8D ?? ?? ?? 8D ?? ?? E9 } - $block_67 = { 5? 8B ?? 83 ?? ?? A1 ?? ?? ?? ?? 33 ?? 89 ?? ?? 83 ?? ?? 0F 84 } - $block_68 = { 6A ?? 8D ?? ?? 5? 5? FF 1? ?? ?? ?? ?? 83 ?? ?? 39 ?? ?? 0F 84 } - $block_69 = { FF 7? ?? E8 ?? ?? ?? ?? FF 7? ?? E8 ?? ?? ?? ?? 8B ?? ?? C9 C2 } - $block_70 = { 6A ?? 6A ?? 8D ?? ?? ?? 5? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_71 = { 6A ?? 8D ?? ?? ?? 6A ?? 5? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_72 = { 8D ?? ?? 5? 5? 6A ?? 5? 5? FF 1? ?? ?? ?? ?? 83 ?? ?? 0F 85 } - $block_73 = { C7 ?? ?? ?? ?? ?? ?? 0F 6E ?? ?? 0F 72 ?? ?? 0F 7E ?? ?? EB } - $block_74 = { 5? 64 ?? ?? ?? ?? ?? 5? 5? 8B ?? ?? 8B ?? ?? AD 8B ?? ?? E9 } - $block_75 = { 8B ?? ?? 03 ?? ?? 33 ?? B9 ?? ?? ?? ?? F7 ?? 39 ?? ?? 0F 83 } - $block_76 = { FF 1? ?? ?? ?? ?? 
0F B6 ?? ?? 03 ?? ?? 8B ?? ?? 88 ?? ?? EB } - $block_77 = { 4? 83 ?? ?? 83 ?? ?? 3B ?? 89 ?? ?? ?? 89 ?? ?? ?? 0F 82 } - $block_78 = { B0 ?? 8A ?? ?? ?? ?? ?? F6 ?? ?? 88 ?? ?? ?? ?? ?? 0F 85 } - $block_79 = { 8B ?? ?? ?? ?? ?? 5? 5? E8 ?? ?? ?? ?? 8B ?? 3B ?? 0F 85 } - $block_80 = { FF 7? ?? E8 ?? ?? ?? ?? 8B ?? ?? 39 ?? ?? 89 ?? ?? 0F 85 } - $block_81 = { 6A ?? 6A ?? 8D ?? ?? 5? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_82 = { 8B ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? 81 3? ?? ?? ?? ?? 0F 85 } - $block_83 = { 33 ?? 83 ?? ?? 0F 9F ?? 4? 83 ?? ?? 83 ?? ?? 89 ?? ?? EB } - $block_84 = { 8B ?? ?? 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 84 } - $block_85 = { 8B ?? ?? 2D ?? ?? ?? ?? 89 ?? ?? 3D ?? ?? ?? ?? 0F 87 } - $block_86 = { 81 E? ?? ?? ?? ?? 5? 5? 5? E8 ?? ?? ?? ?? 84 ?? 0F 85 } - $block_87 = { 33 ?? 5? 85 ?? 5? 5? 0F 94 ?? 5? 81 C? ?? ?? ?? ?? C2 } - $block_88 = { 83 ?? ?? ?? 4? 83 ?? ?? 89 ?? ?? 89 ?? ?? 3B ?? 0F 82 } - $block_89 = { FF 1? ?? ?? ?? ?? 0F B6 ?? 03 ?? 88 ?? ?? FE ?? EB } - $block_90 = { 8B ?? ?? 4? 83 ?? ?? 89 ?? ?? 89 ?? ?? 3B ?? 0F 82 } - $block_91 = { 8B ?? ?? ?? 5? 5? E8 ?? ?? ?? ?? 8B ?? 3B ?? 0F 85 } - $block_92 = { 8B ?? ?? ?? ?? ?? 5? FF 9? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_93 = { 4? 83 ?? ?? 3B ?? 89 ?? ?? ?? 89 ?? ?? ?? 0F 82 } - $block_94 = { 8B ?? ?? ?? ?? ?? 81 3? ?? ?? ?? ?? 0F 95 ?? 88 } - $block_95 = { 8B ?? ?? ?? ?? ?? FF D? 3B ?? ?? ?? ?? ?? 0F 86 } - $block_96 = { FF 7? ?? E8 ?? ?? ?? ?? 8B ?? ?? 5? 5? 5? C9 C2 } - $block_97 = { E8 ?? ?? ?? ?? 0F B6 ?? 03 ?? 88 ?? ?? FE ?? EB } - $block_98 = { 8B ?? ?? 83 ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 } - $block_99 = { BF ?? ?? ?? ?? B8 ?? ?? ?? ?? 3B ?? 0F 4E ?? 
EB } - - condition: - hash.sha256(0, filesize) == "102b0158bcd5a8b64de44d9f765193dd80df1504e398ce52d37b7c8c33f2552a" or - hash.sha256(0, filesize) == "eb5ab0c73b28d7b7c7e29411609b7686813f3bf629ec3a764bfdf2f9a19b5341" or - hash.sha256(0, filesize) == "4f26e4178b078a4be3842e3b86bf5299c7f7ad386a226b4da5a2cca5c9129f6d" or - hash.sha256(0, filesize) == "d5debe5d88e76a409b9bc3f69a02a7497d333934d66f6aaa30eb22e45b81a9ab" or - hash.sha256(0, filesize) == "31a0906b0d8b07167129e134009dc307c2d92522da5709e52b67d3c5a70adf93" or - hash.sha256(0, filesize) == "e6d09ce32cc62b6f17279204fac1771a6eb35077bb79471115e8dfed2c86cd75" or - hash.sha256(0, filesize) == "744f2a1e1a62dff2a8d5bd273304a4d21ee37a3c9b0bdcffeeca50374bd10a39" or - hash.sha256(0, filesize) == "1fa3e580eabfcf7ffc8f59d96ee0d6b4ab96a7a33ab73558e454d7ce79147c41" or - hash.sha256(0, filesize) == "9392776d6d8e697468ab671b43dce2b7baf97057b53bd3517ecd77a081eff67d" or - hash.sha256(0, filesize) == "d54173be095b688016528f18dc97f2d583efcf5ce562ec766afc0b294eb51ac7" or - hash.sha256(0, filesize) == "423a0799efe41b28a8b765fa505699183c8278d5a7bf07658b3bd507bfa5346f" or - hash.sha256(0, filesize) == "51dae85f5971dbdeb601c974350b80ec1104f304f08893d80e24a52279e1edc7" or - hash.sha256(0, filesize) == "e917166adf6e1135444f327d8fff6ec6c6a8606d65dda4e24c2f416d23b69d45" or - hash.sha256(0, filesize) == "1b5b7c0818ca68e7107ab18d89476314d854b02f0809f8c530fb4334a864c594" or - hash.sha256(0, filesize) == "7695f20315f84bb1d940149b17dd58383210ea3498450b45fefa22a450e79683" or - hash.sha256(0, filesize) == "22c3718bf7df29555098738f77c3139dae39dcdd34b39dab72df04ade4cffa7f" or - hash.sha256(0, filesize) == "67ecc3b8c6057090c7982883e8d9d0389a8a8f6e8b00f9e9b73c45b008241322" or - hash.sha256(0, filesize) == "29cc2e69f65b9ce5fe04eb9b65942b2dabf48e41770f0a49eb698271b99d2787" or - hash.sha256(0, filesize) == "69e9fd2edc1b752117c1d864b18cfa0cca6443825d909ef483a3664f851f5bc8" or - hash.sha256(0, filesize) == 
"03ed773bde6c6a1ac3b24bde6003322df8d41d3d1c85109b8669c430b58d2f69" or - hash.sha256(0, filesize) == "0c7cdbfc5226c3b94b17f70f5a82da016c054fe12b050ee7f3c28db900ea98a5" or - hash.sha256(0, filesize) == "5ac044cf6bab6ebfdda66f92d3b420f5f6d4629a535d80e43705ab55f3b03ea0" or - hash.sha256(0, filesize) == "c8087186a215553d2f95c68c03398e17e67517553f6e9a8adc906faa51bce946" or - hash.sha256(0, filesize) == "ce554d57333bdbccebb5e2e8d16a304947981e48ea2a5cc3d5f4ced7c1f56df3" or - hash.sha256(0, filesize) == "dbfeaebd4e716bf6a0f2518b7edba3dda475f2de7ef70c3ff6399cfee2e47ec0" or - hash.sha256(0, filesize) == "7edeedea096e890d59ed8435db6760dc7fa4d55f9d039fefd473ba1e43ba5838" or - hash.sha256(0, filesize) == "f6d107a65479bb5e8a6d885739ae4c2dcc46e9b468e5d8f388dadfc7f57719fc" or - hash.sha256(0, filesize) == "6cd30c85dd8a64ca529c6eab98a757fb326de639a39b597414d5340285ba91c6" or - hash.sha256(0, filesize) == "d58f2a799552aff8358e9c63a4345ea971b27edd14b8eac825db30a8321d1a7a" or - hash.sha256(0, filesize) == "7f6f9645499f5840b59fb59525343045abf91bc57183aae459dca98dc8216965" or - hash.sha256(0, filesize) == "4536650c9c5e5e1bb57d9bedf7f9a543d6f09addf857f0d802fb64e437b6844a" or - hash.sha256(0, filesize) == "4af1736b26052d95cbd106ee1a667e2ce3346f78783f1231df19282a5e738348" or - hash.sha256(0, filesize) == "1b3dd8aaafd750aa85185dc52672b26d67d662796847d7cbb01a35b565e74d35" or - hash.sha256(0, filesize) == "4a9efdfa479c8092fefee182eb7d285de23340e29e6966f1a7302a76503799a2" or - hash.sha256(0, filesize) == "1bab1a3e0e501d3c14652ecf60870e483ed4e90e500987c35489f17a44fef26c" or - hash.sha256(0, filesize) == "966660738c9e3ec103c2f8fe361c8ac20647cacaa5153197fa1917e9da99082e" or - 12 of them -} - -rule SedrecoPayload { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { 8D ?? ?? 5? 6A ?? 68 ?? ?? ?? ?? 8B ?? ?? 5? A1 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? FF D? 85 ?? 0F 84 } - $block_1 = { 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? FF 9? ?? ?? ?? ?? 4C ?? ?? 
?? ?? ?? ?? 4D ?? ?? 0F 84 } - $block_2 = { 8B ?? ?? ?? 83 ?? ?? 8B ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? 0F B6 ?? ?? 89 ?? ?? ?? 83 ?? ?? ?? ?? 74 } - $block_3 = { 33 ?? 33 ?? 89 ?? ?? ?? 8B ?? ?? 89 ?? ?? ?? 8B ?? ?? 89 ?? ?? ?? 48 ?? ?? ?? ?? 0F 9C ?? 89 } - $block_4 = { 8B ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 5? FF D? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_5 = { A1 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? FF D? 8B ?? A1 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 3B ?? 0F 84 } - $block_6 = { 8D ?? ?? ?? ?? ?? 5? 5? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_7 = { 48 ?? ?? ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? FF 9? ?? ?? ?? ?? 85 ?? 48 ?? ?? ?? ?? ?? ?? 0F 84 } - $block_8 = { 48 ?? ?? ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? FF 9? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_9 = { 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? FF 9? ?? ?? ?? ?? 85 ?? 0F 85 } - $block_10 = { 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? ?? ?? ?? FF 9? ?? ?? ?? ?? 85 ?? 0F 85 } - $block_11 = { 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? FF 9? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 0F 84 } - $block_12 = { 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 45 ?? ?? 45 ?? ?? 48 ?? ?? FF 9? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_13 = { 8D ?? ?? 8B ?? ?? 03 ?? 8B ?? ?? 89 ?? ?? 0F B6 ?? ?? ?? 89 ?? ?? 89 ?? ?? 85 ?? 0F 84 } - $block_14 = { 8D ?? ?? ?? ?? ?? 5? A1 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? FF D? 85 ?? 0F 84 } - $block_15 = { 68 ?? ?? ?? ?? FF 3? ?? ?? ?? ?? FF D? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_16 = { 8D ?? ?? C1 ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 3B ?? 0F 86 } - $block_17 = { 41 ?? ?? ?? ?? ?? 44 ?? ?? 48 ?? ?? 48 ?? ?? ?? ?? 4D ?? ?? 44 ?? ?? ?? ?? 85 ?? 0F 84 } - $block_18 = { 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 33 ?? FF 9? ?? ?? ?? ?? 8B ?? 83 ?? ?? 0F 84 } - $block_19 = { 8B ?? ?? ?? 8B ?? ?? ?? 03 ?? 8B ?? 33 ?? B9 ?? ?? ?? ?? F7 ?? 8B ?? 39 ?? ?? ?? 0F 83 } - $block_20 = { 4C ?? ?? ?? ?? ?? ?? ?? FF 9? 
?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 4C ?? ?? 48 ?? ?? 0F 84 } - $block_21 = { C7 ?? ?? ?? ?? ?? ?? 8B ?? ?? 68 ?? ?? ?? ?? FF D? E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 85 } - $block_22 = { 6A ?? 6A ?? 8D ?? ?? 5? 6A ?? A1 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? FF D? 83 ?? ?? 0F 84 } - $block_23 = { 8B ?? ?? 5? 6A ?? 8B ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 8B ?? ?? 89 ?? 85 ?? 0F 84 } - $block_24 = { 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 6A ?? 6A ?? 8D ?? ?? ?? 5? 5? FF D? 85 ?? 0F 84 } - $block_25 = { 8D ?? ?? 5? 5? 6A ?? 5? 5? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? FF D? 83 ?? ?? 0F 85 } - $block_26 = { 5? 8D ?? ?? ?? 5? 5? 8D ?? ?? ?? 68 ?? ?? ?? ?? 5? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 } - $block_27 = { 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? BE ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 } - $block_28 = { 8D ?? ?? ?? ?? ?? 5? 5? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_29 = { 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? FF 9? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? ?? 0F 84 } - $block_30 = { 8B ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 8B ?? ?? ?? 03 ?? ?? ?? 3B ?? ?? ?? ?? ?? ?? 0F 87 } - $block_31 = { 8B ?? ?? ?? ?? ?? 5? A1 ?? ?? ?? ?? 8B ?? ?? 6A ?? 5? FF D? 8B ?? 83 ?? ?? 0F 84 } - $block_32 = { 6A ?? 6A ?? 8D ?? ?? ?? 5? A1 ?? ?? ?? ?? 5? 8B ?? ?? ?? ?? ?? FF D? 85 ?? 0F 84 } - $block_33 = { 8D ?? ?? 5? 5? 6A ?? 5? 5? A1 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? FF D? 83 ?? ?? 0F 85 } - $block_34 = { 0F 57 ?? 5? 8B ?? ?? 66 ?? ?? ?? ?? ?? ?? ?? 66 ?? ?? ?? ?? ?? ?? ?? 85 ?? 0F 85 } - $block_35 = { 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? 85 ?? 0F 84 } - $block_36 = { A1 ?? ?? ?? ?? 68 ?? ?? ?? ?? 5? FF D? 8B ?? ?? ?? ?? ?? 89 ?? ?? 85 ?? 0F 84 } - $block_37 = { 5? A1 ?? ?? ?? ?? 6A ?? FF 3? ?? ?? ?? ?? 8B ?? ?? FF D? 8B ?? 83 ?? ?? 0F 84 } - $block_38 = { FF 7? ?? 6A ?? FF 3? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 8B ?? ?? 89 ?? 85 ?? 0F 84 } - $block_39 = { 8B ?? ?? ?? 8B ?? ?? ?? 03 ?? 8B ?? 33 ?? B9 ?? ?? ?? ?? F7 ?? 39 ?? ?? 0F 83 } - $block_40 = { 8B ?? ?? ?? ?? ?? 8B ?? 
?? ?? ?? ?? FF D? 8B ?? A1 ?? ?? ?? ?? 3B ?? 0F 84 } - $block_41 = { 0F B7 ?? ?? ?? 66 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? 5? 5? 5? C3 } - $block_42 = { 8B ?? ?? ?? 4? 8A ?? 4? 88 ?? ?? ?? 8A ?? ?? ?? 83 ?? ?? 89 ?? ?? ?? 0F 85 } - $block_43 = { A1 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? FF D? 0F B6 ?? 03 ?? 88 ?? ?? FE ?? EB } - $block_44 = { 8B ?? ?? ?? ?? ?? 4? 83 ?? ?? 89 ?? ?? ?? ?? ?? 3B ?? ?? ?? ?? ?? 0F 82 } - $block_45 = { A1 ?? ?? ?? ?? 8B ?? ?? 68 ?? ?? ?? ?? FF D? A1 ?? ?? ?? ?? 85 ?? 0F 84 } - $block_46 = { A1 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8B ?? ?? FF D? A1 ?? ?? ?? ?? 85 ?? 0F 84 } - $block_47 = { 5? 8B ?? 83 ?? ?? ?? 5? 8B ?? ?? 5? 8B ?? 5? C7 ?? ?? ?? ?? ?? ?? 0F 84 } - $block_48 = { 33 ?? 8B ?? 89 ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_49 = { A1 ?? ?? ?? ?? 6A ?? 8B ?? ?? ?? ?? ?? 6A ?? 6A ?? 5? FF D? 85 ?? 0F 84 } - $block_50 = { 48 ?? ?? ?? ?? ?? ?? FF 9? ?? ?? ?? ?? 0F B6 ?? 03 ?? 88 ?? ?? FE ?? EB } - $block_51 = { 8B ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? ?? 0F 84 } - $block_52 = { 8B ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? 03 ?? 8B ?? 3B ?? ?? ?? ?? ?? ?? 0F 83 } - $block_53 = { 8B ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? 39 ?? ?? ?? 0F 86 } - $block_54 = { BF ?? ?? ?? ?? 5? 8D ?? ?? E8 ?? ?? ?? ?? 8B ?? 89 ?? ?? 85 ?? 0F 84 } - $block_55 = { 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? 0F 84 } - $block_56 = { 0F B6 ?? ?? ?? C6 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? E8 } - $block_57 = { 33 ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? FF 5? ?? 85 ?? 0F 84 } - $block_58 = { 83 ?? ?? ?? 8B ?? ?? 4? 83 ?? ?? 89 ?? ?? 89 ?? ?? 3B ?? ?? 0F 82 } - $block_59 = { 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? FF 5? ?? 83 ?? ?? 0F 85 } - $block_60 = { 48 ?? ?? ?? ?? 8D ?? ?? 48 ?? ?? 8D ?? ?? 0F B6 ?? ?? 40 ?? ?? 74 } - $block_61 = { 68 ?? ?? ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 8B ?? 89 ?? ?? 85 ?? 0F 84 } - $block_62 = { 8D ?? ?? 8B ?? 5? E8 ?? ?? ?? ?? 8B ?? ?? C6 ?? ?? ?? 3B ?? 
0F 86 } - $block_63 = { 83 ?? ?? 5? 5? 8D ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 85 ?? 0F 84 } - $block_64 = { 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 } - $block_65 = { 8B ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? 0F 84 } - $block_66 = { 44 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? 0F 84 } - $block_67 = { 8B ?? ?? 0F B6 ?? ?? ?? 03 ?? 01 ?? ?? 89 ?? ?? 85 ?? 0F 84 } - $block_68 = { 8B ?? ?? A1 ?? ?? ?? ?? 8B ?? ?? 5? 5? FF D? 83 ?? ?? 0F 85 } - $block_69 = { 83 ?? ?? 5? 5? 8D ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 } - $block_70 = { 4C ?? ?? 8D ?? ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 } - $block_71 = { 68 ?? ?? ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? 85 ?? 0F 84 } - $block_72 = { 4? 8B ?? BE ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 3B ?? ?? 0F 83 } - $block_73 = { 8B ?? ?? 5? FF 1? ?? ?? ?? ?? 8D ?? ?? ?? 29 ?? ?? 0F 88 } - $block_74 = { B9 ?? ?? ?? ?? 01 ?? ?? 29 ?? ?? 4? 89 ?? ?? 3B ?? 0F 82 } - $block_75 = { FF 7? ?? A1 ?? ?? ?? ?? 5? 8B ?? ?? FF D? 83 ?? ?? 0F 85 } - $block_76 = { FF 1? ?? ?? ?? ?? 33 ?? 89 ?? ?? ?? 3D ?? ?? ?? ?? 0F 85 } - $block_77 = { 0F B6 ?? ?? 01 ?? ?? 0F B6 ?? 01 ?? ?? 83 ?? ?? 4? 75 } - $block_78 = { 8B ?? ?? 8D ?? ?? 03 ?? 2B ?? 89 ?? ?? 83 ?? ?? 0F 83 } - $block_79 = { 8D ?? ?? BA ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 3B ?? 0F 83 } - $block_80 = { 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 0F BE ?? ?? 85 ?? 0F 84 } - $block_81 = { 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 0F 1F } - $block_82 = { A1 ?? ?? ?? ?? 8B ?? ?? FF D? 3D ?? ?? ?? ?? 0F 85 } - $block_83 = { 8B ?? ?? 8A ?? ?? ?? 0F B6 ?? 8D ?? ?? 83 ?? ?? 77 } - $block_84 = { 48 ?? ?? ?? ?? ?? ?? FF 5? ?? 3D ?? ?? ?? ?? 0F 85 } - $block_85 = { 0F B7 ?? ?? ?? 0F B7 ?? ?? ?? ?? ?? 03 ?? 8B ?? 66 } - $block_86 = { 8B ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 0F B6 ?? ?? 89 } - $block_87 = { 0F B6 ?? ?? 03 ?? 0F B6 ?? 03 ?? 83 ?? ?? 4? 75 } - $block_88 = { 8D ?? ?? 81 F? ?? ?? ?? ?? B8 ?? ?? ?? ?? 0F 44 } - $block_89 = { 0F B6 ?? ?? 03 ?? 0F B6 ?? 03 ?? 8D ?? ?? 4? 
75 } - $block_90 = { 89 ?? ?? ?? ?? ?? ?? 3B ?? ?? ?? ?? ?? ?? 0F 83 } - $block_91 = { 8B ?? ?? ?? ?? ?? ?? 39 ?? ?? ?? ?? ?? ?? 0F 8D } - $block_92 = { 8D ?? ?? ?? 41 ?? ?? 03 ?? 2B ?? 83 ?? ?? 0F 83 } - $block_93 = { 8B ?? ?? ?? ?? ?? ?? 39 ?? ?? ?? ?? ?? ?? 0F 83 } - $block_94 = { 8B ?? ?? ?? ?? ?? ?? 39 ?? ?? ?? ?? ?? ?? 0F 87 } - - condition: - hash.sha256(0, filesize) == "19d05f9a5eacb4acd748cfbf7640b842fd6ed1f4f25dc5bbe592e0e802f7ab0f" or - hash.sha256(0, filesize) == "69a49e535d635b55efdc1c0e5e923891832089ab1fec0ea406f4798605e42ef1" or - hash.sha256(0, filesize) == "02be8ba0c1d64099f0529dab3251ee6e5602493085e54abe739659abc2ea050c" or - hash.sha256(0, filesize) == "3580a48e47119fd36913b0108cce9b20a1adf0a2458c2b33f0d9a7df1fe140ef" or - hash.sha256(0, filesize) == "a939510f362c50cafee4d5a8d6c7db555a819e78e9f7614a243f6adc59190745" or - hash.sha256(0, filesize) == "a64340b35668f375a321cb7ee0e027391d875f64cf4f3780c83fb4e84a43c8f9" or - hash.sha256(0, filesize) == "74c404cfc6e8c752635b4d8a0488d0fb6801c7096fa5c1173660da0b05f44f9e" or - hash.sha256(0, filesize) == "c808c38fd8157e3e0fadadd6a1748e302bd0e69429697625f53ad692c539b241" or - hash.sha256(0, filesize) == "43e0f9b4cb9186ededff44a79db89627ce1be2fcd0d96d727aca525a0736efc9" or - hash.sha256(0, filesize) == "baaf5fa70b68ec9c1847d8784227e0f2dcf48d02a203f7cbffc113f4cec0f006" or - hash.sha256(0, filesize) == "ba1c02aa6c12794a33c4742e62cbda3c17def08732f3fbaeb801f1806770b9a0" or - hash.sha256(0, filesize) == "9a508287e3089d1d838271c9f19e659ea2d4b0a47de7faa7ad09191a758de862" or - hash.sha256(0, filesize) == "0260ed46bdf7d903ac06292a39568040fed63f4aae0a723216e53a2b29730052" or - hash.sha256(0, filesize) == "37bf2c811842972314956434449fd294e793b43c1a7b37cfe41af4fcc07d329d" or - hash.sha256(0, filesize) == "11097a7a3336e0ab124fa921b94e3d51c4e9e4424e140e96127bfcf1c10ef110" or - hash.sha256(0, filesize) == "a9dc96d45702538c2086a749ba2fb467ba8d8b603e513bdef62a024dfeb124cb" or - 12 of them -} - -rule SeduploaderPayload { - 
meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { 5? 8B ?? 83 ?? ?? 5? 5? 33 ?? 5? 6A ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 84 } - $block_1 = { 5? 8B ?? 83 ?? ?? 5? 8D ?? ?? 33 ?? 5? 68 ?? ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 5? 5? 85 ?? 0F 84 } - $block_2 = { 5? 8B ?? 83 ?? ?? 83 ?? ?? ?? 8D ?? ?? 5? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 5? 5? 85 ?? 0F 84 } - $block_3 = { 5? 33 ?? 6A ?? 5? F7 ?? 0F 90 ?? F7 ?? 0B ?? 5? E8 ?? ?? ?? ?? 8B ?? 89 ?? ?? 5? 85 ?? 75 } - $block_4 = { 5? 8B ?? 83 ?? ?? 5? 5? 5? 8B ?? ?? 8B ?? 6A ?? 5? E8 ?? ?? ?? ?? 8B ?? 5? 5? 85 ?? 0F 84 } - $block_5 = { FF 7? ?? 5? FF 7? ?? E8 ?? ?? ?? ?? 33 ?? 4? 85 ?? 5? 0F 45 ?? E8 ?? ?? ?? ?? 83 } - $block_6 = { 8B ?? 83 ?? ?? 89 ?? 33 ?? 39 ?? 0F 45 ?? 03 ?? 89 ?? ?? 8D ?? ?? 3B ?? 72 } - $block_7 = { 8D ?? ?? 89 ?? ?? 5? FF 7? ?? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 84 } - $block_8 = { 5? 5? 6A ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 84 } - $block_9 = { 5? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 5? 5? 85 ?? 0F 84 } - $block_10 = { 5? 83 ?? ?? 6A ?? 5? E8 ?? ?? ?? ?? 8B ?? 5? 5? 85 ?? 0F 84 } - $block_11 = { 5? 8B ?? 83 ?? ?? 5? 8B ?? 5? 33 ?? 8B ?? 85 ?? 0F 84 } - $block_12 = { 85 ?? 89 ?? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? 0F 44 } - - condition: - hash.sha256(0, filesize) == "de660457cab011deedf4c1a142021b8702ab94ce71dc5e0c75300253e7db3ee0" or - 12 of them -} - -rule CarbonDropper_v3_71_ { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { 5? 8B ?? 81 E? ?? ?? ?? ?? 0F B6 ?? ?? ?? ?? ?? A1 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? A1 ?? ?? ?? ?? 88 ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? 8A ?? ?? ?? ?? ?? 5? 89 ?? ?? 66 ?? ?? ?? ?? ?? 89 ?? ?? 0F B6 ?? ?? ?? ?? ?? 88 ?? ?? 8B ?? ?? ?? ?? ?? 5? 66 ?? ?? ?? A1 ?? ?? ?? ?? 33 ?? 5? 89 ?? ?? 8B ?? ?? ?? ?? ?? 88 ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? A1 ?? ?? ?? ?? 68 ?? ?? ?? ?? 89 ?? ?? 89 ?? ?? 66 ?? ?? ?? ?? ?? ?? 89 ?? ?? 33 ?? 
8D ?? ?? ?? ?? ?? 5? 5? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? 66 ?? ?? ?? C6 ?? ?? ?? 89 ?? ?? 89 ?? ?? 89 ?? ?? 89 ?? ?? 66 ?? ?? ?? 88 ?? ?? 89 ?? ?? 89 ?? ?? 89 ?? ?? 89 ?? ?? 89 ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 8D ?? ?? 5? 8D ?? ?? 5? 8D ?? ?? 5? 8D ?? ?? 5? 8D ?? ?? 5? 8D ?? ?? 5? 8D ?? ?? 5? 8D ?? ?? 5? 8D ?? ?? 5? 8D ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 83 ?? ?? 68 ?? ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 6A ?? 6A ?? 5? 5? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 5? 5? 6A ?? 8D ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 84 ?? 74 } - $block_1 = { 5? 8B ?? 83 ?? ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 5? 5? 5? 33 ?? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 5? 5? C6 ?? ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 8D ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? C6 ?? ?? ?? ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 68 ?? ?? ?? ?? 8D ?? ?? ?? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 33 ?? 89 ?? ?? ?? 89 ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? 8D ?? ?? ?? 5? 6A ?? 5? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 } - $block_2 = { 5? 8B ?? 81 E? ?? ?? ?? ?? 5? 5? 33 ?? 5? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? 5? 89 ?? ?? 89 ?? ?? 89 ?? ?? 89 ?? ?? 89 ?? ?? 88 ?? ?? E8 ?? ?? ?? ?? 33 ?? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? 5? 89 ?? ?? 89 ?? ?? 89 ?? ?? 89 ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 33 ?? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? 5? 89 ?? ?? 89 ?? ?? 89 ?? ?? 89 ?? ?? 89 ?? ?? 89 ?? ?? 
89 ?? ?? 89 ?? ?? 89 ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? 5? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? 5? E8 ?? ?? ?? ?? 33 ?? 83 ?? ?? 89 ?? ?? 89 ?? ?? 89 ?? ?? 89 ?? ?? 89 ?? ?? 39 ?? ?? 0F 84 } - $block_3 = { 5? 8B ?? 81 E? ?? ?? ?? ?? 5? 5? 5? 33 ?? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? 5? 89 ?? ?? C6 ?? ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? 5? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? 5? E8 ?? ?? ?? ?? 8B ?? ?? 83 ?? ?? 85 ?? 0F 84 } - $block_4 = { 0F B7 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 5? 8D ?? ?? 68 ?? ?? ?? ?? 5? FF D? 83 ?? ?? 6A ?? 8D ?? ?? 5? 8D ?? ?? 5? 8D ?? ?? 5? 8D ?? ?? 5? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? 8D ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_5 = { FF 1? ?? ?? ?? ?? 83 ?? ?? 5? FF 1? ?? ?? ?? ?? 83 ?? ?? 5? FF 1? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 83 ?? ?? 68 ?? ?? ?? ?? FF D? 83 ?? ?? 8B ?? 68 ?? ?? ?? ?? 89 ?? ?? ?? FF D? 83 ?? ?? 89 ?? ?? ?? 3B ?? 0F 84 } - $block_6 = { 5? 6A ?? FF D? 5? FF 1? ?? ?? ?? ?? 8B ?? ?? 5? 6A ?? FF D? 5? FF D? 8B ?? ?? 5? 6A ?? 8B ?? FF D? 5? FF D? 89 ?? ?? 8B ?? ?? 5? 6A ?? FF D? 5? FF D? 85 ?? 0F 84 } - $block_7 = { 68 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 8B ?? 83 ?? ?? 5? 68 ?? ?? ?? ?? 6A ?? 5? 6A ?? 6A ?? 5? 89 ?? ?? FF 1? ?? ?? ?? ?? 8B ?? 83 ?? ?? 0F 84 } - $block_8 = { 8B ?? ?? ?? 8B ?? ?? ?? 5? 5? 6A ?? 6A ?? 68 ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 } - $block_9 = { 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 5? 5? FF 1? ?? ?? ?? ?? 89 ?? ?? ?? 85 ?? 0F 85 } - - condition: - hash.sha256(0, filesize) == "3b8bd0a0c6069f2d27d759340721b78fd289f92e0a13965262fea4e8907af122" or - 10 of them -} - -rule Mosquito { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { 33 ?? 8D ?? ?? ?? BA ?? ?? ?? ?? F7 ?? 0F 90 ?? F7 ?? 0B ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 76 } - $block_1 = { 8D ?? ?? ?? 5? 68 ?? ?? ?? ?? 6A ?? 5? 68 ?? ?? ?? ?? 89 ?? ?? ?? FF 1? ?? ?? ?? ?? 3B ?? 0F 8C } - $block_2 = { 8B ?? 
89 ?? ?? 8D ?? ?? 5? 68 ?? ?? ?? ?? 6A ?? FF 1? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_3 = { E8 ?? ?? ?? ?? 8B ?? ?? ?? 8B ?? ?? 8B ?? 8B ?? ?? 83 ?? ?? 5? 8B ?? ?? ?? 5? FF D? 85 ?? 0F 84 } - $block_4 = { C7 ?? ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? 8B ?? ?? ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 3B ?? 0F 85 } - $block_5 = { 8B ?? ?? 8B ?? 8B ?? ?? 8D ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? ?? 5? FF D? 8B ?? ?? ?? 85 ?? 0F 85 } - $block_6 = { 8D ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 8B ?? ?? ?? 8B ?? 8B ?? ?? 5? FF D? 8B ?? ?? ?? 85 ?? 0F 85 } - $block_7 = { 8D ?? ?? ?? 5? 8D ?? ?? ?? 5? 5? 5? 68 ?? ?? ?? ?? 8B ?? E8 ?? ?? ?? ?? 8B ?? 3B ?? 0F 85 } - $block_8 = { 2B ?? D1 ?? 5? 8D ?? ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? 3B ?? 0F 86 } - $block_9 = { 8B ?? 8D ?? ?? ?? 5? 8D ?? ?? ?? 5? 6A ?? 6A ?? 5? 8B ?? ?? FF D? 83 ?? ?? ?? ?? 0F 84 } - $block_10 = { 8D ?? ?? ?? 5? BB ?? ?? ?? ?? 8B ?? 8D ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 0F 84 } - $block_11 = { 8B ?? ?? ?? 33 ?? 33 ?? C7 ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_12 = { 8B ?? ?? ?? ?? ?? ?? 8D ?? ?? ?? 5? 5? 6A ?? 5? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_13 = { 5? 68 ?? ?? ?? ?? FF D? FF 1? ?? ?? ?? ?? 33 ?? 83 ?? ?? 0F 95 ?? 8B ?? 3B ?? 74 } - $block_14 = { 2B ?? ?? B8 ?? ?? ?? ?? F7 ?? 03 ?? C1 ?? ?? 8B ?? C1 ?? ?? 03 ?? 83 ?? ?? 0F 83 } - $block_15 = { 8D ?? ?? ?? 5? 8B ?? 8D ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 0F 84 } - $block_16 = { 8D ?? ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? 85 ?? 0F 84 } - $block_17 = { 5? E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? E8 ?? ?? ?? ?? 8B ?? 3B ?? 0F 85 } - $block_18 = { 8D ?? ?? ?? 5? 5? FF 1? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? 3B ?? 0F 84 } - $block_19 = { 8B ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 88 ?? ?? ?? ?? ?? 3B ?? 0F 84 } - $block_20 = { 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 85 ?? 0F 85 } - $block_21 = { 5? E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 85 } - $block_22 = { 5? 5? 5? 6A ?? 5? 5? 5? 6A ?? 5? FF 1? 
?? ?? ?? ?? 85 ?? 0F 8C } - $block_23 = { E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? E8 ?? ?? ?? ?? 8B ?? 3B ?? 0F 85 } - $block_24 = { 68 ?? ?? ?? ?? 8D ?? ?? ?? 5? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_25 = { 8B ?? ?? 8B ?? 8B ?? ?? FF D? 8B ?? ?? 2B ?? 83 ?? ?? 0F 82 } - $block_26 = { 2B ?? D1 ?? B9 ?? ?? ?? ?? 2B ?? 8B ?? ?? ?? 3B ?? 0F 87 } - $block_27 = { 83 ?? ?? 89 ?? ?? ?? ?? ?? ?? 39 ?? ?? ?? ?? ?? ?? 0F 87 } - $block_28 = { 33 ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 85 } - $block_29 = { 8B ?? ?? ?? FF 4? ?? ?? 01 ?? 03 ?? 3B ?? ?? 0F 83 } - $block_30 = { 0F B7 ?? 66 ?? ?? 83 ?? ?? 83 ?? ?? 66 ?? ?? 75 } - $block_31 = { 0F B7 ?? B9 ?? ?? ?? ?? 83 ?? ?? 66 ?? ?? 0F 84 } - - condition: - hash.sha256(0, filesize) == "b4249f6af24ea89976f3f7d9e3a605ccfbfe768069891f62c48df950d9212093" or - hash.sha256(0, filesize) == "a2af1e9af48c4fa52a52ffba734ffeaa46c17d7320137d51dbd15539cc4cef8b" or - hash.sha256(0, filesize) == "443cd03b37fca8a5df1bbaa6320649b441ca50d1c1fcc4f5a7b94b95040c73d1" or - hash.sha256(0, filesize) == "62209d2f0ceeff20534292d5a58ed532c960579b75927321f4f7c7e7079dd06a" or - hash.sha256(0, filesize) == "a41a80cd7a485e5bcb038b0170e70a25040c71a41dad4bc2c8f3915fbcbeac0c" or - hash.sha256(0, filesize) == "555efee854fd1ffe71bc6130ec51995f89ceb93b9ee0e6e22d9c911d0adf7699" or - hash.sha256(0, filesize) == "f9b83eff6d705c214993be9575f8990aa8150128a815e849c6faee90df14a0ea" or - hash.sha256(0, filesize) == "2bc291368b3819de13a3aa8365f22de94acebf2f93133c38bfdade770c9d8f1e" or - hash.sha256(0, filesize) == "bdcc7e900f10986cdb6dc7762de35b4f07f2ee153a341bef843b866e999d73a3" or - 12 of them -} - -rule CarbonLoader_v3_77_ { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { 40 ?? 5? 5? 41 ?? 41 ?? 41 ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 45 ?? ?? 4C ?? ?? 48 ?? ?? 48 ?? ?? ?? ?? ?? ?? 33 ?? 41 ?? ?? ?? ?? ?? 44 ?? ?? ?? ?? ?? ?? 44 ?? ?? ?? ?? ?? ?? 44 ?? ?? ?? ?? ?? ?? 41 ?? ?? 45 ?? ?? E8 ?? ?? ?? ?? 
33 ?? 48 ?? ?? ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 33 ?? 48 ?? ?? ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 33 ?? 41 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? 33 ?? 41 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 89 ?? ?? ?? 4D ?? ?? 0F 84 } - $block_1 = { 8B ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? FF C? 48 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 48 ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 45 ?? ?? 45 ?? ?? 33 ?? 33 ?? FF 1? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? 0F 84 } - $block_2 = { 44 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 4C ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_3 = { 40 ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 33 ?? 33 ?? 41 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? ?? 33 ?? 41 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_4 = { 33 ?? 48 ?? ?? ?? 48 ?? ?? 66 ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 0F B7 ?? ?? ?? ?? ?? 66 ?? ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? 74 } - $block_5 = { 33 ?? 48 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 66 ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 8B ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 89 ?? ?? FF 1? ?? ?? ?? ?? 4C ?? ?? 48 ?? ?? ?? 0F 84 } - $block_6 = { 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 45 ?? ?? FF 1? ?? ?? ?? ?? 48 ?? 
?? ?? ?? ?? ?? 48 ?? ?? 0F 84 } - $block_7 = { 4C ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 4C ?? ?? FF 1? ?? ?? ?? ?? 83 ?? ?? 0F 85 } - $block_8 = { 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_9 = { 48 ?? ?? ?? 48 ?? ?? ?? ?? 33 ?? 48 ?? ?? 66 ?? ?? 48 ?? ?? 48 ?? ?? 0F 84 } - - condition: - hash.sha256(0, filesize) == "050685f211158109fb1b17096b3739750e74049fe9057ad3503d96174b42891a" or - 10 of them -} - -rule CarbonLoader_v3_71_ { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { 40 ?? 5? 5? 41 ?? 41 ?? 41 ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 45 ?? ?? 4C ?? ?? 48 ?? ?? 48 ?? ?? ?? ?? ?? ?? 33 ?? 41 ?? ?? ?? ?? ?? 44 ?? ?? ?? ?? ?? ?? 44 ?? ?? ?? ?? ?? ?? 44 ?? ?? ?? ?? ?? ?? 41 ?? ?? 45 ?? ?? E8 ?? ?? ?? ?? 33 ?? 48 ?? ?? ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 33 ?? 48 ?? ?? ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 33 ?? 41 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? 33 ?? 41 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 89 ?? ?? ?? 4D ?? ?? 0F 84 } - $block_1 = { 44 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 4C ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_2 = { 40 ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 33 ?? 33 ?? 41 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? ?? 33 ?? 41 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_3 = { 33 ?? 48 ?? ?? ?? 48 ?? ?? 66 ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? ?? 
?? ?? 48 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 0F B7 ?? ?? ?? ?? ?? 66 ?? ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? 74 } - $block_4 = { 33 ?? 48 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 66 ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 8B ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 89 ?? ?? FF 1? ?? ?? ?? ?? 4C ?? ?? 48 ?? ?? ?? 0F 84 } - $block_5 = { 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 45 ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? 0F 84 } - $block_6 = { 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_7 = { 4C ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 4C ?? ?? FF 1? ?? ?? ?? ?? 83 ?? ?? 0F 85 } - $block_8 = { 48 ?? ?? ?? 48 ?? ?? ?? ?? 33 ?? 48 ?? ?? 66 ?? ?? 48 ?? ?? 48 ?? ?? 0F 84 } - $block_9 = { 0F B7 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 66 ?? ?? ?? ?? ?? ?? ?? 66 ?? ?? 75 } - - condition: - hash.sha256(0, filesize) == "31b176b9906211c14ee5b9cff4c56f71866ec47d7f7c783aeb31692168d66566" or - hash.sha256(0, filesize) == "1a488c6824bd39f3568346b2aaf3f6666f41b1d4961a2d77360c7c65c7978b5e" or - hash.sha256(0, filesize) == "02f9501cb01b375e752a9cc4aa5ee084a504944bdc853e1bdfc860dd76e0d198" or - hash.sha256(0, filesize) == "ba9a87ba0ad1a4f4e81583a1449b20bf703cdbee6b1a639c13f4cbcd1b9eb57f" or - 10 of them -} - -rule UroburosVirtualBoxDriver { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { 8B ?? 48 ?? ?? ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? ?? 48 ?? ?? ?? 3B ?? 0F 46 ?? 85 ?? 74 } - $block_1 = { 48 ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 49 ?? ?? ?? 48 ?? ?? 0F 85 } - $block_2 = { 48 ?? ?? ?? E8 ?? ?? ?? ?? 4D ?? ?? ?? 4C ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 0F 84 } - $block_3 = { 8B ?? 48 ?? ?? ?? ?? 41 ?? ?? C1 ?? ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 8B ?? 0F 88 } - $block_4 = { 45 ?? ?? ?? 45 ?? ?? ?? 65 ?? ?? ?? ?? ?? ?? ?? 4C ?? ?? ?? ?? 33 ?? 0F B6 ?? 3B ?? 74 } - $block_5 = { 48 ?? ?? 49 ?? ?? ?? 4D ?? ?? ?? 
45 ?? ?? ?? E8 ?? ?? ?? ?? 49 ?? ?? ?? 48 ?? ?? 0F 84 } - $block_6 = { B8 ?? ?? ?? ?? 0F A2 3D ?? ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 72 } - $block_7 = { B8 ?? ?? ?? ?? 0F A2 0F BA ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 72 } - $block_8 = { 48 ?? ?? ?? ?? C1 ?? ?? 41 ?? ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 8B ?? 0F 88 } - $block_9 = { 8B ?? B8 ?? ?? ?? ?? 81 F? ?? ?? ?? ?? 0F 44 ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? 5? C3 } - $block_10 = { 48 ?? ?? ?? ?? 8B ?? 41 ?? ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 8B ?? 0F 88 } - $block_11 = { 49 ?? ?? ?? 49 ?? ?? ?? 45 ?? ?? 48 ?? ?? 4D ?? ?? ?? 4C ?? ?? 48 ?? ?? 0F 84 } - $block_12 = { 33 ?? 0F A2 83 ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 72 } - $block_13 = { 48 ?? ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? B8 ?? ?? ?? ?? 85 ?? 0F 49 } - $block_14 = { B9 ?? ?? ?? ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? 0F 84 } - $block_15 = { 4C ?? ?? ?? 48 ?? ?? ?? 49 ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? 0F 85 } - $block_16 = { 40 ?? 5? 48 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? 48 ?? ?? 0F 84 } - $block_17 = { 8B ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? 0F 92 ?? 84 ?? 0F 84 } - $block_18 = { 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? 0F 84 } - $block_19 = { 48 ?? ?? ?? E8 ?? ?? ?? ?? 49 ?? ?? ?? 48 ?? ?? 0F 84 } - $block_20 = { 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 8B ?? 0F 88 } - - condition: - hash.sha256(0, filesize) == "cf3a7d4285d65bf8688215407bce1b51d7c6b22497f09021f0fce31cbeb78986" or - 12 of them -} - -rule CarbonCommunicationLibrary_v3_62_ { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { 8B ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? 83 ?? ?? 83 ?? ?? 89 ?? ?? ?? ?? ?? ?? 0F 8C } - $block_1 = { 8B ?? 48 ?? ?? ?? ?? ?? ?? 8D ?? ?? 4C ?? ?? 4C ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? 0F 84 } - $block_2 = { 48 ?? ?? FF 1? ?? ?? ?? ?? 49 ?? ?? 33 ?? 89 ?? ?? ?? FF 1? ?? ?? ?? ?? 49 ?? ?? 48 ?? ?? 0F 84 } - $block_3 = { 8D ?? ?? ?? 5? 8D ?? ?? ?? 
5? 8D ?? ?? ?? 5? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 84 ?? 0F 84 } - $block_4 = { 5? 68 ?? ?? ?? ?? 6A ?? 5? 5? 68 ?? ?? ?? ?? FF 7? ?? FF 1? ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 0F 84 } - $block_5 = { 48 ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? E8 ?? ?? ?? ?? 45 ?? ?? 41 ?? ?? 0F 85 } - $block_6 = { 48 ?? ?? ?? ?? ?? ?? ?? 0F B7 ?? ?? ?? ?? ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 49 ?? ?? 48 ?? ?? 75 } - $block_7 = { 48 ?? ?? ?? ?? ?? ?? 4D ?? ?? 41 ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? ?? ?? ?? 0F 84 } - $block_8 = { 41 ?? ?? 41 ?? ?? 41 ?? ?? 41 ?? ?? 3B ?? 0F 4C ?? 41 ?? ?? 2B ?? 83 ?? ?? 85 ?? 48 ?? ?? 7E } - $block_9 = { 41 ?? ?? 44 ?? ?? 41 ?? ?? 45 ?? ?? 41 ?? ?? 41 ?? ?? 0F 4C ?? 8B ?? 2B ?? 85 ?? 48 ?? ?? 7E } - $block_10 = { 44 ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 45 ?? ?? 44 ?? ?? 48 ?? ?? ?? ?? 0F 85 } - $block_11 = { 48 ?? ?? ?? ?? 5? 5? 5? 41 ?? 41 ?? 41 ?? 41 ?? 48 ?? ?? ?? 48 ?? ?? 48 ?? ?? 83 ?? ?? 0F 8E } - $block_12 = { 48 ?? ?? ?? ?? ?? ?? BA ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 40 ?? ?? ?? 85 ?? 0F 44 ?? 40 ?? ?? 74 } - $block_13 = { 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 40 ?? ?? 0F 84 } - $block_14 = { FF 7? ?? FF 1? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? FF 7? ?? FF 1? ?? ?? ?? ?? 85 ?? 5? 5? 0F 85 } - $block_15 = { FF 7? ?? FF 7? ?? FF 1? ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 39 ?? ?? 0F 84 } - $block_16 = { 48 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? 0F 86 } - $block_17 = { 89 ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? 99 83 ?? ?? 03 ?? 83 ?? ?? 2B ?? 49 ?? ?? 8D ?? ?? ?? 75 } - $block_18 = { 48 ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? FF 1? ?? ?? ?? ?? 49 ?? ?? 0F 85 } - $block_19 = { 8B ?? 33 ?? 45 ?? ?? 21 ?? ?? ?? 99 45 ?? ?? 45 ?? ?? 4D ?? ?? 41 ?? ?? 85 ?? 4C ?? ?? 7E } - $block_20 = { 8B ?? 99 F7 ?? 83 ?? ?? ?? 8A ?? 83 ?? ?? ?? 33 ?? 4? 89 ?? ?? 88 ?? ?? 85 ?? 89 ?? ?? 7E } - $block_21 = { 48 ?? ?? ?? ?? ?? ?? 4C ?? ?? BA ?? ?? ?? 
?? FF 1? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? 0F 84 } - $block_22 = { 48 ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 33 ?? 89 ?? ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 0F 84 } - $block_23 = { 44 ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? 41 ?? ?? ?? 49 ?? ?? E8 ?? ?? ?? ?? 3B ?? 0F 84 } - $block_24 = { 8B ?? ?? ?? ?? ?? 48 ?? ?? ?? 8D ?? ?? 41 ?? ?? ?? 3B ?? 48 ?? ?? ?? ?? ?? ?? ?? 0F 8C } - $block_25 = { 44 ?? ?? 4C ?? ?? 33 ?? 48 ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 } - $block_26 = { 4C ?? ?? ?? ?? ?? ?? 33 ?? 8B ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? ?? ?? ?? 0F 84 } - $block_27 = { 48 ?? ?? B8 ?? ?? ?? ?? 83 ?? ?? ?? 0F 45 ?? 48 ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? 83 } - $block_28 = { 44 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 41 ?? ?? ?? 0F B6 ?? ?? 2B ?? ?? ?? ?? ?? ?? 75 } - $block_29 = { 48 ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 33 ?? 44 ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 0F 84 } - $block_30 = { 8B ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? ?? 8B ?? ?? 99 2B ?? 83 ?? ?? F7 ?? 8D ?? ?? EB } - $block_31 = { 5? FF 7? ?? E8 ?? ?? ?? ?? 5? 4? 5? FF 7? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 3B ?? 0F 85 } - $block_32 = { 45 ?? ?? 49 ?? ?? 45 ?? ?? 49 ?? ?? 4C ?? ?? ?? ?? 48 ?? ?? ?? ?? 4C ?? ?? 0F 8E } - $block_33 = { 48 ?? ?? FF 1? ?? ?? ?? ?? 49 ?? ?? 33 ?? 8B ?? FF 1? ?? ?? ?? ?? 49 ?? ?? 0F 84 } - $block_34 = { 41 ?? ?? 48 ?? ?? 41 ?? ?? 3B ?? 0F 4C ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? 74 } - $block_35 = { 49 ?? ?? 8B ?? 48 ?? ?? ?? 83 ?? ?? 0F A3 ?? ?? 41 ?? ?? 44 ?? ?? ?? 41 ?? ?? 79 } - $block_36 = { 48 ?? ?? ?? 45 ?? ?? 41 ?? ?? ?? ?? ?? 49 ?? ?? FF 1? ?? ?? ?? ?? 83 ?? ?? 0F 84 } - $block_37 = { 4C ?? ?? ?? ?? ?? ?? ?? BA ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 49 ?? ?? 48 ?? ?? 0F 84 } - $block_38 = { 8B ?? ?? 89 ?? ?? 2B ?? ?? 03 ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 5? 89 ?? ?? 0F 84 } - $block_39 = { 0F B6 ?? 23 ?? ?? 8B ?? ?? D3 ?? 8B ?? ?? D2 ?? 08 ?? ?? FF 4? ?? 83 ?? ?? ?? 7C } - $block_40 = { 8B ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? 5? FF D? 85 ?? 5? 5? 0F 84 } - $block_41 = { 48 ?? 
?? ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 0F B6 } - $block_42 = { 48 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 45 ?? ?? FF 1? ?? ?? ?? ?? 41 ?? ?? 0F 85 } - $block_43 = { 5? FF 1? ?? ?? ?? ?? 5? 5? 5? 89 ?? ?? ?? FF D? 3B ?? 5? 5? 89 ?? ?? ?? 0F 84 } - $block_44 = { FF 4? ?? 81 6? ?? ?? ?? ?? ?? FF 4? ?? 29 ?? ?? 4? 83 ?? ?? ?? 89 ?? ?? 0F 8F } - $block_45 = { 8B ?? ?? ?? ?? ?? ?? 8D ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? 0F 84 } - $block_46 = { 48 ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? 49 ?? ?? 45 ?? ?? 41 ?? ?? 48 ?? ?? 0F 84 } - $block_47 = { 48 ?? ?? ?? 48 ?? ?? ?? ?? 8B ?? ?? 89 ?? ?? ?? 8B ?? ?? 39 ?? ?? 0F 8F } - $block_48 = { 8B ?? ?? 33 ?? 89 ?? ?? 8B ?? ?? ?? ?? ?? 3B ?? 89 ?? ?? 89 ?? ?? 0F 8E } - $block_49 = { 5? 8B ?? 83 ?? ?? A1 ?? ?? ?? ?? 5? 5? 33 ?? 33 ?? 3B ?? 89 ?? ?? 0F 84 } - $block_50 = { FF 7? ?? 6A ?? FF 3? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 3B ?? 89 ?? ?? 0F 84 } - $block_51 = { E8 ?? ?? ?? ?? 99 B9 ?? ?? ?? ?? F7 ?? 5? FF 1? ?? ?? ?? ?? 83 ?? ?? 72 } - $block_52 = { 8B ?? ?? ?? ?? ?? ?? 45 ?? ?? 41 ?? ?? 69 ?? ?? ?? ?? ?? 3B ?? 0F 87 } - $block_53 = { 83 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 0F 87 } - $block_54 = { 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 0F 84 } - $block_55 = { 48 ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 85 ?? 8B ?? 0F 85 } - $block_56 = { 8B ?? 99 F7 ?? ?? 33 ?? 89 ?? ?? 88 ?? ?? 89 ?? ?? 3B ?? 89 ?? ?? 7E } - $block_57 = { 8B ?? 99 B9 ?? ?? ?? ?? F7 ?? 8B ?? ?? ?? 8B ?? 2B ?? 89 ?? ?? ?? EB } - $block_58 = { 48 ?? ?? ?? ?? ?? ?? ?? 49 ?? ?? FF 1? ?? ?? ?? ?? 83 ?? ?? 0F 84 } - $block_59 = { 48 ?? ?? ?? ?? ?? ?? 33 ?? FF 1? ?? ?? ?? ?? 33 ?? 48 ?? ?? 0F 84 } - $block_60 = { 48 ?? ?? ?? ?? 83 ?? ?? 48 ?? ?? ?? ?? 0F 93 ?? 48 ?? ?? ?? 5? C3 } - $block_61 = { C6 ?? ?? ?? ?? ?? ?? ?? 0F B7 ?? ?? 66 ?? ?? ?? ?? 48 ?? ?? ?? 75 } - $block_62 = { 8B ?? ?? 03 ?? ?? 5? 99 2B ?? 5? 8B ?? ?? 8B ?? D1 ?? 3B ?? 5? 7D } - $block_63 = { 5? 8B ?? 83 ?? ?? 5? 33 ?? 5? 8B ?? ?? 
39 ?? 89 ?? 89 ?? ?? 0F 84 } - $block_64 = { 5? 8B ?? 83 ?? ?? 5? 8B ?? ?? 33 ?? 39 ?? 5? 89 ?? 89 ?? ?? 0F 84 } - $block_65 = { 5? FF 1? ?? ?? ?? ?? 5? 5? 5? 89 ?? ?? ?? FF D? 85 ?? 5? 5? 0F 84 } - $block_66 = { 0F B7 ?? ?? ?? 5? FF 7? ?? ?? E8 ?? ?? ?? ?? 8B ?? 85 ?? 5? 5? 74 } - $block_67 = { 8B ?? ?? 83 ?? ?? 5? 8B ?? ?? 03 ?? E8 ?? ?? ?? ?? 85 ?? 5? 0F 84 } - $block_68 = { 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? FF 1? ?? ?? ?? ?? 49 ?? ?? 0F 85 } - $block_69 = { 8B ?? ?? ?? 41 ?? ?? ?? ?? 0F BA ?? ?? 83 ?? ?? 41 ?? ?? 0F 8E } - $block_70 = { 48 ?? ?? ?? ?? 45 ?? ?? 45 ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 } - $block_71 = { 48 ?? ?? 44 ?? ?? ?? ?? ?? ?? ?? 4C ?? ?? ?? ?? ?? ?? ?? 0F 8F } - $block_72 = { 8B ?? 85 ?? 0F 44 ?? C1 ?? ?? 89 ?? ?? 48 ?? ?? ?? 48 ?? ?? 75 } - $block_73 = { 5? FF 1? ?? ?? ?? ?? 5? 5? 5? 89 ?? ?? FF D? 3B ?? 5? 5? 0F 84 } - $block_74 = { 8B ?? ?? ?? ?? ?? 33 ?? 3B ?? 89 ?? ?? 89 ?? ?? 89 ?? ?? 0F 8E } - $block_75 = { 8B ?? E8 ?? ?? ?? ?? 8B ?? ?? 2B ?? 4? 99 F7 ?? 8B ?? 03 ?? EB } - $block_76 = { E8 ?? ?? ?? ?? 99 B9 ?? ?? ?? ?? F7 ?? 5? FF 1? ?? ?? ?? ?? EB } - $block_77 = { 8B ?? ?? ?? 45 ?? ?? 41 ?? ?? 69 ?? ?? ?? ?? ?? 3B ?? 0F 87 } - $block_78 = { 8B ?? ?? 0F B6 ?? ?? 8D ?? ?? ?? ?? ?? ?? FF 0? 4? 3B ?? 7C } - $block_79 = { FF 3? ?? ?? ?? ?? FF 7? ?? E8 ?? ?? ?? ?? 85 ?? 5? 5? 0F 85 } - $block_80 = { FF 7? ?? 6A ?? FF 3? ?? ?? ?? ?? FF D? 3B ?? 89 ?? ?? 0F 84 } - $block_81 = { 68 ?? ?? ?? ?? FF 7? ?? FF 1? ?? ?? ?? ?? 85 ?? 5? 5? 0F 85 } - $block_82 = { 49 ?? ?? 33 ?? FF 1? ?? ?? ?? ?? 49 ?? ?? 48 ?? ?? 0F 85 } - $block_83 = { 49 ?? ?? 33 ?? FF 1? ?? ?? ?? ?? 49 ?? ?? 48 ?? ?? 0F 84 } - $block_84 = { B9 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? 0F 84 } - $block_85 = { 48 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 4C ?? ?? 0F 85 } - $block_86 = { 8B ?? ?? ?? ?? ?? ?? 99 83 ?? ?? 33 ?? 2B ?? 83 ?? ?? 75 } - $block_87 = { 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 } - $block_88 = { 5? 5? FF 3? ?? ?? ?? ?? FF D? 3B ?? A3 ?? ?? ?? 
?? 0F 84 } - $block_89 = { E8 ?? ?? ?? ?? 99 B9 ?? ?? ?? ?? F7 ?? 8B ?? ?? 2B ?? 2B } - $block_90 = { 45 ?? ?? 48 ?? ?? 48 ?? ?? 41 ?? ?? 85 ?? 8B ?? 0F 85 } - $block_91 = { 44 ?? ?? 48 ?? ?? 48 ?? ?? 41 ?? ?? 85 ?? 8B ?? 0F 85 } - $block_92 = { 48 ?? ?? ?? ?? ?? ?? 33 ?? E8 ?? ?? ?? ?? 3A ?? 0F 84 } - $block_93 = { 49 ?? ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? 0F 84 } - $block_94 = { 49 ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? 0F 84 } - $block_95 = { 48 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? 0F 84 } - $block_96 = { 48 ?? ?? E8 ?? ?? ?? ?? 49 ?? ?? 48 ?? ?? 0F 85 } - $block_97 = { 0F B6 ?? ?? 49 ?? ?? 44 ?? ?? ?? ?? 48 ?? ?? 7C } - $block_98 = { 48 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 49 ?? ?? 0F 84 } - $block_99 = { 41 ?? ?? 99 83 ?? ?? 03 ?? 83 ?? ?? 2B ?? 0F 85 } - - condition: - hash.sha256(0, filesize) == "c58d57f5ce9ca7689e6b71d3dcb48b2caf41a9e7105bb68bae113218869dd6a0" or - hash.sha256(0, filesize) == "8d20dd4433821eaeb1b2bec5911ba3633e656ca56ae50b75d35b2d52ea55b2cb" or - hash.sha256(0, filesize) == "7a68a6357868f19f698dacd12dea49655f9651fb01e2de4042e8bbc97095c121" or - 12 of them -} - -rule Agent_BTZ { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { 66 ?? ?? ?? D1 ?? 66 ?? ?? ?? ?? ?? ?? ?? 66 ?? ?? 66 ?? ?? 83 ?? ?? 25 ?? ?? ?? ?? 0F B7 ?? 79 } - $block_1 = { 8B ?? ?? 8B ?? ?? 5? 68 ?? ?? ?? ?? 5? 5? E8 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 84 } - $block_2 = { 83 ?? ?? 5? 5? 5? 5? 8B ?? 68 ?? ?? ?? ?? 6A ?? 5? E8 ?? ?? ?? ?? 8B ?? ?? 83 ?? ?? 85 ?? 0F 84 } - $block_3 = { 0F B7 ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? ?? 5? A1 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? FF D? 83 ?? ?? 4? EB } - $block_4 = { 2B ?? D1 ?? 8D ?? ?? 8B ?? E8 ?? ?? ?? ?? 5? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 } - $block_5 = { 5? 68 ?? ?? ?? ?? 6A ?? 5? 6A ?? 68 ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? ?? 0F 84 } - $block_6 = { E8 ?? ?? ?? ?? 33 ?? F7 ?? 8B ?? 03 ?? 9B 8B ?? ?? 64 ?? ?? ?? ?? ?? ?? 5? 5? 5? 8B ?? 
5? C2 } - $block_7 = { 6A ?? 5? 5? E8 ?? ?? ?? ?? 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? 81 F? ?? ?? ?? ?? 0F 8D } - $block_8 = { 8B ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 5? 8B ?? ?? 8D ?? ?? ?? ?? ?? ?? 5? FF D? 3B ?? 0F 84 } - $block_9 = { 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? 89 ?? ?? 89 ?? ?? 8D ?? ?? 5? 5? FF D? 85 ?? 0F 85 } - $block_10 = { E8 ?? ?? ?? ?? 99 B9 ?? ?? ?? ?? F7 ?? 80 C? ?? 88 ?? ?? ?? ?? ?? ?? 4? 81 F? ?? ?? ?? ?? 72 } - $block_11 = { 3B ?? 89 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? C6 ?? ?? ?? ?? C6 ?? ?? ?? ?? C6 ?? ?? ?? ?? 0F 84 } - $block_12 = { 66 ?? ?? ?? ?? ?? ?? ?? 66 ?? ?? ?? 66 ?? ?? 66 ?? ?? 83 ?? ?? 25 ?? ?? ?? ?? 0F B7 ?? 79 } - $block_13 = { 0F B7 ?? 8B ?? 66 ?? ?? 66 ?? ?? 83 ?? ?? 66 ?? ?? C1 ?? ?? 83 ?? ?? 83 ?? ?? 0F B7 ?? 75 } - $block_14 = { 6A ?? 8D ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? A1 ?? ?? ?? ?? 8B ?? ?? FF D? 83 ?? ?? 85 ?? 0F 85 } - $block_15 = { BF ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? C6 ?? ?? ?? 8B ?? ?? 85 ?? 0F 84 } - $block_16 = { 8D ?? ?? 6A ?? 5? C7 ?? ?? ?? ?? ?? ?? FF D? 5? 8B ?? FF 1? ?? ?? ?? ?? 33 ?? 3B ?? 0F 84 } - $block_17 = { E8 ?? ?? ?? ?? 8B ?? 8B ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 83 ?? ?? 0F 85 } - $block_18 = { 8B ?? ?? ?? ?? ?? 8B ?? ?? 81 E? ?? ?? ?? ?? 5? 8D ?? ?? ?? 5? 5? FF D? 83 ?? ?? 0F 84 } - $block_19 = { 89 ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 3B ?? 0F 84 } - $block_20 = { 8D ?? ?? ?? ?? ?? 5? 5? 8B ?? ?? ?? ?? ?? 8B ?? ?? FF D? 83 ?? ?? 89 ?? ?? 85 ?? 0F 85 } - $block_21 = { 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 8D ?? ?? 8B ?? 8B ?? ?? 5? 5? FF 5? ?? 85 ?? 0F 85 } - $block_22 = { 8B ?? ?? 5? FF 1? ?? ?? ?? ?? 8B ?? ?? 68 ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 } - $block_23 = { 6A ?? 8D ?? ?? ?? ?? ?? 5? A1 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? FF D? 83 ?? ?? 85 ?? 0F 84 } - $block_24 = { 8D ?? ?? ?? ?? ?? 5? 8B ?? ?? ?? ?? ?? 5? 8B ?? ?? ?? ?? ?? 8B ?? ?? FF D? 85 ?? 0F 85 } - $block_25 = { BA ?? ?? ?? ?? 66 ?? ?? ?? B8 ?? ?? ?? 
?? 66 ?? ?? ?? 33 ?? 66 ?? ?? ?? 39 ?? ?? 0F 85 } - $block_26 = { E8 ?? ?? ?? ?? 8B ?? 8B ?? 0F AF ?? 4? 33 ?? F7 ?? 4? 01 ?? ?? ?? 81 F? ?? ?? ?? ?? 72 } - $block_27 = { 0F B7 ?? ?? ?? ?? ?? ?? 0F B7 ?? ?? ?? 0F B7 ?? 33 ?? 5? C1 ?? ?? 5? 0B ?? 5? 5? C3 } - $block_28 = { 0F B6 ?? ?? 0F B6 ?? ?? 83 ?? ?? 03 ?? 03 ?? C1 ?? ?? 0B ?? 0F BE ?? ?? ?? ?? ?? EB } - $block_29 = { 8D ?? ?? 8B ?? ?? 8D ?? ?? 8D ?? ?? 8D ?? ?? 8B ?? ?? ?? C1 ?? ?? 03 ?? 3B ?? 0F 8C } - $block_30 = { 8B ?? ?? 8B ?? E8 ?? ?? ?? ?? 5? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 } - $block_31 = { 66 ?? ?? ?? ?? ?? ?? ?? 66 ?? ?? 66 ?? ?? 0F B7 ?? 0F B7 ?? C1 ?? ?? 0B ?? 5? C3 } - $block_32 = { 33 ?? 0F B7 ?? 8B ?? C1 ?? ?? 0B ?? B9 ?? ?? ?? ?? BF ?? ?? ?? ?? F3 ?? 33 ?? EB } - $block_33 = { 8D ?? ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 84 } - $block_34 = { 68 ?? ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 89 ?? ?? ?? 0F 84 } - $block_35 = { 0F B7 ?? ?? C1 ?? ?? 0F B7 ?? ?? 0B ?? 8B ?? ?? 89 ?? ?? ?? ?? ?? 80 3? ?? 0F 85 } - $block_36 = { 88 ?? 83 ?? ?? 6A ?? 5? E8 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 83 ?? ?? 3B ?? 0F 84 } - $block_37 = { E8 ?? ?? ?? ?? 8B ?? 8B ?? 0F AF ?? 4? 99 F7 ?? 4? 03 ?? 81 F? ?? ?? ?? ?? 7C } - $block_38 = { C6 ?? ?? ?? 5? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? C1 ?? ?? 8D ?? ?? 83 ?? ?? 0F 82 } - $block_39 = { 8D ?? ?? 5? 5? 8B ?? ?? ?? ?? ?? 8B ?? ?? FF D? 83 ?? ?? 89 ?? ?? 85 ?? 0F 85 } - $block_40 = { 8D ?? ?? 5? 5? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? FF D? 89 ?? ?? 85 ?? 0F 84 } - $block_41 = { 8D ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 84 } - $block_42 = { C6 ?? ?? ?? 33 ?? 89 ?? ?? 89 ?? ?? 88 ?? ?? 8B ?? 8B ?? D3 ?? 83 ?? ?? 0F 84 } - $block_43 = { 0F BE ?? 33 ?? 81 E? ?? ?? ?? ?? C1 ?? ?? 33 ?? ?? ?? ?? ?? ?? 4? 4? 85 ?? 75 } - $block_44 = { 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? 8D ?? ?? 5? 5? FF D? 85 ?? 0F 85 } - $block_45 = { 8B ?? ?? 5? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? FF D? 83 ?? ?? 
85 ?? 0F 84 } - $block_46 = { 8D ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? ?? ?? ?? 3B ?? 0F 85 } - $block_47 = { E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8B ?? FF 1? ?? ?? ?? ?? 3D ?? ?? ?? ?? 0F 8D } - $block_48 = { 0F B7 ?? ?? ?? ?? ?? ?? 66 ?? ?? 8D ?? ?? 81 E? ?? ?? ?? ?? 0F B7 ?? 79 } - $block_49 = { 85 ?? C6 ?? ?? ?? ?? C6 ?? ?? ?? ?? C6 ?? ?? ?? ?? C6 ?? ?? ?? ?? 0F 84 } - $block_50 = { 81 E? ?? ?? ?? ?? 5? 5? 33 ?? 5? 68 ?? ?? ?? ?? 39 ?? ?? ?? ?? ?? 0F 85 } - $block_51 = { 5? 5? FF 1? ?? ?? ?? ?? 8B ?? ?? ?? 33 ?? 8D ?? ?? ?? 0F AF ?? 85 ?? 76 } - $block_52 = { 8D ?? ?? 5? 5? A1 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? FF D? 8B ?? 85 ?? 0F 84 } - $block_53 = { 5? 8B ?? C1 ?? ?? 89 ?? ?? 0F B6 ?? ?? ?? 8B ?? 81 E? ?? ?? ?? ?? 79 } - $block_54 = { 66 ?? ?? 66 ?? ?? 0F B7 ?? 0F B7 ?? 0F B7 ?? C1 ?? ?? 0B ?? 5? 5? C3 } - $block_55 = { 68 ?? ?? ?? ?? 6A ?? 5? E8 ?? ?? ?? ?? 8B ?? ?? 83 ?? ?? 85 ?? 0F 84 } - $block_56 = { 8D ?? ?? 5? 5? 8B ?? ?? ?? ?? ?? 8B ?? ?? FF D? 83 ?? ?? 85 ?? 0F 85 } - $block_57 = { 8D ?? ?? ?? ?? ?? 5? 6A ?? 8B ?? ?? ?? ?? ?? 5? FF D? 83 ?? ?? 0F 85 } - $block_58 = { DF ?? ?? ?? DF ?? ?? ?? D8 ?? DC ?? ?? ?? ?? ?? DF ?? F6 ?? ?? 0F 85 } - $block_59 = { BA ?? ?? ?? ?? D3 ?? 8B ?? ?? C1 ?? ?? 0F B7 ?? ?? 23 ?? 3B ?? 75 } - $block_60 = { 8D ?? ?? 5? 8B ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 3B ?? 0F 84 } - $block_61 = { 5? 5? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? FF D? 8B ?? 3B ?? 0F 84 } - $block_62 = { 8B ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_63 = { 88 ?? 83 ?? ?? 6A ?? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 3B ?? 0F 84 } - $block_64 = { 8A ?? ?? 0F BE ?? 34 ?? 03 ?? 88 ?? ?? 0F BE ?? 03 ?? 4? 3B ?? 72 } - $block_65 = { 8B ?? ?? ?? 83 ?? ?? C1 ?? ?? 8D ?? ?? 89 ?? ?? ?? 3B ?? 0F 86 } - $block_66 = { 83 ?? ?? 6A ?? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 84 } - $block_67 = { 8D ?? ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 84 } - $block_68 = { C7 ?? ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? 88 ?? ?? ?? 3B ?? 
0F 85 } - $block_69 = { 8B ?? ?? ?? ?? ?? 8D ?? ?? 5? 6A ?? 5? FF D? 83 ?? ?? 0F 85 } - $block_70 = { 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 85 } - $block_71 = { 8B ?? ?? ?? ?? ?? 8B ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 8E } - $block_72 = { 8B ?? ?? ?? 8D ?? ?? ?? 5? 5? 5? E8 ?? ?? ?? ?? 85 ?? 0F 84 } - $block_73 = { 5? 8B ?? ?? ?? ?? ?? 8B ?? ?? FF D? 39 ?? ?? ?? ?? ?? 0F 85 } - $block_74 = { 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? 85 ?? 0F 85 } - $block_75 = { C1 ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? 85 ?? 0F 86 } - $block_76 = { 8D ?? ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 83 ?? ?? 0F 85 } - $block_77 = { 8B ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_78 = { 68 ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 89 ?? ?? 0F 84 } - $block_79 = { 8D ?? ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 83 ?? ?? 0F 84 } - $block_80 = { 5? A1 ?? ?? ?? ?? 8B ?? ?? FF D? 39 ?? ?? ?? ?? ?? 0F 85 } - $block_81 = { 68 ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 8B ?? 85 ?? 0F 84 } - $block_82 = { 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 } - $block_83 = { 4? C1 ?? ?? 8D ?? ?? ?? 0F B7 ?? 33 ?? 66 ?? ?? 0F 83 } - $block_84 = { 8B ?? ?? 5? 5? 33 ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? C9 C3 } - $block_85 = { 4? 0F B7 ?? 0F B7 ?? 0F B7 ?? ?? ?? BA ?? ?? ?? ?? 8D } - $block_86 = { 0F B7 ?? 66 ?? ?? ?? 66 ?? ?? 0F B7 ?? 66 ?? ?? 73 } - $block_87 = { 8B ?? ?? ?? 83 ?? ?? 89 ?? ?? ?? 3B ?? ?? ?? 0F 82 } - $block_88 = { 8B ?? ?? ?? ?? ?? ?? 8D ?? ?? 3D ?? ?? ?? ?? 0F 86 } - $block_89 = { 0F B6 ?? 83 ?? ?? C1 ?? ?? 4? 0F AF ?? 4? 85 ?? 75 } - $block_90 = { 83 ?? ?? 5? 8B ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 } - $block_91 = { 5? 6A ?? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 84 } - $block_92 = { 6A ?? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 84 } - $block_93 = { 4? 99 2B ?? D1 ?? 8D ?? ?? 81 E? ?? ?? ?? ?? 79 } - $block_94 = { 4? 0F B7 ?? 0F B7 ?? C1 ?? ?? 33 ?? 85 ?? 0F 8E } - $block_95 = { 8B ?? ?? ?? ?? ?? ?? 0F BF ?? 66 ?? ?? ?? ?? 77 } - $block_96 = { 8D ?? ?? ?? ?? ?? 
?? 6A ?? 5? FF D? 85 ?? 0F 84 } - $block_97 = { 8B ?? ?? ?? D1 ?? 8D ?? ?? ?? 8B ?? 3B ?? 0F 83 } - $block_98 = { C6 ?? ?? ?? ?? ?? ?? 80 B? ?? ?? ?? ?? ?? 0F 85 } - $block_99 = { 8D ?? ?? ?? 5? 5? FF 1? ?? ?? ?? ?? 3B ?? 0F 84 } - - condition: - hash.sha256(0, filesize) == "df5cc17e0efb2e4c2a85494a1f60672f3191820ef2caea81bcb031970c3f412e" or - hash.sha256(0, filesize) == "1cc5a57c19dc68342d1676fe759ab509df3eeff797cdbbf43e3c16c305ab162c" or - hash.sha256(0, filesize) == "a59222bf08fb3ef323b813c4f884b995c8831210d7f947f6d8778d587ce76045" or - hash.sha256(0, filesize) == "fe73c1b35c624fb62c24fcd8c251723337eed4bbc8fa8bc12d2df621e8908604" or - hash.sha256(0, filesize) == "80ed95992ad658a48480a895b1d07bd786bbdabc04e91c060896e3a06647c191" or - hash.sha256(0, filesize) == "63658c331ac38322935d6dcde8bd892aa99084a0cea91bbef3b7789b02bf8d0e" or - hash.sha256(0, filesize) == "03479db12f2d1948193ee22cbea216705d5f3dba6416c5d1e2b3aab3f269d4c1" or - hash.sha256(0, filesize) == "303de69b0bc23556fc5dd63a184e5f59556b72fa1f6e3967584f4f18e2a604ec" or - hash.sha256(0, filesize) == "05dc66031e4276bc20010743d8cd0ee36e4064cf087b6b4617fefb86a4702873" or - hash.sha256(0, filesize) == "bae62f7f96c4cc300ec685f42eb451388cf50a13aa624b3f2a019d071fddaeb1" or - hash.sha256(0, filesize) == "cf5e73c4517c8547732f01a6fd614f9ad1aa628b9fc6a82d3b2f222f7b2a0433" or - hash.sha256(0, filesize) == "cb993d5b90d9a5bd569177ee60e71e3b4639019f46ddd2a9fb8e890565335f66" or - hash.sha256(0, filesize) == "9e9fbc3085a126405185e7e028889a39640e3c924d2384b2428454fd475a1860" or - hash.sha256(0, filesize) == "fd3829e670125d22c74ce0c989808f6bb1da32e4645d6ae3de672678d2060101" or - hash.sha256(0, filesize) == "c0de0fec34da3e9ca92c47bfadf723ab75c90fe02ceb3455d74155badfcb3380" or - hash.sha256(0, filesize) == "6798b3278ae926b0145ee342ee9840d0b2e6ba11ff995c2bc84d3c6eb3e55ff4" or - hash.sha256(0, filesize) == "d49f2aa4db1972b5e6a9ab81a1fb28eb43cf5c2a714a5d6caddd91fcbfc2e332" or - hash.sha256(0, filesize) == 
"89db8a69ff030600f26d5c875785d20f15d45331d007733be9a2422261d16cea" or - hash.sha256(0, filesize) == "3a6c1aa367476ea1a6809814cf534e094035f88ac5fb759398b783f3929a0db2" or - hash.sha256(0, filesize) == "6ad78f069c3619d0d18eef8281219679f538cfe0c1b6d40b244beb359762cf96" or - hash.sha256(0, filesize) == "529d08b500a7687bb973c757fbfbc2c2790fbee52f060ca0575b8caf57ab0bf1" or - hash.sha256(0, filesize) == "d401aec6175aa34c773dee269cb881d00a8868b75a8fd6437d3b86cc2db8180d" or - hash.sha256(0, filesize) == "15580d72045b0806d99cde386e42bf3f078746c4194b0932efc6fcdb9104898d" or - hash.sha256(0, filesize) == "49c5c798689d4a54e5b7099b647b0596fb96b996a437bb8241b5dd76e974c24e" or - hash.sha256(0, filesize) == "636106ef35adeddfb60763b0316d67d11ef6845fcc6879adc23465cb20ed97c5" or - hash.sha256(0, filesize) == "7c08e72dc458191de61d5245ecfdc9e6b7c1f1f0ad8e4a7c04ab114503f88114" or - hash.sha256(0, filesize) == "730b196431d4953cd5e3c4468637429a05b350f7d508c3ec0a982bec4c60d5ab" or - hash.sha256(0, filesize) == "e88970fa4892150441c1616028982fe63c875f149cd490c3c910a1c091d3ad49" or - hash.sha256(0, filesize) == "69690f609140db503463daf6a3699f1bf3e2a5a6049cefe7e6437f762040e548" or - hash.sha256(0, filesize) == "211ebdbf5821f69f40bc8d37c1bd7c52e6cae42126d48ffbcb09c046054ae2d1" or - hash.sha256(0, filesize) == "0e3f899dcb2328fa8b2be2c4fcc3fbe5f62d0f8728f23e306ebec1c4c94c9180" or - 12 of them -} - -rule Kazuar { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { 89 ?? B8 ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? B8 ?? ?? ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 89 ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? FF D? 83 ?? ?? 3D ?? ?? ?? ?? 0F 85 } - $block_1 = { 4? C7 ?? ?? ?? ?? ?? ?? ?? 4? 8D ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 4? 8D ?? ?? ?? ?? ?? 4? 8D ?? ?? ?? 4? 89 ?? E8 ?? ?? ?? ?? 4? 8D ?? ?? ?? ?? ?? 4? 89 ?? E8 ?? ?? ?? ?? 31 ?? 4? 89 ?? ?? ?? 4? 
89 ?? ?? ?? 4? 89 ?? 4? 31 ?? 4? FF D? 3D ?? ?? ?? ?? 89 ?? 0F 85 } - $block_2 = { 8B ?? ?? 4? 01 ?? 4? 01 ?? 0F B7 ?? ?? 8B ?? ?? 4? 8D ?? ?? 8B ?? ?? 4? 01 ?? EB } - $block_3 = { C7 ?? ?? ?? ?? ?? ?? ?? 89 ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 5? 5? 0F 94 } - $block_4 = { E8 ?? ?? ?? ?? 0F BE ?? 4? FF C? 4? 31 ?? 4? 69 ?? ?? ?? ?? ?? EB } - $block_5 = { E8 ?? ?? ?? ?? 0F B7 ?? 4? FF C? 4? 31 ?? 4? 69 ?? ?? ?? ?? ?? EB } - - condition: - hash.sha256(0, filesize) == "49e0356272b9f8a30ec24a6e271f94e11668d7a48704bb9aed64f61b4b9b343c" or - hash.sha256(0, filesize) == "743b3347dc86b4a4aa6510648076eeca9eec0ff23c1294b3931263c990bcb5e6" or - 6 of them -} - -rule OutlookBackdoor { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { 0F B6 ?? ?? 8B ?? C6 ?? ?? C1 ?? ?? 8A ?? ?? ?? ?? ?? 4? 88 ?? 4? 83 ?? ?? 8A ?? ?? ?? ?? ?? EB } - $block_1 = { 8B ?? ?? ?? 8D ?? ?? ?? 5? 8D ?? ?? ?? 5? 8B ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 39 ?? ?? ?? 0F 84 } - $block_2 = { B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? ?? 83 ?? ?? ?? 5? 5? 0F B7 ?? 5? 66 ?? ?? 0F 84 } - $block_3 = { 8D ?? ?? ?? 5? 68 ?? ?? ?? ?? 5? 5? 5? 6A ?? 68 ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 3B ?? 0F 85 } - $block_4 = { 5? 83 ?? ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 81 E? ?? ?? ?? ?? 5? 33 ?? 39 ?? ?? ?? ?? ?? 0F 84 } - $block_5 = { B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? ?? 83 ?? ?? 5? F7 ?? 5? 1B ?? 23 ?? ?? 5? 8B ?? 75 } - $block_6 = { 5? FF 1? ?? ?? ?? ?? FF 7? ?? E8 ?? ?? ?? ?? 5? 8B ?? ?? 5? 64 ?? ?? ?? ?? ?? ?? 5? C9 C2 } - $block_7 = { 8B ?? 8D ?? ?? ?? 5? 33 ?? 5? C7 ?? ?? ?? ?? ?? ?? ?? 8B ?? 5? FF 5? ?? 39 ?? ?? ?? 0F 84 } - $block_8 = { 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 5? 5? 8B ?? ?? 5? 64 ?? ?? ?? ?? ?? ?? C9 C2 } - $block_9 = { FF 7? ?? 8B ?? ?? FF 7? ?? 5? E8 ?? ?? ?? ?? 33 ?? BF ?? ?? ?? ?? AB AB AB 83 ?? ?? AB 33 } - $block_10 = { 68 ?? ?? ?? ?? FF 7? ?? FF D? 83 ?? ?? ?? 89 ?? ?? 8D ?? ?? 5? 6A ?? FF D? 83 ?? ?? 0F 85 } - $block_11 = { 5? 6A ?? 8D ?? ?? 
E8 ?? ?? ?? ?? 8B ?? ?? 8B ?? 5? 5? 64 ?? ?? ?? ?? ?? ?? 5? C9 C3 } - $block_12 = { 6A ?? 6A ?? E8 ?? ?? ?? ?? 8B ?? ?? 2B ?? ?? 6A ?? 99 5? F7 ?? FF 7? ?? 3B ?? 0F 83 } - $block_13 = { 8D ?? ?? 5? 88 ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 8B ?? 5? 5? 64 ?? ?? ?? ?? ?? ?? C9 C2 } - $block_14 = { 0F B6 ?? ?? C1 ?? ?? 0B ?? 8A ?? ?? ?? ?? ?? 88 ?? 4? FF 4? ?? 80 E? ?? C0 ?? ?? EB } - $block_15 = { 6A ?? 6A ?? 8D ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 8B ?? ?? 5? 64 ?? ?? ?? ?? ?? ?? C9 C2 } - $block_16 = { 6A ?? 5? 8D ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 8B ?? ?? 5? 5? 64 ?? ?? ?? ?? ?? ?? C9 C2 } - $block_17 = { 5? 33 ?? 33 ?? 38 ?? ?? 5? 0F 94 ?? 5? 6A ?? FF 7? ?? FF 1? ?? ?? ?? ?? 38 ?? ?? 75 } - $block_18 = { 8B ?? ?? 5? 68 ?? ?? ?? ?? FF 7? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 5? 5? 83 ?? ?? C9 C2 } - $block_19 = { B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 5? 5? 5? 64 ?? ?? ?? ?? ?? ?? 83 ?? ?? C9 C2 } - $block_20 = { 5? 8B ?? 83 ?? ?? 5? 5? BE ?? ?? ?? ?? 8D ?? ?? A5 A5 A5 A4 33 ?? 5? 89 ?? ?? 5? } - $block_21 = { 0F B6 ?? ?? 8B ?? C1 ?? ?? 0B ?? 8A ?? ?? ?? ?? ?? 88 ?? 4? FF 4? ?? 3B ?? ?? 73 } - $block_22 = { 8D ?? ?? ?? ?? ?? ?? 5? FF B? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 33 ?? 85 ?? 0F 85 } - $block_23 = { 6A ?? 6A ?? 8D ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 5? 5? 5? 64 ?? ?? ?? ?? ?? ?? C9 C2 } - $block_24 = { 0F B7 ?? 8B ?? 66 ?? ?? 66 ?? ?? 83 ?? ?? C1 ?? ?? 66 ?? ?? 4? 4? 4? 0F B7 ?? 75 } - $block_25 = { B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? 81 E? ?? ?? ?? ?? 4? 5? 5? 5? 0F 84 } - $block_26 = { 8B ?? ?? ?? 8B ?? 8D ?? ?? ?? 5? 68 ?? ?? ?? ?? 5? FF 9? ?? ?? ?? ?? 85 ?? 0F 85 } - $block_27 = { 6A ?? 6A ?? 8D ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 5? 5? 5? 64 ?? ?? ?? ?? ?? ?? C9 C3 } - $block_28 = { 8B ?? ?? ?? 8B ?? 6A ?? FF 1? 8B ?? FF 4? ?? ?? 8B ?? FF 5? ?? 39 ?? ?? ?? 0F 82 } - $block_29 = { 01 ?? ?? ?? 8B ?? ?? ?? 0F B6 ?? 8B ?? 29 ?? ?? ?? 5? 8B ?? FF 5? ?? 84 ?? 74 } - $block_30 = { 6A ?? 5? 5? FF 7? ?? 8D ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? ?? 2B ?? ?? ?? 0F 84 } - $block_31 = { 8B ?? ?? ?? 
0F B6 ?? ?? 33 ?? 5? 4? 8D ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? ?? 8B } - $block_32 = { 89 ?? ?? ?? 8D ?? ?? 99 6A ?? 5? F7 ?? 8B ?? ?? ?? 8D ?? ?? C1 ?? ?? 3B ?? 7E } - $block_33 = { 8D ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 8B ?? ?? 5? 5? 64 ?? ?? ?? ?? ?? ?? 5? C9 C3 } - $block_34 = { 6A ?? 8D ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 5? 5? 64 ?? ?? ?? ?? ?? ?? 5? C9 C3 } - $block_35 = { 6A ?? 5? 2B ?? 8B ?? ?? 2B ?? 01 ?? ?? C6 ?? ?? 83 ?? ?? 4? 39 ?? ?? 0F 8D } - $block_36 = { B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 5? 33 ?? 83 ?? ?? ?? 89 ?? ?? 0F 85 } - $block_37 = { 0F B7 ?? ?? ?? ?? ?? ?? 0F B7 ?? 33 ?? 5? 0F B7 ?? C1 ?? ?? 5? 0B ?? 5? C3 } - $block_38 = { 88 ?? 83 ?? ?? 6A ?? 5? 89 ?? ?? E8 ?? ?? ?? ?? 5? 5? 89 ?? ?? 3B ?? 0F 84 } - $block_39 = { 8D ?? ?? ?? ?? ?? 5? 33 ?? E8 ?? ?? ?? ?? 66 ?? 0F B7 ?? 66 ?? ?? ?? 5? 7E } - $block_40 = { FF 7? ?? E8 ?? ?? ?? ?? 8B ?? 5? 8D ?? ?? 5? 5? 89 ?? ?? FF D? 85 ?? 0F 85 } - $block_41 = { 5? 8B ?? 5? 8B ?? C1 ?? ?? 89 ?? ?? 0F B6 ?? ?? 8B ?? 81 E? ?? ?? ?? ?? 79 } - $block_42 = { 5? FF 1? ?? ?? ?? ?? 8B ?? ?? 5? 8B ?? 5? 5? 64 ?? ?? ?? ?? ?? ?? C9 C2 } - $block_43 = { 66 ?? ?? ?? 66 ?? ?? 0F B7 ?? 0F B7 ?? ?? 0F B7 ?? C1 ?? ?? 0B ?? C9 C3 } - $block_44 = { 8B ?? ?? 8A ?? ?? ?? 88 ?? ?? 0F BE ?? 5? E8 ?? ?? ?? ?? 5? 85 ?? 74 } - $block_45 = { 5? 8D ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 33 ?? 89 ?? ?? 39 ?? ?? 0F 84 } - $block_46 = { 0F 94 ?? 22 ?? 88 ?? ?? C6 ?? ?? ?? C6 ?? ?? ?? BB ?? ?? ?? ?? EB } - $block_47 = { 89 ?? ?? ?? 8D ?? ?? 99 6A ?? 5? F7 ?? 8D ?? ?? C1 ?? ?? 3B ?? 7E } - $block_48 = { 8D ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 5? 5? 64 ?? ?? ?? ?? ?? ?? C9 C2 } - $block_49 = { 8B ?? ?? 33 ?? 4? D3 ?? 8B ?? C1 ?? ?? 0F B7 ?? ?? 23 ?? 3B ?? 75 } - $block_50 = { FF 7? ?? FF 1? ?? ?? ?? ?? 8B ?? ?? 64 ?? ?? ?? ?? ?? ?? C9 C2 } - $block_51 = { 5? FF 1? ?? ?? ?? ?? 8B ?? ?? 5? 5? 64 ?? ?? ?? ?? ?? ?? C9 C3 } - $block_52 = { A1 ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 6A ?? 99 5? F7 ?? 85 ?? 0F 86 } - $block_53 = { 8B ?? 83 ?? ?? 6A ?? 99 5? 2B ?? F7 ?? 4? 
0F AF ?? 03 ?? 5? } - $block_54 = { 33 ?? 4? D3 ?? 8B ?? ?? C1 ?? ?? 0F B7 ?? ?? 23 ?? 3B ?? 75 } - $block_55 = { 8B ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 5? FF D? 8B ?? 85 ?? 0F 84 } - $block_56 = { E8 ?? ?? ?? ?? 8B ?? ?? 8B ?? 5? 64 ?? ?? ?? ?? ?? ?? C9 C3 } - $block_57 = { 8B ?? ?? 8A ?? ?? 99 6A ?? 5? F7 ?? 0F B6 ?? 83 ?? ?? 74 } - $block_58 = { 8B ?? ?? 2B ?? ?? 6A ?? 99 5? F7 ?? FF 7? ?? 3B ?? 0F 83 } - $block_59 = { 5? 8B ?? 83 ?? ?? 0F B7 ?? 5? 33 ?? 5? 8B ?? 66 ?? ?? 74 } - $block_60 = { 8B ?? ?? 83 ?? ?? 6A ?? C1 ?? ?? 5? 89 ?? ?? 3B ?? 0F 86 } - $block_61 = { 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 5? 5? 85 ?? 0F 85 } - $block_62 = { 8B ?? ?? ?? 8B ?? 8D ?? ?? ?? 5? 5? FF 5? ?? 3B ?? 0F 85 } - $block_63 = { 8B ?? ?? ?? 8B ?? 8D ?? ?? ?? 5? 5? FF 5? ?? 85 ?? 0F 84 } - $block_64 = { 8B ?? ?? ?? 8B ?? 8D ?? ?? ?? 5? 5? FF 5? ?? 85 ?? 0F 85 } - $block_65 = { FF 4? ?? ?? FF 4? ?? ?? FF 4? ?? ?? 39 ?? ?? ?? 0F 8F } - $block_66 = { 8B ?? ?? 5? 5? 64 ?? ?? ?? ?? ?? ?? 5? 83 ?? ?? C9 C3 } - $block_67 = { 8B ?? ?? ?? 03 ?? 89 ?? ?? ?? 89 ?? ?? ?? 3B ?? 0F 83 } - $block_68 = { 80 7? ?? ?? 0F 94 ?? 83 ?? ?? ?? 22 ?? 8A ?? 3C ?? 75 } - $block_69 = { 8B ?? ?? 5? 33 ?? 5? 4? 64 ?? ?? ?? ?? ?? ?? 5? C9 C2 } - $block_70 = { 8B ?? ?? 5? 5? 64 ?? ?? ?? ?? ?? ?? 5? 83 ?? ?? C9 C2 } - $block_71 = { 4? C1 ?? ?? 8D ?? ?? ?? 0F B7 ?? 33 ?? 66 ?? ?? 0F 83 } - $block_72 = { 8B ?? ?? 6A ?? 5? 8D ?? ?? ?? ?? ?? F3 ?? 5? 5? C9 C3 } - $block_73 = { 8D ?? ?? 5? E8 ?? ?? ?? ?? 5? 89 ?? ?? ?? 3B ?? 0F 84 } - $block_74 = { 5? 8B ?? 83 ?? ?? 5? 5? 8B ?? 8B ?? 5? 83 ?? ?? 0F 84 } - $block_75 = { 8B ?? ?? 8D ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? ?? C9 C3 } - $block_76 = { 8B ?? ?? 5? 8B ?? 5? 64 ?? ?? ?? ?? ?? ?? 5? C9 C2 } - $block_77 = { 8B ?? ?? 8B ?? 5? 5? 5? 64 ?? ?? ?? ?? ?? ?? C9 C2 } - $block_78 = { 8B ?? ?? 5? 5? 33 ?? 64 ?? ?? ?? ?? ?? ?? 5? C9 C2 } - $block_79 = { 8B ?? ?? 5? 5? 8B ?? 64 ?? ?? ?? ?? ?? ?? 5? C9 C2 } - $block_80 = { 8B ?? ?? 5? 8B ?? 5? 5? 64 ?? ?? ?? ?? ?? ?? 
C9 C3 } - $block_81 = { 5? 5? 0F B6 ?? ?? ?? 8D ?? ?? 25 ?? ?? ?? ?? 5? 79 } - $block_82 = { 8B ?? ?? 5? 5? 8B ?? 5? 64 ?? ?? ?? ?? ?? ?? C9 C3 } - $block_83 = { 8B ?? ?? 8B ?? ?? 5? 64 ?? ?? ?? ?? ?? ?? 5? C9 C3 } - $block_84 = { 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 5? 5? 85 ?? 0F 85 } - $block_85 = { 8B ?? ?? 8B ?? 8B ?? 89 ?? ?? FF 5? ?? 85 ?? 0F 86 } - $block_86 = { 83 ?? ?? ?? 80 3? ?? 0F 94 ?? ?? 80 7? ?? ?? 74 } - $block_87 = { 8B ?? ?? 5? 8B ?? 5? 64 ?? ?? ?? ?? ?? ?? C9 C2 } - $block_88 = { 8B ?? ?? 8B ?? ?? 5? 64 ?? ?? ?? ?? ?? ?? C9 C2 } - $block_89 = { 0F B6 ?? ?? 8B ?? 5? 8B ?? FF 5? ?? 84 ?? 0F 84 } - $block_90 = { 8B ?? ?? 8B ?? ?? 8B ?? ?? 5? 5? 89 ?? 5? C9 C3 } - $block_91 = { 4? 99 2B ?? D1 ?? 8D ?? ?? 81 E? ?? ?? ?? ?? 79 } - $block_92 = { 8B ?? E8 ?? ?? ?? ?? 81 7? ?? ?? ?? ?? ?? 0F 86 } - $block_93 = { 8B ?? ?? ?? 8B ?? 5? FF 5? ?? 39 ?? ?? ?? 0F 84 } - $block_94 = { 8B ?? ?? 5? 64 ?? ?? ?? ?? ?? ?? 83 ?? ?? C9 C3 } - - condition: - hash.sha256(0, filesize) == "863f298f367a82853a58f9dad4c477956f48fdd9328a93e1aeee1df22da80493" or - hash.sha256(0, filesize) == "f1998b3c322e35006b6a6ba1c23807a3f9bc8058ee50efea059278a06fa4a4eb" or - 25 of them -} - -rule Gazer { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { 5? 68 ?? ?? ?? ?? FF 7? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? 68 ?? ?? ?? ?? 5? FF D? 85 ?? 0F 85 } - $block_1 = { 8D ?? ?? 5? 8D ?? ?? 5? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 3B ?? 0F 84 } - $block_2 = { FF 3? ?? ?? ?? ?? 21 ?? ?? ?? 21 ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? 0F 86 } - $block_3 = { 5? 8D ?? ?? 5? 5? 68 ?? ?? ?? ?? 5? 5? 5? 68 ?? ?? ?? ?? FF 7? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 } - $block_4 = { FF 3? ?? ?? ?? ?? FF 4? ?? 89 ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? 39 ?? ?? ?? ?? ?? 0F 86 } - $block_5 = { 8B ?? ?? 5? 5? 83 ?? ?? 5? 5? 6A ?? 5? 6A ?? FF 1? ?? ?? ?? ?? 8B ?? 89 ?? ?? 3B ?? 0F 84 } - $block_6 = { 8B ?? ?? 8B ?? 6A ?? 5? 5? 
FF 5? ?? 8B ?? 8B ?? ?? 8B ?? 5? FF 5? ?? FF 5? ?? 3B ?? 0F 8C } - $block_7 = { FF 7? ?? FF D? 01 ?? ?? FF 4? ?? 0F BF ?? ?? 6B ?? ?? 8D ?? ?? ?? ?? ?? ?? 5? 89 ?? ?? 5? } - $block_8 = { 6A ?? 5? 66 ?? ?? ?? 8D ?? ?? ?? 5? 5? 6A ?? C7 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 84 ?? 0F 84 } - $block_9 = { 5? 8D ?? ?? 5? 8D ?? ?? 5? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 3B ?? 0F 84 } - $block_10 = { 8D ?? ?? 5? 8D ?? ?? 5? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 3B ?? 0F 84 } - $block_11 = { 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 0F 84 } - $block_12 = { 8D ?? ?? 5? FF 7? ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? FF 7? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_13 = { 8B ?? ?? ?? FF 4? ?? ?? 8B ?? ?? ?? ?? ?? 4? 33 ?? F7 ?? 89 ?? ?? ?? 39 ?? ?? ?? 0F 82 } - $block_14 = { 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 7? ?? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? ?? 3B ?? 0F 84 } - $block_15 = { 8D ?? ?? 5? 68 ?? ?? ?? ?? 5? FF 1? 8B ?? 8B ?? ?? 8B ?? 5? FF 5? ?? 3B ?? 0F 8C } - $block_16 = { E8 ?? ?? ?? ?? FF 7? ?? ?? 8B ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 5? 3B ?? 0F 84 } - $block_17 = { 6A ?? 5? 01 ?? ?? 01 ?? ?? 01 ?? ?? 01 ?? ?? 0F B7 ?? ?? FF 4? ?? 39 ?? ?? 72 } - $block_18 = { 8B ?? ?? 8B ?? ?? ?? ?? ?? 03 ?? 5? 6A ?? FF 7? ?? FF D? 89 ?? ?? 3B ?? 0F 84 } - $block_19 = { 6A ?? 8D ?? ?? 5? 68 ?? ?? ?? ?? FF 7? ?? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 84 } - $block_20 = { 5? 6A ?? E8 ?? ?? ?? ?? 5? 5? 0F BE ?? 83 ?? ?? 0F AF ?? 03 ?? 4? 4? 3B ?? 72 } - $block_21 = { 0F B7 ?? ?? 0F B7 ?? ?? 2B ?? 5? FF 1? ?? ?? ?? ?? 33 ?? F7 ?? ?? 5? 85 ?? 74 } - $block_22 = { 8D ?? ?? 5? 89 ?? ?? 8B ?? ?? 6A ?? FF 3? FF 1? ?? ?? ?? ?? 8B ?? 85 ?? 0F 84 } - $block_23 = { 8D ?? ?? ?? 5? FF 7? ?? ?? 5? 6A ?? FF 7? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_24 = { 5? FF 7? ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? FF 7? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_25 = { 6A ?? 5? 01 ?? ?? 01 ?? ?? 01 ?? ?? 03 ?? 0F B7 ?? ?? FF 4? ?? 39 ?? ?? 72 } - $block_26 = { 8B ?? ?? FF 4? 
?? 8B ?? ?? ?? ?? ?? 4? 33 ?? F7 ?? 89 ?? ?? 39 ?? ?? 0F 82 } - $block_27 = { 8D ?? ?? ?? 5? 6A ?? 6A ?? 6A ?? FF 7? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 } - $block_28 = { 5? 5? 5? 5? 6A ?? FF 7? ?? FF 1? ?? ?? ?? ?? 8B ?? 89 ?? ?? 3B ?? 0F 84 } - $block_29 = { FF 7? ?? FF 7? ?? FF 1? ?? ?? ?? ?? 8B ?? 0F AF ?? FF 4? ?? 39 ?? ?? 7C } - $block_30 = { 8D ?? ?? ?? 5? 6A ?? FF 1? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_31 = { 8D ?? ?? 5? 5? 5? 68 ?? ?? ?? ?? FF 7? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 } - $block_32 = { 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 5? 5? 89 ?? ?? 3B ?? 0F 84 } - $block_33 = { FF 3? ?? ?? ?? ?? FF 7? ?? E8 ?? ?? ?? ?? 5? 5? 89 ?? ?? 3B ?? 0F 84 } - $block_34 = { 8D ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 8D ?? ?? A5 A5 A5 5? 38 ?? ?? 0F 84 } - $block_35 = { FF 7? ?? 8B ?? ?? ?? ?? ?? 6A ?? FF 3? FF D? 8B ?? ?? 0F B7 ?? 4? 74 } - $block_36 = { A1 ?? ?? ?? ?? FF 7? ?? 89 ?? ?? E8 ?? ?? ?? ?? 8B ?? 5? 3B ?? 0F 84 } - $block_37 = { 8D ?? ?? 5? 5? 5? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF D? 85 ?? 0F 85 } - $block_38 = { 0F B7 ?? ?? 5? E8 ?? ?? ?? ?? 5? 66 ?? ?? ?? 5? 4? FF D? 3B ?? 7E } - $block_39 = { FF 4? ?? ?? 6A ?? 6A ?? FF 3? FF 1? ?? ?? ?? ?? 8B ?? 85 ?? 0F 84 } - $block_40 = { 68 ?? ?? ?? ?? FF 3? ?? ?? ?? ?? E8 ?? ?? ?? ?? 5? 5? 85 ?? 0F 84 } - $block_41 = { 8D ?? ?? ?? 5? 5? FF 1? ?? ?? ?? ?? 5? 5? FF 7? ?? ?? 85 ?? 0F 84 } - $block_42 = { 5? 5? 8D ?? ?? 5? BF ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 } - $block_43 = { FF 3? ?? ?? ?? ?? 5? 5? 5? FF 1? ?? ?? ?? ?? 89 ?? ?? 3B ?? 0F 84 } - $block_44 = { 8B ?? ?? A1 ?? ?? ?? ?? C1 ?? ?? 03 ?? 89 ?? ?? 39 ?? ?? 0F 84 } - $block_45 = { 6A ?? 6A ?? FF 3? FF 1? ?? ?? ?? ?? A3 ?? ?? ?? ?? 85 ?? 0F 84 } - $block_46 = { 5? 8B ?? ?? ?? ?? ?? 6A ?? FF 3? FF D? 8B ?? ?? 0F B7 ?? 4? 74 } - $block_47 = { 0F B7 ?? ?? 83 ?? ?? ?? 33 ?? 8D ?? ?? ?? 66 ?? ?? ?? 0F 83 } - $block_48 = { 5? 8D ?? ?? 5? 6A ?? 8D ?? ?? 5? FF 7? ?? FF D? 85 ?? 0F 84 } - $block_49 = { 8D ?? ?? 5? BF ?? ?? ?? ?? 5? FF 1? ?? ?? 
?? ?? 85 ?? 0F 85 } - $block_50 = { 5? FF 1? ?? ?? ?? ?? 0F B6 ?? 83 ?? ?? ?? 33 ?? 4? 85 ?? 7E } - $block_51 = { 5? 8B ?? ?? ?? ?? ?? 5? FF 3? FF D? 8B ?? ?? 0F B7 ?? 4? 74 } - $block_52 = { 83 ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 0F 86 } - $block_53 = { 8B ?? ?? 8D ?? ?? 5? 5? FF 7? ?? E8 ?? ?? ?? ?? 84 ?? 0F 84 } - $block_54 = { 8D ?? ?? 5? 5? FF 1? ?? ?? ?? ?? 5? 5? FF 7? ?? 85 ?? 0F 84 } - $block_55 = { FF 3? ?? ?? ?? ?? FF 7? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 } - $block_56 = { FF 7? ?? ?? 6A ?? 5? FF 1? ?? ?? ?? ?? 8B ?? 85 ?? 0F 84 } - $block_57 = { 8B ?? ?? 8B ?? ?? 5? 8B ?? ?? 5? 0F B7 ?? ?? 2B ?? 2B } - $block_58 = { 8B ?? 5? 5? 5? FF D? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_59 = { FF 7? ?? ?? E8 ?? ?? ?? ?? 5? 89 ?? ?? ?? 3B ?? 0F 84 } - $block_60 = { FF 7? ?? FF 7? ?? E8 ?? ?? ?? ?? 5? 5? 85 ?? 0F 84 } - $block_61 = { 68 ?? ?? ?? ?? FF D? E8 ?? ?? ?? ?? 83 ?? ?? 0F 84 } - $block_62 = { 8B ?? 6A ?? 5? 33 ?? D1 ?? 89 ?? ?? F6 ?? ?? 0F 84 } - $block_63 = { 5? 6A ?? FF 3? FF D? 8B ?? ?? ?? 0F B7 ?? 4? 0F 84 } - $block_64 = { 6A ?? 6A ?? FF 7? ?? FF D? 89 ?? ?? 3B ?? 0F 84 } - $block_65 = { FF 7? ?? E8 ?? ?? ?? ?? 5? 89 ?? ?? 3B ?? 0F 84 } - $block_66 = { 8D ?? ?? 5? E8 ?? ?? ?? ?? 5? 5? 8A ?? 5? C9 C3 } - $block_67 = { 5? 8B ?? 83 ?? ?? 5? 5? 33 ?? 5? 39 ?? ?? 0F 84 } - $block_68 = { 5? 8B ?? ?? 5? 5? 64 ?? ?? ?? ?? ?? ?? 5? C9 C3 } - $block_69 = { FF 7? ?? 5? FF 7? ?? FF D? 5? 5? 33 ?? 5? 
C9 C2 } - - condition: - hash.sha256(0, filesize) == "2007aa72dfe0c6c93beb44f737b85b6cd487175e7abc6b717dae9344bed46c6c" or - hash.sha256(0, filesize) == "364593bebe015945002f6affec90154a69cb051d59ac7557f076930375fb054f" or - hash.sha256(0, filesize) == "29e80fbdd60e723f69d111d72d3436b84d835add2fff26f52d426b5a8f4e17d1" or - hash.sha256(0, filesize) == "02e28a176dd2ad9507e8d76b739af6fa2f1f7c373e70adbd70a44e8b137e58f8" or - hash.sha256(0, filesize) == "4a941b881e917cd41477e2d4549fc8e217cd883773f2c703186e5525dc4d6c07" or - 12 of them -} - -rule PenquinTurla { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { 89 ?? ?? BE ?? ?? ?? ?? B8 ?? ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 84 } - $block_1 = { 89 ?? ?? ?? 8B ?? ?? ?? 8B ?? ?? ?? 89 ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 } - $block_2 = { 83 ?? ?? ?? 89 ?? 89 ?? C1 ?? ?? 8B ?? ?? C1 ?? ?? 30 ?? 0F B6 ?? 0F B6 ?? ?? 0F B6 ?? 39 ?? 74 } - $block_3 = { 5? 31 ?? B9 ?? ?? ?? ?? 5? 5? 83 ?? ?? 8D ?? ?? ?? FC 8B ?? ?? ?? F3 ?? A1 ?? ?? ?? ?? 85 ?? 75 } - $block_4 = { C7 ?? ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? A3 ?? ?? ?? ?? 31 ?? 85 ?? 0F 84 } - $block_5 = { 0F B7 ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? 81 E? ?? ?? ?? ?? 83 ?? ?? 3D ?? ?? ?? ?? 66 ?? ?? ?? ?? 7E } - $block_6 = { 89 ?? 89 ?? 8B ?? D3 ?? 83 ?? ?? 0F B6 ?? ?? ?? 89 ?? D3 ?? 09 ?? 89 ?? 83 ?? ?? FF 4? ?? ?? 75 } - $block_7 = { 5? 89 ?? 5? 31 ?? 5? 31 ?? 5? 83 ?? ?? 89 ?? 89 ?? ?? 4? 8D ?? ?? C6 ?? ?? ?? 0F BE ?? 85 ?? 74 } - $block_8 = { 01 ?? 8D ?? ?? 01 ?? 89 ?? ?? 8D ?? ?? 89 ?? ?? 89 ?? ?? ?? FF 5? ?? BA ?? ?? ?? ?? 85 ?? 0F 84 } - $block_9 = { 89 ?? ?? 8D ?? ?? ?? ?? ?? ?? 89 ?? 83 ?? ?? 31 ?? 29 ?? 8B ?? 8D ?? ?? ?? 89 ?? ?? 85 ?? 0F 84 } - $block_10 = { 89 ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 88 } - $block_11 = { FF 4? ?? 89 ?? 89 ?? C1 ?? ?? 8B ?? ?? C1 ?? ?? 30 ?? 0F B6 ?? 0F B6 ?? ?? 0F B6 ?? 
39 ?? 0F 84 } - $block_12 = { E8 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 0F B7 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 66 ?? ?? ?? ?? ?? ?? E9 } - $block_13 = { 8B ?? ?? ?? ?? ?? 8D ?? ?? 8B ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 83 ?? ?? 83 ?? ?? 0F 86 } - $block_14 = { F6 ?? ?? ?? ?? ?? ?? 89 ?? 8B ?? ?? ?? 8B ?? ?? ?? 89 ?? ?? 8B ?? ?? ?? 89 ?? ?? 89 ?? ?? 0F 85 } - $block_15 = { 0F B7 ?? ?? C1 ?? ?? 25 ?? ?? ?? ?? 0F 95 ?? ?? ?? ?? ?? 89 ?? 80 8? ?? ?? ?? ?? ?? 85 ?? 0F 85 } - $block_16 = { 8B ?? ?? 88 ?? 80 E? ?? 0F B6 ?? ?? ?? ?? ?? 24 ?? 08 ?? 88 ?? ?? ?? ?? ?? 0F B6 ?? 88 ?? ?? E9 } - $block_17 = { 0F B6 ?? ?? ?? 89 ?? 4? 30 ?? ?? ?? ?? ?? 31 ?? 81 F? ?? ?? ?? ?? 0F 9D ?? 4? 4? 21 ?? 39 ?? 7C } - $block_18 = { 8B ?? ?? FF 4? ?? 8B ?? ?? 89 ?? ?? 0F B6 ?? 88 ?? ?? ?? 8B ?? ?? 4? 8B ?? ?? 89 ?? ?? 39 ?? 72 } - $block_19 = { 0F B6 ?? 31 ?? 31 ?? 89 ?? ?? ?? 31 ?? 4? 89 ?? ?? ?? 31 ?? BD ?? ?? ?? ?? 89 ?? ?? ?? 88 ?? E9 } - $block_20 = { FF 8? ?? ?? ?? ?? 31 ?? 8B ?? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 0F 95 ?? 85 ?? 8D ?? ?? ?? 0F 84 } - $block_21 = { C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 0F B6 ?? ?? ?? ?? ?? 41 ?? ?? ?? 75 } - $block_22 = { 48 ?? ?? ?? ?? ?? ?? BE ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? 0F 84 } - $block_23 = { 41 ?? 5? 5? 48 ?? ?? BE ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 } - $block_24 = { 64 ?? ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? 83 ?? ?? ?? ?? ?? ?? 0F 84 } - $block_25 = { 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? 0F 84 } - $block_26 = { 48 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 4C ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 } - $block_27 = { 48 ?? ?? E8 ?? ?? ?? ?? 29 ?? 8D ?? ?? 83 ?? ?? 41 ?? ?? 44 ?? ?? ?? 41 ?? ?? ?? 4D ?? ?? 0F 84 } - $block_28 = { 48 ?? ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? 48 ?? ?? F3 ?? B9 ?? ?? ?? ?? 0F 97 ?? 0F 92 ?? 38 ?? 0F 84 } - $block_29 = { 48 ?? 49 ?? ?? FF C? 48 ?? ?? 
?? ?? ?? ?? 89 ?? 8B ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 4C ?? ?? 0F 85 } - $block_30 = { BA ?? ?? ?? ?? BE ?? ?? ?? ?? BF ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 89 ?? ?? ?? ?? ?? 0F 88 } - $block_31 = { 48 ?? ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? 0F 05 C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 4C ?? ?? ?? ?? ?? ?? 89 } - $block_32 = { 4C ?? ?? 48 ?? ?? 41 ?? ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? 0F 05 48 ?? ?? ?? ?? ?? 76 } - $block_33 = { 0F BE ?? 83 ?? ?? 8D ?? ?? ?? ?? ?? ?? 8D ?? ?? 40 ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? 74 } - $block_34 = { C7 ?? ?? ?? ?? ?? ?? 8B ?? ?? 8B ?? ?? 8B ?? ?? 89 ?? 39 ?? 89 ?? ?? 89 ?? ?? 89 ?? ?? 0F 84 } - $block_35 = { 89 ?? ?? ?? 8B ?? ?? ?? B9 ?? ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 84 } - $block_36 = { 89 ?? ?? 31 ?? 31 ?? 89 ?? ?? ?? B9 ?? ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? FF 5? ?? 85 ?? 0F 84 } - $block_37 = { 8B ?? ?? ?? ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? 39 ?? ?? ?? ?? ?? ?? 0F 84 } - $block_38 = { C7 ?? ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? 89 ?? ?? ?? 8B ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 } - $block_39 = { C7 ?? ?? ?? ?? ?? ?? 31 ?? 89 ?? ?? ?? B8 ?? ?? ?? ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 89 } - $block_40 = { 5? 5? 5? 5? 83 ?? ?? 8B ?? ?? ?? 8B ?? ?? ?? 8B ?? ?? ?? 89 ?? ?? ?? 8B ?? ?? ?? 85 ?? 0F 84 } - $block_41 = { 89 ?? ?? B9 ?? ?? ?? ?? 8D ?? ?? ?? 89 ?? ?? ?? 29 ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 88 } - $block_42 = { 89 ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? 8D ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 } - $block_43 = { C7 ?? ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_44 = { 89 ?? ?? ?? 8B ?? ?? ?? B8 ?? ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 84 } - $block_45 = { 8B ?? ?? ?? ?? ?? ?? 8D ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 } - $block_46 = { 8D ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 31 ?? 8B ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? 39 ?? ?? ?? 0F 8D } - $block_47 = { 8B ?? ?? ?? 
8B ?? ?? ?? 8B ?? ?? 89 ?? ?? ?? 89 ?? ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 } - $block_48 = { 8D ?? ?? 89 ?? 89 ?? ?? 0F B7 ?? ?? 66 ?? ?? ?? 0F B7 ?? 8D ?? ?? ?? ?? ?? 66 ?? ?? ?? 0F 86 } - $block_49 = { 8B ?? ?? ?? BE ?? ?? ?? ?? 89 ?? ?? ?? 8B ?? 89 ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? ?? 85 ?? 0F 88 } - $block_50 = { 89 ?? ?? 8D ?? ?? ?? ?? ?? 89 ?? ?? ?? B8 ?? ?? ?? ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 } - $block_51 = { FF 4? ?? 4? 0F BE ?? 0F B6 ?? 83 ?? ?? 89 ?? ?? 0F BE ?? 8D ?? ?? 88 ?? 88 ?? 2C ?? 3C ?? 77 } - $block_52 = { 8B ?? ?? ?? ?? ?? ?? 8D ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 } - $block_53 = { 89 ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? 8B ?? ?? ?? ?? ?? 39 ?? ?? 89 ?? ?? 0F 85 } - $block_54 = { 5? 5? 5? 5? 83 ?? ?? 8B ?? ?? ?? 8B ?? ?? ?? 8B ?? ?? ?? 8B ?? ?? 85 ?? 89 ?? 89 ?? ?? 0F 88 } - $block_55 = { 8B ?? ?? 8D ?? ?? ?? ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 85 ?? 89 ?? ?? ?? ?? ?? 0F 84 } - $block_56 = { 8B ?? ?? ?? ?? ?? ?? 89 ?? 29 ?? 8B ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? ?? 85 ?? 0F 84 } - $block_57 = { 89 ?? ?? B8 ?? ?? ?? ?? 89 ?? ?? ?? 8D ?? ?? ?? ?? ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 } - $block_58 = { 48 ?? ?? E8 ?? ?? ?? ?? 89 ?? 48 ?? ?? ?? ?? ?? ?? BF ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 } - $block_59 = { 41 ?? 49 ?? ?? 5? 48 ?? ?? ?? 5? 8B ?? ?? 48 ?? ?? C6 ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? 0F 87 } - $block_60 = { 44 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 4C ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? 85 ?? 0F 85 } - $block_61 = { 41 ?? 4C ?? ?? ?? 5? 48 ?? ?? 5? 8B ?? ?? 48 ?? ?? C6 ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? 0F 87 } - $block_62 = { 48 ?? ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? 89 ?? F0 ?? ?? ?? 89 ?? 8B ?? ?? ?? ?? ?? 48 ?? ?? 0F 83 } - $block_63 = { 44 ?? ?? BA ?? ?? ?? ?? FC 48 ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? F3 ?? ?? 40 ?? ?? ?? 74 } - $block_64 = { 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? 44 ?? ?? E8 ?? ?? ?? ?? 89 ?? 8B ?? ?? ?? 85 ?? 0F 84 } - $block_65 = { 48 ?? ?? ?? 
?? ?? 0F 94 ?? ?? ?? 48 ?? ?? ?? ?? ?? 0F B6 ?? ?? ?? 41 ?? ?? ?? 44 ?? ?? 0F 84 } - $block_66 = { 49 ?? ?? ?? 41 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 41 ?? ?? 41 ?? ?? 0F 84 } - $block_67 = { C6 ?? ?? BF ?? ?? ?? ?? 89 ?? ?? 89 ?? E8 ?? ?? ?? ?? C6 ?? ?? B9 ?? ?? ?? ?? FC F3 ?? 74 } - $block_68 = { FC 89 ?? C1 ?? ?? 89 ?? F3 ?? 8B ?? ?? ?? ?? ?? 80 8? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? E9 } - $block_69 = { 5? 89 ?? 5? 89 ?? 5? 5? 83 ?? ?? 8B ?? ?? 89 ?? ?? 8B ?? ?? ?? ?? ?? 85 ?? 89 ?? ?? 0F 84 } - $block_70 = { C7 ?? ?? ?? ?? ?? ?? 8D ?? ?? 8D ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 } - $block_71 = { 8B ?? 83 ?? ?? 89 ?? 8B ?? ?? ?? 8B ?? 83 ?? ?? 89 ?? ?? ?? 89 ?? 8B ?? ?? ?? 85 ?? 0F 84 } - $block_72 = { 5? 31 ?? 5? 5? 5? 81 E? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? 8B ?? ?? 85 ?? 0F 8E } - $block_73 = { 8B ?? ?? 8B ?? 89 ?? ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 95 ?? 0F B6 ?? 4? 21 ?? ?? 9? } - $block_74 = { 8D ?? ?? 8D ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? 8B ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 84 } - $block_75 = { C7 ?? ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? A3 ?? ?? ?? ?? 85 ?? 0F 85 } - $block_76 = { 89 ?? ?? ?? 31 ?? 8D ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 } - $block_77 = { B8 ?? ?? ?? ?? 89 ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? 0F 84 } - $block_78 = { 8B ?? ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? ?? 85 ?? 0F 84 } - $block_79 = { 4C ?? ?? ?? ?? 4D ?? ?? 4C ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? ?? 4C ?? ?? FF D? 83 ?? ?? 0F 84 } - $block_80 = { 4C ?? ?? 48 ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? ?? 4A ?? ?? ?? 48 ?? ?? 48 ?? ?? 49 ?? ?? 0F 89 } - $block_81 = { 44 ?? ?? 44 ?? ?? 41 ?? ?? B9 ?? ?? ?? ?? 4C ?? ?? E8 ?? ?? ?? ?? 49 ?? ?? 48 ?? ?? 0F 84 } - $block_82 = { 8B ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 01 ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 80 3? ?? 0F 84 } - $block_83 = { 48 ?? ?? ?? 49 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 
49 ?? ?? ?? 48 ?? ?? ?? ?? 0F 85 } - $block_84 = { 0F B7 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? 0F 84 } - $block_85 = { 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? ?? 4C ?? ?? ?? ?? 49 ?? ?? ?? 0F 88 } - $block_86 = { 89 ?? 48 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 49 ?? ?? 48 ?? ?? 0F 84 } - $block_87 = { 4D ?? ?? ?? ?? 48 ?? ?? ?? ?? 4C ?? ?? E8 ?? ?? ?? ?? 3D ?? ?? ?? ?? 41 ?? ?? ?? 0F 8F } - $block_88 = { 4C ?? ?? 4C ?? ?? 48 ?? ?? 48 ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 0F 87 } - $block_89 = { 48 ?? ?? ?? ?? 49 ?? ?? 89 ?? 4C ?? ?? 44 ?? ?? E8 ?? ?? ?? ?? 0F BE ?? 83 ?? ?? 0F 84 } - $block_90 = { 8B ?? ?? 4C ?? ?? E8 ?? ?? ?? ?? 01 ?? 48 ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? 0F 87 } - $block_91 = { 8B ?? ?? 48 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? ?? ?? ?? ?? 0F 84 } - $block_92 = { BA ?? ?? ?? ?? BE ?? ?? ?? ?? BF ?? ?? ?? ?? E8 ?? ?? ?? ?? 41 ?? ?? 41 ?? ?? ?? 0F 84 } - $block_93 = { BA ?? ?? ?? ?? BE ?? ?? ?? ?? BF ?? ?? ?? ?? E8 ?? ?? ?? ?? 41 ?? ?? 41 ?? ?? ?? 0F 85 } - $block_94 = { 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 89 ?? 4C ?? ?? ?? ?? 48 ?? ?? ?? 81 F? ?? ?? ?? ?? 0F 84 } - $block_95 = { FF 4? ?? 48 ?? ?? ?? 48 ?? ?? ?? 4D ?? ?? 48 ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? FF C? 0F 84 } - $block_96 = { 48 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? 8B ?? ?? 48 ?? ?? ?? 5? 41 ?? 41 ?? 41 ?? 41 ?? C9 C3 } - $block_97 = { 49 ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? 4C ?? ?? 83 ?? ?? ?? ?? ?? ?? 0F 8E } - $block_98 = { 8B ?? ?? ?? 8B ?? ?? ?? 8B ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? 89 ?? ?? ?? 0F 84 } - $block_99 = { 48 ?? ?? ?? ?? ?? ?? BA ?? ?? ?? ?? BE ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 41 ?? ?? 
0F 85 } - - condition: - hash.sha256(0, filesize) == "d49690ccb82ff9d42d3ee9d7da693fd7d302734562de088e9298413d56b86ed0" or - hash.sha256(0, filesize) == "8856a68d95e4e79301779770a83e3fad8f122b849a9e9e31cfe06bf3418fa667" or - hash.sha256(0, filesize) == "1eee1d0f736f3b796ab8da66bb16a68c7600e9a0c0cc8de0b640bc53beb9a90a" or - hash.sha256(0, filesize) == "8ccc081d4940c5d8aa6b782c16ed82528c0885bbb08210a8d0a8c519c54215bc" or - hash.sha256(0, filesize) == "3e138e4e34c6eed3506efc7c805fce19af13bd62aeb35544f81f111e83b5d0d4" or - hash.sha256(0, filesize) == "5a204263cac112318cd162f1c372437abf7f2092902b05e943e8784869629dd8" or - 12 of them -} - -rule Wipbot { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { 4? 0F B7 ?? 4? 8B ?? 4? 89 ?? 4? 01 ?? C1 ?? ?? 4? 81 E? ?? ?? ?? ?? 4? 01 ?? 66 ?? ?? ?? 75 } - $block_1 = { D9 ?? FB 5? 1A ?? ?? 3C ?? CC 04 ?? 18 ?? A4 02 ?? ?? BE ?? ?? ?? ?? 15 ?? ?? ?? ?? 5? EB } - $block_2 = { BA ?? ?? ?? ?? B9 ?? ?? ?? ?? 4? C7 ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 4? 85 ?? 0F 84 } - $block_3 = { BA ?? ?? ?? ?? B8 ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 } - $block_4 = { 8D ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 } - $block_5 = { FF C? 89 ?? 0F BE ?? ?? E8 ?? ?? ?? ?? 0F BE ?? 31 ?? 69 ?? ?? ?? ?? ?? 85 ?? 75 } - $block_6 = { FF C? 69 ?? ?? ?? ?? ?? 89 ?? 0F BE ?? ?? E8 ?? ?? ?? ?? 0F BE ?? 31 ?? 85 ?? 75 } - $block_7 = { BA ?? ?? ?? ?? B8 ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 } - $block_8 = { 5? 89 ?? 5? 5? 5? 83 ?? ?? 83 ?? ?? ?? 0F 94 ?? ?? 85 ?? 0F 94 ?? 0A ?? ?? 74 } - $block_9 = { 5? 5? 5? 4? 81 E? ?? ?? ?? ?? 8B ?? ?? 31 ?? 4? 01 ?? 66 ?? ?? ?? ?? 0F 84 } - $block_10 = { BA ?? ?? ?? ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? BE ?? ?? ?? ?? 85 ?? 0F 84 } - $block_11 = { 5? 89 ?? 5? 5? 5? 81 E? ?? ?? ?? ?? 8B ?? ?? 01 ?? 66 ?? ?? ?? ?? 0F 84 } - $block_12 = { C7 ?? ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? FF D? 
83 ?? ?? 85 ?? 0F 84 } - $block_13 = { BA ?? ?? ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 4? 85 ?? 4? 89 ?? 0F 84 } - $block_14 = { 5? 89 ?? 5? 5? 31 ?? 5? 89 ?? 83 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 } - $block_15 = { 03 ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 } - $block_16 = { BA ?? ?? ?? ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 89 ?? 0F 84 } - $block_17 = { 4? 8D ?? ?? 4? 0F B7 ?? ?? 4? 8D ?? ?? 4? 8B ?? ?? 4? 01 ?? EB } - $block_18 = { 5? 5? 5? 4? 83 ?? ?? 31 ?? 4? 89 ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 } - $block_19 = { A6 BE ?? ?? ?? ?? 4? B9 ?? ?? ?? ?? 18 ?? A6 85 ?? ?? 18 ?? 7E } - $block_20 = { 89 ?? 89 ?? C7 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 } - $block_21 = { 4? 8D ?? ?? ?? ?? ?? ?? 4? 89 ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 } - $block_22 = { BA ?? ?? ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 4? 85 ?? 0F 84 } - $block_23 = { 4? 85 ?? 89 ?? 0F 94 ?? 85 ?? 0F 94 ?? 4? 01 ?? 08 ?? 74 } - $block_24 = { BA ?? ?? ?? ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 } - $block_25 = { E8 ?? ?? ?? ?? 81 7? ?? ?? ?? ?? ?? 0F 94 ?? 0F B6 ?? EB } - $block_26 = { 83 ?? ?? 0F 9F ?? 0F B6 ?? 4? 81 C? ?? ?? ?? ?? 5? 5? C3 } - $block_27 = { 4? 85 ?? 4? 0F 94 ?? 4? 85 ?? 0F 94 ?? 4? 08 ?? 74 } - $block_28 = { 8D ?? ?? ?? ?? ?? 89 ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 } - $block_29 = { 85 ?? 0F 94 ?? 85 ?? 0F 94 ?? 08 ?? 8D ?? ?? 74 } - $block_30 = { 5? 5? 5? 5? 4? 83 ?? ?? 4? 85 ?? 4? 89 ?? 
0F 84 } - - condition: - hash.sha256(0, filesize) == "895a97bb6340a0ede31b2376fecb605c7d91a3fcc588a31bc4ff3c39d1cd12c9" or - hash.sha256(0, filesize) == "d76ce236f12c7f964dd72727e27f9444f62fcf72ce9de356a3bbbf32c23189e2" or - hash.sha256(0, filesize) == "8ce2bdb1680ac8eafcb2adce7acb89ea741ac9cd6e6c1b3a551b521e2ab9a1c5" or - hash.sha256(0, filesize) == "e74faa35ed394f666e02de1b7f26665eb9a70dd3c355ef9d9e2d26a4d8a96f7e" or - hash.sha256(0, filesize) == "0b97c87126578113050d8e014e8fefeb33146eebc40e75c070882ec31ae26aab" or - hash.sha256(0, filesize) == "d2505d073b948b309c65b2f613afba06584d22b4b07181c58e0f4a4893d3f9b1" or - hash.sha256(0, filesize) == "1a6beed80ce6d2dee4445a5e0eb5a3f13675f461f9d975b6c6ef6cba5e916949" or - hash.sha256(0, filesize) == "44748d0ea4c2927a58b3e4c8090fb5b7bdfe41a4f00f8e5de2952a76312c3aa2" or - hash.sha256(0, filesize) == "57ec50ea2c1735d535dbf62df964190e21fbc21aca3c4cf34bd455f9ab3dd76d" or - hash.sha256(0, filesize) == "7fbe1f25b25da7d1dd187bcaeb1d1b13a48ffef136bba9af3d3c6cd2e6bf3e90" or - hash.sha256(0, filesize) == "fae51b0649a3c99e7c3054e584acca4359aae140d621f4a02e4f4e1fe441ea12" or - hash.sha256(0, filesize) == "c558b2ee059ef8140788cbaefd648aad7879c34dc3b61d966229dba5afd36122" or - hash.sha256(0, filesize) == "ecaa89e4a358c33ac20e9a397a67cecba620d30d77dd7ec27ef92316d9264f3d" or - hash.sha256(0, filesize) == "966610c19fb620f90de6d7f35f469662824bad66c3091e0df1de1fd903df04c9" or - hash.sha256(0, filesize) == "d48aa85bc434a30463e3b258899efb0d94b30a1609a18ba094153806cdacbf30" or - hash.sha256(0, filesize) == "fcd50490bf5498f9204519077f312930a1d689c8a07a1b30a90e0f2969416a1f" or - hash.sha256(0, filesize) == "0c02e49d3924b04c6bc42515cc926e59bf319f42f55afcc0b0da14d228bcbd7a" or - hash.sha256(0, filesize) == "a5afb65975b5dddeda124b0151a14df5706c42ca50cbc68b34ca4c8b25f1e54e" or - hash.sha256(0, filesize) == "4eba5182826becfc842315a0ce85f9e03aada8cc73d1e54ed0b55754ab89d9e0" or - 12 of them -} - -rule PNGDropper { - meta: - Author = "Intezer Analyze" - 
Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { 5? 8B ?? ?? 6A ?? 6A ?? 03 ?? 8D ?? ?? 5? 03 ?? 5? 5? 89 ?? ?? E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 85 } - $block_1 = { 49 ?? ?? 44 ?? ?? BA ?? ?? ?? ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 48 ?? ?? ?? ?? 85 ?? 0F 85 } - $block_2 = { FF 7? ?? FF 7? ?? E8 ?? ?? ?? ?? 01 ?? ?? 0F B7 ?? ?? 83 ?? ?? 83 ?? ?? FF 4? ?? 39 ?? ?? 72 } - $block_3 = { 5? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 5? 5? 5? 68 ?? ?? ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 88 } - $block_4 = { 8B ?? ?? 03 ?? 6A ?? 6A ?? 89 ?? ?? 8D ?? ?? 5? 03 ?? 5? 5? E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 85 } - $block_5 = { 8B ?? ?? 2B ?? ?? 2B ?? 99 2B ?? 8B ?? 8B ?? ?? 2B ?? 2B ?? 99 2B ?? D1 ?? 03 ?? ?? D1 ?? 03 } - $block_6 = { 5? 8B ?? 83 ?? ?? 5? 68 ?? ?? ?? ?? FF 7? ?? E8 ?? ?? ?? ?? 33 ?? 5? 5? 89 ?? ?? 3B ?? 0F 84 } - $block_7 = { 5? 6A ?? 8D ?? ?? 5? 5? FF B? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 3B ?? 0F 85 } - $block_8 = { 8B ?? ?? 0F B7 ?? ?? 8B ?? ?? 8B ?? ?? 8B ?? ?? 89 ?? ?? 8B ?? ?? 8B ?? ?? 2B ?? 3B ?? 73 } - $block_9 = { 8D ?? ?? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 95 ?? 80 B? ?? ?? ?? ?? ?? 75 } - $block_10 = { 5? FF 1? ?? ?? ?? ?? 8B ?? ?? 6A ?? 5? 89 ?? ?? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 3B ?? 0F 84 } - $block_11 = { C6 ?? ?? ?? 6A ?? 6A ?? 8D ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 4? 81 C? ?? ?? ?? ?? 3B ?? 0F 82 } - $block_12 = { 8D ?? ?? 5? FF 1? ?? ?? ?? ?? 6A ?? 5? 8D ?? ?? 5? FF 7? ?? FF 1? ?? ?? ?? ?? 2B ?? 0F 84 } - $block_13 = { FF B? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 } - $block_14 = { 0F B7 ?? ?? 68 ?? ?? ?? ?? 5? 5? FF 1? ?? ?? ?? ?? 8B ?? ?? 5? E8 ?? ?? ?? ?? 84 ?? 0F 84 } - $block_15 = { 8D ?? ?? ?? ?? ?? 5? FF B? ?? ?? ?? ?? E8 ?? ?? ?? ?? 5? 5? 89 ?? ?? ?? ?? ?? 3B ?? 0F 85 } - $block_16 = { 6A ?? E8 ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 8B ?? ?? 5? FF 1? ?? ?? ?? ?? 83 ?? ?? 0F 85 } - $block_17 = { 5? 5? FF 1? ?? ?? ?? ?? 8B ?? ?? 8B ?? ?? 5? 5? 89 ?? ?? FF 1? ?? ?? ?? ?? 
3B ?? 0F 84 } - $block_18 = { 8B ?? ?? A5 A5 A5 8D ?? ?? 5? A5 E8 ?? ?? ?? ?? 5? FF 7? ?? FF 1? ?? ?? ?? ?? 85 ?? 75 } - $block_19 = { 5? E8 ?? ?? ?? ?? 8B ?? ?? 33 ?? 5? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? 89 ?? ?? 85 ?? 0F 84 } - $block_20 = { 5? 33 ?? 33 ?? 0F A2 5? 8D ?? ?? 89 ?? 89 ?? ?? 6A ?? 89 ?? ?? 5? 89 ?? ?? 39 ?? ?? 7D } - $block_21 = { 89 ?? ?? 89 ?? ?? 6A ?? 8D ?? ?? 5? 5? 5? E8 ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 3B ?? 0F 85 } - $block_22 = { 8B ?? ?? DD ?? 8B ?? ?? DD ?? DD ?? DD ?? DD ?? 8B ?? ?? 89 ?? 8B ?? ?? 89 ?? ?? C9 C3 } - $block_23 = { 4C ?? ?? 48 ?? ?? 49 ?? ?? E8 ?? ?? ?? ?? 8B ?? BB ?? ?? ?? ?? 48 ?? ?? ?? 0F 44 ?? 8B } - $block_24 = { 5? 8B ?? 81 E? ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 ?? 89 ?? ?? A1 ?? ?? ?? ?? 85 ?? 0F 85 } - $block_25 = { 5? 8B ?? 81 E? ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 ?? 89 ?? ?? 8B ?? ?? 33 ?? 3B ?? 0F 84 } - $block_26 = { 8B ?? ?? A5 A5 A5 A5 83 ?? ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? E8 ?? ?? ?? ?? C2 } - $block_27 = { 6A ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 6A ?? 8B ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 } - $block_28 = { FF 7? ?? FF 7? ?? E8 ?? ?? ?? ?? 01 ?? ?? 0F B7 ?? ?? 83 ?? ?? 83 ?? ?? 4? 3B ?? 72 } - $block_29 = { 8B ?? ?? 0F B7 ?? ?? 8B ?? ?? 8B ?? ?? 89 ?? ?? 8B ?? ?? 8B ?? ?? 2B ?? 3B ?? 73 } - $block_30 = { 8B ?? ?? 8B ?? ?? 6A ?? 6A ?? 8D ?? ?? 5? 5? 5? E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 85 } - $block_31 = { 5? E8 ?? ?? ?? ?? 89 ?? ?? 8D ?? ?? 5? 6A ?? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 } - $block_32 = { 6A ?? 6A ?? 8D ?? ?? 5? FF 7? ?? FF 7? ?? E8 ?? ?? ?? ?? 8B ?? 33 ?? 3B ?? 0F 85 } - $block_33 = { 8B ?? ?? 8B ?? ?? 5? 6A ?? 8D ?? ?? 5? 5? 5? E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 85 } - $block_34 = { 8B ?? ?? 03 ?? ?? 8B ?? ?? 8B ?? ?? 5? FF 1? ?? ?? ?? ?? 89 ?? ?? 85 ?? 0F 84 } - $block_35 = { 5? 6A ?? 8D ?? ?? 5? 5? 5? E8 ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 3B ?? 0F 85 } - $block_36 = { 5? 5? 8B ?? ?? 89 ?? ?? 89 ?? ?? 89 ?? 8B ?? 5? 33 ?? 5? E8 ?? ?? ?? ?? C9 C3 } - $block_37 = { 83 ?? ?? ?? 68 ?? ?? ?? ?? 5? 0F 94 ?? ?? E8 ?? 
?? ?? ?? 5? 5? 85 ?? 0F 85 } - $block_38 = { 5? 8B ?? 8B ?? ?? 8B ?? ?? 03 ?? 0F B7 ?? ?? 8D ?? ?? ?? 0F B7 ?? ?? 4? 74 } - $block_39 = { 8D ?? ?? ?? ?? ?? 5? 5? E8 ?? ?? ?? ?? 5? 5? 89 ?? ?? ?? ?? ?? 3B ?? 0F 85 } - $block_40 = { 8B ?? ?? 0F B7 ?? ?? 8B ?? ?? 8B ?? ?? 8B ?? ?? 8B ?? ?? 2B ?? 39 ?? ?? 73 } - $block_41 = { 33 ?? 0F A2 8D ?? ?? 89 ?? 89 ?? ?? 89 ?? ?? 89 ?? ?? 8B ?? ?? C1 ?? ?? 4? } - $block_42 = { 5? 5? FF 7? ?? 8D ?? ?? 6A ?? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 3B ?? 0F 85 } - $block_43 = { 8B ?? 2B ?? 99 B9 ?? ?? ?? ?? F7 ?? 33 ?? 4? 89 ?? ?? ?? ?? ?? 3B ?? 7D } - $block_44 = { 8B ?? ?? 8B ?? ?? 89 ?? F7 ?? 1B ?? 25 ?? ?? ?? ?? 05 ?? ?? ?? ?? C9 C3 } - $block_45 = { 8D ?? ?? ?? 0F B7 ?? ?? 8B ?? 25 ?? ?? ?? ?? 03 ?? C1 ?? ?? 83 ?? ?? 74 } - $block_46 = { 5? 6A ?? 8D ?? ?? 5? FF 7? ?? FF 7? ?? E8 ?? ?? ?? ?? 8B ?? 3B ?? 0F 85 } - $block_47 = { 0F B7 ?? ?? ?? ?? ?? ?? 48 ?? ?? 66 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? E9 } - $block_48 = { 0F B7 ?? ?? ?? ?? ?? ?? 48 ?? ?? 66 ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? EB } - $block_49 = { 8B ?? ?? 03 ?? ?? 5? FF 1? ?? ?? ?? ?? 8B ?? ?? 89 ?? ?? 85 ?? 0F 84 } - $block_50 = { 5? 8B ?? 8B ?? ?? 8B ?? 5? 8B ?? ?? 2B ?? 5? 99 2B ?? 8B ?? D1 ?? 79 } - $block_51 = { 8B ?? ?? 8B ?? A5 A5 A5 A5 5? 5? 8B ?? 33 ?? 5? E8 ?? ?? ?? ?? C9 C3 } - $block_52 = { 6A ?? 6A ?? 8D ?? ?? 5? 5? 5? E8 ?? ?? ?? ?? 8B ?? 33 ?? 3B ?? 0F 85 } - $block_53 = { FF 8? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 83 ?? ?? 3B ?? ?? ?? ?? ?? 0F 8C } - $block_54 = { 0F B6 ?? ?? 0F B6 ?? ?? C1 ?? ?? 0B ?? 0F B6 ?? ?? C1 ?? ?? 0B ?? EB } - $block_55 = { 0F B7 ?? ?? 33 ?? 8D ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? 66 ?? ?? ?? 73 } - $block_56 = { 2B ?? 8B ?? ?? ?? 33 ?? C7 ?? ?? ?? ?? ?? ?? 89 ?? ?? 85 ?? 0F 84 } - $block_57 = { 5? 8B ?? 5? 5? 8B ?? ?? 5? 33 ?? 89 ?? 8B ?? ?? 5? 5? 3B ?? 0F 84 } - $block_58 = { 68 ?? ?? ?? ?? FF B? ?? ?? ?? ?? E8 ?? ?? ?? ?? 5? 5? 85 ?? 0F 84 } - $block_59 = { 5? 8D ?? ?? 5? FF 1? ?? ?? ?? ?? 8D ?? ?? 8D ?? ?? A5 A5 A5 A5 EB } - $block_60 = { 6A ?? 
5? 03 ?? 0F B6 ?? 0F B6 ?? ?? C1 ?? ?? 8D ?? ?? ?? 3B ?? 7F } - $block_61 = { E8 ?? ?? ?? ?? 33 ?? 89 ?? ?? ?? ?? ?? 39 ?? ?? ?? ?? ?? 0F 8E } - $block_62 = { 8D ?? ?? B8 ?? ?? ?? ?? F7 ?? 8B ?? C1 ?? ?? 03 ?? 3B ?? 0F 9F } - $block_63 = { 8D ?? ?? ?? ?? ?? ?? 9? 8B ?? ?? ?? ?? ?? 83 ?? ?? 3B ?? 0F 84 } - $block_64 = { 8B ?? ?? 5? FF 1? ?? ?? ?? ?? 83 ?? ?? 0F 95 ?? 88 ?? ?? EB } - $block_65 = { 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 85 } - $block_66 = { 5? 6A ?? 8D ?? ?? 5? 5? 5? E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 85 } - $block_67 = { 5? 5? 8B ?? ?? 8B ?? 33 ?? C7 ?? ?? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_68 = { C6 ?? ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 39 ?? ?? 0F 8F } - $block_69 = { 6A ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 80 7? ?? ?? 0F 85 } - $block_70 = { 8B ?? ?? 8B ?? ?? 2B ?? 2B ?? ?? 0F AF ?? 8B ?? ?? 3B ?? 7E } - $block_71 = { BF ?? ?? ?? ?? 89 ?? ?? 45 ?? ?? 41 ?? ?? ?? 48 ?? ?? 0F 84 } - $block_72 = { 0F BE ?? E8 ?? ?? ?? ?? 41 ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? 75 } - $block_73 = { 8B ?? ?? ?? ?? ?? 0F B7 ?? 8B ?? 39 ?? ?? ?? ?? ?? 0F 85 } - $block_74 = { 8D ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 83 ?? ?? 3B ?? 0F 84 } - $block_75 = { 0F B7 ?? ?? 03 ?? 8B ?? ?? 4? 83 ?? ?? 89 ?? ?? 3B ?? 72 } - $block_76 = { 8D ?? ?? 5? 03 ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 } - $block_77 = { 89 ?? ?? 8B ?? ?? ?? ?? ?? 5? 80 B? ?? ?? ?? ?? ?? 0F 84 } - $block_78 = { 83 ?? ?? D1 ?? 0F B7 ?? 33 ?? 89 ?? ?? 89 ?? ?? 85 ?? 74 } - $block_79 = { 38 ?? ?? ?? ?? ?? 0F 94 ?? 89 ?? ?? 5? 3A ?? 8B ?? 0F 84 } - $block_80 = { 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 84 } - $block_81 = { 5? 68 ?? ?? ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 3B ?? 0F 8C } - $block_82 = { C6 ?? ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? ?? 0F 8E } - $block_83 = { FF 7? ?? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 5? 3B ?? 0F 84 } - $block_84 = { 83 ?? ?? 6A ?? 8B ?? E8 ?? ?? ?? ?? 8B ?? 3B ?? 0F 8E } - $block_85 = { 89 ?? ?? 8B ?? ?? ?? ?? ?? 5? 38 ?? ?? ?? ?? ?? 0F 84 } - $block_86 = { 8B ?? ?? 8B ?? ?? 
5? 5? 33 ?? 5? E8 ?? ?? ?? ?? C9 C3 } - $block_87 = { 0F BE ?? E8 ?? ?? ?? ?? 88 ?? ?? 48 ?? ?? 48 ?? ?? 75 } - $block_88 = { 2B ?? ?? 0F B7 ?? 89 ?? ?? 0F B7 ?? 3B ?? ?? 0F 87 } - $block_89 = { E8 ?? ?? ?? ?? 33 ?? 8B ?? 39 ?? ?? ?? ?? ?? 0F 8E } - $block_90 = { 8B ?? ?? 5? 5? 8B ?? 33 ?? 5? E8 ?? ?? ?? ?? C9 C3 } - $block_91 = { 2B ?? ?? 0F B7 ?? 89 ?? ?? 0F B7 ?? 3B ?? ?? 0F 83 } - $block_92 = { 0F B7 ?? ?? ?? ?? ?? ?? 8B ?? 48 ?? ?? 49 ?? ?? 72 } - $block_93 = { 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 83 ?? ?? 0F 84 } - $block_94 = { 83 ?? ?? D1 ?? 0F B7 ?? 33 ?? 89 ?? ?? 85 ?? 74 } - $block_95 = { 5? C6 ?? ?? ?? ?? ?? ?? FF D? 85 ?? 0F 94 ?? 88 } - $block_96 = { 03 ?? 6A ?? 99 5? F7 ?? 39 ?? ?? ?? ?? ?? 0F 9F } - $block_97 = { 66 ?? ?? 0F 95 ?? ?? 33 ?? 66 ?? ?? 66 ?? ?? 74 } - $block_98 = { 8B ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 3B ?? 0F 84 } - $block_99 = { 0F B7 ?? 48 ?? ?? ?? 66 ?? ?? ?? ?? 66 ?? ?? 75 } - - condition: - hash.sha256(0, filesize) == "b52285393bd75897662c662bcfef0d3e3a0b185fd297c325ffe283abafa93f65" or - hash.sha256(0, filesize) == "1950d2e706fbc6263d376c0c4f16bd5acfd543248ee072657ba3dd62da8427eb" or - hash.sha256(0, filesize) == "eeb7784b77d86627bac32e4db20da382cb4643ff8eb86ab1abaebaa56a650158" or - hash.sha256(0, filesize) == "ff22dbefce16adfc684fb79f4b8cd441a7f08fa34ba1d9b28724e7b32dbd62b4" or - hash.sha256(0, filesize) == "3a5918c69b6ee801ab8bfc4fc872ac32cc96a47b53c3525723cc27f150e0bfa3" or - hash.sha256(0, filesize) == "10bca4fbbd39a86211d8b18622de1760992e81d4a45c1b45c8062faf30bbb7f8" or - hash.sha256(0, filesize) == "69389f0d35d003ec3c9506243fd264afefe099d99fcc0e7d977007a12290a290" or - hash.sha256(0, filesize) == "6ed939f59476fd31dc4d99e96136e928fbd88aec0d9c59846092c0e93a3c0e27" or - hash.sha256(0, filesize) == "80cf8753ef6e1efd55f5f7afb20571472030e589ceb9423f91384dae51dfca36" or - 12 of them -} - -rule CarbonDropper_v3_77_ { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { 48 ?? ?? ?? 
?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_1 = { 48 ?? ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? 0F 84 } - $block_2 = { 48 ?? ?? ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? 48 ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_3 = { 0F B7 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 66 ?? ?? ?? ?? ?? ?? ?? 66 ?? ?? 75 } - $block_4 = { 0F B7 ?? ?? ?? 48 ?? ?? ?? 66 ?? ?? ?? ?? ?? ?? ?? 66 ?? ?? 75 } - $block_5 = { 48 ?? ?? ?? ?? ?? ?? 49 ?? ?? FF 1? ?? ?? ?? ?? 83 ?? ?? 0F 84 } - $block_6 = { 0F B7 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 66 ?? ?? ?? ?? 66 ?? ?? 75 } - $block_7 = { 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_8 = { 0F B7 ?? ?? 48 ?? ?? ?? 66 ?? ?? ?? ?? ?? ?? ?? 66 ?? ?? 75 } - $block_9 = { 48 ?? ?? ?? 33 ?? 48 ?? ?? 66 ?? ?? 48 ?? ?? 48 ?? ?? 0F 84 } - $block_10 = { 0F B7 ?? ?? 48 ?? ?? ?? 66 ?? ?? ?? ?? 66 ?? ?? 75 } - $block_11 = { 0F B7 ?? 48 ?? ?? ?? 66 ?? ?? ?? ?? ?? 66 ?? ?? 75 } - $block_12 = { 0F B7 ?? 48 ?? ?? ?? 66 ?? ?? ?? ?? 66 ?? ?? 75 } - - condition: - hash.sha256(0, filesize) == "aaa2afe68852cb76bccf7dbb0b541a5d62b7f0b15e47f0a24e63f68f50af167c" or - 12 of them -} - -rule GazerCommunicationModule_x64_ { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { 8B ?? ?? 48 ?? ?? ?? 41 ?? ?? 8B ?? ?? 48 ?? ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 48 ?? ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 48 ?? ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 48 ?? ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 48 ?? ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 48 ?? ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 48 ?? ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 48 ?? ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 48 ?? ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 48 ?? ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 48 ?? ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 48 ?? ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 48 ?? ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 48 ?? ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 48 ?? ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 48 ?? ?? ?? ?? ?? ?? 89 ?? ?? 8B ?? ?? 48 ?? ?? ?? ?? ?? 
?? 89 ?? ?? 89 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 8B ?? ?? 89 ?? ?? ?? ?? ?? ?? 8B ?? ?? 89 ?? ?? ?? ?? ?? ?? 8B ?? ?? 89 ?? ?? ?? ?? ?? ?? 8B ?? ?? 89 ?? ?? ?? ?? ?? ?? 8B ?? ?? 89 ?? ?? ?? 8B ?? ?? 89 ?? ?? ?? 8B ?? ?? 89 ?? ?? ?? 8B ?? ?? 89 ?? ?? ?? 8B ?? ?? 89 ?? ?? ?? 8B ?? ?? 89 ?? ?? ?? 8B ?? ?? 89 ?? ?? ?? 8B ?? ?? 89 ?? ?? ?? 8B ?? ?? 44 ?? ?? 89 ?? ?? ?? 8B ?? ?? 89 ?? ?? ?? 8B ?? ?? 4C ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? 8B ?? ?? 48 ?? ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 4C ?? ?? ?? ?? ?? ?? 48 ?? ?? 45 ?? ?? ?? 41 ?? ?? 49 ?? ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? 0F 84 } - $block_1 = { 8B ?? 48 ?? ?? ?? 41 ?? ?? 8B ?? 44 ?? ?? 48 ?? ?? ?? 49 ?? ?? 48 ?? ?? ?? 49 ?? ?? 41 ?? ?? ?? ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? ?? ?? 41 ?? ?? 4D ?? ?? 48 ?? ?? ?? 49 ?? ?? 41 ?? ?? ?? ?? ?? ?? ?? 41 ?? ?? 43 ?? ?? ?? ?? ?? ?? ?? 44 ?? ?? C1 ?? ?? 33 ?? ?? 8B ?? 44 ?? ?? 48 ?? ?? ?? 49 ?? ?? 48 ?? ?? ?? 49 ?? ?? 41 ?? ?? ?? ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? ?? ?? 41 ?? ?? 4D ?? ?? 48 ?? ?? ?? 49 ?? ?? 41 ?? ?? ?? ?? ?? ?? ?? 8B ?? ?? 43 ?? ?? ?? ?? ?? ?? ?? 44 ?? ?? 41 ?? ?? 8B ?? 44 ?? ?? 48 ?? ?? ?? 49 ?? ?? 48 ?? ?? ?? 49 ?? ?? 41 ?? ?? ?? ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? ?? ?? 41 ?? ?? 4D ?? ?? 48 ?? ?? ?? 49 ?? ?? 41 ?? ?? ?? ?? ?? ?? ?? 41 ?? ?? 43 ?? ?? ?? ?? ?? ?? ?? 44 ?? ?? C1 ?? ?? 33 ?? ?? 8B ?? 44 ?? ?? 48 ?? ?? ?? 49 ?? ?? 48 ?? ?? ?? 49 ?? ?? 41 ?? ?? ?? ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? ?? ?? 41 ?? ?? 4D ?? ?? 48 ?? ?? ?? 49 ?? ?? 41 ?? ?? ?? ?? ?? ?? ?? 43 ?? ?? ?? ?? ?? ?? ?? 44 ?? ?? 48 ?? ?? 0F 85 } - $block_2 = { 8B ?? 48 ?? ?? ?? 41 ?? ?? 8B ?? 44 ?? ?? 48 ?? ?? ?? 49 ?? ?? 48 ?? ?? ?? 49 ?? ?? 8B ?? ?? ?? ?? ?? ?? 33 ?? ?? ?? ?? ?? ?? 41 ?? ?? 4D ?? ?? 48 ?? ?? ?? 49 ?? ?? 33 ?? ?? ?? ?? ?? ?? 41 ?? ?? 42 ?? ?? ?? ?? ?? ?? ?? 44 ?? ?? C1 ?? ?? 33 ?? ?? 8B ?? 44 ?? ?? 48 ?? ?? ?? 49 ?? ?? 48 ?? ?? ?? 49 ?? ?? 8B ?? ?? ?? ?? ?? ?? 33 ?? ?? ?? ?? ?? ?? 41 ?? ?? 4D ?? ?? 48 ?? ?? ?? 49 ?? ?? 33 ?? ?? ?? ?? ?? ?? 8B ?? 
?? 42 ?? ?? ?? ?? ?? ?? ?? 44 ?? ?? 41 ?? ?? 8B ?? 44 ?? ?? 48 ?? ?? ?? 49 ?? ?? 48 ?? ?? ?? 49 ?? ?? 8B ?? ?? ?? ?? ?? ?? 33 ?? ?? ?? ?? ?? ?? 41 ?? ?? 4D ?? ?? 48 ?? ?? ?? 49 ?? ?? 33 ?? ?? ?? ?? ?? ?? 41 ?? ?? 42 ?? ?? ?? ?? ?? ?? ?? 44 ?? ?? C1 ?? ?? 33 ?? ?? 8B ?? 44 ?? ?? 48 ?? ?? ?? 49 ?? ?? 48 ?? ?? ?? 49 ?? ?? 8B ?? ?? ?? ?? ?? ?? 33 ?? ?? ?? ?? ?? ?? 41 ?? ?? 4D ?? ?? 48 ?? ?? ?? 49 ?? ?? 33 ?? ?? ?? ?? ?? ?? 42 ?? ?? ?? ?? ?? ?? ?? 44 ?? ?? 48 ?? ?? 0F 85 } - $block_3 = { 8B ?? 48 ?? ?? ?? 41 ?? ?? 8B ?? 44 ?? ?? 48 ?? ?? ?? 49 ?? ?? 48 ?? ?? ?? 49 ?? ?? 8B ?? ?? ?? ?? ?? ?? 33 ?? ?? ?? ?? ?? ?? 41 ?? ?? 4D ?? ?? 48 ?? ?? ?? 49 ?? ?? 33 ?? ?? ?? ?? ?? ?? 41 ?? ?? 42 ?? ?? ?? ?? ?? ?? ?? 44 ?? ?? C1 ?? ?? 33 ?? ?? 8B ?? 44 ?? ?? 48 ?? ?? ?? 49 ?? ?? 48 ?? ?? ?? 49 ?? ?? 8B ?? ?? ?? ?? ?? ?? 33 ?? ?? ?? ?? ?? ?? 41 ?? ?? 4D ?? ?? 48 ?? ?? ?? 49 ?? ?? 33 ?? ?? ?? ?? ?? ?? 8B ?? ?? 42 ?? ?? ?? ?? ?? ?? ?? 44 ?? ?? 41 ?? ?? 8B ?? 44 ?? ?? 48 ?? ?? ?? 49 ?? ?? 48 ?? ?? ?? 49 ?? ?? 8B ?? ?? ?? ?? ?? ?? 33 ?? ?? ?? ?? ?? ?? 41 ?? ?? 4D ?? ?? 48 ?? ?? ?? 49 ?? ?? 33 ?? ?? ?? ?? ?? ?? 41 ?? ?? 42 ?? ?? ?? ?? ?? ?? ?? 44 ?? ?? C1 ?? ?? 33 ?? ?? 8B ?? 44 ?? ?? 48 ?? ?? ?? 49 ?? ?? 48 ?? ?? ?? 49 ?? ?? 8B ?? ?? ?? ?? ?? ?? 33 ?? ?? ?? ?? ?? ?? 41 ?? ?? 4D ?? ?? 48 ?? ?? ?? 49 ?? ?? 33 ?? ?? ?? ?? ?? ?? 42 ?? ?? ?? ?? ?? ?? ?? 44 ?? ?? 49 ?? ?? 0F 85 } - $block_4 = { 48 ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 41 ?? 41 ?? 44 ?? ?? ?? 0F B6 ?? ?? 49 ?? ?? 44 ?? ?? ?? ?? 41 ?? ?? ?? 48 ?? ?? ?? 44 ?? ?? 0F B6 ?? ?? 41 ?? ?? ?? 41 ?? ?? ?? BD ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? 44 ?? ?? 0F B6 ?? ?? 41 ?? ?? ?? 44 ?? ?? 0F B6 ?? ?? 44 ?? ?? 0F B6 ?? ?? 41 ?? ?? ?? 44 ?? ?? 0F B6 ?? ?? 41 ?? ?? ?? 44 ?? ?? 41 ?? ?? C1 ?? ?? 41 ?? ?? 23 ?? 44 ?? ?? C1 ?? ?? 44 ?? ?? 41 ?? ?? C1 ?? ?? 41 ?? ?? 0F B7 ?? 44 ?? ?? C1 ?? ?? 44 ?? ?? 41 ?? ?? C1 ?? ?? 41 ?? ?? 41 ?? ?? 4C ?? ?? ?? ?? ?? ?? 44 ?? ?? C1 ?? ?? 44 ?? ?? 45 ?? ?? 41 ?? ?? ?? 45 ?? ?? 41 ?? ?? ?? ?? ?? ?? 45 ?? 
?? 41 ?? ?? ?? 45 ?? ?? 41 ?? ?? 45 ?? ?? 45 ?? ?? 41 ?? ?? ?? ?? ?? ?? 45 ?? ?? 45 ?? ?? 41 ?? ?? ?? ?? ?? 45 ?? ?? ?? 41 ?? ?? 41 } - $block_5 = { 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 5? 41 ?? 41 ?? 48 ?? ?? ?? ?? ?? ?? 4D ?? ?? 8B ?? 4C ?? ?? ?? ?? ?? ?? 4C ?? ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 49 ?? ?? E8 ?? ?? ?? ?? 4C ?? ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 49 ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 44 ?? ?? ?? ?? ?? 0F B7 ?? ?? ?? 44 ?? ?? ?? ?? ?? 44 ?? ?? ?? ?? 4C ?? ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 49 ?? ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? ?? B9 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 8B ?? FF 1? ?? ?? ?? ?? 48 ?? ?? FF 1? ?? ?? ?? ?? 8B ?? FF 1? ?? ?? ?? ?? 48 ?? ?? ?? ?? 89 ?? ?? ?? 4C ?? ?? ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 49 ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? B9 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? 74 } - $block_6 = { 48 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? ?? ?? 45 ?? ?? 4C ?? ?? B1 ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? ?? 88 ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? B1 ?? 4C ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? ?? 88 ?? ?? FF 1? ?? ?? ?? ?? 8A ?? ?? ?? ?? ?? 8A ?? 48 ?? ?? ?? ?? 4C ?? ?? 80 E? ?? 41 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? ?? 88 ?? ?? FF 1? ?? ?? ?? ?? C0 ?? ?? 48 ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? 8A ?? 4C ?? ?? E8 ?? ?? ?? ?? 4D ?? ?? C6 ?? ?? ?? 88 ?? ?? B8 ?? ?? ?? ?? 45 ?? ?? ?? 45 ?? ?? F7 ?? 8B ?? C1 ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 6B ?? ?? 2B ?? 89 ?? ?? ?? 48 ?? ?? ?? 8B ?? ?? ?? 48 ?? ?? ?? ?? 99 2B ?? D1 ?? 8D ?? ?? 89 } - $block_7 = { 41 ?? ?? 44 ?? ?? C1 ?? ?? 41 ?? ?? ?? 44 ?? ?? 43 ?? ?? ?? ?? ?? ?? ?? 8B ?? C1 ?? ?? 44 ?? ?? C1 ?? ?? 33 ?? 48 ?? ?? ?? 33 ?? 41 ?? ?? 47 ?? ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 44 ?? ?? 4C ?? ?? ?? 48 ?? ?? ?? 41 ?? ?? 41 ?? ?? ?? 41 ?? ?? C1 ?? ?? 41 ?? ?? ?? 41 ?? ?? 41 ?? ?? 4C ?? ?? ?? 33 ?? 89 ?? 43 ?? ?? ?? ?? ?? ?? ?? 8B ?? C1 ?? ?? C1 ?? ?? 33 ?? 49 ?? ?? 48 ?? ?? ?? 33 ?? 43 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? 
4D ?? ?? 49 ?? ?? 49 ?? ?? ?? 48 ?? ?? ?? 4C ?? ?? ?? 45 ?? ?? ?? ?? ?? ?? ?? 44 ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? ?? 45 ?? ?? 41 ?? ?? ?? ?? ?? 41 ?? ?? C1 ?? ?? 83 ?? ?? 89 ?? ?? 45 ?? ?? 0F 84 } - $block_8 = { 41 ?? ?? 44 ?? ?? C1 ?? ?? 41 ?? ?? ?? 44 ?? ?? 43 ?? ?? ?? ?? ?? ?? ?? 8B ?? C1 ?? ?? 44 ?? ?? C1 ?? ?? 33 ?? 48 ?? ?? ?? 33 ?? 41 ?? ?? 47 ?? ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 45 ?? ?? 4C ?? ?? ?? 48 ?? ?? ?? 41 ?? ?? 41 ?? ?? ?? 41 ?? ?? ?? ?? ?? C1 ?? ?? 41 ?? ?? 41 ?? ?? 33 ?? 41 ?? ?? 43 ?? ?? ?? ?? ?? ?? ?? 4C ?? ?? ?? 8B ?? C1 ?? ?? 4D ?? ?? C1 ?? ?? 49 ?? ?? ?? 33 ?? 48 ?? ?? ?? 33 ?? 43 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? 4D ?? ?? 49 ?? ?? 4D ?? ?? 48 ?? ?? ?? 4C ?? ?? ?? 45 ?? ?? ?? ?? ?? ?? ?? 44 ?? ?? ?? ?? 8B ?? ?? F7 ?? 41 ?? ?? ?? ?? ?? ?? 83 ?? ?? 44 ?? ?? 41 ?? ?? C1 ?? ?? 83 ?? ?? 89 ?? ?? 45 ?? ?? 0F 84 } - $block_9 = { 4C ?? ?? 33 ?? 49 ?? ?? FF 1? ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? 45 ?? ?? 41 ?? ?? ?? ?? ?? 8B ?? 41 ?? ?? 44 ?? ?? ?? C1 ?? ?? 41 ?? ?? 41 ?? ?? C1 ?? ?? 41 ?? ?? 8B ?? 0F B6 ?? 41 ?? ?? C1 ?? ?? C1 ?? ?? 41 ?? ?? C1 ?? ?? 0F B6 ?? 03 ?? 48 ?? ?? ?? ?? ?? ?? 03 ?? 41 ?? ?? ?? 41 ?? ?? ?? 03 ?? B8 ?? ?? ?? ?? 03 ?? 41 ?? ?? F7 ?? 41 ?? ?? 41 ?? ?? ?? C1 ?? ?? 41 ?? ?? 03 ?? 41 ?? ?? 41 ?? ?? 6B ?? ?? 2B ?? F7 ?? 41 ?? ?? C1 ?? ?? 69 ?? ?? ?? ?? ?? 2B ?? F7 ?? C1 ?? ?? 69 ?? ?? ?? ?? ?? 2B ?? FF 1? ?? ?? ?? ?? 49 ?? ?? ?? BA ?? ?? ?? ?? 4C ?? ?? ?? ?? ?? ?? 44 ?? ?? 48 ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? FF 1? ?? ?? ?? ?? B3 } - - condition: - hash.sha256(0, filesize) == "93e36c336b5b20b3c33b7d0f8844572ddcc10046d1fe91b7b106d78c7fea932c" or - 10 of them -} - -rule Nautilus { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { 48 ?? ?? ?? ?? 44 ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? F2 ?? ?? ?? ?? ?? 66 ?? ?? ?? ?? ?? ?? ?? 0F 8A } - $block_1 = { 44 ?? ?? ?? 4C ?? ?? ?? 48 ?? ?? ?? 8D ?? ?? 48 ?? ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 } - $block_2 = { 49 ?? ?? 48 ?? ?? 48 ?? ?? A8 ?? 
0F 95 ?? 48 ?? ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 44 ?? ?? 85 ?? 75 } - $block_3 = { 48 ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? ?? 48 ?? ?? 44 ?? ?? E8 ?? ?? ?? ?? 8B ?? 48 ?? ?? E8 } - $block_4 = { 8B ?? 8B ?? C1 ?? ?? 83 ?? ?? 0F B6 ?? 4C ?? ?? 4D ?? ?? 4D ?? ?? 4B ?? ?? ?? 83 ?? ?? 0F 8F } - $block_5 = { 48 ?? ?? ?? ?? ?? 49 ?? ?? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 0F 85 } - $block_6 = { 4C ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? 0F 84 } - $block_7 = { 44 ?? ?? ?? 48 ?? ?? 41 ?? ?? F6 ?? 41 ?? ?? F6 ?? 0F B6 ?? 48 ?? ?? ?? 4C ?? ?? 49 ?? ?? 72 } - $block_8 = { 41 ?? ?? ?? 4D ?? ?? 33 ?? 8B ?? 89 ?? ?? ?? 48 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_9 = { 4C ?? ?? ?? ?? 4D ?? ?? 48 ?? ?? 48 ?? ?? 4C ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 85 } - $block_10 = { 8B ?? 41 ?? ?? 4D ?? ?? ?? 24 ?? F6 ?? 8D ?? ?? 1B ?? 83 ?? ?? 33 ?? 0F B6 ?? 4C ?? ?? 75 } - $block_11 = { 48 ?? ?? ?? 0F B6 ?? ?? C7 ?? ?? ?? ?? ?? ?? FF C? 83 ?? ?? 89 ?? ?? 89 ?? ?? 89 ?? ?? EB } - $block_12 = { FF 0? ?? ?? ?? ?? 45 ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 85 } - $block_13 = { B8 ?? ?? ?? ?? 41 ?? ?? 44 ?? ?? 41 ?? ?? ?? 44 ?? ?? 45 ?? ?? 41 ?? ?? ?? ?? ?? ?? 0F 8F } - $block_14 = { 0F B6 ?? 44 ?? ?? 44 ?? ?? 44 ?? ?? ?? ?? 45 ?? ?? 4C ?? ?? 89 ?? ?? ?? 48 ?? ?? ?? ?? 48 } - $block_15 = { 44 ?? ?? ?? ?? ?? ?? 4C ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 85 } - $block_16 = { 44 ?? ?? ?? ?? ?? ?? 4C ?? ?? ?? 48 ?? ?? ?? 49 ?? ?? E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 85 } - $block_17 = { A8 ?? 8B ?? 48 ?? ?? 0F 95 ?? 48 ?? ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 44 ?? ?? 85 ?? 0F 85 } - $block_18 = { 48 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 8B ?? ?? FF C? 81 F? ?? ?? ?? ?? 89 ?? ?? 0F 44 ?? 89 } - $block_19 = { 48 ?? ?? ?? 41 ?? ?? F6 ?? 41 ?? ?? C0 ?? ?? E8 ?? ?? ?? ?? 33 ?? 44 ?? ?? 85 ?? 0F 85 } - $block_20 = { FF 0? ?? ?? ?? ?? 4C ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 85 ?? 
0F 85 } - $block_21 = { FF 0? ?? ?? ?? ?? 4D ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 85 } - $block_22 = { E8 ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 83 ?? ?? 0F 84 } - $block_23 = { 8B ?? ?? 69 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? 40 ?? ?? ?? 0F 84 } - $block_24 = { 4C ?? ?? ?? ?? 8B ?? 48 ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? 0F 85 } - $block_25 = { 48 ?? ?? ?? 44 ?? ?? ?? ?? ?? ?? 4C ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 85 } - $block_26 = { FF 0? ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 4D ?? ?? E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 85 } - $block_27 = { FF 0? ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 4C ?? ?? E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 85 } - $block_28 = { 0F 10 ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? F3 ?? ?? ?? 48 ?? ?? ?? 5? C3 } - $block_29 = { 41 ?? ?? ?? 45 ?? ?? ?? 4D ?? ?? C1 ?? ?? 44 ?? ?? ?? ?? 49 ?? ?? 49 ?? ?? ?? 0F 8C } - $block_30 = { 0F B6 ?? ?? E8 ?? ?? ?? ?? 88 ?? 48 ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? 48 ?? ?? 72 } - $block_31 = { 4C ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 85 } - $block_32 = { 48 ?? ?? ?? 41 ?? ?? ?? ?? ?? 48 ?? ?? ?? 8B ?? 83 ?? ?? 83 ?? ?? 83 ?? ?? 0F 87 } - $block_33 = { 44 ?? ?? ?? ?? ?? ?? 4C ?? ?? 48 ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 85 } - $block_34 = { 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 } - $block_35 = { 4C ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 49 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 } - $block_36 = { 48 ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? FE ?? 0F B6 ?? FF 1? ?? ?? ?? ?? 8B ?? 89 } - $block_37 = { BA ?? ?? ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? 48 ?? ?? 0F 84 } - $block_38 = { 4D ?? ?? ?? 48 ?? ?? ?? 4D ?? ?? 49 ?? ?? E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 85 } - $block_39 = { 48 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? BB ?? ?? ?? ?? 85 ?? 0F 84 } - $block_40 = { 44 ?? ?? ?? ?? 41 ?? ?? 41 ?? ?? 41 ?? ?? 41 ?? ?? 3B ?? 0F 4C ?? 85 ?? 
7E } - $block_41 = { BA ?? ?? ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? 48 ?? ?? 0F 84 } - $block_42 = { 48 ?? ?? ?? ?? 48 ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? 85 ?? 0F 85 } - $block_43 = { 41 ?? ?? ?? ?? ?? ?? 48 ?? ?? 8D ?? ?? 41 ?? ?? 48 ?? ?? ?? 3B ?? 0F 8C } - $block_44 = { 48 ?? ?? ?? ?? 44 ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 80 7? ?? ?? ?? 0F 85 } - $block_45 = { 8A ?? ?? B9 ?? ?? ?? ?? 40 ?? ?? C0 ?? ?? 41 ?? ?? D2 ?? 84 ?? 0F 85 } - $block_46 = { 48 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 89 } - $block_47 = { 4C ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 85 } - $block_48 = { 44 ?? ?? 48 ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? ?? 3B ?? 0F 8C } - $block_49 = { 4C ?? ?? ?? 4D ?? ?? 49 ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 } - $block_50 = { 4C ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 85 } - $block_51 = { 48 ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? 8D ?? ?? ?? ?? ?? ?? 4C ?? ?? 72 } - $block_52 = { 4B ?? ?? ?? 03 ?? 48 ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 41 ?? ?? 0F 8F } - $block_53 = { 4C ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 } - $block_54 = { 0F 28 ?? ?? BE ?? ?? ?? ?? 48 ?? ?? ?? ?? 44 ?? ?? ?? 0F 11 } - $block_55 = { 0F B6 ?? 3B ?? 0F 4F ?? 3B ?? 0F 4C ?? 48 ?? ?? 48 ?? ?? 75 } - $block_56 = { 48 ?? ?? ?? BB ?? ?? ?? ?? 8B ?? E8 ?? ?? ?? ?? 85 ?? 0F 88 } - $block_57 = { 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? 0F 84 } - $block_58 = { 48 ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? 0F 84 } - $block_59 = { 0F 28 ?? ?? 41 ?? ?? ?? 45 ?? ?? ?? 48 ?? ?? ?? ?? 0F 11 } - $block_60 = { 8B ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 4C ?? ?? 48 ?? ?? 0F 84 } - $block_61 = { 48 ?? ?? ?? ?? 4C ?? ?? ?? ?? 4D ?? ?? ?? 4C ?? ?? 0F 82 } - $block_62 = { 4C ?? ?? ?? 48 ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 } - $block_63 = { 49 ?? ?? 49 ?? ?? E8 ?? ?? ?? ?? 4C ?? ?? 48 ?? ?? 0F 84 } - $block_64 = { 8D ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? 0F 84 } - $block_65 = { 48 ?? ?? ?? 49 ?? ?? 
E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 85 } - $block_66 = { 48 ?? ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 85 } - $block_67 = { 45 ?? ?? ?? 4D ?? ?? 66 ?? ?? ?? ?? 41 ?? ?? ?? 0F 8C } - $block_68 = { 49 ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 85 } - $block_69 = { 49 ?? ?? 49 ?? ?? E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 85 } - $block_70 = { 41 ?? ?? 41 ?? ?? 44 ?? ?? 45 ?? ?? 45 ?? ?? 0F 8F } - $block_71 = { 49 ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? 49 ?? ?? ?? 0F 86 } - $block_72 = { 48 ?? ?? ?? 48 ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 } - $block_73 = { 48 ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 0F 10 ?? F3 } - $block_74 = { 49 ?? ?? ?? 8B ?? 8B ?? C1 ?? ?? 0F B6 ?? 85 ?? 7E } - $block_75 = { 4C ?? ?? ?? 44 ?? ?? ?? 44 ?? ?? ?? 44 ?? ?? 0F 84 } - $block_76 = { 48 ?? ?? ?? 49 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 } - $block_77 = { 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 85 } - $block_78 = { 48 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? ?? ?? 0F 87 } - $block_79 = { 48 ?? ?? ?? 48 ?? ?? B8 ?? ?? ?? ?? 84 ?? 0F 84 } - $block_80 = { 83 ?? ?? ?? 8B ?? ?? 4C ?? ?? ?? 49 ?? ?? 0F 85 } - $block_81 = { 41 ?? ?? ?? ?? ?? ?? 44 ?? ?? ?? 44 ?? ?? 0F 8C } - $block_82 = { 49 ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? 0F 84 } - - condition: - hash.sha256(0, filesize) == "cefc5cf4d46abb86fb0f7c81549777cf1a2a5bfbe1ce9e7d08128ab8bfc978f8" or - 24 of them -} - -rule CarbonOrchestrator_v3_81_ { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { E8 ?? ?? ?? ?? 99 B9 ?? ?? ?? ?? F7 ?? 8B ?? 48 ?? ?? ?? ?? 8B ?? ?? 2B ?? 8B ?? 89 ?? ?? ?? EB } - $block_1 = { 8B ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? E8 ?? ?? ?? ?? 0F B6 ?? 85 ?? 74 } - $block_2 = { C7 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 0F B6 ?? 88 ?? ?? ?? 0F B6 ?? ?? ?? 3D ?? ?? ?? ?? 0F 85 } - $block_3 = { 4C ?? ?? ?? ?? 88 ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 0F B6 ?? ?? ?? ?? ?? ?? 85 ?? 74 } - $block_4 = { 5? 68 ?? ?? ?? ?? 6A ?? 5? 5? 68 ?? ?? ?? ?? FF 3? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 
83 ?? ?? 0F 85 } - $block_5 = { 5? 68 ?? ?? ?? ?? 6A ?? 5? 5? 68 ?? ?? ?? ?? FF 7? ?? FF 1? ?? ?? ?? ?? 89 ?? ?? 83 ?? ?? 0F 84 } - $block_6 = { 66 ?? ?? ?? 6A ?? 8D ?? ?? 5? 5? 5? FF 7? ?? E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? 89 ?? ?? 85 ?? 0F 85 } - $block_7 = { 89 ?? ?? 6A ?? 8D ?? ?? ?? ?? ?? 5? 5? FF 7? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 3B ?? 0F 85 } - $block_8 = { 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? ?? ?? 0F BE ?? ?? 83 ?? ?? 75 } - $block_9 = { 0F B7 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? FF 9? ?? ?? ?? ?? 48 ?? ?? ?? ?? 66 ?? ?? ?? EB } - $block_10 = { 8D ?? ?? ?? 5? 8D ?? ?? ?? 5? 8D ?? ?? ?? 5? FF 3? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 84 ?? 0F 84 } - $block_11 = { FF 7? ?? ?? 8B ?? ?? ?? FF 7? ?? ?? E8 ?? ?? ?? ?? 33 ?? 5? 5? 89 ?? ?? ?? 39 ?? ?? ?? 0F 85 } - $block_12 = { 5? FF 1? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? 5? 89 ?? ?? ?? FF D? 5? 5? 89 ?? ?? ?? 3B ?? 0F 84 } - $block_13 = { FF 7? ?? FF 1? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? FF 7? ?? FF 1? ?? ?? ?? ?? 5? 5? 85 ?? 0F 85 } - $block_14 = { 0F BE ?? ?? ?? BA ?? ?? ?? ?? 8B ?? E8 ?? ?? ?? ?? 88 ?? ?? ?? 0F B6 ?? ?? ?? 83 ?? ?? 7C } - $block_15 = { 48 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? 85 ?? 75 } - $block_16 = { 48 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 0F B7 ?? ?? 3D ?? ?? ?? ?? 75 } - $block_17 = { 8B ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? 0F 84 } - $block_18 = { 48 ?? ?? ?? ?? ?? ?? ?? 0F B7 ?? 33 ?? B9 ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? EB } - $block_19 = { 4C ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 } - $block_20 = { FF 1? ?? ?? ?? ?? FF 7? ?? 8B ?? 5? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 83 ?? ?? 0F 84 } - $block_21 = { 8B ?? ?? 89 ?? ?? 8D ?? ?? 5? FF 7? ?? 8D ?? ?? E8 ?? ?? ?? ?? 5? 5? 89 ?? ?? 85 ?? 0F 85 } - $block_22 = { 8B ?? 99 F7 ?? 83 ?? ?? ?? 8A ?? 83 ?? ?? ?? 33 ?? 4? 89 ?? ?? 88 ?? ?? 89 ?? ?? 85 ?? 
7E } - $block_23 = { 8B ?? ?? 6A ?? 8D ?? ?? ?? 5? 5? 5? FF 7? ?? ?? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 3B ?? 0F 85 } - $block_24 = { 8B ?? ?? ?? 44 ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 } - $block_25 = { 48 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 88 ?? ?? ?? ?? ?? ?? 0F B6 ?? ?? ?? ?? ?? ?? 85 ?? 74 } - $block_26 = { 48 ?? ?? ?? ?? ?? ?? ?? 0F B6 ?? ?? 88 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 75 } - $block_27 = { 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 0F B6 ?? ?? 88 ?? ?? ?? 8B ?? ?? ?? FF C? 89 ?? ?? ?? C7 } - $block_28 = { 8B ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? E8 ?? ?? ?? ?? 0F B6 ?? 85 ?? 74 } - $block_29 = { 41 ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? 85 ?? 75 } - $block_30 = { 0F B6 ?? 23 ?? ?? 8B ?? ?? D3 ?? 8B ?? ?? D2 ?? 0A ?? FF 4? ?? 83 ?? ?? ?? 8B ?? ?? 7C } - $block_31 = { 6A ?? 8D ?? ?? ?? 5? 5? FF 7? ?? ?? FF 7? ?? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 85 } - $block_32 = { 48 ?? ?? ?? ?? ?? ?? ?? 0F B7 ?? 33 ?? B9 ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? ?? ?? 73 } - $block_33 = { 48 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 0F BE ?? ?? ?? 83 ?? ?? 74 } - $block_34 = { 48 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? ?? 83 ?? ?? ?? ?? 0F 85 } - $block_35 = { 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? 83 ?? ?? 0F 85 } - $block_36 = { 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 83 ?? ?? 0F 84 } - $block_37 = { 0F BF ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 89 ?? C7 ?? ?? ?? ?? ?? ?? ?? E9 } - $block_38 = { 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 89 ?? ?? ?? 83 ?? ?? ?? ?? 0F 85 } - $block_39 = { 0F BF ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 89 ?? C7 ?? ?? ?? ?? ?? ?? ?? EB } - $block_40 = { 8B ?? ?? ?? 8B ?? ?? ?? 03 ?? 8B ?? 89 ?? ?? ?? 8B ?? ?? ?? 39 ?? ?? ?? 0F 82 } - $block_41 = { 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? ?? 83 ?? ?? ?? ?? 0F 85 } - $block_42 = { FF 1? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 
?? 81 B? ?? ?? ?? ?? ?? ?? ?? ?? ?? 0F 85 } - $block_43 = { 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 0F 84 } - $block_44 = { 33 ?? 48 ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? ?? 83 ?? ?? ?? ?? 0F 85 } - $block_45 = { 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 0F 85 } - $block_46 = { 48 ?? ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 0F B6 ?? ?? ?? ?? ?? ?? 83 ?? ?? 75 } - $block_47 = { 0F BE ?? ?? ?? 8B ?? 48 ?? ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 74 } - $block_48 = { B2 ?? 48 ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? ?? 0F 85 } - $block_49 = { 48 ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? 39 ?? ?? 0F 85 } - $block_50 = { 48 ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 0F B7 ?? ?? 85 ?? 74 } - $block_51 = { 0F B7 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? FF 9? ?? ?? ?? ?? 66 ?? ?? ?? ?? EB } - $block_52 = { 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 } - $block_53 = { 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 8B ?? ?? 8B ?? ?? 2B ?? 3B ?? ?? ?? 0F 87 } - $block_54 = { 0F B6 ?? ?? ?? B9 ?? ?? ?? ?? 2B ?? 8B ?? 0F B6 ?? ?? ?? 03 ?? 8B ?? 88 } - $block_55 = { 8B ?? ?? ?? ?? ?? ?? FF C? 48 ?? 48 ?? ?? ?? ?? 0F BE ?? ?? 85 ?? 75 } - $block_56 = { 0F BE ?? ?? ?? 8B ?? 48 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 74 } - $block_57 = { 48 ?? ?? ?? ?? 8B ?? ?? 99 83 ?? ?? 03 ?? C1 ?? ?? 39 ?? ?? ?? 7E } - $block_58 = { 0F B7 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 8B ?? ?? ?? 39 ?? ?? ?? 77 } - $block_59 = { 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 0F 84 } - $block_60 = { 8B ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? 2B ?? 8B ?? 3D ?? ?? ?? ?? 0F 8C } - $block_61 = { B2 ?? 48 ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? 85 ?? 75 } - $block_62 = { 0F B6 ?? ?? ?? ?? ?? ?? 88 ?? ?? ?? 0F B6 ?? ?? ?? 85 ?? 0F 84 } - $block_63 = { 48 ?? ?? ?? ?? 0F B6 ?? 88 ?? ?? ?? 0F B6 ?? ?? ?? 83 ?? ?? 75 } - $block_64 = { 8B ?? ?? ?? FF C? 89 ?? ?? ?? 0F B7 ?? ?? ?? 39 ?? ?? ?? 
0F 83 } - $block_65 = { 48 ?? ?? ?? ?? ?? ?? ?? 8B ?? ?? 39 ?? ?? ?? ?? ?? ?? 0F 83 } - $block_66 = { 0F B7 ?? ?? ?? ?? ?? ?? 0F B7 ?? ?? ?? ?? ?? ?? 3B ?? 0F 85 } - $block_67 = { 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 0F 84 } - $block_68 = { 8B ?? ?? ?? FF C? 48 ?? 48 ?? ?? ?? ?? 0F BE ?? ?? 85 ?? 75 } - $block_69 = { 48 ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? 83 ?? ?? 75 } - $block_70 = { 0F B7 ?? ?? ?? ?? ?? ?? 0F B7 ?? ?? ?? ?? ?? ?? 3B ?? 7D } - $block_71 = { 0F B7 ?? ?? ?? ?? ?? ?? 0F B7 ?? ?? ?? ?? ?? ?? 3B ?? 75 } - $block_72 = { 0F B7 ?? ?? ?? ?? ?? ?? 0F B7 ?? ?? ?? ?? ?? ?? 3B ?? 7F } - $block_73 = { 8B ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? 2B ?? 8B ?? 85 ?? 0F 85 } - $block_74 = { 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? 48 ?? ?? 0F 85 } - $block_75 = { 8B ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? 2B ?? 8B ?? 85 ?? 0F 8E } - $block_76 = { 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 0F 85 } - $block_77 = { 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 8B ?? ?? 39 ?? ?? 0F 83 } - $block_78 = { 48 ?? ?? ?? ?? ?? ?? ?? 0F B7 ?? ?? 3D ?? ?? ?? ?? 75 } - $block_79 = { B2 ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? 85 ?? 75 } - $block_80 = { 8B ?? ?? ?? 8B ?? ?? ?? FF C? 89 ?? ?? ?? 85 ?? 0F 84 } - $block_81 = { 48 ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? 0F 85 } - $block_82 = { 48 ?? ?? ?? ?? ?? ?? ?? 0F B7 ?? ?? 3D ?? ?? ?? ?? 74 } - $block_83 = { 48 ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? 0F 86 } - $block_84 = { 33 ?? 8B ?? ?? ?? F7 ?? ?? ?? FF C? 0F AF ?? ?? ?? 89 } - $block_85 = { 8B ?? ?? ?? 48 ?? ?? ?? ?? 0F BE ?? ?? 85 ?? 0F 85 } - $block_86 = { 48 ?? ?? ?? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 0F 85 } - $block_87 = { 0F B7 ?? ?? ?? ?? ?? ?? 25 ?? ?? ?? ?? 85 ?? 0F 84 } - $block_88 = { 0F B7 ?? ?? ?? 48 ?? ?? ?? ?? 0F B7 ?? ?? 3B ?? 7D } - $block_89 = { 48 ?? ?? ?? ?? ?? ?? ?? 0F B7 ?? 39 ?? ?? ?? 0F 85 } - $block_90 = { 8B ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 0F 85 } - $block_91 = { 48 ?? ?? ?? ?? 48 ?? ?? 83 ?? ?? ?? ?? ?? ?? 
0F 85 } - $block_92 = { 48 ?? ?? ?? ?? ?? ?? ?? 0F B7 ?? ?? 83 ?? ?? 75 } - $block_93 = { 8B ?? ?? ?? ?? ?? ?? 0F BE ?? ?? ?? 83 ?? ?? 74 } - $block_94 = { 8B ?? ?? ?? ?? ?? ?? 39 ?? ?? ?? ?? ?? ?? 0F 83 } - $block_95 = { 48 ?? ?? ?? ?? ?? ?? ?? 0F BE ?? ?? 83 ?? ?? 75 } - $block_96 = { 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? 0F 85 } - $block_97 = { B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? 85 ?? 74 } - $block_98 = { 48 ?? ?? ?? ?? ?? ?? ?? 0F BE ?? ?? 83 ?? ?? 74 } - $block_99 = { 8B ?? ?? ?? ?? ?? ?? 39 ?? ?? ?? ?? ?? ?? 0F 8D } - - condition: - hash.sha256(0, filesize) == "d1ad698567b04ea5ce8197c0316444ad8ee0350b46e0414f53f54c278b393a19" or - hash.sha256(0, filesize) == "e82d4b6d037568a4602e70f099005572b587c220793afd8f90c13cb7bbde61ed" or - hash.sha256(0, filesize) == "7fa4482bfbca550ce296d8e791b1091d60d733ea8042167fd0eb853530584452" or - 24 of them -} - -rule CarbonCommunicationLibrary_v4_00_ { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { 5? 68 ?? ?? ?? ?? 6A ?? 5? 5? 68 ?? ?? ?? ?? FF 7? ?? FF 1? ?? ?? ?? ?? 89 ?? ?? 83 ?? ?? 0F 84 } - $block_1 = { 8D ?? ?? ?? 5? 8D ?? ?? ?? 5? 8D ?? ?? ?? 5? 8D ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 84 ?? 0F 84 } - $block_2 = { 89 ?? ?? 6A ?? 8D ?? ?? ?? ?? ?? 5? 5? FF 7? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 3B ?? 0F 85 } - $block_3 = { 6A ?? 8D ?? ?? 5? 5? FF 1? ?? ?? ?? ?? 83 ?? ?? 0F B7 ?? 5? 6A ?? 89 ?? ?? FF D? 5? 5? 85 ?? 74 } - $block_4 = { 66 ?? ?? ?? 6A ?? 8D ?? ?? 5? 5? 5? FF 7? ?? E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? 89 ?? ?? 85 ?? 0F 85 } - $block_5 = { 8B ?? ?? 4F ?? ?? ?? 44 ?? ?? ?? ?? ?? ?? ?? 41 ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 85 } - $block_6 = { FF 7? ?? FF 1? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? FF 7? ?? FF 1? ?? ?? ?? ?? 5? 5? 85 ?? 0F 85 } - $block_7 = { 48 ?? ?? ?? ?? 5? 5? 5? 41 ?? 41 ?? 41 ?? 41 ?? 48 ?? ?? ?? 48 ?? ?? 48 ?? ?? 83 ?? ?? 0F 8E } - $block_8 = { 8B ?? 99 F7 ?? 83 ?? ?? ?? 8A ?? 83 ?? ?? ?? 33 ?? 4? 89 ?? ?? 88 ?? ?? 89 ?? ?? 
85 ?? 7E } - $block_9 = { 8B ?? ?? 89 ?? ?? 8D ?? ?? 5? FF 7? ?? 8D ?? ?? E8 ?? ?? ?? ?? 5? 5? 89 ?? ?? 85 ?? 0F 85 } - $block_10 = { 8B ?? ?? 6A ?? 8D ?? ?? ?? 5? 5? 5? FF 7? ?? ?? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 3B ?? 0F 85 } - $block_11 = { 8B ?? ?? 48 ?? ?? ?? 4C ?? ?? ?? 48 ?? ?? ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 85 } - $block_12 = { 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 8B ?? 85 ?? 0F 84 } - $block_13 = { 48 ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 0F 85 } - $block_14 = { 0F B6 ?? 23 ?? ?? 8B ?? ?? D3 ?? 8B ?? ?? D2 ?? 0A ?? FF 4? ?? 83 ?? ?? ?? 8B ?? ?? 7C } - $block_15 = { 6A ?? 8D ?? ?? ?? ?? ?? 5? 5? FF 7? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 3B ?? 0F 85 } - $block_16 = { FF 7? ?? 6A ?? 5? FF 1? ?? ?? ?? ?? 83 ?? ?? 5? E8 ?? ?? ?? ?? 5? 89 ?? ?? 85 ?? 0F 85 } - $block_17 = { FF 3? ?? ?? ?? ?? E8 ?? ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 8E } - $block_18 = { 6A ?? 8D ?? ?? 5? 6A ?? 5? FF 7? ?? E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? 89 ?? ?? 85 ?? 0F 85 } - $block_19 = { 5? FF 7? ?? E8 ?? ?? ?? ?? 01 ?? ?? 0F B7 ?? ?? 83 ?? ?? 83 ?? ?? FF 4? ?? 39 ?? ?? 72 } - $block_20 = { 6A ?? 8D ?? ?? ?? 5? 5? FF 7? ?? ?? FF 7? ?? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 85 } - $block_21 = { 48 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 8E } - $block_22 = { 48 ?? ?? ?? ?? ?? ?? 45 ?? ?? BA ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? 0F 84 } - $block_23 = { 44 ?? ?? 4C ?? ?? 33 ?? 48 ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 } - $block_24 = { 41 ?? ?? ?? 8B ?? E8 ?? ?? ?? ?? 41 ?? ?? 49 ?? ?? ?? 44 ?? ?? 0F B7 ?? ?? 44 ?? ?? 72 } - $block_25 = { 5? FF 7? ?? FF 1? ?? ?? ?? ?? 4? 5? FF 7? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 3B ?? 0F 85 } - $block_26 = { 8B ?? ?? 03 ?? ?? 03 ?? ?? 5? 5? FF 7? ?? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 85 } - $block_27 = { 89 ?? ?? FF 7? ?? 68 ?? ?? ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 5? 5? 89 ?? ?? 
3B ?? 0F 85 } - $block_28 = { FF 7? ?? 68 ?? ?? ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 5? 5? 89 ?? ?? 8B ?? ?? 85 ?? 0F 85 } - $block_29 = { 41 ?? ?? ?? ?? ?? ?? ?? 41 ?? ?? 45 ?? ?? 44 ?? ?? ?? 45 ?? ?? 89 ?? ?? 85 ?? 0F 8E } - $block_30 = { 48 ?? ?? ?? ?? 44 ?? ?? ?? 4C ?? ?? ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 85 } - $block_31 = { 89 ?? FF 7? ?? 68 ?? ?? ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 5? 5? 89 ?? ?? 3B ?? 0F 85 } - $block_32 = { 8B ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? 5? FF D? 5? 5? 85 ?? 0F 84 } - $block_33 = { 83 ?? ?? ?? ?? E8 ?? ?? ?? ?? 99 B9 ?? ?? ?? ?? F7 ?? 8B ?? ?? ?? ?? ?? 5? FF D? } - $block_34 = { 6A ?? 8D ?? ?? 5? 6A ?? 5? FF 7? ?? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 85 ?? 0F 85 } - $block_35 = { 41 ?? ?? 48 ?? ?? 41 ?? ?? 3B ?? 0F 4C ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? 74 } - $block_36 = { 48 ?? ?? ?? ?? ?? ?? ?? 44 ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 85 } - $block_37 = { 38 ?? ?? 0F 94 ?? ?? 8D ?? ?? 5? 8B ?? E8 ?? ?? ?? ?? 5? 89 ?? ?? 85 ?? 0F 85 } - $block_38 = { 8A ?? ?? 8B ?? ?? 21 ?? ?? 88 ?? ?? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? 84 ?? 0F 84 } - $block_39 = { 38 ?? ?? 0F 94 ?? ?? 8D ?? ?? 5? 8B ?? E8 ?? ?? ?? ?? 5? 89 ?? ?? 3B ?? 0F 85 } - $block_40 = { FF 7? ?? 5? 5? FF 7? ?? FF 7? ?? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 85 ?? 0F 85 } - $block_41 = { 6A ?? 8D ?? ?? 5? 8D ?? ?? 5? FF 1? ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 85 ?? 0F 84 } - $block_42 = { FF 7? ?? 68 ?? ?? ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 5? 5? 89 ?? ?? 85 ?? 0F 85 } - $block_43 = { 48 ?? ?? ?? 48 ?? ?? ?? FF 1? ?? ?? ?? ?? BF ?? ?? ?? ?? 85 ?? 0F 44 ?? 8B } - $block_44 = { 48 ?? ?? ?? 48 ?? ?? ?? FF 1? ?? ?? ?? ?? BB ?? ?? ?? ?? 85 ?? 0F 44 ?? 8B } - $block_45 = { FF 7? ?? 6A ?? FF 3? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 89 ?? ?? 3B ?? 0F 84 } - $block_46 = { FF 7? ?? 68 ?? ?? ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 5? 5? 8B ?? 3B ?? 0F 85 } - $block_47 = { 38 ?? ?? 0F 94 ?? FF 7? ?? 8D ?? ?? E8 ?? ?? ?? ?? 5? 8B ?? 85 ?? 0F 85 } - $block_48 = { 8B ?? ?? ?? 8B ?? ?? ?? E8 ?? ?? ?? ?? 
5? E8 ?? ?? ?? ?? 5? 84 ?? 0F 84 } - $block_49 = { 8D ?? ?? 5? 8B ?? ?? 4? 5? FF 1? ?? ?? ?? ?? 5? 5? 89 ?? ?? 85 ?? 0F 85 } - $block_50 = { 8B ?? ?? 83 ?? ?? 5? 8B ?? ?? 03 ?? 8B ?? E8 ?? ?? ?? ?? 5? 85 ?? 0F 84 } - $block_51 = { 48 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 45 ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 } - $block_52 = { 8B ?? ?? ?? ?? ?? 8D ?? ?? FF 1? ?? ?? ?? ?? 49 ?? ?? ?? 48 ?? ?? 0F 84 } - $block_53 = { 48 ?? ?? ?? ?? ?? ?? 33 ?? FF 1? ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? 0F 84 } - $block_54 = { 44 ?? ?? 48 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 85 } - $block_55 = { 8B ?? ?? 0F B7 ?? ?? 8B ?? 25 ?? ?? ?? ?? 03 ?? C1 ?? ?? 83 ?? ?? 74 } - $block_56 = { FF 7? ?? FF 7? ?? FF 7? ?? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 3B ?? 0F 84 } - $block_57 = { 6A ?? 8D ?? ?? 5? 8D ?? ?? 5? FF 1? ?? ?? ?? ?? 83 ?? ?? 3B ?? 0F 86 } - $block_58 = { 4C ?? ?? ?? BA ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? 0F 84 } - $block_59 = { FF 7? ?? 8D ?? ?? ?? 6A ?? E8 ?? ?? ?? ?? 8B ?? 5? 5? 3B ?? 0F 85 } - $block_60 = { 83 ?? ?? ?? 83 ?? ?? D1 ?? 0F B7 ?? 8D ?? ?? ?? 89 ?? ?? 85 ?? 74 } - $block_61 = { 5? 8B ?? 83 ?? ?? 5? 33 ?? 5? 8B ?? ?? 89 ?? 89 ?? ?? 39 ?? 0F 84 } - $block_62 = { 5? 8B ?? 83 ?? ?? 5? 8B ?? ?? 33 ?? 5? 89 ?? 89 ?? ?? 39 ?? 0F 84 } - $block_63 = { 8B ?? ?? E8 ?? ?? ?? ?? 8B ?? 5? 89 ?? ?? 89 ?? ?? 83 ?? ?? 0F 8C } - $block_64 = { 8B ?? 99 F7 ?? ?? 33 ?? 33 ?? 89 ?? ?? 89 ?? ?? 32 ?? 39 ?? ?? 7E } - $block_65 = { 8B ?? ?? 03 ?? ?? 5? 99 2B ?? 5? 8B ?? ?? 8B ?? D1 ?? 5? 3B ?? 7D } - $block_66 = { FF 7? ?? 6A ?? 8D ?? ?? E8 ?? ?? ?? ?? 5? 5? 89 ?? ?? 85 ?? 0F 85 } - $block_67 = { E8 ?? ?? ?? ?? 99 B9 ?? ?? ?? ?? F7 ?? 5? FF 1? ?? ?? ?? ?? EB } - $block_68 = { 68 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 5? 8B ?? 89 ?? ?? 85 ?? 0F 84 } - $block_69 = { 8B ?? ?? 8B ?? ?? 03 ?? 0F B7 ?? ?? BE ?? ?? ?? ?? 66 ?? ?? 75 } - $block_70 = { 5? 8B ?? A1 ?? ?? ?? ?? 83 ?? ?? 5? 5? 33 ?? 33 ?? 3B ?? 0F 84 } - $block_71 = { 8B ?? ?? 5? 8D ?? ?? E8 ?? ?? ?? ?? 5? 89 ?? ?? 85 ?? 
0F 85 } - $block_72 = { 2B ?? ?? ?? 0F B7 ?? 89 ?? ?? ?? 0F B7 ?? 3B ?? ?? ?? 0F 87 } - $block_73 = { 8B ?? ?? 5? 8D ?? ?? E8 ?? ?? ?? ?? 5? 89 ?? ?? 3B ?? 0F 85 } - $block_74 = { FF 7? ?? 6A ?? FF 3? ?? ?? ?? ?? FF D? 89 ?? ?? 3B ?? 0F 84 } - $block_75 = { 8B ?? ?? ?? E8 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 5? 84 ?? 0F 85 } - $block_76 = { 68 ?? ?? ?? ?? FF 7? ?? FF 1? ?? ?? ?? ?? 5? 5? 85 ?? 0F 85 } - $block_77 = { FF 7? ?? 8D ?? ?? E8 ?? ?? ?? ?? 5? 89 ?? ?? 85 ?? 0F 85 } - $block_78 = { 68 ?? ?? ?? ?? 6A ?? 5? FF D? A3 ?? ?? ?? ?? 85 ?? 0F 84 } - $block_79 = { E8 ?? ?? ?? ?? 99 B9 ?? ?? ?? ?? F7 ?? 8B ?? ?? 2B ?? 2B } - $block_80 = { 2B ?? ?? ?? C6 ?? ?? ?? ?? 69 ?? ?? ?? ?? ?? 3B ?? 0F 87 } - $block_81 = { FF 3? FF 7? ?? 5? FF 1? ?? ?? ?? ?? 83 ?? ?? B0 ?? C9 C3 } - $block_82 = { 5? 6A ?? 8D ?? ?? 5? 5? 5? FF 1? ?? ?? ?? ?? 3B ?? 0F 85 } - $block_83 = { FF 7? ?? A1 ?? ?? ?? ?? FF 5? ?? 8B ?? ?? 3B ?? ?? 0F 82 } - $block_84 = { 68 ?? ?? ?? ?? 5? FF D? 5? 5? 89 ?? ?? ?? 3B ?? 0F 84 } - $block_85 = { FF 3? FF 1? ?? ?? ?? ?? 8B ?? 5? 89 ?? ?? 85 ?? 0F 84 } - $block_86 = { FF 7? ?? 8D ?? ?? E8 ?? ?? ?? ?? 5? 8B ?? 3B ?? 0F 85 } - $block_87 = { FF 7? ?? 8D ?? ?? E8 ?? ?? ?? ?? 8B ?? 5? 85 ?? 0F 85 } - $block_88 = { FF 3? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? FF D? 85 ?? 0F 84 } - $block_89 = { 68 ?? ?? ?? ?? 5? FF D? 5? 5? 89 ?? ?? 3B ?? 0F 84 } - $block_90 = { 8D ?? ?? 6A ?? 5? E8 ?? ?? ?? ?? 5? 5? 84 ?? 0F 85 } - $block_91 = { FF 3? ?? ?? ?? ?? FF B? ?? ?? ?? ?? 39 ?? ?? 0F 85 } - $block_92 = { FF 0? 03 ?? 89 ?? 89 ?? ?? 89 ?? ?? 3B ?? ?? 0F 8C } - $block_93 = { 8B ?? ?? 2B ?? ?? 8D ?? ?? ?? ?? ?? 89 ?? ?? 0F 85 } - $block_94 = { 8D ?? ?? 5? 8D ?? ?? E8 ?? ?? ?? ?? 5? 85 ?? 0F 85 } - $block_95 = { FF 7? ?? 5? 5? FF D? 83 ?? ?? 89 ?? ?? 85 ?? 0F 85 } - $block_96 = { 5? 8D ?? ?? E8 ?? ?? ?? ?? 5? 89 ?? ?? 85 ?? 0F 85 } - $block_97 = { FF 3? ?? ?? ?? ?? FF 7? ?? FF D? 5? 5? 85 ?? 0F 85 } - $block_98 = { 2B ?? ?? ?? 69 ?? ?? ?? ?? ?? 3B ?? ?? ?? 0F 82 } - $block_99 = { C6 ?? ?? ?? 
?? 0F B7 ?? ?? 89 ?? ?? ?? 39 ?? 75 } - - condition: - hash.sha256(0, filesize) == "2dc0f9e08bde378e8fe4e408b1b5f4bbbeacb251901009f25189a5a41a53ab47" or - hash.sha256(0, filesize) == "e959e1fa1993f906cd1d8f014c82025b2eb77a67a3e0dc0f44be685700cdb76b" or - hash.sha256(0, filesize) == "d581b95b43c16407305f5d52631f044936b354ed921cb2efe8dfc9257960d2db" or - hash.sha256(0, filesize) == "995d2b3924d5f517a795c0acc392e3d47f07787f58c77bb42ac2248393533f16" or - hash.sha256(0, filesize) == "c3b85bc12c84b8d050e2b9f682df06d93ceaeb4a18480227358baa99f4989e47" or - 12 of them -} - -rule CarbonLoader_v3_81_ { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { 5? 8B ?? 83 ?? ?? 81 E? ?? ?? ?? ?? 5? 5? 33 ?? 5? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 5? 5? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 88 ?? ?? ?? E8 ?? ?? ?? ?? 33 ?? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 5? 5? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? E8 ?? ?? ?? ?? 33 ?? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 5? 5? 89 ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 5? 5? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 5? 5? E8 ?? ?? ?? ?? 33 ?? 83 ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 39 ?? ?? 0F 84 } - $block_1 = { 5? 8B ?? 81 E? ?? ?? ?? ?? 5? 33 ?? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? 5? 89 ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? 5? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 8D ?? ?? ?? ?? ?? 5? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_2 = { 0F B7 ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 5? 8D ?? ?? ?? 68 ?? ?? ?? ?? 5? FF D? 83 ?? ?? 6A ?? 8D ?? ?? ?? 5? 8D ?? ?? ?? 5? 8D ?? ?? ?? 5? 8D ?? ?? ?? 5? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 
5? 8D ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_3 = { 5? 8B ?? 83 ?? ?? 5? 5? 8B ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? FF D? 68 ?? ?? ?? ?? 8B ?? FF D? 83 ?? ?? 8B ?? 89 ?? ?? 85 ?? 0F 84 } - $block_4 = { 5? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? A3 ?? ?? ?? ?? 3B ?? 0F 84 } - $block_5 = { 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_6 = { 0F B7 ?? ?? ?? ?? ?? 66 ?? ?? ?? ?? ?? ?? ?? 83 ?? ?? 66 ?? ?? 75 } - - condition: - hash.sha256(0, filesize) == "0b90db3a69aa8cfab36a66cd5390f46c32e3d88d8fcaefce8cd9e00700e10b65" or - 7 of them -} - -rule ComRAT { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { 8B ?? ?? 8B ?? ?? 5? 68 ?? ?? ?? ?? 5? 5? E8 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 84 } - $block_1 = { 83 ?? ?? 5? 5? 5? 5? 8B ?? 68 ?? ?? ?? ?? 6A ?? 5? E8 ?? ?? ?? ?? 8B ?? ?? 83 ?? ?? 85 ?? 0F 84 } - $block_2 = { 66 ?? ?? ?? D1 ?? 66 ?? ?? ?? ?? ?? ?? ?? 66 ?? ?? 66 ?? ?? 83 ?? ?? 25 ?? ?? ?? ?? 0F B7 ?? 79 } - $block_3 = { 48 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? ?? 85 ?? 0F 85 } - $block_4 = { 33 ?? 44 ?? ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 3D ?? ?? ?? ?? 0F 8D } - $block_5 = { 5? 68 ?? ?? ?? ?? 6A ?? 5? 6A ?? 68 ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? ?? 0F 84 } - $block_6 = { 0F B7 ?? 89 ?? ?? 33 ?? 66 ?? ?? 5? 0F 95 ?? 5? 5? 5? 4? 83 ?? ?? 83 ?? ?? 0F B7 ?? 83 ?? ?? C3 } - $block_7 = { 3B ?? 89 ?? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? C6 ?? ?? ?? ?? C6 ?? ?? ?? ?? C6 ?? ?? ?? ?? 0F 84 } - $block_8 = { 8B ?? ?? ?? 8B ?? 0F B7 ?? 5? 5? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 5? E8 ?? ?? ?? ?? 83 } - $block_9 = { E8 ?? ?? ?? ?? 33 ?? F7 ?? 8B ?? 03 ?? 9B 8B ?? ?? 64 ?? ?? ?? ?? ?? ?? 5? 5? 5? 8B ?? 5? C2 } - $block_10 = { 6A ?? 5? 5? E8 ?? ?? ?? ?? 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? 81 F? ?? ?? ?? ?? 0F 8D } - $block_11 = { E8 ?? ?? ?? 
?? 99 B9 ?? ?? ?? ?? F7 ?? 80 C? ?? 88 ?? ?? ?? ?? ?? ?? 4? 81 F? ?? ?? ?? ?? 72 } - $block_12 = { 8B ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 5? 8B ?? ?? 8D ?? ?? ?? ?? ?? ?? 5? FF D? 3B ?? 0F 84 } - $block_13 = { 48 ?? ?? ?? ?? ?? ?? ?? 0F B6 ?? ?? ?? ?? ?? ?? 88 ?? ?? ?? 0F BE ?? ?? ?? ?? ?? ?? 85 ?? 75 } - $block_14 = { 8B ?? ?? ?? 33 ?? B9 ?? ?? ?? ?? 48 ?? ?? 89 ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? 39 ?? ?? ?? 0F 86 } - $block_15 = { 6A ?? 89 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 89 ?? ?? ?? 3B ?? 89 ?? ?? ?? 0F 84 } - $block_16 = { 0F B7 ?? 8B ?? 66 ?? ?? 66 ?? ?? 83 ?? ?? 66 ?? ?? C1 ?? ?? 83 ?? ?? 83 ?? ?? 0F B7 ?? 75 } - $block_17 = { 66 ?? ?? ?? ?? ?? ?? ?? 66 ?? ?? ?? 66 ?? ?? 66 ?? ?? 83 ?? ?? 25 ?? ?? ?? ?? 0F B7 ?? 79 } - $block_18 = { 6A ?? 5? 5? E8 ?? ?? ?? ?? FF 7? ?? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 3D ?? ?? ?? ?? 0F 8D } - $block_19 = { 8D ?? ?? 6A ?? 5? C7 ?? ?? ?? ?? ?? ?? FF D? 5? 8B ?? FF 1? ?? ?? ?? ?? 33 ?? 3B ?? 0F 84 } - $block_20 = { 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 8D ?? ?? 8B ?? 8B ?? ?? 5? 5? FF 5? ?? 85 ?? 0F 85 } - $block_21 = { 8B ?? ?? 5? FF 1? ?? ?? ?? ?? 8B ?? ?? 68 ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 } - $block_22 = { 89 ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 3B ?? 0F 84 } - $block_23 = { 8D ?? ?? ?? ?? ?? 5? 5? 8B ?? ?? ?? ?? ?? 8B ?? ?? FF D? 83 ?? ?? 89 ?? ?? 85 ?? 0F 85 } - $block_24 = { 8B ?? ?? ?? ?? ?? 8B ?? ?? 81 E? ?? ?? ?? ?? 5? 8D ?? ?? ?? 5? 5? FF D? 83 ?? ?? 0F 84 } - $block_25 = { 8D ?? ?? 8B ?? ?? 8D ?? ?? 8D ?? ?? 8D ?? ?? 8B ?? ?? ?? C1 ?? ?? 03 ?? 3B ?? 0F 8C } - $block_26 = { 8D ?? ?? 6A ?? 5? C7 ?? ?? ?? ?? ?? ?? FF D? 5? 8B ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_27 = { 0F B7 ?? ?? ?? ?? ?? ?? 0F B7 ?? ?? ?? 0F B7 ?? 33 ?? 5? C1 ?? ?? 5? 0B ?? 5? 5? C3 } - $block_28 = { 8B ?? ?? ?? 33 ?? 66 ?? ?? ?? 5? 0F 95 ?? 5? 5? 5? 4? 83 ?? ?? 83 ?? ?? 83 ?? ?? C3 } - $block_29 = { 8B ?? ?? 0F B7 ?? 33 ?? 89 ?? ?? ?? 89 ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? 66 ?? ?? 
74 } - $block_30 = { 0F B6 ?? ?? 0F B6 ?? ?? 83 ?? ?? 03 ?? 03 ?? C1 ?? ?? 0B ?? 0F BE ?? ?? ?? ?? ?? EB } - $block_31 = { 8D ?? ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 84 } - $block_32 = { 33 ?? 0F B7 ?? 8B ?? C1 ?? ?? 0B ?? B9 ?? ?? ?? ?? BF ?? ?? ?? ?? F3 ?? 33 ?? EB } - $block_33 = { 66 ?? ?? ?? ?? ?? ?? ?? 66 ?? ?? 66 ?? ?? 0F B7 ?? 0F B7 ?? C1 ?? ?? 0B ?? 5? C3 } - $block_34 = { 40 ?? 5? 41 ?? 48 ?? ?? ?? 49 ?? ?? 4C ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 } - $block_35 = { 68 ?? ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 89 ?? ?? ?? 0F 84 } - $block_36 = { 0F B7 ?? 8B ?? 5? 5? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 5? E8 ?? ?? ?? ?? 83 } - $block_37 = { 0F BE ?? ?? 5? 8D ?? ?? ?? 68 ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 8B ?? 83 ?? ?? 8D } - $block_38 = { 88 ?? 83 ?? ?? 6A ?? 5? E8 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 83 ?? ?? 3B ?? 0F 84 } - $block_39 = { E8 ?? ?? ?? ?? 8B ?? 8B ?? 0F AF ?? 4? 99 F7 ?? 4? 03 ?? 81 F? ?? ?? ?? ?? 7C } - $block_40 = { C6 ?? ?? ?? 5? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? C1 ?? ?? 8D ?? ?? 83 ?? ?? 0F 82 } - $block_41 = { 8D ?? ?? 5? 5? 8B ?? ?? ?? ?? ?? 8B ?? ?? FF D? 83 ?? ?? 89 ?? ?? 85 ?? 0F 85 } - $block_42 = { 8B ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? 8D ?? ?? 5? 5? FF D? 85 ?? 0F 85 } - $block_43 = { 8D ?? ?? ?? 5? 5? 89 ?? ?? ?? FF D? 5? 8B ?? FF 1? ?? ?? ?? ?? 3B ?? 0F 84 } - $block_44 = { E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8B ?? FF 1? ?? ?? ?? ?? 3D ?? ?? ?? ?? 0F 8D } - $block_45 = { 85 ?? C6 ?? ?? ?? ?? C6 ?? ?? ?? ?? C6 ?? ?? ?? ?? C6 ?? ?? ?? ?? 0F 84 } - $block_46 = { 0F B7 ?? ?? ?? ?? ?? ?? 66 ?? ?? 8D ?? ?? 81 E? ?? ?? ?? ?? 0F B7 ?? 79 } - $block_47 = { 5? 5? FF 1? ?? ?? ?? ?? 8B ?? ?? ?? 33 ?? 8D ?? ?? ?? 0F AF ?? 85 ?? 76 } - $block_48 = { 8D ?? ?? 5? 5? A1 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? FF D? 8B ?? 85 ?? 0F 84 } - $block_49 = { 81 E? ?? ?? ?? ?? 5? 5? 33 ?? 5? 68 ?? ?? ?? ?? 39 ?? ?? ?? ?? ?? 0F 85 } - $block_50 = { 68 ?? ?? ?? ?? 6A ?? 5? E8 ?? ?? ?? ?? 8B ?? ?? 83 ?? ?? 85 ?? 
0F 84 } - $block_51 = { 66 ?? ?? 66 ?? ?? 0F B7 ?? 0F B7 ?? 0F B7 ?? C1 ?? ?? 0B ?? 5? 5? C3 } - $block_52 = { 5? 8B ?? C1 ?? ?? 89 ?? ?? 0F B6 ?? ?? ?? 8B ?? 81 E? ?? ?? ?? ?? 79 } - $block_53 = { DF ?? ?? ?? DF ?? ?? ?? D8 ?? DC ?? ?? ?? ?? ?? DF ?? F6 ?? ?? 0F 85 } - $block_54 = { 8D ?? ?? 5? 5? 8B ?? ?? ?? ?? ?? 8B ?? ?? FF D? 83 ?? ?? 85 ?? 0F 85 } - $block_55 = { 8B ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_56 = { 48 ?? ?? 0F BE ?? ?? ?? 83 ?? ?? 88 ?? ?? ?? FF C? 89 ?? ?? ?? EB } - $block_57 = { BA ?? ?? ?? ?? D3 ?? 8B ?? ?? C1 ?? ?? 0F B7 ?? ?? 23 ?? 3B ?? 75 } - $block_58 = { 8A ?? ?? 0F BE ?? 34 ?? 03 ?? 88 ?? ?? 0F BE ?? 03 ?? 4? 3B ?? 72 } - $block_59 = { 5? 5? 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? FF D? 8B ?? 3B ?? 0F 84 } - $block_60 = { 8D ?? ?? 5? 8B ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 3B ?? 0F 84 } - $block_61 = { 8B ?? ?? ?? 83 ?? ?? C1 ?? ?? 8D ?? ?? 89 ?? ?? ?? 3B ?? 0F 86 } - $block_62 = { 68 ?? ?? ?? ?? FF 3? E8 ?? ?? ?? ?? 5? 5? 89 ?? ?? 3B ?? 0F 84 } - $block_63 = { 83 ?? ?? 6A ?? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 84 } - $block_64 = { 8B ?? ?? ?? ?? ?? 8D ?? ?? 5? 6A ?? 5? FF D? 83 ?? ?? 0F 85 } - $block_65 = { 8B ?? ?? ?? ?? ?? 8B ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 8E } - $block_66 = { 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 85 } - $block_67 = { 8D ?? ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 84 } - $block_68 = { 8B ?? ?? ?? 8D ?? ?? ?? 5? 5? 5? E8 ?? ?? ?? ?? 85 ?? 0F 84 } - $block_69 = { 8B ?? ?? ?? 5? 5? 5? 8D ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 } - $block_70 = { C7 ?? ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? 88 ?? ?? ?? 3B ?? 0F 85 } - $block_71 = { 8D ?? ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 83 ?? ?? 0F 85 } - $block_72 = { 68 ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 89 ?? ?? 0F 84 } - $block_73 = { 8B ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_74 = { A1 ?? ?? ?? ?? 8B ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 8E } - $block_75 = { 8D ?? ?? ?? ?? ?? ?? 5? FF 1? ?? ?? 
?? ?? 83 ?? ?? 0F 84 } - $block_76 = { C1 ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? 85 ?? 0F 86 } - $block_77 = { 5? A1 ?? ?? ?? ?? 8B ?? ?? FF D? 39 ?? ?? ?? ?? ?? 0F 85 } - $block_78 = { 5? E8 ?? ?? ?? ?? 8B ?? ?? 83 ?? ?? 5? 5? 5? 85 ?? 0F 84 } - $block_79 = { 68 ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 8B ?? 85 ?? 0F 84 } - $block_80 = { 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 } - $block_81 = { 8B ?? ?? 5? 5? 33 ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? C9 C3 } - $block_82 = { 4? C1 ?? ?? 8D ?? ?? ?? 0F B7 ?? 33 ?? 66 ?? ?? 0F 83 } - $block_83 = { 8B ?? ?? 64 ?? ?? ?? ?? ?? ?? 5? 5? 5? 83 ?? ?? C9 C3 } - $block_84 = { 2B ?? D1 ?? 8D ?? ?? 89 ?? ?? 0F B7 ?? ?? 89 ?? ?? E9 } - $block_85 = { 5? 6A ?? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 84 } - $block_86 = { 8B ?? ?? ?? ?? ?? ?? 8D ?? ?? 3D ?? ?? ?? ?? 0F 86 } - $block_87 = { 8B ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 39 ?? ?? ?? 0F 85 } - $block_88 = { 8B ?? ?? ?? 83 ?? ?? 89 ?? ?? ?? 3B ?? ?? ?? 0F 82 } - $block_89 = { 0F B7 ?? 66 ?? ?? ?? 66 ?? ?? 0F B7 ?? 66 ?? ?? 73 } - $block_90 = { 0F B6 ?? 83 ?? ?? C1 ?? ?? 4? 0F AF ?? 4? 85 ?? 75 } - $block_91 = { 83 ?? ?? 5? 8B ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 } - $block_92 = { 8D ?? ?? ?? ?? ?? ?? 6A ?? 5? FF D? 85 ?? 0F 84 } - $block_93 = { 6A ?? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 84 } - $block_94 = { 8D ?? ?? ?? 5? 5? FF 1? ?? ?? ?? ?? 3B ?? 0F 84 } - $block_95 = { 4? 99 2B ?? D1 ?? 8D ?? ?? 81 E? ?? ?? ?? ?? 79 } - $block_96 = { 4? 0F B7 ?? 0F B7 ?? C1 ?? ?? 33 ?? 85 ?? 0F 8E } - $block_97 = { 8B ?? ?? ?? ?? ?? ?? 0F BF ?? 66 ?? ?? ?? ?? 77 } - $block_98 = { 8B ?? 8B ?? 8B ?? ?? 0F B7 ?? ?? 66 ?? ?? ?? 74 } - $block_99 = { 8B ?? ?? ?? D1 ?? 8D ?? ?? ?? 8B ?? 3B ?? 
0F 83 } - - condition: - hash.sha256(0, filesize) == "be44044d4bfeb43a6ba5608fe911be7d83bee4faf2b13a16d9690c8ac5f62aa3" or - hash.sha256(0, filesize) == "bd865c5d092832d6b55484ec430440540d1bbb77c533fad21f10330b526aaca9" or - hash.sha256(0, filesize) == "5e0165b3af7f5d4ef0c6fcb62e53e4e408ffb290967a65f042442c7d638ceef7" or - hash.sha256(0, filesize) == "cfebcc3aa8217abaedcc856d7ec32d1d66398807819afd9902420f24959e27c6" or - hash.sha256(0, filesize) == "a1b2016cb9f9d9a57e1ce3465bdfa5b4e01674c85499a10c1545ab9e90fd32d4" or - hash.sha256(0, filesize) == "de8954dc69d3f3b5d1423479ef5f1054a9b0df9085b1926ca939a4d3d11c49ee" or - hash.sha256(0, filesize) == "e42b9c5df92299e17581c52972516b24d2ccc872d780f6d9ecc3af2b0683631d" or - hash.sha256(0, filesize) == "1fad246cb0a0a0cda8d77e8dd417a380d133229ffba6d38ed32edcc3718a39da" or - hash.sha256(0, filesize) == "02e218f14ca02878ed75183e42d79948a6d8c99495a09d9b1897f6bb70b84087" or - hash.sha256(0, filesize) == "37e8ae6d5fb27b003441d73a2dc995b5672d47a82ddb3d8751a31697f3d3fc9b" or - hash.sha256(0, filesize) == "80013a27dc3a51dffe6427745a09403d9680561bfc28548401fefb35e99c211d" or - hash.sha256(0, filesize) == "172072b2f5b2888fd3c9d3f28b1acb5f5bd57dc24ad8d2d1b62321b156b4cfdb" or - hash.sha256(0, filesize) == "0e0045d2c4bfff4345d460957a543e2e7f1638de745644f6bf58555c1d287286" or - hash.sha256(0, filesize) == "32395c102c5dbc7b881869c8d6c2bf949c02774acb4a785d41cb46ff878572e4" or - hash.sha256(0, filesize) == "d585936aac6120718be1582a393c35157422a2e83ba9f60d6ac1e68a39fb2dc9" or - hash.sha256(0, filesize) == "dd140d9bac962cdb91b00cb123f69e6b1fb55b94fb93591802fd45222357de86" or - hash.sha256(0, filesize) == "208f0339fb6cd0c2a10bda7e42deb9938ab279f56db28a017d27269dfc0802a8" or - hash.sha256(0, filesize) == "5a7f334d6580e95a692943a5c9d73e8ae2342927604ddc5839849c4f77804e39" or - hash.sha256(0, filesize) == "06b0bfbd69a2e2ee50d7066fe0a5261c85c32494557b6df1383038583902a1db" or - hash.sha256(0, filesize) == 
"a36a04fa6a23a6d6cc1be52e5f05c7f5802c5007bc9900e5c17f6d2c3e03afb8" or - hash.sha256(0, filesize) == "fa249ee039e0b2d41d27b8f3590a87c1abc65487fe55dea791f804ae5636d884" or - hash.sha256(0, filesize) == "a89f27758bb6e207477f92527b2174090012e2ac23dfc44cdf6effd539c15ada" or - hash.sha256(0, filesize) == "43871bb12c446a589eedcd8faae94d60734f595f04e52fc754b89d407249af21" or - hash.sha256(0, filesize) == "5ec8a86a0ab982d016153bd318602cfa2ee39c1f0a962c86168a5284afce169d" or - hash.sha256(0, filesize) == "08d69145a78f99ab04154aa5e80e9bd28835dade0b95017d5033a0fa6391b1e1" or - hash.sha256(0, filesize) == "dc68688aa61102f18b958346bcab167b22e307ecdf2bb05e05d5f19e8fc41f5b" or - hash.sha256(0, filesize) == "0977898deb6e5ebd16b1db80ff904a4818fe7ba8039b7f23f0fe329ade03d65b" or - hash.sha256(0, filesize) == "7759a16584847737c650b7051514c1aa58c957cbfaaa4bc609b288a87d55f2ce" or - hash.sha256(0, filesize) == "7923ead3971a6e8dd4df5c87f22fd3edcb78c48714fa19d01e900eeb10ae13fd" or - hash.sha256(0, filesize) == "a777049f779a7c42842568a681030305209b57cc93dc9604a48682df5e9429b6" or - hash.sha256(0, filesize) == "2a625986f5761b59ee4967ea5255e895a6cdd64763696bc7d378c609228d70b6" or - hash.sha256(0, filesize) == "bc90772a93b7a54645b3e3df205f59a98166df5245cbf86c4e3d417b15aa6bd3" or - hash.sha256(0, filesize) == "39a8cf3f2916daea03f8b8600e202725101b338a67fc4a7d1b9c48ff5239293f" or - hash.sha256(0, filesize) == "9c163c3f2bd5c5181147c6f4cf2571160197de98f496d16b38c7dc46b5dc1426" or - hash.sha256(0, filesize) == "9751b5c3645f33677e31aafd4ff04a8e61d529a30d2f324a4ea73a519599f5e2" or - hash.sha256(0, filesize) == "a7f9e42680cf6f46af48987384ea13aff9dd5df5835a9c214ee9697a63c3d8c9" or - hash.sha256(0, filesize) == "d932551bb748cafb13a5825233e24c2b1ba0b17098dddfe569943e431c45efe4" or - hash.sha256(0, filesize) == "60fd95d9b415ecd8d3e799f22b54e5fbd0117d22cf3fce172a65d05167715df8" or - hash.sha256(0, filesize) == "90876ed03885118da45bad0c5acccc8c5ce6940d6e239fe0ad254a996e9b1e97" or - hash.sha256(0, filesize) == 
"514b4db0717fb282f8071d55a75b387c053b6d183e2180f5f4e47c34b16d545d" or - hash.sha256(0, filesize) == "e5c187392b8376352880470a5068eeeb1a00926a9f06a5100a5d8426509291c6" or - hash.sha256(0, filesize) == "bb4ea71368dd7fed4f19cb64a51c9a21cf2e7e19111a2fccf161837a7ec97751" or - hash.sha256(0, filesize) == "d002e2eaee5a47af4f779e5210fd35cc1cb339efd6e9cebb57b233a7e9e62005" or - hash.sha256(0, filesize) == "300cb016ef9666bcc3672c2ee14a8516566a8c4982bdcac78501a9ad79e4e094" or - hash.sha256(0, filesize) == "0cf936dd2adcd6bf575b85e51961d72bbbf8b3d3f2db9e8e378ded5ec60c2f55" or - hash.sha256(0, filesize) == "87d4edd9d833a41b776bbbbb2ecde0513ae0aa3d228caf3c85d2298c9977e89f" or - hash.sha256(0, filesize) == "9d3c846d37eff281e30954ed0b7b52030574367b793330ff7e2eeced52ea68b4" or - hash.sha256(0, filesize) == "14f04ff36d4c571d2cc7e2fc0b31f9666d687c61d05d8646cf5e56b4240f5592" or - hash.sha256(0, filesize) == "bca6e6aa3bc8092e4b85f22a223fd67e80c1bd80afc9aa3fd9192338c8d9b982" or - hash.sha256(0, filesize) == "3a4a0c6585d160e42d40f3ba343af5d45469597d452ea311465029e115e470ae" or - hash.sha256(0, filesize) == "22350671a2b605351839a3e22437de71d58efbfce24a1b562bedc7e6f3c0154c" or - hash.sha256(0, filesize) == "b51aa5c5e8e783ef7a55f29205a989223f0ef8bfee47ab9274acf37e39f2834f" or - hash.sha256(0, filesize) == "5d2a8d367ea383a8cc3d4389a1858bb645cef2a2217c65f7fcf9d3eecb0e8255" or - hash.sha256(0, filesize) == "035e51a1575ecb21353166287530840b3c2c54c237acda4223f1c45e6b47d3b2" or - hash.sha256(0, filesize) == "4bc2a21aba604dc22af1322a661d8929587f558ab3ffe3d6cb946cadfe7f6570" or - hash.sha256(0, filesize) == "22b9f9bbddec318700f46ba778bb61f2bb07bd3560af98501b030ff7160db062" or - hash.sha256(0, filesize) == "a1d26fc17409a30ca48337306317863e8c4064e36c060158885322bb71dc9069" or - hash.sha256(0, filesize) == "e092a2ec64a264779ca8211483693789f4a1f14e42c2f65df15833583f964b81" or - hash.sha256(0, filesize) == "9c9d5540cd2902e941f34887ea546d214120d92ab0bbc1e38bbcc8805a5589d8" or - hash.sha256(0, filesize) == 
"193844bd22c37e2725927fa0bcddc199932f1dc3536b97da250b77ef68c66d63" or - hash.sha256(0, filesize) == "50067ebcc2d2069b3613a20b81f9d61f2cd5be9c85533c4ea34edbefaeb8a15f" or - hash.sha256(0, filesize) == "67a283a8ddd2ca7976e46010505a1c3ca699405bb9a77f7129c1ac8219995e5f" or - 12 of them -} - -rule KSL0TKeylogger { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { 68 ?? ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 0F B7 ?? ?? 5? 0F B7 ?? ?? 5? 0F B7 ?? ?? 5? 0F B7 ?? ?? 5? 0F B7 ?? ?? 5? 0F B7 ?? ?? 5? 0F B7 ?? ?? 5? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 03 ?? 5? 8D ?? ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 83 ?? ?? 68 ?? ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 03 ?? 5? 8D ?? ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? 8D ?? ?? 5? 5? FF 1? ?? ?? ?? ?? 8B ?? 68 ?? ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 83 ?? ?? 3B ?? 75 } - $block_1 = { 8D ?? ?? B8 ?? ?? ?? ?? F7 ?? C1 ?? ?? 6B ?? ?? 8D ?? ?? 8B ?? 2B ?? 0F B6 ?? ?? ?? ?? ?? 30 ?? ?? 8D ?? ?? B8 ?? ?? ?? ?? F7 ?? C1 ?? ?? 6B ?? ?? 8B ?? 2B ?? 0F B6 ?? ?? ?? ?? ?? 30 ?? ?? B8 ?? ?? ?? ?? F7 ?? C1 ?? ?? 6B ?? ?? 8B ?? 2B ?? 0F B6 ?? ?? ?? ?? ?? 30 ?? ?? 8D ?? ?? B8 ?? ?? ?? ?? F7 ?? C1 ?? ?? 6B ?? ?? 8B ?? 2B ?? 0F B6 ?? ?? ?? ?? ?? 8B ?? ?? ?? 30 ?? ?? 8D ?? ?? B8 ?? ?? ?? ?? F7 ?? C1 ?? ?? 6B ?? ?? 8B ?? 2B ?? 0F B6 ?? ?? ?? ?? ?? 8B ?? ?? ?? 30 ?? ?? 8D ?? ?? B8 ?? ?? ?? ?? F7 ?? C1 ?? ?? 6B ?? ?? 2B ?? 8A ?? ?? ?? ?? ?? 8B ?? ?? ?? 30 ?? ?? 83 ?? ?? 83 ?? ?? ?? ?? 0F 85 } - $block_2 = { 68 ?? ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 0F B7 ?? ?? 5? 0F B7 ?? ?? 5? 0F B7 ?? ?? 5? 0F B7 ?? ?? 5? 0F B7 ?? ?? 5? 0F B7 ?? ?? 5? 0F B7 ?? ?? 5? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 03 ?? 5? 8D ?? ?? ?? 
?? ?? 5? 68 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 83 ?? ?? FF 1? ?? ?? ?? ?? 8B ?? 68 ?? ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 03 ?? 5? 8D ?? ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 83 ?? ?? E9 } - $block_3 = { 8D ?? ?? B8 ?? ?? ?? ?? F7 ?? C1 ?? ?? 6B ?? ?? 8D ?? ?? 8B ?? 2B ?? 0F B6 ?? ?? ?? ?? ?? 30 ?? ?? 8D ?? ?? B8 ?? ?? ?? ?? F7 ?? C1 ?? ?? 6B ?? ?? 8B ?? 2B ?? 0F B6 ?? ?? ?? ?? ?? 30 ?? ?? B8 ?? ?? ?? ?? F7 ?? C1 ?? ?? 6B ?? ?? 8B ?? 2B ?? 0F B6 ?? ?? ?? ?? ?? 30 ?? ?? 8D ?? ?? B8 ?? ?? ?? ?? F7 ?? C1 ?? ?? 6B ?? ?? 8B ?? 2B ?? 0F B6 ?? ?? ?? ?? ?? 8B ?? ?? ?? 30 ?? ?? 8D ?? ?? B8 ?? ?? ?? ?? F7 ?? C1 ?? ?? 6B ?? ?? 2B ?? 8A ?? ?? ?? ?? ?? 8B ?? ?? ?? 30 ?? ?? 83 ?? ?? 83 ?? ?? ?? ?? 0F 85 } - $block_4 = { 8D ?? ?? B8 ?? ?? ?? ?? F7 ?? C1 ?? ?? 6B ?? ?? 8D ?? ?? 8B ?? 2B ?? 0F B6 ?? ?? ?? ?? ?? 30 ?? ?? 8D ?? ?? B8 ?? ?? ?? ?? F7 ?? C1 ?? ?? 6B ?? ?? 8B ?? 2B ?? 0F B6 ?? ?? ?? ?? ?? 30 ?? ?? B8 ?? ?? ?? ?? F7 ?? C1 ?? ?? 6B ?? ?? 8B ?? 2B ?? 0F B6 ?? ?? ?? ?? ?? 30 ?? ?? 8D ?? ?? B8 ?? ?? ?? ?? F7 ?? C1 ?? ?? 6B ?? ?? 2B ?? 8A ?? ?? ?? ?? ?? 8B ?? ?? ?? 30 ?? ?? 83 ?? ?? 83 ?? ?? ?? ?? 0F 85 } - $block_5 = { 0F B6 ?? ?? ?? ?? ?? 0F B6 ?? ?? ?? ?? ?? 30 ?? ?? ?? ?? ?? 0F B6 ?? ?? ?? ?? ?? 30 ?? ?? ?? ?? ?? 0F B6 ?? ?? ?? ?? ?? 0F B6 ?? ?? ?? ?? ?? 30 ?? ?? ?? ?? ?? 30 ?? ?? ?? ?? ?? 0F B6 ?? ?? ?? ?? ?? 30 ?? ?? ?? ?? ?? 30 ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? BF ?? ?? ?? ?? BB ?? ?? ?? ?? BD ?? ?? ?? ?? B8 ?? ?? ?? ?? 2B ?? 2B ?? 83 ?? ?? 2B ?? 89 ?? ?? ?? C7 } - $block_6 = { 5? FF 1? ?? ?? ?? ?? 5? 5? 6A ?? 8D ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? 5? FF 1? ?? ?? ?? ?? 5? 5? 8B ?? ?? 8B ?? 5? FF 1? ?? ?? ?? ?? 5? 5? FF 1? ?? ?? ?? ?? 5? 6A ?? 8B ?? 5? FF 1? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 68 ?? ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 0F B7 ?? ?? 5? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? } - $block_7 = { B8 ?? ?? ?? ?? F7 ?? C1 ?? ?? 6B ?? ?? 8B ?? 2B ?? 
0F B6 ?? ?? ?? ?? ?? 30 ?? ?? 8D ?? ?? 03 ?? B8 ?? ?? ?? ?? F7 ?? C1 ?? ?? 6B ?? ?? B8 ?? ?? ?? ?? 2B ?? 0F B6 ?? ?? 30 ?? ?? 83 ?? ?? 83 ?? ?? ?? ?? 75 } - $block_8 = { B8 ?? ?? ?? ?? F7 ?? C1 ?? ?? 6B ?? ?? 8B ?? 2B ?? 0F B6 ?? ?? ?? ?? ?? 30 ?? ?? 8D ?? ?? 03 ?? B8 ?? ?? ?? ?? F7 ?? C1 ?? ?? 6B ?? ?? 8B ?? 2B ?? 0F B6 ?? ?? ?? ?? ?? 30 ?? ?? 83 ?? ?? 83 ?? ?? ?? ?? 75 } - $block_9 = { 5? 8B ?? 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 ?? ?? ?? ?? ?? 5? 83 ?? ?? 5? 5? 5? A1 ?? ?? ?? ?? 31 ?? ?? 33 ?? 5? 8D ?? ?? 64 ?? ?? ?? ?? ?? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? 83 ?? ?? ?? 0F 85 } - - condition: - hash.sha256(0, filesize) == "4f724e8ecf781fe1c160581d7b35d1eb951f7abf079e7ec8aa79783ec44e9d1a" or - hash.sha256(0, filesize) == "13dcbab502b7a291c4e56396ea369729c57268c099c59fc76a1eb6eb9ed3f0b4" or - hash.sha256(0, filesize) == "3b7060063814ff7dbdda98b30d35282a5686e0b965e79ee89b1d9d279b5c125a" or - hash.sha256(0, filesize) == "740b27fc5552e5ac3c3655e9c598ed5711cfce442cc64e39af7dca8c468aad09" or - hash.sha256(0, filesize) == "800fa6a256a1c026a905ccd650d818929e749bbae1129d309f40c7227449450c" or - 10 of them -} - -rule MosquitoInstaller { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { 8B ?? ?? C1 ?? ?? 89 ?? ?? 8B ?? ?? 33 ?? ?? 89 ?? ?? 8B ?? ?? 0B ?? ?? 81 F? ?? ?? ?? ?? 0F 84 } - $block_1 = { 8B ?? ?? 0B ?? ?? 89 ?? ?? 8B ?? ?? C1 ?? ?? 89 ?? ?? 8B ?? ?? 0F AF ?? ?? 3D ?? ?? ?? ?? 0F 84 } - $block_2 = { 8B ?? ?? 0B ?? ?? 89 ?? ?? 8B ?? ?? C1 ?? ?? 89 ?? ?? 8B ?? ?? C1 ?? ?? 81 F? ?? ?? ?? ?? 0F 85 } - $block_3 = { E8 ?? ?? ?? ?? 10 ?? 00 ?? ?? 6C 65 ?? 06 8B ?? 01 ?? 8B ?? 8B ?? ?? 3D ?? ?? ?? ?? 84 ?? ?? 75 } - $block_4 = { 08 ?? ?? ?? ?? ?? F7 ?? 4? 4? FF C? FF 7? ?? 3A ?? 80 7? ?? ?? CC CC CC CC CC CC CC CC CC CC CC } - $block_5 = { 8B ?? ?? 0B ?? ?? 89 ?? ?? 8B ?? ?? C1 ?? ?? 89 ?? ?? 8B ?? ?? 0B ?? ?? 81 F? ?? ?? ?? ?? 0F 85 } - $block_6 = { 5? 68 ?? ?? ?? ?? 10 ?? ?? 68 ?? ?? ?? ?? 4? 61 68 ?? ?? ?? ?? 8B ?? 
5? 85 ?? 8C ?? ?? 00 ?? E9 } - $block_7 = { 8B ?? ?? 03 ?? ?? BA ?? ?? ?? ?? 6B ?? ?? 0F B7 ?? ?? 8B ?? ?? 0F B7 ?? ?? ?? ?? ?? ?? 3B ?? 75 } - $block_8 = { 8B ?? ?? 03 ?? ?? 89 ?? ?? 8B ?? ?? C1 ?? ?? 89 ?? ?? 8B ?? ?? 23 ?? ?? 81 F? ?? ?? ?? ?? 0F 86 } - $block_9 = { F1 C4 ?? ?? 85 ?? ?? ?? 00 ?? ?? 00 ?? ?? ?? ?? ?? 20 ?? FF 0? 4? 00 ?? ?? FF B? ?? ?? ?? ?? 72 } - $block_10 = { 8B ?? ?? C1 ?? ?? 89 ?? ?? 8B ?? ?? 03 ?? ?? 89 ?? ?? 8B ?? ?? C1 ?? ?? 81 F? ?? ?? ?? ?? 0F 83 } - $block_11 = { EC 07 80 8? ?? ?? ?? ?? ?? 5? 5? 5? 8B ?? ?? ?? ?? ?? CC FF 1? ?? ?? ?? ?? 24 ?? 8B ?? 5? 5? 79 } - $block_12 = { EC 83 ?? ?? 83 ?? ?? 83 ?? ?? ?? 33 ?? 8B ?? ?? 5? 5? 8D ?? ?? ?? AB AB AB 8B ?? ?? 3B ?? ?? 72 } - $block_13 = { 8B ?? 5? 8B ?? 83 ?? ?? 5? 5? 5? 33 ?? 89 ?? ?? 8B ?? 89 ?? ?? 8B ?? 8B ?? 89 ?? ?? 85 ?? 0F 84 } - $block_14 = { F8 10 ?? ?? ?? ?? ?? 63 ?? 00 ?? ?? ?? ?? ?? 8B ?? 4? 08 ?? E8 ?? ?? ?? ?? 10 ?? 5? 5? EC 5? 74 } - $block_15 = { FF 5? ?? E8 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 4? FF 4? ?? 08 ?? 8D ?? ?? ?? 02 ?? 9D 4? 16 02 ?? E9 } - $block_16 = { 69 ?? ?? ?? ?? ?? ?? 0F 74 ?? ?? 00 ?? ?? 4? 08 ?? ?? 89 ?? ?? 88 ?? ?? ?? ?? ?? 00 ?? ?? C9 74 } - $block_17 = { 00 ?? ?? 5? 4? 24 ?? E8 ?? ?? ?? ?? 00 ?? ?? 0F 20 ?? 8D ?? ?? ?? ?? ?? 00 ?? ?? ?? 85 ?? 0F 85 } - $block_18 = { 15 ?? ?? ?? ?? 00 ?? ?? 4? 6C 00 ?? E8 ?? ?? ?? ?? 00 ?? ?? 5? CE E8 ?? ?? ?? ?? CC 8B ?? ?? 79 } - $block_19 = { 4? C0 ?? ?? ?? ?? C9 00 ?? ?? ?? ?? ?? 4? FC 07 8B ?? ?? 10 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 70 } - $block_20 = { CC B8 ?? ?? ?? ?? FF 7? ?? ?? 9D 4? 5? FF F? 0F 10 ?? ?? ?? ?? ?? 5? FF 8? ?? ?? ?? ?? FF C? 74 } - $block_21 = { 8B ?? 5? 8B ?? 83 ?? ?? 83 ?? ?? ?? 33 ?? 5? 5? 8D ?? ?? 89 ?? ?? AB AB AB 8B ?? ?? 85 ?? 75 } - $block_22 = { 8B ?? ?? 23 ?? ?? 89 ?? ?? 8B ?? ?? 0B ?? ?? 89 ?? ?? 8B ?? ?? C1 ?? ?? 3D ?? ?? ?? ?? 0F 84 } - $block_23 = { 8B ?? 04 ?? 00 ?? 6F 62 ?? ?? 68 ?? ?? ?? ?? 3F 4? 29 ?? 68 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 72 } - $block_24 = { 8B ?? ?? 0B ?? ?? 89 ?? ?? 
8B ?? ?? 03 ?? ?? 89 ?? ?? 8B ?? ?? C1 ?? ?? 3D ?? ?? ?? ?? 0F 83 } - $block_25 = { 89 ?? 61 F6 ?? ?? 6A ?? 00 ?? ?? FF 8? ?? ?? ?? ?? 3C ?? 00 ?? 8D ?? ?? ?? ?? ?? 00 ?? ?? 74 } - $block_26 = { 63 ?? ?? 89 ?? ?? ?? ?? ?? FF 8? ?? ?? ?? ?? 8B ?? 0E 00 ?? ?? ?? ?? ?? 15 ?? ?? ?? ?? 0F 85 } - $block_27 = { EC 83 ?? ?? ?? 15 ?? ?? ?? ?? 8B ?? 24 ?? 00 ?? ?? ?? FF 5? ?? 14 ?? C9 FF C? FF 5? ?? 4? EF } - $block_28 = { 8D ?? ?? ?? ?? ?? 8B ?? ?? 5? FF 0? 65 ?? ?? 6A ?? 83 ?? ?? ?? 33 ?? 16 02 ?? ?? ?? ?? ?? 14 } - $block_29 = { 00 ?? ?? B8 ?? ?? ?? ?? 5? FF 0? 00 ?? ?? ?? ?? ?? FC C0 ?? ?? ?? 00 ?? 00 ?? ?? 00 ?? 5? 72 } - $block_30 = { FF 9? ?? ?? ?? ?? FF 0? 8D ?? ?? A1 ?? ?? ?? ?? 5? 8B ?? CC CC 13 ?? ?? 8B ?? ?? 00 ?? ?? 75 } - $block_31 = { 3C ?? 65 ?? ?? ?? ?? ?? ?? 5? 8B ?? ?? 85 ?? 0F 33 F6 ?? ?? EC 83 ?? ?? 8B ?? ?? 8B ?? ?? 72 } - $block_32 = { 8B ?? 8B ?? 8B ?? 5? E8 ?? ?? ?? ?? 01 ?? 8D ?? ?? 08 ?? ?? FC 8B ?? ?? 89 ?? ?? ?? ?? ?? 89 } - $block_33 = { 4? FC 85 ?? C7 ?? ?? ?? ?? ?? ?? 0F 67 ?? 6C 00 ?? 6B ?? ?? ?? 24 ?? 0C ?? 02 ?? ?? 5? FF 5? } - $block_34 = { 64 ?? ?? 8B ?? ?? ?? ?? ?? 5? 00 ?? ?? E8 ?? ?? ?? ?? 5? FF 0? 00 ?? ?? 4? F8 83 ?? ?? FF 2? } - $block_35 = { 00 ?? 68 ?? ?? ?? ?? 30 ?? 63 ?? 69 ?? ?? ?? ?? ?? ?? 6E 8B ?? 69 ?? ?? ?? ?? ?? 00 ?? 74 } - $block_36 = { 61 9? 10 ?? 00 ?? 29 ?? ?? 4? 6F EC 8B ?? ?? EC 8B ?? 9? 00 ?? ?? 24 ?? E8 ?? ?? ?? ?? 70 } - $block_37 = { E8 ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? 00 ?? ?? FC 33 ?? 33 ?? 3F 4? 10 ?? ?? 5? F3 ?? ?? 5? 73 } - $block_38 = { 68 ?? ?? ?? ?? 24 ?? 4? FC F4 05 ?? ?? ?? ?? 29 ?? 61 63 ?? 04 ?? 69 ?? ?? ?? ?? ?? ?? 5? } - $block_39 = { 0E 00 ?? ?? 01 ?? 89 ?? ?? 8D ?? ?? 89 ?? ?? ?? ?? ?? 00 ?? ?? F8 63 ?? 5? 5? 00 ?? ?? 74 } - $block_40 = { CC CC CC CC CC CC CC CC CC CC CC CC 8B ?? 5? 8B ?? 5? 5? 8B ?? 33 ?? 5? 8B ?? 85 ?? 0F 84 } - $block_41 = { 30 ?? 8D ?? ?? 00 ?? 5? 5? 8D ?? ?? ?? ?? ?? CC B8 ?? ?? ?? ?? FF 0? 00 ?? ?? ?? ?? ?? 75 } - $block_42 = { 5? 5? F6 ?? ?? 00 ?? D6 8B ?? 85 ?? 4? 24 ?? 
65 ?? ?? ?? ?? 02 ?? 8B ?? ?? 85 ?? 8B ?? 75 } - $block_43 = { F6 ?? ?? 4? FF 0? 61 FF 1? ?? ?? ?? ?? 07 8B ?? ?? ?? ?? ?? 5? 0E 00 ?? 83 ?? ?? 14 ?? 79 } - $block_44 = { FF C? F4 05 ?? ?? ?? ?? 8B ?? ?? 8B ?? ?? 5? 5? 4? 4? 69 ?? ?? ?? ?? ?? ?? CC 63 ?? 74 } - $block_45 = { 03 ?? ?? ?? ?? ?? E4 ?? 4? FC E8 ?? ?? ?? ?? 8B ?? 5? 89 ?? ?? C6 ?? ?? ?? 85 ?? 74 } - $block_46 = { EC 00 ?? 8D ?? ?? 24 ?? 00 ?? ?? 6E 61 2E ?? BC ?? ?? ?? ?? 04 ?? 24 ?? 2F 13 ?? 74 } - $block_47 = { 5? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 01 ?? 13 ?? ?? 3D ?? ?? ?? ?? 24 ?? 8B ?? 61 74 } - $block_48 = { 6C 65 ?? 8B ?? FF 5? ?? 00 ?? ?? E8 ?? ?? ?? ?? 8D ?? ?? F4 24 ?? FF 0? 20 ?? ?? 74 } - $block_49 = { 0C ?? 0E F0 ?? ?? E8 ?? ?? ?? ?? 8B ?? 89 ?? ?? 8B ?? ?? 6A ?? 83 ?? ?? 5? 3B ?? 76 } - $block_50 = { 00 ?? ?? 1C ?? 8B ?? ?? 00 ?? ?? B8 ?? ?? ?? ?? FF 5? ?? 8B ?? ?? EC 8B ?? ?? 70 } - $block_51 = { 01 ?? ?? ?? 6F 02 ?? FB FF 7? ?? 00 ?? 8B ?? 00 ?? ?? 00 ?? ?? ?? 5? 00 ?? ?? 72 } - $block_52 = { FB FF 5? ?? C6 ?? ?? ?? FF 7? ?? 00 ?? ?? 00 ?? ?? 6F 61 69 ?? ?? ?? ?? ?? ?? 70 } - $block_53 = { 8B ?? ?? 8D ?? ?? 8B ?? ?? 8B ?? ?? 89 ?? ?? A5 C7 ?? ?? ?? ?? ?? ?? A5 A5 A5 } - $block_54 = { FB FF 6? ?? ?? 24 ?? 68 ?? ?? ?? ?? 64 ?? ?? 6E 8D ?? ?? ?? ?? ?? 13 ?? ?? 74 } - $block_55 = { 6E 64 ?? ?? ?? E8 ?? ?? ?? ?? 13 ?? ?? 10 ?? ?? ?? 6D 6D 00 ?? ?? ?? ?? ?? 74 } - $block_56 = { 8B ?? 6F 6E 5? FF 5? ?? 05 ?? ?? ?? ?? 20 ?? E8 ?? ?? ?? ?? FF 6? ?? 8B ?? 10 } - $block_57 = { F6 ?? 6A ?? 24 ?? 8B ?? ?? 85 ?? A5 A5 9? 10 ?? 3A ?? ?? 33 ?? 00 ?? 5? 5? 6D } - $block_58 = { 00 ?? 4? 4? 61 08 ?? 00 ?? F6 ?? ?? ?? 08 ?? 9? 10 ?? 00 ?? ?? ?? ?? ?? E9 } - $block_59 = { 00 ?? 00 ?? ?? 00 ?? ?? 02 ?? C8 ?? ?? ?? BC ?? ?? ?? ?? 04 ?? 6C 63 ?? 74 } - $block_60 = { 29 ?? 00 ?? 00 ?? ?? ?? ?? ?? 84 ?? ?? 6C 8B ?? 04 ?? 00 ?? ?? 85 ?? FF 6? } - $block_61 = { 4? 4? 10 ?? ?? 1C ?? 05 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? FB 2E ?? 61 74 } - $block_62 = { 8D ?? ?? ?? ?? ?? ?? FC 13 ?? ?? 5? F4 05 ?? ?? ?? ?? C0 ?? ?? ?? 
?? 75 } - $block_63 = { 5? 3A ?? 5? 8B ?? EC 8B ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? 65 ?? ?? ?? 00 } - $block_64 = { 00 ?? 00 ?? 65 ?? ?? 00 ?? ?? 00 ?? FF 6? ?? 63 ?? 6A ?? 3A ?? CC 6F 70 } - $block_65 = { 8B ?? 0C ?? 6F 6D 00 ?? ?? 8B ?? 01 ?? 01 ?? 4? 4? 00 ?? ?? ?? ?? ?? 70 } - $block_66 = { 2F 4? 65 ?? ?? ?? ?? ?? ?? 5? 3A ?? ?? 64 ?? 5? 5? BC ?? ?? ?? ?? 6F 63 } - $block_67 = { 8B ?? ?? C1 ?? ?? 89 ?? ?? 8B ?? ?? C1 ?? ?? 81 F? ?? ?? ?? ?? 0F 86 } - $block_68 = { 8B ?? ?? 6A ?? 5? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 84 } - $block_69 = { 04 ?? 4? 04 ?? 4? 04 ?? 5? 04 ?? 05 ?? ?? ?? ?? 0E 8B ?? ?? 3B ?? 75 } - $block_70 = { 8B ?? ?? 03 ?? ?? 89 ?? ?? 8B ?? ?? C1 ?? ?? 81 F? ?? ?? ?? ?? 0F 83 } - $block_71 = { 6D 6D 00 ?? ?? 00 ?? ?? ?? ?? ?? 00 ?? ?? ?? 20 ?? 20 ?? ?? 0C ?? 74 } - $block_72 = { 02 ?? 2F 62 ?? ?? 10 ?? 8B ?? 20 ?? 2E ?? ?? 85 ?? 6F 6E 0C ?? 6D } - $block_73 = { 4? 61 10 ?? 08 ?? 4? 61 00 ?? ?? ?? 5? 24 ?? 5? 00 ?? 00 ?? ?? 20 } - $block_74 = { 8B ?? ?? C1 ?? ?? 89 ?? ?? 8B ?? ?? 0B ?? ?? 3D ?? ?? ?? ?? 0F 84 } - $block_75 = { CC 00 ?? ?? ?? ?? ?? 10 ?? ?? ?? ?? ?? 06 8B ?? ?? ?? ?? ?? 61 74 } - $block_76 = { FD FF 0? C6 ?? ?? 3F 4? 00 ?? ?? 15 ?? ?? ?? ?? 5? 61 63 ?? ?? 70 } - $block_77 = { 8B ?? ?? 33 ?? 6B ?? ?? 03 ?? 8B ?? AB AB AB AB AB 5? 85 ?? 74 } - $block_78 = { 8B ?? ?? C1 ?? ?? 89 ?? ?? 8B ?? ?? 8B ?? ?? 83 ?? ?? ?? 0F 84 } - $block_79 = { A5 6C 65 ?? ?? 00 ?? ?? 4? 69 ?? ?? ?? ?? ?? ?? ?? 00 ?? ?? 84 } - $block_80 = { 24 ?? 69 ?? ?? ?? ?? ?? 8B ?? ?? 00 ?? ?? 00 ?? ?? A5 A5 61 72 } - $block_81 = { 6A ?? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 } - $block_82 = { 5? 8B ?? ?? ?? FF 5? ?? 61 69 ?? ?? ?? ?? ?? ?? ?? ?? ?? 2F } - $block_83 = { F7 ?? ?? ?? ?? ?? 6A ?? 4? 06 8B ?? ?? ?? ?? ?? 01 ?? ?? C2 } - $block_84 = { 24 ?? 08 ?? ?? ?? ?? ?? 01 ?? 2F 00 ?? 6A ?? 6C CC 8B ?? 8D } - $block_85 = { 10 ?? ?? 00 ?? 4? 00 ?? 8D ?? 2F 5? 61 63 ?? 08 ?? ?? FF 6? } - $block_86 = { 8B ?? ?? 8D ?? ?? ?? 8B ?? ?? 89 ?? ?? ?? 
A5 A5 A5 A5 33 } - $block_87 = { FC E8 ?? ?? ?? ?? 8B ?? 5? 89 ?? ?? C6 ?? ?? ?? 85 ?? 74 } - $block_88 = { FF C? 3D ?? ?? ?? ?? 6D 08 ?? ?? ?? ?? ?? 29 ?? 33 ?? 70 } - $block_89 = { 8B ?? 5? 8B ?? 5? 5? 8B ?? 33 ?? 5? 8B ?? 85 ?? 0F 84 } - $block_90 = { 69 ?? ?? ?? ?? ?? ?? 5? 0C ?? 65 ?? ?? 2E ?? ?? 6F 72 } - $block_91 = { 8B ?? ?? 0F AF ?? ?? 89 ?? ?? C7 ?? ?? ?? ?? ?? ?? EB } - $block_92 = { 00 ?? 3D ?? ?? ?? ?? 4? 1C ?? 00 ?? 4? 08 ?? ?? 06 70 } - $block_93 = { FF 8? ?? ?? ?? ?? 00 ?? ?? 08 ?? ?? 5? 5? F7 ?? 6F 72 } - $block_94 = { 00 ?? ?? ?? ?? ?? 00 ?? ?? 61 10 ?? 5? 4? 3A ?? 06 8B } - $block_95 = { 8B ?? ?? 5? 5? 5? 8B ?? FF 5? ?? 8B ?? 85 ?? 0F 88 } - $block_96 = { 0F B7 ?? ?? 0F B7 ?? ?? 66 ?? ?? 0F 92 ?? 84 ?? 75 } - $block_97 = { CC CC CC 8B ?? 5? 8B ?? 83 ?? ?? 8B ?? ?? 5? 5? 75 } - $block_98 = { 6D 62 ?? ?? 5? 24 ?? 6C 00 ?? 61 6E 8B ?? ?? 72 } - $block_99 = { 69 ?? ?? ?? ?? ?? F7 ?? FF 1? ?? 08 ?? ?? CC 72 } - - condition: - hash.sha256(0, filesize) == "b362b235539b762734a1833c7e6c366c1b46474f05dc17b3a631b3bff95a5eec" or - hash.sha256(0, filesize) == "2e6dba522e5ca03c5ca5bc60ecec212177482898c7ec81a0871b19a67cf124e8" or - hash.sha256(0, filesize) == "f667680df596631fba58754c16c3041fae12ed6bf25d6068e6981ee68a6c9d0a" or - hash.sha256(0, filesize) == "fc9961e78890f044c5fc769f74d8440fcecf71e0f72b4d33ce470e920a4a24c3" or - hash.sha256(0, filesize) == "2a61b4d0a7c5d7dc13f4f1dd5e0e3117036a86638dbafaec6ae96da507fb7624" or - hash.sha256(0, filesize) == "ecfa113838c5542f6db62dbe8b27d4ff099afe711048ccf76924799044dd4ab6" or - hash.sha256(0, filesize) == "5e0dd729c21cd507bdb2a40954917685628f83171280bd34120cfe20c51ce4bf" or - hash.sha256(0, filesize) == "b295032919143f5b6b3c87ad22bcf8b55ecc9244aa9f6f88fc28f36f5aa2925e" or - 12 of them -} - -rule CarbonOrchestrator_v3_77_ { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { 8B ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? E8 ?? ?? ?? ?? 0F B6 ?? 
85 ?? 74 } - $block_1 = { E8 ?? ?? ?? ?? 99 B9 ?? ?? ?? ?? F7 ?? 8B ?? 48 ?? ?? ?? ?? 8B ?? ?? 2B ?? 8B ?? 89 ?? ?? ?? EB } - $block_2 = { 4C ?? ?? ?? ?? 88 ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 0F B6 ?? ?? ?? ?? ?? ?? 85 ?? 74 } - $block_3 = { C7 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 0F B6 ?? 88 ?? ?? ?? 0F B6 ?? ?? ?? 3D ?? ?? ?? ?? 0F 85 } - $block_4 = { 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? ?? ?? 0F BE ?? ?? 83 ?? ?? 75 } - $block_5 = { 0F B7 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? FF 9? ?? ?? ?? ?? 48 ?? ?? ?? ?? 66 ?? ?? ?? EB } - $block_6 = { 48 ?? ?? ?? ?? ?? ?? ?? 0F B7 ?? 33 ?? B9 ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? EB } - $block_7 = { 48 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? 85 ?? 75 } - $block_8 = { 4C ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 } - $block_9 = { 8B ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? 0F 84 } - $block_10 = { 0F BE ?? ?? ?? BA ?? ?? ?? ?? 8B ?? E8 ?? ?? ?? ?? 88 ?? ?? ?? 0F B6 ?? ?? ?? 83 ?? ?? 7C } - $block_11 = { 48 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 0F B7 ?? ?? 3D ?? ?? ?? ?? 75 } - $block_12 = { 41 ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? 85 ?? 75 } - $block_13 = { 48 ?? ?? ?? ?? ?? ?? ?? 0F B6 ?? ?? 88 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 75 } - $block_14 = { 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 0F B6 ?? ?? 88 ?? ?? ?? 8B ?? ?? ?? FF C? 89 ?? ?? ?? C7 } - $block_15 = { 8B ?? ?? ?? 44 ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 } - $block_16 = { 8B ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? E8 ?? ?? ?? ?? 0F B6 ?? 85 ?? 74 } - $block_17 = { 48 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 88 ?? ?? ?? ?? ?? ?? 0F B6 ?? ?? ?? ?? ?? ?? 85 ?? 74 } - $block_18 = { 48 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 0F BE ?? ?? ?? 83 ?? ?? 74 } - $block_19 = { 48 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? 
E8 ?? ?? ?? ?? 89 ?? ?? ?? 83 ?? ?? ?? ?? 0F 85 } - $block_20 = { 48 ?? ?? ?? ?? ?? ?? ?? 0F B7 ?? 33 ?? B9 ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? ?? ?? 73 } - $block_21 = { 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 83 ?? ?? 0F 84 } - $block_22 = { 0F BF ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 89 ?? C7 ?? ?? ?? ?? ?? ?? ?? EB } - $block_23 = { 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 89 ?? ?? ?? 83 ?? ?? ?? ?? 0F 85 } - $block_24 = { 0F BF ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 89 ?? C7 ?? ?? ?? ?? ?? ?? ?? E9 } - $block_25 = { 33 ?? 48 ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? ?? 83 ?? ?? ?? ?? 0F 85 } - $block_26 = { FF 1? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 81 B? ?? ?? ?? ?? ?? ?? ?? ?? ?? 0F 85 } - $block_27 = { 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 0F 84 } - $block_28 = { 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 0F 85 } - $block_29 = { 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? ?? 83 ?? ?? ?? ?? 0F 85 } - $block_30 = { 48 ?? ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 0F B6 ?? ?? ?? ?? ?? ?? 83 ?? ?? 75 } - $block_31 = { 48 ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? 83 ?? ?? 0F 85 } - $block_32 = { B2 ?? 48 ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? ?? 0F 85 } - $block_33 = { 0F BE ?? ?? ?? 8B ?? 48 ?? ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 74 } - $block_34 = { 48 ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? 39 ?? ?? 0F 85 } - $block_35 = { 48 ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 0F B7 ?? ?? 85 ?? 74 } - $block_36 = { 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 } - $block_37 = { 0F B7 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? FF 9? ?? ?? ?? ?? 66 ?? ?? ?? ?? EB } - $block_38 = { 0F B6 ?? ?? ?? B9 ?? ?? ?? ?? 2B ?? 8B ?? 0F B6 ?? ?? ?? 03 ?? 8B ?? 88 } - $block_39 = { 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 8B ?? ?? 8B ?? ?? 2B ?? 3B ?? ?? ?? 0F 87 } - $block_40 = { 8B ?? ?? ?? ?? ?? ?? FF C? 48 ?? 
48 ?? ?? ?? ?? 0F BE ?? ?? 85 ?? 75 } - $block_41 = { 48 ?? ?? ?? ?? 8B ?? ?? 99 83 ?? ?? 03 ?? C1 ?? ?? 39 ?? ?? ?? 7E } - $block_42 = { 0F BE ?? ?? ?? 8B ?? 48 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 74 } - $block_43 = { 8B ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? 2B ?? 8B ?? 3D ?? ?? ?? ?? 0F 8C } - $block_44 = { 0F B7 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 8B ?? ?? ?? 39 ?? ?? ?? 77 } - $block_45 = { 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 0F 84 } - $block_46 = { 8B ?? ?? ?? FF C? 89 ?? ?? ?? 0F B7 ?? ?? ?? 39 ?? ?? ?? 0F 83 } - $block_47 = { B2 ?? 48 ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? 85 ?? 75 } - $block_48 = { 48 ?? ?? ?? ?? 0F B6 ?? 88 ?? ?? ?? 0F B6 ?? ?? ?? 83 ?? ?? 75 } - $block_49 = { 0F B6 ?? ?? ?? ?? ?? ?? 88 ?? ?? ?? 0F B6 ?? ?? ?? 85 ?? 0F 84 } - $block_50 = { 0F B7 ?? ?? ?? ?? ?? ?? 0F B7 ?? ?? ?? ?? ?? ?? 3B ?? 0F 85 } - $block_51 = { 48 ?? ?? ?? ?? ?? ?? ?? 8B ?? ?? 39 ?? ?? ?? ?? ?? ?? 0F 83 } - $block_52 = { 8B ?? ?? ?? FF C? 48 ?? 48 ?? ?? ?? ?? 0F BE ?? ?? 85 ?? 75 } - $block_53 = { 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 0F 84 } - $block_54 = { 48 ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? 83 ?? ?? 75 } - $block_55 = { 8B ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? 2B ?? 8B ?? 85 ?? 0F 85 } - $block_56 = { 0F B7 ?? ?? ?? ?? ?? ?? 0F B7 ?? ?? ?? ?? ?? ?? 3B ?? 75 } - $block_57 = { 0F B7 ?? ?? ?? ?? ?? ?? 0F B7 ?? ?? ?? ?? ?? ?? 3B ?? 7F } - $block_58 = { 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? 48 ?? ?? 0F 85 } - $block_59 = { 0F B7 ?? ?? ?? ?? ?? ?? 0F B7 ?? ?? ?? ?? ?? ?? 3B ?? 7D } - $block_60 = { 8B ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? 2B ?? 8B ?? 85 ?? 0F 8E } - $block_61 = { 48 ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? 0F 85 } - $block_62 = { 48 ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? 0F 86 } - $block_63 = { 48 ?? ?? ?? ?? ?? ?? ?? 0F B7 ?? ?? 3D ?? ?? ?? ?? 74 } - $block_64 = { 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 0F 85 } - $block_65 = { 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 8B ?? ?? 39 ?? ?? 
0F 83 } - $block_66 = { B2 ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? 85 ?? 75 } - $block_67 = { 8B ?? ?? ?? 8B ?? ?? ?? FF C? 89 ?? ?? ?? 85 ?? 0F 84 } - $block_68 = { 48 ?? ?? ?? ?? ?? ?? ?? 0F B7 ?? ?? 3D ?? ?? ?? ?? 75 } - $block_69 = { 33 ?? 8B ?? ?? ?? F7 ?? ?? ?? FF C? 0F AF ?? ?? ?? 89 } - $block_70 = { 0F B7 ?? ?? ?? 48 ?? ?? ?? ?? 0F B7 ?? ?? 3B ?? 7D } - $block_71 = { 8B ?? ?? ?? 48 ?? ?? ?? ?? 0F BE ?? ?? 85 ?? 0F 85 } - $block_72 = { 48 ?? ?? ?? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 0F 85 } - $block_73 = { 48 ?? ?? ?? ?? 48 ?? ?? 83 ?? ?? ?? ?? ?? ?? 0F 85 } - $block_74 = { 0F B7 ?? ?? ?? ?? ?? ?? 25 ?? ?? ?? ?? 85 ?? 0F 84 } - $block_75 = { 48 ?? ?? ?? ?? ?? ?? ?? 0F B7 ?? 39 ?? ?? ?? 0F 85 } - $block_76 = { 8B ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 0F 85 } - $block_77 = { 48 ?? ?? ?? ?? ?? ?? ?? 0F BE ?? ?? 83 ?? ?? 74 } - $block_78 = { 8B ?? ?? ?? ?? ?? ?? 0F BE ?? ?? ?? 83 ?? ?? 74 } - $block_79 = { 8B ?? ?? ?? ?? ?? ?? 39 ?? ?? ?? ?? ?? ?? 0F 83 } - $block_80 = { 48 ?? ?? ?? ?? ?? ?? ?? 0F B7 ?? ?? 83 ?? ?? 75 } - $block_81 = { 48 ?? ?? ?? ?? ?? ?? ?? 0F BE ?? ?? 83 ?? ?? 75 } - $block_82 = { 8B ?? ?? ?? ?? ?? ?? 39 ?? ?? ?? ?? ?? ?? 0F 8D } - $block_83 = { 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? 0F 85 } - $block_84 = { B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? 85 ?? 74 } - - condition: - hash.sha256(0, filesize) == "af0e455f640b621c50d5c11efc3c8649691a9a661fa1bcf658aae48c007ff3c4" or - 24 of them -} - -rule MosquitoBackdoor { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { 8B ?? ?? 0B ?? ?? 89 ?? ?? 8B ?? ?? 23 ?? ?? 89 ?? ?? 8B ?? ?? C1 ?? ?? 81 F? ?? ?? ?? ?? 0F 84 } - $block_1 = { 5? FF F? 02 ?? 89 ?? ?? ?? ?? ?? 04 ?? 6E 00 ?? ?? 10 ?? ?? ?? ?? ?? 05 ?? ?? ?? ?? 02 ?? CC 8B } - $block_2 = { 8B ?? ?? 33 ?? 6A ?? 4? 5? F7 ?? 0F 90 ?? F7 ?? 0B ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? ?? 8B ?? 5? 72 } - $block_3 = { F4 64 ?? 00 ?? ?? 00 ?? ?? 8B ?? ?? EC 83 ?? ?? 08 ?? ?? ?? 5? 68 ?? ?? ?? ?? 6E 83 ?? 
?? 72 } - $block_4 = { 08 ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? 5? 0C ?? CC 8B ?? 68 ?? ?? ?? ?? 8B ?? 10 ?? 00 ?? ?? 73 } - $block_5 = { 5? 05 ?? ?? ?? ?? 00 ?? 6D CC 8B ?? ?? ?? ?? ?? 8B ?? 8D ?? ?? ?? ?? ?? FF 1? 83 ?? ?? 4? 73 } - $block_6 = { 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? CC 5? 8B ?? 5? 5? 5? 8B ?? ?? 5? 8B ?? 5? 8B ?? ?? 3B ?? 0F 82 } - $block_7 = { E8 ?? ?? ?? ?? 5? FF 7? ?? 8B ?? 8B ?? 68 ?? ?? ?? ?? FF 5? ?? 8B ?? ?? 2B ?? 83 ?? ?? 0F 82 } - $block_8 = { FF 7? ?? ?? 39 ?? ?? ?? ?? ?? ?? 8D ?? ?? ?? 5? 0F 43 ?? ?? ?? 6A ?? 5? 5? FF 7? ?? ?? FF 1? } - $block_9 = { 89 ?? FF 7? ?? ?? 68 ?? ?? ?? ?? 4? FC 30 ?? FF 8? ?? ?? ?? ?? 5? 5? 15 ?? ?? ?? ?? 5? 74 } - $block_10 = { 00 ?? CC 00 ?? ?? EC 8B ?? ?? 5? 00 ?? 8B ?? 85 ?? 00 ?? 63 ?? 5? A1 ?? ?? ?? ?? 01 ?? 70 } - $block_11 = { EC 8B ?? ?? A3 ?? ?? ?? ?? 5? 8B ?? ?? 00 ?? ?? 00 ?? ?? ?? 31 ?? 68 ?? ?? ?? ?? 04 ?? 75 } - $block_12 = { C6 ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? ?? ?? 8D ?? ?? ?? 0F 43 ?? ?? ?? 5? 5? E9 } - $block_13 = { 6A ?? 8D ?? ?? ?? 5? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? 5? FF 7? ?? ?? FF D? 85 ?? 0F 85 } - $block_14 = { 83 ?? ?? ?? ?? 5? 0F 43 ?? ?? ?? 5? 6A ?? 6A ?? 5? FF 7? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 74 } - $block_15 = { 00 ?? ?? 0F C1 ?? 00 ?? 32 ?? ?? 4? 04 ?? FC 00 ?? ?? 10 ?? ?? 00 ?? ?? ?? 89 ?? ?? 9? } - $block_16 = { 8B ?? 5? FF 7? ?? 8B ?? FF 5? ?? 8D ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? ?? 3B ?? ?? 0F 85 } - $block_17 = { 5? 89 ?? ?? ?? ?? ?? 05 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 4? FF 6? ?? EC 6E 00 ?? ?? 74 } - $block_18 = { 83 ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? 83 ?? ?? ?? 8B ?? E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 85 } - $block_19 = { 8D ?? ?? ?? ?? ?? 5? 5? 8B ?? ?? ?? ?? ?? 6A ?? 5? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 } - $block_20 = { EC 83 ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? 80 7? ?? ?? 5? B1 ?? 5? 8B ?? 88 ?? ?? 75 } - $block_21 = { 8B ?? ?? ?? ?? ?? 8B ?? 83 ?? ?? ?? ?? ?? ?? 0F 43 ?? ?? ?? ?? ?? 8B ?? 5? FF 5? } - $block_22 = { CC 8B ?? ?? ?? 00 ?? ?? 85 ?? 4? 4? 8B ?? 8D ?? ?? 15 ?? ?? ?? 
?? 8B ?? ?? 74 } - $block_23 = { 6A ?? 5? 6A ?? 5? 8D ?? ?? 5? FF B? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_24 = { 2B ?? 33 ?? D1 ?? 8D ?? ?? F7 ?? 0F 90 ?? F7 ?? 0B ?? 5? E8 ?? ?? ?? ?? 5? 89 } - $block_25 = { 6A ?? E8 ?? ?? ?? ?? 8B ?? 5? 89 ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_26 = { 8B ?? ?? 0F AF ?? ?? 89 ?? ?? B9 ?? ?? ?? ?? 6B ?? ?? 8B ?? ?? 8B ?? ?? 89 } - $block_27 = { 8B ?? 2B ?? 5? 8B ?? ?? 3B ?? 0F 42 ?? 83 ?? ?? 2B ?? ?? 2B ?? 3B ?? 0F 86 } - $block_28 = { 4? 04 ?? 9? 00 ?? 3F 24 ?? 00 ?? 61 64 ?? ?? 01 ?? ?? 00 ?? ?? ?? 4? 73 } - $block_29 = { 6A ?? 5? 8D ?? ?? ?? 5? 8D ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 0F 84 } - $block_30 = { E8 ?? ?? ?? ?? CC 5? 8B ?? 5? 8B ?? 5? 5? 8B ?? ?? 3D ?? ?? ?? ?? 0F 83 } - $block_31 = { 4? 68 ?? ?? ?? ?? 89 ?? ?? F4 64 ?? ?? ?? 00 ?? 20 ?? CC 85 ?? FF 1? } - $block_32 = { 8B ?? CC 5? 5? A3 ?? ?? ?? ?? 89 ?? 00 ?? ?? ?? ?? ?? 4? 3F 24 ?? 75 } - $block_33 = { 84 ?? ?? 00 ?? 10 ?? 00 ?? 01 ?? 33 ?? 06 03 ?? ?? ?? ?? ?? 4? 6F } - $block_34 = { 8B ?? 64 ?? ?? ?? ?? ?? 00 ?? ?? ?? 00 ?? CC 8B ?? 8B ?? 8B ?? 75 } - $block_35 = { E8 ?? ?? ?? ?? 83 ?? ?? ?? ?? 8D ?? ?? ?? 0F 43 ?? ?? ?? 5? FF 7? } - $block_36 = { 83 ?? ?? ?? ?? 0F 43 ?? ?? ?? 5? FF 7? ?? ?? FF 1? ?? ?? ?? ?? EB } - $block_37 = { 8B ?? ?? 23 ?? ?? 89 ?? ?? 8B ?? ?? 8B ?? ?? 83 ?? ?? ?? 0F 84 } - $block_38 = { 4? C4 ?? ?? C0 ?? ?? ?? ?? ?? ?? 31 ?? 0C ?? 4? CC CC CC CC CC } - $block_39 = { 5? 8B ?? 83 ?? ?? A1 ?? ?? ?? ?? 33 ?? 89 ?? ?? FF 4? ?? 0F 85 } - $block_40 = { EC 5? 8D ?? ?? 89 ?? ?? ?? ?? ?? F4 64 ?? 00 ?? C1 ?? ?? 75 } - $block_41 = { 63 ?? 00 ?? 4? FC 8B ?? 08 ?? ?? ?? ?? ?? 6A ?? 00 ?? 5? } - $block_42 = { 8B ?? ?? ?? 89 ?? ?? D2 ?? ?? ?? ?? ?? 00 ?? 6C 0F 84 } - $block_43 = { 8D ?? ?? 16 00 ?? ?? F4 89 ?? ?? 4? 8B ?? ?? 00 ?? 72 } - $block_44 = { EC 1D ?? ?? ?? ?? 00 ?? 8B ?? ?? ?? ?? ?? D0 ?? ?? 8B } - $block_45 = { 5? 8B ?? 5? 8B ?? 5? 5? 8B ?? ?? 3D ?? ?? ?? ?? 0F 83 } - $block_46 = { 00 ?? ?? 83 ?? ?? 89 ?? 
CC CE FF 6? ?? 00 ?? ?? 5? } - $block_47 = { 8B ?? ?? CE C5 ?? ?? 4? 10 ?? ?? ?? 00 ?? ?? 5? 6E } - $block_48 = { 4? 61 00 ?? ?? C7 ?? ?? ?? ?? ?? ?? C9 02 ?? 4? } - $block_49 = { 89 ?? ?? 64 ?? 0C ?? CE 64 ?? ?? 0F 40 ?? ?? CF } - $block_50 = { 8B ?? ?? 10 ?? C1 ?? ?? 4? 30 ?? 00 ?? 4? FC 74 } - $block_51 = { FF B? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_52 = { 8B ?? ?? 83 ?? ?? 89 ?? ?? ?? ?? ?? 85 ?? 0F 84 } - - condition: - hash.sha256(0, filesize) == "b79cdf929d4a340bdd5f29b3aeccd3c65e39540d4529b64e50ebeacd9cdee5e9" or - hash.sha256(0, filesize) == "e7fd14ca45818044690ca67f201cc8cfb916ccc941a105927fc4c932c72b425d" or - 12 of them -} - -rule Uroburos { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { FF 7? ?? 8B ?? 69 ?? ?? ?? ?? ?? 0F B7 ?? ?? ?? 03 ?? 8D ?? ?? ?? 8B ?? E8 ?? ?? ?? ?? 85 ?? 75 } - $block_1 = { 8B ?? ?? 0F B6 ?? ?? 8B ?? ?? 0F B6 ?? ?? 2B ?? 8B ?? ?? 88 ?? ?? 8B ?? ?? C6 ?? ?? ?? 33 ?? 75 } - $block_2 = { 8B ?? ?? ?? ?? ?? ?? 33 ?? 39 ?? ?? ?? ?? ?? 5? 5? 0F 94 ?? 5? 33 ?? E8 ?? ?? ?? ?? 8B ?? 5? C3 } - $block_3 = { 8B ?? ?? 33 ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 3B ?? ?? ?? ?? ?? 0F 85 } - $block_4 = { 81 E? ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 ?? 89 ?? ?? ?? ?? ?? ?? 5? 8B ?? 85 ?? 89 ?? ?? ?? 0F 84 } - $block_5 = { 8B ?? ?? 89 ?? ?? 8B ?? ?? 89 ?? ?? 8B ?? ?? 89 ?? ?? FF 1? ?? ?? ?? ?? 0F BE ?? 83 ?? ?? 75 } - $block_6 = { 0F B6 ?? ?? C1 ?? ?? 05 ?? ?? ?? ?? 8B ?? ?? 89 ?? ?? ?? ?? ?? 8B ?? ?? 5? E8 ?? ?? ?? ?? EB } - $block_7 = { 8B ?? ?? 0F B6 ?? ?? 8B ?? ?? 0F B6 ?? ?? ?? ?? ?? ?? C1 ?? ?? 81 C? ?? ?? ?? ?? 8B ?? ?? 89 } - $block_8 = { 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? 48 ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? 0F 85 } - $block_9 = { 8B ?? ?? 0F B6 ?? ?? ?? ?? ?? F7 ?? 1B ?? 83 ?? ?? 83 ?? ?? 8B ?? ?? 88 ?? ?? ?? ?? ?? E9 } - $block_10 = { 5? 8B ?? 83 ?? ?? 5? 8B ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? ?? 0F B6 ?? ?? ?? ?? ?? 83 ?? ?? 
75 } - $block_11 = { 8D ?? ?? 5? 68 ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 } - $block_12 = { D9 ?? E8 ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? DB ?? ?? ?? D9 ?? D8 ?? D8 ?? DF ?? F6 ?? ?? 0F 8B } - $block_13 = { 8B ?? ?? ?? ?? ?? 6A ?? 8D ?? ?? ?? 5? 8D ?? ?? ?? 5? 68 ?? ?? ?? ?? 5? FF D? 85 ?? 0F 84 } - $block_14 = { 8B ?? ?? 6B ?? ?? 8B ?? ?? 8B ?? ?? ?? 8B ?? ?? 8D ?? ?? 89 ?? ?? 0F B6 ?? ?? 85 ?? 0F 84 } - $block_15 = { 6A ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? 0F B6 ?? ?? 85 ?? 75 } - $block_16 = { 8B ?? ?? 0F B7 ?? 5? 8B ?? ?? 5? 8B ?? ?? 81 C? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? C7 } - $block_17 = { 0F B6 ?? ?? F7 ?? 1B ?? 83 ?? ?? 88 ?? ?? C7 ?? ?? ?? ?? ?? ?? 0F B6 ?? ?? 85 ?? 0F 84 } - $block_18 = { 8B ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? 89 ?? ?? 8B ?? ?? 0F B6 ?? ?? ?? ?? ?? 83 ?? ?? 75 } - $block_19 = { 8B ?? ?? ?? ?? ?? 69 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 0F B6 ?? ?? ?? ?? ?? ?? 85 ?? 75 } - $block_20 = { 8D ?? ?? 5? 8B ?? ?? 5? 8B ?? ?? 5? E8 ?? ?? ?? ?? 88 ?? ?? 0F B6 ?? ?? 83 ?? ?? 0F 85 } - $block_21 = { 0F B7 ?? ?? 83 ?? ?? 66 ?? ?? ?? 0F B7 ?? ?? 5? E8 ?? ?? ?? ?? 89 ?? ?? 83 ?? ?? ?? 75 } - $block_22 = { 8B ?? 8B ?? 8B ?? 8B ?? ?? ?? 89 ?? ?? ?? 8B ?? 8B ?? 8B ?? 33 ?? 85 ?? 0F 94 ?? 89 } - $block_23 = { 8B ?? ?? ?? C1 ?? ?? 5? 5? 5? E8 ?? ?? ?? ?? 83 ?? ?? 39 ?? ?? ?? 89 ?? ?? ?? 0F 8E } - $block_24 = { 8B ?? ?? 0F B6 ?? ?? 8B ?? ?? 0F B6 ?? ?? ?? ?? ?? ?? 81 E? ?? ?? ?? ?? 83 ?? ?? 75 } - $block_25 = { 8B ?? ?? 0F B6 ?? ?? ?? ?? ?? 83 ?? ?? 8B ?? ?? 8D ?? ?? ?? 89 ?? ?? 83 ?? ?? ?? 7C } - $block_26 = { 8A ?? ?? 5? 8B ?? ?? 0F B6 ?? ?? 5? 8B ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? ?? 89 ?? ?? EB } - $block_27 = { 0F B6 ?? ?? F7 ?? 1B ?? 83 ?? ?? 88 ?? ?? C7 ?? ?? ?? ?? ?? ?? 0F B6 ?? ?? 85 ?? 74 } - $block_28 = { 8B ?? ?? 0F AF ?? ?? 8B ?? ?? 8D ?? ?? 5? 8B ?? ?? 5? 8B ?? ?? 5? E8 ?? ?? ?? ?? EB } - $block_29 = { 6A ?? 6A ?? 6A ?? 6A ?? 5? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 83 ?? ?? 
0F 85 } - $block_30 = { 5? 8B ?? 83 ?? ?? 8B ?? ?? 89 ?? ?? 8B ?? ?? 83 ?? ?? 89 ?? ?? 83 ?? ?? ?? 0F 87 } - $block_31 = { 8B ?? ?? ?? 5? 5? 8B ?? ?? ?? 5? 8B ?? ?? ?? 8B ?? 5? C1 ?? ?? 0F B7 ?? 2B ?? C7 } - $block_32 = { 8B ?? ?? 69 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? 3B ?? ?? ?? ?? ?? ?? 0F 83 } - $block_33 = { 8B ?? ?? 89 ?? ?? 8B ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? 89 ?? ?? 83 ?? ?? ?? 0F 84 } - $block_34 = { 8B ?? ?? 0F B6 ?? ?? 8B ?? ?? 0F B6 ?? ?? ?? ?? ?? ?? 81 F? ?? ?? ?? ?? 0F 85 } - $block_35 = { 8B ?? ?? 8B ?? ?? 03 ?? ?? 89 ?? ?? 8B ?? ?? 0F B7 ?? ?? 81 F? ?? ?? ?? ?? 75 } - $block_36 = { 8B ?? ?? ?? 8B ?? 0B ?? 89 ?? ?? ?? 5? 23 ?? 5? 33 ?? 85 ?? 5? 0F 95 ?? 5? C3 } - $block_37 = { 83 ?? ?? 5? 8B ?? ?? ?? 5? 8B ?? 83 ?? ?? 5? 8D ?? ?? ?? 5? 89 ?? ?? ?? 0F 8D } - $block_38 = { 83 ?? ?? ?? 83 ?? ?? D1 ?? 0F B7 ?? 0F B7 ?? 85 ?? 8D ?? ?? ?? 89 ?? ?? 76 } - $block_39 = { 2B ?? ?? 8B ?? ?? 89 ?? ?? 33 ?? 85 ?? C7 ?? ?? ?? ?? ?? ?? 89 ?? ?? 0F 86 } - $block_40 = { 0F B7 ?? ?? 8B ?? ?? 89 ?? ?? 8B ?? ?? 8B ?? ?? 8B ?? ?? 2B ?? 39 ?? ?? 73 } - $block_41 = { 6A ?? 8B ?? ?? 8B ?? ?? 83 ?? ?? 5? FF 1? ?? ?? ?? ?? 0F B6 ?? ?? 85 ?? 74 } - $block_42 = { 8B ?? ?? 0F B6 ?? 89 ?? ?? 8B ?? ?? 8B ?? ?? 83 ?? ?? 89 ?? ?? 83 ?? ?? 7C } - $block_43 = { 8B ?? ?? 0F B6 ?? ?? ?? ?? ?? 33 ?? 83 ?? ?? 0F 95 ?? 83 ?? ?? 8B ?? EB } - $block_44 = { 8B ?? ?? 0F B6 ?? ?? 89 ?? ?? 8B ?? ?? 83 ?? ?? 89 ?? ?? 83 ?? ?? ?? 77 } - $block_45 = { 8B ?? ?? 0F B6 ?? ?? ?? ?? ?? 83 ?? ?? F7 ?? 1B ?? 83 ?? ?? 83 ?? ?? EB } - $block_46 = { 8B ?? ?? C7 ?? ?? ?? ?? ?? 8B ?? ?? 0F B6 ?? ?? ?? ?? ?? 83 ?? ?? 0F 85 } - $block_47 = { 8B ?? ?? 0F B6 ?? ?? ?? ?? ?? F7 ?? 1B ?? 83 ?? ?? 83 ?? ?? 8B ?? ?? 88 } - $block_48 = { 8B ?? ?? ?? ?? ?? 5? 5? 33 ?? 5? E8 ?? ?? ?? ?? 81 C? ?? ?? ?? ?? C9 C3 } - $block_49 = { 8B ?? ?? 8B ?? ?? 2B ?? ?? 66 ?? ?? ?? 0F B7 ?? ?? 8B ?? ?? 3B ?? ?? 76 } - $block_50 = { 8D ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 } - $block_51 = { D9 ?? 
B9 ?? ?? ?? ?? 2B ?? ?? ?? D8 ?? 89 ?? ?? ?? DF ?? F6 ?? ?? 0F 84 } - $block_52 = { 8B ?? ?? ?? ?? ?? 5? 5? FF 1? ?? ?? ?? ?? 8B ?? 81 F? ?? ?? ?? ?? 0F 84 } - $block_53 = { 8D ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 84 } - $block_54 = { 8B ?? ?? 0F B7 ?? ?? 8B ?? 25 ?? ?? ?? ?? 03 ?? C1 ?? ?? 83 ?? ?? 74 } - $block_55 = { 8B ?? ?? 0F B6 ?? ?? 8B ?? ?? 0F B6 ?? ?? ?? ?? ?? ?? 83 ?? ?? 0F 85 } - $block_56 = { 8B ?? ?? ?? 6A ?? 6A ?? 6A ?? 6A ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_57 = { 8D ?? ?? ?? ?? ?? ?? 5? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 85 } - $block_58 = { 8B ?? ?? 8B ?? ?? 0F B6 ?? C1 ?? ?? 0B ?? FF 4? ?? 4? 89 ?? ?? 75 } - $block_59 = { 68 ?? ?? ?? ?? 6A ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 89 ?? ?? ?? 0F 84 } - $block_60 = { 8B ?? ?? 83 ?? ?? 89 ?? ?? 8B ?? ?? 03 ?? ?? 0F BE ?? 83 ?? ?? 74 } - $block_61 = { 8B ?? ?? 5? E8 ?? ?? ?? ?? 0F B6 ?? C1 ?? ?? 83 ?? ?? 83 ?? ?? 75 } - $block_62 = { 8B ?? ?? 5? E8 ?? ?? ?? ?? 0F B6 ?? C1 ?? ?? 83 ?? ?? 83 ?? ?? 74 } - $block_63 = { 0F B7 ?? ?? 8B ?? ?? 8B ?? ?? 89 ?? ?? 8B ?? ?? 8B ?? ?? 3B ?? 72 } - $block_64 = { 88 ?? 83 ?? ?? 6A ?? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 3B ?? 0F 84 } - $block_65 = { 0F B6 ?? ?? 83 ?? ?? 8B ?? ?? 89 ?? ?? 0F B6 ?? ?? 83 ?? ?? 75 } - $block_66 = { 8B ?? ?? 8D ?? ?? 5? 5? FF 1? ?? ?? ?? ?? 3D ?? ?? ?? ?? 0F 84 } - $block_67 = { 5? 8B ?? 5? 8B ?? ?? 0F B6 ?? ?? 8B ?? ?? 0F B6 ?? ?? 3B ?? 74 } - $block_68 = { 8D ?? ?? 99 83 ?? ?? 03 ?? 8B ?? C1 ?? ?? 03 ?? 03 ?? 85 ?? 7E } - $block_69 = { 8B ?? ?? ?? B8 ?? ?? ?? ?? 2B ?? 99 F7 ?? 89 ?? ?? ?? 3B ?? 7D } - $block_70 = { 8B ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? ?? 0F 89 } - $block_71 = { 8D ?? ?? 99 83 ?? ?? 03 ?? 8B ?? C1 ?? ?? 3B ?? ?? ?? ?? ?? 7E } - $block_72 = { 8B ?? ?? ?? B8 ?? ?? ?? ?? 2B ?? 99 F7 ?? 89 ?? ?? ?? 3B ?? 7C } - $block_73 = { 5? 6A ?? 8D ?? ?? ?? 5? 6A ?? FF 1? ?? ?? ?? ?? 83 ?? ?? 0F 84 } - $block_74 = { 8B ?? ?? ?? 83 ?? ?? 83 ?? ?? 3B ?? ?? ?? 89 ?? ?? ?? 
0F 8C } - $block_75 = { 8D ?? ?? ?? 5? 68 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 } - $block_76 = { 6A ?? E8 ?? ?? ?? ?? 83 ?? ?? 83 ?? ?? A3 ?? ?? ?? ?? 0F 85 } - $block_77 = { 6A ?? 83 ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 84 } - $block_78 = { 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 85 } - $block_79 = { 33 ?? ?? ?? 83 ?? ?? 89 ?? ?? 8B ?? 8D ?? ?? 83 ?? ?? 0F 82 } - $block_80 = { E8 ?? ?? ?? ?? 99 B9 ?? ?? ?? ?? F7 ?? 8B ?? ?? 2B ?? 2B } - $block_81 = { 8B ?? ?? 2B ?? ?? 66 ?? ?? ?? 0F B7 ?? ?? 3B ?? ?? 76 } - $block_82 = { 8B ?? ?? 5? E8 ?? ?? ?? ?? 0F B6 ?? 3D ?? ?? ?? ?? 7F } - $block_83 = { 5? 8B ?? 83 ?? ?? 8B ?? ?? 89 ?? ?? 83 ?? ?? ?? 0F 84 } - $block_84 = { 8B ?? ?? 5? 5? 33 ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? C9 C3 } - $block_85 = { 5? 8D ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 } - $block_86 = { 83 ?? ?? 83 ?? ?? ?? ?? 5? 5? 5? 5? 8B ?? 8B ?? 0F 8E } - $block_87 = { 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 0F 85 } - $block_88 = { 8D ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_89 = { 8B ?? ?? C7 ?? ?? ?? ?? ?? 0F B6 ?? ?? 83 ?? ?? 75 } - $block_90 = { 8B ?? ?? 8B ?? ?? ?? ?? ?? 81 3? ?? ?? ?? ?? 0F 85 } - $block_91 = { 8B ?? ?? 0F B6 ?? ?? ?? ?? ?? 81 F? ?? ?? ?? ?? 75 } - $block_92 = { 0F B6 ?? ?? C1 ?? ?? 81 C? ?? ?? ?? ?? 8B ?? ?? 89 } - $block_93 = { 8B ?? ?? 0F B6 ?? ?? ?? ?? ?? 83 ?? ?? C1 ?? ?? 74 } - $block_94 = { E8 ?? ?? ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 } - $block_95 = { 8B ?? ?? ?? ?? ?? 83 ?? ?? 39 ?? ?? ?? ?? ?? 0F 84 } - $block_96 = { 8D ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 85 ?? 0F 84 } - $block_97 = { 8B ?? ?? 0F B6 ?? ?? ?? ?? ?? 3D ?? ?? ?? ?? 75 } - $block_98 = { 8B ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 3B ?? 0F 83 } - $block_99 = { 5? 8B ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 
0F 85 } - - condition: - hash.sha256(0, filesize) == "0d1fe4ab3b074b5ef47aca88c5d1b8262a1293d51111d59c4e563980a873c5a6" or - hash.sha256(0, filesize) == "bb975dc17d871535ddeadfb6ec34089ba02eef3f2432e7a4f37065b53d67c00a" or - hash.sha256(0, filesize) == "9897d726cfccefd8f444c167cfaa34949449104a1a343a047dda2c257c4c9a31" or - hash.sha256(0, filesize) == "615b0bdff7cfa88cd55f5629505ed6212e7e8c022e00b33fc12e5f33356d5872" or - hash.sha256(0, filesize) == "b34cf1c74d4c4ce873543d41fc03be06a403b4872bcd1adbe16cfaa4201df115" or - hash.sha256(0, filesize) == "4c8b2e001dbf9e8b285c79514319e0a14dbb839998dd4d643d51fb11767d0cf9" or - hash.sha256(0, filesize) == "3b903a93f1fd2bd81b7b73daefd2d298a2fbb0137b786449e07176abd5cdde74" or - hash.sha256(0, filesize) == "7e2ae0a57bc676aab0926babe934cc2c89ef194a1660ee175182237f837c45eb" or - hash.sha256(0, filesize) == "43b8ce99af9c59376d3b077a87ce7afe720022987f3cf62f51504d22330a516b" or - hash.sha256(0, filesize) == "93742b415f28f57c61e7ce7d55208f71d5c4880dc66616da52f3c274b20b43b0" or - hash.sha256(0, filesize) == "30fc7f6e8623ee65e56fd4514169a2b01d1e35af06dda347ff4efe94c3d2329f" or - hash.sha256(0, filesize) == "e8044c11f46b204a7dec5600cf3a0a5252951b9a026a9a41abcce96e0f1adf90" or - hash.sha256(0, filesize) == "2fc6bc0683f9e9f20aae1fb257a1a05be63ddbbc600876bff6cd622879518d6e" or - hash.sha256(0, filesize) == "50edc955a6e8e431f5ecebb5b1d3617d3606b8296f838f0f986a929653d289ed" or - hash.sha256(0, filesize) == "09bc2a5f3de9dbcf54eb94e0f3a67c846403b34ad11dff23c9c8627bb9a16529" or - hash.sha256(0, filesize) == "c55fa19ac18710c56045e39724f3b6a83a916508ae23a14bb2a108e71eac64a0" or - hash.sha256(0, filesize) == "2956ef7470a504a8ea7aab211442febee740b3a0d39bb4fae1a2e578689167d6" or - hash.sha256(0, filesize) == "152c867667517a0ec0b3231beece8ff46ff954bfc2493ca3bdfdfc6ea6b1bde9" or - hash.sha256(0, filesize) == "85e6ab75e96dc7df18dd97d7c0eaeb0ed8d4fa33a4ecc09c196b9cf4795ca368" or - hash.sha256(0, filesize) == 
"92c2023095420de3ca7d53a55ed689e7c0086195dc06a4369e0ee58a803c17bb" or - hash.sha256(0, filesize) == "3de0ba77fa2d8b26e4226fd28edc3ab8448434d851f6b2b268ec072c5da92ade" or - hash.sha256(0, filesize) == "6e9bf792c8247e612d3a8dfc5ea139c624e1d6c8bf116ff5ce280e7dc07ec4d4" or - hash.sha256(0, filesize) == "655f1fdcd8b60425426dd4c22e50e79374b9790d44415cb9c0e51f64e73d4de4" or - hash.sha256(0, filesize) == "f4554db7998e0a3467fa35d6a4fee1e34ae9db6381751e45f889fcaacd95c985" or - hash.sha256(0, filesize) == "67bc775cc1a58930201ef247ace86cc5c8569057d4911a8e910ac2263c8eb880" or - hash.sha256(0, filesize) == "846bdce641d7acbfaf28891d0351620fec954e02b2145cb7cd13aa6bdc8fe647" or - hash.sha256(0, filesize) == "8c0e21756d659b383e206d603dfd3be41f0ea2d8277dae7bc1b6a2e1dc64e5c6" or - hash.sha256(0, filesize) == "7fabb245a35ad61406627bac9a2c232e5990da5ec5f144d43af59167200f971a" or - hash.sha256(0, filesize) == "e4ff7d8c1cdf48039640454025ff17cbe0f7e79bd561bd5ad8ff1e7aa5073754" or - hash.sha256(0, filesize) == "c6b9ade2f5885ccebff30c4e7b279e17d981ff153936735d75874f52735ad556" or - hash.sha256(0, filesize) == "cf1b968a37fb4ac317e4ec89c57974ae4ce88c6f9119bd9343bbb4834ea8d2f3" or - hash.sha256(0, filesize) == "bf1cfc65b78f5222d35dc3bd2f0a87c9798bce5a48348649dd271ce395656341" or - hash.sha256(0, filesize) == "e2e5cc06f3814c48a14af0a587c947eb098f3803383fe8ac3162ab1027f991f9" or - hash.sha256(0, filesize) == "5e72cdb489133c984ae3b807bffbc788d14ceefb2385b5f2dff3618d85ffffd8" or - hash.sha256(0, filesize) == "a5d557e91716997925119dfb7dd007732e37a21d9abba2282565ce583b5d6eca" or - hash.sha256(0, filesize) == "61bd32dbe2d08c31a23094dee2a2920c1fc3e9b4fbfbe2d3341b8dfed62cfab4" or - hash.sha256(0, filesize) == "f3e4e1dece0a14bedbd02b123996316d90a99b8ba581dd1c45b52f33ee56f2e5" or - hash.sha256(0, filesize) == "8931663da74657c87ce2bf76ba501a3dd9cb7a952063d6122996d1dbc6227093" or - hash.sha256(0, filesize) == "a10a0c729e5100c979d446b5f87251b0743fd108a305d9f9ea85832729ced6a8" or - hash.sha256(0, filesize) == 
"b262292e049ee75d235164df98fa8ed09a9e2a30c5432623856bafd4bd44d801" or - hash.sha256(0, filesize) == "5d21324eddb511fd4630a46d78673d73777383d62fc3ac2c966fd922f7f21256" or - hash.sha256(0, filesize) == "831ea1e478093409733708256086529f8971e7ed8849d4d146d8fe28602f1d2a" or - hash.sha256(0, filesize) == "b7aeb8b1bbcf9db4c6a37ceecb0a29f0a5efe8dda72b4563f547e0b18afb0a50" or - hash.sha256(0, filesize) == "e943923f6b2d5c915cc34d1ca81498a64329d7151fd7c42ca92a315f97e8ce82" or - hash.sha256(0, filesize) == "ba15a26408613936c6bc192f1b143e15914cd578074e91ba4fcff6a042c4f9e7" or - hash.sha256(0, filesize) == "d5757c6f93b94fb3819363b4c2b3046a2e714968652a5992a6756f180d30cd25" or - hash.sha256(0, filesize) == "20f7a38a5e3c4fec43978be3a4c4ea91ecbb94ccc0151dd770cda3100dc79d99" or - hash.sha256(0, filesize) == "fea3d7271bf2ad43e2534e8be050b6f8830991375e301403817d4d57e87ed624" or - hash.sha256(0, filesize) == "2b30fc3afac6220d1e4b0f87ec23681ef27b617d5724421803a3e8d4e7135f60" or - hash.sha256(0, filesize) == "e2bbb2b9bb5cd97371150d8ae64efeca90a6e7162cd0080613854d1b189fd5a6" or - hash.sha256(0, filesize) == "1d93015012993265d64c9f5494ca40ff75a8c850ea57357f0a8668d56bf6b160" or - hash.sha256(0, filesize) == "fc68026b83392aa227e9adf9c71289cb51ba03427f6de67a73ae872e19ef6ff9" or - hash.sha256(0, filesize) == "89ead864cb4117eb5ec548ead783a292db5aec8c2ddbb7873e81de7ce73f570a" or - hash.sha256(0, filesize) == "b8c477c2f8c38b7d726b18e925f5b15a7fa2dd8ec19a73eb688844f40f50b914" or - hash.sha256(0, filesize) == "0ac463de10eaf57cfcf2d41bdfbc827844dd7b8d908905fca9bc105c200c9362" or - hash.sha256(0, filesize) == "b9620603662fe681ce714f78905d806c946b599b44505e0a6e4a14e97e2c973a" or - hash.sha256(0, filesize) == "c8bee88458f89f6aee9bb213c397ef1b9ff4588169b1bba5bec7b840879170fc" or - hash.sha256(0, filesize) == "dc06a54b55edf5ae48d3721c038a3e57d92e321505bed80a0e22defdf1312f76" or - hash.sha256(0, filesize) == "71b3b876702f2405832444b761c6b3bdb854a77aea0bf650d1fee346479fa6ff" or - hash.sha256(0, filesize) == 
"93c8db29ec3707f13bf5a96d5b8a3dc33c2f5b870acd3df07292c724ce10a13f" or - hash.sha256(0, filesize) == "bb2b25b2a161914a23d1f3d68e852b5305a27e827431b538703735e6199d518d" or - hash.sha256(0, filesize) == "168f8c29c14880a5f1b13b24c11f4707c40bbd24593b90908b44192f73b6c2d6" or - hash.sha256(0, filesize) == "0e3842bd092db5c0c70c62e8351649d6e3f75e97d39bbfd0c0975b8c462a65ca" or - hash.sha256(0, filesize) == "3a6ade7e2278d39ea74ef86144b256780d76e4db29431873e9271b20e4614696" or - hash.sha256(0, filesize) == "100bd3acec48872863523ecc25731d647f9c1baeb9c320aa89cc1f9dfb57b3db" or - hash.sha256(0, filesize) == "4f18b90cd644ea28bcb964622855145afca6a34e2381a10d731ec0f1bb46dd3b" or - hash.sha256(0, filesize) == "f28f406c2fcd5139d8838b52da703fc6ffb8e5c00261d86aec90c28a20cfaa5b" or - hash.sha256(0, filesize) == "a7701723cddf597309f9c5813cb962e74751c80203db31d14e2e05971ac6378c" or - hash.sha256(0, filesize) == "9fd6dadb312d9d9d2dd3c151c7c58103e0e0062162428f578de95c2f192aa8b0" or - hash.sha256(0, filesize) == "8fb20f80f0ee6ba3bb60e05079aceb05cbad17d73659665db21ce78b6898ce88" or - hash.sha256(0, filesize) == "6b9419b2e6ea7dbe2054b4b2568bd5c61c08706f33788c55649fd4991a28c476" or - hash.sha256(0, filesize) == "1321c78aa2abefd7f59994376b02159e5c2c81665f01b6a18707bd4fc3861116" or - hash.sha256(0, filesize) == "d9498b9a806a8c7e706020dab600b1842eaa4bf3909e69144a8410db1f5e6e83" or - hash.sha256(0, filesize) == "f85f66e45cc232223e8db39ac0b1cec1332b6267e0d2505926fe4c07427ff0d6" or - hash.sha256(0, filesize) == "369b23b794f487653ab5d410c35c26a72c9affe0a4e49062f034b4d08e254d77" or - hash.sha256(0, filesize) == "a15c351b940046bc80c8d0a69b8d5f6c4198cb20f68ad830dc3b1036ba8d34e4" or - hash.sha256(0, filesize) == "0f5ec3b9535d4f956330351c5310626ffaa17f146ff51a8b3b10ea0a7039eadc" or - hash.sha256(0, filesize) == "d2bef8242f3295c1815fb7ee32228a221b0e59f0be43259e4f41bd18c7e7dcf1" or - hash.sha256(0, filesize) == "7032c7bb7ebd3f8b886aa175d2c52138ef00fc3313b61dae87cfc80d1c8a7ec3" or - hash.sha256(0, filesize) == 
"2f5aa8a71df89858b6681cddbe72d30dded5c808e6018ff723c4660ab53b1a93" or - hash.sha256(0, filesize) == "253c92fee41941aaef4dfe269240ff7025cf902cae3d8b3318eeb6c7f31742aa" or - hash.sha256(0, filesize) == "f56b1248cdecffd25dbf8a2895105fec38f0a4ce03241571c8eb8daafc9a168f" or - hash.sha256(0, filesize) == "39050386f17b2d34bdbd118eec62ed6b2f386e21500a740362454ed73ea362e8" or - hash.sha256(0, filesize) == "571633025b6ff979a946186b892d9217be26c4078e7911b2ebccaa4dcda6aeab" or - hash.sha256(0, filesize) == "ca69e85a5752d4a5ffe88c3d45d0d14f329e518aab56e8fc948138db23810233" or - hash.sha256(0, filesize) == "99ac651da4a17a667a0b05009bafde945cbcd93ada8f241d9c3ad8654095fcc4" or - hash.sha256(0, filesize) == "47247719f62f8409aae68867d9750e8c2a792b241efea1c1eac58baca3f146ee" or - hash.sha256(0, filesize) == "09bd85c522a23396e1ab57680eb515ff29f4dd72baa5ba49637020ae2336b6b1" or - hash.sha256(0, filesize) == "746a3aa794e77a83806747649de68109baca26fe7bdd985af1b73a2285a7df10" or - hash.sha256(0, filesize) == "43e71b993d6e7c977caaf2ed7610a71758734d87ec2ceb20a84e573ea05a01b3" or - hash.sha256(0, filesize) == "11016f63ca3c35ae4bcba8705854a787420af27d3d6953b1c563cf694f1811c5" or - hash.sha256(0, filesize) == "79cdaebb65c04758a5fce3bbd19973af21de4cc0c4cf659ece8cc153f441fc19" or - hash.sha256(0, filesize) == "b3746bf1c21b70a367c1b9de9f5d8c7f1a4803a014e0e6300ddd4adeb45feeff" or - hash.sha256(0, filesize) == "ea4b2d5e2c47ba8ce92a90b6e2fe6a48d22dbafd6ec4dab7465c8cef28e19515" or - hash.sha256(0, filesize) == "35ed1d87b31d238b3bdcffb13b5902cceba3c25aebfd9f54789d79d33bc6ce7a" or - hash.sha256(0, filesize) == "9611d0b1837e933b9d938e19791b757aa56669ec75b8fd671bdd1371eede03bb" or - hash.sha256(0, filesize) == "57b8c2f5cfeaca97da58cfcdaf10c88dbc2c987c436ddc1ad7b7ed31879cb665" or - hash.sha256(0, filesize) == "e534a8c4c126dfa35dd5c0a34582f244a51c08e446e9ffd5ccde9f5a37564c03" or - hash.sha256(0, filesize) == "caa22575a53cbd65b5b6b22132279f1817f26a832612e854cb08dd50f93790c2" or - hash.sha256(0, filesize) == 
"cced33b6fe42e56355118a7dbae8bc2fded8d218615616f2edbbf0f6795a1473" or - hash.sha256(0, filesize) == "5bda2aefda5802d716c8a849c409af40f78f7208222f3e08c9323c5eea76e5a9" or - hash.sha256(0, filesize) == "36494d7f0aeaf36bd6fa49e08636ffe6f20fdd60c13a0dc1bfc97e4d9d4e54ba" or - hash.sha256(0, filesize) == "129380c4955be84330ead54c8939dfb55c91d9f08a9964a73434692fb6bf9d74" or - hash.sha256(0, filesize) == "c14c04f8c41407e1ddb100f1b6c5f2af5d1815edd9f024e9b76686ddf8b368bc" or - hash.sha256(0, filesize) == "36e44ea38c8d48a34df0dc88cf1e1203f8f97bd52f035eccd338112e57f6f9f3" or - hash.sha256(0, filesize) == "12be398511efb74fb99b496229fce2648a71c5bccd85b45adfd14f5af5b7dbda" or - hash.sha256(0, filesize) == "4c49c9d601ebf16534d24d2dd1cab53fde6e03902758ef6cff86be740b720038" or - hash.sha256(0, filesize) == "a6bf9cc1f64ac190e42cfce47564ef71492a788543d438408b522e40a716610c" or - hash.sha256(0, filesize) == "77e68d7aa595231067597d9a1c176fe2f3c4f53ae3f6509f11e2c314d286f4e6" or - hash.sha256(0, filesize) == "ff2a292ef76b5040fda8635ca95a652ff81ff57bb602a229ff7c74da31fe4d8b" or - hash.sha256(0, filesize) == "94f05acb7e004e66875c02f7f903f1874f7085a772742e351ea9c0237a1079e2" or - hash.sha256(0, filesize) == "55b17467da6d12ecf71e82eb96870bd314f248675da1bfad1b1e437b45453452" or - hash.sha256(0, filesize) == "5a64928debca2d9f1ffa4194f541c9188b32430cad4bdabac8f5bbdc514a0685" or - hash.sha256(0, filesize) == "527b6a2bf5a250c06378b8f0f2b0ba4a1a121bf460ac70ecb3bf8b41ac1b06b4" or - hash.sha256(0, filesize) == "8c12da9df42c74afbefebfa5f601cd8e18cb4ef8eced56b319cb1011324ff198" or - hash.sha256(0, filesize) == "07e29254c525f67a7c3c815440bb8ba4454faf1e7f502a3a5f27f813b97e6b11" or - hash.sha256(0, filesize) == "dfb513ae1ae4d661194781c52e8135ea15a252e4df7130ed564e286d83a4ad11" or - hash.sha256(0, filesize) == "33460a8f849550267910b7893f0867afe55a5a24452d538f796d9674e629acc4" or - hash.sha256(0, filesize) == "54107d0498f12b53ae49e9311f3a599dbbc3c555358a26a33f9b797c0c5f377c" or - hash.sha256(0, filesize) == 
"564ee49a4703de53bfa1bdc6a5b71f111ea23e38a6ff441e0bf2ff7c28d95525" or - hash.sha256(0, filesize) == "f697aa0bb10ae7141fb1ee62e854616e1d650397121041fc7d502c091c4234eb" or - hash.sha256(0, filesize) == "54d5a7313ec9522b76fea9759fce7193335b924d073c0513bc528bf6d86194aa" or - hash.sha256(0, filesize) == "eb8d87c6684dcbbcbb49bf60724c1ab15942b9ba52bf7f866d33e07b4b82c905" or - hash.sha256(0, filesize) == "bd48c953163785c5f682b742ea5b25a611b2bf551a1dd36fb8abb2c07d9189de" or - hash.sha256(0, filesize) == "afb0ae6e0f130b9200949c191561b013c2762f392717b36c87964b0a34a0f632" or - hash.sha256(0, filesize) == "ef444eaef804955cb7a5902e30b43201c3d45c0f35aaa0b0ea73f3af916688ae" or - hash.sha256(0, filesize) == "583132e0aab63507f6bd15a5d37aa883279ded69fa18e04fd299b0c2df845d54" or - hash.sha256(0, filesize) == "65fdaf08e562611ce58f1d427f198f8743d88a68e1c4d92afe6dc6251e8a3112" or - hash.sha256(0, filesize) == "4a9e6fdafba6bddc8600f51aae4eb6119c0abe1f6ebdfc025a76627372e223a4" or - hash.sha256(0, filesize) == "448df2684c495bb54ee87214bba4b3b6b4b8d0989bf698ced04962cbcc0865a8" or - hash.sha256(0, filesize) == "d597e4a61d94180044dfb616701e5e539f27eeecfae827fb024c114e30c54914" or - hash.sha256(0, filesize) == "9bcde3bb10a88644393bb598e3b2498b3522b68299bea6e4f24cc4eeb5cfe231" or - hash.sha256(0, filesize) == "099ad10b55e74e1b99424d8e739107534004ba5b1e6c051cf8b942ed32dabca6" or - hash.sha256(0, filesize) == "198388dc0f81a5915def5414b62f485f6f2a8e12c28592a810518059a2eb5a36" or - hash.sha256(0, filesize) == "beac78638a18b7de1861845797ff3adfae22607dceee42b99e17d191045244ed" or - 12 of them -} - -rule CarbonOrchestrator_v3_79_ { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { C7 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 0F B6 ?? 88 ?? ?? ?? 0F B6 ?? ?? ?? 3D ?? ?? ?? ?? 0F 85 } - $block_1 = { 8B ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? E8 ?? ?? ?? ?? 0F B6 ?? 85 ?? 74 } - $block_2 = { E8 ?? ?? ?? ?? 99 B9 ?? ?? ?? ?? F7 ?? 8B ?? 
48 ?? ?? ?? ?? 8B ?? ?? 2B ?? 8B ?? 89 ?? ?? ?? EB } - $block_3 = { 4C ?? ?? ?? ?? 88 ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 0F B6 ?? ?? ?? ?? ?? ?? 85 ?? 74 } - $block_4 = { 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? ?? ?? 0F BE ?? ?? 83 ?? ?? 75 } - $block_5 = { 0F B7 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? FF 9? ?? ?? ?? ?? 48 ?? ?? ?? ?? 66 ?? ?? ?? EB } - $block_6 = { 8B ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? 0F 84 } - $block_7 = { 48 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? 85 ?? 75 } - $block_8 = { 4C ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 } - $block_9 = { 48 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 0F B7 ?? ?? 3D ?? ?? ?? ?? 75 } - $block_10 = { 0F BE ?? ?? ?? BA ?? ?? ?? ?? 8B ?? E8 ?? ?? ?? ?? 88 ?? ?? ?? 0F B6 ?? ?? ?? 83 ?? ?? 7C } - $block_11 = { 48 ?? ?? ?? ?? ?? ?? ?? 0F B7 ?? 33 ?? B9 ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? EB } - $block_12 = { 48 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 88 ?? ?? ?? ?? ?? ?? 0F B6 ?? ?? ?? ?? ?? ?? 85 ?? 74 } - $block_13 = { 41 ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? 85 ?? 75 } - $block_14 = { 8B ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? E8 ?? ?? ?? ?? 0F B6 ?? 85 ?? 74 } - $block_15 = { 48 ?? ?? ?? ?? ?? ?? ?? 0F B6 ?? ?? 88 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 75 } - $block_16 = { 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 0F B6 ?? ?? 88 ?? ?? ?? 8B ?? ?? ?? FF C? 89 ?? ?? ?? C7 } - $block_17 = { 8B ?? ?? ?? 44 ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 } - $block_18 = { 48 ?? ?? ?? ?? ?? ?? ?? 0F B7 ?? 33 ?? B9 ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? ?? ?? 73 } - $block_19 = { 48 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 0F BE ?? ?? ?? 83 ?? ?? 74 } - $block_20 = { 48 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? ?? 83 ?? ?? ?? ?? 0F 85 } - $block_21 = { 48 ?? ?? ?? ?? ?? 
?? ?? 48 ?? ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 83 ?? ?? 0F 84 } - $block_22 = { 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? 83 ?? ?? 0F 85 } - $block_23 = { 0F BF ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 89 ?? C7 ?? ?? ?? ?? ?? ?? ?? E9 } - $block_24 = { 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 89 ?? ?? ?? 83 ?? ?? ?? ?? 0F 85 } - $block_25 = { 0F BF ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 89 ?? C7 ?? ?? ?? ?? ?? ?? ?? EB } - $block_26 = { 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? ?? 83 ?? ?? ?? ?? 0F 85 } - $block_27 = { 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 0F 84 } - $block_28 = { FF 1? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 81 B? ?? ?? ?? ?? ?? ?? ?? ?? ?? 0F 85 } - $block_29 = { 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 0F 85 } - $block_30 = { 33 ?? 48 ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? ?? 83 ?? ?? ?? ?? 0F 85 } - $block_31 = { 48 ?? ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 0F B6 ?? ?? ?? ?? ?? ?? 83 ?? ?? 75 } - $block_32 = { B2 ?? 48 ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? ?? 0F 85 } - $block_33 = { 0F BE ?? ?? ?? 8B ?? 48 ?? ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 74 } - $block_34 = { 48 ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 8B ?? ?? ?? 39 ?? ?? 0F 85 } - $block_35 = { 0F B7 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? FF 9? ?? ?? ?? ?? 66 ?? ?? ?? ?? EB } - $block_36 = { 48 ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 0F B7 ?? ?? 85 ?? 74 } - $block_37 = { 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 } - $block_38 = { 0F B6 ?? ?? ?? B9 ?? ?? ?? ?? 2B ?? 8B ?? 0F B6 ?? ?? ?? 03 ?? 8B ?? 88 } - $block_39 = { 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 8B ?? ?? 8B ?? ?? 2B ?? 3B ?? ?? ?? 0F 87 } - $block_40 = { 8B ?? ?? ?? ?? ?? ?? FF C? 48 ?? 48 ?? ?? ?? ?? 0F BE ?? ?? 85 ?? 75 } - $block_41 = { 0F B7 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 8B ?? ?? ?? 39 ?? ?? ?? 77 } - $block_42 = { 8B ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? 2B ?? 8B ?? 
3D ?? ?? ?? ?? 0F 8C } - $block_43 = { 48 ?? ?? ?? ?? 8B ?? ?? 99 83 ?? ?? 03 ?? C1 ?? ?? 39 ?? ?? ?? 7E } - $block_44 = { 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 0F 84 } - $block_45 = { 0F BE ?? ?? ?? 8B ?? 48 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 74 } - $block_46 = { 48 ?? ?? ?? ?? 0F B6 ?? 88 ?? ?? ?? 0F B6 ?? ?? ?? 83 ?? ?? 75 } - $block_47 = { B2 ?? 48 ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? 85 ?? 75 } - $block_48 = { 0F B6 ?? ?? ?? ?? ?? ?? 88 ?? ?? ?? 0F B6 ?? ?? ?? 85 ?? 0F 84 } - $block_49 = { 8B ?? ?? ?? FF C? 89 ?? ?? ?? 0F B7 ?? ?? ?? 39 ?? ?? ?? 0F 83 } - $block_50 = { 0F B7 ?? ?? ?? ?? ?? ?? 0F B7 ?? ?? ?? ?? ?? ?? 3B ?? 0F 85 } - $block_51 = { 8B ?? ?? ?? FF C? 48 ?? 48 ?? ?? ?? ?? 0F BE ?? ?? 85 ?? 75 } - $block_52 = { 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 0F 84 } - $block_53 = { 48 ?? ?? ?? ?? ?? ?? ?? 8B ?? ?? 39 ?? ?? ?? ?? ?? ?? 0F 83 } - $block_54 = { 48 ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? 83 ?? ?? 75 } - $block_55 = { 0F B7 ?? ?? ?? ?? ?? ?? 0F B7 ?? ?? ?? ?? ?? ?? 3B ?? 75 } - $block_56 = { 0F B7 ?? ?? ?? ?? ?? ?? 0F B7 ?? ?? ?? ?? ?? ?? 3B ?? 7F } - $block_57 = { 8B ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? 2B ?? 8B ?? 85 ?? 0F 85 } - $block_58 = { 8B ?? ?? ?? 8B ?? ?? ?? ?? ?? ?? 2B ?? 8B ?? 85 ?? 0F 8E } - $block_59 = { 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? 48 ?? ?? 0F 85 } - $block_60 = { 0F B7 ?? ?? ?? ?? ?? ?? 0F B7 ?? ?? ?? ?? ?? ?? 3B ?? 7D } - $block_61 = { 48 ?? ?? ?? ?? ?? ?? ?? 0F B7 ?? ?? 3D ?? ?? ?? ?? 74 } - $block_62 = { 48 ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? 0F 85 } - $block_63 = { 48 ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? 0F 86 } - $block_64 = { 33 ?? 8B ?? ?? ?? F7 ?? ?? ?? FF C? 0F AF ?? ?? ?? 89 } - $block_65 = { B2 ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? 85 ?? 75 } - $block_66 = { 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 8B ?? ?? 39 ?? ?? 0F 83 } - $block_67 = { 8B ?? ?? ?? 8B ?? ?? ?? FF C? 89 ?? ?? ?? 85 ?? 0F 84 } - $block_68 = { 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 
?? ?? ?? 0F 85 } - $block_69 = { 48 ?? ?? ?? ?? ?? ?? ?? 0F B7 ?? ?? 3D ?? ?? ?? ?? 75 } - $block_70 = { 8B ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 0F 85 } - $block_71 = { 0F B7 ?? ?? ?? 48 ?? ?? ?? ?? 0F B7 ?? ?? 3B ?? 7D } - $block_72 = { 48 ?? ?? ?? ?? ?? ?? ?? 0F B7 ?? 39 ?? ?? ?? 0F 85 } - $block_73 = { 8B ?? ?? ?? 48 ?? ?? ?? ?? 0F BE ?? ?? 85 ?? 0F 85 } - $block_74 = { 0F B7 ?? ?? ?? ?? ?? ?? 25 ?? ?? ?? ?? 85 ?? 0F 84 } - $block_75 = { 48 ?? ?? ?? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 0F 85 } - $block_76 = { 48 ?? ?? ?? ?? 48 ?? ?? 83 ?? ?? ?? ?? ?? ?? 0F 85 } - $block_77 = { 48 ?? ?? ?? ?? ?? ?? ?? 0F BE ?? ?? 83 ?? ?? 74 } - $block_78 = { 8B ?? ?? ?? ?? ?? ?? 0F BE ?? ?? ?? 83 ?? ?? 74 } - $block_79 = { 48 ?? ?? ?? ?? ?? ?? ?? 0F B7 ?? ?? 83 ?? ?? 75 } - $block_80 = { 8B ?? ?? ?? ?? ?? ?? 39 ?? ?? ?? ?? ?? ?? 0F 83 } - $block_81 = { 8B ?? ?? ?? ?? ?? ?? 39 ?? ?? ?? ?? ?? ?? 0F 8D } - $block_82 = { 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? 0F 85 } - $block_83 = { 48 ?? ?? ?? ?? ?? ?? ?? 0F BE ?? ?? 83 ?? ?? 75 } - $block_84 = { B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F B6 ?? 85 ?? 74 } - - condition: - hash.sha256(0, filesize) == "9184be433426f5c9fe8ce27e8df89d7849c6af61779a3835c89ad46815abe839" or - 24 of them -} - -rule UroburosCVE20083431 { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { 8B ?? ?? 8B ?? ?? 8B ?? ?? 6A ?? 68 ?? ?? ?? ?? 5? 5? 5? FF 1? ?? ?? ?? ?? 89 ?? ?? 85 ?? 0F 84 } - $block_1 = { 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 8B ?? 0F 85 } - $block_2 = { 0F B6 ?? ?? 0F B6 ?? C1 ?? ?? C1 ?? ?? 03 ?? 2B ?? 83 ?? ?? 3B ?? 0F 84 } - $block_3 = { 8B ?? 99 F7 ?? ?? ?? ?? ?? 4? 8A ?? ?? 30 ?? ?? ?? 3B ?? ?? ?? ?? ?? 72 } - $block_4 = { 5? 8B ?? 83 ?? ?? 5? 5? 8B ?? ?? B8 ?? ?? ?? ?? 33 ?? 66 ?? ?? 0F 85 } - $block_5 = { 8A ?? 88 ?? 8A ?? ?? 88 ?? ?? 8A ?? ?? 88 ?? ?? 8B ?? ?? 5? 5? C9 C3 } - $block_6 = { 5? 8B ?? 8B ?? ?? BA ?? ?? ?? ?? 83 ?? ?? 33 ?? 66 ?? ?? 
0F 85 } - $block_7 = { 48 ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 8B ?? 0F 85 } - $block_8 = { 8A ?? 88 ?? 8A ?? ?? 88 ?? ?? 8B ?? ?? 5? 5? C9 C3 } - $block_9 = { 0F B7 ?? 48 ?? ?? ?? 66 ?? ?? 66 ?? ?? ?? ?? 75 } - $block_10 = { 8B ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 4C ?? ?? 0F 84 } - - condition: - hash.sha256(0, filesize) == "8afa5f4d3cf330b44266b49c480ad4136c367fdb3c5bbca9db577a6ea6321aba" or - hash.sha256(0, filesize) == "2233dd70fe18f92d398e0f9265714255af1f3431ed512fd5ea174c7630df1fe4" or - hash.sha256(0, filesize) == "38b10be0618576f4a2285362b7576975f997980f1120e9d6470654f48503c179" or - hash.sha256(0, filesize) == "8f4f4c3469235da8c371cdbf3de0d81e31f71d5648da1fdfc76ad2290178836a" or - 11 of them -} - -rule GazerOrchestrator_x32_ { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { 8B ?? ?? 8B ?? 05 ?? ?? ?? ?? 5? FF 3? 8B ?? ?? 6A ?? FF 3? FF 1? ?? ?? ?? ?? 89 ?? 85 ?? 0F 84 } - $block_1 = { 8B ?? ?? 4? 89 ?? ?? 8D ?? ?? 5? 5? 5? 5? 68 ?? ?? ?? ?? FF 7? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 } - $block_2 = { FF 3? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8A ?? ?? 83 ?? ?? 5? 5? C9 C3 } - $block_3 = { 8D ?? ?? E8 ?? ?? ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 8B ?? 5? 5? 5? C9 C3 } - $block_4 = { 8B ?? ?? 83 ?? ?? ?? ?? 83 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_5 = { 5? FF 7? ?? 6A ?? 5? 5? 68 ?? ?? ?? ?? FF 7? ?? ?? FF 1? ?? ?? ?? ?? 89 ?? ?? 83 ?? ?? 0F 84 } - $block_6 = { 2B ?? 33 ?? 8B ?? F7 ?? 8B ?? 0F AF ?? 2B ?? 0F B7 ?? ?? C1 ?? ?? 0B ?? 0F B7 ?? 8B ?? 0F AF } - $block_7 = { 5? FF 1? ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? FF 7? ?? FF 1? ?? ?? ?? ?? 89 ?? ?? ?? 3B ?? 0F 84 } - $block_8 = { 8D ?? ?? 5? FF 7? ?? 8B ?? 5? FF 7? ?? E8 ?? ?? ?? ?? 8B ?? ?? 33 ?? 4? 83 ?? ?? 3B ?? 0F 86 } - $block_9 = { 8B ?? ?? ?? ?? ?? 03 ?? 5? FF D? FF 1? ?? ?? ?? ?? 0F AF ?? 5? FF D? 5? 5? 5? B0 ?? 5? C9 C2 } - $block_10 = { 0F B6 ?? 5? 68 ?? ?? ?? ?? 68 ?? ?? 
?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 5? 5? 8A ?? 5? C9 C2 } - $block_11 = { 8B ?? 8B ?? ?? 83 ?? ?? 5? FF 3? 8B ?? ?? 6A ?? FF 3? FF 1? ?? ?? ?? ?? 89 ?? 85 ?? 0F 84 } - $block_12 = { FF 7? ?? FF D? 5? 8D ?? ?? ?? 5? 6A ?? FF 7? ?? FF 1? ?? ?? ?? ?? 89 ?? ?? ?? 3B ?? 0F 84 } - $block_13 = { FF 7? ?? 89 ?? ?? FF 1? ?? ?? ?? ?? 6A ?? 6A ?? 8D ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_14 = { 68 ?? ?? ?? ?? 6A ?? FF 7? ?? C7 ?? ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 8B ?? 3B ?? 0F 84 } - $block_15 = { 8B ?? ?? ?? ?? ?? 83 ?? ?? ?? BB ?? ?? ?? ?? 5? 6A ?? FF 7? ?? FF D? 89 ?? ?? 85 ?? 0F 84 } - $block_16 = { 5? 8B ?? 5? 5? 5? 5? 8B ?? 8D ?? ?? 5? FF 7? ?? 33 ?? 89 ?? ?? E8 ?? ?? ?? ?? 84 ?? 0F 84 } - $block_17 = { 8B ?? ?? ?? 8B ?? ?? 8B ?? 89 ?? ?? ?? 8B ?? ?? ?? 03 ?? 8B ?? 89 ?? ?? ?? 3B ?? 0F 87 } - $block_18 = { 5? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? 5? C9 C2 } - $block_19 = { 8B ?? ?? 83 ?? ?? 5? 6A ?? FF 3? 89 ?? ?? FF 1? ?? ?? ?? ?? 8B ?? 89 ?? ?? 85 ?? 0F 84 } - $block_20 = { 5? 5? 8B ?? ?? ?? ?? ?? BD ?? ?? ?? ?? 5? 6A ?? FF 7? ?? FF D? 89 ?? ?? ?? 85 ?? 0F 84 } - $block_21 = { 8D ?? ?? ?? 5? 68 ?? ?? ?? ?? 5? FF 1? 8B ?? 8B ?? ?? ?? 8B ?? 5? FF 5? ?? 3B ?? 0F 8C } - $block_22 = { 8B ?? 83 ?? ?? 8B ?? 8D ?? ?? ?? A5 A5 A5 8B ?? A3 ?? ?? ?? ?? A5 FF 5? ?? 84 ?? 0F 84 } - $block_23 = { 8B ?? ?? ?? 8B ?? 6A ?? 5? 5? FF 5? ?? 8B ?? 8B ?? ?? ?? 8B ?? 5? FF 5? ?? 3B ?? 0F 9D } - $block_24 = { 8B ?? ?? FF 0? 8B ?? ?? 6A ?? 6A ?? FF 3? FF 1? ?? ?? ?? ?? 8B ?? 89 ?? ?? 85 ?? 0F 84 } - $block_25 = { 8D ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? 8D ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 85 } - $block_26 = { 5? 5? 6A ?? 5? 6A ?? 68 ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 89 ?? ?? ?? 83 ?? ?? 0F 84 } - $block_27 = { 8B ?? ?? ?? ?? ?? 8B ?? 83 ?? ?? 8B ?? 8D ?? ?? ?? A5 A5 A5 A5 FF 5? ?? 84 ?? 0F 84 } - $block_28 = { 8B ?? ?? 8B ?? 8B ?? ?? ?? ?? ?? 8D ?? ?? 8D ?? ?? A5 A5 A5 A5 89 ?? ?? 3B ?? 0F 85 } - $block_29 = { 5? 5? 8B ?? ?? ?? ?? ?? BB ?? 
?? ?? ?? 5? 6A ?? FF 7? ?? FF D? 89 ?? ?? 85 ?? 0F 84 } - $block_30 = { 8B ?? ?? 8B ?? 8B ?? ?? FF 0? 6A ?? 6A ?? FF 3? FF D? 8B ?? 89 ?? ?? ?? 85 ?? 0F 84 } - $block_31 = { 8B ?? ?? ?? 8B ?? ?? ?? 8B ?? ?? ?? ?? ?? 03 ?? 89 ?? ?? ?? 89 ?? ?? ?? 3B ?? 0F 83 } - $block_32 = { FF 7? ?? ?? 8B ?? FF 3? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? FF 5? ?? 84 ?? 0F 85 } - $block_33 = { 5? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 5? 5? 8B ?? 5? C9 C2 } - $block_34 = { 0F B6 ?? ?? 5? 68 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? C9 C2 } - $block_35 = { 8B ?? ?? ?? ?? ?? 8B ?? 83 ?? ?? 8B ?? 8D ?? ?? ?? A5 A5 A5 A5 FF 5? ?? 84 ?? 74 } - $block_36 = { 83 ?? ?? ?? 83 ?? ?? ?? 5? FF 7? ?? 8D ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 84 ?? 0F 84 } - $block_37 = { 8B ?? ?? 83 ?? ?? 5? 6A ?? FF 7? ?? FF 1? ?? ?? ?? ?? 8B ?? ?? 89 ?? 85 ?? 0F 84 } - $block_38 = { FF 7? ?? 8B ?? ?? 5? FF 7? ?? FF 1? ?? ?? ?? ?? FF 4? ?? 8B ?? ?? 3B ?? ?? 0F 82 } - $block_39 = { 8B ?? ?? ?? 8D ?? ?? ?? 8B ?? 89 ?? ?? ?? 8B ?? ?? 89 ?? ?? ?? 3B ?? ?? ?? 0F 86 } - $block_40 = { 8D ?? ?? 5? 5? 33 ?? 5? 68 ?? ?? ?? ?? FF 7? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 } - $block_41 = { 8B ?? ?? 8B ?? ?? C1 ?? ?? 5? 8D ?? ?? E8 ?? ?? ?? ?? 5? 89 ?? ?? 85 ?? 0F 85 } - $block_42 = { 8B ?? 6B ?? ?? 8D ?? ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 5? 89 ?? ?? 85 ?? 0F 85 } - $block_43 = { 5? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 8B ?? 5? 5? C9 C2 } - $block_44 = { 8D ?? ?? 5? 8D ?? ?? 5? 8D ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 85 } - $block_45 = { 8B ?? ?? 8B ?? ?? 83 ?? ?? 5? 8B ?? ?? 6A ?? FF 7? ?? FF D? 8B ?? 85 ?? 0F 84 } - $block_46 = { 6A ?? 6A ?? FF 3? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? 85 ?? 0F 84 } - $block_47 = { 8B ?? ?? 03 ?? ?? 6A ?? 68 ?? ?? ?? ?? FF 7? ?? 5? FF D? 89 ?? ?? 85 ?? 0F 84 } - $block_48 = { 8B ?? 6A ?? 8B ?? FF 1? 6A ?? 8D ?? ?? 6A ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 } - $block_49 = { 8B ?? ?? 03 ?? 5? 6A ?? FF 7? ?? FF 1? ?? ?? ?? ?? 8B ?? 89 ?? ?? 
3B ?? 0F 84 } - $block_50 = { 8B ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? FF 7? ?? FF D? 8B ?? 33 ?? 3B ?? 0F 84 } - $block_51 = { 8D ?? ?? ?? 5? FF 7? ?? ?? 5? 6A ?? FF 7? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_52 = { FF 4? ?? 81 6? ?? ?? ?? ?? ?? FF 4? ?? 29 ?? ?? 4? 83 ?? ?? ?? 89 ?? ?? 0F 8F } - $block_53 = { 8B ?? ?? 8B ?? ?? ?? ?? ?? 03 ?? 5? 6A ?? FF 7? ?? FF D? 89 ?? ?? 3B ?? 0F 84 } - $block_54 = { 5? 8B ?? 83 ?? ?? 83 ?? ?? ?? 5? 8B ?? ?? 5? 8B ?? 89 ?? ?? 89 ?? ?? 0F 84 } - $block_55 = { 8B ?? ?? 6A ?? 6A ?? FF 7? ?? FF 1? ?? ?? ?? ?? 8B ?? 89 ?? ?? 3B ?? 0F 84 } - $block_56 = { 8D ?? ?? ?? 5? 6A ?? 6A ?? 6A ?? FF 7? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 } - $block_57 = { FF 7? ?? 8B ?? ?? FF 7? ?? 8D ?? ?? E8 ?? ?? ?? ?? 8B ?? 5? 5? 85 ?? 0F 85 } - $block_58 = { 8B ?? ?? ?? FF 4? ?? FF 4? ?? ?? 8B ?? ?? ?? 8B ?? 8B ?? ?? ?? 3B ?? 0F 82 } - $block_59 = { 8D ?? ?? 5? 6A ?? 5? 68 ?? ?? ?? ?? FF 7? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 } - $block_60 = { 8D ?? ?? E8 ?? ?? ?? ?? 8B ?? 8D ?? ?? E8 ?? ?? ?? ?? 8B ?? 85 ?? 0F 85 } - $block_61 = { 8D ?? ?? 5? 5? 5? 68 ?? ?? ?? ?? FF 7? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 } - $block_62 = { 6A ?? 8D ?? ?? 5? 8D ?? ?? 5? 8D ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 } - $block_63 = { FF 3? 8D ?? ?? 5? 8D ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 83 ?? ?? 85 ?? 0F 85 } - $block_64 = { FF 7? ?? FF 7? ?? FF 1? ?? ?? ?? ?? 8B ?? 0F AF ?? FF 4? ?? 39 ?? ?? 7C } - $block_65 = { 5? 8B ?? 83 ?? ?? 33 ?? 83 ?? ?? 5? 5? 89 ?? ?? 89 ?? ?? 89 ?? ?? 0F 84 } - $block_66 = { 8B ?? ?? ?? ?? ?? FF 3? ?? ?? ?? ?? 8B ?? FF 9? ?? ?? ?? ?? 84 ?? 0F 84 } - $block_67 = { 5? 5? 8B ?? ?? 5? 8D ?? ?? A5 33 ?? 66 ?? 66 ?? ?? ?? 4? 66 ?? ?? ?? 75 } - $block_68 = { FF 7? ?? FF 1? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? 89 ?? ?? 3B ?? 0F 84 } - $block_69 = { 8D ?? ?? 5? 8D ?? ?? 5? 8D ?? ?? E8 ?? ?? ?? ?? 8B ?? 5? 5? 85 ?? 0F 85 } - $block_70 = { 5? 6A ?? FF 7? ?? FF D? 8B ?? ?? ?? 8B ?? 8B ?? 8B ?? ?? 3B ?? ?? 0F 85 } - $block_71 = { 83 ?? ?? 8B ?? 8D ?? ?? ?? 
A5 A5 A5 89 ?? ?? 8B ?? A5 FF 5? ?? 84 ?? 75 } - $block_72 = { 8D ?? ?? ?? 5? 6A ?? FF 1? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_73 = { 8B ?? ?? ?? 83 ?? ?? 8D ?? ?? ?? A5 A5 A5 8B ?? ?? ?? 33 ?? 2B ?? 0F 84 } - $block_74 = { 8B ?? ?? 33 ?? 89 ?? ?? 8B ?? ?? ?? ?? ?? 89 ?? ?? 89 ?? ?? 3B ?? 0F 8E } - $block_75 = { FF 4? ?? FF 7? ?? FF 1? ?? ?? ?? ?? FF 4? ?? 8B ?? ?? 3B ?? ?? 0F 82 } - $block_76 = { 89 ?? ?? 8B ?? 89 ?? ?? 8D ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 8F } - $block_77 = { 8B ?? ?? ?? 8B ?? 6A ?? 5? 5? FF 5? ?? 85 ?? 8B ?? ?? ?? 8B ?? 0F 88 } - $block_78 = { 5? 5? 5? 5? 5? FF 7? ?? FF 1? ?? ?? ?? ?? 8B ?? ?? 33 ?? 3B ?? 0F 84 } - $block_79 = { 8B ?? ?? ?? 83 ?? ?? 8D ?? ?? ?? A5 A5 A5 8B ?? ?? ?? 83 ?? ?? 0F 84 } - $block_80 = { 5? FF D? 5? 8D ?? ?? ?? 5? 6A ?? FF 7? ?? FF D? 89 ?? ?? 85 ?? 0F 84 } - $block_81 = { FF 1? ?? ?? ?? ?? 8D ?? ?? 5? FF 7? ?? 5? E8 ?? ?? ?? ?? 84 ?? 0F 84 } - $block_82 = { 8D ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? A5 A5 A5 A5 8B ?? ?? ?? 33 ?? 4? } - $block_83 = { 8B ?? ?? 6A ?? 6A ?? FF 3? FF 1? ?? ?? ?? ?? 89 ?? ?? 85 ?? 0F 84 } - $block_84 = { 8B ?? ?? 8B ?? 8D ?? ?? ?? 5? 68 ?? ?? ?? ?? 5? FF 1? 85 ?? 0F 88 } - $block_85 = { 8B ?? 89 ?? ?? 8B ?? ?? 8B ?? 83 ?? ?? ?? 83 ?? ?? 8D ?? ?? 0F 86 } - $block_86 = { FF D? 8B ?? FF D? 0F AF ?? 83 ?? ?? ?? 89 ?? ?? 8B ?? ?? 85 ?? 7E } - $block_87 = { 8D ?? ?? 8B ?? E8 ?? ?? ?? ?? 8B ?? ?? 8B ?? 8B ?? ?? 0F AF ?? 89 } - $block_88 = { 5? 8B ?? 83 ?? ?? 8B ?? ?? 83 ?? ?? ?? 5? 5? 5? C6 ?? ?? ?? 0F 84 } - $block_89 = { 8D ?? ?? 5? 8D ?? ?? 5? FF 7? ?? 8B ?? E8 ?? ?? ?? ?? 84 ?? 0F 84 } - $block_90 = { 8D ?? ?? 5? FF 7? ?? FF 1? ?? ?? ?? ?? 81 7? ?? ?? ?? ?? ?? 0F 85 } - $block_91 = { 8B ?? ?? ?? ?? ?? 8D ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 84 ?? 0F 84 } - $block_92 = { 5? 8D ?? ?? ?? 5? 8D ?? ?? ?? 5? 5? E8 ?? ?? ?? ?? 84 ?? 0F 84 } - $block_93 = { FF 7? ?? FF 3? E8 ?? ?? ?? ?? 33 ?? 5? 5? 89 ?? ?? 3B ?? 0F 84 } - $block_94 = { 8B ?? ?? ?? ?? ?? 6A ?? 6A ?? 8D ?? ?? 5? FF D? 83 ?? ?? 
0F 84 } - $block_95 = { 8B ?? ?? 8D ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? 89 ?? ?? 3B ?? 0F 86 } - $block_96 = { 8D ?? ?? 5? 8D ?? ?? 5? E8 ?? ?? ?? ?? 8B ?? 5? 5? 85 ?? 0F 85 } - $block_97 = { 2B ?? 5? 8D ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 8B ?? 5? 85 ?? 0F 85 } - $block_98 = { 68 ?? ?? ?? ?? FF 7? ?? ?? FF 1? ?? ?? ?? ?? 5? 5? 85 ?? 0F 84 } - $block_99 = { 8B ?? ?? FF 4? ?? FF 4? ?? 8B ?? ?? 8B ?? 8B ?? ?? 3B ?? 0F 82 } - - condition: - hash.sha256(0, filesize) == "09da9e80e4554be5c2734ced0e70a6a08eb9ddacb8c1d9155c44ad8f0cbad8d2" or - 12 of them -} - -rule CarbonOrchestrator_v3_71_ { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { E8 ?? ?? ?? ?? 45 ?? ?? 48 ?? ?? ?? ?? ?? ?? 45 ?? ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 41 ?? ?? 0F 85 } - $block_1 = { BF ?? ?? ?? ?? 44 ?? ?? 4C ?? ?? ?? ?? ?? ?? ?? 49 ?? ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 3B ?? 0F 85 } - $block_2 = { 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 8B ?? 0F 85 } - $block_3 = { 44 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? 41 ?? ?? ?? 49 ?? ?? E8 ?? ?? ?? ?? 3B ?? 0F 84 } - $block_4 = { 4C ?? ?? ?? ?? 48 ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 40 ?? ?? 0F 84 } - $block_5 = { 45 ?? ?? 45 ?? ?? 48 ?? ?? 41 ?? ?? ?? 4C ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 49 ?? ?? 48 ?? ?? 0F 84 } - $block_6 = { 48 ?? ?? ?? ?? 49 ?? ?? ?? 41 ?? ?? ?? ?? ?? 4D ?? ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 3B ?? 0F 85 } - $block_7 = { 8B ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? 83 ?? ?? 83 ?? ?? 89 ?? ?? ?? ?? ?? ?? 0F 8C } - $block_8 = { 41 ?? ?? 41 ?? ?? 41 ?? ?? 41 ?? ?? 3B ?? 0F 4C ?? 41 ?? ?? 2B ?? 83 ?? ?? 85 ?? 48 ?? ?? 7E } - $block_9 = { 89 ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? 99 83 ?? ?? 03 ?? 83 ?? ?? 2B ?? 49 ?? ?? 8D ?? ?? ?? 75 } - $block_10 = { 48 ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 33 ?? 8B ?? FF 1? ?? ?? ?? ?? 49 ?? ?? 0F 84 } - $block_11 = { 44 ?? ?? ?? 8B ?? ?? ?? 49 ?? ?? 4C ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? 
?? ?? 85 ?? 0F 85 } - $block_12 = { 41 ?? ?? ?? ?? ?? 4C ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 } - $block_13 = { 41 ?? ?? 44 ?? ?? 41 ?? ?? 45 ?? ?? 41 ?? ?? 41 ?? ?? 0F 4C ?? 8B ?? 2B ?? 85 ?? 48 ?? ?? 7E } - $block_14 = { 48 ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? E8 ?? ?? ?? ?? 45 ?? ?? 41 ?? ?? 0F 85 } - $block_15 = { 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 40 ?? ?? 0F 84 } - $block_16 = { 48 ?? ?? ?? ?? ?? ?? 4D ?? ?? 8B ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? 48 ?? ?? ?? ?? 0F 84 } - $block_17 = { 48 ?? ?? ?? ?? ?? ?? BA ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 40 ?? ?? ?? 85 ?? 0F 44 ?? 40 ?? ?? 75 } - $block_18 = { 41 ?? ?? ?? ?? ?? 4C ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 3B ?? 0F 85 } - $block_19 = { 8B ?? ?? 8B ?? E8 ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? 44 ?? ?? ?? ?? ?? ?? ?? 0F BA ?? ?? 8B ?? 73 } - $block_20 = { 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 8B ?? E8 ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? ?? 0F 85 } - $block_21 = { 4C ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 41 ?? ?? 0F 84 } - $block_22 = { 8B ?? 45 ?? ?? 45 ?? ?? 99 4C ?? ?? F7 ?? 41 ?? ?? ?? 44 ?? ?? 85 ?? 4C ?? ?? 4C ?? ?? 7E } - $block_23 = { 8B ?? 33 ?? 45 ?? ?? 21 ?? ?? ?? 99 45 ?? ?? 45 ?? ?? 4D ?? ?? 41 ?? ?? 85 ?? 4C ?? ?? 7E } - $block_24 = { 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 45 ?? ?? 29 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 0F 85 } - $block_25 = { 8D ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 0F 84 } - $block_26 = { 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? 0F 84 } - $block_27 = { 41 ?? ?? ?? E8 ?? ?? ?? ?? 41 ?? ?? ?? 2B ?? 99 83 ?? ?? F7 ?? 8D ?? ?? 48 ?? ?? ?? ?? EB } - $block_28 = { FF 1? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 45 ?? ?? 8B ?? 8B ?? E8 ?? ?? ?? ?? 83 ?? ?? 0F 84 } - $block_29 = { 33 ?? 48 ?? ?? 49 ?? ?? 66 ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 0F B7 ?? ?? ?? ?? ?? 
66 } - $block_30 = { 48 ?? ?? ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? 48 ?? ?? FF 1? ?? ?? ?? ?? 33 ?? 85 ?? 0F 95 ?? 89 } - $block_31 = { 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 44 ?? ?? ?? 4C ?? ?? ?? ?? 4C ?? ?? ?? 0F 85 } - $block_32 = { 48 ?? ?? ?? ?? ?? ?? 4C ?? ?? BA ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? 0F 84 } - $block_33 = { 48 ?? ?? B8 ?? ?? ?? ?? 83 ?? ?? ?? 0F 45 ?? 48 ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? ?? 83 } - $block_34 = { 48 ?? ?? ?? ?? ?? ?? 45 ?? ?? BA ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? 0F 84 } - $block_35 = { E8 ?? ?? ?? ?? 48 ?? ?? ?? 33 ?? 48 ?? ?? ?? ?? ?? ?? ?? F2 ?? 48 ?? ?? 48 ?? ?? 0F 84 } - $block_36 = { 8B ?? ?? ?? ?? ?? 48 ?? ?? ?? 8D ?? ?? 41 ?? ?? ?? 3B ?? 48 ?? ?? ?? ?? ?? ?? ?? 0F 8C } - $block_37 = { 44 ?? ?? 4C ?? ?? 33 ?? 48 ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 } - $block_38 = { 48 ?? ?? ?? ?? 45 ?? ?? 48 ?? ?? ?? ?? ?? ?? 45 ?? ?? ?? E8 ?? ?? ?? ?? 41 ?? ?? 0F 85 } - $block_39 = { 48 ?? ?? ?? ?? ?? ?? 49 ?? ?? ?? 33 ?? 48 ?? ?? 49 ?? ?? F2 ?? 48 ?? ?? 49 ?? ?? 0F 84 } - $block_40 = { 45 ?? ?? 4C ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 3B ?? 0F 85 } - $block_41 = { 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? FF 1? ?? ?? ?? ?? 49 ?? ?? 0F 84 } - $block_42 = { 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 49 ?? ?? 48 ?? ?? 0F 84 } - $block_43 = { 44 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 41 ?? ?? ?? 0F B6 ?? ?? 2B ?? ?? ?? ?? ?? ?? 75 } - $block_44 = { 48 ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 33 ?? 44 ?? ?? FF 1? ?? ?? ?? ?? 49 ?? ?? 0F 84 } - $block_45 = { 49 ?? ?? ?? 33 ?? 48 ?? ?? 49 ?? ?? 66 ?? ?? 48 ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 0F 82 } - $block_46 = { 48 ?? ?? ?? ?? ?? ?? 33 ?? 48 ?? ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 49 ?? ?? 0F 84 } - $block_47 = { E8 ?? ?? ?? ?? 33 ?? 48 ?? ?? ?? ?? ?? ?? ?? 49 ?? ?? F2 ?? 48 ?? ?? 49 ?? ?? 0F 84 } - $block_48 = { 48 ?? ?? ?? ?? ?? ?? 8B ?? FF 1? ?? ?? ?? ?? 0F B6 ?? 85 ?? 0F 44 ?? 40 ?? ?? 
0F 85 } - $block_49 = { 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 0F 84 } - $block_50 = { E8 ?? ?? ?? ?? 8B ?? 48 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? 0F 84 } - $block_51 = { 48 ?? ?? ?? ?? ?? ?? 33 ?? FF 1? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ?? 48 ?? ?? 0F 84 } - $block_52 = { 49 ?? ?? 8B ?? 48 ?? ?? ?? 83 ?? ?? 0F A3 ?? ?? 41 ?? ?? 44 ?? ?? ?? 41 ?? ?? 79 } - $block_53 = { 33 ?? 48 ?? ?? FF 1? ?? ?? ?? ?? 45 ?? ?? 45 ?? ?? 41 ?? ?? 8B ?? 48 ?? ?? 0F 86 } - $block_54 = { 45 ?? ?? 49 ?? ?? 45 ?? ?? 49 ?? ?? 4C ?? ?? ?? ?? 48 ?? ?? ?? ?? 4C ?? ?? 0F 8E } - $block_55 = { 48 ?? ?? ?? 45 ?? ?? 41 ?? ?? ?? ?? ?? 49 ?? ?? FF 1? ?? ?? ?? ?? 83 ?? ?? 0F 84 } - $block_56 = { 48 ?? ?? ?? ?? ?? ?? 44 ?? ?? 8B ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? 0F 84 } - $block_57 = { 8B ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 3C ?? 0F 85 } - $block_58 = { 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 49 ?? ?? 0F 84 } - $block_59 = { 41 ?? ?? ?? ?? ?? 4C ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 3B ?? 0F 85 } - $block_60 = { 48 ?? ?? ?? ?? ?? ?? 4D ?? ?? 8B ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? 0F 84 } - $block_61 = { 48 ?? ?? ?? ?? ?? ?? 4D ?? ?? 8B ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 4C ?? ?? 0F 84 } - $block_62 = { 48 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? 45 ?? ?? FF 1? ?? ?? ?? ?? 41 ?? ?? 0F 85 } - $block_63 = { 4D ?? ?? ?? ?? 4C ?? ?? ?? ?? ?? ?? 48 ?? ?? 8B ?? E8 ?? ?? ?? ?? 3B ?? 0F 85 } - $block_64 = { 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 3B ?? 0F 85 } - $block_65 = { 41 ?? ?? B9 ?? ?? ?? ?? 2B ?? 3B ?? 0F 4C ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 74 } - $block_66 = { 8B ?? ?? ?? ?? ?? ?? 8D ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? 0F 84 } - $block_67 = { 48 ?? ?? ?? ?? ?? ?? 33 ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 33 ?? 48 ?? ?? 0F 85 } - $block_68 = { 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 } - $block_69 = { 48 ?? ?? ?? ?? 41 ?? ?? ?? ?? ?? 49 ?? ?? 45 ?? 
?? 41 ?? ?? 48 ?? ?? 0F 84 } - $block_70 = { 48 ?? ?? ?? ?? ?? ?? 33 ?? 4C ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 0F 84 } - $block_71 = { 33 ?? 49 ?? ?? 48 ?? ?? F2 ?? 48 ?? ?? 49 ?? ?? 49 ?? ?? 49 ?? ?? 0F 85 } - $block_72 = { 48 ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? FF 1? ?? ?? ?? ?? 41 ?? ?? 0F 85 } - $block_73 = { 33 ?? 49 ?? ?? 48 ?? ?? F2 ?? 48 ?? ?? 49 ?? ?? 49 ?? ?? 48 ?? ?? 0F 85 } - $block_74 = { 48 ?? ?? ?? 48 ?? ?? ?? ?? 8B ?? ?? 89 ?? ?? ?? 8B ?? ?? 39 ?? ?? 0F 8F } - $block_75 = { 49 ?? ?? ?? 33 ?? 48 ?? ?? ?? ?? 49 ?? ?? F2 ?? 48 ?? ?? 49 ?? ?? 0F 84 } - $block_76 = { 8B ?? 89 ?? ?? ?? 4C ?? ?? ?? ?? ?? ?? 99 33 ?? 2B ?? 3D ?? ?? ?? ?? 7F } - $block_77 = { 48 ?? ?? ?? ?? ?? ?? 33 ?? FF 1? ?? ?? ?? ?? 49 ?? ?? 48 ?? ?? 0F 84 } - $block_78 = { 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 0F 84 } - $block_79 = { 48 ?? ?? ?? ?? ?? ?? ?? 49 ?? ?? E8 ?? ?? ?? ?? 41 ?? ?? 8B ?? 0F 85 } - $block_80 = { 48 ?? ?? ?? E8 ?? ?? ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 85 ?? 8B ?? 0F 85 } - $block_81 = { C6 ?? ?? ?? ?? ?? ?? ?? 0F B7 ?? ?? 66 ?? ?? ?? ?? 48 ?? ?? ?? ?? 75 } - $block_82 = { 48 ?? ?? ?? ?? ?? ?? 33 ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? 0F 84 } - $block_83 = { 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? E8 ?? ?? ?? ?? 3B ?? 0F 85 } - $block_84 = { 48 ?? ?? ?? ?? ?? ?? ?? 49 ?? ?? FF 1? ?? ?? ?? ?? 83 ?? ?? 0F 84 } - $block_85 = { BA ?? ?? ?? ?? 48 ?? ?? FF 1? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? 0F 84 } - $block_86 = { 48 ?? ?? ?? ?? 48 ?? ?? ?? ?? 8B ?? E8 ?? ?? ?? ?? 41 ?? ?? 0F 85 } - $block_87 = { 41 ?? ?? 44 ?? ?? ?? ?? 4C ?? ?? ?? ?? ?? ?? ?? 4C ?? ?? 0F 84 } - $block_88 = { 8B ?? ?? ?? 41 ?? ?? ?? ?? 0F BA ?? ?? 83 ?? ?? 41 ?? ?? 0F 8E } - $block_89 = { 48 ?? ?? ?? ?? 48 ?? ?? E8 ?? ?? ?? ?? 45 ?? ?? 41 ?? ?? 0F 84 } - $block_90 = { 48 ?? ?? 33 ?? 48 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 49 ?? ?? 0F 84 } - $block_91 = { 4C ?? ?? ?? ?? ?? ?? ?? 8B ?? E8 ?? ?? ?? ?? 8A ?? 3C ?? 0F 85 } - $block_92 = { 48 ?? ?? 44 ?? ?? ?? ?? ?? ?? ?? 4C ?? ?? ?? ?? ?? ?? ?? 
0F 8F } - $block_93 = { 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? FF 1? ?? ?? ?? ?? 49 ?? ?? 0F 85 } - $block_94 = { 8B ?? 85 ?? 0F 44 ?? C1 ?? ?? 89 ?? ?? 48 ?? ?? ?? 48 ?? ?? 75 } - $block_95 = { 48 ?? ?? ?? 33 ?? 48 ?? ?? ?? ?? F2 ?? 48 ?? ?? 48 ?? ?? 0F 82 } - $block_96 = { 33 ?? 48 ?? ?? ?? ?? 49 ?? ?? F2 ?? 48 ?? ?? 49 ?? ?? 0F 84 } - $block_97 = { 48 ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? 48 ?? ?? ?? ?? ?? ?? 0F 85 } - $block_98 = { 48 ?? ?? ?? ?? 48 ?? ?? 8B ?? E8 ?? ?? ?? ?? 41 ?? ?? 0F 84 } - $block_99 = { 4C ?? ?? ?? ?? ?? ?? ?? 41 ?? ?? E8 ?? ?? ?? ?? 84 ?? 0F 84 } - - condition: - hash.sha256(0, filesize) == "ffb0e35cfab750c8532f7d49deb8a71284fa420660710b8be632dacdd0a5cf45" or - hash.sha256(0, filesize) == "1311759943aabfe55ef2d42677432f14ed8fb549619473e5fb56f8a92d2daf72" or - 24 of them -} - -rule BadRabbitInstaller { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { 5? 8B ?? 81 E? ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 ?? 89 ?? ?? 8B ?? ?? 5? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 33 ?? 5? 5? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_1 = { 5? 8B ?? 83 ?? ?? 5? 5? 33 ?? 5? 5? 6A ?? 5? 6A ?? 68 ?? ?? ?? ?? 5? 89 ?? ?? FF 1? ?? ?? ?? ?? 8B ?? 83 ?? ?? 0F 84 } - $block_2 = { 5? 8B ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 ?? 89 ?? ?? 5? 8B ?? ?? ?? ?? ?? 5? FF D? 8B ?? 85 ?? 0F 84 } - $block_3 = { 8D ?? ?? ?? ?? ?? 5? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? FF D? 5? FF 1? ?? ?? ?? ?? 8B ?? 85 ?? 0F 84 } - $block_4 = { 8D ?? ?? ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 ?? 0F 84 } - $block_5 = { 5? 2B ?? 8B ?? 5? 6A ?? FF 1? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 8B ?? 85 ?? 0F 84 } - $block_6 = { 8B ?? ?? ?? ?? ?? 8B ?? ?? 0F B7 ?? ?? ?? 03 ?? 8D ?? ?? ?? 0F B7 ?? ?? 85 ?? 
7E } - - condition: - hash.sha256(0, filesize) == "630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da" or - 7 of them -} - -rule BadRabbitWiper { - meta: - Author = "Intezer Analyze" - Reference = "https://apt-ecosystem.com" - - strings: - $block_0 = { 8B ?? ?? 8B ?? ?? 8B ?? ?? 0F B7 ?? ?? 0F A4 ?? ?? C1 ?? ?? 89 ?? 89 ?? ?? 8B ?? ?? C1 ?? ?? 89 } - $block_1 = { 5? 5? 5? 6A ?? 5? 5? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 8B ?? 83 ?? ?? 0F 84 } - $block_2 = { 5? 8B ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 5? 5? 5? 33 ?? 89 ?? ?? 89 ?? ?? 89 ?? ?? 39 ?? ?? 0F 84 } - $block_3 = { 69 ?? ?? ?? ?? ?? 5? 5? 8D ?? ?? 5? 33 ?? 39 ?? ?? 0F 95 ?? 4? 5? FF 1? ?? ?? ?? ?? 3B ?? 0F 84 } - $block_4 = { 5? 8B ?? 83 ?? ?? 8B ?? ?? ?? ?? ?? 8B ?? ?? 83 ?? ?? ?? 03 ?? 5? 8B ?? ?? ?? ?? ?? 03 ?? 0F 84 } - $block_5 = { 8D ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? 6A ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_6 = { 8D ?? ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 88 } - $block_7 = { 8B ?? ?? 8D ?? ?? 5? FF 7? ?? 0F B7 ?? 5? FF 7? ?? FF 7? ?? FF 7? ?? E8 ?? ?? ?? ?? 84 ?? 74 } - $block_8 = { 68 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 6A ?? 6A ?? FF D? 5? FF 1? ?? ?? ?? ?? 89 ?? ?? 85 ?? 0F 84 } - $block_9 = { 2B ?? D1 ?? 0F B7 ?? 68 ?? ?? ?? ?? 6A ?? 89 ?? ?? FF D? 5? FF D? 8B ?? 89 ?? ?? 85 ?? 0F 84 } - $block_10 = { 0F B7 ?? ?? 89 ?? ?? 0F B7 ?? ?? 5? FF 1? ?? ?? ?? ?? 8B ?? ?? 0F B7 ?? 83 ?? ?? 3B ?? 0F 87 } - $block_11 = { 8B ?? ?? ?? ?? ?? 83 ?? ?? 5? 6A ?? 89 ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 8B ?? 85 ?? 0F 84 } - $block_12 = { 8D ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? 83 ?? ?? 0F 84 } - $block_13 = { 68 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 6A ?? 6A ?? FF D? 5? FF 1? ?? ?? ?? ?? 8B ?? 85 ?? 0F 84 } - $block_14 = { 68 ?? ?? ?? ?? 8D ?? ?? 5? 0F B7 ?? ?? 6A ?? 03 ?? 5? FF 7? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 } - $block_15 = { 21 ?? ?? 68 ?? ?? ?? ?? 8D ?? ?? 5? FF 7? ?? FF 7? ?? FF 7? ?? E8 ?? ?? 
?? ?? 85 ?? 0F 85 } - $block_16 = { 8B ?? ?? 8B ?? ?? 8B ?? A5 A5 A5 A5 8B ?? 89 ?? ?? 8B ?? ?? 89 ?? ?? 33 ?? 66 ?? ?? ?? 75 } - $block_17 = { 5? 8B ?? 83 ?? ?? 5? FF 3? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 33 ?? A3 ?? ?? ?? ?? 3B ?? 0F 84 } - $block_18 = { 8B ?? ?? 8D ?? ?? 5? 6A ?? 6A ?? 5? C7 ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_19 = { 68 ?? ?? ?? ?? 6A ?? FF 1? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 8B ?? 89 ?? ?? 85 ?? 0F 84 } - $block_20 = { A1 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 8B ?? 85 ?? 0F 84 } - $block_21 = { 5? 8B ?? 5? 6A ?? 6A ?? 6A ?? 6A ?? FF 1? ?? ?? ?? ?? 8B ?? ?? 89 ?? ?? 85 ?? 0F 84 } - $block_22 = { 0F B6 ?? ?? 33 ?? BB ?? ?? ?? ?? F7 ?? 4? 8A ?? ?? ?? ?? ?? 88 ?? ?? ?? 83 ?? ?? 72 } - $block_23 = { 5? 5? 6A ?? 5? 5? 68 ?? ?? ?? ?? FF 7? ?? FF 1? ?? ?? ?? ?? 89 ?? ?? 83 ?? ?? 0F 84 } - $block_24 = { 8B ?? ?? 0F B7 ?? ?? FF 7? ?? 8D ?? ?? 89 ?? ?? E8 ?? ?? ?? ?? 89 ?? ?? 83 ?? ?? 74 } - $block_25 = { 5? 5? 8D ?? ?? 5? FF 7? ?? 5? FF 7? ?? FF 7? ?? FF 7? ?? E8 ?? ?? ?? ?? 84 ?? 0F 84 } - $block_26 = { 68 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 6A ?? 8D ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_27 = { 8B ?? ?? 8B ?? FF 1? ?? ?? ?? ?? 0F B7 ?? ?? 83 ?? ?? ?? 0F B7 ?? 89 ?? ?? 8B ?? 8D } - $block_28 = { 68 ?? ?? ?? ?? 6A ?? FF 1? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 89 ?? ?? 85 ?? 0F 84 } - $block_29 = { 6A ?? 5? 8D ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 8D ?? ?? BF ?? ?? ?? ?? 3B ?? 0F 83 } - $block_30 = { 5? 8B ?? 83 ?? ?? 5? 68 ?? ?? ?? ?? 33 ?? FF 1? ?? ?? ?? ?? 89 ?? ?? 85 ?? 0F 84 } - $block_31 = { 8D ?? ?? ?? 0F B6 ?? 33 ?? 6A ?? 5? F7 ?? 4? 8A ?? ?? ?? ?? ?? 88 ?? 83 ?? ?? 72 } - $block_32 = { 5? 68 ?? ?? ?? ?? 6A ?? FF 1? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_33 = { 6A ?? 6A ?? FF 1? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 8B ?? 89 ?? ?? 85 ?? 0F 84 } - $block_34 = { 66 ?? ?? ?? ?? ?? ?? 66 ?? ?? ?? 33 ?? 0F B7 ?? 4? 66 ?? ?? 8B ?? 8D ?? ?? 75 } - $block_35 = { 68 ?? ?? ?? ?? 8D ?? ?? 5? FF 7? ?? 
6A ?? FF 7? ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 } - $block_36 = { 8D ?? ?? ?? ?? ?? ?? 8B ?? 2B ?? 0F B7 ?? 66 ?? ?? ?? 83 ?? ?? 66 ?? ?? 75 } - $block_37 = { 0F B7 ?? ?? 5? 89 ?? ?? 83 ?? ?? 5? 6A ?? FF D? 5? FF D? 8B ?? 85 ?? 0F 84 } - $block_38 = { 0F B7 ?? ?? 5? 83 ?? ?? 5? 6A ?? 89 ?? ?? FF D? 5? FF D? 8B ?? 85 ?? 0F 84 } - $block_39 = { 6A ?? 6A ?? C6 ?? ?? C7 ?? ?? ?? ?? ?? ?? FF D? 5? FF D? 8B ?? 85 ?? 0F 84 } - $block_40 = { 8D ?? ?? 5? 5? 5? 89 ?? ?? 8B ?? ?? FF 7? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_41 = { 8D ?? ?? 5? 8B ?? ?? 6A ?? FF 7? ?? 03 ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_42 = { 0F B6 ?? 33 ?? 81 E? ?? ?? ?? ?? C1 ?? ?? 33 ?? ?? ?? ?? ?? ?? 4? 4? 75 } - $block_43 = { 68 ?? ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_44 = { 6A ?? 6A ?? C6 ?? ?? FF D? 5? FF 1? ?? ?? ?? ?? 8B ?? 33 ?? 3B ?? 0F 84 } - $block_45 = { 6A ?? BF ?? ?? ?? ?? 5? FF 7? ?? FF 7? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 8E } - $block_46 = { 8B ?? ?? 8B ?? 0F B6 ?? ?? 6A ?? 5? 2B ?? 89 ?? ?? 33 ?? 4? 66 ?? ?? 75 } - $block_47 = { 8D ?? ?? ?? 5? 5? C7 ?? ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_48 = { 83 ?? ?? ?? 8D ?? ?? 5? FF 7? ?? 8D ?? ?? 5? E8 ?? ?? ?? ?? 84 ?? 0F 84 } - $block_49 = { 8B ?? ?? 6A ?? 68 ?? ?? ?? ?? 5? FF 7? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 8E } - $block_50 = { 8D ?? ?? 5? 8B ?? ?? 8B ?? ?? FF 3? ?? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 85 } - $block_51 = { 0F B7 ?? ?? 83 ?? ?? ?? 5? 5? 0F B7 ?? ?? 8D ?? ?? ?? 89 ?? ?? 85 ?? 7E } - $block_52 = { 8D ?? ?? ?? ?? ?? ?? 9? 8B ?? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 0F 84 } - $block_53 = { 5? 5? FF 1? ?? ?? ?? ?? 5? FF 7? ?? 33 ?? E8 ?? ?? ?? ?? 85 ?? 0F 85 } - $block_54 = { 6A ?? 68 ?? ?? ?? ?? FF 7? ?? FF 7? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 8E } - $block_55 = { 8D ?? ?? 5? 0F B7 ?? 5? 8D ?? ?? 5? FF 7? ?? E8 ?? ?? ?? ?? 84 ?? 74 } - $block_56 = { 5? 68 ?? ?? ?? ?? 6A ?? FF 1? ?? ?? ?? ?? 8B ?? 89 ?? ?? 3B ?? 0F 84 } - $block_57 = { 2B ?? 5? 83 ?? ?? 5? 6A ?? 89 ?? ?? FF D? 5? 
FF D? 8B ?? 85 ?? 0F 84 } - $block_58 = { 0F B7 ?? ?? ?? ?? ?? 66 ?? ?? ?? ?? ?? ?? ?? 83 ?? ?? 66 ?? ?? 75 } - $block_59 = { 0F 31 89 ?? ?? A1 ?? ?? ?? ?? 89 ?? ?? 89 ?? ?? 89 ?? ?? 33 ?? EB } - $block_60 = { 8B ?? ?? 8B ?? ?? 6A ?? 6A ?? 5? 5? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 } - $block_61 = { 6A ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 88 } - $block_62 = { 6A ?? 6A ?? C7 ?? ?? ?? ?? ?? ?? FF D? 5? FF D? 8B ?? 85 ?? 0F 84 } - $block_63 = { FF 7? ?? ?? 6A ?? FF 1? ?? ?? ?? ?? 8B ?? 89 ?? ?? ?? 3B ?? 0F 84 } - $block_64 = { 8B ?? ?? 6A ?? 6A ?? 89 ?? ?? FF D? 5? FF D? 89 ?? ?? 85 ?? 0F 84 } - $block_65 = { FF 7? ?? 8B ?? ?? 8D ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 85 ?? 0F 84 } - $block_66 = { 5? 8B ?? 83 ?? ?? 83 ?? ?? ?? 5? 8B ?? ?? 5? 5? 8B ?? ?? 0F 8C } - $block_67 = { 8B ?? ?? 5? 6A ?? 89 ?? ?? FF 1? ?? ?? ?? ?? 8B ?? 85 ?? 0F 84 } - $block_68 = { 0F B7 ?? ?? 5? FF 1? ?? ?? ?? ?? B9 ?? ?? ?? ?? 66 ?? ?? 0F 87 } - $block_69 = { 5? 8B ?? 81 E? ?? ?? ?? ?? 5? 33 ?? F6 ?? ?? ?? ?? ?? ?? 0F 84 } - $block_70 = { 5? 8B ?? 5? 5? 66 ?? ?? ?? ?? 5? 5? 5? 8B ?? C6 ?? ?? ?? 0F 82 } - $block_71 = { 0F B7 ?? ?? 8D ?? ?? ?? ?? ?? ?? 89 ?? ?? 33 ?? 66 ?? ?? ?? 75 } - $block_72 = { 8B ?? ?? 6A ?? 6A ?? 89 ?? FF D? 5? FF D? 89 ?? ?? 85 ?? 0F 84 } - $block_73 = { 0F B7 ?? ?? ?? ?? ?? 66 ?? ?? ?? ?? ?? ?? 83 ?? ?? 66 ?? ?? 75 } - $block_74 = { 0F B7 ?? ?? 33 ?? 83 ?? ?? 33 ?? 33 ?? 89 ?? ?? 3B ?? 0F 8C } - $block_75 = { 8D ?? ?? 5? FF 7? ?? 8B ?? ?? 5? E8 ?? ?? ?? ?? 84 ?? 0F 84 } - $block_76 = { FF 7? ?? 6A ?? FF D? 5? FF 1? ?? ?? ?? ?? 8B ?? 85 ?? 0F 84 } - $block_77 = { 0F B6 ?? 8A ?? ?? ?? ?? ?? FE ?? F6 ?? 88 ?? ?? 80 F? ?? 72 } - $block_78 = { 5? 8B ?? 81 E? ?? ?? ?? ?? 5? 33 ?? 89 ?? ?? 39 ?? ?? 0F 84 } - $block_79 = { 5? 5? 68 ?? ?? ?? ?? 5? FF 1? ?? ?? ?? ?? 8B ?? 85 ?? 0F 84 } - $block_80 = { 0F B7 ?? ?? 03 ?? 8B ?? ?? 81 F? ?? ?? ?? ?? 89 ?? ?? 0F 85 } - $block_81 = { 5? 68 ?? ?? ?? ?? 5? FF 7? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 8E } - $block_82 = { 6A ?? 6A ?? 
5? 5? 8D ?? ?? ?? ?? ?? 5? FF D? 85 ?? 0F 84 }
- $block_83 = { 5? 6A ?? 6A ?? FF D? 5? FF D? 8B ?? 89 ?? ?? 85 ?? 0F 84 }
- $block_84 = { 5? 68 ?? ?? ?? ?? 6A ?? FF D? 5? FF D? 8B ?? 85 ?? 0F 84 }
- $block_85 = { 8B ?? ?? 83 ?? ?? 33 ?? 8B ?? F3 ?? 8B ?? ?? 0F 94 ?? 89 }
- $block_86 = { 0F B7 ?? ?? 83 ?? ?? ?? 2B ?? 4? 89 ?? ?? 8B ?? 32 ?? 8D }
- $block_87 = { 8B ?? ?? 8B ?? ?? 8D ?? ?? 5? E8 ?? ?? ?? ?? 85 ?? 0F 85 }
- $block_88 = { 6A ?? 8D ?? ?? 5? 6A ?? 5? 5? FF 7? ?? FF D? 85 ?? 0F 85 }
- $block_89 = { 8B ?? ?? 5? 6A ?? FF 1? ?? ?? ?? ?? 8B ?? 85 ?? 0F 84 }
- $block_90 = { 8B ?? ?? 33 ?? 85 ?? 0F 94 ?? 8B ?? 89 ?? 85 ?? 0F 84 }
- $block_91 = { 68 ?? ?? ?? ?? 6A ?? FF D? 5? FF D? 8B ?? 85 ?? 0F 84 }
- $block_92 = { 8D ?? ?? 5? 8D ?? ?? 5? 5? E8 ?? ?? ?? ?? 84 ?? 0F 84 }
- $block_93 = { 68 ?? ?? ?? ?? FF 1? ?? ?? ?? ?? 5? 8B ?? 5? 5? C9 C2 }
- $block_94 = { 8B ?? ?? 5? E8 ?? ?? ?? ?? 33 ?? 89 ?? ?? 3B ?? 0F 84 }
- $block_95 = { 33 ?? 83 ?? ?? 0F 95 ?? 89 ?? ?? 4? 89 ?? 33 ?? EB }
- $block_96 = { 0F B7 ?? ?? 2B ?? 4? 83 ?? ?? ?? 89 ?? ?? 8B ?? 8D }
- $block_97 = { 5? 5? 6A ?? FF 7? ?? FF 1? ?? ?? ?? ?? 85 ?? 0F 84 }
- $block_98 = { 0F B7 ?? 66 ?? ?? 83 ?? ?? 83 ?? ?? 66 ?? ?? 75 }
- $block_99 = { 5? 6A ?? 6A ?? FF D? 5? FF D? 8B ?? 85 ?? 0F 84 }
-
- condition:
- hash.sha256(0, filesize) == "579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648" or
- hash.sha256(0, filesize) == "8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93" or
- 12 of them
-}
diff --git a/yara-mikesxrs/Checkpoint/TeamViwer_backdoor.yar b/yara-mikesxrs/Checkpoint/TeamViwer_backdoor.yar
deleted file mode 100644
index 8a49fb3..0000000
--- a/yara-mikesxrs/Checkpoint/TeamViwer_backdoor.yar
+++ /dev/null
@@ -1,16 +0,0 @@
-rule TeamViwer_backdoor
-{
-
-meta:
-date = "2019-04-14"
-description = "Detects malicious TeamViewer DLLs"
-reference = "https://research.checkpoint.com/2019/finteam-trojanized-teamviewer-against-government-targets/"
-
-strings:
-
-// PostMessageW hook function
-$x1 = {55 8b ec 8b 45 0c 3d 12 01 00 00 75 05 83 c8 ff eb 12 8b 55 14 52 8b 55 10 52 50 8b 45 08 50 e8}
-
-condition:
-uint16(0) == 0x5a4d and $x1
-}
diff --git a/yara-mikesxrs/Checkpoint/ZZ_breakwin_config.yar b/yara-mikesxrs/Checkpoint/ZZ_breakwin_config.yar
deleted file mode 100644
index fcab6f7..0000000
--- a/yara-mikesxrs/Checkpoint/ZZ_breakwin_config.yar
+++ /dev/null
@@ -1,14 +0,0 @@
-rule ZZ_breakwin_config {
- meta:
- description = "Detects the header of the encrypted config files, assuming known encryption key."
- reference = "https://research.checkpoint.com/2021/indra-hackers-behind-recent-attacks-on-iran/"
- author = "Check Point Research"
- date = "22-07-2021"
- hash = "948febaab71727217303e0aabb9126f242aa51f89caa7f070a3da76c4f5699ed"
- hash = "2d35bb7c02062ff2fba4424a267c5c83351405281a1870f52d02f3712a547a22"
- hash = "68e95a3ccde3ea22b8eb8adcf0ad53c7993b2ea5316948e31d9eadd11b5151d7"
- strings:
- $conf_header = {1A 69 45 47 5E 46 4A 06 03 E4 34 0B 06 1D ED 2F 02 15 02 E5 57 4D 59 59 D1 40 20 22}
- condition:
- $conf_header at 0
-}
diff --git a/yara-mikesxrs/Checkpoint/ZZ_breakwin_meteor_batch_files.yar b/yara-mikesxrs/Checkpoint/ZZ_breakwin_meteor_batch_files.yar
deleted file mode 100644
index 1bb9026..0000000
--- a/yara-mikesxrs/Checkpoint/ZZ_breakwin_meteor_batch_files.yar
+++ /dev/null
@@ -1,23 +0,0 @@
-rule ZZ_breakwin_meteor_batch_files {
- meta:
- description = "Detect the batch files used in the attacks"
- reference = "https://research.checkpoint.com/2021/indra-hackers-behind-recent-attacks-on-iran/"
- author = "Check Point Research"
- date = "22-07-2021"
- strings:
- $filename_0 = "mscap.bmp"
- $filename_1 = "mscap.jpg"
- $filename_2 = "msconf.conf"
- $filename_3 = "msmachine.reg"
- $filename_4 = "mssetup.exe"
- $filename_5 = "msuser.reg"
- $filename_6 = "msapp.exe"
- $filename_7 = "bcd.rar"
- $filename_8 = "bcd.bat"
- $filename_9 = "msrun.bat"
- $command_line_0 = "powershell -Command \"%exclude_command% '%defender_exclusion_folder%"
- $command_line_1 = "start /b \"\" update.bat hackemall"
- condition:
- 4 of ($filename_*) or
- any of ($command_line_*)
-}
diff --git a/yara-mikesxrs/Checkpoint/ZZ_breakwin_stardust_vbs.yar b/yara-mikesxrs/Checkpoint/ZZ_breakwin_stardust_vbs.yar
deleted file mode 100644
index cc93fa1..0000000
--- a/yara-mikesxrs/Checkpoint/ZZ_breakwin_stardust_vbs.yar
+++ /dev/null
@@ -1,20 +0,0 @@
-rule ZZ_breakwin_stardust_vbs {
- meta:
- description = "Detect the VBS files that where found in the attacks on targets in Syria"
- reference = "https://research.checkpoint.com/2021/indra-hackers-behind-recent-attacks-on-iran/"
- author = "Check Point Research"
- date = "22-07-2021"
- hash = "38a419cd9456e40961c781e16ceee99d970be4e9235ccce0b316efe68aba3933"
- hash = "62a984981d14b562939294df9e479ac0d65dfc412d0449114ccb2a0bc93769b0"
- hash = "4d994b864d785abccef829d84f91d949562d0af934114b65056315bf59c1ef58"
- hash = "eb5237d56c0467b5def9a92e445e34eeed9af2fee28f3a2d2600363724d6f8b0"
- hash = "5553ba3dc141cd63878a7f9f0a0e67fb7e887010c0614efd97bbc6c0be9ec2ad"
- strings:
- $url_template = "progress.php?hn=\" & CN & \"&dt=\" & DT & \"&st="
- $compression_password_1 = "YWhZMFU1VlZGdGNFNWlhMVlVMnhTMWtOVlJVWWNGTk9iVTQxVW10V0ZFeFJUMD0r"
- $compression_password_2 = "YWlvcyBqQCNAciNxIGpmc2FkKnIoOUZURjlVSjBSRjJRSlJGODlKSDIzRmloIG8"
- $uninstall_kaspersky = "Shell.Run \"msiexec.exe /x \" & productcode & \" KLLOGIN="
- $is_avp_running = "isProcessRunning(\".\", \"avp.exe\") Then"
- condition:
- any of them
-}
diff --git a/yara-mikesxrs/Checkpoint/ZZ_breakwin_wiper.yar b/yara-mikesxrs/Checkpoint/ZZ_breakwin_wiper.yar
deleted file mode 100644
index cbd5058..0000000
--- a/yara-mikesxrs/Checkpoint/ZZ_breakwin_wiper.yar
+++ /dev/null
@@ -1,120 +0,0 @@
-rule ZZ_breakwin_wiper {
- meta:
- description = "Detects the BreakWin wiper that was used in attacks in Syria"
- reference = "https://research.checkpoint.com/2021/indra-hackers-behind-recent-attacks-on-iran/"
- author = "Check Point Research"
- date = "22-07-2021"
- hash = "2aa6e42cb33ec3c132ffce425a92dfdb5e29d8ac112631aec068c8a78314d49b"
- hash = "6709d332fbd5cde1d8e5b0373b6ff70c85fee73bd911ab3f1232bb5db9242dd4"
- hash = "d71cc6337efb5cbbb400d57c8fdeb48d7af12a292fa87a55e8705d18b09f516e"
- strings:
- $debug_str_meteor_1 = "the program received an invalid number of arguments" wide
- $debug_str_meteor_2 = "End interval logger. Resuming writing every log" wide
- $debug_str_meteor_0 = "failed to initialize configuration from file" wide
- $debug_str_meteor_3 = "Meteor is still alive." wide
- $debug_str_meteor_4 = "Exiting main function because of some error" wide
- $debug_str_meteor_5 = "Meteor has finished. This shouldn't be possible because of the is-alive loop." wide
- $debug_str_meteor_6 = "Meteor has started." wide
- $debug_str_meteor_7 = "Could not hide current console." wide
- $debug_str_meteor_8 = "Could not get the window handle used by the console." wide
- $debug_str_meteor_9 = "Failed to find base-64 data size" wide
- $debug_str_meteor_10 = "Running locker thread" wide
- $debug_str_meteor_11 = "Failed to encode wide-character string as Base64" wide
- $debug_str_meteor_12 = "Wiper operation failed." wide
- $debug_str_meteor_13 = "Screen saver disable failed." wide
- $debug_str_meteor_14 = "Failed to generate password of length %s. Generating a default one." wide
- $debug_str_meteor_15 = "Failed to delete boot configuration" wide
- $debug_str_meteor_16 = "Could not delete all BCD entries." wide
- $debug_str_meteor_17 = "Finished deleting BCD entries." wide
- $debug_str_meteor_18 = "Failed to change lock screen" wide
- $debug_str_meteor_19 = "Boot configuration deleted successfully" wide
- $debug_str_meteor_20 = "Failed to kill all winlogon processes" wide
- $debug_str_meteor_21 = "Changing passwords of all users to" wide
- $debug_str_meteor_22 = "Failed to change the passwords of all users" wide
- $debug_str_meteor_23 = "Failed to run the locker thread" wide
- $debug_str_meteor_24 = "Screen saver disabled successfully." wide
- $debug_str_meteor_25 = "Generating random password failed" wide
- $debug_str_meteor_26 = "Locker installation failed" wide
- $debug_str_meteor_27 = "Failed to set auto logon." wide
- $debug_str_meteor_28 = "Failed to initialize interval logger. Using a dummy logger instead." wide
- $debug_str_meteor_29 = "Succeeded setting auto logon for" wide
- $debug_str_meteor_30 = "Failed disabling the first logon privacy settings user approval." wide
- $debug_str_meteor_31 = "Failed disabling the first logon animation." wide
- $debug_str_meteor_32 = "Waiting for new winlogon process" wide
- $debug_str_meteor_33 = "Failed to isolate from domain" wide
- $debug_str_meteor_34 = "Failed creating scheduled task for system with name %s." wide
- $debug_str_meteor_35 = "Failed to get the new token of winlogon." wide
- $debug_str_meteor_36 = "Failed adding new admin user." wide
- $debug_str_meteor_37 = "Failed changing settings for the created new user." wide
- $debug_str_meteor_38 = "Failed disabling recovery mode." wide
- $debug_str_meteor_39 = "Logging off users on Windows version 8 or above" wide
- $debug_str_meteor_40 = "Succeeded setting boot policy to ignore all errors." wide
- $debug_str_meteor_41 = "Succeeded creating scheduled task for system with name" wide
- $debug_str_meteor_42 = "Succeeded disabling recovery mode" wide
- $debug_str_meteor_43 = "Failed to log off all sessions" wide
- $debug_str_meteor_44 = "Failed to delete shadowcopies." wide
- $debug_str_meteor_45 = "Failed logging off session: " wide
- $debug_str_meteor_46 = "Failed setting boot policy to ignore all errors." wide
- $debug_str_meteor_47 = "Successfully logged off all local sessions, except winlogon." wide
- $debug_str_meteor_48 = "Succeeded creating scheduled task with name %s for user %s." wide
- $debug_str_meteor_49 = "Killing all winlogon processes" wide
- $debug_str_meteor_50 = "Logging off users in Windows 7" wide
- $debug_str_meteor_51 = "Failed logging off all local sessions, except winlogon." wide
- $debug_str_meteor_52 = "Failed creating scheduled task with name %s for user %s." wide
- $debug_str_meteor_53 = "Succeeded deleting shadowcopies." wide
- $debug_str_meteor_54 = "Logging off users in Windows XP" wide
- $debug_str_meteor_55 = "Failed changing settings for the created new user." wide
- $debug_str_meteor_56 = "Could not open file %s. error message: %s" wide
- $debug_str_meteor_57 = "Could not write to file %s. error message: %s" wide
- $debug_str_meteor_58 = "tCould not tell file pointer location on file %s." wide
- $debug_str_meteor_59 = "Could not set file pointer location on file %s to offset %s." wide
- $debug_str_meteor_60 = "Could not read from file %s. error message: %s" wide
- $debug_str_meteor_61 = "Failed to wipe file %s" wide
- $debug_str_meteor_62 = "attempted to access encrypted file in offset %s, but it only supports offset 0" wide
- $debug_str_meteor_63 = "Failed to create thread. Error message: %s" wide
- $debug_str_meteor_64 = "Failed to wipe file %s" wide
- $debug_str_meteor_65 = "failed to get configuration value with key %s" wide
- $debug_str_meteor_66 = "failed to parse the configuration from file %s" wide
- $debug_str_meteor_67 = "Failed posting to server, received unknown exception" wide
- $debug_str_meteor_68 = "Failed posting to server, received std::exception" wide
- $debug_str_meteor_69 = "Skipping %s logs. Writing log number %s:" wide
- $debug_str_meteor_70 = "Start interval logger. Writing logs with an interval of %s logs." wide
- $debug_str_meteor_71 = "failed to write message to log file %s" wide
- $debug_str_meteor_72 = "The log message is too big: %s/%s characters." wide
- $debug_str_stardust_0 = "Stardust has started." wide
- $debug_str_stardust_1 = "0Vy0qMGO" ascii wide
- $debug_str_comet_0 = "Comet has started." wide
- $debug_str_comet_1 = "Comet has finished." wide
- $str_lock_my_pc = "Lock My PC 4" ascii wide
- $config_entry_0 = "state_path" ascii
- $config_entry_1 = "state_encryption_key" ascii
- $config_entry_2 = "log_server_port" ascii
- $config_entry_3 = "log_file_path" ascii
- $config_entry_4 = "log_encryption_key" ascii
- $config_entry_5 = "log_server_ip" ascii
- $config_entry_6 = "processes_to_kill" ascii
- $config_entry_7 = "process_termination_timeout" ascii
- $config_entry_8 = "paths_to_wipe" ascii
- $config_entry_9 = "wiping_stage_logger_interval" ascii
- $config_entry_10 = "locker_exe_path" ascii
- $config_entry_11 = "locker_background_image_jpg_path" ascii
- $config_entry_12 = "auto_logon_path" ascii
- $config_entry_13 = "locker_installer_path" ascii
- $config_entry_14 = "locker_password_hash" ascii
- $config_entry_15 = "users_password" ascii
- $config_entry_16 = "locker_background_image_bmp_path" ascii
- $config_entry_17 = "locker_registry_settings_files" ascii
- $config_entry_18 = "cleanup_script_path" ascii
- $config_entry_19 = "is_alive_loop_interval" ascii
- $config_entry_20 = "cleanup_scheduled_task_name" ascii
- $config_entry_21 = "self_scheduled_task_name" ascii
- $encryption_asm = {33 D2 8B C3 F7 75 E8 8B 41 04 8B 4E 04 8A 04 02 02 C3 32 04 1F 88 45 F3 39 4E 08}
- $random_string_generation = {33 D2 59 F7 F1 83 ?? ?? 08 66 0F BE 82 ?? ?? ?? 00 0F B7 C8 8B C7}
- condition:
- uint16(0) == 0x5A4D and
- (
- 6 of them or
- $encryption_asm or
- $random_string_generation
- )
-}
diff --git a/yara-mikesxrs/Checkpoint/apt3_bemstour_implant_byte_patch.yar b/yara-mikesxrs/Checkpoint/apt3_bemstour_implant_byte_patch.yar
deleted file mode 100644
index b5d06ac..0000000
--- a/yara-mikesxrs/Checkpoint/apt3_bemstour_implant_byte_patch.yar
+++ /dev/null
@@ -1,39 +0,0 @@
-rule apt3_bemstour_implant_byte_patch
-{
-meta:
-
-description = "Detects an implant used by Bemstour exploitation tool (APT3)"
-reference = "https://research.checkpoint.com/2019/upsynergy/"
-author = "Mark Lechtik"
-company = "Check Point Software Technologies LTD."
-date = "2019-06-25"
-sha256 = "0b28433a2b7993da65e95a45c2adf7bc37edbd2a8db717b85666d6c88140698a"
-
-/*
-
-0x41b7e1L C745B8558BEC83 mov dword ptr [ebp - 0x48], 0x83ec8b55
-0x41b7e8L C745BCEC745356 mov dword ptr [ebp - 0x44], 0x565374ec
-0x41b7efL C745C08B750833 mov dword ptr [ebp - 0x40], 0x3308758b
-0x41b7f6L C745C4C957C745 mov dword ptr [ebp - 0x3c], 0x45c757c9
-0x41b7fdL C745C88C4C6F61 mov dword ptr [ebp - 0x38], 0x616f4c8c
-
-*/
-
-strings:
-
-$chunk_1 = {
-
-C7 45 ?? 55 8B EC 83
-C7 45 ?? EC 74 53 56
-C7 45 ?? 8B 75 08 33
-C7 45 ?? C9 57 C7 45
-C7 45 ?? 8C 4C 6F 61
-
-}
-
-condition:
- any of them
-}
-
-
-
diff --git a/yara-mikesxrs/Checkpoint/apt3_bemstour_implant_command_stack_variable.yar b/yara-mikesxrs/Checkpoint/apt3_bemstour_implant_command_stack_variable.yar
deleted file mode 100644
index b0d0721..0000000
--- a/yara-mikesxrs/Checkpoint/apt3_bemstour_implant_command_stack_variable.yar
+++ /dev/null
@@ -1,169 +0,0 @@
-rule apt3_bemstour_implant_command_stack_variable
-{
-meta:
-
-description = "Detecs an implant used by Bemstour exploitation tool (APT3)"
-reference = "https://research.checkpoint.com/2019/upsynergy/"
-author = "Mark Lechtik"
-company = "Check Point Software Technologies LTD."
-date = "2019-06-25"
-sha256 = "0b28433a2b7993da65e95a45c2adf7bc37edbd2a8db717b85666d6c88140698a"
-
-
-strings:
-
-
-/*
-
-0x41ba18L C78534FFFFFF636D642E mov dword ptr [ebp - 0xcc], 0x2e646d63
-0x41ba22L C78538FFFFFF65786520 mov dword ptr [ebp - 0xc8], 0x20657865
-0x41ba2cL C7853CFFFFFF2F632063 mov dword ptr [ebp - 0xc4], 0x6320632f
-0x41ba36L C78540FFFFFF6F707920 mov dword ptr [ebp - 0xc0], 0x2079706f
-0x41ba40L C78544FFFFFF2577696E mov dword ptr [ebp - 0xbc], 0x6e697725
-0x41ba4aL C78548FFFFFF64697225 mov dword ptr [ebp - 0xb8], 0x25726964
-0x41ba54L C7854CFFFFFF5C737973 mov dword ptr [ebp - 0xb4], 0x7379735c
-0x41ba5eL C78550FFFFFF74656D33 mov dword ptr [ebp - 0xb0], 0x336d6574
-0x41ba68L C78554FFFFFF325C636D mov dword ptr [ebp - 0xac], 0x6d635c32
-0x41ba72L C78558FFFFFF642E6578 mov dword ptr [ebp - 0xa8], 0x78652e64
-0x41ba7cL C7855CFFFFFF65202577 mov dword ptr [ebp - 0xa4], 0x77252065
-0x41ba86L C78560FFFFFF696E6469 mov dword ptr [ebp - 0xa0], 0x69646e69
-0x41ba90L C78564FFFFFF72255C73 mov dword ptr [ebp - 0x9c], 0x735c2572
-0x41ba9aL C78568FFFFFF79737465 mov dword ptr [ebp - 0x98], 0x65747379
-0x41baa4L C7856CFFFFFF6D33325C mov dword ptr [ebp - 0x94], 0x5c32336d
-0x41baaeL C78570FFFFFF73657468 mov dword ptr [ebp - 0x90], 0x68746573
-0x41bab8L C78574FFFFFF632E6578 mov dword ptr [ebp - 0x8c], 0x78652e63
-0x41bac2L C78578FFFFFF65202F79 mov dword ptr [ebp - 0x88], 0x792f2065
-0x41baccL 83A57CFFFFFF00 and dword ptr [ebp - 0x84], 0
-
-*/
-
-$chunk_1 = {
-
-C7 85 ?? ?? ?? ?? 63 6D 64 2E
-C7 85 ?? ?? ?? ?? 65 78 65 20
-C7 85 ?? ?? ?? ?? 2F 63 20 63
-C7 85 ?? ?? ?? ?? 6F 70 79 20
-C7 85 ?? ?? ?? ?? 25 77 69 6E
-C7 85 ?? ?? ?? ?? 64 69 72 25
-C7 85 ?? ?? ?? ?? 5C 73 79 73
-C7 85 ?? ?? ?? ?? 74 65 6D 33
-C7 85 ?? ?? ?? ?? 32 5C 63 6D
-C7 85 ?? ?? ?? ?? 64 2E 65 78
-C7 85 ?? ?? ?? ?? 65 20 25 77
-C7 85 ?? ?? ?? ?? 69 6E 64 69
-C7 85 ?? ?? ?? ?? 72 25 5C 73
-C7 85 ?? ?? ?? ?? 79 73 74 65
-C7 85 ?? ?? ?? ?? 6D 33 32 5C
-C7 85 ?? ?? ?? ?? 73 65 74 68
-C7 85 ?? ?? ?? ?? 63 2E 65 78
-C7 85 ?? ?? ?? ?? 65 20 2F 79
-83 A5 ?? ?? ?? ?? 00
-}
-
-
-
-
-/*
-
-0x41baeeL C785D8FEFFFF636D6420 mov dword ptr [ebp - 0x128], 0x20646d63
-0x41baf8L C785DCFEFFFF2F632022 mov dword ptr [ebp - 0x124], 0x2220632f
-0x41bb02L C785E0FEFFFF6E657420 mov dword ptr [ebp - 0x120], 0x2074656e
-0x41bb0cL C785E4FEFFFF75736572 mov dword ptr [ebp - 0x11c], 0x72657375
-0x41bb16L C785E8FEFFFF20636573 mov dword ptr [ebp - 0x118], 0x73656320
-0x41bb20L C785ECFEFFFF73757070 mov dword ptr [ebp - 0x114], 0x70707573
-0x41bb2aL C785F0FEFFFF6F727420 mov dword ptr [ebp - 0x110], 0x2074726f
-0x41bb34L C785F4FEFFFF3171617A mov dword ptr [ebp - 0x10c], 0x7a617131
-0x41bb3eL C785F8FEFFFF23454443 mov dword ptr [ebp - 0x108], 0x43444523
-0x41bb48L C785FCFEFFFF202F6164 mov dword ptr [ebp - 0x104], 0x64612f20
-0x41bb52L C78500FFFFFF64202626 mov dword ptr [ebp - 0x100], 0x26262064
-0x41bb5cL C78504FFFFFF206E6574 mov dword ptr [ebp - 0xfc], 0x74656e20
-0x41bb66L C78508FFFFFF206C6F63 mov dword ptr [ebp - 0xf8], 0x636f6c20
-0x41bb70L C7850CFFFFFF616C6772 mov dword ptr [ebp - 0xf4], 0x72676c61
-0x41bb7aL C78510FFFFFF6F757020 mov dword ptr [ebp - 0xf0], 0x2070756f
-0x41bb84L C78514FFFFFF61646D69 mov dword ptr [ebp - 0xec], 0x696d6461
-0x41bb8eL C78518FFFFFF6E697374 mov dword ptr [ebp - 0xe8], 0x7473696e
-0x41bb98L C7851CFFFFFF7261746F mov dword ptr [ebp - 0xe4], 0x6f746172
-0x41bba2L C78520FFFFFF72732063 mov dword ptr [ebp - 0xe0], 0x63207372
-0x41bbacL C78524FFFFFF65737375 mov dword ptr [ebp - 0xdc], 0x75737365
-0x41bbb6L C78528FFFFFF70706F72 mov dword ptr [ebp - 0xd8], 0x726f7070
-0x41bbc0L C7852CFFFFFF74202F61 mov dword ptr [ebp - 0xd4], 0x612f2074
-0x41bbcaL C78530FFFFFF64642200 mov dword ptr [ebp - 0xd0], 0x226464
-0x41bbd4L 6A5C push 0x5c
-
-*/
-
-$chunk_2 = {
-
-C7 85 ?? ?? ?? ?? 63 6D 64 20
-C7 85 ?? ?? ?? ?? 2F 63 20 22
-C7 85 ?? ?? ?? ?? 6E 65 74 20
-C7 85 ?? ?? ?? ?? 75 73 65 72
-C7 85 ?? ?? ?? ?? 20 63 65 73
-C7 85 ?? ?? ?? ?? 73 75 70 70
-C7 85 ?? ?? ?? ?? 6F 72 74 20
-C7 85 ?? ?? ?? ?? 31 71 61 7A
-C7 85 ?? ?? ?? ?? 23 45 44 43
-C7 85 ?? ?? ?? ?? 20 2F 61 64
-C7 85 ?? ?? ?? ?? 64 20 26 26
-C7 85 ?? ?? ?? ?? 20 6E 65 74
-C7 85 ?? ?? ?? ?? 20 6C 6F 63
-C7 85 ?? ?? ?? ?? 61 6C 67 72
-C7 85 ?? ?? ?? ?? 6F 75 70 20
-C7 85 ?? ?? ?? ?? 61 64 6D 69
-C7 85 ?? ?? ?? ?? 6E 69 73 74
-C7 85 ?? ?? ?? ?? 72 61 74 6F
-C7 85 ?? ?? ?? ?? 72 73 20 63
-C7 85 ?? ?? ?? ?? 65 73 73 75
-C7 85 ?? ?? ?? ?? 70 70 6F 72
-C7 85 ?? ?? ?? ?? 74 20 2F 61
-C7 85 ?? ?? ?? ?? 64 64 22 00
-6A 5C
-
-}
-
-/*
-
-0x41be22L C745D057696E45 mov dword ptr [ebp - 0x30], 0x456e6957
-0x41be29L C745D478656300 mov dword ptr [ebp - 0x2c], 0x636578
-0x41be30L C7459C47657450 mov dword ptr [ebp - 0x64], 0x50746547
-0x41be37L C745A0726F6341 mov dword ptr [ebp - 0x60], 0x41636f72
-0x41be3eL C745A464647265 mov dword ptr [ebp - 0x5c], 0x65726464
-0x41be45L C745A873730000 mov dword ptr [ebp - 0x58], 0x7373
-0x41be4cL C745C443726561 mov dword ptr [ebp - 0x3c], 0x61657243
-0x41be53L C745C874654669 mov dword ptr [ebp - 0x38], 0x69466574
-0x41be5aL C745CC6C654100 mov dword ptr [ebp - 0x34], 0x41656c
-0x41be61L C745B857726974 mov dword ptr [ebp - 0x48], 0x74697257
-0x41be68L C745BC6546696C mov dword ptr [ebp - 0x44], 0x6c694665
-0x41be6fL C745C065000000 mov dword ptr [ebp - 0x40], 0x65
-0x41be76L C745AC436C6F73 mov dword ptr [ebp - 0x54], 0x736f6c43
-0x41be7dL C745B06548616E mov dword ptr [ebp - 0x50], 0x6e614865
-0x41be84L C745B4646C6500 mov dword ptr [ebp - 0x4c], 0x656c64
-0x41be8bL 894DE8 mov dword ptr [ebp - 0x18], ecx
-
-*/
-
-$chunk_3 = {
-
-C7 45 ?? 57 69 6E 45
-C7 45 ?? 78 65 63 00
-C7 45 ?? 47 65 74 50
-C7 45 ?? 72 6F 63 41
-C7 45 ?? 64 64 72 65
-C7 45 ?? 73 73 00 00
-C7 45 ?? 43 72 65 61
-C7 45 ?? 74 65 46 69
-C7 45 ?? 6C 65 41 00
-C7 45 ?? 57 72 69 74
-C7 45 ?? 65 46 69 6C
-C7 45 ?? 65 00 00 00
-C7 45 ?? 43 6C 6F 73
-C7 45 ?? 65 48 61 6E
-C7 45 ?? 64 6C 65 00
-89 4D ??
-
-}
-
-
-condition:
- any of them
-}
diff --git a/yara-mikesxrs/Checkpoint/apt3_bemstour_strings.yar b/yara-mikesxrs/Checkpoint/apt3_bemstour_strings.yar
deleted file mode 100644
index d8bdb58..0000000
--- a/yara-mikesxrs/Checkpoint/apt3_bemstour_strings.yar
+++ /dev/null
@@ -1,68 +0,0 @@
-rule apt3_bemstour_strings
-{
-meta:
-
-description = "Detects strings used by the Bemstour exploitation tool"
-reference = "https://research.checkpoint.com/2019/upsynergy/"
-author = "Mark Lechtik"
-company = "Check Point Software Technologies LTD."
-date = "2019-06-25"
-sha256 = "0b28433a2b7993da65e95a45c2adf7bc37edbd2a8db717b85666d6c88140698a"
-strings:
-
-$dbg_print_1 = "leaked address is 0x%llx" ascii wide
-$dbg_print_2 = "========== %s ==========" ascii wide
-$dbg_print_3 = "detailVersion:%d" ascii wide
-$dbg_print_4 = "create pipe twice failed" ascii wide
-$dbg_print_5 = "WSAStartup function failed with error: %d" ascii wide
-$dbg_print_6 = "can't open input file." ascii wide
-$dbg_print_7 = "Allocate Buffer Failed." ascii wide
-$dbg_print_8 = "Connect to target failed." ascii wide
-$dbg_print_9 = "connect successful." ascii wide
-$dbg_print_10 = "not supported Platform" ascii wide
-$dbg_print_11 = "Wait several seconds." ascii wide
-$dbg_print_12 = "not set where to write ListEntry ." ascii wide
-$dbg_print_13 = "backdoor not installed." ascii wide
-$dbg_print_14 = "REConnect to target failed." ascii wide
-$dbg_print_15 = "Construct TreeConnectAndX Request Failed." ascii wide
-$dbg_print_16 = "Construct NTCreateAndXRequest Failed." ascii wide
-$dbg_print_17 = "Construct Trans2 Failed." ascii wide
-$dbg_print_18 = "Construct ConsWXR Failed." ascii wide
-$dbg_print_19 = "Construct ConsTransSecondary Failed." ascii wide
-$dbg_print_20 = "if you don't want to input password , use server2003 version.." ascii wide
-
-$cmdline_1 = "Command format %s TargetIp domainname username password 2" ascii wide
-$cmdline_2 = "Command format %s TargetIp domainname username password 1" ascii wide
-$cmdline_3 = "cmd.exe /c net user test test /add && cmd.exe /c net localgroup administrators test /add" ascii wide
-$cmdline_4 = "hello.exe \"C:\\WINDOWS\\DEBUG\\test.exe\"" ascii wide
-$cmdline_5 = "parameter not right" ascii wide
-
-$smb_param_1 = "browser" ascii wide
-$smb_param_2 = "spoolss" ascii wide
-$smb_param_3 = "srvsvc" ascii wide
-$smb_param_4 = "\\PIPE\\LANMAN" ascii wide
-$smb_param_5 = "Werttys for Workgroups 3.1a" ascii wide
-$smb_param_6 = "PC NETWORK PROGRAM 1.0" ascii wide
-$smb_param_7 = "LANMAN1.0" ascii wide
-$smb_param_8 = "LM1.2X002" ascii wide
-$smb_param_9 = "LANMAN2.1" ascii wide
-$smb_param_10 = "NT LM 0.12" ascii wide
-$smb_param_12 = "WORKGROUP" ascii wide
-$smb_param_13 = "Windows Server 2003 3790 Service Pack 2" ascii wide
-$smb_param_14 = "Windows Server 2003 5.2" ascii wide
-$smb_param_15 = "Windows 2002 Service Pack 2 2600" ascii wide
-$smb_param_16 = "Windows 2002 5.1" ascii wide
-$smb_param_17 = "PC NETWORK PROGRAM 1.0" ascii wide
-$smb_param_18 = "Windows 2002 5.1" ascii wide
-$smb_param_19 = "Windows for Workgroups 3.1a" ascii wide
-
-$unique_str_1 = "WIN-NGJ7GKNROVS"
-$unique_str_2 = "XD-A31C2E0087B2"
-
-condition:
- uint16(0) == 0x5a4d and (5 of ($dbg_print*) or 2 of ($cmdline*) or 1 of ($unique_str*)) and 3 of ($smb_param*)
-}
-
-
-
-
diff --git a/yara-mikesxrs/Checkpoint/apt_CN_TwistedPanda_64bit_Loader.yar b/yara-mikesxrs/Checkpoint/apt_CN_TwistedPanda_64bit_Loader.yar
deleted file mode 100644
index 5413ce0..0000000
--- a/yara-mikesxrs/Checkpoint/apt_CN_TwistedPanda_64bit_Loader.yar
+++ /dev/null
@@ -1,34 +0,0 @@
-rule apt_CN_TwistedPanda_64bit_Loader {
- meta:
- author = "Check Point Research"
- description = "Detect the 64bit Loader DLL used by TwistedPanda"
- reference = "https://research.checkpoint.com/2022/twisted-panda-chinese-apt-espionage-operation-against-russians-state-owned-defense-institutes/"
- date = "2022-04-14"
- hash = "e0d4ef7190ff50e6ad2a2403c87cc37254498e8cc5a3b2b8798983b1b3cdc94f"
-
- strings:
- // 48 8D ?? ?? ?? ?? ?? ?? ?? lea rdx, ds:2[rdx*2]
- // 48 8B C1 mov rax, rcx
- // 48 81 ?? ?? ?? ?? ?? cmp rdx, 1000h
- // 72 ?? jb short loc_7FFDF0BA1B48
- $path_check = { 48 8D [6] 48 8B ?? 48 81 [5] 72 }
- // 48 8B D0 mov rdx, rax ; lpBuffer
- // 41 B8 F0 16 00 00 mov r8d, 16F0h ; nNumberOfBytesToRead
- // 48 8B CF mov rcx, rdi ; hFile
- // 48 8B D8 mov rbx, rax
- // FF ?? ?? ?? ?? call cs:ReadFile
- $shellcode_read = { 48 8B D0 41 B8 F0 16 00 00 48 8B CF 48 8B D8 FF}
- // BA F0 16 00 00 mov edx, 16F0h ; dwSize
- // 44 8D 4E 40 lea r9d, [rsi+40h] ; flProtect
- // 33 C9 xor ecx, ecx ; lpAddress
- // 41 B8 00 30 00 00 mov r8d, 3000h ; flAllocationType
- // FF ?? ?? ?? ?? ?? call cs:VirtualAlloc
- $shellcode_allocate = { BA F0 16 00 00 44 8D 4E 40 33 C9 41 B8 00 30 00 00 FF }
- condition:
- // MZ signature at offset 0 and ...
- uint16(0) == 0x5A4D and
-
- // ... PE signature at offset stored in MZ header at 0x3C
- uint32(uint32(0x3C)) == 0x00004550 and
- filesize < 3000KB and $path_check and $shellcode_allocate and $shellcode_read
-}
diff --git a/yara-mikesxrs/Checkpoint/apt_CN_TwistedPanda_SPINNER_1.yar b/yara-mikesxrs/Checkpoint/apt_CN_TwistedPanda_SPINNER_1.yar
deleted file mode 100644
index dfd48c3..0000000
--- a/yara-mikesxrs/Checkpoint/apt_CN_TwistedPanda_SPINNER_1.yar
+++ /dev/null
@@ -1,33 +0,0 @@
-rule apt_CN_TwistedPanda_SPINNER_1 {
- meta:
- author = "Check Point Research"
- description = "Detect the obfuscated variant of SPINNER payload used by TwistedPanda"
- reference = "https://research.checkpoint.com/2022/twisted-panda-chinese-apt-espionage-operation-against-russians-state-owned-defense-institutes/"
- date = "2022-04-14"
- hash = "a9fb7bb40de8508606a318866e0e5ff79b98f314e782f26c7044622939dfde81"
-
- strings:
- // C7 ?? ?? ?? 00 00 00 mov dword ptr [eax+??], ??
- // C7 ?? ?? ?? 00 00 00 mov dword ptr [eax+??], ??
- // C6 mov byte ptr [eax], 0
- $config_init = { C7 ?? ?? ?? 00 00 00 C7 ?? ?? ?? 00 00 00 C6 }
- $c2_cmd_1 = { 01 00 03 10}
- $c2_cmd_2 = { 02 00 01 10}
- $c2_cmd_3 = { 01 00 01 10}
- // 8D 83 ?? ?? ?? ?? lea eax, xor_key[ebx]
- // 80 B3 ?? ?? ?? ?? ?? xor xor_key[ebx], 50h
- // 89 F1 mov ecx, esi ; this
- // 6A 01 push 1 ; Size
- // 50 push eax ; Src
- // E8 ?? ?? ?? ?? call str_append
- // 80 B3 ?? ?? ?? ?? ?? xor xor_key[ebx], 50h
- $decryption = { 8D 83 [4] 80 B3 [5] 89 F1 6A 01 50 E8 [4] 80 B3 }
-
- condition:
- // MZ signature at offset 0 and ...
- uint16(0) == 0x5A4D and
-
- // ... PE signature at offset stored in MZ header at 0x3C
- uint32(uint32(0x3C)) == 0x00004550 and
- filesize < 3000KB and #config_init > 10 and 2 of ($c2_cmd_*) and $decryption
-}
diff --git a/yara-mikesxrs/Checkpoint/apt_CN_TwistedPanda_SPINNER_2.yar b/yara-mikesxrs/Checkpoint/apt_CN_TwistedPanda_SPINNER_2.yar
deleted file mode 100644
index ee2792d..0000000
--- a/yara-mikesxrs/Checkpoint/apt_CN_TwistedPanda_SPINNER_2.yar
+++ /dev/null
@@ -1,35 +0,0 @@
-rule apt_CN_TwistedPanda_SPINNER_2 {
- meta:
- author = "Check Point Research"
- description = "Detect an older variant of SPINNER payload used by TwistedPanda"
- reference = "https://research.checkpoint.com/2022/twisted-panda-chinese-apt-espionage-operation-against-russians-state-owned-defense-institutes/"
- date = "2022-04-14"
- hash = "28ecd1127bac08759d018787484b1bd16213809a2cc414514dc1ea87eb4c5ab8"
-
- strings:
- // C7 ?? ?? ?? 00 00 00 mov dword ptr [eax+??], ??
- // C7 ?? ?? ?? 00 00 00 mov dword ptr [eax+??], ??
- // C6 mov byte ptr [eax], 0
- $config_init = { C7 [3] 00 00 00 C7 [3] 00 00 00 C6 }
- $c2_cmd_1 = { 01 00 03 10 }
- $c2_cmd_2 = { 02 00 01 10 }
- $c2_cmd_3 = { 01 00 01 10 }
- $c2_cmd_4 = { 01 00 00 10 }
- $c2_cmd_5 = { 02 00 00 10 }
- // 80 B3 ?? ?? ?? ?? ?? xor ds:dd_encrypted_url[ebx], 50h
- // 8D BB ?? ?? ?? ?? lea edi, dd_encrypted_url[ebx]
- // 8B 56 14 mov edx, [esi+14h]
- // 8B C2 mov eax, edx
- // 8B 4E 10 mov ecx, [esi+10h]
- // 2B C1 sub eax, ecx
- // 83 F8 01 cmp eax, 1
- $decryption = { 80 B3 [5] 8D BB [4] 8B 56 14 8B C2 8B 4E 10 2B C1 83 F8 01 }
-
- condition:
- // MZ signature at offset 0 and ...
- uint16(0) == 0x5A4D and
-
- // ... PE signature at offset stored in MZ header at 0x3C
- uint32(uint32(0x3C)) == 0x00004550 and
- filesize < 3000KB and #config_init > 10 and 2 of ($c2_cmd_*) and $decryption
-}
diff --git a/yara-mikesxrs/Checkpoint/apt_CN_TwistedPanda_droppers.yar b/yara-mikesxrs/Checkpoint/apt_CN_TwistedPanda_droppers.yar
deleted file mode 100644
index 8262709..0000000
--- a/yara-mikesxrs/Checkpoint/apt_CN_TwistedPanda_droppers.yar
+++ /dev/null
@@ -1,36 +0,0 @@
-rule apt_CN_TwistedPanda_droppers {
- meta:
- author = "Check Point Research"
- description = "Detect droppers used by TwistedPanda"
- reference = "https://research.checkpoint.com/2022/twisted-panda-chinese-apt-espionage-operation-against-russians-state-owned-defense-institutes/"
- date = "2022-04-14"
- hash = "59dea38da6e515af45d6df68f8959601e2bbf0302e35b7989e741e9aba2f0291"
- hash = "8b04479fdf22892cdfebd6e6fbed180701e036806ed0ddbe79f0b29f73449248"
- hash = "f29a0cda6e56fc0e26efa3b6628c6bcaa0819a3275a10e9da2a8517778152d66"
-
- strings:
- // 81 FA ?? ?? ?? ?? cmp edx, 4BED1896h
- // 75 ?? jnz short loc_140001829
- // E8 ?? ?? ?? ?? call sub_1400019D0
- // 48 89 05 ?? ?? ?? ?? mov cs:qword_14001ED38, rax
- // E? ?? ?? ?? ?? jmp loc_1400018DD
- $switch_control = { 81 FA [4] 75 ?? E8 [4] 48 89 05 [4] E? }
- // 41 0F ?? ?? movsx edx, byte ptr [r9]
- // 44 ?? ?? or r8d, edx
- // 41 ?? ?? 03 rol r8d, 3
- // 41 81 ?? ?? ?? ?? ?? xor r8d, 0EF112233h
- // 41 ?? ?? mov eax, r10d
- $byte_manipulation = { 41 0F [2] 44 [2] 41 [2] 03 41 81 [5] 41 }
- // %public%
- $stack_strings_1 = { 25 00 70 00 }
- $stack_strings_2 = { 75 00 62 00 }
- $stack_strings_3 = { 6C 00 69 00 }
- $stack_strings_4 = { 63 00 25 00 }
- condition:
- // MZ signature at offset 0 and ...
- uint16(0) == 0x5A4D and
-
- // ... PE signature at offset stored in MZ header at 0x3C
- uint32(uint32(0x3C)) == 0x00004550 and
- filesize < 3000KB and #switch_control > 8 and all of ($stack_strings_*) and $byte_manipulation
-}
diff --git a/yara-mikesxrs/Checkpoint/apt_CN_TwistedPanda_loader.yar b/yara-mikesxrs/Checkpoint/apt_CN_TwistedPanda_loader.yar
deleted file mode 100644
index 903b24b..0000000
--- a/yara-mikesxrs/Checkpoint/apt_CN_TwistedPanda_loader.yar
+++ /dev/null
@@ -1,42 +0,0 @@
-rule apt_CN_TwistedPanda_loader {
- meta:
- author = "Check Point Research"
- reference = "https://research.checkpoint.com/2022/twisted-panda-chinese-apt-espionage-operation-against-russians-state-owned-defense-institutes/"
- description = "Detect loader used by TwistedPanda"
- date = "2022-04-14"
- hash = "5b558c5fcbed8544cb100bd3db3c04a70dca02eec6fedffd5e3dcecb0b04fba0"
- hash = "efa754450f199caae204ca387976e197d95cdc7e83641444c1a5a91b58ba6198"
-
- strings:
-
- // 6A 40 push 40h ; '@'
- // 68 00 30 00 00 push 3000h
- $seq1 = { 6A 40 68 00 30 00 00 }
-
- // 6A 00 push 0 ; lpOverlapped
- // 50 push eax ; lpNumberOfBytesRead
- // 6A 14 push 14h ; nNumberOfBytesToRead
- // 8D ?? ?? ?? ?? ?? lea eax, [ebp+Buffer]
- // 50 push eax ; lpBuffer
- // 53 push ebx ; hFile
- // FF 15 04 D0 4C 70 call ds:ReadFile
- $seq2 = { 6A 00 50 6A 14 8D ?? ?? ?? ?? ?? 50 53 FF }
- // 6A 00 push 0
- // 6A 00 push 0
- // 6A 03 push 3
- // 6A 00 push 0
- // 6A 03 push 3
- // 68 00 00 00 80 push 80000000h
- $seq3 = { 6A 00 6A 00 6A 03 6A 00 6A 03 68 00 00 00 80 }
-
- // Decryption sequence
- $decryption = { 8B C? [2-3] F6 D? 1A C? [2-3] [2-3] 30 0? ?? 4? }
-
- condition:
- // MZ signature at offset 0 and ...
- uint16(0) == 0x5A4D and
-
- // ... PE signature at offset stored in MZ header at 0x3C
- uint32(uint32(0x3C)) == 0x00004550 and
- filesize < 3000KB and all of ($seq*) and $decryption
-}
diff --git a/yara-mikesxrs/Checkpoint/apt_WebAssistant_TcahfUpdate.yar b/yara-mikesxrs/Checkpoint/apt_WebAssistant_TcahfUpdate.yar
deleted file mode 100644
index bef2cc8..0000000
--- a/yara-mikesxrs/Checkpoint/apt_WebAssistant_TcahfUpdate.yar
+++ /dev/null
@@ -1,17 +0,0 @@
-rule apt_WebAssistant_TcahfUpdate {
-meta:
- description = "Rule for detecting the fake WebAssistant and TcahfUpdate applications used to target the Uyghur minority"
- reference = "https://research.checkpoint.com/2021/uyghurs-a-turkic-ethnic-minority-in-china-targeted-via-fake-foundations/"
- version = "1.0"
- last_modified = "2021-05-06"
- hash = "2f7492423586a3061e5641b5b271ca54"
- hash = "1b5dbd351bb7159eb08868c46a3fe3a6"
- hash = "90fcbd5c904326466c3b6af1ca34aae1"
-strings:
- $url = {2f 00 63 00 67 00 69 00 2d 00 62 00 69 00 6e 00 2f [0-50] 2e 00 70 00 79 00 3f 00}
- $lib = "Newtonsoft.Json"
- $mac = "MACAddress Is Not NULL" wide
-condition:
- uint16(0)==0x5A4D and $url and $lib and $mac
- and filesize < 1MB
-}
diff --git a/yara-mikesxrs/Checkpoint/apt_nazar_component_guids.yar b/yara-mikesxrs/Checkpoint/apt_nazar_component_guids.yar
deleted file mode 100644
index 2097782..0000000
--- a/yara-mikesxrs/Checkpoint/apt_nazar_component_guids.yar
+++ /dev/null
@@ -1,32 +0,0 @@
-rule apt_nazar_component_guids
-{
- meta:
- description = "Detect Nazar Components by COM Objects' GUID"
- author = "Itay Cohen"
- date = "2020-04-27"
- reference = ""
- reference2 = "https://research.checkpoint.com/2020/nazar-spirits-of-the-past/"
- hash = "1110c3e34b6bbaadc5082fabbdd69f492f3b1480724b879a3df0035ff487fd6f"
- hash = "1afe00b54856628d760b711534779da16c69f542ddc1bb835816aa92ed556390"
- hash = "2caedd0b2ea45761332a530327f74ca5b1a71301270d1e2e670b7fa34b6f338e"
- hash = "2fe9b76496a9480273357b6d35c012809bfa3ae8976813a7f5f4959402e3fbb6"
- hash = "460eba344823766fe7c8f13b647b4d5d979ce4041dd5cb4a6d538783d96b2ef8"
- hash = "4d0ab3951df93589a874192569cac88f7107f595600e274f52e2b75f68593bca"
- hash = "75e4d73252c753cd8e177820eb261cd72fecd7360cc8ec3feeab7bd129c01ff6"
- hash = "8fb9a22b20a338d90c7ceb9424d079a61ca7ccb7f78ffb7d74d2f403ae9fbeec"
- hash = "967ac245e8429e3b725463a5c4c42fbdf98385ee6f25254e48b9492df21f2d0b"
- hash = "be624acab7dfe6282bbb32b41b10a98b6189ab3a8d9520e7447214a7e5c27728"
- hash = "d34a996826ea5a028f5b4713c797247913f036ca0063cc4c18d8b04736fa0b65"
- hash = "d9801b4da1dbc5264e83029abb93e800d3c9971c650ecc2df5f85bcc10c7bd61"
- hash = "eb705459c2b37fba5747c73ce4870497aa1d4de22c97aaea4af38cdc899b51d3"
- strings:
- $guid1_godown = { 98 B3 E5 F6 DF E3 6B 49 A2 AD C2 0F EA 30 DB FE } // Godown.dll IID
- $guid2_godown = { 31 4B CB DB B8 21 0F 4A BC 69 0C 3C E3 B6 6D 00 } // Godown.dll CLSID
- $guid3_godown = { AF 94 4E B6 6B D5 B4 48 B1 78 AF 07 23 E7 2A B5 } // probably Godown
- $guid4_filesystem = { 79 27 AB 37 34 F2 9D 4D B3 FB 59 A3 FA CB 8D 60 } // Filesystem.dll CLSID
- $guid6_filesystem = { 2D A1 2B 77 62 8A D3 4D B3 E8 92 DA 70 2E 6F 3D } // Filesystem.dll TypeLib IID
- $guid5_filesystem = { AB D3 13 CF 1C 6A E8 4A A3 74 DE D5 15 5D 6A 88 } // Filesystem.dll
-
- condition:
- any of them
-}
diff --git a/yara-mikesxrs/Checkpoint/apt_nazar_svchost_commands.yar b/yara-mikesxrs/Checkpoint/apt_nazar_svchost_commands.yar
deleted file mode 100644
index e4ef01e..0000000
--- a/yara-mikesxrs/Checkpoint/apt_nazar_svchost_commands.yar
+++ /dev/null
@@ -1,19 +0,0 @@
-rule apt_nazar_svchost_commands
-{
- meta:
- description = "Detect Nazar's svchost based on supported commands"
- author = "Itay Cohen"
- date = "2020-04-26"
- reference = ""
- reference2 = "https://research.checkpoint.com/2020/nazar-spirits-of-the-past/"
- hash = "2fe9b76496a9480273357b6d35c012809bfa3ae8976813a7f5f4959402e3fbb6"
- hash = "be624acab7dfe6282bbb32b41b10a98b6189ab3a8d9520e7447214a7e5c27728"
- strings:
- $str1 = { 33 31 34 00 36 36 36 00 33 31 33 00 }
- $str2 = { 33 31 32 00 33 31 35 00 35 35 35 00 }
- $str3 = { 39 39 39 00 35 39 39 00 34 39 39 00 }
- $str4 = { 32 30 39 00 32 30 31 00 32 30 30 00 }
- $str5 = { 31 39 39 00 31 31 39 00 31 38 39 00 31 33 39 00 33 31 31 00 }
- condition:
- 4 of them
-}
diff --git a/yara-mikesxrs/Checkpoint/checkpoint_index.yara b/yara-mikesxrs/Checkpoint/checkpoint_index.yara
deleted file mode 100644
index 175adf5..0000000
--- a/yara-mikesxrs/Checkpoint/checkpoint_index.yara
+++ /dev/null
@@ -1,206 +0,0 @@
-rule explosive_exe
-{
- meta:
- author = "Check Point Software Technologies Inc."
- info = "Explosive EXE"
- strings:
- $MZ = "MZ"
- $DLD_S = "DLD-S:"
- $DLD_E = "DLD-E:"
- condition:
- $MZ at 0 and all of them
-}
-
-import "pe"
-rule explosive_dll
-
-{
- meta:
- author = "Check Point Software Technologies Inc."
- info = "Explosive DLL"
- reference = "https://www.checkpoint.com/downloads/volatile-cedar-technical-report.pdf"
-
-
- condition:
- pe.DLL
- and ( pe.exports("PathProcess") or pe.exports("_PathProcess@4") ) and
-pe.exports("CON")
-}
-
-rule ZZ_breakwin_config {
- meta:
- description = "Detects the header of the encrypted config files, assuming known encryption key."
- reference = "https://research.checkpoint.com/2021/indra-hackers-behind-recent-attacks-on-iran/"
- author = "Check Point Research"
- date = "22-07-2021"
- hash = "948febaab71727217303e0aabb9126f242aa51f89caa7f070a3da76c4f5699ed"
- hash = "2d35bb7c02062ff2fba4424a267c5c83351405281a1870f52d02f3712a547a22"
- hash = "68e95a3ccde3ea22b8eb8adcf0ad53c7993b2ea5316948e31d9eadd11b5151d7"
- strings:
- $conf_header = {1A 69 45 47 5E 46 4A 06 03 E4 34 0B 06 1D ED 2F 02 15 02 E5 57 4D 59 59 D1 40 20 22}
- condition:
- $conf_header at 0
-}
-rule ZZ_breakwin_wiper {
- meta:
- description = "Detects the BreakWin wiper that was used in attacks in Syria"
- reference = "https://research.checkpoint.com/2021/indra-hackers-behind-recent-attacks-on-iran/"
- author = "Check Point Research"
- date = "22-07-2021"
- hash = "2aa6e42cb33ec3c132ffce425a92dfdb5e29d8ac112631aec068c8a78314d49b"
- hash = "6709d332fbd5cde1d8e5b0373b6ff70c85fee73bd911ab3f1232bb5db9242dd4"
- hash = "d71cc6337efb5cbbb400d57c8fdeb48d7af12a292fa87a55e8705d18b09f516e"
- strings:
- $debug_str_meteor_1 = "the program received an invalid number of arguments" wide
- $debug_str_meteor_2 = "End interval logger. Resuming writing every log" wide
- $debug_str_meteor_0 = "failed to initialize configuration from file" wide
- $debug_str_meteor_3 = "Meteor is still alive." wide
- $debug_str_meteor_4 = "Exiting main function because of some error" wide
- $debug_str_meteor_5 = "Meteor has finished. This shouldn't be possible because of the is-alive loop." wide
- $debug_str_meteor_6 = "Meteor has started." wide
- $debug_str_meteor_7 = "Could not hide current console." wide
- $debug_str_meteor_8 = "Could not get the window handle used by the console." wide
- $debug_str_meteor_9 = "Failed to find base-64 data size" wide
- $debug_str_meteor_10 = "Running locker thread" wide
- $debug_str_meteor_11 = "Failed to encode wide-character string as Base64" wide
- $debug_str_meteor_12 = "Wiper operation failed." wide
- $debug_str_meteor_13 = "Screen saver disable failed." wide
- $debug_str_meteor_14 = "Failed to generate password of length %s. Generating a default one." wide
- $debug_str_meteor_15 = "Failed to delete boot configuration" wide
- $debug_str_meteor_16 = "Could not delete all BCD entries." wide
- $debug_str_meteor_17 = "Finished deleting BCD entries." wide
- $debug_str_meteor_18 = "Failed to change lock screen" wide
- $debug_str_meteor_19 = "Boot configuration deleted successfully" wide
- $debug_str_meteor_20 = "Failed to kill all winlogon processes" wide
- $debug_str_meteor_21 = "Changing passwords of all users to" wide
- $debug_str_meteor_22 = "Failed to change the passwords of all users" wide
- $debug_str_meteor_23 = "Failed to run the locker thread" wide
- $debug_str_meteor_24 = "Screen saver disabled successfully." wide
- $debug_str_meteor_25 = "Generating random password failed" wide
- $debug_str_meteor_26 = "Locker installation failed" wide
- $debug_str_meteor_27 = "Failed to set auto logon." wide
- $debug_str_meteor_28 = "Failed to initialize interval logger. Using a dummy logger instead." wide
- $debug_str_meteor_29 = "Succeeded setting auto logon for" wide
- $debug_str_meteor_30 = "Failed disabling the first logon privacy settings user approval." wide
- $debug_str_meteor_31 = "Failed disabling the first logon animation." wide
- $debug_str_meteor_32 = "Waiting for new winlogon process" wide
- $debug_str_meteor_33 = "Failed to isolate from domain" wide
- $debug_str_meteor_34 = "Failed creating scheduled task for system with name %s." wide
- $debug_str_meteor_35 = "Failed to get the new token of winlogon." wide
- $debug_str_meteor_36 = "Failed adding new admin user." wide
- $debug_str_meteor_37 = "Failed changing settings for the created new user." wide
- $debug_str_meteor_38 = "Failed disabling recovery mode." wide
- $debug_str_meteor_39 = "Logging off users on Windows version 8 or above" wide
- $debug_str_meteor_40 = "Succeeded setting boot policy to ignore all errors." wide
- $debug_str_meteor_41 = "Succeeded creating scheduled task for system with name" wide
- $debug_str_meteor_42 = "Succeeded disabling recovery mode" wide
- $debug_str_meteor_43 = "Failed to log off all sessions" wide
- $debug_str_meteor_44 = "Failed to delete shadowcopies." wide
- $debug_str_meteor_45 = "Failed logging off session: " wide
- $debug_str_meteor_46 = "Failed setting boot policy to ignore all errors." wide
- $debug_str_meteor_47 = "Successfully logged off all local sessions, except winlogon." wide
- $debug_str_meteor_48 = "Succeeded creating scheduled task with name %s for user %s." wide
- $debug_str_meteor_49 = "Killing all winlogon processes" wide
- $debug_str_meteor_50 = "Logging off users in Windows 7" wide
- $debug_str_meteor_51 = "Failed logging off all local sessions, except winlogon." wide
- $debug_str_meteor_52 = "Failed creating scheduled task with name %s for user %s." wide
- $debug_str_meteor_53 = "Succeeded deleting shadowcopies." wide
- $debug_str_meteor_54 = "Logging off users in Windows XP" wide
- $debug_str_meteor_55 = "Failed changing settings for the created new user." wide
- $debug_str_meteor_56 = "Could not open file %s. error message: %s" wide
- $debug_str_meteor_57 = "Could not write to file %s. error message: %s" wide
- $debug_str_meteor_58 = "tCould not tell file pointer location on file %s." wide
- $debug_str_meteor_59 = "Could not set file pointer location on file %s to offset %s." wide
- $debug_str_meteor_60 = "Could not read from file %s. error message: %s" wide
- $debug_str_meteor_61 = "Failed to wipe file %s" wide
- $debug_str_meteor_62 = "attempted to access encrypted file in offset %s, but it only supports offset 0" wide
- $debug_str_meteor_63 = "Failed to create thread. Error message: %s" wide
- $debug_str_meteor_64 = "Failed to wipe file %s" wide
- $debug_str_meteor_65 = "failed to get configuration value with key %s" wide
- $debug_str_meteor_66 = "failed to parse the configuration from file %s" wide
- $debug_str_meteor_67 = "Failed posting to server, received unknown exception" wide
- $debug_str_meteor_68 = "Failed posting to server, received std::exception" wide
- $debug_str_meteor_69 = "Skipping %s logs. Writing log number %s:" wide
- $debug_str_meteor_70 = "Start interval logger. Writing logs with an interval of %s logs." wide
- $debug_str_meteor_71 = "failed to write message to log file %s" wide
- $debug_str_meteor_72 = "The log message is too big: %s/%s characters." wide
- $debug_str_stardust_0 = "Stardust has started." wide
- $debug_str_stardust_1 = "0Vy0qMGO" ascii wide
- $debug_str_comet_0 = "Comet has started." wide
- $debug_str_comet_1 = "Comet has finished." wide
- $str_lock_my_pc = "Lock My PC 4" ascii wide
- $config_entry_0 = "state_path" ascii
- $config_entry_1 = "state_encryption_key" ascii
- $config_entry_2 = "log_server_port" ascii
- $config_entry_3 = "log_file_path" ascii
- $config_entry_4 = "log_encryption_key" ascii
- $config_entry_5 = "log_server_ip" ascii
- $config_entry_6 = "processes_to_kill" ascii
- $config_entry_7 = "process_termination_timeout" ascii
- $config_entry_8 = "paths_to_wipe" ascii
- $config_entry_9 = "wiping_stage_logger_interval" ascii
- $config_entry_10 = "locker_exe_path" ascii
- $config_entry_11 = "locker_background_image_jpg_path" ascii
- $config_entry_12 = "auto_logon_path" ascii
- $config_entry_13 = "locker_installer_path" ascii
- $config_entry_14 = "locker_password_hash" ascii
- $config_entry_15 = "users_password" ascii
- $config_entry_16 = "locker_background_image_bmp_path" ascii
- $config_entry_17 = "locker_registry_settings_files" ascii
- $config_entry_18 = "cleanup_script_path" ascii
- $config_entry_19 = "is_alive_loop_interval" ascii
- $config_entry_20 = "cleanup_scheduled_task_name" ascii
- $config_entry_21 = "self_scheduled_task_name" ascii
- $encryption_asm = {33 D2 8B C3 F7 75 E8 8B 41 04 8B 4E 04 8A 04 02 02 C3 32 04 1F 88 45 F3 39 4E 08}
- $random_string_generation = {33 D2 59 F7 F1 83 ?? ?? 08 66 0F BE 82 ?? ?? ?? 00 0F B7 C8 8B C7}
- condition:
- uint16(0) == 0x5A4D and
- (
- 6 of them or
- $encryption_asm or
- $random_string_generation
- )
-}
-rule ZZ_breakwin_stardust_vbs {
- meta:
- description = "Detect the VBS files that where found in the attacks on targets in Syria"
- reference = "https://research.checkpoint.com/2021/indra-hackers-behind-recent-attacks-on-iran/"
- author = "Check Point Research"
- date = "22-07-2021"
- hash = "38a419cd9456e40961c781e16ceee99d970be4e9235ccce0b316efe68aba3933"
- hash = "62a984981d14b562939294df9e479ac0d65dfc412d0449114ccb2a0bc93769b0"
- hash = "4d994b864d785abccef829d84f91d949562d0af934114b65056315bf59c1ef58"
- hash = "eb5237d56c0467b5def9a92e445e34eeed9af2fee28f3a2d2600363724d6f8b0"
- hash = "5553ba3dc141cd63878a7f9f0a0e67fb7e887010c0614efd97bbc6c0be9ec2ad"
- strings:
- $url_template = "progress.php?hn=\" & CN & \"&dt=\" & DT & \"&st="
- $compression_password_1 = "YWhZMFU1VlZGdGNFNWlhMVlVMnhTMWtOVlJVWWNGTk9iVTQxVW10V0ZFeFJUMD0r"
- $compression_password_2 = "YWlvcyBqQCNAciNxIGpmc2FkKnIoOUZURjlVSjBSRjJRSlJGODlKSDIzRmloIG8"
- $uninstall_kaspersky = "Shell.Run \"msiexec.exe /x \" & productcode & \" KLLOGIN="
- $is_avp_running = "isProcessRunning(\".\", \"avp.exe\") Then"
- condition:
- any of them
-}
-rule ZZ_breakwin_meteor_batch_files {
- meta:
- description = "Detect the batch files used in the attacks"
- reference = "https://research.checkpoint.com/2021/indra-hackers-behind-recent-attacks-on-iran/"
- author = "Check Point Research"
- date = "22-07-2021"
- strings:
- $filename_0 = "mscap.bmp"
- $filename_1 = "mscap.jpg"
- $filename_2 = "msconf.conf"
- $filename_3 = "msmachine.reg"
- $filename_4 = "mssetup.exe"
- $filename_5 = "msuser.reg"
- $filename_6 = "msapp.exe"
- $filename_7 = "bcd.rar"
- $filename_8 = "bcd.bat"
- $filename_9 = "msrun.bat"
- $command_line_0 = "powershell -Command \"%exclude_command% '%defender_exclusion_folder%"
- $command_line_1 = "start /b \"\" update.bat hackemall"
- condition:
- 4 of ($filename_*) or
- any of ($command_line_*)
-}
diff --git a/yara-mikesxrs/Checkpoint/explosive_dll.yar b/yara-mikesxrs/Checkpoint/explosive_dll.yar
deleted file mode 100644
index 0c6c0be..0000000
--- a/yara-mikesxrs/Checkpoint/explosive_dll.yar
+++ /dev/null
@@ -1,15 +0,0 @@
-import "pe"
-rule explosive_dll
-
-{
- meta:
- author = "Check Point Software Technologies Inc."
- info = "Explosive DLL"
- reference = "https://www.checkpoint.com/downloads/volatile-cedar-technical-report.pdf"
-
-
- condition:
- pe.DLL
- and ( pe.exports("PathProcess") or pe.exports("_PathProcess@4") ) and
-pe.exports("CON")
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/Checkpoint/explosive_exe.yar b/yara-mikesxrs/Checkpoint/explosive_exe.yar
deleted file mode 100644
index 37b8d07..0000000
--- a/yara-mikesxrs/Checkpoint/explosive_exe.yar
+++ /dev/null
@@ -1,15 +0,0 @@
-rule explosive_exe
-{
- meta:
- author = "Check Point Software Technologies Inc."
- info = "Explosive EXE"
- reference = "https://www.checkpoint.com/downloads/volatile-cedar-technical-report.pdf"
-
- strings:
- $MZ = "MZ"
- $DLD_S = "DLD-S:"
- $DLD_E = "DLD-E:"
-
- condition:
- $MZ at 0 and all of them
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/Checkpoint/goziv3_trojan.yar b/yara-mikesxrs/Checkpoint/goziv3_trojan.yar
deleted file mode 100644
index 28da682..0000000
--- a/yara-mikesxrs/Checkpoint/goziv3_trojan.yar
+++ /dev/null
@@ -1,11 +0,0 @@
-rule goziv3: trojan {
- meta:
- module = "goziv3"
- reference = "https://research.checkpoint.com/2020/gozi-the-malware-with-a-thousand-faces/"
- strings:
- $dec_bss = {D3 C0 83 F3 01 89 02 83 C2 04 FF 4C 24 0C}
- $gen_serpent = {33 44 24 04 33 44 24 08 C2 08 00}
- condition:
- ($dec_bss and $gen_serpent) and (uint16(0) == 0x5A4D or uint16(0) == 0x5850 )
-}
-
diff --git a/yara-mikesxrs/Checkpoint/injector_ZZ_dotRunpeX.yar b/yara-mikesxrs/Checkpoint/injector_ZZ_dotRunpeX.yar
deleted file mode 100644
index d95abc6..0000000
--- a/yara-mikesxrs/Checkpoint/injector_ZZ_dotRunpeX.yar
+++ /dev/null
@@ -1,58 +0,0 @@
-rule injector_ZZ_dotRunpeX {
- meta:
- description = "Detects new version of dotRunpeX - configurable .NET injector"
- author = "Jiri Vinopal (jiriv)"
- date = "2022-10-30"
- hash1 = "373a86e36f7e808a1db263b4b49d2428df4a13686da7d77edba7a6dd63790232" // injects Formbook
- hash2 = "41ea8f9a9f2a7aeb086dedf8e5855b0409f31e7793cbba615ca0498e47a72636" // injects Formbook
- hash3 = "5e3588e8ddebd61c2bd6dab4b87f601bd6a4857b33eb281cb5059c29cfe62b80" // injects AsyncRat
- hash4 = "8c451b84d9579b625a7821ad7ddcb87bdd665a9e6619eaecf6ab93cd190cf504" // injects Remcos
- hash5 = "8fa81f6341b342afa40b7dc76dd6e0a1874583d12ea04acf839251cb5ca61591" // injects Formbook
- hash6 = "cd4c821e329ec1f7bfe7ecd39a6020867348b722e8c84a05c7eb32f8d5a2f4db" // injects AgentTesla
- hash7 = "fa8a67642514b69731c2ce6d9e980e2a9c9e409b3947f2c9909d81f6eac81452" // injects AsyncRat
- hash8 = "eb2e2ac0f5f51d90fe90b63c3c385af155b2fee30bc3dc6309776b90c21320f5" // injects SnakeKeylogger
- report = "https://research.checkpoint.com/2023/dotrunpex-demystifying-new-virtualized-net-injector-used-in-the-wild/"
- strings:
- // Used ImplMap imports (PInvoke)
- $implmap1 = "VirtualAllocEx"
- $implmap2 = "CreateProcess"
- $implmap3 = "CreateRemoteThread"
- $implmap4 = "Wow64SetThreadContext"
- $implmap5 = "Wow64GetThreadContext"
- $implmap6 = "NtResumeThread"
- $implmap7 = "ZwUnmapViewOfSection"
- $implmap8 = "NtWriteVirtualMemory"
- $implmap9 = "MessageBox" // ImplMap not presented in all samples - maybe different versions?
- $implmap10 = "Wow64DisableWow64FsRedirection"
- $implmap11 = "Wow64RevertWow64FsRedirection"
- $implmap12 = "CreateFile"
- $implmap13 = "RtlInitUnicodeString"
- $implmap14 = "NtLoadDriver"
- $implmap15 = "NtUnloadDriver"
- $implmap16 = "OpenProcessToken"
- $implmap17 = "LookupPrivilegeValue"
- $implmap18 = "AdjustTokenPrivileges"
- $implmap19 = "CloseHandle"
- $implmap20 = "NtQuerySystemInformation"
- $implmap21 = "DeviceIoControl"
- $implmap22 = "GetProcessHeap"
- $implmap23 = "HeapFree"
- $implmap24 = "HeapAlloc"
- $implmap25 = "GetProcAddress"
- $implmap26 = "CopyMemory" // ImplMap added by KoiVM Protector used by this injector
- $modulerefKernel1 = "Kernel32"
- $modulerefKernel2 = "kernel32"
- $modulerefNtdll1 = "Ntdll"
- $modulerefNtdll2 = "ntdll"
- $modulerefAdvapi1 = "Advapi32"
- $modulerefAdvapi2 = "advapi32"
-
- $regPath = "\\Registry\\Machine\\System\\CurrentControlSet\\Services\\TaskKill" wide // Registry path for installing Sysinternals Procexp driver
- $rsrcName = "BIDEN_HARRIS_PERFECT_ASSHOLE" wide
- $koiVM1 = "KoiVM"
- $koiVM2 = "#Koi"
- condition:
- uint16(0) == 0x5a4d and uint16(uint32(0x3c)) == 0x4550 and ($regPath or $rsrcName or 1 of ($koiVM*)) and
- 24 of ($implmap*) and 1 of ($modulerefKernel*) and 1 of ($modulerefNtdll*) and 1 of ($modulerefAdvapi*)
-
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/Checkpoint/injector_ZZ_dotRunpeX_oldnew.yar b/yara-mikesxrs/Checkpoint/injector_ZZ_dotRunpeX_oldnew.yar
deleted file mode 100644
index 638e559..0000000
--- a/yara-mikesxrs/Checkpoint/injector_ZZ_dotRunpeX_oldnew.yar
+++ /dev/null
@@ -1,45 +0,0 @@
-rule injector_ZZ_dotRunpeX_oldnew {
- meta:
- description = "Detects new and old version of dotRunpeX - configurable .NET injector"
- author = "Jiri Vinopal (jiriv)"
- date = "2022-10-30"
- hash1_New = "373a86e36f7e808a1db263b4b49d2428df4a13686da7d77edba7a6dd63790232" // injects Formbook
- hash2_New = "41ea8f9a9f2a7aeb086dedf8e5855b0409f31e7793cbba615ca0498e47a72636" // injects Formbook
- hash3_New = "5e3588e8ddebd61c2bd6dab4b87f601bd6a4857b33eb281cb5059c29cfe62b80" // injects AsyncRat
- hash4_New = "8c451b84d9579b625a7821ad7ddcb87bdd665a9e6619eaecf6ab93cd190cf504" // injects Remcos
- hash5_New = "8fa81f6341b342afa40b7dc76dd6e0a1874583d12ea04acf839251cb5ca61591" // injects Formbook
- hash6_New = "cd4c821e329ec1f7bfe7ecd39a6020867348b722e8c84a05c7eb32f8d5a2f4db" // injects AgentTesla
- hash7_New = "fa8a67642514b69731c2ce6d9e980e2a9c9e409b3947f2c9909d81f6eac81452" // injects AsyncRat
- hash8_New = "eb2e2ac0f5f51d90fe90b63c3c385af155b2fee30bc3dc6309776b90c21320f5" // injects SnakeKeylogger
- hash1_Old = "1e7614f757d40a2f5e2f4bd5597d04878768a9c01aa5f9f23d6c87660f7f0fbc" // injects Lokibot
- hash2_Old = "317e6817bba0f54e1547dd9acf24ee17a4cda1b97328cc69dc1ec16e11c258fc" // injects Redline
- hash3_Old = "65cac67ed2a084beff373d6aba6f914b8cba0caceda254a857def1df12f5154b" // injects SnakeKeylogger
- hash4_Old = "68ae2ee5ed7e793c1a49cbf1b0dd7f5a3de9cb783b51b0953880994a79037326" // injects Lokibot
- hash5_Old = "81763d8e3b42d07d76b0a74eda4e759981971635d62072c8da91251fc849b91e" // injects SnakeKeylogger
- report = "https://research.checkpoint.com/2023/dotrunpex-demystifying-new-virtualized-net-injector-used-in-the-wild/"
- strings:
- // Used ImplMap imports (PInvoke)
- $implmap1 = "VirtualAllocEx"
- $implmap2 = "CreateProcess"
- $implmap3 = "CreateRemoteThread"
- $implmap4 = "Wow64SetThreadContext"
- $implmap5 = "Wow64GetThreadContext"
- $implmap6 = "RtlInitUnicodeString"
- $implmap7 = "NtLoadDriver"
- $implmap8 = "LoadLibrary"
- $implmap9 = "VirtualProtect"
- $implmap10 = "AdjustTokenPrivileges"
- $implmap11 = "GetProcAddress"
- $modulerefKernel1 = "Kernel32"
- $modulerefKernel2 = "kernel32"
- $modulerefNtdll1 = "Ntdll"
- $modulerefNtdll2 = "ntdll"
-
- $regPath = "\\Registry\\Machine\\System\\CurrentControlSet\\Services\\TaskKill" wide // Registry path for installing Sysinternals Procexp driver
- $rsrcName = "BIDEN_HARRIS_PERFECT_ASSHOLE" wide
- $koiVM1 = "KoiVM"
- $koiVM2 = "#Koi"
- condition:
- uint16(0) == 0x5a4d and uint16(uint32(0x3c)) == 0x4550 and ($regPath or $rsrcName or 1 of ($koiVM*)) and
- 9 of ($implmap*) and 1 of ($modulerefKernel*) and 1 of ($modulerefNtdll*)
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/Checkpoint/lyceum_dotnet_dns_backdoor.yar b/yara-mikesxrs/Checkpoint/lyceum_dotnet_dns_backdoor.yar
deleted file mode 100644
index 8910ca1..0000000
--- a/yara-mikesxrs/Checkpoint/lyceum_dotnet_dns_backdoor.yar
+++ /dev/null
@@ -1,29 +0,0 @@
-rule lyceum_dotnet_dns_backdoor
-{
- meta:
- author = "CPR"
- reference = "https://research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/"
- hash1 = "8199f14502e80581000bd5b3bda250ee"
- hash2 = "d79687676d2d152aec4143c852bdbc4a"
- hash3 = "bcb465cc2257e5777bab431690ca5039"
- hash4 = "2bc2abefc1a721908bc805894b62227d"
- hash5 = "37a1514a7a5f9b2c6786096129a30721"
- strings:
- $log1 = "MSG SIZE rcvd" wide
- $log2 = "Empty output" wide
- $log3 = "Big Output. lines: " wide
- $com1 = "Enddd" wide
- $com2 = "uploaddd" wide
- $com3 = "downloaddd" wide
- $dga = "trailers.apple.com" wide
- $replace1 = "BackSlashh" wide
- $replace2 = "QuotationMarkk" wide
- $re_pattern = "60\\s+IN\\s+TXT" wide
- $func1 = "comRun"
- $func2 = "PlaceDot"
- $func3 = "sendAns"
- $heijden1 = "Heijden.DNS"
- $heijden2 = "DnsHeijden"
- condition:
- uint16(0)==0x5a4d and (all of ($log*) or all of ($com*) or all of ($replace*) or all of ($func*) or (any of ($heijden*) and $re_pattern and $dga))
-}
diff --git a/yara-mikesxrs/Checkpoint/lyceum_dotnet_http_backdoor.yar b/yara-mikesxrs/Checkpoint/lyceum_dotnet_http_backdoor.yar
deleted file mode 100644
index 055025d..0000000
--- a/yara-mikesxrs/Checkpoint/lyceum_dotnet_http_backdoor.yar
+++ /dev/null
@@ -1,52 +0,0 @@
-rule lyceum_dotnet_http_backdoor
-{
- meta:
- author = "CPR"
- reference = "https://research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/"
- hash1 = "1c444ebeba24dcba8628b7dfe5fec7c6"
- hash2 = "85ca334f87667bd7fa0c47ae6149353e"
- hash3 = "73bddd5f1a0847ae5f5d55e7d9c177f6"
- hash4 = "9fb86915db1b7c00f1a4587de4e052de"
- hash5 = "37fe608983d4b06a5549247f0e16bc11"
- hash6 = "5916e5189ef0050dfcc3cc19382d08d5"
- strings:
- $class1 = "Funcss"
- $class2 = "Constantss"
- $class3 = "Reqss"
- $class4 = "Screenss"
- $class5 = "Shll"
- $class6 = "test_A1"
- $class7 = "Uploadss"
- $class8 = "WebDL"
- $cnc_uri1 = "/upload" wide
- $cnc_uri2 = "/screenshot" wide
- $cnc_pattern_hex1 = {43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 7b 30 7d 22 0d 0a 0d 0a}
- $cnc_pattern_hex2 = {6d 75 6c 74 69 70 61 72 74 2f 66 6f 72 6d 2d 64 61 74 61 3b 20 62 6f 75 6e 64 61 72 79 3d 7b 30 7d}
- $cnc_pattern_hex3 = {43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 7b 30 7d 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 7b 31 7d 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 7b 32 7d 0d 0a 0d 0a}
- $constant1 = "FILE_DIR_SEPARATOR"
- $constant2 = "APPS_PARAMS_SEPARATOR"
- $constant3 = "TYPE_SENDTOKEN"
- $constant4 = "TYPE_DATA1"
- $constant5 = "TYPE_SEND_RESPONSE_IN_SOCKET"
- $constant6 = "TYPE_FILES_LIST"
- $constant7 = "TYPE_FILES_DELETE"
- $constant8 = "TYPE_FILES_RUN"
- $constant9 = "TYPE_FILES_UPLOAD_TO_SERVER"
- $constant10 = "TYPE_FILES_DELETE_FOLDER"
- $constant11 = "TYPE_FILES_CREATE_FOLDER"
- $constant12 = "TYPE_FILES_DOWNLOAD_URL"
- $constant13 = "TYPE_OPEN_CMD"
- $constant14 = "TYPE_CMD_RES"
- $constant15 = "TYPE_CLOSE_CMD"
- $constant16 = "TYPE_CMD_REQ"
- $constant17 = "TYPE_INSTALLED_APPS"
- $constant18 = "TYPE_SCREENSHOT"
- $constant19 = "_RG_APP_NAME_"
- $constant20 = "_RG_APP_VERSION_"
- $constant21 = "_RG_APP_DATE_"
- $constant22 = "_RG_APP_PUB_"
- $constant23 = "_RG_APP_SEP_"
- $constant24 = "_SC_EXT_"
- condition:
- uint16(0)==0x5a4d and (4 of ($class*) or 4 of ($cnc_*) or 4 of ($constant*))
-}
diff --git a/yara-mikesxrs/Checkpoint/lyceum_golang_backdoor.yar b/yara-mikesxrs/Checkpoint/lyceum_golang_backdoor.yar
deleted file mode 100644
index 9791576..0000000
--- a/yara-mikesxrs/Checkpoint/lyceum_golang_backdoor.yar
+++ /dev/null
@@ -1,37 +0,0 @@
-rule lyceum_golang_backdoor
-{
- meta:
- author = "CPR"
- reference = "https://research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/"
- hash1 = "a437f997d45bc14e76d0f2482f572a34"
- hash2 = "23d174e6a0905fd59b2613d5ac106261"
- hash3 = "bcb465cc2257e5777bab431690ca5039"
- strings:
- $func1 = "main.Ase256"
- $func2 = "main.DecryptAse256"
- $func3 = "main.IsServerUp"
- $func4 = "main.register"
- $func5 = "main.commandforrun"
- $func6 = "main.UPLOAD"
- $func7 = "main.commandforanswer"
- $func8 = "main.GetMD5Hash"
- $func9 = "main.get_uid"
- $func10 = "main.commandrun"
- $func11 = "main.download"
- $func12 = "main.postFile"
- $func13 = "main.sendAns"
- $func14 = "main.comRun"
- $cnc_uri1 = "/GO/1.php"
- $cnc_uri2 = "/GO/2.php"
- $cnc_uri3 = "/GO/3.php"
- $auth_token = "auth_token=\"XXXXXXX\""
- $log1 = "client registred"
- $log2 = "no command"
- $log3 = "can not create file"
- $log4 = "errorGettingUserName"
- $log5 = "New record created successfully"
- $log6 = "SERVER_IS_DOWN"
- $dga = "trailers.apple.com."
- condition:
- uint16(0)==0x5a4d and ((10 of ($func*) or any of ($cnc_uri*) or $auth_token or 3 of ($log*)) or ($dga and 4 of them))
-}
diff --git a/yara-mikesxrs/Checkpoint/malware_bumblebee_packed.yar b/yara-mikesxrs/Checkpoint/malware_bumblebee_packed.yar
deleted file mode 100644
index 480b8e4..0000000
--- a/yara-mikesxrs/Checkpoint/malware_bumblebee_packed.yar
+++ /dev/null
@@ -1,31 +0,0 @@
-rule malware_bumblebee_packed {
- meta:
- author = "Marc Salinas @ CheckPoint Research"
- malware_family = "BumbleBee"
- date = "13/07/2022"
- description = "Detects the packer used by bumblebee, the rule is based on the code responsible for allocating memory for a critical structure in its logic."
- dll_jul = "6bc2ab410376c1587717b2293f2f3ce47cb341f4c527a729da28ce00adaaa8db"
- dll_jun = "82aab01a3776e83695437f63dacda88a7e382af65af4af1306b5dbddbf34f9eb"
- dll_may = "a5bcb48c0d29fbe956236107b074e66ffc61900bc5abfb127087bb1f4928615c"
- iso_jul = "ca9da17b4b24bb5b24cc4274cc7040525092dffdaa5922f4a381e5e21ebf33aa"
- iso_jun = "13c573cad2740d61e676440657b09033a5bec1e96aa1f404eed62ba819858d78"
- iso_may = "b2c28cdc4468f65e6fe2f5ef3691fa682057ed51c4347ad6b9672a9e19b5565e"
- zip_jun = "7024ec02c9670d02462764dcf99b9a66b29907eae5462edb7ae974fe2efeebad"
- zip_may = "68ac44d1a9d77c25a97d2c443435459d757136f0d447bfe79027f7ef23a89fce"
- report = "https://research.checkpoint.com/2022/bumblebee-increasing-its-capacity-and-evolving-its-ttps/"
- strings:
- $heapalloc = {
- 48 8? EC [1-6] // sub rsp, 80h
- FF 15 ?? ?? 0? 00 [0-5] // call cs:GetProcessHeap
- 33 D2 // xor edx, edx ; dwFlags
- 4? [2-5] // mov rcx, rax ; hHeap
- 4? ?? ?? // mov r8d, ebx ; dwBytes
- FF 15 ?? ?? 0? 00 // call cs:HeapAlloc
- [8 - 11] // (load params)
- 48 89 05 ?? ?? ?? 00 // mov cs:HeapBufferPtr, rax
- E8 ?? ?? ?? ?? // call memset
- 4? 8B ?? ?? ?? ?? 00 // mov r14, cs:HeapBufferPtr
- }
- condition:
- $heapalloc
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/Checkpoint/nazar_component_guids.yar b/yara-mikesxrs/Checkpoint/nazar_component_guids.yar
deleted file mode 100644
index 2097782..0000000
--- a/yara-mikesxrs/Checkpoint/nazar_component_guids.yar
+++ /dev/null
@@ -1,32 +0,0 @@
-rule apt_nazar_component_guids
-{
- meta:
- description = "Detect Nazar Components by COM Objects' GUID"
- author = "Itay Cohen"
- date = "2020-04-27"
- reference = ""
- reference2 = "https://research.checkpoint.com/2020/nazar-spirits-of-the-past/"
- hash = "1110c3e34b6bbaadc5082fabbdd69f492f3b1480724b879a3df0035ff487fd6f"
- hash = "1afe00b54856628d760b711534779da16c69f542ddc1bb835816aa92ed556390"
- hash = "2caedd0b2ea45761332a530327f74ca5b1a71301270d1e2e670b7fa34b6f338e"
- hash = "2fe9b76496a9480273357b6d35c012809bfa3ae8976813a7f5f4959402e3fbb6"
- hash = "460eba344823766fe7c8f13b647b4d5d979ce4041dd5cb4a6d538783d96b2ef8"
- hash = "4d0ab3951df93589a874192569cac88f7107f595600e274f52e2b75f68593bca"
- hash = "75e4d73252c753cd8e177820eb261cd72fecd7360cc8ec3feeab7bd129c01ff6"
- hash = "8fb9a22b20a338d90c7ceb9424d079a61ca7ccb7f78ffb7d74d2f403ae9fbeec"
- hash = "967ac245e8429e3b725463a5c4c42fbdf98385ee6f25254e48b9492df21f2d0b"
- hash = "be624acab7dfe6282bbb32b41b10a98b6189ab3a8d9520e7447214a7e5c27728"
- hash = "d34a996826ea5a028f5b4713c797247913f036ca0063cc4c18d8b04736fa0b65"
- hash = "d9801b4da1dbc5264e83029abb93e800d3c9971c650ecc2df5f85bcc10c7bd61"
- hash = "eb705459c2b37fba5747c73ce4870497aa1d4de22c97aaea4af38cdc899b51d3"
- strings:
- $guid1_godown = { 98 B3 E5 F6 DF E3 6B 49 A2 AD C2 0F EA 30 DB FE } // Godown.dll IID
- $guid2_godown = { 31 4B CB DB B8 21 0F 4A BC 69 0C 3C E3 B6 6D 00 } // Godown.dll CLSID
- $guid3_godown = { AF 94 4E B6 6B D5 B4 48 B1 78 AF 07 23 E7 2A B5 } // probably Godown
- $guid4_filesystem = { 79 27 AB 37 34 F2 9D 4D B3 FB 59 A3 FA CB 8D 60 } // Filesystem.dll CLSID
- $guid6_filesystem = { 2D A1 2B 77 62 8A D3 4D B3 E8 92 DA 70 2E 6F 3D } // Filesystem.dll TypeLib IID
- $guid5_filesystem = { AB D3 13 CF 1C 6A E8 4A A3 74 DE D5 15 5D 6A 88 } // Filesystem.dll
-
- condition:
- any of them
-}
diff --git a/yara-mikesxrs/Checkpoint/qbot_vbs.yar b/yara-mikesxrs/Checkpoint/qbot_vbs.yar
deleted file mode 100644
index 68b74b9..0000000
--- a/yara-mikesxrs/Checkpoint/qbot_vbs.yar
+++ /dev/null
@@ -1,16 +0,0 @@
-rule qbot_vbs
-{
- meta:
- description = "Catches QBot VBS files"
- reference = "https://research.checkpoint.com/2020/exploring-qbots-latest-attack-methods/"
- author = "Alex Ilgayev"
- date = "2020-06-07"
- strings:
- $s3 = "ms.Send"
- $s4 = "for i=1 to 6"
- $s5 = "if ms.readyState = 4 Then"
- $s6 = "if len(ms.responseBody) <> 0 then"
- $s7 = /if left\(ms.responseText, \w*?\) = \"MZ\" then/
- condition:
- filesize > 20MB and $s3 and $s4 and $s5 and $s6 and $s7
-}
diff --git a/yara-mikesxrs/Checkpoint/ransomware_ZZ_azov_wiper.yar b/yara-mikesxrs/Checkpoint/ransomware_ZZ_azov_wiper.yar
deleted file mode 100644
index 8f68ee4..0000000
--- a/yara-mikesxrs/Checkpoint/ransomware_ZZ_azov_wiper.yar
+++ /dev/null
@@ -1,18 +0,0 @@
-import "pe"
-
-rule ransomware_ZZ_azov_wiper {
- meta:
- description = "Detects original and backdoored files with new and old versions of azov ransomware - polymorphic wiper"
- author = "Jiri Vinopal (jiriv)"
- date = "2022-11-14"
- hash_azov_new = "650f0d694c0928d88aeeed649cf629fc8a7bec604563bca716b1688227e0cc7e"
- hash_azov_old = "b102ed1018de0b7faea37ca86f27ba3025c0c70f28417ac3e9ef09d32617f801"
- report = "https://research.checkpoint.com/2022/pulling-the-curtains-on-azov-ransomware-not-a-skidsware-but-polymorphic-wiper/"
- strings:
- // Opcodes of allocating and decrypting shellcode routine
- $unpacking_azov_new = { 48 83 ec ?? 58 48 01 c8 48 81 ec ?? ?? ?? ?? 48 83 ec ?? 40 80 e4 ?? c6 45 ?? 56 c6 45 ?? 69 c6 45 ?? 72 c6 45 ?? 74 c6 45 ?? 75 c6 45 ?? 61 c6 45 ?? 6c c6 45 ?? 41 c6 45 ?? 6c c6 45 ?? 6c c6 45 ?? 6f c6 45 ?? 63 c6 45 ?? 00 48 89 74 24 ?? 48 83 ec ?? 48 83 c4 ?? 48 8b 4c 24 ?? 48 8d 55 ?? ff d0 48 83 ec ?? 48 c7 04 24 ?? ?? ?? ?? 48 83 c4 ?? 48 8b 4c 24 ?? 48 c7 c2 ?? ?? ?? ?? 49 c7 c0 ?? ?? ?? ?? 49 c7 c1 ?? ?? ?? ?? ff d0 48 c7 c1 ?? ?? ?? ?? 4c 8d 0d ?? ?? ?? ?? 48 ff c9 41 8a 14 09 88 14 08 48 85 c9 75 ?? 48 c7 c1 ?? ?? ?? ?? 41 b9 ?? ?? ?? ?? 41 ba ?? ?? ?? ?? 48 ff c9 8a 14 08 44 30 ca 88 14 08 41 81 ea ?? ?? ?? ?? 45 01 d1 41 81 c1 ?? ?? ?? ?? 41 81 c2 ?? ?? ?? ?? 41 d1 c1 48 85 c9 }
- $unpacking_azov_old = { 48 01 c8 48 05 ?? ?? ?? ?? 48 81 c1 ?? ?? ?? ?? 48 81 ec ?? ?? ?? ?? 48 83 ec ?? 40 80 e4 ?? c6 45 ?? 56 c6 45 ?? 69 c6 45 ?? 72 c6 45 ?? 74 c6 45 ?? 75 c6 45 ?? 61 c6 45 ?? 6c c6 45 ?? 41 c6 45 ?? 6c c6 45 ?? 6c c6 45 ?? 6f c6 45 ?? 63 c6 45 ?? 00 48 83 e1 ?? 48 01 f1 48 8d 55 ?? ff d0 48 83 ec ?? 48 c7 04 24 ?? ?? ?? ?? 48 83 c4 ?? 48 8b 4c 24 ?? 48 c7 c2 ?? ?? ?? ?? 49 c7 c0 ?? ?? ?? ?? 49 c7 c1 ?? ?? ?? ?? ff d0 48 c7 c1 ?? ?? ?? ?? 4c 8d 0d ?? ?? ?? ?? 48 ff c9 41 8a 14 09 88 14 08 48 85 c9 }
- condition:
- uint16(0) == 0x5a4d and pe.is_64bit() and
- any of ($unpacking_azov_*)
-}
diff --git a/yara-mikesxrs/CyberDefenses/installmonstr.yar b/yara-mikesxrs/CyberDefenses/installmonstr.yar
deleted file mode 100644
index a1ea795..0000000
--- a/yara-mikesxrs/CyberDefenses/installmonstr.yar
+++ /dev/null
@@ -1,22 +0,0 @@
-rule installmonstr {
-meta:
- description = "adware, trojan, riskware"
- author = "Monty St John"
- company = "Cyberdefenses, inc."
- date = "2017/01/25"
- hash1 = "000be3b9991eaf28b3794d96ce08e883"
- hash2 = "1c21a4b1151921398b2c2fe9ea9892f8"
- hash3 = "be6eb42ea9e789d2a4425f61155f4664"
- hash4 = "001dd4fdd6973f4e6cb9d11bd9ba7eb3"
-
-strings:
- $a = ""
- $b = "%s%s"
- $c = "GoIdHTTPWork"
- $d = "sslvSSLv2sslvSSLv23sslvSSLv3sslvTLSv1"
- $e = "sslvSSLv23 sslvSSLv3 sslvTLSv1"
- $f = "AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH"
-
-condition:
- 5 of them
-}
diff --git a/yara-mikesxrs/CyberDefenses/u34.yar b/yara-mikesxrs/CyberDefenses/u34.yar
deleted file mode 100644
index a61c94d..0000000
--- a/yara-mikesxrs/CyberDefenses/u34.yar
+++ /dev/null
@@ -1,15 +0,0 @@
-rule php_shell_U34 {
-meta:
- description = "Web Shell - file ans.php"
- author = "Monty St John"
- company = "Cyberdefenses, inc."
- date = "2017/01/25"
- hash = "5be3b1bc76677a70553a66575f289a0a"
-strings:
-$a = "'\".((strpos(@$_POST['"
-$b = "'],\"\\n\")!==false)?'':htmlspecialchars(@$_POST['"
-$c = "'],ENT_QUOTES)).\"';"
-$d = "posix_getpwuid"
-condition:
- all of them
-}
diff --git a/yara-mikesxrs/CyberDefenses/wirenet_dropper.yar b/yara-mikesxrs/CyberDefenses/wirenet_dropper.yar
deleted file mode 100644
index 8a5b609..0000000
--- a/yara-mikesxrs/CyberDefenses/wirenet_dropper.yar
+++ /dev/null
@@ -1,16 +0,0 @@
-rule wirenet_dropper
- {
-meta:
- description = "Wirenet backdoor dropper Invoice_SKMBT_20170601.doc"
- author = "Chris Rogers"
- company = "Cyberdefenses, inc."
- date = "2017/07/11"
- hash = "954d7c15577f118171cc8adcc9f9ac94"
-strings:
-$a = "C:\Users\user\Desktop\JAVA\docinvoice.exe"
-$b = "C:\Users\user\AppData\Local\Temp\docinvoice.exe"
-$c = "ZTUWVSPRTj"
-$d = "IE(AL("%s",4),"AL(\"%0:s\",3)""
-condition:
- all of them
-}
diff --git a/yara-mikesxrs/Fidelis/AlienSpy.yar b/yara-mikesxrs/Fidelis/AlienSpy.yar
deleted file mode 100644
index bb6859e..0000000
--- a/yara-mikesxrs/Fidelis/AlienSpy.yar
+++ /dev/null
@@ -1,34 +0,0 @@
-rule AlienSpy {
-meta:
- description = "AlienSpy"
- author = "Fidelis Cybersecurity"
- reference = "Fidelis Threat Advisory #1015 - Ratting on AlienSpy - Apr 08, 2015"
-
-strings:
- $sa_1 = "META-INF/MANIFEST.MF"
- $sa_2 = "Main.classPK"
- $sa_3 = "plugins/Server.classPK"
- $sa_4 = "IDPK"
-
- $sb_1 = "config.iniPK"
- $sb_2 = "password.iniPK"
- $sb_3 = "plugins/Server.classPK"
- $sb_4 = "LoadStub.classPK"
- $sb_5 = "LoadStubDecrypted.classPK"
- $sb_7 = "LoadPassword.classPK"
- $sb_8 = "DecryptStub.classPK"
- $sb_9 = "ClassLoaders.classPK"
-
- $sc_1 = "config.xml"
- $sc_2 = "options"
- $sc_3 = "plugins"
- $sc_4 = "util"
- $sc_5 = "util/OSHelper"
- $sc_6 = "Start.class"
- $sc_7 = "AlienSpy"
- $sc_8 = "PK"
-
-condition:
- (all of ($sa_*)) or (all of ($sb_*)) or (all of ($sc_*))
-
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/Fidelis/DarkComet.yar b/yara-mikesxrs/Fidelis/DarkComet.yar
deleted file mode 100644
index 5bfeacb..0000000
--- a/yara-mikesxrs/Fidelis/DarkComet.yar
+++ /dev/null
@@ -1,18 +0,0 @@
-rule DarkComet
-{
-meta:
- description = "DarkComet RAT"
- author = "Fidelis Cybersecurity"
- reference = "Fidelis Threat Advisory #1018 - Looking at the Sky for a DarkComet - August 4, 2015"
- date = "2015-07-22"
-
-strings:
- $s1 = "#KCMDDC"
- $s2 = "DCDATA"
- $s3 = "#BOT#CloseServer"
- $s4 = "#BOT#SvrUninstall"
- $s5 = "#BOT#URLDownload"
-condition:
- uint16(0) == 0x5a4d and filesize < 50MB and all of ($s*)
-}
-
diff --git a/yara-mikesxrs/Fidelis/DarkCometDownloader.yar b/yara-mikesxrs/Fidelis/DarkCometDownloader.yar
deleted file mode 100644
index f8d4cc2..0000000
--- a/yara-mikesxrs/Fidelis/DarkCometDownloader.yar
+++ /dev/null
@@ -1,12 +0,0 @@
-rule DarkCometDownloader {
-meta:
- description = "DarkComet RAT Downloader"
- author = "Fidelis Cybersecurity"
- reference = "Fidelis Threat Advisory #1018 - Looking at the Sky for a DarkComet - August 4, 2015"
- date = "2015-07-22"
-
-strings:
- $s1 = {6A00FF15F0304000A30D1040006A0A68261040006A00FF15F4304000A311104000FF 35111040006A00FF15F8304000A315104000FF35111040006A00FF15FC304000A3191 04000FF3515104000FF1500314000A31D104000FF3519104000FF351D104000682C11 4000FF1508314000FF3515104000FF150C31400031C0682C104000682C104000FF151 43140006805104000682C104000FF1510314000682C104000FF15183140006A006A00 682C104000682C1140006A00FF15803040006A056A006A00682C10400068001040006 A00FF15A83040006A00FF1504314000}
-condition:
- uint16(0) == 0x5a4d and filesize < 10KB and all of them
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/Fidelis/Scanbox.yar b/yara-mikesxrs/Fidelis/Scanbox.yar
deleted file mode 100644
index 9c1491b..0000000
--- a/yara-mikesxrs/Fidelis/Scanbox.yar
+++ /dev/null
@@ -1,44 +0,0 @@
- rule apt_all_JavaScript_ScanboxFramework_obfuscated
-
-{
- meta:
- author = "Fidelis Security"
- reference = "https://www.fidelissecurity.com/TradeSecret"
-
- strings:
-
- $sa1 = /(var|new|return)\s[_\$]+\s?/
-
- $sa2 = "function"
-
- $sa3 = "toString"
-
- $sa4 = "toUpperCase"
-
- $sa5 = "arguments.length"
-
- $sa6 = "return"
-
- $sa7 = "while"
-
- $sa8 = "unescape("
-
- $sa9 = "365*10*24*60*60*1000"
-
- $sa10 = ">> 2"
-
- $sa11 = "& 3) << 4"
-
- $sa12 = "& 15) << 2"
-
- $sa13 = ">> 6) | 192"
-
- $sa14 = "& 63) | 128"
-
- $sa15 = ">> 12) | 224"
-
- condition:
-
- all of them
-
-}
diff --git a/yara-mikesxrs/Fidelis/Ursnif_report_variant_memory.yar b/yara-mikesxrs/Fidelis/Ursnif_report_variant_memory.yar
deleted file mode 100644
index c9cec98..0000000
--- a/yara-mikesxrs/Fidelis/Ursnif_report_variant_memory.yar
+++ /dev/null
@@ -1,20 +0,0 @@
-rule Ursnif_report_variant_memory
-{
-meta:
- description = "Ursnif"
- author = "Fidelis Cybersecurity"
- reference = "New Ursnif Variant Targeting Italy and U.S - June 7, 2016"
-
-strings:
- $isfb1 = "/data.php?version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s"
- $isfb2 = "client.dll"
- $ursnif1 = "soft=1&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x"
- $a1 = "grabs="
- $a2 = "HIDDEN"
- $ursnif2 = "/images/"
- $randvar = "%s=%s&"
- $specialchar = "%c%02X" nocase
- $serpent_setkey = {8b 70 ec 33 70 f8 33 70 08 33 30 33 f1 81 f6 b9 79 37 9e c1 c6 0b 89 70 08 41 81 f9 84 [0-3] 72 db}
-condition:
- 7 of them
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/Fidelis/XenonCrypter.yar b/yara-mikesxrs/Fidelis/XenonCrypter.yar
deleted file mode 100644
index 1c06e57..0000000
--- a/yara-mikesxrs/Fidelis/XenonCrypter.yar
+++ /dev/null
@@ -1,12 +0,0 @@
-rule XenonCrypter
-{
-meta:
- author = "jason reaves"
- author2 = "Fidelis Cybersecurity"
- description = "Xenon Crypter"
-strings:
- $b1 = "Xenon2FF\\Bin\\StubNew.pdb” nocase
- $b2 = “XenonNew\\Bin\\StubNew.pdb” nocase
-condition:
- any of ($b*)
-}
diff --git a/yara-mikesxrs/Fidelis/apt_nix_elf_Derusbi_Linux_SharedMemCreation.yar b/yara-mikesxrs/Fidelis/apt_nix_elf_Derusbi_Linux_SharedMemCreation.yar
deleted file mode 100644
index ee4fb06..0000000
--- a/yara-mikesxrs/Fidelis/apt_nix_elf_Derusbi_Linux_SharedMemCreation.yar
+++ /dev/null
@@ -1,13 +0,0 @@
-rule apt_nix_elf_Derusbi_Linux_SharedMemCreation
-{
- meta:
- author = "Fidelis Cybersecurity"
- reference = "https://www.fidelissecurity.com/resources/turbo-campaign-featuring-derusbi-64-bit-linux"
- strings:
- $byte1 = { B6 03 00 00 ?? 40 00 00 00 ?? 0D 5F 01 82 }
- condition:
- (uint32(0) == 0x464C457F) and (any of them)
-}
-
-
-
diff --git a/yara-mikesxrs/Fidelis/apt_nix_elf_Derusbi_Linux_Strings.yar b/yara-mikesxrs/Fidelis/apt_nix_elf_Derusbi_Linux_Strings.yar
deleted file mode 100644
index 4f08ba4..0000000
--- a/yara-mikesxrs/Fidelis/apt_nix_elf_Derusbi_Linux_Strings.yar
+++ /dev/null
@@ -1,28 +0,0 @@
-rule apt_nix_elf_Derusbi_Linux_Strings
-{
- meta:
- author = "Fidelis Cybersecurity"
- reference = "https://www.fidelissecurity.com/resources/turbo-campaign-featuring-derusbi-64-bit-linux"
- strings:
- $a1 = "loadso" wide ascii fullword
- $a2 = "\nuname -a\n\n" wide ascii
- $a3 = "/dev/shm/.x11.id" wide ascii
- $a4 = "LxMain64" wide ascii nocase
- $a5 = "# \\u@\\h:\\w \\$ " wide ascii
- $b1 = "0123456789abcdefghijklmnopqrstuvwxyz" wide
- $b2 = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ" wide
- $b3 = "ret %d" wide fullword
- $b4 = "uname -a\n\n" wide ascii
- $b5 = "/proc/%u/cmdline" wide ascii
- $b6 = "/proc/self/exe" wide ascii
- $b7 = "cp -a %s %s" wide ascii
- $c1 = "/dev/pts/4" wide ascii fullword
- $c2 = "/tmp/1408.log" wide ascii fullword
- condition:
- uint32(0) == 0x464C457F and
- ((1 of ($a*) and 4 of ($b*)) or
- (1 of ($a*) and 1 of ($c*)) or
- 2 of ($a*) or
- all of ($b*))
-}
-
diff --git a/yara-mikesxrs/Fidelis/apt_nix_elf_derusbi.yar b/yara-mikesxrs/Fidelis/apt_nix_elf_derusbi.yar
deleted file mode 100644
index 3b78cdb..0000000
--- a/yara-mikesxrs/Fidelis/apt_nix_elf_derusbi.yar
+++ /dev/null
@@ -1,48 +0,0 @@
-rule apt_nix_elf_derusbi
-{
- meta:
- author = "Fidelis Cybersecurity"
- reference = "https://www.fidelissecurity.com/resources/turbo-campaign-featuring-derusbi-64-bit-linux"
- strings:
- $ = "LxMain"
- $ = "execve"
- $ = "kill"
- $ = "cp -a %s %s"
- $ = "%s &"
- $ = "dbus-daemon"
- $ = "--noprofile"
- $ = "--norc"
- $ = "TERM=vt100"
- $ = "/proc/%u/cmdline"
- $ = "loadso"
- $ = "/proc/self/exe"
- $ = "Proxy-Connection: Keep-Alive"
- $ = "Connection: Keep-Alive"
- $ = "CONNECT %s"
- $ = "HOST: %s:%d"
- $ = "User-Agent: Mozilla/4.0"
- $ = "Proxy-Authorization: Basic %s"
- $ = "Server: Apache"
- $ = "Proxy-Authenticate"
- $ = "gettimeofday"
- $ = "pthread_create"
- $ = "pthread_join"
- $ = "pthread_mutex_init"
- $ = "pthread_mutex_destroy"
- $ = "pthread_mutex_lock"
- $ = "getsockopt"
- $ = "socket"
- $ = "setsockopt"
- $ = "select"
- $ = "bind"
- $ = "shutdown"
- $ = "listen"
- $ = "opendir"
- $ = "readdir"
- $ = "closedir"
- $ = "rename"
-
- condition:
- (uint32(0) == 0x4464c457f) and (all of them)
-}
-
diff --git a/yara-mikesxrs/Fidelis/apt_nix_elf_derusbi_kernelModule.yar b/yara-mikesxrs/Fidelis/apt_nix_elf_derusbi_kernelModule.yar
deleted file mode 100644
index f52e4ed..0000000
--- a/yara-mikesxrs/Fidelis/apt_nix_elf_derusbi_kernelModule.yar
+++ /dev/null
@@ -1,30 +0,0 @@
-rule apt_nix_elf_derusbi_kernelModule
-{
- meta:
- author = "Fidelis Cybersecurity"
- reference = "https://www.fidelissecurity.com/resources/turbo-campaign-featuring-derusbi-64-bit-linux"
- strings:
- $ = "__this_module"
- $ = "init_module"
- $ = "unhide_pid"
- $ = "is_hidden_pid"
- $ = "clear_hidden_pid"
- $ = "hide_pid"
- $ = "license"
- $ = "description"
- $ = "srcversion="
- $ = "depends="
- $ = "vermagic="
- $ = "current_task"
- $ = "sock_release"
- $ = "module_layout"
- $ = "init_uts_ns"
- $ = "init_net"
- $ = "init_task"
- $ = "filp_open"
- $ = "__netlink_kernel_create"
- $ = "kfree_skb"
-
- condition:
- (uint32(0) == 0x4464c457f) and (all of them)
-}
diff --git a/yara-mikesxrs/Fidelis/apt_win32_dll_bergard_pgv_pvid_variant.yar b/yara-mikesxrs/Fidelis/apt_win32_dll_bergard_pgv_pvid_variant.yar
deleted file mode 100644
index 6532e98..0000000
--- a/yara-mikesxrs/Fidelis/apt_win32_dll_bergard_pgv_pvid_variant.yar
+++ /dev/null
@@ -1,40 +0,0 @@
-rule apt_win32_dll_bergard_pgv_pvid_variant
-
-{
-
- meta:
-
- copyright = “Fidelis Cybersecurity”
- reference = "http://www.threatgeek.com/2016/05/"
-
- strings:
-
- $ = "Accept:"
-
- $ = "User-Agent: %s"
-
- $ = "Host: %s:%d"
-
- $ = "Cache-Control: no-cache"
-
- $ = "Connection: Keep-Alive"
-
- $ = "Cookie: pgv_pvid="
-
- $ = "Content-Type: application/x-octet-stream"
-
- $ = "User-Agent: %s"
-
- $ = "Host: %s:%d"
-
- $ = "Pragma: no-cache"
-
- $ = "Connection: Keep-Alive"
-
- $ = "HTTP/1.0"
-
- condition:
-
- (uint16(0) == 0x5A4D) and (all of them)
-
- }
\ No newline at end of file
diff --git a/yara-mikesxrs/Fidelis/apt_win32_dll_rat_hiZorRAT.yar b/yara-mikesxrs/Fidelis/apt_win32_dll_rat_hiZorRAT.yar
deleted file mode 100644
index 08cf597..0000000
--- a/yara-mikesxrs/Fidelis/apt_win32_dll_rat_hiZorRAT.yar
+++ /dev/null
@@ -1,30 +0,0 @@
-rule apt_win32_dll_rat_hiZorRAT
-{
- meta:
- hash1 = "75d3d1f23628122a64a2f1b7ef33f5cf"
- hash2 = "d9821468315ccd3b9ea03161566ef18e"
- hash3 = "b9af5f5fd434a65d7aa1b55f5441c90a"
- ref1 = "http://www.threatgeek.com/2016/01/introducing-hi-zor-rat.html"
- ref2 = "https://www.fidelissecurity.com/sites/default/files/FTA_1020_Fidelis_Inocnation_FINAL.pdf"
-
- strings:
-
- // Part of the encoded User-Agent = Mozilla
- $ = { c7 [5] 40 00 62 00 c7 [5] 77 00 64 00 c7 [5] 61 00 61 00 c7 [5] 6c 00 }
-
- // XOR to decode User-Agent after string stacking 0x10001630
- $ = { 66 [7] 0d 40 83 ?? ?? 7c ?? }
-
- // XOR with 0x2E - 0x10002EF6
-
- $ = { 80 [2] 2e 40 3b ?? 72 ?? }
-
- $ = "CmdProcessExited" wide ascii
- $ = "rootDir" wide ascii
- $ = "DllRegisterServer" wide ascii
- $ = "GetNativeSystemInfo" wide ascii
- $ = "%08x%08x%08x%08x" wide ascii
-
- condition:
- (uint16(0) == 0x5A4D or uint32(0) == 0x4464c457f) and (all of them)
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/Fidelis/apt_win_exe_trojan_derusbi.yar b/yara-mikesxrs/Fidelis/apt_win_exe_trojan_derusbi.yar
deleted file mode 100644
index 2176cd6..0000000
--- a/yara-mikesxrs/Fidelis/apt_win_exe_trojan_derusbi.yar
+++ /dev/null
@@ -1,61 +0,0 @@
-rule apt_win_exe_trojan_derusbi
-{
- meta:
- author = "Fidelis Cybersecurity"
- reference = "https://www.fidelissecurity.com/resources/turbo-campaign-featuring-derusbi-64-bit-linux"
- strings:
- $sa_1 = "USB" wide ascii
- $sa_2 = "RAM" wide ascii
- $sa_3 = "SHARE" wide ascii
- $sa_4 = "HOST: %s:%d"
- $sa_5 = "POST"
- $sa_6 = "User-Agent: Mozilla"
- $sa_7 = "Proxy-Connection: Keep-Alive"
- $sa_8 = "Connection: Keep-Alive"
- $sa_9 = "Server: Apache"
- $sa_10 = "HTTP/1.1"
- $sa_11 = "ImagePath"
- $sa_12 = "ZwUnloadDriver"
- $sa_13 = "ZwLoadDriver"
- $sa_14 = "ServiceMain"
- $sa_15 = "regsvr32.exe"
- $sa_16 = "/s /u" wide ascii
- $sa_17 = "rand"
- $sa_18 = "_time64"
- $sa_19 = "DllRegisterServer"
- $sa_20 = "DllUnregisterServer"
- $sa_21 = { 8b [5] 8b ?? d3 ?? 83 ?? 08 30 [5] 40 3b [5] 72 } // Decode Driver
-
- $sb_1 = "PCC_CMD_PACKET"
- $sb_2 = "PCC_CMD"
- $sb_3 = "PCC_BASEMOD"
- $sb_4 = "PCC_PROXY"
- $sb_5 = "PCC_SYS"
- $sb_6 = "PCC_PROCESS"
- $sb_7 = "PCC_FILE"
- $sb_8 = "PCC_SOCK"
-
- $sc_1 = "bcdedit -set testsigning" wide ascii
- $sc_2 = "update.microsoft.com" wide ascii
- $sc_3 = "_crt_debugger_hook" wide ascii
- $sc_4 = "ue8G5" wide ascii
-
- $sd_1 = "NET" wide ascii
- $sd_2 = "\\\\.\\pipe\\%s" wide ascii
- $sd_3 = ".dat" wide ascii
- $sd_4 = "CONNECT %s:%d" wide ascii
- $sd_5 = "\\Device\\" wide ascii
-
- $se_1 = "-%s-%04d" wide ascii
- $se_2 = "-%04d" wide ascii
- $se_3 = "FAL" wide ascii
- $se_4 = "OK" wide ascii
- $se_5 = "2.03" wide ascii
- $se_6 = "XXXXXXXXXXXXXXX" wide ascii
-
- condition:
- (uint16(0) == 0x5A4D) and ( (all of ($sa_*)) or (
- (13 of ($sa_*)) and
- ( (5 of ($sb_*)) or (3 of ($sc_*)) or (all of ($sd_*)) or
- ( (1 of ($sc_*)) and (all of ($se_*)) ) ) ) )
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/Fidelis/crime_win32_exe_rat_netwire.yar b/yara-mikesxrs/Fidelis/crime_win32_exe_rat_netwire.yar
deleted file mode 100644
index 0d4ee30..0000000
--- a/yara-mikesxrs/Fidelis/crime_win32_exe_rat_netwire.yar
+++ /dev/null
@@ -1,51 +0,0 @@
-rule crime_win32_exe_rat_netwire{
-meta:
- description = "AlienSpy"
- author = "Fidelis Cybersecurity"
- reference = "Fidelis Threat Advisory #1017 - Phishing in Plain Sight - June 9, 2015"
- hash = "fd5a753347416484ab01712786c407c4"
-
-strings:
- $sa = "StubPath"
- $sa = "CONNECT"
- $sa = "200 OK"
- $sa = "GET"
- $sa = "Host"
- $sa = "Connection"
- $sa = "Firefox"
- $sa = "Chrome"
- $sa = "Opera"
- $sa = "Outlook"
- $sa = "NSS_Shutdown"
- $sa = "NSSBase64_DecodeBuffer"
- $sa = "NSS_Init"
- $sa = "NSS_Shutdown"
- $sa = "name" nocase
- $sa = "password"
- $sa = "Server"
- $sa = "LANMANNT"
- $sa = "SERVERNT"
- $sa = "[Backspace]"
- $sa = "[Enter]"
- $sa = "[Tab]"
- $sa = "[Print Screen]"
- $sa = "mozsqlite"
- $sa = "nssutil"
- $sa = "sqlite"
- $sa = "Email"
- $sa = "POP3 User"
- $sa = "POP3 Server"
- $sa = "POP3 Password"
- $sa = "IMAP User"
- $sa = "IMAP Server"
- $sa = "IMAP Password"
- $sa = "HTTP User"
- $sa = "HTTP Server"
- $sa = "HTTP Password"
- $sa = "SMTP User"
- $sa = "SMTP Server"
- $sa = "SMTP Password"
-
-condition:
- (uint16(0) == 0x5A4D) and (all of them)
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/Fidelis/crime_win_PWS_Fareit.yar b/yara-mikesxrs/Fidelis/crime_win_PWS_Fareit.yar
deleted file mode 100644
index dedcbf6..0000000
--- a/yara-mikesxrs/Fidelis/crime_win_PWS_Fareit.yar
+++ /dev/null
@@ -1,28 +0,0 @@
-rule crime_win_PWS_Fareit
-{
-meta:
- description = "Fareit password stealer"
- author = "General Dynamics Fidelis Cybersecurity Solutions - Threat Research Team"
- reference = "https://www.fidelissecurity.com/sites/default/files/FTA_1016_Pushdo.pdf"
- date = "20150414"
- filetype = "exe"
- hash_1 = "e93799591429756b7a5ad6e44197c020"
- hash_2 = "891823de9b05e17def459e04fb574f94"
- hash_3 = "6e54267c787fc017a2b2cc5dc5273a0a"
- hash_4 = "40165ee6b1d69c58d3c0d2f4701230fa"
- hash_5 = "de3b206a8066db48e9d7b0a42d50c5cd"
- hash_6 = "b988944f831c478f5a6d71f9e06fbc22"
- hash_7 = "7b7584d86efa2df42fe504213a3d1d2c"
- hash_8 = "f088b291af1a3710f99c33fa37f68602"
-strings:
- $mz = {4d5a}
- $s1 = "SELECT hostname, encryptedUsername, encryptedPassword FROM moz_logins"
- $s2 = "gate.php"
- $s3 = "STATUS-IMPORT-OK"
- $s4 = "Client Hash"
- $s5 = "YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0"
- $c1 = "wiseftpsrvs.bin"
- $c2 = "out.bin"
-condition:
- $mz at 0 and filesize < 105KB and all of ($s*) and ($c1 or $c2)
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/Fidelis/network_traffic_njRAT.yar b/yara-mikesxrs/Fidelis/network_traffic_njRAT.yar
deleted file mode 100644
index e6fec5e..0000000
--- a/yara-mikesxrs/Fidelis/network_traffic_njRAT.yar
+++ /dev/null
@@ -1,47 +0,0 @@
-rule network_traffic_njRAT
-{
-meta:
-author = "info@fidelissecurity.com"
-descripion = "njRAT - Remote Access Trojan"
-comment = "Rule to alert on network traffic indicators"
-filetype = "PCAP - Network Traffic"
-date = "2013-07-15"
-version = "1.0"
-hash1 = "92ee1fb5df21d8cfafa2b02b6a25bd3b"
-hash2 ="3576d40ce18bb0349f9dfa42b8911c3a"
-hash3 ="24cc5b811a7f9591e7f2cb9a818be104"
-hash4 = "3ad5fded9d7fdf1c2f6102f4874b2d52"
-hash5 = "a98b4c99f64315aac9dd992593830f35"
-hash6 = "5fcb5282da1a2a0f053051c8da1686ef"
-hash7 = "a669c0da6309a930af16381b18ba2f9d"
-hash8 = "79dce17498e1997264346b162b09bde8"
-hash9 = "fc96a7e27b1d3dab715b2732d5c86f80"
-ref1 = "http://bit.ly/19tlf4s"
-ref2 = "http://www.fidelissecurity.com/threatadvisory"
-ref3 = "http://www.threatgeek.com/2013/06/fidelis-threat-advisory-1009-njrat-uncovered.html"
-ref4 = "http://threatgeek.typepad.com/files/fta-1009---njrat-uncovered.pdf"
-
-strings:
-$string1 = "FM|'|'|" // File Manager
-$string2 = "nd|'|'|" // File Manager
-$string3 = "rn|'|'|" // Run File
-$string4 = "sc~|'|'|" // Remote Desktop
-$string5 = "scPK|'|'|" // Remote Desktop
-$string6 = "CAM|'|'|" // Remote Cam
-$string7 = "USB Video Device[endof]" // Remote Cam
-$string8 = "rs|'|'|" // Reverse Shell
-$string9 = "proc|'|'|" // Process Manager
-$string10 = "k|'|'|" // Process Manager
-$string11 = "RG|'|'|~|'|'|" // Registry Manipulation
-$string12 = "kl|'|'|" // Keylogger file
-$string13 = "ret|'|'|" // Get Browser Passwords
-$string14 = "pl|'|'|" // Get Browser Passwords
-$string15 = "lv|'|'|" // General
-$string16 = "prof|'|'|~|'|'|" // Server rename
-$string17 = "un|'|'|~[endof]" // Uninstall
-$idle_string = "P[endof]" // Idle Connection
-
-condition:
-any of ($string*) or #idle_string > 4
-
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/Fidelis/win_exe_njRAT.yar b/yara-mikesxrs/Fidelis/win_exe_njRAT.yar
deleted file mode 100644
index fce09d9..0000000
--- a/yara-mikesxrs/Fidelis/win_exe_njRAT.yar
+++ /dev/null
@@ -1,45 +0,0 @@
-rule win_exe_njRAT
-{
-meta:
-author = "info@fidelissecurity.com"
-descripion = "njRAT - Remote Access Trojan"
-comment = "Variants have also been observed obfuscated with .NET Reactor"
-filetype = "pe"
-date = "2013-07-15"
-version = "1.0"
-hash1 = "92ee1fb5df21d8cfafa2b02b6a25bd3b"
-hash2 = "3576d40ce18bb0349f9dfa42b8911c3a"
-hash3 = "24cc5b811a7f9591e7f2cb9a818be104"
-hash4 = "3ad5fded9d7fdf1c2f6102f4874b2d52"
-hash5 = "a98b4c99f64315aac9dd992593830f35"
-hash6 ="5fcb5282da1a2a0f053051c8da1686ef"
-hash7 = "a669c0da6309a930af16381b18ba2f9d"
-hash8 = "79dce17498e1997264346b162b09bde8"
-hash9 = "fc96a7e27b1d3dab715b2732d5c86f80"
-ref1 = "http://bit.ly/19tlf4s"
-ref2 = "http://www.fidelissecurity.com/threatadvisory"
-ref3 = "http://www.threatgeek.com/2013/06/fidelis-threat-advisory-1009-njratuncovered.html"
-ref4 = "http://threatgeek.typepad.com/files/fta-1009---njrat-uncovered.pdf"
-
-strings:
-$magic = "MZ"
-$string_setA_1 = "FromBase64String"
-$string_setA_2 = "Base64String"
-$string_setA_3 = "Connected" wide ascii
-$string_setA_4 = "Receive"
-$string_setA_5 = "DeleteSubKey" wide ascii
-$string_setA_6 = "get_MachineName"
-$string_setA_7 = "get_UserName"
-$string_setA_8 = "get_LastWriteTime"
-$string_setA_9 = "GetVolumeInformation"
-
-$string_setB_1 = "OSFullName" wide ascii
-$string_setB_2 = "Send" wide ascii
-$string_setB_3 = "Connected" wide ascii
-$string_setB_4 = "DownloadData" wide ascii
-$string_setB_5 = "netsh firewall" wide
-$string_setB_6 = "cmd.exe /k ping 0 & del" wide
-
-condition:
-($magic at 0) and ( all of ($string_setA*) or all of ($string_setB*) )
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/Fidelis/win_vbs_rat_hworm.yara b/yara-mikesxrs/Fidelis/win_vbs_rat_hworm.yara
deleted file mode 100644
index e63f4c3..0000000
--- a/yara-mikesxrs/Fidelis/win_vbs_rat_hworm.yara
+++ /dev/null
@@ -1,128 +0,0 @@
-rule win_vbs_rat_hworm
-
-{
- meta:
- author = "Fidelis Cybersecurity"
- reference = "http://www.threatgeek.com/2016/11/down-the-h-w0rm-hole-with-houdinis-rat.html"
- strings:
-
- $sa1 = "CONFIG"
-
- $sa2 = "MYCODE"
-
- $sa3 = "SHELLOBJ.EXPANDENVIRONMENTSTRINGS"
-
- $sa4 = "BASE64TOHEX"
-
- $sa5 = "DCOM.VIRTUALALLOC"
-
- $sa6 = "LOADER_"
-
- $sa7 = "PE_PTR"
-
- $sa8 = "OBJWMISERVICE.EXECQUERY"
-
- $sa9 = "WSCRIPT.EXE" nocase
-
- $sa10 = "FUNCTION"
-
- $sa11 = "DIM"
-
- $sa12 = "END SUB"
-
- $sb1 = "HOST_FILE"
-
- $sb2 = "FILE_NAME"
-
- $sb3 = "INSTALL_DIR"
-
- $sb4 = "START_UP_REG"
-
- $sb5 = "START_UP_TASK"
-
- $sb6 = "START_UP_FOLDER"
-
- $sc1 = "DCOM_DATA"
-
- $sc2 = "LOADER_DATA"
-
- $sc3 = "FILE_DATA"
-
- $sc4 = "(1)"
-
- $sc5 = "(2)"
-
- $sc6 = "(3)"
-
- $sc7 = "FILE_SIZE"
-
- condition:
-
- (all of ($sa*)) and ( (all of ($sb*)) or (all of ($sc*)) )
-
-}
-
-rule win_exe_rat_hworm
-
-{
- meta:
- author = "Fidelis Cybersecurity"
- reference = "http://www.threatgeek.com/2016/11/down-the-h-w0rm-hole-with-houdinis-rat.html"
- strings:
-
- $sa1 = "connection_host" wide ascii
-
- $sa2 = "connection_port" wide ascii
-
- $sa3 = "install_folder" wide ascii
-
- $sa4 = "install_name" wide ascii
-
- $sa5 = "nickname_id" wide ascii
-
- $sa6 = "password" wide ascii
-
- $sa7 = "injection" wide ascii
-
- $sa8 = "startup_registry" wide ascii
-
- $sa9 = "startup_folder" wide ascii
-
- $sa10 = "startup_task" wide ascii
-
- $sa11 = "process_name" wide ascii
-
- $sa12 = "fkeylogger_host" wide ascii
-
- $sa13 = "fkeylogger_port" wide ascii
-
- $sa14 = "keylogger_init" wide ascii
-
- $sa15 = "keylogger_offline" wide ascii
-
- $sa16 = "file_manager" wide ascii
-
- $sa17 = "usb" wide ascii
-
- $sa18 = "password" wide ascii
-
- $sa19 = "filemanager" wide ascii
-
- $sa20 = "keylogger" wide ascii
-
- $sa21 = "screenshot" wide ascii
-
- $sa22 = "show" nocase wide ascii
-
- $sa23 = "open" wide ascii
-
- $sa25 = "create" wide ascii
-
- $sa26 = "Self" wide ascii
-
- $sa27 
= "createsuspended" wide ascii
-
- condition:
-
- (uint16(0) == 0x5A4D) and (all of them)
-
diff --git a/yara-mikesxrs/Fireeye/APT19_LEGALSTRIKE_DOCUMENT.yara b/yara-mikesxrs/Fireeye/APT19_LEGALSTRIKE_DOCUMENT.yara
deleted file mode 100644
index e73e61a..0000000
--- a/yara-mikesxrs/Fireeye/APT19_LEGALSTRIKE_DOCUMENT.yara
+++ /dev/null
@@ -1,113 +0,0 @@
-rule FE_LEGALSTRIKE_MACRO {
- meta:version=".1"
- filetype="MACRO"
- author="Ian.Ahl@fireeye.com @TekDefense"
- date="2017-06-02"
- description="This rule is designed to identify macros with the specific encoding used in the sample 30f149479c02b741e897cdb9ecd22da7."
- reference: https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html
-strings:
- // OBSFUCATION
- $ob1 = "ChrW(114) & ChrW(101) & ChrW(103) & ChrW(115) & ChrW(118) & ChrW(114) & ChrW(51) & ChrW(50) & ChrW(46) & ChrW(101)" ascii wide
- $ob2 = "ChrW(120) & ChrW(101) & ChrW(32) & ChrW(47) & ChrW(115) & ChrW(32) & ChrW(47) & ChrW(110) & ChrW(32) & ChrW(47)" ascii wide
- $ob3 = "ChrW(117) & ChrW(32) & ChrW(47) & ChrW(105) & ChrW(58) & ChrW(104) & ChrW(116) & ChrW(116) & ChrW(112) & ChrW(115)" ascii wide
- $ob4 = "ChrW(58) & ChrW(47) & ChrW(47) & ChrW(108) & ChrW(121) & ChrW(110) & ChrW(99) & ChrW(100) & ChrW(105) & ChrW(115)" ascii wide
- $ob5 = "ChrW(99) & ChrW(111) & ChrW(118) & ChrW(101) & ChrW(114) & ChrW(46) & ChrW(50) & ChrW(98) & ChrW(117) & ChrW(110)" ascii wide
- $ob6 = "ChrW(110) & ChrW(121) & ChrW(46) & ChrW(99) & ChrW(111) & ChrW(109) & ChrW(47) & ChrW(65) & ChrW(117) & ChrW(116)" ascii wide
- $ob7 = "ChrW(111) & ChrW(100) & ChrW(105) & ChrW(115) & ChrW(99) & ChrW(111) & ChrW(118) & ChrW(101) & ChrW(114) & ChrW(32)" ascii wide
- $ob8 = "ChrW(115) & ChrW(99) & ChrW(114) & ChrW(111) & ChrW(98) & ChrW(106) & ChrW(46) & ChrW(100) & ChrW(108) & ChrW(108)" ascii wide
- $obreg1 = /(\w{5}\s&\s){7}\w{5}/
- $obreg2 = /(Chrw\(\d{1,3}\)\s&\s){7}/
- // wscript
- $wsobj1 = "Set Obj = CreateObject(\"WScript.Shell\")" ascii wide
- $wsobj2 = "Obj.Run " ascii wide
-
-condition:
- (
- (
- (uint16(0) != 0x5A4D)
- )
- and
- (
- all of ($wsobj*) and 3 of ($ob*)
- or
- all of ($wsobj*) and all of ($obreg*)
- )
- )
-}
-
-rule FE_LEGALSTRIKE_MACRO_2 {
- meta:version=".1"
- filetype="MACRO"
- author="Ian.Ahl@fireeye.com @TekDefense"
- date="2017-06-02"
- 
description="This rule was written to hit on specific variables and powershell command fragments as seen in the macro found in the XLSX file3a1dca21bfe72368f2dd46eb4d9b48c4."
- reference: https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html
-strings:
- // Setting the environment
- $env1 = "Arch = Environ(\"PROCESSOR_ARCHITECTURE\")" ascii wide
- $env2 = "windir = Environ(\"windir\")" ascii wide
- $env3 = "windir + \"\\syswow64\\windowspowershell\\v1.0\\powershell.exe\"" ascii wide
- // powershell command fragments
- $ps1 = "-NoP" ascii wide
- $ps2 = "-NonI" ascii wide
- $ps3 = "-W Hidden" ascii wide
- $ps4 = "-Command" ascii wide
- $ps5 = "New-Object IO.StreamReader" ascii wide
- $ps6 = "IO.Compression.DeflateStream" ascii wide
- $ps7 = "IO.MemoryStream" ascii wide
- $ps8 = ",$([Convert]::FromBase64String" ascii wide
- $ps9 = "ReadToEnd();" ascii wide
- $psregex1 = /\W\w+\s+\s\".+\"/
-condition:
- (
- (
- (uint16(0) != 0x5A4D)
- )
- and
- (
- all of ($env*) and 6 of ($ps*)
- or
- all of ($env*) and 4 of ($ps*) and all of ($psregex*)
- )
- )
-}
-
-rule FE_LEGALSTRIKE_RTF {
- meta:
- version=".1"
- filetype="MACRO"
- author="joshua.kim@FireEye.com"
- date="2017-06-02"
- description="Rtf Phishing Campaign leveraging the CVE 2017-0199 exploit, to point to the domain 2bunnyDOTcom"
- reference: https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html
-
- strings:
- $header = "{\\rt"
-
- $lnkinfo = "4c0069006e006b0049006e0066006f"
-
- $encoded1 = "4f4c45324c696e6b"
- $encoded2 = "52006f006f007400200045006e007400720079"
- $encoded3 = "4f0062006a0049006e0066006f"
- $encoded4 = "4f006c0065"
-
- $http1 = "68{"
- $http2 = "74{"
- $http3 = "07{"
-
- // 2bunny.com
- $domain1 = "32{\\"
- $domain2 = "62{\\"
- $domain3 = "75{\\"
- $domain4 = "6e{\\"
- $domain5 = "79{\\"
- $domain6 = "2e{\\"
- $domain7 = "63{\\"
- $domain8 = "6f{\\"
- $domain9 = "6d{\\"
-
- $datastore = "\\*\\datastore"
-
- condition:
- 
$header at 0 and all of them
-}
diff --git a/yara-mikesxrs/Fireeye/APT32_ActiveMime_Lure.yar b/yara-mikesxrs/Fireeye/APT32_ActiveMime_Lure.yar
deleted file mode 100644
index 5e6d569..0000000
--- a/yara-mikesxrs/Fireeye/APT32_ActiveMime_Lure.yar
+++ /dev/null
@@ -1,18 +0,0 @@
-rule APT32_ActiveMime_Lure{
- meta:
- filetype = "MIME entity"
- author = "Ian Ahl (@TekDefense) and Nick Carr (@ItsReallyNick)"
- date = "2017-03-02"
- description = "Developed to detect APT32 (OceanLotus Group phishing lures used to target Fireeye Customers in 2016 and 2017"
- reference = "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html"
- strings:
- $a1 = "office_text" wide ascii
- $a2 = "schtasks /create /tn" wide ascii
- $a3 = "scrobj.dll" wide ascii
- $a4 = "new-object net.webclient" wide ascii
- $a5 = "GetUserName" wide ascii
- $a6 = "WSHnet.UserDomain" wide ascii
- $a7 = "WSHnet.UserName" wide ascii
- condition:
- 4 of them
-}
diff --git a/yara-mikesxrs/Fireeye/APT_DeputyDog_Strings.yar b/yara-mikesxrs/Fireeye/APT_DeputyDog_Strings.yar
deleted file mode 100644
index 9dc50a2..0000000
--- a/yara-mikesxrs/Fireeye/APT_DeputyDog_Strings.yar
+++ /dev/null
@@ -1,20 +0,0 @@
-rule APT_DeputyDog_Strings
-{
-
- meta:
-
- author = "FireEye Labs"
- version = "1.0"
- description = "detects string seen in samples used in 2013-3893 0day attacks"
- reference = "8aba4b5184072f2a50cbc5ecfe326701"
-
- strings:
-
- $mz = {4d 5a}
- $a = "DGGYDSYRL"
-
- condition:
-
- ($mz at 0) and $a
-
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/Fireeye/BadRabbit.yar b/yara-mikesxrs/Fireeye/BadRabbit.yar
deleted file mode 100644
index 6d610f3..0000000
--- a/yara-mikesxrs/Fireeye/BadRabbit.yar
+++ /dev/null
@@ -1,120 +0,0 @@
-rule FE_Hunting_BADRABBIT {
- meta:version=".2"
- filetype="PE"
- author="ian.ahl @TekDefense & nicholas.carr @itsreallynick"
- reference = "https://www.fireeye.com/blog/threat-research/2017/10/backswing-pulling-a-badrabbit-out-of-a-hat.html"
- date="2017-10-24"
- md5 = "b14d8faf7f0cbcfad051cefe5f39645f"
-strings:
- // Messages
- $msg1 = "Incorrect password" nocase ascii wide
- $msg2 = "Oops! Your files have been encrypted." ascii wide
- $msg3 = "If you see this text, your files are no longer accessible." ascii wide
- $msg4 = "You might have been looking for a way to recover your files." ascii wide
- $msg5 = "Don't waste your time. No one will be able to recover them without our" ascii wide
- $msg6 = "Visit our web service at" ascii wide
- $msg7 = "Your personal installation key#1:" ascii wide
- $msg8 = "Run DECRYPT app at your desktop after system boot" ascii wide
- $msg9 = "Password#1" nocase ascii wide
- $msg10 = "caforssztxqzf2nm.onion" nocase ascii wide
- $msg11 = /partition (unbootable|not (found|mounted))/ nocase ascii wide
-
- // File references
- $fref1 = "C:\\Windows\\cscc.dat" nocase ascii wide
- $fref2 = "\\\\.\\dcrypt" nocase ascii wide
- $fref3 = "Readme.txt" ascii wide
- $fref4 = "\\Desktop\\DECRYPT.lnk" nocase ascii wide
- $fref5 = "dispci.exe" nocase ascii wide
- $fref6 = "C:\\Windows\\infpub.dat" nocase ascii wide
- // META
- $meta1 = "http://diskcryptor.net/" nocase ascii wide
- $meta2 = "dispci.exe" nocase ascii wide
- $meta3 = "GrayWorm" ascii wide
- $meta4 = "viserion" nocase ascii wide
- //commands
- $com1 = "ComSpec" ascii wide
- $com2 = "\\cmd.exe" nocase ascii wide
- $com3 = "schtasks /Create" nocase ascii wide
- $com4 = "schtasks /Delete /F /TN %ws" nocase ascii wide
-condition:
- (uint16(0) == 0x5A4D)
- and
- (8 of ($msg*) and 3 of ($fref*) and 2 of ($com*))
- or
- (all of ($meta*) and 8 of ($msg*))
- }
-
-rule FE_Trojan_BADRABBIT_DROPPER
- {
- meta:
- author = "muhammad.umair"
- md5 = "fbbdc39af1139aebba4da004475e8839"
- reference = "https://www.fireeye.com/blog/threat-research/2017/10/backswing-pulling-a-badrabbit-out-of-a-hat.html"
- rev = 1
- strings:
- $api1 = "GetSystemDirectoryW" fullword
- $api2 = "GetModuleFileNameW" fullword
- $dropped_dll = "infpub.dat" ascii fullword wide
- $exec_fmt_str = "%ws C:\\Windows\\%ws,#1 %ws" ascii fullword wide
- $extract_seq = { 68 ?? ?? ?? ?? 8D 95 E4 F9 FF FF 52 FF 15 ?? ?? ?? ?? 85 C0 0F 84 C4 00 00 00 8D 85 A8 ED FF FF 50 8D 8D AC ED FF FF E8 ?? ?? ?? ?? 85 C0 0F 84 AA 00 00 00 }
- condition:
- (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and filesize < 500KB and all of them
- }
-
-rule FE_Worm_BADRABBIT
- {
- meta:
- author = "muhammad.umair"
- md5 = "1d724f95c61f1055f0d02c2154bbccd3"
- reference = "https://www.fireeye.com/blog/threat-research/2017/10/backswing-pulling-a-badrabbit-out-of-a-hat.html"
- rev = 1
- strings:
- $api1 = "WNetAddConnection2W" fullword
- $api2 = "CredEnumerateW" fullword
- $api3 = "DuplicateTokenEx" fullword
- $api4 = "GetIpNetTable"
- $del_tasks = "schtasks /Delete /F /TN drogon" ascii fullword wide
- $dropped_driver = "cscc.dat" ascii fullword wide
- $exec_fmt_str = "%ws C:\\Windows\\%ws,#1 %ws" ascii fullword wide
- $iter_encrypt = { 8D 44 24 3C 50 FF 15 ?? ?? ?? ?? 8D 4C 24 3C 8D 51 02 66 8B 31 83 C1 02 66 3B F7 75 F5 2B CA D1 F9 8D 4C 4C 3C 3B C1 74 07 E8 ?? ?? ?? ?? }
- $share_fmt_str = "\\\\%ws\\admin$\\%ws" ascii fullword wide
- condition:
- (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and filesize < 500KB and all of them
- }
-
-rule FE_Trojan_BADRABBIT_MIMIKATZ
- {
- meta:
- author = "muhammad.umair"
- md5 = "37945c44a897aa42a66adcab68f560e0"
- reference = "https://www.fireeye.com/blog/threat-research/2017/10/backswing-pulling-a-badrabbit-out-of-a-hat.html"
- rev = 1
- strings:
- $api1 = "WriteProcessMemory" fullword
- $api2 = "SetSecurityDescriptorDacl" fullword
- $api_str1 = "BCryptDecrypt" ascii fullword wide
- $mimi_str = "CredentialKeys" ascii fullword wide
- $wait_pipe_seq = { FF 15 ?? ?? ?? ?? 85 C0 74 63 55 BD B8 0B 00 00 57 57 6A 03 8D 44 24 1C 50 57 68 00 00 00 C0 FF 74 24 38 4B FF 15 ?? ?? ?? ?? 8B F0 83 FE FF 75 3B }
- condition:
- (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and filesize < 500KB and all of them
- }
-
-rule FE_Trojan_BADRABBIT_DISKENCRYPTOR
- {
- meta:
- author = "muhammad.umair"
- md5 = "b14d8faf7f0cbcfad051cefe5f39645f"
- reference = "https://www.fireeye.com/blog/threat-research/2017/10/backswing-pulling-a-badrabbit-out-of-a-hat.html"
- rev = 1
- strings:
- $api1 = "CryptAcquireContextW" fullword
- $api2 = "CryptEncrypt" fullword
- $api3 = "NetWkstaGetInfo" fullword
- $decrypt_seq = { 89 5D EC 78 10 7F 07 3D 00 00 00 01 76 07 B8 00 00 00 01 EB 07 C7 45 EC 01 00 00 00 53 50 53 6A 04 53 8B F8 56 89 45 FC 89 7D E8 FF 15 ?? ?? ?? ?? 8B D8 85 DB 74 5F }
- $msg1 = "Disk decryption progress..." ascii fullword wide
- $task_fmt_str = "schtasks /Create /SC ONCE /TN viserion_%u /RU SYSTEM /TR \"%ws\" /ST %02d:%02d:00" ascii fullword wide
- $tok1 = "\\\\.\\dcrypt" ascii fullword wide
- $tok2 = "C:\\Windows\\cscc.dat" ascii fullword wide
- condition:
- (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and filesize < 150KB and all of them
- }
diff --git a/yara-mikesxrs/Fireeye/FE_APT_9002_rat.yar b/yara-mikesxrs/Fireeye/FE_APT_9002_rat.yar
deleted file mode 100644
index 76db8e5..0000000
--- a/yara-mikesxrs/Fireeye/FE_APT_9002_rat.yar
+++ /dev/null
@@ -1,19 +0,0 @@
-rule FE_APT_9002_rat
-
-{
-
- meta:
- author = "FireEye Labs"
- reference = "https://www.fireeye.com/blog/threat-research/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html"
-
- strings:
-
- $mz = {4d 5a}
-
- $a = "rat_UnInstall" wide ascii
-
- condition:
-
- ($mz at 0) and $a
-
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/Fireeye/FE_petya_ransomware,yar b/yara-mikesxrs/Fireeye/FE_petya_ransomware,yar
deleted file mode 100644
index 6c6c7cc..0000000
--- a/yara-mikesxrs/Fireeye/FE_petya_ransomware,yar
+++ /dev/null
@@ -1,75 +0,0 @@
-rule FE_CPE_MS17_010_RANSOMWARE {
-meta:version="1.1"
- //filetype="PE"
- author="Ian.Ahl@fireeye.com @TekDefense, Nicholas.Carr@mandiant.com @ItsReallyNick"
- date="2017-06-27"
- description="Probable PETYA ransomware using ETERNALBLUE, WMIC, PsExec"
- reference = "https://www.fireeye.com/blog/threat-research/2017/06/petya-ransomware-spreading-via-eternalblue-exploit.html"
-strings:
- // DRIVE USAGE
- $dmap01 = "\\\\.\\PhysicalDrive" nocase ascii wide
- $dmap02 = "\\\\.\\PhysicalDrive0" nocase ascii wide
- $dmap03 = "\\\\.\\C:" nocase ascii wide
- $dmap04 = "TERMSRV" nocase ascii wide
- $dmap05 = "\\admin$" nocase ascii wide
- $dmap06 = "GetLogicalDrives" nocase ascii wide
- $dmap07 = "GetDriveTypeW" nocase ascii wide
-
- // RANSOMNOTE
- $msg01 = "WARNING: DO NOT TURN OFF YOUR PC!" nocase ascii wide
- $msg02 = "IF YOU ABORT THIS PROCESS" nocase ascii wide
- $msg03 = "DESTROY ALL OF YOUR DATA!" nocase ascii wide
- $msg04 = "PLEASE ENSURE THAT YOUR POWER CABLE IS PLUGGED" nocase ascii wide
- $msg05 = "your important files are encrypted" ascii wide
- $msg06 = "Your personal installation key" nocase ascii wide
- $msg07 = "worth of Bitcoin to following address" nocase ascii wide
- $msg08 = "CHKDSK is repairing sector" nocase ascii wide
- $msg09 = "Repairing file system on " nocase ascii wide
- $msg10 = "Bitcoin wallet ID" nocase ascii wide
- $msg11 = "wowsmith123456@posteo.net" nocase ascii wide
- $msg12 = "1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX" nocase ascii wide
- $msg_pcre = /(en|de)crypt(ion|ed\.)/
-
- // FUNCTIONALITY, APIS
- $functions01 = "need dictionary" nocase ascii wide
- $functions02 = "comspec" nocase ascii wide
- $functions03 = "OpenProcessToken" nocase ascii wide
- $functions04 = "CloseHandle" nocase ascii wide
- $functions05 = "EnterCriticalSection" nocase ascii wide
- $functions06 = "ExitProcess" nocase ascii wide
- $functions07 = "GetCurrentProcess" nocase ascii wide
- $functions08 = "GetProcAddress" nocase ascii wide
- $functions09 = "LeaveCriticalSection" nocase ascii wide
- $functions10 = "MultiByteToWideChar" nocase ascii wide
- $functions11 = "WideCharToMultiByte" nocase ascii wide
- $functions12 = "WriteFile" nocase ascii wide
- $functions13 = "CoTaskMemFree" nocase ascii wide
- $functions14 = "NamedPipe" nocase ascii wide
- $functions15 = "Sleep" nocase ascii wide // imported, not in strings
-
- // COMMANDS
- // -- Clearing event logs & USNJrnl
- $cmd01 = "wevtutil cl Setup" ascii wide nocase
- $cmd02 = "wevtutil cl System" ascii wide nocase
- $cmd03 = "wevtutil cl Security" ascii wide nocase
- $cmd04 = "wevtutil cl Application" ascii wide nocase
- $cmd05 = "fsutil usn deletejournal" ascii wide nocase
- // -- Scheduled task
- $cmd06 = "schtasks " nocase ascii wide
- $cmd07 = "/Create /SC " nocase ascii wide
- $cmd08 = " /TN " nocase ascii wide
- $cmd09 = "at %02d:%02d %ws" nocase ascii wide
- $cmd10 = "shutdown.exe /r /f" nocase ascii wide
- // -- Sysinternals/PsExec and WMIC
- $cmd11 = "-accepteula -s" nocase ascii wide
- $cmd12 = "wmic"
- $cmd13 = "/node:" nocase ascii wide
- $cmd14 = "process call create" nocase ascii wide
-
-condition:
- // (uint16(0) == 0x5A4D)
- 3 of ($dmap*)
- and 2 of ($msg*)
- and 9 of ($functions*)
- and 7 of ($cmd*)
-}
diff --git a/yara-mikesxrs/Fireeye/Fireeye_red_team_tool_countermeasures.yar b/yara-mikesxrs/Fireeye/Fireeye_red_team_tool_countermeasures.yar
deleted file mode 100644
index cb545f0..0000000
--- a/yara-mikesxrs/Fireeye/Fireeye_red_team_tool_countermeasures.yar
+++ /dev/null
@@ -1,2947 +0,0 @@
-// Copyright 2020 by FireEye, Inc.
-// You may not use this file except in compliance with the license. The license should have been received with this file. You may obtain a copy of the license at:
-// https://github.com/fireeye/red_team_tool_countermeasures/blob/master/LICENSE.txt
-import "pe"
-
-rule HackTool_MSIL_Rubeus_1
-{
- meta:
- description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public Rubeus project."
- md5 = "66e0681a500c726ed52e5ea9423d2654"
- rev = 4
- author = "FireEye"
- strings:
- $typelibguid = "658C8B7F-3664-4A95-9572-A3E5871DFC06" ascii nocase wide
- condition:
- uint16(0) == 0x5A4D and $typelibguid
-}
-rule Trojan_Raw_Generic_4
-{
- meta:
- date_created = "2020-12-02"
- date_modified = "2020-12-02"
- md5 = "f41074be5b423afb02a74bc74222e35d"
- rev = 1
- author = "FireEye"
- strings:
- $s0 = { 83 ?? 02 [1-16] 40 [1-16] F3 A4 [1-16] 40 [1-16] E8 [4-32] FF ( D? | 5? | 1? ) }
- $s1 = { 0F B? [1-16] 4D 5A [1-32] 3C [16-64] 50 45 [8-32] C3 }
- condition:
- uint16(0) != 0x5A4D and all of them
-}
-rule HackTool_Win32_AndrewSpecial_1
-{
- meta:
- date_created = "2020-11-25"
- date_modified = "2020-11-25"
- md5 = "e89efa88e3fda86be48c0cc8f2ef7230"
- rev = 4
- author = "FireEye"
- strings:
- $dump = { 6A 00 68 FF FF 1F 00 FF 15 [4] 89 45 ?? 83 [2] 00 [1-50] 6A 00 68 80 00 00 00 6A 02 6A 00 6A 00 68 00 00 00 10 68 [4] FF 15 [4] 89 45 [10-70] 6A 00 6A 00 6A 00 6A 02 8B [2-4] 5? 8B [2-4] 5? 8B [2-4] 5? E8 [4-20] FF 15 }
- $shellcode_x86 = { B8 3C 00 00 00 33 C9 8D 54 24 04 64 FF 15 C0 00 00 00 83 C4 04 C2 14 00 }
- $shellcode_x86_inline = { C6 45 ?? B8 C6 45 ?? 3C C6 45 ?? 00 C6 45 ?? 00 C6 45 ?? 00 C6 45 ?? 33 C6 45 ?? C9 C6 45 ?? 8D C6 45 ?? 54 C6 45 ?? 24 C6 45 ?? 04 C6 45 ?? 64 C6 45 ?? FF C6 45 ?? 15 C6 45 ?? C0 C6 45 ?? 00 C6 45 ?? 00 C6 45 ?? 00 C6 45 ?? 83 C6 45 ?? C4 C6 45 ?? 04 C6 45 ?? C2 C6 45 ?? 14 C6 45 ?? 00 }
- condition:
- (uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and (uint16(uint32(0x3C)+0x18) == 0x010B) and $dump and any of ($shellcode*)
-}
-rule APT_Backdoor_Win_GORAT_3
-{
- meta:
- description = "This rule uses the same logic as FE_APT_Trojan_Win_GORAT_1_FEBeta with the addition of one check, to look for strings that are known to be in the Gorat implant when a certain cleaning script is not run against it."
- md5 = "995120b35db9d2f36d7d0ae0bfc9c10d"
- rev = 5
- author = "FireEye"
- strings:
- $dirty1 = "fireeye" ascii nocase wide
- $dirty2 = "kulinacs" ascii nocase wide
- $dirty3 = "RedFlare" ascii nocase wide
- $dirty4 = "gorat" ascii nocase wide
- $dirty5 = "flare" ascii nocase wide
- $go1 = "go.buildid" ascii wide
- $go2 = "Go build ID:" ascii wide
- $json1 = "json:\"pid\"" ascii wide
- $json2 = "json:\"key\"" ascii wide
- $json3 = "json:\"agent_time\"" ascii wide
- $json4 = "json:\"rid\"" ascii wide
- $json5 = "json:\"ports\"" ascii wide
- $json6 = "json:\"agent_platform\"" ascii wide
- $rat = "rat" ascii wide
- $str1 = "handleCommand" ascii wide
- $str2 = "sendBeacon" ascii wide
- $str3 = "rat.AgentVersion" ascii wide
- $str4 = "rat.Core" ascii wide
- $str5 = "rat/log" ascii wide
- $str6 = "rat/comms" ascii wide
- $str7 = "rat/modules" ascii wide
- $str8 = "murica" ascii wide
- $str9 = "master secret" ascii wide
- $str10 = "TaskID" ascii wide
- $str11 = "rat.New" ascii wide
- condition:
- uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and filesize < 10MB and all of ($go*) and all of ($json*) and all of ($str*) and #rat > 1000 and any of ($dirty*)
-}
-rule CredTheft_Win_EXCAVATOR_1
-{
- meta:
- description = "This rule looks for the binary signature of the 'Inject' method found in the main Excavator PE."
- md5 = "f7d9961463b5110a3d70ee2e97842ed3" - rev = 4 - author = "FireEye" - strings: - $bytes1 = { 48 89 74 24 10 48 89 7C 24 18 4C 89 74 24 20 55 48 8D 6C 24 E0 48 81 EC 20 01 00 00 48 8B 05 75 BF 01 00 48 33 C4 48 89 45 10 0F 57 C0 45 33 F6 8B F1 4C 89 74 24 60 48 8D 0D 12 A1 01 00 4C 89 74 24 68 0F 11 45 A0 41 8B FE 4C 89 74 24 70 0F 11 45 B0 0F 11 45 C0 0F 11 45 D0 0F 11 45 E0 0F 11 45 F0 0F 11 45 00 FF 15 CB 1F 01 00 48 85 C0 75 1B FF 15 80 1F 01 00 8B D0 48 8D 0D DF A0 01 00 E8 1A FF FF FF 33 C0 E9 B4 02 00 00 48 8D 15 D4 A0 01 00 48 89 9C 24 30 01 00 00 48 8B C8 FF 15 4B 1F 01 00 48 8B D8 48 85 C0 75 19 FF 15 45 1F 01 00 8B D0 48 8D 0D A4 A0 01 00 E8 DF FE FF FF E9 71 02 00 00 48 8B 4C 24 60 48 8D 44 24 60 45 33 C9 48 89 44 24 20 45 33 C0 BA 00 00 00 02 FF D3 85 C0 75 45 66 66 0F 1F 84 00 00 00 00 00 48 8B 4C 24 60 FF 15 4D 1F 01 00 3B C6 74 22 48 8B 4C 24 60 48 8D 44 24 60 45 33 C9 48 89 44 24 20 45 33 C0 BA 00 00 00 02 FF D3 85 C0 74 D1 EB 0A 48 8B 44 24 60 48 89 44 24 70 66 0F 6F 15 6D A0 01 00 48 8D 05 A6 C8 01 00 B9 C8 05 00 00 90 F3 0F 6F 40 F0 48 8D 40 40 66 0F 6F CA 66 0F EF C8 F3 0F 7F 48 B0 66 0F 6F CA F3 0F 6F 40 C0 66 0F EF C8 F3 0F 7F 48 C0 66 0F 6F CA F3 0F 6F 40 D0 66 0F EF C8 F3 0F 7F 48 D0 F3 0F 6F 40 E0 66 0F EF C2 F3 0F 7F 40 E0 48 83 E9 01 75 B2 FF 15 CC 1E 01 00 4C 8D 44 24 78 BA 0A 00 00 00 48 8B C8 FF 15 01 1E 01 00 85 C0 0F 84 66 01 00 00 48 8B 4C 24 78 48 8D 45 80 41 B9 02 00 00 00 48 89 44 24 28 45 33 C0 C7 44 24 20 02 00 00 00 41 8D 51 09 FF 15 D8 1D 01 00 85 C0 0F 84 35 01 00 00 45 33 C0 4C 8D 4C 24 68 33 C9 41 8D 50 01 FF 15 5C 1E 01 00 FF 15 06 1E 01 00 4C 8B 44 24 68 33 D2 48 8B C8 FF 15 DE 1D 01 00 48 8B F8 48 85 C0 0F 84 FF 00 00 00 45 33 C0 4C 8D 4C 24 68 48 8B C8 41 8D 50 01 FF 15 25 1E 01 00 85 C0 0F 84 E2 00 00 00 4C 89 74 24 30 4C 8D 4C 24 70 4C 89 74 24 28 33 D2 41 B8 00 00 02 00 48 C7 44 24 20 08 00 00 00 48 8B CF FF 15 6C 1D 01 00 85 C0 0F 84 B1 00 00 00 48 8B 4D 80 48 8D 45 88 48 89 44 24 50 4C 8D 05 58 39 03 00 48 
8D 45 A0 48 89 7D 08 48 89 44 24 48 45 33 C9 4C 89 74 24 40 33 D2 4C 89 74 24 38 C7 44 24 30 04 00 08 00 44 89 74 24 28 4C 89 74 24 20 FF 15 0C 1D 01 00 85 C0 74 65 48 8B 4C 24 70 8B 5D 98 FF 15 1A 1D 01 00 48 8B 4D 88 FF 15 10 1D 01 00 48 8B 4D 90 FF 15 06 1D 01 00 44 8B C3 33 D2 B9 3A 04 00 00 FF 15 4E 1D 01 00 48 8B D8 48 85 C0 74 2B 48 8B C8 E8 4E 06 00 00 48 85 C0 74 1E BA FF FF FF FF 48 8B C8 FF 15 3B 1D 01 00 48 8B CB FF 15 CA 1C 01 00 B8 01 00 00 00 EB 24 FF 15 DD 1C 01 00 8B D0 48 8D 0D 58 9E 01 00 E8 77 FC FF FF 48 85 FF 74 09 48 8B CF FF 15 A9 1C 01 00 33 C0 48 8B 9C 24 30 01 00 00 48 8B 4D 10 48 33 CC E8 03 07 00 00 4C 8D 9C 24 20 01 00 00 49 8B 73 18 49 8B 7B 20 4D 8B 73 28 49 8B E3 5D C3 } - $bytes2 = { 48 89 74 24 10 48 89 7C 24 18 4C 89 74 24 20 55 48 8D 6C 24 E0 48 81 EC 2? ?1 ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 33 C4 48 89 45 10 0F 57 C0 45 33 F6 8B F1 4C 89 74 24 60 48 ?? ?? ?? ?? ?? ?? 4C 89 74 24 68 0F 11 45 A0 41 8B FE 4C 89 74 24 70 0F 11 45 B0 0F 11 45 C0 0F 11 45 D0 0F 11 45 E0 0F 11 45 F0 0F 11 45 ?? FF ?? ?? ?? ?? ?? 48 85 C0 75 ?? FF ?? ?? ?? ?? ?? 8B D0 48 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 E9 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 89 9C 24 3? ?1 ?? ?? 48 8B C8 FF ?? ?? ?? ?? ?? 48 8B D8 48 85 C0 75 ?? FF ?? ?? ?? ?? ?? 8B D0 48 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 48 8B 4C 24 60 48 8D 44 24 60 45 33 C9 48 89 44 24 20 45 33 C0 BA ?? ?? ?? ?? FF D3 85 C0 75 ?? 66 66 0F 1F 84 ?? ?? ?? ?? ?? 48 8B 4C 24 60 FF ?? ?? ?? ?? ?? 3B C6 74 ?? 48 8B 4C 24 60 48 8D 44 24 60 45 33 C9 48 89 44 24 20 45 33 C0 BA ?? ?? ?? ?? FF D3 85 C0 74 ?? EB ?? 48 8B 44 24 60 48 89 44 24 70 66 0F 6F 15 6D A? ?1 ?? 48 ?? ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? 90 F3 0F 6F 40 F0 48 8D 40 40 66 0F 6F CA 66 0F EF C8 F3 0F 7F 48 B0 66 0F 6F CA F3 0F 6F 40 C0 66 0F EF C8 F3 0F 7F 48 C0 66 0F 6F CA F3 0F 6F 40 D0 66 0F EF C8 F3 0F 7F 48 D0 F3 0F 6F 40 E0 66 0F EF C2 F3 0F 7F 40 E0 48 83 E9 01 75 ?? FF ?? ?? ?? ?? ?? 4C 8D 44 24 78 BA 0A ?? ?? ?? 48 8B C8 FF ?? ?? ?? ?? ?? 
85 C0 0F 84 ?? ?? ?? ?? 48 8B 4C 24 78 48 8D 45 80 41 B9 02 ?? ?? ?? 48 89 44 24 28 45 33 C0 C7 44 24 2? ?2 ?? ?? ?? 41 8D 51 09 FF ?? ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 45 33 C0 4C 8D 4C 24 68 33 C9 41 8D 5? ?1 FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 4C 8B 44 24 68 33 D2 48 8B C8 FF ?? ?? ?? ?? ?? 48 8B F8 48 85 C0 0F 84 ?? ?? ?? ?? 45 33 C0 4C 8D 4C 24 68 48 8B C8 41 8D 5? ?1 FF ?? ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 4C 89 74 24 30 4C 8D 4C 24 70 4C 89 74 24 28 33 D2 41 ?? ?? ?? ?? ?? 48 C7 44 24 2? ?8 ?? ?? ?? 48 8B CF FF ?? ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 48 8B 4D 80 48 8D 45 88 48 89 44 24 50 4C ?? ?? ?? ?? ?? ?? 48 8D 45 A0 48 89 7D 08 48 89 44 24 48 45 33 C9 4C 89 74 24 40 33 D2 4C 89 74 24 38 C7 ?? ?? ?? ?? ?? ?? ?? 44 89 74 24 28 4C 89 74 24 20 FF ?? ?? ?? ?? ?? 85 C0 74 ?? 48 8B 4C 24 70 8B 5D 98 FF ?? ?? ?? ?? ?? 48 8B 4D 88 FF ?? ?? ?? ?? ?? 48 8B 4D 90 FF ?? ?? ?? ?? ?? 44 8B C3 33 D2 B9 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 48 8B D8 48 85 C0 74 ?? 48 8B C8 E8 ?? ?? ?? ?? 48 85 C0 74 ?? BA ?? ?? ?? ?? 48 8B C8 FF ?? ?? ?? ?? ?? 48 8B CB FF ?? ?? ?? ?? ?? B8 01 ?? ?? ?? EB ?? FF ?? ?? ?? ?? ?? 8B D0 48 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 85 FF 74 ?? 48 8B CF FF ?? ?? ?? ?? ?? 33 C0 48 8B 9C 24 3? ?1 ?? ?? 48 8B 4D 10 48 33 CC E8 ?? ?? ?? ?? 4C 8D 9C 24 2? ?1 ?? ?? 49 8B 73 18 49 8B 7B 20 4D 8B 73 28 49 8B E3 5D C3 } - $bytes3 = { 48 89 74 24 10 48 89 7C 24 18 4C 89 74 24 20 55 48 8D 6C 24 E0 48 81 EC 2? ?1 ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 33 C4 48 89 45 10 0F 57 C0 45 33 F6 8B F1 4C 89 74 24 60 48 ?? ?? ?? ?? ?? ?? 4C 89 74 24 68 0F 11 45 A0 41 8B FE 4C 89 74 24 70 0F 11 45 B0 0F 11 45 C0 0F 11 45 D0 0F 11 45 E0 0F 11 45 F0 0F 11 45 ?? FF ?? ?? ?? ?? ?? 48 85 C0 75 ?? FF ?? ?? ?? ?? ?? 8B D0 48 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 E9 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 89 9C 24 3? ?1 ?? ?? 48 8B C8 FF ?? ?? ?? ?? ?? 48 8B D8 48 85 C0 75 ?? FF ?? ?? ?? ?? ?? 8B D0 48 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 
48 8B 4C 24 60 48 8D 44 24 60 45 33 C9 48 89 44 24 20 45 33 C0 BA ?? ?? ?? ?? FF D3 85 C0 75 ?? 66 66 0F 1F 84 ?? ?? ?? ?? ?? 48 8B 4C 24 60 FF ?? ?? ?? ?? ?? 3B C6 74 ?? 48 8B 4C 24 60 48 8D 44 24 60 45 33 C9 48 89 44 24 20 45 33 C0 BA ?? ?? ?? ?? FF D3 85 C0 74 ?? EB ?? 48 8B 44 24 60 48 89 44 24 70 66 0F 6F 15 6D A? ?1 ?? 48 ?? ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? 90 F3 0F 6F 40 F0 48 8D 40 40 66 0F 6F CA 66 0F EF C8 F3 0F 7F 48 B0 66 0F 6F CA F3 0F 6F 40 C0 66 0F EF C8 F3 0F 7F 48 C0 66 0F 6F CA F3 0F 6F 40 D0 66 0F EF C8 F3 0F 7F 48 D0 F3 0F 6F 40 E0 66 0F EF C2 F3 0F 7F 40 E0 48 83 E9 01 75 ?? FF ?? ?? ?? ?? ?? 4C 8D 44 24 78 BA 0A ?? ?? ?? 48 8B C8 FF ?? ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 48 8B 4C 24 78 48 8D 45 80 41 B9 02 ?? ?? ?? 48 89 44 24 28 45 33 C0 C7 44 24 2? ?2 ?? ?? ?? 41 8D 51 09 FF ?? ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 45 33 C0 4C 8D 4C 24 68 33 C9 41 8D 5? ?1 FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 4C 8B 44 24 68 33 D2 48 8B C8 FF ?? ?? ?? ?? ?? 48 8B F8 48 85 C0 0F 84 ?? ?? ?? ?? 45 33 C0 4C 8D 4C 24 68 48 8B C8 41 8D 5? ?1 FF ?? ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 4C 89 74 24 30 4C 8D 4C 24 70 4C 89 74 24 28 33 D2 41 ?? ?? ?? ?? ?? 48 C7 44 24 2? ?8 ?? ?? ?? 48 8B CF FF ?? ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 48 8B 4D 80 48 8D 45 88 48 89 44 24 50 4C ?? ?? ?? ?? ?? ?? 48 8D 45 A0 48 89 7D 08 48 89 44 24 48 45 33 C9 4C 89 74 24 40 33 D2 4C 89 74 24 38 C7 ?? ?? ?? ?? ?? ?? ?? 44 89 74 24 28 4C 89 74 24 20 FF ?? ?? ?? ?? ?? 85 C0 74 ?? 48 8B 4C 24 70 8B 5D 98 FF ?? ?? ?? ?? ?? 48 8B 4D 88 FF ?? ?? ?? ?? ?? 48 8B 4D 90 FF ?? ?? ?? ?? ?? 44 8B C3 33 D2 B9 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 48 8B D8 48 85 C0 74 ?? 48 8B C8 E8 ?? ?? ?? ?? 48 85 C0 74 ?? BA ?? ?? ?? ?? 48 8B C8 FF ?? ?? ?? ?? ?? 48 8B CB FF ?? ?? ?? ?? ?? B8 01 ?? ?? ?? EB ?? FF ?? ?? ?? ?? ?? 8B D0 48 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 85 FF 74 ?? 48 8B CF FF ?? ?? ?? ?? ?? 33 C0 48 8B 9C 24 3? ?1 ?? ?? 48 8B 4D 10 48 33 CC E8 ?? ?? ?? ?? 4C 8D 9C 24 2? ?1 ?? ?? 
49 8B 73 18 49 8B 7B 20 4D 8B 73 28 49 8B E3 5D C3 } - $bytes4 = { 48 89 74 24 ?? 48 89 7C 24 ?? 4C 89 74 24 ?? 55 48 8D 6C 24 ?? 48 81 EC 20 01 00 00 48 8B 05 ?? ?? ?? ?? 48 33 C4 48 89 45 ?? 0F 57 C0 45 33 F6 8B F1 4C 89 74 24 ?? 48 8D 0D ?? ?? ?? ?? 4C 89 74 24 ?? 0F 11 45 ?? 41 8B FE 4C 89 74 24 ?? 0F 11 45 ?? 0F 11 45 ?? 0F 11 45 ?? 0F 11 45 ?? 0F 11 45 ?? 0F 11 45 ?? FF 15 ?? ?? ?? ?? 48 85 C0 75 ?? FF 15 ?? ?? ?? ?? 8B D0 48 8D 0D ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 E9 ?? ?? ?? ?? 48 8D 15 ?? ?? ?? ?? 48 89 9C 24 ?? ?? ?? ?? 48 8B C8 FF 15 ?? ?? ?? ?? 48 8B D8 48 85 C0 75 ?? FF 15 ?? ?? ?? ?? 8B D0 48 8D 0D ?? ?? ?? ?? E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 48 8B 4C 24 ?? 48 8D 44 24 ?? 45 33 C9 48 89 44 24 ?? 45 33 C0 BA 00 00 00 02 FF D3 85 C0 75 ?? 66 66 0F 1F 84 00 ?? ?? 00 00 48 8B 4C 24 ?? FF 15 ?? ?? ?? ?? 3B C6 74 ?? 48 8B 4C 24 ?? 48 8D 44 24 ?? 45 33 C9 48 89 44 24 ?? 45 33 C0 BA 00 00 00 02 FF D3 85 C0 74 ?? EB ?? 48 8B 44 24 ?? 48 89 44 24 ?? 66 0F 6F 15 ?? ?? 01 00 48 8D 05 ?? ?? ?? ?? B9 C8 05 00 00 90 F3 0F 6F 40 ?? 48 8D 40 ?? 66 0F 6F CA 66 0F EF C8 F3 0F 7F 48 ?? 66 0F 6F CA F3 0F 6F 40 ?? 66 0F EF C8 F3 0F 7F 48 ?? 66 0F 6F CA F3 0F 6F 40 ?? 66 0F EF C8 F3 0F 7F 48 ?? F3 0F 6F 40 ?? 66 0F EF C2 F3 0F 7F 40 ?? 48 83 E9 01 75 ?? FF 15 ?? ?? ?? ?? 4C 8D 44 24 ?? BA 0A 00 00 00 48 8B C8 FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 48 8B 4C 24 ?? 48 8D 45 ?? 41 B9 02 00 00 00 48 89 44 24 ?? 45 33 C0 C7 44 24 ?? 02 00 00 00 41 8D 51 ?? FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 45 33 C0 4C 8D 4C 24 ?? 33 C9 41 8D 50 ?? FF 15 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 4C 8B 44 24 ?? 33 D2 48 8B C8 FF 15 ?? ?? ?? ?? 48 8B F8 48 85 C0 0F 84 ?? ?? ?? ?? 45 33 C0 4C 8D 4C 24 ?? 48 8B C8 41 8D 50 ?? FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 4C 89 74 24 ?? 4C 8D 4C 24 ?? 4C 89 74 24 ?? 33 D2 41 B8 00 00 02 00 48 C7 44 24 ?? 08 00 00 00 48 8B CF FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 48 8B 4D ?? 48 8D 45 ?? 48 89 44 24 ?? 4C 8D 05 ?? ?? ?? ?? 48 8D 45 ?? 48 89 7D ?? 
48 89 44 24 ?? 45 33 C9 4C 89 74 24 ?? 33 D2 4C 89 74 24 ?? C7 44 24 ?? 04 00 08 00 44 89 74 24 ?? 4C 89 74 24 ?? FF 15 ?? ?? ?? ?? 85 C0 74 ?? 48 8B 4C 24 ?? 8B 5D ?? FF 15 ?? ?? ?? ?? 48 8B 4D ?? FF 15 ?? ?? ?? ?? 48 8B 4D ?? FF 15 ?? ?? ?? ?? 44 8B C3 33 D2 B9 3A 04 00 00 FF 15 ?? ?? ?? ?? 48 8B D8 48 85 C0 74 ?? 48 8B C8 E8 ?? ?? ?? ?? 48 85 C0 74 ?? BA FF FF FF FF 48 8B C8 FF 15 ?? ?? ?? ?? 48 8B CB FF 15 ?? ?? ?? ?? B8 01 00 00 00 EB ?? FF 15 ?? ?? ?? ?? 8B D0 48 8D 0D ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 85 FF 74 ?? 48 8B CF FF 15 ?? ?? ?? ?? 33 C0 48 8B 9C 24 ?? ?? ?? ?? 48 8B 4D ?? 48 33 CC E8 ?? ?? ?? ?? 4C 8D 9C 24 ?? ?? ?? ?? 49 8B 73 ?? 49 8B 7B ?? 4D 8B 73 ?? 49 8B E3 5D C3 }
- condition:
- uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and any of ($bytes*)
-}
-rule APT_Loader_Win64_REDFLARE_1
-{
- meta:
- date_created = "2020-11-27"
- date_modified = "2020-11-27"
- md5 = "f20824fa6e5c81e3804419f108445368"
- rev = 1
- author = "FireEye"
- strings:
- $alloc_n_load = { 41 B9 40 00 00 00 41 B8 00 30 00 00 33 C9 [1-10] FF 50 [4-80] F3 A4 [30-120] 48 6B C9 28 [3-20] 48 6B C9 28 }
- $const_values = { 0F B6 ?? 83 C? 20 83 F? 6D [2-20] 83 C? 20 83 F? 7A }
- condition:
- (uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and (uint16(uint32(0x3C)+0x18) == 0x020B) and all of them
-}
-rule APT_Loader_Raw64_REDFLARE_1
-{
- meta:
- date_created = "2020-11-27"
- date_modified = "2020-11-27"
- md5 = "5e14f77f85fd9a5be46e7f04b8a144f5"
- rev = 1
- author = "FireEye"
- strings:
- $load = { EB ?? 58 48 8B 10 4C 8B 48 ?? 48 8B C8 [1-10] 48 83 C1 ?? 48 03 D1 FF }
- condition:
- (uint16(0) != 0x5A4D) and all of them
-}
-rule HackTool_MSIL_SHARPZEROLOGON_1
-{
- meta:
- description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public 'sharpzerologon' project."
- md5 = "dd8805d0e470e59b829d98397507d8c2"
- rev = 3
- author = "FireEye"
- strings:
- $typelibguid0 = "15ce9a3c-4609-4184-87b2-e29fc5e2b770" ascii nocase wide
- condition:
- (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
-}
-rule HackTool_MSIL_CoreHound_1
-{
- meta:
- description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'CoreHound' project."
- md5 = "dd8805d0e470e59b829d98397507d8c2"
- rev = 1
- author = "FireEye"
- strings:
- $typelibguid0 = "1fff2aee-a540-4613-94ee-4f208b30c599" ascii nocase wide
- condition:
- (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
-}
-rule Loader_MSIL_NETAssemblyInject_1
-{
- meta:
- description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'NET-Assembly-Inject' project."
- md5 = "dd8805d0e470e59b829d98397507d8c2"
- rev = 2
- author = "FireEye"
- strings:
- $typelibguid0 = "af09c8c3-b271-4c6c-8f48-d5f0e1d1cac6" ascii nocase wide
- $typelibguid1 = "c5e56650-dfb0-4cd9-8d06-51defdad5da1" ascii nocase wide
- $typelibguid2 = "e8fa7329-8074-4675-9588-d73f88a8b5b6" ascii nocase wide
- condition:
- (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
-}
-rule Hunting_GadgetToJScript_1
-{
- meta:
- description = "This rule is looking for B64 offsets of LazyNetToJscriptLoader which is a namespace specific to the internal version of the GadgetToJScript tooling."
- md5 = "7af24305a409a2b8f83ece27bb0f7900"
- rev = 4
- author = "FireEye"
- strings:
- $s1 = "GF6eU5ldFRvSnNjcmlwdExvYWRl"
- $s2 = "henlOZXRUb0pzY3JpcHRMb2Fk"
- $s3 = "YXp5TmV0VG9Kc2NyaXB0TG9hZGV"
- condition:
- any of them
-}
-rule Trojan_MSIL_GORAT_Plugin_DOTNET_1
-{
- meta:
- description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'RedFlare - Plugin - .NET' project."
- md5 = "dd8805d0e470e59b829d98397507d8c2"
- rev = 1
- author = "FireEye"
- strings:
- $typelibguid0 = "cd9407d0-fc8d-41ed-832d-da94daa3e064" ascii nocase wide
- $typelibguid1 = "fc3daedf-1d01-4490-8032-b978079d8c2d" ascii nocase wide
- condition:
- (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
-}
-rule APT_Trojan_Win_REDFLARE_1
-{
- meta:
- date_created = "2020-11-27"
- date_modified = "2020-11-27"
- md5 = "100d73b35f23b2fe84bf7cd37140bf4d,4e7e90c7147ee8aa01275894734f4492"
- rev = 3
- author = "FireEye"
- strings:
- $1 = "initialize" fullword
- $2 = "runCommand" fullword
- $3 = "stop" fullword
- $4 = "fini" fullword
- $5 = "VirtualAllocEx" fullword
- $6 = "WriteProcessMemory" fullword
- condition:
- (uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and all of them
-}
-rule APT_Dropper_Win64_MATRYOSHKA_1
-{
- meta:
- date_created = "2020-12-02"
- date_modified = "2020-12-02"
- description = "matryoshka_dropper.rs"
- md5 = "edcd58ba5b1b87705e95089002312281"
- rev = 1
- author = "FireEye"
- strings:
- $sb1 = { 8D 8D [4] E8 [4] 49 89 D0 C6 [2-6] 01 C6 [2-6] 01 [0-8] C7 44 24 ?? 0E 00 00 00 4C 8D 0D [4] 48 8D 8D [4] 48 89 C2 E8 [4] C6 [2-6] 01 C6 [2-6] 01 48 89 E9 48 8D 95 [4] E8 [4] 83 [2] 01 0F 8? [4] 48 01 F3 48 29 F7 48 [2] 08 48 89 85 [4] C6 [2-6] 01 C6 [2-6] 01 C6 [2-6] 01 48 8D 8D [4] 48 89 DA 49 89 F8 E8 }
- $sb2 = { 0F 29 45 ?? 48 C7 45 ?? 00 00 00 00 0F 29 45 ?? 0F 29 45 ?? 0F 29 45 ?? 0F 29 45 ?? 0F 29 45 ?? 0F 29 45 ?? 48 C7 45 ?? 00 00 00 00 C7 45 ?? 68 00 00 00 48 8B [2] 48 8D [2] 48 89 [3] 48 89 [3] 0F 11 44 24 ?? C7 44 24 ?? 08 00 00 0C C7 44 24 ?? 00 00 00 00 31 ?? 48 89 ?? 31 ?? 45 31 ?? 45 31 ?? E8 [4] 83 F8 01 }
- condition:
- (uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and (uint16(uint32(0x3C)+0x18) == 0x020B) and all of them
-}
-rule APT_HackTool_MSIL_SHARPGOPHER_1
-{
- meta:
- description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'sharpgopher' project."
- md5 = "dd8805d0e470e59b829d98397507d8c2"
- rev = 2
- author = "FireEye"
- strings:
- $typelibguid0 = "83413a89-7f5f-4c3f-805d-f4692bc60173" ascii nocase wide
- condition:
- (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
-}
-rule HackTool_MSIL_KeeFarce_1
-{
- meta:
- description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'KeeFarce' project."
- md5 = "dd8805d0e470e59b829d98397507d8c2"
- rev = 3
- author = "FireEye"
- strings:
- $typelibguid0 = "17589ea6-fcc9-44bb-92ad-d5b3eea6af03" ascii nocase wide
- condition:
- (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
-}
-rule APT_Backdoor_Win_GORAT_1
-{
- meta:
- description = "This detects if a sample is less than 50KB and has a number of strings found in the Gorat shellcode (stage0 loader). The loader contains an embedded DLL (stage0.dll) that contains a number of unique strings. The 'Cookie' string found in this loader is important as this cookie is needed by the C2 server to download the Gorat implant (stage1 payload)."
- md5 = "66cdaa156e4d372cfa3dea0137850d20"
- rev = 4
- author = "FireEye"
- strings:
- $s1 = "httpComms.dll" ascii wide
- $s2 = "Cookie: SID1=%s" ascii wide
- $s3 = "Global\\" ascii wide
- $s4 = "stage0.dll" ascii wide
- $s5 = "runCommand" ascii wide
- $s6 = "getData" ascii wide
- $s7 = "initialize" ascii wide
- $s8 = "Windows NT %d.%d;" ascii wide
- $s9 = "!This program cannot be run in DOS mode." ascii wide
- condition:
- filesize < 50KB and all of them
-}
-rule APT_Dropper_Win_MATRYOSHKA_1
-{
- meta:
- date_created = "2020-12-02"
- date_modified = "2020-12-02"
- description = "matryoshka_dropper.rs"
- md5 = "edcd58ba5b1b87705e95089002312281"
- rev = 1
- author = "FireEye"
- strings:
- $s1 = "\x00matryoshka.exe\x00"
- $s2 = "\x00Unable to write data\x00"
- $s3 = "\x00Error while spawning process. NTStatus: \x0a\x00"
- $s4 = "\x00.execmdstart/Cfailed to execute process\x00"
- condition:
- (uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and all of them
-}
-rule Loader_Win_Generic_20
-{
- meta:
- date_created = "2020-12-02"
- date_modified = "2020-12-02"
- md5 = "5125979110847d35a338caac6bff2aa8"
- rev = 1
- author = "FireEye"
- strings:
- $s0 = { 8B [1-16] 89 [1-16] E8 [4-32] F3 A4 [0-16] 89 [1-8] E8 }
- $s2 = { 83 EC [4-24] 00 10 00 00 [4-24] C7 44 24 ?? ?? 00 00 00 [0-8] FF 15 [4-24] 89 [1-4] 89 [1-4] 89 [1-8] FF 15 [4-16] 3? ?? 7? [4-24] 20 00 00 00 [4-24] FF 15 [4-32] F3 A5 }
- $si1 = "VirtualProtect" fullword
- $si2 = "malloc" fullword
- condition:
- (uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and all of them
-}
-rule APT_Loader_Win32_PGF_2
-{
- meta:
- date_created = "2020-11-25"
- date_modified = "2020-11-25"
- description = "base dlls: /lib/payload/techniques/dllmain/"
- md5 = "04eb45f8546e052fe348fda2425b058c"
- rev = 1
- author = "FireEye"
- strings:
- $sb1 = { 6A ?? FF 15 [4-16] 8A ?? 04 [0-16] 8B ?? 1C [0-64] 0F 10 ?? 66 0F EF C8 0F 11 [0-32] 30 [2] 8D [2] 4? 83 [2] 7? }
- $sb2 = { 8B ?? 08 [0-16] 6A 40 68 00 30 00 00 5? 6A 00 [0-32] FF 15 [4-32] 5? [0-16] E8 [4-64] C1 ?? 04 [0-32] 8A [2] 3? [2] 4? 3? ?? 24 ?? 7? }
- $sb3 = { 8B ?? 3C [0-16] 03 [1-64] 0F B? ?? 14 [0-32] 83 ?? 18 [0-32] 66 3? ?? 06 [4-32] 68 [4] 5? FF 15 [4-16] 85 C0 [2-32] 83 ?? 28 0F B? ?? 06 }
- condition:
- (uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and (uint16(uint32(0x3C)+0x18) == 0x010B) and all of them
-}
-rule APT_HackTool_MSIL_REDTEAMMATERIALS_1
-{
- meta:
- description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'red_team_materials' project."
- md5 = "dd8805d0e470e59b829d98397507d8c2"
- rev = 3
- author = "FireEye"
- strings:
- $typelibguid0 = "86c95a99-a2d6-4ebe-ad5f-9885b06eab12" ascii nocase wide
- $typelibguid1 = "e06f1411-c7f8-4538-bbb9-46c928732245" ascii nocase wide
- condition:
- (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
-}
-rule APT_Trojan_Win_REDFLARE_7
-{
- meta:
- date_created = "2020-12-02"
- date_modified = "2020-12-02"
- md5 = "e7beece34bdf67cbb8297833c5953669, 8025bcbe3cc81fc19021ad0fbc11cf9b"
- rev = 1
- author = "FireEye"
- strings:
- $1 = "initialize" fullword
- $2 = "getData" fullword
- $3 = "putData" fullword
- $4 = "fini" fullword
- $5 = "NamedPipe"
- $named_pipe = { 88 13 00 00 [1-8] E8 03 00 00 [20-60] 00 00 00 00 [1-8] 00 00 00 00 [1-40] ( 6A 00 6A 00 6A 03 6A 00 6A 00 68 | 00 00 00 00 [1-6] 00 00 00 00 [1-6] 03 00 00 00 45 33 C? 45 33 C? BA ) 00 00 00 C0 [2-10] FF 15 [4-30] FF 15 [4-7] E7 00 00 00 [4-40] FF 15 [4] 85 C0 }
- condition:
- (uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and all of them
-}
-rule APT_Trojan_Win_REDFLARE_8
-{
- meta:
- date_created = "2020-12-02"
- date_modified = "2020-12-02"
- md5 = "9c8eb908b8c1cda46e844c24f65d9370, 9e85713d615bda23785faf660c1b872c"
- rev = 1
- author = "FireEye"
- strings:
- $1 = "PSRunner.PSRunner" fullword
- $2 = "CorBindToRuntime" fullword
- $3 = "ReportEventW" fullword
- $4 = "InvokePS" fullword wide
- $5 = "runCommand" fullword
- $6 = "initialize" fullword
- $trap = { 03 40 00 80 E8 [4] CC }
- condition:
- (uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and all of them
-}
-rule APT_Backdoor_Win_GORAT_5
-{
- meta:
- date_created = "2020-12-02"
- date_modified = "2020-12-02"
- md5 = "cdf58a48757010d9891c62940c439adb, a107850eb20a4bb3cc59dbd6861eaf0f"
- rev = 1
- author = "FireEye"
- strings:
- $1 = "comms.BeaconData" fullword
- $2 = "comms.CommandResponse" fullword
- $3 = "rat.BaseChannel" fullword
- $4 = "rat.Config" fullword
- $5 = "rat.Core" fullword
- $6 = "platforms.AgentPlatform" fullword
- $7 = "GetHostID" fullword
- $8 = "/rat/cmd/gorat_shared/dllmain.go" fullword
- condition:
- (uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and all of them
-}
-rule APT_HackTool_MSIL_GPOHUNT_1
-{
- meta:
- description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'gpohunt' project."
- md5 = "dd8805d0e470e59b829d98397507d8c2" - rev = 3 - author = "FireEye" - strings: - $typelibguid0 = "751a9270-2de0-4c81-9e29-872cd6378303" ascii nocase wide - condition: - (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them -} -rule APT_HackTool_MSIL_JUSTASK_1 -{ - meta: - description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'justask' project." - md5 = "dd8805d0e470e59b829d98397507d8c2" - rev = 2 - author = "FireEye" - strings: - $typelibguid0 = "aa59be52-7845-4fed-9ea5-1ea49085d67a" ascii nocase wide - condition: - (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them -} -rule APT_Trojan_Win_REDFLARE_4 -{ - meta: - date_created = "2020-12-01" - date_modified = "2020-12-01" - md5 = "a8b5dcfea5e87bf0e95176daa243943d, 9dcb6424662941d746576e62712220aa" - rev = 2 - author = "FireEye" - strings: - $s1 = "LogonUserW" fullword - $s2 = "ImpersonateLoggedOnUser" fullword - $s3 = "runCommand" fullword - $user_logon = { 22 02 00 00 [1-10] 02 02 00 00 [0-4] E8 [4-40] ( 09 00 00 00 [1-10] 03 00 00 00 | 6A 03 6A 09 ) [4-30] FF 15 [4] 85 C0 7? } - condition: - (uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and all of them -} -rule APT_HackTool_MSIL_TITOSPECIAL_1 -{ - meta: - date_created = "2020-11-25" - date_modified = "2020-11-25" - md5 = "4bf96a7040a683bd34c618431e571e26" - rev = 5 - author = "FireEye" - strings: - $ind_dump = { 1F 10 16 28 [2] 00 0A 6F [2] 00 0A [50-200] 18 19 18 73 [2] 00 0A 13 [1-4] 06 07 11 ?? 
6F [2] 00 0A 18 7E [2] 00 0A 7E [2] 00 0A 7E [2] 00 0A 28 [2] 00 06 } - $ind_s1 = "NtReadVirtualMemory" fullword wide - $ind_s2 = "WriteProcessMemory" fullword - $shellcode_x64 = { 4C 8B D1 B8 3C 00 00 00 0F 05 C3 } - $shellcode_x86 = { B8 3C 00 00 00 33 C9 8D 54 24 04 64 FF 15 C0 00 00 00 83 C4 04 C2 14 00 } - condition: - (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of ($ind*) and any of ($shellcode* ) -} -rule Dropper_LNK_LNKSmasher_1 -{ - meta: - description = "The LNKSmasher project contains a prebuilt LNK file that has pieces added based on various configuration items. Because of this, several artifacts are present in every single LNK file generated by LNKSmasher, including the Drive Serial #, the File Droid GUID, and the GUID CLSID." - md5 = "0a86d64c3b25aa45428e94b6e0be3e08" - rev = 6 - author = "FireEye" - strings: - $drive_serial = { 12 F7 26 BE } - $file_droid_guid = { BC 96 28 4F 0A 46 54 42 81 B8 9F 48 64 D7 E9 A5 } - $guid_clsid = { E0 4F D0 20 EA 3A 69 10 A2 D8 08 00 2B 30 30 9D } - $header = { 4C 00 00 00 01 14 02 } - condition: - $header at 0 and all of them -} -rule HackTool_MSIL_SharpSchtask_1 -{ - meta: - description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'SharpSchtask' project." 
- md5 = "dd8805d0e470e59b829d98397507d8c2" - rev = 1 - author = "FireEye" - strings: - $typelibguid0 = "0a64a5f4-bdb6-443c-bdc7-f6f0bf5b5d6c" ascii nocase wide - condition: - (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them -} -rule APT_Controller_Linux_REDFLARE_1 -{ - meta: - date_created = "2020-12-02" - date_modified = "2020-12-02" - md5 = "79259451ff47b864d71fb3f94b1774f3, 82773afa0860d668d7fe40e3f22b0f3e" - rev = 1 - author = "FireEye" - strings: - $1 = "/RedFlare/gorat_server" - $2 = "RedFlare/sandals" - $3 = "goratsvr.CommandResponse" fullword - $4 = "goratsvr.CommandRequest" fullword - condition: - (uint32(0) == 0x464c457f) and all of them -} -rule APT_HackTool_MSIL_WMISPY_2 -{ - meta: - description = "wql searches" - md5 = "3651f252d53d2f46040652788499d65a" - rev = 4 - author = "FireEye" - strings: - $MSIL = "_CorExeMain" - $str1 = "root\\cimv2" wide - $str2 = "root\\standardcimv2" wide - $str3 = "from MSFT_NetNeighbor" wide - $str4 = "from Win32_NetworkLoginProfile" wide - $str5 = "from Win32_IP4RouteTable" wide - $str6 = "from Win32_DCOMApplication" wide - $str7 = "from Win32_SystemDriver" wide - $str8 = "from Win32_Share" wide - $str9 = "from Win32_Process" wide - condition: - (uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and $MSIL and all of ($str*) -} -rule HackTool_MSIL_SharPersist_2 -{ - meta: - md5 = "98ecf58d48a3eae43899b45cec0fc6b7" - rev = 1 - author = "FireEye" - strings: - $a1 = "SharPersist.lib" - $a2 = "SharPersist.exe" - $b1 = "ERROR: Invalid hotkey location option given." ascii wide - $b2 = "ERROR: Invalid hotkey given." ascii wide - $b3 = "ERROR: Keepass configuration file not found." ascii wide - $b4 = "ERROR: Keepass configuration file was not found." ascii wide - $b5 = "ERROR: That value already exists in:" ascii wide - $b6 = "ERROR: Failed to delete hidden registry key." 
ascii wide - $pdb1 = "\\SharPersist\\" - $pdb2 = "\\SharPersist.pdb" - condition: - (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and ((@pdb2[1] < @pdb1[1] + 50) or (1 of ($a*) and 2 of ($b*))) -} -rule APT_Loader_Win_MATRYOSHKA_1 -{ - meta: - date_created = "2020-12-02" - date_modified = "2020-12-02" - description = "matryoshka_process_hollow.rs" - md5 = "44887551a47ae272d7873a354d24042d" - rev = 1 - author = "FireEye" - strings: - $s1 = "ZwQueryInformationProcess" fullword - $s2 = "WriteProcessMemory" fullword - $s3 = "CreateProcessW" fullword - $s4 = "WriteProcessMemory" fullword - $s5 = "\x00Invalid NT Signature!\x00" - $s6 = "\x00Error while creating and mapping section. NTStatus: " - $s7 = "\x00Error no process information - NTSTATUS:" - $s8 = "\x00Error while erasing pe header. NTStatus: " - condition: - (uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and (uint16(uint32(0x3C)+0x18) == 0x020B) and all of them -} -rule Builder_MSIL_SinfulOffice_1 -{ - meta: - description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'SinfulOffice' project." - md5 = "dd8805d0e470e59b829d98397507d8c2" - rev = 1 - author = "FireEye" - strings: - $typelibguid0 = "9940e18f-e3c7-450f-801a-07dd534ccb9a" ascii nocase wide - condition: - (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them -} -rule Loader_MSIL_SharPy_1 -{ - meta: - description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'SharPy' project." 
- md5 = "dd8805d0e470e59b829d98397507d8c2" - rev = 1 - author = "FireEye" - strings: - $typelibguid0 = "f6cf1d3b-3e43-4ecf-bb6d-6731610b4866" ascii nocase wide - condition: - (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them -} -rule APT_Loader_MSIL_WILDCHILD_1 -{ - meta: - date_created = "2020-12-01" - date_modified = "2020-12-01" - md5 = "6f04a93753ae3ae043203437832363c4" - rev = 1 - author = "FireEye" - strings: - $s1 = "\x00QueueUserAPC\x00" - $s2 = "\x00WriteProcessMemory\x00" - $sb1 = { 6F [2] 00 0A 28 [2] 00 0A 6F [2] 00 0A 13 ?? 28 [2] 00 0A 28 [2] 00 0A 13 ?? 11 ?? 11 ?? 28 [2] 00 0A [0-16] 7B [2] 00 04 1? 20 [4] 28 [2] 00 0A 11 ?? 28 [2] 00 0A 28 [2] 00 0A 7E [2] 00 0A 7E [2] 00 0A 28 [2] 00 06 [0-16] 14 7E [2] 00 0A 7E [2] 00 0A 1? 20 04 00 08 08 7E [2] 00 0A 14 12 ?? 12 ?? 28 [2] 00 06 [0-16] 7B [2] 00 04 7E [2] 00 0A [0-16] 8E ?? 7E [2] 00 04 7E [2] 00 04 28 [2] 00 06 [4-120] 28 [2] 00 06 [0-80] 6F [2] 00 0A 6F [2] 00 0A 28 [2] 00 06 13 ?? 11 ?? 11 ?? 7E [2] 00 0A 28 [2] 00 06 } - condition: - (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them -} -rule Loader_Win_Generic_18 -{ - meta: - date_created = "2020-11-25" - date_modified = "2020-11-25" - md5 = "c74ebb6c238bbfaefd5b32d2bf7c7fcc" - rev = 3 - author = "FireEye" - strings: - $s0 = { 89 [1-16] FF 15 [4-16] 89 [1-24] E8 [4-16] 89 C6 [4-24] 8D [1-8] 89 [1-4] 89 [1-4] E8 [4-16] 89 [1-8] E8 [4-24] 01 00 00 00 [1-8] 89 [1-8] E8 [4-64] 8A [1-8] 88 } - $s2 = { 83 EC [4-24] 00 10 00 00 [4-24] C7 44 24 ?? ?? 00 00 00 [0-8] FF 15 [4-24] 89 [1-4] 89 [1-4] 89 [1-8] FF 15 [4-16] 3? ?? 7? [4-24] 20 00 00 00 [4-24] FF 15 [4-32] F3 A5 } - $si1 = "fread" fullword - $si2 = "fwrite" fullword - condition: - (uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and all of them -} -rule HackTool_MSIL_HOLSTER_1 -{ - meta: - description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. 
This rule looks for .NET PE files that contain the ProjectGuid found in the a customized version of the 'DUEDLLIGENCE' project." - md5 = "a91bf61cc18705be2288a0f6f125068f" - rev = 2 - author = "FireEye" - strings: - $typelibguid1 = "a8bdbba4-7291-49d1-9a1b-372de45a9d88" ascii nocase wide - condition: - (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them -} -rule APT_Loader_MSIL_TRIMBISHOP_1 -{ - meta: - date_created = "2020-12-03" - date_modified = "2020-12-03" - md5 = "e91670423930cbbd3dbf5eac1f1a7cb6" - rev = 1 - author = "FireEye" - strings: - $sb1 = { 28 [2] 00 06 0A 06 7B [2] 00 04 [12-64] 06 7B [2] 00 04 6E 28 [2] 00 06 0B 07 7B [2] 00 04 [12-64] 0? 7B [2] 00 04 0? 7B [2] 00 04 0? 7B [2] 00 04 6E 28 [2] 00 06 0? 0? 7B [2] 00 04 [12-80] 0? 7B [2] 00 04 1? 0? 7B [2] 00 04 } - $sb2 = { 0F ?? 7C [2] 00 04 28 [2] 00 0A 8C [2] 00 01 [20-80] 28 [2] 00 06 0? 0? 7E [2] 00 0A 28 [2] 00 0A [12-80] 7E [2] 00 0A 13 ?? 0? 7B [2] 00 04 28 [2] 00 0A 0? 28 [2] 00 0A 58 28 [2] 00 0A 13 [1-32] 28 [2] 00 0A [0-32] D0 [2] 00 02 28 [2] 00 0A 28 [2] 00 0A 74 [2] 00 02 } - $ss1 = "\x00NtMapViewOfSection\x00" - $ss2 = "\x00NtOpenProcess\x00" - $ss3 = "\x00NtAlertResumeThread\x00" - $ss4 = "\x00LdrGetProcedureAddress\x00" - $tb1 = "\x00DTrim.Execution.DynamicInvoke\x00" - condition: - (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and (@sb1[1] < @sb2[1]) and (all of ($ss*)) and (all of ($tb*)) -} -rule APT_Loader_MSIL_TRIMBISHOP_2 -{ - meta: - date_created = "2020-12-03" - date_modified = "2020-12-03" - md5 = "c0598321d4ad4cf1219cc4f84bad4094" - rev = 1 - author = "FireEye" - strings: - $ss1 = "\x00NtMapViewOfSection\x00" - $ss2 = "\x00NtOpenProcess\x00" - $ss3 = "\x00NtAlertResumeThread\x00" - $ss4 = "\x00LdrGetProcedureAddress\x00" - $ss5 = "\x2f(\x00?\x00i\x00)\x00(\x00-\x00|\x00-\x00-\x00|\x00/\x00)\x00(\x00i\x00|\x00I\x00n\x00j\x00e\x00c\x00t\x00)\x00$\x00" - $ss6 = 
"\x2d(\x00?\x00i\x00)\x00(\x00-\x00|\x00-\x00-\x00|\x00/\x00)\x00(\x00c\x00|\x00C\x00l\x00e\x00a\x00n\x00)\x00$\x00" - $tb1 = "\x00DTrim.Execution.DynamicInvoke\x00" - condition: - (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them -} -rule APT_Backdoor_Win_DShell_3 -{ - meta: - description = "This rule looks for strings specific to the D programming language in combination with sections of an integer array which contains the encoded payload found within DShell" - md5 = "cf752e9cd2eccbda5b8e4c29ab5554b6" - rev = 3 - author = "FireEye" - strings: - $dlang1 = "C:\\D\\dmd2\\windows\\bin\\..\\..\\src\\phobos\\std\\utf.d" ascii wide - $dlang2 = "C:\\D\\dmd2\\windows\\bin\\..\\..\\src\\phobos\\std\\file.d" ascii wide - $dlang3 = "C:\\D\\dmd2\\windows\\bin\\..\\..\\src\\phobos\\std\\format.d" ascii wide - $dlang4 = "C:\\D\\dmd2\\windows\\bin\\..\\..\\src\\phobos\\std\\base64.d" ascii wide - $dlang5 = "C:\\D\\dmd2\\windows\\bin\\..\\..\\src\\phobos\\std\\stdio.d" ascii wide - $dlang6 = "\\..\\..\\src\\phobos\\std\\utf.d" ascii wide - $dlang7 = "\\..\\..\\src\\phobos\\std\\file.d" ascii wide - $dlang8 = "\\..\\..\\src\\phobos\\std\\format.d" ascii wide - $dlang9 = "\\..\\..\\src\\phobos\\std\\base64.d" ascii wide - $dlang10 = "\\..\\..\\src\\phobos\\std\\stdio.d" ascii wide - $dlang11 = "Unexpected '\\n' when converting from type const(char)[] to type int" ascii wide - $e0 = ",0," - $e1 = ",1," - $e2 = ",2," - $e3 = ",3," - $e4 = ",4," - $e5 = ",5," - $e6 = ",6," - $e7 = ",7," - $e8 = ",8," - $e9 = ",9," - $e10 = ",10," - $e11 = ",11," - $e12 = ",12," - $e13 = ",13," - $e14 = ",14," - $e15 = ",15," - $e16 = ",16," - $e17 = ",17," - $e18 = ",18," - $e19 = ",19," - $e20 = ",20," - $e21 = ",21," - $e22 = ",22," - $e23 = ",23," - $e24 = ",24," - $e25 = ",25," - $e26 = ",26," - $e27 = ",27," - $e28 = ",28," - $e29 = ",29," - $e30 = ",30," - $e31 = ",31," - $e32 = ",32," - $e33 = ",33," - $e34 = ",34," - $e35 = ",35," - $e36 = ",36," - $e37 = ",37," - 
$e38 = ",38," - $e39 = ",39," - $e40 = ",40," - $e41 = ",41," - $e42 = ",42," - $e43 = ",43," - $e44 = ",44," - $e45 = ",45," - $e46 = ",46," - $e47 = ",47," - $e48 = ",48," - $e49 = ",49," - $e50 = ",50," - $e51 = ",51," - $e52 = ",52," - $e53 = ",53," - $e54 = ",54," - $e55 = ",55," - $e56 = ",56," - $e57 = ",57," - $e58 = ",58," - $e59 = ",59," - $e60 = ",60," - $e61 = ",61," - $e62 = ",62," - $e63 = ",63," - $e64 = ",64," - condition: - (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and filesize > 500KB and filesize < 1500KB and 40 of ($e*) and 1 of ($dlang*) -} -rule APT_HackTool_MSIL_SHARPSTOMP_1 -{ - meta: - date_created = "2020-12-02" - date_modified = "2020-12-02" - md5 = "83ed748cd94576700268d35666bf3e01" - rev = 3 - author = "FireEye" - strings: - $s0 = "mscoree.dll" fullword nocase - $s1 = "timestompfile" fullword nocase - $s2 = "sharpstomp" fullword nocase - $s3 = "GetLastWriteTime" fullword - $s4 = "SetLastWriteTime" fullword - $s5 = "GetCreationTime" fullword - $s6 = "SetCreationTime" fullword - $s7 = "GetLastAccessTime" fullword - $s8 = "SetLastAccessTime" fullword - condition: - (uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and all of them -} -rule APT_HackTool_MSIL_SHARPPATCHCHECK_1 -{ - meta: - description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'sharppatchcheck' project." - md5 = "dd8805d0e470e59b829d98397507d8c2" - rev = 2 - author = "FireEye" - strings: - $typelibguid0 = "528b8df5-6e5e-4f3b-b617-ac35ed2f8975" ascii nocase wide - condition: - (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them -} -rule HackTool_MSIL_SAFETYKATZ_4 -{ - meta: - description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. 
This rule looks for .NET PE files that contain the ProjectGuid found in the public SafetyKatz project." - md5 = "45736deb14f3a68e88b038183c23e597" - rev = 3 - author = "FireEye" - strings: - $typelibguid1 = "8347E81B-89FC-42A9-B22C-F59A6A572DEC" ascii nocase wide - condition: - (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and $typelibguid1 -} -rule APT_Backdoor_MacOS_GORAT_1 -{ - meta: - description = "This rule is looking for specific strings associated with network activity found within the MacOS generated variant of GORAT" - md5 = "68acf11f5e456744262ff31beae58526" - rev = 3 - author = "FireEye" - strings: - $s1 = "SID1=%s" ascii wide - $s2 = "http/http.dylib" ascii wide - $s3 = "Mozilla/" ascii wide - $s4 = "User-Agent" ascii wide - $s5 = "Cookie" ascii wide - condition: - ((uint32(0) == 0xBEBAFECA) or (uint32(0) == 0xFEEDFACE) or (uint32(0) == 0xFEEDFACF) or (uint32(0) == 0xCEFAEDFE)) and all of them -} -rule CredTheft_MSIL_ADPassHunt_2 -{ - meta: - md5 = "6efb58cf54d1bb45c057efcfbbd68a93" - rev = 1 - author = "FireEye" - strings: - $pdb1 = "\\ADPassHunt\\" - $pdb2 = "\\ADPassHunt.pdb" - $s1 = "Usage: .\\ADPassHunt.exe" - $s2 = "[ADA] Searching for accounts with msSFU30Password attribute" - $s3 = "[ADA] Searching for accounts with userpassword attribute" - $s4 = "[GPP] Searching for passwords now" - condition: - (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and ((@pdb2[1] < @pdb1[1] + 50) or 2 of ($s*)) -} -rule APT_Loader_Win64_PGF_4 -{ - meta: - date_created = "2020-11-26" - date_modified = "2020-11-26" - md5 = "3bb34ebd93b8ab5799f4843e8cc829fa" - rev = 1 - author = "FireEye" - strings: - $sb1 = { 41 B9 04 00 00 00 41 B8 00 10 00 00 BA [4] B9 00 00 00 00 [0-32] FF [1-24] 7? [1-150] 8B 45 [0-32] 44 0F B? ?? 8B [2-16] B? CD CC CC CC [0-16] C1 ?? 04 [0-16] C1 ?? 02 [0-16] C1 ?? 02 [0-16] 48 8? 05 [4-32] 31 [1-4] 88 } - $sb2 = { C? 45 ?? 
48 [0-32] B8 [0-64] FF [0-32] E0 [0-32] 41 B8 40 00 00 00 BA 0C 00 00 00 48 8B [2] 48 8B [2-32] FF [1-16] 48 89 10 8B 55 ?? 89 ?? 08 48 8B [2] 48 8D ?? 02 48 8B 45 18 48 89 02 } - condition: - (uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and (uint16(uint32(0x3C)+0x18) == 0x020B) and all of them -} -rule APT_Loader_Win32_PGF_4 -{ - meta: - date_created = "2020-11-26" - date_modified = "2020-11-26" - md5 = "4414953fa397a41156f6fa4f9462d207" - rev = 1 - author = "FireEye" - strings: - $sb1 = { C7 44 24 0C 04 00 00 00 C7 44 24 08 00 10 00 00 [4-32] C7 04 24 00 00 00 00 [0-32] FF [1-16] 89 45 ?? 83 7D ?? 00 [2-150] 0F B? ?? 8B [2] B? CD CC CC CC 89 ?? F7 ?? C1 ?? 04 89 ?? C1 ?? 02 [0-32] 0F B? [5-32] 3? [1-16] 88 } - $sb2 = { C? 45 ?? B8 [0-4] C? 45 ?? 00 [0-64] FF [0-32] E0 [0-32] C7 44 24 08 40 00 00 00 [0-32] C7 44 24 04 07 00 00 00 [0-32] FF [1-64] 89 ?? 0F B? [2-3] 89 ?? 04 0F B? [2] 88 ?? 06 8B ?? 08 8D ?? 01 8B 45 0C } - condition: - (uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and (uint16(uint32(0x3C)+0x18) == 0x010B) and all of them -} -rule CredTheft_MSIL_ADPassHunt_1 -{ - meta: - description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public ADPassHunt project." - md5 = "6efb58cf54d1bb45c057efcfbbd68a93" - rev = 4 - author = "FireEye" - strings: - $typelibguid = "15745B9E-A059-4AF1-A0D8-863E349CD85D" ascii nocase wide - condition: - uint16(0) == 0x5A4D and $typelibguid -} -rule HackTool_MSIL_GETDOMAINPASSWORDPOLICY_1 -{ - meta: - description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the recon utility 'getdomainpasswordpolicy' project." 
- md5 = "dd8805d0e470e59b829d98397507d8c2" - rev = 4 - author = "FireEye" - strings: - $typelibguid0 = "a5da1897-29aa-45f4-a924-561804276f08" ascii nocase wide - condition: - filesize < 10MB and (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them -} -rule HackTool_MSIL_SharPivot_1 -{ - meta: - date_created = "2020-11-25" - date_modified = "2020-11-25" - md5 = "e4efa759d425e2f26fbc29943a30f5bd" - rev = 3 - author = "FireEye" - strings: - $s2 = { 73 ?? 00 00 0A 0A 06 1F ?? 1F ?? 6F ?? 00 00 0A 0B 73 ?? 00 00 0A 0C 16 13 04 2B 5E 23 [8] 06 6F ?? 00 00 0A 5A 23 [8] 58 28 ?? 00 00 0A 28 ?? 00 00 0A 28 ?? 00 00 0A } - $s3 = "cmd_rpc" wide - $s4 = "costura" - condition: - (uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and all of them -} -rule APT_Loader_Win32_PGF_3 -{ - meta: - description = "PGF payload, generated rule based on symfunc/c02594972dbab6d489b46c5dee059e66. Identifies dllmain_hook x86 payloads." - md5 = "4414953fa397a41156f6fa4f9462d207" - rev = 4 - author = "FireEye" - strings: - $cond1 = { 55 89 E5 57 56 53 81 EC FC 06 00 00 C7 85 2C F9 FF FF 90 EE 01 6D C7 85 30 F9 FF FF 6C FE 01 6D 8D 85 34 F9 FF FF 89 28 BA CC 19 00 6D 89 50 04 89 60 08 8D 85 14 F9 FF FF 89 04 24 E8 BB A6 00 00 A1 48 A1 05 6D C7 85 18 F9 FF FF FF FF FF FF FF D0 C7 44 24 08 04 01 00 00 8D 95 B6 FD FF FF 89 54 24 04 89 04 24 E8 B8 AE 00 00 83 EC 0C 85 C0 0F 94 C0 84 C0 0F 85 8B 03 00 00 8D 45 BF 89 C1 E8 56 0B 01 00 8D 85 9C FD FF FF 8D 55 BF 89 54 24 04 8D 95 B6 FD FF FF 89 14 24 C7 85 18 F9 FF FF 01 00 00 00 89 C1 E8 DF B5 01 00 83 EC 08 8D 45 BF 89 C1 E8 52 0B 01 00 A1 4C A1 05 6D C7 85 18 F9 FF FF 02 00 00 00 FF D0 89 44 24 04 C7 04 24 08 00 00 00 E8 51 AE 00 00 83 EC 08 89 45 D0 83 7D D0 00 75 0F C7 85 10 F9 FF FF 00 00 00 00 E9 8C 02 00 00 C7 45 E4 00 00 00 00 C7 45 E0 00 00 00 00 C7 85 74 F9 FF FF 28 04 00 00 8D 85 74 F9 FF FF 89 44 24 04 8B 45 D0 89 04 24 C7 85 18 F9 FF FF 02 00 00 00 E8 EF AD 00 00 83 EC 08 89 45 DC 83 7D DC 00 74 67 8D 85 
9C FD FF FF C7 44 24 04 00 00 00 00 8D 95 74 F9 FF FF 83 C2 20 89 14 24 89 C1 E8 82 FF 00 00 83 EC 08 83 F8 FF 0F 95 C0 84 C0 74 12 8B 85 88 F9 FF FF 89 45 E4 8B 85 8C F9 FF FF 89 45 E0 8D 85 74 F9 FF FF 89 44 24 04 8B 45 D0 89 04 24 C7 85 18 F9 FF FF 02 00 00 00 E8 84 AD 00 00 83 EC 08 89 45 DC EB 93 8B 45 D0 89 04 24 A1 2C A1 05 6D C7 85 18 F9 FF FF 02 00 00 00 FF D0 83 EC 04 83 7D E4 00 74 06 83 7D E0 00 75 0F C7 85 10 F9 FF FF 00 00 00 00 E9 AD 01 00 00 C7 04 24 0C 40 05 6D A1 5C A1 05 6D C7 85 18 F9 FF FF 02 00 00 00 FF D0 83 EC 04 C7 44 24 04 18 40 05 6D 89 04 24 A1 60 A1 05 6D FF D0 83 EC 08 89 45 CC 89 E8 89 45 D8 8D 85 6C F9 FF FF 89 44 24 04 8D 85 70 F9 FF FF 89 04 24 A1 54 A1 05 6D FF D0 83 EC 08 C7 45 D4 00 00 00 00 8B 55 D8 8B 85 6C F9 FF FF 39 C2 0F 83 F5 00 00 00 8B 45 D8 8B 00 3D FF 0F 00 00 0F 86 D8 00 00 00 8B 45 D8 8B 00 39 45 CC 73 19 8B 45 D8 8B 00 8B 55 CC 81 C2 00 10 00 00 39 D0 73 07 C7 45 D4 01 00 00 00 83 7D D4 00 0F 84 AF 00 00 00 8B 45 D8 8B 00 39 45 E4 0F 83 A1 00 00 00 8B 45 D8 8B 00 8B 4D E4 8B 55 E0 01 CA 39 D0 0F 83 8C 00 00 00 B9 00 00 00 00 B8 1C 00 00 00 83 E0 FC 89 C2 B8 00 00 00 00 89 8C 05 50 F9 FF FF 83 C0 04 39 D0 72 F2 8B 45 D8 8B 00 C7 44 24 08 1C 00 00 00 8D 95 50 F9 FF FF 89 54 24 04 89 04 24 A1 9C A1 05 6D C7 85 18 F9 FF FF 02 00 00 00 FF D0 83 EC 0C 8B 85 64 F9 FF FF 83 E0 20 85 C0 74 2E 8B 45 D8 8B 00 C7 44 24 04 30 14 00 6D 89 04 24 C7 85 18 F9 FF FF 02 00 00 00 E8 59 FC FF FF C7 85 10 F9 FF FF 00 00 00 00 EB 58 90 EB 01 90 83 45 D8 04 E9 FA FE FF FF 8B 45 E4 89 45 C8 8B 45 C8 8B 40 3C 89 C2 8B 45 E4 01 D0 89 45 C4 8B 45 C4 8B 50 28 8B 45 E4 01 D0 89 45 C0 C7 44 24 04 30 14 00 6D 8B 45 C0 89 04 24 C7 85 18 F9 FF FF 02 00 00 00 E8 FF FB FF FF C7 85 10 F9 FF FF 01 00 00 00 8D 85 9C FD FF FF 89 C1 E8 5D BC 01 00 83 BD 10 F9 FF FF 01 EB 70 8B 95 1C F9 FF FF 8B 85 18 F9 FF FF 85 C0 74 0C 83 E8 01 85 C0 74 2D 83 E8 01 0F 0B 89 95 10 F9 FF FF 8D 45 BF 89 C1 E8 48 08 01 00 8B 85 10 F9 FF FF 89 04 24 C7 85 18 F9 FF FF FF FF 
FF FF E8 A0 A6 00 00 89 95 10 F9 FF FF 8D 85 9C FD FF FF 89 C1 E8 FD BB 01 00 8B 85 10 F9 FF FF 89 04 24 C7 85 18 F9 FF FF FF FF FF FF E8 75 A6 00 00 90 8D 85 14 F9 FF FF 89 04 24 E8 76 A3 00 00 8D 65 F4 5B 5E 5F 5D C3 } - $cond2 = { 55 89 E5 57 56 53 81 EC FC 06 00 00 C7 85 2C F9 FF FF B0 EF 3D 6A C7 85 30 F9 FF FF 8C FF 3D 6A 8D 85 34 F9 FF FF 89 28 BA F4 1A 3C 6A 89 50 04 89 60 08 8D 85 14 F9 FF FF 89 04 24 E8 B3 A6 00 00 A1 64 A1 41 6A C7 85 18 F9 FF FF FF FF FF FF FF D0 C7 44 24 08 04 01 00 00 8D 95 B6 FD FF FF 89 54 24 04 89 04 24 E8 B0 AE 00 00 83 EC 0C 85 C0 0F 94 C0 84 C0 0F 85 8B 03 00 00 8D 45 BF 89 C1 E8 4E 0B 01 00 8D 85 9C FD FF FF 8D 55 BF 89 54 24 04 8D 95 B6 FD FF FF 89 14 24 C7 85 18 F9 FF FF 01 00 00 00 89 C1 E8 D7 B5 01 00 83 EC 08 8D 45 BF 89 C1 E8 4A 0B 01 00 A1 68 A1 41 6A C7 85 18 F9 FF FF 02 00 00 00 FF D0 89 44 24 04 C7 04 24 08 00 00 00 E8 49 AE 00 00 83 EC 08 89 45 D0 83 7D D0 00 75 0F C7 85 10 F9 FF FF 00 00 00 00 E9 8C 02 00 00 C7 45 E4 00 00 00 00 C7 45 E0 00 00 00 00 C7 85 74 F9 FF FF 28 04 00 00 8D 85 74 F9 FF FF 89 44 24 04 8B 45 D0 89 04 24 C7 85 18 F9 FF FF 02 00 00 00 E8 E7 AD 00 00 83 EC 08 89 45 DC 83 7D DC 00 74 67 8D 85 9C FD FF FF C7 44 24 04 00 00 00 00 8D 95 74 F9 FF FF 83 C2 20 89 14 24 89 C1 E8 7A FF 00 00 83 EC 08 83 F8 FF 0F 95 C0 84 C0 74 12 8B 85 88 F9 FF FF 89 45 E4 8B 85 8C F9 FF FF 89 45 E0 8D 85 74 F9 FF FF 89 44 24 04 8B 45 D0 89 04 24 C7 85 18 F9 FF FF 02 00 00 00 E8 7C AD 00 00 83 EC 08 89 45 DC EB 93 8B 45 D0 89 04 24 A1 44 A1 41 6A C7 85 18 F9 FF FF 02 00 00 00 FF D0 83 EC 04 83 7D E4 00 74 06 83 7D E0 00 75 0F C7 85 10 F9 FF FF 00 00 00 00 E9 AD 01 00 00 C7 04 24 62 40 41 6A A1 78 A1 41 6A C7 85 18 F9 FF FF 02 00 00 00 FF D0 83 EC 04 C7 44 24 04 6E 40 41 6A 89 04 24 A1 7C A1 41 6A FF D0 83 EC 08 89 45 CC 89 E8 89 45 D8 8D 85 6C F9 FF FF 89 44 24 04 8D 85 70 F9 FF FF 89 04 24 A1 70 A1 41 6A FF D0 83 EC 08 C7 45 D4 00 00 00 00 8B 55 D8 8B 85 6C F9 FF FF 39 C2 0F 83 F5 00 00 00 8B 45 D8 8B 00 3D FF 0F 00 00 
0F 86 D8 00 00 00 8B 45 D8 8B 00 39 45 CC 73 19 8B 45 D8 8B 00 8B 55 CC 81 C2 00 10 00 00 39 D0 73 07 C7 45 D4 01 00 00 00 83 7D D4 00 0F 84 AF 00 00 00 8B 45 D8 8B 00 39 45 E4 0F 83 A1 00 00 00 8B 45 D8 8B 00 8B 4D E4 8B 55 E0 01 CA 39 D0 0F 83 8C 00 00 00 B9 00 00 00 00 B8 1C 00 00 00 83 E0 FC 89 C2 B8 00 00 00 00 89 8C 05 50 F9 FF FF 83 C0 04 39 D0 72 F2 8B 45 D8 8B 00 C7 44 24 08 1C 00 00 00 8D 95 50 F9 FF FF 89 54 24 04 89 04 24 A1 C8 A1 41 6A C7 85 18 F9 FF FF 02 00 00 00 FF D0 83 EC 0C 8B 85 64 F9 FF FF 83 E0 20 85 C0 74 2E 8B 45 D8 8B 00 C7 44 24 04 30 14 3C 6A 89 04 24 C7 85 18 F9 FF FF 02 00 00 00 E8 59 FC FF FF C7 85 10 F9 FF FF 00 00 00 00 EB 58 90 EB 01 90 83 45 D8 04 E9 FA FE FF FF 8B 45 E4 89 45 C8 8B 45 C8 8B 40 3C 89 C2 8B 45 E4 01 D0 89 45 C4 8B 45 C4 8B 50 28 8B 45 E4 01 D0 89 45 C0 C7 44 24 04 30 14 3C 6A 8B 45 C0 89 04 24 C7 85 18 F9 FF FF 02 00 00 00 E8 FF FB FF FF C7 85 10 F9 FF FF 01 00 00 00 8D 85 9C FD FF FF 89 C1 E8 55 BC 01 00 83 BD 10 F9 FF FF 01 EB 70 8B 95 1C F9 FF FF 8B 85 18 F9 FF FF 85 C0 74 0C 83 E8 01 85 C0 74 2D 83 E8 01 0F 0B 89 95 10 F9 FF FF 8D 45 BF 89 C1 E8 40 08 01 00 8B 85 10 F9 FF FF 89 04 24 C7 85 18 F9 FF FF FF FF FF FF E8 98 A6 00 00 89 95 10 F9 FF FF 8D 85 9C FD FF FF 89 C1 E8 F5 BB 01 00 8B 85 10 F9 FF FF 89 04 24 C7 85 18 F9 FF FF FF FF FF FF E8 6D A6 00 00 90 8D 85 14 F9 FF FF 89 04 24 E8 6E A3 00 00 8D 65 F4 5B 5E 5F 5D C3 } - $cond3 = { 55 89 E5 57 56 53 81 EC FC 06 00 00 C7 85 2C F9 FF FF F0 EF D5 63 C7 85 30 F9 FF FF CC FF D5 63 8D 85 34 F9 FF FF 89 28 BA 28 1B D4 63 89 50 04 89 60 08 8D 85 14 F9 FF FF 89 04 24 E8 BF A6 00 00 A1 64 A1 D9 63 C7 85 18 F9 FF FF FF FF FF FF FF D0 C7 44 24 08 04 01 00 00 8D 95 B6 FD FF FF 89 54 24 04 89 04 24 E8 BC AE 00 00 83 EC 0C 85 C0 0F 94 C0 84 C0 0F 85 8B 03 00 00 8D 45 BF 89 C1 E8 5A 0B 01 00 8D 85 9C FD FF FF 8D 55 BF 89 54 24 04 8D 95 B6 FD FF FF 89 14 24 C7 85 18 F9 FF FF 01 00 00 00 89 C1 E8 E3 B5 01 00 83 EC 08 8D 45 BF 89 C1 E8 56 0B 01 00 A1 68 A1 D9 63 C7 85 18 F9 
FF FF 02 00 00 00 FF D0 89 44 24 04 C7 04 24 08 00 00 00 E8 55 AE 00 00 83 EC 08 89 45 D0 83 7D D0 00 75 0F C7 85 10 F9 FF FF 00 00 00 00 E9 8C 02 00 00 C7 45 E4 00 00 00 00 C7 45 E0 00 00 00 00 C7 85 74 F9 FF FF 28 04 00 00 8D 85 74 F9 FF FF 89 44 24 04 8B 45 D0 89 04 24 C7 85 18 F9 FF FF 02 00 00 00 E8 F3 AD 00 00 83 EC 08 89 45 DC 83 7D DC 00 74 67 8D 85 9C FD FF FF C7 44 24 04 00 00 00 00 8D 95 74 F9 FF FF 83 C2 20 89 14 24 89 C1 E8 86 FF 00 00 83 EC 08 83 F8 FF 0F 95 C0 84 C0 74 12 8B 85 88 F9 FF FF 89 45 E4 8B 85 8C F9 FF FF 89 45 E0 8D 85 74 F9 FF FF 89 44 24 04 8B 45 D0 89 04 24 C7 85 18 F9 FF FF 02 00 00 00 E8 88 AD 00 00 83 EC 08 89 45 DC EB 93 8B 45 D0 89 04 24 A1 44 A1 D9 63 C7 85 18 F9 FF FF 02 00 00 00 FF D0 83 EC 04 83 7D E4 00 74 06 83 7D E0 00 75 0F C7 85 10 F9 FF FF 00 00 00 00 E9 AD 01 00 00 C7 04 24 7E 40 D9 63 A1 7C A1 D9 63 C7 85 18 F9 FF FF 02 00 00 00 FF D0 83 EC 04 C7 44 24 04 8A 40 D9 63 89 04 24 A1 80 A1 D9 63 FF D0 83 EC 08 89 45 CC 89 E8 89 45 D8 8D 85 6C F9 FF FF 89 44 24 04 8D 85 70 F9 FF FF 89 04 24 A1 70 A1 D9 63 FF D0 83 EC 08 C7 45 D4 00 00 00 00 8B 55 D8 8B 85 6C F9 FF FF 39 C2 0F 83 F5 00 00 00 8B 45 D8 8B 00 3D FF 0F 00 00 0F 86 D8 00 00 00 8B 45 D8 8B 00 39 45 CC 73 19 8B 45 D8 8B 00 8B 55 CC 81 C2 00 10 00 00 39 D0 73 07 C7 45 D4 01 00 00 00 83 7D D4 00 0F 84 AF 00 00 00 8B 45 D8 8B 00 39 45 E4 0F 83 A1 00 00 00 8B 45 D8 8B 00 8B 4D E4 8B 55 E0 01 CA 39 D0 0F 83 8C 00 00 00 B9 00 00 00 00 B8 1C 00 00 00 83 E0 FC 89 C2 B8 00 00 00 00 89 8C 05 50 F9 FF FF 83 C0 04 39 D0 72 F2 8B 45 D8 8B 00 C7 44 24 08 1C 00 00 00 8D 95 50 F9 FF FF 89 54 24 04 89 04 24 A1 C8 A1 D9 63 C7 85 18 F9 FF FF 02 00 00 00 FF D0 83 EC 0C 8B 85 64 F9 FF FF 83 E0 20 85 C0 74 2E 8B 45 D8 8B 00 C7 44 24 04 30 14 D4 63 89 04 24 C7 85 18 F9 FF FF 02 00 00 00 E8 59 FC FF FF C7 85 10 F9 FF FF 00 00 00 00 EB 58 90 EB 01 90 83 45 D8 04 E9 FA FE FF FF 8B 45 E4 89 45 C8 8B 45 C8 8B 40 3C 89 C2 8B 45 E4 01 D0 89 45 C4 8B 45 C4 8B 50 28 8B 45 E4 01 D0 89 45 C0 C7 44 
24 04 30 14 D4 63 8B 45 C0 89 04 24 C7 85 18 F9 FF FF 02 00 00 00 E8 FF FB FF FF C7 85 10 F9 FF FF 01 00 00 00 8D 85 9C FD FF FF 89 C1 E8 61 BC 01 00 83 BD 10 F9 FF FF 01 EB 70 8B 95 1C F9 FF FF 8B 85 18 F9 FF FF 85 C0 74 0C 83 E8 01 85 C0 74 2D 83 E8 01 0F 0B 89 95 10 F9 FF FF 8D 45 BF 89 C1 E8 4C 08 01 00 8B 85 10 F9 FF FF 89 04 24 C7 85 18 F9 FF FF FF FF FF FF E8 A4 A6 00 00 89 95 10 F9 FF FF 8D 85 9C FD FF FF 89 C1 E8 01 BC 01 00 8B 85 10 F9 FF FF 89 04 24 C7 85 18 F9 FF FF FF FF FF FF E8 79 A6 00 00 90 8D 85 14 F9 FF FF 89 04 24 E8 7A A3 00 00 8D 65 F4 5B 5E 5F 5D C3 } - $cond4 = { 55 89 E5 57 56 53 81 EC FC 06 00 00 C7 85 ?? ?? ?? ?? 90 EE 01 6D C7 85 ?? ?? ?? ?? 6C FE 01 6D 8D 85 ?? ?? ?? ?? 89 28 BA CC 19 00 6D 89 50 ?? 89 60 ?? 8D 85 ?? ?? ?? ?? 89 04 24 E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? FF FF FF FF FF D0 C7 44 24 ?? 04 01 00 00 8D 95 ?? ?? ?? ?? 89 54 24 ?? 89 04 24 E8 ?? ?? ?? ?? 83 EC 0C 85 C0 0F 94 C0 84 C0 0F 85 ?? ?? ?? ?? 8D 45 ?? 89 C1 E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 8D 55 ?? 89 54 24 ?? 8D 95 ?? ?? ?? ?? 89 14 24 C7 85 ?? ?? ?? ?? 01 00 00 00 89 C1 E8 ?? ?? ?? ?? 83 EC 08 8D 45 ?? 89 C1 E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? 02 00 00 00 FF D0 89 44 24 ?? C7 04 24 08 00 00 00 E8 ?? ?? ?? ?? 83 EC 08 89 45 ?? 83 7D ?? 00 75 ?? C7 85 ?? ?? ?? ?? 00 00 00 00 E9 ?? ?? ?? ?? C7 45 ?? 00 00 00 00 C7 45 ?? 00 00 00 00 C7 85 ?? ?? ?? ?? 28 04 00 00 8D 85 ?? ?? ?? ?? 89 44 24 ?? 8B 45 ?? 89 04 24 C7 85 ?? ?? ?? ?? 02 00 00 00 E8 ?? ?? ?? ?? 83 EC 08 89 45 ?? 83 7D ?? 00 74 ?? 8D 85 ?? ?? ?? ?? C7 44 24 ?? 00 00 00 00 8D 95 ?? ?? ?? ?? 83 C2 20 89 14 24 89 C1 E8 ?? ?? ?? ?? 83 EC 08 83 F8 FF 0F 95 C0 84 C0 74 ?? 8B 85 ?? ?? ?? ?? 89 45 ?? 8B 85 ?? ?? ?? ?? 89 45 ?? 8D 85 ?? ?? ?? ?? 89 44 24 ?? 8B 45 ?? 89 04 24 C7 85 ?? ?? ?? ?? 02 00 00 00 E8 ?? ?? ?? ?? 83 EC 08 89 45 ?? EB ?? 8B 45 ?? 89 04 24 A1 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? 02 00 00 00 FF D0 83 EC 04 83 7D ?? 00 74 ?? 83 7D ?? 00 75 ?? C7 85 ?? ?? ?? ?? 00 00 00 00 E9 ?? ?? ?? 
?? C7 04 24 0C 40 05 6D A1 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? 02 00 00 00 FF D0 83 EC 04 C7 44 24 ?? 18 40 05 6D 89 04 24 A1 ?? ?? ?? ?? FF D0 83 EC 08 89 45 ?? 89 E8 89 45 ?? 8D 85 ?? ?? ?? ?? 89 44 24 ?? 8D 85 ?? ?? ?? ?? 89 04 24 A1 ?? ?? ?? ?? FF D0 83 EC 08 C7 45 ?? 00 00 00 00 8B 55 ?? 8B 85 ?? ?? ?? ?? 39 C2 0F 83 ?? ?? ?? ?? 8B 45 ?? 8B 00 3D FF 0F 00 00 0F 86 ?? ?? ?? ?? 8B 45 ?? 8B 00 39 45 ?? 73 ?? 8B 45 ?? 8B 00 8B 55 ?? 81 C2 00 10 00 00 39 D0 73 ?? C7 45 ?? 01 00 00 00 83 7D ?? 00 0F 84 ?? ?? ?? ?? 8B 45 ?? 8B 00 39 45 ?? 0F 83 ?? ?? ?? ?? 8B 45 ?? 8B 00 8B 4D ?? 8B 55 ?? 01 CA 39 D0 0F 83 ?? ?? ?? ?? B9 00 00 00 00 B8 1C 00 00 00 83 E0 FC 89 C2 B8 00 00 00 00 89 8C 05 ?? ?? ?? ?? 83 C0 04 39 D0 72 ?? 8B 45 ?? 8B 00 C7 44 24 ?? 1C 00 00 00 8D 95 ?? ?? ?? ?? 89 54 24 ?? 89 04 24 A1 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? 02 00 00 00 FF D0 83 EC 0C 8B 85 ?? ?? ?? ?? 83 E0 20 85 C0 74 ?? 8B 45 ?? 8B 00 C7 44 24 ?? 30 14 00 6D 89 04 24 C7 85 ?? ?? ?? ?? 02 00 00 00 E8 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? 00 00 00 00 EB ?? 90 EB ?? 90 83 45 ?? 04 E9 ?? ?? ?? ?? 8B 45 ?? 89 45 ?? 8B 45 ?? 8B 40 ?? 89 C2 8B 45 ?? 01 D0 89 45 ?? 8B 45 ?? 8B 50 ?? 8B 45 ?? 01 D0 89 45 ?? C7 44 24 ?? 30 14 00 6D 8B 45 ?? 89 04 24 C7 85 ?? ?? ?? ?? 02 00 00 00 E8 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? 01 00 00 00 8D 85 ?? ?? ?? ?? 89 C1 E8 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? 01 EB ?? 8B 95 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 85 C0 74 ?? 83 E8 01 85 C0 74 ?? 83 E8 01 0F 0B 89 95 ?? ?? ?? ?? 8D 45 ?? 89 C1 E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 89 04 24 C7 85 ?? ?? ?? ?? FF FF FF FF E8 ?? ?? ?? ?? 89 95 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 89 C1 E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 89 04 24 C7 85 ?? ?? ?? ?? FF FF FF FF E8 ?? ?? ?? ?? 90 8D 85 ?? ?? ?? ?? 89 04 24 E8 ?? ?? ?? ?? 8D 65 ?? 5B 5E 5F 5D C3 } - $cond5 = { 55 89 E5 57 56 53 81 EC FC 06 00 00 C7 85 ?? ?? ?? ?? B0 EF 3D 6A C7 85 ?? ?? ?? ?? 8C FF 3D 6A 8D 85 ?? ?? ?? ?? 89 28 BA F4 1A 3C 6A 89 50 ?? 89 60 ?? 8D 85 ?? ?? ?? ?? 89 04 24 E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? C7 85 ?? ?? ?? 
?? FF FF FF FF FF D0 C7 44 24 ?? 04 01 00 00 8D 95 ?? ?? ?? ?? 89 54 24 ?? 89 04 24 E8 ?? ?? ?? ?? 83 EC 0C 85 C0 0F 94 C0 84 C0 0F 85 ?? ?? ?? ?? 8D 45 ?? 89 C1 E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 8D 55 ?? 89 54 24 ?? 8D 95 ?? ?? ?? ?? 89 14 24 C7 85 ?? ?? ?? ?? 01 00 00 00 89 C1 E8 ?? ?? ?? ?? 83 EC 08 8D 45 ?? 89 C1 E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? 02 00 00 00 FF D0 89 44 24 ?? C7 04 24 08 00 00 00 E8 ?? ?? ?? ?? 83 EC 08 89 45 ?? 83 7D ?? 00 75 ?? C7 85 ?? ?? ?? ?? 00 00 00 00 E9 ?? ?? ?? ?? C7 45 ?? 00 00 00 00 C7 45 ?? 00 00 00 00 C7 85 ?? ?? ?? ?? 28 04 00 00 8D 85 ?? ?? ?? ?? 89 44 24 ?? 8B 45 ?? 89 04 24 C7 85 ?? ?? ?? ?? 02 00 00 00 E8 ?? ?? ?? ?? 83 EC 08 89 45 ?? 83 7D ?? 00 74 ?? 8D 85 ?? ?? ?? ?? C7 44 24 ?? 00 00 00 00 8D 95 ?? ?? ?? ?? 83 C2 20 89 14 24 89 C1 E8 ?? ?? ?? ?? 83 EC 08 83 F8 FF 0F 95 C0 84 C0 74 ?? 8B 85 ?? ?? ?? ?? 89 45 ?? 8B 85 ?? ?? ?? ?? 89 45 ?? 8D 85 ?? ?? ?? ?? 89 44 24 ?? 8B 45 ?? 89 04 24 C7 85 ?? ?? ?? ?? 02 00 00 00 E8 ?? ?? ?? ?? 83 EC 08 89 45 ?? EB ?? 8B 45 ?? 89 04 24 A1 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? 02 00 00 00 FF D0 83 EC 04 83 7D ?? 00 74 ?? 83 7D ?? 00 75 ?? C7 85 ?? ?? ?? ?? 00 00 00 00 E9 ?? ?? ?? ?? C7 04 24 62 40 41 6A A1 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? 02 00 00 00 FF D0 83 EC 04 C7 44 24 ?? 6E 40 41 6A 89 04 24 A1 ?? ?? ?? ?? FF D0 83 EC 08 89 45 ?? 89 E8 89 45 ?? 8D 85 ?? ?? ?? ?? 89 44 24 ?? 8D 85 ?? ?? ?? ?? 89 04 24 A1 ?? ?? ?? ?? FF D0 83 EC 08 C7 45 ?? 00 00 00 00 8B 55 ?? 8B 85 ?? ?? ?? ?? 39 C2 0F 83 ?? ?? ?? ?? 8B 45 ?? 8B 00 3D FF 0F 00 00 0F 86 ?? ?? ?? ?? 8B 45 ?? 8B 00 39 45 ?? 73 ?? 8B 45 ?? 8B 00 8B 55 ?? 81 C2 00 10 00 00 39 D0 73 ?? C7 45 ?? 01 00 00 00 83 7D ?? 00 0F 84 ?? ?? ?? ?? 8B 45 ?? 8B 00 39 45 ?? 0F 83 ?? ?? ?? ?? 8B 45 ?? 8B 00 8B 4D ?? 8B 55 ?? 01 CA 39 D0 0F 83 ?? ?? ?? ?? B9 00 00 00 00 B8 1C 00 00 00 83 E0 FC 89 C2 B8 00 00 00 00 89 8C 05 ?? ?? ?? ?? 83 C0 04 39 D0 72 ?? 8B 45 ?? 8B 00 C7 44 24 ?? 1C 00 00 00 8D 95 ?? ?? ?? ?? 89 54 24 ?? 89 04 24 A1 ?? ?? ?? ?? 
C7 85 ?? ?? ?? ?? 02 00 00 00 FF D0 83 EC 0C 8B 85 ?? ?? ?? ?? 83 E0 20 85 C0 74 ?? 8B 45 ?? 8B 00 C7 44 24 ?? 30 14 3C 6A 89 04 24 C7 85 ?? ?? ?? ?? 02 00 00 00 E8 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? 00 00 00 00 EB ?? 90 EB ?? 90 83 45 ?? 04 E9 ?? ?? ?? ?? 8B 45 ?? 89 45 ?? 8B 45 ?? 8B 40 ?? 89 C2 8B 45 ?? 01 D0 89 45 ?? 8B 45 ?? 8B 50 ?? 8B 45 ?? 01 D0 89 45 ?? C7 44 24 ?? 30 14 3C 6A 8B 45 ?? 89 04 24 C7 85 ?? ?? ?? ?? 02 00 00 00 E8 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? 01 00 00 00 8D 85 ?? ?? ?? ?? 89 C1 E8 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? 01 EB ?? 8B 95 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 85 C0 74 ?? 83 E8 01 85 C0 74 ?? 83 E8 01 0F 0B 89 95 ?? ?? ?? ?? 8D 45 ?? 89 C1 E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 89 04 24 C7 85 ?? ?? ?? ?? FF FF FF FF E8 ?? ?? ?? ?? 89 95 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 89 C1 E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 89 04 24 C7 85 ?? ?? ?? ?? FF FF FF FF E8 ?? ?? ?? ?? 90 8D 85 ?? ?? ?? ?? 89 04 24 E8 ?? ?? ?? ?? 8D 65 ?? 5B 5E 5F 5D C3 } - $cond6 = { 55 89 E5 57 56 53 81 EC FC 06 00 00 C7 85 ?? ?? ?? ?? F0 EF D5 63 C7 85 ?? ?? ?? ?? CC FF D5 63 8D 85 ?? ?? ?? ?? 89 28 BA 28 1B D4 63 89 50 ?? 89 60 ?? 8D 85 ?? ?? ?? ?? 89 04 24 E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? FF FF FF FF FF D0 C7 44 24 ?? 04 01 00 00 8D 95 ?? ?? ?? ?? 89 54 24 ?? 89 04 24 E8 ?? ?? ?? ?? 83 EC 0C 85 C0 0F 94 C0 84 C0 0F 85 ?? ?? ?? ?? 8D 45 ?? 89 C1 E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 8D 55 ?? 89 54 24 ?? 8D 95 ?? ?? ?? ?? 89 14 24 C7 85 ?? ?? ?? ?? 01 00 00 00 89 C1 E8 ?? ?? ?? ?? 83 EC 08 8D 45 ?? 89 C1 E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? 02 00 00 00 FF D0 89 44 24 ?? C7 04 24 08 00 00 00 E8 ?? ?? ?? ?? 83 EC 08 89 45 ?? 83 7D ?? 00 75 ?? C7 85 ?? ?? ?? ?? 00 00 00 00 E9 ?? ?? ?? ?? C7 45 ?? 00 00 00 00 C7 45 ?? 00 00 00 00 C7 85 ?? ?? ?? ?? 28 04 00 00 8D 85 ?? ?? ?? ?? 89 44 24 ?? 8B 45 ?? 89 04 24 C7 85 ?? ?? ?? ?? 02 00 00 00 E8 ?? ?? ?? ?? 83 EC 08 89 45 ?? 83 7D ?? 00 74 ?? 8D 85 ?? ?? ?? ?? C7 44 24 ?? 00 00 00 00 8D 95 ?? ?? ?? ?? 83 C2 20 89 14 24 89 C1 E8 ?? ?? ?? ?? 
83 EC 08 83 F8 FF 0F 95 C0 84 C0 74 ?? 8B 85 ?? ?? ?? ?? 89 45 ?? 8B 85 ?? ?? ?? ?? 89 45 ?? 8D 85 ?? ?? ?? ?? 89 44 24 ?? 8B 45 ?? 89 04 24 C7 85 ?? ?? ?? ?? 02 00 00 00 E8 ?? ?? ?? ?? 83 EC 08 89 45 ?? EB ?? 8B 45 ?? 89 04 24 A1 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? 02 00 00 00 FF D0 83 EC 04 83 7D ?? 00 74 ?? 83 7D ?? 00 75 ?? C7 85 ?? ?? ?? ?? 00 00 00 00 E9 ?? ?? ?? ?? C7 04 24 7E 40 D9 63 A1 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? 02 00 00 00 FF D0 83 EC 04 C7 44 24 ?? 8A 40 D9 63 89 04 24 A1 ?? ?? ?? ?? FF D0 83 EC 08 89 45 ?? 89 E8 89 45 ?? 8D 85 ?? ?? ?? ?? 89 44 24 ?? 8D 85 ?? ?? ?? ?? 89 04 24 A1 ?? ?? ?? ?? FF D0 83 EC 08 C7 45 ?? 00 00 00 00 8B 55 ?? 8B 85 ?? ?? ?? ?? 39 C2 0F 83 ?? ?? ?? ?? 8B 45 ?? 8B 00 3D FF 0F 00 00 0F 86 ?? ?? ?? ?? 8B 45 ?? 8B 00 39 45 ?? 73 ?? 8B 45 ?? 8B 00 8B 55 ?? 81 C2 00 10 00 00 39 D0 73 ?? C7 45 ?? 01 00 00 00 83 7D ?? 00 0F 84 ?? ?? ?? ?? 8B 45 ?? 8B 00 39 45 ?? 0F 83 ?? ?? ?? ?? 8B 45 ?? 8B 00 8B 4D ?? 8B 55 ?? 01 CA 39 D0 0F 83 ?? ?? ?? ?? B9 00 00 00 00 B8 1C 00 00 00 83 E0 FC 89 C2 B8 00 00 00 00 89 8C 05 ?? ?? ?? ?? 83 C0 04 39 D0 72 ?? 8B 45 ?? 8B 00 C7 44 24 ?? 1C 00 00 00 8D 95 ?? ?? ?? ?? 89 54 24 ?? 89 04 24 A1 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? 02 00 00 00 FF D0 83 EC 0C 8B 85 ?? ?? ?? ?? 83 E0 20 85 C0 74 ?? 8B 45 ?? 8B 00 C7 44 24 ?? 30 14 D4 63 89 04 24 C7 85 ?? ?? ?? ?? 02 00 00 00 E8 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? 00 00 00 00 EB ?? 90 EB ?? 90 83 45 ?? 04 E9 ?? ?? ?? ?? 8B 45 ?? 89 45 ?? 8B 45 ?? 8B 40 ?? 89 C2 8B 45 ?? 01 D0 89 45 ?? 8B 45 ?? 8B 50 ?? 8B 45 ?? 01 D0 89 45 ?? C7 44 24 ?? 30 14 D4 63 8B 45 ?? 89 04 24 C7 85 ?? ?? ?? ?? 02 00 00 00 E8 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? 01 00 00 00 8D 85 ?? ?? ?? ?? 89 C1 E8 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? 01 EB ?? 8B 95 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 85 C0 74 ?? 83 E8 01 85 C0 74 ?? 83 E8 01 0F 0B 89 95 ?? ?? ?? ?? 8D 45 ?? 89 C1 E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 89 04 24 C7 85 ?? ?? ?? ?? FF FF FF FF E8 ?? ?? ?? ?? 89 95 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 89 C1 E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? 
?? 89 04 24 C7 85 ?? ?? ?? ?? FF FF FF FF E8 ?? ?? ?? ?? 90 8D 85 ?? ?? ?? ?? 89 04 24 E8 ?? ?? ?? ?? 8D 65 ?? 5B 5E 5F 5D C3 } - condition: - (uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and (uint16(uint32(0x3C)+0x18) == 0x010B) and any of them -} -rule APT_Loader_Win32_REDFLARE_2 -{ - meta: - date_created = "2020-11-27" - date_modified = "2020-11-27" - md5 = "4e7e90c7147ee8aa01275894734f4492" - rev = 1 - author = "FireEye" - strings: - $inject = { 83 F8 01 [4-50] 6A 00 6A 00 68 04 00 00 08 6A 00 6A 00 6A 00 6A 00 5? [10-70] FF 15 [4] 85 C0 [1-20] 6A 04 68 00 10 00 00 5? 6A 00 5? [1-10] FF 15 [4-8] 85 C0 [1-20] 5? 5? 5? 8B [1-4] 5? 5? FF 15 [4] 85 C0 [1-20] 6A 20 [4-20] FF 15 [4] 85 C0 [1-40] 01 00 01 00 [2-20] FF 15 [4] 85 C0 [1-30] FF 15 [4] 85 C0 [1-20] FF 15 [4] 83 F8 FF } - $s1 = "ResumeThread" - condition: - (uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and (uint16(uint32(0x3C)+0x18) == 0x010B) and all of them -} -rule APT_HackTool_MSIL_SHARPSTOMP_2 -{ - meta: - date_created = "2020-12-02" - date_modified = "2020-12-02" - md5 = "83ed748cd94576700268d35666bf3e01" - rev = 3 - author = "FireEye" - strings: - $f0 = "mscoree.dll" fullword nocase - $s0 = { 06 72 [4] 6F [4] 2C ?? 06 72 [4] 6F [4] 2D ?? 72 [4] 28 [4] 28 [4] 2A } - $s1 = { 02 28 [4] 0A 02 28 [4] 0B 02 28 [4] 0C 72 [4] 28 [4] 72 } - $s2 = { 28 [4] 02 28 [4] 0D 12 ?? 03 6C 28 [4] 28 [4] 02 28 [4] 0D 12 ?? 03 6C 28 [4] 28 [4] 02 28 [4] 0D 12 ?? 03 6C 28 [4] 28 [4] 72 } - $s3 = "SetCreationTime" fullword - $s4 = "GetLastAccessTime" fullword - $s5 = "SetLastAccessTime" fullword - condition: - (uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and all of them -} -rule Loader_MSIL_NetshShellCodeRunner_1 -{ - meta: - description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'NetshShellCodeRunner' project." 
- md5 = "dd8805d0e470e59b829d98397507d8c2" - rev = 2 - author = "FireEye" - strings: - $typelibguid0 = "49c045bc-59bb-4a00-85c3-4beb59b2ee12" ascii nocase wide - condition: - (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them -} -rule HackTool_MSIL_SharPivot_4 -{ - meta: - description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the SharPivot project." - md5 = "e4efa759d425e2f26fbc29943a30f5bd" - rev = 3 - author = "FireEye" - strings: - $typelibguid1 = "44B83A69-349F-4A3E-8328-A45132A70D62" ascii nocase wide - condition: - (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and $typelibguid1 -} -rule APT_Backdoor_Win_GoRat_Memory -{ - meta: - description = "Identifies GoRat malware in memory based on strings." - md5 = "3b926b5762e13ceec7ac3a61e85c93bb" - rev = 1 - author = "FireEye" - strings: - $murica = "murica" fullword - $rat1 = "rat/modules/socks.(*HTTPProxyClient).beacon" fullword - $rat2 = "rat.(*Core).generateBeacon" fullword - $rat3 = "rat.gJitter" fullword - $rat4 = "rat/comms.(*protectedChannel).SendCmdResponse" fullword - $rat5 = "rat/modules/filemgmt.(*acquire).NewCommandExecution" fullword - $rat6 = "rat/modules/latlisten.(*latlistensrv).handleCmd" fullword - $rat7 = "rat/modules/netsweeper.(*netsweeperRunner).runSweep" fullword - $rat8 = "rat/modules/netsweeper.(*Pinger).listen" fullword - $rat9 = "rat/modules/socks.(*HTTPProxyClient).beacon" fullword - $rat10 = "rat/platforms/win/dyloader.(*memoryLoader).ExecutePluginFunction" fullword - $rat11 = "rat/platforms/win/modules/namedpipe.(*dummy).Open" fullword - $winblows = "rat/platforms/win.(*winblows).GetStage" fullword - condition: - $winblows or #murica > 10 or 3 of ($rat*) -} -rule Loader_MSIL_AllTheThings_1 -{ - meta: - description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found 
in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'AllTheThings' project." - md5 = "dd8805d0e470e59b829d98397507d8c2" - rev = 2 - author = "FireEye" - strings: - $typelibguid0 = "542ccc64-c4c3-4c03-abcd-199a11b26754" ascii nocase wide - condition: - (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them -} -rule APT_Loader_Win64_PGF_1 -{ - meta: - date_created = "2020-11-25" - date_modified = "2020-11-25" - description = "base dlls: /lib/payload/techniques/unmanaged_exports/" - md5 = "2b686a8b83f8e1d8b455976ae70dab6e" - rev = 1 - author = "FireEye" - strings: - $sb1 = { B9 14 00 00 00 FF 15 [4-32] 0F B6 ?? 04 [0-32] F3 A4 [0-64] 0F B6 [2-3] 0F B6 [2-3] 33 [0-32] 88 [1-9] EB } - $sb2 = { 41 B8 00 30 00 00 [0-32] FF 15 [8-64] 83 ?? 01 [4-80] 0F B6 [1-64] 33 [1-32] 88 [1-64] FF ( D? | 5? ) } - $sb3 = { 48 89 4C 24 08 [4-64] 48 63 48 3C [0-32] 48 03 C1 [0-64] 0F B7 48 14 [0-64] 48 8D 44 08 18 [8-64] 0F B7 40 06 [2-32] 48 6B C0 28 } - condition: - (uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and (uint16(uint32(0x3C)+0x18) == 0x020B) and all of them -} -rule APT_Trojan_Win_REDFLARE_5 -{ - meta: - date_created = "2020-12-01" - date_modified = "2020-12-01" - md5 = "dfbb1b988c239ade4c23856e42d4127b, 3322fba40c4de7e3de0fda1123b0bf5d" - rev = 3 - author = "FireEye" - strings: - $s1 = "AdjustTokenPrivileges" fullword - $s2 = "LookupPrivilegeValueW" fullword - $s3 = "ImpersonateLoggedOnUser" fullword - $s4 = "runCommand" fullword - $steal_token = { FF 15 [4] 85 C0 [1-40] C7 44 24 ?? 01 00 00 00 [0-20] C7 44 24 ?? 
02 00 00 00 [0-20] FF 15 [4] FF [1-5] 85 C0 [4-40] 00 04 00 00 FF 15 [4-5] 85 C0 [2-20] ( BA 0F 00 00 00 | 6A 0F ) [1-4] FF 15 [4] 85 C0 74 [1-20] FF 15 [4] 85 C0 74 [1-20] ( 6A 0B | B9 0B 00 00 00 ) E8 } - condition: - (uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and all of them -} -rule CredTheft_MSIL_TitoSpecial_1 -{ - meta: - description = "This rule looks for .NET PE files that have the strings of various method names in the TitoSpecial code." - md5 = "4bf96a7040a683bd34c618431e571e26" - rev = 4 - author = "FireEye" - strings: - $str1 = "Minidump" ascii wide - $str2 = "dumpType" ascii wide - $str3 = "WriteProcessMemory" ascii wide - $str4 = "bInheritHandle" ascii wide - $str5 = "GetProcessById" ascii wide - $str6 = "SafeHandle" ascii wide - $str7 = "BeginInvoke" ascii wide - $str8 = "EndInvoke" ascii wide - $str9 = "ConsoleApplication1" ascii wide - $str10 = "getOSInfo" ascii wide - $str11 = "OpenProcess" ascii wide - $str12 = "LoadLibrary" ascii wide - $str13 = "GetProcAddress" ascii wide - condition: - (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of ($str*) -} -rule Builder_MSIL_G2JS_1 -{ - meta: - description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the Gadget2JScript project." - md5 = "fa255fdc88ab656ad9bc383f9b322a76" - rev = 2 - author = "FireEye" - strings: - $typelibguid1 = "AF9C62A1-F8D2-4BE0-B019-0A7873E81EA9" ascii nocase wide - condition: - (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and $typelibguid1 -} -rule APT_Loader_Win32_DShell_2 -{ - meta: - date_created = "2020-11-27" - date_modified = "2020-11-27" - md5 = "590d98bb74879b52b97d8a158af912af" - rev = 2 - author = "FireEye" - strings: - $sb1 = { 6A 40 68 00 30 00 00 [4-32] E8 [4-8] 50 [0-16] E8 [4-150] 6A FF [1-32] 6A 00 6A 00 5? 
6A 00 6A 00 [0-32] E8 [4] 50 } - $ss1 = "\x00CreateThread\x00" - $ss2 = "base64.d" fullword - $ss3 = "core.sys.windows" fullword - $ss4 = "C:\\Users\\config.ini" fullword - $ss5 = "Invalid config file" fullword - condition: - (uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and (uint16(uint32(0x3C)+0x18) == 0x010B) and all of them -} -rule HackTool_MSIL_SharPivot_3 -{ - meta: - description = "This rule looks for .NET PE files that have the strings of various method names in the SharPivot code." - md5 = "e4efa759d425e2f26fbc29943a30f5bd" - rev = 3 - author = "FireEye" - strings: - $msil = "_CorExeMain" ascii wide - $str1 = "SharPivot" ascii wide - $str2 = "ParseArgs" ascii wide - $str3 = "GenRandomString" ascii wide - $str4 = "ScheduledTaskExists" ascii wide - $str5 = "ServiceExists" ascii wide - $str6 = "lpPassword" ascii wide - $str7 = "execute" ascii wide - $str8 = "WinRM" ascii wide - $str9 = "SchtaskMod" ascii wide - $str10 = "PoisonHandler" ascii wide - $str11 = "SCShell" ascii wide - $str12 = "SchtaskMod" ascii wide - $str13 = "ServiceHijack" ascii wide - $str14 = "commandArg" ascii wide - $str15 = "payloadPath" ascii wide - $str16 = "Schtask" ascii wide - condition: - (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and $msil and all of ($str*) -} -rule APT_HackTool_MSIL_FLUFFY_2 -{ - meta: - date_created = "2020-12-04" - date_modified = "2020-12-04" - md5 = "11b5aceb428c3e8c61ed24a8ca50553e" - rev = 1 - author = "FireEye" - strings: - $s1 = "\x00Asktgt\x00" - $s2 = "\x00Kerberoast\x00" - $s3 = "\x00HarvestCommand\x00" - $s4 = "\x00EnumerateTickets\x00" - $s5 = "[*] Action: " wide - $s6 = "\x00Fluffy.Commands\x00" - condition: - (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them -} -rule APT_HackTool_MSIL_FLUFFY_1 -{ - meta: - date_created = "2020-12-04" - date_modified = "2020-12-04" - md5 = "11b5aceb428c3e8c61ed24a8ca50553e" - rev = 1 - author = "FireEye" - strings: - $sb1 = { 0E ?? 1? 
72 [4] 28 [2] 00 06 [0-16] 28 [2] 00 0A [2-80] 1F 58 0? [0-32] 28 [2] 00 06 [2-32] 1? 28 [2] 00 06 0? 0? 6F [2] 00 06 [2-4] 1F 0B } - $sb2 = { 73 [2] 00 06 13 ?? 11 ?? 11 ?? 7D [2] 00 04 11 ?? 73 [2] 00 0A 7D [2] 00 04 0E ?? 2D ?? 11 ?? 7B [2] 00 04 72 [4] 28 [2] 00 0A [2-32] 0? 28 [2] 00 0A [2-16] 11 ?? 7B [2] 00 04 0? 28 [2] 00 0A 1? 28 [2] 00 0A [2-32] 7E [2] 00 0A [0-32] FE 15 [2] 00 02 [0-16] 7D [2] 00 04 28 [2] 00 06 [2-32] 7B [2] 00 04 7D [2] 00 04 [2-32] 7C [2] 00 04 FE 15 [2] 00 02 [0-16] 11 ?? 8C [2] 00 02 28 [2] 00 0A 28 [2] 00 0A [2-80] 8C [2] 00 02 28 [2] 00 0A 12 ?? 12 ?? 12 ?? 28 [2] 00 06 } - $ss1 = "\x00Fluffy\x00" - condition: - (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them -} -rule HackTool_MSIL_SEATBELT_1 -{ - meta: - description = "This rule looks for .NET PE files that have regex and format strings found in the public tool SeatBelt. Due to the nature of the regex and format strings used for detection, this rule should detect custom variants of the SeatBelt project." - md5 = "848837b83865f3854801be1f25cb9f4d" - rev = 3 - author = "FireEye" - strings: - $msil = "_CorExeMain" ascii wide - $str1 = "{ Process = {0}, Path = {1}, CommandLine = {2} }" ascii nocase wide - $str2 = "Domain=\"(.*)\",Name=\"(.*)\"" ascii nocase wide - $str3 = "LogonId=\"(\\d+)\"" ascii nocase wide - $str4 = "{0}.{1}.{2}.{3}" ascii nocase wide - $str5 = "^\\W*([a-z]:\\\\.+?(\\.exe|\\.dll|\\.sys))\\W*" ascii nocase wide - $str6 = "*[System/EventID={0}]" ascii nocase wide - $str7 = "*[System[TimeCreated[@SystemTime >= '{" ascii nocase wide - $str8 = "(http|ftp|https|file)://([\\w_-]+(?:(?:\\.[\\w_-]+)+))([\\w.,@?^=%&:/~+#-]*[\\w@?^=%&/~+#-])?" 
ascii nocase wide - $str9 = "{0}" ascii nocase wide - $str10 = "{0,-23}" ascii nocase wide - condition: - (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and $msil and all of ($str*) -} -rule HackTool_MSIL_INVEIGHZERO_1 -{ - meta: - description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'inveighzero' project." - md5 = "dd8805d0e470e59b829d98397507d8c2" - rev = 2 - author = "FireEye" - strings: - $typelibguid0 = "113ae281-d1e5-42e7-9cc2-12d30757baf1" ascii nocase wide - condition: - (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them -} -rule Loader_MSIL_RURALBISHOP_1 -{ - meta: - date_created = "2020-12-03" - date_modified = "2020-12-03" - md5 = "e91670423930cbbd3dbf5eac1f1a7cb6" - rev = 1 - author = "FireEye" - strings: - $sb1 = { 28 [2] 00 06 0A 06 7B [2] 00 04 [12-64] 06 7B [2] 00 04 6E 28 [2] 00 06 0B 07 7B [2] 00 04 [12-64] 0? 7B [2] 00 04 0? 7B [2] 00 04 0? 7B [2] 00 04 6E 28 [2] 00 06 0? 0? 7B [2] 00 04 [12-80] 0? 7B [2] 00 04 1? 0? 7B [2] 00 04 } - $sb2 = { 0F ?? 7C [2] 00 04 28 [2] 00 0A 8C [2] 00 01 [20-80] 28 [2] 00 06 0? 0? 7E [2] 00 0A 28 [2] 00 0A [12-80] 7E [2] 00 0A 13 ?? 0? 7B [2] 00 04 28 [2] 00 0A 0? 
28 [2] 00 0A 58 28 [2] 00 0A 13 [1-32] 28 [2] 00 0A [0-32] D0 [2] 00 02 28 [2] 00 0A 28 [2] 00 0A 74 [2] 00 02 } - $ss1 = "\x00NtMapViewOfSection\x00" - $ss2 = "\x00NtOpenProcess\x00" - $ss3 = "\x00NtAlertResumeThread\x00" - $ss4 = "\x00LdrGetProcedureAddress\x00" - $tb1 = "\x00SharpSploit.Execution.DynamicInvoke\x00" - condition: - (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and (@sb1[1] < @sb2[1]) and (all of ($ss*)) and (all of ($tb*)) -} -rule Loader_MSIL_RURALBISHOP_2 -{ - meta: - date_created = "2020-12-03" - date_modified = "2020-12-03" - md5 = "e91670423930cbbd3dbf5eac1f1a7cb6" - rev = 1 - author = "FireEye" - strings: - $ss1 = "\x00NtMapViewOfSection\x00" - $ss2 = "\x00NtOpenProcess\x00" - $ss3 = "\x00NtAlertResumeThread\x00" - $ss4 = "\x00LdrGetProcedureAddress\x00" - $ss5 = "\x2f(\x00?\x00i\x00)\x00(\x00-\x00|\x00-\x00-\x00|\x00/\x00)\x00(\x00i\x00|\x00I\x00n\x00j\x00e\x00c\x00t\x00)\x00$\x00" - $ss6 = "\x2d(\x00?\x00i\x00)\x00(\x00-\x00|\x00-\x00-\x00|\x00/\x00)\x00(\x00c\x00|\x00C\x00l\x00e\x00a\x00n\x00)\x00$\x00" - $tb1 = "\x00SharpSploit.Execution.DynamicInvoke\x00" - condition: - (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them -} -rule HackTool_MSIL_PrepShellcode_1 -{ - meta: - description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'PrepShellcode' project." 
- md5 = "dd8805d0e470e59b829d98397507d8c2" - rev = 2 - author = "FireEye" - strings: - $typelibguid0 = "d16ed275-70d5-4ae5-8ce7-d249f967616c" ascii nocase wide - condition: - (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them -} -rule APT_Downloader_Win32_REDFLARE_1 -{ - meta: - date_created = "2020-11-27" - date_modified = "2020-11-27" - md5 = "05b99d438dac63a5a993cea37c036673" - rev = 1 - author = "FireEye" - strings: - $const = "Cookie: SID1=%s" fullword - $http_req = { 00 00 08 80 81 3D [4] BB 01 00 00 75 [1-10] 00 00 80 00 [1-4] 00 10 00 00 [1-4] 00 20 00 00 89 [1-10] 6A 00 8B [1-8] 5? 6A 00 6A 00 6A 00 8B [1-8] 5? 68 [4] 8B [1-8] 5? FF 15 [4-40] 6A 14 E8 } - condition: - (uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and (uint16(uint32(0x3C)+0x18) == 0x010B) and all of them -} -rule Loader_MSIL_WMIRunner_1 -{ - meta: - description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'WMIRunner' project." - md5 = "dd8805d0e470e59b829d98397507d8c2" - rev = 1 - author = "FireEye" - strings: - $typelibguid0 = "6cc61995-9fd5-4649-b3cc-6f001d60ceda" ascii nocase wide - condition: - (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them -} -rule HackTool_MSIL_SharpStomp_1 -{ - meta: - description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the SharpStomp project." 
- md5 = "83ed748cd94576700268d35666bf3e01" - rev = 4 - author = "FireEye" - strings: - $typelibguid1 = "41f35e79-2034-496a-8c82-86443164ada2" ascii nocase wide - condition: - (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and $typelibguid1 -} -rule Tool_MSIL_SharpGrep_1 -{ - meta: - description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'SharpGrep' project." - md5 = "dd8805d0e470e59b829d98397507d8c2" - rev = 1 - author = "FireEye" - strings: - $typelibguid0 = "f65d75b5-a2a6-488f-b745-e67fc075f445" ascii nocase wide - condition: - (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them -} -rule Dropper_HTA_WildChild_1 -{ - meta: - description = "This rule looks for strings present in unobfuscated HTAs generated by the WildChild builder." - md5 = "3e61ca5057633459e96897f79970a46d" - rev = 5 - author = "FireEye" - strings: - $s1 = "processpath" ascii wide - $s2 = "v4.0.30319" ascii wide - $s3 = "v2.0.50727" ascii wide - $s4 = "COMPLUS_Version" ascii wide - $s5 = "FromBase64Transform" ascii wide - $s6 = "MemoryStream" ascii wide - $s7 = "entry_class" ascii wide - $s8 = "DynamicInvoke" ascii wide - $s9 = "Sendoff" ascii wide - $script_header = "" - condition: - all of them -} -rule FSO_s_EFSO_2_2 { - meta: - description = "Webshells Auto-generated - file EFSO_2.asp" - author = "Yara Bulk Rule Generator by Florian Roth" - hash = "a341270f9ebd01320a7490c12cb2e64c" - strings: - $s0 = ";!+/DRknD7+.\\mDrC(V+kcJznndm\\f|nzKuJb'r@!&0KUY@*Jb@#@&Xl\"dKVcJ\\CslU,),@!0KxD~mKV" - $s4 = "\\co!VV2CDtSJ'E*#@#@&mKx/DP14lM/nY{JC81N+6LtbL3^hUWa;M/OE-AXX\"b~/fAs!u&9|J\\grKp\"j" - condition: - all of them -} -rule byshell063_ntboot_2 { - meta: - description = "Webshells Auto-generated - file ntboot.dll" - author = "Yara Bulk Rule Generator by Florian Roth" - hash = "cb9eb5a6ff327f4d6c46aacbbe9dda9d" - 
strings: - $s6 = "OK,job was done,cuz we have localsystem & SE_DEBUG_NAME:)" - condition: - all of them -} -rule u_uay { - meta: - description = "Webshells Auto-generated - file uay.exe" - author = "Yara Bulk Rule Generator by Florian Roth" - hash = "abbc7b31a24475e4c5d82fc4c2b8c7c4" - strings: - $s1 = "exec \"c:\\WINDOWS\\System32\\freecell.exe" - $s9 = "SYSTEM\\CurrentControlSet\\Services\\uay.sys\\Security" - condition: - 1 of them -} -rule bin_wuaus { - meta: - description = "Webshells Auto-generated - file wuaus.dll" - author = "Yara Bulk Rule Generator by Florian Roth" - hash = "46a365992bec7377b48a2263c49e4e7d" - strings: - $s1 = "9(90989@9V9^9f9n9v9" - $s2 = ":(:,:0:4:8:C:H:N:T:Y:_:e:o:y:" - $s3 = ";(=@=G=O=T=X=\\=" - $s4 = "TCP Send Error!!" - $s5 = "1\"1;1X1^1e1m1w1~1" - $s8 = "=$=)=/=<=Y=_=j=p=z=" - condition: - all of them -} -rule pwreveal { - meta: - description = "Webshells Auto-generated - file pwreveal.exe" - author = "Yara Bulk Rule Generator by Florian Roth" - hash = "b4e8447826a45b76ca45ba151a97ad50" - strings: - $s0 = "*NetBios Name: \\\\\" & Snet.ComputerName &" - condition: - all of them -} -rule cmdShell { - meta: - description = "Webshells Auto-generated - file cmdShell.asp" - author = "Yara Bulk Rule Generator by Florian Roth" - hash = "8a9fef43209b5d2d4b81dfbb45182036" - strings: - $s1 = "if cmdPath=\"wscriptShell\" then" - condition: - all of them -} -rule ZXshell2_0_rar_Folder_nc { - meta: - description = "Webshells Auto-generated - file nc.exe" - author = "Yara Bulk Rule Generator by Florian Roth" - hash = "2cd1bf15ae84c5f6917ddb128827ae8b" - strings: - $s0 = "WSOCK32.dll" - $s1 = "?bSUNKNOWNV" - $s7 = "p@gram Jm6h)" - $s8 = "ser32.dllCONFP@" - condition: - all of them -} -rule portlessinst { - meta: - description = "Webshells Auto-generated - file portlessinst.exe" - author = "Yara Bulk Rule Generator by Florian Roth" - hash = "74213856fc61475443a91cd84e2a6c2f" - strings: - $s2 = "Fail To Open Registry" - $s3 = "f<-WLEggDr\"" - $s6 = 
"oMemoryCreateP" - condition: - all of them -} -rule SetupBDoor { - meta: - description = "Webshells Auto-generated - file SetupBDoor.exe" - author = "Yara Bulk Rule Generator by Florian Roth" - hash = "41f89e20398368e742eda4a3b45716b6" - strings: - $s1 = "\\BDoor\\SetupBDoor" - condition: - all of them -} -rule phpshell_3 { - meta: - description = "Webshells Auto-generated - file phpshell.php" - author = "Yara Bulk Rule Generator by Florian Roth" - hash = "e8693a2d4a2ffea4df03bb678df3dc6d" - strings: - $s3 = "

" - $s5 = " echo \"\\n\";" - condition: - all of them -} -rule BIN_Server { - meta: - description = "Webshells Auto-generated - file Server.exe" - author = "Yara Bulk Rule Generator by Florian Roth" - hash = "1d5aa9cbf1429bb5b8bf600335916dcd" - strings: - $s0 = "configserver" - $s1 = "GetLogicalDrives" - $s2 = "WinExec" - $s4 = "fxftest" - $s5 = "upfileok" - $s7 = "upfileer" - condition: - all of them -} -rule HYTop2006_rar_Folder_2006 { - meta: - description = "Webshells Auto-generated - file 2006.asp" - author = "Yara Bulk Rule Generator by Florian Roth" - hash = "c19d6f4e069188f19b08fa94d44bc283" - strings: - $s6 = "strBackDoor = strBackDoor " - condition: - all of them -} -rule r57shell_3 { - meta: - description = "Webshells Auto-generated - file r57shell.php" - author = "Yara Bulk Rule Generator by Florian Roth" - hash = "87995a49f275b6b75abe2521e03ac2c0" - strings: - $s1 = "\".$_POST['cmd']" - condition: - all of them -} -rule HDConfig { - meta: - description = "Webshells Auto-generated - file HDConfig.exe" - author = "Yara Bulk Rule Generator by Florian Roth" - hash = "7d60e552fdca57642fd30462416347bd" - strings: - $s0 = "An encryption key is derived from the password hash. " - $s3 = "A hash object has been created. " - $s4 = "Error during CryptCreateHash!" - $s5 = "A new key container has been created." - $s6 = "The password has been added to the hash. 
" - condition: - all of them -} -rule FSO_s_ajan_2 { - meta: - description = "Webshells Auto-generated - file ajan.asp" - author = "Yara Bulk Rule Generator by Florian Roth" - hash = "22194f8c44524f80254e1b5aec67b03e" - strings: - $s2 = "\"Set WshShell = CreateObject(\"\"WScript.Shell\"\")" - $s3 = "/file.zip" - condition: - all of them -} - -rule Webshell_and_Exploit_CN_APT_HK : Webshell -{ -meta: - author = "Florian Roth" - description = "Webshell and Exploit Code in relation with APT against Honk Kong protesters" - date = "10.10.2014" - score = 50 -strings: - $a0 = "" - condition: - all of them -} -rule FSO_s_EFSO_2_2 { - meta: - description = "Webshells Auto-generated - file EFSO_2.asp" - author = "Yara Bulk Rule Generator by Florian Roth" - hash = "a341270f9ebd01320a7490c12cb2e64c" - strings: - $s0 = ";!+/DRknD7+.\\mDrC(V+kcJznndm\\f|nzKuJb'r@!&0KUY@*Jb@#@&Xl\"dKVcJ\\CslU,),@!0KxD~mKV" - $s4 = "\\co!VV2CDtSJ'E*#@#@&mKx/DP14lM/nY{JC81N+6LtbL3^hUWa;M/OE-AXX\"b~/fAs!u&9|J\\grKp\"j" - condition: - all of them -} -rule byshell063_ntboot_2 { - meta: - description = "Webshells Auto-generated - file ntboot.dll" - author = "Yara Bulk Rule Generator by Florian Roth" - hash = "cb9eb5a6ff327f4d6c46aacbbe9dda9d" - strings: - $s6 = "OK,job was done,cuz we have localsystem & SE_DEBUG_NAME:)" - condition: - all of them -} -rule u_uay { - meta: - description = "Webshells Auto-generated - file uay.exe" - author = "Yara Bulk Rule Generator by Florian Roth" - hash = "abbc7b31a24475e4c5d82fc4c2b8c7c4" - strings: - $s1 = "exec \"c:\\WINDOWS\\System32\\freecell.exe" - $s9 = "SYSTEM\\CurrentControlSet\\Services\\uay.sys\\Security" - condition: - 1 of them -} -rule bin_wuaus { - meta: - description = "Webshells Auto-generated - file wuaus.dll" - author = "Yara Bulk Rule Generator by Florian Roth" - hash = "46a365992bec7377b48a2263c49e4e7d" - strings: - $s1 = "9(90989@9V9^9f9n9v9" - $s2 = ":(:,:0:4:8:C:H:N:T:Y:_:e:o:y:" - $s3 = ";(=@=G=O=T=X=\\=" - $s4 = "TCP Send Error!!" 
- $s5 = "1\"1;1X1^1e1m1w1~1" - $s8 = "=$=)=/=<=Y=_=j=p=z=" - condition: - all of them -} -rule pwreveal { - meta: - description = "Webshells Auto-generated - file pwreveal.exe" - author = "Yara Bulk Rule Generator by Florian Roth" - hash = "b4e8447826a45b76ca45ba151a97ad50" - strings: - $s0 = "*NetBios Name: \\\\\" & Snet.ComputerName &" - condition: - all of them -} -rule cmdShell { - meta: - description = "Webshells Auto-generated - file cmdShell.asp" - author = "Yara Bulk Rule Generator by Florian Roth" - hash = "8a9fef43209b5d2d4b81dfbb45182036" - strings: - $s1 = "if cmdPath=\"wscriptShell\" then" - condition: - all of them -} -rule ZXshell2_0_rar_Folder_nc { - meta: - description = "Webshells Auto-generated - file nc.exe" - author = "Yara Bulk Rule Generator by Florian Roth" - hash = "2cd1bf15ae84c5f6917ddb128827ae8b" - strings: - $s0 = "WSOCK32.dll" - $s1 = "?bSUNKNOWNV" - $s7 = "p@gram Jm6h)" - $s8 = "ser32.dllCONFP@" - condition: - all of them -} -rule portlessinst { - meta: - description = "Webshells Auto-generated - file portlessinst.exe" - author = "Yara Bulk Rule Generator by Florian Roth" - hash = "74213856fc61475443a91cd84e2a6c2f" - strings: - $s2 = "Fail To Open Registry" - $s3 = "f<-WLEggDr\"" - $s6 = "oMemoryCreateP" - condition: - all of them -} -rule SetupBDoor { - meta: - description = "Webshells Auto-generated - file SetupBDoor.exe" - author = "Yara Bulk Rule Generator by Florian Roth" - hash = "41f89e20398368e742eda4a3b45716b6" - strings: - $s1 = "\\BDoor\\SetupBDoor" - condition: - all of them -} -rule phpshell_3 { - meta: - description = "Webshells Auto-generated - file phpshell.php" - author = "Yara Bulk Rule Generator by Florian Roth" - hash = "e8693a2d4a2ffea4df03bb678df3dc6d" - strings: - $s3 = "

" - $s5 = " echo \"\\n\";" - condition: - all of them -} -rule BIN_Server { - meta: - description = "Webshells Auto-generated - file Server.exe" - author = "Yara Bulk Rule Generator by Florian Roth" - hash = "1d5aa9cbf1429bb5b8bf600335916dcd" - strings: - $s0 = "configserver" - $s1 = "GetLogicalDrives" - $s2 = "WinExec" - $s4 = "fxftest" - $s5 = "upfileok" - $s7 = "upfileer" - condition: - all of them -} -rule HYTop2006_rar_Folder_2006 { - meta: - description = "Webshells Auto-generated - file 2006.asp" - author = "Yara Bulk Rule Generator by Florian Roth" - hash = "c19d6f4e069188f19b08fa94d44bc283" - strings: - $s6 = "strBackDoor = strBackDoor " - condition: - all of them -} -rule r57shell_3 { - meta: - description = "Webshells Auto-generated - file r57shell.php" - author = "Yara Bulk Rule Generator by Florian Roth" - hash = "87995a49f275b6b75abe2521e03ac2c0" - strings: - $s1 = "\".$_POST['cmd']" - condition: - all of them -} -rule HDConfig { - meta: - description = "Webshells Auto-generated - file HDConfig.exe" - author = "Yara Bulk Rule Generator by Florian Roth" - hash = "7d60e552fdca57642fd30462416347bd" - strings: - $s0 = "An encryption key is derived from the password hash. " - $s3 = "A hash object has been created. " - $s4 = "Error during CryptCreateHash!" - $s5 = "A new key container has been created." - $s6 = "The password has been added to the hash. 
" - condition: - all of them -} -rule FSO_s_ajan_2 { - meta: - description = "Webshells Auto-generated - file ajan.asp" - author = "Yara Bulk Rule Generator by Florian Roth" - hash = "22194f8c44524f80254e1b5aec67b03e" - strings: - $s2 = "\"Set WshShell = CreateObject(\"\"WScript.Shell\"\")" - $s3 = "/file.zip" - condition: - all of them -} - -rule Webshell_and_Exploit_CN_APT_HK : Webshell -{ -meta: - author = "Florian Roth" - description = "Webshell and Exploit Code in relation with APT against Honk Kong protesters" - date = "10.10.2014" - score = 50 -strings: - $a0 = "" -condition: - 16 of them -} - -rule phoenix_html9 -{ -meta: - author = "Josh Berry" - date = "2016-06-26" - description = "Phoenix Exploit Kit Detection" - hash0 = "742d012b9df0c27ed6ccf3b234db20db" - sample_filetype = "js-html" - yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator" -strings: - $string0 = "tute)bbr:" - $string1 = "nfho(tghRx" - $string2 = "()irfE/Rt..cOcC" - $string3 = "NcEnevbf" - $string4 = "63FB8B4296BBC290A0.'0000079'Fh20216B6A6arA;<" - $string5 = "wHe(cLnyeyet(a.i,r.{.." 
- $string6 = "tute)bbdfiiix'bcr" - $string7 = "itifdf)d1L2f'asau%d004u%8e00u%0419u%a58du%2093u%ec10u%0050u%00d4u%4622u%bcd1u%b1ceu%5000u%f7f5u%5606" - $string8 = "2F4693529783'82F076676C38'te" - $string9 = "sm(teoeoi)cfh))pihnipeeeo}.,(.((" - $string10 = "ao)ntavlll{))ynlcoix}hiN.il'tes1ad)bm;" - $string11 = "i)}m0f(eClei(/te" - $string12 = "}aetsc" - $string13 = "irefnig.pT" - $string14 = "a0mrIif/tbne,(wsk," - $string15 = "500F14B06000000630E6B72636F60632C6E711C6E762E646F147F44767F650A0804061901020009006B120005A2006L" - $string16 = ".hB.Csf)ddeSs" - $string17 = "tnne,IPd4Le" - $string18 = "hMdarc'nBtpw" -condition: - 18 of them -} - -rule phoenix_jar -{ -meta: - author = "Josh Berry" - date = "2016-06-26" - description = "Phoenix Exploit Kit Detection" - hash0 = "a8a18219b02d30f44799415ff19c518e" - sample_filetype = "unknown" - yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator" -strings: - $string0 = "r.JM,IM" - $string1 = "qX$8$a" - $string2 = "META-INF/services/javax.sound.midi.spi.MidiDeviceProvider5" - $string3 = "a.classPK" - $string4 = "6;\\Q]Q" - $string5 = "h[s] X" - $string6 = "ToolsDemoSubClass.classPK" - $string7 = "a.class" - $string8 = "META-INF/MANIFEST.MFPK" - $string9 = "ToolsDemoSubClass.classeO" - $string10 = "META-INF/services/javax.sound.midi.spi.MidiDeviceProviderPK" -condition: - 10 of them -} - -rule phoenix_jar2 -{ -meta: - author = "Josh Berry" - date = "2016-06-26" - description = "Phoenix Exploit Kit Detection" - hash0 = "989c5b5eaddf48010e62343d7a4db6f4" - sample_filetype = "unknown" - yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator" -strings: - $string0 = "a66d578f084.classeQ" - $string1 = "a4cb9b1a8a5.class" - $string2 = ")szNu\\MutK" - $string3 = "qCCwBU" - $string4 = "META-INF/MANIFEST.MF" - $string5 = "QR,GOX" - $string6 = "ab5601d4848.classmT" - $string7 = "a6a7a760c0e[" - $string8 = "2ZUK[L" - $string9 = "2VT(Au5" - $string10 = "a6a7a760c0ePK" - $string11 = "aa79d1019d8.class" - $string12 = 
"aa79d1019d8.classPK" - $string13 = "META-INF/MANIFEST.MFPK" - $string14 = "ab5601d4848.classPK" -condition: - 14 of them -} - -rule phoenix_jar3 -{ -meta: - author = "Josh Berry" - date = "2016-06-26" - description = "Phoenix Exploit Kit Detection" - hash0 = "c5655c496949f8071e41ea9ac011cab2" - sample_filetype = "unknown" - yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator" -strings: - $string0 = "'> >$>" - $string1 = "bpac/PK" - $string2 = "bpac/purok$1.classmP]K" - $string3 = "bpac/KAVS.classmQ" - $string4 = "'n n$n" - $string5 = "bpac/purok$1.classPK" - $string6 = "$.4aX,Gt<" - $string7 = "bpac/KAVS.classPK" - $string8 = "bpac/b.classPK" - $string9 = "bpac/b.class" -condition: - 9 of them -} - -rule phoenix_pdf -{ -meta: - author = "Josh Berry" - date = "2016-06-26" - description = "Phoenix Exploit Kit Detection" - hash0 = "16de68e66cab08d642a669bf377368da" - hash1 = "bab281fe0cf3a16a396550b15d9167d5" - sample_filetype = "pdf" - yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator" -strings: - $string0 = "0000000254 00000 n" - $string1 = "0000000295 00000 n" - $string2 = "trailer<>" - $string3 = "0000000000 65535 f" - $string4 = "3 0 obj<>endobj" - $string5 = "0000000120 00000 n" - $string6 = "%PDF-1.0" - $string7 = "startxref" - $string8 = "0000000068 00000 n" - $string9 = "endobjxref" - $string10 = ")6 0 R ]>>endobj" - $string11 = "0000000010 00000 n" -condition: - 11 of them -} - -rule phoenix_pdf2 -{ -meta: - author = "Josh Berry" - date = "2016-06-26" - description = "Phoenix Exploit Kit Detection" - hash0 = "33cb6c67f58609aa853e80f718ab106a" - sample_filetype = "pdf" - yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator" -strings: - $string0 = "\\nQb<%" - $string1 = "0000000254 00000 n" - $string2 = ":S3>v0$EF" - $string3 = "trailer<>" - $string4 = "%PDF-1.0" - $string5 = "0000000000 65535 f" - $string6 = "endstream" - $string7 = "0000000010 00000 n" - $string8 = "6 0 obj<>endobj" - $string9 = "3 0 obj<>endobj" - $string10 = "}pr2IE" 
- $string11 = "0000000157 00000 n" - $string12 = "1 0 obj<>endobj" - $string13 = "5 0 obj<= 0xC0) and (((uint8(@a[i] + 1) & 0x38) >> 3) == (uint8(@a[i] + 1) & 0x07)) and ((uint8(@a[i] + 2) & 0xF8) == 0xA0) and (uint8(@a[i] + 6) <= 0x3F) and (((uint8(@a[i] + 6) & 0x38) >> 3) != (uint8(@a[i] + 6) & 0x07))) -} - -rule maldoc_find_kernel32_base_method_3 : maldoc -{ - meta: - author = "Didier Stevens (https://DidierStevens.com)" - strings: - $a = {68 30 00 00 00 (58|59|5A|5B|5C|5D|5E|5F) 64 8B ??} - condition: - for any i in (1..#a): (((uint8(@a[i] + 5) & 0x07) == (uint8(@a[i] + 8) & 0x07)) and (uint8(@a[i] + 8) <= 0x3F) and (((uint8(@a[i] + 8) & 0x38) >> 3) != (uint8(@a[i] + 8) & 0x07))) -} - -rule mwi_document: exploitdoc maldoc -{ - meta: - description = "MWI generated document" - author = "@Ydklijnsma" - source = "http://blog.0x3a.com/post/117760824504/analysis-of-a-microsoft-word-intruder-sample" - - strings: - $field_creation_tag = "{\\field{\\*\\fldinst { INCLUDEPICTURE" - $mwistat_url = ".php?id=" - $field_closing_tag = "\\\\* MERGEFORMAT \\\\d}}{\\fldrslt}}" - - condition: - all of them -} - diff --git a/yara-mikesxrs/codewatchorg/crimepack_jar.yar b/yara-mikesxrs/codewatchorg/crimepack_jar.yar deleted file mode 100644 index 6b597ec..0000000 --- a/yara-mikesxrs/codewatchorg/crimepack_jar.yar +++ /dev/null @@ -1,20 +0,0 @@ -rule crimepack_jar -{ -meta: - author = "Josh Berry" - date = "2016-06-26" - description = "CrimePack Exploit Kit Detection" - hash0 = "d48e70d538225bc1807842ac13a8e188" - sample_filetype = "unknown" - yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator" -strings: - $string0 = "r.JM,IM" - $string1 = "cpak/Crimepack$1.classPK" - $string2 = "cpak/KAVS.classPK" - $string3 = "cpak/KAVS.classmQ" - $string4 = "cpak/Crimepack$1.classmP[O" - $string5 = "META-INF/MANIFEST.MF" - $string6 = "META-INF/MANIFEST.MFPK" -condition: - 6 of them -} 
diff --git a/yara-mikesxrs/codewatchorg/crimepack_jar3.yar b/yara-mikesxrs/codewatchorg/crimepack_jar3.yar deleted file mode 100644 index 444c3b3..0000000 --- a/yara-mikesxrs/codewatchorg/crimepack_jar3.yar +++ /dev/null @@ -1,25 +0,0 @@ -rule crimepack_jar3 -{ -meta: - author = "Josh Berry" - date = "2016-06-26" - description = "CrimePack Exploit Kit Detection" - hash0 = "40ed977adc009e1593afcb09d70888c4" - sample_filetype = "unknown" - yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator" -strings: - $string0 = "payload.serPK" - $string1 = "vE/JD[j" - $string2 = "payload.ser[" - $string3 = "Exploit$2.classPK" - $string4 = "Exploit$2.class" - $string5 = "Ho((i/" - $string6 = "META-INF/MANIFEST.MF" - $string7 = "H5641Yk" - $string8 = "Exploit$1.classPK" - $string9 = "Payloader.classPK" - $string10 = "%p6$MCS" - $string11 = "Exploit$1$1.classPK" -condition: - 11 of them -} diff --git a/yara-mikesxrs/codewatchorg/cve_2013_0074.yar b/yara-mikesxrs/codewatchorg/cve_2013_0074.yar deleted file mode 100644 index fe6d0b6..0000000 --- a/yara-mikesxrs/codewatchorg/cve_2013_0074.yar +++ /dev/null @@ -1,17 +0,0 @@ -rule cve_2013_0074 -{ -meta: - author = "Kaspersky Lab" - filetype = "Win32 EXE" - date = "2015-07-23" - version = "1.0" - -strings: - $b2="Can't find Payload() address" ascii wide - $b3="/SilverApp1;component/App.xaml" ascii wide - $b4="Can't allocate ums after buf[]" ascii wide - $b5="------------ START ------------" - -condition: - ( (2 of ($b*)) ) -} \ No newline at end of file diff --git a/yara-mikesxrs/codewatchorg/cve_2013_0422.yar b/yara-mikesxrs/codewatchorg/cve_2013_0422.yar deleted file mode 100644 index 1063df2..0000000 --- a/yara-mikesxrs/codewatchorg/cve_2013_0422.yar +++ /dev/null 
@@ -1,21 +0,0 @@ -rule CVE_2013_0422 -{ - meta: - description = "Java Applet JMX Remote Code Execution" - cve = "CVE-2013-0422" - ref = "http://pastebin.com/JVedyrCe" - author = "adnan.shukor@gmail.com" - date = "12-Jan-2013" - version = "1" - impact = 4 - hide = false - strings: - $0422_1 = "com/sun/jmx/mbeanserver/JmxMBeanServer" fullword - $0422_2 = "com/sun/jmx/mbeanserver/JmxMBeanServerBuilder" fullword - $0422_3 = "com/sun/jmx/mbeanserver/MBeanInstantiator" fullword - $0422_4 = "findClass" fullword - $0422_5 = "publicLookup" fullword - $class = /sun\.org\.mozilla\.javascript\.internal\.(Context|GeneratedClassLoader)/ fullword - condition: - (all of ($0422_*)) or (all of them) -} diff --git a/yara-mikesxrs/codewatchorg/eleonore_jar.yar b/yara-mikesxrs/codewatchorg/eleonore_jar.yar deleted file mode 100644 index 8fa07eb..0000000 --- a/yara-mikesxrs/codewatchorg/eleonore_jar.yar +++ /dev/null @@ -1,26 +0,0 @@ -rule eleonore_jar -{ -meta: - author = "Josh Berry" - date = "2016-06-26" - description = "Eleonore Exploit Kit Detection" - hash0 = "ad829f4315edf9c2611509f3720635d2" - sample_filetype = "unknown" - yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator" -strings: - $string0 = "r.JM,IM" - $string1 = "dev/s/DyesyasZ.classPK" - $string2 = "k4kjRv" - $string3 = "dev/s/LoaderX.class}V[t" - $string4 = "dev/s/PK" - $string5 = "Hsz6%y" - $string6 = "META-INF/MANIFEST.MF" - $string7 = "dev/PK" - $string8 = "dev/s/AdgredY.class" - $string9 = "dev/s/DyesyasZ.class" - $string10 = "dev/s/LoaderX.classPK" - $string11 = "eS0L5d" - $string12 = "8E{4ON" -condition: - 12 of them -} diff --git a/yara-mikesxrs/codewatchorg/eleonore_jar2.yar b/yara-mikesxrs/codewatchorg/eleonore_jar2.yar deleted file mode 100644 index 6aca137..0000000 --- a/yara-mikesxrs/codewatchorg/eleonore_jar2.yar +++ /dev/null 
@@ -1,28 +0,0 @@ -rule eleonore_jar2 -{ -meta: - author = "Josh Berry" - date = "2016-06-26" - description = "Eleonore Exploit Kit Detection" - hash0 = "94e99de80c357d01e64abf7dc5bd0ebd" - sample_filetype = "unknown" - yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator" -strings: - $string0 = "META-INF/MANIFEST.MFManifest-Version: 1.0" - $string1 = "wPVvVyz" - $string2 = "JavaFX.class" - $string3 = "{%D@'\\" - $string4 = "JavaFXColor.class" - $string5 = "bWxEBI}Y" - $string6 = "$(2}UoD" - $string7 = "j%4muR" - $string8 = "vqKBZi" - $string9 = "l6gs8;" - $string10 = "JavaFXTrueColor.classeSKo" - $string11 = "ZyYQx " - $string12 = "META-INF/" - $string13 = "JavaFX.classPK" - $string14 = ";Ie8{A" -condition: - 14 of them -} diff --git a/yara-mikesxrs/codewatchorg/eleonore_jar3.yar b/yara-mikesxrs/codewatchorg/eleonore_jar3.yar deleted file mode 100644 index b9ab449..0000000 --- a/yara-mikesxrs/codewatchorg/eleonore_jar3.yar +++ /dev/null 
@@ -1,26 +0,0 @@ -rule eleonore_jar3 -{ -meta: - author = "Josh Berry" - date = "2016-06-26" - description = "Eleonore Exploit Kit Detection" - hash0 = "f65f3b9b809ebf221e73502480ab6ea7" - sample_filetype = "unknown" - yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator" -strings: - $string0 = "16lNYF2V" - $string1 = "META-INF/MANIFEST.MFPK" - $string2 = "ghsdr/Jewredd.classPK" - $string3 = "ghsdr/Gedsrdc.class" - $string4 = "e[= 0xC0) and (((uint8(@a[i] + 1) & 0x38) >> 3) == (uint8(@a[i] + 1) & 0x07)) and ((uint8(@a[i] + 2) & 0xF8) == 0xA0) and (uint8(@a[i] + 6) <= 0x3F) and (((uint8(@a[i] + 6) & 0x38) >> 3) != (uint8(@a[i] + 6) & 0x07))) -} - -rule maldoc_find_kernel32_base_method_3 : maldoc -{ - meta: - author = "Didier Stevens (https://DidierStevens.com)" - strings: - $a = {68 30 00 00 00 (58|59|5A|5B|5C|5D|5E|5F) 64 8B ??} - condition: - for any i in (1..#a): (((uint8(@a[i] + 5) & 0x07) == (uint8(@a[i] + 8) & 0x07)) and (uint8(@a[i] + 8) <= 0x3F) and (((uint8(@a[i] + 8) & 0x38) >> 3) != (uint8(@a[i] + 8) & 0x07))) -} - -rule mwi_document: exploitdoc maldoc -{ - meta: - description = "MWI generated document" - author = "@Ydklijnsma" - source = "http://blog.0x3a.com/post/117760824504/analysis-of-a-microsoft-word-intruder-sample" - - strings: - $field_creation_tag = "{\\field{\\*\\fldinst { INCLUDEPICTURE" - $mwistat_url = ".php?id=" - $field_closing_tag = "\\\\* MERGEFORMAT \\\\d}}{\\fldrslt}}" - - condition: - all of them -} - -rule macrocheck : maldoc -{ - meta: - Author = "Fireeye Labs" - Date = "2014/11/30" - Description = "Identify office documents with the MACROCHECK credential stealer in them. It can be run against .doc files or VBA macros extraced from .docx files (vbaProject.bin files)." 
- Reference = "https://www.fireeye.com/blog/threat-research/2014/11/fin4_stealing_insid.html" - - strings: - $PARAMpword = "pword=" ascii wide - $PARAMmsg = "msg=" ascii wide - $PARAMuname = "uname=" ascii - $userform = "UserForm" ascii wide - $userloginform = "UserLoginForm" ascii wide - $invalid = "Invalid username or password" ascii wide - $up1 = "uploadPOST" ascii wide - $up2 = "postUpload" ascii wide - - condition: - all of ($PARAM*) or (($invalid or $userloginform or $userform) and ($up1 or $up2)) -} - -rule Office_AutoOpen_Macro : maldoc { - meta: - description = "Detects an Microsoft Office file that contains the AutoOpen Macro function" - author = "Florian Roth" - date = "2015-05-28" - score = 60 - hash1 = "4d00695d5011427efc33c9722c61ced2" - hash2 = "63f6b20cb39630b13c14823874bd3743" - hash3 = "66e67c2d84af85a569a04042141164e6" - hash4 = "a3035716fe9173703941876c2bde9d98" - hash5 = "7c06cab49b9332962625b16f15708345" - hash6 = "bfc30332b7b91572bfe712b656ea8a0c" - hash7 = "25285b8fe2c41bd54079c92c1b761381" - strings: - $s1 = "AutoOpen" ascii fullword - $s2 = "Macros" wide fullword - condition: - uint32be(0) == 0xd0cf11e0 and all of ($s*) and filesize < 300000 -} - -rule Embedded_EXE_Cloaking : maldoc { - meta: - description = "Detects an embedded executable in a non-executable file" - author = "Florian Roth" - date = "2015/02/27" - score = 80 - strings: - $noex_png = { 89 50 4E 47 } - $noex_pdf = { 25 50 44 46 } - $noex_rtf = { 7B 5C 72 74 66 31 } - $noex_jpg = { FF D8 FF E0 } - $noex_gif = { 47 49 46 38 } - $mz = { 4D 5A } - $a1 = "This program cannot be run in DOS mode" - $a2 = "This program must be run under Win32" - condition: - ( - ( $noex_png at 0 ) or - ( $noex_pdf at 0 ) or - ( $noex_rtf at 0 ) or - ( $noex_jpg at 0 ) or - ( $noex_gif at 0 ) - ) - and - for any i in (1..#mz): ( @a1 < ( @mz[i] + 200 ) or @a2 < ( @mz[i] + 200 ) ) -} 
diff --git a/yara-mikesxrs/codewatchorg/malicious_pdf.yar b/yara-mikesxrs/codewatchorg/malicious_pdf.yar deleted file mode 100644 index f1e699c..0000000 --- a/yara-mikesxrs/codewatchorg/malicious_pdf.yar +++ /dev/null 
@@ -1,456 +0,0 @@ -rule malicious_author : PDF -{ - meta: - author = "Glenn Edwards (@hiddenillusion)" - version = "0.1" - weight = 5 - - strings: - $magic = { 25 50 44 46 } - - $reg0 = /Creator.?\(yen vaw\)/ - $reg1 = /Title.?\(who cis\)/ - $reg2 = /Author.?\(ser pes\)/ - condition: - $magic at 0 and all of ($reg*) -} - -rule suspicious_version : PDF -{ - meta: - author = "Glenn Edwards (@hiddenillusion)" - version = "0.1" - weight = 3 - - strings: - $magic = { 25 50 44 46 } - $ver = /%PDF-1.\d{1}/ - condition: - $magic at 0 and not $ver -} - -rule suspicious_creation : PDF -{ - meta: - author = "Glenn Edwards (@hiddenillusion)" - version = "0.1" - weight = 2 - - strings: - $magic = { 25 50 44 46 } - $header = /%PDF-1\.(3|4|6)/ - - $create0 = /CreationDate \(D:20101015142358\)/ - $create1 = /CreationDate \(2008312053854\)/ - condition: - $magic at 0 and $header and 1 of ($create*) -} - -rule suspicious_title : PDF -{ - meta: - author = "Glenn Edwards (@hiddenillusion)" - version = "0.1" - weight = 4 - - strings: - $magic = { 25 50 44 46 } - $header = /%PDF-1\.(3|4|6)/ - - $title0 = "who cis" - $title1 = "P66N7FF" - $title2 = "Fohcirya" - condition: - $magic at 0 and $header and 1 of ($title*) -} - -rule suspicious_author : PDF -{ - meta: - author = "Glenn Edwards (@hiddenillusion)" - version = "0.1" - weight = 4 - - strings: - $magic = { 25 50 44 46 } - $header = /%PDF-1\.(3|4|6)/ - - $author0 = "Ubzg1QUbzuzgUbRjvcUb14RjUb1" - $author1 = "ser pes" - $author2 = "Miekiemoes" - $author3 = "Nsarkolke" - condition: - $magic at 0 and $header and 1 of ($author*) -} - -rule suspicious_producer : PDF -{ - meta: - author = "Glenn Edwards (@hiddenillusion)" - version = "0.1" - weight = 2 - - strings: - $magic = { 25 50 44 46 } - $header = /%PDF-1\.(3|4|6)/ - - $producer0 = /Producer \(Scribus PDF Library/ - $producer1 = "Notepad" - condition: - $magic at 0 and $header and 1 of ($producer*) -} - -rule suspicious_creator : PDF -{ - meta: - author = "Glenn Edwards 
(@hiddenillusion)" - version = "0.1" - weight = 3 - - strings: - $magic = { 25 50 44 46 } - $header = /%PDF-1\.(3|4|6)/ - - $creator0 = "yen vaw" - $creator1 = "Scribus" - $creator2 = "Viraciregavi" - condition: - $magic at 0 and $header and 1 of ($creator*) -} - -rule possible_exploit : PDF -{ - meta: - author = "Glenn Edwards (@hiddenillusion)" - version = "0.1" - weight = 3 - - strings: - $magic = { 25 50 44 46 } - - $attrib0 = /\/JavaScript / - $attrib3 = /\/ASCIIHexDecode/ - $attrib4 = /\/ASCII85Decode/ - - $action0 = /\/Action/ - $action1 = "Array" - $shell = "A" - $cond0 = "unescape" - $cond1 = "String.fromCharCode" - - $nop = "%u9090%u9090" - condition: - $magic at 0 and (2 of ($attrib*)) or ($action0 and #shell > 10 and 1 of ($cond*)) or ($action1 and $cond0 and $nop) -} - -rule shellcode_blob_metadata : PDF -{ - meta: - author = "Glenn Edwards (@hiddenillusion)" - version = "0.1" - description = "When there's a large Base64 blob inserted into metadata fields it often indicates shellcode to later be decoded" - weight = 4 - strings: - $magic = { 25 50 44 46 } - - $reg_keyword = /\/Keywords.?\(([a-zA-Z0-9]{200,})/ //~6k was observed in BHEHv2 PDF exploits holding the shellcode - $reg_author = /\/Author.?\(([a-zA-Z0-9]{200,})/ - $reg_title = /\/Title.?\(([a-zA-Z0-9]{200,})/ - $reg_producer = /\/Producer.?\(([a-zA-Z0-9]{200,})/ - $reg_creator = /\/Creator.?\(([a-zA-Z0-9]{300,})/ - $reg_create = /\/CreationDate.?\(([a-zA-Z0-9]{200,})/ - - condition: - $magic at 0 and 1 of ($reg*) -} - -rule multiple_filtering : PDF -{ - meta: - author = "Glenn Edwards (@hiddenillusion)" - version = "0.2" - weight = 3 - - strings: - $magic = { 25 50 44 46 } - $attrib = /\/Filter.*?(\/ASCIIHexDecode\W+|\/LZWDecode\W+|\/ASCII85Decode\W+|\/FlateDecode\W+|\/RunLengthDecode){2}/ - // left out: /CCITTFaxDecode, JBIG2Decode, DCTDecode, JPXDecode, Crypt - - condition: - $magic at 0 and $attrib -} - -rule suspicious_js : PDF -{ - meta: - author = "Glenn Edwards (@hiddenillusion)" - 
version = "0.1" - weight = 3 - - strings: - $magic = { 25 50 44 46 } - - $attrib0 = /\/OpenAction / - $attrib1 = /\/JavaScript / - - $js0 = "eval" - $js1 = "Array" - $js2 = "String.fromCharCode" - - condition: - $magic at 0 and all of ($attrib*) and 2 of ($js*) -} - -rule suspicious_launch_action : PDF -{ - meta: - author = "Glenn Edwards (@hiddenillusion)" - version = "0.1" - weight = 2 - - strings: - $magic = { 25 50 44 46 } - - $attrib0 = /\/Launch/ - $attrib1 = /\/URL / - $attrib2 = /\/Action/ - $attrib3 = /\/F / - - condition: - $magic at 0 and 3 of ($attrib*) -} - -rule suspicious_embed : PDF -{ - meta: - author = "Glenn Edwards (@hiddenillusion)" - version = "0.1" - ref = "https://feliam.wordpress.com/2010/01/13/generic-pdf-exploit-hider-embedpdf-py-and-goodbye-av-detection-012010/" - weight = 2 - - strings: - $magic = { 25 50 44 46 } - - $meth0 = /\/Launch/ - $meth1 = /\/GoTo(E|R)/ //means go to embedded or remote - $attrib0 = /\/URL / - $attrib1 = /\/Action/ - $attrib2 = /\/Filespec/ - - condition: - $magic at 0 and 1 of ($meth*) and 2 of ($attrib*) -} - -rule suspicious_obfuscation : PDF -{ - meta: - author = "Glenn Edwards (@hiddenillusion)" - version = "0.1" - weight = 2 - - strings: - $magic = { 25 50 44 46 } - $reg = /\/\w#[a-zA-Z0-9]{2}#[a-zA-Z0-9]{2}/ - - condition: - $magic at 0 and #reg > 5 -} - -rule invalid_XObject_js : PDF -{ - meta: - author = "Glenn Edwards (@hiddenillusion)" - description = "XObject's require v1.4+" - ref = "https://blogs.adobe.com/ReferenceXObjects/" - version = "0.1" - weight = 2 - - strings: - $magic = { 25 50 44 46 } - $ver = /%PDF-1\.[4-9]/ - - $attrib0 = /\/XObject/ - $attrib1 = /\/JavaScript/ - - condition: - $magic at 0 and not $ver and all of ($attrib*) -} - -rule invalid_trailer_structure : PDF -{ - meta: - author = "Glenn Edwards (@hiddenillusion)" - version = "0.1" - weight = 1 - - strings: - $magic = { 25 50 44 46 } - // Required for a valid PDF - $reg0 = /trailer\r?\n?.*\/Size.*\r?\n?\.*/ - $reg1 = 
/\/Root.*\r?\n?.*startxref\r?\n?.*\r?\n?%%EOF/ - - condition: - $magic at 0 and not $reg0 and not $reg1 -} - -rule multiple_versions : PDF -{ - meta: - author = "Glenn Edwards (@hiddenillusion)" - version = "0.1" - description = "Written very generically and doesn't hold any weight - just something that might be useful to know about to help show incremental updates to the file being analyzed" - weight = 0 - - strings: - $magic = { 25 50 44 46 } - $s0 = "trailer" - $s1 = "%%EOF" - - condition: - $magic at 0 and #s0 > 1 and #s1 > 1 -} - -rule js_wrong_version : PDF -{ - meta: - author = "Glenn Edwards (@hiddenillusion)" - description = "JavaScript was introduced in v1.3" - ref = "http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/en/devnet/pdf/pdfs/pdf_reference_1-7.pdf" - version = "0.1" - weight = 2 - - strings: - $magic = { 25 50 44 46 } - $js = /\/JavaScript/ - $ver = /%PDF-1\.[3-9]/ - - condition: - $magic at 0 and $js and not $ver -} - -rule JBIG2_wrong_version : PDF -{ - meta: - author = "Glenn Edwards (@hiddenillusion)" - description = "JBIG2 was introduced in v1.4" - ref = "http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/en/devnet/pdf/pdfs/pdf_reference_1-7.pdf" - version = "0.1" - weight = 1 - - strings: - $magic = { 25 50 44 46 } - $js = /\/JBIG2Decode/ - $ver = /%PDF-1\.[4-9]/ - - condition: - $magic at 0 and $js and not $ver -} - -rule FlateDecode_wrong_version : PDF -{ - meta: - author = "Glenn Edwards (@hiddenillusion)" - description = "Flate was introduced in v1.2" - ref = "http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/en/devnet/pdf/pdfs/pdf_reference_1-7.pdf" - version = "0.1" - weight = 1 - - strings: - $magic = { 25 50 44 46 } - $js = /\/FlateDecode/ - $ver = /%PDF-1\.[2-9]/ - - condition: - $magic at 0 and $js and not $ver -} - -rule embed_wrong_version : PDF -{ - meta: - author = "Glenn Edwards (@hiddenillusion)" - description = "EmbeddedFiles were introduced in v1.3" - ref = 
"http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/en/devnet/pdf/pdfs/pdf_reference_1-7.pdf" - version = "0.1" - weight = 1 - - strings: - $magic = { 25 50 44 46 } - $embed = /\/EmbeddedFiles/ - $ver = /%PDF-1\.[3-9]/ - - condition: - $magic at 0 and $embed and not $ver -} - -rule invalid_xref_numbers : PDF -{ - meta: - author = "Glenn Edwards (@hiddenillusion)" - version = "0.1" - description = "The first entry in a cross-reference table is always free and has a generation number of 65,535" - notes = "This can be also be in a stream..." - weight = 1 - - strings: - $magic = { 25 50 44 46 } - $reg0 = /xref\r?\n?.*\r?\n?.*65535\sf/ - $reg1 = /endstream.*?\r?\n?endobj.*?\r?\n?startxref/ - condition: - $magic at 0 and not $reg0 and not $reg1 -} - -rule js_splitting : PDF -{ - meta: - author = "Glenn Edwards (@hiddenillusion)" - version = "0.1" - description = "These are commonly used to split up JS code" - weight = 2 - - strings: - $magic = { 25 50 44 46 } - $js = /\/JavaScript/ - $s0 = "getAnnots" - $s1 = "getPageNumWords" - $s2 = "getPageNthWord" - $s3 = "this.info" - - condition: - $magic at 0 and $js and 1 of ($s*) -} - -rule BlackHole_v2 : PDF -{ - meta: - author = "Glenn Edwards (@hiddenillusion)" - version = "0.1" - ref = "http://fortknoxnetworks.blogspot.no/2012/10/blackhhole-exploit-kit-v-20-url-pattern.html" - weight = 3 - - strings: - $magic = { 25 50 44 46 } - $content = "Index[5 1 7 1 9 4 23 4 50" - - condition: - $magic at 0 and $content -} - - -rule XDP_embedded_PDF : PDF -{ - meta: - author = "Glenn Edwards (@hiddenillusion)" - version = "0.1" - ref = "http://blog.9bplus.com/av-bypass-for-malicious-pdfs-using-xdp" - weight = 1 - - strings: - $s1 = "" - $s3 = "" - $header0 = "%PDF" - $header1 = "JVBERi0" - - condition: - all of ($s*) and 1 of ($header*) -} diff --git a/yara-mikesxrs/codewatchorg/phoenix_html.yar b/yara-mikesxrs/codewatchorg/phoenix_html.yar deleted file mode 100644 index 1062807..0000000 
--- a/yara-mikesxrs/codewatchorg/phoenix_html.yar +++ /dev/null @@ -1,23 +0,0 @@ -rule phoenix_html -{ -meta: - author = "Josh Berry" - date = "2016-06-26" - description = "Phoenix Exploit Kit Detection" - hash0 = "8395f08f1371eb7b2a2e131b92037f9a" - sample_filetype = "js-html" - yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator" -strings: - $string1 = "'> 0) or - - (uint16(uint32(0x3c)+24) == 0x020b and - - uint32(uint32(0x3c)+248) > 0)) - -} \ No newline at end of file diff --git a/yara-mikesxrs/crowdstrike/CrowdStrike_PutterPanda_01 - fourh_stack_strings putterpanda.yar b/yara-mikesxrs/crowdstrike/CrowdStrike_PutterPanda_01 - fourh_stack_strings putterpanda.yar deleted file mode 100644 index 6b41bcf..0000000 --- a/yara-mikesxrs/crowdstrike/CrowdStrike_PutterPanda_01 - fourh_stack_strings putterpanda.yar +++ /dev/null 
@@ -1,59 +0,0 @@ -rule CrowdStrike_PutterPanda_01 : fourh_stack_strings putterpanda - { - meta: - description = "PUTTER PANDA - 4H RAT" - author = "CrowdStrike" - date = "2014-03-30" - version = "1.0" - in_the_wild = true - copyright = "CrowdStrike, Inc." - actor = "PUTTER PANDA" - yara_version = ">=1.6" - - strings: - $key_combined_1 = { C6 44 24 ?? 34 C6 44 24 ?? 36 C6 44 24 ?? 21 C6 44 24 ?? 79 C6 44 24 ?? 6F C6 44 24 ?? 00 } - - - // ebp - $keyfrag_ebp_1 = { C6 45 ?? 6C } // ld66!yo - $keyfrag_ebp_2 = { C6 45 ?? 64 } - $keyfrag_ebp_3 = { C6 45 ?? 34 } - $keyfrag_ebp_4 = { C6 45 ?? 36 } - $keyfrag_ebp_5 = { C6 45 ?? 21 } - $keyfrag_ebp_6 = { C6 45 ?? 79 } - $keyfrag_ebp_7 = { C6 45 ?? 6F } - - // esp - $keyfrag_esp_1 = { c6 44 ?? 6C } // ld66!yo - $keyfrag_esp_2 = { c6 44 ?? 64 } - $keyfrag_esp_3 = { c6 44 ?? 34 } - $keyfrag_esp_4 = { c6 44 ?? 36 } - $keyfrag_esp_5 = { c6 44 ?? 21 } - $keyfrag_esp_6 = { c6 44 ?? 79 } - $keyfrag_esp_7 = { c6 44 ?? 6F } - - // reduce FPs by checking for some common strings - $check_zeroes = "0000000" - $check_param = "Invalid parameter" - $check_ercv = "ercv= %d" - $check_unk = "unknown" - - condition: - any of ($key_combined*) or - (1 of ($check_*) and - ( - ( - all of ($keyfrag_ebp_*) and - for any i in (1..#keyfrag_ebp_5) : ( - for all of ($keyfrag_ebp_*): ($ in (@keyfrag_ebp_5[i]-100..@keyfrag_ebp_5[i]+100)) - ) - ) - or - ( - for any i in (1..#keyfrag_esp_5) : ( - for all of ($keyfrag_esp_*): ($ in (@keyfrag_esp_5[i]-100..@keyfrag_esp_5[i]+100)) - ) - ) - ) - ) - } \ No newline at end of file diff --git a/yara-mikesxrs/crowdstrike/Crowdstrike_index.yara b/yara-mikesxrs/crowdstrike/Crowdstrike_index.yara deleted file mode 100644 index f7d9df2..0000000 --- a/yara-mikesxrs/crowdstrike/Crowdstrike_index.yara +++ /dev/null 
@@ -1,293 +0,0 @@ -rule CrowdStrike_PutterPanda_01 : fourh_stack_strings putterpanda - { - meta: - description = "PUTTER PANDA - 4H RAT" - author = "CrowdStrike" - date = "2014-03-30" - version = "1.0" - in_the_wild = true - copyright = "CrowdStrike, Inc." - actor = "PUTTER PANDA" - yara_version = ">=1.6" - - strings: - $key_combined_1 = { C6 44 24 ?? 34 C6 44 24 ?? 36 C6 44 24 ?? 21 C6 44 24 ?? 79 C6 44 24 ?? 6F C6 44 24 ?? 00 } - - - // ebp - $keyfrag_ebp_1 = { C6 45 ?? 6C } // ld66!yo - $keyfrag_ebp_2 = { C6 45 ?? 64 } - $keyfrag_ebp_3 = { C6 45 ?? 34 } - $keyfrag_ebp_4 = { C6 45 ?? 36 } - $keyfrag_ebp_5 = { C6 45 ?? 21 } - $keyfrag_ebp_6 = { C6 45 ?? 79 } - $keyfrag_ebp_7 = { C6 45 ?? 6F } - - // esp - $keyfrag_esp_1 = { c6 44 ?? 6C } // ld66!yo - $keyfrag_esp_2 = { c6 44 ?? 64 } - $keyfrag_esp_3 = { c6 44 ?? 34 } - $keyfrag_esp_4 = { c6 44 ?? 36 } - $keyfrag_esp_5 = { c6 44 ?? 21 } - $keyfrag_esp_6 = { c6 44 ?? 79 } - $keyfrag_esp_7 = { c6 44 ?? 6F } - - // reduce FPs by checking for some common strings - $check_zeroes = "0000000" - $check_param = "Invalid parameter" - $check_ercv = "ercv= %d" - $check_unk = "unknown" - - condition: - any of ($key_combined*) or - (1 of ($check_*) and - ( - ( - all of ($keyfrag_ebp_*) and - for any i in (1..#keyfrag_ebp_5) : ( - for all of ($keyfrag_ebp_*): ($ in (@keyfrag_ebp_5[i]-100..@keyfrag_ebp_5[i]+100)) - ) - ) - or - ( - for any i in (1..#keyfrag_esp_5) : ( - for all of ($keyfrag_esp_*): ($ in (@keyfrag_esp_5[i]-100..@keyfrag_esp_5[i]+100)) - ) - ) - ) - ) - } - -rule CrowdStrike_PutterPanda_02 : rc4_dropper putterpanda - { - meta: - description = "PUTTER PANDA - RC4 dropper" - date = "2014-03-30" - version = "1.0" - in_the_wild = true - copyright = "CrowdStrike, Inc." - actor = "PUTTER PANDA" - - strings: - $res_lock = "LockResource" - $res_size = "SizeofResource" - $res_load = "LoadResource" - - $com = "COMSPEC" - - //$stack_h = { C6 4? [1-2] 68 } - //$stack_o = { C6 4? [1-2] 6F } - //$stack_v = { C6 4? 
[1-2] 76 } - //$stack_c = { C6 4? [1-2] 63 } - //$stack_x = { C6 4? [1-2] 78 } - //$stack_dot = { C6 4? [1-2] 2E } - - $cryptaq = "CryptAcquireContextA" - - condition: - uint16(0) == 0x5A4D and - (all of ($res_*)) and - /*(all of ($stack_*)) and*/ - $cryptaq and $com - } - -rule CrowdStrike_PutterPanda_03 : threepara_para_implant putterpanda - { - meta: - description = "PUTTER PANDA - 3PARA RAT" - date = "2014-03-30" - version = "1.0" - in_the_wild = true - copyright = "CrowdStrike, Inc." - actor = "PUTTER PANDA" - - strings: - $parafmt = "%s%dpara1=%dpara2=%dpara3=%d" - $class_attribe = "CCommandAttribe" - $class_cd = "CCommandCD" - $class_cmd = "CCommandCMD" - $class_nop = "CCommandNop" - - condition: - $parafmt or all of ($class_*) - } - - rule CrowdStrike_PutterPanda_04: pngdowner putterpanda - { - meta: - description = "PUTTER PANDA - PNGDOWNER" - date = "2014-03-30" - version = "1.0" - in_the_wild = true - copyright = "CrowdStrike, Inc." - actor = "PUTTER PANDA" - - strings: - $myagent = "myAgent" - $readfile = "read file error:" - $downfile = "down file success" - $avail = "Avaliable data:%u bytes" - - condition: - 3 of them - } - -rule CrowdStrike_PutterPanda_05 : httpclient putterpanda - { - meta: - description = "PUTTER PANDA - HTTPCLIENT" - date = "2014-03-30" - version = "1.0" - in_the_wild = true - copyright = "CrowdStrike, Inc." - actor = "PUTTER PANDA" - - strings: - $recv_wrong = "Error:recv worng" - - condition: - any of them - } - -rule CrowdStrike_PutterPanda_06 : xor_dropper putterpanda - { - meta: - description = "PUTTER PANDA - XOR based dropper" - date = "2014-03-30" - version = "1.0" - in_the_wild = true - copyright = "CrowdStrike, Inc." 
- actor = "PUTTER PANDA" - - strings: - $xorloop = { 8b d0 83 e2 0f 8a 54 14 04 30 14 01 83 c0 01 3b c6 7c ed } - - condition: - $xorloop - } - -rule CrowdStrike_CSIT_14003_03 : installer - -{ - - meta: - - copyright = "CrowdStrike, Inc" - - description = "Flying Kitten Installer" - - version = "1.0" - - actor = "FLYING KITTEN" - - in_the_wild = true - - reference = "http://www.crowdstrike.com/blog/cat-scratch-fever-crowdstrike-tracks-newly-reported-iranian-actor-flying-kitten/" - - strings: - - $exename = "IntelRapidStart.exe" - - $confname = "IntelRapidStart.exe.config" - - $cabhdr = { 4d 53 43 46 00 00 00 00 } - - condition: - - all of them - -} - -rule CrowdStrike_FlyingKitten : rat -{ -meta: - - copyright = "CrowdStrike, Inc" - - description = "Flying Kitten RAT" - - version = "1.0" - - actor = "FLYING KITTEN" - - in_the_wild = true - - strings: - - $classpath = "Stealer.Properties.Resources.resources" - - //$pdbstr = "\Stealer\obj\x86\Release\Stealer.pdb" - - condition: - - all of them and - - uint16(0) == 0x5A4D and uint32(uint32(0x3c)) == 0x4550 and - - uint16(uint32(0x3C) + 0x16) & 0x2000 == 0 and - - ((uint16(uint32(0x3c)+24) == 0x010b and - - uint32(uint32(0x3c)+232) > 0) or - - (uint16(uint32(0x3c)+24) == 0x020b and - - uint32(uint32(0x3c)+248) > 0)) - -} - -/* - -//error with rule no $i - -rule CrowdStrike_P2P_Zeus -{ - meta: - copyright = "CrowdStrike, Inc" - author = "Crowdstrike, Inc" - description = "P2P Zeus (Gameover)" - version = "1.0" - last_modified = "2013-11-21" - actor = "Gameover Spider" - malware_family = "P2P Zeus" - in_the_wild = true - - condition: - any of them or - for any i in (0..filesize) : - ( - uint32(i) ^ uint32(i+4) == 0x00002606 - and uint32(i) ^ uint32(i+8) == 0x31415154 - and uint32(i) ^ uint32(i+12) == 0x00000a06 - and uint32(i) ^ uint32(i+16) == 0x00010207 - and uint32(i) ^ uint32(i+20) == 0x7cf1aa2d - and uint32(i) ^ uint32(i+24) == 0x4390ca7b - and uint32(i) ^ uint32(i+28) == 0xa96afd9d - and uint32(i) ^ uint32(i+32) == 
0x0b039138 - and uint32(i) ^ uint32(i+36) == 0xb3e50578 - and uint32(i) ^ uint32(i+40) == 0x896eaf36 - and uint32(i) ^ uint32(i+44) == 0x37a3f8c9 - and uint32(i) ^ uint32(i+48) == 0xb1c31bcb - and uint32(i) ^ uint32(i+52) == 0xcb58f22c - and uint32(i) ^ uint32(i+56) == 0x00491be8 - and uint32(i) ^ uint32(i+60) == 0x0a2a748f - ) -} - -*/ - -rule CrowdStrike_CVE_2014_4113 { -meta: - copyright = "CrowdStrike, Inc" - description = "CVE-2014-4113 Microsoft Windows x64 Local Privilege Escalation Exploit" - version = "1.0" - last_modified = "2014-10-14" - in_the_wild = true -strings: - $const1 = { fb ff ff ff } - $const2 = { 0b 00 00 00 01 00 00 00 } - $const3 = { 25 00 00 00 01 00 00 00 } - $const4 = { 8b 00 00 00 01 00 00 00 } -condition: - all of them -} \ No newline at end of file diff --git a/yara-mikesxrs/crowdstrike/Crowdstrike_target_breach.yar b/yara-mikesxrs/crowdstrike/Crowdstrike_target_breach.yar deleted file mode 100644 index 0439403..0000000 --- a/yara-mikesxrs/crowdstrike/Crowdstrike_target_breach.yar +++ /dev/null 
@@ -1,88 +0,0 @@ -rule CrowdStrike_targetbreach_exfil - -{ - - meta: - - description = "Tool Responsible for Exfiltration of CC Data." - - last_modified = "2014-01-16" - - version = "1.0" - - in_the_wild = true - - copyright = "CrowdStrike, Inc" - - reference = "https://www.crowdstrike.com/blog/actionable-indicators-detection-signs-compromise-target-related-breaches/" - - strings: - - $fmt = "data_%d_%d_%d_%d_%d.txt" - - $scramble1 = ""-BFr423mI_6uaMtg$bxl\sd1iU/0ok.cpe" - - $scramble2 = "gBb63-t2p_.rkd0uaeU/x1c$s\o4il" - - $scramble3 = "x"a-201Mt6b3sI$ /ceBok_i\m.rdpU4Fulg" - - $scramble4 = "omv3.a 1%tNd\4ils60n2Te_w" - - $scramble5 = "4mei gd2%rob-" - - $scramble6 = "8pCt1wq_hynlsc0.u9a" - - condition: - - $fmt and 1 of ($scramble*) - -} - - - -rule CrowdStrike_blackpos_memscanner - -{ - - meta: - - description = "Tool Responsible for Scanning Memory For CC Data." - - last_modified = "2014-01-16" - - version = "1.0" - - in_the_wild = true - - copyright = "CrowdStrike, Inc" - - reference = "https://www.crowdstrike.com/blog/actionable-indicators-detection-signs-compromise-target-related-breaches/" - - - strings: - - $message1 = "S region:" - - $message2 = " found [" - - $message3 = "] bytes of pattern:[" - - $message4 = "CC2 region:" - - $message5 = "CC memregion:" - - $message6 = "KAPTOXA" - - $message7 = "=== pid:" - - $message8 = "scan process with pid for kartoxa and string pattern:" - - $message9 = "scan process with pid for kartoxa:" - - $message11 = "scan all processes for string pattern:" - - condition: - - 2 of ($message*) - -} diff --git a/yara-mikesxrs/crowdstrike/gameover zeus.yar b/yara-mikesxrs/crowdstrike/gameover zeus.yar deleted file mode 100644 index 1460a90..0000000 --- a/yara-mikesxrs/crowdstrike/gameover zeus.yar +++ /dev/null 
@@ -1,39 +0,0 @@ -/* - -//error with rule no $i - -rule CrowdStrike_P2P_Zeus -{ - meta: - copyright = "CrowdStrike, Inc" - author = "Crowdstrike, Inc" - description = "P2P Zeus (Gameover)" - version = "1.0" - last_modified = "2013-11-21" - actor = "Gameover Spider" - malware_family = "P2P Zeus" - in_the_wild = true - - condition: - any of them or - for any i in (0..filesize) : - ( - uint32(i) ^ uint32(i+4) == 0x00002606 - and uint32(i) ^ uint32(i+8) == 0x31415154 - and uint32(i) ^ uint32(i+12) == 0x00000a06 - and uint32(i) ^ uint32(i+16) == 0x00010207 - and uint32(i) ^ uint32(i+20) == 0x7cf1aa2d - and uint32(i) ^ uint32(i+24) == 0x4390ca7b - and uint32(i) ^ uint32(i+28) == 0xa96afd9d - and uint32(i) ^ uint32(i+32) == 0x0b039138 - and uint32(i) ^ uint32(i+36) == 0xb3e50578 - and uint32(i) ^ uint32(i+40) == 0x896eaf36 - and uint32(i) ^ uint32(i+44) == 0x37a3f8c9 - and uint32(i) ^ uint32(i+48) == 0xb1c31bcb - and uint32(i) ^ uint32(i+52) == 0xcb58f22c - and uint32(i) ^ uint32(i+56) == 0x00491be8 - and uint32(i) ^ uint32(i+60) == 0x0a2a748f - ) -} - -*/ \ No newline at end of file diff --git a/yara-mikesxrs/crowdstrike/rule CrowdStrike_PutterPanda_04_ pngdowner putterpanda.yar b/yara-mikesxrs/crowdstrike/rule CrowdStrike_PutterPanda_04_ pngdowner putterpanda.yar deleted file mode 100644 index 738ef04..0000000 --- a/yara-mikesxrs/crowdstrike/rule CrowdStrike_PutterPanda_04_ pngdowner putterpanda.yar +++ /dev/null @@ -1,19 +0,0 @@ -rule CrowdStrike_PutterPanda_04: pngdowner putterpanda - { - meta: - description = "PUTTER PANDA - PNGDOWNER" - date = "2014-03-30" - version = "1.0" - in_the_wild = true - copyright = "CrowdStrike, Inc." - actor = "PUTTER PANDA" - - strings: - $myagent = "myAgent" - $readfile = "read file error:" - $downfile = "down file success" - $avail = "Avaliable data:%u bytes" - - condition: - 3 of them - } \ No newline at end of file 
diff --git a/yara-mikesxrs/cylance/BackDoorLogger.yar b/yara-mikesxrs/cylance/BackDoorLogger.yar deleted file mode 100644 index 923cd47..0000000 --- a/yara-mikesxrs/cylance/BackDoorLogger.yar +++ /dev/null @@ -1,12 +0,0 @@ -rule BackDoorLogger -{ - meta: - reference = "https://cdn2.hubspot.net/hubfs/270968/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf" - - strings: - $s1 = "BackDoorLogger" - $s2 = "zhuAddress" - - condition: - all of them -} \ No newline at end of file diff --git a/yara-mikesxrs/cylance/Hkdoor_DLL.yar b/yara-mikesxrs/cylance/Hkdoor_DLL.yar deleted file mode 100644 index 5ea5c5b..0000000 --- a/yara-mikesxrs/cylance/Hkdoor_DLL.yar +++ /dev/null @@ -1,22 +0,0 @@ - -import "pe" - -rule hkdoor_backdoor_dll { - meta: - author = "Cylance" - description = "Hacker's Door Backdoor DLL" - reference = "https://www.cylance.com/en_us/blog/threat-spotlight-opening-hackers-door.html" - - strings: - $s1 = "The version of personal hacker's door server is" fullword ascii - $s2 = "The connect back interval is %d (minutes)" fullword ascii - $s3 = "I'mhackeryythac1977" fullword ascii - $s4 = "Welcome to http://www.yythac.com" fullword ascii - $s5 = "SeLoadDriverPrivilege" fullword ascii - - condition: - uint16(0) == 0x5a4d and filesize < 400KB and ( 3 of ($s*) ) and pe.characteristics & pe.DLL and pe.imports("ws2_32.dll", "WSAStartup") and pe.imports("ws2_32.dll", "sendto") -} - - - diff --git a/yara-mikesxrs/cylance/Hkdoor_backdoor.yar b/yara-mikesxrs/cylance/Hkdoor_backdoor.yar deleted file mode 100644 index 4fbe80d..0000000 --- a/yara-mikesxrs/cylance/Hkdoor_backdoor.yar +++ /dev/null 
@@ -1,24 +0,0 @@ -import "pe" - -rule hkdoor_backdoor { - meta: - author = "Cylance" - description = "Hacker's Door Backdoor" - reference = "https://www.cylance.com/en_us/blog/threat-spotlight-opening-hackers-door.html" - - - strings: - $s1 = "http://www.yythac.com" fullword ascii - $s2 = "Example:%s 192.168.1.100 139 -p yyt_hac -t 1" fullword ascii - $s3 = "password-----------The hacker's door's password" fullword ascii - $s4 = "It is the client of hacker's door %d.%d public version" fullword ascii - $s5 = "hkdoordll.dll" fullword ascii - $s6 = "http://www.yythac.com/images/mm.jpg" fullword ascii - $s7 = "I'mhackeryythac1977" fullword ascii - $s8 = "yythac.yeah.net" fullword ascii - - condition: - uint16(0) == 0x5a4d and - filesize < 400KB and - ( 4 of ($s*) ) -} diff --git a/yara-mikesxrs/cylance/Hkdoor_driver.yar b/yara-mikesxrs/cylance/Hkdoor_driver.yar deleted file mode 100644 index 749f23a..0000000 --- a/yara-mikesxrs/cylance/Hkdoor_driver.yar +++ /dev/null @@ -1,19 +0,0 @@ -rule hkdoor_driver { - meta: - author = "Cylance" - description = "Hacker's Door Driver" - reference = "https://www.cylance.com/en_us/blog/threat-spotlight-opening-hackers-door.html" - - strings: - $s1 = "ipfltdrv.sys" fullword ascii - $s2 = "Patch Success." fullword ascii - $s3 = "\\DosDevices\\kifes" fullword ascii - $s4 = "\\Device\\kifes" fullword ascii - $s5 = {75 28 22 36 30 5b 4a 77 7b 58 4d 6c 3f 73 63 5e 38 47 7c 7d 7a 40 3a 41 2a 45 4e 44 79 64 67 6d 65 74 21 39 23 3c 20 49 43 69 4c 3b 31 57 2f 55 3e 26 59 62 61 54 53 5a 2d 25 78 35 5c 76 3d 34 27 6b 5f 72 2c 32 4f 2b 71 66 42 33 37 56 52 60 5d 29 4b 51 2e 6f 50 68 6e 6a 24 48 7e 46 70} - - condition: - uint16(0) == 0x5a4d and - pe.subsystem == pe.SUBSYSTEM_NATIVE and - ( 4 of ($s*) ) - -} diff --git a/yara-mikesxrs/cylance/Hkdoor_dropper.yar b/yara-mikesxrs/cylance/Hkdoor_dropper.yar deleted file mode 100644 index cb22332..0000000 --- a/yara-mikesxrs/cylance/Hkdoor_dropper.yar +++ /dev/null 
@@ -1,28 +0,0 @@ -import "pe" - -rule hkdoor_dropper { - meta: - description = "Hacker's Door Dropper" - author = "Cylance" - reference = "https://www.cylance.com/en_us/blog/threat-spotlight-opening-hackers-door.html" - - strings: - $s1 = "The version of personal hacker's door server is" fullword ascii - $s2 = "The connect back interval is %d (minutes)" fullword ascii - $s3 = "I'mhackeryythac1977" fullword ascii - $s4 = "Welcome to http://www.yythac.com" fullword ascii - $s5 = "SeLoadDriverPrivilege" fullword ascii - $s6 = "\\drivers\\ntfs.sys" fullword ascii - $s7 = "kifes" fullword ascii - - condition: - uint16(0) == 0x5a4d and - filesize < 1000KB and - ( 4 of ($s*) ) and - pe.number_of_resources > 0 and - for any i in (0..pe.number_of_resources - 1): - (pe.resources[i].type_string == "B\x00I\x00N\x00" and - uint16(pe.resources[i].offset) == 0x5A4D) and - pe.imports("KERNEL32.dll", "FindResourceW") and - pe.imports("KERNEL32.dll", "LoadResource") -} diff --git a/yara-mikesxrs/cylance/Jasus.yar b/yara-mikesxrs/cylance/Jasus.yar deleted file mode 100644 index 94c7e9f..0000000 --- a/yara-mikesxrs/cylance/Jasus.yar +++ /dev/null @@ -1,13 +0,0 @@ -rule Jasus -{ - meta: - reference = "https://cdn2.hubspot.net/hubfs/270968/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf" - - strings: - $s1 = "pcap_dump_open" - $s2 = "Resolving IPs to poison..." - $s3 = "WARNNING: Gateway IP can not be found" - - condition: - all of them -} \ No newline at end of file diff --git a/yara-mikesxrs/cylance/LoggerModule.yar b/yara-mikesxrs/cylance/LoggerModule.yar deleted file mode 100644 index 744c1f8..0000000 --- a/yara-mikesxrs/cylance/LoggerModule.yar +++ /dev/null @@ -1,12 +0,0 @@ -rule LoggerModule -{ - meta: - reference = "https://cdn2.hubspot.net/hubfs/270968/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf" - - strings: - $s1 = "%s-%02d%02d%02d%02d%02d.r" - $s2 = "C:\\Users\\%s\\AppData\\Cookies\\" - - condition: - all of them -} \ No newline at end of file 
diff --git a/yara-mikesxrs/cylance/MiSType_Backdoor_Packed.yar b/yara-mikesxrs/cylance/MiSType_Backdoor_Packed.yar deleted file mode 100644 index feddd0d..0000000 --- a/yara-mikesxrs/cylance/MiSType_Backdoor_Packed.yar +++ /dev/null @@ -1,14 +0,0 @@ -rule MiSType_Backdoor_Packed -{ - meta: - author = "Cylance SPEAR Team" - note = "Probably Prone to False Positive" - - strings: - $upx = {33 2E 30 33 00 55 50 58 21} - $send_httpquery = {00 00 00 48 74 74 70 51 75 65 72 79 49 6E 66 6F 41 00 00 73 65 6E 64 00 00} - $delphi_sec_pe = {50 45 00 00 4C 01 03 00 19 5E 42 2A} - - condition: - filesize < 100KB and $upx and $send_httpquery and $delphi_sec_pe -} \ No newline at end of file diff --git a/yara-mikesxrs/cylance/Misdat_Backdoor.yar b/yara-mikesxrs/cylance/Misdat_Backdoor.yar deleted file mode 100644 index 48d692d..0000000 --- a/yara-mikesxrs/cylance/Misdat_Backdoor.yar +++ /dev/null @@ -1,28 +0,0 @@ -rule Misdat_Backdoor -{ - meta: - author = "Cylance SPEAR Team" - /* Decode Function - CODE:00406C71 8B 55 F4 mov edx, [ebp+var_C] - CODE:00406C74 8A 54 1A FF mov dl, [edx+ebx-1] - CODE:00406C78 8B 4D F8 mov ecx, [ebp+var_8] - CODE:00406C7B C1 E9 08 shr ecx, 8 - CODE:00406C7E 32 D1 xor dl, cl - CODE:00406C80 88 54 18 FF mov [eax+ebx-1], dl - CODE:00406C84 8B 45 F4 mov eax, [ebp+var_C] - CODE:00406C87 0F B6 44 18 FF movzx eax, byte ptr [eax+ebx-1] - CODE:00406C8C 03 45 F8 add eax, [ebp+var_8] - CODE:00406C8F 69 C0 D9 DB 00 00 imul eax, 0DBD9h - CODE:00406C95 05 3B DA 00 00 add eax, 0DA3Bh - CODE:00406C9A 89 45 F8 mov [ebp+var_8], eax - CODE:00406C9D 43 inc ebx - CODE:00406C9E 4E dec esi - CODE:00406C9F 75 C9 jnz short loc_406C6A - */ - strings: - $imul = {03 45 F8 69 C0 D9 DB 00 00 05 3B DA 00 00} - $delphi = {50 45 00 00 4C 01 08 00 19 5E 42 2A} - - condition: - $imul and $delphi -} \ No newline at end of file diff --git a/yara-mikesxrs/cylance/Misdat_Backdoor_Packed.yar b/yara-mikesxrs/cylance/Misdat_Backdoor_Packed.yar deleted file mode 100644 index 52ccfeb..0000000 
--- a/yara-mikesxrs/cylance/Misdat_Backdoor_Packed.yar +++ /dev/null @@ -1,15 +0,0 @@ -rule Misdat_Backdoor_Packed -{ - meta: - author = "Cylance SPEAR Team" - note = "Probably Prone to False Positive" - - strings: - $upx = {33 2E 30 33 00 55 50 58 21} - $send = {00 00 00 73 65 6E 64 00 00 00} - $delphi_sec_pe = {50 45 00 00 4C 01 03 00 19 5E 42 2A} - $shellexec = {00 00 00 53 68 65 6C 6C 45 78 65 63 75 74 65 57 00 00 00} - - condition: - filesize < 100KB and $upx and $send and $delphi_sec_pe and $shellexec -} \ No newline at end of file diff --git a/yara-mikesxrs/cylance/NetC.yar b/yara-mikesxrs/cylance/NetC.yar deleted file mode 100644 index afd0dc9..0000000 --- a/yara-mikesxrs/cylance/NetC.yar +++ /dev/null @@ -1,12 +0,0 @@ -rule NetC -{ - meta: - reference = "https://cdn2.hubspot.net/hubfs/270968/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf" - - strings: - $s1 = "NetC.exe" wide - $s2 = "Net Service" - - condition: - all of them -} \ No newline at end of file diff --git a/yara-mikesxrs/cylance/SType_Backdoor.yar b/yara-mikesxrs/cylance/SType_Backdoor.yar deleted file mode 100644 index cce3d5a..0000000 --- a/yara-mikesxrs/cylance/SType_Backdoor.yar +++ /dev/null @@ -1,33 +0,0 @@ -rule SType_Backdoor -{ - meta: - author = "Cylance SPEAR Team" - - /* Decode Function - 8B 1A mov ebx, [edx] - 8A 1B mov bl, [ebx] - 80 EB 02 sub bl, 2 - 8B 74 24 08 mov esi, [esp+14h+var_C] - 32 1E xor bl, [esi] - 8B 31 mov esi, [ecx] - 88 1E mov [esi], bl - 8B 1A mov ebx, [edx] - 43 inc ebx - 89 1A mov [edx], ebx - 8B 19 mov ebx, [ecx] - 43 inc ebx - 89 19 mov [ecx], ebx - 48 dec eax - 75 E2 jnz short loc_40EAC6 - */ - - strings: - $stype = "stype=info&data=" - $mmid = "?mmid=" - $status = "&status=run succeed" - $mutex = "_KB10B2D1_CIlFD2C" - $decode = {8B 1A 8A 1B 80 EB 02 8B 74 24 08 32 1E 8B 31 88 1E 8B 1A 43} - - condition: - $stype or ($mmid and $status) or $mutex or $decode -} \ No newline at end of file 
diff --git a/yara-mikesxrs/cylance/ShellCreator2.yar b/yara-mikesxrs/cylance/ShellCreator2.yar deleted file mode 100644 index a92dc3c..0000000 --- a/yara-mikesxrs/cylance/ShellCreator2.yar +++ /dev/null @@ -1,12 +0,0 @@ -rule ShellCreator2 -{ - meta: - reference = "https://cdn2.hubspot.net/hubfs/270968/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf" - - strings: - $s1 = "ShellCreator2.Properties" - $s2 = "set_IV" - - condition: - all of them -} \ No newline at end of file diff --git a/yara-mikesxrs/cylance/SmartCopy2.yar b/yara-mikesxrs/cylance/SmartCopy2.yar deleted file mode 100644 index 186f693..0000000 --- a/yara-mikesxrs/cylance/SmartCopy2.yar +++ /dev/null @@ -1,12 +0,0 @@ -rule SmartCopy2 -{ - meta: - reference = "https://cdn2.hubspot.net/hubfs/270968/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf" - - strings: - $s1 = "SmartCopy2.Properties" - $s2 = "ZhuFrameWork" - - condition: - all of them -} \ No newline at end of file diff --git a/yara-mikesxrs/cylance/StreamEX.yar b/yara-mikesxrs/cylance/StreamEX.yar deleted file mode 100644 index 4081854..0000000 --- a/yara-mikesxrs/cylance/StreamEX.yar +++ /dev/null @@ -1,18 +0,0 @@ -rule StreamEx -{ -meta: - author = "Cylance" - description = "StreamEX shell crew" - reference = "https://www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar" - -strings: - $a = "0r+8DQY97XGB5iZ4Vf3KsEt61HLoTOuIqJPp2AlncRCgSxUWyebhMdmzvFjNwka=" - $b = {34 ?? 88 04 11 48 63 C3 48 FF C1 48 3D D8 03 00 00} - $bb = {81 86 ?? ?? 00 10 34 ?? 88 86 ?? ?? 00 10 46 81 FE D8 03 00 00} - $c = "greendll" - $d = "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36" wide - $f = {26 5E 25 24 23 91 91 91 91} - $g = "D:\\pdb\\ht_d6.pdb" - -condition: - $a or $b or $bb or ($c and $d) or $f or $g diff --git a/yara-mikesxrs/cylance/SynFlooder.yar b/yara-mikesxrs/cylance/SynFlooder.yar deleted file mode 100644 index 3dd2100..0000000 
--- a/yara-mikesxrs/cylance/SynFlooder.yar +++ /dev/null @@ -1,13 +0,0 @@ -rule SynFlooder -{ - meta: - reference = "https://cdn2.hubspot.net/hubfs/270968/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf" - - strings: - $s1 = "Unable to resolve [ %s ]. ErrorCode %d" - $s2 = "your target's IP is : %s" - $s3 = "Raw TCP Socket Created successfully." - - condition: - all of them -} \ No newline at end of file diff --git a/yara-mikesxrs/cylance/TinyZBot.yar b/yara-mikesxrs/cylance/TinyZBot.yar deleted file mode 100644 index 325aa07..0000000 --- a/yara-mikesxrs/cylance/TinyZBot.yar +++ /dev/null @@ -1,20 +0,0 @@ -rule TinyZBot -{ - - meta: - reference = "https://cdn2.hubspot.net/hubfs/270968/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf" - - strings: - $s1 = "NetScp" wide - $s2 = "TinyZBot.Properties.Resources.resources" - $s3 = "Aoao WaterMark" - $s4 = "Run_a_exe" - $s5 = "netscp.exe" - $s6 = "get_MainModule_WebReference_DefaultWS" - $s7 = "remove_CheckFileMD5Completed" - $s8 = "http://tempuri.org/" - $s9 = "Zhoupin_Cleaver" - - condition: - ($s1 and $s2) or ($s3 and $s4 and $s5) or ($s6 and $s7 and $s8) or $s9 - } \ No newline at end of file diff --git a/yara-mikesxrs/cylance/WannaCryptor.yar b/yara-mikesxrs/cylance/WannaCryptor.yar deleted file mode 100644 index 8e29afe..0000000 --- a/yara-mikesxrs/cylance/WannaCryptor.yar +++ /dev/null 
@@ -1,41 +0,0 @@ -import "pe" - -rule WannaCry_Ransomware_Dropper -{ - meta: - description = "WannaCry Ransomware Dropper" - reference = "https://www.cylance.com/en_us/blog/threat-spotlight-inside-the-wannacry-attack.html" - date = "2017-05-12" - - strings: - $s1 = "cmd.exe /c \"%s\"" fullword ascii - $s2 = "tasksche.exe" fullword ascii - $s3 = "icacls . /grant Everyone:F /T /C /Q" fullword ascii - $s4 = "Global\\MsWinZonesCacheCounterMutexA" fullword ascii - - condition: - uint16(0) == 0x5a4d and - filesize < 4MB and - all of them -} - -rule WannaCry_SMB_Exploit -{ - meta: - description = "WannaCry SMB Exploit" - reference = "https://www.cylance.com/en_us/blog/threat-spotlight-inside-the-wannacry-attack.html" - date = "2017-05-12" - - strings: - $s1 = { 53 4D 42 72 00 00 00 00 18 53 C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FF FE 00 00 40 00 00 62 00 02 50 43 20 4E 45 54 57 4F 52 4B 20 50 52 4F 47 52 41 4D 20 31 2E 30 00 02 4C 41 4E 4D 41 4E 31 2E 30 00 02 57 69 6E 64 6F 77 73 20 66 6F 72 20 57 6F 72 6B 67 72 6F 75 70 73 20 33 2E 31 61 00 02 4C 4D 31 2E 32 58 30 30 32 00 02 4C 41 4E 4D 41 4E 32 2E 31 00 02 4E 54 20 4C 4D 20 30 2E 31 32 00 00 00 00 00 00 00 88 FF 53 4D 42 73 00 00 00 00 18 07 C0 } - - condition: - uint16(0) == 0x5a4d and - filesize < 4MB and - all of them and - pe.imports("ws2_32.dll", "connect") and - pe.imports("ws2_32.dll", "send") and - pe.imports("ws2_32.dll", "recv") and - pe.imports("ws2_32.dll", "socket") and - pe.imports("ws2_32.dll", "closesocket") -} diff --git a/yara-mikesxrs/cylance/ZhoupinExploitCrew.yar b/yara-mikesxrs/cylance/ZhoupinExploitCrew.yar deleted file mode 100644 index 0324d26..0000000 --- a/yara-mikesxrs/cylance/ZhoupinExploitCrew.yar +++ /dev/null 
@@ -1,11 +0,0 @@ -rule ZhoupinExploitCrew -{ - meta: - reference = "https://cdn2.hubspot.net/hubfs/270968/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf" - - strings: - $s1 = "zhoupin exploit crew" nocase - $s2 = "zhopin exploit crew" nocase - condition: - 1 of them -} \ No newline at end of file diff --git a/yara-mikesxrs/cylance/Zlib_Backdoor.yar b/yara-mikesxrs/cylance/Zlib_Backdoor.yar deleted file mode 100644 index bcdeb95..0000000 --- a/yara-mikesxrs/cylance/Zlib_Backdoor.yar +++ /dev/null @@ -1,43 +0,0 @@ -rule Zlib_Backdoor -{ - meta: - author = "Cylance SPEAR Team" - - /* String - C7 45 FC 00 04 00 00 mov [ebp+Memory], 400h - C6 45 D8 50 mov [ebp+Str], 'P' - C6 45 D9 72 mov [ebp+var_27], 'r' - C6 45 DA 6F mov [ebp+var_26], 'o' - C6 45 DB 78 mov [ebp+var_25], 'x' - C6 45 DC 79 mov [ebp+var_24], 'y' - C6 45 DD 2D mov [ebp+var_23], '-' - C6 45 DE 41 mov [ebp+var_22], 'A' - C6 45 DF 75 mov [ebp+var_21], 'u' - C6 45 E0 74 mov [ebp+var_20], 't' - C6 45 E1 68 mov [ebp+var_1F], 'h' - C6 45 E2 65 mov [ebp+var_1E], 'e' - C6 45 E3 6E mov [ebp+var_1D], 'n' - C6 45 E4 74 mov [ebp+var_1C], 't' - C6 45 E5 69 mov [ebp+var_1B], 'i' - C6 45 E6 63 mov [ebp+var_1A], 'c' - C6 45 E7 61 mov [ebp+var_19], 'a' - C6 45 E8 74 mov [ebp+var_18], 't' - C6 45 E9 65 mov [ebp+var_17], 'e' - C6 45 EA 3A mov [ebp+var_16], ':' - C6 45 EB 20 mov [ebp+var_15], ' ' - C6 45 EC 4E mov [ebp+var_14], 'N' - C6 45 ED 54 mov [ebp+var_13], 'T' - C6 45 EE 4C mov [ebp+var_12], 'L' - C6 45 EF 4D mov [ebp+var_11], 'M' - C6 45 F0 20 mov [ebp+var_10], ' ' - */ - - - strings: - $auth = {C6 45 D8 50 C6 45 D9 72 C6 45 DA 6F C6 45 DB 78 C6 45 DC 79 C6 45 DD 2D} - $auth2 = {C7 45 FC 00 04 00 00 C6 45 ?? 50 C6 45 ?? 72 C6 45 ?? 6F} - $ntlm = "NTLM" wide - - condition: - ($auth or $auth2) and $ntlm -} \ No newline at end of file diff --git a/yara-mikesxrs/cylance/antivirusdetector.yar b/yara-mikesxrs/cylance/antivirusdetector.yar deleted file mode 100644 index 609fbff..0000000 
--- a/yara-mikesxrs/cylance/antivirusdetector.yar +++ /dev/null @@ -1,13 +0,0 @@ -rule antivirusdetector -{ - meta: - reference = "https://cdn2.hubspot.net/hubfs/270968/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf" - - strings: - $s1 = "getShadyProcess" - $s2 = "getSystemAntiviruses" - $s3 = "AntiVirusDetector" - - condition: - all of them -} diff --git a/yara-mikesxrs/cylance/baijiu.yar b/yara-mikesxrs/cylance/baijiu.yar deleted file mode 100644 index 8299c93..0000000 --- a/yara-mikesxrs/cylance/baijiu.yar +++ /dev/null @@ -1,57 +0,0 @@ -rule Lionrock_Powershell -{ -meta: - author = "Cylance" - description = "Lionrock backdoor" - reference = "https://www.cylance.com/en_us/blog/baijiu.html" -strings: - $http = "hffbZ]]" - $geo = "www\\ue}qifies\\xb]" -condition: - $http or $geo -} - -rule Typhoon_Downloader -{ -meta: - author = "Cylance" - description = "Typhoon downloader" - reference = "https://www.cylance.com/en_us/blog/baijiu.html" -strings: - $ps = "<<<:resource" - $exp = "start_adobeup" - $e = "W78D432S34A9" - $f = "!SJ1B0RSWRKK" - $b = "wyy}EBB" - $geo = "hhhCjzbnvyvzlCg}B" -condition: - $ps or $exp or ($e and $f) or $b or $geo -} - -rule Lionrock_Loader -{ -meta: - author = "Cylance" - description = "Lionrock Loader" - reference = "https://www.cylance.com/en_us/blog/baijiu.html" -strings: - $a = "sfarfdk|amiqd|s" - $b = "s1-s{wlsz,s" - $c = "q}llyer|eldll" -condition: - ($a and $b) or $c -} - -rule Lionrock_Backdoor -{ -meta: - author = "Cylance" - description = "Lionrock Backdoor" - reference = "https://www.cylance.com/en_us/blog/baijiu.html" -strings: - $a = "windows\\currentversion\\run;reglist" - $power = "b}wershell\\eje@M|}br}tile@)|v}yeM1}mma|d@Msqribfpl}qy{DbafhOUEsU[DdafaO5efM1}|fe|f@Dbafh[t}reaqhHDqmd@i|@DdafaI{iej@Dqmd[oo"              $b = "agf}ejeqdir" - $c = "sfarfdk|amiqd|s" -condition: - $power or $b or ($a and $c) -} 
diff --git a/yara-mikesxrs/cylance/csext.yar b/yara-mikesxrs/cylance/csext.yar deleted file mode 100644 index 85a301a..0000000 --- a/yara-mikesxrs/cylance/csext.yar +++ /dev/null @@ -1,12 +0,0 @@ -rule csext -{ - meta: - reference = "https://cdn2.hubspot.net/hubfs/270968/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf" - - strings: - $s1 = "COM+ System Extentions" - $s2 = "csext.exe" - $s3 = "COM_Extentions_bin" - condition: - all of them -} \ No newline at end of file diff --git a/yara-mikesxrs/cylance/cylance_index.yara b/yara-mikesxrs/cylance/cylance_index.yara deleted file mode 100644 index 48f18ee..0000000 --- a/yara-mikesxrs/cylance/cylance_index.yara +++ /dev/null 
@@ -1,392 +0,0 @@
-rule antivirusdetector
-{
- meta:
- reference = "https://cdn2.hubspot.net/hubfs/270968/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
-
- strings:
- $s1 = "getShadyProcess"
- $s2 = "getSystemAntiviruses"
- $s3 = "AntiVirusDetector"
-
- condition:
- all of them
-}
-
-rule BackDoorLogger
-{
- meta:
- reference = "https://cdn2.hubspot.net/hubfs/270968/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
-
- strings:
- $s1 = "BackDoorLogger"
- $s2 = "zhuAddress"
-
- condition:
- all of them
-}
-
-rule csext
-{
- meta:
- reference = "https://cdn2.hubspot.net/hubfs/270968/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
-
- strings:
- $s1 = "COM+ System Extentions"
- $s2 = "csext.exe"
- $s3 = "COM_Extentions_bin"
- condition:
- all of them
-}
-
-rule Misdat_Backdoor_Packed
-{
- meta:
- author = "Cylance SPEAR Team"
- note = "Probably Prone to False Positive"
-
- strings:
- $upx = {33 2E 30 33 00 55 50 58 21}
- $send = {00 00 00 73 65 6E 64 00 00 00}
- $delphi_sec_pe = {50 45 00 00 4C 01 03 00 19 5E 42 2A}
- $shellexec = {00 00 00 53 68 65 6C 6C 45 78 65 63 75 74 65 57 00 00 00}
-
- condition:
- filesize < 100KB and $upx and $send and $delphi_sec_pe and $shellexec
-}
-
-rule MiSType_Backdoor_Packed
-{
- meta:
- author = "Cylance SPEAR Team"
- note = "Probably Prone to False Positive"
-
- strings:
- $upx = {33 2E 30 33 00 55 50 58 21}
- $send_httpquery = {00 00 00 48 74 74 70 51 75 65 72 79 49 6E 66 6F 41 00 00 73 65 6E 64 00 00}
- $delphi_sec_pe = {50 45 00 00 4C 01 03 00 19 5E 42 2A}
-
- condition:
- filesize < 100KB and $upx and $send_httpquery and $delphi_sec_pe
-}
-
-rule Misdat_Backdoor
-{
- meta:
- author = "Cylance SPEAR Team"
- /* Decode Function
- CODE:00406C71 8B 55 F4 mov edx, [ebp+var_C]
- CODE:00406C74 8A 54 1A FF mov dl, [edx+ebx-1]
- CODE:00406C78 8B 4D F8 mov ecx, [ebp+var_8]
- CODE:00406C7B C1 E9 08 shr ecx, 8
- CODE:00406C7E 32 D1 xor dl, cl
- CODE:00406C80 88 54 18 FF mov [eax+ebx-1], dl
- CODE:00406C84 8B 45 F4 mov eax, 
[ebp+var_C]
- CODE:00406C87 0F B6 44 18 FF movzx eax, byte ptr [eax+ebx-1]
- CODE:00406C8C 03 45 F8 add eax, [ebp+var_8]
- CODE:00406C8F 69 C0 D9 DB 00 00 imul eax, 0DBD9h
- CODE:00406C95 05 3B DA 00 00 add eax, 0DA3Bh
- CODE:00406C9A 89 45 F8 mov [ebp+var_8], eax
- CODE:00406C9D 43 inc ebx
- CODE:00406C9E 4E dec esi
- CODE:00406C9F 75 C9 jnz short loc_406C6A
- */
- strings:
- $imul = {03 45 F8 69 C0 D9 DB 00 00 05 3B DA 00 00}
- $delphi = {50 45 00 00 4C 01 08 00 19 5E 42 2A}
-
- condition:
- $imul and $delphi
-}
-
-rule SType_Backdoor
-{
- meta:
- author = "Cylance SPEAR Team"
-
- /* Decode Function
- 8B 1A mov ebx, [edx]
- 8A 1B mov bl, [ebx]
- 80 EB 02 sub bl, 2
- 8B 74 24 08 mov esi, [esp+14h+var_C]
- 32 1E xor bl, [esi]
- 8B 31 mov esi, [ecx]
- 88 1E mov [esi], bl
- 8B 1A mov ebx, [edx]
- 43 inc ebx
- 89 1A mov [edx], ebx
- 8B 19 mov ebx, [ecx]
- 43 inc ebx
- 89 19 mov [ecx], ebx
- 48 dec eax
- 75 E2 jnz short loc_40EAC6
- */
-
- strings:
- $stype = "stype=info&data="
- $mmid = "?mmid="
- $status = "&status=run succeed"
- $mutex = "_KB10B2D1_CIlFD2C"
- $decode = {8B 1A 8A 1B 80 EB 02 8B 74 24 08 32 1E 8B 31 88 1E 8B 1A 43}
-
- condition:
- $stype or ($mmid and $status) or $mutex or $decode
-}
-
-rule Zlib_Backdoor
-{
- meta:
- author = "Cylance SPEAR Team"
-
- /* String
- C7 45 FC 00 04 00 00 mov [ebp+Memory], 400h
- C6 45 D8 50 mov [ebp+Str], 'P'
- C6 45 D9 72 mov [ebp+var_27], 'r'
- C6 45 DA 6F mov [ebp+var_26], 'o'
- C6 45 DB 78 mov [ebp+var_25], 'x'
- C6 45 DC 79 mov [ebp+var_24], 'y'
- C6 45 DD 2D mov [ebp+var_23], '-'
- C6 45 DE 41 mov [ebp+var_22], 'A'
- C6 45 DF 75 mov [ebp+var_21], 'u'
- C6 45 E0 74 mov [ebp+var_20], 't'
- C6 45 E1 68 mov [ebp+var_1F], 'h'
- C6 45 E2 65 mov [ebp+var_1E], 'e'
- C6 45 E3 6E mov [ebp+var_1D], 'n'
- C6 45 E4 74 mov [ebp+var_1C], 't'
- C6 45 E5 69 mov [ebp+var_1B], 'i'
- C6 45 E6 63 mov [ebp+var_1A], 'c'
- C6 45 E7 61 mov [ebp+var_19], 'a'
- C6 45 E8 74 mov [ebp+var_18], 't'
- C6 45 E9 65 mov [ebp+var_17], 'e'
- C6 45 EA 
3A mov [ebp+var_16], ':'
- C6 45 EB 20 mov [ebp+var_15], ' '
- C6 45 EC 4E mov [ebp+var_14], 'N'
- C6 45 ED 54 mov [ebp+var_13], 'T'
- C6 45 EE 4C mov [ebp+var_12], 'L'
- C6 45 EF 4D mov [ebp+var_11], 'M'
- C6 45 F0 20 mov [ebp+var_10], ' '
- */
-
-
- strings:
- $auth = {C6 45 D8 50 C6 45 D9 72 C6 45 DA 6F C6 45 DB 78 C6 45 DC 79 C6 45 DD 2D}
- $auth2 = {C7 45 FC 00 04 00 00 C6 45 ?? 50 C6 45 ?? 72 C6 45 ?? 6F}
- $ntlm = "NTLM" wide
-
- condition:
- ($auth or $auth2) and $ntlm
-}
-
-rule Jasus
-{
- meta:
- reference = "https://cdn2.hubspot.net/hubfs/270968/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
-
- strings:
- $s1 = "pcap_dump_open"
- $s2 = "Resolving IPs to poison..."
- $s3 = "WARNNING: Gateway IP can not be found"
-
- condition:
- all of them
-}
-
-rule kagent
-{
- meta:
- reference = "https://cdn2.hubspot.net/hubfs/270968/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
-
- strings:
- $s1 = "kill command is in last machine, going back"
- $s2 = "message data length in B64: %d Bytes"
-
- condition:
- all of them
-}
-
-rule LoggerModule
-{
- meta:
- reference = "https://cdn2.hubspot.net/hubfs/270968/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
-
- strings:
- $s1 = "%s-%02d%02d%02d%02d%02d.r"
- $s2 = "C:\\Users\\%s\\AppData\\Cookies\\"
-
- condition:
- all of them
-}
-
-rule mimikatzWrapper
-{
- meta:
- reference = "https://cdn2.hubspot.net/hubfs/270968/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
-
- strings:
- $s1 = "mimikatzWrapper"
- $s2 = "get_mimikatz"
-
- condition:
- all of them
-}
-
-rule NetC
-{
- meta:
- reference = "https://cdn2.hubspot.net/hubfs/270968/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
-
- strings:
- $s1 = "NetC.exe" wide
- $s2 = "Net Service"
-
- condition:
- all of them
-}
-
-rule pvz_in
-{
- meta:
- reference = "https://cdn2.hubspot.net/hubfs/270968/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
-
- strings:
- $s1 = "LAST_TIME=00/00/0000:00:00PM$"
- $s2 = "if %%ERRORLEVEL%% == 1 GOTO line"
-
- 
condition:
- all of them
-}
-
-rule pvz_out
-{
- meta:
- reference = "https://cdn2.hubspot.net/hubfs/270968/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
-
- strings:
- $s1 = "Network Connectivity Module" wide
- $s2 = "OSPPSVC" wide
-
- condition:
- all of them
-}
-
-rule ShellCreator2
-{
- meta:
- reference = "https://cdn2.hubspot.net/hubfs/270968/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
-
- strings:
- $s1 = "ShellCreator2.Properties"
- $s2 = "set_IV"
-
- condition:
- all of them
-}
-
-rule SmartCopy2
-{
- meta:
- reference = "https://cdn2.hubspot.net/hubfs/270968/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
-
- strings:
- $s1 = "SmartCopy2.Properties"
- $s2 = "ZhuFrameWork"
-
- condition:
- all of them
-}
-
-rule SynFlooder
-{
- meta:
- reference = "https://cdn2.hubspot.net/hubfs/270968/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
-
- strings:
- $s1 = "Unable to resolve [ %s ]. ErrorCode %d"
- $s2 = "your target's IP is : %s"
- $s3 = "Raw TCP Socket Created successfully."
-
- condition:
- all of them
-}
-
-rule TinyZBot
-{
-
- meta:
- reference = "https://cdn2.hubspot.net/hubfs/270968/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
-
- strings:
- $s1 = "NetScp" wide
- $s2 = "TinyZBot.Properties.Resources.resources"
- $s3 = "Aoao WaterMark"
- $s4 = "Run_a_exe"
- $s5 = "netscp.exe"
- $s6 = "get_MainModule_WebReference_DefaultWS"
- $s7 = "remove_CheckFileMD5Completed"
- $s8 = "http://tempuri.org/"
- $s9 = "Zhoupin_Cleaver"
-
- condition:
- ($s1 and $s2) or ($s3 and $s4 and $s5) or ($s6 and $s7 and $s8) or $s9
- }
-
-
-rule wndTest
-{
- meta:
- reference = "https://cdn2.hubspot.net/hubfs/270968/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
-
- strings:
- $s1 = "[Alt]" wide
- $s2 = "<< %s >>:" wide
- $s3 = "Content-Disposition: inline; comp=%s; account=%s; product=%d;"
- condition:
- all of them
-}
-
-rule zhCat
-{
- meta:
- reference = "https://cdn2.hubspot.net/hubfs/270968/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
-
- strings:
- $s1 = "zhCat -l -h -tp 1234"
- $s2 = "ABC ( A Big Company )" wide
- condition:
- all of them
-}
-
-rule zhLookUp
-{
- meta:
- reference = "https://cdn2.hubspot.net/hubfs/270968/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
-
- strings:
- $s1 = "zhLookUp.Properties"
-
- condition:
- all of them
-}
-
-rule zhmimikatz
-{
- meta:
- reference = "https://cdn2.hubspot.net/hubfs/270968/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
-
- strings:
- $s1 = "MimikatzRunner"
- $s2 = "zhmimikatz"
- condition:
- all of them
-}
-
-rule ZhoupinExploitCrew
-{
- meta:
- reference = "https://cdn2.hubspot.net/hubfs/270968/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
-
- strings:
- $s1 = "zhoupin exploit crew" nocase
- $s2 = "zhopin exploit crew" nocase
- condition:
- 1 of them
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/cylance/kagent.yar b/yara-mikesxrs/cylance/kagent.yar
deleted file mode 100644
index d93db71..0000000
--- a/yara-mikesxrs/cylance/kagent.yar
+++ /dev/null
@@ -1,12 +0,0 @@
-rule kagent
-{
- meta:
- reference = "https://cdn2.hubspot.net/hubfs/270968/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
-
- strings:
- $s1 = "kill command is in last machine, going back"
- $s2 = "message data length in B64: %d Bytes"
-
- condition:
- all of them
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/cylance/mimikatzWrapper.yar b/yara-mikesxrs/cylance/mimikatzWrapper.yar
deleted file mode 100644
index ea145ba..0000000
--- a/yara-mikesxrs/cylance/mimikatzWrapper.yar
+++ /dev/null
@@ -1,12 +0,0 @@
-rule mimikatzWrapper
-{
- meta:
- reference = "https://cdn2.hubspot.net/hubfs/270968/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
-
- strings:
- $s1 = "mimikatzWrapper"
- $s2 = "get_mimikatz"
-
- condition:
- all of them
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/cylance/pvz_in.yar b/yara-mikesxrs/cylance/pvz_in.yar
deleted file mode 100644
index 076100e..0000000
--- a/yara-mikesxrs/cylance/pvz_in.yar
+++ /dev/null
@@ -1,12 +0,0 @@
-rule pvz_in
-{
- meta:
- reference = "https://cdn2.hubspot.net/hubfs/270968/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
-
- strings:
- $s1 = "LAST_TIME=00/00/0000:00:00PM$"
- $s2 = "if %%ERRORLEVEL%% == 1 GOTO line"
-
- condition:
- all of them
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/cylance/pvz_out.yar b/yara-mikesxrs/cylance/pvz_out.yar
deleted file mode 100644
index d7b87b4..0000000
--- a/yara-mikesxrs/cylance/pvz_out.yar
+++ /dev/null
@@ -1,12 +0,0 @@
-rule pvz_out
-{
- meta:
- reference = "https://cdn2.hubspot.net/hubfs/270968/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
-
- strings:
- $s1 = "Network Connectivity Module" wide
- $s2 = "OSPPSVC" wide
-
- condition:
- all of them
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/cylance/snakewine.yar b/yara-mikesxrs/cylance/snakewine.yar
deleted file mode 100644
index dc4a04f..0000000
--- a/yara-mikesxrs/cylance/snakewine.yar
+++ /dev/null
@@ -1,24 +0,0 @@
-rule Ham_backdoor
-{
-meta:
- author = "Cylance Spear Team"
- reference = "https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html"
-strings:
-  $a = {8D 14 3E 8B 7D FC 8A 0C 11 32 0C 38 40 8B 7D 10 88 0A 8B 4D 08 3B C3}
-  $b = {8D 0C 1F 8B 5D F8 8A 04 08 32 04 1E 46 8B 5D 10 88 01 8B 45 08 3B F2}
-condition:
-  $a or $b
-}
-
-rule Tofu_Backdoor
-{
-meta:
- author = "Cylance Spear Team"
- reference = "https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html"
-strings:
- $a = "Cookies: Sym1.0"
- $b = "\\\\.\\pipe\\1[12345678]"
- $c = {66 0F FC C1 0F 11 40 D0 0F 10 40 D0 66 0F EF C2 0F 11 40 D0 0F 10 40 E0}
-condition:
- $a or $b or $c
-}
diff --git a/yara-mikesxrs/cylance/wndTest.yar b/yara-mikesxrs/cylance/wndTest.yar
deleted file mode 100644
index f6a7e79..0000000
--- a/yara-mikesxrs/cylance/wndTest.yar
+++ /dev/null
@@ -1,12 +0,0 @@
-rule wndTest
-{
- meta:
- reference = "https://cdn2.hubspot.net/hubfs/270968/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
-
- strings:
- $s1 = "[Alt]" wide
- $s2 = "<< %s >>:" wide
- $s3 = "Content-Disposition: inline; comp=%s; account=%s; product=%d;"
- condition:
- all of them
-}
diff --git a/yara-mikesxrs/cylance/zhCat.yar b/yara-mikesxrs/cylance/zhCat.yar
deleted file mode 100644
index 3aacd34..0000000
--- a/yara-mikesxrs/cylance/zhCat.yar
+++ /dev/null
@@ -1,11 +0,0 @@
-rule zhCat
-{
- meta:
- reference = "https://cdn2.hubspot.net/hubfs/270968/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
-
- strings:
- $s1 = "zhCat -l -h -tp 1234"
- $s2 = "ABC ( A Big Company )" wide
- condition:
- all of them
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/cylance/zhLookUp.yar b/yara-mikesxrs/cylance/zhLookUp.yar
deleted file mode 100644
index 0b2638d..0000000
--- a/yara-mikesxrs/cylance/zhLookUp.yar
+++ /dev/null
@@ -1,11 +0,0 @@
-rule zhLookUp
-{
- meta:
- reference = "https://cdn2.hubspot.net/hubfs/270968/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
-
- strings:
- $s1 = "zhLookUp.Properties"
-
- condition:
- all of them
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/cylance/zhmimikatz.yar b/yara-mikesxrs/cylance/zhmimikatz.yar
deleted file mode 100644
index c5ff881..0000000
--- a/yara-mikesxrs/cylance/zhmimikatz.yar
+++ /dev/null
@@ -1,11 +0,0 @@
-rule zhmimikatz
-{
- meta:
- reference = "https://cdn2.hubspot.net/hubfs/270968/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
-
- strings:
- $s1 = "MimikatzRunner"
- $s2 = "zhmimikatz"
- condition:
- all of them
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/eset/Animal_Farm.yar b/yara-mikesxrs/eset/Animal_Farm.yar
deleted file mode 100644
index 78a21ef..0000000
--- a/yara-mikesxrs/eset/Animal_Farm.yar
+++ /dev/null
@@ -1,96 +0,0 @@
-// Animal Farm yara rules
-// For feedback or questions contact us at: github@eset.com
-// https://github.com/eset/malware-ioc/
-//
-// These yara rules are provided to the community under the two-clause BSD
-// license as follows:
-//
-// Copyright (c) 2015, ESET
-// All rights reserved.
-//
-// Redistribution and use in source and binary forms, with or without
-// modification, are permitted provided that the following conditions are met:
-//
-// 1. Redistributions of source code must retain the above copyright notice, this
-// list of conditions and the following disclaimer.
-//
-// 2. Redistributions in binary form must reproduce the above copyright notice,
-// this list of conditions and the following disclaimer in the documentation
-// and/or other materials provided with the distribution.
-//
-// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-
-rule ramFS
-{
- meta:
- Author = "Joan Calvet"
- Date = "2015/07/14"
- Description = "RamFS -- custom file system used by Animal Farm malware"
- Reference = "http://www.welivesecurity.com/2015/06/30/dino-spying-malware-analyzed/"
- Source = "https://github.com/eset/malware-ioc/"
- Contact = "github@eset.com"
- License = "BSD 2-Clause"
-
- strings:
- $mz = { 4d 5a }
-
- // Debug strings in RamFS
- $s01 = "Check: Error in File_List"
- $s02 = "Check: Error in FreeFileHeader_List"
- $s03 = "CD-->[%s]"
- $s04 = "!!!EXTRACT ERROR!!!File Does Not Exists-->[%s]"
- // RamFS parameters stored in the configuration
- $s05 = "tr4qa589" fullword
- $s06 = "xT0rvwz" fullword
-
- // RamFS commands
- $c01 = "INSTALL" fullword
- $c02 = "EXTRACT" fullword
- $c03 = "DELETE" fullword
- $c04 = "EXEC" fullword
- $c05 = "INJECT" fullword
- $c06 = "SLEEP" fullword
- $c07 = "KILL" fullword
- $c08 = "AUTODEL" fullword
- $c09 = "CD" fullword
- $c10 = "MD" fullword
-
- condition:
- ( $mz at 0 ) and
- ((1 of ($s*)) or (all of ($c*)))
-}
-
-rule dino
-{
- meta:
- Author = "Joan Calvet"
- Date = "2015/07/14"
- Description = "Dino backdoor"
- Reference = "http://www.welivesecurity.com/2015/06/30/dino-spying-malware-analyzed/"
- Source = "https://github.com/eset/malware-ioc/"
- Contact = "github@eset.com"
- License = "BSD 2-Clause"
-
- strings:
- $ = "PsmIsANiceM0du1eWith0SugarInsideA"
- $ = "destroyPSM"
- $ = "FM_PENDING_DOWN_%X"
- $ = "%s was canceled after %d try (reached MaxTry parameter)"
- $ = "you forgot value name"
- $ = "wakeup successfully scheduled in %d minutes"
- $ = "BD started at %s"
- $ = "decyphering failed on bd"
-
- condition:
- any of them
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/eset/ESET_index.yara b/yara-mikesxrs/eset/ESET_index.yara
deleted file mode 100644
index 360524d..0000000
--- a/yara-mikesxrs/eset/ESET_index.yara
+++ /dev/null
@@ -1,3788 +0,0 @@
-// Animal Farm yara rules
-// For feedback or questions contact us at: github@eset.com
-// https://github.com/eset/malware-ioc/
-//
-// These yara rules are provided to the community under the two-clause BSD
-// license as follows:
-//
-// Copyright (c) 2015, ESET
-// All rights reserved.
-//
-// Redistribution and use in source and binary forms, with or without
-// modification, are permitted provided that the following conditions are met:
-//
-// 1. Redistributions of source code must retain the above copyright notice, this
-// list of conditions and the following disclaimer.
-//
-// 2. Redistributions in binary form must reproduce the above copyright notice,
-// this list of conditions and the following disclaimer in the documentation
-// and/or other materials provided with the distribution.
-//
-// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-
-rule ramFS
-{
- meta:
- Author = "Joan Calvet"
- Date = "2015/07/14"
- Description = "RamFS -- custom file system used by Animal Farm malware"
- Reference = "http://www.welivesecurity.com/2015/06/30/dino-spying-malware-analyzed/"
- Source = "https://github.com/eset/malware-ioc/"
- Contact = "github@eset.com"
- License = "BSD 2-Clause"
-
- strings:
- $mz = { 4d 5a }
-
- // Debug strings in RamFS
- $s01 = "Check: Error in File_List"
- $s02 = "Check: Error in FreeFileHeader_List"
- $s03 = "CD-->[%s]"
- $s04 = "!!!EXTRACT ERROR!!!File Does Not Exists-->[%s]"
- // RamFS parameters stored in the configuration
- $s05 = "tr4qa589" fullword
- $s06 = "xT0rvwz" fullword
-
- // RamFS commands
- $c01 = "INSTALL" fullword
- $c02 = "EXTRACT" fullword
- $c03 = "DELETE" fullword
- $c04 = "EXEC" fullword
- $c05 = "INJECT" fullword
- $c06 = "SLEEP" fullword
- $c07 = "KILL" fullword
- $c08 = "AUTODEL" fullword
- $c09 = "CD" fullword
- $c10 = "MD" fullword
-
- condition:
- ( $mz at 0 ) and
- ((1 of ($s*)) or (all of ($c*)))
-}
-
-rule dino
-{
- meta:
- Author = "Joan Calvet"
- Date = "2015/07/14"
- Description = "Dino backdoor"
- Reference = "http://www.welivesecurity.com/2015/06/30/dino-spying-malware-analyzed/"
- Source = "https://github.com/eset/malware-ioc/"
- Contact = "github@eset.com"
- License = "BSD 2-Clause"
-
- strings:
- $ = "PsmIsANiceM0du1eWith0SugarInsideA"
- $ = "destroyPSM"
- $ = "FM_PENDING_DOWN_%X"
- $ = "%s was canceled after %d try (reached MaxTry parameter)"
- $ = "you forgot value name"
- $ = "wakeup successfully scheduled in %d minutes"
- $ = "BD started at %s"
- $ = "decyphering failed on bd"
-
- condition:
- any of them
-}
-
-// Linux/Moose yara rules
-// For feedback or questions contact us at: github@eset.com
-// https://github.com/eset/malware-ioc/
-//
-// These yara rules are provided to the community under the two-clause BSD
-// license as follows:
-//
-// Copyright (c) 2015, ESET
-// All rights reserved.
-//
-// Redistribution and use in source and binary forms, with or without
-// modification, are permitted provided that the following conditions are met:
-//
-// 1. Redistributions of source code must retain the above copyright notice, this
-// list of conditions and the following disclaimer.
-//
-// 2. Redistributions in binary form must reproduce the above copyright notice,
-// this list of conditions and the following disclaimer in the documentation
-// and/or other materials provided with the distribution.
-//
-// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-private rule is_elf
-{
- strings:
- $header = { 7F 45 4C 46 }
-
- condition:
- $header at 0
-}
-
-rule moose
-{
- meta:
- Author = "Thomas Dupuy"
- Date = "2015/04/21"
- Description = "Linux/Moose malware"
- Reference = "http://www.welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pdf"
- Source = "https://github.com/eset/malware-ioc/"
- Contact = "github@eset.com"
- License = "BSD 2-Clause"
-
- strings:
- $s0 = "Status: OK"
- $s1 = "--scrypt"
- $s2 = "stratum+tcp://"
- $s3 = "cmd.so"
- $s4 = "/Challenge"
- $s7 = "processor"
- $s9 = "cpu model"
- $s21 = "password is wrong"
- $s22 = "password:"
- $s23 = "uthentication failed"
- $s24 = "sh"
- $s25 = "ps"
- $s26 = "echo -n -e "
- $s27 = "chmod"
- $s28 = "elan2"
- $s29 = "elan3"
- $s30 = "chmod: not found"
- $s31 = "cat /proc/cpuinfo"
- $s32 = "/proc/%s/cmdline"
- $s33 = "kill %s"
-
- condition:
- is_elf and all of them
-}
-
-// Mumblehard packer yara rule
-// https://github.com/eset/malware-ioc/
-//
-// These yara rules are provided to the community under the two-clause BSD
-// license as follows:
-//
-// Copyright (c) 2015, ESET
-// All rights reserved.
-//
-// Redistribution and use in source and binary forms, with or without
-// modification, are permitted provided that the following conditions are met:
-//
-// 1. Redistributions of source code must retain the above copyright notice, this
-// list of conditions and the following disclaimer.
-//
-// 2. Redistributions in binary form must reproduce the above copyright notice,
-// this list of conditions and the following disclaimer in the documentation
-// and/or other materials provided with the distribution.
-//
-// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-// DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-
-rule mumblehard_packer
-{
- meta:
- description = "Mumblehard i386 assembly code responsible for decrypting Perl code"
- author = "Marc-Etienne M. Leveille"
- date = "2015-04-07"
- reference = "http://www.welivesecurity.com"
- version = "1"
-
- strings:
- $decrypt = { 31 db [1-10] ba ?? 00 00 00 [0-6] (56 5f | 89 F7)
- 39 d3 75 13 81 fa ?? 00 00 00 75 02 31 d2 81 c2 ?? 00 00
- 00 31 db 43 ac 30 d8 aa 43 e2 e2 }
- condition:
- $decrypt
-}
-
-// Operation Potao yara rules
-// For feedback or questions contact us at: github@eset.com
-// https://github.com/eset/malware-ioc/
-//
-// These yara rules are provided to the community under the two-clause BSD
-// license as follows:
-//
-// Copyright (c) 2015, ESET
-// All rights reserved.
-//
-// Redistribution and use in source and binary forms, with or without
-// modification, are permitted provided that the following conditions are met:
-//
-// 1. Redistributions of source code must retain the above copyright notice, this
-// list of conditions and the following disclaimer.
-//
-// 2. Redistributions in binary form must reproduce the above copyright notice,
-// this list of conditions and the following disclaimer in the documentation
-// and/or other materials provided with the distribution.
-//
-// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-private rule PotaoDecoy
-{
- strings:
- $mz = { 4d 5a }
- $str1 = "eroqw11"
- $str2 = "2sfsdf"
- $str3 = "RtlDecompressBuffer"
- $wiki_str = "spanned more than 100 years and ruined three consecutive" wide
-
- $old_ver1 = {53 68 65 6C 6C 33 32 2E 64 6C 6C 00 64 61 66 73 72 00 00 00 64 61 66 73 72 00 00 00 64 6F 63 (00 | 78)}
- $old_ver2 = {6F 70 65 6E 00 00 00 00 64 6F 63 00 64 61 66 73 72 00 00 00 53 68 65 6C 6C 33 32 2E 64 6C 6C 00}
- condition:
- ($mz at 0) and ( (all of ($str*)) or any of ($old_ver*) or $wiki_str )
-}
-private rule PotaoDll
-{
- strings:
- $mz = { 4d 5a }
-
- $dllstr1 = "?AVCncBuffer@@"
- $dllstr2 = "?AVCncRequest@@"
- $dllstr3 = "Petrozavodskaya, 11, 9"
- $dllstr4 = "_Scan@0"
- $dllstr5 = "\x00/sync/document/"
- $dllstr6 = "\\temp.temp"
-
- $dllname1 = "node69MainModule.dll"
- $dllname2 = "node69-main.dll"
- $dllname3 = "node69MainModuleD.dll"
- $dllname4 = "task-diskscanner.dll"
- $dllname5 = "\x00Screen.dll"
- $dllname6 = "Poker2.dll"
- $dllname7 = "PasswordStealer.dll"
- $dllname8 = "KeyLog2Runner.dll"
- $dllname9 = "GetAllSystemInfo.dll"
- $dllname10 = "FilePathStealer.dll"
- condition:
- ($mz at 0) and (any of ($dllstr*) and any of ($dllname*))
-}
-private rule PotaoUSB
-{
- strings:
- $mz = { 4d 5a }
-
- $binary1 = { 33 C0 8B C8 83 E1 03 BA ?? ?? ?? 00 2B D1 8A 0A 32 88 ?? ?? ?? 00 2A C8 FE C9 88 88 ?? ?? ?? 00 40 3D ?? ?? 00 00 7C DA C3 }
- $binary2 = { 55 8B EC 51 56 C7 45 FC 00 00 00 00 EB 09 8B 45 FC 83 C0 01 89 45 FC 81 7D FC ?? ?? 00 00 7D 3D 8B 4D FC 0F BE 89 ?? ?? ?? 00 8B 45 FC 33 D2 BE 04 00 00 00 F7 F6 B8 03 00 00 00 2B C2 0F BE 90 ?? ?? ?? 00 33 CA 2B 4D FC 83 E9 01 81 E1 FF 00 00 00 8B 45 FC 88 88 ?? ?? ?? 00 EB B1 5E 8B E5 5D C3}
- condition:
- ($mz at 0) and any of ($binary*)
-}
-private rule PotaoSecondStage
-{
- strings:
- $mz = { 4d 5a }
- // hash of CryptBinaryToStringA and CryptStringToBinaryA
- $binary1 = {51 7A BB 85 [10-180] E8 47 D2 A8}
- // old hash of CryptBinaryToStringA and CryptStringToBinaryA
- $binary2 = {5F 21 63 DD [10-30] EC FD 33 02}
- $binary3 = {CA 77 67 57 [10-30] BA 08 20 7A}
-
- $str1 = "?AVCrypt32Import@@"
- $str2 = "%.5llx"
- condition:
- ($mz at 0) and any of ($binary*) and any of ($str*)
-}
-rule Potao
-{
- meta:
- Author = "Anton Cherepanov"
- Date = "2015/07/29"
- Description = "Operation Potao"
- Reference = "http://www.welivesecurity.com/wp-content/uploads/2015/07/Operation-Potao-Express_final_v2.pdf"
- Source = "https://github.com/eset/malware-ioc/"
- Contact = "threatintel@eset.com"
- License = "BSD 2-Clause"
- condition:
- PotaoDecoy or PotaoDll or PotaoUSB or PotaoSecondStage
-}
-
-// Operation Windigo yara rules
-// For feedback or questions contact us at: windigo@eset.sk
-// https://github.com/eset/malware-ioc/
-//
-// These yara rules are provided to the community under the two-clause BSD
-// license as follows:
-//
-// Copyright (c) 2014, ESET
-// All rights reserved.
-//
-// Redistribution and use in source and binary forms, with or without
-// modification, are permitted provided that the following conditions are met:
-//
-// 1. 
Redistributions of source code must retain the above copyright notice, this
-// list of conditions and the following disclaimer.
-//
-// 2. Redistributions in binary form must reproduce the above copyright notice,
-// this list of conditions and the following disclaimer in the documentation
-// and/or other materials provided with the distribution.
-//
-// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-rule onimiki
-{
- meta:
- description = "Linux/Onimiki malicious DNS server"
- malware = "Linux/Onimiki"
- operation = "Windigo"
- author = "Olivier Bilodeau "
- created = "2014-02-06"
- reference = "http://www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf"
- contact = "windigo@eset.sk"
- source = "https://github.com/eset/malware-ioc/"
- license = "BSD 2-Clause"
-
- strings:
- // code from offset: 0x46CBCD
- $a1 = {43 0F B6 74 2A 0E 43 0F B6 0C 2A 8D 7C 3D 00 8D}
- $a2 = {74 35 00 8D 4C 0D 00 89 F8 41 F7 E3 89 F8 29 D0}
- $a3 = {D1 E8 01 C2 89 F0 C1 EA 04 44 8D 0C 92 46 8D 0C}
- $a4 = {8A 41 F7 E3 89 F0 44 29 CF 29 D0 D1 E8 01 C2 89}
- $a5 = {C8 C1 EA 04 44 8D 04 92 46 8D 04 82 41 F7 E3 89}
- $a6 = {C8 44 29 C6 29 D0 D1 E8 01 C2 C1 EA 04 8D 04 92}
- $a7 = {8D 04 82 29 C1 42 0F B6 04 21 42 88 84 14 C0 01}
- $a8 = {00 00 42 0F B6 04 27 43 88 04 32 42 0F B6 04 26}
- $a9 = {42 88 84 14 A0 01 00 00 49 83 C2 01 49 83 FA 07}
-
- condition:
- all of them
-}
-
-
-// Keydnap packer yara rule
-// https://github.com/eset/malware-ioc/
-//
-// These yara rules are provided to the community under the two-clause BSD
-// license as follows:
-//
-// Copyright (c) 2016, ESET
-// All rights reserved.
-//
-// Redistribution and use in source and binary forms, with or without
-// modification, are permitted provided that the following conditions are met:
-//
-// 1. Redistributions of source code must retain the above copyright notice, this
-// list of conditions and the following disclaimer.
-//
-// 2. Redistributions in binary form must reproduce the above copyright notice,
-// this list of conditions and the following disclaimer in the documentation
-// and/or other materials provided with the distribution.
-//
-// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-
-
-rule keydnap_backdoor
-{
- meta:
- description = "Unpacked OSX/Keydnap backdoor"
- author = "Marc-Etienne M. Leveille"
- date = "2016-07-06"
- reference = "http://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-is-hungry-for-credentials"
- version = "1"
-
- strings:
- $ = "api/osx/get_task"
- $ = "api/osx/cmd_executed"
- $ = "Loader-"
- $ = "u2RLhh+!LGd9p8!ZtuKcN"
- $ = "com.apple.iCloud.sync.daemon"
- condition:
- 2 of them
-}
-rule keydnap_downloader
-{
- meta:
- description = "OSX/Keydnap Downloader"
- author = "Marc-Etienne M. Leveille"
- date = "2016-07-06"
- reference = "http://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-is-hungry-for-credentials"
- version = "1"
-
- strings:
- $ = "icloudsyncd"
- $ = "killall Terminal"
- $ = "open %s"
-
- condition:
- 2 of them
-}
-
-rule keydnap_backdoor_packer
-{
- meta:
- description = "OSX/Keydnap packed backdoor"
- author = "Marc-Etienne M. Leveille"
- date = "2016-07-06"
- reference = "http://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-is-hungry-for-credentials"
- version = "1"
-
- strings:
- $upx_string = "This file is packed with the UPX"
- $packer_magic = "ASS7"
- $upx_magic = "UPX!"
-
- condition:
- $upx_string and $packer_magic and not $upx_magic
-}
-
-
-rule kobalos
-{
- meta:
- description = "Kobalos malware"
- author = "Marc-Etienne M.Léveillé"
- date = "2020-11-02"
- reference = "http://www.welivesecurity.com"
- reference2 = "https://www.welivesecurity.com/wp-content/uploads/2021/01/ESET_Kobalos.pdf"
- source = "https://github.com/eset/malware-ioc/"
- license = "BSD 2-Clause"
- version = "1"
-
- strings:
- $encrypted_strings_sizes = {
- 05 00 00 00 09 00 00 00 04 00 00 00 06 00 00 00
- 08 00 00 00 08 00 00 00 02 00 00 00 02 00 00 00
- 01 00 00 00 01 00 00 00 05 00 00 00 07 00 00 00
- 05 00 00 00 05 00 00 00 05 00 00 00 0A 00 00 00
- }
- $password_md5_digest = { 3ADD48192654BD558A4A4CED9C255C4C }
- $rsa_512_mod_header = { 10 11 02 00 09 02 00 }
- $strings_rc4_key = { AE0E05090F3AC2B50B1BC6E91D2FE3CE }
-
- condition:
- any of them
-}
-
-rule kobalos_ssh_credential_stealer {
- meta:
- description = "Kobalos SSH credential stealer seen in OpenSSH client"
- author = "Marc-Etienne M.Léveillé"
- date = "2020-11-02"
- reference = "http://www.welivesecurity.com"
- reference2 = "https://www.welivesecurity.com/wp-content/uploads/2021/01/ESET_Kobalos.pdf"
- source = "https://github.com/eset/malware-ioc/"
- license = "BSD 2-Clause"
- version = "1"
-
- strings:
- $ = "user: %.128s host: %.128s port %05d user: %.128s password: %.128s"
-
- condition:
- any of them
-}
-
-// For feedback or questions contact us at: github@eset.com
-// https://github.com/eset/malware-ioc/
-//
-// These yara rules are provided to the community under the two-clause BSD
-// license as follows:
-//
-// Copyright (c) 2018, ESET
-// All rights reserved.
-//
-// Redistribution and use in source and binary forms, with or without
-// modification, are permitted provided that the following conditions are met:
-//
-// 1. Redistributions of source code must retain the above copyright notice, this
-// list of conditions and the following disclaimer.
-//
-// 2. 
Redistributions in binary form must reproduce the above copyright notice, -// this list of conditions and the following disclaimer in the documentation -// and/or other materials provided with the distribution. -// -// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" -// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE -// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER -// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, -// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE -// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -// - -import "pe" - -private rule not_ms { - condition: - not for any i in (0..pe.number_of_signatures - 1): - ( - pe.signatures[i].issuer contains "Microsoft Corporation" - ) -} - -rule turla_outlook_gen { - meta: - author = "ESET Research" - date = "05-09-2018" - description = "Turla Outlook malware" - version = 2 - reference = "https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf" - source = "https://github.com/eset/malware-ioc/" - contact = "github@eset.com" - license = "BSD 2-Clause" - strings: - $s1 = "Outlook Express" ascii wide - $s2 = "Outlook watchdog" ascii wide - $s3 = "Software\\RIT\\The Bat!" 
ascii wide
- $s4 = "Mail Event Window" ascii wide
- $s5 = "Software\\Mozilla\\Mozilla Thunderbird\\Profiles" ascii wide
- $s6 = "%%PDF-1.4\n%%%c%c\n" ascii wide
- $s7 = "%Y-%m-%dT%H:%M:%S+0000" ascii wide
- $s8 = "rctrl_renwnd32" ascii wide
- $s9 = "NetUIHWND" ascii wide
- $s10 = "homePostalAddress" ascii wide
- $s11 = "/EXPORT;OVERRIDE;START=-%d;END=-%d;FOLDER=%s;OUT=" ascii wide
- $s12 = "Re:|FWD:|AW:|FYI:|NT|QUE:" ascii wide
- $s13 = "IPM.Note" ascii wide
- $s14 = "MAPILogonEx" ascii wide
- $s15 = "pipe\\The Bat! %d CmdLine" ascii wide
- $s16 = "PowerShellRunner.dll" ascii wide
- $s17 = "cmd container" ascii wide
- $s18 = "mapid.tlb" ascii wide nocase
- $s19 = "Content-Type: F)*+" ascii wide fullword
- condition:
- not_ms and 5 of them
-}
-
-rule turla_outlook_filenames {
- meta:
- author = "ESET Research"
- date = "22-08-2018"
- description = "Turla Outlook filenames"
- reference = "https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf"
- source = "https://github.com/eset/malware-ioc/"
- contact = "github@eset.com"
- license = "BSD 2-Clause"
- strings:
- $s1 = "mapid.tlb"
- $s2 = "msmime.dll"
- $s3 = "scawrdot.db"
- condition:
- any of them
-}
-
-rule turla_outlook_log {
- meta:
- author = "ESET Research"
- date = "22-08-2018"
- description = "First bytes of the encrypted Turla Outlook logs"
- reference = "https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf"
- source = "https://github.com/eset/malware-ioc/"
- contact = "github@eset.com"
- license = "BSD 2-Clause"
- strings:
- //Log begin: [...] 
TVer
- $s1 = {01 87 C9 75 C8 69 98 AC E0 C9 7B [21] EB BB 60 BB 5A}
- condition:
- $s1 at 0
-}
-
-rule turla_outlook_exports {
- meta:
- author = "ESET Research"
- date = "22-08-2018"
- description = "Export names of Turla Outlook Malware"
- reference = "https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf"
- source = "https://github.com/eset/malware-ioc/"
- contact = "github@eset.com"
- license = "BSD 2-Clause"
- condition:
- (pe.exports("install") or pe.exports("Install")) and
- pe.exports("TBP_Initialize") and
- pe.exports("TBP_Finalize") and
- pe.exports("TBP_GetName") and
- pe.exports("DllRegisterServer") and
- pe.exports("DllGetClassObject")
-}
-
-rule turla_outlook_pdf {
- meta:
- author = "ESET Research"
- date = "22-08-2018"
- description = "Detect PDF documents generated by Turla Outlook malware"
- reference = "https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf"
- source = "https://github.com/eset/malware-ioc/"
- contact = "github@eset.com"
- license = "BSD 2-Clause"
- strings:
- $s1 = "Adobe PDF Library 9.0" ascii wide nocase
- $s2 = "Acrobat PDFMaker 9.0" ascii wide nocase
- $s3 = {FF D8 FF E0 00 10 4A 46 49 46}
- $s4 = {00 3F 00 FD FC A2 8A 28 03 FF D9}
- $s5 = "W5M0MpCehiHzreSzNTczkc9d" ascii wide nocase
- $s6 = "PDF-1.4" ascii wide nocase
- condition:
- 5 of them
-}
-
-rule outlook_misty1 {
- meta:
- author = "ESET Research"
- date = "22-08-2018"
- description = "Detects the Turla MISTY1 implementation"
- reference = "https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf"
- source = "https://github.com/eset/malware-ioc/"
- contact = "github@eset.com"
- license = "BSD 2-Clause"
- strings:
- //and edi, 1FFh
- $o1 = {81 E7 FF 01 00 00}
- //shl ecx, 9
- $s1 = {C1 E1 09}
- //xor ax, si
- $s2 = {66 33 C6}
- //shr eax, 7
- $s3 = {C1 E8 07}
- $o2 = {8B 11 8D 04 1F 50 03 D3 8D 4D C4}
- condition:
- $o2 and for all i in (1..#o1):
- (for all of ($s*) 
: ($ in (@o1[i] -500 ..@o1[i] + 500))) -} - -// For feedback or questions contact us at: github@eset.com -// https://github.com/eset/malware-ioc/ -// -// These yara rules are provided to the community under the two-clause BSD -// license as follows: -// -// Copyright (c) 2019, ESET -// All rights reserved. -// -// Redistribution and use in source and binary forms, with or without -// modification, are permitted provided that the following conditions are met: -// -// 1. Redistributions of source code must retain the above copyright notice, this -// list of conditions and the following disclaimer. -// -// 2. Redistributions in binary form must reproduce the above copyright notice, -// this list of conditions and the following disclaimer in the documentation -// and/or other materials provided with the distribution. -// -// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" -// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE -// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER -// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, -// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE -// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -// - -rule skip20_sqllang_hook -{ - meta: - author = "Mathieu Tartare " - date = "21-10-2019" - description = "YARA rule to detect if a sqllang.dll version is targeted by skip-2.0. Each byte pattern corresponds to a function hooked by skip-2.0. If $1_0 or $1_1 match, it is probably targeted as it corresponds to the hook responsible for bypassing the authentication." 
- reference = "https://www.welivesecurity.com/" - source = "https://github.com/eset/malware-ioc/" - contact = "github@eset.com" - license = "BSD 2-Clause" - - strings: - $1_0 = {ff f3 55 56 57 41 56 48 81 ec c0 01 00 00 48 c7 44 24 38 fe ff ff ff} - $1_1 = {48 8b c3 4c 8d 9c 24 a0 00 00 00 49 8b 5b 10 49 8b 6b 18 49 8b 73 20 49 8b 7b 28 49 8b e3 41 5e c3 90 90 90 90 90 90 90 ff 25} - $2_0 = {ff f3 55 57 41 55 48 83 ec 58 65 48 8b 04 25 30 00 00 00} - $2_1 = {48 8b 5c 24 30 48 8b 74 24 38 48 83 c4 20 5f c3 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ff 25} - $3_0 = {89 4c 24 08 4c 8b dc 49 89 53 10 4d 89 43 18 4d 89 4b 20 57 48 81 ec 90 00 00 00} - $3_1 = {4c 8d 9c 24 20 01 00 00 49 8b 5b 40 49 8b 73 48 49 8b e3 41 5f 41 5e 41 5c 5f 5d c3} - $4_0 = {ff f5 41 56 41 57 48 81 ec 90 00 00 00 48 8d 6c 24 50 48 c7 45 28 fe ff ff ff 48 89 5d 60 48 89 75 68 48 89 7d 70 4c 89 65 78} - $4_1 = {8b c1 48 8b 8c 24 30 02 00 00 48 33 cc} - $5_0 = {48 8b c4 57 41 54 41 55 41 56 41 57 48 81 ec 90 03 00 00 48 c7 80 68 fd ff ff fe ff ff ff 48 89 58 18 48 89 70 20} - $5_1 = {48 c7 80 68 fd ff ff fe ff ff ff 48 89 58 18 48 89 70 20} - $6_0 = {44 88 4c 24 20 44 89 44 24 18 48 89 54 24 10 48 89 4c 24 08 53 56 57 41 54 41 55 41 56 41 57 48 81 ec 80 01 00 00} - $6_1 = {48 89 4c 24 08 53 56 57 41 54 41 55 41 56 41 57 48 81 ec 80 01 00 00 48 c7 84 24 e8 00 00 00 fe ff ff ff} - $7_0 = {08 48 89 74 24 10 57 48 83 ec 20 49 63 d8 48 8b f2 48 8b f9 45 85 c0} - $7_1 = {20 49 63 d8 48 8b f2 48 8b f9 45 85} - $8_0 = {48 89 01 48 8b c2 48 c7 41 08 04 00 00 00 c3 90 90 90 90 90 90 90 90 90 90 89 91 40 [11300-] ff f5 56 57 41 54 41 55 41 56 41 57 48 8b ec 48 83 ec 70} - $9_0 = {48 89 01 48 8b c2 48 c7 41 08 04 00 00 00 c3 90 90 90 90 90 90 90 90 90 90 89 91 40 [40050-] 48 8b c4 55 41 54 41 55 41 56 41 57 48 8b ec 48 83 ec 60} - $10_0 = {41 56 48 83 ec 50 48 c7 44 24 20 fe ff ff ff 48 89 5c 24 60 48 89 6c 24 68 48 89 74 24 70 48 89 7c 24 78 48 8b d9 33 ed 8b f5 89 6c} - $10_1 = {48 8b 42 18 4c 89 90 f0 
00 00 00 44 89 90 f8 00 00 00 c7 80 fc 00 00 00 1b 00 00 00 48 8b c2 c3 90 90 90} - $11_0 = {48 89 01 48 8b c2 48 c7 41 08 04 00 00 00 c3 90 90 90 90 90 90 90 90 90 90 89 91 40 [40700-] 48 8b c4 55 41 54 41 55 41 56 41 57 48 8b ec 48 83 ec 60} - $12_0 = {48 89 01 48 8b c2 48 c7 41 08 04 00 00 00 c3 90 90 90 90 90 90 90 90 90 90 89 91 40 [10650-] 48 8b c4 55 41 54 41 55 41 56 41 57 48 8b ec 48 83 ec 60} - $13_0 = {48 89 01 48 8b c2 48 c7 41 08 04 00 00 00 c3 90 90 90 90 90 90 90 90 90 90 89 91 40 [41850-] ff f5 56 57 41 54 41 55 41 56 41 57 48 8b ec 48 83 ec 70} - $14_0 = {48 89 01 48 8b c2 48 c7 41 08 04 00 00 00 c3 90 90 90 90 90 90 90 90 90 90 89 91 40 [42600-] ff f7 48 83 ec 50 48 c7 44 24 20 fe ff ff ff} - - condition: - any of them -} - - -// Operation Potao yara rules -// For feedback or questions contact us at: github@eset.com -// https://github.com/eset/malware-ioc/ -// -// These yara rules are provided to the community under the two-clause BSD -// license as follows: -// -// Copyright (c) 2015, ESET -// All rights reserved. -// -// Redistribution and use in source and binary forms, with or without -// modification, are permitted provided that the following conditions are met: -// -// 1. Redistributions of source code must retain the above copyright notice, this -// list of conditions and the following disclaimer. -// -// 2. Redistributions in binary form must reproduce the above copyright notice, -// this list of conditions and the following disclaimer in the documentation -// and/or other materials provided with the distribution. -// -// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" -// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -// DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE -// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER -// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, -// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE -// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -// -private rule PotaoDecoy -{ - strings: - $mz = { 4d 5a } - $str1 = "eroqw11" - $str2 = "2sfsdf" - $str3 = "RtlDecompressBuffer" - $wiki_str = "spanned more than 100 years and ruined three consecutive" wide - - $old_ver1 = {53 68 65 6C 6C 33 32 2E 64 6C 6C 00 64 61 66 73 72 00 00 00 64 61 66 73 72 00 00 00 64 6F 63 (00 | 78)} - $old_ver2 = {6F 70 65 6E 00 00 00 00 64 6F 63 00 64 61 66 73 72 00 00 00 53 68 65 6C 6C 33 32 2E 64 6C 6C 00} - condition: - ($mz at 0) and ( (all of ($str*)) or any of ($old_ver*) or $wiki_str ) -} -private rule PotaoDll -{ - strings: - $mz = { 4d 5a } - - $dllstr1 = "?AVCncBuffer@@" - $dllstr2 = "?AVCncRequest@@" - $dllstr3 = "Petrozavodskaya, 11, 9" - $dllstr4 = "_Scan@0" - $dllstr5 = "\x00/sync/document/" - $dllstr6 = "\\temp.temp" - - $dllname1 = "node69MainModule.dll" - $dllname2 = "node69-main.dll" - $dllname3 = "node69MainModuleD.dll" - $dllname4 = "task-diskscanner.dll" - $dllname5 = "\x00Screen.dll" - $dllname6 = "Poker2.dll" - $dllname7 = "PasswordStealer.dll" - $dllname8 = "KeyLog2Runner.dll" - $dllname9 = "GetAllSystemInfo.dll" - $dllname10 = "FilePathStealer.dll" - condition: - ($mz at 0) and (any of ($dllstr*) and any of ($dllname*)) -} -private rule PotaoUSB -{ - strings: - $mz = { 4d 5a } - - $binary1 = { 33 C0 8B C8 83 E1 03 BA ?? ?? ?? 00 2B D1 8A 0A 32 88 ?? ?? ?? 00 2A C8 FE C9 88 88 ?? ?? ?? 00 40 3D ?? ?? 
00 00 7C DA C3 } - $binary2 = { 55 8B EC 51 56 C7 45 FC 00 00 00 00 EB 09 8B 45 FC 83 C0 01 89 45 FC 81 7D FC ?? ?? 00 00 7D 3D 8B 4D FC 0F BE 89 ?? ?? ?? 00 8B 45 FC 33 D2 BE 04 00 00 00 F7 F6 B8 03 00 00 00 2B C2 0F BE 90 ?? ?? ?? 00 33 CA 2B 4D FC 83 E9 01 81 E1 FF 00 00 00 8B 45 FC 88 88 ?? ?? ?? 00 EB B1 5E 8B E5 5D C3} - condition: - ($mz at 0) and any of ($binary*) -} -private rule PotaoSecondStage -{ - strings: - $mz = { 4d 5a } - // hash of CryptBinaryToStringA and CryptStringToBinaryA - $binary1 = {51 7A BB 85 [10-180] E8 47 D2 A8} - // old hash of CryptBinaryToStringA and CryptStringToBinaryA - $binary2 = {5F 21 63 DD [10-30] EC FD 33 02} - $binary3 = {CA 77 67 57 [10-30] BA 08 20 7A} - - $str1 = "?AVCrypt32Import@@" - $str2 = "%.5llx" - condition: - ($mz at 0) and any of ($binary*) and any of ($str*) -} -rule Potao -{ - meta: - Author = "Anton Cherepanov" - Date = "2015/07/29" - Description = "Operation Potao" - Reference = "http://www.welivesecurity.com/wp-content/uploads/2015/07/Operation-Potao-Express_final_v2.pdf" - Source = "https://github.com/eset/malware-ioc/" - Contact = "threatintel@eset.com" - License = "BSD 2-Clause" - condition: - PotaoDecoy or PotaoDll or PotaoUSB or PotaoSecondStage -} - -// For feedback or questions contact us at: github@eset.com -// https://github.com/eset/malware-ioc/ -// -// These YARA rules are provided to the community under the two-clause BSD -// license as follows: -// -// Copyright (c) 2021, ESET -// All rights reserved. -// -// Redistribution and use in source and binary forms, with or without -// modification, are permitted provided that the following conditions are met: -// -// 1. Redistributions of source code must retain the above copyright notice, this -// list of conditions and the following disclaimer. -// -// 2. 
Redistributions in binary form must reproduce the above copyright notice,
-// this list of conditions and the following disclaimer in the documentation
-// and/or other materials provided with the distribution.
-//
-// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-
-import "pe"
-
-private rule InvisiMole_Blob {
- meta:
- description = "Detects InvisiMole blobs by magic values"
- author = "ESET Research"
- date = "2021-05-17"
- reference = "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf"
- source = "https://github.com/eset/malware-ioc/"
- license = "BSD 2-Clause"
- version = "1"
-
- strings:
- $magic_old_32 = {F9 FF D0 DE}
- $magic_old_64 = {64 FF D0 DE}
- $magic_new_32 = {86 DA 11 CE}
- $magic_new_64 = {64 DA 11 CE}
-
- condition:
- ($magic_old_32 at 0) or ($magic_old_64 at 0) or ($magic_new_32 at 0) or ($magic_new_64 at 0)
-}
-
-rule apt_Windows_InvisiMole_Logs {
- meta:
- description = "Detects log files with collected created by InvisiMole's RC2CL backdoor"
- author = "ESET Research"
- date = "2021-05-17"
- reference = "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf"
- source = "https://github.com/eset/malware-ioc/"
- license = "BSD 2-Clause"
- version = "1"
-
- condition:
- uint32(0) == 0x08F1CAA1 or
- uint32(0) == 0x08F1CAA2 or
- uint32(0) == 0x08F1CCC0 or
- uint32(0) == 0x08F2AFC0 or
- uint32(0) == 0x083AE4DF or
- uint32(0) == 0x18F2CBB1 or
- uint32(0) == 0x1900ABBA or
- uint32(0) == 0x24F2CEA1 or
- uint32(0) == 0xDA012193 or
- uint32(0) == 0xDA018993 or
- uint32(0) == 0xDA018995 or
- uint32(0) == 0xDD018991
-}
-
-rule apt_Windows_InvisiMole_SFX_Dropper {
-
- meta:
- description = "Detects trojanized InvisiMole files: patched RAR SFX droppers with added InvisiMole blobs (config encrypted XOR 2A at the end of a file)"
- author = "ESET Research"
- date = "2021-05-17"
- reference = "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf"
- source = "https://github.com/eset/malware-ioc/"
- license = "BSD 2-Clause"
- version = "1"
-
- strings:
- $encrypted_config = {5F 59 4F 58 19 18 04 4E 46 46 2A 5D 59 5A 58 43 44 5E 4C 7D 2A 0F 2A 59 2A 78 2A 4B 2A 58 2A 0E 2A 6F 2A 72 2A 4B 2A 0F 2A 4E 2A 04 2A 0F 2A 4E 2A 76 2A 0F 2A 79 2A 2A 2A 
79 42 4F 46 46 6F 52 4F 49 5F 5E 4F 7D 2A 79 42 4F 46 46 19 18 04 4E 46 46 2A 7C 43 58 5E 5F 4B 46 6B 46 46 45 49 2A 66 45 4B 4E 66 43 48 58 4B 58 53 6B} - - condition: - uint16(0) == 0x5A4D and $encrypted_config -} - -rule apt_Windows_InvisiMole_CPL_Loader { - meta: - description = "CPL loader" - author = "ESET Research" - date = "2021-05-17" - reference = "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf" - source = "https://github.com/eset/malware-ioc/" - license = "BSD 2-Clause" - version = "1" - - strings: - $s1 = "WScr%steObject(\"WScr%s.Run(\"::{20d04fe0-3a%s30309d}\\\\::{21EC%sDD-08002B3030%s\", 0);" - $s2 = "\\Control.js" wide - $s3 = "\\Control Panel.lnk" wide - $s4 = "FPC 3.0.4 [2019/04/13] for x86_64 - Win64" - $s5 = "FPC 3.0.4 [2019/04/13] for i386 - Win32" - $s6 = "imageapplet.dat" wide - $s7 = "wkssvmtx" - - condition: - uint16(0) == 0x5A4D and (3 of them) -} - -rule apt_Windows_InvisiMole_Wrapper_DLL { - meta: - description = "Detects InvisiMole wrapper DLL with embedded RC2CL and RC2FM backdoors, by export and resource names" - author = "ESET Research" - date = "2021-05-17" - reference = "https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/" - source = "https://github.com/eset/malware-ioc/" - license = "BSD 2-Clause" - version = "1" - - condition: - pe.exports("GetDataLength") and - for any y in (0..pe.number_of_resources - 1): ( - pe.resources[y].type == pe.RESOURCE_TYPE_RCDATA and pe.resources[y].name_string == "R\x00C\x002\x00C\x00L\x00" - ) and - for any y in (0..pe.number_of_resources - 1): ( - pe.resources[y].type == pe.RESOURCE_TYPE_RCDATA and pe.resources[y].name_string == "R\x00C\x002\x00F\x00M\x00" - ) -} - -rule apt_Windows_InvisiMole_DNS_Downloader { - - meta: - description = "InvisiMole DNS downloader" - author = "ESET Research" - date = "2021-05-17" - reference = "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf" - source = 
"https://github.com/eset/malware-ioc/"
- license = "BSD 2-Clause"
- version = "1"
-
- strings:
- $d = "DnsQuery_A"
-
- $s1 = "Wireshark-is-running-{9CA78EEA-EA4D-4490-9240-FC01FCEF464B}" xor
- $s2 = "AddIns\\" ascii wide xor
- $s3 = "pcornomeex." xor
- $s4 = "weriahsek.rxe" xor
- $s5 = "dpmupaceex." xor
- $s6 = "TCPViewClass" xor
- $s7 = "PROCMON_WINDOW_CLASS" xor
- $s8 = "Key%C"
- $s9 = "AutoEx%C" xor
- $s10 = "MSO~"
- $s11 = "MDE~"
- $s12 = "DNS PLUGIN, Step %d" xor
- $s13 = "rundll32.exe \"%s\",StartUI"
-
- condition:
- ((uint16(0) == 0x5A4D) or InvisiMole_Blob) and $d and 5 of ($s*)
-}
-
-rule apt_Windows_InvisiMole_RC2CL_Backdoor {
-
- meta:
- description = "InvisiMole RC2CL backdoor"
- author = "ESET Research"
- date = "2021-05-17"
- reference = "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf"
- source = "https://github.com/eset/malware-ioc/"
- license = "BSD 2-Clause"
- version = "1"
-
- strings:
- $s1 = "RC2CL" wide
-
- $s2 = "hp12KsNh92Dwd" wide
- $s3 = "ZLib package %s: files: %d, total size: %d" wide
- $s4 = "\\Un4seen" wide
- $s5 = {9E 01 3A AD} // encryption key
-
- $s6 = "~mrc_" wide
- $s7 = "~src_" wide
- $s8 = "~wbc_" wide
- $s9 = "zdf_" wide
- $s10 = "~S0PM" wide
- $s11 = "~A0FM" wide
- $s12 = "~70Z63\\" wide
- $s13 = "~E070C" wide
- $s14 = "~N031E" wide
-
- $s15 = "%szdf_%s.data" wide
- $s16 = "%spicture.crd" wide
- $s17 = "%s70zf_%s.cab" wide
- $s18 = "%spreview.crd" wide
-
- $s19 = "Value_Bck" wide
- $s20 = "Value_WSFX_ZC" wide
- $s21 = "MachineAccessStateData" wide
- $s22 = "SettingsSR2" wide
-
- condition:
- ((uint16(0) == 0x5A4D) or InvisiMole_Blob) and 5 of ($s*)
-}
-
-rule apt_Windows_InvisiMole {
-
- meta:
- description = "InvisiMole magic values, keys and strings"
- author = "ESET Research"
- date = "2021-05-17"
- reference = "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf"
- source = "https://github.com/eset/malware-ioc/"
- license = "BSD 2-Clause"
- version = "1"
-
- strings: 
- $s1 = "CryptProtectData"
- $s2 = "CryptUnprotectData"
- $s3 = {9E 01 3A AD}
- $s4 = "GET /getversion2a/%d%.2X%.2X/U%sN HTTP/1.1"
- $s5 = "PULSAR_LOADER.dll"
-
- /*
- cmp reg, 0DED0FFF9h
- */
- $check_magic_old_32 = {3? F9 FF D0 DE}
-
- /*
- cmp reg, 0DED0FF64h
- */
- $check_magic_old_64 = {3? 64 FF D0 DE}
-
- /*
- cmp dword ptr [reg], 0CE11DA86h
- */
- $check_magic_new_32 = {81 3? 86 DA 11 CE}
-
- /*
- cmp dword ptr [reg], 0CE11DA64h
- */
- $check_magic_new_64 = {81 3? 64 DA 11 CE}
-
- condition:
- ((uint16(0) == 0x5A4D) or InvisiMole_Blob) and (any of ($check_magic*)) and (2 of ($s*))
-}
-
-rule apt_Windows_InvisiMole_C2 {
-
- meta:
- description = "InvisiMole C&C servers"
- author = "ESET Research"
- date = "2021-05-17"
- reference = "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf"
- source = "https://github.com/eset/malware-ioc/"
- license = "BSD 2-Clause"
- version = "1"
-
- strings:
- $s1 = "46.165.220.228" ascii wide
- $s2 = "80.255.3.66" ascii wide
- $s3 = "85.17.26.174" ascii wide
- $s4 = "185.193.38.55" ascii wide
- $s5 = "194.187.249.157" ascii wide
- $s6 = "195.154.255.211" ascii wide
- $s7 = "153.re" ascii wide fullword
- $s8 = "adstat.red" ascii wide
- $s9 = "adtrax.net" ascii wide
- $s10 = "akamai.sytes.net" ascii wide
- $s11 = "amz-eu401.com" ascii wide
- $s12 = "blabla234342.sytes.net" ascii wide
- $s13 = "mx1.be" ascii wide fullword
- $s14 = "statad.de" ascii wide
- $s15 = "time.servehttp.com" ascii wide
- $s16 = "upd.re" ascii wide fullword
- $s17 = "update.xn--6frz82g" ascii wide
- $s18 = "updatecloud.sytes.net" ascii wide
- $s19 = "updchecking.sytes.net" ascii wide
- $s20 = "wlsts.net" ascii wide
- $s21 = "ro2.host" ascii wide fullword
- $s22 = "2ld.xyz" ascii wide fullword
- $s23 = "the-haba.com" ascii wide
- $s24 = "82.202.172.134" ascii wide
- $s25 = "update.xn--6frz82g" ascii wide
-
- condition:
- ((uint16(0) == 0x5A4D) or InvisiMole_Blob) and $s21 and any of them
-}
-
-// For feedback or questions contact us 
at: github@eset.com
-// https://github.com/eset/malware-ioc/
-//
-// These yara rules are provided to the community under the two-clause BSD
-// license as follows:
-//
-// Copyright (c) 2021, ESET
-// All rights reserved.
-//
-// Redistribution and use in source and binary forms, with or without
-// modification, are permitted provided that the following conditions are met:
-//
-// 1. Redistributions of source code must retain the above copyright notice, this
-// list of conditions and the following disclaimer.
-//
-// 2. Redistributions in binary form must reproduce the above copyright notice,
-// this list of conditions and the following disclaimer in the documentation
-// and/or other materials provided with the distribution.
-//
-// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-
-import "pe"
-rule SparklingGoblin_ChaCha20Loader_RichHeader
-{
- meta:
- author = "ESET Research"
- copyright = "ESET Research"
- description = "Rule matching ChaCha20 loaders rich header"
- date = "2021-03-30"
- reference = "http://welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/"
- source = "https://github.com/eset/malware-ioc/"
- license = "BSD 2-Clause"
-
- hash = "09FFE37A54BC4EBEBD8D56098E4C76232F35D821"
- hash = "29B147B76BB0D9E09F7297487CB972E6A2905586"
- hash = "33F2C3DE2457B758FC5824A2B253AD7C7C2E9E37"
- hash = "45BEF297CE78521EAC6EE39E7603E18360E67C5A"
- hash = "4CEC7CDC78D95C70555A153963064F216DAE8799"
- hash = "4D4C1A062A0390B20732BA4D65317827F2339B80"
- hash = "4F6949A4906B834E83FF951E135E0850FE49D5E4"
-
- condition:
- pe.rich_signature.length >= 104 and pe.rich_signature.length <= 112 and
- pe.rich_signature.toolid(241, 40116) >= 5 and pe.rich_signature.toolid(241, 40116) <= 10 and
- pe.rich_signature.toolid(147, 30729) == 11 and
- pe.rich_signature.toolid(264, 24215) >= 15 and pe.rich_signature.toolid(264, 24215) <= 16
-}
-
-rule SparklingGoblin_ChaCha20
-{
- meta:
- author = "ESET Research"
- copyright = "ESET Research"
- description = "SparklingGoblin ChaCha20 implementations"
- date = "2021-05-20"
- reference = "http://welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/"
- source = "https://github.com/eset/malware-ioc/"
- license = "BSD 2-Clause"
-
- hash = "2EDBEA43F5C40C867E5B6BBD93CC972525DF598B"
- hash = "B6D245D3D49B06645C0578804064CE0C072CBE0F"
- hash = "8BE6D5F040D0085C62B1459AFC627707B0DE89CF"
- hash = "4668302969FE122874FB2447A80378DCB671C86B"
- hash = "9BDECB08E16A23D271D0A3E836D9E7F83D7E2C3B"
- hash = "9CE7650F2C08C391A35D69956E171932D116B8BD"
- hash = "91B32E030A1F286E7D502CA17E107D4BFBD7394A"
-
- strings:
- // 32-bits version
- $chunk_1 = {
- 8B 4D ??
- 56
- 8B 75 ??
- 57
- 8B 7D ?? 
- 8B 04 BB - 01 04 93 - 8B 04 B3 - 33 04 93 - C1 C0 10 - 89 04 B3 - 01 04 8B - 8B 04 BB - 33 04 8B - C1 C0 0C - 89 04 BB - 01 04 93 - 8B 04 B3 - 33 04 93 - C1 C0 08 - 89 04 B3 - 01 04 8B - 8B 04 BB - 33 04 8B - C1 C0 07 - 89 04 BB - } - // 64-bits version - $chunk_2 = { - 03 4D ?? - 44 03 C0 - 03 55 ?? - 33 F1 - 45 33 D8 - C1 C6 10 - 44 33 F2 - 41 C1 C3 10 - 41 03 FB - 41 C1 C6 10 - 45 03 E6 - 41 03 DA - 44 33 CB - 44 03 EE - 41 C1 C1 10 - 8B C7 - 33 45 ?? - 45 03 F9 - C1 C0 0C - 44 03 C0 - 45 33 D8 - 44 89 45 ?? - 41 C1 C3 08 - 41 03 FB - 44 8B C7 - 44 33 C0 - 41 8B C5 - 33 45 ?? - C1 C0 0C - 03 C8 - 41 C1 C0 07 - 33 F1 - 89 4D ?? - C1 C6 08 - 44 03 EE - 41 8B CD - 33 C8 - 41 8B C4 - 33 45 ?? - C1 C0 0C - 03 D0 - C1 C1 07 - 44 33 F2 - 89 55 ?? - 41 C1 C6 08 - 45 03 E6 - 41 8B D4 - 33 D0 - 41 8B C7 - 41 33 C2 - C1 C2 07 - C1 C0 0C - 03 D8 - 44 33 CB - 41 C1 C1 08 - 45 03 F9 - 45 8B D7 - 44 33 D0 - 8B 45 ?? - 03 C1 - 41 C1 C2 07 - 44 33 C8 - 89 45 ?? - 41 C1 C1 10 - 45 03 E1 - 41 8B C4 - 33 C1 - 8B 4D ?? - C1 C0 0C - 03 C8 - 44 33 C9 - 89 4D ?? - 89 4D ?? - 41 C1 C1 08 - 45 03 E1 - 41 8B CC - 33 C8 - 8B 45 ?? - C1 C1 07 - 89 4D ?? - 89 4D ?? - 03 C2 - 41 03 D8 - 89 45 ?? - 41 33 C3 - C1 C0 10 - 44 03 F8 - 41 8B CF - 33 CA - 8B 55 ?? - } - $chunk_3 = { - C7 45 ?? 65 78 70 61 - 4C 8D 45 ?? - C7 45 ?? 6E 64 20 33 - 4D 8B F9 - C7 45 ?? 32 2D 62 79 - 4C 2B C1 - C7 45 ?? 74 65 20 6B - } - $chunk_4 = { - 0F B6 02 - 0F B6 4A ?? - C1 E1 08 - 0B C8 - 0F B6 42 ?? - C1 E1 08 - 0B C8 - 0F B6 42 ?? - C1 E1 08 - 0B C8 - 41 89 0C 10 - 48 8D 52 ?? - 49 83 E9 01 - } - // 64-bits version - $chunk_5 = { - 03 4D ?? - 44 03 C0 - 03 55 ?? - 33 F1 - 41 33 F8 - C1 C6 10 - 44 33 F2 - C1 C7 10 - 44 03 DF - 41 C1 C6 10 - 45 03 E6 - 44 03 CB - 45 33 D1 - 44 03 EE - 41 C1 C2 10 - 41 8B C3 - 33 45 ?? - 45 03 FA - C1 C0 0C - 44 03 C0 - 41 33 F8 - 44 89 45 ?? - C1 C7 08 - 44 03 DF - 45 8B C3 - 44 33 C0 - 41 8B C5 - 33 45 ?? - C1 C0 0C - 03 C8 - 41 C1 C0 07 - 33 F1 - 89 4D ?? 
- C1 C6 08 - 44 03 EE - 41 8B CD - 33 C8 - 41 8B C4 - 33 45 ?? - C1 C0 0C - 03 D0 - C1 C1 07 - 44 33 F2 - 89 55 ?? - 41 C1 C6 08 - 45 03 E6 - 41 8B D4 - 33 D0 - 41 8B C7 - 33 C3 - C1 C2 07 - C1 C0 0C - 44 03 C8 - 45 33 D1 - 41 C1 C2 08 - 45 03 FA - 41 8B DF - 33 D8 - 8B 45 ?? - 03 C1 - C1 C3 07 - 44 33 D0 - 89 45 ?? - 41 C1 C2 10 - 45 03 E2 - 41 8B C4 - 33 C1 - 8B 4D ?? - C1 C0 0C - 03 C8 - 44 33 D1 - 89 4D ?? - 89 4D ?? - 41 C1 C2 08 - 45 03 E2 - 41 8B CC - 33 C8 - 8B 45 ?? - C1 C1 07 - 89 4D ?? - 89 4D ?? - 03 C2 - 45 03 C8 - 89 45 ?? - 33 C7 - C1 C0 10 - 44 03 F8 - 41 8B CF - 33 CA - 8B 55 ?? - C1 C1 0C - 03 D1 - 8B FA - 89 55 ?? - 33 F8 - 89 55 ?? - 8B 55 ?? - 03 D3 - C1 C7 08 - 44 03 FF - 41 8B C7 - 33 C1 - C1 C0 07 - 89 45 ?? - 89 45 ?? - 8B C2 - 33 C6 - C1 C0 10 - 44 03 D8 - 41 33 DB - C1 C3 0C - 03 D3 - 8B F2 - 89 55 ?? - 33 F0 - 41 8B C1 - 41 33 C6 - C1 C6 08 - C1 C0 10 - 44 03 DE - 44 03 E8 - 41 33 DB - 41 8B CD - C1 C3 07 - 41 33 C8 - 44 8B 45 ?? - C1 C1 0C - 44 03 C9 - 45 8B F1 - 44 33 F0 - 41 C1 C6 08 - 45 03 EE - 41 8B C5 - 33 C1 - 8B 4D ?? - C1 C0 07 - } - - condition: - any of them and filesize < 450KB - -} - -rule SparklingGoblin_EtwEventWrite -{ - meta: - author = "ESET Research" - copyright = "ESET Research" - description = "SparklingGoblin EtwEventWrite patching" - date = "2021-05-20" - reference = "http://welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/" - source = "https://github.com/eset/malware-ioc/" - license = "BSD 2-Clause" - - hash = "2EDBEA43F5C40C867E5B6BBD93CC972525DF598B" - hash = "B6D245D3D49B06645C0578804064CE0C072CBE0F" - hash = "8BE6D5F040D0085C62B1459AFC627707B0DE89CF" - hash = "4668302969FE122874FB2447A80378DCB671C86B" - hash = "9BDECB08E16A23D271D0A3E836D9E7F83D7E2C3B" - hash = "9CE7650F2C08C391A35D69956E171932D116B8BD" - - strings: - // 64-bits version - $chunk_1 = { - 48 8D 0D ?? ?? ?? ?? - C7 44 24 ?? 48 31 C0 C3 - FF 15 ?? ?? ?? ?? - 48 8B C8 - 48 8D 15 ?? ?? ?? ?? - FF 15 ?? ?? ?? ?? - 83 64 24 ?? 
00 - 4C 8D 4C 24 ?? - BF 04 00 00 00 - 48 8B C8 - 8B D7 - 48 8B D8 - 44 8D 47 ?? - FF 15 ?? ?? ?? ?? - 44 8B C7 - 48 8D 54 24 ?? - 48 8B CB - E8 ?? ?? ?? ?? - 44 8B 44 24 ?? - 4C 8D 4C 24 ?? - 8B D7 - 48 8B CB - FF 15 ?? ?? ?? ?? - 48 8B 05 ?? ?? ?? ?? - } - // 32-bits version - $chunk_2 = { - 55 - 8B EC - 51 - 51 - 57 - 68 08 1A 41 00 - 66 C7 45 ?? C2 14 - C6 45 ?? 00 - FF 15 ?? ?? ?? ?? - 68 10 1A 41 00 - 50 - FF 15 ?? ?? ?? ?? - 83 65 ?? 00 - 8B F8 - 8D 45 ?? - 50 - 6A 40 - 6A 03 - 57 - FF 15 ?? ?? ?? ?? - 6A 03 - 8D 45 ?? - 50 - 57 - E8 ?? ?? ?? ?? - 83 C4 0C - 8D 45 ?? - 50 - FF 75 ?? - 6A 03 - 57 - FF 15 ?? ?? ?? ?? - } - // 64-bits version - $chunk_3 = { - 48 8D 0D ?? ?? ?? ?? - C7 44 24 ?? 48 31 C0 C3 - FF 15 ?? ?? ?? ?? - 48 8B C8 - 48 8D 15 ?? ?? ?? ?? - FF 15 ?? ?? ?? ?? - } - - condition: - any of them -} - -rule SparklingGoblin_Mutex -{ - meta: - author = "ESET Research" - copyright = "ESET Research" - description = "SparklingGoblin ChaCha20 loaders mutexes" - date = "2021-05-20" - reference = "http://welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/" - source = "https://github.com/eset/malware-ioc/" - license = "BSD 2-Clause" - - hash = "2EDBEA43F5C40C867E5B6BBD93CC972525DF598B" - hash = "B6D245D3D49B06645C0578804064CE0C072CBE0F" - hash = "8BE6D5F040D0085C62B1459AFC627707B0DE89CF" - hash = "4668302969FE122874FB2447A80378DCB671C86B" - hash = "9BDECB08E16A23D271D0A3E836D9E7F83D7E2C3B" - hash = "9CE7650F2C08C391A35D69956E171932D116B8BD" - - strings: - $mutex_1 = "kREwdFrOlvASgP4zWZyV89m6T2K0bIno" - $mutex_2 = "v5EPQFOImpTLaGZes3Nl1JSKHku8AyCw" - - condition: - any of them -} - - -// For feedback or questions contact us at: github@eset.com -// https://github.com/eset/malware-ioc/ -// -// These yara rules are provided to the community under the two-clause BSD -// license as follows: -// -// Copyright (c) 2018, ESET -// All rights reserved. 
-// -// Redistribution and use in source and binary forms, with or without -// modification, are permitted provided that the following conditions are met: -// -// 1. Redistributions of source code must retain the above copyright notice, this -// list of conditions and the following disclaimer. -// -// 2. Redistributions in binary form must reproduce the above copyright notice, -// this list of conditions and the following disclaimer in the documentation -// and/or other materials provided with the distribution. -// -// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" -// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE -// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER -// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, -// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE -// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
-// - -private rule ssh_client : sshdoor { - meta: - description = "Signature to match the clean (or not) OpenSSH client (ssh)" - author = "Marc-Etienne M.Leveille" - email = "leveille@eset.com" - reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf" - date = "2018-12-05" - license = "BSD 2-Clause" - - strings: - $usage = "usage: ssh [" - $old_version = "-L listen-port:host:port" - - condition: - $usage or $old_version -} - -private rule ssh_daemon : sshdoor { - meta: - description = "Signature to match the clean (or not) OpenSSH daemon (sshd)" - author = "Marc-Etienne M.Leveille" - email = "leveille@eset.com" - reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf" - date = "2018-12-05" - license = "BSD 2-Clause" - - strings: - $usage = "usage: sshd [" - $old_version = "Listen on the specified port (default: 22)" - - condition: - $usage or $old_version -} - -private rule ssh_add : sshdoor { - meta: - description = "Signature to match the clean (or not) OpenSSH add (ssh-add)" - author = "Hugo Porcher" - email = "hugo.porcher@eset.com" - reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf" - date = "2018-12-05" - license = "BSD 2-Clause" - - strings: - $usage = "usage: %s [options] [file ...]\n" - $log = "Could not open a connection to your authentication agent.\n" - - condition: - $usage and $log -} - -private rule ssh_agent : sshdoor { - meta: - description = "Signature to match the clean (or not) OpenSSH agent (ssh-agent)" - author = "Hugo Porcher" - email = "hugo.porcher@eset.com" - reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf" - date = "2018-12-05" - license = "BSD 2-Clause" - - strings: - $usage = "usage: %s [options] [command [arg ...]]" - - condition: - $usage -} - -private rule ssh_askpass : sshdoor { - meta: - description = 
"Signature to match the clean (or not) OpenSSH daemon (sshd)" - author = "Hugo Porcher" - email = "hugo.porcher@eset.com" - reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf" - date = "2018-12-05" - license = "BSD 2-Clause" - - strings: - $pass = "Enter your OpenSSH passphrase:" - $log = "Could not grab %s. A malicious client may be eavesdropping on you" - - condition: - $pass and $log -} - -private rule ssh_keygen : sshdoor { - meta: - description = "Signature to match the clean (or not) OpenSSH keygen (ssh-keygen)" - author = "Hugo Porcher" - email = "hugo.porcher@eset.com" - reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf" - date = "2018-12-05" - license = "BSD 2-Clause" - - strings: - $pass = "Enter new passphrase (empty for no passphrase):" - $log = "revoking certificates by key ID requires specification of a CA key" - - condition: - $pass and $log -} - -private rule ssh_keyscan : sshdoor { - meta: - description = "Signature to match the clean (or not) OpenSSH keyscan (ssh-keyscan)" - author = "Hugo Porcher" - email = "hugo.porcher@eset.com" - reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf" - date = "2018-12-05" - license = "BSD 2-Clause" - - strings: - $usage = "usage: %s [-46Hv] [-f file] [-p port] [-T timeout] [-t type]" - - condition: - $usage -} - -private rule ssh_binary : sshdoor { - meta: - description = "Signature to match any clean (or not) SSH binary" - author = "Hugo Porcher" - email = "hugo.porcher@eset.com" - - condition: - ssh_client or ssh_daemon or ssh_add or ssh_askpass or ssh_keygen or ssh_keyscan -} - -private rule stack_string { - meta: - description = "Rule to detect use of string-stacking" - author = "Hugo Porcher" - email = "hugo.porcher@eset.com" - reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf" 
- date = "2018-12-05" - license = "BSD 2-Clause" - - strings: - // single byte offset from base pointer - $bp = /(\xC6\x45.{2}){25}/ - // dword ss with single byte offset from base pointer - $bp_dw = /(\xC7\x45.{5}){20}/ - // 4-bytes offset from base pointer - $bp_off = /(\xC6\x85.{5}){25}/ - // single byte offset from stack pointer - $sp = /(\xC6\x44\x24.{2}){25}/ - // 4-bytes offset from stack pointer - $sp_off = /(\xC6\x84\x24.{5}){25}/ - - condition: - any of them -} - -rule abafar { - meta: - description = "Rule to detect Abafar family" - author = "Hugo Porcher" - email = "hugo.porcher@eset.com" - reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf" - date = "2018-12-05" - license = "BSD 2-Clause" - - strings: - $log_c = "%s:%s@%s" - $log_d = "%s:%s from %s" - - condition: - ssh_binary and any of them -} - -rule akiva { - meta: - description = "Rule to detect Akiva family" - author = "Hugo Porcher" - email = "hugo.porcher@eset.com" - reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf" - date = "2018-12-05" - license = "BSD 2-Clause" - - strings: - $log = /(To|From):\s(%s\s\-\s)?%s:%s\n/ - - condition: - ssh_binary and $log -} - -rule alderaan { - meta: - description = "Rule to detect Alderaan family" - author = "Hugo Porcher" - email = "hugo.porcher@eset.com" - reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf" - date = "2018-12-05" - license = "BSD 2-Clause" - - strings: - $log = /login\s(in|at):\s(%s\s)?%s:%s\n/ - - condition: - ssh_binary and $log -} - -rule ando { - meta: - description = "Rule to detect Ando family" - author = "Hugo Porcher" - email = "hugo.porcher@eset.com" - reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf" - date = "2018-12-05" - license = "BSD 2-Clause" - - strings: - $s1 = "%s:%s\n" - $s2 = "HISTFILE" - 
$i = "fopen64" - $m1 = "cat " - $m2 = "mail -s" - - condition: - ssh_binary and all of ($s*) and ($i or all of ($m*)) -} - -rule anoat { - meta: - description = "Rule to detect Anoat family" - author = "Hugo Porcher" - email = "hugo.porcher@eset.com" - reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf" - date = "2018-12-05" - license = "BSD 2-Clause" - - strings: - $log = "%s at: %s | user: %s, pass: %s\n" - - condition: - ssh_binary and $log -} - -rule atollon { - meta: - description = "Rule to detect Atollon family" - author = "Hugo Porcher" - email = "hugo.porcher@eset.com" - reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf" - date = "2018-12-05" - license = "BSD 2-Clause" - - strings: - $f1 = "PEM_read_RSA_PUBKEY" - $f2 = "RAND_add" - $log = "%s:%s" - $rand = "/dev/urandom" - - condition: - ssh_binary and stack_string and all of them -} - -rule batuu { - meta: - description = "Rule to detect Batuu family" - author = "Hugo Porcher" - email = "hugo.porcher@eset.com" - reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf" - date = "2018-12-05" - license = "BSD 2-Clause" - - strings: - $args = "ssh: ~(av[%d]: %s\n)" - $log = "readpass: %s\n" - - condition: - ssh_binary and any of them -} - -rule bespin { - meta: - description = "Rule to detect Bespin family" - author = "Hugo Porcher" - email = "hugo.porcher@eset.com" - reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf" - date = "2018-12-05" - license = "BSD 2-Clause" - - strings: - $log1 = "%Y-%m-%d %H:%M:%S" - $log2 = "%s %s%s" - $log3 = "[%s]" - - condition: - ssh_binary and all of them -} - -rule bonadan { - meta: - description = "Rule to detect Bonadan family" - author = "Hugo Porcher" - email = "hugo.porcher@eset.com" - reference = 
"https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf" - date = "2018-12-05" - license = "BSD 2-Clause" - - strings: - $s1 = "g_server" - $s2 = "mine.sock" - $s3 = "tspeed" - $e1 = "6106#x=%d#%s#%s#speed=%s" - $e2 = "usmars.mynetgear.com" - $e3 = "user=%s#os=%s#eip=%s#cpu=%s#mem=%s" - - condition: - ssh_binary and any of them -} - -rule borleias { - meta: - description = "Rule to detect Borleias family" - author = "Hugo Porcher" - email = "hugo.porcher@eset.com" - reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf" - date = "2018-12-05" - license = "BSD 2-Clause" - - strings: - $log = "%Y-%m-%d %H:%M:%S [%s]" - - condition: - ssh_binary and all of them -} - -rule chandrila { - meta: - description = "Rule to detect Chandrila family" - author = "Hugo Porcher" - email = "hugo.porcher@eset.com" - reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf" - date = "2018-12-05" - license = "BSD 2-Clause" - - strings: - $log = "S%s %s:%s" - $magic = { 05 71 92 7D } - - condition: - ssh_binary and all of them -} - -rule coruscant { - meta: - description = "Rule to detect Coruscant family" - author = "Hugo Porcher" - email = "hugo.porcher@eset.com" - reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf" - date = "2018-12-05" - license = "BSD 2-Clause" - - strings: - $s1 = "%s:%s@%s\n" - $s2 = "POST" - $s3 = "HTTP/1.1" - - condition: - ssh_binary and all of them -} - -rule crait { - meta: - description = "Signature to detect Crait family" - author = "Hugo Porcher" - email = "hugo.porcher@eset.com" - reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf" - date = "2018-12-05" - license = "BSD 2-Clause" - - strings: - $i1 = "flock" - $i2 = "fchmod" - $i3 = "sendto" - - condition: - ssh_binary and 2 of them -} - -rule 
endor { - meta: - description = "Rule to detect Endor family" - author = "Hugo Porcher" - email = "hugo.porcher@eset.com" - reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf" - date = "2018-12-05" - license = "BSD 2-Clause" - - strings: - $u = "user: %s" - $p = "password: %s" - - condition: - ssh_binary and $u and $p in (@u..@u+20) -} - -rule jakuu { - meta: - description = "Rule to detect Jakuu family" - author = "Hugo Porcher" - email = "hugo.porcher@eset.com" - notes = "Strings can be encrypted" - reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf" - date = "2018-12-05" - license = "BSD 2-Clause" - - strings: - $dec = /GET\s\/\?(s|c)id=/ - $enc1 = "getifaddrs" - $enc2 = "usleep" - $ns = "gethostbyname" - $log = "%s:%s" - $rc4 = { A1 71 31 17 11 1A 22 27 55 00 66 A3 10 FE C2 10 22 32 6E 95 90 84 F9 11 73 62 95 5F 4D 3B DB DC } - - condition: - ssh_binary and $log and $ns and ($dec or all of ($enc*) or $rc4) -} - -rule kamino { - meta: - description = "Rule to detect Kamino family" - author = "Hugo Porcher" - email = "hugo.porcher@eset.com" - reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf" - date = "2018-12-05" - license = "BSD 2-Clause" - - strings: - $s1 = "/var/log/wtmp" - $s2 = "/var/log/secure" - $s3 = "/var/log/auth.log" - $s4 = "/var/log/messages" - $s5 = "/var/log/audit/audit.log" - $s6 = "/var/log/httpd-access.log" - $s7 = "/var/log/httpd-error.log" - $s8 = "/var/log/xferlog" - $i1 = "BIO_f_base64" - $i2 = "PEM_read_bio_RSA_PUBKEY" - $i3 = "srand" - $i4 = "gethostbyname" - - condition: - ssh_binary and 5 of ($s*) and 3 of ($i*) -} - -rule kessel { - meta: - description = "Rule to detect Kessel family" - author = "Hugo Porcher" - email = "hugo.porcher@eset.com" - reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf" - date = 
"2018-12-05" - license = "BSD 2-Clause" - - strings: - $rc4 = "Xee5chu1Ohshasheed1u" - $s1 = "ssh:%s:%s:%s:%s" - $s2 = "sshkey:%s:%s:%s:%s:%s" - $s3 = "sshd:%s:%s" - $i1 = "spy_report" - $i2 = "protoShellCMD" - $i3 = "protoUploadFile" - $i4 = "protoSendReport" - $i5 = "tunRecvDNS" - $i6 = "tunPackMSG" - - condition: - ssh_binary and (2 of ($s*) or 2 of ($i*) or $rc4) -} - -rule mimban { - meta: - description = "Rule to detect Mimban family" - author = "Hugo Porcher" - email = "hugo.porcher@eset.com" - reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf" - date = "2018-12-05" - license = "BSD 2-Clause" - - strings: - $s1 = "<|||%s|||%s|||%d|||>" - $s2 = />\|\|\|%s\|\|\|%s\|\|\|\d\|\|\|%s\|\|\|%s\|\|\|%s\|\|\|%s\|\|\| %s:%s\n" - $client = /user(,|:)(a,)?password@host \-\-> %s(,|:)(b,)?%s@%s\n/ - - condition: - ssh_binary and ($daemon or $client) -} - -rule polis_massa { - meta: - description = "Rule to detect Polis Massa family" - author = "Hugo Porcher" - email = "hugo.porcher@eset.com" - reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf" - date = "2018-12-05" - license = "BSD 2-Clause" - - strings: - $log = /\b\w+(:|\s-+>)\s%s(:%d)?\s\t(\w+)?:\s%s\s\t(\w+)?:\s%s/ - - condition: - ssh_binary and $log -} - -rule quarren { - meta: - description = "Rule to detect Quarren family" - author = "Hugo Porcher" - email = "hugo.porcher@eset.com" - reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf" - date = "2018-12-05" - license = "BSD 2-Clause" - - strings: - $log = "h: %s, u: %s, p: %s\n" - - condition: - ssh_binary and $log -} - -// For feedback or questions contact us at: github@eset.com -// https://github.com/eset/malware-ioc/ -// -// These YARA rules are provided to the community under the two-clause BSD -// license as follows: -// -// Copyright (c) 2021, ESET -// All rights reserved. 
-// -// Redistribution and use in source and binary forms, with or without -// modification, are permitted provided that the following conditions are met: -// -// 1. Redistributions of source code must retain the above copyright notice, this -// list of conditions and the following disclaimer. -// -// 2. Redistributions in binary form must reproduce the above copyright notice, -// this list of conditions and the following disclaimer in the documentation -// and/or other materials provided with the distribution. -// -// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" -// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE -// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER -// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, -// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE -// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
-// - -import "pe" - -private rule IIS_Native_Module { - meta: - description = "Signature to match an IIS native module (clean or malicious)" - author = "ESET Research" - date = "2021-08-04" - reference = "https://www.welivesecurity.com/" - source = "https://github.com/eset/malware-ioc/" - license = "BSD 2-Clause" - version = "1" - - strings: - $e1 = "This module subscribed to event" - $e2 = "CHttpModule::OnBeginRequest" - $e3 = "CHttpModule::OnPostBeginRequest" - $e4 = "CHttpModule::OnAuthenticateRequest" - $e5 = "CHttpModule::OnPostAuthenticateRequest" - $e6 = "CHttpModule::OnAuthorizeRequest" - $e7 = "CHttpModule::OnPostAuthorizeRequest" - $e8 = "CHttpModule::OnResolveRequestCache" - $e9 = "CHttpModule::OnPostResolveRequestCache" - $e10 = "CHttpModule::OnMapRequestHandler" - $e11 = "CHttpModule::OnPostMapRequestHandler" - $e12 = "CHttpModule::OnAcquireRequestState" - $e13 = "CHttpModule::OnPostAcquireRequestState" - $e14 = "CHttpModule::OnPreExecuteRequestHandler" - $e15 = "CHttpModule::OnPostPreExecuteRequestHandler" - $e16 = "CHttpModule::OnExecuteRequestHandler" - $e17 = "CHttpModule::OnPostExecuteRequestHandler" - $e18 = "CHttpModule::OnReleaseRequestState" - $e19 = "CHttpModule::OnPostReleaseRequestState" - $e20 = "CHttpModule::OnUpdateRequestCache" - $e21 = "CHttpModule::OnPostUpdateRequestCache" - $e22 = "CHttpModule::OnLogRequest" - $e23 = "CHttpModule::OnPostLogRequest" - $e24 = "CHttpModule::OnEndRequest" - $e25 = "CHttpModule::OnPostEndRequest" - $e26 = "CHttpModule::OnSendResponse" - $e27 = "CHttpModule::OnMapPath" - $e28 = "CHttpModule::OnReadEntity" - $e29 = "CHttpModule::OnCustomRequestNotification" - $e30 = "CHttpModule::OnAsyncCompletion" - $e31 = "CGlobalModule::OnGlobalStopListening" - $e32 = "CGlobalModule::OnGlobalCacheCleanup" - $e33 = "CGlobalModule::OnGlobalCacheOperation" - $e34 = "CGlobalModule::OnGlobalHealthCheck" - $e35 = "CGlobalModule::OnGlobalConfigurationChange" - $e36 = "CGlobalModule::OnGlobalFileChange" - $e37 = 
"CGlobalModule::OnGlobalApplicationStart" - $e38 = "CGlobalModule::OnGlobalApplicationResolveModules" - $e39 = "CGlobalModule::OnGlobalApplicationStop" - $e40 = "CGlobalModule::OnGlobalRSCAQuery" - $e41 = "CGlobalModule::OnGlobalTraceEvent" - $e42 = "CGlobalModule::OnGlobalCustomNotification" - $e43 = "CGlobalModule::OnGlobalThreadCleanup" - $e44 = "CGlobalModule::OnGlobalApplicationPreload" - - condition: - uint16(0) == 0x5A4D and pe.exports("RegisterModule") and any of ($e*) -} - -rule IIS_Group01_IISRaid { - - meta: - description = "Detects Group 1 native IIS malware family (IIS-Raid derivates)" - author = "ESET Research" - date = "2021-08-04" - reference = "https://www.welivesecurity.com/" - source = "https://github.com/eset/malware-ioc/" - license = "BSD 2-Clause" - version = "1" - - strings: - $s1 = "cmd.exe" ascii wide - $s2 = "CMD" - $s3 = "PIN" - $s4 = "INJ" - $s5 = "DMP" - $s6 = "UPL" - $s7 = "DOW" - $s8 = "C:\\Windows\\System32\\credwiz.exe" ascii wide - - $p1 = "C:\\Windows\\Temp\\creds.db" - $p2 = "C:\\Windows\\Temp\\thumbs.db" - $p3 = "C:\\Windows\\Temp\\AAD30E0F.tmp" - $p4 = "X-Chrome-Variations" - $p5 = "X-Cache" - $p6 = "X-Via" - $p7 = "COM_InterProt" - $p8 = "X-FFEServer" - $p9 = "X-Content-Type-Options" - $p10 = "Strict-Transport-Security" - $p11 = "X-Password" - $p12 = "XXXYYY-Ref" - $p13 = "X-BLOG" - $p14 = "X-BlogEngine" - - condition: - IIS_Native_Module and 3 of ($s*) and any of ($p*) -} - -rule IIS_Group02 { - - meta: - description = "Detects Group 2 native IIS malware family" - author = "ESET Research" - date = "2021-08-04" - reference = "https://www.welivesecurity.com/" - source = "https://github.com/eset/malware-ioc/" - license = "BSD 2-Clause" - version = "1" - - strings: - $s1 = "HttpModule.pdb" ascii wide - $s2 = "([\\w+%]+)=([^&]*)" - $s3 = "([\\w+%]+)=([^!]*)" - $s4 = "cmd.exe" - $s5 = "C:\\Users\\Iso\\Documents\\Visual Studio 2013\\Projects\\IIS 5\\x64\\Release\\Vi.pdb" ascii wide - $s6 = "AVRSAFunction" - - condition: - 
IIS_Native_Module and 3 of ($s*) -} - -rule IIS_Group03 { - - meta: - description = "Detects Group 3 native IIS malware family" - author = "ESET Research" - date = "2021-08-04" - reference = "https://www.welivesecurity.com/" - source = "https://github.com/eset/malware-ioc/" - license = "BSD 2-Clause" - version = "1" - - strings: - $s1 = "IIS-Backdoor.dll" - $s2 = "CryptStringToBinaryA" - $s3 = "CreateProcessA" - $s4 = "X-Cookie" - - condition: - IIS_Native_Module and 3 of ($s*) -} - -rule IIS_Group04_RGDoor { - - meta: - description = "Detects Group 4 native IIS malware family (RGDoor)" - author = "ESET Research" - date = "2021-08-04" - reference = "https://www.welivesecurity.com/" - reference = "https://unit42.paloaltonetworks.com/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/" - source = "https://github.com/eset/malware-ioc/" - license = "BSD 2-Clause" - version = "1" - - strings: - $i1 = "RGSESSIONID=" - $s2 = "upload$" - $s3 = "download$" - $s4 = "cmd$" - $s5 = "cmd.exe" - - condition: - IIS_Native_Module and ($i1 or all of ($s*)) -} - -rule IIS_Group05_IIStealer { - - meta: - description = "Detects Group 5 native IIS malware family (IIStealer)" - author = "ESET Research" - date = "2021-08-04" - reference = "https://www.welivesecurity.com/" - source = "https://github.com/eset/malware-ioc/" - license = "BSD 2-Clause" - version = "1" - - strings: - $s1 = "tojLrGzFMbcDTKcH" ascii wide - $s2 = "4vUOj3IutgtrpVwh" ascii wide - $s3 = "SoUnRCxgREXMu9bM" ascii wide - $s4 = "9Zr1Z78OkgaXj1Xr" ascii wide - $s5 = "cache.txt" ascii wide - $s6 = "/checkout/checkout.aspx" ascii wide - $s7 = "/checkout/Payment.aspx" ascii wide - $s8 = "/privacy.aspx" - $s9 = "X-IIS-Data" - $s10 = "POST" - - // string stacking of "/checkout/checkout.aspx" - $s11 = {C7 ?? CF 2F 00 63 00 C7 ?? D3 68 00 65 00 C7 ?? D7 63 00 6B 00 C7 ?? DB 6F 00 75 00 C7 ?? DF 74 00 2F 00 C7 ?? E3 63 00 68 00 C7 ?? E7 65 00 63 00 C7 ?? EB 6B 00 6F 00 C7 ?? EF 75 00 74 00 C7 ?? F3 2E 00 61 00 C7 ?? 
F7 73 00 70 00 C7 ?? FB 78 00 00 00} - - // string stacking of "/privacy.aspx" - $s12 = {C7 ?? AF 2F 00 70 00 C7 ?? B3 72 00 69 00 C7 ?? B7 76 00 61 00 C7 ?? BB 63 00 79 00 C7 ?? BF 2E 00 61 00 C7 ?? C3 73 00 70 00 C7 ?? C7 78 00 00 00} - - condition: - IIS_Native_Module and 3 of ($s*) -} - -rule IIS_Group06_ISN { - - meta: - description = "Detects Group 6 native IIS malware family (ISN)" - author = "ESET Research" - date = "2021-08-04" - reference = "https://www.welivesecurity.com/" - reference = "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-curious-case-of-the-malicious-iis-module/" - source = "https://github.com/eset/malware-ioc/" - license = "BSD 2-Clause" - version = "1" - - strings: - $s1 = "isn7 config reloaded" - $s2 = "isn7 config NOT reloaded, not found or empty" - $s3 = "isn7 log deleted" - $s4 = "isn7 log not deleted, ERROR 0x%X" - $s5 = "isn7 log NOT found" - $s6 = "isn_reloadconfig" - $s7 = "D:\\soft\\Programming\\C++\\projects\\isapi\\isn7" - $s8 = "get POST failed %d" - $s9 = "isn7.dll" - - condition: - IIS_Native_Module and 3 of ($s*) -} - -rule IIS_Group07_IISpy { - - meta: - description = "Detects Group 7 native IIS malware family (IISpy)" - author = "ESET Research" - date = "2021-08-04" - reference = "https://www.welivesecurity.com/" - source = "https://github.com/eset/malware-ioc/" - license = "BSD 2-Clause" - version = "1" - - strings: - $s1 = "/credential/username" - $s2 = "/credential/password" - $s3 = "/computer/domain" - $s4 = "/computer/name" - $s5 = "/password" - $s6 = "/cmd" - $s7 = "%.8s%.8s=%.8s%.16s%.8s%.16s" - $s8 = "ImpersonateLoggedOnUser" - $s9 = "WNetAddConnection2W" - - $t1 = "X-Forwarded-Proto" - $t2 = "Sec-Fetch-Mode" - $t3 = "Sec-Fetch-Site" - $t4 = "Cookie" - - // PNG IEND - $t5 = {49 45 4E 44 AE 42 60 82} - - // PNG HEADER - $t6 = {89 50 4E 47 0D 0A 1A 0A 00 00 00 0D 49 48 44 52} - - condition: - IIS_Native_Module and 2 of ($s*) and any of ($t*) -} - -rule IIS_Group08 { - - meta: - description = 
"Detects Group 8 native IIS malware family" - author = "ESET Research" - date = "2021-08-04" - reference = "https://www.welivesecurity.com/" - source = "https://github.com/eset/malware-ioc/" - license = "BSD 2-Clause" - version = "1" - - strings: - $i1 = "FliterSecurity.dll" - $i2 = "IIS7NativeModule.dll" - $i3 = "Ver1.0." - - $s1 = "Cmd" - $s2 = "Realy path : %s" - $s3 = "Logged On Users : %d" - $s4 = "Connect OK!" - $s5 = "You are fucked!" - $s6 = "Shit!Error" - $s7 = "Where is the God!!" - $s8 = "Shit!Download False!" - $s9 = "Good!Run OK!" - $s10 = "Shit!Run False!" - $s11 = "Good!Download OK!" - $s12 = "[%d]safedog" - $s13 = "ed81bfc09d069121" - $s14 = "a9478ef01967d190" - $s15 = "af964b7479e5aea2" - $s16 = "1f9e6526bea65b59" - $s17 = "2b9e9de34f782d31" - $s18 = "33cc5da72ac9d7bb" - $s19 = "b1d71f4c2596cd55" - $s20 = "101fb9d9e86d9e6c" - - condition: - IIS_Native_Module and 1 of ($i*) and 3 of ($s*) -} - -rule IIS_Group09 { - - meta: - description = "Detects Group 9 native IIS malware family" - author = "ESET Research" - date = "2021-08-04" - reference = "https://www.welivesecurity.com/" - source = "https://github.com/eset/malware-ioc/" - license = "BSD 2-Clause" - version = "1" - - strings: - $i1 = "FliterSecurity.dll" - $i2 = {56565656565656565656565656565656} - $i3 = "app|hot|alp|svf|fkj|mry|poc|doc|20" xor - $i4 = "yisouspider|yisou|soso|sogou|m.sogou|sogo|sogou|so.com|baidu|bing|360" xor - $i5 = "baidu|m.baidu|soso|sogou|m.sogou|sogo|sogou|so.com|google|youdao" xor - $i6 = "118|abc|1go|evk" xor - - $s1 = "AVCFuckHttpModuleFactory" - $s2 = "X-Forward" - $s3 = "fuck32.dat" - $s4 = "fuck64.dat" - $s5 = "&ipzz1=" - $s6 = "&ipzz2=" - $s7 = "&uuu=" - - $s8 = "http://20.3323sf.c" xor - $s9 = "http://bj.whtjz.c" xor - $s10 = "http://bj2.wzrpx.c" xor - $s11 = "http://cs.whtjz.c" xor - $s12 = "http://df.e652.c" xor - $s13 = "http://dfcp.yyphw.c" xor - $s14 = "http://es.csdsx.c" xor - $s15 = "http://hz.wzrpx.c" xor - $s16 = "http://id.3323sf.c" xor - $s17 = 
"http://qp.008php.c" xor - $s18 = "http://qp.nmnsw.c" xor - $s19 = "http://sc.300bt.c" xor - $s20 = "http://sc.wzrpx.c" xor - $s21 = "http://sf2223.c" xor - $s22 = "http://sx.cmdxb.c" xor - $s23 = "http://sz.ycfhx.c" xor - $s24 = "http://xpq.0660sf.c" xor - $s25 = "http://xsc.b1174.c" xor - - condition: - IIS_Native_Module and any of ($i*) and 3 of ($s*) -} - -rule IIS_Group10 { - - meta: - description = "Detects Group 10 native IIS malware family" - author = "ESET Research" - date = "2021-08-04" - reference = "https://www.welivesecurity.com/" - source = "https://github.com/eset/malware-ioc/" - license = "BSD 2-Clause" - version = "1" - - strings: - $s1 = "IIS7.dll" - $s2 = "(.*?)title(.*?)>" - $s3 = "<meta(.*?)name(.*?)=(.*?)keywords(.*?)>" - $s4 = "<meta(.*?)name(.*?)=(.*?)description(.*?)>" - $s5 = "js.breakavs.co" - $s6 = "微信群-赛车PK10群【进群微信fun57644】_幸运飞艇_幸运28群" - $s7 = "北京赛车微信群,北京微信赛车群,北京赛车微信群,PK10群,北京赛车pk10微信群,PK10微信群,赛车微信群,北京赛车群," - $s8 = "北京赛车微信群,北京微信赛车群【进群微信号fun57644】北京微信赛车群,北京微信赛车" - - $e1 = "Baiduspider" - $e2 = "Sosospider" - $e3 = "Sogou web spider" - $e4 = "360Spider" - $e5 = "YisouSpider" - $e6 = "sogou.com" - $e7 = "soso.com" - $e8 = "uc.cn" - $e9 = "baidu.com" - $e10 = "sm.cn" - - condition: - IIS_Native_Module and 2 of ($e*) and 3 of ($s*) -} - -rule IIS_Group11 { - - meta: - description = "Detects Group 11 native IIS malware family" - author = "ESET Research" - date = "2021-08-04" - reference = "https://www.welivesecurity.com/" - source = "https://github.com/eset/malware-ioc/" - license = "BSD 2-Clause" - version = "1" - - strings: - $s1 = "DnsQuery_A" - $s2 = "&reurl=" - $s3 = "&jump=1" - - // encrypted "HTTP_cmd" (SUB 2) - $s4 = "JVVRaeof" - - // encrypted "lanke88" (SUB 2) - $s5 = "ncpmg::0" - - // encrypted "xinxx.allsoulu[.]com" (SUB 2) - $s6 = "zkpzz0cnnuqwnw0eqo" - - // encrypted "http://www.allsoulu[.]com/1.php?cmdout=" (SUB 2) - $s7 = "jvvr<11yyy0cnnuqwnw0eqo130rjrAeofqwv?" 
- - condition: - IIS_Native_Module and 3 of ($s*) -} - -rule IIS_Group12 { - - meta: - description = "Detects Group 12 native IIS malware family" - author = "ESET Research" - date = "2021-08-04" - reference = "https://www.welivesecurity.com/" - source = "https://github.com/eset/malware-ioc/" - license = "BSD 2-Clause" - version = "1" - - strings: - $s1 = "C:\\inetpub\\temp\\IIS Temporary Compressed Files\\" - $s2 = "F5XFFHttpModule.dll" - $s3 = "gtest_redir" - $s4 = "\\cmd.exe" nocase - $s5 = "iuuq;00" // encrypted "http://" (ADD 1) - $s6 = "?xhost=" - $s7 = "&reurl=" - $s8 = "?jump=1" - $s9 = "app|zqb" - $s10 = "ifeng|ivc|sogou|so.com|baidu|google|youdao|yahoo|bing|118114|biso|gougou|sooule|360|sm|uc" - $s11 = "sogou|so.com|baidu|google|youdao|yahoo|bing|gougou|sooule|360|sm.cn|uc" - $s12 = "Hotcss/|Hotjs/" - $s13 = "HotImg/|HotPic/" - $s14 = "msf connect error !!" - $s15 = "download ok !!" - $s16 = "download error !! " - $s17 = "param error !!" - $s18 = "Real Path: " - $s19 = "unknown cmd !" 
- - // hardcoded hash values - $b1 = {15 BD 01 2E [-] 5E 40 08 97 [-] CF 8C BE 30 [-] 28 42 C6 3B} - $b2 = {E1 0A DC 39 [-] 49 BA 59 AB [-] BE 56 E0 57 [-] F2 0F 88 3E} - - condition: - IIS_Native_Module and 5 of them -} - -rule IIS_Group13_IISerpent { - - meta: - description = "Detects Group 13 native IIS malware family (IISerpent)" - author = "ESET Research" - date = "2021-08-04" - reference = "https://www.welivesecurity.com/" - source = "https://github.com/eset/malware-ioc/" - license = "BSD 2-Clause" - version = "1" - - strings: - $s1 = "/mconfig/lunlian.txt" - $s2 = "http://sb.qrfy.ne" - $s3 = "folderlinkpath" - $s4 = "folderlinkcount" - $s5 = "onlymobilespider" - $s6 = "redirectreferer" - $s7 = "loadSuccessfull : " - $s8 = "spider" - $s9 = "<a href=" - $s11 = "?ReloadModuleConfig=1" - $s12 = "?DisplayModuleConfig=1" - - condition: - IIS_Native_Module and 5 of them -} - -rule IIS_Group14 { - - meta: - description = "Detects Group 14 native IIS malware family" - author = "ESET Research" - date = "2021-08-04" - reference = "https://www.welivesecurity.com/" - source = "https://github.com/eset/malware-ioc/" - license = "BSD 2-Clause" - version = "1" - - strings: - $i1 = "agent-self: %s" - $i2 = "/utf.php?key=" - $i3 = "/self.php?v=" - $i4 = "<script type=\"text/javascript\" src=\"//speed.wlaspsd.co" - $i5 = "now.asmkpo.co" - - $s1 = "Baiduspider" - $s2 = "360Spider" - $s3 = "Sogou" - $s4 = "YisouSpider" - $s6 = "HTTP_X_FORWARDED_FOR" - - - condition: - IIS_Native_Module and 2 of ($i*) or 5 of them -} - -// For feedback or questions contact us at: github@eset.com -// https://github.com/eset/malware-ioc/ -// -// These yara rules are provided to the community under the two-clause BSD -// license as follows: -// -// Copyright (c) 2022, ESET -// All rights reserved. -// -// Redistribution and use in source and binary forms, with or without -// modification, are permitted provided that the following conditions are met: -// -// 1. 
Redistributions of source code must retain the above copyright notice, this -// list of conditions and the following disclaimer. -// -// 2. Redistributions in binary form must reproduce the above copyright notice, -// this list of conditions and the following disclaimer in the documentation -// and/or other materials provided with the distribution. -// -// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" -// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE -// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER -// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, -// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE -// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
-// - -import "pe" - -rule apt_Windows_TA410_Tendyron_dropper -{ - meta: - description = "TA410 Tendyron Dropper" - reference = "https://www.welivesecurity.com/" - source = "https://github.com/eset/malware-ioc/" - license = "BSD 2-Clause" - version = "1" - author = "ESET Research" - date = "2020-12-09" - strings: - $s1 = "Global\\{F473B3BE-08EE-4710-A727-9E248F804F4A}" wide - $s2 = "Global\\8D32CCB321B2" wide - $s3 = "Global\\E4FE94F75490" wide - $s4 = "Program Files (x86)\\Internet Explorer\\iexplore.exe" wide - $s5 = "\\RPC Control\\OLE" wide - $s6 = "ALPC Port" wide - condition: - int16(0) == 0x5A4D and 4 of them -} - -rule apt_Windows_TA410_Tendyron_installer -{ - meta: - description = "TA410 Tendyron Installer" - reference = "https://www.welivesecurity.com/" - source = "https://github.com/eset/malware-ioc/" - license = "BSD 2-Clause" - version = "1" - author = "ESET Research" - date = "2020-12-09" - strings: - $s1 = "Tendyron" wide - $s2 = "OnKeyToken_KEB.dll" wide - $s3 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" wide - $s4 = "Global\\8D32CCB321B2" - $s5 = "\\RTFExploit\\" - condition: - int16(0) == 0x5A4D and 3 of them -} - -rule apt_Windows_TA410_Tendyron_Downloader -{ - meta: - description = "TA410 Tendyron Downloader" - reference = "https://www.welivesecurity.com/" - source = "https://github.com/eset/malware-ioc/" - license = "BSD 2-Clause" - version = "1" - author = "ESET Research" - date = "2020-12-09" - strings: - /* - 0x401250 8A10 mov dl, byte ptr [eax] - 0x401252 80F25C xor dl, 0x5c - 0x401255 80C25C add dl, 0x5c - 0x401258 8810 mov byte ptr [eax], dl - 0x40125a 40 inc eax - 0x40125b 83E901 sub ecx, 1 - 0x40125e 75F0 jne 0x401250 - */ - $chunk_1 = { - 8A 10 - 80 F2 5C - 80 C2 5C - 88 10 - 40 - 83 E9 01 - 75 ?? 
- } - $s1 = "startModule" fullword - condition: - int16(0) == 0x5A4D and all of them -} - -rule apt_Windows_TA410_X4_strings -{ - meta: - description = "Matches various strings found in TA410 X4" - reference = "https://www.welivesecurity.com/" - source = "https://github.com/eset/malware-ioc/" - license = "BSD 2-Clause" - version = "1" - author = "ESET Research" - date = "2020-10-09" - strings: - $s1 = "[X]InLoadSC" ascii wide nocase - $s3 = "MachineKeys\\Log\\rsa.txt" ascii wide nocase - $s4 = "MachineKeys\\Log\\output.log" ascii wide nocase - condition: - any of them -} - -rule apt_Windows_TA410_X4_hash_values -{ - meta: - description = "Matches X4 hash function found in TA410 X4" - reference = "https://www.welivesecurity.com/" - source = "https://github.com/eset/malware-ioc/" - license = "BSD 2-Clause" - version = "1" - author = "ESET Research" - date = "2020-10-09" - strings: - $s1 = {D1 10 76 C2 B6 03} - $s2 = {71 3E A8 0D} - $s3 = {DC 78 94 0E} - $s4 = {40 0D E7 D6 06} - $s5 = {83 BB FD E8 06} - $s6 = {92 9D 9B FF EC 03} - $s7 = {DD 0E FC FA F5 03} - $s8 = {15 60 1E FB F5 03} - condition: - uint16(0) == 0x5a4d and 4 of them - -} - -rule apt_Windows_TA410_X4_hash_fct -{ - meta: - description = "Matches X4 hash function found in TA410 X4" - reference = "https://www.welivesecurity.com/" - source = "https://github.com/eset/malware-ioc/" - license = "BSD 2-Clause" - version = "1" - author = "ESET Research" - date = "2020-10-09" - - /* - 0x6056cc2150 0FB601 movzx eax, byte ptr [rcx] - 0x6056cc2153 84C0 test al, al - 0x6056cc2155 7416 je 0x6056cc216d - 0x6056cc2157 4869D283000000 imul rdx, rdx, 0x83 - 0x6056cc215e 480FBEC0 movsx rax, al - 0x6056cc2162 4803D0 add rdx, rax - 0x6056cc2165 48FFC1 inc rcx - 0x6056cc2168 E9E3FFFFFF jmp 0x6056cc2150 - */ - strings: - $chunk_1 = { - 0F B6 01 - 84 C0 - 74 ?? - 48 69 D2 83 00 00 00 - 48 0F BE C0 - 48 03 D0 - 48 FF C1 - E9 ?? ?? ?? ?? 
- } - - condition: - uint16(0) == 0x5a4d and any of them - -} - -rule apt_Windows_TA410_LookBack_decryption -{ - meta: - description = "Matches encryption/decryption function used by LookBack." - reference = "https://www.welivesecurity.com/" - source = "https://github.com/eset/malware-ioc/" - license = "BSD 2-Clause" - version = "1" - author = "ESET Research" - date = "2021-10-12" - strings: - $initialize = { - 8B C6 //mov eax, esi - 99 //cdq - 83 E2 03 //and edx, 3 - 03 C2 //add eax, edx - C1 F8 02 //sar eax, 2 - 8A C8 //mov cl, al - 02 C0 //add al, al - 02 C8 //add cl, al - 88 4C 34 10 //mov byte ptr [esp + esi + 0x10], cl - 46 //inc esi - 81 FE 00 01 00 00 //cmp esi, 0x100 - 72 ?? - } - $generate = { - 8A 94 1C 10 01 ?? ?? //mov dl, byte ptr [esp + ebx + 0x110] - 8D 8C 24 10 01 ?? ?? //lea ecx, [esp + 0x110] - 0F B6 C3 //movzx eax, bl - 0F B6 44 04 10 //movzx eax, byte ptr [esp + eax + 0x10] - 32 C2 //xor al, dl - 02 F0 //add dh, al - 0F B6 C6 //movzx eax, dh - 03 C8 //add ecx, eax - 0F B6 01 //movzx eax, byte ptr [ecx] - 88 84 1C 10 01 ?? ?? //mov byte ptr [esp + ebx + 0x110], al - 43 //inc ebx - 88 11 //mov byte ptr [ecx], dl - 81 FB 00 06 00 00 //cmp ebx, 0x600 - 72 ?? //jb 0x10025930 - } - $decrypt = { - 0F B6 C6 //movzx eax, dh - 8D 8C 24 10 01 ?? ?? //lea ecx, [esp + 0x110] - 03 C8 //add ecx, eax - 8A 19 //mov bl, byte ptr [ecx] - 8A C3 //mov al, bl - 02 C6 //add al, dh - FE C6 //inc dh - 02 F8 //add bh, al - 0F B6 C7 //movzx eax, bh - 8A 94 04 10 01 ?? ?? //mov dl, byte ptr [esp + eax + 0x110] - 88 9C 04 10 01 ?? ?? //mov byte ptr [esp + eax + 0x110], bl - 88 11 //mov byte ptr [ecx], dl - 0F B6 C2 //movzx eax, dl - 0F B6 CB //movzx ecx, bl - 33 C8 //xor ecx, eax - 8A 84 0C 10 01 ?? ?? //mov al, byte ptr [esp + ecx + 0x110] - 30 04 2E //xor byte ptr [esi + ebp], al - 46 //inc esi - 3B F7 //cmp esi, edi - 7C ?? 
//jl 0x10025980 - } - condition: - uint16(0) == 0x5a4d and all of them -} - -rule apt_Windows_TA410_LookBack_loader -{ - meta: - description = "Matches the modified function in LookBack libcurl loader." - reference = "https://www.welivesecurity.com/" - source = "https://github.com/eset/malware-ioc/" - license = "BSD 2-Clause" - version = "1" - author = "ESET Research" - date = "2021-10-12" - strings: - $chunk_1 = { - FF 15 ?? ?? ?? ?? //call dword ptr [0x100530e0] - 6A 40 //push 0x40 - 68 00 10 00 00 //push 0x1000 - 68 F0 04 00 00 //push 0x4f0 - 6A 00 //push 0 - FF 15 ?? ?? ?? ?? //call dword ptr [0x100530d4] - 8B E8 //mov ebp, eax - B9 3C 01 00 00 //mov ecx, 0x13c - BE 60 30 06 10 //mov esi, 0x10063060 - 8B FD //mov edi, ebp - 68 F0 04 00 00 //push 0x4f0 - F3 A5 //rep movsd dword ptr es:[edi], dword ptr [esi] - 55 //push ebp - E8 ?? ?? ?? ?? //call 0x100258d0 - 8B 0D ?? ?? ?? ?? //mov ecx, dword ptr [0x100530e4] - A1 ?? ?? ?? ?? //mov eax, dword ptr [0x100530c8] - 68 6C 02 00 00 //push 0x26c - 89 4C 24 ?? //mov dword ptr [esp + 0x1c], ecx - 89 44 24 ?? //mov dword ptr [esp + 0x20], eax - FF 15 ?? ?? ?? ?? //call dword ptr [0x10063038] - 8B D8 //mov ebx, eax - B9 9B 00 00 00 //mov ecx, 0x9b - BE 50 35 06 10 //mov esi, 0x10063550 - 8B FB //mov edi, ebx - 68 6C 02 00 00 //push 0x26c - F3 A5 //rep movsd dword ptr es:[edi], dword ptr [esi] - 53 //push ebx - E8 ?? ?? ?? ?? //call 0x100258d0 - 83 C4 14 //add esp, 0x14 - 8D 44 24 ?? //lea eax, [esp + 0x10] - 50 //push eax - 53 //push ebx - 8D 44 24 ?? //lea eax, [esp + 0x3c] - 50 //push eax - A1 ?? ?? ?? ?? //mov eax, dword ptr [0x10063058] - FF 74 24 ?? //push dword ptr [esp + 0x28] - 03 C5 //add eax, ebp - FF D0 //call eax - } - condition: - uint16(0) == 0x5a4d and all of them -} - -rule apt_Windows_TA410_LookBack_strings -{ - meta: - description = "Matches multiple strings and export names in TA410 LookBack." 
- reference = "https://www.welivesecurity.com/" - source = "https://github.com/eset/malware-ioc/" - license = "BSD 2-Clause" - version = "1" - author = "ESET Research" - date = "2021-10-12" - strings: - $s1 = "SodomMainFree" ascii wide - $s2 = "SodomMainInit" ascii wide - $s3 = "SodomNormal.bin" ascii wide - $s4 = "SodomHttp.bin" ascii wide - $s5 = "sodom.ini" ascii wide - $s6 = "SodomMainProc" ascii wide - - condition: - uint16(0) == 0x5a4d and (2 of them or pe.exports("SodomBodyLoad") or pe.exports("SodomBodyLoadTest")) -} - -rule apt_Windows_TA410_LookBack_HTTP -{ - meta: - description = "Matches LookBack's hardcoded HTTP request" - reference = "https://www.welivesecurity.com/" - source = "https://github.com/eset/malware-ioc/" - license = "BSD 2-Clause" - version = "1" - author = "ESET Research" - date = "2021-10-12" - strings: - $s1 = "POST http://%s/status.php?r=%d%d HTTP/1.1\x0d\nAccept: text/html, application/xhtml+xml, */*\x0d\nAccept-Language: en-us\x0d\nUser-Agent: %s\x0d\nContent-Type: application/x-www-form-urlencoded\x0d\nAccept-Encoding: gzip, deflate\x0d\nHost: %s\x0d\nContent-Length: %d\x0d\nConnection: Keep-Alive\x0d\nCache-Control: no-cache\x0d\n\x0d\n" ascii wide - $s2 = "id=1&op=report&status=" - - condition: - uint16(0) == 0x5a4d and all of them -} - -rule apt_Windows_TA410_LookBack_magic -{ - meta: - description = "Matches message header creation in LookBack." - reference = "https://www.welivesecurity.com/" - source = "https://github.com/eset/malware-ioc/" - license = "BSD 2-Clause" - version = "1" - author = "ESET Research" - date = "2021-10-12" - strings: - $s1 = { - C7 03 C2 2E AB 48 //mov dword ptr [ebx], 0x48ab2ec2 - ( A1 | 8B 15 ) ?? ?? ?? ?? //mov (eax | edx), x - [0-1] //push ebp - 89 ?3 04 //mov dword ptr [ebc + 4], reg - 8B 4? 24 ?? //mov reg, dword ptr [esp + X] - 89 4? 08 //mov dword ptr [ebx + 8], ?? - 89 ?? 0C //mov dword ptr [ebx + 0xc], ?? - 8B 4? 24 ?? //mov reg, dword ptr [esp + X] - [1-2] //push 1 or 2 args - E8 ?? ?? ?? ?? 
//call - } - - condition: - uint16(0) == 0x5a4d and all of them -} - -rule apt_Windows_TA410_FlowCloud_loader_strings -{ - meta: - description = "Matches various strings found in TA410 FlowCloud first stage." - reference = "https://www.welivesecurity.com/" - source = "https://github.com/eset/malware-ioc/" - license = "BSD 2-Clause" - version = "1" - author = "ESET Research" - date = "2021-10-12" - strings: - $key = "y983nfdicu3j2dcn09wur9*^&initialize(y4r3inf;'fdskaf'SKF" - $s2 = "startModule" fullword - $s4 = "auto_start_module" wide - $s5 = "load_main_module_after_install" wide - $s6 = "terminate_if_fail" wide - $s7 = "clear_run_mru" wide - $s8 = "install_to_vista" wide - $s9 = "load_ext_module" wide - $s10= "sll_only" wide - $s11= "fail_if_already_installed" wide - $s12= "clear_hardware_info" wide - $s13= "av_check" wide fullword - $s14= "check_rs" wide - $s15= "check_360" wide - $s16= "responsor.dat" wide ascii - $s17= "auto_start_after_install_check_anti" wide fullword - $s18= "auto_start_after_install" wide fullword - $s19= "extern_config.dat" wide fullword - $s20= "is_hhw" wide fullword - $s21= "SYSTEM\\Setup\\PrintResponsor" wide - $event= "Global\\Event_{201a283f-e52b-450e-bf44-7dc436037e56}" wide ascii - $s23= "invalid encrypto hdr while decrypting" - - condition: - uint16(0) == 0x5a4d and ($key or $event or 5 of ($s*)) -} - -rule apt_Windows_TA410_FlowCloud_header_decryption -{ - meta: - description = "Matches the function used to decrypt resources headers in TA410 FlowCloud" - reference = "https://www.welivesecurity.com/" - source = "https://github.com/eset/malware-ioc/" - license = "BSD 2-Clause" - version = "1" - author = "ESET Research" - /* - 0x416a70 8B1E mov ebx, dword ptr [esi] - 0x416a72 8BCF mov ecx, edi - 0x416a74 D3CB ror ebx, cl - 0x416a76 8D0C28 lea ecx, [eax + ebp] - 0x416a79 83C706 add edi, 6 - 0x416a7c 3018 xor byte ptr [eax], bl - 0x416a7e 8B1E mov ebx, dword ptr [esi] - 0x416a80 D3CB ror ebx, cl - 0x416a82 8D0C02 lea ecx, [edx + eax] - 
0x416a85 305801 xor byte ptr [eax + 1], bl - 0x416a88 8B1E mov ebx, dword ptr [esi] - 0x416a8a D3CB ror ebx, cl - 0x416a8c 8B4C240C mov ecx, dword ptr [esp + 0xc] - 0x416a90 03C8 add ecx, eax - 0x416a92 305802 xor byte ptr [eax + 2], bl - 0x416a95 8B1E mov ebx, dword ptr [esi] - 0x416a97 D3CB ror ebx, cl - 0x416a99 8B4C2410 mov ecx, dword ptr [esp + 0x10] - 0x416a9d 03C8 add ecx, eax - 0x416a9f 305803 xor byte ptr [eax + 3], bl - 0x416aa2 8B1E mov ebx, dword ptr [esi] - 0x416aa4 D3CB ror ebx, cl - 0x416aa6 8B4C2414 mov ecx, dword ptr [esp + 0x14] - 0x416aaa 03C8 add ecx, eax - 0x416aac 83C006 add eax, 6 - 0x416aaf 3058FE xor byte ptr [eax - 2], bl - 0x416ab2 8B1E mov ebx, dword ptr [esi] - 0x416ab4 D3CB ror ebx, cl - 0x416ab6 3058FF xor byte ptr [eax - 1], bl - 0x416ab9 83FF10 cmp edi, 0x10 - 0x416abc 72B2 jb 0x416a70 - */ - strings: - $chunk_1 = { - 8B 1E - 8B CF - D3 CB - 8D 0C 28 - 83 C7 06 - 30 18 - 8B 1E - D3 CB - 8D 0C 02 - 30 58 ?? - 8B 1E - D3 CB - 8B 4C 24 ?? - 03 C8 - 30 58 ?? - 8B 1E - D3 CB - 8B 4C 24 ?? - 03 C8 - 30 58 ?? - 8B 1E - D3 CB - 8B 4C 24 ?? - 03 C8 - 83 C0 06 - 30 58 ?? - 8B 1E - D3 CB - 30 58 ?? - 83 FF 10 - 72 ?? - } - - condition: - uint16(0) == 0x5a4d and all of them -} - -rule apt_Windows_TA410_FlowCloud_dll_hijacking_strings -{ - meta: - description = "Matches filenames inside TA410 FlowCloud malicious DLL." - reference = "https://www.welivesecurity.com/" - source = "https://github.com/eset/malware-ioc/" - license = "BSD 2-Clause" - version = "1" - author = "ESET Research" - date = "2021-10-12" - strings: - $dat1 = "emedres.dat" wide - $dat2 = "vviewres.dat" wide - $dat3 = "setlangloc.dat" wide - $dll1 = "emedres.dll" wide - $dll2 = "vviewres.dll" wide - $dll3 = "setlangloc.dll" wide - condition: - uint16(0) == 0x5a4d and (all of ($dat*) or all of ($dll*)) -} - -rule apt_Windows_TA410_FlowCloud_malicious_dll_antianalysis -{ - meta: - description = "Matches anti-analysis techniques used in TA410 FlowCloud hijacking DLL." 
- reference = "https://www.welivesecurity.com/" - source = "https://github.com/eset/malware-ioc/" - license = "BSD 2-Clause" - version = "1" - author = "ESET Research" - date = "2021-10-12" - strings: - /* - 33C0 xor eax, eax - E8320C0000 call 0x10001d30 - 83C010 add eax, 0x10 - 3D00000080 cmp eax, 0x80000000 - 7D01 jge +3 - EBFF jmp +1 / jmp eax - E050 loopne 0x1000115c / push eax - C3 ret - */ - $chunk_1 = { - 33 C0 - E8 ?? ?? ?? ?? - 83 C0 10 - 3D 00 00 00 80 - 7D 01 - EB FF - E0 50 - C3 - } - condition: - uint16(0) == 0x5a4d and all of them -} - -rule apt_Windows_TA410_FlowCloud_pdb -{ - meta: - description = "Matches PDB paths found in TA410 FlowCloud." - reference = "https://www.welivesecurity.com/" - source = "https://github.com/eset/malware-ioc/" - license = "BSD 2-Clause" - version = "1" - author = "ESET Research" - date = "2021-10-12" - - condition: - uint16(0) == 0x5a4d and (pe.pdb_path contains "\\FlowCloud\\trunk\\" or pe.pdb_path contains "\\flowcloud\\trunk\\") -} - -rule apt_Windows_TA410_FlowCloud_shellcode_decryption -{ - meta: - description = "Matches the decryption function used in TA410 FlowCloud self-decrypting DLL" - reference = "https://www.welivesecurity.com/" - source = "https://github.com/eset/malware-ioc/" - license = "BSD 2-Clause" - version = "1" - author = "ESET Research" - date = "2021-10-12" - /* - 0x211 33D2 xor edx, edx - 0x213 8B4510 mov eax, dword ptr [ebp + 0x10] - 0x216 BB6B040000 mov ebx, 0x46b - 0x21b F7F3 div ebx - 0x21d 81C2A8010000 add edx, 0x1a8 - 0x223 81E2FF000000 and edx, 0xff - 0x229 8B7D08 mov edi, dword ptr [ebp + 8] - 0x22c 33C9 xor ecx, ecx - 0x22e EB07 jmp 0x237 - 0x230 301439 xor byte ptr [ecx + edi], dl - 0x233 001439 add byte ptr [ecx + edi], dl - 0x236 41 inc ecx - 0x237 3B4D0C cmp ecx, dword ptr [ebp + 0xc] - 0x23a 72F4 jb 0x230 - */ - strings: - $chunk_1 = { - 33 D2 - 8B 45 ?? - BB 6B 04 00 00 - F7 F3 - 81 C2 A8 01 00 00 - 81 E2 FF 00 00 00 - 8B 7D ?? - 33 C9 - EB ?? - 30 14 39 - 00 14 39 - 41 - 3B 4D ?? 
- 72 ?? - } - - condition: - uint16(0) == 0x5a4d and all of them -} - -rule apt_Windows_TA410_FlowCloud_fcClient_strings -{ - meta: - description = "Strings found in fcClient/rescure.dat module." - reference = "https://www.welivesecurity.com/" - source = "https://github.com/eset/malware-ioc/" - license = "BSD 2-Clause" - version = "1" - author = "ESET Research" - date = "2021-10-12" - strings: - $s1 = "df257bdd-847c-490e-9ef9-1d7dc883d3c0" - $s2 = "\\{2AFF264E-B722-4359-8E0F-947B85594A9A}" - $s3 = "Global\\{26C96B51-2B5D-4D7B-BED1-3DCA4848EDD1}" wide - $s4 = "{804423C2-F490-4ac3-BFA5-13DEDE63A71A}" wide - $s5 = "{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}" wide - $s6 = "XXXModule_func.dll" - $driver1 = "\\drivers\\hidmouse.sys" wide fullword - $driver2 = "\\drivers\\hidusb.sys" wide fullword - - condition: - uint16(0) == 0x5a4d and (any of ($s*) or all of ($driver*)) -} - -rule apt_Windows_TA410_FlowCloud_fcClientDll_strings -{ - meta: - description = "Strings found in fcClientDll/responsor.dat module." 
- reference = "https://www.welivesecurity.com/" - source = "https://github.com/eset/malware-ioc/" - license = "BSD 2-Clause" - version = "1" - author = "ESET Research" - date = "2021-10-12" - strings: - $s1 = "http://%s/html/portlet/ext/draco/resources/draco_manager.swf/[[DYNAMIC]]/1" - $s2 = "Cookie: COOKIE_SUPPORT=true; JSESSIONID=5C7E7A60D01D2891F40648DAB6CB3DF4.jvm1; COMPANY_ID=10301; ID=666e7375545678695645673d; PASSWORD=7a4b48574d746470447a303d; LOGIN=6863303130; SCREEN_NAME=4a2b455377766b657451493d; GUEST_LANGUAGE_ID=en-US" - $fc_msg = ".fc_net.msg" - $s4 = "\\pipe\\namedpipe_keymousespy_english" wide - $s5 = "8932910381748^&*^$58876$%^ghjfgsa413901280dfjslajflsdka&*(^7867=89^&*F(^&*5678f5ds765f76%&*%&*5" - $s6 = "cls_{CACB140B-0B82-4340-9B05-7983017BA3A4}" wide - $s7 = "HTTP/1.1 200 OK\x0d\nServer: Apache-Coyote/1.1\x0d\nPragma: No-cache\x0d\nCache-Control: no-cache\x0d\nExpires: Thu, 01 Jan 1970 08:00:00 CST\x0d\nLast-Modified: Fri, 27 Apr 2012 08:11:04 GMT\x0d\nContent-Type: application/xml\x0d\nContent-Length: %d\x0d\nDate: %s GMT" - $sql1 = "create table if not exists table_filed_space" - $sql2 = "create table if not exists clipboard" - $sql3 = "create trigger if not exists file_after_delete after delete on file" - $sql4 = "create trigger if not exists file_data_after_insert after insert on file_data" - $sql5 = "create trigger if not exists file_data_after_delete after delete on file_data" - $sql6 = "create trigger if not exists file_data_after_update after update on file_data" - $sql7 = "insert into file_data(file_id, ofs, data, status)" - - condition: - uint16(0) == 0x5a4d and (any of ($s*) or #fc_msg >= 8 or 4 of ($sql*)) -} - -rule apt_Windows_TA410_Rootkit_strings -{ - meta: - description = "Strings found in TA410's Rootkit" - reference = "https://www.welivesecurity.com/" - source = "https://github.com/eset/malware-ioc/" - license = "BSD 2-Clause" - version = "1" - author = "ESET Research" - date = "2021-10-12" - strings: - $driver1 = 
"\\Driver\\kbdclass" wide - $driver2 = "\\Driver\\mouclass" wide - $device1 = "\\Device\\KeyboardClass0" wide - $device2 = "\\Device\\PointerClass0" wide - $driver3 = "\\Driver\\tcpip" wide - $device3 = "\\Device\\tcp" wide - $driver4 = "\\Driver\\nsiproxy" wide - $device4 = "\\Device\\Nsi" wide - $reg1 = "\\Registry\\Machine\\SYSTEM\\Setup\\AllowStart\\ceipCommon" wide - $reg2 = "RHH%d" wide - $reg3 = "RHP%d" wide - $s1 = "\\SystemRoot\\System32\\drivers\\hidmouse.sys" wide - - condition: - uint16(0) == 0x5a4d and all of ($s1,$reg*) and (all of ($driver*) or all of ($device*)) -} - -rule apt_Windows_TA410_FlowCloud_v5_resources -{ - meta: - description = "Matches sequence of PE resource IDs found in TA410 FlowCloud version 5.0.2" - reference = "https://www.welivesecurity.com/" - source = "https://github.com/eset/malware-ioc/" - license = "BSD 2-Clause" - version = "1" - author = "ESET Research" - date = "2021-10-12" - condition: - uint16(0) == 0x5a4d and pe.number_of_resources >= 13 and - for 12 resource in pe.resources: - ( resource.type == 10 and resource.language == 1033 and - //resource name is one of 100, 1000, 10000, 1001, 101, 102, 103, 104, 105, 106, 107, 108, 109, 110, 2000, 2001 as widestring - (resource.name_string == "1\x000\x000\x00" or resource.name_string == "1\x000\x000\x000\x00" or resource.name_string == "1\x000\x000\x000\x000\x00" or - resource.name_string == "1\x000\x000\x001\x00" or resource.name_string == "1\x000\x001\x00" or resource.name_string == "1\x000\x002\x00" or - resource.name_string == "1\x000\x003\x00" or resource.name_string == "1\x000\x004\x00" or resource.name_string == "1\x000\x005\x00" or - resource.name_string == "1\x000\x006\x00" or resource.name_string == "1\x000\x007\x00" or resource.name_string == "1\x000\x008\x00" or - resource.name_string == "1\x000\x009\x00" or resource.name_string == "1\x001\x000\x00" or resource.name_string == "2\x000\x000\x000\x00" or resource.name_string == "2\x000\x000\x001\x00") - ) -} - -rule 
apt_Windows_TA410_FlowCloud_v4_resources -{ - meta: - description = "Matches sequence of PE resource IDs found in TA410 FlowCloud version 4.1.3" - reference = "https://www.welivesecurity.com/" - source = "https://github.com/eset/malware-ioc/" - license = "BSD 2-Clause" - version = "1" - author = "ESET Research" - date = "2021-10-12" - condition: - uint16(0) == 0x5a4d and pe.number_of_resources >= 6 and - for 5 resource in pe.resources: - ( resource.type == 10 and resource.language == 1033 and - // resource name is one of 10000, 10001, 10002, 10003, 10004, 10005, 10100 as wide string - (resource.name_string == "1\x000\x000\x000\x000\x00" or resource.name_string == "1\x000\x000\x000\x001\x00" or - resource.name_string == "1\x000\x000\x000\x002\x00" or resource.name_string == "1\x000\x000\x000\x003\x00" or - resource.name_string == "1\x000\x000\x000\x004\x00" or resource.name_string == "1\x000\x000\x000\x005\x00" or resource.name_string == "1\x000\x001\x000\x000\x00") - ) -} - - - -// Stantinko yara rules -// https://github.com/eset/malware-ioc/ -// -// These yara rules are provided to the community under the two-clause BSD -// license as follows: -// -// Copyright (c) 2017, ESET -// All rights reserved. -// -// Redistribution and use in source and binary forms, with or without -// modification, are permitted provided that the following conditions are met: -// -// 1. Redistributions of source code must retain the above copyright notice, this -// list of conditions and the following disclaimer. -// -// 2. Redistributions in binary form must reproduce the above copyright notice, -// this list of conditions and the following disclaimer in the documentation -// and/or other materials provided with the distribution. -// -// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" -// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -// DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE -// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER -// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, -// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE -// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -// - -import "pe" - -rule beds_plugin { - - meta: - Author = "Frédéric Vachon" - Date = "2017-07-17" - Description = "Stantinko BEDS' plugins" - Reference = "https://www.welivesecurity.com/wp-content/uploads/2017/07/Stantinko.pdf" - Source = "https://github.com/eset/malware-ioc/" - Contact = "github@eset.com" - License = "BSD 2-Clause" - - condition: - pe.exports("CheckDLLStatus") and - pe.exports("GetPluginData") and - pe.exports("InitializePlugin") and - pe.exports("IsReleased") and - pe.exports("ReleaseDLL") -} - -rule beds_dropper { - - meta: - Author = "Frédéric Vachon" - Date = "2017-07-17" - Description = "BEDS dropper" - Reference = "https://www.welivesecurity.com/wp-content/uploads/2017/07/Stantinko.pdf" - Source = "https://github.com/eset/malware-ioc/" - Contact = "github@eset.com" - License = "BSD 2-Clause" - - condition: - pe.imphash() == "a7ead4ef90d9981e25728e824a1ba3ef" - -} - -rule facebook_bot { - - meta: - Author = "Frédéric Vachon" - Date = "2017-07-17" - Description = "Stantinko's Facebook bot" - Reference = "https://www.welivesecurity.com/wp-content/uploads/2017/07/Stantinko.pdf" - Source = "https://github.com/eset/malware-ioc/" - Contact = "github@eset.com" - License = "BSD 2-Clause" - - strings: - $s1 = "m_upload_pic&return_uri=https%3A%2F%2Fm.facebook.com%2Fprofile.php" fullword ascii - $s2 = "D:\\work\\brut\\cms\\facebook\\facebookbot\\Release\\facebookbot.pdb" fullword ascii - $s3 = 
"https%3A%2F%2Fm.facebook.com%2Fcomment%2Freplies%2F%3Fctoken%3D" fullword ascii - $s4 = "reg_fb_gate=https%3A%2F%2Fm.facebook.com%2Freg" fullword ascii - $s5 = "reg_fb_ref=https%3A%2F%2Fm.facebook.com%2Freg%2F" fullword ascii - $s6 = "&return_uri_error=https%3A%2F%2Fm.facebook.com%2Fprofile.php" fullword ascii - - $x1 = "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.71 Safari/537.36" fullword ascii - $x2 = "registration@facebookmail.com" fullword ascii - $x3 = "https://m.facebook.com/profile.php?mds=" fullword ascii - $x4 = "https://upload.facebook.com/_mupload_/composer/?profile&domain=" fullword ascii - $x5 = "http://staticxx.facebook.com/connect/xd_arbiter.php?version=42#cb=ff43b202c" fullword ascii - $x6 = "https://upload.facebook.com/_mupload_/photo/x/saveunpublished/" fullword ascii - $x7 = "m.facebook.com&ref=m_upload_pic&waterfall_source=" fullword ascii - $x8 = "payload.commentID" fullword ascii - $x9 = "profile.login" fullword ascii - - condition: - ( uint16(0) == 0x5a4d and filesize < 1000KB and ( 1 of ($s*) or 3 of ($x*) ) ) or ( all of them ) -} - -rule pds_plugins { - - meta: - Author = "Frédéric Vachon" - Date = "2017-07-17" - Description = "Stantinko PDS' plugins" - Reference = "https://www.welivesecurity.com/wp-content/uploads/2017/07/Stantinko.pdf" - Source = "https://github.com/eset/malware-ioc/" - Contact = "github@eset.com" - License = "BSD 2-Clause" - - strings: - $s1 = "std::_Vector_val<CHTTPPostItem *,std::allocator<CHTTPPostItem *> >" fullword ascii - $s2 = "std::_Vector_val<CHTTPHeader *,std::allocator<CHTTPHeader *> >" fullword ascii - $s3 = "std::vector<CHTTPHeader *,std::allocator<CHTTPHeader *> >" fullword ascii - $s4 = "std::vector<CHTTPPostItem *,std::allocator<CHTTPPostItem *> >" fullword ascii - $s5 = "CHTTPHeaderManager" fullword ascii - $s6 = "CHTTPPostItemManager *" fullword ascii - $s7 = "CHTTPHeaderManager *" fullword ascii - $s8 = "CHTTPPostItemManager" fullword ascii - $s9 = 
"CHTTPHeader" fullword ascii - $s10 = "CHTTPPostItem" fullword ascii - $s11 = "std::vector<CCookie *,std::allocator<CCookie *> >" fullword ascii - $s12 = "std::_Vector_val<CCookie *,std::allocator<CCookie *> >" fullword ascii - $s13 = "CCookieManager *" fullword ascii - - condition: - ( uint16(0) == 0x5a4d and filesize < 1000KB and ( 2 of ($s*) ) ) -} - -rule stantinko_pdb { - - meta: - Author = "Frédéric Vachon" - Date = "2017-07-17" - Description = "Stantinko malware family PDB path" - Reference = "https://www.welivesecurity.com/wp-content/uploads/2017/07/Stantinko.pdf" - Source = "https://github.com/eset/malware-ioc/" - Contact = "github@eset.com" - License = "BSD 2-Clause" - - strings: - $s1 = "D:\\work\\service\\service\\" ascii - - condition: - all of them -} - -rule stantinko_droppers { - - meta: - Author = "Marc-Etienne M.Léveillé" - Date = "2017-07-17" - Description = "Stantinko droppers" - Reference = "https://www.welivesecurity.com/wp-content/uploads/2017/07/Stantinko.pdf" - Source = "https://github.com/eset/malware-ioc/" - Contact = "github@eset.com" - License = "BSD 2-Clause" - - strings: - // Bytes from the encrypted payload - $s1 = {55 8B EC 83 EC 08 53 56 BE 80 F4 45 00 57 81 EE 80 0E 41 00 56 E8 6D 23 00 00 56 8B D8 68 80 0E 41 00 53 89 5D F8 E8 65 73 00 00 8B 0D FC F5 45} - - // Keys to decrypt payload - $s2 = {7E 5E 7F 8C 08 46 00 00 AB 57 1A BB 91 5C 00 00 FA CC FD 76 90 3A 00 00} - - condition: - uint16(0) == 0x5A4D and 1 of them -} - -rule stantinko_d3d { - - meta: - Author = "Marc-Etienne M.Léveillé" - Date = "2017-07-17" - Description = "Stantinko d3dadapter component" - Reference = "https://www.welivesecurity.com/wp-content/uploads/2017/07/Stantinko.pdf" - Source = "https://github.com/eset/malware-ioc/" - Contact = "github@eset.com" - License = "BSD 2-Clause" - - condition: - pe.exports("EntryPoint") and - pe.exports("ServiceMain") and - pe.imports("WININET.DLL", "HttpAddRequestHeadersA") -} - -rule stantinko_ihctrl32 { - - meta: - Author = 
"Marc-Etienne M.Léveillé"
- Date = "2017-07-17"
- Description = "Stantinko ihctrl32 component"
- Reference = "https://www.welivesecurity.com/wp-content/uploads/2017/07/Stantinko.pdf"
- Source = "https://github.com/eset/malware-ioc/"
- Contact = "github@eset.com"
- License = "BSD 2-Clause"
-
- strings:
- $s1 = "ihctrl32.dll"
- $s2 = "win32_hlp"
- $s3 = "Ihctrl32Main"
- $s4 = "I%citi%c%size%s%c%ci%s"
- $s5 = "Global\\Intel_hctrl32"
-
- condition:
- 2 of them
-}
-
-rule stantinko_wsaudio {
-
- meta:
- Author = "Marc-Etienne M.Léveillé"
- Date = "2017-07-17"
- Description = "Stantinko wsaudio component"
- Reference = "https://www.welivesecurity.com/wp-content/uploads/2017/07/Stantinko.pdf"
- Source = "https://github.com/eset/malware-ioc/"
- Contact = "github@eset.com"
- License = "BSD 2-Clause"
-
- strings:
- // Export
- $s1 = "GetInterface"
- $s2 = "wsaudio.dll"
-
- // Event name
- $s3 = "Global\\Wsaudio_Initialize"
- $s4 = "SOFTWARE\\Classes\\%s.FieldListCtrl.1\\"
-
- condition:
- 2 of them
-}
-
-rule stantinko_ghstore {
-
- meta:
- Author = "Marc-Etienne M.Léveillé"
- Date = "2017-07-17"
- Description = "Stantinko ghstore component"
- Reference = "https://www.welivesecurity.com/wp-content/uploads/2017/07/Stantinko.pdf"
- Source = "https://github.com/eset/malware-ioc/"
- Contact = "github@eset.com"
- License = "BSD 2-Clause"
-
- strings:
- $s1 = "G%cost%sSt%c%s%s%ce%sr" wide
- $s2 = "%cho%ct%sS%sa%c%s%crve%c" wide
- $s3 = "Par%c%ce%c%c%s" wide
- $s4 = "S%c%curity%c%s%c%s" wide
- $s5 = "Sys%c%s%c%c%su%c%s%clS%c%s%serv%s%ces" wide
-
- condition:
- 3 of them
-}
diff --git a/yara-mikesxrs/eset/Gazer.yar b/yara-mikesxrs/eset/Gazer.yar
deleted file mode 100644
index 1bf3766..0000000
--- a/yara-mikesxrs/eset/Gazer.yar
+++ /dev/null
@@ -1,41 +0,0 @@
-import “pe”
-import “math”
-import “hash”
-rule Gazer_certificate_subject {
- meta:
- author = "ESET"
- reference = "https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf"
- condition:
- for any i in (0..pe.number_of_signatures - 1):
- (pe.signatures[i].subject contains “Solid Loop” or
-pe.signatures[i].subject contains “Ultimate Computer Support”)
-}
-
-rule Gazer_certificate
-{
- meta:
- author = "ESET"
- reference = "https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf"
- strings:
- $certif1 = {52 76 a4 53 cd 70 9c 18 da 65 15 7e 5f 1f de 02}
- $certif2 = {12 90 f2 41 d9 b2 80 af 77 fc da 12 c6 b4 96 9c}
- condition:
- (uint16(0) == 0x5a4d) and 1 of them and filesize < 2MB
-}
-
-rule Gazer_logfile_name
-{
- meta:
- author = "ESET"
- reference = "https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf"
- strings:
- $s1 = “CVRG72B5.tmp.cvr”
- $s2 = “CVRG1A6B.tmp.cvr”
- $s3 = “CVRG38D9.tmp.cvr”
- condition:
- (uint16(0) == 0x5a4d) and 1 of them
-}
-
-
-
-
diff --git a/yara-mikesxrs/eset/InvisiMole.yar b/yara-mikesxrs/eset/InvisiMole.yar
deleted file mode 100644
index 867903f..0000000
--- a/yara-mikesxrs/eset/InvisiMole.yar
+++ /dev/null
@@ -1,297 +0,0 @@
-// For feedback or questions contact us at: github@eset.com
-// https://github.com/eset/malware-ioc/
-//
-// These YARA rules are provided to the community under the two-clause BSD
-// license as follows:
-//
-// Copyright (c) 2021, ESET
-// All rights reserved.
-//
-// Redistribution and use in source and binary forms, with or without
-// modification, are permitted provided that the following conditions are met:
-//
-// 1. Redistributions of source code must retain the above copyright notice, this
-// list of conditions and the following disclaimer.
-//
-// 2. Redistributions in binary form must reproduce the above copyright notice,
-// this list of conditions and the following disclaimer in the documentation
-// and/or other materials provided with the distribution.
-//
-// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-
-import "pe"
-
-private rule InvisiMole_Blob {
- meta:
- description = "Detects InvisiMole blobs by magic values"
- author = "ESET Research"
- date = "2021-05-17"
- reference = "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf"
- source = "https://github.com/eset/malware-ioc/"
- license = "BSD 2-Clause"
- version = "1"
-
- strings:
- $magic_old_32 = {F9 FF D0 DE}
- $magic_old_64 = {64 FF D0 DE}
- $magic_new_32 = {86 DA 11 CE}
- $magic_new_64 = {64 DA 11 CE}
-
- condition:
- ($magic_old_32 at 0) or ($magic_old_64 at 0) or ($magic_new_32 at 0) or ($magic_new_64 at 0)
-}
-
-rule apt_Windows_InvisiMole_Logs {
- meta:
- description = "Detects log files with collected created by InvisiMole's RC2CL backdoor"
- author = "ESET Research"
- date = "2021-05-17"
- reference = "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf"
- source = "https://github.com/eset/malware-ioc/"
- license = "BSD 2-Clause"
- version = "1"
-
- condition:
- uint32(0) == 0x08F1CAA1 or
- uint32(0) == 0x08F1CAA2 or
- uint32(0) == 0x08F1CCC0 or
- uint32(0) == 0x08F2AFC0 or
- uint32(0) == 0x083AE4DF or
- uint32(0) == 0x18F2CBB1 or
- uint32(0) == 0x1900ABBA or
- uint32(0) == 0x24F2CEA1 or
- uint32(0) == 0xDA012193 or
- uint32(0) == 0xDA018993 or
- uint32(0) == 0xDA018995 or
- uint32(0) == 0xDD018991
-}
-
-rule apt_Windows_InvisiMole_SFX_Dropper {
-
- meta:
- description = "Detects trojanized InvisiMole files: patched RAR SFX droppers with added InvisiMole blobs (config encrypted XOR 2A at the end of a file)"
- author = "ESET Research"
- date = "2021-05-17"
- reference = "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf"
- source = "https://github.com/eset/malware-ioc/"
- license = "BSD 2-Clause"
- version = "1"
-
- strings:
- $encrypted_config = {5F 59 4F 58 19 18 04 4E 46 46 2A 5D 59 5A 58 43 44 5E 4C 7D 2A 0F 2A 59 2A 78 2A 4B 2A 58 2A 0E 2A 6F 2A 72 2A 4B 2A 0F 2A 4E 2A 04 2A 0F 2A 4E 2A 76 2A 0F 2A 79 2A 2A 2A 
79 42 4F 46 46 6F 52 4F 49 5F 5E 4F 7D 2A 79 42 4F 46 46 19 18 04 4E 46 46 2A 7C 43 58 5E 5F 4B 46 6B 46 46 45 49 2A 66 45 4B 4E 66 43 48 58 4B 58 53 6B}
-
- condition:
- uint16(0) == 0x5A4D and $encrypted_config
-}
-
-rule apt_Windows_InvisiMole_CPL_Loader {
- meta:
- description = "CPL loader"
- author = "ESET Research"
- date = "2021-05-17"
- reference = "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf"
- source = "https://github.com/eset/malware-ioc/"
- license = "BSD 2-Clause"
- version = "1"
-
- strings:
- $s1 = "WScr%steObject(\"WScr%s.Run(\"::{20d04fe0-3a%s30309d}\\\\::{21EC%sDD-08002B3030%s\", 0);"
- $s2 = "\\Control.js" wide
- $s3 = "\\Control Panel.lnk" wide
- $s4 = "FPC 3.0.4 [2019/04/13] for x86_64 - Win64"
- $s5 = "FPC 3.0.4 [2019/04/13] for i386 - Win32"
- $s6 = "imageapplet.dat" wide
- $s7 = "wkssvmtx"
-
- condition:
- uint16(0) == 0x5A4D and (3 of them)
-}
-
-rule apt_Windows_InvisiMole_Wrapper_DLL {
- meta:
- description = "Detects InvisiMole wrapper DLL with embedded RC2CL and RC2FM backdoors, by export and resource names"
- author = "ESET Research"
- date = "2021-05-17"
- reference = "https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/"
- source = "https://github.com/eset/malware-ioc/"
- license = "BSD 2-Clause"
- version = "1"
-
- condition:
- pe.exports("GetDataLength") and
- for any y in (0..pe.number_of_resources - 1): (
- pe.resources[y].type == pe.RESOURCE_TYPE_RCDATA and pe.resources[y].name_string == "R\x00C\x002\x00C\x00L\x00"
- ) and
- for any y in (0..pe.number_of_resources - 1): (
- pe.resources[y].type == pe.RESOURCE_TYPE_RCDATA and pe.resources[y].name_string == "R\x00C\x002\x00F\x00M\x00"
- )
-}
-
-rule apt_Windows_InvisiMole_DNS_Downloader {
-
- meta:
- description = "InvisiMole DNS downloader"
- author = "ESET Research"
- date = "2021-05-17"
- reference = "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf"
- source = 
"https://github.com/eset/malware-ioc/" - license = "BSD 2-Clause" - version = "1" - - strings: - $d = "DnsQuery_A" - - $s1 = "Wireshark-is-running-{9CA78EEA-EA4D-4490-9240-FC01FCEF464B}" xor - $s2 = "AddIns\\" ascii wide xor - $s3 = "pcornomeex." xor - $s4 = "weriahsek.rxe" xor - $s5 = "dpmupaceex." xor - $s6 = "TCPViewClass" xor - $s7 = "PROCMON_WINDOW_CLASS" xor - $s8 = "Key%C" - $s9 = "AutoEx%C" xor - $s10 = "MSO~" - $s11 = "MDE~" - $s12 = "DNS PLUGIN, Step %d" xor - $s13 = "rundll32.exe \"%s\",StartUI" - - condition: - ((uint16(0) == 0x5A4D) or InvisiMole_Blob) and $d and 5 of ($s*) -} - -rule apt_Windows_InvisiMole_RC2CL_Backdoor { - - meta: - description = "InvisiMole RC2CL backdoor" - author = "ESET Research" - date = "2021-05-17" - reference = "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf" - source = "https://github.com/eset/malware-ioc/" - license = "BSD 2-Clause" - version = "1" - - strings: - $s1 = "RC2CL" wide - - $s2 = "hp12KsNh92Dwd" wide - $s3 = "ZLib package %s: files: %d, total size: %d" wide - $s4 = "\\Un4seen" wide - $s5 = {9E 01 3A AD} // encryption key - - $s6 = "~mrc_" wide - $s7 = "~src_" wide - $s8 = "~wbc_" wide - $s9 = "zdf_" wide - $s10 = "~S0PM" wide - $s11 = "~A0FM" wide - $s12 = "~70Z63\\" wide - $s13 = "~E070C" wide - $s14 = "~N031E" wide - - $s15 = "%szdf_%s.data" wide - $s16 = "%spicture.crd" wide - $s17 = "%s70zf_%s.cab" wide - $s18 = "%spreview.crd" wide - - $s19 = "Value_Bck" wide - $s20 = "Value_WSFX_ZC" wide - $s21 = "MachineAccessStateData" wide - $s22 = "SettingsSR2" wide - - condition: - ((uint16(0) == 0x5A4D) or InvisiMole_Blob) and 5 of ($s*) -} - -rule apt_Windows_InvisiMole { - - meta: - description = "InvisiMole magic values, keys and strings" - author = "ESET Research" - date = "2021-05-17" - reference = "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf" - source = "https://github.com/eset/malware-ioc/" - license = "BSD 2-Clause" - version = "1" - - strings: 
- $s1 = "CryptProtectData" - $s2 = "CryptUnprotectData" - $s3 = {9E 01 3A AD} - $s4 = "GET /getversion2a/%d%.2X%.2X/U%sN HTTP/1.1" - $s5 = "PULSAR_LOADER.dll" - - /* - cmp reg, 0DED0FFF9h - */ - $check_magic_old_32 = {3? F9 FF D0 DE} - - /* - cmp reg, 0DED0FF64h - */ - $check_magic_old_64 = {3? 64 FF D0 DE} - - /* - cmp dword ptr [reg], 0CE11DA86h - */ - $check_magic_new_32 = {81 3? 86 DA 11 CE} - - /* - cmp dword ptr [reg], 0CE11DA64h - */ - $check_magic_new_64 = {81 3? 64 DA 11 CE} - - condition: - ((uint16(0) == 0x5A4D) or InvisiMole_Blob) and (any of ($check_magic*)) and (2 of ($s*)) -} - -rule apt_Windows_InvisiMole_C2 { - - meta: - description = "InvisiMole C&C servers" - author = "ESET Research" - date = "2021-05-17" - reference = "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf" - source = "https://github.com/eset/malware-ioc/" - license = "BSD 2-Clause" - version = "1" - - strings: - $s1 = "46.165.220.228" ascii wide - $s2 = "80.255.3.66" ascii wide - $s3 = "85.17.26.174" ascii wide - $s4 = "185.193.38.55" ascii wide - $s5 = "194.187.249.157" ascii wide - $s6 = "195.154.255.211" ascii wide - $s7 = "153.re" ascii wide fullword - $s8 = "adstat.red" ascii wide - $s9 = "adtrax.net" ascii wide - $s10 = "akamai.sytes.net" ascii wide - $s11 = "amz-eu401.com" ascii wide - $s12 = "blabla234342.sytes.net" ascii wide - $s13 = "mx1.be" ascii wide fullword - $s14 = "statad.de" ascii wide - $s15 = "time.servehttp.com" ascii wide - $s16 = "upd.re" ascii wide fullword - $s17 = "update.xn--6frz82g" ascii wide - $s18 = "updatecloud.sytes.net" ascii wide - $s19 = "updchecking.sytes.net" ascii wide - $s20 = "wlsts.net" ascii wide - $s21 = "ro2.host" ascii wide fullword - $s22 = "2ld.xyz" ascii wide fullword - $s23 = "the-haba.com" ascii wide - $s24 = "82.202.172.134" ascii wide - $s25 = "update.xn--6frz82g" ascii wide - - condition: - ((uint16(0) == 0x5A4D) or InvisiMole_Blob) and $s21 and any of them -} 
diff --git a/yara-mikesxrs/eset/Linux_Moose.yar b/yara-mikesxrs/eset/Linux_Moose.yar
deleted file mode 100644
index 0cd9f61..0000000
--- a/yara-mikesxrs/eset/Linux_Moose.yar
+++ /dev/null
@@ -1,76 +0,0 @@
-// Linux/Moose yara rules
-// For feedback or questions contact us at: github@eset.com
-// https://github.com/eset/malware-ioc/
-//
-// These yara rules are provided to the community under the two-clause BSD
-// license as follows:
-//
-// Copyright (c) 2015, ESET
-// All rights reserved.
-//
-// Redistribution and use in source and binary forms, with or without
-// modification, are permitted provided that the following conditions are met:
-//
-// 1. Redistributions of source code must retain the above copyright notice, this
-// list of conditions and the following disclaimer.
-//
-// 2. Redistributions in binary form must reproduce the above copyright notice,
-// this list of conditions and the following disclaimer in the documentation
-// and/or other materials provided with the distribution.
-//
-// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-private rule is_elf
-{
- strings:
- $header = { 7F 45 4C 46 }
-
- condition:
- $header at 0
-}
-
-rule moose
-{
- meta:
- Author = "Thomas Dupuy"
- Date = "2015/04/21"
- Description = "Linux/Moose malware"
- Reference = "http://www.welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pdf"
- Source = "https://github.com/eset/malware-ioc/"
- Contact = "github@eset.com"
- License = "BSD 2-Clause"
-
- strings:
- $s0 = "Status: OK"
- $s1 = "--scrypt"
- $s2 = "stratum+tcp://"
- $s3 = "cmd.so"
- $s4 = "/Challenge"
- $s7 = "processor"
- $s9 = "cpu model"
- $s21 = "password is wrong"
- $s22 = "password:"
- $s23 = "uthentication failed"
- $s24 = "sh"
- $s25 = "ps"
- $s26 = "echo -n -e "
- $s27 = "chmod"
- $s28 = "elan2"
- $s29 = "elan3"
- $s30 = "chmod: not found"
- $s31 = "cat /proc/cpuinfo"
- $s32 = "/proc/%s/cmdline"
- $s33 = "kill %s"
-
- condition:
- is_elf and all of them
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/eset/Mumblehard_packer.yar b/yara-mikesxrs/eset/Mumblehard_packer.yar
deleted file mode 100644
index 477cb46..0000000
--- a/yara-mikesxrs/eset/Mumblehard_packer.yar
+++ /dev/null
@@ -1,47 +0,0 @@
-// Mumblehard packer yara rule
-// https://github.com/eset/malware-ioc/
-//
-// These yara rules are provided to the community under the two-clause BSD
-// license as follows:
-//
-// Copyright (c) 2015, ESET
-// All rights reserved.
-//
-// Redistribution and use in source and binary forms, with or without
-// modification, are permitted provided that the following conditions are met:
-//
-// 1. Redistributions of source code must retain the above copyright notice, this
-// list of conditions and the following disclaimer.
-//
-// 2. Redistributions in binary form must reproduce the above copyright notice,
-// this list of conditions and the following disclaimer in the documentation
-// and/or other materials provided with the distribution.
-//
-// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-
-rule mumblehard_packer
-{
- meta:
- description = "Mumblehard i386 assembly code responsible for decrypting Perl code"
- author = "Marc-Etienne M. Leveille"
- date = "2015-04-07"
- reference = "http://www.welivesecurity.com"
- version = "1"
-
- strings:
- $decrypt = { 31 db [1-10] ba ?? 00 00 00 [0-6] (56 5f | 89 F7)
- 39 d3 75 13 81 fa ?? 00 00 00 75 02 31 d2 81 c2 ?? 
00 00
- 00 31 db 43 ac 30 d8 aa 43 e2 e2 }
- condition:
- $decrypt
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/eset/OSX_Keydnap_backdoor.yar b/yara-mikesxrs/eset/OSX_Keydnap_backdoor.yar
deleted file mode 100644
index bab6c45..0000000
--- a/yara-mikesxrs/eset/OSX_Keydnap_backdoor.yar
+++ /dev/null
@@ -1,50 +0,0 @@
-// Keydnap packer yara rule
-// https://github.com/eset/malware-ioc/
-//
-// These yara rules are provided to the community under the two-clause BSD
-// license as follows:
-//
-// Copyright (c) 2016, ESET
-// All rights reserved.
-//
-// Redistribution and use in source and binary forms, with or without
-// modification, are permitted provided that the following conditions are met:
-//
-// 1. Redistributions of source code must retain the above copyright notice, this
-// list of conditions and the following disclaimer.
-//
-// 2. Redistributions in binary form must reproduce the above copyright notice,
-// this list of conditions and the following disclaimer in the documentation
-// and/or other materials provided with the distribution.
-//
-// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-
-
-rule keydnap_backdoor
-{
- meta:
- description = "Unpacked OSX/Keydnap backdoor"
- author = "Marc-Etienne M. 
Leveille" - date = "2016-07-06" - reference = "http://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-is-hungry-for-credentials" - version = "1" - - strings: - $ = "api/osx/get_task" - $ = "api/osx/cmd_executed" - $ = "Loader-" - $ = "u2RLhh+!LGd9p8!ZtuKcN" - $ = "com.apple.iCloud.sync.daemon" - condition: - 2 of them -} \ No newline at end of file diff --git a/yara-mikesxrs/eset/OSX_Keydnap_packer.yar b/yara-mikesxrs/eset/OSX_Keydnap_packer.yar deleted file mode 100644 index 0e8d92a..0000000 --- a/yara-mikesxrs/eset/OSX_Keydnap_packer.yar +++ /dev/null 
@@ -1,51 +0,0 @@
-// Keydnap packer yara rule
-// https://github.com/eset/malware-ioc/
-//
-// These yara rules are provided to the community under the two-clause BSD
-// license as follows:
-//
-// Copyright (c) 2016, ESET
-// All rights reserved.
-//
-// Redistribution and use in source and binary forms, with or without
-// modification, are permitted provided that the following conditions are met:
-//
-// 1. Redistributions of source code must retain the above copyright notice, this
-// list of conditions and the following disclaimer.
-//
-// 2. Redistributions in binary form must reproduce the above copyright notice,
-// this list of conditions and the following disclaimer in the documentation
-// and/or other materials provided with the distribution.
-//
-// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-
-
-rule keydnap_backdoor_packer
-{
- meta:
- description = "OSX/Keydnap packed backdoor"
- author = "Marc-Etienne M. Leveille"
- date = "2016-07-06"
- reference = "http://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-is-hungry-for-credentials"
- version = "1"
-
- strings:
- $upx_string = "This file is packed with the UPX"
- $packer_magic = "ASS7"
- $upx_magic = "UPX!" 
-
- condition:
- $upx_string and $packer_magic and not $upx_magic
-}
-
-
diff --git a/yara-mikesxrs/eset/OSX_keydnap_downloader.yar b/yara-mikesxrs/eset/OSX_keydnap_downloader.yar
deleted file mode 100644
index 0e18384..0000000
--- a/yara-mikesxrs/eset/OSX_keydnap_downloader.yar
+++ /dev/null
@@ -1,49 +0,0 @@
-// Keydnap packer yara rule
-// https://github.com/eset/malware-ioc/
-//
-// These yara rules are provided to the community under the two-clause BSD
-// license as follows:
-//
-// Copyright (c) 2016, ESET
-// All rights reserved.
-//
-// Redistribution and use in source and binary forms, with or without
-// modification, are permitted provided that the following conditions are met:
-//
-// 1. Redistributions of source code must retain the above copyright notice, this
-// list of conditions and the following disclaimer.
-//
-// 2. Redistributions in binary form must reproduce the above copyright notice,
-// this list of conditions and the following disclaimer in the documentation
-// and/or other materials provided with the distribution.
-//
-// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-
-
-rule keydnap_downloader
-{
- meta:
- description = "OSX/Keydnap Downloader"
- author = "Marc-Etienne M. Leveille"
- date = "2016-07-06"
- reference = "http://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-is-hungry-for-credentials"
- version = "1"
-
- strings:
- $ = "icloudsyncd"
- $ = "killall Terminal"
- $ = "open %s"
-
- condition:
- 2 of them
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/eset/Operation Potao.yar b/yara-mikesxrs/eset/Operation Potao.yar
deleted file mode 100644
index 82cb183..0000000
--- a/yara-mikesxrs/eset/Operation Potao.yar
+++ /dev/null
@@ -1,108 +0,0 @@
-// Operation Potao yara rules
-// For feedback or questions contact us at: github@eset.com
-// https://github.com/eset/malware-ioc/
-//
-// These yara rules are provided to the community under the two-clause BSD
-// license as follows:
-//
-// Copyright (c) 2015, ESET
-// All rights reserved.
-//
-// Redistribution and use in source and binary forms, with or without
-// modification, are permitted provided that the following conditions are met:
-//
-// 1. Redistributions of source code must retain the above copyright notice, this
-// list of conditions and the following disclaimer.
-//
-// 2. Redistributions in binary form must reproduce the above copyright notice,
-// this list of conditions and the following disclaimer in the documentation
-// and/or other materials provided with the distribution.
-//
-// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-private rule PotaoDecoy
-{
- strings:
- $mz = { 4d 5a }
- $str1 = "eroqw11"
- $str2 = "2sfsdf"
- $str3 = "RtlDecompressBuffer"
- $wiki_str = "spanned more than 100 years and ruined three consecutive" wide
-
- $old_ver1 = {53 68 65 6C 6C 33 32 2E 64 6C 6C 00 64 61 66 73 72 00 00 00 64 61 66 73 72 00 00 00 64 6F 63 (00 | 78)}
- $old_ver2 = {6F 70 65 6E 00 00 00 00 64 6F 63 00 64 61 66 73 72 00 00 00 53 68 65 6C 6C 33 32 2E 64 6C 6C 00}
- condition:
- ($mz at 0) and ( (all of ($str*)) or any of ($old_ver*) or $wiki_str )
-}
-private rule PotaoDll
-{
- strings:
- $mz = { 4d 5a }
-
- $dllstr1 = "?AVCncBuffer@@"
- $dllstr2 = "?AVCncRequest@@"
- $dllstr3 = "Petrozavodskaya, 11, 9"
- $dllstr4 = "_Scan@0"
- $dllstr5 = "\x00/sync/document/"
- $dllstr6 = "\\temp.temp"
-
- $dllname1 = "node69MainModule.dll"
- $dllname2 = "node69-main.dll"
- $dllname3 = "node69MainModuleD.dll"
- $dllname4 = "task-diskscanner.dll"
- $dllname5 = "\x00Screen.dll"
- $dllname6 = "Poker2.dll"
- $dllname7 = "PasswordStealer.dll"
- $dllname8 = "KeyLog2Runner.dll"
- $dllname9 = "GetAllSystemInfo.dll"
- $dllname10 = "FilePathStealer.dll"
- condition:
- ($mz at 0) and (any of ($dllstr*) and any of ($dllname*))
-}
-private rule PotaoUSB
-{
- strings:
- $mz = { 4d 5a }
-
- $binary1 = { 33 C0 8B C8 83 E1 03 BA ?? ?? ?? 00 2B D1 8A 0A 32 88 ?? ?? ?? 00 2A C8 FE C9 88 88 ?? ?? ?? 00 40 3D ?? ?? 00 00 7C DA C3 }
- $binary2 = { 55 8B EC 51 56 C7 45 FC 00 00 00 00 EB 09 8B 45 FC 83 C0 01 89 45 FC 81 7D FC ?? ?? 00 00 7D 3D 8B 4D FC 0F BE 89 ?? ?? ?? 00 8B 45 FC 33 D2 BE 04 00 00 00 F7 F6 B8 03 00 00 00 2B C2 0F BE 90 ?? ?? ?? 00 33 CA 2B 4D FC 83 E9 01 81 E1 FF 00 00 00 8B 45 FC 88 88 ?? ?? ?? 
00 EB B1 5E 8B E5 5D C3}
- condition:
- ($mz at 0) and any of ($binary*)
-}
-private rule PotaoSecondStage
-{
- strings:
- $mz = { 4d 5a }
- // hash of CryptBinaryToStringA and CryptStringToBinaryA
- $binary1 = {51 7A BB 85 [10-180] E8 47 D2 A8}
- // old hash of CryptBinaryToStringA and CryptStringToBinaryA
- $binary2 = {5F 21 63 DD [10-30] EC FD 33 02}
- $binary3 = {CA 77 67 57 [10-30] BA 08 20 7A}
-
- $str1 = "?AVCrypt32Import@@"
- $str2 = "%.5llx"
- condition:
- ($mz at 0) and any of ($binary*) and any of ($str*)
-}
-rule Potao
-{
- meta:
- Author = "Anton Cherepanov"
- Date = "2015/07/29"
- Description = "Operation Potao"
- Reference = "http://www.welivesecurity.com/wp-content/uploads/2015/07/Operation-Potao-Express_final_v2.pdf"
- Source = "https://github.com/eset/malware-ioc/"
- Contact = "threatintel@eset.com"
- License = "BSD 2-Clause"
- condition:
- PotaoDecoy or PotaoDll or PotaoUSB or PotaoSecondStage
-}
diff --git a/yara-mikesxrs/eset/Operation Windigo.yar b/yara-mikesxrs/eset/Operation Windigo.yar
deleted file mode 100644
index a0b7ed8..0000000
--- a/yara-mikesxrs/eset/Operation Windigo.yar
+++ /dev/null
@@ -1,59 +0,0 @@
-// Operation Windigo yara rules
-// For feedback or questions contact us at: windigo@eset.sk
-// https://github.com/eset/malware-ioc/
-//
-// These yara rules are provided to the community under the two-clause BSD
-// license as follows:
-//
-// Copyright (c) 2014, ESET
-// All rights reserved.
-//
-// Redistribution and use in source and binary forms, with or without
-// modification, are permitted provided that the following conditions are met:
-//
-// 1. Redistributions of source code must retain the above copyright notice, this
-// list of conditions and the following disclaimer.
-//
-// 2. Redistributions in binary form must reproduce the above copyright notice,
-// this list of conditions and the following disclaimer in the documentation
-// and/or other materials provided with the distribution.
-//
-// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-rule onimiki
-{
- meta:
- description = "Linux/Onimiki malicious DNS server"
- malware = "Linux/Onimiki"
- operation = "Windigo"
- author = "Olivier Bilodeau <bilodeau@eset.com>"
- created = "2014-02-06"
- reference = "http://www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf"
- contact = "windigo@eset.sk"
- source = "https://github.com/eset/malware-ioc/"
- license = "BSD 2-Clause"
-
- strings:
- // code from offset: 0x46CBCD
- $a1 = {43 0F B6 74 2A 0E 43 0F B6 0C 2A 8D 7C 3D 00 8D}
- $a2 = {74 35 00 8D 4C 0D 00 89 F8 41 F7 E3 89 F8 29 D0}
- $a3 = {D1 E8 01 C2 89 F0 C1 EA 04 44 8D 0C 92 46 8D 0C}
- $a4 = {8A 41 F7 E3 89 F0 44 29 CF 29 D0 D1 E8 01 C2 89}
- $a5 = {C8 C1 EA 04 44 8D 04 92 46 8D 04 82 41 F7 E3 89}
- $a6 = {C8 44 29 C6 29 D0 D1 E8 01 C2 C1 EA 04 8D 04 92}
- $a7 = {8D 04 82 29 C1 42 0F B6 04 21 42 88 84 14 C0 01}
- $a8 = {00 00 42 0F B6 04 27 43 88 04 32 42 0F B6 04 26}
- $a9 = {42 88 84 14 A0 01 00 00 49 83 C2 01 49 83 FA 07}
-
- condition:
- all of them
-}
diff --git a/yara-mikesxrs/eset/PotaoNew.yara b/yara-mikesxrs/eset/PotaoNew.yara
deleted file mode 100644
index 82cb183..0000000
--- a/yara-mikesxrs/eset/PotaoNew.yara
+++ /dev/null
@@ -1,108 +0,0 @@
-// Operation Potao yara rules
-// For feedback or questions contact us at: github@eset.com
-// https://github.com/eset/malware-ioc/
-//
-// These yara rules are provided to the community under the two-clause BSD
-// license as follows:
-//
-// Copyright (c) 2015, ESET
-// All rights reserved.
-//
-// Redistribution and use in source and binary forms, with or without
-// modification, are permitted provided that the following conditions are met:
-//
-// 1. Redistributions of source code must retain the above copyright notice, this
-// list of conditions and the following disclaimer.
-//
-// 2. Redistributions in binary form must reproduce the above copyright notice,
-// this list of conditions and the following disclaimer in the documentation
-// and/or other materials provided with the distribution.
-//
-// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-private rule PotaoDecoy
-{
- strings:
- $mz = { 4d 5a }
- $str1 = "eroqw11"
- $str2 = "2sfsdf"
- $str3 = "RtlDecompressBuffer"
- $wiki_str = "spanned more than 100 years and ruined three consecutive" wide
-
- $old_ver1 = {53 68 65 6C 6C 33 32 2E 64 6C 6C 00 64 61 66 73 72 00 00 00 64 61 66 73 72 00 00 00 64 6F 63 (00 | 78)}
- $old_ver2 = {6F 70 65 6E 00 00 00 00 64 6F 63 00 64 61 66 73 72 00 00 00 53 68 65 6C 6C 33 32 2E 64 6C 6C 00}
- condition:
- ($mz at 0) and ( (all of ($str*)) or any of ($old_ver*) or $wiki_str )
-}
-private rule PotaoDll
-{
- strings:
- $mz = { 4d 5a }
-
- $dllstr1 = "?AVCncBuffer@@"
- $dllstr2 = "?AVCncRequest@@"
- $dllstr3 = "Petrozavodskaya, 11, 9"
- $dllstr4 = "_Scan@0"
- $dllstr5 = "\x00/sync/document/"
- $dllstr6 = "\\temp.temp"
-
- $dllname1 = "node69MainModule.dll"
- $dllname2 = "node69-main.dll"
- $dllname3 = "node69MainModuleD.dll"
- $dllname4 = "task-diskscanner.dll"
- $dllname5 = "\x00Screen.dll"
- $dllname6 = "Poker2.dll"
- $dllname7 = "PasswordStealer.dll"
- $dllname8 = "KeyLog2Runner.dll"
- $dllname9 = "GetAllSystemInfo.dll"
- $dllname10 = "FilePathStealer.dll"
- condition:
- ($mz at 0) and (any of ($dllstr*) and any of ($dllname*))
-}
-private rule PotaoUSB
-{
- strings:
- $mz = { 4d 5a }
-
- $binary1 = { 33 C0 8B C8 83 E1 03 BA ?? ?? ?? 00 2B D1 8A 0A 32 88 ?? ?? ?? 00 2A C8 FE C9 88 88 ?? ?? ?? 00 40 3D ?? ?? 00 00 7C DA C3 }
- $binary2 = { 55 8B EC 51 56 C7 45 FC 00 00 00 00 EB 09 8B 45 FC 83 C0 01 89 45 FC 81 7D FC ?? ?? 00 00 7D 3D 8B 4D FC 0F BE 89 ?? ?? ?? 00 8B 45 FC 33 D2 BE 04 00 00 00 F7 F6 B8 03 00 00 00 2B C2 0F BE 90 ?? ?? ?? 00 33 CA 2B 4D FC 83 E9 01 81 E1 FF 00 00 00 8B 45 FC 88 88 ?? ?? ?? 
00 EB B1 5E 8B E5 5D C3}
- condition:
- ($mz at 0) and any of ($binary*)
-}
-private rule PotaoSecondStage
-{
- strings:
- $mz = { 4d 5a }
- // hash of CryptBinaryToStringA and CryptStringToBinaryA
- $binary1 = {51 7A BB 85 [10-180] E8 47 D2 A8}
- // old hash of CryptBinaryToStringA and CryptStringToBinaryA
- $binary2 = {5F 21 63 DD [10-30] EC FD 33 02}
- $binary3 = {CA 77 67 57 [10-30] BA 08 20 7A}
-
- $str1 = "?AVCrypt32Import@@"
- $str2 = "%.5llx"
- condition:
- ($mz at 0) and any of ($binary*) and any of ($str*)
-}
-rule Potao
-{
- meta:
- Author = "Anton Cherepanov"
- Date = "2015/07/29"
- Description = "Operation Potao"
- Reference = "http://www.welivesecurity.com/wp-content/uploads/2015/07/Operation-Potao-Express_final_v2.pdf"
- Source = "https://github.com/eset/malware-ioc/"
- Contact = "threatintel@eset.com"
- License = "BSD 2-Clause"
- condition:
- PotaoDecoy or PotaoDll or PotaoUSB or PotaoSecondStage
-}
diff --git a/yara-mikesxrs/eset/Prikormka.yar b/yara-mikesxrs/eset/Prikormka.yar
deleted file mode 100644
index 8b27db2..0000000
--- a/yara-mikesxrs/eset/Prikormka.yar
+++ /dev/null
@@ -1,165 +0,0 @@
-// Operation Groundbait yara rules
-// For feedback or questions contact us at: github@eset.com
-// https://github.com/eset/malware-ioc/
-//
-// These yara rules are provided to the community under the two-clause BSD
-// license as follows:
-//
-// Copyright (c) 2016, ESET
-// All rights reserved.
-//
-// Redistribution and use in source and binary forms, with or without
-// modification, are permitted provided that the following conditions are met:
-//
-// 1. Redistributions of source code must retain the above copyright notice, this
-// list of conditions and the following disclaimer.
-//
-// 2. Redistributions in binary form must reproduce the above copyright notice,
-// this list of conditions and the following disclaimer in the documentation
-// and/or other materials provided with the distribution.
-//
-// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-
-private rule PrikormkaDropper
-{
- meta:
- Author = "Anton Cherepanov"
- Date = "2016/05/10"
- Description = "Operation Groundbait"
- Source = "https://github.com/eset/malware-ioc/"
- Contact = "threatintel@eset.com"
- License = "BSD 2-Clause"
-
- strings:
- $mz = { 4D 5A }
-
- $kd = "KDSTORAGE" wide
- $kd = "KDSTORAGE_64" wide
- $kd = "KDRUNDRV32" wide
- $kd = "KDRAR" wide
-
- $bin = {69 65 04 15 00 14 1E 4A 16 42 08 6C 21 61 24 0F}
- $bin = {76 6F 05 04 16 1B 0D 5E 0D 42 08 6C 20 45 18 16}
- $bin = {4D 00 4D 00 43 00 00 00 67 00 75 00 69 00 64 00 56 00 47 00 41 00 00 00 5F 00 73 00 76 00 67 00}
-
- $inj = "?AVCinj2008Dlg@@" ascii
- $inj = "?AVCinj2008App@@" ascii
- condition:
- ($mz at 0) and ((any of ($bin)) or (3 of ($kd)) or (all of ($inj)))
-}
-
-private rule PrikormkaModule
-{
- meta:
- Author = "Anton Cherepanov"
- Date = "2016/05/10"
- Description = "Operation Groundbait"
- Source = "https://github.com/eset/malware-ioc/"
- Contact = "threatintel@eset.com"
- License = "BSD 2-Clause"
-
- strings:
- $mz = { 4D 5A }
-
- // binary
- $str = {6D 70 2E 64 6C 6C 00 53 74 61 72 74 69 6E 67 00}
- $str = {68 6C 70 75 63 74 66 2E 64 6C 6C 00 43 79 63 6C 65}
- $str = {00 6B 6C 2E 64 6C 6C 00 53 74 61 72 74 69 6E 67 00}
- $str = {69 6F 6D 75 73 2E 64 6C 6C 00 53 74 61 72 74 69 6E 67}
- $str = {61 74 69 6D 6C 2E 64 6C 6C 00 4B 69 63 6B 49 6E 50 6F 69 6E 74}
- $str = {73 6E 6D 2E 64 6C 6C 00 47 65 74 52 65 61 64 79 46 6F 72 44 65 61 64}
- $str = {73 63 72 73 68 2E 64 6C 6C 00 47 65 74 52 65 61 64 79 46 6F 72 44 65 61 64}
-
- // encrypted
- $str = {50 52 55 5C 17 51 58 17 5E 4A}
- $str = {60 4A 55 55 4E 53 58 4B 17 52 57 17 5E 4A}
- $str = {55 52 5D 4E 5B 4A 5D 17 51 58 17 5E 4A}
- $str = {60 4A 55 55 4E 61 17 51 58 17 5E 4A}
- $str = {39 5D 17 1D 1C 0A 3C 57 59 3B 1C 1E 57 58 4C 54 0F}
-
- // mutex
- $str = "ZxWinDeffContex" ascii wide
- $str = "Paramore756Contex43" wide
- $str = "Zw_&one@ldrContext43" wide
-
- // other
- $str = "A95BL765MNG2GPRS"
-
- // dll names
- $str = "helpldr.dll" wide fullword
- $str = "swma.dll" wide fullword
- $str = "iomus.dll" wide fullword
- $str = "atiml.dll" wide fullword
- $str = "hlpuctf.dll" wide fullword
- $str = "hauthuid.dll" ascii wide fullword
-
- // rbcon
- $str = "[roboconid][%s]" ascii fullword
- $str = "[objectset][%s]" ascii fullword
- $str = "rbcon.ini" wide fullword
-
- // files and logs
- $str = "%s%02d.%02d.%02d_%02d.%02d.%02d.skw" ascii fullword
- $str = "%02d.%02d.%02d_%02d.%02d.%02d.%02d.rem" wide fullword
-
- // pdb strings
- $str = ":\\!PROJECTS!\\Mina\\2015\\" ascii
- $str = "\\PZZ\\RMO\\" ascii
- $str = ":\\work\\PZZ" ascii
- $str = "C:\\Users\\mlk\\" ascii
- $str = ":\\W o r k S p a c e\\" ascii
- $str = "D:\\My\\Projects_All\\2015\\" ascii
- $str = "\\TOOLS PZZ\\Bezzahod\\" ascii
-
- condition:
- ($mz at 0) and (any of ($str))
-}
-
-private rule PrikormkaEarlyVersion
-{
- meta:
- Author = "Anton Cherepanov"
- Date = "2016/05/10"
- Description = "Operation Groundbait"
- Source = "https://github.com/eset/malware-ioc/"
- Contact = "threatintel@eset.com"
- License = "BSD 2-Clause"
-
- strings:
- $mz = { 4D 5A }
-
- $str = "IntelRestore" ascii fullword
- $str = "Resent" wide fullword
- $str = "ocp8.1" wide fullword
- $str = "rsfvxd.dat" ascii fullword
- $str = "tsb386.dat" ascii fullword
- $str = "frmmlg.dat" ascii fullword
- $str = "smdhost.dll" ascii fullword
- $str = "KDLLCFX" wide fullword
- $str = "KDLLRUNDRV" wide fullword
- condition:
- ($mz at 0) and (2 of ($str))
-}
-
-rule Prikormka
-{
- meta:
- Author = "Anton Cherepanov"
- Date = "2016/05/10"
- Description = "Operation Groundbait"
- Source = "https://github.com/eset/malware-ioc/"
- Contact = "threatintel@eset.com"
- License = "BSD 2-Clause"
- condition:
- PrikormkaDropper or PrikormkaModule or PrikormkaEarlyVersion
-}
diff --git a/yara-mikesxrs/eset/SparklingGoblin.yar b/yara-mikesxrs/eset/SparklingGoblin.yar
deleted file mode 100644
index 8c1b827..0000000
--- a/yara-mikesxrs/eset/SparklingGoblin.yar
+++ /dev/null
@@ -1,489 +0,0 @@
-// For feedback or questions contact us at: github@eset.com
-// https://github.com/eset/malware-ioc/
-//
-// These yara rules are provided to the community under the two-clause BSD
-// license as follows:
-//
-// Copyright (c) 2021, ESET
-// All rights reserved.
-//
-// Redistribution and use in source and binary forms, with or without
-// modification, are permitted provided that the following conditions are met:
-//
-// 1. Redistributions of source code must retain the above copyright notice, this
-// list of conditions and the following disclaimer.
-//
-// 2. Redistributions in binary form must reproduce the above copyright notice,
-// this list of conditions and the following disclaimer in the documentation
-// and/or other materials provided with the distribution.
-//
-// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-
-import "pe"
-rule SparklingGoblin_ChaCha20Loader_RichHeader
-{
- meta:
- author = "ESET Research"
- copyright = "ESET Research"
- description = "Rule matching ChaCha20 loaders rich header"
- date = "2021-03-30"
- reference = "http://welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/"
- source = "https://github.com/eset/malware-ioc/"
- license = "BSD 2-Clause"
-
- hash = "09FFE37A54BC4EBEBD8D56098E4C76232F35D821"
- hash = "29B147B76BB0D9E09F7297487CB972E6A2905586"
- hash = "33F2C3DE2457B758FC5824A2B253AD7C7C2E9E37"
- hash = "45BEF297CE78521EAC6EE39E7603E18360E67C5A"
- hash = "4CEC7CDC78D95C70555A153963064F216DAE8799"
- hash = "4D4C1A062A0390B20732BA4D65317827F2339B80"
- hash = "4F6949A4906B834E83FF951E135E0850FE49D5E4"
-
- condition:
- pe.rich_signature.length >= 104 and pe.rich_signature.length <= 112 and
- pe.rich_signature.toolid(241, 40116) >= 5 and pe.rich_signature.toolid(241, 40116) <= 10 and
- pe.rich_signature.toolid(147, 30729) == 11 and
- pe.rich_signature.toolid(264, 24215) >= 15 and pe.rich_signature.toolid(264, 24215) <= 16
-}
-
-rule SparklingGoblin_ChaCha20
-{
- meta:
- author = "ESET Research"
- copyright = "ESET Research"
- description = "SparklingGoblin ChaCha20 implementations"
- date = "2021-05-20"
- reference = "http://welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/"
- source = "https://github.com/eset/malware-ioc/"
- license = "BSD 2-Clause"
-
- hash = "2EDBEA43F5C40C867E5B6BBD93CC972525DF598B"
- hash = "B6D245D3D49B06645C0578804064CE0C072CBE0F"
- hash = "8BE6D5F040D0085C62B1459AFC627707B0DE89CF"
- hash = "4668302969FE122874FB2447A80378DCB671C86B"
- hash = "9BDECB08E16A23D271D0A3E836D9E7F83D7E2C3B"
- hash = "9CE7650F2C08C391A35D69956E171932D116B8BD"
- hash = "91B32E030A1F286E7D502CA17E107D4BFBD7394A"
-
- strings:
- // 32-bits version
- $chunk_1 = {
- 8B 4D ??
- 56
- 8B 75 ??
- 57
- 8B 7D ??
- 8B 04 BB
- 01 04 93
- 8B 04 B3
- 33 04 93
- C1 C0 10
- 89 04 B3
- 01 04 8B
- 8B 04 BB
- 33 04 8B
- C1 C0 0C
- 89 04 BB
- 01 04 93
- 8B 04 B3
- 33 04 93
- C1 C0 08
- 89 04 B3
- 01 04 8B
- 8B 04 BB
- 33 04 8B
- C1 C0 07
- 89 04 BB
- }
- // 64-bits version
- $chunk_2 = {
- 03 4D ??
- 44 03 C0
- 03 55 ??
- 33 F1
- 45 33 D8
- C1 C6 10
- 44 33 F2
- 41 C1 C3 10
- 41 03 FB
- 41 C1 C6 10
- 45 03 E6
- 41 03 DA
- 44 33 CB
- 44 03 EE
- 41 C1 C1 10
- 8B C7
- 33 45 ??
- 45 03 F9
- C1 C0 0C
- 44 03 C0
- 45 33 D8
- 44 89 45 ??
- 41 C1 C3 08
- 41 03 FB
- 44 8B C7
- 44 33 C0
- 41 8B C5
- 33 45 ??
- C1 C0 0C
- 03 C8
- 41 C1 C0 07
- 33 F1
- 89 4D ??
- C1 C6 08
- 44 03 EE
- 41 8B CD
- 33 C8
- 41 8B C4
- 33 45 ??
- C1 C0 0C
- 03 D0
- C1 C1 07
- 44 33 F2
- 89 55 ??
- 41 C1 C6 08
- 45 03 E6
- 41 8B D4
- 33 D0
- 41 8B C7
- 41 33 C2
- C1 C2 07
- C1 C0 0C
- 03 D8
- 44 33 CB
- 41 C1 C1 08
- 45 03 F9
- 45 8B D7
- 44 33 D0
- 8B 45 ??
- 03 C1
- 41 C1 C2 07
- 44 33 C8
- 89 45 ??
- 41 C1 C1 10
- 45 03 E1
- 41 8B C4
- 33 C1
- 8B 4D ??
- C1 C0 0C
- 03 C8
- 44 33 C9
- 89 4D ??
- 89 4D ??
- 41 C1 C1 08
- 45 03 E1
- 41 8B CC
- 33 C8
- 8B 45 ??
- C1 C1 07
- 89 4D ??
- 89 4D ??
- 03 C2
- 41 03 D8
- 89 45 ??
- 41 33 C3
- C1 C0 10
- 44 03 F8
- 41 8B CF
- 33 CA
- 8B 55 ??
- }
- $chunk_3 = {
- C7 45 ?? 65 78 70 61
- 4C 8D 45 ??
- C7 45 ?? 6E 64 20 33
- 4D 8B F9
- C7 45 ?? 32 2D 62 79
- 4C 2B C1
- C7 45 ?? 74 65 20 6B
- }
- $chunk_4 = {
- 0F B6 02
- 0F B6 4A ??
- C1 E1 08
- 0B C8
- 0F B6 42 ??
- C1 E1 08
- 0B C8
- 0F B6 42 ??
- C1 E1 08
- 0B C8
- 41 89 0C 10
- 48 8D 52 ??
- 49 83 E9 01
- }
- // 64-bits version
- $chunk_5 = {
- 03 4D ??
- 44 03 C0
- 03 55 ??
- 33 F1
- 41 33 F8
- C1 C6 10
- 44 33 F2
- C1 C7 10
- 44 03 DF
- 41 C1 C6 10
- 45 03 E6
- 44 03 CB
- 45 33 D1
- 44 03 EE
- 41 C1 C2 10
- 41 8B C3
- 33 45 ??
- 45 03 FA
- C1 C0 0C
- 44 03 C0
- 41 33 F8
- 44 89 45 ??
- C1 C7 08
- 44 03 DF
- 45 8B C3
- 44 33 C0
- 41 8B C5
- 33 45 ??
- C1 C0 0C
- 03 C8
- 41 C1 C0 07
- 33 F1
- 89 4D ??
- C1 C6 08
- 44 03 EE
- 41 8B CD
- 33 C8
- 41 8B C4
- 33 45 ??
- C1 C0 0C
- 03 D0
- C1 C1 07
- 44 33 F2
- 89 55 ??
- 41 C1 C6 08
- 45 03 E6
- 41 8B D4
- 33 D0
- 41 8B C7
- 33 C3
- C1 C2 07
- C1 C0 0C
- 44 03 C8
- 45 33 D1
- 41 C1 C2 08
- 45 03 FA
- 41 8B DF
- 33 D8
- 8B 45 ??
- 03 C1
- C1 C3 07
- 44 33 D0
- 89 45 ??
- 41 C1 C2 10
- 45 03 E2
- 41 8B C4
- 33 C1
- 8B 4D ??
- C1 C0 0C
- 03 C8
- 44 33 D1
- 89 4D ??
- 89 4D ??
- 41 C1 C2 08
- 45 03 E2
- 41 8B CC
- 33 C8
- 8B 45 ??
- C1 C1 07
- 89 4D ??
- 89 4D ??
- 03 C2
- 45 03 C8
- 89 45 ??
- 33 C7
- C1 C0 10
- 44 03 F8
- 41 8B CF
- 33 CA
- 8B 55 ??
- C1 C1 0C
- 03 D1
- 8B FA
- 89 55 ??
- 33 F8
- 89 55 ??
- 8B 55 ??
- 03 D3
- C1 C7 08
- 44 03 FF
- 41 8B C7
- 33 C1
- C1 C0 07
- 89 45 ??
- 89 45 ??
- 8B C2
- 33 C6
- C1 C0 10
- 44 03 D8
- 41 33 DB
- C1 C3 0C
- 03 D3
- 8B F2
- 89 55 ??
- 33 F0
- 41 8B C1
- 41 33 C6
- C1 C6 08
- C1 C0 10
- 44 03 DE
- 44 03 E8
- 41 33 DB
- 41 8B CD
- C1 C3 07
- 41 33 C8
- 44 8B 45 ??
- C1 C1 0C
- 44 03 C9
- 45 8B F1
- 44 33 F0
- 41 C1 C6 08
- 45 03 EE
- 41 8B C5
- 33 C1
- 8B 4D ??
- C1 C0 07
- }
-
- condition:
- any of them and filesize < 450KB
-
-}
-
-rule SparklingGoblin_EtwEventWrite
-{
- meta:
- author = "ESET Research"
- copyright = "ESET Research"
- description = "SparklingGoblin EtwEventWrite patching"
- date = "2021-05-20"
- reference = "http://welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/"
- source = "https://github.com/eset/malware-ioc/"
- license = "BSD 2-Clause"
-
- hash = "2EDBEA43F5C40C867E5B6BBD93CC972525DF598B"
- hash = "B6D245D3D49B06645C0578804064CE0C072CBE0F"
- hash = "8BE6D5F040D0085C62B1459AFC627707B0DE89CF"
- hash = "4668302969FE122874FB2447A80378DCB671C86B"
- hash = "9BDECB08E16A23D271D0A3E836D9E7F83D7E2C3B"
- hash = "9CE7650F2C08C391A35D69956E171932D116B8BD"
-
- strings:
- // 64-bits version
- $chunk_1 = {
- 48 8D 0D ?? ?? ?? ??
- C7 44 24 ?? 48 31 C0 C3
- FF 15 ?? ?? ?? ??
- 48 8B C8
- 48 8D 15 ?? ?? ?? ??
- FF 15 ?? ?? ?? ??
- 83 64 24 ?? 00
- 4C 8D 4C 24 ??
- BF 04 00 00 00
- 48 8B C8
- 8B D7
- 48 8B D8
- 44 8D 47 ??
- FF 15 ?? ?? ?? ??
- 44 8B C7
- 48 8D 54 24 ??
- 48 8B CB
- E8 ?? ?? ?? ??
- 44 8B 44 24 ??
- 4C 8D 4C 24 ??
- 8B D7
- 48 8B CB
- FF 15 ?? ?? ?? ??
- 48 8B 05 ?? ?? ?? ??
- }
- // 32-bits version
- $chunk_2 = {
- 55
- 8B EC
- 51
- 51
- 57
- 68 08 1A 41 00
- 66 C7 45 ?? C2 14
- C6 45 ?? 00
- FF 15 ?? ?? ?? ??
- 68 10 1A 41 00
- 50
- FF 15 ?? ?? ?? ??
- 83 65 ?? 00
- 8B F8
- 8D 45 ??
- 50
- 6A 40
- 6A 03
- 57
- FF 15 ?? ?? ?? ??
- 6A 03
- 8D 45 ??
- 50
- 57
- E8 ?? ?? ?? ??
- 83 C4 0C
- 8D 45 ??
- 50
- FF 75 ??
- 6A 03
- 57
- FF 15 ?? ?? ?? ??
- }
- // 64-bits version
- $chunk_3 = {
- 48 8D 0D ?? ?? ?? ??
- C7 44 24 ?? 48 31 C0 C3
- FF 15 ?? ?? ?? ??
- 48 8B C8
- 48 8D 15 ?? ?? ?? ??
- FF 15 ?? ?? ?? ??
- }
-
- condition:
- any of them
-}
-
-rule SparklingGoblin_Mutex
-{
- meta:
- author = "ESET Research"
- copyright = "ESET Research"
- description = "SparklingGoblin ChaCha20 loaders mutexes"
- date = "2021-05-20"
- reference = "http://welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/"
- source = "https://github.com/eset/malware-ioc/"
- license = "BSD 2-Clause"
-
- hash = "2EDBEA43F5C40C867E5B6BBD93CC972525DF598B"
- hash = "B6D245D3D49B06645C0578804064CE0C072CBE0F"
- hash = "8BE6D5F040D0085C62B1459AFC627707B0DE89CF"
- hash = "4668302969FE122874FB2447A80378DCB671C86B"
- hash = "9BDECB08E16A23D271D0A3E836D9E7F83D7E2C3B"
- hash = "9CE7650F2C08C391A35D69956E171932D116B8BD"
-
- strings:
- $mutex_1 = "kREwdFrOlvASgP4zWZyV89m6T2K0bIno"
- $mutex_2 = "v5EPQFOImpTLaGZes3Nl1JSKHku8AyCw"
-
- condition:
- any of them
-}
diff --git a/yara-mikesxrs/eset/Turla_Carbon.yar b/yara-mikesxrs/eset/Turla_Carbon.yar
deleted file mode 100644
index c0d3ef3..0000000
--- a/yara-mikesxrs/eset/Turla_Carbon.yar
+++ /dev/null
@@ -1,28 +0,0 @@
-import “pe”
-
-rule generic_carbon
-{
- meta:
- author = "ESET Research"
- date = "2017-03-30"
- description = "Turla Carbon malware"
- reference = "https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/"
-strings:
- $s1 = “ModStart”
- $s2 = “ModuleStart”
- $t1 = “STOP|OK”
- $t2 = “STOP|KILL”
-condition:
- (uint16(0) == 0x5a4d) and (1 of ($s*)) and (1 of ($t*))
-}
-
-rule carbon_metadata
-{
- meta:
- author = "ESET Research"
- date = "2017-03-30"
- description = "Turla Carbon malware"
- reference = "https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/"
-condition:
- (pe.version_info[“InternalName”] contains “SERVICE.EXE” or pe.version_info[“InternalName”] contains “MSIMGHLP.DLL” or pe.version_info[“InternalName”] contains “MSXIML.DLL”) and pe.version_info[“CompanyName”] contains “Microsoft Corporation”
-}
diff --git a/yara-mikesxrs/eset/badiis.yar b/yara-mikesxrs/eset/badiis.yar
deleted file mode 100644
index b9502c5..0000000
--- a/yara-mikesxrs/eset/badiis.yar
+++ /dev/null
@@ -1,552 +0,0 @@
-// For feedback or questions contact us at: github@eset.com
-// https://github.com/eset/malware-ioc/
-//
-// These YARA rules are provided to the community under the two-clause BSD
-// license as follows:
-//
-// Copyright (c) 2021, ESET
-// All rights reserved.
-//
-// Redistribution and use in source and binary forms, with or without
-// modification, are permitted provided that the following conditions are met:
-//
-// 1. Redistributions of source code must retain the above copyright notice, this
-// list of conditions and the following disclaimer.
-//
-// 2. Redistributions in binary form must reproduce the above copyright notice,
-// this list of conditions and the following disclaimer in the documentation
-// and/or other materials provided with the distribution.
-//
-// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-
-import "pe"
-
-private rule IIS_Native_Module {
- meta:
- description = "Signature to match an IIS native module (clean or malicious)"
- author = "ESET Research"
- date = "2021-08-04"
- reference = "https://www.welivesecurity.com/"
- source = "https://github.com/eset/malware-ioc/"
- license = "BSD 2-Clause"
- version = "1"
-
- strings:
- $e1 = "This module subscribed to event"
- $e2 = "CHttpModule::OnBeginRequest"
- $e3 = "CHttpModule::OnPostBeginRequest"
- $e4 = "CHttpModule::OnAuthenticateRequest"
- $e5 = "CHttpModule::OnPostAuthenticateRequest"
- $e6 = "CHttpModule::OnAuthorizeRequest"
- $e7 = "CHttpModule::OnPostAuthorizeRequest"
- $e8 = "CHttpModule::OnResolveRequestCache"
- $e9 = "CHttpModule::OnPostResolveRequestCache"
- $e10 = "CHttpModule::OnMapRequestHandler"
- $e11 = "CHttpModule::OnPostMapRequestHandler"
- $e12 = "CHttpModule::OnAcquireRequestState"
- $e13 = "CHttpModule::OnPostAcquireRequestState"
- $e14 = "CHttpModule::OnPreExecuteRequestHandler"
- $e15 = "CHttpModule::OnPostPreExecuteRequestHandler"
- $e16 = "CHttpModule::OnExecuteRequestHandler"
- $e17 = "CHttpModule::OnPostExecuteRequestHandler"
- $e18 = "CHttpModule::OnReleaseRequestState"
- $e19 = "CHttpModule::OnPostReleaseRequestState"
- $e20 = "CHttpModule::OnUpdateRequestCache"
- $e21 = "CHttpModule::OnPostUpdateRequestCache"
- $e22 = "CHttpModule::OnLogRequest"
- $e23 = "CHttpModule::OnPostLogRequest"
- $e24 = "CHttpModule::OnEndRequest"
- $e25 = "CHttpModule::OnPostEndRequest"
- $e26 = "CHttpModule::OnSendResponse"
- $e27 = "CHttpModule::OnMapPath"
- $e28 = "CHttpModule::OnReadEntity"
- $e29 = "CHttpModule::OnCustomRequestNotification"
- $e30 = "CHttpModule::OnAsyncCompletion"
- $e31 = "CGlobalModule::OnGlobalStopListening"
- $e32 = "CGlobalModule::OnGlobalCacheCleanup"
- $e33 = "CGlobalModule::OnGlobalCacheOperation"
- $e34 = "CGlobalModule::OnGlobalHealthCheck"
- $e35 = "CGlobalModule::OnGlobalConfigurationChange"
- $e36 = "CGlobalModule::OnGlobalFileChange"
- $e37 = "CGlobalModule::OnGlobalApplicationStart"
- $e38 = "CGlobalModule::OnGlobalApplicationResolveModules"
- $e39 = "CGlobalModule::OnGlobalApplicationStop"
- $e40 = "CGlobalModule::OnGlobalRSCAQuery"
- $e41 = "CGlobalModule::OnGlobalTraceEvent"
- $e42 = "CGlobalModule::OnGlobalCustomNotification"
- $e43 = "CGlobalModule::OnGlobalThreadCleanup"
- $e44 = "CGlobalModule::OnGlobalApplicationPreload"
-
- condition:
- uint16(0) == 0x5A4D and pe.exports("RegisterModule") and any of ($e*)
-}
-
-rule IIS_Group01_IISRaid {
-
- meta:
- description = "Detects Group 1 native IIS malware family (IIS-Raid derivates)"
- author = "ESET Research"
- date = "2021-08-04"
- reference = "https://www.welivesecurity.com/"
- source = "https://github.com/eset/malware-ioc/"
- license = "BSD 2-Clause"
- version = "1"
-
- strings:
- $s1 = "cmd.exe" ascii wide
- $s2 = "CMD"
- $s3 = "PIN"
- $s4 = "INJ"
- $s5 = "DMP"
- $s6 = "UPL"
- $s7 = "DOW"
- $s8 = "C:\\Windows\\System32\\credwiz.exe" ascii wide
-
- $p1 = "C:\\Windows\\Temp\\creds.db"
- $p2 = "C:\\Windows\\Temp\\thumbs.db"
- $p3 = "C:\\Windows\\Temp\\AAD30E0F.tmp"
- $p4 = "X-Chrome-Variations"
- $p5 = "X-Cache"
- $p6 = "X-Via"
- $p7 = "COM_InterProt"
- $p8 = "X-FFEServer"
- $p9 = "X-Content-Type-Options"
- $p10 = "Strict-Transport-Security"
- $p11 = "X-Password"
- $p12 = "XXXYYY-Ref"
- $p13 = "X-BLOG"
- $p14 = "X-BlogEngine"
-
- condition:
- IIS_Native_Module and 3 of ($s*) and any of ($p*)
-}
-
-rule IIS_Group02 {
-
- meta:
- description = "Detects Group 2 native IIS malware family"
- author = "ESET Research"
- date = "2021-08-04"
- reference = "https://www.welivesecurity.com/"
- source = "https://github.com/eset/malware-ioc/"
- license = "BSD 2-Clause"
- version = "1"
-
- strings:
- $s1 = "HttpModule.pdb" ascii wide
- $s2 = "([\\w+%]+)=([^&]*)"
- $s3 = "([\\w+%]+)=([^!]*)"
- $s4 = "cmd.exe"
- $s5 = "C:\\Users\\Iso\\Documents\\Visual Studio 2013\\Projects\\IIS 5\\x64\\Release\\Vi.pdb" ascii wide
- $s6 = "AVRSAFunction"
-
- condition:
- IIS_Native_Module and 3 of ($s*)
-}
-
-rule IIS_Group03 {
-
- meta:
- description = "Detects Group 3 native IIS malware family"
- author = "ESET Research"
- date = "2021-08-04"
- reference = "https://www.welivesecurity.com/"
- source = "https://github.com/eset/malware-ioc/"
- license = "BSD 2-Clause"
- version = "1"
-
- strings:
- $s1 = "IIS-Backdoor.dll"
- $s2 = "CryptStringToBinaryA"
- $s3 = "CreateProcessA"
- $s4 = "X-Cookie"
-
- condition:
- IIS_Native_Module and 3 of ($s*)
-}
-
-rule IIS_Group04_RGDoor {
-
- meta:
- description = "Detects Group 4 native IIS malware family (RGDoor)"
- author = "ESET Research"
- date = "2021-08-04"
- reference = "https://www.welivesecurity.com/"
- reference = "https://unit42.paloaltonetworks.com/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/"
- source = "https://github.com/eset/malware-ioc/"
- license = "BSD 2-Clause"
- version = "1"
-
- strings:
- $i1 = "RGSESSIONID="
- $s2 = "upload$"
- $s3 = "download$"
- $s4 = "cmd$"
- $s5 = "cmd.exe"
-
- condition:
- IIS_Native_Module and ($i1 or all of ($s*))
-}
-
-rule IIS_Group05_IIStealer {
-
- meta:
- description = "Detects Group 5 native IIS malware family (IIStealer)"
- author = "ESET Research"
- date = "2021-08-04"
- reference = "https://www.welivesecurity.com/"
- source = "https://github.com/eset/malware-ioc/"
- license = "BSD 2-Clause"
- version = "1"
-
- strings:
- $s1 = "tojLrGzFMbcDTKcH" ascii wide
- $s2 = "4vUOj3IutgtrpVwh" ascii wide
- $s3 = "SoUnRCxgREXMu9bM" ascii wide
- $s4 = "9Zr1Z78OkgaXj1Xr" ascii wide
- $s5 = "cache.txt" ascii wide
- $s6 = "/checkout/checkout.aspx" ascii wide
- $s7 = "/checkout/Payment.aspx" ascii wide
- $s8 = "/privacy.aspx"
- $s9 = "X-IIS-Data"
- $s10 = "POST"
-
- // string stacking of "/checkout/checkout.aspx"
- $s11 = {C7 ?? CF 2F 00 63 00 C7 ?? D3 68 00 65 00 C7 ?? D7 63 00 6B 00 C7 ?? DB 6F 00 75 00 C7 ?? DF 74 00 2F 00 C7 ?? E3 63 00 68 00 C7 ?? E7 65 00 63 00 C7 ?? EB 6B 00 6F 00 C7 ?? EF 75 00 74 00 C7 ?? F3 2E 00 61 00 C7 ?? F7 73 00 70 00 C7 ?? FB 78 00 00 00}
-
- // string stacking of "/privacy.aspx"
- $s12 = {C7 ?? AF 2F 00 70 00 C7 ?? B3 72 00 69 00 C7 ?? B7 76 00 61 00 C7 ?? BB 63 00 79 00 C7 ?? BF 2E 00 61 00 C7 ?? C3 73 00 70 00 C7 ?? C7 78 00 00 00}
-
- condition:
- IIS_Native_Module and 3 of ($s*)
-}
-
-rule IIS_Group06_ISN {
-
- meta:
- description = "Detects Group 6 native IIS malware family (ISN)"
- author = "ESET Research"
- date = "2021-08-04"
- reference = "https://www.welivesecurity.com/"
- reference = "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-curious-case-of-the-malicious-iis-module/"
- source = "https://github.com/eset/malware-ioc/"
- license = "BSD 2-Clause"
- version = "1"
-
- strings:
- $s1 = "isn7 config reloaded"
- $s2 = "isn7 config NOT reloaded, not found or empty"
- $s3 = "isn7 log deleted"
- $s4 = "isn7 log not deleted, ERROR 0x%X"
- $s5 = "isn7 log NOT found"
- $s6 = "isn_reloadconfig"
- $s7 = "D:\\soft\\Programming\\C++\\projects\\isapi\\isn7"
- $s8 = "get POST failed %d"
- $s9 = "isn7.dll"
-
- condition:
- IIS_Native_Module and 3 of ($s*)
-}
-
-rule IIS_Group07_IISpy {
-
- meta:
- description = "Detects Group 7 native IIS malware family (IISpy)"
- author = "ESET Research"
- date = "2021-08-04"
- reference = "https://www.welivesecurity.com/"
- source = "https://github.com/eset/malware-ioc/"
- license = "BSD 2-Clause"
- version = "1"
-
- strings:
- $s1 = "/credential/username"
- $s2 = "/credential/password"
- $s3 = "/computer/domain"
- $s4 = "/computer/name"
- $s5 = "/password"
- $s6 = "/cmd"
- $s7 = "%.8s%.8s=%.8s%.16s%.8s%.16s"
- $s8 = "ImpersonateLoggedOnUser"
- $s9 = "WNetAddConnection2W"
-
- $t1 = "X-Forwarded-Proto"
- $t2 = "Sec-Fetch-Mode"
- $t3 = "Sec-Fetch-Site"
- $t4 = "Cookie"
-
- // PNG IEND
- $t5 = {49 45 4E 44 AE 42 60 82}
-
- // PNG HEADER
- $t6 = {89 50 4E 47 0D 0A 1A 0A 00 00 00 0D 49 48 44 52}
-
- condition:
- IIS_Native_Module and 2 of ($s*) and any of ($t*)
-}
-
-rule IIS_Group08 {
-
- meta:
- description = "Detects Group 8 native IIS malware family"
- author = "ESET Research"
- date = "2021-08-04"
- reference = "https://www.welivesecurity.com/"
- source = "https://github.com/eset/malware-ioc/"
- license = "BSD 2-Clause"
- version = "1"
-
- strings:
- $i1 = "FliterSecurity.dll"
- $i2 = "IIS7NativeModule.dll"
- $i3 = "Ver1.0."
-
- $s1 = "Cmd"
- $s2 = "Realy path : %s"
- $s3 = "Logged On Users : %d"
- $s4 = "Connect OK!"
- $s5 = "You are fucked!"
- $s6 = "Shit!Error"
- $s7 = "Where is the God!!"
- $s8 = "Shit!Download False!"
- $s9 = "Good!Run OK!"
- $s10 = "Shit!Run False!"
- $s11 = "Good!Download OK!"
- $s12 = "[%d]safedog"
- $s13 = "ed81bfc09d069121"
- $s14 = "a9478ef01967d190"
- $s15 = "af964b7479e5aea2"
- $s16 = "1f9e6526bea65b59"
- $s17 = "2b9e9de34f782d31"
- $s18 = "33cc5da72ac9d7bb"
- $s19 = "b1d71f4c2596cd55"
- $s20 = "101fb9d9e86d9e6c"
-
- condition:
- IIS_Native_Module and 1 of ($i*) and 3 of ($s*)
-}
-
-rule IIS_Group09 {
-
- meta:
- description = "Detects Group 9 native IIS malware family"
- author = "ESET Research"
- date = "2021-08-04"
- reference = "https://www.welivesecurity.com/"
- source = "https://github.com/eset/malware-ioc/"
- license = "BSD 2-Clause"
- version = "1"
-
- strings:
- $i1 = "FliterSecurity.dll"
- $i2 = {56565656565656565656565656565656}
- $i3 = "app|hot|alp|svf|fkj|mry|poc|doc|20" xor
- $i4 = "yisouspider|yisou|soso|sogou|m.sogou|sogo|sogou|so.com|baidu|bing|360" xor
- $i5 = "baidu|m.baidu|soso|sogou|m.sogou|sogo|sogou|so.com|google|youdao" xor
- $i6 = "118|abc|1go|evk" xor
-
- $s1 = "AVCFuckHttpModuleFactory"
- $s2 = "X-Forward"
- $s3 = "fuck32.dat"
- $s4 = "fuck64.dat"
- $s5 = "&ipzz1="
- $s6 = "&ipzz2="
- $s7 = "&uuu="
-
- $s8 = "http://20.3323sf.c" xor
- $s9 = "http://bj.whtjz.c" xor
- $s10 = "http://bj2.wzrpx.c" xor
- $s11 = "http://cs.whtjz.c" xor
- $s12 = "http://df.e652.c" xor
- $s13 = "http://dfcp.yyphw.c" xor
- $s14 = "http://es.csdsx.c" xor
- $s15 = "http://hz.wzrpx.c" xor
- $s16 = "http://id.3323sf.c" xor
- $s17 = "http://qp.008php.c" xor
- $s18 = "http://qp.nmnsw.c" xor
- $s19 = "http://sc.300bt.c" xor
- $s20 = "http://sc.wzrpx.c" xor
- $s21 = "http://sf2223.c" xor
- $s22 = "http://sx.cmdxb.c" xor
- $s23 = "http://sz.ycfhx.c" xor
- $s24 = "http://xpq.0660sf.c" xor
- $s25 = "http://xsc.b1174.c" xor
-
- condition:
- IIS_Native_Module and any of ($i*) and 3 of ($s*)
-}
-
-rule IIS_Group10 {
-
- meta:
- description = "Detects Group 10 native IIS malware family"
- author = "ESET Research"
- date = "2021-08-04"
- reference = "https://www.welivesecurity.com/"
- source = "https://github.com/eset/malware-ioc/"
- license = "BSD 2-Clause"
- version = "1"
-
- strings:
- $s1 = "IIS7.dll"
- $s2 = "<title>(.*?)title(.*?)>"
- $s3 = "<meta(.*?)name(.*?)=(.*?)keywords(.*?)>"
- $s4 = "<meta(.*?)name(.*?)=(.*?)description(.*?)>"
- $s5 = "js.breakavs.co"
- $s6 = "微信群-赛车PK10群【进群微信fun57644】_幸运飞艇_幸运28群"
- $s7 = "北京赛车微信群,北京微信赛车群,北京赛车微信群,PK10群,北京赛车pk10微信群,PK10微信群,赛车微信群,北京赛车群,"
- $s8 = "北京赛车微信群,北京微信赛车群【进群微信号fun57644】北京微信赛车群,北京微信赛车"
-
- $e1 = "Baiduspider"
- $e2 = "Sosospider"
- $e3 = "Sogou web spider"
- $e4 = "360Spider"
- $e5 = "YisouSpider"
- $e6 = "sogou.com"
- $e7 = "soso.com"
- $e8 = "uc.cn"
- $e9 = "baidu.com"
- $e10 = "sm.cn"
-
- condition:
- IIS_Native_Module and 2 of ($e*) and 3 of ($s*)
-}
-
-rule IIS_Group11 {
-
- meta:
- description = "Detects Group 11 native IIS malware family"
- author = "ESET Research"
- date = "2021-08-04"
- reference = "https://www.welivesecurity.com/"
- source = "https://github.com/eset/malware-ioc/"
- license = "BSD 2-Clause"
- version = "1"
-
- strings:
- $s1 = "DnsQuery_A"
- $s2 = "&reurl="
- $s3 = "&jump=1"
-
- // encrypted "HTTP_cmd" (SUB 2)
- $s4 = "JVVRaeof"
-
- // encrypted "lanke88" (SUB 2)
- $s5 = "ncpmg::0"
-
- // encrypted "xinxx.allsoulu[.]com" (SUB 2)
- $s6 = "zkpzz0cnnuqwnw0eqo"
-
- // encrypted "http://www.allsoulu[.]com/1.php?cmdout=" (SUB 2)
- $s7 = "jvvr<11yyy0cnnuqwnw0eqo130rjrAeofqwv?"
-
- condition:
- IIS_Native_Module and 3 of ($s*)
-}
-
-rule IIS_Group12 {
-
- meta:
- description = "Detects Group 12 native IIS malware family"
- author = "ESET Research"
- date = "2021-08-04"
- reference = "https://www.welivesecurity.com/"
- source = "https://github.com/eset/malware-ioc/"
- license = "BSD 2-Clause"
- version = "1"
-
- strings:
- $s1 = "C:\\inetpub\\temp\\IIS Temporary Compressed Files\\"
- $s2 = "F5XFFHttpModule.dll"
- $s3 = "gtest_redir"
- $s4 = "\\cmd.exe" nocase
- $s5 = "iuuq;00" // encrypted "http://" (ADD 1)
- $s6 = "?xhost="
- $s7 = "&reurl="
- $s8 = "?jump=1"
- $s9 = "app|zqb"
- $s10 = "ifeng|ivc|sogou|so.com|baidu|google|youdao|yahoo|bing|118114|biso|gougou|sooule|360|sm|uc"
- $s11 = "sogou|so.com|baidu|google|youdao|yahoo|bing|gougou|sooule|360|sm.cn|uc"
- $s12 = "Hotcss/|Hotjs/"
- $s13 = "HotImg/|HotPic/"
- $s14 = "msf connect error !!"
- $s15 = "download ok !!"
- $s16 = "download error !! "
- $s17 = "param error !!"
- $s18 = "Real Path: "
- $s19 = "unknown cmd !"
-
- // hardcoded hash values
- $b1 = {15 BD 01 2E [-] 5E 40 08 97 [-] CF 8C BE 30 [-] 28 42 C6 3B}
- $b2 = {E1 0A DC 39 [-] 49 BA 59 AB [-] BE 56 E0 57 [-] F2 0F 88 3E}
-
- condition:
- IIS_Native_Module and 5 of them
-}
-
-rule IIS_Group13_IISerpent {
-
- meta:
- description = "Detects Group 13 native IIS malware family (IISerpent)"
- author = "ESET Research"
- date = "2021-08-04"
- reference = "https://www.welivesecurity.com/"
- source = "https://github.com/eset/malware-ioc/"
- license = "BSD 2-Clause"
- version = "1"
-
- strings:
- $s1 = "/mconfig/lunlian.txt"
- $s2 = "http://sb.qrfy.ne"
- $s3 = "folderlinkpath"
- $s4 = "folderlinkcount"
- $s5 = "onlymobilespider"
- $s6 = "redirectreferer"
- $s7 = "loadSuccessfull : "
- $s8 = "spider"
- $s9 = "<a href="
- $s11 = "?ReloadModuleConfig=1"
- $s12 = "?DisplayModuleConfig=1"
-
- condition:
- IIS_Native_Module and 5 of them
-}
-
-rule IIS_Group14 {
-
- meta:
- description = "Detects Group 14 native IIS malware family"
- author = "ESET Research"
- date = "2021-08-04"
- reference = "https://www.welivesecurity.com/"
- source = "https://github.com/eset/malware-ioc/"
- license = "BSD 2-Clause"
- version = "1"
-
- strings:
- $i1 = "agent-self: %s"
- $i2 = "/utf.php?key="
- $i3 = "/self.php?v="
- $i4 = "<script type=\"text/javascript\" src=\"//speed.wlaspsd.co"
- $i5 = "now.asmkpo.co"
-
- $s1 = "Baiduspider"
- $s2 = "360Spider"
- $s3 = "Sogou"
- $s4 = "YisouSpider"
- $s6 = "HTTP_X_FORWARDED_FOR"
-
-
- condition:
- IIS_Native_Module and 2 of ($i*) or 5 of them
-}
diff --git a/yara-mikesxrs/eset/kobalos.yar b/yara-mikesxrs/eset/kobalos.yar
deleted file mode 100644
index 17207d7..0000000
--- a/yara-mikesxrs/eset/kobalos.yar
+++ /dev/null
@@ -1,57 +0,0 @@
-// For feedback or questions contact us at: github@eset.com
-// https://github.com/eset/malware-ioc/
-//
-// These YARA rules are provided to the community under the two-clause BSD
-// license as follows:
-//
-// Copyright (c) 2020, ESET
-// All rights reserved.
-//
-// Redistribution and use in source and binary forms, with or without
-// modification, are permitted provided that the following conditions are met:
-//
-// 1. Redistributions of source code must retain the above copyright notice, this
-// list of conditions and the following disclaimer.
-//
-// 2. Redistributions in binary form must reproduce the above copyright notice,
-// this list of conditions and the following disclaimer in the documentation
-// and/or other materials provided with the distribution.
-//
-// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-
-rule kobalos
-{
- meta:
- description = "Kobalos malware"
- author = "Marc-Etienne M.Léveillé"
- date = "2020-11-02"
- reference = "http://www.welivesecurity.com"
- reference2 = "https://www.welivesecurity.com/wp-content/uploads/2021/01/ESET_Kobalos.pdf"
- source = "https://github.com/eset/malware-ioc/"
- license = "BSD 2-Clause"
- version = "1"
-
- strings:
- $encrypted_strings_sizes = {
- 05 00 00 00 09 00 00 00 04 00 00 00 06 00 00 00
- 08 00 00 00 08 00 00 00 02 00 00 00 02 00 00 00
- 01 00 00 00 01 00 00 00 05 00 00 00 07 00 00 00
- 05 00 00 00 05 00 00 00 05 00 00 00 0A 00 00 00
- }
- $password_md5_digest = { 3ADD48192654BD558A4A4CED9C255C4C }
- $rsa_512_mod_header = { 10 11 02 00 09 02 00 }
- $strings_rc4_key = { AE0E05090F3AC2B50B1BC6E91D2FE3CE }
-
- condition:
- any of them
-}
diff --git a/yara-mikesxrs/eset/kobalos_ssh_credential_stealer.yar b/yara-mikesxrs/eset/kobalos_ssh_credential_stealer.yar
deleted file mode 100644
index c13ba95..0000000
--- a/yara-mikesxrs/eset/kobalos_ssh_credential_stealer.yar
+++ /dev/null
@@ -1,50 +0,0 @@
-
-// For feedback or questions contact us at: github@eset.com
-// https://github.com/eset/malware-ioc/
-//
-// These YARA rules are provided to the community under the two-clause BSD
-// license as follows:
-//
-// Copyright (c) 2020, ESET
-// All rights reserved.
-//
-// Redistribution and use in source and binary forms, with or without
-// modification, are permitted provided that the following conditions are met:
-//
-// 1. Redistributions of source code must retain the above copyright notice, this
-// list of conditions and the following disclaimer.
-//
-// 2. Redistributions in binary form must reproduce the above copyright notice,
-// this list of conditions and the following disclaimer in the documentation
-// and/or other materials provided with the distribution.
-//
-// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-
-rule kobalos_ssh_credential_stealer {
- meta:
- description = "Kobalos SSH credential stealer seen in OpenSSH client"
- author = "Marc-Etienne M.Léveillé"
- date = "2020-11-02"
- reference = "http://www.welivesecurity.com"
- reference2 = "https://www.welivesecurity.com/wp-content/uploads/2021/01/ESET_Kobalos.pdf"
- source = "https://github.com/eset/malware-ioc/"
- license = "BSD 2-Clause"
- version = "1"
-
- strings:
- $ = "user: %.128s host: %.128s port %05d user: %.128s password: %.128s"
-
- condition:
- any of them
-}
-
diff --git a/yara-mikesxrs/eset/linux_rakos.yar b/yara-mikesxrs/eset/linux_rakos.yar
deleted file mode 100644
index 6904c92..0000000
--- a/yara-mikesxrs/eset/linux_rakos.yar
+++ /dev/null
@@ -1,53 +0,0 @@
-// Linux/Rakos yara rule
-// https://github.com/eset/malware-ioc/
-//
-// These yara rules are provided to the community under the two-clause BSD
-// license as follows:
-//
-// Copyright (c) 2016, ESET
-// All rights reserved.
-//
-// Redistribution and use in source and binary forms, with or without
-// modification, are permitted provided that the following conditions are met:
-//
-// 1. Redistributions of source code must retain the above copyright notice, this
-// list of conditions and the following disclaimer.
-//
-// 2. Redistributions in binary form must reproduce the above copyright notice,
-// this list of conditions and the following disclaimer in the documentation
-// and/or other materials provided with the distribution.
-//
-// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-
-
-rule linux_rakos
-{
- meta:
- description = "Linux/Rakos.A executable"
- author = "Peter Kálnai"
- date = "2016-12-13"
- reference = "http://www.welivesecurity.com/2016/12/20/new-linuxrakos-threat-devices-servers-ssh-scan/"
- version = "1"
- contact = "threatintel@eset.com"
- license = "BSD 2-Clause"
-
-
- strings:
- $ = "upgrade/vars.yaml"
- $ = "MUTTER"
- $ = "/tmp/.javaxxx"
- $ = "uckmydi"
-
- condition:
- 3 of them
-}
diff --git a/yara-mikesxrs/eset/skip20_sqllang_hook.yar b/yara-mikesxrs/eset/skip20_sqllang_hook.yar
deleted file mode 100644
index e469163..0000000
--- a/yara-mikesxrs/eset/skip20_sqllang_hook.yar
+++ /dev/null
@@ -1,69 +0,0 @@
-// For feedback or questions contact us at: github@eset.com
-// https://github.com/eset/malware-ioc/
-//
-// These yara rules are provided to the community under the two-clause BSD
-// license as follows:
-//
-// Copyright (c) 2019, ESET
-// All rights reserved.
-//
-// Redistribution and use in source and binary forms, with or without
-// modification, are permitted provided that the following conditions are met:
-//
-// 1. Redistributions of source code must retain the above copyright notice, this
-// list of conditions and the following disclaimer.
-//
-// 2. Redistributions in binary form must reproduce the above copyright notice,
-// this list of conditions and the following disclaimer in the documentation
-// and/or other materials provided with the distribution.
-//
-// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-
-rule skip20_sqllang_hook
-{
- meta:
- author = "Mathieu Tartare <mathieu.tartare@eset.com>"
- date = "21-10-2019"
- description = "YARA rule to detect if a sqllang.dll version is targeted by skip-2.0. Each byte pattern corresponds to a function hooked by skip-2.0. If $1_0 or $1_1 match, it is probably targeted as it corresponds to the hook responsible for bypassing the authentication."
- reference = "https://www.welivesecurity.com/"
- source = "https://github.com/eset/malware-ioc/"
- contact = "github@eset.com"
- license = "BSD 2-Clause"
-
- strings:
- $1_0 = {ff f3 55 56 57 41 56 48 81 ec c0 01 00 00 48 c7 44 24 38 fe ff ff ff}
- $1_1 = {48 8b c3 4c 8d 9c 24 a0 00 00 00 49 8b 5b 10 49 8b 6b 18 49 8b 73 20 49 8b 7b 28 49 8b e3 41 5e c3 90 90 90 90 90 90 90 ff 25}
- $2_0 = {ff f3 55 57 41 55 48 83 ec 58 65 48 8b 04 25 30 00 00 00}
- $2_1 = {48 8b 5c 24 30 48 8b 74 24 38 48 83 c4 20 5f c3 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ff 25}
- $3_0 = {89 4c 24 08 4c 8b dc 49 89 53 10 4d 89 43 18 4d 89 4b 20 57 48 81 ec 90 00 00 00}
- $3_1 = {4c 8d 9c 24 20 01 00 00 49 8b 5b 40 49 8b 73 48 49 8b e3 41 5f 41 5e 41 5c 5f 5d c3}
- $4_0 = {ff f5 41 56 41 57 48 81 ec 90 00 00 00 48 8d 6c 24 50 48 c7 45 28 fe ff ff ff 48 89 5d 60 48 89 75 68 48 89 7d 70 4c 89 65 78}
- $4_1 = {8b c1 48 8b 8c 24 30 02 00 00 48 33 cc}
- $5_0 = {48 8b c4 57 41 54 41 55 41 56 41 57 48 81 ec 90 03 00 00 48 c7 80 68 fd ff ff fe ff ff ff 48 89 58 18 48 89 70 20}
- $5_1 = {48 c7 80 68 fd ff ff fe ff ff ff 48 89 58 18 48 89 70 20}
- $6_0 = {44 88 4c 24 20 44 89 44 24 18 48 89 54 24 10 48 89 4c 24 08 53 56 57 41 54 41 55 41 56 41 57 48 81 ec 80 01 00 00}
- $6_1 = {48 89 4c 24 08 53 56 57 41 54 41 55 41 56 41 57 48 81 ec 80 01 00 00 48 c7 84 24 e8 00 00 00 fe ff ff ff}
- $7_0 = {08 48 89 74 24 10 57 48 83 ec 20 49 63 d8 48 8b f2 48 8b f9 45 85 c0}
- $7_1 = {20 49 63 d8 48 8b f2 48 8b f9 45 85}
- $8_0 = {48 89 01 48 8b c2 48 c7 41 08 04 00 00 00 c3 90 90 90 90 90 90 90 90 90 90 89 91 40 [11300-] ff f5 56 57 41 54 41 55 41 56 41 57 48 8b ec 48 83 ec 70}
- $9_0 = {48 89 01 48 8b c2 48 c7 41 08 04 00 00 00 c3 90 90 90 90 90 90 90 90 90 90 89 91 40 [40050-] 48 8b c4 55 41 54 41 55 41 56 41 57 48 8b ec 48 83 ec 60}
- $10_0 = {41 56 48 83 ec 50 48 c7 44 24 20 fe ff ff ff 48 89 5c 24 60 48 89 6c 24 68 48 89 74 24 70 48 89 7c 24 78 48 8b d9 33 ed 8b f5 89 6c}
- $10_1 = {48 8b 42 18 4c 89 90 f0
00 00 00 44 89 90 f8 00 00 00 c7 80 fc 00 00 00 1b 00 00 00 48 8b c2 c3 90 90 90}
- $11_0 = {48 89 01 48 8b c2 48 c7 41 08 04 00 00 00 c3 90 90 90 90 90 90 90 90 90 90 89 91 40 [40700-] 48 8b c4 55 41 54 41 55 41 56 41 57 48 8b ec 48 83 ec 60}
- $12_0 = {48 89 01 48 8b c2 48 c7 41 08 04 00 00 00 c3 90 90 90 90 90 90 90 90 90 90 89 91 40 [10650-] 48 8b c4 55 41 54 41 55 41 56 41 57 48 8b ec 48 83 ec 60}
- $13_0 = {48 89 01 48 8b c2 48 c7 41 08 04 00 00 00 c3 90 90 90 90 90 90 90 90 90 90 89 91 40 [41850-] ff f5 56 57 41 54 41 55 41 56 41 57 48 8b ec 48 83 ec 70}
- $14_0 = {48 89 01 48 8b c2 48 c7 41 08 04 00 00 00 c3 90 90 90 90 90 90 90 90 90 90 89 91 40 [42600-] ff f7 48 83 ec 50 48 c7 44 24 20 fe ff ff ff}
-
- condition:
- any of them
-}
diff --git a/yara-mikesxrs/eset/sshdoor.yar b/yara-mikesxrs/eset/sshdoor.yar
deleted file mode 100644
index adcce57..0000000
--- a/yara-mikesxrs/eset/sshdoor.yar
+++ /dev/null
@@ -1,572 +0,0 @@
-// For feedback or questions contact us at: github@eset.com
-// https://github.com/eset/malware-ioc/
-//
-// These yara rules are provided to the community under the two-clause BSD
-// license as follows:
-//
-// Copyright (c) 2018, ESET
-// All rights reserved.
-//
-// Redistribution and use in source and binary forms, with or without
-// modification, are permitted provided that the following conditions are met:
-//
-// 1. Redistributions of source code must retain the above copyright notice, this
-// list of conditions and the following disclaimer.
-//
-// 2. Redistributions in binary form must reproduce the above copyright notice,
-// this list of conditions and the following disclaimer in the documentation
-// and/or other materials provided with the distribution.
-//
-// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-
-private rule ssh_client : sshdoor {
- meta:
- description = "Signature to match the clean (or not) OpenSSH client (ssh)"
- author = "Marc-Etienne M.Leveille"
- email = "leveille@eset.com"
- reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf"
- date = "2018-12-05"
- license = "BSD 2-Clause"
-
- strings:
- $usage = "usage: ssh ["
- $old_version = "-L listen-port:host:port"
-
- condition:
- $usage or $old_version
-}
-
-private rule ssh_daemon : sshdoor {
- meta:
- description = "Signature to match the clean (or not) OpenSSH daemon (sshd)"
- author = "Marc-Etienne M.Leveille"
- email = "leveille@eset.com"
- reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf"
- date = "2018-12-05"
- license = "BSD 2-Clause"
-
- strings:
- $usage = "usage: sshd ["
- $old_version = "Listen on the specified port (default: 22)"
-
- condition:
- $usage or $old_version
-}
-
-private rule ssh_add : sshdoor {
- meta:
- description = "Signature to match the clean (or not) OpenSSH add (ssh-add)"
- author = "Hugo Porcher"
- email = "hugo.porcher@eset.com"
- reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf"
- date = "2018-12-05"
- license = "BSD 2-Clause"
-
- strings:
- $usage = "usage: %s [options] [file ...]\n"
- $log = "Could not open a connection to your authentication agent.\n"
-
- condition:
- $usage and $log
-}
-
-private rule ssh_agent : sshdoor {
- meta:
- description = "Signature to match the clean (or not) OpenSSH agent (ssh-agent)"
- author = "Hugo Porcher"
- email = "hugo.porcher@eset.com"
- reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf"
- date = "2018-12-05"
- license = "BSD 2-Clause"
-
- strings:
- $usage = "usage: %s [options] [command [arg ...]]"
-
- condition:
- $usage
-}
-
-private rule ssh_askpass : sshdoor {
- meta:
- description =
"Signature to match the clean (or not) OpenSSH daemon (sshd)"
- author = "Hugo Porcher"
- email = "hugo.porcher@eset.com"
- reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf"
- date = "2018-12-05"
- license = "BSD 2-Clause"
-
- strings:
- $pass = "Enter your OpenSSH passphrase:"
- $log = "Could not grab %s. A malicious client may be eavesdropping on you"
-
- condition:
- $pass and $log
-}
-
-private rule ssh_keygen : sshdoor {
- meta:
- description = "Signature to match the clean (or not) OpenSSH keygen (ssh-keygen)"
- author = "Hugo Porcher"
- email = "hugo.porcher@eset.com"
- reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf"
- date = "2018-12-05"
- license = "BSD 2-Clause"
-
- strings:
- $pass = "Enter new passphrase (empty for no passphrase):"
- $log = "revoking certificates by key ID requires specification of a CA key"
-
- condition:
- $pass and $log
-}
-
-private rule ssh_keyscan : sshdoor {
- meta:
- description = "Signature to match the clean (or not) OpenSSH keyscan (ssh-keyscan)"
- author = "Hugo Porcher"
- email = "hugo.porcher@eset.com"
- reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf"
- date = "2018-12-05"
- license = "BSD 2-Clause"
-
- strings:
- $usage = "usage: %s [-46Hv] [-f file] [-p port] [-T timeout] [-t type]"
-
- condition:
- $usage
-}
-
-private rule ssh_binary : sshdoor {
- meta:
- description = "Signature to match any clean (or not) SSH binary"
- author = "Hugo Porcher"
- email = "hugo.porcher@eset.com"
-
- condition:
- ssh_client or ssh_daemon or ssh_add or ssh_askpass or ssh_keygen or ssh_keyscan
-}
-
-private rule stack_string {
- meta:
- description = "Rule to detect use of string-stacking"
- author = "Hugo Porcher"
- email = "hugo.porcher@eset.com"
- reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf"
- date = "2018-12-05"
- license = "BSD 2-Clause"
-
- strings:
- // single byte offset from base pointer
- $bp = /(\xC6\x45.{2}){25}/
- // dword ss with single byte offset from base pointer
- $bp_dw = /(\xC7\x45.{5}){20}/
- // 4-bytes offset from base pointer
- $bp_off = /(\xC6\x85.{5}){25}/
- // single byte offset from stack pointer
- $sp = /(\xC6\x44\x24.{2}){25}/
- // 4-bytes offset from stack pointer
- $sp_off = /(\xC6\x84\x24.{5}){25}/
-
- condition:
- any of them
-}
-
-rule abafar {
- meta:
- description = "Rule to detect Abafar family"
- author = "Hugo Porcher"
- email = "hugo.porcher@eset.com"
- reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf"
- date = "2018-12-05"
- license = "BSD 2-Clause"
-
- strings:
- $log_c = "%s:%s@%s"
- $log_d = "%s:%s from %s"
-
- condition:
- ssh_binary and any of them
-}
-
-rule akiva {
- meta:
- description = "Rule to detect Akiva family"
- author = "Hugo Porcher"
- email = "hugo.porcher@eset.com"
- reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf"
- date = "2018-12-05"
- license = "BSD 2-Clause"
-
- strings:
- $log = /(To|From):\s(%s\s\-\s)?%s:%s\n/
-
- condition:
- ssh_binary and $log
-}
-
-rule alderaan {
- meta:
- description = "Rule to detect Alderaan family"
- author = "Hugo Porcher"
- email = "hugo.porcher@eset.com"
- reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf"
- date = "2018-12-05"
- license = "BSD 2-Clause"
-
- strings:
- $log = /login\s(in|at):\s(%s\s)?%s:%s\n/
-
- condition:
- ssh_binary and $log
-}
-
-rule ando {
- meta:
- description = "Rule to detect Ando family"
- author = "Hugo Porcher"
- email = "hugo.porcher@eset.com"
- reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf"
- date = "2018-12-05"
- license = "BSD 2-Clause"
-
- strings:
- $s1 = "%s:%s\n"
- $s2 = "HISTFILE"
-
$i = "fopen64"
- $m1 = "cat "
- $m2 = "mail -s"
-
- condition:
- ssh_binary and all of ($s*) and ($i or all of ($m*))
-}
-
-rule anoat {
- meta:
- description = "Rule to detect Anoat family"
- author = "Hugo Porcher"
- email = "hugo.porcher@eset.com"
- reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf"
- date = "2018-12-05"
- license = "BSD 2-Clause"
-
- strings:
- $log = "%s at: %s | user: %s, pass: %s\n"
-
- condition:
- ssh_binary and $log
-}
-
-rule atollon {
- meta:
- description = "Rule to detect Atollon family"
- author = "Hugo Porcher"
- email = "hugo.porcher@eset.com"
- reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf"
- date = "2018-12-05"
- license = "BSD 2-Clause"
-
- strings:
- $f1 = "PEM_read_RSA_PUBKEY"
- $f2 = "RAND_add"
- $log = "%s:%s"
- $rand = "/dev/urandom"
-
- condition:
- ssh_binary and stack_string and all of them
-}
-
-rule batuu {
- meta:
- description = "Rule to detect Batuu family"
- author = "Hugo Porcher"
- email = "hugo.porcher@eset.com"
- reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf"
- date = "2018-12-05"
- license = "BSD 2-Clause"
-
- strings:
- $args = "ssh: ~(av[%d]: %s\n)"
- $log = "readpass: %s\n"
-
- condition:
- ssh_binary and any of them
-}
-
-rule bespin {
- meta:
- description = "Rule to detect Bespin family"
- author = "Hugo Porcher"
- email = "hugo.porcher@eset.com"
- reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf"
- date = "2018-12-05"
- license = "BSD 2-Clause"
-
- strings:
- $log1 = "%Y-%m-%d %H:%M:%S"
- $log2 = "%s %s%s"
- $log3 = "[%s]"
-
- condition:
- ssh_binary and all of them
-}
-
-rule bonadan {
- meta:
- description = "Rule to detect Bonadan family"
- author = "Hugo Porcher"
- email = "hugo.porcher@eset.com"
- reference =
"https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf"
- date = "2018-12-05"
- license = "BSD 2-Clause"
-
- strings:
- $s1 = "g_server"
- $s2 = "mine.sock"
- $s3 = "tspeed"
- $e1 = "6106#x=%d#%s#%s#speed=%s"
- $e2 = "usmars.mynetgear.com"
- $e3 = "user=%s#os=%s#eip=%s#cpu=%s#mem=%s"
-
- condition:
- ssh_binary and any of them
-}
-
-rule borleias {
- meta:
- description = "Rule to detect Borleias family"
- author = "Hugo Porcher"
- email = "hugo.porcher@eset.com"
- reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf"
- date = "2018-12-05"
- license = "BSD 2-Clause"
-
- strings:
- $log = "%Y-%m-%d %H:%M:%S [%s]"
-
- condition:
- ssh_binary and all of them
-}
-
-rule chandrila {
- meta:
- description = "Rule to detect Chandrila family"
- author = "Hugo Porcher"
- email = "hugo.porcher@eset.com"
- reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf"
- date = "2018-12-05"
- license = "BSD 2-Clause"
-
- strings:
- $log = "S%s %s:%s"
- $magic = { 05 71 92 7D }
-
- condition:
- ssh_binary and all of them
-}
-
-rule coruscant {
- meta:
- description = "Rule to detect Coruscant family"
- author = "Hugo Porcher"
- email = "hugo.porcher@eset.com"
- reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf"
- date = "2018-12-05"
- license = "BSD 2-Clause"
-
- strings:
- $s1 = "%s:%s@%s\n"
- $s2 = "POST"
- $s3 = "HTTP/1.1"
-
- condition:
- ssh_binary and all of them
-}
-
-rule crait {
- meta:
- description = "Signature to detect Crait family"
- author = "Hugo Porcher"
- email = "hugo.porcher@eset.com"
- reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf"
- date = "2018-12-05"
- license = "BSD 2-Clause"
-
- strings:
- $i1 = "flock"
- $i2 = "fchmod"
- $i3 = "sendto"
-
- condition:
- ssh_binary and 2 of them
-}
-
-rule
endor {
- meta:
- description = "Rule to detect Endor family"
- author = "Hugo Porcher"
- email = "hugo.porcher@eset.com"
- reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf"
- date = "2018-12-05"
- license = "BSD 2-Clause"
-
- strings:
- $u = "user: %s"
- $p = "password: %s"
-
- condition:
- ssh_binary and $u and $p in (@u..@u+20)
-}
-
-rule jakuu {
- meta:
- description = "Rule to detect Jakuu family"
- author = "Hugo Porcher"
- email = "hugo.porcher@eset.com"
- notes = "Strings can be encrypted"
- reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf"
- date = "2018-12-05"
- license = "BSD 2-Clause"
-
- strings:
- $dec = /GET\s\/\?(s|c)id=/
- $enc1 = "getifaddrs"
- $enc2 = "usleep"
- $ns = "gethostbyname"
- $log = "%s:%s"
- $rc4 = { A1 71 31 17 11 1A 22 27 55 00 66 A3 10 FE C2 10 22 32 6E 95 90 84 F9 11 73 62 95 5F 4D 3B DB DC }
-
- condition:
- ssh_binary and $log and $ns and ($dec or all of ($enc*) or $rc4)
-}
-
-rule kamino {
- meta:
- description = "Rule to detect Kamino family"
- author = "Hugo Porcher"
- email = "hugo.porcher@eset.com"
- reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf"
- date = "2018-12-05"
- license = "BSD 2-Clause"
-
- strings:
- $s1 = "/var/log/wtmp"
- $s2 = "/var/log/secure"
- $s3 = "/var/log/auth.log"
- $s4 = "/var/log/messages"
- $s5 = "/var/log/audit/audit.log"
- $s6 = "/var/log/httpd-access.log"
- $s7 = "/var/log/httpd-error.log"
- $s8 = "/var/log/xferlog"
- $i1 = "BIO_f_base64"
- $i2 = "PEM_read_bio_RSA_PUBKEY"
- $i3 = "srand"
- $i4 = "gethostbyname"
-
- condition:
- ssh_binary and 5 of ($s*) and 3 of ($i*)
-}
-
-rule kessel {
- meta:
- description = "Rule to detect Kessel family"
- author = "Hugo Porcher"
- email = "hugo.porcher@eset.com"
- reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf"
- date =
"2018-12-05"
- license = "BSD 2-Clause"
-
- strings:
- $rc4 = "Xee5chu1Ohshasheed1u"
- $s1 = "ssh:%s:%s:%s:%s"
- $s2 = "sshkey:%s:%s:%s:%s:%s"
- $s3 = "sshd:%s:%s"
- $i1 = "spy_report"
- $i2 = "protoShellCMD"
- $i3 = "protoUploadFile"
- $i4 = "protoSendReport"
- $i5 = "tunRecvDNS"
- $i6 = "tunPackMSG"
-
- condition:
- ssh_binary and (2 of ($s*) or 2 of ($i*) or $rc4)
-}
-
-rule mimban {
- meta:
- description = "Rule to detect Mimban family"
- author = "Hugo Porcher"
- email = "hugo.porcher@eset.com"
- reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf"
- date = "2018-12-05"
- license = "BSD 2-Clause"
-
- strings:
- $s1 = "<|||%s|||%s|||%d|||>"
- $s2 = />\|\|\|%s\|\|\|%s\|\|\|\d\|\|\|%s\|\|\|%s\|\|\|%s\|\|\|%s\|\|\|</
- $s3 = "-----BEGIN PUBLIC KEY-----"
- $i1 = "BIO_f_base64"
- $i2 = "PEM_read_bio_RSA_PUBKEY"
- $i3 = "gethostbyname"
-
- condition:
- ssh_binary and 2 of ($s*) and 2 of ($i*)
-}
-
-rule ondaron {
- meta:
- description = "Rule to detect Ondaron family"
- author = "Hugo Porcher"
- email = "hugo.porcher@eset.com"
- reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf"
- date = "2018-12-05"
- license = "BSD 2-Clause"
-
- strings:
- $daemon = "user:password --> %s:%s\n"
- $client = /user(,|:)(a,)?password@host \-\-> %s(,|:)(b,)?%s@%s\n/
-
- condition:
- ssh_binary and ($daemon or $client)
-}
-
-rule polis_massa {
- meta:
- description = "Rule to detect Polis Massa family"
- author = "Hugo Porcher"
- email = "hugo.porcher@eset.com"
- reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf"
- date = "2018-12-05"
- license = "BSD 2-Clause"
-
- strings:
- $log = /\b\w+(:|\s-+>)\s%s(:%d)?\s\t(\w+)?:\s%s\s\t(\w+)?:\s%s/
-
- condition:
- ssh_binary and $log
-}
-
-rule quarren {
- meta:
- description = "Rule to detect Quarren family"
- author = "Hugo Porcher"
- email = "hugo.porcher@eset.com"
-
reference = "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf"
- date = "2018-12-05"
- license = "BSD 2-Clause"
-
- strings:
- $log = "h: %s, u: %s, p: %s\n"
-
- condition:
- ssh_binary and $log
-}
diff --git a/yara-mikesxrs/eset/stantinko.yar b/yara-mikesxrs/eset/stantinko.yar
deleted file mode 100644
index cc124cb..0000000
--- a/yara-mikesxrs/eset/stantinko.yar
+++ /dev/null
@@ -1,255 +0,0 @@
-// Stantinko yara rules
-// https://github.com/eset/malware-ioc/
-//
-// These yara rules are provided to the community under the two-clause BSD
-// license as follows:
-//
-// Copyright (c) 2017, ESET
-// All rights reserved.
-//
-// Redistribution and use in source and binary forms, with or without
-// modification, are permitted provided that the following conditions are met:
-//
-// 1. Redistributions of source code must retain the above copyright notice, this
-// list of conditions and the following disclaimer.
-//
-// 2. Redistributions in binary form must reproduce the above copyright notice,
-// this list of conditions and the following disclaimer in the documentation
-// and/or other materials provided with the distribution.
-//
-// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-
-import "pe"
-
-rule beds_plugin {
-
- meta:
- Author = "Frédéric Vachon"
- Date = "2017-07-17"
- Description = "Stantinko BEDS' plugins"
- Reference = "https://www.welivesecurity.com/wp-content/uploads/2017/07/Stantinko.pdf"
- Source = "https://github.com/eset/malware-ioc/"
- Contact = "github@eset.com"
- License = "BSD 2-Clause"
-
- condition:
- pe.exports("CheckDLLStatus") and
- pe.exports("GetPluginData") and
- pe.exports("InitializePlugin") and
- pe.exports("IsReleased") and
- pe.exports("ReleaseDLL")
-}
-
-rule beds_dropper {
-
- meta:
- Author = "Frédéric Vachon"
- Date = "2017-07-17"
- Description = "BEDS dropper"
- Reference = "https://www.welivesecurity.com/wp-content/uploads/2017/07/Stantinko.pdf"
- Source = "https://github.com/eset/malware-ioc/"
- Contact = "github@eset.com"
- License = "BSD 2-Clause"
-
- condition:
- pe.imphash() == "a7ead4ef90d9981e25728e824a1ba3ef"
-
-}
-
-rule facebook_bot {
-
- meta:
- Author = "Frédéric Vachon"
- Date = "2017-07-17"
- Description = "Stantinko's Facebook bot"
- Reference = "https://www.welivesecurity.com/wp-content/uploads/2017/07/Stantinko.pdf"
- Source = "https://github.com/eset/malware-ioc/"
- Contact = "github@eset.com"
- License = "BSD 2-Clause"
-
- strings:
- $s1 = "m_upload_pic&return_uri=https%3A%2F%2Fm.facebook.com%2Fprofile.php" fullword ascii
- $s2 = "D:\\work\\brut\\cms\\facebook\\facebookbot\\Release\\facebookbot.pdb" fullword ascii
- $s3 = "https%3A%2F%2Fm.facebook.com%2Fcomment%2Freplies%2F%3Fctoken%3D" fullword ascii
- $s4 = "reg_fb_gate=https%3A%2F%2Fm.facebook.com%2Freg" fullword ascii
- $s5 = "reg_fb_ref=https%3A%2F%2Fm.facebook.com%2Freg%2F" fullword ascii
- $s6 = "&return_uri_error=https%3A%2F%2Fm.facebook.com%2Fprofile.php" fullword ascii
-
- $x1 = "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.71 Safari/537.36" fullword ascii
- $x2 = "registration@facebookmail.com" fullword ascii
- $x3 = "https://m.facebook.com/profile.php?mds=" fullword ascii
-
$x4 = "https://upload.facebook.com/_mupload_/composer/?profile&domain=" fullword ascii
- $x5 = "http://staticxx.facebook.com/connect/xd_arbiter.php?version=42#cb=ff43b202c" fullword ascii
- $x6 = "https://upload.facebook.com/_mupload_/photo/x/saveunpublished/" fullword ascii
- $x7 = "m.facebook.com&ref=m_upload_pic&waterfall_source=" fullword ascii
- $x8 = "payload.commentID" fullword ascii
- $x9 = "profile.login" fullword ascii
-
- condition:
- ( uint16(0) == 0x5a4d and filesize < 1000KB and ( 1 of ($s*) or 3 of ($x*) ) ) or ( all of them )
-}
-
-rule pds_plugins {
-
- meta:
- Author = "Frédéric Vachon"
- Date = "2017-07-17"
- Description = "Stantinko PDS' plugins"
- Reference = "https://www.welivesecurity.com/wp-content/uploads/2017/07/Stantinko.pdf"
- Source = "https://github.com/eset/malware-ioc/"
- Contact = "github@eset.com"
- License = "BSD 2-Clause"
-
- strings:
- $s1 = "std::_Vector_val<CHTTPPostItem *,std::allocator<CHTTPPostItem *> >" fullword ascii
- $s2 = "std::_Vector_val<CHTTPHeader *,std::allocator<CHTTPHeader *> >" fullword ascii
- $s3 = "std::vector<CHTTPHeader *,std::allocator<CHTTPHeader *> >" fullword ascii
- $s4 = "std::vector<CHTTPPostItem *,std::allocator<CHTTPPostItem *> >" fullword ascii
- $s5 = "CHTTPHeaderManager" fullword ascii
- $s6 = "CHTTPPostItemManager *" fullword ascii
- $s7 = "CHTTPHeaderManager *" fullword ascii
- $s8 = "CHTTPPostItemManager" fullword ascii
- $s9 = "CHTTPHeader" fullword ascii
- $s10 = "CHTTPPostItem" fullword ascii
- $s11 = "std::vector<CCookie *,std::allocator<CCookie *> >" fullword ascii
- $s12 = "std::_Vector_val<CCookie *,std::allocator<CCookie *> >" fullword ascii
- $s13 = "CCookieManager *" fullword ascii
-
- condition:
- ( uint16(0) == 0x5a4d and filesize < 1000KB and ( 2 of ($s*) ) )
-}
-
-rule stantinko_pdb {
-
- meta:
- Author = "Frédéric Vachon"
- Date = "2017-07-17"
- Description = "Stantinko malware family PDB path"
- Reference =
"https://www.welivesecurity.com/wp-content/uploads/2017/07/Stantinko.pdf" - Source = "https://github.com/eset/malware-ioc/" - Contact = "github@eset.com" - License = "BSD 2-Clause" - - strings: - $s1 = "D:\\work\\service\\service\\" ascii - - condition: - all of them -} - -rule stantinko_droppers { - - meta: - Author = "Marc-Etienne M.Léveillé" - Date = "2017-07-17" - Description = "Stantinko droppers" - Reference = "https://www.welivesecurity.com/wp-content/uploads/2017/07/Stantinko.pdf" - Source = "https://github.com/eset/malware-ioc/" - Contact = "github@eset.com" - License = "BSD 2-Clause" - - strings: - // Bytes from the encrypted payload - $s1 = {55 8B EC 83 EC 08 53 56 BE 80 F4 45 00 57 81 EE 80 0E 41 00 56 E8 6D 23 00 00 56 8B D8 68 80 0E 41 00 53 89 5D F8 E8 65 73 00 00 8B 0D FC F5 45} - - // Keys to decrypt payload - $s2 = {7E 5E 7F 8C 08 46 00 00 AB 57 1A BB 91 5C 00 00 FA CC FD 76 90 3A 00 00} - - condition: - uint16(0) == 0x5A4D and 1 of them -} - -rule stantinko_d3d { - - meta: - Author = "Marc-Etienne M.Léveillé" - Date = "2017-07-17" - Description = "Stantinko d3dadapter component" - Reference = "https://www.welivesecurity.com/wp-content/uploads/2017/07/Stantinko.pdf" - Source = "https://github.com/eset/malware-ioc/" - Contact = "github@eset.com" - License = "BSD 2-Clause" - - condition: - pe.exports("EntryPoint") and - pe.exports("ServiceMain") and - pe.imports("WININET.DLL", "HttpAddRequestHeadersA") -} - -rule stantinko_ihctrl32 { - - meta: - Author = "Marc-Etienne M.Léveillé" - Date = "2017-07-17" - Description = "Stantinko ihctrl32 component" - Reference = "https://www.welivesecurity.com/wp-content/uploads/2017/07/Stantinko.pdf" - Source = "https://github.com/eset/malware-ioc/" - Contact = "github@eset.com" - License = "BSD 2-Clause" - - strings: - $s1 = "ihctrl32.dll" - $s2 = "win32_hlp" - $s3 = "Ihctrl32Main" - $s4 = "I%citi%c%size%s%c%ci%s" - $s5 = "Global\\Intel_hctrl32" - - condition: - 2 of them -} - -rule stantinko_wsaudio { - - meta: - 
Author = "Marc-Etienne M.Léveillé" - Date = "2017-07-17" - Description = "Stantinko wsaudio component" - Reference = "https://www.welivesecurity.com/wp-content/uploads/2017/07/Stantinko.pdf" - Source = "https://github.com/eset/malware-ioc/" - Contact = "github@eset.com" - License = "BSD 2-Clause" - - strings: - // Export - $s1 = "GetInterface" - $s2 = "wsaudio.dll" - - // Event name - $s3 = "Global\\Wsaudio_Initialize" - $s4 = "SOFTWARE\\Classes\\%s.FieldListCtrl.1\\" - - condition: - 2 of them -} - -rule stantinko_ghstore { - - meta: - Author = "Marc-Etienne M.Léveillé" - Date = "2017-07-17" - Description = "Stantinko ghstore component" - Reference = "https://www.welivesecurity.com/wp-content/uploads/2017/07/Stantinko.pdf" - Source = "https://github.com/eset/malware-ioc/" - Contact = "github@eset.com" - License = "BSD 2-Clause" - - strings: - $s1 = "G%cost%sSt%c%s%s%ce%sr" wide - $s2 = "%cho%ct%sS%sa%c%s%crve%c" wide - $s3 = "Par%c%ce%c%c%s" wide - $s4 = "S%c%curity%c%s%c%s" wide - $s5 = "Sys%c%s%c%c%su%c%s%clS%c%s%serv%s%ces" wide - - condition: - 3 of them -} diff --git a/yara-mikesxrs/eset/ta410.yar b/yara-mikesxrs/eset/ta410.yar deleted file mode 100644 index 0c7b9d0..0000000 --- a/yara-mikesxrs/eset/ta410.yar +++ /dev/null 
@@ -1,741 +0,0 @@ -// For feedback or questions contact us at: github@eset.com -// https://github.com/eset/malware-ioc/ -// -// These yara rules are provided to the community under the two-clause BSD -// license as follows: -// -// Copyright (c) 2022, ESET -// All rights reserved. -// -// Redistribution and use in source and binary forms, with or without -// modification, are permitted provided that the following conditions are met: -// -// 1. Redistributions of source code must retain the above copyright notice, this -// list of conditions and the following disclaimer. -// -// 2. Redistributions in binary form must reproduce the above copyright notice, -// this list of conditions and the following disclaimer in the documentation -// and/or other materials provided with the distribution. -// -// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" -// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE -// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER -// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, -// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE -// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
-// - -import "pe" - -rule apt_Windows_TA410_Tendyron_dropper -{ - meta: - description = "TA410 Tendyron Dropper" - reference = "https://www.welivesecurity.com/" - source = "https://github.com/eset/malware-ioc/" - license = "BSD 2-Clause" - version = "1" - author = "ESET Research" - date = "2020-12-09" - strings: - $s1 = "Global\\{F473B3BE-08EE-4710-A727-9E248F804F4A}" wide - $s2 = "Global\\8D32CCB321B2" wide - $s3 = "Global\\E4FE94F75490" wide - $s4 = "Program Files (x86)\\Internet Explorer\\iexplore.exe" wide - $s5 = "\\RPC Control\\OLE" wide - $s6 = "ALPC Port" wide - condition: - int16(0) == 0x5A4D and 4 of them -} - -rule apt_Windows_TA410_Tendyron_installer -{ - meta: - description = "TA410 Tendyron Installer" - reference = "https://www.welivesecurity.com/" - source = "https://github.com/eset/malware-ioc/" - license = "BSD 2-Clause" - version = "1" - author = "ESET Research" - date = "2020-12-09" - strings: - $s1 = "Tendyron" wide - $s2 = "OnKeyToken_KEB.dll" wide - $s3 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" wide - $s4 = "Global\\8D32CCB321B2" - $s5 = "\\RTFExploit\\" - condition: - int16(0) == 0x5A4D and 3 of them -} - -rule apt_Windows_TA410_Tendyron_Downloader -{ - meta: - description = "TA410 Tendyron Downloader" - reference = "https://www.welivesecurity.com/" - source = "https://github.com/eset/malware-ioc/" - license = "BSD 2-Clause" - version = "1" - author = "ESET Research" - date = "2020-12-09" - strings: - /* - 0x401250 8A10 mov dl, byte ptr [eax] - 0x401252 80F25C xor dl, 0x5c - 0x401255 80C25C add dl, 0x5c - 0x401258 8810 mov byte ptr [eax], dl - 0x40125a 40 inc eax - 0x40125b 83E901 sub ecx, 1 - 0x40125e 75F0 jne 0x401250 - */ - $chunk_1 = { - 8A 10 - 80 F2 5C - 80 C2 5C - 88 10 - 40 - 83 E9 01 - 75 ?? 
- } - $s1 = "startModule" fullword - condition: - int16(0) == 0x5A4D and all of them -} - -rule apt_Windows_TA410_X4_strings -{ - meta: - description = "Matches various strings found in TA410 X4" - reference = "https://www.welivesecurity.com/" - source = "https://github.com/eset/malware-ioc/" - license = "BSD 2-Clause" - version = "1" - author = "ESET Research" - date = "2020-10-09" - strings: - $s1 = "[X]InLoadSC" ascii wide nocase - $s3 = "MachineKeys\\Log\\rsa.txt" ascii wide nocase - $s4 = "MachineKeys\\Log\\output.log" ascii wide nocase - condition: - any of them -} - -rule apt_Windows_TA410_X4_hash_values -{ - meta: - description = "Matches X4 hash function found in TA410 X4" - reference = "https://www.welivesecurity.com/" - source = "https://github.com/eset/malware-ioc/" - license = "BSD 2-Clause" - version = "1" - author = "ESET Research" - date = "2020-10-09" - strings: - $s1 = {D1 10 76 C2 B6 03} - $s2 = {71 3E A8 0D} - $s3 = {DC 78 94 0E} - $s4 = {40 0D E7 D6 06} - $s5 = {83 BB FD E8 06} - $s6 = {92 9D 9B FF EC 03} - $s7 = {DD 0E FC FA F5 03} - $s8 = {15 60 1E FB F5 03} - condition: - uint16(0) == 0x5a4d and 4 of them - -} - -rule apt_Windows_TA410_X4_hash_fct -{ - meta: - description = "Matches X4 hash function found in TA410 X4" - reference = "https://www.welivesecurity.com/" - source = "https://github.com/eset/malware-ioc/" - license = "BSD 2-Clause" - version = "1" - author = "ESET Research" - date = "2020-10-09" - - /* - 0x6056cc2150 0FB601 movzx eax, byte ptr [rcx] - 0x6056cc2153 84C0 test al, al - 0x6056cc2155 7416 je 0x6056cc216d - 0x6056cc2157 4869D283000000 imul rdx, rdx, 0x83 - 0x6056cc215e 480FBEC0 movsx rax, al - 0x6056cc2162 4803D0 add rdx, rax - 0x6056cc2165 48FFC1 inc rcx - 0x6056cc2168 E9E3FFFFFF jmp 0x6056cc2150 - */ - strings: - $chunk_1 = { - 0F B6 01 - 84 C0 - 74 ?? - 48 69 D2 83 00 00 00 - 48 0F BE C0 - 48 03 D0 - 48 FF C1 - E9 ?? ?? ?? ?? 
- } - - condition: - uint16(0) == 0x5a4d and any of them - -} - -rule apt_Windows_TA410_LookBack_decryption -{ - meta: - description = "Matches encryption/decryption function used by LookBack." - reference = "https://www.welivesecurity.com/" - source = "https://github.com/eset/malware-ioc/" - license = "BSD 2-Clause" - version = "1" - author = "ESET Research" - date = "2021-10-12" - strings: - $initialize = { - 8B C6 //mov eax, esi - 99 //cdq - 83 E2 03 //and edx, 3 - 03 C2 //add eax, edx - C1 F8 02 //sar eax, 2 - 8A C8 //mov cl, al - 02 C0 //add al, al - 02 C8 //add cl, al - 88 4C 34 10 //mov byte ptr [esp + esi + 0x10], cl - 46 //inc esi - 81 FE 00 01 00 00 //cmp esi, 0x100 - 72 ?? - } - $generate = { - 8A 94 1C 10 01 ?? ?? //mov dl, byte ptr [esp + ebx + 0x110] - 8D 8C 24 10 01 ?? ?? //lea ecx, [esp + 0x110] - 0F B6 C3 //movzx eax, bl - 0F B6 44 04 10 //movzx eax, byte ptr [esp + eax + 0x10] - 32 C2 //xor al, dl - 02 F0 //add dh, al - 0F B6 C6 //movzx eax, dh - 03 C8 //add ecx, eax - 0F B6 01 //movzx eax, byte ptr [ecx] - 88 84 1C 10 01 ?? ?? //mov byte ptr [esp + ebx + 0x110], al - 43 //inc ebx - 88 11 //mov byte ptr [ecx], dl - 81 FB 00 06 00 00 //cmp ebx, 0x600 - 72 ?? //jb 0x10025930 - } - $decrypt = { - 0F B6 C6 //movzx eax, dh - 8D 8C 24 10 01 ?? ?? //lea ecx, [esp + 0x110] - 03 C8 //add ecx, eax - 8A 19 //mov bl, byte ptr [ecx] - 8A C3 //mov al, bl - 02 C6 //add al, dh - FE C6 //inc dh - 02 F8 //add bh, al - 0F B6 C7 //movzx eax, bh - 8A 94 04 10 01 ?? ?? //mov dl, byte ptr [esp + eax + 0x110] - 88 9C 04 10 01 ?? ?? //mov byte ptr [esp + eax + 0x110], bl - 88 11 //mov byte ptr [ecx], dl - 0F B6 C2 //movzx eax, dl - 0F B6 CB //movzx ecx, bl - 33 C8 //xor ecx, eax - 8A 84 0C 10 01 ?? ?? //mov al, byte ptr [esp + ecx + 0x110] - 30 04 2E //xor byte ptr [esi + ebp], al - 46 //inc esi - 3B F7 //cmp esi, edi - 7C ?? 
//jl 0x10025980 - } - condition: - uint16(0) == 0x5a4d and all of them -} - -rule apt_Windows_TA410_LookBack_loader -{ - meta: - description = "Matches the modified function in LookBack libcurl loader." - reference = "https://www.welivesecurity.com/" - source = "https://github.com/eset/malware-ioc/" - license = "BSD 2-Clause" - version = "1" - author = "ESET Research" - date = "2021-10-12" - strings: - $chunk_1 = { - FF 15 ?? ?? ?? ?? //call dword ptr [0x100530e0] - 6A 40 //push 0x40 - 68 00 10 00 00 //push 0x1000 - 68 F0 04 00 00 //push 0x4f0 - 6A 00 //push 0 - FF 15 ?? ?? ?? ?? //call dword ptr [0x100530d4] - 8B E8 //mov ebp, eax - B9 3C 01 00 00 //mov ecx, 0x13c - BE 60 30 06 10 //mov esi, 0x10063060 - 8B FD //mov edi, ebp - 68 F0 04 00 00 //push 0x4f0 - F3 A5 //rep movsd dword ptr es:[edi], dword ptr [esi] - 55 //push ebp - E8 ?? ?? ?? ?? //call 0x100258d0 - 8B 0D ?? ?? ?? ?? //mov ecx, dword ptr [0x100530e4] - A1 ?? ?? ?? ?? //mov eax, dword ptr [0x100530c8] - 68 6C 02 00 00 //push 0x26c - 89 4C 24 ?? //mov dword ptr [esp + 0x1c], ecx - 89 44 24 ?? //mov dword ptr [esp + 0x20], eax - FF 15 ?? ?? ?? ?? //call dword ptr [0x10063038] - 8B D8 //mov ebx, eax - B9 9B 00 00 00 //mov ecx, 0x9b - BE 50 35 06 10 //mov esi, 0x10063550 - 8B FB //mov edi, ebx - 68 6C 02 00 00 //push 0x26c - F3 A5 //rep movsd dword ptr es:[edi], dword ptr [esi] - 53 //push ebx - E8 ?? ?? ?? ?? //call 0x100258d0 - 83 C4 14 //add esp, 0x14 - 8D 44 24 ?? //lea eax, [esp + 0x10] - 50 //push eax - 53 //push ebx - 8D 44 24 ?? //lea eax, [esp + 0x3c] - 50 //push eax - A1 ?? ?? ?? ?? //mov eax, dword ptr [0x10063058] - FF 74 24 ?? //push dword ptr [esp + 0x28] - 03 C5 //add eax, ebp - FF D0 //call eax - } - condition: - uint16(0) == 0x5a4d and all of them -} - -rule apt_Windows_TA410_LookBack_strings -{ - meta: - description = "Matches multiple strings and export names in TA410 LookBack." 
- reference = "https://www.welivesecurity.com/" - source = "https://github.com/eset/malware-ioc/" - license = "BSD 2-Clause" - version = "1" - author = "ESET Research" - date = "2021-10-12" - strings: - $s1 = "SodomMainFree" ascii wide - $s2 = "SodomMainInit" ascii wide - $s3 = "SodomNormal.bin" ascii wide - $s4 = "SodomHttp.bin" ascii wide - $s5 = "sodom.ini" ascii wide - $s6 = "SodomMainProc" ascii wide - - condition: - uint16(0) == 0x5a4d and (2 of them or pe.exports("SodomBodyLoad") or pe.exports("SodomBodyLoadTest")) -} - -rule apt_Windows_TA410_LookBack_HTTP -{ - meta: - description = "Matches LookBack's hardcoded HTTP request" - reference = "https://www.welivesecurity.com/" - source = "https://github.com/eset/malware-ioc/" - license = "BSD 2-Clause" - version = "1" - author = "ESET Research" - date = "2021-10-12" - strings: - $s1 = "POST http://%s/status.php?r=%d%d HTTP/1.1\x0d\nAccept: text/html, application/xhtml+xml, */*\x0d\nAccept-Language: en-us\x0d\nUser-Agent: %s\x0d\nContent-Type: application/x-www-form-urlencoded\x0d\nAccept-Encoding: gzip, deflate\x0d\nHost: %s\x0d\nContent-Length: %d\x0d\nConnection: Keep-Alive\x0d\nCache-Control: no-cache\x0d\n\x0d\n" ascii wide - $s2 = "id=1&op=report&status=" - - condition: - uint16(0) == 0x5a4d and all of them -} - -rule apt_Windows_TA410_LookBack_magic -{ - meta: - description = "Matches message header creation in LookBack." - reference = "https://www.welivesecurity.com/" - source = "https://github.com/eset/malware-ioc/" - license = "BSD 2-Clause" - version = "1" - author = "ESET Research" - date = "2021-10-12" - strings: - $s1 = { - C7 03 C2 2E AB 48 //mov dword ptr [ebx], 0x48ab2ec2 - ( A1 | 8B 15 ) ?? ?? ?? ?? //mov (eax | edx), x - [0-1] //push ebp - 89 ?3 04 //mov dword ptr [ebc + 4], reg - 8B 4? 24 ?? //mov reg, dword ptr [esp + X] - 89 4? 08 //mov dword ptr [ebx + 8], ?? - 89 ?? 0C //mov dword ptr [ebx + 0xc], ?? - 8B 4? 24 ?? //mov reg, dword ptr [esp + X] - [1-2] //push 1 or 2 args - E8 ?? ?? ?? ?? 
//call - } - - condition: - uint16(0) == 0x5a4d and all of them -} - -rule apt_Windows_TA410_FlowCloud_loader_strings -{ - meta: - description = "Matches various strings found in TA410 FlowCloud first stage." - reference = "https://www.welivesecurity.com/" - source = "https://github.com/eset/malware-ioc/" - license = "BSD 2-Clause" - version = "1" - author = "ESET Research" - date = "2021-10-12" - strings: - $key = "y983nfdicu3j2dcn09wur9*^&initialize(y4r3inf;'fdskaf'SKF" - $s2 = "startModule" fullword - $s4 = "auto_start_module" wide - $s5 = "load_main_module_after_install" wide - $s6 = "terminate_if_fail" wide - $s7 = "clear_run_mru" wide - $s8 = "install_to_vista" wide - $s9 = "load_ext_module" wide - $s10= "sll_only" wide - $s11= "fail_if_already_installed" wide - $s12= "clear_hardware_info" wide - $s13= "av_check" wide fullword - $s14= "check_rs" wide - $s15= "check_360" wide - $s16= "responsor.dat" wide ascii - $s17= "auto_start_after_install_check_anti" wide fullword - $s18= "auto_start_after_install" wide fullword - $s19= "extern_config.dat" wide fullword - $s20= "is_hhw" wide fullword - $s21= "SYSTEM\\Setup\\PrintResponsor" wide - $event= "Global\\Event_{201a283f-e52b-450e-bf44-7dc436037e56}" wide ascii - $s23= "invalid encrypto hdr while decrypting" - - condition: - uint16(0) == 0x5a4d and ($key or $event or 5 of ($s*)) -} - -rule apt_Windows_TA410_FlowCloud_header_decryption -{ - meta: - description = "Matches the function used to decrypt resources headers in TA410 FlowCloud" - reference = "https://www.welivesecurity.com/" - source = "https://github.com/eset/malware-ioc/" - license = "BSD 2-Clause" - version = "1" - author = "ESET Research" - /* - 0x416a70 8B1E mov ebx, dword ptr [esi] - 0x416a72 8BCF mov ecx, edi - 0x416a74 D3CB ror ebx, cl - 0x416a76 8D0C28 lea ecx, [eax + ebp] - 0x416a79 83C706 add edi, 6 - 0x416a7c 3018 xor byte ptr [eax], bl - 0x416a7e 8B1E mov ebx, dword ptr [esi] - 0x416a80 D3CB ror ebx, cl - 0x416a82 8D0C02 lea ecx, [edx + eax] - 
0x416a85 305801 xor byte ptr [eax + 1], bl - 0x416a88 8B1E mov ebx, dword ptr [esi] - 0x416a8a D3CB ror ebx, cl - 0x416a8c 8B4C240C mov ecx, dword ptr [esp + 0xc] - 0x416a90 03C8 add ecx, eax - 0x416a92 305802 xor byte ptr [eax + 2], bl - 0x416a95 8B1E mov ebx, dword ptr [esi] - 0x416a97 D3CB ror ebx, cl - 0x416a99 8B4C2410 mov ecx, dword ptr [esp + 0x10] - 0x416a9d 03C8 add ecx, eax - 0x416a9f 305803 xor byte ptr [eax + 3], bl - 0x416aa2 8B1E mov ebx, dword ptr [esi] - 0x416aa4 D3CB ror ebx, cl - 0x416aa6 8B4C2414 mov ecx, dword ptr [esp + 0x14] - 0x416aaa 03C8 add ecx, eax - 0x416aac 83C006 add eax, 6 - 0x416aaf 3058FE xor byte ptr [eax - 2], bl - 0x416ab2 8B1E mov ebx, dword ptr [esi] - 0x416ab4 D3CB ror ebx, cl - 0x416ab6 3058FF xor byte ptr [eax - 1], bl - 0x416ab9 83FF10 cmp edi, 0x10 - 0x416abc 72B2 jb 0x416a70 - */ - strings: - $chunk_1 = { - 8B 1E - 8B CF - D3 CB - 8D 0C 28 - 83 C7 06 - 30 18 - 8B 1E - D3 CB - 8D 0C 02 - 30 58 ?? - 8B 1E - D3 CB - 8B 4C 24 ?? - 03 C8 - 30 58 ?? - 8B 1E - D3 CB - 8B 4C 24 ?? - 03 C8 - 30 58 ?? - 8B 1E - D3 CB - 8B 4C 24 ?? - 03 C8 - 83 C0 06 - 30 58 ?? - 8B 1E - D3 CB - 30 58 ?? - 83 FF 10 - 72 ?? - } - - condition: - uint16(0) == 0x5a4d and all of them -} - -rule apt_Windows_TA410_FlowCloud_dll_hijacking_strings -{ - meta: - description = "Matches filenames inside TA410 FlowCloud malicious DLL." - reference = "https://www.welivesecurity.com/" - source = "https://github.com/eset/malware-ioc/" - license = "BSD 2-Clause" - version = "1" - author = "ESET Research" - date = "2021-10-12" - strings: - $dat1 = "emedres.dat" wide - $dat2 = "vviewres.dat" wide - $dat3 = "setlangloc.dat" wide - $dll1 = "emedres.dll" wide - $dll2 = "vviewres.dll" wide - $dll3 = "setlangloc.dll" wide - condition: - uint16(0) == 0x5a4d and (all of ($dat*) or all of ($dll*)) -} - -rule apt_Windows_TA410_FlowCloud_malicious_dll_antianalysis -{ - meta: - description = "Matches anti-analysis techniques used in TA410 FlowCloud hijacking DLL." 
- reference = "https://www.welivesecurity.com/" - source = "https://github.com/eset/malware-ioc/" - license = "BSD 2-Clause" - version = "1" - author = "ESET Research" - date = "2021-10-12" - strings: - /* - 33C0 xor eax, eax - E8320C0000 call 0x10001d30 - 83C010 add eax, 0x10 - 3D00000080 cmp eax, 0x80000000 - 7D01 jge +3 - EBFF jmp +1 / jmp eax - E050 loopne 0x1000115c / push eax - C3 ret - */ - $chunk_1 = { - 33 C0 - E8 ?? ?? ?? ?? - 83 C0 10 - 3D 00 00 00 80 - 7D 01 - EB FF - E0 50 - C3 - } - condition: - uint16(0) == 0x5a4d and all of them -} - -rule apt_Windows_TA410_FlowCloud_pdb -{ - meta: - description = "Matches PDB paths found in TA410 FlowCloud." - reference = "https://www.welivesecurity.com/" - source = "https://github.com/eset/malware-ioc/" - license = "BSD 2-Clause" - version = "1" - author = "ESET Research" - date = "2021-10-12" - - condition: - uint16(0) == 0x5a4d and (pe.pdb_path contains "\\FlowCloud\\trunk\\" or pe.pdb_path contains "\\flowcloud\\trunk\\") -} - -rule apt_Windows_TA410_FlowCloud_shellcode_decryption -{ - meta: - description = "Matches the decryption function used in TA410 FlowCloud self-decrypting DLL" - reference = "https://www.welivesecurity.com/" - source = "https://github.com/eset/malware-ioc/" - license = "BSD 2-Clause" - version = "1" - author = "ESET Research" - date = "2021-10-12" - /* - 0x211 33D2 xor edx, edx - 0x213 8B4510 mov eax, dword ptr [ebp + 0x10] - 0x216 BB6B040000 mov ebx, 0x46b - 0x21b F7F3 div ebx - 0x21d 81C2A8010000 add edx, 0x1a8 - 0x223 81E2FF000000 and edx, 0xff - 0x229 8B7D08 mov edi, dword ptr [ebp + 8] - 0x22c 33C9 xor ecx, ecx - 0x22e EB07 jmp 0x237 - 0x230 301439 xor byte ptr [ecx + edi], dl - 0x233 001439 add byte ptr [ecx + edi], dl - 0x236 41 inc ecx - 0x237 3B4D0C cmp ecx, dword ptr [ebp + 0xc] - 0x23a 72F4 jb 0x230 - */ - strings: - $chunk_1 = { - 33 D2 - 8B 45 ?? - BB 6B 04 00 00 - F7 F3 - 81 C2 A8 01 00 00 - 81 E2 FF 00 00 00 - 8B 7D ?? - 33 C9 - EB ?? - 30 14 39 - 00 14 39 - 41 - 3B 4D ?? 
- 72 ?? - } - - condition: - uint16(0) == 0x5a4d and all of them -} - -rule apt_Windows_TA410_FlowCloud_fcClient_strings -{ - meta: - description = "Strings found in fcClient/rescure.dat module." - reference = "https://www.welivesecurity.com/" - source = "https://github.com/eset/malware-ioc/" - license = "BSD 2-Clause" - version = "1" - author = "ESET Research" - date = "2021-10-12" - strings: - $s1 = "df257bdd-847c-490e-9ef9-1d7dc883d3c0" - $s2 = "\\{2AFF264E-B722-4359-8E0F-947B85594A9A}" - $s3 = "Global\\{26C96B51-2B5D-4D7B-BED1-3DCA4848EDD1}" wide - $s4 = "{804423C2-F490-4ac3-BFA5-13DEDE63A71A}" wide - $s5 = "{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}" wide - $s6 = "XXXModule_func.dll" - $driver1 = "\\drivers\\hidmouse.sys" wide fullword - $driver2 = "\\drivers\\hidusb.sys" wide fullword - - condition: - uint16(0) == 0x5a4d and (any of ($s*) or all of ($driver*)) -} - -rule apt_Windows_TA410_FlowCloud_fcClientDll_strings -{ - meta: - description = "Strings found in fcClientDll/responsor.dat module." 
- reference = "https://www.welivesecurity.com/" - source = "https://github.com/eset/malware-ioc/" - license = "BSD 2-Clause" - version = "1" - author = "ESET Research" - date = "2021-10-12" - strings: - $s1 = "http://%s/html/portlet/ext/draco/resources/draco_manager.swf/[[DYNAMIC]]/1" - $s2 = "Cookie: COOKIE_SUPPORT=true; JSESSIONID=5C7E7A60D01D2891F40648DAB6CB3DF4.jvm1; COMPANY_ID=10301; ID=666e7375545678695645673d; PASSWORD=7a4b48574d746470447a303d; LOGIN=6863303130; SCREEN_NAME=4a2b455377766b657451493d; GUEST_LANGUAGE_ID=en-US" - $fc_msg = ".fc_net.msg" - $s4 = "\\pipe\\namedpipe_keymousespy_english" wide - $s5 = "8932910381748^&*^$58876$%^ghjfgsa413901280dfjslajflsdka&*(^7867=89^&*F(^&*5678f5ds765f76%&*%&*5" - $s6 = "cls_{CACB140B-0B82-4340-9B05-7983017BA3A4}" wide - $s7 = "HTTP/1.1 200 OK\x0d\nServer: Apache-Coyote/1.1\x0d\nPragma: No-cache\x0d\nCache-Control: no-cache\x0d\nExpires: Thu, 01 Jan 1970 08:00:00 CST\x0d\nLast-Modified: Fri, 27 Apr 2012 08:11:04 GMT\x0d\nContent-Type: application/xml\x0d\nContent-Length: %d\x0d\nDate: %s GMT" - $sql1 = "create table if not exists table_filed_space" - $sql2 = "create table if not exists clipboard" - $sql3 = "create trigger if not exists file_after_delete after delete on file" - $sql4 = "create trigger if not exists file_data_after_insert after insert on file_data" - $sql5 = "create trigger if not exists file_data_after_delete after delete on file_data" - $sql6 = "create trigger if not exists file_data_after_update after update on file_data" - $sql7 = "insert into file_data(file_id, ofs, data, status)" - - condition: - uint16(0) == 0x5a4d and (any of ($s*) or #fc_msg >= 8 or 4 of ($sql*)) -} - -rule apt_Windows_TA410_Rootkit_strings -{ - meta: - description = "Strings found in TA410's Rootkit" - reference = "https://www.welivesecurity.com/" - source = "https://github.com/eset/malware-ioc/" - license = "BSD 2-Clause" - version = "1" - author = "ESET Research" - date = "2021-10-12" - strings: - $driver1 = 
"\\Driver\\kbdclass" wide - $driver2 = "\\Driver\\mouclass" wide - $device1 = "\\Device\\KeyboardClass0" wide - $device2 = "\\Device\\PointerClass0" wide - $driver3 = "\\Driver\\tcpip" wide - $device3 = "\\Device\\tcp" wide - $driver4 = "\\Driver\\nsiproxy" wide - $device4 = "\\Device\\Nsi" wide - $reg1 = "\\Registry\\Machine\\SYSTEM\\Setup\\AllowStart\\ceipCommon" wide - $reg2 = "RHH%d" wide - $reg3 = "RHP%d" wide - $s1 = "\\SystemRoot\\System32\\drivers\\hidmouse.sys" wide - - condition: - uint16(0) == 0x5a4d and all of ($s1,$reg*) and (all of ($driver*) or all of ($device*)) -} - -rule apt_Windows_TA410_FlowCloud_v5_resources -{ - meta: - description = "Matches sequence of PE resource IDs found in TA410 FlowCloud version 5.0.2" - reference = "https://www.welivesecurity.com/" - source = "https://github.com/eset/malware-ioc/" - license = "BSD 2-Clause" - version = "1" - author = "ESET Research" - date = "2021-10-12" - condition: - uint16(0) == 0x5a4d and pe.number_of_resources >= 13 and - for 12 resource in pe.resources: - ( resource.type == 10 and resource.language == 1033 and - //resource name is one of 100, 1000, 10000, 1001, 101, 102, 103, 104, 105, 106, 107, 108, 109, 110, 2000, 2001 as widestring - (resource.name_string == "1\x000\x000\x00" or resource.name_string == "1\x000\x000\x000\x00" or resource.name_string == "1\x000\x000\x000\x000\x00" or - resource.name_string == "1\x000\x000\x001\x00" or resource.name_string == "1\x000\x001\x00" or resource.name_string == "1\x000\x002\x00" or - resource.name_string == "1\x000\x003\x00" or resource.name_string == "1\x000\x004\x00" or resource.name_string == "1\x000\x005\x00" or - resource.name_string == "1\x000\x006\x00" or resource.name_string == "1\x000\x007\x00" or resource.name_string == "1\x000\x008\x00" or - resource.name_string == "1\x000\x009\x00" or resource.name_string == "1\x001\x000\x00" or resource.name_string == "2\x000\x000\x000\x00" or resource.name_string == "2\x000\x000\x001\x00") - ) -} - -rule 
apt_Windows_TA410_FlowCloud_v4_resources -{ - meta: - description = "Matches sequence of PE resource IDs found in TA410 FlowCloud version 4.1.3" - reference = "https://www.welivesecurity.com/" - source = "https://github.com/eset/malware-ioc/" - license = "BSD 2-Clause" - version = "1" - author = "ESET Research" - date = "2021-10-12" - condition: - uint16(0) == 0x5a4d and pe.number_of_resources >= 6 and - for 5 resource in pe.resources: - ( resource.type == 10 and resource.language == 1033 and - // resource name is one of 10000, 10001, 10002, 10003, 10004, 10005, 10100 as wide string - (resource.name_string == "1\x000\x000\x000\x000\x00" or resource.name_string == "1\x000\x000\x000\x001\x00" or - resource.name_string == "1\x000\x000\x000\x002\x00" or resource.name_string == "1\x000\x000\x000\x003\x00" or - resource.name_string == "1\x000\x000\x000\x004\x00" or resource.name_string == "1\x000\x000\x000\x005\x00" or resource.name_string == "1\x000\x001\x000\x000\x00") - ) -} diff --git a/yara-mikesxrs/eset/turla-outlook.yar b/yara-mikesxrs/eset/turla-outlook.yar deleted file mode 100644 index ded9d7c..0000000 --- a/yara-mikesxrs/eset/turla-outlook.yar +++ /dev/null 
@@ -1,169 +0,0 @@ -// For feedback or questions contact us at: github@eset.com -// https://github.com/eset/malware-ioc/ -// -// These yara rules are provided to the community under the two-clause BSD -// license as follows: -// -// Copyright (c) 2018, ESET -// All rights reserved. -// -// Redistribution and use in source and binary forms, with or without -// modification, are permitted provided that the following conditions are met: -// -// 1. Redistributions of source code must retain the above copyright notice, this -// list of conditions and the following disclaimer. -// -// 2. Redistributions in binary form must reproduce the above copyright notice, -// this list of conditions and the following disclaimer in the documentation -// and/or other materials provided with the distribution. -// -// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" -// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE -// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER -// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, -// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE -// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
-// - -import "pe" - -private rule not_ms { - condition: - not for any i in (0..pe.number_of_signatures - 1): - ( - pe.signatures[i].issuer contains "Microsoft Corporation" - ) -} - -rule turla_outlook_gen { - meta: - author = "ESET Research" - date = "05-09-2018" - description = "Turla Outlook malware" - version = 2 - reference = "https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf" - source = "https://github.com/eset/malware-ioc/" - contact = "github@eset.com" - license = "BSD 2-Clause" - strings: - $s1 = "Outlook Express" ascii wide - $s2 = "Outlook watchdog" ascii wide - $s3 = "Software\\RIT\\The Bat!" ascii wide - $s4 = "Mail Event Window" ascii wide - $s5 = "Software\\Mozilla\\Mozilla Thunderbird\\Profiles" ascii wide - $s6 = "%%PDF-1.4\n%%%c%c\n" ascii wide - $s7 = "%Y-%m-%dT%H:%M:%S+0000" ascii wide - $s8 = "rctrl_renwnd32" ascii wide - $s9 = "NetUIHWND" ascii wide - $s10 = "homePostalAddress" ascii wide - $s11 = "/EXPORT;OVERRIDE;START=-%d;END=-%d;FOLDER=%s;OUT=" ascii wide - $s12 = "Re:|FWD:|AW:|FYI:|NT|QUE:" ascii wide - $s13 = "IPM.Note" ascii wide - $s14 = "MAPILogonEx" ascii wide - $s15 = "pipe\\The Bat! 
%d CmdLine" ascii wide - $s16 = "PowerShellRunner.dll" ascii wide - $s17 = "cmd container" ascii wide - $s18 = "mapid.tlb" ascii wide nocase - $s19 = "Content-Type: F)*+" ascii wide fullword - condition: - not_ms and 5 of them -} - -rule turla_outlook_filenames { - meta: - author = "ESET Research" - date = "22-08-2018" - description = "Turla Outlook filenames" - reference = "https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf" - source = "https://github.com/eset/malware-ioc/" - contact = "github@eset.com" - license = "BSD 2-Clause" - strings: - $s1 = "mapid.tlb" - $s2 = "msmime.dll" - $s3 = "scawrdot.db" - condition: - any of them -} - -rule turla_outlook_log { - meta: - author = "ESET Research" - date = "22-08-2018" - description = "First bytes of the encrypted Turla Outlook logs" - reference = "https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf" - source = "https://github.com/eset/malware-ioc/" - contact = "github@eset.com" - license = "BSD 2-Clause" - strings: - //Log begin: [...] 
TVer - $s1 = {01 87 C9 75 C8 69 98 AC E0 C9 7B [21] EB BB 60 BB 5A} - condition: - $s1 at 0 -} - -rule turla_outlook_exports { - meta: - author = "ESET Research" - date = "22-08-2018" - description = "Export names of Turla Outlook Malware" - reference = "https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf" - source = "https://github.com/eset/malware-ioc/" - contact = "github@eset.com" - license = "BSD 2-Clause" - condition: - (pe.exports("install") or pe.exports("Install")) and - pe.exports("TBP_Initialize") and - pe.exports("TBP_Finalize") and - pe.exports("TBP_GetName") and - pe.exports("DllRegisterServer") and - pe.exports("DllGetClassObject") -} - -rule turla_outlook_pdf { - meta: - author = "ESET Research" - date = "22-08-2018" - description = "Detect PDF documents generated by Turla Outlook malware" - reference = "https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf" - source = "https://github.com/eset/malware-ioc/" - contact = "github@eset.com" - license = "BSD 2-Clause" - strings: - $s1 = "Adobe PDF Library 9.0" ascii wide nocase - $s2 = "Acrobat PDFMaker 9.0" ascii wide nocase - $s3 = {FF D8 FF E0 00 10 4A 46 49 46} - $s4 = {00 3F 00 FD FC A2 8A 28 03 FF D9} - $s5 = "W5M0MpCehiHzreSzNTczkc9d" ascii wide nocase - $s6 = "PDF-1.4" ascii wide nocase - condition: - 5 of them -} - -rule outlook_misty1 { - meta: - author = "ESET Research" - date = "22-08-2018" - description = "Detects the Turla MISTY1 implementation" - reference = "https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf" - source = "https://github.com/eset/malware-ioc/" - contact = "github@eset.com" - license = "BSD 2-Clause" - strings: - //and edi, 1FFh - $o1 = {81 E7 FF 01 00 00} - //shl ecx, 9 - $s1 = {C1 E1 09} - //xor ax, si - $s2 = {66 33 C6} - //shr eax, 7 - $s3 = {C1 E8 07} - $o2 = {8B 11 8D 04 1F 50 03 D3 8D 4D C4} - condition: - $o2 and for all i in (1..#o1): - (for all of ($s*) 
: ($ in (@o1[i] -500 ..@o1[i] + 500)))
-}
diff --git a/yara-mikesxrs/g00dv1n/Adware.AdGazelle.yar b/yara-mikesxrs/g00dv1n/Adware.AdGazelle.yar
deleted file mode 100644
index c461f2f..0000000
--- a/yara-mikesxrs/g00dv1n/Adware.AdGazelle.yar
+++ /dev/null
@@ -1,20 +0,0 @@
-rule AdwareAdGazelleSample
-{
- meta:
- Description = "Adware.AdGazelle.vb"
- ThreatLevel = "5"
-
- strings:
-
- $ = "D:\\popajar3" ascii wide
- $ = "squeakychocolate" ascii wide
- $ = "squeaky chocolate" ascii wide
- $ = "adxloader.dll" ascii wide
- $ = "adxloader.pdb" ascii wide
- $ = "adxloader64.dll" ascii wide
- $ = "adxloader64.pdb" ascii wide
- $ = "d:\\Products\\ADX.IE.8" ascii wide
-
- condition:
- any of them
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/g00dv1n/Adware.Adpeak.yar b/yara-mikesxrs/g00dv1n/Adware.Adpeak.yar
deleted file mode 100644
index 51c2b37..0000000
--- a/yara-mikesxrs/g00dv1n/Adware.Adpeak.yar
+++ /dev/null
@@ -1,14 +0,0 @@
-rule AdwareAdpeakSample
-{
- meta:
- Description = "Adware.Adpeak.vb"
- ThreatLevel = "5"
-
- strings:
-
- $ = "dealcabby.dll" ascii wide
- $ = "getsavin.dll" ascii wide
-
- condition:
- any of them
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/g00dv1n/Adware.Agent.yar b/yara-mikesxrs/g00dv1n/Adware.Agent.yar
deleted file mode 100644
index 47bc410..0000000
--- a/yara-mikesxrs/g00dv1n/Adware.Agent.yar
+++ /dev/null
@@ -1,24 +0,0 @@
-rule AdwarePricePeepSample
-{
- meta:
- Description = "Adware.PricePeep.vb"
- ThreatLevel = "5"
-
- strings:
-
- $ = "BrandedUpdater" ascii wide
- $ = "default_browser" ascii wide
- $ = "LaunchDefaultBrowser" ascii wide
- $ = "LaunchBrowser" ascii wide
-
- $a1 = "InstallUtil.pdb" ascii wide
- $a2 = "C:\\managed\\root\\VTG_" ascii wide
- $a3 = "InstallUtil.pdb" ascii wide
- $a4 = "BrandedUpdater.pdb" ascii wide
- //$a5 = "PricePeep" ascii wide
- $a6 = "InstallUtil.cpp" ascii wide
- $a7 = "BrandedUpdater.cpp" ascii wide
-
- condition:
- (3 of them) or (any of ($a*))
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/g00dv1n/Adware.BetterSurf.yar b/yara-mikesxrs/g00dv1n/Adware.BetterSurf.yar
deleted file mode 100644
index 378023e..0000000
--- a/yara-mikesxrs/g00dv1n/Adware.BetterSurf.yar
+++ /dev/null
@@ -1,16 +0,0 @@
-rule BetterSurfASample
-{
- meta:
- Description = "Adware.BetterSurf.A.vb"
- ThreatLevel = "5"
-
- strings:
- $n1 = "Media Buzz" ascii wide
- $n2 = "MediaBuzz" ascii wide
-
- //$script1 = "document.getElementById('wsu_js" ascii wide
- //$script2 = "script.setAttribute('id','wsu_js" ascii wide
-
- condition:
- all of ($n*)
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/g00dv1n/Adware.BrowseFox.yar b/yara-mikesxrs/g00dv1n/Adware.BrowseFox.yar
deleted file mode 100644
index 480e19d..0000000
--- a/yara-mikesxrs/g00dv1n/Adware.BrowseFox.yar
+++ /dev/null
@@ -1,31 +0,0 @@
-rule AdwareBrowseFoxSample
-{
- meta:
- Description = "Adware.BrowseFox.vb"
- ThreatLevel = "5"
-
- strings:
-
- $a2 = ".expextdll.dll" ascii wide
- $a3 = ".IEUpdate.pdb" ascii wide
- $a4 = ".Repmon.dll" ascii wide
- $a5 = ".BRT.Helper.exe" ascii wide
- $a6 = ".BrowserAdapter.pdb" ascii wide
- $a7 = ".expextdll.dll" ascii wide
- $a8 = ".browseradapter64.exe" ascii wide
- $a9 = ".purbrowse.exe" ascii wide
- $a10 = "BrowserFilter.exe" ascii wide
- $a11 = ".Bromon.dll" ascii wide
- $a12 = ".OfSvc.dll" ascii wide
- $a13 = ".GCUpdate.dll" ascii wide
- $a14 = ".BroStats.dll" ascii wide
- $a15 = ".BOAS.dll" ascii wide
- $a16 = ".BrowserAdapterS.dll" ascii wide
- $a17 = ".PurBrowse64.exe" ascii wide
-
- $b1 = "system32\\drivers\\%s.sys" ascii wide
- $b2 = "FilterApp" ascii wide
-
- condition:
- (any of ($a*)) or (all of ($b*))
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/g00dv1n/Adware.Conduit.yar b/yara-mikesxrs/g00dv1n/Adware.Conduit.yar
deleted file mode 100644
index 00a72c9..0000000
--- a/yara-mikesxrs/g00dv1n/Adware.Conduit.yar
+++ /dev/null
@@ -1,37 +0,0 @@
-rule ConduitASample
-{
- meta:
- Description = "Adware.Conduit.A.vb"
- ThreatLevel = "5"
-
- strings:
- $ = "GetSpeedBrowserInstalled" ascii wide
- $ = "SpeedBrowserAlreadyInstalled" ascii wide
- $ = "Injekt SVN - client" ascii wide
-
- condition:
- any of them
-}
-
-rule ConduitBSample
-{
- meta:
- Description = "Adware.Conduit.B.vb"
- ThreatLevel = "5"
-
- strings:
- $ = "CAboutTabsInjector_" ascii wide
- $ = "AboutTabsDataUrlPublisher" ascii wide
- $ = "AboutTabsDataUrlConduit" ascii wide
- $ = "AboutTabsUsageUrl" ascii wide
- $ = "AboutTabsEnabledByUser" ascii wide
- $ = "AboutTabsEnabledByConduit" ascii wide
- $ = "AboutTabsEnabledByPublisher" ascii wide
- $ = "SearchInNewTabContent.xml" ascii wide
- $ = "CONDUIT_CHEVRON_MUTEX" ascii wide
- $ = "CConduitExternalForTBAPI" ascii wide
- $ = "EI_Toolbar_Update_Mutex" ascii wide
-
- condition:
- any of them
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/g00dv1n/Adware.ConvertAd.yar b/yara-mikesxrs/g00dv1n/Adware.ConvertAd.yar
deleted file mode 100644
index 9472477..0000000
--- a/yara-mikesxrs/g00dv1n/Adware.ConvertAd.yar
+++ /dev/null
@@ -1,15 +0,0 @@
-rule AdwareConvertAdSample
-{
- meta:
- Description = "Adware.ConvertAd.vb"
- ThreatLevel = "5"
-
- strings:
-
- $ = "http://download-servers.com/SysInfo/adrouteservice/adrouter.php" ascii wide
- $ = "ConvertAd.html" ascii wide
- $ = "ConvertAd.exe" ascii wide
-
- condition:
- any of them
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/g00dv1n/Adware.Crossrider.yar b/yara-mikesxrs/g00dv1n/Adware.Crossrider.yar
deleted file mode 100644
index 97c7c33..0000000
--- a/yara-mikesxrs/g00dv1n/Adware.Crossrider.yar
+++ /dev/null
@@ -1,54 +0,0 @@
-rule AdwareCrossriderSampleA
-{
- meta:
- Description = "Adware.Crossrider.A.sm"
- ThreatLevel = "5"
-
- strings:
- $ = "-bho.dll" ascii wide
- $ = "-bho64.dll" ascii wide
- $ = "-buttonutil64.dll" ascii wide
- $ = "-buttonutil.dll" ascii wide
- $ = "-BrowserEventSandBox" ascii wide
- $ = "CrossriderApp" ascii wide
- $ = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths\\chrome.exe" ascii wide
- $ = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths\\firefox.exe" ascii wide
- $ = "IEInject_Win32.dll" ascii wide
- $ = "bg_debug.js" ascii wide
- $ = "new_debug.js" ascii wide
- $ = "Browser Process id" ascii wide
- $ = "BHO Process id" ascii wide
- $ = "BhoRunningVersion" ascii wide
- $ = "-nova64.dll" ascii wide
-
- $str1 = "crossrider-buttonutil.pdb" ascii wide
- $str2 = "AVCCrossriderButtonHelper" ascii wide
- $str3 = "AVCCrossRiderLogger" ascii wide
- $str5 = "AddCrossRiderSearchProvider" ascii wide
- $str6 = "C:\\BUILD_AVZR2\\WhiteRabbit" ascii wide
- $str7 = "CrossriderBHO" ascii wide
- $str8 = "215AppVerifier" ascii wide
- $str9 = "Crossrider BHO Version" ascii wide
- $str10 = "brightcircleinvestments.com" ascii wide
- $str11 = "CrossriderNotification.pdb" ascii wide
- $str12 = "C:\\Users\\cross\\Desktop\\compilation_bot_area" ascii wide
- condition:
- (3 of them) or (any of ($str*))
-}
-
-rule AdwareCrossriderSampleB
-{
- meta:
- Description = "Adware.Crossrider.B.vb"
- ThreatLevel = "5"
-
- strings:
- $ = "crossbrowse/updater/{{camp_id}}/{{version}}/{{secret}}/update.json" ascii wide
- $ = "Crossbrowse\\Crossbrowse\\Application\\crossbrowse.exe" ascii wide
- $ = "allnetserveline.com/crossbrowse" ascii wide
- $ = "C:\\workspace\\crossbrowse" ascii wide
- $ = "CrossriderBrowserInstaller.pdb" ascii wide
-
- condition:
- any of them
-}
diff --git a/yara-mikesxrs/g00dv1n/Adware.DealPly.yar b/yara-mikesxrs/g00dv1n/Adware.DealPly.yar
deleted file mode 100644
index d4d922e..0000000
--- a/yara-mikesxrs/g00dv1n/Adware.DealPly.yar
+++ /dev/null
@@ -1,13 +0,0 @@
-rule AdwareDealPlySample
-{
- meta:
- Description = "Adware.DealPly.vb"
- ThreatLevel = "5"
-
- strings:
-
- $ = "dealply.prq" ascii wide
-
- condition:
- any of them
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/g00dv1n/Adware.Dlhelper.yar b/yara-mikesxrs/g00dv1n/Adware.Dlhelper.yar
deleted file mode 100644
index 5ec1378..0000000
--- a/yara-mikesxrs/g00dv1n/Adware.Dlhelper.yar
+++ /dev/null
@@ -1,27 +0,0 @@
-rule AdwareDlhelperAdSample
-{
- meta:
- Description = "Adware.Dlhelper.vb"
- ThreatLevel = "5"
-
- strings:
-
- $ = "trifonov@onegbsoft.ru" ascii wide
- $ = "bulovackiy@dontehnoservis.com.ua" ascii wide
- $ = "contacts@dayzgames.com" ascii wide
- $ = "admin@mayris.org" ascii wide
-
- $ = "Panel_OffersList" ascii wide
-
- $ = "support@dlhelper.com" ascii wide
- $ = "http://dlhelper.com" ascii wide
-
- $ = "http://sendme9.ru" ascii wide
- $ = "http://sendme3.ru" ascii wide
- $ = "http://trustfile3.ru" ascii wide
- $ = "http://trustfile9.ru" ascii wide
- $ = "http://downloaditeasy.ru" ascii wide
-
- condition:
- any of them
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/g00dv1n/Adware.Downloader.yar b/yara-mikesxrs/g00dv1n/Adware.Downloader.yar
deleted file mode 100644
index 2632d4b..0000000
--- a/yara-mikesxrs/g00dv1n/Adware.Downloader.yar
+++ /dev/null
@@ -1,18 +0,0 @@
-rule AdwareDownloaderA
-{
- meta:
- Description = "Adware.Downloader.A.vb"
- ThreatLevel = "5"
-
- strings:
-
- $ = "odiassi" ascii wide
- $ = "stavers" ascii wide
- $ = "trollimog" ascii wide
- $ = "diapause" ascii wide
- $ = "UserControl1" ascii wide
- $ = "listboxmod01" ascii wide
-
- condition:
- all of them
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/g00dv1n/Adware.ELEX.yar b/yara-mikesxrs/g00dv1n/Adware.ELEX.yar
deleted file mode 100644
index 1440f14..0000000
--- a/yara-mikesxrs/g00dv1n/Adware.ELEX.yar
+++ /dev/null
@@ -1,65 +0,0 @@
-rule AdwareELEXSampleA
-{
- meta:
- Description = "Adware.ELEX.A.vb"
- ThreatLevel = "5"
-
- strings:
-
- $ = "www.freeappstools.com" ascii wide
- $ = "dl.elex.soft365.com" ascii wide
- $ = "E:\\Code\\FileSyn\\Bin" ascii wide
- $ = "E:\\Code_SVN\\FileSyn\\Bin" ascii wide
-
- condition:
- any of them
-}
-
-
-rule AdwareELEXSampleB
-{
- meta:
- Description = "Adware.ELEX.B.vb"
- ThreatLevel = "5"
-
- strings:
-
- $pdb = "Release\\SFKEX.pdb" ascii wide
- $ = "21e223b3f0c97db3c281da1g7zccaefozzjcktmlma" ascii wide
- $ = "http://xa.xingcloud.com/v4/sof-everything" ascii wide
- $ = "http://www.mysearch123.com" ascii wide
- $ = "SFKEX.exe" ascii wide
- $ = "SFKEX.dll" ascii wide
- $ = "SFKURL" ascii wide
-
- condition:
- 2 of them
-}
-
-
-rule AdwareELEXSampleCommon
-{
- meta:
- Description = "Adware.ELEX.vb"
- ThreatLevel = "5"
-
- strings:
-
- $ = "\\Mozilla\\Firefox\\" ascii wide
- $ = "profiles.ini" ascii wide
- $ = "Profile0" ascii wide
- $ = "\\prefs.js" ascii wide
- $ = "\\Google\\Chrome\\User Data\\" ascii wide
- $ = "\\Secure Preferences" ascii wide
- $ = "Software\\Microsoft\\Internet Explorer\\Main" ascii wide
- $ = "Start Page" ascii wide
- $ = "chrome.exe" ascii wide
- $ = "iexplore.exe" ascii wide
- $ = "firefox.exe" ascii wide
- $ = "user_pref" ascii wide
- $ = "browser.startup.homepage" ascii wide
- $ = "startup_urls" ascii wide
-
- condition:
- all of them
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/g00dv1n/Adware.Gen.yar b/yara-mikesxrs/g00dv1n/Adware.Gen.yar
deleted file mode 100644
index abcccbe..0000000
--- a/yara-mikesxrs/g00dv1n/Adware.Gen.yar
+++ /dev/null
@@ -1,16 +0,0 @@
-rule AdwareStormWatchSample
-{
- meta:
- Description = "Adware.StormWatch.vb"
- ThreatLevel = "5"
-
- strings:
-
- $ = "localstormwatch.com" ascii wide
- $ = "StormWatch.pdb" ascii wide
- $ = "StormWatch.exe" ascii wide
- $ = "ActiveDeals" ascii wide
-
- condition:
- any of them
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/g00dv1n/Adware.Genieo.yar b/yara-mikesxrs/g00dv1n/Adware.Genieo.yar
deleted file mode 100644
index 0984173..0000000
--- a/yara-mikesxrs/g00dv1n/Adware.Genieo.yar
+++ /dev/null
@@ -1,27 +0,0 @@
-rule AdwareGenieoSample
-{
- meta:
- Description = "Adware.Genieo.vb"
- ThreatLevel = "5"
-
- strings:
- $h1 = "gentray.pdb" ascii wide
- $h2 = "genupdater.pdb" ascii wide
- $h3 = "www.genieo.com" ascii wide
- $h4 = "userfeedback-genieo.appspot.com" ascii wide
- $h5 = "Genieo Innovation LTD" ascii wide
-
- $str1 = "Software\\Genieo" ascii wide
- $str2 = "SOFTWARE\\Genieo" ascii wide
-
- $str5 = "genieo.exe" ascii wide
- $str6 = "genieutils.exe" ascii wide
- $str7 = "genupdater.exe" ascii wide
-
- $str8 = "__Genieo_" ascii wide
- $str9 = "GenieoUpdaterServiceCleaner" ascii wide
- $str10 = "GENIEO_TRAY_UI" ascii wide
-
- condition:
- any of them
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/g00dv1n/Adware.Imali.yar b/yara-mikesxrs/g00dv1n/Adware.Imali.yar
deleted file mode 100644
index bc95b8c..0000000
--- a/yara-mikesxrs/g00dv1n/Adware.Imali.yar
+++ /dev/null
@@ -1,13 +0,0 @@
-rule AdwareImaliSample
-{
- meta:
- Description = "Adware.Imali.vb"
- ThreatLevel = "5"
-
- strings:
-
- $ = "www.freemediaplayer.tv" ascii wide
-
- condition:
- any of them
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/g00dv1n/Adware.InstallCore.yar b/yara-mikesxrs/g00dv1n/Adware.InstallCore.yar
deleted file mode 100644
index 0175117..0000000
--- a/yara-mikesxrs/g00dv1n/Adware.InstallCore.yar
+++ /dev/null
@@ -1,18 +0,0 @@
-rule AdwareInstallCoreSample
-{
- meta:
- Description = "Adware.InstallCore.vb"
- ThreatLevel = "5"
-
- strings:
-
- $ = "www.mynicepicks.com" ascii wide
- $ = "www.ultimatepdfconverter.com" ascii wide
- $ = "www.coolpdfcreator.com" ascii wide
- $ = "cdnus.ironcdn.com" ascii wide
- $ = "esd.baixaki.com.br" ascii wide
- $ = "cdneu2.programmersupply.com" ascii wide
-
- condition:
- any of them
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/g00dv1n/Adware.Linkury.yar b/yara-mikesxrs/g00dv1n/Adware.Linkury.yar
deleted file mode 100644
index 7552f51..0000000
--- a/yara-mikesxrs/g00dv1n/Adware.Linkury.yar
+++ /dev/null
@@ -1,41 +0,0 @@
-rule LinkuryASample
-{
- meta:
- Description = "Adware.Linkury.A.vb"
- ThreatLevel = "5"
-
- strings:
- $ = "Smartbar" ascii wide
- $ = "Linkury" ascii wide
- $ = "ChromeUtils" ascii wide
- $ = "FirefoxUtils" ascii wide
- $ = "AddBundledSoftware" ascii wide
- $ = "UpdateToolbarState" ascii wide
- $ = "New Tab Search" ascii wide
- $ = "get_BrowserIsOpen" ascii wide
- $ = "get_BetterSearchResults" ascii wide
- $ = "get_AllYourBrowsers" ascii wide
- $ = "get_ChangeHomepageAndSearch" ascii wide
- $ = "get_BrowserSettingsProtectOk" ascii wide
- $ = "get_BrowserSettingsChange" ascii wide
- $ = "get_BrowserSettingsProtectChange" ascii wide
- $ = "get_BrowserSettingsProtectDescription" ascii wide
- $ = "get_BrowserSettingsProtectHeader" ascii wide
- $ = "get_BrowserSettingsProtectKeep" ascii wide
-
- condition:
- 2 of them
-}
-
-rule LinkuryBSample
-{
- meta:
- Description = "Adware.Linkury.B.vb"
- ThreatLevel = "5"
-
- strings:
- $ = "C:\\Cranberry\\bin\\CaraDelevigne\\Cara.pdb" ascii wide
-
- condition:
- any of them
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/g00dv1n/Adware.MyWebSearch.yar b/yara-mikesxrs/g00dv1n/Adware.MyWebSearch.yar
deleted file mode 100644
index 270ef00..0000000
--- a/yara-mikesxrs/g00dv1n/Adware.MyWebSearch.yar
+++ /dev/null
@@ -1,17 +0,0 @@
-rule MyWebSearchSample
-{
- meta:
- Description = "Adware.MyWebSearch.vb"
- ThreatLevel = "5"
-
- strings:
- $ = "t8Setup1.pdb" ascii wide
- $ = "t8EIPlug.pdb" ascii wide
- $ = "t8EzSetp.pdb" ascii wide
- $ = "NPt8EISB.pdb" ascii wide
- $ = "Mindspark Interactive Network" ascii wide
- $ = "mindspark.com" ascii wide
-
- condition:
- any of them
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/g00dv1n/Adware.NextLive.yar b/yara-mikesxrs/g00dv1n/Adware.NextLive.yar
deleted file mode 100644
index 674edba..0000000
--- a/yara-mikesxrs/g00dv1n/Adware.NextLive.yar
+++ /dev/null
@@ -1,15 +0,0 @@
-rule NextLiveSample
-{
- meta:
- Description = "Adware.NextLive.vb"
- ThreatLevel = "5"
-
- strings:
-
- $ = "nengine.pdb" ascii wide
- $ = "nengine.dll" ascii wide
- $ = "D:\\svn.thecodeway.com\\private\\nlive\\trunk" ascii wide
-
- condition:
- any of them
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/g00dv1n/Adware.ObronaAds.yar b/yara-mikesxrs/g00dv1n/Adware.ObronaAds.yar
deleted file mode 100644
index 19706c2..0000000
--- a/yara-mikesxrs/g00dv1n/Adware.ObronaAds.yar
+++ /dev/null
@@ -1,35 +0,0 @@
-rule ObronaAdsSample
-{
- meta:
- Description = "Adware.ObronaAds.vb"
- ThreatLevel = "5"
-
- strings:
- $i1 = "ObronaBlockAds" ascii wide
- $i2 = "Obrona Block Ads" ascii wide
- $i3 = "ObronaVPN" ascii wide
- $i4 = "OBRONA_PROXY" ascii wide
- $i5 = "SecurityAndShoppingAdvisor" ascii wide
- $i6 = "SASAService" ascii wide
- $i7 = "http://update.obrona.org" ascii wide
- $i8 = "Proxy-agent: SASA Proxy" ascii wide
- $i9 = "Proxy\\AdsInjectionContentProvider.cpp" ascii wide
-
- $ = "sendBrowsersHistoryKeywords" ascii wide
- $ = "startWatcher" ascii wide
- $ = "HelperApplication" ascii wide
- $ = "enableAds" ascii wide
- $ = "enableInjecting" ascii wide
- $ = "disableInjecting" ascii wide
- $ = "requestNewAdsUrl" ascii wide
- $ = "requestAdsIgnoredDomains" ascii wide
- $ = "startSendingSearchKeywords" ascii wide
- $ = "AdsService" ascii wide
- $ = "ServiceProxy.cpp" ascii wide
- $ = "HelperApplication.cpp" ascii wide
- $ = "Updater.cpp" ascii
- $ = "WebProxy.cpp" ascii wide
-
- condition:
- (any of ($i*)) or (3 of them)
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/g00dv1n/Adware.OpenCandy.yar b/yara-mikesxrs/g00dv1n/Adware.OpenCandy.yar
deleted file mode 100644
index a1808b1..0000000
--- a/yara-mikesxrs/g00dv1n/Adware.OpenCandy.yar
+++ /dev/null
@@ -1,13 +0,0 @@
-rule AdwareOpenCandySample
-{
- meta:
- Description = "Adware.OpenCandy.vb"
- ThreatLevel = "5"
-
- strings:
-
- $ = "http://cdn.opencandy.com" ascii wide
-
- condition:
- any of them
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/g00dv1n/Adware.OutBrowse.yar b/yara-mikesxrs/g00dv1n/Adware.OutBrowse.yar
deleted file mode 100644
index 0df695b..0000000
--- a/yara-mikesxrs/g00dv1n/Adware.OutBrowse.yar
+++ /dev/null
@@ -1,17 +0,0 @@
-rule AdwareOutBrowseSample
-{
- meta:
- Description = "Adware.OutBrowse.vb"
- ThreatLevel = "5"
-
- strings:
-
- $ = "cdn.install.playbryte.com" ascii wide
- $ = "download.2yourface.com" ascii wide
- $ = "www.default-page.com" ascii wide
- $ = "install2.optimum-installer.com" ascii wide
- $ = "downloadzone.org" ascii wide
-
- condition:
- any of them
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/g00dv1n/Adware.PullUpdate.yar b/yara-mikesxrs/g00dv1n/Adware.PullUpdate.yar
deleted file mode 100644
index e2ef09f..0000000
--- a/yara-mikesxrs/g00dv1n/Adware.PullUpdate.yar
+++ /dev/null
@@ -1,73 +0,0 @@
-rule AdwarePullUpdateSample
-{
- meta:
- Description = "Adware.PullUpdate.vb"
- ThreatLevel = "5"
-
- strings:
- $ = "gettvwizard.com" ascii wide
- $ = "getsharethis.com" ascii wide
- $ = "thewebguard.com" ascii wide
- $ = "astro-arcade.com" ascii wide
- $ = "instashareonline.com" ascii wide
- $ = "safewebonline.com" ascii wide
- $ = "downloadmeteoroids.com" ascii wide
- $ = "moviemasterapp.com" ascii wide
- $ = "watchzombieinvasion.com" ascii wide
- $ = "freevideoconverterapp.com" ascii wide
-
- // $ = "TVWizard" ascii wide
- //$ = "TV Wizard" ascii wide
- $ = "AstroArcade" ascii wide
- $ = "WebGuard Deleter" ascii wide
- $ = "SmallIslandDevelopment" ascii wide
-
- $ = "AVFirefoxCookieReader" ascii wide
- $ = "AVChromeCookieReader" ascii wide
- $ = "AVInternetExplorerCookieReader" ascii wide
- $ = "AVBrowserCookieReader" ascii wide
- $ = "Data Protection Solutions" ascii wide
-
-
- $ = "VideoDimmer.exe" ascii wide
- $ = "VideoDimmerService.exe" ascii wide
-
- $ = "WebGuard.exe" ascii wide
- $ = "WebGuardService.exe" ascii wide
-
- $ = "HealthAlert.exe" ascii wide
- $ = "HealthAlertService.exe" ascii wide
-
- $ = "CrimeWatch.exe" ascii wide
- $ = "CrimeWatchService.exe" ascii wide
-
- $ = "SafeWeb.exe" ascii wide
- $ = "SafeWebService.exe" ascii wide
-
- $ = "Meteoroids.exe" ascii wide
- $ = "MeteoroidsService.exe" ascii wide
-
- $ = "Websteroids.exe" ascii wide
- $ = "WebsteroidsService.exe" ascii wide
-
- $ = "WebShield.exe" ascii wide
- $ = "WebShieldService.exe" ascii wide
-
- $ = "ZombieNews.exe" ascii wide
- $ = "ZombieNewsService.exe" ascii wide
-
- $ = "CelebrityAlertService.exe" ascii wide
- $ = "CelebrityAlert.exe" ascii wide
-
- $ = "MovieMaster.exe" ascii wide
- $ = "MovieMasterService.exe" ascii wide
-
- $ = "ZombieInvasionService.exe" ascii wide
- $ = "ZombieInvasion.exe" ascii wide
-
- $ = "BreakingNewsAlertService.exe" ascii wide
- $ = "BreakingNewsAlert.exe" ascii wide
-
- condition:
- any of them
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/g00dv1n/Adware.SProtect.yar b/yara-mikesxrs/g00dv1n/Adware.SProtect.yar
deleted file mode 100644
index 7041421..0000000
--- a/yara-mikesxrs/g00dv1n/Adware.SProtect.yar
+++ /dev/null
@@ -1,38 +0,0 @@
-rule SearchProtectSample
-{
- meta:
- Description = "Adware.SProtect.vb"
- ThreatLevel = "5"
-
- strings:
- $ = "Search Protect" ascii wide
- $ = "SearchProtect" ascii wide
- $ = "Search Protector" ascii wide
- $ = "SearchProtector" ascii wide
- $ = "ClientConnect" ascii wide
- $ = "SPVC32.dll" ascii wide
- $ = "SPVC32Loader.dll" ascii wide
- $ = "SPVC64.dll" ascii wide
- $ = "SPVC64Loader.dll" ascii wide
- $ = "SProtector" ascii wide
- $ = "AppendInit.dll" ascii wide
- $ = "{12DA0E6F-5543-440C-BAA2-28BF01070AFA}" ascii wide
- $pdb1 = "CltMngSvc.pdb" ascii wide
- $pdb2 = "SPtool.pdb" ascii wide
- $pdb3 = "SPtool64.pdb" ascii wide
- $pdb4 = "SPVC32.pdb" ascii wide
- $pdb5 = "SPVC64.pdb" ascii wide
- $pdb6 = "SPVC32Loader.pdb" ascii wide
- $pdb7 = "SPVC64Loader.pdb" ascii wide
- $pdb8 = "cltmng.pdb" ascii wide
- $pdb9 = "MiniStubUtils.pdb" ascii wide
- $pdb10 = "Search Protector" ascii wide
- $pdb11 = "%programfiles%\\Free Offers from" ascii wide
- $pdb12 = "TestSearchProtect" ascii wide
- $pdb13 = "ProtectService.pdb" ascii wide
- $pdb14 = "E:\\supsoft" ascii wide
- $pdb15 = "BrowerWatch.dll" ascii wide
-
- condition:
- (2 of them) or (any of ($pdb*))
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/g00dv1n/Adware.SearchSuite.yar b/yara-mikesxrs/g00dv1n/Adware.SearchSuite.yar
deleted file mode 100644
index cd77bec..0000000
--- a/yara-mikesxrs/g00dv1n/Adware.SearchSuite.yar
+++ /dev/null
@@ -1,26 +0,0 @@
-rule SearchSuiteSample
-{
- meta:
- Description = "Adware.SearchSuite.vb"
- ThreatLevel = "5"
-
- strings:
- //$ = "SearchSuite" ascii wide
- $ = "searchcore.net" ascii wide
- $ = "searchnu.com" ascii wide
- $ = "searchqu.com" ascii wide
- $ = "searchsheet.com" ascii wide
- $ = "adoresearch.com" ascii wide
- $ = "newsearchtab.com" ascii wide
- $ = "searchsupreme.com" ascii wide
- $ = "mlsearch.com" ascii wide
- $ = "insertsearch.com" ascii wide
- $ = "gotsearch.com" ascii wide
- $ = "search.ask.com" ascii wide
- $ = "search-results.com" ascii wide
- $ = "default-search.net" ascii wide
- $ = "imesh web search" ascii wide
-
- condition:
- any of them
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/g00dv1n/Adware.Sendori.yar b/yara-mikesxrs/g00dv1n/Adware.Sendori.yar
deleted file mode 100644
index 0da5414..0000000
--- a/yara-mikesxrs/g00dv1n/Adware.Sendori.yar
+++ /dev/null
@@ -1,34 +0,0 @@
-rule AdwareSendoriSample
-{
- meta:
- Description = "Adware.Sendori.vb"
- ThreatLevel = "5"
-
- strings:
- $ = "SendoriSvc.pdb" ascii wide
- $ = "SendoriTray.pdb" ascii wide
- $ = "sendori64f.sys" ascii wide
- $ = "sendori64r.sys" ascii wide
- $ = "sendori32.sys" ascii wide
- $ = "Sendori.dll" ascii wide
- $ = "SendoriProxy.dll" ascii wide
- $ = "SendoriUp.exe" ascii wide
- $ = "SendoriSvc.exe" ascii wide
- $ = "SendoriTray.exe" ascii wide
- $ = "SendoriControl.exe" ascii wide
- $ = "sendori-win-upgrader.exe" ascii wide
- $ = "\\\\.\\pipe\\Sendori" ascii wide
- $ = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Sendori" ascii wide
- $ = "SOFTWARE\\Sendori" ascii wide
- $ = "Sendori, Inc" ascii wide
- $ = "Sendori Service" ascii wide
- $ = "Service Sendori" ascii wide
- $ = "Application Sendori" ascii wide
- $ = "SendoriLSP" ascii wide
- $ = "Sendori Elevated Service Controller" ascii wide
- $ = "Sendori-Client" ascii wide
- $ = "SENDORI_UPGRADE_ASSISTANT" ascii wide
-
- condition:
- any of them
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/g00dv1n/Adware.SimplyTech.yar b/yara-mikesxrs/g00dv1n/Adware.SimplyTech.yar
deleted file mode 100644
index 34f2169..0000000
--- a/yara-mikesxrs/g00dv1n/Adware.SimplyTech.yar
+++ /dev/null
@@ -1,16 +0,0 @@
-rule SimplyTechSample
-{
- meta:
- Description = "Adware.SimplyTech.vb"
- ThreatLevel = "5"
-
- strings:
- $ = "wtb_64.pdb" ascii wide
- $ = "wtb_64.DLL" ascii wide
- $ = "wtb.ToolbarInfo" ascii wide
- $ = "Surf Canyon" ascii wide
- $ = "surfcanyon" ascii wide
-
- condition:
- any of them
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/g00dv1n/Adware.SmartApps.yar b/yara-mikesxrs/g00dv1n/Adware.SmartApps.yar
deleted file mode 100644
index 8cfbaab..0000000
--- a/yara-mikesxrs/g00dv1n/Adware.SmartApps.yar
+++ /dev/null
@@ -1,23 +0,0 @@
-rule SmartAppsSample
-{
- meta:
- Description = "Adware.SmartApps.vb"
- ThreatLevel = "5"
-
- strings:
-
- $a1 = "Unicows.dll" ascii wide
- $a2 = "FrameworkBHO.DLL" ascii wide
- $a3 = "URLDownloadToFile" ascii wide
- $a4 = "getExtensionFileContents" ascii wide
- $a5 = "Toolbar" ascii wide
- $a6 = "GdiplusStartup" ascii wide
-
- $b1 = "getCookieW" ascii wide
- $b2 = "setCookieW" ascii wide
- $b3 = "InternetSetCookieW" ascii wide
- $b5 = "InternetGetCookieExW" ascii wide
-
- condition:
- (all of ($b*)) and (any of ($a*))
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/g00dv1n/Adware.Solimbda.yar b/yara-mikesxrs/g00dv1n/Adware.Solimbda.yar
deleted file mode 100644
index 18cf783..0000000
--- a/yara-mikesxrs/g00dv1n/Adware.Solimbda.yar
+++ /dev/null
@@ -1,13 +0,0 @@
-rule AdwareSolimbdaSample
-{
- meta:
- Description = "Adware.Solimbda.vb"
- ThreatLevel = "5"
-
- strings:
- $ = "http://api.downloadmr.com" ascii wide
- $ = "SuggestedApps" ascii wide
-
- condition:
- all of them
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/g00dv1n/Adware.Trioris.yar b/yara-mikesxrs/g00dv1n/Adware.Trioris.yar
deleted file mode 100644
index e6a499f..0000000
--- a/yara-mikesxrs/g00dv1n/Adware.Trioris.yar
+++ /dev/null
@@ -1,17 +0,0 @@
-rule TriorisSample
-{
- meta:
- Description = "Adware.Trioris.vb"
- ThreatLevel = "5"
-
- strings:
- $ = "instamarket.js" ascii wide
- $ = "instamarketoff.js" ascii wide
- $ = "trioris.net" ascii wide
- $ = "storegid.com" ascii wide
- $ = "screentoolkit.com" ascii wide
- $ = "Sergey Cherezov" ascii wide
-
- condition:
- any of them
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/g00dv1n/Adware.Vitruvian.yar b/yara-mikesxrs/g00dv1n/Adware.Vitruvian.yar
deleted file mode 100644
index d81783d..0000000
--- a/yara-mikesxrs/g00dv1n/Adware.Vitruvian.yar
+++ /dev/null
@@ -1,18 +0,0 @@
-rule AdwareVitruvianSample
-{
- meta:
- Description = "Adware.Vitruvian.vb"
- ThreatLevel = "5"
-
- strings:
- $ = "WordProser" ascii wide
- $ = "vitruvian" ascii wide
- $ = "gethighlightly.com" ascii wide
- $ = "betterbrainapp.com" ascii wide
- $ = "wordproser.com" ascii wide
- $ = "intellitermapp.com" ascii wide
- $ = "BetterBrainClientIE.pdb" ascii wide
-
- condition:
- any of them
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/g00dv1n/Adware.Wajam.yar b/yara-mikesxrs/g00dv1n/Adware.Wajam.yar
deleted file mode 100644
index 974c471..0000000
--- a/yara-mikesxrs/g00dv1n/Adware.Wajam.yar
+++ /dev/null
@@ -1,27 +0,0 @@
-rule AdwareWajamSample
-{
- meta:
- Description = "Adware.Wajam.vb"
- ThreatLevel = "5"
-
- strings:
-
- $ = "fastnfreedownload.com" ascii wide
- $ = "InternetEnhancer.exe" ascii wide
- $ = "InternetEnhancerService.exe" ascii wide
- $ = "WJManifest" ascii wide
- $ = "WaInterEnhance" ascii wide
- $ = "ping_wajam" ascii wide
- $ = "D:\\jenkins\\workspace" ascii wide
- $ = "WajamService" ascii wide
- $ = "AVCWJService" ascii wide
- $ = "Internet Enhancer Service" ascii wide
-
- $a1 = "WajamInternetEnhancerService.pdb" ascii wide
- $a4 = "WHttpServer.pdb" ascii wide
- $a2 = "Wajam. All right reserved" ascii wide
- $a3 = "Wajam.Proxy" ascii wide
-
- condition:
- (3 of them) or (any of ($a*))
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/g00dv1n/Adware.WebTools.yar b/yara-mikesxrs/g00dv1n/Adware.WebTools.yar
deleted file mode 100644
index b3aacd0..0000000
--- a/yara-mikesxrs/g00dv1n/Adware.WebTools.yar
+++ /dev/null
@@ -1,40 +0,0 @@
-rule RootkitSampleDriverAgony
-{
- meta:
- Description = "Trojan.Agony.sm"
- ThreatLevel = "5"
-
- strings:
- $ = "DosDevices\\agony" ascii wide
- $ = "Device\\agony" ascii wide
- $ = "VOLUME.INI" ascii wide
- $ = "ERVICES.EXE" ascii wide
- $ = "ervices.exe" ascii wide
- $ = "agony rootkit" ascii wide
- $ = "agony" ascii wide
- $ = "for exemple: agony -p process1.exe process2.exe" ascii wide
- $a = "i386\\agony.pdb" ascii wide
-
- condition:
- (3 of them) or $a
-}
-
-rule AdwareSampleWebTools
-{
- meta:
- Description = "Adware.WebTools.sm"
- ThreatLevel = "5"
-
- strings:
- $ = "IEctrl.log" ascii wide
- $ = "agony" ascii wide
- $s1 = "Gates.pdb" ascii wide
- $s0 = "GatesInstall.pdb" ascii wide
- $s2 = "IECtrl.pdb" ascii wide
- $s3 = "svch0st.exe" ascii wide
- $s4 = "SESDKDummy.dll" ascii wide
- $s5 = "SESDKDummy64.dll" ascii wide
-
- condition:
- (3 of them) or (any of ($s*))
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/g00dv1n/Adware.WebWatcher.yar b/yara-mikesxrs/g00dv1n/Adware.WebWatcher.yar
deleted file mode 100644
index da82d73..0000000
--- a/yara-mikesxrs/g00dv1n/Adware.WebWatcher.yar
+++ /dev/null
@@ -1,16 +0,0 @@
-rule AdwareWebWatcherSample
-{
- meta:
- Description = "Adware.WebWatcher.vb"
- ThreatLevel = "5"
-
- strings:
- $ = "E:\\BuildSource\\7\\WindowsClient\\WindowsClient.Client.RC\\Binaries" ascii wide
- $ = "Release DlpHook\\mcapp.pdb" ascii wide
- $ = "Release DlpHook\\mcsc.pdb" ascii wide
- $ = "Release Sonar\\Shim64.pdb" ascii wide
- $ = "Release Sonar\\Shim.pdb" ascii wide
-
- condition:
- any of them
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/g00dv1n/Adware.iBryte.yar b/yara-mikesxrs/g00dv1n/Adware.iBryte.yar
deleted file mode 100644
index e99a6d2..0000000
--- a/yara-mikesxrs/g00dv1n/Adware.iBryte.yar
+++ /dev/null
@@ -1,14 +0,0 @@
-rule AdwareiBryteSample
-{
- meta:
- Description = "Adware.iBryte.vb"
- ThreatLevel = "5"
-
- strings:
-
- $ = "install.ibryte.com" ascii wide
- $ = "pn-installer28.com" ascii wide
-
- condition:
- any of them
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/g00dv1n/Adware.uKor.yar b/yara-mikesxrs/g00dv1n/Adware.uKor.yar
deleted file mode 100644
index 713e9a7..0000000
--- a/yara-mikesxrs/g00dv1n/Adware.uKor.yar
+++ /dev/null
@@ -1,25 +0,0 @@
-rule AdwareUCSKoreaSample
-{
- meta:
- Description = "Adware.uKor.sm"
- ThreatLevel = "5"
-
- strings:
- $ = "_uninstall_Mutex" ascii wide
- $ = "_updater_Mutex" ascii wide
- $ = "_main_Mutex" ascii wide
- $ = "_install_Mutex" ascii wide
- $ = "main_agent" ascii wide
- $ = "updater_agent" ascii wide
- $ = "APP/bundle.php" ascii wide
- $ = "APP/update_ck.php?v1" ascii wide
- $ = "APP/bundle_stat.php?v1" ascii wide
- $ = "APP/stat.php?v1" ascii wide
- $ = "co.kr/mbk.php?v1" ascii wide
- $ = "co.kr/etc/yak_app.htm" ascii wide
-
- $hex1 = { 51 a1 ?? ?? ?? ?? 56 68 80 1f 40 00 50 ff ?? ?? ?? ?? ?? a3 ?? ?? ?? ?? 85 c0 0f ?? ?? ?? ?? ?? 33 d2 68 b8 0b 00 00 8d ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? e8 ?? ?? ?? ?? 83 c4 04 85 c0 74 ?? 68 3f 00 0f 00 6a 00 6a 00 ff ?? ?? ?? ?? ?? 85 c0 74 ?? 8b ?? ?? ?? ?? ?? 68 ff 01 0f 00 51 50 ff ?? ?? ?? ?? ?? 8b f0 85 f6 74 ?? 6a 00 6a 04 e8 ?? ?? ?? ?? 83 c4 08 68 c8 e8 41 00 ff ?? ?? ?? ?? ?? e8 ?? ?? ?? ?? 6a 00 6a 01 e8 ?? ?? ?? ?? 83 c4 08 eb ?? 8b ?? ?? ?? 68 28 6e 42 00 6a 01 56 ff ?? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 5e 74 ?? 6a 00 ff ?? ?? ?? ?? ?? 8b d0 b8 01 00 00 00 e8 ?? ?? ?? ?? 83 c4 04 59 c2 08 00}
-
- condition:
- (2 of them) or (any of ($hex*))
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/g00dv1n/Backdoor.Bladabindi.yar b/yara-mikesxrs/g00dv1n/Backdoor.Bladabindi.yar
deleted file mode 100644
index 4926b5e..0000000
--- a/yara-mikesxrs/g00dv1n/Backdoor.Bladabindi.yar
+++ /dev/null
@@ -1,26 +0,0 @@
-rule BladabindiASample
-{
- meta:
- Description = "Backdoor.Bladabindi.A.vb"
- ThreatLevel = "5"
-
- strings:
- $ = "shutdown -r -t 00" ascii wide
- $ = "netsh firewall add allowedprogram" ascii wide
- $ = "netsh firewall delete allowedprogram" ascii wide
- $ = "cmd.exe /k ping 0 & del" ascii wide
- $ = "ReceiveBufferSize" ascii wide
- $ = "SendBufferSize" ascii wide
- $ = "restartcomputer" ascii wide
- $ = "NoWindowsUpdate" ascii wide
- $ = "winupdateoff" ascii wide
- $ = "DisableTaskMgr" ascii wide
- $ = "set cdaudio door closed" ascii wide
- $ = "set cdaudio door open" ascii wide
- $ = "VMDragDetectWndClass" ascii wide
- $ = "%dark%" ascii wide
- $ = "microwaveone.ddns.net" ascii wide
-
- condition:
- 5 of them
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/g00dv1n/Backdoor.Dedipros.yar b/yara-mikesxrs/g00dv1n/Backdoor.Dedipros.yar
deleted file mode 100644
index 79faeee..0000000
--- a/yara-mikesxrs/g00dv1n/Backdoor.Dedipros.yar
+++ /dev/null
@@ -1,16 +0,0 @@
-rule BackdoorDediprosA
-{
- meta:
- Description = "Backdoor.Dedipros.rc"
- ThreatLevel = "5"
-
- strings:
- $ = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/advapi32.dll" ascii wide
- $ = "rundll32.exe %s, CodeMain lpServiceName" ascii wide
- $ = "C:\\Windows\\System32\\Rundlla.dll" ascii wide
- $ = "s%\\pmeT\\SWODNIW\\:C" ascii wide
- $ = "SYSTEM\\CurrentControlSet\\Services\\%s" ascii wide
- $ = "\\keylog.dat" ascii wide
- condition:
- 2 of them
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/g00dv1n/Backdoor.Fynloski.yar b/yara-mikesxrs/g00dv1n/Backdoor.Fynloski.yar
deleted file mode 100644
index f3afd67..0000000
--- a/yara-mikesxrs/g00dv1n/Backdoor.Fynloski.yar
+++ /dev/null
@@ -1,33 +0,0 @@
-rule BackdoorWin32FynloskiASample
-{
- meta:
- Description = "Backdoor.Fynloski.sm"
- ThreatLevel = "5"
-
- strings:
- $ = "#BOT#VisitUrl" ascii wide
- $ = "#BOT#OpenUrl" ascii wide
- $ = "#BOT#Ping" ascii wide
- $ = "BTRESULTPing|Res" ascii wide
- $ = "#BOT#RunPrompt" ascii wide
- $ = "BTRESULTClose" ascii wide
- $ = "#BOT#SvrUninstal" ascii wide
- $ = "#BOT#URLUpdate" ascii wide
- $ = "BTERRORUpdate" ascii wide
- $ = "BTRESULTUpdate" ascii wide
- $ = "#BOT#URLDownload" ascii wide
- $ = "BTRESULTOpen" ascii wide
- $ = "BTERRORDownload" ascii wide
- $ = "BTRESULTDownload" ascii wide
- $ = "BTRESULTMass" ascii wide
- $ = "BTRESULTHTTP" ascii wide
- $ = "BTERRORVisit" ascii wide
- $ = "BTRESULTSyn" ascii wide
- $ = "BTRESULTUDP" ascii wide
- $ = "Flood|UDP Flood task finished" ascii wide
- $ = "Flood|Syn task finished" ascii wide
- $ = "Flood|Http Flood task finished" ascii wide
-
- condition:
- 3 of them
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/g00dv1n/Backdoor.Gen.yar b/yara-mikesxrs/g00dv1n/Backdoor.Gen.yar
deleted file mode 100644
index 3a86202..0000000
--- a/yara-mikesxrs/g00dv1n/Backdoor.Gen.yar
+++ /dev/null
@@ -1,16 +0,0 @@
-rule BackdoorGenASample
-{
- meta:
- Description = "Backdoor.Gen.A.vb"
- ThreatLevel = "5"
-
- strings:
- $ = "Form1" ascii wide
- $ = "Flamand" ascii wide
- $ = "Afildoe.Belver" ascii wide
- $ = "FromBase64String" ascii wide
- $ = "TeAdor.Properties.Resources" ascii wide
-
- condition:
- 3 of them
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/g00dv1n/Backdoor.Liudoor.yar b/yara-mikesxrs/g00dv1n/Backdoor.Liudoor.yar
deleted file mode 100644
index 900503e..0000000
--- a/yara-mikesxrs/g00dv1n/Backdoor.Liudoor.yar
+++ /dev/null
@@ -1,27 +0,0 @@
-rule BackdoorLiudoor
-{
-meta:
- author = "RSA FirstWatch"
- date = "2015-07-23"
- Description = "Backdoor.Liudoor.sm"
- ThreatLevel = "5"
- hash0 = "78b56bc3edbee3a425c96738760ee406"
- hash1 = "5aa0510f6f1b0e48f0303b9a4bfc641e"
- hash2 = "531d30c8ee27d62e6fbe855299d0e7de"
- hash3 = "2be2ac65fd97ccc97027184f0310f2f3"
- hash4 = "6093505c7f7ec25b1934d3657649ef07"
- type = "Win32 DLL"
-
-strings:
- $string0 = "Succ" ascii wide
- $string1 = "Fail" ascii wide
- $string2 = "pass" ascii wide
- $string3 = "exit" ascii wide
- $string4 = "svchostdllserver.dll" ascii wide
- $string5 = "L$,PQR" ascii wide
- $string6 = "0/0B0H0Q0W0k0" ascii wide
- $string7 = "QSUVWh" ascii wide
- $string8 = "Ht Hu[" ascii wide
-condition:
- all of them
-}
diff --git a/yara-mikesxrs/g00dv1n/Backdoor.Mirage.yar b/yara-mikesxrs/g00dv1n/Backdoor.Mirage.yar
deleted file mode 100644
index 8ca5b38..0000000
--- a/yara-mikesxrs/g00dv1n/Backdoor.Mirage.yar
+++ /dev/null
@@ -1,14 +0,0 @@
-rule MirageAPTBackdoorSample
-{
- meta:
- Description = "Backdoor.Mirage.sm"
- ThreatLevel = "5"
-
- strings:
- $a1 = "welcome to the desert of the real" ascii wide
- $a2 = "Mirage" ascii wide
- $b = "Encoding: gzip" ascii wide
- $c = /\/[A-Za-z]*\?hl=en/
- condition:
- (($a1 or $a2) or $b) and $c
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/g00dv1n/Backdoor.Vawtrak.yar b/yara-mikesxrs/g00dv1n/Backdoor.Vawtrak.yar
deleted file mode 100644
index 2e1d506..0000000
--- a/yara-mikesxrs/g00dv1n/Backdoor.Vawtrak.yar
+++ /dev/null
@@ -1,49 +0,0 @@
-rule TrojanWin32Vawtrak_BackDoor
-{
- meta:
- Description = "Backdoor.Win32.sm"
- ThreatLevel = "5"
-
- strings:
- $ = "[VNC] New Client" ascii wide
- $ = "[VNC] Fail init BC" ascii wide
- $ = "[VNC] Fail addr proto BC" ascii wide
- $ = "[VNC] Fail connect BC" ascii wide
- $ = "[VNC] Fail init work:" ascii wide
- $ = "[VNC] Start Sever" ascii wide
- $ = "[VNC] Parse param error:" ascii wide
- $ = "[VNC] Fail create process:" ascii wide
- $ = "[VNC] Fail inject to process:" ascii wide
- $ = "[Socks] New Client" ascii wide
- $ = "[Socks] Failt Init BC" ascii wide
- $ = "[Socks] Fail add proto BC" ascii wide
- $ = "[Socks] Failt connect BC" ascii wide
- $ = "[Socks] Fail parse param:" ascii wide
- $ = "[Pony] Fail Get Pass" ascii wide
- $ = "DL_EXEC Status [Pipe]" ascii wide
- $ = "DL_EXEC Status[Local]" ascii wide
- $ = "Start Socks addr:" ascii wide
- $ = "Start Socks Status[Pipe]" ascii wide
- $ = "Start Socks Status[Local]" ascii wide
- $ = "Start VNC addr: %s" ascii wide
- $ = "Start VNC Status[Pipe]: %u-%u-%u" ascii wide
- $ = "Start VNC Status[Local]: %u" ascii wide
- $ = "PID: %u [%0.2u:%0.2u:%0.2u]" ascii wide
- $ = "[BC] Cmd Ver Error" ascii wide
- $ = "[BC] Wait Ping error %u[%u]" ascii wide
- $ = "[BC] Fail Connect" ascii wide
- $ = "[BC] Fail send auth" ascii wide
- $ = "[BC] Fail read cmd" ascii wide
- $ = "[BC] cmd error: %u" ascii wide
- $ = "[BC] Cmd need disconnect" ascii wide
- $ = "SELECT hostname, encryptedUsername, encryptedPassword FROM moz_logins" ascii wide
-
- $str_0 = "T:\\Develop\\EQ2\\bin\\tmp" ascii wide
- $str_1 = "T:\\Develop\\EQ2\\bin\\tmp\\client_32.pdb" ascii wide
- $str_2 = "T:\\Develop\\EQ2\\bin\\tmp\\client_64.pdb" ascii wide
- $str_3 = "client_64.dll" ascii wide
- $str_4 = "client_32.dll" ascii wide
-
- condition:
- (5 of them) or (any of ($str_*))
-}
diff --git a/yara-mikesxrs/g00dv1n/Backdoor.Zegost.yar b/yara-mikesxrs/g00dv1n/Backdoor.Zegost.yar
deleted file mode 100644
index 57bc658..0000000
--- a/yara-mikesxrs/g00dv1n/Backdoor.Zegost.yar
+++ /dev/null
@@ -1,17 +0,0 @@
-rule BackdoorZegostSampleA
-{
- meta:
- Description = "Backdoor.Zegost.rc"
- ThreatLevel = "5"
-
- strings:
- $a = "VIPBlackDDOS" ascii wide
- $b = "SynFlood" ascii wide
- $c = "ICMPFlood" ascii wide
- $d = "UDPFlood" ascii wide
- $e = "DNSFlood" ascii wide
- $f = "Game2Flood" ascii wide
- $g = "HTTPGetFlood" ascii wide
- condition:
- 2 of them
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/g00dv1n/Malware.BitCoinMiner.yar b/yara-mikesxrs/g00dv1n/Malware.BitCoinMiner.yar
deleted file mode 100644
index 0d9c671..0000000
--- a/yara-mikesxrs/g00dv1n/Malware.BitCoinMiner.yar
+++ /dev/null
@@ -1,16 +0,0 @@
-rule MalwareBitCoinMinerSample_A
-{
- meta:
- Description = "Malware.BitCoinMiner.sm"
- ThreatLevel = "5"
-
- strings:
- $ = "Min3Win.exe" ascii wide
- $ = "bitcoin-miner.exe" ascii wide
- $ = "WINSXS32" ascii wide
- $ = "http://xhuehs.cantvenlinea.ru:1942" ascii wide
- $ = "bigbob0000001@gmail.com" ascii wide
-
- condition:
- 3 of them
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/g00dv1n/Malware.Downloader.yar b/yara-mikesxrs/g00dv1n/Malware.Downloader.yar
deleted file mode 100644
index c7bd630..0000000
--- a/yara-mikesxrs/g00dv1n/Malware.Downloader.yar
+++ /dev/null
@@ -1,13 +0,0 @@
-rule TinyLoaderSample
-{
- meta:
- Description = "Malware.TinyLoader.vb"
- ThreatLevel = "5"
-
- strings:
-
- $ = "B1 Tiny Loader/1.0" ascii wide
-
- condition:
- all of them
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/g00dv1n/Malware.PWS.yar b/yara-mikesxrs/g00dv1n/Malware.PWS.yar
deleted file mode 100644
index 616b054..0000000
--- a/yara-mikesxrs/g00dv1n/Malware.PWS.yar
+++ /dev/null
@@ -1,15 +0,0 @@
-rule PWSPasswordsToDBApp
-{
- meta:
- Description = "PWS.PassDB.sm"
- ThreatLevel = "5"
-
- strings:
-
- $pdb0 = "PasswordsToDB.pdb" ascii wide
- $ipa0 = "82.146.47.116" ascii wide
- $ipa1 = "82.146.54.187" ascii wide
-
- condition:
- any of them
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/g00dv1n/PUP.SystemOptimizer.yar b/yara-mikesxrs/g00dv1n/PUP.SystemOptimizer.yar
deleted file mode 100644
index 8c78963..0000000
--- a/yara-mikesxrs/g00dv1n/PUP.SystemOptimizer.yar
+++ /dev/null
@@ -1,14 +0,0 @@
-rule PUPSystemOptimizerASample
-{
- meta:
- Description = "PUP.SystemOptimizer.vb"
- ThreatLevel = "5"
-
- strings:
-
- $ = "http://bitest.softservers.net" ascii wide
- $ = "http://bi.softservers.net" ascii wide
-
- condition:
- any of them
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/g00dv1n/PUP.Systweak.yar b/yara-mikesxrs/g00dv1n/PUP.Systweak.yar
deleted file mode 100644
index d04ff3f..0000000
--- a/yara-mikesxrs/g00dv1n/PUP.Systweak.yar
+++ /dev/null
@@ -1,14 +0,0 @@
-rule PUPSystweakSample
-{
- meta:
- Description = "PUP.Systweak.vb"
- ThreatLevel = "5"
-
- strings:
-
- $ = "Systweak Software0" ascii wide
- $ = "pc-updater.com/miscservice/miscservice.asmx" ascii wide
-
- condition:
- any of them
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/g00dv1n/Ransom.Crypters.yar b/yara-mikesxrs/g00dv1n/Ransom.Crypters.yar
deleted file mode 100644
index 4c8a321..0000000
--- a/yara-mikesxrs/g00dv1n/Ransom.Crypters.yar
+++ /dev/null
@@ -1,230 +0,0 @@
-rule RansomCryptoApp_A
-{
- meta:
- Description = "Ransom.CryptoApp.sm"
- ThreatLevel = "5"
-
- strings:
-
- $pdb0 = "CryptoApp.pdb" ascii wide
- $pdb1 = "KeepAlive.pdb" ascii wide
- $pdb2 = "SelfDestroy.pdb" ascii wide
- $pdb3 = "CoreDownloader.pdb" ascii wide
-
- condition:
- (3 of them) or (any of ($pdb*))
-}
-
-rule RansomCryptoWallApp_3
-{
- meta:
- Description = "Ransom.CryptoWall.sm"
- ThreatLevel = "5"
-
- strings:
-
- $s0 = "spatopayforwin.com" ascii wide
- $s1 = "bythepaywayall.com" ascii wide
- $s2 = "lowallmoneypool.com" ascii wide
- $s3 = "transoptionpay.com" ascii wide
- $s4 = "HELP_DECRYPT" ascii wide nocase
-
- $s5 = "speralreaopio.com" ascii wide
- $s6 = "vremlreafpa.com" ascii wide
- $s7 = "wolfwallsreaetpay.com" ascii wide
- $s8 = "askhoreasption.com" ascii wide
-
- condition:
- any of ($s*)
-}
-
-rule RansomCBTLockerApp
-{
- meta:
- Description = "Ransom.CBTLocker.sm"
- ThreatLevel = "5"
-
- strings:
-
- $s0 = "Your personal files are encrypted by CTB-Locker" ascii wide
- $s1 = "Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key,generated for this computer" ascii wide
- $s2 = "Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key." ascii wide
- $s3 = "If you see the main locker window, follow the instructions on the locker. 
Overwise, it's seems that you or your antivirus deleted the locker program" ascii wide
-
- $s6 = "keme132.DLL" ascii wide
- $s7 = "klospad.pdb" ascii wide
-
- condition:
- (any of ($s*)) or (3 of them)
-}
-
-rule RansomEncryptorRaaSApp
-{
- meta:
- Description = "Ransom.EncryptorRaaS.sm"
- ThreatLevel = "5"
-
- strings:
-
- $s0 = "decryptoraveidf7.onion.to" ascii wide
- $s1 = "encryptor_raas_readme_liesmich.txt" ascii wide
- $s2 = "The files on your computer have been securely encrypted by Encryptor RaaS" ascii wide
- $s3 = "Die Dateien auf Ihrem Computer wurden von Encryptor RaaS sicher verschluesselt" ascii wide
- $s4 = "encryptor3awk6px.onion" ascii wide
-
- condition:
- any of ($s*)
-}
-
-rule RansomSampleTeslaCryptA
-{
- meta:
- Description = "Ransom.TeslaCrypt.sm"
- ThreatLevel = "5"
-
- strings:
- $ = "HOWTO_RESTORE_FILES.TXT" ascii wide nocase
- $ = "HOWTO_RESTORE_FILES.bmp" ascii wide nocase
- $ = "HOWTO_RESTORE_FILES.HTML" ascii wide nocase
- condition:
- any of them
-}
-
-rule RansomSampleTeslaCryptB
-{
- meta:
- Description = "Ransom.TeslaCrypt.B.sm"
- ThreatLevel = "5"
-
- strings:
- $ = "help_recover_instructions" ascii wide nocase
- $ = "help_recover_instructions.TXT" ascii wide nocase
- $ = "help_recover_instructions.png" ascii wide nocase
- condition:
- any of them
-}
-
-rule RansomSampleChimeraB
-{
- meta:
- Description = "Ransom.Win32.Chimera.sm"
- ThreatLevel = "5"
-
- strings:
- $ = "YOUR_FILES_ARE_ENCRYPTED.HTML" ascii wide nocase
- $ = "Projects\\Ransom\\bin\\Release\\Core.pdb" ascii wide nocase
- $ = "BM-2cW44Yq9DWbHYnRSfzBLVxvE6WjadchNBt" ascii wide nocase
- condition:
- any of them
-}
-
-rule RansomSampleLeChiffre
-{
- meta:
- Description = "Ransom.Win32.LeChiffre.sm"
- ThreatLevel = "5"
-
- strings:
- $ = "LeChiffre" ascii wide nocase
- $ = "decrypt.my.files@gmail.com" ascii wide nocase
- $ = "http://184.107.251.146/sipvoice.php?" 
ascii wide nocase
- $ = "_secret_code.txt" ascii wide nocase
- $ = "_How to decrypt LeChiffre files.html" ascii wide nocase
- condition:
- 2 of them
-}
-
-rule RansomSampleHydraCrypt
-{
- meta:
- Description = "Ransom.Win32.HydraCrypt.sm"
- ThreatLevel = "5"
-
- strings:
- $ = "README_DECRYPT_HYDRA_ID_" ascii wide nocase
- $ = "hydracrypt_ID_" ascii wide nocase
- $ = "HYDRACRYPT" ascii wide nocase
- $ = "ccc=hydra01_" ascii wide nocase
- condition:
- 2 of them
-}
-
-rule RansomFilecoderA
-{
- meta:
- Description = "Ransom.FileCoder.A.vb"
- ThreatLevel = "5"
-
- strings:
- $ = "Guji36" ascii wide
- $ = "Burnamedoxi" ascii wide
- $ = "S48H1G54JSPSODKMGdfH1FD5G8DSDPSDKMFSSJJPGMCNDHS2FH5" ascii wide
- condition:
- any of them
-}
-
-rule RansomSampleLockyCrypt
-{
- meta:
- Description = "Ransom.Win32.Locky.sm"
- ThreatLevel = "5"
-
- strings:
- $s1 = ".locky" ascii wide nocase
- $ = "&encrypted=" ascii wide nocase
- $s2 = "_Locky_recover_instructions.txt" ascii wide nocase
- $s3 = "_Locky_recover_instructions.bmp" ascii wide nocase
- $ = "94.242.57.45" ascii wide nocase
- $ = "46.4.239.76" ascii wide nocase
- $s6 = "Software\\Locky" ascii wide nocase
- $ = "vssadmin.exe Delete Shadows" ascii wide nocase
- $ = "Locky" ascii wide nocase
-
- $o1 = { 45 b8 99 f7 f9 0f af 45 b8 89 45 b8 } // address=0x4144a7
- $o2 = { 2b 0a 0f af 4d f8 89 4d f8 c7 45 } // address=0x413863
-
- condition:
- (3 of them) or (any of ($s*)) or (all of ($o*))
-}
-
-rule RansomLocky
-{
- meta:
- Description = "Ransom.Locky.ab"
- ThreatLevel = "5"
- strings:
- $mz = { 4d 5a }
-
- $inst1 = "_HELP_instructions.bmp" ascii wide
- $inst2 = "_HELP_instructions.html" ascii wide
- $inst3 = "_HELP_instructions.txt" ascii wide
- $inst4 = "_Locky_recover_instructions.bmp" ascii wide
- $inst5 = "_Locky_recover_instructions.txt" ascii wide
- $deleteShadows = "vssadmin.exe" ascii wide // universal Ransom detect :)
-
- $cyrptEP1 = {e8 95 23 ff ff 86 c8 86 ea e9 8d 23 ff ff 86 f4 e9 84 23 ff ff 86 c5} // EP paked 
locy
- $cyrptEP2 = {55 8b ec eb 68 eb 66 eb 64 6a 00 6a 00 6a 00 6a 00 6a 00} // EP packed locy 2
-
- condition:
- ( $mz at 0 ) and
- (
- $cyrptEP1 at entrypoint or
- $cyrptEP2 at entrypoint or
- (any of ($inst*)) or
- $deleteShadows
- )
-}
-
-rule RansomImportDetect
-{
- meta:
- Description = "Ransom.Gen.ab"
- ThreatLevel = "3"
- condition:
- (pe.imports("Kernel32.dll", "FindFirstFileW") or pe.imports("Kernel32.dll", "FindFirstFileA")) and
- (pe.imports("Kernel32.dll", "FindNextFileW") or pe.imports("Kernel32.dll", "FindNextFileA")) and
- (pe.imports("Advapi32.dll", "CryptAcquireContextW") or pe.imports("Advapi32.dll", "CryptAcquireContextA")) and
- pe.imports("Advapi32.dll", "CryptEncrypt") and
- pe.imports("Advapi32.dll", "CryptGenRandom")
-}
-
diff --git a/yara-mikesxrs/g00dv1n/Risk.DetectAnalysis.yar b/yara-mikesxrs/g00dv1n/Risk.DetectAnalysis.yar
deleted file mode 100644
index d81fd1c..0000000
--- a/yara-mikesxrs/g00dv1n/Risk.DetectAnalysis.yar
+++ /dev/null
@@ -1,343 +0,0 @@
-rule VMdetectMisc
-{
- meta:
- Description = "Risk.VMDtc.sm"
- ThreatLevel = "3"
-
- strings:
- $vbox1 = "VBoxService" nocase ascii wide
- $vbox2 = "VBoxTray" nocase ascii wide
- $vbox3 = "SOFTWARE\\Oracle\\VirtualBox Guest Additions" nocase ascii wide
- $vbox4 = "SOFTWARE\\\\Oracle\\\\VirtualBox Guest Additions" nocase ascii wide
-
- $wine1 = "wine_get_unix_file_name" ascii wide
-
- $vmware1 = "vmmouse.sys" ascii wide
- $vmware2 = "VMware Virtual IDE Hard Drive" ascii wide
-
- $miscvm1 = "SYSTEM\\ControlSet001\\Services\\Disk\\Enum" nocase ascii wide
- $miscvm2 = "SYSTEM\\\\ControlSet001\\\\Services\\\\Disk\\\\Enum" nocase ascii wide
-
- $vmdrv1 = "hgfs.sys" ascii wide
- $vmdrv2 = "vmhgfs.sys" ascii wide
- $vmdrv3 = "prleth.sys" ascii wide
- $vmdrv4 = "prlfs.sys" ascii wide
- $vmdrv5 = "prlmouse.sys" ascii wide
- $vmdrv6 = "prlvideo.sys" ascii wide
- $vmdrv7 = "prl_pv32.sys" ascii wide
- $vmdrv8 = "vpc-s3.sys" ascii wide
- $vmdrv9 = "vmsrvc.sys" ascii wide
- $vmdrv10 = "vmx86.sys" ascii wide
- $vmdrv11 = "vmnet.sys" ascii wide
-
- $vmsrvc1 = "vmicheartbeat" ascii wide
- $vmsrvc2 = "vmicvss" ascii wide
- $vmsrvc3 = "vmicshutdown" ascii wide
- $vmsrvc4 = "vmicexchange" ascii wide
- $vmsrvc5 = "vmci" ascii wide
- $vmsrvc6 = "vmdebug" ascii wide
- $vmsrvc7 = "vmmouse" ascii wide
- $vmsrvc8 = "VMTools" ascii wide
- $vmsrvc9 = "VMMEMCTL" ascii wide
- $vmsrvc10 = "vmware" ascii wide
- $vmsrvc11 = "vmx86" ascii wide
- $vmsrvc12 = "vpcbus" ascii wide
- $vmsrvc13 = "vpc-s3" ascii wide
- $vmsrvc14 = "vpcuhub" ascii wide
- $vmsrvc15 = "msvmmouf" ascii wide
- $vmsrvc16 = "VBoxMouse" ascii wide
- $vmsrvc17 = "VBoxGuest" ascii wide
- $vmsrvc18 = "VBoxSF" ascii wide
- $vmsrvc19 = "xenevtchn" ascii wide
- $vmsrvc20 = "xennet" ascii wide
- $vmsrvc21 = "xennet6" ascii wide
- $vmsrvc22 = "xensvc" ascii wide
- $vmsrvc23 = "xenvdb" ascii wide
-
- $miscproc1 = "vmware2" ascii wide
- $miscproc2 = "vmount2" ascii wide
- $miscproc3 = "vmusrvc" ascii wide
- $miscproc4 = 
"vmsrvc" ascii wide
- $miscproc5 = "vboxservice" ascii wide
- $miscproc6 = "vboxtray" ascii wide
- $miscproc7 = "xenservice" ascii wide
-
- $vmware_mac_1a = "00-05-69"
- $vmware_mac_1b = "00:05:69"
- $vmware_mac_2a = "00-50-56"
- $vmware_mac_2b = "00:50:56"
- $vmware_mac_3a = "00-0C-29"
- $vmware_mac_3b = "00:0C:29"
- $vmware_mac_4a = "00-1C-14"
- $vmware_mac_4b = "00:1C:14"
- $virtualbox_mac_1a = "08-00-27"
- $virtualbox_mac_1b = "08:00:27"
-
- condition:
- 2 of them
-}
-
-rule SandboxDetectMisc
-{
- meta:
- Description = "Risk.SBDtc.sm"
- ThreatLevel = "3"
-
- strings:
- $sbxie1 = "sbiedll" nocase ascii wide
-
- $prodid1 = "55274-640-2673064-23950" ascii wide
- $prodid2 = "76487-644-3177037-23510" ascii wide
- $prodid3 = "76487-337-8429955-22614" ascii wide
-
- $proc1 = "joeboxserver" ascii wide
- $proc2 = "joeboxcontrol" ascii wide
- condition:
- any of them
-}
-
-rule avdetect_procs
-{
- meta:
- Description = "Risk.AVDtc.sm"
- ThreatLevel = "3"
-
- strings:
- $proc2 = "LMon.exe" ascii wide
- $proc3 = "sagui.exe" ascii wide
- $proc4 = "RDTask.exe" ascii wide
- $proc5 = "kpf4gui.exe" ascii wide
- $proc6 = "ALsvc.exe" ascii wide
- $proc7 = "pxagent.exe" ascii wide
- $proc8 = "fsma32.exe" ascii wide
- $proc9 = "licwiz.exe" ascii wide
- $proc10 = "SavService.exe" ascii wide
- $proc11 = "prevxcsi.exe" ascii wide
- $proc12 = "alertwall.exe" ascii wide
- $proc13 = "livehelp.exe" ascii wide
- $proc14 = "SAVAdminService.exe" ascii wide
- $proc15 = "csi-eui.exe" ascii wide
- $proc16 = "mpf.exe" ascii wide
- $proc17 = "lookout.exe" ascii wide
- $proc18 = "savprogress.exe" ascii wide
- $proc19 = "lpfw.exe" ascii wide
- $proc20 = "mpfcm.exe" ascii wide
- $proc21 = "emlproui.exe" ascii wide
- $proc22 = "savmain.exe" ascii wide
- $proc23 = "outpost.exe" ascii wide
- $proc24 = "fameh32.exe" ascii wide
- $proc25 = "emlproxy.exe" ascii wide
- $proc26 = "savcleanup.exe" ascii wide
- $proc27 = "filemon.exe" ascii wide
- $proc28 = "AntiHook.exe" ascii wide
- $proc29 = 
"endtaskpro.exe" ascii wide
- $proc30 = "savcli.exe" ascii wide
- $proc31 = "procmon.exe" ascii wide
- $proc32 = "xfilter.exe" ascii wide
- $proc33 = "netguardlite.exe" ascii wide
- $proc34 = "backgroundscanclient.exe" ascii wide
- $proc35 = "Sniffer.exe" ascii wide
- $proc36 = "scfservice.exe" ascii wide
- $proc37 = "oasclnt.exe" ascii wide
- $proc38 = "sdcservice.exe" ascii wide
- $proc39 = "acs.exe" ascii wide
- $proc40 = "scfmanager.exe" ascii wide
- $proc41 = "omnitray.exe" ascii wide
- $proc42 = "sdcdevconx.exe" ascii wide
- $proc43 = "aupdrun.exe" ascii wide
- $proc44 = "spywaretermin" ascii wide
- $proc45 = "atorshield.exe" ascii wide
- $proc46 = "onlinent.exe" ascii wide
- $proc47 = "sdcdevconIA.exe" ascii wide
- $proc48 = "sppfw.exe" ascii wide
- $proc49 = "spywat~1.exe" ascii wide
- $proc50 = "opf.exe" ascii wide
- $proc51 = "sdcdevcon.exe" ascii wide
- $proc52 = "spfirewallsvc.exe" ascii wide
- $proc53 = "ssupdate.exe" ascii wide
- $proc54 = "pctavsvc.exe" ascii wide
- $proc55 = "configuresav.exe" ascii wide
- $proc56 = "fwsrv.exe" ascii wide
- $proc57 = "terminet.exe" ascii wide
- $proc58 = "pctav.exe" ascii wide
- $proc59 = "alupdate.exe" ascii wide
- $proc60 = "opfsvc.exe" ascii wide
- $proc61 = "tscutynt.exe" ascii wide
- $proc62 = "pcviper.exe" ascii wide
- $proc63 = "InstLsp.exe" ascii wide
- $proc64 = "uwcdsvr.exe" ascii wide
- $proc65 = "umxtray.exe" ascii wide
- $proc66 = "persfw.exe" ascii wide
- $proc67 = "CMain.exe" ascii wide
- $proc68 = "dfw.exe" ascii wide
- $proc69 = "updclient.exe" ascii wide
- $proc70 = "pgaccount.exe" ascii wide
- $proc71 = "CavAUD.exe" ascii wide
- $proc72 = "ipatrol.exe" ascii wide
- $proc73 = "webwall.exe" ascii wide
- $proc74 = "privatefirewall3.exe" ascii wide
- $proc75 = "CavEmSrv.exe" ascii wide
- $proc76 = "pcipprev.exe" ascii wide
- $proc77 = "winroute.exe" ascii wide
- $proc78 = "protect.exe" ascii wide
- $proc79 = "Cavmr.exe" ascii wide
- $proc80 = "prifw.exe" ascii wide
- $proc81 = "apvxdwin.exe" ascii 
wide
- $proc82 = "rtt_crc_service.exe" ascii wide
- $proc83 = "Cavvl.exe" ascii wide
- $proc84 = "tzpfw.exe" ascii wide
- $proc85 = "as3pf.exe" ascii wide
- $proc86 = "schedulerdaemon.exe" ascii wide
- $proc87 = "CavApp.exe" ascii wide
- $proc88 = "privatefirewall3.exe" ascii wide
- $proc89 = "avas.exe" ascii wide
- $proc90 = "sdtrayapp.exe" ascii wide
- $proc91 = "CavCons.exe" ascii wide
- $proc92 = "pfft.exe" ascii wide
- $proc93 = "avcom.exe" ascii wide
- $proc94 = "siteadv.exe" ascii wide
- $proc95 = "CavMud.exe" ascii wide
- $proc96 = "armorwall.exe" ascii wide
- $proc97 = "avkproxy.exe" ascii wide
- $proc98 = "sndsrvc.exe" ascii wide
- $proc99 = "CavUMAS.exe" ascii wide
- $proc100 = "app_firewall.exe" ascii wide
- $proc101 = "avkservice.exe" ascii wide
- $proc102 = "snsmcon.exe" ascii wide
- $proc103 = "UUpd.exe" ascii wide
- $proc104 = "blackd.exe" ascii wide
- $proc105 = "avktray.exe" ascii wide
- $proc106 = "snsupd.exe" ascii wide
- $proc107 = "cavasm.exe" ascii wide
- $proc108 = "blackice.exe" ascii wide
- $proc109 = "avkwctrl.exe" ascii wide
- $proc110 = "procguard.exe" ascii wide
- $proc111 = "CavSub.exe" ascii wide
- $proc112 = "umxagent.exe" ascii wide
- $proc113 = "avmgma.exe" ascii wide
- $proc114 = "DCSUserProt.exe" ascii wide
- $proc115 = "CavUserUpd.exe" ascii wide
- $proc116 = "kpf4ss.exe" ascii wide
- $proc117 = "avtask.exe" ascii wide
- $proc118 = "avkwctl.exe" ascii wide
- $proc119 = "CavQ.exe" ascii wide
- $proc120 = "tppfdmn.exe" ascii wide
- $proc121 = "aws.exe" ascii wide
- $proc122 = "firewall.exe" ascii wide
- $proc123 = "Cavoar.exe" ascii wide
- $proc124 = "blinksvc.exe" ascii wide
- $proc125 = "bgctl.exe" ascii wide
- $proc126 = "THGuard.exe" ascii wide
- $proc127 = "CEmRep.exe" ascii wide
- $proc128 = "sp_rsser.exe" ascii wide
- $proc129 = "bgnt.exe" ascii wide
- $proc130 = "spybotsd.exe" ascii wide
- $proc131 = "OnAccessInstaller.exe" ascii wide
- $proc132 = "op_mon.exe" ascii wide
- $proc133 = "bootsafe.exe" ascii wide
- $proc134 = 
"xauth_service.exe" ascii wide
- $proc135 = "SoftAct.exe" ascii wide
- $proc136 = "cmdagent.exe" ascii wide
- $proc137 = "bullguard.exe" ascii wide
- $proc138 = "xfilter.exe" ascii wide
- $proc139 = "CavSn.exe" ascii wide
- $proc140 = "VCATCH.EXE" ascii wide
- $proc141 = "cdas2.exe" ascii wide
- $proc142 = "zlh.exe" ascii wide
- $proc143 = "Packetizer.exe" ascii wide
- $proc144 = "SpyHunter3.exe" ascii wide
- $proc145 = "cmgrdian.exe" ascii wide
- $proc146 = "adoronsfirewall.exe" ascii wide
- $proc147 = "Packetyzer.exe" ascii wide
- $proc148 = "wwasher.exe" ascii wide
- $proc149 = "configmgr.exe" ascii wide
- $proc150 = "scfservice.exe" ascii wide
- $proc151 = "zanda.exe" ascii wide
- $proc152 = "authfw.exe" ascii wide
- $proc153 = "cpd.exe" ascii wide
- $proc154 = "scfmanager.exe" ascii wide
- $proc155 = "zerospywarele.exe" ascii wide
- $proc156 = "dvpapi.exe" ascii wide
- $proc157 = "espwatch.exe" ascii wide
- $proc158 = "dltray.exe" ascii wide
- $proc159 = "zerospywarelite_installer.exe" ascii wide
- $proc160 = "clamd.exe" ascii wide
- $proc161 = "fgui.exe" ascii wide
- $proc162 = "dlservice.exe" ascii wide
- $proc163 = "Wireshark.exe" ascii wide
- $proc164 = "sab_wab.exe" ascii wide
- $proc165 = "filedeleter.exe" ascii wide
- $proc166 = "ashwebsv.exe" ascii wide
- $proc167 = "tshark.exe" ascii wide
- $proc168 = "SUPERAntiSpyware.exe" ascii wide
- $proc169 = "firewall.exe" ascii wide
- $proc170 = "ashdisp.exe" ascii wide
- $proc171 = "rawshark.exe" ascii wide
- $proc172 = "vdtask.exe" ascii wide
- $proc173 = "firewall2004.exe" ascii wide
- $proc174 = "ashmaisv.exe" ascii wide
- $proc175 = "Ethereal.exe" ascii wide
- $proc176 = "asr.exe" ascii wide
- $proc177 = "firewallgui.exe" ascii wide
- $proc178 = "ashserv.exe" ascii wide
- $proc179 = "Tethereal.exe" ascii wide
- $proc180 = "NetguardLite.exe" ascii wide
- $proc181 = "gateway.exe" ascii wide
- $proc182 = "aswupdsv.exe" ascii wide
- $proc183 = "Windump.exe" ascii wide
- $proc184 = "nstzerospywarelite.exe" 
ascii wide
- $proc185 = "hpf_.exe" ascii wide
- $proc186 = "avastui.exe" ascii wide
- $proc187 = "Tcpdump.exe" ascii wide
- $proc188 = "cdinstx.exe" ascii wide
- $proc189 = "iface.exe" ascii wide
- $proc190 = "avastsvc.exe" ascii wide
- $proc191 = "Netcap.exe" ascii wide
- $proc192 = "cdas17.exe" ascii wide
- $proc193 = "invent.exe" ascii wide
- $proc194 = "Netmon.exe" ascii wide
- $proc195 = "fsrt.exe" ascii wide
- $proc196 = "ipcserver.exe" ascii wide
- $proc197 = "CV.exe" ascii wide
- $proc198 = "VSDesktop.exe" ascii wide
- $proc199 = "ipctray.exe" ascii wide
- condition:
- 3 of them
-}
-
-
-rule dbgdetect_procs
-{
- meta:
- Description = "Risk.DbgDtc.sm"
- ThreatLevel = "3"
-
- strings:
- $proc1 = "wireshark" nocase ascii wide
- $proc2 = "filemon" nocase ascii wide
- $proc3 = "procexp" nocase ascii wide
- $proc4 = "procmon" nocase ascii wide
- $proc5 = "regmon" nocase ascii wide
- $proc6 = "idag" nocase ascii wide
- $proc7 = "immunitydebugger" nocase ascii wide
- $proc8 = "ollydbg" nocase ascii wide
- $proc9 = "petools" nocase ascii wide
-
- condition:
- 2 of them
-}
-
-rule dbgdetect_files
-{
- meta:
- Description = "Risk.DbgDtc.sm"
- ThreatLevel = "3"
-
- strings:
- $file1 = "syserdbgmsg" nocase ascii wide
- $file2 = "syserboot" nocase ascii wide
- $file3 = "SICE" nocase ascii wide
- $file4 = "NTICE" nocase ascii wide
- condition:
- 2 of them
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/g00dv1n/Risk.NetFilter.yar b/yara-mikesxrs/g00dv1n/Risk.NetFilter.yar
deleted file mode 100644
index bca385f..0000000
--- a/yara-mikesxrs/g00dv1n/Risk.NetFilter.yar
+++ /dev/null
@@ -1,26 +0,0 @@
-rule RiskNetFilterSampleA
-{
- meta:
- Description = "Risk.NetFilter.A.vb"
- ThreatLevel = "5"
-
- strings:
-
- $ = "\\Registry\\Machine\\SYSTEM\\ControlSet001\\services\\epfwwfp" ascii wide
- $ = "\\Registry\\Machine\\SYSTEM\\ControlSet001\\services\\epfwwfpr" ascii wide
- $ = "\\Registry\\Machine\\SYSTEM\\ControlSet001\\services\\nisdrv" ascii wide
- $ = "\\Registry\\Machine\\SYSTEM\\ControlSet001\\services\\symnets" ascii wide
- $ = "\\Registry\\Machine\\SYSTEM\\ControlSet001\\services\\klwfp" ascii wide
- $ = "\\Registry\\Machine\\SYSTEM\\ControlSet001\\services\\amoncdw8" ascii wide
- $ = "\\Registry\\Machine\\SYSTEM\\ControlSet001\\services\\amoncdw7" ascii wide
- $ = "\\Registry\\Machine\\SYSTEM\\ControlSet001\\services\\bdfwfpf_pc" ascii wide
- $ = "NFSDK Flow Established Callout" ascii wide
- $ = "Flow Established Callout" ascii wide
- $ = "NFSDK Stream Callout" ascii wide
- $ = "Stream Callout" ascii wide
- $ = "\\Device\\CtrlSM" ascii wide
- $ = "\\DosDevices\\CtrlSM" ascii wide
-
- condition:
- all of them
-}
diff --git a/yara-mikesxrs/g00dv1n/Rogue.AVSoft.yar b/yara-mikesxrs/g00dv1n/Rogue.AVSoft.yar
deleted file mode 100644
index 7e2536c..0000000
--- a/yara-mikesxrs/g00dv1n/Rogue.AVSoft.yar
+++ /dev/null
@@ -1,40 +0,0 @@
-rule RogueDownloaderLoaderAVSoftA
-{
- meta:
- Description = "Trojan.Loader.sm"
- ThreatLevel = "5"
-
- strings:
- $ = "/info.php?idd=" ascii wide
- $ = "{95B8F20E-4BC6-4E22-9442-BFB69ED62879}" ascii wide
- //$ = "CheckExeSignatures" ascii wide
- //$ = "RunInvalidSignatures" ascii wide
- $ = "ELEVATECREATEPROCESS" ascii wide
- $ = "srvdev.dll" ascii wide
- //$ = "EntryPoint" ascii wide
-
- condition:
- 3 of them
-}
-
-rule RogueModuleAVSoftA
-{
- meta:
- Description = "Rogue.AVSoft.sm"
- ThreatLevel = "5"
-
- strings:
- $ = "sec-red-alert-s.gif" ascii wide
- $ = "sec-red-alert-b.gif" ascii wide
- $ = "scaning.gif" ascii wide
- $ = "scaning-stopped.gif" ascii wide
- $ = "rezult-table-head-bg.gif" ascii wide
- $ = "banner-get-protection.gif" ascii wide
- $ = "netalrt.htm" ascii wide
- $ = "alrt.htm" ascii wide
-
- $hex1 = { e8 ?? ?? ?? ?? 83 ?? ?? ?? ?? 74 ?? 83 ?? ?? ?? ?? ?? ?? 74 ?? e8 ?? ?? ?? ?? 3b ?? ?? ?? ?? ?? 73 ?? e8 ?? ?? ?? ?? 50 e8 ?? ?? ?? ?? 84 c0 75 ?? e8 ?? ?? ?? ?? 6a 1e 99 59 f7 f9 83 c2 14 69 d2 60 ea 00 00 52 ff d7 e8 ?? ?? ?? ?? 83 f8 01 75 ?? e8 ?? ?? ?? ??}
-
- condition:
- (3 of them) or ( any of ($hex*))
-}
diff --git a/yara-mikesxrs/g00dv1n/Rogue.Braviax.yar b/yara-mikesxrs/g00dv1n/Rogue.Braviax.yar
deleted file mode 100644
index 8f9fb1e..0000000
--- a/yara-mikesxrs/g00dv1n/Rogue.Braviax.yar
+++ /dev/null
@@ -1,39 +0,0 @@
-rule RogueBraviaxSampleA
-{
- meta:
- Description = "Rogue.Braviax.sm"
- ThreatLevel = "5"
-
- strings:
- $ = "background_gradient_red.jpg" ascii wide
- $ = "red_shield_48.png" ascii wide
- $ = "pagerror.gif" ascii wide
- $ = "green_shield.png" ascii wide
- $ = "refresh.gif" ascii wide
- $ = "red_shield.png" ascii wide
- $ = "avp:scan" ascii wide
- $ = "avp:site" ascii wide
- $str1 = "Trojan-BNK.Win32.Keylogger.gen" ascii wide
- $str2 = "Trojan-PSW.Win32.Coced.219" ascii wide
- $str3 = "Email-Worm.Win32.Eyeveg.f" ascii wide
- $str4 = "Virus.BAT.Batalia1.840" ascii wide
- $str5 = "Trojan-SMS.SymbOS.Viver.a" ascii wide
- $str6 = "Trojan-Spy.HTML.Bankfraud.jk" ascii wide
- $str7 = "glohhstt7.com" ascii wide
- //$str8 = "Zorton" ascii wide
- //$str9 = "Rango" ascii wide
- //$str10 = "Sirius" ascii wide
- //$str11 = "A-Secure" ascii wide
- $str12 = "%1 Protection 201" ascii wide
- $str13 = "%1 Antivirus 201" ascii wide
- $str14 = "siriuc2014.com" ascii wide
- $str15 = "siriucs2016.com" ascii wide
- $str16 = "zorton2016.com" ascii wide
- $str17 = "zorton2015.com" ascii wide
- $str18 = "stormo10.com" ascii wide
- $str19 = "fscurat20.com" ascii wide
- $str20 = "fscurat21.com" ascii wide
-
- condition:
- (3 of them) or (any of ($str*))
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/g00dv1n/Rogue.FakePAV.yar b/yara-mikesxrs/g00dv1n/Rogue.FakePAV.yar
deleted file mode 100644
index 1fb3c9c..0000000
--- a/yara-mikesxrs/g00dv1n/Rogue.FakePAV.yar
+++ /dev/null
@@ -1,31 +0,0 @@
-rule RogueFakePAVSample
-{
- meta:
- Description = "Rogue.FakePAV.sm"
- ThreatLevel = "5"
-
- strings:
- $ = "ZALERT" ascii wide
- $ = "ZAPFrm" ascii wide
- $ = "ZAbout" ascii wide
- $ = "ZAutoRunFrame" ascii wide
- $ = "ZCheckBox" ascii wide
- $ = "ZCplAll" ascii wide
- $ = "ZFogWnd" ascii wide
- $ = "ZFrameDEt" ascii wide
- $ = "ZIEWnd" ascii wide
- $ = "ZMainFrame" ascii wide
- $ = "ZMainWnd" ascii wide
- $ = "ZOptionsFrame" ascii wide
- $ = "ZProcessFrame" ascii wide
- $ = "ZProgressBar" ascii wide
- $ = "ZPromo" ascii wide
- $ = "ZReg" ascii wide
- $ = "ZResFR" ascii wide
- $ = "ZServiceFrame" ascii wide
- $ = "ZUpdate" ascii wide
- $ = "ZWarn" ascii wide
-
- condition:
- any of them
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/g00dv1n/Rogue.FakeRean.yar b/yara-mikesxrs/g00dv1n/Rogue.FakeRean.yar
deleted file mode 100644
index 07150f9..0000000
--- a/yara-mikesxrs/g00dv1n/Rogue.FakeRean.yar
+++ /dev/null
@@ -1,128 +0,0 @@
-rule RogueFakeDefenderSample
-{
- meta:
- Description = "Rogue.FakeDef.sm"
- ThreatLevel = "5"
-
- strings:
- $a = "pcdfdata" ascii wide
- $b = "toplevel_pcdef" ascii wide
-
- $ = "%spld%d.exe" ascii wide
- $ = "avsrun.exe" ascii wide
- $ = "avsdel.exe" ascii wide
-
- $ = "vl.bin" ascii wide
- $ = "reginfo.bin" ascii wide
-
- $ = "%s%s.lnk" ascii wide
- $ = "%sRemove %s.lnk" ascii wide
- $ = "Uninstaller application" ascii wide
- $ = "%s%s Help and Support.lnk" ascii wide
-
- $ = "pavsdata" ascii wide
- $ = "avsmainwnd" ascii wide
- $ = "avsdsvc" ascii wide
- $ = "ovcf" ascii wide
-
- $ = "Global\\avsinst" ascii wide
- $ = "Global\\avscfglock" ascii wide
- $ = "\\loc\\reg\\conn\\activate" ascii wide
- $ = "\\forms\\alerts\\vulner" ascii wide
- $ = "\\forms\\alerts\\hack" ascii wide
-
- $ = "Software\\Classes\\.exe" ascii wide
-
- $ = "%s was infected with %s and has been successfully repaired" ascii wide
- $ = "Attack %s from remote host %d.%d.%d.%d has been successfully blocked" ascii wide
-
- $ = "http://%s/api/ping?stage=1&uid=%S&id=%d&subid=%d&os=%d&avf=%d" ascii wide
- $ = "http://%s/api/ping?stage=2&uid=%S&success=%d" ascii wide
- $ = "http://%s/api/ping?stage=3&uid=%S" ascii wide
- $ = "http://%s/content/scc" ascii wide
- $ = "http://%s/postload2/?uid=%S" ascii wide
- $ = "http://%S/api/test" ascii wide
- $ = "http://%s/load/?uid=%S" ascii wide
- $ = "http://%s/html/viruslist/?uid=%S" ascii wide
- $ = "https://%s/billing/key/?uid=%S" ascii wide
- $ = "https://%s/html/billing/?uid=%S" ascii wide
-
- condition:
- 3 of them
-}
-
-rule RogueFakeReanInternetSecuritySample
-{
- meta:
- Description = "Rogue.FakeRean.sm"
- ThreatLevel = "5"
-
- strings:
- $ = "VB82ea936a-6aa61dbf" ascii wide
- $ = "VBOX HARDDISK" ascii wide
- $ = "avbase.dat" ascii wide
- $ = "Software\\Microsoft\\Windows\\CurrentVersion\\Run" ascii wide
- $ = "ORDER #:" ascii wide
- $ = "Thank you, the program is now registered!"
ascii wide
- $ = "To continue please restart the program. Press OK to close the program." ascii wide
- $ = "Wrong activation code! Please check and retry" ascii wide
- $ = "license. As soon as you complete the activation you will" ascii wide
- $ = "This option is available only in the activated version of " ascii wide
- $ = "You must activate the program by entering registration information " ascii wide
- $ = "has detected that a new Threat Database is available." ascii wide
- $ = "items are critical privacy compromising content"
- $ = "items is medium privacy threats" ascii wide
- $ = "items are junk content of low privacy threats" ascii wide
- $ = "has detected a leak of your files though the Internet. " ascii wide
- $ = "We strongly recommend that you block the attack immediately" ascii wide
- $ = "All threats has been succesfully removed." ascii wide
- $ = "Attention! We strongly recommend that you activate " ascii wide
- $ = "for the safety and faster running of your PC." ascii wide
- $ = "No new update available" ascii wide
- $ = "Could not connect to server!" ascii wide
- $ = "New updates are installed successfully!" ascii wide
- $ = "Security Warning!" ascii wide
- $ = "Malicious program has been detected." ascii wide
- $ = "Click here to protect your computer." ascii wide
- $ = "is infected by W32/Blaster.worm" ascii wide
- $ = "$$$$$$$$.bat" ascii wide
- $ = "Completed!" ascii wide
- $ = "Antivirus software uninstalled successfully" ascii wide
- $ = "Antivirus uninstall is not success. Please try again..."
ascii wide
- $ = "-uninstall" ascii wide
- $ = "_MUTEX" ascii wide
- $ = "/min" ascii wide
-
- condition:
- 7 of them
-}
-
-rule RogueUnknownFakeAV
-{
- meta:
- Description = "Rogue.FakeRean.rc"
- ThreatLevel = "5"
-
- strings:
- $a = "S:\\appointed\\commanding\\general\\Moravia\\Image[01].exe" ascii wide
- $b = "Dresden blockade" ascii wide
- $c = "37592837532" ascii wide
- $d = "39874598234" ascii wide
- $e = "465234750238947532649587203948523-4572304750329458-23459723450-23457" ascii wide
-
- condition:
- ($a and $b) or ($c and $d) or $e
-}
-
-rule RoguePCDefender
-{
- meta:
- Description = "Rogue.FakeDef.rc"
- ThreatLevel = "5"
-
- strings:
- $hex0 = { 8A 4A 01 56 57 33 FF 47 8B C7 8D 72 03 85 C0 74 28 80 C1 0B 80 F9 5A 7E 11 0F BE C1 83 E8 41 6A 19 99 59 F7 F9 80 C2 41 8A CA 33 C0 38 0E 0F 94 C0 47 46 46 83 FF 10 7C D4 5F 5E C3 }
-
- condition:
- any of ($hex*)
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/g00dv1n/Rogue.FakeSysDef.yar b/yara-mikesxrs/g00dv1n/Rogue.FakeSysDef.yar
deleted file mode 100644
index 31fc40d..0000000
--- a/yara-mikesxrs/g00dv1n/Rogue.FakeSysDef.yar
+++ /dev/null
@@ -1,38 +0,0 @@
-rule RogueFakeSysDefSample
-{
- meta:
- Description = "Rogue.FakeSysDef.sm"
- ThreatLevel = "5"
-
- strings:
- $ = "smtmp" ascii wide
- $ = "attrib -h" ascii wide
- $ = "%s\\license.dat" ascii wide
- $ = "Thank you for purchasing %s" ascii wide
- $ = "%s\\%s_License.txt" ascii wide
- $ = "Bad sectors" ascii wide
- $ = "Lost cluster chains" ascii wide
- $ = "Relocate bad sectors: " ascii wide
- $ = "Fix corrupted files: " ascii wide
- $ = "Fix cluster chain: " ascii wide
- $ = "No errors found. Disk%s health summary %d%%." ascii wide
- $ = "Error 0x00000024 - %s_FILE_SYSTEM" ascii wide
- $ = "Verifying disk consistency..." ascii wide
- $ = "Hard drive spin failure detected" ascii wide
- $ = "Checking S.M.A.R.T. attributes" ascii wide
- $a = "S.M.A.R.T reports" ascii wide
- $ = "Checking HDD surface for bad sectors.." ascii wide
- $ = "Scanning sectors 0x%04X-0x%04X..." ascii wide
- $ = "Check cancelled." ascii wide
- $ = "Hard disk error detected" ascii wide
- $ = "Repair volumes" ascii wide
- $ = "Hard disk verification completed. No errors found." ascii wide
- $ = "Exception Processing Message 0x%08X Parameters" ascii wide
- $ = "Windows - Read error" ascii wide
- $ = "File system on local disk %s contains critical errors" ascii wide
- $ = "explorer.exe - Corrupt Disk" ascii wide
- $ = "svchost.exe - Corrupt Disk" ascii wide
-
- condition:
- (3 of them) or $a
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/g00dv1n/Rogue.LiveSP.yar b/yara-mikesxrs/g00dv1n/Rogue.LiveSP.yar
deleted file mode 100644
index 8c13e3b..0000000
--- a/yara-mikesxrs/g00dv1n/Rogue.LiveSP.yar
+++ /dev/null
@@ -1,59 +0,0 @@
-rule RogueWin32LiveSecurityProfessional
-{
- meta:
- Description = "Rogue.LiveSP.sm"
- ThreatLevel = "5"
- strings:
- $ = "W32.SillyFDC.BDQ" ascii wide
- $ = "Trojan.Peancomm" ascii wide
- $ = "Adware.Borlan" ascii wide
- $ = "Trojan.Exprez" ascii wide
- $ = "Sunshine.B" ascii wide
- $ = "SecurityRisk.URLRedir" ascii wide
- $ = "Spyware.Ezurl" ascii wide
- $ = "W32.Azero.A" ascii wide
- $ = "W32.Downloadup.B" ascii wide
- $ = "Hacktool.Unreal.A" ascii wide
- $ = "Backdoor.Rustock.B" ascii wide
- $ = "Infostealer.Snifula.B" ascii wide
- $ = "Adware.FCHelp" ascii wide
- $ = "Adware.Invinciblekey" ascii wide
- $ = "Packed.Dromedan!gen5" ascii wide
- $ = "Downloader.Jadelile" ascii wide
- $ = "SecShieldFraud!gen7" ascii wide
- $ = "Trojan.Komodola" ascii wide
- $ = "W32.Stekct" ascii wide
- $ = "Packed.Generic.368" ascii wide
- $ = "VirusDoctor!gen12" ascii wide
- $ = "UnlockAV" ascii wide
- $ = "Sign Up in Live Security Professional" ascii wide
- $ = "General security:" ascii wide
- $ = "Real-Time Shields:" ascii wide
- $ = "Self-protection from malware:" ascii wide
- $ = "Definitions auto updates:" ascii wide
- $ = "Virus definition version:" ascii wide
- $ = "Program version:" ascii wide
- $ = "Live Security Professional %s." ascii wide
- $ = "You have a license" ascii wide
- $ = "Your system is protected from possible threats." ascii wide
- $ = "3.13.44.20" ascii wide
- $ = "Protection level:" ascii wide
- $ = "Your computer is fully protected." ascii wide
- $ = "Your protection against viruses and spyware is weak" ascii wide
- $ = "You must enter the serial number that came to your email to activate your license." ascii wide
- $ = "Live Security Professional - Unregistered version" ascii wide
- $ = "Scan stopped..." ascii wide
- $ = "Scan paused..." ascii wide
- $ = "http://185.6.80.65/index.php?r=checkout" ascii wide
- $ = "To complete the registration, check your data for correctness."
ascii wide
- $ = "You have successfully signed up and choose a license. After confirming the payment (about 10 minutes), you get a completely secure system." ascii wide
- $ = "Live Security Professional has blocked" ascii wide
- $ = "Live security professional" ascii wide
- $ = "Successfully Cleared!" ascii wide
- $ = "DETECTED VIRUSES" ascii wide
- $ = "List of detected viruses." ascii wide
- $ = "Total infected:" ascii wide
- $ = "10% of the viruses were treated free. For the cure of all viruses, you must purchase a license Pro or Pro Plus." ascii wide
- condition:
- 5 of them
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/g00dv1n/Rogue.SDef.yar b/yara-mikesxrs/g00dv1n/Rogue.SDef.yar
deleted file mode 100644
index 3b30645..0000000
--- a/yara-mikesxrs/g00dv1n/Rogue.SDef.yar
+++ /dev/null
@@ -1,20 +0,0 @@
-rule RogueSpywareDefenderSample
-{
- meta:
- Description = "Rogue.SDef.sm"
- ThreatLevel = "5"
-
- strings:
- $str1 = "/get_two.php?" ascii wide
- $str2 = "spyware-defender.com" ascii wide
- $str3 = "Spyware Defender 2014" ascii wide
- $str4 = "Antivirus MAC 2014" ascii wide
- $str5 = "Antivirus WIN 2014" ascii wide
- $ = "Delete" ascii wide
- $ = "NoRemove" ascii wide
- $ = "ForceRemove" ascii wide
- $ = "RunInvalidSignatures" ascii wide
- $ = "CheckExeSignatures" ascii wide
- condition:
- (5 of them) or (any of ($str*))
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/g00dv1n/Rogue.SysDoc.yar b/yara-mikesxrs/g00dv1n/Rogue.SysDoc.yar
deleted file mode 100644
index 2e025d8..0000000
--- a/yara-mikesxrs/g00dv1n/Rogue.SysDoc.yar
+++ /dev/null
@@ -1,49 +0,0 @@ -rule RogueWin32SystemDoctorA -{ - meta: - Description = "Rogue.SysDoct.rc" - ThreatLevel = "5" - strings: - $hex0 = { 55 8b ec 83 ec 7c a1 ?? ?? ?? ?? 33 c5 89 ?? ?? 56 68 90 d0 47 00 8d ?? ?? e8 ?? ?? ?? ?? 83 ?? ?? ?? 8b ?? ?? 73 ?? 8d ?? ?? 50 ff ?? ?? ?? ?? ?? 8d ?? ?? 83 f8 ff 74 ?? 6a 00 6a 01 e8 ?? ?? ?? ?? 33 c0 8b ?? ?? 33 cd 5e e8 ?? ?? ?? ?? c9 c3 53 57 33 db 53 6a 01 e8 ?? ?? ?? ?? be a4 d0 47 00 8d ?? ?? a5 a4 be ac d0 47 00 8d ?? ?? a5 a4 be b4 d0 47 00 8d ?? ?? a5 66 ?? a4 be bc d0 47 00 8d ?? ?? a5 a5 66 ?? a4 be 90 88 45 00 8d ?? ?? a5 a5 a5 a5 be 00 10 00 00 56 e8 ?? ?? ?? ?? 59 6a 02 53 89 ?? ?? 53 8d ?? ?? 50 c7 ?? ?? ?? ?? ?? ?? ff ?? ?? ?? ?? ?? 8b f8 83 ff ff 0f ?? ?? ?? ?? ?? 8d ?? ?? 50 53 57 ff ?? ?? ?? ?? ?? 85 c0 74 ?? 8d ?? ?? 50 56 8b ?? ?? 56 8d ?? ?? 50 6a 0c 8d ?? ?? 50 57 ff ?? ?? ?? ?? ?? 85 c0 74 ?? 56 ff ?? ?? ?? ?? ?? 8d ?? ?? 50 56 e8 ?? ?? ?? ?? 59 59 85 c0 75 ?? 8d ?? ?? 50 56 e8 ?? ?? ?? ?? 59 59 85 c0 75 ?? 8d ?? ?? 50 56 e8 ?? ?? ?? ?? 59 59 85 c0 75 ?? 8d ?? ?? 50 56 e8 ?? ?? ?? ?? 59 59 85 c0 74 ?? 33 db 43 56 e8 ?? ?? ?? ?? 59 5f 8b c3 5b e9 ?? ?? ?? ?? 8b ?? ?? eb ?? } - $ = "http://sys-doctor.com" ascii wide - $ = "AA39754E-715219CE" ascii wide - $ = "System Doctor" ascii wide - $ = "C:\\sd.dbg" ascii wide - $ = "C:\\sd1.dbg" ascii wide - condition: - (2 of them) or (any of ($hex*)) -} - -rule RogueWin32FufelAVA -{ - meta: - Description = "Rogue.FufelAV.sm" - ThreatLevel = "5" - strings: - $ = "avp:buy" ascii wide - $ = "avp:scan" ascii wide - $ = "Protection software" ascii wide - $ = "Invalid registration key!" ascii wide - $ = "Unprotected mode request" ascii wide - $ = "Are you sure want to continue in unprotected mode?" 
ascii wide
- $ = "I have serial key" ascii wide
- $ = "Continue unprotected" ascii wide
- $ = "trying to infect your files" ascii wide
- $ = "Your computer was attacked from" ascii wide
- $ = "Attack was blocked" ascii wide
- $ = "Please register product to block hackers attack" ascii wide
- $ = "Scanning completed. No threads found." ascii wide
- $ = "Scanning completed. Cleanup is required." ascii wide
- $ = "Warning! %d Infections found!" ascii wide
- $ = "Registered version" ascii wide
- $ = "Unregistered version (Please register)" ascii wide
- $ = "Cured" ascii wide
- $ = "Infected process" ascii wide
- $str_0 = "Sinergia Cleaner" ascii wide
- $str_1 = "Sinergia software.lnk" ascii wide
-
- $str_2 = "fufel-av-2.com" ascii wide
- $str_3 = "fufel-av.com" ascii wide
- condition:
- (3 of them) or (any of ($str_*))
-}
diff --git a/yara-mikesxrs/g00dv1n/Rogue.Winwebsec.yar b/yara-mikesxrs/g00dv1n/Rogue.Winwebsec.yar
deleted file mode 100644
index 671c2af..0000000
--- a/yara-mikesxrs/g00dv1n/Rogue.Winwebsec.yar
+++ /dev/null
@@ -1,25 +0,0 @@
-rule RogueWinwebsecSample
-{
- meta:
- Description = "Rogue.Winwebsec.sm"
- ThreatLevel = "5"
-
- strings:
- $a = "%s%s\\%s.ico" ascii wide
- $b = "%s%s\\%s.exe" ascii wide
- condition:
- $a or $b
-}
-
-rule RogueSShieldSample
-{
- meta:
- Description = "Rogue.SShield.sm"
- ThreatLevel = "5"
-
- strings:
- $a = "64C665BE" wide
- $b = "BC0172B25DF2" wide
- condition:
- $a or $b
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/g00dv1n/Trojan.Antivar.yar b/yara-mikesxrs/g00dv1n/Trojan.Antivar.yar
deleted file mode 100644
index aaa013a..0000000
--- a/yara-mikesxrs/g00dv1n/Trojan.Antivar.yar
+++ /dev/null
@@ -1,11 +0,0 @@
-rule TrojanWin32AntivarSample
-{
- meta:
- Description = "Trojan.Antivar.sm"
- ThreatLevel = "5"
- strings:
- $ = "ServerNabs4" ascii wide
- $ = "\\system32\\antivar.exe" ascii wide
- condition:
- any of them
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/g00dv1n/Trojan.Cbeplay.yar b/yara-mikesxrs/g00dv1n/Trojan.Cbeplay.yar
deleted file mode 100644
index 6bd322e..0000000
--- a/yara-mikesxrs/g00dv1n/Trojan.Cbeplay.yar
+++ /dev/null
@@ -1,58 +0,0 @@
-rule TrojanDownloaderCbeplaySample
-{
- meta:
- Description = "Trojan.Cbeplay.sm"
- ThreatLevel = "5"
-
- strings:
- $ = "wireshark.exe" ascii wide
- $ = "pstorec.dll" ascii wide
- $ = "ROOT\\SecurityCenter2" ascii wide
- $ = "Select * from AntiVirusProduct" ascii wide
- $ = "SbieDll.dll" ascii wide
- $ = "OPEN %s.mp3 TYPE MpegVideo ALIAS MP3" ascii wide
- $ = "PLAY MP3 wait" ascii wide
- $ = "CLOSE MP3" ascii wide
- $ = "VIRTUALBOX" ascii wide
- $ = "VideoBiosVersion" ascii wide
- $ = "QEMU" ascii wide
- $ = "VMWARE" ascii wide
- $ = "VBOX" ascii wide
- $ = "VIRTUAL" ascii wide
- $ = "taskmgr.exe" ascii wide
- $ = "explorer.exe" ascii wide
- $ = "Program Manager" ascii wide
- $ = "Shell_TrayWnd" ascii wide
- $ = "FriendlyName" ascii wide
- $ = "Capture Filter" ascii wide
- $ = "SampleGrab" ascii wide
- $ = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer" ascii wide
- $ = "Software\\Microsoft\\Windows\\CurrentVersion\\Run" ascii wide
- $ = "SYSTEM\\CurrentControlSet\\Control\\SafeBoot" ascii wide
- $ = "Hello, visitor from: <strong>" ascii wide
- $ = "SendVoucher" ascii wide
- $ = "winver" ascii wide
- $ = "AVID" ascii wide
- $ = "Emsisoft" ascii wide
- $ = "Lavasoft" ascii wide
- $ = "avast" ascii wide
- $ = "Avira" ascii wide
- $ = "BitDef" ascii wide
- $ = "COMODO" ascii wide
- $ = "F-Secure" ascii wide
- $ = "G Data" ascii wide
- $ = "Kaspersky" ascii wide
- $ = "McAfee" ascii wide
- $ = "ESET" ascii wide
- $ = "Norton" ascii wide
- $ = "Microsoft Security Essentials" ascii wide
- $ = "Panda" ascii wide
- $ = "Sophos" ascii wide
- $ = "Trend Micro" ascii wide
- $ = "Symantec" ascii wide
- $ = "BullGuard" ascii wide
- $ = "VIPRE" ascii wide
- $ = "Webroot" ascii wide
- condition:
- 8 of them
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/g00dv1n/Trojan.ChStartPage.yar b/yara-mikesxrs/g00dv1n/Trojan.ChStartPage.yar
deleted file mode 100644
index 87101a3..0000000
--- a/yara-mikesxrs/g00dv1n/Trojan.ChStartPage.yar
+++ /dev/null
@@ -1,24 +0,0 @@
-rule TrojanChangeStartPageSampleA
-{
- meta:
- Description = "Trojan.CStartPage.sm"
- ThreatLevel = "5"
-
- strings:
- $ = "chrome.exe" ascii wide
- $ = "urls_to_restore_on_startup" ascii wide
- $ = "restore_on_startup" ascii wide
- $ = "restore_on_startup_migrated" ascii wide
- $ = "urls_to_restore_on_startup" ascii wide
- $ = "translate_accepted_count" ascii wide
- $ = "translate_denied_count" ascii wide
- $ = "translate_site_blacklist" ascii wide
- $ = "netsh firewall add allowedprogram" ascii wide
- $ = "homepage_is_newtabpage" ascii wide
- $ = "Start Page" ascii wide
- $ = "user_pref(%cbrowser.startup.homepage%c" ascii wide
- $ = "%ws\\mozilla\\firefox\\profiles" ascii wide
- $ = "c:\\windows\\sms.exe" ascii wide
- condition:
- 3 of them
-}
diff --git a/yara-mikesxrs/g00dv1n/Trojan.Citadel.yar b/yara-mikesxrs/g00dv1n/Trojan.Citadel.yar
deleted file mode 100644
index fee195c..0000000
--- a/yara-mikesxrs/g00dv1n/Trojan.Citadel.yar
+++ /dev/null
@@ -1,15 +0,0 @@
-rule TrojanWin32CitadelSampleA
-{
- meta:
- Description = "Trojan.Citadel.sm"
- ThreatLevel = "5"
-
- strings:
- $a = "Coded by BRIAN KREBS for personal use only. I love my job & wife." ascii wide
- $hex_string = {85 C0 7? ?? 8A 4C 30 FF 30 0C 30 48 7?}
- $ = "softpc.new" ascii wide
- $ = "CS:%04x IP:%04x OP:%02x %02x %02x %02x %02x" ascii wide
-
- condition:
- any of them
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/g00dv1n/Trojan.Comfoo.yar b/yara-mikesxrs/g00dv1n/Trojan.Comfoo.yar
deleted file mode 100644
index b9fb517..0000000
--- a/yara-mikesxrs/g00dv1n/Trojan.Comfoo.yar
+++ /dev/null
@@ -1,38 +0,0 @@ -rule TrojanWin32ComfooSample -{ - meta: - Description = "Trojan.Comfoo.sm" - ThreatLevel = "5" - - strings: - $ = "exclusiveinstance12" ascii wide - $ = "MYGAMEHAVESTART" ascii wide - $ = "MYGAMEHAVEstarted" ascii wide - $ = "MYGAMEHAVESTARTEd" ascii wide - $ = "MYGAMEHAVESTARTED" ascii wide - $ = "thisisanewfirstrun" ascii wide - $ = "THISISASUPERNEWGAMENOWBEGIN" ascii wide - $ = "thisisnewtrofor024" ascii wide - - $ = "cabinet.dll" ascii wide - $ = "09lkjds" ascii wide - $ = "perfdi.ini" ascii wide - $ = "msobj.sys" ascii wide - $ = "usbak.sys" ascii wide - $ = "\\\\.\\DevCtrlKrnl" ascii wide - $ = "THIS324NEWGAME" ascii wide - $ = "watchevent29021803" ascii wide - $ = "iamwaitingforu653890" ascii wide - $ = "Call to GetAdaptersInfo failed. Return Value" ascii wide - $ = "Hard Disk(%s--LocalDisk)" ascii wide - $ = "Total size: %I64d (MB)" ascii wide - - $ = "SYSTEM\\CurrentControlSet\\Services\\%s" ascii wide - - $hex0 = { 6a ff 68 1b 04 01 10 64 ?? ?? ?? ?? ?? 50 64 ?? ?? ?? ?? ?? ?? 51 56 57 68 30 17 00 00 e8 ?? ?? ?? ?? 83 c4 04 89 ?? ?? ?? 85 c0 c7 ?? ?? ?? ?? ?? ?? ?? 74 ?? 8b c8 e8 ?? ?? ?? ?? 8b f0 eb ?? 33 f6 8b ?? 6a 01 8b ce c7 ?? ?? ?? ?? ?? ?? ?? ff ?? ?? bf 30 3b 01 10 83 c9 ff 33 c0 8b ?? f2 ?? f7 d1 49 51 68 30 3b 01 10 8b ce ff ?? ?? 8b ?? 68 81 3e 00 00 8b ce ff ?? ?? 8b ?? ?? ?? 8b ?? 50 8b ce ff ?? ?? 8b ?? ?? ?? 8b ?? 50 8b ce ff ?? ?? 56 e8 ?? ?? ?? ?? 8b f8 83 c4 04 f7 df 1b ff 47 85 f6 74 ?? 8b ce e8 ?? ?? ?? ?? 56 e8 ?? ?? ?? ?? 83 c4 04 8b ?? ?? ?? 8b c7 5f 5e 64 ?? ?? ?? ?? ?? ?? 83 c4 10 c3} - $hex1 = { 55 56 57 6a 08 33 ed e8 ?? ?? ?? ?? 8b f0 83 c4 04 85 f6 0f ?? ?? ?? ?? ?? ff ?? ?? ?? ?? ?? 89 ?? ff ?? ?? ?? ?? ?? 50 ff ?? ?? ?? ?? ?? 68 7f 03 0f 00 55 68 94 32 01 10 89 ?? ?? ff ?? ?? ?? ?? ?? 8b f8 85 ff 74 ?? 53 57 ff ?? ?? ?? ?? ?? 85 c0 74 ?? 68 ff 01 0f 00 55 55 68 e8 30 01 10 ff ?? ?? ?? ?? ?? 8b d8 85 db 74 ?? 53 ff ?? ?? ?? ?? ?? 85 c0 74 ?? bd 01 00 00 00 53 ff ?? ?? ?? ?? ?? 57 ff ?? ?? ?? ?? ?? 
85 ed 5b 74 ?? 8b c6 5f 5e 5d c3} - $hex2 = { 53 53 6a 03 53 53 68 00 00 00 c0 68 78 33 01 10 ff ?? ?? ?? ?? ?? 89 ?? ?? 83 f8 ff 75 ?? 33 c0 8b ?? ?? 64 ?? ?? ?? ?? ?? ?? 5f 5e 5b 8b e5 5d c3 89 ?? ?? 89 ?? ?? 89 ?? ?? be 88 33 01 10 8b c7 8a ?? 8a ca 3a ?? 75 ?? 3a cb 74 ?? 8a ?? ?? 8a ca 3a ?? ?? 75 ?? 83 c0 02 83 c6 02 3a cb 75 ?? 33 c0 eb ?? 1b c0 83 d8 ff 3b c3 75 ?? 89 ?? ?? eb ?? 57 ff ?? ?? ?? ?? ?? 89 ?? ?? 83 f8 ff 74 ?? 8b ?? ?? 50 ff ?? ?? ?? ?? ?? 66 ?? ?? ?? 53 8d ?? ?? 51 6a 04 8d ?? ?? 52 6a 06 8d ?? ?? 50 8b ?? ?? 56 8b ?? ?? 51 ff ?? ?? ?? ?? ?? 85 c0 74 ?? 81 fe c8 20 22 00 75 ?? c7 ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? e8 ?? ?? ?? ?? 8b ?? ?? 8b ?? ?? 64 ?? ?? ?? ?? ?? ?? 5f 5e 5b 8b e5 5d c3} - - condition: - (3 of them) or (any of ($hex*)) -} \ No newline at end of file diff --git a/yara-mikesxrs/g00dv1n/Trojan.Cutwail.yar b/yara-mikesxrs/g00dv1n/Trojan.Cutwail.yar deleted file mode 100644 index 2eea854..0000000 --- a/yara-mikesxrs/g00dv1n/Trojan.Cutwail.yar +++ /dev/null @@ -1,18 +0,0 @@ -rule TrojanBotnetWin32CutwailSample -{ - meta: - Description = "Trojan.Cutwail.sm" - ThreatLevel = "5" - - strings: - $ = "PreLoader.pdb" ascii wide - $ = "magadan21" ascii wide - $ = "RkInstall.pdb" ascii wide - $ = "InnerDrv.pdb" ascii wide - $ = "Protect.pdb" ascii wide - $ = "MailerApp.pdb" ascii wide - $ = "revolution6" ascii wide - $ = "bot25" ascii wide - condition: - any of them -} \ No newline at end of file diff --git a/yara-mikesxrs/g00dv1n/Trojan.Dllpatcher.yar b/yara-mikesxrs/g00dv1n/Trojan.Dllpatcher.yar deleted file mode 100644 index f9fcdb1..0000000 --- a/yara-mikesxrs/g00dv1n/Trojan.Dllpatcher.yar +++ /dev/null @@ -1,15 +0,0 @@ -rule TrojanDllpatcherA -{ - meta: - Description = "Trojan.Dllpatcher.vb" - ThreatLevel = "5" - - strings: - $str1 = "Global\\Matil da" ascii wide - $str2 = "Global\\Nople Mento" ascii wide - $str3 = "%s\\System32\\dnsapi.dll" ascii wide - $str4 = "%s\\SysWOW64\\dnsapi.dll" ascii wide - - condition: - 3 of them -} 
diff --git a/yara-mikesxrs/g00dv1n/Trojan.Downloader.yar b/yara-mikesxrs/g00dv1n/Trojan.Downloader.yar
deleted file mode 100644
index fd8642e..0000000
--- a/yara-mikesxrs/g00dv1n/Trojan.Downloader.yar
+++ /dev/null
@@ -1,49 +0,0 @@ -rule TrojanDownloaderWin32KaraganySampleA -{ - meta: - Description = "Trojan.Karagany.sm" - ThreatLevel = "5" - strings: - $hex0 = { e8 ?? ?? ?? ?? 68 b4 05 00 00 e8 ?? ?? ?? ?? 83 c4 04 c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ff ?? ?? 99 b9 05 00 00 00 f7 f9 89 ?? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 75 ?? 68 c0 24 40 00 8b ?? ?? ?? ?? ?? 52 ff ?? ?? ?? ?? ?? 83 c4 08 eb ?? 83 ?? ?? ?? ?? ?? ?? 75 ?? 68 78 24 40 00 a1 ?? ?? ?? ?? 50 ff ?? ?? ?? ?? ?? 83 c4 08 eb ?? 83 ?? ?? ?? ?? ?? ?? 75 ?? 68 30 24 40 00 8b ?? ?? ?? ?? ?? 51 ff ?? ?? ?? ?? ?? 83 c4 08 eb ?? 83 ?? ?? ?? ?? ?? ?? 75 ?? 68 e8 23 40 00 8b ?? ?? ?? ?? ?? 52 ff ?? ?? ?? ?? ?? 83 c4 08 eb ?? 83 ?? ?? ?? ?? ?? ?? 75 ?? 68 a0 23 40 00 a1 ?? ?? ?? ?? 50 ff ?? ?? ?? ?? ?? 83 c4 08 8d ?? ?? ?? ?? ?? 51 68 00 03 00 84 6a 00 6a 00 8b ?? ?? ?? ?? ?? 52 8b ?? ?? ?? ?? ?? 50 ff ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 74 ?? 83 ?? ?? ?? ?? ?? ??} - $hex1 = { 55 8b ec 83 ec 18 e8 ?? ?? ?? ?? 89 ?? ?? 8b ?? ?? 50 e8 ?? ?? ?? ?? 83 c4 04 a3 ?? ?? ?? ?? 68 d0 21 40 00 8b ?? ?? 51 ff ?? ?? ?? ?? ?? a3 ?? ?? ?? ?? 6a 00 6a 00 68 38 23 40 00 ff ?? ?? ?? ?? ?? 89 ?? ?? c7 ?? ?? ?? ?? ?? ?? eb ?? 8b ?? ?? 83 c2 01 89 ?? ?? 83 ?? ?? ?? 73 ?? 8b ?? ?? 8b ?? ?? ?? ?? ?? ?? 51 8b ?? ?? 52 ff ?? ?? ?? ?? ?? 8b ?? ?? 89 ?? ?? ?? ?? ?? ?? eb ?? 6a 00 6a 00 68 2c 23 40 00 ff ?? ?? ?? ?? ?? 89 ?? ?? c7 ?? ?? ?? ?? ?? ?? eb ?? 8b ?? ?? 83 c2 01 89 ?? ?? 83 ?? ?? ?? 73 ?? 8b ?? ?? 8b ?? ?? ?? ?? ?? ?? 51 8b ?? ?? 52 ff ?? ?? ?? ?? ?? 8b ?? ?? 89 ?? ?? ?? ?? ?? ?? eb ?? 6a 00 6a 00 68 20 23 40 00 ff ?? ?? ?? ?? ?? 89 ?? ?? 8b ?? ?? ?? ?? ?? 52 8b ?? ?? 50 ff ?? ?? ?? ?? ?? a3 ?? ?? ?? ?? 8b ?? ?? ?? ?? ?? 51 8b ?? ?? 52 ff ?? ?? ?? ?? ?? a3 ?? ?? ?? ?? a1 ?? ?? ?? ?? 50 8b ?? ?? 51 ff ?? ?? ?? ?? ?? a3 ?? ?? ?? ?? 6a 00 6a 00 68 14 23 40 00 ff ?? ?? ?? ?? ?? 89 ?? ?? c7 ?? ?? ?? ?? ?? ?? eb ?? 8b ?? ?? 83 c2 01 89 ?? ?? 83 ?? ?? ?? 73 ?? 8b ?? ?? 8b ?? ?? ?? 
?? ?? ?? 51 8b ?? ?? 52 ff ?? ?? ?? ?? ?? 8b ?? ?? 89 ?? ?? ?? ?? ?? ?? eb ?? 6a 00 6a 00 68 04 23 40 00 ff ?? ?? ?? ?? ?? 89 ?? ?? c7 ?? ?? ?? ?? ?? ?? eb ?? 8b ?? ?? 83 c2 01 89 ?? ?? 83 ?? ?? ?? 73 ?? 8b ?? ?? 8b ?? ?? ?? ?? ?? ?? 51 8b ?? ?? 52 ff ?? ?? ?? ?? ?? 8b ?? ?? 89 ?? ?? ?? ?? ?? ?? eb ?? 8b e5 5d c3} - $hex2 = { 55 8b ec 81 ec 20 04 00 00 a1 ?? ?? ?? ?? 89 ?? ?? 68 e0 30 40 00 68 48 23 40 00 8d ?? ?? ?? ?? ?? 51 ff ?? ?? 83 c4 0c 6a 00 6a 00 8d ?? ?? ?? ?? ?? 52 e8 ?? ?? ?? ?? 83 c4 0c b8 01 00 00 00 8b e5 5d c3} - condition: - any of ($hex*) -} - -rule TrojanDownloaderWin32WaledacSampleR -{ - meta: - Description = "Trojan.Waledac.sm" - ThreatLevel = "5" - strings: - $hex0 = { 55 8b ec 81 ec 6c 02 00 00 56 57 68 80 00 00 00 8d ?? ?? ?? ?? ?? 50 ff ?? ?? ?? ?? ?? 8b ?? ?? ?? ?? ?? 68 1c 21 40 00 8d ?? ?? ?? ?? ?? 50 ff d6 e8 ?? ?? ?? ?? 8d ?? ?? 51 50 e8 ?? ?? ?? ?? 8b ?? ?? 59 59 8b ?? ?? 8d ?? ?? ?? 50 8d ?? ?? ?? ?? ?? 50 ff d6 8d ?? ?? 50 e8 ?? ?? ?? ?? 8d ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? 50 ff d6 33 f6 56 56 6a 02 56 56 68 00 00 00 40 8d ?? ?? ?? ?? ?? 50 ff ?? ?? ?? ?? ?? 8b f8 3b fe 75 ?? 32 c0 eb ?? 56 8d ?? ?? 50 53 ff ?? ?? 57 ff ?? ?? ?? ?? ?? 57 ff ?? ?? ?? ?? ?? 39 ?? ?? 75 ?? 6a 44 5f 57 8d ?? ?? 56 50 e8 ?? ?? ?? ?? 83 c4 0c 33 c0 66 ?? ?? ?? 8d ?? ?? 50 8d ?? ?? 50 56 56 56 56 56 56 8d ?? ?? ?? ?? ?? 50 56 89 ?? ?? c7 ?? ?? ?? ?? ?? ?? ff ?? ?? ?? ?? ?? f7 d8 1b c0 f7 d8 5f 5e c9 c3 55} - $hex1 = { 55 8b ec 83 e4 f8 83 ec 10 56 57 e8 ?? ?? ?? ?? be 10 30 40 00 56 68 02 02 00 00 ff ?? ?? ?? ?? ?? 85 c0 74 ?? 56 6a 02 ff ?? ?? ?? ?? ?? 85 c0 74 ?? 56 68 01 01 00 00 ff ?? ?? ?? ?? ?? 85 c0 74 ?? 6a ff ff ?? ?? ?? ?? ?? ff ?? ?? ?? ?? ?? 50 e8 ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? e8 ?? ?? ?? ?? a3 ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? e8 ?? ?? ?? ?? be 30 21 40 00 8d ?? ?? ?? a5 a5 59 a3 ?? ?? ?? ?? a5 8d ?? ?? ?? 50 68 40 21 40 00 a4 e8 ?? ?? ?? ?? 59 59 84 c0 75 ?? 8d ?? ?? ?? 50 68 4c 21 40 00 e8 ?? ?? ?? ?? 59 59 ff ?? ?? ?? ?? ?? e8 ?? ?? ?? 
?? 59 ff ?? ?? ?? ?? ?? e8 ?? ?? ?? ?? 59 5f 33 c0 5e 8b e5 5d c3}
- $hex2 = { 55 8b ec 51 83 ?? ?? ?? 53 8b ?? ?? ?? ?? ?? 56 57 bf 00 90 01 00 eb ?? 7c ?? 8b ?? ?? 56 ff ?? ?? ?? ?? ?? 03 c3 50 e8 ?? ?? ?? ?? 01 ?? ?? 8b ?? ?? 8b ?? ?? 83 c4 0c e8 ?? ?? ?? ?? 83 e8 00 74 ?? 48 75 ?? 6a 00 57 ff ?? ?? ?? ?? ?? ff ?? ?? ff ?? ?? ?? ?? ?? 8b f0 85 f6 75 ?? 8b ?? ?? 8b ?? ?? e8 ?? ?? ?? ?? f7 d8 1b c0 40 eb ?? 48 32 c0 eb ?? b0 01 5f 5e 5b c9 c3}
- condition:
- any of ($hex*)
-}
-
-rule TrojanDownloaderWin32PerkeshSamle
-{
- meta:
- Description = "Trojan.Perkesh.rc"
- ThreatLevel = "5"
- strings:
- $a = "698d51" ascii wide
- $b = "%s~%x.dat" ascii wide
- $c = "\\drivers\\etc\\hosts" ascii wide
- condition:
- all of them
-}
-
-rule TrojanDownloaderWin32PerkeshDriverSamle
-{
- meta:
- Description = "Trojan.Perkesh.rc"
- ThreatLevel = "5"
- strings:
- $a = "C:\\FOUND.001\\333888\\sys\\Driver\\i386\\feiji.pdb" ascii wide
- condition:
- $a
-}
diff --git a/yara-mikesxrs/g00dv1n/Trojan.Dropper.yar b/yara-mikesxrs/g00dv1n/Trojan.Dropper.yar
deleted file mode 100644
index fe4a000..0000000
--- a/yara-mikesxrs/g00dv1n/Trojan.Dropper.yar
+++ /dev/null
@@ -1,12 +0,0 @@
-rule TrojanDropperMicrojoin
-{
- meta:
- Description = "Trojan.Microjoin.rc"
- ThreatLevel = "5"
-
- strings:
- $ep = { 55 8B EC 6A FF 68 00 00 00 00 68 00 00 00 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 5F 5E 5B 33 C0 83 C4 78 5D }
-
- condition:
- $ep at entrypoint
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/g00dv1n/Trojan.Frethog.yar b/yara-mikesxrs/g00dv1n/Trojan.Frethog.yar
deleted file mode 100644
index 36a8b9a..0000000
--- a/yara-mikesxrs/g00dv1n/Trojan.Frethog.yar
+++ /dev/null
@@ -1,30 +0,0 @@
-rule TrojanDownloaderWin32Frethog_E_Sample
-{
- meta:
- Description = "Trojan.Frethog.sm"
- ThreatLevel = "5"
-
- strings:
- $ = "C:\\WINDOWS\\system32\\msvbvm60.dll\\3" ascii wide
- $ = "DownLoad File:" ascii wide
- $ = "\\system32\\mswinsck.ocx" ascii wide
-
- $ = "http://www.pc918.net/file.txt" ascii wide
- $ = "http://www.yswm.net/file.txt" ascii wide
- $ = "http://www.v138.net/file.txt" ascii wide
- $ = "http://www.v345.net/file.txt" ascii wide
- $ = "http://www.ahwm.net/file.txt" ascii wide
- $ = "http://user.yswm.net/yswm" ascii wide
-
- $ = "so118config" ascii wide
- $ = "http://user.yswm.net" ascii wide
- $ = "hide.exe" ascii wide
- $ = "\\win.ini" ascii wide
- $ = "\\system32\\svchost.exe" ascii wide
- $ = "P2P DownFile:" ascii wide
- $ = "yswm.runsoft" ascii wide
- $ = "\\sys.dat" ascii wide
-
- condition:
- 4 of them
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/g00dv1n/Trojan.GBot.yar b/yara-mikesxrs/g00dv1n/Trojan.GBot.yar
deleted file mode 100644
index ed21d67..0000000
--- a/yara-mikesxrs/g00dv1n/Trojan.GBot.yar
+++ /dev/null
@@ -1,15 +0,0 @@
-rule TrojanGBotSampleA_Malex
-{
- meta:
- Description = "Trojan.GBot.sm"
- ThreatLevel = "5"
-
- strings:
- $ = "My name is \"G-Bot\" or \"GBot\"!"ascii wide
- $ = "C:\\WINDOWS\\WinUpdaterstd\\svchost.exe"ascii wide
- $hex0 = { 85 d2 74 ?? 8b ?? ?? 41 7f ?? 50 52 8b ?? ?? e8 ?? ?? ?? ?? 89 c2 58 52 8b ?? ?? e8 ?? ?? ?? ?? 5a 58 eb ?? f0 ?? ?? ?? 87 ?? 85 d2 74 ?? 8b ?? ?? 49 7c ?? f0 ?? ?? ?? 75 ?? 8d ?? ?? e8 ?? ?? ?? ?? c3}
- $hex1 = { 53 56 8b f2 8b d8 66 ?? ?? ?? 66 3d b0 d7 72 ?? 66 3d b3 d7 76 ?? bb 66 00 00 00 eb ?? 66 3d b0 d7 74 ?? 8b c3 e8 ?? ?? ?? ?? 66 ?? ?? ?? 80 ?? ?? ?? 75 ?? 83 ?? ?? ?? 75 ?? c7 ?? ?? ?? ?? ?? ?? 8b c3 ff ?? ?? 8b d8 85 db 74 ?? 8b c3 e8 ?? ?? ?? ?? 8b c3 5e 5b c3}
-
- condition:
- any of them
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/g00dv1n/Trojan.Gamarue.Andromeda.yar b/yara-mikesxrs/g00dv1n/Trojan.Gamarue.Andromeda.yar
deleted file mode 100644
index 595568b..0000000
--- a/yara-mikesxrs/g00dv1n/Trojan.Gamarue.Andromeda.yar
+++ /dev/null
@@ -1,21 +0,0 @@
-rule TrojanDropperWin32Gamarue_A_Andromeda
-{
- meta:
- Description = "Trojan.Andromeda.sm"
- ThreatLevel = "5"
-
- strings:
- $ = { 66 8B 10 66 3B 11 75 1E 66 3B D3 74 15 66 8B 50 02 66 3B 51 02 75 0F 83 C0 04 83 C1 04 66 3B D3 75 DE 33 C0 EB 05 1B C0 83 D8 FF 3B C3 0F 84 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? ?? 56 FF D7 85 C0 75 ?? }
- $a = "ldr\\CUSTOM\\local\\local\\Release\\ADropper.pdb" ascii wide
- $ = "EpisodeNorth.exe" ascii wide
- $ = "HandballChampionship.exe" ascii wide
- $ = "\\#MSI" ascii wide
- $ = "\\MSI" ascii wide
- $ = "\\msiexec.exe" ascii wide
- $ = "avp.exe" ascii wide
- $ = "\\(empty).lnk" ascii wide
- $b = "hsk\\ehs\\dihviceh\\serhlsethntrohntcohurrehem\\chsyst" ascii wide
-
- condition:
- (3 of them) or $a or $b
-}
diff --git a/yara-mikesxrs/g00dv1n/Trojan.Injector.yar b/yara-mikesxrs/g00dv1n/Trojan.Injector.yar
deleted file mode 100644
index f8d452a..0000000
--- a/yara-mikesxrs/g00dv1n/Trojan.Injector.yar
+++ /dev/null
@@ -1,14 +0,0 @@
-rule TrojanInjectorA
-{
- meta:
- Description = "Trojan.Injector.vb"
- ThreatLevel = "5"
-
- strings:
- $ = "KERNEO32.nll" ascii wide
- $ = "CfeateFileAaocwwA" ascii wide
- $ = "RGPdFileREjhsoX" ascii wide
-
- condition:
- all of them
-}
diff --git a/yara-mikesxrs/g00dv1n/Trojan.Kovter.yar b/yara-mikesxrs/g00dv1n/Trojan.Kovter.yar
deleted file mode 100644
index b0f4545..0000000
--- a/yara-mikesxrs/g00dv1n/Trojan.Kovter.yar
+++ /dev/null
@@ -1,29 +0,0 @@
-rule TrojanWin32KovterSample
-{
- meta:
- Description = "Trojan.Kovter.sm"
- ThreatLevel = "5"
-
- strings:
- $ = "AntiVirtualBox" ascii wide
- $ = "AntiVMware" ascii wide
- $ = "AntiVMwareEx" ascii wide
- $ = "AntiVirtualPC" ascii wide
- $ = "AntiSandboxie" ascii wide
- $ = "AntiThreadExpert" ascii wide
- $ = "AntiWireshark" ascii wide
- $ = "AntiJoeBox" ascii wide
- $ = "AntiRFP" ascii wide
- $ = "AntiAllDebugger" ascii wide
- $ = "AntiODBG" ascii wide
- $ = "AntiSoftIce" ascii wide
- $ = "AntiSyserDebugger" ascii wide
- $ = "AntiTrwDebugger" ascii wide
- $ = "AntiVirtualMachine" ascii wide
- $ = "AntiSunbeltSandboxie" ascii wide
-
- $a = "i:\\MySoft\\project Locker\\optimize orig Binary\\kol\\err.pas" ascii wide
-
- condition:
- 3 of them or $a
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/g00dv1n/Trojan.Kuluoz.yar b/yara-mikesxrs/g00dv1n/Trojan.Kuluoz.yar
deleted file mode 100644
index 06ce7eb..0000000
--- a/yara-mikesxrs/g00dv1n/Trojan.Kuluoz.yar
+++ /dev/null
@@ -1,16 +0,0 @@
-rule TrojanDownloaderWin32KuluozSampleB
-{
- meta:
- Description = "Trojan.Asprox.sm"
- ThreatLevel = "5"
- strings:
- $ = "svchost.exe" ascii wide
- $ = "Software\\Microsoft\\Windows\\CurrentVersion\\Run" ascii wide
- $ = "/index.php?r=gate&id=" ascii wide
- $ = "/index.php?r=gate/getipslist&id=" ascii wide
- $ = "You fag" ascii wide
- $ = "For group" ascii wide
- $hex0 = { 55 8b ec 81 ec dc 00 00 00 90 68 1c 10 40 00 ff ?? ?? ?? ?? ?? 89 ?? ?? 68 28 10 40 00 8b ?? ?? 50 ff ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 68 44 10 40 00 8b ?? ?? 51 ff ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 68 58 10 40 00 8b ?? ?? 52 ff ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 68 6c 10 40 00 8b ?? ?? 50 ff ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 68 7c 10 40 00 8b ?? ?? 51 ff ?? ?? ?? ?? ?? 89 ?? ?? 68 94 10 40 00 8b ?? ?? 52 ff ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? b8 50 89 40 00 2d b0 10 40 00 89 ?? ?? c7 ?? ?? ?? ?? ?? ?? eb ?? 8b ?? ?? 83 c1 01 89 ?? ?? 83 ?? ?? ?? 73 ?? 8b ?? ?? c6 ?? ?? ?? ?? ?? ?? ?? eb ?? c7 ?? ?? ?? ?? ?? ?? eb ?? 8b ?? ?? 83 c0 01 89 ?? ?? 83 ?? ?? ?? 73 ?? 8b ?? ?? c6 ?? ?? ?? ?? eb ?? c7 ?? ?? ?? ?? ?? ?? 90 8d ?? ?? ?? ?? ?? 52 8d ?? ?? 50 6a 00 6a 00 6a 04 6a 00 6a 00 6a 00 68 a4 10 40 00 6a 00 ff ?? ?? ?? ?? ?? 8b ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8b ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 6a 00 6a 18 8d ?? ?? 50 6a 00 8b ?? ?? ?? ?? ?? 51 ff ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8b ?? ?? 83 c2 08 89 ?? ?? ?? ?? ?? 8d ?? ?? ?? ?? ?? 50 6a 04 8d ?? ?? ?? ?? ?? 51 8b ?? ?? ?? ?? ?? 52 8b ?? ?? ?? ?? ?? 50 ff ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8b ?? ?? 89 ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 6a 00 68 00 00 00 08 6a 40 8d ?? ?? ?? ?? ?? 52 6a 00 68 1f 00 0f 00 8d ?? ?? 50 ff ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 8b ?? ?? 89 ?? ?? ?? ?? ?? 6a 40 6a 00 6a 01 8d ?? ?? ?? ?? ?? 52 6a 00 6a 00 6a 00 8d ?? ?? ?? ?? ?? 50 6a ff 8b ?? ?? 51 ff ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? eb ?? 8b ?? ?? 83 c2 01 89 ?? ?? 8b ?? ?? 3b ?? ?? 73 ?? 
b9 b0 10 40 00 03 ?? ?? 8b ?? ?? ?? ?? ?? 03 ?? ?? 8a ?? 88 ?? eb ?? 90 c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 6a 40 6a 00 6a 01 8d ?? ?? ?? ?? ?? 51 6a 00 6a 00 6a 00 8d ?? ?? ?? ?? ?? 52 8b ?? ?? ?? ?? ?? 50 8b ?? ?? 51 ff ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8b ?? ?? ?? ?? ?? 89 ?? ?? 6a 40 68 00 30 00 00 68 00 00 50 00 6a 00 ff ?? ?? ?? ?? ?? 89 ?? ?? 8d ?? ?? ?? ?? ?? 50 68 00 10 00 00 8b ?? ?? 51 8b ?? ?? ?? ?? ?? 52 8b ?? ?? ?? ?? ?? 50 ff ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8b ?? ?? 8b ?? ?? 03 ?? ?? 89 ?? ?? ?? ?? ?? 8b ?? ?? ?? ?? ?? 8b ?? ?? 89 ?? ?? 8b ?? ?? ?? ?? ?? 8b ?? ?? 89 ?? ?? ?? ?? ?? 8d ?? ?? ?? ?? ?? 51 8b ?? ?? 52 8b ?? ?? 50 8b ?? ?? ?? ?? ?? 51 8b ?? ?? ?? ?? ?? 52 ff ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 8b ?? ?? 89 ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 6a 00 68 00 00 00 08 6a 40 8d ?? ?? ?? ?? ?? 51 6a 00 68 1f 00 0f 00 8d ?? ?? ?? ?? ?? 52 ff ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8b ?? ?? 89 ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 6a 40 6a 00 6a 01 8d ?? ?? ?? ?? ?? 51 6a 00 6a 00 6a 00 8d ?? ?? ?? ?? ?? 52 6a ff 8b ?? ?? ?? ?? ?? 50 ff ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8b ?? ?? 03 ?? ?? ?? ?? ?? c6 ?? ?? 8b ?? ?? 03 ?? ?? ?? ?? ?? c6 ?? ?? ?? 8b ?? ?? 03 ?? ?? ?? ?? ?? 8b ?? ?? 89 ?? ?? 8b ?? ?? 03 ?? ?? ?? ?? ?? c6 ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? eb ?? 8b ?? ?? 83 c0 01 89 ?? ?? 8b ?? ?? 3b ?? ?? 73 ?? 8b ?? ?? ?? ?? ?? 03 ?? ?? 8b ?? ?? 03 ?? ?? 8a ?? 88 ?? eb ?? 90 8b ?? ?? ?? ?? ?? 52 8b ?? ?? ?? ?? ?? 50 ff ?? ?? 89 ?? ?? ?? ?? ?? 8b ?? ?? 89 ?? ?? ?? ?? ?? 8b ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 6a 40 6a 00 6a 01 8d ?? ?? ?? ?? ?? 50 6a 00 6a 00 6a 00 8d ?? ?? ?? ?? ?? 51 8b ?? ?? ?? ?? ?? 52 8b ?? ?? ?? ?? ?? 50 ff ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 6a 00 8b ?? ?? ?? ?? ?? 51 ff ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 68 e8 03 00 00 ff ?? ?? ?? ?? ?? 6a 00 ff ?? ?? ?? ?? ?? 8b e5 5d c3}
- condition:
- (3 of them) or $hex0
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/g00dv1n/Trojan.Lethic.yar b/yara-mikesxrs/g00dv1n/Trojan.Lethic.yar
deleted file mode 100644
index 956631d..0000000
--- a/yara-mikesxrs/g00dv1n/Trojan.Lethic.yar
+++ /dev/null
@@ -1,13 +0,0 @@
-rule TrojanWin32LethicBSample
-{
- meta:
- Description = "Trojan.Lethic.sm"
- ThreatLevel = "5"
- strings:
- $ = "zaproxza" ascii wide
- $ = "93.190.137.51" ascii wide
- $ = "antaw" ascii wide
- $hex0 = { e8 ?? ?? ?? ?? 8b ?? ?? 52 e8 ?? ?? ?? ?? 8b ?? ?? 50 e8 ?? ?? ?? ?? 68 74 43 40 00 e8 ?? ?? ?? ?? 89 ?? ?? 6a 33 68 00 40 40 00 8b ?? ?? 51 e8 ?? ?? ?? ?? 8b ?? ?? 89 ?? ?? ?? ?? ?? 8b ?? ?? 83 ?? ?? ?? ?? ?? ?? 75 ?? e9 ?? ?? ?? ?? 8b ?? ??}
- condition:
- (2 of them) or (any of ($hex*))
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/g00dv1n/Trojan.Necurs.yar b/yara-mikesxrs/g00dv1n/Trojan.Necurs.yar
deleted file mode 100644
index 6a12dfc..0000000
--- a/yara-mikesxrs/g00dv1n/Trojan.Necurs.yar
+++ /dev/null
@@ -1,61 +0,0 @@
-rule TrojanWin32NecursSample
-{
- meta:
- Description = "Trojan.Necurs.sm"
- ThreatLevel = "5"
-
- strings:
- $ = "some stupid error %u" ascii wide
- $ = "loading" ascii wide
- $ = "unloading" ascii wide
- $ = "exception %08x %swhen %s at %p" ascii wide
- $ = "microsoft.com" ascii wide
- $ = "facebook.com" ascii wide
- $a = "NitrGB" ascii wide
- $ = "\\Installer\\{" ascii wide
- $ = "%s%0.8X-%0.4X-%0.4X-%0.4X-%0.8X%0.4X}\\" ascii wide
- $ = "syshost32" ascii wide
- $ = "%s\\svchost.exe" ascii wide
-
- condition:
- (8 of them) or $a
-}
-
-rule TrojanWinNTNecursSample
-{
- meta:
- Description = "Trojan.Necurs.sm"
- ThreatLevel = "5"
-
- strings:
- $a = "F:\\cut\\abler\\detecting\\overlapping\\am.pdb" ascii wide
- $ = "VirusBuster Ltd" ascii wide
- $ = "Beijing Jiangmin" ascii wide
- $ = "SUNBELT SOFTWARE" ascii wide
- $ = "Sunbelt Software" ascii wide
- $ = "K7 Computing" ascii wide
- $ = "Immunet Corporation" ascii wide
- $ = "Beijing Rising" ascii wide
- $ = "G DATA Software" ascii wide
- $ = "Quick Heal Technologies" ascii wide
- $ = "Comodo Security Solutions" ascii wide
- $ = "CJSC Returnil Software" ascii wide
- $ = "NovaShield Inc" ascii wide
- $ = "BullGuard Ltd" ascii wide
- $ = "Check Point Software Technologies Ltd" ascii wide
- $ = "Panda Software International" ascii wide
- $ = "Kaspersky Lab" ascii wide
- $ = "FRISK Software International Ltd" ascii wide
- $ = "ESET, spol. s r.o." ascii wide
- $ = "Doctor Web Ltd" ascii wide
- $ = "BitDefender SRL" ascii wide
- $ = "BITDEFENDER LLC" ascii wide
- $ = "Avira GmbH" ascii wide
- $ = "GRISOFT, s.r.o." ascii wide
- $ = "PC Tools" ascii wide
- $ = "ALWIL Software" ascii wide
- $ = "Agnitum Ltd" ascii wide
-
- condition:
- (8 of them) or $a
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/g00dv1n/Trojan.Nedsym.yar b/yara-mikesxrs/g00dv1n/Trojan.Nedsym.yar
deleted file mode 100644
index dcf7b9f..0000000
--- a/yara-mikesxrs/g00dv1n/Trojan.Nedsym.yar
+++ /dev/null
@@ -1,15 +0,0 @@
-rule TrojanWin32NedsymGSample
-{
- meta:
- Description = "Trojan.Nedsym.sm"
- ThreatLevel = "5"
-
- strings:
- $ = "qwertyuiopasdfghjklzxcvbnm123456789" ascii wide
- $ = "svcnost.exe" ascii wide
- $ = "Windows Init" ascii wide
- $ = "\\drivers\\etc\\hosts" ascii wide
-
- condition:
- 2 of them
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/g00dv1n/Trojan.Neurevt.yar b/yara-mikesxrs/g00dv1n/Trojan.Neurevt.yar
deleted file mode 100644
index bbea958..0000000
--- a/yara-mikesxrs/g00dv1n/Trojan.Neurevt.yar
+++ /dev/null
@@ -1,117 +0,0 @@
-rule TrojanWin32NeurevtA_BackDoor
-{
- meta:
- Description = "Trojan.Neurevt.sm"
- ThreatLevel = "5"
-
- strings:
- $ = "%s\\__%08x.lnk" ascii wide
- $ = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\%s" ascii wide
- $ = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce" ascii wide
- $ = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" ascii wide
- $ = "SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run" ascii wide
- $ = "{2227A280-3AEA-1069-A2DE-08002B30309D}" ascii wide
- $ = "schtasks.exe" ascii wide
- $ = "SYSTEM\\CurrentControlSet\\Control\\Session Manager" ascii wide
- $ = "Software\\Classes\\CLSID\\%s\\%08X\\%s" ascii wide
- $ = "%s\\%08X.pif" ascii wide
- $ = "Windows ha detectado una carpeta da" ascii wide
- $ = "Mostrar Detalles" ascii wide
- $ = "Mas informaci" ascii wide
- $ = "Restaurar archivos" ascii wide
- $ = "Restaurar archivos y chequear el disco en busca de errores" ascii wide
- $ = "Erro de Disco Cr" ascii wide
- $ = "O Windows encontrou uma pasta corrompida no seu disco r" ascii wide
- $ = "Mostrar detalhes" ascii wide
- $ = "Mais detalhes sobre esse erro" ascii wide
- $ = "Restaurar os arquivos" ascii wide
- $ = "Restaurar os arquivos e verificar erros no disco" ascii wide
- $ = "Kritischer Festplattenfehler" ascii wide
- $ = "Windows hat einen fehlerhaften Ordner auf deiner Festplatte vorgefunden." ascii wide
- $ = "Mehrere fehlerhafte Dateien wurden in dem Ordner 'Eigene Dokumente' gefunden. 
Um Datenverlust zu ver" ascii wide
- $ = "Details anzeigen" ascii wide
- $ = "Mehr Details zu diesem Fehler" ascii wide
- $ = "Dateien wiederherstellen" ascii wide
- $ = "Dateien wiederherstellen und Festplatte auf Fehler " ascii wide
- $ = "Erreur Critique" ascii wide
- $ = "Windows a trouv" ascii wide
- $ = "Plusieurs fichiers corrompu sont trouv" ascii wide
- $ = "Montre d" ascii wide
- $ = "Plus de d" ascii wide
- $ = "Kritieke foutmelding" ascii wide
- $ = "Windows heeft een beschadigde map gevonden" ascii wide
- $ = "Meerdere beschadigde bestanden zijn in de map 'Mijn Documenten' gevonden. Om dataverlies te voorkome" ascii wide
- $ = "Toon details" ascii wide
- $ = "Meer details over deze foutmelding" ascii wide
- $ = "Herstel bestanden" ascii wide
- $ = "Herstel bestanden en controleer de harde schijf voor errors" ascii wide
- $ = "Kritik disk hatas" ascii wide
- $ = "Windows sabit diskinizde bozuk bir klas" ascii wide
- $ = "Bu hata hakk" ascii wide
- $ = "Dosyalar" ascii wide
- $ = "Hata ayr" ascii wide
- $ = "Kritis Disk Kesalahan" ascii wide
- $ = "Windows telah mengalami rusak folder pada hard drive Anda" ascii wide
- $ = "Beberapa file rusak telah ditemukan di folder 'My Documents'. Untuk mencegah kerugian serius data, p" ascii wide
- $ = "Tampilkan detail" ascii wide
- $ = "Lebih rinci tentang kesalahan ini" ascii wide
- $ = "mengembalikan file" ascii wide
- $ = "Kembalikan file dan memeriksa disk untuk kesalahan" ascii wide
- $ = "Errore critico dell'hard disk" ascii wide
- $ = "Windows ha trovato una cartella corrotta nel vostro hard disk." ascii wide
- $ = "Mostra dettagli" ascii wide
- $ = "Maggiori dettagli su quest'errore" ascii wide
- $ = "Ripristina i file" ascii wide
- $ = "Ripristina i file e controlla il disco per errori." 
ascii wide
- $ = "Kriittinen Levy Virhe" ascii wide
- $ = "Windows on t" ascii wide
- $ = "Useita korruptoituneita tiedostoja on l" ascii wide
- $ = "Palauta tiedostot" ascii wide
- $ = "Palauta tiedostot ja etsi virheit" ascii wide
- $ = "Problem, krytyczny stan dysku" ascii wide
- $ = "Windows znalazl korupcyjny folder w twoim twardym dysku." ascii wide
- $ = "Duza ilosc zepsutych plikow zostala znaleziona w swoim folderze 'My Documents'. Zeby zachowac pamiec" ascii wide
- $ = "Pokaz wiecej informacji" ascii wide
- $ = "Wiecej danych na temat bledu" ascii wide
- $ = "Przywracanie plik" ascii wide
- $ = "Critical Disk Error" ascii wide
- $ = "Windows has encountered a corrupted folder on your hard drive" ascii wide
- $ = "Multiple corrupted files have been found in the folder 'My Documents'. To prevent serious loss of da" ascii wide
- $ = "Show details" ascii wide
- $ = "More details about this error" ascii wide
- $ = "Restore files and check disk for errors" ascii wide
- $ = "http://answers.microsoft.com/en-us/windows/forum/windows_vista-windows_programs/corrupted-documents-folder/e2a7660f-8eea-4f27-b2e6-e77a0f0c1535" ascii wide
- $ = "uac" ascii wide
- $ = "nuac" ascii wide
- $ = "Has denegado los privilegios de Windows para la utilidad de restauraci" ascii wide
- $ = "Error en los privilegios" ascii wide
- $ = "Erro de privil" ascii wide
- $ = "Sie verweigerten Windows die Privilegien, das Dateiwiederherstellungswerkzeug zu nutzen. Bitte w" ascii wide
- $ = "Privilegfehler" ascii wide
- $ = "Vous avez rejet" ascii wide
- $ = "Erreur de privil" ascii wide
- $ = "U heeft de nodige rechten afgewezen voor de Windows herstelprocedure. Selecteer JA op de volgende UA" ascii wide
- $ = "Toestemming error" ascii wide
- $ = "Windows dosya restorasyon program" ascii wide
- $ = "Izin hatas" ascii wide
- $ = "Anda menyangkal hak-hak istimewa yang tepat untuk utilitas restorasi file Windows. 
Silakan pilih YES" ascii wide
- $ = "Privilege Kesalahan" ascii wide
- $ = "Hai negato i privilegi necessari a Windows per riparare i file. Selezione \"Si\" nella seguente finest" ascii wide
- $ = "Errore nei privilegi" ascii wide
- $ = "Et sallinut oikeuksia Windowsin tiedostojen palautus ohjelmistolle. Ole hyv" ascii wide
- $ = "Windows file restoration utility" ascii wide
- $ = "You denied the proper privileges to the Windows file restoration utility. Please select YES on the f" ascii wide
- $ = "Privilege Error" ascii wide
- $ = "local ip detected" ascii wide
-
- $hex0 = { 55 8b ec 81 ec 04 01 00 00 83 ?? ?? ?? 56 57 0f ?? ?? ?? ?? ?? 8b ?? ?? e8 ?? ?? ?? ?? 85 c0 0f ?? ?? ?? ?? ?? be 34 71 42 00 8b ce e8 ?? ?? ?? ?? 85 c0 0f ?? ?? ?? ?? ?? 8b ?? ?? ?? ?? ?? 81 c2 ae 17 00 00 8b ca e8 ?? ?? ?? ?? 83 f8 08 0f ?? ?? ?? ?? ?? 52 e8 ?? ?? ?? ?? 8b f8 85 ff 74 ?? 68 04 01 00 00 6a 00 8d ?? ?? ?? ?? ?? 50 e8 ?? ?? ?? ?? a1 ?? ?? ?? ?? 56 ff ?? ?? ?? ?? ?? 8d ?? ?? ?? ?? ?? 57 68 68 a3 42 00 50 ff ?? ?? ?? ?? ?? 83 c4 14 57 e8 ?? ?? ?? ?? e8 ?? ?? ?? ?? 68 d2 04 00 00 ff ?? ?? ?? ?? ?? 8b f0 ff ?? ?? ?? ?? ?? ff ?? ?? 8d ?? ?? ?? ?? ?? 50 e8 ?? ?? ?? ?? 8b f8 83 fe 01 75 ?? 6a 00 ff ?? ?? ?? ?? ?? ff ?? ?? ?? ?? ?? 8b c7 eb ?? 33 c0 5f 5e c9 c2 04 00 55}
- $hex1 = { 55 8b ec 81 ec 04 01 00 00 53 33 db 57 39 ?? ?? 0f ?? ?? ?? ?? ?? 8b ?? ?? 3b cb 0f ?? ?? ?? ?? ?? 39 ?? ?? 0f ?? ?? ?? ?? ?? 3b f3 0f ?? ?? ?? ?? ?? 39 ?? 0f ?? ?? ?? ?? ?? e8 ?? ?? ?? ?? 85 c0 0f ?? ?? ?? ?? ?? 8b ?? ?? e8 ?? ?? ?? ?? 85 c0 0f ?? ?? ?? ?? ?? 8b ?? ?? ?? ?? ?? 81 c2 ae 17 00 00 8b ca e8 ?? ?? ?? ?? 83 f8 08 0f ?? ?? ?? ?? ?? 52 e8 ?? ?? ?? ?? 8b f8 3b fb 0f ?? ?? ?? ?? ?? 68 04 01 00 00 53 8d ?? ?? ?? ?? ?? 50 e8 ?? ?? ?? ?? ff ?? ?? a1 ?? ?? ?? ?? ff ?? ?? ?? ?? ?? 8d ?? ?? ?? ?? ?? 57 68 68 a3 42 00 50 ff ?? ?? ?? ?? ?? 83 c4 14 57 e8 ?? ?? ?? ?? e8 ?? ?? ?? ?? 68 d2 04 00 00 ff ?? ?? ?? ?? ?? 8b f8 ff ?? ?? ?? ?? ?? ff ?? ?? 8b ?? ff ?? ?? 8d ?? ?? ?? ?? ?? 50 68 01 00 00 80 e8 ?? ?? 
?? ?? 89 ?? 83 ff 01 75 ?? 53 ff ?? ?? ?? ?? ?? ff ?? ?? ?? ?? ?? 39 ?? 0f 95 c0 eb ?? 32 c0 5f 5b c9 c2 0c 00}
- $hex2 = { 55 8b ec 81 ec 98 06 00 00 8b cf e8 ?? ?? ?? ?? 83 f8 01 73 ?? 33 c0 40 c9 c3 53 56 57 32 db ff ?? ?? ?? ?? ?? 68 08 02 00 00 8b f0 6a 00 8d ?? ?? ?? ?? ?? 50 e8 ?? ?? ?? ?? 68 03 01 00 00 57 8d ?? ?? ?? ?? ?? 50 ff ?? ?? ?? ?? ?? 8d ?? ?? ?? ?? ?? 50 ff ?? ?? ?? ?? ?? a1 ?? ?? ?? ?? 05 f2 14 00 00 50 56 ff ?? ?? ?? ?? ?? 85 c0 74 ?? a1 ?? ?? ?? ?? 05 f2 14 00 00 50 8b d7 e8 ?? ?? ?? ?? 85 c0 78 ?? 33 c0 40 e9 ?? ?? ?? ?? 8d ?? ?? ?? ?? ?? 50 e8 ?? ?? ?? ?? 57 e8 ?? ?? ?? ?? be 80 00 00 00 eb ?? ff ?? ?? ?? ?? ?? 83 f8 05 75 ?? 84 db 75 ?? 8b cf e8 ?? ?? ?? ?? 83 f8 01 72 ?? 57 e8 ?? ?? ?? ?? b3 01 56 57 ff ?? ?? ?? ?? ?? 85 c0 74 ?? 57 ff ?? ?? ?? ?? ?? 8b f0 85 f6 74 ?? 68 00 c1 42 00 56 ff ?? ?? ?? ?? ?? 85 c0 0f ?? ?? ?? ?? ?? 68 0c c1 42 00 56 ff ?? ?? ?? ?? ?? 85 c0 0f ?? ?? ?? ?? ?? 6a 5c 5e 8b d7 e8 ?? ?? ?? ?? 40 50 57 8d ?? ?? ?? ?? ?? 50 ff ?? ?? ?? ?? ?? ff ?? ?? ?? ?? ?? 50 8d ?? ?? ?? ?? ?? 50 8d ?? ?? ?? ?? ?? 68 18 c1 42 00 50 ff ?? ?? ?? ?? ?? 83 c4 10 6a 08 8d ?? ?? ?? ?? ?? 50 57 ff ?? ?? ?? ?? ?? 85 c0 75 ?? 6a 04 50 57 ff ?? ?? ?? ?? ?? 57 ff ?? ?? ?? ?? ?? 8d ?? ?? ?? ?? ?? 50 ff ?? ?? ?? ?? ?? 85 c0 75 ?? 68 8c 00 00 00 ff ?? ?? ?? ?? ?? 8d ?? ?? ?? ?? ?? 50 ff ?? ?? ?? ?? ?? ff ?? ?? ?? ?? ?? 83 f8 05 75 ?? 8b cf e8 ?? ?? ?? ?? 83 f8 01 72 ?? 57 e8 ?? ?? ?? ?? eb ?? 32 c0 fe c8 0f b6 c0 f7 d8 1b c0 83 e0 02 eb ?? 6a 03 58 eb ?? 33 c0 5e 5b c9 c3}
- $hex3 = { 55 8b ec 83 e4 f8 51 8b ?? ?? 57 85 d2 0f ?? ?? ?? ?? ?? 0f ?? ?? 66 85 c9 0f ?? ?? ?? ?? ?? 0f ?? ?? ?? 83 e8 00 0f ?? ?? ?? ?? ?? 48 74 ?? 48 0f ?? ?? ?? ?? ?? 48 0f ?? ?? ?? ?? ?? b8 1c 03 00 00 66 3b c8 0f ?? ?? ?? ?? ?? a1 ?? ?? ?? ?? 0f ?? ?? ?? 50 e8 ?? ?? ?? ?? 3c 01 0f ?? ?? ?? ?? ?? 52 e8 ?? ?? ?? ?? e9 ?? ?? ?? ?? b8 18 01 00 00 66 3b c8 75 ?? a1 ?? ?? ?? ?? 83 ?? ?? ?? 74 ?? 8d ?? ?? 8b cf e8 ?? ?? ?? ?? 83 f8 02 76 ?? 8b ?? ?? f6 c2 01 74 ?? e8 ?? ?? ?? 
?? 83 f8 fe 75 ?? a1 ?? ?? ?? ?? 03 c0 e8 ?? ?? ?? ?? e8 ?? ?? ?? ?? eb ?? f6 c2 02 74 ?? 57 e8 ?? ?? ?? ?? eb ?? f6 c2 04 74 ?? e8 ?? ?? ?? ?? eb ?? b8 24 14 00 00 66 3b c8 75 ?? a1 ?? ?? ?? ?? 0f ?? ?? ?? 50 e8 ?? ?? ?? ?? 3c 01 75 ?? 8b c2 e8 ?? ?? ?? ?? 33 c0 40 eb ?? 33 c0 5f 8b e5 5d c2 04 00}
- $hex4 = { 8b ?? ?? c6 ?? ?? ?? ?? ff ?? ?? 83 f9 37 8b ?? ?? 7e ?? eb ?? c6 ?? ?? ?? ?? ff ?? ?? 8b ?? ?? 83 f9 40 7c ?? e8 ?? ?? ?? ?? eb ?? 8b ?? ?? c6 ?? ?? ?? ?? ff ?? ?? 83 ?? ?? ?? 7c ?? eb ?? c6 ?? ?? ?? ?? ff ?? ?? 8b ?? ?? 83 f9 38 7c ?? 8a ?? ?? 88 ?? ?? 8a ?? ?? 88 ?? ?? 8a ?? ?? 88 ?? ?? 8a ?? ?? 88 ?? ?? 8a ?? ?? 88 ?? ?? 8a ?? ?? 88 ?? ?? 8a ?? ?? 88 ?? ?? 8a ?? ?? 88 ?? ?? e9 ?? ?? ?? ??}
- $hex5 = { 55 8b ec 51 51 56 33 f6 57 8b f9 3b c6 74 ?? 39 ?? ?? 74 ?? 3b fe 74 ?? 39 ?? ?? 74 ?? 6a 07 5a 39 ?? ?? 72 ?? 89 ?? ?? 89 ?? ?? 39 ?? ?? 76 ?? 53 eb ?? 33 f6 3b ?? ?? 77 ?? 8b ?? ?? 8d ?? ?? ?? 8a ?? ?? 3a ?? ?? 75 ?? ff ?? ?? 83 ?? ?? ?? 75 ?? 8d ?? ?? eb ?? 8a ?? ?? 88 ?? ?? 41 3b ca 72 ?? ff ?? ?? 46 83 fe 07 72 ?? eb ?? 83 ?? ?? ?? 42 8d ?? ?? 4f 3b ?? ?? 72 ?? 5b 8b ?? ?? eb ?? 83 c8 ff 5f 5e c9 c2 08 00}
-
-
- condition:
- (10 of them) or (any of ($hex*))
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/g00dv1n/Trojan.PowerLoader.yar b/yara-mikesxrs/g00dv1n/Trojan.PowerLoader.yar
deleted file mode 100644
index 881197c..0000000
--- a/yara-mikesxrs/g00dv1n/Trojan.PowerLoader.yar
+++ /dev/null
@@ -1,22 +0,0 @@
-rule MalwarePowerLoaderSample
-{
- meta:
- Description = "Trojan.PowerLoader.sm"
- ThreatLevel = "5"
-
- strings:
- $str_1 = "powerloader" ascii wide
-
- $ = "inject64_section" ascii wide
- $ = "inject64_event" ascii wide
- $ = "inject_section" ascii wide
- $ = "inject_event" ascii wide
- $ = "loader.dat" ascii wide
- $ = "Inject64End" ascii wide
- $ = "Inject64Normal" ascii wide
- $ = "Inject64Start" ascii wide
- $ = "UacInject64End" ascii wide
- $ = "UacInject64Start" ascii wide
- condition:
- (2 of them) or (any of ($str_*))
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/g00dv1n/Trojan.Ransom.yar b/yara-mikesxrs/g00dv1n/Trojan.Ransom.yar
deleted file mode 100644
index b79bbff..0000000
--- a/yara-mikesxrs/g00dv1n/Trojan.Ransom.yar
+++ /dev/null
@@ -1,56 +0,0 @@
-rule TrojanRansomRevetonSample
-{
- meta:
- Description = "Trojan.Reveton.sm"
- ThreatLevel = "5"
-
- strings:
- $a = "JimmMonsterNew" ascii wide
- $ = "regedit.exe" ascii wide
- $ = "rundll32.exe" ascii wide
- $ = "msconfig.lnk" ascii wide
- $ = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon" ascii wide
- $ = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell" ascii wide
- $ = "Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ctfmon.exe" ascii wide
- condition:
- (3 of them) or $a
-}
-
-rule TrojanWin32UrausySampleA
-{
- meta:
- Description = "Trojan.Urausy.sm"
- ThreatLevel = "5"
-
- strings:
- $a = { 55 89 E5 53 56 57 83 0D ?? ?? ?? ?? 01 31 C0 5F 5E 5B C9 C2 04 00 }
- $b = { FF 15 ?? ?? ?? ?? 09 C0 0F 84 ?? ?? ?? ?? 8B 75 ?? 89 C3 6A 01 6A FF 6A 05 56 E8 }
-
- condition:
- $a and $b
-}
-
-rule TrojanRansomWin32TobfySample
-{
- meta:
- Description = "Trojan.Tobfy.sm"
- ThreatLevel = "5"
-
- strings:
- $ = "http://62.109.28.231/gtx3d16bv3/upload/img.jpg" ascii wide
- $ = "http://62.109.28.231/gtx3d16bv3/upload/mp3.mp3" ascii wide
-
- $ = "Pay MoneyPak" ascii wide
- $ = "You have 72 hours to pay the fine!" ascii wide
- $ = "Wait! Your request is processed within 24 hours." ascii wide
- $a = "G:\\WORK\\WORK_PECEPB\\Work_2012 Private\\Project L-0-ck_ER\\NEW Extern\\inject\\injc\\Release\\injc.pdb" ascii wide
- $b = "G:\\WORK\\WORK_PECEPB\\Work_2012 Private\\Project L-0-ck_ER\\Version V 1.0\\V1.0\\Release\\te.pdb" ascii wide
- $ = "picture.php?pin=" ascii wide
- $ = "s\\sound.mp3" ascii wide
- $ = "s\\1.jpg" ascii wide
- $ = "s\\1.bmp" ascii wide
- $ = "getunlock.php" ascii wide
-
- condition:
- (4 of them) or $a or $b
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/g00dv1n/Trojan.Regin.yar b/yara-mikesxrs/g00dv1n/Trojan.Regin.yar
deleted file mode 100644
index 1a64ed5..0000000
--- a/yara-mikesxrs/g00dv1n/Trojan.Regin.yar
+++ /dev/null
@@ -1,101 +0,0 @@
-rule Regin_APT_KernelDriver_Generic_A {
- meta:
- Description = "Trojan.Regin.A.sm"
- ThreatLevel = "5"
- strings:
- $m1 = { 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e }
-
- $s0 = "atapi.sys" fullword wide
- $s1 = "disk.sys" fullword wide
- $s3 = "h.data" fullword ascii
- $s4 = "\\system32" fullword ascii
- $s5 = "\\SystemRoot" fullword ascii
- $s6 = "system" fullword ascii
- $s7 = "temp" fullword ascii
- $s8 = "windows" fullword ascii
-
- $x1 = "LRich6" fullword ascii
- $x2 = "KeServiceDescriptorTable" fullword ascii
- condition:
- $m1 and all of ($s*) and 1 of ($x*)
-}
-
-rule Regin_APT_KernelDriver_Generic_B {
- meta:
- Description = "Trojan.Regin.B.sm"
- ThreatLevel = "5"
- strings:
- $s1 = { 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e }
- $s2 = "H.data" fullword ascii nocase
- $s3 = "INIT" fullword ascii
- $s4 = "ntoskrnl.exe" fullword ascii
-
- $v1 = "\\system32" fullword ascii
- $v2 = "\\SystemRoot" fullword ascii
- $v3 = "KeServiceDescriptorTable" fullword ascii
-
- $w1 = "\\system32" fullword ascii
- $w2 = "\\SystemRoot" fullword ascii
- $w3 = "LRich6" fullword ascii
-
- $x1 = "_snprintf" fullword ascii
- $x2 = "_except_handler3" fullword ascii
-
- $y1 = "mbstowcs" fullword ascii
- $y2 = "wcstombs" fullword ascii
- $y3 = "KeGetCurrentIrql" fullword ascii
-
- $z1 = "wcscpy" fullword ascii
- $z2 = "ZwCreateFile" fullword ascii
- $z3 = "ZwQueryInformationFile" fullword ascii
- $z4 = "wcslen" fullword ascii
- $z5 = "atoi" fullword ascii
- condition:
- all of ($s*) and ( all of ($v*) or all of ($w*) or all of ($x*) or all of ($y*) or all of ($z*) )
-}
-
-rule Regin_APT_KernelDriver_Generic_C {
- meta:
- Description = "Trojan.Regin.C.sm"
- ThreatLevel = "5"
- /*description = "Generic rule for Regin APT kernel driver 
Malware - Symantec http://t.co/qu53359Cb2"
- author = "@Malwrsignatures - included in APT Scanner THOR"
- date = "23.11.14"
- hash1 = "e0895336617e0b45b312383814ec6783556d7635"
- hash2 = "732298fa025ed48179a3a2555b45be96f7079712" */
- strings:
-
- $s0 = "KeGetCurrentIrql" fullword ascii
- $s1 = "5.2.3790.0 (srv03_rtm.030324-2048)" fullword wide
- $s2 = "usbclass" fullword wide
-
- $x1 = "PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING" ascii
- $x2 = "Universal Serial Bus Class Driver" fullword wide
- $x3 = "5.2.3790.0" fullword wide
-
- $y1 = "LSA Shell" fullword wide
- $y2 = "0Richw" fullword ascii
- condition:
- all of ($s*) and ( all of ($x*) or all of ($y*) )
-}
-
-rule Regin_sig_svcsstat {
- meta:
- Description = "Trojan.Regin.sm"
- ThreatLevel = "5"
- /*description = "Detects svcstat from Regin report - file svcsstat.exe_sample"
- author = "@Malwrsignatures"
- date = "25.11.14"
- score = 70
- hash = "5164edc1d54f10b7cb00a266a1b52c623ab005e2"*/
- strings:
- $s0 = "Service Control Manager" fullword ascii
- $s1 = "_vsnwprintf" fullword ascii
- $s2 = "Root Agency" fullword ascii
- $s3 = "Root Agency0" fullword ascii
- $s4 = "StartServiceCtrlDispatcherA" fullword ascii
- $s5 = "\\\\?\\UNC" fullword ascii
- $s6 = "%ls%ls" fullword wide
- condition:
- all of them and filesize < 15KB and filesize > 10KB
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/g00dv1n/Trojan.Rovnix.yar b/yara-mikesxrs/g00dv1n/Trojan.Rovnix.yar
deleted file mode 100644
index 7445696..0000000
--- a/yara-mikesxrs/g00dv1n/Trojan.Rovnix.yar
+++ /dev/null
@@ -1,36 +0,0 @@
-rule TrojanWin32RovnixSample
-{
- meta:
- Description = "Trojan.Rovnix.sm"
- ThreatLevel = "5"
- strings:
- $ = "dropper.exe" ascii wide
- $ = "dropper_x64.exe" ascii wide
- $ = "Inject64Start" ascii wide
- $ = "Inject64End" ascii wide
- $ = "Inject64Normal" ascii wide
- $ = "inject_section" ascii wide
- $ = "inject_event" ascii wide
- $ = "0:/plugins/%s" ascii wide
- $ = "0:/plugins/base" ascii wide
- $ = "0:/plugins/base/binary" ascii wide
- $ = "0:/plugins/base/mask" ascii wide
- $ = "0:/plugins/base/version" ascii wide
- $ = "0:/plugins/base/once" ascii wide
- $ = "0:/plugins/rootkit" ascii wide
- $ = "0:/plugins/rootkit/binary" ascii wide
- $ = "0:/plugins/rootkit/version" ascii wide
- $ = "0:/plugins/rootkit/binary" ascii wide
- $ = "0:\\storage\\keylog" ascii wide
- $ = "0:\\storage\\config" ascii wide
- $ = "0:\\storage\\intrnl" ascii wide
- $ = "0:\\storage\\passw" ascii wide
- $ = "0:\\storage\\hunter" ascii wide
- $ = "0:/hidden" ascii wide
- $ = "0:/hidden/%s" ascii wide
- $ = "0:/hidden/%s/path" ascii wide
- $ = "0:/hidden/%s/binary" ascii wide
- $ = "0:/hidden/%s/mask" ascii wide
- condition:
- 3 of them
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/g00dv1n/Trojan.Simda.yar b/yara-mikesxrs/g00dv1n/Trojan.Simda.yar
deleted file mode 100644
index 37c15cc..0000000
--- a/yara-mikesxrs/g00dv1n/Trojan.Simda.yar
+++ /dev/null
@@ -1,19 +0,0 @@
-rule TrojanDroppedBackdoorWin32SimdaSample
-{
- meta:
- Description = "Trojan.Simda.sm"
- ThreatLevel = "5"
-
- strings:
- $ = ".driver" ascii wide
- $ = ".userm" ascii wide
- $ = ".uac64" ascii wide
- $ = ".mcp" ascii wide
- $ = ".cfgbin" ascii wide
- $ = ".uacdll" ascii wide
- $ = "%s\\%s.sys" ascii wide
- $ = "%s\\%s.exe" ascii wide
- $ = "%appdata%\\ScanDisc.exe" ascii wide
- condition:
- 4 of them
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/g00dv1n/Trojan.Sirefef.yar b/yara-mikesxrs/g00dv1n/Trojan.Sirefef.yar
deleted file mode 100644
index f9a139f..0000000
--- a/yara-mikesxrs/g00dv1n/Trojan.Sirefef.yar
+++ /dev/null
@@ -1,180 +0,0 @@ -// Rule - Dropped file from Trojan Sirefef / ZeroAccess. -rule TrojanSirefefZerroAccess -{ - meta: - Description = "Trojan.Sirefef.sm" - ThreatLevel = "5" - - strings: - - //$ = "n64" ascii wide - //$ = "n32" ascii wide - //$ = "$Recycle.Bin\\" ascii wide - $ = "\\$%08x%04x%04x%02x%02x%02x%02x%02x%02x%02x%02x" ascii wide - //$ = "{%08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x}" ascii wide - - - $ = "%wZ\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders" ascii wide - $ = "%wZ\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" ascii wide - $ = "%wZ\\Software\\Classes\\clsid" ascii wide - $ = "\\registry\\MACHINE\\SYSTEM\\CurrentControlSet\\Services\\" ascii wide - $ = "\\registry\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" ascii wide - - $ = "\\systemroot\\system32\\config" ascii wide - $ = "\\??\\ACPI#PNP0303#2&da1a3ff&0" ascii wide - $ = "GoogleUpdate.exe" ascii wide - $ = "Google Update Service (gupdate)" ascii wide - $ = "%sU\\%08x.@" ascii wide - $ = "\\??\\%sU" ascii wide - $ = "\\??\\%s@" ascii wide - $ = "%08x.@" ascii wide - $ = "%08x.$" ascii wide - $ = "%08x.~" ascii wide - $ = "\\??\\%08x" ascii wide - $ = "\\n." ascii wide - $ = "wbem\\fastprox.dll" ascii wide - - $ = "c:\\windows\\system32\\z" ascii wide - $s1 = "e:\\sz\\x64\\release\\InCSRSS.pdb" ascii wide - - $s2 = "C:\\Jinket\\Lownza\\Kueshmmba\\de.pdb" ascii wide - $s3 = "E:\\Marlne\\Bensjo\\Ernstedun\\Rugriayid\\Wasp851.pdb" ascii wide - - $hex0 = { 55 8b ec 83 ec 48 53 56 57 ff ?? ?? ?? ?? ?? ff ?? ?? ?? ?? ?? 8d ?? ?? ?? 59 8b c6 e8 ?? ?? ?? ?? 8b c6 89 ?? ?? e8 ?? ?? ?? ?? 8b ?? ?? ?? ?? ?? 89 ?? ?? ff ?? ?? ?? ?? ?? 68 08 54 30 6a ff ?? ?? ff d6 ff ?? ?? ?? ?? ?? 68 18 54 30 6a ff ?? ?? ff d6 83 c4 18 83 ?? ?? ?? ?? ?? ?? 75 ?? 8b ?? ?? ?? ?? ?? bb 98 70 30 6a bf 00 00 10 00 eb ?? ff ?? ?? ff ?? ?? ?? ?? ?? 68 a0 0f 00 00 ff ?? ?? ?? ?? ?? 53 57 8d ?? ?? 50 ff d6 85 c0 7d ?? 68 60 ea 00 00 ff ?? ?? ?? ?? ?? bb 54 70 30 6a eb ?? 
ff ?? ?? ff ?? ?? ?? ?? ?? 6a 01 68 e0 93 04 00 ff ?? ?? ?? ?? ?? ff ?? ?? e8 ?? ?? ?? ?? 53 57 8d ?? ?? 50 ff d6 85 c0 7d ?? bf 20 71 30 6a 57 ff ?? ?? ?? ?? ?? 6a 00 ff ?? ?? 8d ?? ?? e8 ?? ?? ?? ?? 50 6a 00 ff ?? ?? 8d ?? ?? e8 ?? ?? ?? ?? 50 e8 ?? ?? ?? ?? 57 ff ?? ?? ?? ?? ?? 33 c0 8d ?? ?? 5f 5e 5b c9 c2 04 00} - $hex1 = { 55 8b ec 83 ec 18 56 57 8d ?? ?? 50 e8 ?? ?? ?? ?? 85 c0 0f ?? ?? ?? ?? ?? be 00 08 00 00 8b c6 e8 ?? ?? ?? ?? 8b fc 33 c0 b9 30 00 fe 7f 66 ?? ?? ?? 66 ?? ?? ?? 89 ?? ?? 0f ?? ?? 0f ?? ?? ?? 8b ?? ?? 66 ?? ?? ?? 66 ?? ?? ?? 41 41 66 83 f8 5c 75 ?? 66 ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? b8 28 55 30 6a 72 ?? b8 3c 55 30 6a 50 8d ?? ?? 50 ff ?? ?? ?? ?? ?? 66 ?? ?? ?? 66 ?? ?? ?? 0f b7 c8 01 ?? ?? 33 c0 50 66 ?? ?? ?? 8b ?? ?? ff ?? 8d ?? ?? 50 ff ?? ?? ?? ?? ?? 85 c0 0f ?? ?? ?? ?? ?? 0f ?? ?? ?? 0f ?? ?? ?? 2b c8 83 f9 50 0f ?? ?? ?? ?? ?? 0f ?? ?? ?? 51 0f ?? ?? ?? 51 0f ?? ?? ?? 51 0f ?? ?? ?? 51 0f ?? ?? ?? 51 0f ?? ?? ?? 51 0f ?? ?? ?? 51 0f ?? ?? ?? 51 0f ?? ?? ?? 51 0f ?? ?? ?? 51 ff ?? ?? 8b ?? ?? 03 c1 68 58 55 30 6a 50 ff ?? ?? ?? ?? ?? 57 ff ?? ?? ?? ?? ?? 83 c4 38 6a 02 5a 40 33 c9 f7 e2 0f 90 c1 f7 d9 0b c1 50 6a 00 ff ?? ?? ?? ?? ?? a3 ?? ?? ?? ?? 85 c0 74 ?? 57 50 ff ?? ?? ?? ?? ?? 59 33 c0 59 40 eb ?? 33 c0 8d ?? ?? 5f 5e c9 c2 04 00} - $hex2 = { 8b ?? ?? ?? 83 e8 00 74 ?? 48 75 ?? ff ?? ?? ?? ff ?? ?? ?? ?? ?? ff ?? ?? ?? e8 ?? ?? ?? ?? e8 ?? ?? ?? ?? 85 c0 74 ?? e8 ?? ?? ?? ?? 85 c0 74 ?? 6a 00 6a 00 ff ?? ?? ?? 68 62 13 30 6a 68 00 00 08 00 6a 00 ff ?? ?? ?? ?? ?? eb ?? a1 ?? ?? ?? ?? 85 c0 74 ?? 50 ff ?? ?? ?? ?? ?? a1 ?? ?? ?? ?? 85 c0 74 ?? 50 ff ?? ?? ?? ?? ?? 33 c0 40 c2 0c 00} - $hex3 = { 55 8b ec 51 51 53 56 8b ?? ?? 56 ff ?? ?? ?? ?? ?? 8b d8 85 db 0f ?? ?? ?? ?? ?? 57 6a 40 68 00 10 00 00 ff ?? ?? 6a 00 ff ?? ?? ?? ?? ?? 8b f8 89 ?? ?? 85 ff 0f ?? ?? ?? ?? ?? 8b ?? ?? f3 ?? 0f ?? ?? ?? 0f ?? ?? ?? 8d ?? ?? ?? 83 c0 0c 8b ?? 8b ?? ?? 8b ?? ?? 03 f1 03 f9 8b ?? ?? 83 c0 28 4a f3 ?? 75 ?? 8b ?? ?? 8b ?? ?? ?? ?? ?? 2b ?? 
?? 8d ?? ?? 50 6a 05 6a 01 ff ?? ?? ff d7 85 c0 74 ?? eb ?? 8b ?? ?? 29 ?? ?? 56 8d ?? ?? 8b ?? 03 ?? ?? 83 c1 f8 52 d1 e9 51 50 ff ?? ?? ?? ?? ?? 83 ?? ?? ?? 75 ?? 8d ?? ?? 50 6a 01 6a 01 ff ?? ?? ff d7 85 c0 74 ?? 8d ?? ?? 8b ?? 85 c0 74 ?? 8b f1 8b ?? ?? 03 c1 50 ff ?? ?? ?? ?? ?? 83 c6 14 8b ?? 85 c0 75 ?? 8b ?? ?? 5f 5e 5b c9 c2 04 00} - $hex4 = { 8b ?? ?? ?? ?? ?? b8 00 20 00 00 66 ?? ?? ?? ?? ?? ?? 75 ?? e8 ?? ?? ?? ?? 8b ?? ?? ?? 48 75 ?? 56 ff ?? ?? ?? ff ?? ?? ?? ?? ?? 33 f6 56 6a 04 56 68 0a 1d 40 00 56 56 ff ?? ?? ?? ?? ?? a3 ?? ?? ?? ?? 3b c6 74 ?? 56 50 ff ?? ?? ?? ?? ?? 5e b0 01 c2 0c 00} - $hex5 = { 55 8b ec 83 e4 f8 83 ec 34 53 56 57 33 db 53 6a 18 8d ?? ?? ?? 50 53 ff ?? ?? ff ?? ?? ?? ?? ?? 85 c0 0f ?? ?? ?? ?? ?? 8b ?? ?? ?? 89 ?? ?? ?? 33 c0 8d ?? ?? ?? ab 8d ?? ?? ?? 50 68 00 90 42 00 68 ff ff 1f 00 8d ?? ?? 50 ff ?? ?? ?? ?? ?? 85 c0 0f ?? ?? ?? ?? ?? 8b ?? ?? 8b ?? ?? ?? ?? ?? 3b c3 74 ?? 48 50 ff ?? ?? e8 ?? ?? ?? ?? e9 ?? ?? ?? ?? 8b ?? ?? ?? ?? ?? 6a 02 53 53 8d ?? ?? ?? 50 ff ?? ?? 6a ff 6a ff ff d6 85 c0 7c ?? 6a 02 53 53 8d ?? ?? ?? 50 ff ?? ?? 6a fe 6a ff ff d6 85 c0 7c ?? 6a 20 53 8d ?? ?? ?? 50 68 20 90 42 00 68 9f 01 12 00 8d ?? ?? ?? 50 ff ?? ?? ?? ?? ?? 85 c0 7c ?? 53 53 6a 08 8d ?? ?? ?? 50 8d ?? ?? ?? 50 53 53 53 ff ?? ?? ?? ff ?? ?? ?? ?? ?? ff ?? ?? ?? ff d7 68 18 90 42 00 6a 01 ff ?? ?? ?? ?? ?? ff ?? ?? ff d7 5f 5e 5b 8b e5 5d c2 08 00} - $hex6 = { 55 8b ec 51 68 c2 7e 42 00 ff ?? ?? ?? ?? ?? 85 c0 74 ?? 8d ?? ?? 51 68 02 23 00 00 6a 00 50 ff ?? ?? ?? ?? ?? 85 c0 7c ?? a1 ?? ?? ?? ?? 8b ?? ?? ?? ?? ?? 85 c0 75 ?? b8 53 50 43 33 68 00 00 40 00 50 ff ?? ?? ?? ?? ?? ff ?? ?? c9 c3} - $hex7 = { 55 8b ec 83 ec 64 53 56 57 ff ?? ?? ?? ?? ?? 85 c0 0f ?? ?? ?? ?? ?? ff ?? ?? ff ?? ?? e8 ?? ?? ?? ?? 85 c0 0f ?? ?? ?? ?? ?? 33 db 53 53 ff ?? ?? ?? ?? ?? 50 68 4d 10 40 00 53 53 53 53 53 6a ff ff ?? ?? ?? ?? ?? b8 00 04 00 00 e8 ?? ?? ?? ?? 8b f4 89 ?? ?? 89 ?? ?? e9 ?? ?? ?? ?? 8d ?? ?? 50 56 c7 ?? ?? ?? ?? ?? ?? ff ?? ?? ?? ?? ?? 
85 c0 0f ?? ?? ?? ?? ?? 83 ?? ?? ?? 75 ?? 6a 30 53 ff ?? ?? ?? ?? ?? 3b c3 74 ?? 8b ?? ?? 8b ?? ?? 89 ?? ?? 89 ?? ?? 89 ?? ?? c6 ?? ?? ?? 8d ?? ?? 89 ?? ?? 89 ?? 8d ?? ?? 89 ?? ?? 89 ?? 8b ?? ?? ?? ?? ?? 89 ?? c7 ?? ?? ?? ?? ?? ?? 89 ?? ?? a3 ?? ?? ?? ?? eb ?? 33 c0 3b c3 74 ?? 8d ?? ?? e8 ?? ?? ?? ?? ff ?? ?? e9 ?? ?? ?? ?? ff ?? ?? ff ?? ?? ?? ?? ?? e9 ?? ?? ?? ?? a1 ?? ?? ?? ?? b9 38 90 42 00 eb ?? 8b ?? ?? 3b ?? ?? 74 ?? 8b ?? 3b c1 75 ?? 33 ff 3b fb 0f ?? ?? ?? ?? ?? 8b ?? ?? 48 74 ?? 48 74 ?? 48 48 74 ?? 48 74 ?? 48 74 ?? 48 74 ?? 48 75 ?? 57 8d ?? ?? e8 ?? ?? ?? ?? eb ?? 8b f8 eb ?? 8d ?? ?? 8b ?? eb ?? 8b ?? ?? 3b ?? ?? 74 ?? 8b ?? 3b c1 75 ?? 33 c0 3b c3 74 ?? 8b f0 e8 ?? ?? ?? ?? eb ?? 8d ?? ?? 50 e8 ?? ?? ?? ?? eb ?? e8 ?? ?? ?? ?? ff ?? ?? eb ?? ff ?? ?? 8b cf e8 ?? ?? ?? ?? 3b c3 74 ?? 8b f0 e8 ?? ?? ?? ?? eb ?? 57 8d ?? ?? e8 ?? ?? ?? ?? eb ?? 8d ?? ?? e8 ?? ?? ?? ?? 89 ?? ?? ff ?? ?? 8b ?? ?? 8d ?? ?? 50 ff ?? ?? ?? ?? ?? 39 ?? ?? 74 ?? 53 56 ff ?? ?? ?? ?? ?? 85 c0 0f ?? ?? ?? ?? ?? ff ?? ?? ?? ?? ?? 50 ff ?? ?? ?? ?? ?? 8d ?? ?? 5f 5e 5b c9 c2 08 00} - $hex8 = { 53 56 57 ff ?? ?? ?? ?? ?? 0f b7 c0 33 ff 57 6a 04 8b c8 68 04 e2 41 00 c1 e9 08 c0 e0 04 6a 1a 0a c8 6a ff 88 ?? ?? ?? ?? ?? ff ?? ?? ?? ?? ?? ff ?? ?? ?? ?? ?? 8b ?? ?? ?? ?? ?? 8b d8 6a 3c 53 ff d6 59 59 85 c0 74 ?? e8 ?? ?? ?? ?? 85 c0 75 ?? 57 e8 ?? ?? ?? ?? 68 a4 e0 41 00 ff ?? ?? ?? ?? ?? 57 ff ?? ?? ?? ?? ?? 6a 3e 53 ff d6 59 59 85 c0 74 ?? 6a 01 e8 ?? ?? ?? ?? eb ?? 8b ?? ?? ?? ?? ?? b8 00 20 00 00 66 ?? ?? ?? ?? ?? ?? 75 ?? e8 ?? ?? ?? ?? e8 ?? ?? ?? ?? 68 e8 03 00 00 ff ?? ?? ?? ?? ?? 57 ff ?? ?? ?? ?? ?? 8b ?? ?? ?? 2b c7 74 ?? 48 75 ?? ff ?? ?? ?? ff ?? ?? ?? ?? ?? 33 c0 40 e8 ?? ?? ?? ?? 8b f0 e8 ?? ?? ?? ?? 85 c0 74 ?? e8 ?? ?? ?? ?? 85 c0 75 ?? 57 57 56 68 10 1c 40 00 57 57 ff ?? ?? ?? ?? ?? a3 ?? ?? ?? ?? eb ?? e8 ?? ?? ?? ?? 5f 5e b0 01 5b c2 0c 00} - $hex9 = { 55 8b ec 83 e4 f8 81 ec 94 01 00 00 53 56 57 68 c0 bb 41 00 68 d4 bb 41 00 ff ?? ?? ?? ?? ?? 50 ff ?? ?? ?? ?? ?? 
8b d8 85 db 75 ?? 8b ?? ?? ?? ?? ?? 8b ?? ?? ?? ?? ?? 8d ?? ?? ?? 50 6a 40 6a 07 8d ?? ?? 56 ff d7 85 c0 74 ?? b8 91 1b 40 00 2b c6 83 e8 05 89 ?? ?? 8d ?? ?? ?? 50 ff ?? ?? ?? c6 ?? ?? 6a 07 56 c6 ?? ?? ?? c6 ?? ?? ?? ff d7 8d ?? ?? ?? 50 68 02 02 00 00 ff ?? ?? ?? ?? ?? 6a 0d e8 ?? ?? ?? ?? e8 ?? ?? ?? ?? ff ?? ?? ff ?? ?? ?? ?? ?? e8 ?? ?? ?? ?? 68 90 e0 41 00 6a 01 ff ?? ?? ?? ?? ?? 8d ?? ?? ?? 50 6a 40 6a 02 53 ff d7 85 c0 74 ?? b8 8b ff 00 00 66 ?? ?? 8d ?? ?? ?? 50 ff ?? ?? ?? 6a 02 53 ff d7 5f 5e 33 c0 5b 8b e5 5d c2 04 00} - $hex10 ={ 55 8b ec 83 ec 18 a0 ?? ?? ?? ?? 83 ?? ?? ?? 83 ?? ?? ?? 53 56 0f b6 c0 57 c7 ?? ?? ?? ?? ?? ?? e8 ?? ?? ?? ?? 8b ?? ?? ?? ?? ?? 89 ?? ?? 8b ?? ?? 39 ?? ?? 73 ?? 2b ?? ?? e8 ?? ?? ?? ?? 8b ?? ?? 2b c4 89 ?? ?? 89 ?? ?? 8b ?? ?? 8d ?? ?? 50 ff ?? ?? 53 6a 05 ff ?? ?? ?? ?? ?? 89 ?? ?? 85 c0 0f ?? ?? ?? ?? ?? 33 c0 03 d8 6a 01 8d ?? ?? 57 68 e8 c1 41 00 ff d6 84 c0 75 ?? 6a 01 57 68 08 c2 41 00 ff d6 84 c0 75 ?? 6a 01 57 68 2c c2 41 00 ff d6 84 c0 75 ?? 6a 01 57 68 4c c2 41 00 ff d6 84 c0 75 ?? 6a 01 57 68 6c c2 41 00 ff d6 84 c0 75 ?? 6a 01 57 68 8c c2 41 00 ff d6 84 c0 74 ?? 8d ?? ?? ?? ?? ?? 50 68 00 e0 41 00 6a 01 8d ?? ?? 50 ff ?? ?? ?? ?? ?? 85 c0 7c ?? 6a 00 ff ?? ?? ff ?? ?? ?? ?? ?? ff ?? ?? ff ?? ?? ?? ?? ?? 8b ?? 85 c0 0f ?? ?? ?? ?? ?? 81 ?? ?? ?? ?? ?? ?? 0f ?? ?? ?? ?? ?? 8d ?? ?? 5f 5e 5b c9 c3} - $hex11 ={ 55 8b ec 81 ec ac 00 00 00 53 56 57 6a 20 6a 07 8d ?? ?? 50 68 6c e0 41 00 68 89 00 12 00 8d ?? ?? 50 ff ?? ?? ?? ?? ?? 8b d8 85 db 0f ?? ?? ?? ?? ?? 8b ?? ?? ?? ?? ?? 6a 05 6a 10 8d ?? ?? 50 8d ?? ?? 50 ff ?? ?? ff d6 8b d8 bf 05 00 00 80 3b df 74 ?? 85 db 75 ?? 8b ?? ?? b8 80 00 04 00 23 c8 3b c8 75 ?? 6a 01 6a 18 8d ?? ?? 50 8d ?? ?? 50 ff ?? ?? ff d6 3b c7 74 ?? 85 c0 75 ?? 8d ?? ?? ?? ?? ?? 50 ff ?? ?? ?? ?? ?? 6a 08 8d ?? ?? 50 8d ?? ?? ?? ?? ?? 50 ff ?? ?? ?? ?? ?? 8d ?? ?? ?? ?? ?? 50 ff ?? ?? ?? ?? ?? 6a 10 8d ?? ?? 50 68 14 e2 41 00 e8 ?? ?? ?? ?? 83 c4 0c 33 db eb ?? bb bb 00 00 c0 ff ?? ?? ff ?? ?? 
?? ?? ?? 85 db 7d ?? 81 cb 00 00 01 00 5f 5e 8b c3 5b c9 c3} - condition: - (5 of them) or (any of ($hex*)) or (any of ($s*)) -} - -rule TrojanSirefefZerroAccessANModule -{ - meta: - Description = "Trojan.Sirefef.sm" - ThreatLevel = "5" - - strings: - $ = "%s\\%s\\%08x.@" ascii wide - $ = "%s\\%s\\%s" ascii wide - $ = "InstallFlashPlayer.exe" ascii wide - $ = "get/flashplayer/update/current/install/install_all_win_%s_sgn.z" ascii wide - $ = "download/C/C/0/CC0BD555-33DD-411E-936B-73AC6F95AE11/IE8-WindowsXP-x86-ENU.exe" ascii wide - $ = "\\??\\%08x" ascii wide - $ = "80000032.32" ascii wide - $ = "\\GLOBAL??\\{D1C8BD9B-9DF7-4fb6-A1C3-D96202C79FC0}" ascii wide - $ = "http://%.*s/_ylt=3648C868A1DB;" ascii wide - - - $hex0 = { 56 8b ?? ?? ?? 33 c0 8d ?? ?? 87 ?? 85 c0 74 ?? 6a 00 50 6a 00 ff ?? ?? ?? ?? ?? 85 c0 74 ?? 8d ?? ?? 83 c8 ff f0 ?? ?? ?? 75 ?? 85 f6 74 ?? 8b ?? 8b ?? 6a 01 8b ce ff d0 83 c8 ff 8d ?? ?? 87 ?? 83 f8 ff 74 ?? 50 ff ?? ?? ?? ?? ?? 8b ?? 8b ?? ?? 8b ce ff d0 8d ?? ?? 83 ca ff f0 ?? ?? ?? 75 ?? 85 f6 74 ?? 8b ?? 8b ?? 6a 01 8b ce ff d2 5e c2 08 00} - $hex1 = { 57 8b ?? ?? ?? ?? ?? 68 30 75 00 00 ff d7 a1 ?? ?? ?? ?? 85 c0 74 ?? 56 eb ?? 8d 9b 00 00 00 00 68 30 75 00 00 8b f0 ff d7 a1 ?? ?? ?? ?? 3b f0 75 ?? 5e 6a 00 ff ?? ?? ?? ?? ??} - $hex2 = { 83 ec 5c 56 8d ?? ?? ?? 50 68 ff 01 0f 00 83 ce ff 56 ff ?? ?? ?? ?? ?? 85 c0 0f ?? ?? ?? ?? ?? 8b ?? ?? ?? 57 8d ?? ?? ?? 51 6a 01 6a 00 68 90 61 01 10 68 ff 01 0f 00 52 ff ?? ?? ?? ?? ?? 8b ?? ?? ?? ?? ?? 85 c0 78 ?? 8b ?? ?? ?? 6a 04 8d ?? ?? ?? 50 6a 0c 51 ff ?? ?? ?? ?? ?? 6a 40 8d ?? ?? ?? 6a 00 52 c7 ?? ?? ?? ?? ?? ?? ?? e8 ?? ?? ?? ?? 8b ?? ?? ?? 83 c4 0c 8d ?? ?? ?? 50 8b ?? ?? ?? 8d ?? ?? ?? 51 6a 00 6a 00 6a 00 6a 00 6a 00 6a 00 52 6a 00 50 c7 ?? ?? ?? ?? ?? ?? ?? ff ?? ?? ?? ?? ?? 85 c0 74 ?? 8b ?? ?? ?? 51 ff d7 8b ?? ?? ?? 8b ?? ?? ?? 52 ff d7 8b ?? ?? ?? 50 ff d7 5f 8b c6 5e 83 c4 5c c2 08 00} - $hex3 = { 56 8b f2 e8 ?? ?? ?? ?? 85 c0 74 ?? 83 ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 
89 ?? ?? ?? ?? ?? 75 ?? e8 ?? ?? ?? ?? 6a 00 6a 00 6a 00 68 20 8b 00 10 6a 00 6a 00 ff ?? ?? ?? ?? ?? 50 ff ?? ?? ?? ?? ?? b8 01 00 00 00 5e c3 33 c0 5e c3} - $hex4 = { 53 8b d9 8b ca e8 ?? ?? ?? ?? 85 c0 0f ?? ?? ?? ?? ?? 56 68 20 ca 01 10 ff ?? ?? ?? ?? ?? 8b f0 ff ?? ?? ?? ?? ?? ba f8 34 01 10 8b ce 57 8b ff 66 ?? ?? 66 ?? ?? 75 ?? 66 85 ff 74 ?? 66 ?? ?? ?? 66 ?? ?? ?? 75 ?? 83 c1 04 83 c2 04 66 85 ff 75 ?? 33 c9 eb ?? 1b c9 83 d9 ff 85 c9 75 ?? 68 10 35 01 10 50 ff ?? ?? ?? ?? ?? 83 c4 08 85 c0 74 ?? 68 30 be 00 10 c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ff ?? ?? ?? ?? ?? 8b ?? ?? ?? ?? ?? 6a 00 6a 00 68 b0 04 00 00 68 a0 89 00 10 6a 00 6a 00 ff d6 8b ?? ?? ?? ?? ?? 50 ff d7 e8 ?? ?? ?? ?? 6a 00 6a 00 6a 00 68 20 83 00 10 6a 00 6a 00 ff d6 50 ff d7 5f 5e b8 01 00 00 00 5b c3 e8 ?? ?? ?? ?? 85 c0 74 ?? 68 30 be 00 10 c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ff ?? ?? ?? ?? ?? e8 ?? ?? ?? ?? 8b c3 e8 ?? ?? ?? ?? e8 ?? ?? ?? ?? e8 ?? ?? ?? ?? 6a 00 6a 00 6a 00 68 80 bd 00 10 6a 00 6a 00 ff ?? ?? ?? ?? ?? 50 ff ?? ?? ?? ?? ?? 5f 5e b8 01 00 00 00 5b c3 5f 5e 33 c0 5b c3 83 ?? ?? ?? ?? ?? ?? 74 ?? 8b c3 e8 ?? ?? ?? ?? 
b8 01 00 00 00 5b c3 33 c0 5b c3} - - - condition: - (5 of them) or (any of ($hex*)) -} - -rule TrojanSirefefZerroAccessPlayloadModule -{ - meta: - Description = "Trojan.Sirefef.sm" - ThreatLevel = "5" - - strings: - $ = "U\\80000032.@" ascii wide - $ = "\\\\.\\globalroot\\systemroot\\system32\\mswsock.dll" ascii wide - $ = "\\\\?\\globalroot\\systemroot\\system32\\mswsock.AcceptEx" ascii wide - $ = "\\\\?\\globalroot\\systemroot\\system32\\mswsock.GetAcceptExSockaddrs" ascii wide - $ = "\\\\?\\globalroot\\systemroot\\system32\\mswsock.NSPStartup" ascii wide - $ = "\\\\?\\globalroot\\systemroot\\system32\\mswsock.TransmitFile" ascii wide - $ = "\\\\?\\globalroot\\systemroot\\system32\\mswsock.getnetbyname" ascii wide - $ = "\\\\?\\globalroot\\systemroot\\system32\\mswsock.inet_network" ascii wide - $ = "%sU\\%08x.@" ascii wide - $ = "\\??\\%s@" ascii wide - $ = "\\??\\%sU" ascii wide - $ = "\\registry\\MACHINE\\SYSTEM\\CurrentControlSet\\Services\\WinSock2\\Parameters" ascii wide - $ = "\\KnownDlls\\mswsock.dll" ascii wide - $ = "\\systemroot\\assembly" ascii wide - $ = "GAC_MSIL" ascii wide - $ = "GAC" ascii wide - $ = "????????.@" ascii wide - $ = "%08x.@" ascii wide - $ = "%08x.$" ascii wide - $ = "%08x.~" ascii wide - - $ = "\\systemroot\\assembly\\GAC\\Desktop.ini" ascii wide - - condition: - (5 of them) -} - -rule TrojanSirefefZerroAccessPluginModule -{ - meta: - Description = "Trojan.Sirefef.sm" - ThreatLevel = "5" - - strings: - $hex0 = { 55 8b ec 81 ec 94 01 00 00 56 68 30 40 00 10 68 00 00 10 00 8d ?? ?? 50 ff ?? ?? ?? ?? ?? 8b f0 81 fe 00 00 00 40 75 ?? ff ?? ?? ff ?? ?? ?? ?? ?? 85 f6 8b ?? ?? ?? ?? ?? 7c ?? 8d ?? ?? ?? ?? ?? 50 68 02 02 00 00 ff ?? ?? ?? ?? ?? 85 c0 75 ?? e8 ?? ?? ?? ?? 6a 20 68 60 ea 00 00 b9 80 40 00 10 e8 ?? ?? ?? ?? 69 c0 e8 03 00 00 50 6a 00 68 b7 15 00 10 6a 00 8d ?? ?? 50 ff ?? ?? ?? ?? ?? 85 c0 74 ?? ff ?? ?? ff ?? ?? ?? ?? ?? 6a ff ff ?? ?? 6a 00 ff ?? ?? ?? ?? ?? ff ?? ?? ?? ?? ?? ff ?? ?? ff ?? ?? ?? ?? ?? ff ?? ?? 
ff d6 a1 ?? ?? ?? ?? 85 c0 74 ?? b9 fb 15 00 10 ff ?? ?? e8 ?? ?? ?? ?? 68 28 40 00 10 6a 01 ff ?? ?? ?? ?? ?? ff ?? ?? ?? ?? ?? ff d6} - $hex1 = { 81 ?? ?? ?? ?? ?? 56 57 8b f9 75 ?? b9 fb 15 00 10 89 ?? ?? ?? ?? ?? ff ?? ?? 8b ?? ?? ?? ?? ?? 68 08 32 00 10 57 ff d6 59 59 50 b9 80 40 00 10 e8 ?? ?? ?? ?? 68 f0 31 00 10 57 ff d6 59 59 33 c9 8b d0 41 e8 ?? ?? ?? ?? 33 c0 50 50 50 68 85 16 00 10 50 50 ff ?? ?? ?? ?? ?? a3 ?? ?? ?? ?? 33 c0 5f 40 5e c3} - $hex2 = { 55 8b ec 81 ec 90 00 00 00 53 56 57 6a 40 5e 8b d9 6a 04 8b c6 66 ?? ?? ?? 58 33 ff 57 66 ?? ?? ?? 57 8d ?? ?? 50 ff ?? ?? c7 ?? ?? ?? ?? ?? ?? c6 ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? c6 ?? ?? ?? ff ?? ?? ?? ?? ?? 84 c0 0f ?? ?? ?? ?? ?? 6a 20 8d ?? ?? 6a 07 89 ?? ?? 8d ?? ?? 50 8d ?? ?? 50 89 ?? ?? 68 98 00 10 00 8d ?? ?? 56 c7 ?? ?? ?? ?? ?? ?? 89 ?? ?? 89 ?? ?? 89 ?? ?? ff ?? ?? ?? ?? ?? 85 c0 7c ?? 57 57 6a 18 68 0c 40 00 10 57 6a 60 8d ?? ?? ?? ?? ?? 50 8d ?? ?? 50 ff ?? e8 ?? ?? ?? ?? 85 c0 7c ?? 8d ?? ?? ?? ?? ?? 33 c9 03 c1 80 ?? ?? ?? 75 ?? 8b ?? ?? 81 f9 30 30 31 00 74 ?? 81 f9 30 30 32 00 75 ?? 66 ?? ?? ?? ?? 75 ?? 8b ?? ?? 89 ?? ?? eb ?? 66 ?? ?? ?? ?? 75 ?? 6a 10 8d ?? ?? 8d ?? ?? 59 f3 ?? 33 ff 8b ?? 3b cf 75 ?? 8d ?? ?? 50 ff ?? ?? ?? ?? ?? 66 ?? ?? ?? 75 ?? e8 ?? ?? ?? ?? 33 d2 b9 80 51 01 00 f7 f1 6a 4c 53 66 ?? ?? ?? 8d ?? ?? 50 ff ?? ?? e8 ?? ?? ?? ?? 39 ?? ?? 75 ?? c7 ?? ?? ?? ?? ?? ?? e8 ?? ?? ?? ?? 57 8b cb 89 ?? ?? e8 ?? ?? ?? ?? 5f 5e 5b c9 c2 04 00} - - $hex3 = { 55 8b ec 83 ec 74 53 56 57 be 30 00 fe 7f 56 ff ?? ?? ?? ?? ?? 59 8d ?? ?? ?? e8 ?? ?? ?? ?? 89 ?? ?? 68 94 60 00 10 56 ff ?? ?? ff ?? ?? ?? ?? ?? 59 59 50 ff ?? ?? ?? ?? ?? 59 59 33 db 53 53 ff ?? ?? ?? ?? ?? 8b f0 3b f3 0f ?? ?? ?? ?? ?? 6a 70 8d ?? ?? 53 50 e8 ?? ?? ?? ?? 83 c4 0c 6a 70 8d ?? ?? 50 33 ff 6a 09 47 56 c7 ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? 89 ?? ?? c7 ?? ?? ?? ?? ?? ?? ff ?? ?? ?? ?? ?? 85 c0 74 ?? ff ?? ?? ?? ?? ?? 85 c0 74 ?? 9c 81 ?? ?? ?? ?? ?? ?? 9d 90 68 08 70 00 10 57 8b ?? ?? ?? ?? ?? ff d7 85 c0 75 ?? 
38 ?? ?? ?? ?? ?? 75 ?? ff ?? ?? ff ?? ?? 56 e8 ?? ?? ?? ?? 38 ?? ?? ?? ?? ?? 75 ?? 68 00 70 00 10 6a 01 ff d7 85 c0 74 ?? 56 ff ?? ?? ?? ?? ?? 33 c0 8d ?? ?? 5f 5e 5b c9 c2 04 00} - $hex4 = { 55 8b ec 51 53 56 57 68 24 70 00 10 68 00 00 10 00 8d ?? ?? 50 ff ?? ?? ?? ?? ?? 8b f8 81 ff 00 00 00 40 75 ?? ff ?? ?? ff ?? ?? ?? ?? ?? 33 f6 3b fe 7c ?? 56 56 ff ?? ?? 68 88 13 00 10 56 56 ff ?? ?? ?? ?? ?? 8b ?? ?? ?? ?? ?? 8b f8 3b fe 74 ?? ff ?? ?? ff ?? ?? ?? ?? ?? 57 c6 ?? ?? ?? ?? ?? ?? ff ?? ?? ?? ?? ?? 56 56 57 ff ?? ?? ?? ?? ?? 57 ff d3 ff ?? ?? ff ?? ?? ?? ?? ?? ff ?? ?? ff d3 ff ?? ?? ff ?? ?? ?? ?? ??} - $hex5 = { 53 56 57 8b d9 ff ?? ?? ?? ?? ?? 85 c0 74 ?? 9c 81 ?? ?? ?? ?? ?? ?? 9d 90 53 ff ?? ?? ?? ?? ?? 59 6a 02 5a 8d ?? ?? ?? 33 c9 f7 e2 0f 90 c1 33 ff f7 d9 0b c1 50 57 ff ?? ?? ?? ?? ?? 8b f0 3b f7 74 ?? 53 68 50 61 00 10 56 ff ?? ?? ?? ?? ?? 83 c4 0c 57 57 56 68 77 14 00 10 57 57 ff ?? ?? ?? ?? ?? 3b c7 74 ?? 50 ff ?? ?? ?? ?? ?? 33 c0 40 eb ?? 56 ff ?? ?? ?? ?? ?? 33 c0 5f 5e 5b c3} - - condition: - any of ($hex*) -} - -rule TrojanSirefefZerroAccessPluginModuleZooCliccer -{ - meta: - Description = "Trojan.ZooClicker.sm" - ThreatLevel = "5" - - strings: - $ = "%s\\00000001.@" ascii wide - $ = "z00clicker3" ascii wide - $ = "z00clicker" ascii wide - - condition: - any of them -} - -rule TrojanSirefefZerroAccess2016 -{ - meta: - Description = "Trojan.Sirefef.E.sm" - ThreatLevel = "5" - - strings: - - $ = "GoogleUpdate.exe" ascii wide - $ = "%08x.@" ascii wide - $ = "%08x.$" ascii wide - $ = "%08x.~" ascii wide - - $s1 = "\\Google\\Desktop\\Install\\{%08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x}\\#." 
 ascii wide
- $s2 = "\\BaseNamedObjects\\Restricted\\{12E9D947-EDF5-4191-AADB-F51815F004D8}" ascii wide
- $s3 = "\\BaseNamedObjects\\Restricted\\{889E2280-F15E-4330-A3F4-D4EEF899AAF6}" ascii wide
- $s4 = "\\BaseNamedObjects\\Restricted\\{1FD06E7A-B215-4ae2-B209-AC869A3DF0B7}" ascii wide
- $s5 = "\\BaseNamedObjects\\Restricted\\{A3D35150-6823-4462-8C6E-7417FF841D7A}" ascii wide
- $s6 = "80000000.@" ascii wide
- $s7 = "=cccctp=ddddt:=rrrrt<=sssst" ascii wide
- $s8 = "=ccccta=ddddt+=rrrrt-=sssst" ascii wide
-
- condition:
- (3 of them) or (any of ($s*))
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/g00dv1n/Trojan.Upatre.yar b/yara-mikesxrs/g00dv1n/Trojan.Upatre.yar
deleted file mode 100644
index a09595f..0000000
--- a/yara-mikesxrs/g00dv1n/Trojan.Upatre.yar
+++ /dev/null
@@ -1,12 +0,0 @@
-rule TrojanUpatreSample
-{
- meta:
- Description = "Trojan.Upatre.vb"
- ThreatLevel = "5"
-
- strings:
- $hex_string = { 52 ba 6c 6c 00 00 52 ba 73 66 2e 64 52 ba 32 5c 71 61 52 ba 74 65 6d 33 52 ba 5c 73 79 73 52}
-
- condition:
- $hex_string
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/g00dv1n/Trojan.Virtool.Obfuscator.yar b/yara-mikesxrs/g00dv1n/Trojan.Virtool.Obfuscator.yar
deleted file mode 100644
index c388f27..0000000
--- a/yara-mikesxrs/g00dv1n/Trojan.Virtool.Obfuscator.yar
+++ /dev/null
@@ -1,12 +0,0 @@
-rule TrojanVirtoolObfuscator
-{
- meta:
- Description = "Trojan.Obfuscator.rc"
- ThreatLevel = "5"
-
- strings:
- $ = "1346243623461" ascii wide
- $ = "3nterface" ascii wide
- condition:
- all of them
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/g00dv1n/TrojanPSW.Tepfer.yar b/yara-mikesxrs/g00dv1n/TrojanPSW.Tepfer.yar
deleted file mode 100644
index a897573..0000000
--- a/yara-mikesxrs/g00dv1n/TrojanPSW.Tepfer.yar
+++ /dev/null
@@ -1,68 +0,0 @@
-rule TrojanPSWTepferSample
-{
- meta:
- Description = "Trojan.Tepfer.sm"
- ThreatLevel = "5"
-
- strings:
- $ = "Software\\BPFTP" ascii wide
- $ = "\\BulletProof Software\\BulletProof FTP Client" ascii wide
- $ = "Software\\BPFTP\\Bullet Proof FTP" ascii wide
- $ = "Software\\NCH Software\\ClassicFTP\\FTPAccounts" ascii wide
- $ = "\\GlobalSCAPE\\CuteFTP" ascii wide
- $ = "\\GlobalSCAPE\\CuteFTP Pro" ascii wide
- $ = "\\GlobalSCAPE\\CuteFTP Lite" ascii wide
- $ = "\\CuteFTP" ascii wide
- $ = "\\GPSoftware\\Directory Opus\\ConfigFiles\\ftp.oxc" ascii wide
- $ = "SOFTWARE\\Far\\Plugins\\FTP\\Hosts" ascii wide
- $ = "SOFTWARE\\Far2\\Plugins\\FTP\\Hosts" ascii wide
- $ = "Software\\Far\\Plugins\\FTP\\Hosts" ascii wide
- $ = "Software\\Far2\\Plugins\\FTP\\Hosts" ascii wide
- $ = "Software\\Far\\SavedDialogHistory\\FTPHost" ascii wide
- $ = "Software\\Far2\\SavedDialogHistory\\FTPHost" ascii wide
- $ = "Software\\Ghisler\\Windows Commander" ascii wide
- $ = "Software\\Ghisler\\Total Commander" ascii wide
- $ = "Software\\Sota\\FFFTP" ascii wide
- $ = "Software\\FileZilla" ascii wide
- $ = "FileZilla3" ascii wide
- $ = "FlashFXP" ascii wide
- $ = "FTP Commander Pro" ascii wide
- $ = "FTP Navigator" ascii wide
- $ = "FTP Commander" ascii wide
- $ = "FTP Commander Deluxe" ascii wide
- $ = "Software\\FTP Explorer\\Profiles" ascii wide
- $ = "\\FTP Explorer\\profiles.xml" ascii wide
- $ = "Windows/Total Commander" ascii wide
- $ = "FTP Commander" ascii wide
- $ = "BulletProof FTP Client" ascii wide
- $ = "TurboFTP" ascii wide
- $ = "SoftX FTP Client" ascii wide
- $ = "LeapFTP" ascii wide
- $ = "WinSCP" ascii wide
- $ = "32bit FTP" ascii wide
- $ = "FTP Control" ascii wide
- $ = "SecureFX" ascii wide
- $ = "BitKinex" ascii wide
- $ = "CuteFTP" ascii wide
- $ = "WS_FTP" ascii wide
- $ = "FFFTP" ascii wide
- $ = "Core FTP" ascii wide
- $ = "WebDrive" ascii wide
- $ = "Classic FTP" ascii wide
- $ = "Fling" ascii wide
- $ = "NetDrive" ascii wide
- $ = "FileZilla" ascii wide
- $ = "FTP Explorer" ascii wide
- $ = "SmartFTP" ascii wide
- $ = "FTPRush" ascii wide
- $ = "UltraFXP" ascii wide
- $ = "Frigate3 FTP" ascii wide
- $ = "BlazeFtp" ascii wide
- $ = "Software\\LeechFTP" ascii wide
- $ = "SiteInfo.QFP" ascii wide
- $ = "WinFTP" ascii wide
- $ = "FreshFTP" ascii wide
- $ = "BlazeFtp" ascii wide
- condition:
- 9 of them
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/g00dv1n/TrojanPSW.ZBot.yar b/yara-mikesxrs/g00dv1n/TrojanPSW.ZBot.yar
deleted file mode 100644
index ed0e8dd..0000000
--- a/yara-mikesxrs/g00dv1n/TrojanPSW.ZBot.yar
+++ /dev/null
@@ -1,21 +0,0 @@ -rule TrojanZeusZbotSampleA -{ - meta: - Description = "Trojan.ZBot.sm" - ThreatLevel = "5" - - strings: - $ = "-m" ascii wide - $ = "-m%p" ascii wide - $ = ":d\\r\\ndel" ascii wide - $ = "@echo off\\r\\n%s\\r\\ndel /F" ascii wide - $hex0 = { 83 EC 0C 53 55 33 DB 56 8B C2 33 ED 57 89 44 24 18 89 4C 24 10 39 5C 24 20 0F 8E ?? ?? ?? ?? 8B 04 A8 83 3C C5 } - $hex1 = { E8 ?? ?? ?? ?? 83 C4 04 C7 45 FC 00 00 00 00 EB 09 8B 4D FC 83 C1 01 89 4D FC 8B 55 FC 3B 15 ?? ?? ?? ?? 0F 83 ?? ?? ?? ?? C7 45 F4 ?? ?? ?? ?? C7 45 F4 ?? ?? ?? ?? C7 45 F4 ?? ?? ?? ?? C7 45 F4 ?? ?? ?? ?? C7 45 F4 ?? ?? ?? ?? C7 45 F4 ?? ?? ?? ?? C7 45 F4 ?? ?? ?? ?? C7 45 F4 ?? ?? ?? ?? C7 45 F4 ?? ?? ?? ?? 8B 45 08 83 C0 08 A3 ?? ?? ?? ?? 8B 4D FC 51 8B 15 ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? } - $hex2 = { 6A 02 6A 00 FF 15 ?? ?? ?? ?? 8B F0 85 F6 74 08 56 E8 ?? ?? ?? ?? EB 02 8A C3 84 C0 74 28 F6 44 24 36 08 75 0A E8 ?? ?? ?? ?? 83 4C 24 36 08 F6 44 24 36 40 75 0A E8 ?? ?? ?? ?? 83 4C 24 36 40 56 E8 ?? ?? ?? ?? 8D 44 24 08 50 E8 ?? ?? ?? ?? 8A C3 EB 02 32 C0 5E 5B 8B E5 5D C3 } - $hex3 = { 55 8b ec 81 ec 70 03 00 00 8d ?? ?? ?? ?? ?? 50 ff ?? ?? ff ?? ?? ?? ?? ?? 8d ?? ?? ?? ?? ?? 50 50 68 28 59 40 00 8d ?? ?? ?? ?? ?? 68 6c 02 00 00 50 e8 ?? ?? ?? ?? 83 c4 14 85 c0 7e ?? 8d ?? ?? ?? ?? ?? 50 e8 ?? ?? ?? ?? 84 c0 74 ?? b0 01 eb ?? 32 c0 c9 c2 04 00} - $hex4 = { 55 8b ec 83 e4 f8 81 ec 4c 02 00 00 53 8b ?? ?? ?? ?? ?? 56 57 33 ff c6 ?? ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 57 6a 02 e8 ?? ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 83 f8 ff 0f ?? ?? ?? ?? ?? 8d ?? ?? ?? 50 ff ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? e8 ?? ?? ?? ?? e9 ?? ?? ?? ?? 8b ?? ?? ?? 3b cf 0f ?? ?? ?? ?? ?? 3b ?? ?? ?? ?? ?? 0f ?? ?? ?? ?? ?? 33 c0 39 ?? ?? ?? 76 ?? 8b ?? ?? ?? 39 ?? ?? 0f ?? ?? ?? ?? ?? 40 3b ?? ?? ?? 72 ?? 51 e8 ?? ?? ?? ?? 89 ?? ?? ?? 3b c7 0f ?? ?? ?? ?? ?? ff ?? ?? ?? 57 68 00 04 00 00 ff ?? ?? ?? ?? ?? 8b f0 3b f7 0f ?? ?? ?? ?? ?? 8d ?? ?? ?? 50 56 e8 ?? ?? ?? ?? 56 8b f8 ff d3 85 ff 74 ?? 8b ?? ?? ?? 3b ?? ?? ?? ?? 
?? 75 ?? ff ?? ff ?? ?? ?? ?? ?? 3b ?? ?? ?? ?? ?? 75 ?? 8b ?? 50 a1 ?? ?? ?? ?? 8b ?? e8 ?? ?? ?? ?? 85 c0 75 ?? 8b ?? ?? ?? 8d ?? ?? ?? ?? ?? ?? 50 8d ?? ?? ?? e8 ?? ?? ?? ?? 84 c0 74 ?? 8b ?? ?? ?? 8b ?? ?? ?? 8b ?? ?? ?? ff ?? ?? ?? ff ?? ?? ?? ff ?? ?? ?? 89 ?? ?? ff ?? ?? ?? e8 ?? ?? ?? ?? 84 c0 74 ?? c6 ?? ?? ?? ?? 57 e8 ?? ?? ?? ?? 33 ff ff ?? ?? ?? ff d3 8d ?? ?? ?? 50 ff ?? ?? ?? e8 ?? ?? ?? ?? 85 c0 0f ?? ?? ?? ?? ?? ff ?? ?? ?? ff d3 39 ?? ?? ?? 0f ?? ?? ?? ?? ?? ff ?? ?? ?? e8 ?? ?? ?? ?? 8a ?? ?? ?? 5f 5e 5b 8b e5 5d c3}
-
-
- condition:
- (3 of them) or (any of ($hex*))
-}
diff --git a/yara-mikesxrs/g00dv1n/TrojanSpy.Ursnif.yar b/yara-mikesxrs/g00dv1n/TrojanSpy.Ursnif.yar
deleted file mode 100644
index 2d2b35b..0000000
--- a/yara-mikesxrs/g00dv1n/TrojanSpy.Ursnif.yar
+++ /dev/null
@@ -1,33 +0,0 @@
-rule TrojanSpyWin32UrsnifASample
-{
- meta:
- Description = "Trojan.Ursnif.sm"
- ThreatLevel = "5"
-
- strings:
- $ = "CreateProcessNotify" ascii wide
- $ = "rundll32" ascii wide
- $ = "Software\\Microsoft\\Windows\\CurrentVersion\\Run" ascii wide
- $ = "System\\CurrentControlSet\\Control\\Session Manager\\AppCertDlls" ascii wide
- $ = "iexplore.exe" ascii wide
- $ = "firefox.exe" ascii wide
- $ = "Software\\AppDataLow\\Software\\Microsoft\\Internet Explorer\\Security\\AntiPhishing" ascii wide
- $ = "/UPD" ascii wide
- $ = "/sd %lu" ascii wide
- $ = "%lu.bat" ascii wide
- $ = "attrib -r -s -h %%1" ascii wide
- $ = "S:(ML;;NW;;;LW)" ascii wide
- $ = "D:(D;OICI;GA;;;BG)(D;OICI;GA;;;AN)(A;OICI;GA;;;AU)(A;OICI;GA;;;BA)" ascii wide
- $ = "%lu.exe" ascii wide
- $ = "mashevserv.com" ascii wide
- $ = "ericpotic.com" ascii wide
- $ = "version=%u&user=%x%x%x%x&server=%u&id=%u&crc=%x&aid=%u" ascii wide
- $ = "CHROME.DLL" ascii wide
- $ = "chrome.exe" ascii wide
- $ = "opera.exe" ascii wide
- $ = "safari.exe" ascii wide
- $ = "explorer.exe" ascii wide
-
- condition:
- 6 of them
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/g00dv1n/Virus.Chir.yar b/yara-mikesxrs/g00dv1n/Virus.Chir.yar
deleted file mode 100644
index 9c6c2f9..0000000
--- a/yara-mikesxrs/g00dv1n/Virus.Chir.yar
+++ /dev/null
@@ -1,14 +0,0 @@
-rule ChirBSample
-{
- meta:
- Description = "Virus.Chir.B.vb"
- ThreatLevel = "5"
-
- strings:
- $ = "runouce.exe" ascii wide
- $ = "imissyou@btamail.net.cn" ascii wide
- $ = "ChineseHacker-2" ascii wide
-
- condition:
- all of them
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/g00dv1n/Virus.Madang.yar b/yara-mikesxrs/g00dv1n/Virus.Madang.yar
deleted file mode 100644
index 3280bcb..0000000
--- a/yara-mikesxrs/g00dv1n/Virus.Madang.yar
+++ /dev/null
@@ -1,12 +0,0 @@
-rule FileVirusWin32MaganASample
-{
- meta:
- Description = "Virus.Madang.sm"
- ThreatLevel = "5"
-
- strings:
- $hex_string = { 60 78 ?? 79 ?? ?? e8 ?? ?? ?? ?? 8b ?? ?? ?? e8 ?? ?? ?? ?? 61 78 ?? 79 ?? ?? 68 ?? ?? ?? ?? C3 }
-
- condition:
- any of them
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/g00dv1n/Worm.Cridex.yar b/yara-mikesxrs/g00dv1n/Worm.Cridex.yar
deleted file mode 100644
index 4e214b6..0000000
--- a/yara-mikesxrs/g00dv1n/Worm.Cridex.yar
+++ /dev/null
@@ -1,21 +0,0 @@
-rule WormWin32CridexSamlpeE
-{
- meta:
- Description = "Worm.Cridex.sm"
- ThreatLevel = "5"
-
- strings:
- $ = "Software\\Microsoft\\Windows NT\\C%08X" ascii wide
- $ = "<server><![CDATA[%%u.%%u.%%u.%%u:%%u]]>" ascii wide
- $ = "KB%08d.exe" ascii wide
- $ = "Local\\XME%08X" ascii wide
- $ = "Local\\XMM%08X" ascii wide
- $ = "Local\\XMI%08X" ascii wide
- $ = "Local\\XMS%08X" ascii wide
- $ = "Local\\XMF%08X" ascii wide
- $ = "Local\\XMR%08X" ascii wide
- $ = "Local\\XMQ%08X" ascii wide
- $ = "Local\\XMB%08X" ascii wide
- condition:
- 2 of them
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/g00dv1n/Worm.Dorkbot.yar b/yara-mikesxrs/g00dv1n/Worm.Dorkbot.yar
deleted file mode 100644
index b133eac..0000000
--- a/yara-mikesxrs/g00dv1n/Worm.Dorkbot.yar
+++ /dev/null
@@ -1,97 +0,0 @@
-rule WormWin32DorkbotSamlpeA
-{
- meta:
- Description = "Worm.Dorkbot.sm"
- ThreatLevel = "5"
-
- strings:
- $ = "from removing our bot file!" ascii wide
- $ = "from moving our bot file" ascii wide
- $ = "Message hijacked!" ascii wide
- $ = "popgrab" ascii wide
- $ = "ftpgrab" ascii wide
- $ = "s.Blocked possible browser exploit pack call on URL" ascii wide
- $ = "webroot." ascii wide
- $ = "fortinet." ascii wide
- $ = "virusbuster.nprotect." ascii wide
- $ = "gdatasoftware." ascii wide
- $ = "virus." ascii wide
- $ = "precisesecurity." ascii wide
- $ = "lavasoft." ascii wide
- $ = "heck.tc" ascii wide
- $ = "emsisoft." ascii wide
- $ = "onlinemalwarescanner." ascii wide
- $ = "onecare.live." ascii wide
- $ = "f-secure." ascii wide
- $ = "bullguard." ascii wide
- $ = "clamav." ascii wide
- $ = "pandasecurity." ascii wide
- $ = "sophos." ascii wide
- $ = "malwarebytes." ascii wide
- $ = "sunbeltsoftware." ascii wide
- $ = "norton." ascii wide
- $ = "norman." ascii wide
- $ = "mcafee." ascii wide
- $ = "symantec" ascii wide
- $ = "comodo." ascii wide
- $ = "avast." ascii wide
- $ = "avira." ascii wide
- $ = "avg." ascii wide
- $ = "bitdefender." ascii wide
- $ = "eset." ascii wide
- $ = "kaspersky." ascii wide
- $ = "trendmicro." ascii wide
- $ = "iseclab." ascii wide
- $ = "virscan." ascii wide
- $ = "garyshood." ascii wide
- $ = "viruschief." ascii wide
- $ = "jotti." ascii wide
- $ = "threatexpert." ascii wide
- $ = "novirusthanks." ascii wide
- $ = "virustotal." ascii wide
- $ = "you stupid cracker" ascii wide
- $ = "ngrBot Error" ascii wide
- $ = "Slowloris]: Finished flood on" ascii wide
- $ = "UDP]: Finished flood on" ascii wide
- $ = "SYN]: Finished flood on" ascii wide
- $ = "USB]: Infected %s" ascii wide
- $ = "MSN]: Updated MSN spread message to" ascii wide
- $ = "MSN]: Updated MSN spread interval to" ascii wide
- $ = "HTTP]: Updated HTTP spread message to" ascii wide
- $ = "HTTP]: Injected value is now %s." ascii wide
- $ = "HTTP]: Updated HTTP spread interval to" ascii wide
- $ = "Visit]: Visited" ascii wide
- $ = "DNS]: Blocked" ascii wide
- $ = "RSOCK4]: Started rsock4" ascii wide
- $ = "Visit]: Error visitng" ascii wide
- $ = "FTP Login]: %s" ascii wide
- $ = "POP3 Login]: %s" ascii wide
- $ = "FTP Infect]: %s was iframed" ascii wide
- $ = "HTTP Login]: %s" ascii wide
- $ = "HTTP Traffic]: %s" ascii wide
- $ = "Ruskill]: Detected File:" ascii wide
- $ = "Ruskill]: Detected DNS:" ascii wide
- $ = "Ruskill]: Detected Reg:" ascii wide
- $ = "PDef+]: %s" ascii wide
- $ = "DNS]: Blocked DNS" ascii wide
- $ = "MSN]: %s" ascii wide
- $ = "HTTP]: %s" ascii wide
- condition:
- 8 of them
-}
-
-rule WormWin32DorkbotSamlpeB
-{
- meta:
- Description = "Worm.Dorkbot.sm"
- ThreatLevel = "5"
-
- strings:
- $ = "http://ht.ly/jZH8A?yd=" ascii wide
- $ = "DecriptedFiles" ascii wide
- $ = "Infected Drive: %s" ascii wide
- $a = "snkb00pt" ascii wide
-
- condition:
- (3 of them) or $a
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/g00dv1n/Worm.Phorpiex.yar b/yara-mikesxrs/g00dv1n/Worm.Phorpiex.yar
deleted file mode 100644
index 38bdc5a..0000000
--- a/yara-mikesxrs/g00dv1n/Worm.Phorpiex.yar
+++ /dev/null
@@ -1,99 +0,0 @@
-rule WormWin32PhorpiexSampleM
-{
- meta:
- Description = "Worm.Phorpiex.sm"
- ThreatLevel = "5"
-
- strings:
- $ = "paltalk.exe" ascii wide
- $ = "Xfire.exe" ascii wide
- $ = "googletalk.exe" ascii wide
- $ = "Skype.exe" ascii wide
- $ = "http://goo.gl" ascii wide
-
- $ = "qemu" ascii wide
- $ = "virtual" ascii wide
- $ = "vmware" ascii wide
- $ = "%s\\winsvcon.txt" ascii wide
- $ = "%s\\rmrf%i%i%i%i.bat" ascii wide
- $ = "%s%s.txt" ascii wide
- $ = "%s%s.zip" ascii wide
- $ = "IMG%s-JPG.scr" ascii wide
- $ = "Microsoft Windows Manager" ascii wide
- $ = "winbtc.exe" ascii wide
- $ = "winmgr.exe" ascii wide
- $ = "winraz.exe" ascii wide
- $ = "winsam.exe" ascii wide
- $ = "winsvc.exe" ascii wide
- $ = "winsvn.exe" ascii wide
- $ = ".exe" ascii wide
- $ = ".bat" ascii wide
- $ = ".vbs" ascii wide
- $ = ".pif" ascii wide
- $ = ".cmd" ascii wide
- $ = "%s\\autorun.inf" ascii wide
-
- $ = "ti piace la foto?" ascii wide
- $ = "hai visto questa foto?" ascii wide
- $ = "la foto e grandiosa!" ascii wide
- $ = "ti ricordi la Foto?" ascii wide
- $ = "conosci la persona in questa foto?" ascii wide
- $ = "chi e in questa foto?" ascii wide
- $ = "nu imi mai voi face niciodat poze!! toate ies urate ca asta." ascii wide
- $ = "spune-mi ce crezi despre poza asta." ascii wide
- $ = "asta e ce-a mai funny poza! tu ce zici?" ascii wide
- $ = "zimi ce crezi despre poza asta?" ascii wide
- $ = "pogled na ovu sliku" ascii wide
- $ = "bu resmi bakmak" ascii wide
- $ = "pozri sa na tento obr" ascii wide
- $ = "pogled na to sliko" ascii wide
- $ = "vaata seda pilti" ascii wide
- $ = "spojrzec na to zdjecie" ascii wide
- $ = "Ieskatieties " ascii wide
- $ = "kyk na hierdie foto" ascii wide
- $ = "tell me what you think of this picture i edited" ascii wide
- $ = "this is the funniest photo ever!" 
ascii wide
- $ = "tell me what you think of this photo" ascii wide
- $ = "i don't think i will ever sleep again after seeing this photo" ascii wide
- $ = "i cant believe i still have this picture" ascii wide
- $ = "should i make this my default picture?" ascii wide
- $ = "ken je dat foto nog?" ascii wide
- $ = "kijk wat voor een foto ik heb gevonden" ascii wide
- $ = "ik hoop dat jij het net bent op dit foto" ascii wide
- $ = "ben jij dat op dit foto?" ascii wide
- $ = "dit foto zal je echt eens bekijken!" ascii wide
- $ = "ken je dit foto al?" ascii wide
- $ = "olhar para esta foto" ascii wide
- $ = "devrais-je mettre cette photo de profile?" ascii wide
- $ = "c'est la photo la plus marrante!" ascii wide
- $ = "dis moi ce que tu pense de cette photo de moi?" ascii wide
- $ = "mes parents vont me tu" ascii wide
- $ = "creo que no voy a poder dormir m" ascii wide
- $ = "esta foto es gracios" ascii wide
- $ = "mis padres me van a matar si ven esta foto mia, que decis?" ascii wide
- $ = "mira como saliste en esta foto jajaja" ascii wide
- $ = "wie findest du das foto?" ascii wide
- $ = "hab ich dir das foto schon gezeigt?" ascii wide
- $ = "schau mal welches foto ich gefunden hab" ascii wide
- $ = "bist du das auf dem foto?" ascii wide
- $ = "kennst du das foto schon?" ascii wide
- $ = "I cant believe I still have this picture" ascii wide
- $ = "I love your picture!" ascii wide
- $ = "Is this you??" ascii wide
- $ = "Picture of you???" ascii wide
- $ = "Should I upload this picture on facebook?" ascii wide
- $ = "Someone showed me your picture" ascii wide
- $ = "Someone told me it's your picture" ascii wide
- $ = "Take a look at my new picture please" ascii wide
- $ = "Tell me what you think of this picture" ascii wide
- $ = "This is the funniest picture ever!" ascii wide
- $ = "What do you think of my new hair" ascii wide
- $ = "What you think of my new hair color?" ascii wide
- $ = "What you think of this picture?" 
ascii wide
- $ = "You look so beautiful on this picture" ascii wide
- $ = "You should take a look at this picture" ascii wide
- $ = "Your photo isn't really that great" ascii wide
-
- condition:
- 5 of them
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/g00dv1n/Worm.SillyP2P.yar b/yara-mikesxrs/g00dv1n/Worm.SillyP2P.yar
deleted file mode 100644
index 1bdcd66..0000000
--- a/yara-mikesxrs/g00dv1n/Worm.SillyP2P.yar
+++ /dev/null
@@ -1,19 +0,0 @@
-rule WormWin32SillyP2PSampleH
-{
- meta:
- Description = "Worm.Silly.sm"
- ThreatLevel = "5"
-
- strings:
- $ = "95BC789A" ascii wide
- $ = "svchosts.exe" ascii wide
- $ = "Failed to start dl thread." ascii wide
- $ = "wo8T#$>X&D" ascii wide
-
- $hex0 = { 55 8b ec 81 ec 8c 06 00 00 56 57 83 ?? ?? ?? ?? ?? ?? 8b ?? ?? b9 a5 00 00 00 8d ?? ?? ?? ?? ?? f3 ?? 68 04 01 00 00 8d ?? ?? ?? ?? ?? 50 68 68 42 40 00 ff ?? ?? ?? ?? ?? 8d ?? ?? ?? ?? ?? 50 6a 00 68 60 42 40 00 8d ?? ?? ?? ?? ?? 50 ff ?? ?? ?? ?? ?? 68 58 42 40 00 8d ?? ?? ?? ?? ?? 50 e8 ?? ?? ?? ?? 59 59 83 ?? ?? ?? ?? ?? ?? 74 ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? eb ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ff ?? ?? ?? ?? ?? 8d ?? ?? ?? ?? ?? 50 68 38 42 40 00 68 ff 01 00 00 8d ?? ?? ?? ?? ?? 50 e8 ?? ?? ?? ?? 83 c4 14 8d ?? ?? ?? ?? ?? 50 8d ?? ?? ?? ?? ?? 50 6a 06 ff ?? ?? e8 ?? ?? ?? ?? 83 c4 10 68 00 02 00 00 6a 00 8d ?? ?? ?? ?? ?? 50 e8 ?? ?? ?? ?? 83 c4 0c 8d ?? ?? ?? ?? ?? 50 ff ?? ?? ?? ?? ?? 8d ?? ?? ?? ?? ?? 50 e8 ?? ?? ?? ?? 83 c4 0c 89 ?? ?? ?? ?? ?? 8b ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 74 ?? 83 ?? ?? ?? ?? ?? ?? 74 ?? 83 ?? ?? ?? ?? ?? ?? 74 ?? eb ?? 68 64 41 40 00 68 28 42 40 00 68 ff 01 00 00 8d ?? ?? ?? ?? ?? 50 e8 ?? ?? ?? ?? 83 c4 10 eb ?? 8d ?? ?? ?? ?? ?? 50 68 0c 42 40 00 68 ff 01 00 00 8d ?? ?? ?? ?? ?? 50 e8 ?? ?? ?? ?? 83 c4 10 eb ?? 68 f0 41 40 00 68 ff 01 00 00 8d ?? ?? ?? ?? ?? 50 e8 ?? ?? ?? ?? 83 c4 0c eb ?? 68 c4 41 40 00 68 ff 01 00 00 8d ?? ?? ?? ?? ?? 50 e8 ?? ?? ?? ?? 83 c4 0c 8d ?? ?? ?? ?? ?? 50 8d ?? ?? ?? ?? ?? 50 6a 06 ff ?? ?? e8 ?? ?? ?? ?? 83 c4 10 68 00 02 00 00 6a 00 8d ?? ?? ?? ?? ?? 50 e8 ?? ?? ?? ?? 83 c4 0c 83 ?? ?? ?? ?? ?? ?? 75 ?? ff ?? ?? ?? ?? ?? 6a 00 ff ?? ?? ?? ?? ?? ff ?? ?? e8 ?? ?? ?? ?? 59 6a 00 ff ?? ?? ?? ?? ??}
- $hex1 = { 55 8b ec 81 ec 14 03 00 00 57 80 ?? ?? ?? ?? ?? ?? 6a 40 59 33 c0 8d ?? ?? ?? ?? ?? f3 ?? 66 ?? aa 80 ?? ?? ?? ?? ?? ?? 6a 40 59 33 c0 8d ?? ?? ?? ?? ?? f3 ?? 66 ?? aa 6a 03 8d ?? ?? ?? ?? ?? 
50 6a 00 ff ?? ?? ?? ?? ?? 50 ff ?? ?? ?? ?? ?? 80 ?? ?? ?? ?? ?? ?? 8d ?? ?? ?? ?? ?? 50 ff ?? ?? ?? ?? ?? 83 f8 02 75 ?? 6a 05 6a 00 8d ?? ?? ?? ?? ?? 50 68 48 41 40 00 68 40 41 40 00 6a 00 ff ?? ?? ?? ?? ?? 68 54 40 40 00 e8 ?? ?? ?? ?? 59 50 68 54 40 40 00 e8 ?? ?? ?? ?? 59 59 68 90 01 00 00 ff ?? ?? ?? ?? ?? 68 6c 40 40 00 6a 00 6a 00 ff ?? ?? ?? ?? ?? a3 ?? ?? ?? ?? ff ?? ?? ?? ?? ?? 3d b7 00 00 00 75 ?? 6a 00 ff ?? ?? ?? ?? ?? ff ?? ?? ?? ?? ?? 89 ?? ?? 68 34 41 40 00 ff ?? ?? e8 ?? ?? ?? ?? 59 59 85 c0 74 ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? e8 ?? ?? ?? ?? a0 ?? ?? ?? ?? 88 ?? ?? 8d ?? ?? 50 e8 ?? ?? ?? ??}
- $hex2 = { 55 8b ec 81 ec 10 03 00 00 83 ?? ?? ?? ?? ?? ?? 68 04 01 00 00 8d ?? ?? ?? ?? ?? 50 6a 00 ff ?? ?? ?? ?? ?? 50 ff ?? ?? ?? ?? ?? 68 04 01 00 00 8d ?? ?? ?? ?? ?? 50 68 78 40 40 00 ff ?? ?? ?? ?? ?? 68 84 40 40 00 8d ?? ?? ?? ?? ?? 50 68 74 42 40 00 8d ?? ?? ?? ?? ?? 50 e8 ?? ?? ?? ?? 83 c4 10 68 84 40 40 00 8d ?? ?? ?? ?? ?? 50 e8 ?? ?? ?? ?? 59 59 85 c0 0f ?? ?? ?? ?? ?? 6a 00 8d ?? ?? ?? ?? ?? 50 6a 00 68 3f 00 0f 00 6a 00 6a 00 6a 00 68 c0 42 40 00 68 01 00 00 80 ff ?? ?? ?? ?? ?? 8d ?? ?? ?? ?? ?? 50 e8 ?? ?? ?? ?? 59 50 8d ?? ?? ?? ?? ?? 50 6a 01 6a 00 68 94 40 40 00 ff ?? ?? ?? ?? ?? ff ?? ?? ?? ?? ?? ff ?? ?? ?? ?? ?? ff ?? ?? ?? ?? ?? 6a 00 8d ?? ?? ?? ?? ?? 50 6a 00 68 3f 00 0f 00 6a 00 6a 00 6a 00 68 c0 42 40 00 68 02 00 00 80 ff ?? ?? ?? ?? ?? 8d ?? ?? ?? ?? ?? 50 e8 ?? ?? ?? ?? 59 50 8d ?? ?? ?? ?? ?? 50 6a 01 6a 00 68 94 40 40 00 ff ?? ?? ?? ?? ?? ff ?? ?? ?? ?? ?? ff ?? ?? ?? ?? ?? ff ?? ?? ?? ?? ?? 6a 00 8d ?? ?? ?? ?? ?? 50 6a 00 68 3f 00 0f 00 6a 00 6a 00 6a 00 68 7c 42 40 00 68 02 00 00 80 ff ?? ?? ?? ?? ?? 8d ?? ?? ?? ?? ?? 50 e8 ?? ?? ?? ?? 59 50 8d ?? ?? ?? ?? ?? 50 6a 01 6a 00 68 94 40 40 00 ff ?? ?? ?? ?? ?? ff ?? ?? ?? ?? ?? ff ?? ?? ?? ?? ?? ff ?? ?? ?? ?? ?? 68 34 41 40 00 8d ?? ?? ?? ?? ?? 50 e8 ?? ?? ?? ?? 59 59 0f b6 c0 85 c0 74 ?? 68 c8 00 00 00 ff ?? ?? ?? ?? ?? ff ?? ?? ?? ?? ?? 6a 00 ff ?? ?? ?? ?? ?? 6a 00 ff ?? 
?? ?? ?? ?? c9 c3}
-
- condition:
- (3 of them) or (any of ($hex*))
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/g00dv1n/Worm.SkypeSpamer.yar b/yara-mikesxrs/g00dv1n/Worm.SkypeSpamer.yar
deleted file mode 100644
index 115935a..0000000
--- a/yara-mikesxrs/g00dv1n/Worm.SkypeSpamer.yar
+++ /dev/null
@@ -1,13 +0,0 @@
-rule WormSkypeMsgSpamerSample
-{
- meta:
- Description = "Worm.SkypeSpamer.sm"
- ThreatLevel = "5"
-
- strings:
- $code = { 6A FF 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 81 EC ?? ?? ?? ?? 53 55 56 57 33 DB 68 ?? ?? ?? ?? 88 5C 24 17 E8 ?? ?? ?? ?? 83 C4 04 85 C0 75 34 68 96 00 00 00 FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 04 83 F8 01 75 10 E8 ?? ?? ?? ?? 3C 01 75 23 53 FF 15 ?? ?? ?? ?? 53 FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 }
- $a = "Skype.exe" ascii wide
- $b = "msnmsgr.exe" ascii wide
- condition:
- 2 of them
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/g00dv1n/g00dvin_index.yara b/yara-mikesxrs/g00dv1n/g00dvin_index.yara
deleted file mode 100644
index b64a6d8..0000000
--- a/yara-mikesxrs/g00dv1n/g00dvin_index.yara
+++ /dev/null
@@ -1,3548 +0,0 @@
-rule AdwareAdGazelleSample
-{
- meta:
- Description = "Adware.AdGazelle.vb"
- ThreatLevel = "5"
-
- strings:
-
- $ = "D:\\popajar3" ascii wide
- $ = "squeakychocolate" ascii wide
- $ = "squeaky chocolate" ascii wide
- $ = "adxloader.dll" ascii wide
- $ = "adxloader.pdb" ascii wide
- $ = "adxloader64.dll" ascii wide
- $ = "adxloader64.pdb" ascii wide
- $ = "d:\\Products\\ADX.IE.8" ascii wide
-
- condition:
- any of them
-}rule AdwareAdpeakSample
-{
- meta:
- Description = "Adware.Adpeak.vb"
- ThreatLevel = "5"
-
- strings:
-
- $ = "dealcabby.dll" ascii wide
- $ = "getsavin.dll" ascii wide
-
- condition:
- any of them
-}rule AdwarePricePeepSample
-{
- meta:
- Description = "Adware.PricePeep.vb"
- ThreatLevel = "5"
-
- strings:
-
- $ = "BrandedUpdater" ascii wide
- $ = "default_browser" ascii wide
- $ = "LaunchDefaultBrowser" ascii wide
- $ = "LaunchBrowser" ascii wide
-
- $a1 = "InstallUtil.pdb" ascii wide
- $a2 = "C:\\managed\\root\\VTG_" ascii wide
- $a3 = "InstallUtil.pdb" ascii wide
- $a4 = "BrandedUpdater.pdb" ascii wide
- //$a5 = "PricePeep" ascii wide
- $a6 = "InstallUtil.cpp" ascii wide
- $a7 = "BrandedUpdater.cpp" ascii wide
-
- condition:
- (3 of them) or (any of ($a*))
-}rule BetterSurfASample
-{
- meta:
- Description = "Adware.BetterSurf.A.vb"
- ThreatLevel = "5"
-
- strings:
- $n1 = "Media Buzz" ascii wide
- $n2 = "MediaBuzz" ascii wide
-
- //$script1 = "document.getElementById('wsu_js" ascii wide
- //$script2 = "script.setAttribute('id','wsu_js" ascii wide
-
- condition:
- all of ($n*)
-}rule AdwareBrowseFoxSample
-{
- meta:
- Description = "Adware.BrowseFox.vb"
- ThreatLevel = "5"
-
- strings:
-
- $a2 = ".expextdll.dll" ascii wide
- $a3 = ".IEUpdate.pdb" ascii wide
- $a4 = ".Repmon.dll" ascii wide
- $a5 = ".BRT.Helper.exe" ascii wide
- $a6 = ".BrowserAdapter.pdb" ascii wide
- $a7 = ".expextdll.dll" ascii wide
- $a8 = ".browseradapter64.exe" ascii wide
- $a9 = ".purbrowse.exe" ascii wide
- $a10 = "BrowserFilter.exe" ascii wide
- $a11 
= ".Bromon.dll" ascii wide
- $a12 = ".OfSvc.dll" ascii wide
- $a13 = ".GCUpdate.dll" ascii wide
- $a14 = ".BroStats.dll" ascii wide
- $a15 = ".BOAS.dll" ascii wide
- $a16 = ".BrowserAdapterS.dll" ascii wide
- $a17 = ".PurBrowse64.exe" ascii wide
-
- $b1 = "system32\\drivers\\%s.sys" ascii wide
- $b2 = "FilterApp" ascii wide
-
- condition:
- (any of ($a*)) or (all of ($b*))
-}rule ConduitASample
-{
- meta:
- Description = "Adware.Conduit.A.vb"
- ThreatLevel = "5"
-
- strings:
- $ = "GetSpeedBrowserInstalled" ascii wide
- $ = "SpeedBrowserAlreadyInstalled" ascii wide
- $ = "Injekt SVN - client" ascii wide
-
- condition:
- any of them
-}
-
-rule ConduitBSample
-{
- meta:
- Description = "Adware.Conduit.B.vb"
- ThreatLevel = "5"
-
- strings:
- $ = "CAboutTabsInjector_" ascii wide
- $ = "AboutTabsDataUrlPublisher" ascii wide
- $ = "AboutTabsDataUrlConduit" ascii wide
- $ = "AboutTabsUsageUrl" ascii wide
- $ = "AboutTabsEnabledByUser" ascii wide
- $ = "AboutTabsEnabledByConduit" ascii wide
- $ = "AboutTabsEnabledByPublisher" ascii wide
- $ = "SearchInNewTabContent.xml" ascii wide
- $ = "CONDUIT_CHEVRON_MUTEX" ascii wide
- $ = "CConduitExternalForTBAPI" ascii wide
- $ = "EI_Toolbar_Update_Mutex" ascii wide
-
- condition:
- any of them
-}rule AdwareConvertAdSample
-{
- meta:
- Description = "Adware.ConvertAd.vb"
- ThreatLevel = "5"
-
- strings:
-
- $ = "http://download-servers.com/SysInfo/adrouteservice/adrouter.php" ascii wide
- $ = "ConvertAd.html" ascii wide
- $ = "ConvertAd.exe" ascii wide
-
- condition:
- any of them
-}rule AdwareCrossriderSampleA
-{
- meta:
- Description = "Adware.Crossrider.A.sm"
- ThreatLevel = "5"
-
- strings:
- $ = "-bho.dll" ascii wide
- $ = "-bho64.dll" ascii wide
- $ = "-buttonutil64.dll" ascii wide
- $ = "-buttonutil.dll" ascii wide
- $ = "-BrowserEventSandBox" ascii wide
- $ = "CrossriderApp" ascii wide
- $ = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths\\chrome.exe" ascii wide
- $ = 
"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths\\firefox.exe" ascii wide
- $ = "IEInject_Win32.dll" ascii wide
- $ = "bg_debug.js" ascii wide
- $ = "new_debug.js" ascii wide
- $ = "Browser Process id" ascii wide
- $ = "BHO Process id" ascii wide
- $ = "BhoRunningVersion" ascii wide
- $ = "-nova64.dll" ascii wide
-
- $str1 = "crossrider-buttonutil.pdb" ascii wide
- $str2 = "AVCCrossriderButtonHelper" ascii wide
- $str3 = "AVCCrossRiderLogger" ascii wide
- $str5 = "AddCrossRiderSearchProvider" ascii wide
- $str6 = "C:\\BUILD_AVZR2\\WhiteRabbit" ascii wide
- $str7 = "CrossriderBHO" ascii wide
- $str8 = "215AppVerifier" ascii wide
- $str9 = "Crossrider BHO Version" ascii wide
- $str10 = "brightcircleinvestments.com" ascii wide
- $str11 = "CrossriderNotification.pdb" ascii wide
- $str12 = "C:\\Users\\cross\\Desktop\\compilation_bot_area" ascii wide
- condition:
- (3 of them) or (any of ($str*))
-}
-
-rule AdwareCrossriderSampleB
-{
- meta:
- Description = "Adware.Crossrider.B.vb"
- ThreatLevel = "5"
-
- strings:
- $ = "crossbrowse/updater/{{camp_id}}/{{version}}/{{secret}}/update.json" ascii wide
- $ = "Crossbrowse\\Crossbrowse\\Application\\crossbrowse.exe" ascii wide
- $ = "allnetserveline.com/crossbrowse" ascii wide
- $ = "C:\\workspace\\crossbrowse" ascii wide
- $ = "CrossriderBrowserInstaller.pdb" ascii wide
-
- condition:
- any of them
-}
-rule AdwareDealPlySample
-{
- meta:
- Description = "Adware.DealPly.vb"
- ThreatLevel = "5"
-
- strings:
-
- $ = "dealply.prq" ascii wide
-
- condition:
- any of them
-}rule AdwareDlhelperAdSample
-{
- meta:
- Description = "Adware.Dlhelper.vb"
- ThreatLevel = "5"
-
- strings:
-
- $ = "trifonov@onegbsoft.ru" ascii wide
- $ = "bulovackiy@dontehnoservis.com.ua" ascii wide
- $ = "contacts@dayzgames.com" ascii wide
- $ = "admin@mayris.org" ascii wide
-
- $ = "Panel_OffersList" ascii wide
-
- $ = "support@dlhelper.com" ascii wide
- $ = "http://dlhelper.com" ascii wide
-
- $ = "http://sendme9.ru" ascii wide
- $ = 
"http://sendme3.ru" ascii wide
- $ = "http://trustfile3.ru" ascii wide
- $ = "http://trustfile9.ru" ascii wide
- $ = "http://downloaditeasy.ru" ascii wide
-
- condition:
- any of them
-}rule AdwareDownloaderA
-{
- meta:
- Description = "Adware.Downloader.A.vb"
- ThreatLevel = "5"
-
- strings:
-
- $ = "odiassi" ascii wide
- $ = "stavers" ascii wide
- $ = "trollimog" ascii wide
- $ = "diapause" ascii wide
- $ = "UserControl1" ascii wide
- $ = "listboxmod01" ascii wide
-
- condition:
- all of them
-}rule AdwareELEXSampleA
-{
- meta:
- Description = "Adware.ELEX.A.vb"
- ThreatLevel = "5"
-
- strings:
-
- $ = "www.freeappstools.com" ascii wide
- $ = "dl.elex.soft365.com" ascii wide
- $ = "E:\\Code\\FileSyn\\Bin" ascii wide
- $ = "E:\\Code_SVN\\FileSyn\\Bin" ascii wide
-
- condition:
- any of them
-}
-
-
-rule AdwareELEXSampleB
-{
- meta:
- Description = "Adware.ELEX.B.vb"
- ThreatLevel = "5"
-
- strings:
-
- $pdb = "Release\\SFKEX.pdb" ascii wide
- $ = "21e223b3f0c97db3c281da1g7zccaefozzjcktmlma" ascii wide
- $ = "http://xa.xingcloud.com/v4/sof-everything" ascii wide
- $ = "http://www.mysearch123.com" ascii wide
- $ = "SFKEX.exe" ascii wide
- $ = "SFKEX.dll" ascii wide
- $ = "SFKURL" ascii wide
-
- condition:
- 2 of them
-}
-
-
-rule AdwareELEXSampleCommon
-{
- meta:
- Description = "Adware.ELEX.vb"
- ThreatLevel = "5"
-
- strings:
-
- $ = "\\Mozilla\\Firefox\\" ascii wide
- $ = "profiles.ini" ascii wide
- $ = "Profile0" ascii wide
- $ = "\\prefs.js" ascii wide
- $ = "\\Google\\Chrome\\User Data\\" ascii wide
- $ = "\\Secure Preferences" ascii wide
- $ = "Software\\Microsoft\\Internet Explorer\\Main" ascii wide
- $ = "Start Page" ascii wide
- $ = "chrome.exe" ascii wide
- $ = "iexplore.exe" ascii wide
- $ = "firefox.exe" ascii wide
- $ = "user_pref" ascii wide
- $ = "browser.startup.homepage" ascii wide
- $ = "startup_urls" ascii wide
-
- condition:
- all of them
-}rule AdwareStormWatchSample
-{
- meta:
- Description = "Adware.StormWatch.vb"
- ThreatLevel = "5"
-
- 
strings:
-
- $ = "localstormwatch.com" ascii wide
- $ = "StormWatch.pdb" ascii wide
- $ = "StormWatch.exe" ascii wide
- $ = "ActiveDeals" ascii wide
-
- condition:
- any of them
-}rule AdwareGenieoSample
-{
- meta:
- Description = "Adware.Genieo.vb"
- ThreatLevel = "5"
-
- strings:
- $h1 = "gentray.pdb" ascii wide
- $h2 = "genupdater.pdb" ascii wide
- $h3 = "www.genieo.com" ascii wide
- $h4 = "userfeedback-genieo.appspot.com" ascii wide
- $h5 = "Genieo Innovation LTD" ascii wide
-
- $str1 = "Software\\Genieo" ascii wide
- $str2 = "SOFTWARE\\Genieo" ascii wide
-
- $str5 = "genieo.exe" ascii wide
- $str6 = "genieutils.exe" ascii wide
- $str7 = "genupdater.exe" ascii wide
-
- $str8 = "__Genieo_" ascii wide
- $str9 = "GenieoUpdaterServiceCleaner" ascii wide
- $str10 = "GENIEO_TRAY_UI" ascii wide
-
- condition:
- any of them
-}rule AdwareImaliSample
-{
- meta:
- Description = "Adware.Imali.vb"
- ThreatLevel = "5"
-
- strings:
-
- $ = "www.freemediaplayer.tv" ascii wide
-
- condition:
- any of them
-}rule AdwareInstallCoreSample
-{
- meta:
- Description = "Adware.InstallCore.vb"
- ThreatLevel = "5"
-
- strings:
-
- $ = "www.mynicepicks.com" ascii wide
- $ = "www.ultimatepdfconverter.com" ascii wide
- $ = "www.coolpdfcreator.com" ascii wide
- $ = "cdnus.ironcdn.com" ascii wide
- $ = "esd.baixaki.com.br" ascii wide
- $ = "cdneu2.programmersupply.com" ascii wide
-
- condition:
- any of them
-}rule LinkuryASample
-{
- meta:
- Description = "Adware.Linkury.A.vb"
- ThreatLevel = "5"
-
- strings:
- $ = "Smartbar" ascii wide
- $ = "Linkury" ascii wide
- $ = "ChromeUtils" ascii wide
- $ = "FirefoxUtils" ascii wide
- $ = "AddBundledSoftware" ascii wide
- $ = "UpdateToolbarState" ascii wide
- $ = "New Tab Search" ascii wide
- $ = "get_BrowserIsOpen" ascii wide
- $ = "get_BetterSearchResults" ascii wide
- $ = "get_AllYourBrowsers" ascii wide
- $ = "get_ChangeHomepageAndSearch" ascii wide
- $ = "get_BrowserSettingsProtectOk" ascii wide
- $ = "get_BrowserSettingsChange" ascii wide
- $ 
= "get_BrowserSettingsProtectChange" ascii wide
- $ = "get_BrowserSettingsProtectDescription" ascii wide
- $ = "get_BrowserSettingsProtectHeader" ascii wide
- $ = "get_BrowserSettingsProtectKeep" ascii wide
-
- condition:
- 2 of them
-}
-
-rule LinkuryBSample
-{
- meta:
- Description = "Adware.Linkury.B.vb"
- ThreatLevel = "5"
-
- strings:
- $ = "C:\\Cranberry\\bin\\CaraDelevigne\\Cara.pdb" ascii wide
-
- condition:
- any of them
-}rule MyWebSearchSample
-{
- meta:
- Description = "Adware.MyWebSearch.vb"
- ThreatLevel = "5"
-
- strings:
- $ = "t8Setup1.pdb" ascii wide
- $ = "t8EIPlug.pdb" ascii wide
- $ = "t8EzSetp.pdb" ascii wide
- $ = "NPt8EISB.pdb" ascii wide
- $ = "Mindspark Interactive Network" ascii wide
- $ = "mindspark.com" ascii wide
-
- condition:
- any of them
-}rule NextLiveSample
-{
- meta:
- Description = "Adware.NextLive.vb"
- ThreatLevel = "5"
-
- strings:
-
- $ = "nengine.pdb" ascii wide
- $ = "nengine.dll" ascii wide
- $ = "D:\\svn.thecodeway.com\\private\\nlive\\trunk" ascii wide
-
- condition:
- any of them
-}rule ObronaAdsSample
-{
- meta:
- Description = "Adware.ObronaAds.vb"
- ThreatLevel = "5"
-
- strings:
- $i1 = "ObronaBlockAds" ascii wide
- $i2 = "Obrona Block Ads" ascii wide
- $i3 = "ObronaVPN" ascii wide
- $i4 = "OBRONA_PROXY" ascii wide
- $i5 = "SecurityAndShoppingAdvisor" ascii wide
- $i6 = "SASAService" ascii wide
- $i7 = "http://update.obrona.org" ascii wide
- $i8 = "Proxy-agent: SASA Proxy" ascii wide
- $i9 = "Proxy\\AdsInjectionContentProvider.cpp" ascii wide
-
- $ = "sendBrowsersHistoryKeywords" ascii wide
- $ = "startWatcher" ascii wide
- $ = "HelperApplication" ascii wide
- $ = "enableAds" ascii wide
- $ = "enableInjecting" ascii wide
- $ = "disableInjecting" ascii wide
- $ = "requestNewAdsUrl" ascii wide
- $ = "requestAdsIgnoredDomains" ascii wide
- $ = "startSendingSearchKeywords" ascii wide
- $ = "AdsService" ascii wide
- $ = "ServiceProxy.cpp" ascii wide
- $ = "HelperApplication.cpp" ascii wide
- $ = "Updater.cpp" ascii
- $ 
= "WebProxy.cpp" ascii wide
-
- condition:
- (any of ($i*)) or (3 of them)
-}rule AdwareOpenCandySample
-{
- meta:
- Description = "Adware.OpenCandy.vb"
- ThreatLevel = "5"
-
- strings:
-
- $ = "http://cdn.opencandy.com" ascii wide
-
- condition:
- any of them
-}rule AdwareOutBrowseSample
-{
- meta:
- Description = "Adware.OutBrowse.vb"
- ThreatLevel = "5"
-
- strings:
-
- $ = "cdn.install.playbryte.com" ascii wide
- $ = "download.2yourface.com" ascii wide
- $ = "www.default-page.com" ascii wide
- $ = "install2.optimum-installer.com" ascii wide
- $ = "downloadzone.org" ascii wide
-
- condition:
- any of them
-}rule AdwarePullUpdateSample
-{
- meta:
- Description = "Adware.PullUpdate.vb"
- ThreatLevel = "5"
-
- strings:
- $ = "gettvwizard.com" ascii wide
- $ = "getsharethis.com" ascii wide
- $ = "thewebguard.com" ascii wide
- $ = "astro-arcade.com" ascii wide
- $ = "instashareonline.com" ascii wide
- $ = "safewebonline.com" ascii wide
- $ = "downloadmeteoroids.com" ascii wide
- $ = "moviemasterapp.com" ascii wide
- $ = "watchzombieinvasion.com" ascii wide
- $ = "freevideoconverterapp.com" ascii wide
-
- // $ = "TVWizard" ascii wide
- //$ = "TV Wizard" ascii wide
- $ = "AstroArcade" ascii wide
- $ = "WebGuard Deleter" ascii wide
- $ = "SmallIslandDevelopment" ascii wide
-
- $ = "AVFirefoxCookieReader" ascii wide
- $ = "AVChromeCookieReader" ascii wide
- $ = "AVInternetExplorerCookieReader" ascii wide
- $ = "AVBrowserCookieReader" ascii wide
- $ = "Data Protection Solutions" ascii wide
-
-
- $ = "VideoDimmer.exe" ascii wide
- $ = "VideoDimmerService.exe" ascii wide
-
- $ = "WebGuard.exe" ascii wide
- $ = "WebGuardService.exe" ascii wide
-
- $ = "HealthAlert.exe" ascii wide
- $ = "HealthAlertService.exe" ascii wide
-
- $ = "CrimeWatch.exe" ascii wide
- $ = "CrimeWatchService.exe" ascii wide
-
- $ = "SafeWeb.exe" ascii wide
- $ = "SafeWebService.exe" ascii wide
-
- $ = "Meteoroids.exe" ascii wide
- $ = "MeteoroidsService.exe" ascii wide
-
- $ = "Websteroids.exe" ascii 
wide
- $ = "WebsteroidsService.exe" ascii wide
-
- $ = "WebShield.exe" ascii wide
- $ = "WebShieldService.exe" ascii wide
-
- $ = "ZombieNews.exe" ascii wide
- $ = "ZombieNewsService.exe" ascii wide
-
- $ = "CelebrityAlertService.exe" ascii wide
- $ = "CelebrityAlert.exe" ascii wide
-
- $ = "MovieMaster.exe" ascii wide
- $ = "MovieMasterService.exe" ascii wide
-
- $ = "ZombieInvasionService.exe" ascii wide
- $ = "ZombieInvasion.exe" ascii wide
-
- $ = "BreakingNewsAlertService.exe" ascii wide
- $ = "BreakingNewsAlert.exe" ascii wide
-
- condition:
- any of them
-}rule SearchProtectSample
-{
- meta:
- Description = "Adware.SProtect.vb"
- ThreatLevel = "5"
-
- strings:
- $ = "Search Protect" ascii wide
- $ = "SearchProtect" ascii wide
- $ = "Search Protector" ascii wide
- $ = "SearchProtector" ascii wide
- $ = "ClientConnect" ascii wide
- $ = "SPVC32.dll" ascii wide
- $ = "SPVC32Loader.dll" ascii wide
- $ = "SPVC64.dll" ascii wide
- $ = "SPVC64Loader.dll" ascii wide
- $ = "SProtector" ascii wide
- $ = "AppendInit.dll" ascii wide
- $ = "{12DA0E6F-5543-440C-BAA2-28BF01070AFA}" ascii wide
- $pdb1 = "CltMngSvc.pdb" ascii wide
- $pdb2 = "SPtool.pdb" ascii wide
- $pdb3 = "SPtool64.pdb" ascii wide
- $pdb4 = "SPVC32.pdb" ascii wide
- $pdb5 = "SPVC64.pdb" ascii wide
- $pdb6 = "SPVC32Loader.pdb" ascii wide
- $pdb7 = "SPVC64Loader.pdb" ascii wide
- $pdb8 = "cltmng.pdb" ascii wide
- $pdb9 = "MiniStubUtils.pdb" ascii wide
- $pdb10 = "Search Protector" ascii wide
- $pdb11 = "%programfiles%\\Free Offers from" ascii wide
- $pdb12 = "TestSearchProtect" ascii wide
- $pdb13 = "ProtectService.pdb" ascii wide
- $pdb14 = "E:\\supsoft" ascii wide
- $pdb15 = "BrowerWatch.dll" ascii wide
-
- condition:
- (2 of them) or (any of ($pdb*))
-}rule SearchSuiteSample
-{
- meta:
- Description = "Adware.SearchSuite.vb"
- ThreatLevel = "5"
-
- strings:
- //$ = "SearchSuite" ascii wide
- $ = "searchcore.net" ascii wide
- $ = "searchnu.com" ascii wide
- $ = "searchqu.com" ascii wide
- $ = 
"searchsheet.com" ascii wide
- $ = "adoresearch.com" ascii wide
- $ = "newsearchtab.com" ascii wide
- $ = "searchsupreme.com" ascii wide
- $ = "mlsearch.com" ascii wide
- $ = "insertsearch.com" ascii wide
- $ = "gotsearch.com" ascii wide
- $ = "search.ask.com" ascii wide
- $ = "search-results.com" ascii wide
- $ = "default-search.net" ascii wide
- $ = "imesh web search" ascii wide
-
- condition:
- any of them
-}rule AdwareSendoriSample
-{
- meta:
- Description = "Adware.Sendori.vb"
- ThreatLevel = "5"
-
- strings:
- $ = "SendoriSvc.pdb" ascii wide
- $ = "SendoriTray.pdb" ascii wide
- $ = "sendori64f.sys" ascii wide
- $ = "sendori64r.sys" ascii wide
- $ = "sendori32.sys" ascii wide
- $ = "Sendori.dll" ascii wide
- $ = "SendoriProxy.dll" ascii wide
- $ = "SendoriUp.exe" ascii wide
- $ = "SendoriSvc.exe" ascii wide
- $ = "SendoriTray.exe" ascii wide
- $ = "SendoriControl.exe" ascii wide
- $ = "sendori-win-upgrader.exe" ascii wide
- $ = "\\\\.\\pipe\\Sendori" ascii wide
- $ = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Sendori" ascii wide
- $ = "SOFTWARE\\Sendori" ascii wide
- $ = "Sendori, Inc" ascii wide
- $ = "Sendori Service" ascii wide
- $ = "Service Sendori" ascii wide
- $ = "Application Sendori" ascii wide
- $ = "SendoriLSP" ascii wide
- $ = "Sendori Elevated Service Controller" ascii wide
- $ = "Sendori-Client" ascii wide
- $ = "SENDORI_UPGRADE_ASSISTANT" ascii wide
-
- condition:
- any of them
-}rule SimplyTechSample
-{
- meta:
- Description = "Adware.SimplyTech.vb"
- ThreatLevel = "5"
-
- strings:
- $ = "wtb_64.pdb" ascii wide
- $ = "wtb_64.DLL" ascii wide
- $ = "wtb.ToolbarInfo" ascii wide
- $ = "Surf Canyon" ascii wide
- $ = "surfcanyon" ascii wide
-
- condition:
- any of them
-}rule SmartAppsSample
-{
- meta:
- Description = "Adware.SmartApps.vb"
- ThreatLevel = "5"
-
- strings:
-
- $a1 = "Unicows.dll" ascii wide
- $a2 = "FrameworkBHO.DLL" ascii wide
- $a3 = "URLDownloadToFile" ascii wide
- $a4 = "getExtensionFileContents" ascii wide
- $a5 = 
"Toolbar" ascii wide
- $a6 = "GdiplusStartup" ascii wide
-
- $b1 = "getCookieW" ascii wide
- $b2 = "setCookieW" ascii wide
- $b3 = "InternetSetCookieW" ascii wide
- $b5 = "InternetGetCookieExW" ascii wide
-
- condition:
- (all of ($b*)) and (any of ($a*))
-}rule AdwareSolimbdaSample
-{
- meta:
- Description = "Adware.Solimbda.vb"
- ThreatLevel = "5"
-
- strings:
- $ = "http://api.downloadmr.com" ascii wide
- $ = "SuggestedApps" ascii wide
-
- condition:
- all of them
-}rule TriorisSample
-{
- meta:
- Description = "Adware.Trioris.vb"
- ThreatLevel = "5"
-
- strings:
- $ = "instamarket.js" ascii wide
- $ = "instamarketoff.js" ascii wide
- $ = "trioris.net" ascii wide
- $ = "storegid.com" ascii wide
- $ = "screentoolkit.com" ascii wide
- $ = "Sergey Cherezov" ascii wide
-
- condition:
- any of them
-}rule AdwareVitruvianSample
-{
- meta:
- Description = "Adware.Vitruvian.vb"
- ThreatLevel = "5"
-
- strings:
- $ = "WordProser" ascii wide
- $ = "vitruvian" ascii wide
- $ = "gethighlightly.com" ascii wide
- $ = "betterbrainapp.com" ascii wide
- $ = "wordproser.com" ascii wide
- $ = "intellitermapp.com" ascii wide
- $ = "BetterBrainClientIE.pdb" ascii wide
-
- condition:
- any of them
-}rule AdwareWajamSample
-{
- meta:
- Description = "Adware.Wajam.vb"
- ThreatLevel = "5"
-
- strings:
-
- $ = "fastnfreedownload.com" ascii wide
- $ = "InternetEnhancer.exe" ascii wide
- $ = "InternetEnhancerService.exe" ascii wide
- $ = "WJManifest" ascii wide
- $ = "WaInterEnhance" ascii wide
- $ = "ping_wajam" ascii wide
- $ = "D:\\jenkins\\workspace" ascii wide
- $ = "WajamService" ascii wide
- $ = "AVCWJService" ascii wide
- $ = "Internet Enhancer Service" ascii wide
-
- $a1 = "WajamInternetEnhancerService.pdb" ascii wide
- $a4 = "WHttpServer.pdb" ascii wide
- $a2 = "Wajam. 
All right reserved" ascii wide
- $a3 = "Wajam.Proxy" ascii wide
-
- condition:
- (3 of them) or (any of ($a*))
-}rule RootkitSampleDriverAgony
-{
- meta:
- Description = "Trojan.Agony.sm"
- ThreatLevel = "5"
-
- strings:
- $ = "DosDevices\\agony" ascii wide
- $ = "Device\\agony" ascii wide
- $ = "VOLUME.INI" ascii wide
- $ = "ERVICES.EXE" ascii wide
- $ = "ervices.exe" ascii wide
- $ = "agony rootkit" ascii wide
- $ = "agony" ascii wide
- $ = "for exemple: agony -p process1.exe process2.exe" ascii wide
- $a = "i386\\agony.pdb" ascii wide
-
- condition:
- (3 of them) or $a
-}
-
-rule AdwareSampleWebTools
-{
- meta:
- Description = "Adware.WebTools.sm"
- ThreatLevel = "5"
-
- strings:
- $ = "IEctrl.log" ascii wide
- $ = "agony" ascii wide
- $s1 = "Gates.pdb" ascii wide
- $s0 = "GatesInstall.pdb" ascii wide
- $s2 = "IECtrl.pdb" ascii wide
- $s3 = "svch0st.exe" ascii wide
- $s4 = "SESDKDummy.dll" ascii wide
- $s5 = "SESDKDummy64.dll" ascii wide
-
- condition:
- (3 of them) or (any of ($s*))
-}rule AdwareWebWatcherSample
-{
- meta:
- Description = "Adware.WebWatcher.vb"
- ThreatLevel = "5"
-
- strings:
- $ = "E:\\BuildSource\\7\\WindowsClient\\WindowsClient.Client.RC\\Binaries" ascii wide
- $ = "Release DlpHook\\mcapp.pdb" ascii wide
- $ = "Release DlpHook\\mcsc.pdb" ascii wide
- $ = "Release Sonar\\Shim64.pdb" ascii wide
- $ = "Release Sonar\\Shim.pdb" ascii wide
-
- condition:
- any of them
-}rule AdwareiBryteSample
-{
- meta:
- Description = "Adware.iBryte.vb"
- ThreatLevel = "5"
-
- strings:
-
- $ = "install.ibryte.com" ascii wide
- $ = "pn-installer28.com" ascii wide
-
- condition:
- any of them
-}rule AdwareUCSKoreaSample
-{
- meta:
- Description = "Adware.uKor.sm"
- ThreatLevel = "5"
-
- strings:
- $ = "_uninstall_Mutex" ascii wide
- $ = "_updater_Mutex" ascii wide
- $ = "_main_Mutex" ascii wide
- $ = "_install_Mutex" ascii wide
- $ = "main_agent" ascii wide
- $ = "updater_agent" ascii wide
- $ = "APP/bundle.php" ascii wide
- $ = "APP/update_ck.php?v1" ascii wide
- $ = "APP/bundle_stat.php?v1" ascii wide
- $ = "APP/stat.php?v1" ascii wide
- $ = "co.kr/mbk.php?v1" ascii wide
- $ = "co.kr/etc/yak_app.htm" ascii wide
-
- $hex1 = { 51 a1 ?? ?? ?? ?? 56 68 80 1f 40 00 50 ff ?? ?? ?? ?? ?? a3 ?? ?? ?? ?? 85 c0 0f ?? ?? ?? ?? ?? 33 d2 68 b8 0b 00 00 8d ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? e8 ?? ?? ?? ?? 83 c4 04 85 c0 74 ?? 68 3f 00 0f 00 6a 00 6a 00 ff ?? ?? ?? ?? ?? 85 c0 74 ?? 8b ?? ?? ?? ?? ?? 68 ff 01 0f 00 51 50 ff ?? ?? ?? ?? ?? 8b f0 85 f6 74 ?? 6a 00 6a 04 e8 ?? ?? ?? ?? 83 c4 08 68 c8 e8 41 00 ff ?? ?? ?? ?? ?? e8 ?? ?? ?? ?? 6a 00 6a 01 e8 ?? ?? ?? ?? 83 c4 08 eb ?? 8b ?? ?? ?? 68 28 6e 42 00 6a 01 56 ff ?? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 5e 74 ?? 6a 00 ff ?? ?? ?? ?? ?? 8b d0 b8 01 00 00 00 e8 ?? ?? ?? ?? 83 c4 04 59 c2 08 00}
-
- condition:
- (2 of them) or (any of ($hex*))
-}rule BladabindiASample
-{
- meta:
- Description = "Backdoor.Bladabindi.A.vb"
- ThreatLevel = "5"
-
- strings:
- $ = "shutdown -r -t 00" ascii wide
- $ = "netsh firewall add allowedprogram" ascii wide
- $ = "netsh firewall delete allowedprogram" ascii wide
- $ = "cmd.exe /k ping 0 & del" ascii wide
- $ = "ReceiveBufferSize" ascii wide
- $ = "SendBufferSize" ascii wide
- $ = "restartcomputer" ascii wide
- $ = "NoWindowsUpdate" ascii wide
- $ = "winupdateoff" ascii wide
- $ = "DisableTaskMgr" ascii wide
- $ = "set cdaudio door closed" ascii wide
- $ = "set cdaudio door open" ascii wide
- $ = "VMDragDetectWndClass" ascii wide
- $ = "%dark%" ascii wide
- $ = "microwaveone.ddns.net" ascii wide
-
- condition:
- 5 of them
-}rule BackdoorDediprosA
-{
- meta:
- Description = "Backdoor.Dedipros.rc"
- ThreatLevel = "5"
-
- strings:
- $ = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/advapi32.dll" ascii wide
- $ = "rundll32.exe %s, CodeMain lpServiceName" ascii wide
- $ = "C:\\Windows\\System32\\Rundlla.dll" ascii wide
- $ = "s%\\pmeT\\SWODNIW\\:C" ascii wide
- $ = "SYSTEM\\CurrentControlSet\\Services\\%s" 
ascii wide - $ = "\\keylog.dat" ascii wide - condition: - 2 of them -}rule BackdoorWin32FynloskiASample -{ - meta: - Description = "Backdoor.Fynloski.sm" - ThreatLevel = "5" - - strings: - $ = "#BOT#VisitUrl" ascii wide - $ = "#BOT#OpenUrl" ascii wide - $ = "#BOT#Ping" ascii wide - $ = "BTRESULTPing|Res" ascii wide - $ = "#BOT#RunPrompt" ascii wide - $ = "BTRESULTClose" ascii wide - $ = "#BOT#SvrUninstal" ascii wide - $ = "#BOT#URLUpdate" ascii wide - $ = "BTERRORUpdate" ascii wide - $ = "BTRESULTUpdate" ascii wide - $ = "#BOT#URLDownload" ascii wide - $ = "BTRESULTOpen" ascii wide - $ = "BTERRORDownload" ascii wide - $ = "BTRESULTDownload" ascii wide - $ = "BTRESULTMass" ascii wide - $ = "BTRESULTHTTP" ascii wide - $ = "BTERRORVisit" ascii wide - $ = "BTRESULTSyn" ascii wide - $ = "BTRESULTUDP" ascii wide - $ = "Flood|UDP Flood task finished" ascii wide - $ = "Flood|Syn task finished" ascii wide - $ = "Flood|Http Flood task finished" ascii wide - - condition: - 3 of them -}rule BackdoorGenASample -{ - meta: - Description = "Backdoor.Gen.A.vb" - ThreatLevel = "5" - - strings: - $ = "Form1" ascii wide - $ = "Flamand" ascii wide - $ = "Afildoe.Belver" ascii wide - $ = "FromBase64String" ascii wide - $ = "TeAdor.Properties.Resources" ascii wide - - condition: - 3 of them -}rule BackdoorLiudoor -{ -meta: - author = "RSA FirstWatch" - date = "2015-07-23" - Description = "Backdoor.Liudoor.sm" - ThreatLevel = "5" - hash0 = "78b56bc3edbee3a425c96738760ee406" - hash1 = "5aa0510f6f1b0e48f0303b9a4bfc641e" - hash2 = "531d30c8ee27d62e6fbe855299d0e7de" - hash3 = "2be2ac65fd97ccc97027184f0310f2f3" - hash4 = "6093505c7f7ec25b1934d3657649ef07" - type = "Win32 DLL" - -strings: - $string0 = "Succ" ascii wide - $string1 = "Fail" ascii wide - $string2 = "pass" ascii wide - $string3 = "exit" ascii wide - $string4 = "svchostdllserver.dll" ascii wide - $string5 = "L$,PQR" ascii wide - $string6 = "0/0B0H0Q0W0k0" ascii wide - $string7 = "QSUVWh" ascii wide - $string8 = "Ht Hu[" ascii wide 
-condition: - all of them -} -rule MirageAPTBackdoorSample -{ - meta: - Description = "Backdoor.Mirage.sm" - ThreatLevel = "5" - - strings: - $a1 = "welcome to the desert of the real" ascii wide - $a2 = "Mirage" ascii wide - $b = "Encoding: gzip" ascii wide - $c = /\/[A-Za-z]*\?hl=en/ - condition: - (($a1 or $a2) or $b) and $c -}rule TrojanWin32Vawtrak_BackDoor -{ - meta: - Description = "Backdoor.Win32.sm" - ThreatLevel = "5" - - strings: - $ = "[VNC] New Client" ascii wide - $ = "[VNC] Fail init BC" ascii wide - $ = "[VNC] Fail addr proto BC" ascii wide - $ = "[VNC] Fail connect BC" ascii wide - $ = "[VNC] Fail init work:" ascii wide - $ = "[VNC] Start Sever" ascii wide - $ = "[VNC] Parse param error:" ascii wide - $ = "[VNC] Fail create process:" ascii wide - $ = "[VNC] Fail inject to process:" ascii wide - $ = "[Socks] New Client" ascii wide - $ = "[Socks] Failt Init BC" ascii wide - $ = "[Socks] Fail add proto BC" ascii wide - $ = "[Socks] Failt connect BC" ascii wide - $ = "[Socks] Fail parse param:" ascii wide - $ = "[Pony] Fail Get Pass" ascii wide - $ = "DL_EXEC Status [Pipe]" ascii wide - $ = "DL_EXEC Status[Local]" ascii wide - $ = "Start Socks addr:" ascii wide - $ = "Start Socks Status[Pipe]" ascii wide - $ = "Start Socks Status[Local]" ascii wide - $ = "Start VNC addr: %s" ascii wide - $ = "Start VNC Status[Pipe]: %u-%u-%u" ascii wide - $ = "Start VNC Status[Local]: %u" ascii wide - $ = "PID: %u [%0.2u:%0.2u:%0.2u]" ascii wide - $ = "[BC] Cmd Ver Error" ascii wide - $ = "[BC] Wait Ping error %u[%u]" ascii wide - $ = "[BC] Fail Connect" ascii wide - $ = "[BC] Fail send auth" ascii wide - $ = "[BC] Fail read cmd" ascii wide - $ = "[BC] cmd error: %u" ascii wide - $ = "[BC] Cmd need disconnect" ascii wide - $ = "SELECT hostname, encryptedUsername, encryptedPassword FROM moz_logins" ascii wide - - $str_0 = "T:\\Develop\\EQ2\\bin\\tmp" ascii wide - $str_1 = "T:\\Develop\\EQ2\\bin\\tmp\\client_32.pdb" ascii wide - $str_2 = 
"T:\\Develop\\EQ2\\bin\\tmp\\client_64.pdb" ascii wide - $str_3 = "client_64.dll" ascii wide - $str_4 = "client_32.dll" ascii wide - - condition: - (5 of them) or (any of ($str_*)) -} -rule BackdoorZegostSampleA -{ - meta: - Description = "Backdoor.Zegost.rc" - ThreatLevel = "5" - - strings: - $a = "VIPBlackDDOS" ascii wide - $b = "SynFlood" ascii wide - $c = "ICMPFlood" ascii wide - $d = "UDPFlood" ascii wide - $e = "DNSFlood" ascii wide - $f = "Game2Flood" ascii wide - $g = "HTTPGetFlood" ascii wide - condition: - 2 of them -}rule MalwareBitCoinMinerSample_A -{ - meta: - Description = "Malware.BitCoinMiner.sm" - ThreatLevel = "5" - - strings: - $ = "Min3Win.exe" ascii wide - $ = "bitcoin-miner.exe" ascii wide - $ = "WINSXS32" ascii wide - $ = "http://xhuehs.cantvenlinea.ru:1942" ascii wide - $ = "bigbob0000001@gmail.com" ascii wide - - condition: - 3 of them -}rule TinyLoaderSample -{ - meta: - Description = "Malware.TinyLoader.vb" - ThreatLevel = "5" - - strings: - - $ = "B1 Tiny Loader/1.0" ascii wide - - condition: - all of them -}rule PWSPasswordsToDBApp -{ - meta: - Description = "PWS.PassDB.sm" - ThreatLevel = "5" - - strings: - - $pdb0 = "PasswordsToDB.pdb" ascii wide - $ipa0 = "82.146.47.116" ascii wide - $ipa1 = "82.146.54.187" ascii wide - - condition: - any of them -}rule PUPSystemOptimizerASample -{ - meta: - Description = "PUP.SystemOptimizer.vb" - ThreatLevel = "5" - - strings: - - $ = "http://bitest.softservers.net" ascii wide - $ = "http://bi.softservers.net" ascii wide - - condition: - any of them -}rule PUPSystweakSample -{ - meta: - Description = "PUP.Systweak.vb" - ThreatLevel = "5" - - strings: - - $ = "Systweak Software0" ascii wide - $ = "pc-updater.com/miscservice/miscservice.asmx" ascii wide - - condition: - any of them -}rule RansomCryptoApp_A -{ - meta: - Description = "Ransom.CryptoApp.sm" - ThreatLevel = "5" - - strings: - - $pdb0 = "CryptoApp.pdb" ascii wide - $pdb1 = "KeepAlive.pdb" ascii wide - $pdb2 = "SelfDestroy.pdb" ascii wide 
- $pdb3 = "CoreDownloader.pdb" ascii wide
-
- condition:
- (3 of them) or (any of ($pdb*))
-}
-
-rule RansomCryptoWallApp_3
-{
- meta:
- Description = "Ransom.CryptoWall.sm"
- ThreatLevel = "5"
-
- strings:
-
- $s0 = "spatopayforwin.com" ascii wide
- $s1 = "bythepaywayall.com" ascii wide
- $s2 = "lowallmoneypool.com" ascii wide
- $s3 = "transoptionpay.com" ascii wide
- $s4 = "HELP_DECRYPT" ascii wide nocase
-
- $s5 = "speralreaopio.com" ascii wide
- $s6 = "vremlreafpa.com" ascii wide
- $s7 = "wolfwallsreaetpay.com" ascii wide
- $s8 = "askhoreasption.com" ascii wide
-
- condition:
- any of ($s*)
-}
-
-rule RansomCBTLockerApp
-{
- meta:
- Description = "Ransom.CBTLocker.sm"
- ThreatLevel = "5"
-
- strings:
-
- $s0 = "Your personal files are encrypted by CTB-Locker" ascii wide
- $s1 = "Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key,generated for this computer" ascii wide
- $s2 = "Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key." ascii wide
- $s3 = "If you see the main locker window, follow the instructions on the locker. 
Overwise, it's seems that you or your antivirus deleted the locker program" ascii wide
-
- $s6 = "keme132.DLL" ascii wide
- $s7 = "klospad.pdb" ascii wide
-
- condition:
- (any of ($s*)) or (3 of them)
-}
-
-rule RansomEncryptorRaaSApp
-{
- meta:
- Description = "Ransom.EncryptorRaaS.sm"
- ThreatLevel = "5"
-
- strings:
-
- $s0 = "decryptoraveidf7.onion.to" ascii wide
- $s1 = "encryptor_raas_readme_liesmich.txt" ascii wide
- $s2 = "The files on your computer have been securely encrypted by Encryptor RaaS" ascii wide
- $s3 = "Die Dateien auf Ihrem Computer wurden von Encryptor RaaS sicher verschluesselt" ascii wide
- $s4 = "encryptor3awk6px.onion" ascii wide
-
- condition:
- any of ($s*)
-}
-
-rule RansomSampleTeslaCryptA
-{
- meta:
- Description = "Ransom.TeslaCrypt.sm"
- ThreatLevel = "5"
-
- strings:
- $ = "HOWTO_RESTORE_FILES.TXT" ascii wide nocase
- $ = "HOWTO_RESTORE_FILES.bmp" ascii wide nocase
- $ = "HOWTO_RESTORE_FILES.HTML" ascii wide nocase
- condition:
- any of them
-}
-
-rule RansomSampleTeslaCryptB
-{
- meta:
- Description = "Ransom.TeslaCrypt.B.sm"
- ThreatLevel = "5"
-
- strings:
- $ = "help_recover_instructions" ascii wide nocase
- $ = "help_recover_instructions.TXT" ascii wide nocase
- $ = "help_recover_instructions.png" ascii wide nocase
- condition:
- any of them
-}
-
-rule RansomSampleChimeraB
-{
- meta:
- Description = "Ransom.Win32.Chimera.sm"
- ThreatLevel = "5"
-
- strings:
- $ = "YOUR_FILES_ARE_ENCRYPTED.HTML" ascii wide nocase
- $ = "Projects\\Ransom\\bin\\Release\\Core.pdb" ascii wide nocase
- $ = "BM-2cW44Yq9DWbHYnRSfzBLVxvE6WjadchNBt" ascii wide nocase
- condition:
- any of them
-}
-
-rule RansomSampleLeChiffre
-{
- meta:
- Description = "Ransom.Win32.LeChiffre.sm"
- ThreatLevel = "5"
-
- strings:
- $ = "LeChiffre" ascii wide nocase
- $ = "decrypt.my.files@gmail.com" ascii wide nocase
- $ = "http://184.107.251.146/sipvoice.php?" 
ascii wide nocase
- $ = "_secret_code.txt" ascii wide nocase
- $ = "_How to decrypt LeChiffre files.html" ascii wide nocase
- condition:
- 2 of them
-}
-
-rule RansomSampleHydraCrypt
-{
- meta:
- Description = "Ransom.Win32.HydraCrypt.sm"
- ThreatLevel = "5"
-
- strings:
- $ = "README_DECRYPT_HYDRA_ID_" ascii wide nocase
- $ = "hydracrypt_ID_" ascii wide nocase
- $ = "HYDRACRYPT" ascii wide nocase
- $ = "ccc=hydra01_" ascii wide nocase
- condition:
- 2 of them
-}
-
-rule RansomFilecoderA
-{
- meta:
- Description = "Ransom.FileCoder.A.vb"
- ThreatLevel = "5"
-
- strings:
- $ = "Guji36" ascii wide
- $ = "Burnamedoxi" ascii wide
- $ = "S48H1G54JSPSODKMGdfH1FD5G8DSDPSDKMFSSJJPGMCNDHS2FH5" ascii wide
- condition:
- any of them
-}
-
-rule RansomSampleLockyCrypt
-{
- meta:
- Description = "Ransom.Win32.Locky.sm"
- ThreatLevel = "5"
-
- strings:
- $s1 = ".locky" ascii wide nocase
- $ = "&encrypted=" ascii wide nocase
- $s2 = "_Locky_recover_instructions.txt" ascii wide nocase
- $s3 = "_Locky_recover_instructions.bmp" ascii wide nocase
- $ = "94.242.57.45" ascii wide nocase
- $ = "46.4.239.76" ascii wide nocase
- $s6 = "Software\\Locky" ascii wide nocase
- $ = "vssadmin.exe Delete Shadows" ascii wide nocase
- $ = "Locky" ascii wide nocase
-
- $o1 = { 45 b8 99 f7 f9 0f af 45 b8 89 45 b8 } // address=0x4144a7
- $o2 = { 2b 0a 0f af 4d f8 89 4d f8 c7 45 } // address=0x413863
-
- condition:
- (3 of them) or (any of ($s*)) or (all of ($o*))
-}
-
-import "pe"
-rule RansomLocky
-{
- meta:
- Description = "Ransom.Locky.ab"
- ThreatLevel = "5"
- strings:
- $mz = { 4d 5a }
-
- $inst1 = "_HELP_instructions.bmp" ascii wide
- $inst2 = "_HELP_instructions.html" ascii wide
- $inst3 = "_HELP_instructions.txt" ascii wide
- $inst4 = "_Locky_recover_instructions.bmp" ascii wide
- $inst5 = "_Locky_recover_instructions.txt" ascii wide
- $deleteShadows = "vssadmin.exe" ascii wide // universal Ransom detect :)
-
- $cyrptEP1 = {e8 95 23 ff ff 86 c8 86 ea e9 8d 23 ff ff 86 f4 e9 84 23 ff ff 86 c5} 
// EP paked locy
- $cyrptEP2 = {55 8b ec eb 68 eb 66 eb 64 6a 00 6a 00 6a 00 6a 00 6a 00} // EP packed locy 2
-
- condition:
- ( $mz at 0 ) and
- (
- $cyrptEP1 at pe.entry_point or
- $cyrptEP2 at pe.entry_point or
- (any of ($inst*)) or
- $deleteShadows
- )
-}
-
-rule RansomImportDetect
-{
- meta:
- Description = "Ransom.Gen.ab"
- ThreatLevel = "3"
- condition:
- (pe.imports("Kernel32.dll", "FindFirstFileW") or pe.imports("Kernel32.dll", "FindFirstFileA")) and
- (pe.imports("Kernel32.dll", "FindNextFileW") or pe.imports("Kernel32.dll", "FindNextFileA")) and
- (pe.imports("Advapi32.dll", "CryptAcquireContextW") or pe.imports("Advapi32.dll", "CryptAcquireContextA")) and
- pe.imports("Advapi32.dll", "CryptEncrypt") and
- pe.imports("Advapi32.dll", "CryptGenRandom")
-}
-
-rule VMdetectMisc
-{
- meta:
- Description = "Risk.VMDtc.sm"
- ThreatLevel = "3"
-
- strings:
- $vbox1 = "VBoxService" nocase ascii wide
- $vbox2 = "VBoxTray" nocase ascii wide
- $vbox3 = "SOFTWARE\\Oracle\\VirtualBox Guest Additions" nocase ascii wide
- $vbox4 = "SOFTWARE\\\\Oracle\\\\VirtualBox Guest Additions" nocase ascii wide
-
- $wine1 = "wine_get_unix_file_name" ascii wide
-
- $vmware1 = "vmmouse.sys" ascii wide
- $vmware2 = "VMware Virtual IDE Hard Drive" ascii wide
-
- $miscvm1 = "SYSTEM\\ControlSet001\\Services\\Disk\\Enum" nocase ascii wide
- $miscvm2 = "SYSTEM\\\\ControlSet001\\\\Services\\\\Disk\\\\Enum" nocase ascii wide
-
- $vmdrv1 = "hgfs.sys" ascii wide
- $vmdrv2 = "vmhgfs.sys" ascii wide
- $vmdrv3 = "prleth.sys" ascii wide
- $vmdrv4 = "prlfs.sys" ascii wide
- $vmdrv5 = "prlmouse.sys" ascii wide
- $vmdrv6 = "prlvideo.sys" ascii wide
- $vmdrv7 = "prl_pv32.sys" ascii wide
- $vmdrv8 = "vpc-s3.sys" ascii wide
- $vmdrv9 = "vmsrvc.sys" ascii wide
- $vmdrv10 = "vmx86.sys" ascii wide
- $vmdrv11 = "vmnet.sys" ascii wide
-
- $vmsrvc1 = "vmicheartbeat" ascii wide
- $vmsrvc2 = "vmicvss" ascii wide
- $vmsrvc3 = "vmicshutdown" ascii wide
- $vmsrvc4 = "vmicexchange" ascii wide
- $vmsrvc5 = "vmci" 
ascii wide
- $vmsrvc6 = "vmdebug" ascii wide
- $vmsrvc7 = "vmmouse" ascii wide
- $vmsrvc8 = "VMTools" ascii wide
- $vmsrvc9 = "VMMEMCTL" ascii wide
- $vmsrvc10 = "vmware" ascii wide
- $vmsrvc11 = "vmx86" ascii wide
- $vmsrvc12 = "vpcbus" ascii wide
- $vmsrvc13 = "vpc-s3" ascii wide
- $vmsrvc14 = "vpcuhub" ascii wide
- $vmsrvc15 = "msvmmouf" ascii wide
- $vmsrvc16 = "VBoxMouse" ascii wide
- $vmsrvc17 = "VBoxGuest" ascii wide
- $vmsrvc18 = "VBoxSF" ascii wide
- $vmsrvc19 = "xenevtchn" ascii wide
- $vmsrvc20 = "xennet" ascii wide
- $vmsrvc21 = "xennet6" ascii wide
- $vmsrvc22 = "xensvc" ascii wide
- $vmsrvc23 = "xenvdb" ascii wide
-
- $miscproc1 = "vmware2" ascii wide
- $miscproc2 = "vmount2" ascii wide
- $miscproc3 = "vmusrvc" ascii wide
- $miscproc4 = "vmsrvc" ascii wide
- $miscproc5 = "vboxservice" ascii wide
- $miscproc6 = "vboxtray" ascii wide
- $miscproc7 = "xenservice" ascii wide
-
- $vmware_mac_1a = "00-05-69"
- $vmware_mac_1b = "00:05:69"
- $vmware_mac_2a = "00-50-56"
- $vmware_mac_2b = "00:50:56"
- $vmware_mac_3a = "00-0C-29"
- $vmware_mac_3b = "00:0C:29"
- $vmware_mac_4a = "00-1C-14"
- $vmware_mac_4b = "00:1C:14"
- $virtualbox_mac_1a = "08-00-27"
- $virtualbox_mac_1b = "08:00:27"
-
- condition:
- 2 of them
-}
-
-rule SandboxDetectMisc
-{
- meta:
- Description = "Risk.SBDtc.sm"
- ThreatLevel = "3"
-
- strings:
- $sbxie1 = "sbiedll" nocase ascii wide
-
- $prodid1 = "55274-640-2673064-23950" ascii wide
- $prodid2 = "76487-644-3177037-23510" ascii wide
- $prodid3 = "76487-337-8429955-22614" ascii wide
-
- $proc1 = "joeboxserver" ascii wide
- $proc2 = "joeboxcontrol" ascii wide
- condition:
- any of them
-}
-
-rule avdetect_procs
-{
- meta:
- Description = "Risk.AVDtc.sm"
- ThreatLevel = "3"
-
- strings:
- $proc2 = "LMon.exe" ascii wide
- $proc3 = "sagui.exe" ascii wide
- $proc4 = "RDTask.exe" ascii wide
- $proc5 = "kpf4gui.exe" ascii wide
- $proc6 = "ALsvc.exe" ascii wide
- $proc7 = "pxagent.exe" ascii wide
- $proc8 = "fsma32.exe" ascii wide
- $proc9 = 
"licwiz.exe" ascii wide
- $proc10 = "SavService.exe" ascii wide
- $proc11 = "prevxcsi.exe" ascii wide
- $proc12 = "alertwall.exe" ascii wide
- $proc13 = "livehelp.exe" ascii wide
- $proc14 = "SAVAdminService.exe" ascii wide
- $proc15 = "csi-eui.exe" ascii wide
- $proc16 = "mpf.exe" ascii wide
- $proc17 = "lookout.exe" ascii wide
- $proc18 = "savprogress.exe" ascii wide
- $proc19 = "lpfw.exe" ascii wide
- $proc20 = "mpfcm.exe" ascii wide
- $proc21 = "emlproui.exe" ascii wide
- $proc22 = "savmain.exe" ascii wide
- $proc23 = "outpost.exe" ascii wide
- $proc24 = "fameh32.exe" ascii wide
- $proc25 = "emlproxy.exe" ascii wide
- $proc26 = "savcleanup.exe" ascii wide
- $proc27 = "filemon.exe" ascii wide
- $proc28 = "AntiHook.exe" ascii wide
- $proc29 = "endtaskpro.exe" ascii wide
- $proc30 = "savcli.exe" ascii wide
- $proc31 = "procmon.exe" ascii wide
- $proc32 = "xfilter.exe" ascii wide
- $proc33 = "netguardlite.exe" ascii wide
- $proc34 = "backgroundscanclient.exe" ascii wide
- $proc35 = "Sniffer.exe" ascii wide
- $proc36 = "scfservice.exe" ascii wide
- $proc37 = "oasclnt.exe" ascii wide
- $proc38 = "sdcservice.exe" ascii wide
- $proc39 = "acs.exe" ascii wide
- $proc40 = "scfmanager.exe" ascii wide
- $proc41 = "omnitray.exe" ascii wide
- $proc42 = "sdcdevconx.exe" ascii wide
- $proc43 = "aupdrun.exe" ascii wide
- $proc44 = "spywaretermin" ascii wide
- $proc45 = "atorshield.exe" ascii wide
- $proc46 = "onlinent.exe" ascii wide
- $proc47 = "sdcdevconIA.exe" ascii wide
- $proc48 = "sppfw.exe" ascii wide
- $proc49 = "spywat~1.exe" ascii wide
- $proc50 = "opf.exe" ascii wide
- $proc51 = "sdcdevcon.exe" ascii wide
- $proc52 = "spfirewallsvc.exe" ascii wide
- $proc53 = "ssupdate.exe" ascii wide
- $proc54 = "pctavsvc.exe" ascii wide
- $proc55 = "configuresav.exe" ascii wide
- $proc56 = "fwsrv.exe" ascii wide
- $proc57 = "terminet.exe" ascii wide
- $proc58 = "pctav.exe" ascii wide
- $proc59 = "alupdate.exe" ascii wide
- $proc60 = "opfsvc.exe" ascii wide
- $proc61 = "tscutynt.exe" 
ascii wide
- $proc62 = "pcviper.exe" ascii wide
- $proc63 = "InstLsp.exe" ascii wide
- $proc64 = "uwcdsvr.exe" ascii wide
- $proc65 = "umxtray.exe" ascii wide
- $proc66 = "persfw.exe" ascii wide
- $proc67 = "CMain.exe" ascii wide
- $proc68 = "dfw.exe" ascii wide
- $proc69 = "updclient.exe" ascii wide
- $proc70 = "pgaccount.exe" ascii wide
- $proc71 = "CavAUD.exe" ascii wide
- $proc72 = "ipatrol.exe" ascii wide
- $proc73 = "webwall.exe" ascii wide
- $proc74 = "privatefirewall3.exe" ascii wide
- $proc75 = "CavEmSrv.exe" ascii wide
- $proc76 = "pcipprev.exe" ascii wide
- $proc77 = "winroute.exe" ascii wide
- $proc78 = "protect.exe" ascii wide
- $proc79 = "Cavmr.exe" ascii wide
- $proc80 = "prifw.exe" ascii wide
- $proc81 = "apvxdwin.exe" ascii wide
- $proc82 = "rtt_crc_service.exe" ascii wide
- $proc83 = "Cavvl.exe" ascii wide
- $proc84 = "tzpfw.exe" ascii wide
- $proc85 = "as3pf.exe" ascii wide
- $proc86 = "schedulerdaemon.exe" ascii wide
- $proc87 = "CavApp.exe" ascii wide
- $proc88 = "privatefirewall3.exe" ascii wide
- $proc89 = "avas.exe" ascii wide
- $proc90 = "sdtrayapp.exe" ascii wide
- $proc91 = "CavCons.exe" ascii wide
- $proc92 = "pfft.exe" ascii wide
- $proc93 = "avcom.exe" ascii wide
- $proc94 = "siteadv.exe" ascii wide
- $proc95 = "CavMud.exe" ascii wide
- $proc96 = "armorwall.exe" ascii wide
- $proc97 = "avkproxy.exe" ascii wide
- $proc98 = "sndsrvc.exe" ascii wide
- $proc99 = "CavUMAS.exe" ascii wide
- $proc100 = "app_firewall.exe" ascii wide
- $proc101 = "avkservice.exe" ascii wide
- $proc102 = "snsmcon.exe" ascii wide
- $proc103 = "UUpd.exe" ascii wide
- $proc104 = "blackd.exe" ascii wide
- $proc105 = "avktray.exe" ascii wide
- $proc106 = "snsupd.exe" ascii wide
- $proc107 = "cavasm.exe" ascii wide
- $proc108 = "blackice.exe" ascii wide
- $proc109 = "avkwctrl.exe" ascii wide
- $proc110 = "procguard.exe" ascii wide
- $proc111 = "CavSub.exe" ascii wide
- $proc112 = "umxagent.exe" ascii wide
- $proc113 = "avmgma.exe" ascii wide
- $proc114 = 
"DCSUserProt.exe" ascii wide
- $proc115 = "CavUserUpd.exe" ascii wide
- $proc116 = "kpf4ss.exe" ascii wide
- $proc117 = "avtask.exe" ascii wide
- $proc118 = "avkwctl.exe" ascii wide
- $proc119 = "CavQ.exe" ascii wide
- $proc120 = "tppfdmn.exe" ascii wide
- $proc121 = "aws.exe" ascii wide
- $proc122 = "firewall.exe" ascii wide
- $proc123 = "Cavoar.exe" ascii wide
- $proc124 = "blinksvc.exe" ascii wide
- $proc125 = "bgctl.exe" ascii wide
- $proc126 = "THGuard.exe" ascii wide
- $proc127 = "CEmRep.exe" ascii wide
- $proc128 = "sp_rsser.exe" ascii wide
- $proc129 = "bgnt.exe" ascii wide
- $proc130 = "spybotsd.exe" ascii wide
- $proc131 = "OnAccessInstaller.exe" ascii wide
- $proc132 = "op_mon.exe" ascii wide
- $proc133 = "bootsafe.exe" ascii wide
- $proc134 = "xauth_service.exe" ascii wide
- $proc135 = "SoftAct.exe" ascii wide
- $proc136 = "cmdagent.exe" ascii wide
- $proc137 = "bullguard.exe" ascii wide
- $proc138 = "xfilter.exe" ascii wide
- $proc139 = "CavSn.exe" ascii wide
- $proc140 = "VCATCH.EXE" ascii wide
- $proc141 = "cdas2.exe" ascii wide
- $proc142 = "zlh.exe" ascii wide
- $proc143 = "Packetizer.exe" ascii wide
- $proc144 = "SpyHunter3.exe" ascii wide
- $proc145 = "cmgrdian.exe" ascii wide
- $proc146 = "adoronsfirewall.exe" ascii wide
- $proc147 = "Packetyzer.exe" ascii wide
- $proc148 = "wwasher.exe" ascii wide
- $proc149 = "configmgr.exe" ascii wide
- $proc150 = "scfservice.exe" ascii wide
- $proc151 = "zanda.exe" ascii wide
- $proc152 = "authfw.exe" ascii wide
- $proc153 = "cpd.exe" ascii wide
- $proc154 = "scfmanager.exe" ascii wide
- $proc155 = "zerospywarele.exe" ascii wide
- $proc156 = "dvpapi.exe" ascii wide
- $proc157 = "espwatch.exe" ascii wide
- $proc158 = "dltray.exe" ascii wide
- $proc159 = "zerospywarelite_installer.exe" ascii wide
- $proc160 = "clamd.exe" ascii wide
- $proc161 = "fgui.exe" ascii wide
- $proc162 = "dlservice.exe" ascii wide
- $proc163 = "Wireshark.exe" ascii wide
- $proc164 = "sab_wab.exe" ascii wide
- $proc165 = 
"filedeleter.exe" ascii wide
- $proc166 = "ashwebsv.exe" ascii wide
- $proc167 = "tshark.exe" ascii wide
- $proc168 = "SUPERAntiSpyware.exe" ascii wide
- $proc169 = "firewall.exe" ascii wide
- $proc170 = "ashdisp.exe" ascii wide
- $proc171 = "rawshark.exe" ascii wide
- $proc172 = "vdtask.exe" ascii wide
- $proc173 = "firewall2004.exe" ascii wide
- $proc174 = "ashmaisv.exe" ascii wide
- $proc175 = "Ethereal.exe" ascii wide
- $proc176 = "asr.exe" ascii wide
- $proc177 = "firewallgui.exe" ascii wide
- $proc178 = "ashserv.exe" ascii wide
- $proc179 = "Tethereal.exe" ascii wide
- $proc180 = "NetguardLite.exe" ascii wide
- $proc181 = "gateway.exe" ascii wide
- $proc182 = "aswupdsv.exe" ascii wide
- $proc183 = "Windump.exe" ascii wide
- $proc184 = "nstzerospywarelite.exe" ascii wide
- $proc185 = "hpf_.exe" ascii wide
- $proc186 = "avastui.exe" ascii wide
- $proc187 = "Tcpdump.exe" ascii wide
- $proc188 = "cdinstx.exe" ascii wide
- $proc189 = "iface.exe" ascii wide
- $proc190 = "avastsvc.exe" ascii wide
- $proc191 = "Netcap.exe" ascii wide
- $proc192 = "cdas17.exe" ascii wide
- $proc193 = "invent.exe" ascii wide
- $proc194 = "Netmon.exe" ascii wide
- $proc195 = "fsrt.exe" ascii wide
- $proc196 = "ipcserver.exe" ascii wide
- $proc197 = "CV.exe" ascii wide
- $proc198 = "VSDesktop.exe" ascii wide
- $proc199 = "ipctray.exe" ascii wide
- condition:
- 3 of them
-}
-
-
-rule dbgdetect_procs
-{
- meta:
- Description = "Risk.DbgDtc.sm"
- ThreatLevel = "3"
-
- strings:
- $proc1 = "wireshark" nocase ascii wide
- $proc2 = "filemon" nocase ascii wide
- $proc3 = "procexp" nocase ascii wide
- $proc4 = "procmon" nocase ascii wide
- $proc5 = "regmon" nocase ascii wide
- $proc6 = "idag" nocase ascii wide
- $proc7 = "immunitydebugger" nocase ascii wide
- $proc8 = "ollydbg" nocase ascii wide
- $proc9 = "petools" nocase ascii wide
-
- condition:
- 2 of them
-}
-
-rule dbgdetect_files
-{
- meta:
- Description = "Risk.DbgDtc.sm"
- ThreatLevel = "3"
-
- strings:
- $file1 = "syserdbgmsg" nocase 
ascii wide - $file2 = "syserboot" nocase ascii wide - $file3 = "SICE" nocase ascii wide - $file4 = "NTICE" nocase ascii wide - condition: - 2 of them -}rule RiskNetFilterSampleA -{ - meta: - Description = "Risk.NetFilter.A.vb" - ThreatLevel = "5" - - strings: - - $ = "\\Registry\\Machine\\SYSTEM\\ControlSet001\\services\\epfwwfp" ascii wide - $ = "\\Registry\\Machine\\SYSTEM\\ControlSet001\\services\\epfwwfpr" ascii wide - $ = "\\Registry\\Machine\\SYSTEM\\ControlSet001\\services\\nisdrv" ascii wide - $ = "\\Registry\\Machine\\SYSTEM\\ControlSet001\\services\\symnets" ascii wide - $ = "\\Registry\\Machine\\SYSTEM\\ControlSet001\\services\\klwfp" ascii wide - $ = "\\Registry\\Machine\\SYSTEM\\ControlSet001\\services\\amoncdw8" ascii wide - $ = "\\Registry\\Machine\\SYSTEM\\ControlSet001\\services\\amoncdw7" ascii wide - $ = "\\Registry\\Machine\\SYSTEM\\ControlSet001\\services\\bdfwfpf_pc" ascii wide - $ = "NFSDK Flow Established Callout" ascii wide - $ = "Flow Established Callout" ascii wide - $ = "NFSDK Stream Callout" ascii wide - $ = "Stream Callout" ascii wide - $ = "\\Device\\CtrlSM" ascii wide - $ = "\\DosDevices\\CtrlSM" ascii wide - - condition: - all of them -} -rule RogueDownloaderLoaderAVSoftA -{ - meta: - Description = "Trojan.Loader.sm" - ThreatLevel = "5" - - strings: - $ = "/info.php?idd=" ascii wide - $ = "{95B8F20E-4BC6-4E22-9442-BFB69ED62879}" ascii wide - //$ = "CheckExeSignatures" ascii wide - //$ = "RunInvalidSignatures" ascii wide - $ = "ELEVATECREATEPROCESS" ascii wide - $ = "srvdev.dll" ascii wide - //$ = "EntryPoint" ascii wide - - condition: - 3 of them -} - -rule RogueModuleAVSoftA -{ - meta: - Description = "Rogue.AVSoft.sm" - ThreatLevel = "5" - - strings: - $ = "sec-red-alert-s.gif" ascii wide - $ = "sec-red-alert-b.gif" ascii wide - $ = "scaning.gif" ascii wide - $ = "scaning-stopped.gif" ascii wide - $ = "rezult-table-head-bg.gif" ascii wide - $ = "banner-get-protection.gif" ascii wide - $ = "netalrt.htm" ascii wide - $ = "alrt.htm" 
ascii wide - - $hex1 = { e8 ?? ?? ?? ?? 83 ?? ?? ?? ?? 74 ?? 83 ?? ?? ?? ?? ?? ?? 74 ?? e8 ?? ?? ?? ?? 3b ?? ?? ?? ?? ?? 73 ?? e8 ?? ?? ?? ?? 50 e8 ?? ?? ?? ?? 84 c0 75 ?? e8 ?? ?? ?? ?? 6a 1e 99 59 f7 f9 83 c2 14 69 d2 60 ea 00 00 52 ff d7 e8 ?? ?? ?? ?? 83 f8 01 75 ?? e8 ?? ?? ?? ??} - - condition: - (3 of them) or ( any of ($hex*)) -} -rule RogueBraviaxSampleA -{ - meta: - Description = "Rogue.Braviax.sm" - ThreatLevel = "5" - - strings: - $ = "background_gradient_red.jpg" ascii wide - $ = "red_shield_48.png" ascii wide - $ = "pagerror.gif" ascii wide - $ = "green_shield.png" ascii wide - $ = "refresh.gif" ascii wide - $ = "red_shield.png" ascii wide - $ = "avp:scan" ascii wide - $ = "avp:site" ascii wide - $str1 = "Trojan-BNK.Win32.Keylogger.gen" ascii wide - $str2 = "Trojan-PSW.Win32.Coced.219" ascii wide - $str3 = "Email-Worm.Win32.Eyeveg.f" ascii wide - $str4 = "Virus.BAT.Batalia1.840" ascii wide - $str5 = "Trojan-SMS.SymbOS.Viver.a" ascii wide - $str6 = "Trojan-Spy.HTML.Bankfraud.jk" ascii wide - $str7 = "glohhstt7.com" ascii wide - //$str8 = "Zorton" ascii wide - //$str9 = "Rango" ascii wide - //$str10 = "Sirius" ascii wide - //$str11 = "A-Secure" ascii wide - $str12 = "%1 Protection 201" ascii wide - $str13 = "%1 Antivirus 201" ascii wide - $str14 = "siriuc2014.com" ascii wide - $str15 = "siriucs2016.com" ascii wide - $str16 = "zorton2016.com" ascii wide - $str17 = "zorton2015.com" ascii wide - $str18 = "stormo10.com" ascii wide - $str19 = "fscurat20.com" ascii wide - $str20 = "fscurat21.com" ascii wide - - condition: - (3 of them) or (any of ($str*)) -}rule RogueFakePAVSample -{ - meta: - Description = "Rogue.FakePAV.sm" - ThreatLevel = "5" - - strings: - $ = "ZALERT" ascii wide - $ = "ZAPFrm" ascii wide - $ = "ZAbout" ascii wide - $ = "ZAutoRunFrame" ascii wide - $ = "ZCheckBox" ascii wide - $ = "ZCplAll" ascii wide - $ = "ZFogWnd" ascii wide - $ = "ZFrameDEt" ascii wide - $ = "ZIEWnd" ascii wide - $ = "ZMainFrame" ascii wide - $ = "ZMainWnd" ascii wide 
- $ = "ZOptionsFrame" ascii wide - $ = "ZProcessFrame" ascii wide - $ = "ZProgressBar" ascii wide - $ = "ZPromo" ascii wide - $ = "ZReg" ascii wide - $ = "ZResFR" ascii wide - $ = "ZServiceFrame" ascii wide - $ = "ZUpdate" ascii wide - $ = "ZWarn" ascii wide - - condition: - any of them -}rule RogueFakeDefenderSample -{ - meta: - Description = "Rogue.FakeDef.sm" - ThreatLevel = "5" - - strings: - $a = "pcdfdata" ascii wide - $b = "toplevel_pcdef" ascii wide - - $ = "%spld%d.exe" ascii wide - $ = "avsrun.exe" ascii wide - $ = "avsdel.exe" ascii wide - - $ = "vl.bin" ascii wide - $ = "reginfo.bin" ascii wide - - $ = "%s%s.lnk" ascii wide - $ = "%sRemove %s.lnk" ascii wide - $ = "Uninstaller application" ascii wide - $ = "%s%s Help and Support.lnk" ascii wide - - $ = "pavsdata" ascii wide - $ = "avsmainwnd" ascii wide - $ = "avsdsvc" ascii wide - $ = "ovcf" ascii wide - - $ = "Global\\avsinst" ascii wide - $ = "Global\\avscfglock" ascii wide - $ = "\\loc\\reg\\conn\\activate" ascii wide - $ = "\\forms\\alerts\\vulner" ascii wide - $ = "\\forms\\alerts\\hack" ascii wide - - $ = "Software\\Classes\\.exe" ascii wide - - $ = "%s was infected with %s and has been successfully repaired" ascii wide - $ = "Attack %s from remote host %d.%d.%d.%d has been successfully blocked" ascii wide - - $ = "http://%s/api/ping?stage=1&uid=%S&id=%d&subid=%d&os=%d&avf=%d" ascii wide - $ = "http://%s/api/ping?stage=2&uid=%S&success=%d" ascii wide - $ = "http://%s/api/ping?stage=3&uid=%S" ascii wide - $ = "http://%s/content/scc" ascii wide - $ = "http://%s/postload2/?uid=%S" ascii wide - $ = "http://%S/api/test" ascii wide - $ = "http://%s/load/?uid=%S" ascii wide - $ = "http://%s/html/viruslist/?uid=%S" ascii wide - $ = "https://%s/billing/key/?uid=%S" ascii wide - $ = "https://%s/html/billing/?uid=%S" ascii wide - - condition: - 3 of them -} - -rule RogueFakeReanInternetSecuritySample -{ - meta: - Description = "Rogue.FakeRean.sm" - ThreatLevel = "5" - - strings: - $ = "VB82ea936a-6aa61dbf" 
ascii wide
- $ = "VBOX HARDDISK" ascii wide
- $ = "avbase.dat" ascii wide
- $ = "Software\\Microsoft\\Windows\\CurrentVersion\\Run" ascii wide
- $ = "ORDER #:" ascii wide
- $ = "Thank you, the program is now registered!" ascii wide
- $ = "To continue please restart the program. Press OK to close the program." ascii wide
- $ = "Wrong activation code! Please check and retry" ascii wide
- $ = "license. As soon as you complete the activation you will" ascii wide
- $ = "This option is available only in the activated version of " ascii wide
- $ = "You must activate the program by entering registration information " ascii wide
- $ = "has detected that a new Threat Database is available." ascii wide
- $ = "items are critical privacy compromising content"
- $ = "items is medium privacy threats" ascii wide
- $ = "items are junk content of low privacy threats" ascii wide
- $ = "has detected a leak of your files though the Internet. " ascii wide
- $ = "We strongly recommend that you block the attack immediately" ascii wide
- $ = "All threats has been succesfully removed." ascii wide
- $ = "Attention! We strongly recommend that you activate " ascii wide
- $ = "for the safety and faster running of your PC." ascii wide
- $ = "No new update available" ascii wide
- $ = "Could not connect to server!" ascii wide
- $ = "New updates are installed successfully!" ascii wide
- $ = "Security Warning!" ascii wide
- $ = "Malicious program has been detected." ascii wide
- $ = "Click here to protect your computer." ascii wide
- $ = "is infected by W32/Blaster.worm" ascii wide
- $ = "$$$$$$$$.bat" ascii wide
- $ = "Completed!" ascii wide
- $ = "Antivirus software uninstalled successfully" ascii wide
- $ = "Antivirus uninstall is not success. Please try again..." 
ascii wide - $ = "-uninstall" ascii wide - $ = "_MUTEX" ascii wide - $ = "/min" ascii wide - - condition: - 7 of them -} - -rule RogueUnknownFakeAV -{ - meta: - Description = "Rogue.FakeRean.rc" - ThreatLevel = "5" - - strings: - $a = "S:\\appointed\\commanding\\general\\Moravia\\Image[01].exe" ascii wide - $b = "Dresden blockade" ascii wide - $c = "37592837532" ascii wide - $d = "39874598234" ascii wide - $e = "465234750238947532649587203948523-4572304750329458-23459723450-23457" ascii wide - - condition: - ($a and $b) or ($c and $d) or $e -} - -rule RoguePCDefender -{ - meta: - Description = "Rogue.FakeDef.rc" - ThreatLevel = "5" - - strings: - $hex0 = { 8A 4A 01 56 57 33 FF 47 8B C7 8D 72 03 85 C0 74 28 80 C1 0B 80 F9 5A 7E 11 0F BE C1 83 E8 41 6A 19 99 59 F7 F9 80 C2 41 8A CA 33 C0 38 0E 0F 94 C0 47 46 46 83 FF 10 7C D4 5F 5E C3 } - - condition: - any of ($hex*) -}rule RogueFakeSysDefSample -{ - meta: - Description = "Rogue.FakeSysDef.sm" - ThreatLevel = "5" - - strings: - $ = "smtmp" ascii wide - $ = "attrib -h" ascii wide - $ = "%s\\license.dat" ascii wide - $ = "Thank you for purchasing %s" ascii wide - $ = "%s\\%s_License.txt" ascii wide - $ = "Bad sectors" ascii wide - $ = "Lost cluster chains" ascii wide - $ = "Relocate bad sectors: " ascii wide - $ = "Fix corrupted files: " ascii wide - $ = "Fix cluster chain: " ascii wide - $ = "No errors found. Disk%s health summary %d%%." ascii wide - $ = "Error 0x00000024 - %s_FILE_SYSTEM" ascii wide - $ = "Verifying disk consistency..." ascii wide - $ = "Hard drive spin failure detected" ascii wide - $ = "Checking S.M.A.R.T. attributes" ascii wide - $a = "S.M.A.R.T reports" ascii wide - $ = "Checking HDD surface for bad sectors.." ascii wide - $ = "Scanning sectors 0x%04X-0x%04X..." ascii wide - $ = "Check cancelled." ascii wide - $ = "Hard disk error detected" ascii wide - $ = "Repair volumes" ascii wide - $ = "Hard disk verification completed. No errors found." 
ascii wide - $ = "Exception Processing Message 0x%08X Parameters" ascii wide - $ = "Windows - Read error" ascii wide - $ = "File system on local disk %s contains critical errors" ascii wide - $ = "explorer.exe - Corrupt Disk" ascii wide - $ = "svchost.exe - Corrupt Disk" ascii wide - - condition: - (3 of them) or $a -}rule RogueWin32LiveSecurityProfessional -{ - meta: - Description = "Rogue.LiveSP.sm" - ThreatLevel = "5" - strings: - $ = "W32.SillyFDC.BDQ" ascii wide - $ = "Trojan.Peancomm" ascii wide - $ = "Adware.Borlan" ascii wide - $ = "Trojan.Exprez" ascii wide - $ = "Sunshine.B" ascii wide - $ = "SecurityRisk.URLRedir" ascii wide - $ = "Spyware.Ezurl" ascii wide - $ = "W32.Azero.A" ascii wide - $ = "W32.Downloadup.B" ascii wide - $ = "Hacktool.Unreal.A" ascii wide - $ = "Backdoor.Rustock.B" ascii wide - $ = "Infostealer.Snifula.B" ascii wide - $ = "Adware.FCHelp" ascii wide - $ = "Adware.Invinciblekey" ascii wide - $ = "Packed.Dromedan!gen5" ascii wide - $ = "Downloader.Jadelile" ascii wide - $ = "SecShieldFraud!gen7" ascii wide - $ = "Trojan.Komodola" ascii wide - $ = "W32.Stekct" ascii wide - $ = "Packed.Generic.368" ascii wide - $ = "VirusDoctor!gen12" ascii wide - $ = "UnlockAV" ascii wide - $ = "Sign Up in Live Security Professional" ascii wide - $ = "General security:" ascii wide - $ = "Real-Time Shields:" ascii wide - $ = "Self-protection from malware:" ascii wide - $ = "Definitions auto updates:" ascii wide - $ = "Virus definition version:" ascii wide - $ = "Program version:" ascii wide - $ = "Live Security Professional %s." ascii wide - $ = "You have a license" ascii wide - $ = "Your system is protected from possible threats." ascii wide - $ = "3.13.44.20" ascii wide - $ = "Protection level:" ascii wide - $ = "Your computer is fully protected." ascii wide - $ = "Your protection against viruses and spyware is weak" ascii wide - $ = "You must enter the serial number that came to your email to activate your license." 
ascii wide - $ = "Live Security Professional - Unregistered version" ascii wide - $ = "Scan stopped..." ascii wide - $ = "Scan paused..." ascii wide - $ = "http://185.6.80.65/index.php?r=checkout" ascii wide - $ = "To complete the registration, check your data for correctness." ascii wide - $ = "You have successfully signed up and choose a license. After confirming the payment (about 10 minutes), you get a completely secure system." ascii wide - $ = "Live Security Professional has blocked" ascii wide - $ = "Live security professional" ascii wide - $ = "Successfully Cleared!" ascii wide - $ = "DETECTED VIRUSES" ascii wide - $ = "List of detected viruses." ascii wide - $ = "Total infected:" ascii wide - $ = "10% of the viruses were treated free. For the cure of all viruses, you must purchase a license Pro or Pro Plus." ascii wide - condition: - 5 of them -}rule RogueSpywareDefenderSample -{ - meta: - Description = "Rogue.SDef.sm" - ThreatLevel = "5" - - strings: - $str1 = "/get_two.php?" ascii wide - $str2 = "spyware-defender.com" ascii wide - $str3 = "Spyware Defender 2014" ascii wide - $str4 = "Antivirus MAC 2014" ascii wide - $str5 = "Antivirus WIN 2014" ascii wide - $ = "Delete" ascii wide - $ = "NoRemove" ascii wide - $ = "ForceRemove" ascii wide - $ = "RunInvalidSignatures" ascii wide - $ = "CheckExeSignatures" ascii wide - condition: - (5 of them) or (any of ($str*)) -}rule RogueWin32SystemDoctorA -{ - meta: - Description = "Rogue.SysDoct.rc" - ThreatLevel = "5" - strings: - $hex0 = { 55 8b ec 83 ec 7c a1 ?? ?? ?? ?? 33 c5 89 ?? ?? 56 68 90 d0 47 00 8d ?? ?? e8 ?? ?? ?? ?? 83 ?? ?? ?? 8b ?? ?? 73 ?? 8d ?? ?? 50 ff ?? ?? ?? ?? ?? 8d ?? ?? 83 f8 ff 74 ?? 6a 00 6a 01 e8 ?? ?? ?? ?? 33 c0 8b ?? ?? 33 cd 5e e8 ?? ?? ?? ?? c9 c3 53 57 33 db 53 6a 01 e8 ?? ?? ?? ?? be a4 d0 47 00 8d ?? ?? a5 a4 be ac d0 47 00 8d ?? ?? a5 a4 be b4 d0 47 00 8d ?? ?? a5 66 ?? a4 be bc d0 47 00 8d ?? ?? a5 a5 66 ?? a4 be 90 88 45 00 8d ?? ?? a5 a5 a5 a5 be 00 10 00 00 56 e8 ?? ?? ?? ?? 
59 6a 02 53 89 ?? ?? 53 8d ?? ?? 50 c7 ?? ?? ?? ?? ?? ?? ff ?? ?? ?? ?? ?? 8b f8 83 ff ff 0f ?? ?? ?? ?? ?? 8d ?? ?? 50 53 57 ff ?? ?? ?? ?? ?? 85 c0 74 ?? 8d ?? ?? 50 56 8b ?? ?? 56 8d ?? ?? 50 6a 0c 8d ?? ?? 50 57 ff ?? ?? ?? ?? ?? 85 c0 74 ?? 56 ff ?? ?? ?? ?? ?? 8d ?? ?? 50 56 e8 ?? ?? ?? ?? 59 59 85 c0 75 ?? 8d ?? ?? 50 56 e8 ?? ?? ?? ?? 59 59 85 c0 75 ?? 8d ?? ?? 50 56 e8 ?? ?? ?? ?? 59 59 85 c0 75 ?? 8d ?? ?? 50 56 e8 ?? ?? ?? ?? 59 59 85 c0 74 ?? 33 db 43 56 e8 ?? ?? ?? ?? 59 5f 8b c3 5b e9 ?? ?? ?? ?? 8b ?? ?? eb ?? } - $ = "http://sys-doctor.com" ascii wide - $ = "AA39754E-715219CE" ascii wide - $ = "System Doctor" ascii wide - $ = "C:\\sd.dbg" ascii wide - $ = "C:\\sd1.dbg" ascii wide - condition: - (2 of them) or (any of ($hex*)) -} - -rule RogueWin32FufelAVA -{ - meta: - Description = "Rogue.FufelAV.sm" - ThreatLevel = "5" - strings: - $ = "avp:buy" ascii wide - $ = "avp:scan" ascii wide - $ = "Protection software" ascii wide - $ = "Invalid registration key!" ascii wide - $ = "Unprotected mode request" ascii wide - $ = "Are you sure want to continue in unprotected mode?" ascii wide - $ = "I have serial key" ascii wide - $ = "Continue unprotected" ascii wide - $ = "trying to infect your files" ascii wide - $ = "Your computer was attacked from" ascii wide - $ = "Attack was blocked" ascii wide - $ = "Please register product to block hackers attack" ascii wide - $ = "Scanning completed. No threads found." ascii wide - $ = "Scanning completed. Cleanup is required." ascii wide - $ = "Warning! %d Infections found!" 
ascii wide - $ = "Registered version" ascii wide - $ = "Unregistered version (Please register)" ascii wide - $ = "Cured" ascii wide - $ = "Infected process" ascii wide - $str_0 = "Sinergia Cleaner" ascii wide - $str_1 = "Sinergia software.lnk" ascii wide - - $str_2 = "fufel-av-2.com" ascii wide - $str_3 = "fufel-av.com" ascii wide - condition: - (3 of them) or (any of ($str_*)) -} -rule RogueWinwebsecSample -{ - meta: - Description = "Rogue.Winwebsec.sm" - ThreatLevel = "5" - - strings: - $a = "%s%s\\%s.ico" ascii wide - $b = "%s%s\\%s.exe" ascii wide - condition: - $a or $b -} - -rule RogueSShieldSample -{ - meta: - Description = "Rogue.SShield.sm" - ThreatLevel = "5" - - strings: - $a = "64C665BE" wide - $b = "BC0172B25DF2" wide - condition: - $a or $b -}rule TrojanWin32AntivarSample -{ - meta: - Description = "Trojan.Antivar.sm" - ThreatLevel = "5" - strings: - $ = "ServerNabs4" ascii wide - $ = "\\system32\\antivar.exe" ascii wide - condition: - any of them -}rule TrojanDownloaderCbeplaySample -{ - meta: - Description = "Trojan.Cbeplay.sm" - ThreatLevel = "5" - - strings: - $ = "wireshark.exe" ascii wide - $ = "pstorec.dll" ascii wide - $ = "ROOT\\SecurityCenter2" ascii wide - $ = "Select * from AntiVirusProduct" ascii wide - $ = "SbieDll.dll" ascii wide - $ = "OPEN %s.mp3 TYPE MpegVideo ALIAS MP3" ascii wide - $ = "PLAY MP3 wait" ascii wide - $ = "CLOSE MP3" ascii wide - $ = "VIRTUALBOX" ascii wide - $ = "VideoBiosVersion" ascii wide - $ = "QEMU" ascii wide - $ = "VMWARE" ascii wide - $ = "VBOX" ascii wide - $ = "VIRTUAL" ascii wide - $ = "taskmgr.exe" ascii wide - $ = "explorer.exe" ascii wide - $ = "Program Manager" ascii wide - $ = "Shell_TrayWnd" ascii wide - $ = "FriendlyName" ascii wide - $ = "Capture Filter" ascii wide - $ = "SampleGrab" ascii wide - $ = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer" ascii wide - $ = "Software\\Microsoft\\Windows\\CurrentVersion\\Run" ascii wide - $ = "SYSTEM\\CurrentControlSet\\Control\\SafeBoot" ascii wide - 
$ = "Hello, visitor from: <strong>" ascii wide - $ = "SendVoucher" ascii wide - $ = "winver" ascii wide - $ = "AVID" ascii wide - $ = "Emsisoft" ascii wide - $ = "Lavasoft" ascii wide - $ = "avast" ascii wide - $ = "Avira" ascii wide - $ = "BitDef" ascii wide - $ = "COMODO" ascii wide - $ = "F-Secure" ascii wide - $ = "G Data" ascii wide - $ = "Kaspersky" ascii wide - $ = "McAfee" ascii wide - $ = "ESET" ascii wide - $ = "Norton" ascii wide - $ = "Microsoft Security Essentials" ascii wide - $ = "Panda" ascii wide - $ = "Sophos" ascii wide - $ = "Trend Micro" ascii wide - $ = "Symantec" ascii wide - $ = "BullGuard" ascii wide - $ = "VIPRE" ascii wide - $ = "Webroot" ascii wide - condition: - 8 of them -}rule TrojanChangeStartPageSampleA -{ - meta: - Description = "Trojan.CStartPage.sm" - ThreatLevel = "5" - - strings: - $ = "chrome.exe" ascii wide - $ = "urls_to_restore_on_startup" ascii wide - $ = "restore_on_startup" ascii wide - $ = "restore_on_startup_migrated" ascii wide - $ = "urls_to_restore_on_startup" ascii wide - $ = "translate_accepted_count" ascii wide - $ = "translate_denied_count" ascii wide - $ = "translate_site_blacklist" ascii wide - $ = "netsh firewall add allowedprogram" ascii wide - $ = "homepage_is_newtabpage" ascii wide - $ = "Start Page" ascii wide - $ = "user_pref(%cbrowser.startup.homepage%c" ascii wide - $ = "%ws\\mozilla\\firefox\\profiles" ascii wide - $ = "c:\\windows\\sms.exe" ascii wide - condition: - 3 of them -} -rule TrojanWin32CitadelSampleA -{ - meta: - Description = "Trojan.Citadel.sm" - ThreatLevel = "5" - - strings: - $a = "Coded by BRIAN KREBS for personal use only. I love my job & wife." ascii wide - $hex_string = {85 C0 7? ?? 
8A 4C 30 FF 30 0C 30 48 7?} - $ = "softpc.new" ascii wide - $ = "CS:%04x IP:%04x OP:%02x %02x %02x %02x %02x" ascii wide - - condition: - any of them -}rule TrojanWin32ComfooSample -{ - meta: - Description = "Trojan.Comfoo.sm" - ThreatLevel = "5" - - strings: - $ = "exclusiveinstance12" ascii wide - $ = "MYGAMEHAVESTART" ascii wide - $ = "MYGAMEHAVEstarted" ascii wide - $ = "MYGAMEHAVESTARTEd" ascii wide - $ = "MYGAMEHAVESTARTED" ascii wide - $ = "thisisanewfirstrun" ascii wide - $ = "THISISASUPERNEWGAMENOWBEGIN" ascii wide - $ = "thisisnewtrofor024" ascii wide - - $ = "cabinet.dll" ascii wide - $ = "09lkjds" ascii wide - $ = "perfdi.ini" ascii wide - $ = "msobj.sys" ascii wide - $ = "usbak.sys" ascii wide - $ = "\\\\.\\DevCtrlKrnl" ascii wide - $ = "THIS324NEWGAME" ascii wide - $ = "watchevent29021803" ascii wide - $ = "iamwaitingforu653890" ascii wide - $ = "Call to GetAdaptersInfo failed. Return Value" ascii wide - $ = "Hard Disk(%s--LocalDisk)" ascii wide - $ = "Total size: %I64d (MB)" ascii wide - - $ = "SYSTEM\\CurrentControlSet\\Services\\%s" ascii wide - - $hex0 = { 6a ff 68 1b 04 01 10 64 ?? ?? ?? ?? ?? 50 64 ?? ?? ?? ?? ?? ?? 51 56 57 68 30 17 00 00 e8 ?? ?? ?? ?? 83 c4 04 89 ?? ?? ?? 85 c0 c7 ?? ?? ?? ?? ?? ?? ?? 74 ?? 8b c8 e8 ?? ?? ?? ?? 8b f0 eb ?? 33 f6 8b ?? 6a 01 8b ce c7 ?? ?? ?? ?? ?? ?? ?? ff ?? ?? bf 30 3b 01 10 83 c9 ff 33 c0 8b ?? f2 ?? f7 d1 49 51 68 30 3b 01 10 8b ce ff ?? ?? 8b ?? 68 81 3e 00 00 8b ce ff ?? ?? 8b ?? ?? ?? 8b ?? 50 8b ce ff ?? ?? 8b ?? ?? ?? 8b ?? 50 8b ce ff ?? ?? 56 e8 ?? ?? ?? ?? 8b f8 83 c4 04 f7 df 1b ff 47 85 f6 74 ?? 8b ce e8 ?? ?? ?? ?? 56 e8 ?? ?? ?? ?? 83 c4 04 8b ?? ?? ?? 8b c7 5f 5e 64 ?? ?? ?? ?? ?? ?? 83 c4 10 c3} - $hex1 = { 55 56 57 6a 08 33 ed e8 ?? ?? ?? ?? 8b f0 83 c4 04 85 f6 0f ?? ?? ?? ?? ?? ff ?? ?? ?? ?? ?? 89 ?? ff ?? ?? ?? ?? ?? 50 ff ?? ?? ?? ?? ?? 68 7f 03 0f 00 55 68 94 32 01 10 89 ?? ?? ff ?? ?? ?? ?? ?? 8b f8 85 ff 74 ?? 53 57 ff ?? ?? ?? ?? ?? 85 c0 74 ?? 
68 ff 01 0f 00 55 55 68 e8 30 01 10 ff ?? ?? ?? ?? ?? 8b d8 85 db 74 ?? 53 ff ?? ?? ?? ?? ?? 85 c0 74 ?? bd 01 00 00 00 53 ff ?? ?? ?? ?? ?? 57 ff ?? ?? ?? ?? ?? 85 ed 5b 74 ?? 8b c6 5f 5e 5d c3} - $hex2 = { 53 53 6a 03 53 53 68 00 00 00 c0 68 78 33 01 10 ff ?? ?? ?? ?? ?? 89 ?? ?? 83 f8 ff 75 ?? 33 c0 8b ?? ?? 64 ?? ?? ?? ?? ?? ?? 5f 5e 5b 8b e5 5d c3 89 ?? ?? 89 ?? ?? 89 ?? ?? be 88 33 01 10 8b c7 8a ?? 8a ca 3a ?? 75 ?? 3a cb 74 ?? 8a ?? ?? 8a ca 3a ?? ?? 75 ?? 83 c0 02 83 c6 02 3a cb 75 ?? 33 c0 eb ?? 1b c0 83 d8 ff 3b c3 75 ?? 89 ?? ?? eb ?? 57 ff ?? ?? ?? ?? ?? 89 ?? ?? 83 f8 ff 74 ?? 8b ?? ?? 50 ff ?? ?? ?? ?? ?? 66 ?? ?? ?? 53 8d ?? ?? 51 6a 04 8d ?? ?? 52 6a 06 8d ?? ?? 50 8b ?? ?? 56 8b ?? ?? 51 ff ?? ?? ?? ?? ?? 85 c0 74 ?? 81 fe c8 20 22 00 75 ?? c7 ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? e8 ?? ?? ?? ?? 8b ?? ?? 8b ?? ?? 64 ?? ?? ?? ?? ?? ?? 5f 5e 5b 8b e5 5d c3} - - condition: - (3 of them) or (any of ($hex*)) -}rule TrojanBotnetWin32CutwailSample -{ - meta: - Description = "Trojan.Cutwail.sm" - ThreatLevel = "5" - - strings: - $ = "PreLoader.pdb" ascii wide - $ = "magadan21" ascii wide - $ = "RkInstall.pdb" ascii wide - $ = "InnerDrv.pdb" ascii wide - $ = "Protect.pdb" ascii wide - $ = "MailerApp.pdb" ascii wide - $ = "revolution6" ascii wide - $ = "bot25" ascii wide - condition: - any of them -}rule TrojanDllpatcherA -{ - meta: - Description = "Trojan.Dllpatcher.vb" - ThreatLevel = "5" - - strings: - $str1 = "Global\\Matil da" ascii wide - $str2 = "Global\\Nople Mento" ascii wide - $str3 = "%s\\System32\\dnsapi.dll" ascii wide - $str4 = "%s\\SysWOW64\\dnsapi.dll" ascii wide - - condition: - 3 of them -} -rule TrojanDownloaderWin32KaraganySampleA -{ - meta: - Description = "Trojan.Karagany.sm" - ThreatLevel = "5" - strings: - $hex0 = { e8 ?? ?? ?? ?? 68 b4 05 00 00 e8 ?? ?? ?? ?? 83 c4 04 c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ff ?? ?? 99 b9 05 00 00 00 f7 f9 89 ?? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 
75 ?? 68 c0 24 40 00 8b ?? ?? ?? ?? ?? 52 ff ?? ?? ?? ?? ?? 83 c4 08 eb ?? 83 ?? ?? ?? ?? ?? ?? 75 ?? 68 78 24 40 00 a1 ?? ?? ?? ?? 50 ff ?? ?? ?? ?? ?? 83 c4 08 eb ?? 83 ?? ?? ?? ?? ?? ?? 75 ?? 68 30 24 40 00 8b ?? ?? ?? ?? ?? 51 ff ?? ?? ?? ?? ?? 83 c4 08 eb ?? 83 ?? ?? ?? ?? ?? ?? 75 ?? 68 e8 23 40 00 8b ?? ?? ?? ?? ?? 52 ff ?? ?? ?? ?? ?? 83 c4 08 eb ?? 83 ?? ?? ?? ?? ?? ?? 75 ?? 68 a0 23 40 00 a1 ?? ?? ?? ?? 50 ff ?? ?? ?? ?? ?? 83 c4 08 8d ?? ?? ?? ?? ?? 51 68 00 03 00 84 6a 00 6a 00 8b ?? ?? ?? ?? ?? 52 8b ?? ?? ?? ?? ?? 50 ff ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 74 ?? 83 ?? ?? ?? ?? ?? ??} - $hex1 = { 55 8b ec 83 ec 18 e8 ?? ?? ?? ?? 89 ?? ?? 8b ?? ?? 50 e8 ?? ?? ?? ?? 83 c4 04 a3 ?? ?? ?? ?? 68 d0 21 40 00 8b ?? ?? 51 ff ?? ?? ?? ?? ?? a3 ?? ?? ?? ?? 6a 00 6a 00 68 38 23 40 00 ff ?? ?? ?? ?? ?? 89 ?? ?? c7 ?? ?? ?? ?? ?? ?? eb ?? 8b ?? ?? 83 c2 01 89 ?? ?? 83 ?? ?? ?? 73 ?? 8b ?? ?? 8b ?? ?? ?? ?? ?? ?? 51 8b ?? ?? 52 ff ?? ?? ?? ?? ?? 8b ?? ?? 89 ?? ?? ?? ?? ?? ?? eb ?? 6a 00 6a 00 68 2c 23 40 00 ff ?? ?? ?? ?? ?? 89 ?? ?? c7 ?? ?? ?? ?? ?? ?? eb ?? 8b ?? ?? 83 c2 01 89 ?? ?? 83 ?? ?? ?? 73 ?? 8b ?? ?? 8b ?? ?? ?? ?? ?? ?? 51 8b ?? ?? 52 ff ?? ?? ?? ?? ?? 8b ?? ?? 89 ?? ?? ?? ?? ?? ?? eb ?? 6a 00 6a 00 68 20 23 40 00 ff ?? ?? ?? ?? ?? 89 ?? ?? 8b ?? ?? ?? ?? ?? 52 8b ?? ?? 50 ff ?? ?? ?? ?? ?? a3 ?? ?? ?? ?? 8b ?? ?? ?? ?? ?? 51 8b ?? ?? 52 ff ?? ?? ?? ?? ?? a3 ?? ?? ?? ?? a1 ?? ?? ?? ?? 50 8b ?? ?? 51 ff ?? ?? ?? ?? ?? a3 ?? ?? ?? ?? 6a 00 6a 00 68 14 23 40 00 ff ?? ?? ?? ?? ?? 89 ?? ?? c7 ?? ?? ?? ?? ?? ?? eb ?? 8b ?? ?? 83 c2 01 89 ?? ?? 83 ?? ?? ?? 73 ?? 8b ?? ?? 8b ?? ?? ?? ?? ?? ?? 51 8b ?? ?? 52 ff ?? ?? ?? ?? ?? 8b ?? ?? 89 ?? ?? ?? ?? ?? ?? eb ?? 6a 00 6a 00 68 04 23 40 00 ff ?? ?? ?? ?? ?? 89 ?? ?? c7 ?? ?? ?? ?? ?? ?? eb ?? 8b ?? ?? 83 c2 01 89 ?? ?? 83 ?? ?? ?? 73 ?? 8b ?? ?? 8b ?? ?? ?? ?? ?? ?? 51 8b ?? ?? 52 ff ?? ?? ?? ?? ?? 8b ?? ?? 89 ?? ?? ?? ?? ?? ?? eb ?? 8b e5 5d c3} - $hex2 = { 55 8b ec 81 ec 20 04 00 00 a1 ?? ?? ?? 
?? 89 ?? ?? 68 e0 30 40 00 68 48 23 40 00 8d ?? ?? ?? ?? ?? 51 ff ?? ?? 83 c4 0c 6a 00 6a 00 8d ?? ?? ?? ?? ?? 52 e8 ?? ?? ?? ?? 83 c4 0c b8 01 00 00 00 8b e5 5d c3} - condition: - any of ($hex*) -} - -rule TrojanDownloaderWin32WaledacSampleR -{ - meta: - Description = "Trojan.Waledac.sm" - ThreatLevel = "5" - strings: - $hex0 = { 55 8b ec 81 ec 6c 02 00 00 56 57 68 80 00 00 00 8d ?? ?? ?? ?? ?? 50 ff ?? ?? ?? ?? ?? 8b ?? ?? ?? ?? ?? 68 1c 21 40 00 8d ?? ?? ?? ?? ?? 50 ff d6 e8 ?? ?? ?? ?? 8d ?? ?? 51 50 e8 ?? ?? ?? ?? 8b ?? ?? 59 59 8b ?? ?? 8d ?? ?? ?? 50 8d ?? ?? ?? ?? ?? 50 ff d6 8d ?? ?? 50 e8 ?? ?? ?? ?? 8d ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? 50 ff d6 33 f6 56 56 6a 02 56 56 68 00 00 00 40 8d ?? ?? ?? ?? ?? 50 ff ?? ?? ?? ?? ?? 8b f8 3b fe 75 ?? 32 c0 eb ?? 56 8d ?? ?? 50 53 ff ?? ?? 57 ff ?? ?? ?? ?? ?? 57 ff ?? ?? ?? ?? ?? 39 ?? ?? 75 ?? 6a 44 5f 57 8d ?? ?? 56 50 e8 ?? ?? ?? ?? 83 c4 0c 33 c0 66 ?? ?? ?? 8d ?? ?? 50 8d ?? ?? 50 56 56 56 56 56 56 8d ?? ?? ?? ?? ?? 50 56 89 ?? ?? c7 ?? ?? ?? ?? ?? ?? ff ?? ?? ?? ?? ?? f7 d8 1b c0 f7 d8 5f 5e c9 c3 55} - $hex1 = { 55 8b ec 83 e4 f8 83 ec 10 56 57 e8 ?? ?? ?? ?? be 10 30 40 00 56 68 02 02 00 00 ff ?? ?? ?? ?? ?? 85 c0 74 ?? 56 6a 02 ff ?? ?? ?? ?? ?? 85 c0 74 ?? 56 68 01 01 00 00 ff ?? ?? ?? ?? ?? 85 c0 74 ?? 6a ff ff ?? ?? ?? ?? ?? ff ?? ?? ?? ?? ?? 50 e8 ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? e8 ?? ?? ?? ?? a3 ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? e8 ?? ?? ?? ?? be 30 21 40 00 8d ?? ?? ?? a5 a5 59 a3 ?? ?? ?? ?? a5 8d ?? ?? ?? 50 68 40 21 40 00 a4 e8 ?? ?? ?? ?? 59 59 84 c0 75 ?? 8d ?? ?? ?? 50 68 4c 21 40 00 e8 ?? ?? ?? ?? 59 59 ff ?? ?? ?? ?? ?? e8 ?? ?? ?? ?? 59 ff ?? ?? ?? ?? ?? e8 ?? ?? ?? ?? 59 5f 33 c0 5e 8b e5 5d c3} - $hex2 = { 55 8b ec 51 83 ?? ?? ?? 53 8b ?? ?? ?? ?? ?? 56 57 bf 00 90 01 00 eb ?? 7c ?? 8b ?? ?? 56 ff ?? ?? ?? ?? ?? 03 c3 50 e8 ?? ?? ?? ?? 01 ?? ?? 8b ?? ?? 8b ?? ?? 83 c4 0c e8 ?? ?? ?? ?? 83 e8 00 74 ?? 48 75 ?? 6a 00 57 ff ?? ?? ?? ?? ?? ff ?? ?? ff ?? ?? ?? ?? ?? 8b f0 85 f6 75 ?? 8b ?? ?? 
8b ?? ?? e8 ?? ?? ?? ?? f7 d8 1b c0 40 eb ?? 48 32 c0 eb ?? b0 01 5f 5e 5b c9 c3} - condition: - any of ($hex*) -} - -rule TrojanDownloaderWin32PerkeshSamle -{ - meta: - Description = "Trojan.Perkesh.rc" - ThreatLevel = "5" - strings: - $a = "698d51" ascii wide - $b = "%s~%x.dat" ascii wide - $c = "\\drivers\\etc\\hosts" ascii wide - condition: - all of them -} - -rule TrojanDownloaderWin32PerkeshDriverSamle -{ - meta: - Description = "Trojan.Perkesh.rc" - ThreatLevel = "5" - strings: - $a = "C:\\FOUND.001\\333888\\sys\\Driver\\i386\\feiji.pdb" ascii wide - condition: - $a -} -import"pe" -rule TrojanDropperMicrojoin -{ - meta: - Description = "Trojan.Microjoin.rc" - ThreatLevel = "5" - - strings: - $ep = { 55 8B EC 6A FF 68 00 00 00 00 68 00 00 00 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 5F 5E 5B 33 C0 83 C4 78 5D } - - condition: - $ep at pe.entry_point -}rule TrojanDownloaderWin32Frethog_E_Sample -{ - meta: - Description = "Trojan.Frethog.sm" - ThreatLevel = "5" - - strings: - $ = "C:\\WINDOWS\\system32\\msvbvm60.dll\\3" ascii wide - $ = "DownLoad File:" ascii wide - $ = "\\system32\\mswinsck.ocx" ascii wide - - $ = "http://www.pc918.net/file.txt" ascii wide - $ = "http://www.yswm.net/file.txt" ascii wide - $ = "http://www.v138.net/file.txt" ascii wide - $ = "http://www.v345.net/file.txt" ascii wide - $ = "http://www.ahwm.net/file.txt" ascii wide - $ = "http://user.yswm.net/yswm" ascii wide - - $ = "so118config" ascii wide - $ = "http://user.yswm.net" ascii wide - $ = "hide.exe" ascii wide - $ = "\\win.ini" ascii wide - $ = "\\system32\\svchost.exe" ascii wide - $ = "P2P DownFile:" ascii wide - $ = "yswm.runsoft" ascii wide - $ = "\\sys.dat" ascii wide - - condition: - 4 of them -}rule TrojanGBotSampleA_Malex -{ - meta: - Description = "Trojan.GBot.sm" - ThreatLevel = "5" - - strings: - $ = "My name is \"G-Bot\" or \"GBot\"!"ascii wide - $ = "C:\\WINDOWS\\WinUpdaterstd\\svchost.exe"ascii wide - $hex0 = { 85 d2 74 ?? 8b ?? ?? 41 7f ?? 
50 52 8b ?? ?? e8 ?? ?? ?? ?? 89 c2 58 52 8b ?? ?? e8 ?? ?? ?? ?? 5a 58 eb ?? f0 ?? ?? ?? 87 ?? 85 d2 74 ?? 8b ?? ?? 49 7c ?? f0 ?? ?? ?? 75 ?? 8d ?? ?? e8 ?? ?? ?? ?? c3} - $hex1 = { 53 56 8b f2 8b d8 66 ?? ?? ?? 66 3d b0 d7 72 ?? 66 3d b3 d7 76 ?? bb 66 00 00 00 eb ?? 66 3d b0 d7 74 ?? 8b c3 e8 ?? ?? ?? ?? 66 ?? ?? ?? 80 ?? ?? ?? 75 ?? 83 ?? ?? ?? 75 ?? c7 ?? ?? ?? ?? ?? ?? 8b c3 ff ?? ?? 8b d8 85 db 74 ?? 8b c3 e8 ?? ?? ?? ?? 8b c3 5e 5b c3} - - condition: - any of them -}rule TrojanDropperWin32Gamarue_A_Andromeda -{ - meta: - Description = "Trojan.Andromeda.sm" - ThreatLevel = "5" - - strings: - $ = { 66 8B 10 66 3B 11 75 1E 66 3B D3 74 15 66 8B 50 02 66 3B 51 02 75 0F 83 C0 04 83 C1 04 66 3B D3 75 DE 33 C0 EB 05 1B C0 83 D8 FF 3B C3 0F 84 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? ?? 56 FF D7 85 C0 75 ?? } - $a = "ldr\\CUSTOM\\local\\local\\Release\\ADropper.pdb" ascii wide - $ = "EpisodeNorth.exe" ascii wide - $ = "HandballChampionship.exe" ascii wide - $ = "\\#MSI" ascii wide - $ = "\\MSI" ascii wide - $ = "\\msiexec.exe" ascii wide - $ = "avp.exe" ascii wide - $ = "\\(empty).lnk" ascii wide - $b = "hsk\\ehs\\dihviceh\\serhlsethntrohntcohurrehem\\chsyst" ascii wide - - condition: - (3 of them) or $a or $b -} -rule TrojanInjectorA -{ - meta: - Description = "Trojan.Injector.vb" - ThreatLevel = "5" - - strings: - $ = "KERNEO32.nll" ascii wide - $ = "CfeateFileAaocwwA" ascii wide - $ = "RGPdFileREjhsoX" ascii wide - - condition: - all of them -} -rule TrojanWin32KovterSample -{ - meta: - Description = "Trojan.Kovter.sm" - ThreatLevel = "5" - - strings: - $ = "AntiVirtualBox" ascii wide - $ = "AntiVMware" ascii wide - $ = "AntiVMwareEx" ascii wide - $ = "AntiVirtualPC" ascii wide - $ = "AntiSandboxie" ascii wide - $ = "AntiThreadExpert" ascii wide - $ = "AntiWireshark" ascii wide - $ = "AntiJoeBox" ascii wide - $ = "AntiRFP" ascii wide - $ = "AntiAllDebugger" ascii wide - $ = "AntiODBG" ascii wide - $ = "AntiSoftIce" ascii wide - $ = "AntiSyserDebugger" ascii wide - $ = 
"AntiTrwDebugger" ascii wide - $ = "AntiVirtualMachine" ascii wide - $ = "AntiSunbeltSandboxie" ascii wide - - $a = "i:\\MySoft\\project Locker\\optimize orig Binary\\kol\\err.pas" ascii wide - - condition: - 3 of them or $a -}rule TrojanDownloaderWin32KuluozSampleB -{ - meta: - Description = "Trojan.Asprox.sm" - ThreatLevel = "5" - strings: - $ = "svchost.exe" ascii wide - $ = "Software\\Microsoft\\Windows\\CurrentVersion\\Run" ascii wide - $ = "/index.php?r=gate&id=" ascii wide - $ = "/index.php?r=gate/getipslist&id=" ascii wide - $ = "You fag" ascii wide - $ = "For group" ascii wide - $hex0 = { 55 8b ec 81 ec dc 00 00 00 90 68 1c 10 40 00 ff ?? ?? ?? ?? ?? 89 ?? ?? 68 28 10 40 00 8b ?? ?? 50 ff ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 68 44 10 40 00 8b ?? ?? 51 ff ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 68 58 10 40 00 8b ?? ?? 52 ff ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 68 6c 10 40 00 8b ?? ?? 50 ff ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 68 7c 10 40 00 8b ?? ?? 51 ff ?? ?? ?? ?? ?? 89 ?? ?? 68 94 10 40 00 8b ?? ?? 52 ff ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? b8 50 89 40 00 2d b0 10 40 00 89 ?? ?? c7 ?? ?? ?? ?? ?? ?? eb ?? 8b ?? ?? 83 c1 01 89 ?? ?? 83 ?? ?? ?? 73 ?? 8b ?? ?? c6 ?? ?? ?? ?? ?? ?? ?? eb ?? c7 ?? ?? ?? ?? ?? ?? eb ?? 8b ?? ?? 83 c0 01 89 ?? ?? 83 ?? ?? ?? 73 ?? 8b ?? ?? c6 ?? ?? ?? ?? eb ?? c7 ?? ?? ?? ?? ?? ?? 90 8d ?? ?? ?? ?? ?? 52 8d ?? ?? 50 6a 00 6a 00 6a 04 6a 00 6a 00 6a 00 68 a4 10 40 00 6a 00 ff ?? ?? ?? ?? ?? 8b ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8b ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 6a 00 6a 18 8d ?? ?? 50 6a 00 8b ?? ?? ?? ?? ?? 51 ff ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8b ?? ?? 83 c2 08 89 ?? ?? ?? ?? ?? 8d ?? ?? ?? ?? ?? 50 6a 04 8d ?? ?? ?? ?? ?? 51 8b ?? ?? ?? ?? ?? 52 8b ?? ?? ?? ?? ?? 50 ff ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8b ?? ?? 89 ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 6a 00 68 00 00 00 08 6a 40 8d ?? ?? ?? ?? ?? 52 6a 00 68 1f 00 0f 00 8d ?? ?? 50 ff ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 8b ?? ?? 89 ?? ?? ?? ?? ?? 
6a 40 6a 00 6a 01 8d ?? ?? ?? ?? ?? 52 6a 00 6a 00 6a 00 8d ?? ?? ?? ?? ?? 50 6a ff 8b ?? ?? 51 ff ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? eb ?? 8b ?? ?? 83 c2 01 89 ?? ?? 8b ?? ?? 3b ?? ?? 73 ?? b9 b0 10 40 00 03 ?? ?? 8b ?? ?? ?? ?? ?? 03 ?? ?? 8a ?? 88 ?? eb ?? 90 c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 6a 40 6a 00 6a 01 8d ?? ?? ?? ?? ?? 51 6a 00 6a 00 6a 00 8d ?? ?? ?? ?? ?? 52 8b ?? ?? ?? ?? ?? 50 8b ?? ?? 51 ff ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8b ?? ?? ?? ?? ?? 89 ?? ?? 6a 40 68 00 30 00 00 68 00 00 50 00 6a 00 ff ?? ?? ?? ?? ?? 89 ?? ?? 8d ?? ?? ?? ?? ?? 50 68 00 10 00 00 8b ?? ?? 51 8b ?? ?? ?? ?? ?? 52 8b ?? ?? ?? ?? ?? 50 ff ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8b ?? ?? 8b ?? ?? 03 ?? ?? 89 ?? ?? ?? ?? ?? 8b ?? ?? ?? ?? ?? 8b ?? ?? 89 ?? ?? 8b ?? ?? ?? ?? ?? 8b ?? ?? 89 ?? ?? ?? ?? ?? 8d ?? ?? ?? ?? ?? 51 8b ?? ?? 52 8b ?? ?? 50 8b ?? ?? ?? ?? ?? 51 8b ?? ?? ?? ?? ?? 52 ff ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 8b ?? ?? 89 ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 6a 00 68 00 00 00 08 6a 40 8d ?? ?? ?? ?? ?? 51 6a 00 68 1f 00 0f 00 8d ?? ?? ?? ?? ?? 52 ff ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8b ?? ?? 89 ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 6a 40 6a 00 6a 01 8d ?? ?? ?? ?? ?? 51 6a 00 6a 00 6a 00 8d ?? ?? ?? ?? ?? 52 6a ff 8b ?? ?? ?? ?? ?? 50 ff ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 8b ?? ?? 03 ?? ?? ?? ?? ?? c6 ?? ?? 8b ?? ?? 03 ?? ?? ?? ?? ?? c6 ?? ?? ?? 8b ?? ?? 03 ?? ?? ?? ?? ?? 8b ?? ?? 89 ?? ?? 8b ?? ?? 03 ?? ?? ?? ?? ?? c6 ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? eb ?? 8b ?? ?? 83 c0 01 89 ?? ?? 8b ?? ?? 3b ?? ?? 73 ?? 8b ?? ?? ?? ?? ?? 03 ?? ?? 8b ?? ?? 03 ?? ?? 8a ?? 88 ?? eb ?? 90 8b ?? ?? ?? ?? ?? 52 8b ?? ?? ?? ?? ?? 50 ff ?? ?? 89 ?? ?? ?? ?? ?? 8b ?? ?? 89 ?? ?? ?? ?? ?? 8b ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 6a 40 6a 00 6a 01 8d ?? ?? ?? ?? ?? 50 6a 00 6a 00 6a 00 8d ?? ?? ?? ?? ?? 51 8b ?? ?? ?? ?? ?? 52 8b ?? ?? ?? ?? ?? 50 ff ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 6a 00 8b ?? ?? ?? ?? ?? 51 ff ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 
68 e8 03 00 00 ff ?? ?? ?? ?? ?? 6a 00 ff ?? ?? ?? ?? ?? 8b e5 5d c3} - condition: - (3 of them) or $hex0 -}rule TrojanWin32LethicBSample -{ - meta: - Description = "Trojan.Lethic.sm" - ThreatLevel = "5" - strings: - $ = "zaproxza" ascii wide - $ = "93.190.137.51" ascii wide - $ = "antaw" ascii wide - $hex0 = { e8 ?? ?? ?? ?? 8b ?? ?? 52 e8 ?? ?? ?? ?? 8b ?? ?? 50 e8 ?? ?? ?? ?? 68 74 43 40 00 e8 ?? ?? ?? ?? 89 ?? ?? 6a 33 68 00 40 40 00 8b ?? ?? 51 e8 ?? ?? ?? ?? 8b ?? ?? 89 ?? ?? ?? ?? ?? 8b ?? ?? 83 ?? ?? ?? ?? ?? ?? 75 ?? e9 ?? ?? ?? ?? 8b ?? ??} - condition: - (2 of them) or (any of ($hex*)) -}rule TrojanWin32NecursSample -{ - meta: - Description = "Trojan.Necurs.sm" - ThreatLevel = "5" - - strings: - $ = "some stupid error %u" ascii wide - $ = "loading" ascii wide - $ = "unloading" ascii wide - $ = "exception %08x %swhen %s at %p" ascii wide - $ = "microsoft.com" ascii wide - $ = "facebook.com" ascii wide - $a = "NitrGB" ascii wide - $ = "\\Installer\\{" ascii wide - $ = "%s%0.8X-%0.4X-%0.4X-%0.4X-%0.8X%0.4X}\\" ascii wide - $ = "syshost32" ascii wide - $ = "%s\\svchost.exe" ascii wide - - condition: - (8 of them) or $a -} - -rule TrojanWinNTNecursSample -{ - meta: - Description = "Trojan.Necurs.sm" - ThreatLevel = "5" - - strings: - $a = "F:\\cut\\abler\\detecting\\overlapping\\am.pdb" ascii wide - $ = "VirusBuster Ltd" ascii wide - $ = "Beijing Jiangmin" ascii wide - $ = "SUNBELT SOFTWARE" ascii wide - $ = "Sunbelt Software" ascii wide - $ = "K7 Computing" ascii wide - $ = "Immunet Corporation" ascii wide - $ = "Beijing Rising" ascii wide - $ = "G DATA Software" ascii wide - $ = "Quick Heal Technologies" ascii wide - $ = "Comodo Security Solutions" ascii wide - $ = "CJSC Returnil Software" ascii wide - $ = "NovaShield Inc" ascii wide - $ = "BullGuard Ltd" ascii wide - $ = "Check Point Software Technologies Ltd" ascii wide - $ = "Panda Software International" ascii wide - $ = "Kaspersky Lab" ascii wide - $ = "FRISK Software International Ltd" ascii wide - $ 
= "ESET, spol. s r.o." ascii wide - $ = "Doctor Web Ltd" ascii wide - $ = "BitDefender SRL" ascii wide - $ = "BITDEFENDER LLC" ascii wide - $ = "Avira GmbH" ascii wide - $ = "GRISOFT, s.r.o." ascii wide - $ = "PC Tools" ascii wide - $ = "ALWIL Software" ascii wide - $ = "Agnitum Ltd" ascii wide - - condition: - (8 of them) or $a -}rule TrojanWin32NedsymGSample -{ - meta: - Description = "Trojan.Nedsym.sm" - ThreatLevel = "5" - - strings: - $ = "qwertyuiopasdfghjklzxcvbnm123456789" ascii wide - $ = "svcnost.exe" ascii wide - $ = "Windows Init" ascii wide - $ = "\\drivers\\etc\\hosts" ascii wide - - condition: - 2 of them -}rule TrojanWin32NeurevtA_BackDoor -{ - meta: - Description = "Trojan.Neurevt.sm" - ThreatLevel = "5" - - strings: - $ = "%s\\__%08x.lnk" ascii wide - $ = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\%s" ascii wide - $ = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce" ascii wide - $ = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" ascii wide - $ = "SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run" ascii wide - $ = "{2227A280-3AEA-1069-A2DE-08002B30309D}" ascii wide - $ = "schtasks.exe" ascii wide - $ = "SYSTEM\\CurrentControlSet\\Control\\Session Manager" ascii wide - $ = "Software\\Classes\\CLSID\\%s\\%08X\\%s" ascii wide - $ = "%s\\%08X.pif" ascii wide - $ = "Windows ha detectado una carpeta da" ascii wide - $ = "Mostrar Detalles" ascii wide - $ = "Mas informaci" ascii wide - $ = "Restaurar archivos" ascii wide - $ = "Restaurar archivos y chequear el disco en busca de errores" ascii wide - $ = "Erro de Disco Cr" ascii wide - $ = "O Windows encontrou uma pasta corrompida no seu disco r" ascii wide - $ = "Mostrar detalhes" ascii wide - $ = "Mais detalhes sobre esse erro" ascii wide - $ = "Restaurar os arquivos" ascii wide - $ = "Restaurar os arquivos e verificar erros no disco" ascii wide - $ = "Kritischer Festplattenfehler" ascii wide - $ = "Windows hat einen fehlerhaften Ordner auf 
deiner Festplatte vorgefunden." ascii wide - $ = "Mehrere fehlerhafte Dateien wurden in dem Ordner 'Eigene Dokumente' gefunden. Um Datenverlust zu ver" ascii wide - $ = "Details anzeigen" ascii wide - $ = "Mehr Details zu diesem Fehler" ascii wide - $ = "Dateien wiederherstellen" ascii wide - $ = "Dateien wiederherstellen und Festplatte auf Fehler " ascii wide - $ = "Erreur Critique" ascii wide - $ = "Windows a trouv" ascii wide - $ = "Plusieurs fichiers corrompu sont trouv" ascii wide - $ = "Montre d" ascii wide - $ = "Plus de d" ascii wide - $ = "Kritieke foutmelding" ascii wide - $ = "Windows heeft een beschadigde map gevonden" ascii wide - $ = "Meerdere beschadigde bestanden zijn in de map 'Mijn Documenten' gevonden. Om dataverlies te voorkome" ascii wide - $ = "Toon details" ascii wide - $ = "Meer details over deze foutmelding" ascii wide - $ = "Herstel bestanden" ascii wide - $ = "Herstel bestanden en controleer de harde schijf voor errors" ascii wide - $ = "Kritik disk hatas" ascii wide - $ = "Windows sabit diskinizde bozuk bir klas" ascii wide - $ = "Bu hata hakk" ascii wide - $ = "Dosyalar" ascii wide - $ = "Hata ayr" ascii wide - $ = "Kritis Disk Kesalahan" ascii wide - $ = "Windows telah mengalami rusak folder pada hard drive Anda" ascii wide - $ = "Beberapa file rusak telah ditemukan di folder 'My Documents'. Untuk mencegah kerugian serius data, p" ascii wide - $ = "Tampilkan detail" ascii wide - $ = "Lebih rinci tentang kesalahan ini" ascii wide - $ = "mengembalikan file" ascii wide - $ = "Kembalikan file dan memeriksa disk untuk kesalahan" ascii wide - $ = "Errore critico dell'hard disk" ascii wide - $ = "Windows ha trovato una cartella corrotta nel vostro hard disk." ascii wide - $ = "Mostra dettagli" ascii wide - $ = "Maggiori dettagli su quest'errore" ascii wide - $ = "Ripristina i file" ascii wide - $ = "Ripristina i file e controlla il disco per errori." 
ascii wide - $ = "Kriittinen Levy Virhe" ascii wide - $ = "Windows on t" ascii wide - $ = "Useita korruptoituneita tiedostoja on l" ascii wide - $ = "Palauta tiedostot" ascii wide - $ = "Palauta tiedostot ja etsi virheit" ascii wide - $ = "Problem, krytyczny stan dysku" ascii wide - $ = "Windows znalazl korupcyjny folder w twoim twardym dysku." ascii wide - $ = "Duza ilosc zepsutych plikow zostala znaleziona w swoim folderze 'My Documents'. Zeby zachowac pamiec" ascii wide - $ = "Pokaz wiecej informacji" ascii wide - $ = "Wiecej danych na temat bledu" ascii wide - $ = "Przywracanie plik" ascii wide - $ = "Critical Disk Error" ascii wide - $ = "Windows has encountered a corrupted folder on your hard drive" ascii wide - $ = "Multiple corrupted files have been found in the folder 'My Documents'. To prevent serious loss of da" ascii wide - $ = "Show details" ascii wide - $ = "More details about this error" ascii wide - $ = "Restore files and check disk for errors" ascii wide - $ = "http://answers.microsoft.com/en-us/windows/forum/windows_vista-windows_programs/corrupted-documents-folder/e2a7660f-8eea-4f27-b2e6-e77a0f0c1535" ascii wide - $ = "uac" ascii wide - $ = "nuac" ascii wide - $ = "Has denegado los privilegios de Windows para la utilidad de restauraci" ascii wide - $ = "Error en los privilegios" ascii wide - $ = "Erro de privil" ascii wide - $ = "Sie verweigerten Windows die Privilegien, das Dateiwiederherstellungswerkzeug zu nutzen. Bitte w" ascii wide - $ = "Privilegfehler" ascii wide - $ = "Vous avez rejet" ascii wide - $ = "Erreur de privil" ascii wide - $ = "U heeft de nodige rechten afgewezen voor de Windows herstelprocedure. Selecteer JA op de volgende UA" ascii wide - $ = "Toestemming error" ascii wide - $ = "Windows dosya restorasyon program" ascii wide - $ = "Izin hatas" ascii wide - $ = "Anda menyangkal hak-hak istimewa yang tepat untuk utilitas restorasi file Windows. 
Silakan pilih YES" ascii wide - $ = "Privilege Kesalahan" ascii wide - $ = "Hai negato i privilegi necessari a Windows per riparare i file. Selezione \"Si\" nella seguente finest" ascii wide - $ = "Errore nei privilegi" ascii wide - $ = "Et sallinut oikeuksia Windowsin tiedostojen palautus ohjelmistolle. Ole hyv" ascii wide - $ = "Windows file restoration utility" ascii wide - $ = "You denied the proper privileges to the Windows file restoration utility. Please select YES on the f" ascii wide - $ = "Privilege Error" ascii wide - $ = "local ip detected" ascii wide - - $hex0 = { 55 8b ec 81 ec 04 01 00 00 83 ?? ?? ?? 56 57 0f ?? ?? ?? ?? ?? 8b ?? ?? e8 ?? ?? ?? ?? 85 c0 0f ?? ?? ?? ?? ?? be 34 71 42 00 8b ce e8 ?? ?? ?? ?? 85 c0 0f ?? ?? ?? ?? ?? 8b ?? ?? ?? ?? ?? 81 c2 ae 17 00 00 8b ca e8 ?? ?? ?? ?? 83 f8 08 0f ?? ?? ?? ?? ?? 52 e8 ?? ?? ?? ?? 8b f8 85 ff 74 ?? 68 04 01 00 00 6a 00 8d ?? ?? ?? ?? ?? 50 e8 ?? ?? ?? ?? a1 ?? ?? ?? ?? 56 ff ?? ?? ?? ?? ?? 8d ?? ?? ?? ?? ?? 57 68 68 a3 42 00 50 ff ?? ?? ?? ?? ?? 83 c4 14 57 e8 ?? ?? ?? ?? e8 ?? ?? ?? ?? 68 d2 04 00 00 ff ?? ?? ?? ?? ?? 8b f0 ff ?? ?? ?? ?? ?? ff ?? ?? 8d ?? ?? ?? ?? ?? 50 e8 ?? ?? ?? ?? 8b f8 83 fe 01 75 ?? 6a 00 ff ?? ?? ?? ?? ?? ff ?? ?? ?? ?? ?? 8b c7 eb ?? 33 c0 5f 5e c9 c2 04 00 55} - $hex1 = { 55 8b ec 81 ec 04 01 00 00 53 33 db 57 39 ?? ?? 0f ?? ?? ?? ?? ?? 8b ?? ?? 3b cb 0f ?? ?? ?? ?? ?? 39 ?? ?? 0f ?? ?? ?? ?? ?? 3b f3 0f ?? ?? ?? ?? ?? 39 ?? 0f ?? ?? ?? ?? ?? e8 ?? ?? ?? ?? 85 c0 0f ?? ?? ?? ?? ?? 8b ?? ?? e8 ?? ?? ?? ?? 85 c0 0f ?? ?? ?? ?? ?? 8b ?? ?? ?? ?? ?? 81 c2 ae 17 00 00 8b ca e8 ?? ?? ?? ?? 83 f8 08 0f ?? ?? ?? ?? ?? 52 e8 ?? ?? ?? ?? 8b f8 3b fb 0f ?? ?? ?? ?? ?? 68 04 01 00 00 53 8d ?? ?? ?? ?? ?? 50 e8 ?? ?? ?? ?? ff ?? ?? a1 ?? ?? ?? ?? ff ?? ?? ?? ?? ?? 8d ?? ?? ?? ?? ?? 57 68 68 a3 42 00 50 ff ?? ?? ?? ?? ?? 83 c4 14 57 e8 ?? ?? ?? ?? e8 ?? ?? ?? ?? 68 d2 04 00 00 ff ?? ?? ?? ?? ?? 8b f8 ff ?? ?? ?? ?? ?? ff ?? ?? 8b ?? ff ?? ?? 8d ?? ?? ?? ?? ?? 50 68 01 00 00 80 e8 ?? ?? 
?? ?? 89 ?? 83 ff 01 75 ?? 53 ff ?? ?? ?? ?? ?? ff ?? ?? ?? ?? ?? 39 ?? 0f 95 c0 eb ?? 32 c0 5f 5b c9 c2 0c 00} - $hex2 = { 55 8b ec 81 ec 98 06 00 00 8b cf e8 ?? ?? ?? ?? 83 f8 01 73 ?? 33 c0 40 c9 c3 53 56 57 32 db ff ?? ?? ?? ?? ?? 68 08 02 00 00 8b f0 6a 00 8d ?? ?? ?? ?? ?? 50 e8 ?? ?? ?? ?? 68 03 01 00 00 57 8d ?? ?? ?? ?? ?? 50 ff ?? ?? ?? ?? ?? 8d ?? ?? ?? ?? ?? 50 ff ?? ?? ?? ?? ?? a1 ?? ?? ?? ?? 05 f2 14 00 00 50 56 ff ?? ?? ?? ?? ?? 85 c0 74 ?? a1 ?? ?? ?? ?? 05 f2 14 00 00 50 8b d7 e8 ?? ?? ?? ?? 85 c0 78 ?? 33 c0 40 e9 ?? ?? ?? ?? 8d ?? ?? ?? ?? ?? 50 e8 ?? ?? ?? ?? 57 e8 ?? ?? ?? ?? be 80 00 00 00 eb ?? ff ?? ?? ?? ?? ?? 83 f8 05 75 ?? 84 db 75 ?? 8b cf e8 ?? ?? ?? ?? 83 f8 01 72 ?? 57 e8 ?? ?? ?? ?? b3 01 56 57 ff ?? ?? ?? ?? ?? 85 c0 74 ?? 57 ff ?? ?? ?? ?? ?? 8b f0 85 f6 74 ?? 68 00 c1 42 00 56 ff ?? ?? ?? ?? ?? 85 c0 0f ?? ?? ?? ?? ?? 68 0c c1 42 00 56 ff ?? ?? ?? ?? ?? 85 c0 0f ?? ?? ?? ?? ?? 6a 5c 5e 8b d7 e8 ?? ?? ?? ?? 40 50 57 8d ?? ?? ?? ?? ?? 50 ff ?? ?? ?? ?? ?? ff ?? ?? ?? ?? ?? 50 8d ?? ?? ?? ?? ?? 50 8d ?? ?? ?? ?? ?? 68 18 c1 42 00 50 ff ?? ?? ?? ?? ?? 83 c4 10 6a 08 8d ?? ?? ?? ?? ?? 50 57 ff ?? ?? ?? ?? ?? 85 c0 75 ?? 6a 04 50 57 ff ?? ?? ?? ?? ?? 57 ff ?? ?? ?? ?? ?? 8d ?? ?? ?? ?? ?? 50 ff ?? ?? ?? ?? ?? 85 c0 75 ?? 68 8c 00 00 00 ff ?? ?? ?? ?? ?? 8d ?? ?? ?? ?? ?? 50 ff ?? ?? ?? ?? ?? ff ?? ?? ?? ?? ?? 83 f8 05 75 ?? 8b cf e8 ?? ?? ?? ?? 83 f8 01 72 ?? 57 e8 ?? ?? ?? ?? eb ?? 32 c0 fe c8 0f b6 c0 f7 d8 1b c0 83 e0 02 eb ?? 6a 03 58 eb ?? 33 c0 5e 5b c9 c3} - $hex3 = { 55 8b ec 83 e4 f8 51 8b ?? ?? 57 85 d2 0f ?? ?? ?? ?? ?? 0f ?? ?? 66 85 c9 0f ?? ?? ?? ?? ?? 0f ?? ?? ?? 83 e8 00 0f ?? ?? ?? ?? ?? 48 74 ?? 48 0f ?? ?? ?? ?? ?? 48 0f ?? ?? ?? ?? ?? b8 1c 03 00 00 66 3b c8 0f ?? ?? ?? ?? ?? a1 ?? ?? ?? ?? 0f ?? ?? ?? 50 e8 ?? ?? ?? ?? 3c 01 0f ?? ?? ?? ?? ?? 52 e8 ?? ?? ?? ?? e9 ?? ?? ?? ?? b8 18 01 00 00 66 3b c8 75 ?? a1 ?? ?? ?? ?? 83 ?? ?? ?? 74 ?? 8d ?? ?? 8b cf e8 ?? ?? ?? ?? 83 f8 02 76 ?? 8b ?? ?? f6 c2 01 74 ?? e8 ?? ?? ?? 
?? 83 f8 fe 75 ?? a1 ?? ?? ?? ?? 03 c0 e8 ?? ?? ?? ?? e8 ?? ?? ?? ?? eb ?? f6 c2 02 74 ?? 57 e8 ?? ?? ?? ?? eb ?? f6 c2 04 74 ?? e8 ?? ?? ?? ?? eb ?? b8 24 14 00 00 66 3b c8 75 ?? a1 ?? ?? ?? ?? 0f ?? ?? ?? 50 e8 ?? ?? ?? ?? 3c 01 75 ?? 8b c2 e8 ?? ?? ?? ?? 33 c0 40 eb ?? 33 c0 5f 8b e5 5d c2 04 00} - $hex4 = { 8b ?? ?? c6 ?? ?? ?? ?? ff ?? ?? 83 f9 37 8b ?? ?? 7e ?? eb ?? c6 ?? ?? ?? ?? ff ?? ?? 8b ?? ?? 83 f9 40 7c ?? e8 ?? ?? ?? ?? eb ?? 8b ?? ?? c6 ?? ?? ?? ?? ff ?? ?? 83 ?? ?? ?? 7c ?? eb ?? c6 ?? ?? ?? ?? ff ?? ?? 8b ?? ?? 83 f9 38 7c ?? 8a ?? ?? 88 ?? ?? 8a ?? ?? 88 ?? ?? 8a ?? ?? 88 ?? ?? 8a ?? ?? 88 ?? ?? 8a ?? ?? 88 ?? ?? 8a ?? ?? 88 ?? ?? 8a ?? ?? 88 ?? ?? 8a ?? ?? 88 ?? ?? e9 ?? ?? ?? ??} - $hex5 = { 55 8b ec 51 51 56 33 f6 57 8b f9 3b c6 74 ?? 39 ?? ?? 74 ?? 3b fe 74 ?? 39 ?? ?? 74 ?? 6a 07 5a 39 ?? ?? 72 ?? 89 ?? ?? 89 ?? ?? 39 ?? ?? 76 ?? 53 eb ?? 33 f6 3b ?? ?? 77 ?? 8b ?? ?? 8d ?? ?? ?? 8a ?? ?? 3a ?? ?? 75 ?? ff ?? ?? 83 ?? ?? ?? 75 ?? 8d ?? ?? eb ?? 8a ?? ?? 88 ?? ?? 41 3b ca 72 ?? ff ?? ?? 46 83 fe 07 72 ?? eb ?? 83 ?? ?? ?? 42 8d ?? ?? 4f 3b ?? ?? 72 ?? 5b 8b ?? ?? eb ?? 
83 c8 ff 5f 5e c9 c2 08 00} - - - condition: - (10 of them) or (any of ($hex*)) -}rule MalwarePowerLoaderSample -{ - meta: - Description = "Trojan.PowerLoader.sm" - ThreatLevel = "5" - - strings: - $str_1 = "powerloader" ascii wide - - $ = "inject64_section" ascii wide - $ = "inject64_event" ascii wide - $ = "inject_section" ascii wide - $ = "inject_event" ascii wide - $ = "loader.dat" ascii wide - $ = "Inject64End" ascii wide - $ = "Inject64Normal" ascii wide - $ = "Inject64Start" ascii wide - $ = "UacInject64End" ascii wide - $ = "UacInject64Start" ascii wide - condition: - (2 of them) or (any of ($str_*)) -}rule TrojanRansomRevetonSample -{ - meta: - Description = "Trojan.Reveton.sm" - ThreatLevel = "5" - - strings: - $a = "JimmMonsterNew" ascii wide - $ = "regedit.exe" ascii wide - $ = "rundll32.exe" ascii wide - $ = "msconfig.lnk" ascii wide - $ = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon" ascii wide - $ = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell" ascii wide - $ = "Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ctfmon.exe" ascii wide - condition: - (3 of them) or $a -} - -rule TrojanWin32UrausySampleA -{ - meta: - Description = "Trojan.Urausy.sm" - ThreatLevel = "5" - - strings: - $a = { 55 89 E5 53 56 57 83 0D ?? ?? ?? ?? 01 31 C0 5F 5E 5B C9 C2 04 00 } - $b = { FF 15 ?? ?? ?? ?? 09 C0 0F 84 ?? ?? ?? ?? 8B 75 ?? 89 C3 6A 01 6A FF 6A 05 56 E8 } - - condition: - $a and $b -} - -rule TrojanRansomWin32TobfySample -{ - meta: - Description = "Trojan.Tobfy.sm" - ThreatLevel = "5" - - strings: - $ = "http://62.109.28.231/gtx3d16bv3/upload/img.jpg" ascii wide - $ = "http://62.109.28.231/gtx3d16bv3/upload/mp3.mp3" ascii wide - - $ = "Pay MoneyPak" ascii wide - $ = "You have 72 hours to pay the fine!" ascii wide - $ = "Wait! Your request is processed within 24 hours." 
ascii wide - $a = "G:\\WORK\\WORK_PECEPB\\Work_2012 Private\\Project L-0-ck_ER\\NEW Extern\\inject\\injc\\Release\\injc.pdb" ascii wide - $b = "G:\\WORK\\WORK_PECEPB\\Work_2012 Private\\Project L-0-ck_ER\\Version V 1.0\\V1.0\\Release\\te.pdb" ascii wide - $ = "picture.php?pin=" ascii wide - $ = "s\\sound.mp3" ascii wide - $ = "s\\1.jpg" ascii wide - $ = "s\\1.bmp" ascii wide - $ = "getunlock.php" ascii wide - - condition: - (4 of them) or $a or $b -}rule Regin_APT_KernelDriver_Generic_A { - meta: - Description = "Trojan.Regin.A.sm" - ThreatLevel = "5" - strings: - $m1 = { 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e } - - $s0 = "atapi.sys" fullword wide - $s1 = "disk.sys" fullword wide - $s3 = "h.data" fullword ascii - $s4 = "\\system32" fullword ascii - $s5 = "\\SystemRoot" fullword ascii - $s6 = "system" fullword ascii - $s7 = "temp" fullword ascii - $s8 = "windows" fullword ascii - - $x1 = "LRich6" fullword ascii - $x2 = "KeServiceDescriptorTable" fullword ascii - condition: - $m1 and all of ($s*) and 1 of ($x*) -} - -rule Regin_APT_KernelDriver_Generic_B { - meta: - Description = "Trojan.Regin.B.sm" - ThreatLevel = "5" - strings: - $s1 = { 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e } - $s2 = "H.data" fullword ascii nocase - $s3 = "INIT" fullword ascii - $s4 = "ntoskrnl.exe" fullword ascii - - $v1 = "\\system32" fullword ascii - $v2 = "\\SystemRoot" fullword ascii - $v3 = "KeServiceDescriptorTable" fullword ascii - - $w1 = "\\system32" fullword ascii - $w2 = "\\SystemRoot" fullword ascii - $w3 = "LRich6" fullword ascii - - $x1 = "_snprintf" fullword ascii - $x2 = "_except_handler3" fullword ascii - - $y1 = "mbstowcs" fullword ascii - $y2 = "wcstombs" fullword ascii - $y3 = "KeGetCurrentIrql" fullword ascii - - $z1 = "wcscpy" fullword 
ascii - $z2 = "ZwCreateFile" fullword ascii - $z3 = "ZwQueryInformationFile" fullword ascii - $z4 = "wcslen" fullword ascii - $z5 = "atoi" fullword ascii - condition: - all of ($s*) and ( all of ($v*) or all of ($w*) or all of ($x*) or all of ($y*) or all of ($z*) ) -} - -rule Regin_APT_KernelDriver_Generic_C { - meta: - Description = "Trojan.Regin.C.sm" - ThreatLevel = "5" - /*description = "Generic rule for Regin APT kernel driver Malware - Symantec http://t.co/qu53359Cb2" - author = "@Malwrsignatures - included in APT Scanner THOR" - date = "23.11.14" - hash1 = "e0895336617e0b45b312383814ec6783556d7635" - hash2 = "732298fa025ed48179a3a2555b45be96f7079712" */ - strings: - - $s0 = "KeGetCurrentIrql" fullword ascii - $s1 = "5.2.3790.0 (srv03_rtm.030324-2048)" fullword wide - $s2 = "usbclass" fullword wide - - $x1 = "PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING" ascii - $x2 = "Universal Serial Bus Class Driver" fullword wide - $x3 = "5.2.3790.0" fullword wide - - $y1 = "LSA Shell" fullword wide - $y2 = "0Richw" fullword ascii - condition: - all of ($s*) and ( all of ($x*) or all of ($y*) ) -} - -rule Regin_sig_svcsstat { - meta: - Description = "Trojan.Regin.sm" - ThreatLevel = "5" - /*description = "Detects svcstat from Regin report - file svcsstat.exe_sample" - author = "@Malwrsignatures" - date = "25.11.14" - score = 70 - hash = "5164edc1d54f10b7cb00a266a1b52c623ab005e2"*/ - strings: - $s0 = "Service Control Manager" fullword ascii - $s1 = "_vsnwprintf" fullword ascii - $s2 = "Root Agency" fullword ascii - $s3 = "Root Agency0" fullword ascii - $s4 = "StartServiceCtrlDispatcherA" fullword ascii - $s5 = "\\\\?\\UNC" fullword ascii - $s6 = "%ls%ls" fullword wide - condition: - all of them and filesize < 15KB and filesize > 10KB -}rule TrojanWin32RovnixSample -{ - meta: - Description = "Trojan.Rovnix.sm" - ThreatLevel = "5" - strings: - $ = "dropper.exe" ascii wide - $ = "dropper_x64.exe" ascii wide - $ = "Inject64Start" ascii wide 
- $ = "Inject64End" ascii wide - $ = "Inject64Normal" ascii wide - $ = "inject_section" ascii wide - $ = "inject_event" ascii wide - $ = "0:/plugins/%s" ascii wide - $ = "0:/plugins/base" ascii wide - $ = "0:/plugins/base/binary" ascii wide - $ = "0:/plugins/base/mask" ascii wide - $ = "0:/plugins/base/version" ascii wide - $ = "0:/plugins/base/once" ascii wide - $ = "0:/plugins/rootkit" ascii wide - $ = "0:/plugins/rootkit/binary" ascii wide - $ = "0:/plugins/rootkit/version" ascii wide - $ = "0:/plugins/rootkit/binary" ascii wide - $ = "0:\\storage\\keylog" ascii wide - $ = "0:\\storage\\config" ascii wide - $ = "0:\\storage\\intrnl" ascii wide - $ = "0:\\storage\\passw" ascii wide - $ = "0:\\storage\\hunter" ascii wide - $ = "0:/hidden" ascii wide - $ = "0:/hidden/%s" ascii wide - $ = "0:/hidden/%s/path" ascii wide - $ = "0:/hidden/%s/binary" ascii wide - $ = "0:/hidden/%s/mask" ascii wide - condition: - 3 of them -}rule TrojanDroppedBackdoorWin32SimdaSample -{ - meta: - Description = "Trojan.Simda.sm" - ThreatLevel = "5" - - strings: - $ = ".driver" ascii wide - $ = ".userm" ascii wide - $ = ".uac64" ascii wide - $ = ".mcp" ascii wide - $ = ".cfgbin" ascii wide - $ = ".uacdll" ascii wide - $ = "%s\\%s.sys" ascii wide - $ = "%s\\%s.exe" ascii wide - $ = "%appdata%\\ScanDisc.exe" ascii wide - condition: - 4 of them -}// Rule - Dropped file from Trojan Sirefef / ZeroAccess. 
-rule TrojanSirefefZerroAccess -{ - meta: - Description = "Trojan.Sirefef.sm" - ThreatLevel = "5" - - strings: - - //$ = "n64" ascii wide - //$ = "n32" ascii wide - //$ = "$Recycle.Bin\\" ascii wide - $ = "\\$%08x%04x%04x%02x%02x%02x%02x%02x%02x%02x%02x" ascii wide - //$ = "{%08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x}" ascii wide - - - $ = "%wZ\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders" ascii wide - $ = "%wZ\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" ascii wide - $ = "%wZ\\Software\\Classes\\clsid" ascii wide - $ = "\\registry\\MACHINE\\SYSTEM\\CurrentControlSet\\Services\\" ascii wide - $ = "\\registry\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" ascii wide - - $ = "\\systemroot\\system32\\config" ascii wide - $ = "\\??\\ACPI#PNP0303#2&da1a3ff&0" ascii wide - $ = "GoogleUpdate.exe" ascii wide - $ = "Google Update Service (gupdate)" ascii wide - $ = "%sU\\%08x.@" ascii wide - $ = "\\??\\%sU" ascii wide - $ = "\\??\\%s@" ascii wide - $ = "%08x.@" ascii wide - $ = "%08x.$" ascii wide - $ = "%08x.~" ascii wide - $ = "\\??\\%08x" ascii wide - $ = "\\n." ascii wide - $ = "wbem\\fastprox.dll" ascii wide - - $ = "c:\\windows\\system32\\z" ascii wide - $s1 = "e:\\sz\\x64\\release\\InCSRSS.pdb" ascii wide - - $s2 = "C:\\Jinket\\Lownza\\Kueshmmba\\de.pdb" ascii wide - $s3 = "E:\\Marlne\\Bensjo\\Ernstedun\\Rugriayid\\Wasp851.pdb" ascii wide - - $hex0 = { 55 8b ec 83 ec 48 53 56 57 ff ?? ?? ?? ?? ?? ff ?? ?? ?? ?? ?? 8d ?? ?? ?? 59 8b c6 e8 ?? ?? ?? ?? 8b c6 89 ?? ?? e8 ?? ?? ?? ?? 8b ?? ?? ?? ?? ?? 89 ?? ?? ff ?? ?? ?? ?? ?? 68 08 54 30 6a ff ?? ?? ff d6 ff ?? ?? ?? ?? ?? 68 18 54 30 6a ff ?? ?? ff d6 83 c4 18 83 ?? ?? ?? ?? ?? ?? 75 ?? 8b ?? ?? ?? ?? ?? bb 98 70 30 6a bf 00 00 10 00 eb ?? ff ?? ?? ff ?? ?? ?? ?? ?? 68 a0 0f 00 00 ff ?? ?? ?? ?? ?? 53 57 8d ?? ?? 50 ff d6 85 c0 7d ?? 68 60 ea 00 00 ff ?? ?? ?? ?? ?? bb 54 70 30 6a eb ?? ff ?? ?? ff ?? ?? ?? ?? ?? 6a 01 68 e0 93 04 00 ff ?? ?? ?? ?? ?? ff ?? ?? 
e8 ?? ?? ?? ?? 53 57 8d ?? ?? 50 ff d6 85 c0 7d ?? bf 20 71 30 6a 57 ff ?? ?? ?? ?? ?? 6a 00 ff ?? ?? 8d ?? ?? e8 ?? ?? ?? ?? 50 6a 00 ff ?? ?? 8d ?? ?? e8 ?? ?? ?? ?? 50 e8 ?? ?? ?? ?? 57 ff ?? ?? ?? ?? ?? 33 c0 8d ?? ?? 5f 5e 5b c9 c2 04 00} - $hex1 = { 55 8b ec 83 ec 18 56 57 8d ?? ?? 50 e8 ?? ?? ?? ?? 85 c0 0f ?? ?? ?? ?? ?? be 00 08 00 00 8b c6 e8 ?? ?? ?? ?? 8b fc 33 c0 b9 30 00 fe 7f 66 ?? ?? ?? 66 ?? ?? ?? 89 ?? ?? 0f ?? ?? 0f ?? ?? ?? 8b ?? ?? 66 ?? ?? ?? 66 ?? ?? ?? 41 41 66 83 f8 5c 75 ?? 66 ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? b8 28 55 30 6a 72 ?? b8 3c 55 30 6a 50 8d ?? ?? 50 ff ?? ?? ?? ?? ?? 66 ?? ?? ?? 66 ?? ?? ?? 0f b7 c8 01 ?? ?? 33 c0 50 66 ?? ?? ?? 8b ?? ?? ff ?? 8d ?? ?? 50 ff ?? ?? ?? ?? ?? 85 c0 0f ?? ?? ?? ?? ?? 0f ?? ?? ?? 0f ?? ?? ?? 2b c8 83 f9 50 0f ?? ?? ?? ?? ?? 0f ?? ?? ?? 51 0f ?? ?? ?? 51 0f ?? ?? ?? 51 0f ?? ?? ?? 51 0f ?? ?? ?? 51 0f ?? ?? ?? 51 0f ?? ?? ?? 51 0f ?? ?? ?? 51 0f ?? ?? ?? 51 0f ?? ?? ?? 51 ff ?? ?? 8b ?? ?? 03 c1 68 58 55 30 6a 50 ff ?? ?? ?? ?? ?? 57 ff ?? ?? ?? ?? ?? 83 c4 38 6a 02 5a 40 33 c9 f7 e2 0f 90 c1 f7 d9 0b c1 50 6a 00 ff ?? ?? ?? ?? ?? a3 ?? ?? ?? ?? 85 c0 74 ?? 57 50 ff ?? ?? ?? ?? ?? 59 33 c0 59 40 eb ?? 33 c0 8d ?? ?? 5f 5e c9 c2 04 00} - $hex2 = { 8b ?? ?? ?? 83 e8 00 74 ?? 48 75 ?? ff ?? ?? ?? ff ?? ?? ?? ?? ?? ff ?? ?? ?? e8 ?? ?? ?? ?? e8 ?? ?? ?? ?? 85 c0 74 ?? e8 ?? ?? ?? ?? 85 c0 74 ?? 6a 00 6a 00 ff ?? ?? ?? 68 62 13 30 6a 68 00 00 08 00 6a 00 ff ?? ?? ?? ?? ?? eb ?? a1 ?? ?? ?? ?? 85 c0 74 ?? 50 ff ?? ?? ?? ?? ?? a1 ?? ?? ?? ?? 85 c0 74 ?? 50 ff ?? ?? ?? ?? ?? 33 c0 40 c2 0c 00} - $hex3 = { 55 8b ec 51 51 53 56 8b ?? ?? 56 ff ?? ?? ?? ?? ?? 8b d8 85 db 0f ?? ?? ?? ?? ?? 57 6a 40 68 00 10 00 00 ff ?? ?? 6a 00 ff ?? ?? ?? ?? ?? 8b f8 89 ?? ?? 85 ff 0f ?? ?? ?? ?? ?? 8b ?? ?? f3 ?? 0f ?? ?? ?? 0f ?? ?? ?? 8d ?? ?? ?? 83 c0 0c 8b ?? 8b ?? ?? 8b ?? ?? 03 f1 03 f9 8b ?? ?? 83 c0 28 4a f3 ?? 75 ?? 8b ?? ?? 8b ?? ?? ?? ?? ?? 2b ?? ?? 8d ?? ?? 50 6a 05 6a 01 ff ?? ?? ff d7 85 c0 74 ?? eb ?? 8b ?? ?? 29 ?? 
?? 56 8d ?? ?? 8b ?? 03 ?? ?? 83 c1 f8 52 d1 e9 51 50 ff ?? ?? ?? ?? ?? 83 ?? ?? ?? 75 ?? 8d ?? ?? 50 6a 01 6a 01 ff ?? ?? ff d7 85 c0 74 ?? 8d ?? ?? 8b ?? 85 c0 74 ?? 8b f1 8b ?? ?? 03 c1 50 ff ?? ?? ?? ?? ?? 83 c6 14 8b ?? 85 c0 75 ?? 8b ?? ?? 5f 5e 5b c9 c2 04 00} - $hex4 = { 8b ?? ?? ?? ?? ?? b8 00 20 00 00 66 ?? ?? ?? ?? ?? ?? 75 ?? e8 ?? ?? ?? ?? 8b ?? ?? ?? 48 75 ?? 56 ff ?? ?? ?? ff ?? ?? ?? ?? ?? 33 f6 56 6a 04 56 68 0a 1d 40 00 56 56 ff ?? ?? ?? ?? ?? a3 ?? ?? ?? ?? 3b c6 74 ?? 56 50 ff ?? ?? ?? ?? ?? 5e b0 01 c2 0c 00} - $hex5 = { 55 8b ec 83 e4 f8 83 ec 34 53 56 57 33 db 53 6a 18 8d ?? ?? ?? 50 53 ff ?? ?? ff ?? ?? ?? ?? ?? 85 c0 0f ?? ?? ?? ?? ?? 8b ?? ?? ?? 89 ?? ?? ?? 33 c0 8d ?? ?? ?? ab 8d ?? ?? ?? 50 68 00 90 42 00 68 ff ff 1f 00 8d ?? ?? 50 ff ?? ?? ?? ?? ?? 85 c0 0f ?? ?? ?? ?? ?? 8b ?? ?? 8b ?? ?? ?? ?? ?? 3b c3 74 ?? 48 50 ff ?? ?? e8 ?? ?? ?? ?? e9 ?? ?? ?? ?? 8b ?? ?? ?? ?? ?? 6a 02 53 53 8d ?? ?? ?? 50 ff ?? ?? 6a ff 6a ff ff d6 85 c0 7c ?? 6a 02 53 53 8d ?? ?? ?? 50 ff ?? ?? 6a fe 6a ff ff d6 85 c0 7c ?? 6a 20 53 8d ?? ?? ?? 50 68 20 90 42 00 68 9f 01 12 00 8d ?? ?? ?? 50 ff ?? ?? ?? ?? ?? 85 c0 7c ?? 53 53 6a 08 8d ?? ?? ?? 50 8d ?? ?? ?? 50 53 53 53 ff ?? ?? ?? ff ?? ?? ?? ?? ?? ff ?? ?? ?? ff d7 68 18 90 42 00 6a 01 ff ?? ?? ?? ?? ?? ff ?? ?? ff d7 5f 5e 5b 8b e5 5d c2 08 00} - $hex6 = { 55 8b ec 51 68 c2 7e 42 00 ff ?? ?? ?? ?? ?? 85 c0 74 ?? 8d ?? ?? 51 68 02 23 00 00 6a 00 50 ff ?? ?? ?? ?? ?? 85 c0 7c ?? a1 ?? ?? ?? ?? 8b ?? ?? ?? ?? ?? 85 c0 75 ?? b8 53 50 43 33 68 00 00 40 00 50 ff ?? ?? ?? ?? ?? ff ?? ?? c9 c3} - $hex7 = { 55 8b ec 83 ec 64 53 56 57 ff ?? ?? ?? ?? ?? 85 c0 0f ?? ?? ?? ?? ?? ff ?? ?? ff ?? ?? e8 ?? ?? ?? ?? 85 c0 0f ?? ?? ?? ?? ?? 33 db 53 53 ff ?? ?? ?? ?? ?? 50 68 4d 10 40 00 53 53 53 53 53 6a ff ff ?? ?? ?? ?? ?? b8 00 04 00 00 e8 ?? ?? ?? ?? 8b f4 89 ?? ?? 89 ?? ?? e9 ?? ?? ?? ?? 8d ?? ?? 50 56 c7 ?? ?? ?? ?? ?? ?? ff ?? ?? ?? ?? ?? 85 c0 0f ?? ?? ?? ?? ?? 83 ?? ?? ?? 75 ?? 6a 30 53 ff ?? ?? ?? ?? ?? 
3b c3 74 ?? 8b ?? ?? 8b ?? ?? 89 ?? ?? 89 ?? ?? 89 ?? ?? c6 ?? ?? ?? 8d ?? ?? 89 ?? ?? 89 ?? 8d ?? ?? 89 ?? ?? 89 ?? 8b ?? ?? ?? ?? ?? 89 ?? c7 ?? ?? ?? ?? ?? ?? 89 ?? ?? a3 ?? ?? ?? ?? eb ?? 33 c0 3b c3 74 ?? 8d ?? ?? e8 ?? ?? ?? ?? ff ?? ?? e9 ?? ?? ?? ?? ff ?? ?? ff ?? ?? ?? ?? ?? e9 ?? ?? ?? ?? a1 ?? ?? ?? ?? b9 38 90 42 00 eb ?? 8b ?? ?? 3b ?? ?? 74 ?? 8b ?? 3b c1 75 ?? 33 ff 3b fb 0f ?? ?? ?? ?? ?? 8b ?? ?? 48 74 ?? 48 74 ?? 48 48 74 ?? 48 74 ?? 48 74 ?? 48 74 ?? 48 75 ?? 57 8d ?? ?? e8 ?? ?? ?? ?? eb ?? 8b f8 eb ?? 8d ?? ?? 8b ?? eb ?? 8b ?? ?? 3b ?? ?? 74 ?? 8b ?? 3b c1 75 ?? 33 c0 3b c3 74 ?? 8b f0 e8 ?? ?? ?? ?? eb ?? 8d ?? ?? 50 e8 ?? ?? ?? ?? eb ?? e8 ?? ?? ?? ?? ff ?? ?? eb ?? ff ?? ?? 8b cf e8 ?? ?? ?? ?? 3b c3 74 ?? 8b f0 e8 ?? ?? ?? ?? eb ?? 57 8d ?? ?? e8 ?? ?? ?? ?? eb ?? 8d ?? ?? e8 ?? ?? ?? ?? 89 ?? ?? ff ?? ?? 8b ?? ?? 8d ?? ?? 50 ff ?? ?? ?? ?? ?? 39 ?? ?? 74 ?? 53 56 ff ?? ?? ?? ?? ?? 85 c0 0f ?? ?? ?? ?? ?? ff ?? ?? ?? ?? ?? 50 ff ?? ?? ?? ?? ?? 8d ?? ?? 5f 5e 5b c9 c2 08 00} - $hex8 = { 53 56 57 ff ?? ?? ?? ?? ?? 0f b7 c0 33 ff 57 6a 04 8b c8 68 04 e2 41 00 c1 e9 08 c0 e0 04 6a 1a 0a c8 6a ff 88 ?? ?? ?? ?? ?? ff ?? ?? ?? ?? ?? ff ?? ?? ?? ?? ?? 8b ?? ?? ?? ?? ?? 8b d8 6a 3c 53 ff d6 59 59 85 c0 74 ?? e8 ?? ?? ?? ?? 85 c0 75 ?? 57 e8 ?? ?? ?? ?? 68 a4 e0 41 00 ff ?? ?? ?? ?? ?? 57 ff ?? ?? ?? ?? ?? 6a 3e 53 ff d6 59 59 85 c0 74 ?? 6a 01 e8 ?? ?? ?? ?? eb ?? 8b ?? ?? ?? ?? ?? b8 00 20 00 00 66 ?? ?? ?? ?? ?? ?? 75 ?? e8 ?? ?? ?? ?? e8 ?? ?? ?? ?? 68 e8 03 00 00 ff ?? ?? ?? ?? ?? 57 ff ?? ?? ?? ?? ?? 8b ?? ?? ?? 2b c7 74 ?? 48 75 ?? ff ?? ?? ?? ff ?? ?? ?? ?? ?? 33 c0 40 e8 ?? ?? ?? ?? 8b f0 e8 ?? ?? ?? ?? 85 c0 74 ?? e8 ?? ?? ?? ?? 85 c0 75 ?? 57 57 56 68 10 1c 40 00 57 57 ff ?? ?? ?? ?? ?? a3 ?? ?? ?? ?? eb ?? e8 ?? ?? ?? ?? 5f 5e b0 01 5b c2 0c 00} - $hex9 = { 55 8b ec 83 e4 f8 81 ec 94 01 00 00 53 56 57 68 c0 bb 41 00 68 d4 bb 41 00 ff ?? ?? ?? ?? ?? 50 ff ?? ?? ?? ?? ?? 8b d8 85 db 75 ?? 8b ?? ?? ?? ?? ?? 8b ?? ?? ?? ?? ?? 8d ?? ?? ?? 
50 6a 40 6a 07 8d ?? ?? 56 ff d7 85 c0 74 ?? b8 91 1b 40 00 2b c6 83 e8 05 89 ?? ?? 8d ?? ?? ?? 50 ff ?? ?? ?? c6 ?? ?? 6a 07 56 c6 ?? ?? ?? c6 ?? ?? ?? ff d7 8d ?? ?? ?? 50 68 02 02 00 00 ff ?? ?? ?? ?? ?? 6a 0d e8 ?? ?? ?? ?? e8 ?? ?? ?? ?? ff ?? ?? ff ?? ?? ?? ?? ?? e8 ?? ?? ?? ?? 68 90 e0 41 00 6a 01 ff ?? ?? ?? ?? ?? 8d ?? ?? ?? 50 6a 40 6a 02 53 ff d7 85 c0 74 ?? b8 8b ff 00 00 66 ?? ?? 8d ?? ?? ?? 50 ff ?? ?? ?? 6a 02 53 ff d7 5f 5e 33 c0 5b 8b e5 5d c2 04 00} - $hex10 ={ 55 8b ec 83 ec 18 a0 ?? ?? ?? ?? 83 ?? ?? ?? 83 ?? ?? ?? 53 56 0f b6 c0 57 c7 ?? ?? ?? ?? ?? ?? e8 ?? ?? ?? ?? 8b ?? ?? ?? ?? ?? 89 ?? ?? 8b ?? ?? 39 ?? ?? 73 ?? 2b ?? ?? e8 ?? ?? ?? ?? 8b ?? ?? 2b c4 89 ?? ?? 89 ?? ?? 8b ?? ?? 8d ?? ?? 50 ff ?? ?? 53 6a 05 ff ?? ?? ?? ?? ?? 89 ?? ?? 85 c0 0f ?? ?? ?? ?? ?? 33 c0 03 d8 6a 01 8d ?? ?? 57 68 e8 c1 41 00 ff d6 84 c0 75 ?? 6a 01 57 68 08 c2 41 00 ff d6 84 c0 75 ?? 6a 01 57 68 2c c2 41 00 ff d6 84 c0 75 ?? 6a 01 57 68 4c c2 41 00 ff d6 84 c0 75 ?? 6a 01 57 68 6c c2 41 00 ff d6 84 c0 75 ?? 6a 01 57 68 8c c2 41 00 ff d6 84 c0 74 ?? 8d ?? ?? ?? ?? ?? 50 68 00 e0 41 00 6a 01 8d ?? ?? 50 ff ?? ?? ?? ?? ?? 85 c0 7c ?? 6a 00 ff ?? ?? ff ?? ?? ?? ?? ?? ff ?? ?? ff ?? ?? ?? ?? ?? 8b ?? 85 c0 0f ?? ?? ?? ?? ?? 81 ?? ?? ?? ?? ?? ?? 0f ?? ?? ?? ?? ?? 8d ?? ?? 5f 5e 5b c9 c3} - $hex11 ={ 55 8b ec 81 ec ac 00 00 00 53 56 57 6a 20 6a 07 8d ?? ?? 50 68 6c e0 41 00 68 89 00 12 00 8d ?? ?? 50 ff ?? ?? ?? ?? ?? 8b d8 85 db 0f ?? ?? ?? ?? ?? 8b ?? ?? ?? ?? ?? 6a 05 6a 10 8d ?? ?? 50 8d ?? ?? 50 ff ?? ?? ff d6 8b d8 bf 05 00 00 80 3b df 74 ?? 85 db 75 ?? 8b ?? ?? b8 80 00 04 00 23 c8 3b c8 75 ?? 6a 01 6a 18 8d ?? ?? 50 8d ?? ?? 50 ff ?? ?? ff d6 3b c7 74 ?? 85 c0 75 ?? 8d ?? ?? ?? ?? ?? 50 ff ?? ?? ?? ?? ?? 6a 08 8d ?? ?? 50 8d ?? ?? ?? ?? ?? 50 ff ?? ?? ?? ?? ?? 8d ?? ?? ?? ?? ?? 50 ff ?? ?? ?? ?? ?? 6a 10 8d ?? ?? 50 68 14 e2 41 00 e8 ?? ?? ?? ?? 83 c4 0c 33 db eb ?? bb bb 00 00 c0 ff ?? ?? ff ?? ?? ?? ?? ?? 85 db 7d ?? 
81 cb 00 00 01 00 5f 5e 8b c3 5b c9 c3} - condition: - (5 of them) or (any of ($hex*)) or (any of ($s*)) -} - -rule TrojanSirefefZerroAccessANModule -{ - meta: - Description = "Trojan.Sirefef.sm" - ThreatLevel = "5" - - strings: - $ = "%s\\%s\\%08x.@" ascii wide - $ = "%s\\%s\\%s" ascii wide - $ = "InstallFlashPlayer.exe" ascii wide - $ = "get/flashplayer/update/current/install/install_all_win_%s_sgn.z" ascii wide - $ = "download/C/C/0/CC0BD555-33DD-411E-936B-73AC6F95AE11/IE8-WindowsXP-x86-ENU.exe" ascii wide - $ = "\\??\\%08x" ascii wide - $ = "80000032.32" ascii wide - $ = "\\GLOBAL??\\{D1C8BD9B-9DF7-4fb6-A1C3-D96202C79FC0}" ascii wide - $ = "http://%.*s/_ylt=3648C868A1DB;" ascii wide - - - $hex0 = { 56 8b ?? ?? ?? 33 c0 8d ?? ?? 87 ?? 85 c0 74 ?? 6a 00 50 6a 00 ff ?? ?? ?? ?? ?? 85 c0 74 ?? 8d ?? ?? 83 c8 ff f0 ?? ?? ?? 75 ?? 85 f6 74 ?? 8b ?? 8b ?? 6a 01 8b ce ff d0 83 c8 ff 8d ?? ?? 87 ?? 83 f8 ff 74 ?? 50 ff ?? ?? ?? ?? ?? 8b ?? 8b ?? ?? 8b ce ff d0 8d ?? ?? 83 ca ff f0 ?? ?? ?? 75 ?? 85 f6 74 ?? 8b ?? 8b ?? 6a 01 8b ce ff d2 5e c2 08 00} - $hex1 = { 57 8b ?? ?? ?? ?? ?? 68 30 75 00 00 ff d7 a1 ?? ?? ?? ?? 85 c0 74 ?? 56 eb ?? 8d 9b 00 00 00 00 68 30 75 00 00 8b f0 ff d7 a1 ?? ?? ?? ?? 3b f0 75 ?? 5e 6a 00 ff ?? ?? ?? ?? ??} - $hex2 = { 83 ec 5c 56 8d ?? ?? ?? 50 68 ff 01 0f 00 83 ce ff 56 ff ?? ?? ?? ?? ?? 85 c0 0f ?? ?? ?? ?? ?? 8b ?? ?? ?? 57 8d ?? ?? ?? 51 6a 01 6a 00 68 90 61 01 10 68 ff 01 0f 00 52 ff ?? ?? ?? ?? ?? 8b ?? ?? ?? ?? ?? 85 c0 78 ?? 8b ?? ?? ?? 6a 04 8d ?? ?? ?? 50 6a 0c 51 ff ?? ?? ?? ?? ?? 6a 40 8d ?? ?? ?? 6a 00 52 c7 ?? ?? ?? ?? ?? ?? ?? e8 ?? ?? ?? ?? 8b ?? ?? ?? 83 c4 0c 8d ?? ?? ?? 50 8b ?? ?? ?? 8d ?? ?? ?? 51 6a 00 6a 00 6a 00 6a 00 6a 00 6a 00 52 6a 00 50 c7 ?? ?? ?? ?? ?? ?? ?? ff ?? ?? ?? ?? ?? 85 c0 74 ?? 8b ?? ?? ?? 51 ff d7 8b ?? ?? ?? 8b ?? ?? ?? 52 ff d7 8b ?? ?? ?? 50 ff d7 5f 8b c6 5e 83 c4 5c c2 08 00} - $hex3 = { 56 8b f2 e8 ?? ?? ?? ?? 85 c0 74 ?? 83 ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 
75 ?? e8 ?? ?? ?? ?? 6a 00 6a 00 6a 00 68 20 8b 00 10 6a 00 6a 00 ff ?? ?? ?? ?? ?? 50 ff ?? ?? ?? ?? ?? b8 01 00 00 00 5e c3 33 c0 5e c3} - $hex4 = { 53 8b d9 8b ca e8 ?? ?? ?? ?? 85 c0 0f ?? ?? ?? ?? ?? 56 68 20 ca 01 10 ff ?? ?? ?? ?? ?? 8b f0 ff ?? ?? ?? ?? ?? ba f8 34 01 10 8b ce 57 8b ff 66 ?? ?? 66 ?? ?? 75 ?? 66 85 ff 74 ?? 66 ?? ?? ?? 66 ?? ?? ?? 75 ?? 83 c1 04 83 c2 04 66 85 ff 75 ?? 33 c9 eb ?? 1b c9 83 d9 ff 85 c9 75 ?? 68 10 35 01 10 50 ff ?? ?? ?? ?? ?? 83 c4 08 85 c0 74 ?? 68 30 be 00 10 c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ff ?? ?? ?? ?? ?? 8b ?? ?? ?? ?? ?? 6a 00 6a 00 68 b0 04 00 00 68 a0 89 00 10 6a 00 6a 00 ff d6 8b ?? ?? ?? ?? ?? 50 ff d7 e8 ?? ?? ?? ?? 6a 00 6a 00 6a 00 68 20 83 00 10 6a 00 6a 00 ff d6 50 ff d7 5f 5e b8 01 00 00 00 5b c3 e8 ?? ?? ?? ?? 85 c0 74 ?? 68 30 be 00 10 c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ff ?? ?? ?? ?? ?? e8 ?? ?? ?? ?? 8b c3 e8 ?? ?? ?? ?? e8 ?? ?? ?? ?? e8 ?? ?? ?? ?? 6a 00 6a 00 6a 00 68 80 bd 00 10 6a 00 6a 00 ff ?? ?? ?? ?? ?? 50 ff ?? ?? ?? ?? ?? 5f 5e b8 01 00 00 00 5b c3 5f 5e 33 c0 5b c3 83 ?? ?? ?? ?? ?? ?? 74 ?? 8b c3 e8 ?? ?? ?? ?? 
b8 01 00 00 00 5b c3 33 c0 5b c3} - - - condition: - (5 of them) or (any of ($hex*)) -} - -rule TrojanSirefefZerroAccessPlayloadModule -{ - meta: - Description = "Trojan.Sirefef.sm" - ThreatLevel = "5" - - strings: - $ = "U\\80000032.@" ascii wide - $ = "\\\\.\\globalroot\\systemroot\\system32\\mswsock.dll" ascii wide - $ = "\\\\?\\globalroot\\systemroot\\system32\\mswsock.AcceptEx" ascii wide - $ = "\\\\?\\globalroot\\systemroot\\system32\\mswsock.GetAcceptExSockaddrs" ascii wide - $ = "\\\\?\\globalroot\\systemroot\\system32\\mswsock.NSPStartup" ascii wide - $ = "\\\\?\\globalroot\\systemroot\\system32\\mswsock.TransmitFile" ascii wide - $ = "\\\\?\\globalroot\\systemroot\\system32\\mswsock.getnetbyname" ascii wide - $ = "\\\\?\\globalroot\\systemroot\\system32\\mswsock.inet_network" ascii wide - $ = "%sU\\%08x.@" ascii wide - $ = "\\??\\%s@" ascii wide - $ = "\\??\\%sU" ascii wide - $ = "\\registry\\MACHINE\\SYSTEM\\CurrentControlSet\\Services\\WinSock2\\Parameters" ascii wide - $ = "\\KnownDlls\\mswsock.dll" ascii wide - $ = "\\systemroot\\assembly" ascii wide - $ = "GAC_MSIL" ascii wide - $ = "GAC" ascii wide - $ = "????????.@" ascii wide - $ = "%08x.@" ascii wide - $ = "%08x.$" ascii wide - $ = "%08x.~" ascii wide - - $ = "\\systemroot\\assembly\\GAC\\Desktop.ini" ascii wide - - condition: - (5 of them) -} - -rule TrojanSirefefZerroAccessPluginModule -{ - meta: - Description = "Trojan.Sirefef.sm" - ThreatLevel = "5" - - strings: - $hex0 = { 55 8b ec 81 ec 94 01 00 00 56 68 30 40 00 10 68 00 00 10 00 8d ?? ?? 50 ff ?? ?? ?? ?? ?? 8b f0 81 fe 00 00 00 40 75 ?? ff ?? ?? ff ?? ?? ?? ?? ?? 85 f6 8b ?? ?? ?? ?? ?? 7c ?? 8d ?? ?? ?? ?? ?? 50 68 02 02 00 00 ff ?? ?? ?? ?? ?? 85 c0 75 ?? e8 ?? ?? ?? ?? 6a 20 68 60 ea 00 00 b9 80 40 00 10 e8 ?? ?? ?? ?? 69 c0 e8 03 00 00 50 6a 00 68 b7 15 00 10 6a 00 8d ?? ?? 50 ff ?? ?? ?? ?? ?? 85 c0 74 ?? ff ?? ?? ff ?? ?? ?? ?? ?? 6a ff ff ?? ?? 6a 00 ff ?? ?? ?? ?? ?? ff ?? ?? ?? ?? ?? ff ?? ?? ff ?? ?? ?? ?? ?? ff ?? ?? 
ff d6 a1 ?? ?? ?? ?? 85 c0 74 ?? b9 fb 15 00 10 ff ?? ?? e8 ?? ?? ?? ?? 68 28 40 00 10 6a 01 ff ?? ?? ?? ?? ?? ff ?? ?? ?? ?? ?? ff d6} - $hex1 = { 81 ?? ?? ?? ?? ?? 56 57 8b f9 75 ?? b9 fb 15 00 10 89 ?? ?? ?? ?? ?? ff ?? ?? 8b ?? ?? ?? ?? ?? 68 08 32 00 10 57 ff d6 59 59 50 b9 80 40 00 10 e8 ?? ?? ?? ?? 68 f0 31 00 10 57 ff d6 59 59 33 c9 8b d0 41 e8 ?? ?? ?? ?? 33 c0 50 50 50 68 85 16 00 10 50 50 ff ?? ?? ?? ?? ?? a3 ?? ?? ?? ?? 33 c0 5f 40 5e c3} - $hex2 = { 55 8b ec 81 ec 90 00 00 00 53 56 57 6a 40 5e 8b d9 6a 04 8b c6 66 ?? ?? ?? 58 33 ff 57 66 ?? ?? ?? 57 8d ?? ?? 50 ff ?? ?? c7 ?? ?? ?? ?? ?? ?? c6 ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? c6 ?? ?? ?? ff ?? ?? ?? ?? ?? 84 c0 0f ?? ?? ?? ?? ?? 6a 20 8d ?? ?? 6a 07 89 ?? ?? 8d ?? ?? 50 8d ?? ?? 50 89 ?? ?? 68 98 00 10 00 8d ?? ?? 56 c7 ?? ?? ?? ?? ?? ?? 89 ?? ?? 89 ?? ?? 89 ?? ?? ff ?? ?? ?? ?? ?? 85 c0 7c ?? 57 57 6a 18 68 0c 40 00 10 57 6a 60 8d ?? ?? ?? ?? ?? 50 8d ?? ?? 50 ff ?? e8 ?? ?? ?? ?? 85 c0 7c ?? 8d ?? ?? ?? ?? ?? 33 c9 03 c1 80 ?? ?? ?? 75 ?? 8b ?? ?? 81 f9 30 30 31 00 74 ?? 81 f9 30 30 32 00 75 ?? 66 ?? ?? ?? ?? 75 ?? 8b ?? ?? 89 ?? ?? eb ?? 66 ?? ?? ?? ?? 75 ?? 6a 10 8d ?? ?? 8d ?? ?? 59 f3 ?? 33 ff 8b ?? 3b cf 75 ?? 8d ?? ?? 50 ff ?? ?? ?? ?? ?? 66 ?? ?? ?? 75 ?? e8 ?? ?? ?? ?? 33 d2 b9 80 51 01 00 f7 f1 6a 4c 53 66 ?? ?? ?? 8d ?? ?? 50 ff ?? ?? e8 ?? ?? ?? ?? 39 ?? ?? 75 ?? c7 ?? ?? ?? ?? ?? ?? e8 ?? ?? ?? ?? 57 8b cb 89 ?? ?? e8 ?? ?? ?? ?? 5f 5e 5b c9 c2 04 00} - - $hex3 = { 55 8b ec 83 ec 74 53 56 57 be 30 00 fe 7f 56 ff ?? ?? ?? ?? ?? 59 8d ?? ?? ?? e8 ?? ?? ?? ?? 89 ?? ?? 68 94 60 00 10 56 ff ?? ?? ff ?? ?? ?? ?? ?? 59 59 50 ff ?? ?? ?? ?? ?? 59 59 33 db 53 53 ff ?? ?? ?? ?? ?? 8b f0 3b f3 0f ?? ?? ?? ?? ?? 6a 70 8d ?? ?? 53 50 e8 ?? ?? ?? ?? 83 c4 0c 6a 70 8d ?? ?? 50 33 ff 6a 09 47 56 c7 ?? ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? 89 ?? ?? c7 ?? ?? ?? ?? ?? ?? ff ?? ?? ?? ?? ?? 85 c0 74 ?? ff ?? ?? ?? ?? ?? 85 c0 74 ?? 9c 81 ?? ?? ?? ?? ?? ?? 9d 90 68 08 70 00 10 57 8b ?? ?? ?? ?? ?? ff d7 85 c0 75 ?? 
38 ?? ?? ?? ?? ?? 75 ?? ff ?? ?? ff ?? ?? 56 e8 ?? ?? ?? ?? 38 ?? ?? ?? ?? ?? 75 ?? 68 00 70 00 10 6a 01 ff d7 85 c0 74 ?? 56 ff ?? ?? ?? ?? ?? 33 c0 8d ?? ?? 5f 5e 5b c9 c2 04 00} - $hex4 = { 55 8b ec 51 53 56 57 68 24 70 00 10 68 00 00 10 00 8d ?? ?? 50 ff ?? ?? ?? ?? ?? 8b f8 81 ff 00 00 00 40 75 ?? ff ?? ?? ff ?? ?? ?? ?? ?? 33 f6 3b fe 7c ?? 56 56 ff ?? ?? 68 88 13 00 10 56 56 ff ?? ?? ?? ?? ?? 8b ?? ?? ?? ?? ?? 8b f8 3b fe 74 ?? ff ?? ?? ff ?? ?? ?? ?? ?? 57 c6 ?? ?? ?? ?? ?? ?? ff ?? ?? ?? ?? ?? 56 56 57 ff ?? ?? ?? ?? ?? 57 ff d3 ff ?? ?? ff ?? ?? ?? ?? ?? ff ?? ?? ff d3 ff ?? ?? ff ?? ?? ?? ?? ??} - $hex5 = { 53 56 57 8b d9 ff ?? ?? ?? ?? ?? 85 c0 74 ?? 9c 81 ?? ?? ?? ?? ?? ?? 9d 90 53 ff ?? ?? ?? ?? ?? 59 6a 02 5a 8d ?? ?? ?? 33 c9 f7 e2 0f 90 c1 33 ff f7 d9 0b c1 50 57 ff ?? ?? ?? ?? ?? 8b f0 3b f7 74 ?? 53 68 50 61 00 10 56 ff ?? ?? ?? ?? ?? 83 c4 0c 57 57 56 68 77 14 00 10 57 57 ff ?? ?? ?? ?? ?? 3b c7 74 ?? 50 ff ?? ?? ?? ?? ?? 33 c0 40 eb ?? 56 ff ?? ?? ?? ?? ?? 33 c0 5f 5e 5b c3} - - condition: - any of ($hex*) -} - -rule TrojanSirefefZerroAccessPluginModuleZooCliccer -{ - meta: - Description = "Trojan.ZooClicker.sm" - ThreatLevel = "5" - - strings: - $ = "%s\\00000001.@" ascii wide - $ = "z00clicker3" ascii wide - $ = "z00clicker" ascii wide - - condition: - any of them -} - -rule TrojanSirefefZerroAccess2016 -{ - meta: - Description = "Trojan.Sirefef.E.sm" - ThreatLevel = "5" - - strings: - - $ = "GoogleUpdate.exe" ascii wide - $ = "%08x.@" ascii wide - $ = "%08x.$" ascii wide - $ = "%08x.~" ascii wide - - $s1 = "\\Google\\Desktop\\Install\\{%08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x}\\#." 
ascii wide - $s2 = "\\BaseNamedObjects\\Restricted\\{12E9D947-EDF5-4191-AADB-F51815F004D8}" ascii wide - $s3 = "\\BaseNamedObjects\\Restricted\\{889E2280-F15E-4330-A3F4-D4EEF899AAF6}" ascii wide - $s4 = "\\BaseNamedObjects\\Restricted\\{1FD06E7A-B215-4ae2-B209-AC869A3DF0B7}" ascii wide - $s5 = "\\BaseNamedObjects\\Restricted\\{A3D35150-6823-4462-8C6E-7417FF841D7A}" ascii wide - $s6 = "80000000.@" ascii wide - $s7 = "=cccctp=ddddt:=rrrrt<=sssst" ascii wide - $s8 = "=ccccta=ddddt+=rrrrt-=sssst" ascii wide - - condition: - (3 of them) or (any of ($s*)) -}rule TrojanUpatreSample -{ - meta: - Description = "Trojan.Upatre.vb" - ThreatLevel = "5" - - strings: - $hex_string = { 52 ba 6c 6c 00 00 52 ba 73 66 2e 64 52 ba 32 5c 71 61 52 ba 74 65 6d 33 52 ba 5c 73 79 73 52} - - condition: - $hex_string -}rule TrojanVirtoolObfuscator -{ - meta: - Description = "Trojan.Obfuscator.rc" - ThreatLevel = "5" - - strings: - $ = "1346243623461" ascii wide - $ = "3nterface" ascii wide - condition: - all of them -}rule TrojanPSWTepferSample -{ - meta: - Description = "Trojan.Tepfer.sm" - ThreatLevel = "5" - - strings: - $ = "Software\\BPFTP" ascii wide - $ = "\\BulletProof Software\\BulletProof FTP Client" ascii wide - $ = "Software\\BPFTP\\Bullet Proof FTP" ascii wide - $ = "Software\\NCH Software\\ClassicFTP\\FTPAccounts" ascii wide - $ = "\\GlobalSCAPE\\CuteFTP" ascii wide - $ = "\\GlobalSCAPE\\CuteFTP Pro" ascii wide - $ = "\\GlobalSCAPE\\CuteFTP Lite" ascii wide - $ = "\\CuteFTP" ascii wide - $ = "\\GPSoftware\\Directory Opus\\ConfigFiles\\ftp.oxc" ascii wide - $ = "SOFTWARE\\Far\\Plugins\\FTP\\Hosts" ascii wide - $ = "SOFTWARE\\Far2\\Plugins\\FTP\\Hosts" ascii wide - $ = "Software\\Far\\Plugins\\FTP\\Hosts" ascii wide - $ = "Software\\Far2\\Plugins\\FTP\\Hosts" ascii wide - $ = "Software\\Far\\SavedDialogHistory\\FTPHost" ascii wide - $ = "Software\\Far2\\SavedDialogHistory\\FTPHost" ascii wide - $ = "Software\\Ghisler\\Windows Commander" ascii wide - $ = "Software\\Ghisler\\Total 
Commander" ascii wide - $ = "Software\\Sota\\FFFTP" ascii wide - $ = "Software\\FileZilla" ascii wide - $ = "FileZilla3" ascii wide - $ = "FlashFXP" ascii wide - $ = "FTP Commander Pro" ascii wide - $ = "FTP Navigator" ascii wide - $ = "FTP Commander" ascii wide - $ = "FTP Commander Deluxe" ascii wide - $ = "Software\\FTP Explorer\\Profiles" ascii wide - $ = "\\FTP Explorer\\profiles.xml" ascii wide - $ = "Windows/Total Commander" ascii wide - $ = "FTP Commander" ascii wide - $ = "BulletProof FTP Client" ascii wide - $ = "TurboFTP" ascii wide - $ = "SoftX FTP Client" ascii wide - $ = "LeapFTP" ascii wide - $ = "WinSCP" ascii wide - $ = "32bit FTP" ascii wide - $ = "FTP Control" ascii wide - $ = "SecureFX" ascii wide - $ = "BitKinex" ascii wide - $ = "CuteFTP" ascii wide - $ = "WS_FTP" ascii wide - $ = "FFFTP" ascii wide - $ = "Core FTP" ascii wide - $ = "WebDrive" ascii wide - $ = "Classic FTP" ascii wide - $ = "Fling" ascii wide - $ = "NetDrive" ascii wide - $ = "FileZilla" ascii wide - $ = "FTP Explorer" ascii wide - $ = "SmartFTP" ascii wide - $ = "FTPRush" ascii wide - $ = "UltraFXP" ascii wide - $ = "Frigate3 FTP" ascii wide - $ = "BlazeFtp" ascii wide - $ = "Software\\LeechFTP" ascii wide - $ = "SiteInfo.QFP" ascii wide - $ = "WinFTP" ascii wide - $ = "FreshFTP" ascii wide - $ = "BlazeFtp" ascii wide - condition: - 9 of them -}rule TrojanZeusZbotSampleA -{ - meta: - Description = "Trojan.ZBot.sm" - ThreatLevel = "5" - - strings: - $ = "-m" ascii wide - $ = "-m%p" ascii wide - $ = ":d\\r\\ndel" ascii wide - $ = "@echo off\\r\\n%s\\r\\ndel /F" ascii wide - $hex0 = { 83 EC 0C 53 55 33 DB 56 8B C2 33 ED 57 89 44 24 18 89 4C 24 10 39 5C 24 20 0F 8E ?? ?? ?? ?? 8B 04 A8 83 3C C5 } - $hex1 = { E8 ?? ?? ?? ?? 83 C4 04 C7 45 FC 00 00 00 00 EB 09 8B 4D FC 83 C1 01 89 4D FC 8B 55 FC 3B 15 ?? ?? ?? ?? 0F 83 ?? ?? ?? ?? C7 45 F4 ?? ?? ?? ?? C7 45 F4 ?? ?? ?? ?? C7 45 F4 ?? ?? ?? ?? C7 45 F4 ?? ?? ?? ?? C7 45 F4 ?? ?? ?? ?? C7 45 F4 ?? ?? ?? ?? C7 45 F4 ?? ?? ?? ?? 
C7 45 F4 ?? ?? ?? ?? C7 45 F4 ?? ?? ?? ?? 8B 45 08 83 C0 08 A3 ?? ?? ?? ?? 8B 4D FC 51 8B 15 ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? } - $hex2 = { 6A 02 6A 00 FF 15 ?? ?? ?? ?? 8B F0 85 F6 74 08 56 E8 ?? ?? ?? ?? EB 02 8A C3 84 C0 74 28 F6 44 24 36 08 75 0A E8 ?? ?? ?? ?? 83 4C 24 36 08 F6 44 24 36 40 75 0A E8 ?? ?? ?? ?? 83 4C 24 36 40 56 E8 ?? ?? ?? ?? 8D 44 24 08 50 E8 ?? ?? ?? ?? 8A C3 EB 02 32 C0 5E 5B 8B E5 5D C3 } - $hex3 = { 55 8b ec 81 ec 70 03 00 00 8d ?? ?? ?? ?? ?? 50 ff ?? ?? ff ?? ?? ?? ?? ?? 8d ?? ?? ?? ?? ?? 50 50 68 28 59 40 00 8d ?? ?? ?? ?? ?? 68 6c 02 00 00 50 e8 ?? ?? ?? ?? 83 c4 14 85 c0 7e ?? 8d ?? ?? ?? ?? ?? 50 e8 ?? ?? ?? ?? 84 c0 74 ?? b0 01 eb ?? 32 c0 c9 c2 04 00} - $hex4 = { 55 8b ec 83 e4 f8 81 ec 4c 02 00 00 53 8b ?? ?? ?? ?? ?? 56 57 33 ff c6 ?? ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 57 6a 02 e8 ?? ?? ?? ?? 89 ?? ?? ?? 89 ?? ?? ?? 83 f8 ff 0f ?? ?? ?? ?? ?? 8d ?? ?? ?? 50 ff ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? e8 ?? ?? ?? ?? e9 ?? ?? ?? ?? 8b ?? ?? ?? 3b cf 0f ?? ?? ?? ?? ?? 3b ?? ?? ?? ?? ?? 0f ?? ?? ?? ?? ?? 33 c0 39 ?? ?? ?? 76 ?? 8b ?? ?? ?? 39 ?? ?? 0f ?? ?? ?? ?? ?? 40 3b ?? ?? ?? 72 ?? 51 e8 ?? ?? ?? ?? 89 ?? ?? ?? 3b c7 0f ?? ?? ?? ?? ?? ff ?? ?? ?? 57 68 00 04 00 00 ff ?? ?? ?? ?? ?? 8b f0 3b f7 0f ?? ?? ?? ?? ?? 8d ?? ?? ?? 50 56 e8 ?? ?? ?? ?? 56 8b f8 ff d3 85 ff 74 ?? 8b ?? ?? ?? 3b ?? ?? ?? ?? ?? 75 ?? ff ?? ff ?? ?? ?? ?? ?? 3b ?? ?? ?? ?? ?? 75 ?? 8b ?? 50 a1 ?? ?? ?? ?? 8b ?? e8 ?? ?? ?? ?? 85 c0 75 ?? 8b ?? ?? ?? 8d ?? ?? ?? ?? ?? ?? 50 8d ?? ?? ?? e8 ?? ?? ?? ?? 84 c0 74 ?? 8b ?? ?? ?? 8b ?? ?? ?? 8b ?? ?? ?? ff ?? ?? ?? ff ?? ?? ?? ff ?? ?? ?? 89 ?? ?? ff ?? ?? ?? e8 ?? ?? ?? ?? 84 c0 74 ?? c6 ?? ?? ?? ?? 57 e8 ?? ?? ?? ?? 33 ff ff ?? ?? ?? ff d3 8d ?? ?? ?? 50 ff ?? ?? ?? e8 ?? ?? ?? ?? 85 c0 0f ?? ?? ?? ?? ?? ff ?? ?? ?? ff d3 39 ?? ?? ?? 0f ?? ?? ?? ?? ?? ff ?? ?? ?? e8 ?? ?? ?? ?? 8a ?? ?? ?? 
5f 5e 5b 8b e5 5d c3} - - - condition: - (3 of them) or (any of ($hex*)) -} -rule TrojanSpyWin32UrsnifASample -{ - meta: - Description = "Trojan.Ursnif.sm" - ThreatLevel = "5" - - strings: - $ = "CreateProcessNotify" ascii wide - $ = "rundll32" ascii wide - $ = "Software\\Microsoft\\Windows\\CurrentVersion\\Run" ascii wide - $ = "System\\CurrentControlSet\\Control\\Session Manager\\AppCertDlls" ascii wide - $ = "iexplore.exe" ascii wide - $ = "firefox.exe" ascii wide - $ = "Software\\AppDataLow\\Software\\Microsoft\\Internet Explorer\\Security\\AntiPhishing" ascii wide - $ = "/UPD" ascii wide - $ = "/sd %lu" ascii wide - $ = "%lu.bat" ascii wide - $ = "attrib -r -s -h %%1" ascii wide - $ = "S:(ML;;NW;;;LW)" ascii wide - $ = "D:(D;OICI;GA;;;BG)(D;OICI;GA;;;AN)(A;OICI;GA;;;AU)(A;OICI;GA;;;BA)" ascii wide - $ = "%lu.exe" ascii wide - $ = "mashevserv.com" ascii wide - $ = "ericpotic.com" ascii wide - $ = "version=%u&user=%x%x%x%x&server=%u&id=%u&crc=%x&aid=%u" ascii wide - $ = "CHROME.DLL" ascii wide - $ = "chrome.exe" ascii wide - $ = "opera.exe" ascii wide - $ = "safari.exe" ascii wide - $ = "explorer.exe" ascii wide - - condition: - 6 of them -}rule ChirBSample -{ - meta: - Description = "Virus.Chir.B.vb" - ThreatLevel = "5" - - strings: - $ = "runouce.exe" ascii wide - $ = "imissyou@btamail.net.cn" ascii wide - $ = "ChineseHacker-2" ascii wide - - condition: - all of them -}rule FileVirusWin32MaganASample -{ - meta: - Description = "Virus.Madang.sm" - ThreatLevel = "5" - - strings: - $hex_string = { 60 78 ?? 79 ?? ?? e8 ?? ?? ?? ?? 8b ?? ?? ?? e8 ?? ?? ?? ?? 61 78 ?? 79 ?? ?? 68 ?? ?? ?? ?? 
C3 } - - condition: - any of them -}rule WormWin32CridexSamlpeE -{ - meta: - Description = "Worm.Cridex.sm" - ThreatLevel = "5" - - strings: - $ = "Software\\Microsoft\\Windows NT\\C%08X" ascii wide - $ = "<server><![CDATA[%%u.%%u.%%u.%%u:%%u]]>" ascii wide - $ = "KB%08d.exe" ascii wide - $ = "Local\\XME%08X" ascii wide - $ = "Local\\XMM%08X" ascii wide - $ = "Local\\XMI%08X" ascii wide - $ = "Local\\XMS%08X" ascii wide - $ = "Local\\XMF%08X" ascii wide - $ = "Local\\XMR%08X" ascii wide - $ = "Local\\XMQ%08X" ascii wide - $ = "Local\\XMB%08X" ascii wide - condition: - 2 of them -}rule WormWin32DorkbotSamlpeA -{ - meta: - Description = "Worm.Dorkbot.sm" - ThreatLevel = "5" - - strings: - $ = "from removing our bot file!" ascii wide - $ = "from moving our bot file" ascii wide - $ = "Message hijacked!" ascii wide - $ = "popgrab" ascii wide - $ = "ftpgrab" ascii wide - $ = "s.Blocked possible browser exploit pack call on URL" ascii wide - $ = "webroot." ascii wide - $ = "fortinet." ascii wide - $ = "virusbuster.nprotect." ascii wide - $ = "gdatasoftware." ascii wide - $ = "virus." ascii wide - $ = "precisesecurity." ascii wide - $ = "lavasoft." ascii wide - $ = "heck.tc" ascii wide - $ = "emsisoft." ascii wide - $ = "onlinemalwarescanner." ascii wide - $ = "onecare.live." ascii wide - $ = "f-secure." ascii wide - $ = "bullguard." ascii wide - $ = "clamav." ascii wide - $ = "pandasecurity." ascii wide - $ = "sophos." ascii wide - $ = "malwarebytes." ascii wide - $ = "sunbeltsoftware." ascii wide - $ = "norton." ascii wide - $ = "norman." ascii wide - $ = "mcafee." ascii wide - $ = "symantec" ascii wide - $ = "comodo." ascii wide - $ = "avast." ascii wide - $ = "avira." ascii wide - $ = "avg." ascii wide - $ = "bitdefender." ascii wide - $ = "eset." ascii wide - $ = "kaspersky." ascii wide - $ = "trendmicro." ascii wide - $ = "iseclab." ascii wide - $ = "virscan." ascii wide - $ = "garyshood." ascii wide - $ = "viruschief." ascii wide - $ = "jotti." 
ascii wide - $ = "threatexpert." ascii wide - $ = "novirusthanks." ascii wide - $ = "virustotal." ascii wide - $ = "you stupid cracker" ascii wide - $ = "ngrBot Error" ascii wide - $ = "Slowloris]: Finished flood on" ascii wide - $ = "UDP]: Finished flood on" ascii wide - $ = "SYN]: Finished flood on" ascii wide - $ = "USB]: Infected %s" ascii wide - $ = "MSN]: Updated MSN spread message to" ascii wide - $ = "MSN]: Updated MSN spread interval to" ascii wide - $ = "HTTP]: Updated HTTP spread message to" ascii wide - $ = "HTTP]: Injected value is now %s." ascii wide - $ = "HTTP]: Updated HTTP spread interval to" ascii wide - $ = "Visit]: Visited" ascii wide - $ = "DNS]: Blocked" ascii wide - $ = "RSOCK4]: Started rsock4" ascii wide - $ = "Visit]: Error visitng" ascii wide - $ = "FTP Login]: %s" ascii wide - $ = "POP3 Login]: %s" ascii wide - $ = "FTP Infect]: %s was iframed" ascii wide - $ = "HTTP Login]: %s" ascii wide - $ = "HTTP Traffic]: %s" ascii wide - $ = "Ruskill]: Detected File:" ascii wide - $ = "Ruskill]: Detected DNS:" ascii wide - $ = "Ruskill]: Detected Reg:" ascii wide - $ = "PDef+]: %s" ascii wide - $ = "DNS]: Blocked DNS" ascii wide - $ = "MSN]: %s" ascii wide - $ = "HTTP]: %s" ascii wide - condition: - 8 of them -} - -rule WormWin32DorkbotSamlpeB -{ - meta: - Description = "Worm.Dorkbot.sm" - ThreatLevel = "5" - - strings: - $ = "http://ht.ly/jZH8A?yd=" ascii wide - $ = "DecriptedFiles" ascii wide - $ = "Infected Drive: %s" ascii wide - $a = "snkb00pt" ascii wide - - condition: - (3 of them) or $a -}rule WormWin32PhorpiexSampleM -{ - meta: - Description = "Worm.Phorpiex.sm" - ThreatLevel = "5" - - strings: - $ = "paltalk.exe" ascii wide - $ = "Xfire.exe" ascii wide - $ = "googletalk.exe" ascii wide - $ = "Skype.exe" ascii wide - $ = "http://goo.gl" ascii wide - - $ = "qemu" ascii wide - $ = "virtual" ascii wide - $ = "vmware" ascii wide - $ = "%s\\winsvcon.txt" ascii wide - $ = "%s\\rmrf%i%i%i%i.bat" ascii wide - $ = "%s%s.txt" ascii wide - $ = 
"%s%s.zip" ascii wide - $ = "IMG%s-JPG.scr" ascii wide - $ = "Microsoft Windows Manager" ascii wide - $ = "winbtc.exe" ascii wide - $ = "winmgr.exe" ascii wide - $ = "winraz.exe" ascii wide - $ = "winsam.exe" ascii wide - $ = "winsvc.exe" ascii wide - $ = "winsvn.exe" ascii wide - $ = ".exe" ascii wide - $ = ".bat" ascii wide - $ = ".vbs" ascii wide - $ = ".pif" ascii wide - $ = ".cmd" ascii wide - $ = "%s\\autorun.inf" ascii wide - - $ = "ti piace la foto?" ascii wide - $ = "hai visto questa foto?" ascii wide - $ = "la foto e grandiosa!" ascii wide - $ = "ti ricordi la Foto?" ascii wide - $ = "conosci la persona in questa foto?" ascii wide - $ = "chi e in questa foto?" ascii wide - $ = "nu imi mai voi face niciodat poze!! toate ies urate ca asta." ascii wide - $ = "spune-mi ce crezi despre poza asta." ascii wide - $ = "asta e ce-a mai funny poza! tu ce zici?" ascii wide - $ = "zimi ce crezi despre poza asta?" ascii wide - $ = "pogled na ovu sliku" ascii wide - $ = "bu resmi bakmak" ascii wide - $ = "pozri sa na tento obr" ascii wide - $ = "pogled na to sliko" ascii wide - $ = "vaata seda pilti" ascii wide - $ = "spojrzec na to zdjecie" ascii wide - $ = "Ieskatieties " ascii wide - $ = "kyk na hierdie foto" ascii wide - $ = "tell me what you think of this picture i edited" ascii wide - $ = "this is the funniest photo ever!" ascii wide - $ = "tell me what you think of this photo" ascii wide - $ = "i don't think i will ever sleep again after seeing this photo" ascii wide - $ = "i cant believe i still have this picture" ascii wide - $ = "should i make this my default picture?" ascii wide - $ = "ken je dat foto nog?" ascii wide - $ = "kijk wat voor een foto ik heb gevonden" ascii wide - $ = "ik hoop dat jij het net bent op dit foto" ascii wide - $ = "ben jij dat op dit foto?" ascii wide - $ = "dit foto zal je echt eens bekijken!" ascii wide - $ = "ken je dit foto al?" ascii wide - $ = "olhar para esta foto" ascii wide - $ = "devrais-je mettre cette photo de profile?" 
ascii wide - $ = "c'est la photo la plus marrante!" ascii wide - $ = "dis moi ce que tu pense de cette photo de moi?" ascii wide - $ = "mes parents vont me tu" ascii wide - $ = "creo que no voy a poder dormir m" ascii wide - $ = "esta foto es gracios" ascii wide - $ = "mis padres me van a matar si ven esta foto mia, que decis?" ascii wide - $ = "mira como saliste en esta foto jajaja" ascii wide - $ = "wie findest du das foto?" ascii wide - $ = "hab ich dir das foto schon gezeigt?" ascii wide - $ = "schau mal welches foto ich gefunden hab" ascii wide - $ = "bist du das auf dem foto?" ascii wide - $ = "kennst du das foto schon?" ascii wide - $ = "I cant believe I still have this picture" ascii wide - $ = "I love your picture!" ascii wide - $ = "Is this you??" ascii wide - $ = "Picture of you???" ascii wide - $ = "Should I upload this picture on facebook?" ascii wide - $ = "Someone showed me your picture" ascii wide - $ = "Someone told me it's your picture" ascii wide - $ = "Take a look at my new picture please" ascii wide - $ = "Tell me what you think of this picture" ascii wide - $ = "This is the funniest picture ever!" ascii wide - $ = "What do you think of my new hair" ascii wide - $ = "What you think of my new hair color?" ascii wide - $ = "What you think of this picture?" ascii wide - $ = "You look so beautiful on this picture" ascii wide - $ = "You should take a look at this picture" ascii wide - $ = "Your photo isn't really that great" ascii wide - - condition: - 5 of them -}rule WormWin32SillyP2PSampleH -{ - meta: - Description = "Worm.Silly.sm" - ThreatLevel = "5" - - strings: - $ = "95BC789A" ascii wide - $ = "svchosts.exe" ascii wide - $ = "Failed to start dl thread." ascii wide - $ = "wo8T#$>X&D" ascii wide - - $hex0 = { 55 8b ec 81 ec 8c 06 00 00 56 57 83 ?? ?? ?? ?? ?? ?? 8b ?? ?? b9 a5 00 00 00 8d ?? ?? ?? ?? ?? f3 ?? 68 04 01 00 00 8d ?? ?? ?? ?? ?? 50 68 68 42 40 00 ff ?? ?? ?? ?? ?? 8d ?? ?? ?? ?? ?? 50 6a 00 68 60 42 40 00 8d ?? ?? ?? ?? ?? 
50 ff ?? ?? ?? ?? ?? 68 58 42 40 00 8d ?? ?? ?? ?? ?? 50 e8 ?? ?? ?? ?? 59 59 83 ?? ?? ?? ?? ?? ?? 74 ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? eb ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ff ?? ?? ?? ?? ?? 8d ?? ?? ?? ?? ?? 50 68 38 42 40 00 68 ff 01 00 00 8d ?? ?? ?? ?? ?? 50 e8 ?? ?? ?? ?? 83 c4 14 8d ?? ?? ?? ?? ?? 50 8d ?? ?? ?? ?? ?? 50 6a 06 ff ?? ?? e8 ?? ?? ?? ?? 83 c4 10 68 00 02 00 00 6a 00 8d ?? ?? ?? ?? ?? 50 e8 ?? ?? ?? ?? 83 c4 0c 8d ?? ?? ?? ?? ?? 50 ff ?? ?? ?? ?? ?? 8d ?? ?? ?? ?? ?? 50 e8 ?? ?? ?? ?? 83 c4 0c 89 ?? ?? ?? ?? ?? 8b ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 74 ?? 83 ?? ?? ?? ?? ?? ?? 74 ?? 83 ?? ?? ?? ?? ?? ?? 74 ?? eb ?? 68 64 41 40 00 68 28 42 40 00 68 ff 01 00 00 8d ?? ?? ?? ?? ?? 50 e8 ?? ?? ?? ?? 83 c4 10 eb ?? 8d ?? ?? ?? ?? ?? 50 68 0c 42 40 00 68 ff 01 00 00 8d ?? ?? ?? ?? ?? 50 e8 ?? ?? ?? ?? 83 c4 10 eb ?? 68 f0 41 40 00 68 ff 01 00 00 8d ?? ?? ?? ?? ?? 50 e8 ?? ?? ?? ?? 83 c4 0c eb ?? 68 c4 41 40 00 68 ff 01 00 00 8d ?? ?? ?? ?? ?? 50 e8 ?? ?? ?? ?? 83 c4 0c 8d ?? ?? ?? ?? ?? 50 8d ?? ?? ?? ?? ?? 50 6a 06 ff ?? ?? e8 ?? ?? ?? ?? 83 c4 10 68 00 02 00 00 6a 00 8d ?? ?? ?? ?? ?? 50 e8 ?? ?? ?? ?? 83 c4 0c 83 ?? ?? ?? ?? ?? ?? 75 ?? ff ?? ?? ?? ?? ?? 6a 00 ff ?? ?? ?? ?? ?? ff ?? ?? e8 ?? ?? ?? ?? 59 6a 00 ff ?? ?? ?? ?? ??} - $hex1 = { 55 8b ec 81 ec 14 03 00 00 57 80 ?? ?? ?? ?? ?? ?? 6a 40 59 33 c0 8d ?? ?? ?? ?? ?? f3 ?? 66 ?? aa 80 ?? ?? ?? ?? ?? ?? 6a 40 59 33 c0 8d ?? ?? ?? ?? ?? f3 ?? 66 ?? aa 6a 03 8d ?? ?? ?? ?? ?? 50 6a 00 ff ?? ?? ?? ?? ?? 50 ff ?? ?? ?? ?? ?? 80 ?? ?? ?? ?? ?? ?? 8d ?? ?? ?? ?? ?? 50 ff ?? ?? ?? ?? ?? 83 f8 02 75 ?? 6a 05 6a 00 8d ?? ?? ?? ?? ?? 50 68 48 41 40 00 68 40 41 40 00 6a 00 ff ?? ?? ?? ?? ?? 68 54 40 40 00 e8 ?? ?? ?? ?? 59 50 68 54 40 40 00 e8 ?? ?? ?? ?? 59 59 68 90 01 00 00 ff ?? ?? ?? ?? ?? 68 6c 40 40 00 6a 00 6a 00 ff ?? ?? ?? ?? ?? a3 ?? ?? ?? ?? ff ?? ?? ?? ?? ?? 3d b7 00 00 00 75 ?? 6a 00 ff ?? ?? ?? ?? ?? ff ?? ?? ?? ?? ?? 89 ?? ?? 68 34 41 40 00 ff ?? ?? e8 ?? ?? ?? ?? 
59 59 85 c0 74 ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? e8 ?? ?? ?? ?? a0 ?? ?? ?? ?? 88 ?? ?? 8d ?? ?? 50 e8 ?? ?? ?? ??} - $hex2 = { 55 8b ec 81 ec 10 03 00 00 83 ?? ?? ?? ?? ?? ?? 68 04 01 00 00 8d ?? ?? ?? ?? ?? 50 6a 00 ff ?? ?? ?? ?? ?? 50 ff ?? ?? ?? ?? ?? 68 04 01 00 00 8d ?? ?? ?? ?? ?? 50 68 78 40 40 00 ff ?? ?? ?? ?? ?? 68 84 40 40 00 8d ?? ?? ?? ?? ?? 50 68 74 42 40 00 8d ?? ?? ?? ?? ?? 50 e8 ?? ?? ?? ?? 83 c4 10 68 84 40 40 00 8d ?? ?? ?? ?? ?? 50 e8 ?? ?? ?? ?? 59 59 85 c0 0f ?? ?? ?? ?? ?? 6a 00 8d ?? ?? ?? ?? ?? 50 6a 00 68 3f 00 0f 00 6a 00 6a 00 6a 00 68 c0 42 40 00 68 01 00 00 80 ff ?? ?? ?? ?? ?? 8d ?? ?? ?? ?? ?? 50 e8 ?? ?? ?? ?? 59 50 8d ?? ?? ?? ?? ?? 50 6a 01 6a 00 68 94 40 40 00 ff ?? ?? ?? ?? ?? ff ?? ?? ?? ?? ?? ff ?? ?? ?? ?? ?? ff ?? ?? ?? ?? ?? 6a 00 8d ?? ?? ?? ?? ?? 50 6a 00 68 3f 00 0f 00 6a 00 6a 00 6a 00 68 c0 42 40 00 68 02 00 00 80 ff ?? ?? ?? ?? ?? 8d ?? ?? ?? ?? ?? 50 e8 ?? ?? ?? ?? 59 50 8d ?? ?? ?? ?? ?? 50 6a 01 6a 00 68 94 40 40 00 ff ?? ?? ?? ?? ?? ff ?? ?? ?? ?? ?? ff ?? ?? ?? ?? ?? ff ?? ?? ?? ?? ?? 6a 00 8d ?? ?? ?? ?? ?? 50 6a 00 68 3f 00 0f 00 6a 00 6a 00 6a 00 68 7c 42 40 00 68 02 00 00 80 ff ?? ?? ?? ?? ?? 8d ?? ?? ?? ?? ?? 50 e8 ?? ?? ?? ?? 59 50 8d ?? ?? ?? ?? ?? 50 6a 01 6a 00 68 94 40 40 00 ff ?? ?? ?? ?? ?? ff ?? ?? ?? ?? ?? ff ?? ?? ?? ?? ?? ff ?? ?? ?? ?? ?? 68 34 41 40 00 8d ?? ?? ?? ?? ?? 50 e8 ?? ?? ?? ?? 59 59 0f b6 c0 85 c0 74 ?? 68 c8 00 00 00 ff ?? ?? ?? ?? ?? ff ?? ?? ?? ?? ?? 6a 00 ff ?? ?? ?? ?? ?? 6a 00 ff ?? ?? ?? ?? ?? c9 c3} - - condition: - (3 of them) or (any of ($hex*)) -}rule WormSkypeMsgSpamerSample -{ - meta: - Description = "Worm.SkypeSpamer.sm" - ThreatLevel = "5" - - strings: - $code = { 6A FF 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 81 EC ?? ?? ?? ?? 53 55 56 57 33 DB 68 ?? ?? ?? ?? 88 5C 24 17 E8 ?? ?? ?? ?? 83 C4 04 85 C0 75 34 68 96 00 00 00 FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 04 83 F8 01 75 10 E8 ?? ?? ?? ?? 3C 01 75 23 53 FF 15 ?? ?? ?? ?? 53 FF 15 ?? 
?? ?? ?? 68 ?? ?? ?? ?? E8 } - $a = "Skype.exe" ascii wide - $b = "msnmsgr.exe" ascii wide - condition: - 2 of them -} \ No newline at end of file diff --git a/yara-mikesxrs/iSightPartners/SDBFile.yar b/yara-mikesxrs/iSightPartners/SDBFile.yar deleted file mode 100644 index 946287e..0000000 --- a/yara-mikesxrs/iSightPartners/SDBFile.yar +++ /dev/null @@ -1,20 +0,0 @@ -rule SDBFile -{ - meta: - author = "iSight Partners" - author2 = "Sean Pierce" - description = "Shim Database files" - reference = "https://www.blackhat.com/docs/asia-14/materials/Erickson/Asia-14-Erickson-Persist-It-Using-And-Abusing-Microsofts-Fix-It-Patches.pdf" - reference2 = "https://www.blackhat.com/docs/eu-15/materials/eu-15-Pierce-Defending-Against-Malicious-Application-Compatibility-Shims.pdf" - strings: - $magic = { 73 64 62 66 } // sdbf - condition: - $magic at 8 and - md5 != "B02B4B8924F019BDE57484A55DC5CA57" and - md5 != "BA17F2DA98A8A375D22CB33C8E83A146" and - md5 != "EC9D5F0AE38EC4A97E70960264B7D07D" and - md5 != "4C7B2F691885878EDBAE48760A7E3FB9" and - md5 != "1D8C1280D38C526C7041E72DB8D70DC1" and - md5 != "8006552125C9D590843192543668BB0B" -} - diff --git a/yara-mikesxrs/kaspersky/Adwind.yar b/yara-mikesxrs/kaspersky/Adwind.yar deleted file mode 100644 index b500d49..0000000 --- a/yara-mikesxrs/kaspersky/Adwind.yar +++ /dev/null 
@@ -1,27 +0,0 @@
-rule Adwind_JAR_PACKA {
- meta:
- author = “Vitaly Kamluk, Vitaly.Kamluk@kaspersky.com”
- last_modified = “2015-11-30”
- reference = "https://securelist.com/securelist/files/2016/02/KL_AdwindPublicReport_2016.pdf"
- strings:
- $b1 = “.class” ascii
- $b2 = “c/a/a/” ascii
- $b3 = “b/a/” ascii
- $b4 = “a.dat” ascii
- $b5 = “META-INF/MANIFEST.MF” ascii
- condition:
- int16(0) == 0x4B50 and ($b1 and $b2 and $b3 and $b4 and $b5)
-}
-rule Adwind_JAR_PACKB {
- meta:
- author = “Vitaly Kamluk, Vitaly.Kamluk@kaspersky.com”
- last_modified = “2015-11-30”
- reference = "https://securelist.com/securelist/files/2016/02/KL_AdwindPublicReport_2016.pdf"
- strings:
- $c1 = “META-INF/MANIFEST.MF” ascii
- $c2 = “main/Start.class” ascii
- $a1 = “config/config.perl” ascii
- $b1 = “java/textito.isn” ascii
- condition:
- int16(0) == 0x4B50 and ($c1 and $c2 and ($a1 or $b1))
-}
diff --git a/yara-mikesxrs/kaspersky/Crime_eyepyramid.yar b/yara-mikesxrs/kaspersky/Crime_eyepyramid.yar
deleted file mode 100644
index adbfa15..0000000
--- a/yara-mikesxrs/kaspersky/Crime_eyepyramid.yar
+++ /dev/null
@@ -1,58 +0,0 @@ -rule crime_ZZ_EyePyramid { -meta: -copyright = " Kaspersky Lab" -author = " Kaspersky Lab" -maltype = "crimeware" -filetype = "Win32 EXE" -date = "2016­01­11" version = "1.0" -strings: -$a0="eyepyramid.com" ascii wide nocase fullword -$a1="hostpenta.com" ascii wide nocase fullword -$a2="ayexisfitness.com" ascii wide nocase fullword -$a3="enasrl.com" ascii wide nocase fullword -$a4="eurecoove.com" ascii wide nocase fullword -$a5="marashen.com" ascii wide nocase fullword -$a6="millertaylor.com" ascii wide nocase fullword -$a7="occhionero.com" ascii wide nocase fullword -$a8="occhionero.info" ascii wide nocase fullword -$a9="wallserv.com" ascii wide nocase fullword -$a10="westlands.com" ascii wide nocase fullword -$a11="217.115.113.181" ascii wide nocase fullword -$a12="216.176.180.188" ascii wide nocase fullword -$a13="65.98.88.29" ascii wide nocase fullword -$a14="199.15.251.75" ascii wide nocase fullword -$a15="216.176.180.181" ascii wide nocase fullword -$a16="MN600­849590C695DFD9BF69481597241E­668C" ascii wide nocase fullword -$a17="MN600­841597241E8D9BF6949590C695DF­774D" ascii wide nocase fullword -$a18="MN600­3E3A3C593AD5BAF50F55A4ED60F0­385D" ascii wide nocase fullword -$a19="MN600­AD58AF50F55A60E043E3A3C593ED­874A" ascii wide nocase fullword -$a20="gpool@hostpenta.com" ascii wide nocase fullword -$a21="hanger@hostpenta.com" ascii wide nocase fullword -$a22="hostpenta@hostpenta.com" ascii wide nocase fullword -$a23="ulpi715@gmx.com" ascii wide nocase fullword -$b0="purge626@gmail.com" ascii wide fullword -$b1="tip848@gmail.com" ascii wide fullword -$b2="dude626@gmail.com" ascii wide fullword -$b3="octo424@gmail.com" ascii wide fullword -$b4="antoniaf@poste.it" ascii wide fullword -$b5="mmarcucci@virgilio.it" ascii wide fullword -$b6="i.julia@blu.it" ascii wide fullword -$b7="g.simeoni@inwind.it" ascii wide fullword -$b8="g.latagliata@live.com" ascii wide fullword -$b9="rita.p@blu.it" ascii wide fullword -$b10="b.gaetani@live.com" ascii wide 
fullword -$b11="gpierpaolo@tin.it" ascii wide fullword -$b12="e.barbara@poste.it" ascii wide fullword -$b13="stoccod@libero.it" ascii wide fullword -$b14="g.capezzone@virgilio.it" ascii wide fullword -$b15="baldarim@blu.it" ascii wide fullword -$b16="elsajuliette@blu.it" ascii wide fullword -$b17="dipriamoj@alice.it" ascii wide fullword -$b18="izabelle.d@blu.it" ascii wide fullword -$b19="lu_1974@hotmail.com" ascii wide fullword -$b20="tim11235@gmail.com" ascii wide fullword -$b21="plars575@gmail.com" ascii wide fullword -$b22="guess515@fastmail.fm" ascii wide fullword -condition: -((uint16(0) == 0x5A4D)) and (filesize < 10MB) and ((any of ($a*)) or (any of ($b*)) ) -} diff --git a/yara-mikesxrs/kaspersky/LazarusWannaCry.yar b/yara-mikesxrs/kaspersky/LazarusWannaCry.yar deleted file mode 100644 index 79f635b..0000000 --- a/yara-mikesxrs/kaspersky/LazarusWannaCry.yar +++ /dev/null 
@@ -1,39 +0,0 @@
-rule lazaruswannacry {
-
-meta:
-
-description = “Rule based on shared code between Feb 2017 Wannacry sample and Lazarus backdoor from Feb 2015 discovered by Neel Mehta”
- date = “2017-05-15”
- reference = “https://twitter.com/neelmehta/status/864164081116225536”
- reference2 = "https://securelist.com/wannacry-and-lazarus-group-the-missing-link/78431/"
- author = “Kaspersky Lab”
- version = “1.0”
- hash = “9c7c7149387a1c79679a87dd1ba755bc”
- hash = “ac21c8ad899727137c4b94458d7aa8d8”
-
-strings:
-
-$a1={
- 51 53 55 8B 6C 24 10 56 57 6A 20 8B 45 00 8D 75
- 04 24 01 0C 01 46 89 45 00 C6 46 FF 03 C6 06 01
- 46 56 E8
- }
-
-$a2={
- 03 00 04 00 05 00 06 00 08 00 09 00 0A 00 0D 00
- 10 00 11 00 12 00 13 00 14 00 15 00 16 00 2F 00
- 30 00 31 00 32 00 33 00 34 00 35 00 36 00 37 00
- 38 00 39 00 3C 00 3D 00 3E 00 3F 00 40 00 41 00
- 44 00 45 00 46 00 62 00 63 00 64 00 66 00 67 00
- 68 00 69 00 6A 00 6B 00 84 00 87 00 88 00 96 00
- FF 00 01 C0 02 C0 03 C0 04 C0 05 C0 06 C0 07 C0
- 08 C0 09 C0 0A C0 0B C0 0C C0 0D C0 0E C0 0F C0
- 10 C0 11 C0 12 C0 13 C0 14 C0 23 C0 24 C0 27 C0
- 2B C0 2C C0 FF FE
- }
-
-condition:
-
-((uint16(0) == 0x5A4D)) and (filesize < 15000000) and
- all of them
- }
diff --git a/yara-mikesxrs/kaspersky/apt_ProjectSauron_encrypted_LSA.yar b/yara-mikesxrs/kaspersky/apt_ProjectSauron_encrypted_LSA.yar
deleted file mode 100644
index 286d70a..0000000
--- a/yara-mikesxrs/kaspersky/apt_ProjectSauron_encrypted_LSA.yar
+++ /dev/null
@@ -1,33 +0,0 @@
-
-import "pe"
-import "math"
-
-
-rule apt_ProjectSauron_encrypted_LSA {
-meta:
- copyright = "Kaspersky Lab"
- description = "Rule to detect ProjectSauron encrypted LSA samples"
- version = "1.0"
- reference = "https://securelist.com/blog/"
-
-strings:
-
- $a1 = "EFEB0A9C6ABA4CF5958F41DB6A31929776C643DEDC65CC9B67AB8B0066FF2492" fullword ascii
- $a2 = "\\Device\\NdisRaw_" fullword ascii
- $a3 = "\\\\.\\GLOBALROOT\\Device\\{8EDB44DC-86F0-4E0E-8068-BD2CABA4057A}" fullword wide
- $a4 = "Global\\{a07f6ba7-8383-4104-a154-e582e85a32eb}" fullword wide
- $a5 = "Missing function %S::#%d" fullword wide
- $a6 = {8945D08D8598FEFFFF2BD08945D88D45BC83C20450C745C0030000008975C48955DCFF55FC8BF88D8F0000003A83F90977305333DB53FF15}
- $a7 = {488D4C24304889442450488D452044886424304889442460488D4520C7442434030000002BD848897C243844896C244083C308895C246841FFD68D880000003A8BD883F909772DFF}
-
-
-condition:
- uint16(0) == 0x5A4D
- and (any of ($a*) or
- (
- pe.exports("InitializeChangeNotify") and
- pe.exports("PasswordChangeNotify") and
- math.entropy(0x400, filesize) >= 7.5
- ))
- and filesize < 1000000
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/kaspersky/apt_ProjectSauron_encrypted_SSPI.yar b/yara-mikesxrs/kaspersky/apt_ProjectSauron_encrypted_SSPI.yar
deleted file mode 100644
index 5277421..0000000
--- a/yara-mikesxrs/kaspersky/apt_ProjectSauron_encrypted_SSPI.yar
+++ /dev/null
@@ -1,19 +0,0 @@
-
-import "pe"
-import "math"
-
-rule apt_ProjectSauron_encrypted_SSPI {
-meta:
- copyright = "Kaspersky Lab"
- description = "Rule to detect encrypted ProjectSauron SSPI samples"
- version = "1.0"
- reference = "https://securelist.com/blog/"
-
-condition:
- uint16(0) == 0x5A4D and
- filesize < 1000000 and
- pe.exports("InitSecurityInterfaceA") and
- pe.characteristics & pe.DLL and
- (pe.machine == pe.MACHINE_AMD64 or pe.machine == pe.MACHINE_IA64) and
- math.entropy(0x400, filesize) >= 7.5
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/kaspersky/apt_ProjectSauron_encrypted_container.yar b/yara-mikesxrs/kaspersky/apt_ProjectSauron_encrypted_container.yar
deleted file mode 100644
index 0b10860..0000000
--- a/yara-mikesxrs/kaspersky/apt_ProjectSauron_encrypted_container.yar
+++ /dev/null
@@ -1,22 +0,0 @@
-
-import "pe"
-import "math"
-
-rule apt_ProjectSauron_encrypted_container {
-meta:
- copyright = "Kaspersky Lab"
- description = "Rule to detect ProjectSauron samples encrypted container"
- version = "1.0"
- reference = "https://securelist.com/blog/"
-
-strings:
-
- $vfs_header = {02 AA 02 C1 02 0?}
- $salt = {91 0A E0 CC 0D FE CE 36 78 48 9B 9C 97 F7 F5 55}
-
-condition:
- uint16(0) == 0x5A4D
- and ((@vfs_header < 0x4000) or $salt) and
- math.entropy(0x400, filesize) >= 6.5 and
- (filesize > 0x400) and filesize < 10000000
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/kaspersky/apt_ProjectSauron_encryption.yar b/yara-mikesxrs/kaspersky/apt_ProjectSauron_encryption.yar
deleted file mode 100644
index 71042eb..0000000
--- a/yara-mikesxrs/kaspersky/apt_ProjectSauron_encryption.yar
+++ /dev/null
@@ -1,22 +0,0 @@
-
-import "pe"
-import "math"
-
-rule apt_ProjectSauron_encryption {
-meta:
- copyright = "Kaspersky Lab"
- description = "Rule to detect ProjectSauron string encryption"
- version = "1.0"
- reference = "https://securelist.com/blog/"
-
-
-strings:
-
- $a1 = {81??02AA02C175??8B??0685}
- $a2 = {918D9A94CDCC939A93939BD18B9AB8DE9C908DAF8D9B9BBE8C8C9AFF}
- $a3 = {803E225775??807E019F75??807E02BE75??807E0309}
-
-condition:
- filesize < 5000000 and
- any of ($a*)
-}
diff --git a/yara-mikesxrs/kaspersky/apt_ProjectSauron_generic_pipe_backdoor.yar b/yara-mikesxrs/kaspersky/apt_ProjectSauron_generic_pipe_backdoor.yar
deleted file mode 100644
index 3bc1dc0..0000000
--- a/yara-mikesxrs/kaspersky/apt_ProjectSauron_generic_pipe_backdoor.yar
+++ /dev/null
@@ -1,23 +0,0 @@
-
-import "pe"
-import "math"
-
-rule apt_ProjectSauron_generic_pipe_backdoor {
-meta:
- copyright = "Kaspersky Lab"
- description = "Rule to detect ProjectSauron generic pipe backdoors"
- version = "1.0"
- reference = "https://securelist.com/blog/"
-
-strings:
- $a = { C7 [2-3] 32 32 32 32 E8 }
- $b = { 42 12 67 6B }
- $c = { 25 31 5F 73 }
- $d = "rand"
- $e = "WS2_32"
-
-condition:
- uint16(0) == 0x5A4D and
- (all of them) and
- filesize < 400000
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/kaspersky/apt_ProjectSauron_pipe_backdoor.yar b/yara-mikesxrs/kaspersky/apt_ProjectSauron_pipe_backdoor.yar
deleted file mode 100644
index 41fbcf9..0000000
--- a/yara-mikesxrs/kaspersky/apt_ProjectSauron_pipe_backdoor.yar
+++ /dev/null
@@ -1,24 +0,0 @@
-import "pe"
-import "math"
-
-rule apt_ProjectSauron_pipe_backdoor {
-meta:
- copyright = "Kaspersky Lab"
- description = "Rule to detect ProjectSauron pipe backdoors"
- version = "1.0"
- reference = "https://securelist.com/blog/"
-
-strings:
-
- $a1 = "CreateNamedPipeW" fullword ascii
- $a2 = "SetSecurityDescriptorDacl" fullword ascii
- $a3 = "GetOverlappedResult" fullword ascii
- $a4 = "TerminateThread" fullword ascii
- $a5 = "%s%s%X" fullword wide
-
-
-condition:
- uint16(0) == 0x5A4D
- and (all of ($a*))
- and filesize < 100000
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/kaspersky/apt_duqu2_drivers.yar b/yara-mikesxrs/kaspersky/apt_duqu2_drivers.yar
deleted file mode 100644
index f19c4c6..0000000
--- a/yara-mikesxrs/kaspersky/apt_duqu2_drivers.yar
+++ /dev/null
@@ -1,26 +0,0 @@
-rule apt_duqu2_drivers {
-
-meta:
-
- copyright = "Kaspersky Lab"
- description = "Rule to detect Duqu 2.0 drivers"
- last_modified = "2015-06-09"
- version = "1.0"
- Reference = "https://securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/"
-
-strings:
-
- $a1="\\DosDevices\\port_optimizer" wide nocase
- $a2="romanian.antihacker"
- $a3="PortOptimizerTermSrv" wide
- $a4="ugly.gorilla1"
-
- $b1="NdisIMCopySendCompletePerPacketInfo"
- $b2="NdisReEnumerateProtocolBindings"
- $b3="NdisOpenProtocolConfiguration"
-
-condition:
-
- uint16(0) == 0x5A4D and (any of ($a*) ) and (2 of ($b*)) and filesize < 100000
-
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/kaspersky/apt_duqu2_loaders.yar b/yara-mikesxrs/kaspersky/apt_duqu2_loaders.yar
deleted file mode 100644
index 52a13bc..0000000
--- a/yara-mikesxrs/kaspersky/apt_duqu2_loaders.yar
+++ /dev/null
@@ -1,36 +0,0 @@
-rule apt_duqu2_loaders {
-
-meta:
- copyright = "Kaspersky Lab"
- description = "Rule to detect Duqu 2.0 samples"
- last_modified = "2015-06-09"
- version = "1.0"
- Reference = "https://securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/"
-
-strings:
-
- $a1="{AAFFC4F0-E04B-4C7C-B40A-B45DE971E81E}" wide
- $a2="\\\\.\\pipe\\{AAFFC4F0-E04B-4C7C-B40A-B45DE971E81E}" wide
- $a4="\\\\.\\pipe\\{AB6172ED-8105-4996-9D2A-597B5F827501}" wide
- $a5="Global\\{B54E3268-DE1E-4c1e-A667-2596751403AD}" wide
- $a8="SELECT `Data` FROM `Binary` WHERE `Name`='%s%i'" wide
- $a9="SELECT `Data` FROM `Binary` WHERE `Name`='CryptHash%i'" wide
- $a7="SELECT `%s` FROM `%s` WHERE `%s`='CAData%i'" wide
- $b1="MSI.dll"
- $b2="msi.dll"
- $b3="StartAction"
- $c1="msisvc_32@" wide
- $c2="PROP=" wide
- $c3="-Embedding" wide
- $c4="S:(ML;;NW;;;LW)" wide
-
- $d1 = "NameTypeBinaryDataCustomActionActionSourceTargetInstallExecuteSequenceConditionSequencePropertyValueMicrosoftManufacturer" nocase
- $d2 = {2E 3F 41 56 3F 24 5F 42 69 6E 64 40 24 30 30 58 55 3F 24 5F 50 6D 66 5F 77 72 61 70 40 50 38 43 4C 52 ?? 40 40 41 45 58 58 5A 58 56 31 40 24 24 24 56 40 73 74 64 40 40 51 41 56 43 4C 52 ?? 40 40 40 73 74 64 40 40}
-condition:
-
-( (uint16(0) == 0x5a4d) and ( (any of ($a*)) or (all of ($b*)) or (all of ($c*)) ) and filesize < 100000 )
-
-or
-
-( (uint32(0) == 0xe011cfd0) and ( (any of ($a*)) or (all of ($b*)) or (all of ($c*)) or (any of ($d*)) ) and filesize < 20000000 )
-}
diff --git a/yara-mikesxrs/kaspersky/apt_equation_cryptotable.yar b/yara-mikesxrs/kaspersky/apt_equation_cryptotable.yar
deleted file mode 100644
index d8809a0..0000000
--- a/yara-mikesxrs/kaspersky/apt_equation_cryptotable.yar
+++ /dev/null
@@ -1,12 +0,0 @@
-rule apt_equation_cryptotable : crypto {
- meta:
- copyright = "Kaspersky Lab"
- description = "Rule to detect the crypto library used in Equation group malware"
- version = "1.0"
- last_modified = "2015-02-16"
- reference = "http://securelist.com/blog/research/68750/equation-the-death-star-of-malware-galaxy/"
- strings:
- $a={37 DF E8 B6 C7 9C 0B AE 91 EF F0 3B 90 C6 80 85 5D 19 4B 45 44 12 3C E2 0D 5C 1C 7B C4 FF D6 05 17 14 4F 03 74 1E 41 DA 8F 7D DE 7E 99 F1 35 AC B8 46 93 CE 23 82 07 EB 2B D4 72 71 40 F3 B0 F7 78 D7 4C D1 55 1A 39 83 18 FA E1 9A 56 B1 96 AB A6 30 C5 5F BE 0C 50 C1}
- condition:
- $a
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/kaspersky/apt_equation_doublefantasy_genericresource.yar b/yara-mikesxrs/kaspersky/apt_equation_doublefantasy_genericresource.yar
deleted file mode 100644
index 4e3925a..0000000
--- a/yara-mikesxrs/kaspersky/apt_equation_doublefantasy_genericresource.yar
+++ /dev/null
@@ -1,15 +0,0 @@
-rule apt_equation_doublefantasy_genericresource {
- meta:
- copyright = "Kaspersky Lab"
- description = "Rule to detect DoubleFantasy encoded config http://goo.gl/ivt8EW"
- version = "1.0"
- last_modified = "2015-02-16"
- reference = "http://securelist.com/blog/research/68750/equation-the-death-star-of-malware-galaxy/"
- strings:
- $mz="MZ"
- $a1={06 00 42 00 49 00 4E 00 52 00 45 00 53 00}
- $a2="yyyyyyyyyyyyyyyy"
- $a3="002"
- condition:
- (($mz at 0) and all of ($a*)) and filesize < 500000
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/kaspersky/apt_equation_equationlaser_runtimeclasses.yar b/yara-mikesxrs/kaspersky/apt_equation_equationlaser_runtimeclasses.yar
deleted file mode 100644
index 93c6ec8..0000000
--- a/yara-mikesxrs/kaspersky/apt_equation_equationlaser_runtimeclasses.yar
+++ /dev/null
@@ -1,17 +0,0 @@
-rule apt_equation_equationlaser_runtimeclasses {
- meta:
- copyright = "Kaspersky Lab"
- description = "Rule to detect the EquationLaser malware"
- version = "1.0"
- last_modified = "2015-02-16"
- reference = "http://securelist.com/blog/research/68750/equation-the-death-star-of-malware-galaxy/"
- strings:
- $a1="?a73957838_2@@YAXXZ"
- $a2="?a84884@@YAXXZ"
- $a3="?b823838_9839@@YAXXZ"
- $a4="?e747383_94@@YAXXZ"
- $a5="?e83834@@YAXXZ"
- $a6="?e929348_827@@YAXXZ"
- condition:
- any of them
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/kaspersky/apt_equation_exploitlib_mutexes.yar b/yara-mikesxrs/kaspersky/apt_equation_exploitlib_mutexes.yar
deleted file mode 100644
index 746f5e0..0000000
--- a/yara-mikesxrs/kaspersky/apt_equation_exploitlib_mutexes.yar
+++ /dev/null
@@ -1,28 +0,0 @@
-rule apt_equation_exploitlib_mutexes {
-
-meta:
-
- copyright = "Kaspersky Lab"
- description = "Rule to detect Equation group's Exploitation library"
- version = "1.0"
- last_modified = "2015-02-16"
- reference = "https://securelist.com/blog/research/68750/equation-the-death-star-of-malware-galaxy/"
-
-
-strings:
-
- $mz="MZ"
-
- $a1="prkMtx" wide
- $a2="cnFormSyncExFBC" wide
- $a3="cnFormVoidFBC" wide
- $a4="cnFormSyncExFBC"
- $a5="cnFormVoidFBC"
-
-condition:
-
-(($mz at 0) and any of ($a*))
-
-}
-
-
diff --git a/yara-mikesxrs/kaspersky/apt_hellsing_implantstrings.yar b/yara-mikesxrs/kaspersky/apt_hellsing_implantstrings.yar
deleted file mode 100644
index 346ddc6..0000000
--- a/yara-mikesxrs/kaspersky/apt_hellsing_implantstrings.yar
+++ /dev/null
@@ -1,31 +0,0 @@
-rule apt_hellsing_implantstrings
-{
- meta:
- version = "1.0"
- filetype = "PE"
- author = "Costin Raiu, Kaspersky Lab"
- copyright = "Kaspersky Lab"
- date = "2015-04-07"
- description = "detection for Hellsing implants"
-
- strings:
- $mz="MZ"
- $a1="the file uploaded failed !"
- $a2="ping 127.0.0.1"
- $b1="the file downloaded failed !"
- $b2="common.asp"
- $c="xweber_server.exe"
- $d="action="
- $debugpath1="d:\\Hellsing\\release\\msger\\" nocase
- $debugpath2="d:\\hellsing\\sys\\xrat\\" nocase
- $debugpath3="D:\\Hellsing\\release\\exe\\" nocase
- $debugpath4="d:\\hellsing\\sys\\xkat\\" nocase
- $debugpath5="e:\\Hellsing\\release\\clare" nocase
- $debugpath6="e:\\Hellsing\\release\\irene\\" nocase
- $debugpath7="d:\\hellsing\\sys\\irene\\" nocase
- $e="msger_server.dll"
- $f="ServiceMain"
-
- condition:
- ($mz at 0) and (all of ($a*)) or (all of ($b*)) or ($c and $d) or (any of ($debugpath*)) or ($e and $f) and filesize < 500000
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/kaspersky/apt_hellsing_installer.yar b/yara-mikesxrs/kaspersky/apt_hellsing_installer.yar
deleted file mode 100644
index 55f0cf5..0000000
--- a/yara-mikesxrs/kaspersky/apt_hellsing_installer.yar
+++ /dev/null
@@ -1,28 +0,0 @@
-rule apt_hellsing_installer
-{
- meta:
- version = "1.0"
- filetype = "PE"
- author = "Costin Raiu, Kaspersky Lab"
- copyright = "Kaspersky Lab"
- date = "2015-04-07"
- description = "detection for Hellsing xweber/msger installers"
-
- strings:
- $mz="MZ"
- $cmd="cmd.exe /c ping 127.0.0.1 -n 5&cmd.exe /c del /a /f \"%s\""
- $a1="xweber_install_uac.exe"
- $a2="system32\\cmd.exe" wide
- $a4="S11SWFOrVwR9UlpWRVZZWAR0U1aoBHFTUl2oU1Y="
- $a5="S11SWFOrVwR9dnFTUgRUVlNHWVdXBFpTVgRdUlpWRVZZWARdUqhZVlpFR1kEUVNSXahTVgRaU1YEUVNSXahTVl1SWwRZValdVFFZUqgQBF1SWlZFVllYBFRTVqg="
- $a6="7dqm2ODf5N/Y2N/m6+br3dnZpunl44g="
- $a7="vd/m7OXd2ai/5u7a59rr7Ki45drcqMPl5t/c5dqIZw=="
- $a8="vd/m7OXd2ai/usPl5qjY2uXp69nZqO7l2qjf5u7a59rr7Kjf5tzr2u7n6euo4+Xm39zl2qju5dqo4+Xm39zl2t/m7ajr19vf2OPr39rj5eaZmqbs5OSI Njl2tyI"
- $a9="C:\\Windows\\System32\\sysprep\\sysprep.exe" wide
- $a10="%SystemRoot%\\system32\\cmd.exe" wide
- $a11="msger_install.dll"
- $a12={00 65 78 2E 64 6C 6C 00}
-
- condition:
- ($mz at 0) and ($cmd and (2 of ($a*))) and filesize < 500000
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/kaspersky/apt_hellsing_irene.yar b/yara-mikesxrs/kaspersky/apt_hellsing_irene.yar
deleted file mode 100644
index eaef947..0000000
--- a/yara-mikesxrs/kaspersky/apt_hellsing_irene.yar
+++ /dev/null
@@ -1,22 +0,0 @@
-rule apt_hellsing_irene
-{
- meta:
- version = "1.0"
- filetype = "PE"
- author = "Costin Raiu, Kaspersky Lab"
- copyright = "Kaspersky Lab"
- date = "2015-04-07"
- description = "detection for Hellsing msger irene installer"
-
- strings:
- $mz="MZ"
- $a1="\\Drivers\\usbmgr.tmp" wide
- $a2="\\Drivers\\usbmgr.sys" wide
- $a3="common_loadDriver CreateFile error! "
- $a4="common_loadDriver StartService error && GetLastError():%d! "
- $a5="irene" wide
- $a6="aPLib v0.43 - the smaller the better"
-
- condition:
- ($mz at 0) and (4 of ($a*)) and filesize < 500000
-}
diff --git a/yara-mikesxrs/kaspersky/apt_hellsing_msgertype2.yar b/yara-mikesxrs/kaspersky/apt_hellsing_msgertype2.yar
deleted file mode 100644
index 766b219..0000000
--- a/yara-mikesxrs/kaspersky/apt_hellsing_msgertype2.yar
+++ /dev/null
@@ -1,22 +0,0 @@
-rule apt_hellsing_msgertype2
-{
- meta:
- version = "1.0"
- filetype = "PE"
- author = "Costin Raiu, Kaspersky Lab"
- copyright = "Kaspersky Lab"
- date = "2015-04-07"
- description = "detection for Hellsing msger type 2 implants"
- strings:
- $mz="MZ"
- $a1="%s\\system\\%d.txt"
- $a2="_msger"
- $a3="http://%s/lib/common.asp?action=user_login&uid=%s&lan=%s&host=%s&os=%s&proxy=%s"
- $a4="http://%s/data/%s.1000001000"
- $a5="/lib/common.asp?action=user_upload&file="
- $a6="%02X-%02X-%02X-%02X-%02X-%02X"
-
- condition:
- ($mz at 0) and (4 of ($a*)) and filesize < 500000
-
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/kaspersky/apt_hellsing_proxytool.yar b/yara-mikesxrs/kaspersky/apt_hellsing_proxytool.yar
deleted file mode 100644
index 4ce0cb5..0000000
--- a/yara-mikesxrs/kaspersky/apt_hellsing_proxytool.yar
+++ /dev/null
@@ -1,22 +0,0 @@
-rule apt_hellsing_proxytool
-{
- meta:
- version = "1.0"
- filetype = "PE"
- author = "Costin Raiu, Kaspersky Lab"
- copyright = "Kaspersky Lab"
- date = "2015-04-07"
- description = "detection for Hellsing proxy testing tool"
-
- strings:
- $mz="MZ"
- $a1="PROXY_INFO: automatic proxy url => %s "
- $a2="PROXY_INFO: connection type => %d "
- $a3="PROXY_INFO: proxy server => %s "
- $a4="PROXY_INFO: bypass list => %s "
- $a5="InternetQueryOption failed with GetLastError() %d"
- $a6="D:\\Hellsing\\release\\exe\\exe\\" nocase
-
- condition:
- ($mz at 0) and (2 of ($a*)) and filesize < 300000
-}
diff --git a/yara-mikesxrs/kaspersky/apt_hellsing_xkat.yar b/yara-mikesxrs/kaspersky/apt_hellsing_xkat.yar
deleted file mode 100644
index 9260565..0000000
--- a/yara-mikesxrs/kaspersky/apt_hellsing_xkat.yar
+++ /dev/null
@@ -1,28 +0,0 @@
-rule apt_hellsing_xkat
-{
- meta:
- version = "1.0"
- filetype = "PE"
- author = "Costin Raiu, Kaspersky Lab"
- copyright = "Kaspersky Lab"
- date = "2015-04-07"
- description = "detection for Hellsing xKat tool"
-
- strings:
- $mz="MZ"
- $a1="\\Dbgv.sys"
- $a2="XKAT_BIN"
- $a3="release sys file error."
- $a4="driver_load error. "
- $a5="driver_create error."
- $a6="delete file:%s error."
- $a7="delete file:%s ok."
- $a8="kill pid:%d error."
- $a9="kill pid:%d ok."
- $a10="-pid-delete"
- $a11="kill and delete pid:%d error."
- $a12="kill and delete pid:%d ok."
-
- condition:
- ($mz at 0) and (6 of ($a*)) and filesize < 300000
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/kaspersky/apt_regin_2013_64bit_stage1.yar b/yara-mikesxrs/kaspersky/apt_regin_2013_64bit_stage1.yar
deleted file mode 100644
index e350ed9..0000000
--- a/yara-mikesxrs/kaspersky/apt_regin_2013_64bit_stage1.yar
+++ /dev/null
@@ -1,24 +0,0 @@
-rule apt_regin_2013_64bit_stage1 {
-
-meta:
- copyright = "Kaspersky Lab"
- description = "Rule to detect Regin 64 bit stage 1 loaders"
- version = "1.0"
- last_modified = "2014-11-18"
- filename="wshnetc.dll"
- md5="bddf5afbea2d0eed77f2ad4e9a4f044d"
- filename="wsharp.dll"
- md5="c053a0a3f1edcbbfc9b51bc640e808ce"
- Reference = "https://securelist.com/files/2014/11/Kaspersky_Lab_whitepaper_Regin_platform_eng.pdf"
-
-strings:
- $mz="MZ"
- $a1="PRIVHEAD"
- $a2="\\\\.\\PhysicalDrive%d"
- $a3="ZwDeviceIoControlFile"
-
-condition:
-
- ($mz at 0) and (all of ($a*)) and filesize < 100000
-
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/kaspersky/apt_regin_dispatcher_disp_dll.yar b/yara-mikesxrs/kaspersky/apt_regin_dispatcher_disp_dll.yar
deleted file mode 100644
index d2bc185..0000000
--- a/yara-mikesxrs/kaspersky/apt_regin_dispatcher_disp_dll.yar
+++ /dev/null
@@ -1,22 +0,0 @@
-rule apt_regin_dispatcher_disp_dll {
-
-meta:
-
- copyright = "Kaspersky Lab"
- description = "Rule to detect Regin disp.dll dispatcher"
- version = "1.0"
- last_modified = "2014-11-18"
- Reference = "https://securelist.com/files/2014/11/Kaspersky_Lab_whitepaper_Regin_platform_eng.pdf"
-
-strings:
- $mz="MZ"
- $string1="shit"
- $string2="disp.dll"
- $string3="255.255.255.255"
- $string4="StackWalk64"
- $string5="imagehlp.dll"
-
-condition:
-
- ($mz at 0) and (all of ($string*))
-}
diff --git a/yara-mikesxrs/kaspersky/apt_regin_vfs.yar b/yara-mikesxrs/kaspersky/apt_regin_vfs.yar
deleted file mode 100644
index 59e93b6..0000000
--- a/yara-mikesxrs/kaspersky/apt_regin_vfs.yar
+++ /dev/null
@@ -1,21 +0,0 @@
-rule apt_regin_vfs {
-
-meta:
-
- copyright = "Kaspersky Lab"
- description = "Rule to detect Regin VFSes"
- version = "1.0"
- last_modified = "2014-11-18"
- Reference = "https://securelist.com/files/2014/11/Kaspersky_Lab_whitepaper_Regin_platform_eng.pdf"
-
-strings:
-
- $a1={00 02 00 08 00 08 03 F6 D7 F3 52}
- $a2={00 10 F0 FF F0 FF 11 C7 7F E8 52}
- $a3={00 04 00 10 00 10 03 C2 D3 1C 93}
- $a4={00 04 00 10 C8 00 04 C8 93 06 D8}
-
-condition:
-
- ($a1 at 0) or ($a2 at 0) or ($a3 at 0) or ($a4 at 0)
-}
diff --git a/yara-mikesxrs/kaspersky/backdoored_ssh.yar b/yara-mikesxrs/kaspersky/backdoored_ssh.yar
deleted file mode 100644
index 8122921..0000000
--- a/yara-mikesxrs/kaspersky/backdoored_ssh.yar
+++ /dev/null
@@ -1,12 +0,0 @@
-rule Backdoored_ssh {
-meta:
-author = "Kaspersky"
-reference = "https://securelist.com/energetic-bear-crouching-yeti/85345/"
-actor = "Energetic Bear/Crouching Yeti"
-strings:
-$a1 = "OpenSSH"
-$a2 = "usage: ssh"
-$a3 = "HISTFILE"
-condition:
-uint32(0) == 0x464c457f and filesize<1000000 and all of ($a*)
-}
diff --git a/yara-mikesxrs/kaspersky/exploit_Silverlight_Toropov_Generic_XAP.yar b/yara-mikesxrs/kaspersky/exploit_Silverlight_Toropov_Generic_XAP.yar
deleted file mode 100644
index c2e8387..0000000
--- a/yara-mikesxrs/kaspersky/exploit_Silverlight_Toropov_Generic_XAP.yar
+++ /dev/null
@@ -1,21 +0,0 @@
-rule exploit_Silverlight_Toropov_Generic_XAP {
-
- meta:
-
- author = "Kaspersky Lab"
- filetype = "Win32 EXE"
- date = "2015-07-23"
- version = "1.0"
- Reference = "https://securelist.com/blog/research/73255/the-mysterious-case-of-cve-2016-0034-the-hunt-for-a-microsoft-silverlight-0-day/"
-
-strings:
-
- $b2="Can't find Payload() address" ascii wide
- $b3="/SilverApp1;compoent/App.xaml" ascii wide
- $b4="Can't allocate ums after buf[]" ascii wide
- $b5="------------ START ------------"
-
-condition:
-
- ((2 of ($b*)) )
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/kaspersky/kaspersky_index.yara b/yara-mikesxrs/kaspersky/kaspersky_index.yara
deleted file mode 100644
index 4302270..0000000
--- a/yara-mikesxrs/kaspersky/kaspersky_index.yara
+++ /dev/null
@@ -1,578 +0,0 @@
-rule apt_duqu2_drivers {
-
-meta:
-
- copyright = "Kaspersky Lab"
- description = "Rule to detect Duqu 2.0 drivers"
- last_modified = "2015-06-09"
- version = "1.0"
- Reference = "https://securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/"
-
-strings:
-
- $a1="\\DosDevices\\port_optimizer" wide nocase
- $a2="romanian.antihacker"
- $a3="PortOptimizerTermSrv" wide
- $a4="ugly.gorilla1"
-
- $b1="NdisIMCopySendCompletePerPacketInfo"
- $b2="NdisReEnumerateProtocolBindings"
- $b3="NdisOpenProtocolConfiguration"
-
-condition:
-
- uint16(0) == 0x5A4D and (any of ($a*) ) and (2 of ($b*)) and filesize < 100000
-
-}
-
-rule apt_duqu2_loaders {
-
-meta:
- copyright = "Kaspersky Lab"
- description = "Rule to detect Duqu 2.0 samples"
- last_modified = "2015-06-09"
- version = "1.0"
- Reference = "https://securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/"
-
-strings:
-
- $a1="{AAFFC4F0-E04B-4C7C-B40A-B45DE971E81E}" wide
- $a2="\\\\.\\pipe\\{AAFFC4F0-E04B-4C7C-B40A-B45DE971E81E}" wide
- $a4="\\\\.\\pipe\\{AB6172ED-8105-4996-9D2A-597B5F827501}" wide
- $a5="Global\\{B54E3268-DE1E-4c1e-A667-2596751403AD}" wide
- $a8="SELECT `Data` FROM `Binary` WHERE `Name`='%s%i'" wide
- $a9="SELECT `Data` FROM `Binary` WHERE `Name`='CryptHash%i'" wide
- $a7="SELECT `%s` FROM `%s` WHERE `%s`='CAData%i'" wide
- $b1="MSI.dll"
- $b2="msi.dll"
- $b3="StartAction"
- $c1="msisvc_32@" wide
- $c2="PROP=" wide
- $c3="-Embedding" wide
- $c4="S:(ML;;NW;;;LW)" wide
-
- $d1 = "NameTypeBinaryDataCustomActionActionSourceTargetInstallExecuteSequenceConditionSequencePropertyValueMicrosoftManufacturer" nocase
- $d2 = {2E 3F 41 56 3F 24 5F 42 69 6E 64 40 24 30 30 58 55 3F 24 5F 50 6D 66 5F 77 72 61 70 40 50 38 43 4C 52 ?? 40 40 41 45 58 58 5A 58 56 31 40 24 24 24 56 40 73 74 64 40 40 51 41 56 43 4C 52 ??
40 40 40 73 74 64 40 40}
-condition:
-
-( (uint16(0) == 0x5a4d) and ( (any of ($a*)) or (all of ($b*)) or (all of ($c*)) ) and filesize < 100000 )
-
-or
-
-( (uint32(0) == 0xe011cfd0) and ( (any of ($a*)) or (all of ($b*)) or (all of ($c*)) or (any of ($d*)) ) and filesize < 20000000 )
-}
-
-rule apt_equation_exploitlib_mutexes {
-
-meta:
-
- copyright = "Kaspersky Lab"
- description = "Rule to detect Equation group's Exploitation library"
- version = "1.0"
- last_modified = "2015-02-16"
- reference = "https://securelist.com/blog/research/68750/equation-the-death-star-of-malware-galaxy/"
-
-
-strings:
-
- $mz="MZ"
-
- $a1="prkMtx" wide
- $a2="cnFormSyncExFBC" wide
- $a3="cnFormVoidFBC" wide
- $a4="cnFormSyncExFBC"
- $a5="cnFormVoidFBC"
-
-condition:
-
-(($mz at 0) and any of ($a*))
-
-}
-
-rule apt_equation_doublefantasy_genericresource {
- meta:
- copyright = "Kaspersky Lab"
- description = "Rule to detect DoubleFantasy encoded config http://goo.gl/ivt8EW"
- version = "1.0"
- last_modified = "2015-02-16"
- reference = "http://securelist.com/blog/research/68750/equation-the-death-star-of-malware-galaxy/"
- strings:
- $mz="MZ"
- $a1={06 00 42 00 49 00 4E 00 52 00 45 00 53 00}
- $a2="yyyyyyyyyyyyyyyy"
- $a3="002"
- condition:
- (($mz at 0) and all of ($a*)) and filesize < 500000
-}
-
-rule apt_equation_equationlaser_runtimeclasses {
- meta:
- copyright = "Kaspersky Lab"
- description = "Rule to detect the EquationLaser malware"
- version = "1.0"
- last_modified = "2015-02-16"
- reference = "http://securelist.com/blog/research/68750/equation-the-death-star-of-malware-galaxy/"
- strings:
- $a1="?a73957838_2@@YAXXZ"
- $a2="?a84884@@YAXXZ"
- $a3="?b823838_9839@@YAXXZ"
- $a4="?e747383_94@@YAXXZ"
- $a5="?e83834@@YAXXZ"
- $a6="?e929348_827@@YAXXZ"
- condition:
- any of them
-}
-
-rule apt_equation_cryptotable : crypto {
- meta:
- copyright = "Kaspersky Lab"
- description = "Rule to detect the crypto library used in Equation group malware"
- version = "1.0"
- last_modified =
"2015-02-16"
- reference = "http://securelist.com/blog/research/68750/equation-the-death-star-of-malware-galaxy/"
- strings:
- $a={37 DF E8 B6 C7 9C 0B AE 91 EF F0 3B 90 C6 80 85 5D 19 4B 45 44 12 3C E2 0D 5C 1C 7B C4 FF D6 05 17 14 4F 03 74 1E 41 DA 8F 7D DE 7E 99 F1 35 AC B8 46 93 CE 23 82 07 EB 2B D4 72 71 40 F3 B0 F7 78 D7 4C D1 55 1A 39 83 18 FA E1 9A 56 B1 96 AB A6 30 C5 5F BE 0C 50 C1}
- condition:
- $a
-}
-
-rule apt_hellsing_implantstrings
-{
- meta:
- version = "1.0"
- filetype = "PE"
- author = "Costin Raiu, Kaspersky Lab"
- copyright = "Kaspersky Lab"
- date = "2015-04-07"
- description = "detection for Hellsing implants"
-
- strings:
- $mz="MZ"
- $a1="the file uploaded failed !"
- $a2="ping 127.0.0.1"
- $b1="the file downloaded failed !"
- $b2="common.asp"
- $c="xweber_server.exe"
- $d="action="
- $debugpath1="d:\\Hellsing\\release\\msger\\" nocase
- $debugpath2="d:\\hellsing\\sys\\xrat\\" nocase
- $debugpath3="D:\\Hellsing\\release\\exe\\" nocase
- $debugpath4="d:\\hellsing\\sys\\xkat\\" nocase
- $debugpath5="e:\\Hellsing\\release\\clare" nocase
- $debugpath6="e:\\Hellsing\\release\\irene\\" nocase
- $debugpath7="d:\\hellsing\\sys\\irene\\" nocase
- $e="msger_server.dll"
- $f="ServiceMain"
-
- condition:
- ($mz at 0) and (all of ($a*)) or (all of ($b*)) or ($c and $d) or (any of ($debugpath*)) or ($e and $f) and filesize < 500000
-}
-
-rule apt_hellsing_installer
-{
- meta:
- version = "1.0"
- filetype = "PE"
- author = "Costin Raiu, Kaspersky Lab"
- copyright = "Kaspersky Lab"
- date = "2015-04-07"
- description = "detection for Hellsing xweber/msger installers"
-
- strings:
- $mz="MZ"
- $cmd="cmd.exe /c ping 127.0.0.1 -n 5&cmd.exe /c del /a /f \"%s\""
- $a1="xweber_install_uac.exe"
- $a2="system32\\cmd.exe" wide
- $a4="S11SWFOrVwR9UlpWRVZZWAR0U1aoBHFTUl2oU1Y="
- $a5="S11SWFOrVwR9dnFTUgRUVlNHWVdXBFpTVgRdUlpWRVZZWARdUqhZVlpFR1kEUVNSXahTVgRaU1YEUVNSXahTVl1SWwRZValdVFFZUqgQBF1SWlZFVllYBFRTVqg="
- $a6="7dqm2ODf5N/Y2N/m6+br3dnZpunl44g="
-
$a7="vd/m7OXd2ai/5u7a59rr7Ki45drcqMPl5t/c5dqIZw=="
- $a8="vd/m7OXd2ai/usPl5qjY2uXp69nZqO7l2qjf5u7a59rr7Kjf5tzr2u7n6euo4+Xm39zl2qju5dqo4+Xm39zl2t/m7ajr19vf2OPr39rj5eaZmqbs5OSI Njl2tyI"
- $a9="C:\\Windows\\System32\\sysprep\\sysprep.exe" wide
- $a10="%SystemRoot%\\system32\\cmd.exe" wide
- $a11="msger_install.dll"
- $a12={00 65 78 2E 64 6C 6C 00}
-
- condition:
- ($mz at 0) and ($cmd and (2 of ($a*))) and filesize < 500000
-}
-
-rule apt_hellsing_irene
-{
- meta:
- version = "1.0"
- filetype = "PE"
- author = "Costin Raiu, Kaspersky Lab"
- copyright = "Kaspersky Lab"
- date = "2015-04-07"
- description = "detection for Hellsing msger irene installer"
-
- strings:
- $mz="MZ"
- $a1="\\Drivers\\usbmgr.tmp" wide
- $a2="\\Drivers\\usbmgr.sys" wide
- $a3="common_loadDriver CreateFile error! "
- $a4="common_loadDriver StartService error && GetLastError():%d! "
- $a5="irene" wide
- $a6="aPLib v0.43 - the smaller the better"
-
- condition:
- ($mz at 0) and (4 of ($a*)) and filesize < 500000
-}
-
-rule apt_hellsing_msgertype2
-{
- meta:
- version = "1.0"
- filetype = "PE"
- author = "Costin Raiu, Kaspersky Lab"
- copyright = "Kaspersky Lab"
- date = "2015-04-07"
- description = "detection for Hellsing msger type 2 implants"
- strings:
- $mz="MZ"
- $a1="%s\\system\\%d.txt"
- $a2="_msger"
- $a3="http://%s/lib/common.asp?action=user_login&uid=%s&lan=%s&host=%s&os=%s&proxy=%s"
- $a4="http://%s/data/%s.1000001000"
- $a5="/lib/common.asp?action=user_upload&file="
- $a6="%02X-%02X-%02X-%02X-%02X-%02X"
-
- condition:
- ($mz at 0) and (4 of ($a*)) and filesize < 500000
-
-}
-
-rule apt_hellsing_proxytool
-{
- meta:
- version = "1.0"
- filetype = "PE"
- author = "Costin Raiu, Kaspersky Lab"
- copyright = "Kaspersky Lab"
- date = "2015-04-07"
- description = "detection for Hellsing proxy testing tool"
-
- strings:
- $mz="MZ"
- $a1="PROXY_INFO: automatic proxy url => %s "
- $a2="PROXY_INFO: connection type => %d "
- $a3="PROXY_INFO: proxy server => %s "
- $a4="PROXY_INFO: bypass list => 
%s "
- $a5="InternetQueryOption failed with GetLastError() %d"
- $a6="D:\\Hellsing\\release\\exe\\exe\\" nocase
-
- condition:
- ($mz at 0) and (2 of ($a*)) and filesize < 300000
-}
-
-rule apt_hellsing_xkat
-{
- meta:
- version = "1.0"
- filetype = "PE"
- author = "Costin Raiu, Kaspersky Lab"
- copyright = "Kaspersky Lab"
- date = "2015-04-07"
- description = "detection for Hellsing xKat tool"
-
- strings:
- $mz="MZ"
- $a1="\\Dbgv.sys"
- $a2="XKAT_BIN"
- $a3="release sys file error."
- $a4="driver_load error. "
- $a5="driver_create error."
- $a6="delete file:%s error."
- $a7="delete file:%s ok."
- $a8="kill pid:%d error."
- $a9="kill pid:%d ok."
- $a10="-pid-delete"
- $a11="kill and delete pid:%d error."
- $a12="kill and delete pid:%d ok."
-
- condition:
- ($mz at 0) and (6 of ($a*)) and filesize < 300000
-}
-
-rule apt_regin_2013_64bit_stage1 {
-
-meta:
- copyright = "Kaspersky Lab"
- description = "Rule to detect Regin 64 bit stage 1 loaders"
- version = "1.0"
- last_modified = "2014-11-18"
- filename="wshnetc.dll"
- md5="bddf5afbea2d0eed77f2ad4e9a4f044d"
- filename="wsharp.dll"
- md5="c053a0a3f1edcbbfc9b51bc640e808ce"
- Reference = "https://securelist.com/files/2014/11/Kaspersky_Lab_whitepaper_Regin_platform_eng.pdf"
-
-strings:
- $mz="MZ"
- $a1="PRIVHEAD"
- $a2="\\\\.\\PhysicalDrive%d"
- $a3="ZwDeviceIoControlFile"
-
-condition:
-
- ($mz at 0) and (all of ($a*)) and filesize < 100000
-
-}
-
-rule apt_regin_dispatcher_disp_dll {
-
-meta:
-
- copyright = "Kaspersky Lab"
- description = "Rule to detect Regin disp.dll dispatcher"
- version = "1.0"
- last_modified = "2014-11-18"
- Reference = "https://securelist.com/files/2014/11/Kaspersky_Lab_whitepaper_Regin_platform_eng.pdf"
-
-strings:
- $mz="MZ"
- $string1="shit"
- $string2="disp.dll"
- $string3="255.255.255.255"
- $string4="StackWalk64"
- $string5="imagehlp.dll"
-
-condition:
-
- ($mz at 0) and (all of ($string*))
-}
-
-rule apt_regin_vfs {
-
-meta:
-
- copyright = "Kaspersky Lab"
- description = "Rule to 
detect Regin VFSes"
- version = "1.0"
- last_modified = "2014-11-18"
- Reference = "https://securelist.com/files/2014/11/Kaspersky_Lab_whitepaper_Regin_platform_eng.pdf"
-
-strings:
-
- $a1={00 02 00 08 00 08 03 F6 D7 F3 52}
- $a2={00 10 F0 FF F0 FF 11 C7 7F E8 52}
- $a3={00 04 00 10 00 10 03 C2 D3 1C 93}
- $a4={00 04 00 10 C8 00 04 C8 93 06 D8}
-
-condition:
-
- ($a1 at 0) or ($a2 at 0) or ($a3 at 0) or ($a4 at 0)
-}
-
-rule exploit_Silverlight_Toropov_Generic_XAP {
-
- meta:
-
- author = "Kaspersky Lab"
- filetype = "Win32 EXE"
- date = "2015-07-23"
- version = "1.0"
- Reference = "https://securelist.com/blog/research/73255/the-mysterious-case-of-cve-2016-0034-the-hunt-for-a-microsoft-silverlight-0-day/"
-
-strings:
-
- $b2="Can't find Payload() address" ascii wide
- $b3="/SilverApp1;compoent/App.xaml" ascii wide
- $b4="Can't allocate ums after buf[]" ascii wide
- $b5="------------ START ------------"
-
-condition:
-
- ((2 of ($b*)) )
-}
-
-import "pe"
-rule xdedic_packed_syscan {
- meta:
- author = "Kaspersky Lab"
- company = "Kaspersky Lab"
- reference = "https://securelist.com/files/2016/06/xDedic_marketplace_ENG.pdf"
- strings:
- $a1 = "SysScan.exe" nocase ascii wide
- condition:
- uint16(0) == 0x5A4D
- and any of ($a*) and filesize > 1000000 and filesize <1200000 and
- pe.number_of_sections == 13 and pe.version_info["FileVersion"] contains "1.3.4."
-}
-
-rule xDedic_SysScan_unpacked {
- meta:
- author = " Kaspersky Lab"
- maltype = "crimeware"
- type ="crimeware"
- filetype = "Win32 EXE"
- date = "2016-03-14"
- reference = "https://securelist.com/files/2016/06/xDedic_marketplace_ENG.pdf"
- version = "1.0"
- hash = "fac495be1c71012682ebb27092060b43"
- hash = "e8cc69231e209db7968397e8a244d104"
- hash = "a53847a51561a7e76fd034043b9aa36d"
- hash = "e8691fa5872c528cd8e72b82e7880e98"
- hash = "F661b50d45400e7052a2427919e2f777"
- strings:
- $a1="/c ping -n 2 127.0.0.1 & del \"SysScan.exe\"" ascii wide
- $a2="SysScan DEBUG Mode!!!" ascii wide
- $a3="This rechecking? 
(set 0/1 or press enter key)" ascii wide
- $a4="http://37.49.224.144:8189/manual_result" ascii wide
- $b1="Checker end work!" ascii wide
- $b2="Trying send result..." ascii wide
- condition:
- ((uint16(0) == 0x5A4D)) and (filesize < 5000000) and
- ((any of ($a*)) or (all of ($b*)))
-}
-
-import "pe"
-import "math"
-
-rule apt_ProjectSauron_pipe_backdoor {
-meta:
- copyright = "Kaspersky Lab"
- description = "Rule to detect ProjectSauron pipe backdoors"
- version = "1.0"
- reference = "https://securelist.com/blog/"
-
-strings:
-
- $a1 = "CreateNamedPipeW" fullword ascii
- $a2 = "SetSecurityDescriptorDacl" fullword ascii
- $a3 = "GetOverlappedResult" fullword ascii
- $a4 = "TerminateThread" fullword ascii
- $a5 = "%s%s%X" fullword wide
-
-
-condition:
- uint16(0) == 0x5A4D
- and (all of ($a*))
- and filesize < 100000
-}
-
-rule apt_ProjectSauron_encrypted_LSA {
-meta:
- copyright = "Kaspersky Lab"
- description = "Rule to detect ProjectSauron encrypted LSA samples"
- version = "1.0"
- reference = "https://securelist.com/blog/"
-
-strings:
-
- $a1 = "EFEB0A9C6ABA4CF5958F41DB6A31929776C643DEDC65CC9B67AB8B0066FF2492" fullword ascii
- $a2 = "\\Device\\NdisRaw_" fullword ascii
- $a3 = "\\\\.\\GLOBALROOT\\Device\\{8EDB44DC-86F0-4E0E-8068-BD2CABA4057A}" fullword wide
- $a4 = "Global\\{a07f6ba7-8383-4104-a154-e582e85a32eb}" fullword wide
- $a5 = "Missing function %S::#%d" fullword wide
- $a6 = {8945D08D8598FEFFFF2BD08945D88D45BC83C20450C745C0030000008975C48955DCFF55FC8BF88D8F0000003A83F90977305333DB53FF15}
- $a7 = {488D4C24304889442450488D452044886424304889442460488D4520C7442434030000002BD848897C243844896C244083C308895C246841FFD68D880000003A8BD883F909772DFF}
-
-
-condition:
- uint16(0) == 0x5A4D
- and (any of ($a*) or
- (
- pe.exports("InitializeChangeNotify") and
- pe.exports("PasswordChangeNotify") and
- math.entropy(0x400, filesize) >= 7.5
- ))
- and filesize < 1000000
-}
-
-rule apt_ProjectSauron_encrypted_SSPI {
-meta:
- copyright = "Kaspersky Lab"
- description = "Rule 
to detect encrypted ProjectSauron SSPI samples"
- version = "1.0"
- reference = "https://securelist.com/blog/"
-
-condition:
- uint16(0) == 0x5A4D and
- filesize < 1000000 and
- pe.exports("InitSecurityInterfaceA") and
- pe.characteristics & pe.DLL and
- (pe.machine == pe.MACHINE_AMD64 or pe.machine == pe.MACHINE_IA64) and
- math.entropy(0x400, filesize) >= 7.5
-}
-
-rule apt_ProjectSauron_MyTrampoline {
-meta:
- copyright = "Kaspersky Lab"
- description = "Rule to detect ProjectSauron MyTrampoline module"
- version = "1.0"
- reference = "https://securelist.com/blog/"
-
-strings:
-
- $a1 = ":\\System Volume Information\\{" wide
- $a2 = "\\\\.\\PhysicalDrive%d" wide
- $a3 = "DMWndClassX%d"
-
- $b1 = "{774476DF-C00F-4e3a-BF4A-6D8618CFA532}" ascii wide
- $b2 = "{820C02A4-578A-4750-A409-62C98F5E9237}" ascii wide
-
-condition:
- uint16(0) == 0x5A4D and
- filesize < 5000000 and
- (all of ($a*) or any of ($b*))
-}
-
-rule apt_ProjectSauron_encrypted_container {
-meta:
- copyright = "Kaspersky Lab"
- description = "Rule to detect ProjectSauron samples encrypted container"
- version = "1.0"
- reference = "https://securelist.com/blog/"
-
-strings:
-
- $vfs_header = {02 AA 02 C1 02 0?}
- $salt = {91 0A E0 CC 0D FE CE 36 78 48 9B 9C 97 F7 F5 55}
-
-condition:
- uint16(0) == 0x5A4D
- and ((@vfs_header < 0x4000) or $salt) and
- math.entropy(0x400, filesize) >= 6.5 and
- (filesize > 0x400) and filesize < 10000000
-}
-
-rule apt_ProjectSauron_encryption {
-meta:
- copyright = "Kaspersky Lab"
- description = "Rule to detect ProjectSauron string encryption"
- version = "1.0"
- reference = "https://securelist.com/blog/"
-
-
-strings:
-
- $a1 = {81??02AA02C175??8B??0685}
- $a2 = {918D9A94CDCC939A93939BD18B9AB8DE9C908DAF8D9B9BBE8C8C9AFF}
- $a3 = {803E225775??807E019F75??807E02BE75??807E0309}
-
-condition:
- filesize < 5000000 and
- any of ($a*)
-}
-
-rule apt_ProjectSauron_generic_pipe_backdoor {
-meta:
- copyright = "Kaspersky Lab"
- description = "Rule to detect ProjectSauron generic 
pipe backdoors"
- version = "1.0"
- reference = "https://securelist.com/blog/"
-
-strings:
- $a = { C7 [2-3] 32 32 32 32 E8 }
- $b = { 42 12 67 6B }
- $c = { 25 31 5F 73 }
- $d = "rand"
- $e = "WS2_32"
-
-condition:
- uint16(0) == 0x5A4D and
- (all of them) and
- filesize < 400000
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/kaspersky/ransomware_PetrWrap.yar b/yara-mikesxrs/kaspersky/ransomware_PetrWrap.yar
deleted file mode 100644
index e8c3cb8..0000000
--- a/yara-mikesxrs/kaspersky/ransomware_PetrWrap.yar
+++ /dev/null
@@ -1,19 +0,0 @@
-rule ransomware_PetrWrap
-{
-meta:
- copyright= "Kaspersky Lab"
- description = "Rule to detect PetrWrap ransomware samples"
- reference = "https://securelist.com/schroedingers-petya/78870/"
- last_modified = "2017-06-27"
- author = "Kaspersky Lab"
- hash = "71B6A493388E7D0B40C83CE903BC6B04"
- version = "1.0"
-strings:
- $a1 = "MIIBCgKCAQEAxP/VqKc0yLe9JhVqFMQGwUITO6WpXWnKSNQAYT0O65Cr8PjIQInTeHkXEjfO2n2JmURWV/uHB0ZrlQ/wcYJBwLhQ9EqJ3iDqmN19Oo7NtyEUmbYmopcqYLIBZzQ2ZTK0A2DtX4GRKxEEFLCy7vP12EYOPXknVy/mf0JFWixz29QiTf5oLu15wVLONCuEibGaNNpgqCXsPwfITDbDDmdrRIiUEUw6o3pt5pNOskfOJbMan2TZu" fullword wide
- $a2 = ".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls" fullword wide
- $a3 = "DESTROY ALL OF YOUR DATA PLEASE ENSURE THAT YOUR POWER CABLE IS PLUGGED" fullword ascii
- $a4 = "1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX" fullword ascii
- $a5 = "wowsmith123456posteo.net." fullword wide
-condition:
- uint16(0) == 0x5A4D and filesize < 1000000 and any of them
-}
diff --git a/yara-mikesxrs/kaspersky/stonedrill.yar b/yara-mikesxrs/kaspersky/stonedrill.yar
deleted file mode 100644
index 5977caf..0000000
--- a/yara-mikesxrs/kaspersky/stonedrill.yar
+++ /dev/null
@@ -1,45 +0,0 @@
-import "pe"
-import "math"
-
-rule susp_file_enumerator_with_encrypted_resource_101 {
-meta:
- copyright = "Kaspersky Lab"
- description = "Generic detection for samples that enumerate files with encrypted resource called 101"
- reference = "https://securelist.com/from-shamoon-to-stonedrill/77725/"
- hash = "2cd0a5f1e9bcce6807e57ec8477d222a"
- hash = "c843046e54b755ec63ccb09d0a689674"
- version = "1.4"
-strings:
- $mz = "This program cannot be run in DOS mode."
- $a1 = "FindFirstFile" ascii wide nocase
- $a2 = "FindNextFile" ascii wide nocase
- $a3 = "FindResource" ascii wide nocase
- $a4 = "LoadResource" ascii wide nocase
-
-condition:
-uint16(0) == 0x5A4D and
-all of them and
-filesize < 700000 and
-pe.number_of_sections > 4 and
-pe.number_of_signatures == 0 and
-pe.number_of_resources > 1 and pe.number_of_resources < 15 and for any i in (0..pe.number_of_resources - 1):
-( (math.entropy(pe.resources[i].offset, pe.resources[i].length) > 7.8) and pe.resources[i].id == 101 and
-pe.resources[i].length > 20000 and
-pe.resources[i].language == 0 and
-not ($mz in (pe.resources[i].offset..pe.resources[i].offset + pe.resources[i].length))
-)
-}
-
-rule StoneDrill_main_sub {
-meta:
- author = "Kaspersky Lab"
- description = "Rule to detect StoneDrill (decrypted) samples"
- reference = "https://securelist.com/from-shamoon-to-stonedrill/77725/"
- hash = "d01781f1246fd1b64e09170bd6600fe1"
- hash = "ac3c25534c076623192b9381f926ba0d"
- version = "1.0"
-strings:
- $code = {B8 08 00 FE 7F FF 30 8F 44 24 ?? 68 B4 0F 00 00 FF 15 ?? ?? ?? 00 B8 08 00 FE 7F FF 30 8F 44 24 ?? 8B ?? 24 [1 - 4] 2B ?? 24 [6] F7 ?1 [5 - 12] 00}
-condition:
- uint16(0) == 0x5A4D and $code and filesize < 5000000
-}
diff --git a/yara-mikesxrs/kaspersky/xDedic_SysScan_unpacked.yar b/yara-mikesxrs/kaspersky/xDedic_SysScan_unpacked.yar
deleted file mode 100644
index d5987ee..0000000
--- a/yara-mikesxrs/kaspersky/xDedic_SysScan_unpacked.yar
+++ /dev/null
@@ -1,26 +0,0 @@ -rule xDedic_SysScan_unpacked { - meta: - author = " Kaspersky Lab" - maltype = "crimeware" - type ="crimeware" - filetype = "Win32 EXE" - date = "2016-03-14" - reference = "https://securelist.com/files/2016/06/xDedic_marketplace_ENG.pdf" - version = "1.0" - hash = "fac495be1c71012682ebb27092060b43" - hash = "e8cc69231e209db7968397e8a244d104" - hash = "a53847a51561a7e76fd034043b9aa36d" - hash = "e8691fa5872c528cd8e72b82e7880e98" - hash = "F661b50d45400e7052a2427919e2f777" - strings: - $a1="/c ping -n 2 127.0.0.1 & del \"SysScan.exe\"" ascii wide - $a2="SysScan DEBUG Mode!!!" ascii wide - $a3="This rechecking? (set 0/1 or press enter key)" ascii wide - $a4="http://37.49.224.144:8189/manual_result" ascii wide - $b1="Checker end work!" ascii wide - $b2="Trying send result..." ascii wide - condition: - ((uint16(0) == 0x5A4D)) and (filesize < 5000000) and - ((any of ($a*)) or (all of ($b*))) -} - diff --git a/yara-mikesxrs/kaspersky/xdedic_packed_syscan.yar b/yara-mikesxrs/kaspersky/xdedic_packed_syscan.yar deleted file mode 100644 index 19768d5..0000000 --- a/yara-mikesxrs/kaspersky/xdedic_packed_syscan.yar +++ /dev/null @@ -1,13 +0,0 @@ -import "pe" -rule xdedic_packed_syscan { - meta: - author = "Kaspersky Lab" - company = "Kaspersky Lab" - reference = "https://securelist.com/files/2016/06/xDedic_marketplace_ENG.pdf" - strings: - $a1 = "SysScan.exe" nocase ascii wide - condition: - uint16(0) == 0x5A4D - and any of ($a*) and filesize > 1000000 and filesize <1200000 and - pe.number_of_sections == 13 and pe.version_info["FileVersion"] contains "1.3.4." -} \ No newline at end of file diff --git a/yara-mikesxrs/one offs/9002Rat.yar b/yara-mikesxrs/one offs/9002Rat.yar deleted file mode 100644 index 948a6dd..0000000 --- a/yara-mikesxrs/one offs/9002Rat.yar +++ /dev/null 
@@ -1,16 +0,0 @@
-rule MPAMedia9002_dll
-{
- meta:
- decription = "9002 trojan family, MPAMedia.dll"
- author = "HPSR"
- reference = "E48A4CB7325ADCB38127A95AD47CD24D"
- reference2 = "https://community.saas.hpe.com/t5/Security-Research/9002-RAT-a-second-building-on-the-left/ba-p/228686#.WaBdzB9ifW8"
- date = "11/8/2016"
- strings:
- $opCode010 = {8D 45 ?? C7 45 ?? 56 69 72 74 33 DB C7 45 ?? 75 61 6C 50 50}
- $opCode060 = {C7 45 ?? 72 6F 74 65 66 C7 45 ?? 63 74 88 5D ?? C7 45 ?? 6B 65 72 6E}
- $opCode100 = {C7 45 ?? 65 6C 33 32 88 5D ?? C7 45 ?? 47 65 74 53 C7 45 ?? 79 73 74 65}
- $opCode140 = {c7 45 ?? 6D 54 69 6D 66 C7 ?? EC 65 00}
- condition:
- all of them
-}
diff --git a/yara-mikesxrs/one offs/AdwindRat.yar b/yara-mikesxrs/one offs/AdwindRat.yar
deleted file mode 100644
index d625826..0000000
--- a/yara-mikesxrs/one offs/AdwindRat.yar
+++ /dev/null
@@ -1,14 +0,0 @@
-rule Adwind
-{
- meta:
- author="Asaf Aprozper, asafa AT minerva-labs.com"
- description = "Adwind RAT"
- last modified = "2017-06-25"
- reference = "https://minerva-labs.com/post/adwind-and-other-evasive-java-rats"
-strings:
- $a0 = "META-INF/MANIFEST.MF"
- $a1 = /Main(\$)Q[0-9][0-9][0-9][0-9]/
- $PK = "PK"
-condition:
- $PK at 0 and $a0 and $a1
-}
diff --git a/yara-mikesxrs/one offs/CVE-2013-3660.yar b/yara-mikesxrs/one offs/CVE-2013-3660.yar
deleted file mode 100644
index e32ea10..0000000
--- a/yara-mikesxrs/one offs/CVE-2013-3660.yar
+++ /dev/null
@@ -1,22 +0,0 @@
-rule Windows_0day_Exploit_Developers_1 {
- meta: description = "Windows 0day EPATHOBJ local ring0 Exploit - Developer Names" score = 60
- strings:
- $a = "taviso" fullword
- $b = "cmpxchg8b" fullword
- $c = "programmeboy" fullword
- condition:
- all of them
-}
-
-rule Windows_0day_Exploit_1 {
- meta: description = "Windows 0day EPATHOBJ local ring0 Exploit" score = 70
- strings:
- $a = "PATHRECORD" fullword
- $b = "HRGN" fullword
- $c = "FlattenPath" fullword
- $d = "EndPath" fullword
- $e = "PolyDraw" fullword
-
- condition:
- all of them
-}
diff --git a/yara-mikesxrs/one offs/ComputraceAgent.yar b/yara-mikesxrs/one offs/ComputraceAgent.yar
deleted file mode 100644
index 4721411..0000000
--- a/yara-mikesxrs/one offs/ComputraceAgent.yar
+++ /dev/null
@@ -1,21 +0,0 @@
- rule bad_ComputraceAgent
-{
- meta:
- description = "Absolute Computrace Agent Lacking Hardcoded Domain"
- reference = "https://pastebin.com/u/dgallagher"
- thread_level = 3
- in_the_wild = true
-
- strings:
- $a = { D1 E0 F5 8B 4D 0C 83 D1 00 8B EC FF 33 83 C3 04 }
- $b1 = { 72 70 63 6E 65 74 70 2E 65 78 65 00 72 70 63 6E 65 74 70 00 }
- $b2 = { 54 61 67 49 64 00 }
-
- $domain = { c6 d0 d4 c7 d6 dd 9b db d4 d8 d0 c4 c0 d0 c7 cc 9b d6 da d8 } // search.namequery.com XOR 0xb5
-
- condition:
- uint16(0) == 0x5a4d and
- filesize < 20KB and
- ($a or ($b1 and $b2))
- and not $domain
-}
diff --git a/yara-mikesxrs/one offs/CoreFlood_ldr.yar b/yara-mikesxrs/one offs/CoreFlood_ldr.yar
deleted file mode 100644
index cc92ca3..0000000
--- a/yara-mikesxrs/one offs/CoreFlood_ldr.yar
+++ /dev/null
@@ -1,31 +0,0 @@
-rule CoreFlood_ldr_strings
-{
- meta:
- author = "Brian Baskin"
- date = "13 Feb 14"
- comment = "CoreFlood Trojan Loader Strings"
- reference = "http://www.ghettoforensics.com/2014/02/malware-with-no-strings-attached-part-2.html"
-
- strings:
- $RegKey = "MlLrqtuhA3x0WmjwNM27"
- $API = "3etProcAddr"
-
- condition:
- all of them
-}
-
-rule CoreFlood_ldr_decoder
-{
- meta:
- author = "Brian Baskin"
- date = "13 Feb 14"
- comment = "CoreFlood? Trojan Loader Decoding Keys"
- reference = "http://www.ghettoforensics.com/2014/02/malware-with-no-strings-attached-part-2.html"
-
- strings:
- $Sub_85BA = { 81 EA BA 85 00 00 }
- $XOR_85BC= { 05 BC 85 00 00 }
-
- condition:
- all of them
-}
diff --git a/yara-mikesxrs/one offs/Cridex.yar b/yara-mikesxrs/one offs/Cridex.yar
deleted file mode 100644
index 9304565..0000000
--- a/yara-mikesxrs/one offs/Cridex.yar
+++ /dev/null
@@ -1,13 +0,0 @@
-
-rule Malware_Cridex_Generic {
-meta:
- description = "Cridex Generic"
- author = "Yara Bulk Rule Generator"
- hash = "ab0e2cbca1434ab87e8cb81f97180292"
-strings:
- $s1 = /[Cc]:\\([a-zA-Z]{4,10}\\|)([a-zA-Z]{4,10}\\|)([a-zA-Z]{4,10}\\|)[a-zA-Z]{4,10}\\[a-zA-Z]{4,10}/ fullword
- $s2 = /[Cc]:\\([a-zA-Z]{4,10}\\|)([a-zA-Z]{4,10}\\|)([a-zA-Z]{4,10}\\|)[a-zA-Z]{4,10}\\[a-zA-Z]{4,10}.[a-z]{3}/ fullword
- $s3 = /[Cc]:\\[a-zA-Z]{4,10}\\[a-zA-Z]{4,10}/ fullword
-condition:
- ( #s1 > 4 and #s1 < 8 ) and ( #s2 > 1 and #s2 < 5 ) and ( #s3 > 4 and #s3 < 8 ) and filesize < 200KB
-}
diff --git a/yara-mikesxrs/one offs/Hancidoc_Dropper.yar b/yara-mikesxrs/one offs/Hancidoc_Dropper.yar
deleted file mode 100644
index 5d2c756..0000000
--- a/yara-mikesxrs/one offs/Hancidoc_Dropper.yar
+++ /dev/null
@@ -1,14 +0,0 @@
-rule Hancidoc : Dropper
-{
- meta:
- author="moutonplacide"
- date="2016-11-23"
- description="Hancitor document dropper"
-
- strings:
- $doc = {d0 cf 11 e0 a1 b1 1a e1 00 00} /* DOC Header */
- $author = "Kimberly"
- $pe_marker = /[A-Z]{8}\x08\x00/ /*STARFALL / FORTINET marker*/
- condition:
- ($doc at 0) and ($author and $pe_marker)
-}
diff --git a/yara-mikesxrs/one offs/Mebroot_Torpig.yar b/yara-mikesxrs/one offs/Mebroot_Torpig.yar
deleted file mode 100644
index 82ff709..0000000
--- a/yara-mikesxrs/one offs/Mebroot_Torpig.yar
+++ /dev/null
@@ -1,17 +0,0 @@
-rule Mebroot_Torpig
-{
- meta:
- author = "perpetualhorizon"
- reference = "https://perpetualhorizon.blogspot.com/2010/05/trip-down-memory-lane-with-torpig-part.html"
- strings:
- $a = "[avorp1_251]" fullword
- $b = "Temp\\$$$dq3e" fullword
- $c = "Temp$67we.$" fullword
- $d = "Temp\\xsw2" fullword
- $e = "controlpanel r57shell.php c99shell" fullword
- $f = "66.135.61.80" fullword
- $g = "72.51.34.52" fullword
-
- condition:
- any of them
-}
diff --git a/yara-mikesxrs/one offs/OSX_Malware.yar b/yara-mikesxrs/one offs/OSX_Malware.yar
deleted file mode 100644
index 7e28714..0000000
--- a/yara-mikesxrs/one offs/OSX_Malware.yar
+++ /dev/null
@@ -1,112 +0,0 @@ -rule OSX_backdoor_EvilOSX -{ - meta: - description = "EvilOSX MacOS/OSX backdoor" - author = "John Lambert @JohnLaTwC" - reference = "https://github.com/Marten4n6/EvilOSX, https://twitter.com/JohnLaTwC/status/966139336436498432" - date = "2018-02-23" - hash = "89e5b8208daf85f549d9b7df8e2a062e47f15a5b08462a4224f73c0a6223972a" - - strings: - $h1 = /#!\/usr\/bin\/env\s+python/ - $s0 = "import base64" fullword ascii - $s1 = "b64decode" fullword ascii - - //strings present in decoded python script: - $x0 = "EvilOSX" fullword ascii - $x1 = "get_launch_agent_directory" fullword ascii - - //Base64 encoded versions of these strings - //EvilOSX - $enc_x0 = /(AHYAaQBsAE8AUwBYA|dmlsT1NY|RQB2AGkAbABPAFMAWA|RXZpbE9TW|UAdgBpAGwATwBTAFgA|V2aWxPU1)/ ascii - - //get_launch_agent_directory - $enc_x1 = /(AGUAdABfAGwAYQB1AG4AYwBoAF8AYQBnAGUAbgB0AF8AZABpAHIAZQBjAHQAbwByAHkA|cAZQB0AF8AbABhAHUAbgBjAGgAXwBhAGcAZQBuAHQAXwBkAGkAcgBlAGMAdABvAHIAeQ|dldF9sYXVuY2hfYWdlbnRfZGlyZWN0b3J5|Z2V0X2xhdW5jaF9hZ2VudF9kaXJlY3Rvcn|ZwBlAHQAXwBsAGEAdQBuAGMAaABfAGEAZwBlAG4AdABfAGQAaQByAGUAYwB0AG8AcgB5A|ZXRfbGF1bmNoX2FnZW50X2RpcmVjdG9ye)/ ascii - - condition: - $h1 at 0 - and filesize < 30KB - and all of ($s*) - and - 1 of ($x*) - or 1 of ($enc_x*) -} - -rule OSX_backdoor_Bella -{ - meta: - description = "Bella MacOS/OSX backdoor" - author = "John Lambert @JohnLaTwC" - reference = "https://twitter.com/JohnLaTwC/status/911998777182924801" - date = "2018-02-23" - hash = "4288a81779a492b5b02bad6e90b2fa6212fa5f8ee87cc5ec9286ab523fc02446 cec7be2126d388707907b4f9d681121fd1e3ca9f828c029b02340ab1331a5524 e1cf136be50c4486ae8f5e408af80b90229f3027511b4beed69495a042af95be" - - strings: - $h1 = /#!\/usr\/bin\/env\s+python/ - - //prereqs - $s0 = "subprocess" fullword ascii - $s1 = "import sys" fullword ascii - $s2 = "shutil" fullword ascii - - $p0 = "create_bella_helpers" fullword ascii - $p1 = "is_there_SUID_shell" fullword ascii - $p2 = "BELLA IS NOW RUNNING" fullword ascii - $p3 = "SELECT * FROM bella 
WHERE id" fullword ascii - - $subpart1_a = "inject_payloads" fullword ascii - $subpart1_b = "check_if_payloads" fullword ascii - $subpart1_c = "updateDB" fullword ascii - - $subpart2_a = "appleIDPhishHelp" fullword ascii - $subpart2_b = "appleIDPhish" fullword ascii - $subpart2_c = "iTunes" fullword ascii - condition: - $h1 at 0 - and filesize < 120KB - and @s0[1] < 100 - and @s1[1] < 100 - and @s2[1] < 100 - and - 1 of ($p*) - or all of ($subpart1_*) - or all of ($subpart2_*) -} - - -rule persistence_agent_macos -{ - meta: - hash = "4288a81779a492b5b02bad6e90b2fa6212fa5f8ee87cc5ec9286ab523fc02446 cec7be2126d388707907b4f9d681121fd1e3ca9f828c029b02340ab1331a5524 e1cf136be50c4486ae8f5e408af80b90229f3027511b4beed69495a042af95be" - - strings: - $h1 = "#!/usr/bin/env python" - $s_1= "<plist" ascii fullword - $s_2= "ProgramArguments" ascii fullword - $s_3= "Library" ascii fullword - $sinterval_1= "StartInterval" ascii fullword - $sinterval_2= "RunAtLoad" ascii fullword - - //<plist - $e_1 = /(AHAAbABpAHMAdA|cGxpc3|PABwAGwAaQBzAHQA|PHBsaXN0|wAcABsAGkAcwB0A|xwbGlzd)/ ascii - - //ProgramArguments - $e_2 =/(AAcgBvAGcAcgBhAG0AQQByAGcAdQBtAGUAbgB0AHMA|AHIAbwBnAHIAYQBtAEEAcgBnAHUAbQBlAG4AdABzA|Byb2dyYW1Bcmd1bWVudH|cm9ncmFtQXJndW1lbnRz|UAByAG8AZwByAGEAbQBBAHIAZwB1AG0AZQBuAHQAcw|UHJvZ3JhbUFyZ3VtZW50c)/ ascii - //Library - $e_4 = /(AGkAYgByAGEAcgB5A|aWJyYXJ5|TABpAGIAcgBhAHIAeQ|TGlicmFye|wAaQBiAHIAYQByAHkA|xpYnJhcn)/ ascii - - //StartInterval - $einterval_a = /(AHQAYQByAHQASQBuAHQAZQByAHYAYQBsA|dGFydEludGVydmFs|MAdABhAHIAdABJAG4AdABlAHIAdgBhAGwA|N0YXJ0SW50ZXJ2YW|U3RhcnRJbnRlcnZhb|UwB0AGEAcgB0AEkAbgB0AGUAcgB2AGEAbA)/ ascii - $einterval_b = /(AHUAbgBBAHQATABvAGEAZA|dW5BdExvYW|IAdQBuAEEAdABMAG8AYQBkA|J1bkF0TG9hZ|UgB1AG4AQQB0AEwAbwBhAGQA|UnVuQXRMb2Fk)/ ascii - - condition: - $h1 at 0 - and filesize < 120KB - and - ( - (all of ($s_*) and 1 of ($sinterval*)) - or - (all of ($e_*) and 1 of ($einterval*)) - ) - -} 
diff --git a/yara-mikesxrs/one offs/Pegasus.yar b/yara-mikesxrs/one offs/Pegasus.yar
deleted file mode 100644
index 0a31a2f..0000000
--- a/yara-mikesxrs/one offs/Pegasus.yar
+++ /dev/null
@@ -1,24 +0,0 @@
-/*
-author: ben actis
-notes: rough attempt to find more samples on vt via vt hunting.
- * special thanks to https://twitter.com/iMokhles/status/769362814490279936
- * for reversing and posting screesnshot on twitter while i was on vaction without ios device
-
- * lookout i love you guys, please share hashes :)
-
- * jcase has awesome bbq
-
-*/
-rule iOSPegasusDetected
-{
- strings:
- $a01 = "/private/var/root/test.app/data"
- $a02 = "/private/var/root/test.app/d/"
- $a03 = "/private/var/root/test.app"
- $a04 = "/private/var/tmp/crw"
- $a05 = "/private/var/tmp/cr"
- $a06 = "/private/var/tmp/st_data/"
-
- condition:
- any of them
-}
diff --git a/yara-mikesxrs/one offs/Qadars_DGA.yar b/yara-mikesxrs/one offs/Qadars_DGA.yar
deleted file mode 100644
index ea0d331..0000000
--- a/yara-mikesxrs/one offs/Qadars_DGA.yar
+++ /dev/null
@@ -1,10 +0,0 @@
-rule Qadars_DGA
- {
- meta:
- author = "PhishLabs"
- reference = "https://info.phishlabs.com/blog/dissecting-the-qadars-banking-trojan"
- strings:
- $dga_function = { 69 C9 93 B1 39 3E BE F1 E1 00 00 2B F1 81 E6 FF FF FF 7F B8 56 55 55 55 F7 EE 8B C2 C1 E8 1F 03 C2 8D 04 40 }
- condition:
- $dga_function
- }
diff --git a/yara-mikesxrs/one offs/Shellphish.yar b/yara-mikesxrs/one offs/Shellphish.yar
deleted file mode 100644
index 2f76c49..0000000
--- a/yara-mikesxrs/one offs/Shellphish.yar
+++ /dev/null
@@ -1,12 +0,0 @@
-rule ShellPhish
-{
- meta:
- reference = "https://windowsir.blogspot.com/2017/10/updates.html"
- strings:
- $birth_node = { 08 D4 0C 47 F8 73 C2 }
- $vol_id = { 7E E4 BC 9C }
- $sid = "2287413414-4262531481-1086768478" wide ascii
-
- condition:
- all of them
-}
diff --git a/yara-mikesxrs/one offs/W32ChirB.yar b/yara-mikesxrs/one offs/W32ChirB.yar
deleted file mode 100644
index 84b79cb..0000000
--- a/yara-mikesxrs/one offs/W32ChirB.yar
+++ /dev/null
@@ -1,90 +0,0 @@ -import "pe" - -rule W32ChirB_eml { - meta: - description = "readme.eml - Chir.B" - author = "wit0k" - reference = "" - date = "2018-08-30" - hash1 = "d41a5c4fe5171cbfe26ef04da347188d1c22e34d2d4cdffd833f38d61e3b6ec8" - strings: - $s4 = "<html><HEAD></HEAD><body bgColor=3D#ffffff><iframe src=3Dcid:THE-CID height=3D0 width=3D0></iframe></body></html>" fullword ascii - $s6 = "UAToCwAAAGCJGIlQBPzzpGHP+maPAGaPQAaLdQiLfQyLTRDM+2HJwgwA6cgAAABgi0UIagBQUGoA/5aQAAAAYcnCBAAAAAAAAAAAAMMAAAAAAAAAAAAAAAAAAAA=" fullword ascii - $s7 = /FROM: .{1,20}@yahoo\.com/ fullword ascii nocase - $s8 = /Content-Type: audio\/x-wav; name=.{1,20}.exe/ fullword ascii nocase - $s11 = "dmFTY3JpcHQiPndpbmRvdy5vcGVuKCJyZWFkbWUuZW1sIiwgbnVsbCwicmVzaXphYmxlPW5vLHRvcD02MDAwLGxlZnQ9NjAwMCIpPC9zY3JpcHQ+PC9odG1sPgBYanhQ" ascii /* base64 encoded string 'vaScript">window.open("readme.eml", null,"resizable=no,top=6000,left=6000")</script></html>...' */ - $s18 = "TVpQAAIAAAAEAA8A//8AALgAAAAAAAAAQAAaAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAALoQAA4ftAnNIbgBTM0hkJBUaGlzIHByb2dyYW0gbXVz" ascii /* base64 encoded string 'MZP...This program mus' */ - condition: - ( uint16(0) == 0x20ce and filesize < 120KB and ( 3 of them ) - ) or ( all of them ) -} - -rule W32ChirB_pe_infector { - meta: - description = "pp.exe - Chir.B" - author = "wit0k" - reference = "" - date = "2018-08-31" - hash1 = "d2f46265c39c21bc544b9ab4fad708bae7f33defff32f280806d48e3eb31e510" - strings: - $s1 = "<html><HEAD></HEAD><body bgColor=3D#ffffff><iframe src=3Dcid:THE-CID height=3D0 width=3D0></iframe></body></html>" fullword ascii - $s2 = "<html><script language=\"JavaScript\">window.open(\"readme.eml\", null,\"resizable=no,top=6000,left=6000\")</script></html>" fullword ascii - $s3 = /FROM: .{1,20}@yahoo\.com/ fullword ascii nocase - $s4 = /Content-Type: audio\/x-wav; name=.{1,20}.exe/ fullword ascii nocase - $s5 = "\\runouce.exe" fullword ascii - $s6 = "Net Send * My god! 
Some one killed ChineseHacker-2 Monitor" fullword ascii - $s7 = /readme\.eml/ fullword ascii - $s8 = "Runonce" fullword ascii - $s9 = "SUBJECT: %s is comming!" fullword ascii - $s10 = /MAIL FROM: .{1,20}@btamail\.net.\cn/ fullword ascii - $s11 = "Content-id: THE-CID" fullword ascii - $s12 = "btamail.net.cn" fullword ascii - $ds1 = "This program cannot be run in DOS mode" - condition: - (uint16(0) == 0x5a4d or uint16(0) == 0x4d5a ) and ( 8 of them ) and (filesize < 120KB) and not $ds1 -} - -rule W32ChirB_infected_pe { - meta: - description = "pp.exe appended to an exe" - author = "wit0k" - reference = "" - date = "2018-08-31" - hash1 = "6ca9ff59325d13f1dd69855d88633814c685bcf0db44415888a3ceeeab731493" - strings: - $s1 = "<html><HEAD></HEAD><body bgColor=3D#ffffff><iframe src=3Dcid:THE-CID height=3D0 width=3D0></iframe></body></html>" fullword ascii - $s2 = "<html><script language=\"JavaScript\">window.open(\"readme.eml\", null,\"resizable=no,top=6000,left=6000\")</script></html>" fullword ascii - $s3 = /FROM: .{1,20}@yahoo\.com/ fullword ascii nocase - $s4 = /Content-Type: audio\/x-wav; name=.{1,20}.exe/ fullword ascii nocase - $s5 = "\\runouce.exe" fullword ascii - $s6 = "Net Send * My god! Some one killed ChineseHacker-2 Monitor" fullword ascii - $s7 = "readme.eml" fullword ascii - $s8 = "Runonce" fullword ascii - $s9 = "SUBJECT: %s is comming!" 
fullword ascii - $s10 = /MAIL FROM: .{1,20}@btamail\.net.\cn/ fullword ascii - $s11 = "Content-id: THE-CID" fullword ascii - $s12 = "btamail.net.cn" fullword ascii - $s13 = "ChineseHacker-2" ascii wide - $b14 = { 60 E8 E6 19 00 00 8B 74 24 20 E8 08 00 00 00 61 } /* Begining of injected code */ - $ds1 = "This program cannot be run in DOS mode" - condition: - ( uint16(0) == 0xe860 and - ( 8 of them ) and ( $b14 at pe.entry_point ) and $ds1 - ) or ( all of them ) -} - - -rule W32ChirB_LastResort -{ - meta: - Description = "" - - strings: - $a = "runouce.exe" ascii wide - $b = /.{1,20}@btamail.net.cn/ fullword ascii nocase - $c = "ChineseHacker-2" ascii wide - - condition: - all of them -} - diff --git a/yara-mikesxrs/one offs/XorDDoS.yar b/yara-mikesxrs/one offs/XorDDoS.yar deleted file mode 100644 index 243158b..0000000 --- a/yara-mikesxrs/one offs/XorDDoS.yar +++ /dev/null @@ -1,17 +0,0 @@ -rule XorDDoSv1 -{ -meta: - author = "Akamai SIRT" - description = "Rule to detect XorDDoS infection" - reference = "https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/fast-dns-xor-botnet-case-study.pdf" -strings: - $st0 = "BB2FA36AAA9541F0" - $st1 = "md5=" - $st2 = "denyip=" - $st3 = "filename=" - $st4 = "rmfile=" - $st5 = "exec_packet" - $st6 = "build_iphdr" -condition: - all of them -} diff --git a/yara-mikesxrs/one offs/ammyy_cerber3.yar b/yara-mikesxrs/one offs/ammyy_cerber3.yar deleted file mode 100644 index 27f4607..0000000 --- a/yara-mikesxrs/one offs/ammyy_cerber3.yar +++ /dev/null 
@@ -1,21 +0,0 @@
-rule ammyy_cerber3 {
- meta:
- description = "Rule to detect Ammyy Admin / Cerber 3.0 Ransomware"
- author = "Rich Walchuck"
- source = "AA_v3.5.exe"
- md5 = "54d07ec77e3daaf32b2ba400f34dd370"
- sha1 = "3a99641ba00047e1be23dfae4fcf6242b8b8eb10"
- sha256 = "99b84137b5b8b3c522414e332526785e506ed2dbe557eafc40a7bcf47b623d88"
- date = "09/28/2016"
- strings:
- $s0 = "mailto:support@ammy.com" fullword ascii
- $s1 = "@$&%04\\Uninstall.exe" fullword ascii
- $s2 = "@$&%05\\encrypted.exe" fullword ascii
- $s3 = "http://www.ammy.com/" fullword ascii
- $s4 = "@$&%05\\AA_v3.exe" fullword ascii
- $s5 = "ammy 1.00 - Smart Install Maker" fullword ascii
- $s6 = "ammy 1.00 Installation" fullword wide
- $s7 = "Ammy" fullword wide
- condition:
- all of them
-}
diff --git a/yara-mikesxrs/one offs/crime_ole_loadswf_cve_2018_4878.yar b/yara-mikesxrs/one offs/crime_ole_loadswf_cve_2018_4878.yar
deleted file mode 100644
index ff526eb..0000000
--- a/yara-mikesxrs/one offs/crime_ole_loadswf_cve_2018_4878.yar
+++ /dev/null
@@ -1,35 +0,0 @@
-rule crime_ole_loadswf_cve_2018_4878
-{
-meta:
-description = "Detects CVE-2018-4878"
-vuln_type = "Remote Code Execution"
-vuln_impact = "Use-after-free"
-affected_versions = "Adobe Flash 28.0.0.137 and earlier versions"
-mitigation0 = "Implement Protected View for Office documents"
-mitigation1 = "Disable Adobe Flash"
-weaponization = "Embedded in Microsoft Office first payloads"
-actor = "Purported North Korean actors"
-reference = "hxxps://www[.]krcert[.]or[.kr/data/secNoticeView.do?bulletin_writing_sequence=26998"
-report = "https://www.flashpoint-intel.com/blog/targeted-attacks-south-korean-entities/"
-author = "Vitali Kremez, Flashpoint"
-version = "1.1"
-
-strings:
-// EMBEDDED FLASH OBJECT BIN HEADER
-$header = "rdf:RDF" wide ascii
-
-// OBJECT APPLICATION TYPE TITLE
-$title = "Adobe Flex" wide ascii
-
-// PDB PATH
-$pdb = "F:\\work\\flash\\obfuscation\\loadswf\\src" wide ascii
-
-// LOADER STRINGS
-$s0 = "URLRequest" wide ascii
-$s1 = "URLLoader" wide ascii
-$s2 = "loadswf" wide ascii
-$s3 = "myUrlReqest" wide ascii
-
-condition:
-all of ($header*) and all of ($title*) and 3 of ($s*) or all of ($pdb*) and all of ($header*) and 1 of ($s*)
-}
diff --git a/yara-mikesxrs/one offs/crime_win32_gratefulpos_trojan.yar b/yara-mikesxrs/one offs/crime_win32_gratefulpos_trojan.yar
deleted file mode 100644
index bfd887a..0000000
--- a/yara-mikesxrs/one offs/crime_win32_gratefulpos_trojan.yar
+++ /dev/null
@@ -1,30 +0,0 @@
-rule crime_win32_gratefulpos_trojan {
- meta:
- description = "GratefulPOS malware variant"
- author = "@VK_Intel"
- reference = "Detects GratefulPOS"
- reference = "http://www.vkremez.com/2017/12/lets-learn-reversing-grateful-point-of.html"
- date = "2017-12-10"
- strings:
- $s0 = "conhost.exe" fullword ascii
- $s1 = "del logmeinlauncher.exe" fullword ascii
- $s2 = "Chrome.exe" fullword ascii
- $s3 = "taskmgr.exe" fullword ascii
- $s4 = "firefox.exe" fullword ascii
- $s5 = "logmeinlauncher.exe stop" fullword ascii
- $s6 = "ping 1.1.1.1 -n 1 -w 3000 > nul" fullword ascii
- $s7 = "Ymscoree.dll" fullword wide
- $s8 = "LogMeInHamachi Process Launcher" fullword ascii
- $s9 = "sched.exe" fullword ascii
- $s10 = "wininit.exe" fullword ascii
- $s11 = "wmiprvse.exe" fullword ascii
- $s12 = "RegSrvc.exe" fullword ascii
- $s13 = "mdm.exe" fullword ascii
- $s14 = "GET /index.php HTTP/1.0" fullword ascii
- $s15 = "LogMeIn Hamachi Launcher" fullword ascii
- $s16 = "logmein.bid" fullword ascii
- $s17 = "del sd.bat" fullword ascii
- $s18 = "sd.bat" fullword ascii
- condition:
- uint16(0) == 0x5a4d and filesize < 500KB and 10 of them
-}
diff --git a/yara-mikesxrs/one offs/dridex.yar b/yara-mikesxrs/one offs/dridex.yar
deleted file mode 100644
index 10d998a..0000000
--- a/yara-mikesxrs/one offs/dridex.yar
+++ /dev/null
@@ -1,17 +0,0 @@
-rule dridex : dridex
-{
- meta:
- description = “Dridex Malware Indicators”
- author = “Kunal Makwana”
- date = “2016/04/03”
- thread_level = 4
- in_the_wild = true
-
- strings:
- $domain = “g-t-c-co.uk” nocase
- $ip = “185.11.240.14” wide ascii
- $mail = “ali73_2008027@yahoo.co.uk” wide ascii
-
- condition:
- $domain or $ip or $mail
-}
diff --git a/yara-mikesxrs/one offs/fastposloader.yar b/yara-mikesxrs/one offs/fastposloader.yar
deleted file mode 100644
index 74e8fd5..0000000
--- a/yara-mikesxrs/one offs/fastposloader.yar
+++ /dev/null
@@ -1,33 +0,0 @@
-private rule IsPE
-{
- condition:
- // MZ signature at offset 0 and ...
- uint16(0) == 0x5A4D and
- // ... PE signature at offset stored in MZ header at 0x3C
- uint32(uint32(0x3C)) == 0x00004550
-}
-
-
-
-
-rule fastposloader: posmalware{
-
-meta:
- author = "Nikolaos Pantazopoulos"
- date = "20/11/2016"
- description = "FastPos malware"
-
-strings:
-
- $string1 = "keylogaaa9logbbb7"
- $string2 = "\\_hookRecvSrvc\\Release\\_hookRecvSrvc.pdb"
- $string3 = "\\_hookProc\\Release\\_hookProc.pdb"
- $string4 = "statuslog&log=procinstalled"
- $string5 = "\\_hookKlg\\Release\\_hookKlg.pdb"
- $string6 = "CLAXCSSPLS"
- $string7 = "statuslog&log=kbinjected"
- $string8 = "\\_hookLoader\\Release\\_hookLoader.pdb"
- $string9 = "\\\\.\\mailslot\\trackslot"
-condition:
- all of($string*) and IsPE
-}
diff --git a/yara-mikesxrs/one offs/marcher.yar b/yara-mikesxrs/one offs/marcher.yar
deleted file mode 100644
index 1d6a7fb..0000000
--- a/yara-mikesxrs/one offs/marcher.yar
+++ /dev/null
@@ -1,18 +0,0 @@
-rule marcher
-{
- meta:
- description = "This rule detects a variant of Marcher"
- sample = "6c15fcdcee665dd38a24931da27b1e16c0b15de832d968bf5891d8e389a32d3e"
- author = "strobostro"
-
- strings:
- $a = "com.note.donote" wide
- $b = "Adobe Flash Player" wide
- $c = "Click on Activate button to secure your application" wide
- $d = "Please submit your Verifed buy MasterCard Password" wide
- $e = "Please submit your Verifed buy Visa Password" wide
-
- condition:
- $a and any of ($b,$c,$d,$e)
-
-}
diff --git a/yara-mikesxrs/one offs/mwi_document.yar b/yara-mikesxrs/one offs/mwi_document.yar
deleted file mode 100644
index 648dcd5..0000000
--- a/yara-mikesxrs/one offs/mwi_document.yar
+++ /dev/null
@@ -1,14 +0,0 @@
-rule mwi_document : exploitdoc
-{
- meta:
- description = "MWI generated document"
- reference = "https://blog.0x3a.com/post/117760824504/analysis-of-a-microsoft-word-intruder-sample"
-
- strings:
- $field_creation_tag = "{\\field{\\*\\fldinst { INCLUDEPICTURE"
- $mwistat_url = ".php?id="
- $field_closing_tag = "\\\\* MERGEFORMAT \\\\d}}{\\fldrslt}}"
-
- condition:
- all of them
-}
diff --git a/yara-mikesxrs/one offs/nettraveler.yar b/yara-mikesxrs/one offs/nettraveler.yar
deleted file mode 100644
index 93bd2db..0000000
--- a/yara-mikesxrs/one offs/nettraveler.yar
+++ /dev/null
@@ -1,26 +0,0 @@
-/*
- Rules generated from APT Report NetTraveler
- http://www.securelist.com/en/blog/8105/NetTraveler_is_Running_Red_Star_APT_Attacks_Compromise_High_Profile_Victims
-*/
-rule APT_Malware_BAT_Contents {
- meta: description = "APT Malware Batch File Contents" threat_level = 10 score = 60
- strings:
- $a1 = ">nul del"
- $a2 = "service.exe"
- $a3 = "service.dll"
- condition: all of them
-}
-rule APT_Malware_NetTraveler_Saker {
- meta: description = "APT Malware NetTraveler Saker" threat_level = 10 score = 50
- strings:
- $a1 = "JustTempFun" fullword
- $a2 = "servicemain" nocase fullword
- condition: all of them
-}
-rule APT_Malware_NetTraveler_Trojan {
- meta: description = "APT Malware NetTraveler Trojan" threat_level = 10 score = 65
- strings:
- $a1 = "Get From IEOption!"
- $a2 = "Get From Reg!"
- condition: all of them
-}
diff --git a/yara-mikesxrs/one offs/packager_cve2017_11882.yar b/yara-mikesxrs/one offs/packager_cve2017_11882.yar
deleted file mode 100644
index 11f9fa0..0000000
--- a/yara-mikesxrs/one offs/packager_cve2017_11882.yar
+++ /dev/null
@@ -1,16 +0,0 @@
-rule packager_cve2017_11882 {
- meta:
- author = "Rich Warren"
- description = "Attempts to exploit CVE-2017-11882 using Packager"
- reference = "https://github.com/rxwx/CVE-2017-11882/blob/master/packager_exec_CVE-2017-11882.py"
- score = 60
- strings:
- $header_rtf = "{\\rt" nocase
-
- $font = { 30 61 30 31 30 38 35 61 35 61 }
- $equation = { 45 71 75 61 74 69 6F 6E 2E 33 }
- $package = { 50 61 63 6b 61 67 65 }
- $header_and_shellcode = /03010[0,1][0-9a-fA-F]{108}00/ ascii nocase
- condition:
- all of them and $header_rtf at 0
-}
diff --git a/yara-mikesxrs/one offs/snake_uroburos.yar b/yara-mikesxrs/one offs/snake_uroburos.yar
deleted file mode 100644
index 53e6179..0000000
--- a/yara-mikesxrs/one offs/snake_uroburos.yar
+++ /dev/null
@@ -1,30 +0,0 @@
-rule snake_packed
-{
-meta:
-author = "artemonsecurity"
-md5 = "f4f192004df1a4723cb9a8b4a9eb2fbf"
-reference = "http://artemonsecurity.com/uroburos.pdf"
-strings:
-/*
-25 FF FF FE FF and eax, 0FFFEFFFFh
-0F 22 C0 mov cr0, eax
-C0 E8 ?? ?? 00 00 call sub_????
-*/
-$cr0 = { 25 FF FF FE FF 0F 22 C0 E8 ?? ?? 00 00}
-condition:
-any of them
-}
-
-rule snake
-{
-meta:
-author = "artemonsecurity"
-md5 = "40aa66d9600d82e6c814b5307c137be5"
-reference = "http://artemonsecurity.com/uroburos.pdf"
-strings:
-$ModuleStart = { 00 4D 6F 64 75 6C 65 53 74 61 72 74 00 }
-$ModuleStop = { 00 4D 6F 64 75 6C 65 53 74 6F 70 00}
-$firefox = "firefox.exe"
-condition:
-all of them
-}
diff --git a/yara-mikesxrs/paloalto/Palo_Alto_index.yara b/yara-mikesxrs/paloalto/Palo_Alto_index.yara
deleted file mode 100644
index 338a4e2..0000000
--- a/yara-mikesxrs/paloalto/Palo_Alto_index.yara
+++ /dev/null
@@ -1,207 +0,0 @@ -rule ce_enfal_cmstar_debug_msg - -{ - - meta: - - author = "rfalcone" - - description = "Detects the static debug strings within CMSTAR" - - reference = "9b9cc7e2a2481b0472721e6b87f1eba4faf2d419d1e2c115a91ab7e7e6fc7f7c" - - date = "5/10/2015" - - link = "http://researchcenter.paloaltonetworks.com/2015/05/cmstar-downloader-lurid-and-enfals-new-cousin/" - - strings: - - $d1 = "EEE\x0d\x0a" fullword - - $d2 = "TKE\x0d\x0a" fullword - - $d3 = "VPE\x0d\x0a" fullword - - $d4 = "VPS\x0d\x0a" fullword - - $d5 = "WFSE\x0d\x0a" fullword - - $d6 = "WFSS\x0d\x0a" fullword - - $d7 = "CM**\x0d\x0a" fullword - - condition: - - uint16(0) == 0x5a4d and all of ($d*) - -} - - -rule hancitor_dropper : vb_win32api -{ - meta: - author = "Jeff White - jwhite@paloaltonetworks.com @noottrak" - date = "18AUG2016" - hash1 = "03aef51be133425a0e5978ab2529890854ecf1b98a7cf8289c142a62de7acd1a" - hash2 = "4b3912077ef47515b2b74bc1f39de44ddd683a3a79f45c93777e49245f0e9848" - hash3 = "a78972ac6dee8c7292ae06783cfa1f918bacfe956595d30a0a8d99858ce94b5a" - reference = "https://github.com/pan-unit42/public_tools/tree/master/hancitor" - - strings: - $api_01 = { 00 56 69 72 74 75 61 6C 41 6C 6C 6F 63 00 } // VirtualAlloc - $api_02 = { 00 52 74 6C 4D 6F 76 65 4D 65 6D 6F 72 79 00 } // RtlMoveMemory - $api_04 = { 00 43 61 6C 6C 57 69 6E 64 6F 77 50 72 6F 63 41 00 } // CallWindowProcAi - $magic = { 50 4F 4C 41 } // POLA - - condition: - uint32be(0) == 0xD0CF11E0 and all of ($api_*) and $magic -} - -/* - -SAMPLES: - -000f7832251ae4ba41c42c46d83cbf13d0b2aed0c1f949fbe68b728fdcb2fada_S2.exe -0002218f5c47ef709e390288e4268a02bb9d9087a996bb55d3a9c23d68a46760_S2.exe -000fa485eda66fd4b5acd3fee4e2cdf5bd8e82a4968d27c202fe4747dfb57d00_S2.exe -001451cfe7d492163ebcdaa2a3da9eb849ab0bd509cd969dd75965c88c19d5d4_S2.exe -001627a8adaf2ea97b19dd4f6b915abf57bd41b4fe7af33d5f9f381a97d04a3d_S2.exe -001856ba5da54bdf6cb87c61254af2ca9f936e83402e43579177bd0f4ac1f120_S2.exe 
-0022f6c5ec68cabb34eee693cb23cb72a1099719b93f552cb9a09a99a0086afc_S2.exe -002763b63f07529dd29c7840fed0e1bc68c974364b3aa64f7b6b225ca191f87f_S2.exe -002ccf946b928eb123790aa8a6a4e1574827f6d387c661003df6e095d1d9137b_S2.exe -002d93a56d6da0d4cd39c1d1bb36ebfb8bb493b0a204882120fc305c1b840caa_S2.exe -0031be555860fee238837c1004d2f0ec353487ce6f9d0715106bb5670d965862_S2.exe -0033f126d294bdda76e68d8dc994189a5d82e728e9e2cbe273789107bd855e06_S2.exe -0039b33d9b86b02a4df6a605018a9749693ea3d871b187d9d1e1e0ec58e63f26_S2.exe -003e0e981f9ec2f4ff844161dc2aca600df38965b9dd586532ede80f6367e90b_S2.exe -0042539fb052745f1568b089bf86e41d393b981cdfc7201f7d8bdde145714fe2_S2.exe -0043d7cf12ad497de3cc4739a435f1765ec4c65e05e1f21faecfe40cc9d4fc35_S2.exe -004fa50455bac533cfa150660a6148ed20eb19a1169aa48991367eabb7494f1e_S2.exe -00509f0c3436a02e09a49226169d28979d0b4eb42375cf2dbb1733cc67333b73_S2.exe -0056fc1baedc78d43638f509d4a2ff617567cdffe4e0aa6a9892d80b076b2e4d_S2.exe -0058b39843b0c37520a28a4d239de2e934a811159fe6a310e63b9fcf85ac2cf7_S2.exe -005b3491673d414c65c0b2c8c351b672dd41a1679c97ffd7e4e0a6b1d00580a9_S2.exe -005dee83851ee0db47b705b4ac6857bc4649e59c47418208d62ce3cc0c1f9a02_S2.exe -006446a6303d85b5427139c6bc08c0f12e361d49cd7fa1ccc3e431d2fdd56d8c_S2.exe -006495c7fb7388f0513a24d9d09bf9517d5a3fd05c0da7d39311f6e6cf0f8fe3_S2.exe -0065a97402349fbbe5195effd6329ed89eb276ac3f728c7f8827d913d1296037_S2.exe -006cc18d23ba7ec78ce5d3e78cde63157abd05b1e1908c93c35f99933637a6e7_S2.exe -006cc87046164b41330918db95150f16227aa235865c4c95283b2d5fb9bd0d18_S2.exe -008d53efab6e0be2f356ce86581414db9804d46170eea4b408b6f23690a35487_S2.exe -009794dbe2aefed8ebd0d433c4b5c8931f6b3c1eaf0fbb34ad3fb247ae8dd0b5_S2.exe -009b714c0a6731f2eadd04dab409172d34986526a298b7a1fe4f51152bf6773e_S2.exe -00a1fb0d0a45ec998f65a458e55790e49944bb36b9398d7be495aa7ac7f27ac4_S2.exe -00a24e6e5da9bea88f695e7b15621f418f683ce0b185ee67ba66e91bfe360e53_S2.exe -00a90d131960bbad21a4f787f328d69b3af514f6e800cea606deb97aa0393e29_S2.exe 
-00aae024d89ebdee5464f410fe588f31a1888f84eb68ee6dddb1ddf9b86012aa_S2.exe -00ae14dc7815f74b083abc290d561d59fa8bc9717c22423fdec109bedc0de170_S2.exe -00b088c257b7aab93e262445085337261a8b6d4369e9e48c6fe840c56971d8c2_S2.exe -00b3c741c366252a8472046960b35636cf6c651a73d94d2810d14446dfae6db1_S2.exe -00b46ed617c1d651dadd8b4abad8b644f30e49e0d12bc378dfb720f9b55b6277_S2.exe -00b4f5d82ff5636d87821e2eb367c63bf83f478d4d4c480a3d9bc920bcd23f4a_S2.exe -00b515429f4b16a501d7c97999eb884210dcf5b413b3896e11c03a926b31289f_S2.exe -00bdb09cd6dfc308cc101aa009240ba612df781c62efb705f7b2ba9c198494d9_S2.exe -00c4a1abded604c193671ac83935cf5e84bf272b5b574c26dfc814821d38155e_S2.exe -00c7f1f0183fdb23eba1c5bfbe94518bbe22093bd8ae648c8c242229ca65c46a_S2.exe -00c9f1276737f9ab4eb49c6c3a8c955cae7085fb7744ab0f0b90cc6b83eea377_S2.exe -00d552f43b11e0017ff34576e2fbe5d47db4c5141ed0cc7cad1a6367a5161839_S2.exe -00dc95924de13484980037630e916271fdf0568fbb77b2dbe0b622f526b403ba_S2.exe -00ded1b849e87b266e63924bf17e7e142899d1dd57d6085ec6490c29c65c6008_S2.exe -00e67a9a4b5be7bd31fbc88bb3b6e34107f1a93b2b6dab0598cedcfb410fe256_S2.exe -00e706f9118c32ed1cd3ce9e0444053c47daffc3e7e53b32061ec039834292ca_S2.exe -00f0424b7659c7ec499c70cfcea411f71672fc89c92f564bf11b0a043059d2dd_S2.exe - -BYTES: - -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 - -*/ - -rule hancitor_payload - { - meta: - author = "Jeff White - jwhite@paloalnetworks.com @noottrak" - date = "26AUG2016" - reference = "https://github.com/pan-unit42/public_tools/tree/master/hancitor" - - - strings: - $byte_code = { 5? 8? ?? 83 ?? ?? ?? ?? ?? ?? 75 ?? FF ?? ?? ?? ?? ?? A3 ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 74 ?? 8? ?? ?? 5? 6A ?? 8? ?? ?? ?? ?? ?? 5? FF ?? ?? ?? ?? ?? EB ?? 33 ?? 5D C3 CC CC CC CC CC CC CC 5? 8? ?? 83 ?? ?? ?? ?? ?? ?? 74 ?? 8? ?? ?? 5? 6A ?? 8? ?? ?? ?? ?? ?? 5? FF ?? ?? ?? ?? ?? 5D C3 CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC 5? 8? ?? 83 ?? ?? 8? ?? ?? 8? ?? ?? 8? ?? ?? 8? ?? ?? 8? ?? ?? 83 ?? ?? 8? ?? ?? 83 ?? ?? ?? 74 ?? 8? ?? ?? 8? ?? ?? 
8? ?? 8? ?? ?? 83 ?? ?? 8? ?? ?? EB ?? 8? ?? ?? 8? ?? 5D C3 CC CC CC CC CC 5? 8? ?? 83 ?? ?? 8? ?? ?? 8? ?? ?? 8? ?? ?? 8? ?? ?? 8? ?? ?? 83 ?? ?? 8? ?? ?? 83 ?? ?? ?? 74 ?? 8? ?? ?? 8? ?? ?? 8? ?? 8? ?? 8? ?? ?? 83 ?? ?? 8? ?? ?? 8? ?? ?? 83 ?? ?? 8? ?? ?? EB ?? 8? ?? ?? 8? ?? 5D C3 CC CC CC CC CC CC CC CC CC CC 5? 8? ?? 83 ?? ?? ?? ?? ?? ?? 75 ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? 85 ?? 74 ?? 8? ?? ?? ?? ?? ?? 0F BE ?? 83 ?? ?? 74 ?? A1 ?? ?? ?? ?? 0F BE ?? 85 ?? 75 ?? 8? ?? ?? C6 ?? ?? EB ?? 8? ?? ?? 8? ?? ?? ?? ?? ?? 8? ?? 8? ?? 8? ?? ?? 83 ?? ?? 8? ?? ?? 8? ?? ?? ?? ?? ?? 83 ?? ?? 8? ?? ?? ?? ?? ?? EB ?? 8? ?? ?? ?? ?? ?? 0F BE ?? 83 ?? ?? 75 ?? 8? ?? ?? ?? ?? ?? 83 ?? ?? 8? ?? ?? ?? ?? ?? 8? ?? ?? ?? ?? ?? 0F BE ?? 85 ?? 75 ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 33 ?? EB ?? B8 ?? ?? ?? ?? 5D C3 CC CC CC CC CC CC CC CC CC 5? 8? ?? 83 ?? ?? ?? ?? ?? ?? 75 ?? 6A ?? 6A ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? A3 ?? ?? ?? ?? A1 ?? ?? ?? ?? 5D C3 CC CC CC CC CC 5? 8? ?? 81 ?? ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 ?? 8? ?? ?? 6A ?? 6A ?? 8D ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 8? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 8? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? 6A ?? 6A ?? 8? ?? ?? 5? FF ?? ?? ?? ?? ?? 85 ?? 75 ?? 33 ?? E9 ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 75 ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 74 ?? 83 ?? ?? ?? ?? ?? ?? 74 ?? 33 ?? E9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8? ?? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 75 ?? 33 ?? E9 ?? ?? ?? ?? 66 8B ?? ?? ?? ?? ?? 66 89 ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 75 ?? 8? ?? ?? ?? ?? ?? 0D ?? ?? ?? ?? 8? ?? ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? 0F B7 ?? ?? ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? 8? ?? ?? ?? ?? ?? 5? FF ?? ?? ?? ?? ?? 8? ?? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 75 ?? 33 ?? E9 ?? ?? ?? ?? 83 ?? ?? ?? 75 ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? EB ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 6A ?? 8? ?? 
?? ?? ?? ?? 5? 68 ?? ?? ?? ?? 6A ?? 6A ?? 8D ?? ?? ?? ?? ?? 5? 8? ?? ?? ?? ?? ?? 5? 8? ?? ?? ?? ?? ?? 5? FF ?? ?? ?? ?? ?? 8? ?? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 75 ?? 8? ?? ?? ?? ?? ?? 5? FF ?? ?? ?? ?? ?? 33 ?? E9 ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 75 ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? 6A ?? 8? ?? ?? ?? ?? ?? 5? FF ?? ?? ?? ?? ?? 8? ?? ?? ?? ?? ?? 0D ?? ?? ?? ?? 8? ?? ?? ?? ?? ?? 6A ?? 8D ?? ?? ?? ?? ?? 5? 6A ?? 8? ?? ?? ?? ?? ?? 5? FF ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 83 ?? ?? ?? 74 ?? 8? ?? ?? 5? FF ?? ?? ?? ?? ?? 8? ?? ?? ?? ?? ?? 8? ?? ?? ?? ?? ?? 5? 8? ?? ?? 5? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? 8? ?? ?? ?? ?? ?? 5? FF ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 6A ?? 8D ?? ?? ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? 8? ?? ?? ?? ?? ?? 5? FF ?? ?? ?? ?? ?? 81 ?? ?? ?? ?? ?? ?? ?? ?? ?? 75 ?? 83 ?? ?? ?? 74 ?? 8? ?? ?? 5? 8? ?? ?? 83 ?? ?? 5? 8? ?? ?? 5? 8? ?? ?? ?? ?? ?? 5? FF ?? ?? ?? ?? ?? 85 ?? 74 ?? 8? ?? ?? 83 ?? ?? 76 ?? 8? ?? ?? 8? ?? 8? ?? ?? C6 ?? ?? ?? EB ?? 8? ?? ?? C7 ?? ?? ?? ?? ?? 8? ?? ?? ?? ?? ?? 5? FF ?? ?? ?? ?? ?? 8? ?? ?? ?? ?? ?? 5? FF ?? ?? ?? ?? ?? 81 ?? ?? ?? ?? ?? ?? ?? ?? ?? 75 ?? B8 ?? ?? ?? ?? EB ?? 33 ?? 8? ?? ?? 33 ?? E8 ?? ?? ?? ?? 8? ?? 5D C3 CC CC CC CC CC CC CC CC CC CC CC CC CC 5? 8? ?? 8? ?? ?? 5? 8? ?? ?? 5? 8? ?? ?? 5? 8? ?? ?? 5? 8? ?? ?? 5? 6A ?? E8 ?? ?? ?? ?? 83 ?? ?? 5D C3 CC CC CC CC CC CC CC CC CC CC CC CC CC 5? 8? ?? 8? ?? ?? 5? 8? ?? ?? 5? 8? ?? ?? 5? 8? ?? ?? 5? 8? ?? ?? 5? 6A ?? E8 ?? ?? ?? ?? 83 ?? ?? 5D C3 CC CC CC CC CC CC CC CC CC CC CC CC CC 5? 8? ?? 81 ?? ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 ?? 8? ?? ?? 6A ?? 6A ?? 8D ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 8? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 8? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? 6A ?? 6A ?? 8? ?? ?? 5? FF ?? ?? ?? ?? ?? 85 ?? 75 ?? 33 ?? E9 ?? ?? ?? 
?? 83 ?? ?? ?? ?? ?? ?? 75 ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 74 ?? 83 ?? ?? ?? ?? ?? ?? 74 ?? 33 ?? E9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8? ?? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 75 ?? 33 ?? E9 ?? ?? ?? ?? BA ?? ?? ?? ?? 66 89 ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 75 ?? B8 ?? ?? ?? ?? 66 89 ?? ?? ?? ?? ?? 8? ?? ?? ?? ?? ?? 81 ?? ?? ?? ?? ?? 8? ?? ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? 0F B7 ?? ?? ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? 8? ?? ?? ?? ?? ?? 5? FF ?? ?? ?? ?? ?? 8? ?? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 75 ?? 33 ?? E9 ?? ?? ?? ?? 6A ?? 8? ?? ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? 6A ?? 6A ?? 8D ?? ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? 8? ?? ?? ?? ?? ?? 5? FF ?? ?? ?? ?? ?? 8? ?? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 75 ?? 8? ?? ?? ?? ?? ?? 5? FF ?? ?? ?? ?? ?? 33 ?? E9 ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 75 ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? 6A ?? 8? ?? ?? ?? ?? ?? 5? FF ?? ?? ?? ?? ?? 8? ?? ?? ?? ?? ?? 0D ?? ?? ?? ?? 8? ?? ?? ?? ?? ?? 6A ?? 8D ?? ?? ?? ?? ?? 5? 6A ?? 8? ?? ?? ?? ?? ?? 5? FF ?? ?? ?? ?? ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? 8? ?? ?? ?? ?? ?? 5? FF ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 6A ?? 8D ?? ?? ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? 8? ?? ?? ?? ?? ?? 5? FF ?? ?? ?? ?? ?? 81 ?? ?? ?? ?? ?? ?? ?? ?? ?? 75 ?? 83 ?? ?? ?? 74 ?? 8? ?? ?? C7 ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 85 ?? 74 ?? 8D ?? ?? ?? ?? ?? 5? 8? ?? ?? 5? 8? ?? ?? 5? 8? ?? ?? ?? ?? ?? 5? FF ?? ?? ?? ?? ?? 8? ?? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 75 ?? 83 ?? ?? ?? ?? ?? ?? 74 ?? 8? ?? ?? 03 ?? ?? ?? ?? ?? 8? ?? ?? 8? ?? ?? 2B ?? ?? ?? ?? ?? 8? ?? ?? 8? ?? ?? 8? ?? 03 ?? ?? ?? ?? ?? 8? ?? ?? 8? ?? EB ?? EB ?? EB ?? 8? ?? ?? ?? ?? ?? 5? FF ?? ?? ?? ?? ?? 8? ?? ?? ?? ?? ?? 5? FF ?? ?? ?? ?? ?? 81 ?? ?? ?? ?? ?? ?? ?? ?? ?? 75 ?? B8 ?? ?? ?? ?? EB ?? 33 ?? 8? ?? ?? 33 ?? E8 ?? ?? ?? ?? 8? ?? 5D C3 CC CC 5? 8? ?? 81 ?? ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 ?? 8? ?? ?? 68 ?? 
?? ?? ?? 8D ?? ?? ?? ?? ?? 5? FF ?? ?? ?? ?? ?? 8? ?? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 74 ?? B9 ?? ?? ?? ?? 6B ?? ?? 8? ?? ?? ?? ?? ?? 81 ?? ?? ?? ?? ?? ?? ?? ?? ?? 73 ?? EB ?? E8 ?? ?? ?? ?? 8? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 6A ?? 8D ?? ?? ?? ?? ?? 5? 6A ?? 6A ?? 8D ?? ?? ?? ?? ?? 5? FF ?? ?? ?? ?? ?? 85 ?? 74 ?? 8? ?? ?? ?? ?? ?? EB ?? 33 ?? 8? ?? ?? 33 ?? E8 ?? ?? ?? ?? 8? ?? 5D C3 CC 5? 8? ?? 83 ?? ?? A1 ?? ?? ?? ?? 33 ?? 8? ?? ?? 0F 57 ?? 66 0F 13 ?? ?? C7 ?? ?? ?? ?? ?? ?? 8? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 8? ?? ?? 8? ?? ?? 8? ?? ?? 8D ?? ?? 5? 8? ?? ?? 5? 6A ?? 6A ?? 6A ?? FF ?? ?? ?? ?? ?? 8? ?? ?? 83 ?? ?? ?? 75 ?? 83 ?? ?? ?? 74 ?? 6A ?? 6A ?? 8D ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 8? ?? ?? 8? ?? ?? 5? 8? ?? ?? 83 ?? ?? 5? 8D ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 8? ?? ?? 33 ?? ?? 8? ?? ?? 33 ?? ?? 8? ?? ?? 8? ?? ?? 8? ?? ?? 8? ?? ?? 8? ?? ?? EB ?? 8? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? E8 ?? ?? ?? ?? 33 ?? 8? ?? ?? 8? ?? ?? 8? ?? ?? 8? ?? ?? B1 ?? E8 ?? ?? ?? ?? 33 ?? ?? 33 ?? ?? 8? ?? ?? 33 ?? E8 ?? ?? ?? ?? 8? ?? 5D C3 CC CC CC CC CC CC CC CC 5? 8? ?? A1 ?? ?? ?? ?? 0B ?? ?? ?? ?? ?? 75 ?? E8 ?? ?? ?? ?? A3 ?? ?? ?? ?? 8? ?? ?? ?? ?? ?? A1 ?? ?? ?? ?? 8? ?? ?? ?? ?? ?? 5D C3 CC CC CC 5? 8? ?? 83 ?? ?? A1 ?? ?? ?? ?? 33 ?? 8? ?? ?? B8 ?? ?? ?? ?? 6B ?? ?? 0F BE ?? ?? ?? ?? ?? 85 ?? 74 ?? 68 ?? ?? ?? ?? 8? ?? ?? 5? FF ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? EB ?? 8D ?? ?? 5? 6A ?? 68 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 83 ?? ?? 75 ?? 68 ?? ?? ?? ?? 8? ?? ?? 5? FF ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? EB ?? 68 ?? ?? ?? ?? 8? ?? ?? 5? FF ?? ?? ?? ?? ?? 33 ?? 8? ?? ?? 33 ?? E8 ?? ?? ?? ?? 8? ?? 5D C3 CC CC CC 5? 8? ?? 81 ?? ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 ?? 8? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? 8? ?? ?? ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 83 ?? ?? 75 ?? B8 ?? ?? ?? ?? 6B ?? ?? 0F BE ?? ?? ?? ?? ?? ?? 83 ?? ?? 75 ?? B8 ?? ?? ?? ?? C1 ?? ?? 0F BE ?? ?? 
?? ?? ?? ?? 83 ?? ?? 75 ?? BA ?? ?? ?? ?? D1 ?? 0F BE ?? ?? ?? ?? ?? ?? 83 ?? ?? 75 ?? B9 ?? ?? ?? ?? 6B ?? ?? 0F BE ?? ?? ?? ?? ?? ?? 83 ?? ?? 75 ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 8? ?? ?? ?? ?? ?? 8? ?? ?? 33 ?? E8 ?? ?? ?? ?? 8? ?? 5D C3 CC 5? 8? ?? B8 ?? ?? ?? ?? 6B ?? ?? 8? ?? ?? 0F BE ?? ?? 83 ?? ?? 75 ?? B9 ?? ?? ?? ?? D1 ?? 8? ?? ?? 0F BE ?? ?? 83 ?? ?? 75 ?? B9 ?? ?? ?? ?? C1 ?? ?? 8? ?? ?? 0F BE ?? ?? 83 ?? ?? 74 ?? B9 ?? ?? ?? ?? C1 ?? ?? 8? ?? ?? 0F BE ?? ?? 83 ?? ?? 74 ?? B9 ?? ?? ?? ?? C1 ?? ?? 8? ?? ?? 0F BE ?? ?? 83 ?? ?? 74 ?? B9 ?? ?? ?? ?? C1 ?? ?? 8? ?? ?? 0F BE ?? ?? 83 ?? ?? 74 ?? B9 ?? ?? ?? ?? C1 ?? ?? 8? ?? ?? 0F BE ?? ?? 83 ?? ?? 75 ?? B8 ?? ?? ?? ?? EB ?? 33 ?? 5D C3 CC CC CC CC CC CC CC 5? 8? ?? B8 ?? ?? ?? ?? C1 ?? ?? 8? ?? ?? 0F BE ?? ?? 83 ?? ?? 75 ?? B8 ?? ?? ?? ?? 6B ?? ?? 8? ?? ?? 0F BE ?? ?? 83 ?? ?? 74 ?? B9 ?? ?? ?? ?? 6B ?? ?? 8? ?? ?? 0F BE ?? ?? 83 ?? ?? 74 ?? BA ?? ?? ?? ?? 6B ?? ?? 8? ?? ?? 0F BE ?? ?? 83 ?? ?? 74 ?? B8 ?? ?? ?? ?? 6B ?? ?? 8? ?? ?? 0F BE ?? ?? 83 ?? ?? 74 ?? B9 ?? ?? ?? ?? 6B ?? ?? 8? ?? ?? 0F BE ?? ?? 83 ?? ?? 75 ?? B8 ?? ?? ?? ?? EB ?? 33 ?? 5D C3 CC CC CC CC CC CC CC CC CC CC 5? 8? ?? 81 ?? ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 ?? 8? ?? ?? FF ?? ?? ?? ?? ?? 8? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8? ?? ?? ?? ?? ?? 8? ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 8D ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 8? ?? ?? ?? ?? ?? 81 ?? ?? ?? ?? ?? 0F B7 ?? 25 ?? ?? ?? ?? 0F B6 ?? 8? ?? ?? ?? ?? ?? 8? ?? ?? ?? ?? ?? 81 ?? ?? ?? ?? ?? 0F B7 ?? C1 ?? ?? 25 ?? ?? ?? ?? 0F B6 ?? 8? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8? ?? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 75 ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? EB ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 8? ?? ?? ?? ?? ?? 5? 8? ?? ?? ?? ?? ?? 5? 8? ?? ?? ?? ?? ?? 5? 8D ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? 8? ?? ?? ?? ?? ?? 5? 8? ?? ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? FF ?? ?? ?? ?? ?? 83 ?? ?? 83 ?? ?? ?? ?? ?? ?? 75 ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? A3 ?? ?? ?? ?? B9 ?? ?? ?? 
?? 6B ?? ?? A1 ?? ?? ?? ?? C6 ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 0F 85 ?? ?? ?? ?? B9 ?? ?? ?? ?? 6B ?? ?? A1 ?? ?? ?? ?? 0F BE ?? ?? 85 ?? 75 ?? 8? ?? ?? ?? ?? ?? 5? (E8|FF) } - - condition: - uint16be(0) == 0x4D5A and $byte_code -} - -/* - -SAMPLES: - -0002218f5c47ef709e390288e4268a02bb9d9087a996bb55d3a9c23d68a46760_S1.exe -006495c7fb7388f0513a24d9d09bf9517d5a3fd05c0da7d39311f6e6cf0f8fe3_S1.exe -000f7832251ae4ba41c42c46d83cbf13d0b2aed0c1f949fbe68b728fdcb2fada_S1.exe -000fa485eda66fd4b5acd3fee4e2cdf5bd8e82a4968d27c202fe4747dfb57d00_S1.exe -001451cfe7d492163ebcdaa2a3da9eb849ab0bd509cd969dd75965c88c19d5d4_S1.exe -001627a8adaf2ea97b19dd4f6b915abf57bd41b4fe7af33d5f9f381a97d04a3d_S1.exe -001856ba5da54bdf6cb87c61254af2ca9f936e83402e43579177bd0f4ac1f120_S1.exe -0022f6c5ec68cabb34eee693cb23cb72a1099719b93f552cb9a09a99a0086afc_S1.exe -002763b63f07529dd29c7840fed0e1bc68c974364b3aa64f7b6b225ca191f87f_S1.exe -002ccf946b928eb123790aa8a6a4e1574827f6d387c661003df6e095d1d9137b_S1.exe -002d93a56d6da0d4cd39c1d1bb36ebfb8bb493b0a204882120fc305c1b840caa_S1.exe -0031be555860fee238837c1004d2f0ec353487ce6f9d0715106bb5670d965862_S1.exe -0033f126d294bdda76e68d8dc994189a5d82e728e9e2cbe273789107bd855e06_S1.exe -0039b33d9b86b02a4df6a605018a9749693ea3d871b187d9d1e1e0ec58e63f26_S1.exe -003e0e981f9ec2f4ff844161dc2aca600df38965b9dd586532ede80f6367e90b_S1.exe -0042539fb052745f1568b089bf86e41d393b981cdfc7201f7d8bdde145714fe2_S1.exe -0043d7cf12ad497de3cc4739a435f1765ec4c65e05e1f21faecfe40cc9d4fc35_S1.exe -004fa50455bac533cfa150660a6148ed20eb19a1169aa48991367eabb7494f1e_S1.exe -00509f0c3436a02e09a49226169d28979d0b4eb42375cf2dbb1733cc67333b73_S1.exe -0056fc1baedc78d43638f509d4a2ff617567cdffe4e0aa6a9892d80b076b2e4d_S1.exe -0058b39843b0c37520a28a4d239de2e934a811159fe6a310e63b9fcf85ac2cf7_S1.exe -005b3491673d414c65c0b2c8c351b672dd41a1679c97ffd7e4e0a6b1d00580a9_S1.exe -005dee83851ee0db47b705b4ac6857bc4649e59c47418208d62ce3cc0c1f9a02_S1.exe 
-006446a6303d85b5427139c6bc08c0f12e361d49cd7fa1ccc3e431d2fdd56d8c_S1.exe -0065a97402349fbbe5195effd6329ed89eb276ac3f728c7f8827d913d1296037_S1.exe -006cc18d23ba7ec78ce5d3e78cde63157abd05b1e1908c93c35f99933637a6e7_S1.exe -006cc87046164b41330918db95150f16227aa235865c4c95283b2d5fb9bd0d18_S1.exe -008d53efab6e0be2f356ce86581414db9804d46170eea4b408b6f23690a35487_S1.exe -009794dbe2aefed8ebd0d433c4b5c8931f6b3c1eaf0fbb34ad3fb247ae8dd0b5_S1.exe -009b714c0a6731f2eadd04dab409172d34986526a298b7a1fe4f51152bf6773e_S1.exe -00a1fb0d0a45ec998f65a458e55790e49944bb36b9398d7be495aa7ac7f27ac4_S1.exe -00a24e6e5da9bea88f695e7b15621f418f683ce0b185ee67ba66e91bfe360e53_S1.exe -00a90d131960bbad21a4f787f328d69b3af514f6e800cea606deb97aa0393e29_S1.exe -00aae024d89ebdee5464f410fe588f31a1888f84eb68ee6dddb1ddf9b86012aa_S1.exe -00ae14dc7815f74b083abc290d561d59fa8bc9717c22423fdec109bedc0de170_S1.exe -00b088c257b7aab93e262445085337261a8b6d4369e9e48c6fe840c56971d8c2_S1.exe -00b3c741c366252a8472046960b35636cf6c651a73d94d2810d14446dfae6db1_S1.exe -00b46ed617c1d651dadd8b4abad8b644f30e49e0d12bc378dfb720f9b55b6277_S1.exe -00b4f5d82ff5636d87821e2eb367c63bf83f478d4d4c480a3d9bc920bcd23f4a_S1.exe -00b515429f4b16a501d7c97999eb884210dcf5b413b3896e11c03a926b31289f_S1.exe -00bdb09cd6dfc308cc101aa009240ba612df781c62efb705f7b2ba9c198494d9_S1.exe -00c4a1abded604c193671ac83935cf5e84bf272b5b574c26dfc814821d38155e_S1.exe -00c7f1f0183fdb23eba1c5bfbe94518bbe22093bd8ae648c8c242229ca65c46a_S1.exe -00c9f1276737f9ab4eb49c6c3a8c955cae7085fb7744ab0f0b90cc6b83eea377_S1.exe -00d552f43b11e0017ff34576e2fbe5d47db4c5141ed0cc7cad1a6367a5161839_S1.exe - -BYTES: - -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 - -*/ - -rule hancitor_stage1 - { - meta: - author = "Jeff White - jwhite@paloaltonetworks.com @noottrak" - date = "26AUG2016" - reference = "https://github.com/pan-unit42/public_tools/tree/master/hancitor" - - strings: - $byte_code = { EB ?? 33 ?? 22 ?? ?? ?? ?? ?? 83 ?? ?? F7 ?? 81 ?? ?? ?? ?? ?? 32 ?? 8? ?? 33 ?? 83 ?? ?? 
74 ?? 66 85 ?? 74 ?? F6 ?? ?? 74 ?? 8D ?? ?? EB ?? 33 ?? BD ?? ?? ?? ?? 66 03 ?? 66 A3 ?? ?? ?? ?? B0 ?? 2A ?? A2 ?? ?? ?? ?? 33 ?? 0F B7 ?? ?? ?? ?? ?? B0 ?? 84 ?? 74 ?? B8 ?? ?? ?? ?? 66 3B ?? ?? ?? ?? ?? 75 ?? B8 ?? ?? ?? ?? EB ?? 33 ?? 22 ?? ?? ?? ?? ?? 83 ?? ?? F7 ?? 81 ?? ?? ?? ?? ?? 32 ?? 8? ?? 33 ?? 83 ?? ?? 74 ?? 66 85 ?? 74 ?? F6 ?? ?? 74 ?? 8D ?? ?? EB ?? 33 ?? BD ?? ?? ?? ?? 66 03 ?? 66 A3 ?? ?? ?? ?? B0 ?? 2A ?? A2 ?? ?? ?? ?? 33 ?? 0F B7 ?? ?? ?? ?? ?? B0 ?? 84 ?? 74 ?? B8 ?? ?? ?? ?? 66 3B ?? ?? ?? ?? ?? 75 ?? B8 ?? ?? ?? ?? EB ?? 33 ?? 22 ?? ?? ?? ?? ?? 83 ?? ?? F7 ?? 81 ?? ?? ?? ?? ?? 32 ?? 8? ?? 33 ?? 83 ?? ?? 74 ?? 66 85 ?? 74 ?? F6 ?? ?? 74 ?? 8D ?? ?? EB ?? 33 ?? BD ?? ?? ?? ?? 66 03 ?? 66 A3 ?? ?? ?? ?? B0 ?? 2A ?? A2 ?? ?? ?? ?? 33 ?? 0F B7 ?? ?? ?? ?? ?? B0 ?? 84 ?? 74 ?? B8 ?? ?? ?? ?? 66 3B ?? ?? ?? ?? ?? 75 ?? B8 ?? ?? ?? ?? EB ?? 33 ?? 22 ?? ?? ?? ?? ?? 83 ?? ?? F7 ?? 81 ?? ?? ?? ?? ?? 32 ?? 8? ?? 33 ?? 83 ?? ?? 74 ?? 66 85 ?? 74 ?? F6 ?? ?? 74 ?? 8D ?? ?? EB ?? 33 ?? BD ?? ?? ?? ?? 66 03 ?? 66 A3 ?? ?? ?? ?? B0 ?? 2A ?? A2 ?? ?? ?? ?? 33 ?? 0F B7 ?? ?? ?? ?? ?? B0 ?? 84 ?? 74 ?? B8 ?? ?? ?? ?? 66 3B ?? ?? ?? ?? ?? 75 ?? B8 ?? ?? ?? ?? EB ?? 33 ?? 22 ?? ?? ?? ?? ?? 83 ?? ?? F7 ?? 81 ?? ?? ?? ?? ?? 32 ?? 8? ?? 33 ?? 83 ?? ?? 74 ?? 66 85 ?? 74 ?? F6 ?? ?? 74 ?? 8D ?? ?? EB ?? 33 ?? BD ?? ?? ?? ?? 66 03 ?? 66 A3 ?? ?? ?? ?? B0 ?? 2A ?? A2 ?? ?? ?? ?? 33 ?? 0F B7 ?? ?? ?? ?? ?? B0 ?? 84 ?? 74 ?? B8 ?? ?? ?? ?? 66 3B ?? ?? ?? ?? ?? 75 ?? B8 ?? ?? ?? ?? EB ?? 33 ?? 22 ?? ?? ?? ?? ?? 83 ?? ?? F7 ?? 81 ?? ?? ?? ?? ?? 32 ?? 8? ?? 33 ?? 83 ?? ?? 74 ?? 66 85 ?? 74 ?? F6 ?? ?? 74 ?? 8D ?? ?? EB ?? 33 ?? BD ?? ?? ?? ?? 66 03 ?? 66 A3 ?? ?? ?? ?? B0 ?? 2A ?? A2 ?? ?? ?? ?? 33 ?? 0F B7 ?? ?? ?? ?? ?? B0 ?? 84 ?? 74 ?? B8 ?? ?? ?? ?? 66 3B ?? ?? ?? ?? ?? 75 ?? B8 ?? ?? ?? ?? EB ?? 33 ?? 22 ?? ?? ?? ?? ?? 83 ?? ?? F7 ?? 81 ?? ?? ?? ?? ?? 32 ?? 8? ?? 33 ?? 83 ?? ?? 74 ?? 66 85 ?? 74 ?? F6 ?? ?? 74 ?? 8D ?? ?? EB ?? 33 ?? BD ?? ?? ?? ?? 66 03 ?? 66 A3 ?? 
?? ?? ?? B0 ?? 2A ?? A2 ?? ?? ?? ?? 33 ?? 0F B7 ?? ?? ?? ?? ?? B0 ?? 84 ?? 74 ?? B8 ?? ?? ?? ?? 66 3B ?? ?? ?? ?? ?? 75 ?? B8 ?? ?? ?? ?? EB ?? 33 ?? 22 ?? ?? ?? ?? ?? 83 ?? ?? F7 ?? 81 ?? ?? ?? ?? ?? 32 ?? 8? ?? 33 ?? 83 ?? ?? 74 ?? 66 85 ?? 74 ?? F6 ?? ?? 74 ?? 8D ?? ?? EB ?? 33 ?? BD ?? ?? ?? ?? 66 03 ?? 66 A3 ?? ?? ?? ?? B0 ?? 2A ?? A2 ?? ?? ?? ?? 33 ?? 0F B7 ?? ?? ?? ?? ?? B0 ?? 84 ?? 74 ?? B8 ?? ?? ?? ?? 66 3B ?? ?? ?? ?? ?? 75 ?? B8 ?? ?? ?? ?? EB ?? 33 ?? 22 ?? ?? ?? ?? ?? 83 ?? ?? F7 ?? 81 ?? ?? ?? ?? ?? 32 ?? 8? ?? 33 ?? 83 ?? ?? 74 ?? 66 85 ?? 74 ?? F6 ?? ?? 74 ?? 8D ?? ?? EB ?? 33 ?? BD ?? ?? ?? ?? 66 03 ?? 66 A3 ?? ?? ?? ?? B0 ?? 2A ?? A2 ?? ?? ?? ?? 33 ?? 0F B7 ?? ?? ?? ?? ?? B0 ?? 84 ?? 74 ?? B8 ?? ?? ?? ?? 66 3B ?? ?? ?? ?? ?? 75 ?? B8 ?? ?? ?? ?? EB ?? 33 ?? 22 ?? ?? ?? ?? ?? 83 ?? ?? F7 ?? 81 ?? ?? ?? ?? ?? 32 ?? 8? ?? 33 ?? 83 ?? ?? 74 ?? 66 85 ?? 74 ?? F6 ?? ?? 74 ?? 8D ?? ?? EB ?? 33 ?? BD ?? ?? ?? ?? 66 03 ?? 66 A3 ?? ?? ?? ?? B0 ?? 2A ?? A2 ?? ?? ?? ?? 33 ?? 0F B7 ?? ?? ?? ?? ?? B0 ?? 84 ?? 74 ?? B8 ?? ?? ?? ?? 66 3B ?? ?? ?? ?? ?? 75 ?? B8 ?? ?? ?? ?? EB ?? 33 ?? 22 ?? ?? ?? ?? ?? 83 ?? ?? F7 ?? 81 ?? ?? ?? ?? ?? 32 ?? 8? ?? 33 ?? 83 ?? ?? 74 ?? 66 85 ?? 74 ?? F6 ?? ?? 74 ?? 8D ?? ?? EB ?? 33 ?? BD ?? ?? ?? ?? 66 03 ?? 66 A3 ?? ?? ?? ?? B0 ?? 2A ?? A2 ?? ?? ?? ?? 33 ?? 0F B7 ?? ?? ?? ?? ?? B0 ?? 84 ?? 74 ?? B8 ?? ?? ?? ?? 66 3B ?? ?? ?? ?? ?? 75 ?? B8 ?? ?? ?? ?? EB ?? 33 ?? 22 ?? ?? ?? ?? ?? 83 ?? ?? F7 ?? 81 ?? ?? ?? ?? ?? 32 ?? 8? ?? 33 ?? 83 ?? ?? 74 ?? 66 85 ?? 74 ?? F6 ?? ?? 74 ?? 8D ?? ?? EB ?? 33 ?? BD ?? ?? ?? ?? 66 03 ?? 66 A3 ?? ?? ?? ?? B0 ?? 2A ?? A2 ?? ?? ?? ?? 33 ?? 0F B7 ?? ?? ?? ?? ?? B0 ?? 84 ?? 74 ?? B8 ?? ?? ?? ?? 66 3B ?? ?? ?? ?? ?? 75 ?? B8 ?? ?? ?? ?? EB ?? 33 ?? 22 ?? ?? ?? ?? ?? 83 ?? ?? F7 ?? 81 ?? ?? ?? ?? ?? 32 ?? 8? ?? 33 ?? 83 ?? ?? 74 ?? 66 85 ?? 74 ?? F6 ?? ?? 74 ?? 8D ?? ?? EB ?? 33 ?? BD ?? ?? ?? ?? 66 03 ?? 66 A3 ?? ?? ?? ?? B0 ?? 2A ?? A2 ?? ?? ?? ?? 33 ?? 0F B7 ?? ?? ?? ?? ?? B0 ?? 84 ?? 74 ?? B8 ?? ?? 
?? ?? 66 3B ?? ?? ?? ?? ?? 75 ?? B8 ?? ?? ?? ?? EB ?? 33 ?? 22 ?? ?? ?? ?? ?? 83 ?? ?? F7 ?? 81 ?? ?? ?? ?? ?? 32 ?? 8? ?? 33 ?? 83 ?? ?? 74 ?? 66 85 ?? 74 ?? F6 ?? ?? 74 ?? 8D ?? ?? EB ?? 33 ?? BD ?? ?? ?? ?? 66 03 ?? 66 A3 ?? ?? ?? ?? B0 ?? 2A ?? A2 ?? ?? ?? ?? 33 ?? 0F B7 ?? ?? ?? ?? ?? B0 ?? 84 ?? 74 ?? B8 ?? ?? ?? ?? 66 3B ?? ?? ?? ?? ?? 75 ?? B8 ?? ?? ?? ?? EB ?? 33 ?? 22 ?? ?? ?? ?? ?? 83 ?? ?? F7 ?? 81 ?? ?? ?? ?? ?? 32 ?? 8? ?? 33 ?? 83 ?? ?? 74 ?? 66 85 ?? 74 ?? F6 ?? ?? 74 ?? 8D ?? ?? EB ?? 33 ?? BD ?? ?? ?? ?? 66 03 ?? 66 A3 ?? ?? ?? ?? B0 ?? 2A ?? A2 ?? ?? ?? ?? 33 ?? 0F B7 ?? ?? ?? ?? ?? B0 ?? 84 ?? 74 ?? B8 ?? ?? ?? ?? 66 3B ?? ?? ?? ?? ?? 75 ?? B8 ?? ?? ?? ?? EB ?? 33 ?? 22 ?? ?? ?? ?? ?? 83 ?? ?? F7 ?? 81 ?? ?? ?? ?? ?? 32 ?? 8? ?? 33 ?? 83 ?? ?? 74 ?? 66 85 ?? 74 ?? F6 ?? ?? 74 ?? 8D ?? ?? EB ?? 33 ?? BD ?? ?? ?? ?? 66 03 ?? 66 A3 ?? ?? ?? ?? B0 ?? 2A ?? A2 ?? ?? ?? ?? 33 ?? 0F B7 ?? ?? ?? ?? ?? B0 ?? 84 ?? 74 ?? B8 ?? ?? ?? ?? 66 3B ?? ?? ?? ?? ?? 75 ?? B8 ?? ?? ?? ?? EB ?? 33 ?? 22 ?? ?? ?? ?? ?? 83 ?? ?? F7 ?? 81 ?? ?? ?? ?? ?? 32 ?? 8? ?? 33 ?? 83 ?? ?? 74 ?? 66 85 ?? 74 ?? F6 ?? ?? 74 ?? 8D ?? ?? EB ?? 33 ?? BD ?? ?? ?? ?? 66 03 ?? 66 A3 ?? ?? ?? ?? B0 ?? 2A ?? A2 ?? ?? ?? ?? 33 ?? 0F B7 ?? ?? ?? ?? ?? B0 ?? 84 ?? 74 ?? B8 ?? ?? ?? ?? 66 3B ?? ?? ?? ?? ?? 75 ?? B8 ?? ?? ?? ?? EB ?? 33 ?? 22 ?? ?? ?? ?? ?? 83 ?? ?? F7 ?? 81 ?? ?? ?? ?? ?? 32 ?? 8? ?? 33 ?? 83 ?? ?? 74 ?? 66 85 ?? 74 ?? F6 ?? ?? 74 ?? 8D ?? ?? EB ?? 33 ?? BD ?? ?? ?? ?? 66 03 ?? 66 A3 ?? ?? ?? ?? B0 ?? 2A ?? A2 ?? ?? ?? ?? 33 ?? 0F B7 ?? ?? ?? ?? ?? B0 ?? 84 ?? 74 ?? B8 ?? ?? ?? ?? 66 3B ?? ?? ?? ?? ?? 75 ?? B8 ?? ?? ?? ?? EB ?? 33 ?? 22 ?? ?? ?? ?? ?? 83 ?? ?? F7 ?? 81 ?? ?? ?? ?? ?? 32 ?? 8? ?? 33 ?? 83 ?? ?? 74 ?? 66 85 ?? 74 ?? F6 ?? ?? 74 ?? 8D ?? ?? EB ?? 33 ?? BD ?? ?? ?? ?? 66 03 ?? 66 A3 ?? ?? ?? ?? B0 ?? 2A ?? A2 ?? ?? ?? ?? 33 ?? 0F B7 ?? ?? ?? ?? ?? B0 ?? 84 ?? 74 ?? B8 ?? ?? ?? ?? 66 3B ?? ?? ?? ?? ?? 75 ?? B8 ?? ?? ?? ?? EB ?? 33 ?? 22 ?? ?? ?? ?? ?? 83 ?? ?? 
F7 ?? 81 ?? ?? ?? ?? ?? 32 ?? 8? ?? 33 ?? 83 ?? ?? 74 ?? 66 85 ?? 74 ?? F6 ?? ?? 74 ?? 8D ?? ?? EB ?? 33 ?? BD ?? ?? ?? ?? 66 03 ?? 66 A3 ?? ?? ?? ?? B0 ?? 2A ?? A2 ?? ?? ?? ?? 33 ?? 0F B7 ?? ?? ?? ?? ?? B0 ?? 84 ?? 74 ?? B8 ?? ?? ?? ?? 66 3B ?? ?? ?? ?? ?? 75 ?? B8 ?? ?? ?? ?? EB ?? 33 ?? 22 ?? ?? ?? ?? ?? 83 ?? ?? F7 ?? 81 ?? ?? ?? ?? ?? 32 ?? 8? ?? 33 ?? 83 ?? ?? 74 ?? 66 85 ?? 74 ?? F6 ?? ?? 74 ?? 8D ?? ?? EB ?? 33 ?? BD ?? ?? ?? ?? 66 03 ?? 66 A3 ?? ?? ?? ?? B0 ?? 2A ?? A2 ?? ?? ?? ?? 33 ?? 0F B7 ?? ?? ?? ?? ?? B0 ?? 84 ?? 74 ?? B8 ?? ?? ?? ?? 66 3B ?? ?? ?? ?? ?? 75 ?? B8 ?? ?? ?? ?? EB ?? 33 ?? 22 ?? ?? ?? ?? ?? 83 ?? ?? F7 ?? 81 ?? ?? ?? ?? ?? 32 ?? 8? ?? 33 ?? 83 ?? ?? 74 ?? 66 85 ?? 74 ?? F6 ?? ?? 74 ?? 8D ?? ?? EB ?? 33 ?? BD ?? ?? ?? ?? 66 03 ?? 66 A3 ?? ?? ?? ?? B0 ?? 2A ?? A2 ?? ?? ?? ?? 33 ?? 0F B7 ?? ?? ?? ?? ?? B0 ?? 84 ?? 74 ?? B8 ?? ?? ?? ?? 66 3B ?? ?? ?? ?? ?? 75 ?? B8 ?? ?? ?? ?? EB ?? 33 ?? 22 ?? ?? ?? ?? ?? 83 ?? ?? F7 ?? 81 ?? ?? ?? ?? ?? 32 ?? 8? ?? 33 ?? 83 ?? ?? 74 ?? 66 85 ?? 74 ?? F6 ?? ?? 74 ?? 8D ?? ?? EB ?? 33 ?? BD ?? ?? ?? ?? 66 03 ?? 66 A3 ?? ?? ?? ?? B0 ?? 2A ?? A2 ?? ?? ?? ?? 33 ?? 0F B7 ?? ?? ?? ?? ?? B0 ?? 84 ?? 74 ?? B8 ?? ?? ?? ?? 66 3B ?? ?? ?? ?? ?? 75 ?? B8 ?? ?? ?? ?? EB ?? 33 ?? 22 ?? ?? ?? ?? ?? 83 ?? ?? F7 ?? 81 ?? ?? ?? ?? ?? 32 ?? 8? ?? 33 ?? 83 ?? ?? 74 ?? 66 85 ?? 74 ?? F6 ?? ?? 74 ?? 8D ?? ?? EB ?? 33 ?? BD ?? ?? ?? ?? 66 03 ?? 66 A3 ?? ?? ?? ?? B0 ?? 2A ?? A2 ?? ?? ?? ?? 33 ?? 0F B7 ?? ?? ?? ?? ?? B0 ?? 84 ?? 74 ?? B8 ?? ?? ?? ?? 66 3B ?? ?? ?? ?? ?? 75 ?? B8 ?? ?? ?? ?? EB ?? 33 ?? 22 ?? ?? ?? ?? ?? 83 ?? ?? F7 ?? 81 ?? ?? ?? ?? ?? 32 ?? 8? ?? 33 ?? 83 ?? ?? 74 ?? 66 85 ?? 74 ?? F6 ?? ?? 74 ?? 8D ?? ?? EB ?? 33 ?? BD ?? ?? ?? ?? 66 03 ?? 66 A3 ?? ?? ?? ?? B0 ?? 2A ?? A2 ?? ?? ?? ?? 33 ?? 0F B7 ?? ?? ?? ?? ?? B0 ?? 84 ?? 74 ?? B8 ?? ?? ?? ?? 66 3B ?? ?? ?? ?? ?? 75 ?? B8 ?? ?? ?? ?? EB ?? 33 ?? 22 ?? ?? ?? ?? ?? 83 ?? ?? F7 ?? 81 ?? ?? ?? ?? ?? 32 ?? 8? ?? 33 ?? 83 ?? ?? 74 ?? 66 85 ?? 74 ?? F6 ?? ?? 74 ?? 
8D ?? ?? EB ?? 33 ?? BD ?? ?? ?? ?? 66 03 ?? 66 A3 ?? ?? ?? ?? B0 ?? 2A ?? A2 ?? ?? ?? ?? 33 ?? 0F B7 ?? ?? ?? ?? ?? B0 ?? 84 ?? 74 ?? B8 ?? ?? ?? ?? 66 3B ?? ?? ?? ?? ?? 75 ?? B8 ?? ?? ?? ?? EB ?? 33 ?? 22 ?? ?? ?? ?? ?? 83 ?? ?? 32 ?? F7 ?? 81 ?? ?? ?? ?? ?? 8? ?? ?? ?? ?? ?? 8? ?? 33 ?? 83 ?? ?? 74 ?? 66 85 ?? 74 ?? F6 ?? ?? 74 ?? 8D ?? ?? EB ?? 33 ?? 8? ?? ?? ?? ?? ?? 33 ?? BA ?? ?? ?? ?? 66 03 ?? 66 A3 ?? ?? ?? ?? B0 ?? 2A ?? B2 ?? 0F B7 ?? A2 ?? ?? ?? ?? 84 ?? 74 ?? B8 ?? ?? ?? ?? 66 3B ?? ?? ?? ?? ?? 75 ?? B8 ?? ?? ?? ?? EB ?? 33 ?? 30 ?? ?? ?? ?? ?? 22 ?? ?? ?? ?? ?? 83 ?? ?? F7 ?? 81 ?? ?? ?? ?? ?? 8? ?? 33 ?? 83 ?? ?? 74 ?? 66 85 ?? 74 ?? F6 ?? ?? 74 ?? 8D ?? ?? EB ?? 33 ?? 33 ?? B9 ?? ?? ?? ?? 66 03 ?? 66 89 ?? ?? ?? ?? ?? 8? ?? ?? ?? ?? ?? 0F B7 ?? B2 ?? 2A ?? B0 ?? 8? ?? ?? ?? 8? ?? ?? ?? ?? ?? 84 ?? 74 ?? B9 ?? ?? ?? ?? 66 3B ?? ?? ?? ?? ?? 75 ?? 8D ?? ?? EB ?? 33 ?? 22 ?? ?? ?? ?? ?? 30 ?? ?? ?? ?? ?? 0F BE ?? B0 ?? 83 ?? ?? A2 ?? ?? ?? ?? 83 ?? ?? 0F 82 ?? ?? ?? ?? 0F BF ?? ?? ?? ?? ?? 8? ?? 6B ?? ?? B8 ?? ?? ?? ?? F7 ?? 03 ?? C1 ?? ?? 8? ?? C1 ?? ?? 03 ?? 8? ?? ?? ?? A0 ?? ?? ?? ?? 34 ?? A2 ?? ?? ?? ?? A1 ?? ?? ?? ?? B9 ?? ?? ?? ?? 2B ?? BA ?? ?? ?? ?? D3 ?? 8? ?? 83 ?? ?? D3 ?? 8? ?? ?? ?? ?? ?? 81 ?? ?? ?? ?? ?? 33 ?? 23 ?? 66 31 ?? ?? ?? ?? ?? 0F BE ?? ?? ?? ?? ?? 83 ?? ?? 23 ?? 33 ?? 81 ?? ?? ?? ?? ?? 0F 94 ?? 8? ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? 0B ?? 81 ?? ?? ?? ?? ?? 33 ?? 66 83 ?? ?? ?? ?? ?? ?? 8? ?? ?? ?? ?? ?? 66 8B ?? ?? ?? ?? ?? 0F 94 ?? 66 33 ?? ?? ?? 49 66 23 ?? 85 ?? 75 ?? 8? ?? ?? ?? 32 ?? 66 0F BE ?? A2 ?? ?? ?? ?? 0F BE ?? 41 69 ?? ?? ?? ?? ?? 21 ?? ?? ?? ?? ?? 0F B7 ?? 8? ?? ?? ?? 33 ?? B9 ?? ?? ?? ?? F7 ?? A0 ?? ?? ?? ?? 8? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? 8? ?? ?? ?? 8? ?? ?? ?? ?? ?? FE ?? 0F BE ?? 80 ?? ?? 2D ?? ?? ?? ?? BA ?? ?? ?? ?? 8? ?? ?? ?? ?? ?? 75 ?? 66 85 ?? 74 ?? 8? ?? FE ?? A2 ?? ?? ?? ?? 8? ?? 2C ?? 0C ?? A2 ?? ?? ?? ?? BA ?? ?? ?? ?? 33 ?? 4A 66 85 ?? 0F 95 ?? 22 ?? 2A ?? 85 ?? 75 ?? 8? ?? ?? ?? 8? ?? ?? ?? ?? ?? 
33 ?? 81 ?? ?? ?? ?? ?? ?? ?? ?? ?? B0 ?? 0F 94 ?? 8? ?? ?? ?? 80 ?? ?? ?? ?? ?? ?? 66 89 ?? ?? ?? ?? ?? 8? ?? D2 ?? C0 ?? ?? 0A ?? ?? ?? ?? ?? 66 0F BE ?? B8 ?? ?? ?? ?? F7 ?? A1 ?? ?? ?? ?? C1 ?? ?? 69 ?? ?? ?? ?? ?? 2B ?? 03 ?? ?? ?? 66 89 ?? ?? ?? ?? ?? 8? ?? 0F BE ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? F7 ?? 03 ?? C1 ?? ?? 8? ?? C1 ?? ?? 03 ?? 69 ?? ?? ?? ?? ?? 8? ?? 2B ?? 03 ?? 0F BF ?? ?? ?? 8? ?? ?? ?? 83 ?? ?? 0F 94 ?? 32 ?? ?? ?? ?? ?? 8? ?? ?? ?? 34 ?? A2 ?? ?? ?? ?? 33 ?? 81 ?? ?? ?? ?? ?? 0F 94 ?? 23 ?? 83 ?? ?? 74 ?? 80 ?? ?? ?? ?? ?? ?? 74 ?? B8 ?? ?? ?? ?? EB ?? 33 ?? 30 ?? ?? ?? ?? ?? 8? ?? ?? ?? A0 ?? ?? ?? ?? D3 ?? 32 ?? 34 ?? 33 ?? 3B ?? ?? ?? A2 ?? ?? ?? ?? 0F 94 ?? 33 ?? ?? ?? ?? ?? 75 ?? 66 39 ?? ?? ?? ?? ?? 75 ?? 33 ?? EB ?? B8 ?? ?? ?? ?? 28 ?? ?? ?? ?? ?? 33 ?? 39 ?? ?? ?? ?? ?? 8? ?? ?? ?? 0F 94 ?? C7 ?? ?? ?? ?? ?? ?? ?? A3 ?? ?? ?? ?? B8 ?? ?? ?? ?? F7 ?? C1 ?? ?? B8 ?? ?? ?? ?? 8? ?? ?? ?? F7 ?? 8? ?? 2B ?? D1 ?? 03 ?? C1 ?? ?? 8? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 75 ?? 66 83 ?? ?? ?? ?? 75 ?? 8D ?? ?? 85 ?? 75 ?? 33 ?? EB ?? B9 ?? ?? ?? ?? 8? ?? ?? ?? ?? ?? A0 ?? ?? ?? ?? 32 ?? 66 0F BE ?? 66 2B ?? 8? ?? 66 D3 ?? 0F BE ?? A2 ?? ?? ?? ?? 8? ?? ?? ?? 3B ?? 0F 94 ?? 0A ?? 0F B6 ?? 8? ?? ?? ?? ?? ?? 0F BE ?? 8? ?? 02 ?? 81 ?? ?? ?? ?? ?? 74 ?? 85 ?? 75 ?? 8? ?? ?? ?? ?? ?? 39 ?? ?? ?? 74 ?? 33 ?? EB ?? 8? ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? 8? ?? ?? ?? 66 33 ?? A1 ?? ?? ?? ?? 66 89 ?? ?? ?? ?? ?? 8? ?? ?? ?? 69 ?? ?? ?? ?? ?? 2B ?? 33 ?? 03 ?? 0F B7 ?? 8? ?? ?? ?? BE ?? ?? ?? ?? 8? ?? 80 ?? ?? 0A ?? 83 ?? ?? 75 ?? } - $meta_CN = "SynapticosSoft, Corporation." wide ascii // CompanyName - $meta_PN = "ngqlgdA" wide ascii // ProductName - $meta_OF = "MpklYuere.exe" wide ascii // OriginalFilename - - condition: - uint16be(0) == 0x4D5A and ($byte_code or all of ($meta_*)) -} \ No newline at end of file 
diff --git a/yara-mikesxrs/paloalto/ce_enfal_cmstar_debug_msg.yar b/yara-mikesxrs/paloalto/ce_enfal_cmstar_debug_msg.yar
deleted file mode 100644
index 1b72350..0000000
--- a/yara-mikesxrs/paloalto/ce_enfal_cmstar_debug_msg.yar
+++ /dev/null
@@ -1,37 +0,0 @@
-rule ce_enfal_cmstar_debug_msg
-
-{
-
- meta:
-
- author = "rfalcone"
-
- description = "Detects the static debug strings within CMSTAR"
-
- reference = "9b9cc7e2a2481b0472721e6b87f1eba4faf2d419d1e2c115a91ab7e7e6fc7f7c"
-
- date = "5/10/2015"
-
- link = "http://researchcenter.paloaltonetworks.com/2015/05/cmstar-downloader-lurid-and-enfals-new-cousin/"
-
- strings:
-
- $d1 = "EEE\x0d\x0a" fullword
-
- $d2 = "TKE\x0d\x0a" fullword
-
- $d3 = "VPE\x0d\x0a" fullword
-
- $d4 = "VPS\x0d\x0a" fullword
-
- $d5 = "WFSE\x0d\x0a" fullword
-
- $d6 = "WFSS\x0d\x0a" fullword
-
- $d7 = "CM**\x0d\x0a" fullword
-
- condition:
-
- uint16(0) == 0x5a4d and all of ($d*)
-
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/paloalto/cobalt_gang_builder.yar b/yara-mikesxrs/paloalto/cobalt_gang_builder.yar
deleted file mode 100644
index 394d0b6..0000000
--- a/yara-mikesxrs/paloalto/cobalt_gang_builder.yar
+++ /dev/null
@@ -1,41 +0,0 @@
-rule cmstp_macro_builder_rev_a
-{
- meta:
- description="CMSTP macro builder based on variable names and runtime invoke"
- author="Palo Alto Networks Unit42"
- reference = "https://researchcenter.paloaltonetworks.com/2018/10/unit42-new-techniques-uncover-attribute-cobalt-gang-commodity-builders-infrastructure-revealed/"
- strings:
- $method="CallByName"
- $varexp=/[A-Za-z]k[0-9]{2}([0-9]{1})/
- condition:
- $method and
- #method == 2 and
- #varexp > 10
-
-}
-
-rule cmstp_macro_builder_rev_b {
- meta:
- description="CMSTP macro builder based on routines and functions names and runtime invoke"
- author="Palo Alto Networks Unit42"
- reference = "https://researchcenter.paloaltonetworks.com/2018/10/unit42-new-techniques-uncover-attribute-cobalt-gang-commodity-builders-infrastructure-revealed/"
- strings:
- $func=/Private Function [A-Za-z]{1,5}[0-9]{2,3}\(/
- $sub=/Sub [A-Za-z]{1,5}[0-9]{2,5}\(/
- $call="CallByName"
- condition:
- $call and
- #func > 1 and
- #sub > 1
-}
-
-rule cobaltgang_pdf_metadata_rev_a{
- meta:
- description="Find documents saved from the same potential Cobalt Gang PDF template"
- author="Palo Alto Networks Unit 42"
- reference = "https://researchcenter.paloaltonetworks.com/2018/10/unit42-new-techniques-uncover-attribute-cobalt-gang-commodity-builders-infrastructure-revealed/"
- strings:
- $ = "<xmpMM:DocumentID>uuid:31ac3688-619c-4fd4-8e3f-e59d0354a338" ascii wide
- condition:
- any of them
-}
diff --git a/yara-mikesxrs/paloalto/findpos.yar b/yara-mikesxrs/paloalto/findpos.yar
deleted file mode 100644
index c32b191..0000000
--- a/yara-mikesxrs/paloalto/findpos.yar
+++ /dev/null
@@ -1,28 +0,0 @@
-import "cuckoo"
-
-rule findpos
-{
- meta:
- description = "FindPOS is a newly discovered POS family."
- category = "Point of Sale"
- author = "Josh Grunzweig"
-
- strings:
- $s1 = "oprat=2&uid=%I64u&uinfo=%s&win=%d.%d&vers=%s" nocase wide ascii
-
- $pdb1 = "H:\\Work\\Current\\FindStr\\Release\\FindStr.pdb" nocase wide ascii
- $pdb2 = "H:\\Work\\FindStrX\\Release\\FindStr.pdb" nocase wide ascii
- $pdb3 = "H:\\Work\\Current\\KeyLogger\\Release\\KeyLogger.pdb" nocase wide ascii
-
- condition:
- any of ($s*) or
- any of ($pdb*) or
- (
- cuckoo.sync.mutex(/WIN_[a-fA-F0-9]{16}/) and
- cuckoo.registry.key_access(/\\Software\\Microsoft\\Windows\\CurrentVersion\\Run/) and
- (
- cuckoo.filesystem.file_access(/C\:\\WINDOWS\\System32\\\w{8}\.exe/) or
- cuckoo.filesystem.file_access(/C\:\\Documents\ and\ Settings\\[^\\]+\\\w{8}\.exe/)
- )
- )
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/paloalto/general_win_dll_golang_socks.yar b/yara-mikesxrs/paloalto/general_win_dll_golang_socks.yar
deleted file mode 100644
index 9708ca3..0000000
--- a/yara-mikesxrs/paloalto/general_win_dll_golang_socks.yar
+++ /dev/null
@@ -1,15 +0,0 @@
-import "pe"
-
-rule general_win_dll_golang_socks
-{
- meta:
- author = "paloaltonetworks"
- date = "2022-03-13"
- description = "Highly suspicious GO DLL with proxy communication capabilities"
- reference = "https://unit42.paloaltonetworks.com/popping-eagle-malware/"
-
- condition:
- general_win_golang_socks and
- (pe.characteristics & pe.DLL) and pe.is_dll()
-}
-
diff --git a/yara-mikesxrs/paloalto/general_win_faked_dlls_export_popo.yar b/yara-mikesxrs/paloalto/general_win_faked_dlls_export_popo.yar
deleted file mode 100644
index 89e6900..0000000
--- a/yara-mikesxrs/paloalto/general_win_faked_dlls_export_popo.yar
+++ /dev/null
@@ -1,22 +0,0 @@
-import "pe"
-
-rule general_win_faked_dlls_export_popo
-{
- meta:
- author = "paloaltonetworks"
- date = "2022-03-13"
- description = "Detects DLL files with an export function named 'popo'"
- reference = "https://unit42.paloaltonetworks.com/popping-eagle-malware/"
- hash0 = "e5e89d8db12c7dacddff5c2a76b1f3b52c955c2e86af8f0b3e36c8a5d954b5e8" // fake uxtheme.dll
- hash1 = "95676c8eeaab93396597e05bb4df3ff8cc5780ad166e4ee54484387b97f381df" // fake uxtheme.dll
- hash2 = "59d12f26cbc3e49e28be13f0306f5a9b1a9fd62909df706e58768d2f0ccca189" // fake uxtheme.dll
- hash3 = "0dc8f17b053d9bfab45aed21340a1f85325f79e0925caf21b9eaf9fbdc34a47a" // ClickRuntime-amd86.dll
-
- condition:
- (pe.characteristics & pe.DLL) and pe.is_dll() and
- filesize < 20MB and
- (
- pe.exports("popo") or
- pe.exports("Popo")
- )
-
diff --git a/yara-mikesxrs/paloalto/general_win_golang_socks.yar b/yara-mikesxrs/paloalto/general_win_golang_socks.yar
deleted file mode 100644
index 66d5a9a..0000000
--- a/yara-mikesxrs/paloalto/general_win_golang_socks.yar
+++ /dev/null
@@ -1,30 +0,0 @@
-import "pe"
-
-rule general_win_golang_socks
-{
- meta:
- author = "paloaltonetworks"
- date = "2022-03-13"
- description = "potentially unwanted GO application with proxy communication capabilities"
- reference = "https://unit42.paloaltonetworks.com/popping-eagle-malware/"
-
- strings:
- $go_name_1 = "main.go" nocase ascii // default go name for the “func main(){...}” in "package main”
- $go_name_2 = "eagle" nocase ascii
- $go_name_3 = "popo" nocase ascii
- $go_name_4 = "-Client-Dll/" nocase ascii
-
- $go_pkg_1 = "github.com/armon/go-socks5" nocase wide ascii
- $go_pkg_2 = "github.com/hashicorp/yamux" nocase wide ascii
- $go_pkg_3 = "github.com/fatedier/frp/vendor" wide ascii
- $go_pkg_4 = "github.com/rofl0r/rocksocks5" wide ascii
-
- condition:
- uint16(0) == 0x5a4d and
- filesize < 7MB and
- (
- 1 of ($go_name_*) and
- 2 of ($go_pkg_*)
- )
-}
-
diff --git a/yara-mikesxrs/paloalto/hancitor_dropper.yar b/yara-mikesxrs/paloalto/hancitor_dropper.yar
deleted file mode 100644
index c36e33a..0000000
--- a/yara-mikesxrs/paloalto/hancitor_dropper.yar
+++ /dev/null
@@ -1,80 +0,0 @@ -rule hancitor_dropper : vb_win32api -{ - meta: - author = "Jeff White - jwhite@paloaltonetworks.com @noottrak" - date = "18AUG2016" - hash1 = "03aef51be133425a0e5978ab2529890854ecf1b98a7cf8289c142a62de7acd1a" - hash2 = "4b3912077ef47515b2b74bc1f39de44ddd683a3a79f45c93777e49245f0e9848" - hash3 = "a78972ac6dee8c7292ae06783cfa1f918bacfe956595d30a0a8d99858ce94b5a" - reference = "https://github.com/pan-unit42/public_tools/tree/master/hancitor" - - strings: - $api_01 = { 00 56 69 72 74 75 61 6C 41 6C 6C 6F 63 00 } // VirtualAlloc - $api_02 = { 00 52 74 6C 4D 6F 76 65 4D 65 6D 6F 72 79 00 } // RtlMoveMemory - $api_04 = { 00 43 61 6C 6C 57 69 6E 64 6F 77 50 72 6F 63 41 00 } // CallWindowProcAi - $magic = { 50 4F 4C 41 } // POLA - - condition: - uint32be(0) == 0xD0CF11E0 and all of ($api_*) and $magic -} - -/* - -SAMPLES: - -000f7832251ae4ba41c42c46d83cbf13d0b2aed0c1f949fbe68b728fdcb2fada_S2.exe -0002218f5c47ef709e390288e4268a02bb9d9087a996bb55d3a9c23d68a46760_S2.exe -000fa485eda66fd4b5acd3fee4e2cdf5bd8e82a4968d27c202fe4747dfb57d00_S2.exe -001451cfe7d492163ebcdaa2a3da9eb849ab0bd509cd969dd75965c88c19d5d4_S2.exe -001627a8adaf2ea97b19dd4f6b915abf57bd41b4fe7af33d5f9f381a97d04a3d_S2.exe -001856ba5da54bdf6cb87c61254af2ca9f936e83402e43579177bd0f4ac1f120_S2.exe -0022f6c5ec68cabb34eee693cb23cb72a1099719b93f552cb9a09a99a0086afc_S2.exe -002763b63f07529dd29c7840fed0e1bc68c974364b3aa64f7b6b225ca191f87f_S2.exe -002ccf946b928eb123790aa8a6a4e1574827f6d387c661003df6e095d1d9137b_S2.exe -002d93a56d6da0d4cd39c1d1bb36ebfb8bb493b0a204882120fc305c1b840caa_S2.exe -0031be555860fee238837c1004d2f0ec353487ce6f9d0715106bb5670d965862_S2.exe -0033f126d294bdda76e68d8dc994189a5d82e728e9e2cbe273789107bd855e06_S2.exe -0039b33d9b86b02a4df6a605018a9749693ea3d871b187d9d1e1e0ec58e63f26_S2.exe -003e0e981f9ec2f4ff844161dc2aca600df38965b9dd586532ede80f6367e90b_S2.exe -0042539fb052745f1568b089bf86e41d393b981cdfc7201f7d8bdde145714fe2_S2.exe 
-0043d7cf12ad497de3cc4739a435f1765ec4c65e05e1f21faecfe40cc9d4fc35_S2.exe -004fa50455bac533cfa150660a6148ed20eb19a1169aa48991367eabb7494f1e_S2.exe -00509f0c3436a02e09a49226169d28979d0b4eb42375cf2dbb1733cc67333b73_S2.exe -0056fc1baedc78d43638f509d4a2ff617567cdffe4e0aa6a9892d80b076b2e4d_S2.exe -0058b39843b0c37520a28a4d239de2e934a811159fe6a310e63b9fcf85ac2cf7_S2.exe -005b3491673d414c65c0b2c8c351b672dd41a1679c97ffd7e4e0a6b1d00580a9_S2.exe -005dee83851ee0db47b705b4ac6857bc4649e59c47418208d62ce3cc0c1f9a02_S2.exe -006446a6303d85b5427139c6bc08c0f12e361d49cd7fa1ccc3e431d2fdd56d8c_S2.exe -006495c7fb7388f0513a24d9d09bf9517d5a3fd05c0da7d39311f6e6cf0f8fe3_S2.exe -0065a97402349fbbe5195effd6329ed89eb276ac3f728c7f8827d913d1296037_S2.exe -006cc18d23ba7ec78ce5d3e78cde63157abd05b1e1908c93c35f99933637a6e7_S2.exe -006cc87046164b41330918db95150f16227aa235865c4c95283b2d5fb9bd0d18_S2.exe -008d53efab6e0be2f356ce86581414db9804d46170eea4b408b6f23690a35487_S2.exe -009794dbe2aefed8ebd0d433c4b5c8931f6b3c1eaf0fbb34ad3fb247ae8dd0b5_S2.exe -009b714c0a6731f2eadd04dab409172d34986526a298b7a1fe4f51152bf6773e_S2.exe -00a1fb0d0a45ec998f65a458e55790e49944bb36b9398d7be495aa7ac7f27ac4_S2.exe -00a24e6e5da9bea88f695e7b15621f418f683ce0b185ee67ba66e91bfe360e53_S2.exe -00a90d131960bbad21a4f787f328d69b3af514f6e800cea606deb97aa0393e29_S2.exe -00aae024d89ebdee5464f410fe588f31a1888f84eb68ee6dddb1ddf9b86012aa_S2.exe -00ae14dc7815f74b083abc290d561d59fa8bc9717c22423fdec109bedc0de170_S2.exe -00b088c257b7aab93e262445085337261a8b6d4369e9e48c6fe840c56971d8c2_S2.exe -00b3c741c366252a8472046960b35636cf6c651a73d94d2810d14446dfae6db1_S2.exe -00b46ed617c1d651dadd8b4abad8b644f30e49e0d12bc378dfb720f9b55b6277_S2.exe -00b4f5d82ff5636d87821e2eb367c63bf83f478d4d4c480a3d9bc920bcd23f4a_S2.exe -00b515429f4b16a501d7c97999eb884210dcf5b413b3896e11c03a926b31289f_S2.exe -00bdb09cd6dfc308cc101aa009240ba612df781c62efb705f7b2ba9c198494d9_S2.exe -00c4a1abded604c193671ac83935cf5e84bf272b5b574c26dfc814821d38155e_S2.exe 
-00c7f1f0183fdb23eba1c5bfbe94518bbe22093bd8ae648c8c242229ca65c46a_S2.exe -00c9f1276737f9ab4eb49c6c3a8c955cae7085fb7744ab0f0b90cc6b83eea377_S2.exe -00d552f43b11e0017ff34576e2fbe5d47db4c5141ed0cc7cad1a6367a5161839_S2.exe -00dc95924de13484980037630e916271fdf0568fbb77b2dbe0b622f526b403ba_S2.exe -00ded1b849e87b266e63924bf17e7e142899d1dd57d6085ec6490c29c65c6008_S2.exe -00e67a9a4b5be7bd31fbc88bb3b6e34107f1a93b2b6dab0598cedcfb410fe256_S2.exe -00e706f9118c32ed1cd3ce9e0444053c47daffc3e7e53b32061ec039834292ca_S2.exe -00f0424b7659c7ec499c70cfcea411f71672fc89c92f564bf11b0a043059d2dd_S2.exe - -BYTES: - -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 - -*/ \ No newline at end of file diff --git a/yara-mikesxrs/paloalto/hancitor_payload.yar b/yara-mikesxrs/paloalto/hancitor_payload.yar deleted file mode 100644 index af94f55..0000000 --- a/yara-mikesxrs/paloalto/hancitor_payload.yar +++ /dev/null 
@@ -1,70 +0,0 @@ -rule hancitor_payload - { - meta: - author = "Jeff White - jwhite@paloalnetworks.com @noottrak" - date = "26AUG2016" - reference = "https://github.com/pan-unit42/public_tools/tree/master/hancitor" - - - strings: - $byte_code = { 5? 8? ?? 83 ?? ?? ?? ?? ?? ?? 75 ?? FF ?? ?? ?? ?? ?? A3 ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 74 ?? 8? ?? ?? 5? 6A ?? 8? ?? ?? ?? ?? ?? 5? FF ?? ?? ?? ?? ?? EB ?? 33 ?? 5D C3 CC CC CC CC CC CC CC 5? 8? ?? 83 ?? ?? ?? ?? ?? ?? 74 ?? 8? ?? ?? 5? 6A ?? 8? ?? ?? ?? ?? ?? 5? FF ?? ?? ?? ?? ?? 5D C3 CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC 5? 8? ?? 83 ?? ?? 8? ?? ?? 8? ?? ?? 8? ?? ?? 8? ?? ?? 8? ?? ?? 83 ?? ?? 8? ?? ?? 83 ?? ?? ?? 74 ?? 8? ?? ?? 8? ?? ?? 8? ?? 8? ?? ?? 83 ?? ?? 8? ?? ?? EB ?? 8? ?? ?? 8? ?? 5D C3 CC CC CC CC CC 5? 8? ?? 83 ?? ?? 8? ?? ?? 8? ?? ?? 8? ?? ?? 8? ?? ?? 8? ?? ?? 83 ?? ?? 8? ?? ?? 83 ?? ?? ?? 74 ?? 8? ?? ?? 8? ?? ?? 8? ?? 8? ?? 8? ?? ?? 83 ?? ?? 8? ?? ?? 8? ?? ?? 83 ?? ?? 8? ?? ?? EB ?? 8? ?? ?? 8? ?? 5D C3 CC CC CC CC CC CC CC CC CC CC 5? 8? ?? 83 ?? ?? ?? ?? ?? ?? 75 ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? 85 ?? 74 ?? 8? ?? ?? ?? ?? ?? 0F BE ?? 83 ?? ?? 74 ?? A1 ?? ?? ?? ?? 0F BE ?? 85 ?? 75 ?? 8? ?? ?? C6 ?? ?? EB ?? 8? ?? ?? 8? ?? ?? ?? ?? ?? 8? ?? 8? ?? 8? ?? ?? 83 ?? ?? 8? ?? ?? 8? ?? ?? ?? ?? ?? 83 ?? ?? 8? ?? ?? ?? ?? ?? EB ?? 8? ?? ?? ?? ?? ?? 0F BE ?? 83 ?? ?? 75 ?? 8? ?? ?? ?? ?? ?? 83 ?? ?? 8? ?? ?? ?? ?? ?? 8? ?? ?? ?? ?? ?? 0F BE ?? 85 ?? 75 ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 33 ?? EB ?? B8 ?? ?? ?? ?? 5D C3 CC CC CC CC CC CC CC CC CC 5? 8? ?? 83 ?? ?? ?? ?? ?? ?? 75 ?? 6A ?? 6A ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? A3 ?? ?? ?? ?? A1 ?? ?? ?? ?? 5D C3 CC CC CC CC CC 5? 8? ?? 81 ?? ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 ?? 8? ?? ?? 6A ?? 6A ?? 8D ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 8? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 8? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? 6A ?? 6A ?? 8? 
?? ?? 5? FF ?? ?? ?? ?? ?? 85 ?? 75 ?? 33 ?? E9 ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 75 ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 74 ?? 83 ?? ?? ?? ?? ?? ?? 74 ?? 33 ?? E9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8? ?? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 75 ?? 33 ?? E9 ?? ?? ?? ?? 66 8B ?? ?? ?? ?? ?? 66 89 ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 75 ?? 8? ?? ?? ?? ?? ?? 0D ?? ?? ?? ?? 8? ?? ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? 0F B7 ?? ?? ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? 8? ?? ?? ?? ?? ?? 5? FF ?? ?? ?? ?? ?? 8? ?? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 75 ?? 33 ?? E9 ?? ?? ?? ?? 83 ?? ?? ?? 75 ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? EB ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 6A ?? 8? ?? ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? 6A ?? 6A ?? 8D ?? ?? ?? ?? ?? 5? 8? ?? ?? ?? ?? ?? 5? 8? ?? ?? ?? ?? ?? 5? FF ?? ?? ?? ?? ?? 8? ?? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 75 ?? 8? ?? ?? ?? ?? ?? 5? FF ?? ?? ?? ?? ?? 33 ?? E9 ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 75 ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? 6A ?? 8? ?? ?? ?? ?? ?? 5? FF ?? ?? ?? ?? ?? 8? ?? ?? ?? ?? ?? 0D ?? ?? ?? ?? 8? ?? ?? ?? ?? ?? 6A ?? 8D ?? ?? ?? ?? ?? 5? 6A ?? 8? ?? ?? ?? ?? ?? 5? FF ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 83 ?? ?? ?? 74 ?? 8? ?? ?? 5? FF ?? ?? ?? ?? ?? 8? ?? ?? ?? ?? ?? 8? ?? ?? ?? ?? ?? 5? 8? ?? ?? 5? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? 8? ?? ?? ?? ?? ?? 5? FF ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 6A ?? 8D ?? ?? ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? 8? ?? ?? ?? ?? ?? 5? FF ?? ?? ?? ?? ?? 81 ?? ?? ?? ?? ?? ?? ?? ?? ?? 75 ?? 83 ?? ?? ?? 74 ?? 8? ?? ?? 5? 8? ?? ?? 83 ?? ?? 5? 8? ?? ?? 5? 8? ?? ?? ?? ?? ?? 5? FF ?? ?? ?? ?? ?? 85 ?? 74 ?? 8? ?? ?? 83 ?? ?? 76 ?? 8? ?? ?? 8? ?? 8? ?? ?? C6 ?? ?? ?? EB ?? 8? ?? ?? C7 ?? ?? ?? ?? ?? 8? ?? ?? ?? ?? ?? 5? FF ?? ?? ?? ?? ?? 8? ?? ?? ?? ?? ?? 5? FF ?? ?? ?? ?? ?? 81 ?? ?? ?? ?? ?? ?? ?? ?? ?? 75 ?? B8 ?? ?? ?? ?? EB ?? 33 ?? 8? ?? ?? 33 ?? E8 ?? ?? ?? ?? 8? ?? 
5D C3 CC CC CC CC CC CC CC CC CC CC CC CC CC 5? 8? ?? 8? ?? ?? 5? 8? ?? ?? 5? 8? ?? ?? 5? 8? ?? ?? 5? 8? ?? ?? 5? 6A ?? E8 ?? ?? ?? ?? 83 ?? ?? 5D C3 CC CC CC CC CC CC CC CC CC CC CC CC CC 5? 8? ?? 8? ?? ?? 5? 8? ?? ?? 5? 8? ?? ?? 5? 8? ?? ?? 5? 8? ?? ?? 5? 6A ?? E8 ?? ?? ?? ?? 83 ?? ?? 5D C3 CC CC CC CC CC CC CC CC CC CC CC CC CC 5? 8? ?? 81 ?? ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 ?? 8? ?? ?? 6A ?? 6A ?? 8D ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 8? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 8? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? 6A ?? 6A ?? 8? ?? ?? 5? FF ?? ?? ?? ?? ?? 85 ?? 75 ?? 33 ?? E9 ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 75 ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 74 ?? 83 ?? ?? ?? ?? ?? ?? 74 ?? 33 ?? E9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8? ?? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 75 ?? 33 ?? E9 ?? ?? ?? ?? BA ?? ?? ?? ?? 66 89 ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 75 ?? B8 ?? ?? ?? ?? 66 89 ?? ?? ?? ?? ?? 8? ?? ?? ?? ?? ?? 81 ?? ?? ?? ?? ?? 8? ?? ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? 0F B7 ?? ?? ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? 8? ?? ?? ?? ?? ?? 5? FF ?? ?? ?? ?? ?? 8? ?? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 75 ?? 33 ?? E9 ?? ?? ?? ?? 6A ?? 8? ?? ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? 6A ?? 6A ?? 8D ?? ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? 8? ?? ?? ?? ?? ?? 5? FF ?? ?? ?? ?? ?? 8? ?? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 75 ?? 8? ?? ?? ?? ?? ?? 5? FF ?? ?? ?? ?? ?? 33 ?? E9 ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 75 ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? 6A ?? 8? ?? ?? ?? ?? ?? 5? FF ?? ?? ?? ?? ?? 8? ?? ?? ?? ?? ?? 0D ?? ?? ?? ?? 8? ?? ?? ?? ?? ?? 6A ?? 8D ?? ?? ?? ?? ?? 5? 6A ?? 8? ?? ?? ?? ?? ?? 5? FF ?? ?? ?? ?? ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? 8? ?? ?? ?? ?? ?? 5? FF ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 6A ?? 8D ?? ?? ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? 68 ?? 
?? ?? ?? 8? ?? ?? ?? ?? ?? 5? FF ?? ?? ?? ?? ?? 81 ?? ?? ?? ?? ?? ?? ?? ?? ?? 75 ?? 83 ?? ?? ?? 74 ?? 8? ?? ?? C7 ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 85 ?? 74 ?? 8D ?? ?? ?? ?? ?? 5? 8? ?? ?? 5? 8? ?? ?? 5? 8? ?? ?? ?? ?? ?? 5? FF ?? ?? ?? ?? ?? 8? ?? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 75 ?? 83 ?? ?? ?? ?? ?? ?? 74 ?? 8? ?? ?? 03 ?? ?? ?? ?? ?? 8? ?? ?? 8? ?? ?? 2B ?? ?? ?? ?? ?? 8? ?? ?? 8? ?? ?? 8? ?? 03 ?? ?? ?? ?? ?? 8? ?? ?? 8? ?? EB ?? EB ?? EB ?? 8? ?? ?? ?? ?? ?? 5? FF ?? ?? ?? ?? ?? 8? ?? ?? ?? ?? ?? 5? FF ?? ?? ?? ?? ?? 81 ?? ?? ?? ?? ?? ?? ?? ?? ?? 75 ?? B8 ?? ?? ?? ?? EB ?? 33 ?? 8? ?? ?? 33 ?? E8 ?? ?? ?? ?? 8? ?? 5D C3 CC CC 5? 8? ?? 81 ?? ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 ?? 8? ?? ?? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? FF ?? ?? ?? ?? ?? 8? ?? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 74 ?? B9 ?? ?? ?? ?? 6B ?? ?? 8? ?? ?? ?? ?? ?? 81 ?? ?? ?? ?? ?? ?? ?? ?? ?? 73 ?? EB ?? E8 ?? ?? ?? ?? 8? ?? ?? ?? ?? ?? C6 ?? ?? ?? ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 6A ?? 8D ?? ?? ?? ?? ?? 5? 6A ?? 6A ?? 8D ?? ?? ?? ?? ?? 5? FF ?? ?? ?? ?? ?? 85 ?? 74 ?? 8? ?? ?? ?? ?? ?? EB ?? 33 ?? 8? ?? ?? 33 ?? E8 ?? ?? ?? ?? 8? ?? 5D C3 CC 5? 8? ?? 83 ?? ?? A1 ?? ?? ?? ?? 33 ?? 8? ?? ?? 0F 57 ?? 66 0F 13 ?? ?? C7 ?? ?? ?? ?? ?? ?? 8? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 8? ?? ?? 8? ?? ?? 8? ?? ?? 8D ?? ?? 5? 8? ?? ?? 5? 6A ?? 6A ?? 6A ?? FF ?? ?? ?? ?? ?? 8? ?? ?? 83 ?? ?? ?? 75 ?? 83 ?? ?? ?? 74 ?? 6A ?? 6A ?? 8D ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 8? ?? ?? 8? ?? ?? 5? 8? ?? ?? 83 ?? ?? 5? 8D ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 8? ?? ?? 33 ?? ?? 8? ?? ?? 33 ?? ?? 8? ?? ?? 8? ?? ?? 8? ?? ?? 8? ?? ?? 8? ?? ?? EB ?? 8? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? E8 ?? ?? ?? ?? 33 ?? 8? ?? ?? 8? ?? ?? 8? ?? ?? 8? ?? ?? B1 ?? E8 ?? ?? ?? ?? 33 ?? ?? 33 ?? ?? 8? ?? ?? 33 ?? E8 ?? ?? ?? ?? 8? ?? 5D C3 CC CC CC CC CC CC CC CC 5? 8? ?? A1 ?? ?? ?? ?? 0B ?? ?? ?? ?? ?? 75 ?? E8 ?? ?? ?? ?? A3 ?? ?? ?? ?? 8? ?? ?? ?? ?? ?? A1 ?? ?? ?? ?? 8? ?? ?? ?? ?? ?? 5D C3 CC CC CC 5? 8? ?? 83 ?? ?? A1 ?? ?? ?? ?? 33 ?? 8? ?? ?? B8 ?? ?? ?? ?? 
6B ?? ?? 0F BE ?? ?? ?? ?? ?? 85 ?? 74 ?? 68 ?? ?? ?? ?? 8? ?? ?? 5? FF ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? EB ?? 8D ?? ?? 5? 6A ?? 68 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 83 ?? ?? 75 ?? 68 ?? ?? ?? ?? 8? ?? ?? 5? FF ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? EB ?? 68 ?? ?? ?? ?? 8? ?? ?? 5? FF ?? ?? ?? ?? ?? 33 ?? 8? ?? ?? 33 ?? E8 ?? ?? ?? ?? 8? ?? 5D C3 CC CC CC 5? 8? ?? 81 ?? ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 ?? 8? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? 8? ?? ?? ?? ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 83 ?? ?? 75 ?? B8 ?? ?? ?? ?? 6B ?? ?? 0F BE ?? ?? ?? ?? ?? ?? 83 ?? ?? 75 ?? B8 ?? ?? ?? ?? C1 ?? ?? 0F BE ?? ?? ?? ?? ?? ?? 83 ?? ?? 75 ?? BA ?? ?? ?? ?? D1 ?? 0F BE ?? ?? ?? ?? ?? ?? 83 ?? ?? 75 ?? B9 ?? ?? ?? ?? 6B ?? ?? 0F BE ?? ?? ?? ?? ?? ?? 83 ?? ?? 75 ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 8? ?? ?? ?? ?? ?? 8? ?? ?? 33 ?? E8 ?? ?? ?? ?? 8? ?? 5D C3 CC 5? 8? ?? B8 ?? ?? ?? ?? 6B ?? ?? 8? ?? ?? 0F BE ?? ?? 83 ?? ?? 75 ?? B9 ?? ?? ?? ?? D1 ?? 8? ?? ?? 0F BE ?? ?? 83 ?? ?? 75 ?? B9 ?? ?? ?? ?? C1 ?? ?? 8? ?? ?? 0F BE ?? ?? 83 ?? ?? 74 ?? B9 ?? ?? ?? ?? C1 ?? ?? 8? ?? ?? 0F BE ?? ?? 83 ?? ?? 74 ?? B9 ?? ?? ?? ?? C1 ?? ?? 8? ?? ?? 0F BE ?? ?? 83 ?? ?? 74 ?? B9 ?? ?? ?? ?? C1 ?? ?? 8? ?? ?? 0F BE ?? ?? 83 ?? ?? 74 ?? B9 ?? ?? ?? ?? C1 ?? ?? 8? ?? ?? 0F BE ?? ?? 83 ?? ?? 75 ?? B8 ?? ?? ?? ?? EB ?? 33 ?? 5D C3 CC CC CC CC CC CC CC 5? 8? ?? B8 ?? ?? ?? ?? C1 ?? ?? 8? ?? ?? 0F BE ?? ?? 83 ?? ?? 75 ?? B8 ?? ?? ?? ?? 6B ?? ?? 8? ?? ?? 0F BE ?? ?? 83 ?? ?? 74 ?? B9 ?? ?? ?? ?? 6B ?? ?? 8? ?? ?? 0F BE ?? ?? 83 ?? ?? 74 ?? BA ?? ?? ?? ?? 6B ?? ?? 8? ?? ?? 0F BE ?? ?? 83 ?? ?? 74 ?? B8 ?? ?? ?? ?? 6B ?? ?? 8? ?? ?? 0F BE ?? ?? 83 ?? ?? 74 ?? B9 ?? ?? ?? ?? 6B ?? ?? 8? ?? ?? 0F BE ?? ?? 83 ?? ?? 75 ?? B8 ?? ?? ?? ?? EB ?? 33 ?? 5D C3 CC CC CC CC CC CC CC CC CC CC 5? 8? ?? 81 ?? ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 ?? 8? ?? ?? FF ?? ?? ?? ?? ?? 8? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8? ?? ?? ?? ?? ?? 8? ?? ?? ?? ?? 
?? 8D ?? ?? ?? ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 8D ?? ?? 5? E8 ?? ?? ?? ?? 83 ?? ?? 8? ?? ?? ?? ?? ?? 81 ?? ?? ?? ?? ?? 0F B7 ?? 25 ?? ?? ?? ?? 0F B6 ?? 8? ?? ?? ?? ?? ?? 8? ?? ?? ?? ?? ?? 81 ?? ?? ?? ?? ?? 0F B7 ?? C1 ?? ?? 25 ?? ?? ?? ?? 0F B6 ?? 8? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8? ?? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 75 ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? EB ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 8? ?? ?? ?? ?? ?? 5? 8? ?? ?? ?? ?? ?? 5? 8? ?? ?? ?? ?? ?? 5? 8D ?? ?? 5? 8D ?? ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? 8? ?? ?? ?? ?? ?? 5? 8? ?? ?? ?? ?? ?? 5? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 5? FF ?? ?? ?? ?? ?? 83 ?? ?? 83 ?? ?? ?? ?? ?? ?? 75 ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? A3 ?? ?? ?? ?? B9 ?? ?? ?? ?? 6B ?? ?? A1 ?? ?? ?? ?? C6 ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 0F 85 ?? ?? ?? ?? B9 ?? ?? ?? ?? 6B ?? ?? A1 ?? ?? ?? ?? 0F BE ?? ?? 85 ?? 75 ?? 8? ?? ?? ?? ?? ?? 5? (E8|FF) } - - condition: - uint16be(0) == 0x4D5A and $byte_code -} - -/* - -SAMPLES: - -0002218f5c47ef709e390288e4268a02bb9d9087a996bb55d3a9c23d68a46760_S1.exe -006495c7fb7388f0513a24d9d09bf9517d5a3fd05c0da7d39311f6e6cf0f8fe3_S1.exe -000f7832251ae4ba41c42c46d83cbf13d0b2aed0c1f949fbe68b728fdcb2fada_S1.exe -000fa485eda66fd4b5acd3fee4e2cdf5bd8e82a4968d27c202fe4747dfb57d00_S1.exe -001451cfe7d492163ebcdaa2a3da9eb849ab0bd509cd969dd75965c88c19d5d4_S1.exe -001627a8adaf2ea97b19dd4f6b915abf57bd41b4fe7af33d5f9f381a97d04a3d_S1.exe -001856ba5da54bdf6cb87c61254af2ca9f936e83402e43579177bd0f4ac1f120_S1.exe -0022f6c5ec68cabb34eee693cb23cb72a1099719b93f552cb9a09a99a0086afc_S1.exe -002763b63f07529dd29c7840fed0e1bc68c974364b3aa64f7b6b225ca191f87f_S1.exe -002ccf946b928eb123790aa8a6a4e1574827f6d387c661003df6e095d1d9137b_S1.exe -002d93a56d6da0d4cd39c1d1bb36ebfb8bb493b0a204882120fc305c1b840caa_S1.exe -0031be555860fee238837c1004d2f0ec353487ce6f9d0715106bb5670d965862_S1.exe -0033f126d294bdda76e68d8dc994189a5d82e728e9e2cbe273789107bd855e06_S1.exe 
-0039b33d9b86b02a4df6a605018a9749693ea3d871b187d9d1e1e0ec58e63f26_S1.exe -003e0e981f9ec2f4ff844161dc2aca600df38965b9dd586532ede80f6367e90b_S1.exe -0042539fb052745f1568b089bf86e41d393b981cdfc7201f7d8bdde145714fe2_S1.exe -0043d7cf12ad497de3cc4739a435f1765ec4c65e05e1f21faecfe40cc9d4fc35_S1.exe -004fa50455bac533cfa150660a6148ed20eb19a1169aa48991367eabb7494f1e_S1.exe -00509f0c3436a02e09a49226169d28979d0b4eb42375cf2dbb1733cc67333b73_S1.exe -0056fc1baedc78d43638f509d4a2ff617567cdffe4e0aa6a9892d80b076b2e4d_S1.exe -0058b39843b0c37520a28a4d239de2e934a811159fe6a310e63b9fcf85ac2cf7_S1.exe -005b3491673d414c65c0b2c8c351b672dd41a1679c97ffd7e4e0a6b1d00580a9_S1.exe -005dee83851ee0db47b705b4ac6857bc4649e59c47418208d62ce3cc0c1f9a02_S1.exe -006446a6303d85b5427139c6bc08c0f12e361d49cd7fa1ccc3e431d2fdd56d8c_S1.exe -0065a97402349fbbe5195effd6329ed89eb276ac3f728c7f8827d913d1296037_S1.exe -006cc18d23ba7ec78ce5d3e78cde63157abd05b1e1908c93c35f99933637a6e7_S1.exe -006cc87046164b41330918db95150f16227aa235865c4c95283b2d5fb9bd0d18_S1.exe -008d53efab6e0be2f356ce86581414db9804d46170eea4b408b6f23690a35487_S1.exe -009794dbe2aefed8ebd0d433c4b5c8931f6b3c1eaf0fbb34ad3fb247ae8dd0b5_S1.exe -009b714c0a6731f2eadd04dab409172d34986526a298b7a1fe4f51152bf6773e_S1.exe -00a1fb0d0a45ec998f65a458e55790e49944bb36b9398d7be495aa7ac7f27ac4_S1.exe -00a24e6e5da9bea88f695e7b15621f418f683ce0b185ee67ba66e91bfe360e53_S1.exe -00a90d131960bbad21a4f787f328d69b3af514f6e800cea606deb97aa0393e29_S1.exe -00aae024d89ebdee5464f410fe588f31a1888f84eb68ee6dddb1ddf9b86012aa_S1.exe -00ae14dc7815f74b083abc290d561d59fa8bc9717c22423fdec109bedc0de170_S1.exe -00b088c257b7aab93e262445085337261a8b6d4369e9e48c6fe840c56971d8c2_S1.exe -00b3c741c366252a8472046960b35636cf6c651a73d94d2810d14446dfae6db1_S1.exe -00b46ed617c1d651dadd8b4abad8b644f30e49e0d12bc378dfb720f9b55b6277_S1.exe -00b4f5d82ff5636d87821e2eb367c63bf83f478d4d4c480a3d9bc920bcd23f4a_S1.exe -00b515429f4b16a501d7c97999eb884210dcf5b413b3896e11c03a926b31289f_S1.exe 
-00bdb09cd6dfc308cc101aa009240ba612df781c62efb705f7b2ba9c198494d9_S1.exe -00c4a1abded604c193671ac83935cf5e84bf272b5b574c26dfc814821d38155e_S1.exe -00c7f1f0183fdb23eba1c5bfbe94518bbe22093bd8ae648c8c242229ca65c46a_S1.exe -00c9f1276737f9ab4eb49c6c3a8c955cae7085fb7744ab0f0b90cc6b83eea377_S1.exe -00d552f43b11e0017ff34576e2fbe5d47db4c5141ed0cc7cad1a6367a5161839_S1.exe - -BYTES: - -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 - -*/ \ No newline at end of file diff --git a/yara-mikesxrs/paloalto/hancitor_stage1.yar b/yara-mikesxrs/paloalto/hancitor_stage1.yar deleted file mode 100644 index 2d8d485..0000000 --- a/yara-mikesxrs/paloalto/hancitor_stage1.yar +++ /dev/null 
@@ -1,16 +0,0 @@ -rule hancitor_stage1 - { - meta: - author = "Jeff White - jwhite@paloaltonetworks.com @noottrak" - date = "26AUG2016" - reference = "https://github.com/pan-unit42/public_tools/tree/master/hancitor" - - strings: - $byte_code = { EB ?? 33 ?? 22 ?? ?? ?? ?? ?? 83 ?? ?? F7 ?? 81 ?? ?? ?? ?? ?? 32 ?? 8? ?? 33 ?? 83 ?? ?? 74 ?? 66 85 ?? 74 ?? F6 ?? ?? 74 ?? 8D ?? ?? EB ?? 33 ?? BD ?? ?? ?? ?? 66 03 ?? 66 A3 ?? ?? ?? ?? B0 ?? 2A ?? A2 ?? ?? ?? ?? 33 ?? 0F B7 ?? ?? ?? ?? ?? B0 ?? 84 ?? 74 ?? B8 ?? ?? ?? ?? 66 3B ?? ?? ?? ?? ?? 75 ?? B8 ?? ?? ?? ?? EB ?? 33 ?? 22 ?? ?? ?? ?? ?? 83 ?? ?? F7 ?? 81 ?? ?? ?? ?? ?? 32 ?? 8? ?? 33 ?? 83 ?? ?? 74 ?? 66 85 ?? 74 ?? F6 ?? ?? 74 ?? 8D ?? ?? EB ?? 33 ?? BD ?? ?? ?? ?? 66 03 ?? 66 A3 ?? ?? ?? ?? B0 ?? 2A ?? A2 ?? ?? ?? ?? 33 ?? 0F B7 ?? ?? ?? ?? ?? B0 ?? 84 ?? 74 ?? B8 ?? ?? ?? ?? 66 3B ?? ?? ?? ?? ?? 75 ?? B8 ?? ?? ?? ?? EB ?? 33 ?? 22 ?? ?? ?? ?? ?? 83 ?? ?? F7 ?? 81 ?? ?? ?? ?? ?? 32 ?? 8? ?? 33 ?? 83 ?? ?? 74 ?? 66 85 ?? 74 ?? F6 ?? ?? 74 ?? 8D ?? ?? EB ?? 33 ?? BD ?? ?? ?? ?? 66 03 ?? 66 A3 ?? ?? ?? ?? B0 ?? 2A ?? A2 ?? ?? ?? ?? 33 ?? 0F B7 ?? ?? ?? ?? ?? B0 ?? 84 ?? 74 ?? B8 ?? ?? ?? ?? 66 3B ?? ?? ?? ?? ?? 75 ?? B8 ?? ?? ?? ?? EB ?? 33 ?? 22 ?? ?? ?? ?? ?? 83 ?? ?? F7 ?? 81 ?? ?? ?? ?? ?? 32 ?? 8? ?? 33 ?? 83 ?? ?? 74 ?? 66 85 ?? 74 ?? F6 ?? ?? 74 ?? 8D ?? ?? EB ?? 33 ?? BD ?? ?? ?? ?? 66 03 ?? 66 A3 ?? ?? ?? ?? B0 ?? 2A ?? A2 ?? ?? ?? ?? 33 ?? 0F B7 ?? ?? ?? ?? ?? B0 ?? 84 ?? 74 ?? B8 ?? ?? ?? ?? 66 3B ?? ?? ?? ?? ?? 75 ?? B8 ?? ?? ?? ?? EB ?? 33 ?? 22 ?? ?? ?? ?? ?? 83 ?? ?? F7 ?? 81 ?? ?? ?? ?? ?? 32 ?? 8? ?? 33 ?? 83 ?? ?? 74 ?? 66 85 ?? 74 ?? F6 ?? ?? 74 ?? 8D ?? ?? EB ?? 33 ?? BD ?? ?? ?? ?? 66 03 ?? 66 A3 ?? ?? ?? ?? B0 ?? 2A ?? A2 ?? ?? ?? ?? 33 ?? 0F B7 ?? ?? ?? ?? ?? B0 ?? 84 ?? 74 ?? B8 ?? ?? ?? ?? 66 3B ?? ?? ?? ?? ?? 75 ?? B8 ?? ?? ?? ?? EB ?? 33 ?? 22 ?? ?? ?? ?? ?? 83 ?? ?? F7 ?? 81 ?? ?? ?? ?? ?? 32 ?? 8? ?? 33 ?? 83 ?? ?? 74 ?? 66 85 ?? 74 ?? F6 ?? ?? 74 ?? 8D ?? ?? EB ?? 33 ?? BD ?? ?? ?? ?? 
66 03 ?? 66 A3 ?? ?? ?? ?? B0 ?? 2A ?? A2 ?? ?? ?? ?? 33 ?? 0F B7 ?? ?? ?? ?? ?? B0 ?? 84 ?? 74 ?? B8 ?? ?? ?? ?? 66 3B ?? ?? ?? ?? ?? 75 ?? B8 ?? ?? ?? ?? EB ?? 33 ?? 22 ?? ?? ?? ?? ?? 83 ?? ?? F7 ?? 81 ?? ?? ?? ?? ?? 32 ?? 8? ?? 33 ?? 83 ?? ?? 74 ?? 66 85 ?? 74 ?? F6 ?? ?? 74 ?? 8D ?? ?? EB ?? 33 ?? BD ?? ?? ?? ?? 66 03 ?? 66 A3 ?? ?? ?? ?? B0 ?? 2A ?? A2 ?? ?? ?? ?? 33 ?? 0F B7 ?? ?? ?? ?? ?? B0 ?? 84 ?? 74 ?? B8 ?? ?? ?? ?? 66 3B ?? ?? ?? ?? ?? 75 ?? B8 ?? ?? ?? ?? EB ?? 33 ?? 22 ?? ?? ?? ?? ?? 83 ?? ?? F7 ?? 81 ?? ?? ?? ?? ?? 32 ?? 8? ?? 33 ?? 83 ?? ?? 74 ?? 66 85 ?? 74 ?? F6 ?? ?? 74 ?? 8D ?? ?? EB ?? 33 ?? BD ?? ?? ?? ?? 66 03 ?? 66 A3 ?? ?? ?? ?? B0 ?? 2A ?? A2 ?? ?? ?? ?? 33 ?? 0F B7 ?? ?? ?? ?? ?? B0 ?? 84 ?? 74 ?? B8 ?? ?? ?? ?? 66 3B ?? ?? ?? ?? ?? 75 ?? B8 ?? ?? ?? ?? EB ?? 33 ?? 22 ?? ?? ?? ?? ?? 83 ?? ?? F7 ?? 81 ?? ?? ?? ?? ?? 32 ?? 8? ?? 33 ?? 83 ?? ?? 74 ?? 66 85 ?? 74 ?? F6 ?? ?? 74 ?? 8D ?? ?? EB ?? 33 ?? BD ?? ?? ?? ?? 66 03 ?? 66 A3 ?? ?? ?? ?? B0 ?? 2A ?? A2 ?? ?? ?? ?? 33 ?? 0F B7 ?? ?? ?? ?? ?? B0 ?? 84 ?? 74 ?? B8 ?? ?? ?? ?? 66 3B ?? ?? ?? ?? ?? 75 ?? B8 ?? ?? ?? ?? EB ?? 33 ?? 22 ?? ?? ?? ?? ?? 83 ?? ?? F7 ?? 81 ?? ?? ?? ?? ?? 32 ?? 8? ?? 33 ?? 83 ?? ?? 74 ?? 66 85 ?? 74 ?? F6 ?? ?? 74 ?? 8D ?? ?? EB ?? 33 ?? BD ?? ?? ?? ?? 66 03 ?? 66 A3 ?? ?? ?? ?? B0 ?? 2A ?? A2 ?? ?? ?? ?? 33 ?? 0F B7 ?? ?? ?? ?? ?? B0 ?? 84 ?? 74 ?? B8 ?? ?? ?? ?? 66 3B ?? ?? ?? ?? ?? 75 ?? B8 ?? ?? ?? ?? EB ?? 33 ?? 22 ?? ?? ?? ?? ?? 83 ?? ?? F7 ?? 81 ?? ?? ?? ?? ?? 32 ?? 8? ?? 33 ?? 83 ?? ?? 74 ?? 66 85 ?? 74 ?? F6 ?? ?? 74 ?? 8D ?? ?? EB ?? 33 ?? BD ?? ?? ?? ?? 66 03 ?? 66 A3 ?? ?? ?? ?? B0 ?? 2A ?? A2 ?? ?? ?? ?? 33 ?? 0F B7 ?? ?? ?? ?? ?? B0 ?? 84 ?? 74 ?? B8 ?? ?? ?? ?? 66 3B ?? ?? ?? ?? ?? 75 ?? B8 ?? ?? ?? ?? EB ?? 33 ?? 22 ?? ?? ?? ?? ?? 83 ?? ?? F7 ?? 81 ?? ?? ?? ?? ?? 32 ?? 8? ?? 33 ?? 83 ?? ?? 74 ?? 66 85 ?? 74 ?? F6 ?? ?? 74 ?? 8D ?? ?? EB ?? 33 ?? BD ?? ?? ?? ?? 66 03 ?? 66 A3 ?? ?? ?? ?? B0 ?? 2A ?? A2 ?? ?? ?? ?? 33 ?? 0F B7 ?? ?? ?? ?? ?? B0 ?? 
84 ?? 74 ?? B8 ?? ?? ?? ?? 66 3B ?? ?? ?? ?? ?? 75 ?? B8 ?? ?? ?? ?? EB ?? 33 ?? 22 ?? ?? ?? ?? ?? 83 ?? ?? F7 ?? 81 ?? ?? ?? ?? ?? 32 ?? 8? ?? 33 ?? 83 ?? ?? 74 ?? 66 85 ?? 74 ?? F6 ?? ?? 74 ?? 8D ?? ?? EB ?? 33 ?? BD ?? ?? ?? ?? 66 03 ?? 66 A3 ?? ?? ?? ?? B0 ?? 2A ?? A2 ?? ?? ?? ?? 33 ?? 0F B7 ?? ?? ?? ?? ?? B0 ?? 84 ?? 74 ?? B8 ?? ?? ?? ?? 66 3B ?? ?? ?? ?? ?? 75 ?? B8 ?? ?? ?? ?? EB ?? 33 ?? 22 ?? ?? ?? ?? ?? 83 ?? ?? F7 ?? 81 ?? ?? ?? ?? ?? 32 ?? 8? ?? 33 ?? 83 ?? ?? 74 ?? 66 85 ?? 74 ?? F6 ?? ?? 74 ?? 8D ?? ?? EB ?? 33 ?? BD ?? ?? ?? ?? 66 03 ?? 66 A3 ?? ?? ?? ?? B0 ?? 2A ?? A2 ?? ?? ?? ?? 33 ?? 0F B7 ?? ?? ?? ?? ?? B0 ?? 84 ?? 74 ?? B8 ?? ?? ?? ?? 66 3B ?? ?? ?? ?? ?? 75 ?? B8 ?? ?? ?? ?? EB ?? 33 ?? 22 ?? ?? ?? ?? ?? 83 ?? ?? F7 ?? 81 ?? ?? ?? ?? ?? 32 ?? 8? ?? 33 ?? 83 ?? ?? 74 ?? 66 85 ?? 74 ?? F6 ?? ?? 74 ?? 8D ?? ?? EB ?? 33 ?? BD ?? ?? ?? ?? 66 03 ?? 66 A3 ?? ?? ?? ?? B0 ?? 2A ?? A2 ?? ?? ?? ?? 33 ?? 0F B7 ?? ?? ?? ?? ?? B0 ?? 84 ?? 74 ?? B8 ?? ?? ?? ?? 66 3B ?? ?? ?? ?? ?? 75 ?? B8 ?? ?? ?? ?? EB ?? 33 ?? 22 ?? ?? ?? ?? ?? 83 ?? ?? F7 ?? 81 ?? ?? ?? ?? ?? 32 ?? 8? ?? 33 ?? 83 ?? ?? 74 ?? 66 85 ?? 74 ?? F6 ?? ?? 74 ?? 8D ?? ?? EB ?? 33 ?? BD ?? ?? ?? ?? 66 03 ?? 66 A3 ?? ?? ?? ?? B0 ?? 2A ?? A2 ?? ?? ?? ?? 33 ?? 0F B7 ?? ?? ?? ?? ?? B0 ?? 84 ?? 74 ?? B8 ?? ?? ?? ?? 66 3B ?? ?? ?? ?? ?? 75 ?? B8 ?? ?? ?? ?? EB ?? 33 ?? 22 ?? ?? ?? ?? ?? 83 ?? ?? F7 ?? 81 ?? ?? ?? ?? ?? 32 ?? 8? ?? 33 ?? 83 ?? ?? 74 ?? 66 85 ?? 74 ?? F6 ?? ?? 74 ?? 8D ?? ?? EB ?? 33 ?? BD ?? ?? ?? ?? 66 03 ?? 66 A3 ?? ?? ?? ?? B0 ?? 2A ?? A2 ?? ?? ?? ?? 33 ?? 0F B7 ?? ?? ?? ?? ?? B0 ?? 84 ?? 74 ?? B8 ?? ?? ?? ?? 66 3B ?? ?? ?? ?? ?? 75 ?? B8 ?? ?? ?? ?? EB ?? 33 ?? 22 ?? ?? ?? ?? ?? 83 ?? ?? F7 ?? 81 ?? ?? ?? ?? ?? 32 ?? 8? ?? 33 ?? 83 ?? ?? 74 ?? 66 85 ?? 74 ?? F6 ?? ?? 74 ?? 8D ?? ?? EB ?? 33 ?? BD ?? ?? ?? ?? 66 03 ?? 66 A3 ?? ?? ?? ?? B0 ?? 2A ?? A2 ?? ?? ?? ?? 33 ?? 0F B7 ?? ?? ?? ?? ?? B0 ?? 84 ?? 74 ?? B8 ?? ?? ?? ?? 66 3B ?? ?? ?? ?? ?? 75 ?? B8 ?? ?? ?? ?? EB ?? 33 ?? 22 ?? ?? 
?? ?? ?? 83 ?? ?? F7 ?? 81 ?? ?? ?? ?? ?? 32 ?? 8? ?? 33 ?? 83 ?? ?? 74 ?? 66 85 ?? 74 ?? F6 ?? ?? 74 ?? 8D ?? ?? EB ?? 33 ?? BD ?? ?? ?? ?? 66 03 ?? 66 A3 ?? ?? ?? ?? B0 ?? 2A ?? A2 ?? ?? ?? ?? 33 ?? 0F B7 ?? ?? ?? ?? ?? B0 ?? 84 ?? 74 ?? B8 ?? ?? ?? ?? 66 3B ?? ?? ?? ?? ?? 75 ?? B8 ?? ?? ?? ?? EB ?? 33 ?? 22 ?? ?? ?? ?? ?? 83 ?? ?? F7 ?? 81 ?? ?? ?? ?? ?? 32 ?? 8? ?? 33 ?? 83 ?? ?? 74 ?? 66 85 ?? 74 ?? F6 ?? ?? 74 ?? 8D ?? ?? EB ?? 33 ?? BD ?? ?? ?? ?? 66 03 ?? 66 A3 ?? ?? ?? ?? B0 ?? 2A ?? A2 ?? ?? ?? ?? 33 ?? 0F B7 ?? ?? ?? ?? ?? B0 ?? 84 ?? 74 ?? B8 ?? ?? ?? ?? 66 3B ?? ?? ?? ?? ?? 75 ?? B8 ?? ?? ?? ?? EB ?? 33 ?? 22 ?? ?? ?? ?? ?? 83 ?? ?? F7 ?? 81 ?? ?? ?? ?? ?? 32 ?? 8? ?? 33 ?? 83 ?? ?? 74 ?? 66 85 ?? 74 ?? F6 ?? ?? 74 ?? 8D ?? ?? EB ?? 33 ?? BD ?? ?? ?? ?? 66 03 ?? 66 A3 ?? ?? ?? ?? B0 ?? 2A ?? A2 ?? ?? ?? ?? 33 ?? 0F B7 ?? ?? ?? ?? ?? B0 ?? 84 ?? 74 ?? B8 ?? ?? ?? ?? 66 3B ?? ?? ?? ?? ?? 75 ?? B8 ?? ?? ?? ?? EB ?? 33 ?? 22 ?? ?? ?? ?? ?? 83 ?? ?? F7 ?? 81 ?? ?? ?? ?? ?? 32 ?? 8? ?? 33 ?? 83 ?? ?? 74 ?? 66 85 ?? 74 ?? F6 ?? ?? 74 ?? 8D ?? ?? EB ?? 33 ?? BD ?? ?? ?? ?? 66 03 ?? 66 A3 ?? ?? ?? ?? B0 ?? 2A ?? A2 ?? ?? ?? ?? 33 ?? 0F B7 ?? ?? ?? ?? ?? B0 ?? 84 ?? 74 ?? B8 ?? ?? ?? ?? 66 3B ?? ?? ?? ?? ?? 75 ?? B8 ?? ?? ?? ?? EB ?? 33 ?? 22 ?? ?? ?? ?? ?? 83 ?? ?? F7 ?? 81 ?? ?? ?? ?? ?? 32 ?? 8? ?? 33 ?? 83 ?? ?? 74 ?? 66 85 ?? 74 ?? F6 ?? ?? 74 ?? 8D ?? ?? EB ?? 33 ?? BD ?? ?? ?? ?? 66 03 ?? 66 A3 ?? ?? ?? ?? B0 ?? 2A ?? A2 ?? ?? ?? ?? 33 ?? 0F B7 ?? ?? ?? ?? ?? B0 ?? 84 ?? 74 ?? B8 ?? ?? ?? ?? 66 3B ?? ?? ?? ?? ?? 75 ?? B8 ?? ?? ?? ?? EB ?? 33 ?? 22 ?? ?? ?? ?? ?? 83 ?? ?? F7 ?? 81 ?? ?? ?? ?? ?? 32 ?? 8? ?? 33 ?? 83 ?? ?? 74 ?? 66 85 ?? 74 ?? F6 ?? ?? 74 ?? 8D ?? ?? EB ?? 33 ?? BD ?? ?? ?? ?? 66 03 ?? 66 A3 ?? ?? ?? ?? B0 ?? 2A ?? A2 ?? ?? ?? ?? 33 ?? 0F B7 ?? ?? ?? ?? ?? B0 ?? 84 ?? 74 ?? B8 ?? ?? ?? ?? 66 3B ?? ?? ?? ?? ?? 75 ?? B8 ?? ?? ?? ?? EB ?? 33 ?? 22 ?? ?? ?? ?? ?? 83 ?? ?? F7 ?? 81 ?? ?? ?? ?? ?? 32 ?? 8? ?? 33 ?? 83 ?? ?? 74 ?? 66 85 ?? 74 ?? 
F6 ?? ?? 74 ?? 8D ?? ?? EB ?? 33 ?? BD ?? ?? ?? ?? 66 03 ?? 66 A3 ?? ?? ?? ?? B0 ?? 2A ?? A2 ?? ?? ?? ?? 33 ?? 0F B7 ?? ?? ?? ?? ?? B0 ?? 84 ?? 74 ?? B8 ?? ?? ?? ?? 66 3B ?? ?? ?? ?? ?? 75 ?? B8 ?? ?? ?? ?? EB ?? 33 ?? 22 ?? ?? ?? ?? ?? 83 ?? ?? F7 ?? 81 ?? ?? ?? ?? ?? 32 ?? 8? ?? 33 ?? 83 ?? ?? 74 ?? 66 85 ?? 74 ?? F6 ?? ?? 74 ?? 8D ?? ?? EB ?? 33 ?? BD ?? ?? ?? ?? 66 03 ?? 66 A3 ?? ?? ?? ?? B0 ?? 2A ?? A2 ?? ?? ?? ?? 33 ?? 0F B7 ?? ?? ?? ?? ?? B0 ?? 84 ?? 74 ?? B8 ?? ?? ?? ?? 66 3B ?? ?? ?? ?? ?? 75 ?? B8 ?? ?? ?? ?? EB ?? 33 ?? 22 ?? ?? ?? ?? ?? 83 ?? ?? 32 ?? F7 ?? 81 ?? ?? ?? ?? ?? 8? ?? ?? ?? ?? ?? 8? ?? 33 ?? 83 ?? ?? 74 ?? 66 85 ?? 74 ?? F6 ?? ?? 74 ?? 8D ?? ?? EB ?? 33 ?? 8? ?? ?? ?? ?? ?? 33 ?? BA ?? ?? ?? ?? 66 03 ?? 66 A3 ?? ?? ?? ?? B0 ?? 2A ?? B2 ?? 0F B7 ?? A2 ?? ?? ?? ?? 84 ?? 74 ?? B8 ?? ?? ?? ?? 66 3B ?? ?? ?? ?? ?? 75 ?? B8 ?? ?? ?? ?? EB ?? 33 ?? 30 ?? ?? ?? ?? ?? 22 ?? ?? ?? ?? ?? 83 ?? ?? F7 ?? 81 ?? ?? ?? ?? ?? 8? ?? 33 ?? 83 ?? ?? 74 ?? 66 85 ?? 74 ?? F6 ?? ?? 74 ?? 8D ?? ?? EB ?? 33 ?? 33 ?? B9 ?? ?? ?? ?? 66 03 ?? 66 89 ?? ?? ?? ?? ?? 8? ?? ?? ?? ?? ?? 0F B7 ?? B2 ?? 2A ?? B0 ?? 8? ?? ?? ?? 8? ?? ?? ?? ?? ?? 84 ?? 74 ?? B9 ?? ?? ?? ?? 66 3B ?? ?? ?? ?? ?? 75 ?? 8D ?? ?? EB ?? 33 ?? 22 ?? ?? ?? ?? ?? 30 ?? ?? ?? ?? ?? 0F BE ?? B0 ?? 83 ?? ?? A2 ?? ?? ?? ?? 83 ?? ?? 0F 82 ?? ?? ?? ?? 0F BF ?? ?? ?? ?? ?? 8? ?? 6B ?? ?? B8 ?? ?? ?? ?? F7 ?? 03 ?? C1 ?? ?? 8? ?? C1 ?? ?? 03 ?? 8? ?? ?? ?? A0 ?? ?? ?? ?? 34 ?? A2 ?? ?? ?? ?? A1 ?? ?? ?? ?? B9 ?? ?? ?? ?? 2B ?? BA ?? ?? ?? ?? D3 ?? 8? ?? 83 ?? ?? D3 ?? 8? ?? ?? ?? ?? ?? 81 ?? ?? ?? ?? ?? 33 ?? 23 ?? 66 31 ?? ?? ?? ?? ?? 0F BE ?? ?? ?? ?? ?? 83 ?? ?? 23 ?? 33 ?? 81 ?? ?? ?? ?? ?? 0F 94 ?? 8? ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? 0B ?? 81 ?? ?? ?? ?? ?? 33 ?? 66 83 ?? ?? ?? ?? ?? ?? 8? ?? ?? ?? ?? ?? 66 8B ?? ?? ?? ?? ?? 0F 94 ?? 66 33 ?? ?? ?? 49 66 23 ?? 85 ?? 75 ?? 8? ?? ?? ?? 32 ?? 66 0F BE ?? A2 ?? ?? ?? ?? 0F BE ?? 41 69 ?? ?? ?? ?? ?? 21 ?? ?? ?? ?? ?? 0F B7 ?? 8? ?? ?? ?? 33 ?? B9 ?? ?? ?? ?? 
F7 ?? A0 ?? ?? ?? ?? 8? ?? ?? ?? C7 ?? ?? ?? ?? ?? ?? ?? 8? ?? ?? ?? 8? ?? ?? ?? ?? ?? FE ?? 0F BE ?? 80 ?? ?? 2D ?? ?? ?? ?? BA ?? ?? ?? ?? 8? ?? ?? ?? ?? ?? 75 ?? 66 85 ?? 74 ?? 8? ?? FE ?? A2 ?? ?? ?? ?? 8? ?? 2C ?? 0C ?? A2 ?? ?? ?? ?? BA ?? ?? ?? ?? 33 ?? 4A 66 85 ?? 0F 95 ?? 22 ?? 2A ?? 85 ?? 75 ?? 8? ?? ?? ?? 8? ?? ?? ?? ?? ?? 33 ?? 81 ?? ?? ?? ?? ?? ?? ?? ?? ?? B0 ?? 0F 94 ?? 8? ?? ?? ?? 80 ?? ?? ?? ?? ?? ?? 66 89 ?? ?? ?? ?? ?? 8? ?? D2 ?? C0 ?? ?? 0A ?? ?? ?? ?? ?? 66 0F BE ?? B8 ?? ?? ?? ?? F7 ?? A1 ?? ?? ?? ?? C1 ?? ?? 69 ?? ?? ?? ?? ?? 2B ?? 03 ?? ?? ?? 66 89 ?? ?? ?? ?? ?? 8? ?? 0F BE ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? F7 ?? 03 ?? C1 ?? ?? 8? ?? C1 ?? ?? 03 ?? 69 ?? ?? ?? ?? ?? 8? ?? 2B ?? 03 ?? 0F BF ?? ?? ?? 8? ?? ?? ?? 83 ?? ?? 0F 94 ?? 32 ?? ?? ?? ?? ?? 8? ?? ?? ?? 34 ?? A2 ?? ?? ?? ?? 33 ?? 81 ?? ?? ?? ?? ?? 0F 94 ?? 23 ?? 83 ?? ?? 74 ?? 80 ?? ?? ?? ?? ?? ?? 74 ?? B8 ?? ?? ?? ?? EB ?? 33 ?? 30 ?? ?? ?? ?? ?? 8? ?? ?? ?? A0 ?? ?? ?? ?? D3 ?? 32 ?? 34 ?? 33 ?? 3B ?? ?? ?? A2 ?? ?? ?? ?? 0F 94 ?? 33 ?? ?? ?? ?? ?? 75 ?? 66 39 ?? ?? ?? ?? ?? 75 ?? 33 ?? EB ?? B8 ?? ?? ?? ?? 28 ?? ?? ?? ?? ?? 33 ?? 39 ?? ?? ?? ?? ?? 8? ?? ?? ?? 0F 94 ?? C7 ?? ?? ?? ?? ?? ?? ?? A3 ?? ?? ?? ?? B8 ?? ?? ?? ?? F7 ?? C1 ?? ?? B8 ?? ?? ?? ?? 8? ?? ?? ?? F7 ?? 8? ?? 2B ?? D1 ?? 03 ?? C1 ?? ?? 8? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? 75 ?? 66 83 ?? ?? ?? ?? 75 ?? 8D ?? ?? 85 ?? 75 ?? 33 ?? EB ?? B9 ?? ?? ?? ?? 8? ?? ?? ?? ?? ?? A0 ?? ?? ?? ?? 32 ?? 66 0F BE ?? 66 2B ?? 8? ?? 66 D3 ?? 0F BE ?? A2 ?? ?? ?? ?? 8? ?? ?? ?? 3B ?? 0F 94 ?? 0A ?? 0F B6 ?? 8? ?? ?? ?? ?? ?? 0F BE ?? 8? ?? 02 ?? 81 ?? ?? ?? ?? ?? 74 ?? 85 ?? 75 ?? 8? ?? ?? ?? ?? ?? 39 ?? ?? ?? 74 ?? 33 ?? EB ?? 8? ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? 8? ?? ?? ?? 66 33 ?? A1 ?? ?? ?? ?? 66 89 ?? ?? ?? ?? ?? 8? ?? ?? ?? 69 ?? ?? ?? ?? ?? 2B ?? 33 ?? 03 ?? 0F B7 ?? 8? ?? ?? ?? BE ?? ?? ?? ?? 8? ?? 80 ?? ?? 0A ?? 83 ?? ?? 75 ?? } - $meta_CN = "SynapticosSoft, Corporation." 
wide ascii // CompanyName
- $meta_PN = "ngqlgdA" wide ascii // ProductName
- $meta_OF = "MpklYuere.exe" wide ascii // OriginalFilename
-
- condition:
- uint16be(0) == 0x4D5A and ($byte_code or all of ($meta_*))
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/paloalto/powerstager.yar b/yara-mikesxrs/paloalto/powerstager.yar
deleted file mode 100644
index 1d4ffa0..0000000
--- a/yara-mikesxrs/paloalto/powerstager.yar
+++ /dev/null
@@ -1,40 +0,0 @@
-rule powerstager
-{
- meta:
- author = "Jeff White - jwhite@paloaltonetworks.com @noottrak"
- date = "02JAN2018"
- hash1 = "758097319d61e2744fb6b297f0bff957c6aab299278c1f56a90fba197795a0fa" //x86
- hash2 = "83e714e72d9f3c500cad610c4772eae6152a232965191f0125c1c6f97004b7b5" //x64
- description = "Detects PowerStager Windows executable, both x86 and x64"
- reference = "https://researchcenter.paloaltonetworks.com/2018/01/unit42-powerstager-analysis/"
-
- strings:
- $filename = /%s\\[a-zA-Z0-9]{12}/
- $pathname = "TEMP" wide ascii
-// $errormsg = "The version of this file is not compatible with the version of Windows you're running." wide ascii
- $filedesc = "Lorem ipsum dolor sit amet, consecteteur adipiscing elit" wide ascii
- $apicall_01 = "memset"
- $apicall_02 = "getenv"
- $apicall_03 = "fopen"
- $apicall_04 = "memcpy"
- $apicall_05 = "fwrite"
- $apicall_06 = "fclose"
- $apicall_07 = "CreateProcessA"
- $decoder_x86_01 = { 8D 95 [4] 8B 45 ?? 01 D0 0F B6 18 8B 4D ?? }
- $decoder_x86_02 = { 89 C8 0F B6 84 05 [4] 31 C3 89 D9 8D 95 [4] 8B 45 ?? 01 D0 88 08 83 45 [2] 8B 45 ?? 3D }
- $decoder_x64_01 = { 8B 85 [4] 48 98 44 0F [7] 8B 85 [4] 48 63 C8 48 }
- $decoder_x64_02 = { 48 89 ?? 0F B6 [3-6] 44 89 C2 31 C2 8B 85 [4] 48 98 }
-
- condition:
- uint16be(0) == 0x4D5A
- and
- all of ($apicall_*)
- and
- $filename
- and
- $pathname
- and
- $filedesc
- and
- (2 of ($decoder_x86*) or 2 of ($decoder_x64*))
-}
diff --git a/yara-mikesxrs/paloalto/webshell_chinachopper_oab.yar b/yara-mikesxrs/paloalto/webshell_chinachopper_oab.yar
deleted file mode 100644
index b9bb29c..0000000
--- a/yara-mikesxrs/paloalto/webshell_chinachopper_oab.yar
+++ /dev/null
@@ -1,70 +0,0 @@
-rule webshell_chinachopper_oab
-
-{
-
-meta:
-
-author = "Jeff White (Palo Alto Networks) @noottrak"
-
-reference = "https://unit42.paloaltonetworks.com/china-chopper-webshell/"
-
-date = "02MAR2021"
-
-hash01 = "e8ea17cd1de6d3389c792cce8c0ff1927a6386f0ef32ab0b097763de1f86ffc8"
-
-hash02 = "34f9944a85ffba58f3fa60c5dc32da1ce6743dae261e1820ef6c419808757112"
-
-hash03 = "55fbfab29f9d2c26f81f1ff901af838110d7f76acc81f14b791a8903aa8b8425"
-
-hash04 = "6e75bbcdd22ec9df1c7796e381a83f88e3ae82f5698c6b31b64d8f11e9cfd867"
-
-strings:
-
-// Detect OAB file
-
-$OAB01 = "ExternalUrl" ascii // Contains webshell
-
-$OAB02 = "InternalUrl" ascii
-
-$OAB03 = "ExchangeVersion" ascii
-
-$OAB04 = "WhenChangedUTC" ascii
-
-// Detect injected Url variants
-
-$HTTP01 = "http://f/" ascii nocase
-
-$HTTP02 = "http://g/" ascii nocase
-
-$HTTP03 = "http://p/" ascii nocase
-
-// Detect ChinaChopper variants
-
-$websh01 = "<script language=\"JScript\"" ascii nocase
-
-$websh02 = "<script language=\"c#\"" ascii nocase
-
-$websh03 = "<script runat=\"server\"" ascii nocase
-
-// Detect webshell anchors
-
-$cc01 = "Request" ascii nocase
-
-$cc02 = "Page_Load" ascii nocase
-
-
-
-
-// Detect injected pattern, no webshell
-
-$non = /http:\/\/[a-z]\/[a-z0-9]+/
-
-condition:
-
-(all of ($OAB*) and 1 of ($HTTP*) and 1 of ($websh*) and all of ($cc*))
-
-or
-
-(all of ($OAB*) and $non)
-
-}
diff --git a/yara-mikesxrs/pombredanne/Android_AVITOMMS_Variant.yar b/yara-mikesxrs/pombredanne/Android_AVITOMMS_Variant.yar
deleted file mode 100644
index 0477e62..0000000
--- a/yara-mikesxrs/pombredanne/Android_AVITOMMS_Variant.yar
+++ /dev/null
@@ -1,33 +0,0 @@
-import "androguard"
-
-rule Android_AVITOMMS_Variant
-{
- meta:
- author = "Jacob Soo Lead Re"
- date = "28-May-2016"
- description = "This rule try to detects Spy.Banker AVITO-MMS Variant"
- source = "https://blog.avast.com/android-banker-trojan-preys-on-credit-card-information"
-
- condition:
- (androguard.receiver(/AlarmReceiverKnock/) and
- androguard.receiver(/BootReciv/) and
- androguard.receiver(/AlarmReceiverAdm/))
-
-}
-
-rule Android_AVITOMMS_Rule2
-{
- meta:
- author = "Jacob Soo Lead Re"
- date = "01-July-2016"
- description = "This rule try to detects Spy.Banker AVITO-MMS Variant"
- source = "https://blog.avast.com/android-banker-trojan-preys-on-credit-card-information"
-
- condition:
- androguard.service(/IMService/) and
- androguard.receiver(/BootReciv/) and
- androguard.permission(/android.permission.RECEIVE_BOOT_COMPLETED/i) and
- androguard.permission(/android.permission.KILL_BACKGROUND_PROCESSES/i) and
- androguard.permission(/android.permission.SEND_SMS/i) and
- androguard.permission(/android.permission.INTERNET/i)
-}
diff --git a/yara-mikesxrs/pombredanne/Android_AndroRat.yar b/yara-mikesxrs/pombredanne/Android_AndroRat.yar
deleted file mode 100644
index c44823b..0000000
--- a/yara-mikesxrs/pombredanne/Android_AndroRat.yar
+++ /dev/null
@@ -1,15 +0,0 @@
-import "androguard"
-
-rule Android_AndroRat
-{
- meta:
- author = "Jacob Soo Lead Re"
- date = "06-July-2016"
- description = "This rule will be able to tag all the AndroRat samples."
- source = "http://www.symantec.com/connect/nl/blogs/remote-access-tool-takes-aim-android-apk-binder"
-
- condition:
- androguard.service(/my.app.client/i) and
- androguard.receiver(/BootReceiver/i) and
- androguard.filter(/android.intent.action.BOOT_COMPLETED/i)
-}
diff --git a/yara-mikesxrs/pombredanne/Android_BadMirror.yar b/yara-mikesxrs/pombredanne/Android_BadMirror.yar
deleted file mode 100644
index 848f23f..0000000
--- a/yara-mikesxrs/pombredanne/Android_BadMirror.yar
+++ /dev/null
@@ -1,14 +0,0 @@
-import "androguard"
-
-rule Android_BadMirror
-{
- meta:
- author = "Jacob Soo Lead Re"
- date = "06-June-2016"
- description = "BadMirror is Android malware. The malware sends information to its remote CnC (phone number, MAC adddress, list of installed applications...) but it also has the capability to execute a few commands such as \"app\" (download an APK) or \"page\" (display a given URL)."
- source = "https://blog.fortinet.com/post/badmirror-new-android-malware-family-spotted-by-sherlockdroid"
-
- condition:
- androguard.service(/SimInsService/i) and
- androguard.permission(/android.permission.READ_PHONE_STATE/i)
-}
diff --git a/yara-mikesxrs/pombredanne/Android_Banker_Sberbank.yar b/yara-mikesxrs/pombredanne/Android_Banker_Sberbank.yar
deleted file mode 100644
index a6bfae5..0000000
--- a/yara-mikesxrs/pombredanne/Android_Banker_Sberbank.yar
+++ /dev/null
@@ -1,15 +0,0 @@
-import "androguard"
-
-rule Android_Banker_Sberbank
-{
- meta:
- author = "Jacob Soo Lead Re"
- date = "14-July-2016"
- description = "This rule try to detects Android Banker Sberbank"
- source = "https://www.zscaler.com/blogs/research/android-banker-malware-goes-social"
-
- condition:
- androguard.service(/MasterInterceptor/i) and
- androguard.receiver(/MasterBoot/i) and
- androguard.filter(/ACTION_POWER_DISCONNECTED/i)
-}
diff --git a/yara-mikesxrs/pombredanne/Android_Clicker_G.yar b/yara-mikesxrs/pombredanne/Android_Clicker_G.yar
deleted file mode 100644
index ac3322b..0000000
--- a/yara-mikesxrs/pombredanne/Android_Clicker_G.yar
+++ /dev/null
@@ -1,14 +0,0 @@
-import "androguard"
-
-rule Android_Clicker_G
-{
- meta:
- author = "Jacob Soo Lead Re"
- date = "01-July-2016"
- description = "This rule try to detects Clicker.G samples"
- reference = "https://blogs.mcafee.com/mcafee-labs/android-malware-clicker-dgen-found-google-play/"
- strings:
- $a = "upd.php?text="
- condition:
- androguard.receiver(/MyBroadCastReceiver/i) and $a
-}
diff --git a/yara-mikesxrs/pombredanne/Android_Copy9.yar b/yara-mikesxrs/pombredanne/Android_Copy9.yar
deleted file mode 100644
index 2fe76e7..0000000
--- a/yara-mikesxrs/pombredanne/Android_Copy9.yar
+++ /dev/null
@@ -1,14 +0,0 @@
-import "androguard"
-
-rule Android_Copy9
-{
- meta:
- author = "Jacob Soo Lead Re"
- date = "06-June-2016"
- description = "This rule try to detect commercial spyware from Copy9"
- source = "http://copy9.com/"
-
- condition:
- androguard.service(/com.ispyoo/i) and
- androguard.receiver(/com.ispyoo/i)
-}
diff --git a/yara-mikesxrs/pombredanne/Android_DeathRing.yar b/yara-mikesxrs/pombredanne/Android_DeathRing.yar
deleted file mode 100644
index 7b0799a..0000000
--- a/yara-mikesxrs/pombredanne/Android_DeathRing.yar
+++ /dev/null
@@ -1,14 +0,0 @@
-import "androguard"
-
-rule Android_DeathRing
-{
- meta:
- author = "Jacob Soo Lead Re"
- date = "06-June-2016"
- description = "DeathRing is a Chinese Trojan that is pre-installed on a number of smartphones most popular in Asian and African countries. Detection volumes are moderate, though we consider this a concerning threat given its pre-loaded nature and the fact that we are actively seeing detections of it around the world."
- source = "https://blog.lookout.com/blog/2014/12/04/deathring/"
-
- condition:
- androguard.service(/MainOsService/i) and
- androguard.receiver(/ApkUninstallReceiver/i)
-}
diff --git a/yara-mikesxrs/pombredanne/Android_Dendroid.yar b/yara-mikesxrs/pombredanne/Android_Dendroid.yar
deleted file mode 100644
index a963b1b..0000000
--- a/yara-mikesxrs/pombredanne/Android_Dendroid.yar
+++ /dev/null
@@ -1,15 +0,0 @@
-import "androguard"
-
-rule Android_Dendroid
-{
- meta:
- author = "Jacob Soo Lead Re"
- date = "19-May-2016"
- description = "This rule try to detect Dendroid"
- source = "https://blog.lookout.com/blog/2014/03/06/dendroid/"
-
- condition:
- (androguard.service(/com.connect.RecordService/i) or
- androguard.activity(/com.connect.Dendroid/i)) and
- androguard.permission(/android.permission.RECEIVE_BOOT_COMPLETED/i)
-}
diff --git a/yara-mikesxrs/pombredanne/Android_Dogspectus.yar b/yara-mikesxrs/pombredanne/Android_Dogspectus.yar
deleted file mode 100644
index c96cad7..0000000
--- a/yara-mikesxrs/pombredanne/Android_Dogspectus.yar
+++ /dev/null
@@ -1,16 +0,0 @@
-import "androguard"
-
-rule Android_Dogspectus
-{
- meta:
- author = "Jacob Soo Lead Re"
- date = "20-July-2016"
- description = "This rule try to detects Dogspectus"
- source = "https://www.bluecoat.com/security-blog/2016-04-25/android-exploit-delivers-dogspectus-ransomware"
-
- condition:
- androguard.activity(/PanickedActivity/i) and
- androguard.permission(/android.permission.RECEIVE_BOOT_COMPLETED/i) and
- androguard.permission(/android.permission.INTERNET/i) and
- androguard.permission(/android.permission.WAKE_LOCK/i)
-}
diff --git a/yara-mikesxrs/pombredanne/Android_FakeBank_Fanta.yar b/yara-mikesxrs/pombredanne/Android_FakeBank_Fanta.yar
deleted file mode 100644
index 09d9851..0000000
--- a/yara-mikesxrs/pombredanne/Android_FakeBank_Fanta.yar
+++ /dev/null
@@ -1,17 +0,0 @@
-import "androguard"
-
-rule Android_FakeBank_Fanta
-{
- meta:
- author = "Jacob Soo Lead Re"
- date = "14-July-2016"
- description = "This rule try to detects Android FakeBank_Fanta"
- source = "https://blog.trendmicro.com/trendlabs-security-intelligence/fake-bank-app-phishes-credentials-locks-users-out/"
-
- condition:
- androguard.service(/SocketService/i) and
- androguard.receiver(/MyAdmin/i) and
- androguard.receiver(/Receiver/i) and
- androguard.receiver(/NetworkChangeReceiver/i)
-
-}
diff --git a/yara-mikesxrs/pombredanne/Android_Godless.yar b/yara-mikesxrs/pombredanne/Android_Godless.yar
deleted file mode 100644
index b6cc7d6..0000000
--- a/yara-mikesxrs/pombredanne/Android_Godless.yar
+++ /dev/null
@@ -1,37 +0,0 @@
-import "androguard"
-
-rule Android_Godlike
-{
- meta:
- author = "Jacob Soo Lead Re"
- date = "01-July-2016"
- description = "This rule will be able to tag all the samples with local exploits."
- source = "http://blog.trendmicro.com/trendlabs-security-intelligence/godless-mobile-malware-uses-multiple-exploits-root-devices/"
-
- strings:
- $a = "libgodlikelib.so"
- condition:
- (androguard.service(/godlike\.s/i) and
- androguard.service(/godlike\.g/i) and
- androguard.receiver(/godlike\.e/i)) or
- $a
- }
-
-rule Android_Godlike_2
-{
- meta:
- author = "Jacob Soo Lead Re"
- date = "01-July-2016"
- description = "This rule will be able to tag all the samples with remote exploits."
- source = "http://blog.trendmicro.com/trendlabs-security-intelligence/godless-mobile-malware-uses-multiple-exploits-root-devices/"
-
- strings:
- $a_1 = "libroot.so"
- $a_2 = "silent91_arm_bin.root"
- $a_3 = "libr.so"
- $a_4 = "libpl_droidsonroids_gif.so"
- condition:
- (androguard.service(/FastInstallService/i) and
- androguard.service(/DownloadService/i)) and
- any of ($a_*)
-}
diff --git a/yara-mikesxrs/pombredanne/Android_Marcher.yar b/yara-mikesxrs/pombredanne/Android_Marcher.yar
deleted file mode 100644
index 6067301..0000000
--- a/yara-mikesxrs/pombredanne/Android_Marcher.yar
+++ /dev/null
@@ -1,14 +0,0 @@
-import "androguard"
-
-rule Android_Marcher
-{
- meta:
- author = "Jacob Soo Lead Re"
- date = "04-July-2016"
- description = "Marcher has been active since 2013; like any commercial malware, it is featured in different campaigns, in multiple countries."
- source = "https://exchange.xforce.ibmcloud.com/collection/Marcher-Android-Bot-eeede463ee5c2b57402fc86154411e65"
-
- condition:
- (androguard.filter(/com.KHLCert.fdservice/i) and
- androguard.filter(/com.KHLCert.gpservice/i))
-}
diff --git a/yara-mikesxrs/pombredanne/Android_MazarBot.yar b/yara-mikesxrs/pombredanne/Android_MazarBot.yar
deleted file mode 100644
index 6a3d230..0000000
--- a/yara-mikesxrs/pombredanne/Android_MazarBot.yar
+++ /dev/null
@@ -1,16 +0,0 @@
-import "androguard"
-
-rule Android_MazarBot
-{
- meta:
- author = "Jacob Soo Lead Re"
- date = "01-July-2016"
- description = "This rule try to detects MazarBot"
- source = "https://heimdalsecurity.com/blog/security-alert-new-android-malware-post-denmark/"
-
- condition:
- (androguard.filter(/wakeup/i) and
- androguard.filter(/reportsent/i)) or
- (androguard.filter(/wakeup/i) and
- androguard.filter(/com\.whats\.process/i))
-}
diff --git a/yara-mikesxrs/pombredanne/Android_OmniRat.yar b/yara-mikesxrs/pombredanne/Android_OmniRat.yar
deleted file mode 100644
index a7a214f..0000000
--- a/yara-mikesxrs/pombredanne/Android_OmniRat.yar
+++ /dev/null
@@ -1,17 +0,0 @@
-import "androguard"
-
-rule Android_OmniRat
-{
- meta:
- author = "Jacob Soo Lead Re"
- date = "01-July-2016"
- description = "This rule try to detects OmniRat"
- source = "https://blog.avast.com/2015/11/05/droidjack-isnt-the-only-spying-software-out-there-avast-discovers-that-omnirat-is-currently-being-used-and-spread-by-criminals-to-gain-full-remote-co"
-
- strings:
- $a = "android.engine.apk"
- condition:
- (androguard.activity(/com.app.MainActivity/i) and
- androguard.permission(/android.permission.WRITE_EXTERNAL_STORAGE/i) and
- androguard.package_name(/com.app/i)) and $a
-}
diff --git a/yara-mikesxrs/pombredanne/Android_RuMMS.yar b/yara-mikesxrs/pombredanne/Android_RuMMS.yar
deleted file mode 100644
index deb3ead..0000000
--- a/yara-mikesxrs/pombredanne/Android_RuMMS.yar
+++ /dev/null
@@ -1,19 +0,0 @@
-import "androguard"
-
-rule Android_RuMMS
-{
- meta:
- author = "Jacob Soo Lead Re"
- date = "19-May-2016"
- description = "This rule try to detects Android.Banking.RuMMS"
- source = "https://www.fireeye.com/blog/threat-research/2016/04/rumms-android-malware.html"
-
- condition:
- (androguard.service(/\.Tb/) and
- androguard.service(/\.Ad/) and
- androguard.receiver(/\.Ac/) and
- androguard.receiver(/\.Ma/)) or
- (androguard.url(/http\:\/\/37\.1\.207/) and
- androguard.url(/\/api\/\?id\=7/))
-
-}
diff --git a/yara-mikesxrs/pombredanne/PDF_Embedded_Exe.yar b/yara-mikesxrs/pombredanne/PDF_Embedded_Exe.yar
deleted file mode 100644
index 80e8f38..0000000
--- a/yara-mikesxrs/pombredanne/PDF_Embedded_Exe.yar
+++ /dev/null
@@ -1,8 +0,0 @@
-rule PDF_Embedded_Exe{
- strings:
- $header = {25 50 44 46}
- $Launch_Action = {3C 3C 2F 53 2F 4C 61 75 6E 63 68 2F 54 79 70 65 2F 41 63 74 69 6F 6E 2F 57 69 6E 3C 3C 2F 46}
- $exe = {3C 3C 2F 45 6D 62 65 64 64 65 64 46 69 6C 65 73}
- condition:
- $header at 0 and $Launch_Action and $exe
-}
diff --git a/yara-mikesxrs/pombredanne/SandroRat.yar b/yara-mikesxrs/pombredanne/SandroRat.yar
deleted file mode 100644
index e12c590..0000000
--- a/yara-mikesxrs/pombredanne/SandroRat.yar
+++ /dev/null
@@ -1,13 +0,0 @@
-import "androguard"
-
-rule SandroRat
-{
- meta:
- author = "Jacob Soo Lead Re"
- date = "21-May-2016"
- description = "This rule detects SandroRat"
- source = "https://blogs.mcafee.com/mcafee-labs/sandrorat-android-rat-targeting-polish-banking-users-via-e-mail-phishing/"
-
- condition:
- androguard.activity(/net.droidjack.server/i)
-}
diff --git a/yara-mikesxrs/pombredanne/Spartan_SWF.yar b/yara-mikesxrs/pombredanne/Spartan_SWF.yar
deleted file mode 100644
index 66d1159..0000000
--- a/yara-mikesxrs/pombredanne/Spartan_SWF.yar
+++ /dev/null
@@ -1,14 +0,0 @@
-rule Spartan_SWF
-{
- meta:
- author = "Jacob Soo Lead Re"
- date = "11-June-2016"
- version = "1.0"
-
- strings:
- $header = {46 57 53}
- $a1 = {73 6F 63 69 6F 64 6F 78 2E 75 74 69 6C 73 3A 42 61 73 65 36 34}
- $a2 = {0C 5F 65 6E 63 6F 64 65 43 68 61 72 73 0C 5F 64 65 63 6F 64 65 43 68 61 72 73 06 65 6E 63 6F 64 65 06 64 65 63 6F 64 65 0E 49 6E 69 74 45 6E 63 6F 72 65 43 68 61 72 0E 49 6E 69 74 44 65 63 6F 64 65 43 68 61 72}
- condition:
- $header at 0 and all of ($a*)
-}
diff --git a/yara-mikesxrs/securityartwork/Erebus_Ransomware.yar b/yara-mikesxrs/securityartwork/Erebus_Ransomware.yar
deleted file mode 100644
index 22ff9d1..0000000
--- a/yara-mikesxrs/securityartwork/Erebus_Ransomware.yar
+++ /dev/null
@@ -1,17 +0,0 @@
-rule Erebus: MALW
-{
- meta:
- description = "Erebus Ransomware"
- author = "Joan Soriano / @joanbtl"
- date = "2017-06-23"
- version = "1.0"
- MD5 = "27d857e12b9be5d43f935b8cc86eaabf"
- SHA256 = "0b7996bca486575be15e68dba7cbd802b1e5f90436ba23f802da66292c8a055f"
- ref1 = "http://blog.trendmicro.com/trendlabs-security-intelligence/erebus-resurfaces-as-linux-ransomware/"
- ref2 = "https://www.securityartwork.es/2017/06/28/analisis-erebus-ransomware-linux/"
- strings:
- $a = "/{5f58d6f0-bb9c-46e2-a4da-8ebc746f24a5}//log.log"
- $b = "EREBUS IS BEST."
- condition:
- all of them
-}
diff --git a/yara-mikesxrs/securityartwork/HardcodeHunter.yar b/yara-mikesxrs/securityartwork/HardcodeHunter.yar
deleted file mode 100644
index 55bc660..0000000
--- a/yara-mikesxrs/securityartwork/HardcodeHunter.yar
+++ /dev/null
@@ -1,13 +0,0 @@
-rule HardcodeHunter
-{
- meta:
- description = "Veil Hardcoded IP"
- reference = "https://www.securityartwork.es/2015/03/20/deteccion-de-codigo-malicioso-con-yara-i/"
- strings:
- $ IP = / (25 [0-5] | 2 [0-4] [0-9] | [01]? [0-9] [0-9]?) \.
- (25 [0-5] | 2 [0-4] [0-9] | [01]? [0-9] [0-9]?) \.
- (25 [0-5] | 2 [0-4] [0-9] | [01]? [0-9] [0-9]?) \.
- (25 [0-5] | 2 [0-4] [0-9] | [01]? [0-9] [0-9]?) /
- condition:
- $ IP at 0x28df
-}
diff --git a/yara-mikesxrs/securityartwork/IoT_Reaper.yar b/yara-mikesxrs/securityartwork/IoT_Reaper.yar
deleted file mode 100644
index 2b50468..0000000
--- a/yara-mikesxrs/securityartwork/IoT_Reaper.yar
+++ /dev/null
@@ -1,17 +0,0 @@
-rule LinuxIoTReaper: MALW
-{
-meta:
- description = "LinuxIoTReaper"
- author = "Joan Soriano / @w0lfvan"
- reference = "https://www.securityartwork.es/2017/11/06/analisis-linux-iotreaper/"
- date = "2017-10-30"
- version = "1.0"
- md5 = "95b448bdf6b6c97a33e1d1dbe41678eb"
- sha256 = "b463ca6c3ec7fa19cd318afdd2fa2365fa9e947771c21c4bd6a3bc2120ba7f28"
-strings:
- $a = "weruuoqweiur.com"
- $b = "rm -f /tmp/ftpupload.sh \n"
- $c = "%02x-%02x-%02x-%02x-%02x-%02x"
- condition:
- all of them
-}
diff --git a/yara-mikesxrs/securityartwork/Linux_Bew.yar b/yara-mikesxrs/securityartwork/Linux_Bew.yar
deleted file mode 100644
index b2f5373..0000000
--- a/yara-mikesxrs/securityartwork/Linux_Bew.yar
+++ /dev/null
@@ -1,17 +0,0 @@
-rule LinuxBew: MALW
-{
- meta:
- description = "Linux.Bew Backdoor"
- author = "Joan Soriano / @w0lfvan"
- date = "2017-07-10"
- version = "1.0"
- reference = "https://www.securityartwork.es/2017/07/21/linux-bew-backdoor-minado-bitcoin/"
- MD5 = "27d857e12b9be5d43f935b8cc86eaabf"
- SHA256 = "80c4d1a1ef433ac44c4fe72e6ca42395261fbca36eff243b07438263a1b1cf06"
- strings:
- $a = "src/secp256k1.c"
- $b = "hfir.u230.org"
- $c = “tempfile-x11session”
- condition:
- all of them
-}
diff --git a/yara-mikesxrs/securityartwork/Linux_Helios.yar b/yara-mikesxrs/securityartwork/Linux_Helios.yar
deleted file mode 100644
index 362f88e..0000000
--- a/yara-mikesxrs/securityartwork/Linux_Helios.yar
+++ /dev/null
@@ -1,17 +0,0 @@
-rule LinuxHelios: MALW
-{
- meta:
- description = "Linux.Helios"
- author = "Joan Soriano / @w0lfvan"
- date = "2017-10-19"
- version = "1.0"
- reference = "https://www.securityartwork.es/2017/10/23/analisis-linux-helios/"
- MD5 = "1a35193f3761662a9a1bd38b66327f49"
- SHA256 = "72c2e804f185bef777e854fe86cff3e86f00290f32ae8b3cb56deedf201f1719"
- strings:
- $a = "LIKE A GOD!!! IP:%s User:%s Pass:%s"
- $b = "smack"
- $c = "PEACE OUT IMMA DUP\n"
- condition:
- all of them
-}
diff --git a/yara-mikesxrs/securityartwork/Meterpreter_rev_tcp.yar b/yara-mikesxrs/securityartwork/Meterpreter_rev_tcp.yar
deleted file mode 100644
index 9ca950b..0000000
--- a/yara-mikesxrs/securityartwork/Meterpreter_rev_tcp.yar
+++ /dev/null
@@ -1,16 +0,0 @@
-rule Meterpreter_rev_tcp
-{
- meta:
- description = "Meterpreter reverse TCP"
- reference = "https://www.securityartwork.es/2015/03/20/deteccion-de-codigo-malicioso-con-yara-i/"
- strings:
- $ metadata "ab.exe" wide nocase
- $ dll1 = "MSVCRT.dll" nocase
- $ dll2 = "KERNEL32.dll" nocase
- $ dll3 = "ADVAPI32.dll" nocase
- $ dll4 = "WSOCK32.dll" nocase
- $ dll5 = "WS2_32.dll" nocase
- $ dll6 = "ntdll.dll" nocase
- condition:
- #metadata == 2 and all of ($ dll *)
-}
diff --git a/yara-mikesxrs/securityartwork/OfficeMacrosWinintelDLL.yar b/yara-mikesxrs/securityartwork/OfficeMacrosWinintelDLL.yar
deleted file mode 100644
index e37f30f..0000000
--- a/yara-mikesxrs/securityartwork/OfficeMacrosWinintelDLL.yar
+++ /dev/null
@@ -1,18 +0,0 @@
-rule OfficeMacrosWinintelDLL
-{
- meta:
- Autor = "Manuel Bermudez"
- date = "08-01-2015"
- description = "Fichero office con macros sospechosa"
- link = "https://www.securityartwork.es/2015/04/17/gestion-de-incidentes-practica-actuaciones-ante-malware-ii/"
- strings:
- $VBA1 = "VBA6"
- $VBA2 = "VBA7"
- $str1 = "wininet.dll" nocase
- $str2 = "InternetOpenUrl" nocase
- $str3 = "InternetReadFile" nocase
- $str4 = "InternetOpen" nocase
- $str5 = "InternetCloseHandle" nocase
- condition:
- 1 of ($VBA*) and 2 of ($str*)
-}
diff --git a/yara-mikesxrs/securityartwork/linux_Okiru.yar b/yara-mikesxrs/securityartwork/linux_Okiru.yar
deleted file mode 100644
index c85c3f6..0000000
--- a/yara-mikesxrs/securityartwork/linux_Okiru.yar
+++ /dev/null
@@ -1,17 +0,0 @@
-rule LinuxOkiru: MALW
-{
- meta:
- description = "Linux.Okiru"
- author = "Joan Soriano / @w0lfvan"
- reference = "https://www.securityartwork.es/2017/12/18/analisis-linux-okiru/"
- date = "2017-11-03"
- version = "1.0"
- MD5 = "0e1e8079cc78cd242dd70867bc30c8d1"
- SHA256 = "601ad06dd9de8c19c196441f4a405c95dbd752c95fb017fda6c4fc7ca6d86d9c"
- strings:
- $a = "/usr/dvr_main _8182T_1108"
- $b = "/var/Challenge"
- $c = "/mnt/mtd/app/gui"
- condition:
- all of them
-}
diff --git a/yara-mikesxrs/securityartwork/multibanker.yar b/yara-mikesxrs/securityartwork/multibanker.yar
deleted file mode 100644
index cc2d8bf..0000000
--- a/yara-mikesxrs/securityartwork/multibanker.yar
+++ /dev/null
@@ -1,81 +0,0 @@
-/*
-https://www.securityartwork.es/2015/06/03/deteccion-de-codigo-malicioso-con-yara-ii/
-*/
-
-rule xmlc : banker{
- strings:
- $a = "/c del" fullword
- $b = "PostDel" fullword
- $c = ">> NUL" fullword
- $d = "LOADXML"
- $e = "lm.dat"
- $f = "---------------%s----------------"
-
- condition:
- filesize < 150KB and (3 of ($a,$b,$c,$d,$e,$f))
-}
-
-rule silent_banker : banker
-{
- strings:
- $a = {6A 40 68 00 30 00 00 6A 14 8D 91}
- $b = {8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}
- $c = "UVODFRYSIHLNWPEJXQZAKCBGMT"
-
- condition:
- $a or $b or $c
-}
-
-rule zbot : banker
-{
- strings:
- $a = "__SYSTEM__" wide
- $b = "*tanentry*"
- $c = "*<option"
- $d = "*<select"
- $e = "*<input"
-
- condition:
- ($a and $b) or ($c and $d and $e)
-}
-
-rule banbra : banker
-{
- strings:
- $a = "senha" fullword nocase
- $b = "cartao" fullword nocase
- $c = "caixa"
- $d = "login" fullword nocase
- $e = ".com.br"
-
- condition:
- #a > 3 and #b > 3 and #c > 3 and #d > 3 and #e > 3
-}
-
-
-
-rule spyeye
-{
- meta:
- description = "Indicates that the SpyEye Trojan is installed"
-
- strings:
- $a = "SPYNET"
- $b = "SpyEye"
-
- condition:
- ($a and $b)
-}
-
-rule tdl3
-{
- meta:
- null_string = 1
-
- strings:
- $1 = "\\\\?\\globalroot\\"
- $2 = ".ini"
-
- condition:
- all of them
- }
diff --git a/yara-mikesxrs/securityartwork/shellcode_cve_2013_2729.yar b/yara-mikesxrs/securityartwork/shellcode_cve_2013_2729.yar
deleted file mode 100644
index e7d6abd..0000000
--- a/yara-mikesxrs/securityartwork/shellcode_cve_2013_2729.yar
+++ /dev/null
@@ -1,23 +0,0 @@
-rule shellcode_cve_2013_2729
-{
-meta:
- author = "Manuel"
- company = "S2 Grupo"
- date = "2014-12-17"
- reference = "https://www.securityartwork.es/2014/12/18/regla-yara-para-cve-2013-2729/"
- description = "PDF con shellcode CVE 2013_2729"
- link1 = "http://www.binamuse.com/papers/XFABMPReport.pdf"
- link2 = "https://github.com/feliam/CVE-2013-2729/blob/master/XFABMPExploit.py"
- link3 = "https://github.com/feliam/CVE-2013-2729/blob/master/E10.1.4.pdf "
- link4 = "https://www.securityartwork.es/2014/09/30/pdf-deconstruido-al-
- aroma-de-shellcode-i/"
- md5test = "eb9228f17568704676385428d3bbefff"
-strings:
- $xfa1 = "XFA 1 0 R"
- $xfa2 = "XFA 2 0 R"
- $xfa3 = "XFA 3 0 R"
- $s0 = "AcroForm 2 0 R"
- $s1 = "/Filter [/Fl"
-condition:
- 1 of ($xfa*) and all of ($s*)
-}
diff --git a/yara-mikesxrs/securityartwork/trickbot.yar b/yara-mikesxrs/securityartwork/trickbot.yar
deleted file mode 100644
index e7d6266..0000000
--- a/yara-mikesxrs/securityartwork/trickbot.yar
+++ /dev/null
@@ -1,66 +0,0 @@
-rule MALW_trickbot_bankBot : Trojan
-{
-meta:
- author = "Marc Salinas @Bondey_m"
- description = "Detects Trickbot Banking Trojan"
- reference = "https://www.securityartwork.es/wp-content/uploads/2017/06/Informe_Evoluci%C3%B3n_Trickbot.pdf"
-strings:
- $str_trick_01 = "moduleconfig"
- $str_trick_02 = "Start"
- $str_trick_03 = "Control"
- $str_trick_04 = "FreeBuffer"
- $str_trick_05 = "Release"
-condition:
- all of ($str_trick_*)
-}
-
-rule MALW_systeminfo_trickbot_module : Trojan
-{
-meta:
- author = "Marc Salinas @Bondey_m"
- description = "Detects systeminfo module from Trickbot Trojan"
- reference = "https://www.securityartwork.es/wp-content/uploads/2017/06/Informe_Evoluci%C3%B3n_Trickbot.pdf"
-strings:
- $str_systeminf_01 = "<program>"
- $str_systeminf_02 = "<service>"
- $str_systeminf_03 = "</systeminfo>"
- $str_systeminf_04 = "GetSystemInfo.pdb"
- $str_systeminf_05 = "</autostart>"
- $str_systeminf_06 = "</moduleconfig>"
-condition:
-all of ($str_ systeminf_*)
-}
-
-rule MALW_dllinject_trickbot_module : Trojan
-{
-meta:
- author = "Marc Salinas @Bondey_m"
- description = " Detects dllinject module from Trickbot Trojan"
- reference = "https://www.securityartwork.es/wp-content/uploads/2017/06/Informe_Evoluci%C3%B3n_Trickbot.pdf"
-strings:
- $str_dllinj_01 = "user_pref("
- $str_dllinj_02 = "<ignore_mask>"
- $str_dllinj_03 = "<require_header>"
- $str_dllinj_04 = "</dinj>"
-condition:
- all of ($str_ dllinj_*)
-}
-
-rule MALW_mailsercher_trickbot_module : Trojan
-{
-meta:
- author = "Marc Salinas @Bondey_m"
- description = " Detects mailsearcher module from Trickbot Trojan"
- reference = "https://www.securityartwork.es/wp-content/uploads/2017/06/Informe_Evoluci%C3%B3n_Trickbot.pdf"
-strings:
- $str_mails_01 = "mailsearcher"
- $str_mails_02 = "handler"
- $str_mails_03 = "conf"
- $str_mails_04 = "ctl"
- $str_mails_05 = "SetConf"
- $str_mails_06 = "file"
- $str_mails_07 = "needinfo"
- $str_mails_08 = "mailconf"
-condition:
- all of ($str_mails_*)
-}
diff --git a/yara-mikesxrs/symantec/Bannerjack.yar b/yara-mikesxrs/symantec/Bannerjack.yar
deleted file mode 100644
index cb24da5..0000000
--- a/yara-mikesxrs/symantec/Bannerjack.yar
+++ /dev/null
@@ -1,17 +0,0 @@
-import "pe"
-
-rule Bannerjack
-{
- meta:
- author = "Symantec Security Response"
- date = "2015-07-01"
- description = "Butterfly BannerJack hacktool"
- reference = "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/butterfly-corporate-spies-out-for-financial-gain.pdf"
- strings:
- $str_1 = "Usage: ./banner-jack [options]"
- $str_2 = "-f: file.csv"
- $str_3 = "-s: ip start"
- $str_4 = "-R: timeout read (optional, default %d secs)"
- condition:
- all of them
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/symantec/Cadelle_1.yar b/yara-mikesxrs/symantec/Cadelle_1.yar
deleted file mode 100644
index 4be223a..0000000
--- a/yara-mikesxrs/symantec/Cadelle_1.yar
+++ /dev/null
@@ -1,13 +0,0 @@
-rule Cadelle_1
-{
-meta:
- author = "Symantec"
- reference = "http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/CadelSpy-Remexi-IOC.pdf"
-strings:
- $s1 = { 56 57 8B F8 8B F1 33 C0 3B F0 74 22 39 44 24 0C 74 18 0F B7 0F 66 3B C8 74 10 66 89 0A 42 42 47 47 4E FF 4C 24 0C 3B F0 75 E2 3B F0 75 07 4A 4A B8 7A 00 07 80 33 C9 5F 66 89 0A 5E C2 04 00}
- $s2 = "ntsvc32"
- $s3 = "ntbind32"
-condition:
- $s1 and ($s2 or $s3)
-}
-
diff --git a/yara-mikesxrs/symantec/Cadelle_2.yar b/yara-mikesxrs/symantec/Cadelle_2.yar
deleted file mode 100644
index d3f6830..0000000
--- a/yara-mikesxrs/symantec/Cadelle_2.yar
+++ /dev/null
@@ -1,30 +0,0 @@
-rule Cadelle_2
-{
-meta:
- author = "Symantec"
- reference = "http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/CadelSpy-Remexi-IOC.pdf"
-strings:
- $s1 = "[EXECUTE]" wide ascii
- $s2 = "WebCamCapture" wide ascii
- $s3 = "</DAY>" wide ascii
- $s4 ="</DOCUMENT>" wide ascii
- $s5 = "<DOCUMENT>" wide ascii
- $s6 = "<DATETIME>" wide ascii
- $s7 = "Can't open file for reading :" wide ascii
- $s8 = "</DATETIME>" wide ascii
- $s9 = "</USERNAME>" wide ascii
- $s10 = "JpegFile :" wide ascii
- $s12 = "[SCROLL]" wide ascii
- $s13 = "<YEAR>" wide ascii
- $s14 = "CURRENT DATE" wide ascii
- $s15 = "</YEAR>" wide ascii
- $s16 = "</MONTH>" wide ascii
- $s17 = "<PRINTERNAME>" wide ascii
- $s18 = "</DRIVE>" wide ascii
- $s19 = "<DATATYPE>" wide ascii
- $s20 = "<MACADDRESS>" wide ascii
- $s21 = "FlashMemory" wide ascii
-condition:
- 12 of them
-}
-
diff --git a/yara-mikesxrs/symantec/Cadelle_3.yar b/yara-mikesxrs/symantec/Cadelle_3.yar
deleted file mode 100644
index a33f67a..0000000
--- a/yara-mikesxrs/symantec/Cadelle_3.yar
+++ /dev/null
@@ -1,22 +0,0 @@
-rule Cadelle_3
-{
-meta:
- author = "Symantec"
- reference = "http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/CadelSpy-Remexi-IOC.pdf"
-strings:
- $s1 = "SOFTWARE\\ntsvc32\\HDD" wide ascii
- $s2 = "SOFTWARE\\ntsvc32\\ROU" wide ascii
- $s3 = "SOFTWARE\\ntsvc32\\HST" wide ascii
- $s4 = "SOFTWARE\\ntsvc32\\FLS" wide ascii
- $s5 = "ntsvc32" wide ascii
- $s6 = ".Win$py." wide ascii
- $s7 = "C:\\users\\" wide ascii
- $s8 = "%system32%" wide ascii
- $s9 = "\\Local Settings\\Temp" wide ascii
- $s10 = "SVWATAUAVAW" wide ascii
- $s11 = "\\AppData\\Local" wide ascii
- $s12 = "\\AppData" wide ascii
-condition:
- 6 of them
-}
-
diff --git a/yara-mikesxrs/symantec/Cadelle_4.yar b/yara-mikesxrs/symantec/Cadelle_4.yar
deleted file mode 100644
index 938f7d2..0000000
--- a/yara-mikesxrs/symantec/Cadelle_4.yar
+++ /dev/null
@@ -1,13 +0,0 @@
-rule Cadelle_4
-{
-meta:
- author = "Symantec"
- reference = "http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/CadelSpy-Remexi-IOC.pdf"
-strings:
- $s1 = "AppInit_DLLs" wide ascii
- $s2 = { 5C 00 62 00 61 00 63 00 6B 00 75 00 70 00 00 }
- $s3 = { 5C 00 75 00 70 00 64 00 61 00 74 00 65 00 00 }
- $s4 = "\\cmd.exe" wide ascii
-condition:
- all of them
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/symantec/Eventlog.yar b/yara-mikesxrs/symantec/Eventlog.yar
deleted file mode 100644
index 2b1fad6..0000000
--- a/yara-mikesxrs/symantec/Eventlog.yar
+++ /dev/null
@@ -1,17 +0,0 @@
-rule Eventlog
-{
- meta:
- author = "Symantec Security Response"
- date = "2015-07-01"
- description = "Butterfly Eventlog hacktool"
- reference = "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/butterfly-corporate-spies-out-for-financial-gain.pdf"
-
- strings:
- $str_1= "wevtsvc.dll"
- $str_2= "Stealing %S.evtx handle ..."
- $str_3= "ElfChnk"
- $str_4= "-Dr Dump all logs from a channel or .evtx file (raw"
-
- condition:
- all of them
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/symantec/Hacktool.yar b/yara-mikesxrs/symantec/Hacktool.yar
deleted file mode 100644
index 8967659..0000000
--- a/yara-mikesxrs/symantec/Hacktool.yar
+++ /dev/null
@@ -1,18 +0,0 @@
-rule Hacktool
-{
- meta:
- author = "Symantec Security Response"
- date = "2015-07-01"
- description = "Butterfly hacktool"
- reference = "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/butterfly-corporate-spies-out-for-financial-gain.pdf"
-
- strings:
- $str_1 = "\\\\.\\pipe\\winsession" wide
- $str_2 = "WsiSvc" wide
- $str_3 = "ConnectNamedPipe"
- $str_4 = "CreateNamedPipeW"
- $str_5 = "CreateProcessAsUserW"
-
- condition:
- all of them
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/symantec/Kwampirs.yar b/yara-mikesxrs/symantec/Kwampirs.yar deleted file mode 100644 index a759984..0000000 --- a/yara-mikesxrs/symantec/Kwampirs.yar +++ /dev/null @@ -1,74 +0,0 @@ -rule Kwampirs -{ - meta: - copyright = "Symantec" - reference = "https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia" - family = "Kwampirs" - description = "Kwampirs dropper and main payload components" - strings: -$pubkey = - {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} - - $network_xor_key = - {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} - -$decrypt_string = - { - 85 DB 75 09 85 F6 74 05 89 1E B0 01 C3 85 FF 74 - 4F F6 C3 01 75 4A 85 F6 74 46 8B C3 D1 E8 33 C9 - 40 BA 02 00 00 00 F7 E2 0F 90 C1 F7 D9 0B C8 51 - E8 12 28 00 00 89 06 8B C8 83 C4 04 33 C0 85 DB - 74 16 8B D0 83 E2 0F 8A 92 1C 33 02 10 32 14 38 - 40 88 11 41 3B C3 72 EA 66 C7 01 00 00 B0 01 C3 - 32 C0 C3 - } - - $init_strings = - { - 55 8B EC 83 EC 10 33 C9 B8 0D 00 00 00 BA 02 00 - 00 00 F7 E2 0F 90 C1 53 56 57 F7 D9 0B C8 51 E8 - B3 27 00 00 BF 05 00 00 00 8D 77 FE BB 4A 35 02 - 10 2B DE 89 5D F4 BA 48 35 02 10 4A BB 4C 35 02 - 10 83 C4 04 2B DF A3 C8 FC 03 10 C7 45 FC 00 00 - 00 00 8D 4F FC 89 55 F8 89 5D F0 EB 06 - } - - condition: - 2 of them -} diff --git a/yara-mikesxrs/symantec/Multipurpose.yar b/yara-mikesxrs/symantec/Multipurpose.yar deleted file mode 100644 index 84d9b2e..0000000 --- a/yara-mikesxrs/symantec/Multipurpose.yar +++ /dev/null 
@@ -1,15 +0,0 @@
-rule Multipurpose
-{
- meta:
- author = "Symantec Security Response"
- date = "2015-07-01"
- description = "Butterfly Multipurpose hacktool"
- reference = "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/butterfly-corporate-spies-out-for-financial-gain.pdf"
- strings:
- $str_1 = "dump %d|%d|%d|%d|%d|%d|%s|%d"
- $str_2 = "kerberos%d.dll"
- $str_3 = "\\\\.\\pipe\\lsassp"
- $str_4 = "pth <PID:USER:DOMAIN:NTLM>: change"
- condition:
- all of them
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/symantec/Proxy.yar b/yara-mikesxrs/symantec/Proxy.yar
deleted file mode 100644
index ffcfde4..0000000
--- a/yara-mikesxrs/symantec/Proxy.yar
+++ /dev/null
@@ -1,17 +0,0 @@
-rule Proxy
-{
- meta:
- author = "Symantec Security Response"
- date = "2015-07-01"
- description = "Butterfly proxy hacktool"
- reference = "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/butterfly-corporate-spies-out-for-financial-gain.pdf"
-
- strings:
- $str_1 = "-u user : proxy username"
- $str_2 = "--pleh : displays help"
- $str_3 = "-x ip/host : proxy ip or host"
- $str_4 = "-m : bypass mutex check"
-
- condition:
- all of them
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/symantec/Securetunnel.yar b/yara-mikesxrs/symantec/Securetunnel.yar
deleted file mode 100644
index adacc31..0000000
--- a/yara-mikesxrs/symantec/Securetunnel.yar
+++ /dev/null
@@ -1,17 +0,0 @@
-rule Securetunnel
- {
- meta:
- author = "Symantec Security Response"
- date = "2015-07-01"
- description = "Butterfly Securetunnel hacktool"
- reference = "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/butterfly-corporate-spies-out-for-financial-gain.pdf"
-
- strings:
- $str_1 = "KRB5CCNAME"
- $str_2 = "SSH _ AUTH _ SOCK"
- $str_3 = "f:l:u:cehR"
- $str_4 = ".o+=*BOX@%&#/^SE"
-
- condition:
- all of them
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/symantec/comrat.yar b/yara-mikesxrs/symantec/comrat.yar
deleted file mode 100644
index 2582bee..0000000
--- a/yara-mikesxrs/symantec/comrat.yar
+++ /dev/null
@@ -1,18 +0,0 @@
-rule comrat
-{
- meta:
- author = "Symantec"
- malware = "COMRAT"
- Reference="https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf"
-
- strings:
- $mz = "MZ"
- $b = {C645????}
- $c = {C685??FEFFFF??}
- //$d = {FFA0??0?0000}
- $e = {89A8??00000068??00000056FFD78B}
- $f = {00004889????030000488B}
-
- condition:
- ($mz at 0) and ((#c > 200 and #b > 200 ) /*or (#d > 40)*/ and (#e > 15 or #f > 30))
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/symantec/fa.yar b/yara-mikesxrs/symantec/fa.yar
deleted file mode 100644
index 5d5114e..0000000
--- a/yara-mikesxrs/symantec/fa.yar
+++ /dev/null
@@ -1,19 +0,0 @@
-rule fa
-{
- meta:
- author = "Symantec"
- reference = "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf"
-
- strings:
- $mz = "MZ"
- $string1 = "C:\\proj\\drivers\\fa _ 2009\\objfre\\i386\\atmarpd.pdb"
-
- $string2 = "d:\\proj\\cn\\fa64\\"
- $string3 = "sengoku _ Win32.sys\x00"
- $string4 = "rk _ ntsystem.c"
- $string5 = "\\uroboros\\"
- $string6 = "shell.{F21EDC09-85D3-4eb9-915F-1AFA2FF28153}"
-
- condition:
- ($mz at 0) and (any of ($string*))
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/symantec/isPE.yar b/yara-mikesxrs/symantec/isPE.yar
deleted file mode 100644
index 105b8b7..0000000
--- a/yara-mikesxrs/symantec/isPE.yar
+++ /dev/null
@@ -1,9 +0,0 @@
-private rule isPE
-{
- meta:
- Author = "Symantec"
- Reference = "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf"
-
- condition:
- uint16(0) == 0x5A4D and uint32(uint32(0x3c)) == 0x00004550
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/symantec/jiripbot _ ascii _ str _ decrypt.yar b/yara-mikesxrs/symantec/jiripbot _ ascii _ str _ decrypt.yar
deleted file mode 100644
index 38dce24..0000000
--- a/yara-mikesxrs/symantec/jiripbot _ ascii _ str _ decrypt.yar
+++ /dev/null
@@ -1,12 +0,0 @@
-rule jiripbot_ascii_str_decrypt
-{
- meta:
- author ="Symantec Security Response"
- date ="2015-07-01"
- description ="Butterfly Jiripbot hacktool"
- reference ="https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/butterfly-corporate-spies-out-for-financial-gain.pdf"
- strings:
- $decrypt_func = {85 FF 75 03 33 C0 C3 8B C7 8D 50 01 8A 08 40 84 C9 75 F9 2B C2 53 8B D8 80 7C 3B FF ?? 75 3E 83 3D ?? ?? ?? ?? 00 56 BE ?? ?? ?? ?? 75 11 56 FF 15 ?? ?? ?? ?? C7 05 ?? ?? ?? ?? 01 00 00 00 56 FF 15 ?? ?? ?? ?? 33 C0 85 DB 74 09 80 34 38 ?? 40 3B C3 72 F7 56 FF 15 ?? ?? ?? ?? 5E 8B C7 5B C3}
- condition:
- $decrypt_func
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/symantec/jiripbot _ unicode _ str _ decrypt.yar b/yara-mikesxrs/symantec/jiripbot _ unicode _ str _ decrypt.yar
deleted file mode 100644
index 2ccc98c..0000000
--- a/yara-mikesxrs/symantec/jiripbot _ unicode _ str _ decrypt.yar
+++ /dev/null
@@ -1,13 +0,0 @@
-rule jiripbot_unicode_str_decrypt
-{
- meta:
- author = "Symantec Security Response"
- date = "2015-07-01"
- description = "Butterfly Jiripbot Unicode hacktool"
- reference ="https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/butterfly-corporate-spies-out-for-financial-gain.pdf"
-
- strings:
- $decrypt = {85 ?? 75 03 33 C0 C3 8B ?? 8D 50 02 66 8B 08 83 C0 02 66 85 C9 75 F5 2B C2 D1 F8 57 8B F8 B8 ?? ?? ?? ?? 66 39 44 7E FE 75 43 83 3D ?? ?? ?? ?? 00 53 BB ?? ?? ?? ?? 75 11 53 FF 15 ?? ?? ?? ?? C7 05 ?? ?? ?? ?? 01 00 00 00 53 FF 15 ?? ?? ?? ?? 33 C0 85 FF 74 0E B9 ?? 00 00 00 66 31 0C 46 40 3B C7 72 F2 53 FF 15 ?? ?? ?? ?? 5B 8B C6 5F C3 }
- condition:
- $decrypt
-}
diff --git a/yara-mikesxrs/symantec/remsec_encrypted_api.yar b/yara-mikesxrs/symantec/remsec_encrypted_api.yar deleted file mode 100644 index 603eec0..0000000 --- a/yara-mikesxrs/symantec/remsec_encrypted_api.yar +++ /dev/null @@ -1,15 +0,0 @@ -rule remsec_encrypted_api -{ -meta: -copyright = "Symantec" -strings: -$open_process = -/* -"OpenProcess -\ -x00" in encrypted form -*/ -{ 91 9A 8F B0 9C 90 8D AF 8C 8C 9A FF } -condition: -all of them -} \ No newline at end of file diff --git a/yara-mikesxrs/symantec/remsec_executable_blob_32.yar b/yara-mikesxrs/symantec/remsec_executable_blob_32.yar deleted file mode 100644 index 6a8c4b1..0000000 --- a/yara-mikesxrs/symantec/remsec_executable_blob_32.yar +++ /dev/null @@ -1,26 +0,0 @@ -rule remsec_executable_blob_32 -{ -meta: -copyright = "Symantec" -strings: -$code = -/* -31 06 l0: xor [esi], eax -83 C6 04 add esi, 4 -D1 E8 shr eax, 1 -73 05 -jnb short l1 -35 01 00 00 D0 xor eax, 0D0000001h -E2 F0 l1: loop l0 -*/ -{ -31 06 -83 C6 04 -D1 E8 -73 05 -35 01 00 00 D0 -E2 F0 -} -condition: -all of them -} \ No newline at end of file diff --git a/yara-mikesxrs/symantec/remsec_executable_blob_64.yar b/yara-mikesxrs/symantec/remsec_executable_blob_64.yar deleted file mode 100644 index d2767dd..0000000 --- a/yara-mikesxrs/symantec/remsec_executable_blob_64.yar +++ /dev/null @@ -1,27 +0,0 @@ -rule remsec_executable_blob_64 -{ -meta: -copyright = "Symantec" -strings: -$code = -/* -31 06 l0: xor -[rsi], eax -48 83 C6 04 add rsi, 4 -D1 E8 shr eax, 1 -73 05 jnb short l1 -35 01 00 00 D0 xor eax, 0D00000 -01h -E2 EF l1: loop l0 -*/ -{ -31 06 -48 83 C6 04 -D1 E8 -73 05 -35 01 00 00 D0 -E2 EF -} -condition: -all of them -} \ No newline at end of file diff --git a/yara-mikesxrs/symantec/remsec_executable_blob_parser.yar b/yara-mikesxrs/symantec/remsec_executable_blob_parser.yar deleted file mode 100644 index d127ea4..0000000 --- a/yara-mikesxrs/symantec/remsec_executable_blob_parser.yar +++ /dev/null 
@@ -1,30 +0,0 @@ -rule -remsec_executable_blob_parser -{ -meta: -copyright = "Symantec" -strings: -$code = -/* -0F 82 ?? ?? 00 00 jb l_0 -80 7? 04 02 cmp byte ptr [r0+4], 2 -0F -85 ?? ?? 00 00 jnz l_0 -81 3? 02 AA 02 C1 cmp dword ptr [r0], -0C102AA02h -0F 85 ?? ?? 00 00 jnz l_0 -8B ?? 06 mov r1, [r0+6] -*/ -{ -( 0F 82 ?? ?? 00 00 | 72 ?? ) -( 80 | 41 80 ) ( 7? | 7C 24 ) 04 02 -( 0F 85 ?? ?? 00 00 | 75 ?? ) -( 81 | 41 81 ) ( 3? | 3C 24 | 7D 00 ) 02 AA 02 C1 -( 0F 85 ?? ?? 00 00 | 75 ?? ) -( 8B | 41 -8B | 44 8B | 45 8B ) ( 4? | 5? | 6? | 7? | ?4 24 | -?C 24 ) 06 -} -condition: -all of them -} \ No newline at end of file diff --git a/yara-mikesxrs/symantec/remsec_packer_A.yar b/yara-mikesxrs/symantec/remsec_packer_A.yar deleted file mode 100644 index f7c7011..0000000 --- a/yara-mikesxrs/symantec/remsec_packer_A.yar +++ /dev/null @@ -1,26 +0,0 @@ -rule remsec_packer_A -{ -meta: -copyright = "Symantec" -strings: -$code = -/* -69 ?? AB 00 00 00 imul r0, 0ABh -81 C? CD 2B 00 00 add r0, 2BCDh -F7 E? mul r0 -C1 E? 0D shr r1, 0Dh -69 ?? 85 CF 00 00 imul r1, 0CF85h -2B sub r0, r1 -*/ -{ -69 ( C? | D? | E? | F? ) AB 00 00 00 -( 81 | 41 81 ) C? CD 2B 00 00 -( F7 | 41 -F7 ) E? -( C1 | 41 C1 ) E? 0D -( 69 | 45 69 ) ( C? | D? | E? | F? ) 85 CF 00 00 -( 29 | 41 29 | 44 29 | 45 29 | 2B | 41 2B | 44 2B | 45 2B ) -} -condition: -all of them -} \ No newline at end of file diff --git a/yara-mikesxrs/symantec/remsec_packer_B.yar b/yara-mikesxrs/symantec/remsec_packer_B.yar deleted file mode 100644 index cb8b6b6..0000000 --- a/yara-mikesxrs/symantec/remsec_packer_B.yar +++ /dev/null 
@@ -1,63 +0,0 @@ -rule remsec_packer_B -{ -meta: -copyright = "Symantec" -strings: -$code = -/* -48 8B 05 C4 2D 01 00 mov rax, cs:LoadLibraryA -48 89 44 24 48 mov qword ptr -[rsp+1B8h+descriptor+18h], rax -48 8B 05 A -0 2D 01 00 mov rax, cs:GetProcAddress -48 8D 4C 24 30 lea rcx, -[rsp+1B8h+descriptor] -48 89 44 2 -4 50 mov qword ptr -[rsp+1B8h+descriptor+20h], rax -48 8D 84 24 80 00 00 00 lea rax, -[rsp+1B8h+var_138] -C6 44 24 30 00 mov [rsp+1B8h+descriptor], -0 -48 89 44 24 60 -mov qword ptr -[rsp+1B8h+descriptor+30h], rax -48 8D 84 24 80 00 00 00 lea rax, -[rsp+1B8h+var_138] -C7 44 24 34 03 00 00 00 mov dword ptr -[rsp+1B8h+descriptor+4], 3 -2B F8 -sub edi, eax -48 89 5C 24 38 mov qword ptr -[rsp+1B8h+descriptor+8], rbx -44 89 6C 24 40 mov dword ptr -[rsp+1B8h+descriptor+10h], r13d -83 C7 08 -add edi, 8 -89 7C 24 68 mov dword ptr -[rsp+1B8h+descriptor+38h], edi -FF D5 call rbp -05 00 00 00 3A add eax, 3A000000h -*/ -{ -48 8B 05 ?? ?? ?? ?? -48 89 44 24 ?? -48 8B 05 ?? ?? ?? ?? -48 8D 4C 24 ?? -48 89 44 24 ?? -48 8D ( 45 ?? | 84 24 ?? ?? 00 00 ) -( 44 88 6? 24 ?? | C6 44 24 ?? 00 ) -48 89 44 24 ?? -48 8D ( 45 ?? | 84 24 ?? ?? 00 00 ) -C7 44 24 ?? 0? 00 00 00 -2B ?8 -48 89 ?C 24 ?? -44 89 6? 24 ?? -83 C? 08 -89 ?C 24 ?? -( FF | 41 FF ) D? -( 05 | 8D 88 ) 00 00 00 3A -} -condition: -all of them -} \ No newline at end of file diff --git a/yara-mikesxrs/symantec/sav _ dropper.yar b/yara-mikesxrs/symantec/sav _ dropper.yar deleted file mode 100644 index 78e534f..0000000 --- a/yara-mikesxrs/symantec/sav _ dropper.yar +++ /dev/null @@ -1,14 +0,0 @@ -rule sav_dropper -{ - meta: - author = "Symantec" - malware = "SAV dropper" - reference = "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf" - - strings: - $mz = "MZ" - $a = /[a-z]{,10} _ x64.sys\x00hMZ\x00/ - - condition: - ($mz at 0) and uint32(0x400) == 0x000000c3 and pe.number_of_sections == 6 and $a -} \ No newline at end of file 
diff --git a/yara-mikesxrs/symantec/sav.yar b/yara-mikesxrs/symantec/sav.yar
deleted file mode 100644
index 0c3e3b5..0000000
--- a/yara-mikesxrs/symantec/sav.yar
+++ /dev/null
@@ -1,137 +0,0 @@ -rule sav{ - meta: - author = "Symantec" - malware = "SAV" - reference = "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers" - - strings: - $mz = "MZ" -/* -8B 75 18 mov esi, [ebp+arg _ 10] -31 34 81 xor [ecx+eax*4], esi -40 inc eax -3B C2 cmp eax, edx -72 F5 jb short loc _ 9F342 -33 F6 xor esi, esi -39 7D 14 cmp [ebp+arg _ C], edi -76 1B jbe short loc _ 9F36F -8A 04 0E mov al, [esi+ecx] -88 04 0F mov [edi+ecx], al -6A 0F push 0Fh -33 D2 xor edx, edx -8B C7 mov eax, edi -5B pop ebx -F7 F3 div ebx -85 D2 test edx, edx -75 01 jnz short loc _ 9F368 -*/ - $code1a = { 8B 75 18 31 34 81 40 3B C2 72 F5 33 F6 39 7D 14 76 1B 8A 04 0E 88 04 0F 6A 0F 33 D2 8B C7 5B F7 F3 85 D2 75 01 } - -/* -8B 45 F8 mov eax, [ebp+var _ 8] -40 inc eax -89 45 F8 mov [ebp+var _ 8], eax -8B 45 10 mov eax, [ebp+arg _ 8] -C1 E8 02 shr eax, 2 -39 45 F8 cmp [ebp+var _ 8], eax -73 17 jnb short loc _ 4013ED -8B 45 F8 mov eax, [ebp+var _ 8] -8B 4D F4 mov ecx, [ebp+var _ C] -8B 04 81 mov eax, [ecx+eax*4] -33 45 20 xor eax, [ebp+arg _ 18] -8B 4D F8 mov ecx, [ebp+var _ 8] -8B 55 F4 mov edx, [ebp+var _ C] -89 04 8A mov [edx+ecx*4], eax -EB D7 jmp short loc _ 4013C4 -83 65 F8 00 and [ebp+var _ 8], 0 -83 65 EC 00 and [ebp+var _ 14], 0 -EB 0E jmp short loc _ 401405 -8B 45 F8 mov eax, [ebp+var _ 8] -40 inc eax -89 45 F8 mov [ebp+var _ 8], eax -8B 45 EC mov eax, [ebp+var _ 14] -40 inc eax -89 45 EC mov [ebp+var _ 14], eax -8B 45 EC mov eax, [ebp+var _ 14] -3B 45 10 cmp eax, [ebp+arg _ 8] -73 27 jnb short loc _ 401434 -8B 45 F4 mov eax, [ebp+var _ C] -03 45 F8 add eax, [ebp+var _ 8] -8B 4D F4 mov ecx, [ebp+var _ C] -03 4D EC add ecx, [ebp+var _ 14] -8A 09 mov cl, [ecx] -88 08 mov [eax], cl -8B 45 F8 mov eax, [ebp+var _ 8] -33 D2 xor edx, edx -6A 0F push 0Fh -59 pop ecx -F7 F1 div ecx -85 D2 test edx, edx -75 07 jnz short loc _ 401432 -*/ - - $code1b = { 8B 45 F8 40 89 45 F8 8B 45 10 C1 E8 02 39 45 F8 73 17 8B 45 F8 8B 4D F4 8B 04 81 33 45 20 8B 4D F8 8B 55 F4 
89 04 8A EB D7 83 65 F8 00 83 65 EC 00 EB 0E 8B 45 F8 40 89 45 F8 8B 45 EC 40 89 45 EC 8B 45 EC 3B 45 10 73 27 8B 45 F4 03 45 F8 8B 4D F4 03 4D EC 8A 09 88 08 8B 45 F8 33 D2 6A 0F 59 F7 F1 85 D2 75 07 } - -/* -8A 04 0F mov al, [edi+ecx] -88 04 0E mov [esi+ecx], al -6A 0F push 0Fh -33 D2 xor edx, edx -8B C6 mov eax, esi -5B pop ebx -F7 F3 div ebx -85 D2 test edx, edx -75 01 jnz short loc _ B12FC -47 inc edi -8B 45 14 mov eax, [ebp+arg _ C] -46 inc esi -47 inc edi -3B F8 cmp edi, eax -72 E3 jb short loc _ B12E8 -EB 04 jmp short loc _ B130B -C6 04 08 00 mov byte ptr [eax+ecx], 0 -48 dec eax -3B C6 cmp eax, esi -73 F7 jnb short loc _ B1307 -33 C0 xor eax, eax -C1 EE 02 shr esi, 2 -74 0B jz short loc _ B1322 -8B 55 18 mov edx, [ebp+arg _ 10] -31 14 81 xor [ecx+eax*4], edx -40 inc eax -3B C6 cmp eax, esi -72 F5 jb short loc _ B1317 -*/ - - $code1c = { 8A 04 0F 88 04 0E 6A 0F 33 D2 8B C6 5B F7 F3 85 D2 75 01 47 8B 45 14 46 47 3B F8 72 E3 EB 04 C6 04 08 00 48 3B C6 73 F7 33 C0 C1 EE 02 74 0B 8B 55 18 31 14 81 40 3B C6 72 F5} - -/* -29 5D 0C sub [ebp+arg _ 4], ebx -8B D1 mov edx, ecx -C1 EA 05 shr edx, 5 -2B CA sub ecx, edx -8B 55 F4 mov edx, [ebp+var _ C] -2B C3 sub eax, ebx -3D 00 00 00 01 cmp eax, 1000000h -89 0F mov [edi], ecx -8B 4D 10 mov ecx, [ebp+arg _ 8] -8D 94 91 00 03 00 00 lea edx, [ecx+edx*4+300h] -73 17 jnb short loc _ 9FC44 -8B 7D F8 mov edi, [ebp+var _ 8] -8B 4D 0C mov ecx, [ebp+arg _ 4] -0F B6 3F movzx edi, byte ptr [edi] -C1 E1 08 shl ecx, 8 -0B CF or ecx, edi -C1 E0 08 shl eax, 8 -FF 45 F8 inc [ebp+var _ 8] -89 4D 0C mov [ebp+arg _ 4], ecx -8B 0A mov ecx, [edx] -8B F8 mov edi, eax -C1 EF 0B shr edi, 0Bh -*/ - - $code2 = { 29 5D 0C 8B D1 C1 EA 05 2B CA 8B 55 F4 2B C3 3D 00 00 00 01 89 0F 8B 4D 10 8D 94 91 00 03 00 00 73 17 8B 7D F8 8B 4D 0C 0F B6 3F C1 E1 08 0B CF C1 E0 08 FF 45 F8 89 4D 0C 8B 0A 8B F8 C1 EF 0B} - - condition: - ($mz at 0) and (($code1a or $code1b or $code1c) and $code2) -} \ No newline at end of file 
diff --git a/yara-mikesxrs/symantec/symantec_index.yara b/yara-mikesxrs/symantec/symantec_index.yara
deleted file mode 100644
index 7ff4272..0000000
--- a/yara-mikesxrs/symantec/symantec_index.yara
+++ /dev/null
@@ -1,746 +0,0 @@ -import "pe" - -rule Bannerjack -{ - meta: - author = "Symantec Security Response" - date = "2015-07-01" - description = "Butterfly BannerJack hacktool" - reference = "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/butterfly-corporate-spies-out-for-financial-gain.pdf" - strings: - $str_1 = "Usage: ./banner-jack [options]" - $str_2 = "-f: file.csv" - $str_3 = "-s: ip start" - $str_4 = "-R: timeout read (optional, default %d secs)" - condition: - all of them -} - -rule comrat -{ - meta: - author = "Symantec" - malware = "COMRAT" - Reference="https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf" - - strings: - $mz = "MZ" - $b = {C645????} - $c = {C685??FEFFFF??} - //$d = {FFA0??0?0000} - $e = {89A8??00000068??00000056FFD78B} - $f = {00004889????030000488B} - - condition: - ($mz at 0) and ((#c > 200 and #b > 200 ) /*or (#d > 40)*/ and (#e > 15 or #f > 30)) -} - - -rule Eventlog -{ - meta: - author = "Symantec Security Response" - date = "2015-07-01" - description = "Butterfly Eventlog hacktool" - reference = "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/butterfly-corporate-spies-out-for-financial-gain.pdf" - - strings: - $str_1= "wevtsvc.dll" - $str_2= "Stealing %S.evtx handle ..." 
- $str_3= "ElfChnk" - $str_4= "-Dr Dump all logs from a channel or .evtx file (raw" - - condition: - all of them -} - -rule fa -{ - meta: - author = "Symantec" - reference = "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf" - - strings: - $mz = "MZ" - $string1 = "C:\\proj\\drivers\\fa _ 2009\\objfre\\i386\\atmarpd.pdb" - - $string2 = "d:\\proj\\cn\\fa64\\" - $string3 = "sengoku _ Win32.sys\x00" - $string4 = "rk _ ntsystem.c" - $string5 = "\\uroboros\\" - $string6 = "shell.{F21EDC09-85D3-4eb9-915F-1AFA2FF28153}" - - condition: - ($mz at 0) and (any of ($string*)) -} - -rule Hacktool -{ - meta: - author = "Symantec Security Response" - date = "2015-07-01" - description = "Butterfly hacktool" - reference = "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/butterfly-corporate-spies-out-for-financial-gain.pdf" - - strings: - $str_1 = "\\\\.\\pipe\\winsession" wide - $str_2 = "WsiSvc" wide - $str_3 = "ConnectNamedPipe" - $str_4 = "CreateNamedPipeW" - $str_5 = "CreateProcessAsUserW" - - condition: - all of them -} - -private rule isPE -{ - meta: - Author = "Symantec" - Reference = "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf" - - condition: - uint16(0) == 0x5A4D and uint32(uint32(0x3c)) == 0x00004550 -} - - -rule jiripbot_ascii_str_decrypt -{ - meta: - author ="Symantec Security Response" - date ="2015-07-01" - description ="Butterfly Jiripbot hacktool" - reference ="https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/butterfly-corporate-spies-out-for-financial-gain.pdf" - strings: - $decrypt_func = {85 FF 75 03 33 C0 C3 8B C7 8D 50 01 8A 08 40 84 C9 75 F9 2B C2 53 8B D8 80 7C 3B FF ?? 75 3E 83 3D ?? ?? ?? ?? 00 56 BE ?? ?? ?? ?? 75 11 56 FF 15 ?? ?? ?? ?? C7 05 ?? ?? ?? ?? 01 00 00 00 56 FF 15 ?? ?? ?? ?? 33 C0 85 DB 74 09 80 34 38 ?? 
40 3B C3 72 F7 56 FF 15 ?? ?? ?? ?? 5E 8B C7 5B C3} - condition: - $decrypt_func -} - -rule jiripbot_unicode_str_decrypt -{ - meta: - author = "Symantec Security Response" - date = "2015-07-01" - description = "Butterfly Jiripbot Unicode hacktool" - reference ="https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/butterfly-corporate-spies-out-for-financial-gain.pdf" - - strings: - $decrypt = {85 ?? 75 03 33 C0 C3 8B ?? 8D 50 02 66 8B 08 83 C0 02 66 85 C9 75 F5 2B C2 D1 F8 57 8B F8 B8 ?? ?? ?? ?? 66 39 44 7E FE 75 43 83 3D ?? ?? ?? ?? 00 53 BB ?? ?? ?? ?? 75 11 53 FF 15 ?? ?? ?? ?? C7 05 ?? ?? ?? ?? 01 00 00 00 53 FF 15 ?? ?? ?? ?? 33 C0 85 FF 74 0E B9 ?? 00 00 00 66 31 0C 46 40 3B C7 72 F2 53 FF 15 ?? ?? ?? ?? 5B 8B C6 5F C3 } - condition: - $decrypt -} - -rule Trojan_Karagany -{ - meta: - alias = "Dreamloader" - Author = "Symantec" - Reference = "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf" - - strings: - $s1 = "neosphere" wide ascii - $s2 = "10000000000051200" wide ascii - $v1 = "&fichier" wide ascii - $v2 = "&identifiant" wide ascii - $c1 = "xmonstart" wide ascii - $c2 = "xmonstop" wide ascii - $c3 = "xgetfile" wide ascii - $c4 = "downadminexec" wide ascii - $c5 = "xdiex" wide ascii - $c6 = "xrebootx" wide ascii - - condition: - isPE and (($s1 and $s2) or ($v1 and $v2) or (any of ($c*))) -} - - -rule Multipurpose -{ - meta: - author = "Symantec Security Response" - date = "2015-07-01" - description = "Butterfly Multipurpose hacktool" - reference = "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/butterfly-corporate-spies-out-for-financial-gain.pdf" - strings: - $str_1 = "dump %d|%d|%d|%d|%d|%d|%s|%d" - $str_2 = "kerberos%d.dll" - $str_3 = "\\\\.\\pipe\\lsassp" - $str_4 = "pth <PID:USER:DOMAIN:NTLM>: change" - condition: - all of them -} - -rule Proxy -{ - meta: - author = "Symantec Security 
Response"
- date = "2015-07-01"
- description = "Butterfly proxy hacktool"
- reference = "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/butterfly-corporate-spies-out-for-financial-gain.pdf"
-
- strings:
- $str_1 = "-u user : proxy username"
- $str_2 = "--pleh : displays help"
- $str_3 = "-x ip/host : proxy ip or host"
- $str_4 = "-m : bypass mutex check"
-
- condition:
- all of them
-}
-
-rule sav_dropper
-{
- meta:
- author = "Symantec"
- malware = "SAV dropper"
- reference = "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf"
-
- strings:
- $mz = "MZ"
- $a = /[a-z]{,10} _ x64.sys\x00hMZ\x00/
-
- condition:
- ($mz at 0) and uint32(0x400) == 0x000000c3 and pe.number_of_sections == 6 and $a
-}
-
-rule sav{
- meta:
- author = "Symantec"
- malware = "SAV"
- reference = "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers"
-
- strings:
- $mz = "MZ"
-/*
-8B 75 18 mov esi, [ebp+arg _ 10]
-31 34 81 xor [ecx+eax*4], esi
-40 inc eax
-3B C2 cmp eax, edx
-72 F5 jb short loc _ 9F342
-33 F6 xor esi, esi
-39 7D 14 cmp [ebp+arg _ C], edi
-76 1B jbe short loc _ 9F36F
-8A 04 0E mov al, [esi+ecx]
-88 04 0F mov [edi+ecx], al
-6A 0F push 0Fh
-33 D2 xor edx, edx
-8B C7 mov eax, edi
-5B pop ebx
-F7 F3 div ebx
-85 D2 test edx, edx
-75 01 jnz short loc _ 9F368
-*/
- $code1a = { 8B 75 18 31 34 81 40 3B C2 72 F5 33 F6 39 7D 14 76 1B 8A 04 0E 88 04 0F 6A 0F 33 D2 8B C7 5B F7 F3 85 D2 75 01 }
-
-/*
-8B 45 F8 mov eax, [ebp+var _ 8]
-40 inc eax
-89 45 F8 mov [ebp+var _ 8], eax
-8B 45 10 mov eax, [ebp+arg _ 8]
-C1 E8 02 shr eax, 2
-39 45 F8 cmp [ebp+var _ 8], eax
-73 17 jnb short loc _ 4013ED
-8B 45 F8 mov eax, [ebp+var _ 8]
-8B 4D F4 mov ecx, [ebp+var _ C]
-8B 04 81 mov eax, [ecx+eax*4]
-33 45 20 xor eax, [ebp+arg _ 18]
-8B 4D F8 mov ecx, [ebp+var _ 8]
-8B 55 F4 mov edx, [ebp+var _ C]
-89 04 8A mov [edx+ecx*4], eax
-EB D7 jmp short loc _ 4013C4
-83 65 F8 00 and [ebp+var _ 8], 0
-83 65 EC 00 and [ebp+var _ 14], 0
-EB 0E jmp short loc _ 401405
-8B 45 F8 mov eax, [ebp+var _ 8]
-40 inc eax
-89 45 F8 mov [ebp+var _ 8], eax
-8B 45 EC mov eax, [ebp+var _ 14]
-40 inc eax
-89 45 EC mov [ebp+var _ 14], eax
-8B 45 EC mov eax, [ebp+var _ 14]
-3B 45 10 cmp eax, [ebp+arg _ 8]
-73 27 jnb short loc _ 401434
-8B 45 F4 mov eax, [ebp+var _ C]
-03 45 F8 add eax, [ebp+var _ 8]
-8B 4D F4 mov ecx, [ebp+var _ C]
-03 4D EC add ecx, [ebp+var _ 14]
-8A 09 mov cl, [ecx]
-88 08 mov [eax], cl
-8B 45 F8 mov eax, [ebp+var _ 8]
-33 D2 xor edx, edx
-6A 0F push 0Fh
-59 pop ecx
-F7 F1 div ecx
-85 D2 test edx, edx
-75 07 jnz short loc _ 401432
-*/
-
- $code1b = { 8B 45 F8 40 89 45 F8 8B 45 10 C1 E8 02 39 45 F8 73 17 8B 45 F8 8B 4D F4 8B 04 81 33 45 20 8B 4D F8 8B 55 F4 89 04 8A EB D7 83 65 F8 00 83 65 EC 00 EB 0E 8B 45 F8 40 89 45 F8 8B 45 EC 40 89 45 EC 8B 45 EC 3B 45 10 73 27 8B 45 F4 03 45 F8 8B 4D F4 03 4D EC 8A 09 88 08 8B 45 F8 33 D2 6A 0F 59 F7 F1 85 D2 75 07 }
-
-/*
-8A 04 0F mov al, [edi+ecx]
-88 04 0E mov [esi+ecx], al
-6A 0F push 0Fh
-33 D2 xor edx, edx
-8B C6 mov eax, esi
-5B pop ebx
-F7 F3 div ebx
-85 D2 test edx, edx
-75 01 jnz short loc _ B12FC
-47 inc edi
-8B 45 14 mov eax, [ebp+arg _ C]
-46 inc esi
-47 inc edi
-3B F8 cmp edi, eax
-72 E3 jb short loc _ B12E8
-EB 04 jmp short loc _ B130B
-C6 04 08 00 mov byte ptr [eax+ecx], 0
-48 dec eax
-3B C6 cmp eax, esi
-73 F7 jnb short loc _ B1307
-33 C0 xor eax, eax
-C1 EE 02 shr esi, 2
-74 0B jz short loc _ B1322
-8B 55 18 mov edx, [ebp+arg _ 10]
-31 14 81 xor [ecx+eax*4], edx
-40 inc eax
-3B C6 cmp eax, esi
-72 F5 jb short loc _ B1317
-*/
-
- $code1c = { 8A 04 0F 88 04 0E 6A 0F 33 D2 8B C6 5B F7 F3 85 D2 75 01 47 8B 45 14 46 47 3B F8 72 E3 EB 04 C6 04 08 00 48 3B C6 73 F7 33 C0 C1 EE 02 74 0B 8B 55 18 31 14 81 40 3B C6 72 F5}
-
-/*
-29 5D 0C sub [ebp+arg _ 4], ebx
-8B D1 mov edx, ecx
-C1 EA 05 shr edx, 5
-2B CA sub ecx, edx
-8B 55 F4 mov edx, [ebp+var _ C]
-2B C3 sub eax, ebx
-3D 00 00 00 01 cmp eax, 1000000h
-89 0F mov [edi], ecx
-8B 4D 10 mov ecx, [ebp+arg _ 8]
-8D 94 91 00 03 00 00 lea edx, [ecx+edx*4+300h]
-73 17 jnb short loc _ 9FC44
-8B 7D F8 mov edi, [ebp+var _ 8]
-8B 4D 0C mov ecx, [ebp+arg _ 4]
-0F B6 3F movzx edi, byte ptr [edi]
-C1 E1 08 shl ecx, 8
-0B CF or ecx, edi
-C1 E0 08 shl eax, 8
-FF 45 F8 inc [ebp+var _ 8]
-89 4D 0C mov [ebp+arg _ 4], ecx
-8B 0A mov ecx, [edx]
-8B F8 mov edi, eax
-C1 EF 0B shr edi, 0Bh
-*/
-
- $code2 = { 29 5D 0C 8B D1 C1 EA 05 2B CA 8B 55 F4 2B C3 3D 00 00 00 01 89 0F 8B 4D 10 8D 94 91 00 03 00 00 73 17 8B 7D F8 8B 4D 0C 0F B6 3F C1 E1 08 0B CF C1 E0 08 FF 45 F8 89 4D 0C 8B 0A 8B F8 C1 EF 0B}
-
- condition:
- ($mz at 0) and (($code1a or $code1b or $code1c) and $code2)
-}
-
-
-rule Securetunnel
- {
- meta:
- author = "Symantec Security Response"
- date = "2015-07-01"
- description = "Butterfly Securetunnel hacktool"
- reference = "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/butterfly-corporate-spies-out-for-financial-gain.pdf"
-
- strings:
- $str_1 = "KRB5CCNAME"
- $str_2 = "SSH _ AUTH _ SOCK"
- $str_3 = "f:l:u:cehR"
- $str_4 = ".o+=*BOX@%&#/^SE"
-
- condition:
- all of them
-}
-
-
-rule turla_dll
-{
-
- meta:
- Malware = "Trojan.Turla DLL"
- author = "Symantec"
- reference = "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf"
-
- strings:
- $a = /([A-Za-z0-9]{2,10} _ ){,2}Win32\.dll\x00/
-
- condition:
- pe.exports("ee") and $a
-}
-
-
-rule turla_dropper
-{
- meta:
- Malware = "Trojan.Turla dropper"
- author = "Symantec"
- reference = "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf"
-
- strings:
- $a = {0F 31 14 31 20 31 3C 31 85 31 8C 31 A8 31 B1 31 D1 31 8B 32 91 32 B6 32 C4 32 6C 33 AC 33 10 34}
- $b = {48 41 4C 2E 64 6C 6C 00 6E 74 64 6C 6C 2E 64 6C 6C 00 00 00 57 8B F9 8B 0D ?? ?? ?? ?? ?? C9 75 26 56 0F 20 C6 8B C6 25 FF FF FE FF 0F 22 C0 E8}
-
- condition:
- all of them
-}
-
-rule wipbot_2013_core_PDF
-{
- meta:
- author = "Symantec"
- description = "Trojan.Wipbot 2014 core PDF"
- reference = "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf"
- strings:
- $PDF = "%PDF-"
- $a = /\+[A-Za-z]{1}\. _ _ \$\+[A-Za-z]{1}\. _ \$ _ \+/
- $b = /\+[A-Za-z]{1}\.\$\$\$ _ \+/
-
- condition:
- ($PDF at 0) and #a > 150 and #b > 200
-}
-
-rule wipbot_2013_core
-{
- meta:
- description = "core + core; garbage appended data (PDF Exploit leftovers) + wipbot dropper; fake AdobeRd32 Error"
- Malware = "Trojan.Wipbot 2013 core component"
- author = "Symantec"
- reference = "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf"
-
- strings:
- $mz = "MZ"
- /*
- 8947 0C MOV DWORD PTR DS:[EDI+C], EAX
- C747 10 90C20400 MOV DWORD PTR DS:[EDI+10], 4C290
- C747 14 90C21000 MOV DWORD PTR DS:[EDI+14], 10C290
- C747 18 90906068 MOV DWORD PTR DS:[EDI+18], 68609090
- 894F 1C MOV DWORD PTR DS:[EDI+1C], ECX
- C747 20 909090B8 MOV DWORD PTR DS:[EDI+20], B8909090
- 894F 24 MOV DWORD PTR DS:[EDI+24], ECX
- C747 28 90FFD061 MOV DWORD PTR DS:[EDI+28], 61D0FF90
- C747 2C 90C20400 MOV DWORD PTR DS:[EDI+2C], 4C290
- */
- $code1 = { 89 47 0C C7 47 10 90 C2 04 00 C7 47 14 90 C2 10 00 C7 47 18 90 90 60 68 89 4F 1C C7 47 20 90 90 90 B8 89 4F 24 C7 47 28 90 FF D0 61 C7 47 2C 90 C2 04 00}
- /*
- 85C0 TEST EAX, EAX
- 75 25 JNZ SHORT 64106327.00403AF1
- 8B0B MOV ECX, DWORD PTR DS:[EBX]
- BF ???????? MOV EDI, ????????
- EB 17 JMP SHORT 64106327.00403AEC
- 69D7 0D661900 IMUL EDX, EDI, 19660D
- 8DBA 5FF36E3C LEA EDI, DWORD PTR DS:[EDX+3C6EF35F]
- 89FE MOV ESI, EDI
- C1EE 10 SHR ESI, 10
- 89F2 MOV EDX, ESI
- 301401 XOR BYTE PTR DS:[ECX+EAX], DL
- 40 INC EAX
- 3B43 04 CMP EAX, DWORD PTR DS:[EBX+4]
- 72 E4 JB SHORT 64106327.00403AD5
- */
- $code2 = { 85 C0 75 25 8B 0B BF ?? ?? ?? ?? EB 17 69 D7 0D 66 19 00 8D BA 5F F3 6E 3C 89 FE C1 EE 10 89 F2 30 14 01 40 3B 43 04 72 E4}
- $code3 = {90 90 90 ?? B9 00 4D 5A 90 00 03 00 00 00 82 04}
- $code4 = {55 89 E5 5D C3 55 89 E5 83 EC 18 8B 45 08 85 C0}
-
- condition:
- $mz at 0 and (($code1 or $code2) or ($code3 and $code4))
-}
-
-rule wipbot_2013_dll
-{
- meta:
- author = "Symantec"
- description = "Trojan.Wipbot 2013 DLL"
- reference = "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf"
- description = "Down.dll component"
-
- strings:
- $string1 = "/%s?rank=%s"
- $string2 = "ModuleStart\x00ModuleStop\x00start"
- $string3 = "1156fd22-3443-4344-c4ffff"
- //read file... error..
- $string4 = "read\x20file\x2E\x2E\x2E\x20error\x00\x00"
-
- condition:
- 2 of them
-}
-
-rule remsec_executable_blob_32
-{
-meta:
-copyright = "Symantec"
-strings:
-$code =
-/*
-31 06 l0: xor [esi], eax
-83 C6 04 add esi, 4
-D1 E8 shr eax, 1
-73 05
-jnb short l1
-35 01 00 00 D0 xor eax, 0D0000001h
-E2 F0 l1: loop l0
-*/
-{
-31 06
-83 C6 04
-D1 E8
-73 05
-35 01 00 00 D0
-E2 F0
-}
-condition:
-all of them
-}
-
-rule remsec_executable_blob_64
-{
-meta:
-copyright = "Symantec"
-strings:
-$code =
-/*
-31 06 l0: xor
-[rsi], eax
-48 83 C6 04 add rsi, 4
-D1 E8 shr eax, 1
-73 05 jnb short l1
-35 01 00 00 D0 xor eax, 0D00000
-01h
-E2 EF l1: loop l0
-*/
-{
-31 06
-48 83 C6 04
-D1 E8
-73 05
-35 01 00 00 D0
-E2 EF
-}
-condition:
-all of them
-}
-
-rule
-remsec_executable_blob_parser
-{
-meta:
-copyright = "Symantec"
-strings:
-$code =
-/*
-0F 82 ?? ?? 00 00 jb l_0
-80 7? 04 02 cmp byte ptr [r0+4], 2
-0F
-85 ?? ?? 00 00 jnz l_0
-81 3? 02 AA 02 C1 cmp dword ptr [r0],
-0C102AA02h
-0F 85 ?? ?? 00 00 jnz l_0
-8B ?? 06 mov r1, [r0+6]
-*/
-{
-( 0F 82 ?? ?? 00 00 | 72 ?? )
-( 80 | 41 80 ) ( 7? | 7C 24 ) 04 02
-( 0F 85 ?? ?? 00 00 | 75 ?? )
-( 81 | 41 81 ) ( 3? | 3C 24 | 7D 00 ) 02 AA 02 C1
-( 0F 85 ?? ?? 00 00 | 75 ?? )
-( 8B | 41
-8B | 44 8B | 45 8B ) ( 4? | 5? | 6? | 7? | ?4 24 |
-?C 24 ) 06
-}
-condition:
-all of them
-}
-
-rule remsec_encrypted_api
-{
-meta:
-copyright = "Symantec"
-strings:
-$open_process =
-/*
-"OpenProcess
-\
-x00" in encrypted form
-*/
-{ 91 9A 8F B0 9C 90 8D AF 8C 8C 9A FF }
-condition:
-all of them
-}
-
-rule remsec_packer_A
-{
-meta:
-copyright = "Symantec"
-strings:
-$code =
-/*
-69 ?? AB 00 00 00 imul r0, 0ABh
-81 C? CD 2B 00 00 add r0, 2BCDh
-F7 E? mul r0
-C1 E? 0D shr r1, 0Dh
-69 ?? 85 CF 00 00 imul r1, 0CF85h
-2B sub r0, r1
-*/
-{
-69 ( C? | D? | E? | F? ) AB 00 00 00
-( 81 | 41 81 ) C? CD 2B 00 00
-( F7 | 41
-F7 ) E?
-( C1 | 41 C1 ) E? 0D
-( 69 | 45 69 ) ( C? | D? | E? | F? ) 85 CF 00 00
-( 29 | 41 29 | 44 29 | 45 29 | 2B | 41 2B | 44 2B | 45 2B )
-}
-condition:
-all of them
-}
-
-rule remsec_packer_B
-{
-meta:
-copyright = "Symantec"
-strings:
-$code =
-/*
-48 8B 05 C4 2D 01 00 mov rax, cs:LoadLibraryA
-48 89 44 24 48 mov qword ptr
-[rsp+1B8h+descriptor+18h], rax
-48 8B 05 A
-0 2D 01 00 mov rax, cs:GetProcAddress
-48 8D 4C 24 30 lea rcx,
-[rsp+1B8h+descriptor]
-48 89 44 2
-4 50 mov qword ptr
-[rsp+1B8h+descriptor+20h], rax
-48 8D 84 24 80 00 00 00 lea rax,
-[rsp+1B8h+var_138]
-C6 44 24 30 00 mov [rsp+1B8h+descriptor],
-0
-48 89 44 24 60
-mov qword ptr
-[rsp+1B8h+descriptor+30h], rax
-48 8D 84 24 80 00 00 00 lea rax,
-[rsp+1B8h+var_138]
-C7 44 24 34 03 00 00 00 mov dword ptr
-[rsp+1B8h+descriptor+4], 3
-2B F8
-sub edi, eax
-48 89 5C 24 38 mov qword ptr
-[rsp+1B8h+descriptor+8], rbx
-44 89 6C 24 40 mov dword ptr
-[rsp+1B8h+descriptor+10h], r13d
-83 C7 08
-add edi, 8
-89 7C 24 68 mov dword ptr
-[rsp+1B8h+descriptor+38h], edi
-FF D5 call rbp
-05 00 00 00 3A add eax, 3A000000h
-*/
-{
-48 8B 05 ?? ?? ?? ??
-48 89 44 24 ??
-48 8B 05 ?? ?? ?? ??
-48 8D 4C 24 ??
-48 89 44 24 ??
-48 8D ( 45 ?? | 84 24 ?? ?? 00 00 )
-( 44 88 6? 24 ?? | C6 44 24 ?? 00 )
-48 89 44 24 ??
-48 8D ( 45 ?? | 84 24 ?? ?? 00 00 )
-C7 44 24 ?? 0? 00 00 00
-2B ?8
-48 89 ?C 24 ??
-44 89 6? 24 ??
-83 C? 08
-89 ?C 24 ??
-( FF | 41 FF ) D?
-( 05 | 8D 88 ) 00 00 00 3A
-}
-condition:
-all of them
-}
-
-rule Cadelle_1
-{
-meta:
- author = "Symantec"
- reference = "http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/CadelSpy-Remexi-IOC.pdf"
-strings:
- $s1 = { 56 57 8B F8 8B F1 33 C0 3B F0 74 22 39 44 24 0C 74 18 0F B7 0F 66 3B C8 74 10 66 89 0A 42 42 47 47 4E FF 4C 24 0C 3B F0 75 E2 3B F0 75 07 4A 4A B8 7A 00 07 80 33 C9 5F 66 89 0A 5E C2 04 00}
- $s2 = "ntsvc32"
- $s3 = "ntbind32"
-condition:
- $s1 and ($s2 or $s3)
-}
-
-rule Cadelle_2
-{
-meta:
- author = "Symantec"
- reference = "http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/CadelSpy-Remexi-IOC.pdf"
-strings:
- $s1 = "[EXECUTE]" wide ascii
- $s2 = "WebCamCapture" wide ascii
- $s3 = "</DAY>" wide ascii
- $s4 ="</DOCUMENT>" wide ascii
- $s5 = "<DOCUMENT>" wide ascii
- $s6 = "<DATETIME>" wide ascii
- $s7 = "Can't open file for reading :" wide ascii
- $s8 = "</DATETIME>" wide ascii
- $s9 = "</USERNAME>" wide ascii
- $s10 = "JpegFile :" wide ascii
- $s12 = "[SCROLL]" wide ascii
- $s13 = "<YEAR>" wide ascii
- $s14 = "CURRENT DATE" wide ascii
- $s15 = "</YEAR>" wide ascii
- $s16 = "</MONTH>" wide ascii
- $s17 = "<PRINTERNAME>" wide ascii
- $s18 = "</DRIVE>" wide ascii
- $s19 = "<DATATYPE>" wide ascii
- $s20 = "<MACADDRESS>" wide ascii
- $s21 = "FlashMemory" wide ascii
-condition:
- 12 of them
-}
-
-rule Cadelle_3
-{
-meta:
- author = "Symantec"
- reference = "http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/CadelSpy-Remexi-IOC.pdf"
-strings:
- $s1 = "SOFTWARE\\ntsvc32\\HDD" wide ascii
- $s2 = "SOFTWARE\\ntsvc32\\ROU" wide ascii
- $s3 = "SOFTWARE\\ntsvc32\\HST" wide ascii
- $s4 = "SOFTWARE\\ntsvc32\\FLS" wide ascii
- $s5 = "ntsvc32" wide ascii
- $s6 = ".Win$py." wide ascii
- $s7 = "C:\\users\\" wide ascii
- $s8 = "%system32%" wide ascii
- $s9 = "\\Local Settings\\Temp" wide ascii
- $s10 = "SVWATAUAVAW" wide ascii
- $s11 = "\\AppData\\Local" wide ascii
- $s12 = "\\AppData" wide ascii
-condition:
- 6 of them
-}
-
-rule Cadelle_4
-{
-meta:
- author = "Symantec"
- reference = "http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/CadelSpy-Remexi-IOC.pdf"
-strings:
- $s1 = "AppInit_DLLs" wide ascii
- $s2 = { 5C 00 62 00 61 00 63 00 6B 00 75 00 70 00 00 }
- $s3 = { 5C 00 75 00 70 00 64 00 61 00 74 00 65 00 00 }
- $s4 = "\\cmd.exe" wide ascii
-condition:
- all of them
-}
diff --git a/yara-mikesxrs/symantec/turla _ dll.yar b/yara-mikesxrs/symantec/turla _ dll.yar
deleted file mode 100644
index 05526d6..0000000
--- a/yara-mikesxrs/symantec/turla _ dll.yar
+++ /dev/null
@@ -1,14 +0,0 @@
-rule turla_dll
-{
-
- meta:
- Malware = "Trojan.Turla DLL"
- author = "Symantec"
- reference = "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf"
-
- strings:
- $a = /([A-Za-z0-9]{2,10} _ ){,2}Win32\.dll\x00/
-
- condition:
- pe.exports("ee") and $a
-}
diff --git a/yara-mikesxrs/symantec/turla _ dropper.yar b/yara-mikesxrs/symantec/turla _ dropper.yar
deleted file mode 100644
index 9d6bab2..0000000
--- a/yara-mikesxrs/symantec/turla _ dropper.yar
+++ /dev/null
@@ -1,14 +0,0 @@
-rule turla_dropper
-{
- meta:
- Malware = "Trojan.Turla dropper"
- author = "Symantec"
- reference = "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf"
-
- strings:
- $a = {0F 31 14 31 20 31 3C 31 85 31 8C 31 A8 31 B1 31 D1 31 8B 32 91 32 B6 32 C4 32 6C 33 AC 33 10 34}
- $b = {48 41 4C 2E 64 6C 6C 00 6E 74 64 6C 6C 2E 64 6C 6C 00 00 00 57 8B F9 8B 0D ?? ?? ?? ?? ?? C9 75 26 56 0F 20 C6 8B C6 25 FF FF FE FF 0F 22 C0 E8}
-
- condition:
- all of them
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/symantec/wipbot _ 2013 _ core _ PDF.yar b/yara-mikesxrs/symantec/wipbot _ 2013 _ core _ PDF.yar
deleted file mode 100644
index 4862ca4..0000000
--- a/yara-mikesxrs/symantec/wipbot _ 2013 _ core _ PDF.yar
+++ /dev/null
@@ -1,14 +0,0 @@
-rule wipbot_2013_core_PDF
-{
- meta:
- author = "Symantec"
- description = "Trojan.Wipbot 2014 core PDF"
- reference = "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf"
- strings:
- $PDF = "%PDF-"
- $a = /\+[A-Za-z]{1}\. _ _ \$\+[A-Za-z]{1}\. _ \$ _ \+/
- $b = /\+[A-Za-z]{1}\.\$\$\$ _ \+/
-
- condition:
- ($PDF at 0) and #a > 150 and #b > 200
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/symantec/wipbot _ 2013 _ core.yar b/yara-mikesxrs/symantec/wipbot _ 2013 _ core.yar
deleted file mode 100644
index b861bbc..0000000
--- a/yara-mikesxrs/symantec/wipbot _ 2013 _ core.yar
+++ /dev/null
@@ -1,45 +0,0 @@
-rule wipbot_2013_core
-{
- meta:
- description = "core + core; garbage appended data (PDF Exploit leftovers) + wipbot dropper; fake AdobeRd32 Error"
- Malware = "Trojan.Wipbot 2013 core component"
- author = "Symantec"
- reference = "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf"
-
- strings:
- $mz = "MZ"
- /*
- 8947 0C MOV DWORD PTR DS:[EDI+C], EAX
- C747 10 90C20400 MOV DWORD PTR DS:[EDI+10], 4C290
- C747 14 90C21000 MOV DWORD PTR DS:[EDI+14], 10C290
- C747 18 90906068 MOV DWORD PTR DS:[EDI+18], 68609090
- 894F 1C MOV DWORD PTR DS:[EDI+1C], ECX
- C747 20 909090B8 MOV DWORD PTR DS:[EDI+20], B8909090
- 894F 24 MOV DWORD PTR DS:[EDI+24], ECX
- C747 28 90FFD061 MOV DWORD PTR DS:[EDI+28], 61D0FF90
- C747 2C 90C20400 MOV DWORD PTR DS:[EDI+2C], 4C290
- */
- $code1 = { 89 47 0C C7 47 10 90 C2 04 00 C7 47 14 90 C2 10 00 C7 47 18 90 90 60 68 89 4F 1C C7 47 20 90 90 90 B8 89 4F 24 C7 47 28 90 FF D0 61 C7 47 2C 90 C2 04 00}
- /*
- 85C0 TEST EAX, EAX
- 75 25 JNZ SHORT 64106327.00403AF1
- 8B0B MOV ECX, DWORD PTR DS:[EBX]
- BF ???????? MOV EDI, ????????
- EB 17 JMP SHORT 64106327.00403AEC
- 69D7 0D661900 IMUL EDX, EDI, 19660D
- 8DBA 5FF36E3C LEA EDI, DWORD PTR DS:[EDX+3C6EF35F]
- 89FE MOV ESI, EDI
- C1EE 10 SHR ESI, 10
- 89F2 MOV EDX, ESI
- 301401 XOR BYTE PTR DS:[ECX+EAX], DL
- 40 INC EAX
- 3B43 04 CMP EAX, DWORD PTR DS:[EBX+4]
- 72 E4 JB SHORT 64106327.00403AD5
- */
- $code2 = { 85 C0 75 25 8B 0B BF ?? ?? ?? ?? EB 17 69 D7 0D 66 19 00 8D BA 5F F3 6E 3C 89 FE C1 EE 10 89 F2 30 14 01 40 3B 43 04 72 E4}
- $code3 = {90 90 90 ?? B9 00 4D 5A 90 00 03 00 00 00 82 04}
- $code4 = {55 89 E5 5D C3 55 89 E5 83 EC 18 8B 45 08 85 C0}
-
- condition:
- $mz at 0 and (($code1 or $code2) or ($code3 and $code4))
-}
diff --git a/yara-mikesxrs/symantec/wipbot _ 2013 _ dll.yar b/yara-mikesxrs/symantec/wipbot _ 2013 _ dll.yar
deleted file mode 100644
index 099d646..0000000
--- a/yara-mikesxrs/symantec/wipbot _ 2013 _ dll.yar
+++ /dev/null
@@ -1,18 +0,0 @@
-rule wipbot_2013_dll
-{
- meta:
- author = "Symantec"
- description = "Trojan.Wipbot 2013 DLL"
- reference = "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf"
- description = "Down.dll component"
-
- strings:
- $string1 = "/%s?rank=%s"
- $string2 = "ModuleStart\x00ModuleStop\x00start"
- $string3 = "1156fd22-3443-4344-c4ffff"
- //read file... error..
- $string4 = "read\x20file\x2E\x2E\x2E\x20error\x00\x00"
-
- condition:
- 2 of them
-}
\ No newline at end of file
diff --git a/yara-mikesxrs/vitorafonso/banker.yar b/yara-mikesxrs/vitorafonso/banker.yar
deleted file mode 100644
index 57ad0cd..0000000
--- a/yara-mikesxrs/vitorafonso/banker.yar
+++ /dev/null
@@ -1,68 +0,0 @@
-import "androguard"
-
-rule Banker
-{
- meta:
- description = "Detects a Banker"
- author = "vitorafonso"
- sample = "e5df30b41b0c50594c2b77c1d5d6916a9ce925f792c563f692426c2d50aa2524"
- report = "https://blog.fortinet.com/2016/11/01/android-banking-malware-masquerades-as-flash-player-targeting-large-banks-and-popular-social-media-apps"
-
- strings:
- $a1 = "kill_on"
- $a2 = "intercept_down"
- $a3 = "send_sms"
- $a4 = "check_manager_status"
- $a5 = "browserappsupdate"
- $a6 = "YnJvd3NlcmFwcHN1cGRhdGU=" // browserappsupdate
- $a7 = "browserrestart"
- $a8 = "YnJvd3NlcnJlc3RhcnQ=" // browserrestart
- $a9 = "setMobileDataEnabled"
- $a10 = "adminPhone"
-
- condition:
- 8 of ($a*)
-
-}
-
-rule Acecard
-{
- meta:
- description = "Detects some acecard samples"
- author = "vitorafonso"
- sample = "0973da0f5cc7e4570659174612a650f3dbd93b3545f07bcc8b438af09dc257a9"
- report = "https://securelist.com/blog/research/73777/the-evolution-of-acecard/"
-
- strings:
- $a = "#control_number"
- $b = "client number"
- $c = "INTERCEPTING_INCOMING_ENABLED"
- $d = "#intercept_sms_start"
- $e = "#intercept_sms_stop"
- $f = "intercepted incoming sms"
-
- condition:
- all of them
-}
-
-rule Acecard2
-{
- meta:
- description = "Detects some acecard samples"
- author = "vitorafonso"
- sample = "88c744e563f7637e5630cb9b01cad663033ce2861cf01100f6c4e6fbb3e56df9"
- report = "https://securelist.com/blog/research/73777/the-evolution-of-acecard/"
-
- strings:
- $a = "Internet password"
- $b = "Security no."
- $c = "Keep your Internet Banking and secret authorisation code (SMS) secret. Don't reveal these details to anyone, not even if they claim to be NAB."
- $d = "TYPE_INSTALLED_APPS"
- $e = "TYPE_INTERCEPTED_INCOMING_SMS"
- $f = "TYPE_LISTENED_INCOMING_SMS"
- $g = "TYPE_CONTROL_NUMBER_DATA"
-
- condition:
- all of them and
- androguard.permission(/android.permission.RECEIVE_SMS/)
-}
diff --git a/yara-mikesxrs/vitorafonso/crisis.yar b/yara-mikesxrs/vitorafonso/crisis.yar
deleted file mode 100644
index 88557a5..0000000
--- a/yara-mikesxrs/vitorafonso/crisis.yar
+++ /dev/null
@@ -1,19 +0,0 @@
-import "androguard"
-
-rule crisis
-{
- meta:
- description = "Crisis pack / Hacking team"
- author = "vitorafonso"
- sample = "29b1d89c630d5d44dc3c7842b9da7e29e3e91a644bce593bd6b83bdc9dbd3037"
-
- strings:
- $a = "background_Tr6871623"
-
- condition:
- $a and
- androguard.permission(/android.permission.SEND_SMS/) and
- androguard.permission(/android.permission.PROCESS_OUTGOING_CALLS/) and
- androguard.permission(/android.permission.RECORD_AUDIO/)
-
-}
diff --git a/yara-mikesxrs/vitorafonso/dropper.yar b/yara-mikesxrs/vitorafonso/dropper.yar
deleted file mode 100644
index 2ab120c..0000000
--- a/yara-mikesxrs/vitorafonso/dropper.yar
+++ /dev/null
@@ -1,19 +0,0 @@
-rule dropper
-{
- meta:
- description = "Detects a dropper"
- author = "vitorafonso"
- samples = "4144f5cf8d8b3e228ad428a6e3bf6547132171609893df46f342d6716854f329, e1afcf6670d000f86b9aea4abcec7f38b7e6294b4d683c04f0b4f7083b6b311e"
-
- strings:
- $a = "splitPayLoadFromDex"
- $b = "readDexFileFromApk"
- $c = "payload_odex"
- $d = "payload_libs"
- $e = "/payload.apk"
- $f = "makeApplication"
-
- condition:
- all of them
-
-}
diff --git a/yara-mikesxrs/vitorafonso/exploit.yar b/yara-mikesxrs/vitorafonso/exploit.yar
deleted file mode 100644
index 889d13d..0000000
--- a/yara-mikesxrs/vitorafonso/exploit.yar
+++ /dev/null
@@ -1,17 +0,0 @@
-import "androguard"
-
-rule Exploit
-{
- meta:
- description = "Detects some exploits"
- author = "vitorafonso"
- sample = "168f82516742a9580fb9d0c907140428f9d3837c88e0b3865002fd221b8154a1"
-
- strings:
- $a = "Ohh, that's make joke!"
- $b = "CoolXMainActivity"
-
- condition:
- all of them
-
-}
diff --git a/yara-mikesxrs/vitorafonso/shedun.yar b/yara-mikesxrs/vitorafonso/shedun.yar
deleted file mode 100644
index 4af4497..0000000
--- a/yara-mikesxrs/vitorafonso/shedun.yar
+++ /dev/null
@@ -1,16 +0,0 @@
-rule shedun
-{
- meta:
- description = "Detects libcrypt_sign used by shedun"
- author = "vitorafonso"
- sample = "919f1096bb591c84b4aaf964f0374765c3fccda355c2686751219926f2d50fab"
-
- strings:
- $a = "madana!!!!!!!!!"
- $b = "ooooop!!!!!!!!!!!"
- $c = "hehe you never know what happened!!!!"
-
- condition:
- all of them
-
-}
diff --git a/yara-mikesxrs/vitorafonso/zitmo.yar b/yara-mikesxrs/vitorafonso/zitmo.yar
deleted file mode 100644
index 7628388..0000000
--- a/yara-mikesxrs/vitorafonso/zitmo.yar
+++ /dev/null
@@ -1,23 +0,0 @@
-import "androguard"
-
-rule zitmo
-{
- meta:
- description = "Detects Zitmo"
- author = "vitorafonso"
- samples = "d48ce7e9886b293fd5272851407df19f800769ebe4305358e23268ce9e0b8703, e86cdfb035aea4a5cb55efa59a5e68febf2f714525e301b46d99d5e79e02d773"
-
- strings:
- $a = "REQUEST_SET_ADMIN"
- $b = "RESPONSE_SET_ADMIN"
- $c = "REQUEST_ON"
- $d = "MESSAGE_START_UP"
- $e = "KEY_ADMIN_NUMBER"
- $f = "DEFAULT_ADMIN_NUMBER"
-
- condition:
- all of them and
- androguard.permission(/android.permission.SEND_SMS/) and
- androguard.permission(/android.permission.RECEIVE_SMS/)
-
-}